From e40a6ef764f13b6efcf573a6181b6747bb029b90 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 24 Mar 2016 09:46:11 -0400
Subject: [PATCH] Ticket 47888 - DES to AES password conversion fails if a
 backend is empty
Bug Description:  The process of converting DES passwords to AES can incorrectly
                  disable the DES plugin if an error is encountered.  In this case
                  it was because a backend was defined but was missing the top entry
                  which led to an error 32 when searching for DES passwords.  This
                  causes the existing DES passwords to fail to decode.
Fix Description:  There are two issues here.  One, we should ignore errors when
                  searching all the backends for passwords.  Two, we should only
                  disable the DES plugin if all the DES passwords were successfully
                  converted.
https://fedorahosted.org/389/ticket/48777
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 6b7f980e80af3803bc395e50bd4228ded9bceb00)
(cherry picked from commit c6eaf691c6ff3330dc1a3dcbf4dcc31af52c2919)
---
 ldap/servers/slapd/daemon.c | 53 ++++++++++++++++++++++-----------------------
 1 file changed, 26 insertions(+), 27 deletions(-)
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
ed6197
index d25c44d..d702129 100644
ed6197
--- a/ldap/servers/slapd/daemon.c
ed6197
+++ b/ldap/servers/slapd/daemon.c
ed6197
@@ -694,7 +694,8 @@ convert_pbe_des_to_aes()
ed6197
     char **attrs = NULL;
ed6197
     char **backends = NULL;
ed6197
     char *val = NULL;
ed6197
-    int converted_des = 0;
ed6197
+    int converted_des_passwd = 0;
ed6197
+    int disable_des = 1;
ed6197
     int result = -1;
ed6197
     int have_aes = 0;
ed6197
     int have_des = 0;
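Review bot: `disable_des` on the added declaration line is initialised to 1 and is only ever cleared on the failure paths in the later hunks, so any future error path that forgets to clear it defaults to disabling the DES plugin; a comment on the declaration would make that contract explicit. Suggest `int disable_des = 1; /* cleared by any decode/convert failure; DES plugin is disabled only if still set at done */` and `int converted_des_passwd = 0; /* set once at least one DES password was rewritten as AES */`. The function's signature and the rest of its locals are outside the hunk.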
ed6197
@@ -739,7 +740,7 @@ convert_pbe_des_to_aes()
ed6197
         char *cookie = NULL;
ed6197
 
ed6197
         LDAPDebug(LDAP_DEBUG_ANY, "convert_pbe_des_to_aes:  "
ed6197
-                "Converting DES passwords to AES...\n",0,0,0);
ed6197
+                "Checking for DES passwords to convert to AES...\n",0,0,0);
ed6197
 
ed6197
         be = slapi_get_first_backend(&cookie);
ed6197
         while (be){
ed6197
@@ -777,10 +778,13 @@ convert_pbe_des_to_aes()
ed6197
                 slapi_search_internal_pb(pb);
ed6197
                 slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
ed6197
                 if (LDAP_SUCCESS != result) {
ed6197
-                    LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
ed6197
-                            "failed to search for password on (%s) error (%d)\n",
ed6197
-                            backends[be_idx], result, 0);
ed6197
-                    goto done;
ed6197
+                    slapi_log_error(SLAPI_LOG_TRACE, "convert_pbe_des_to_aes: ",
ed6197
+                        "Failed to search for password attribute (%s) error (%d), skipping suffix (%s)\n",
ed6197
+                        attrs[i], result, backends[be_idx]);
ed6197
+                    slapi_free_search_results_internal(pb);
ed6197
+                    slapi_pblock_destroy(pb);
ed6197
+                    pb = NULL;
ed6197
+                    continue;
ed6197
                 }
ed6197
                 slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
ed6197
                 for (ii = 0; entries && entries[ii]; ii++){
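Review bot: The new `continue` branch for a failed `slapi_search_internal_pb` treats every non-success result the same way and leaves `disable_des` set, so a suffix that fails for any reason other than the missing top entry (error 32 in the ticket) is dropped while `converted_des_passwd && disable_des` in the later `done:` hunk can still disable the DES plugin; any DES-encoded value left in the skipped suffix then fails to decode, which is the very failure this ticket is fixing. Only the LDAP_NO_SUCH_OBJECT case matches the "empty backend" scenario; other results should clear `disable_des` so the plugin stays enabled. The failure is also logged at SLAPI_LOG_TRACE, which is not on by default, so the later "No DES passwords found to convert." and "All DES passwords have been converted to AES." messages can be emitted with no visible record of the skipped suffix; logging it at the same SLAPI_LOG_FATAL level the commit uses for the summary keeps the cause visible. The enclosing function and the loop this `continue` re-enters start outside the hunk, so I am assuming the loop header allocates a fresh `pb` after it is set to NULL here.
```c
                if (LDAP_SUCCESS != result) {
                    if (result != LDAP_NO_SUCH_OBJECT) {
                        /* Not the empty-backend case: an unconverted DES
                         * password may remain in this suffix, keep the DES plugin. */
                        disable_des = 0;
                    }
                    slapi_log_error(SLAPI_LOG_FATAL, "convert_pbe_des_to_aes",
                        "Failed to search for password attribute (%s) error (%d), skipping suffix (%s)\n",
                        attrs[i], result, backends[be_idx]);
                    /* … unchanged: free search results, destroy pb, continue … */
                }
```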
ed6197
@@ -799,9 +803,9 @@ convert_pbe_des_to_aes()
ed6197
                             /* decode the DES password */
ed6197
                             if(pw_rever_decode(val, &passwd, attrs[i]) == -1){
ed6197
                                 LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
ed6197
-                                        "failed to decode existing DES password for (%s)\n",
ed6197
+                                        "Failed to decode existing DES password for (%s)\n",
ed6197
                                         slapi_entry_get_dn(entries[ii]), 0, 0);
ed6197
-                                converted_des = 0;
ed6197
+                                disable_des = 0;
ed6197
                                 goto done;
ed6197
                             }
ed6197
 
ed6197
@@ -813,7 +817,7 @@ convert_pbe_des_to_aes()
ed6197
                                         slapi_entry_get_dn(entries[ii]), 0, 0);
ed6197
                                 slapi_ch_free_string(&passwd);
ed6197
                                 slapi_value_free(&sval);
ed6197
-                                converted_des = 0;
ed6197
+                                disable_des = 0;
ed6197
                                 goto done;
ed6197
                             }
ed6197
 
ed6197
@@ -834,22 +838,18 @@ convert_pbe_des_to_aes()
ed6197
                             slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
ed6197
                             if (LDAP_SUCCESS != result) {
ed6197
                                 LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
ed6197
-                                        "failed to convert password for (%s) error (%d)\n",
ed6197
+                                        "Failed to convert password for (%s) error (%d)\n",
ed6197
                                         slapi_entry_get_dn(entries[ii]), result, 0);
ed6197
-                                converted_des = -1;
ed6197
+                                disable_des = 0;
ed6197
                             } else {
ed6197
                                 LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
ed6197
-                                        "successfully converted password for (%s)\n",
ed6197
+                                        "Successfully converted password for (%s)\n",
ed6197
                                          slapi_entry_get_dn(entries[ii]), result, 0);
ed6197
-                                converted_des = 1;
ed6197
-
ed6197
+                                converted_des_passwd = 1;
ed6197
                             }
ed6197
                             slapi_ch_free_string(&passwd);
ed6197
                             slapi_value_free(&sval);
ed6197
                             slapi_pblock_destroy(mod_pb);
ed6197
-                            if(result){
ed6197
-                                goto done;
ed6197
-                            }
ed6197
                         }
ed6197
                         slapi_ch_free_string(&val;;
ed6197
                     }
ed6197
@@ -860,6 +860,10 @@ convert_pbe_des_to_aes()
ed6197
             }
ed6197
             slapi_ch_free_string(&filter);
ed6197
         }
ed6197
+        if (!converted_des_passwd){
ed6197
+            slapi_log_error(SLAPI_LOG_FATAL, "convert_pbe_des_to_aes",
ed6197
+                "No DES passwords found to convert.\n");
ed6197
+        }
ed6197
     }
ed6197
 
ed6197
 done:
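Review bot: The new summary message uses `slapi_log_error(SLAPI_LOG_FATAL, "convert_pbe_des_to_aes", ...)` while the rest of the function, including the messages this commit edits in the other hunks, uses `LDAPDebug(LDAP_DEBUG_ANY, "convert_pbe_des_to_aes: " ...)`, and the search-failure message added earlier passes the subsystem as `"convert_pbe_des_to_aes: "` with a trailing colon and space; the three spellings give one routine visibly different log prefixes. Pick one API and one subsystem string for the function and use it at both new call sites. This message is also reached when every suffix search was skipped by the earlier hunk rather than actually searched, so "found" may overstate what was checked; `"No DES passwords were converted.\n"` is accurate in both cases. The enclosing function starts outside the hunk.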
ed6197
@@ -870,9 +874,9 @@ done:
ed6197
 
ed6197
     if (have_aes && have_des){
ed6197
         /*
ed6197
-         * If a conversion attempt did not fail, disable DES plugin
ed6197
+         * If a conversion attempt did not fail then we can disable the DES plugin
ed6197
          */
ed6197
-        if(converted_des != -1){
ed6197
+        if(converted_des_passwd && disable_des){
ed6197
             /*
ed6197
              * Disable the DES plugin - this also prevents potentially expensive
ed6197
              * searches at every server startup.
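Review bot: The rewritten comment still describes only the `disable_des` half of the new condition `if(converted_des_passwd && disable_des)`; the `converted_des_passwd` operand means the DES plugin is now left in place when nothing was converted, which the old `converted_des != -1` test did not do, and nothing at this site says why that matters. Suggest replacing the comment block with `/* Only disable the DES plugin when at least one DES password was converted and no decode or conversion attempt failed; disabling it earlier would leave DES-encoded values that can no longer be decoded. */`. The enclosing function starts outside the hunk.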
ed6197
@@ -905,14 +909,9 @@ done:
ed6197
                         des_dn, 0, 0);
ed6197
             }
ed6197
             slapi_pblock_destroy(pb);
ed6197
-        }
ed6197
-        if(converted_des == 1){
ed6197
-             LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
ed6197
-                    "Finished - all DES passwords have been converted to AES.\n",
ed6197
-                    0, 0, 0);
ed6197
-        } else if (converted_des == 0){
ed6197
-            LDAPDebug(LDAP_DEBUG_ANY, "convert_pbe_des_to_aes:  "
ed6197
-                    "Finished - no DES passwords to convert.\n",0,0,0);
ed6197
+            LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
ed6197
+                      "All DES passwords have been converted to AES.\n",
ed6197
+                      0, 0, 0);
ed6197
         }
ed6197
     }
ed6197
 }
-- 
2.4.3