Blob Blame Raw
From e5de803f4ab1b097c637c269fcc8b567e664c00d Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Fri, 28 Nov 2014 14:23:06 +0100
Subject: [PATCH 31/53] Fix for CVE-2014-8112

	If the unhashed pw switch is set to off this should only
        prevent the generation of the unhashed#user#password
	attribute.
	But encoding of pw values and detiecetion which values have
	to be deleted needs to stay intact.
	So the check if the switch is set has to be placed close to
        the generation of the attribute in different 'if' branches

Reviewed by Noriko, thanks
---
 ldap/servers/plugins/retrocl/retrocl_po.c |  6 +++++
 ldap/servers/slapd/modify.c               | 39 +++++++++++++++++--------------
 2 files changed, 28 insertions(+), 17 deletions(-)

diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c b/ldap/servers/plugins/retrocl/retrocl_po.c
index 4b2cdda..3f8af81 100644
--- a/ldap/servers/plugins/retrocl/retrocl_po.c
+++ b/ldap/servers/plugins/retrocl/retrocl_po.c
@@ -101,6 +101,12 @@ static lenstr *make_changes_string(LDAPMod **ldm, const char **includeattrs)
 		continue;
 	    }
 	}
+	if (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch()) {
+		if (0 == strcasecmp(ldm[ i ]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)) {
+			/* If nsslapd-unhashed-pw-switch == nolog, skip writing it to cl. */
+			continue;
+		}
+	}
 	switch ( ldm[ i ]->mod_op  & ~LDAP_MOD_BVALUES ) {
 	case LDAP_MOD_ADD:
 	    addlenstr( l, "add: " );
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index fb0fdde..de44fd3 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -836,8 +836,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 	 * before calling the preop plugins
 	 */
 
-	if (pw_change && !repl_op &&
-	    (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())) {
+	if (pw_change && !repl_op ) {
 		Slapi_Value **va = NULL;
 
 		unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
@@ -907,13 +906,15 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 						 *  Finally, delete the unhashed userpassword
 						 *  (this will update the password entry extension)
 						 */
-						bval.bv_val = password;
-						bval.bv_len = strlen(password);
-						bv[0] = &bval;
-						bv[1] = NULL;
-						valuearray_init_bervalarray(bv, &va);
-						slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
-						valuearray_free(&va);
+						if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+							bval.bv_val = password;
+							bval.bv_len = strlen(password);
+							bv[0] = &bval;
+							bv[1] = NULL;
+							valuearray_init_bervalarray(bv, &va);
+							slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+							valuearray_free(&va);
+						}
 					} else {
 						/*
 						 *  Password is encoded, try and find a matching unhashed_password to delete
@@ -945,19 +946,23 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 								if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
 									if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){
 										/* match, add the delete mod for this particular unhashed userpassword */
-										valuearray_init_bervalarray(bv, &va);
-										slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
-										valuearray_free(&va);
-										free_pw_scheme( unhashed_pwsp );
+										if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+										    valuearray_init_bervalarray(bv, &va);
+										    slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+										    valuearray_free(&va);
+										    free_pw_scheme( unhashed_pwsp );
+										}
 										break;
 									}
 								} else {
 									/*
 									 *  We have a hashed unhashed_userpassword!  We must delete it.
 									 */
-									valuearray_init_bervalarray(bv, &va);
-									slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
-									valuearray_free(&va);
+									if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+										valuearray_init_bervalarray(bv, &va);
+										slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+										valuearray_free(&va);
+									}
 								}
 								free_pw_scheme( unhashed_pwsp );
 							}
@@ -972,7 +977,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 				if (remove_unhashed_pw && !slapi_entry_attr_find(e, unhashed_pw_attr, &a)){
 					slapi_mods_add_mod_values(&smods, pw_mod->mod_op,unhashed_pw_attr, va);
 				}
-			} else {
+			} else if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
 				/* add pseudo password attribute */
 				valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);
 				if(va && va[0]){
-- 
1.9.3