Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/external/bsd/wpa/dist/src/eap_peer When processing an EAP-pw...
details: https://anonhg.NetBSD.org/src/rev/64321f9ff1f2
branches: trunk
changeset: 998197:64321f9ff1f2
user: christos <christos%NetBSD.org@localhost>
date: Wed Apr 10 17:49:59 2019 +0000
description:
When processing an EAP-pwd Commit frame, the server's scalar and element
(elliptic curve point) were not validated. This allowed an adversary to
bypass authentication, and act as a rogue Access Point (AP) if the
crypto implementation did not verify the validity of the EC point.
Fix this vulnerability by assuring the received scalar lies within the
valid range, and by checking that the received element is not the point
at infinity and lies on the elliptic curve being used. (CVE-2019-9499)
The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
(and also BoringSSL) implicitly validate the elliptic curve point in
EC_POINT_set_affine_coordinates_GFp(), preventing the attack.
diffstat:
external/bsd/wpa/dist/src/eap_peer/eap_pwd.c | 20 ++++++++++++++++++++
1 files changed, 20 insertions(+), 0 deletions(-)
diffs (30 lines):
diff -r e405761804b9 -r 64321f9ff1f2 external/bsd/wpa/dist/src/eap_peer/eap_pwd.c
--- a/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c Wed Apr 10 17:49:26 2019 +0000
+++ b/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c Wed Apr 10 17:49:59 2019 +0000
@@ -594,6 +594,26 @@
goto fin;
}
+ /* verify received scalar */
+ if (crypto_bignum_is_zero(data->server_scalar) ||
+ crypto_bignum_is_one(data->server_scalar) ||
+ crypto_bignum_cmp(data->server_scalar,
+ crypto_ec_get_order(data->grp->group)) >= 0) {
+ wpa_printf(MSG_INFO,
+ "EAP-PWD (peer): received scalar is invalid");
+ goto fin;
+ }
+
+ /* verify received element */
+ if (!crypto_ec_point_is_on_curve(data->grp->group,
+ data->server_element) ||
+ crypto_ec_point_is_at_infinity(data->grp->group,
+ data->server_element)) {
+ wpa_printf(MSG_INFO,
+ "EAP-PWD (peer): received element is invalid");
+ goto fin;
+ }
+
/* check to ensure server's element is not in a small sub-group */
if (!crypto_bignum_is_one(cofactor)) {
if (crypto_ec_point_mul(data->grp->group, data->server_element,
Home |
Main Index |
Thread Index |
Old Index