15 character maximum password length for PAP?

Mark Dennehy Mark.Dennehy at cs.tcd.ie
Wed Sep 9 17:33:21 UTC 2009

Ref:[Mark Dennehy, Wed, 09/09/09 @ 16:39 +0100]
> Ref:[Wichert Akkerman, Wed, 09/09/09 @ 17:19 +0200]
> >> Are the changes not also in revision 223?
> > There might have been other changes since then which affect that code.  
> > Knowing if 217 works for you will help us track that down.
> > Wichert.
> Okay, checking it out now.

Nope, getting the same problem again. If I put in
"test/12345678901234567890" as the username/password into the captive
portal, I get "test/1234567890123456" as the username/password being
received by FreeRADIUS.

I think it's down to lines 1653-1655 in redir.c:

     * decode password - encoded by the UAM portal/script. 
    for (m=0; m < RADIUS_PWSIZE;) 
          for (n=0; n < REDIR_MD5LEN; m++, n++)
            user_password[m] = conn->password[m] ^ chap_challenge[n];

The problem is, they do the right thing :-)
If conn->password[] is longer than chap_challange[], those lines repeat
chap_challange[] to compensate.

Whereas in hotspotlogin.cgi:

  $hexchal  = pack "H32", $challenge;


  } elsif (defined($userpassword)) {
    # Encode plain text password with challenge 
    # (which may or may not be uamsecret encoded)

    $pappassword = unpack "H32", ($password ^ $newchal);

    $logonUrl = "http://$uamip:$uamport/logon?username=$username&password=$pappassword";

So if the password is longer than 16 characters
(the default size of the challange), firstly only the first 16
characters of the password are xor'd with the challange - everything
after that is left in plaintext (well, actually it's xor'd with 0
but that's the same end result); and secondly (and masking the first
problem), everything after the 16th character is dropped by the use of
the "H32" template for the pack and unpack commands on lines 153 and

So, changes to hotspotlogin.cgi (I know it's legacy, but it's in use)
and the problem's fixed, I'm able to use 100-character passwords now
(I've not tested it for passwords over 128 characters):

  $hexchal  = pack "H*", $challenge;


  } elsif (defined($userpassword)) {
    # Encode plain text password with challenge 
    # (which may or may not be uamsecret encoded)

    while (length($newchal) < length($password)){
       $newchal .= $newchal;

    $pappassword = unpack "H*", ($password ^ $newchal);

Patch attached.

Mark Dennehy
tel : +353-1-896 1543
Distributed Systems Group
School of Computer Science & Statistics
Trinity College Dublin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch.diff
Type: text/x-diff
Size: 873 bytes
Desc: not available
URL: <http://lists.coova.org/pipermail/chilli/attachments/20090909/764f6ddc/attachment.diff>

More information about the Chilli mailing list