Rework security restrictions for SASL bind

2025-01-18 11:05:48 +08:00 · 2001-02-03 03:17:22 +00:00 · 2001-02-03 03:17:22 +00:00 · 0fc62be316
commit 0fc62be316
parent f9a302b1f6
3 changed files with 38 additions and 15 deletions
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@ -783,46 +783,55 @@ backend_check_restrictions(
 			updateop++;
 		}

-		if( op->o_ssf < ssf->sss_ssf ) {
-			*text = "confidentiality required";
-			return LDAP_CONFIDENTIALITY_REQUIRED;
-		}
 		if( op->o_transport_ssf < ssf->sss_transport ) {
 			*text = "transport confidentiality required";
 			return LDAP_CONFIDENTIALITY_REQUIRED;
 		}
+
 		if( op->o_tls_ssf < ssf->sss_tls ) {
 			*text = "TLS confidentiality required";
 			return LDAP_CONFIDENTIALITY_REQUIRED;
 		}
-		if( op->o_sasl_ssf < ssf->sss_sasl ) {
-			*text = "SASL confidentiality required";
-			return LDAP_CONFIDENTIALITY_REQUIRED;
+
+		if( op->o_tag != LDAP_REQ_BIND || opdata == NULL ) {
+			/* these checks don't apply to SASL bind */
+
+			if( op->o_sasl_ssf < ssf->sss_sasl ) {
+				*text = "SASL confidentiality required";
+				return LDAP_CONFIDENTIALITY_REQUIRED;
+			}
+
+			if( op->o_ssf < ssf->sss_ssf ) {
+				*text = "confidentiality required";
+				return LDAP_CONFIDENTIALITY_REQUIRED;
+			}
 		}

 		if( updateop ) {
-			if( op->o_ssf < ssf->sss_update_ssf ) {
-				*text = "update confidentiality required";
-				return LDAP_CONFIDENTIALITY_REQUIRED;
-			}
 			if( op->o_transport_ssf < ssf->sss_update_transport ) {
 				*text = "transport update confidentiality required";
 				return LDAP_CONFIDENTIALITY_REQUIRED;
 			}
+
 			if( op->o_tls_ssf < ssf->sss_update_tls ) {
 				*text = "TLS update confidentiality required";
 				return LDAP_CONFIDENTIALITY_REQUIRED;
 			}
+
 			if( op->o_sasl_ssf < ssf->sss_update_sasl ) {
 				*text = "SASL update confidentiality required";
 				return LDAP_CONFIDENTIALITY_REQUIRED;
 			}
+
+			if( op->o_ssf < ssf->sss_update_ssf ) {
+				*text = "update confidentiality required";
+				return LDAP_CONFIDENTIALITY_REQUIRED;
+			}
 		}
 	}

-	if ( op->o_tag != LDAP_REQ_BIND &&
-		( op->o_tag != LDAP_REQ_EXTENDED ||
-		  strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) ) )
+	if ( op->o_tag != LDAP_REQ_BIND && ( op->o_tag != LDAP_REQ_EXTENDED ||
+		strcmp( (const char *) opdata, LDAP_EXOP_START_TLS ) ) )
 	{
 		/* these checks don't apply to Bind or StartTLS */

--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@ -251,6 +251,14 @@ do_bind(
 			goto cleanup;
 		}

+		/* check restrictions */
+		rc = backend_check_restrictions( NULL, conn, op, mech, &text );
+		if( rc != LDAP_SUCCESS ) {
+			send_ldap_result( conn, op, rc,
+				NULL, text, NULL, NULL );
+			goto cleanup;
+		}
+
 		ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 		if ( conn->c_sasl_bind_in_progress ) {
 			if((strcmp(conn->c_sasl_bind_mech, mech) != 0)) {
@ -327,6 +335,9 @@ do_bind(
 				/* disallow */
 				rc = LDAP_INAPPROPRIATE_AUTH;
 				text = "anonymous bind disallowed";
+
+			} else {
+				rc = backend_check_restrictions( NULL, conn, op, mech, &text );
 			}

 			/*
@ -424,7 +435,7 @@ do_bind(
 	}

 	/* check restrictions */
-	rc = backend_check_restrictions( be, conn, op, NULL, &text ) ;
+	rc = backend_check_restrictions( be, conn, op, NULL, &text );
 	if( rc != LDAP_SUCCESS ) {
 		send_ldap_result( conn, op, rc,
 			NULL, text, NULL, NULL );
--- a/tests/data/slapd-schema.conf
+++ b/tests/data/slapd-schema.conf
@ -29,3 +29,6 @@ database	@BACKEND@
 suffix		"o=OpenLDAP Project, l=Internet"
 directory	./test-db
 index		objectClass eq
+
+security	ssf=256
+