The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
password.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * @file src/lib/server/password.c
19 * @brief Password normalisation functions
20 *
21 * @copyright 2019 The FreeRADIUS server project
22 * @copyright 2019 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
23 */
24RCSID("$Id: 461707e1d7994b1fd728cabe07b6ecdea3415637 $")
25
26#include <freeradius-devel/server/password.h>
27
28#include <freeradius-devel/util/atexit.h>
29#include <freeradius-devel/util/base64.h>
30#include <freeradius-devel/util/base16.h>
31#include <freeradius-devel/util/md4.h>
32#include <freeradius-devel/util/md5.h>
33#include <freeradius-devel/util/misc.h>
34#include <freeradius-devel/util/sha1.h>
35#include <freeradius-devel/util/value.h>
36
37#include <freeradius-devel/protocol/freeradius/freeradius.internal.password.h>
38
39#ifdef HAVE_OPENSSL_EVP_H
40# include <freeradius-devel/tls/openssl_user_macros.h>
41# include <openssl/evp.h>
42# include <openssl/sha.h>
43#endif
44
45typedef enum {
46 PASSWORD_CLEARTEXT = 0, //!< Variable length.
47 PASSWORD_HASH, //!< Fixed length.
48 PASSWORD_HASH_SALTED, //!< Fixed length hash, variable length salt.
49 PASSWORD_HASH_VARIABLE //!< Variable length everything.
50} password_type_t;
51
52/** Apply preprocessing logic to a password value
53 *
54 * @param[in] ctx to allocate returned value in.
55 * @param[in] request currently being processed.
56 * @param[in] in Pair containing the password to process.
57 * @
58 */
59typedef fr_pair_t *(*password_preprocess_t)(TALLOC_CTX *ctx, request_t *request, fr_pair_t *in);
60
61/** Password information
62 *
63 */
64typedef struct {
65 password_type_t type; //!< What type of password value this is.
66 fr_dict_attr_t const **da; //!< Dictionary attribute representing this type of password.
67 password_preprocess_t func; //!< Preprocessing function.
68 size_t min_hash_len; //!< Minimum length of the decoded string if normifying.
69 ///< If 0, will be ignored.
70 size_t max_hash_len; //!< Maximum length of the decoded string if normifying.
71 ///< If 0, will be ignored.
72 bool no_normify; //!< Don't attempt to normalise the contents of this
73 ///< attribute using the hex/base64 decoders.
74 bool always_allow; //!< Always allow processing of this attribute, irrespective
75 ///< of what the caller says.
76} password_info_t;
77
78static fr_dict_t const *dict_freeradius = NULL;
79static fr_dict_t const *dict_radius = NULL;
80
81static fr_dict_attr_t const *attr_cleartext;
82static fr_dict_attr_t const *attr_with_header;
83static fr_dict_attr_t const *attr_root;
84
85static fr_dict_attr_t const *attr_md5;
86static fr_dict_attr_t const *attr_smd5;
87static fr_dict_attr_t const *attr_crypt;
88
89static fr_dict_attr_t const *attr_sha1;
90static fr_dict_attr_t const *attr_ssha1;
91
92static fr_dict_attr_t const *attr_sha2;
93static fr_dict_attr_t const *attr_sha2_224;
94static fr_dict_attr_t const *attr_sha2_256;
95static fr_dict_attr_t const *attr_sha2_384;
96static fr_dict_attr_t const *attr_sha2_512;
97
98static fr_dict_attr_t const *attr_ssha2_224;
99static fr_dict_attr_t const *attr_ssha2_256;
100static fr_dict_attr_t const *attr_ssha2_384;
101static fr_dict_attr_t const *attr_ssha2_512;
102
103static fr_dict_attr_t const *attr_sha3;
104static fr_dict_attr_t const *attr_sha3_224;
105static fr_dict_attr_t const *attr_sha3_256;
106static fr_dict_attr_t const *attr_sha3_384;
107static fr_dict_attr_t const *attr_sha3_512;
108
109static fr_dict_attr_t const *attr_ssha3_224;
110static fr_dict_attr_t const *attr_ssha3_256;
111static fr_dict_attr_t const *attr_ssha3_384;
112static fr_dict_attr_t const *attr_ssha3_512;
113
114static fr_dict_attr_t const *attr_pbkdf2;
115static fr_dict_attr_t const *attr_pbkdf2_sha1;
116static fr_dict_attr_t const *attr_pbkdf2_sha256;
117static fr_dict_attr_t const *attr_pbkdf2_sha512;
118static fr_dict_attr_t const *attr_pbkdf2_sha256_legacy;
119static fr_dict_attr_t const *attr_lm;
120static fr_dict_attr_t const *attr_nt;
121static fr_dict_attr_t const *attr_ns_mta_md5;
122
123static fr_dict_attr_t const *attr_user;
124
125extern fr_dict_autoload_t password_dict[];
126fr_dict_autoload_t password_dict[] = {
127 { .out = &dict_freeradius, .proto = "freeradius" },
128 { .out = &dict_radius, .proto = "radius" },
129 { NULL }
130};
131
132extern fr_dict_attr_autoload_t password_dict_attr[];
133fr_dict_attr_autoload_t password_dict_attr[] = {
134 { .out = &attr_cleartext, .name = "Password.Cleartext", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
135 { .out = &attr_with_header, .name = "Password.With-Header", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
136 { .out = &attr_root, .name = "Password", .type = FR_TYPE_TLV, .dict = &dict_freeradius },
137
138 { .out = &attr_md5, .name = "Password.MD5", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
139 { .out = &attr_smd5, .name = "Password.SMD5", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
140 { .out = &attr_crypt, .name = "Password.Crypt", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
141 { .out = &attr_sha1, .name = "Password.SHA1", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
142 { .out = &attr_ssha1, .name = "Password.SSHA1", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
143
144 { .out = &attr_sha2, .name = "Password.SHA2", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
145 { .out = &attr_sha2_224, .name = "Password.SHA2-224", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
146 { .out = &attr_sha2_256, .name = "Password.SHA2-256", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
147 { .out = &attr_sha2_384, .name = "Password.SHA2-384", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
148 { .out = &attr_sha2_512, .name = "Password.SHA2-512", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
149
150 { .out = &attr_ssha2_224, .name = "Password.SSHA2-224", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
151 { .out = &attr_ssha2_256, .name = "Password.SSHA2-256", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
152 { .out = &attr_ssha2_384, .name = "Password.SSHA2-384", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
153 { .out = &attr_ssha2_512, .name = "Password.SSHA2-512", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
154
155 { .out = &attr_sha3, .name = "Password.SHA3", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
156 { .out = &attr_sha3_224, .name = "Password.SHA3-224", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
157 { .out = &attr_sha3_256, .name = "Password.SHA3-256", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
158 { .out = &attr_sha3_384, .name = "Password.SHA3-384", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
159 { .out = &attr_sha3_512, .name = "Password.SHA3-512", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
160
161 { .out = &attr_ssha3_224, .name = "Password.SSHA3-224", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
162 { .out = &attr_ssha3_256, .name = "Password.SSHA3-256", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
163 { .out = &attr_ssha3_384, .name = "Password.SSHA3-384", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
164 { .out = &attr_ssha3_512, .name = "Password.SSHA3-512", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
165
166 { .out = &attr_pbkdf2, .name = "Password.PBKDF2", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
167 { .out = &attr_pbkdf2_sha1, .name = "Password.PBKDF2-SHA1", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
168 { .out = &attr_pbkdf2_sha256, .name = "Password.PBKDF2-SHA256", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
169 { .out = &attr_pbkdf2_sha512, .name = "Password.PBKDF2-SHA512", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
170 { .out = &attr_pbkdf2_sha256_legacy, .name = "Password.PBKDF2-SHA256-LEGACY", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
171 { .out = &attr_lm, .name = "Password.LM", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
172 { .out = &attr_nt, .name = "Password.NT", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
173 { .out = &attr_ns_mta_md5, .name = "Password.NS-MTA-MD5", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
174
175 { .out = &attr_user, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_radius },
176
177 { NULL }
178};
179
185
186static fr_table_num_sorted_t const normalise_table[] = {
187 { L("base64"), NORMALISED_B64 },
188 { L("hex"), NORMALISED_HEX },
189 { L("nothing"), NORMALISED_NOTHING }
190};
191static size_t normalise_table_len = NUM_ELEMENTS(normalise_table);
192
193static fr_table_num_sorted_t const password_type_table[] = {
194 { L("cleartext"), PASSWORD_CLEARTEXT },
195 { L("hashed"), PASSWORD_HASH },
196 { L("salted-hash"), PASSWORD_HASH_SALTED },
197 { L("variable-length-hash"), PASSWORD_HASH_VARIABLE }
198};
199static size_t password_type_table_len = NUM_ELEMENTS(password_type_table);
200
201/*
202 * Headers for the Password-with-Header attribute
203 *
204 * @note Header comparison is case insensitive.
205 */
206static fr_table_num_sorted_t const password_header_table[] = {
207 { L("{base64_md5}"), FR_MD5 },
208 { L("{clear}"), FR_CLEARTEXT },
209 { L("{cleartext}"), FR_CLEARTEXT },
210 { L("{crypt}"), FR_CRYPT },
211 { L("{md4}"), FR_NT },
212 { L("{md5}"), FR_MD5 },
213 { L("{ns-mta-md5}"), FR_NS_MTA_MD5 },
214 { L("{nt}"), FR_NT },
215 { L("{nthash}"), FR_NT },
216
217 { L("{pbkdf2-sha1}"), FR_PBKDF2_SHA1 },
218 { L("{pbkdf2-sha256}"), FR_PBKDF2_SHA256 },
219 { L("{pbkdf2-sha512}"), FR_PBKDF2_SHA512 },
220 { L("{pbkdf2_sha256}"), FR_PBKDF2_SHA256_LEGACY },
221
222#ifdef HAVE_OPENSSL_EVP_H
223 { L("{sha224}"), FR_SHA2 },
224 { L("{sha256}"), FR_SHA2 },
225 { L("{sha2}"), FR_SHA2 },
226 { L("{sha384}"), FR_SHA2_384 },
227 { L("{sha512}"), FR_SHA2_512 },
228#endif
229 { L("{sha}"), FR_SHA1 },
230 { L("{smd5}"), FR_SMD5 },
231#ifdef HAVE_OPENSSL_EVP_H
232 { L("{ssha224}"), FR_SSHA2_224 },
233 { L("{ssha256}"), FR_SSHA2_256 },
234 { L("{ssha3-224}"), FR_SSHA3_224 },
235 { L("{ssha3-256}"), FR_SSHA3_256 },
236 { L("{ssha3-384}"), FR_SSHA3_384 },
237 { L("{ssha3-512}"), FR_SSHA3_512 },
238 { L("{ssha384}"), FR_SSHA2_384 },
239 { L("{ssha512}"), FR_SSHA2_512 },
240#endif
241 { L("{ssha}"), FR_SSHA1 },
242 { L("{x- orcllmv}"), FR_LM },
243 { L("{x- orclntv}"), FR_NT },
244 { L("{x-nthash}"), FR_NT },
245 { L("{x-pbkdf2}"), FR_PBKDF2 },
246};
247static size_t password_header_table_len = NUM_ELEMENTS(password_header_table);
248
249#ifdef HAVE_OPENSSL_EVP_H
250static fr_pair_t *password_process_sha2(TALLOC_CTX *ctx, request_t *request, fr_pair_t *known_good);
251static fr_pair_t *password_process_sha3(TALLOC_CTX *ctx, request_t *request, fr_pair_t *known_good);
252#endif
253static fr_pair_t *password_process_header(TALLOC_CTX *ctx, request_t *request, fr_pair_t *known_good);
254
255/** Metadata for various password attributes
256 *
257 */
258static password_info_t password_info[] = {
259 [FR_CLEARTEXT] = {
260 .type = PASSWORD_CLEARTEXT,
261 .da = &attr_cleartext,
262 .no_normify = true
263 },
264 [FR_CRYPT] = {
265 .type = PASSWORD_HASH,
266 .da = &attr_crypt
267 },
268 [FR_LM] = {
269 .type = PASSWORD_HASH,
270 .da = &attr_lm,
271 .min_hash_len = MD4_DIGEST_LENGTH
272 },
273 [FR_MD5] = {
274 .type = PASSWORD_HASH,
275 .da = &attr_md5,
276 .min_hash_len = MD5_DIGEST_LENGTH
277 },
278 [FR_NS_MTA_MD5] = {
279 .type = PASSWORD_HASH,
280 .da = &attr_ns_mta_md5
281 },
282 [FR_NT] = {
283 .type = PASSWORD_HASH,
284 .da = &attr_nt,
285 .min_hash_len = MD4_DIGEST_LENGTH
286 },
287 [FR_WITH_HEADER] = {
288 .type = PASSWORD_HASH_VARIABLE,
289 .da = &attr_with_header,
290 .func = password_process_header,
291 .always_allow = true
292 },
293 [FR_PBKDF2] = {
294 .type = PASSWORD_HASH_VARIABLE,
295 .da = &attr_pbkdf2
296 },
297 [FR_PBKDF2_SHA1] = {
298 .type = PASSWORD_HASH_VARIABLE,
299 .da = &attr_pbkdf2_sha1
300 },
301 [FR_PBKDF2_SHA256] = {
302 .type = PASSWORD_HASH_VARIABLE,
303 .da = &attr_pbkdf2_sha256
304 },
305 [FR_PBKDF2_SHA512] = {
306 .type = PASSWORD_HASH_VARIABLE,
307 .da = &attr_pbkdf2_sha512
308 },
309 [FR_PBKDF2_SHA256_LEGACY] = {
310 .type = PASSWORD_HASH_VARIABLE,
311 .da = &attr_pbkdf2_sha256_legacy
312 },
313 [FR_SHA1] = {
314 .type = PASSWORD_HASH,
315 .da = &attr_sha1,
316 .min_hash_len = SHA1_DIGEST_LENGTH
317 },
318#ifdef HAVE_OPENSSL_EVP_H
319 [FR_SHA2] = {
320 .type = PASSWORD_HASH_VARIABLE,
321 .da = &attr_sha2,
322 .func = password_process_sha2,
323 .min_hash_len = SHA224_DIGEST_LENGTH,
324 .max_hash_len = SHA512_DIGEST_LENGTH
325 },
326 [FR_SHA2_224] = {
327 .type = PASSWORD_HASH,
328 .da = &attr_sha2_224,
329 .min_hash_len = SHA224_DIGEST_LENGTH,
330 },
331 [FR_SHA2_256] = {
332 .type = PASSWORD_HASH,
333 .da = &attr_sha2_256,
334 .min_hash_len = SHA256_DIGEST_LENGTH,
335 },
336 [FR_SHA2_384] = {
337 .type = PASSWORD_HASH,
338 .da = &attr_sha2_384,
339 .min_hash_len = SHA384_DIGEST_LENGTH,
340 },
341 [FR_SHA2_512] = {
342 .type = PASSWORD_HASH,
343 .da = &attr_sha2_512,
344 .min_hash_len = SHA512_DIGEST_LENGTH,
345 },
346 [FR_SHA3] = {
347 .type = PASSWORD_HASH_VARIABLE,
348 .da = &attr_sha3,
349 .func = password_process_sha3,
350 .min_hash_len = SHA224_DIGEST_LENGTH,
351 },
352 [FR_SHA3_224] = {
353 .type = PASSWORD_HASH,
354 .da = &attr_sha3_224,
355 .min_hash_len = SHA224_DIGEST_LENGTH,
356 },
357 [FR_SHA3_256] = {
358 .type = PASSWORD_HASH,
359 .da = &attr_sha3_256,
360 .min_hash_len = SHA256_DIGEST_LENGTH,
361 },
362 [FR_SHA3_384] = {
363 .type = PASSWORD_HASH,
364 .da = &attr_sha3_384,
365 .min_hash_len = SHA384_DIGEST_LENGTH,
366 },
367 [FR_SHA3_512] = {
368 .type = PASSWORD_HASH,
369 .da = &attr_sha3_512,
370 .min_hash_len = SHA512_DIGEST_LENGTH
371 },
372#endif
373 [FR_SMD5] = {
374 .type = PASSWORD_HASH,
375 .da = &attr_smd5,
376 .min_hash_len = MD5_DIGEST_LENGTH
377 },
378 [FR_SSHA1] = {
379 .type = PASSWORD_HASH_SALTED,
380 .da = &attr_ssha1,
381 .min_hash_len = SHA1_DIGEST_LENGTH
382 },
383#ifdef HAVE_OPENSSL_EVP_H
384 [FR_SSHA2_224] = {
385 .type = PASSWORD_HASH_SALTED,
386 .da = &attr_ssha2_224,
387 .min_hash_len = SHA224_DIGEST_LENGTH
388 },
389 [FR_SSHA2_256] = {
390 .type = PASSWORD_HASH_SALTED,
391 .da = &attr_ssha2_256,
392 .min_hash_len = SHA256_DIGEST_LENGTH
393 },
394 [FR_SSHA2_384] = {
395 .type = PASSWORD_HASH_SALTED,
396 .da = &attr_ssha2_384,
397 .min_hash_len = SHA384_DIGEST_LENGTH
398 },
399 [FR_SSHA2_512] = {
400 .type = PASSWORD_HASH_SALTED,
401 .da = &attr_ssha2_512,
402 .min_hash_len = SHA512_DIGEST_LENGTH
403 },
404 [FR_SSHA3_224] = {
405 .type = PASSWORD_HASH_SALTED,
406 .da = &attr_ssha3_224,
407 .min_hash_len = SHA224_DIGEST_LENGTH,
408 },
409 [FR_SSHA3_256] = {
410 .type = PASSWORD_HASH_SALTED,
411 .da = &attr_ssha3_256,
412 .min_hash_len = SHA256_DIGEST_LENGTH
413 },
414 [FR_SSHA3_384] = {
415 .type = PASSWORD_HASH_SALTED,
416 .da = &attr_ssha3_384,
417 .min_hash_len = SHA384_DIGEST_LENGTH
418 },
419 [FR_SSHA3_512] = {
420 .type = PASSWORD_HASH_SALTED,
421 .da = &attr_ssha3_512,
422 .min_hash_len = SHA512_DIGEST_LENGTH
423 }
424#endif
425};
426
427#define MIN_LEN(_info) (info->type == PASSWORD_HASH_SALTED ? (info->min_hash_len + 1) : info->min_hash_len)
428
429static ssize_t normify(normalise_t *action, uint8_t *buffer, size_t bufflen,
430 char const *known_good, size_t len, size_t min_len)
431{
432 /*
433 * Else unknown encoding, or already binary. Leave it.
434 */
435 if (action) *action = NORMALISED_NOTHING;
436
437 if (min_len >= bufflen) return 0; /* paranoia */
438
439 /*
440 * Hex encoding. Length is even, and it's greater than
441 * twice the minimum length.
442 */
443 if (!(len & 0x01) && len >= (2 * min_len)) {
444 ssize_t decoded;
445
446 buffer[0] = 0x00; /* clang scan */
447
448 decoded = fr_base16_decode(NULL, &FR_DBUFF_TMP(buffer, bufflen), &FR_SBUFF_IN(known_good, len), true);
449 if (decoded == (ssize_t)(len >> 1)) {
450 if (action) *action = NORMALISED_HEX;
451 return decoded;
452 }
453 }
454
455 /*
456 * Base 64 encoding. It's at least 4/3 the original size,
457 * and we want to avoid division...
458 */
459 if ((len * 3) >= ((min_len * 4))) {
460 ssize_t decoded;
461
462 decoded = fr_base64_decode(&FR_DBUFF_TMP(buffer, bufflen), &FR_SBUFF_IN(known_good, len), true, true);
463 if (decoded <= 0) return 0;
464 if (decoded >= (ssize_t) min_len) {
465 if (action) *action = NORMALISED_B64;
466 return decoded;
467 }
468 }
469
470 return 0;
471}
472
473/** Hex or base64 or bin auto-discovery
474 *
475 * Here we try and autodiscover what encoding was used for the password/hash, and
476 * convert it back to binary or plaintext.
477 *
478 * @note Earlier versions used a 0x prefix as a hard indicator that the string was
479 * hex encoded, and would fail if the 0x was present but the string didn't
480 * consist of hexits. The base64 char set is a superset of hex, and it was
481 * observed in the wild, that occasionally base64 encoded data really could
482 * start with 0x. That's why min_len (and decodability) are used as the
483 * only heuristics now.
484 *
485 * @param[in] ctx to allocate new pairs in.
486 * @param[in] request The current request.
487 * @param[in] known_good password to normify.
488 * @return
489 * - NULL if known_good was already normalised, or couldn't be normalised.
490 * - A new normalised password pair.
491 */
492static fr_pair_t *password_normify(TALLOC_CTX *ctx, request_t *request, fr_pair_t const *known_good)
493{
494 uint8_t buffer[256];
495 ssize_t decoded;
496 fr_pair_t *out;
497 normalise_t normalised;
498 password_info_t *info;
499 size_t min_len;
500
501 if (!fr_cond_assert(known_good->da->attr < NUM_ELEMENTS(password_info))) return NULL;
502
503 info = &password_info[known_good->da->attr];
504 min_len = MIN_LEN(info);
505 if (min_len >= sizeof(buffer)) return NULL; /* paranoia */
506
507 switch (known_good->vp_type) {
508 case FR_TYPE_OCTETS:
509 decoded = normify(&normalised, buffer, sizeof(buffer),
510 (char const *)known_good->vp_octets, known_good->vp_length, min_len);
511 break;
512
513 case FR_TYPE_STRING:
514 decoded = normify(&normalised, buffer, sizeof(buffer),
515 known_good->vp_strvalue, known_good->vp_length, min_len);
516 break;
517
518 default:
519 return NULL;
520 }
521
522 if (normalised != NORMALISED_NOTHING) {
523 RDEBUG2("Normalizing %s %s encoding, %zu bytes -> %zu bytes",
524 known_good->da->name, fr_table_str_by_value(normalise_table, normalised, 0),
525 known_good->vp_length, decoded);
526 MEM(out = fr_pair_afrom_da(ctx, known_good->da));
527 fr_pair_value_memdup(out, buffer, decoded, known_good->vp_tainted);
528 return out;
529 }
530
531 /*
532 * Else unknown encoding, or already binary. Leave it.
533 */
534 return NULL;
535}
536
537#ifdef HAVE_OPENSSL_EVP_H
538/** Split SHA2 hashes into separate attributes based on their length
539 *
540 * @param[in] ctx to allocate attributes in.
541 * @param[in] request The current request.
542 * @param[in] known_good attribute to split.
543 * @return
544 * - A SHA2 length specific attribute.
545 * - NULL on error.
546 */
547static fr_pair_t *password_process_sha2(TALLOC_CTX *ctx, request_t *request, fr_pair_t *known_good)
548{
549 fr_pair_t *out, *normalised;
550
551 switch (known_good->vp_length) {
552 case SHA224_DIGEST_LENGTH:
553 MEM(out = fr_pair_afrom_da(ctx, attr_sha2_224));
554 fr_pair_value_copy(out, known_good);
555 return out;
556
557 case SHA256_DIGEST_LENGTH:
558 MEM(out = fr_pair_afrom_da(ctx, attr_sha2_256));
559 fr_pair_value_copy(out, known_good);
560 return out;
561
562 case SHA384_DIGEST_LENGTH:
563 MEM(out = fr_pair_afrom_da(ctx, attr_sha2_384));
564 fr_pair_value_copy(out, known_good);
565 return out;
566
567 case SHA512_DIGEST_LENGTH:
568 MEM(out = fr_pair_afrom_da(ctx, attr_sha2_512));
569 fr_pair_value_copy(out, known_good);
570 return out;
571
572 default:
573 out = password_normify(ctx, request, known_good);
574 if (!out) return NULL;
575
576 normalised = password_process_sha2(ctx, request, out);
577 TALLOC_FREE(out);
578
579 return normalised;
580 }
581}
582
583/** Split SHA3 hashes into separate attributes based on their length
584 *
585 * @param[in] ctx to allocate attributes in.
586 * @param[in] request The current request.
587 * @param[in] known_good attribute to split.
588 * @return
589 * - A SHA3 length specific attribute.
590 * - NULL on error.
591 */
592static fr_pair_t *password_process_sha3(TALLOC_CTX *ctx, request_t *request, fr_pair_t *known_good)
593{
594 fr_pair_t *out, *normalised;
595
596 switch (known_good->vp_length) {
597 case SHA224_DIGEST_LENGTH:
598 MEM(out = fr_pair_afrom_da(ctx, attr_sha3_224));
599 fr_pair_value_copy(out, known_good);
600 return out;
601
602 case SHA256_DIGEST_LENGTH:
603 MEM(out = fr_pair_afrom_da(ctx, attr_sha3_256));
604 fr_pair_value_copy(out, known_good);
605 return out;
606
607 case SHA384_DIGEST_LENGTH:
608 MEM(out = fr_pair_afrom_da(ctx, attr_sha3_384));
609 fr_pair_value_copy(out, known_good);
610 return out;
611
612 case SHA512_DIGEST_LENGTH:
613 MEM(out = fr_pair_afrom_da(ctx, attr_sha3_512));
614 fr_pair_value_copy(out, known_good);
615 return out;
616
617 default:
618 MEM(out = password_normify(ctx, request, known_good));
619 if (!out) return NULL;
620
621 normalised = password_process_sha3(ctx, request, out);
622 TALLOC_FREE(out);
623
624 return normalised;
625 }
626}
627#endif
628
629/** Convert a Password.With-Header attribute to the correct type
630 *
631 * Attribute may be base64 encoded, in which case it will be decoded
632 * first, then evaluated.
633 *
634 * @note The buffer for octets types\ attributes is extended by one byte
635 * and '\0' terminated, to allow it to be used as a char buff.
636 *
637 * @param[in] ctx to allocate new pairs in.
638 * @param[in] request Current request.
639 * @param[in] known_good Password.With-Header attribute to convert.
640 * @return
641 * - Buffer containing normified value on success.
642 * - NULL on error.
643 */
644static fr_pair_t *password_process_header(TALLOC_CTX *ctx, request_t *request, fr_pair_t *known_good)
645{
646 char const *p, *q, *end;
647
648 uint8_t n1[256], n2[256];
649 ssize_t decoded;
650
651 char header[128];
652 normalise_t normalised;
653
654 fr_pair_t *new;
655 fr_dict_attr_t const *def = attr_cleartext;
656
657 PAIR_VERIFY(known_good);
658
659 /*
660 * Ensure this is only ever called with a
661 * string type attribute.
662 */
663 fr_assert(known_good->vp_type == FR_TYPE_STRING);
664
665 p = known_good->vp_strvalue;
666 end = p + known_good->vp_length;
667
668 /*
669 * Has a header {...} prefix
670 */
671do_header:
672 if ((*p == '{') && (q = memchr(p, '}', end - p))) {
673 size_t hlen;
674 int attr;
675 password_info_t *info;
676
677 hlen = (q - p) + 1;
678 if (hlen >= sizeof(header)) {
679 REDEBUG("Password header too long. Got %zu bytes must be less than %zu bytes",
680 hlen, sizeof(header));
681 return NULL;
682 }
683
684 memcpy(header, p, hlen);
685 header[hlen] = '\0';
686
687 attr = fr_table_value_by_substr(password_header_table, header, hlen, -1);
688 if (attr < 0) {
689 /*
690 * header buffer retains { and }
691 */
692 if (RDEBUG_ENABLED3) {
693 RDEBUG3("Unknown header %s in %pP, re-writing to %s",
694 header, known_good, def->name);
695 } else {
696 RDEBUG2("Unknown header %s in %s, re-writing to %s",
697 header, known_good->da->name, def->name);
698 }
699 p = q + 1;
700 goto bad_header;
701 }
702
703 p = q + 1;
704
705 if (!fr_cond_assert(known_good->da->attr < NUM_ELEMENTS(password_info))) return NULL;
706 info = &password_info[attr];
707
708 MEM(new = fr_pair_afrom_da(ctx, *(info->da)));
709 switch ((*(info->da))->type) {
710 case FR_TYPE_OCTETS:
711 fr_pair_value_memdup(new, (uint8_t const *)p, end - p, true);
712 break;
713
714 case FR_TYPE_STRING:
715 fr_pair_value_bstrndup(new, p, end - p, true);
716 break;
717
718 default:
719 fr_assert_fail(NULL);
720 return NULL;
721 }
722 return new;
723 }
724
725#ifdef STATIC_ANALYZER
726 /*
727 * static analyzer isn't smart enough to notice that "normify" clears out n1.
728 */
729 memset(n1, 0, sizeof(n1));
730#endif
731
732 /*
733 * Doesn't have a header {...} prefix
734 *
735 * See if it's base64 or hex, if it is, decode it and check again!
736 *
737 * We ignore request not to normify, as curly braces aren't
738 * in either of the character sets for the encoding schemes
739 * we're normifying, so there's not the possibility for error
740 * as there is normifying other password hashes.
741 */
742 decoded = normify(&normalised, n1, sizeof(n1), p, end - p, 4); /* { + <char> + } + <char> */
743 if (decoded > 0) {
744 if ((n1[0] == '{') && (memchr(n1, '}', decoded) != NULL)) {
745 RDEBUG2("Normalizing %s %s encoding, %zu bytes -> %zu bytes",
746 known_good->da->name, fr_table_str_by_value(normalise_table, normalised, 0),
747 known_good->vp_length, decoded);
748
749 /*
750 * Password.With-Header is a string attribute.
751 * Even though we're handling binary data, the header
752 * must be \0 terminated.
753 */
754 memcpy(n2, n1, decoded);
755 p = (char const *)n2;
756 end = p + decoded;
757 goto do_header;
758 }
759 }
760
761 /*
762 * Rewrite to the default attribute type
763 * currently Password.Cleartext.
764 *
765 * This is usually correct if there's no
766 * header to indicate hash type.
767 */
768 if (RDEBUG_ENABLED3) {
769 RDEBUG3("No {...} in control.%pP, re-writing to %s", known_good, def->name);
770 } else {
771 RDEBUG2("No {...} in control.%s, re-writing to %s", known_good->da->name, def->name);
772 }
773
774bad_header:
775 MEM(new = fr_pair_afrom_da(ctx, def));
776 fr_pair_value_bstrndup(new, p, end - p, true);
777
778 return new;
779}
780
781/** Apply any processing and normification
782 *
783 */
784static fr_pair_t *password_process(TALLOC_CTX *ctx, request_t *request, fr_pair_t *known_good, bool normify)
785{
786 password_info_t *info;
787 fr_pair_t *out;
788
789 info = &password_info[known_good->da->attr];
790 if (info->func) {
791 fr_pair_t *from_func, *from_recurse;
792
793 /*
794 * Pass our input attribute to a custom preprocessing
795 * function to manipulate it.
796 */
797 from_func = info->func(ctx, request, known_good);
798 if (!from_func) return NULL;
799
800 /*
801 * Processing function may have produced a different
802 * password type, recurse to deal with it...
803 */
804 from_recurse = password_process(ctx, request, from_func, normify);
805
806 /*
807 * Cleanup any intermediary password attributes created
808 * from running the different normalisation and parsing
809 * operations.
810 */
811 if (!from_recurse) {
812 if (from_func != known_good) TALLOC_FREE(from_func);
813 return NULL;
814 }
815 if ((from_func != known_good) && (from_recurse != from_func)) TALLOC_FREE(from_func);
816
817 return from_recurse;
818 }
819
820 /*
821 * Only normify if we're told to, and we have more data
822 * than the minimum length.
823 */
824 if (normify && !info->no_normify && (known_good->vp_length > info->min_hash_len)) {
825 fr_pair_t *from_normify;
826
827 from_normify = password_normify(ctx, request, known_good);
828 out = from_normify ? from_normify : known_good;
829 } else {
830 out = known_good;
831 }
832
833 /*
834 * Sanity checks - Too short
835 */
836 if (info->min_hash_len && (out->vp_length < MIN_LEN(info))) {
837 if (RDEBUG_ENABLED3) {
838 RWDEBUG3("control.%pP too short, expected %zu bytes, got %zu bytes",
839 out, MIN_LEN(info), out->vp_length);
840 } else {
841 RWDEBUG2("control.%s too short, expected %zu bytes, got %zu bytes",
842 out->da->name, MIN_LEN(info), out->vp_length);
843 }
844 invalid:
845 if (out != known_good) TALLOC_FREE(out); /* Free attribute we won't be returning */
846 return NULL;
847 }
848
849 /*
850 * Sanity checks - Too long
851 */
852 if (info->max_hash_len && (out->vp_length > info->max_hash_len)) {
853 if (RDEBUG_ENABLED3) {
854 RWDEBUG3("control.%pP too long, expected %zu bytes, got %zu bytes",
855 out, info->max_hash_len, out->vp_length);
856 } else {
857 RWDEBUG2("control.%s too long, expected %zu bytes, got %zu bytes",
858 out->da->name, info->max_hash_len, out->vp_length);
859 }
860 goto invalid;
861 }
862
863 /*
864 * Sanity checks - Hashes are a fixed length
865 */
866 if ((info->type == PASSWORD_HASH) && (out->vp_length != info->min_hash_len)) {
867
868 if (RDEBUG_ENABLED3) {
869 RWDEBUG3("control.%pP incorrect length, expected %zu bytes, got %zu bytes",
870 out, info->min_hash_len, out->vp_length);
871 } else {
872 RWDEBUG2("control.%s incorrect length, expected %zu bytes, got %zu bytes",
873 out->da->name, info->min_hash_len, out->vp_length);
874 }
875 goto invalid;
876 }
877
878 return out;
879}
880
881/** Find all password attributes in the control list of a request and normalise them
882 *
883 * @param[in] request The current request.
884 * @param[in] normify Apply hex/base64 normalisation to attributes.
885 * @return the number of attributes normalised.
886 */
887int password_normalise_and_replace(request_t *request, bool normify)
888{
889 fr_dcursor_t cursor;
890 int replaced = 0;
891 fr_pair_t *known_good, *new;
892
893 for (known_good = fr_pair_dcursor_by_ancestor_init(&cursor, &request->control_pairs, attr_root);
894 known_good;
895 known_good = fr_dcursor_next(&cursor)) {
896 if (!fr_cond_assert(known_good->da->attr < NUM_ELEMENTS(password_info))) return -1;
897
898 /*
899 * Apply preprocessing steps and normalisation.
900 */
901 new = password_process(request, request, known_good, normify);
902 if (!new) break; /* Process next input attribute */
903
904 if (RDEBUG_ENABLED3) {
905 RDEBUG3("Replacing control.%pP with control.%pP",
906 known_good, new);
907
908 } else {
909 RDEBUG2("Replacing control.%s with control.%s",
910 known_good->da->name, new->da->name);
911 }
912 fr_dcursor_free_item(&cursor);
913 fr_dcursor_prepend(&cursor, new);
914 replaced++;
915 }
916
917 return replaced;
918}
919
920static fr_pair_t *password_normalise_and_recheck(TALLOC_CTX *ctx, request_t *request,
921 fr_dict_attr_t const *allowed_attrs[], size_t allowed_attrs_len,
922 bool normify, fr_pair_t *const known_good)
923{
924 fr_pair_t *new;
925 size_t j;
926
927 if (!fr_cond_assert(known_good->da->attr < NUM_ELEMENTS(password_info))) return NULL;
928
929 /*
930 * Apply preprocessing steps and normalisation.
931 */
932 new = password_process(ctx, request, known_good, normify);
933 if (!new) return NULL;
934
935 /*
936 * If new != known_good, then we need
937 * to check what was produced is still
938 * acceptable.
939 */
940 if (new->da != known_good->da) {
941 for (j = 0; j < allowed_attrs_len; j++) if (allowed_attrs[j] == new->da) return new;
942
943 /*
944 * New attribute not in our allowed list
945 */
946 TALLOC_FREE(new); /* da didn't match, treat as ephemeral */
947 return NULL; /* Process next input attribute */
948 }
949
950 /*
951 * Return attribute for processing
952 */
953 return new;
954}
955
956/** Find a "known good" password in the control list of a request
957 *
958 * Searches for a "known good" password attribute, and applies any processing
959 * and normification operations to it, returning a new normalised fr_pair_t.
960 *
961 * The ctx passed in should be freed when the caller is done with the returned
962 * fr_pair_t, or alternatively, a persistent ctx may be used and the value
963 * of ephemeral checked.
964 * If ephemeral is false the returned pair *MUST NOT BE FREED*, it may be an
965 * attribute in the request->control_pairs list. If ephemeral is true, the returned
966 * pair *MUST* be freed, or added to one of the pair lists appropriate to the
967 * ctx passed in.
968 *
969 * @param[out] ephemeral If true, the caller must use TALLOC_FREE
970 * to free the return value of this function.
971 * Alternatively 'ctx' can be freed, which is
972 * simpler and cleaner, but some people have
973 * religious objections to that.
974 * @param[in] ctx Ephemeral ctx to allocate new attributes in.
975 * @param[in] request The current request.
976 * @param[in] allowed_attrs Optional list of allowed attributes.
977 * @param[in] allowed_attrs_len Length of allowed attributes list.
978 * @param[in] normify Apply hex/base64 normalisation to attributes.
979 * @return
980 * - A fr_pair_t containing a "known good" password.
981 * - NULL on error, or if no usable password attributes were found.
982 */
983fr_pair_t *password_find(bool *ephemeral, TALLOC_CTX *ctx, request_t *request,
984 fr_dict_attr_t const *allowed_attrs[], size_t allowed_attrs_len, bool normify)
985{
986 fr_dcursor_t cursor;
987 fr_pair_t *known_good;
988
989 if (fr_pair_find_by_da(&request->control_pairs, NULL, attr_user) != NULL) {
990 RWDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
991 RWDEBUG("!!! Ignoring control.User-Password. Update your !!!");
992 RWDEBUG("!!! configuration so that the \"known good\" clear text !!!");
993 RWDEBUG("!!! password is in Password.Cleartext and NOT in !!!");
994 RWDEBUG("!!! User-Password. !!!");
995 RWDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
996 }
997
998 for (known_good = fr_pair_dcursor_by_ancestor_init(&cursor, &request->control_pairs, attr_root);
999 known_good;
1000 known_good = fr_dcursor_next(&cursor)) {
1001 password_info_t *info;
1002 fr_pair_t *out;
1003 size_t i;
1004
1005 if (known_good->da->attr >= NUM_ELEMENTS(password_info)) continue;
1006
1007 info = &password_info[known_good->da->attr];
1008
1009 /*
1010 * Minor reduction in work for the caller
1011 * for a moderate increase in code complexity.
1012 */
1013 if (info->always_allow) {
1014 out = password_normalise_and_recheck(ctx, request,
1015 allowed_attrs, allowed_attrs_len,
1016 normify, known_good);
1017 if (!out) continue;
1018 done:
1019 if (RDEBUG_ENABLED3) {
1020 RDEBUG3("Using \"known good\" %s password %pP",
1021 fr_table_str_by_value(password_type_table,
1022 password_info[out->da->attr].type,
1023 "<INVALID>"), out);
1024 } else {
1025 RDEBUG2("Using \"known good\" %s password %s",
1026 fr_table_str_by_value(password_type_table,
1027 password_info[out->da->attr].type,
1028 "<INVALID>"), out->da->name);
1029 }
1030 if (ephemeral) *ephemeral = (known_good != out);
1031 return out;
1032 }
1033
1034 for (i = 0; i < allowed_attrs_len; i++) {
1035 if (allowed_attrs[i] != known_good->da) continue;
1036
1037 out = password_normalise_and_recheck(ctx, request,
1038 allowed_attrs, allowed_attrs_len,
1039 normify, known_good);
1040 if (!out) continue;
1041 goto done;
1042 }
1043 }
1044
1045 return NULL;
1046}
1047
1048static int _password_init(UNUSED void *uctx)
1049{
1050 if (fr_dict_autoload(password_dict) < 0) {
1051 PERROR("%s", __FUNCTION__);
1052 return -1;
1053 }
1054 if (fr_dict_attr_autoload(password_dict_attr) < 0) {
1055 PERROR("%s", __FUNCTION__);
1056 fr_dict_autofree(password_dict);
1057 return -1;
1058 }
1059
1060 return 0;
1061}
1062
1063static int _password_free(UNUSED void *uctx)
1064{
1065 fr_dict_autofree(password_dict);
1066
1067 return 0;
1068}
1069
1070/** Load our dictionaries
1071 *
1072 */
1073int password_init(void)
1074{
1075 int ret;
1076
1077 fr_atexit_global_once_ret(&ret, _password_init, _password_free, NULL);
1078
1079 return ret;
1080}
buffer
static int const char char buffer[256]
Definition acutest.h:576
fr_base16_decode
#define fr_base16_decode(_err, _out, _in, _no_trailing)
Definition base16.h:95
fr_base64_decode
#define fr_base64_decode(_out, _in, _expect_padding, _no_trailing)
Definition base64.h:81
RCSID
#define RCSID(id)
Definition build.h:485
L
#define L(_str)
Helper for initialising arrays of string literals.
Definition build.h:209
UNUSED
#define UNUSED
Definition build.h:317
NUM_ELEMENTS
#define NUM_ELEMENTS(_t)
Definition build.h:339
FR_DBUFF_TMP
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
Definition dbuff.h:514
fr_dcursor_next
static void * fr_dcursor_next(fr_dcursor_t *cursor)
Advanced the cursor to the next item.
Definition dcursor.h:290
fr_dcursor_free_item
static void fr_dcursor_free_item(fr_dcursor_t *cursor)
talloc_free the current item
Definition dcursor.h:809
fr_dcursor_prepend
static int fr_dcursor_prepend(fr_dcursor_t *cursor, void *v)
Insert a single item at the start of the list.
Definition dcursor.h:378
fr_dcursor_s
Definition dcursor.h:93
fr_cond_assert
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
Definition debug.h:139
fr_assert_fail
#define fr_assert_fail(_msg,...)
Calls panic_action ifndef NDEBUG, else logs error.
Definition debug.h:216
MEM
#define MEM(x)
Definition debug.h:36
fr_dict_autofree
#define fr_dict_autofree(_to_free)
Definition dict.h:869
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:273
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:286
fr_dict_attr_autoload
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
Definition dict_util.c:4134
fr_dict_autoload
#define fr_dict_autoload(_to_load)
Definition dict.h:866
in
static fr_slen_t in
Definition dict.h:840
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:272
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:285
PERROR
#define PERROR(_fmt,...)
Definition log.h:228
RWDEBUG
#define RWDEBUG(fmt,...)
Definition log.h:361
RDEBUG_ENABLED3
#define RDEBUG_ENABLED3
True if request debug level 1-3 messages are enabled.
Definition log.h:335
RDEBUG3
#define RDEBUG3(fmt,...)
Definition log.h:343
RWDEBUG2
#define RWDEBUG2(fmt,...)
Definition log.h:362
RWDEBUG3
#define RWDEBUG3(fmt,...)
Definition log.h:363
MD4_DIGEST_LENGTH
#define MD4_DIGEST_LENGTH
Definition md4.h:25
MD5_DIGEST_LENGTH
#define MD5_DIGEST_LENGTH
Definition merged_model.c:242
FR_TYPE_TLV
@ FR_TYPE_TLV
Contains nested attributes.
Definition merged_model.c:118
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
ssize_t
long int ssize_t
Definition merged_model.c:24
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
request_t
Definition merged_model.c:210
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2945
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:697
fr_pair_afrom_da
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:287
fr_pair_value_bstrndup
int fr_pair_value_bstrndup(fr_pair_t *vp, char const *src, size_t len, bool tainted)
Copy data into a "string" type value pair.
Definition pair.c:2795
fr_pair_value_copy
int fr_pair_value_copy(fr_pair_t *dst, fr_pair_t *src)
Copy the value from one pair to another.
Definition pair.c:2573
MIN_LEN
#define MIN_LEN(_info)
Definition password.c:427
attr_lm
static fr_dict_attr_t const * attr_lm
Definition password.c:119
password_type_t
password_type_t
Definition password.c:45
PASSWORD_HASH
@ PASSWORD_HASH
Fixed length.
Definition password.c:47
PASSWORD_HASH_VARIABLE
@ PASSWORD_HASH_VARIABLE
Variable length everything.
Definition password.c:49
PASSWORD_HASH_SALTED
@ PASSWORD_HASH_SALTED
Fixed length hash, variable length salt.
Definition password.c:48
PASSWORD_CLEARTEXT
@ PASSWORD_CLEARTEXT
Variable length.
Definition password.c:46
attr_pbkdf2_sha256_legacy
static fr_dict_attr_t const * attr_pbkdf2_sha256_legacy
Definition password.c:118
attr_ssha2_512
static fr_dict_attr_t const * attr_ssha2_512
Definition password.c:101
password_type_table
static fr_table_num_sorted_t const password_type_table[]
Definition password.c:193
password_info_t::max_hash_len
size_t max_hash_len
Maximum length of the decoded string if normifying.
Definition password.c:70
password_info_t::func
password_preprocess_t func
Preprocessing function.
Definition password.c:67
password_normalise_and_recheck
static fr_pair_t * password_normalise_and_recheck(TALLOC_CTX *ctx, request_t *request, fr_dict_attr_t const *allowed_attrs[], size_t allowed_attrs_len, bool normify, fr_pair_t *const known_good)
Definition password.c:920
attr_sha2_256
static fr_dict_attr_t const * attr_sha2_256
Definition password.c:94
password_info_t::type
password_type_t type
What type of password value this is.
Definition password.c:65
attr_nt
static fr_dict_attr_t const * attr_nt
Definition password.c:120
attr_ssha2_384
static fr_dict_attr_t const * attr_ssha2_384
Definition password.c:100
attr_pbkdf2
static fr_dict_attr_t const * attr_pbkdf2
Definition password.c:114
attr_pbkdf2_sha512
static fr_dict_attr_t const * attr_pbkdf2_sha512
Definition password.c:117
_password_init
static int _password_init(UNUSED void *uctx)
Definition password.c:1048
attr_crypt
static fr_dict_attr_t const * attr_crypt
Definition password.c:87
password_process
static fr_pair_t * password_process(TALLOC_CTX *ctx, request_t *request, fr_pair_t *known_good, bool normify)
Apply any processing and normification.
Definition password.c:784
attr_sha3_256
static fr_dict_attr_t const * attr_sha3_256
Definition password.c:105
dict_freeradius
static fr_dict_t const * dict_freeradius
Definition password.c:78
normify
static ssize_t normify(normalise_t *action, uint8_t *buffer, size_t bufflen, char const *known_good, size_t len, size_t min_len)
Definition password.c:429
attr_sha2_512
static fr_dict_attr_t const * attr_sha2_512
Definition password.c:96
attr_pbkdf2_sha256
static fr_dict_attr_t const * attr_pbkdf2_sha256
Definition password.c:116
attr_ns_mta_md5
static fr_dict_attr_t const * attr_ns_mta_md5
Definition password.c:121
password_init
int password_init(void)
Load our dictionaries.
Definition password.c:1073
password_header_table_len
static size_t password_header_table_len
Definition password.c:247
dict_radius
static fr_dict_t const * dict_radius
Definition password.c:79
attr_user
static fr_dict_attr_t const * attr_user
Definition password.c:123
password_preprocess_t
fr_pair_t *(* password_preprocess_t)(TALLOC_CTX *ctx, request_t *request, fr_pair_t *in)
Apply preprocessing logic to a password value.
Definition password.c:59
attr_pbkdf2_sha1
static fr_dict_attr_t const * attr_pbkdf2_sha1
Definition password.c:115
password_info
static password_info_t password_info[]
Metadata for various password attributes.
Definition password.c:258
attr_sha2_224
static fr_dict_attr_t const * attr_sha2_224
Definition password.c:93
password_info_t::min_hash_len
size_t min_hash_len
Minimum length of the decoded string if normifying.
Definition password.c:68
_password_free
static int _password_free(UNUSED void *uctx)
Definition password.c:1063
password_info_t::always_allow
bool always_allow
Always allow processing of this attribute, irrespective of what the caller says.
Definition password.c:74
attr_ssha3_224
static fr_dict_attr_t const * attr_ssha3_224
Definition password.c:109
normalise_t
normalise_t
Definition password.c:180
NORMALISED_B64
@ NORMALISED_B64
Definition password.c:182
NORMALISED_HEX
@ NORMALISED_HEX
Definition password.c:183
NORMALISED_NOTHING
@ NORMALISED_NOTHING
Definition password.c:181
password_normify
static fr_pair_t * password_normify(TALLOC_CTX *ctx, request_t *request, fr_pair_t const *known_good)
Hex or base64 or bin auto-discovery.
Definition password.c:492
password_process_header
static fr_pair_t * password_process_header(TALLOC_CTX *ctx, request_t *request, fr_pair_t *known_good)
Convert a Password.With-Header attribute to the correct type.
Definition password.c:644
attr_md5
static fr_dict_attr_t const * attr_md5
Definition password.c:85
attr_sha3_224
static fr_dict_attr_t const * attr_sha3_224
Definition password.c:104
attr_ssha2_256
static fr_dict_attr_t const * attr_ssha2_256
Definition password.c:99
password_info_t::no_normify
bool no_normify
Don't attempt to normalise the contents of this attribute using the hex/base64 decoders.
Definition password.c:72
attr_root
static fr_dict_attr_t const * attr_root
Definition password.c:83
attr_sha3_384
static fr_dict_attr_t const * attr_sha3_384
Definition password.c:106
attr_ssha3_256
static fr_dict_attr_t const * attr_ssha3_256
Definition password.c:110
attr_sha2
static fr_dict_attr_t const * attr_sha2
Definition password.c:92
password_normalise_and_replace
int password_normalise_and_replace(request_t *request, bool normify)
Find all password attributes in the control list of a request and normalise them.
Definition password.c:887
password_dict
fr_dict_autoload_t password_dict[]
Definition password.c:126
password_header_table
static fr_table_num_sorted_t const password_header_table[]
Definition password.c:206
attr_ssha3_512
static fr_dict_attr_t const * attr_ssha3_512
Definition password.c:112
attr_sha3
static fr_dict_attr_t const * attr_sha3
Definition password.c:103
attr_ssha2_224
static fr_dict_attr_t const * attr_ssha2_224
Definition password.c:98
normalise_table_len
static size_t normalise_table_len
Definition password.c:191
password_find
fr_pair_t * password_find(bool *ephemeral, TALLOC_CTX *ctx, request_t *request, fr_dict_attr_t const *allowed_attrs[], size_t allowed_attrs_len, bool normify)
Find a "known good" password in the control list of a request.
Definition password.c:983
attr_sha2_384
static fr_dict_attr_t const * attr_sha2_384
Definition password.c:95
attr_ssha1
static fr_dict_attr_t const * attr_ssha1
Definition password.c:90
password_type_table_len
static size_t password_type_table_len
Definition password.c:199
attr_cleartext
static fr_dict_attr_t const * attr_cleartext
Definition password.c:81
attr_ssha3_384
static fr_dict_attr_t const * attr_ssha3_384
Definition password.c:111
password_dict_attr
fr_dict_attr_autoload_t password_dict_attr[]
Definition password.c:133
attr_smd5
static fr_dict_attr_t const * attr_smd5
Definition password.c:86
attr_sha1
static fr_dict_attr_t const * attr_sha1
Definition password.c:89
attr_sha3_512
static fr_dict_attr_t const * attr_sha3_512
Definition password.c:107
password_info_t::da
fr_dict_attr_t const ** da
Dictionary attribute representing this type of password.
Definition password.c:66
normalise_table
static fr_table_num_sorted_t const normalise_table[]
Definition password.c:186
attr_with_header
static fr_dict_attr_t const * attr_with_header
Definition password.c:82
password_info_t
Password information.
Definition password.c:64
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
done
static bool done
Definition radclient.c:81
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient.h:52
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient.h:54
FR_SBUFF_IN
#define FR_SBUFF_IN(_start, _len_or_end)
SHA1_DIGEST_LENGTH
#define SHA1_DIGEST_LENGTH
Definition sha1.h:29
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
fr_table_str_by_value
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
Definition table.h:772
fr_table_value_by_substr
#define fr_table_value_by_substr(_table, _name, _name_len, _def)
Convert a partial string to a value using an ordered or sorted table.
Definition table.h:693
fr_table_num_sorted_t
An element in a lexicographically sorted array of name to num mappings.
Definition table.h:49
PAIR_VERIFY
#define PAIR_VERIFY(_x)
Definition pair.h:191
fr_pair_dcursor_by_ancestor_init
#define fr_pair_dcursor_by_ancestor_init(_cursor, _list, _da)
Initialise a cursor that will return only attributes descended from the specified fr_dict_attr_t.
Definition pair.h:646
out
static size_t char ** out
Definition value.h:1020
Generated by   doxygen 1.9.8