Check encoding for usernames

Usernames may consist of special characters so we need to check the encoding of the username as well to avoid broken URL parameter for PI. Closes #57
privacyidea · Aug 15, 2024 · bccce97 · bccce97
1 parent c675312
commit bccce97
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 17 deletions.
diff --git a/.github/workflows/perl-test.yml b/.github/workflows/perl-test.yml
@@ -18,14 +18,15 @@ jobs:
       matrix:
         perl-version:
           - "5.16"  # CentOS 7
-          - "5.26"  # Ubuntu 18.04
+          - "5.26"  # Ubuntu 18.04 / RHEL8
           - "5.30"  # Ubuntu 20.04
+          - "5.34"  # Ubuntu 22.04
 
     container:
       image: perldocker/perl-tester:${{ matrix.perl-version }}
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: uses install-with-cpanm
         uses: perl-actions/install-with-cpanm@v1
         with:

diff --git a/Changelog b/Changelog
@@ -1,3 +1,10 @@
+Version 3.4.3, 2024-08-15
+
+  * Guess encoding of username to better handle special characters
+  * Add SSL check using a CA path parameter (#59) by @lferrarotti74
+  * Add "Message-Authenticator" to reply to mitigate CVE-2024-3596 (#67) by
+    @basvandervlies
+
 Version 3.4.2, 2021-08-26
 
   * Better logging

diff --git a/privacyidea_radius.pm b/privacyidea_radius.pm
@@ -422,6 +422,7 @@ sub authenticate {
     if ( exists( $RAD_REQUEST{'Stripped-User-Name'} )) {
         $params{"user"} = $RAD_REQUEST{'Stripped-User-Name'};
     }
+
     if ( exists( $RAD_REQUEST{'User-Password'} ) ) {
         my $password = $RAD_REQUEST{'User-Password'};
         if ( $Config->{SPLIT_NULL_BYTE} =~ /true/i ) {
@@ -442,6 +443,18 @@ sub authenticate {
         $params{"pass"} = "";
     }
 
+    # We need to decode the username as well since it might contain special chars
+    if ( exists( $params{"user"} ) ) {
+        my $decoder = Encode::Guess->guess($params{"user"});
+        if ( ! ref($decoder) ) {
+            radiusd::radlog( Info, "Could not find valid username encoding. Sending username as-is." );
+            radiusd::radlog( Debug, $decoder );
+        } else {
+            &radiusd::radlog( Info, "Username encoding guessed: " . $decoder->name);
+            $params{"user"} = $decoder->decode($params{"user"});
+        }
+    }
+
     # Security enhancement sned Message-Authenticator back
     if ( exists( $RAD_REQUEST{'Message-Authenticator'} )) {
         $RAD_REPLY{'Message-Authenticator'} = $RAD_REQUEST{'Message-Authenticator'};
@@ -500,23 +513,29 @@ sub authenticate {
             &radiusd::radlog( Info, "Not verifying SSL certificate!" );
             $ua->ssl_opts( verify_hostname => 0, SSL_verify_mode => 0x00 );
         } catch {
-            &radiusd::radlog( Error, "ssl_opts only supported with LWP 6. error: $@" );
+            &radiusd::radlog( Error, "ssl_opts only supported with LWP 6. error: $_" );
         }
-    }
-    if ($check_ssl == true) {
+    } else {
         try {
             &radiusd::radlog( Info, "Verifying SSL certificate!" );
-	    if (exists ( $Config->{SSL_CA_PATH} ) ) {
-			if ( length $SSL_CA_PATH ) {
-            		    &radiusd::radlog( Info, "SSL_CA_PATH: $SSL_CA_PATH" );
-			    $ua->ssl_opts( SSL_ca_path => $SSL_CA_PATH, verify_hostname => 1 );
-			} elsif ( ! length $SSL_CA_PATH ) {
-			    &radiusd::radlog( Info, "Verifying SSL certificate against system wide CAs!" );
-			    $ua->ssl_opts( verify_hostname => 1 );
-			}
-	    }
-        } catch {
-            &radiusd::radlog( Error, "Something went wrong or something is missing!!!" );
+            if ( exists( $Config->{SSL_CA_PATH} ) ) {
+                if ( length $SSL_CA_PATH ) {
+                    &radiusd::radlog( Info, "SSL_CA_PATH: $SSL_CA_PATH" );
+                    $ua->ssl_opts(
+                        SSL_ca_path => $SSL_CA_PATH,
+                        verify_hostname => 1
+                    );
+                }
+                else {
+                    &radiusd::radlog( Info,
+                        "Verifying SSL certificate against system wide CAs!" );
+                    $ua->ssl_opts( verify_hostname => 1 );
+                }
+            }
+        }
+        catch {
+            &radiusd::radlog( Error,
+                "Something went wrong setting up SSL certificate verification: $_" );
         }
     }
 

diff --git a/rlm_perl.ini b/rlm_perl.ini
@@ -33,7 +33,7 @@ SSL_CHECK = false
 #
 #dir = user
 #userAttribute = acl
-#regex = CN=(\w*)-users,OU=sales,DC=example,DC=com
+#regex = CN=(\w*)-user,OU=sales,DC=example,DC=com
 #prefix =
 #suffix =