[PATCH] EAP-TTLS: Fix parsing auth= and autheap= Phase2 params

Jouni Malinen j at w1.fi
Sun Dec 6 03:47:12 PST 2015

On Sun, Dec 06, 2015 at 12:01:32PM +0100, Pali Rohár wrote:
> This patch fix security issue when Phase2 param auth=MSCHAPv2 was handled as
> MSCHAP (v1) which degraded security. Now when invalid or unsupported auth=
> Phase2 param combinations are specified then EAP-TTLS throw error instead
> silently doing something.
> More then one auth= Phase2 type cannot be specified and also both auth= and
> autheap= options cannot be specified.
> Parsing Phase2 type is case sensitive (as in other EAP parts), so Phase2
> param auth=MSCHAPv2 is invalid. Only auth=MSCHAPV2 is correct.
> ---

Could you please read the top level CONTRIBUTIONS file and resubmit this
with Signed-off-by: line added so that I can apply the changes?

As far as the changes are concerned, would it be more useful to make
phase2 parsing case insensitive to allow that previously invalid
auth=MSCHAPv2 case to be parsed in the same way as the valid
auth=MSCHAPV2 case?

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list