FidoNet Echomail Archive
sync_programming


From: Digital Man
To: mark lewis
Date: 2019-06-14 13:50:10
Subject: possible CRYPT bug with no session password

  Re: possible CRYPT bug with no session password
  By: mark lewis to Digital Man on Fri Jun 14 2019 12:12 pm

 >
 >  On 2019 Jun 14 10:47:04, I wrote to you:
 >
 >  DM>> That means the remote BinkIT system has a session password configured
 >  DM>> for your node. From binkp.js 1.114 ('-' is the same as a blank/no
 >  DM>> password):
 >
 >  DM>>        if (!this.plain_auth_only && password !== '-')
 >  DM>>                this.sendCmd(this.command.M_NUL, "OPT CRYPT");
 >
 >  ml> are you saying that if there is no session level password, we should
 >  ml> have a '-' in the session password field in echocfg??
 >
 > of course that was wrong but if one was put in there, it should work the
 > same... i've glanced over the code and i note that if the password is
 > undefined, it is set to '-'... is it possible that maybe the password is not
 > just undefined but it is blank?

Yes, I think that's exactly what's happening:
        this.node[sec].pass = f.iniGetValue(section, 'SessionPwd', '');

This line (from fidocfg.js) would set the password to a blank string by
default (not undefined).

 >
 >         if (password === undefined)
 >                 password = '-';
 >         if (password === '-')
 >                 this.require_md5 = false;
 >
 > should
 >
 >                 this.wont_crypt = true;
 >                 this.require_crypt = false;
 >
 > be set up there where "this.require_md5 = false" is set instead of being set
 > further down? then checking additional values would prevent "OPT CRYPT" from
 > being sent as well??

No, I think that part is right. Just because you don't *require* CRAM-MD5
doesn't mean you won't allow it (and to allow it, you must send the OPT
CRYPT msg).

The blank vs. undefined password thing does seem like a problem though.

                                            digital man

This Is Spinal Tap quote #9:
David St. Hubbins: I mean, it's not your job to be as confused as Nigel.
Norco, CA WX: 73.0F, 59.0% humidity, 3 mph ENE wind, 0.00 inches rain/24hrs
--- SBBSecho 3.07-Linux
 * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
SEEN-BY: 103/705 154/10 203/0 218/700 221/0 229/426 240/5832 261/38 280/464
SEEN-BY: 280/5003 396/45 423/120 633/0 267 280 281 384 412 509 712/848 770/1
@PATH: 103/705 280/464 712/848 633/280 267
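
Added example, not part of the original message and not Synchronet's own code: a small model of the checks quoted in the thread, showing how a blank SessionPwd (the '' default from the fidocfg.js line) gets past the `undefined` test and still leads to "OPT CRYPT" being sent, beside a hypothetical normalizer that maps blank values to '-'. The function names and the starting value of `requireMd5` are assumptions.

```javascript
// Added illustration; not Synchronet's binkp.js. Function names are hypothetical.

// Models the two checks quoted in the thread. Starting requireMd5 at true
// is an assumption made for this sketch.
function sessionSetup(password, plainAuthOnly = false) {
    let requireMd5 = true;
    if (password === undefined)
        password = '-';
    if (password === '-')
        requireMd5 = false;
    // Same condition as the quoted binkp.js 1.114 line.
    const sendsOptCrypt = !plainAuthOnly && password !== '-';
    return { password, requireMd5, sendsOptCrypt };
}

// Hypothetical normalizer: treat undefined, null, blank and whitespace-only
// values the same as the '-' "no password" marker. A real password is
// returned unchanged.
function normalizeSessionPwd(raw) {
    if (raw === undefined || raw === null)
        return '-';
    return String(raw).trim() === '' ? '-' : raw;
}

// Constructed sample inputs: values a config loader might hand over.
const samples = [undefined, '', '   ', '-', 'secret'];

// For each sample, report whether OPT CRYPT would be sent with the value
// used as-is and with the value normalized first.
function compare() {
    return samples.map((raw) => ({
        raw,
        asIs: sessionSetup(raw).sendsOptCrypt,
        normalized: sessionSetup(normalizeSessionPwd(raw)).sendsOptCrypt,
    }));
}

console.table(compare());
```
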
