First Last Prev Next    This bug is not in your last search results.
Bug 38785 - univention-radius-ntlm-auth breaks with certain passwords
univention-radius-ntlm-auth breaks with certain passwords
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Radius
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.0-3-errata
Assigned To: Felix Botner
Daniel Tröder
:
Depends on:
Blocks: 38794 39301
  Show dependency treegraph
 
Reported: 2015-06-29 11:12 CEST by Janis Meybohm
Modified: 2018-11-09 14:20 CET (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
/usr/share/pyshared/univention/pyMsChapV2.py (6.78 KB, text/x-python)
2015-09-02 18:32 CEST, Felix Botner 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Janis Meybohm univentionstaff 2015-06-29 11:12:16 CEST 
Ticket#2015062521002132

univention-radius-ntlm-auth breaks with certain passwords used.
Concrete example with user "lisa" and password "taylor21." (sambaNTPassword == 00563126F04F3875C417F789B00E72D2).

# radtest -t mschap lisa taylor21. localhost 10 testing123 
Sending Access-Request of id 110 to 127.0.0.1 port 1812                                                                                                                                                        
        User-Name = "lisa"                                                                                                                                                                                     
        NAS-IP-Address = 10.101.69.2                                                                                                                                                                           
        NAS-Port = 10                                                                                                                                                                                          
        MS-CHAP-Challenge = 0x5355f4fc60c8888a                                                                                                                                                                 
        MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000009681672b365655d0592c3e4009547b9e11bc751b6e97943b                                                                              
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=110, length=38                                                                                                                                
        MS-CHAP-Error = "\000E=691 R=1" 

# univention-radius-ntlm-auth --request-nt-key --username=lisa --challenge=5355f4fc60c8888a --nt-response=9681672b365655d0592c3e4009547b9e11bc751b6e97943b --station-id=b4-52-7e-3e-1a-67
Traceback (most recent call last):
  File "/usr/bin/univention-radius-ntlm-auth", line 81, in <module>
    sys.exit(main())
  File "/usr/bin/univention-radius-ntlm-auth", line 73, in main
    if PasswordHash and pyMsChapV2.ChallengeResponse(options.Challenge, PasswordHash) == options.Response:
  File "/usr/lib/pymodules/python2.6/univention/pyMsChapV2.py", line 77, in ChallengeResponse
    Response = DesEncrypt(Challenge, ZPasswordHash[0:7])
  File "/usr/lib/pymodules/python2.6/univention/pyMsChapV2.py", line 55, in DesEncrypt
    return pyDes.des(expandDesKey(key), pyDes.ECB).encrypt(data)
  File "/usr/lib/pymodules/python2.6/univention/pyDes.py", line 400, in __init__
    raise ValueError("Invalid DES key size. Key must be exactly 8 bytes long.")
ValueError: Invalid DES key size. Key must be exactly 8 bytes long.



Looks like DesEncrypt expandDesKey fails to return 8 byte string here.
Comment 1 Felix Botner univentionstaff 2015-09-02 18:32:54 CEST 
Created attachment 7152 [details]
/usr/share/pyshared/univention/pyMsChapV2.py

Here is a replacement for /usr/share/pyshared/univention/pyMsChapV2.py from univention-radius which uses a different method for expanding keys to 8 bit (stolen from univention-squid).

Seems to work in my tests.

Maybe even better we use passlib.utils.des, which is part of the debian package python-passlib (already maintained).

This does the encryption and expansion and would be a replacement for the whole univention.pyDes stuff.

import passlib.utils.des
passlib.utils.des.des_encrypt_block(key, data)
Comment 2 Felix Botner univentionstaff 2015-09-03 11:13:49 CEST 
Replaced univention.pyMsChapV2.DesEncrypt.expandDesKey() with convertKey() from univention-squid. Added some more tests.
4.0-3: r63424
4.1-0: r63427

Create Bug #39301 for replacing this with passlib.utils.des.des_encrypt_block(key, data)


YAML: 2015-09-03-univention-radius.yaml
Comment 3 Daniel Tröder univentionstaff 2015-09-04 13:01:46 CEST 
OK: automated test
OK: manual test
 * install radius app, add user lisa, univention-radius-ntlm-auth → Traceback
 * upgrade to fixed version of univention-radius, univention-radius-ntlm-auth → OK
OK: merge to 4.1
OK: YAML
Comment 4 Janek Walkenhorst univentionstaff 2015-10-14 14:58:01 CEST 
<http://errata.software-univention.de/ucs/4.0/337.html>
First Last Prev Next    This bug is not in your last search results.