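OpenSSL v3.0.8 + eapol_test (wpa_supplicant 2.10) cannot authenticate to an 802.1x network

Question description Votes: 0 Answers: 1

eapol_test (wpa_supplicant v2.10) with OpenSSL v3.0.8

Problem description:

I tested connecting to an 802.1x network using supplicant 2.10 + OpenSSL 3.0.8 and got the following results.

PEAP+MSCHAPV2: failed

PEAP+GTC: passed

I want to use PEAP+MSCHAPV2 authentication with OpenSSL 3.0.8 against a Windows NPS server that does not support GTC (by default it supports only MSCHAPV2). The same problem also occurred when using freeradius. With supplicant 2.10 + OpenSSL 1.1.1t, 802.1x authentication using PEAP+MSCHAPV2 works.

Steps to reproduce:

Use eapol_test to authenticate to an 802.1x network, selecting the encryption mode PEAP + MSCHAPV2 with OpenSSL v3.0.8.

Observed behavior:

Connection times out

Expected behavior:

Connection succeeds

Log snippets from testing 802.1x authentication with the eapol_test utility provided in wpa_supplicant: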

PEAP+MSCHAPV2:

EAP-MSCHAPV2: Generating Challenge Response
Get randomness: len=16 entropy=0
random from os_get_random - hexdump(len=16): 77 b5 40 38 12 e0 da 75 3c 96 41 67 9a 40 6a f5
random_mix_pool - hexdump(len=20): 0d b9 b1 bf 70 7c bd fa 8b 8c 0a 46 d8 96 87 a4 8e 89 0d 7d
random from internal pool - hexdump(len=16): 52 c7 66 0a bf 85 ed d3 d8 c1 5b 8c 5d 36 f0 8e
mixed random - hexdump(len=16): 25 72 26 32 ad 65 37 a6 e4 57 1a eb c7 76 9a 7b
MSCHAPV2: Identity - hexdump_ascii(len=5):
61 64 6d 69 6e admin
MSCHAPV2: Username - hexdump_ascii(len=5):
61 64 6d 69 6e admin
MSCHAPV2: auth_challenge - hexdump(len=16): 3e 04 b8 c6 6b 23 3d 40 cb bf 55 7b e4 b2 85 d9
MSCHAPV2: peer_challenge - hexdump(len=16): 25 72 26 32 ad 65 37 a6 e4 57 1a eb c7 76 9a 7b
MSCHAPV2: username - hexdump_ascii(len=5):
61 64 6d 69 6e admin
MSCHAPV2: password - hexdump_ascii(len=8):
70 61 73 73 77 6f 72 64 password
OpenSSL: EVP_DigestInit_ex failed: error:0308010C:digital envelope routines::unsupported
EAP-MSCHAPV2: Failed to derive response
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0
EAP: EAP entering state SEND_RESPONSE
EAP: No eapRespData available
EAP: EAP entering state IDLE
EAPOL test timed out
EAPOL: EAP key not available
EAPOL: EAP Session-Id not available
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
MPPE keys OK: 0 mismatch: 1
FAILURE

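In addition, while debugging I found that the following code snippet in crypto/evp/digest.c returns a NULL value. In the function evp_md_init_internal, EVP_MD_fetch returns NULL, and the function then returns at the NULL check below it.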

        /* The NULL digest is a special case */
        EVP_MD *provmd = EVP_MD_fetch(NULL,
                                      type->type != NID_undef ? OBJ_nid2sn(type->type)
                                                              : "NULL", "");

        if (provmd == NULL) {
            ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
            return 0;
        }

PEAP+GTC:

CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
Cancelling authentication timeout
State: DISCONNECTED -> COMPLETED
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: result=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): ad 7a 54 00 7c 9f c4 ac ae ef 1a 70 04 b1 b1 4f 1b 60 3b f9 dc 99 6e 60 e0 5f cd 93 68 48 91 72
No EAP-Key-Name received from server
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS
freeradius radius wpa-supplicant
1 Answer
0
votes

Your OpenSSL version appears to be incompatible; try downgrading?
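
Added example, not part of the original question or answer: a small Python triage script that decodes the OpenSSL error code in the PEAP+MSCHAPV2 log above and separates a failure inside the client's crypto library from a credential rejected by the RADIUS server. The bit layout and the constants `LIB_EVP` and `REASON_UNSUPPORTED` are assumptions based on OpenSSL 3.x's `err.h`; the function names are hypothetical.

```python
import re

# Packed error layout per OpenSSL 3.x <openssl/err.h> (assumption):
# library in bits 23-30, flags in bits 18-22, reason number in bits 0-17.
LIB_EVP = 6               # "digital envelope routines"
REASON_UNSUPPORTED = 268  # "unsupported"
OSSL_ERR = re.compile(r"OpenSSL: (\w+) failed: error:([0-9A-Fa-f]{8}):")
EAP_METHOD = re.compile(r"(EAP-[A-Z0-9]+): ")

# Lines taken from the PEAP+MSCHAPV2 log in the question.
SAMPLE = """\
EAP-MSCHAPV2: Generating Challenge Response
OpenSSL: EVP_DigestInit_ex failed: error:0308010C:digital envelope routines::unsupported
EAP-MSCHAPV2: Failed to derive response
EAP: No eapRespData available
EAPOL test timed out
FAILURE
"""

def decode_openssl_error(hex_code):
    """Split an 8-hex-digit OpenSSL 3.x error code into its fields."""
    code = int(hex_code, 16)
    return {"lib": (code >> 23) & 0xFF, "flags": (code >> 18) & 0x1F,
            "reason": code & 0x3FFFF}

def triage(log_text):
    """Classify each OpenSSL failure found in eapol_test debug output."""
    findings, method = [], None
    lines = [l.strip() for l in log_text.splitlines()]
    no_response = any("No eapRespData available" in l for l in lines)
    for line in lines:
        m = EAP_METHOD.match(line)
        if m:
            method = m.group(1)
        e = OSSL_ERR.search(line)
        if not e:
            continue
        err = decode_openssl_error(e.group(2))
        # EVP + "unsupported" on a digest call: no loaded provider offers the
        # algorithm. A local crypto problem, not a rejected credential.
        local = (err["lib"] == LIB_EVP and err["reason"] == REASON_UNSUPPORTED
                 and e.group(1).startswith("EVP_Digest"))
        findings.append({"method": method, "call": e.group(1), **err,
                         "digest_unavailable": local,
                         "client_sent_no_response": no_response})
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

MSCHAPv2 hashes the password with MD4 (RFC 2759), and OpenSSL 3.x provides MD4 only through its legacy provider, so a `digest_unavailable` finding on EAP-MSCHAPV2 points at the client's provider configuration rather than at the server.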
