2.x.x (and earier?): yet another decoding SSHA issue

Stefan Winter stefan.winter at restena.lu
Tue Jul 16 12:04:41 CEST 2013


Hi,

> At a guess, i'd say the attribute you were creating was of type
OCTETS, in which case the above is the correct behaviour. Can you double
check that the type of the attribute is string, and not octets.

It's SSHA1-Password. Yes, it is octets, as defined in
dictionary.freeradius.internal.

> Nearly all string to value conversions (all drivers produce values as strings) go through pairparsevalue. String attributes will *not* be treated as hex strings by pairparsevalue, only raw attributes are.
> 
> Looking at src/lib/valuepair.c (pairparsevalue), writing to a destination attribute of type octets would describe exactly when you're experiencing.

I certainly wouldn't call it "correct". All other values for
SSHA1-Password which don't incidentally start with an 0X get parsed and
used correctly.

Looking at the code, it's much more so that lib/valuepair.c's case
PW_TYPE_OCTETS does a (poor) heuristics on the first two bytes of the
incoming blob. If it finds a 0x then it thinks it needs to decode.
Otherwise, it just returns vp.

What are you suggesting to make SSHA1-Password work deterministically?

* Should I change the dictionary.freeradius.internal away from octets to
string?

* Or encode the already base64-encoded SSHA hashes inside a hex encoding
to make the heuristics happy?

* Or should the heuristics maybe become a little more clever to *try* to
hex-decode things which start with 0x, but just return the value as-is
if that failed?

Greetings,

Stefan Winter


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20130716/f0323f9d/attachment.pgp>


More information about the Freeradius-Devel mailing list