1 files changed, 335 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch
new file mode 100644
index 0000000000..e944ef110f
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch
@@ -0,0 +1,335 @@
+From 16d4f1069118aa19bfce013493e1ac5783f92f1d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Fri, 5 Apr 2019 02:12:50 +0300
+Subject: [PATCH 14/14] EAP-pwd: Check element x,y coordinates explicitly
+This adds an explicit check for 0 < x,y < prime based on RFC 5931,
+2.8.5.2.2 requirement. The earlier checks might have covered this
+implicitly, but it is safer to avoid any dependency on implicit checks
+and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)
+Furthermore, this moves the EAP-pwd element and scalar parsing and
+validation steps into shared helper functions so that there is no need
+to maintain two separate copies of this common functionality between the
+server and peer implementations.
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+Upstream-Status: Backport
+CVE: CVE-2019-9498
+CVE: CVE-2019-9499
+---
+ src/eap_common/eap_pwd_common.c | 106 ++++++++++++++++++++++++++++++++++++++++
+ src/eap_common/eap_pwd_common.h |   3 ++
+ src/eap_peer/eap_pwd.c          |  45 ++---------------
+ src/eap_server/eap_server_pwd.c |  45 ++---------------
+ 4 files changed, 117 insertions(+), 82 deletions(-)
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index e49aaf8..c28b56d 100644
+--- a/src/eap_common/eap_pwd_common.c
+++ b/src/eap_common/eap_pwd_common.c
+@@ -428,3 +428,109 @@ int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k,
+ 
+        return 1;
+ }
+
+
+static int eap_pwd_element_coord_ok(const struct crypto_bignum *prime,
+                                   const u8 *buf, size_t len)
+{
+       struct crypto_bignum *val;
+       int ok = 1;
+
+       val = crypto_bignum_init_set(buf, len);
+       if (!val || crypto_bignum_is_zero(val) ||
+           crypto_bignum_cmp(val, prime) >= 0)
+               ok = 0;
+       crypto_bignum_deinit(val, 0);
+       return ok;
+}
+
+
+struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
+                                            const u8 *buf)
+{
+       struct crypto_ec_point *element;
+       const struct crypto_bignum *prime;
+       size_t prime_len;
+       struct crypto_bignum *cofactor = NULL;
+
+       prime = crypto_ec_get_prime(group->group);
+       prime_len = crypto_ec_prime_len(group->group);
+
+       /* RFC 5931, 2.8.5.2.2: 0 < x,y < p */
+       if (!eap_pwd_element_coord_ok(prime, buf, prime_len) ||
+           !eap_pwd_element_coord_ok(prime, buf + prime_len, prime_len)) {
+               wpa_printf(MSG_INFO, "EAP-pwd: Invalid coordinate in element");
+               return NULL;
+       }
+
+       element = crypto_ec_point_from_bin(group->group, buf);
+       if (!element) {
+               wpa_printf(MSG_INFO, "EAP-pwd: EC point from element failed");
+               return NULL;
+       }
+
+       /* RFC 5931, 2.8.5.2.2: on curve and not the point at infinity */
+       if (!crypto_ec_point_is_on_curve(group->group, element) ||
+           crypto_ec_point_is_at_infinity(group->group, element)) {
+               wpa_printf(MSG_INFO, "EAP-pwd: Invalid element");
+               goto fail;
+       }
+
+       cofactor = crypto_bignum_init();
+       if (!cofactor || crypto_ec_cofactor(group->group, cofactor) < 0) {
+               wpa_printf(MSG_INFO,
+                          "EAP-pwd: Unable to get cofactor for curve");
+               goto fail;
+       }
+
+       if (!crypto_bignum_is_one(cofactor)) {
+               struct crypto_ec_point *point;
+               int ok = 1;
+
+               /* check to ensure peer's element is not in a small sub-group */
+               point = crypto_ec_point_init(group->group);
+               if (!point ||
+                   crypto_ec_point_mul(group->group, element,
+                                       cofactor, point) != 0 ||
+                   crypto_ec_point_is_at_infinity(group->group, point))
+                       ok = 0;
+               crypto_ec_point_deinit(point, 0);
+
+               if (!ok) {
+                       wpa_printf(MSG_INFO,
+                                  "EAP-pwd: Small sub-group check on peer element failed");
+                       goto fail;
+               }
+       }
+
+out:
+       crypto_bignum_deinit(cofactor, 0);
+       return element;
+fail:
+       crypto_ec_point_deinit(element, 0);
+       element = NULL;
+       goto out;
+}
+
+
+struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf)
+{
+       struct crypto_bignum *scalar;
+       const struct crypto_bignum *order;
+       size_t order_len;
+
+       order = crypto_ec_get_order(group->group);
+       order_len = crypto_ec_order_len(group->group);
+
+       /* RFC 5931, 2.8.5.2: 1 < scalar < r */
+       scalar = crypto_bignum_init_set(buf, order_len);
+       if (!scalar || crypto_bignum_is_zero(scalar) ||
+           crypto_bignum_is_one(scalar) ||
+           crypto_bignum_cmp(scalar, order) >= 0) {
+               wpa_printf(MSG_INFO, "EAP-pwd: received scalar is invalid");
+               crypto_bignum_deinit(scalar, 0);
+               scalar = NULL;
+       }
+
+       return scalar;
+}
+diff --git a/src/eap_common/eap_pwd_common.h b/src/eap_common/eap_pwd_common.h
+index 6b07cf8..2387e59 100644
+--- a/src/eap_common/eap_pwd_common.h
+++ b/src/eap_common/eap_pwd_common.h
+@@ -67,5 +67,8 @@ int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k,
+ struct crypto_hash * eap_pwd_h_init(void);
+ void eap_pwd_h_update(struct crypto_hash *hash, const u8 *data, size_t len);
+ void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest);
+struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
+                                            const u8 *buf);
+struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf);
+ 
+ #endif  /* EAP_PWD_COMMON_H */
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 5a05e54..f37b974 100644
+--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
+@@ -308,7 +308,7 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+                                const struct wpabuf *reqData,
+                                const u8 *payload, size_t payload_len)
+ {
+-       struct crypto_ec_point *K = NULL, *point = NULL;
+       struct crypto_ec_point *K = NULL;
+        struct crypto_bignum *mask = NULL, *cofactor = NULL;
+        const u8 *ptr = payload;
+        u8 *scalar = NULL, *element = NULL;
+@@ -572,63 +572,27 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+        /* process the request */
+        data->k = crypto_bignum_init();
+        K = crypto_ec_point_init(data->grp->group);
+-       point = crypto_ec_point_init(data->grp->group);
+-       if (!data->k || !K || !point) {
+       if (!data->k || !K) {
+                wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
+                           "fail");
+                goto fin;
+        }
+ 
+        /* element, x then y, followed by scalar */
+-       data->server_element = crypto_ec_point_from_bin(data->grp->group, ptr);
+       data->server_element = eap_pwd_get_element(data->grp, ptr);
+        if (!data->server_element) {
+                wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
+                           "fail");
+                goto fin;
+        }
+        ptr += prime_len * 2;
+-       data->server_scalar = crypto_bignum_init_set(ptr, order_len);
+       data->server_scalar = eap_pwd_get_scalar(data->grp, ptr);
+        if (!data->server_scalar) {
+                wpa_printf(MSG_INFO,
+                           "EAP-PWD (peer): setting peer scalar fail");
+                goto fin;
+        }
+ 
+-       /* verify received scalar */
+-       if (crypto_bignum_is_zero(data->server_scalar) ||
+-           crypto_bignum_is_one(data->server_scalar) ||
+-           crypto_bignum_cmp(data->server_scalar,
+-                             crypto_ec_get_order(data->grp->group)) >= 0) {
+-               wpa_printf(MSG_INFO,
+-                          "EAP-PWD (peer): received scalar is invalid");
+-               goto fin;
+-       }
+-
+-       /* verify received element */
+-       if (!crypto_ec_point_is_on_curve(data->grp->group,
+-                                        data->server_element) ||
+-           crypto_ec_point_is_at_infinity(data->grp->group,
+-                                          data->server_element)) {
+-               wpa_printf(MSG_INFO,
+-                          "EAP-PWD (peer): received element is invalid");
+-               goto fin;
+-       }
+-
+-       /* check to ensure server's element is not in a small sub-group */
+-       if (!crypto_bignum_is_one(cofactor)) {
+-               if (crypto_ec_point_mul(data->grp->group, data->server_element,
+-                                       cofactor, point) < 0) {
+-                       wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
+-                                  "server element by order!\n");
+-                       goto fin;
+-               }
+-               if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
+-                       wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
+-                                  "is at infinity!\n");
+-                       goto fin;
+-               }
+-       }
+-
+        /* compute the shared key, k */
+        if (crypto_ec_point_mul(data->grp->group, data->grp->pwe,
+                                data->server_scalar, K) < 0 ||
+@@ -702,7 +666,6 @@ fin:
+        crypto_bignum_deinit(mask, 1);
+        crypto_bignum_deinit(cofactor, 1);
+        crypto_ec_point_deinit(K, 1);
+-       crypto_ec_point_deinit(point, 1);
+        if (data->outbuf == NULL)
+                eap_pwd_state(data, FAILURE);
+        else
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index 16057e9..f6c75cf 100644
+--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
+@@ -669,7 +669,7 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ {
+        const u8 *ptr;
+        struct crypto_bignum *cofactor = NULL;
+-       struct crypto_ec_point *K = NULL, *point = NULL;
+       struct crypto_ec_point *K = NULL;
+        int res = 0;
+        size_t prime_len, order_len;
+ 
+@@ -688,9 +688,8 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ 
+        data->k = crypto_bignum_init();
+        cofactor = crypto_bignum_init();
+-       point = crypto_ec_point_init(data->grp->group);
+        K = crypto_ec_point_init(data->grp->group);
+-       if (!data->k || !cofactor || !point || !K) {
+       if (!data->k || !cofactor || !K) {
+                wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
+                           "fail");
+                goto fin;
+@@ -704,55 +703,20 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ 
+        /* element, x then y, followed by scalar */
+        ptr = payload;
+-       data->peer_element = crypto_ec_point_from_bin(data->grp->group, ptr);
+       data->peer_element = eap_pwd_get_element(data->grp, ptr);
+        if (!data->peer_element) {
+                wpa_printf(MSG_INFO, "EAP-PWD (server): setting peer element "
+                           "fail");
+                goto fin;
+        }
+        ptr += prime_len * 2;
+-       data->peer_scalar = crypto_bignum_init_set(ptr, order_len);
+       data->peer_scalar = eap_pwd_get_scalar(data->grp, ptr);
+        if (!data->peer_scalar) {
+                wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
+                           "fail");
+                goto fin;
+        }
+ 
+-       /* verify received scalar */
+-       if (crypto_bignum_is_zero(data->peer_scalar) ||
+-           crypto_bignum_is_one(data->peer_scalar) ||
+-           crypto_bignum_cmp(data->peer_scalar,
+-                             crypto_ec_get_order(data->grp->group)) >= 0) {
+-               wpa_printf(MSG_INFO,
+-                          "EAP-PWD (server): received scalar is invalid");
+-               goto fin;
+-       }
+-
+-       /* verify received element */
+-       if (!crypto_ec_point_is_on_curve(data->grp->group,
+-                                        data->peer_element) ||
+-           crypto_ec_point_is_at_infinity(data->grp->group,
+-                                          data->peer_element)) {
+-               wpa_printf(MSG_INFO,
+-                          "EAP-PWD (server): received element is invalid");
+-               goto fin;
+-       }
+-
+-       /* check to ensure peer's element is not in a small sub-group */
+-       if (!crypto_bignum_is_one(cofactor)) {
+-               if (crypto_ec_point_mul(data->grp->group, data->peer_element,
+-                                       cofactor, point) != 0) {
+-                       wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
+-                                  "multiply peer element by order");
+-                       goto fin;
+-               }
+-               if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
+-                       wpa_printf(MSG_INFO, "EAP-PWD (server): peer element "
+-                                  "is at infinity!\n");
+-                       goto fin;
+-               }
+-       }
+-
+        /* detect reflection attacks */
+        if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
+            crypto_ec_point_cmp(data->grp->group, data->my_element,
+@@ -804,7 +768,6 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ 
+ fin:
+        crypto_ec_point_deinit(K, 1);
+-       crypto_ec_point_deinit(point, 1);
+        crypto_bignum_deinit(cofactor, 1);
+ 
+        if (res)
+-- 
+2.7.4

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch new file mode 100644 index 0000000000..e944ef110f --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch
@@ -0,0 +1,335 @@
	1	From 16d4f1069118aa19bfce013493e1ac5783f92f1d Mon Sep 17 00:00:00 2001
	2	From: Jouni Malinen <jouni@codeaurora.org>
	3	Date: Fri, 5 Apr 2019 02:12:50 +0300
	4	Subject: [PATCH 14/14] EAP-pwd: Check element x,y coordinates explicitly
	5
	6	This adds an explicit check for 0 < x,y < prime based on RFC 5931,
	7	2.8.5.2.2 requirement. The earlier checks might have covered this
	8	implicitly, but it is safer to avoid any dependency on implicit checks
	9	and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)
	10
	11	Furthermore, this moves the EAP-pwd element and scalar parsing and
	12	validation steps into shared helper functions so that there is no need
	13	to maintain two separate copies of this common functionality between the
	14	server and peer implementations.
	15
	16	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
	17	Signed-off-by: Adrian Bunk <bunk@stusta.de>
	18	Upstream-Status: Backport
	19	CVE: CVE-2019-9498
	20	CVE: CVE-2019-9499
	21	---
	22	src/eap_common/eap_pwd_common.c \| 106 ++++++++++++++++++++++++++++++++++++++++
	23	src/eap_common/eap_pwd_common.h \| 3 ++
	24	src/eap_peer/eap_pwd.c \| 45 ++---------------
	25	src/eap_server/eap_server_pwd.c \| 45 ++---------------
	26	4 files changed, 117 insertions(+), 82 deletions(-)
	27
	28	diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
	29	index e49aaf8..c28b56d 100644
	30	--- a/src/eap_common/eap_pwd_common.c
	31	+++ b/src/eap_common/eap_pwd_common.c
	32	@@ -428,3 +428,109 @@ int compute_keys(EAP_PWD_group grp, const struct crypto_bignum k,
	33
	34	return 1;
	35	}
	36	+
	37	+
	38	+static int eap_pwd_element_coord_ok(const struct crypto_bignum *prime,
	39	+ const u8 *buf, size_t len)
	40	+{
	41	+ struct crypto_bignum *val;
	42	+ int ok = 1;
	43	+
	44	+ val = crypto_bignum_init_set(buf, len);
	45	+ if (!val \|\| crypto_bignum_is_zero(val) \|\|
	46	+ crypto_bignum_cmp(val, prime) >= 0)
	47	+ ok = 0;
	48	+ crypto_bignum_deinit(val, 0);
	49	+ return ok;
	50	+}
	51	+
	52	+
	53	+struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
	54	+ const u8 *buf)
	55	+{
	56	+ struct crypto_ec_point *element;
	57	+ const struct crypto_bignum *prime;
	58	+ size_t prime_len;
	59	+ struct crypto_bignum *cofactor = NULL;
	60	+
	61	+ prime = crypto_ec_get_prime(group->group);
	62	+ prime_len = crypto_ec_prime_len(group->group);
	63	+
	64	+ /* RFC 5931, 2.8.5.2.2: 0 < x,y < p */
	65	+ if (!eap_pwd_element_coord_ok(prime, buf, prime_len) \|\|
	66	+ !eap_pwd_element_coord_ok(prime, buf + prime_len, prime_len)) {
	67	+ wpa_printf(MSG_INFO, "EAP-pwd: Invalid coordinate in element");
	68	+ return NULL;
	69	+ }
	70	+
	71	+ element = crypto_ec_point_from_bin(group->group, buf);
	72	+ if (!element) {
	73	+ wpa_printf(MSG_INFO, "EAP-pwd: EC point from element failed");
	74	+ return NULL;
	75	+ }
	76	+
	77	+ /* RFC 5931, 2.8.5.2.2: on curve and not the point at infinity */
	78	+ if (!crypto_ec_point_is_on_curve(group->group, element) \|\|
	79	+ crypto_ec_point_is_at_infinity(group->group, element)) {
	80	+ wpa_printf(MSG_INFO, "EAP-pwd: Invalid element");
	81	+ goto fail;
	82	+ }
	83	+
	84	+ cofactor = crypto_bignum_init();
	85	+ if (!cofactor \|\| crypto_ec_cofactor(group->group, cofactor) < 0) {
	86	+ wpa_printf(MSG_INFO,
	87	+ "EAP-pwd: Unable to get cofactor for curve");
	88	+ goto fail;
	89	+ }
	90	+
	91	+ if (!crypto_bignum_is_one(cofactor)) {
	92	+ struct crypto_ec_point *point;
	93	+ int ok = 1;
	94	+
	95	+ /* check to ensure peer's element is not in a small sub-group */
	96	+ point = crypto_ec_point_init(group->group);
	97	+ if (!point \|\|
	98	+ crypto_ec_point_mul(group->group, element,
	99	+ cofactor, point) != 0 \|\|
	100	+ crypto_ec_point_is_at_infinity(group->group, point))
	101	+ ok = 0;
	102	+ crypto_ec_point_deinit(point, 0);
	103	+
	104	+ if (!ok) {
	105	+ wpa_printf(MSG_INFO,
	106	+ "EAP-pwd: Small sub-group check on peer element failed");
	107	+ goto fail;
	108	+ }
	109	+ }
	110	+
	111	+out:
	112	+ crypto_bignum_deinit(cofactor, 0);
	113	+ return element;
	114	+fail:
	115	+ crypto_ec_point_deinit(element, 0);
	116	+ element = NULL;
	117	+ goto out;
	118	+}
	119	+
	120	+
	121	+struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group group, const u8 buf)
	122	+{
	123	+ struct crypto_bignum *scalar;
	124	+ const struct crypto_bignum *order;
	125	+ size_t order_len;
	126	+
	127	+ order = crypto_ec_get_order(group->group);
	128	+ order_len = crypto_ec_order_len(group->group);
	129	+
	130	+ /* RFC 5931, 2.8.5.2: 1 < scalar < r */
	131	+ scalar = crypto_bignum_init_set(buf, order_len);
	132	+ if (!scalar \|\| crypto_bignum_is_zero(scalar) \|\|
	133	+ crypto_bignum_is_one(scalar) \|\|
	134	+ crypto_bignum_cmp(scalar, order) >= 0) {
	135	+ wpa_printf(MSG_INFO, "EAP-pwd: received scalar is invalid");
	136	+ crypto_bignum_deinit(scalar, 0);
	137	+ scalar = NULL;
	138	+ }
	139	+
	140	+ return scalar;
	141	+}
	142	diff --git a/src/eap_common/eap_pwd_common.h b/src/eap_common/eap_pwd_common.h
	143	index 6b07cf8..2387e59 100644
	144	--- a/src/eap_common/eap_pwd_common.h
	145	+++ b/src/eap_common/eap_pwd_common.h
	146	@@ -67,5 +67,8 @@ int compute_keys(EAP_PWD_group grp, const struct crypto_bignum k,
	147	struct crypto_hash * eap_pwd_h_init(void);
	148	void eap_pwd_h_update(struct crypto_hash hash, const u8 data, size_t len);
	149	void eap_pwd_h_final(struct crypto_hash hash, u8 digest);
	150	+struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
	151	+ const u8 *buf);
	152	+struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group group, const u8 buf);
	153
	154	#endif /* EAP_PWD_COMMON_H */
	155	diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
	156	index 5a05e54..f37b974 100644
	157	--- a/src/eap_peer/eap_pwd.c
	158	+++ b/src/eap_peer/eap_pwd.c
	159	@@ -308,7 +308,7 @@ eap_pwd_perform_commit_exchange(struct eap_sm sm, struct eap_pwd_data data,
	160	const struct wpabuf *reqData,
	161	const u8 *payload, size_t payload_len)
	162	{
	163	- struct crypto_ec_point K = NULL, point = NULL;
	164	+ struct crypto_ec_point *K = NULL;
	165	struct crypto_bignum mask = NULL, cofactor = NULL;
	166	const u8 *ptr = payload;
	167	u8 scalar = NULL, element = NULL;
	168	@@ -572,63 +572,27 @@ eap_pwd_perform_commit_exchange(struct eap_sm sm, struct eap_pwd_data data,
	169	/* process the request */
	170	data->k = crypto_bignum_init();
	171	K = crypto_ec_point_init(data->grp->group);
	172	- point = crypto_ec_point_init(data->grp->group);
	173	- if (!data->k \|\| !K \|\| !point) {
	174	+ if (!data->k \|\| !K) {
	175	wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
	176	"fail");
	177	goto fin;
	178	}
	179
	180	/* element, x then y, followed by scalar */
	181	- data->server_element = crypto_ec_point_from_bin(data->grp->group, ptr);
	182	+ data->server_element = eap_pwd_get_element(data->grp, ptr);
	183	if (!data->server_element) {
	184	wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
	185	"fail");
	186	goto fin;
	187	}
	188	ptr += prime_len * 2;
	189	- data->server_scalar = crypto_bignum_init_set(ptr, order_len);
	190	+ data->server_scalar = eap_pwd_get_scalar(data->grp, ptr);
	191	if (!data->server_scalar) {
	192	wpa_printf(MSG_INFO,
	193	"EAP-PWD (peer): setting peer scalar fail");
	194	goto fin;
	195	}
	196
	197	- /* verify received scalar */
	198	- if (crypto_bignum_is_zero(data->server_scalar) \|\|
	199	- crypto_bignum_is_one(data->server_scalar) \|\|
	200	- crypto_bignum_cmp(data->server_scalar,
	201	- crypto_ec_get_order(data->grp->group)) >= 0) {
	202	- wpa_printf(MSG_INFO,
	203	- "EAP-PWD (peer): received scalar is invalid");
	204	- goto fin;
	205	- }
	206	-
	207	- /* verify received element */
	208	- if (!crypto_ec_point_is_on_curve(data->grp->group,
	209	- data->server_element) \|\|
	210	- crypto_ec_point_is_at_infinity(data->grp->group,
	211	- data->server_element)) {
	212	- wpa_printf(MSG_INFO,
	213	- "EAP-PWD (peer): received element is invalid");
	214	- goto fin;
	215	- }
	216	-
	217	- /* check to ensure server's element is not in a small sub-group */
	218	- if (!crypto_bignum_is_one(cofactor)) {
	219	- if (crypto_ec_point_mul(data->grp->group, data->server_element,
	220	- cofactor, point) < 0) {
	221	- wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
	222	- "server element by order!\n");
	223	- goto fin;
	224	- }
	225	- if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
	226	- wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
	227	- "is at infinity!\n");
	228	- goto fin;
	229	- }
	230	- }
	231	-
	232	/* compute the shared key, k */
	233	if (crypto_ec_point_mul(data->grp->group, data->grp->pwe,
	234	data->server_scalar, K) < 0 \|\|
	235	@@ -702,7 +666,6 @@ fin:
	236	crypto_bignum_deinit(mask, 1);
	237	crypto_bignum_deinit(cofactor, 1);
	238	crypto_ec_point_deinit(K, 1);
	239	- crypto_ec_point_deinit(point, 1);
	240	if (data->outbuf == NULL)
	241	eap_pwd_state(data, FAILURE);
	242	else
	243	diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
	244	index 16057e9..f6c75cf 100644
	245	--- a/src/eap_server/eap_server_pwd.c
	246	+++ b/src/eap_server/eap_server_pwd.c
	247	@@ -669,7 +669,7 @@ eap_pwd_process_commit_resp(struct eap_sm sm, struct eap_pwd_data data,
	248	{
	249	const u8 *ptr;
	250	struct crypto_bignum *cofactor = NULL;
	251	- struct crypto_ec_point K = NULL, point = NULL;
	252	+ struct crypto_ec_point *K = NULL;
	253	int res = 0;
	254	size_t prime_len, order_len;
	255
	256	@@ -688,9 +688,8 @@ eap_pwd_process_commit_resp(struct eap_sm sm, struct eap_pwd_data data,
	257
	258	data->k = crypto_bignum_init();
	259	cofactor = crypto_bignum_init();
	260	- point = crypto_ec_point_init(data->grp->group);
	261	K = crypto_ec_point_init(data->grp->group);
	262	- if (!data->k \|\| !cofactor \|\| !point \|\| !K) {
	263	+ if (!data->k \|\| !cofactor \|\| !K) {
	264	wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
	265	"fail");
	266	goto fin;
	267	@@ -704,55 +703,20 @@ eap_pwd_process_commit_resp(struct eap_sm sm, struct eap_pwd_data data,
	268
	269	/* element, x then y, followed by scalar */
	270	ptr = payload;
	271	- data->peer_element = crypto_ec_point_from_bin(data->grp->group, ptr);
	272	+ data->peer_element = eap_pwd_get_element(data->grp, ptr);
	273	if (!data->peer_element) {
	274	wpa_printf(MSG_INFO, "EAP-PWD (server): setting peer element "
	275	"fail");
	276	goto fin;
	277	}
	278	ptr += prime_len * 2;
	279	- data->peer_scalar = crypto_bignum_init_set(ptr, order_len);
	280	+ data->peer_scalar = eap_pwd_get_scalar(data->grp, ptr);
	281	if (!data->peer_scalar) {
	282	wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
	283	"fail");
	284	goto fin;
	285	}
	286
	287	- /* verify received scalar */
	288	- if (crypto_bignum_is_zero(data->peer_scalar) \|\|
	289	- crypto_bignum_is_one(data->peer_scalar) \|\|
	290	- crypto_bignum_cmp(data->peer_scalar,
	291	- crypto_ec_get_order(data->grp->group)) >= 0) {
	292	- wpa_printf(MSG_INFO,
	293	- "EAP-PWD (server): received scalar is invalid");
	294	- goto fin;
	295	- }
	296	-
	297	- /* verify received element */
	298	- if (!crypto_ec_point_is_on_curve(data->grp->group,
	299	- data->peer_element) \|\|
	300	- crypto_ec_point_is_at_infinity(data->grp->group,
	301	- data->peer_element)) {
	302	- wpa_printf(MSG_INFO,
	303	- "EAP-PWD (server): received element is invalid");
	304	- goto fin;
	305	- }
	306	-
	307	- /* check to ensure peer's element is not in a small sub-group */
	308	- if (!crypto_bignum_is_one(cofactor)) {
	309	- if (crypto_ec_point_mul(data->grp->group, data->peer_element,
	310	- cofactor, point) != 0) {
	311	- wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
	312	- "multiply peer element by order");
	313	- goto fin;
	314	- }
	315	- if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
	316	- wpa_printf(MSG_INFO, "EAP-PWD (server): peer element "
	317	- "is at infinity!\n");
	318	- goto fin;
	319	- }
	320	- }
	321	-
	322	/* detect reflection attacks */
	323	if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 \|\|
	324	crypto_ec_point_cmp(data->grp->group, data->my_element,
	325	@@ -804,7 +768,6 @@ eap_pwd_process_commit_resp(struct eap_sm sm, struct eap_pwd_data data,
	326
	327	fin:
	328	crypto_ec_point_deinit(K, 1);
	329	- crypto_ec_point_deinit(point, 1);
	330	crypto_bignum_deinit(cofactor, 1);
	331
	332	if (res)
	333	--
	334	2.7.4
	335