On Thu, May 27, 2004 at 05:03:26PM -0400, Alan DeKok wrote:
> Dinko Korunic <[EMAIL PROTECTED]> wrote:
>   You can then run it on two machines, use 'grep' to pull out the
>   MSCHAP lines from the debug log, and then use 'diff' to see where
>   they differ.  This will let you track down where the problem occurs.

More or less I've done what you've told me to. I've hacked around
rlm_mschap (code is at the end of the mail) to verbosely print hex values of
important values, and used FreeRADIUS radclient to send proven-correct
attributes (sorry, I've used mine, which succeeded in authorisation, just
to be sure).

Attributes:
User-Name=aland
MS-CHAP-Challenge=0x303132333435363738393A3B3C3D3E3F
MS-CHAP2-Response=0x3C00202122232425262728292A2B2C2D2E2F00000000000000006649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF

Unsuccessful log:
CHAPDBG: challenge length 16
  rlm_mschap: doing MS-CHAPv2 with NT-Password
CHAPDBG: peer challenge 202122232425262728292A2B2C2D2E2F
CHAPDBG: auth challenge 303132333435363738393A3B3C3D3E3F
CHAPDBG: username aland
CHAPDBG: nt password B8CB804B59CAB90FA682D579C7FD9009
CHAPDBG: challenge 6C7C02695D6C6D7F
CHAPDBG: calculated 445D54B8A44023A305D59E18DCD6F78CCAA9E79046FB7601
CHAPDBG: response 6649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Successful log:
CHAPDBG: challenge length 16
  rlm_mschap: doing MS-CHAPv2 with NT-Password
CHAPDBG: peer challenge 202122232425262728292A2B2C2D2E2F
CHAPDBG: auth challenge 303132333435363738393A3B3C3D3E3F
CHAPDBG: username aland
CHAPDBG: nt password B8CB804B59CAB90FA682D579C7FD9009
CHAPDBG: challenge CC8E988B421E3260
CHAPDBG: calculated 6649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF
CHAPDBG: response 6649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF

As we can see, the initial challenge calculation has gone wrong somewhere, which
is happening in challenge_hash(), a function which is strictly using OpenSSL SHA1
functions. Doh. I thought at least OpenSSL should be endian-clean.

=== patch follows ===

--- rlm_mschap.c-orig   2004-05-28 02:23:53.000000000 +0200
+++ rlm_mschap.c        2004-05-28 02:26:42.000000000 +0200
@@ -94,6 +94,17 @@
        }
 }
 
+char * bin2hex2 (const unsigned char *szBin, int len)
+{
+       int i;
+       static char szHex2[1024];
+       for (i = 0; i < len; i++) {
+               szHex2[i<<1] = letters[szBin[i] >> 4];
+               szHex2[(i<<1) + 1] = letters[szBin[i] & 0x0F];
+       }
+       szHex2[(i<<1)] = 0;
+       return szHex2;
+}
 
 /* Allowable account control bits */
 #define ACB_DISABLED   0x0001  /* 1 = User account disabled */
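Review bot: bin2hex2() writes 2*len+1 bytes into a fixed 1024-byte static buffer with no check on len, so any caller with len > 511 overflows it; the three callers below pass 8, 16 and 24, but clamp it anyway (`if (len > (int)(sizeof(szHex2) - 1) / 2) len = (sizeof(szHex2) - 1) / 2;`). The static buffer also means two bin2hex2() calls in one DEBUG2 format would print the same string, and it is not safe once the server runs threaded; a caller-supplied output buffer avoids both problems. `letters` is not defined in this hunk, so the patch relies on a table that already exists in rlm_mschap.c.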
@@ -233,11 +244,20 @@
                    char *response)
 {
        char challenge[8];
-       
+
+       DEBUG2("CHAPDBG: peer challenge %s", bin2hex2(peer_challenge, 16));
+       DEBUG2("CHAPDBG: auth challenge %s", bin2hex2(auth_challenge, 16));
+       DEBUG2("CHAPDBG: username %s", user_name);
+       DEBUG2("CHAPDBG: nt password %s", bin2hex2(nt_password, 16));
+
        challenge_hash(peer_challenge, auth_challenge, user_name,
                       challenge);
 
+       DEBUG2("CHAPDBG: challenge %s", bin2hex2(challenge, 8));
+
        lrad_mschap(nt_password, challenge, response);
+
+       DEBUG2("CHAPDBG: calculated %s",  bin2hex2(response, 24));
 }
 
 /*
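Review bot: the fourth added DEBUG2 writes the user's NT hash, which is password-equivalent, to the debug log; acceptable for this one-off diagnostic, but it must not be committed, and the captured logs (pasted in this mail) should be handled as containing a credential. Also `challenge` is `char challenge[8]` and `response` is `char *`, while bin2hex2() takes `const unsigned char *`, so expect pointer-sign warnings at these call sites; cast there or declare bin2hex2() with `const char *`.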
@@ -819,6 +839,7 @@
                /*
                 *      MS-CHAPv2 challenges are 16 octets.
                 */
+               DEBUG2("CHAPDBG: challenge length %d", challenge->length);
                if (challenge->length < 16) {
                        radlog(L_AUTH, "rlm_mschap: MS-CHAP-Challenge has the wrong 
format.");
                        return RLM_MODULE_INVALID;
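Review bot: the `radlog(L_AUTH, "rlm_mschap: MS-CHAP-Challenge has the wrong` context line has been wrapped by the mail client onto two lines ("wrong" / "format."), so `patch` will reject this hunk as posted; resend the diff as an attachment or with line wrapping disabled. The added DEBUG2 itself is fine.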
@@ -853,6 +874,7 @@
                mschap2(response->strvalue + 2, challenge->strvalue,
                        request->username->strvalue, nt_password->strvalue,
                        calculated);
+               DEBUG2("CHAPDBG: response %s", bin2hex2(response->strvalue + 26, 24));
                if (memcmp(response->strvalue + 26, calculated, 24) != 0) {
                        DEBUG2("  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect");
                        add_reply(&request->reply->vps, *response->strvalue,
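Review bot: the hunk ends in the middle of the `add_reply(...)` call (the last context line is cut off after `*response->strvalue,`), so the patch is incomplete as posted and will not apply. The new DEBUG2 dumps the received 24-octet NT-Response before the memcmp, which is what the investigation needs; printing it on the same line as `calculated` would make the unsuccessful and successful logs directly diff-able. Note also that `response->strvalue + 26` assumes the attribute is at least 50 octets; the length check that guarantees that is not in this hunk.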

-- 
|  |--.----.-----. Dinko 'kreator' Korunic       #include <stddisclaimer.h>
|    <|   _|  -__| http://www.srce.hr/~kreator/ | http://kre.deviantart.com
|__|__|__| |_____| PGP:0xEA160D0B | IRC:kre | ICQ:16965294 | AIM:kreatorMoo

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
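The two logs in the mail are the inputs and outputs of the RFC 2759 MS-CHAPv2 computation that rlm_mschap performs: ChallengeHash (SHA1 over peer challenge, authenticator challenge and user name, first 8 octets) followed by ChallengeResponse (the challenge DES-encrypted under three keys cut from the zero-padded NT hash). The Go program below is an added example, not FreeRADIUS code, that reproduces that computation from the attribute values in the mail and performs the same comparison the module does. It assumes the User-Name, MS-CHAP-Challenge and MS-CHAP2-Response bytes are exactly what radclient sent and takes the NT hash from the debug log rather than deriving it from a password (MD4 is not in Go's standard library). The type and function names are the example's own.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Copied from the mail: the radclient attributes and the "nt password" debug
// line. Assumption: these are the exact bytes the server saw.
const (
	userName           = "aland"
	msChapChallengeHex = "303132333435363738393A3B3C3D3E3F"
	msChap2ResponseHex = "3C00202122232425262728292A2B2C2D2E2F0000000000000000" +
		"6649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF"
	ntPasswordHashHex = "B8CB804B59CAB90FA682D579C7FD9009"
)

// MSCHAP2Response is the 50-octet MS-CHAP2-Response layout that rlm_mschap
// indexes as strvalue+2 (peer challenge) and strvalue+26 (NT-Response).
type MSCHAP2Response struct {
	Ident, Flags  byte
	PeerChallenge []byte // 16 octets
	NTResponse    []byte // 24 octets; the 8 reserved octets before it are ignored
}

func ParseMSCHAP2Response(b []byte) (MSCHAP2Response, error) {
	if len(b) != 50 {
		return MSCHAP2Response{}, fmt.Errorf("MS-CHAP2-Response must be 50 octets, got %d", len(b))
	}
	return MSCHAP2Response{Ident: b[0], Flags: b[1], PeerChallenge: b[2:18], NTResponse: b[26:50]}, nil
}

// ChallengeHash is RFC 2759 section 8.2, i.e. what challenge_hash() computes
// and the patch logs as "CHAPDBG: challenge".
func ChallengeHash(peerChallenge, authChallenge []byte, user string) []byte {
	h := sha1.New()
	h.Write(peerChallenge[:16])
	h.Write(authChallenge[:16])
	h.Write([]byte(user))
	return h.Sum(nil)[:8]
}

// desKey spreads a 7-octet key over 8 octets, 7 key bits per octet with the
// low (parity) bit clear, as RFC 2759 section 8.6 requires.
func desKey(k7 []byte) []byte {
	var acc uint64
	for _, b := range k7[:7] {
		acc = acc<<8 | uint64(b)
	}
	k := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k[i] = byte(acc&0x7F) << 1
		acc >>= 7
	}
	return k
}

// ChallengeResponse is RFC 2759 section 8.5 (lrad_mschap() in the module,
// logged as "CHAPDBG: calculated"): zero-pad the NT hash to 21 octets and
// DES-ECB encrypt the challenge under each 7-octet third of it.
func ChallengeResponse(challenge, ntHash []byte) []byte {
	zHash := make([]byte, 21)
	copy(zHash, ntHash[:16])
	out := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		block, err := des.NewCipher(desKey(zHash[i*7 : i*7+7]))
		if err != nil {
			panic(err) // unreachable: the key is always 8 octets
		}
		enc := make([]byte, 8)
		block.Encrypt(enc, challenge[:8])
		out = append(out, enc...)
	}
	return out
}

// VerifyMSCHAP2 does what rlm_mschap does after mschap2(): recompute the
// NT-Response from the stored hash and compare it with the peer's. Unlike the
// memcmp() in the patch, the comparison here is constant-time.
func VerifyMSCHAP2(user string, authChallenge, ntHash []byte, resp MSCHAP2Response) (challenge, calculated []byte, ok bool) {
	challenge = ChallengeHash(resp.PeerChallenge, authChallenge, user)
	calculated = ChallengeResponse(challenge, ntHash)
	return challenge, calculated, subtle.ConstantTimeCompare(calculated, resp.NTResponse) == 1
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	resp, err := ParseMSCHAP2Response(mustHex(msChap2ResponseHex))
	if err != nil {
		panic(err)
	}
	challenge, calculated, ok := VerifyMSCHAP2(userName, mustHex(msChapChallengeHex), mustHex(ntPasswordHashHex), resp)
	// Same labels as the patched module, so the output diffs cleanly against the logs.
	fmt.Printf("CHAPDBG: challenge %X\nCHAPDBG: calculated %X\nCHAPDBG: response %X\nmatch: %v\n",
		challenge, calculated, resp.NTResponse, ok)
}
```

Run it with `go run`; the `challenge` and `calculated` lines should match the successful log. A broken SHA1 shows up exactly as in the unsuccessful log: the inputs agree, the 8-octet challenge differs, and everything downstream differs with it, which is why the per-step dump is the right diagnostic.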