Bug 263633

Summary: net-wireless/wpa_supplicant-0.6.4 fails to authenticate when built with gnutls
Product: Gentoo Linux
Reporter: Christopher Head <bugs>
Component: Current packages
Assignee: Mobile Herd (OBSOLETE) <mobile+disabled>
Status: VERIFIED FIXED
Severity: normal
CC: chaujc, pesa
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Christopher Head 2009-03-24 17:25:29 UTC
When I build wpa_supplicant with USE="gnutls" and attempt to connect to my university's network, it fails to authenticate and the following output is visible from wpa_cli:

<2>CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
<2>CTRL-EVENT-SCAN-RESULTS 
<2>Trying to associate with 00:12:44:b0:25:1f (SSID='ubcsecure' freq=5180 MHz)
<2>Associated with 00:12:44:b0:25:1f
<2>CTRL-EVENT-EAP-STARTED EAP authentication started
<2>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
<2>CTRL-EVENT-EAP-FAILURE EAP authentication failed
<2>CTRL-EVENT-EAP-STARTED EAP authentication started
<2>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
<2>CTRL-EVENT-EAP-FAILURE EAP authentication failed

When built with USE="-gnutls", everything is fine, and the output from the "status" command is as follows (which should hopefully give enough details about the network to diagnose this):

bssid=00:12:44:b0:25:10
ssid=ubcsecure
id=1
pairwise_cipher=TKIP
group_cipher=TKIP
key_mgmt=WPA/IEEE 802.1X/EAP
wpa_state=COMPLETED
ip_address=128.189.248.189
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=25 (EAP-PEAP)
EAP TLS cipher=AES-128-SHA
EAP-PEAPv0 Phase2 method=MSCHAPV2


Reproducible: Always

Steps to Reproduce:
Comment 1 Davide Pesavento gentoo-dev 2009-04-11 17:00:52 UTC
This may be related to bug #263589.
Post your emerge --info and gnutls version please.

Btw, wpa_supplicant-0.6.8 and 0.6.9 built with USE=gnutls are working fine for me.
Comment 2 Christopher Head 2009-04-11 20:01:21 UTC
# emerge --info
Portage 2.1.6.7 (default/linux/x86/2008.0, gcc-4.1.2, glibc-2.8_p20080602-r1, 2.6.28-hardened-r7 i686)
=================================================================
System uname: Linux-2.6.28-hardened-r7-i686-Intel-R-_Pentium-R-_M_processor_1.70GHz-with-glibc2.0
Timestamp of tree: Sun, 05 Apr 2009 20:15:01 +0000
app-shells/bash:     3.2_p39
dev-java/java-config: 1.3.7-r1, 2.1.7
dev-lang/python:     2.5.2-r7
dev-util/cmake:      2.6.2-r1
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.5, 1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium-m -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium-m -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo ftp://gentoo.arcticnetwork.ca/pub/gentoo ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo"
LANG="en_CA.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en en_CA"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/usr/portage/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync21.us.gentoo.org/gentoo-portage"
USE="X a52 alsa bzip2 cairo caps cdda cddb cdio cgi cli cups dri dvd firefox flac gif gimp glibc-omitfp gmp gnutls gtk hpn isdnlog java jce joystick jpeg kdehiddenvisibility libsamplerate midi mikmod mmx mp3 mpeg multiuser ncurses nls nptl nptlonly nsplugin ntfs offensive ogg opengl pam pdf pg-intdatetime pic plotutils png pppd qq readline reflection replytolist scanner scenarios session sockets spell spl sse sse2 svg symlink sysfs theora timidity truetype unicode usb vim-syntax vorbis win32codecs x86 xcb xinerama xorg xulrunner xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard synaptics wacom" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_CA" USERLAND="GNU" VIDEO_CARDS="intel"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 3 Christopher Head 2009-04-11 20:02:30 UTC
net-libs/gnutls-2.6.4
dev-libs/libgcrypt-1.4.4
Comment 4 Christopher Head 2009-04-11 20:13:51 UTC
Doesn't sound like it's #263589 because I use -O2 in CFLAGS and running "FEATURES=test emerge -1 libgcrypt" shows all selftests passing.

I can try to get more information about the network being connected to (if you can tell me what to run to do so), but it'll take some time as I'm not in the area every day.
Comment 5 Davide Pesavento gentoo-dev 2009-04-14 12:59:27 UTC
You should try a more recent version of wpa_supplicant, see bug #246117 for updated ebuilds. Version 0.6.4 is considered experimental by upstream and imho it shouldn't have ever been marked stable.
Comment 6 Jimmy C. Chau 2009-04-25 02:17:17 UTC
I'm not sure if my problem is caused by the gnutls use flag as this bug claims, but I think I have the same/a similar problem.  For now, I masked 0.6.4, which has been unable to reliably connect to Boston University's 802.1x authenticated wireless network; it may take over 20 minutes of failed attempts before wpa_supplicant can get me connected.  

On the other hand, 0.5.7, to which I had to downgrade, is able to connect almost immediately and without errors.  

Below are the relevant sections from my wpa_supplicant.conf (with confidential login info and apparently unrelated network blocks altered/removed):
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
eapol_version=2
ap_scan=1
network={
        ssid="BU (802.1x)"
        priority=15
        key_mgmt=WPA-EAP
        # Either TTLS or PEAP may be used for phase 1 (outer authentication).
        # From examples and through trials, know that MSCHAPV2 does not need
        # to be here even though it will be used later.
        eap=TTLS PEAP
        identity="username-redacted"
        password="password-redacted"
        # The "autheap" is for TTLS and the "auth" is for PEAP.  For both,
        # MSCHAPV2 needs to be used for phase 2 (inner authentication).
        phase2="autheap=MSCHAPV2 auth=MSCHAPV2"
}

I have not yet tried to connect with version 0.6.4 without the gnutls use flag.  I'll try this after I finish my work for the semester or when I have free time.  

Below is my current emerge --info: 
Portage 2.1.6.7 (default/linux/x86/2008.0, gcc-4.3.2, glibc-2.8_p20080602-r1, 2.6.28-gentoo-r5-2009Apr24 i686)
=================================================================
System uname: Linux-2.6.28-gentoo-r5-2009Apr24-i686-Intel-R-_Pentium-R-_M_processor_1.73GHz-with-glibc2.0
Timestamp of tree: Fri, 24 Apr 2009 01:45:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p39
dev-java/java-config: 1.3.7-r1, 2.1.7
dev-lang/python:     2.5.4-r2
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.6.2-r1
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.4_p6, 1.5, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium-m -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=pentium-m -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://www.gtlib.gatech.edu/pub/gentoo  http://gentoo.mirrors.pair.com/         http://gentoo.netnitco.net      http://open-systems.ufl.edu/mirrors/gentoo       http://gentoo.mirrors.tds.net/gentoo    ftp://mirror.datapipe.net/gentoo        http://distfiles.gentoo.org     http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
LINGUAS="en_US en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa bash-completion berkdb bluetooth bzip2 cairo caps cdparanoia cjk cli cracklib crypt cups dbus dell directfb divx dri dts dvb dvd eap-tls emacs encode exif fbcon ffmpeg flac fortran ftp gd gdbm gif gmedia gnutls gpm gstreamer gtk hal hardened iconv ipv6 isdnlog java javascript jpeg jpeg2k laptop libcaca logrotate lzo mad mailwrapper matroska mbrola midi mmx mmxext mp3 mpeg mudflap ncurses nls nptl nptlonly ogg openal opengl openmp pam pcmcia pcre pdf perl png ppds pppd prediction preview-latex python qt3support qt4 quicktime readline realmedia reflection samba scanner sdl session socks5 sound spell spl sse sse2 ssl svg sysfs tcpd theora threads tiff tk truetype unicode usb v4l v4l2 vcd vlm vorbis wifi win32codecs wmf wmp wxwindows x86 xinerama xml xorg xulrunner xv xvid xvmc zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" ELIBC="glibc" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_US en" USERLAND="GNU" VIDEO_CARDS="intel"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 7 Jimmy C. Chau 2009-04-25 02:43:52 UTC
In case this helps, below is an email I sent to the University's LUG about this problem back on February 12, 2009.  I received one reply from someone claiming that wpa-supplicant 0.6.4 works without problems for them on Fedora 10.


In the process of furiously tweaking & reverting my configs, I noticed
(through my wpa_gui window) that it somehow managed to connect and get
an IP address.  I ran a diff against my original wpa_supplicant.conf and
realized that it was the same.  In disbelief, I disconnected &
reconnected & it still worked.

Then I removed the debug flags from my /etc/conf.d/net for
wpa_supplicant.  Restart, & it gives me the same old

   CTRL-EVENT-EAP-STARTED EAP authentication started
   CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
   CTRL-EVENT-EAP-FAILURE EAP authentication failed

Since I strongly doubted that increasing the debug verbosity solved my
problem, I decided to leave it running.  Pages of the above message
continued to appear.  Sure enough, after a painfully long wait (long
enough that it will probably be faster for me to go home, take a nap,
grab an Ethernet cable & return to where I am), it was able to connect
and acquire a DHCP lease.

   WPA: Key negotiation completed with 00:1b:d5:c9:6a:e2 [PTK=CCMP
   GTK=TKIP]
   CTRL-EVENT-CONNECTED - Connection to 00:1b:d5:c9:6a:e2 completed
   (reauth) [id=2 id_str=]

So I downgraded back to 0.5.7 (the version I was using before), which is
much faster in connecting (a few seconds), but has a worse wpa_gui
interface than 0.6.4.  I want to file a bug report so that this will get
fixed, but I'm not sure what to report.  I don't know what the problem
is; nobody else online (that I can find) appears to have a similar
problem; I don't know whether it's my configuration problem, the
server's problem, or wpa_supplicant's problem; I don't even know what
RADIUS server BU's using.

Ryan, if you have time, can you try upgrading your wpa_supplicant to
0.6.4 to see whether it's just my computer?  Anyone else who uses
wpa_supplicant, please reply with its version number, your OS/distro,
and whether it still works (you can get this with the following command):

   wpa_supplicant -v


Thanks!
Comment 8 Davide Pesavento gentoo-dev 2009-04-25 12:48:54 UTC
I had problems with 0.6.4 too, when connecting to my university's wifi network (PEAP-MSCHAPv2). Newer versions work fine though.
Jimmy, could you try the latest 0.6.9 in portage?
Comment 9 Jimmy C. Chau 2009-04-27 14:22:55 UTC
(In reply to comment #8)
Thanks, Davide.  0.6.9 works for me.  I think marking this bug as fixed would be appropriate.  
Comment 10 Davide Pesavento gentoo-dev 2009-04-27 17:39:06 UTC
IMHO wpa_supplicant-0.6.9 should be stabilized ASAP, it fixes a great number of bugs affecting current stable (0.6.4, considered experimental by upstream!)
Comment 11 Christopher Head 2009-10-22 08:05:50 UTC
0.6.9 works for me.