Blame SOURCES/0039-Ticket-49474-sasl-allow-mechs-does-not-operate-corre.patch
From bfaf5b56bb1a416c5e058a9925642098c87e0330 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Thu, 30 Nov 2017 14:06:59 +0100
Subject: [PATCH] Ticket 49474 - sasl allow mechs does not operate correctly
Bug Description:  In a fix to sasl allowed mechs, the logic
was not properly configured.
Fix Description:  Alter the ids_sasl_supported_mech to be
clearer and simpler in its design.
https://pagure.io/389-ds-base/issue/49474
Author: wibrown
Review by: tbordaz (Thank you!)
Cherry picked from f75cfbce07b79272a7f1a2e387dc232d45c169f5
---
 ldap/servers/slapd/saslbind.c | 49 ++++++++-----------------------------------
 1 file changed, 9 insertions(+), 40 deletions(-)
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 6734c32a7..67da97148 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -835,52 +835,21 @@ ids_sasl_listmech(Slapi_PBlock *pb)
 static int
 ids_sasl_mech_supported(Slapi_PBlock *pb, const char *mech)
 {
-    int i, ret = 0;
-    char **mechs;
-    char **allowed_mechs = NULL;
-    char *dupstr;
-    const char *str;
-    int sasl_result = 0;
-    Connection *pb_conn = NULL;
-
-    slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-    sasl_conn_t *sasl_conn = (sasl_conn_t *)pb_conn->c_sasl_conn;
     slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_mech_supported", "=>\n");
 
-    /* sasl_listmech is not thread-safe - caller must lock pb_conn */
-    sasl_result = sasl_listmech(sasl_conn,
-                                NULL, /* username */
-                                "", ",", "",
-                                &str, NULL, NULL);
-    if (sasl_result != SASL_OK) {
-        return 0;
-    }
-
-    dupstr = slapi_ch_strdup(str);
-    mechs = slapi_str2charray(dupstr, ",");
-    allowed_mechs = config_get_allowed_sasl_mechs_array();
+    char **allowed_mechs = ids_sasl_listmech(pb);
 
-    for (i = 0; mechs[i] != NULL; i++) {
-        if (strcasecmp(mech, mechs[i]) == 0) {
-            if (allowed_mechs) {
-                if (charray_inlist(allowed_mechs, (char *)mech) == 0) {
-                    ret = 1;
-                }
-                break;
-            } else {
-                ret = 1;
-                break;
-            }
-        }
+    /* 0 indicates "now allowed" */
+    int allowed_mech_present = 0;
+    if (allowed_mechs != NULL) {
+        /* Returns 1 if present and allowed. */
+        allowed_mech_present = charray_inlist(allowed_mechs, (char *)mech);
+        charray_free(allowed_mechs);
     }
 
-    charray_free(allowed_mechs);
-    charray_free(mechs);
-    slapi_ch_free((void **)&dupstr);
-
     slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_mech_supported", "<=\n");
 
-    return ret;
+    return allowed_mech_present;
 }
 
 /*
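Review bot: The comment `/* 0 indicates "now allowed" */` added above the `allowed_mech_present` declaration says the opposite of what the code does and should read `/* 0 indicates "not allowed" */`. The rewrite also drops the old `sasl_listmech is not thread-safe - caller must lock pb_conn` comment even though the call site in the second hunk still says the function must be called while holding the pb_conn lock, so the locking contract should be restated on this function, e.g. `/* Caller must hold the pb_conn lock: ids_sasl_listmech() presumably reaches sasl_listmech(), which is not thread-safe. */`. Behaviour when `ids_sasl_listmech(pb)` returns NULL is now a rejection (returns 0), whereas the old code treated a missing allow-list as "any library-supported mechanism is accepted"; failing closed is the safer default, but it is worth confirming that ids_sasl_listmech returns NULL only on failure and not when no allow-list is configured. The old loop matched mechanism names with `strcasecmp`; whether `charray_inlist` compares case-insensitively is not visible here and should be checked so mixed-case mechanism names keep working.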
@@ -944,7 +913,7 @@ ids_sasl_check_bind(Slapi_PBlock *pb)
      * different error code to SASL_NOMECH.  Must be called
      * while holding the pb_conn lock
      */
-    if (!ids_sasl_mech_supported(pb, mech)) {
+    if (ids_sasl_mech_supported(pb, mech) == 0) {
         rc = SASL_NOMECH;
         goto sasl_check_result;
     }
-- 
2.13.6