On 2015-08-15 17:55, I wrote:
The attached patch adds support for RADIUS passwords longer than 16 octets.
Improved the coding and comments a bit, new version attached. .m
*** a/src/backend/libpq/auth.c --- b/src/backend/libpq/auth.c *************** *** 2168,2173 **** CheckCertAuth(Port *port) --- 2168,2174 ---- #define RADIUS_VECTOR_LENGTH 16 #define RADIUS_HEADER_LENGTH 20 + #define RADIUS_MAX_PASSWORD_LENGTH 128 typedef struct { *************** *** 2241,2247 **** CheckRADIUSAuth(Port *port) radius_packet *receivepacket = (radius_packet *) receive_buffer; int32 service = htonl(RADIUS_AUTHENTICATE_ONLY); uint8 *cryptvector; ! uint8 encryptedpassword[RADIUS_VECTOR_LENGTH]; int packetlength; pgsocket sock; --- 2242,2250 ---- radius_packet *receivepacket = (radius_packet *) receive_buffer; int32 service = htonl(RADIUS_AUTHENTICATE_ONLY); uint8 *cryptvector; ! int encryptedpasswordlen; ! uint8 encryptedpassword[RADIUS_MAX_PASSWORD_LENGTH]; ! uint8 *md5trailer; int packetlength; pgsocket sock; *************** *** 2259,2264 **** CheckRADIUSAuth(Port *port) --- 2262,2268 ---- fd_set fdset; struct timeval endtime; int i, + j, r; /* Make sure struct alignment is correct */ *************** *** 2316,2325 **** CheckRADIUSAuth(Port *port) return STATUS_ERROR; } ! if (strlen(passwd) > RADIUS_VECTOR_LENGTH) { ereport(LOG, ! (errmsg("RADIUS authentication does not support passwords longer than 16 characters"))); return STATUS_ERROR; } --- 2320,2329 ---- return STATUS_ERROR; } ! if (strlen(passwd) > RADIUS_MAX_PASSWORD_LENGTH) { ereport(LOG, ! (errmsg("RADIUS authentication does not support passwords longer than %d characters", RADIUS_MAX_PASSWORD_LENGTH))); return STATUS_ERROR; } *************** *** 2344,2371 **** CheckRADIUSAuth(Port *port) radius_add_attribute(packet, RADIUS_NAS_IDENTIFIER, (unsigned char *) identifier, strlen(identifier)); /* ! * RADIUS password attributes are calculated as: e[0] = p[0] XOR ! * MD5(secret + vector) */ ! cryptvector = palloc(RADIUS_VECTOR_LENGTH + strlen(port->hba->radiussecret)); memcpy(cryptvector, port->hba->radiussecret, strlen(port->hba->radiussecret)); ! memcpy(cryptvector + strlen(port->hba->radiussecret), packet->vector, RADIUS_VECTOR_LENGTH); ! if (!pg_md5_binary(cryptvector, RADIUS_VECTOR_LENGTH + strlen(port->hba->radiussecret), encryptedpassword)) { ! ereport(LOG, ! (errmsg("could not perform MD5 encryption of password"))); ! pfree(cryptvector); ! return STATUS_ERROR; } pfree(cryptvector); ! for (i = 0; i < RADIUS_VECTOR_LENGTH; i++) ! { ! if (i < strlen(passwd)) ! encryptedpassword[i] = passwd[i] ^ encryptedpassword[i]; ! else ! encryptedpassword[i] = '\0' ^ encryptedpassword[i]; ! } ! radius_add_attribute(packet, RADIUS_PASSWORD, encryptedpassword, RADIUS_VECTOR_LENGTH); /* Length need to be in network order on the wire */ packetlength = packet->length; --- 2348,2390 ---- radius_add_attribute(packet, RADIUS_NAS_IDENTIFIER, (unsigned char *) identifier, strlen(identifier)); /* ! * RADIUS password attributes are calculated as: ! * e[0] = p[0] XOR MD5(secret + Request Authenticator) ! * for the first group of 16 octets, and then: ! * e[i] = p[i] XOR MD5(secret + e[i-1]) ! * for the following ones (if necessary) */ ! encryptedpasswordlen = ((strlen(passwd) + RADIUS_VECTOR_LENGTH - 1) / RADIUS_VECTOR_LENGTH) * RADIUS_VECTOR_LENGTH; ! cryptvector = palloc(strlen(port->hba->radiussecret) + RADIUS_VECTOR_LENGTH); memcpy(cryptvector, port->hba->radiussecret, strlen(port->hba->radiussecret)); ! ! /* for the first iteration, we use the Request Authenticator vector */ ! md5trailer = packet->vector; ! for (i = 0; i < encryptedpasswordlen; i += RADIUS_VECTOR_LENGTH) { ! memcpy(cryptvector + strlen(port->hba->radiussecret), md5trailer, RADIUS_VECTOR_LENGTH); ! /* .. and for subsequent iterations the result of the previous XOR (calculated below) */ ! md5trailer = encryptedpassword + i; ! ! if (!pg_md5_binary(cryptvector, strlen(port->hba->radiussecret) + RADIUS_VECTOR_LENGTH, encryptedpassword + i)) ! { ! ereport(LOG, ! (errmsg("could not perform MD5 encryption of password"))); ! pfree(cryptvector); ! return STATUS_ERROR; ! } ! ! for (j = i; j < i+RADIUS_VECTOR_LENGTH; j++) ! { ! if (j < strlen(passwd)) ! encryptedpassword[j] = passwd[j] ^ encryptedpassword[j]; ! else ! encryptedpassword[j] = '\0' ^ encryptedpassword[j]; ! } } pfree(cryptvector); ! ! radius_add_attribute(packet, RADIUS_PASSWORD, encryptedpassword, encryptedpasswordlen); /* Length need to be in network order on the wire */ packetlength = packet->length;
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers