Using PEAP, proxy-inner-tunnel, use_tunneled_reply = yes and MS-CHAP-MPPE-Keys breaks stuff #1013

Closed
qnet-herwin opened this Issue May 15, 2015 · 1 comment

Projects

None yet

2 participants

@qnet-herwin
Contributor

I've got a server running with the following changes compared to vanilla:

  • mods-available/eap: change virtual_server to proxy-inner-tunnel, change use_tunneled_reply to yes (both in the section peap)
  • users: enable user bob, add MS-CHAP-MPPE-Keys := "0x00112233445566778899aabbccddeeff" as extra reply attribute
  • enable proxy-inner-tunnel virtual server

The addition of MS-CHAP-MPPE-Keys breaks things. The relevant parts of the logging:

# (14) is the packet sent in the proxy
(14) Sent Access-Accept Id 172 from 127.0.0.1:1812 to 127.0.0.1:53383 length 0
(14)   MS-CHAP-MPPE-Keys = 0x00112233445566778899aabbccddeeff
(14)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(14)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(14)   MS-MPPE-Send-Key = 0x90dec0482f4e19030a19e272668e4982
(14)   MS-MPPE-Recv-Key = 0x740d206d5db3758925e23aa851832868
(14)   EAP-Message = 0x030a0004
(14)   Message-Authenticator = 0x00000000000000000000000000000000
(14)   User-Name = 'bob'
(14)   Proxy-State = 0x3130
(14) Finished request
...
# (13) is the packet received in proxy-inner-tunnel
(13) Received Access-Accept Id 172 from 127.0.0.1:1812 to 127.0.0.1:53383 length 185
(13)   MS-CHAP-MPPE-Keys = 0x
(13)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(13)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(13)   MS-MPPE-Send-Key = 0x90dec0482f4e19030a19e272668e4982
(13)   MS-MPPE-Recv-Key = 0x740d206d5db3758925e23aa851832868
(13)   EAP-Message = 0x030a0004
(13)   Message-Authenticator = 0x89f4793a5af105e0cbb541497226751d
(13)   User-Name = 'bob'
(13)   Proxy-State = 0x3130
...
(15) Sent Access-Accept Id 11 from 127.0.0.1:1812 to 127.0.0.1:51946 length 0
(15)   MS-CHAP-MPPE-Keys = 0x
(15)   User-Name = 'bob'
(15)   MS-MPPE-Recv-Key = 0x0b4a833cab9e2a0975b89fb27204f8292d8ffad09c3c03c542173bb7d33e53d4
(15)   MS-MPPE-Send-Key = 0x8f9886bdb0796cd4f2ee84b0ed760d35077cfbb35312fb592bdcb818caa220f2
(15)   EAP-Message = 0x030b0004
(15)   Message-Authenticator = 0x00000000000000000000000000000000
(15) ERROR: Failed sending reply: ERROR: Cannot encode NULL data

MS-MPPE-Send-Key is an attribute of type octets where the setting encrypt=1 is added. Changing the type to string, removing the encrypt attribute, or changing the value of encrypt to 2 fixes the problem. I except that something in the en/decrypt logic can't handle this type correctly.

(And I fully agree that this case shouldn't have an MS-CHAP-MPPE-Keys attributes, because it isn't MSCHAP version 1. However, this still shouldn't break things)

@alandekok alandekok closed this in 8df8d1f May 15, 2015
@alandekok
Member

The fixes work. Sort of. If the MPPE-Key attribute has one or more zeros at the end, it will still get chopped. There really isn't much you can do about that.

The MS-MPPE-Send-Key use the Tunnel-Password encryption method, precisely to get around these kinds of issues. That method includes a "decrypted length" field, so the problem seen here is avoided.

@jpereira jpereira added a commit to jpereira/freeradius-server that referenced this issue May 15, 2015
@alandekok @jpereira alandekok + jpereira Shorten passwords from the end. Fixes #1013 e49c6cb
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment