Why MessageAuthenticator_Set() has to be called twice when calculate HMAC.MD5 hashes? #123

taleintervenor · 2024-07-31T10:16:04Z

I have read the issue 27 and successfully add the Message-Authenticator field to request. But I cannot understand why rfc2869.MessageAuthenticator_Set() has to be called twice.

In my own code:

	rfc2869.MessageAuthenticator_Set(packet, make([]byte, 16))
	...
	rfc2869.MessageAuthenticator_Set(packet, hash.Sum(nil))

It seems the second set action should completely overwrite the previous data.
But when I coment out the first MessageAuthenticator_Set, the request sent to freeradius server was dropped with error log like:

Info: Dropping packet without response because of error: Received packet from xxx with invalid Message-Authenticator! (shared secret isincorrect,)

It turns out that the first MessageAuthenticator_Set() is necessary.
So what is the difference it actually made?

The text was updated successfully, but these errors were encountered:

icb- · 2024-09-17T16:52:14Z

Per RFC2869 §5.14

When the checksum is calculated the signature string should be considered to be sixteen octets of zero.

The first call to rfc2869.MessageAuthenticator_Set inserts the attribute in the packet. The second call updates the attribute value to the hash you calculated.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Why MessageAuthenticator_Set() has to be called twice when calculate HMAC.MD5 hashes? #123

Why MessageAuthenticator_Set() has to be called twice when calculate HMAC.MD5 hashes? #123

taleintervenor commented Jul 31, 2024

icb- commented Sep 17, 2024

Why MessageAuthenticator_Set() has to be called twice when calculate HMAC.MD5 hashes? #123

Why MessageAuthenticator_Set() has to be called twice when calculate HMAC.MD5 hashes? #123

Comments

taleintervenor commented Jul 31, 2024

icb- commented Sep 17, 2024