Fwd: Accessing the "Authenticator" value from within a perl script
When using the perl module to process access-requests, is it possible to get the "Authenticator" value (NOT the Message-Authenticator)? There is a VSA which contains encoded data, which is using the encoding mechanism specified in RFC2865, which requires the Authenticator to decrypt. It does not decode properly when the dictionary specifies RFC2865 (encrypt=1) or RFC2868 (encrypt=2), because the encrypted data is sometimes larger than 192 bytes which is not supported in the Password attribute. For example, I need access to the following value, visible in a packet capture, from within my perl script: Authenticator value <https://i.stack.imgur.com/p6LTq.png> (not the Message-Authenticator AVP <https://i.stack.imgur.com/dB4q4.png>) The text to be decrypted is present in a VSA that is defined in a dictionary, such as ATTRIBUTE MyVendors-Special-Passphrase 44 string encrypt=1 (also tried encrypt=2) An example of the payload of the value is 21caa32fea486d9baf414610ea46510e9706a476812d02e21b956e35aa47501040b445702c6ff7e1f7f839480c1a26458f710af77aeae6e592b6e6910a6d93bbf31fe803d05799bcdec86b6b5c70c85fd92ad63449773ec1500069688280cfce0da532e0ece9e504fffef1cd381b69b981ac1b17a4a5ea672154dbea8d61823bb0644669f5f367b28fe6431d8a11d109ec4a8d19e6be46eca4c8085cd01c1b02fd0fc0bff7719432d8445b2cf39a0e66 I would like to decrypt the data manually inside a perl module, but in order to do that I need the Authenticator value to use as a vector to the decryption algorithm, which I haven't been able to access from my perl script. Since neither encrypt=1 nor encrypt=2 results in the correct data, I would like to do the decryption myself within perl. If I obtain the Authenticator value manually from a packet capture, I am able to complete the process, but I would like to automate this. Does anyone know of a way to get that value? Thank you in advance!
On Jun 28, 2023, at 11:53 AM, Lannar Dean via Freeradius-Devel <freeradius-devel@lists.freeradius.org> wrote:
When using the perl module to process access-requests, is it possible to get the "Authenticator" value (NOT the Message-Authenticator)?
it's in the virtual attribute Packet-Authentication-Vector. You'll have to copy that to a "real" attribute for it to show up in rlm_perl
There is a VSA which contains encoded data, which is using the encoding mechanism specified in RFC2865, which requires the Authenticator to decrypt. It does not decode properly when the dictionary specifies RFC2865 (encrypt=1) or RFC2868 (encrypt=2), because the encrypted data is sometimes larger than 192 bytes which is not supported in the Password attribute.
Edit src/lib/radius.c. Find MAX_PASS_LEN. Change (128) to (254). Recompile.
For example, I need access to the following value, visible in a packet capture, from within my perl script: Authenticator value <https://i.stack.imgur.com/p6LTq.png> (not the Message-Authenticator AVP <https://i.stack.imgur.com/dB4q4.png>)
The text to be decrypted is present in a VSA that is defined in a dictionary, such as
ATTRIBUTE MyVendors-Special-Passphrase 44 string encrypt=1
(also tried encrypt=2)
That uses a completely different encryption method, and won't work for attributes which are supposed to use "encrypt=1". TBH the simplest thing is to just change MAX_PASS_LEN. The RFCs say that User-Password is limited to 128 characters. But I can't for the life of me think of an issue with allowing passwords to be longer than 128 bytes. Since pretty much no one ever sends passwords that long, changing MAX_PASS_LEN won't really affect anyone. Alan DeKok.
On Jun 28, 2023, at 4:26 PM, Alan DeKok <aland@deployingradius.com> wrote:
Edit src/lib/radius.c. Find MAX_PASS_LEN. Change (128) to (254). Recompile.
Sorry, make that 256. It has to be a multiple of 16. Alan DeKok.
Thanks, That was our initial direction, just wanted to see if it was doable without patching code, but I agree this looks like the most straightforward approach and obviates the need to do the decryption in perl. thanks for the assistance! On Wed, Jun 28, 2023 at 4:34 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jun 28, 2023, at 4:26 PM, Alan DeKok <aland@deployingradius.com> wrote:
Edit src/lib/radius.c. Find MAX_PASS_LEN. Change (128) to (254). Recompile.
Sorry, make that 256. It has to be a multiple of 16.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- <https://www.rgnets.com/> *LANNAR DEAN* Director of Product Engineering <https://www.linkedin.com/company/rgnets> <https://twitter.com/rgnets> <https://www.youtube.com/channel/UCY1FGrqtlcYQGiICvgRZ5VA> <https://www.facebook.com/rg.nets.inc> <https://www.reddit.com/r/RGNets/>
participants (2)
-
Alan DeKok -
Lannar Dean