ldap/servers
by Richard Allen Megginson
ldap/servers/slapd/ldaputil.c | 63 +++++++++++++++++++++++++++++++++++-------
1 file changed, 53 insertions(+), 10 deletions(-)
New commits:
commit 53c948cbcd7d9e94ae1bc77eb625a337b470e368
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Thu Dec 16 08:28:26 2010 -0700
Bug 642046 - Segfault when using SASL/GSSAPI multimaster replication, possible krb5_creds doublefree
https://bugzilla.redhat.com/show_bug.cgi?id=642046
Resolves: bug 642046
Bug Description: Segfault when using SASL/GSSAPI multimaster replication, possible krb5_creds doublefree
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: Added a mutex around all of the krb5 code. We are using
static variables to cache the credentials from the keytab. Even though
krb5 uses locks internally to protect the memory cache, it is possible the
crash is caused by a race condition. The mutex should prevent the race
condition.
Also added a hack for testing to allow setting the principal -
nsds5replicabinddn now must be in DN format so cannot use it for krb
principal name - we really should add configuration parameters for the
principal name and the keytab name. On machines with broken DNS/reverse
DNS, testing Kerberos is quite hard without this.
Instead of passing NULL to krb5_sname_to_principal() for the hostname, use
the hostname from config_get_localhost() - this is consistent with what
SASL does to initialize the SASL context.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index 3d65efc..7103fc7 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -1620,6 +1620,23 @@ cleanup:
return myrc;
}
+static PRCallOnceType krb5_callOnce = {0,0};
+static PRLock *krb5_lock = NULL;
+
+static PRStatus
+internal_krb5_init(void)
+{
+ PR_ASSERT(NULL == krb5_lock);
+ if ((krb5_lock = PR_NewLock()) == NULL) {
+ PRErrorCode errorCode = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, NULL, "internal_krb5_init PR_NewLock failed %d:%s\n",
+ errorCode, slapd_pr_strerror(errorCode));
+ return PR_FAILURE;
+ }
+
+ return PR_SUCCESS;
+}
+
/*
* This implementation assumes that we want to use the
* keytab from the default keytab env. var KRB5_KTNAME
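Review bot: The new file-scope `krb5_callOnce` and `krb5_lock` are added with no comment saying what the lock guards or that it is intentionally created once and never destroyed, so a reader of this hunk cannot tell which state it serializes. Suggest a comment above the two declarations along the lines of `/* Guards the static krb5 credential state used by set_krb5_creds(); created once via PR_CallOnce and never destroyed. */`, and a one-line header on `internal_krb5_init` stating that it only creates the lock and reports failure through PR_FAILURE.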
@@ -1658,14 +1675,23 @@ set_krb5_creds(
appear to be used
currently */
- /* probably have to put a mutex around this whole thing, to avoid
- problems with reentrancy, since we are setting a "global"
- variable via an environment variable */
-
/* wipe this out so we can safely free it later if we
short circuit */
memset(&creds, 0, sizeof(creds));
+ /*
+ * we are using static variables and sharing an in-memory credentials cache
+ * so we put a lock around all kerberos interactions
+ */
+ if (PR_SUCCESS != PR_CallOnce(&krb5_callOnce, internal_krb5_init)) {
+ slapi_log_error(SLAPI_LOG_FATAL, logname,
+ "Could not perform internal krb5 init\n");
+ rc = -1;
+ goto cleanup;
+ }
+
+ PR_Lock(krb5_lock);
+
/* initialize the kerberos context */
if ((rc = krb5_init_context(&ctx))) {
slapi_log_error(SLAPI_LOG_FATAL, logname,
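Review bot: The `goto cleanup` on the `PR_CallOnce` failure path runs before `PR_Lock(krb5_lock)` is taken, yet the cleanup label in the last hunk unconditionally calls `PR_Unlock(krb5_lock)`; on that path the lock is NULL (PR_NewLock failed) or at best not held, so the error handling itself faults or corrupts the lock instead of bailing out cleanly. Any pre-existing `goto cleanup` between the function entry and the new `PR_Lock` would have the same problem — that part of set_krb5_creds is outside this hunk. If nothing acquired before this point needs freeing, replace `rc = -1; goto cleanup;` with a plain `return;`; otherwise track whether the lock was taken (e.g. a `PRBool locked` local set after `PR_Lock`) and unlock in cleanup only when it was. set_krb5_creds begins before this hunk and its cleanup label is in the last hunk.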
@@ -1765,16 +1791,31 @@ set_krb5_creds(
goto cleanup;
}
- /* if still no principal, construct one */
- if (!princ &&
- (rc = krb5_sname_to_principal(ctx, NULL, "ldap",
- KRB5_NT_SRV_HST, &princ))) {
+ if (getenv("HACK_PRINCIPAL_NAME") &&
+ (rc = krb5_parse_name(ctx, getenv("HACK_PRINCIPAL_NAME"), &princ))) {
slapi_log_error(SLAPI_LOG_FATAL, logname,
- "Error: could not construct ldap service "
- "principal: %d (%s)\n", rc, error_message(rc));
+ "Error: could not convert [%s] into a kerberos "
+ "principal: %d (%s)\n", getenv("HACK_PRINCIPAL_NAME"),
+ rc, error_message(rc));
goto cleanup;
}
+ /* if still no principal, construct one */
+ if (!princ) {
+ char *hostname = config_get_localhost();
+ if ((rc = krb5_sname_to_principal(ctx, hostname, "ldap",
+ KRB5_NT_SRV_HST, &princ))) {
+ slapi_log_error(SLAPI_LOG_FATAL, logname,
+ "Error: could not construct ldap service "
+ "principal from hostname [%s]: %d (%s)\n",
+ hostname ? hostname : "NULL", rc, error_message(rc));
+ }
+ slapi_ch_free_string(&hostname);
+ if (rc) {
+ goto cleanup;
+ }
+ }
+
if ((rc = krb5_unparse_name(ctx, princ, &princ_name))) {
slapi_log_error(SLAPI_LOG_FATAL, logname,
"Unable to get name of principal: "
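Review bot: The `HACK_PRINCIPAL_NAME` branch drops the `!princ &&` guard that the replaced `krb5_sname_to_principal` condition had, so if `princ` was already set by the earlier (out-of-hunk) lookup it is overwritten by `krb5_parse_name` and the previous principal structure leaks; the surviving comment "if still no principal" suggests that earlier assignment is possible. Beyond the leak, an environment variable that silently changes which service principal the server authenticates as is an operational override rather than only a test hook, so the override should at least be visible in the log, e.g. `slapi_log_error(SLAPI_LOG_FATAL, logname, "Using principal [%s] from HACK_PRINCIPAL_NAME\n", hack_princ);` before the parse. Read the variable once into a local (`const char *hack_princ = getenv("HACK_PRINCIPAL_NAME");`) instead of calling `getenv` three times. set_krb5_creds begins and ends outside this hunk.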
@@ -1944,6 +1985,8 @@ cleanup:
if (ctx) { /* cannot pass NULL to free context */
krb5_free_context(ctx);
}
+ PR_Unlock(krb5_lock);
+
return;
}
Changes to 'refs/tags/389-ds-base-1.2.7.5'
by Richard Allen Megginson
Changes since 389-ds-base-1.2.6.a1:
Endi S. Dewata (168):
Bug 545620 - Password cannot start with minus sign
Bug 538525 - Ability to create instance as non-root user
Bug 570542 - Root password cannot contain matching curly braces
Bug 470684 - Pam_passthru plugin doesn't verify account activation
Bug 573375 - MODRDN operation not logged
Bug 520151 - Error when modifying userPassword with proxy user
Bug 455489 - Address compiler warnings about strict-aliasing rules
Bug 566320 - RFE: add exception to removal of attributes in cn=config for aci
Bug 566043 - startpid file is only cleaned by initscript runs
Bug 584109 - Slapd crashes while parsing DNA configuration
Bug 542570 - Directory Server port number is not validated in the beginning.
Bug 145181 - Plugin target/bind subtrees only take 1 value.
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 619122 - fix coverify Defect Type: Resource leaks issues CID 11975 - 12053
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverify Defect Type: Resource leaks issues CID 12094 - 12136
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 628096 - spurious error message from /sbin/service when doing a stop on no instances
Bug 573889 - Migration does not remove deprecated schema
Bug 606545 - core schema should include numSubordinates
Bug 643979 - Strange byte sequence for attribute with no values (nsslapd-referral)
Endi Sukma Dewata (16):
Bug 630092 - Coverity #12117: Resource leaks issues
Bug 630092 - Coverity #15478: Resource leaks issues
Bug 630092 - Coverity #15479: Resource leaks issues
Bug 630092 - Coverity #15481: Resource leaks issues
Bug 630092 - Coverity #15482: Resource leaks issues
Bug 630092 - Coverity #15483: Resource leaks issues
Bug 630092 - Coverity #15484: Resource leaks issues
Bug 630092 - Coverity #15485: Resource leaks issues
Bug 630092 - Coverity #15487: Resource leaks issues
Bug 630092 - Coverity #15490: Resource leaks issues
Bug 630092 - Coverity #15497: Resource leaks issues
Bug 630092 - Coverity #11991: Resource leaks issues
Bug 630092 - Coverity #12000: Resource leaks issues
Bug 630092 - Coverity #12003: Resource leaks issues
Bug 630092 - Coverity #11985: Resource leaks issues
Bug 630092 - Coverity #11992,11993: Resource leaks issues
Nathan Kinder (107):
Bug 549554 - Trim single-valued attributes before sending to AD
Improve search for pcre header file
Bug 434735 - Allow SASL ANONYMOUS mech to work
Bug 570912 - Avoid selinux context conflict with httpd
Allow instance name to be parsed from start-slapd
Add managed entries plug-in
Bug 572355 - Label instance files and ports during upgrade.
Bug 578863 - Password modify extop needs to send referrals on replicas
Bug 584156 - Remove ldapi socket file during upgrade
Fix rsearch usage of name files for random filters
Bug 584497 - Allow DNA plugin to set same value on multiple attributes
Add replication session hooks
Correct function prototype for repl session hook
Bug 592389 - Set anonymous resource limits properly
Bug 601433 - Add man pages for start-dirsrv and related commands
Bug 604263 - Fix memory leak when password change is rejected
Bug 612242 - membership change on DS does not show on AD
Bug 613833 - Allow dirsrv_t to bind to rpc ports
Bug 594745 - Get rid of dirsrv_lib_t label
Bug 620927 - Allow multiple membership attributes in memberof plugin
Bug 612264 - ACI issue with (targetattr='userPassword')
Bug 630098 - fix coverity Defect Type: Code maintainability issues
Bug 630098 - fix coverity Defect Type: Code maintainability issues
Bug 630093 - (cov#15511) Don't use unintialized search_results in refint plugin
Bug 630093 - (cov#15518) Need to intialize fd in ldbm2ldif code
Bug 630096 - (cov#11778) check return value of ldap_parse_result
Bug 630096 - (cov#15446) check return value of ber_scanf()
Bug 630096 - (cov#15449,15450) Check return value of stat()
Bug 630096 - (cov#15448) Check return value of cache_replace()
Bug 630096 - (cov#15447) - Check return value of idl_append_extend()
Bug 630090 - (cov#11974) Remove unused ACL functions
Bug 630090 - (cov#15445) Fix illegal free in archive code
Bug 630094 - (cov#11818) Fix unreachable return in snmp subagent
Bug 630094 - (cov#15451) Get rid of unreachable free statements
Bug 630094 - (cov#15452) Remove NULL checking for op_string
Bug 630094 - (cov#15453) Eliminate NULL check for local_newentry
Bug 630094 - (cov#15454) Fix deadcode issue in mapping tree code
Bug 630094 - (cov#15455) Remove deadcode in attr_index_config()
Bug 630094 - (cov#15456) Remove NULL check for srdn in import code
Bug 630094 - (cov#15457) Remove deadcode in import code
Bug 630094 - (cov#15458) Fix deadcode issue in moddn code
Bug 630094 - (cov#15459) Remove NULL check for srdn in ldif2ldbm code
Bug 630094 - (cov#15520) Fix unreachable code issue if perfctrs code
Bug 630094 - (cov#15581) Add missing breaks in agt_mopen_stats()
Bug 690090 - (cov#11974) Remove additional unused ACL functions
Bug 630091 - (cov#15512) Fix usage of uninitialized bervals
Bug 630091 - (cov#15513) Fix usage of uninitialized bervals
Bug 630091 - (cov#15514) Initialize DBT in entryrdn_get_parent()
Bug 630091 - (cov#15515) Use of uninitialized array in index config code
Bug 630091 - (cov#15516,15517) Initialize pointers before attempting to free
Bug 630091 - (cov#15519) Initialize bervals in search_easter_egg()
Bug 630091 - (cov#15582) Free of uninitialized pointer in attr_index_config()
Bug 630097 - (cov#11933) Fix NULL dereference in schema code
Bug 630097 - (cov#11938) NULL dereference in mmldif
Bug 630097 - (cov#11946) NULL dereference in ResHashCreate()
Bug 630097 - (cov#11964) Remove dead code from libaccess
Bug 630097 - (cov#12143) NULL dereference in cos cache code
Bug 630097 - (cov#12148) NULL dereference in ruvInit()
Bug 630097 - (cov#12182,12183) NULL dereference in import code
Bug 630097 - (cov#15460) NULL deference in ACL URL code
Bug 630097 - (cov#15461) Remove unnecessary NULL check in DNA
Bug 630097 - (cov#15462) NULL dereference in mep_modrdn_post_op()
Bug 630097 - (cov#15463) Remove NULL check in referint plugin
Bug 630097 - (cov#15464) NULL dereference in repl code
Bug 630097 - (cov#15465) Null dereference in USN code
Bug 630097 - (cov#15473) NULL dereference in ResHashCreate()
Bug 630097 - (cov#15505) NULL dereference in memberOf code
Bug 630097 - (cov#15506) NULL dereference in dblayer code
Bug 630097 - (cov#15507,15508) NULL dereference in entryrdn code
Bug 630097 - (cov#15509) NULL dereference in idsktune
Bug 630097 - (cov#11938) NULL dereference in mmldif
Bug 630097 - (cov#15477) NULL dereference in ACL plug-in code
Bug 630091 - (cov#12209) Use of uninitialized pointer in libaccess
Bug 630092 - (cov#12116) Resource leak in ldclt code
Bug 630092 - (cov#12105) Resource leak in pwdscheme config code
Bug 630092 - (cov#12068) Resource leak in certmap code
Bug 630091 - (cov#11973) Array overrun in libaccess
Bug 522055 - Scope check for managed attribute fails
Bug 625335 - Self-write aci has permission to invalid attribute
Bug 631993 - Log authzid when proxy auth control is used
Cov #16300 - Unused variable in account policy plugin
Bug 544321 - remove-ds.pl should not throw error unlabelling port
Bug 555955 - Allow CoS values to be merged
Bug 643937 - Initialize replication version flags
Bug 305131 - Allow empty modify operation
Bug 619633 - Make attribute uniqueness obey requiredObjectClass
Bug 619623 - attr-unique-plugin ignores requiredObjectClass on modrdn operations
Bug 189985 - Improve attribute uniqueness error message
Bug 647932 - multiple memberOf configuration adding memberOf where there is no member
Bug 521088 - DNA should check ACLs before getting a value from the range
Bug 635009 - Add one-way AD sync capability
Bump VERSION.sh to 1.2.8.a1
Bug 648949 - Move selinux policy into base OS
Bug 648949 - Update configure
Roll back VERSION.sh for 1.2.7 release
Bug 625950 - hash nsslapd-rootpw changes in audit log
Bug 656392 - Remove calls to ber_err_print()
Bug 656515 - Allow Name and Optional UID syntax for grouping attributes
Bug 197886 - Avoid overflow of UUID generator
Bug 658312 - Allow mapped attribute types to be quoted
Bug 197886 - Initialize return value for UUID generation code
Bug 658309 - Process escaped characters in managed entry mappings
Bug 659456 - Incorrect usage of ber_printf() in winsync code
Bug 641944 - Don't normalize non-DN RDN values
Bug 658312 - Invalid free in Managed Entry plug-in
Bug 661792 - Valid managed entry config rejected
Bug 663597 - Memory leaks in normalization code
Noriko Hosoi (182):
544089 - Referential Integrity Plugin does not take into account the attribute
557224 - subtree rename breaks the referential integrity plug-in
247413 - Incorrect error on multiple identical value add
559016 - Attempting to rename suffix returns inappropriate errors
555577 - Syntax validation fails for "ou=NetscapeRoot" tree
Undo - 555577 - Syntax validation fails for "ou=NetscapeRoot" tree
560827 - Admin Server templates: DistinguishName validation fails
548535 - memory leak in attrcrypt
563365 - Error handling problems in the backend functions
565664 - Incorrect parameter for CACHE_RETURN()
565987 - redhat-ds-base fails to build due to undefined struct
527848 - make sure db upgrade to 4.7 and later works correctly
539618 - Replication bulk import reports Invalid read/write
567370 - dncache: assertion failure in id2entry_delete
548115 - memory leak in schema reload
555970 - missing read lock in the combination of cos and nsview
539618 - Replication bulk import reports Invalid read/write
570667 - MMR: simultaneous total updates on the masters cause
Merge branch '547503'
Revert "Merge branch '547503'"
Bug 554573 - ACIs use bind DN from bind req rather than cert mapped DN from sasl/external
199923 - subtree search fails to find items under a db
570107 - The import of LDIFs with base-64 encoded DNs fails,
572649 - DS8.2 crashes on RHEL 4 (corresponding to bob, ber_2 test case)
573060 - DN normalizer: ESC HEX HEX is not normalized (
573896 - initializing subtree with invalid syntax crashes ns-slapd
515805 - Stop "initialize Database" crashes the server
548533 - memory leak in Repl_5_Inc_Protocol_new
Fixing a syntax error
Update to New DN Format
585905 - ACL with targattrfilters error crashes the server
574167 - An escaped space at the end of the RDN value is not
590931 - rhds81 import - hardcoded pages_limit for nsslapd-import-cache-autosize
591336 - Implementing upgrade DN format tool
593453 - Creating password policy with ns-newpolicy.pl on Replicated
593110 - backup-restore does not ALWAYS work
593899 - adding specific ACI causes very large mem allocate request
588867 - entryusn plugin fails on solaris
593899 - adding specific ACI causes very large mem allocate request
595893 - Base DN in SASL mapping is not normalized
511112 - Password history limited to 25 values
597375 - Deleting LDBM database causes backup/restore problem
574101 - MODRDN request never returns - possible deadlock
606920 - anonymous resource limit - nstimelimit -
605827 - In-place upgrade: upgrade dn format should not run in setup-ds-admin.pl
578296 - Attribute type entrydn needs to be added when subtree
609256 - Selinux: pwdhash fails if called via Admin Server CGI
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
609255 - fix coverity Defect Type: Memory - illegal accesses issues
616618 - 389 v1.2.5 accepts 2 identical entries with different DN formats
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
610281 - fix coverity Defect Type: Control flow issues
616608 - SIGBUS in RDN index reads on platforms with strict alignments
619595 - Upgrading sub suffix under non-normalized suffix disappears
513166 - Simple Paged result doesn't provide the server's estimate
621928 - Unable to enable replica (rdn problem?) on 1.2.6 rc6
Bug 194531 - db2bak is too noisy
Bug 622628 - fix coverity Defect Type: Integer handling issues
Bug 622628 - fix coverity Defect Type: Integer handling issues
Bug 622628 - fix coverity Defect Type: Integer handling issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 622903 - fix coverity Defect Type: Code maintainability issues
Bug 623118 - Simplepaged results going in infinite loop
Bug 614511 - fix coverity Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 619122 - fix coverity Defect Type: Resource leaks issues CID 11975 - 12051
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 617630 - fix coverity Defect Type: Resource leaks issues CID 12052 - 12093
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 616500 - fix coverity Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverity Defect Type: Resource leaks issues CID 12094 - 12136
Bug 616500 - fix coverity Defect Type: Resource leaks issues CID 12094 - 12136
Bug 614511 - fix coverify Defect Type: Null pointer dereferences issues 11846 - 11891
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892 - 11939
Bug 613056 - fix coverify Defect Type: Null pointer dereferences issues 11892
Bug 616500 - fix coverity Defect Type: Resource leaks issues
Bug 623507 - fix coverity Defect Type: Incorrect expression issues
Bug 623507 - fix coverity Defect Type: Incorrect expression issues
Bug 613056 - fix coverify Defect Type: Null pointer dereferences
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 610119 - fix coverify Defect Type: Null pointer dereferences issues 12167 - 12199
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Bug 611790 - fix coverify Defect Type: Null pointer dereferences issues 11940 - 12166
Removed redundant code in agmt_new_from_entry
Bug 617630 - fix coverify Defect Type: Resource leaks issues CID 12052 - 12093
Bug 628300 - DN is not normalized in dn/entry cache when an entry is added, entrydn is not present in search results
Bug 531642 - EntryUSN: RFE: a configuration option to make entryusn "global"
Bug 627738 - The cn=monitor statistics entries for the dnentry cache do not change or change very rarely
DN normalizer should check the invalid type
Bug 627738 - The cn=monitor statistics entries for the dnentry cache
Bug 629710 - escape_string does not check '\<HEX><HEX>'
agmtlist_shutdown (repl5_agmtlist.c) had an illegal access defect.
Bug 633168 - Share backend dbEnv with the replication changelog
Bug 633168 - Share backend dbEnv with the replication changelog
Bug 631862 - crash - delete entries not in cache + referint
Bug 625014 - SubTree Renames: ModRDN operation fails and the server hangs if the entry is moved to "under" the same DN.
Bug 558099 - Enhancement request: Log more information about the search result being a paged one
Bug 635987 - Incorrect sub scope search result with
Bug 606920 - anonymous resource limit- nstimelimit -
Bug 635987 - Incorrect sub scope search result with ACL containing ldap:///self
Bug 639289 - Adding a new CN entry with UpperCase UTF-8 Character
Bug 640027 - Naming attribute with a special char sequence parsing bug
Bug 640854 - changelog db: _cl5WriteOperation: failed to
Bug 637852 - sasl_io_start_packet: failed - read only 3 bytes
Bug 586966 - Sample update script has syntax errors
Bug 586973 - Sample update ldif points to non-existent directory
Bug 602456 - Allow to add any cn=config attributes;
Bug 244229 - targetattr not verified against schema when setting an aci
Bug 643532 - Incorrect DNs sometimes returned on searches
Bug 592397 - Upgrade tool dn2rdn: it does not clean up
Bug 645061 - Upgrade: 06inetorgperson.ldif and 05rfc4524.ldif
Bug 629681 - Retro Changelog trimming does not behave as expected
Bug 644608 - RHDS 8.1->8.2 upgrade fails to properly migrate ACIs
Bug 644608 - RHDS 8.1->8.2 upgrade fails to properly migrate ACIs
Bug 644608 - RHDS 8.1->8.2 upgrade fails to properly migrate ACIs
Bug 638773 - permissions too loose on pid and lock files
Bug 491733 - dbtest crashes
Bug 329751 - "nested" filtered roles searches candidates more
Bug 567282 - server can not abandon searchRequest of "simple paged results"
Bug 572018 - Upgrading from 1.2.5 to 1.2.6.a2 deletes userRoot
Bug 651571 - When attrcrypt is on, entrydn is stored in the backend db
Rich Megginson (130):
Net::LDAP password modify extop breaks; msgid in response is 0xFF
Clean up assert for entrydn
Bug 543080 - Bitwise plugin fails to return the exact matched entries for Bitwise search filter
Bug 537466 - nsslapd-distribution-plugin should not require plugin name to begin with "lib"
bump version to 1.2.6.a2
Do not use syntax plugins directly for filters, indexing
wrap new style matching rule plugins for use in old style indexing code
change extensible filter code to use new syntax function style mr funcs
change syntax plugins to register required matching rule plugins
crash looking up compat syntax; numeric string syntax using integer; make octet string ordering work correctly
fix memory leak in attr replace when replacement fails
fix dso linking issues found by fedora 13 linking
problems linking with -z defs
389 DS segfaults on libsyntax-plugin.so - part 1
389 DS segfaults on libsyntax-plugin.so - part 2
389 DS segfaults on libsyntax-plugin.so - part 3
Bug 460162 - FedoraDS "with-FHS" installs init.d StartupScript in wrong location on non-RHEL/Fedora OS
Bug 568196 - Install DS8.2 on Solaris fails
Bug 568196 - Install DS8.2 on Solaris fails - part 2
Bug 551198 - LDAPI: incorrect logging to access log
bump version to 1.2.6.a3
fix various memory leaks
Bug 551198 - LDAPI: incorrect logging to access log - part 2
Bug 554573 - ACIs use bind DN from bind req rather than cert mapped DN from sasl/external
cleanup build warnings
Bug 571514 - upgrade to 1.2.6 should upgrade 05rfc4523.ldif (cert schema)
Bug 570905 - postalAddress syntax should allow empty lines (should allow $$)
Add support for additional schema/matching rules included with 389
Bug 572677 - Memory leak in searches including GER control
Bug 571677 - Busy replica on consumers when directly deleting a replication conflict
Bug 576074 - search filters with parentheses fail
Bug 567429 - slapd didn't close connection and get into CLOSE_WAIT state
Bug 578167 - repl. of mod/replace deletes multi-valued attrs
Bug 561575 - setup-ds-admin fails to supply nsds5ReplicaName when configuring via ConfigFile
Bug 572162 - the string "|*" within a search filter on a non-indexed attribute returns all elements.
Bug 576644 - segfault while multimaster replication (paired node won't find deleted entries)
start of 1.2.6.a4
Bug 572018 - Upgrading from 1.2.5 to 1.2.6.a2 deletes userRoot
Fix too few args for format warning in acllas
Bug 586571 - DS Console shows escaped DNs
Bug 591685 - Server instances Fail to Start on Solaris due to Library Path and pcre
bump console version to 1.2.3
Repl Session API needs to check for NULL api before init
Bug 593392 - setup-ds-admin.pl -k creates world readable file
Bug 595874 - 99user.ldif getting overpopulated
bump version to 1.2.6.a5
bump version to 1.2.6.rc1
bump version to 1.2.6.rc2
bump version to 1.2.6.rc3
Bug 604453 - SASL Stress and Server crash: Program quits with the assertion failure in PR_Poll
Bug 604453 - SASL Stress and Server crash: Program quits with the assertion failure in PR_Poll
Bug 603942 - null deref in _ger_parse_control() for subjectdn
bump version to 1.2.6.rc4
Bug 609590 - fix coverity Defect Type: Memory - corruptions issues
Bug 609590 - fix coverity Defect Type: Memory - corruptions issues
Bug 609590 - fix coverity Defect Type: Memory - corruptions issues
Bug 609590 - fix coverity Defect Type: Memory - corruptions issues
Bug 609590 - fix coverity Defect Type: Memory - corruptions issues
Bug 609590 - fix coverity Defect Type: Memory - corruptions issues
Bug 609590 - fix coverity Defect Type: Memory - corruptions issues
Bug 609590 - fix coverity Defect Type: Memory - corruptions issues
Bug 609590 - fix coverity Defect Type: Memory - corruptions issues
Bug 602530 - coverity: op_shared_modify: compare pre, post and original entries before freeing them
Bug 602531 - coverity: op_shared_delete: compare preop entry and GLUE_PARENT_ENTRY before freeing them
Bug 609590 - fix coverity Defect Type: Memory - corruptions issues
Bug 610177 - fix coverity Defect Type: Uninitialized variables issues
Bug 610276 - fix coverity Defect Type: API usage errors issues
Bug 611850 - fix coverity Defect Type: Error handling issues
Bug 614242 - C99/ANSI C++ related compile errors on HP-UX
Bug 547503 - replication broken again, with 389 MMR replication and TCP errors
Bug 617013 - repl-monitor.pl use cpu upto 90%
fix build failures due to libtool problems
Bug 617629 - Missing aliases in new schema files
Bug 617862 - Replication: Unable to delete tombstone errors
bump version to 1.2.7.a1
Bug 610281 - fix coverity Defect Type: Control flow issues - daemon.c:write_function()
Bug 610281 - fix coverity Defect Type: Control flow issues - last repl init status
postalAddress syntax does not accept empty values
ger should support both "dn" and "distinguishedName"
openldap - ldap_url_parse_ext is not part of the public api
fix memleak in ldbm_config_read_instance_entries
Add -x option to ldap tools when using openldap
openldap - add support for missing controls, add ldif api, fix NSS usage
port client tools to use openldap API
use the mozldap versions of the proxy auth control create function
document slapi wrappers for openldap/mozldap functions that differ
fix some compiler warnings
use strcasecmp with ptype and type->bv_val
ber_printf 'o' cannot handle NULL bv_val
fix the url_parse logic when looking for a missing suffix DN
openldap ldapsearch uses -LLL to suppress # version: N
add ldaptool_opts for the non BUNDLE case in Makefile.am
openldap ldapsearch returns empty line at end of LDIF output
have to use LDAP_OPT_X_TLS_NEVER to defeat cert hostname checking
openldap_read_function needs to set EWOULDBLOCK if the buffer is empty
do not terminate unwrapped LDIF line with another newline
slapi_ldap_url_parse must handle multiple host:port in url
convert mozldap host list to openldap uri list
move the out pointer back if continuation lines were removed
check src < *out only; only check for \nspace if src < *out - 2
use slapi_ldap_url_parse in the acl code
do not un-null-terminate normalized DN until new url is constructed
implement slapi_ldap_explode_dn and slapi_ldap_explode_rdn
use slapi_pblock_set to set the ldap result code for the be postop plugins
pass the string copy to slapi_dn_normalize_original
bug 614511 - fix coverity null reference - revert macro aci $dn logic
fix compiler warnings - unused vars/funcs, invalid casts
use slapi_mods_init_passin/get_ldapmods_passout if modifying the smods
Have to explicitly set protocol version to 3
Only check modrdn ops for backend/suffix correctness if not the default backend
Bug 634561 - Server crushes when using Windows Sync Agreement
openldap ber_init will assert if the bv->bv_val is NULL
add the account policy plugin and related server code, schema, and config
fix pblock memory leak
do not register pre/post op plugins if disabled
add support for global inactivity limit
fix typos in Makefile.am, acctpolicy schema
bump version to 1.2.7.a2
remove extra format argument; use %lu for size_t printf format
Bug 644013 - uniqueness plugin segfault bug
bump version to 1.2.7.a3
bump to 1.2.7.a4
bump version to 1.2.7.a5
put replication config entries in separate file
bump version to 1.2.7.a6
bump version to 1.2.7.1
bump version to 1.2.7.2
bump version to 1.2.7.3
bump version to 1.2.7.4
bump version to 1.2.7.5
root (1):
Bug 480787 - Autoconf parameter --with and --without
---
.gitignore | 1
Makefile.am | 120
Makefile.in | 4833 -
VERSION.sh | 7
aclocal.m4 | 6884 --
compile | 21
config.guess | 302
config.h.in | 15
config.sub | 232
configure |31776 ++++--------
configure.ac | 59
depcomp | 172
include/base/dbtbase.h | 2
include/base/lexer.h | 126
include/i18n.h | 115
include/ldaputil/ldaputil.h | 10
include/libaccess/aclerror.h | 1
include/libaccess/aclproto.h | 15
include/libaccess/aclstruct.h | 2
include/libaccess/dbtlibaccess.h | 3
include/public/nsacl/aclapi.h | 7
install-sh | 517
ldap/admin/src/scripts/10cleanupldapi.pl | 23
ldap/admin/src/scripts/50smd5pwdstorageplugin.ldif | 5
ldap/admin/src/scripts/60upgradeschemafiles.pl | 2
ldap/admin/src/scripts/80upgradednformat.pl | 206
ldap/admin/src/scripts/81changelog.pl | 29
ldap/admin/src/scripts/90subtreerename.pl | 6
ldap/admin/src/scripts/DSCreate.pm.in | 139
ldap/admin/src/scripts/DSDialogs.pm | 4
ldap/admin/src/scripts/DSMigration.pm.in | 11
ldap/admin/src/scripts/DSUpdate.pm.in | 12
ldap/admin/src/scripts/DSUtil.pm.in | 106
ldap/admin/src/scripts/Inf.pm | 53
ldap/admin/src/scripts/Migration.pm.in | 19
ldap/admin/src/scripts/Setup.pm.in | 19
ldap/admin/src/scripts/exampleupdate.ldif | 2
ldap/admin/src/scripts/exampleupdate.sh | 10
ldap/admin/src/scripts/migrate-ds.pl.in | 13
ldap/admin/src/scripts/remove-ds.pl.in | 28
ldap/admin/src/scripts/repl-monitor.pl.in | 3
ldap/admin/src/scripts/restart-dirsrv.in | 25
ldap/admin/src/scripts/setup-ds.pl.in | 7
ldap/admin/src/scripts/setup-ds.res.in | 9
ldap/admin/src/scripts/start-dirsrv.in | 32
ldap/admin/src/scripts/stop-dirsrv.in | 27
ldap/admin/src/scripts/template-bak2db.in | 36
ldap/admin/src/scripts/template-bak2db.pl.in | 4
ldap/admin/src/scripts/template-db2bak.in | 40
ldap/admin/src/scripts/template-db2bak.pl.in | 4
ldap/admin/src/scripts/template-db2index.in | 2
ldap/admin/src/scripts/template-db2index.pl.in | 8
ldap/admin/src/scripts/template-db2ldif.in | 2
ldap/admin/src/scripts/template-db2ldif.pl.in | 4
ldap/admin/src/scripts/template-dbverify.in | 2
ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in | 4
ldap/admin/src/scripts/template-fixup-memberof.pl.in | 4
ldap/admin/src/scripts/template-ldif2db.in | 2
ldap/admin/src/scripts/template-ldif2db.pl.in | 4
ldap/admin/src/scripts/template-ldif2ldap.in | 4
ldap/admin/src/scripts/template-monitor.in | 4
ldap/admin/src/scripts/template-ns-accountstatus.pl.in | 8
ldap/admin/src/scripts/template-ns-activate.pl.in | 8
ldap/admin/src/scripts/template-ns-inactivate.pl.in | 8
ldap/admin/src/scripts/template-ns-newpwpolicy.pl.in | 6
ldap/admin/src/scripts/template-restart-slapd.in | 2
ldap/admin/src/scripts/template-restoreconfig.in | 4
ldap/admin/src/scripts/template-saveconfig.in | 4
ldap/admin/src/scripts/template-schema-reload.pl.in | 4
ldap/admin/src/scripts/template-start-slapd.in | 3
ldap/admin/src/scripts/template-stop-slapd.in | 2
ldap/admin/src/scripts/template-suffix2instance.in | 4
ldap/admin/src/scripts/template-syntax-validate.pl.in | 4
ldap/admin/src/scripts/template-upgradedb.in | 4
ldap/admin/src/scripts/template-upgradednformat.in | 56
ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in | 4
ldap/admin/src/scripts/template-vlvindex.in | 4
ldap/admin/src/slapd.inf.in | 2
ldap/include/ldaplog.h | 32
ldap/ldif/50replication-plugins.ldif | 26
ldap/ldif/template-baseacis.ldif.in | 2
ldap/ldif/template-bitwise.ldif.in | 6
ldap/ldif/template-dse.ldif.in | 56
ldap/ldif/template-suffix-db.ldif.in | 1
ldap/schema/00core.ldif | 72
ldap/schema/01core389.ldif | 3
ldap/schema/02common.ldif | 8
ldap/schema/05rfc4523.ldif | 14
ldap/schema/05rfc4524.ldif | 30
ldap/schema/06inetorgperson.ldif | 5
ldap/schema/10mep-plugin.ldif | 104
ldap/schema/30ns-common.ldif | 4
ldap/schema/60acctpolicy.ldif | 47
ldap/schema/60qmail.ldif | 4
ldap/servers/plugins/acctpolicy/acct_config.c | 143
ldap/servers/plugins/acctpolicy/acct_init.c | 191
ldap/servers/plugins/acctpolicy/acct_plugin.c | 314
ldap/servers/plugins/acctpolicy/acct_util.c | 257
ldap/servers/plugins/acctpolicy/acctpolicy.h | 81
ldap/servers/plugins/acctpolicy/sampleconfig.ldif | 40
ldap/servers/plugins/acctpolicy/samplepolicy.ldif | 27
ldap/servers/plugins/acl/acl.c | 105
ldap/servers/plugins/acl/acl.h | 15
ldap/servers/plugins/acl/acl_ext.c | 29
ldap/servers/plugins/acl/aclanom.c | 1
ldap/servers/plugins/acl/acleffectiverights.c | 54
ldap/servers/plugins/acl/aclgroup.c | 9
ldap/servers/plugins/acl/acllas.c | 379
ldap/servers/plugins/acl/acllist.c | 14
ldap/servers/plugins/acl/aclparse.c | 590
ldap/servers/plugins/acl/aclplugin.c | 27
ldap/servers/plugins/acl/aclproxy.c | 232
ldap/servers/plugins/acl/aclutil.c | 103
ldap/servers/plugins/bitwise/bitwise.c | 20
ldap/servers/plugins/chainingdb/cb_bind.c | 2
ldap/servers/plugins/chainingdb/cb_config.c | 13
ldap/servers/plugins/chainingdb/cb_controls.c | 12
ldap/servers/plugins/chainingdb/cb_init.c | 4
ldap/servers/plugins/chainingdb/cb_instance.c | 68
ldap/servers/plugins/chainingdb/cb_utils.c | 3
ldap/servers/plugins/collation/collate.c | 22
ldap/servers/plugins/cos/cos_cache.c | 258
ldap/servers/plugins/deref/deref.c | 8
ldap/servers/plugins/dna/dna.c | 562
ldap/servers/plugins/http/http_impl.c | 81
ldap/servers/plugins/linkedattrs/fixup_task.c | 4
ldap/servers/plugins/linkedattrs/linked_attrs.c | 17
ldap/servers/plugins/memberof/memberof.c | 449
ldap/servers/plugins/memberof/memberof.h | 6
ldap/servers/plugins/memberof/memberof_config.c | 231
ldap/servers/plugins/mep/mep.c | 2344
ldap/servers/plugins/mep/mep.h | 129
ldap/servers/plugins/pam_passthru/pam_ptimpl.c | 17
ldap/servers/plugins/passthru/ptconfig.c | 43
ldap/servers/plugins/pwdstorage/smd5_pwd.c | 9
ldap/servers/plugins/referint/referint.c | 700
ldap/servers/plugins/replication/cl5_api.c | 1467
ldap/servers/plugins/replication/cl5_api.h | 77
ldap/servers/plugins/replication/cl5_clcache.c | 18
ldap/servers/plugins/replication/cl5_clcache.h | 2
ldap/servers/plugins/replication/cl5_config.c | 181
ldap/servers/plugins/replication/legacy_consumer.c | 1
ldap/servers/plugins/replication/repl-session-plugin.h | 119
ldap/servers/plugins/replication/repl5.h | 42
ldap/servers/plugins/replication/repl5_agmt.c | 96
ldap/servers/plugins/replication/repl5_agmtlist.c | 11
ldap/servers/plugins/replication/repl5_connection.c | 119
ldap/servers/plugins/replication/repl5_inc_protocol.c | 27
ldap/servers/plugins/replication/repl5_init.c | 26
ldap/servers/plugins/replication/repl5_plugins.c | 12
ldap/servers/plugins/replication/repl5_prot_private.h | 4
ldap/servers/plugins/replication/repl5_protocol.c | 99
ldap/servers/plugins/replication/repl5_protocol_util.c | 506
ldap/servers/plugins/replication/repl5_replica.c | 73
ldap/servers/plugins/replication/repl5_replica_config.c | 1
ldap/servers/plugins/replication/repl5_ruv.c | 52
ldap/servers/plugins/replication/repl5_tot_protocol.c | 28
ldap/servers/plugins/replication/repl5_total.c | 22
ldap/servers/plugins/replication/repl_compare.c | 1
ldap/servers/plugins/replication/repl_controls.c | 2
ldap/servers/plugins/replication/repl_extop.c | 262
ldap/servers/plugins/replication/repl_globals.c | 1
ldap/servers/plugins/replication/repl_init.c | 1
ldap/servers/plugins/replication/repl_objset.c | 9
ldap/servers/plugins/replication/repl_session_plugin.c | 188
ldap/servers/plugins/replication/replutil.c | 26
ldap/servers/plugins/replication/test_repl_session_plugin.c | 335
ldap/servers/plugins/replication/urp.c | 1
ldap/servers/plugins/replication/windows_connection.c | 133
ldap/servers/plugins/replication/windows_inc_protocol.c | 52
ldap/servers/plugins/replication/windows_private.c | 112
ldap/servers/plugins/replication/windows_protocol_util.c | 270
ldap/servers/plugins/replication/windows_tot_protocol.c | 115
ldap/servers/plugins/replication/windowsrepl.h | 11
ldap/servers/plugins/replication/winsync-plugin.h | 2
ldap/servers/plugins/retrocl/retrocl.c | 3
ldap/servers/plugins/retrocl/retrocl.h | 2
ldap/servers/plugins/retrocl/retrocl_create.c | 13
ldap/servers/plugins/retrocl/retrocl_po.c | 11
ldap/servers/plugins/retrocl/retrocl_trim.c | 20
ldap/servers/plugins/rever/des.c | 72
ldap/servers/plugins/rever/rever.c | 8
ldap/servers/plugins/roles/roles_cache.c | 64
ldap/servers/plugins/schema_reload/schema_reload.c | 5
ldap/servers/plugins/shared/plugin-utils.h | 112
ldap/servers/plugins/shared/utils.c | 508
ldap/servers/plugins/statechange/statechange.c | 7
ldap/servers/plugins/syntaxes/bin.c | 142
ldap/servers/plugins/syntaxes/bitstring.c | 36
ldap/servers/plugins/syntaxes/ces.c | 140
ldap/servers/plugins/syntaxes/cis.c | 288
ldap/servers/plugins/syntaxes/dn.c | 42
ldap/servers/plugins/syntaxes/int.c | 64
ldap/servers/plugins/syntaxes/nameoptuid.c | 41
ldap/servers/plugins/syntaxes/numericstring.c | 118
ldap/servers/plugins/syntaxes/string.c | 198
ldap/servers/plugins/syntaxes/syntax.h | 59
ldap/servers/plugins/syntaxes/syntax_common.c | 117
ldap/servers/plugins/syntaxes/tel.c | 62
ldap/servers/plugins/syntaxes/validate.c | 17
ldap/servers/plugins/syntaxes/value.c | 116
ldap/servers/plugins/uiduniq/7bit.c | 7
ldap/servers/plugins/uiduniq/plugin-utils.h | 96
ldap/servers/plugins/uiduniq/uid.c | 181
ldap/servers/plugins/uiduniq/utils.c | 249
ldap/servers/plugins/usn/usn.c | 68
ldap/servers/plugins/usn/usn.h | 2
ldap/servers/plugins/usn/usn_cleanup.c | 13
ldap/servers/plugins/views/views.c | 6
ldap/servers/slapd/abandon.c | 7
ldap/servers/slapd/add.c | 118
ldap/servers/slapd/agtmmap.c | 56
ldap/servers/slapd/attr.c | 80
ldap/servers/slapd/attrlist.c | 7
ldap/servers/slapd/attrsyntax.c | 85
ldap/servers/slapd/auth.c | 73
ldap/servers/slapd/back-ldbm/ancestorid.c | 10
ldap/servers/slapd/back-ldbm/archive.c | 72
ldap/servers/slapd/back-ldbm/back-ldbm.h | 38
ldap/servers/slapd/back-ldbm/cache.c | 4
ldap/servers/slapd/back-ldbm/dbhelp.c | 12
ldap/servers/slapd/back-ldbm/dblayer.c | 1503
ldap/servers/slapd/back-ldbm/dblayer.h | 12
ldap/servers/slapd/back-ldbm/dbtest.c | 349
ldap/servers/slapd/back-ldbm/dbversion.c | 47
ldap/servers/slapd/back-ldbm/dn2entry.c | 12
ldap/servers/slapd/back-ldbm/filterindex.c | 98
ldap/servers/slapd/back-ldbm/findentry.c | 72
ldap/servers/slapd/back-ldbm/id2entry.c | 163
ldap/servers/slapd/back-ldbm/idl.c | 17
ldap/servers/slapd/back-ldbm/idl_new.c | 18
ldap/servers/slapd/back-ldbm/import-merge.c | 28
ldap/servers/slapd/back-ldbm/import-threads.c | 1165
ldap/servers/slapd/back-ldbm/import.c | 395
ldap/servers/slapd/back-ldbm/import.h | 19
ldap/servers/slapd/back-ldbm/index.c | 127
ldap/servers/slapd/back-ldbm/init.c | 8
ldap/servers/slapd/back-ldbm/instance.c | 31
ldap/servers/slapd/back-ldbm/ldbm_add.c | 94
ldap/servers/slapd/back-ldbm/ldbm_attr.c | 247
ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c | 56
ldap/servers/slapd/back-ldbm/ldbm_attrcrypt_config.c | 2
ldap/servers/slapd/back-ldbm/ldbm_config.c | 101
ldap/servers/slapd/back-ldbm/ldbm_delete.c | 77
ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c | 523
ldap/servers/slapd/back-ldbm/ldbm_index_config.c | 106
ldap/servers/slapd/back-ldbm/ldbm_instance_config.c | 225
ldap/servers/slapd/back-ldbm/ldbm_modify.c | 53
ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 121
ldap/servers/slapd/back-ldbm/ldbm_search.c | 32
ldap/servers/slapd/back-ldbm/ldbm_usn.c | 71
ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 540
ldap/servers/slapd/back-ldbm/matchrule.c | 26
ldap/servers/slapd/back-ldbm/misc.c | 223
ldap/servers/slapd/back-ldbm/monitor.c | 14
ldap/servers/slapd/back-ldbm/nextid.c | 17
ldap/servers/slapd/back-ldbm/perfctrs.c | 24
ldap/servers/slapd/back-ldbm/proto-back-ldbm.h | 25
ldap/servers/slapd/back-ldbm/sort.c | 12
ldap/servers/slapd/back-ldbm/start.c | 29
ldap/servers/slapd/back-ldbm/vlv.c | 206
ldap/servers/slapd/back-ldbm/vlv_srch.c | 6
ldap/servers/slapd/back-ldbm/vlv_srch.h | 3
ldap/servers/slapd/back-ldif/back-ldif.h | 2
ldap/servers/slapd/back-ldif/modrdn.c | 12
ldap/servers/slapd/backend.c | 53
ldap/servers/slapd/backend_manager.c | 8
ldap/servers/slapd/bind.c | 255
ldap/servers/slapd/charray.c | 6
ldap/servers/slapd/compare.c | 31
ldap/servers/slapd/configdse.c | 58
ldap/servers/slapd/connection.c | 135
ldap/servers/slapd/control.c | 7
ldap/servers/slapd/csngen.c | 6
ldap/servers/slapd/daemon.c | 67
ldap/servers/slapd/delete.c | 82
ldap/servers/slapd/dn.c | 1113
ldap/servers/slapd/dse.c | 22
ldap/servers/slapd/dynalib.c | 29
ldap/servers/slapd/entry.c | 557
ldap/servers/slapd/entrywsi.c | 54
ldap/servers/slapd/eventq.c | 4
ldap/servers/slapd/extendop.c | 37
ldap/servers/slapd/factory.c | 1
ldap/servers/slapd/fe.h | 5
ldap/servers/slapd/fedse.c | 19
ldap/servers/slapd/filter.c | 2
ldap/servers/slapd/filter.h | 1
ldap/servers/slapd/filtercmp.c | 25
ldap/servers/slapd/filterentry.c | 27
ldap/servers/slapd/index_subsystem.c | 18
ldap/servers/slapd/ldaputil.c | 634
ldap/servers/slapd/lenstr.c | 6
ldap/servers/slapd/libglobs.c | 140
ldap/servers/slapd/libslapd.def | 1
ldap/servers/slapd/log.c | 3
ldap/servers/slapd/main.c | 258
ldap/servers/slapd/mapping_tree.c | 258
ldap/servers/slapd/match.c | 57
ldap/servers/slapd/modify.c | 270
ldap/servers/slapd/modrdn.c | 215
ldap/servers/slapd/modutil.c | 30
ldap/servers/slapd/opshared.c | 102
ldap/servers/slapd/pagedresults.c | 78
ldap/servers/slapd/passwd_extop.c | 97
ldap/servers/slapd/pblock.c | 242
ldap/servers/slapd/plugin.c | 193
ldap/servers/slapd/plugin_internal_op.c | 12
ldap/servers/slapd/plugin_mr.c | 472
ldap/servers/slapd/plugin_syntax.c | 352
ldap/servers/slapd/protect_db.c | 24
ldap/servers/slapd/protect_db.h | 5
ldap/servers/slapd/proto-slap.h | 43
ldap/servers/slapd/proxyauth.c | 247
ldap/servers/slapd/psearch.c | 1
ldap/servers/slapd/pw.c | 149
ldap/servers/slapd/pw_mgmt.c | 136
ldap/servers/slapd/rdn.c | 14
ldap/servers/slapd/regex.c | 3
ldap/servers/slapd/result.c | 24
ldap/servers/slapd/rootdse.c | 4
ldap/servers/slapd/sasl_io.c | 167
ldap/servers/slapd/sasl_map.c | 53
ldap/servers/slapd/saslbind.c | 122
ldap/servers/slapd/schema.c | 62
ldap/servers/slapd/search.c | 35
ldap/servers/slapd/slap.h | 80
ldap/servers/slapd/slapi-plugin-compat4.h | 6
ldap/servers/slapd/slapi-plugin.h | 432
ldap/servers/slapd/slapi-private.h | 25
ldap/servers/slapd/slapi_counter.c | 6
ldap/servers/slapd/snmp_collator.c | 3
ldap/servers/slapd/str2filter.c | 1
ldap/servers/slapd/task.c | 94
ldap/servers/slapd/test-plugins/testpostop.c | 1
ldap/servers/slapd/tools/dbscan.c | 72
ldap/servers/slapd/tools/ldclt/data.c | 50
ldap/servers/slapd/tools/ldclt/ldapfct.c | 150
ldap/servers/slapd/tools/ldclt/ldclt.c | 33
ldap/servers/slapd/tools/ldclt/ldclt.h | 2
ldap/servers/slapd/tools/ldclt/ldcltU.c | 24
ldap/servers/slapd/tools/ldclt/parser.c | 19
ldap/servers/slapd/tools/ldclt/scalab01.c | 49
ldap/servers/slapd/tools/ldif.c | 4
ldap/servers/slapd/tools/mmldif.c | 9
ldap/servers/slapd/tools/pwenc.c | 2
ldap/servers/slapd/tools/rsearch/addthread.c | 25
ldap/servers/slapd/tools/rsearch/searchthread.c | 62
ldap/servers/slapd/utf8compare.c | 2
ldap/servers/slapd/util.c | 162
ldap/servers/slapd/uuid.c | 6
ldap/servers/slapd/value.c | 26
ldap/servers/slapd/valueset.c | 68
ldap/servers/slapd/vattr.c | 69
ldap/servers/snmp/ldap-agent.c | 26
ldap/servers/snmp/main.c | 9
ldap/systools/idsktune.c | 17
lib/base/crit.cpp | 6
lib/base/ereport.cpp | 2
lib/base/lexer.cpp | 1015
lib/base/plist.cpp | 3
lib/base/util.cpp | 13
lib/ldaputil/cert.c | 4
lib/ldaputil/certmap.c | 409
lib/ldaputil/dbconf.c | 1
lib/ldaputil/utest/Makefile | 149
lib/ldaputil/utest/auth.cpp | 611
lib/ldaputil/utest/authtest | 138
lib/ldaputil/utest/certmap.conf | 68
lib/ldaputil/utest/dblist.conf | 47
lib/ldaputil/utest/example.c | 153
lib/ldaputil/utest/plugin.c | 152
lib/ldaputil/utest/plugin.h | 57
lib/ldaputil/utest/stubs.c | 144
lib/ldaputil/utest/stubs.cpp | 139
lib/ldaputil/utest/test.ref | 480
lib/ldaputil/vtable.c | 2
lib/libaccess/acl.tab.cpp | 21
lib/libaccess/aclcache.cpp | 105
lib/libaccess/aclflush.cpp | 1
lib/libaccess/aclpriv.h | 1
lib/libaccess/acltools.cpp | 1724
lib/libaccess/authdb.cpp | 112
lib/libaccess/lasdns.cpp | 7
lib/libaccess/lasip.cpp | 16
lib/libaccess/nseframe.cpp | 1
lib/libaccess/oneeval.cpp | 17
lib/libaccess/permhash.h | 11
lib/libaccess/register.cpp | 50
lib/libaccess/usrcache.cpp | 14
lib/libaccess/utest/.purify | 19
lib/libaccess/utest/Makefile | 147
lib/libaccess/utest/acl.dat | 44
lib/libaccess/utest/aclfile0 | 87
lib/libaccess/utest/aclfile1 | 43
lib/libaccess/utest/aclfile10 | 45
lib/libaccess/utest/aclfile11 | 43
lib/libaccess/utest/aclfile12 | 43
lib/libaccess/utest/aclfile13 | 43
lib/libaccess/utest/aclfile14 | 43
lib/libaccess/utest/aclfile15 | 43
lib/libaccess/utest/aclfile16 | 43
lib/libaccess/utest/aclfile17 | 43
lib/libaccess/utest/aclfile18 | 51
lib/libaccess/utest/aclfile19 | 46
lib/libaccess/utest/aclfile2 | 43
lib/libaccess/utest/aclfile3 | 43
lib/libaccess/utest/aclfile4 | 43
lib/libaccess/utest/aclfile5 | 43
lib/libaccess/utest/aclfile6 | 55
lib/libaccess/utest/aclfile7 | 43
lib/libaccess/utest/aclfile8 | 43
lib/libaccess/utest/aclfile9 | 43
lib/libaccess/utest/aclgrp0 | 42
lib/libaccess/utest/aclgrp1 | 42
lib/libaccess/utest/aclgrp2 | 42
lib/libaccess/utest/aclgrp3 | 42
lib/libaccess/utest/aclgrp4 | 42
lib/libaccess/utest/acltest.cpp | 794
lib/libaccess/utest/onetest.cpp | 77
lib/libaccess/utest/shexp.cpp | 331
lib/libaccess/utest/shexp.h | 168
lib/libaccess/utest/test.ref | 217
lib/libaccess/utest/testmain.cpp | 89
lib/libaccess/utest/twotest.cpp | 87
lib/libaccess/utest/ustubs.cpp | 331
lib/libadmin/error.c | 2
lib/libadmin/template.c | 2
lib/libadmin/util.c | 48
lib/libsi18n/coreres.c | 141
lib/libsi18n/coreres.h | 52
lib/libsi18n/getlang.c | 330
lib/libsi18n/getstrmem.c | 160
lib/libsi18n/getstrmem.h | 1
lib/libsi18n/getstrprop.c | 85
lib/libsi18n/makstrdb.c | 21
lib/libsi18n/propset.c | 442
lib/libsi18n/propset.h | 80
lib/libsi18n/reshash.c | 21
ltmain.sh | 8836 ++-
m4/db.m4 | 21
m4/fhs.m4 | 4
m4/icu.m4 | 25
m4/kerberos.m4 | 4
m4/mozldap.m4 | 38
m4/netsnmp.m4 | 15
m4/nspr.m4 | 17
m4/nss.m4 | 17
m4/openldap.m4 | 23
m4/pcre.m4 | 28
m4/sasl.m4 | 25
m4/selinux.m4 | 13
m4/svrcore.m4 | 41
man/man8/restart-dirsrv.8 | 50
man/man8/start-dirsrv.8 | 50
man/man8/stop-dirsrv.8 | 50
missing | 104
selinux/dirsrv.fc.in | 2
selinux/dirsrv.if | 41
selinux/dirsrv.te | 11
wrappers/initscript.in | 201
wrappers/migratecred.in | 2
wrappers/mmldif.in | 2
wrappers/pwdhash.in | 2
464 files changed, 46595 insertions(+), 51345 deletions(-)
---
Branch '389-ds-base-1.2.7' - VERSION.sh
by Richard Allen Megginson
VERSION.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 486b0e9b5ca8dbb1ad60552e7c211dd3afb315ff
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Thu Dec 16 09:52:14 2010 -0700
bump version to 1.2.7.5
diff --git a/VERSION.sh b/VERSION.sh
index 23e16b7..5ffc206 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=2
-VERSION_MAINT=7.4
+VERSION_MAINT=7.5
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
Changes to '389-ds-base-1.2.7'
by Richard Allen Megginson
New branch '389-ds-base-1.2.7' available with the following commits:
commit cea436bedbf40c2c29dfb325e2d6266c371cf2a9
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Thu Dec 16 08:02:46 2010 -0800
Bug 663597 - Memory leaks in normalization code
The DN normalization code uses a Slapi_Attr on the stack to avoid
allocation of the struct. The contents of the Slapi_Attr are
never freed. This patch ensures that the struct is cleared out
properly.
There was also a leak in the syntax normalization code where a
pointer to recently allocated string could get overwritten without
freeing the string first. This patch frees the string first.
(cherry picked from commit 4da627a74d756ab627863de6f52dc663d58fb2d2)
Branch 'Directory_Server_8_2_Branch' - ldap/servers
by Nathan Kinder
ldap/servers/slapd/attrsyntax.c | 6 +++---
ldap/servers/slapd/dn.c | 3 +++
2 files changed, 6 insertions(+), 3 deletions(-)
New commits:
commit 3e170da37a4f8a15b1342430cc2a912bb8b99872
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Thu Dec 16 08:02:46 2010 -0800
Bug 663597 - Memory leaks in normalization code
The DN normalization code uses a Slapi_Attr on the stack to avoid
allocation of the struct. The contents of the Slapi_Attr are
never freed. This patch ensures that the struct is cleared out
properly.
There was also a leak in the syntax normalization code where a
pointer to recently allocated string could get overwritten without
freeing the string first. This patch frees the string first.
diff --git a/ldap/servers/slapd/attrsyntax.c b/ldap/servers/slapd/attrsyntax.c
index ba30871..6d3fe8c 100644
--- a/ldap/servers/slapd/attrsyntax.c
+++ b/ldap/servers/slapd/attrsyntax.c
@@ -469,14 +469,14 @@ char *
slapi_attr_syntax_normalize( const char *s )
{
struct asyntaxinfo *asi = NULL;
- char *r;
-
+ char *r = NULL;
- if((asi=attr_syntax_get_by_name(s)) != NULL ) {
+ if((asi=attr_syntax_get_by_name(s)) != NULL ) {
r = slapi_ch_strdup(asi->asi_name);
attr_syntax_return( asi );
}
if ( NULL == asi ) {
+ slapi_ch_free_string( &r );
r = attr_syntax_normalize_no_lookup( s );
}
return r;
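Review bot: The `slapi_ch_free_string( &r )` added inside `if ( NULL == asi )` can never free anything: `r` is only assigned in the preceding `if ((asi=attr_syntax_get_by_name(s)) != NULL)` branch, `asi` is not modified afterwards, and the two conditions are exact complements, so `r` is still NULL whenever the second block runs. The leak the commit message describes therefore cannot occur in this function as shown, and the dead call suggests otherwise to the next reader. Making the second block an `else` of the first states the intent and drops the no-op: replace `}` / `if ( NULL == asi ) {` / `slapi_ch_free_string( &r );` with `} else {`. The identical attrsyntax.c hunk in the cherry-pick to master (commit 4da627a, below) has the same shape.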
diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
index 227a41e..8e0d0fa 100644
--- a/ldap/servers/slapd/dn.c
+++ b/ldap/servers/slapd/dn.c
@@ -572,6 +572,7 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char **dest, size_t *dest_len)
slapi_attr_init(&test_attr, typestart);
is_dn_syntax = slapi_attr_is_dn_syntax_attr(&test_attr);
+ attr_done(&test_attr);
/* Reset the character we modified. */
*d = savechar;
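Review bot: `attr_done(&test_attr)` is the right release for the stack `Slapi_Attr`, but the same init/check/done triplet now appears three times in this function (this hunk and the two that follow at new-file lines 592 and 612), and each copy relies on the author remembering the `attr_done`. A small static helper, e.g. `static int type_is_dn_syntax(char *type)` that performs `slapi_attr_init`, `slapi_attr_is_dn_syntax_attr` and `attr_done` together, would make it impossible to fix one site and miss another. slapi_dn_normalize_ext starts and ends outside these hunks, so whether any early return sits between `slapi_attr_init` and the new `attr_done` cannot be checked here. The cherry-pick of this commit to master (4da627a, below) carries the same three dn.c hunks.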
@@ -592,6 +593,7 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char **dest, size_t *dest_len)
slapi_attr_init(&test_attr, typestart);
is_dn_syntax = slapi_attr_is_dn_syntax_attr(&test_attr);
+ attr_done(&test_attr);
/* Reset the character we modified. */
*d = savechar;
@@ -612,6 +614,7 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char **dest, size_t *dest_len)
slapi_attr_init(&test_attr, typestart);
is_dn_syntax = slapi_attr_is_dn_syntax_attr(&test_attr);
+ attr_done(&test_attr);
/* Reset the character we modified. */
*d = savechar;
ldap/servers
by Nathan Kinder
ldap/servers/slapd/attrsyntax.c | 6 +++---
ldap/servers/slapd/dn.c | 3 +++
2 files changed, 6 insertions(+), 3 deletions(-)
New commits:
commit 4da627a74d756ab627863de6f52dc663d58fb2d2
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Thu Dec 16 08:02:46 2010 -0800
Bug 663597 - Memory leaks in normalization code
The DN normalization code uses a Slapi_Attr on the stack to avoid
allocation of the struct. The contents of the Slapi_Attr are
never freed. This patch ensures that the struct is cleared out
properly.
There was also a leak in the syntax normalization code where a
pointer to recently allocated string could get overwritten without
freeing the string first. This patch frees the string first.
diff --git a/ldap/servers/slapd/attrsyntax.c b/ldap/servers/slapd/attrsyntax.c
index 456f830..1c77f4a 100644
--- a/ldap/servers/slapd/attrsyntax.c
+++ b/ldap/servers/slapd/attrsyntax.c
@@ -469,14 +469,14 @@ char *
slapi_attr_syntax_normalize( const char *s )
{
struct asyntaxinfo *asi = NULL;
- char *r;
-
+ char *r = NULL;
- if((asi=attr_syntax_get_by_name(s)) != NULL ) {
+ if((asi=attr_syntax_get_by_name(s)) != NULL ) {
r = slapi_ch_strdup(asi->asi_name);
attr_syntax_return( asi );
}
if ( NULL == asi ) {
+ slapi_ch_free_string( &r );
r = attr_syntax_normalize_no_lookup( s );
}
return r;
diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
index 914712a..1912f70 100644
--- a/ldap/servers/slapd/dn.c
+++ b/ldap/servers/slapd/dn.c
@@ -576,6 +576,7 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char **dest, size_t *dest_len)
slapi_attr_init(&test_attr, typestart);
is_dn_syntax = slapi_attr_is_dn_syntax_attr(&test_attr);
+ attr_done(&test_attr);
/* Reset the character we modified. */
*d = savechar;
@@ -596,6 +597,7 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char **dest, size_t *dest_len)
slapi_attr_init(&test_attr, typestart);
is_dn_syntax = slapi_attr_is_dn_syntax_attr(&test_attr);
+ attr_done(&test_attr);
/* Reset the character we modified. */
*d = savechar;
@@ -616,6 +618,7 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char **dest, size_t *dest_len)
slapi_attr_init(&test_attr, typestart);
is_dn_syntax = slapi_attr_is_dn_syntax_attr(&test_attr);
+ attr_done(&test_attr);
/* Reset the character we modified. */
*d = savechar;
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/pw.c | 57 ++++++++++++++++++++++++++++++++----------------
1 file changed, 38 insertions(+), 19 deletions(-)
New commits:
commit f97797235463d73b10581680605d88c0eef546ac
Author: Noriko Hosoi <nhosoi(a)jiji.usersys.redhat.com>
Date: Wed Dec 15 18:14:48 2010 -0800
Bug 489379 - passwordExpirationTime in entry being added
collides with passwordMustChange policy
https://bugzilla.redhat.com/show_bug.cgi?id=489379
Description:
If we have the passwordMustChange policy enabled and try to add an entry
that already contains a passwordExpirationTime attribute, then the
passwordMustChange code will insert another passwordExpirationTime
attribute with the magic 19700101000000Z value. This won't work
because passwordExpirationTime is single-valued:
ldap_add: Object class violation
ldap_add: additional info: single-valued attribute "passwordExpirationTime"
has multiple values
We need to pick one passwordExpirationTime value to "win". I think
it makes sense for the value that exists in the entry being added
to win, but I'm open to discussion if it's felt that would violate
the password policy.
To make the existing passwordExpirationTime value win, in
add_password_attrs() in pw.c I think the logic can be changed so
the scan for passwordExpirationTime happens unconditionally and
then not touch it even if pwpolicy->pw_must_change is set.
This patch has been submitted by Ulf Weltman (ulf.weltman(a)hp.com).
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 94a038f..22f818e 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -1321,44 +1321,63 @@ add_password_attrs( Slapi_PBlock *pb, Operation *op, Slapi_Entry *e )
Slapi_Attr **a, **next;
passwdPolicy *pwpolicy = NULL;
char *dn = slapi_entry_get_ndn(e);
-
- pwpolicy = new_passwdPolicy(pb, dn);
+ int has_allowchangetime = 0, has_expirationtime = 0;
+ time_t existing_exptime = 0;
LDAPDebug( LDAP_DEBUG_TRACE, "add_password_attrs\n", 0, 0, 0 );
bvals[0] = &bv;
bvals[1] = NULL;
- if ( pwpolicy->pw_must_change) {
- /* must change password when first time logon */
- bv.bv_val = format_genTime ( NO_TIME );
- } else {
- /* If passwordexpirationtime is specified by the user, don't
- try to assign the initial value */
- for ( a = &e->e_attrs; *a != NULL; a = next ) {
- if ( strcasecmp( (*a)->a_type,
- "passwordexpirationtime" ) == 0) {
- delete_passwdPolicy(&pwpolicy);
- return;
+ /* If passwordexpirationtime is specified by the user, don't
+ try to assign the initial value */
+ for ( a = &e->e_attrs; *a != NULL; a = next ) {
+ if ( strcasecmp( (*a)->a_type,
+ "passwordexpirationtime" ) == 0) {
+ Slapi_Value *sval;
+ if (slapi_attr_first_value(*a, &sval) == 0) {
+ const struct berval *bv = slapi_value_get_berval(sval);
+ existing_exptime = parse_genTime(bv->bv_val);
}
- next = &(*a)->a_next;
+ has_expirationtime = 1;
+
+ } else if ( strcasecmp( (*a)->a_type,
+ "passwordallowchangetime" ) == 0) {
+ has_allowchangetime = 1;
}
+ next = &(*a)->a_next;
+ }
- bv.bv_val = format_genTime ( time_plus_sec ( current_time (),
- pwpolicy->pw_maxage ) );
+ if ( has_allowchangetime && has_expirationtime ) {
+ return;
}
- if ( pwpolicy->pw_exp || pwpolicy->pw_must_change ) {
+
+ pwpolicy = new_passwdPolicy(pb, dn);
+
+ if ( !has_expirationtime &&
+ ( pwpolicy->pw_exp || pwpolicy->pw_must_change ) ) {
+ if ( pwpolicy->pw_must_change) {
+ /* must change password when first time logon */
+ bv.bv_val = format_genTime ( NO_TIME );
+ } else if ( pwpolicy->pw_exp ) {
+ bv.bv_val = format_genTime ( time_plus_sec ( current_time (),
+ pwpolicy->pw_maxage ) );
+ }
bv.bv_len = strlen( bv.bv_val );
slapi_entry_attr_merge( e, "passwordexpirationtime", bvals );
+ slapi_ch_free_string( &bv.bv_val );
}
- slapi_ch_free((void **) &bv.bv_val );
/*
* If the password minimum age is not 0, calculate when the password
* is allowed to be changed again and store the result
* in passwordallowchangetime in the user's entry.
+ * If the password has expired, don't add passwordallowchangetime,
+ * otherwise if the user has grace logins, they can't be used to change
+ * the password if we set a passwordallowchangetime in the future.
*/
- if ( pwpolicy->pw_minage != 0 ) {
+ if ( !has_allowchangetime && pwpolicy->pw_minage != 0 &&
+ (has_expirationtime && existing_exptime > current_time()) ) {
bv.bv_val = format_genTime ( time_plus_sec ( current_time (),
pwpolicy->pw_minage ) );
bv.bv_len = strlen( bv.bv_val );
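Review bot: The new guard on the passwordallowchangetime block, `(has_expirationtime && existing_exptime > current_time())`, only passes when the entry being added already carried a future passwordExpirationTime, so for an entry without one — the common case, where this function has just computed the expiration itself a few lines above — `pw_minage` is no longer applied at all. The comment above the condition describes a narrower rule (skip only when the password is already expired), which the condition as written does not implement. If the comment is the intent, `(has_expirationtime ? existing_exptime > current_time() : !pwpolicy->pw_must_change)` keeps the minimum age for new entries while still skipping the NO_TIME case that would block grace logins. Separately, the inner `const struct berval *bv` declared in the attribute scan shadows the function's `struct berval bv` that `bvals[0]` points at; renaming it (e.g. `expbv`) avoids a -Wshadow surprise. add_password_attrs starts and ends outside this hunk.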
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/configdse.c | 15 ++++++++++-----
ldap/servers/slapd/libglobs.c | 16 ++++++----------
ldap/servers/slapd/proto-slap.h | 2 +-
3 files changed, 17 insertions(+), 16 deletions(-)
New commits:
commit ad544f250e78eb16d841857cd437612b625f6f6f
Author: Noriko Hosoi <nhosoi(a)jiji.usersys.redhat.com>
Date: Wed Dec 15 14:44:15 2010 -0800
Bug 602456 - Allow to add any cn=config attributes;
allow to delete some cn=config attributes
https://bugzilla.redhat.com/show_bug.cgi?id=602456
Description:
commit e6c0ce5d97a78689722fe3c627f7a99cf81f6b77 included a
config param value type mismatch. The value is a string,
not an array of strings.
To verify the fix, the following command line should return
the space separated config attribute list.
$ ldapsearch ... -b "cn=config" "(cn=*)" nsslapd-allowed-to-delete-attrs
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost
diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c
index 3b87cb6..4799145 100644
--- a/ldap/servers/slapd/configdse.c
+++ b/ldap/servers/slapd/configdse.c
@@ -127,16 +127,21 @@ ignore_attr_type(const char *attr_type)
static int
allowed_to_delete_attrs(const char *attr_type)
{
+ int rc = 0;
if (attr_type) {
- char **ap = config_get_allowed_to_delete_attrs();
- for ( ; ap && *ap; ap++) {
+ char *delattrs = config_get_allowed_to_delete_attrs();
+ char **allowed = slapi_str2charray_ext(delattrs, " ", 0);
+ char **ap;
+ for (ap = allowed; ap && *ap; ap++) {
if (strcasecmp (attr_type, *ap) == 0) {
- return 1;
+ rc = 1;
+ break;
}
}
+ slapi_ch_array_free(allowed);
+ slapi_ch_free_string(&delattrs);
}
-
- return 0;
+ return rc;
}
int
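Review bot: `delattrs` is handed to `slapi_str2charray_ext` without a NULL check, and the new getter returns `slapi_ch_strdup` of a config field that `config_set_allowed_to_delete_attrs` can replace with any value; whether either helper tolerates NULL is not visible here, so either guard it, `char **allowed = delattrs ? slapi_str2charray_ext(delattrs, " ", 0) : NULL;`, or add a comment stating the helper accepts NULL. The free pair at the end correctly releases both the split array and the duplicated string. Re-splitting the list on every call costs a little per checked attribute, which is fine on a config-entry path, but a one-line comment saying the copy is deliberate would stop someone "optimising" it back to the shared pointer the old code returned, which could be freed under the config write lock while a caller was still iterating it.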
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index e1fb7dd..e0ffdaa 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1012,10 +1012,7 @@ FrontendConfig_init () {
cfg->auditlog_exptimeunit = slapi_ch_strdup("month");
cfg->entryusn_global = LDAP_OFF;
- slapi_ch_array_add(&(cfg->allowed_to_delete_attrs),
- slapi_ch_strdup("nsslapd-listenhost"));
- slapi_ch_array_add(&(cfg->allowed_to_delete_attrs),
- slapi_ch_strdup("nsslapd-securelistenhost"));
+ cfg->allowed_to_delete_attrs = slapi_ch_strdup("nsslapd-listenhost nsslapd-securelistenhost");
#ifdef MEMPOOL_EXPERIMENTAL
cfg->mempool_switch = LDAP_ON;
@@ -5587,13 +5584,13 @@ config_set_entryusn_global( const char *attrname, char *value,
return retVal;
}
-char **
+char *
config_get_allowed_to_delete_attrs(void)
{
- char **retVal;
+ char *retVal;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
CFG_LOCK_READ(slapdFrontendConfig);
- retVal = slapdFrontendConfig->allowed_to_delete_attrs;
+ retVal = slapi_ch_strdup(slapdFrontendConfig->allowed_to_delete_attrs);
CFG_UNLOCK_READ(slapdFrontendConfig);
return retVal;
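Review bot: `config_get_allowed_to_delete_attrs` now returns a heap copy made under `CFG_LOCK_READ`, which is the right way to stop a caller holding a pointer that `config_set_allowed_to_delete_attrs` frees under the write lock, but nothing states that ownership passes to the caller; the proto-slap.h hunk below changes only the return type. Add a short comment above the definition and mirror it on the prototype, e.g. `/* Returns a malloc'd copy of nsslapd-allowed-to-delete-attrs; caller frees it with slapi_ch_free_string(). */`. If `slapi_ch_strdup` yields NULL for an unset field, say so too, so callers know to check.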
@@ -5608,9 +5605,8 @@ config_set_allowed_to_delete_attrs( const char *attrname, char *value,
if (apply) {
CFG_LOCK_WRITE(slapdFrontendConfig);
- slapi_ch_array_free(slapdFrontendConfig->allowed_to_delete_attrs);
- slapdFrontendConfig->allowed_to_delete_attrs =
- slapi_str2charray_ext(value, " ", 0);
+ slapi_ch_free_string(&(slapdFrontendConfig->allowed_to_delete_attrs));
+ slapdFrontendConfig->allowed_to_delete_attrs = slapi_ch_strdup(value);
CFG_UNLOCK_WRITE(slapdFrontendConfig);
}
return retVal;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 1a8c6e5..56878c3 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -513,7 +513,7 @@ int config_get_system_page_bits();
#endif
int config_get_force_sasl_external();
int config_get_entryusn_global(void);
-char **config_get_allowed_to_delete_attrs(void);
+char *config_get_allowed_to_delete_attrs(void);
int is_abspath(const char *);
char* rel2abspath( char * );
ldap/servers Makefile.am Makefile.in
by Noriko Hosoi
Makefile.am | 1
Makefile.in | 15
ldap/servers/plugins/replication/cl5.h | 1
ldap/servers/plugins/replication/cl5_api.c | 107 +
ldap/servers/plugins/replication/cl5_api.h | 2
ldap/servers/plugins/replication/cl5_config.c | 37
ldap/servers/plugins/replication/cl_crypt.c | 203 +++
ldap/servers/plugins/replication/cl_crypt.h | 53
ldap/servers/plugins/replication/repl_shared.h | 17
ldap/servers/plugins/replication/windows_protocol_util.c | 2
ldap/servers/slapd/back-ldbm/dblayer.c | 42
ldap/servers/slapd/back-ldbm/id2entry.c | 20
ldap/servers/slapd/back-ldbm/init.c | 2
ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c | 818 ++++++++++++---
ldap/servers/slapd/back-ldbm/proto-back-ldbm.h | 6
ldap/servers/slapd/backend.c | 11
ldap/servers/slapd/opshared.c | 7
ldap/servers/slapd/pblock.c | 6
ldap/servers/slapd/slap.h | 3
ldap/servers/slapd/slapi-plugin.h | 42
ldap/servers/slapd/slapi-private.h | 1
21 files changed, 1203 insertions(+), 193 deletions(-)
New commits:
commit 7aef407a3d621f3b03455b75cfcbf2f26fcfd1fe
Author: Noriko Hosoi <nhosoi(a)jiji.usersys.redhat.com>
Date: Wed Dec 15 13:01:04 2010 -0800
Bug 182507 - clear-password mod from replica is discarded before changelogged
https://bugzilla.redhat.com/show_bug.cgi?id=182507
Description:
Replication drops unhashed passwords, which are necessary for
the AD password sync. This patch allows the passwords to be replicated
and introduces a method to encrypt entries in the changelog.
See also http://directory.fedoraproject.org/wiki/Changelog_Encryption
diff --git a/Makefile.am b/Makefile.am
index 051a958..1b43a0a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -991,6 +991,7 @@ libreplication_plugin_la_SOURCES = ldap/servers/plugins/replication/cl5_api.c \
ldap/servers/plugins/replication/cl5_clcache.c \
ldap/servers/plugins/replication/cl5_config.c \
ldap/servers/plugins/replication/cl5_init.c \
+ ldap/servers/plugins/replication/cl_crypt.c \
ldap/servers/plugins/replication/csnpl.c \
ldap/servers/plugins/replication/legacy_consumer.c \
ldap/servers/plugins/replication/llist.c \
diff --git a/Makefile.in b/Makefile.in
index 9f631c8..a5a5c3e 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -483,6 +483,7 @@ am_libreplication_plugin_la_OBJECTS = ldap/servers/plugins/replication/libreplic
ldap/servers/plugins/replication/libreplication_plugin_la-cl5_clcache.lo \
ldap/servers/plugins/replication/libreplication_plugin_la-cl5_config.lo \
ldap/servers/plugins/replication/libreplication_plugin_la-cl5_init.lo \
+ ldap/servers/plugins/replication/libreplication_plugin_la-cl_crypt.lo \
ldap/servers/plugins/replication/libreplication_plugin_la-csnpl.lo \
ldap/servers/plugins/replication/libreplication_plugin_la-legacy_consumer.lo \
ldap/servers/plugins/replication/libreplication_plugin_la-llist.lo \
@@ -2101,6 +2102,7 @@ libreplication_plugin_la_SOURCES = ldap/servers/plugins/replication/cl5_api.c \
ldap/servers/plugins/replication/cl5_clcache.c \
ldap/servers/plugins/replication/cl5_config.c \
ldap/servers/plugins/replication/cl5_init.c \
+ ldap/servers/plugins/replication/cl_crypt.c \
ldap/servers/plugins/replication/csnpl.c \
ldap/servers/plugins/replication/legacy_consumer.c \
ldap/servers/plugins/replication/llist.c \
@@ -3463,6 +3465,9 @@ ldap/servers/plugins/replication/libreplication_plugin_la-cl5_config.lo: \
ldap/servers/plugins/replication/libreplication_plugin_la-cl5_init.lo: \
ldap/servers/plugins/replication/$(am__dirstamp) \
ldap/servers/plugins/replication/$(DEPDIR)/$(am__dirstamp)
+ldap/servers/plugins/replication/libreplication_plugin_la-cl_crypt.lo: \
+ ldap/servers/plugins/replication/$(am__dirstamp) \
+ ldap/servers/plugins/replication/$(DEPDIR)/$(am__dirstamp)
ldap/servers/plugins/replication/libreplication_plugin_la-csnpl.lo: \
ldap/servers/plugins/replication/$(am__dirstamp) \
ldap/servers/plugins/replication/$(DEPDIR)/$(am__dirstamp)
@@ -4763,6 +4768,8 @@ mostlyclean-compile:
-rm -f ldap/servers/plugins/replication/libreplication_plugin_la-cl5_config.lo
-rm -f ldap/servers/plugins/replication/libreplication_plugin_la-cl5_init.$(OBJEXT)
-rm -f ldap/servers/plugins/replication/libreplication_plugin_la-cl5_init.lo
+ -rm -f ldap/servers/plugins/replication/libreplication_plugin_la-cl_crypt.$(OBJEXT)
+ -rm -f ldap/servers/plugins/replication/libreplication_plugin_la-cl_crypt.lo
-rm -f ldap/servers/plugins/replication/libreplication_plugin_la-csnpl.$(OBJEXT)
-rm -f ldap/servers/plugins/replication/libreplication_plugin_la-csnpl.lo
-rm -f ldap/servers/plugins/replication/libreplication_plugin_la-legacy_consumer.$(OBJEXT)
@@ -5519,6 +5526,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@ldap/servers/plugins/replication/$(DEPDIR)/libreplication_plugin_la-cl5_clcache.Plo(a)am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@ldap/servers/plugins/replication/$(DEPDIR)/libreplication_plugin_la-cl5_config.Plo(a)am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@ldap/servers/plugins/replication/$(DEPDIR)/libreplication_plugin_la-cl5_init.Plo(a)am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ldap/servers/plugins/replication/$(DEPDIR)/libreplication_plugin_la-cl_crypt.Plo(a)am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@ldap/servers/plugins/replication/$(DEPDIR)/libreplication_plugin_la-csnpl.Plo(a)am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@ldap/servers/plugins/replication/$(DEPDIR)/libreplication_plugin_la-legacy_consumer.Plo(a)am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@ldap/servers/plugins/replication/$(DEPDIR)/libreplication_plugin_la-llist.Plo(a)am__quote@
@@ -7191,6 +7199,13 @@ ldap/servers/plugins/replication/libreplication_plugin_la-cl5_init.lo: ldap/serv
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libreplication_plugin_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ldap/servers/plugins/replication/libreplication_plugin_la-cl5_init.lo `test -f 'ldap/servers/plugins/replication/cl5_init.c' || echo '$(srcdir)/'`ldap/servers/plugins/replication/cl5_init.c
+ldap/servers/plugins/replication/libreplication_plugin_la-cl_crypt.lo: ldap/servers/plugins/replication/cl_crypt.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libreplication_plugin_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ldap/servers/plugins/replication/libreplication_plugin_la-cl_crypt.lo -MD -MP -MF ldap/servers/plugins/replication/$(DEPDIR)/libreplication_plugin_la-cl_crypt.Tpo -c -o ldap/servers/plugins/replication/libreplication_plugin_la-cl_crypt.lo `test -f 'ldap/servers/plugins/replication/cl_crypt.c' || echo '$(srcdir)/'`ldap/servers/plugins/replication/cl_crypt.c
+@am__fastdepCC_TRUE@ $(am__mv) ldap/servers/plugins/replication/$(DEPDIR)/libreplication_plugin_la-cl_crypt.Tpo ldap/servers/plugins/replication/$(DEPDIR)/libreplication_plugin_la-cl_crypt.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ldap/servers/plugins/replication/cl_crypt.c' object='ldap/servers/plugins/replication/libreplication_plugin_la-cl_crypt.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libreplication_plugin_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ldap/servers/plugins/replication/libreplication_plugin_la-cl_crypt.lo `test -f 'ldap/servers/plugins/replication/cl_crypt.c' || echo '$(srcdir)/'`ldap/servers/plugins/replication/cl_crypt.c
+
ldap/servers/plugins/replication/libreplication_plugin_la-csnpl.lo: ldap/servers/plugins/replication/csnpl.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libreplication_plugin_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ldap/servers/plugins/replication/libreplication_plugin_la-csnpl.lo -MD -MP -MF ldap/servers/plugins/replication/$(DEPDIR)/libreplication_plugin_la-csnpl.Tpo -c -o ldap/servers/plugins/replication/libreplication_plugin_la-csnpl.lo `test -f 'ldap/servers/plugins/replication/csnpl.c' || echo '$(srcdir)/'`ldap/servers/plugins/replication/csnpl.c
@am__fastdepCC_TRUE@ $(am__mv) ldap/servers/plugins/replication/$(DEPDIR)/libreplication_plugin_la-csnpl.Tpo ldap/servers/plugins/replication/$(DEPDIR)/libreplication_plugin_la-csnpl.Plo
diff --git a/ldap/servers/plugins/replication/cl5.h b/ldap/servers/plugins/replication/cl5.h
index 1b95973..4c92ecd 100644
--- a/ldap/servers/plugins/replication/cl5.h
+++ b/ldap/servers/plugins/replication/cl5.h
@@ -55,6 +55,7 @@ typedef struct changelog5Config
int maxEntries;
/* the changelog DB configuration parameters are defined as CL5DBConfig in cl5_api.h */
CL5DBConfig dbconfig;
+ char *symmetricKey;
}changelog5Config;
/* initializes changelog*/
diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
index f781dce..ed93ed2 100644
--- a/ldap/servers/plugins/replication/cl5_api.c
+++ b/ldap/servers/plugins/replication/cl5_api.c
@@ -57,6 +57,7 @@
#include "cl5_api.h"
+#include "cl_crypt.h"
#include "plhash.h"
#include "plstr.h"
@@ -249,6 +250,7 @@ typedef struct cl5desc
deadlock detection, etc. */
PRLock *clLock; /* Lock associated to clVar, used to notify threads on close */
PRCondVar *clCvar; /* Condition Variable used to notify threads on close */
+ void *clcrypt_handle; /* for cl encryption */
} CL5Desc;
typedef void (*VFP)(void *);
@@ -513,9 +515,12 @@ int cl5Open (const char *dir, const CL5DBConfig *config)
{
s_cl5Desc.dbState = CL5_STATE_OPEN;
clcache_set_config();
+
+ /* Set the cl encryption algorithm (if configured) */
+ rc = clcrypt_init(config, &s_cl5Desc.clcrypt_handle);
}
-done:;
+done:
PR_RWLock_Unlock (s_cl5Desc.stLock);
return rc;
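Review bot: `rc = clcrypt_init(...)` runs after `s_cl5Desc.dbState` has already been set to `CL5_STATE_OPEN`, so if the encryption handle cannot be set up the changelog is left marked open while `cl5Open` returns the error; a caller that honours the return sees a half-open state, and one that ignores it presumably runs with `clcrypt_handle` unset and stores values in the clear. Whether `clcrypt_init` reports failure when no algorithm is configured is not visible here; if it does, the default configuration becomes an open failure. Either call `clcrypt_init` before the state change and bail out on error, or restore the previous `dbState` value (set outside this hunk) when `rc` indicates failure. cl5Open begins outside the hunk.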
@@ -1830,7 +1835,7 @@ static int _cl5AppInit (PRBool *didRecovery)
{
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl,
"_cl5AppInit: failed to fetch backend dbenv (%p) and/or "
- "index page size (%ld)\n", dbEnv, pagesize);
+ "index page size (%u)\n", dbEnv, pagesize);
return CL5_DB_ERROR;
}
}
@@ -1960,11 +1965,21 @@ static int _cl5Entry2DBData (const CL5Entry *entry, char **data, PRUint32 *len)
size ++; /* we just store NULL char */
slapi_entry2mods (op->p.p_add.target_entry, &rawDN/* dn */, &add_mods);
size += strlen (rawDN) + 1;
- size += _cl5GetModsSize (add_mods);
+ /* Need larger buffer for the encrypted changelog */
+ if (s_cl5Desc.clcrypt_handle) {
+ size += (_cl5GetModsSize (add_mods) * (1 + BACK_CRYPT_OUTBUFF_EXTLEN));
+ } else {
+ size += _cl5GetModsSize (add_mods);
+ }
break;
case SLAPI_OPERATION_MODIFY: size += strlen (op->target_address.dn) + 1;
- size += _cl5GetModsSize (op->p.p_modify.modify_mods);
+ /* Need larger buffer for the encrypted changelog */
+ if (s_cl5Desc.clcrypt_handle) {
+ size += (_cl5GetModsSize (op->p.p_modify.modify_mods) * (1 + BACK_CRYPT_OUTBUFF_EXTLEN));
+ } else {
+ size += _cl5GetModsSize (op->p.p_modify.modify_mods);
+ }
break;
case SLAPI_OPERATION_MODRDN: size += strlen (op->target_address.dn) + 1;
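Review bot: The three new size branches (ADD and MODIFY here, MODRDN in the hunk that follows) repeat `_cl5GetModsSize(x) * (1 + BACK_CRYPT_OUTBUFF_EXTLEN)`; a small static helper taking the mods pointer would keep the estimate in one place. The expression's meaning also depends on what `BACK_CRYPT_OUTBUFF_EXTLEN` is, which is not visible here: if it is a byte count per value, as the name suggests, multiplying the whole mods size by `1 + EXTLEN` over-reserves by that factor and the per-value form `size + nvalues * EXTLEN` would be the intended one. A comment naming the unit, e.g. `/* BACK_CRYPT_OUTBUFF_EXTLEN: growth factor applied to the plaintext size to cover cipher padding */` (or the corrected formula), would settle it; the `*len > size` check later in this function does not make an undersized estimate safe (see the note on that hunk). _cl5Entry2DBData starts outside the hunk.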
@@ -1978,7 +1993,12 @@ static int _cl5Entry2DBData (const CL5Entry *entry, char **data, PRUint32 *len)
size += strlen (op->p.p_modrdn.modrdn_newsuperior_address.uniqueid) + 1;
else
size ++; /* for NULL char */
- size += _cl5GetModsSize (op->p.p_modrdn.modrdn_mods);
+ /* Need larger buffer for the encrypted changelog */
+ if (s_cl5Desc.clcrypt_handle) {
+ size += (_cl5GetModsSize (op->p.p_modrdn.modrdn_mods) * (1 + BACK_CRYPT_OUTBUFF_EXTLEN));
+ } else {
+ size += _cl5GetModsSize (op->p.p_modrdn.modrdn_mods);
+ }
break;
case SLAPI_OPERATION_DELETE: size += strlen (op->target_address.dn) + 1;
@@ -2038,8 +2058,16 @@ static int _cl5Entry2DBData (const CL5Entry *entry, char **data, PRUint32 *len)
break;
}
- (*len) = size;
-
+ /* (*len) != size in case encrypted */
+ (*len) = pos - *data;
+
+ if (*len > size) {
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl,
+ "_cl5Entry2DBData: real len %d > estimated size %d\n",
+ *len, size);
+ return CL5_MEMORY_ERROR;
+ }
+
return CL5_SUCCESS;
}
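Review bot: The `*len > size` check runs after every `_cl5WriteMod` call has already written into `*data`, so when the estimate is short the heap buffer has already been overrun by the time CL5_MEMORY_ERROR is returned; it reports the corruption, it does not prevent it. Because encrypted values can exceed the plaintext size, the writers need a real bound: pass the buffer end down to `_cl5WriteMod`/`_cl5WriteBerval` and have them refuse to write past it, or make the estimate a proven upper bound and keep this check only as a sanity assertion. The log line prints `*len` (a `PRUint32`) with `%d`; use `%u`. _cl5Entry2DBData starts outside the hunk.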
@@ -2274,7 +2302,10 @@ static void _cl5WriteMod (LDAPMod *mod, char **buff)
char *pos;
PRInt32 count;
struct berval *bv;
+ struct berval *encbv;
+ struct berval *bv_to_use;
Slapi_Mod smod;
+ int rc = 0;
slapi_mod_init_byref(&smod, mod);
@@ -2293,7 +2324,26 @@ static void _cl5WriteMod (LDAPMod *mod, char **buff)
bv = slapi_mod_get_first_value (&smod);
while (bv)
{
- _cl5WriteBerval (bv, &pos);
+ encbv = NULL;
+ rc = 0;
+ rc = clcrypt_encrypt_value(s_cl5Desc.clcrypt_handle,
+ bv, &encbv);
+ if (rc > 0) {
+ /* no encryption needed. use the original bv */
+ bv_to_use = bv;
+ } else if ((0 == rc) && encbv) {
+ /* successfully encrypted. use the encrypted bv */
+ bv_to_use = encbv;
+ } else { /* failed */
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl,
+ "_cl5WriteMod: encrypting \"%s: %s\" failed\n",
+ slapi_mod_get_type(&smod), bv->bv_val);
+ bv_to_use = NULL;
+ }
+ if (bv_to_use) {
+ _cl5WriteBerval (bv_to_use, &pos);
+ }
+ slapi_ch_bvfree(&encbv);
bv = slapi_mod_get_next_value (&smod);
}
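Review bot: When `clcrypt_encrypt_value` fails the value is logged and skipped (`bv_to_use = NULL`), but `_cl5WriteMod` is `void` and the `rc` local never leaves the function, so the record is persisted as if nothing went wrong. If the value count was written before this loop (the `count` local above suggests so, though that part is outside the hunk), the stored mod then declares more values than it contains and `_cl5ReadMod` will read past it on replay; even if not, a replace with silently dropped values replays as a different change. The safer shape is to return an error from `_cl5WriteMod` and let `_cl5Entry2DBData` fail the whole entry — writing `bv` in the clear as a fallback is not an option, since these are the unhashed password values the encryption exists to protect. For the same reason the log message should not print `bv->bv_val` with `%s`; log the type and `bv->bv_len` only. _cl5WriteMod begins outside the hunk.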
@@ -2358,6 +2408,9 @@ static int _cl5ReadMod (Slapi_Mod *smod, char **buff)
char *type;
int op;
struct berval bv;
+ struct berval *decbv;
+ struct berval *bv_to_use;
+ int rc = 0;
op = (*pos) & 0x000000FF;
pos ++;
@@ -2373,11 +2426,43 @@ static int _cl5ReadMod (Slapi_Mod *smod, char **buff)
slapi_mod_set_operation (smod, op|LDAP_MOD_BVALUES);
slapi_mod_set_type (smod, type);
slapi_ch_free ((void**)&type);
-
+
for (i = 0; i < val_count; i++)
{
- _cl5ReadBerval (&bv, &pos);
- slapi_mod_add_value (smod, &bv);
+ _cl5ReadBerval (&bv, &pos);
+ decbv = NULL;
+ rc = 0;
+ rc = clcrypt_decrypt_value(s_cl5Desc.clcrypt_handle,
+ &bv, &decbv);
+ if (rc > 0) {
+ /* not encrypted. use the original bv */
+ bv_to_use = &bv;
+ } else if ((0 == rc) && decbv) {
+ /* successfully decrypted. use the decrypted bv */
+ bv_to_use = decbv;
+ } else { /* failed */
+ char encstr[128];
+ char *encend = encstr + 128;
+ char *ptr;
+ int i;
+ for (i = 0, ptr = encstr; (i < bv.bv_len) && (ptr < encend - 4);
+ i++, ptr += 3) {
+ sprintf(ptr, "%x", 0xff & bv.bv_val[i]);
+ }
+ if (ptr >= encend - 4) {
+ sprintf(ptr, "...");
+ ptr += 3;
+ }
+ *ptr = '\0';
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl,
+ "_cl5ReadMod: decrypting \"%s: %s\" failed\n",
+ slapi_mod_get_type(smod), encstr);
+ bv_to_use = NULL;
+ }
+ if (bv_to_use) {
+ slapi_mod_add_value (smod, bv_to_use);
+ }
+ slapi_ch_bvfree(&decbv);
slapi_ch_free((void **) &bv.bv_val);
}
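Review bot: The hex dump in the failure branch uses `"%x"` with a stride of 3, so a byte below 0x10 writes one digit plus NUL and the next `sprintf` lands two cells later, leaving that terminator in place — the logged string stops at the first such byte and the skipped cells are uninitialised stack. If the dump is kept, `"%02x"` with `ptr += 2` fixes it, but since the values on this path are the replicated password material this commit introduces, logging only the type and `bv.bv_len` is the better choice. The inner `int i` shadows the loop counter of the enclosing `for`, and `i < bv.bv_len` compares int with the unsigned length. A value that fails to decrypt is silently omitted from the mod that gets replayed, so the consumer applies a different change than the supplier did; since `_cl5ReadMod` returns int, returning an error there is safer than dropping the value. _cl5ReadMod begins outside the hunk.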
diff --git a/ldap/servers/plugins/replication/cl5_api.h b/ldap/servers/plugins/replication/cl5_api.h
index f300cd8..9590dd1 100644
--- a/ldap/servers/plugins/replication/cl5_api.h
+++ b/ldap/servers/plugins/replication/cl5_api.h
@@ -70,6 +70,8 @@ typedef struct cl5dbconfig
size_t pageSize; /* page size in bytes */
PRInt32 fileMode; /* file mode */
PRUint32 maxConcurrentWrites; /* max number of concurrent cl writes */
+ char *encryptionAlgorithm; /* nsslapd-encryptionalgorithm */
+ char *symmetricKey;
} CL5DBConfig;
/* changelog entry format */
diff --git a/ldap/servers/plugins/replication/cl5_config.c b/ldap/servers/plugins/replication/cl5_config.c
index 2e66917..0698c55 100644
--- a/ldap/servers/plugins/replication/cl5_config.c
+++ b/ldap/servers/plugins/replication/cl5_config.c
@@ -390,6 +390,14 @@ changelog5_config_modify (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entr
slapi_ch_free_string(&config.maxAge);
config.maxAge = slapi_ch_strdup(config_attr_value);
}
+ else if ( strcasecmp ( config_attr, CONFIG_CHANGELOG_SYMMETRIC_KEY ) == 0 )
+ {
+ slapi_ch_free_string(&config.symmetricKey);
+ config.symmetricKey = slapi_ch_strdup(config_attr_value);
+ /* Storing the encryption symmetric key */
+ /* no need to change any changelog configuration */
+ goto done;
+ }
else
{
*returncode = LDAP_UNWILLING_TO_PERFORM;
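Review bot: The new branch stores whatever value arrives in a modify of CONFIG_CHANGELOG_SYMMETRIC_KEY without validation and jumps to `done` (outside the hunk), and the previous value is released with `slapi_ch_free_string`, which does not scrub memory. Whether `symmetricKey` holds key material in directly usable form or a wrapped/encoded form is not visible here; if it is the former, the old buffer should be zeroised before the free. A one-line comment stating which form is stored, e.g. `/* symmetricKey holds the wrapped key as stored in the config entry, not raw key material */` (if that is the case), lets the next reader judge this without reading cl_crypt.c.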
@@ -720,7 +728,6 @@ static void changelog5_extract_config(Slapi_Entry* entry, changelog5Config *conf
/*
* Read the Changelog Internal Configuration Parameters for the Changelog DB
- * (db cache size, db settings...)
*/
arg= slapi_entry_attr_get_charptr(entry, CONFIG_CHANGELOG_MAX_CONCURRENT_WRITES);
if (arg)
@@ -732,6 +739,34 @@ static void changelog5_extract_config(Slapi_Entry* entry, changelog5Config *conf
{
config->dbconfig.maxConcurrentWrites = CL5_DEFAULT_CONFIG_MAX_CONCURRENT_WRITES;
}
+
+ /*
+ * changelog encryption
+ */
+ arg = slapi_entry_attr_get_charptr(entry,
+ CONFIG_CHANGELOG_ENCRYPTION_ALGORITHM);
+ if (arg)
+ {
+ config->dbconfig.encryptionAlgorithm = slapi_ch_strdup(arg);
+ slapi_ch_free_string(&arg);
+ }
+ else
+ {
+ config->dbconfig.encryptionAlgorithm = NULL; /* no encryption */
+ }
+ /*
+ * symmetric key
+ */
+ arg = slapi_entry_attr_get_charptr(entry, CONFIG_CHANGELOG_SYMMETRIC_KEY);
+ if (arg)
+ {
+ config->dbconfig.symmetricKey = slapi_ch_strdup(arg);
+ slapi_ch_free_string(&arg);
+ }
+ else
+ {
+ config->dbconfig.symmetricKey = NULL; /* no symmetric key */
+ }
}
static void replace_bslash (char *dir)
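Review bot: Both new blocks copy `arg` with `slapi_ch_strdup` and then free `arg`, although the free itself shows the string returned by `slapi_entry_attr_get_charptr` is already owned here; the copy is redundant — `config->dbconfig.encryptionAlgorithm = arg;` (and likewise for `symmetricKey`) transfers ownership without the extra allocation and free. Nothing frees a previous value of either field before the assignment; if `changelog5_extract_config` can run on an already-populated struct (a config reload, say) that is a leak, but the function's start is outside the hunk so this cannot be confirmed here.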
diff --git a/ldap/servers/plugins/replication/cl_crypt.c b/ldap/servers/plugins/replication/cl_crypt.c
new file mode 100644
index 0000000..f950b3c
--- /dev/null
+++ b/ldap/servers/plugins/replication/cl_crypt.c
@@ -0,0 +1,203 @@
+/** BEGIN COPYRIGHT BLOCK
+ * This Program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; version 2 of the License.
+ *
+ * This Program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA 02111-1307 USA.
+ *
+ * In addition, as a special exception, Red Hat, Inc. gives You the additional
+ * right to link the code of this Program with code not covered under the GNU
+ * General Public License ("Non-GPL Code") and to distribute linked combinations
+ * including the two, subject to the limitations in this paragraph. Non-GPL Code
+ * permitted under this exception must only link to the code of this Program
+ * through those well defined interfaces identified in the file named EXCEPTION
+ * found in the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline functions from
+ * the Approved Interfaces without causing the resulting work to be covered by
+ * the GNU General Public License. Only Red Hat, Inc. may make changes or
+ * additions to the list of Approved Interfaces. You must obey the GNU General
+ * Public License in all respects for all of the Program code and other code used
+ * in conjunction with the Program except the Non-GPL Code covered by this
+ * exception. If you modify this file, you may extend this exception to your
+ * version of the file, but you are not obligated to do so. If you do not wish to
+ * provide this exception without modification, you must delete this exception
+ * statement from your version and license this file solely under the GPL without
+ * exception.
+ *
+ *
+ * Copyright (C) 2010 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+/* cl_crypt.c - handles changelog encryption. */
+
+#include <errno.h>
+#include <sys/stat.h>
+#if defined( OS_solaris ) || defined( hpux )
+#include <sys/types.h>
+#include <sys/statvfs.h>
+#endif
+#if defined( linux )
+#include <sys/vfs.h>
+#endif
+
+#include "slapi-plugin.h"
+#include "cl5_api.h"
+#include "cl_crypt.h"
+
+/*
+ * BACK_INFO_CRYPT_INIT
+ */
+int
+clcrypt_init(const CL5DBConfig *config, void **clcrypt_handle)
+{
+ int rc = 0;
+ char *cookie = NULL;
+ Slapi_Backend *be = NULL;
+ back_info_crypt_init crypt_init = {0};
+
+ slapi_log_error(SLAPI_LOG_TRACE, repl_plugin_name, "-> clcrypt_init\n");
+ /* Encryption is not specified */
+ if (!config->encryptionAlgorithm || !clcrypt_handle) {
+ goto bail;
+ }
+ crypt_init.dn = "cn=changelog5,cn=config";
+ crypt_init.encryptionAlgorithm = config->encryptionAlgorithm;
+
+ be = slapi_get_first_backend(&cookie);
+ while (be) {
+ crypt_init.be = be;
+ rc = slapi_back_ctrl_info(be, BACK_INFO_CRYPT_INIT,
+ (void *)&crypt_init);
+ if (LDAP_SUCCESS == rc) {
+ break; /* Successfully fetched */
+ }
+ be = slapi_get_next_backend(cookie);
+ }
+ slapi_ch_free((void **)&cookie);
+
+ if (LDAP_SUCCESS == rc && crypt_init.state_priv) {
+ *clcrypt_handle = crypt_init.state_priv;
+ rc = 0;
+ } else {
+ rc = 1;
+ }
+bail:
+ slapi_log_error(SLAPI_LOG_TRACE, repl_plugin_name,
+ "<- clcrypt_init : %d\n", rc);
+ return rc;
+}
+
+/*
+ * return values: 0 - success
+ * : 1 - no encryption
+ * : -1 - error
+ *
+ * output value: out: non-NULL - encryption successful
+ * : NULL - no encryption or failure
+ */
+int
+clcrypt_encrypt_value(void *clcrypt_handle,
+ struct berval *in, struct berval **out)
+{
+ int rc = -1;
+ char *cookie = NULL;
+ Slapi_Backend *be = NULL;
+ back_info_crypt_value crypt_value = {0};
+
+ slapi_log_error(SLAPI_LOG_TRACE, repl_plugin_name,
+ "-> clcrypt_encrypt_value\n");
+ if (NULL == out) {
+ goto bail;
+ }
+ *out = NULL;
+ if (NULL == clcrypt_handle) {
+ rc = 1;
+ goto bail;
+ }
+ crypt_value.state_priv = clcrypt_handle;
+ crypt_value.in = in;
+
+ be = slapi_get_first_backend(&cookie);
+ while (be) {
+ rc = slapi_back_ctrl_info(be, BACK_INFO_CRYPT_ENCRYPT_VALUE,
+ (void *)&crypt_value);
+ if (LDAP_SUCCESS == rc) {
+ break; /* Successfully fetched */
+ }
+ be = slapi_get_next_backend(cookie);
+ }
+ slapi_ch_free((void **)&cookie);
+ if (LDAP_SUCCESS == rc && crypt_value.out) {
+ *out = crypt_value.out;
+ rc = 0;
+ } else {
+ rc = -1;
+ }
+bail:
+ slapi_log_error(SLAPI_LOG_TRACE, repl_plugin_name,
+ "<- clcrypt_encrypt_entry (returning %d)\n", rc);
+ return rc;
+}
+
+/*
+ * return values: 0 - success
+ * : 1 - no encryption
+ * : -1 - error
+ *
+ * output value: out: non-NULL - encryption successful
+ * : NULL - no encryption or failure
+ */
+int
+clcrypt_decrypt_value(void *clcrypt_handle,
+ struct berval *in, struct berval **out)
+{
+ int rc = -1;
+ char *cookie = NULL;
+ Slapi_Backend *be = NULL;
+ back_info_crypt_value crypt_value = {0};
+
+ slapi_log_error(SLAPI_LOG_TRACE, repl_plugin_name,
+ "-> clcrypt_decrypt_value\n");
+ if (NULL == out) {
+ goto bail;
+ }
+ *out = NULL;
+ if (NULL == clcrypt_handle) {
+ rc = 1;
+ goto bail;
+ }
+ crypt_value.state_priv = clcrypt_handle;
+ crypt_value.in = in;
+
+ be = slapi_get_first_backend(&cookie);
+ while (be) {
+ rc = slapi_back_ctrl_info(be, BACK_INFO_CRYPT_DECRYPT_VALUE,
+ (void *)&crypt_value);
+ if (LDAP_SUCCESS == rc) {
+ break; /* Successfully fetched */
+ }
+ be = slapi_get_next_backend(cookie);
+ }
+ slapi_ch_free((void **)&cookie);
+ if (LDAP_SUCCESS == rc && crypt_value.out) {
+ *out = crypt_value.out;
+ rc = 0;
+ } else {
+ rc = -1;
+ }
+bail:
+ slapi_log_error(SLAPI_LOG_TRACE, repl_plugin_name,
+ "<- clcrypt_decrypt_entry (returning %d)\n", rc);
+ return rc;
+}
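Review bot: `clcrypt_init` leaves `*clcrypt_handle` untouched on the `!config->encryptionAlgorithm` bail while still returning 0, so a caller that does not pre-initialise its handle cannot tell "no encryption" from a stale pointer; `clcrypt_encrypt_value` and `clcrypt_decrypt_value` get this right by setting `*out = NULL` before their early exits, and init should match by moving the `!clcrypt_handle` test first and adding `*clcrypt_handle = NULL;` immediately after it. The two exit trace messages name the wrong functions: `"<- clcrypt_encrypt_entry (returning %d)\n"` and `"<- clcrypt_decrypt_entry (returning %d)\n"` should say `clcrypt_encrypt_value` / `clcrypt_decrypt_value`. The header comments on both value functions also say "encryption successful" even for the decrypt routine, and neither states who owns `*out`; the backend allocates it via `back_crypt_*_value`, so document that the caller must release it, once the allocator used by `_back_crypt_crypto_op_value` (not in this chunk) is confirmed.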
diff --git a/ldap/servers/plugins/replication/cl_crypt.h b/ldap/servers/plugins/replication/cl_crypt.h
new file mode 100644
index 0000000..a306e36
--- /dev/null
+++ b/ldap/servers/plugins/replication/cl_crypt.h
@@ -0,0 +1,53 @@
+/** BEGIN COPYRIGHT BLOCK
+ * This Program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; version 2 of the License.
+ *
+ * This Program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA 02111-1307 USA.
+ *
+ * In addition, as a special exception, Red Hat, Inc. gives You the additional
+ * right to link the code of this Program with code not covered under the GNU
+ * General Public License ("Non-GPL Code") and to distribute linked combinations
+ * including the two, subject to the limitations in this paragraph. Non-GPL Code
+ * permitted under this exception must only link to the code of this Program
+ * through those well defined interfaces identified in the file named EXCEPTION
+ * found in the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline functions from
+ * the Approved Interfaces without causing the resulting work to be covered by
+ * the GNU General Public License. Only Red Hat, Inc. may make changes or
+ * additions to the list of Approved Interfaces. You must obey the GNU General
+ * Public License in all respects for all of the Program code and other code used
+ * in conjunction with the Program except the Non-GPL Code covered by this
+ * exception. If you modify this file, you may extend this exception to your
+ * version of the file, but you are not obligated to do so. If you do not wish to
+ * provide this exception without modification, you must delete this exception
+ * statement from your version and license this file solely under the GPL without
+ * exception.
+ *
+ *
+ * Copyright (C) 2010/ Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#ifndef _CLCRYPT_H_
+#define _CLCRYPT_H_
+
+#include "pk11func.h"
+#include "keyhi.h"
+#include "nss.h"
+#include "cert.h"
+
+int clcrypt_init(const CL5DBConfig *config, void **clcrypt_handle);
+int clcrypt_encrypt_value(void *clcrypt_handle, struct berval *in, struct berval **out);
+int clcrypt_decrypt_value(void *state_priv, struct berval *in, struct berval **out);
+#endif /* _CLCRYPT_H_ */
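Review bot: The new header is not self-contained: its prototypes use `CL5DBConfig` and `struct berval`, yet it includes only NSS headers (`pk11func.h`, `keyhi.h`, `nss.h`, `cert.h`) that none of the three declarations need, so it compiles only when the includer has already pulled in `cl5_api.h` and the LDAP headers, and every includer inherits an NSS dependency. Drop the NSS includes and include what declares `CL5DBConfig` instead (cl_crypt.c shows it arriving via `cl5_api.h`). Two smaller points: the guard `_CLCRYPT_H_` (underscore followed by an uppercase letter) is a reserved identifier, `CLCRYPT_H` is the safe spelling; and the decrypt prototype names its first parameter `state_priv` while the definition and the encrypt prototype call it `clcrypt_handle`.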
diff --git a/ldap/servers/plugins/replication/repl_shared.h b/ldap/servers/plugins/replication/repl_shared.h
index 5cff861..99f785e 100644
--- a/ldap/servers/plugins/replication/repl_shared.h
+++ b/ldap/servers/plugins/replication/repl_shared.h
@@ -62,23 +62,10 @@
#define CONFIG_CHANGELOG_DIR_ATTRIBUTE "nsslapd-changelogdir"
#define CONFIG_CHANGELOG_MAXENTRIES_ATTRIBUTE "nsslapd-changelogmaxentries"
#define CONFIG_CHANGELOG_MAXAGE_ATTRIBUTE "nsslapd-changelogmaxage"
-/* Changelog Internal Configuration Parameters -> DB related */
-#define CONFIG_CHANGELOG_DB_DBCACHESIZE "nsslapd-dbcachesize"
-#define CONFIG_CHANGELOG_DB_DURABLE_TRANSACTIONS "nsslapd-db-durable-transaction"
-#define CONFIG_CHANGELOG_DB_CHECKPOINT_INTERVAL "nsslapd-db-checkpoint-interval"
-#define CONFIG_CHANGELOG_DB_CIRCULAR_LOGGING "nsslapd-db-circular-logging"
-#define CONFIG_CHANGELOG_DB_PAGE_SIZE "nsslapd-db-page-size"
-#define CONFIG_CHANGELOG_DB_LOGFILE_SIZE "nsslapd-db-logfile-size"
-#define CONFIG_CHANGELOG_DB_MAXTXN_SIZE "nsslapd-db-max-txn"
-#define CONFIG_CHANGELOG_DB_VERBOSE "nsslapd-db-verbose"
-#define CONFIG_CHANGELOG_DB_DEBUG "nsslapd-db-debug"
-#define CONFIG_CHANGELOG_DB_TRICKLE_PERCENTAGE "nsslapd-db-trickle-percentage"
-#define CONFIG_CHANGELOG_DB_SPINCOUNT "nsslapd-db-spin-count"
/* Changelog Internal Configuration Parameters -> Changelog Cache related */
-#define CONFIG_CHANGELOG_CACHESIZE "nsslapd-cachesize"
-#define CONFIG_CHANGELOG_CACHEMEMSIZE "nsslapd-cachememsize"
-#define CONFIG_CHANGELOG_NB_LOCK "nsslapd-db-locks"
#define CONFIG_CHANGELOG_MAX_CONCURRENT_WRITES "nsslapd-changelogmaxconcurrentwrites"
+#define CONFIG_CHANGELOG_ENCRYPTION_ALGORITHM "nsslapd-encryptionalgorithm"
+#define CONFIG_CHANGELOG_SYMMETRIC_KEY "nsSymmetricKey"
#define T_CHANGETYPESTR "changetype"
#define T_CHANGETYPE 1
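Review bot: After the deletions the surviving comment `/* Changelog Internal Configuration Parameters -> Changelog Cache related */` no longer describes what follows it: the cache macros are gone and the lines under it are now the concurrent-writes limit and the two new encryption attributes. Replace it with `/* Changelog Internal Configuration Parameters -> concurrency and encryption */` and give each new attribute a one-line note, e.g. `/* nsslapd-encryptionalgorithm: cipher display name, matched against attrcrypt_cipher_list */` and `/* nsSymmetricKey: wrapped changelog key, presumably maintained by the server rather than hand-edited */`. Whether anything still references the removed `CONFIG_CHANGELOG_DB_*` and `CONFIG_CHANGELOG_CACHE*` macros is not visible in this chunk.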
diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c
index 5fb6e7b..428f5f1 100644
--- a/ldap/servers/plugins/replication/windows_protocol_util.c
+++ b/ldap/servers/plugins/replication/windows_protocol_util.c
@@ -4608,7 +4608,7 @@ windows_search_local_entry_by_uniqueid(Private_Repl_Protocol *prp, const char *u
PR_smprintf_free(filter_string);
}
- if (is_global) slapi_sdn_free(&local_subtree);
+ if (is_global) slapi_sdn_free((Slapi_DN **)&local_subtree);
return rc;
}
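Review bot: Casting `&local_subtree` to `Slapi_DN **` to satisfy `slapi_sdn_free()` suggests the variable is declared `const Slapi_DN *` even though, when `is_global` is set, this function owns and frees it (the declaration is outside the hunk). Freeing through a cast that strips `const` hides the ownership in the type; declare the pointer non-const for the owning case, or keep a separate non-const pointer for the allocated copy, rather than casting at the free site.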
diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c
index 3c9b5d6..39a214c 100644
--- a/ldap/servers/slapd/back-ldbm/dblayer.c
+++ b/ldap/servers/slapd/back-ldbm/dblayer.c
@@ -924,7 +924,7 @@ void dblayer_sys_pages(size_t *pagesize, size_t *pages, size_t *procpages, size_
if (feof(f))
break;
if (strncmp(s, "VmSize:", 7) == 0) {
- sscanf(s+7, "%lu", procpages);
+ sscanf(s+7, "%u", procpages);
break;
}
}
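Review bot: `sscanf(s+7, "%u", procpages)` writes an `unsigned int` through a `size_t *` (`procpages` is declared `size_t *` in the signature shown in the hunk header); on LP64 that stores 4 bytes into an 8-byte object and is undefined behaviour under the format rules, so the switch from `%lu` to `%u` trades a warning on one platform for a real mismatch on another. The portable form is `sscanf(s+7, "%zu", procpages);`. The next hunk makes the same change in `PR_snprintf(line, sizeof(line), "cachesize:%u...", priv->dblayer_cachesize, ...)`; the field's type is not visible here, but since NSPR's formatter is not guaranteed to understand `%zu`, the safe form there is `"cachesize:%lu..."` with the argument cast to `(unsigned long)priv->dblayer_cachesize`.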
@@ -4213,7 +4213,7 @@ static int commit_good_database(dblayer_private *priv)
filename, PR_GetError(), slapd_pr_strerror(PR_GetError()) );
return -1;
}
- PR_snprintf(line,sizeof(line),"cachesize:%lu\nncache:%d\nversion:%d\n",
+ PR_snprintf(line,sizeof(line),"cachesize:%u\nncache:%d\nversion:%d\n",
priv->dblayer_cachesize, priv->dblayer_ncache, DB_VERSION_MAJOR);
num_bytes = strlen(line);
return_value = slapi_write_buffer(prfd, line, num_bytes);
@@ -6544,3 +6544,41 @@ ldbm_back_set_info(Slapi_Backend *be, int cmd, void *info)
return rc;
}
+
+int
+ldbm_back_ctrl_info(Slapi_Backend *be, int cmd, void *info)
+{
+ int rc = -1;
+ if (!be || !info) {
+ return rc;
+ }
+
+ switch (cmd) {
+ case BACK_INFO_CRYPT_INIT:
+ {
+ back_info_crypt_init *crypt_init = (back_info_crypt_init *)info;
+ rc = back_crypt_init(crypt_init->be, crypt_init->dn,
+ crypt_init->encryptionAlgorithm,
+ &(crypt_init->state_priv));
+ break;
+ }
+ case BACK_INFO_CRYPT_ENCRYPT_VALUE:
+ {
+ back_info_crypt_value *crypt_value = (back_info_crypt_value *)info;
+ rc = back_crypt_encrypt_value(crypt_value->state_priv, crypt_value->in,
+ &(crypt_value->out));
+ break;
+ }
+ case BACK_INFO_CRYPT_DECRYPT_VALUE:
+ {
+ back_info_crypt_value *crypt_value = (back_info_crypt_value *)info;
+ rc = back_crypt_decrypt_value(crypt_value->state_priv, crypt_value->in,
+ &(crypt_value->out));
+ break;
+ }
+ default:
+ break;
+ }
+
+ return rc;
+}
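Review bot: In the `BACK_INFO_CRYPT_INIT` case the backend handed to `back_crypt_init` is `crypt_init->be`, taken from the caller-supplied struct, while the `be` parameter that was just NULL-checked is ignored; the two can disagree, and the check then protects the wrong one. Use the parameter: `rc = back_crypt_init(be, crypt_init->dn, crypt_init->encryptionAlgorithm, &(crypt_init->state_priv));`. The `default:` branch also returns -1 silently, the same value the crypt helpers use for their own failures; a trace-level log naming the unknown `cmd` would make misrouted calls diagnosable, and a comment above the switch — `/* info is interpreted according to cmd; callers pass the matching back_info_* struct */` — would document the `void *` contract.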
diff --git a/ldap/servers/slapd/back-ldbm/id2entry.c b/ldap/servers/slapd/back-ldbm/id2entry.c
index 57ada09..c509d3a 100644
--- a/ldap/servers/slapd/back-ldbm/id2entry.c
+++ b/ldap/servers/slapd/back-ldbm/id2entry.c
@@ -46,6 +46,10 @@
#define ID2ENTRY "id2entry"
+static char *protected_attrs_all [] = {PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
+ LDBM_ENTRYDN_STR,
+ NULL};
+
/*
* The caller MUST check for DB_LOCK_DEADLOCK and DB_RUNRECOVERY returned
*/
@@ -60,6 +64,7 @@ id2entry_add_ext( backend *be, struct backentry *e, back_txn *txn, int encrypt
int len, rc;
char temp_id[sizeof(ID)];
struct backentry *encrypted_entry = NULL;
+ char **paap = NULL;
char *entrydn = NULL;
LDAPDebug( LDAP_DEBUG_TRACE, "=> id2entry_add( %lu, \"%s\" )\n",
@@ -120,12 +125,15 @@ id2entry_add_ext( backend *be, struct backentry *e, back_txn *txn, int encrypt
LDAPDebug2Args( LDAP_DEBUG_TRACE,
"=> id2entry_add (dncache) ( %lu, \"%s\" )\n",
(u_long)e->ep_id, slapi_entry_get_dn_const(entry_to_use) );
- /* If entrydn exists in the entry, we have to remove it before
- * writing the entry to the database. */
- if (0 == slapi_entry_attr_find(entry_to_use,
- LDBM_ENTRYDN_STR, &eattr)) {
- /* entrydn exists in the entry. let's removed it. */
- slapi_entry_delete_values(entry_to_use, LDBM_ENTRYDN_STR, NULL);
+ /*
+ * If protected attributes exist in the entry,
+ * we have to remove them before writing the entry to the database.
+ */
+ for (paap = protected_attrs_all; paap && *paap; paap++) {
+ if (0 == slapi_entry_attr_find(entry_to_use, *paap, &eattr)) {
+ /* a protected attr exists in the entry. removed it. */
+ slapi_entry_delete_values(entry_to_use, *paap, NULL);
+ }
}
}
data.dptr = slapi_entry2str_with_options(entry_to_use, &len, options);
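Review bot: The new loop extends the pre-write scrub from `entrydn` to every name in `protected_attrs_all`, which now also keeps the clear-text `PSEUDO_ATTR_UNHASHEDUSERPASSWORD` out of id2entry — a good change, but the comment `/* a protected attr exists in the entry. removed it. */` should read `remove it`, and the `paap &&` in the loop condition is dead since `protected_attrs_all` is a static array. Whether `entry_to_use` is a private copy or the caller's live entry is decided before this hunk; if it is the live entry, deleting the unhashed password here also removes it for any later plugin that still expects it, so a one-line comment stating which it is would spare the next reader that check.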
diff --git a/ldap/servers/slapd/back-ldbm/init.c b/ldap/servers/slapd/back-ldbm/init.c
index 5b3d9c8..c645444 100644
--- a/ldap/servers/slapd/back-ldbm/init.c
+++ b/ldap/servers/slapd/back-ldbm/init.c
@@ -250,6 +250,8 @@ ldbm_back_init( Slapi_PBlock *pb )
(void *) ldbm_back_get_info );
rc |= slapi_pblock_set( pb, SLAPI_PLUGIN_DB_SET_INFO_FN,
(void *) ldbm_back_set_info );
+ rc |= slapi_pblock_set( pb, SLAPI_PLUGIN_DB_CTRL_INFO_FN,
+ (void *) ldbm_back_ctrl_info );
if ( rc != 0 ) {
LDAPDebug( LDAP_DEBUG_ANY, "ldbm_back_init failed\n", 0, 0, 0 );
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
index deb818d..88d78fc 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
@@ -31,7 +31,7 @@
* exception.
*
*
- * Copyright (C) 2005 Red Hat, Inc.
+ * Copyright (C) 2010 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -39,9 +39,8 @@
# include <config.h>
#endif
-/* This file handles attribute encryption.
- */
-
+/* This file handles attribute encryption. */
+/* #define DEBUG_ATTRCRYPT 1 */
#include "back-ldbm.h"
#include "attrcrypt.h"
@@ -54,6 +53,8 @@
* Remember to free the private structures in the attrinfos, so avoid a leak.
*/
+#define ATTRCRYPT "attrcrypt"
+
attrcrypt_cipher_entry attrcrypt_cipher_list[] = { {ATTRCRYPT_CIPHER_AES, "AES", CKM_AES_CBC_PAD, CKM_AES_CBC_PAD, CKM_AES_CBC_PAD, 128/8, 16} ,
{ATTRCRYPT_CIPHER_DES3 , "3DES" , CKM_DES3_CBC_PAD, CKM_DES3_CBC_PAD, CKM_DES3_CBC_PAD, 112/8, 8},
{0} };
@@ -76,8 +77,25 @@ struct _attrcrypt_state_private {
attrcrypt_cipher_state *acs_array[1];
};
+/*
+ * Return
+ */
+enum
+{
+ KEYMGMT_SUCCESS = 0,
+ KEYMGMT_ERR_NO_ENTRY, /* Entry to store key does not exist */
+ KEYMGMT_ERR_NO_KEY_ATTR, /* Entry has no key attribute */
+ KEYMGMT_ERR_NO_KEY_VALUE, /* Empty key */
+ KEYMGMT_ERR_CANT_UNWRAP, /* Key failed to unwrap */
+ KEYMGMT_ERR_OTHER /* Other error */
+};
+
static int attrcrypt_wrap_key(attrcrypt_cipher_state *acs, PK11SymKey *symmetric_key, SECKEYPublicKey *public_key, SECItem *wrapped_symmetric_key);
static int attrcrypt_unwrap_key(attrcrypt_cipher_state *acs, SECKEYPrivateKey *private_key, SECItem *wrapped_symmetric_key, PK11SymKey **unwrapped_symmetric_key);
+static int _back_crypt_cleanup_private(attrcrypt_state_private **state_priv);
+static void _back_crypt_acs_list_add(attrcrypt_state_private **state_priv, attrcrypt_cipher_state *acs);
+static int _back_crypt_keymgmt_get_key(attrcrypt_cipher_state *acs, SECKEYPrivateKey *private_key, PK11SymKey **key_from_store, const char *dn_string);
+static int _back_crypt_crypto_op(attrcrypt_private *priv, attrcrypt_cipher_state *acs, char *in_data, size_t in_size, char **out_data, size_t *out_size, int encrypt, backend *be, struct attrinfo *ai /* just for debugging */);
/*
* Copied from front-end because it's private to plugins
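Review bot: All the new file-scope helpers are named `_back_crypt_*`; identifiers beginning with an underscore are reserved at file scope in C (C11 7.1.3) whatever letter follows, so a `back_crypt_*_priv` or `bc_` naming would stay out of the reserved space — this applies to every `_back_crypt_` prototype and definition in the commit, not only the four here. The enum comment `/* Return */` is incomplete; say what returns these values: `/* Return codes of _back_crypt_keymgmt_get_key() and attrcrypt_keymgmt_get_key() */`. The `_back_crypt_crypto_op` prototype's trailing `struct attrinfo *ai /* just for debugging */` also deserves a sentence in the comment block, since it signals that `ai` is consulted only under `DEBUG_ATTRCRYPT` (the body is outside this chunk, so confirm).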
@@ -141,10 +159,8 @@ static int
attrcrypt_keymgmt_get_key(ldbm_instance *li, attrcrypt_cipher_state *acs, SECKEYPrivateKey *private_key, PK11SymKey **key_from_store)
{
int ret = 0;
- Slapi_Entry *entry = NULL;
char *dn_template = "cn=%s,cn=encrypted attribute keys,cn=%s,cn=%s,cn=plugins,cn=config";
char *instance_name = li->inst_name;
- Slapi_Attr *keyattr = NULL;
char *dn_string = NULL;
LDAPDebug(LDAP_DEBUG_TRACE,"-> attrcrypt_keymgmt_get_key\n", 0, 0, 0);
@@ -161,27 +177,8 @@ attrcrypt_keymgmt_get_key(ldbm_instance *li, attrcrypt_cipher_state *acs, SECKEY
ret = -1;
goto bail;
}
- /* Fetch the entry */
- getConfigEntry(dn_string, &entry);
- /* Did we find the entry ? */
- if (NULL != entry) {
- SECItem key_to_unwrap = {0};
- /* If so then look for the attribute that contains the key */
- slapi_entry_attr_find(entry, KEY_ATTRIBUTE_NAME, &keyattr);
- if (keyattr != NULL) {
- Slapi_Value *v = NULL;
- slapi_valueset_first_value( &keyattr->a_present_values, &v);
- key_to_unwrap.len = slapi_value_get_length(v);
- key_to_unwrap.data = (void*)slapi_value_get_string(v);
- }
- /* Unwrap it */
- ret = attrcrypt_unwrap_key(acs, private_key, &key_to_unwrap, key_from_store);
- if (entry) {
- freeConfigEntry(&entry);
- }
- } else {
- ret = -2; /* Means: we didn't find the entry (which happens if the key has never been generated) */
- }
+ ret = _back_crypt_keymgmt_get_key(acs, private_key, key_from_store,
+ (const char *)dn_string);
bail:
slapi_ch_free_string(&dn_string);
LDAPDebug(LDAP_DEBUG_TRACE,"<- attrcrypt_keymgmt_get_key\n", 0, 0, 0);
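Review bot: `attrcrypt_keymgmt_get_key` now mixes two return vocabularies: the early `ret = -1; goto bail;` path above the replaced block still returns -1, while the delegated `_back_crypt_keymgmt_get_key` returns the new `KEYMGMT_*` codes. `attrcrypt_cipher_init` happens to treat both as generic failure, but returning `KEYMGMT_ERR_OTHER` on that path keeps the return space consistent and lets a future caller switch on it. The `(const char *)dn_string` cast at the call is redundant, since `char *` converts to `const char *` implicitly.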
@@ -402,34 +399,51 @@ attrcrypt_cipher_init(ldbm_instance *li, attrcrypt_cipher_entry *ace, SECKEYPriv
acs->ace = ace;
acs->cipher_display_name = ace->cipher_display_name;
if (NULL == acs->cipher_lock) {
- LDAPDebug(LDAP_DEBUG_ANY,"Failed to create cipher lock in attrcrypt_cipher_init\n", 0, 0, 0);
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "Failed to create cipher lock in attrcrypt_cipher_init\n");
}
acs->slot = slapd_pk11_GetInternalKeySlot();
if (NULL == acs->slot) {
- LDAPDebug(LDAP_DEBUG_ANY,"Failed to create a slot for cipher %s in attrcrypt_cipher_entry\n", acs->cipher_display_name, 0, 0);
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "Failed to create a slot for cipher %s in attrcrypt_cipher_entry\n",
+ acs->cipher_display_name);
goto error;
}
/* Try to get the symmetric key for this cipher */
ret = attrcrypt_keymgmt_get_key(li,acs,private_key,&symmetric_key);
- if (ret) {
- if (-2 == ret) {
- LDAPDebug(LDAP_DEBUG_ANY,"No symmetric key found for cipher %s in backend %s, attempting to create one...\n", acs->cipher_display_name, li->inst_name, 0);
- ret = attrcrypt_generate_key(acs,&symmetric_key);
+ if (KEYMGMT_ERR_NO_ENTRY == ret) {
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "No symmetric key found for cipher %s in backend %s, "
+ "attempting to create one...\n",
+ acs->cipher_display_name, li->inst_name);
+ ret = attrcrypt_generate_key(acs,&symmetric_key);
+ if (ret) {
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "Failed to generate key for %s in attrcrypt_cipher_init\n",
+ acs->cipher_display_name);
+ }
+ if (symmetric_key) {
+ ret = attrcrypt_keymgmt_store_key(li,acs,public_key,symmetric_key);
if (ret) {
- LDAPDebug(LDAP_DEBUG_ANY,"Failed to generate key for %s in attrcrypt_cipher_init\n", acs->cipher_display_name, 0, 0);
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "Failed to store key for cipher %s in "
+ "attrcrypt_cipher_init\n", acs->cipher_display_name);
+ } else {
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "Key for cipher %s successfully generated and stored\n",
+ acs->cipher_display_name);
}
- if (symmetric_key) {
- ret = attrcrypt_keymgmt_store_key(li,acs,public_key,symmetric_key);
- if (ret) {
- LDAPDebug(LDAP_DEBUG_ANY,"Failed to store key for cipher %s in attrcrypt_cipher_init\n", acs->cipher_display_name, 0, 0);
- } else {
- LDAPDebug(LDAP_DEBUG_ANY,"Key for cipher %s successfully generated and stored\n", acs->cipher_display_name, 0, 0);
- }
- }
-
- } else {
- LDAPDebug(LDAP_DEBUG_ANY,"Failed to retrieve key for cipher %s in attrcrypt_cipher_init\n", acs->cipher_display_name, 0, 0);
}
+ } else if (KEYMGMT_ERR_CANT_UNWRAP == ret) {
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "attrcrypt_cipher_init: symmetric key failed to unwrap "
+ "with the private key; Cert might have been renewed since "
+ "the key is wrapped. To recover the encrypted contents, "
+ "keep the wrapped symmetric key value.\n");
+ } else if (ret) {
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "Failed to retrieve key for cipher %s in attrcrypt_cipher_init "
+ "(%d)\n", acs->cipher_display_name, ret);
}
if (symmetric_key) {
/* we loaded the symmetric key, store it in the acs */
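Review bot: In the `KEYMGMT_ERR_NO_ENTRY` branch a key that was freshly generated but failed to persist (`attrcrypt_keymgmt_store_key` returning non-zero) is left in `symmetric_key`, and the `if (symmetric_key)` that follows installs it into the acs (the tail of `attrcrypt_cipher_init` is outside the hunk, so confirm it still does). Data encrypted with a key that was never stored is unrecoverable after a restart; on store failure release the key and clear the pointer, e.g. `slapd_pk11_FreeSymKey(symmetric_key); symmetric_key = NULL;` inside the `if (ret)` after the failure log, so the function fails closed instead. Refusing to generate a replacement on `KEYMGMT_ERR_CANT_UNWRAP` is the right call for keeping existing data recoverable; that log could also name the cipher and backend like its siblings, using `acs->cipher_display_name, li->inst_name`.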
@@ -444,21 +458,7 @@ static void
attrcrypt_acs_list_add(ldbm_instance *li,attrcrypt_cipher_state *acs)
{
/* Realloc the existing list and add to the end */
- attrcrypt_cipher_state **current = NULL;
- size_t list_size = 0;
- /* Is the list already there ? */
- if (NULL == li->inst_attrcrypt_state_private) {
- /* If not, add it */
- li->inst_attrcrypt_state_private = (attrcrypt_state_private *) slapi_ch_calloc(sizeof(attrcrypt_cipher_state *), 2); /* 2 == The pointer and a NULL terminator */
- } else {
- /* Otherwise re-size it */
- for (current = &(li->inst_attrcrypt_state_private->acs_array[0]); *current; current++) {
- list_size++;
- }
- li->inst_attrcrypt_state_private = (attrcrypt_state_private *) slapi_ch_realloc((char*)li->inst_attrcrypt_state_private,sizeof(attrcrypt_cipher_state *) * (list_size + 2));
- li->inst_attrcrypt_state_private->acs_array[list_size + 1] = NULL;
- }
- li->inst_attrcrypt_state_private->acs_array[list_size] = acs;
+ _back_crypt_acs_list_add(&(li->inst_attrcrypt_state_private), acs);
}
int
@@ -495,7 +495,6 @@ attrcrypt_init(ldbm_instance *li)
attrcrypt_acs_list_add(li,acs);
LDAPDebug(LDAP_DEBUG_TRACE,"Initialized cipher %s in attrcrypt_init\n", ace->cipher_display_name, 0, 0);
}
-
}
}
slapd_pk11_DestroyPublicKey(public_key);
@@ -548,16 +547,9 @@ attrcrypt_cleanup(attrcrypt_cipher_state *acs)
int
attrcrypt_cleanup_private(ldbm_instance *li)
{
- attrcrypt_cipher_state **current = NULL;
-
LDAPDebug(LDAP_DEBUG_TRACE, "-> attrcrypt_cleanup_private\n", 0, 0, 0);
if (li && li->inst_attrcrypt_state_private) {
- for (current = &(li->inst_attrcrypt_state_private->acs_array[0]);
- *current; current++) {
- attrcrypt_cleanup(*current);
- slapi_ch_free((void **)current);
- }
- slapi_ch_free((void **)&li->inst_attrcrypt_state_private);
+ _back_crypt_cleanup_private(&(li->inst_attrcrypt_state_private));
}
LDAPDebug(LDAP_DEBUG_TRACE, "<- attrcrypt_cleanup_private\n", 0, 0, 0);
return 0;
@@ -609,14 +601,6 @@ static int
attrcrypt_crypto_op(attrcrypt_private *priv, backend *be, struct attrinfo *ai, char *in_data, size_t in_size, char **out_data, size_t *out_size, int encrypt)
{
int ret = -1;
- SECStatus secret = 0;
- PK11Context* sec_context = NULL;
- SECItem iv_item = {0};
- SECItem *security_parameter = NULL;
- int output_buffer_length = 0;
- int output_buffer_size1 = 0;
- unsigned int output_buffer_size2 = 0;
- unsigned char *output_buffer = NULL;
attrcrypt_cipher_state *acs = NULL;
LDAPDebug(LDAP_DEBUG_TRACE,"-> attrcrypt_crypto_op\n", 0, 0, 0);
@@ -632,80 +616,8 @@ attrcrypt_crypto_op(attrcrypt_private *priv, backend *be, struct attrinfo *ai, c
log_bytes("attrcrypt_crypto_op decrypt '%s' (%d)\n", (unsigned char *)in_data, in_size);
}
#endif
- /* Allocate the output buffer */
- output_buffer_length = in_size + 16;
- output_buffer = (unsigned char *)slapi_ch_malloc(output_buffer_length);
- /* Now call NSS to do the cipher op */
- iv_item.data = (unsigned char *)"aaaaaaaaaaaaaaaa"; /* ptr to an array of IV bytes */
- iv_item.len = acs->ace->iv_length; /* length of the array of IV bytes */
- security_parameter = slapd_pk11_ParamFromIV(acs->ace->cipher_mechanism, &iv_item);
- if (NULL == security_parameter) {
- int errorCode = PR_GetError();
- LDAPDebug(LDAP_DEBUG_ANY,"attrcrypt_crypto_op failed to make IV for cipher %s : %d - %s\n", acs->ace->cipher_display_name, errorCode, slapd_pr_strerror(errorCode));
- goto error;
- }
- sec_context = slapd_pk11_createContextBySymKey(acs->ace->cipher_mechanism, (encrypt ? CKA_ENCRYPT : CKA_DECRYPT), acs->key, security_parameter);
- if (NULL == sec_context) {
- int errorCode = PR_GetError();
- LDAPDebug(LDAP_DEBUG_ANY,"attrcrypt_crypto_op failed on cipher %s : %d - %s\n", acs->ace->cipher_display_name, errorCode, slapd_pr_strerror(errorCode));
- goto error;
- }
- secret = slapd_pk11_cipherOp(sec_context, output_buffer, &output_buffer_size1, output_buffer_length, (unsigned char *)in_data, in_size);
- if (SECSuccess != secret) {
- int errorCode = PR_GetError();
- LDAPDebug(LDAP_DEBUG_ANY,"attrcrypt_crypto_op failed on cipher %s : %d - %s\n", acs->ace->cipher_display_name, errorCode, slapd_pr_strerror(errorCode));
- goto error;
- }
-#if defined(DEBUG_ATTRCRYPT)
- LDAPDebug(LDAP_DEBUG_ANY,"slapd_pk11_cipherOp %d\n", output_buffer_size1, 0, 0);
-#endif
- secret = slapd_pk11_DigestFinal(sec_context, output_buffer + output_buffer_size1, &output_buffer_size2, output_buffer_length - output_buffer_size1);
- if (SECSuccess != secret) {
- int errorCode = PR_GetError();
- LDAPDebug(LDAP_DEBUG_ANY,"attrcrypt_crypto_op digest final failed on cipher %s : %d - %s\n", acs->ace->cipher_display_name, errorCode, slapd_pr_strerror(errorCode));
- goto error;
- } else {
-#if defined(DEBUG_ATTRCRYPT)
- int recurse = 1;
- if (encrypt) {
- log_bytes("slapd_pk11_DigestFinal '%s' (%d)\n", output_buffer, output_buffer_size1 + output_buffer_size2);
- } else {
- LDAPDebug(LDAP_DEBUG_ANY,"slapd_pk11_DigestFinal '%s', %u\n", output_buffer, output_buffer_size2, 0);
- }
- if (*out_size == -1) {
- recurse = 0;
- }
-#endif
- *out_size = output_buffer_size1 + output_buffer_size2;
- *out_data = (char *)output_buffer;
- ret = 0; /* success */
-#if defined(DEBUG_ATTRCRYPT)
- if (recurse) {
- char *redo_data = NULL;
- size_t redo_size = -1;
- int redo_ret;
-
- LDAPDebug(LDAP_DEBUG_ANY,"------> check result of crypto op\n", 0, 0, 0);
- redo_ret = attrcrypt_crypto_op(priv, be, ai, *out_data, *out_size, &redo_data, &redo_size, !encrypt);
- slapi_log_error(SLAPI_LOG_FATAL, "DEBUG_ATTRCRYPT",
- "orig length %ld redone length %ld\n", in_size, redo_size);
- log_bytes("DEBUG_ATTRCRYPT orig bytes '%s' (%d)\n", (unsigned char *)in_data, in_size);
- log_bytes("DEBUG_ATTRCRYPT redo bytes '%s' (%d)\n", (unsigned char *)redo_data, redo_size);
-
- LDAPDebug(LDAP_DEBUG_ANY,"<------ check result of crypto op\n", 0, 0, 0);
- }
-#endif
- }
-error:
- if (sec_context) {
- slapd_pk11_DestroyContext(sec_context, PR_TRUE);
- }
- if (security_parameter) {
- slapd_SECITEM_FreeItem(security_parameter, PR_TRUE);
- }
- if (ret) {
- slapi_ch_free_string((char **)&output_buffer);
- }
+ ret = _back_crypt_crypto_op(priv, acs, in_data, in_size,
+ out_data, out_size, encrypt, be, ai);
LDAPDebug(LDAP_DEBUG_TRACE,"<- attrcrypt_crypto_op\n", 0, 0, 0);
return ret;
}
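Review bot: The body moved out of `attrcrypt_crypto_op` into `_back_crypt_crypto_op` used a constant IV (`"aaaaaaaaaaaaaaaa"`) for the CBC mechanisms; whether the moved code kept it is not visible in this chunk, but if it did, the new call site is the place to record the consequence for the storage format: `/* _back_crypt_crypto_op chooses the IV; the stored format carries no per-value IV, so equal plaintexts under one key encrypt to equal ciphertexts */`. Centralising the operation in one helper is what makes a later move to a per-value IV feasible, so a note that the on-disk format would change with it belongs there too. The `ai` argument passed last is, per its prototype, only for debug logging; `ai /* debug only */` at the call would make that explicit.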
@@ -1026,3 +938,607 @@ bail:
return rc;
}
+
+/******************************************************************************/
+static int _back_crypt_cipher_init(Slapi_Backend *be, attrcrypt_state_private **state_priv, attrcrypt_cipher_entry *ace, SECKEYPrivateKey *private_key, SECKEYPublicKey *public_key, attrcrypt_cipher_state *acs, const char *dn_string);
+static int _back_crypt_keymgmt_store_key(Slapi_Backend *be, attrcrypt_cipher_state *acs, SECKEYPublicKey *public_key, PK11SymKey *key_to_store, const char *dn_string);
+static int _back_crypt_crypto_op_value(attrcrypt_state_private *state_priv, Slapi_Value *invalue, Slapi_Value **outvalue, int encrypt);
+
+int
+back_crypt_init(Slapi_Backend *be, const char *dn,
+ const char *encAlgorithm, void **handle)
+{
+ int ret = 0;
+ attrcrypt_cipher_entry *ace = NULL;
+ SECKEYPrivateKey *private_key = NULL;
+ SECKEYPublicKey *public_key = NULL;
+ attrcrypt_state_private **state_priv = (attrcrypt_state_private **)handle;
+
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT, "-> back_crypt_init\n");
+ /* Encryption is not specified */
+ if (!encAlgorithm || !handle) {
+ goto bail;
+ }
+ if (!slapd_security_library_is_initialized()) {
+ goto bail;
+ }
+ _back_crypt_cleanup_private(state_priv);
+
+ /* Get the server's private key,
+ * which is used to unwrap the stored symmetric keys */
+ ret = attrcrypt_fetch_private_key(&private_key);
+ if (ret) {
+ goto bail;
+ }
+ ret = attrcrypt_fetch_public_key(&public_key);
+ if (ret) {
+ goto bail;
+ }
+ for (ace = attrcrypt_cipher_list;
+ ace && ace->cipher_number && !ret; ace++) {
+ if (strcasecmp(ace->cipher_display_name, encAlgorithm)) {
+ continue; /* did not match. next. */
+ }
+ /* Make a state object for this cipher */
+ attrcrypt_cipher_state *acs = (attrcrypt_cipher_state *)slapi_ch_calloc(
+ sizeof(attrcrypt_cipher_state), 1);
+ ret = _back_crypt_cipher_init(be, state_priv, ace,
+ private_key, public_key, acs, dn);
+ if (ret) {
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "back_crypt_init: Failed to initialize cipher %s\n",
+ ace->cipher_display_name);
+ slapi_ch_free((void **)&acs);
+ } else {
+ /* Since we succeeded, set acs to state_priv */
+ _back_crypt_acs_list_add(state_priv, acs);
+ slapi_log_error(SLAPI_LOG_BACKLDBM, ATTRCRYPT,
+ "back_crypt_init: Initialized cipher %s\n",
+ ace->cipher_display_name);
+ }
+ break;
+ }
+ SECKEY_DestroyPublicKey(public_key);
+ public_key = NULL;
+ SECKEY_DestroyPrivateKey(private_key);
+ private_key = NULL;
+bail:
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "<- back_crypt_init : %d\n", ret);
+ return ret;
+}
+
+/*
+ * return values: 0 - success
+ * : -1 - error
+ *
+ * output value: out: non-NULL - encryption successful
+ * : NULL - no encryption or failure
+ */
+int
+back_crypt_encrypt_value(void *handle, struct berval *in, struct berval **out)
+{
+ int ret = -1;
+ Slapi_Value *invalue = NULL;
+ Slapi_Value *outvalue = NULL;
+ attrcrypt_state_private *state_priv = (attrcrypt_state_private *)handle;
+
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "-> back_crypt_encrypt_value\n");
+ if (NULL == out) {
+ goto bail;
+ }
+ *out = NULL;
+ if (!state_priv || !state_priv->acs_array) {
+ goto bail;
+ }
+ invalue = slapi_value_new_berval(in);
+ /* Now encrypt the attribute values in place on the new entry */
+ ret = _back_crypt_crypto_op_value(state_priv, invalue, &outvalue, 1);
+ if (0 == ret) {
+ *out = slapi_ch_bvdup(slapi_value_get_berval(outvalue));
+ }
+bail:
+ slapi_value_free(&invalue);
+ slapi_value_free(&outvalue);
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "<- back_crypt_encrypt_entry (returning %d)\n", ret);
+ return ret;
+}
+
+int
+back_crypt_decrypt_value(void *handle, struct berval *in, struct berval **out)
+{
+ int ret = -1;
+ Slapi_Value *invalue = NULL;
+ Slapi_Value *outvalue = NULL;
+ attrcrypt_state_private *state_priv = (attrcrypt_state_private *)handle;
+
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "-> back_crypt_decrypt_value\n");
+ if (NULL == out) {
+ goto bail;
+ }
+ *out = NULL;
+ if (!state_priv || !state_priv->acs_array) {
+ goto bail;
+ }
+ invalue = slapi_value_new_berval(in);
+ /* Now decrypt the value */
+ ret = _back_crypt_crypto_op_value(state_priv, invalue, &outvalue, 0);
+ if (0 == ret) {
+ *out = slapi_ch_bvdup(slapi_value_get_berval(outvalue));
+ }
+bail:
+ slapi_value_free(&invalue);
+ slapi_value_free(&outvalue);
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "<- _back_crypt_decrypt_entry (returning %d)\n", ret);
+ return ret;
+}
+
+static int
+_back_crypt_crypto_op_value(attrcrypt_state_private *state_priv,
+ Slapi_Value *invalue, Slapi_Value **outvalue,
+ int encrypt)
+{
+ int ret = -1;
+ char *in_data = NULL;
+ size_t in_size = 0;
+ char *out_data = NULL;
+ size_t out_size = 0;
+ struct berval *bval = NULL;
+ attrcrypt_cipher_state *acs = NULL;
+
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "-> _back_crypt_crypto_op_value\n");
+ if (NULL == invalue || NULL == outvalue) {
+ goto bail;
+ }
+
+ bval = (struct berval *) slapi_value_get_berval(invalue);
+ if (NULL == bval) {
+ goto bail;
+ }
+ in_data = bval->bv_val;
+ in_size = bval->bv_len;
+
+ acs = state_priv->acs_array[0];
+ if (NULL == acs) {
+ /* This happens if SSL/NSS has not been enabled */
+ goto bail;
+ }
+ ret = _back_crypt_crypto_op(NULL, acs, in_data, in_size,
+ &out_data, &out_size, encrypt, NULL, NULL);
+ if (0 == ret) {
+ struct berval outbervalue = {0};
+ outbervalue.bv_len = out_size;
+ outbervalue.bv_val = out_data;
+ /* This call makes a copy of the payload data,
+ * so we need to free the original data after making the call */
+ *outvalue = slapi_value_new_berval(&outbervalue);
+ slapi_ch_free((void**)&out_data);
+ }
+
+bail:
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "<- _back_crypt_crypto_op_value (returning %d)\n", ret);
+ return ret;
+}
+
+
+/* Initialize the structure for a single cipher */
+static int
+_back_crypt_cipher_init(Slapi_Backend *be,
+ attrcrypt_state_private **state_priv,
+ attrcrypt_cipher_entry *ace,
+ SECKEYPrivateKey *private_key,
+ SECKEYPublicKey *public_key,
+ attrcrypt_cipher_state *acs,
+ const char *dn_string)
+{
+ int ret = 1; /* fail by default */
+ PK11SymKey *symmetric_key = NULL;
+
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT, "-> _back_crypt_cipher_init\n");
+ acs->cipher_lock = PR_NewLock();
+ /* Fill in some basic stuff */
+ acs->ace = ace;
+ acs->cipher_display_name = ace->cipher_display_name;
+ if (NULL == acs->cipher_lock) {
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "_back_crypt_cipher_init: Cipher lock not found.\n");
+ }
+ acs->slot = slapd_pk11_getInternalKeySlot();
+ if (NULL == acs->slot) {
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "_back_crypt_cipher_init: Failed to create a slot for cipher %s\n",
+ acs->cipher_display_name);
+ goto error;
+ }
+ /* Try to get the symmetric key for this cipher */
+ ret = _back_crypt_keymgmt_get_key(acs, private_key,
+ &symmetric_key, dn_string);
+ if (KEYMGMT_ERR_NO_ENTRY == ret) {
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "_back_crypt_cipher_init: entry storing key does not exist.\n");
+ } else if (KEYMGMT_ERR_OTHER == ret) {
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "_back_crypt_cipher_init: coding error.\n");
+ } else if (KEYMGMT_ERR_CANT_UNWRAP == ret) {
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "_back_crypt_cipher_init: symmetric key failed to unwrap "
+ "with the private key; Cert might have been renewed since "
+ "the key is wrapped. To recover the encrypted contents, "
+ "keep the wrapped symmetric key value.\n");
+ } else if (ret) {
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "_back_crypt_cipher_init: No symmetric key found for cipher "
+ "%s, attempting to create one...\n", acs->cipher_display_name);
+ ret = attrcrypt_generate_key(acs, &symmetric_key);
+ if (ret) {
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "_back_crypt_cipher_init: Failed to generate key for %s\n",
+ acs->cipher_display_name);
+ }
+ if (symmetric_key) {
+ ret = _back_crypt_keymgmt_store_key(be, acs, public_key,
+ symmetric_key, dn_string);
+ if (ret) {
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "_back_crypt_cipher_init: Failed to store key for cipher "
+ "%s\n", acs->cipher_display_name);
+ } else {
+ slapi_log_error(SLAPI_LOG_BACKLDBM, ATTRCRYPT,
+ "Key for cipher %s successfully generated and stored\n",
+ acs->cipher_display_name);
+ }
+ }
+ }
+ if (symmetric_key) {
+ /* we loaded the symmetric key, store it in the acs */
+ acs->key = symmetric_key;
+ }
+error:
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "<- _back_crypt_cipher_init (returning %d\n", ret);
+ return ret;
+}
+
+/*
+ * This function cleans up the state_private in cl5Desc
+ */
+static int
+_back_crypt_cleanup_private(attrcrypt_state_private **state_priv)
+{
+ attrcrypt_cipher_state **current = NULL;
+
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "-> _back_crypt_cleanup_private\n");
+ if (state_priv && *state_priv) {
+ for (current = &((*state_priv)->acs_array[0]); *current; current++) {
+ attrcrypt_cleanup(*current);
+ slapi_ch_free((void **)current);
+ }
+ slapi_ch_free((void **)state_priv);
+ }
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "<- _back_crypt_cleanup_private\n");
+ return 0;
+}
+
+/* Retrieve a symmetric key from dse.ldif for a specified cipher */
+/*
+ * return values: 0 -- successfully retrieved
+ * KEYMGMT_ERR_NO_ENTRY - Entry to store key does not exist
+ * KEYMGMT_ERR_NO_KEY_ATTR - Entry has no key attribute
+ * KEYMGMT_ERR_NO_KEY_VALUE - Empty key
+ * KEYMGMT_ERR_CANT_UNWRAP - Key failed to unwrap
+ * KEYMGMT_ERR_OTHER - Other error
+ */
+static int
+_back_crypt_keymgmt_get_key(attrcrypt_cipher_state *acs,
+ SECKEYPrivateKey *private_key,
+ PK11SymKey **key_from_store,
+ const char *dn_string)
+{
+ int ret = KEYMGMT_ERR_OTHER;
+ Slapi_Entry *entry = NULL;
+ Slapi_Attr *keyattr = NULL;
+
+ if (NULL == key_from_store) {
+ return ret;
+ }
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "-> _back_crypt_keymgmt_get_key\n");
+ *key_from_store = NULL;
+ /* Fetch the entry */
+ getConfigEntry(dn_string, &entry);
+ /* Did we find the entry ? */
+ if (entry) {
+ SECItem key_to_unwrap = {0};
+ /* If so then look for the attribute that contains the key */
+ slapi_entry_attr_find(entry, KEY_ATTRIBUTE_NAME, &keyattr);
+ if (keyattr) {
+ Slapi_Value *v = NULL;
+ ret = slapi_attr_first_value(keyattr, &v);
+ if (ret < 0) {
+ ret = KEYMGMT_ERR_NO_KEY_VALUE; /* Empty key */
+ goto bail;
+ }
+ key_to_unwrap.len = slapi_value_get_length(v);
+ key_to_unwrap.data = (void*)slapi_value_get_string(v);
+ /* Unwrap it */
+ ret = attrcrypt_unwrap_key(acs, private_key,
+ &key_to_unwrap, key_from_store);
+ if (ret) {
+ ret = KEYMGMT_ERR_CANT_UNWRAP; /* Key failed to unwrap */
+ }
+ } else {
+ ret = KEYMGMT_ERR_NO_KEY_ATTR; /* Entry has no key attribute */
+ }
+ } else {
+ /* we didn't find the entry (which happens if the key has
+ * never been generated) */
+ ret = KEYMGMT_ERR_NO_ENTRY;
+ }
+bail:
+ freeConfigEntry(&entry);
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "<- _back_crypt_keymgmt_get_key (returning %d)\n", ret);
+ return ret;
+}
+
+/* Store a symmetric key for a given cipher in dse.ldif */
+static int
+_back_crypt_keymgmt_store_key(Slapi_Backend *be,
+ attrcrypt_cipher_state *acs,
+ SECKEYPublicKey *public_key,
+ PK11SymKey *key_to_store,
+ const char *dn_string)
+{
+ int ret = 1;
+ SECItem wrapped_symmetric_key = {0};
+ ldbm_instance *li = NULL;
+
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "-> _back_crypt_keymgmt_store_key\n");
+ if (!be || !be->be_instance_info) {
+ goto bail;
+ }
+ li = (ldbm_instance *)be->be_instance_info;
+ /* Wrap the key and then store it in the right place in dse.ldif */
+ ret = attrcrypt_wrap_key(acs, key_to_store,
+ public_key, &wrapped_symmetric_key);
+ if (!ret) {
+ /* store the wrapped symmetric key to the specified entry (dn_string) */
+ Slapi_PBlock *pb = slapi_pblock_new();
+ Slapi_Value *key_value = NULL;
+ struct berval key_as_berval = {0};
+ Slapi_Mods *smods = slapi_mods_new();
+ Slapi_Value *va[2];
+ int rc = 0;
+
+ /* Add the key as a binary attribute */
+ key_as_berval.bv_val = (char *)wrapped_symmetric_key.data;
+ key_as_berval.bv_len = wrapped_symmetric_key.len;
+ key_value = slapi_value_new_berval(&key_as_berval);
+ va[0] = key_value;
+ va[1] = NULL;
+ /* key_value is now a copy of key_as_berval
+ * - free wrapped_symmetric_key */
+ slapi_ch_free_string((char **)&wrapped_symmetric_key.data);
+
+ slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE,
+ KEY_ATTRIBUTE_NAME, va);
+ slapi_modify_internal_set_pb(pb, dn_string,
+ slapi_mods_get_ldapmods_byref(smods), NULL, NULL,
+ li->inst_li->li_identity, 0);
+ slapi_modify_internal_pb (pb);
+ slapi_value_free(&key_value);
+ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
+ if (rc) {
+ char *resulttext = NULL;
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &resulttext);
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "_back_crypt_keymgmt_store_key: failed to add config key "
+ "to the DSE: %d: %s: %s\n", rc, ldap_err2string(rc),
+ resulttext ? resulttext : "unknown");
+ ret = -1;
+ }
+ slapi_mods_free(&smods);
+ slapi_pblock_destroy(pb);
+ }
+bail:
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "<- _back_crypt_keymgmt_store_key (returning %d)\n", ret);
+ return ret;
+}
+
+static void
+_back_crypt_acs_list_add(attrcrypt_state_private **state_priv,
+ attrcrypt_cipher_state *acs)
+{
+ /* Realloc the existing list and add to the end */
+ attrcrypt_cipher_state **current = NULL;
+ size_t list_size = 0;
+
+ if (NULL == state_priv) {
+ return;
+ }
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "-> _back_crypt_acs_list_add\n");
+
+ /* Is the list already there ? */
+ if (NULL == *state_priv) {
+ /* If not, add it */
+ /* 2 == The pointer and a NULL terminator */
+ *state_priv = (attrcrypt_state_private *)slapi_ch_calloc(
+ sizeof(attrcrypt_cipher_state *), 2);
+ } else {
+ /* Otherwise re-size it */
+ for (current = &((*state_priv)->acs_array[0]); current && *current;
+ current++) {
+ list_size++;
+ }
+ *state_priv =
+ (attrcrypt_state_private *)slapi_ch_realloc((char *)*state_priv,
+ sizeof(attrcrypt_cipher_state *) * (list_size + 2));
+ (*state_priv)->acs_array[list_size + 1] = NULL;
+ }
+ (*state_priv)->acs_array[list_size] = acs;
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "<- _back_crypt_acs_list_add\n");
+ return;
+}
+
+/* Either encipher or decipher an attribute value */
+static int
+_back_crypt_crypto_op(attrcrypt_private *priv,
+ attrcrypt_cipher_state *acs,
+ char *in_data, size_t in_size,
+ char **out_data, size_t *out_size, int encrypt,
+ backend *be, struct attrinfo *ai /* just for debugging */)
+{
+ int rc = -1;
+ SECStatus secret = 0;
+ PK11Context* sec_context = NULL;
+ SECItem iv_item = {0};
+ SECItem *security_parameter = NULL;
+ int output_buffer_length = 0;
+ int output_buffer_size1 = 0;
+ unsigned int output_buffer_size2 = 0;
+ unsigned char *output_buffer = NULL;
+
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT, "-> _back_crypt_crypto_op\n");
+ if (NULL == acs) {
+ goto bail;
+ }
+ if (encrypt) {
+ slapi_log_error(SLAPI_LOG_BACKLDBM, ATTRCRYPT,
+ "_back_crypt_crypto_op encrypt '%s' (%d)\n",
+ in_data, in_size);
+ } else {
+ slapi_log_error(SLAPI_LOG_BACKLDBM, ATTRCRYPT,
+ "_back_crypt_crypto_op decrypt (%d)\n", in_size);
+ }
+ /* Allocate the output buffer */
+ output_buffer_length = in_size + BACK_CRYPT_OUTBUFF_EXTLEN;
+ output_buffer = (unsigned char *)slapi_ch_malloc(output_buffer_length);
+ /* Now call NSS to do the cipher op */
+ iv_item.data = (unsigned char *)"aaaaaaaaaaaaaaaa"; /* ptr to an array
+ of IV bytes */
+ iv_item.len = acs->ace->iv_length; /* length of the array of IV bytes */
+ security_parameter = slapd_pk11_ParamFromIV(acs->ace->cipher_mechanism,
+ &iv_item);
+ if (NULL == security_parameter) {
+ int errorCode = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "back_crypt_crypto_op: failed to make IV for cipher %s "
+ ": %d - %s\n", acs->ace->cipher_display_name, errorCode,
+ slapd_pr_strerror(errorCode));
+ goto error;
+ }
+ sec_context = slapd_pk11_createContextBySymKey(acs->ace->cipher_mechanism,
+ (encrypt ? CKA_ENCRYPT : CKA_DECRYPT),
+ acs->key, security_parameter);
+ if (NULL == sec_context) {
+ int errorCode = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "_back_crypt_crypto_op: failed on cipher %s : "
+ "%d - %s\n", acs->ace->cipher_display_name, errorCode,
+ slapd_pr_strerror(errorCode));
+ goto error;
+ }
+ secret = slapd_pk11_cipherOp(sec_context, output_buffer,
+ &output_buffer_size1, output_buffer_length,
+ (unsigned char *)in_data, in_size);
+ if (SECSuccess != secret) {
+ int errorCode = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "_back_crypt_crypto_op failed on cipher %s : %d - %s\n",
+ acs->ace->cipher_display_name, errorCode,
+ slapd_pr_strerror(errorCode));
+ goto error;
+ }
+ secret = slapd_pk11_DigestFinal(sec_context,
+ output_buffer + output_buffer_size1,
+ &output_buffer_size2,
+ output_buffer_length - output_buffer_size1);
+ if (SECSuccess != secret) {
+ int errorCode = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "_back_crypt_crypto_op digest final failed on cipher "
+ "%s : %d - %s\n", acs->ace->cipher_display_name,
+ errorCode, slapd_pr_strerror(errorCode));
+ goto error;
+ } else {
+#if defined(DEBUG_ATTRCRYPT)
+ int recurse = 1;
+ if (encrypt) {
+ log_bytes("slapd_pk11_DigestFinal '%s' (%d)\n",
+ output_buffer, output_buffer_size1 + output_buffer_size2);
+ } else {
+ slapi_log_error(SLAPI_LOG_FATAL, "DEBUG_ATTRCRYPT",
+ "slapd_pk11_DigestFinal '%s', %u\n",
+ output_buffer, output_buffer_size1 + output_buffer_size2);
+ }
+ if (*out_size == -1) {
+ recurse = 0;
+ }
+#endif
+ *out_size = output_buffer_size1 + output_buffer_size2;
+ *out_data = (char *)output_buffer;
+ rc = 0; /* success */
+#if defined(DEBUG_ATTRCRYPT)
+ if (recurse) {
+ char *redo_data = NULL;
+ size_t redo_size = -1;
+ int redo_ret;
+
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "------> check result of crypto op\n");
+ if (priv && be && ai) {
+ redo_ret = attrcrypt_crypto_op(priv, be, ai,
+ *out_data, *out_size,
+ &redo_data, &redo_size,
+ !encrypt);
+ slapi_log_error(SLAPI_LOG_FATAL, "DEBUG_ATTRCRYPT",
+ "attrcrypt_crypto_op returned (%d) "
+ "orig length %u redone length %u\n",
+ redo_ret, in_size, redo_size);
+ } else {
+ redo_ret = _back_crypt_crypto_op(NULL, acs,
+ *out_data, *out_size,
+ &redo_data, &redo_size,
+ !encrypt, NULL, NULL);
+ slapi_log_error(SLAPI_LOG_FATAL, "DEBUG_ATTRCRYPT",
+ "_back_crypt_crypto_op returned (%d) "
+ "orig length %u redone length %u\n",
+ redo_ret, in_size, redo_size);
+ }
+ log_bytes("DEBUG_ATTRCRYPT orig bytes '%s' (%d)\n",
+ (unsigned char *)in_data, in_size);
+ log_bytes("DEBUG_ATTRCRYPT redo bytes '%s' (%d)\n",
+ (unsigned char *)redo_data, redo_size);
+
+ slapi_log_error(SLAPI_LOG_FATAL, ATTRCRYPT,
+ "<------ check result of crypto op\n");
+ }
+#endif
+ }
+error:
+ if (sec_context) {
+ PK11_DestroyContext(sec_context, PR_TRUE);
+ }
+ if (security_parameter) {
+ SECITEM_FreeItem(security_parameter, PR_TRUE);
+ }
+ if (rc) {
+ slapi_ch_free_string((char **)&output_buffer);
+ }
+bail:
+ slapi_log_error(SLAPI_LOG_TRACE, ATTRCRYPT,
+ "<- _back_crypt_crypto_op (returning %d)\n", rc);
+ return rc;
+}
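Review bot: `_back_crypt_crypto_op` encrypts every value under the constant IV `"aaaaaaaaaaaaaaaa"` at the `iv_item.data` assignment, so with a CBC-style `cipher_mechanism` equal plaintexts produce equal ciphertexts and values sharing a prefix produce ciphertexts sharing a prefix; a fresh random IV per value, stored in front of the ciphertext and reserved in `output_buffer_length`, would remove that leak, though it changes the stored format and the decrypt path and any already-encrypted data would have to account for it, so it may need to be a follow-up. The literal is 16 bytes while `iv_item.len` is taken from `acs->ace->iv_length`, which is only safe if no entry in `attrcrypt_cipher_list` declares a longer IV — that assumption deserves a comment or assertion next to the assignment. The encrypt-side trace log writes the plaintext itself with `%s` although `in_data` comes from a berval that need not be NUL-terminated, and passes a `size_t` to `%d` (the decrypt-side log and the `%u` uses in the `DEBUG_ATTRCRYPT` block have the same mismatch); I'd drop the value from the log and cast the size: `"_back_crypt_crypto_op encrypt (%lu)\n", (unsigned long)in_size`. The closing trace strings in `back_crypt_encrypt_value`, `back_crypt_decrypt_value` and `_back_crypt_cipher_init` name a different function or miss a parenthesis (`"<- back_crypt_encrypt_entry"`, `"<- _back_crypt_decrypt_entry"`, `"<- _back_crypt_cipher_init (returning %d\n"`), which makes the trace output hard to pair up.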
diff --git a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
index e09981a..c5df007 100644
--- a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
+++ b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
@@ -176,6 +176,7 @@ int dblayer_remove_env(struct ldbminfo *li);
int ldbm_back_get_info(Slapi_Backend *be, int cmd, void **info);
int ldbm_back_set_info(Slapi_Backend *be, int cmd, void *info);
+int ldbm_back_ctrl_info(Slapi_Backend *be, int cmd, void *info);
/*
* dn2entry.c
@@ -619,6 +620,11 @@ int ldbm_instance_attrcrypt_config_add_callback(Slapi_PBlock *pb, Slapi_Entry* e
int ldbm_instance_attrcrypt_config_delete_callback(Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e, int *returncode, char *returntext, void *arg);
int ldbm_instance_attrcrypt_config_modify_callback(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *entryAfter, int *returncode, char *returntext, void *arg);
+int back_crypt_init(Slapi_Backend *be, const char *dn, const char *encAlgorithm, void **handle);
+int back_crypt_encrypt_value(void *handle, struct berval *in, struct berval **out);
+int
+back_crypt_decrypt_value(void *handle, struct berval *in, struct berval **out);
+
void replace_ldbm_config_value(char *conftype, char *val, struct ldbminfo *li);
/*
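Review bot: The new `back_crypt_decrypt_value` prototype is split with `int` on its own line while the two prototypes added directly above are written on one line each; `int back_crypt_decrypt_value(void *handle, struct berval *in, struct berval **out);` keeps the declaration block consistent.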
diff --git a/ldap/servers/slapd/backend.c b/ldap/servers/slapd/backend.c
index 9bdc0af..24993c1 100644
--- a/ldap/servers/slapd/backend.c
+++ b/ldap/servers/slapd/backend.c
@@ -603,3 +603,14 @@ slapi_back_set_info(Slapi_Backend *be, int cmd, void *info)
rc = (*be->be_set_info)(be, cmd, info);
return rc;
}
+
+int
+slapi_back_ctrl_info(Slapi_Backend *be, int cmd, void *info)
+{
+ int rc = -1;
+ if (!be || !be->be_ctrl_info || !info) {
+ return rc;
+ }
+ rc = (*be->be_ctrl_info)(be, cmd, info);
+ return rc;
+}
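Review bot: `slapi_back_ctrl_info` returns -1 both when the backend has no `be_ctrl_info` hook and when the hook itself fails, so a caller issuing `BACK_INFO_CRYPT_INIT` cannot tell an unsupported backend from a failed cipher initialisation. Either the documentation comment for `slapi_back_ctrl_info` in slapi-plugin.h should state that -1 covers "not supported by this backend", or the unsupported case should return a distinct value. The `!info` guard is reasonable, but a one-line comment such as `/* every ctrl command takes an info struct; NULL is a caller bug */` would explain why it is rejected rather than passed through.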
diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
index a2684f9..1f14341 100644
--- a/ldap/servers/slapd/opshared.c
+++ b/ldap/servers/slapd/opshared.c
@@ -52,9 +52,10 @@
static void compute_limits (Slapi_PBlock *pb);
/* attributes that no clients are allowed to add or modify */
-static char *protected_attrs_all [] = { PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
- NULL
- };
+/* PSEUDO_ATTR_UNHASHEDUSERPASSWORD used to be in protected_attrs_all.
+ * Now it's moved to back-ldbm/id2entry.c to share it among repl masters.
+ * (bz 182507)*/
+static char *protected_attrs_all [] = { NULL };
static char *pwpolicy_lock_attrs_all [] = { "passwordRetryCount",
"retryCountResetTime",
"accountUnlockTime",
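Review bot: Emptying `protected_attrs_all` drops the front-end refusal of `PSEUDO_ATTR_UNHASHEDUSERPASSWORD` for every backend, not only back-ldbm, and the new comment does not say so; any backend other than back-ldbm that accepts client writes now has to filter that attribute itself, or the protection is gone for it. I cannot tell from this hunk whether that was intended, so the comment should make it explicit, for example `/* PSEUDO_ATTR_UNHASHEDUSERPASSWORD is now filtered in back-ldbm/id2entry.c so repl masters can share it; other backends no longer get front-end protection for it (bz 182507) */`.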
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index 4cc6536..2418b71 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -616,6 +616,9 @@ slapi_pblock_get( Slapi_PBlock *pblock, int arg, void *value )
case SLAPI_PLUGIN_DB_SET_INFO_FN:
(*(IFP *)value) = pblock->pb_plugin->plg_set_info;
break;
+ case SLAPI_PLUGIN_DB_CTRL_INFO_FN:
+ (*(IFP *)value) = pblock->pb_plugin->plg_ctrl_info;
+ break;
case SLAPI_PLUGIN_DB_SEQ_FN:
if ( pblock->pb_plugin->plg_type != SLAPI_PLUGIN_DATABASE ) {
return( -1 );
@@ -2038,6 +2041,9 @@ slapi_pblock_set( Slapi_PBlock *pblock, int arg, void *value )
case SLAPI_PLUGIN_DB_SET_INFO_FN:
pblock->pb_plugin->plg_set_info = (IFP) value;
break;
+ case SLAPI_PLUGIN_DB_CTRL_INFO_FN:
+ pblock->pb_plugin->plg_ctrl_info = (IFP) value;
+ break;
case SLAPI_PLUGIN_DB_SEQ_FN:
if ( pblock->pb_plugin->plg_type != SLAPI_PLUGIN_DATABASE ) {
return( -1 );
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 1cb5212..d5ac772 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -845,6 +845,7 @@ struct slapdplugin {
IFP plg_un_db_add_schema; /* add schema */
IFP plg_un_db_get_info; /* get info */
IFP plg_un_db_set_info; /* set info */
+ IFP plg_un_db_ctrl_info; /* ctrl info */
} plg_un_db;
#define plg_bind plg_un.plg_un_db.plg_un_db_bind
#define plg_unbind plg_un.plg_un_db.plg_un_db_unbind
@@ -882,6 +883,7 @@ struct slapdplugin {
#define plg_add_schema plg_un.plg_un_db.plg_un_db_add_schema
#define plg_get_info plg_un.plg_un_db.plg_un_db_get_info
#define plg_set_info plg_un.plg_un_db.plg_un_db_set_info
+#define plg_ctrl_info plg_un.plg_un_db.plg_un_db_ctrl_info
/* extended operation plugin structure */
struct plg_un_protocol_extension {
@@ -1162,6 +1164,7 @@ typedef struct backend {
#define be_wire_import be_database->plg_wire_import
#define be_get_info be_database->plg_get_info
#define be_set_info be_database->plg_set_info
+#define be_ctrl_info be_database->plg_ctrl_info
void *be_instance_info; /* If the database plugin pointed to by
* be_database supports more than one instance,
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index 536809d..fd2bf11 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -6272,13 +6272,49 @@ int slapi_back_get_info(Slapi_Backend *be, int cmd, void **info);
*/
int slapi_back_set_info(Slapi_Backend *be, int cmd, void *info);
+/**
+ * Execute cmd in backend
+ *
+ * \param be Backend where the command is executed
+ * \param cmd macro to specify the execution type
+ * \param info pointer to the information
+ * \return \c 0 if the operation was successful
+ * \return non-0 if the operation was not successful
+ *
+ * \note Implemented cmd:
+ * BACK_INFO_CRYPT_INIT - Initialize cipher (info: back_info_crypt_init)
+ * BACK_INFO_CRYPT_ENCRYPT_VALUE - Encrypt the given value (info: back_info_crypt_value)
+ * BACK_INFO_CRYPT_DECRYPT_VALUE - Decrypt the given value (info: back_info_crypt_value)
+ */
+int slapi_back_ctrl_info(Slapi_Backend *be, int cmd, void *info);
+
/* cmd */
enum
{
- BACK_INFO_DBENV, /* Get the dbenv */
- BACK_INFO_INDEXPAGESIZE, /* Get the index page size */
- BACK_INFO_DBENV_OPENFLAGS/* Get the dbenv openflags */
+ BACK_INFO_DBENV, /* Get the dbenv */
+ BACK_INFO_INDEXPAGESIZE, /* Get the index page size */
+ BACK_INFO_DBENV_OPENFLAGS, /* Get the dbenv openflags */
+ BACK_INFO_CRYPT_INIT, /* Ctrl: clcrypt_init */
+ BACK_INFO_CRYPT_ENCRYPT_VALUE, /* Ctrl: clcrypt_encrypt_value */
+ BACK_INFO_CRYPT_DECRYPT_VALUE /* Ctrl: clcrypt_decrypt_value */
+};
+
+struct _back_info_crypt_init {
+ char *dn; /* input -- entry to store nsSymmetricKey */
+ char *encryptionAlgorithm; /* input -- encryption althorithm */
+ Slapi_Backend *be; /* input -- backend to use */
+ void *state_priv; /* outout */
};
+typedef struct _back_info_crypt_init back_info_crypt_init;
+
+struct _back_info_crypt_value {
+ void *state_priv; /* input */
+ struct berval *in; /* input */
+ struct berval *out; /* output */
+};
+typedef struct _back_info_crypt_value back_info_crypt_value;
+
+#define BACK_CRYPT_OUTBUFF_EXTLEN 16
#ifdef __cplusplus
}
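Review bot: The field comments on `_back_info_crypt_init` contain two typos, `althorithm` for `algorithm` and `outout` for `output`, and `state_priv` should say what the caller does with it: `/* output -- opaque cipher state, passed back in back_info_crypt_value */`. `BACK_CRYPT_OUTBUFF_EXTLEN` is exported from the public plugin header without saying what it bounds; from its use it appears to be the slack added to a plaintext length so the final cipher block fits, so it needs a comment such as `/* extra output bytes reserved for cipher padding; must be >= the largest block size of any supported cipher */`. Appending the three `BACK_INFO_CRYPT_*` enumerators after the existing ones keeps the numeric values seen by already-built plugins stable, which is the right choice.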
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index ef213f5..d9da346 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -886,6 +886,7 @@ int proxyauth_get_dn( Slapi_PBlock *pb, char **proxydnp, char **errtextp );
#define SLAPI_PLUGIN_DB_RMDB_FN 280
#define SLAPI_PLUGIN_DB_GET_INFO_FN 290
#define SLAPI_PLUGIN_DB_SET_INFO_FN 291
+#define SLAPI_PLUGIN_DB_CTRL_INFO_FN 292
/**** End of database plugin interface. **************************************/
VERSION.sh
by Richard Allen Megginson
VERSION.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
New commits:
commit ba8c3c948e434b4d346799bdd3a86604c8e437bf
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Wed Dec 15 10:14:07 2010 -0700
bump version to 1.2.8.a1
diff --git a/VERSION.sh b/VERSION.sh
index 23e16b7..c0ae824 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,11 +10,11 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=2
-VERSION_MAINT=7.4
+VERSION_MAINT=8
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
-#VERSION_PREREL=.a1
+VERSION_PREREL=.a1
# NOTES on VERSION_PREREL
# use aN for an alpha release e.g. a1, a2, etc.
# use rcN for a release candidate e.g. rc1, rc2, etc.