ab1edfaffcbffa1455a63e4a40e154d2f5aa8a92
[librecmc/librecmc.git] /
1 From 16d4f1069118aa19bfce013493e1ac5783f92f1d Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <jouni@codeaurora.org>
3 Date: Fri, 5 Apr 2019 02:12:50 +0300
4 Subject: [PATCH 14/14] EAP-pwd: Check element x,y coordinates explicitly
5
6 This adds an explicit check for 0 < x,y < prime based on RFC 5931,
7 2.8.5.2.2 requirement. The earlier checks might have covered this
8 implicitly, but it is safer to avoid any dependency on implicit checks
9 and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)
10
11 Furthermore, this moves the EAP-pwd element and scalar parsing and
12 validation steps into shared helper functions so that there is no need
13 to maintain two separate copies of this common functionality between the
14 server and peer implementations.
15
16 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
17 ---
18  src/eap_common/eap_pwd_common.c | 106 ++++++++++++++++++++++++++++++++++++++++
19  src/eap_common/eap_pwd_common.h |   3 ++
20  src/eap_peer/eap_pwd.c          |  45 ++---------------
21  src/eap_server/eap_server_pwd.c |  45 ++---------------
22  4 files changed, 117 insertions(+), 82 deletions(-)
23
24 --- a/src/eap_common/eap_pwd_common.c
25 +++ b/src/eap_common/eap_pwd_common.c
26 @@ -427,3 +427,109 @@ int compute_keys(EAP_PWD_group *grp, con
27  
28         return 1;
29  }
30 +
31 +
32 +static int eap_pwd_element_coord_ok(const struct crypto_bignum *prime,
33 +                                   const u8 *buf, size_t len)
34 +{
35 +       struct crypto_bignum *val;
36 +       int ok = 1;
37 +
38 +       val = crypto_bignum_init_set(buf, len);
39 +       if (!val || crypto_bignum_is_zero(val) ||
40 +           crypto_bignum_cmp(val, prime) >= 0)
41 +               ok = 0;
42 +       crypto_bignum_deinit(val, 0);
43 +       return ok;
44 +}
45 +
46 +
47 +struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
48 +                                            const u8 *buf)
49 +{
50 +       struct crypto_ec_point *element;
51 +       const struct crypto_bignum *prime;
52 +       size_t prime_len;
53 +       struct crypto_bignum *cofactor = NULL;
54 +
55 +       prime = crypto_ec_get_prime(group->group);
56 +       prime_len = crypto_ec_prime_len(group->group);
57 +
58 +       /* RFC 5931, 2.8.5.2.2: 0 < x,y < p */
59 +       if (!eap_pwd_element_coord_ok(prime, buf, prime_len) ||
60 +           !eap_pwd_element_coord_ok(prime, buf + prime_len, prime_len)) {
61 +               wpa_printf(MSG_INFO, "EAP-pwd: Invalid coordinate in element");
62 +               return NULL;
63 +       }
64 +
65 +       element = crypto_ec_point_from_bin(group->group, buf);
66 +       if (!element) {
67 +               wpa_printf(MSG_INFO, "EAP-pwd: EC point from element failed");
68 +               return NULL;
69 +       }
70 +
71 +       /* RFC 5931, 2.8.5.2.2: on curve and not the point at infinity */
72 +       if (!crypto_ec_point_is_on_curve(group->group, element) ||
73 +           crypto_ec_point_is_at_infinity(group->group, element)) {
74 +               wpa_printf(MSG_INFO, "EAP-pwd: Invalid element");
75 +               goto fail;
76 +       }
77 +
78 +       cofactor = crypto_bignum_init();
79 +       if (!cofactor || crypto_ec_cofactor(group->group, cofactor) < 0) {
80 +               wpa_printf(MSG_INFO,
81 +                          "EAP-pwd: Unable to get cofactor for curve");
82 +               goto fail;
83 +       }
84 +
85 +       if (!crypto_bignum_is_one(cofactor)) {
86 +               struct crypto_ec_point *point;
87 +               int ok = 1;
88 +
89 +               /* check to ensure peer's element is not in a small sub-group */
90 +               point = crypto_ec_point_init(group->group);
91 +               if (!point ||
92 +                   crypto_ec_point_mul(group->group, element,
93 +                                       cofactor, point) != 0 ||
94 +                   crypto_ec_point_is_at_infinity(group->group, point))
95 +                       ok = 0;
96 +               crypto_ec_point_deinit(point, 0);
97 +
98 +               if (!ok) {
99 +                       wpa_printf(MSG_INFO,
100 +                                  "EAP-pwd: Small sub-group check on peer element failed");
101 +                       goto fail;
102 +               }
103 +       }
104 +
105 +out:
106 +       crypto_bignum_deinit(cofactor, 0);
107 +       return element;
108 +fail:
109 +       crypto_ec_point_deinit(element, 0);
110 +       element = NULL;
111 +       goto out;
112 +}
113 +
114 +
115 +struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf)
116 +{
117 +       struct crypto_bignum *scalar;
118 +       const struct crypto_bignum *order;
119 +       size_t order_len;
120 +
121 +       order = crypto_ec_get_order(group->group);
122 +       order_len = crypto_ec_order_len(group->group);
123 +
124 +       /* RFC 5931, 2.8.5.2: 1 < scalar < r */
125 +       scalar = crypto_bignum_init_set(buf, order_len);
126 +       if (!scalar || crypto_bignum_is_zero(scalar) ||
127 +           crypto_bignum_is_one(scalar) ||
128 +           crypto_bignum_cmp(scalar, order) >= 0) {
129 +               wpa_printf(MSG_INFO, "EAP-pwd: received scalar is invalid");
130 +               crypto_bignum_deinit(scalar, 0);
131 +               scalar = NULL;
132 +       }
133 +
134 +       return scalar;
135 +}
136 --- a/src/eap_common/eap_pwd_common.h
137 +++ b/src/eap_common/eap_pwd_common.h
138 @@ -67,5 +67,8 @@ int compute_keys(EAP_PWD_group *grp, con
139  struct crypto_hash * eap_pwd_h_init(void);
140  void eap_pwd_h_update(struct crypto_hash *hash, const u8 *data, size_t len);
141  void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest);
142 +struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
143 +                                            const u8 *buf);
144 +struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf);
145  
146  #endif  /* EAP_PWD_COMMON_H */
147 --- a/src/eap_peer/eap_pwd.c
148 +++ b/src/eap_peer/eap_pwd.c
149 @@ -308,7 +308,7 @@ eap_pwd_perform_commit_exchange(struct e
150                                 const struct wpabuf *reqData,
151                                 const u8 *payload, size_t payload_len)
152  {
153 -       struct crypto_ec_point *K = NULL, *point = NULL;
154 +       struct crypto_ec_point *K = NULL;
155         struct crypto_bignum *mask = NULL, *cofactor = NULL;
156         const u8 *ptr = payload;
157         u8 *scalar = NULL, *element = NULL;
158 @@ -572,63 +572,27 @@ eap_pwd_perform_commit_exchange(struct e
159         /* process the request */
160         data->k = crypto_bignum_init();
161         K = crypto_ec_point_init(data->grp->group);
162 -       point = crypto_ec_point_init(data->grp->group);
163 -       if (!data->k || !K || !point) {
164 +       if (!data->k || !K) {
165                 wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
166                            "fail");
167                 goto fin;
168         }
169  
170         /* element, x then y, followed by scalar */
171 -       data->server_element = crypto_ec_point_from_bin(data->grp->group, ptr);
172 +       data->server_element = eap_pwd_get_element(data->grp, ptr);
173         if (!data->server_element) {
174                 wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
175                            "fail");
176                 goto fin;
177         }
178         ptr += prime_len * 2;
179 -       data->server_scalar = crypto_bignum_init_set(ptr, order_len);
180 +       data->server_scalar = eap_pwd_get_scalar(data->grp, ptr);
181         if (!data->server_scalar) {
182                 wpa_printf(MSG_INFO,
183                            "EAP-PWD (peer): setting peer scalar fail");
184                 goto fin;
185         }
186  
187 -       /* verify received scalar */
188 -       if (crypto_bignum_is_zero(data->server_scalar) ||
189 -           crypto_bignum_is_one(data->server_scalar) ||
190 -           crypto_bignum_cmp(data->server_scalar,
191 -                             crypto_ec_get_order(data->grp->group)) >= 0) {
192 -               wpa_printf(MSG_INFO,
193 -                          "EAP-PWD (peer): received scalar is invalid");
194 -               goto fin;
195 -       }
196 -
197 -       /* verify received element */
198 -       if (!crypto_ec_point_is_on_curve(data->grp->group,
199 -                                        data->server_element) ||
200 -           crypto_ec_point_is_at_infinity(data->grp->group,
201 -                                          data->server_element)) {
202 -               wpa_printf(MSG_INFO,
203 -                          "EAP-PWD (peer): received element is invalid");
204 -               goto fin;
205 -       }
206 -
207 -       /* check to ensure server's element is not in a small sub-group */
208 -       if (!crypto_bignum_is_one(cofactor)) {
209 -               if (crypto_ec_point_mul(data->grp->group, data->server_element,
210 -                                       cofactor, point) < 0) {
211 -                       wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
212 -                                  "server element by order!\n");
213 -                       goto fin;
214 -               }
215 -               if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
216 -                       wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
217 -                                  "is at infinity!\n");
218 -                       goto fin;
219 -               }
220 -       }
221 -
222         /* compute the shared key, k */
223         if (crypto_ec_point_mul(data->grp->group, data->grp->pwe,
224                                 data->server_scalar, K) < 0 ||
225 @@ -702,7 +666,6 @@ fin:
226         crypto_bignum_deinit(mask, 1);
227         crypto_bignum_deinit(cofactor, 1);
228         crypto_ec_point_deinit(K, 1);
229 -       crypto_ec_point_deinit(point, 1);
230         if (data->outbuf == NULL)
231                 eap_pwd_state(data, FAILURE);
232         else
233 --- a/src/eap_server/eap_server_pwd.c
234 +++ b/src/eap_server/eap_server_pwd.c
235 @@ -669,7 +669,7 @@ eap_pwd_process_commit_resp(struct eap_s
236  {
237         const u8 *ptr;
238         struct crypto_bignum *cofactor = NULL;
239 -       struct crypto_ec_point *K = NULL, *point = NULL;
240 +       struct crypto_ec_point *K = NULL;
241         int res = 0;
242         size_t prime_len, order_len;
243  
244 @@ -688,9 +688,8 @@ eap_pwd_process_commit_resp(struct eap_s
245  
246         data->k = crypto_bignum_init();
247         cofactor = crypto_bignum_init();
248 -       point = crypto_ec_point_init(data->grp->group);
249         K = crypto_ec_point_init(data->grp->group);
250 -       if (!data->k || !cofactor || !point || !K) {
251 +       if (!data->k || !cofactor || !K) {
252                 wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
253                            "fail");
254                 goto fin;
255 @@ -704,55 +703,20 @@ eap_pwd_process_commit_resp(struct eap_s
256  
257         /* element, x then y, followed by scalar */
258         ptr = payload;
259 -       data->peer_element = crypto_ec_point_from_bin(data->grp->group, ptr);
260 +       data->peer_element = eap_pwd_get_element(data->grp, ptr);
261         if (!data->peer_element) {
262                 wpa_printf(MSG_INFO, "EAP-PWD (server): setting peer element "
263                            "fail");
264                 goto fin;
265         }
266         ptr += prime_len * 2;
267 -       data->peer_scalar = crypto_bignum_init_set(ptr, order_len);
268 +       data->peer_scalar = eap_pwd_get_scalar(data->grp, ptr);
269         if (!data->peer_scalar) {
270                 wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
271                            "fail");
272                 goto fin;
273         }
274  
275 -       /* verify received scalar */
276 -       if (crypto_bignum_is_zero(data->peer_scalar) ||
277 -           crypto_bignum_is_one(data->peer_scalar) ||
278 -           crypto_bignum_cmp(data->peer_scalar,
279 -                             crypto_ec_get_order(data->grp->group)) >= 0) {
280 -               wpa_printf(MSG_INFO,
281 -                          "EAP-PWD (server): received scalar is invalid");
282 -               goto fin;
283 -       }
284 -
285 -       /* verify received element */
286 -       if (!crypto_ec_point_is_on_curve(data->grp->group,
287 -                                        data->peer_element) ||
288 -           crypto_ec_point_is_at_infinity(data->grp->group,
289 -                                          data->peer_element)) {
290 -               wpa_printf(MSG_INFO,
291 -                          "EAP-PWD (server): received element is invalid");
292 -               goto fin;
293 -       }
294 -
295 -       /* check to ensure peer's element is not in a small sub-group */
296 -       if (!crypto_bignum_is_one(cofactor)) {
297 -               if (crypto_ec_point_mul(data->grp->group, data->peer_element,
298 -                                       cofactor, point) != 0) {
299 -                       wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
300 -                                  "multiply peer element by order");
301 -                       goto fin;
302 -               }
303 -               if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
304 -                       wpa_printf(MSG_INFO, "EAP-PWD (server): peer element "
305 -                                  "is at infinity!\n");
306 -                       goto fin;
307 -               }
308 -       }
309 -
310         /* detect reflection attacks */
311         if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
312             crypto_ec_point_cmp(data->grp->group, data->my_element,
313 @@ -804,7 +768,6 @@ eap_pwd_process_commit_resp(struct eap_s
314  
315  fin:
316         crypto_ec_point_deinit(K, 1);
317 -       crypto_ec_point_deinit(point, 1);
318         crypto_bignum_deinit(cofactor, 1);
319  
320         if (res)