From: Antonio Torres <antorres@redhat.com>
Date: Fri, 09 Dec 2022
Subject: Fix information leakage in EAP-PWD

The EAP-PWD function compute_password_element() leaks information about the 
password which allows an attacker to substantially reduce the size of an 
offline dictionary attack.

Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index d94851c3aa..9f86b62114 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API	/* OpenSSL API has been deprecated by Apple */
 #include <freeradius-devel/radiusd.h>
 #include <freeradius-devel/modules.h>
 
+static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
+
 /* The random function H(x) = HMAC-SHA256(0^32, x) */
 static void H_Init(HMAC_CTX *ctx)
 {
@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
 			      uint32_t *token)
 {
 	BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
-	HMAC_CTX *ctx = NULL;
+	EVP_MD_CTX *hmac_ctx;
+	EVP_PKEY *hmac_pkey;
 	uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
 	int nid, is_odd, primebitlen, primebytelen, ret = 0;
 
-	ctx = HMAC_CTX_new();
-	if (ctx == NULL) {
-		DEBUG("failed allocating HMAC context");
-		goto fail;
-	}
+	MEM(hmac_ctx = EVP_MD_CTX_new());
+	MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
 
 	switch (grp_num) { /* from IANA registry for IKE D-H groups */
 	case 19:
@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
 		 *    pwd-seed = H(token | peer-id | server-id | password |
 		 *		   counter)
 		 */
-		H_Init(ctx);
-		H_Update(ctx, (uint8_t *)token, sizeof(*token));
-		H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
-		H_Update(ctx, (uint8_t const *)id_server, id_server_len);
-		H_Update(ctx, (uint8_t const *)password, password_len);
-		H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
-		H_Final(ctx, pwe_digest);
+		EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
 
 		BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
 		if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
 	BN_clear_free(x_candidate);
 	BN_clear_free(rnd);
 	talloc_free(prfbuf);
-	HMAC_CTX_free(ctx);
+	EVP_MD_CTX_free(hmac_ctx);
+	EVP_PKEY_free(hmac_pkey);
 
 	return ret;
 }