rlm_digest failing after upgrade from 2.1.12 to 2.2.5

Daniel Pocock daniel at pocock.pro
Thu Oct 22 09:21:53 CEST 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 22/10/15 08:48, Daniel Pocock wrote:
> 
> 
> On 21/10/15 10:23, Stefan Paetow wrote:
>>> Can anybody give any feedback on this or suggest the best way
>>> to troubleshoot the issue?
> 
>> As is customary on the list, a debug output of such a request
>> would be most helpful :-)
> 
>> Run /usr/sbin/freeradius -fxx -l stdout and then capture an 
>> authentication request. Post the entire output (from the
>> beginning) here. Folks appreciate that more than having to make a
>> stab in the dark.
> 
> 
> 
> We tried that, we can see freeradius is authorizing the requests
> 
> libfreeradius-client is logging the following:
> 
> rc_check_reply: received invalid reply digest from RADIUS server
> 
> and giving the response -2 (BADRESP_RC) to the application code
> 
> Still trying to work out why this is happening.  Have any digest 
> algorithms or other things changed between 2.1.x and 2.2.5?
> 


I looked at the packets with wireshark, the digest strings appear to
be 16 bytes in request and response

freeradius-client is hard coded to md5

I disabled the check in the libfreeradius-client code and everything
else appears to work (commenting out the return BADRESP_RC):



        if (memcmp ((char *) reply_digest, (char *) calc_digest,
                    AUTH_VECTOR_LEN) != 0)
        {
#ifdef RADIUS_116
                /* the original Livingston radiusd v1.16 seems to have
                   a bug in digest calculation with accounting requests,
                   authentication request are ok. i looked at the code
                   but couldn't find any bugs. any help to get this
                   kludge out are welcome. preferably i want to
                   reproduce the calculation bug here to be compatible
                   to stock Livingston radiusd v1.16.   -lf, 03/14/96
                 */
                if (auth->code == PW_ACCOUNTING_RESPONSE)
                        return OK_RC;
#endif
                rc_log(LOG_ERR, "rc_check_reply: received invalid
reply digest from RADIUS server, ignoring, patched 2015-10-22");
                //return BADRESP_RC;
        }

        return OK_RC;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWKI6RAAoJEOm1uwJp1aqDMrUP/igzj6VjMQVzAllv1HyxlNIB
os4GnSFhIZaf2/bdBXyzh/YX4RRpemip3B8NQYiFCjE8j8KlUsFk+NK9Uucx5ekd
wabckALNS8btxTLFzNwXX8ryfuJC8VU+qxV3b6+Z0d3tlpEgPdJbzCC7sjrv81K2
aDUH7XsrOWb3rJZ1De9/iiXaaipqy5K3933wbbNa25BclIbqhEYdjyg7oSPPczwX
4nCYUhdKL9ZSibzQYwS7iYX5oCAyoQqdyvq9vF560mwkLl0Q9TfXuAvlATjHILqc
xBb/7Z+TjbZEv2JNHhjBLI0LQHVdzIx2v7gj+ZRmrQFiBHcYXkM8qP5SRUDYL5hR
/VnpAPeli1j54Ads/NcX4PJyXN5H6yDmogOFROlc8PBaHBFpglFSnMRnMDCXxd78
vtLZdjJnD6z2jw7yXQRRwvNumclZBFR0KXEbTNAoB12B176jyUhv0xMVlJYDII0N
AHAaSC53DLTbpo2DGYZVo4N1I1VfNlYKBQb6/HoxNYNtjRUibfFKAwJCqGrT+M80
bEh4UIiibIOHFEDytnzUyJk97X1+azldB7YNZg1ucq9b29Y4Qewf6XnOXbYFcVxr
la1rVPaBh1nGq0YA4HomDKjVQEvxk7MU0lpy4l2HR8SfXTjwaFr9ZinHTT8e5NH+
+uaaegLoNVuOfGcetxWR
=MVkX
-----END PGP SIGNATURE-----

More information about the Freeradius-Users mailing list