Hi Christian,
I guess this was on this list a few weeks ago:
Fabian Mauchle wrote on 12/09/2019 15:54:
> Hi Christian,
> On 12.09.19, 15:34, "radsecproxy on behalf of Christian Claveleira"
> <radsecproxy-bounces@lists.nordu.net on behalf of Christian.Claveleira@renater.fr> wrote:
>> it seems the content of the secret string is interpreted when it
>> contains a "%" :
>> when a client (or server) declaration contains
>> secret fht8CD%E7am
>> it is interpreted as
>> getgenericconfig: block client xxxx.yyyyy: secret = fht8CDçam
>> One can see "%E7" is translated as the "ç" character.
> This case is mentioned in the manpage radsecproxy.conf(5):
> If you want to write a % and not use this decoding, you may of course
> write % in hex; i.e., %25.
> Regards, Fabian
Regards Helge
Wiethoff, Helge wrote on 09/10/2019 16:44:
> Hi Christian,
> I guess this was on this list a few weeks ago:
not exactly. If you reread you'll see we take into account the translation of the sequences "%hh" in the secret strings...
Christian
Hi Christian,
On 09.10.19, 17:00, "radsecproxy on behalf of Christian Claveleira" <radsecproxy-bounces@lists.nordu.net on behalf of Christian.Claveleira@renater.fr> wrote:
>>> when a client (or server) declaration contains
>>> secret fht8CD%E7am
>>>
>>> it is interpreted as
>>> getgenericconfig: block client xxxx.yyyyy: secret = fht8CDçam
>>>
>>> One can see "%E7" is translated as the "ç" character.
This would indicate that the un-escaping is happening twice. I will check that.
BR, Fabian
-- SWITCH Fabian Mauchle, Network Engineer Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland Phone +41 44 268 15 30, direct +41 44 268 15 39 fabian.mauchle@switch.ch, http://www.switch.ch
Hi Christian,
On 16.10.19, 13:14, "radsecproxy on behalf of Fabian Mauchle" <radsecproxy-bounces@lists.nordu.net on behalf of fabian.mauchle@switch.ch> wrote:
> This would indicate that the un-escaping is happening twice. I will check that.
I've pushed a fix to this to master as well as the maint-1.8 branch
BR, Fabian
Fabian Mauchle wrote on 18/10/2019 15:54:
> Hi Christian,
> On 16.10.19, 13:14, "radsecproxy on behalf of Fabian Mauchle" <radsecproxy-bounces@lists.nordu.net on behalf of fabian.mauchle@switch.ch> wrote:
>> This would indicate that the un-escaping is happening twice. I will check that.
> I've pushed a fix to this to master as well as the maint-1.8 branch
Hi Fabian,
I've tested the maint-1.8 branch and now with "ght8CD%25E7am" set as secret in the configuration, a radtest command with "ght8CD%E7am" as secret string succeeds :-)
But radsecproxy debug traces show "block client localhost: secret = ght8CD%25E7am" and not "ght8CD%E7am". Intended?
Christian
Hi Christian,
On 22.10.19, 12:20, "Christian Claveleira" Christian.Claveleira@renater.fr wrote:
> I've tested the maint-1.8 branch and now with "ght8CD%25E7am" set as secret in the configuration, a radtest command with "ght8CD%E7am" as secret string succeeds :-)
Thanks!
> But radsecproxy debug traces show "block client localhost: secret = ght8CD%25E7am" and not "ght8CD%E7am". Intended?
Yes. This debug log lists the config as it is read. For secrets (and a few others) unhexing is deferred to later processing, as we need to deal with %00, which would normally terminate (and thus cut off the rest of) the string.
BR, Fabian
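The behaviour discussed in this thread, as an added example (not radsecproxy's code and not written by any poster): a %hh decoder that returns the decoded length, showing why a second decoding pass undoes the manpage's %25 escape and why a decoded %00 requires tracking the length separately. The names `hexval`, `unhex` and `decode_passes` and the `ab%00cd` input are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: value of one hex digit, or -1 if not a hex digit. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %hh sequences in the first len bytes of buf, in place (buf must
 * hold len + 1 bytes). Returns the decoded length, because a decoded %00
 * makes strlen() on the result report too few bytes. */
size_t unhex(char *buf, size_t len) {
    size_t in = 0, out = 0;
    while (in < len) {
        if (buf[in] == '%' && in + 2 < len &&
            hexval(buf[in + 1]) >= 0 && hexval(buf[in + 2]) >= 0) {
            buf[out++] = (char)(hexval(buf[in + 1]) * 16 + hexval(buf[in + 2]));
            in += 3;
        } else {
            buf[out++] = buf[in++];
        }
    }
    buf[out] = '\0';
    return out;
}

/* Copy a configured value into out and decode it `passes` times. */
size_t decode_passes(const char *conf, int passes, char *out, size_t outsz) {
    size_t len = strlen(conf);
    if (len >= outsz) return 0;
    memcpy(out, conf, len + 1);
    while (passes-- > 0) len = unhex(out, len);
    return len;
}

int main(void) {
    char buf[64];
    size_t n = decode_passes("fht8CD%25E7am", 1, buf, sizeof buf);
    printf("one pass:   %zu bytes: %s\n", n, buf);
    n = decode_passes("fht8CD%25E7am", 2, buf, sizeof buf);
    printf("two passes: %zu bytes, byte 6 = 0x%02X\n", n, (unsigned char)buf[6]);
    n = decode_passes("ab%00cd", 1, buf, sizeof buf); /* constructed input */
    printf("%%00 value:  %zu bytes decoded, strlen sees %zu\n", n, strlen(buf));
    return 0;
}
```

With one pass the configured `%25` yields a literal `%`; with two passes the same value collapses to the 0xE7 byte, so the configured secret no longer matches what the peer uses.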