author | Ted Trask <ttrask01@yahoo.com> | 2014-09-17 19:07:31 +0000 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2014-09-17 19:07:31 +0000 |
commit | 2ecbaa496a6f4545d9a883b714f426b53339f1ee (patch) | |
tree | 7f07bbc0665713525ed2f52ab4d76f33c68b7d4a | |
parent | 7d25635f278549eaac801f78e320e714fe61bf06 (diff) | |
download | acf-freeradius3-2ecbaa496a6f4545d9a883b714f426b53339f1ee.tar.bz2 acf-freeradius3-2ecbaa496a6f4545d9a883b714f426b53339f1ee.tar.xz |
Fixes for Blowfish algorithm
-rw-r--r-- | freeradius3-model.lua | 21 |
1 files changed, 8 insertions, 13 deletions
diff --git a/freeradius3-model.lua b/freeradius3-model.lua
index 83764c7..078268b 100644
--- a/freeradius3-model.lua
+++ b/freeradius3-model.lua
@@ -160,7 +160,7 @@ local mksalt = function()
 local file = io.open("/dev/urandom")
 local str = ""
 if file == nil then return nil end
-for i = 1,16 do
+for i = 1,22 do
 local offset = (string.byte(file:read(1)) % 64) + 1
 str = str .. string.sub (b64, offset, offset)
 end
@@ -238,7 +238,7 @@ local get_passwd_entry_private = function(self, clientdata, create)
 retval.value.fields.value[tostring(i)] = cfe({ type="password", label=label, seq=i })
 -- FIXME - this leads to inconsistent handling of blank password since this function is reused
 if not create then retval.value.fields.value[tostring(i)].descr="Leave blank to leave unchanged" end
-retval.value.fields.value["algorithm"..i] = cfe({ type="select", value="$6$", label="Algorithm", option={{value="", label="DES"}, {value="$1$", label="MD5"}, {value="$2$", label="Blowfish"}, {value="$2a$", label="eksblowfish"}, {value="$5$", label="SHA-256"}, {value="$6$", label="SHA-512"}}, seq=i })
+retval.value.fields.value["algorithm"..i] = cfe({ type="select", value="$6$", label="Algorithm", option={{value="", label="DES"}, {value="$1$", label="MD5"}, {value="$2a$07$", label="Blowfish"}, {value="$5$", label="SHA-256"}, {value="$6$", label="SHA-512"}}, seq=i })
 -- Hide the algorithm so user does not use insecure algorithms unless they REALLY want to
 retval.value.fields.value["algorithm"..i].type = "hidden"
 else
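Review bot: The `file` handle opened on the first context line of the mksalt hunk is not closed anywhere in the hunk, and mksalt's body continues past it; if the close is not done there, each password change leaks a descriptor on /dev/urandom. `string.byte(file:read(1))` also raises rather than returning nil if a read ever comes back short, which the `if file == nil` guard does not cover. The new constant deserves a comment so the next reader does not "fix" it back to 16, e.g. `-- 22 chars: the longest salt any offered scheme uses (bcrypt); DES/MD5/SHA-crypt presumably read only a prefix`.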
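Review bot: `$2a$07$` on the added line hard-codes a bcrypt cost of 7 (2^7 rounds) into the Blowfish option, which is on the low side for a password store; the same literal appears in the get_passwd hunk at -567. If 07 is a deliberate choice for the target hardware, say so where the literal lives, e.g. `-- $2a$07$: bcrypt at cost 2^7; raise the cost if the box can afford the CPU`; otherwise consider a higher cost. Because the select stays hidden and the default remains `$6$`, only users who explicitly choose Blowfish are affected.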
@@ -567,7 +567,7 @@ function mymodule.get_passwd(self, clientdata)
 retval.value.oldpassword = cfe({ type="password", label="Current Password", seq=4 })
 retval.value.password = cfe({ type="password", label="New Password", seq=5 })
 retval.value.password_confirm = cfe({ type="password", label="New Password (confirm)", seq=6 })
-retval.value.algorithm = cfe({ type="select", value="$6$", label="Algorithm", option={{value="", label="DES"}, {value="$1$", label="MD5"}, {value="$2$", label="Blowfish"}, {value="$2a$", label="eksblowfish"}, {value="$5$", label="SHA-256"}, {value="$6$", label="SHA-512"}}, seq=i })
+retval.value.algorithm = cfe({ type="select", value="$6$", label="Algorithm", option={{value="", label="DES"}, {value="$1$", label="MD5"}, {value="$2a$07$", label="Blowfish"}, {value="$5$", label="SHA-256"}, {value="$6$", label="SHA-512"}}, seq=i })
 -- Hide the algorithm so user does not use insecure algorithms unless they REALLY want to
 retval.value.algorithm.type = "hidden"
 end
@@ -588,16 +588,11 @@ function mymodule.update_passwd(self, passwd)
 local form,pwhash = get_passwd_entry_private(self, {filename=passwd.value.filename.value, entry=passwd.value.entry.value}, false)
 -- Validate the old password
-local success = false
-passwd.value.oldpassword.errtxt = "Incorrect password"
-local algo_salt, hash = string.match(pwhash, "^(%$%d%$[a-zA-Z0-9./]+%$)(.*)")
-if not algo_salt then algo_salt = string.sub(pwhash, 1, 3) end
-if algo_salt ~= nil then
-if (pwhash == posix.crypt(passwd.value.oldpassword.value, algo_salt)) then
-success = true
-passwd.value.oldpassword.errtxt = nil
-end
-end
+local success = true
+if (pwhash ~= posix.crypt(passwd.value.oldpassword.value, pwhash)) then
+success = false
+passwd.value.oldpassword.errtxt = "Incorrect password"
+end
 -- Validate the new password
 if passwd.value.password.value ~= passwd.value.password_confirm.value then |
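Review bot: `seq=i` at the end of the added algorithm line in get_passwd refers to `i`, which the sibling fields (`seq=4`..`seq=6`) suggest is not a loop variable here; unless `i` is assigned earlier in get_passwd, outside the hunk, the field's seq is nil (or a stray global). The line was carried over from the removed version rather than introduced by this commit, but since it is being rewritten anyway, `seq=7` would make the ordering explicit. get_passwd's body starts before this hunk.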
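Review bot: Passing the stored hash back as the salt is the right crypt(3) idiom, but the rewrite in update_passwd drops the only nil guard the old code had (`if algo_salt ~= nil`). If get_passwd_entry_private can return a nil or empty `pwhash` (an entry with no password yet — not visible from the hunk), `posix.crypt(..., pwhash)` will either raise, or return nil and make `nil ~= nil` false, in which case `success` stays true and the current-password check is bypassed. Decide that case explicitly, e.g. `if not pwhash or pwhash == "" or pwhash ~= posix.crypt(passwd.value.oldpassword.value, pwhash) then`, or treat an empty hash as "no current password" if that is the intended semantics. update_passwd's body continues past the hunk.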