
Merge pull request #68 from privacyidea/57/check_encoding_for_usernames
Check encoding for usernames
nilsbehlen authored Aug 15, 2024
2 parents c675312 + bccce97 commit 2ec2b17
Showing 4 changed files with 44 additions and 17 deletions.
5 changes: 3 additions & 2 deletions .github/workflows/perl-test.yml
@@ -18,14 +18,15 @@ jobs:
matrix:
perl-version:
- "5.16" # CentOS 7
- "5.26" # Ubuntu 18.04
- "5.26" # Ubuntu 18.04 / RHEL8
- "5.30" # Ubuntu 20.04
- "5.34" # Ubuntu 22.04

container:
image: perldocker/perl-tester:${{ matrix.perl-version }}

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
- name: uses install-with-cpanm
uses: perl-actions/install-with-cpanm@v1
with:
7 changes: 7 additions & 0 deletions Changelog
@@ -1,3 +1,10 @@
Version 3.4.3, 2024-08-15

* Guess encoding of username to better handle special characters
* Add SSL check using a CA path parameter (#59) by @lferrarotti74
* Add "Message-Authenticator" to reply to mitigate CVE-2024-3596 (#67) by
@basvandervlies

Version 3.4.2, 2021-08-26

* Better logging
47 changes: 33 additions & 14 deletions privacyidea_radius.pm
@@ -422,6 +422,7 @@ sub authenticate {
if ( exists( $RAD_REQUEST{'Stripped-User-Name'} )) {
$params{"user"} = $RAD_REQUEST{'Stripped-User-Name'};
}

if ( exists( $RAD_REQUEST{'User-Password'} ) ) {
my $password = $RAD_REQUEST{'User-Password'};
if ( $Config->{SPLIT_NULL_BYTE} =~ /true/i ) {
@@ -442,6 +443,18 @@ sub authenticate {
$params{"pass"} = "";
}

# We need to decode the username as well since it might contain special chars
if ( exists( $params{"user"} ) ) {
my $decoder = Encode::Guess->guess($params{"user"});
if ( ! ref($decoder) ) {
radiusd::radlog( Info, "Could not find valid username encoding. Sending username as-is." );
radiusd::radlog( Debug, $decoder );
} else {
&radiusd::radlog( Info, "Username encoding guessed: " . $decoder->name);
$params{"user"} = $decoder->decode($params{"user"});
}
}

# Security enhancement sned Message-Authenticator back
if ( exists( $RAD_REQUEST{'Message-Authenticator'} )) {
$RAD_REPLY{'Message-Authenticator'} = $RAD_REQUEST{'Message-Authenticator'};
@@ -500,23 +513,29 @@ sub authenticate {
&radiusd::radlog( Info, "Not verifying SSL certificate!" );
$ua->ssl_opts( verify_hostname => 0, SSL_verify_mode => 0x00 );
} catch {
&radiusd::radlog( Error, "ssl_opts only supported with LWP 6. error: $@" );
&radiusd::radlog( Error, "ssl_opts only supported with LWP 6. error: $_" );
}
}
if ($check_ssl == true) {
} else {
try {
&radiusd::radlog( Info, "Verifying SSL certificate!" );
if (exists ( $Config->{SSL_CA_PATH} ) ) {
if ( length $SSL_CA_PATH ) {
&radiusd::radlog( Info, "SSL_CA_PATH: $SSL_CA_PATH" );
$ua->ssl_opts( SSL_ca_path => $SSL_CA_PATH, verify_hostname => 1 );
} elsif ( ! length $SSL_CA_PATH ) {
&radiusd::radlog( Info, "Verifying SSL certificate against system wide CAs!" );
$ua->ssl_opts( verify_hostname => 1 );
}
}
} catch {
&radiusd::radlog( Error, "Something went wrong or something is missing!!!" );
if ( exists( $Config->{SSL_CA_PATH} ) ) {
if ( length $SSL_CA_PATH ) {
&radiusd::radlog( Info, "SSL_CA_PATH: $SSL_CA_PATH" );
$ua->ssl_opts(
SSL_ca_path => $SSL_CA_PATH,
verify_hostname => 1
);
}
else {
&radiusd::radlog( Info,
"Verifying SSL certificate against system wide CAs!" );
$ua->ssl_opts( verify_hostname => 1 );
}
}
}
catch {
&radiusd::radlog( Error,
"Something went wrong setting up SSL certificate verification: $_" );
}
}
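Review bot: In the new `else` branch of the SSL block, the explicit `$ua->ssl_opts( verify_hostname => 1 )` call is only reached when the `SSL_CA_PATH` key exists in the config, so a deployment that omits the key entirely logs "Verifying SSL certificate!" but never sets any verification option and is left to the HTTP client's defaults (which for LWP can be overridden through the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable). Collapsing the two conditions into one, `if ( exists( $Config->{SSL_CA_PATH} ) && length $SSL_CA_PATH ) {`, lets the existing `else` branch cover the missing-key case as well. The condition also mixes `$Config->{SSL_CA_PATH}` for the existence check with the separate `$SSL_CA_PATH` variable for the length check; reading both from one place would keep them from drifting apart (where `$SSL_CA_PATH` is assigned is outside the hunk). In the username-encoding hunk the new lines alternate between `radiusd::radlog(...)` and `&radiusd::radlog(...)`; pick one form, preferably the one without `&`, and note that the decoded `$params{"user"}` must be re-encoded wherever `%params` is serialized into the request further down, which is outside these hunks. authenticate's body starts and ends outside the hunks shown.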

2 changes: 1 addition & 1 deletion rlm_perl.ini
@@ -33,7 +33,7 @@ SSL_CHECK = false
#
#dir = user
#userAttribute = acl
#regex = CN=(\w*)-users,OU=sales,DC=example,DC=com
#regex = CN=(\w*)-user,OU=sales,DC=example,DC=com
#prefix =
#suffix =
