CVE-2020-1722: prevent use of too long passwords

NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2:

https://pages.nist.gov/800-63-3/sp800-63b.html#appA

	Users should be encouraged to make their passwords as lengthy as they
	want, within reason. Since the size of a hashed password is independent
	of its length, there is no reason not to permit the use of lengthy
	passwords (or pass phrases) if the user wishes. Extremely long passwords
	(perhaps megabytes in length) could conceivably require excessive
	processing time to hash, so it is reasonable to have some limit.

FreeIPA already applied 256 characters limit for non-random passwords
set through ipa-getkeytab tool. The limit was not, however, enforced in
other places.

MIT Kerberos limits the length of the password to 1024 characters in its
tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
differentiate between a password larger than 1024 and a password of 1024
characters. As a result, longer passwords are silently cut off.

To prevent silent cut off for user passwords, use limit of 1000
characters.

Thus, this patch enforces common limit of 1000 characters everywhere:
 - LDAP-based password changes
   - LDAP password change control
   - LDAP ADD and MOD operations on clear-text userPassword
   - Keytab setting with ipa-getkeytab
 - Kerberos password setting and changing

Fixes: https://pagure.io/freeipa/issue/8268

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>

ipatests/test_integration/test_commands.py

@@ -35,7 +35,7 @@ from ipatests.pytest_ipa.integration import tasks
 from ipaplatform.tasks import tasks as platform_tasks
 from ipatests.create_external_ca import ExternalCA
 from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
-from ipapython.ipautil import realm_to_suffix
+from ipapython.ipautil import realm_to_suffix, ipa_generate_password
 
 logger = logging.getLogger(__name__)
 
@@ -445,6 +445,84 @@ class TestIPACommand(IntegrationTest):
         except CalledProcessError:
             pytest.fail("Password change failed when it should not")
 
+    def test_huge_password(self):
+        user = 'toolonguser'
+        hostname = 'toolong.{}'.format(self.master.domain.name)
+        huge_password = ipa_generate_password(min_len=1536)
+        original_passwd = 'Secret123'
+        master = self.master
+        base_dn = str(master.domain.basedn)
+
+        # Create a user with a password that is too long
+        tasks.kinit_admin(master)
+        add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=huge_password)
+        result = master.run_command(['ipa', 'user-add', user,
+                                     '--first', user,
+                                     '--last', user,
+                                     '--password'],
+                                    stdin_text=add_password_stdin_text,
+                                    raiseonerr=False)
+        assert result.returncode != 0
+
+        # Try again with a normal password
+        add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=original_passwd)
+        master.run_command(['ipa', 'user-add', user,
+                            '--first', user,
+                            '--last', user,
+                            '--password'],
+                           stdin_text=add_password_stdin_text)
+
+        # kinit as that user in order to modify the pwd
+        user_kinit_stdin_text = "{old}\n%{new}\n%{new}\n".format(
+            old=original_passwd,
+            new=original_passwd)
+        master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text)
+        # sleep 1 sec (krblastpwdchange and krbpasswordexpiration have at most
+        # a 1s precision)
+        time.sleep(1)
+        # perform ldapmodify on userpassword as dir mgr
+        entry_ldif = textwrap.dedent("""
+            dn: uid={user},cn=users,cn=accounts,{base_dn}
+            changetype: modify
+            replace: userpassword
+            userpassword: {new_passwd}
+        """).format(
+            user=user,
+            base_dn=base_dn,
+            new_passwd=huge_password)
+
+        result = tasks.ldapmodify_dm(master, entry_ldif, raiseonerr=False)
+        assert result.returncode != 0
+
+        # ask_password in ipa-getkeytab will complain about too long password
+        keytab_file = os.path.join(self.master.config.test_dir,
+                                   'user.keytab')
+        password_stdin_text = "{pwd}\n{pwd}".format(pwd=huge_password)
+        result = self.master.run_command(['ipa-getkeytab',
+                                          '-p', user,
+                                          '-P',
+                                          '-k', keytab_file,
+                                          '-s', self.master.hostname],
+                                         stdin_text=password_stdin_text,
+                                         raiseonerr=False)
+        assert result.returncode != 0
+        assert "clear-text password is too long" in result.stderr_text
+
+        # Create a host with a user-set OTP that is too long
+        tasks.kinit_admin(master)
+        result = master.run_command(['ipa', 'host-add', '--force',
+                                     hostname,
+                                     '--password', huge_password],
+                                    raiseonerr=False)
+        assert result.returncode != 0
+
+        # Try again with a valid password
+        result = master.run_command(['ipa', 'host-add', '--force',
+                                     hostname,
+                                     '--password', original_passwd],
+                                    raiseonerr=False)
+        assert result.returncode == 0
+
     def test_change_selinuxusermaporder(self):
         """
         An update file meant to ensure a more sane default was