[Freeipa-devel] [PATCH 0051] Validate OTP during password change requests

2014-05-06 Thread Nathaniel McCallum
The pwdch extop would just validate the old password before setting the
new one. Because this operation returns INVALID_CREDENTIALS when the
password is wrong, it provides an opportunity to brute force the first
factor distinct from the second factor.

This patch causes the pwdch extop to validate the OTP as well. This
closes the above attack vector. It is also, conveniently, the behavior
most users will probably expect.

https://fedorahosted.org/freeipa/ticket/4248
From 1da047f41b3f07a3c659ee2f1a75be483d483359 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Fri, 2 May 2014 13:10:09 -0400
Subject: [PATCH] Validate OTP during password change requests

The pwdch extop would just validate the old password before setting the new
one. Because this operation returns INVALID_CREDENTIALS when the password is
wrong, it provides an opportunity to brute force the first factor distinct
from the second factor.

This patch causes the pwdch extop to validate the OTP as well. This closes
the above attack vector. It is also, conveniently, the behavior most
users will probably expect.

https://fedorahosted.org/freeipa/ticket/4248
---
 .../ipa-slapi-plugins/ipa-pwd-extop/Makefile.am|   1 +
 daemons/ipa-slapi-plugins/ipa-pwd-extop/authotp.c  | 129 +
 daemons/ipa-slapi-plugins/ipa-pwd-extop/authotp.h  |  64 ++
 .../ipa-pwd-extop/ipa_pwd_extop.c  |  14 ++-
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h   |   3 +-
 daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c  |  95 +--
 6 files changed, 210 insertions(+), 96 deletions(-)
 create mode 100644 daemons/ipa-slapi-plugins/ipa-pwd-extop/authotp.c
 create mode 100644 daemons/ipa-slapi-plugins/ipa-pwd-extop/authotp.h

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
index 4cf80ec802b40bb579a44fc9357c6a8119dab577..2045a6e6989115ba9e769a91ea38b768ed64c3f3 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
@@ -41,6 +41,7 @@ plugin_LTLIBRARIES = libipa_pwd_extop.la
 libipa_pwd_extop_la_LIBADD  = $(builddir)/../libotp/libotp.la
 libipa_pwd_extop_la_SOURCES = 		\
 	authcfg.c			\
+	authotp.c			\
 	common.c			\
 	encoding.c			\
 	prepost.c			\
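Review bot: the diffstat shows authotp.h is created by this patch, but this hunk adds only authotp.c to libipa_pwd_extop_la_SOURCES; list the header as well (next to `authotp.c`, or in whatever headers variable the Makefile already uses) so that `make dist` ships it and out-of-tree builds do not fail on the missing include.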
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authotp.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/authotp.c
new file mode 100644
index ..f309796cf7b0cbee0ec5151a0d934f2571a4781f
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/authotp.c
@@ -0,0 +1,129 @@
+/** BEGIN COPYRIGHT BLOCK
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see http://www.gnu.org/licenses/.
+ *
+ * Additional permission under GPLv3 section 7:
+ *
+ * In the following paragraph, GPL means the GNU General Public
+ * License, version 3 or any later version, and Non-GPL Code means
+ * code that is governed neither by the GPL nor a license
+ * compatible with the GPL.
+ *
+ * You may link the code of this Program with Non-GPL Code and convey
+ * linked combinations including the two, provided that such Non-GPL
+ * Code only links to the code of this Program through those well
+ * defined interfaces identified in the file named EXCEPTION found in
+ * the source code files (the Approved Interfaces). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline
+ * functions from the Approved Interfaces without causing the resulting
+ * work to be covered by the GPL. Only the copyright holders of this
+ * Program may make changes or additions to the list of Approved
+ * Interfaces.
+ *
+ * Authors:
+ * Nathaniel McCallum npmccal...@redhat.com
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+/*
+ * Authenticates creds against OTP tokens. Returns true when authentication
+ * completed successfully against a token OR when a user has no active tokens.
+ *
+ * WARNING: This function DOES NOT authenticate the first factor. Only the OTP
+ *  code is validated! You still need to validate the first factor.
+ *
+ * NOTE: When successful, this function truncates creds to remove the token
+ *   value at the end. This leaves only the password in creds for later
+ *   validation.
+ */
+
+#include authotp.h
+#include authcfg.h
+#include ipapwd.h
+
+#include util.h
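Review bot: the block comment describing the OTP check's contract ("Returns true when authentication completed successfully against a token OR when a user has no active tokens", the WARNING that the first factor is not validated, and the NOTE that creds is truncated in place) sits above the `#include` lines rather than on the function it documents; attach it to the function's declaration in authotp.h so the caller in ipa_pwd_extop.c sees that it must still validate the password and that creds is shorter afterwards. The comment should also state the result when the user does have active tokens but creds carries no OTP suffix (false, or the password-only probe this patch is meant to close remains possible) and whether creds is left untouched on failure.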
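The difference the cover letter describes, as an added illustration that is not FreeIPA's code: a constructed user with one HOTP token, the old password-only check beside a check that validates and strips the OTP suffix before the password is compared. The salt, password hash and token record are constructed; the token secret and counter come from the RFC 4226 test vectors.

```python
"""Password-change pre-check: first factor only vs. first factor + OTP.
Constructed example, not FreeIPA code: the old check lets a caller learn
whether the password alone is right; the hardened one requires both."""
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# Constructed user record; salt/hash stand in for the directory's userPassword,
# the token secret is the RFC 4226 test secret at counter 7.
USER = {
    "salt": b"constructed-salt",
    "pw_hash": hashlib.sha256(b"constructed-salt" + b"correct horse").digest(),
    "tokens": [{"secret": b"12345678901234567890", "counter": 7, "digits": 6}],
}

def password_ok(user: dict, password: str) -> bool:
    digest = hashlib.sha256(user["salt"] + password.encode()).digest()
    return hmac.compare_digest(digest, user["pw_hash"])

def vulnerable_check(user: dict, creds: str) -> bool:
    """Old behaviour: only the first factor is checked, so a caller can test
    password guesses on their own even when the user has an OTP token."""
    return password_ok(user, creds)

def hardened_check(user: dict, creds: str) -> bool:
    """Patched behaviour: validate the OTP suffix first, truncate it from creds,
    then validate the password. Users with no tokens keep password-only auth."""
    if not user["tokens"]:
        return password_ok(user, creds)
    for tok in user["tokens"]:
        n = tok["digits"]
        if len(creds) <= n or not creds[-n:].isdigit():
            continue
        if hmac.compare_digest(creds[-n:], hotp(tok["secret"], tok["counter"], n)):
            return password_ok(user, creds[:-n])  # both factors checked
    return False  # wrong or missing OTP: same verdict as a wrong password
```

A deployed check would also advance the HOTP counter (or accept a small look-ahead window) on success so a captured code cannot be replayed; that bookkeeping is left out here.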

Re: [Freeipa-devel] [PATCH 0051] Validate OTP during password change requests

2014-05-06 Thread Nathaniel McCallum
On Tue, 2014-05-06 at 08:28 -0400, Nathaniel McCallum wrote:
 The pwdch extop would just validate the old password before setting the
 new one. Because this operation returns INVALID_CREDENTIALS when the
 password is wrong, it provides an opportunity to brute force the first
 factor distinct from the second factor.
 
 This patch causes the pwdch extop to validate the OTP as well. This
 closes the above attack vector. It is also, conveniently, the behavior
 most users will probably expect.
 
 https://fedorahosted.org/freeipa/ticket/4248

This patch was posted for posterity/record. However, on the call this
morning we decided NOT to do this validation. Please do not review this
patch. :)

Nathaniel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel