Issue with rlm_digest module

malaya.kishore at malaya.kishore at
Fri Nov 28 10:00:44 CET 2008

Hi Alan DeKok,

Any plans when RFC 5090 will be included in standard FreeRadius.

Kind Regards,

-----Original Message-----
From: at
[ at lists.freeradi] On Behalf Of Alan DeKok
Sent: Thursday, November 27, 2008 3:12 PM
To: FreeRadius developers mailing list
Subject: Re: Issue with rlm_digest module

malaya.kishore at wrote:
> Problem 1:
> In the sanity check of rlm_digest module, we find that the attrlen
> attribute is not incremented correctly.
> FreeRadius version 2.1.1
> Source: freeradius-server-2.1.1\src\modules\rlm_digest\rlm_digest.c
> Line: 138
> Code:
> attrlen = p[1];     /* stupid VSA format */  
> Solution:
> attrlen = p[1]+2; /* stupid VSA format */

  I don't see why this is necessary.  The length in the packet is the
length of the attribute, plus 2 octets (type + attr-length).  The
following checks assume:

	- minimum attrlen is 3 (type + attr-length + data)
	- data length is "attrlen - 2" (line 165)

  Further, this code inter-operates with all other Digest authentication
implementations, and has done so for over 6 years.

  Could you explain in more detail why you think the above change is
required?  What problems are you seeing with the existing code?

> Problem 2:
> As per the FreeRadius site, FreeRadius support RFC: 4590 and 5090.

  Unfortunately, it doesn't.  There are patches, but they have not yet
been integrated into the server.

  Alan DeKok.
List info/subscribe/unsubscribe? See

Please do not print this email unless it is absolutely necessary. 

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

More information about the Freeradius-Devel mailing list