Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2025-02-18 01:53:06 -05:00
Code Issues Projects Releases Wiki Activity

EAP peer: Replace MD5 with SHA1 in duplicate message workaround

Browse Source 
MD5 is not available in CONFIG_FIPS=y builds, so use SHA1 for the EAP
peer workaround that tries to detect more robustly whether a duplicate
message was sent.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-08-01 16:50:48 +03:00
parent 97e986cd74
commit 125bbef0e7
2 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/eap_peer/eap.c
View File

@ -708,7 +708,7 @@ SM_STATE(EAP, SEND_RESPONSE)
wpabuf_free(sm->lastRespData); wpabuf_free(sm->lastRespData);
if (sm->eapRespData) { if (sm->eapRespData) {
if (sm->workaround) if (sm->workaround)
os_memcpy(sm->last_md5, sm->req_md5, 16); os_memcpy(sm->last_sha1, sm->req_sha1, 20);
sm->lastId = sm->reqId; sm->lastId = sm->reqId;
sm->lastRespData = wpabuf_dup(sm->eapRespData); sm->lastRespData = wpabuf_dup(sm->eapRespData);
eapol_set_bool(sm, EAPOL_eapResp, TRUE); eapol_set_bool(sm, EAPOL_eapResp, TRUE);
@ -914,12 +914,12 @@ static int eap_peer_req_is_duplicate(struct eap_sm *sm)
duplicate = (sm->reqId == sm->lastId) && sm->rxReq; duplicate = (sm->reqId == sm->lastId) && sm->rxReq;
if (sm->workaround && duplicate && if (sm->workaround && duplicate &&
os_memcmp(sm->req_md5, sm->last_md5, 16) != 0) { os_memcmp(sm->req_sha1, sm->last_sha1, 20) != 0) {
/* /*
* RFC 4137 uses (reqId == lastId) as the only verification for * RFC 4137 uses (reqId == lastId) as the only verification for
* duplicate EAP requests. However, this misses cases where the * duplicate EAP requests. However, this misses cases where the
* AS is incorrectly using the same id again; and * AS is incorrectly using the same id again; and
* unfortunately, such implementations exist. Use MD5 hash as * unfortunately, such implementations exist. Use SHA1 hash as
* an extra verification for the packets being duplicate to * an extra verification for the packets being duplicate to
* workaround these issues. * workaround these issues.
*/ */
@ -1765,7 +1765,7 @@ static void eap_sm_parseEapReq(struct eap_sm *sm, const struct wpabuf *req)
if (sm->workaround) { if (sm->workaround) {
const u8 *addr[1]; const u8 *addr[1];
addr[0] = wpabuf_head(req); addr[0] = wpabuf_head(req);
md5_vector(1, addr, &plen, sm->req_md5); sha1_vector(1, addr, &plen, sm->req_sha1);
} }
switch (hdr->code) { switch (hdr->code) {

6
src/eap_peer/eap_i.h
View File

@ -338,9 +338,9 @@ struct eap_sm {
Boolean rxResp /* LEAP only */; Boolean rxResp /* LEAP only */;
Boolean leap_done; Boolean leap_done;
Boolean peap_done; Boolean peap_done;
u8 req_md5[16]; /* MD5() of the current EAP packet */ u8 req_sha1[20]; /* SHA1() of the current EAP packet */
u8 last_md5[16]; /* MD5() of the previously received EAP packet; used u8 last_sha1[20]; /* SHA1() of the previously received EAP packet; used
* in duplicate request detection. */ * in duplicate request detection. */
void *msg_ctx; void *msg_ctx;
void *scard_ctx; void *scard_ctx;