From 9835e2b94e675f2c7b0922e1084e292f44f98c92 Mon Sep 17 00:00:00 2001 From: William Brown Date: Jan 11 2017 23:05:24 +0000 Subject: Ticket 49027 - on secfailure do not store cleartext password content Bug Description: During development of the pbkdf2 module, I noticed that when the backend was unable to hash the password content, the password was stored as {CLEAR} into the database. This may be considered a leak of password material as we write it clear text to disk. Fix Description: If the pw_enc callback from the password module returns any value except 0, we return an unwilling to perform, and generate an error to the error log. This prevents the leak, and notifies the admin and user of the issue quickly. https://fedorahosted.org/389/ticket/49027 Author: wibrown Review by: nhosoi (Thanks!)
---
diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
index 8e671bb..1b994a0 100644
--- a/ldap/servers/slapd/add.c
+++ b/ldap/servers/slapd/add.c
@@ -567,7 +567,11 @@ static void op_shared_add (Slapi_PBlock *pb)
 valuearray_add_valuearray(&unhashed_password_vals, present_values, 0);
 valuearray_add_valuearray(&vals, present_values, 0);
- pw_encodevals_ext(pb, slapi_entry_get_sdn (e), vals);
+ if (pw_encodevals_ext(pb, slapi_entry_get_sdn (e), vals) != 0) {
+ slapi_log_err(SLAPI_LOG_CRIT, "op_shared_add", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
+ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
+ goto done;
+ }
 add_password_attrs(pb, operation, e);
 slapi_entry_attr_replace_sv(e, SLAPI_USERPWD_ATTR, vals);
 valuearray_free(&vals);
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 51bf057..4bef90a 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
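Review bot: The new failure branch in op_shared_add jumps to `done` before the `valuearray_free(&vals);` that the success path reaches three lines later, so the copy of the cleartext password values held in `vals` may stay allocated when hashing fails. The `done` label is outside the hunk, so this applies only if the cleanup there does not already release `vals`; if it does not, add `valuearray_free(&vals);` immediately before `goto done;`. The same question applies to `va` on the `goto free_and_return;` path in the modify.c hunk. A one-line comment on the branch, such as `/* never fall back to storing the cleartext value */`, would also record why the return code is now checked.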
@@ -959,7 +959,11 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 valuearray_init_bervalarray(pw_mod->mod_bvalues, &va);
 /* encode password */
- pw_encodevals_ext(pb, sdn, va);
+ if (pw_encodevals_ext(pb, sdn, va) ) {
+ slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
+ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
+ goto free_and_return;
+ }
 /* remove current clear value of userpassword */
 ber_bvecfree(pw_mod->mod_bvalues);
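Review bot: The log call in the new branch takes the DN from `slapi_entry_get_dn_const(e)` while the encode call just above it works from `sdn`, and nothing in the hunk shows that `e` is set and non-NULL at this point in op_shared_modify. If `e` can be NULL here, the path meant to report a hashing failure would itself fault; logging from the value already in hand, e.g. `slapi_sdn_get_dn(sdn)`, removes that dependency. The condition is also written `if (pw_encodevals_ext(pb, sdn, va) )` here but with an explicit `!= 0` in add.c; using `!= 0` in both places keeps the two checks identical. The function body starts and ends outside the hunk.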