3.0.x: user-password length decoding sometimes wrong?

Stefano Mason stefano.mason at eng-mo.it
Mon Nov 30 18:01:32 CET 2015


On 11/30/2015 05:34 PM, Alan DeKok wrote:
> On Nov 30, 2015, at 11:30 AM, Stefano Mason <stefano.mason at eng-mo.it> wrote:
>> Thanks Alan, but the alternative isn't good in all situations. When I used the previous code the regex failed with all the passwords that end with zero, like: mikemouse00.
>    No.
>
>    The code I posted converts the User-Password to an *octet* string in Tmp-Octets-0.  So if the ASCII version ends with "00", the octet string will end with "3030".

Your code in action from a Brocade switch (password MATgia00):

Mon Nov 30 17:47:37 2015 : Debug: (1) Received Access-Request Id 143 from XXX.XX.XX.X:13894 to XXX.XXX.XX.XX:1812 length 94
Mon Nov 30 17:47:37 2015 : Debug: (1)   User-Name = "bob"
Mon Nov 30 17:47:37 2015 : Debug: (1)   User-Password = "MATgia00\000\000\000\000\000\000\000\031"
Mon Nov 30 17:47:37 2015 : Debug: (1)   NAS-IP-Address = XXX.XX.XX.X
Mon Nov 30 17:47:37 2015 : Debug: (1)   NAS-Identifier = "XXXXXXXXXXXXX"
Mon Nov 30 17:47:37 2015 : Debug: (1)   Calling-Station-Id = "XX.XX.XXX.XX"
Mon Nov 30 17:47:37 2015 : Debug: (1)   NAS-Port = 12869
Mon Nov 30 17:47:37 2015 : Debug: (1)   NAS-Port-Type = Virtual
Mon Nov 30 17:47:37 2015 : Debug: (1) session-state: No State attribute
Mon Nov 30 17:47:37 2015 : Debug: (1) # Executing section authorize from file /etc/raddb/sites-enabled/default
Mon Nov 30 17:47:37 2015 : Debug: (1)   authorize {
Mon Nov 30 17:47:37 2015 : Debug: (1)     update request {
Mon Nov 30 17:47:37 2015 : Debug: (1)       Tmp-Octets-0 := &User-Password -> 0x4d415467696130300000000000000019
Mon Nov 30 17:47:37 2015 : Debug: (1)     } # update request = noop
Mon Nov 30 17:47:37 2015 : Debug: (1)     if (Tmp-Octets-0 =~ /^0x00/) {
Mon Nov 30 17:47:37 2015 : Debug: No matches
Mon Nov 30 17:47:37 2015 : Debug: (1)     if (Tmp-Octets-0 =~ /^0x00/)  -> FALSE
Mon Nov 30 17:47:37 2015 : Debug: (1)     if (Tmp-Octets-0 =~ /^(0x(..)+)00/) {
Mon Nov 30 17:47:37 2015 : Debug: No matches
Mon Nov 30 17:47:37 2015 : Debug: Adding 3 matches
Mon Nov 30 17:47:37 2015 : Debug: (1)     if (Tmp-Octets-0 =~ /^(0x(..)+)00/)  -> TRUE
Mon Nov 30 17:47:37 2015 : Debug: (1)     if (Tmp-Octets-0 =~ /^(0x(..)+)00/)  {
Mon Nov 30 17:47:37 2015 : Debug: (1)       update request {
Mon Nov 30 17:47:37 2015 : Debug: (1)         1/3 Found: 0x4d41546769613030000000000000 (31)
Mon Nov 30 17:47:37 2015 : Debug: (1)         EXPAND %{1}
Mon Nov 30 17:47:37 2015 : Debug: (1)            --> 0x4d41546769613030000000000000
Mon Nov 30 17:47:37 2015 : Debug: (1)         Tmp-Octets-0 := 0x4d41546769613030000000000000
Mon Nov 30 17:47:37 2015 : Debug: (1)         Overwriting value "0x4d415467696130300000000000000019" with "0x4d41546769613030000000000000"
Mon Nov 30 17:47:37 2015 : Debug: (1)       } # update request = noop
Mon Nov 30 17:47:37 2015 : Debug: (1)       update request {
Mon Nov 30 17:47:37 2015 : Debug: (1)         EXPAND %{string:Tmp-Octets-0}
Mon Nov 30 17:47:37 2015 : Debug: (1)            --> MATgia00\000\000\000\000\000
Mon Nov 30 17:47:37 2015 : Debug: (1)         User-Password := MATgia00
Mon Nov 30 17:47:37 2015 : Debug: (1)         Overwriting value "MATgia00\000\000\000\000\000\000\000\031" with "MATgia00\000\000\000\000"
Mon Nov 30 17:47:37 2015 : Debug: (1)       } # update request = noop
Mon Nov 30 17:47:37 2015 : Debug: (1)     } # if (Tmp-Octets-0 =~ /^(0x(..)+)00/)  = noop


Cheers.
Stefano
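
Added example, not part of the original message and not FreeRADIUS code: it replays the regex from the debug output above on the logged Tmp-Octets-0 value, next to two octet-aligned ways of cutting at the first 0x00 octet. Python's `re` stands in for the server's regex engine (an assumption), and the lazy pattern and all function names are hypothetical.

```python
import re

# Octet string logged for Tmp-Octets-0 in the debug output above.
LOGGED = "0x4d415467696130300000000000000019"

# Pattern taken from the debug output: (..)+ is greedy, so it backtracks
# from the end and stops at the LAST octet-aligned "00".
GREEDY = re.compile(r"^(0x(..)+)00")

# Hypothetical variant: (..)+? is lazy, so it stops at the FIRST
# octet-aligned "00". It needs at least one octet before the NUL; the
# leading-NUL case is the separate /^0x00/ test seen in the log.
LAZY = re.compile(r"^(0x(..)+?)00")


def strip_with(pattern, octets):
    """Return capture group 1 (what %{1} expands to), or the input if no match."""
    m = pattern.match(octets)
    return m.group(1) if m else octets


def octets_to_bytes(octets):
    """Decode a "0x..." octet string into raw bytes."""
    return bytes.fromhex(octets[2:])


def truncate_at_first_nul(octets):
    """Regex-free equivalent: decode, cut at the first 0x00 byte, re-encode."""
    return "0x" + octets_to_bytes(octets).split(b"\x00", 1)[0].hex()


if __name__ == "__main__":
    # Constructed inputs: a password ending in ASCII "00" with no padding,
    # and bytes 30 0a 00, whose hex has an unaligned "00" at offset 1.
    for sample in (LOGGED, "0x6d696b656d6f7573653030", "0x300a00"):
        print(sample)
        print("  greedy :", strip_with(GREEDY, sample))
        print("  lazy   :", strip_with(LAZY, sample))
        print("  split  :", truncate_at_first_nul(sample))
```

Because `(..)` consumes two hex digits at a time, both patterns only test for `00` on octet boundaries, so ASCII "0" characters (0x30) in the password are never mistaken for padding.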