Re: MS-CHAPv1 does not encrypt MPPE keys

[Martin Gadbois]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

3APA3A wrote:
| Dear Martin Gadbois,
|
| readdoc/rlm_mschapcarefully.Allyouneed   is   update
| dictionary.microsoft.

I see.
Sorry if I jumped the guns.

Ref:
- --- dictionary.microsoft	Wed Jul  3 14:25:18 2002
+++ mg.raddb/dictionary.microsoft	Mon Dec  2 16:20:29 2002
@@ -21,7 +21,7 @@
~ ATTRIBUTE	MS-RAS-Vendor		9	integer	# content is Vendor-ID
~ ATTRIBUTE	MS-CHAP-Domain		10	string
~ ATTRIBUTE	MS-CHAP-Challenge	11	octets
- -ATTRIBUTE	MS-CHAP-MPPE-Keys	12	octets
+ATTRIBUTE	MS-CHAP-MPPE-Keys	12	octets  encrypt=1
~ ATTRIBUTE	MS-BAP-Usage		13	integer
~ ATTRIBUTE	MS-Link-Utilization-Threshold 14 integer # values are 1-100
~ ATTRIBUTE	MS-Link-Drop-Time-Limit	15	integer


Thanks!

- --
==
Martin Gadbois
S/W Developper
Colubris Networks Inc.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAj33WwAACgkQ9Y3/iTTCEDlsrgCfVHLr7AWFJh5zEd1esrSeGI65
aR0AoMAHihy+CRmbOQAdnTfMXYeIrPDw
=9xyH
-END PGP SIGNATURE-


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MS-CHAPv1 does not encrypt MPPE keys

[3APA3A]

Dear Martin Gadbois,

readdoc/rlm_mschapcarefully.Allyouneed   is   update
dictionary.microsoft.

--Tuesday, December 10, 2002, 11:46:51 PM, you wrote to 
[EMAIL PROTECTED]:

MG> -BEGIN PGP SIGNED MESSAGE-
MG> Hash: SHA1

MG> Hello all,

MG> I found that freeradius-0.8 does not encrypt the MS-CHAPv1 MPPE keys as specified 
by RFC 2548 sec.
MG> 2.4.1.
MG> In fact, that code was commented out.

MG> Here is the patch:

MG> - --- freeradius-0.8/src/modules/rlm_mschap/rlm_mschap.cWed Oct  2 
10:37:08 2002
MG> +++ freeradius-0.8-modif/src/modules/rlm_mschap/rlm_mschap.cTue Dec 10 
15:40:33 2002
MG> @@ -860,6 +860,7 @@
MG> ~   /* now create MPPE attributes */
MG> ~   if (inst->use_mppe) {
MG> ~   if (chap == 1){
MG> +   int len;
MG> ~   DEBUG2("rlm_mschap: adding MS-CHAPv1 MPPE 
keys");
MG> ~   memset (mppe_sendkey, 0, 32);
MG> ~   if (smbPasswd.smb_passwd)
MG> @@ -875,10 +876,10 @@
MG> ~   memcpy 
(mppe_sendkey+8,smbPasswd.smb_nt_passwd,16);
MG> ~   */
MG> ~   md4_calc(mppe_sendkey+8, 
smbPasswd.smb_nt_passwd,16);
MG> - -/*
MG> +
MG> ~   rad_pwencode(mppe_sendkey, &len,
MG> ~request->secret, 
request->packet->vector);
MG> - -*/
MG> +
MG> ~   mppe_add_reply( &request->reply->vps,
MG> ~   
"MS-CHAP-MPPE-Keys",mppe_sendkey,32);
MG> ~   }

MG> Sorry if this is a repeat.

MG> That code works well with Win2K Professional.


MG> - --
MG> ==
MG> Martin Gadbois
MG> S/W Developper
MG> Colubris Networks Inc.

MG> PS: I do not subscribe to this list...

MG> -BEGIN PGP SIGNATURE-
MG> Version: GnuPG v1.0.4 (GNU/Linux)
MG> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

MG> iEYEARECAAYFAj32UroACgkQ9Y3/iTTCEDkmqACfdt7uSiZSR6Gjn0sN1rv4Lk7T
MG> pSsAn0rw55GXyAnAU8TmYK/M1k59SwrP
MG> =n1iW
MG> -END PGP SIGNATURE-


MG> - 
MG> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
~/ZARAZA
Ïîêà âû âî âëàñòè ïðîâèäåíèÿ, âàì íå óäàñòñÿ óìåðåòü ðàíüøå ñðîêà. (Òâåí)


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MS-CHAPv1 does not encrypt MPPE keys

[Lars Viklund]

On Tue, 2002-12-10 at 21:46, Martin Gadbois wrote:
> I found that freeradius-0.8 does not encrypt the MS-CHAPv1 MPPE keys as specified by 
>RFC 2548 sec.
> 2.4.1.
> In fact, that code was commented out.

If you read the CVS log you will notice that this is becuase the
encryption now is handled in radius.c.

If your FreeRADIUS installation doesn't encrypt the MS-CHAP-MPPE-Keys
attribute this is probably because you have an old version of
dictionary.microsoft installed.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html