Issue with rlm_digest module

malaya.kishore at wipro.com malaya.kishore at wipro.com
Thu Nov 27 12:10:10 CET 2008


Hi Alan DeKok,

Thank you for the prompt response.

Here is the debug log for the same, with the actual code:

("Realm is treo.com")

----------------------------------------------------------------------------
Debug:     rlm_digest: Converting Digest-Attributes to something sane...
Digest-Realm = "treo.c"
Debug: ERROR: Received Digest-Attributes with invalid sub-attribute 115
Debug:   modsingle[authenticate]: returned from digest (rlm_digest) for request 1
Debug:   modcall[authenticate]: module "digest" returns invalid for request 1
Debug: modcall: leaving group authenticate (returns invalid) for request 1
Debug: auth: Failed to validate the user.
----------------------------------------------------------------------------

Here is a sample debug output when the FreeRadius code of rlm_digest
module is modified:

----------------------------------------------------------------------------
Debug:     rlm_digest: Converting Digest-Attributes to something sane...
Digest-Realm = "treo.com"
Digest-URI = "/dir/index.html"
Digest-Nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
Digest-CNonce = "0a4f113b"
Digest-Nonce-Count = "00000001"
Digest-QOP = "auth"
Digest-Method = "REGISTER"
Debug: A1 = user1 at treo.com:treo.com:ABC
Debug: A2 = REGISTER:/dir/index.html
Debug: KD = c5c96d9d364350f6ac9528a3f63c24a0:dcd98b7102dd2f0e8b11d0f600bfb0c093:00000001:0a4f113b:auth:7feac0eabaddecec54986c4c95a7a460
Debug:   modsingle[authenticate]: returned from digest (rlm_digest) for request 1
Debug:   modcall[authenticate]: module "digest" returns ok for request 1
Debug: modcall: leaving group authenticate (returns ok) for request 1

I find that the length in the packet is the length of the attr-length
not the complete one (type + attr-length).

Here is the log when we tried to print the values of p[0] and p[1].

Note: "we have modified attrlen as p[1]+2"

----------------------------------------------------------------------------
Thu Nov 27 16:17:38 2008 : Info: [digest]     rlm_digest: Converting Digest-Attributes to something sane...
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[0] Received Digest-Attributes with sub-attribute type 1
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 6
        Digest-Realm = "fr.com"
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[0] Received Digest-Attributes with sub-attribute type 4
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 15
        Digest-URI = "/dir/index.html"
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[0] Received Digest-Attributes with sub-attribute type 2
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 34
        Digest-Nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[0] Received Digest-Attributes with sub-attribute type 8
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 8
        Digest-CNonce = "0a4f113b"
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[0] Received Digest-Attributes with sub-attribute type 9
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 8
        Digest-Nonce-Count = "00000001"
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[0] Received Digest-Attributes with sub-attribute type 5
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 4
        Digest-QOP = "auth"
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[0] Received Digest-Attributes with sub-attribute type 3
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 8
        Digest-Method = "REGISTER"
Thu Nov 27 16:17:38 2008 : Info: [digest] A1 = user1 at fr.com:fr.com:user1
Thu Nov 27 16:17:38 2008 : Info: [digest] A2 = REGISTER:/dir/index.html
H(A1) = 020e9ca2e5128c9446037d86a9ede93e
H(A2) = 7feac0eabaddecec54986c4c95a7a460
Thu Nov 27 16:17:38 2008 : Info: [digest] KD = 020e9ca2e5128c9446037d86a9ede93e:dcd98b7102dd2f0e8b11d0f600bfb0c093:00000001:0a4f113b:auth:7feac0eabaddecec54986c4c95a7a460
EXPECTED d592eedfc31ae12d0fcc28611c9b7e73
RECEIVED d592eedfc31ae12d0fcc28611c9b7e73
Thu Nov 27 16:17:38 2008 : Info: ++[digest] returns ok
----------------------------------------------------------------------------

We are not able to analyze the ethereal traces, as these are vendor
specific values, which are not understood by ethereal.

Can it be an error in the client side? Like the length of VSA is not
inserted correctly.

Thank you.

Kind Regards,
Kishore

-----Original Message-----
From: freeradius-devel-bounces+malaya.kishore=wipro.com at lists.freeradius.org [mailto:freeradius-devel-bounces+malaya.kishore=wipro.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, November 27, 2008 3:12 PM
To: FreeRadius developers mailing list
Subject: Re: Issue with rlm_digest module

malaya.kishore at wipro.com wrote:
> Problem 1:
>
> In the sanity check of rlm_digest module, we find that the attrlen
> attribute is not incremented correctly.
>
> FreeRadius version 2.1.1
>
> Source: freeradius-server-2.1.1\src\modules\rlm_digest\rlm_digest.c
>
> Line: 138
>
> Code:
>
> attrlen = p[1];     /* stupid VSA format */
>
> Solution:
>
> attrlen = p[1]+2; /* stupid VSA format */

  I don't see why this is necessary.  The length in the packet is the
length of the attribute, plus 2 octets (type + attr-length).  The
following checks assume:

      - minimum attrlen is 3 (type + attr-length + data)
      - data length is "attrlen - 2" (line 165)

  Further, this code inter-operates with all other Digest authentication
implementations, and has done so for over 6 years.

  Could you explain in more detail why you think the above change is
required?  What problems are you seeing with the existing code?

> Problem 2:
>
> As per the FreeRadius site, FreeRadius supports RFC: 4590 and 5090.

  Unfortunately, it doesn't.  There are patches, but they have not yet
been integrated into the server.

  Alan DeKok.

-

List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/devel.html
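
The length convention discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS code: a bounds-checked walk over Digest-Attributes sub-attributes in which the length octet counts type + length + data, run on a compliant encoding and on one whose length octet carries only the data length. The names `parse_subattrs` and `SUBATTR_MAX_TYPE`, the value 10 and both byte arrays are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SUBATTR_MAX_TYPE 10   /* assumption: highest sub-attribute type accepted */

struct subattr { uint8_t type; uint8_t dlen; const uint8_t *data; };
static struct subattr parsed[8];

/* Walk type/length/data triples where the length octet covers
 * type + length + data. Returns the number of sub-attributes,
 * or -1 as soon as one is malformed. */
static int parse_subattrs(const uint8_t *p, size_t len, struct subattr *out, int max)
{
    int n = 0;
    while (len > 0) {
        if (len < 2) return -1;                      /* no room for a header */
        size_t attrlen = p[1];
        if (attrlen < 3 || attrlen > len) return -1; /* too short, or overruns buffer */
        if (p[0] < 1 || p[0] > SUBATTR_MAX_TYPE) return -1; /* unknown type */
        if (n == max) return -1;
        out[n].type = p[0];
        out[n].dlen = (uint8_t)(attrlen - 2);        /* data length is attrlen - 2 */
        out[n].data = p + 2;
        n++;
        p += attrlen;
        len -= attrlen;
    }
    return n;
}

/* Constructed: Digest-Realm (type 1) "treo.com", Digest-Method (type 3) "REGISTER". */
static const uint8_t good[] = { 1, 10, 't','r','e','o','.','c','o','m',
                                3, 10, 'R','E','G','I','S','T','E','R' };
/* Constructed: same data, but the length octet holds only the data length. */
static const uint8_t bad[]  = { 1, 8,  't','r','e','o','.','c','o','m',
                                3, 8,  'R','E','G','I','S','T','E','R' };

int main(void)
{
    printf("compliant: %d sub-attributes\n", parse_subattrs(good, sizeof good, parsed, 8));
    int rc = parse_subattrs(bad, sizeof bad, parsed, 8);
    printf("data-only length: rc=%d, first value \"%.*s\"\n",
           rc, parsed[0].dlen, (const char *)parsed[0].data);
    return 0;
}
```

With the data-only length, the first value is cut to "treo.c" and the leftover bytes are then read as the next header and rejected, the same pattern as the first debug log above.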

