From bab31499fd0883be8614d807daa6e05da2f9f4f8 Mon Sep 17 00:00:00 2001 From: Masashi Honma Date: Wed, 9 Dec 2009 23:42:54 +0200 Subject: [PATCH] EAP-TTLS/PAP: User-Password obfuscation for zero length password The password in User-Password AVP is padded to a multiple of 16 bytes on EAP-TTLS/PAP. But when the password length is zero, no padding is added. It doesn't cause connectivity issue. In fact, I could connect with hostapd RADIUS server with zero length password. I think it's better for obfuscation to pad the 16 bytes data when the password length is zero with this patch. --- src/eap_peer/eap_ttls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c index 800f1b57d..f93ba38f2 100644 --- a/src/eap_peer/eap_ttls.c +++ b/src/eap_peer/eap_ttls.c @@ -846,7 +846,7 @@ static int eap_ttls_phase2_request_pap(struct eap_sm *sm, /* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts * the data, so no separate encryption is used in the AVP itself. * However, the password is padded to obfuscate its length. */ - pad = (16 - (password_len & 15)) & 15; + pad = password_len == 0 ? 16 : (16 - (password_len & 15)) & 15; pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1, password_len + pad); os_memcpy(pos, password, password_len);