548064 – net-wireless/wpa_supplicant-2.4-r1 - unable to establish connection to a WPA2-Enterprise network

Bug 548064 - net-wireless/wpa_supplicant-2.4-r1 - unable to establish connection to a WPA2-Enterprise network

Summary: net-wireless/wpa_supplicant-2.4-r1 - unable to establish connection to a WPA2...

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal critical
Assignee:	Gentoo Linux bug wranglers

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2015-04-28 21:11 UTC by Milan Beneš
Modified:	2015-05-27 23:48 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Milan Beneš 2015-04-28 21:11:24 UTC

After upgrade to net-wireless/wpa_supplicant-2.4-r1 I am no longer able to connect to my home network (PEAP-MSCHAPv2). I had no problems with net-wireless/wpa_supplicant-2.2. I was able to track down the issue to a probable incompatibility with external TLS libraries (both OpenSSL and GNUTLS). If I build wpa_supplicant with the internal crypto implementation (USE="-ssl") then I am able to establish connection once again.

Proposed workaround: set USE="-ssl" for net-wireless/wpa_supplicant

My emerge --info:
Portage 2.2.18 (python 2.7.9-final-0, default/linux/amd64/13.0/desktop/kde, gcc-4.8.4, glibc-2.20-r2, 3.18.11-gentoo x86_64)
=================================================================
System uname: Linux-3.18.11-gentoo-x86_64-Intel-R-_Core-TM-_i7-3520M_CPU_@_2.90GHz-with-gentoo-2.2
KiB Mem:    16309248 total,   1377648 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Tue, 28 Apr 2015 18:30:01 +0000
sh bash 4.2_p53
ld GNU ld (Gentoo 2.24 p1.4) 2.24
distcc 3.1 x86_64-pc-linux-gnu [disabled]
app-shells/bash:          4.2_p53::gentoo
dev-java/java-config:     2.2.0::gentoo
dev-lang/perl:            5.20.2::gentoo
dev-lang/python:          2.7.9-r1::gentoo, 3.3.5-r1::gentoo, 3.4.1::gentoo
dev-util/cmake:           2.8.12.2-r1::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.13.11::gentoo
sys-apps/sandbox:         2.6-r1::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.12.6::gentoo, 1.13.4::gentoo
sys-devel/binutils:       2.24-r3::gentoo
sys-devel/gcc:            4.8.4::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 3.18::gentoo (virtual/os-headers)
sys-libs/glibc:           2.20-r2::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

Portage-local
    location: /usr/local/portage
    masters: gentoo
    priority: 0

Installed sets: @steam
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA Oracle-BCLA-JavaSE skype-4.0.0.7-copyright AdobeFlash-11.x"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=corei7-avx -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0 /usr/share/themes/oxygen-gtk/gtk-3.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=corei7-avx -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="cs_CZ.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acpi alsa amd64 avahi bash-completion berkdb bluetooth branding bzip2 cairo cdda cddb cdr cdrom cli consolekit cracklib crypt cups custom-optimization cxx dbus declarative dri drm dts dvb dvd dvdr emboss encode exif fam fat ffmpeg firefox flac fortran gdbm gif gimp glamor gpm iconv icq icu ipv6 jabber java jemalloc jpeg kde kipi lcms ldap libnotify lm_sensors mad magic mmx mmxext mng modules mp3 mp4 mpeg multilib ncurses networkmanager nfs nfsdcld nfsidmap nfsv3 nfsv4 nls nptl nsplugin ntfs ntp offensive ogg opengl openmp oscar pam pango pcre pdf phonon plasma pm-utils png policykit ppds pulseaudio qt3support qt4 readline samba savedconfig scanner sdl semantic-desktop session slp sna sound spell sse sse2 ssl startup-notification svg system-boost system-cairo system-ffmpeg system-icu system-jpeg system-libvpx system-sqlite system-wine tcpd tiff truetype udev udisks unicode upnp upower usb usbredir vaapi vorbis webgl wifi wxwidgets x264 xcb xcomposite xinerama xml xscreensaver xv xvid xvmc zeroconf zlib zsh-completion" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="canon ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer pdfimport" LINGUAS="cs" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby19 ruby20" SANE_BACKENDS="net" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

Comment 1 Alexander Tsoy 2015-04-29 14:52:17 UTC

Probably related to this change (disable SSLv2 and SSLv3 by default):
http://w1.fi/cgit/hostap/commit/?id=35efa2479ff19c3f13e69dc50d2708ce79a99beb

If switching to the old behaviour (phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1") doesn't help, please run wpa_supplicant in debug mode and attach the output. I use EAP-TTLS with MSCHAPv2 and it works fine.

Comment 2 Milan Beneš 2015-04-29 15:53:41 UTC

Hello Alexander,
it seems that you are right. I'm using Aruba IAP 105 with an internal radius server. I also have an instance of FreeRadius configured on a home server, but I'm primarily using the embedded radius server in the AP. When I reconfigure the AP to use my other radius server, everything works fine. Unfortunately the bug is present in both the most recent version of ArubaOS as well as the LTS one. I will have to file a bug there.

Comment 3 Milan Beneš 2015-05-06 14:39:52 UTC

Hello,
I have received updated firmware from my AP vendor, specifically designed to address this issue, but the error persists. I managed to find a similar bug report (http://lists.shmoo.com/pipermail/hostap/2015-April/032685.html and http://lists.shmoo.com/pipermail/hostap/2015-May/032736.html) on the HostAP mailing list. It seems, that the problem lies in wrong MPPE key being generated while using TLS 1.2. TLS 1.2 support was introduced in FreeRadius 2.2.6. I'm using the stable 2.2.5 on my dedicated server, so I'm unaffected by this. The bug is fixed in FreeRadius 3.0.8. Please see the Freeradius changelog, specifically the 3.0.8 version and bugfix concerning MPPE and TLS 1.2 (http://freeradius.org/press/index.html). I have also tested versions 2.2.6 and 2.2.7 and both are affected.

Comment 4 Alexander Tsoy 2015-05-06 14:53:07 UTC

(In reply to Alexander Tsoy from comment #1)
> Probably related to this change (disable SSLv2 and SSLv3 by default):
> http://w1.fi/cgit/hostap/commit/?id=35efa2479ff19c3f13e69dc50d2708ce79a99beb

BTW, my comment is not entirely correct. The above change does not disable SSLv2 and SSLv3, it just enabled TLS 1.1 and 1.2.

Comment 5 Mike Nerone 2015-05-27 23:48:42 UTC

If I'm not mistaken, this bug was misdiagnosed and is, in fact, VALID. I experienced the same issue on my corporate network, which is not using FreeRadius. Rolling back to wpa_supplicant-2.2-r1 (which was the stable one prior to ~2.4) resolves the issue. (Yes, I'm aware there are known security issues with that one, but the issue in _this_ bug is separate.)

Arch Linux devs determined this as well (along with another problem) and rolled back to 2.3 as a result [1].

[1] https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/wpa_supplicant&id=7562b98bd83fe5bce43e6952e0e922e7791e18b5