From 7ac21ffc3165d213502518177cb3f26bef0dbdeb Mon Sep 17 00:00:00 2001
From: Ludovic Poitou <ludovic.poitou@forgerock.com>
Date: Thu, 21 Nov 2013 14:58:53 +0000
Subject: [PATCH] Fix for issue OPENDJ-1216 : Possible incorrect evaluation of the SSF value by the SASL layer. The changes make sure that any unexpected behavior is treated as if no security was provided (i.e. SSF = 0).
---
opends/src/server/org/opends/server/extensions/SASLContext.java | 42 +++++++++++++++++++-----------------------
1 files changed, 19 insertions(+), 23 deletions(-)
diff --git a/opends/src/server/org/opends/server/extensions/SASLContext.java b/opends/src/server/org/opends/server/extensions/SASLContext.java
index b559b7a..b7a5778 100644
--- a/opends/src/server/org/opends/server/extensions/SASLContext.java
+++ b/opends/src/server/org/opends/server/extensions/SASLContext.java
@@ -516,26 +516,29 @@
{
int ssf = 0;
final String qop = (String) saslServer.getNegotiatedProperty(Sasl.QOP);
- if (qop.equalsIgnoreCase(integrity))
+ if (integrity.equalsIgnoreCase(qop))
{
ssf = 1;
}
- else
+ else if (confidentiality.equalsIgnoreCase(qop))
{
final String negStrength = (String) saslServer
.getNegotiatedProperty(Sasl.STRENGTH);
- if (negStrength.equalsIgnoreCase("low"))
+ if ("low".equalsIgnoreCase(negStrength))
{
ssf = 40;
}
- else if (negStrength.equalsIgnoreCase("medium"))
+ else if ("medium".equalsIgnoreCase(negStrength))
{
ssf = 56;
}
- else
+ else if ("high".equalsIgnoreCase(negStrength))
{
ssf = 128;
}
+ /* Treat anything else as if not security is provided and keep the
+ server running
+ */
}
return ssf;
}
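Review bot: The block comment added after the strength chain reads "as if not security is provided"; it should read `/* Treat anything else as if no security is provided and keep the server running */`, since it documents the deliberate fail-safe default of leaving ssf at 0. Mapping an unexpected or null QOP/STRENGTH value to 0 is the conservative choice, but it also makes a negotiation that went wrong invisible; if this class already has a debug tracer, emitting the unexpected value on that fall-through path would let operators notice it. The enclosing method's signature is above the hunk, and `integrity`/`confidentiality` are presumably fields defined elsewhere in the file.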
@@ -684,7 +687,6 @@
{
setCallbackMsg(ERR_SASLDIGESTMD5_EMPTY_AUTHZID.get());
callback.setAuthorized(false);
- return;
}
else if (!responseAuthzID.equals(userName))
{
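Review bot: Dropping the `return;` after `callback.setAuthorized(false)` is behavior-neutral only if nothing follows the if/else-if chain in the enclosing method, which starts and ends outside this hunk; the same question applies to the returns removed in the later hunks (after the cannot-get-entry catch, after the cannot-map-username message together with the removed authEntry null check, and after `passwordCallback.setPassword`). For the catch-before-finally case in particular, any statements after the try/finally would now run with the error callback message already set, so it is worth confirming that each affected method ends immediately after the changed block. If that holds, the removals are pure cleanups and the new comment at the name callback adequately describes the remaining null-authEntry path.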
@@ -862,11 +864,11 @@
/**
* Helper routine to call the SASL server evaluateResponse method with the
- * specified byte array.
+ * specified ByteString.
*
- * @param bytes
- * The byte array to pass to the SASL server.
- * @return A byte array containing the result of the evaluation.
+ * @param response A ByteString containing the response to pass to the
+ * SASL server.
+ * @return A ByteString containing the result of the evaluation.
* @throws SaslException
* If the SASL server cannot evaluate the byte array.
*/
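Review bot: The `@throws SaslException` description still says `If the SASL server cannot evaluate the byte array.` although the parameter is now documented as a ByteString; change it to `* If the SASL server cannot evaluate the response.` so the Javadoc is consistent with the new `@param`/`@return` text. The documented method's signature follows the hunk.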
@@ -920,7 +922,6 @@
setCallbackMsg(ERR_SASL_CANNOT_GET_ENTRY_BY_DN.get(
String.valueOf(userDN), SASL_MECHANISM_DIGEST_MD5,
e.getMessageObject()));
- return;
}
finally
{
@@ -998,8 +999,8 @@
}
}
- if (AccessControlConfigManager.getInstance().getAccessControlHandler()
- .mayProxy(authInfo.getAuthenticationEntry(), e, bindOp) == false)
+ if (!AccessControlConfigManager.getInstance().getAccessControlHandler()
+ .mayProxy(authInfo.getAuthenticationEntry(), e, bindOp))
{
setCallbackMsg(ERR_SASL_AUTHZID_INSUFFICIENT_ACCESS.get(String
.valueOf(authEntry.getDN())));
@@ -1144,17 +1145,13 @@
}
setCallbackMsg(ERR_SASLDIGESTMD5_CANNOT_MAP_USERNAME.get(
String.valueOf(userName), e.getMessageObject()));
- return;
}
}
-
- if (authEntry == null)
- {
- // The authEntry is null, this is an error. The password callback
- // will catch this error. There is no way to stop the processing
- // from the name callback.
- return;
- }
+ /*
+ At this point, the authEntry should not be null.
+ If it is, it's an error, but the password callback will catch it.
+ There is no way to stop the processing from the name callback.
+ */
}
@@ -1214,7 +1211,6 @@
// Use the first password.
final char[] password = clearPasswords.get(0).toString().toCharArray();
passwordCallback.setPassword(password);
- return;
}
--
Gitblit v1.10.0