Issue with rlm_digest module
Hi, Greetings, I am Kishore here working in Wipro Technologies. We were testing MD5 digest with FreeRadius as Authentication Server. FreeRadius AAA is running on SUSE Linux machine. We are finding the below two problems: Problem 1: In the sanity check of rlm_digest module, we find that the attrlen attribute is not incremented correctly. FreeRadius version 2.1.1 Source: freeradius-server-2.1.1\src\modules\rlm_digest\rlm_digest.c Line: 138 Code: attrlen = p[1]; /* stupid VSA format */ Solution: attrlen = p[1]+2; /* stupid VSA format */ Problem 2: As per the FreeRadius site, FreeRadius support RFC: 4590 and 5090. But while testing for MD5 digest, FreeRadius server not sending any Digest-Challenge (Access-Challenge). Can someone please clarify the above issues. Thank you. Kind Regards, Kishore Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com
malaya.kishore@wipro.com wrote:
Problem 1:
In the sanity check of rlm_digest module, we find that the attrlen attribute is not incremented correctly.
FreeRadius version 2.1.1
Source: freeradius-server-2.1.1\src\modules\rlm_digest\rlm_digest.c
Line: 138
Code:
attrlen = p[1]; /* stupid VSA format */
Solution:
attrlen = p[1]+2; /* stupid VSA format */
I don't see why this is necessary. The length in the packet is the length of the attribute, plus 2 octets (type + attr-length). The following checks assume: - minimum attrlen is 3 (type + attr-length + data) - data length is "attrlen - 2" (line 165) Further, this code inter-operates with all other Digest authentication implementations, and has done so for over 6 years. Could you explain in more detail why you think the above change is required? What problems are you seeing with the existing code?
Problem 2:
As per the FreeRadius site, FreeRadius support RFC: 4590 and 5090.
Unfortunately, it doesn't. There are patches, but they have not yet been integrated into the server. Alan DeKok.
Hi Alan DeKok, Thank you for the prompt response. Here is the debug log for the same, with the actual code: ("Realm is treo.com") ------------------------------------------------------------------------ ---- Debug: rlm_digest: Converting Digest-Attributes to something sane... Digest-Realm = "treo.c" Debug: ERROR: Received Digest-Attributes with invalid sub-attribute 115 Debug: modsingle[authenticate]: returned from digest (rlm_digest) for request 1 Debug: modcall[authenticate]: module "digest" returns invalid for request 1 Debug: modcall: leaving group authenticate (returns invalid) for request 1 Debug: auth: Failed to validate the user. ------------------------------------------------------------------------ ------------------------------------------------ Here is a sample debug output when the FreeRadius code of rlm_digest module is modified: ------------------------------------------------------------------------ ------------------------------------------------ Debug: rlm_digest: Converting Digest-Attributes to something sane... Digest-Realm = "treo.com" Digest-URI = "/dir/index.html" Digest-Nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093" Digest-CNonce = "0a4f113b" Digest-Nonce-Count = "00000001" Digest-QOP = "auth" Digest-Method = "REGISTER" Debug: A1 = user1@treo.com:treo.com:ABC Debug: A2 = REGISTER:/dir/index.html Debug: KD = c5c96d9d364350f6ac9528a3f63c24a0:dcd98b7102dd2f0e8b11d0f600bfb0c093:0000 0001:0a4f113b:auth:7feac0eabaddecec54986c4c95a7a460 Debug: modsingle[authenticate]: returned from digest (rlm_digest) for request 1 Debug: modcall[authenticate]: module "digest" returns ok for request 1 Debug: modcall: leaving group authenticate (returns ok) for request 1 I find that the length in the packet is the length of the attr-length not the complete one (type + attr-length). Here is the log when we tried to print the values of p[o] and p[1]. Note: "we have modified attrlen as p[1]+2" ------------------------------------------------------------------------ ------------------------------ Thu Nov 27 16:17:38 2008 : Info: [digest] rlm_digest: Converting Digest-Attributes to something sane... Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[0] Received Digest-Attributes with sub-attribute type 1 Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 6 Digest-Realm = "fr.com" Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[0] Received Digest-Attributes with sub-attribute type 4 Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 15 Digest-URI = "/dir/index.html" Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[0] Received Digest-Attributes with sub-attribute type 2 Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 34 Digest-Nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093" Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[0] Received Digest-Attributes with sub-attribute type 8 Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 8 Digest-CNonce = "0a4f113b" Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[0] Received Digest-Attributes with sub-attribute type 9 Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 8 Digest-Nonce-Count = "00000001" Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[0] Received Digest-Attributes with sub-attribute type 5 Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 4 Digest-QOP = "auth" Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[0] Received Digest-Attributes with sub-attribute type 3 Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 8 Digest-Method = "REGISTER" Thu Nov 27 16:17:38 2008 : Info: [digest] A1 = user1@fr.com:fr.com:user1 Thu Nov 27 16:17:38 2008 : Info: [digest] A2 = REGISTER:/dir/index.html H(A1) = 020e9ca2e5128c9446037d86a9ede93e H(A2) = 7feac0eabaddecec54986c4c95a7a460 Thu Nov 27 16:17:38 2008 : Info: [digest] KD = 020e9ca2e5128c9446037d86a9ede93e:dcd98b7102dd2f0e8b11d0f600bfb0c093:0000 0001:0a4f113b:auth:7feac0eabaddecec54986c4c95a7a460 EXPECTED d592eedfc31ae12d0fcc28611c9b7e73 RECEIVED d592eedfc31ae12d0fcc28611c9b7e73 Thu Nov 27 16:17:38 2008 : Info: ++[digest] returns ok ------------------------------------------------------------------------ ------------------------------ We are not able to analyze the ethereal traces, as these are vendor specific values, which are not understood by ethereal. Can it be a error in the client side. Like the length of VSA is not inserted correctly. Thank you. Kind Regards, Kishore ------------------------------------------------------------------------ -----------------------------------------------------Original Message----- From: freeradius-devel-bounces+malaya.kishore=wipro.com@lists.freeradius.org [mailto:freeradius-devel-bounces+malaya.kishore=wipro.com@lists.freeradi us.org] On Behalf Of Alan DeKok Sent: Thursday, November 27, 2008 3:12 PM To: FreeRadius developers mailing list Subject: Re: Issue with rlm_digest module malaya.kishore@wipro.com wrote:
Problem 1:
In the sanity check of rlm_digest module, we find that the attrlen
attribute is not incremented correctly.
FreeRadius version 2.1.1
Source: freeradius-server-2.1.1\src\modules\rlm_digest\rlm_digest.c
Line: 138
Code:
attrlen = p[1]; /* stupid VSA format */
Solution:
attrlen = p[1]+2; /* stupid VSA format */
I don't see why this is necessary. The length in the packet is the length of the attribute, plus 2 octets (type + attr-length). The following checks assume: - minimum attrlen is 3 (type + attr-length + data) - data length is "attrlen - 2" (line 165) Further, this code inter-operates with all other Digest authentication implementations, and has done so for over 6 years. Could you explain in more detail why you think the above change is required? What problems are you seeing with the existing code?
Problem 2:
As per the FreeRadius site, FreeRadius support RFC: 4590 and 5090.
Unfortunately, it doesn't. There are patches, but they have not yet been integrated into the server. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com
malaya.kishore@wipro.com wrote:
Here is the debug log for the same, with the actual code: Debug: ERROR: Received Digest-Attributes with invalid sub-attribute 115
As I said, the module is inter-operable with all existing implementations, and has been inter-operable for 6 years. Changing it now is not an option.
I find that the length in the packet is the length of the attr-length not the complete one (type + attr-length).
Which client are you using to generate the digest attributes?
Here is the log when we tried to print the values of p[o] and p[1].
...
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 6
Digest-Realm = "fr.com"
The client is broken. The sub-attribute is *supposed* to be packed in the same way as a normal RADIUS attribute. The length is *supposed* to be "data-len + 2". This client has the length as "data-len". See the "sterman" draft, Nonce-Count sub-attribute. It's length is 10, with 8 bytes of hex data.
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 8
Digest-Nonce-Count = "00000001"
The client is violating the specification as written in the sterman draft. See doc/rfc/draft-sterman-aaa-sip-00.txt in the FreeRADIUS "tar" file.
We are not able to analyze the ethereal traces, as these are vendor specific values, which are not understood by ethereal.
Can it be a error in the client side. Like the length of VSA is not inserted correctly.
It is an error on the client side. The client is broken, and needs to be fixed. As it is now, the client does NOT work with FreeRADIUS, and it will NOT work with any other RADIUS server that implements the draft-sterman document. Alan DeKok.
Hi Alan DeKok, You are right. The client we used was not correct. After updations to client, it worked fine. Thank you. Kind Regards, Kishore -----Original Message----- From: freeradius-devel-bounces+malaya.kishore=wipro.com@lists.freeradius.org [mailto:freeradius-devel-bounces+malaya.kishore=wipro.com@lists.freeradi us.org] On Behalf Of Alan DeKok Sent: Thursday, November 27, 2008 5:05 PM To: FreeRadius developers mailing list Subject: Re: Issue with rlm_digest module malaya.kishore@wipro.com wrote:
Here is the debug log for the same, with the actual code: Debug: ERROR: Received Digest-Attributes with invalid sub-attribute 115
As I said, the module is inter-operable with all existing implementations, and has been inter-operable for 6 years. Changing it now is not an option.
I find that the length in the packet is the length of the attr-length not the complete one (type + attr-length).
Which client are you using to generate the digest attributes?
Here is the log when we tried to print the values of p[o] and p[1].
...
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 6
Digest-Realm = "fr.com"
The client is broken. The sub-attribute is *supposed* to be packed in the same way as a normal RADIUS attribute. The length is *supposed* to be "data-len + 2". This client has the length as "data-len". See the "sterman" draft, Nonce-Count sub-attribute. It's length is 10, with 8 bytes of hex data.
Thu Nov 27 16:17:38 2008 : Info: [digest] ERROR: p[1] Received Digest-Attributes with sub-attribute length 8
Digest-Nonce-Count = "00000001"
The client is violating the specification as written in the sterman draft. See doc/rfc/draft-sterman-aaa-sip-00.txt in the FreeRADIUS "tar" file.
We are not able to analyze the ethereal traces, as these are vendor specific values, which are not understood by ethereal.
Can it be a error in the client side. Like the length of VSA is not inserted correctly.
It is an error on the client side. The client is broken, and needs to be fixed. As it is now, the client does NOT work with FreeRADIUS, and it will NOT work with any other RADIUS server that implements the draft-sterman document. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com
Hi Alan DeKok, Any plans when RFC 5090 will be included in standard FreeRadius. Kind Regards, Kishore -----Original Message----- From: freeradius-devel-bounces+malaya.kishore=wipro.com@lists.freeradius.org [mailto:freeradius-devel-bounces+malaya.kishore=wipro.com@lists.freeradi us.org] On Behalf Of Alan DeKok Sent: Thursday, November 27, 2008 3:12 PM To: FreeRadius developers mailing list Subject: Re: Issue with rlm_digest module malaya.kishore@wipro.com wrote:
Problem 1:
In the sanity check of rlm_digest module, we find that the attrlen attribute is not incremented correctly.
FreeRadius version 2.1.1
Source: freeradius-server-2.1.1\src\modules\rlm_digest\rlm_digest.c
Line: 138
Code:
attrlen = p[1]; /* stupid VSA format */
Solution:
attrlen = p[1]+2; /* stupid VSA format */
I don't see why this is necessary. The length in the packet is the length of the attribute, plus 2 octets (type + attr-length). The following checks assume: - minimum attrlen is 3 (type + attr-length + data) - data length is "attrlen - 2" (line 165) Further, this code inter-operates with all other Digest authentication implementations, and has done so for over 6 years. Could you explain in more detail why you think the above change is required? What problems are you seeing with the existing code?
Problem 2:
As per the FreeRadius site, FreeRadius support RFC: 4590 and 5090.
Unfortunately, it doesn't. There are patches, but they have not yet been integrated into the server. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com
malaya.kishore@wipro.com wrote:
Any plans when RFC 5090 will be included in standard FreeRadius.
A patch is available: http://bugs.freeradius.org/show_bug.cgi?id=391 It needs to be tested, debugged, and possibly edited. The main problem IIRC, is that the patch *removes* the current functionality from the digest module. This is not appropriate for inclusion in the main source tree, as many people have businesses that depend on the current feature set. Alan DeKok.
participants (2)
-
Alan DeKok -
malaya.kishore@wipro.com