15 character maximum password length for PAP?
Wichert Akkerman
wichert at wiggy.net
Thu Sep 10 08:29:14 UTC 2009
On 9/9/09 19:33 , Mark Dennehy wrote:
> Ref:[Mark Dennehy, Wed, 09/09/09 @ 16:39 +0100]
>> Ref:[Wichert Akkerman, Wed, 09/09/09 @ 17:19 +0200]
>>>> Are the changes not also in revision 223?
>>> There might have been other changes since then which affect that code.
>>> Knowing if 217 works for you will help us track that down.
>>> Wichert.
>> Okay, checking it out now.
>
> Nope, getting the same problem again. If I put in
> "test/12345678901234567890" as the username/password into the captive
> portal, I get "test/1234567890123456" as the username/password being
> received by FreeRADIUS.
>
> I think it's down to lines 1653-1655 in redir.c:
>
> /*
> * decode password - encoded by the UAM portal/script.
> */
> for (m=0; m< RADIUS_PWSIZE;)
>   for (n=0; n< REDIR_MD5LEN; m++, n++)
>     user_password[m] = conn->password[m] ^ chap_challenge[n];
>
>
> The problem is, they do the right thing :-)
> If conn->password[] is longer than chap_challenge[], those lines repeat
> chap_challenge[] to compensate.
I was quite sure they do the right thing now and I'm happy to see that
you agree :). There were some problems with passwords of 16 characters
and longer before revision 217 in related parts of the code.
> Whereas in hotspotlogin.cgi:
>
> $hexchal = pack "H32", $challenge;
>
> ...
>
> } elsif (defined($userpassword)) {
> # Encode plain text password with challenge
> # (which may or may not be uamsecret encoded)
>
> $pappassword = unpack "H32", ($password ^ $newchal);
>
> $logonUrl = "http://$uamip:$uamport/logon?username=$username&password=$pappassword";
Nicely spotted. I had not seen that since we use a custom portal with
chilli.
Regards,
Wichert.
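
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not code from chilli or hotspotlogin.cgi: the decoder repeats the 16-byte challenge over the whole password, but a portal that emits only 32 hex digits ("H32") sends just the first 16 bytes. The function names, the RADIUS_PWSIZE value and the challenge bytes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#define REDIR_MD5LEN  16   /* challenge length: "H32" = 32 hex digits = 16 bytes */
#define RADIUS_PWSIZE 128  /* assumed buffer size for this example */

/* Portal side: XOR with the repeating challenge, emit at most `limit` bytes
 * (REDIR_MD5LEN models unpack "H32"). Returns the number of bytes emitted. */
size_t portal_encode(const char *pw, const unsigned char *chal,
                     unsigned char *out, size_t limit)
{
    size_t len = strlen(pw), i;
    if (len > RADIUS_PWSIZE) len = RADIUS_PWSIZE;
    if (len > limit) len = limit;
    for (i = 0; i < len; i++)
        out[i] = (unsigned char)pw[i] ^ chal[i % REDIR_MD5LEN];
    return len;
}

/* chilli side: same repeating-challenge XOR as the redir.c loop, limited to
 * the bytes actually received, then NUL-terminated (hypothetical helper). */
void chilli_decode(const unsigned char *enc, size_t enclen,
                   const unsigned char *chal, char *out)
{
    size_t m;
    for (m = 0; m < enclen && m < RADIUS_PWSIZE; m++)
        out[m] = (char)(enc[m] ^ chal[m % REDIR_MD5LEN]);
    out[m] = '\0';
}

/* Encode with the given limit, decode, and return what RADIUS would see. */
const char *roundtrip(const char *pw, size_t limit)
{
    static char seen[RADIUS_PWSIZE + 1];
    unsigned char chal[REDIR_MD5LEN], enc[RADIUS_PWSIZE];
    size_t i, n;
    for (i = 0; i < REDIR_MD5LEN; i++)   /* constructed challenge bytes */
        chal[i] = (unsigned char)(0xA5 ^ (i * 7));
    n = portal_encode(pw, chal, enc, limit);
    chilli_decode(enc, n, chal, seen);
    return seen;
}

int main(void)
{
    const char *pw = "12345678901234567890";  /* password from the thread */
    printf("H32-style limit: %s\n", roundtrip(pw, REDIR_MD5LEN));
    printf("full length:     %s\n", roundtrip(pw, strlen(pw)));
    return 0;
}
```

With the 16-byte limit the decoded password is silently shortened rather than rejected, which matches the "1234567890123456" seen by FreeRADIUS above.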