From 125bbef0e789fa84712dbfa6579e7e5299dfcec0 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sat, 1 Aug 2015 16:50:48 +0300 Subject: [PATCH] EAP peer: Replace MD5 with SHA1 in duplicate message workaround MD5 is not available in CONFIG_FIPS=y builds, so use SHA1 for the EAP peer workaround that tries to detect more robustly whether a duplicate message was sent. Signed-off-by: Jouni Malinen --- src/eap_peer/eap.c | 8 ++++---- src/eap_peer/eap_i.h | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c index c8a1231b3..56c24b550 100644 --- a/src/eap_peer/eap.c +++ b/src/eap_peer/eap.c @@ -708,7 +708,7 @@ SM_STATE(EAP, SEND_RESPONSE) wpabuf_free(sm->lastRespData); if (sm->eapRespData) { if (sm->workaround) - os_memcpy(sm->last_md5, sm->req_md5, 16); + os_memcpy(sm->last_sha1, sm->req_sha1, 20); sm->lastId = sm->reqId; sm->lastRespData = wpabuf_dup(sm->eapRespData); eapol_set_bool(sm, EAPOL_eapResp, TRUE); @@ -914,12 +914,12 @@ static int eap_peer_req_is_duplicate(struct eap_sm *sm) duplicate = (sm->reqId == sm->lastId) && sm->rxReq; if (sm->workaround && duplicate && - os_memcmp(sm->req_md5, sm->last_md5, 16) != 0) { + os_memcmp(sm->req_sha1, sm->last_sha1, 20) != 0) { /* * RFC 4137 uses (reqId == lastId) as the only verification for * duplicate EAP requests. However, this misses cases where the * AS is incorrectly using the same id again; and - * unfortunately, such implementations exist. Use MD5 hash as + * unfortunately, such implementations exist. Use SHA1 hash as * an extra verification for the packets being duplicate to * workaround these issues. */ @@ -1765,7 +1765,7 @@ static void eap_sm_parseEapReq(struct eap_sm *sm, const struct wpabuf *req) if (sm->workaround) { const u8 *addr[1]; addr[0] = wpabuf_head(req); - md5_vector(1, addr, &plen, sm->req_md5); + sha1_vector(1, addr, &plen, sm->req_sha1); } switch (hdr->code) { diff --git a/src/eap_peer/eap_i.h b/src/eap_peer/eap_i.h index 5f8b5fa78..99b44dae4 100644 --- a/src/eap_peer/eap_i.h +++ b/src/eap_peer/eap_i.h @@ -338,9 +338,9 @@ struct eap_sm { Boolean rxResp /* LEAP only */; Boolean leap_done; Boolean peap_done; - u8 req_md5[16]; /* MD5() of the current EAP packet */ - u8 last_md5[16]; /* MD5() of the previously received EAP packet; used - * in duplicate request detection. */ + u8 req_sha1[20]; /* SHA1() of the current EAP packet */ + u8 last_sha1[20]; /* SHA1() of the previously received EAP packet; used + * in duplicate request detection. */ void *msg_ctx; void *scard_ctx;