[RADIATOR] decode_password2(): LF in padding kills password
Roland Rosenfeld
rrosenfeld at netcologne.de
Tue Jun 16 04:58:49 CDT 2009
Hi!
Under very rare conditions I noticed "Bad encrypted password" where
the password was definitely correct. I did some debugging noticed,
that this was triggered by a linefeed in the padding of the
(decrypted) User-Password.
I know, that the padding of the User-Password should be filled with 0,
but my test client only uses two 0 and junk after this and according
to the comment in decode_password() Cisco has some similar bug.
With Radiator 3.x the problem doesn't trigger, while 4.1 to 4.4 all
trigger the problem here. I compared the decode_password() functions
and noticed that 3.x uses
my $index = index($pwdout, "\000");
substr($pwdout, $index) = '' if $index != -1;
to strip the junk while 4.x uses
$pwdout =~ s/\0.*//;
which runs into trouble if $pwout contains a linefeed, because
everything right to the linefeed is kept instead of removed.
As a quick workaround the attached patch reverts the change, which
works without problems here.
Tschoeeee
Roland
--
Roland Rosenfeld - Content Delivery - NED - Technik
NetCologne Gesellschaft für Telekommunikation mbH - HRB 25580, AG Köln
Am Coloneum 9 50829 Köln Tel.: +49-221-2222-373 Fax: +49-221-2222-7373
Geschäftsführer: Werner Hanf, Karl-Heinz Zankel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: decode_password2_padding.patch
Type: text/x-diff
Size: 455 bytes
Desc: not available
Url : http://www.open.com.au/pipermail/radiator/attachments/20090616/a3ab2f6d/attachment.bin
More information about the radiator
mailing list