From nobody@FreeBSD.org  Wed Nov  1 16:12:58 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F3B2E16A403
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  1 Nov 2006 16:12:57 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 854DE43D62
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  1 Nov 2006 16:11:41 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id kA1GBesr086736
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 1 Nov 2006 16:11:40 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id kA1GBeAH086735;
	Wed, 1 Nov 2006 16:11:40 GMT
	(envelope-from nobody)
Message-Id: <200611011611.kA1GBeAH086735@www.freebsd.org>
Date: Wed, 1 Nov 2006 16:11:40 GMT
From: David Wood <david@wood2.org.uk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [maintainer-update] Remove unnecessary patch files/patch-ab from net/freeradius
X-Send-Pr-Version: www-3.0

>Number:         105025
>Category:       ports
>Synopsis:       [maintainer-update] Remove unnecessary patch files/patch-ab from net/freeradius
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    alepulver
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 01 16:20:11 GMT 2006
>Closed-Date:    Tue Nov 07 02:52:00 GMT 2006
>Last-Modified:  Tue Nov  7 03:00:38 GMT 2006
>Originator:     David Wood
>Release:        FreeBSD 6.1-RELEASE-p10 i386
>Organization:
>Environment:
FreeBSD titanium.wood2.org.uk 6.1-RELEASE-p10 FreeBSD 6.1-RELEASE-p10 #0: Fri Oct  6 10:56:46 BST 2006     david@titanium.wood2.org.uk:/usr/obj/usr/src/sys/TITANIUM  i386
>Description:
The functionality previously forced by files/patch-ab is now available using the FreeRADIUS with_ntdomain_hack = yes configuration option within mschap { }. files/patch-ab is therefore being removed. /usr/ports/UPDATED needs to carry a warning about the change in functionality, though it is expected to affect only a minority of users.

This change makes rlm-mschap behave the same on FreeBSD as on other platforms. This should help make FreeRADIUS configurations more portable between FreeBSD and other platforms. Without this change, it's possible for a FreeRADIUS configuration to work on FreeBSD but not on other platforms, where failures within MS-CHAP will be observed.
Background:

files/patch-ab was required to force RFC 2759 compliance in historic versions of FreeRADIUS. FreeRADIUS itself now provides the necessary functionality, which is enabled using with_ntdomain_hack = yes inside the mschap { } section of the FreeRADIUS configuration.
RFC 2759, the specification for MS-CHAPv2, requires the calculation of the NT-Response field relating to an MS-CHAPv2 Response to use only the user name, without any prepended domain name (see RFC 2759 paragraphs 4 and 8.2). 

RFC 2759 paragraph 4 states "When computing the NT-Response field contents, only the user name is used, without any associated Windows NT domain name." Later, it states, "The Windows NT domain name may prefix the user's account name".

RFC 2759 paragraph 8.2 amplifies this by stating, in connection to the challenge_hash() function that files/patch-ab patches (which is the implementation of RFC 2759's ChallengeHash) "Only the user name (as presented by the peer and excluding any prepended domain name) is used as input to SHAUpdate()."
>How-To-Repeat:

>Fix:
See attached patch. 
Note: files/patch-ab should be removed


Please add the following warning to /usr/ports/UPDATED:

AFFECTS: Users of net/freeradius
AUTHOR: David Wood <david@wood2.org.uk>

FreeBSD used to patch FreeRADIUS's rlm_mschap.c to strip all domain names when calculating the hash of an MS-CHAP challenge (a requirement specified in RFC 2759 paragraph 4 and amplified in paragraph 8.2).

FreeRADIUS now offers its own solution to discard a domain name before hashing in the MS-CHAP code, which can be enabled via a configuration option. As there is no longer any need for the FreeBSD patch, it has been removed, leaving the MS-CHAP code behaving as supplied by the FreeRADIUS team.

If the previous behaviour of the MS-CHAP code is required, add:
with_ntdomain_hack = yes
to the mschap { } section of your FreeRADIUS configuration. There should be a commented-out line that can be modified around line 696 of /usr/local/etc/raddb/radiusd.conf if your configuration is based on the sample FreeRADIUS configuration.

This option is not set by default in the sample FreeRADIUS configuration.
Only those who have clients sending a domain name as part of the user name when using MS-CHAP will be affected by this change; they will need to set this option to allow FreeRADIUS to authenticate their clients successfully. This may only affect those with older Windows clients, but I cannot be sure.

Some sources suggest setting this configuration option anyway to prevent FreeRADIUS from breaching RFC 2759 inadvertently, leading to authentication failure. It is left to the user whether to set this configuration option anyway, or only to set it in the event of authentication failures stemming from MS-CHAP.

Debug output from radiusd that reads "rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?" suggests that this configuration option should be enabled.

Patch attached with submission follows:

diff -ruN /usr/ports/net/freeradius/Makefile /usr/ports_updated/net/freeradius/Makefile
--- /usr/ports/net/freeradius/Makefile	Wed Nov  1 10:21:17 2006
+++ /usr/ports_updated/net/freeradius/Makefile	Wed Nov  1 12:48:00 2006
@@ -7,6 +7,7 @@
 
 PORTNAME=	freeradius
 PORTVERSION=	1.1.3
+PORTREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	ftp://ftp.freeradius.org/pub/radius/ \
 		ftp://ftp.ntua.gr/pub/net/radius/freeradius/ \
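Review bot: the PORTREVISION bump at `+PORTREVISION=	1` is correct and necessary, since dropping files/patch-ab changes the built rlm_mschap module without a PORTVERSION change and package users would otherwise never pick up the new behaviour. The UPDATING entry the PR text asks for is not part of this hunk, so the committer has to add it by hand from the wording in the PR body.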
diff -ruN /usr/ports/net/freeradius/files/patch-ab /usr/ports_updated/net/freeradius/files/patch-ab
--- /usr/ports/net/freeradius/files/patch-ab	Sun Aug 29 03:18:42 2004
+++ /usr/ports_updated/net/freeradius/files/patch-ab	Thu Jan  1 01:00:00 1970
@@ -1,19 +0,0 @@
---- src/modules/rlm_mschap/rlm_mschap.c.orig	Thu Aug 19 10:20:28 2004
-+++ src/modules/rlm_mschap/rlm_mschap.c	Thu Aug 19 10:21:16 2004
-@@ -220,10 +220,15 @@
- 	SHA1_CTX Context;
- 	char hash[20];
- 
-+	const char *name;
-+
-+	name = strchr(user_name, '\\');
-+	name = name == NULL ? user_name : name + 1;
-+
- 	SHA1Init(&Context);
- 	SHA1Update(&Context, peer_challenge, 16);
- 	SHA1Update(&Context, auth_challenge, 16);
--	SHA1Update(&Context, user_name, strlen(user_name));
-+	SHA1Update(&Context, name, strlen(name));
- 	SHA1Final(hash, &Context);
- 	memcpy(challenge, hash, 8);
- }
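Review bot: the deleted hunk unconditionally stripped everything up to and including the first backslash (`name = strchr(user_name, '\\');` / `name = name == NULL ? user_name : name + 1;`) before the SHA1Update() of the user name, so every FreeBSD build silently diverged from upstream with no way to turn it off. Removing it is the right fix, but the resulting behaviour change is not opt-in anywhere in this diff: sites whose clients send DOMAIN\user will see MS-CHAP authentication failures until they set with_ntdomain_hack = yes, so the commit must land together with the UPDATING note and the note should quote the radiusd debug message the PR mentions so operators can recognise the symptom.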

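The ChallengeHash step that files/patch-ab altered, as an added example written for this page (not code from FreeRADIUS or from the PR): it implements RFC 2759 section 8.2 ChallengeHash with hashlib and shows that a domain-prefixed user name yields a different 8-byte challenge than the bare name unless the prefix is stripped, which is what the old patch forced and what with_ntdomain_hack = yes now does. The 16-byte challenge values are constructed, and the user name is assumed to be ASCII.

```python
import hashlib

# Constructed sample challenges (16 bytes each, the RFC 2759 sizes); not real traffic.
PEER_CHALLENGE = bytes(range(0x10, 0x20))
AUTH_CHALLENGE = bytes(range(0xA0, 0xB0))


def strip_nt_domain(user_name: str) -> str:
    """Mimic the removed files/patch-ab logic (and with_ntdomain_hack = yes):
    drop everything up to and including the first backslash."""
    sep = user_name.find("\\")
    return user_name if sep < 0 else user_name[sep + 1:]


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                   user_name: str, ntdomain_hack: bool) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: the first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    With ntdomain_hack=False the name is hashed exactly as presented,
    which is the upstream FreeRADIUS behaviour the port now inherits."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("challenges must be 16 bytes")
    name = strip_nt_domain(user_name) if ntdomain_hack else user_name
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(name.encode("ascii"))  # assumption: ASCII user name
    return h.digest()[:8]


def domain_delimiter_present(user_name: str) -> bool:
    """The condition behind the radiusd debug line quoted in the PR
    (a backslash in the user name means a domain prefix is present)."""
    return "\\" in user_name


def demo() -> dict:
    """Compare the challenge a peer computes from the bare name (per the RFC)
    with what the server computes with and without the domain hack."""
    peer_side = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, "alice", False)
    server_hack = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, "EXAMPLE\\alice", True)
    server_nohack = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, "EXAMPLE\\alice", False)
    return {"match_with_hack": peer_side == server_hack,
            "match_without_hack": peer_side == server_nohack}
```

A mismatch in the second case is exactly the MS-CHAP failure the PR describes, since the NT-Response derived from the challenge will no longer verify.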
>Release-Note:
>Audit-Trail:

From: David Wood <david@wood2.org.uk>
To: bug-followup@FreeBSD.org, david@wood2.org.uk
Cc:  
Subject: Re: ports/105025: [maintainer-update] Remove unnecessary patch files/patch-ab from net/freeradius
Date: Wed, 1 Nov 2006 16:34:53 +0000

 Let's have another crack at formatting the proposed wording for 
 /usr/ports/UPDATED - it looks pretty ugly in the web version of the PR:
 
 Please add the following warning to /usr/ports/UPDATED:
 
 AFFECTS: Users of net/freeradius
 AUTHOR: David Wood <david@wood2.org.uk>
 
 FreeBSD used to patch FreeRADIUS's rlm_mschap.c to strip all domain names when calculating the hash of an MS-CHAP challenge (a requirement
 specified in RFC 2759 paragraph 4 and amplified in paragraph 8.2). FreeRADIUS now offers its own solution to discard a domain name before hashing
 in the MS-CHAP code, which can be enabled via a configuration option. As there is no longer any need for the FreeBSD patch, it has been removed,
 leaving the MS-CHAP code behaving as supplied by the FreeRADIUS team.
 
 If the previous behaviour of the MS-CHAP code is required, add:
 with_ntdomain_hack = yes
 to the mschap { } section of your FreeRADIUS configuration. There should be a commented-out line that can be modified around line 696 of /usr/local/etc/raddb/radiusd.conf if your configuration is based on the sample FreeRADIUS configuration.
 
 This option is not set by default in the sample FreeRADIUS configuration. Only those who have clients sending a domain name as part of the user
 name when using MS-CHAP will be affected by this change; they will need to set this option to allow FreeRADIUS to authenticate their clients
 successfully. This may only affect those with older Windows clients, but I cannot be sure.
 
 Some sources suggest setting this configuration option anyway to prevent FreeRADIUS from breaching RFC 2759 inadvertently, leading to
 authentication failure. It is left to the user whether to set this configuration option anyway, or only to set it in the event of authentication failures
 stemming from MS-CHAP.
 
 Debug output from radiusd that reads "rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?" suggests that this
 configuration option should be enabled.
 
 Formatting:
 
 This should be a total of five paragraphs. The paragraph breaks come:
 
 ...FreeRADIUS team.[para]If the previous behaviour ...
 
 ...sample FreeRADIUS configuration.[para]This option is not ...
 
 ...I cannot be sure.[para]Some sources ...
 
 ... stemming from MS-CHAP.[para]Debug output from ...
 
 In the second paragraph, "with_ntdomain_hack = yes" should be on a line 
 by itself.

From: David Wood <david@wood2.org.uk>
To: bug-followup@FreeBSD.org, david@wood2.org.uk
Cc:  
Subject: Re: ports/105025: [maintainer-update] Remove unnecessary patch files/patch-ab from net/freeradius
Date: Thu, 2 Nov 2006 09:20:36 +0000

 When one of the busy committers gets round to having a look at this, and 
 hopefully committing it, can an acknowledgement be added along the lines 
 of:
 
 New maintainer alerted to this issue by private mail from Thomas Vogt 
 <thomas@bsdunix.ch>
 
 It was remiss of me to omit that acknowledgement in the original PR.
 
 
 Thanks.
Responsible-Changed-From-To: freebsd-ports-bugs->alepulver 
Responsible-Changed-By: alepulver 
Responsible-Changed-When: Sun Nov 5 23:13:33 UTC 2006 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=105025 
State-Changed-From-To: open->closed 
State-Changed-By: alepulver 
State-Changed-When: Tue Nov 7 02:51:58 UTC 2006 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=105025 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/105025: commit references a PR
Date: Tue,  7 Nov 2006 02:51:50 +0000 (UTC)

 alepulver    2006-11-07 02:51:44 UTC
 
   FreeBSD ports repository
 
   Modified files:
     .                    UPDATING 
     net/freeradius       Makefile 
   Removed files:
     net/freeradius/files patch-ab 
   Log:
   - Remove patch file: freeradius/files/patch-ab (see UPDATING note).
   - Add note to UPDATING.
   
   PR:             ports/105025
   Submitted by:   David Wood <david@wood2.org.uk> (maintainer)
   
   Revision  Changes    Path
   1.422     +41 -1     ports/UPDATING
   1.51      +1 -0      ports/net/freeradius/Makefile
   1.4       +0 -19     ports/net/freeradius/files/patch-ab (dead)
 
>Unformatted:
