Password normalisation functions.  
#include <freeradius-devel/server/password.h>
#include <freeradius-devel/util/atexit.h>
#include <freeradius-devel/util/base64.h>
#include <freeradius-devel/util/base16.h>
#include <freeradius-devel/util/md4.h>
#include <freeradius-devel/util/md5.h>
#include <freeradius-devel/util/misc.h>
#include <freeradius-devel/util/sha1.h>
#include <freeradius-devel/util/value.h>
#include <freeradius-devel/protocol/freeradius/freeradius.internal.password.h>
| static int  | _password_free (UNUSED void *uctx) | 
|   | 
| static int  | _password_init (UNUSED void *uctx) | 
|   | 
| static ssize_t  | normify (normalise_t *action, uint8_t *buffer, size_t bufflen, char const *known_good, size_t len, size_t min_len) | 
|   | 
| fr_pair_t *  | password_find (bool *ephemeral, TALLOC_CTX *ctx, request_t *request, fr_dict_attr_t const *allowed_attrs[], size_t allowed_attrs_len, bool normify) | 
|   | Find a "known good" password in the control list of a request.  
  | 
|   | 
| int  | password_init (void) | 
|   | Load our dictionaries.  
  | 
|   | 
| static fr_pair_t *  | password_normalise_and_recheck (TALLOC_CTX *ctx, request_t *request, fr_dict_attr_t const *allowed_attrs[], size_t allowed_attrs_len, bool normify, fr_pair_t *const known_good) | 
|   | 
| int  | password_normalise_and_replace (request_t *request, bool normify) | 
|   | Find all password attributes in the control list of a request and normalise them.  
  | 
|   | 
| static fr_pair_t *  | password_normify (TALLOC_CTX *ctx, request_t *request, fr_pair_t const *known_good) | 
|   | Hex or base64 or bin auto-discovery.  
  | 
|   | 
| static fr_pair_t *  | password_process (TALLOC_CTX *ctx, request_t *request, fr_pair_t *known_good, bool normify) | 
|   | Apply any processing and normification.  
  | 
|   | 
| static fr_pair_t *  | password_process_header (TALLOC_CTX *ctx, request_t *request, fr_pair_t *known_good) | 
|   | Convert a Password.With-Header attribute to the correct type.  
  | 
|   | 
Password normalisation functions. 
- Copyright
 - 2019 The FreeRADIUS server project 
 
- 
2019 Arran Cudbard-Bell <a.cudbardb@freeradius.org> 
 
Definition in file password.c.
◆ password_info_t
Password information. 
Definition at line 64 of file password.c.
 
| Data Fields | 
| 
bool | 
always_allow | 
Always allow processing of this attribute, irrespective of what the caller says.  | 
| 
fr_dict_attr_t const  ** | 
da | 
Dictionary attribute representing this type of password.  | 
| 
password_preprocess_t | 
func | 
Preprocessing function.  | 
| 
size_t | 
max_hash_len | 
Maximum length of the decoded string if normifying.  If 0, will be ignored.  
 | 
| 
size_t | 
min_hash_len | 
Minimum length of the decoded string if normifying.  If 0, will be ignored.  
 | 
| 
bool | 
no_normify | 
Don't attempt to normalise the contents of this attribute using the hex/base64 decoders.  | 
| 
password_type_t | 
type | 
What type of password value this is.  | 
 
 
◆ MIN_LEN
◆ password_preprocess_t
Apply preprocessing logic to a password value. 
- Parameters
 - 
  
    | [in] | ctx | to allocate returned value in.  | 
    | [in] | request | currently being processed.  | 
    | [in] | in | Pair containing the password to process.  | 
  
   
Definition at line 59 of file password.c.
 
 
◆ normalise_t
| Enumerator | 
|---|
| NORMALISED_NOTHING  |  | 
| NORMALISED_B64  |  | 
| NORMALISED_HEX  |  | 
Definition at line 180 of file password.c.
 
 
◆ password_type_t
| Enumerator | 
|---|
| PASSWORD_CLEARTEXT  | Variable length.  
 | 
| PASSWORD_HASH  | Fixed length.  
 | 
| PASSWORD_HASH_SALTED  | Fixed length hash, variable length salt.  
 | 
| PASSWORD_HASH_VARIABLE  | Variable length everything.  
 | 
Definition at line 45 of file password.c.
 
 
◆ _password_free()
  
  
      
        
          | static int _password_free  | 
          ( | 
          UNUSED void *  | 
          uctx | ) | 
           | 
         
       
   | 
  
static   | 
  
 
 
◆ _password_init()
  
  
      
        
          | static int _password_init  | 
          ( | 
          UNUSED void *  | 
          uctx | ) | 
           | 
         
       
   | 
  
static   | 
  
 
 
◆ normify()
◆ password_find()
Find a "known good" password in the control list of a request. 
Searches for a "known good" password attribute, and applies any processing and normification operations to it, returning a new normalised fr_pair_t.
The ctx passed in should be freed when the caller is done with the returned fr_pair_t; alternatively, a persistent ctx may be used and the value of ephemeral checked. If ephemeral is false the returned pair MUST NOT BE FREED, as it may be an attribute in the request->control_pairs list. If ephemeral is true, the returned pair MUST be freed, or added to one of the pair lists appropriate to the ctx passed in.
- Parameters
 - 
  
    | [out] | ephemeral | If true, the caller must use TALLOC_FREE to free the return value of this function. Alternatively 'ctx' can be freed, which is simpler and cleaner, but some people have religious objections to that.  | 
    | [in] | ctx | Ephemeral ctx to allocate new attributes in.  | 
    | [in] | request | The current request.  | 
    | [in] | allowed_attrs | Optional list of allowed attributes.  | 
    | [in] | allowed_attrs_len | Length of allowed attributes list.  | 
    | [in] | normify | Apply hex/base64 normalisation to attributes.  | 
  
   
- Returns
 
- A fr_pair_t containing a "known good" password.
 
- NULL on error, or if no usable password attributes were found. 
 
Definition at line 983 of file password.c.
 
 
◆ password_init()
      
        
          | int password_init  | 
          ( | 
          void  | 
           | ) | 
           | 
        
      
 
 
◆ password_normalise_and_recheck()
◆ password_normalise_and_replace()
      
        
          | int password_normalise_and_replace  | 
          ( | 
          request_t *  | 
          request,  | 
        
        
           | 
           | 
          bool  | 
          normify  | 
        
        
           | 
          ) | 
           |  | 
        
      
 
Find all password attributes in the control list of a request and normalise them. 
- Parameters
 - 
  
    | [in] | request | The current request.  | 
    | [in] | normify | Apply hex/base64 normalisation to attributes.  | 
  
   
- Returns
 - the number of attributes normalised. 
 
Definition at line 887 of file password.c.
 
 
◆ password_normify()
Hex or base64 or bin auto-discovery. 
Here we try and autodiscover what encoding was used for the password/hash, and convert it back to binary or plaintext.
- Note
 - Earlier versions used a 0x prefix as a hard indicator that the string was hex encoded, and would fail if the 0x was present but the string didn't consist of hexits. The base64 char set is a superset of hex, and it was observed in the wild, that occasionally base64 encoded data really could start with 0x. That's why min_len (and decodability) are used as the only heuristics now.
 
- Parameters
 - 
  
    | [in] | ctx | to allocate new pairs in.  | 
    | [in] | request | The current request.  | 
    | [in] | known_good | password to normify.  | 
  
   
- Returns
 
- NULL if known_good was already normalised, or couldn't be normalised.
 
- A new normalised password pair. 
 
Definition at line 492 of file password.c.
 
 
◆ password_process()
Apply any processing and normification. 
Definition at line 784 of file password.c.
 
 
◆ password_process_header()
Convert a Password.With-Header attribute to the correct type. 
Attribute may be base64 encoded, in which case it will be decoded first, then evaluated.
- Note
 - The buffer for octets type attributes is extended by one byte and '\0' terminated, to allow it to be used as a char buffer.
 
- Parameters
 - 
  
    | [in] | ctx | to allocate new pairs in.  | 
    | [in] | request | Current request.  | 
    | [in] | known_good | Password.With-Header attribute to convert.  | 
  
   
- Returns
 
- A fr_pair_t containing the normified value on success.
 
- NULL on error. 
 
Definition at line 644 of file password.c.
 
 
◆ attr_cleartext
◆ attr_crypt
◆ attr_lm
◆ attr_md5
◆ attr_ns_mta_md5
◆ attr_nt
◆ attr_pbkdf2
◆ attr_pbkdf2_sha1
◆ attr_pbkdf2_sha256
◆ attr_pbkdf2_sha256_legacy
◆ attr_pbkdf2_sha512
◆ attr_root
◆ attr_sha1
◆ attr_sha2
◆ attr_sha2_224
◆ attr_sha2_256
◆ attr_sha2_384
◆ attr_sha2_512
◆ attr_sha3
◆ attr_sha3_224
◆ attr_sha3_256
◆ attr_sha3_384
◆ attr_sha3_512
◆ attr_smd5
◆ attr_ssha1
◆ attr_ssha2_224
◆ attr_ssha2_256
◆ attr_ssha2_384
◆ attr_ssha2_512
◆ attr_ssha3_224
◆ attr_ssha3_256
◆ attr_ssha3_384
◆ attr_ssha3_512
◆ attr_user
◆ attr_with_header
◆ dict_freeradius
◆ dict_radius
◆ normalise_table
Initial value:= {
}
#define L(_str)
Helper for initialising arrays of string literals.
 
 
Definition at line 186 of file password.c.
 
 
◆ normalise_table_len
◆ password_dict
Initial value:= {
}
#define DICT_AUTOLOAD_TERMINATOR
 
static fr_dict_t const  * dict_freeradius
 
static fr_dict_t const  * dict_radius
 
 
Definition at line 126 of file password.c.
 
 
◆ password_dict_attr
◆ password_header_table
◆ password_header_table_len
◆ password_info
Metadata for various password attributes. 
Definition at line 258 of file password.c.
 
 
◆ password_type_table
Initial value:= {
}
@ PASSWORD_HASH
Fixed length.
 
@ PASSWORD_HASH_VARIABLE
Variable length everything.
 
@ PASSWORD_HASH_SALTED
Fixed length hash, variable length salt.
 
@ PASSWORD_CLEARTEXT
Variable length.
 
 
Definition at line 193 of file password.c.
 
 
◆ password_type_table_len