diff --git a/.github/workflows/perl-test.yml b/.github/workflows/perl-test.yml
index 4a55007..ffd3409 100644
--- a/.github/workflows/perl-test.yml
+++ b/.github/workflows/perl-test.yml
@@ -18,14 +18,15 @@ jobs:
 matrix:
 perl-version:
 - "5.16" # CentOS 7
- - "5.26" # Ubuntu 18.04
+ - "5.26" # Ubuntu 18.04 / RHEL8
 - "5.30" # Ubuntu 20.04
+ - "5.34" # Ubuntu 22.04
 container:
 image: perldocker/perl-tester:${{ matrix.perl-version }}
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
 - name: uses install-with-cpanm
 uses: perl-actions/install-with-cpanm@v1
 with:
diff --git a/Changelog b/Changelog
index c224f6a..7d6e92e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,10 @@
+Version 3.4.3, 2024-08-15
+
+ * Guess encoding of username to better handle special characters
+ * Add SSL check using a CA path parameter (#59) by @lferrarotti74
+ * Add "Message-Authenticator" to reply to mitigate CVE-2024-3596 (#67) by
+ @basvandervlies
+
 Version 3.4.2, 2021-08-26
 * Better logging
diff --git a/privacyidea_radius.pm b/privacyidea_radius.pm
index 8e6898d..9fc5fda 100644
--- a/privacyidea_radius.pm
+++ b/privacyidea_radius.pm
@@ -422,6 +422,7 @@ sub authenticate {
 if ( exists( $RAD_REQUEST{'Stripped-User-Name'} )) {
 $params{"user"} = $RAD_REQUEST{'Stripped-User-Name'};
 }
+
 if ( exists( $RAD_REQUEST{'User-Password'} ) ) {
 my $password = $RAD_REQUEST{'User-Password'};
 if ( $Config->{SPLIT_NULL_BYTE} =~ /true/i ) {
@@ -442,6 +443,18 @@ sub authenticate {
 $params{"pass"} = "";
 }
+ # We need to decode the username as well since it might contain special chars
+ if ( exists( $params{"user"} ) ) {
+ my $decoder = Encode::Guess->guess($params{"user"});
+ if ( ! ref($decoder) ) {
+ radiusd::radlog( Info, "Could not find valid username encoding. Sending username as-is." );
+ radiusd::radlog( Debug, $decoder );
+ } else {
+ &radiusd::radlog( Info, "Username encoding guessed: " . $decoder->name);
+ $params{"user"} = $decoder->decode($params{"user"});
+ }
+ }
+
+ # Security enhancement sned Message-Authenticator back
 if ( exists( $RAD_REQUEST{'Message-Authenticator'} )) {
 $RAD_REPLY{'Message-Authenticator'} = $RAD_REQUEST{'Message-Authenticator'};
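Review bot: `$decoder->decode(...)` turns `$params{"user"}` into a Perl character string while the as-is branch leaves the raw request bytes, so the two paths hand differently-typed strings to whatever builds the HTTP request further down authenticate (the sub continues outside the hunk); confirm that code encodes wide characters as UTF-8, otherwise a non-ASCII username can reach privacyIDEA mojibaked or trigger a wide-character error. Unless suspect encodings are registered elsewhere in the file, Encode::Guess's defaults only recognise ASCII, UTF-8 and BOM-prefixed UTF-16/32, so a Latin-1 username always takes the as-is branch; a comment such as `# Encode::Guess defaults: ascii, utf8, BOM'd UTF-16/32 -- anything else is sent unchanged` would document the real coverage. The two new `radiusd::radlog(...)` calls drop the `&` that the rest of the file, including the else branch of this hunk, uses; either form works, but mixing them in one block reads as an oversight. The Message-Authenticator context lines copy the request value into the reply; as far as I can tell this only works because FreeRADIUS overwrites the attribute with a freshly computed HMAC when it signs the reply, and since the CVE-2024-3596 mitigation wants the attribute in every reply regardless of what the client sent, consider setting a placeholder unconditionally, e.g. `$RAD_REPLY{'Message-Authenticator'} = "0x00";`, with a comment saying the server fills in the real value.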
@@ -500,23 +513,29 @@ sub authenticate {
 &radiusd::radlog( Info, "Not verifying SSL certificate!" );
 $ua->ssl_opts( verify_hostname => 0, SSL_verify_mode => 0x00 );
 } catch {
- &radiusd::radlog( Error, "ssl_opts only supported with LWP 6. error: $@" );
+ &radiusd::radlog( Error, "ssl_opts only supported with LWP 6. error: $_" );
 }
- }
- if ($check_ssl == true) {
+ } else {
 try {
 &radiusd::radlog( Info, "Verifying SSL certificate!" );
- if (exists ( $Config->{SSL_CA_PATH} ) ) {
- if ( length $SSL_CA_PATH ) {
- &radiusd::radlog( Info, "SSL_CA_PATH: $SSL_CA_PATH" );
- $ua->ssl_opts( SSL_ca_path => $SSL_CA_PATH, verify_hostname => 1 );
- } elsif ( ! length $SSL_CA_PATH ) {
- &radiusd::radlog( Info, "Verifying SSL certificate against system wide CAs!" );
- $ua->ssl_opts( verify_hostname => 1 );
- }
- }
- } catch {
- &radiusd::radlog( Error, "Something went wrong or something is missing!!!" );
+ if ( exists( $Config->{SSL_CA_PATH} ) ) {
+ if ( length $SSL_CA_PATH ) {
+ &radiusd::radlog( Info, "SSL_CA_PATH: $SSL_CA_PATH" );
+ $ua->ssl_opts(
+ SSL_ca_path => $SSL_CA_PATH,
+ verify_hostname => 1
+ );
+ }
+ else {
+ &radiusd::radlog( Info,
+ "Verifying SSL certificate against system wide CAs!" );
+ $ua->ssl_opts( verify_hostname => 1 );
+ }
+ }
+ }
+ catch {
+ &radiusd::radlog( Error,
+ "Something went wrong setting up SSL certificate verification: $_" );
 }
 }
diff --git a/rlm_perl.ini b/rlm_perl.ini
index ddd37a4..aacab33 100644
--- a/rlm_perl.ini
+++ b/rlm_perl.ini
@@ -33,7 +33,7 @@ SSL_CHECK = false
 #
 #dir = user
 #userAttribute = acl
-#regex = CN=(\w*)-users,OU=sales,DC=example,DC=com
+#regex = CN=(\w*)-user,OU=sales,DC=example,DC=com
 #prefix =
 #suffix =
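Review bot: In the new verifying branch, when the config has no SSL_CA_PATH key the `exists` test skips both `ssl_opts` calls, so verification is only whatever LWP's default happens to be (on in LWP 6, but overridable through the PERL_LWP_SSL_VERIFY_HOSTNAME environment); since the inner branch already tests `length $SSL_CA_PATH`, the outer `exists` is redundant and dropping it makes `verify_hostname => 1` explicit on every path. The outer test also reads `$Config->{SSL_CA_PATH}` while the inner one reads `$SSL_CA_PATH`, which is presumably populated from the config earlier in the file, outside the hunk; testing one value would be clearer. `SSL_ca_path` in IO::Socket::SSL expects a directory of c_rehash-style hashed certificates rather than a bundle file, so a comment like `# SSL_CA_PATH must be a c_rehash'd directory; a single bundle needs SSL_ca_file instead` (or accepting both) would spare users a confusing certificate-verification failure. The catch block logs and continues, so a failure while enabling verification still sends the request; with LWP 6 the default still verifies, but that reliance deserves a sentence in the comment. The enclosing authenticate body continues past both ends of the hunk.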