From 58b738e455355344acbfcac556600b2e19ade1a3 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 2 Dec 2013 17:13:55 -0500
Subject: [PATCH 63/65] Ticket 47614 - Possible to specify invalid SASL
 mechanism in nsslapd-allowed-sasl-mechanisms

Bug Description:  Invalid values could be specified in the allowed sasl mechanisms configuration
                  attribute.  These values are directly passed to the sasl library.

Fix Description:  Follow RFR 4422, only allow upto 20 characters that are ASCII upper-case letters,
                  digits, hyphens, or underscores.

https://fedorahosted.org/389/ticket/47614

Reviewed by: richm(Thanks!)
(cherry picked from commit 7e8a5fc7183f7c08212bfb746ea8c5ceedee0132)
(cherry picked from commit f00321f892545d59e07c1a944936153660640e47)
---
 ldap/servers/slapd/libglobs.c | 60 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index b925a2c..a763135 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -126,6 +126,7 @@ static int config_set_onoff( const char *attrname, char *value,
 static int config_set_schemareplace ( const char *attrname, char *value,
 		char *errorbuf, int apply );
 static void remove_commas(char *str);
+static int invalid_sasl_mech(char *str);
 
 /* Keeping the initial values */
 /* CONFIG_INT/CONFIG_LONG */
@@ -6768,6 +6769,13 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf,
     /* cyrus sasl doesn't like comma separated lists */
     remove_commas(value);
 
+    if(invalid_sasl_mech(value)){
+        LDAPDebug(LDAP_DEBUG_ANY,"Invalid value/character for sasl mechanism (%s).  Use ASCII "
+                                 "characters, upto 20 characters, that are upper-case letters, "
+                                 "digits, hyphens, or underscores\n", value, 0, 0);
+        return LDAP_UNWILLING_TO_PERFORM;
+    }
+
     CFG_LOCK_WRITE(slapdFrontendConfig);
     slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
     CFG_UNLOCK_WRITE(slapdFrontendConfig);
@@ -7452,3 +7460,55 @@ remove_commas(char *str)
         }
     }
 }
+
+/*
+ * Check the SASL mechanism values
+ *
+ * As per RFC 4422:
+ * SASL mechanisms are named by character strings, from 1 to 20
+ * characters in length, consisting of ASCII [ASCII] uppercase letters,
+ * digits, hyphens, and/or underscores.
+ */
+static int
+invalid_sasl_mech(char *str)
+{
+    char *mech = NULL, *token = NULL, *next = NULL;
+    int i;
+
+    if(str == NULL){
+        return 0;
+    }
+
+    /*
+     * Check the length for each mechanism
+     */
+    token = slapi_ch_strdup(str);
+    for (mech = ldap_utf8strtok_r(token, " ", &next); mech;
+         mech = ldap_utf8strtok_r(NULL, " ", &next))
+    {
+        if(strlen(mech) == 0 || strlen(mech) > 20){
+            /* invalid length */
+            slapi_ch_free_string(&token);
+            return 1;
+        }
+    }
+    slapi_ch_free_string(&token);
+
+    /*
+     * Check the individual characters
+     */
+    for (i = 0; str[i]; i++){
+        if ( ((int)str[i] < 48 || (int)str[i] > 57) && /* not a digit */
+             ((int)str[i] < 65 || (int)str[i] > 90) && /* not upper case */
+             (int)str[i] != 32 && /* not a space (between mechanisms) */
+             (int)str[i] != 45 && /* not a hyphen */
+             (int)str[i] != 95 ) /* not an underscore */
+        {
+            /* invalid character */
+            return 1;
+        }
+    }
+
+    /* Mechanism value is valid */
+    return 0;
+}
-- 
1.8.1.4