rlm_digest: cannot do "auth-int" digest authentication to work

Bruno Negrao bnegraolists at gmail.com
Mon Dec 12 23:54:40 CET 2005


Hi Alan,

Thank you very much for answering. Since you confirmed it is a bug, I'd
like to let you know that my tests using the MD5-sess algorithm had also
failed. This time the error is in calculating H(A1). Again,
using the user 'bob' and password 'zanzibar', when I run the following
command:

echo ' User-name = "bob", Digest-Response =
"e4e4ea61d186d07a92c9e1f6919902e9", Digest-Realm = "biloxi.com",
Digest-Nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", Digest-Method =
"INVITE", Digest-URI = "sip:bob@biloxi.com", Digest-Algorithm =
"MD5-sess", Digest-User-Name = "bob", Digest-QOP = "auth",
Digest-Nonce-Count  = "00000001", Digest-CNonce = "0a4f113b"' |
/usr/bin/radclient localhost auth testing123 2>&1

the output of radiusd -X is:

rad_recv: Access-Request packet from host 127.0.0.1:32937, id=87, length=194
        User-Name = "bob"
        Digest-Response = "e4e4ea61d186d07a92c9e1f6919902e9"
        Digest-Attributes = 0x010c62696c6f78692e636f6d
        Digest-Attributes = 0x022464636439386237313032646432663065386231316430663630306266623063303933
        Digest-Attributes = 0x0308494e56495445
        Digest-Attributes = 0x04147369703a626f624062696c6f78692e636f6d
        Digest-Attributes = 0x060a4d44352d73657373
        Digest-Attributes = 0x0a05626f62
        Digest-Attributes = 0x050661757468
        Digest-Attributes = 0x090a3030303030303031
        Digest-Attributes = 0x080a3061346631313362
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 15
  modcall[authorize]: module "preprocess" returns ok for request 15
  modcall[authorize]: module "chap" returns noop for request 15
  modcall[authorize]: module "mschap" returns noop for request 15
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-Realm = "biloxi.com"
        Digest-Nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
        Digest-Method = "INVITE"
        Digest-URI = "sip:bob@biloxi.com"
        Digest-Algorithm = "MD5-sess"
        Digest-User-Name = "bob"
        Digest-QOP = "auth"
        Digest-Nonce-Count = "00000001"
        Digest-CNonce = "0a4f113b"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 15
    rlm_realm: No '@' in User-Name = "bob", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 15
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 15
    users: Matched entry bob at line 5
  modcall[authorize]: module "files" returns ok for request 15
modcall: group authorize returns ok for request 15
  rad_check_password:  Found Auth-Type Digest
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 15
A1 = bob:biloxi.com:zanzibar
A2 = INVITE:sip:bob@biloxi.com
H(A1) = 3fe46a5fca36d79d9b5567e49a5b9fa1
H(A2) = 13a14a3eb5e2c24732a1a04fff543e92
KD = 3fe46a5fca36d79d9b5567e49a5b9fa1:dcd98b7102dd2f0e8b11d0f600bfb0c093:00000001:0a4f113b:auth:13a14a3eb5e2c24732a1a04fff543e92
EXPECTED 9c9e30a46fcc7a25a16cc7c4a1330ef8
RECEIVED e4e4ea61d186d07a92c9e1f6919902e9
rlm_digest: FAILED authentication

The correct H(A1) for this case should be: "4f36886771c77832be5c5a8de5a7ec82"
instead of "3fe46a5fca36d79d9b5567e49a5b9fa1".

If you haven't fixed this bug yet, use the examples from the draft
http://ftp6.us.freebsd.org/pub/rfc/internet-drafts/draft-smith-sipping-auth-examples-01.txt

They certainly will help you.

Thank you,
bnegrao
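
The comparison the message describes, as an added example (not part of the original post and not FreeRADIUS code): it recomputes H(A1) for the request above as plain MD5 and as RFC 2617 MD5-sess, where A1 = H(user:realm:password):nonce:cnonce, and reports which reading reproduces the received Digest-Response. Trying the inner hash both as hex text and as raw bytes is an assumption of this example, and the function names are hypothetical.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def ha1_candidates(user, realm, password, nonce, cnonce):
    """H(A1) as plain MD5 and under two readings of MD5-sess (assumed here)."""
    inner = hashlib.md5(f"{user}:{realm}:{password}".encode())
    tail = f":{nonce}:{cnonce}".encode()
    return {
        "MD5": inner.hexdigest(),
        "MD5-sess (hex inner hash)": md5_hex(inner.hexdigest().encode() + tail),
        "MD5-sess (raw inner hash)": md5_hex(inner.digest() + tail),
    }


def digest_response(ha1, nonce, nc, cnonce, qop, method, uri):
    """RFC 2617 response for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha2 = md5_hex(f"{method}:{uri}".encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


def diagnose(req, password, received):
    """Map each H(A1) reading to (H(A1), response, matches_received)."""
    out = {}
    cands = ha1_candidates(req["user"], req["realm"], password,
                           req["nonce"], req["cnonce"])
    for name, ha1 in cands.items():
        resp = digest_response(ha1, req["nonce"], req["nc"], req["cnonce"],
                               req["qop"], req["method"], req["uri"])
        # Constant-time comparison, as a verifier should use.
        out[name] = (ha1, resp, hmac.compare_digest(resp, received))
    return out


# Values copied from the radclient command in the message above.
REQ = dict(user="bob", realm="biloxi.com", method="INVITE",
           uri="sip:bob@biloxi.com", qop="auth", nc="00000001",
           nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", cnonce="0a4f113b")
RECEIVED = "e4e4ea61d186d07a92c9e1f6919902e9"

if __name__ == "__main__":
    for name, (ha1, resp, ok) in diagnose(REQ, "zanzibar", RECEIVED).items():
        print(f"{name:26} H(A1)={ha1} response={resp} match={ok}")
```

Comparing the printed H(A1) values with the H(A1) line in the radiusd -X output shows which reading the server applied.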



