On Sun, Dec 06, 2015 at 12:01:32PM +0100, Pali Rohár wrote:
> This patch fixes a security issue when Phase2 param auth=MSCHAPv2 was handled as
> MSCHAP (v1) which degraded security. Now when invalid or unsupported auth=
> Phase2 param combinations are specified then EAP-TTLS throws an error instead
> of silently doing something.
>
> More than one auth= Phase2 type cannot be specified and also both auth= and
> autheap= options cannot be specified.
>
> Parsing Phase2 type is case sensitive (as in other EAP parts), so Phase2
> param auth=MSCHAPv2 is invalid. Only auth=MSCHAPV2 is correct.
> ---

Could you please read the top level CONTRIBUTIONS file and resubmit this
with Signed-off-by: line added so that I can apply the changes?

As far as the changes are concerned, would it be more useful to make
phase2 parsing case insensitive to allow that previously invalid
auth=MSCHAPv2 case to be parsed in the same way as the valid
auth=MSCHAPV2 case?

-- 
Jouni Malinen                                            PGP id EFC895FA
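
The downgrade and the strict behaviour described in the quoted patch description, as an added example that is not code from the patch or from hostap. All names (`p2_type`, `parse_loose`, `parse_strict`) are hypothetical, and `parse_loose` is an assumed substring-matching model of the old behaviour, not the project's actual parser.

```c
#include <stdio.h>
#include <string.h>

enum p2_type { P2_ERROR = -1, P2_EAP, P2_MSCHAPV2, P2_MSCHAP, P2_PAP, P2_CHAP };

/* Assumed model of the weak form: case-sensitive substring search, so
 * "auth=MSCHAPv2" misses MSCHAPV2 and silently matches MSCHAP (v1). */
static enum p2_type parse_loose(const char *phase2)
{
    if (strstr(phase2, "auth=MSCHAPV2")) return P2_MSCHAPV2;
    if (strstr(phase2, "auth=MSCHAP")) return P2_MSCHAP;
    if (strstr(phase2, "auth=PAP")) return P2_PAP;
    if (strstr(phase2, "auth=CHAP")) return P2_CHAP;
    return P2_EAP;
}

/* Strict form: whole-token, exact-value match; unknown value, repeated
 * auth=, or auth= together with autheap= is an error. */
static enum p2_type parse_strict(const char *phase2)
{
    static const struct { const char *name; enum p2_type type; } tbl[] = {
        {"MSCHAPV2", P2_MSCHAPV2}, {"MSCHAP", P2_MSCHAP},
        {"PAP", P2_PAP}, {"CHAP", P2_CHAP},
    };
    enum p2_type found = P2_EAP;   /* no auth= means an EAP inner method */
    int n_auth = 0, have_eap = 0;
    const char *p = phase2;

    while (*p) {
        size_t i, len = strcspn(p, " ");   /* length of current token */
        if (len >= 5 && strncmp(p, "auth=", 5) == 0) {
            enum p2_type t = P2_ERROR;
            for (i = 0; i < sizeof(tbl) / sizeof(tbl[0]); i++)
                if (strlen(tbl[i].name) == len - 5 &&
                    memcmp(p + 5, tbl[i].name, len - 5) == 0)
                    t = tbl[i].type;
            if (t == P2_ERROR || ++n_auth > 1) return P2_ERROR;
            found = t;
        } else if (len >= 8 && strncmp(p, "autheap=", 8) == 0) {
            have_eap = 1;
        }
        p += len;
        p += strspn(p, " ");               /* skip separators */
    }
    return (n_auth && have_eap) ? P2_ERROR : found;
}

int main(void)
{
    const char *s = "auth=MSCHAPv2";       /* constructed sample input */
    printf("loose=%d strict=%d\n", parse_loose(s), parse_strict(s));
    return 0;
}
```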