|
John W. Linville |
aeb7fa6 |
From 16d4f1069118aa19bfce013493e1ac5783f92f1d Mon Sep 17 00:00:00 2001
|
|
John W. Linville |
aeb7fa6 |
From: Jouni Malinen <jouni@codeaurora.org>
|
|
John W. Linville |
aeb7fa6 |
Date: Fri, 5 Apr 2019 02:12:50 +0300
|
|
John W. Linville |
aeb7fa6 |
Subject: [PATCH 14/14] EAP-pwd: Check element x,y coordinates explicitly
|
|
John W. Linville |
aeb7fa6 |
|
|
John W. Linville |
aeb7fa6 |
This adds an explicit check for 0 < x,y < prime based on RFC 5931,
|
|
John W. Linville |
aeb7fa6 |
2.8.5.2.2 requirement. The earlier checks might have covered this
|
|
John W. Linville |
aeb7fa6 |
implicitly, but it is safer to avoid any dependency on implicit checks
|
|
John W. Linville |
aeb7fa6 |
and specific crypto library behavior. (CVE-2019-9498 and CVE-2019-9499)
|
|
John W. Linville |
aeb7fa6 |
|
|
John W. Linville |
aeb7fa6 |
Furthermore, this moves the EAP-pwd element and scalar parsing and
|
|
John W. Linville |
aeb7fa6 |
validation steps into shared helper functions so that there is no need
|
|
John W. Linville |
aeb7fa6 |
to maintain two separate copies of this common functionality between the
|
|
John W. Linville |
aeb7fa6 |
server and peer implementations.
|
|
John W. Linville |
aeb7fa6 |
|
|
John W. Linville |
aeb7fa6 |
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
|
|
John W. Linville |
aeb7fa6 |
---
|
|
John W. Linville |
aeb7fa6 |
src/eap_common/eap_pwd_common.c | 106 ++++++++++++++++++++++++++++++++++++++++
|
|
John W. Linville |
aeb7fa6 |
src/eap_common/eap_pwd_common.h | 3 ++
|
|
John W. Linville |
aeb7fa6 |
src/eap_peer/eap_pwd.c | 45 ++---------------
|
|
John W. Linville |
aeb7fa6 |
src/eap_server/eap_server_pwd.c | 45 ++---------------
|
|
John W. Linville |
aeb7fa6 |
4 files changed, 117 insertions(+), 82 deletions(-)
|
|
John W. Linville |
aeb7fa6 |
|
|
John W. Linville |
aeb7fa6 |
diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
|
|
John W. Linville |
aeb7fa6 |
index e49aaf8..c28b56d 100644
|
|
John W. Linville |
aeb7fa6 |
--- a/src/eap_common/eap_pwd_common.c
|
|
John W. Linville |
aeb7fa6 |
+++ b/src/eap_common/eap_pwd_common.c
|
|
John W. Linville |
aeb7fa6 |
@@ -428,3 +428,109 @@ int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k,
|
|
John W. Linville |
aeb7fa6 |
|
|
John W. Linville |
aeb7fa6 |
return 1;
|
|
John W. Linville |
aeb7fa6 |
}
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+static int eap_pwd_element_coord_ok(const struct crypto_bignum *prime,
|
|
John W. Linville |
aeb7fa6 |
+ const u8 *buf, size_t len)
|
|
John W. Linville |
aeb7fa6 |
+{
|
|
John W. Linville |
aeb7fa6 |
+ struct crypto_bignum *val;
|
|
John W. Linville |
aeb7fa6 |
+ int ok = 1;
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+ val = crypto_bignum_init_set(buf, len);
|
|
John W. Linville |
aeb7fa6 |
+ if (!val || crypto_bignum_is_zero(val) ||
|
|
John W. Linville |
aeb7fa6 |
+ crypto_bignum_cmp(val, prime) >= 0)
|
|
John W. Linville |
aeb7fa6 |
+ ok = 0;
|
|
John W. Linville |
aeb7fa6 |
+ crypto_bignum_deinit(val, 0);
|
|
John W. Linville |
aeb7fa6 |
+ return ok;
|
|
John W. Linville |
aeb7fa6 |
+}
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
|
|
John W. Linville |
aeb7fa6 |
+ const u8 *buf)
|
|
John W. Linville |
aeb7fa6 |
+{
|
|
John W. Linville |
aeb7fa6 |
+ struct crypto_ec_point *element;
|
|
John W. Linville |
aeb7fa6 |
+ const struct crypto_bignum *prime;
|
|
John W. Linville |
aeb7fa6 |
+ size_t prime_len;
|
|
John W. Linville |
aeb7fa6 |
+ struct crypto_bignum *cofactor = NULL;
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+ prime = crypto_ec_get_prime(group->group);
|
|
John W. Linville |
aeb7fa6 |
+ prime_len = crypto_ec_prime_len(group->group);
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+ /* RFC 5931, 2.8.5.2.2: 0 < x,y < p */
|
|
John W. Linville |
aeb7fa6 |
+ if (!eap_pwd_element_coord_ok(prime, buf, prime_len) ||
|
|
John W. Linville |
aeb7fa6 |
+ !eap_pwd_element_coord_ok(prime, buf + prime_len, prime_len)) {
|
|
John W. Linville |
aeb7fa6 |
+ wpa_printf(MSG_INFO, "EAP-pwd: Invalid coordinate in element");
|
|
John W. Linville |
aeb7fa6 |
+ return NULL;
|
|
John W. Linville |
aeb7fa6 |
+ }
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+ element = crypto_ec_point_from_bin(group->group, buf);
|
|
John W. Linville |
aeb7fa6 |
+ if (!element) {
|
|
John W. Linville |
aeb7fa6 |
+ wpa_printf(MSG_INFO, "EAP-pwd: EC point from element failed");
|
|
John W. Linville |
aeb7fa6 |
+ return NULL;
|
|
John W. Linville |
aeb7fa6 |
+ }
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+ /* RFC 5931, 2.8.5.2.2: on curve and not the point at infinity */
|
|
John W. Linville |
aeb7fa6 |
+ if (!crypto_ec_point_is_on_curve(group->group, element) ||
|
|
John W. Linville |
aeb7fa6 |
+ crypto_ec_point_is_at_infinity(group->group, element)) {
|
|
John W. Linville |
aeb7fa6 |
+ wpa_printf(MSG_INFO, "EAP-pwd: Invalid element");
|
|
John W. Linville |
aeb7fa6 |
+ goto fail;
|
|
John W. Linville |
aeb7fa6 |
+ }
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+ cofactor = crypto_bignum_init();
|
|
John W. Linville |
aeb7fa6 |
+ if (!cofactor || crypto_ec_cofactor(group->group, cofactor) < 0) {
|
|
John W. Linville |
aeb7fa6 |
+ wpa_printf(MSG_INFO,
|
|
John W. Linville |
aeb7fa6 |
+ "EAP-pwd: Unable to get cofactor for curve");
|
|
John W. Linville |
aeb7fa6 |
+ goto fail;
|
|
John W. Linville |
aeb7fa6 |
+ }
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+ if (!crypto_bignum_is_one(cofactor)) {
|
|
John W. Linville |
aeb7fa6 |
+ struct crypto_ec_point *point;
|
|
John W. Linville |
aeb7fa6 |
+ int ok = 1;
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+ /* check to ensure peer's element is not in a small sub-group */
|
|
John W. Linville |
aeb7fa6 |
+ point = crypto_ec_point_init(group->group);
|
|
John W. Linville |
aeb7fa6 |
+ if (!point ||
|
|
John W. Linville |
aeb7fa6 |
+ crypto_ec_point_mul(group->group, element,
|
|
John W. Linville |
aeb7fa6 |
+ cofactor, point) != 0 ||
|
|
John W. Linville |
aeb7fa6 |
+ crypto_ec_point_is_at_infinity(group->group, point))
|
|
John W. Linville |
aeb7fa6 |
+ ok = 0;
|
|
John W. Linville |
aeb7fa6 |
+ crypto_ec_point_deinit(point, 0);
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+ if (!ok) {
|
|
John W. Linville |
aeb7fa6 |
+ wpa_printf(MSG_INFO,
|
|
John W. Linville |
aeb7fa6 |
+ "EAP-pwd: Small sub-group check on peer element failed");
|
|
John W. Linville |
aeb7fa6 |
+ goto fail;
|
|
John W. Linville |
aeb7fa6 |
+ }
|
|
John W. Linville |
aeb7fa6 |
+ }
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+out:
|
|
John W. Linville |
aeb7fa6 |
+ crypto_bignum_deinit(cofactor, 0);
|
|
John W. Linville |
aeb7fa6 |
+ return element;
|
|
John W. Linville |
aeb7fa6 |
+fail:
|
|
John W. Linville |
aeb7fa6 |
+ crypto_ec_point_deinit(element, 0);
|
|
John W. Linville |
aeb7fa6 |
+ element = NULL;
|
|
John W. Linville |
aeb7fa6 |
+ goto out;
|
|
John W. Linville |
aeb7fa6 |
+}
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf)
|
|
John W. Linville |
aeb7fa6 |
+{
|
|
John W. Linville |
aeb7fa6 |
+ struct crypto_bignum *scalar;
|
|
John W. Linville |
aeb7fa6 |
+ const struct crypto_bignum *order;
|
|
John W. Linville |
aeb7fa6 |
+ size_t order_len;
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+ order = crypto_ec_get_order(group->group);
|
|
John W. Linville |
aeb7fa6 |
+ order_len = crypto_ec_order_len(group->group);
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+ /* RFC 5931, 2.8.5.2: 1 < scalar < r */
|
|
John W. Linville |
aeb7fa6 |
+ scalar = crypto_bignum_init_set(buf, order_len);
|
|
John W. Linville |
aeb7fa6 |
+ if (!scalar || crypto_bignum_is_zero(scalar) ||
|
|
John W. Linville |
aeb7fa6 |
+ crypto_bignum_is_one(scalar) ||
|
|
John W. Linville |
aeb7fa6 |
+ crypto_bignum_cmp(scalar, order) >= 0) {
|
|
John W. Linville |
aeb7fa6 |
+ wpa_printf(MSG_INFO, "EAP-pwd: received scalar is invalid");
|
|
John W. Linville |
aeb7fa6 |
+ crypto_bignum_deinit(scalar, 0);
|
|
John W. Linville |
aeb7fa6 |
+ scalar = NULL;
|
|
John W. Linville |
aeb7fa6 |
+ }
|
|
John W. Linville |
aeb7fa6 |
+
|
|
John W. Linville |
aeb7fa6 |
+ return scalar;
|
|
John W. Linville |
aeb7fa6 |
+}
|
|
John W. Linville |
aeb7fa6 |
diff --git a/src/eap_common/eap_pwd_common.h b/src/eap_common/eap_pwd_common.h
|
|
John W. Linville |
aeb7fa6 |
index 6b07cf8..2387e59 100644
|
|
John W. Linville |
aeb7fa6 |
--- a/src/eap_common/eap_pwd_common.h
|
|
John W. Linville |
aeb7fa6 |
+++ b/src/eap_common/eap_pwd_common.h
|
|
John W. Linville |
aeb7fa6 |
@@ -67,5 +67,8 @@ int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k,
|
|
John W. Linville |
aeb7fa6 |
struct crypto_hash * eap_pwd_h_init(void);
|
|
John W. Linville |
aeb7fa6 |
void eap_pwd_h_update(struct crypto_hash *hash, const u8 *data, size_t len);
|
|
John W. Linville |
aeb7fa6 |
void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest);
|
|
John W. Linville |
aeb7fa6 |
+struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
|
|
John W. Linville |
aeb7fa6 |
+ const u8 *buf);
|
|
John W. Linville |
aeb7fa6 |
+struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf);
|
|
John W. Linville |
aeb7fa6 |
|
|
John W. Linville |
aeb7fa6 |
#endif /* EAP_PWD_COMMON_H */
|
|
John W. Linville |
aeb7fa6 |
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
|
|
John W. Linville |
aeb7fa6 |
index 5a05e54..f37b974 100644
|
|
John W. Linville |
aeb7fa6 |
--- a/src/eap_peer/eap_pwd.c
|
|
John W. Linville |
aeb7fa6 |
+++ b/src/eap_peer/eap_pwd.c
|
|
John W. Linville |
aeb7fa6 |
@@ -308,7 +308,7 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|
John W. Linville |
aeb7fa6 |
const struct wpabuf *reqData,
|
|
John W. Linville |
aeb7fa6 |
const u8 *payload, size_t payload_len)
|
|
John W. Linville |
aeb7fa6 |
{
|
|
John W. Linville |
aeb7fa6 |
- struct crypto_ec_point *K = NULL, *point = NULL;
|
|
John W. Linville |
aeb7fa6 |
+ struct crypto_ec_point *K = NULL;
|
|
John W. Linville |
aeb7fa6 |
struct crypto_bignum *mask = NULL, *cofactor = NULL;
|
|
John W. Linville |
aeb7fa6 |
const u8 *ptr = payload;
|
|
John W. Linville |
aeb7fa6 |
u8 *scalar = NULL, *element = NULL;
|
|
John W. Linville |
aeb7fa6 |
@@ -572,63 +572,27 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|
John W. Linville |
aeb7fa6 |
/* process the request */
|
|
John W. Linville |
aeb7fa6 |
data->k = crypto_bignum_init();
|
|
John W. Linville |
aeb7fa6 |
K = crypto_ec_point_init(data->grp->group);
|
|
John W. Linville |
aeb7fa6 |
- point = crypto_ec_point_init(data->grp->group);
|
|
John W. Linville |
aeb7fa6 |
- if (!data->k || !K || !point) {
|
|
John W. Linville |
aeb7fa6 |
+ if (!data->k || !K) {
|
|
John W. Linville |
aeb7fa6 |
wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
|
|
John W. Linville |
aeb7fa6 |
"fail");
|
|
John W. Linville |
aeb7fa6 |
goto fin;
|
|
John W. Linville |
aeb7fa6 |
}
|
|
John W. Linville |
aeb7fa6 |
|
|
John W. Linville |
aeb7fa6 |
/* element, x then y, followed by scalar */
|
|
John W. Linville |
aeb7fa6 |
- data->server_element = crypto_ec_point_from_bin(data->grp->group, ptr);
|
|
John W. Linville |
aeb7fa6 |
+ data->server_element = eap_pwd_get_element(data->grp, ptr);
|
|
John W. Linville |
aeb7fa6 |
if (!data->server_element) {
|
|
John W. Linville |
aeb7fa6 |
wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
|
|
John W. Linville |
aeb7fa6 |
"fail");
|
|
John W. Linville |
aeb7fa6 |
goto fin;
|
|
John W. Linville |
aeb7fa6 |
}
|
|
John W. Linville |
aeb7fa6 |
ptr += prime_len * 2;
|
|
John W. Linville |
aeb7fa6 |
- data->server_scalar = crypto_bignum_init_set(ptr, order_len);
|
|
John W. Linville |
aeb7fa6 |
+ data->server_scalar = eap_pwd_get_scalar(data->grp, ptr);
|
|
John W. Linville |
aeb7fa6 |
if (!data->server_scalar) {
|
|
John W. Linville |
aeb7fa6 |
wpa_printf(MSG_INFO,
|
|
John W. Linville |
aeb7fa6 |
"EAP-PWD (peer): setting peer scalar fail");
|
|
John W. Linville |
aeb7fa6 |
goto fin;
|
|
John W. Linville |
aeb7fa6 |
}
|
|
John W. Linville |
aeb7fa6 |
|
|
John W. Linville |
aeb7fa6 |
- /* verify received scalar */
|
|
John W. Linville |
aeb7fa6 |
- if (crypto_bignum_is_zero(data->server_scalar) ||
|
|
John W. Linville |
aeb7fa6 |
- crypto_bignum_is_one(data->server_scalar) ||
|
|
John W. Linville |
aeb7fa6 |
- crypto_bignum_cmp(data->server_scalar,
|
|
John W. Linville |
aeb7fa6 |
- crypto_ec_get_order(data->grp->group)) >= 0) {
|
|
John W. Linville |
aeb7fa6 |
- wpa_printf(MSG_INFO,
|
|
John W. Linville |
aeb7fa6 |
- "EAP-PWD (peer): received scalar is invalid");
|
|
John W. Linville |
aeb7fa6 |
- goto fin;
|
|
John W. Linville |
aeb7fa6 |
- }
|
|
John W. Linville |
aeb7fa6 |
-
|
|
John W. Linville |
aeb7fa6 |
- /* verify received element */
|
|
John W. Linville |
aeb7fa6 |
- if (!crypto_ec_point_is_on_curve(data->grp->group,
|
|
John W. Linville |
aeb7fa6 |
- data->server_element) ||
|
|
John W. Linville |
aeb7fa6 |
- crypto_ec_point_is_at_infinity(data->grp->group,
|
|
John W. Linville |
aeb7fa6 |
- data->server_element)) {
|
|
John W. Linville |
aeb7fa6 |
- wpa_printf(MSG_INFO,
|
|
John W. Linville |
aeb7fa6 |
- "EAP-PWD (peer): received element is invalid");
|
|
John W. Linville |
aeb7fa6 |
- goto fin;
|
|
John W. Linville |
aeb7fa6 |
- }
|
|
John W. Linville |
aeb7fa6 |
-
|
|
John W. Linville |
aeb7fa6 |
- /* check to ensure server's element is not in a small sub-group */
|
|
John W. Linville |
aeb7fa6 |
- if (!crypto_bignum_is_one(cofactor)) {
|
|
John W. Linville |
aeb7fa6 |
- if (crypto_ec_point_mul(data->grp->group, data->server_element,
|
|
John W. Linville |
aeb7fa6 |
- cofactor, point) < 0) {
|
|
John W. Linville |
aeb7fa6 |
- wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
|
|
John W. Linville |
aeb7fa6 |
- "server element by order!\n");
|
|
John W. Linville |
aeb7fa6 |
- goto fin;
|
|
John W. Linville |
aeb7fa6 |
- }
|
|
John W. Linville |
aeb7fa6 |
- if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
|
|
John W. Linville |
aeb7fa6 |
- wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
|
|
John W. Linville |
aeb7fa6 |
- "is at infinity!\n");
|
|
John W. Linville |
aeb7fa6 |
- goto fin;
|
|
John W. Linville |
aeb7fa6 |
- }
|
|
John W. Linville |
aeb7fa6 |
- }
|
|
John W. Linville |
aeb7fa6 |
-
|
|
John W. Linville |
aeb7fa6 |
/* compute the shared key, k */
|
|
John W. Linville |
aeb7fa6 |
if (crypto_ec_point_mul(data->grp->group, data->grp->pwe,
|
|
John W. Linville |
aeb7fa6 |
data->server_scalar, K) < 0 ||
|
|
John W. Linville |
aeb7fa6 |
@@ -702,7 +666,6 @@ fin:
|
|
John W. Linville |
aeb7fa6 |
crypto_bignum_deinit(mask, 1);
|
|
John W. Linville |
aeb7fa6 |
crypto_bignum_deinit(cofactor, 1);
|
|
John W. Linville |
aeb7fa6 |
crypto_ec_point_deinit(K, 1);
|
|
John W. Linville |
aeb7fa6 |
- crypto_ec_point_deinit(point, 1);
|
|
John W. Linville |
aeb7fa6 |
if (data->outbuf == NULL)
|
|
John W. Linville |
aeb7fa6 |
eap_pwd_state(data, FAILURE);
|
|
John W. Linville |
aeb7fa6 |
else
|
|
John W. Linville |
aeb7fa6 |
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
|
|
John W. Linville |
aeb7fa6 |
index 16057e9..f6c75cf 100644
|
|
John W. Linville |
aeb7fa6 |
--- a/src/eap_server/eap_server_pwd.c
|
|
John W. Linville |
aeb7fa6 |
+++ b/src/eap_server/eap_server_pwd.c
|
|
John W. Linville |
aeb7fa6 |
@@ -669,7 +669,7 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
|
John W. Linville |
aeb7fa6 |
{
|
|
John W. Linville |
aeb7fa6 |
const u8 *ptr;
|
|
John W. Linville |
aeb7fa6 |
struct crypto_bignum *cofactor = NULL;
|
|
John W. Linville |
aeb7fa6 |
- struct crypto_ec_point *K = NULL, *point = NULL;
|
|
John W. Linville |
aeb7fa6 |
+ struct crypto_ec_point *K = NULL;
|
|
John W. Linville |
aeb7fa6 |
int res = 0;
|
|
John W. Linville |
aeb7fa6 |
size_t prime_len, order_len;
|
|
John W. Linville |
aeb7fa6 |
|
|
John W. Linville |
aeb7fa6 |
@@ -688,9 +688,8 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
|
John W. Linville |
aeb7fa6 |
|
|
John W. Linville |
aeb7fa6 |
data->k = crypto_bignum_init();
|
|
John W. Linville |
aeb7fa6 |
cofactor = crypto_bignum_init();
|
|
John W. Linville |
aeb7fa6 |
- point = crypto_ec_point_init(data->grp->group);
|
|
John W. Linville |
aeb7fa6 |
K = crypto_ec_point_init(data->grp->group);
|
|
John W. Linville |
aeb7fa6 |
- if (!data->k || !cofactor || !point || !K) {
|
|
John W. Linville |
aeb7fa6 |
+ if (!data->k || !cofactor || !K) {
|
|
John W. Linville |
aeb7fa6 |
wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
|
|
John W. Linville |
aeb7fa6 |
"fail");
|
|
John W. Linville |
aeb7fa6 |
goto fin;
|
|
John W. Linville |
aeb7fa6 |
@@ -704,55 +703,20 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
|
John W. Linville |
aeb7fa6 |
|
|
John W. Linville |
aeb7fa6 |
/* element, x then y, followed by scalar */
|
|
John W. Linville |
aeb7fa6 |
ptr = payload;
|
|
John W. Linville |
aeb7fa6 |
- data->peer_element = crypto_ec_point_from_bin(data->grp->group, ptr);
|
|
John W. Linville |
aeb7fa6 |
+ data->peer_element = eap_pwd_get_element(data->grp, ptr);
|
|
John W. Linville |
aeb7fa6 |
if (!data->peer_element) {
|
|
John W. Linville |
aeb7fa6 |
wpa_printf(MSG_INFO, "EAP-PWD (server): setting peer element "
|
|
John W. Linville |
aeb7fa6 |
"fail");
|
|
John W. Linville |
aeb7fa6 |
goto fin;
|
|
John W. Linville |
aeb7fa6 |
}
|
|
John W. Linville |
aeb7fa6 |
ptr += prime_len * 2;
|
|
John W. Linville |
aeb7fa6 |
- data->peer_scalar = crypto_bignum_init_set(ptr, order_len);
|
|
John W. Linville |
aeb7fa6 |
+ data->peer_scalar = eap_pwd_get_scalar(data->grp, ptr);
|
|
John W. Linville |
aeb7fa6 |
if (!data->peer_scalar) {
|
|
John W. Linville |
aeb7fa6 |
wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
|
|
John W. Linville |
aeb7fa6 |
"fail");
|
|
John W. Linville |
aeb7fa6 |
goto fin;
|
|
John W. Linville |
aeb7fa6 |
}
|
|
John W. Linville |
aeb7fa6 |
|
|
John W. Linville |
aeb7fa6 |
- /* verify received scalar */
|
|
John W. Linville |
aeb7fa6 |
- if (crypto_bignum_is_zero(data->peer_scalar) ||
|
|
John W. Linville |
aeb7fa6 |
- crypto_bignum_is_one(data->peer_scalar) ||
|
|
John W. Linville |
aeb7fa6 |
- crypto_bignum_cmp(data->peer_scalar,
|
|
John W. Linville |
aeb7fa6 |
- crypto_ec_get_order(data->grp->group)) >= 0) {
|
|
John W. Linville |
aeb7fa6 |
- wpa_printf(MSG_INFO,
|
|
John W. Linville |
aeb7fa6 |
- "EAP-PWD (server): received scalar is invalid");
|
|
John W. Linville |
aeb7fa6 |
- goto fin;
|
|
John W. Linville |
aeb7fa6 |
- }
|
|
John W. Linville |
aeb7fa6 |
-
|
|
John W. Linville |
aeb7fa6 |
- /* verify received element */
|
|
John W. Linville |
aeb7fa6 |
- if (!crypto_ec_point_is_on_curve(data->grp->group,
|
|
John W. Linville |
aeb7fa6 |
- data->peer_element) ||
|
|
John W. Linville |
aeb7fa6 |
- crypto_ec_point_is_at_infinity(data->grp->group,
|
|
John W. Linville |
aeb7fa6 |
- data->peer_element)) {
|
|
John W. Linville |
aeb7fa6 |
- wpa_printf(MSG_INFO,
|
|
John W. Linville |
aeb7fa6 |
- "EAP-PWD (server): received element is invalid");
|
|
John W. Linville |
aeb7fa6 |
- goto fin;
|
|
John W. Linville |
aeb7fa6 |
- }
|
|
John W. Linville |
aeb7fa6 |
-
|
|
John W. Linville |
aeb7fa6 |
- /* check to ensure peer's element is not in a small sub-group */
|
|
John W. Linville |
aeb7fa6 |
- if (!crypto_bignum_is_one(cofactor)) {
|
|
John W. Linville |
aeb7fa6 |
- if (crypto_ec_point_mul(data->grp->group, data->peer_element,
|
|
John W. Linville |
aeb7fa6 |
- cofactor, point) != 0) {
|
|
John W. Linville |
aeb7fa6 |
- wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
|
|
John W. Linville |
aeb7fa6 |
- "multiply peer element by order");
|
|
John W. Linville |
aeb7fa6 |
- goto fin;
|
|
John W. Linville |
aeb7fa6 |
- }
|
|
John W. Linville |
aeb7fa6 |
- if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
|
|
John W. Linville |
aeb7fa6 |
- wpa_printf(MSG_INFO, "EAP-PWD (server): peer element "
|
|
John W. Linville |
aeb7fa6 |
- "is at infinity!\n");
|
|
John W. Linville |
aeb7fa6 |
- goto fin;
|
|
John W. Linville |
aeb7fa6 |
- }
|
|
John W. Linville |
aeb7fa6 |
- }
|
|
John W. Linville |
aeb7fa6 |
-
|
|
John W. Linville |
aeb7fa6 |
/* detect reflection attacks */
|
|
John W. Linville |
aeb7fa6 |
if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
|
|
John W. Linville |
aeb7fa6 |
crypto_ec_point_cmp(data->grp->group, data->my_element,
|
|
John W. Linville |
aeb7fa6 |
@@ -804,7 +768,6 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
|
John W. Linville |
aeb7fa6 |
|
|
John W. Linville |
aeb7fa6 |
fin:
|
|
John W. Linville |
aeb7fa6 |
crypto_ec_point_deinit(K, 1);
|
|
John W. Linville |
aeb7fa6 |
- crypto_ec_point_deinit(point, 1);
|
|
John W. Linville |
aeb7fa6 |
crypto_bignum_deinit(cofactor, 1);
|
|
John W. Linville |
aeb7fa6 |
|
|
John W. Linville |
aeb7fa6 |
if (res)
|
|
John W. Linville |
aeb7fa6 |
--
|
|
John W. Linville |
aeb7fa6 |
2.7.4
|
|
John W. Linville |
aeb7fa6 |
|