EAP-PWD in wpa_supplicant

navigium · 01-12-2017, 10:35 AM

Is there a reason wpa_supplicant isn't compiled with

Code:

CONFIG_EAP_PWD="y"

?

I'm aware that there was a security problem in wpa_supplicant 2.4 which could be solved by removing support for eap-pwd as indicated in the changelog:

Code:

Tue May 12 07:17:33 UTC 2015
n/wpa_supplicant-2.4-x86_64-2.txz: Rebuilt.
       This update fixes potential denial of service issues.
       For more information, see:
       http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt
       http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt
       http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt
       http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1863
       (* Security fix *)

However, this is solved in wpa_supplicant 2.5 which ships with Slackware 14.2. I recompiled wpa_supplicant with this enabled to be able to access eduroam using wpa-pwd, but I'd prefer to have Slackware supporting it without recompiling - unless there is a reason not to, then I'd probably want to stick with the default package.

ponce · 01-13-2017, 08:47 AM

YMMV but, here (and in other universities) I don't need wpa-pwd but just PEAP/MsCHAPv2 for using eduroam...

Code:

network={
   scan_ssid=1
   ssid="eduroam"
   key_mgmt=WPA-EAP
   eap=PEAP
   identity="me@example.com"
   password="mysupersecretpassword"
   phase1="peaplabel=0"
   phase2="auth=MSCHAPV2"
}

navigium · 01-14-2017, 11:35 AM

Quote:

Originally Posted by ponce

YMMV but, here (and in other universities) I don't need wpa-pwd but just PEAP/MsCHAPv2 for using eduroam...

I know, I tested EAP PEAP and TTLS and both work flawlessly. The point is that EAP-PWD is a lot easier because you don't have to worry about the ca certificate. That's why I was wondering why Slackware doesn't support this out of the box.