From a4505caea4e4905e1756f31779c315de979f8f2c Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Wed, 5 Nov 2014 13:50:41 -0500
Subject: [PATCH] Ensure that a password exists after OTP validation
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.
This patch resolves CVE-2014-7828.
https://fedorahosted.org/freeipa/ticket/4690
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 26 ++++++++++++-----------
1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 60ceaaa7ab0cd282efb45f1a89de9dbd240a452c..1f595d01d986ca2950672d796d62f5f78b05c212 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1446,12 +1446,12 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 
/* Try to do OTP first. */
syncreq = sync_request_present(pb);
- if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials)) {
- slapi_entry_free(entry);
- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
- NULL, NULL, 0, NULL);
- return 1;
- }
+ if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials))
+ goto invalid_creds;
+
+ /* Ensure that there is a password. */
+ if (credentials->bv_len == 0)
+ goto invalid_creds;
 
/* Authenticate the user. */
ret = ipapwd_authenticate(dn, entry, credentials);
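Review bot: The new `credentials->bv_len == 0` guard is the entire security fix, yet its comment `/* Ensure that there is a password. */` does not say why an empty credential must be refused at this point, so a later reader cannot distinguish it from a cosmetic sanity check. I would replace the comment with `/* Reject an empty password here: once the OTP has been validated and consumed, an OTP-only bind leaves nothing to authenticate with, and 389-ds treats an empty credential as an anonymous bind rather than a failed one (CVE-2014-7828). */`, which restates what the commit message already establishes. The guard also dereferences `credentials` unconditionally on both the `syncreq` and non-`syncreq` paths; if the pblock can return a NULL credential for a bind that supplied none, the line should read `if (credentials == NULL || credentials->bv_len == 0)` — how `credentials` is fetched is above the hunk, since ipapwd_pre_bind starts outside it. The matching error path is the `invalid_creds` label introduced in the second hunk.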
@@ -1461,18 +1461,20 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
}
 
/* Attempt to handle a token synchronization request. */
- if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn)) {
- slapi_entry_free(entry);
- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
- NULL, NULL, 0, NULL);
- return 1;
- }
+ if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn))
+ goto invalid_creds;
 
/* Attempt to write out kerberos keys for the user. */
ipapwd_write_krb_keys(pb, dn, entry, credentials);
 
slapi_entry_free(entry);
return 0;
+
+invalid_creds:
+ slapi_entry_free(entry);
+ slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
+ NULL, NULL, 0, NULL);
+ return 1;
}
 
/* Init pre ops */
--
2.1.0