mirror222 / tinyradius4net Goto Github PK

RFC 2865 says:

      Call the shared secret S and the pseudo-random 128-bit Request
      Authenticator RA.  Break the password into 16-octet chunks p1, p2,
      etc.  with the last one padded at the end with nulls to a 16-octet
      boundary.  Call the ciphertext blocks c(1), c(2), etc.  We'll need
      intermediate values b1, b2, etc.

         b1 = MD5(S + RA)       c(1) = p1 xor b1
         b2 = MD5(S + c(1))     c(2) = p2 xor b2
                .                       .
                .                       .
                .                       .
         bi = MD5(S + c(i-1))   c(i) = pi xor bi

      The String will contain c(1)+c(2)+...+c(i) where + denotes
      concatenation.

However when calculating b2, b3, b4, etc. Secret+P1, Secret+P2, Secret+P3, etc 
is used, when it should have been c(1), c(2), c(3), etc.

This means that passwords longer than 16bytes will be calculated wrong and will 
not work.

Attached is patch that fixes the problem..

Hope this help you (or someone else)

Cheers

Esben

What steps will reproduce the problem?
1. Configure radius server , Configure RuggedCom switch for the radius server
2. Try to login as a user other than admin user. (Attribute should contain 
vendor Specific attribute) . Make sure you have added vendor specific attribute 
for RuggedCom

VENDOR         15004   RuggedCom

VENDORATTR     15004   RuggedCom-Privilege-level      2     string

3. Throws exception in the server while reading attributes from the dictionary 
file in the server. When seen in Wireshark says malformed packet.

What is the expected output? What do you see instead?
Should read the vendor specific attribute

What version of the product are you using? On what operating system?
tinyradius for .net in windows 7

Please provide any additional information below.
Am not sure whehter i have latest version. Please provide link to the latest 
version if there is any.