January 2009 - 389-commits - Fedora Mailing-Lists

[Fedora-directory-commits] ldapserver/ldap/servers/slapd ssl.c, 1.22, 1.23

by Richard Allen Megginson

Author: rmeggins Update of /cvs/dirsec/ldapserver/ldap/servers/slapd In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27785/ldapserver/ldap/servers/slapd Modified Files: ssl.c Log Message: Resolves: bug 482909 Bug Description: server seg fault if doing SSLCLIENTAUTH without being an ssl server Reviewed by: nkinder (Thanks!) Fix Description: When I changed the code to allow the DS to be an SSL client without having to be an SSL server, I missed the svrcore setup for EXTERNAL (ssl client auth). The fix is to check to see if svrcore has been set up, and initialize it if not, before attempting to use it. Platforms tested: RHEL5 Flag Day: no Doc impact: no Index: ssl.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/ssl.c,v retrieving revision 1.22 retrieving revision 1.23 diff -u -r1.22 -r1.23 --- ssl.c 13 Jan 2009 19:01:10 -0000 1.22 +++ ssl.c 28 Jan 2009 21:59:41 -0000 1.23 @@ -473,18 +473,11 @@ return rv; } -/* - * slapd_ssl_init() is called from main() if we plan to listen - * on a secure port. - */ -int -slapd_ssl_init() { +static int +svrcore_setup() +{ PRErrorCode errorCode; - char ** family_list; - char *val = NULL; - char cipher_string[1024]; int rv = 0; - PK11SlotInfo *slot; #ifndef _WIN32 SVRCOREStdPinObj *StdPinObj; #else @@ -492,40 +485,11 @@ SVRCOREAltPinObj *AltPinObj; SVRCORENTUserPinObj *NTUserPinObj; #endif - Slapi_Entry *entry = NULL; - - /* Get general information */ - - getConfigEntry( configDN, &entry ); - - val = slapi_entry_attr_get_charptr( entry, "nssslSessionTimeout" ); - ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" ); - - /* We are currently using the value of sslSessionTimeout - for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */ - /* Note from Tom Weinstein on the meaning of the timeout: - - Timeouts are in seconds. '0' means use the default, which is - 24hrs for SSL3 and 100 seconds for SSL2. - */ - - if(!val) { - errorCode = PR_GetError(); - slapd_SSL_warn("Security Initialization: Failed to retrieve SSL " - "configuration information (" - SLAPI_COMPONENT_NAME_NSPR " error %d - %s): " - "nssslSessionTimeout: %s ", - errorCode, slapd_pr_strerror(errorCode), - (val ? "found" : "not found")); - slapi_ch_free((void **) &val); - slapi_ch_free((void **) &ciphers); - return -1; - } - - stimeout = atoi(val); - slapi_ch_free((void **) &val); - #ifndef _WIN32 + StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj(); + if (StdPinObj) { + return 0; /* already registered */ + } if ( SVRCORE_CreateStdPinObj(&StdPinObj, dongle_file_name, PR_TRUE) != SVRCORE_Success) { errorCode = PR_GetError(); @@ -536,6 +500,10 @@ } SVRCORE_RegisterPinObj((SVRCOREPinObj *)StdPinObj); #else + AltPinObj = (SVRCOREAltPinObj *)SVRCORE_GetRegisteredPinObj(); + if (AltPinObj) { + return 0; /* already registered */ + } if (SVRCORE_CreateFilePinObj(&FilePinObj, dongle_file_name) != SVRCORE_Success) { errorCode = PR_GetError(); @@ -563,6 +531,58 @@ #endif /* _WIN32 */ + return rv; +} + +/* + * slapd_ssl_init() is called from main() if we plan to listen + * on a secure port. + */ +int +slapd_ssl_init() { + PRErrorCode errorCode; + char ** family_list; + char *val = NULL; + char cipher_string[1024]; + int rv = 0; + PK11SlotInfo *slot; + Slapi_Entry *entry = NULL; + + /* Get general information */ + + getConfigEntry( configDN, &entry ); + + val = slapi_entry_attr_get_charptr( entry, "nssslSessionTimeout" ); + ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" ); + + /* We are currently using the value of sslSessionTimeout + for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */ + /* Note from Tom Weinstein on the meaning of the timeout: + + Timeouts are in seconds. '0' means use the default, which is + 24hrs for SSL3 and 100 seconds for SSL2. + */ + + if(!val) { + errorCode = PR_GetError(); + slapd_SSL_warn("Security Initialization: Failed to retrieve SSL " + "configuration information (" + SLAPI_COMPONENT_NAME_NSPR " error %d - %s): " + "nssslSessionTimeout: %s ", + errorCode, slapd_pr_strerror(errorCode), + (val ? "found" : "not found")); + slapi_ch_free((void **) &val); + slapi_ch_free((void **) &ciphers); + return -1; + } + + stimeout = atoi(val); + slapi_ch_free((void **) &val); + + if (svrcore_setup()) { + return -1; + } + if((family_list = getChildren(configDN))) { char **family; char *token; @@ -687,6 +707,10 @@ #ifndef _WIN32 SVRCOREStdPinObj *StdPinObj; + if (svrcore_setup()) { + return 1; + } + StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj(); SVRCORE_SetStdPinInteractive(StdPinObj, PR_FALSE); #endif @@ -1159,35 +1183,37 @@ /* Free config data */ + if (!svrcore_setup()) { #ifndef _WIN32 - StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj(); - err = SVRCORE_StdPinGetPin( &pw, StdPinObj, token ); + StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj(); + err = SVRCORE_StdPinGetPin( &pw, StdPinObj, token ); #else - AltPinObj = (SVRCOREAltPinObj *)SVRCORE_GetRegisteredPinObj(); - pw = SVRCORE_GetPin( (SVRCOREPinObj *)AltPinObj, token, PR_FALSE); + AltPinObj = (SVRCOREAltPinObj *)SVRCORE_GetRegisteredPinObj(); + pw = SVRCORE_GetPin( (SVRCOREPinObj *)AltPinObj, token, PR_FALSE); #endif - if ( err != SVRCORE_Success || pw == NULL) { - errorCode = PR_GetError(); - slapd_SSL_warn("SSL client authentication cannot be used " - "(no password). (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", - errorCode, slapd_pr_strerror(errorCode)); - } else { - rc = ldapssl_enable_clientauth (ld, SERVER_KEY_NAME, pw, cert_name); - if (rc != 0) { + if ( err != SVRCORE_Success || pw == NULL) { errorCode = PR_GetError(); - slapd_SSL_warn("ldapssl_enable_clientauth(%s, %s) %i (" - SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", - SERVER_KEY_NAME, cert_name, rc, - errorCode, slapd_pr_strerror(errorCode)); + slapd_SSL_warn("SSL client authentication cannot be used " + "(no password). (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", + errorCode, slapd_pr_strerror(errorCode)); } else { - /* We cannot allow NSS to cache outgoing client auth connections - - each client auth connection must have it's own non-shared SSL - connection to the peer so that it will go through the - entire handshake protocol every time including the use of its - own unique client cert - see bug 605457 - */ + rc = ldapssl_enable_clientauth (ld, SERVER_KEY_NAME, pw, cert_name); + if (rc != 0) { + errorCode = PR_GetError(); + slapd_SSL_warn("ldapssl_enable_clientauth(%s, %s) %i (" + SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", + SERVER_KEY_NAME, cert_name, rc, + errorCode, slapd_pr_strerror(errorCode)); + } else { + /* We cannot allow NSS to cache outgoing client auth connections - + each client auth connection must have it's own non-shared SSL + connection to the peer so that it will go through the + entire handshake protocol every time including the use of its + own unique client cert - see bug 605457 + */ - ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE); + ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE); + } } }

15 years, 2 months

1
0
0 / 0

[Fedora-directory-commits] adminserver/admserv/newinst/src AdminServer.pm.in, 1.14, 1.15 adminserver.map.in, 1.10, 1.11

by Nathan Kinder

Author: nkinder Update of /cvs/dirsec/adminserver/admserv/newinst/src In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19994/admserv/newinst/src Modified Files: AdminServer.pm.in adminserver.map.in Log Message: Resolves: 430364 Summary: Allow listen address to be passed in via installer. Index: AdminServer.pm.in =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/AdminServer.pm.in,v retrieving revision 1.14 retrieving revision 1.15 diff -u -r1.14 -r1.15 --- AdminServer.pm.in 14 Jul 2008 20:00:03 -0000 1.14 +++ AdminServer.pm.in 28 Jan 2009 21:25:58 -0000 1.15 @@ -346,7 +346,9 @@ $? = 0; # clear error my $output = `$cmd 2>&1`; - if ($?) { + # Check the output of the config CGI to see if something bad happened. + if ($? || $output =~ /NMC_Status: 1/) { + debug(0, "Error updating console.conf:\n"); debug(0, $output); $ENV{LD_LIBRARY_PATH} = $savepath; $ENV{SHLIB_PATH} = $savepath; Index: adminserver.map.in =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/adminserver.map.in,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- adminserver.map.in 14 Jul 2008 18:43:02 -0000 1.10 +++ adminserver.map.in 28 Jan 2009 21:25:58 -0000 1.11 @@ -48,6 +48,7 @@ uname_m = `open(UNAMEM, "uname -m |"); $returnvalue = <UNAMEM>; chomp $returnvalue; close(UNAMEM);` asid = `$returnvalue = $mapper->{fqdn}; $returnvalue =~ s/\..*$//;` as_port = Port +as_addr = ServerIpAddress admpw = "@configdir@/admpw" as_error = "@logdir@/error" as_access = "@logdir@/access"

15 years, 2 months

1
0
0 / 0

[Fedora-directory-commits] adminserver/admserv/cgi-src40 config.c, 1.16, 1.17

by Nathan Kinder

Author: nkinder Update of /cvs/dirsec/adminserver/admserv/cgi-src40 In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19994/admserv/cgi-src40 Modified Files: config.c Log Message: Resolves: 430364 Summary: Allow listen address to be passed in via installer. Index: config.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/config.c,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- config.c 4 Dec 2008 20:01:28 -0000 1.16 +++ config.c 28 Jan 2009 21:25:58 -0000 1.17 @@ -1037,13 +1037,9 @@ #endif static int validate_addr(char* ip) { - - char systemInfo[SYS_INFO_BUFFER_LENGTH]; - char buf[PR_NETDB_BUF_SIZE]; - PRIntn index; - PRNetAddr netaddr, netaddr1; - PRStatus pr_st; - PRHostEnt hostentry; + PRNetAddr netaddr; + PRFileDesc *sock = NULL; + int ret = 0; /* If ip address is not define, it means that server should listen on all interfaces */ if (ip==NULL || *ip=='\0') return 1; @@ -1052,18 +1048,16 @@ if (!strcmp(ip, "127.0.0.1")) return 1; if (!strcmp(ip, "0.0.0.0")) return 1; - PR_StringToNetAddr(ip, &netaddr); - - pr_st = PR_GetSystemInfo(PR_SI_HOSTNAME, systemInfo, SYS_INFO_BUFFER_LENGTH); - - pr_st = PR_GetHostByName(systemInfo, buf, PR_NETDB_BUF_SIZE, &hostentry); - - index = 0; - while ((index = PR_EnumerateHostEnt(index, &hostentry, 8000, &netaddr1))) { - if (netaddr1.inet.ip == netaddr.inet.ip) return 1; + if (PR_StringToNetAddr(ip, &netaddr) == PR_SUCCESS) { + if ((sock = PR_NewTCPSocket()) != NULL) { + if (PR_Bind(sock, &netaddr) == PR_SUCCESS) { + ret = 1; + } + PR_Close(sock); + } } - - return 0; + + return ret; } /*

15 years, 2 months

1
0
0 / 0

[Fedora-directory-commits] adminserver/admserv/schema/ldif 20asdata.ldif.tmpl, 1.6, 1.7

by Nathan Kinder

Author: nkinder Update of /cvs/dirsec/adminserver/admserv/schema/ldif In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19994/admserv/schema/ldif Modified Files: 20asdata.ldif.tmpl Log Message: Resolves: 430364 Summary: Allow listen address to be passed in via installer. Index: 20asdata.ldif.tmpl =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/schema/ldif/20asdata.ldif.tmpl,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- 20asdata.ldif.tmpl 14 Jul 2008 18:43:02 -0000 1.6 +++ 20asdata.ldif.tmpl 28 Jan 2009 21:25:59 -0000 1.7 @@ -78,7 +78,7 @@ cn: Configuration nsServerPort: %as_port% nsSuiteSpotUser: %as_user% -nsServerAddress: +nsServerAddress: %as_addr% nsAdminEnableEnduser: on nsAdminEnableDSGW: on nsDirectoryInfoRef: cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot

15 years, 2 months

1
0
0 / 0

[Fedora-directory-commits] mod_admserv mod_admserv.c,1.37,1.38

by Noriko Hosoi

Author: nhosoi Update of /cvs/dirsec/mod_admserv In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1705/mod_admserv Modified Files: mod_admserv.c Log Message: Resolves: #191834 Summary: Clean up admin password in memory when it's freed Description: (comment #6) Overwrote password strings with '\0's. Index: mod_admserv.c =================================================================== RCS file: /cvs/dirsec/mod_admserv/mod_admserv.c,v retrieving revision 1.37 retrieving revision 1.38 diff -u -r1.37 -r1.38 --- mod_admserv.c 12 Dec 2008 19:45:05 -0000 1.37 +++ mod_admserv.c 28 Jan 2009 00:05:13 -0000 1.38 @@ -886,25 +886,28 @@ if (error != UG_OP_OK) { *errorInfo = (char*)"unable to set User/Group baseDN"; - goto done; + goto done; } } if (!extractLdapServerData(&userGroupServer, userGroupLdapURL, s)) { *errorInfo = (char*)"unable to extract User/Group LDAP info"; - goto done; + goto done; } userGroupServer.bindDN = userGroupBindDN ? apr_pstrdup(module_pool, userGroupBindDN) : NULL; userGroupServer.bindPW = userGroupBindPW ? apr_pstrdup(module_pool, userGroupBindPW) : NULL; - retval = TRUE; /* made it here, so success */ + retval = TRUE; /* made it here, so success */ done: - PL_strfree(siedn); - PL_strfree(userGroupLdapURL); - PL_strfree(userGroupBindDN); - PL_strfree(userGroupBindPW); - PL_strfree(dirInfoRef); - destroyAdmldap(info); + PL_strfree(siedn); + PL_strfree(userGroupLdapURL); + PL_strfree(userGroupBindDN); + if (userGroupBindPW) { + memset(userGroupBindPW, 0, strlen(userGroupBindPW)); + PL_strfree(userGroupBindPW); + } + PL_strfree(dirInfoRef); + destroyAdmldap(info); return retval; }

15 years, 3 months

1
0
0 / 0

[Fedora-directory-commits] adminserver/admserv/cgi-src40 sec-activate.c, 1.13, 1.14 security.c, 1.19, 1.20 viewlog.c, 1.12, 1.13

by Noriko Hosoi

Author: nhosoi Update of /cvs/dirsec/adminserver/admserv/cgi-src40 In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1705/admserv/cgi-src40 Modified Files: sec-activate.c security.c viewlog.c Log Message: Resolves: #191834 Summary: Clean up admin password in memory when it's freed Description: (comment #6) Overwrote password strings with '\0's. Index: sec-activate.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/sec-activate.c,v retrieving revision 1.13 retrieving revision 1.14 diff -u -r1.13 -r1.14 --- sec-activate.c 4 Dec 2008 20:01:28 -0000 1.13 +++ sec-activate.c 28 Jan 2009 00:05:13 -0000 1.14 @@ -463,6 +463,7 @@ admSetCachedSIEPWD(pwd); + memset(pwd, 0, strlen(pwd)); free(pwd); return admGetCachedSIEPWD(); Index: security.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/security.c,v retrieving revision 1.19 retrieving revision 1.20 diff -u -r1.19 -r1.20 --- security.c 15 Dec 2008 20:06:55 -0000 1.19 +++ security.c 28 Jan 2009 00:05:13 -0000 1.20 @@ -505,7 +505,8 @@ PL_strfree(ssecurity); PL_strfree(binddn); if (freebindpw) { - PL_strfree(bindpw); + memset(bindpw, 0, strlen(bindpw)); + PL_strfree(bindpw); } } } Index: viewlog.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/viewlog.c,v retrieving revision 1.12 retrieving revision 1.13 diff -u -r1.12 -r1.13 --- viewlog.c 4 Dec 2008 20:01:28 -0000 1.12 +++ viewlog.c 28 Jan 2009 00:05:13 -0000 1.13 @@ -269,7 +269,9 @@ PL_strfree(ssecurity); PL_strfree(binddn); if (freebindpw) { + memset(bindpw, 0, strlen(bindpw)); PL_strfree(bindpw); + bindpw = NULL; } } }

15 years, 3 months

1
0
0 / 0

[Fedora-directory-commits] adminutil/lib/libadminutil admutil.c, 1.9, 1.10 psetc.c, 1.5, 1.6 srvutil.c, 1.6, 1.7 uginfo.c, 1.5, 1.6

by Noriko Hosoi

Author: nhosoi Update of /cvs/dirsec/adminutil/lib/libadminutil In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv32529/lib/libadminutil Modified Files: admutil.c psetc.c srvutil.c uginfo.c Log Message: Resolves: #191834 Summary: Clean up admin password in memory when it's freed Description: (comment #5) 1) overwrote password string with '\0's. 2) psetCreate (psetc.c), psetCreateSSL (psetcssl.c) Both has the similar code "passwd = bindPasswd; /* not to free bindPasswd */". According to the comment, by setting bindPasswd to passwd, bindPasswd is not supposed to be freed. But the current location does not stop it's being freed since at that point bindPasswd is NULL and NULL is set to passwd. (Probably, the path is not usually taken.) Index: admutil.c =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadminutil/admutil.c,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- admutil.c 5 Jul 2007 21:12:55 -0000 1.9 +++ admutil.c 28 Jan 2009 00:01:10 -0000 1.10 @@ -1434,24 +1434,23 @@ admInfo->localAdminName = NULL; } if (admInfo->localAdminPassword) { + memset(admInfo->localAdminPassword, '\0', strlen(admInfo->localAdminPassword)); PR_Free(admInfo->localAdminPassword); admInfo->localAdminPassword = NULL; } - if (admInfo->sieDN) - { - PR_Free(admInfo->sieDN); - admInfo->sieDN = NULL; - } - if (admInfo->userDN) - { - PR_Free(admInfo->userDN); - admInfo->userDN = NULL; - } - if (admInfo->passwd) - { - PR_Free(admInfo->passwd); - admInfo->passwd = NULL; - } + if (admInfo->sieDN) { + PR_Free(admInfo->sieDN); + admInfo->sieDN = NULL; + } + if (admInfo->userDN) { + PR_Free(admInfo->userDN); + admInfo->userDN = NULL; + } + if (admInfo->passwd) { + memset(admInfo->passwd, '\0', strlen(admInfo->passwd)); + PR_Free(admInfo->passwd); + admInfo->passwd = NULL; + } if (admInfo->ldapHndl) { ldap_unbind(admInfo->ldapHndl); admInfo->ldapHndl = NULL; @@ -1876,7 +1875,10 @@ PR_IMPLEMENT(void) admSetCachedSIEPWD(const char *pwd) { - if (cachedSIEPWD) PR_Free(cachedSIEPWD); + if (cachedSIEPWD) { + memset(cachedSIEPWD, '\0', strlen(cachedSIEPWD)); + PR_Free(cachedSIEPWD); + } cachedSIEPWD = PL_strdup(pwd); } Index: psetc.c =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadminutil/psetc.c,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- psetc.c 8 May 2007 19:13:25 -0000 1.5 +++ psetc.c 28 Jan 2009 00:01:10 -0000 1.6 @@ -171,7 +171,10 @@ if (psetp->configFile) PR_Free(psetp->configFile); if (psetp->sieDN) PR_Free(psetp->sieDN); if (psetp->binddn) PR_Free(psetp->binddn); - if (psetp->bindpw) PR_Free(psetp->bindpw); + if (psetp->bindpw) { + memset(psetp->bindpw, 0, strlen(psetp->bindpw)); + PR_Free(psetp->bindpw); + } PR_Free(psetp); } @@ -1362,11 +1365,11 @@ userDN = admldapGetUserDN(ldapInfo, user); if (passwd) { bindPasswd = passwd; - } else { - bindPasswd = admldapGetSIEPWD(ldapInfo); + } else { /* passwd is NULL */ + bindPasswd = admldapGetSIEPWD(ldapInfo); /* duplicated; need to free */ if (!bindPasswd) { + ADM_GetCurrentPassword(errorcode, &bindPasswd); /* should not free */ passwd = bindPasswd; /* setting this not to free bindPasswd */ - ADM_GetCurrentPassword(errorcode, &bindPasswd); } } @@ -1384,7 +1387,13 @@ PR_Free(sieDN); PR_smprintf_free(path); PR_Free(userDN); - if (!passwd) { if (bindPasswd) PR_Free(bindPasswd); } + if (!passwd) { + if (bindPasswd) { + memset(bindPasswd, '\0', strlen(bindPasswd)); + PR_Free(bindPasswd); + bindPasswd = NULL; + } + } destroyAdmldap(ldapInfo); return pset; } @@ -2367,7 +2376,10 @@ if (pset->binddn) PR_Free(pset->binddn); if (userDN) pset->binddn = PL_strdup(userDN); else pset->binddn = NULL; - if (pset->bindpw) PR_Free(pset->bindpw); + if (pset->bindpw) { + memset(pset->bindpw, 0, strlen(pset->bindpw)); + PR_Free(pset->bindpw); + } if (passwd) pset->bindpw = PL_strdup(passwd); else pset->bindpw = NULL; Index: srvutil.c =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadminutil/srvutil.c,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- srvutil.c 3 Dec 2008 18:36:49 -0000 1.6 +++ srvutil.c 28 Jan 2009 00:01:10 -0000 1.7 @@ -82,7 +82,10 @@ if (sie) PR_Free(sie); if (domainDN) PR_Free(domainDN); if (host) PR_Free(host); - if (siepwd) PR_Free(siepwd); + if (siepwd) { + memset(siepwd, '\0', strlen(siepwd)); + PR_Free(siepwd); + } return nl; err: @@ -90,7 +93,10 @@ if (sie) PR_Free(sie); if (domainDN) PR_Free(domainDN); if (host) PR_Free(host); - if (siepwd) PR_Free(siepwd); + if (siepwd) { + memset(siepwd, '\0', strlen(siepwd)); + PR_Free(siepwd); + } return NULL; } @@ -182,7 +188,10 @@ psetDelete(domainPset); PL_strfree(host); PL_strfree(sie); - PL_strfree(siepwd); + if (siepwd) { + memset(siepwd, '\0', strlen(siepwd)); + PL_strfree(siepwd); + } PL_strfree(isie); return resultList; Index: uginfo.c =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadminutil/uginfo.c,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- uginfo.c 8 May 2007 19:13:25 -0000 1.5 +++ uginfo.c 28 Jan 2009 00:01:10 -0000 1.6 @@ -123,7 +123,7 @@ if (s && strcmp(s[0], "")) { char *temp = strrchr(directoryURLVals[0], '/'); /* append failover list to url */ - if (NULL != temp) { + if (NULL != temp) { *temp = '\0'; PR_snprintf(buffer, sizeof(buffer), "%s %s/%s", directoryURLVals[0], s[0], temp + 1); @@ -144,6 +144,9 @@ } if (bindPasswordVals) { *bindPassword = PL_strdup(bindPasswordVals[0]); + if (bindPasswordVals[0]) { + memset(bindPasswordVals[0], '\0', strlen(bindPasswordVals[0])); + } ldap_value_free(bindPasswordVals); } if (directoryInfoRefVals) { @@ -282,7 +285,11 @@ } if (oldDirectoryURL) PR_Free(oldDirectoryURL); if (oldBindDN) PR_Free(oldBindDN); - if (oldBindPassword) PR_Free(oldBindPassword); + if (oldBindPassword) { + memset(oldBindPassword, '\0', strlen(oldBindPassword)); + PR_Free(oldBindPassword); + oldBindPassword = NULL; + } if (oldDirectoryInfoRef) PR_Free(oldDirectoryInfoRef); } @@ -302,7 +309,11 @@ *error_code = UG_LDAP_SYSTEM_ERR; if (oldDirectoryURL) PR_Free(oldDirectoryURL); if (oldBindDN) PR_Free(oldBindDN); - if (oldBindPassword) PR_Free(oldBindPassword); + if (oldBindPassword) { + memset(oldBindPassword, '\0', strlen(oldBindPassword)); + PR_Free(oldBindPassword); + oldBindPassword = NULL; + } if (oldDirectoryInfoRef) PR_Free(oldDirectoryInfoRef); return 0; } @@ -449,6 +460,7 @@ oldBindDN = NULL; } if (oldBindPassword) { + memset(oldBindPassword, '\0', strlen(oldBindPassword)); PR_Free(oldBindPassword); oldBindPassword = NULL; }

15 years, 3 months

1
0
0 / 0

[Fedora-directory-commits] adminutil/lib/libadmsslutil admsslutil.c, 1.10, 1.11 psetcssl.c, 1.4, 1.5 srvutilssl.c, 1.7, 1.8 uginfossl.c, 1.3, 1.4

by Noriko Hosoi

Author: nhosoi Update of /cvs/dirsec/adminutil/lib/libadmsslutil In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv32529/lib/libadmsslutil Modified Files: admsslutil.c psetcssl.c srvutilssl.c uginfossl.c Log Message: Resolves: #191834 Summary: Clean up admin password in memory when it's freed Description: (comment #5) 1) overwrote password string with '\0's. 2) psetCreate (psetc.c), psetCreateSSL (psetcssl.c) Both has the similar code "passwd = bindPasswd; /* not to free bindPasswd */". According to the comment, by setting bindPasswd to passwd, bindPasswd is not supposed to be freed. But the current location does not stop it's being freed since at that point bindPasswd is NULL and NULL is set to passwd. (Probably, the path is not usually taken.) Index: admsslutil.c =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadmsslutil/admsslutil.c,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- admsslutil.c 3 Dec 2008 18:36:50 -0000 1.10 +++ admsslutil.c 28 Jan 2009 00:01:10 -0000 1.11 @@ -96,6 +96,7 @@ char *dn = admldapGetSIEDN(info); ldapError = ldap_simple_bind_s(ld, dn, passwd); PL_strfree(dn); + memset(passwd, '\0', strlen(passwd)); PL_strfree(passwd); } else { /* no password means just punt rather than do anon bind */ Index: psetcssl.c =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadmsslutil/psetcssl.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- psetcssl.c 8 May 2007 19:13:26 -0000 1.4 +++ psetcssl.c 28 Jan 2009 00:01:10 -0000 1.5 @@ -205,11 +205,11 @@ userDN = admldapGetUserDN(ldapInfo, user); if (passwd) { bindPasswd = passwd; - } else { - bindPasswd = admldapGetSIEPWD(ldapInfo); + } else { /* passwd is NULL */ + bindPasswd = admldapGetSIEPWD(ldapInfo); /* duplicated; need to free */ if (!bindPasswd) { + ADM_GetCurrentPassword(errorcode, &bindPasswd); /* should not free */ passwd = bindPasswd; /* not to free bindPasswd */ - ADM_GetCurrentPassword(errorcode, &bindPasswd); } } @@ -228,7 +228,12 @@ PR_Free(ldapHost); PR_Free(sieDN); PR_smprintf_free(path); - if (!passwd) { if (bindPasswd) PR_Free(bindPasswd); } + if (!passwd) { + if (bindPasswd) { + memset(bindPasswd, '\0', strlen(bindPasswd)); + PR_Free(bindPasswd); + } + } return pset; } Index: srvutilssl.c =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadmsslutil/srvutilssl.c,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- srvutilssl.c 3 Dec 2008 18:36:50 -0000 1.7 +++ srvutilssl.c 28 Jan 2009 00:01:10 -0000 1.8 @@ -75,8 +75,11 @@ PR_Free(host); host = NULL; - PR_Free(siepwd); - siepwd = NULL; + if (siepwd) { + memset(siepwd, '\0', strlen(siepwd)); + PR_Free(siepwd); + siepwd = NULL; + } if (!domainPset) goto err; nl = retrieveSIEs(domainPset, domainDN, adminName); @@ -132,8 +135,11 @@ host = NULL; PR_Free(siedn); siedn = NULL; - PR_Free(siepwd); - siepwd = NULL; + if (siepwd) { + memset(siepwd, '\0', strlen(siepwd)); + PR_Free(siepwd); + siepwd = NULL; + } if (!domainPset) goto err; resultList = retrieveISIEs(domainPset, domainDN); psetDelete(domainPset); Index: uginfossl.c =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadmsslutil/uginfossl.c,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- uginfossl.c 4 Apr 2007 19:37:47 -0000 1.3 +++ uginfossl.c 28 Jan 2009 00:01:10 -0000 1.4 @@ -103,7 +103,10 @@ *error_code = ADMUTIL_LDAP_ERR; destroyAdmldap(ldapInfo); PL_strfree(binddn); - PL_strfree(bindpw); + if (bindpw) { + memset(bindpw, 0, strlen(bindpw)); + PL_strfree(bindpw); + } return NULL; } @@ -111,7 +114,11 @@ binddn, bindpw); PL_strfree(binddn); - PL_strfree(bindpw); + if (bindpw) { + memset(bindpw, 0, strlen(bindpw)); + PL_strfree(bindpw); + bindpw = NULL; + } /* authenticate to LDAP server*/ if (ldapError != LDAP_SUCCESS) {

15 years, 3 months

1
0
0 / 0

[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5_agmtlist.c, 1.11, 1.12

by Richard Allen Megginson

Author: rmeggins Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19724/ldapserver/ldap/servers/plugins/replication Modified Files: repl5_agmtlist.c Log Message: Resolves: bug 479253 Bug Description: Configuring Server to Server GSSAPI over SSL - Need better Error Message Reviewed by: nkinder (Thanks!) Fix Description: If the user attempts to set the bind mech to GSSAPI, and a secure transport is being used, the server will return LDAP_UNWILLING_TO_PERFORM and provide a useful error message. Same if GSSAPI is being used and the user attempts to use a secure transport. Platforms tested: RHEL5 Flag Day: no Doc impact: no Index: repl5_agmtlist.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_agmtlist.c,v retrieving revision 1.11 retrieving revision 1.12 diff -u -r1.11 -r1.12 --- repl5_agmtlist.c 10 Nov 2006 23:45:17 -0000 1.11 +++ repl5_agmtlist.c 27 Jan 2009 22:37:18 -0000 1.12 @@ -48,6 +48,7 @@ */ #include "repl5.h" +#include <plstr.h> #define AGMT_CONFIG_BASE "cn=mapping tree, cn=config" #define CONFIG_FILTER "(objectclass=nsds5replicationagreement)" @@ -373,8 +374,22 @@ else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5TransportInfo)) { + /* do not allow GSSAPI if using TLS/SSL */ + char *tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5TransportInfo); + /* if some value was set, and the value was not set to LDAP (i.e. was set to use security), + and we're already using gssapi, deny the change */ + if (tmpstr && PL_strcasecmp(tmpstr, "LDAP") && (BINDMETHOD_SASL_GSSAPI == agmt_get_bindmethod(agmt))) + { + /* Report the error to the client */ + PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if using SSL or TLS - please change %s to a value other than SASL/GSSAPI before changing %s to use security", type_nsds5ReplicaBindMethod, type_nsds5TransportInfo); + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback: " + "%s", errortext); + + *returncode = LDAP_UNWILLING_TO_PERFORM; + rc = SLAPI_DSE_CALLBACK_ERROR; + } /* New Transport info */ - if (agmt_set_transportinfo_from_entry(agmt, e) != 0) + else if (agmt_set_transportinfo_from_entry(agmt, e) != 0) { slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: " "failed to update transport info for agreement %s\n", @@ -386,8 +401,19 @@ else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaBindMethod)) { - /* New replica bind method */ - if (agmt_set_bind_method_from_entry(agmt, e) != 0) + /* do not allow GSSAPI if using TLS/SSL */ + char *tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaBindMethod); + if (tmpstr && !PL_strcasecmp(tmpstr, "SASL/GSSAPI") && agmt_get_transport_flags(agmt)) + { + /* Report the error to the client */ + PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if using SSL or TLS - please change %s to LDAP before changing %s to use SASL/GSSAPI", type_nsds5TransportInfo, type_nsds5ReplicaBindMethod); + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback: " + "%s", errortext); + + *returncode = LDAP_UNWILLING_TO_PERFORM; + rc = SLAPI_DSE_CALLBACK_ERROR; + } + else if (agmt_set_bind_method_from_entry(agmt, e) != 0) { slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: " "failed to update bind method for agreement %s\n", @@ -395,6 +421,7 @@ *returncode = LDAP_OPERATIONS_ERROR; rc = SLAPI_DSE_CALLBACK_ERROR; } + slapi_ch_free_string(&tmpstr); } else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicatedAttributeList))

15 years, 3 months

1
0
0 / 0

[Fedora-directory-commits] ldapserver/ldap/servers/plugins/chainingdb cb_instance.c, 1.13, 1.14

by Richard Allen Megginson

Author: rmeggins Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19724/ldapserver/ldap/servers/plugins/chainingdb Modified Files: cb_instance.c Log Message: Resolves: bug 479253 Bug Description: Configuring Server to Server GSSAPI over SSL - Need better Error Message Reviewed by: nkinder (Thanks!) Fix Description: If the user attempts to set the bind mech to GSSAPI, and a secure transport is being used, the server will return LDAP_UNWILLING_TO_PERFORM and provide a useful error message. Same if GSSAPI is being used and the user attempts to use a secure transport. Platforms tested: RHEL5 Flag Day: no Doc impact: no Index: cb_instance.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb/cb_instance.c,v retrieving revision 1.13 retrieving revision 1.14 diff -u -r1.13 -r1.14 --- cb_instance.c 2 Dec 2008 15:29:30 -0000 1.13 +++ cb_instance.c 27 Jan 2009 22:37:17 -0000 1.14 @@ -722,7 +722,18 @@ return(LDAP_INVALID_SYNTAX); } - if (apply) { + if (ludp && (ludp->lud_options & LDAP_URL_OPT_SECURE) && inst && inst->rwl_config_lock) { + int isgss = 0; + PR_RWLock_Rlock(inst->rwl_config_lock); + isgss = inst->pool->mech && !PL_strcasecmp(inst->pool->mech, "GSSAPI"); + PR_RWLock_Unlock(inst->rwl_config_lock); + if (isgss) { + PR_snprintf (errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use LDAPS if using GSSAPI - please change the %s to use something other than GSSAPI before changing connection to use LDAPS", CB_CONFIG_BINDMECH); + rc = LDAP_UNWILLING_TO_PERFORM; + } + } + + if ((LDAP_SUCCESS == rc) && apply) { PR_RWLock_Wlock(inst->rwl_config_lock); @@ -1346,7 +1357,18 @@ cb_backend_instance * inst=(cb_backend_instance *) arg; int rc = LDAP_SUCCESS; - if (apply) { + if (value && inst && inst->rwl_config_lock) { + int isgss = 0; + PR_RWLock_Rlock(inst->rwl_config_lock); + isgss = inst->pool->mech && !PL_strcasecmp(inst->pool->mech, "GSSAPI"); + PR_RWLock_Unlock(inst->rwl_config_lock); + if (isgss) { + PR_snprintf (errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use startTLS if using GSSAPI - please change the %s to use something other than GSSAPI before changing connection to use startTLS", CB_CONFIG_BINDMECH); + rc = LDAP_UNWILLING_TO_PERFORM; + } + } + + if ((LDAP_SUCCESS == rc) && apply) { PR_RWLock_Wlock(inst->rwl_config_lock); inst->pool->starttls=(int) ((uintptr_t)value); PR_RWLock_Unlock(inst->rwl_config_lock); @@ -1374,7 +1396,18 @@ cb_backend_instance * inst=(cb_backend_instance *) arg; int rc=LDAP_SUCCESS; - if (apply) { + if (value && !PL_strcasecmp((char *) value, "GSSAPI") && inst && inst->rwl_config_lock) { + int secure = 0; + PR_RWLock_Rlock(inst->rwl_config_lock); + secure = inst->pool->secure || inst->pool->starttls; + PR_RWLock_Unlock(inst->rwl_config_lock); + if (secure) { + PR_snprintf (errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if using SSL or TLS - please change the connection to use no security before changing %s to use GSSAPI", CB_CONFIG_BINDMECH); + rc = LDAP_UNWILLING_TO_PERFORM; + } + } + + if ((LDAP_SUCCESS == rc) && apply) { PR_RWLock_Wlock(inst->rwl_config_lock); if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) && ( phase != CB_CONFIG_PHASE_STARTUP )) {

15 years, 3 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-commits January 2009