15 character maximum password length for PAP?

wlanmac wlan at mac.com
Thu Sep 10 04:50:25 UTC 2009


committed, thanks! btw, I also saw your writeup in your blog. thanks
again. 


On Wed, 2009-09-09 at 18:33 +0100, Mark Dennehy wrote:
> Ref:[Mark Dennehy, Wed, 09/09/09 @ 16:39 +0100]
> > Ref:[Wichert Akkerman, Wed, 09/09/09 @ 17:19 +0200]
> > >> Are the changes not also in revision 223?
> > > There might have been other changes since then which affect that code.  
> > > Knowing if 217 works for you will help us track that down.
> > > Wichert.
> > Okay, checking it out now.
> 
> Nope, getting the same problem again. If I put in
> "test/12345678901234567890" as the username/password into the captive
> portal, I get "test/1234567890123456" as the username/password being
> received by FreeRADIUS.
> 
> I think it's down to lines 1653-1655 in redir.c:
> 
>     /*
>      * decode password - encoded by the UAM portal/script. 
>      */
>     for (m=0; m < RADIUS_PWSIZE;) 
>           for (n=0; n < REDIR_MD5LEN; m++, n++)
>             user_password[m] = conn->password[m] ^ chap_challenge[n];
>                 
> 
> The problem is, they do the right thing :-)
> If conn->password[] is longer than chap_challenge[], those lines repeat
> chap_challenge[] to compensate.
> 
> Whereas in hotspotlogin.cgi:
> 
>   $hexchal  = pack "H32", $challenge;
> 
>   ...
> 
>   } elsif (defined($userpassword)) {
>     # Encode plain text password with challenge 
>     # (which may or may not be uamsecret encoded)
> 
>     $pappassword = unpack "H32", ($password ^ $newchal);
> 
>     $logonUrl = "http://$uamip:$uamport/logon?username=$username&password=$pappassword";
> 
> So if the password is longer than 16 characters
> (the default size of the challenge), firstly only the first 16
> characters of the password are xor'd with the challenge - everything
> after that is left in plaintext (well, actually it's xor'd with 0
> but that's the same end result); and secondly (and masking the first
> problem), everything after the 16th character is dropped by the use of
> the "H32" template for the pack and unpack commands on lines 153 and
> 173.
> 
> So, changes to hotspotlogin.cgi (I know it's legacy, but it's in use)
> and the problem's fixed, I'm able to use 100-character passwords now
> (I've not tested it for passwords over 128 characters):
> 
>   $hexchal  = pack "H*", $challenge;
> 
> ...
> 
>   } elsif (defined($userpassword)) {
>     # Encode plain text password with challenge 
>     # (which may or may not be uamsecret encoded)
> 
>     while (length($newchal) < length($password)){
>        $newchal .= $newchal;
>     }
> 
>     $pappassword = unpack "H*", ($password ^ $newchal);
> 
> 
> Patch attached.
> 
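
The round trip discussed in the quoted message, modelled in Python as an added example (it is not code from CoovaChilli or from either poster): the original and patched portal-side encodings, and the server-side XOR loop that repeats the 16-byte challenge. Assumptions: the challenge and password values are constructed, the function names are hypothetical, and the decoder drops trailing NUL bytes the way a C string read would.

```python
# Added illustration: Python model of the hotspotlogin.cgi encoding and the
# redir.c decoding described in the thread. Function names are hypothetical.

MD5LEN = 16  # challenge length stated in the thread (REDIR_MD5LEN)


def perl_xor(a: bytes, b: bytes) -> bytes:
    """Model Perl's string ^: the shorter operand is padded with NUL bytes."""
    n = max(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a.ljust(n, b"\0"), b.ljust(n, b"\0")))


def encode_old(password: bytes, chal: bytes) -> str:
    """Original script: unpack "H32" keeps only the first 16 bytes."""
    return perl_xor(password, chal)[:16].hex()


def encode_fixed(password: bytes, chal: bytes) -> str:
    """Patched script: double the challenge until it covers the password."""
    while len(chal) < len(password):
        chal += chal
    return perl_xor(password, chal).hex()


def decode_server(hex_pw: str, chal: bytes) -> bytes:
    """Server-side loop: XOR with the challenge repeated every 16 bytes.
    Assumption: trailing NULs are dropped, as when reading a C string."""
    raw = bytes.fromhex(hex_pw)
    return bytes(c ^ chal[i % MD5LEN] for i, c in enumerate(raw)).rstrip(b"\0")


# Constructed sample values (the challenge is not from a real session).
CHAL = bytes.fromhex("0123456789abcdeffedcba9876543210")
PW = b"12345678901234567890"

if __name__ == "__main__":
    print("old   ->", decode_server(encode_old(PW, CHAL), CHAL))
    print("fixed ->", decode_server(encode_fixed(PW, CHAL), CHAL))
    # Without the "H32" cut, the unpatched XOR would carry the tail unmasked:
    print("tail  ->", perl_xor(PW, CHAL)[16:])
```
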



