From owner-freebsd-current@FreeBSD.ORG Wed Jul 6 15:53:00 2005
Return-Path:
X-Original-To: freebsd-current@freebsd.org
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 49FBE16A41C for ; Wed, 6 Jul 2005 15:53:00 +0000 (GMT) (envelope-from pquerna@apache.org)
Received: from utopia.in.force-elite.com (force-elite.com [216.255.199.145]) by mx1.FreeBSD.org (Postfix) with ESMTP id D88CA43D46 for ; Wed, 6 Jul 2005 15:52:59 +0000 (GMT) (envelope-from pquerna@apache.org)
X-AuthUser: chip@force-elite.com
Received: from [10.0.0.41] (10.0.0.41:2412) by utopia.in.force-elite.com with [XMail 1.17 (Linux/Ix86) ESMTP Server] id for from ; Wed, 06 Jul 2005 08:52:58 -0700
Message-ID: <42CBFE5B.6000401@apache.org>
Date: Wed, 06 Jul 2005 08:52:59 -0700
From: Paul Querna
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Brian Candler
References: <42CAE06A.6000003@apache.org> <20050706100829.GA83543@uk.tiscali.com>
In-Reply-To: <20050706100829.GA83543@uk.tiscali.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-current@freebsd.org
Subject: Re: [PATCH] libradius: Always Include Authenticator
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 06 Jul 2005 15:53:00 -0000

Brian Candler wrote:
> On Tue, Jul 05, 2005 at 12:32:58PM -0700, Paul Querna wrote:
>
>>The attached patch will always include the Authenticator Field, in all
>>RADIUS packets, not just accounting packets. This is a SHOULD violation
>>from the RFC.
>
>
> I don't understand this. If you're talking about RFC 2865, which bit exactly
> are you referring to?
>

Sorry, this is my misunderstanding of the RFC.

I thought that an authenticator should have been generated with the same
method for both access requests and accounting requests.

> As far as I can see, the function insert_request_authenticator() generates
> the authenticator by hashing all the attributes within the request plus the
> shared secret. This is the correct behaviour for accounting requests (only).
> Your patch wrongly applies this to Access-Request as well.
>
> In Access-Request packets, the Request Authenticator should be a *random*
> number (RFC2865 section 3, page 15), and this is already done by
> rad_create_request()
>
> So, can you describe more precisely how and why you think the current
> behaviour is wrong?

The behavior I am seeing is that this random number is _always_ the same.

>>I found this problem fixing a bug for my mod_auth_xradius[1]. It
>>appears that some commercial RADIUS authentication servers will reject
>>packets with identical Authenticator fields as duplicates.
>
>
> But these RADIUS servers, even if they detect a duplicate, are required to
> send the same response as they did to the original request.
>
> Is the packet actually a duplicate, or is it a different authentication
> request? If it's different, then it should have a different random
> authenticator. Are you saying that the random number generator is giving the
> same answer each time? If so then it's a seeding problem. I see that
> srandomdev() is called in rad_auth_open though.

Different authentication requests. All have the same authenticator.

Looking closely, it appears the root cause was a problem when I ported the
code to Linux. Linux doesn't have a srandomdev() :)

Sorry for the noise, I made a mistake.

-Paul
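Added example, not from this thread and not libradius code, showing the two Request Authenticator constructions the reply above distinguishes: the RFC 2866 hash for Accounting-Request (MD5 over the packet with a zeroed authenticator field plus the shared secret, which is what insert_request_authenticator() is described as doing) and the RFC 2865 random 16 octets for Access-Request. It also models the failure mode Paul describes, a client whose generator is never seeded from a random source, and a server-side duplicate cache keyed on the authenticator, so the "all requests look like retransmissions" symptom can be reproduced offline. The attribute values, the secret, the DuplicateCache class and the constant-seed model of the unseeded generator are all constructed for the example.

```python
import hashlib
import hmac
import os
import random
import struct

ACCESS_REQUEST = 1      # RFC 2865 Code value
ACCOUNTING_REQUEST = 4  # RFC 2866 Code value
HEADER_LEN = 20         # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attribute(attr_type, value):
    """RFC 2865 section 5 attribute: Type, Length (counts the 2-byte header), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code, identifier, authenticator, attributes):
    """Serialise a RADIUS packet: header, 16-byte authenticator, then the attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be exactly 16 bytes")
    body = b"".join(attributes)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def accounting_request_authenticator(identifier, attributes, secret):
    # RFC 2866 section 3: MD5 over Code, Identifier, Length, 16 zero octets,
    # the request attributes, and finally the shared secret.
    zeroed = build_packet(ACCOUNTING_REQUEST, identifier, bytes(16), attributes)
    return hashlib.md5(zeroed + secret).digest()


def build_accounting_request(identifier, attributes, secret):
    auth = accounting_request_authenticator(identifier, attributes, secret)
    return build_packet(ACCOUNTING_REQUEST, identifier, auth, attributes)


def verify_accounting_request(packet, secret):
    """Server side: recompute the hash with the authenticator field zeroed; compare in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def build_access_request(identifier, attributes, rng=None):
    # RFC 2865 section 3: the Request Authenticator is 16 octets that must be
    # unpredictable and unique over the lifetime of the shared secret. os.urandom
    # gives that; the rng hook exists only so the unseeded-client case can be modelled.
    if rng is None:
        auth = os.urandom(16)
    else:
        auth = bytes(rng.getrandbits(8) for _ in range(16))
    return build_packet(ACCESS_REQUEST, identifier, auth, attributes)


def request_authenticator(packet):
    return packet[4:HEADER_LEN]


class DuplicateCache:
    """Constructed model of a server that rejects a repeated Request Authenticator as a retransmission.
    (RFC 2865 keys duplicate detection on source address, port and Identifier; this models the
    stricter behaviour the thread attributes to some commercial servers.)"""

    def __init__(self):
        self.seen = set()

    def is_duplicate(self, packet):
        key = request_authenticator(packet)
        if key in self.seen:
            return True
        self.seen.add(key)
        return False


def unseeded_client_authenticators(count):
    """Failure mode: a client whose generator is never seeded from a random source restarts
    from the same state for every request (modelled here by seeding with a constant, an
    assumption standing in for a port that lost its srandomdev() call)."""
    attrs = [encode_attribute(1, b"alice")]  # User-Name, constructed sample
    return [request_authenticator(build_access_request(i, attrs, rng=random.Random(1)))
            for i in range(count)]


if __name__ == "__main__":
    secret = b"s3cr3t"  # constructed shared secret
    attrs = [encode_attribute(1, b"alice"), encode_attribute(40, b"\x00\x00\x00\x01")]  # User-Name, Acct-Status-Type=Start
    acct = build_accounting_request(7, attrs, secret)
    print("accounting request verifies:", verify_accounting_request(acct, secret))
    cache = DuplicateCache()
    for pkt in (build_access_request(1, attrs), build_access_request(2, attrs)):
        print("seeded client, duplicate:", cache.is_duplicate(pkt))
    print("unseeded client, identical authenticators:", len(set(unseeded_client_authenticators(3))) == 1)
```

Two things worth noticing when running it: the accounting check fails on any change to the body or the secret, which is why that construction cannot be reused for Access-Request (the server has nothing to compare against until it has the attributes, and the User-Password hiding in RFC 2865 needs the authenticator to be unpredictable), and the constant-seed model produces the same 16 bytes for every request regardless of Identifier, which is exactly what a duplicate cache keyed on the authenticator will reject.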