BINGO!

Found it. The bug is that function dict_addvendor() in src/lib/dict.c,
around line 440, is missing an initialization of dv->flags:

        dv->flags = 0;

If I add that then the Windows PC client successfully connects to the
WLAN station and authenticates correctly...

- Peter



> Notice the following that I feel are a bit 'suspect' that
> happens in the rad_vp2attr() function:
> 
> 
> 1. dv->flags=808989706
> 2. vp->attribute=20381713
> 
> This is printed in the code around:
> 
>               /*
>                *      This must be an RFC-format attribute.  If it
>                *      wasn't, then the "decode" function would have
>                *      made a Vendor-Specific attribute (i.e. type
>                *      26), and we would have "vendorcode == 0" here.
>                */
>               if (dv) {
>                       vsa_tlen = dv->type;
>                       vsa_llen = dv->length;
>                       if (dv->flags) vsa_offset = 1;
>                       DEBUG("PETER: dv->flags=%d\n", dv->flags);
>               }
> 
>               DEBUG("PETER: rad_vp2attr: vendorcode=%d, vsa_tlen=%d, vsa_llen=%d, "
>                     "vsa_offset=%d, vp->attribute=%d\n",
>                     vendorcode, vsa_tlen, vsa_llen, vsa_offset,
>                     vp->attribute);
>               
> 
> With dv->flags set to '808989706' then vsa_offset is set to 1, and then
> a bit down in the code this happens (notice the 'ptr[0] = 0x00;' - could
> this be where the mysterious 0x00-byte gets added?):
> 
>               if (vsa_offset) {
>                       /*
>                        *      Allow TLV's to be encoded, if someone
>                        *      manages to somehow encode the sub-tlv's.
>                        *
>                        *      FIXME: Keep track of room in the packet!
>                        */
>                       if (vp->length > (254 - (ptr - start))) {
>                           DEBUG("PETER: rad_vp2attr: Calling rad_vp2continuation\n");
>                               return rad_vp2continuation(vp, start, ptr);
>                       }
> 
>                       ptr[0] = 0x00;
>                       ptr++;
> 
>                       /*
>                        *      sub-TLV's can only be in one format.
>                        */
>                       if (vp->flags.is_tlv) {
>                           DEBUG("PETER: rad_vp2attr: vp->flags.is_tlv=%d\n",
>                                 vp->flags.is_tlv);
>                       
>                               *(ptr++) = (vp->attribute & 0xff00) >> 8;
>                               tlv_length_ptr = ptr;
>                               *(ptr++) = 2;
>                               vsa_offset += 2;
> 
> 
> 
> 
> Output from the server when running with my DEBUG() calls added:
> 
> 
> Sending Access-Accept of id 5 to 192.168.160.158 port 2299
>         MS-MPPE-Recv-Key =
> 0x3b7338c7c2942aa068f6b52ba9616e0b6daf553595483804575f70c3910b49e4
> PETER: rad_vp2attr: start=ffffffff7fffc344
> PETER: dv->flags=808989706
> PETER: rad_vp2attr: vendorcode=311, vsa_tlen=1, vsa_llen=1,
> vsa_offset=1, vp->attribute=20381713
> PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
> PETER: vp2data: offset=0, room=246, vp->length=32, vp->flags.encrypt=2
> PETER: make_tunnel_passwd: inlen=32, room=246
> PETER: make_tunnel_passwd: adjusted len=48
>         MS-MPPE-Send-Key =
> 0x6a238a9b2f97d43cfef37c80bc88309fc843d571dd97316b3754d0dee7c8754a
> PETER: rad_vp2attr: start=ffffffff7fffc37f
> PETER: dv->flags=808989706
> PETER: rad_vp2attr: vendorcode=311, vsa_tlen=1, vsa_llen=1,
> vsa_offset=1, vp->attribute=20381712
> PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
> PETER: vp2data: offset=0, room=246, vp->length=32, vp->flags.encrypt=2
> PETER: make_tunnel_passwd: inlen=32, room=246
> PETER: make_tunnel_passwd: adjusted len=48
>         EAP-Message = 0x03050004
> PETER: rad_vp2attr: start=ffffffff7fffc3ba
> PETER: rad_vp2attr: vendorcode=0
> PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
> PETER: vp2data: offset=0, room=253, vp->length=4, vp->flags.encrypt=0
>         Message-Authenticator = 0x00000000000000000000000000000000
> PETER: rad_vp2attr: start=ffffffff7fffc3c0
> PETER: rad_vp2attr: vendorcode=0
> PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
> PETER: vp2data: offset=0, room=253, vp->length=16, vp->flags.encrypt=0
>         User-Name = ""
> PETER: rad_vp2attr: start=ffffffff7fffc3d2
> PETER: rad_vp2attr: vendorcode=0
> PETER: rad_vp2attr: vp->flags.has_tag=0, vp->flags.tag=0
> PETER: vp2data: offset=0, room=253, vp->length=0, vp->flags.encrypt=0
> PETER: rad_encode, packet data (162 bytes):
> 020500a26ac716ea68df22aa04b11b19748b4cd41a3b00000137113500812965b0fd4eab49fe3130
> a05e5c23ba80f7165b2f81fab9a798cdd4d42ec06e85496fe978b1ece15c4eb60342e59fca50781a3b000001371035008edb28255c56fbc717358e4599af
> b0ea6e99a802da0445c3d2ee12387d2ad9d31ce168bfeee5e3222881fd1d659ff1dcd3234f0603050004501200000000000000000000000000000000
> Tue Sep 30 11:20:36 2008 : Debug: Finished request 5.
> 
> 
> Ah well. Back to adding more DEBUG() calls to locate what's going on...
> 
> - Peter
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
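
Added example, not part of the original messages and not FreeRADIUS code: a simplified model of the bug described in this thread, showing how a vendor entry whose flags field is never written makes the encoder insert the extra 0x00 byte seen in the packet dump (`1a3b00000137113500...`). The names `vendor_t`, `vendor_init_buggy`, `vendor_init_fixed`, `encode_vsa_header` and `demo` are hypothetical, the 0x30 fill is a constructed stand-in for reused heap memory, and the fixed variant zeroes the whole entry, which covers the one-line `dv->flags = 0;` fix.

```c
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for a dictionary vendor entry (not the FreeRADIUS struct). */
typedef struct {
    uint32_t vendorpec;   /* vendor id, 311 in the debug output */
    int type, length;     /* widths of the vendor type and length fields */
    int flags;            /* non-zero makes the encoder emit one extra byte */
} vendor_t;

/* Buggy init: flags is never written and keeps the slot's previous bytes. */
static void vendor_init_buggy(vendor_t *dv, uint32_t vendorpec)
{
    dv->vendorpec = vendorpec;
    dv->type = 1;
    dv->length = 1;
}

/* Fixed init: clear the whole entry first, then fill in the known fields. */
static void vendor_init_fixed(vendor_t *dv, uint32_t vendorpec)
{
    memset(dv, 0, sizeof(*dv));
    vendor_init_buggy(dv, vendorpec);
}

/* Write the VSA header for an n-byte value; returns the header size. */
static size_t encode_vsa_header(const vendor_t *dv, uint8_t vtype, size_t n, uint8_t *out)
{
    size_t extra = dv->flags ? 1 : 0;        /* mirrors "if (dv->flags) vsa_offset = 1" */
    uint8_t hdr[9] = { 26, (uint8_t)(8 + extra + n),
                       (uint8_t)(dv->vendorpec >> 24), (uint8_t)(dv->vendorpec >> 16),
                       (uint8_t)(dv->vendorpec >> 8), (uint8_t)dv->vendorpec,
                       vtype, (uint8_t)(2 + extra + n), 0x00 };
    memcpy(out, hdr, 8 + extra);             /* the ninth byte is the stray 0x00 */
    return 8 + extra;
}

/* Header for a 50-byte key value (2-byte salt + 48 encrypted bytes), vendor type 17. */
static size_t demo(int fixed, uint8_t *out)
{
    vendor_t slot;
    memset(&slot, 0x30, sizeof(slot));       /* constructed stale contents */
    if (fixed) vendor_init_fixed(&slot, 311); else vendor_init_buggy(&slot, 311);
    return encode_vsa_header(&slot, 17, 50, out);
}
```

With the stale slot the header comes out as `1a 3b 00 00 01 37 11 35 00`, matching the start of the first vendor attribute in the dump; with the zeroed slot it is `1a 3a 00 00 01 37 11 34` and the value follows directly.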