2.x.x (and earier?): yet another decoding SSHA issue

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Jul 16 17:12:53 CEST 2013

On 16 Jul 2013, at 15:54, John Dennis <jdennis at redhat.com> wrote:

> On 07/16/2013 09:40 AM, Alan DeKok wrote:
>> Arran Cudbard-Bell wrote:
>>> SSHA1-Password will then hold the raw octet value of the hash. Unfortunately
>>> I believe that rlm_pap has it's own normalization logic, 
>>> so may still attempt to decode the raw octets as hex or base64 *sigh*. 
>>  Only if the data is longer than the length of the binary hash.
>>  i.e.
>> - length == length of hash ---> DONE
>> - length is 4/3 (or so) + other stuff.. --> base64
>> - starts with "0x" and length is 2x the length of the hash --> hex
>>  It should be pretty fail-safe.
> I'm not a fan of heuristics, every time you think you've got the logic
> nailed down some corner case will prove you wrong. Plus it's magical, I
> don't like magic, I prefer explicit well defined behavior. Plus in this
> instance the behavior is tied to well known digests, what about all the
> other places where binary conversion from text encoding might be called
> for? Shouldn't everything obey the same rules?
> Is it possible to add a qualifier indicating the format of the item,
> e.g. base64, hex, etc.?

You could use as part of the atribute name to indicate a cast.

<string>SSHA-Password := <hash>

But it's still awful.

Anyway Stefan's point about SSHA is correct. Maybe an option to turn off the normalisation done by rlm_pap would be useful.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

More information about the Freeradius-Devel mailing list