[PATCH] EAP-TTLS/PAP: User-Password obfuscation for zero length password

Dan Williams dcbw at redhat.com
Tue Dec 8 22:09:13 EST 2009


On Wed, 2009-12-09 at 10:47 +0900, Masashi Honma wrote:
> Hello.
> 
> The password in User-Password AVP is padded to a multiple of 16 bytes
> on EAP-TTLS/PAP. But when the password length is zero, no padding is
> added. It doesn't cause connectivity issue. In fact, I could connect
> with hostapd RADIUS server with zero length password.

Random question; are zero-length passwords actually used by people?
What's the point of a zero-length password?  It seems to default all
pretense of security...

Dan

> I think it's better for obfuscation to pad the 16 bytes data when the
> password length is zero with this patch.
> 
> 
> diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c
> index 800f1b5..f93ba38 100644
> --- a/src/eap_peer/eap_ttls.c
> +++ b/src/eap_peer/eap_ttls.c
> @@ -846,7 +846,7 @@ static int eap_ttls_phase2_request_pap(struct eap_sm *sm,
>  	/* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts
>  	 * the data, so no separate encryption is used in the AVP itself.
>  	 * However, the password is padded to obfuscate its length. */
> -	pad = (16 - (password_len & 15)) & 15;
> +	pad = password_len == 0 ? 16 : (16 - (password_len & 15)) & 15;
>  	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1,
>  			       password_len + pad);
>  	os_memcpy(pos, password, password_len);
> 
> 
> Regards,
> Masashi Honma.
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap



More information about the HostAP mailing list