MS-CHAP Authentication / Bug 17
Garber, Neal
Neal.Garber at energyeast.com
Mon Sep 21 19:30:42 CEST 2009
Alan, Thank you for taking the time to review the patch and for your feedback.
> has a look at this but it's only of interest for classic MS-CHAP
> activity rather than MSCHAPv2 in PEAP or TTLS - correct?
> (in this case we wouldn't use this function or be able to test
> this at our site...but logically it all looks sane)
Actually, the problem definitely impacts PEAP/MSCHAPv2 (and I believe TTLS/MSCHAPv2 also because it's an error in MS-CHAP, but we don't use TTLS so I can't test that). (I haven't thought about it enough to know whether it affects v1, but it definitely occurs with v2 as that's where I found it.)
The problem occurs when the client creates the MS-CHAPv2 response and uses a userid whose case differs from what FR subsequently uses to create the challenge for ntlm_auth.
> a few changes though (?) - it's 'delimiter', not 'delimeter' ;-)
True, but I just copied that line from what was already in the code. I'm ok with fixing the spelling error as part of this patch though ;-)
> and...some RDEBUG2 starts with a white space and others print tight to
> the line - reason for such differences?
I was trying to mimic some of the existing code (when in Rome ;-) )... For instance, there was already an RDEBUG2 for:
RDEBUG2(" NT Domain delimeter found, should we have enabled with_ntdomain_hack?");
I'm not opposed to eliminating the leading spaces if you think it is more readable.
BTW, I just fixed one of the attachments (rlm_eap_mschapv2.c patch). I inadvertently had all 3 patches included in that one file - the replacement now only contains the changes for rlm_eap_mschapv2.c. Sorry about the confusion.
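Added example, not part of the original message and not FreeRADIUS code: the MS-CHAPv2 challenge is the first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName) as defined in RFC 2759, so a server that recomputes it with a differently cased userid gets a different challenge and the client's response no longer verifies. The challenge bytes, the username "JSmith", the domain "CORP" and all function names are constructed for illustration.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(peer || auth || username)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("peer and authenticator challenges must be 16 bytes each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()
    return digest[:8]


def strip_nt_domain(name: str) -> str:
    """Drop a leading 'DOMAIN\\' prefix. Assumption: the client hashed only the
    user portion, which is the situation with_ntdomain_hack exists for."""
    return name.rsplit("\\", 1)[-1]


def challenges_agree(peer: bytes, auth: bytes, client_name: str, server_name: str) -> bool:
    """True when the server-side challenge equals the one the client hashed into
    its response. Names are compared byte for byte, so case matters."""
    return challenge_hash(peer, auth, client_name) == challenge_hash(peer, auth, server_name)


# Constructed sample challenges (not captured traffic).
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))

if __name__ == "__main__":
    cases = [
        ("JSmith", "JSmith"),                       # same case: challenges agree
        ("JSmith", "jsmith"),                       # case differs: mismatch, auth fails
        ("JSmith", "CORP\\JSmith"),                 # domain left on: mismatch
        ("JSmith", strip_nt_domain("CORP\\JSmith")) # domain stripped, case kept: agree
    ]
    for client_name, server_name in cases:
        ok = challenges_agree(PEER, AUTH, client_name, server_name)
        print(f"client={client_name!r:10} server={server_name!r:16} "
              f"challenge={challenge_hash(PEER, AUTH, server_name).hex()} agree={ok}")
```
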