Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2024-11-25 00:38:24 -05:00
Code Issues Projects Releases Wiki Activity

EAP-MSCHAPv2 peer: Add option to disable password retry query

Browse Source 
wpa_supplicant used to request user to re-enter username/password if the
server indicated that EAP-MSCHAPv2 (e.g., in PEAP Phase 2)
authentication failed (E=691), but retry is allowed (R=1). This is a
reasonable default behavior, but there may be cases where it is more
convenient to close the authentication session immediately rather than
wait for user to do something.

Add a new "mschapv2_retry=0" option to the phase2 field to allow the
retry behavior to be disabled. This will make wpa_supplicant abort
authentication attempt on E=691 regardless of whether the server allows
retry.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-02-01 17:45:19 +02:00
parent f4cd0f6454
commit 49fcc32e91
3 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/eap_peer/eap_config.h
View File

@ -425,7 +425,9 @@ struct eap_peer_config {
* phase2 - Phase2 (inner authentication with TLS tunnel) parameters * phase2 - Phase2 (inner authentication with TLS tunnel) parameters
* *
* String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or * String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
* "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS. * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS. "mschapv2_retry=0" can
* be used to disable MSCHAPv2 password retry in authentication failure
* cases.
*/ */
char *phase2; char *phase2;

7
src/eap_peer/eap_mschapv2.c
View File

@ -472,6 +472,13 @@ static int eap_mschapv2_failure_txt(struct eap_sm *sm,
pos += 2; pos += 2;
msg = pos; msg = pos;
} }
if (data->prev_error == ERROR_AUTHENTICATION_FAILURE && retry &&
config && config->phase2 &&
os_strstr(config->phase2, "mschapv2_retry=0")) {
wpa_printf(MSG_DEBUG,
"EAP-MSCHAPV2: mark password retry disabled based on local configuration");
retry = 0;
}
wpa_msg(sm->msg_ctx, MSG_WARNING, wpa_msg(sm->msg_ctx, MSG_WARNING,
"EAP-MSCHAPV2: failure message: '%s' (retry %sallowed, error " "EAP-MSCHAPV2: failure message: '%s' (retry %sallowed, error "
"%d)", "%d)",

3
wpa_supplicant/wpa_supplicant.conf
View File

@ -942,7 +942,8 @@ fast_reauth=1
# pbc=1. # pbc=1.
# phase2: Phase2 (inner authentication with TLS tunnel) parameters # phase2: Phase2 (inner authentication with TLS tunnel) parameters
# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or # (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) # "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be
# used to disable MSCHAPv2 password retry in authentication failure cases.
# #
# TLS-based methods can use the following parameters to control TLS behavior # TLS-based methods can use the following parameters to control TLS behavior
# (these are normally in the phase1 parameter, but can be used also in the # (these are normally in the phase1 parameter, but can be used also in the