authorNathaniel McCallum <npmccallum@redhat.com>2014-11-05 13:50:41 -0500
committerPetr Vobornik <pvoborni@redhat.com>2014-11-06 10:56:19 +0100
commit79df668b5df59813ffbb6192eecfb687bccbc0eb (patch)
tree16adc3b29fab5b4b1c978356e3ac74158f5c11bc /daemons
parent730f33680b7254622659eec2e48399ef7033a477 (diff)
Ensure that a password exists after OTP validation
Before this patch users could log in using only the OTP value. This arose because ipapwd_authentication() successfully determined that an empty password was invalid, but 389 itself would see this as an anonymous bind. An anonymous bind would never even get this far in this code, so we simply deny requests with empty passwords. This patch resolves CVE-2014-7828. https://fedorahosted.org/freeipa/ticket/4690 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c26
1 files changed, 14 insertions, 12 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 60ceaaa7a..1f595d01d 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1446,12 +1446,12 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
/* Try to do OTP first. */
syncreq = sync_request_present(pb);
- if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials)) {
- slapi_entry_free(entry);
- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
- NULL, NULL, 0, NULL);
- return 1;
- }
+ if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials))
+ goto invalid_creds;
+
+ /* Ensure that there is a password. */
+ if (credentials->bv_len == 0)
+ goto invalid_creds;
/* Authenticate the user. */
ret = ipapwd_authenticate(dn, entry, credentials);
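Review bot: The new comment `/* Ensure that there is a password. */` above the `credentials->bv_len == 0` check does not record why the check has to sit after the OTP step rather than before it, which is the substance of the fix and currently lives only in the commit message. Presumably ipapwd_pre_bind_otp() strips the token portion from `credentials`, so the remainder can be empty even when the client sent a non-empty value, and an empty bind password handed on to 389-ds would be treated as an anonymous bind instead of a failed authentication. I would expand the comment to `/* After OTP handling the remaining credential may be empty; 389-ds would treat an empty bind password as an anonymous bind, so reject it here (CVE-2014-7828). Keep this after ipapwd_pre_bind_otp(). */` so the ordering is not "tidied" later. ipapwd_pre_bind's body begins and ends outside this hunk.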
@@ -1461,18 +1461,20 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
}
/* Attempt to handle a token synchronization request. */
- if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn)) {
- slapi_entry_free(entry);
- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
- NULL, NULL, 0, NULL);
- return 1;
- }
+ if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn))
+ goto invalid_creds;
/* Attempt to write out kerberos keys for the user. */
ipapwd_write_krb_keys(pb, dn, entry, credentials);
slapi_entry_free(entry);
return 0;
+
+invalid_creds:
+ slapi_entry_free(entry);
+ slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
+ NULL, NULL, 0, NULL);
+ return 1;
}
/* Init pre ops */