I encountered a crash when using EAP-TLS. The client was trying to authenticate
with a cert that wasn't signed by the root CA that the server is using (expected
to fail to authenticate, but not to crash). This happens every time unless I use
a client cert that is signed by the server's root CA.


Here is the session debug log and the gdb backtrace:

rad_recv: Access-Request packet from host 17.206.27.135:1025, id=113, length=220
Framed-MTU = 1466
NAS-IP-Address = 10.0.1.1
NAS-Identifier = "P_81"
User-Name = "andreas"
Service-Type = Framed-User
NAS-Port = 256
NAS-Port-Type = Ethernet
NAS-Port-Id = "wl0"
Called-Station-Id = "00-03-93-ed-70-e1"
Calling-Station-Id = "00-0a-95-f1-d2-f0"
Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
State = 0xd8bd787b5f0d8e3311387011ff7093df
EAP-Message = 0x020700250d800000001b1503010016124adcea2d6cc26bcbc1005858fbabb3a9a1e8fb1b22
Message-Authenticator = 0x9db66ad685c2c3c6583700f9124389bf
Tue Nov 4 16:57:55 2003 : Debug: modcall: entering group authorize for request 12
Tue Nov 4 16:57:55 2003 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 12
Tue Nov 4 16:57:55 2003 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 12
Tue Nov 4 16:57:55 2003 : Debug: modcall[authorize]: module "preprocess" returns ok for request 12
Tue Nov 4 16:57:55 2003 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 12
Tue Nov 4 16:57:55 2003 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 12
Tue Nov 4 16:57:55 2003 : Debug: modcall[authorize]: module "chap" returns noop for request 12
Tue Nov 4 16:57:55 2003 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 12
Tue Nov 4 16:57:55 2003 : Debug: rlm_eap: EAP packet type response id 7 length 37
Tue Nov 4 16:57:55 2003 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Tue Nov 4 16:57:55 2003 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 12
Tue Nov 4 16:57:55 2003 : Debug: modcall[authorize]: module "eap" returns updated for request 12
Tue Nov 4 16:57:55 2003 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 12
Tue Nov 4 16:57:55 2003 : Debug: rlm_realm: No '@' in User-Name = "andreas", looking up realm NULL
Tue Nov 4 16:57:55 2003 : Debug: rlm_realm: No such realm "NULL"
Tue Nov 4 16:57:55 2003 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 12
Tue Nov 4 16:57:55 2003 : Debug: modcall[authorize]: module "suffix" returns noop for request 12
Tue Nov 4 16:57:55 2003 : Debug: modsingle[authorize]: calling files (rlm_files) for request 12
Tue Nov 4 16:57:55 2003 : Debug: users: Matched DEFAULT at 152
Tue Nov 4 16:57:55 2003 : Debug: users: Matched DEFAULT at 171
Tue Nov 4 16:57:55 2003 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 12
Tue Nov 4 16:57:55 2003 : Debug: modcall[authorize]: module "files" returns ok for request 12
Tue Nov 4 16:57:55 2003 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 12
Tue Nov 4 16:57:55 2003 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 12
Tue Nov 4 16:57:55 2003 : Debug: modcall[authorize]: module "mschap" returns noop for request 12
Tue Nov 4 16:57:55 2003 : Debug: modcall: group authorize returns updated for request 12
Tue Nov 4 16:57:55 2003 : Debug: rad_check_password: Found Auth-Type EAP
Tue Nov 4 16:57:55 2003 : Debug: auth: type "EAP"
Tue Nov 4 16:57:55 2003 : Debug: modcall: entering group authenticate for request 12
Tue Nov 4 16:57:55 2003 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 12
Tue Nov 4 16:57:55 2003 : Debug: rlm_eap: Request found, released from the list
Tue Nov 4 16:57:55 2003 : Debug: rlm_eap: EAP_TYPE - tls
Tue Nov 4 16:57:55 2003 : Debug: rlm_eap: processing type tls
Tue Nov 4 16:57:55 2003 : Debug: rlm_eap_tls: Authenticate
Tue Nov 4 16:57:55 2003 : Debug: rlm_eap_tls: processing TLS
Tue Nov 4 16:57:55 2003 : Info: rlm_eap_tls: Length Included
Tue Nov 4 16:57:55 2003 : Debug: eaptls_verify returned 11
Tue Nov 4 16:57:55 2003 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 07c8], Certificate
Tue Nov 4 16:57:55 2003 : Error: --> verify error:num=19:self signed certificate in certificate chain
Tue Nov 4 16:57:55 2003 : Info: chain-depth=1,
Tue Nov 4 16:57:55 2003 : Info: error=19



Program received signal EXC_BAD_ACCESS, Could not access memory.
0x90006f70 in strlen ()
(gdb) bt
#0 0x90006f70 in strlen ()
#1 0x90004b0c in __vfprintf ()
#2 0x90012484 in vsnprintf ()
#3 0x00006eac in vradlog (lvl=3, fmt=0x2 <Address 0x2 out of bounds>, ap=0xbfffae08 "????") at log.c:133
#4 0x00007084 in radlog (lvl=1, msg=0x1 <Address 0x1 out of bounds>) at log.c:224
#5 0x00251220 in cbtls_verify (ok=1, ctx=0xbfffb210) at cb.c:155
#6 0x96aafad4 in X509_verify_cert ()
#7 0x96b55504 in ssl_verify_cert_chain ()
#8 0x96b48040 in ssl3_get_client_certificate ()
#9 0x96b462e4 in ssl3_accept ()
#10 0x96b4d8b0 in ssl3_read_bytes ()
#11 0x96b4b934 in ssl3_read_internal ()
#12 0x00251600 in tls_handshake_recv (ssn=0x282000) at tls.c:163
#13 0x00250bec in eaptls_operation (eaptls_packet=0x1, status=EAPTLS_REQUEST, handler=0x56e8b0) at eap_tls.c:632
#14 0x00250db8 in eaptls_process (handler=0x56e8b0) at eap_tls.c:765
#15 0x002502e4 in eaptls_authenticate (arg=0x1, handler=0x282000) at rlm_eap_tls.c:487
#16 0x00215820 in eaptype_call (atype=0x56e710, handler=0xb) at eap.c:156
#17 0x00215ba0 in eaptype_select (inst=0x56e8b0, handler=0x282000) at eap.c:320
#18 0x0021527c in eap_authenticate (instance=0x2805600, request=0x56dfd0) at rlm_eap.c:259
#19 0x0000c810 in call_modsingle (component=1, sp=0x55ca70, request=0x56dfd0, default_result=0) at modcall.c:201
#20 0x0000ca8c in modcall (component=0, c=0x55ca70, request=0x20038) at modcall.c:312
#21 0x0000c8a8 in call_modgroup (component=0, g=0x1, request=0x56dfd0, default_result=0) at modcall.c:226
#22 0x0000ca2c in modcall (component=0, c=0x566510, request=0x56dfd0) at modcall.c:303
#23 0x000091d4 in rad_check_password (request=0x56dfd0) at auth.c:353
#24 0x00009544 in rad_authenticate (request=0x56dfd0) at auth.c:601
#25 0x00003f08 in rad_respond (request=0x56dfd0, fun=0x9304 <rad_authenticate>) at radiusd.c:1526
#26 0x00003a24 in rad_process (request=0x56dfd0, dospawn=0) at radiusd.c:1233
#27 0x00003640 in main (argc=5615560, argv=0x0) at radiusd.c:1009
(gdb)


Let me know if there is anything else I can provide to help debug this.

-Andreas
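
An added example, not part of the original post and not FreeRADIUS code: a small decoder for the EAP-Message value in the log above, so its fields can be checked against the rlm_eap debug lines ("response id 7 length 37", "Length Included"). The function names are illustrative; the hex string is the one from the log.

```python
import struct

# EAP-Message value copied from the debug log in this post.
EAP_MESSAGE_HEX = ("0x020700250d800000001b1503010016124adcea2d6cc26bcbc1005858"
                   "fbabb3a9a1e8fb1b22")

EAP_CODES = {1: "request", 2: "response", 3: "success", 4: "failure"}
EAP_TYPE_TLS = 13
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def tls_records(payload):
    """Walk TLS record headers; a record cut off by EAP fragmentation is flagged."""
    records, pos = [], 0
    while pos + 5 <= len(payload):
        ctype, version, rec_len = struct.unpack("!BHH", payload[pos:pos + 5])
        available = len(payload) - (pos + 5)
        records.append({"type": TLS_CONTENT_TYPES.get(ctype, ctype),
                        "version": f"{version >> 8}.{version & 0xff}",
                        "length": rec_len,
                        "complete": available >= rec_len})
        pos += 5 + rec_len
    return records


def parse_eap_tls(hex_value):
    """Decode one EAP-Message attribute value carrying EAP-TLS."""
    text = "".join(hex_value.split())  # tolerate wrapped or spaced hex
    if text.lower().startswith("0x"):
        text = text[2:]
    data = bytes.fromhex(text)
    if len(data) < 6:
        raise ValueError("too short for an EAP-TLS packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", data[:6])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    if eap_type != EAP_TYPE_TLS:
        raise ValueError(f"EAP type {eap_type} is not EAP-TLS (13)")
    result = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
              "length_included": bool(flags & 0x80),
              "more_fragments": bool(flags & 0x40),
              "start": bool(flags & 0x20), "tls_message_length": None}
    offset = 6
    if result["length_included"]:
        if len(data) < 10:
            raise ValueError("L flag set but TLS message length is missing")
        result["tls_message_length"] = struct.unpack("!I", data[6:10])[0]
        offset = 10
    result["records"] = tls_records(data[offset:])
    return result
```

A continuation fragment can start in the middle of a TLS record, so the record walk is only meaningful for an unfragmented message such as this one.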


