authorTed Trask <ttrask01@yahoo.com>2014-09-17 19:07:31 +0000
committerTed Trask <ttrask01@yahoo.com>2014-09-17 19:07:31 +0000
commit2ecbaa496a6f4545d9a883b714f426b53339f1ee (patch)
tree7f07bbc0665713525ed2f52ab4d76f33c68b7d4a
parent7d25635f278549eaac801f78e320e714fe61bf06 (diff)
Fixes for Blowfish algorithm
-rw-r--r--freeradius3-model.lua21
1 files changed, 8 insertions, 13 deletions
diff --git a/freeradius3-model.lua b/freeradius3-model.lua
index 83764c7..078268b 100644
--- a/freeradius3-model.lua
+++ b/freeradius3-model.lua
@@ -160,7 +160,7 @@ local mksalt = function()
local file = io.open("/dev/urandom")
local str = ""
if file == nil then return nil end
- for i = 1,16 do
+ for i = 1,22 do
local offset = (string.byte(file:read(1)) % 64) + 1
str = str .. string.sub (b64, offset, offset)
end
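Review bot: The new bound on `for i = 1,22 do` is the bcrypt salt width, but the hunk leaves no record of why, and mksalt is shared by every algorithm in the selector, so a reader may later "fix" it back; a comment such as `-- 22 chars: bcrypt ($2a$) needs a full 22-character salt; crypt(3) silently truncates it for DES (2), MD5 (8) and SHA-crypt (16)` would pin the intent. Bcrypt decodes those 22 characters into 16 bytes, so the last character only contributes 4 bits; that is harmless, but it does assume `b64` (defined outside the hunk) is the `./0-9A-Za-z` alphabet bcrypt accepts, which is worth confirming. The `/dev/urandom` handle opened on the first context line is not closed anywhere inside the hunk; mksalt continues past the hunk, so check that the return path closes it rather than leaking a descriptor per password change.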
@@ -238,7 +238,7 @@ local get_passwd_entry_private = function(self, clientdata, create)
retval.value.fields.value[tostring(i)] = cfe({ type="password", label=label, seq=i })
-- FIXME - this leads to inconsistent handling of blank password since this function is reused
if not create then retval.value.fields.value[tostring(i)].descr="Leave blank to leave unchanged" end
- retval.value.fields.value["algorithm"..i] = cfe({ type="select", value="$6$", label="Algorithm", option={{value="", label="DES"}, {value="$1$", label="MD5"}, {value="$2$", label="Blowfish"}, {value="$2a$", label="eksblowfish"}, {value="$5$", label="SHA-256"}, {value="$6$", label="SHA-512"}}, seq=i })
+ retval.value.fields.value["algorithm"..i] = cfe({ type="select", value="$6$", label="Algorithm", option={{value="", label="DES"}, {value="$1$", label="MD5"}, {value="$2a$07$", label="Blowfish"}, {value="$5$", label="SHA-256"}, {value="$6$", label="SHA-512"}}, seq=i })
-- Hide the algorithm so user does not use insecure algorithms unless they REALLY want to
retval.value.fields.value["algorithm"..i].type = "hidden"
else
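Review bot: The Blowfish option on the `retval.value.fields.value["algorithm"..i] = cfe({...})` line embeds the bcrypt cost as the literal `$2a$07$`, and the same literal is repeated in the get_passwd hunk at line 43. Cost 7 (2^7 key-setup rounds) is near the bottom of bcrypt's range, and having it baked into two option lists makes the work factor hard to review or raise later; a single module-level constant such as `local BCRYPT_PREFIX = "$2a$" .. BCRYPT_COST .. "$"` used in both places would keep the cost in one auditable spot. Presumably this value is also the prefix handed to posix.crypt when a new hash is generated, in which case raising the cost there affects only new hashes and existing entries keep the cost recorded in their own stored string.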
@@ -567,7 +567,7 @@ function mymodule.get_passwd(self, clientdata)
retval.value.oldpassword = cfe({ type="password", label="Current Password", seq=4 })
retval.value.password = cfe({ type="password", label="New Password", seq=5 })
retval.value.password_confirm = cfe({ type="password", label="New Password (confirm)", seq=6 })
- retval.value.algorithm = cfe({ type="select", value="$6$", label="Algorithm", option={{value="", label="DES"}, {value="$1$", label="MD5"}, {value="$2$", label="Blowfish"}, {value="$2a$", label="eksblowfish"}, {value="$5$", label="SHA-256"}, {value="$6$", label="SHA-512"}}, seq=i })
+ retval.value.algorithm = cfe({ type="select", value="$6$", label="Algorithm", option={{value="", label="DES"}, {value="$1$", label="MD5"}, {value="$2a$07$", label="Blowfish"}, {value="$5$", label="SHA-256"}, {value="$6$", label="SHA-512"}}, seq=i })
-- Hide the algorithm so user does not use insecure algorithms unless they REALLY want to
retval.value.algorithm.type = "hidden"
end
@@ -588,16 +588,11 @@ function mymodule.update_passwd(self, passwd)
local form,pwhash = get_passwd_entry_private(self, {filename=passwd.value.filename.value, entry=passwd.value.entry.value}, false)
-- Validate the old password
- local success = false
- passwd.value.oldpassword.errtxt = "Incorrect password"
- local algo_salt, hash = string.match(pwhash, "^(%$%d%$[a-zA-Z0-9./]+%$)(.*)")
- if not algo_salt then algo_salt = string.sub(pwhash, 1, 3) end
- if algo_salt ~= nil then
- if (pwhash == posix.crypt(passwd.value.oldpassword.value, algo_salt)) then
- success = true
- passwd.value.oldpassword.errtxt = nil
- end
- end
+ local success = true
+ if (pwhash ~= posix.crypt(passwd.value.oldpassword.value, pwhash)) then
+ success = false
+ passwd.value.oldpassword.errtxt = "Incorrect password"
+ end
-- Validate the new password
if passwd.value.password.value ~= passwd.value.password_confirm.value then