*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*
- * Copyright 2002 The FreeRADIUS server project
+ * Copyright 2002,2006 The FreeRADIUS server project
* Copyright 2002 Alan DeKok <aland@ox.org>
*/
-#include <freeradius-devel/autoconf.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
+#include <freeradius-devel/ident.h>
+RCSID("$Id$")
#include <freeradius-devel/radiusd.h>
#include <freeradius-devel/modules.h>
-#include <freeradius-devel/conffile.h>
-
-static const char rcsid[] = "$Id$";
static int digest_authorize(void *instance, REQUEST *request)
{
/*
* We require access to the plain-text password.
*/
- passwd = pairfind(request->config_items, PW_PASSWORD);
- if (!passwd) passwd = pairfind(request->config_items, PW_DIGEST_HA1);
+ passwd = pairfind(request->config_items, PW_DIGEST_HA1);
+ if (passwd) {
+ if (passwd->length != 32) {
+ radlog(L_AUTH, "rlm_digest: Digest-HA1 has invalid length, authentication failed.");
+ return RLM_MODULE_INVALID;
+ }
+ } else {
+ passwd = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD);
+ }
if (!passwd) {
- radlog(L_AUTH, "rlm_digest: Configuration item \"User-Password\" or \"Digest-HA1\" is required for authentication.");
+ radlog(L_AUTH, "rlm_digest: Cleartext-Password or Digest-HA1 is required for authentication.");
return RLM_MODULE_INVALID;
}
a1[a1_len] = ':';
a1_len++;
- if (passwd->attribute == PW_USER_PASSWORD) {
+ if (passwd->attribute == PW_CLEARTEXT_PASSWORD) {
memcpy(&a1[a1_len], &passwd->vp_octets[0], passwd->length);
a1_len += passwd->length;
a1[a1_len] = '\0';
/*
* Set A1 to Digest-HA1 if no User-Password found
*/
- if (passwd->attribute != PW_USER_PASSWORD) {
- memcpy(&a1[0], passwd->vp_octets, 16);
+ if (passwd->attribute == PW_DIGEST_HA1) {
+ if (lrad_hex2bin(passwd->vp_strvalue, &a1[0], 16) != 16) {
+ DEBUG2("rlm_digest: Invalid text in Digest-HA1");
+ return RLM_MODULE_INVALID;
+ }
}
} else if (strcasecmp(algo->vp_strvalue, "MD5-sess") == 0) {
* If we find Digest-HA1, we assume it contains
* H(A1).
*/
- if (passwd->attribute == PW_USER_PASSWORD) {
+ if (passwd->attribute == PW_CLEARTEXT_PASSWORD) {
librad_md5_calc(hash, &a1[0], a1_len);
lrad_bin2hex(hash, &a1[0], 16);
- } else {
- lrad_bin2hex(passwd->vp_octets, &a1[0], 16);
+ } else { /* MUST be Digest-HA1 */
+ memcpy(&a1[0], passwd->vp_strvalue, 32);
}
a1_len = 32;
*/
if (((algo != NULL) &&
(strcasecmp(algo->vp_strvalue, "MD5-Sess") == 0)) ||
- (passwd->attribute == PW_USER_PASSWORD)) {
+ (passwd->attribute == PW_CLEARTEXT_PASSWORD)) {
a1[a1_len] = '\0';
librad_md5_calc(&hash[0], &a1[0], a1_len);
} else {
return RLM_MODULE_INVALID;
}
- lrad_hex2bin(&vp->vp_octets[0], &hash[0], vp->length >> 1);
+ if (lrad_hex2bin(&vp->vp_octets[0], &hash[0], vp->length >> 1) != (vp->length >> 1)) {
+ DEBUG2("rlm_digest: Invalid text in Digest-Response");
+ return RLM_MODULE_INVALID;
+ }
#ifndef NDEBUG
if (debug_flag) {