Bugtraq mailing list archives

Re: More problems with RADIUS (protocol and implementations)


From: Miquel van Smoorenburg <miquels () cistron nl>
Date: Tue, 13 Nov 2001 16:53:28 +0100

According to 3APA3A:
2. RFC 2865 requires unpredictability of the authenticator value in the
Authentication Request packet. Many RADIUS servers and client library
implementations do not follow it. Many of them have code like
srand(time(0) + getpid()) (or even srand(time(0))) + rand(). As you know,
the number of rand() states is very limited and it's easy to predict the
state of the PRNG. It opens the possibility to spoof a NAS Authentication Request.
For example Cistron RADIUS has this flaw in the proxy module. Many RADIUS
client libraries also have this flaw.

In the 1.6.5 snapshot of Cistron Radius, soon to be the real 1.6.5,
this has been fixed for Linux by using /dev/urandom to seed the
random generator.

3. Most of the current freeware RADIUS server implementations (and some of the
commercial ones) are derived from Cistron. And most of them (including
Cistron itself) have a buffer overflow in the digest calculation (in the case of
Cistron itself it's a static data overflow in the calc_acctdigest() function).

Also fixed in the 1.6.5 snapshot. That is the snapshot of tonight ;)

Mike.
-- 
"Only two things are infinite, the universe and human stupidity,
 and I'm not sure about the former" -- Albert Einstein.
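As an added illustration (not Cistron's code, and not from either poster): the srand(time(0) + getpid()) pattern the post describes beside the /dev/urandom-based generation the 1.6.5 snapshot moved to, assuming a plain POSIX environment. The function names are made up for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define RADIUS_AUTH_LEN 16 /* Request Authenticator size, RFC 2865 */

/* The pattern the post criticises: rand() seeded from time and pid, so the
 * 16 bytes are a deterministic function of (t, pid). Shown for contrast. */
void weak_authenticator(uint8_t out[RADIUS_AUTH_LEN], time_t t, pid_t pid)
{
    srand((unsigned)(t + pid));
    for (int i = 0; i < RADIUS_AUTH_LEN; i++)
        out[i] = (uint8_t)(rand() & 0xff);
}

/* The fix the post mentions: all 16 bytes from /dev/urandom, handling short
 * reads and EINTR. Returns 0 on success, -1 on failure; on failure the
 * caller must abort the request rather than fall back to rand(). */
int strong_authenticator(uint8_t out[RADIUS_AUTH_LEN])
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < RADIUS_AUTH_LEN) {
        ssize_t n = read(fd, out + got, RADIUS_AUTH_LEN - got);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0) {
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* 1 if two weak authenticators from the same (t, pid) are identical. */
int weak_is_reproducible(time_t t, pid_t pid)
{
    uint8_t a[RADIUS_AUTH_LEN], b[RADIUS_AUTH_LEN];
    weak_authenticator(a, t, pid);
    weak_authenticator(b, t, pid);
    return memcmp(a, b, RADIUS_AUTH_LEN) == 0;
}
```

The reproducibility check is what makes the RFC 2865 requirement concrete: any peer that can guess the second and pid gets the same 16 bytes, whereas the /dev/urandom path gives no such handle.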

