diff options
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch')
-rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch | 335 |
1 files changed, 335 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch new file mode 100644 index 0000000000..e944ef110f --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch | |||
@@ -0,0 +1,335 @@ | |||
1 | From 16d4f1069118aa19bfce013493e1ac5783f92f1d Mon Sep 17 00:00:00 2001 | ||
2 | From: Jouni Malinen <jouni@codeaurora.org> | ||
3 | Date: Fri, 5 Apr 2019 02:12:50 +0300 | ||
4 | Subject: [PATCH 14/14] EAP-pwd: Check element x,y coordinates explicitly | ||
5 | |||
6 | This adds an explicit check for 0 < x,y < prime based on RFC 5931, | ||
7 | 2.8.5.2.2 requirement. The earlier checks might have covered this | ||
8 | implicitly, but it is safer to avoid any dependency on implicit checks | ||
9 | and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499) | ||
10 | |||
11 | Furthermore, this moves the EAP-pwd element and scalar parsing and | ||
12 | validation steps into shared helper functions so that there is no need | ||
13 | to maintain two separate copies of this common functionality between the | ||
14 | server and peer implementations. | ||
15 | |||
16 | Signed-off-by: Jouni Malinen <jouni@codeaurora.org> | ||
17 | Signed-off-by: Adrian Bunk <bunk@stusta.de> | ||
18 | Upstream-Status: Backport | ||
19 | CVE: CVE-2019-9498 | ||
20 | CVE: CVE-2019-9499 | ||
21 | --- | ||
22 | src/eap_common/eap_pwd_common.c | 106 ++++++++++++++++++++++++++++++++++++++++ | ||
23 | src/eap_common/eap_pwd_common.h | 3 ++ | ||
24 | src/eap_peer/eap_pwd.c | 45 ++--------------- | ||
25 | src/eap_server/eap_server_pwd.c | 45 ++--------------- | ||
26 | 4 files changed, 117 insertions(+), 82 deletions(-) | ||
27 | |||
28 | diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c | ||
29 | index e49aaf8..c28b56d 100644 | ||
30 | --- a/src/eap_common/eap_pwd_common.c | ||
31 | +++ b/src/eap_common/eap_pwd_common.c | ||
32 | @@ -428,3 +428,109 @@ int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k, | ||
33 | |||
34 | return 1; | ||
35 | } | ||
36 | + | ||
37 | + | ||
38 | +static int eap_pwd_element_coord_ok(const struct crypto_bignum *prime, | ||
39 | + const u8 *buf, size_t len) | ||
40 | +{ | ||
41 | + struct crypto_bignum *val; | ||
42 | + int ok = 1; | ||
43 | + | ||
44 | + val = crypto_bignum_init_set(buf, len); | ||
45 | + if (!val || crypto_bignum_is_zero(val) || | ||
46 | + crypto_bignum_cmp(val, prime) >= 0) | ||
47 | + ok = 0; | ||
48 | + crypto_bignum_deinit(val, 0); | ||
49 | + return ok; | ||
50 | +} | ||
51 | + | ||
52 | + | ||
53 | +struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group, | ||
54 | + const u8 *buf) | ||
55 | +{ | ||
56 | + struct crypto_ec_point *element; | ||
57 | + const struct crypto_bignum *prime; | ||
58 | + size_t prime_len; | ||
59 | + struct crypto_bignum *cofactor = NULL; | ||
60 | + | ||
61 | + prime = crypto_ec_get_prime(group->group); | ||
62 | + prime_len = crypto_ec_prime_len(group->group); | ||
63 | + | ||
64 | + /* RFC 5931, 2.8.5.2.2: 0 < x,y < p */ | ||
65 | + if (!eap_pwd_element_coord_ok(prime, buf, prime_len) || | ||
66 | + !eap_pwd_element_coord_ok(prime, buf + prime_len, prime_len)) { | ||
67 | + wpa_printf(MSG_INFO, "EAP-pwd: Invalid coordinate in element"); | ||
68 | + return NULL; | ||
69 | + } | ||
70 | + | ||
71 | + element = crypto_ec_point_from_bin(group->group, buf); | ||
72 | + if (!element) { | ||
73 | + wpa_printf(MSG_INFO, "EAP-pwd: EC point from element failed"); | ||
74 | + return NULL; | ||
75 | + } | ||
76 | + | ||
77 | + /* RFC 5931, 2.8.5.2.2: on curve and not the point at infinity */ | ||
78 | + if (!crypto_ec_point_is_on_curve(group->group, element) || | ||
79 | + crypto_ec_point_is_at_infinity(group->group, element)) { | ||
80 | + wpa_printf(MSG_INFO, "EAP-pwd: Invalid element"); | ||
81 | + goto fail; | ||
82 | + } | ||
83 | + | ||
84 | + cofactor = crypto_bignum_init(); | ||
85 | + if (!cofactor || crypto_ec_cofactor(group->group, cofactor) < 0) { | ||
86 | + wpa_printf(MSG_INFO, | ||
87 | + "EAP-pwd: Unable to get cofactor for curve"); | ||
88 | + goto fail; | ||
89 | + } | ||
90 | + | ||
91 | + if (!crypto_bignum_is_one(cofactor)) { | ||
92 | + struct crypto_ec_point *point; | ||
93 | + int ok = 1; | ||
94 | + | ||
95 | + /* check to ensure peer's element is not in a small sub-group */ | ||
96 | + point = crypto_ec_point_init(group->group); | ||
97 | + if (!point || | ||
98 | + crypto_ec_point_mul(group->group, element, | ||
99 | + cofactor, point) != 0 || | ||
100 | + crypto_ec_point_is_at_infinity(group->group, point)) | ||
101 | + ok = 0; | ||
102 | + crypto_ec_point_deinit(point, 0); | ||
103 | + | ||
104 | + if (!ok) { | ||
105 | + wpa_printf(MSG_INFO, | ||
106 | + "EAP-pwd: Small sub-group check on peer element failed"); | ||
107 | + goto fail; | ||
108 | + } | ||
109 | + } | ||
110 | + | ||
111 | +out: | ||
112 | + crypto_bignum_deinit(cofactor, 0); | ||
113 | + return element; | ||
114 | +fail: | ||
115 | + crypto_ec_point_deinit(element, 0); | ||
116 | + element = NULL; | ||
117 | + goto out; | ||
118 | +} | ||
119 | + | ||
120 | + | ||
121 | +struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf) | ||
122 | +{ | ||
123 | + struct crypto_bignum *scalar; | ||
124 | + const struct crypto_bignum *order; | ||
125 | + size_t order_len; | ||
126 | + | ||
127 | + order = crypto_ec_get_order(group->group); | ||
128 | + order_len = crypto_ec_order_len(group->group); | ||
129 | + | ||
130 | + /* RFC 5931, 2.8.5.2: 1 < scalar < r */ | ||
131 | + scalar = crypto_bignum_init_set(buf, order_len); | ||
132 | + if (!scalar || crypto_bignum_is_zero(scalar) || | ||
133 | + crypto_bignum_is_one(scalar) || | ||
134 | + crypto_bignum_cmp(scalar, order) >= 0) { | ||
135 | + wpa_printf(MSG_INFO, "EAP-pwd: received scalar is invalid"); | ||
136 | + crypto_bignum_deinit(scalar, 0); | ||
137 | + scalar = NULL; | ||
138 | + } | ||
139 | + | ||
140 | + return scalar; | ||
141 | +} | ||
142 | diff --git a/src/eap_common/eap_pwd_common.h b/src/eap_common/eap_pwd_common.h | ||
143 | index 6b07cf8..2387e59 100644 | ||
144 | --- a/src/eap_common/eap_pwd_common.h | ||
145 | +++ b/src/eap_common/eap_pwd_common.h | ||
146 | @@ -67,5 +67,8 @@ int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k, | ||
147 | struct crypto_hash * eap_pwd_h_init(void); | ||
148 | void eap_pwd_h_update(struct crypto_hash *hash, const u8 *data, size_t len); | ||
149 | void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest); | ||
150 | +struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group, | ||
151 | + const u8 *buf); | ||
152 | +struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf); | ||
153 | |||
154 | #endif /* EAP_PWD_COMMON_H */ | ||
155 | diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c | ||
156 | index 5a05e54..f37b974 100644 | ||
157 | --- a/src/eap_peer/eap_pwd.c | ||
158 | +++ b/src/eap_peer/eap_pwd.c | ||
159 | @@ -308,7 +308,7 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data, | ||
160 | const struct wpabuf *reqData, | ||
161 | const u8 *payload, size_t payload_len) | ||
162 | { | ||
163 | - struct crypto_ec_point *K = NULL, *point = NULL; | ||
164 | + struct crypto_ec_point *K = NULL; | ||
165 | struct crypto_bignum *mask = NULL, *cofactor = NULL; | ||
166 | const u8 *ptr = payload; | ||
167 | u8 *scalar = NULL, *element = NULL; | ||
168 | @@ -572,63 +572,27 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data, | ||
169 | /* process the request */ | ||
170 | data->k = crypto_bignum_init(); | ||
171 | K = crypto_ec_point_init(data->grp->group); | ||
172 | - point = crypto_ec_point_init(data->grp->group); | ||
173 | - if (!data->k || !K || !point) { | ||
174 | + if (!data->k || !K) { | ||
175 | wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation " | ||
176 | "fail"); | ||
177 | goto fin; | ||
178 | } | ||
179 | |||
180 | /* element, x then y, followed by scalar */ | ||
181 | - data->server_element = crypto_ec_point_from_bin(data->grp->group, ptr); | ||
182 | + data->server_element = eap_pwd_get_element(data->grp, ptr); | ||
183 | if (!data->server_element) { | ||
184 | wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element " | ||
185 | "fail"); | ||
186 | goto fin; | ||
187 | } | ||
188 | ptr += prime_len * 2; | ||
189 | - data->server_scalar = crypto_bignum_init_set(ptr, order_len); | ||
190 | + data->server_scalar = eap_pwd_get_scalar(data->grp, ptr); | ||
191 | if (!data->server_scalar) { | ||
192 | wpa_printf(MSG_INFO, | ||
193 | "EAP-PWD (peer): setting peer scalar fail"); | ||
194 | goto fin; | ||
195 | } | ||
196 | |||
197 | - /* verify received scalar */ | ||
198 | - if (crypto_bignum_is_zero(data->server_scalar) || | ||
199 | - crypto_bignum_is_one(data->server_scalar) || | ||
200 | - crypto_bignum_cmp(data->server_scalar, | ||
201 | - crypto_ec_get_order(data->grp->group)) >= 0) { | ||
202 | - wpa_printf(MSG_INFO, | ||
203 | - "EAP-PWD (peer): received scalar is invalid"); | ||
204 | - goto fin; | ||
205 | - } | ||
206 | - | ||
207 | - /* verify received element */ | ||
208 | - if (!crypto_ec_point_is_on_curve(data->grp->group, | ||
209 | - data->server_element) || | ||
210 | - crypto_ec_point_is_at_infinity(data->grp->group, | ||
211 | - data->server_element)) { | ||
212 | - wpa_printf(MSG_INFO, | ||
213 | - "EAP-PWD (peer): received element is invalid"); | ||
214 | - goto fin; | ||
215 | - } | ||
216 | - | ||
217 | - /* check to ensure server's element is not in a small sub-group */ | ||
218 | - if (!crypto_bignum_is_one(cofactor)) { | ||
219 | - if (crypto_ec_point_mul(data->grp->group, data->server_element, | ||
220 | - cofactor, point) < 0) { | ||
221 | - wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply " | ||
222 | - "server element by order!\n"); | ||
223 | - goto fin; | ||
224 | - } | ||
225 | - if (crypto_ec_point_is_at_infinity(data->grp->group, point)) { | ||
226 | - wpa_printf(MSG_INFO, "EAP-PWD (peer): server element " | ||
227 | - "is at infinity!\n"); | ||
228 | - goto fin; | ||
229 | - } | ||
230 | - } | ||
231 | - | ||
232 | /* compute the shared key, k */ | ||
233 | if (crypto_ec_point_mul(data->grp->group, data->grp->pwe, | ||
234 | data->server_scalar, K) < 0 || | ||
235 | @@ -702,7 +666,6 @@ fin: | ||
236 | crypto_bignum_deinit(mask, 1); | ||
237 | crypto_bignum_deinit(cofactor, 1); | ||
238 | crypto_ec_point_deinit(K, 1); | ||
239 | - crypto_ec_point_deinit(point, 1); | ||
240 | if (data->outbuf == NULL) | ||
241 | eap_pwd_state(data, FAILURE); | ||
242 | else | ||
243 | diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c | ||
244 | index 16057e9..f6c75cf 100644 | ||
245 | --- a/src/eap_server/eap_server_pwd.c | ||
246 | +++ b/src/eap_server/eap_server_pwd.c | ||
247 | @@ -669,7 +669,7 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data, | ||
248 | { | ||
249 | const u8 *ptr; | ||
250 | struct crypto_bignum *cofactor = NULL; | ||
251 | - struct crypto_ec_point *K = NULL, *point = NULL; | ||
252 | + struct crypto_ec_point *K = NULL; | ||
253 | int res = 0; | ||
254 | size_t prime_len, order_len; | ||
255 | |||
256 | @@ -688,9 +688,8 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data, | ||
257 | |||
258 | data->k = crypto_bignum_init(); | ||
259 | cofactor = crypto_bignum_init(); | ||
260 | - point = crypto_ec_point_init(data->grp->group); | ||
261 | K = crypto_ec_point_init(data->grp->group); | ||
262 | - if (!data->k || !cofactor || !point || !K) { | ||
263 | + if (!data->k || !cofactor || !K) { | ||
264 | wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation " | ||
265 | "fail"); | ||
266 | goto fin; | ||
267 | @@ -704,55 +703,20 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data, | ||
268 | |||
269 | /* element, x then y, followed by scalar */ | ||
270 | ptr = payload; | ||
271 | - data->peer_element = crypto_ec_point_from_bin(data->grp->group, ptr); | ||
272 | + data->peer_element = eap_pwd_get_element(data->grp, ptr); | ||
273 | if (!data->peer_element) { | ||
274 | wpa_printf(MSG_INFO, "EAP-PWD (server): setting peer element " | ||
275 | "fail"); | ||
276 | goto fin; | ||
277 | } | ||
278 | ptr += prime_len * 2; | ||
279 | - data->peer_scalar = crypto_bignum_init_set(ptr, order_len); | ||
280 | + data->peer_scalar = eap_pwd_get_scalar(data->grp, ptr); | ||
281 | if (!data->peer_scalar) { | ||
282 | wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation " | ||
283 | "fail"); | ||
284 | goto fin; | ||
285 | } | ||
286 | |||
287 | - /* verify received scalar */ | ||
288 | - if (crypto_bignum_is_zero(data->peer_scalar) || | ||
289 | - crypto_bignum_is_one(data->peer_scalar) || | ||
290 | - crypto_bignum_cmp(data->peer_scalar, | ||
291 | - crypto_ec_get_order(data->grp->group)) >= 0) { | ||
292 | - wpa_printf(MSG_INFO, | ||
293 | - "EAP-PWD (server): received scalar is invalid"); | ||
294 | - goto fin; | ||
295 | - } | ||
296 | - | ||
297 | - /* verify received element */ | ||
298 | - if (!crypto_ec_point_is_on_curve(data->grp->group, | ||
299 | - data->peer_element) || | ||
300 | - crypto_ec_point_is_at_infinity(data->grp->group, | ||
301 | - data->peer_element)) { | ||
302 | - wpa_printf(MSG_INFO, | ||
303 | - "EAP-PWD (server): received element is invalid"); | ||
304 | - goto fin; | ||
305 | - } | ||
306 | - | ||
307 | - /* check to ensure peer's element is not in a small sub-group */ | ||
308 | - if (!crypto_bignum_is_one(cofactor)) { | ||
309 | - if (crypto_ec_point_mul(data->grp->group, data->peer_element, | ||
310 | - cofactor, point) != 0) { | ||
311 | - wpa_printf(MSG_INFO, "EAP-PWD (server): cannot " | ||
312 | - "multiply peer element by order"); | ||
313 | - goto fin; | ||
314 | - } | ||
315 | - if (crypto_ec_point_is_at_infinity(data->grp->group, point)) { | ||
316 | - wpa_printf(MSG_INFO, "EAP-PWD (server): peer element " | ||
317 | - "is at infinity!\n"); | ||
318 | - goto fin; | ||
319 | - } | ||
320 | - } | ||
321 | - | ||
322 | /* detect reflection attacks */ | ||
323 | if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 || | ||
324 | crypto_ec_point_cmp(data->grp->group, data->my_element, | ||
325 | @@ -804,7 +768,6 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data, | ||
326 | |||
327 | fin: | ||
328 | crypto_ec_point_deinit(K, 1); | ||
329 | - crypto_ec_point_deinit(point, 1); | ||
330 | crypto_bignum_deinit(cofactor, 1); | ||
331 | |||
332 | if (res) | ||
333 | -- | ||
334 | 2.7.4 | ||
335 | |||