On Thu, May 27, 2004 at 05:03:26PM -0400, Alan DeKok wrote:
> You can then run it on two machines, use 'grep' to pull out the
> MSCHAP lines from the debug log, and then use 'diff' to see where they
> differ. This will let you track down where the problem occurs.
I've traced the bug down to SHA1 code which isn't clean - long type on
Alpha is 64bit. I've rewritten SHA1.c using some of CryptoAPI code, and
tested it with test vectors, as well as PEAP - and all is working now
[0.9.3 for sure, probably CVS versions too].
...
auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 0
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Login OK: [aland] (from client imu port 0)
Sending Access-Accept of id 242 to 127.0.0.1:32773
MS-CHAP2-Success =
0x3c533d46453337433833344237434339443235463133393233463835354532443335454645343145463042
MS-MPPE-Recv-Key = 0xacd95e31614594ec0c5a1f5f83989c42
MS-MPPE-Send-Key = 0xf52670d2b05a5321de830fa386a034b7
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
...
I'm attaching new sha1.c and sha1.h, which should be working on both little and
bigendian machines, etc. If sha1.c is compiled with -DTEST, it will check
itself with standard three test vectors.
--
| |--.----.-----. Dinko 'kreator' Korunic #include <stddisclaimer.h>
| <| _| -__| http://www.srce.hr/~kreator/ | http://kre.deviantart.com
|__|__|__| |_____| PGP:0xEA160D0B | IRC:kre | ICQ:16965294 | AIM:kreatorMoo
/* SHA1 Secure Hash Algorithm.
*
* Derived from cryptoapi implementation, adapted for in-place
* scatterlist interface. Originally based on the public domain
* implementation written by Steve Reid.
*
* Copyright (c) Alan Smithee.
* Copyright (c) Andrew McDonald <[EMAIL PROTECTED]>
* Copyright (c) Jean-Francois Dive <[EMAIL PROTECTED]>
*
* Modified for FreeRADIUS (c) Dinko Korunic <[EMAIL PROTECTED]>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation; either version 2 of the License, or (at your option)
* any later version.
*
* Version: $Id$
*/
#include "sha1.h"
inline uint32_t rol(uint32_t value, uint32_t bits)
{
return (((value) << (bits)) | ((value) >> (32 - (bits))));
}
/* blk0() and blk() perform the initial expand. */
/* I got the idea of expanding during the round function from SSLeay */
# define blk0(i) block32[i]
#define blk(i) (block32[i&15] = rol(block32[(i+13)&15]^block32[(i+8)&15] \
^block32[(i+2)&15]^block32[i&15],1))
/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5); \
w=rol(w,30);
#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5); \
w=rol(w,30);
#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5); \
w=rol(w,30);
#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
/* Hash a single 512-bit block. This is the core of the algorithm. */
void SHA1Transform(uint32_t *state, const uint8_t *in)
{
uint32_t a, b, c, d, e;
uint32_t block32[16];
/* convert/copy data to workspace */
for (a = 0; a < sizeof(block32)/sizeof(uint32_t); a++)
block32[a] = ntohl (((const uint32_t *)in)[a]);
/* Copy context->state[] to working vars */
a = state[0];
b = state[1];
c = state[2];
d = state[3];
e = state[4];
/* 4 rounds of 20 operations each. Loop unrolled. */
R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
/* Add the working vars back into context.state[] */
state[0] += a;
state[1] += b;
state[2] += c;
state[3] += d;
state[4] += e;
/* Wipe variables */
a = b = c = d = e = 0;
memset (block32, 0x00, sizeof block32);
}
void SHA1Init(void *ctx)
{
SHA1_CTX *sctx = ctx;
static const SHA1_CTX initstate = {
0,
{ 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 },
{ 0, }
};
*sctx = initstate;
}
void SHA1Update(void *ctx, const uint8_t *data, unsigned int len)
{
SHA1_CTX *sctx = ctx;
unsigned int i, j;
j = (sctx->count >> 3) & 0x3f;
sctx->count += len << 3;
if ((j + len) > 63) {
memcpy(&sctx->buffer[j], data, (i = 64-j));
SHA1Transform(sctx->state, sctx->buffer);
for ( ; i + 63 < len; i += 64) {
SHA1Transform(sctx->state, &data[i]);
}
j = 0;
}
else i = 0;
memcpy(&sctx->buffer[j], &data[i], len - i);
}
/* Add padding and return the message digest. */
void SHA1Final(uint8_t *out, void* ctx)
{
SHA1_CTX *sctx = ctx;
uint32_t i, j, idex, padlen;
uint64_t t;
uint8_t bits[8] = { 0, };
static const uint8_t padding[64] = { 0x80, };
t = sctx->count;
bits[7] = 0xff & t; t>>=8;
bits[6] = 0xff & t; t>>=8;
bits[5] = 0xff & t; t>>=8;
bits[4] = 0xff & t; t>>=8;
bits[3] = 0xff & t; t>>=8;
bits[2] = 0xff & t; t>>=8;
bits[1] = 0xff & t; t>>=8;
bits[0] = 0xff & t;
/* Pad out to 56 mod 64 */
idex = (sctx->count >> 3) & 0x3f;
padlen = (idex < 56) ? (56 - idex) : ((64+56) - idex);
SHA1Update(sctx, padding, padlen);
/* Append length */
SHA1Update(sctx, bits, sizeof bits);
/* Store state in digest */
for (i = j = 0; i < 5; i++, j += 4) {
uint32_t t2 = sctx->state[i];
out[j+3] = t2 & 0xff; t2>>=8;
out[j+2] = t2 & 0xff; t2>>=8;
out[j+1] = t2 & 0xff; t2>>=8;
out[j ] = t2 & 0xff;
}
/* Wipe context */
memset(sctx, 0, sizeof *sctx);
}
#ifdef TEST
int main()
{
/* test vectors from FIPS PUB 180, "Secure Hash Standard", 1993. */
unsigned char digest[20];
unsigned char message[3] = {'a', 'b', 'c' };
unsigned char *mess56 =
"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
/* correct hashes */
char *dig1 = "A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D";
char *dig2 = "84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1";
char *dig3 = "34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F";
SHA1_CTX sha;
int i;
unsigned char big[1000];
/* process first vector */
SHA1Init(&sha);
SHA1Update(&sha, message, 3);
SHA1Final(digest, &sha);
for (i = 0; i < 20; i++)
{
if ((i % 4) == 0) printf(" ");
printf("%02x", digest[i]);
}
printf("\n");
printf(" %s <= correct\n", dig1);
/* process second vector */
SHA1Init(&sha);
SHA1Update(&sha, mess56, 56);
SHA1Final(digest, &sha);
for (i = 0; i < 20; i++)
{
if ((i % 4) == 0) printf(" ");
printf("%02x", digest[i]);
}
printf("\n");
printf(" %s <= correct\n", dig2);
/* process second vector */
/* Fill up big array */
for (i = 0; i < 1000; i++)
big[i] = 'a';
SHA1Init(&sha);
/* Digest 1 million x 'a' */
for (i = 0; i < 1000; i++)
SHA1Update(&sha, big, 1000);
SHA1Final(digest, &sha);
for (i = 0; i < 20; i++)
{
if ((i % 4) == 0) printf(" ");
printf("%02x", digest[i]);
}
printf("\n");
printf(" %s <= correct\n", dig3);
return 0;
}
#endif
#ifndef _LRAD_SHA1_H
#define _LRAD_SHA1_H
/* SHA1 Secure Hash Algorithm.
*
* Derived from cryptoapi implementation, adapted for in-place
* scatterlist interface. Originally based on the public domain
* implementation written by Steve Reid.
*
* Copyright (c) Alan Smithee.
* Copyright (c) Andrew McDonald <[EMAIL PROTECTED]>
* Copyright (c) Jean-Francois Dive <[EMAIL PROTECTED]>
*
* Modified for FreeRADIUS (c) Dinko Korunic <[EMAIL PROTECTED]>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation; either version 2 of the License, or (at your option)
* any later version.
*
* Version: $Id$
*/
#include "autoconf.h"
#include <string.h>
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_STDINT_H
#include <stdint.h>
#endif
/*
* FreeRADIUS defines to ensure globally unique SHA1 function names,
* so that we don't pick up vendor-specific broken SHA1 libraries.
*/
#define SHA1_CTX librad_SHA1_CTX
#define SHA1Transform librad_SHA1Transform
#define SHA1Init librad_SHA1Init
#define SHA1Update librad_SHA1Update
#define SHA1Final librad_SHA1Final
typedef struct {
uint64_t count;
uint32_t state[5];
uint8_t buffer[64];
} SHA1_CTX;
void SHA1Transform(uint32_t *, const uint8_t *);
void SHA1Init(void *ctx);
void SHA1Update(void *, const uint8_t *data, unsigned int len);
void SHA1Final(uint8_t *out, void* ctx);
uint32_t rol(uint32_t value, uint32_t bits);
#endif /* _LRAD_SHA1_H */
