From 7750ebdb6608566e6f7936f7dfd2d106ac8f289b Mon Sep 17 00:00:00 2001
From: Simon Rozman
Date: Fri, 4 Nov 2016 11:49:01 +0100
Subject: [PATCH] MSCHAPv2 server challenge issue fixed
---
 lib/MSCHAPv2/src/Method.cpp | 20 ++++++++------------
 lib/TTLS/src/Method.cpp | 2 +-
 2 files changed, 9 insertions(+), 13 deletions(-)
diff --git a/lib/MSCHAPv2/src/Method.cpp b/lib/MSCHAPv2/src/Method.cpp
index 76f9d9c..1ea66f5 100644
--- a/lib/MSCHAPv2/src/Method.cpp
+++ b/lib/MSCHAPv2/src/Method.cpp
@@ -169,12 +169,8 @@ void eap::method_mschapv2_base::process_error(_In_ const list &argv)
 }
 } else if ((val[0] == 'C' || val[0] == 'c') && val[1] == '=') {
 hex_dec dec;
- sanitizing_blob resp;
 bool is_last;
- dec.decode(resp, is_last, val.data() + 2, (size_t)-1);
- if (resp.size() != sizeof(m_challenge_server))
- throw invalid_argument(string_printf(__FUNCTION__ " Incorrect MSCHAPv2 challenge length (expected: %uB, received: %uB).", sizeof(m_challenge_server), resp.size()));
- memcpy(&m_challenge_server, resp.data(), sizeof(m_challenge_server));
+ dec.decode(m_challenge_server, is_last, val.data() + 2, (size_t)-1);
 } else if ((val[0] == 'M' || val[0] == 'm') && val[1] == '=') {
 MultiByteToWideChar(CP_UTF8, 0, val.data() + 2, -1, m_cfg.m_last_msg);
 m_module.log_event(&EAPMETHOD_METHOD_FAILURE_ERROR1, event_data((unsigned int)m_cfg.get_method_id()), event_data(m_cfg.m_last_msg), event_data::blank);
@@ -276,9 +272,9 @@ EapPeerMethodResponseAction eap::method_mschapv2::process_request_packet(
 // Prepare CHAP response value.
 sanitizing_blob value;
 value.reserve(
- sizeof(challenge_mschapv2) + // Peer-Challenge
+ sizeof(m_challenge_client) + // Peer-Challenge
 8 + // Reserved
- sizeof(nt_response) + // NT-Response
+ sizeof(m_nt_resp) + // NT-Response
 1); // Flags
 value.insert(value.end(), reinterpret_cast(&m_challenge_client), reinterpret_cast(&m_challenge_client + 1)); // Peer-Challenge
 value.insert(value.end(), 8, 0); // Reserved (must be zero)
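Review bot: In the process_error hunk the server challenge decoded from the `C=` field is no longer length-checked, so `dec.decode(m_challenge_server, is_last, val.data() + 2, (size_t)-1);` stores however many bytes the peer's failure message supplies. The removed comparison used `sizeof(m_challenge_server)`, which looks wrong for a blob member, but the check should be corrected rather than dropped: `if (m_challenge_server.size() != sizeof(challenge_mschapv2)) throw invalid_argument(__FUNCTION__ " Incorrect MSCHAPv2 challenge length.");` right after the decode (assuming `challenge_mschapv2` is the expected size, as the TTLS hunk suggests). The stored length also appears to be what the `diameter_avp_append(11, 311, …)` hunk sends as the MS-CHAP-Challenge AVP size. If `hex_dec::decode` appends to its output rather than replacing it (not visible here), the member needs a `clear()` before the call so a repeated error does not extend the previous challenge. process_error starts and ends outside the hunk.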
@@ -387,9 +383,9 @@ EapPeerMethodResponseAction eap::method_mschapv2_diameter::process_request_packe
 response.reserve(
 1 + // Ident
 1 + // Flags
- sizeof(challenge_mschapv2) + // Peer-Challenge
+ sizeof(m_challenge_client) + // Peer-Challenge
 8 + // Reserved
- sizeof(nt_response)); // NT-Response
+ sizeof(m_nt_resp)); // NT-Response
 response.push_back(m_ident);
 response.push_back(0); // Flags
 response.insert(response.end(), reinterpret_cast(&m_challenge_client), reinterpret_cast(&m_challenge_client + 1)); // Peer-Challenge
@@ -398,9 +394,9 @@ EapPeerMethodResponseAction eap::method_mschapv2_diameter::process_request_packe
 // Diameter AVP (User-Name=1, MS-CHAP-Challenge=11/311, MS-CHAP2-Response=25/311)
 m_packet_res.clear();
- diameter_avp_append( 1, diameter_avp_flag_mandatory, identity_utf8.data(), (unsigned int)identity_utf8.size() , m_packet_res);
- diameter_avp_append(11, 311, diameter_avp_flag_mandatory, reinterpret_cast(&m_challenge_server) , (unsigned int)sizeof(m_challenge_server), m_packet_res);
- diameter_avp_append(25, 311, diameter_avp_flag_mandatory, response.data() , (unsigned int)response.size() , m_packet_res);
+ diameter_avp_append( 1, diameter_avp_flag_mandatory, identity_utf8 .data(), (unsigned int)identity_utf8 .size(), m_packet_res);
+ diameter_avp_append(11, 311, diameter_avp_flag_mandatory, m_challenge_server.data(), (unsigned int)m_challenge_server.size(), m_packet_res);
+ diameter_avp_append(25, 311, diameter_avp_flag_mandatory, response .data(), (unsigned int)response .size(), m_packet_res);
 m_phase = phase_challenge_server;
 m_cfg.m_last_status = config_method::status_cred_invalid; // Blame credentials if we fail beyond this point.
diff --git a/lib/TTLS/src/Method.cpp b/lib/TTLS/src/Method.cpp
index 1642754..104562e 100644
--- a/lib/TTLS/src/Method.cpp
+++ b/lib/TTLS/src/Method.cpp
@@ -606,7 +606,7 @@ EapPeerMethodResponseAction eap::method_ttls::process_request_packet(
 if (FAILED(status))
 throw sec_runtime_error(status, __FUNCTION__ " Error generating PRF in Schannel.");
- memcpy(&inner_mschapv2->m_challenge_server, key_block.rgbKeys, sizeof(challenge_mschapv2));
+ inner_mschapv2->m_challenge_server.assign(key_block.rgbKeys, key_block.rgbKeys + sizeof(challenge_mschapv2));
 inner_mschapv2->m_ident = key_block.rgbKeys[sizeof(challenge_mschapv2) + 0];
 SecureZeroMemory(&key_block, sizeof(key_block));
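Review bot: `SecureZeroMemory(&key_block, sizeof(key_block));` is skipped when the new `m_challenge_server.assign(...)` throws, which the `memcpy` it replaces could not do. If the member is a vector-like blob (the `.assign`/`.data()`/`.size()` calls in this commit suggest so), an allocation failure would unwind with the PRF output still sitting in `key_block`. Wiping in a catch-and-rethrow, or in a scope guard if the project has one, keeps the cleanup on every path; a sketch follows. process_request_packet starts and ends outside the hunk.

```cpp
// … unchanged: PRF generation and the FAILED(status) check …
try {
    inner_mschapv2->m_challenge_server.assign(key_block.rgbKeys, key_block.rgbKeys + sizeof(challenge_mschapv2));
    inner_mschapv2->m_ident = key_block.rgbKeys[sizeof(challenge_mschapv2) + 0];
} catch (...) {
    // Wipe the derived key material before the exception leaves this scope.
    SecureZeroMemory(&key_block, sizeof(key_block));
    throw;
}
SecureZeroMemory(&key_block, sizeof(key_block));
```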