Bug 1931885
| Summary: | LDAP unprotected search query during certificate based authentication | | |
|---|---|---|---|
| Product: | Red Hat Directory Server | Reporter: | Cedric Buissart <cbuissar> |
| Component: | 389-ds-base | Assignee: | LDAP Maintainers <idm-ds-dev-bugs> |
| Status: | CLOSED MIGRATED | QA Contact: | LDAP QA Team <idm-ds-qe-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 12.1 | CC: | idm-ds-dev-bugs, mreynolds, pasik, tbordaz |
| Target Milestone: | DS12.5 | Keywords: | Triaged |
| Target Release: | dirsrv-12.5 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | sync-to-jira | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2024-06-26 13:46:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
This BZ has been automatically migrated to Red Hat Issue Tracker https://issues.redhat.com/browse/DIRSRV-44. All future work related to this report will be managed there. Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information. In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.
Description of problem:

During certificate based client authentication, certmap may be configured to use the user cert's subjectDN to look for a match. The subjectDN is however not protected (escaped) and may be used to sabotage the search. In certain circumstances, it may prevent a certificate from authenticating properly (e.g. if the subjectDN contains a legitimate `*`, it might match several users and not authenticate at all). This is not considered a security flaw, since it still requires a trusted CA to have signed the certificate.

Version-Release number of selected component (if applicable): all

How reproducible: 100%

Steps to Reproduce:

1. Enable cert based auth, and configure certmap so that it uses the subject to match. e.g.:

```
default:CmapLdapAttr nsCertSubjectDN
```

2. Create a user with a `nsCertSubjectDN`
3. Create a certificate with a subject containing a `*`

Actual results: The certificate will match against the user.

Expected results: No match, since the subject is actually different.

Additional info: Lines 775 & 778

```c
748 static int
749 ldapu_cert_searchfn_default(void *cert, LDAP *ld, void *certmap_info_in, const char *basedn, const char *dn, const char *filter, const char **attrs, LDAPMessage ***res)
750 {
751     int rv = LDAPU_FAILED;
752     const char *ldapdn;
753     LDAPUCertMapInfo_t *certmap_info = (LDAPUCertMapInfo_t *)certmap_info_in;
754     LDAPMessage *single_res = NULL;
755     LDAPMessage **multiple_res = NULL;
756
757
758     if (certmap_info && certmap_info->searchAttr) {
759         char *subjectDN = 0;
760         char *certFilter = 0;
761         int len;
762
763         rv = ldapu_get_cert_subject_dn(cert, &subjectDN);
764
765         if (rv != LDAPU_SUCCESS || !subjectDN) {
766             return rv;
767         }
768         len = strlen(certmap_info->searchAttr) + strlen(subjectDN) +
769               strlen("=") + 1;
770         certFilter = (char *)ldapu_malloc(len * sizeof(char));
771         if (!certFilter) {
772             free(subjectDN);
773             return LDAPU_ERR_OUT_OF_MEMORY;
774         }
775         sprintf(certFilter, "%s=%s", certmap_info->searchAttr, subjectDN); // <= The filter doesn't protect subjectDN
776         free(subjectDN);
777         if (ldapu_strcasecmp(basedn, "")) {
778             rv = ldapu_find(ld, basedn, LDAP_SCOPE_SUBTREE, certFilter, attrs, 0, &single_res);
779             ldapu_free((void *)certFilter);
780             if (rv == LDAPU_SUCCESS || rv == LDAPU_ERR_MULTIPLE_MATCHES) {
```
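As an added illustration (not code from 389-ds-base or from this report), the fix is to escape the subject DN per RFC 4515 section 3 before it is concatenated into the filter, so a `*`, `(`, `)` or `\` in the subject is matched literally instead of being interpreted by the filter parser. The function names below are hypothetical; the `"%s=%s"` layout mirrors line 775 of the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
 * Filter metacharacters are replaced by a backslash and two hex digits;
 * all other bytes are copied unchanged. Returns a malloc'd string or NULL.
 * (Embedded NUL cannot occur in a C string, so the "\00" case is not needed.)
 * Hypothetical helper written for this bug report, not 389-ds-base code. */
char *
ldap_filter_escape_value(const char *value)
{
    size_t len = strlen(value);
    /* Worst case every byte expands to three characters ("\xx"). */
    char *out = malloc(len * 3 + 1);
    if (!out) {
        return NULL;
    }
    char *p = out;
    for (const unsigned char *s = (const unsigned char *)value; *s; s++) {
        switch (*s) {
        case '*':
        case '(':
        case ')':
        case '\\':
            p += sprintf(p, "\\%02x", (unsigned)*s);
            break;
        default:
            *p++ = (char)*s;
        }
    }
    *p = '\0';
    return out;
}

/* Build "attr=value" as the report's line 775 does, but with the subject DN
 * escaped first, so a subject such as "CN=*,O=Example" cannot become a
 * wildcard. Hypothetical helper; returns a malloc'd string or NULL. */
char *
build_certmap_filter(const char *search_attr, const char *subject_dn)
{
    char *escaped = ldap_filter_escape_value(subject_dn);
    if (!escaped) {
        return NULL;
    }
    size_t len = strlen(search_attr) + strlen("=") + strlen(escaped) + 1;
    char *filter = malloc(len);
    if (filter) {
        snprintf(filter, len, "%s=%s", search_attr, escaped);
    }
    free(escaped);
    return filter;
}
```

With the escaped value, a certificate subject containing `*` produces the filter `nsCertSubjectDN=CN=\2a,O=Example`, which only matches an entry whose attribute literally contains the asterisk.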