Re: Mikrotik Dissconect

Thu, 10 Jun 2010 06:54:27 -0700 

On Thu, 2010-06-10 at 14:12 +0200, Alan DeKok wrote:
> f0rud wrote:
> > I found the "calc_replydigest" function in radius.c always return 2
> > (digest_cmp failed) Since this function is new in code , then its the
> > problem and the diff. with version 1.x
> 
>   The "digest_cmp" is failing because the packet is wrong.
> 
>   Try the old code from an earlier version of radius.c.  It will *also*
> fail to authenticate the packet.

Thats the problem, version 1.1.8 have no problem!(This time I check this
myself. with the code from download page.)
> 
> > For fixing my problem, I just by pass this test for PW_DISCONNECT_ACK
> > (not a good idea I know but what else I can do?) and now its fine for my
> > problem.
> 
>   Or, you could ask the NAS vendor to implement RADIUS properly.
In Mikrotik forum they said to ask your team (not to me they said this
is radclient problem.)  thats I love : infinite loop :)) 
> 
> > I see the code for another messages (for ex: PW_AUTHENTICATION_REQUEST)
> > you just ignore the code,
> 
>   Uh... no.  It does not do that.
> 
So check this at radius.c about line 2110
        /*
         *      Calculate and/or verify digest.
         */
        switch(packet->code) {
                int rcode=0;
                char buffer[32];

                case PW_AUTHENTICATION_REQUEST:
                case PW_STATUS_SERVER:
                        /*
                         *      The authentication vector is random
                         *      nonsense, invented by the client.
                         */
                        break;

and after this break, the function return 0 that means OK , so where the
code take care of this messages digest?
> > so why this one(PW_DISCONNECT_ACK) "must" be
> > checked? if some one want to do "timing attack" then can use this
> > message(PW_AUTHENTICATION_REQUEST) so by checking just some message its
> > not "safe".
> 
>   That is not true.
> 
This timing attack (I read the comment on the code) so bypassing this
function (rad_verify) means some one can do this attack, and If yo don't
believe me, check the code, any PW_AUTHENTICATION_REQUEST package will
pass this function. 
so what difference, and why this pass exist at all when there is some
exception?
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to