ldap/servers/plugins/retrocl/retrocl.c | 67 +++++++++++++++++++++++++-
ldap/servers/plugins/retrocl/retrocl_create.c | 4 -
ldap/servers/plugins/retrocl/retrocl_po.c | 6 ++
ldap/servers/slapd/modify.c | 39 ++++++++-------
4 files changed, 94 insertions(+), 22 deletions(-)
New commits:
commit 29652118e2ae17ca98c1934af5109f1ac87d94ae
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Tue Dec 16 16:53:07 2014 -0500
Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
Fix for CVE-2014-8105
Description: At server startup check for the Retro Changelog default ACI
on cn=changelog, if present delete it.
Reviewed by: lkrispenz(Thanks!)
(cherry picked from commit 4b812a1af367ed409e21abe73a77e57092e5a5f3)
diff --git a/ldap/servers/plugins/retrocl/retrocl.c
b/ldap/servers/plugins/retrocl/retrocl.c
index 0d2a6dc..8a0f350 100644
--- a/ldap/servers/plugins/retrocl/retrocl.c
+++ b/ldap/servers/plugins/retrocl/retrocl.c
@@ -308,6 +308,68 @@ char *retrocl_get_config_str(const char *attrt)
return ma;
}
+static void
+retrocl_remove_legacy_default_aci(void)
+{
+ Slapi_PBlock *pb = NULL;
+ Slapi_Entry **entries;
+ char **aci_vals = NULL;
+ char *attrs[] = {"aci", NULL};
+ int rc;
+
+ pb = slapi_pblock_new();
+ slapi_search_internal_set_pb(pb, RETROCL_CHANGELOG_DN, LDAP_SCOPE_BASE,
"objectclass=*",
+ attrs, 0, NULL, NULL, g_plg_identity[PLUGIN_RETROCL] , 0);
+ slapi_search_internal_pb(pb);
+ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
+ if (rc == LDAP_SUCCESS) {
+ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
+ if(entries && entries[0]){
+ if((aci_vals = slapi_entry_attr_get_charray(entries[0], "aci"))){
+ if(charray_inlist(aci_vals, RETROCL_ACL)){
+ /*
+ * Okay, we need to remove the aci
+ */
+ LDAPMod mod;
+ LDAPMod *mods[2];
+ char *val[2];
+ Slapi_PBlock *mod_pb = 0;
+
+ mod_pb = slapi_pblock_new();
+ mods[0] = &mod;
+ mods[1] = 0;
+ val[0] = RETROCL_ACL;
+ val[1] = 0;
+ mod.mod_op = LDAP_MOD_DELETE;
+ mod.mod_type = "aci";
+ mod.mod_values = val;
+
+ slapi_modify_internal_set_pb_ext(mod_pb,
slapi_entry_get_sdn(entries[0]),
+ mods, 0, 0,
g_plg_identity[PLUGIN_RETROCL], 0);
+ slapi_modify_internal_pb(mod_pb);
+ slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
+ if(rc == LDAP_SUCCESS){
+ slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
+ "Successfully removed vulnerable legacy default aci
\"%s\". "
+ "If the aci removal was not desired please use a
different \"acl "
+ "name\" so it is not removed at the next plugin
startup.\n",
+ RETROCL_ACL);
+ } else {
+ slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
+ "Failed to removed vulnerable legacy default aci
(%s) error %d\n",
+ RETROCL_ACL, rc);
+ }
+ slapi_pblock_destroy(mod_pb);
+ }
+ slapi_ch_array_free(aci_vals);
+ }
+ }
+ }
+ slapi_free_search_results_internal(pb);
+ slapi_pblock_destroy(pb);
+}
+
+
/*
* Function: retrocl_start
*
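Review bot: `int rc;` and `Slapi_Entry **entries;` in retrocl_remove_legacy_default_aci are declared without initializers and are only assigned through `slapi_pblock_get`, so if that lookup leaves its out-parameter untouched the test `if (rc == LDAP_SUCCESS)` and the later `if(entries && entries[0])` read indeterminate values; declare them `int rc = -1;` and `Slapi_Entry **entries = NULL;`. Whether slapi_pblock_get always writes the out-parameter for an unset key is not visible here, so the initializers are cheap insurance either way. The failure message `Failed to removed vulnerable legacy default aci` should read `Failed to remove`. The comment added in the following hunk, `exposes passwords changes to anonymous users`, should read `exposes password changes to anonymous users`.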
@@ -333,7 +395,10 @@ static int retrocl_start (Slapi_PBlock *pb)
LDAPDebug1Arg(LDAP_DEBUG_TRACE,"Couldnt find backend, not trimming retro
changelog (%d).\n",rc);
return rc;
}
-
+
+ /* Remove the old default aci as it exposes passwords changes to anonymous users */
+ retrocl_remove_legacy_default_aci();
+
retrocl_init_trimming();
if (slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e) != 0) {
diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c
b/ldap/servers/plugins/retrocl/retrocl_create.c
index 1ffdaae..870421c 100644
--- a/ldap/servers/plugins/retrocl/retrocl_create.c
+++ b/ldap/servers/plugins/retrocl/retrocl_create.c
@@ -344,10 +344,6 @@ void retrocl_create_cle (void)
val.bv_len = strlen(val.bv_val);
slapi_entry_add_values( e, "cn", vals );
- val.bv_val = RETROCL_ACL;
- val.bv_len = strlen(val.bv_val);
- slapi_entry_add_values( e, "aci", vals );
-
pb = slapi_pblock_new ();
slapi_add_entry_internal_set_pb( pb, e, NULL /* controls */,
g_plg_identity[PLUGIN_RETROCL],
commit 84b8bfd7d18a0613920dce36f1d3775d75e45a3e
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Fri Nov 28 14:23:06 2014 +0100
Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
Fix for CVE-2014-8112
If the unhashed pw switch is set to off this should only
prevent the generation of the unhashed#user#password
attribute.
But encoding of pw values and detection of which values have
to be deleted needs to stay intact.
So the check if the switch is set has to be placed close to
the generation of the attribute in different 'if' branches
Reviewed by Noriko, thanks
(cherry picked from commit e5de803f4ab1b097c637c269fcc8b567e664c00d)
diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c
b/ldap/servers/plugins/retrocl/retrocl_po.c
index bcf53cd..61f99cf 100644
--- a/ldap/servers/plugins/retrocl/retrocl_po.c
+++ b/ldap/servers/plugins/retrocl/retrocl_po.c
@@ -101,6 +101,12 @@ static lenstr *make_changes_string(LDAPMod **ldm, const char
**includeattrs)
continue;
}
}
+ if (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch()) {
+ if (0 == strcasecmp(ldm[ i ]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)) {
+ /* If nsslapd-unhashed-pw-switch == nolog, skip writing it to cl. */
+ continue;
+ }
+ }
switch ( ldm[ i ]->mod_op & ~LDAP_MOD_BVALUES ) {
case LDAP_MOD_ADD:
addlenstr( l, "add: " );
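Review bot: The new guard calls `slapi_config_get_unhashed_pw_switch()` once per element of `ldm`, inside a loop whose header lies before the hunk, although the setting cannot change between iterations of one changelog write. Reading it once into a local before the loop, `int unhashed_pw_switch = slapi_config_get_unhashed_pw_switch();`, and testing `if (SLAPD_UNHASHED_PW_NOLOG == unhashed_pw_switch && 0 == strcasecmp(ldm[ i ]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD))` keeps the per-mod work to the string compare and reads as a single condition. A one-line comment above the guard saying that this pseudo attribute carries the unhashed password and is deliberately kept out of the changelog at this setting would explain the skip better than the in-branch comment, which only restates the config value.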
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 9b2f42d..ab12f56 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -836,8 +836,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char
*old_pw)
* before calling the preop plugins
*/
- if (pw_change && !repl_op &&
- (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())) {
+ if (pw_change && !repl_op ) {
Slapi_Value **va = NULL;
unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
@@ -907,13 +906,15 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char
*old_pw)
* Finally, delete the unhashed userpassword
* (this will update the password entry extension)
*/
- bval.bv_val = password;
- bval.bv_len = strlen(password);
- bv[0] = &bval;
- bv[1] = NULL;
- valuearray_init_bervalarray(bv, &va);
- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
- valuearray_free(&va);
+ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+ bval.bv_val = password;
+ bval.bv_len = strlen(password);
+ bv[0] = &bval;
+ bv[1] = NULL;
+ valuearray_init_bervalarray(bv, &va);
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+ valuearray_free(&va);
+ }
} else {
/*
* Password is encoded, try and find a matching unhashed_password to delete
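Review bot: `config_get_unhashed_pw_switch()` is now evaluated at this guard and again at the three later guards in the same function (the two in the next hunk and the `else if` in the last one), whereas the original evaluated it once in the outer condition that the first hunk of this file removed. Reading it once into a local at the top of the password branch, `int unhashed_pw_switch = config_get_unhashed_pw_switch();`, and testing `SLAPD_UNHASHED_PW_OFF != unhashed_pw_switch` at each site keeps all four branches consistent within one modify and shows the intent of the commit in one place. op_shared_modify starts and ends outside this hunk.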
@@ -945,19 +946,23 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char
*old_pw)
if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){
/* match, add the delete mod for this particular unhashed userpassword */
- valuearray_init_bervalarray(bv, &va);
- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr,
va);
- valuearray_free(&va);
- free_pw_scheme( unhashed_pwsp );
+ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+ valuearray_init_bervalarray(bv, &va);
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr,
va);
+ valuearray_free(&va);
+ free_pw_scheme( unhashed_pwsp );
+ }
break;
}
} else {
/*
* We have a hashed unhashed_userpassword! We must delete it.
*/
- valuearray_init_bervalarray(bv, &va);
- slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
- valuearray_free(&va);
+ if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+ valuearray_init_bervalarray(bv, &va);
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr,
va);
+ valuearray_free(&va);
+ }
}
free_pw_scheme( unhashed_pwsp );
}
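Review bot: In the CLEAR-scheme match branch, `free_pw_scheme( unhashed_pwsp );` has been moved inside the new `SLAPD_UNHASHED_PW_OFF` guard, but the `break;` that follows leaves the block before the unconditional `free_pw_scheme( unhashed_pwsp );` that sits after the else branch, so when the switch is off a matching clear-text value now exits without releasing `unhashed_pwsp`. The original freed it on every match; keep that by placing the call outside the guard, i.e. `free_pw_scheme( unhashed_pwsp );` directly before `break;` rather than inside the `if`. The hashed-value else branch is unaffected because it falls through to the trailing free. The loop this break exits begins before the hunk.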
@@ -972,7 +977,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char
*old_pw)
if (remove_unhashed_pw && !slapi_entry_attr_find(e, unhashed_pw_attr,
&a)){
slapi_mods_add_mod_values(&smods, pw_mod->mod_op,unhashed_pw_attr, va);
}
- } else {
+ } else if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
/* add pseudo password attribute */
valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);
if(va && va[0]){