From e5de803f4ab1b097c637c269fcc8b567e664c00d Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Fri, 28 Nov 2014 14:23:06 +0100
Subject: [PATCH 31/53] Fix for CVE-2014-8112
	If the unhashed pw switch is set to off this should only
        prevent the generation of the unhashed#user#password
	attribute.
	But encoding of pw values and detection of which values have
	to be deleted needs to stay intact.
	So the check if the switch is set has to be placed close to
        the generation of the attribute in different 'if' branches
Reviewed by Noriko, thanks
---
 ldap/servers/plugins/retrocl/retrocl_po.c |  6 +++++
 ldap/servers/slapd/modify.c               | 39 +++++++++++++++++--------------
 2 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c b/ldap/servers/plugins/retrocl/retrocl_po.c
f92ce9
index 4b2cdda..3f8af81 100644
f92ce9
--- a/ldap/servers/plugins/retrocl/retrocl_po.c
f92ce9
+++ b/ldap/servers/plugins/retrocl/retrocl_po.c
f92ce9
@@ -101,6 +101,12 @@ static lenstr *make_changes_string(LDAPMod **ldm, const char **includeattrs)
f92ce9
 		continue;
f92ce9
 	    }
f92ce9
 	}
f92ce9
+	if (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch()) {
f92ce9
+		if (0 == strcasecmp(ldm[ i ]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)) {
f92ce9
+			/* If nsslapd-unhashed-pw-switch == nolog, skip writing it to cl. */
f92ce9
+			continue;
f92ce9
+		}
f92ce9
+	}
f92ce9
 	switch ( ldm[ i ]->mod_op  & ~LDAP_MOD_BVALUES ) {
f92ce9
 	case LDAP_MOD_ADD:
f92ce9
 	    addlenstr( l, "add: " );
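Review bot: The guard added in make_changes_string skips the PSEUDO_ATTR_UNHASHEDUSERPASSWORD mod only when the switch equals SLAPD_UNHASHED_PW_NOLOG, so a mod carrying that attribute would still be written to the retro changelog when the switch is SLAPD_UNHASHED_PW_OFF. Whether such a mod can reach this loop with the switch off is not visible here (a replicated operation, which modify.c excludes via `!repl_op`, is one candidate to confirm). Since both settings mean the clear-text value must not be persisted, the condition could cover both: `int sw = slapi_config_get_unhashed_pw_switch();` followed by `if (SLAPD_UNHASHED_PW_NOLOG == sw || SLAPD_UNHASHED_PW_OFF == sw) {`. The switch value does not depend on the mod being examined, so it can be read once before the loop, which starts outside this hunk.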
f92ce9
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
f92ce9
index fb0fdde..de44fd3 100644
f92ce9
--- a/ldap/servers/slapd/modify.c
f92ce9
+++ b/ldap/servers/slapd/modify.c
f92ce9
@@ -836,8 +836,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
f92ce9
 	 * before calling the preop plugins
f92ce9
 	 */
f92ce9
 
f92ce9
-	if (pw_change && !repl_op &&
f92ce9
-	    (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())) {
f92ce9
+	if (pw_change && !repl_op ) {
f92ce9
 		Slapi_Value **va = NULL;
f92ce9
 
f92ce9
 		unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
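Review bot: Dropping the switch test from this condition means the same `SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()` comparison is now repeated in four places further down in op_shared_modify: the clear-text delete branch, both branches of the scheme comparison, and the final `else if`. Reading it once here, e.g. `const int gen_unhashed_pw = (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch());` next to `Slapi_Value **va = NULL;`, and testing `gen_unhashed_pw` in those branches keeps one operation on a single view of the setting. A short comment on the `if` saying that the block still runs with the switch off because password encoding and delete detection must happen regardless would record the intent of the fix. The block continues outside this hunk.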
f92ce9
@@ -907,13 +906,15 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
f92ce9
 						 *  Finally, delete the unhashed userpassword
f92ce9
 						 *  (this will update the password entry extension)
f92ce9
 						 */
f92ce9
-						bval.bv_val = password;
f92ce9
-						bval.bv_len = strlen(password);
f92ce9
-						bv[0] = &bval;
f92ce9
-						bv[1] = NULL;
f92ce9
-						valuearray_init_bervalarray(bv, &va);
f92ce9
-						slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
f92ce9
-						valuearray_free(&va);
f92ce9
+						if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
f92ce9
+							bval.bv_val = password;
f92ce9
+							bval.bv_len = strlen(password);
f92ce9
+							bv[0] = &bval;
f92ce9
+							bv[1] = NULL;
f92ce9
+							valuearray_init_bervalarray(bv, &va);
f92ce9
+							slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
f92ce9
+							valuearray_free(&va);
f92ce9
+						}
f92ce9
 					} else {
f92ce9
 						/*
f92ce9
 						 *  Password is encoded, try and find a matching unhashed_password to delete
f92ce9
@@ -945,19 +946,23 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
f92ce9
 								if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
f92ce9
 									if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){
f92ce9
 										/* match, add the delete mod for this particular unhashed userpassword */
f92ce9
-										valuearray_init_bervalarray(bv, &va);
f92ce9
-										slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
f92ce9
-										valuearray_free(&va);
f92ce9
-										free_pw_scheme( unhashed_pwsp );
f92ce9
+										if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
f92ce9
+										    valuearray_init_bervalarray(bv, &va);
f92ce9
+										    slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
f92ce9
+										    valuearray_free(&va);
f92ce9
+										    free_pw_scheme( unhashed_pwsp );
f92ce9
+										}
f92ce9
 										break;
f92ce9
 									}
f92ce9
 								} else {
f92ce9
 									/*
f92ce9
 									 *  We have a hashed unhashed_userpassword!  We must delete it.
f92ce9
 									 */
f92ce9
-									valuearray_init_bervalarray(bv, &va);
f92ce9
-									slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
f92ce9
-									valuearray_free(&va);
f92ce9
+									if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
f92ce9
+										valuearray_init_bervalarray(bv, &va);
f92ce9
+										slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
f92ce9
+										valuearray_free(&va);
f92ce9
+									}
f92ce9
 								}
f92ce9
 								free_pw_scheme( unhashed_pwsp );
f92ce9
 							}
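Review bot: In the `CLEAR` match branch, `free_pw_scheme( unhashed_pwsp );` has moved inside the new switch test while the `break;` after it has not, so with the switch off the loop is left without releasing `unhashed_pwsp`. The `free_pw_scheme( unhashed_pwsp );` at the bottom of this block is skipped by the `break`, and before this change the free ran unconditionally ahead of it. Keep only the three value-array calls inside the `if` and put `free_pw_scheme( unhashed_pwsp );` after its closing `}`, directly before `break;`. The enclosing loop starts outside this hunk, so the exit path should be confirmed against the full function. The moved lines are also indented with four spaces where the rest of the block uses tabs.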
f92ce9
@@ -972,7 +977,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
f92ce9
 				if (remove_unhashed_pw && !slapi_entry_attr_find(e, unhashed_pw_attr, &a)){
f92ce9
 					slapi_mods_add_mod_values(&smods, pw_mod->mod_op,unhashed_pw_attr, va);
f92ce9
 				}
f92ce9
-			} else {
f92ce9
+			} else if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
f92ce9
 				/* add pseudo password attribute */
f92ce9
 				valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);
f92ce9
 				if(va && va[0]){
-- 
1.9.3