aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMathy Vanhoef <mathy.vanhoef@nyu.edu>2019-03-31 15:26:01 (GMT)
committerJouni Malinen <j@w1.fi>2019-04-09 14:11:15 (GMT)
commitd63edfa90243e9a7de6ae5c275032f2cc79fef95 (patch)
tree190eddd4a58cd2d50079c2f6131ef4c91b785e40
parent70ff850e89fbc8bc7da515321b4d15b5eef70581 (diff)
downloadhostap-d63edfa90243e9a7de6ae5c275032f2cc79fef95.zip
hostap-d63edfa90243e9a7de6ae5c275032f2cc79fef95.tar.gz
hostap-d63edfa90243e9a7de6ae5c275032f2cc79fef95.tar.bz2
EAP-pwd server: Detect reflection attacks
When processing an EAP-pwd Commit frame, verify that the peer's scalar and elliptic curve element differ from the one sent by the server. This prevents reflection attacks where the adversary reflects the scalar and element sent by the server. (CVE-2019-9497) The vulnerability allows an adversary to complete the EAP-pwd handshake as any user. However, the adversary does not learn the negotiated session key, meaning the subsequent 4-way handshake would fail. As a result, this cannot be abused to bypass authentication unless EAP-pwd is used in non-WLAN cases without any following key exchange that would require the attacker to learn the MSK. Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
-rw-r--r--src/eap_server/eap_server_pwd.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index 74979da..16057e9 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -753,6 +753,15 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
}
}
+ /* detect reflection attacks */
+ if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
+ crypto_ec_point_cmp(data->grp->group, data->my_element,
+ data->peer_element) == 0) {
+ wpa_printf(MSG_INFO,
+ "EAP-PWD (server): detected reflection attack!");
+ goto fin;
+ }
+
/* compute the shared key, k */
if ((crypto_ec_point_mul(data->grp->group, data->grp->pwe,
data->peer_scalar, K) < 0) ||