[RADIATOR] random EAP authentication errors since 4.17

Fri Dec 16 11:40:09 UTC 2016

On 16.12.2016 11.46, Hartmaier Alexander wrote:

> Sadly the sh** didn't stop there, OpenSSL segfaults when
> Net::SSLeay::session_reused gets passed an undefined value:

For Net::SSLeay this is just a pass through call to OpenSSL's respective 
function. I think the caller is responsible for not handing undef/NULL 
as the argument.

For this reason I'd say this is not a candiate for a ticket against 
Net::SSLeay and is not something that neither Net::SSLeay or OpenSSL 
needs to handle.

> Is Mike (author of Net::SSLeay) still working for you? I haven't opened
> a RT for the module as I'm not sure if this should be handled at the
> Perl XS layer or in OpenSSL.

Mike is still maintainer for Net::SSLeay, but he is not with us anymore. 
About the ticket, as I mentioned above, I think we need to do the null 
check inside Radiator hook.

> As a workaround I'll check for exists $p->{EAPContext} && exists
> $p->{EAPContext}->{ssl} before calling the function. This was enough for
> MAC bypass auths (non-EAP) but expired certs crashed Radiator again today.

I'd add && $p->{EAPContext}->{ssl} to the checks too. What likely 
happens now is that the hash key 'ssl' exists but the value for the key 
is undef. I'd say this is caused by the code that runs when the 
expiration was noticed.

> Would you advise to use Radius::TLS::contextSessionCheckReuse instead of
> Net::SSLeay::session_reused directly?

I think what could be done in this function is to set something like 
$context->{eap_tls_session_resumed} to the value returned by 
Net::SSLeay::session_reused or implement the resume counter which I 
mentioned earlier. I would not call this function from a hook since its 
purpose is to check if the session was resumed or not and do what's 
appropriate based on resumption and configured resumption settings.

> Please advise a safe way of determining and logging EAP session
> resumption, we seem to stumble from one pitfall to another ourselves.

I'd say the above extra check allow session_reused() to work for now 
until we add the extras/helpers mentioned above and the earlier messages.

Thanks for your patience,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.