Hi all! I've come across an issue with verification of {SSHA} encrypted passwords in FreeRadius 1.1.4. Verification fails for correct passwords. I've managed to track problem through normify() to base64_decode() function in rlm_pap.c. This seems to be a culprit: if (src[length] != '=') return 0; /* no trailing '=' */ Code assumes every base64-encoded string must end with trailing '=', but this assumption does not seem to be true. SSHA encrypted base64 encoded password does not. E.g.: $ /usr/sbin/slappasswd -h {SSHA} -s password {SSHA}n0woq5pPczJ2k/z12gWO8Ita4mvuBlSE It seems that trailing '='s are only used, when padding is required: $ perl -e 'use MIME::Base64; print encode_base64("a")' YQ== $ perl -e 'use MIME::Base64; print encode_base64("aa")' YWE= $ perl -e 'use MIME::Base64; print encode_base64("aaa")' YWFh $ perl -e 'use MIME::Base64; print encode_base64("aaaa")' YWFhYQ== With check removed, SSHA passwords work fine. But I'm not sure if it has a chance to break something else. Ideas for better fix? th.
Tomas Hoger wrote:
Code assumes every base64-encoded string must end with trailing '=', but this assumption does not seem to be true. SSHA encrypted base64 encoded password does not. E.g.:
OK, I'll delete the problematic line of code. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Tomas Hoger wrote:
Hi all!
I've come across an issue with verification of {SSHA} encrypted passwords in FreeRadius 1.1.4. Verification fails for correct passwords. I've managed to track problem through normify() to base64_decode() function in rlm_pap.c. This seems to be a culprit:
if (src[length] != '=') return 0; /* no trailing '=' */
Fixed, thanks. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Tomas Hoger