andykimpe / rpms / 389-ds-base

Forked from rpms/389-ds-base 6 months ago
Clone

Blame SOURCES/0037-Ticket-48228-wrong-password-check-if-passwordInHisto.patch

a2f18f
From a3d41922c0f211aa7602fb843f7cb4980f4bf285 Mon Sep 17 00:00:00 2001
a2f18f
From: Noriko Hosoi <nhosoi@redhat.com>
a2f18f
Date: Mon, 3 Aug 2015 18:49:58 -0700
a2f18f
Subject: [PATCH 37/39] Ticket #48228 - wrong password check if
a2f18f
 passwordInHistory is decreased.
a2f18f
a2f18f
Bug Description: When N passwords to be remembered (passwordInHistroy)
a2f18f
and N passwords are remembered, decreasing the passwordInHistory value
a2f18f
to M (< N) does not allow to use the oldest password which should have
a2f18f
been discarded from the history and should be allowed.
a2f18f
a2f18f
Fix Description: Before checking if the password is in the history or
a2f18f
not, adding a check the passwordInHistory value (M) is less than the
a2f18f
count of passwords remembered (N).  If M < N, discard the (N-M) oldest
a2f18f
passwords.
a2f18f
a2f18f
https://fedorahosted.org/389/ticket/48228
a2f18f
a2f18f
Reviewed by mreynolds@redhat.com (Thank you, Mark!!)
a2f18f
a2f18f
(cherry picked from commit 1a119125856006543aae0520b5800a8b52c3b049)
a2f18f
(cherry picked from commit dd85ee9c9ac24f1b141dd806943de236d2e44c90)
a2f18f
---
a2f18f
 ldap/servers/slapd/pw.c | 193 ++++++++++++++++++++++++++++--------------------
a2f18f
 1 file changed, 114 insertions(+), 79 deletions(-)
a2f18f
a2f18f
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
a2f18f
index f883010..3abebbf 100644
a2f18f
--- a/ldap/servers/slapd/pw.c
a2f18f
+++ b/ldap/servers/slapd/pw.c
a2f18f
@@ -613,7 +613,7 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw)
a2f18f
 	
a2f18f
 	/* update passwordHistory */
a2f18f
 	if ( old_pw != NULL && pwpolicy->pw_history == 1 ) {
a2f18f
-		update_pw_history(pb, sdn, old_pw);
a2f18f
+		(void)update_pw_history(pb, sdn, old_pw);
a2f18f
 		slapi_ch_free ( (void**)&old_pw );
a2f18f
 	}
a2f18f
 
a2f18f
@@ -654,8 +654,7 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw)
a2f18f
 	 */
a2f18f
 	if ((internal_op && pwpolicy->pw_must_change && (!pb->pb_conn || strcasecmp(target_dn, pb->pb_conn->c_dn))) ||
a2f18f
 	    (!internal_op && pwpolicy->pw_must_change &&
a2f18f
-	     ((target_dn && bind_dn && strcasecmp(target_dn, bind_dn)) && pw_is_pwp_admin(pb, pwpolicy))))
a2f18f
-	{
a2f18f
+	     ((target_dn && bind_dn && strcasecmp(target_dn, bind_dn)) && pw_is_pwp_admin(pb, pwpolicy)))) {
a2f18f
 		pw_exp_date = NO_TIME;
a2f18f
 	} else if ( pwpolicy->pw_exp == 1 ) {
a2f18f
 		Slapi_Entry *pse = NULL;
a2f18f
@@ -996,6 +995,7 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
a2f18f
 
a2f18f
 	/* get the entry and check for the password history if this is called by a modify operation */
a2f18f
 	if ( mod_op ) {
a2f18f
+retry:
a2f18f
 		/* retrieve the entry */
a2f18f
 		e = get_entry ( pb, dn );
a2f18f
 		if ( e == NULL ) {
a2f18f
@@ -1004,19 +1004,21 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
a2f18f
 
a2f18f
 		/* check for password history */
a2f18f
 		if ( pwpolicy->pw_history == 1 ) {
a2f18f
+			Slapi_Value **va = NULL;
a2f18f
 			attr = attrlist_find(e->e_attrs, "passwordHistory");
a2f18f
-			if (attr && 
a2f18f
-				!valueset_isempty(&attr->a_present_values))
a2f18f
-			{
a2f18f
-				Slapi_Value **va= attr_get_present_values(attr);
a2f18f
+			if (attr && !valueset_isempty(&attr->a_present_values)) {
a2f18f
+				/* Resetting password history array if necessary. */
a2f18f
+				if (0 == update_pw_history(pb, sdn, NULL)) {
a2f18f
+					/* There was an update in the password history.  Retry... */
a2f18f
+					slapi_entry_free(e); 
a2f18f
+					goto retry;
a2f18f
+				}
a2f18f
+				va = attr_get_present_values(attr);
a2f18f
 				if ( pw_in_history( va, vals[0] ) == 0 ) {
a2f18f
 					if ( pwresponse_req == 1 ) {
a2f18f
-						slapi_pwpolicy_make_response_control ( pb, -1, -1,
a2f18f
-							LDAP_PWPOLICY_PWDINHISTORY );
a2f18f
+						slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDINHISTORY);
a2f18f
 					}
a2f18f
-					pw_send_ldap_result ( pb, 
a2f18f
-						LDAP_CONSTRAINT_VIOLATION, NULL,
a2f18f
-						"password in history", 0, NULL );
a2f18f
+					pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL);
a2f18f
 					slapi_entry_free( e ); 
a2f18f
 					return ( 1 );
a2f18f
 				}
a2f18f
@@ -1024,26 +1026,17 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
a2f18f
 
a2f18f
 			/* get current password. check it and remember it  */
a2f18f
 			attr = attrlist_find(e->e_attrs, "userpassword");
a2f18f
-			if (attr && !valueset_isempty(&attr->a_present_values))
a2f18f
-			{
a2f18f
-				Slapi_Value **va= valueset_get_valuearray(&attr->a_present_values);
a2f18f
-				if (slapi_is_encoded((char*)slapi_value_get_string(vals[0]))) 
a2f18f
-				{
a2f18f
-					if (slapi_attr_value_find(attr, (struct berval *)slapi_value_get_berval(vals[0])) == 0 )
a2f18f
-					{
a2f18f
-						pw_send_ldap_result ( pb, 
a2f18f
-										   LDAP_CONSTRAINT_VIOLATION ,NULL,
a2f18f
-										   "password in history", 0, NULL);
a2f18f
+			if (attr && !valueset_isempty(&attr->a_present_values)) {
a2f18f
+				va = valueset_get_valuearray(&attr->a_present_values);
a2f18f
+				if (slapi_is_encoded((char*)slapi_value_get_string(vals[0]))) {
a2f18f
+					if (slapi_attr_value_find(attr, (struct berval *)slapi_value_get_berval(vals[0])) == 0 ) {
a2f18f
+						pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL);
a2f18f
 						slapi_entry_free( e ); 
a2f18f
 						return ( 1 );
a2f18f
 					}
a2f18f
-				} else 
a2f18f
-				{
a2f18f
-					if ( slapi_pw_find_sv ( va, vals[0] ) == 0 )
a2f18f
-					{
a2f18f
-						pw_send_ldap_result ( pb, 
a2f18f
-										   LDAP_CONSTRAINT_VIOLATION ,NULL,
a2f18f
-										   "password in history", 0, NULL);
a2f18f
+				} else {
a2f18f
+					if ( slapi_pw_find_sv ( va, vals[0] ) == 0 ) {
a2f18f
+						pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL);
a2f18f
 						slapi_entry_free( e ); 
a2f18f
 						return ( 1 );
a2f18f
 					}
a2f18f
@@ -1086,68 +1079,112 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
a2f18f
 
a2f18f
 }
a2f18f
 
a2f18f
+/*
a2f18f
+ * Basically, h0 and h1 must be longer than GENERALIZED_TIME_LENGTH.
a2f18f
+ */
a2f18f
+static int
a2f18f
+pw_history_cmp(const void *h0, const void *h1)
a2f18f
+{
a2f18f
+	size_t h0sz = 0;
a2f18f
+	size_t h1sz = 0;
a2f18f
+	if (!h0) {
a2f18f
+		if (!h1) {
a2f18f
+			return 0;
a2f18f
+		} else {
a2f18f
+			return -1;
a2f18f
+		}
a2f18f
+	} else {
a2f18f
+		if (!h1) {
a2f18f
+			return 1;
a2f18f
+		} else {
a2f18f
+			size_t delta;
a2f18f
+			h0sz = strlen(h0);
a2f18f
+			h1sz = strlen(h1);
a2f18f
+			delta = h0sz - h1sz;
a2f18f
+			if (!delta) {
a2f18f
+				return delta;
a2f18f
+			}
a2f18f
+			if (h0sz < GENERALIZED_TIME_LENGTH) {
a2f18f
+				/* too short for the history str. */
a2f18f
+				return 0;
a2f18f
+			}
a2f18f
+		}
a2f18f
+	}
a2f18f
+	return PL_strncmp(h0, h1, GENERALIZED_TIME_LENGTH);
a2f18f
+}
a2f18f
+
a2f18f
+
a2f18f
 static int
a2f18f
 update_pw_history( Slapi_PBlock *pb, const Slapi_DN *sdn, char *old_pw )
a2f18f
 {
a2f18f
-	time_t 		t, old_t, cur_time;
a2f18f
-	int 		i = 0, oldest = 0;
a2f18f
-	int res;
a2f18f
-	Slapi_Entry		*e;
a2f18f
-	Slapi_Attr 	*attr;
a2f18f
+	time_t cur_time;
a2f18f
+	int res = 1; /* no update, by default */
a2f18f
+	Slapi_Entry *e = NULL;
a2f18f
 	LDAPMod 	attribute;
a2f18f
-	char 		*values_replace[25]; /* 2-24 passwords in history */
a2f18f
 	LDAPMod 	*list_of_mods[2];
a2f18f
 	Slapi_PBlock 	mod_pb;
a2f18f
-	char		*history_str;
a2f18f
-	char		*str;
a2f18f
+	char		*str = NULL;
a2f18f
 	passwdPolicy *pwpolicy = NULL;
a2f18f
 	const char *dn = slapi_sdn_get_dn(sdn);
a2f18f
+	char **values_replace = NULL;
a2f18f
+	int vacnt = 0;
a2f18f
+	int vacnt_todelete = 0;
a2f18f
 
a2f18f
 	pwpolicy = new_passwdPolicy(pb, dn);
a2f18f
 
a2f18f
 	/* retrieve the entry */
a2f18f
 	e = get_entry ( pb, dn );
a2f18f
 	if ( e == NULL ) {
a2f18f
-		return ( 1 );
a2f18f
+		return res;
a2f18f
 	}
a2f18f
 
a2f18f
-	history_str = (char *)slapi_ch_malloc(GENERALIZED_TIME_LENGTH + strlen(old_pw) + 1);
a2f18f
-	/* get password history, and find the oldest password in history */
a2f18f
-	cur_time = current_time ();
a2f18f
-	old_t = cur_time;
a2f18f
-	str = format_genTime ( cur_time );
a2f18f
-	attr = attrlist_find(e->e_attrs, "passwordHistory");
a2f18f
-	if (attr && !valueset_isempty(&attr->a_present_values))
a2f18f
-	{
a2f18f
-		Slapi_Value **va= valueset_get_valuearray(&attr->a_present_values);
a2f18f
-		for ( i = oldest = 0 ; 
a2f18f
-			  (va[i] != NULL) && (slapi_value_get_length(va[i]) > 0) ;
a2f18f
-			  i++ ) {
a2f18f
-
a2f18f
-			values_replace[i] = (char*)slapi_value_get_string(va[i]);
a2f18f
-			strncpy( history_str, values_replace[i], GENERALIZED_TIME_LENGTH);
a2f18f
-			history_str[GENERALIZED_TIME_LENGTH] = '\0';
a2f18f
-			if (history_str[GENERALIZED_TIME_LENGTH - 1] != 'Z'){
a2f18f
-				/* The time is not a generalized Time. Probably a password history from 4.x */
a2f18f
-				history_str[GENERALIZED_TIME_LENGTH - 1] = '\0';
a2f18f
-			}
a2f18f
-			t = parse_genTime ( history_str ); 
a2f18f
-			if ( difftime ( t, old_t ) < 0 ) {
a2f18f
-				oldest = i;
a2f18f
-				old_t = t;
a2f18f
-			}
a2f18f
+	/* get password history */
a2f18f
+	values_replace = slapi_entry_attr_get_charray_ext(e, "passwordHistory", &vacnt);
a2f18f
+	if (old_pw) {
a2f18f
+		/* we have a password to replace with the oldest one in the history. */
a2f18f
+		if (!values_replace || !vacnt) { /* This is the first one to store */
a2f18f
+			values_replace = (char **)slapi_ch_calloc(2, sizeof(char *));
a2f18f
 		}
a2f18f
+	} else {
a2f18f
+		/* we are checking the history size if it stores more than the current inhistory count. */
a2f18f
+		if (!values_replace || !vacnt) { /* nothing to revise */
a2f18f
+			res = 1;
a2f18f
+			goto bail;
a2f18f
+		}
a2f18f
+		/* 
a2f18f
+		 * If revising the passwords in the passwordHistory values
a2f18f
+		 * and the password count in the value array is less than the inhistory,
a2f18f
+		 * we have nothing to do.
a2f18f
+		 */
a2f18f
+		if (vacnt <= pwpolicy->pw_inhistory) {
a2f18f
+			res = 1;
a2f18f
+			goto bail;
a2f18f
+		}
a2f18f
+		vacnt_todelete = vacnt - pwpolicy->pw_inhistory;
a2f18f
 	}
a2f18f
-	strcpy ( history_str, str );
a2f18f
-	strcat ( history_str, old_pw );
a2f18f
-	if ( i >= pwpolicy->pw_inhistory ) {
a2f18f
-		/* replace the oldest password in history */
a2f18f
-		values_replace[oldest] = history_str;
a2f18f
-		values_replace[pwpolicy->pw_inhistory] = NULL;
a2f18f
+
a2f18f
+	cur_time = current_time();
a2f18f
+	str = format_genTime(cur_time);
a2f18f
+	/* values_replace is sorted. */
a2f18f
+	if (old_pw) {
a2f18f
+		if ( vacnt >= pwpolicy->pw_inhistory ) {
a2f18f
+			slapi_ch_free_string(&values_replace[0]);
a2f18f
+			values_replace[0] = slapi_ch_smprintf("%s%s", str, old_pw);
a2f18f
+		} else {
a2f18f
+			/* add old_pw at the end of password history */
a2f18f
+			values_replace = (char **)slapi_ch_realloc((char *)values_replace, sizeof(char *) * (vacnt + 2));
a2f18f
+			values_replace[vacnt] = slapi_ch_smprintf("%s%s", str, old_pw);
a2f18f
+			values_replace[vacnt+1] = NULL;
a2f18f
+		}
a2f18f
+		qsort((void *)values_replace, vacnt, (size_t)sizeof(char *), pw_history_cmp);
a2f18f
 	} else {
a2f18f
-		/* add old_pw at the end of password history */
a2f18f
-		values_replace[i] =  history_str;
a2f18f
-		values_replace[++i]=NULL;
a2f18f
+		int i;
a2f18f
+		/* vacnt > pwpolicy->pw_inhistory */
a2f18f
+		for (i = 0; i < vacnt_todelete; i++) {
a2f18f
+			slapi_ch_free_string(&values_replace[i]);
a2f18f
+		}
a2f18f
+		memmove(values_replace, values_replace + vacnt_todelete, sizeof(char *) * pwpolicy->pw_inhistory);
a2f18f
+		values_replace[pwpolicy->pw_inhistory] = NULL;
a2f18f
 	}
a2f18f
 
a2f18f
 	/* modify the attribute */
a2f18f
@@ -1159,21 +1196,19 @@ update_pw_history( Slapi_PBlock *pb, const Slapi_DN *sdn, char *old_pw )
a2f18f
 	list_of_mods[1] = NULL;
a2f18f
 
a2f18f
 	pblock_init(&mod_pb);
a2f18f
-	slapi_modify_internal_set_pb_ext(&mod_pb, sdn, list_of_mods, NULL, NULL, 
a2f18f
-								 pw_get_componentID(), 0);
a2f18f
+	slapi_modify_internal_set_pb_ext(&mod_pb, sdn, list_of_mods, NULL, NULL, pw_get_componentID(), 0);
a2f18f
 	slapi_modify_internal_pb(&mod_pb);
a2f18f
 	slapi_pblock_get(&mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &res;;
a2f18f
 	if (res != LDAP_SUCCESS){
a2f18f
 		LDAPDebug2Args(LDAP_DEBUG_ANY,
a2f18f
 		    "WARNING: passwordPolicy modify error %d on entry '%s'\n", res, dn);
a2f18f
 	}
a2f18f
-
a2f18f
 	pblock_done(&mod_pb);
a2f18f
-
a2f18f
-	slapi_ch_free((void **) &str );
a2f18f
-	slapi_ch_free((void **) &history_str );
a2f18f
+	slapi_ch_free_string(&str);
a2f18f
+bail:
a2f18f
+	slapi_ch_array_free(values_replace);
a2f18f
 	slapi_entry_free( e );
a2f18f
-	return 0;
a2f18f
+	return res;
a2f18f
 }
a2f18f
 
a2f18f
 static
a2f18f
-- 
a2f18f
1.9.3
a2f18f