On Thu, 2010-06-10 at 14:12 +0200, Alan DeKok wrote:
f0rud wrote:
I found the "calc_replydigest" function in radius.c always return 2 (digest_cmp failed) Since this function is new in code , then its the problem and the diff. with version 1.x
The "digest_cmp" is failing because the packet is wrong.
Try the old code from an earlier version of radius.c. It will *also* fail to authenticate the packet.
Thats the problem, version 1.1.8 have no problem!(This time I check this myself. with the code from download page.)
For fixing my problem, I just by pass this test for PW_DISCONNECT_ACK (not a good idea I know but what else I can do?) and now its fine for my problem.
Or, you could ask the NAS vendor to implement RADIUS properly.
In Mikrotik forum they said to ask your team (not to me they said this is radclient problem.) thats I love : infinite loop :))
I see the code for another messages (for ex: PW_AUTHENTICATION_REQUEST) you just ignore the code,
Uh... no. It does not do that.
So check this at radius.c about line 2110 /* * Calculate and/or verify digest. */ switch(packet->code) { int rcode=0; char buffer[32]; case PW_AUTHENTICATION_REQUEST: case PW_STATUS_SERVER: /* * The authentication vector is random * nonsense, invented by the client. */ break; and after this break, the function return 0 that means OK , so where the code take care of this messages digest?
so why this one(PW_DISCONNECT_ACK) "must" be checked? if some one want to do "timing attack" then can use this message(PW_AUTHENTICATION_REQUEST) so by checking just some message its not "safe".
That is not true.
This timing attack (I read the comment on the code) so bypassing this function (rad_verify) means some one can do this attack, and If yo don't believe me, check the code, any PW_AUTHENTICATION_REQUEST package will pass this function. so what difference, and why this pass exist at all when there is some exception?