From d2648bbddbf087c4e3803a89cb67541a50682eae Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Mon, 15 May 2017 09:04:45 +1000
Subject: [PATCH] Ticket 49231 - force EXTERNAL always
Bug Description: Because of how our sasl code works, EXTERNAL bypasses
a number of checks so is always available.
Fix Description: Force EXTERNAL to the present mech list, regardless
of the whitelist.
https://pagure.io/389-ds-base/issue/49231
Author: wibrown
Review by: mreynosd (Thanks!)
(cherry picked from commit e6e0db35842fc6612134cff5a08c4968230d1b2f)
---
dirsrvtests/tests/suites/sasl/allowed_mechs.py | 13 +++++++++++--
ldap/servers/slapd/charray.c | 14 ++++++++++++++
ldap/servers/slapd/saslbind.c | 9 +++++++++
ldap/servers/slapd/slapi-private.h | 2 ++
4 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/dirsrvtests/tests/suites/sasl/allowed_mechs.py b/dirsrvtests/tests/suites/sasl/allowed_mechs.py
index a3e385e..7958db4 100644
--- a/dirsrvtests/tests/suites/sasl/allowed_mechs.py
+++ b/dirsrvtests/tests/suites/sasl/allowed_mechs.py
@@ -25,12 +25,21 @@ def test_sasl_allowed_mechs(topology_st):
assert('EXTERNAL' in orig_mechs)
# Now edit the supported mechs. CHeck them again.
- standalone.config.set('nsslapd-allowed-sasl-mechanisms', 'EXTERNAL, PLAIN')
+ standalone.config.set('nsslapd-allowed-sasl-mechanisms', 'PLAIN')
limit_mechs = standalone.rootdse.supported_sasl()
- print(limit_mechs)
assert('PLAIN' in limit_mechs)
+ # Should always be in the allowed list, even if not set.
assert('EXTERNAL' in limit_mechs)
+ # Should not be there!
+ assert('GSSAPI' not in limit_mechs)
+
+ standalone.config.set('nsslapd-allowed-sasl-mechanisms', 'PLAIN, EXTERNAL')
+
+ limit_mechs = standalone.rootdse.supported_sasl()
+ assert('PLAIN' in limit_mechs)
+ assert('EXTERNAL' in limit_mechs)
+ # Should not be there!
assert('GSSAPI' not in limit_mechs)
# Do a config reset
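Review bot: The new `# Should always be in the allowed list, even if not set.` comment says what the assertion expects but not why, so a later reader may read the forced EXTERNAL as a whitelist bug and "fix" the server to honour it. I would expand it to `# EXTERNAL is forced into the advertised list because the bind path accepts it regardless of nsslapd-allowed-sasl-mechanisms (issue 49231).` so the test documents the contract it pins. The advertised list is only being aligned with what the bind path already accepts; an assertion that an EXTERNAL bind still succeeds while the whitelist is set to PLAIN would pin that underlying behaviour too, unless another test already covers it, which I cannot tell from this hunk. test_sasl_allowed_mechs begins before this hunk.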
diff --git a/ldap/servers/slapd/charray.c b/ldap/servers/slapd/charray.c
index 6b89714..9056f16 100644
--- a/ldap/servers/slapd/charray.c
+++ b/ldap/servers/slapd/charray.c
@@ -272,6 +272,20 @@ charray_utf8_inlist(
return( 0 );
}
+/*
+ * Assert that some str s is in the charray, or add it.
+ */
+void
+charray_assert_present(char ***a, char *s)
+{
+ int result = charray_utf8_inlist(*a, s);
+ /* Not in the list */
+ if (result == 0) {
+ char *sdup = slapi_ch_strdup(s);
+ slapi_ch_array_add_ext(a, sdup);
+ }
+}
+
int slapi_ch_array_utf8_inlist(char **a, char *s)
{
return charray_utf8_inlist(a,s);
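Review bot: `charray_assert_present(char ***a, char *s)` never writes through `s` and its only caller in saslbind.c passes the literal `"EXTERNAL"`, so the parameter should be `const char *s`, in the definition here and in the prototype added to slapi-private.h; `charray_utf8_inlist` is declared with `char *`, so either widen that as well or cast at that one call. The header comment should state ownership, since `s` is copied with `slapi_ch_strdup` and the copy handed to `slapi_ch_array_add_ext`: `/* s is duplicated; the caller keeps s, the array owns the copy. */`. Whether `*a == NULL` is tolerated depends on `charray_utf8_inlist` and `slapi_ch_array_add_ext`, neither of which is visible in this hunk; if both accept a NULL array, say so in the comment, otherwise add a guard, because the saslbind.c caller passes whatever `ret` holds. The name reads as a check rather than an insertion; `charray_ensure_present` would describe what the function does.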
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 75b83fe..dd0c4fb 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -794,6 +794,15 @@ char **ids_sasl_listmech(Slapi_PBlock *pb)
ret = sup_ret;
}
+ /*
+ * https://pagure.io/389-ds-base/issue/49231
+ * Because of the way that SASL mechs are managed in bind.c and saslbind.c
+ * even if EXTERNAL was *not* in the list of allowed mechs, it was allowed
+ * in the bind process because it bypasses lots of our checking. As a result
+ * we have to always present it.
+ */
+ charray_assert_present(&ret, "EXTERNAL");
+
slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_listmech", "<=\n");
return ret;
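Review bot: Forcing EXTERNAL into `ret` makes the advertised mechanism list match what the bind path accepts, but it also means `nsslapd-allowed-sasl-mechanisms` cannot exclude EXTERNAL, and the new comment records only the history, not that resulting contract. I would add one line to the comment block, `* Consequence: nsslapd-allowed-sasl-mechanisms cannot disable EXTERNAL; that would need changes in the bind path.`, and the attribute's operator documentation should say the same so an administrator does not assume the whitelist is enforced for it. When the configured list omits EXTERNAL and it is added here anyway, a log line at a level visible by default would let operators notice the mismatch; the existing TRACE message will not. If `ret` can be NULL at this point (the branch assigning it is above the hunk and not fully visible), `charray_assert_present` must accept a NULL array, which should be confirmed. ids_sasl_listmech starts before this hunk.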
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 3f732e8..0836d66 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -834,6 +834,8 @@ void charray_subtract( char **a, char **b, char ***c );
char **charray_intersection(char **a, char **b);
int charray_get_index(char **array, char *s);
int charray_normdn_add(char ***chararray, char *dn, char *errstr);
+void charray_assert_present(char ***a, char *s);
+
/******************************************************************************
* value array routines.
--
2.9.4