[PATCH] EAP-TTLS/PAP: User-Password obfuscation for zero length password

Jouni Malinen j at w1.fi
Wed Dec 9 16:45:17 EST 2009


On Wed, Dec 09, 2009 at 10:47:24AM +0900, Masashi Honma wrote:

> The password in User-Password AVP is padded to a multiple of 16 bytes
> on EAP-TTLS/PAP. But when the password length is zero, no padding is
> added. It doesn't cause a connectivity issue. In fact, I could connect
> with the hostapd RADIUS server with a zero length password.
> 
> I think it's better for obfuscation to pad with 16 bytes of data when the
> password length is zero with this patch.

Thanks, applied. While the use of such a password may not be that good
of an idea for most cases, it should be fine to pad that password, too.
However, some RADIUS authentication servers do not seem to even allow
an empty password regardless of the padding, so this is not really that
interoperable a selection for a password, never mind the lack of security.

-- 
Jouni Malinen                                            PGP id EFC895FA
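
The padding rule discussed in this thread, as an added C example (not part of the original messages and not wpa_supplicant's own code): it builds a User-Password AVP in the EAP-TTLS AVP layout, with the empty password either left unpadded or padded to 16 bytes. The function names, the `pad_empty` switch, the mandatory flag and the sample passwords are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AVP_USER_PASSWORD  2u     /* same code as RADIUS attribute 2 */
#define AVP_FLAG_MANDATORY 0x40u  /* assumption: M bit set on this AVP */
#define AVP_HDR_LEN        8u     /* code(4) + flags(1) + length(3) */

/* Null bytes appended after the password. pad_empty = 0: empty password left
 * unpadded (as reported); pad_empty = 1: empty password becomes 16 null bytes. */
static size_t pap_pad_len(size_t pw_len, int pad_empty)
{
    if (pw_len == 0)
        return pad_empty ? 16 : 0;
    return (16 - (pw_len & 15)) & 15;
}

/* Writes the AVP into out and returns its length, or 0 if it does not fit. */
static size_t build_user_password_avp(const uint8_t *pw, size_t pw_len,
                                      int pad_empty, uint8_t *out, size_t cap)
{
    size_t avp_len;
    if (pw_len > 0xFFFF)  /* keep well inside the 24-bit AVP Length field */
        return 0;
    avp_len = AVP_HDR_LEN + pw_len + pap_pad_len(pw_len, pad_empty);
    if (avp_len > cap)
        return 0;
    memset(out, 0, avp_len);           /* zero header bytes and padding */
    out[3] = AVP_USER_PASSWORD;        /* 32-bit big-endian AVP code */
    out[4] = AVP_FLAG_MANDATORY;
    out[5] = (uint8_t)(avp_len >> 16); /* length covers header + data */
    out[6] = (uint8_t)(avp_len >> 8);
    out[7] = (uint8_t)avp_len;
    if (pw_len)
        memcpy(out + AVP_HDR_LEN, pw, pw_len);
    return avp_len;
}

int main(void)
{
    const char *samples[] = { "", "a", "hunter2", "0123456789abcdef" }; /* constructed */
    uint8_t buf[64];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t n = strlen(samples[i]);
        printf("pw_len=%2zu  unpadded-empty AVP=%2zu  padded-empty AVP=%2zu\n", n,
               build_user_password_avp((const uint8_t *)samples[i], n, 0, buf, sizeof(buf)),
               build_user_password_avp((const uint8_t *)samples[i], n, 1, buf, sizeof(buf)));
    }
    return 0;
}
```

With the empty password left unpadded the AVP is 8 bytes long, a length no other password produces; padded, it is 24 bytes, the same as any password of 1 to 16 bytes.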