Issue 7468 - RFE - Add HIBP HTTP client#7469
Open
jchapma wants to merge 2 commits into389ds:mainfrom
Open
Conversation
Description: Implement an HTTP client for querying the Have I Been Pwned (HIBP) Pwned Passwords API using the k-anonymity model. This is the first commit toward password breach detection in 389 Directory Server. Requires libcurl (optional dependency, enabled via --enable-hibp). - HTTP transport using libcurl - SHA-1 hashing via NSS - Unit tests with mock transport Fixes: 389ds#7468 Reviewed by:
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- The global
g_mock_responseandhibp_set_mock_response()are not thread-safe and are exposed in the production header; consider confining this mocking mechanism to test-only builds (e.g., via#ifdef TESTor a separate test header) or making it thread-safe to avoid races if used concurrently. - The public
hibp.hcurrently exposes several test-only helpers (hibp_parse_response_wrapper,hibp_write_callback_wrapper,hibp_set_mock_response); it would be cleaner to hide these behind a test-only interface so that the production ABI only exposes the actual client API.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The global `g_mock_response` and `hibp_set_mock_response()` are not thread-safe and are exposed in the production header; consider confining this mocking mechanism to test-only builds (e.g., via `#ifdef TEST` or a separate test header) or making it thread-safe to avoid races if used concurrently.
- The public `hibp.h` currently exposes several test-only helpers (`hibp_parse_response_wrapper`, `hibp_write_callback_wrapper`, `hibp_set_mock_response`); it would be cleaner to hide these behind a test-only interface so that the production ABI only exposes the actual client API.
## Individual Comments
### Comment 1
<location path="ldap/servers/slapd/hibp_client.c" line_range="511" />
<code_context>
+ prefix[HIBP_SHA1_HEX_PREFIX_LEN] = '\0';
+ strcpy(suffix, sha1_hex + HIBP_SHA1_HEX_PREFIX_LEN);
+
+ slapi_log_err(SLAPI_LOG_DEBUG, "hibp_check_password", "Checking prefix: %s\n", prefix);
+
+ /* Configure timeout */
</code_context>
<issue_to_address>
**🚨 issue (security):** Avoid logging the hash prefix, as it may expose sensitive password-derived data into logs.
Because the prefix is still derived from user passwords, it may be treated as sensitive in some environments. Please either remove this log, restrict it to a very-verbose/debug-only path, or log only generic status without the prefix value.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
|
Congratulations! One of the builds has completed. 🍾 You can install the built RPMs by following these steps:
Please note that the RPMs should be used only in a testing environment. |
vashirov
reviewed
May 5, 2026
Member
vashirov
left a comment
vashirov
left a comment
There was a problem hiding this comment.
For the testing (at this stage at least compilation), please add changes to the spec file (BuildRequires for libcurl-devel and configure options), thanks!
| [], [enable_hibp=no]) | ||
| if test "x$enable_hibp" = "xyes"; then | ||
| AC_MSG_RESULT(yes) | ||
| PKG_CHECK_MODULES([CURL], [libcurl >= 7.40.0]) |
Member
There was a problem hiding this comment.
This is quite an old version from 2015, I think we should use at least 7.61 (available in RHEL8) that contains CVE fixes.
| #include <curl/curl.h> | ||
| #include <pk11pub.h> | ||
|
|
||
| #define HIBP_API_URL "https://api.pwnedpasswords.com/range/" |
Member
There was a problem hiding this comment.
This currently works with the official HIBP API, but doesn't work with easypwned (different API). Would be nice in the future to allow defining custom offline servers.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
Implement an HTTP client for querying the Have I Been Pwned (HIBP) Pwned Passwords API using the k-anonymity model. This is the first commit toward password breach detection in 389 Directory Server. Requires libcurl (optional dependency, enabled via --enable-hibp).
Fixes: #7468
Reviewed by:
Summary by Sourcery
Introduce an optional HIBP-based password breach checking client and wire it into the slapd password policy with supporting configuration, build flags, and tests.
New Features:
Enhancements:
Build:
Tests: