net-dialup/ppp: backport radius mppe fix

Closes: https://bugs.gentoo.org/915686
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Mike Gilbert 2024-03-26 19:01:45 -04:00
parent 69a5fc41a8
commit fb8a1f91bb
No known key found for this signature in database
GPG Key ID: 7E58A298F42F9CCD
2 changed files with 169 additions and 1 deletions


@ -0,0 +1,167 @@
https://github.com/ppp-project/ppp/pull/463
https://bugs.gentoo.org/915686
From 77693b89fed6d4110184789f8e7dfd31710f3190 Mon Sep 17 00:00:00 2001
From: Jaco Kroon <jaco@uls.co.za>
Date: Thu, 23 Nov 2023 14:54:42 +0200
Subject: [PATCH] radius: fix the MPPE key decryption for the second-half of
the key block.
During he refactor in commit 4cb90c1 the key material used to decrypt
the second-half of the encrypted block was accidentally updated from:
MD5(radius_secret + crypt[0..15]); to:
MD5(radius_secret + crypt[0..15] + salt)
Which would obviously mismatch.
This also refactors back into what I believe to be a more readable block
with lower nesting and more comprehensive error reporting.
Closes: #453
Signed-off-by: Jaco Kroon <jaco@uls.co.za>
---
pppd/plugins/radius/radius.c | 115 +++++++++++++++++------------------
1 file changed, 55 insertions(+), 60 deletions(-)
diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c
index c73ca0b53..e99bc7511 100644
--- a/pppd/plugins/radius/radius.c
+++ b/pppd/plugins/radius/radius.c
@@ -897,80 +897,75 @@ radius_setmppekeys2(VALUE_PAIR *vp, REQUEST_INFO *req_info)
memcpy(plain, crypt, 32);
ctx = PPP_MD_CTX_new();
- if (ctx) {
-
- if (PPP_DigestInit(ctx, PPP_md5())) {
-
- if (PPP_DigestUpdate(ctx, req_info->secret, strlen(req_info->secret))) {
-
- if (PPP_DigestUpdate(ctx, req_info->request_vector, AUTH_VECTOR_LEN)) {
-
- if (PPP_DigestUpdate(ctx, salt, 2)) {
-
- buflen = sizeof(buf);
- if (PPP_DigestFinal(ctx, buf, &buflen)) {
-
- status = 1;
- }
- }
- }
- }
- }
-
- PPP_MD_CTX_free(ctx);
+ if (!ctx) {
+ error("RADIUS: Error creating PPP_MD_CTX for MS-MPPE-%s-Key attribute", type);
+ return -1;
}
- if (status) {
-
- for (i = 0; i < 16; i++) {
- plain[i] ^= buf[i];
- }
+ buflen = sizeof(buf);
+ if (!PPP_DigestInit(ctx, PPP_md5())) {
+ error("RADIUS: Error setting hash algorithm to MD5 for MS-MPPE-%s-Key attribute", type);
+ } else if (!PPP_DigestUpdate(ctx, req_info->secret, strlen(req_info->secret))) {
+ error("RADIUS: Error mixing in radius secret for MS-MPPE-%s-Key attribute", type);
+ } else if (!PPP_DigestUpdate(ctx, req_info->request_vector, AUTH_VECTOR_LEN)) {
+ error("RADIUS: Error mixing in request vector for MS-MPPE-%s-Key attribute", type);
+ } else if (!PPP_DigestUpdate(ctx, salt, 2)) {
+ error("RADIUS: Error mixing in salt for MS-MPPE-%s-Key attribute", type);
+ } else if (!PPP_DigestFinal(ctx, buf, &buflen)) {
+ error("RADIUS: Error finalizing key buffer for MS-MPPE-%s-Key attribute", type);
+ } else {
+ status = 1;
+ }
- if (plain[0] != 16) {
- error("RADIUS: Incorrect key length (%d) for MS-MPPE-%s-Key attribute",
- (int) plain[0], type);
- return -1;
- }
+ PPP_MD_CTX_free(ctx);
- status = 0;
- ctx = PPP_MD_CTX_new();
- if (ctx) {
-
- if (PPP_DigestInit(ctx, PPP_md5())) {
+ if (!status)
+ return -1;
- if (PPP_DigestUpdate(ctx, req_info->secret, strlen(req_info->secret))) {
+ for (i = 0; i < 16; i++) {
+ plain[i] ^= buf[i];
+ }
- if (PPP_DigestUpdate(ctx, crypt, 16)) {
+ if (plain[0] != 16) {
+ error("RADIUS: Incorrect key length (%d) for MS-MPPE-%s-Key attribute",
+ (int) plain[0], type);
+ return -1;
+ }
- if (PPP_DigestUpdate(ctx, salt, 2)) {
+ status = 0;
+ ctx = PPP_MD_CTX_new();
+ if (!ctx) {
+ error("RADIUS: Error creating PPP_MD_CTX for MS-MPPE-%s-Key(2) attribute", type);
+ return -1;
+ }
- buflen = sizeof(buf);
- if (PPP_DigestFinal(ctx, buf, &buflen)) {
+ buflen = sizeof(buf);
- status = 1;
- }
- }
- }
- }
- }
+ if (!PPP_DigestInit(ctx, PPP_md5())) {
+ error("RADIUS: Error setting hash algorithm to MD5 for MS-MPPE-%s-Key(2) attribute", type);
+ } else if (!PPP_DigestUpdate(ctx, req_info->secret, strlen(req_info->secret))) {
+ error("RADIUS: Error mixing in radius secret for MS-MPPE-%s-Key(2) attribute", type);
+ } else if (!PPP_DigestUpdate(ctx, crypt, 16)) {
+ error("RADIUS: Error mixing in crypt vector for MS-MPPE-%s-Key(2) attribute", type);
+ } else if (!PPP_DigestFinal(ctx, buf, &buflen)) {
+ error("RADIUS: Error finalizing key buffer for MS-MPPE-%s-Key(2) attribute", type);
+ } else {
+ status = 1;
+ }
- PPP_MD_CTX_free(ctx);
- }
+ PPP_MD_CTX_free(ctx);
- if (status) {
+ if (!status)
+ return -1;
- plain[16] ^= buf[0]; /* only need the first byte */
+ plain[16] ^= buf[0]; /* only need the first byte */
- if (vp->attribute == PW_MS_MPPE_SEND_KEY) {
- mppe_set_keys(plain + 1, NULL, 16);
- } else {
- mppe_set_keys(NULL, plain + 1, 16);
- }
- return 0;
- }
+ if (vp->attribute == PW_MS_MPPE_SEND_KEY) {
+ mppe_set_keys(plain + 1, NULL, 16);
+ } else {
+ mppe_set_keys(NULL, plain + 1, 16);
}
-
- return -1;
+ return 0;
}
#endif /* PPP_WITH_MPPE */
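Review bot: The decrypted key block in `plain` and the MD5 keystream in `buf` are left in memory on every exit from radius_setmppekeys2: the new `return -1` paths after each digest, the `plain[0] != 16` rejection, and the final `return 0` after `mppe_set_keys(...)`. The function starts above the hunk and the declarations are not visible, so this assumes both are local arrays. If they are, clear them before each return with a call the compiler cannot elide, e.g. `explicit_bzero(plain, sizeof(plain)); explicit_bzero(buf, sizeof(buf));`, or the project's own secure-wipe helper if it has one. `buf` needs clearing as much as `plain`, because it is derived from the RADIUS shared secret and, XORed with the on-wire ciphertext, yields the session key.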


@ -37,9 +37,10 @@ PDEPEND="net-dialup/ppp-scripts"
PATCHES=(
"${FILESDIR}"/ppp-2.5.0-passwordfd-read-early.patch
"${FILESDIR}"/ppp-2.5.0-pidfile.patch
"${FILESDIR}"/${P}-radiusclient.conf-parsing.patch
"${FILESDIR}"/ppp-2.5.0-radiusclient.conf-parsing.patch
"${FILESDIR}"/ppp-2.5.0-openssl-pkgconfig.patch
"${FILESDIR}"/ppp-2.5.0-pam-pkgconfig.patch
"${FILESDIR}"/ppp-2.5.0-radius-mppe.patch
)
pkg_setup() {