From ab6e5a77de769f55d55e70d7754ec732385e7067 Mon Sep 17 00:00:00 2001
From: Nathan Kinder
Date: Wed, 30 Sep 2009 09:33:29 -0700
Subject: Add minimum SSF setting

This adds a new configuration setting to the cn=config entry named nsslapd-minssf. This can be set to a non-negative integer representing the minimum key strength required to process operations. The default setting will be 0. The SSF for a particular connection will be determined by the key strength cipher used to protect the connection. If the SSF used for a connection does not meet the minimum requirement, the operation will be rejected with an error code of LDAP_UNWILLING_TO_PERFORM (53) along with a message stating that the minimum SSF was not met. Notable exceptions to this are operations that attempt to protect a connection. These operations are: * SASL BIND * startTLS These operations will be allowed to occur on a connection with a SSF less than the minimum. If the results of these operations end up with a SSF smaller than the minimum, they will be rejected. Additionally, we allow UNBIND and ABANDON operations to go through. I also corrected a few issues with the anonymous access switch code that I noticed while testing. We need to allow the startTLS extended operation to go through when sent by an anonymous user since it is common to send startTLS prior to a BIND to protect the credentials. I also noticed that we were using the authtype from the operation struct to determine is a user was anonymous when we really should have been using the DN. This was causing anonymous operations to get through on SSL/TLS connections.
---
 ldap/servers/slapd/pblock.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'ldap/servers/slapd/pblock.c')
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index 072b6185..d8cd876a 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -351,6 +351,16 @@ slapi_pblock_get( Slapi_PBlock *pblock, int arg, void *value )
 (*(int *)value) = pblock->pb_conn->c_sasl_ssf;
 PR_Unlock( pblock->pb_conn->c_mutex );
 break;
+ case SLAPI_CONN_SSL_SSF:
+ if (pblock->pb_conn == NULL) {
+ LDAPDebug( LDAP_DEBUG_ANY,
+ "Connection is NULL and hence cannot access SLAPI_CONN_SSL_SSF \n", 0, 0, 0 );
+ return (-1);
+ }
+ PR_Lock( pblock->pb_conn->c_mutex );
+ (*(int *)value) = pblock->pb_conn->c_ssl_ssf;
+ PR_Unlock( pblock->pb_conn->c_mutex );
+ break;
 case SLAPI_CONN_CERT:
 if (pblock->pb_conn == NULL) {
 LDAPDebug( LDAP_DEBUG_ANY,
-- 
cgit
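Review bot: The NULL-connection branch of the new SLAPI_CONN_SSL_SSF case returns -1 without writing anything through `value`, so a caller that does not check the return will compare whatever its local int already held against the minimum-SSF setting this commit introduces. Because this value now gates whether an operation is processed, it is worth storing a conservative result before bailing out, `(*(int *)value) = 0;` immediately before `return (-1);`, so an unchecked lookup failure is treated as an unprotected connection rather than as an arbitrary strength. The existing SLAPI_CONN_SASL_SSF case just above has the same shape and could be given the same treatment for consistency. The enclosing slapi_pblock_get switch starts and ends outside the hunk, so I cannot see whether every caller of these two getters checks the return code.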