From: Pierangelo Masarati
Date: Sat, 9 Apr 2005 15:19:36 +0000 (+0000)
Subject: base64 encode passwords in back-config
X-Git-Tag: OPENLDAP_AC_BP~943
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=58d4f7fc20e5eede89f26b2ede48db6cdca333f6;p=openldap
base64 encode passwords in back-config
---
diff --git a/include/ldif.h b/include/ldif.h
index fec4b65ae9..a51e1cf4d3 100644
--- a/include/ldif.h
+++ b/include/ldif.h
@@ -85,6 +85,13 @@ ldif_read_record LDAP_P(( char **bufp, int *buflen ));
+LDAP_LDIF_F( int )
+ldif_must_b64_encode_register LDAP_P((
+ LDAP_CONST char *name,
+ LDAP_CONST char *oid ));
+
+LDAP_LDIF_F( void )
+ldif_must_b64_encode_release LDAP_P(( void ));
 #define LDIF_PUT_NOVALUE 0x0000 /* no value */
 #define LDIF_PUT_VALUE 0x0001 /* value w/ auto detection */
diff --git a/libraries/liblutil/ldif.c b/libraries/liblutil/ldif.c
index e0412b2ae9..c24fa18e0c 100644
--- a/libraries/liblutil/ldif.c
+++ b/libraries/liblutil/ldif.c
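Review bot: The two new exported prototypes document neither the return convention nor the lifetime rules, and the ldif.c hunk shows `ldif_must_b64_encode_register` returning 1 both for "already registered" and for allocation failure, so a caller reading only this header cannot know that a non-zero result may mean the attribute will later be written in cleartext. Add a comment above them such as `/* Register an attributeType (name + OID) whose values ldif_sput() must always base64-encode. Returns 0 on success, 1 if already present or out of memory. The registry is process-global and unlocked: register before threads start, release once at shutdown. */`. The thread-safety remark is inferred from the static pointer being rewritten without any lock in ldif.c and should be confirmed against how slapd orders backend initialisation.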
@@ -359,6 +359,131 @@ ldif_getline( char **next )
 return( line );
 }
+/*
+ * name and OID of attributeTypes that must be base64 encoded in any case
+ */
+typedef struct must_b64_encode_s {
+ struct berval name;
+ struct berval oid;
+} must_b64_encode_s;
+
+static must_b64_encode_s default_must_b64_encode[] = {
+ { BER_BVC( "userPassword" ), BER_BVC( "2.5.4.35" ) },
+ { BER_BVNULL, BER_BVNULL }
+};
+
+static must_b64_encode_s *must_b64_encode = default_must_b64_encode;
+
+/*
+ * register name and OID of attributeTypes that must always be base64
+ * encoded
+ *
+ * NOTE: this routine mallocs memory in a static struct which must
+ * be explicitly freed when no longer required
+ */
+int
+ldif_must_b64_encode_register( LDAP_CONST char *name, LDAP_CONST char *oid )
+{
+ int i;
+ ber_len_t len;
+
+ assert( must_b64_encode );
+ assert( name );
+ assert( oid );
+
+ len = strlen( name );
+
+ for ( i = 0; !BER_BVISNULL( &must_b64_encode[i].name ); i++ ) {
+ if ( len != must_b64_encode[i].name.bv_len ) {
+ continue;
+ }
+
+ if ( strcasecmp( name, must_b64_encode[i].name.bv_val ) == 0 ) {
+ break;
+ }
+ }
+
+ if ( !BER_BVISNULL( &must_b64_encode[i].name ) ) {
+ return 1;
+ }
+
+ for ( i = 0; !BER_BVISNULL( &must_b64_encode[i].name ); i++ )
+ /* just count */ ;
+
+ if ( must_b64_encode == default_must_b64_encode ) {
+ must_b64_encode = ber_memalloc( sizeof( must_b64_encode_s ) * ( i + 2 ) );
+
+ for ( i = 0; !BER_BVISNULL( &default_must_b64_encode[i].name ); i++ ) {
+ ber_dupbv( &must_b64_encode[i].name, &default_must_b64_encode[i].name );
+ ber_dupbv( &must_b64_encode[i].oid, &default_must_b64_encode[i].oid );
+ }
+
+ } else {
+ must_b64_encode_s *tmp;
+
+ tmp = ber_memrealloc( must_b64_encode,
+ sizeof( must_b64_encode_s ) * ( i + 2 ) );
+ if ( tmp == NULL ) {
+ return 1;
+ }
+ must_b64_encode = tmp;
+ }
+
+ ber_str2bv( name, len, 1, &must_b64_encode[i].name );
+ ber_str2bv( oid, 0, 1, &must_b64_encode[i].oid );
+
+ BER_BVZERO( &must_b64_encode[i + 1].name );
+
+ return 0;
+}
+void
+ldif_must_b64_encode_release( void )
+{
+ int i;
+
+ assert( must_b64_encode );
+
+ if ( must_b64_encode == default_must_b64_encode ) {
+ return;
+ }
+
+ for ( i = 0; !BER_BVISNULL( &must_b64_encode[i].name ); i++ ) {
+ ber_memfree( must_b64_encode[i].name.bv_val );
+ ber_memfree( must_b64_encode[i].oid.bv_val );
+ }
+
+ ber_memfree( must_b64_encode );
+
+ must_b64_encode = default_must_b64_encode;
+}
+
+/*
+ * returns 1 iff the string corresponds to the name or the OID of any
+ * of the attributeTypes listed in must_b64_encode
+ */
+static int
+ldif_must_b64_encode( LDAP_CONST char *s )
+{
+ int i;
+ struct berval bv;
+
+ assert( must_b64_encode );
+ assert( s );
+
+ ber_str2bv( s, 0, 0, &bv );
+
+ for ( i = 0; !BER_BVISNULL( &must_b64_encode[i].name ); i++ ) {
+ if ( ber_bvstrcasecmp( &must_b64_encode[i].name, &bv ) == 0
+ || ber_bvstrcasecmp( &must_b64_encode[i].oid, &bv ) == 0 )
+ {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
 /* compatibility with U-Mich off by one bug */
 #define LDIF_KLUDGE 1
@@ -479,10 +604,7 @@ ldif_sput(
 && strstr( name, ";binary" ) == NULL
 #endif
 #ifndef LDAP_PASSWD_DEBUG
- && (namelen != (sizeof("userPassword")-1)
- || strcasecmp( name, "userPassword" ) != 0) /* encode userPassword */
- && (namelen != (sizeof("2.5.4.35")-1)
- || strcasecmp( name, "2.5.4.35" ) != 0) /* encode userPassword */
+ && !ldif_must_b64_encode( name )
 #endif
 ) {
 int b64 = 0;
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index b987df1d7a..a1835cea31 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -4031,6 +4031,13 @@ config_back_db_init( Backend *be )
 return 0;
 }
+static int
+config_back_destroy( BackendInfo *bi )
+{
+ ldif_must_b64_encode_release();
+ return 0;
+}
+
 static struct {
 char *name;
 AttributeDescription **desc;
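Review bot: In `ldif_must_b64_encode_register`, the first-growth branch (`must_b64_encode == default_must_b64_encode`) stores the `ber_memalloc` result directly into `must_b64_encode` and dereferences it in the `ber_dupbv` loop, so an allocation failure is an immediate NULL write — and because the global is left NULL, every later `ldif_must_b64_encode()` call from ldif_sput asserts or crashes instead of falling back to the built-in userPassword entry, the worst failure mode for code whose job is keeping passwords out of cleartext LDIF. Allocate into a temporary, return on failure with the table untouched, and publish only after the copy loop, as the realloc branch already does; `ber_dupbv` presumably allocates too (release() frees the bv_val it produced), so its results deserve a check as well. Returning 1 for both "already registered" and "out of memory" also hides the second from callers; a distinct code would let bconfig.c log it. The duplicate check compares names only, so the same OID can be registered twice under different names — harmless for lookup, but worth a comment.
```c
	if ( must_b64_encode == default_must_b64_encode ) {
		must_b64_encode_s *tmp;

		/* build the new table aside; on failure the built-in
		 * userPassword entry stays in force */
		tmp = ber_memalloc( sizeof( must_b64_encode_s ) * ( i + 2 ) );
		if ( tmp == NULL ) {
			return 1;
		}

		for ( i = 0; !BER_BVISNULL( &default_must_b64_encode[i].name ); i++ ) {
			ber_dupbv( &tmp[i].name, &default_must_b64_encode[i].name );
			ber_dupbv( &tmp[i].oid, &default_must_b64_encode[i].oid );
		}
		must_b64_encode = tmp;

	} else {
		/* … unchanged: ber_memrealloc path … */
	}
```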
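Review bot: The replacement test `!ldif_must_b64_encode( name )` still sits under `#ifndef LDAP_PASSWD_DEBUG`, so a build with that macro defined now bypasses the whole registry and writes not just userPassword but every registered attribute (olcRootPW after this commit) in cleartext; that widened effect of a debug switch deserves a comment at the `#ifndef`, e.g. `/* LDAP_PASSWD_DEBUG disables the must-b64 registry: registered password attributes are emitted in cleartext */`. The lookup is an exact, case-insensitive match on the full `name`, so a description carrying options (the `strstr( name, ";binary" )` line shows names can) would not be caught — the same as the old hard-coded test, but the registry now suggests a completeness it does not have. ldif_sput begins and ends outside this hunk.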
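Review bot: `config_back_destroy` releases a liblutil-wide registry rather than state this backend owns, so anything another module might register through `ldif_must_b64_encode_register` is dropped when back-config is torn down; presumably back-config is the only registrant today, but a one-line comment should make that ownership explicit: `/* back-config is the sole registrant of the liblutil must-b64 table, so it releases it */`. The release resets the pointer to the built-in userPassword table, so the default protection survives the call. The unused `bi` parameter is fine for the bi_destroy signature.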
@@ -4068,10 +4075,12 @@ static struct {
 int
 config_back_initialize( BackendInfo *bi )
 {
- ConfigTable *ct = config_back_cf_table;
- char *argv[4];
- int i;
- static char *controls[] = {
+ ConfigTable *ct = config_back_cf_table;
+ char *argv[4];
+ int i;
+ AttributeDescription *ad = NULL;
+ const char *text;
+ static char *controls[] = {
 LDAP_CONTROL_MANAGEDSAIT,
 NULL
 };
@@ -4081,7 +4090,7 @@ config_back_initialize( BackendInfo *bi )
 bi->bi_open = 0;
 bi->bi_close = 0;
 bi->bi_config = 0;
- bi->bi_destroy = 0;
+ bi->bi_destroy = config_back_destroy;
 bi->bi_db_init = config_back_db_init;
 bi->bi_db_config = 0;
@@ -4118,6 +4127,18 @@ config_back_initialize( BackendInfo *bi )
 i = config_register_schema( ct, cf_ocs );
 if ( i ) return i;
+ i = slap_str2ad( "olcRootPW", &ad, &text );
+ /* basically, we don't care if it fails */
+ if ( i ) {
+ Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
+ "warning, unable to get \"olcRootPW\" "
+ "attribute description: %d: %s\n",
+ i, text, 0 );
+ } else {
+ (void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
+ ad->ad_type->sat_oid );
+ }
+
 /* set up the notable AttributeDescriptions */
 i = 0;
 for (;ct->name;ct++) {
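Review bot: `ad` gets an explicit `= NULL` but `text` does not, and the `Debug()` in the later `slap_str2ad` failure branch prints `text`; unless every failure path of `slap_str2ad` assigns it — not visible here — that diagnostic reads an indeterminate pointer. `const char *text = NULL;` costs nothing and makes the message safe either way. The remaining lines of the hunk are a whitespace-only re-indent of unchanged declarations.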
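Review bot: The result of `ldif_must_b64_encode_register` is cast to void, so an allocation failure inside it (it returns 1, per the ldif.c hunk) silently leaves olcRootPW unregistered and the root password is then written to the config LDIF in cleartext with no log line, whereas the `slap_str2ad` failure at least warns. Since `config_register_schema` on this very table succeeded two lines earlier, a missing olcRootPW is a schema bug rather than something "we don't care" about, so I would log the registration failure and consider returning `i` on the str2ad failure as well. A comment near the call should also set expectations, e.g. `/* base64 only keeps the value out of casual view; it is not encryption */`. config_back_initialize continues past the end of this hunk.
```c
	i = slap_str2ad( "olcRootPW", &ad, &text );
	if ( i ) {
		/* … unchanged: Debug warning for the str2ad failure … */
	} else if ( ldif_must_b64_encode_register( ad->ad_cname.bv_val,
			ad->ad_type->sat_oid ) )
	{
		/* not registered: olcRootPW would be written in cleartext */
		Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
			"warning, unable to register \"olcRootPW\" "
			"for base64 encoding\n", 0, 0, 0 );
	}
```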