Openssl3.0.8+wpa_supplicant2.10 can not connect 802.1x network

Sathesh · February 22, 2024, 6:29am

wpa_supplicant2.10 with openssl3.0.8

Issue description:
I used supplicant2.10+openssl3.0.8 to test connecting to an 802.1x network, I got the following results:
PEAP+MSCHAPV2:Failed
PEAP+GTC:Passed

I want to use PEAP+MSCHAPV2 authentication with openssl3.0.8 for windows NPS servers where GTC is not supported (only MSCHAPV2 is supported by default).
I used supplicant2.10+openssl1.1.1t where it can connect to 802.1x using PEAP+MSCHAPV2

Steps to reproduce:
Connect to the 802.1x network and select the encryption mode PEAP+MSCHAPV2

Observed behavior:
connect timeout

Expected behavior:
connect ok

Additional comment:

16:57:53:437 wpa_supplicant: OpenSSL: RX ver=0x303 content_type=256 (TLS header info/)
16:57:53:445 wpa_supplicant: EAP-PEAP: received Phase 2: code=1 identifier=185 length=43
16:57:53:445 wpa_supplicant: EAP-PEAP: Phase 2 Request: type=26
16:57:53:456 wpa_supplicant: EAP-PEAP: Selected Phase 2 EAP vendor 0 method 26
16:57:53:470 wpa_supplicant: EAP-MSCHAPV2: RX identifier 185 mschapv2_id 185
16:57:53:471 wpa_supplicant: EAP-MSCHAPV2: Received challenge
16:57:53:481 wpa_supplicant: EAP-MSCHAPV2: Generating Challenge Response
16:57:53:481 wpa_supplicant: OpenSSL: EVP_DigestInit_ex failed: error:0308010C:digital envelope routines::unsupported```


Log snippet using eapol_test utility to test 802.1x authentication provided in wpa_supplicant:

EAP-MSCHAPV2: Generating Challenge Response
Get randomness: len=16 entropy=0
random from os_get_random - hexdump(len=16): 77 b5 40 38 12 e0 da 75 3c 96 41 67 9a 40 6a f5
random_mix_pool - hexdump(len=20): 0d b9 b1 bf 70 7c bd fa 8b 8c 0a 46 d8 96 87 a4 8e 89 0d 7d
random from internal pool - hexdump(len=16): 52 c7 66 0a bf 85 ed d3 d8 c1 5b 8c 5d 36 f0 8e
mixed random - hexdump(len=16): 25 72 26 32 ad 65 37 a6 e4 57 1a eb c7 76 9a 7b
MSCHAPV2: Identity - hexdump_ascii(len=5):
     61 64 6d 69 6e                                    admin           
MSCHAPV2: Username - hexdump_ascii(len=5):
     61 64 6d 69 6e                                    admin           
MSCHAPV2: auth_challenge - hexdump(len=16): 3e 04 b8 c6 6b 23 3d 40 cb bf 55 7b e4 b2 85 d9
MSCHAPV2: peer_challenge - hexdump(len=16): 25 72 26 32 ad 65 37 a6 e4 57 1a eb c7 76 9a 7b
MSCHAPV2: username - hexdump_ascii(len=5):
     61 64 6d 69 6e                                    admin           
MSCHAPV2: password - hexdump_ascii(len=8):
     70 61 73 73 77 6f 72 64                           password        
OpenSSL: EVP_DigestInit_ex failed: error:0308010C:digital envelope routines::unsupported
EAP-MSCHAPV2: Failed to derive response
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0
EAP: EAP entering state SEND_RESPONSE
EAP: No eapRespData available
EAP: EAP entering state IDLE
EAPOL test timed out
EAPOL: EAP key not available
EAPOL: EAP Session-Id not available
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
MPPE keys OK: 0  mismatch: 1
FAILURE

vbe · February 22, 2024, 10:53am

Do you mind giving us the required information that should be posted each time
( and part of our rules...):
your architecture, your OS and its version

Thank you

Sathesh · February 22, 2024, 11:56am

Ubuntu 20.04.6 LTS - 64 bit