1 From 16d4f1069118aa19bfce013493e1ac5783f92f1d Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <jouni@codeaurora.org>
3 Date: Fri, 5 Apr 2019 02:12:50 +0300
4 Subject: [PATCH 14/14] EAP-pwd: Check element x,y coordinates explicitly
6 This adds an explicit check for 0 < x,y < prime based on RFC 5931,
7 2.8.5.2.2 requirement. The earlier checks might have covered this
8 implicitly, but it is safer to avoid any dependency on implicit checks
9 and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)
11 Furthermore, this moves the EAP-pwd element and scalar parsing and
12 validation steps into shared helper functions so that there is no need
13 to maintain two separate copies of this common functionality between the
14 server and peer implementations.
16 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
18 src/eap_common/eap_pwd_common.c | 106 ++++++++++++++++++++++++++++++++++++++++
19 src/eap_common/eap_pwd_common.h | 3 ++
20 src/eap_peer/eap_pwd.c | 45 ++---------------
21 src/eap_server/eap_server_pwd.c | 45 ++---------------
22 4 files changed, 117 insertions(+), 82 deletions(-)
24 --- a/src/eap_common/eap_pwd_common.c
25 +++ b/src/eap_common/eap_pwd_common.c
26 @@ -427,3 +427,109 @@ int compute_keys(EAP_PWD_group *grp, con
32 +static int eap_pwd_element_coord_ok(const struct crypto_bignum *prime,
33 + const u8 *buf, size_t len)
35 + struct crypto_bignum *val;
38 + val = crypto_bignum_init_set(buf, len);
39 + if (!val || crypto_bignum_is_zero(val) ||
40 + crypto_bignum_cmp(val, prime) >= 0)
42 + crypto_bignum_deinit(val, 0);
47 +struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
50 + struct crypto_ec_point *element;
51 + const struct crypto_bignum *prime;
53 + struct crypto_bignum *cofactor = NULL;
55 + prime = crypto_ec_get_prime(group->group);
56 + prime_len = crypto_ec_prime_len(group->group);
58 + /* RFC 5931, 2.8.5.2.2: 0 < x,y < p */
59 + if (!eap_pwd_element_coord_ok(prime, buf, prime_len) ||
60 + !eap_pwd_element_coord_ok(prime, buf + prime_len, prime_len)) {
61 + wpa_printf(MSG_INFO, "EAP-pwd: Invalid coordinate in element");
65 + element = crypto_ec_point_from_bin(group->group, buf);
67 + wpa_printf(MSG_INFO, "EAP-pwd: EC point from element failed");
71 + /* RFC 5931, 2.8.5.2.2: on curve and not the point at infinity */
72 + if (!crypto_ec_point_is_on_curve(group->group, element) ||
73 + crypto_ec_point_is_at_infinity(group->group, element)) {
74 + wpa_printf(MSG_INFO, "EAP-pwd: Invalid element");
78 + cofactor = crypto_bignum_init();
79 + if (!cofactor || crypto_ec_cofactor(group->group, cofactor) < 0) {
80 + wpa_printf(MSG_INFO,
81 + "EAP-pwd: Unable to get cofactor for curve");
85 + if (!crypto_bignum_is_one(cofactor)) {
86 + struct crypto_ec_point *point;
89 + /* check to ensure peer's element is not in a small sub-group */
90 + point = crypto_ec_point_init(group->group);
92 + crypto_ec_point_mul(group->group, element,
93 + cofactor, point) != 0 ||
94 + crypto_ec_point_is_at_infinity(group->group, point))
96 + crypto_ec_point_deinit(point, 0);
99 + wpa_printf(MSG_INFO,
100 + "EAP-pwd: Small sub-group check on peer element failed");
106 + crypto_bignum_deinit(cofactor, 0);
109 + crypto_ec_point_deinit(element, 0);
115 +struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf)
117 + struct crypto_bignum *scalar;
118 + const struct crypto_bignum *order;
121 + order = crypto_ec_get_order(group->group);
122 + order_len = crypto_ec_order_len(group->group);
124 + /* RFC 5931, 2.8.5.2: 1 < scalar < r */
125 + scalar = crypto_bignum_init_set(buf, order_len);
126 + if (!scalar || crypto_bignum_is_zero(scalar) ||
127 + crypto_bignum_is_one(scalar) ||
128 + crypto_bignum_cmp(scalar, order) >= 0) {
129 + wpa_printf(MSG_INFO, "EAP-pwd: received scalar is invalid");
130 + crypto_bignum_deinit(scalar, 0);
136 --- a/src/eap_common/eap_pwd_common.h
137 +++ b/src/eap_common/eap_pwd_common.h
138 @@ -67,5 +67,8 @@ int compute_keys(EAP_PWD_group *grp, con
139 struct crypto_hash * eap_pwd_h_init(void);
140 void eap_pwd_h_update(struct crypto_hash *hash, const u8 *data, size_t len);
141 void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest);
142 +struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
144 +struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf);
146 #endif /* EAP_PWD_COMMON_H */
147 --- a/src/eap_peer/eap_pwd.c
148 +++ b/src/eap_peer/eap_pwd.c
149 @@ -308,7 +308,7 @@ eap_pwd_perform_commit_exchange(struct e
150 const struct wpabuf *reqData,
151 const u8 *payload, size_t payload_len)
153 - struct crypto_ec_point *K = NULL, *point = NULL;
154 + struct crypto_ec_point *K = NULL;
155 struct crypto_bignum *mask = NULL, *cofactor = NULL;
156 const u8 *ptr = payload;
157 u8 *scalar = NULL, *element = NULL;
158 @@ -572,63 +572,27 @@ eap_pwd_perform_commit_exchange(struct e
159 /* process the request */
160 data->k = crypto_bignum_init();
161 K = crypto_ec_point_init(data->grp->group);
162 - point = crypto_ec_point_init(data->grp->group);
163 - if (!data->k || !K || !point) {
164 + if (!data->k || !K) {
165 wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
170 /* element, x then y, followed by scalar */
171 - data->server_element = crypto_ec_point_from_bin(data->grp->group, ptr);
172 + data->server_element = eap_pwd_get_element(data->grp, ptr);
173 if (!data->server_element) {
174 wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
178 ptr += prime_len * 2;
179 - data->server_scalar = crypto_bignum_init_set(ptr, order_len);
180 + data->server_scalar = eap_pwd_get_scalar(data->grp, ptr);
181 if (!data->server_scalar) {
183 "EAP-PWD (peer): setting peer scalar fail");
187 - /* verify received scalar */
188 - if (crypto_bignum_is_zero(data->server_scalar) ||
189 - crypto_bignum_is_one(data->server_scalar) ||
190 - crypto_bignum_cmp(data->server_scalar,
191 - crypto_ec_get_order(data->grp->group)) >= 0) {
192 - wpa_printf(MSG_INFO,
193 - "EAP-PWD (peer): received scalar is invalid");
197 - /* verify received element */
198 - if (!crypto_ec_point_is_on_curve(data->grp->group,
199 - data->server_element) ||
200 - crypto_ec_point_is_at_infinity(data->grp->group,
201 - data->server_element)) {
202 - wpa_printf(MSG_INFO,
203 - "EAP-PWD (peer): received element is invalid");
207 - /* check to ensure server's element is not in a small sub-group */
208 - if (!crypto_bignum_is_one(cofactor)) {
209 - if (crypto_ec_point_mul(data->grp->group, data->server_element,
210 - cofactor, point) < 0) {
211 - wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
212 - "server element by order!\n");
215 - if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
216 - wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
217 - "is at infinity!\n");
222 /* compute the shared key, k */
223 if (crypto_ec_point_mul(data->grp->group, data->grp->pwe,
224 data->server_scalar, K) < 0 ||
225 @@ -702,7 +666,6 @@ fin:
226 crypto_bignum_deinit(mask, 1);
227 crypto_bignum_deinit(cofactor, 1);
228 crypto_ec_point_deinit(K, 1);
229 - crypto_ec_point_deinit(point, 1);
230 if (data->outbuf == NULL)
231 eap_pwd_state(data, FAILURE);
233 --- a/src/eap_server/eap_server_pwd.c
234 +++ b/src/eap_server/eap_server_pwd.c
235 @@ -669,7 +669,7 @@ eap_pwd_process_commit_resp(struct eap_s
238 struct crypto_bignum *cofactor = NULL;
239 - struct crypto_ec_point *K = NULL, *point = NULL;
240 + struct crypto_ec_point *K = NULL;
242 size_t prime_len, order_len;
244 @@ -688,9 +688,8 @@ eap_pwd_process_commit_resp(struct eap_s
246 data->k = crypto_bignum_init();
247 cofactor = crypto_bignum_init();
248 - point = crypto_ec_point_init(data->grp->group);
249 K = crypto_ec_point_init(data->grp->group);
250 - if (!data->k || !cofactor || !point || !K) {
251 + if (!data->k || !cofactor || !K) {
252 wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
255 @@ -704,55 +703,20 @@ eap_pwd_process_commit_resp(struct eap_s
257 /* element, x then y, followed by scalar */
259 - data->peer_element = crypto_ec_point_from_bin(data->grp->group, ptr);
260 + data->peer_element = eap_pwd_get_element(data->grp, ptr);
261 if (!data->peer_element) {
262 wpa_printf(MSG_INFO, "EAP-PWD (server): setting peer element "
266 ptr += prime_len * 2;
267 - data->peer_scalar = crypto_bignum_init_set(ptr, order_len);
268 + data->peer_scalar = eap_pwd_get_scalar(data->grp, ptr);
269 if (!data->peer_scalar) {
270 wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
275 - /* verify received scalar */
276 - if (crypto_bignum_is_zero(data->peer_scalar) ||
277 - crypto_bignum_is_one(data->peer_scalar) ||
278 - crypto_bignum_cmp(data->peer_scalar,
279 - crypto_ec_get_order(data->grp->group)) >= 0) {
280 - wpa_printf(MSG_INFO,
281 - "EAP-PWD (server): received scalar is invalid");
285 - /* verify received element */
286 - if (!crypto_ec_point_is_on_curve(data->grp->group,
287 - data->peer_element) ||
288 - crypto_ec_point_is_at_infinity(data->grp->group,
289 - data->peer_element)) {
290 - wpa_printf(MSG_INFO,
291 - "EAP-PWD (server): received element is invalid");
295 - /* check to ensure peer's element is not in a small sub-group */
296 - if (!crypto_bignum_is_one(cofactor)) {
297 - if (crypto_ec_point_mul(data->grp->group, data->peer_element,
298 - cofactor, point) != 0) {
299 - wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
300 - "multiply peer element by order");
303 - if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
304 - wpa_printf(MSG_INFO, "EAP-PWD (server): peer element "
305 - "is at infinity!\n");
310 /* detect reflection attacks */
311 if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
312 crypto_ec_point_cmp(data->grp->group, data->my_element,
313 @@ -804,7 +768,6 @@ eap_pwd_process_commit_resp(struct eap_s
316 crypto_ec_point_deinit(K, 1);
317 - crypto_ec_point_deinit(point, 1);
318 crypto_bignum_deinit(cofactor, 1);
projects / oweals / openwrt.git / blob