From jylefort@twist.frontis.net  Sat Jul  6 06:00:09 2002
Message-Id: <20020706125959.153CF2305E@jsite.lefort.net>
Date: Sat,  6 Jul 2002 14:59:59 +0200 (CEST)
From: Jean-Yves Lefort <jylefort@brutele.be>
Reply-To: Jean-Yves Lefort <jylefort@brutele.be>
To: FreeBSD-gnats-submit@freebsd.org
Subject: telnet SRA sometimes fails at authentificating
X-Send-Pr-Version: 3.113

>Number:         40266
>Category:       bin
>Synopsis:       telnet SRA sometimes fails at authentificating
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 06 06:10:02 PDT 2002
>Closed-Date:    Wed Aug 21 23:21:25 PDT 2002
>Last-Modified:  Wed Aug 21 23:21:25 PDT 2002
>Originator:     Jean-Yves Lefort
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
>Environment:
System: FreeBSD jsite.lefort.net 4.6-STABLE FreeBSD 4.6-STABLE #0: Tue Jul 2 23:49:16 CEST 2002 jylefort@jsite.lefort.net:/usr/obj/usr/src/sys/JSITE i386


	
>Description:
	The telnet SRA authentication mechanism sometimes refuses a _valid_
password. If it refuses it one time, then the rest of the login session will
give the same results: the valid password will be refused.

	Sometimes, the string "[ SRA accepts you ]" is displayed, but the login
prompt appears again, disallowing any login.

	I have used FreeBSD since 4.4-RELEASE, and this bug has never changed so far.

>How-To-Repeat:
	Set up a telnetd on a FreeBSD box, and try to connect to it from
another one. Try until you experience the bug (it shouldn't be long, the
occurrence rate of the bug is quite high).

>Fix:
	None known.
>Release-Note:
>Audit-Trail:

From: "Andrew L. Neporada" <andr@dgap.mipt.ru>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: bin/40266 telnet SRA sometimes fails at authentificating
Date: Thu, 22 Aug 2002 08:35:42 +0400

 It took me some time to find out why our telnetd rejects the right password
 with probability (1 - 1/256)^(strlen(login) + strlen(password)) ;-)
 
 The fix is quite simple, though:
 
 Index: crypto/telnet/libtelnet/pk.c
 ===================================================================
 RCS file: /home/ncvs/src/crypto/telnet/libtelnet/pk.c,v
 retrieving revision 1.9
 diff -u -r1.9 pk.c
 --- crypto/telnet/libtelnet/pk.c	30 Nov 2001 21:06:34 -0000	1.9
 +++ crypto/telnet/libtelnet/pk.c	22 Aug 2002 02:59:23 -0000
 @@ -251,7 +251,7 @@
  	for (l=0,op=0;l<strlen(in)/2;l++,op+=2) {
  		if(in[op] == '0' && in[op+1] == '0') {
  			buf[l] = '\0';
 -			break;
 +			continue;
  		}
  		if (in[op] > '9')
  			n1 = in[op] - 'A' + 10;
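
Review bot: the `'0'`/`'0'` special case at the top of the loop needs either a comment or removal now that it no longer ends decoding. With `continue`, a "00" pair is treated as an ordinary zero byte of the hex-encoded data rather than an end marker; a one-line comment above the `if` saying so would stop someone from "restoring" the `break` later. If the general path that begins at `if (in[op] > '9')` already turns "00" into a zero byte (the rest of it is outside this hunk), the branch is redundant and can be dropped entirely. Separately, the loop condition re-evaluates `strlen(in)` on every pass, and the visible conversion `in[op] - 'A' + 10` assumes uppercase hex digits with no validation; both are worth tidying while this function is open.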
 
 
 P.S. The attached test program will help you to observe the bug. Save it in /tmp
      then run the following commands
 
      cd /tmp
      cp /usr/src/crypto/telnet/libtelnet/pk.c .
      cp /usr/src/crypto/telnet/libtelnet/pk.h .
      cc -c pk.c
      cc -c test_pk.c
      cc -o tpk test_pk.o pk.o -lmp -lcrypto
      ./tpk
      ....
 
 ----- begin test_pk.c -----
 #include <stdio.h>
 #include <stdlib.h>	/* malloc() */
 #include <string.h>
 #include "pk.h"
 
 int
 main(void)
 {
 	char		*user, *xuser, *pass, *xpass;
 	char		pka[HEXKEYBYTES + 1], ska[HEXKEYBYTES + 1];
 	char		pkb[HEXKEYBYTES + 1], skb[HEXKEYBYTES + 1];
 	DesData		cl_ck, ser_ck;
 	IdeaData	cl_ik, ser_ik;
 	int		i;
 
 	user = (char *)malloc(256);
 	pass = (char *)malloc(256);
 	xuser = (char *)malloc(513);
 	xpass = (char *)malloc(513);
 
 	if (user == NULL || pass == NULL || xuser == NULL || xpass == NULL) {
 		fprintf(stderr, "malloc failed\n");
 		return (1);
 	}
 	for (i = 0; i < 1000; i++) {
 		genkeys(pka, ska);
 		genkeys(pkb, skb);
 		common_key(ska, pkb, &cl_ik, &cl_ck);
 		common_key(skb, pka, &ser_ik, &ser_ck);
 
 		memset(user, 0, 256);
 		memset(pass, 0, 256);
 		memset(xuser, 0, 513);
 		memset(xpass, 0, 513);
 
 		strcpy(user, "test1234");
 		strcpy(pass, "qwerty12");
 
 		printf("Encrypting...\n");
 		pk_encode(user, xuser, &cl_ck);
 		pk_encode(pass, xpass, &cl_ck);
 		printf("%s -> %s\n", user, xuser);
 		printf("%s -> %s\n", pass, xpass);
 
 		printf("Decrypting...\n");
 		memset(user, 0, 256);
 		memset(pass, 0, 256);
 		pk_decode(xuser, user, &ser_ck);
 		pk_decode(xpass, pass, &ser_ck);
 		printf("%s -> %s\n", xuser, user);
 		printf("%s -> %s\n", xpass, pass);
 
 		if (strcmp("test1234", user) || strcmp("qwerty12", pass)) {
 			printf("bang!\n");
 			break;
 		}
 	}
 	return(0);
 }
 ----- end test_pk.c -----
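
The failure mode the patch addresses, as an added example (not code from pk.c or from this PR): a stand-alone model of the hex-decoding loop in the hunk, run over constructed 8-byte blocks with the old `break` and with the committed `continue`. The names `hexval`, `hex_decode`, `roundtrip_ok` and `count_failures`, the block size and the pseudo-random input are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

#define BLK 8  /* block size assumed for this demo, not taken from pk.c */
static int hexval(char c) { return c > '9' ? c - 'A' + 10 : c - '0'; }

/* Stand-in for the loop in the hunk: stop_on_zero=1 is the old `break`,
 * stop_on_zero=0 the committed `continue`. Expects uppercase hex. */
static void hex_decode(const char *in, unsigned char *buf, int stop_on_zero) {
    size_t l, op, n = strlen(in) / 2;
    for (l = 0, op = 0; l < n; l++, op += 2) {
        if (in[op] == '0' && in[op + 1] == '0') {
            buf[l] = '\0';
            if (stop_on_zero)
                break;      /* every byte after the first 0x00 is lost */
            continue;
        }
        buf[l] = (unsigned char)(hexval(in[op]) * 16 + hexval(in[op + 1]));
    }
}

/* Hex-encode one block, decode it again, report whether it survived. */
static int roundtrip_ok(const unsigned char *ct, int stop_on_zero) {
    char hex[2 * BLK + 1];
    unsigned char out[BLK] = {0};
    for (int i = 0; i < BLK; i++)
        sprintf(hex + 2 * i, "%02X", ct[i]);
    hex_decode(hex, out, stop_on_zero);
    return memcmp(ct, out, BLK) == 0;
}

/* Count failed round trips over pseudo-random blocks (constructed input). */
static int count_failures(int trials, int stop_on_zero) {
    unsigned long s = 40266;    /* fixed seed so runs are repeatable */
    unsigned char ct[BLK];
    int bad = 0;
    for (int t = 0; t < trials; t++) {
        for (int i = 0; i < BLK; i++)
            ct[i] = (unsigned char)((s = s * 1103515245UL + 12345UL) >> 16);
        bad += !roundtrip_ok(ct, stop_on_zero);
    }
    return bad;
}

int main(void) {
    printf("break: %d bad, continue: %d bad (of 10000 blocks)\n",
           count_failures(10000, 1), count_failures(10000, 0));
    return 0;
}
```

A block whose only zero byte is its last one still round-trips under `break` here, but only because this demo zeroes the output buffer first.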
 
State-Changed-From-To: open->closed 
State-Changed-By: nsayer 
State-Changed-When: Wed Aug 21 23:19:27 PDT 2002 
State-Changed-Why:  
Bravo zulu! Excellent find! Committed, thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=40266 
>Unformatted:
