+++ /dev/null
-From 16d4f1069118aa19bfce013493e1ac5783f92f1d Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Fri, 5 Apr 2019 02:12:50 +0300
-Subject: [PATCH 14/14] EAP-pwd: Check element x,y coordinates explicitly
-
-This adds an explicit check for 0 < x,y < prime based on RFC 5931,
-2.8.5.2.2 requirement. The earlier checks might have covered this
-implicitly, but it is safer to avoid any dependency on implicit checks
-and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)
-
-Furthermore, this moves the EAP-pwd element and scalar parsing and
-validation steps into shared helper functions so that there is no need
-to maintain two separate copies of this common functionality between the
-server and peer implementations.
-
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
----
- src/eap_common/eap_pwd_common.c | 106 ++++++++++++++++++++++++++++++++++++++++
- src/eap_common/eap_pwd_common.h | 3 ++
- src/eap_peer/eap_pwd.c | 45 ++---------------
- src/eap_server/eap_server_pwd.c | 45 ++---------------
- 4 files changed, 117 insertions(+), 82 deletions(-)
-
---- a/src/eap_common/eap_pwd_common.c
-+++ b/src/eap_common/eap_pwd_common.c
-@@ -427,3 +427,109 @@ int compute_keys(EAP_PWD_group *grp, con
-
- return 1;
- }
-+
-+
-+static int eap_pwd_element_coord_ok(const struct crypto_bignum *prime,
-+ const u8 *buf, size_t len)
-+{
-+ struct crypto_bignum *val;
-+ int ok = 1;
-+
-+ val = crypto_bignum_init_set(buf, len);
-+ if (!val || crypto_bignum_is_zero(val) ||
-+ crypto_bignum_cmp(val, prime) >= 0)
-+ ok = 0;
-+ crypto_bignum_deinit(val, 0);
-+ return ok;
-+}
-+
-+
-+struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
-+ const u8 *buf)
-+{
-+ struct crypto_ec_point *element;
-+ const struct crypto_bignum *prime;
-+ size_t prime_len;
-+ struct crypto_bignum *cofactor = NULL;
-+
-+ prime = crypto_ec_get_prime(group->group);
-+ prime_len = crypto_ec_prime_len(group->group);
-+
-+ /* RFC 5931, 2.8.5.2.2: 0 < x,y < p */
-+ if (!eap_pwd_element_coord_ok(prime, buf, prime_len) ||
-+ !eap_pwd_element_coord_ok(prime, buf + prime_len, prime_len)) {
-+ wpa_printf(MSG_INFO, "EAP-pwd: Invalid coordinate in element");
-+ return NULL;
-+ }
-+
-+ element = crypto_ec_point_from_bin(group->group, buf);
-+ if (!element) {
-+ wpa_printf(MSG_INFO, "EAP-pwd: EC point from element failed");
-+ return NULL;
-+ }
-+
-+ /* RFC 5931, 2.8.5.2.2: on curve and not the point at infinity */
-+ if (!crypto_ec_point_is_on_curve(group->group, element) ||
-+ crypto_ec_point_is_at_infinity(group->group, element)) {
-+ wpa_printf(MSG_INFO, "EAP-pwd: Invalid element");
-+ goto fail;
-+ }
-+
-+ cofactor = crypto_bignum_init();
-+ if (!cofactor || crypto_ec_cofactor(group->group, cofactor) < 0) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-pwd: Unable to get cofactor for curve");
-+ goto fail;
-+ }
-+
-+ if (!crypto_bignum_is_one(cofactor)) {
-+ struct crypto_ec_point *point;
-+ int ok = 1;
-+
-+ /* check to ensure peer's element is not in a small sub-group */
-+ point = crypto_ec_point_init(group->group);
-+ if (!point ||
-+ crypto_ec_point_mul(group->group, element,
-+ cofactor, point) != 0 ||
-+ crypto_ec_point_is_at_infinity(group->group, point))
-+ ok = 0;
-+ crypto_ec_point_deinit(point, 0);
-+
-+ if (!ok) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-pwd: Small sub-group check on peer element failed");
-+ goto fail;
-+ }
-+ }
-+
-+out:
-+ crypto_bignum_deinit(cofactor, 0);
-+ return element;
-+fail:
-+ crypto_ec_point_deinit(element, 0);
-+ element = NULL;
-+ goto out;
-+}
-+
-+
-+struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf)
-+{
-+ struct crypto_bignum *scalar;
-+ const struct crypto_bignum *order;
-+ size_t order_len;
-+
-+ order = crypto_ec_get_order(group->group);
-+ order_len = crypto_ec_order_len(group->group);
-+
-+ /* RFC 5931, 2.8.5.2: 1 < scalar < r */
-+ scalar = crypto_bignum_init_set(buf, order_len);
-+ if (!scalar || crypto_bignum_is_zero(scalar) ||
-+ crypto_bignum_is_one(scalar) ||
-+ crypto_bignum_cmp(scalar, order) >= 0) {
-+ wpa_printf(MSG_INFO, "EAP-pwd: received scalar is invalid");
-+ crypto_bignum_deinit(scalar, 0);
-+ scalar = NULL;
-+ }
-+
-+ return scalar;
-+}
---- a/src/eap_common/eap_pwd_common.h
-+++ b/src/eap_common/eap_pwd_common.h
-@@ -67,5 +67,8 @@ int compute_keys(EAP_PWD_group *grp, con
- struct crypto_hash * eap_pwd_h_init(void);
- void eap_pwd_h_update(struct crypto_hash *hash, const u8 *data, size_t len);
- void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest);
-+struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
-+ const u8 *buf);
-+struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf);
-
- #endif /* EAP_PWD_COMMON_H */
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -308,7 +308,7 @@ eap_pwd_perform_commit_exchange(struct e
- const struct wpabuf *reqData,
- const u8 *payload, size_t payload_len)
- {
-- struct crypto_ec_point *K = NULL, *point = NULL;
-+ struct crypto_ec_point *K = NULL;
- struct crypto_bignum *mask = NULL, *cofactor = NULL;
- const u8 *ptr = payload;
- u8 *scalar = NULL, *element = NULL;
-@@ -572,63 +572,27 @@ eap_pwd_perform_commit_exchange(struct e
- /* process the request */
- data->k = crypto_bignum_init();
- K = crypto_ec_point_init(data->grp->group);
-- point = crypto_ec_point_init(data->grp->group);
-- if (!data->k || !K || !point) {
-+ if (!data->k || !K) {
- wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
- "fail");
- goto fin;
- }
-
- /* element, x then y, followed by scalar */
-- data->server_element = crypto_ec_point_from_bin(data->grp->group, ptr);
-+ data->server_element = eap_pwd_get_element(data->grp, ptr);
- if (!data->server_element) {
- wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
- "fail");
- goto fin;
- }
- ptr += prime_len * 2;
-- data->server_scalar = crypto_bignum_init_set(ptr, order_len);
-+ data->server_scalar = eap_pwd_get_scalar(data->grp, ptr);
- if (!data->server_scalar) {
- wpa_printf(MSG_INFO,
- "EAP-PWD (peer): setting peer scalar fail");
- goto fin;
- }
-
-- /* verify received scalar */
-- if (crypto_bignum_is_zero(data->server_scalar) ||
-- crypto_bignum_is_one(data->server_scalar) ||
-- crypto_bignum_cmp(data->server_scalar,
-- crypto_ec_get_order(data->grp->group)) >= 0) {
-- wpa_printf(MSG_INFO,
-- "EAP-PWD (peer): received scalar is invalid");
-- goto fin;
-- }
--
-- /* verify received element */
-- if (!crypto_ec_point_is_on_curve(data->grp->group,
-- data->server_element) ||
-- crypto_ec_point_is_at_infinity(data->grp->group,
-- data->server_element)) {
-- wpa_printf(MSG_INFO,
-- "EAP-PWD (peer): received element is invalid");
-- goto fin;
-- }
--
-- /* check to ensure server's element is not in a small sub-group */
-- if (!crypto_bignum_is_one(cofactor)) {
-- if (crypto_ec_point_mul(data->grp->group, data->server_element,
-- cofactor, point) < 0) {
-- wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
-- "server element by order!\n");
-- goto fin;
-- }
-- if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
-- wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
-- "is at infinity!\n");
-- goto fin;
-- }
-- }
--
- /* compute the shared key, k */
- if (crypto_ec_point_mul(data->grp->group, data->grp->pwe,
- data->server_scalar, K) < 0 ||
-@@ -702,7 +666,6 @@ fin:
- crypto_bignum_deinit(mask, 1);
- crypto_bignum_deinit(cofactor, 1);
- crypto_ec_point_deinit(K, 1);
-- crypto_ec_point_deinit(point, 1);
- if (data->outbuf == NULL)
- eap_pwd_state(data, FAILURE);
- else
---- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -669,7 +669,7 @@ eap_pwd_process_commit_resp(struct eap_s
- {
- const u8 *ptr;
- struct crypto_bignum *cofactor = NULL;
-- struct crypto_ec_point *K = NULL, *point = NULL;
-+ struct crypto_ec_point *K = NULL;
- int res = 0;
- size_t prime_len, order_len;
-
-@@ -688,9 +688,8 @@ eap_pwd_process_commit_resp(struct eap_s
-
- data->k = crypto_bignum_init();
- cofactor = crypto_bignum_init();
-- point = crypto_ec_point_init(data->grp->group);
- K = crypto_ec_point_init(data->grp->group);
-- if (!data->k || !cofactor || !point || !K) {
-+ if (!data->k || !cofactor || !K) {
- wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
- "fail");
- goto fin;
-@@ -704,55 +703,20 @@ eap_pwd_process_commit_resp(struct eap_s
-
- /* element, x then y, followed by scalar */
- ptr = payload;
-- data->peer_element = crypto_ec_point_from_bin(data->grp->group, ptr);
-+ data->peer_element = eap_pwd_get_element(data->grp, ptr);
- if (!data->peer_element) {
- wpa_printf(MSG_INFO, "EAP-PWD (server): setting peer element "
- "fail");
- goto fin;
- }
- ptr += prime_len * 2;
-- data->peer_scalar = crypto_bignum_init_set(ptr, order_len);
-+ data->peer_scalar = eap_pwd_get_scalar(data->grp, ptr);
- if (!data->peer_scalar) {
- wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
- "fail");
- goto fin;
- }
-
-- /* verify received scalar */
-- if (crypto_bignum_is_zero(data->peer_scalar) ||
-- crypto_bignum_is_one(data->peer_scalar) ||
-- crypto_bignum_cmp(data->peer_scalar,
-- crypto_ec_get_order(data->grp->group)) >= 0) {
-- wpa_printf(MSG_INFO,
-- "EAP-PWD (server): received scalar is invalid");
-- goto fin;
-- }
--
-- /* verify received element */
-- if (!crypto_ec_point_is_on_curve(data->grp->group,
-- data->peer_element) ||
-- crypto_ec_point_is_at_infinity(data->grp->group,
-- data->peer_element)) {
-- wpa_printf(MSG_INFO,
-- "EAP-PWD (server): received element is invalid");
-- goto fin;
-- }
--
-- /* check to ensure peer's element is not in a small sub-group */
-- if (!crypto_bignum_is_one(cofactor)) {
-- if (crypto_ec_point_mul(data->grp->group, data->peer_element,
-- cofactor, point) != 0) {
-- wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
-- "multiply peer element by order");
-- goto fin;
-- }
-- if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
-- wpa_printf(MSG_INFO, "EAP-PWD (server): peer element "
-- "is at infinity!\n");
-- goto fin;
-- }
-- }
--
- /* detect reflection attacks */
- if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
- crypto_ec_point_cmp(data->grp->group, data->my_element,
-@@ -804,7 +768,6 @@ eap_pwd_process_commit_resp(struct eap_s
-
- fin:
- crypto_ec_point_deinit(K, 1);
-- crypto_ec_point_deinit(point, 1);
- crypto_bignum_deinit(cofactor, 1);
-
- if (res)
projects / openwrt / openwrt.git / blobdiff