maemo-leste / bugtracker

Issue tracking repository

Properly support PAP inner authentication #142

Closed MerlijnWajer closed 6 years ago

MerlijnWajer commented 6 years ago

There is MSCHAP, MSCHAPV2, PAP-MSCHAPV2 and so on, the same holds true for other inner authentications. See this entire IRC log:

20:48 < Wizzup> EAP TTLS PAP
20:48 < Pali> I guess it should be EAP-TTLS with PAP
20:48 < Wizzup> yes, but in the connui widget you are already in the TTLS sub thing
20:48 < Wizzup> let me double check
20:49 < Pali> EAP-TTLS can use as its inner authentication either PAP, CHAP, MSCHAP(v2) or any other EAP method
20:49 < Wizzup> so in fremantle it says:
20:49 < Pali> and there is also EAP-MSCHAPV2 authen method, therefore you can use EAP-TTLS with EAP-MSCHAPV2
20:50 < Wizzup> EAP method: {EAP GTC, EAP MSCHAPV2, MSCHAPV2, EAP PAP}
20:50 < Pali> and it is different from EAP-TTLS with MSCHAPV2
20:50 < Wizzup> Pali: could you enlighten me how those MSCHAPV2 are different? I tried to search but didn't find it
20:51 < Wizzup> That is, I am not sure what fremantle eapd does with either of them. I've currently mapped both to wpa_supplicant phase2="auth=MSCHAPV2", which is wrong, but I could not figure it out
20:51 < Pali> EAP-TTLS defines IIRC 4 methods for inner authentications: PAP, CHAP, MSCHAP or any other generic EAP method
20:51 < Pali> and there is EAP method for MSCHAP
20:51 < Pali> so EAP-TTLS can use MSCHAP directly, or can wrap MSCHAP into another EAP layer
20:52 < Wizzup> but both of it happens in phase2, does it not?
20:52 < Wizzup> (because it is ttls)
20:52 < Pali> yes, those are inner auth (in wpa supplicant terminology phase2)
20:53 < Pali> https://tools.ietf.org/html/rfc5281#section-11.2
20:54 < Pali> so there are 5 possible phase2 (inner) methods: EAP, CHAP, MS-CHAP, MS-CHAP-V2, PAP
20:55 -!- spiiroin [~spiiroin@84-253-217-140.bb.dnainternet.fi] has joined #maemo-leste
20:55 < Pali> and as EAP you can use any EAP protocol, including EAP-MSCHAPV2
20:56 < Pali> in wpa_supplicant.conf you specify phase2 as:
20:57 < Pali> phase2="auth=MSCHAPV2" or phase2="auth=MSCHAP" or phase2="auth=PAP" or phase2="auth=CHAP"
20:58 < Wizzup> right, and this would not be eap with eap authorisation (with then other mechanism in there), right?
20:58 < Pali> and if you are using EAP as inner phase2, then you specify it as: phase2="autheap=TYPE" (where TYPE is the EAP method without the "EAP-" prefix)
20:58 < Wizzup> Ah!
20:59 < Wizzup> I guess I'll modify this accordingly then: https://github.com/maemo-leste/libicd-network-wpasupplicant/blob/wlan-ng/src/gconfmap.c#L381
21:01 < Pali> so for EAP-TTLS as outer (phase1) with EAP-MSCHAPV2 inner (phase2) you would write: eap=TTLS phase2="autheap=MSCHAPV2"
21:01 < Pali> for EAP-TTLS with MSCHAPV2 you write: eap=TTLS phase2="auth=MSCHAPV2"
21:03 < Pali> now I see that in the Maemo Settings GUI for a WPA EAP TTLS connection there is an incorrect description of selections
21:04 < Wizzup> the maemo ui is a bit confusing
21:04 < Wizzup> but now at least I understand the difference much better
21:04 < Pali> in the first line is a selection box for certificate and in the second line is a selection box named "EAP method" with options: "EAP GTC", "EAP MSCHAPV2", "MSCHAPV2", "EAP PAP"
21:05 < Pali> first two are EAP methods, remaining two are non-EAP methods
21:05 < Pali> instead of "EAP method" it should be named "inner authentication" or similar
21:05 < Pali> and instead of "EAP PAP" should be only "PAP"
21:06 < Pali> there is no EAP-PAP protocol (or at least I have not heard about it)
21:06 < Wizzup> *nod*
21:06 < Pali> for sure in context of EAP-TTLS it is just PAP as specified in above RFC5281 (linked above)
21:07 < Wizzup> yes, I also assumed this was the case here: https://github.com/maemo-leste/libicd-network-wpasupplicant/blob/wlan-ng/src/gconfmap.c#L426
21:08 < Pali> XXX: For now we assume EAP_TTLS_MS and EAP_MS are the same. --> those are different!
21:08 < Wizzup> so you're saying there cannot be, in wpa_supplicant terminology: phase2="autheap=PAP"
21:08 < Wizzup> Pali: yes, this is what I asked :)
21:08 < Wizzup> I will change that now
21:08 < Wizzup> well, soon
21:08 < Pali> yes, there cannot be any autheap=PAP
21:08 < Pali> and beware of one thing, configs are in wpa supplicant case sensitive
21:08 < Pali> and correct name is MSCHAPV2 not MSCHAPv2
21:09 < Pali> older versions of wpa supplicant did prefix match
21:09 < Pali> and MSCHAPv2 parsed as MSCHAP
21:09 < Pali> as MSCHAP is valid method
21:09 < Wizzup> heh
21:09 < Pali> without any warning
21:09 < Wizzup> regarding case sensitive: *nod* I've looked at my wpa_supplicant.conf and just tried to copy it from that directly
21:12 < Pali> so for eap_inner_type == EAP_TTLS_MS you should generate the same config as for EAP_TTLS_PAP, just replace PAP by MSCHAPV2
21:12 < Pali> (if by MS you mean V2 version)
21:13 < Wizzup> in maemo UI this is V2, just the define isn't named like that
21:13 < Wizzup> I took the define from your commit to libicd-network-wlan
21:13 < Pali> and for EAP_GTC you need to set GTC token
21:14 < Pali> basically plain text password
21:14 < Wizzup> I was wondering about this, because the maemo UI doesn't seem to allow setting the GTC passcode from the settings
21:14 < Wizzup> but it is in gconf: EAP_GTC_passcode
21:14 < Pali> see: http://maemo.org/community/maemo-users/maemo5-_wpa2_eap_ttls-gtc/
21:14 < Wizzup> Pali: this commit:
https://github.com/maemo-leste/libicd-network-wpasupplicant/commit/0d9cf63e4bf44270d81cee7997c1ef8d9636808b#diff-c63fbd2d9bb16437e463d9afcba07733R1095
21:15 < Pali> yes, maemo gui does not allow to set it, it is bug
21:15 < Wizzup> Pali: *nod* we can just add that easily :)
21:16 < Pali> I needed it 6 years ago :) but I was happy that via secret gconf key it worked
21:16 < Wizzup> Pali: now that you are here - what is that 'default password' just below the EAP defines?
21:16 < Wizzup> yes, now that freemangordon has RE'd the ui entirely, we can add it: https://github.com/maemo-leste/connui-wlan/blob/master/wizard/wlan.c
21:16 < Pali> #define DEFAULT_PASSWORD "AeHi5ied"
21:17 < Wizzup> yes, that one
21:17 < Pali> it is password for encrypting local certificate/private via certman
21:17 < Wizzup> so by default they are encrypted with a known password?
21:18 < Pali> if you store a certificate with private key into maemo certman, then Maemo asks you to enter a passphrase for encrypting it
21:18 < Pali> if you do not specify a passphrase, then Maemo certman encrypts it with the above default passphrase
21:18 < Wizzup> ok
21:19 < Wizzup> OK, I get it, since openssl is a total pain when you leave the password empty
21:19 < Pali> and also certman, every time when accessing a certificate with private key, tries to decrypt it with the above password
21:19 < Pali> if it fails, then it asks for the passphrase via Maemo GUI
21:19 < Wizzup> makes sense
21:19 < Pali> and IIRC there was a bug in some GUI dialog which tries to set NULL password instead of buf[0]=0
21:20 < Pali> and crashed some process...
21:20 < Wizzup> in maemosec-certman ? or connui?
21:20 < Pali> do not remember, but I fixed it
21:20 < Wizzup> ah :)
21:21 < Pali> in CSSU repo
21:21 < Wizzup> we use code from cssu where possible, so then we'll inherit the fix
21:22 < Wizzup> Pali: probably maemo-security-certman-applet
21:22 < Pali> https://github.com/community-ssu/maemo-security-certman-applet/commit/155a938e3f55533f5dd4ce2dffafcb32376d3507
21:23 < Pali> https://github.com/community-ssu/maemo-security-certman-applet/commit/319b25cc9e9a83cf834ff75f4decc1db80f1b64c
21:23 < Wizzup> acknowledged
21:23 < Pali> https://github.com/community-ssu/maemo-security-certman-applet/commit/e95ee280843e8fc343e212775a3193736f45c442
21:23 < Wizzup> those are in our maemo-security-certman-applet that is ported to openssl 1.1.0 as well
21:23 < Wizzup> err
21:23 < Wizzup> ah, yes
21:25 < Pali> anyway, when you are using wpa_supplicant, there are more new EAP methods which are in use...
21:26 < Pali> e.g. EAP-PWD
21:27 < Pali> and... another thing, are you going to reverse engineer libicd-network-ipv6?
21:27 < sicelo> iirc it supports EAP-SIM as well?
21:27 < Pali> sicelo: yes
21:27 < Pali> I remember that libicd-network-ipv6 had some bugs which I worked around several times in shell scripts which that binary runs
21:27 < Wizzup> Pali: Regarding RE libicd-network-ipv6, I hope freemangordon will. I'm not a real RE hero, although I could learn
21:28 < Wizzup> do you have specific comments regarding it?
21:28 < Wizzup> as for EAP-PWD and EAP-SIM - I will go through this irc log in the weekend and make tickets for all things to do be done
21:29 < Pali> http://talk.maemo.org/showthread.php?t=85357
21:29 < Pali> in maemo extras is a package libicd-network-ipv6-scripts which contains wrapper script rtsol
21:30 < Pali> and that changes return value of rtsol.real to be correctly processed by libicd-network-ipv6
21:31 < Pali> for ipv6: I can help with details on how to implement it correctly -- especially correct autoconfiguration
21:31 < Pali> as it is not so simple
21:31 < Wizzup> great :)
21:32 < Pali> (needed to check M/O bits in RA, start dhcpv6 client in correct mode, etc...)
21:35 < Pali> I have written a daemon radvc which listens for IPv6 Router Advertisement packets, parses them and runs an external script with the parsed data
21:37 < Pali> the external script then has in variables e.g. dns servers, ipv6 routes, M, O bits, ... and can do whatever it wants with it
21:38 < Pali> icd2 uses rtsol for it, but incorrectly and does not handle rdns servers...
21:40 < Wizzup> some of this ipv6 stuff is over my head - I'm not that well versed in ipv6, only the basics
21:48 -!- sunshavi [~user@181.64.192.25] has joined #maemo-leste
21:49 < Wizzup> there is also EAP PAX ?
21:49 < Wizzup> yeah, several more even it seems
21:50 < Wizzup> note to self: we should also have a different icon for wpa eap than for wpa psk
22:10 < Pali> see https://w1.fi/wpa_supplicant/ what is supported
22:10 < Pali> and also https://w1.fi/cgit/hostap/plain/wpa_supplicant/eap_testing.txt
22:12 < Wizzup> *nod*
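
The phase2 mapping Pali lays out above, written up as an added example; this is not code from the maemo-leste project or from wpa_supplicant. The Maemo selection names EAP_TTLS_PAP, EAP_TTLS_MS, EAP_MS and EAP_GTC are taken from the defines mentioned in the log; their mapping onto wpa_supplicant's `auth=`/`autheap=` values, the function and parameter names, and the assumption that Fremantle's EAP_GTC_passcode ends up in wpa_supplicant's `password=` field are this example's own. It enforces the two pitfalls from the log: method names are matched exactly and case-sensitively (so `MSCHAPv2` is rejected instead of silently becoming MSCHAP, as old prefix-matching wpa_supplicant versions did), and `autheap=PAP` is refused because there is no EAP-PAP. It also refuses quotes and control characters in values that are interpolated into the config file.

```python
# Added example: build wpa_supplicant network blocks for EAP-TTLS with the
# inner (phase2) methods discussed in the log.  Not code from maemo-leste or
# wpa_supplicant; the Maemo selection names follow the defines named in the
# IRC log, and their mapping to phase2 values is this example's assumption.

# RFC 5281 section 11.2 non-EAP inner methods; wpa_supplicant writes them as
# phase2="auth=<METHOD>".  Names are exact and upper-case: wpa_supplicant is
# case sensitive, and old versions prefix-matched so "MSCHAPv2" became MSCHAP.
NON_EAP_INNER = frozenset({"PAP", "CHAP", "MSCHAP", "MSCHAPV2"})

# EAP methods that may be tunnelled inside TTLS; wpa_supplicant writes them as
# phase2="autheap=<METHOD>".  Partial list, enough for this example.
EAP_INNER = frozenset({"MSCHAPV2", "GTC", "MD5", "TLS"})

# Maemo inner-auth selection -> (phase2 keyword, method).  Assumption from the
# log: EAP_TTLS_MS means plain MSCHAPv2, EAP_MS means EAP-MSCHAPV2 wrapped in EAP.
MAEMO_INNER = {
    "EAP_TTLS_PAP": ("auth", "PAP"),
    "EAP_TTLS_MS": ("auth", "MSCHAPV2"),
    "EAP_MS": ("autheap", "MSCHAPV2"),
    "EAP_GTC": ("autheap", "GTC"),
}


def is_valid_phase2(keyword, method):
    """True if keyword/method is an exact, allowed wpa_supplicant phase2 pair."""
    if keyword == "auth":
        return method in NON_EAP_INNER
    if keyword == "autheap":
        # There is no EAP-PAP (nor EAP-CHAP / EAP-MSCHAP), so autheap=PAP fails here.
        return method in EAP_INNER
    return False


def phase2_string(keyword, method):
    """Return 'auth=PAP', 'autheap=MSCHAPV2', ...; raise on anything unknown."""
    if not is_valid_phase2(keyword, method):
        raise ValueError(f"unsupported phase2 {keyword}={method!r}")
    return f"{keyword}={method}"


def is_safe_value(value):
    """Reject characters that would break out of a quoted wpa_supplicant.conf
    field; the format has no escaping, so quotes, backslashes and control
    characters must not appear in interpolated values."""
    return not any(c in value for c in '"\\\n\r') and value.isprintable()


def quoted(value):
    """Quote a string for wpa_supplicant.conf after checking it is safe."""
    if not is_safe_value(value):
        raise ValueError("value contains characters unsafe for wpa_supplicant.conf")
    return f'"{value}"'


def ttls_network_block(ssid, identity, password, maemo_inner,
                       ca_cert=None, anonymous_identity=None):
    """Render one network={...} block for EAP-TTLS with the given inner method.

    For EAP_GTC the password field carries the GTC token/passcode (assumption:
    Fremantle's EAP_GTC_passcode gconf key maps onto wpa_supplicant's password=).
    """
    keyword, method = MAEMO_INNER[maemo_inner]
    lines = [
        "network={",
        f"\tssid={quoted(ssid)}",
        "\tkey_mgmt=WPA-EAP",
        "\teap=TTLS",
        f"\tidentity={quoted(identity)}",
        f"\tpassword={quoted(password)}",
        f"\tphase2={quoted(phase2_string(keyword, method))}",
    ]
    if anonymous_identity:
        # Outer identity is sent in the clear; keep the real username in the tunnel.
        lines.append(f"\tanonymous_identity={quoted(anonymous_identity)}")
    if ca_cert:
        lines.append(f"\tca_cert={quoted(ca_cert)}")
    # Without ca_cert nothing authenticates the server: a rogue AP presenting any
    # certificate terminates the tunnel and receives the inner PAP password.
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for inner in MAEMO_INNER:
        print(ttls_network_block("corp-wlan", "alice", "s3cret", inner,
                                 ca_cert="/etc/ssl/certs/corp-ca.pem"))
        print()
```

Running the module prints one block per Maemo selection; the EAP_TTLS_MS and EAP_MS blocks differ only in `auth=` versus `autheap=`, which is exactly the distinction the gconfmap.c XXX comment quoted above glosses over.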
MerlijnWajer commented 6 years ago

PAP inner auth should now work properly. There are still UI changes to make, as well as other methods to support, but I'm closing this ticket. I've linked to this ticket from other tickets where relevant (because of the background information).