From 79df668b5df59813ffbb6192eecfb687bccbc0eb Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Nov 06 2014 09:56:19 +0000
Subject: Ensure that a password exists after OTP validation


Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.

This patch resolves CVE-2014-7828.

https://fedorahosted.org/freeipa/ticket/4690

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 60ceaaa..1f595d0 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1446,12 +1446,12 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 
     /* Try to do OTP first. */
     syncreq = sync_request_present(pb);
-    if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials)) {
-        slapi_entry_free(entry);
-        slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
-                               NULL, NULL, 0, NULL);
-        return 1;
-    }
+    if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials))
+        goto invalid_creds;
+
+    /* Ensure that there is a password. */
+    if (credentials->bv_len == 0)
+        goto invalid_creds;
 
     /* Authenticate the user. */
     ret = ipapwd_authenticate(dn, entry, credentials);
@@ -1461,18 +1461,20 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
     }
 
     /* Attempt to handle a token synchronization request. */
-    if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn)) {
-        slapi_entry_free(entry);
-        slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
-                               NULL, NULL, 0, NULL);
-        return 1;
-    }
+    if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn))
+        goto invalid_creds;
 
     /* Attempt to write out kerberos keys for the user. */
     ipapwd_write_krb_keys(pb, dn, entry, credentials);
 
     slapi_entry_free(entry);
     return 0;
+
+invalid_creds:
+    slapi_entry_free(entry);
+    slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
+                           NULL, NULL, 0, NULL);
+    return 1;
 }
 
 /* Init pre ops */