author | Rich Megginson <rmeggins@redhat.com> | 2009-07-14 12:50:36 -0600 |
committer | Rich Megginson <rmeggins@redhat.com> | 2009-07-14 14:41:45 -0600 |
commit | bea97a2d7b6437419cc5649645f0c58b6966a46e (patch) | |
tree | 9baee3513c3905affd830a36a5813e3cfc84a304 /ldap/servers | |
parent | a4240192f344a1a172cfdf8609661b90435b5db3 (diff) | |
Fix attrcrypt usage of nsSymmetricKey
The current attrcrypt is failing because it attempts to store the encryption
symkey in the nsSymmetricKey attribute. This attribute is not defined in the
schema, so it defaults to DirectoryString syntax. Storing the value then fails
syntax validation because the binary values in the key do not conform to
DirectoryString. The code was poorly designed to handle and report errors of
this nature. The real fix is to add nsSymmetricKey as a BINARY syntax
attribute. I also cleaned up the error detection and reporting for this case.
Reviewed by: nkinder (Thanks!)
Diffstat (limited to 'ldap/servers')
-rw-r--r-- | ldap/servers/slapd/back-ldbm/dblayer.c | 7 | ||||
-rw-r--r-- | ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c | 35 |
2 files changed, 36 insertions, 6 deletions
diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c
index 4eeb93c1..42642b24 100644
--- a/ldap/servers/slapd/back-ldbm/dblayer.c
+++ b/ldap/servers/slapd/back-ldbm/dblayer.c
@@ -1837,7 +1837,12 @@ int dblayer_instance_start(backend *be, int mode)
 return 0;
 }
- attrcrypt_init(inst);
+ if (attrcrypt_init(inst)) {
+ LDAPDebug(LDAP_DEBUG_ANY,
+ "Error: unable to initialize attrcrypt system for %s\n",
+ inst->inst_name, 0, 0);
+ return -1;
+ }
 /* Get the name of the directory that holds index files
 * for this instance. */
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
index a37c0bad..763bd2c9 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
@@ -209,9 +209,14 @@ attrcrypt_keymgmt_store_key(ldbm_instance *li, attrcrypt_cipher_state *acs, SECK
 slapi_value_free(&key_value);
 /* Store the entry */
 slapi_add_entry_internal_set_pb(pb, e, NULL, li->inst_li->li_identity, 0);
- if ((rc = slapi_add_internal_pb(pb)) != LDAP_SUCCESS) {
- LDAPDebug(LDAP_DEBUG_ANY, "attrcrypt_keymgmt_store_key: failed to add config key entries to the DSE: %d\n", rc, 0, 0);
- }
+ rc = slapi_add_internal_pb(pb);
+ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
+ if (rc != LDAP_SUCCESS) {
+ char *resulttext = NULL;
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &resulttext);
+ LDAPDebug(LDAP_DEBUG_ANY, "attrcrypt_keymgmt_store_key: failed to add config key entries to the DSE: %d: %s: %s\n", rc, ldap_err2string(rc), resulttext ? resulttext : "unknown");
+ ret = -1;
+ }
 if (entry_string) {
 slapi_ch_free((void**)&entry_string);
 }
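Review bot: The return code of attrcrypt_init is collapsed to a boolean and thrown away before the log line, so the new message names the instance but gives no hint why initialisation failed; keep it and log it: `int rc = attrcrypt_init(inst);` / `if (rc) {` / `"Error: unable to initialize attrcrypt system for %s (%d)\n", inst->inst_name, rc, 0);`. Failing the instance start here is the right outcome for a backend whose encryption key cannot be set up, since continuing would presumably leave attribute encryption silently unavailable. The hunk shows other early `return`s just above, so the new `return -1` probably fits the function's existing cleanup discipline, but that cannot be verified here because dblayer_instance_start starts and ends outside the hunk.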
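Review bot: `rc = slapi_add_internal_pb(pb);` is overwritten on the very next line by `slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);`, so if slapi_add_internal_pb can fail before the operation runs and the result slot is filled, that failure is presumably masked by whatever the pblock already holds and the key entry is reported as stored when it was not. Consult the result slot only when the call itself succeeded: `if ((rc = slapi_add_internal_pb(pb)) == 0) {` / `    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);` / `}`. The richer message with ldap_err2string and the result text, plus propagating `ret = -1`, is exactly what was missing for the schema/syntax failure the commit message describes. attrcrypt_keymgmt_store_key starts and ends outside the hunk.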
@@ -542,7 +547,7 @@ attrcrypt_get_acs(backend *be, attrcrypt_private *priv)
 #if defined(DEBUG_ATTRCRYPT)
 static void log_bytes(char* format_string, unsigned char *bytes, size_t length)
 {
- size_t max_length = 20;
+ size_t max_length = 40;
 size_t truncated_length = (length > max_length) ? max_length : length;
 size_t x = 0;
 char *print_buffer = NULL;
@@ -586,7 +591,7 @@ attrcrypt_crypto_op(attrcrypt_private *priv, backend *be, struct attrinfo *ai, c
 if (encrypt) {
 LDAPDebug(LDAP_DEBUG_ANY,"attrcrypt_crypto_op encrypt '%s' (%d)\n", in_data, in_size, 0);
 } else {
- log_bytes("attrcrypt_crypto_op decrypt '%s' (%d)\n", in_data, in_size);
+ log_bytes("attrcrypt_crypto_op decrypt '%s' (%d)\n", (unsigned char *)in_data, in_size);
 }
 #endif
 /* Allocate the output buffer */
@@ -623,15 +628,35 @@ attrcrypt_crypto_op(attrcrypt_private *priv, backend *be, struct attrinfo *ai, c
 goto error;
 } else {
 #if defined(DEBUG_ATTRCRYPT)
+ int recurse = 1;
 if (encrypt) {
 log_bytes("slapd_pk11_DigestFinal '%s' (%d)\n", output_buffer, output_buffer_size1 + output_buffer_size2);
 } else {
 LDAPDebug(LDAP_DEBUG_ANY,"slapd_pk11_DigestFinal '%s', %u\n", output_buffer, output_buffer_size2, 0);
 }
+ if (*out_size == -1) {
+ recurse = 0;
+ }
 #endif
 *out_size = output_buffer_size1 + output_buffer_size2;
 *out_data = (char *)output_buffer;
 ret = 0; /* success */
+#if defined(DEBUG_ATTRCRYPT)
+ if (recurse) {
+ char *redo_data = NULL;
+ size_t redo_size = -1;
+ int redo_ret;
+
+ LDAPDebug(LDAP_DEBUG_ANY,"------> check result of crypto op\n", 0, 0, 0);
+ redo_ret = attrcrypt_crypto_op(priv, be, ai, *out_data, *out_size, &redo_data, &redo_size, !encrypt);
+ slapi_log_error(SLAPI_LOG_FATAL, "DEBUG_ATTRCRYPT",
+ "orig length %ld redone length %ld\n", in_size, redo_size);
+ log_bytes("DEBUG_ATTRCRYPT orig bytes '%s' (%d)\n", (unsigned char *)in_data, in_size);
+ log_bytes("DEBUG_ATTRCRYPT redo bytes '%s' (%d)\n", (unsigned char *)redo_data, redo_size);
+
+ LDAPDebug(LDAP_DEBUG_ANY,"<------ check result of crypto op\n", 0, 0, 0);
+ }
+#endif
 }
 error:
 if (sec_context) { |
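Review bot: `redo_data`, filled by the recursive attrcrypt_crypto_op call, is logged but never released, so every DEBUG_ATTRCRYPT crypto operation appears to leak the round-trip output buffer; add `slapi_ch_free((void **)&redo_data);` after the second log_bytes call. `redo_ret` is assigned and never read, and the two `%ld` conversions are given `redo_size`, a `size_t`, which is a format mismatch; the fence below checks the return value and compares the round-tripped bytes against `in_data` instead of only printing their lengths. The `if (*out_size == -1)` recursion guard reads the out-parameter before this function assigns it, so it presumably depends on every top-level caller initialising `*out_size` to something other than `(size_t)-1`, which is worth confirming at the call sites, all outside the hunk. The added log_bytes calls write the plaintext side of encrypted attribute values to the error log; they are compile-time gated by DEBUG_ATTRCRYPT, and the build must keep that macro out of production binaries. attrcrypt_crypto_op starts outside the hunk.
```c
            redo_ret = attrcrypt_crypto_op(priv, be, ai, *out_data, *out_size, &redo_data, &redo_size, !encrypt);
            if (redo_ret || redo_size != (size_t)in_size ||
                memcmp(redo_data, in_data, redo_size) != 0) {
                slapi_log_error(SLAPI_LOG_FATAL, "DEBUG_ATTRCRYPT",
                                "round trip mismatch: ret %d orig length %lu redone length %lu\n",
                                redo_ret, (unsigned long)in_size, (unsigned long)redo_size);
            }
            /* … unchanged: log_bytes calls for orig and redo bytes … */
            slapi_ch_free((void **)&redo_data);
```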