77 lines
3.0 KiB
Diff
77 lines
3.0 KiB
Diff
From: Antonio Torres <antorres@redhat.com>
|
|
Date: Fri, 09 Dec 2022
|
|
Subject: Fix information leakage in EAP-PWD
|
|
|
|
The EAP-PWD function compute_password_element() leaks information about the
|
|
password which allows an attacker to substantially reduce the size of an
|
|
offline dictionary attack.
|
|
|
|
Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
|
|
|
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
|
|
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
|
---
|
|
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
|
index d94851c3aa..9f86b62114 100644
|
|
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
|
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
|
@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
|
|
#include <freeradius-devel/radiusd.h>
|
|
#include <freeradius-devel/modules.h>
|
|
|
|
+static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
|
|
+
|
|
/* The random function H(x) = HMAC-SHA256(0^32, x) */
|
|
static void H_Init(HMAC_CTX *ctx)
|
|
{
|
|
@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
|
uint32_t *token)
|
|
{
|
|
BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
|
|
- HMAC_CTX *ctx = NULL;
|
|
+ EVP_MD_CTX *hmac_ctx;
|
|
+ EVP_PKEY *hmac_pkey;
|
|
uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
|
|
int nid, is_odd, primebitlen, primebytelen, ret = 0;
|
|
|
|
- ctx = HMAC_CTX_new();
|
|
- if (ctx == NULL) {
|
|
- DEBUG("failed allocating HMAC context");
|
|
- goto fail;
|
|
- }
|
|
+ MEM(hmac_ctx = EVP_MD_CTX_new());
|
|
+ MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
|
|
|
|
switch (grp_num) { /* from IANA registry for IKE D-H groups */
|
|
case 19:
|
|
@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
|
* pwd-seed = H(token | peer-id | server-id | password |
|
|
* counter)
|
|
*/
|
|
- H_Init(ctx);
|
|
- H_Update(ctx, (uint8_t *)token, sizeof(*token));
|
|
- H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
|
|
- H_Update(ctx, (uint8_t const *)id_server, id_server_len);
|
|
- H_Update(ctx, (uint8_t const *)password, password_len);
|
|
- H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
|
|
- H_Final(ctx, pwe_digest);
|
|
+ EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
|
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
|
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
|
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
|
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
|
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
|
|
|
|
BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
|
|
if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
|
|
@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
|
BN_clear_free(x_candidate);
|
|
BN_clear_free(rnd);
|
|
talloc_free(prfbuf);
|
|
- HMAC_CTX_free(ctx);
|
|
+ EVP_MD_CTX_free(hmac_ctx);
|
|
+ EVP_PKEY_free(hmac_pkey);
|
|
|
|
return ret;
|
|
}
|