restrictions, etc.
A quite common mistake is to place the attributes in the wrong lists,
-for example placing `Auth-Type`, `Password`, `NT-Password` etc in the check
+for example placing `Auth-Type`, `Password`, `Password.NT` etc in the check
list, or in the reply list. When run in debugging mode, the server will
normally issue `WARNING` messages saying that the attributes are in the
wrong list.
in the request items will not match the password in the check
attributes. You should place Password attribute obtained from database
into configure items and also place Auth-Type attribute with value of
-`MS-CHAP` into same list. The same goes for `NT-Password` (before calling
-`MS-CHAP` Password attribute should be converted to `NT-Password`, it may be
+`MS-CHAP` into same list. The same goes for `Password.NT` (before calling
+`MS-CHAP` Password attribute should be converted to `Password.NT`, it may be
achieved by calling mschap module in authorization section after module
which does actual authorization).
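Review bot: now that this sentence names `Password.NT` explicitly, the bare "Password attribute" two lines above it is ambiguous; the paragraph that follows uses `Password.Cleartext` for the same thing, so use `Password.Cleartext` here as well.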
FreeRADIUS to read this, and set the `Password.Cleartext` control
attribute.
. You have access to the NT (MS-CHAPv2) or LM (MS-CHAPv1) hashes, and
-you configure FreeRADIUS to read this and set the NT/LM-Password control
+you configure FreeRADIUS to read this and set the Password.NT/LM control
attribute.
. You have Samba installed, joined into a windows domain, and use the
ntlm_auth helper binary to pass authentication onwards to a domain
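Review bot: `Password.NT/LM` on the new line reads as a single attribute path, which the old `NT/LM-Password` shorthand did not; spell both out as `Password.NT` or `Password.LM` so a reader does not go looking for an attribute named `NT/LM`.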
=== Local
-If you are performing mschap locally with `Password.Cleartext/NT-Password`,
+If you are performing mschap locally with `Password.Cleartext/Password.NT`,
you can decrypt and process the password change locally.
To do this, you configure the `local_cpw` string:
```
\[
BEGIN
- update radcheck set value=ntpassword where username=raduser and attribute='NT-Password';
+ update radcheck set value=ntpassword where username=raduser and attribute='Password.NT';
if not FOUND then
-- the user does not exist; die
return '';
The local_cpw xlat has access to two variables:
-* MS-CHAP-New-NT-Password - the new value of NT-Password
+* MS-CHAP-New-NT-Password - the new value of Password.NT
* MS-CHAP-New-Cleartext-PAssword - the new value of Password.Cleartext
This allows you to do things like::
```
SQL local_cpw = %{sql:update radcheck set value='%{MS-CHAP-New-NT-Password}' where username=%{User-Name} and
-attribute=’NT-Password'}
+attribute=’Password.NT'}
```
Or:
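Review bot: the `attribute=’Password.NT'` in the SQL example keeps the pre-existing typographic opening quote (U+2019) paired with an ASCII closing quote, so the statement is not valid SQL as written; since the line is being rewritten anyway, make both quotes ASCII `'`. Separately, `'Password.NT'` here is a value stored in `radcheck.attribute`, not a dictionary reference: existing databases hold rows with `'NT-Password'`, so the docs (or the commit message) should say whether the sql module still accepts the old name or whether a data migration is required.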
Q: Can I use rlm_passwd to authenticate user against Linux shadow
password file or BSD-style master.passwd? A: Yes, but you need RADIUS
-running as root. Hint: use Crypt-Password attribute. You probably don’t
+running as root. Hint: use Password.Crypt attribute. You probably don’t
want to use this module with FreeBSD to authenticate against system
file, as it already takes care of caching passwd file entries, but it
-may be helpfull to authenticate against alternate file.
+may be helpful to authenticate against alternate file.
Q: Can I use rlm_passwd to authenticate user against SAMBA smbpasswd? A:
-Yes, you can. Hint: use LM-Password/NT-Password attribute, set authtype
+Yes, you can. Hint: use Password.LM/Password.NT attribute, set authtype
= MS-CHAP.
Q: Can I use rlm_password to authenticate user against
who has current sessions.
| xref:mods-available/sql.adoc[sql] | Provides an abstraction over multiple SQL backends, via database specific drivers.
| xref:mods-available/sqlippool.adoc[sqlippool] | SQL based IP allocation module.
-| xref:mods-available/unix.adoc[unix] | Retrieves a user's encrypted password from the local system and places it into the ``control.Crypt-Password`` attribute.
+| xref:mods-available/unix.adoc[unix] | Retrieves a user's encrypted password from the local system and places it into the ``control.Password.Crypt`` attribute.
The password is retrieved via the ``getpwent()`` and ``getspwent()`` system calls.
|=====
| xref:mods-available/smbpasswd.adoc[smbpasswd] | SMBPasswd
| xref:mods-available/sradutmp.adoc[sradutmp] | sRadutmp
| xref:mods-available/stats.adoc[stats] | Stats
-| xref:mods-available/totp.adoc[totp] |
+| xref:mods-available/totp.adoc[totp] |
|=====
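Review bot: the `totp` row is removed and re-added with identical visible content, so this is a whitespace-only change (most likely trailing space) unrelated to the attribute rename; either drop it from this commit or mention the cleanup in the commit message so the noise is explained.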
== Policy Modules
# valuepair_attribute = 'radiusAttribute'
update {
&control.Password.With-Header += 'userPassword'
-# &control.NT-Password := 'ntPassword'
+# &control.Password.NT := 'ntPassword'
# &reply.Reply-Message := 'radiusReplyMessage'
# &reply.Tunnel-Type := 'radiusTunnelType'
# &reply.Tunnel-Medium-Type := 'radiusTunnelMediumType'
# ntlm_auth_username = "username: %(mschap:User-Name)"
# ntlm_auth_domain = "nt-domain: %(mschap:NT-Domain)"
# local_cpw = "%(exec:/path/to/script %(mschap:User-Name) %{MS-CHAP-New-Password.Cleartext})"
-# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{User-Name}' and attribute='NT-Password'}"
+# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{User-Name}' and attribute='Password.NT'}"
}
# use_open_directory = yes
# allow_retry = yes
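Review bot: the xlat variable names on these lines are inconsistent with each other and with the doc hunk above: `%{MS-CHAP-New-NT-Password}` keeps the hyphenated `NT-Password` form (correctly, since it is not the `Password.NT` attribute), but the line before it uses `%{MS-CHAP-New-Password.Cleartext}`, while the prose in the earlier hunk documents the same variable as `MS-CHAP-New-Cleartext-PAssword`. That looks like an earlier search-and-replace of `Cleartext-Password` running inside the `MS-CHAP-New-` name; please confirm the real xlat name and use it in both places. Also worth a comment next to the `exec` example: it puts the user's new cleartext password on a child process's command line, where it is visible to any local user via process listings.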
| Header | Attribute | Description
| {clear} | Password.Cleartext | Clear-text passwords.
| {cleartext} | Password.Cleartext | Clear-text passwords.
-| {crypt} | Crypt-Password | Unix-style "crypt"ed passwords.
-| {md5} | MD5-Password | MD5 hashed passwords.
-| {base64_md5} | MD5-Password | MD5 hashed passwords.
-| {smd5} | SMD5-Password | MD5 hashed passwords, with a salt.
-| {sha} | SHA-Password | SHA1 hashed passwords.
-| | SHA1-Password | SHA1 hashed passwords.
-| {ssha} | SSHA-Password | SHA1 hashed passwords, with a salt.
-| {sha2} | SHA2-Password | SHA2 hashed passwords.
-| {sha224} | SHA2-Password | SHA2 hashed passwords.
-| {sha256} | SHA2-Password | SHA2 hashed passwords.
-| {sha384} | SHA2-Password | SHA2 hashed passwords.
-| {sha512} | SHA2-Password | SHA2 hashed passwords.
-| {ssha224} | SSHA2-224-Password | SHA2 hashed passwords, with a salt.
-| {ssha256} | SSHA2-256-Password | SHA2 hashed passwords, with a salt.
-| {ssha384} | SSHA2-384-Password | SHA2 hashed passwords, with a salt.
-| {ssha512} | SSHA2-512-Password | SHA2 hashed passwords, with a salt.
-| {ssha3} | SHA3-Password | SHA3 hashed passwords.
-| {ssha3-224} | SHA3-224-Password | SHA3 hashed passwords, with a salt.
-| {ssha3-256} | SHA3-256-Password | SHA3 hashed passwords, with a salt.
-| {ssha3-384} | SHA3-384-Password | SHA3 hashed passwords, with a salt.
-| {ssha3-512} | SHA3-512-Password | SHA3 hashed passwords, with a salt.
-| {nt} | NT-Password | Windows NT hashed passwords.
-| {nthash} | NT-Password | Windows NT hashed passwords.
-| {md4} | NT-Password | Windows NT hashed passwords.
-| {x-nthash} | NT-Password | Windows NT hashed passwords.
-| {ns-mta-md5} | NS-MTA-MD5-Password | Netscape MTA MD5 hashed passwords.
-| {x- orcllmv} | LM-Password | Windows LANMAN hashed passwords.
-| {X- orclntv} | NT-Password | Windows NT hashed passwords.
+| {crypt} | Password.Crypt | Unix-style "crypt"ed passwords.
+| {md5} | Password.MD5 | MD5 hashed passwords.
+| {base64_md5} | Password.MD5 | MD5 hashed passwords.
+| {smd5} | Password.SMD5 | MD5 hashed passwords, with a salt.
+| {sha} | Password.SHA | SHA1 hashed passwords.
+| | Password.SHA1 | SHA1 hashed passwords.
+| {ssha} | Password.SSHA | SHA1 hashed passwords, with a salt.
+| {sha2} | Password.SHA2 | SHA2 hashed passwords.
+| {sha224} | Password.SHA2 | SHA2 hashed passwords.
+| {sha256} | Password.SHA2 | SHA2 hashed passwords.
+| {sha384} | Password.SHA2 | SHA2 hashed passwords.
+| {sha512} | Password.SHA2 | SHA2 hashed passwords.
+| {ssha224} | Password.SSHA2-224 | SHA2 hashed passwords, with a salt.
+| {ssha256} | Password.SSHA2-256 | SHA2 hashed passwords, with a salt.
+| {ssha384} | Password.SSHA2-384 | SHA2 hashed passwords, with a salt.
+| {ssha512} | Password.SSHA2-512 | SHA2 hashed passwords, with a salt.
+| {ssha3} | Password.SHA3 | SHA3 hashed passwords.
+| {ssha3-224} | Password.SHA3-224 | SHA3 hashed passwords, with a salt.
+| {ssha3-256} | Password.SHA3-256 | SHA3 hashed passwords, with a salt.
+| {ssha3-384} | Password.SHA3-384 | SHA3 hashed passwords, with a salt.
+| {ssha3-512} | Password.SHA3-512 | SHA3 hashed passwords, with a salt.
+| {nt} | Password.NT | Windows NT hashed passwords.
+| {nthash} | Password.NT | Windows NT hashed passwords.
+| {md4} | Password.NT | Windows NT hashed passwords.
+| {x-nthash} | Password.NT | Windows NT hashed passwords.
+| {ns-mta-md5} | Password.NS-MTA-MD5 | Netscape MTA MD5 hashed passwords.
+| {x- orcllmv} | Password.LM | Windows LANMAN hashed passwords.
+| {X- orclntv} | Password.NT | Windows NT hashed passwords.
|===
The module tries to be flexible when handling the various password for mats.
and convert them to a format that the server can use.
If there is no `Password.With-Header` attribute, the module looks for one
-of the `Password.Cleartext`, `NT-Password`, `Crypt-Password`, etc. attributes
+of the `Password.Cleartext`, `Password.NT`, `Password.Crypt`, etc. attributes
as listed in the above table. These attributes should contain the relevant
format password directly, without the header prefix.
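Review bot: the `{ssha3}` row maps a salted header to the unsalted `Password.SHA3` and describes it as "SHA3 hashed passwords" with no salt, while the `{ssha3-224}` to `{ssha3-512}` rows are described "with a salt" but map to `Password.SHA3-224` and friends without the `S` that the `Password.SSHA2-*` rows use; one of the two conventions is wrong and should be checked against the dictionary before the rename bakes it in. The `{x- orcllmv}` and `{X- orclntv}` headers also carry a stray space and inconsistent case. In the trailing context, "password for mats" on the first line after the table should be "password formats".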
```
passwd smbpasswd {
filename = /etc/smbpasswd
- format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
+ format = "*User-Name::Password.LM:Password.NT:SMB-Account-CTRL-TEXT::"
hash_size = 100
ignore_nislike = no
allow_multiple_keys = no
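Review bot: the `format` string is parsed by rlm_passwd, which maps each colon-separated field to an attribute by name; please confirm the parser resolves `Password.LM` and `Password.NT` as nested attribute references rather than looking up a flat attribute literally named `Password.LM`, otherwise this example silently stops populating the hashes and MS-CHAP against smbpasswd fails.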
The `pap` module is also responsible for "normalizing" the
various kinds of "known good" passwords.
-e.g. `NT-Password` may come as a 16 byte blob, or as a
+e.g. `Password.NT` may come as a 16 byte blob, or as a
32-byte hex string, or as a base-64 encoded string. The
`pap` module will look for common variations of password
encoding, and convert them all to a normal form.
For users who are using MS-CHAP authentication. A back-end
database listed in the "recv Access-Request" section MUST supply
-either a Password.Cleartext attribute, or an NT-Password
+either a Password.Cleartext attribute, or a Password.NT
attribute. Encrypted passwords won't work.
#
update {
&control.Password.With-Header += 'userPassword'
-# &control.NT-Password := 'ntPassword'
+# &control.Password.NT := 'ntPassword'
# &reply.Reply-Message := 'radiusReplyMessage'
# &reply.Tunnel-Type := 'radiusTunnelType'
# &reply.Tunnel-Medium-Type := 'radiusTunnelMediumType'
# TIP: We give both examples here, but *only one should be used*.
#
# local_cpw = "%(exec:/path/to/script %(mschap:User-Name) %{MS-CHAP-New-Password.Cleartext})"
-# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{User-Name}' and attribute='NT-Password'}"
+# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{User-Name}' and attribute='Password.NT'}"
}
#
# | Header | Attribute | Description
# | {clear} | Password.Cleartext | Clear-text passwords.
# | {cleartext} | Password.Cleartext | Clear-text passwords.
-# | {crypt} | Crypt-Password | Unix-style "crypt"ed passwords.
-# | {md5} | MD5-Password | MD5 hashed passwords.
-# | {base64_md5} | MD5-Password | MD5 hashed passwords.
-# | {smd5} | SMD5-Password | MD5 hashed passwords, with a salt.
-# | {sha} | SHA-Password | SHA1 hashed passwords.
-# | | SHA1-Password | SHA1 hashed passwords.
-# | {ssha} | SSHA-Password | SHA1 hashed passwords, with a salt.
-# | {sha2} | SHA2-Password | SHA2 hashed passwords.
-# | {sha224} | SHA2-Password | SHA2 hashed passwords.
-# | {sha256} | SHA2-Password | SHA2 hashed passwords.
-# | {sha384} | SHA2-Password | SHA2 hashed passwords.
-# | {sha512} | SHA2-Password | SHA2 hashed passwords.
-# | {ssha224} | SSHA2-224-Password | SHA2 hashed passwords, with a salt.
-# | {ssha256} | SSHA2-256-Password | SHA2 hashed passwords, with a salt.
-# | {ssha384} | SSHA2-384-Password | SHA2 hashed passwords, with a salt.
-# | {ssha512} | SSHA2-512-Password | SHA2 hashed passwords, with a salt.
-# | {ssha3} | SHA3-Password | SHA3 hashed passwords.
-# | {ssha3-224} | SHA3-224-Password | SHA3 hashed passwords, with a salt.
-# | {ssha3-256} | SHA3-256-Password | SHA3 hashed passwords, with a salt.
-# | {ssha3-384} | SHA3-384-Password | SHA3 hashed passwords, with a salt.
-# | {ssha3-512} | SHA3-512-Password | SHA3 hashed passwords, with a salt.
-# | {nt} | NT-Password | Windows NT hashed passwords.
-# | {nthash} | NT-Password | Windows NT hashed passwords.
-# | {md4} | NT-Password | Windows NT hashed passwords.
-# | {x-nthash} | NT-Password | Windows NT hashed passwords.
-# | {ns-mta-md5} | NS-MTA-MD5-Password | Netscape MTA MD5 hashed passwords.
-# | {x- orcllmv} | LM-Password | Windows LANMAN hashed passwords.
-# | {X- orclntv} | NT-Password | Windows NT hashed passwords.
+# | {crypt} | Password.Crypt | Unix-style "crypt"ed passwords.
+# | {md5} | Password.MD5 | MD5 hashed passwords.
+# | {base64_md5} | Password.MD5 | MD5 hashed passwords.
+# | {smd5} | Password.SMD5 | MD5 hashed passwords, with a salt.
+# | {sha} | Password.SHA | SHA1 hashed passwords.
+# | | Password.SHA1 | SHA1 hashed passwords.
+# | {ssha} | Password.SSHA | SHA1 hashed passwords, with a salt.
+# | {sha2} | Password.SHA2 | SHA2 hashed passwords.
+# | {sha224} | Password.SHA2 | SHA2 hashed passwords.
+# | {sha256} | Password.SHA2 | SHA2 hashed passwords.
+# | {sha384} | Password.SHA2 | SHA2 hashed passwords.
+# | {sha512} | Password.SHA2 | SHA2 hashed passwords.
+# | {ssha224} | Password.SSHA2-224 | SHA2 hashed passwords, with a salt.
+# | {ssha256} | Password.SSHA2-256 | SHA2 hashed passwords, with a salt.
+# | {ssha384} | Password.SSHA2-384 | SHA2 hashed passwords, with a salt.
+# | {ssha512} | Password.SSHA2-512 | SHA2 hashed passwords, with a salt.
+# | {ssha3} | Password.SHA3 | SHA3 hashed passwords.
+# | {ssha3-224} | Password.SHA3-224 | SHA3 hashed passwords, with a salt.
+# | {ssha3-256} | Password.SHA3-256 | SHA3 hashed passwords, with a salt.
+# | {ssha3-384} | Password.SHA3-384 | SHA3 hashed passwords, with a salt.
+# | {ssha3-512} | Password.SHA3-512 | SHA3 hashed passwords, with a salt.
+# | {nt} | Password.NT | Windows NT hashed passwords.
+# | {nthash} | Password.NT | Windows NT hashed passwords.
+# | {md4} | Password.NT | Windows NT hashed passwords.
+# | {x-nthash} | Password.NT | Windows NT hashed passwords.
+# | {ns-mta-md5} | Password.NS-MTA-MD5 | Netscape MTA MD5 hashed passwords.
+# | {x- orcllmv} | Password.LM | Windows LANMAN hashed passwords.
+# | {X- orclntv} | Password.NT | Windows NT hashed passwords.
# |===
#
# The module tries to be flexible when handling the various password for mats.
# and convert them to a format that the server can use.
#
# If there is no `Password.With-Header` attribute, the module looks for one
-# of the `Password.Cleartext`, `NT-Password`, `Crypt-Password`, etc. attributes
+# of the `Password.Cleartext`, `Password.NT`, `Password.Crypt`, etc. attributes
# as listed in the above table. These attributes should contain the relevant
# format password directly, without the header prefix.
#
#
passwd smbpasswd {
filename = /etc/smbpasswd
- format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
+ format = "*User-Name::Password.LM:Password.NT:SMB-Account-CTRL-TEXT::"
hash_size = 100
ignore_nislike = no
allow_multiple_keys = no
#
# The `pap` module is also responsible for "normalizing" the
# various kinds of "known good" passwords.
- # e.g. `NT-Password` may come as a 16 byte blob, or as a
+ # e.g. `Password.NT` may come as a 16 byte blob, or as a
# 32-byte hex string, or as a base-64 encoded string. The
# `pap` module will look for common variations of password
# encoding, and convert them all to a normal form.
#
# For users who are using MS-CHAP authentication. A back-end
# database listed in the "recv Access-Request" section MUST supply
-# either a Password.Cleartext attribute, or an NT-Password
+# either a Password.Cleartext attribute, or a Password.NT
# attribute. Encrypted passwords won't work.
#
authenticate mschap {
return XLAT_ACTION_FAIL;
if (mschap_nt_password_hash(buffer, arg->vb_strvalue) < 0) {
- REDEBUG("Failed generating NT-Password");
+ REDEBUG("Failed generating Password.NT");
*buffer = '\0';
return XLAT_ACTION_FAIL;
}
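Review bot: these are user-visible debug strings, so the rename changes what shows up in `radiusd -X` output and in logs; anyone grepping or alerting on "NT-Password" will stop matching, and a line in the changelog would help. Where the attribute has a `fr_dict_attr_t` handle in scope (as the later `attr_nt_password->name` usage in this file does), prefer printing the dictionary name through `%s` so the next rename does not need another pass over the strings.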
int ntlen = sizeof(nt_pass_decrypted);
if (!nt_password) {
- RDEBUG2("Local MS-CHAPv2 password change requires NT-Password attribute");
+ RDEBUG2("Local MS-CHAPv2 password change requires Password.NT attribute");
return -1;
} else {
RDEBUG2("Doing MS-CHAPv2 password change locally");
if ((nt_pass_decrypted[514] != 0) ||
(nt_pass_decrypted[515] != 0)) {
REDEBUG("Decrypted new password blob claims length > 65536, "
- "probably an invalid NT-Password");
+ "probably an invalid Password.NT");
return -1;
}
*/
if (passlen > 512) {
REDEBUG("Decrypted new password blob claims length %zu > 512, "
- "probably an invalid NT-Password", passlen);
+ "probably an invalid Password.NT", passlen);
return -1;
}
RDEBUG2("MS-CHAPv2 password change succeeded: %s", result);
/*
- * Update the NT-Password attribute with the new hash this lets us
+ * Update the Password.NT attribute with the new hash this lets us
* fall through to the authentication code using the new hash,
* not the old one.
*/
* No password: can't do authentication.
*/
if (!password) {
- REDEBUG("FAILED: No NT/LM-Password. Cannot perform authentication");
+ REDEBUG("FAILED: No Password.NT/LM. Cannot perform authentication");
return -1;
}
}
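Review bot: `No Password.NT/LM` in the REDEBUG reads as one attribute path; the old `NT/LM-Password` shorthand does not survive the dotted naming. Suggest `No Password.NT or Password.LM`, matching the names operators will search the dictionary for.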
-/** Find an NT-Password value, or create one from a Password.Cleartext, or Password.With-Header attribute
+/** Find a Password.NT value, or create one from a Password.Cleartext, or Password.With-Header attribute
*
* @param[out] ephemeral Whether we created a new password
* attribute. Usually the caller will
* either want to insert this into a
* list or free it.
- * @param[out] out Our new NT-Password.
+ * @param[out] out Our new Password.NT.
* @param[in] inst Module configuration.
* @param[in] request The current request.
* @return
/*
* If we're doing internal auth, then this is an issue
*/
- RWDEBUG2("No &control.%s or &control.%s found. Cannot create NT-Password",
+ RWDEBUG2("No &control.%s or &control.%s found. Cannot create Password.NT",
attr_cleartext_password->name, attr_nt_password->name);
return -1;
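Review bot: this RWDEBUG2 already prints `attr_cleartext_password->name` and `attr_nt_password->name` through `%s`, yet hard-codes "Password.NT" at the end of the same format string; add a third `%s` fed by `attr_nt_password->name` so the message cannot drift from the dictionary again.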
ret = mschap_nt_password_hash(p, password->vp_strvalue);
if (ret < 0) {
- RERROR("Failed generating NT-Password");
+ RERROR("Failed generating Password.NT");
talloc_free(nt_password);
if (*ephemeral) TALLOC_FREE(password);
return -1;
#ifdef __APPLE__
/*
- * No "known good" NT-Password attribute. Try to do
+ * No "known good" Password.NT attribute. Try to do
* OpenDirectory authentication.
*
* If OD determines the user is an AD user it will return noop, which
* Otherwise OD will determine auth success/fail.
*/
if (!nt_password && inst->open_directory) {
- RDEBUG2("No NT-Password available. Trying OpenDirectory Authentication");
+ RDEBUG2("No Password.NT available. Trying OpenDirectory Authentication");
rcode = od_mschap_auth(request, challenge, user_name);
if (rcode != RLM_MODULE_NOOP) RETURN_MODULE_RCODE(rcode);
}
}
/*
- * Look for or create an NT-Password
+ * Look for or create an Password.NT
*
- * NT-Password can be NULL here if we didn't find an
+ * Password.NT can be NULL here if we didn't find an
* input attribute, and we're calling out to an
* external password store.
*/
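Review bot: "Look for or create an Password.NT" keeps the article from the old `an NT-Password`; change it to "a Password.NT". The "an" two lines below belongs to "an input attribute" on the following line and is fine as is.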
uint8_t digest[MD5_DIGEST_LENGTH];
if (known_good->vp_length <= MD5_DIGEST_LENGTH) {
- REDEBUG("\"known-good\" SMD5-Password has incorrect length, expected 16 got %zu", known_good->vp_length);
+ REDEBUG("\"known-good\" Password.SMD5 has incorrect length, expected 16 got %zu", known_good->vp_length);
RETURN_MODULE_INVALID;
}
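Review bot: the check on the line above is `vp_length <= MD5_DIGEST_LENGTH`, i.e. a salted MD5 value must be longer than 16 bytes, but the new message still says "expected 16"; since the string is being rewritten, make it "expected > 16" to match the `Password.SSHA` message later in this file, which says "expected > 20" for the analogous check.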
uint8_t digest[SHA1_DIGEST_LENGTH];
if (known_good->vp_length != SHA1_DIGEST_LENGTH) {
- REDEBUG("\"known-good\" SHA1-password has incorrect length, expected 20 got %zu", known_good->vp_length);
+ REDEBUG("\"known-good\" Password.SHA1 has incorrect length, expected 20 got %zu", known_good->vp_length);
RETURN_MODULE_INVALID;
}
uint8_t digest[SHA1_DIGEST_LENGTH];
if (known_good->vp_length <= SHA1_DIGEST_LENGTH) {
- REDEBUG("\"known-good\" SSHA-Password has incorrect length, expected > 20 got %zu", known_good->vp_length);
+ REDEBUG("\"known-good\" Password.SSHA has incorrect length, expected > 20 got %zu", known_good->vp_length);
RETURN_MODULE_INVALID;
}
uint8_t hash[EVP_MAX_MD_SIZE];
uint8_t digest[EVP_MAX_MD_SIZE];
- RDEBUG2("Comparing with \"known-good\" PBKDF2-Password");
+ RDEBUG2("Comparing with \"known-good\" Password.PBKDF2");
if (len <= 1) {
- REDEBUG("PBKDF2-Password is too short");
+ REDEBUG("Password.PBKDF2 is too short");
goto finish;
}
q = memchr(p, scheme_sep, end - p);
if (!q) {
- REDEBUG("PBKDF2-Password has no component separators");
+ REDEBUG("Password.PBKDF2 has no component separators");
goto finish;
}
p = q + 1;
if (((end - p) < 1) || !(q = memchr(p, iter_sep, end - p))) {
- REDEBUG("PBKDF2-Password missing iterations component");
+ REDEBUG("Password.PBKDF2 missing iterations component");
goto finish;
}
if ((q - p) == 0) {
- REDEBUG("PBKDF2-Password iterations component too short");
+ REDEBUG("Password.PBKDF2 iterations component too short");
goto finish;
}
iterations = strtoul(iterations_buff, &qq, 10);
if (*qq != '\0') {
REMARKER(iterations_buff, qq - iterations_buff,
- "PBKDF2-Password iterations field contains an invalid character");
+ "Password.PBKDF2 iterations field contains an invalid character");
goto finish;
}
slen = fr_base64_decode(&FR_DBUFF_TMP((uint8_t *)&iterations, sizeof(iterations)),
&FR_SBUFF_IN((char const *)p, (char const *)q), false, false);
if (slen <= 0) {
- RPEDEBUG("Failed decoding PBKDF2-Password iterations component (%.*s)", (int)(q - p), p);
+ RPEDEBUG("Failed decoding Password.PBKDF2 iterations component (%.*s)", (int)(q - p), p);
goto finish;
}
if (slen != sizeof(iterations)) {
- REDEBUG("Decoded PBKDF2-Password iterations component is wrong size");
+ REDEBUG("Decoded Password.PBKDF2 iterations component is wrong size");
}
iterations = ntohl(iterations);
if (iterations == 0) iterations = 1;
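Review bot: the `slen != sizeof(iterations)` branch only logs the REDEBUG and falls through; every neighbouring error path in this parser does `goto finish`, and here `iterations` is then byte-swapped and used with whatever partial value the decoder left behind. Add `goto finish;` after the REDEBUG (the message rename itself is fine).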
if (((end - p) < 1) || !(q = memchr(p, salt_sep, end - p))) {
- REDEBUG("PBKDF2-Password missing salt component");
+ REDEBUG("Password.PBKDF2 missing salt component");
goto finish;
}
if ((q - p) == 0) {
- REDEBUG("PBKDF2-Password salt component too short");
+ REDEBUG("Password.PBKDF2 salt component too short");
goto finish;
}
slen = fr_base64_decode(&FR_DBUFF_TMP(salt, talloc_array_length(salt)),
&FR_SBUFF_IN((char const *) p, (char const *)q), false, false);
if (slen <= 0) {
- RPEDEBUG("Failed decoding PBKDF2-Password salt component");
+ RPEDEBUG("Failed decoding Password.PBKDF2 salt component");
goto finish;
}
salt_len = (size_t)slen;
p = q + 1;
if ((q - p) == 0) {
- REDEBUG("PBKDF2-Password hash component too short");
+ REDEBUG("Password.PBKDF2 hash component too short");
goto finish;
}
slen = fr_base64_decode(&FR_DBUFF_TMP(hash, sizeof(hash)),
&FR_SBUFF_IN((char const *)p, (char const *)end), false, false);
if (slen <= 0) {
- RPEDEBUG("Failed decoding PBKDF2-Password hash component");
+ RPEDEBUG("Failed decoding Password.PBKDF2 hash component");
goto finish;
}
if ((size_t)slen != digest_len) {
- REDEBUG("PBKDF2-Password hash component length is incorrect for hash type, expected %zu, got %zd",
+ REDEBUG("Password.PBKDF2 hash component length is incorrect for hash type, expected %zu, got %zd",
digest_len, slen);
RHEXDUMP2(hash, slen, "hash component");
uint8_t const *p = known_good->vp_octets, *q, *end = p + known_good->vp_length;
if (end - p < 2) {
- REDEBUG("PBKDF2-Password too short");
+ REDEBUG("Password.PBKDF2 too short");
RETURN_MODULE_INVALID;
}
'$', '$', '$', false, password);
}
- REDEBUG("Can't determine format of PBKDF2-Password");
+ REDEBUG("Can't determine format of Password.PBKDF2");
RETURN_MODULE_INVALID;
}
uint8_t digest[MD4_DIGEST_LENGTH];
uint8_t ucs2[512];
- RDEBUG2("Comparing with \"known-good\" NT-Password");
+ RDEBUG2("Comparing with \"known-good\" Password.NT");
fr_assert(password->da == attr_user);
if (known_good->vp_length != MD4_DIGEST_LENGTH) {
- REDEBUG("\"known good\" NT-Password has incorrect length, expected 16 got %zu", known_good->vp_length);
+ REDEBUG("\"known good\" Password.NT has incorrect length, expected 16 got %zu", known_good->vp_length);
RETURN_MODULE_INVALID;
}
char charbuf[32 + 1];
ssize_t len;
- RDEBUG2("Comparing with \"known-good\" LM-Password");
+ RDEBUG2("Comparing with \"known-good\" Password.LM");
if (known_good->vp_length != MD4_DIGEST_LENGTH) {
- REDEBUG("\"known good\" LM-Password has incorrect length, expected 16 got %zu", known_good->vp_length);
+ REDEBUG("\"known good\" Password.LM has incorrect length, expected 16 got %zu", known_good->vp_length);
RETURN_MODULE_INVALID;
}
uint8_t buff[FR_MAX_STRING_LEN];
uint8_t buff2[FR_MAX_STRING_LEN + 50];
- RDEBUG2("Using NT-MTA-MD5-Password");
+ RDEBUG2("Using Password.NT-MTA-MD5");
if (known_good->vp_length != 64) {
- REDEBUG("\"known good\" NS-MTA-MD5-Password has incorrect length, expected 64 got %zu",
+ REDEBUG("\"known good\" Password.NS-MTA-MD5 has incorrect length, expected 64 got %zu",
known_good->vp_length);
RETURN_MODULE_INVALID;
}
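Review bot: `RDEBUG2("Using Password.NT-MTA-MD5")` carries over the pre-existing `NT-MTA-MD5` typo from the old string; every other message in this block and the table in the docs call it `NS-MTA-MD5`, so this should read `Password.NS-MTA-MD5`.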
/*
- * Sanity check the value of NS-MTA-MD5-Password
+ * Sanity check the value of Password.NS-MTA-MD5
*/
if (fr_base16_decode(NULL, &FR_DBUFF_TMP(digest, sizeof(digest)),
&FR_SBUFF_IN(known_good->vp_strvalue, known_good->vp_length), false) != 16) {
- REDEBUG("\"known good\" NS-MTA-MD5-Password has invalid value");
+ REDEBUG("\"known good\" Password.NS-MTA-MD5 has invalid value");
RETURN_MODULE_INVALID;
}
* This really: sizeof(buff) - 2 - 2*32 - strlen(passwd)
*/
if (password->vp_length >= (sizeof(buff) - 2 - 2 * 32)) {
- REDEBUG("\"known good\" NS-MTA-MD5-Password is too long");
+ REDEBUG("\"known good\" Password.NS-MTA-MD5 is too long");
RETURN_MODULE_INVALID;
}