base64 encode passwords in back-config

2025-04-12 15:10:31 +08:00 · 2005-04-09 15:19:36 +00:00 · 2005-04-09 15:19:36 +00:00 · 58d4f7fc20
commit 58d4f7fc20
parent a2a28f7b95
3 changed files with 159 additions and 9 deletions
--- a/include/ldif.h
+++ b/include/ldif.h
@ -85,6 +85,13 @@ ldif_read_record LDAP_P((
 	char **bufp,
 	int *buflen ));

+LDAP_LDIF_F( int )
+ldif_must_b64_encode_register LDAP_P((
+	LDAP_CONST char *name,
+	LDAP_CONST char *oid ));
+
+LDAP_LDIF_F( void )
+ldif_must_b64_encode_release LDAP_P(( void ));

 #define LDIF_PUT_NOVALUE	0x0000	/* no value */
 #define LDIF_PUT_VALUE		0x0001	/* value w/ auto detection */
--- a/libraries/liblutil/ldif.c
+++ b/libraries/liblutil/ldif.c
@ -359,6 +359,131 @@ ldif_getline( char **next )
 	return( line );
 }

+/*
+ * name and OID of attributeTypes that must be base64 encoded in any case
+ */
+typedef struct must_b64_encode_s {
+	struct berval	name;
+	struct berval	oid;
+} must_b64_encode_s;
+
+static must_b64_encode_s	default_must_b64_encode[] = {
+	{ BER_BVC( "userPassword" ), BER_BVC( "2.5.4.35" ) },
+	{ BER_BVNULL, BER_BVNULL }
+};
+
+static must_b64_encode_s	*must_b64_encode = default_must_b64_encode;
+
+/*
+ * register name and OID of attributeTypes that must always be base64 
+ * encoded
+ *
+ * NOTE: this routine mallocs memory in a static struct which must 
+ * be explicitly freed when no longer required
+ */
+int
+ldif_must_b64_encode_register( LDAP_CONST char *name, LDAP_CONST char *oid )
+{
+	int		i;
+	ber_len_t	len;
+
+	assert( must_b64_encode );
+	assert( name );
+	assert( oid );
+
+	len = strlen( name );
+
+	for ( i = 0; !BER_BVISNULL( &must_b64_encode[i].name ); i++ ) {
+		if ( len != must_b64_encode[i].name.bv_len ) {
+			continue;
+		}
+
+		if ( strcasecmp( name, must_b64_encode[i].name.bv_val ) == 0 ) {
+			break;
+		}
+	}
+
+	if ( !BER_BVISNULL( &must_b64_encode[i].name ) ) {
+		return 1;
+	}
+
+	for ( i = 0; !BER_BVISNULL( &must_b64_encode[i].name ); i++ )
+		/* just count */ ;
+
+	if ( must_b64_encode == default_must_b64_encode ) {
+		must_b64_encode = ber_memalloc( sizeof( must_b64_encode_s ) * ( i + 2 ) );
+
+		for ( i = 0; !BER_BVISNULL( &default_must_b64_encode[i].name ); i++ ) {
+			ber_dupbv( &must_b64_encode[i].name, &default_must_b64_encode[i].name );
+			ber_dupbv( &must_b64_encode[i].oid, &default_must_b64_encode[i].oid );
+		}
+
+	} else {
+		must_b64_encode_s	*tmp;
+
+		tmp = ber_memrealloc( must_b64_encode,
+			sizeof( must_b64_encode_s ) * ( i + 2 ) );
+		if ( tmp == NULL ) {
+			return 1;
+		}
+		must_b64_encode = tmp;
+	}
+
+	ber_str2bv( name, len, 1, &must_b64_encode[i].name );
+	ber_str2bv( oid, 0, 1, &must_b64_encode[i].oid );
+
+	BER_BVZERO( &must_b64_encode[i + 1].name );
+
+	return 0;
+}
+
+void
+ldif_must_b64_encode_release( void )
+{
+	int	i;
+
+	assert( must_b64_encode );
+
+	if ( must_b64_encode == default_must_b64_encode ) {
+		return;
+	}
+
+	for ( i = 0; !BER_BVISNULL( &must_b64_encode[i].name ); i++ ) {
+		ber_memfree( must_b64_encode[i].name.bv_val );
+		ber_memfree( must_b64_encode[i].oid.bv_val );
+	}
+
+	ber_memfree( must_b64_encode );
+
+	must_b64_encode = default_must_b64_encode;
+}
+
+/*
+ * returns 1 iff the string corresponds to the name or the OID of any 
+ * of the attributeTypes listed in must_b64_encode
+ */
+static int
+ldif_must_b64_encode( LDAP_CONST char *s )
+{
+	int		i;
+	struct berval	bv;
+
+	assert( must_b64_encode );
+	assert( s );
+
+	ber_str2bv( s, 0, 0, &bv );
+
+	for ( i = 0; !BER_BVISNULL( &must_b64_encode[i].name ); i++ ) {
+		if ( ber_bvstrcasecmp( &must_b64_encode[i].name, &bv ) == 0
+				|| ber_bvstrcasecmp( &must_b64_encode[i].oid, &bv ) == 0 )
+		{
+			return 1;
+		}
+	}
+
+	return 0;
+}
+
 /* compatibility with U-Mich off by one bug */
 #define LDIF_KLUDGE 1

@ -479,10 +604,7 @@ ldif_sput(
 		&& strstr( name, ";binary" ) == NULL
 #endif
 #ifndef LDAP_PASSWD_DEBUG
-		&& (namelen != (sizeof("userPassword")-1)
-		|| strcasecmp( name, "userPassword" ) != 0)	/* encode userPassword */
-		&& (namelen != (sizeof("2.5.4.35")-1) 
-		|| strcasecmp( name, "2.5.4.35" ) != 0)		/* encode userPassword */
+		&& !ldif_must_b64_encode( name )
 #endif
 	) {
 		int b64 = 0;
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@ -4031,6 +4031,13 @@ config_back_db_init( Backend *be )
 	return 0;
 }

+static int
+config_back_destroy( BackendInfo *bi )
+{
+	ldif_must_b64_encode_release();
+	return 0;
+}
+
 static struct {
 	char *name;
 	AttributeDescription **desc;
@ -4068,10 +4075,12 @@ static struct {
 int
 config_back_initialize( BackendInfo *bi )
 {
-	ConfigTable *ct = config_back_cf_table;
-	char *argv[4];
-	int i;
-	static char *controls[] = {
+	ConfigTable		*ct = config_back_cf_table;
+	char			*argv[4];
+	int			i;
+	AttributeDescription	*ad = NULL;
+	const char		*text;
+	static char		*controls[] = {
 		LDAP_CONTROL_MANAGEDSAIT,
 		NULL
 	};
@ -4081,7 +4090,7 @@ config_back_initialize( BackendInfo *bi )
 	bi->bi_open = 0;
 	bi->bi_close = 0;
 	bi->bi_config = 0;
-	bi->bi_destroy = 0;
+	bi->bi_destroy = config_back_destroy;

 	bi->bi_db_init = config_back_db_init;
 	bi->bi_db_config = 0;
@ -4118,6 +4127,18 @@ config_back_initialize( BackendInfo *bi )
 	i = config_register_schema( ct, cf_ocs );
 	if ( i ) return i;

+	i = slap_str2ad( "olcRootPW", &ad, &text );
+	/* basically, we don't care if it fails */
+	if ( i ) {
+		Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
+			"warning, unable to get \"olcRootPW\" "
+			"attribute description: %d: %s\n",
+			i, text, 0 );
+	} else {
+		(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
+			ad->ad_type->sat_oid );
+	}
+
 	/* set up the notable AttributeDescriptions */
 	i = 0;
 	for (;ct->name;ct++) {