[l2tpns-users] l2tpns security issue

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

Ive noticed, that using the generateload program, that
l2tpns-2.1.9 does not require the challenge / response
in the setup of tunnels, it supports the challenge /
response but there is no way to force it to use the
challenge / response if the tunnel has not challenge.

ie: 

in /etc/l2tpns/startup-config
set l2tp_secret "blah"

generateload can still establish tunnels with out the
"blah" secret set.

below is a patch for generateload.c to make it do
challenges, this is not a patch that fixes l2tpns.
19a20
> #include "md5.h"
206a208
> void controlb(controlt * c, u16 avp, char *val,
unsigned int len, u8 m);
223a226
> void build_chap_response(char *challenge, u8 id, u16
challenge_length, char **challenge_response);
249a253
> char *chapresponse = NULL;
423,424c427,432
<                       controlsend(c, t, 0);
<                       controlfree(c);
---
>                       if (chapresponse != NULL) {
>                               controlb(c, 13,
chapresponse, 16, 1);
>                       }
>                         controlsend(c, t, 0);
>                         controlfree(c);
440a449
>                       control32(c, 15, 13, 0); //
Assigned Session ID
685a695,703
> // add a binary AVP
> void controlb(controlt * c, u16 avp, char *val,
unsigned int len, u8 m)
> {
>         u16 l = ((m ? 0x8000 : 0) + len + 6);
>         *(u16 *) (c->buf + c->length + 0) =
htons(l);
>         *(u16 *) (c->buf + c->length + 2) =
htons(0);         *(u16 *) (c->buf + c->length + 4) =
htons(avp);         memcpy(c->buf + c->length + 6,
val, len);
>         c->length += 6 + len;
> }
>
818a837,841
>                         case 11 :
>                                 printf("\n");
>                                
build_chap_response(a->value, 3, a->length - 6,
&chapresponse);
>                                                     

>                                 break;
932a958,959
>                                              
control32(c, 19, 1, 1); // Framing (Async)
>                                              
control32(c, 24, 155520000, 1); // Framing (Async)
1286a1314,1330
>                                                     

> void build_chap_response(char *challenge, u8 id, u16
challenge_length, char **challenge_response)
> {
>         MD5_CTX ctx;
>         *challenge_response = NULL;
>                                                     

>         *challenge_response = (char *)calloc(17, 1);
>                                                     

>         MD5_Init(&ctx);
>         MD5_Update(&ctx, &id, 1);
>         MD5_Update(&ctx, "secret",
strlen("secret"));
>         MD5_Update(&ctx, challenge,
challenge_length);
>         MD5_Final(*challenge_response, &ctx);
>                                                     

>         return;
> }
>

__________________________________ 
Yahoo! FareChase: Search multiple travel sites in one click.
http://farechase.yahoo.com