Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1440691
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Build Identifier: The function ipapwd_cmp_password() in util/ipa_pwd.c uses memcmp() to compare password hashes [1]. memcmp() is vulnerable to remote timing side channel attacks. Sensitive data like password hashes should always be compared with a constant timing comparison function such as [2]. One the one hand, the right hand side of the comparison operation is not under full control of an attacker. It's a hash with an unknown salt. On the other hand the function uses very weak algorithms to hash passwords, neither key stretching nor key derivation with multiple rounds. It's a simple salted hash with one round of SHA1, SHA256, SHA384 or SHA512. [1] https://github.com/freeipa/freeipa/blob/master/util/ipa_pwd.c#L328 [2] https://github.com/python/cpython/blob/master/Modules/_operator.c#L716 Reproducible: Always
This compare operation is done only after user authentication, and is used to test that the new password being set is not the same as one of the old passwords.
So it requires valid credentials and it is checking on old hashes.
A constant time check may be nice, but the worst thing that could happen here is someone trying to probe for an old password after having stolen actual credentials and revealing itself by changing the password.
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1440691
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.7 backlog
Login to comment on this ticket.