[PW_SID:793265] eap-mschapv2: allow using on kernels without CRYPTO_MD4, and deprecate #241

IWDTestBot · 2023-10-20T17:08:56Z

Currently eap-mschapv2 does kernel MD4 check during init time, even
though it is possible to use it with Password-Hash on kernels without
MD4.

Separately, mschapv2 is obsolete, deprecated, and removed even in
Windows 11 22H2 [1][2]. Add an error message stating so encouraging
migration to PEAP-TLS or EAP-TLS. Separately, warnings like these often
don't work, thus likely need to remove this authentication method
completely.

IWD usage of MD4 was brought up on linux-crypto mailing list [3], upon
my attempt to remove CRYPTO_MD4 from the kernel which is no longer used
via crypto API by anything else.

It worries me that internet searches suggest that EDUROAM (a Wi-FI
network spanning 106 territories) seems to still often use
mschapv2. Thus dropping this support may leave millions of people
without connectivity. Given how broken and isecure this authentication
method has been since 2012, I hope that EDUROAM is migrating, or has
migrated to P/EAP-TLS.

[1] https://learn.microsoft.com/en-us/security-updates/securityadvisories/2012/2743314
[2] https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues
[3] https://lore.kernel.org/linux-crypto/2e52c8b4-e70a-453f-853a-1962c8167dfa@gmail.com/

src/eap-mschapv2.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)

This is taken care of by the individual cache items and if none exist, tar fails.

Currently eap-mschapv2 does kernel MD4 check during init time, even though it is possible to use it with Password-Hash on kernels without MD4. Separately, mschapv2 is obsolete, deprecated, and removed even in Windows 11 22H2 [1][2]. Add an error message stating so encouraging migration to PEAP-TLS or EAP-TLS. Separately, warnings like these often don't work, thus likely need to remove this authentication method completely. IWD usage of MD4 was brought up on linux-crypto mailing list [3], upon my attempt to remove CRYPTO_MD4 from the kernel which is no longer used via crypto API by anything else. It worries me that internet searches suggest that EDUROAM (a Wi-FI network spanning 106 territories) seems to still often use mschapv2. Thus dropping this support may leave millions of people without connectivity. Given how broken and isecure this authentication method has been since 2012, I hope that EDUROAM is migrating, or has migrated to P/EAP-TLS. [1] https://learn.microsoft.com/en-us/security-updates/securityadvisories/2012/2743314 [2] https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues [3] https://lore.kernel.org/linux-crypto/2e52c8b4-e70a-453f-853a-1962c8167dfa@gmail.com/

IWDTestBot · 2023-10-20T17:10:45Z

Fetch PR
Test ID: fetch
Desc: Fetch the PR commits for this CI run
Duration: 3.61 seconds
Result: PASS

Make Distcheck
Test ID: makedistcheck
Desc: Run distcheck to check the distribution
Duration: 12.22 seconds
Result: FAIL

Output:

make[2]: *** No rule to make target 'ell/sysctl.h', needed by 'distdir-am'.  Stop.
make[1]: *** [Makefile:3218: distdir] Error 2
make: *** [Makefile:3298: dist] Error 2

Build - Configure
Test ID: build
Desc: Configure the BlueZ source tree
Duration: 11.73 seconds
Result: PASS

Make Check
Test ID: makecheck
Desc: Run 'make check'
Duration: 0.00 seconds
Result: SKIP

Output:

makecheck was skipped

Make Check w/Valgrind
Test ID: makecheckvalgrind
Desc: Run 'make check' with Valgrind
Duration: 11.93 seconds
Result: FAIL

Output:

make[1]: *** No rule to make target 'ell/sysctl.c', needed by 'ell/sysctl.lo'.  Stop.
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:1710: all] Error 2

Incremental Build with patches
Test ID: incremental_build
Desc: Incremental build per patch in the series
Duration: 0.42 seconds
Result: PASS

IWDTestBot · 2023-10-20T17:16:19Z

Fetch PR
Test ID: fetch
Desc: Fetch the PR commits for this CI run
Duration: 2.72 seconds
Result: PASS

GitLint
Test ID: gitlint
Desc: Run gitlint with rule in .gitlint
Duration: 0.61 seconds
Result: FAIL

Output:

eap-mschapv2: allow using on kernels without CRYPTO_MD4, and deprecate
24: B1 Line exceeds max length (86>80): "[1] https://learn.microsoft.com/en-us/security-updates/securityadvisories/2012/2743314"
25: B1 Line exceeds max length (119>80): "[2] https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues"
26: B1 Line exceeds max length (88>80): "[3] https://lore.kernel.org/linux-crypto/2e52c8b4-e70a-453f-853a-1962c8167dfa@gmail.com/"

Make Distcheck
Test ID: makedistcheck
Desc: Run distcheck to check the distribution
Duration: 9.27 seconds
Result: FAIL

Output:

make[2]: *** No rule to make target 'ell/sysctl.h', needed by 'distdir-am'.  Stop.
make[1]: *** [Makefile:3217: distdir] Error 2
make: *** [Makefile:3297: dist] Error 2

Build - Configure
Test ID: build
Desc: Configure the BlueZ source tree
Duration: 41.09 seconds
Result: PASS

Make Check
Test ID: makecheck
Desc: Run 'make check'
Duration: 0.00 seconds
Result: SKIP

Output:

makecheck was skipped

Make Check w/Valgrind
Test ID: makecheckvalgrind
Desc: Run 'make check' with Valgrind
Duration: 42.29 seconds
Result: FAIL

Output:

make[1]: *** No rule to make target 'ell/sysctl.c', needed by 'ell/sysctl.lo'.  Stop.
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:1709: all] Error 2

Incremental Build with patches
Test ID: incremental_build
Desc: Incremental build per patch in the series
Duration: 0.61 seconds
Result: PASS

Autotest Runner
Test ID: testrunner
Desc: Runs IWD's autotest framework
Duration: 0.00 seconds
Result: SKIP

Output:

testrunner was skipped

Clang Build
Test ID: clang
Desc: Build IWD using clang compiler
Duration: 47.26 seconds
Result: FAIL

Output:

make[1]: *** No rule to make target 'ell/sysctl.c', needed by 'ell/sysctl.lo'.  Stop.
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:1709: all] Error 2

jprestwo and others added 7 commits October 20, 2023 16:59

Workflow's for syncing with upstream, build, unit test, and test-runner

74a982d

workflow: use newer commit for hostapd

e7efce6

ci: remove cache/ from tar file list

086f2c2

This is taken care of by the individual cache items and if none exist, tar fails.

ci: use kernel 5.19

ba46dec

ci: use iwd-ci after renaming to remove -v2

c256b20

ci: remove set-output use, now deprecated

f19a3ab

github-actions bot force-pushed the workflow branch 5 times, most recently from c94e205 to 0505d54 Compare October 30, 2023 15:00

github-actions bot force-pushed the workflow branch 7 times, most recently from a9a4ef7 to eac1598 Compare November 9, 2023 16:37

github-actions bot force-pushed the workflow branch 8 times, most recently from bcfe88e to d7f439f Compare November 16, 2023 16:00

github-actions bot force-pushed the workflow branch from d7f439f to 92a4b1e Compare November 17, 2023 16:00

github-actions bot force-pushed the workflow branch 5 times, most recently from 61cb7e5 to ede3c3a Compare August 23, 2024 17:32

github-actions bot force-pushed the workflow branch 4 times, most recently from 8991f76 to ca0eb77 Compare September 3, 2024 15:26

github-actions bot force-pushed the workflow branch 8 times, most recently from aada677 to 1163d8b Compare September 11, 2024 16:00

github-actions bot force-pushed the workflow branch 2 times, most recently from cd38a46 to a84ea46 Compare September 25, 2024 15:00

github-actions bot force-pushed the workflow branch 3 times, most recently from 9ef1a07 to b2ed861 Compare October 8, 2024 16:33

github-actions bot force-pushed the workflow branch 5 times, most recently from 0375753 to 7e9a794 Compare October 24, 2024 21:25

github-actions bot force-pushed the workflow branch 3 times, most recently from d961fcd to bd89ecb Compare November 13, 2024 17:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[PW_SID:793265] eap-mschapv2: allow using on kernels without CRYPTO_MD4, and deprecate #241

[PW_SID:793265] eap-mschapv2: allow using on kernels without CRYPTO_MD4, and deprecate #241

IWDTestBot commented Oct 20, 2023

IWDTestBot commented Oct 20, 2023

IWDTestBot commented Oct 20, 2023

[PW_SID:793265] eap-mschapv2: allow using on kernels without CRYPTO_MD4, and deprecate #241

Are you sure you want to change the base?

[PW_SID:793265] eap-mschapv2: allow using on kernels without CRYPTO_MD4, and deprecate #241

Conversation

IWDTestBot commented Oct 20, 2023

[1] https://learn.microsoft.com/en-us/security-updates/securityadvisories/2012/2743314 [2] https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues [3] https://lore.kernel.org/linux-crypto/2e52c8b4-e70a-453f-853a-1962c8167dfa@gmail.com/

IWDTestBot commented Oct 20, 2023

IWDTestBot commented Oct 20, 2023

[1] https://learn.microsoft.com/en-us/security-updates/securityadvisories/2012/2743314
[2] https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues
[3] https://lore.kernel.org/linux-crypto/2e52c8b4-e70a-453f-853a-1962c8167dfa@gmail.com/