Issue 1: RadiusClient fails with passwords of more than 16 characters
Status:  New
Owner: ----
Reported by hy...@hyber.dk, May 16, 2013
RFC 2865 says:

      Call the shared secret S and the pseudo-random 128-bit Request
      Authenticator RA.  Break the password into 16-octet chunks p1, p2,
      etc.  with the last one padded at the end with nulls to a 16-octet
      boundary.  Call the ciphertext blocks c(1), c(2), etc.  We'll need
      intermediate values b1, b2, etc.

         b1 = MD5(S + RA)       c(1) = p1 xor b1
         b2 = MD5(S + c(1))     c(2) = p2 xor b2
                .                       .
                .                       .
                .                       .
         bi = MD5(S + c(i-1))   c(i) = pi xor bi

      The String will contain c(1)+c(2)+...+c(i) where + denotes
      concatenation.

However, when calculating b2, b3, b4, etc., Secret+P1, Secret+P2, Secret+P3, etc. is used, when it should have been c(1), c(2), c(3), etc.

This means that passwords longer than 16 bytes will be calculated incorrectly and will not work.

Attached is a patch that fixes the problem.

Hope this helps you (or someone else).

Cheers

Esben
Attachment: AccessRequest.patch (1.2 KB)
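The chaining bug described in this issue, as an added example in Python (not code from the RadiusClient project or from the reporter's patch): the RFC 2865 section 5.2 hiding algorithm beside the buggy variant that feeds the plaintext chunk instead of the ciphertext chunk into the next MD5, plus the server-side reveal step. The shared secret, Request Authenticator and passwords are constructed values.

```python
"""RFC 2865 5.2 User-Password hiding: correct chaining vs. the reported bug.
Added example; not the RadiusClient project's own code."""
import hashlib

CHUNK = 16  # MD5 digest size == User-Password block size


def hide_password(password: bytes, secret: bytes, authenticator: bytes,
                  chain_on_ciphertext: bool = True) -> bytes:
    """Hide a User-Password as a client does (RFC 2865 5.2).

    chain_on_ciphertext=True  -> bi = MD5(S + c(i-1))   the RFC
    chain_on_ciphertext=False -> bi = MD5(S + p(i-1))   the bug this issue reports,
                                  reproduced only to show its effect
    """
    if len(authenticator) != CHUNK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    # pad at the end with NULs to a 16-octet boundary
    padded = password + b"\x00" * (-len(password) % CHUNK)
    out = bytearray()
    prev = authenticator                      # b1 = MD5(S + RA)
    for i in range(0, len(padded), CHUNK):
        p = padded[i:i + CHUNK]
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p, b))  # c(i) = p(i) xor b(i)
        out += c
        prev = c if chain_on_ciphertext else p
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse step as a server does it. It can only chain on the received
    ciphertext blocks, which is why the buggy client output cannot be recovered
    beyond the first 16 octets."""
    if not hidden or len(hidden) % CHUNK:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), CHUNK):
        c = hidden[i:i + CHUNK]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")        # drop the NUL padding


# Constructed values for the demonstration (not from any real deployment).
SECRET = b"testing123"
RA = bytes(range(16))                         # stands in for a random authenticator
SHORT = b"sixteen-chars-16"                   # exactly one chunk
LONG = b"this password is longer than sixteen octets"  # three chunks after padding

if __name__ == "__main__":
    good = hide_password(LONG, SECRET, RA)
    bad = hide_password(LONG, SECRET, RA, chain_on_ciphertext=False)
    print("single-chunk outputs identical:",
          hide_password(SHORT, SECRET, RA) == hide_password(SHORT, SECRET, RA, False))
    print("first block identical:", good[:16] == bad[:16])
    print("server recovers RFC encoding:", reveal_password(good, SECRET, RA) == LONG)
    print("server recovers buggy encoding:", reveal_password(bad, SECRET, RA) == LONG)
```

With a one-chunk password the two variants produce the same bytes, because the chaining value is never used; that is why the defect only surfaces with passwords over 16 octets, and why a server fed the buggy encoding gets the first 16 octets right and garbage after that.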