Proxying EAP-TTLS requests via 2.1.0 to 1.1.7

Peter Eriksson peter at ifm.liu.se
Tue Sep 30 13:41:25 CEST 2008



Alan DeKok wrote:
> Peter Eriksson wrote:
>> Any suggestions on where I should start adding debugging
>> printf's/debugger checkpoints in order to try to pin-point
>> this problem?
> 
>   src/lib/radius.c, rad_encode, and the attr2vp functions.
> 
>> Am I correct in assuming the keys in question are generated in
>> src/modules/rlm_eap/libeap/mppe_keys.c:151 via a call to the local
>> function add_reply?
> 
>   Yes.  But the MPPE keys are the correct length.  The problem comes
> when they are encoded in the packet.  There's an extra "0" byte added to
> the start.  Maybe because it thinks the attribute is tagged?

I've been adding debugging DEBUG() calls to various parts of the
code in order to try to pinpoint this problem. Here's a status
report of what I've found so far. The interesting part is in
the output below, I think.

Notice the following, which I feel are a bit 'suspect' and which
happen in the rad_vp2attr() function:


1. dv->flags=808989706
2. vp->attribute=20381713

This is printed in the code around:

		/*
		 *	This must be an RFC-format attribute.  If it
		 *	wasn't, then the "decode" function would have
		 *	made a Vendor-Specific attribute (i.e. type
		 *	26), and we would have "vendorcode == 0" here.
		 */
		if (dv) {
			vsa_tlen = dv->type;
			vsa_llen = dv->length;
			if (dv->flags) vsa_offset = 1;
			DEBUG("PETER: dv->flags=%d\n", dv->flags);
		}

		DEBUG("PETER: rad_vp2attr: vendorcode=%d, vsa_tlen=%d, vsa_llen=%d, vsa_offset=%d, vp->attribute=%d\n",
		      vendorcode, vsa_tlen, vsa_llen, vsa_offset,
		      vp->attribute);
		

With dv->flags set to '808989706' then vsa_offset is set to 1, and then
a bit down in the code this happens (notice the 'ptr[0] = 0x00;' - could
this be where the mysterious 0x00-byte gets added?):

		if (vsa_offset) {
			/*
			 *	Allow TLV's to be encoded, if someone
			 *	manages to somehow encode the sub-tlv's.
			 *
			 *	FIXME: Keep track of room in the packet!
			 */
			if (vp->length > (254 - (ptr - start))) {
			    DEBUG("PETER: rad_vp2attr: Calling rad_vp2continuation\n");
				return rad_vp2continuation(vp, start, ptr);
			}

			ptr[0] = 0x00;
			ptr++;

			/*
			 *	sub-TLV's can only be in one format.
			 */
			if (vp->flags.is_tlv) {
			    DEBUG("PETER: rad_vp2attr: vp->flags.is_tlv=%d\n",
				  vp->flags.is_tlv);
			
				*(ptr++) = (vp->attribute & 0xff00) >> 8;
				tlv_length_ptr = ptr;
				*(ptr++) = 2;
				vsa_offset += 2;




Output from the server when running with my DEBUG() calls added:


Sending Access-Accept of id 5 to 192.168.160.158 port 2299
        MS-MPPE-Recv-Key = 0x3b7338c7c2942aa068f6b52ba9616e0b6daf553595483804575f70c3910b49e4
PETER: rad_vp2attr: start=ffffffff7fffc344
PETER: dv->flags=808989706
PETER: rad_vp2attr: vendorcode=311, vsa_tlen=1, vsa_llen=1, vsa_offset=1, vp->attribute=20381713
PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
PETER: vp2data: offset=0, room=246, vp->length=32, vp->flags.encrypt=2
PETER: make_tunnel_passwd: inlen=32, room=246
PETER: make_tunnel_passwd: adjusted len=48
        MS-MPPE-Send-Key = 0x6a238a9b2f97d43cfef37c80bc88309fc843d571dd97316b3754d0dee7c8754a
PETER: rad_vp2attr: start=ffffffff7fffc37f
PETER: dv->flags=808989706
PETER: rad_vp2attr: vendorcode=311, vsa_tlen=1, vsa_llen=1, vsa_offset=1, vp->attribute=20381712
PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
PETER: vp2data: offset=0, room=246, vp->length=32, vp->flags.encrypt=2
PETER: make_tunnel_passwd: inlen=32, room=246
PETER: make_tunnel_passwd: adjusted len=48
        EAP-Message = 0x03050004
PETER: rad_vp2attr: start=ffffffff7fffc3ba
PETER: rad_vp2attr: vendorcode=0
PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
PETER: vp2data: offset=0, room=253, vp->length=4, vp->flags.encrypt=0
        Message-Authenticator = 0x00000000000000000000000000000000
PETER: rad_vp2attr: start=ffffffff7fffc3c0
PETER: rad_vp2attr: vendorcode=0
PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
PETER: vp2data: offset=0, room=253, vp->length=16, vp->flags.encrypt=0
        User-Name = ""
PETER: rad_vp2attr: start=ffffffff7fffc3d2
PETER: rad_vp2attr: vendorcode=0
PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
PETER: vp2data: offset=0, room=253, vp->length=0, vp->flags.encrypt=0
PETER: rad_encode, packet data (162 bytes):
020500a26ac716ea68df22aa04b11b19748b4cd41a3b00000137113500812965b0fd4eab49fe3130
a05e5c23ba80f7165b2f81fab9a798cdd4d42ec06e85496fe978b1ece15c4eb60342e59fca50781a3b000001371035008edb28255c56fbc717358e4599af
b0ea6e99a802da0445c3d2ee12387d2ad9d31ce168bfeee5e3222881fd1d659ff1dcd3234f0603050004501200000000000000000000000000000000
Tue Sep 30 11:20:36 2008 : Debug: Finished request 5.


Ah well. Back to adding more DEBUG() calls to locate what's going on...

- Peter
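
Added example, not part of the original post and not FreeRADIUS code: a small C check that walks the 162-byte packet dumped above and flags MS-MPPE-Send-Key/Recv-Key attributes whose vendor-length does not fit the RFC 2548 layout (2-byte salt with its top bit set, then ciphertext in 16-byte blocks). The function names are hypothetical; vendor 311 and vendor types 16/17 are the Microsoft values from RFC 2548.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Packet bytes copied from the rad_encode dump in the post above. */
static const char PAGE_PACKET_HEX[] =
    "020500a26ac716ea68df22aa04b11b19748b4cd41a3b00000137113500812965b0fd4eab49fe3130"
    "a05e5c23ba80f7165b2f81fab9a798cdd4d42ec06e85496fe978b1ece15c4eb60342e59fca50781a3b000001371035008edb28255c56fbc717358e4599af"
    "b0ea6e99a802da0445c3d2ee12387d2ad9d31ce168bfeee5e3222881fd1d659ff1dcd3234f0603050004501200000000000000000000000000000000";

/* Decode a hex string into out; returns the byte count, or 0 on bad input. */
static size_t hex2bin(const char *hex, uint8_t *out, size_t max)
{
    size_t n = strlen(hex) / 2;
    unsigned b;
    if (strlen(hex) % 2 || n > max) return 0;
    for (size_t i = 0; i < n; i++, out++) {
        if (sscanf(hex + 2 * i, "%2x", &b) != 1) return 0;
        *out = (uint8_t)b;
    }
    return n;
}

/* Count MS-MPPE-Send-Key (16) / Recv-Key (17) VSAs that are not
 * "salt(2) + 16n ciphertext bytes". Returns -1 on a truncated packet. */
int count_bad_mppe(const uint8_t *p, size_t len)
{
    int bad = 0;
    if (len < 20 || (size_t)((p[2] << 8) | p[3]) != len) return -1;
    for (size_t off = 20; off + 2 <= len; ) {
        size_t alen = p[off + 1];
        if (alen < 2 || off + alen > len) return -1;
        const uint8_t *a = p + off;
        off += alen;
        if (a[0] != 26 || alen < 9) continue;       /* not a usable VSA */
        uint32_t vendor = ((uint32_t)a[2] << 24) | (a[3] << 16) | (a[4] << 8) | a[5];
        if (vendor != 311 || (a[6] != 16 && a[6] != 17)) continue;
        size_t body = a[7] >= 2 ? a[7] - 2u : 0;    /* bytes after vendor type/length */
        int ok = (size_t)a[7] + 6 == alen && body >= 18 &&
                 (body - 2) % 16 == 0 && (a[8] & 0x80);
        printf("MS-MPPE type %u: vendor-length=%u, first data byte=0x%02x: %s\n",
               a[6], a[7], a[8], ok ? "ok" : "MALFORMED");
        if (!ok) bad++;
    }
    return bad;
}

int check_page_packet(void)
{
    uint8_t buf[256];
    size_t n = hex2bin(PAGE_PACKET_HEX, buf, sizeof buf);
    return n ? count_bad_mppe(buf, n) : -1;
}
int main(void) { return check_page_packet() > 0; }
```

On the dump above both key attributes report vendor-length 53 with a first data byte of 0x00, one byte longer than the 52 a 48-byte encrypted key would give.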


