DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

EAP-pwd: Validate Prep field in EAP-pwd-ID/Response

Browse source 
RFC 5931 Section 2.8.5.1 does not list the Prep field as something that
the server validates to match the Request. However, the supplicant side
has to use the same pre-processing mechanism for the password for the
authentication to work, so we may as well as enforce this field to match
the requested value now that wpa_supplicant implementation is fixed to
copy the value from the request.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2016-10-08 19:43:36 +03:00
parent 2875e32333
commit 53b2555f67
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/eap_server/eap_server_pwd.c
View file

@ -602,7 +602,9 @@ static void eap_pwd_process_id_resp(struct eap_sm *sm,
if ((data->group_num != be_to_host16(id->group_num)) ||
(id->random_function != EAP_PWD_DEFAULT_RAND_FUNC) ||
(os_memcmp(id->token, (u8 *)&data->token, sizeof(data->token))) ||
(id->prf != EAP_PWD_DEFAULT_PRF)) {
(id->prf != EAP_PWD_DEFAULT_PRF) ||
id->prep !=
data->password_hash ? EAP_PWD_PREP_MS : EAP_PWD_PREP_NONE) {
wpa_printf(MSG_INFO, "EAP-pwd: peer changed parameters");
eap_pwd_state(data, FAILURE);
return;