I'm testing the rlm_digest module in freeradius 1.0.5 to make a digest authentication.
To test, I'm using radclient and I'm passing to it the Digest attributes in order to authenticate on the localhost.
I'm using the command below to authenticate the user "bob" password "zanzibar" in my radius server but it's not working.
echo ' User-name = "bob", Digest-Response = "bdbeebb2da6adb6bca02599c2239e192", Digest-Realm = "biloxi.com", Digest-Nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", Digest-Method = "INVITE", Digest-URI = "sip:[EMAIL PROTECTED]", Digest-Algorithm = "MD5", Digest-User-Name = "bob", Digest-QOP = "auth-int", Digest-Nonce-Count = "00000001", Digest-CNonce = "0a4f113b", Digest-Body-Digest = "c1ed018b8ec4a3b170c0921f5b564e48"' | /usr/bin/radclient localhost auth testing123 2>&1
The values I'm passing in the attributes are supposed to be correct. I extracted them from the draft http://ftp6.us.freebsd.org/pub/rfc/internet-drafts/draft-smith-sipping-auth-examples-01.txt
What is going wrong is the calculation of H(A2). See the output of "radiusd -X" in response to that command above:
Cleaning up request 0 ID 111 with timestamp 439dbec1
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:32937, id=117, length=229
User-Name = "bob"
Digest-Response = "bdbeebb2da6adb6bca02599c2239e192"
Digest-Attributes = 0x010c62696c6f78692e636f6d
Digest-Attributes = 0x022464636439386237313032646432663065386231316430663630306266623063303933
Digest-Attributes = 0x0308494e56495445
Digest-Attributes = 0x04147369703a626f624062696c6f78692e636f6d
Digest-Attributes = 0x06054d4435
Digest-Attributes = 0x0a05626f62
Digest-Attributes = 0x050a617574682d696e74
Digest-Attributes = 0x090a3030303030303031
Digest-Attributes = 0x080a3061346631313362
Digest-Attributes = 0x07226331656430313862386563346133623137306330393231663562353634653438
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_digest: Converting Digest-Attributes to something sane...
Digest-Realm = "biloxi.com"
Digest-Nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
Digest-Method = "INVITE"
Digest-URI = "sip:[EMAIL PROTECTED]"
Digest-Algorithm = "MD5"
Digest-User-Name = "bob"
Digest-QOP = "auth-int"
Digest-Nonce-Count = "00000001"
Digest-CNonce = "0a4f113b"
Digest-Body-Digest = "c1ed018b8ec4a3b170c0921f5b564e48"
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module "digest" returns ok for request 1
rlm_realm: No '@' in User-Name = "bob", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry bob at line 5
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
A1 = bob:biloxi.com:zanzibar
A2 = INVITE:sip:[EMAIL PROTECTED]:Áí???Ä£±pÀ??[VNH
H(A1) = 12af60467a33e8518da5c68bbff12b11
H(A2) = 7a3ae801f64033d060b8209ec071569c
KD = 12af60467a33e8518da5c68bbff12b11:dcd98b7102dd2f0e8b11d0f600bfb0c093:00000001:0a4f113b:auth-int:7a3ae801f64033d060b8209ec071569c
EXPECTED 6b2a26c4371e4bbac1d5e71763443f5f
RECEIVED bdbeebb2da6adb6bca02599c2239e192
rlm_digest: FAILED authentication
modcall[authenticate]: module "digest" returns reject for request 1
modcall: group authenticate returns reject for request 1
auth: Failed to validate the user.
PS: The value of H(A2) should be 3e8ec46a56447dbb073e1171b1be0683. You can verify it by running the command:
echo -n "INVITE:sip:[EMAIL PROTECTED]:c1ed018b8ec4a3b170c0921f5b564e48" | md5sum
That draft also confirms that H(A2) should be "3e8ec46a56447dbb073e1171b1be0683".
So, why is rlm_digest calculating it as "7a3ae801f64033d060b8209ec071569c"?
Is it really a bug or am I making some silly mistake?
Any help will be greatly appreciated.
bnegrao
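Added example (not part of the original post, and not FreeRADIUS code): it decodes the Digest-Attributes values from the debug output above and computes the RFC 2617 auth-int response twice, once with Digest-Body-Digest kept as 32 hex characters and once hex-decoded to 16 raw bytes, so both H(A2) results can be compared with the two values quoted in the post. The sub-attribute type numbers are inferred from the order of the decoded attributes in the log, and the function names are illustrative.

```python
import hashlib

# Digest-Attributes values copied from the "radiusd -X" output in the post.
DIGEST_ATTRIBUTES = [
    "010c62696c6f78692e636f6d",
    "022464636439386237313032646432663065386231316430663630306266623063303933",
    "0308494e56495445",
    "04147369703a626f624062696c6f78692e636f6d",
    "06054d4435",
    "0a05626f62",
    "050a617574682d696e74",
    "090a3030303030303031",
    "080a3061346631313362",
    "07226331656430313862386563346133623137306330393231663562353634653438",
]
# Assumption: type numbers inferred from the order of the decoded list in the log.
REALM, NONCE, METHOD, URI, QOP, ALGORITHM, BODY, CNONCE, NC, USER = range(1, 11)

def parse_sub_attribute(hex_value):
    """Split one value into (type, value); the length byte counts the 2-byte header."""
    raw = bytes.fromhex(hex_value)
    if len(raw) < 2 or raw[1] != len(raw):
        raise ValueError("bad Digest-Attributes sub-attribute length")
    return raw[0], raw[2:]

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def digest_response(attrs, password, body_as_raw_bytes=False):
    """RFC 2617 request-digest for qop=auth-int: returns (H(A1), H(A2), response)."""
    body = attrs[BODY]
    if body_as_raw_bytes:
        # Variant: hex-decode the entity-body hash before it goes into A2.
        body = bytes.fromhex(body.decode("ascii"))
    a1 = b":".join([attrs[USER], attrs[REALM], password])
    a2 = b":".join([attrs[METHOD], attrs[URI], body])
    ha1, ha2 = md5_hex(a1), md5_hex(a2)
    fields = [attrs[k].decode("ascii") for k in (NONCE, NC, CNONCE, QOP)]
    kd = ":".join([ha1, *fields, ha2])
    return ha1, ha2, md5_hex(kd.encode("ascii"))

def compare(password=b"zanzibar"):
    """Compute both variants from the captured attributes."""
    attrs = dict(parse_sub_attribute(h) for h in DIGEST_ATTRIBUTES)
    return {"hex": digest_response(attrs, password),
            "raw": digest_response(attrs, password, body_as_raw_bytes=True)}

if __name__ == "__main__":
    for label, (ha1, ha2, response) in compare().items():
        print(label, "H(A1)=" + ha1, "H(A2)=" + ha2, "response=" + response)
```

The non-printable tail of the `A2 =` line in the log begins with the characters for bytes 0xc1 0xed, the first two bytes of the Digest-Body-Digest value, which is why the raw-bytes variant is worth checking against the server's H(A2).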