From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
To: iwd@lists.linux.dev
Subject: [PATCH] eap-mschapv2: allow using on kernels without CRYPTO_MD4, and deprecate
Date: Sun, 15 Oct 2023 00:54:45 +0100
Message-ID: <20231014235445.167620-1-dimitri.ledkov@canonical.com>

Currently eap-mschapv2 does kernel MD4 check during init time, even
though it is possible to use it with Password-Hash on kernels without
MD4.

Separately, mschapv2 is obsolete, deprecated, and removed even in
Windows 11 22H2 [1][2]. Add an error message stating so, encouraging
migration to PEAP-TLS or EAP-TLS. Separately, warnings like these often
don't work, thus we likely need to remove this authentication method
completely.

IWD usage of MD4 was brought up on linux-crypto mailing list [3], upon
my attempt to remove CRYPTO_MD4 from the kernel which is no longer used
via crypto API by anything else.

It worries me that internet searches suggest that EDUROAM (a Wi-Fi
network spanning 106 territories) seems to still often use
mschapv2. Thus dropping this support may leave millions of people
without connectivity. Given how broken and insecure this authentication
method has been since 2012, I hope that EDUROAM is migrating, or has
migrated, to P/EAP-TLS.

[1] https://learn.microsoft.com/en-us/security-updates/securityadvisories/2012/2743314
[2] https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues
[3] https://lore.kernel.org/linux-crypto/2e52c8b4-e70a-453f-853a-1962c8167dfa@gmail.com/
---
 src/eap-mschapv2.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/eap-mschapv2.c b/src/eap-mschapv2.c
index ef0ce620a8..4f4739717a 100644
--- a/src/eap-mschapv2.c
+++ b/src/eap-mschapv2.c
@@ -437,6 +437,8 @@ static int eap_mschapv2_check_settings(struct l_settings *settings,
 	int r = 0;
 	size_t hash_len;
 
+	l_error("EAP_MSCHAPv2: Obsolete, please switch to P/EAP-TLS");
+
 	snprintf(setting, sizeof(setting), "%sIdentity", prefix);
 	identity = l_settings_get_string(settings, "Security", setting);
 
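Review bot: the new l_error() at the top of eap_mschapv2_check_settings fires on every settings check, including for Password-Hash users whose configuration this patch explicitly keeps working, and at error severity it reads as a failure rather than the deprecation notice the subject line describes. Consider l_warn with wording that says the method is deprecated and names the replacements as the commit message does, e.g. `l_warn("EAP_MSCHAPv2: deprecated, please migrate to EAP-TLS or PEAP-TLS");` since "P/EAP-TLS" is not an obvious abbreviation to someone reading a log.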
@@ -479,8 +481,14 @@ static int eap_mschapv2_check_settings(struct l_settings *settings,
 		}
 
 		return 0;
-	} else if (password)
+	} else if (password) {
+		if (!l_checksum_is_supported(L_CHECKSUM_MD4, false)) {
+			l_warn("EAP_MSCHAPv2: Obsolete MD4 not found");
+			l_warn("Please use Password-Hash instead of Password");
+			return -EINVAL;
+		}
 		goto validate;
+	}
 
 	secret = l_queue_find(secrets, eap_secret_info_match, setting2);
 	if (!secret) {
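Review bot: the missing-MD4 branch returns -EINVAL, but the init-time check this patch removes returned -ENOTSUP for the same condition; -EINVAL signals a malformed setting, whereas here the setting is well-formed and the kernel simply lacks the algorithm, so -ENOTSUP is the more accurate errno and keeps what callers see consistent with the previous behaviour. The two l_warn lines also read oddly ("Obsolete MD4 not found" implies MD4 is obsolete, which is not what is being reported); a single line such as `l_warn("EAP_MSCHAPv2: MD4 not available in kernel, use Password-Hash instead of Password");` states the cause and the remedy together.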
@@ -561,13 +569,6 @@ static struct eap_method eap_mschapv2 = {
 static int eap_mschapv2_init(void)
 {
 	l_debug("");
-
-	if (!l_checksum_is_supported(L_CHECKSUM_MD4, false)) {
-		l_warn("EAP_MSCHAPv2 init: MD4 support not found, skipping");
-		l_warn("Ensure that CONFIG_CRYPTO_MD4 is enabled");
-		return -ENOTSUP;
-	}
-
 	return eap_register_method(&eap_mschapv2);
 }
 
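Review bot: with the init-time guard gone, the method now registers on every kernel and the MD4 requirement is enforced only in eap_mschapv2_check_settings for the plaintext Password case; that is correct only if no other code path in this file needs MD4 when Password-Hash is configured, which the diff does not show. Worth stating in the commit message, or in a comment beside the remaining check, that Password-Hash is the MD4-free path, so the next reader does not reintroduce the init-time check.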
-- 
2.34.1


Thread overview: 6+ messages
2023-10-14 23:54 Dimitri John Ledkov [this message]
2023-10-16 19:45 ` [PATCH] eap-mschapv2: allow using on kernels without CRYPTO_MD4, and deprecate Denis Kenzior
2023-10-18 16:28   ` Dimitri John Ledkov
2023-10-19  2:54     ` Denis Kenzior
2023-10-21  0:33       ` Dimitri John Ledkov
2023-10-24 22:26         ` Emil Velikov