TTLS: Fix peer challenge generation for TTLS/MSCHAPv2

Commit 30680e9332 changed the length
of the implicit challenge result to match with the exact length used
in TTLS. However, it failed to update the peer_challenge generation
to use a separate random value. Previously, this was generated as
part of the implicit challenge, but more correct way would have been
to generate a random value for it separately. Do this now to fix the
read after the allocated buffer (16 bytes after the implicit
challenge).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
This commit is contained in:
Jouni Malinen 2012-03-05 16:59:03 +02:00 committed by Jouni Malinen
parent c8c340a9f6
commit e19467e161

View file

@ -435,7 +435,6 @@ static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
"implicit challenge"); "implicit challenge");
return -1; return -1;
} }
peer_challenge = challenge + 1 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE, pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
RADIUS_VENDOR_ID_MICROSOFT, 1, RADIUS_VENDOR_ID_MICROSOFT, 1,
@ -448,7 +447,14 @@ static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]; data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN];
*pos++ = data->ident; *pos++ = data->ident;
*pos++ = 0; /* Flags */ *pos++ = 0; /* Flags */
os_memcpy(pos, peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN); if (os_get_random(pos, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) < 0) {
os_free(challenge);
wpabuf_free(msg);
wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to get "
"random data for peer challenge");
return -1;
}
peer_challenge = pos;
pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN; pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
os_memset(pos, 0, 8); /* Reserved, must be zero */ os_memset(pos, 0, 8); /* Reserved, must be zero */
pos += 8; pos += 8;
@ -456,6 +462,7 @@ static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
password_len, pwhash, challenge, password_len, pwhash, challenge,
peer_challenge, pos, data->auth_response, peer_challenge, pos, data->auth_response,
data->master_key)) { data->master_key)) {
os_free(challenge);
wpabuf_free(msg); wpabuf_free(msg);
wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive " wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
"response"); "response");