reauth-problem with WPA2-tls

Andreas Hartmann andihartmann at 01019freenet.de
Fri Jun 4 23:18:14 CEST 2010


Hello,

well, I thought about the problem with reauth: Why must there be passwords
in the session? EAP/TLS doesn't need any passwords to be exchanged.
The passphrase stays local.

That's why it shouldn't be necessary to have these keys in the session or
in the response (the client didn't send any password either).

At the moment of adding the Password to the session, the handshake has been done already.


from src/modules/rlm_eap/libeap/eap_tls.c (original):

-------------------------------------------------------------------------------------------------------------------------
	} else if (!SSL_session_reused(tls_session->ssl)) {
		RDEBUG2("Saving response in the cache");
		
		vp = paircopy2(request->reply->vps, PW_USER_NAME);
		pairadd(&vps, vp);
		
		vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME);
		pairadd(&vps, vp);
		
		if (vps) {
			SSL_SESSION_set_ex_data(tls_session->ssl->session,
						eaptls_session_idx, vps);
		} else {
			RDEBUG2("WARNING: No information to cache: session caching will be disabled for this session.");
			SSL_CTX_remove_session(tls_session->ctx,
					       tls_session->ssl->session);
		}

		/*
		 *	Else the session WAS allowed.  Copy the cached
		 *	reply.
		 */

	} else {
	
		vp = SSL_SESSION_get_ex_data(tls_session->ssl->session,
					     eaptls_session_idx);
		if (!vp) {
			RDEBUG("WARNING: No information in cached session!");
			return eaptls_fail(handler, peap_flag);
		} else {
			RDEBUG("Adding cached attributes to the reply:");
			debug_pair_list(vp);
			pairadd(&request->reply->vps, paircopy(vp));

			/*
			 *	Mark the request as resumed.
			 */
			vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
			if (vp) pairadd(&request->packet->vps, vp);
		}
	}
-----------------------------------------------------------------------------------------------------------------------------------


Therefore, I made the following change (-> for testing only!!!!
This should be used only with EAP/TLS for testing - no warranty!):


-----------------------------------------------------------------------------------------------------------------------------------
	} else if (!SSL_session_reused(tls_session->ssl)) {
		RDEBUG2("Saving response in the cache");
		
		vp = paircopy2(request->reply->vps, PW_USER_NAME);
		pairadd(&vps, vp);
		
		vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME);
		pairadd(&vps, vp);
		
		if (vps) {
			SSL_SESSION_set_ex_data(tls_session->ssl->session,
						eaptls_session_idx, vps);
		} else {
			RDEBUG2("WARNING: No information to cache: session caching will be disabled for this session.");
			SSL_CTX_remove_session(tls_session->ctx,
					       tls_session->ssl->session);
		}

		/*
		 *	Else the session WAS allowed.  Copy the cached
		 *	reply.
		 */

	} else {
	
		vp = SSL_SESSION_get_ex_data(tls_session->ssl->session,
					     eaptls_session_idx);
		if (!vp) {
			// here should be a check for the authentication type EAP/tls,
			// because I'm not sure, if this code is used exclusively for eap/tls
			RDEBUG("WARNING: No information in cached session!");
			vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
			if (vp) {
				pairadd(&request->packet->vps, vp);
				RDEBUG("WARNING: Missing session-data ignored!");
			}
			else {
				RDEBUG("WARNING: Couldn't set EAP-Session-Resumed data!");
				return eaptls_fail(handler, peap_flag);
			}
		} else {
			RDEBUG("Adding cached attributes to the reply:");
			debug_pair_list(vp);
			pairadd(&request->reply->vps, paircopy(vp));

			/*
			 *	Mark the request as resumed.
			 */
			vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
			if (vp) pairadd(&request->packet->vps, vp);
		}
	}
-----------------------------------------------------------------------------------------------------------------------------------


That's what is sent to the client after this process:

Sending Access-Accept of id 52 to 192.168.1.9 port 2048
        MS-MPPE-Recv-Key = 0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        MS-MPPE-Send-Key = 0xyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
        EAP-Message = 0x03020004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "myuser at mydom.it"


Kind regards,
Andreas Hartmann
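Added example (not from the post and not FreeRADIUS code): a small C model of the two resumption policies in the eap_tls.c excerpts above, the original fail-closed one and the patched fail-open one. Assumptions of the model: a static table stands in for the OpenSSL session cache plus the eaptls_session_idx ex_data, a struct of two strings stands in for the VALUE_PAIR list, and on resumption the cache is the only source of reply attributes; cache_after_full_handshake(), drop_cached_attrs(), resume_session() and the demo_id constants are all invented here. The model does not explain how a cached session ends up without ex_data; drop_cached_attrs() only reproduces the state behind the "No information in cached session!" line.

```c
/* Added example, not FreeRADIUS code: a model of the session-cache logic in
 * the eap_tls.c excerpts. A static table stands in for the OpenSSL session
 * cache plus its eaptls_session_idx ex_data; a struct of two strings stands
 * in for the VALUE_PAIR list. Assumption: on resumption the cache is the only
 * source of reply attributes. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 8
#define ID_LEN 32
#define NAME_LEN 64

struct cached_attrs {            /* what the full handshake saved (vps) */
    char user_name[NAME_LEN];
    char stripped_user_name[NAME_LEN];
};

struct session_slot {            /* one SSL_SESSION plus its ex_data */
    bool in_use;
    unsigned char id[ID_LEN];
    bool has_attrs;              /* ex_data present? */
    struct cached_attrs attrs;
};

static struct session_slot cache[MAX_SESSIONS];

/* Constructed session ids for the demo. */
const unsigned char demo_id[ID_LEN] = { 0x01 };
const unsigned char demo_id_empty[ID_LEN] = { 0x02 };

enum resume_policy {
    RESUME_FAIL_CLOSED,  /* original: no cached data -> eaptls_fail() */
    RESUME_FAIL_OPEN     /* the test patch: no cached data -> resume anyway */
};

enum resume_result { RESUME_NOT_IN_CACHE, RESUME_REJECTED, RESUME_ACCEPTED };

struct radius_reply {            /* outcome as the NAS would see it */
    enum resume_result result;
    bool session_resumed;        /* EAP-Session-Resumed = 1 was added */
    int attrs_copied;            /* cached attributes copied into the reply */
};

static struct session_slot *find_session(const unsigned char *id)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (cache[i].in_use && memcmp(cache[i].id, id, ID_LEN) == 0)
            return &cache[i];
    return NULL;
}

static struct session_slot *alloc_session(const unsigned char *id)
{
    struct session_slot *s = find_session(id);
    if (s) return s;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!cache[i].in_use) {
            memset(&cache[i], 0, sizeof cache[i]);
            cache[i].in_use = true;
            memcpy(cache[i].id, id, ID_LEN);
            return &cache[i];
        }
    }
    return NULL;
}

/* The "!SSL_session_reused" branch: cache the attributes, or, when there is
 * nothing to cache, remove the session (SSL_CTX_remove_session) so a later
 * attempt cannot resume it. NULL means the attribute was absent.
 * Returns true when the session stays in the cache. */
bool cache_after_full_handshake(const unsigned char *id,
                                const char *user_name, const char *stripped)
{
    struct session_slot *s = alloc_session(id);
    if (!s) return false;
    if (!user_name && !stripped) {
        s->in_use = false;               /* caching disabled for this session */
        return false;
    }
    s->has_attrs = true;
    snprintf(s->attrs.user_name, NAME_LEN, "%s", user_name ? user_name : "");
    snprintf(s->attrs.stripped_user_name, NAME_LEN, "%s", stripped ? stripped : "");
    return true;
}

/* Reproduces the state behind "No information in cached session!":
 * the session is still cached but its ex_data is gone. */
void drop_cached_attrs(const unsigned char *id)
{
    struct session_slot *s = find_session(id);
    if (s) s->has_attrs = false;
}

/* The final "else" branch, under either policy. */
struct radius_reply resume_session(const unsigned char *id, enum resume_policy policy)
{
    struct radius_reply r = { RESUME_NOT_IN_CACHE, false, 0 };
    struct session_slot *s = find_session(id);
    if (!s) return r;                        /* full handshake required */
    if (!s->has_attrs) {
        if (policy == RESUME_FAIL_CLOSED) {
            r.result = RESUME_REJECTED;      /* eaptls_fail() */
            return r;
        }
        r.result = RESUME_ACCEPTED;          /* resumed with nothing to copy */
        r.session_resumed = true;
        return r;
    }
    r.result = RESUME_ACCEPTED;
    r.session_resumed = true;
    if (s->attrs.user_name[0]) r.attrs_copied++;
    if (s->attrs.stripped_user_name[0]) r.attrs_copied++;
    return r;
}

int main(void)
{
    cache_after_full_handshake(demo_id, "myuser@mydom.it", "myuser");
    struct radius_reply r = resume_session(demo_id, RESUME_FAIL_CLOSED);
    printf("with cached data:     result=%d resumed=%d copied=%d\n",
           r.result, r.session_resumed, r.attrs_copied);
    drop_cached_attrs(demo_id);
    r = resume_session(demo_id, RESUME_FAIL_CLOSED);
    printf("fail-closed, no data: result=%d\n", r.result);
    r = resume_session(demo_id, RESUME_FAIL_OPEN);
    printf("fail-open, no data:   result=%d resumed=%d copied=%d\n",
           r.result, r.session_resumed, r.attrs_copied);
    return 0;
}
```

The first scenario is the normal "Adding cached attributes to the reply" path. The second is what the unpatched code does when the ex_data is missing: the resumption is rejected and the client falls back to a full handshake. The third is what the test patch accepts: EAP-Session-Resumed is set but zero cached attributes reach the reply, so anything downstream that keys off attributes saved at full-handshake time silently runs without them. That is the reason the post's own comment about restricting the change to EAP/TLS, and a check on what the reply actually needs, matter before relying on it.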
