On Thu, May 27, 2004 at 05:03:26PM -0400, Alan DeKok wrote: > You can then run it on two machines, use 'grep' to pull out the > MSCHAP lines from the debug log, and then use 'diff' to see where they > differ. This will let you track down where the problem occurs.
I've traced the bug down to SHA1 code which isn't clean - long type on Alpha is 64bit. I've rewritten SHA1.c using some of CryptoAPI code, and tested it with test vectors, as well as PEAP - and all is working now [0.9.3 for sure, probably CVS versions too]. ... auth: type "MS-CHAP" modcall: entering group Auth-Type for request 0 rlm_mschap: doing MS-CHAPv2 with NT-Password rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 0 modcall: group Auth-Type returns ok for request 0 Login OK: [aland] (from client imu port 0) Sending Access-Accept of id 242 to 127.0.0.1:32773 MS-CHAP2-Success = 0x3c533d46453337433833344237434339443235463133393233463835354532443335454645343145463042 MS-MPPE-Recv-Key = 0xacd95e31614594ec0c5a1f5f83989c42 MS-MPPE-Send-Key = 0xf52670d2b05a5321de830fa386a034b7 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 ... I'm attaching new sha1.c and sha1.h, which should be working on both little and bigendian machines, etc. If sha1.c is compiled with -DTEST, it will check itself with standard three test vectors. -- | |--.----.-----. Dinko 'kreator' Korunic #include <stddisclaimer.h> | <| _| -__| http://www.srce.hr/~kreator/ | http://kre.deviantart.com |__|__|__| |_____| PGP:0xEA160D0B | IRC:kre | ICQ:16965294 | AIM:kreatorMoo
/* SHA1 Secure Hash Algorithm. * * Derived from cryptoapi implementation, adapted for in-place * scatterlist interface. Originally based on the public domain * implementation written by Steve Reid. * * Copyright (c) Alan Smithee. * Copyright (c) Andrew McDonald <[EMAIL PROTECTED]> * Copyright (c) Jean-Francois Dive <[EMAIL PROTECTED]> * * Modified for FreeRADIUS (c) Dinko Korunic <[EMAIL PROTECTED]> * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the Free * Software Foundation; either version 2 of the License, or (at your option) * any later version. * * Version: $Id$ */ #include "sha1.h" inline uint32_t rol(uint32_t value, uint32_t bits) { return (((value) << (bits)) | ((value) >> (32 - (bits)))); } /* blk0() and blk() perform the initial expand. */ /* I got the idea of expanding during the round function from SSLeay */ # define blk0(i) block32[i] #define blk(i) (block32[i&15] = rol(block32[(i+13)&15]^block32[(i+8)&15] \ ^block32[(i+2)&15]^block32[i&15],1)) /* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */ #define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5); \ w=rol(w,30); #define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5); \ w=rol(w,30); #define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30); #define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5); \ w=rol(w,30); #define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30); /* Hash a single 512-bit block. This is the core of the algorithm. */ void SHA1Transform(uint32_t *state, const uint8_t *in) { uint32_t a, b, c, d, e; uint32_t block32[16]; /* convert/copy data to workspace */ for (a = 0; a < sizeof(block32)/sizeof(uint32_t); a++) block32[a] = ntohl (((const uint32_t *)in)[a]); /* Copy context->state[] to working vars */ a = state[0]; b = state[1]; c = state[2]; d = state[3]; e = state[4]; /* 4 rounds of 20 operations each. Loop unrolled. */ R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); /* Add the working vars back into context.state[] */ state[0] += a; state[1] += b; state[2] += c; state[3] += d; state[4] += e; /* Wipe variables */ a = b = c = d = e = 0; memset (block32, 0x00, sizeof block32); } void SHA1Init(void *ctx) { SHA1_CTX *sctx = ctx; static const SHA1_CTX initstate = { 0, { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 }, { 0, } }; *sctx = initstate; } void SHA1Update(void *ctx, const uint8_t *data, unsigned int len) { SHA1_CTX *sctx = ctx; unsigned int i, j; j = (sctx->count >> 3) & 0x3f; sctx->count += len << 3; if ((j + len) > 63) { memcpy(&sctx->buffer[j], data, (i = 64-j)); SHA1Transform(sctx->state, sctx->buffer); for ( ; i + 63 < len; i += 64) { SHA1Transform(sctx->state, &data[i]); } j = 0; } else i = 0; memcpy(&sctx->buffer[j], &data[i], len - i); } /* Add padding and return the message digest. */ void SHA1Final(uint8_t *out, void* ctx) { SHA1_CTX *sctx = ctx; uint32_t i, j, idex, padlen; uint64_t t; uint8_t bits[8] = { 0, }; static const uint8_t padding[64] = { 0x80, }; t = sctx->count; bits[7] = 0xff & t; t>>=8; bits[6] = 0xff & t; t>>=8; bits[5] = 0xff & t; t>>=8; bits[4] = 0xff & t; t>>=8; bits[3] = 0xff & t; t>>=8; bits[2] = 0xff & t; t>>=8; bits[1] = 0xff & t; t>>=8; bits[0] = 0xff & t; /* Pad out to 56 mod 64 */ idex = (sctx->count >> 3) & 0x3f; padlen = (idex < 56) ? (56 - idex) : ((64+56) - idex); SHA1Update(sctx, padding, padlen); /* Append length */ SHA1Update(sctx, bits, sizeof bits); /* Store state in digest */ for (i = j = 0; i < 5; i++, j += 4) { uint32_t t2 = sctx->state[i]; out[j+3] = t2 & 0xff; t2>>=8; out[j+2] = t2 & 0xff; t2>>=8; out[j+1] = t2 & 0xff; t2>>=8; out[j ] = t2 & 0xff; } /* Wipe context */ memset(sctx, 0, sizeof *sctx); } #ifdef TEST int main() { /* test vectors from FIPS PUB 180, "Secure Hash Standard", 1993. */ unsigned char digest[20]; unsigned char message[3] = {'a', 'b', 'c' }; unsigned char *mess56 = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"; /* correct hashes */ char *dig1 = "A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D"; char *dig2 = "84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1"; char *dig3 = "34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F"; SHA1_CTX sha; int i; unsigned char big[1000]; /* process first vector */ SHA1Init(&sha); SHA1Update(&sha, message, 3); SHA1Final(digest, &sha); for (i = 0; i < 20; i++) { if ((i % 4) == 0) printf(" "); printf("%02x", digest[i]); } printf("\n"); printf(" %s <= correct\n", dig1); /* process second vector */ SHA1Init(&sha); SHA1Update(&sha, mess56, 56); SHA1Final(digest, &sha); for (i = 0; i < 20; i++) { if ((i % 4) == 0) printf(" "); printf("%02x", digest[i]); } printf("\n"); printf(" %s <= correct\n", dig2); /* process second vector */ /* Fill up big array */ for (i = 0; i < 1000; i++) big[i] = 'a'; SHA1Init(&sha); /* Digest 1 million x 'a' */ for (i = 0; i < 1000; i++) SHA1Update(&sha, big, 1000); SHA1Final(digest, &sha); for (i = 0; i < 20; i++) { if ((i % 4) == 0) printf(" "); printf("%02x", digest[i]); } printf("\n"); printf(" %s <= correct\n", dig3); return 0; } #endif
#ifndef _LRAD_SHA1_H #define _LRAD_SHA1_H /* SHA1 Secure Hash Algorithm. * * Derived from cryptoapi implementation, adapted for in-place * scatterlist interface. Originally based on the public domain * implementation written by Steve Reid. * * Copyright (c) Alan Smithee. * Copyright (c) Andrew McDonald <[EMAIL PROTECTED]> * Copyright (c) Jean-Francois Dive <[EMAIL PROTECTED]> * * Modified for FreeRADIUS (c) Dinko Korunic <[EMAIL PROTECTED]> * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the Free * Software Foundation; either version 2 of the License, or (at your option) * any later version. * * Version: $Id$ */ #include "autoconf.h" #include <string.h> #ifdef HAVE_SYS_TYPES_H #include <sys/types.h> #endif #ifdef HAVE_NETINET_IN_H #include <netinet/in.h> #endif #ifdef HAVE_STDINT_H #include <stdint.h> #endif /* * FreeRADIUS defines to ensure globally unique SHA1 function names, * so that we don't pick up vendor-specific broken SHA1 libraries. */ #define SHA1_CTX librad_SHA1_CTX #define SHA1Transform librad_SHA1Transform #define SHA1Init librad_SHA1Init #define SHA1Update librad_SHA1Update #define SHA1Final librad_SHA1Final typedef struct { uint64_t count; uint32_t state[5]; uint8_t buffer[64]; } SHA1_CTX; void SHA1Transform(uint32_t *, const uint8_t *); void SHA1Init(void *ctx); void SHA1Update(void *, const uint8_t *data, unsigned int len); void SHA1Final(uint8_t *out, void* ctx); uint32_t rol(uint32_t value, uint32_t bits); #endif /* _LRAD_SHA1_H */