From 58b738e455355344acbfcac556600b2e19ade1a3 Mon Sep 17 00:00:00 2001

From: Mark Reynolds <mreynolds@redhat.com>

Date: Mon, 2 Dec 2013 17:13:55 -0500

Subject: [PATCH 63/65] Ticket 47614 - Possible to specify invalid SASL

 mechanism in nsslapd-allowed-sasl-mechanisms

Bug Description:  Invalid values could be specified in the allowed sasl mechanisms configuration

                  attribute.  These values are directly passed to the sasl library.

Fix Description:  Follow RFR 4422, only allow upto 20 characters that are ASCII upper-case letters,

                  digits, hyphens, or underscores.

https://fedorahosted.org/389/ticket/47614

Reviewed by: richm(Thanks!)

(cherry picked from commit 7e8a5fc7183f7c08212bfb746ea8c5ceedee0132)

(cherry picked from commit f00321f892545d59e07c1a944936153660640e47)

---

 ldap/servers/slapd/libglobs.c | 60 +++++++++++++++++++++++++++++++++++++++++++

 1 file changed, 60 insertions(+)

diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c

index b925a2c..a763135 100644

--- a/ldap/servers/slapd/libglobs.c

+++ b/ldap/servers/slapd/libglobs.c

@@ -126,6 +126,7 @@ static int config_set_onoff( const char *attrname, char *value,

 static int config_set_schemareplace ( const char *attrname, char *value,

 		char *errorbuf, int apply );

 static void remove_commas(char *str);

+static int invalid_sasl_mech(char *str);

 /* Keeping the initial values */

 /* CONFIG_INT/CONFIG_LONG */

@@ -6768,6 +6769,13 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf,

     /* cyrus sasl doesn't like comma separated lists */

     remove_commas(value);

+    if(invalid_sasl_mech(value)){

+        LDAPDebug(LDAP_DEBUG_ANY,"Invalid value/character for sasl mechanism (%s).  Use ASCII "

+                                 "characters, upto 20 characters, that are upper-case letters, "

+                                 "digits, hyphens, or underscores\n", value, 0, 0);

+        return LDAP_UNWILLING_TO_PERFORM;

+    }

+

     CFG_LOCK_WRITE(slapdFrontendConfig);

     slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);

     CFG_UNLOCK_WRITE(slapdFrontendConfig);

@@ -7452,3 +7460,55 @@ remove_commas(char *str)

         }

     }

 }

+

+/*

+ * Check the SASL mechanism values

+ *

+ * As per RFC 4422:

+ * SASL mechanisms are named by character strings, from 1 to 20

+ * characters in length, consisting of ASCII [ASCII] uppercase letters,

+ * digits, hyphens, and/or underscores.

+ */

+static int

+invalid_sasl_mech(char *str)

+{

+    char *mech = NULL, *token = NULL, *next = NULL;

+    int i;

+

+    if(str == NULL){

+        return 0;

+    }

+

+    /*

+     * Check the length for each mechanism

+     */

+    token = slapi_ch_strdup(str);

+    for (mech = ldap_utf8strtok_r(token, " ", &next;; mech;

+         mech = ldap_utf8strtok_r(NULL, " ", &next))

+    {

+        if(strlen(mech) == 0 || strlen(mech) > 20){

+            /* invalid length */

+            slapi_ch_free_string(&token);

+            return 1;

+        }

+    }

+    slapi_ch_free_string(&token);

+

+    /*

+     * Check the individual characters

+     */

+    for (i = 0; str[i]; i++){

+        if ( ((int)str[i] < 48 || (int)str[i] > 57) && /* not a digit */

+             ((int)str[i] < 65 || (int)str[i] > 90) && /* not upper case */

+             (int)str[i] != 32 && /* not a space (between mechanisms) */

+             (int)str[i] != 45 && /* not a hyphen */

+             (int)str[i] != 95 ) /* not an underscore */

+        {

+            /* invalid character */

+            return 1;

+        }

+    }

+

+    /* Mechanism value is valid */

+    return 0;

+}

-- 

1.8.1.4