File 0007-Ticket-bz1358565-clear-and-unsalted-password-types-a.patch of Package 389-ds.2045
From 7c0827718562d2af17216292b46aec639bef7500 Mon Sep 17 00:00:00 2001 From: Noriko Hosoi <nhosoi@redhat.com> Date: Mon, 8 Aug 2016 10:12:33 -0700 Subject: [PATCH 07/14] Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack Description: Fixing a compiler warning introduced by commit f0e03b5a51972a125fe78f448d1f68e288782d1e. (cherry picked from commit c62ea0c98445d31fb55baebe9778fe860b3266ea) (cherry picked from commit 3d92679cf97518aedcf6534ac5967edf8d2c9d28) --- ldap/servers/plugins/pwdstorage/clear_pwd.c | 32 ++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c index 84dac2a5a..b9b362d34 100644 --- a/ldap/servers/plugins/pwdstorage/clear_pwd.c +++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c 
@@ -25,7 +25,37 @@ int clear_pw_cmp( const char *userpwd, const char *dbpwd ) { - return( strcmp( userpwd, dbpwd )); + int result = 0; + int len_user = strlen(userpwd); + int len_dbp = strlen(dbpwd); + if ( len_user != len_dbp ) { + result = 1; + } + /* We have to do this comparison ANYWAY else we have a length timing attack. */ + if ( len_user >= len_dbp ) { + /* + * If they are the same length, result will be 0 here, and if we pass + * the check, we don't update result either. IE we pass. + * However, even if the first part of userpw matches dbpwd, but len !=, we + * have already failed anyawy. This prevents substring matching. + */ + if (slapi_ct_memcmp(userpwd, dbpwd, len_dbp) != 0) { + result = 1; + } + } else { + /* + * If we stretched the userPassword, we'll allow a new timing attack, where + * if we see a delay on a short pw, we know we are stretching. + * when the delay goes away, it means we've found the length. + * Instead, because we don't want to use the short pw for comp, we just compare + * dbpwd to itself. We have already got result == 1 if we are here, so we are + * just trying to take up time! + */ + if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp)) { + /* Do nothing, we have the if to fix a coverity check. */ + } + } + return result; } char * -- 2.15.1
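Review bot: `len_user` and `len_dbp` at the top of `clear_pw_cmp` are declared `int` but are assigned from `strlen()`, and `len_dbp` is then used as the byte count for both `slapi_ct_memcmp` calls; declaring both as `size_t` avoids the narrowing conversion and keeps the equality and `>=` checks in the type `strlen()` returns. The function now returns only 0 or 1 where `strcmp` returned a signed ordering, so a short comment on the function stating that callers may only test for zero would document the new contract. The Description line mentions only a compiler warning, while this hunk replaces the `strcmp` call with the full length check and constant-time comparison; the message should say so for anyone reading the cherry-pick on its own. Minor: "anyawy" in the first block comment should read "anyway".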