generate_state() in rlm_eap module generates duplicate state ?

Alan DeKok aland at deployingradius.com
Wed Sep 26 01:23:01 CEST 2007


Vinay Wagh wrote
> Which is why it took me some time to figure this out. What I did was
> added debug code in rbtree_insert to print out contents of the node if a
> duplicate node existed. In the logs I saw that the node had the same
> state but a different identity.

  Ok.  That shouldn't be happening.  It may be an internal race
condition in the server.

> The reason I started debugging this problem is because I started getting
> Access-Reject without RADIUS_ATTR_MESSAGE_AUTHENTICATOR which is a
> seperate attribute in the radius message.

  Yes... Please also use the common name "Message-Authenticator".
RADIUS_ATTR_MESSAGE_AUTHENTICATOR is an implementation-specific name on
your system.

> I also observed that some
> reply's from the radius server had this field but it did not match the
> authenticator in the original request.

  That statement makes no sense.  The Message-Authenticator attribute is
not supposed to be matched with anything.  Are you saying that it fails
validation on the client?

> Then I tried to link this to the
> problem I found and I think it is possible if we generate the same
> state. Assume that after the server sends the access challenge the
> radius server fails to insert the handler because there is already a
> duplicate and then before it gets rid of the duplicate handler the
> client replies. In this case the radius server will try to look for the
> handler and actually find it since the id, ip addr and state is the same
> but the identity is different. It can then use that context to reply to
> this request in which case the fields may not match. If the radius
> server had already replied to the duplicate handler then it will not
> find the handler that for our current request and send an Access-Reject.

  OK...

> So whether we get an Access-Reject or a reply with invalid message
> authenticator depends on the timing of whether the radius server still
> has the duplicate context or not. Is that possible though ?

  I can understand why it would send an Access-Reject.  I don't
understand why it would reply with an invalid Message-Authenticator.
The calculation for Message-Authenticator is done in src/lib/radius.c,
which is independent of any issues in rlm_eap.

> Thats true, but how do we deal with this as a general solution ? If the
> product we build needs to sit in a network where they have deployed free
> radius we cannot modify their code and will need a solution from the
> freeradius community.  I seems like we need to investigate the 
> generate_state() function and see if we really generate random states.

  If it's a bug in FreeRADIUS, it needs to be fixed.  The fact that this
is seen only for 1000 EAP packets/s indicates it might be a race condition.

  i.e. there are few systems currently handling 1000 EAP packets/s.
Even in your test, I suspect it's doing EAP-MD5.  If not, it's doing
another non-TLS EAP method.  If it is doing a TLS method, then either it
has hardware acceleration, or you have *huge* amounts of CPU power
available to the RADIUS server.

> I have uploaded the log file you can download it at 
> http://download.yousendit.com/D1B4E30A06784505 (its 3MB and I was not
> sure if I would get flamed for attaching it, it will be available for 14
> days at this location). Here are the important line numbers

  Ok.

  As a potential work-around, try editing src/include/libradius.h.  Look
for the lrad_randctx structure, and change every entry from:

	uint32_t ...
 to
	uint32_t volatile ...

  That *might* help.  If it does, I'll commit the change.

  Alan DeKok.



More information about the Freeradius-Users mailing list