rpms / 389-ds-base

Clone
Source Code
GIT

Blame SOURCES/0095-Ticket-47739-directory-server-is-insecurely-misinter.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-armhfp c7-beta c8-beta-stream-1.4 c8-stream-1.4 c8s-stream-1.4 c8s-stream-ds c9 c9-beta
  1.   3e8a65d85804f994442e69f31356b70310316a53
  2.   SOURCES
  3.   0095-Ticket-47739-directory-server-is-insecurely-misinter.patch
Blob History Raw
cc3dff 
From 8a368a62ea22127f95017467a044df57937ed238 Mon Sep 17 00:00:00 2001
cc3dff 
From: Noriko Hosoi <nhosoi@redhat.com>
cc3dff 
Date: Mon, 10 Mar 2014 16:12:08 -0700
cc3dff 
Subject: [PATCH] Ticket #47739 - directory server is insecurely
cc3dff 
 misinterpreting authzid on a SASL/GSSAPI bind
cc3dff
cc3dff 
Description: SASL_CB_PROXY_POLICY callback is not needed since we
cc3dff 
don't support the case authid and authzid do not match.  This patch
cc3dff 
gets rid of the callback function ids_sasl_proxy_policy.
cc3dff
cc3dff 
https://fedorahosted.org/389/ticket/47739
cc3dff
cc3dff 
Reviewed by nkinder@redhat.com (Thank you, Nathan!!)
cc3dff 
(cherry picked from commit 76acff12a86110d4165f94e2cba13ef5c7ebc38a)
cc3dff 
(cherry picked from commit 9bc2b46b7c7ee4c975d04b041f73a5992906b07c)
cc3dff 
(cherry picked from commit d2063c889feeba122e12f152e2e2c98aed4eb442)
cc3dff 
(cherry picked from commit 614d72196e696395d5bc0a6d62f8be9d4ee41c5b)
cc3dff 
---
cc3dff 
 ldap/servers/slapd/saslbind.c | 33 ---------------------------------
cc3dff 
 1 file changed, 33 deletions(-)
cc3dff
cc3dff 
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
cc3dff 
index 96b1f8c..b405c46 100644
cc3dff 
--- a/ldap/servers/slapd/saslbind.c
cc3dff 
+++ b/ldap/servers/slapd/saslbind.c
cc3dff 
@@ -229,34 +229,6 @@ static int ids_sasl_log(
cc3dff 
     return SASL_OK;
cc3dff 
 }
cc3dff
cc3dff 
-static int ids_sasl_proxy_policy(
cc3dff 
-    sasl_conn_t *conn,
cc3dff 
-    void *context,
cc3dff 
-    const char *requested_user, int rlen,
cc3dff 
-    const char *auth_identity, int alen,
cc3dff 
-    const char *def_realm, int urlen,
cc3dff 
-    struct propctx *propctx
cc3dff 
-)
cc3dff 
-{
cc3dff 
-    int retVal = SASL_OK;
cc3dff 
-    /* do not permit sasl proxy authorization */
cc3dff 
-    /* if the auth_identity is null or empty string, allow the sasl request to go thru */
cc3dff 
-    if ( (auth_identity != NULL ) && ( strlen(auth_identity) > 0 ) ) {
cc3dff 
-        Slapi_DN authId , reqUser;
cc3dff 
-        slapi_sdn_init_dn_byref(&authId,auth_identity);
cc3dff 
-        slapi_sdn_init_dn_byref(&reqUser,requested_user);
cc3dff 
-        if (slapi_sdn_compare((const Slapi_DN *)&reqUser,(const Slapi_DN *) &authId) != 0) {
cc3dff 
-            LDAPDebug(LDAP_DEBUG_TRACE,
cc3dff 
-                  "sasl proxy auth not permitted authid=%s user=%s\n",
cc3dff 
-                  auth_identity, requested_user, 0);
cc3dff 
-            retVal =  SASL_NOAUTHZ;
cc3dff 
-        }
cc3dff 
-        slapi_sdn_done(&authId);
cc3dff 
-        slapi_sdn_done(&reqUser);
cc3dff 
-    }
cc3dff 
-    return retVal;
cc3dff 
-}
cc3dff 
-
cc3dff 
 static void ids_sasl_user_search(
cc3dff 
     char *basedn,
cc3dff 
     int scope,
cc3dff 
@@ -575,11 +547,6 @@ static sasl_callback_t ids_sasl_callbacks[] =
cc3dff 
       NULL
cc3dff 
     },
cc3dff 
     {
cc3dff 
-      SASL_CB_PROXY_POLICY,
cc3dff 
-      (IFP) ids_sasl_proxy_policy,
cc3dff 
-      NULL
cc3dff 
-    },
cc3dff 
-    {
cc3dff 
       SASL_CB_CANON_USER,
cc3dff 
       (IFP) ids_sasl_canon_user,
cc3dff 
       NULL
cc3dff 
--
cc3dff 
1.8.1.4
cc3dff

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation