eap_example not working with EAP-TLS and GnuTLS
Carolin Latze
carolin.latze
Wed Jun 24 08:19:04 PDT 2009
Hi all,
as I am trying to implement EAP-TLS with GnuTLS, Jouni raised the idea
to have a look into his EAP implementation, so I tried eap_example to
see whether it works. By default, eap_example does not use GnuTLS, so I
added the following options to its Makefile:
    CONFIG_TLS=gnutls
    ...
    # build the TLS/crypto glue against GnuTLS instead of the default back end
    ifeq ($(CONFIG_TLS), gnutls)
    CFLAGS += -DEAP_TLS_GNUTLS
    OBJS_both += ../src/crypto/tls_gnutls.o
    OBJS_both += ../src/crypto/crypto_gnutls.o
    LIBS += -lgnutls -lgnutls-extra
    LIBS += -lgcrypt
    endif
    ...
    # compile in the EAP-TLS server method
    CFLAGS += -DEAP_SERVER_TLS
The compiler does not give any errors using that modified Makefile. If I
execute eap_example as it is, it runs successfully and authenticates the
peer using PEAP/MSCHAPv2. But as I said, I wanted to test EAP-TLS :) So
I changed eap_example_server.c: EAP_TYPE_PEAP -> EAP_TYPE_TLS
and eap_example_peer.c:
    eap_ctx.eap_config.client_cert = (u8 *) os_strdup("client.pem");
    eap_ctx.eap_config.private_key = (u8 *) os_strdup("client.key");
The compiler gives no errors, but when I run eap_example like that I get:
EAP: Server state machine created
---[ server ]--------------------------------
EAP: EAP entering state INITIALIZE
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: no identity known yet -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 1
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 103
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
==> Request
---[ peer ]----------------------------------
EAP: EAP entering state IDLE
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=103 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=4):
75 73 65 72 user
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
==> Response
---[ server ]--------------------------------
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=103 respMethod=1 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
EAP-Identity: Peer identity - hexdump_ascii(len=4):
75 73 65 72 user
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: another method available -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 13
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 104
EAP-TLS: START -> CONTINUE
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
==> Request
---[ peer ]----------------------------------
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=104 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-TLS: Start
SSL: 84 bytes left to be sent out (of total 84 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
==> Response
---[ server ]--------------------------------
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=104 respMethod=13 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
SSL: Received packet(len=90) - Flags 0x00
SSL: Received packet: Flags 0x0 Message Length 0
tls_pull_func - 79 bytes remaining in pull_buf
tls_pull_func - pull_buf consumed
*tls_connection_handshake - gnutls_handshake failed -> Could not negotiate a supported cipher suite.*
SSL: TLS processing failed
EAP-TLS: CONTINUE -> FAILURE
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: method failed -> FAILURE
EAP: EAP entering state FAILURE
EAP: Building EAP-Failure (id=104)
==> Fail
---[ peer ]----------------------------------
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
---[ server ]--------------------------------
---[ peer ]----------------------------------
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
EAP: Server state machine removed
I found old mails on several lists that say that this error indicates
that client and server do not use the same ciphersuites, but as they
come from the same source, that cannot be the case here. I could imagine
that EAP-TLS requires ciphersuites that GnuTLS cannot provide (even if
that sounds strange); could that be?
I wrote my own TLS (no EAP, only TLS) test server and client, which are
working perfectly, and compared it to your code in tls_gnutls.c (the TLS
inside EAP should be the same as in TLS-only, or am I wrong?), but I
cannot see much difference. So it should work... What did I miss? Did
anybody test it? Or maybe there was a reason not to include gnutls in
eap_example/Makefile?
Carolin
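Added example (not hostapd/eap_example code, and not part of the post above): the quickest way to check the "do the two sides agree on a ciphersuite" theory is to look at what the peer actually put in its ClientHello. The decoder below strips the EAP and EAP-TLS framing (RFC 5216: EAP header, type 13, one flags byte, optional 4-byte TLS Message Length when the L flag is set), then walks the TLS record and handshake headers to the cipher_suites list. It only handles an unfragmented first record, which is all the 90-byte response in the log is (6 bytes of EAP/flags + 5-byte record header + the 79 bytes gnutls pulled). The two sample frames are constructed for this example: a 6-byte Start request like the one in the log, and a Response carrying a minimal TLS 1.0 ClientHello; the cipher suite code points are the IANA ones.

```c
/* eap_tls_hello.c - decode the EAP-TLS Response carrying the peer's
 * TLS ClientHello and list the cipher suites it offers. Added example,
 * not hostapd code. Build: cc -std=c99 -Wall -o eap_tls_hello eap_tls_hello.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAP_TYPE_TLS   13
#define EAP_TLS_FLAG_L 0x80  /* TLS Message Length field present */
#define EAP_TLS_FLAG_M 0x40  /* more fragments follow */
#define EAP_TLS_FLAG_S 0x20  /* EAP-TLS Start */
#define MAX_SUITES     64

struct hello_info {
    uint8_t  flags;           /* EAP-TLS flags byte */
    uint16_t record_version;  /* TLS record-layer version */
    uint16_t client_version;  /* highest version offered in the ClientHello */
    int      n_suites;
    uint16_t suites[MAX_SUITES];
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, a negative code on malformed or unsupported input. */
int parse_eap_tls_client_hello(const uint8_t *buf, size_t len, struct hello_info *out)
{
    size_t pos, end, n;

    memset(out, 0, sizeof(*out));
    if (len < 6 || (buf[0] != 1 && buf[0] != 2)) return -1;   /* EAP Request/Response */
    end = be16(buf + 2);                                       /* EAP Length */
    if (end < 6 || end > len || buf[4] != EAP_TYPE_TLS) return -2;
    out->flags = buf[5];
    pos = 6;
    if (out->flags & EAP_TLS_FLAG_S) return -3;   /* Start carries no TLS data */
    if (out->flags & EAP_TLS_FLAG_M) return -4;   /* reassembly not handled here */
    if (out->flags & EAP_TLS_FLAG_L) pos += 4;    /* skip TLS Message Length */

    /* TLS record header: ContentType(1) ProtocolVersion(2) length(2) */
    if (end < pos + 5 || buf[pos] != 0x16) return -5;          /* not Handshake */
    out->record_version = be16(buf + pos + 1);
    n = be16(buf + pos + 3);
    pos += 5;
    if (n > end - pos) return -6;
    end = pos + n;

    /* Handshake header: HandshakeType(1) length(3) */
    if (end < pos + 4 || buf[pos] != 0x01) return -7;          /* not ClientHello */
    n = ((size_t)buf[pos + 1] << 16) | ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
    pos += 4;
    if (n > end - pos) return -8;
    end = pos + n;

    /* ClientHello: client_version(2) random(32) session_id<0..32> cipher_suites<2..> */
    if (end < pos + 35) return -9;
    out->client_version = be16(buf + pos);
    pos += 34;
    n = buf[pos++];                                            /* session_id length */
    if (n > 32 || n > end - pos) return -10;
    pos += n;
    if (end < pos + 2) return -11;
    n = be16(buf + pos);                                       /* cipher_suites length */
    pos += 2;
    if ((n & 1) || n > end - pos) return -12;
    for (; n >= 2 && out->n_suites < MAX_SUITES; n -= 2, pos += 2)
        out->suites[out->n_suites++] = be16(buf + pos);
    return 0;
}

/* 1 if the peer offered `suite` (IANA code point, e.g. 0x002f), else 0. */
int offers_suite(const struct hello_info *h, uint16_t suite)
{
    for (int i = 0; i < h->n_suites; i++)
        if (h->suites[i] == suite) return 1;
    return 0;
}

/* Constructed sample frames (not captured from the session in the post). */
const uint8_t sample_start[] = { 0x01, 0x68, 0x00, 0x06, 0x0d, 0x20 };  /* Request, Flags 0x20 */
const uint8_t sample_response[] = {
    0x02, 0x68, 0x00, 0x3c, 0x0d,          /* Response, id 104, length 60, type 13 */
    0x00,                                  /* flags: no L/M/S */
    0x16, 0x03, 0x01, 0x00, 0x31,          /* record: Handshake, TLS 1.0, length 49 */
    0x01, 0x00, 0x00, 0x2d,                /* ClientHello, length 45 */
    0x03, 0x01,                            /* client_version TLS 1.0 */
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,   /* random (32 bytes, constructed) */
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
    0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
    0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
    0x00,                                  /* session_id length 0 */
    0x00, 0x06, 0x00, 0x2f, 0x00, 0x35, 0x00, 0x0a,   /* AES128-SHA, AES256-SHA, 3DES-SHA */
    0x01, 0x00                             /* compression_methods: null only */
};

int main(void)
{
    struct hello_info h;
    int rc = parse_eap_tls_client_hello(sample_response, sizeof sample_response, &h);
    if (rc != 0) { fprintf(stderr, "parse failed: %d\n", rc); return 1; }
    printf("flags=0x%02x record=0x%04x client_version=0x%04x\n",
           h.flags, h.record_version, h.client_version);
    for (int i = 0; i < h.n_suites; i++)
        printf("  cipher suite 0x%04x\n", h.suites[i]);
    return 0;
}
```

To use it on the real exchange, replace sample_response with the bytes of the peer's EAP-TLS Response (from a hexdump of the frame or a pcap) and compare the printed list with whatever the server side allows, for GnuTLS the priority string it is configured with (e.g. via gnutls_priority_set_direct()); an empty intersection is exactly the "Could not negotiate a supported cipher suite" case, and a parse error on a frame with the L or M flag set tells you the ClientHello was fragmented and needs reassembly first.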