CVS commit: src/external/bsd/wpa/dist

To: source-changes%NetBSD.org@localhost
Subject: CVS commit: src/external/bsd/wpa/dist
From: "Christos Zoulas" <christos%netbsd.org@localhost>
Date: Tue, 13 Feb 2024 13:43:45 -0500

Module Name:    src
Committed By:   christos
Date:           Tue Feb 13 18:43:45 UTC 2024

Modified Files:
        src/external/bsd/wpa/dist/src/eap_peer: eap_config.h eap_peap.c
            eap_tls_common.c eap_tls_common.h
        src/external/bsd/wpa/dist/wpa_supplicant: wpa_supplicant.conf

Log Message:
https://www.phoronix.com/news/IWD-WPA-WiFi-Auth-Vulns
https://www.top10vpn.com/research/wifi-vulnerabilities/

PEAP client: Update Phase 2 authentication requirements

The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

Allow Phase 2 authentication behavior to be configured with a new phase1
configuration parameter option:
'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
tunnel) behavior for PEAP:
 * 0 = do not require Phase 2 authentication
 * 1 = require Phase 2 authentication when client certificate
   (private_key/client_cert) is no used and TLS session resumption was
   not used (default)
 * 2 = require Phase 2 authentication in all cases


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.7 -r1.2 \
    src/external/bsd/wpa/dist/src/eap_peer/eap_config.h \
    src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h
cvs rdiff -u -r1.1.1.8 -r1.2 \
    src/external/bsd/wpa/dist/src/eap_peer/eap_peap.c \
    src/external/bsd/wpa/dist/src/eap_peer/eap_tls_common.c
cvs rdiff -u -r1.1.1.8 -r1.2 \
    src/external/bsd/wpa/dist/wpa_supplicant/wpa_supplicant.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: src/share/mk
Next by Date: CVS commit: src/sys/arch/evbarm/conf
Previous by Thread: CVS commit: src/share/mk
Next by Thread: CVS commit: src/sys/arch/evbarm/conf
Indexes:

Home | Main Index | Thread Index | Old Index