rml_perl question
FreeRadius-ML
freeradius at zap2link.com
Tue Jul 24 12:54:59 CEST 2007
Ok,
It would appear that I'm a little silly, due to the way FreeRadius logs the information
on the console. I've been debugging the information that I get, and I can see that the
Digest-Attributes actually contain the information, in accordance with the following:
The first Digest Attribute is the User-Name,
The second Digest Attribute is the Realm,
The third Digest Attribute is the nonce,
The fourth Digest Attribute is the uri,
The fifth Digest Attribute is the SIP-METHOD request.
I didn't realize this in the beginning, as it was all HEX dumped, so I couldn't see
that I'm actually looking at the information.
Now, my question is this, what is the formula to calculate the digest from all of the
above information? I've tried backtracking the code, but ended up with a slight headache.
If anyone has information, that would be highly appreciated.
Regards,
Z2L
----- Original Message -----
From: "FreeRadius-ML" <freeradius at zap2link.com>
To: "freeradius-users" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, July 24, 2007 1:07:01 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question
Ok,
I think I'm getting somewhere on this. After running wireshark and capturing the traffic,
I actually realized that the Authentication/Authorization headers consist of a random hash
that is identified by the nonce number. Following is an example:
Authorization: Digest username="101", realm="192.168.2.80", algorithm=MD5, uri="sip:192.168.2.80", nonce="469f2996b4bb829917c6d5d7c3c50bed9da77682", response="1efb1851e1e96ce6855bf406735af4b6"
Now, if I understand correctly, the digest will be calculated from the combination of the
username, uri and nonce. Problem is, it would appear that I'm unable to access the nonce field
from rlm_perl, unless, I'm missing something.
Regards,
Z2L
----- Original Message -----
From: "FreeRadius-ML" <freeradius at zap2link.com>
To: "freeradius-users" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, July 24, 2007 11:43:19 AM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question
Hi Peter,
Well, according to the RFC, the string should be:
username:realm:password and then into the md5sum.
Now, according to my logs, I can see the following:
Packet-Type = Access-Request
Thu Jul 19 09:37:23 2007
User-Name = "101 at 192.168.2.80"
Digest-Attributes = 0x0a05313031
Digest-Attributes = 0x010e3139322e3136382e322e3830
Digest-Attributes = 0x022a34363966313930646437336461386462323964356231306236373262646532633262623030353733
Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "80d23e66bd4d667eb445c89b74ff7a6b"
Service-Type = IAPP-Register
Sip-Uri-User = "101"
NAS-Port = 5060
NAS-IP-Address = 192.168.2.80
Client-IP-Address = 192.168.2.80
Now, the password for that user is 101.
So, I did the following: echo '101 at 192.168.2.80:192.168.2.80:101' | md5sum, which generated
the following output: ec6cec8f0b5904ba56401b1e305638b5.
Now, examining the log file shows that a few minutes before that, the Access-Request looks
like this:
Packet-Type = Access-Request
Thu Jul 19 09:29:54 2007
User-Name = "101 at 192.168.2.80"
Digest-Attributes = 0x0a05313031
Digest-Attributes = 0x010e3139322e3136382e322e3830
Digest-Attributes = 0x022a34363966313734623339623735663735363137326635613334646135666437393766353563353632
Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "a15ff7de436bada1093be663290f8ad8"
Service-Type = IAPP-Register
Sip-Uri-User = "101"
NAS-Port = 5060
NAS-IP-Address = 192.168.2.80
Client-IP-Address = 192.168.2.80
As you can see, the Digest here is different, so I'm surely missing something here.
Regards,
Z2L
----- Original Message -----
From: "Peter Nixon" <listuser at peternixon.net>
To: freeradius at zap2link.com, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, July 24, 2007 11:30:25 AM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question
On Tue 24 Jul 2007, FreeRadius-ML wrote:
> Thanks, that helps a bunch.
>
> Another question, maybe unrelated. Does anyone have an idea how OpenSER
> and FreeRadius calculate the Digest response for rlm_digest?
>
> According to the output of my rlm_perl RAD_REQUEST, I'm getting the
> following request from the OpenSER server:
>
> rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
> rlm_perl: RAD_REQUEST: Digest-Response = 80d23e66bd4d667eb445c89b74ff7a6b
> rlm_perl: RAD_REQUEST: User-Name = 101 at 192.168.2.80
> rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
> rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
> rlm_perl: RAD_REQUEST: NAS-Port = 5060
> rlm_perl: RAD_REQUEST: Sip-Uri-User = 101
> rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x84e7a90)
> rlm_perl: Added pair Auth-Type = perl
>
> If I understand correctly, I need to calculate the digest response,
> according to the information I hold in my AAA database, which should match
> the Digest-Response request. My question is, what is the actual string
> format that is required for the calculation of the Digest-Response?
Read RFC 2617
--
Peter Nixon
http://peternixon.net/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
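An added worked example (not part of the original thread and not FreeRADIUS or OpenSER code) for the question at the top of this message: it decodes the Digest-Attributes logged above and applies the RFC 2617 MD5 calculation, where the response is MD5(HA1:nonce:HA2) with HA1 = MD5(username:realm:password) and HA2 = MD5(method:uri), so a fresh nonce gives a different response for the same password. The function names are hypothetical, the sub-attribute type codes are read off the log lines on this page, the password 101 is the one stated in the thread, and the qop branch covers the general RFC 2617 case that the logged requests do not use.

```python
import hashlib
import hmac

# Sub-attribute type codes as they appear in the Digest-Attributes on this page.
SUBTYPES = {0x0A: "username", 0x01: "realm", 0x02: "nonce", 0x03: "method", 0x04: "uri"}

# Digest-Attributes values copied from the first Access-Request logged on the page.
PAGE_ATTRS = [
    "0x0a05313031",
    "0x010e3139322e3136382e322e3830",
    "0x022a34363966313930646437336461386462323964356231306236373262646532633262623030353733",
    "0x04127369703a3139322e3136382e322e3830",
    "0x030a5245474953544552",
]

def parse_digest_attributes(hex_values):
    """Decode each value as type(1) | length(1, header included) | ASCII text."""
    fields = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv[2:] if hv.lower().startswith("0x") else hv)
        pos = 0
        while pos < len(raw):
            if len(raw) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            stype, slen = raw[pos], raw[pos + 1]
            if slen < 2 or pos + slen > len(raw):
                raise ValueError("bad sub-attribute length")
            name = SUBTYPES.get(stype, "type_%d" % stype)
            fields[name] = raw[pos + 2:pos + slen].decode("ascii")
            pos += slen
    return fields

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # secret part
    ha2 = md5_hex(f"{method}:{uri}")                 # request part
    if qop:  # general RFC 2617 form, not used by the requests on this page
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def verify(fields, password, received):
    """Recompute from the stored password; compare in constant time."""
    expected = digest_response(password=password, **fields)
    return hmac.compare_digest(expected, received.lower())

if __name__ == "__main__":
    f = parse_digest_attributes(PAGE_ATTRS)
    print(f, digest_response(password="101", **f))  # password stated in the thread
```

When reproducing a hash by hand, note that `echo '...' | md5sum` also hashes the trailing newline; `printf '%s' '...' | md5sum` does not.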