freeradius/SOURCES/freeradius-fix-info-leakage-eap-pwd.patch

77 lines
3.0 KiB
Diff

From: Antonio Torres <antorres@redhat.com>
Date: Fri, 09 Dec 2022
Subject: Fix information leakage in EAP-PWD
The EAP-PWD function compute_password_element() leaks information about the
password which allows an attacker to substantially reduce the size of an
offline dictionary attack.
Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index d94851c3aa..9f86b62114 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
#include <freeradius-devel/radiusd.h>
#include <freeradius-devel/modules.h>
+static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
+
/* The random function H(x) = HMAC-SHA256(0^32, x) */
static void H_Init(HMAC_CTX *ctx)
{
@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
uint32_t *token)
{
BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
- HMAC_CTX *ctx = NULL;
+ EVP_MD_CTX *hmac_ctx;
+ EVP_PKEY *hmac_pkey;
uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
int nid, is_odd, primebitlen, primebytelen, ret = 0;
- ctx = HMAC_CTX_new();
- if (ctx == NULL) {
- DEBUG("failed allocating HMAC context");
- goto fail;
- }
+ MEM(hmac_ctx = EVP_MD_CTX_new());
+ MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
switch (grp_num) { /* from IANA registry for IKE D-H groups */
case 19:
@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
* pwd-seed = H(token | peer-id | server-id | password |
* counter)
*/
- H_Init(ctx);
- H_Update(ctx, (uint8_t *)token, sizeof(*token));
- H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
- H_Update(ctx, (uint8_t const *)id_server, id_server_len);
- H_Update(ctx, (uint8_t const *)password, password_len);
- H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
- H_Final(ctx, pwe_digest);
+ EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
BN_clear_free(x_candidate);
BN_clear_free(rnd);
talloc_free(prfbuf);
- HMAC_CTX_free(ctx);
+ EVP_MD_CTX_free(hmac_ctx);
+ EVP_PKEY_free(hmac_pkey);
return ret;
}