From e5de803f4ab1b097c637c269fcc8b567e664c00d Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Fri, 28 Nov 2014 14:23:06 +0100
Subject: [PATCH 31/53] Fix for CVE-2014-8112
If the unhashed pw switch is set to off this should only
prevent the generation of the unhashed#user#password
attribute.
But encoding of pw values and detection of which values have
to be deleted needs to stay intact.
So the check if the switch is set has to be placed close to
the generation of the attribute in different 'if' branches
Reviewed by Noriko, thanks
---
ldap/servers/plugins/retrocl/retrocl_po.c | 6 +++++
ldap/servers/slapd/modify.c | 39 +++++++++++++++++--------------
2 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c b/ldap/servers/plugins/retrocl/retrocl_po.c
index 4b2cdda..3f8af81 100644
--- a/ldap/servers/plugins/retrocl/retrocl_po.c
+++ b/ldap/servers/plugins/retrocl/retrocl_po.c
@@ -101,6 +101,12 @@ static lenstr *make_changes_string(LDAPMod **ldm, const char **includeattrs)
continue;
}
}
+ if (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch()) {
+ if (0 == strcasecmp(ldm[ i ]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)) {
+ /* If nsslapd-unhashed-pw-switch == nolog, skip writing it to cl. */
+ continue;
+ }
+ }
switch ( ldm[ i ]->mod_op & ~LDAP_MOD_BVALUES ) {
case LDAP_MOD_ADD:
addlenstr( l, "add: " );
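Review bot: `slapi_config_get_unhashed_pw_switch()` is called on every iteration of the mod loop in make_changes_string (the loop header is above the hunk), although the setting cannot change within one changelog write; read it once before the loop, `int pw_switch = slapi_config_get_unhashed_pw_switch();`, and fold the two nested ifs into `if (pw_switch == SLAPD_UNHASHED_PW_NOLOG && 0 == strcasecmp(ldm[i]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)) { continue; }`. The existing comment then sits on the single condition, which also reads more clearly as "never write the cleartext pseudo-attribute to the changelog in nolog mode". make_changes_string ends outside the hunk.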
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index fb0fdde..de44fd3 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -836,8 +836,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
* before calling the preop plugins
*/
- if (pw_change && !repl_op &&
- (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())) {
+ if (pw_change && !repl_op ) {
Slapi_Value **va = NULL;
unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
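Review bot: The new condition `if (pw_change && !repl_op ) {` carries a stray space before the closing parenthesis; write `if (pw_change && !repl_op) {`. Dropping the switch test here means the block now runs for every non-replicated password change, which is what the commit message asks for (encoding and deletion detection stay active whatever the switch says), so the only remaining point is the formatting. op_shared_modify starts before and ends after this hunk.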
@@ -907,13 +906,15 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
* Finally, delete the unhashed userpassword
* (this will update the password entry extension)
*/
- bval.bv_val = password;
- bval.bv_len = strlen(password);
- bv[0] = &bval;
- bv[1] = NULL;
- valuearray_init_bervalarray(bv, &va);
- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
- valuearray_free(&va);
+ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+ bval.bv_val = password;
+ bval.bv_len = strlen(password);
+ bv[0] = &bval;
+ bv[1] = NULL;
+ valuearray_init_bervalarray(bv, &va);
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+ valuearray_free(&va);
+ }
} else {
/*
* Password is encoded, try and find a matching unhashed_password to delete
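Review bot: `config_get_unhashed_pw_switch()` is now queried here and again at three more points of op_shared_modify (the CLEAR-match branch and the hashed-value branch in the next hunk, both inside a per-value loop, and the final `else if` in the last hunk); read it once near the top of the function into a local, `int unhashed_pw_switch = config_get_unhashed_pw_switch();`, and test `SLAPD_UNHASHED_PW_OFF != unhashed_pw_switch` at each site so the four checks are visibly the same decision and cannot observe different values of the setting within one operation. The comment block that ends at `*/` above still says "delete the unhashed userpassword" for work that is now skipped when the switch is off; a one-line comment inside the new condition, `/* the pseudo-attribute is only generated when the unhashed pw switch is not off */`, would keep it honest. op_shared_modify starts and ends outside the hunk.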
@@ -945,19 +946,23 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){
/* match, add the delete mod for this particular unhashed userpassword */
- valuearray_init_bervalarray(bv, &va);
- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
- valuearray_free(&va);
- free_pw_scheme( unhashed_pwsp );
+ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+ valuearray_init_bervalarray(bv, &va);
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+ valuearray_free(&va);
+ free_pw_scheme( unhashed_pwsp );
+ }
break;
}
} else {
/*
* We have a hashed unhashed_userpassword! We must delete it.
*/
- valuearray_init_bervalarray(bv, &va);
- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
- valuearray_free(&va);
+ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+ valuearray_init_bervalarray(bv, &va);
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+ valuearray_free(&va);
+ }
}
free_pw_scheme( unhashed_pwsp );
}
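Review bot: In the CLEAR-match branch, `free_pw_scheme( unhashed_pwsp );` was moved inside the new `SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()` condition, so when the switch is off a matching unhashed_pwsp is never released: the `break;` that follows leaves the loop before the unconditional `free_pw_scheme( unhashed_pwsp );` at the bottom of the body is reached, whereas the removed lines freed it on every match. Releasing the scheme is cleanup, not pseudo-attribute generation, so it belongs outside the condition: keep only the valuearray_init_bervalarray / slapi_mods_add_mod_values / valuearray_free lines under the switch test and place `free_pw_scheme( unhashed_pwsp );` directly before `break;`. This assumes unhashed_pwsp is allocated per iteration; its allocation sits above the hunk and should be checked. The enclosing loop and op_shared_modify both start and end outside the hunk.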
@@ -972,7 +977,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
if (remove_unhashed_pw && !slapi_entry_attr_find(e, unhashed_pw_attr, &a)){
slapi_mods_add_mod_values(&smods, pw_mod->mod_op,unhashed_pw_attr, va);
}
- } else {
+ } else if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
/* add pseudo password attribute */
valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);
if(va && va[0]){
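Review bot: Turning the plain `else` into `else if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())` means a password change with the switch off now takes neither branch, and nothing in the code says that this silent path is intended; a one-line note above the `else if`, such as `/* switch off: no unhashed#user#password pseudo-attribute is generated at all */`, would make the no-op deliberate for the next reader. Whether `va` is later consumed on that path cannot be seen from the hunk; the rest of the if/else chain and op_shared_modify continue outside it.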
--
1.9.3