layeh / radius

a Go (golang) RADIUS client and server implementation
https://pkg.go.dev/layeh.com/radius
Mozilla Public License 2.0

Why MessageAuthenticator_Set() has to be called twice when calculate HMAC.MD5 hashes? #123

Open taleintervenor opened 1 month ago

taleintervenor commented 1 month ago

I have read issue #27 and successfully added the Message-Authenticator field to the request. But I cannot understand why rfc2869.MessageAuthenticator_Set() has to be called twice.

In my own code:

    rfc2869.MessageAuthenticator_Set(packet, make([]byte, 16))
    ...
    rfc2869.MessageAuthenticator_Set(packet, hash.Sum(nil))

It seems the second set action should completely overwrite the previous data. But when I comment out the first MessageAuthenticator_Set, the request sent to the FreeRADIUS server is dropped with an error log like:

    Info: Dropping packet without response because of error: Received packet from xxx with invalid Message-Authenticator! (shared secret is incorrect,)

It turns out that the first MessageAuthenticator_Set() is necessary. So what difference does it actually make?

icb- commented 9 hours ago

Per RFC2869 §5.14

When the checksum is calculated the signature string should be considered to be sixteen octets of zero.

The first call to rfc2869.MessageAuthenticator_Set inserts the attribute in the packet. The second call updates the attribute value to the hash you calculated.
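To make the difference concrete, here is an added, self-contained Go example. It is not code from layeh/radius and does not call rfc2869.MessageAuthenticator_Set; it hand-encodes a minimal RADIUS Access-Request with the standard library so the two signing orders can be compared side by side. It assumes the RFC 2865 header layout, attribute type 80 for Message-Authenticator (RFC 2869 §5.14), and a constructed shared secret and User-Name; the `signRequest`, `signRequestWithoutPlaceholder` and `verifyRequest` names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"fmt"
)

const (
	codeAccessRequest        = 1
	attrUserName             = 1
	attrMessageAuthenticator = 80 // RFC 2869 §5.14
)

type attribute struct {
	typ   byte
	value []byte
}

// packet is a minimal RADIUS packet: RFC 2865 §3 header plus attributes.
type packet struct {
	code, identifier byte
	authenticator    [16]byte
	attrs            []attribute
}

// encode serialises the packet to wire format and fills in the Length field.
func (p *packet) encode() ([]byte, error) {
	var body bytes.Buffer
	for _, a := range p.attrs {
		if len(a.value) > 253 {
			return nil, fmt.Errorf("attribute %d too long", a.typ)
		}
		body.WriteByte(a.typ)
		body.WriteByte(byte(2 + len(a.value)))
		body.Write(a.value)
	}
	length := 20 + body.Len()
	out := []byte{p.code, p.identifier, byte(length >> 8), byte(length)}
	out = append(out, p.authenticator[:]...)
	return append(out, body.Bytes()...), nil
}

// setMessageAuthenticator has "set" semantics: it inserts the attribute on
// the first call and overwrites its value on later calls.
func (p *packet) setMessageAuthenticator(v []byte) {
	for i := range p.attrs {
		if p.attrs[i].typ == attrMessageAuthenticator {
			p.attrs[i].value = append([]byte(nil), v...)
			return
		}
	}
	p.attrs = append(p.attrs, attribute{attrMessageAuthenticator, append([]byte(nil), v...)})
}

// messageAuthenticatorHMAC returns HMAC-MD5(secret, wire) with the 16 value
// octets of Message-Authenticator zeroed, plus the offset of that value
// (-1 when the attribute is absent). This is what a receiver computes.
func messageAuthenticatorHMAC(wire, secret []byte) ([]byte, int) {
	buf := append([]byte(nil), wire...)
	at := -1
	for off := 20; off+2 <= len(buf); {
		t, l := buf[off], int(buf[off+1])
		if l < 2 || off+l > len(buf) {
			break
		}
		if t == attrMessageAuthenticator && l == 18 {
			at = off + 2
			for i := at; i < at+16; i++ {
				buf[i] = 0
			}
		}
		off += l
	}
	mac := hmac.New(md5.New, secret)
	mac.Write(buf)
	return mac.Sum(nil), at
}

// signRequest is the correct two-step order from the thread: insert a zeroed
// placeholder so the attribute (and its 18 bytes of Length) are part of the
// HMAC input, then overwrite the placeholder with the digest.
func signRequest(p *packet, secret []byte) ([]byte, error) {
	p.setMessageAuthenticator(make([]byte, 16))
	wire, err := p.encode()
	if err != nil {
		return nil, err
	}
	digest, _ := messageAuthenticatorHMAC(wire, secret)
	p.setMessageAuthenticator(digest)
	return p.encode()
}

// signRequestWithoutPlaceholder reproduces the dropped-packet case: the HMAC
// is computed over a packet that does not yet carry the attribute at all.
func signRequestWithoutPlaceholder(p *packet, secret []byte) ([]byte, error) {
	wire, err := p.encode()
	if err != nil {
		return nil, err
	}
	digest, _ := messageAuthenticatorHMAC(wire, secret)
	p.setMessageAuthenticator(digest)
	return p.encode()
}

// verifyRequest is the server-side check FreeRADIUS performs.
func verifyRequest(wire, secret []byte) bool {
	expected, at := messageAuthenticatorHMAC(wire, secret)
	if at < 0 {
		return false
	}
	return hmac.Equal(wire[at:at+16], expected)
}

// sampleRequest builds a constructed Access-Request (fixed authenticator, not random).
func sampleRequest() *packet {
	p := &packet{code: codeAccessRequest, identifier: 7}
	copy(p.authenticator[:], bytes.Repeat([]byte{0xA5}, 16))
	p.attrs = append(p.attrs, attribute{attrUserName, []byte("alice")})
	return p
}

func main() {
	secret := []byte("testing123") // constructed shared secret
	good, _ := signRequest(sampleRequest(), secret)
	bad, _ := signRequestWithoutPlaceholder(sampleRequest(), secret)
	fmt.Println("with placeholder   :", verifyRequest(good, secret))
	fmt.Println("without placeholder:", verifyRequest(bad, secret))
}
```

Without the placeholder call, the bytes fed to HMAC-MD5 are a shorter packet: the Length field is 18 smaller and the type, length and sixteen zero octets of the attribute are missing, so the server's recomputation over the real wire bytes can never match, which is exactly the "invalid Message-Authenticator" drop seen in the log.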