Radius authentication passphrase length

buraglio · May 18, 2006, 3:27 PM

What version are you patching this against? I'm running BETA2 (BETA4 has issues booting on my dell 2850's) and had some errors with redirection after applying the patch. I updated to the /usr/local/captiveportal in CVS (as well as added the authLDAP.inc that it requires) but still have some errors. I'd like to mirror what you have been testing on if possible to rule out any version issues.

billm · May 18, 2006, 3:33 PM

@buraglio:

What version are you patching this against? I'm running BETA2 (BETA4 has issues booting on my dell 2850's) and had some errors with redirection after applying the patch. I updated to the /usr/local/captiveportal in CVS (as well as added the authLDAP.inc that it requires) but still have some errors. I'd like to mirror what you have been testing on if possible to rule out any version issues.

I don't have the box in front of my now that I'm at work, but it should apply cleanly against revision 1.12.2.1 of radius_authentication.inc:
http://pfsense.com/cgi-bin/cvsweb.cgi/pfSense/usr/local/captiveportal/radius_authentication.inc?rev=1.12.2.1;content-type=text%2Fplain

Here's the patched Encrypt() function (all I changed)


/*
 * $password = users password
 * $key = shared secret
 * $RA = Request Authenticator (random value it seems like)
 */
function Encrypt($password,$key,$RA) {
        global $debug;

        if ($debug)
            echo "
key: $key
password: $password

* * *

\n";

        $output="";
        $passlen = strlen($password);
        /* figure out the number of xor rounds we need to run through */
        for ($i=16; $i <= 128; $i += 16) {
                if ($len <= $i) {
                        $rounds = $i/16;
                        break;
                }
        }

        $z = 0; // How many chars have we xor'd
        for ($x=1; $x<=$rounds; $x++) {
                $keyRA=$key.$RA;
                $md5checksum=md5($keyRA);

                // Loop 16 times (md5() output / 2)
                // This limits the effective password to 16 characters - is this really in the radius spec???
                for ($i=0;$i<=15;$i++) {
                        // Convert md5 hex output to decimal (md5 lengths are 32 chars)
                        if (2*$i>32) $m=0; else $m=hexdec(substr($md5checksum,2*$i,2));
                        // get the decimal character value for this character in the password
                        if ($z>$passlen-1) $p=0; else $p=ord(substr($password,$z,1));
                        // xor the md5 character with the password character
                        $c=$m^$p;
                        // Convert back to 8-bit output
                        $output.=chr($c);
                        $z++;
                }
                $RA=$output;
        }

        return $output;
}

–Bill

buraglio · May 18, 2006, 4:40 PM

OK, I got it all cleaned up and patched it. It is yielding the same error from the debug info. From the debug output it looks liek it's grabbing 16 characters.

"username is blahblah with len 8 encryptedpassword is …........with len 16 ........"

billm · May 18, 2006, 5:29 PM

Any debug from the Encrypt() function? I tested it with 15-17 character passwords and it seemed to do the right thing there. I don't have a way to test against RADIUS, but the function looks good now :-/

–Bill

buraglio · May 18, 2006, 7:08 PM

No real debug info from the Encrypt() function. I can dig a little deeper. I can also give you access to the box if you'd like.

buraglio · May 18, 2006, 8:04 PM

So it does allow for shorter paswords but generates some errors:


radius-port: 1812
radius-host: 10.10.102.2
username: blahblah

key: TestRadiusKey
password: testpasswd
username is blahblah with len 8 encryptedpassword is šJ»[à6%¤2ÍÇƒhÄ with len 10 nasHostname is portal-a.lab.local with len 18 
writing 95 bytes

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/captiveportal/radius_authentication.inc:48) in /usr/local/captiveportal/index.php on line 335 
radius-port: 1813
radius-host: 10.10.2.25
username: blahblah

username is blahblah with len 8 nasHostname is portal-a.lab.local with len 18 
writing 113 bytes
[/code]

The errors on the RADIUS server for a >16 char passphrase are as i'd expect for an incorrect passphrase.

billm · May 18, 2006, 8:38 PM

@buraglio:

No real debug info from the Encrypt() function. I can dig a little deeper. I can also give you access to the box if you'd like.

It'd be helpful to be able to point at a radius server with an account that has a 17 (or larger) character password. I've got no way of testing that I'm following the RFC correctly - 16 and under still work with the new code I assume?

–Bill

buraglio · May 18, 2006, 9:01 PM

It authenticates with the new code with a RADIUS box with >=16 passwords but the redirection after fails with some php errors. I assume that is a cosmetic fix and not critical. I can work on getting a radius box up probably tomorrow if that'd be helpful.

billm · May 18, 2006, 9:48 PM

@buraglio:

It authenticates with the new code with a RADIUS box with >=16 passwords but the redirection after fails with some php errors. I assume that is a cosmetic fix and not critical. I can work on getting a radius box up probably tomorrow if that'd be helpful.

So it now authenticates accounts with > 16 char passwords? And authenticates accounts with < 16 char passwords? Only a PHP error to cleanup? Good news. Maybe the PHP error is coming from the $debug define.

–Bill

buraglio · May 19, 2006, 3:52 PM

@billm:

@buraglio:

It authenticates with the new code with a RADIUS box with >=16 passwords but the redirection after fails with some php errors. I assume that is a cosmetic fix and not critical. I can work on getting a radius box up probably tomorrow if that'd be helpful.

So it now authenticates accounts with > 16 char passwords? And authenticates accounts with < 16 char passwords? Only a PHP error to cleanup? Good news. Maybe the PHP error is coming from the $debug define.

–Bill

Actually it only authenticates 16 char or below passwords. I mistyped. Sorry.

buraglio · May 22, 2006, 7:36 PM

Has anyone else noticed this behavior? Would it be beneficial for me to set up a RADIUS box and give you access to test against?

sullrich · May 22, 2006, 7:39 PM

@buraglio:

Has anyone else noticed this behavior? Would it be beneficial for me to set up a RADIUS box and give you access to test against?

Yes, please do. Bill does not have access to a tesitng environment for this.

billm · May 22, 2006, 7:40 PM

@buraglio:

Has anyone else noticed this behavior? Would it be beneficial for me to set up a RADIUS box and give you access to test against?

If you can provide me a radius target I can test this myself.

–Bill

buraglio · May 22, 2006, 7:44 PM

I'll work on this this afternoon and post when it's done.

buraglio · May 23, 2006, 6:53 PM

@buraglio:

I'll work on this this afternoon and post when it's done.

I have this up, I'm still verifying correct functionality. How would you like to go about testing?

buraglio · May 23, 2006, 7:23 PM

ok, I have this working whenever you'd like to start working on it.

billm · May 23, 2006, 9:13 PM

@buraglio:

ok, I have this working whenever you'd like to start working on it.

Can you PM me an IP to test against along with two usernames, one with a 15 char password, one with a 20 char password. I can provide a static IP if needed that I'll be testing from.

–Bill

buraglio · May 23, 2006, 9:40 PM

Sent.

billm · May 24, 2006, 4:15 AM

OK, fixed. Thanks!

Grab http://www.pfsense.org/~billm/radius_authentication.inc.txt until this is commited.

–Bill

billm · May 24, 2006, 5:33 AM

@billm:

OK, fixed. Thanks!

Grab http://www.pfsense.org/~billm/radius_authentication.inc.txt until this is commited.

–Bill

I also verified that the code in HEAD works, it's only RELENG_1 that's affected by this.

–Bill