From d63edfa90243e9a7de6ae5c275032f2cc79fef95 Mon Sep 17 00:00:00 2001

From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>

Date: Sun, 31 Mar 2019 17:26:01 +0200

Subject: [PATCH 12/14] EAP-pwd server: Detect reflection attacks

When processing an EAP-pwd Commit frame, verify that the peer's scalar

and elliptic curve element differ from the one sent by the server. This

prevents reflection attacks where the adversary reflects the scalar and

element sent by the server. (CVE-2019-9497)

The vulnerability allows an adversary to complete the EAP-pwd handshake

as any user. However, the adversary does not learn the negotiated

session key, meaning the subsequent 4-way handshake would fail. As a

result, this cannot be abused to bypass authentication unless EAP-pwd is

used in non-WLAN cases without any following key exchange that would

require the attacker to learn the MSK.

Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>

---

 src/eap_server/eap_server_pwd.c | 9 +++++++++

 1 file changed, 9 insertions(+)

diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c

index 74979da..16057e9 100644

--- a/src/eap_server/eap_server_pwd.c

+++ b/src/eap_server/eap_server_pwd.c

@@ -753,6 +753,15 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,

 		}

 	}

+	/* detect reflection attacks */

+	if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||

+	    crypto_ec_point_cmp(data->grp->group, data->my_element,

+				data->peer_element) == 0) {

+		wpa_printf(MSG_INFO,

+			   "EAP-PWD (server): detected reflection attack!");

+		goto fin;

+	}

+

 	/* compute the shared key, k */

 	if ((crypto_ec_point_mul(data->grp->group, data->grp->pwe,

 				 data->peer_scalar, K) < 0) ||

-- 

2.7.4