RADIUS dictionary: BEGIN-VENDOR does not support format=Extended-Vendor-Specific-*
This issue was migrated from bug 13745 in our old bug tracker.
Original bug information:
Reporter: Marius Paliga
Status: RESOLVED FIXED
Product: Wireshark
Component: Dissection engine (libwireshark)
OS: All
Platform: All
Version: 2.3.x (Experimental)
Attachments:
homelanextradius.pcapng: pcap with extended attributes
dictionary.alcatel.sr: Dictionary with Extended-Vendor-Specific attributes
See also: Issue #13176 (closed)
Marius Paliga said:Build Information: TShark (Wireshark) 2.3.0 (ac016c1d65 from master.el6)
Copyright 1998-2017 Gerald Combs <gerald@wireshark.org> and contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, without POSIX capabilities, without libnl, with GLib 2.44.1, with zlib 1.2.3, without SMI, without c-ares, with Lua 5.1.4, with GnuTLS 3.5.11, with Gcrypt 1.4.5, with MIT Kerberos, without GeoIP, without nghttp2, without LZ4, without Snappy, with libxml2 2.7.6.
Running on Linux 2.6.32-220.7.1.el6.x86_64, with Intel(R) Xeon(R) CPU X3440 @ 2.53GHz (with SSE4.2), with 15943 MB of physical memory, with locale en_US.UTF-8, with libpcap version 1.7.2, with GnuTLS 3.5.11, with Gcrypt 1.4.5, with zlib 1.2.3.
Built using gcc 6.3.0.
Please see bug 13176 for details about RFC 6929 implementation: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13176

The issue is that extended attributes are not interpreted correctly. VSA type is taken from vendor's dictionary as "normal" attributes instead of extended ones.

For VSAs in the RFC 6929 we should take attributes from vendor's dictionary section followed by "format=Extended-Vendor-Specific-1": http://freeradius.org/radiusd/man/dictionary.html

Example: The following dictionary entries seem to be ignored (specified with "format=Extended-Vendor-Specific-1"):

    BEGIN-VENDOR Alcatel-IPD format=Extended-Vendor-Specific-1
    ATTRIBUTE Alc-PPPoE-Client-Service 1 integer
    ATTRIBUTE Alc-PPPoE-Client-MAC 2 string
    ...
    END-VENDOR Alcatel-IPD

Instead of this Wireshark takes attributes from vendor's section without "format=" keyword.
- Wireshark GitLab Migration added libwireshark versiondev labels
Alexis La Goutte said:Hi,
Can you attach a pcap sample?
João Valverde said:I wasn't aware of that format when I closed bug #13176 (closed). It is indeed not supported by our parser.
Marius Paliga said:Created attachment 15589 pcap with extended attributes
João Valverde said:Unless there is a bug in the dissector code (quite possible) I edited the title to be more descriptive.
Gerrit Code Review said:Change 21911 had a related patch set uploaded by João Valverde: RADIUS: Fix gda9363e2
João Valverde said:Change 21911 should prevent displaying a wrong EVS value type.
Next step would be to extend the parser for BEGIN-VENDOR and also the vendor dictionary hash table with the larger key space.
Also add an EVS subtree to the UI instead of a VSA where appropriate.
The if (VSA || EVS) condition in dissect_attribute_value_pairs() should be split into separate branches for sanity.
Feedback welcome.
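The key-space point from the comment above, as an added example that is not part of the thread and is not Wireshark code: a dictionary loader that honours `format=Extended-Vendor-Specific-N` on `BEGIN-VENDOR` and keys entries by (vendor ID, outer type, vendor type), so number 9 in the EVS-1 section never resolves against the classic section. The dictionary text, the name `Example-Classic-9` and both function names are constructed for illustration; it assumes the default 1-byte vendor type and length and one sub-attribute per AVP.

```python
import re
import struct

# Constructed sample; Example-Classic-9 is a made-up name colliding on number 9.
SAMPLE_DICT = """\
VENDOR Alcatel-IPD 6527
BEGIN-VENDOR Alcatel-IPD
ATTRIBUTE Example-Classic-9 9 string
ATTRIBUTE Alc-Attribute12 12 string
END-VENDOR Alcatel-IPD
BEGIN-VENDOR Alcatel-IPD format=Extended-Vendor-Specific-1
ATTRIBUTE Alc-Ext-Attribute1 9 integer
END-VENDOR Alcatel-IPD
"""
SAMPLE_EVS = bytes.fromhex("f10c1a0000197f0900000005")  # constructed: 241.26, vendor 6527, type 9
EVS_FORMAT = re.compile(r"format=Extended-Vendor-Specific-([1-6])$")

def load_dictionary(text):
    """Map (vendor_id, outer_type, vendor_type) to (name, datatype); outer_type is 26 or 241..246."""
    vendors, table, scope = {}, {}, None
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split() or [""]     # drop comments and blank lines
        if f[0] == "VENDOR" and len(f) >= 3:
            vendors[f[1]] = int(f[2])
        elif f[0] == "BEGIN-VENDOR" and len(f) >= 2:
            m = EVS_FORMAT.match(f[2]) if len(f) > 2 else None
            if len(f) > 2 and not m:
                raise ValueError("unsupported BEGIN-VENDOR option: " + f[2])
            scope = (vendors[f[1]], 240 + int(m.group(1)) if m else 26)
        elif f[0] == "END-VENDOR":
            scope = None
        elif f[0] == "ATTRIBUTE" and scope and len(f) >= 4:
            table[scope + (int(f[2]),)] = (f[1], f[3])
    return table

def decode_vendor_avp(avp, table):
    """Decode one classic VSA or RFC 6929 EVS AVP (bytes) to (name, value)."""
    if len(avp) < 8 or avp[1] != len(avp):
        raise ValueError("truncated AVP or bad length field")
    if avp[0] == 26:                                 # T, L, Vendor-Id(4), vT, vL, value
        vendor, vtype = struct.unpack_from("!IB", avp, 2)
    elif 241 <= avp[0] <= 246 and avp[2] == 26:      # T, L, Ext-Type, Vendor-Id(4), vT, value
        vendor, vtype = struct.unpack_from("!IB", avp, 3)
    else:
        raise ValueError("not a vendor-specific AVP")
    name, kind = table.get((vendor, avp[0], vtype), ("Unknown-Attribute", "octets"))
    if kind == "integer":
        return name, int.from_bytes(avp[8:], "big")
    return name, avp[8:].decode("ascii", "replace") if kind == "string" else avp[8:].hex()
```

A loader that ignores `format=` would file both sections under the same key and decode the EVS value with the classic entry's name and data type.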
Gerrit Code Review said:Change 21913 had a related patch set uploaded by Michael Mann: RADIUS: Fix gda9363e2
João Valverde said:@Marius Can you provide the full dictionary for this capture?
Marius Paliga said:Created attachment 15607 Dictionary with Extended-Vendor-Specific attributes
Attaching sample dictionary with both "normal" and extended attributes
Gerrit Code Review said:Change 22136 had a related patch set uploaded by João Valverde: RADIUS: Fix dissection for non-standard VSA lengths
Gerrit Code Review said:Change 22139 had a related patch set uploaded by João Valverde: RADIUS: Fix dissection for non-default VSA lengths
Gerrit Code Review said:Change 22155 had a related patch set uploaded by João Valverde: RADIUS: Add dictionary support for format= with BEGIN-VENDOR
Gerrit Code Review said:Change 22155 merged by Anders Broman: RADIUS: Add dictionary support for format= with BEGIN-VENDOR
Marius Paliga said:It seems the fix does not work.
Attached pcap with attached dictionary shows EVS: l=5 5=Unknown-Attribute(9)
João Valverde said:(In reply to Marius Paliga from comment #14)
> It seems the fix does not work.
>
> Attached pcap with attached dictionary shows
> EVS: l=5 5=Unknown-Attribute(9)

Works for me:

    Frame 1: 233 bytes on wire (1864 bits), 233 bytes captured (1864 bits) on interface 0
    (...)
    User Datagram Protocol, Src Port: radius (1812), Dst Port: 64384 (64384)
        Source Port: radius (1812)
        Destination Port: 64384 (64384)
        Length: 191
        Checksum: 0x9287 [correct]
        [Calculated Checksum: 0x9287]
        [Checksum Status: Good]
        [Stream index: 0]
    RADIUS Protocol
        Code: Access-Accept (2)
        Packet identifier: 0x1 (1)
        Length: 183
        Authenticator: 4546148f8caabcd344549bc6c6ada779
        Attribute Value Pairs
            AVP: l=19 t=User-Name(1): 00:00:00:00:00:05
                Type: 1
                Length: 19
                User-Name: 00:00:00:00:00:05
            AVP: l=21 t=Vendor-Specific(26) v=Alcatel-Lucent (formerly 'Panthera Networks, Inc.')(6527)
                Type: 26
                Length: 21
                Vendor ID: Alcatel-Lucent (formerly 'Panthera Networks, Inc.') (6527)
                VSA: l=15 t=Alc-Attribute12(12): subprof_mig_4
                    Type: 12
                    Length: 15
                    Alc-Attribute12: subprof_mig_4
            AVP: l=25 t=Vendor-Specific(26) v=Alcatel-Lucent (formerly 'Panthera Networks, Inc.')(6527)
                Type: 26
                Length: 25
                Vendor ID: Alcatel-Lucent (formerly 'Panthera Networks, Inc.') (6527)
                VSA: l=19 t=Alc-Attribute11(11): [unhandled integer length(17)]
                    Type: 11
                    Length: 19
            AVP: l=12 t=Extended-Vendor-Specific-1(241.26) v=Alcatel-Lucent (formerly 'Panthera Networks, Inc.')(6527)
                Type: 241
                Length: 12
                Extended Type: 26
                Vendor ID: Alcatel-Lucent (formerly 'Panthera Networks, Inc.') (6527)
                EVS: l=5 t=Alc-Ext-Attribute1(9): 5
                    Type: 9
                    Alc-Ext-Attribute1: 5
            AVP: l=25 t=Vendor-Specific(26) v=Alcatel-Lucent (formerly 'Panthera Networks, Inc.')(6527)
                Type: 26
                Length: 25
                Vendor ID: Alcatel-Lucent (formerly 'Panthera Networks, Inc.') (6527)
                VSA: l=19 t=Unknown-Attribute(225): 30303a30303a30303a30303a30303a3035
                    Type: 225
                    Length: 19
                    Unknown-Attribute: 30303a30303a30303a30303a30303a3035
            AVP: l=11 t=Extended-Vendor-Specific-1(241.26) v=Alcatel-Lucent (formerly 'Panthera Networks, Inc.')(6527)
                Type: 241
                Length: 11
                Extended Type: 26
                Vendor ID: Alcatel-Lucent (formerly 'Panthera Networks, Inc.') (6527)
                EVS: l=4 t=Alc-Ext-Attribute7(15): 5:5
                    Type: 15
                    Alc-Ext-Attribute7: 5:5
            AVP: l=20 t=Framed-IPv6-Prefix(97): 3ffe:0:0:5::/64
                Type: 97
                Length: 20
                Framed-IPv6-Prefix: 00403ffe0000000000050000000000000000
            AVP: l=18 t=Extended-Vendor-Specific-1(241.26) v=Alcatel-Lucent (formerly 'Panthera Networks, Inc.')(6527)
                Type: 241
                Length: 18
                Extended Type: 26
                Vendor ID: Alcatel-Lucent (formerly 'Panthera Networks, Inc.') (6527)
                EVS: l=11 t=Alc-Ext-Attribute6(14): target:5:5
                    Type: 14
                    Alc-Ext-Attribute6: target:5:5
            AVP: l=12 t=Extended-Vendor-Specific-1(241.26) v=Alcatel-Lucent (formerly 'Panthera Networks, Inc.')(6527)
                Type: 241
                Length: 12
                Extended Type: 26
                Vendor ID: Alcatel-Lucent (formerly 'Panthera Networks, Inc.') (6527)
                EVS: l=5 t=Alc-Ext-Attribute2(10): 5
                    Type: 10
                    Alc-Ext-Attribute2: 5
Marius Paliga said:Probably problem on my side. But I am still not able to make it work:
- build from master branch
- add custom radius dictionary

Moreover the decoding seems to be incorrect even without adding custom dictionary (clean build from master). Even "normal" attributes are not decoded:

    ...
    RADIUS Protocol
        Code: Access-Accept (2)
        Packet identifier: 0x1 (1)
        Length: 183
        Authenticator: 4546148f8caabcd344549bc6c6ada779
        Attribute Value Pairs
            AVP: l=19 t=User-Name(1): 00:00:00:00:00:05
                Type: 1
                Length: 19
                User-Name: 00:00:00:00:00:05
            AVP: l=21 t=Vendor-Specific(26) v=Alcatel-Lucent (formerly 'Panthera Networks, Inc.')(6527)
                Type: 26
                Length: 21
                Vendor ID: Alcatel-Lucent (formerly 'Panthera Networks, Inc.') (6527)
                VSA: l=15 t=Unknown-Attribute(12): 73756270726f665f6d69675f34
                    Type: 12
                    Length: 15
                    Unknown-Attribute: 73756270726f665f6d69675f34
            AVP: l=25 t=Vendor-Specific(26) v=Alcatel-Lucent (formerly 'Panthera Networks, Inc.')(6527)
                Type: 26
                Length: 25
                Vendor ID: Alcatel-Lucent (formerly 'Panthera Networks, Inc.') (6527)
                VSA: l=19 t=Unknown-Attribute(11): 30303a30303a30303a30303a30303a3035
                    Type: 11
                    Length: 19
                    Unknown-Attribute: 30303a30303a30303a30303a30303a3035
            AVP: l=12 t=Extended-Vendor-Specific-1(241.26) v=Alcatel-Lucent (formerly 'Panthera Networks, Inc.')(6527)
                Type: 241
                Length: 12
                Extended Type: 26
                Vendor ID: Alcatel-Lucent (formerly 'Panthera Networks, Inc.') (6527)
                EVS: l=5 t=Unknown-Attribute(9): 00000005
                    Type: 9
                    Unknown-Attribute: 00000005
            AVP: l=25 t=Vendor-Specific(26) v=Alcatel-Lucent (formerly 'Panthera Networks, Inc.')(6527)
                Type: 26
                Length: 25
                Vendor ID: Alcatel-Lucent (formerly 'Panthera Networks, Inc.') (6527)
                VSA: l=19 t=Unknown-Attribute(225): 30303a30303a30303a30303a30303a3035
                    Type: 225
                    Length: 19
                    Unknown-Attribute: 30303a30303a30303a30303a30303a3035
            AVP: l=11 t=Extended-Vendor-Specific-1(241.26) v=Alcatel-Lucent (formerly 'Panthera Networks, Inc.')(6527)
                Type: 241
                Length: 11
                Extended Type: 26
                Vendor ID: Alcatel-Lucent (formerly 'Panthera Networks, Inc.') (6527)
                EVS: l=4 t=Unknown-Attribute(15): 353a35
                    Type: 15
                    Unknown-Attribute: 353a35
            AVP: l=20 t=Framed-IPv6-Prefix(97): 3ffe:0:0:5::/64
                Type: 97
                Length: 20
                Framed-IPv6-Prefix: 00403ffe0000000000050000000000000000
            AVP: l=18 t=Extended-Vendor-Specific-1(241.26) v=Alcatel-Lucent (formerly 'Panthera Networks, Inc.')(6527)
                Type: 241
                Length: 18
                Extended Type: 26
                Vendor ID: Alcatel-Lucent (formerly 'Panthera Networks, Inc.') (6527)
                EVS: l=11 t=Unknown-Attribute(14): 7461726765743a353a35
                    Type: 14
                    Unknown-Attribute: 7461726765743a353a35
            AVP: l=12 t=Extended-Vendor-Specific-1(241.26) v=Alcatel-Lucent (formerly 'Panthera Networks, Inc.')(6527)
                Type: 241
                Length: 12
                Extended Type: 26
                Vendor ID: Alcatel-Lucent (formerly 'Panthera Networks, Inc.') (6527)
                EVS: l=5 t=Unknown-Attribute(10): 00000005
                    Type: 10
                    Unknown-Attribute: 00000005
João Valverde said:How are you adding the custom dictionary? I just copied it to the radius folder in the build dir. Make sure it is $INCLUDEd.
Maybe your issue is related to bug #6466 (closed) somehow?
João Valverde said:(In reply to João Valverde from comment #17)
> How are you adding the custom dictionary? I just copied it to the radius
> folder in the build dir. Make sure it is $INCLUDEd.
>
> Maybe your issue is related to bug 6466 somehow?

Forgot to mention that if you are using cmake the radius folder lives in the run directory.