From a4505caea4e4905e1756f31779c315de979f8f2c Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Wed, 5 Nov 2014 13:50:41 -0500
Subject: [PATCH] Ensure that a password exists after OTP validation

Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.

This patch resolves CVE-2014-7828.

https://fedorahosted.org/freeipa/ticket/4690

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 26 ++++++++++++-----------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 60ceaaa7ab0cd282efb45f1a89de9dbd240a452c..1f595d01d986ca2950672d796d62f5f78b05c212 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1446,12 +1446,12 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 
     /* Try to do OTP first. */
     syncreq = sync_request_present(pb);
-    if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials)) {
-        slapi_entry_free(entry);
-        slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
-                               NULL, NULL, 0, NULL);
-        return 1;
-    }
+    if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials))
+        goto invalid_creds;
+
+    /* Ensure that there is a password. */
+    if (credentials->bv_len == 0)
+        goto invalid_creds;
 
     /* Authenticate the user. */
     ret = ipapwd_authenticate(dn, entry, credentials);
@@ -1461,18 +1461,20 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
     }
 
     /* Attempt to handle a token synchronization request. */
-    if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn)) {
-        slapi_entry_free(entry);
-        slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
-                               NULL, NULL, 0, NULL);
-        return 1;
-    }
+    if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn))
+        goto invalid_creds;
 
     /* Attempt to write out kerberos keys for the user. */
     ipapwd_write_krb_keys(pb, dn, entry, credentials);
 
     slapi_entry_free(entry);
     return 0;
+
+invalid_creds:
+    slapi_entry_free(entry);
+    slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
+                           NULL, NULL, 0, NULL);
+    return 1;
 }
 
 /* Init pre ops */
-- 
2.1.0