When using DOUBLE_QUOTED_STRING, passwords with '\"' may not work
平林 哲
Satoshi.Hirabayashi at soliton.co.jp
Sun Sep 10 23:59:08 UTC 2023
Hi!
When using DOUBLE_QUOTED_STRING, passwords with '\"' may not work.
A user was registered in Active Directory with the password "pass\"word at 2022", and the LDAP module was configured as follows.
===
# cat /usr/local/etc/raddb/mods-enabled/ldap1
ldap {
server = '192.168.1.6'
identity = 'cn=tkt10886-3,cn=users,dc=srv2022,dc=rdd-osaka,dc=soliton,dc=example,dc=jp'
password = "pass\"word at 2022"
base_dn = 'dc=srv2022,dc=rdd-osaka,dc=soliton,dc=example,dc=jp'
===
When we attempted to start the RADIUS service in this state, a syntax error occurred.
=====
# /usr/local/sbin/radiusd -X
FreeRADIUS Version 3.2.3
Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/totp
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/ldap1
/usr/local/etc/raddb/mods-enabled/ldap1[4]: Syntax error: Expected comma after 'pass\\': word at 2022"
Errors reading or parsing /usr/local/etc/raddb/radiusd.conf
=====
We also tried several patterns and summarised the results.

Password             | Configuration            | Result
---------------------|--------------------------|-------------
pass"word at 2022    | "pass\"word at 2022"     | OK
pass\"word at 2022   | "pass\\"word at 2022"    | Syntax error
pass\\"word at 2022  | "pass\\\"word at 2022"   | OK
pass\\\"word at 2022 | "pass\\\\"word at 2022"  | Syntax error
As shown above, a syntax error occurs when the number of '\' characters in the configuration is even.
After investigating the cause of this, it appears that there is a problem with the handling of '\"' in the following section.
===
		/*
		 *	Convert backslash-quote to quote, but
		 *	leave everything else alone.
		 */
		if (p[1] == quote) { /* convert '\'' --> ' */
			p++;
		} else {
			if (buflen < 2) {
				fr_strerror_printf("Truncated input");
				return T_INVALID;
			}
			*(s++) = *(p++);
		}
		*(s++) = *(p++);
	}
===
This problem was solved by changing the above section as follows.
===
	} else {
		/*
		 *	Convert backslash-quote to quote, but
		 *	leave everything else alone.
		 */
		if (p[1] == quote) { /* convert '\'' --> ' */
			if (p[2] != '\0') {
				p++;
			}
		}
		*(s++) = *(p++);
	}
===
Is this the right approach?
Any advice would be appreciated.
More information about the Freeradius-Users mailing list
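As an added worked example, not part of the original post and not FreeRADIUS code: a small C model of the two escape rules quoted in the post (the posted original and the proposed change) run over the four configuration strings from the table. The scanner, the status names and the rest-of-input check are assumptions of this model; it reproduces only the lines shown in the two fragments and says nothing about any later unescaping FreeRADIUS may apply to the token. Under the original rule a backslash that is not followed by the quote is copied together with the character after it, so in `"pass\\"word at 2022"` the pair `\\` is consumed first and the `"` that follows closes the token, leaving `word at 2022"` unconsumed, which is what the "Expected comma after 'pass\\'" message reports.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of scanning one quoted token (names are this example's own). */
enum tok_status { TOK_OK = 0, TOK_TRAILING = 1, TOK_UNTERMINATED = 2 };

/*
 * Scan the quoted token that starts at `in` (its first character must be
 * the quote) into `out` (outlen bytes, always NUL-terminated).
 * `patched` selects which of the two posted escape rules to model:
 *   0: backslash+quote becomes the quote; any other backslash is copied
 *      together with the character that follows it (nothing else is unescaped)
 *   1: backslash+quote becomes the quote unless that quote is the last
 *      character of the input; any other backslash is copied on its own
 *      and scanning resumes at the next character
 * *rest is set to the text after the closing quote ("" if the token ends
 * the input, or if no closing quote was found).
 */
static enum tok_status scan_quoted(const char *in, int patched,
                                   char *out, size_t outlen, const char **rest)
{
    const char *p = in;
    char *s = out;
    char *end = out + outlen - 1;          /* reserve one byte for the NUL */
    char quote = *p++;

    *rest = "";
    while (*p && s < end) {
        if (*p == quote) {                  /* closing quote: token complete */
            *s = '\0';
            *rest = p + 1;
            return (**rest == '\0') ? TOK_OK : TOK_TRAILING;
        }
        if (*p == '\\') {
            if (p[1] == '\0') break;        /* dangling backslash at end of input */
            if (!patched) {
                if (p[1] == quote) {
                    p++;                    /* drop the backslash, keep the quote */
                } else {
                    if (s + 1 >= end) break;
                    *s++ = *p++;            /* copy the backslash ... */
                }
                *s++ = *p++;                /* ... and the character after it */
            } else {
                if (p[1] == quote && p[2] != '\0') p++;
                *s++ = *p++;
            }
            continue;
        }
        *s++ = *p++;
    }
    *s = '\0';
    return TOK_UNTERMINATED;
}

/* Scan `conf` under the chosen rule; 1 if value, rest and status all match. */
static int check(const char *conf, int patched, const char *want_value,
                 const char *want_rest, enum tok_status want_status)
{
    char value[128];
    const char *rest;
    enum tok_status st = scan_quoted(conf, patched, value, sizeof value, &rest);
    return st == want_status && strcmp(value, want_value) == 0
        && strcmp(rest, want_rest) == 0;
}

/* The four configuration strings from the table, written as C literals. */
static const char *const ROWS[] = {
    "\"pass\\\"word at 2022\"",          /* "pass\"word at 2022"    */
    "\"pass\\\\\"word at 2022\"",        /* "pass\\"word at 2022"   */
    "\"pass\\\\\\\"word at 2022\"",      /* "pass\\\"word at 2022"  */
    "\"pass\\\\\\\\\"word at 2022\"",    /* "pass\\\\"word at 2022" */
};

int main(void)
{
    static const char *const names[] = { "OK", "trailing text (syntax error)", "unterminated" };
    for (int patched = 0; patched < 2; patched++) {
        printf("--- %s rule ---\n", patched ? "proposed" : "original");
        for (size_t i = 0; i < sizeof ROWS / sizeof ROWS[0]; i++) {
            char value[128];
            const char *rest;
            enum tok_status st = scan_quoted(ROWS[i], patched, value, sizeof value, &rest);
            printf("%-28s -> value '%s' rest '%s' : %s\n", ROWS[i], value, rest, names[st]);
        }
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c && ./a.out`. Under the proposed rule the even-backslash rows parse because each backslash is handled on its own and only the one directly before the quote is dropped, so `"pass\\"word at 2022"` yields `pass\"word at 2022`. The extra `p[2] != '\0'` check shows up on an input such as `"C:\"`: the original rule treats `\"` as an escaped quote and reports the token unterminated, while the proposed rule treats a final `\"` as a literal backslash followed by the closing quote and returns `C:\`.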