EAP peer: Replace MD5 with SHA1 in duplicate message workaround

MD5 is not available in CONFIG_FIPS=y builds, so use SHA1 for the EAP
peer workaround that tries to detect more robustly whether a duplicate
message was sent.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-08-01 16:50:48 +03:00
parent 97e986cd74
commit 125bbef0e7
2 changed files with 7 additions and 7 deletions

View File

@ -708,7 +708,7 @@ SM_STATE(EAP, SEND_RESPONSE)
wpabuf_free(sm->lastRespData);
if (sm->eapRespData) {
if (sm->workaround)
os_memcpy(sm->last_md5, sm->req_md5, 16);
os_memcpy(sm->last_sha1, sm->req_sha1, 20);
sm->lastId = sm->reqId;
sm->lastRespData = wpabuf_dup(sm->eapRespData);
eapol_set_bool(sm, EAPOL_eapResp, TRUE);
@ -914,12 +914,12 @@ static int eap_peer_req_is_duplicate(struct eap_sm *sm)
duplicate = (sm->reqId == sm->lastId) && sm->rxReq;
if (sm->workaround && duplicate &&
os_memcmp(sm->req_md5, sm->last_md5, 16) != 0) {
os_memcmp(sm->req_sha1, sm->last_sha1, 20) != 0) {
/*
* RFC 4137 uses (reqId == lastId) as the only verification for
* duplicate EAP requests. However, this misses cases where the
* AS is incorrectly using the same id again; and
* unfortunately, such implementations exist. Use MD5 hash as
* unfortunately, such implementations exist. Use SHA1 hash as
* an extra verification for the packets being duplicate to
* workaround these issues.
*/
@ -1765,7 +1765,7 @@ static void eap_sm_parseEapReq(struct eap_sm *sm, const struct wpabuf *req)
if (sm->workaround) {
const u8 *addr[1];
addr[0] = wpabuf_head(req);
md5_vector(1, addr, &plen, sm->req_md5);
sha1_vector(1, addr, &plen, sm->req_sha1);
}
switch (hdr->code) {

View File

@ -338,8 +338,8 @@ struct eap_sm {
Boolean rxResp /* LEAP only */;
Boolean leap_done;
Boolean peap_done;
u8 req_md5[16]; /* MD5() of the current EAP packet */
u8 last_md5[16]; /* MD5() of the previously received EAP packet; used
u8 req_sha1[20]; /* SHA1() of the current EAP packet */
u8 last_sha1[20]; /* SHA1() of the previously received EAP packet; used
* in duplicate request detection. */
void *msg_ctx;