EAP-TLV: Earlier failure - force failed Phase 2

Jouni Malinen j at w1.fi
Tue Jan 5 13:49:54 PST 2016

On Tue, Jan 05, 2016 at 12:01:57PM -0800, Adam Jacobs wrote:
> Complete log attached.

Thanks! This is a bit long for the mailing list, so I'll drop the
message from the moderation queue. Anyway, I do have the log and it was
indeed quite helpful.

This confirms that the cryptobinding works fine with TLS v1.2 in the
initial authentication. Furthermore, I was able to find what the server
did here with the keys exposed in the log.

The difference here is in the server going through the Phase 2 method
(EAP-MSCHAPv2) even though TLS session resumption is used. This is
against the [MS-PEAP] specification from Microsoft.. That seems to be
pretty clear on fast reconnection (= TLS session resumption) not using
inner EAP authentication. Because of this, wpa_supplicant followed the
specified derivation of CMK rather than what the server wanted to do

If I make wpa_supplicant use the style used in the no-fast-reconnect
case during fast-reconnect where inner EAP method is used, I get
matching Compound_MAC with the one shown in your log.

Would you be able to run a test with wpa_supplicant modified with the
following changes and provide a debug log from such a run? The main
change is in adding the additional !data->phase2_eap_started condition
for using the fast-reconnect style CMK derivation (which would be a
one-liner, but I think it's useful to add the debug entry here to make
it easier to see what happens here if some other servers implement
PEAPv0 fast-reconnect differently).

diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
index 503d4b0..bf420cc 100644
--- a/src/eap_peer/eap_peap.c
+++ b/src/eap_peer/eap_peap.c
@@ -253,6 +253,7 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
 	u8 *tk;
 	u8 isk[32], imck[60];
+	int resumed;
 	 * Tunnel key (TK) is the first 60 octets of the key generated by
@@ -263,8 +264,12 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
 		return -1;
 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
-	if (data->reauth &&
-	    tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
+	resumed = tls_connection_resumed(sm->ssl_ctx, data->ssl.conn);
+	wpa_printf(MSG_DEBUG,
+		   "EAP-PEAP: CMK derivation - reauth=%d resumed=%d phase2_eap_started=%d phase2_success=%d",
+		   data->reauth, resumed, data->phase2_eap_started,
+		   data->phase2_success);
+	if (data->reauth && !data->phase2_eap_started && resumed) {
 		/* Fast-connect: IPMK|CMK = TK */
 		os_memcpy(data->ipmk, tk, 40);
 		wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK",

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list