CVS commit: src/external/bsd/wpa/dist/src/eap_server

2019-04-10 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Apr 10 17:49:26 UTC 2019

Modified Files:
src/external/bsd/wpa/dist/src/eap_server: eap_server_pwd.c

Log Message:
When processing an EAP-pwd Commit frame, verify that the peer's scalar
and elliptic curve element differ from the one sent by the server. This
prevents reflection attacks where the adversary reflects the scalar and
element sent by the server. (CVE-2019-9497)

The vulnerability allows an adversary to complete the EAP-pwd handshake
as any user. However, the adversary does not learn the negotiated
session key, meaning the subsequent 4-way handshake would fail. As a
result, this cannot be abused to bypass authentication unless EAP-pwd is
used in non-WLAN cases without any following key exchange that would
require the attacker to learn the MSK.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 \
src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c
diff -u src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c:1.6 src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c:1.7
--- src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c:1.6	Wed Apr 10 13:48:07 2019
+++ src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c	Wed Apr 10 13:49:26 2019
@@ -753,6 +753,15 @@ eap_pwd_process_commit_resp(struct eap_s
 		}
 	}
 
+	/* detect reflection attacks */
+	if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
+	crypto_ec_point_cmp(data->grp->group, data->my_element,
+data->peer_element) == 0) {
+		wpa_printf(MSG_INFO,
+			   "EAP-PWD (server): detected reflection attack!");
+		goto fin;
+	}
+
 	/* compute the shared key, k */
 	if ((crypto_ec_point_mul(data->grp->group, data->grp->pwe,
  data->peer_scalar, K) < 0) ||
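Review bot: the early exit on a detected reflection uses `goto fin` without assigning `res`, and the hunk does not show what the fin: label does with an untouched `res`; please confirm that path lands in the failure state rather than proceeding as if the Commit exchange had succeeded. The check itself is placed correctly, before the shared key k is derived from peer_scalar and peer_element, and testing scalar OR element catches a partial reflection as well as a full one. Two smaller points: the second and third lines of the `if` condition lose the continuation indentation the other multi-line conditions in this function use, and since this MSG_INFO line is the only log signal a defender gets for a reflection attempt, adding the peer identity to the message would make it correlatable with the surrounding RADIUS/EAP session logs.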



CVS commit: src/external/bsd/wpa/dist/src/eap_server

2015-05-09 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat May  9 19:50:41 UTC 2015

Modified Files:
src/external/bsd/wpa/dist/src/eap_server: eap_server_pwd.c

Log Message:
The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.

In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoids a
potential memory leak when processing an invalid message.

XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 \
src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c


Modified files:

Index: src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c
diff -u src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c:1.2 src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c:1.3
--- src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c:1.2	Sat May  9 15:47:35 2015
+++ src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c	Sat May  9 15:50:41 2015
@@ -913,11 +913,21 @@ static void eap_pwd_process(struct eap_s
 	 * the first fragment has a total length
 	 */
 	if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
+		if (len < 2) {
+			wpa_printf(MSG_DEBUG,
+   "EAP-pwd: Frame too short to contain Total-Length field");
+			return;
+		}
 		tot_len = WPA_GET_BE16(pos);
 		wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
 			   "length = %d", tot_len);
 		if (tot_len > 15000)
 			return;
+		if (data->inbuf) {
+			wpa_printf(MSG_DEBUG,
+   "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
+			return;
+		}
 		data->inbuf = wpabuf_alloc(tot_len);
 		if (data->inbuf == NULL) {
 			wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
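Review bot: the `if (len < 2)` guard is in the right place, ahead of both the WPA_GET_BE16(pos) read and whatever decrements len afterwards, which is what stops the underflow described in the log message; two follow-ups. First, the existing `if (tot_len > 15000) return;` still accepts tot_len == 0, so a start fragment can allocate an empty wpabuf; unless a later size check covers that, consider rejecting zero here together with the upper bound. Second, both new messages are MSG_DEBUG, yet a frame too short for its own Total-Length field or a second fragment start while reassembly is live only comes from a broken or hostile peer; logging them at MSG_INFO, as the out-of-memory case already is, would make these malformed-frame events visible in a default log configuration.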



CVS commit: src/external/bsd/wpa/dist/src/eap_server

2015-05-09 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat May  9 19:47:35 UTC 2015

Modified Files:
src/external/bsd/wpa/dist/src/eap_server: eap_server_pwd.c

Log Message:
The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.

Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4 -r1.2 \
src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c


Modified files:

Index: src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c
diff -u src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c:1.1.1.4 src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c:1.2
--- src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c:1.1.1.4	Wed Apr  1 15:24:46 2015
+++ src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c	Sat May  9 15:47:35 2015
@@ -634,9 +634,21 @@ eap_pwd_process_commit_resp(struct eap_s
 	BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
 	EC_POINT *K = NULL, *point = NULL;
 	int res = 0;
+	size_t prime_len, order_len;
 
 	wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
 
+	prime_len = BN_num_bytes(data->grp->prime);
+	order_len = BN_num_bytes(data->grp->order);
+
+	if (payload_len != 2 * prime_len + order_len) {
+		wpa_printf(MSG_INFO,
+			   "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
+			   (unsigned int) payload_len,
+			   (unsigned int) (2 * prime_len + order_len));
+		goto fin;
+	}
+
 	if (((data->peer_scalar = BN_new()) == NULL) ||
 	((data->k = BN_new()) == NULL) ||
 	((cofactor = BN_new()) == NULL) ||
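Review bot: the exact-length comparison `payload_len != 2 * prime_len + order_len` is the right shape for a Commit payload (two prime-sized element coordinates plus one order-sized scalar), and because it jumps to fin before any BN_new() call, the cleanup there must tolerate the NULL initialisers of x, y, cofactor, K and point declared at the top of the function and the not-yet-allocated data->peer_scalar and data->k; please double-check that cleanup path frees nothing unconditionally. With `int res = 0;` still in effect at the jump, the early exit will be reported as a failed exchange, which is the intended outcome. The state-transition enforcement mentioned in the log message is not part of this hunk, so a reviewer following only this diff cannot see it; a pointer to the hunk that carries it would help.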



CVS commit: src/external/bsd/wpa/dist/src/eap_server

2015-04-11 Thread Joerg Sonnenberger
Module Name:src
Committed By:   joerg
Date:   Sat Apr 11 21:14:13 UTC 2015

Modified Files:
src/external/bsd/wpa/dist/src/eap_server: eap_server.c

Log Message:
Cast enum.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.5 -r1.2 \
src/external/bsd/wpa/dist/src/eap_server/eap_server.c


Modified files:

Index: src/external/bsd/wpa/dist/src/eap_server/eap_server.c
diff -u src/external/bsd/wpa/dist/src/eap_server/eap_server.c:1.1.1.5 src/external/bsd/wpa/dist/src/eap_server/eap_server.c:1.2
--- src/external/bsd/wpa/dist/src/eap_server/eap_server.c:1.1.1.5	Wed Apr  1 19:24:46 2015
+++ src/external/bsd/wpa/dist/src/eap_server/eap_server.c	Sat Apr 11 21:14:13 2015
@@ -96,7 +96,7 @@ static struct wpabuf * eap_sm_buildIniti
 		plen += 2 + domain_len;
 	}
 
-	msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_ERP_TYPE_REAUTH_START, plen,
+	msg = eap_msg_alloc(EAP_VENDOR_IETF, (EapType)EAP_ERP_TYPE_REAUTH_START, plen,
 			EAP_CODE_INITIATE, id);
 	if (msg == NULL)
 		return NULL;
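Review bot: the `(EapType)` cast silences the enum-mismatch warning but leaves no trace of why an ERP type value is being passed where an EapType is expected; a one-line comment noting that ERP messages reuse the EAP Type field for EAP_ERP_TYPE_REAUTH_START would save the next reader from wondering whether the values could collide. The cast also pushes the `eap_msg_alloc(` line past the 80-column limit the surrounding code keeps; wrapping it after the first or second argument would keep the style consistent.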



CVS commit: src/external/bsd/wpa/dist/src/eap_server

2012-10-08 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Mon Oct  8 14:03:09 UTC 2012

Modified Files:
src/external/bsd/wpa/dist/src/eap_server: eap_server_tls_common.c

Log Message:
EAP-TLS server: Fix TLS Message Length validation:

http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;\
h=586c446e0ff42ae00315b014924ec669023bd8de

http://www.pre-cert.de/advisories/PRE-SA-2012-07.txt


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2 -r1.2 \
src/external/bsd/wpa/dist/src/eap_server/eap_server_tls_common.c


Modified files:

Index: src/external/bsd/wpa/dist/src/eap_server/eap_server_tls_common.c
diff -u src/external/bsd/wpa/dist/src/eap_server/eap_server_tls_common.c:1.1.1.2 src/external/bsd/wpa/dist/src/eap_server/eap_server_tls_common.c:1.2
--- src/external/bsd/wpa/dist/src/eap_server/eap_server_tls_common.c:1.1.1.2	Sun Oct  7 19:47:03 2012
+++ src/external/bsd/wpa/dist/src/eap_server/eap_server_tls_common.c	Mon Oct  8 10:03:09 2012
@@ -223,6 +223,12 @@ static int eap_server_tls_process_fragme
    " over 64 kB)");
 			return -1;
 		}
+		if (len > message_length) {
+			wpa_printf(MSG_INFO, "SSL: Too much data (%zu bytes) "
+   "in first fragment of frame (TLS Message "
+   "Length %u bytes)", len, message_length);
+			return -1;
+		}
 
 		data->tls_in = wpabuf_alloc(message_length);
 		if (data->tls_in == NULL) {
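Review bot: the `len > message_length` check only bounds the first fragment, the one that carries the TLS Message Length field; the same invariant, that appended data never exceeds the size wpabuf_alloc(message_length) reserved, also has to hold for every later fragment when it is appended to data->tls_in, and that path is outside this hunk. Please confirm the append site either checks remaining room itself or relies on a wpabuf_put() that fails safely rather than overflowing. Minor: the comparison mixes size_t `len` with `message_length` printed as %u; that is fine for the comparison as written, but the message would be easier to grep if both values used the same format and the peer were identified.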
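The two reassembly fixes on this page (the 2015 EAP-pwd Total-Length commit and the 2012 EAP-TLS Message Length commit) share one pattern: check the bytes you have before reading a length field, refuse a new fragment start while a reassembly is live, and bound every copy by the declared total rather than by what the sender put on the wire. The following is an added example written for this page, not code from hostapd or NetBSD; the frame layout (one flags byte, an optional two-byte Total-Length, then data), the `FRAG_*` names and the sample frames are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FRAG_FLAG_LENGTH 0x80  /* hypothetical: fragment carries a 2-byte Total-Length */
#define FRAG_FLAG_MORE   0x40  /* hypothetical: more fragments follow */
#define FRAG_MAX_TOTAL   15000 /* same upper bound the EAP-pwd server applies */

enum frag_result {
	FRAG_OK = 0,          /* fragment stored, more expected */
	FRAG_COMPLETE,        /* message fully reassembled in st->buf */
	FRAG_ERR_SHORT,       /* not enough bytes left to read Total-Length */
	FRAG_ERR_TOTAL_LEN,   /* Total-Length is zero or above the cap */
	FRAG_ERR_IN_PROGRESS, /* new start while a reassembly is still live */
	FRAG_ERR_NO_START,    /* continuation fragment with nothing in progress */
	FRAG_ERR_OVERFLOW,    /* fragment data exceeds the declared Total-Length */
	FRAG_ERR_INCOMPLETE,  /* final fragment arrived before Total-Length was reached */
	FRAG_ERR_NOMEM
};

struct frag_state {
	uint8_t *buf;  /* reassembly buffer, NULL when idle */
	size_t total;  /* declared Total-Length */
	size_t used;   /* bytes copied so far */
};

static void frag_reset(struct frag_state *st)
{
	free(st->buf);
	st->buf = NULL;
	st->total = st->used = 0;
}

/* Process one fragment: [flags:1][Total-Length:2 if LENGTH flag][data...]. */
enum frag_result frag_process(struct frag_state *st, const uint8_t *frame, size_t len)
{
	uint8_t flags;

	if (len < 1)
		return FRAG_ERR_SHORT;
	flags = frame[0];
	frame++;
	len--;

	if (flags & FRAG_FLAG_LENGTH) {
		uint16_t tot;

		/* Check before reading the field: without this the "len -= 2" below
		 * wraps the size_t to a huge value and the memcpy reads past the frame. */
		if (len < 2)
			return FRAG_ERR_SHORT;
		tot = (uint16_t)((frame[0] << 8) | frame[1]);
		frame += 2;
		len -= 2;
		if (tot == 0 || tot > FRAG_MAX_TOTAL)
			return FRAG_ERR_TOTAL_LEN;
		/* Refuse a second start while a buffer is allocated, so a repeated
		 * first fragment can neither leak nor replace the live buffer. */
		if (st->buf)
			return FRAG_ERR_IN_PROGRESS;
		st->buf = malloc(tot);
		if (!st->buf)
			return FRAG_ERR_NOMEM;
		st->total = tot;
		st->used = 0;
	} else if (!st->buf) {
		return FRAG_ERR_NO_START;
	}

	/* Bound the copy by what the sender declared, not by what it sent;
	 * on violation the partial reassembly is discarded. */
	if (len > st->total - st->used) {
		frag_reset(st);
		return FRAG_ERR_OVERFLOW;
	}
	memcpy(st->buf + st->used, frame, len);
	st->used += len;

	if (flags & FRAG_FLAG_MORE)
		return FRAG_OK;
	if (st->used != st->total) {
		frag_reset(st);
		return FRAG_ERR_INCOMPLETE;
	}
	return FRAG_COMPLETE;
}

int main(void)
{
	/* Constructed frames: a start fragment whose Total-Length is cut short,
	 * then a valid two-fragment message declaring four bytes. */
	static const uint8_t truncated[] = { FRAG_FLAG_LENGTH, 0x00 };
	static const uint8_t start[] = { FRAG_FLAG_LENGTH | FRAG_FLAG_MORE, 0x00, 0x04, 'a', 'b' };
	static const uint8_t rest[] = { 0x00, 'c', 'd' };
	struct frag_state st = { 0 };

	printf("truncated start: %d\n", frag_process(&st, truncated, sizeof truncated));
	printf("start: %d, rest: %d\n", frag_process(&st, start, sizeof start),
	       frag_process(&st, rest, sizeof rest));
	frag_reset(&st);
	return 0;
}
```

The three rejections map one-to-one onto the commits above: `FRAG_ERR_SHORT` is the `len < 2` guard, `FRAG_ERR_IN_PROGRESS` is the `data->inbuf` check, and `FRAG_ERR_OVERFLOW` is the `len > message_length` check generalised so that it also bounds every later fragment, which the EAP-TLS hunk only does for the first one.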