Ticket 49027 - on secfailure do not store cleartext password content

Bug Description: During development of the pbkdf2 module, I noticed that when the backend was unable to hash the password content, the password was stored as {CLEAR}<password> into the database. This may be considered a leak of password material as we write it clear text to disk. Fix Description: If the pw_enc callback from the password module returns any value except 0, we return an unwilling to perform, and generate an error to the error log. This prevents the leak, and notifies the admin and user of the issue quickly. https://fedorahosted.org/389/ticket/49027 Author: wibrown Review by: nhosoi (Thanks!)
389ds · Jan 11, 2017 · 9835e2b · 9835e2b
1 parent dfcef18
commit 9835e2b
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
@@ -567,7 +567,11 @@ static void op_shared_add (Slapi_PBlock *pb)
 				valuearray_add_valuearray(&unhashed_password_vals,
 				                          present_values, 0);
 				valuearray_add_valuearray(&vals, present_values, 0);
-				pw_encodevals_ext(pb, slapi_entry_get_sdn (e), vals);
+				if (pw_encodevals_ext(pb, slapi_entry_get_sdn (e), vals) != 0) {
+					slapi_log_err(SLAPI_LOG_CRIT, "op_shared_add", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
+					send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
+					goto done;
+				}
 				add_password_attrs(pb, operation, e);
 				slapi_entry_attr_replace_sv(e, SLAPI_USERPWD_ATTR, vals);
 				valuearray_free(&vals);

diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
@@ -959,7 +959,11 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 			valuearray_init_bervalarray(pw_mod->mod_bvalues, &va);
 
 			/* encode password */
-			pw_encodevals_ext(pb, sdn, va);
+			if (pw_encodevals_ext(pb, sdn, va) ) {
+				slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
+				send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
+				goto free_and_return;
+			}
 
 			/* remove current clear value of userpassword */
 			ber_bvecfree(pw_mod->mod_bvalues);