[Pkg-fedora-ds-maintainers] 389-ds-base: Changes to 'master'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Fri Dec 23 06:16:18 UTC 2016
VERSION.sh | 2
debian/changelog | 7 +
dirsrvtests/tests/suites/password/pwd_algo_test.py | 143 +++++++++++++++++++++
ldap/admin/src/scripts/DSUtil.pm.in | 4
ldap/admin/src/scripts/ns-accountstatus.pl.in | 11 +
ldap/servers/plugins/acl/acl.h | 2
ldap/servers/plugins/acl/acl_ext.c | 10 -
ldap/servers/plugins/acl/acllas.c | 11 -
ldap/servers/plugins/pwdstorage/clear_pwd.c | 33 ++++
ldap/servers/plugins/pwdstorage/crypt_pwd.c | 2
ldap/servers/plugins/pwdstorage/md5_pwd.c | 2
ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c | 1
ldap/servers/plugins/pwdstorage/sha_pwd.c | 15 +-
ldap/servers/plugins/pwdstorage/smd5_pwd.c | 2
ldap/servers/plugins/rever/pbe.c | 11 -
ldap/servers/slapd/ch_malloc.c | 47 ++++++
ldap/servers/slapd/entry.c | 1
ldap/servers/slapd/entrywsi.c | 1
ldap/servers/slapd/slapi-plugin.h | 16 ++
rpm/389-ds-base.spec.in | 3
20 files changed, 280 insertions(+), 44 deletions(-)
New commits:
commit c0a6c264fbd115f7b887abf1449ccebc9d5faa5b
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Nov 16 11:02:37 2016 +0200
releasing package 389-ds-base version 1.3.5.15-1
diff --git a/debian/changelog b/debian/changelog
index 883ff49..9231bb6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,9 @@
-389-ds-base (1.3.5.15-1) UNRELEASED; urgency=medium
+389-ds-base (1.3.5.15-1) unstable; urgency=medium
* New upstream release.
- CVE-2016-5405 (Closes: #842121)
- -- Timo Aaltonen <tjaalton at debian.org> Wed, 16 Nov 2016 10:53:11 +0200
+ -- Timo Aaltonen <tjaalton at debian.org> Wed, 16 Nov 2016 11:01:00 +0200
389-ds-base (1.3.5.14-1) unstable; urgency=medium
commit c09036771e417f9020369129aff0db1a68e4abd8
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Nov 16 11:00:58 2016 +0200
update changelog
diff --git a/debian/changelog b/debian/changelog
index 45d9fcb..883ff49 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+389-ds-base (1.3.5.15-1) UNRELEASED; urgency=medium
+
+ * New upstream release.
+ - CVE-2016-5405 (Closes: #842121)
+
+ -- Timo Aaltonen <tjaalton at debian.org> Wed, 16 Nov 2016 10:53:11 +0200
+
389-ds-base (1.3.5.14-1) unstable; urgency=medium
* New upstream release.
commit 136b366da0646546d8304aa001a18242d7ff578a
Author: Mark Reynolds <mreynolds at redhat.com>
Date: Thu Nov 3 15:39:29 2016 -0400
Bump version to 1.3.5.15
diff --git a/VERSION.sh b/VERSION.sh
index 9f5604a..7c3ee62 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=3
-VERSION_MAINT=5.14
+VERSION_MAINT=5.15
# NOTE: VERSION_PREREL is automatically set for builds made out of a git tree
VERSION_PREREL=
VERSION_DATE=$(date -u +%Y%m%d)
diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
index 515e746..c8eefa2 100644
--- a/ldap/servers/slapd/ch_malloc.c
+++ b/ldap/servers/slapd/ch_malloc.c
@@ -129,9 +129,6 @@ slapi_ch_malloc(
PR_INCREMENT_COUNTER(slapi_ch_counter_created);
PR_INCREMENT_COUNTER(slapi_ch_counter_exist);
- /* So long as this happens once, we are happy, put it in ch_malloc. */
- create_oom_buffer();
-
return( newmem );
}
@@ -150,7 +147,7 @@ slapi_ch_memalign(size_t size, size_t alignment)
int oserr = errno;
oom_occurred();
- slapi_log_err(SLAPI_LOG_ERR, SLAPD_MODULE,
+ slapi_log_error(SLAPI_LOG_FATAL, SLAPD_MODULE,
"malloc of %lu bytes failed; OS error %d (%s)%s\n",
size, oserr, slapd_system_strerror( oserr ), oom_advice );
exit( 1 );
commit 3d227536f7d53a3c3d58c066492eb8a5db834089
Author: William Brown <firstyear at redhat.com>
Date: Thu Jul 21 13:22:30 2016 +1000
Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
Bug Description: Clear and unsalted password types were vulnerable to a timing
attack. This is due to the use of memcmp and strcmp in their comparison.
Fix Description: Add a constant time memcmp function, that does not shortcircuit.
Change all password comparison to use the constant time check. For the clear
scheme, alter the way we do the check to prevent length disclosure timing
attacks.
This resolves CVE-2016-5405
https://bugzilla.redhat.com/show_bug.cgi?id=1358565
https://access.redhat.com/security/cve/CVE-2016-5405
Author: wibrown
Review by: nhosoi (Thanks!)
(cherry picked from commit 9dcaa4a0c866d8696e0a2616ccf962af2833f0b8)
(cherry picked from commit 762219a35005914c6c088d915ac9346ce7e28512)
diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
index 705ea86..515e746 100644
--- a/ldap/servers/slapd/ch_malloc.c
+++ b/ldap/servers/slapd/ch_malloc.c
@@ -119,6 +119,7 @@ slapi_ch_malloc(
size, oserr, slapd_system_strerror( oserr ), oom_advice );
exit( 1 );
}
+
if(!counters_created)
{
create_counters();
@@ -128,6 +129,33 @@ slapi_ch_malloc(
PR_INCREMENT_COUNTER(slapi_ch_counter_created);
PR_INCREMENT_COUNTER(slapi_ch_counter_exist);
+ /* So long as this happens once, we are happy, put it in ch_malloc. */
+ create_oom_buffer();
+
+ return( newmem );
+}
+
+/* See slapi-plugin.h */
+char *
+slapi_ch_memalign(size_t size, size_t alignment)
+{
+ char *newmem;
+
+ if (size <= 0) {
+ log_negative_alloc_msg( "memalign", "bytes", size );
+ return 0;
+ }
+
+ if ( posix_memalign((void **)&newmem, alignment, size) != 0 ) {
+ int oserr = errno;
+
+ oom_occurred();
+ slapi_log_err(SLAPI_LOG_ERR, SLAPD_MODULE,
+ "malloc of %lu bytes failed; OS error %d (%s)%s\n",
+ size, oserr, slapd_system_strerror( oserr ), oom_advice );
+ exit( 1 );
+ }
+
return( newmem );
}
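Review bot: `int oserr = errno;` in the added `slapi_ch_memalign` reports the wrong value, because `posix_memalign` returns its error number and is not specified to set `errno`, so the log line can show a stale or zero OS error. Capture the return value instead: `int oserr = posix_memalign((void **)&newmem, alignment, size);` followed by `if (oserr != 0) {`. `size` is a `size_t`, so `size <= 0` can only mean `size == 0`, and the `%lu` argument should be passed as `(unsigned long)size`. The other `slapi_ch_memalign` hunk on this page (the one switching the log call) keeps the same `errno` read.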
@@ -374,13 +402,12 @@ slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
int result = 0;
const unsigned char *_p1 = (const unsigned char *)p1;
const unsigned char *_p2 = (const unsigned char *)p2;
- size_t i;
if (_p1 == NULL || _p2 == NULL) {
return 2;
}
- for (i = 0; i < n; i++) {
+ for (size_t i = 0; i < n; i++) {
if (_p1[i] ^ _p2[i]) {
result = 1;
}
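Review bot: `for (size_t i = 0; i < n; i++)` puts a declaration in the loop header, which the build-fix commit quoted further down this page reports as rejected (`'for' loop initial declarations are only allowed in C99 mode`). Unless the build flags have changed since, keep `size_t i;` with the other declarations at the top of `slapi_ct_memcmp` and leave the loop as `for (i = 0; i < n; i++)`. The hunk that first adds `slapi_ct_memcmp` uses the same loop header. The function body continues outside this hunk.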
commit 48a0203355d28bccbf8728a21a32b738c060132b
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Thu Aug 4 13:26:44 2016 -0700
Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
Description: Build fails with the commit f0e03b5a51972a125fe78f448d1f68e288782d1e:
error: 'for' loop initial declarations are only allowed in C99 mode
for (size_t i = 0; i < n; i++) {
^
Moved "size_t i;" to the top of slapi_ct_memcmp.
(cherry picked from commit 53da6d718b3dfee6cdd78e112d1926e90d03128a)
(cherry picked from commit 3548aff21be9f58e08b3174cb27d9b59af67cc58)
diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
index a38268c..705ea86 100644
--- a/ldap/servers/slapd/ch_malloc.c
+++ b/ldap/servers/slapd/ch_malloc.c
@@ -374,12 +374,13 @@ slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
int result = 0;
const unsigned char *_p1 = (const unsigned char *)p1;
const unsigned char *_p2 = (const unsigned char *)p2;
+ size_t i;
if (_p1 == NULL || _p2 == NULL) {
return 2;
}
- for (size_t i = 0; i < n; i++) {
+ for (i = 0; i < n; i++) {
if (_p1[i] ^ _p2[i]) {
result = 1;
}
commit 6a7aafb83677a0f5df294dfeaafcde2f5587ddcb
Author: William Brown <firstyear at redhat.com>
Date: Thu Jul 21 13:22:30 2016 +1000
Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
Bug Description: Clear and unsalted password types were vulnerable to a timing
attack. This is due to the use of memcmp and strcmp in their comparison.
Fix Description: Add a constant time memcmp function, that does not shortcircuit.
Change all password comparison to use the constant time check. For the clear
scheme, alter the way we do the check to prevent length disclosure timing
attacks.
This resolves CVE-2016-5405
https://bugzilla.redhat.com/show_bug.cgi?id=1358565
https://access.redhat.com/security/cve/CVE-2016-5405
Author: wibrown
Review by: nhosoi (Thanks!)
(cherry picked from commit 9dcaa4a0c866d8696e0a2616ccf962af2833f0b8)
(cherry picked from commit f0e03b5a51972a125fe78f448d1f68e288782d1e)
(cherry picked from commit c4b5dc8bf325f0a358dc135b91023c3edc103a39)
diff --git a/dirsrvtests/tests/suites/password/pwd_algo_test.py b/dirsrvtests/tests/suites/password/pwd_algo_test.py
new file mode 100644
index 0000000..aa8cbf5
--- /dev/null
+++ b/dirsrvtests/tests/suites/password/pwd_algo_test.py
@@ -0,0 +1,143 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+DEBUGGING = True
+USER_DN = 'uid=user,ou=People,%s' % DEFAULT_SUFFIX
+
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+
+
+log = logging.getLogger(__name__)
+
+
+class TopologyStandalone(object):
+ """The DS Topology Class"""
+ def __init__(self, standalone):
+ """Init"""
+ standalone.open()
+ self.standalone = standalone
+
+
+ at pytest.fixture(scope="module")
+def topology(request):
+ """Create DS Deployment"""
+
+ # Creating standalone instance ...
+ if DEBUGGING:
+ standalone = DirSrv(verbose=True)
+ else:
+ standalone = DirSrv(verbose=False)
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+ instance_standalone = standalone.exists()
+ if instance_standalone:
+ standalone.delete()
+ standalone.create()
+ standalone.open()
+
+ def fin():
+ """If we are debugging just stop the instances, otherwise remove
+ them
+ """
+ if DEBUGGING:
+ standalone.stop()
+ else:
+ standalone.delete()
+
+ request.addfinalizer(fin)
+
+ # Clear out the tmp dir
+ standalone.clearTmpDir(__file__)
+
+ return TopologyStandalone(standalone)
+
+def _test_bind(inst, password):
+ result = True
+ userconn = ldap.initialize("ldap://%s:%s" % (HOST_STANDALONE, PORT_STANDALONE))
+ try:
+ userconn.simple_bind_s(USER_DN, password)
+ userconn.unbind_s()
+ except ldap.INVALID_CREDENTIALS:
+ result = False
+ return result
+
+def _test_algo(inst, algo_name):
+ inst.config.set('passwordStorageScheme', algo_name)
+
+ if DEBUGGING:
+ print('Testing %s', algo_name)
+
+ # Create the user with a password
+ inst.add_s(Entry((
+ USER_DN, {
+ 'objectClass': 'top account simplesecurityobject'.split(),
+ 'uid': 'user',
+ 'userpassword': 'Secret123'
+ })))
+
+ # Make sure when we read the userPassword field, it is the correct ALGO
+ pw_field = inst.search_s(USER_DN, ldap.SCOPE_BASE, '(objectClass=*)', ['userPassword'] )[0]
+
+ if DEBUGGING:
+ print(pw_field.getValue('userPassword'))
+
+ if algo_name != 'CLEAR':
+ assert(algo_name.lower() in pw_field.getValue('userPassword').lower())
+ # Now make sure a bind works
+ assert(_test_bind(inst, 'Secret123'))
+ # Bind with a wrong shorter password, should fail
+ assert(not _test_bind(inst, 'Wrong'))
+ # Bind with a wrong longer password, should fail
+ assert(not _test_bind(inst, 'This is even more wrong'))
+ # Bind with a wrong exact length password.
+ assert(not _test_bind(inst, 'Alsowrong'))
+ # Bind with a subset password, should fail
+ assert(not _test_bind(inst, 'Secret'))
+ if algo_name != 'CRYPT':
+ # Bind with a subset password that is 1 char shorter, to detect off by 1 in clear
+ assert(not _test_bind(inst, 'Secret12'))
+ # Bind with a superset password, should fail
+ assert(not _test_bind(inst, 'Secret123456'))
+ # Delete the user
+ inst.delete_s(USER_DN)
+ # done!
+
+def test_pwd_algo_test(topology):
+ """
+ Assert that all of our password algorithms correctly PASS and FAIL varying
+ password conditions.
+
+ """
+ if DEBUGGING:
+ # Add debugging steps(if any)...
+ pass
+
+ for algo in ('CLEAR', 'CRYPT', 'MD5', 'SHA', 'SHA256', 'SHA384', 'SHA512', 'SMD5', 'SSHA', 'SSHA256', 'SSHA384', 'SSHA512'):
+ _test_algo(topology.standalone, algo)
+
+ log.info('Test PASSED')
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
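Review bot: `_test_bind` only calls `userconn.unbind_s()` on the success path, so every negative case in `_test_algo` leaves its connection to the server open; put the unbind in a `finally:` block. `print('Testing %s', algo_name)` passes two arguments to `print` rather than formatting, so it should read `print('Testing %s' % algo_name)`. The suite checks accept/reject results only, so it cannot detect a regression back to an early-exit comparison; a short docstring on `_test_algo` stating that scope would keep it from being read as timing coverage.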
diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c
index b9b362d..2afe16e 100644
--- a/ldap/servers/plugins/pwdstorage/clear_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c
@@ -26,6 +26,7 @@ int
clear_pw_cmp( const char *userpwd, const char *dbpwd )
{
int result = 0;
+ int len = 0;
int len_user = strlen(userpwd);
int len_dbp = strlen(dbpwd);
if ( len_user != len_dbp ) {
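Review bot: `int len = 0;` is added but nothing in the visible lines reads or writes it, and the full `clear_pw_cmp` body shown in the other clear_pwd.c hunk on this page does not use it either, so it looks like an unused variable that will draw a compiler warning. If it is not needed, drop the line. The neighbouring `len_user` and `len_dbp` hold `strlen` results in `int`; `size_t len_user = strlen(userpwd);` matches both `strlen` and the `size_t n` parameter of `slapi_ct_memcmp`. The function body continues outside this hunk.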
diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
index 29355a2..93b54b2 100644
--- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
@@ -54,7 +54,7 @@ crypt_pw_cmp( const char *userpwd, const char *dbpwd )
/* we use salt (first 2 chars) of encoded password in call to crypt() */
cp = crypt( userpwd, dbpwd );
if (cp) {
- rc= strcmp( dbpwd, cp);
+ rc= slapi_ct_memcmp( dbpwd, cp, strlen(dbpwd));
} else {
rc = -1;
}
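Review bot: `slapi_ct_memcmp( dbpwd, cp, strlen(dbpwd))` takes its length from the stored value only, while the helper's contract on this page requires both buffers to hold at least `n` bytes. If `crypt()` returns a string shorter than `dbpwd` the loop reads past the end of `cp`, and if it returns a longer one the comparison accepts on a matching prefix. Check the lengths first, for example `rc = (strlen(cp) == strlen(dbpwd)) ? slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd)) : 1;`, since the length of an encoded hash is not secret. The md5_pwd.c hunk (`slapi_ct_memcmp(bver,dbpwd, strlen(dbpwd))`) has the same shape, with `bver` pointing at the fixed-size `b2a_out`.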
diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c
index 0bc8f3c..181661a 100644
--- a/ldap/servers/plugins/pwdstorage/md5_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c
@@ -57,7 +57,7 @@ md5_pw_cmp( const char *userpwd, const char *dbpwd )
bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
/* bver points to b2a_out upon success */
if (bver) {
- rc = strcmp(bver,dbpwd);
+ rc = slapi_ct_memcmp(bver,dbpwd, strlen(dbpwd));
} else {
slapi_log_error(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
"Could not base64 encode hashed value for password compare");
diff --git a/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c b/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c
index 2fed61f..ae1f7b8 100644
--- a/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c
@@ -84,6 +84,7 @@ ns_mta_md5_pw_cmp(const char * clear, const char *mangled)
mta_hash[32] = mta_salt[32] = 0;
+ /* This is salted, so we don't need to change it for constant time */
return( strcmp(mta_hash,ns_mta_hash_alg(buffer,mta_salt,clear)));
}
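Review bot: The new comment justifies keeping `strcmp` by the salt, but the smd5_pwd.c hunk in this same commit switches a salted scheme to `slapi_ct_memcmp`, so the two decisions are inconsistent. `mta_hash` is terminated at index 32 just above, which suggests a fixed 32-byte comparison would fit here, provided `ns_mta_hash_alg` returns at least that many bytes (not visible in this hunk). If `strcmp` stays and this is the intended reasoning, expand the comment to spell it out, e.g. `/* salt is stored server-side and unknown to the client, so an early exit does not reveal hash bytes */`. The function starts outside the hunk.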
diff --git a/ldap/servers/plugins/pwdstorage/sha_pwd.c b/ldap/servers/plugins/pwdstorage/sha_pwd.c
index 9594ac9..2e4973b 100644
--- a/ldap/servers/plugins/pwdstorage/sha_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/sha_pwd.c
@@ -120,13 +120,16 @@ sha_pw_cmp (const char *userpwd, const char *dbpwd, unsigned int shaLen )
}
/* the proof is in the comparison... */
- result = ( hash_len >= shaLen ) ?
- ( memcmp( userhash, dbhash, shaLen ) ) : /* include salt */
- ( memcmp( userhash, dbhash + OLD_SALT_LENGTH,
- hash_len - OLD_SALT_LENGTH ) ); /* exclude salt */
+ if ( hash_len >= shaLen ) {
+ result = slapi_ct_memcmp( userhash, dbhash, shaLen );
+ } else {
+ result = slapi_ct_memcmp( userhash, dbhash + OLD_SALT_LENGTH, hash_len - OLD_SALT_LENGTH );
+ }
- loser:
- if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free_string( &dbhash );
+loser:
+ if ( dbhash && dbhash != quick_dbhash ) {
+ slapi_ch_free_string( &dbhash );
+ }
return result;
}
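Review bot: The rewrite into `if`/`else` drops the `/* include salt */` and `/* exclude salt */` comments that explained why the two branches compare different ranges. Restore them on the new calls, `/* include salt */` after the `shaLen` comparison and `/* exclude salt */` after the `dbhash + OLD_SALT_LENGTH` one. The second length, `hash_len - OLD_SALT_LENGTH`, is passed as a `size_t`; whether `hash_len` is guaranteed to be at least `OLD_SALT_LENGTH` on that path is decided above the hunk, and it is worth confirming because the helper reads exactly `n` bytes from both buffers.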
diff --git a/ldap/servers/plugins/pwdstorage/smd5_pwd.c b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
index f4c92f1..79c2846 100644
--- a/ldap/servers/plugins/pwdstorage/smd5_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
@@ -80,7 +80,7 @@ smd5_pw_cmp( const char *userpwd, const char *dbpwd )
PK11_DestroyContext(ctx, 1);
/* Compare everything up to the salt. */
- rc = memcmp( userhash, dbhash, MD5_LENGTH );
+ rc = slapi_ct_memcmp( userhash, dbhash, MD5_LENGTH );
loser:
if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free_string( (char **)&dbhash );
diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
index 10870df..a38268c 100644
--- a/ldap/servers/slapd/ch_malloc.c
+++ b/ldap/servers/slapd/ch_malloc.c
@@ -365,3 +365,25 @@ slapi_ch_smprintf(const char *fmt, ...)
return p;
}
#endif
+
+/* Constant time memcmp. Does not shortcircuit on failure! */
+/* This relies on p1 and p2 both being size at least n! */
+int
+slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
+{
+ int result = 0;
+ const unsigned char *_p1 = (const unsigned char *)p1;
+ const unsigned char *_p2 = (const unsigned char *)p2;
+
+ if (_p1 == NULL || _p2 == NULL) {
+ return 2;
+ }
+
+ for (size_t i = 0; i < n; i++) {
+ if (_p1[i] ^ _p2[i]) {
+ result = 1;
+ }
+ }
+ return result;
+}
+
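Review bot: `if (_p1[i] ^ _p2[i]) { result = 1; }` is a branch on the compared data, so the constant-time property depends on how the compiler lowers it. Accumulating the difference without a conditional is the usual form: declare `unsigned char acc = 0;`, use `acc |= _p1[i] ^ _p2[i];` in the loop and `return acc != 0;` at the end, which keeps the documented 0/1 results. The NULL check returning 2 can stay as it is.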
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index 89853c0..1e767eb 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -5825,6 +5825,22 @@ char * slapi_ch_smprintf(const char *fmt, ...)
#else
;
#endif
+/**
+ * slapi_ct_memcmp is a constant time memory comparison function. This is for
+ * use with password hashes and other locations which could lead to a timing
+ * attack due to early shortcut returns. This function *does not* shortcircuit
+ * during the comparison, always checking every byte regardless if it has already
+ * found that the memory does not match.
+ *
+ * WARNING! p1 and p2 must both reference content that is at least of size 'n'.
+ * Else this function may over-run (And will certainly fail).
+ *
+ * \param p1 pointer to first value to check.
+ * \param p2 pointer to second value to check.
+ * \param n length in bytes of the content of p1 AND p2.
+ * \return 0 on match. 1 on non-match. 2 on presence of NULL pointer in p1 or p2.
+ */
+int slapi_ct_memcmp( const void *p1, const void *p2, size_t n);
/*
* syntax plugin routines
commit 502df2af823b4b0b2bff8c8be10a50e647a3a4d0
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Mon Aug 8 10:12:33 2016 -0700
Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
Description: Fixing a compiler warning introduced by commit
f0e03b5a51972a125fe78f448d1f68e288782d1e.
(cherry picked from commit c62ea0c98445d31fb55baebe9778fe860b3266ea)
(cherry picked from commit 3d92679cf97518aedcf6534ac5967edf8d2c9d28)
diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c
index 84dac2a..b9b362d 100644
--- a/ldap/servers/plugins/pwdstorage/clear_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c
@@ -25,7 +25,37 @@
int
clear_pw_cmp( const char *userpwd, const char *dbpwd )
{
- return( strcmp( userpwd, dbpwd ));
+ int result = 0;
+ int len_user = strlen(userpwd);
+ int len_dbp = strlen(dbpwd);
+ if ( len_user != len_dbp ) {
+ result = 1;
+ }
+ /* We have to do this comparison ANYWAY else we have a length timing attack. */
+ if ( len_user >= len_dbp ) {
+ /*
+ * If they are the same length, result will be 0 here, and if we pass
+ * the check, we don't update result either. IE we pass.
+ * However, even if the first part of userpw matches dbpwd, but len !=, we
+ * have already failed anyawy. This prevents substring matching.
+ */
+ if (slapi_ct_memcmp(userpwd, dbpwd, len_dbp) != 0) {
+ result = 1;
+ }
+ } else {
+ /*
+ * If we stretched the userPassword, we'll allow a new timing attack, where
+ * if we see a delay on a short pw, we know we are stretching.
+ * when the delay goes away, it means we've found the length.
+ * Instead, because we don't want to use the short pw for comp, we just compare
+ * dbpwd to itself. We have already got result == 1 if we are here, so we are
+ * just trying to take up time!
+ */
+ if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp)) {
+ /* Do nothing, we have the if to fix a coverity check. */
+ }
+ }
+ return result;
}
char *
commit 1bafab5ae1e894ae3680679e03e457b9ace7e7d2
Author: Thierry Bordaz <tbordaz at redhat.com>
Date: Fri Oct 21 16:28:59 2016 +0200
Ticket 49016 - (un)register/migration/remove may fail if there is no suffix on 'userRoot' backend
Bug Description:
If an instance has no suffix on 'userRoot' backend, then the info structure
may contain empty 'Suffix'.
In fact, if the last backend has no suffix (like cn=config), it overwrites all
previously found values.
This affects register (and possibly unregister/migrate/remove)
Fix Description:
Before overwriting the 'Suffix' value, check that the found backend contains
'nsslapd-suffix'.
https://fedorahosted.org/389/ticket/49016
Reviewed by: Noriko Hosoi (Thank you Noriko)
Platforms tested: RHEL 7.2
Flag Day: no
Doc impact: no
diff --git a/ldap/admin/src/scripts/DSUtil.pm.in b/ldap/admin/src/scripts/DSUtil.pm.in
index 756d6ea..eac59a3 100644
--- a/ldap/admin/src/scripts/DSUtil.pm.in
+++ b/ldap/admin/src/scripts/DSUtil.pm.in
@@ -975,7 +975,9 @@ sub createInfFromConfig {
}
# use the userRoot suffix if available
while ($ent) {
- $suffix = $ent->getValues('nsslapd-suffix');
+ if ($ent->getValues('nsslapd-suffix')) {
+ $suffix = $ent->getValues('nsslapd-suffix');
+ }
last if ($ent->hasValue('cn', 'userRoot', 1));
$ent = $conn->nextEntry();
}
commit ed829078c9dc7b8a940119298f3e12a37034ecf4
Author: Viktor Ashirov <vashirov at redhat.com>
Date: Tue Oct 18 10:31:16 2016 +0200
Ticket 48328 - Add missing dependency
Bug Description:
`host` utility is used in setup process to determine CNAME, but
389-ds-base rpm package doesn't depend on bind-utils, which contains it.
Fix Description:
Add missing dependency for bind-utils.
https://fedorahosted.org/389/ticket/48328
Reviewed by: nhosoi at redhat.com (Thanks!)
(cherry picked from commit 68a76403a6b240ad95d7f9457e01486f128ac4e9)
diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
index e5d824e..7413cbe 100644
--- a/rpm/389-ds-base.spec.in
+++ b/rpm/389-ds-base.spec.in
@@ -126,6 +126,9 @@ Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
+# for setup-ds.pl
+Requires: bind-utils
+
# for setup-ds.pl to support ipv6
%if %{use_Socket6}
Requires: perl-Socket6
commit 39870194a094ca8ebe3e8c7dea9090c2360307cf
Author: Ludwig Krispenz <lkrispen at redhat.com>
Date: Fri Oct 14 13:50:18 2016 +0200
Ticket 49009 - args debug logging must be more restrictive
Bug Description: turning on args debugging logs all attribute value, including #unhashed#
Fix Description: filter unhashed attrs
https://fedorahosted.org/389/ticket/49009
Reviewed by: ?
diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
index d38f970..0cd3b60 100644
--- a/ldap/servers/slapd/entry.c
+++ b/ldap/servers/slapd/entry.c
@@ -3659,6 +3659,7 @@ entry_apply_mod( Slapi_Entry *e, const LDAPMod *mod )
if((strcasecmp(mod->mod_type,"objectclass") == 0)
&& (strncasecmp((const char *)mod->mod_bvalues[i]->bv_val,"ldapsubentry",mod->mod_bvalues[i]->bv_len) == 0))
sawsubentry=PR_TRUE;
+ if (0==strcasecmp(PSEUDO_ATTR_UNHASHEDUSERPASSWORD,mod->mod_type)) continue;
LDAPDebug( LDAP_DEBUG_ARGS, " %s: %s\n", mod->mod_type, mod->mod_bvalues[i]->bv_val, 0 );
}
bvcnt = i;
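Review bot: The added `continue` has no comment saying why this attribute is skipped, and the test does not depend on `i`, so it is re-evaluated for every value. Add `/* never write the unhashed password pseudo-attribute to the debug log */` above it; the entrywsi.c hunk adds the identical line and would benefit from the same comment, or from a shared helper so the two loops cannot drift apart. The filter names a single attribute type; whether other password-bearing types can reach this `LDAPDebug` call with cleartext values is not visible here and is worth confirming. The enclosing loop starts outside the hunk.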
diff --git a/ldap/servers/slapd/entrywsi.c b/ldap/servers/slapd/entrywsi.c
index 7445d98..4080125 100644
--- a/ldap/servers/slapd/entrywsi.c
+++ b/ldap/servers/slapd/entrywsi.c
@@ -954,6 +954,7 @@ entry_apply_mod_wsi(Slapi_Entry *e, const LDAPMod *mod, const CSN *csn, int urp)
for ( i = 0;
mod->mod_bvalues != NULL && mod->mod_bvalues[i] != NULL;
i++ ) {
+ if (0==strcasecmp(PSEUDO_ATTR_UNHASHEDUSERPASSWORD,mod->mod_type)) continue;
LDAPDebug( LDAP_DEBUG_ARGS, " %s: %s\n",
mod->mod_type, mod->mod_bvalues[i]->bv_val, 0 );
}
commit 1c6b1c99b576e7b9ffdc217d20737e216ec40a24
Author: Mark Reynolds <mreynolds at redhat.com>
Date: Thu Oct 20 12:38:49 2016 -0400
Ticket 49014 - ns-accountstatus.pl shows wrong status for accounts inactivated by Account policy plugin
Bug Description: ns-accountstatus.pl shows wrong status for accounts inactivated
by inactivity. If there is no acct policy subentry the wrong
basedn was used to get the inactivity limit. This prevented the
script from detecting if an account was inactivated due to inactivity.
Fix Description: If there is no subentry, then use the existing config entry
to get the inactivity limit.
https://fedorahosted.org/389/ticket/49014
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 2e494bc7e5e73f97e8a425b22706418ff8879336)
diff --git a/ldap/admin/src/scripts/ns-accountstatus.pl.in b/ldap/admin/src/scripts/ns-accountstatus.pl.in
index 37fc7fa..a20d2df 100644
--- a/ldap/admin/src/scripts/ns-accountstatus.pl.in
+++ b/ldap/admin/src/scripts/ns-accountstatus.pl.in
@@ -474,7 +474,7 @@ sub getAcctPolicy
close(LDAP1);
#
- # Now, get the DN for the cos template from the entry
+ # Now, get the DN for the account policy subEntry from the entry (if available)
#
$srch{base} = $entry;
$srch{filter} = "(objectclass=*)";
@@ -486,14 +486,19 @@ sub getAcctPolicy
s/\n //g;
if (/^$cosspecattr: (.*)/i){
$templateDN = $1;
+ break;
}
}
close(LDAP1);
#
- # Get the inactivity limit from the template]
+ # Get the inactivity limit
#
- $srch{base} = $templateDN;
+ $srch{base} = $configentry;
+ if ($templateDN){
+ # Use subEntry DN
+ $srch{base} = $templateDN;
+ }
$srch{filter} = "($limitattr=*)";
$srch{scope} = "base";
$srch{attrs} = "$limitattr";
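Review bot: The added `break;` is not a loop-exit statement in Perl; leaving the enclosing read loop is spelled `last;`. Depending on the script's pragmas, `break` is either rejected at compile time or fails when reached, which would be exactly when `$templateDN` has just been found. Change the line to `last;`. The loop itself starts outside the hunk, so confirm it is an ordinary `while`/`foreach` rather than a `given`/`when` block.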
commit 99a34b4ef856af505df254a03e64d39d520c4ab1
Author: Mark Reynolds <mreynolds at redhat.com>
Date: Wed Oct 19 15:50:15 2016 -0400
Ticket 47703 - remove search limit for aci group evaluation
Bug Description: Groups that have members that exceed the server sizelimit
are not fully processed, and aci evaluation fails.
Fix Description: There should not be a sizelimit when processing aci's based
on group membership.
https://fedorahosted.org/389/ticket/47703
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 3151648f2c761efd8caab25cd09023947534a5da)
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index 6e3198f..be3774c 100644
--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -523,8 +523,6 @@ struct acl_pblock {
/* Keep the Group nesting level */
int aclpb_max_nesting_level;
- int aclpb_max_member_sizelimit;
-
/* To keep the results in the cache */
diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
index 7c2e275..08ff186 100644
--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -865,16 +865,6 @@ acl_init_aclpb ( Slapi_PBlock *pb, Acl_PBlock *aclpb, const char *ndn, int copy_
aclg_init_userGroup ( aclpb, ndn, 0 /* get lock */ );
slapi_pblock_get( pb, SLAPI_BE_MAXNESTLEVEL, &aclpb->aclpb_max_nesting_level );
- slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &aclpb->aclpb_max_member_sizelimit );
- if ( aclpb->aclpb_max_member_sizelimit == 0 ) {
- aclpb->aclpb_max_member_sizelimit = SLAPD_DEFAULT_LOOKTHROUGHLIMIT;
- } else if ( aclpb->aclpb_max_member_sizelimit < -1 ) {
- /* handle the case of a negtive size limit either set or due
- * to bug bz1065971. The member size limit should be dropped,
- * but for backward compatibility to the best we can
- */
- aclpb->aclpb_max_member_sizelimit = -1;
- }
slapi_pblock_get( pb, SLAPI_OPERATION_TYPE, &aclpb->aclpb_optype );
aclpb->aclpb_signature = acl_get_aclsignature();
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index 47ac0b8..011b8e9 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -1979,7 +1979,6 @@ acllas__user_ismember_of_group( struct acl_pblock *aclpb,
int totalMembersVisited;
int numOfMembers;
int max_nestlevel;
- int max_memberlimit;
aclUserGroup *u_group;
struct member_info *groupMember = NULL;
struct member_info *parentGroup = NULL;
@@ -2064,7 +2063,6 @@ acllas__user_ismember_of_group( struct acl_pblock *aclpb,
info.clientCert = NULL;
info.aclpb = aclpb;
- max_memberlimit = aclpb->aclpb_max_member_sizelimit;
max_nestlevel = aclpb->aclpb_max_nesting_level;
#ifdef FOR_DEBUGGING
@@ -2142,15 +2140,6 @@ eval_another_member:
goto free_and_return;
}
- /* limit of -1 means "no limit */
- if (info.c_idx > max_memberlimit &&
- max_memberlimit != -1 ) {
- slapi_log_error( SLAPI_LOG_ACL, plugin_name,
- "GroupEval:Looked at too many entries:(%d, %d)\n",
- info.c_idx, info.lu_idx);
- result = ACL_DONT_KNOW; /* don't try to cache info based on this result */
- goto free_and_return;
- }
if (info.lu_idx > info.c_idx) {
if (numOfMembers == (info.lu_idx - info.c_idx)) {
/* That means it's not a GROUP. It is just another
commit 9982033b7cd888bd30400001e10158a9bbf9b863
Author: Mark Reynolds <mreynolds at redhat.com>
Date: Fri Oct 14 16:17:46 2016 -0400
Ticket 48909 - Replication stops working in FIPS mode
Bug Description: When FIPS mode is enabled on the security database, the
token name is changed. This prevents the server from
reverse decoding the replication manager's password. Which
prevents replication sessions from getting established.
Fix Description: Instead of getting the key slot from the hard-coded token
name, call slapd_pk11_getInternalKeySlot() which gets the
current slot.
https://fedorahosted.org/389/ticket/48909
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 61c72f966bda17993f483e8f79d97dff20b7cc93)
diff --git a/ldap/servers/plugins/rever/pbe.c b/ldap/servers/plugins/rever/pbe.c
index 0588c73..4034ac5 100644
--- a/ldap/servers/plugins/rever/pbe.c
+++ b/ldap/servers/plugins/rever/pbe.c
@@ -69,7 +69,7 @@ struct pk11ContextStore
static int encode_path(char *inPlain, char **outCipher, char *path, int mech);
static int decode_path(char *inCipher, char **outPlain, char *path, int mech, char *algid);
-static SVRCOREError genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, PRArenaPool *arena, char *algid);
+static SVRCOREError genKey(struct pk11ContextStore **out, char *path, int mech, PRArenaPool *arena, char *algid);
static SVRCOREError cryptPassword(struct pk11ContextStore *store, char * clear, unsigned char **out);
static SVRCOREError decryptPassword(struct pk11ContextStore *store, unsigned char *cipher, char **out, int len);
static void freePBE(struct pk11ContextStore *store);
@@ -102,7 +102,7 @@ encode_path(char *inPlain, char **outCipher, char *path, int mech)
*outCipher = NULL;
err = 1;
- if ( genKey(&context, tokPBE, path, mech, arena, NULL) == SVRCORE_Success ){
+ if ( genKey(&context, path, mech, arena, NULL) == SVRCORE_Success ){
/* Try an encryption */
if ( cryptPassword(context, inPlain, &cipher) == SVRCORE_Success ){
base = BTOA_DataToAscii(cipher, context->length);
@@ -160,7 +160,7 @@ decode_path(char *inCipher, char **outPlain, char *path, int mech, char *algid)
*outPlain = NULL;
err = 1;
- if ( genKey(&context, tokPBE, path, mech, arena, algid) == SVRCORE_Success ){
+ if ( genKey(&context, path, mech, arena, algid) == SVRCORE_Success ){
/* it seems that there is memory leak in that function: bug 400170 */
base = ATOB_AsciiToData(inCipher, (unsigned int*)&len);
if ( base != NULL ){
@@ -196,7 +196,7 @@ freePBE(struct pk11ContextStore *store)
}
static SVRCOREError
-genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, PRArenaPool *arena, char *alg)
+genKey(struct pk11ContextStore **out, char *path, int mech, PRArenaPool *arena, char *alg)
{
SVRCOREError err = SVRCORE_Success;
struct pk11ContextStore *store = NULL;
@@ -223,8 +223,7 @@ genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, P
}
*out = store;
- /* Use the tokenName to find a PKCS11 slot */
- store->slot = slapd_pk11_findSlotByName((char *)token);
+ store->slot = slapd_pk11_getInternalKeySlot();
if (store->slot == NULL){
err = SVRCORE_NoSuchToken_Error;
goto done;
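Review bot: The removed comment explained how the slot was chosen and the replacement line has none; add one recording the reason from the commit message, e.g. `/* FIPS mode renames the token, so take the internal key slot instead of looking it up by name */`. `tokPBE` is no longer passed at either `genKey` call site in these hunks; if nothing else in pbe.c uses it, its definition can be removed as well. `genKey`'s body continues outside the hunk.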