
Ticket 49336 - SECURITY 1.3.5.x: Locked account provides different return code

Backport to 1.3.5.x

Bug Description: The directory server password lockout policy prevents binds
from operating once a threshold of failed passwords has been met. During
this lockout, if you bind with a successful password, a different error code
is returned. This means that an attacker has no ratelimit or penalty during
an account lock, and can continue to attempt passwords via bruteforce, using
the change in return code to ascertain a successful password auth.

Fix Description: Move the account lock check *before* the password bind
check. If the account is locked, we do not mind disclosing this as the
attacker will either ignore it (and will not bind anyway), or they will
be forced to back off as the attack is not working, preventing the
bruteforce.

https://pagure.io/389-ds-base/issue/49336

Author: wibrown

Review by: mreynolds (thanks)
William Brown, 8 years ago
parent
commit
4cce1663f6
1 file changed, 5 insertions and 4 deletions

+ 5 - 4
ldap/servers/slapd/bind.c

@@ -722,10 +722,7 @@ do_bind( Slapi_PBlock *pb )
             }
             slapi_pblock_set( pb, SLAPI_PLUGIN, be->be_database );
             set_db_default_result_handlers(pb);
-            if ( (rc != 1) && 
-                 (auto_bind || 
-                  (((rc = (*be->be_bind)( pb )) == SLAPI_BIND_SUCCESS) ||
-                   (rc == SLAPI_BIND_ANONYMOUS))) ) {
+            if ( rc != 1) {
                 long t;
                 char* authtype = NULL;
                 /* rc is SLAPI_BIND_SUCCESS or SLAPI_BIND_ANONYMOUS */
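Review bot: the comment `/* rc is SLAPI_BIND_SUCCESS or SLAPI_BIND_ANONYMOUS */` just below the new `if ( rc != 1) {` is now stale: with the `(*be->be_bind)( pb )` call removed from this condition, all that is known on entry to the block is that `rc != 1`, and the backend bind result is not determined until later in the function. Update the comment to say that the pre-bind checks passed and that `be_bind` runs after the lockout check, so a later reader does not assume the password has already been verified at this point. Minor: `if ( rc != 1) {` has unbalanced spacing against the surrounding `( pb )` style.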
@@ -783,6 +780,10 @@ do_bind( Slapi_PBlock *pb )
                         myrc = 0;
                     }
                     if (!auto_bind) {
+                        rc = (*be->be_bind)( pb );
+                        if (rc != SLAPI_BIND_SUCCESS && rc != SLAPI_BIND_ANONYMOUS) {
+                            goto account_locked;
+                        }
                         /* 
                          * There could be a race that bind_target_entry was not added 
                          * when bind_target_entry was retrieved before be_bind, but it
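Review bot: the new `goto account_locked;` on a `be_bind` failure routes every ordinary failed bind, not only locked accounts, through a label that is outside this hunk, so its behaviour becomes load-bearing for the non-locked case. Please confirm that the code at `account_locked` does not itself send a locked-account result for a plain invalid-credentials failure, and that the result already sent by `be_bind` (which the old combined condition relied on) is not followed by a second result on the same operation. A one-line comment at the `goto` stating which path is expected to have sent the LDAP result would make this explicit; a label name such as `bind_failed` would also read more accurately than `account_locked` for this jump.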