From 610e2d409279e87546d537687508b7f8b05bcbfa Mon Sep 17 00:00:00 2001
From: Noriko Hosoi
Date: Fri, 25 Jan 2013 17:18:03 -0800
Subject: [PATCH] Ticket #533 - only scan for attributes to decrypt if there are encrypted attrs configured

Bug description: When an internal entry is created in id2entry, all attributes are scanned in attrcrypt_decrypt_entry() and checked if they need to be decrypted regardless of SSL configured on the server or not.
Fix description: In attrcrypt_encrypt_* and attrcrypt_decrypt_* functions, this patch checks the attrcrypt_configured flag. It goes scanning the attribute list only when the encrypt_ configured flag is set to true.
---
 ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c | 39 +++++++++++++++++++++++++
 1 files changed, 39 insertions(+), 0 deletions(-)

diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
index f0ef692..4e02785 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
@@ -818,6 +818,15 @@ attrcrypt_decrypt_entry(backend *be, struct backentry *e)
 int rc = 0;
 Slapi_Attr *attr = NULL;
 char *type = NULL;
+ ldbm_instance *inst = (ldbm_instance *)be->be_instance_info;
+
+ if (!inst->attrcrypt_configured) {
+ /*
+ * No encryption is enabled in this backend at all.
+ * There's no need to scan the attributes to decrypt them.
+ */
+ return ret;
+ }
 LDAPDebug(LDAP_DEBUG_TRACE,"-> attrcrypt_decrypt_entry\n", 0, 0, 0);
 /* Scan through the entry's attributes, looking to see if any are configured for crypto */
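Review bot: The guard added at the top of attrcrypt_decrypt_entry makes `inst->attrcrypt_configured` the single switch for attribute encryption, and nothing in this patch shows where that flag is set or kept in step with the per-attribute `ai->ai_attrcrypt`. If the two can disagree, the decrypt side hands back stored ciphertext unchanged, and the same guard in attrcrypt_encrypt_entry_inplace, attrcrypt_encrypt_entry and attrcrypt_encrypt_index_key skips encryption and returns `ret` (declared outside the hunks, presumably success), so values meant to be protected would be written in clear without any error. The index-key functions show the gap directly, since their guard sits just above `if (ai->ai_attrcrypt)`. I would state the invariant at each guard, e.g. `/* attrcrypt_configured is set whenever any attribute of this instance has ai_attrcrypt */`, and confirm that the configuration path upholds it. The function bodies start and continue outside the hunks.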
@@ -870,6 +879,15 @@ attrcrypt_encrypt_entry_inplace(backend *be, const struct backentry *inout)
 char *type = NULL;
 Slapi_Attr *attr = NULL;
 Slapi_Value **svals = NULL;
+ ldbm_instance *inst = (ldbm_instance *)be->be_instance_info;
+
+ if (!inst->attrcrypt_configured) {
+ /*
+ * No encryption is enabled in this backend at all.
+ * There's no need to scan the attributes to encrypt them.
+ */
+ return ret;
+ }
 LDAPDebug(LDAP_DEBUG_TRACE,"-> attrcrypt_encrypt_entry_inplace\n", 0, 0, 0);
 /* Scan the entry's attributes looking for any that are configured for encryption */
@@ -906,6 +924,15 @@ attrcrypt_encrypt_entry(backend *be, const struct backentry *in, struct backentr
 struct backentry *new_entry = NULL;
 char *type = NULL;
 Slapi_Attr *attr = NULL;
+ ldbm_instance *inst = (ldbm_instance *)be->be_instance_info;
+
+ if (!inst->attrcrypt_configured) {
+ /*
+ * No encryption is enabled in this backend at all.
+ * There's no need to scan the attributes to encrypt them.
+ */
+ return ret;
+ }
 LDAPDebug(LDAP_DEBUG_TRACE,"-> attrcrypt_encrypt_entry\n", 0, 0, 0);
 *out = NULL;
@@ -959,6 +986,12 @@ attrcrypt_encrypt_index_key(backend *be, struct attrinfo *ai, const struct berva
 char *out_data = NULL;
 size_t out_size = 0;
 struct berval *out_berval = NULL;
+ ldbm_instance *inst = (ldbm_instance *)be->be_instance_info;
+
+ if (!inst->attrcrypt_configured) {
+ /* No encryption is enabled in this backend at all. */
+ return ret;
+ }
 if (ai->ai_attrcrypt) {
 LDAPDebug(LDAP_DEBUG_TRACE,"-> attrcrypt_encrypt_index_key\n", 0, 0, 0);
@@ -990,6 +1023,12 @@ attrcrypt_decrypt_index_key(backend *be,
 struct berval **out)
 {
 int rc = 0; /* success */
+ ldbm_instance *inst = (ldbm_instance *)be->be_instance_info;
+
+ if (!inst->attrcrypt_configured) {
+ /* No encryption is enabled in this backend at all. */
+ return rc;
+ }
 if (ai->ai_attrcrypt) {
 Slapi_Value *value = NULL;
--
1.7.7.6
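Review bot: In attrcrypt_encrypt_entry the new early `return ret;` sits above the existing `*out = NULL;`, so on the unconfigured path the out-parameter is never written. A caller that passes an uninitialised `struct backentry *` and tests it after the call would then read an indeterminate pointer; the callers are outside this patch, so that needs checking. Moving the guard below `*out = NULL;`, or adding `*out = NULL;` just before `return ret;`, keeps the contract the function had before the change. The function body starts and continues outside the hunk.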