Proxying EAP-TTLS requests via 2.1.0 to 1.1.7

Peter Eriksson peter at ifm.liu.se
Tue Sep 30 13:59:47 CEST 2008


BINGO!

Found it. The bug is that function dict_addvendor() in src/lib/dict.c,
around line 440 is missing an initialization of dv->flags:

	dv->flags = 0;

If I add that then the Windows PC client successfully connects to the
WLAN station and authenticates correctly...

- Peter



> Notice the following that I feel are a bit 'suspect' that
> happens in the rad_vp2attr() function:
> 
> 
> 1. dv->flags=808989706
> 2. vp->attribute=20381713
> 
> This is printed in the code around:
> 
> 		/*
> 		 *	This must be an RFC-format attribute.  If it
> 		 *	wasn't, then the "decode" function would have
> 		 *	made a Vendor-Specific attribute (i.e. type
> 		 *	26), and we would have "vendorcode == 0" here.
> 		 */
> 		if (dv) {
> 			vsa_tlen = dv->type;
> 			vsa_llen = dv->length;
> 			if (dv->flags) vsa_offset = 1;
> 			DEBUG("PETER: dv->flags=%d\n", dv->flags);
> 		}
> 
> 		DEBUG("PETER: rad_vp2attr: vendorcode=%d, vsa_tlen=%d, vsa_llen=%d, vsa_offset=%d, vp->attribute=%d\n",
> 		      vendorcode, vsa_tlen, vsa_llen, vsa_offset,
> 		      vp->attribute);
> 		
> 
> With dv->flags set to '808989706' then vsa_offset is set to 1, and then
> a bit down in the code this happens (notice the 'ptr[0] = 0x00;' - could
> this be where the mysterious 0x00-byte gets added?):
> 
> 		if (vsa_offset) {
> 			/*
> 			 *	Allow TLV's to be encoded, if someone
> 			 *	manages to somehow encode the sub-tlv's.
> 			 *
> 			 *	FIXME: Keep track of room in the packet!
> 			 */
> 			if (vp->length > (254 - (ptr - start))) {
> 			    DEBUG("PETER: rad_vp2attr: Calling rad_vp2continuation\n");
> 				return rad_vp2continuation(vp, start, ptr);
> 			}
> 
> 			ptr[0] = 0x00;
> 			ptr++;
> 
> 			/*
> 			 *	sub-TLV's can only be in one format.
> 			 */
> 			if (vp->flags.is_tlv) {
> 			    DEBUG("PETER: rad_vp2attr: vp->flags.is_tlv=%d\n",
> 				  vp->flags.is_tlv);
> 			
> 				*(ptr++) = (vp->attribute & 0xff00) >> 8;
> 				tlv_length_ptr = ptr;
> 				*(ptr++) = 2;
> 				vsa_offset += 2;
> 
> 
> 
> 
> Output from the server when running with my DEBUG() calls added:
> 
> 
> Sending Access-Accept of id 5 to 192.168.160.158 port 2299
>         MS-MPPE-Recv-Key =
> 0x3b7338c7c2942aa068f6b52ba9616e0b6daf553595483804575f70c3910b49e4
> PETER: rad_vp2attr: start=ffffffff7fffc344
> PETER: dv->flags=808989706
> PETER: rad_vp2attr: vendorcode=311, vsa_tlen=1, vsa_llen=1,
> vsa_offset=1, vp->attribute=20381713
> PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
> PETER: vp2data: offset=0, room=246, vp->length=32, vp->flags.encrypt=2
> PETER: make_tunnel_passwd: inlen=32, room=246
> PETER: make_tunnel_passwd: adjusted len=48
>         MS-MPPE-Send-Key =
> 0x6a238a9b2f97d43cfef37c80bc88309fc843d571dd97316b3754d0dee7c8754a
> PETER: rad_vp2attr: start=ffffffff7fffc37f
> PETER: dv->flags=808989706
> PETER: rad_vp2attr: vendorcode=311, vsa_tlen=1, vsa_llen=1,
> vsa_offset=1, vp->attribute=20381712
> PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
> PETER: vp2data: offset=0, room=246, vp->length=32, vp->flags.encrypt=2
> PETER: make_tunnel_passwd: inlen=32, room=246
> PETER: make_tunnel_passwd: adjusted len=48
>         EAP-Message = 0x03050004
> PETER: rad_vp2attr: start=ffffffff7fffc3ba
> PETER: rad_vp2attr: vendorcode=0
> PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
> PETER: vp2data: offset=0, room=253, vp->length=4, vp->flags.encrypt=0
>         Message-Authenticator = 0x00000000000000000000000000000000
> PETER: rad_vp2attr: start=ffffffff7fffc3c0
> PETER: rad_vp2attr: vendorcode=0
> PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
> PETER: vp2data: offset=0, room=253, vp->length=16, vp->flags.encrypt=0
>         User-Name = ""
> PETER: rad_vp2attr: start=ffffffff7fffc3d2
> PETER: rad_vp2attr: vendorcode=0
> PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
> PETER: vp2data: offset=0, room=253, vp->length=0, vp->flags.encrypt=0
> PETER: rad_encode, packet data (162 bytes):
> 020500a26ac716ea68df22aa04b11b19748b4cd41a3b00000137113500812965b0fd4eab49fe3130
> a05e5c23ba80f7165b2f81fab9a798cdd4d42ec06e85496fe978b1ece15c4eb60342e59fca50781a3b000001371035008edb28255c56fbc717358e4599af
> b0ea6e99a802da0445c3d2ee12387d2ad9d31ce168bfeee5e3222881fd1d659ff1dcd3234f0603050004501200000000000000000000000000000000
> Tue Sep 30 11:20:36 2008 : Debug: Finished request 5.
> 
> 
> Ah well. Back to adding more DEBUG() calls to locate what's going on...
> 
> - Peter
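The failure mode diagnosed in this post, as an added example that is not part of the original message and is not FreeRADIUS code: a vendor entry whose flags field keeps stale heap bytes makes the encoder emit one extra 0x00 byte, which grows the vendor length from 0x34 to 0x35 and the attribute length from 58 to 59 (the 0x3b in the packet dump above). The names vendor_t, stale_malloc, add_vendor and encode_vsa are hypothetical, and the heap residue is constructed with a fixed fill so the result is deterministic.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified vendor entry; not FreeRADIUS's real struct. */
typedef struct {
    unsigned int vendorpec;
    int type, length;   /* widths of the vendor type and length fields */
    int flags;          /* non-zero selects the extended encoding */
} vendor_t;

/* Constructed heap residue: reading truly uninitialized memory is undefined
 * behaviour, so the stale bytes a recycled malloc() chunk may hold are
 * simulated with a fixed non-zero fill. */
static void *stale_malloc(size_t n)
{
    void *p = malloc(n);
    if (p) memset(p, 0x30, n);
    return p;
}

/* fixed == 0 models the missing initialization, fixed != 0 the one-line fix. */
vendor_t *add_vendor(unsigned int pec, int fixed)
{
    vendor_t *dv = stale_malloc(sizeof(*dv));
    if (!dv) return NULL;
    dv->vendorpec = pec;
    dv->type = 1;
    dv->length = 1;
    if (fixed) dv->flags = 0;
    return dv;
}

/* Encode one VSA in the byte order seen in the post's packet dump:
 * 26, len, vendor id (4), vendor type, vendor len, [0x00 if flags], data.
 * Caller guarantees dlen <= 240 and room in out. Returns bytes written. */
size_t encode_vsa(const vendor_t *dv, uint8_t vtype,
                  const uint8_t *data, uint8_t dlen, uint8_t *out)
{
    uint8_t *ptr = out + 2;            /* type and length are filled in last */
    uint32_t pec = dv->vendorpec;
    *ptr++ = pec >> 24; *ptr++ = pec >> 16; *ptr++ = pec >> 8; *ptr++ = pec;
    *ptr++ = vtype;
    uint8_t *vlen = ptr++;
    if (dv->flags) *ptr++ = 0x00;      /* the stray byte */
    memcpy(ptr, data, dlen);
    ptr += dlen;
    *vlen = (uint8_t)(ptr - (vlen - 1));   /* vendor type + len + payload */
    out[0] = 26;                       /* Vendor-Specific */
    out[1] = (uint8_t)(ptr - out);
    return (size_t)(ptr - out);
}
```

A receiver that expects the standard layout reads that 0x00 as the first byte of the attribute value, so the fix belongs where the entry is created rather than in the encoder.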