rlm_digest: cannot do "auth-int" digest authentication to work

Bruno Negrao bnegraolists at gmail.com
Mon Dec 12 21:50:32 CET 2005


Hi all,

I'm testing the rlm_digest module in freeradius 1.0.5 to make a digest
authentication.

To test, I'm using radclient and I'm passing to it the Digest attributes in
order to authenticate on the localhost.

I'm using the command below to authenticate the user "bob" password
"zanzibar" in my radius server but it's not working.


echo ' User-name = "bob", Digest-Response =
"bdbeebb2da6adb6bca02599c2239e192", Digest-Realm = "biloxi.com",
Digest-Nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", Digest-Method =
"INVITE", Digest-URI = "sip:bob@biloxi.com", Digest-Algorithm = "MD5",
Digest-User-Name = "bob", Digest-QOP = "auth-int", Digest-Nonce-Count  =
"00000001", Digest-CNonce = "0a4f113b", Digest-Body-Digest =
"c1ed018b8ec4a3b170c0921f5b564e48"' | /usr/bin/radclient localhost auth
testing123 2>&1

The values I'm passing in the attributes are supposed to be correct. I
extracted them from the draft
http://ftp6.us.freebsd.org/pub/rfc/internet-drafts/draft-smith-sipping-auth-examples-01.txt

What is going wrong is the calculation of H(A2). See the output of "radiusd
-X" in response to that command above:

Cleaning up request 0 ID 111 with timestamp 439dbec1
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:32937, id=117,
length=229
        User-Name = "bob"
        Digest-Response = "bdbeebb2da6adb6bca02599c2239e192"
        Digest-Attributes = 0x010c62696c6f78692e636f6d
        Digest-Attributes =
0x022464636439386237313032646432663065386231316430663630306266623063303933
        Digest-Attributes = 0x0308494e56495445
        Digest-Attributes = 0x04147369703a626f624062696c6f78692e636f6d
        Digest-Attributes = 0x06054d4435
        Digest-Attributes = 0x0a05626f62
        Digest-Attributes = 0x050a617574682d696e74
        Digest-Attributes = 0x090a3030303030303031
        Digest-Attributes = 0x080a3061346631313362
        Digest-Attributes =
0x07226331656430313862386563346133623137306330393231663562353634653438
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-Realm = "biloxi.com"
        Digest-Nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
        Digest-Method = "INVITE"
        Digest-URI = "sip:bob@biloxi.com"
        Digest-Algorithm = "MD5"
        Digest-User-Name = "bob"
        Digest-QOP = "auth-int"
        Digest-Nonce-Count = "00000001"
        Digest-CNonce = "0a4f113b"
        Digest-Body-Digest = "c1ed018b8ec4a3b170c0921f5b564e48"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 1
    rlm_realm: No '@' in User-Name = "bob", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
    users: Matched entry bob at line 5
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type Digest
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
A1 = bob:biloxi.com:zanzibar
A2 = INVITE:sip:bob@biloxi.com:Áí???Ä£±pÀ??[VNH
H(A1) = 12af60467a33e8518da5c68bbff12b11
H(A2) = 7a3ae801f64033d060b8209ec071569c
KD =
12af60467a33e8518da5c68bbff12b11:dcd98b7102dd2f0e8b11d0f600bfb0c093:00000001:0a4f113b:auth-int:7a3ae801f64033d060b8209ec071569c
EXPECTED 6b2a26c4371e4bbac1d5e71763443f5f
RECEIVED bdbeebb2da6adb6bca02599c2239e192
rlm_digest: FAILED authentication
  modcall[authenticate]: module "digest" returns reject for request 1
modcall: group authenticate returns reject for request 1
auth: Failed to validate the user.


PS: The value of H(A2) should be 3e8ec46a56447dbb073e1171b1be0683.  You
can verify it by running the command:

echo -n "INVITE:sip:bob@biloxi.com:c1ed018b8ec4a3b170c0921f5b564e48" |
md5sum

That draft also confirms that H(A2) should be
"3e8ec46a56447dbb073e1171b1be0683".

So, why is rlm_digest calculating it as "7a3ae801f64033d060b8209ec071569c"?

Is it really a bug or am I making some silly mistake?

Any help will be greatly appreciated.

bnegrao
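
Added example, not part of the original post and not FreeRADIUS code: a Python recomputation of the RFC 2617 auth-int values from the attributes in the post, with illustrative function names. It builds H(A2) with the body digest appended both as 32 hex characters and as 16 decoded bytes (an assumption suggested by the non-printable characters in the logged A2 line), then compares each result with the values in the radiusd -X output.

```python
import hashlib

# Attribute values from the post (its author took them from the draft).
USER, REALM, PASSWORD = "bob", "biloxi.com", "zanzibar"
METHOD, URI = "INVITE", "sip:bob@biloxi.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
NC, CNONCE, QOP = "00000001", "0a4f113b", "auth-int"
BODY_DIGEST = "c1ed018b8ec4a3b170c0921f5b564e48"
# Values printed in the post's radiusd -X output.
LOGGED_HA2 = "7a3ae801f64033d060b8209ec071569c"
LOGGED_EXPECTED = "6b2a26c4371e4bbac1d5e71763443f5f"
RECEIVED = "bdbeebb2da6adb6bca02599c2239e192"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def ha1() -> str:
    """H(A1) = MD5(user ":" realm ":" password)."""
    return md5_hex(f"{USER}:{REALM}:{PASSWORD}".encode())


def ha2(body_as_hex_text: bool) -> str:
    """H(A2) for qop=auth-int: MD5(method ":" uri ":" H(entity-body))."""
    prefix = f"{METHOD}:{URI}:".encode()
    if body_as_hex_text:
        body = BODY_DIGEST.encode()        # 32 ASCII hex characters
    else:
        body = bytes.fromhex(BODY_DIGEST)  # assumption: 16 raw bytes, as the logged A2 suggests
    return md5_hex(prefix + body)


def response(ha2_value: str) -> str:
    """Response = MD5(H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2))."""
    kd = ":".join([ha1(), NONCE, NC, CNONCE, QOP, ha2_value])
    return md5_hex(kd.encode())


def report() -> dict:
    """Compare both H(A2) forms against the values shown in the post."""
    hex_ha2, raw_ha2 = ha2(True), ha2(False)
    return {
        "hex_form_matches_client_response": response(hex_ha2) == RECEIVED,
        "raw_form_matches_logged_ha2": raw_ha2 == LOGGED_HA2,
        "raw_form_matches_logged_expected": response(raw_ha2) == LOGGED_EXPECTED,
    }


if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name}: {ok}")
```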