Certificate problem between 3.0.11 and 3.1.x

Matthew Newton mcn4 at leicester.ac.uk
Sat Mar 19 01:03:39 CET 2016


On Fri, Mar 18, 2016 at 11:22:53PM +0000, Matthew Newton wrote:
> On Fri, Mar 18, 2016 at 12:02:40PM +0000, Matthew Newton wrote:
> > On Fri, Mar 18, 2016 at 09:23:20AM +0000, Scott Armitage wrote:
> > > Alan Buxey and myself have spent some time and believe we have tracked down the commit which broke EAP:
> > > 
> > > commit 8a7f6e330f45439d333f61dde7ee0982ebcc2a29
> > > Author: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> > > Date:   Sun Dec 6 00:34:21 2015 -0500
> > > 
> > >     Add additional debugging so we can track TLS fragments sent
> > 
> > Hmm. If that's the case, then the bug is probably to do with the
> > length included flag and the length of the packet.

> My hypothesis would be a supplicant bug that sees the Length flag
> set so erroneously expects more packets, but that should not be
> the case because M was not set. It certainly works fine in
> eapol_test both pre- and post-8a7f6e330f, so it seems down to the
> way the particular supplicant processes the reply.

OK... *don't try this at home, kids*.

Drop this into your outer post-auth{} section and try again.

        Post-Auth-Type Challenge {
                debug_reply
                if (&reply:EAP-Message =~ /^0x(....00)(..)1980........(.*)$/) {
                        update control {
                                Tmp-String-1 := "%{2}"
                                Tmp-Integer-1 := "0x%{control:Tmp-String-1}"
                                Tmp-Integer-1 := "%{expr: %{control:Tmp-Integer-1} - 4}"
                                Tmp-String-1 := "%{1}"
                                Tmp-String-2 := "%{hex:&control:Tmp-Integer-1}"
                                Tmp-String-3 := "%{3}"
                        }
                        if (&control:Tmp-String-2 =~ /^000000(..)$/) {
                                update control {
                                        Tmp-String-2 := "%{1}"
                                }
                        }
                        update reply {
                                EAP-Message := "0x%{control:Tmp-String-1}%{control:Tmp-String-2}1900%{control:Tmp-String-3}"
                        }
                }
                debug_reply
        }

You should see EAP-Message will sometimes get transformed from e.g.

  EAP-Message = 0x010a002f198000000025170301...

to

  EAP-Message = 0x010a002b1900170301...

If it now works, that shows the extra L flag and length are causing the problem.

If it doesn't work, you get to keep ALL the pieces, and it proves nothing.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
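The rewrite in the unlang snippet above, as an added Python example that is not part of the original post or of FreeRADIUS: it decodes the EAP header and the EAP-TLS/PEAP flags byte, and applies the same transform (clear L, drop the 4-byte TLS length, shrink the EAP length by 4) only when M is not set. The function names and the sample packet are assumptions made here; the sample mirrors the hex prefix quoted in the post, padded with zeros.

```python
import struct

EAP_TYPE_PEAP = 25                            # type 0x19 in the post's dumps
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20     # EAP-TLS/PEAP flags byte

def parse_eap_tls(pkt: bytes) -> dict:
    """Decode code/id/length, the EAP type, the flags byte and, when the
    L flag is set, the 4-byte TLS message length that follows it."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length {length} != packet size {len(pkt)}")
    eap_type, flags, body = pkt[4], pkt[5], pkt[6:]
    tls_len = None
    if flags & FLAG_L:
        tls_len = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    return {"code": code, "id": ident, "length": length, "type": eap_type,
            "L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M),
            "S": bool(flags & FLAG_S), "tls_len": tls_len, "data": body}

def strip_length_flag(pkt: bytes) -> bytes:
    """Same rewrite as the unlang snippet: when L is set but M is clear,
    clear L, remove the TLS length field and reduce the EAP length by 4.
    Packets without L, or fragments with M set, are returned unchanged."""
    p = parse_eap_tls(pkt)
    if p["type"] != EAP_TYPE_PEAP or not p["L"] or p["M"]:
        return pkt
    new_flags = pkt[5] & (0xFF ^ FLAG_L)
    hdr = struct.pack("!BBHBB", p["code"], p["id"], p["length"] - 4,
                      p["type"], new_flags)
    return hdr + p["data"]

# Constructed sample (not a real capture): header bytes follow the post's
# "0x010a002f198000000025170301..." dump; the TLS record is zero-padded
# to the 0x25 = 37 bytes announced in the length field.
TLS_RECORD = bytes.fromhex("170301") + b"\x00" * 34
SAMPLE = struct.pack("!BBHBBI", 1, 0x0A, 47, EAP_TYPE_PEAP, FLAG_L, 37) + TLS_RECORD

if __name__ == "__main__":
    print(SAMPLE.hex()[:28], "->", strip_length_flag(SAMPLE).hex()[:20])
```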

