You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
41 lines
1.5 KiB
Diff
41 lines
1.5 KiB
Diff
From d63edfa90243e9a7de6ae5c275032f2cc79fef95 Mon Sep 17 00:00:00 2001
|
|
From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
|
|
Date: Sun, 31 Mar 2019 17:26:01 +0200
|
|
Subject: [PATCH 12/14] EAP-pwd server: Detect reflection attacks
|
|
|
|
When processing an EAP-pwd Commit frame, verify that the peer's scalar
|
|
and elliptic curve element differ from the one sent by the server. This
|
|
prevents reflection attacks where the adversary reflects the scalar and
|
|
element sent by the server. (CVE-2019-9497)
|
|
|
|
The vulnerability allows an adversary to complete the EAP-pwd handshake
|
|
as any user. However, the adversary does not learn the negotiated
|
|
session key, meaning the subsequent 4-way handshake would fail. As a
|
|
result, this cannot be abused to bypass authentication unless EAP-pwd is
|
|
used in non-WLAN cases without any following key exchange that would
|
|
require the attacker to learn the MSK.
|
|
|
|
Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
|
|
---
|
|
src/eap_server/eap_server_pwd.c | 9 +++++++++
|
|
1 file changed, 9 insertions(+)
|
|
|
|
--- a/src/eap_server/eap_server_pwd.c
|
|
+++ b/src/eap_server/eap_server_pwd.c
|
|
@@ -753,6 +753,15 @@ eap_pwd_process_commit_resp(struct eap_s
|
|
}
|
|
}
|
|
|
|
+ /* detect reflection attacks */
|
|
+ if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
|
|
+ crypto_ec_point_cmp(data->grp->group, data->my_element,
|
|
+ data->peer_element) == 0) {
|
|
+ wpa_printf(MSG_INFO,
|
|
+ "EAP-PWD (server): detected reflection attack!");
|
|
+ goto fin;
|
|
+ }
|
|
+
|
|
/* compute the shared key, k */
|
|
if ((crypto_ec_point_mul(data->grp->group, data->grp->pwe,
|
|
data->peer_scalar, K) < 0) ||
|