Bug in WPA2 EAP

victorclaessen
Posts: 13
Joined: Mon Aug 14, 2017 8:08 pm

Re: Bug in WPA2 EAP

Postby victorclaessen » Fri Jun 29, 2018 2:06 pm

At the request (https://github.com/esp8266/Arduino/pull/4853#issuecomment-401187904) of d-a-v, I updated my arduino esp8266 repo to his pull request and re-ran my code. Now the error message is different: "there is no poison after the block", which is interesting, but I do not yet know what it means. See below for esp8266 debug output:

ets Jan  8 2013,rst cause:2, boot mode:(3,7)

load 0x4010f000, len 1384, room 16
tail 8
chksum 0x2d
csum 0x2d
v00000000
~ld

SDK:3.0.0-dev(c0f7b44)/Core:win-2.5.0-dev/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1-13-g163bb82)/BearSSL:94e9704
WPA2 ENTERPRISE VERSION: [v2.0] enable
scandone

Waiting for connection and IP Address from DHCP
wifi evt: 8
wifi evt: 2
.scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 1
cnt
EAP-MSCHAPV2: RX identifier 3 mschapv2_id 3
EAP-MSCHAPV2: Generate Challenge Response
EAP-MSCHAPV2: RX identifier 4 mschapv2_id 3
there is no poison after the block. Expected poison address: 0x41491208, actual data: 0x0e 0x00 0x00 0x00
block start: 3fff10bc

Panic C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc\umm_malloc.c:861 check_poison_block

ctx: sys
sp: 3fffec50 end: 3fffffb0 offset: 01b0

>>>stack>>>

victorclaessen
Posts: 13
Joined: Mon Aug 14, 2017 8:08 pm

Re: Bug in WPA2 EAP

Postby victorclaessen » Fri Jun 29, 2018 2:35 pm

To rule out device failure I took a completely new esp8266 module (Witty Cloud board) from its protective packaging, and uploaded the same code to it. I selected 'erase all flash contents' as an arduino upload option. Same result:

SDK:3.0.0-dev(c0f7b44)/Core:win-2.5.0-dev/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1-13-g163bb82)/BearSSL:94e9704
WPA2 ENTERPRISE VERSION: [v2.0] enable
scandone

Waiting for connection and IP Address from DHCP
wifi evt: 8
wifi evt: 2
.scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 1
cnt
EAP-MSCHAPV2: RX identifier 3 mschapv2_id 3
EAP-MSCHAPV2: Generate Challenge Response
EAP-MSCHAPV2: RX identifier 4 mschapv2_id 3
there is no poison after the block. Expected poison address: 0x414910d8, actual data: 0x0e 0x00 0x00 0x00
block start: 3fff0f8c

Panic C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc\umm_malloc.c:861 check_poison_block

ctx: sys
sp: 3fffec50 end: 3fffffb0 offset: 01b0

>>>stack>>>

Decoding 67 results
0x40204af6: printf at /Users/igrokhotkov/e/newlib-xtensa/xtensa-lx106-elf/newlib/libc/stdio/../../../.././newlib/libc/stdio/printf.c line 61
0x40244394: sleep_reset_analog_rtcreg_8266 at ?? line ?
0x401004db: check_poison at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc/umm_malloc.c line 861
:  (inlined by) check_poison_block at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc/umm_malloc.c line 851
0x4010020c: _umm_free at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc/umm_malloc.c line 1295
0x4010020c: _umm_free at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc/umm_malloc.c line 1295
0x4010053a: get_unpoisoned at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc/umm_malloc.c line 946
0x401009dc: free at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc/umm_malloc.c line 1742
0x4022d8e0: _base64_decode at ?? line ?
0x40106944: vPortFree at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266/heap.c line 59
0x4022581a: wpa2_sm_rx_eapol at ?? line ?
0x4022582e: wpa2_sm_rx_eapol at ?? line ?
0x40225869: wpa2_sm_rx_eapol at ?? line ?
0x40225434: wpa2_sm_rx_eapol at ?? line ?
0x4021cccd: sta_input at ?? line ?
0x40230d43: pp_tx_idle_timeout at ?? line ?
0x40230603: ppPeocessRxPktHdr at ?? line ?
0x40104740: call_user_start_local at ?? line ?
0x40104746: call_user_start_local at ?? line ?
0x4010000d: call_user_start at ?? line ?
0x40100a84: cont_ret at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266/cont.S line 142
0x40100a31: cont_continue at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266/cont.S line 51
0x40101232: pp_post at ?? line ?
0x40104620: lmacTxFrame at ?? line ?
0x4010383f: lmacRecycleMPDU at ?? line ?
0x40103ca2: lmacRecycleMPDU at ?? line ?
0x40103786: lmacProcessTxSuccess at ?? line ?
0x401025fb: wDev_ProcessFiq at ?? line ?
0x401022f8: wDev_ProcessFiq at ?? line ?
0x40100439: check_poison_block at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc/umm_malloc.c line 842
0x40104f19: ets_timer_disarm at ?? line ?
0x40245d80: sleep_reset_analog_rtcreg_8266 at ?? line ?
0x40240000: phy_gpio_cfg at ?? line ?
0x40241c31: ram_set_txbb_atten at ?? line ?
0x4023e77a: tx_atten_set_interp at ?? line ?
0x40231763: pp_attach at ?? line ?
0x402317b2: pp_attach at ?? line ?
0x4010137b: ppCalFrameTimes at ?? line ?
0x4023086b: ppTxPkt at ?? line ?
0x40219d6b: ieee80211_send_probereq at ?? line ?
0x4021ddd4: cnx_start_handoff_cb at ?? line ?
0x4021bb93: scan_remove_probe_ssid at ?? line ?
0x4021b764: scan_start at ?? line ?
0x4021ddd4: cnx_start_handoff_cb at ?? line ?
0x4010505c: ets_timer_arm_new at ?? line ?
0x4021d76b: chm_start_op at ?? line ?
0x4021ddd4: cnx_start_handoff_cb at ?? line ?
0x4021ddd4: cnx_start_handoff_cb at ?? line ?
0x4021d6e0: chm_start_op at ?? line ?
0x4021b754: scan_start at ?? line ?
0x4021b728: scan_start at ?? line ?
0x4021b6f3: scan_start at ?? line ?
0x4021bca4: scan_remove_probe_ssid at ?? line ?
0x4010505c: ets_timer_arm_new at ?? line ?
0x40203398: esp_yield at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266/core_esp8266_main.cpp line 91
0x402014e7: delay at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266/core_esp8266_wiring.c line 51
0x40202716: setup at C:\Users\claessen\Documents\Arduino\wpa2/wpa2.ino line 45

<<<stack<<<



(The attempt from the previous post used a Wemos D1 mini v3 board.)

avc
Posts: 8
Joined: Wed Sep 21, 2016 10:12 am

Re: Bug in WPA2 EAP

Postby avc » Sun Jul 01, 2018 3:16 am

@victorclaessen I was going through the espressif repo, and I noticed more files which were updated along with the wpa2 stuff, some in lwip, some in /include folders. Now, when @ESP_Faye asked to try out the latest SDK, I would be surprised if he would say so without having someone (he himself or someone in his team) test it out and make sure it is working at least on their network. Which makes me think: Is it possible that it is not just the 2 lib files and the wpa2_enterprise.h (which was not updated in this go) that need to be added for this to work?

avc
Posts: 8
Joined: Wed Sep 21, 2016 10:12 am

Re: Bug in WPA2 EAP

Postby avc » Mon Jul 23, 2018 11:16 pm

@ESP_Deng Xin @ESP_Faye @ESP_igrr We have been trying to get this going with the latest release but it seems there are still issues with getting the IP. Can you please look at all the related discussion too at https://github.com/esp8266/Arduino/pull/4853

In my latest attempt, the Radius Server does accept the request and seems to successfully authenticate (at least it looks like it from the Radius server logs), but the ESP cannot complete the process.

SDK:3.0.0-dev(c0f7b44)/Core:win-2.5.0-dev/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1-13-g163bb82)/BearSSL:6d1cefc
WPA2 ENTERPRISE VERSION: [v2.0] enable
scandone

Waiting for connection and IP Address from DHCP
wifi evt: 8
wifi evt: 2
.scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 1
cnt
Method private structure allocated failure
EAP-MSCHAPV2: RX identifier 4 mschapv2_id 4
EAP-MSCHAPV2: Generate Challenge Response
EAP-MSCHAPV2: RX identifier 5 mschapv2_id 4
..state: 5 -> 2 (6c0)
rm 0
wifi evt: 1
STA disconnect: 6
reconnect

Any help would be much appreciated.

avc
Posts: 8
Joined: Wed Sep 21, 2016 10:12 am

Re: Bug in WPA2 EAP

Postby avc » Mon Aug 06, 2018 1:56 am

@ESP_Faye @ESP_wujiangang @ESP_Deng Xin Please address this issue. The issue seems to be not fixed. See full discussion on https://github.com/esp8266/Arduino/pull/4853. We tried both Arduino and native sdk, both showing similar errors.

akouz
Posts: 27
Joined: Tue May 10, 2016 1:10 pm

Re: Bug in WPA2 EAP

Postby akouz » Fri Aug 10, 2018 10:41 pm

The problem was not resolved for one year. It is a pity. But at least SiLabs offer modules capable of handling WPA2 Enterprise.

avc
Posts: 8
Joined: Wed Sep 21, 2016 10:12 am

Re: Bug in WPA2 EAP

Postby avc » Sat Aug 11, 2018 12:13 am

I hope we are close. xcguang from Espressif promised to look into this and get back with an update soon. :)

victorclaessen
Posts: 13
Joined: Mon Aug 14, 2017 8:08 pm

Re: Bug in WPA2 EAP

Postby victorclaessen » Sun Mar 17, 2019 2:09 am

I think we have different opinions on what 'soon' means.

Catshark

Re: Bug in WPA2 EAP

Postby Catshark » Mon Jan 13, 2020 8:39 pm

I know this is an old issue (and I hope that in the meantime it has been fixed properly), but I got it working with the following approach:

I use the following code to connect to a (P)EAP-enabled WPA2-Enterprise network:

  wifi_set_opmode(STATION_MODE);
  struct station_config wifi_config;
  memset(&wifi_config, 0, sizeof(wifi_config));
  strcpy((char*)wifi_config.ssid, ssid);
  wifi_station_set_config(&wifi_config);
  wifi_station_dhcpc_start();
  wifi_station_clear_cert_key();
  wifi_station_set_wpa2_enterprise_auth(1);
  wifi_station_set_enterprise_identity((uint8*)username, strlen(username));
  wifi_station_set_enterprise_username((uint8*)username, strlen(username));
  wifi_station_set_enterprise_password((uint8*)password, strlen(password));
  wifi_station_set_enterprise_ca_cert((byte*)ca_cert, strlen(ca_cert));
  wifi_station_connect();


1. I got rid of the 'No poison...' error by modifying the malloc implementation (umm_malloc) used to ignore this kind of error. Of course, this is not the correct way, because you might run into other kinds of issues, but if all you need is a working WPA2-Enterprise connection, then do this at your own risk. (insert `return 1;` at line 43 in https://raw.githubusercontent.com/esp82 ... m_poison.c)

2. To use DHCP, I had to implement some kind of timeout as sometimes the dhcp discovery just did not fire - I checked with Wireshark running on the gateway (which also supplies the DHCP leases), and in fact every ~2nd time the ESP did not send the correct DHCP packet. My solution is the following:

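  Ticker timer;
  volatile bool connected = true;  // cleared by the Ticker callback on timeout
  timer.attach(5, [&](){connected = false;});
  // Stop waiting once connected, or once the 5 s timer has fired
  while (WiFi.status() != WL_CONNECTED && connected) {
    delay(10);
  }
  timer.detach();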


If I do not get a WL_CONNECTED status after 5s, I set the connected flag to false.

My entire code looks this way:

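#include <ESP8266WiFi.h>
#include <Ticker.h>
extern "C" {
  #include "user_interface.h"
  #include "wpa2_enterprise.h"
}

// ssid, username, password and ca_cert are defined elsewhere in the sketch

bool connect() {
  // Station mode with only the SSID set; credentials go through the enterprise API
  wifi_set_opmode(STATION_MODE);
  struct station_config wifi_config;
  memset(&wifi_config, 0, sizeof(wifi_config));
  strcpy((char*)wifi_config.ssid, ssid);
  wifi_station_set_config(&wifi_config);
  wifi_station_dhcpc_start();
  wifi_station_clear_cert_key();
  wifi_station_set_wpa2_enterprise_auth(1);
  wifi_station_set_enterprise_identity((uint8*)username, strlen(username));
  wifi_station_set_enterprise_username((uint8*)username, strlen(username));
  wifi_station_set_enterprise_password((uint8*)password, strlen(password));
  wifi_station_set_enterprise_ca_cert((byte*)ca_cert, strlen(ca_cert));
  wifi_station_connect();

  Ticker timer;
  volatile bool connected = true;  // cleared by the Ticker callback on timeout
  timer.attach(5, [&](){connected = false;});
  // Stop waiting once connected, or once the 5 s timer has fired
  while (WiFi.status() != WL_CONNECTED && connected) {
    delay(10);
  }
  timer.detach();
  return connected;
}

// Retry until one attempt completes within the timeout
void connectBlock(){
  while(!connect()){
    delay(100);
  }
}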


If you call connectBlock(), you will get a connection after a while - fine-tune the timeout parameter if you need to, but I found that 5s works for me; and if it seems like a long time, then maybe WiFi is not the best approach for your use-case after all.

Note: After establishing the connection, it is pretty stable, I did not experience an influx of dropouts in contrast with a regular WPA2-PSK network.

I hope I could help, please do share your experiences should you try this approach out!
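
What the "there is no poison after the block" panic in the logs above is checking, and what goes unreported when that check is patched to always pass, shown as an added example that is not part of the thread and is not umm_malloc's code: a minimal guard-byte allocator in C. The guard value, guard length, block layout and all function names are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define POISON_BYTE 0xA5 /* assumed guard value for this sketch */
#define POISON_LEN  4    /* guard bytes before and after the user data */
#define HDR         sizeof(size_t)

/* Layout: [size_t len][guard][user data ...][guard] */
void *poison_malloc(size_t len) {
    uint8_t *raw = malloc(HDR + len + 2 * POISON_LEN);
    if (!raw) return NULL;
    memcpy(raw, &len, HDR);
    memset(raw + HDR, POISON_BYTE, POISON_LEN);
    memset(raw + HDR + POISON_LEN + len, POISON_BYTE, POISON_LEN);
    return raw + HDR + POISON_LEN;
}

/* Returns 1 if both guards are intact, 0 if something wrote outside the block. */
int poison_check(const void *ptr) {
    const uint8_t *raw = (const uint8_t *)ptr - POISON_LEN - HDR;
    size_t len;
    memcpy(&len, raw, HDR);
    for (size_t i = 0; i < POISON_LEN; i++) {
        if (raw[HDR + i] != POISON_BYTE) return 0;                    /* underrun */
        if (raw[HDR + POISON_LEN + len + i] != POISON_BYTE) return 0; /* overrun */
    }
    return 1;
}

/* Checks the guards at free time; reports the result instead of panicking. */
int poison_free(void *ptr) {
    int ok = poison_check(ptr);
    free((uint8_t *)ptr - POISON_LEN - HDR);
    return ok;
}

/* Constructed scenario: write copy_len bytes into a buf_len-byte block, then free it. */
int copy_then_free(size_t buf_len, size_t copy_len) {
    uint8_t *buf = poison_malloc(buf_len);
    if (!buf) return -1;
    /* copy_len <= buf_len + POISON_LEN keeps the demo inside its own allocation */
    memset(buf, 0x0e, copy_len);
    return poison_free(buf);
}

int main(void) {
    printf("fit=%d overrun=%d\n", copy_then_free(16, 16), copy_then_free(16, 18));
    return 0;
}
```

An allocator whose check always returns 1 frees the second block without reporting the two bytes written past its end.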
