From fedora-directory-commits at redhat.com Thu May 11 14:23:23 2006
From: fedora-directory-commits at redhat.com (Richard Allen Megginson (rmeggins))
Date: Thu, 11 May 2006 07:23:23 -0700
Subject: [Fedora-directory-commits] adminutil/lib/libadminutil form_post.c, 1.2, 1.3
Message-ID: <200605111423.k4BENNld017631@cvs-int.fedora.redhat.com>

Author: rmeggins

Update of /cvs/dirsec/adminutil/lib/libadminutil
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17600/adminutil/lib/libadminutil

Modified Files:
	form_post.c
Log Message:
Bug: 186280
Description: Close potential security vulnerabilities in CGI code
Reviewed by: Nathan and Noriko (Thanks!)
Fix Description: These address a variety of issues with our CGIs. The basic strategy is - Don't Trust The User - any data passed in as a GET/POST parameter is suspect. I mostly looked at parameters which are filenames or filename components, but I also made sure that we don't try to dereference a null parameter or similar things such as that. For filenames, I mostly just verified that path components contain valid path characters (e.g. not things like ../ or "" or potential attack strings), verify that the given filename exists in the given directory using opendir/readdir instead of just relying on PR_Access (which would report success on a path like /opt/fedora-ds/alias/../../../etc/passwd), and some attacks which could be based on using something like this: PR_snprintf(buf, sizeof(buf), "%s/alias", pathfromuser); If pathfromuser overflows buf, the /alias will not be appended and we could be using some bogus path. I replaced most of these with PR_smprintf.
Platforms tested: RHEL4 Flag Day: no Doc impact: no QA impact: should be covered by regular nightly and manual testing New Tests integrated into TET: none Index: form_post.c =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadminutil/form_post.c,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- form_post.c 22 Mar 2006 23:47:14 -0000 1.2 +++ form_post.c 11 May 2006 14:23:21 -0000 1.3 @@ -192,7 +192,7 @@ x=0; tmp = strtok(in, "&"); - if (!tmp) { /* error, bail out */ + if (!tmp || !strchr(tmp, '=')) { /* error, bail out */ PR_Free(in); return(ans); } @@ -218,6 +218,10 @@ form_unescape(ans[x++]); while((tmp = strtok(NULL, "&"))) { + if (!strchr(tmp, '=')) { + PR_Free(in); + return ans; + } if (!(ans[x] = PL_strdup(tmp))) { if (admutil_i18nResource) { rpt_err(MEMORY_ERROR, From fedora-directory-commits at redhat.com Thu May 11 14:29:33 2006 
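Review bot: in the first form_post.c hunk (@@ -192), `!strchr(tmp, '=')` rejects a pair with no '=' but still accepts an empty key such as `=value`; if the code that follows splits on the first '=' and treats the left side as the parameter name, add `*tmp != '='` to the bail-out condition. Also confirm that `ans` is already NULL-terminated (calloc'd, or ans[0] set to NULL) at this point, since this error path now hands it back to the caller.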
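Review bot: in the second form_post.c hunk (@@ -218), the new `return ans` inside the `while((tmp = strtok(NULL, "&")))` loop stops parsing silently at the first pair without '=', so the caller cannot tell a malformed request from one with fewer parameters and the remaining pairs are dropped; either report it the way the allocation failure just below does (`rpt_err(MEMORY_ERROR, ...)`) or document the truncation at the function's declaration. Verify as well that `ans[x]` is NULL before returning here so the array keeps its terminator.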
From: fedora-directory-commits at redhat.com (Richard Allen Megginson (rmeggins))
Date: Thu, 11 May 2006 07:29:33 -0700
Subject: [Fedora-directory-commits] adminserver/admserv/cgi-src40 Makefile, 1.9, 1.10 ReadLog.c, 1.4, 1.5 dsconfig.c, 1.5, 1.6 help.c, 1.6, 1.7 htmladmin.c, 1.6, 1.7 listOldSrvs.c, 1.5, 1.6 security.c, 1.7, 1.8 snmpconf.c, 1.5, 1.6 snmpmctl.c, 1.5, 1.6 statpingserv.c, 1.4, 1.5 viewdata.c, 1.5, 1.6 userinfo.c, 1.4, NONE
Message-ID: <200605111429.k4BETXpw017691@cvs-int.fedora.redhat.com>

Author: rmeggins

Update of /cvs/dirsec/adminserver/admserv/cgi-src40
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17655/adminserver/admserv/cgi-src40

Modified Files:
	Makefile ReadLog.c dsconfig.c help.c htmladmin.c listOldSrvs.c security.c snmpconf.c snmpmctl.c statpingserv.c viewdata.c
Removed Files:
	userinfo.c
Log Message:
Bug: 186280
Description: Close potential security vulnerabilities in CGI code
Reviewed by: Nathan and Noriko (Thanks!)
Fix Description: These address a variety of issues with our CGIs. The basic strategy is - Don't Trust The User - any data passed in as a GET/POST parameter is suspect. I mostly looked at parameters which are filenames or filename components, but I also made sure that we don't try to dereference a null parameter or similar things such as that. For filenames, I mostly just verified that path components contain valid path characters (e.g. not things like ../ or "" or potential attack strings), verify that the given filename exists in the given directory using opendir/readdir instead of just relying on PR_Access (which would report success on a path like /opt/fedora-ds/alias/../../../etc/passwd), and some attacks which could be based on using something like this: PR_snprintf(buf, sizeof(buf), "%s/alias", pathfromuser); If pathfromuser overflows buf, the /alias will not be appended and we could be using some bogus path. I replaced most of these with PR_smprintf.
Platforms tested: RHEL4 Flag Day: no Doc impact: no QA impact: should be covered by regular nightly and manual testing New Tests integrated into TET: none Index: Makefile =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/Makefile,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- Makefile 21 Mar 2006 18:33:48 -0000 1.9 +++ Makefile 11 May 2006 14:29:30 -0000 1.10 @@ -63,7 +63,7 @@ RB_PROGS = admpw config dsconfig htmladmin listOldSrvs mergeConfig migrateConfig monreplication restartsrv sec-activate security $(SNMP_PROGS) stopsrv ugdsconfig viewdata viewlog #Programs without Resource Bundles -NO_RB_PROGS = statusping userinfo ReadLog statpingserv +NO_RB_PROGS = statusping ReadLog statpingserv #Target CGI programs PROGS = $(NO_RB_PROGS) $(RB_PROGS) Index: ReadLog.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/ReadLog.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- ReadLog.c 18 Aug 2005 18:59:03 -0000 1.4 +++ ReadLog.c 11 May 2006 14:29:30 -0000 1.5 @@ -210,7 +210,7 @@ if(!proceed) { - fprintf(stdout, "Status: 1\nErrorString: name=%s\n", name); + fprintf(stdout, "Status: 1\nErrorString: name=%s\n", name?name:""); exit(1); } } @@ -236,7 +236,7 @@ if(!proceed) { - fprintf(stdout, "Status: 1\nErrorString: name=%s\n", name); + fprintf(stdout, "Status: 1\nErrorString: name=%s\n", name?name:""); exit(1); } } 
@@ -245,7 +245,7 @@ if(!proceed) { - fprintf(stdout, "Status: 1\nErrorString: op=%s\n", operation); + fprintf(stdout, "Status: 1\nErrorString: op=%s\n", operation?operation:""); exit(1); } Index: dsconfig.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/dsconfig.c,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- dsconfig.c 31 Mar 2006 22:58:20 -0000 1.5 +++ dsconfig.c 11 May 2006 14:29:30 -0000 1.6 @@ -284,6 +284,26 @@ } } +/* return true if all of the chars in s are valid chars for use in + file and directory names, and false otherwise. This means that + the string must begin with a letter or number, and must contain + letters, numbers, '-' and '_'. +*/ +static int +is_valid_path_string(const char *s) +{ + int ret = 0; + if (s) { + if (isalnum(*s)) { + ret = 1; + for(; ret && *s; ++s) { + ret = isalnum(*s) || (*s == '-') || (*s == '_'); + } + } + } + return ret; +} + /* * Modify ldap url setting */ @@ -313,6 +333,9 @@ if (strcasecmp(ssl_s, "true") == 0) { if(!alias) rpt_err(INCORRECT_USAGE, i18nMsg(DBT_NO_CERTDB,"No certificate database specified for LDAP/SSL usage!"), NULL, NULL); + if (!is_valid_path_string(alias)) { + rpt_err(INCORRECT_USAGE, i18nMsg(DBT_NO_CERTDB,"Invalid alias prefix for certificate database specified for LDAP/SSL usage!"), NULL, NULL); + } ssl = 1; PR_snprintf(keyfile, sizeof(keyfile), "alias%c%s-key3.db", FILE_PATHSEP, Index: help.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/help.c,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- help.c 31 Mar 2006 22:58:20 -0000 1.6 +++ help.c 11 May 2006 14:29:30 -0000 1.7 @@ -134,7 +134,7 @@ } (*name)[cnt] = strdup(t); - (*val)[cnt++] = ""; + (*val)[cnt++] = strdup(""); } return (cnt); 
@@ -243,11 +243,13 @@ in the server installation */ loc = strtok(strdup(localeList), ","); while (1){ - safe_snprintf(path, sizeof(path), "%s%c%c%c", BASE_DIR, FILE_SEP, loc[0], loc[1]); - if (dir_open(path)) { -/* return only the first 2 characters of the language code e.g. return en for en-US */ - loc[2] = '\0'; - return loc; + if (loc) { + safe_snprintf(path, sizeof(path), "%s%c%c%c", BASE_DIR, FILE_SEP, loc[0], loc[1]); + if (dir_open(path)) { + /* return only the first 2 characters of the language code e.g. return en for en-US */ + loc[2] = '\0'; + return loc; + } } loc = strtok(NULL, ","); if (!loc) { @@ -414,6 +416,32 @@ return 0; } +/* given the name of a directory and the name of a file/directory in that parent + return true if the given file/directory exists */ +static int +file_or_dir_exists(const char *parent, const char *name) +{ + SYS_DIR *dp; + SYS_DIRENT *d; + int ret = 0; /* default to false */ + + dp = dir_open(parent); + /* loop through all directory entries until we find the one that matches */ + while (dp && name && !ret && (d = dir_read(dp))) { + const char *entname = dir_name(d); + /* exclude "." and ".." from scanning */ + if (strcmp(entname, ".") && strcmp(entname, "..")) { + /* set ret to true if the name matches, which terminates the while loop */ + ret = !strcmp(name, entname); + } + } + if (dp) { + dir_close(dp); + } + + return ret; +} + /* the standard help response handler */ static int help(char *name[], char *val[], int cnt) @@ -461,8 +489,8 @@ if (debugPrintout) { - printf( "Product: %s

\n", product ); - printf( "Token: %s

\n", token ); + printf( "Product: %s

\n", product?product:"" ); + printf( "Token: %s

\n", token?token:"" ); } /* Newer clients can specify a token map file */ @@ -477,8 +505,36 @@ printf( "Map file parameter: %s

\n", mapfile ); } + /* first, see if locale directory exists in its parent */ + safe_snprintf(path, sizeof(path), "%s", BASE_DIR); + if (!file_or_dir_exists(path, locale)) { + if (debugPrintout) { + printf( "No help files for locale [%s]

\n", locale?locale:""); + fflush(stdout); + } + return error_exit("Failed to open help for locale."); + } + /* ok, locale directory is good, check product directory */ + safe_snprintf(path, sizeof(path), "%s%c%s", BASE_DIR, FILE_SEP, locale); + if (!file_or_dir_exists(path, product)) { + if (debugPrintout) { + printf( "No help files for product [%s] in locale [%s]

\n", product?product:"", locale); + fflush(stdout); + } + return error_exit("Failed to open help for given product."); + } + /* Ok, product directory exists, check for the mapfile */ + safe_snprintf(path, sizeof(path), "%s%c%s%c%s", BASE_DIR, FILE_SEP, locale, + FILE_SEP, product); + if (!file_or_dir_exists(path, mapfile)) { + if (debugPrintout) { + printf( "No map file [%s] for product [%s] in locale [%s]

\n", mapfile?mapfile:"", product, locale); + fflush(stdout); + } + return error_exit("Failed to open help for given product."); + } safe_snprintf(path, sizeof(path), "%s%c%s%c%s%c%s", BASE_DIR, FILE_SEP, locale, - FILE_SEP, product, FILE_SEP, mapfile); + FILE_SEP, product?product:"", FILE_SEP, mapfile); if (debugPrintout) { printf( "Opening map file: %s

\n", path ); @@ -496,7 +552,7 @@ /* translate token */ /* match the token from the appropriate token.map file */ - while (fgets(path, PATH_LENGTH, tokenfile)) + while (token && fgets(path, PATH_LENGTH, tokenfile)) { char *p, *q; @@ -530,7 +586,7 @@ { if (debugPrintout) { - printf( "Failed to translate the token: %\n
\n", token ); + printf( "Failed to translate the token: %\n
\n", token?token:"" ); fflush( stdout ); } return error_exit("unable to translate the token"); Index: htmladmin.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/htmladmin.c,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- htmladmin.c 31 Mar 2006 22:58:20 -0000 1.6 +++ htmladmin.c 11 May 2006 14:29:30 -0000 1.7 
@@ -186,6 +186,96 @@ #define SERVER_PING_RATE 5 +/* stolen from ldapserver util.c - need to escape values that may go into + ldap search filters */ +#define UTIL_ESCAPE_NONE 0 +#define UTIL_ESCAPE_HEX 1 +#define UTIL_ESCAPE_BACKSLASH 2 + +static int special_filter(unsigned char c) +{ + /* + * Escape all non-printing chars and double-quotes in addition + * to those required by RFC 2254 + */ + return (c < 32 || + c > 126 || + c == '*' || + c == '(' || + c == ')' || + c == '\\' || + c == '"') ? UTIL_ESCAPE_HEX : UTIL_ESCAPE_NONE; +} + +static const char* +do_escape_string ( + const char* str, + int len, /* -1 means str is nul-terminated */ + char buf[BIG_LINE], + int (*special)(unsigned char) +) +{ + const char* s; + const char* last; + int esc; + + if (str == NULL) { + *buf = '\0'; + return buf; + } + + if (len == -1) len = strlen (str); + if (len == 0) return str; + + last = str + len - 1; + for (s = str; s <= last; ++s) { + if ( (esc = (*special)((unsigned char)*s))) { + const char* first = str; + char* bufNext = buf; + int bufSpace = BIG_LINE - 4; + while (1) { + if (bufSpace < (s - first)) s = first + bufSpace - 1; + if (s > first) { + memcpy (bufNext, first, s - first); + bufNext += (s - first); + bufSpace -= (s - first); + } + if (s > last) { + break; + } + do { + *bufNext++ = '\\'; --bufSpace; + if (bufSpace < 2) { + memcpy (bufNext, "..", 2); + bufNext += 2; + goto bail; + } + if (esc == UTIL_ESCAPE_BACKSLASH) { + *bufNext++ = *s; --bufSpace; + } else { /* UTIL_ESCAPE_HEX */ + sprintf (bufNext, "%02x", (unsigned)*(unsigned char*)s); + bufNext += 2; bufSpace -= 2; + } + } while (++s <= last && + (esc = (*special)((unsigned char)*s))); + if (s > last) break; + first = s; + while ( (esc = (*special)((unsigned char)*s)) == UTIL_ESCAPE_NONE && s <= last) ++s; + } + bail: + *bufNext = '\0'; + return buf; + } + } + return str; +} + +const char* +escape_filter_value(const char* str, int len, char buf[BIG_LINE]) +{ + return 
do_escape_string(str,len,buf,special_filter); +} + /* * Get bind DN and bind PW info. */ @@ -308,6 +398,10 @@ group = strtok(sie, ","); group = strtok(NULL, ","); group = strtok(NULL, "\0"); + if (!group) { /* invalid sie */ + return NULL; + } + while(*group == ' ') group++; /* eliminate spaces */ @@ -321,6 +415,9 @@ return NULL; entry = ldap_first_entry(server, result); + if (!entry) { + return NULL; + } if((vals = ldap_get_values(server, entry, ADMIN_HOST)) != NULL) { host = strdup(vals[0]); @@ -343,6 +440,9 @@ return NULL; entry = ldap_first_entry(server, result); + if (!entry) { + return NULL; + } /* * Now search the SIE's configuration object to get the port and the security status. @@ -353,6 +453,9 @@ return NULL; entry = ldap_first_entry(server, result); + if (!entry) { + return NULL; + } if((vals = ldap_get_values(server, entry, ADMINCONF_PORT)) != NULL) { port = strdup(vals[0]); @@ -407,40 +510,6 @@ if(*host && *port) return 1; - if(strstr(sie, "Messaging")) { - /* Messaging special case - get ports for IMAP, POP and SMTP */ - int count; - char *service_filters[3]; - - service_filters[0] = strdup("(objectclass=nsmsgcfgimap)"); - service_filters[1] = strdup("(objectclass=nsmsgcfgpop)"); - service_filters[2] = strdup("(objectclass=nsmsgcfgmta)"); - - for(count=0; count < 3; count++) { - if((ldapError = ldap_search_s(server, sie, LDAP_SCOPE_SUBTREE, - service_filters[count], NULL, 0, &result)) != LDAP_SUCCESS) - return 0; - - entry = ldap_first_entry(server, result); - if((vals = ldap_get_values(server, entry, MSGCONF_PORT)) != NULL) { - - if(!*port) { - *port = (int *)malloc(3*sizeof(int)); - (*port)[0] = 0; - (*port)[1] = 0; - (*port)[2] = 0; - } - (*port)[count] = atoi(vals[0]); - ldap_value_free(vals); - } - } - - if(*host && *port && (*port)[0] > 0 && (*port)[1] > 0 && (*port)[2] > 0) - return 1; - else - return 0; - } - PR_snprintf(sie_conf, BIG_LINE, "cn=configuration, %s", sie); 
@@ -622,6 +691,7 @@ char **vals; char dn[BIG_LINE]; char filter[BIG_LINE]; + char escaped_filter[BIG_LINE]; char *ptr, *ptr2, *ptr3; LDAPMessage *result; @@ -646,9 +716,12 @@ PR_snprintf(dn, sizeof(dn), "ou=\"%s\", ou=UserPreferences, %s", binddn, ptr3); PR_snprintf(filter, sizeof(filter), "(&(objectclass=nscustomview)(nsdisplayname=%s))", view); + /* need to escape the filter value because the view value was given by the user and may + contain values like = () etc. */ + escape_filter_value(filter, -1, escaped_filter); ldapError = ldap_search_s(server, dn, LDAP_SCOPE_SUBTREE, - filter, NULL, 0, &result); + escaped_filter, NULL, 0, &result); if(ldapError != LDAP_SUCCESS) /* fatal error, bail */ @@ -661,7 +734,7 @@ PR_snprintf(dn, sizeof(dn), "ou=Global Preferences, %s", ptr3); ldapError = ldap_search_s(server, dn, LDAP_SCOPE_SUBTREE, - filter, NULL, 0, &result); + escaped_filter, NULL, 0, &result); if(ldapError != LDAP_SUCCESS) /* fatal error, bail */ return NULL; @@ -750,15 +823,13 @@ int is_local_admin(char *host, int port) { - char *localhost = (char *)malloc(NBUF_SIZE); + char localhost[NBUF_SIZE]; int localport, is_local=0; char *endptr; FILE *f; - char *admConf = (char *)malloc(strlen(getenv("ADMSERV_ROOT"))+ /*/admin-serv/config*/ - strlen("/adm.conf")+1); - - PR_snprintf(admConf, sizeof(admConf), "%s%cadm.conf", getenv("ADMSERV_ROOT"), FILE_PATHSEP); + char *admConf = PR_smprintf("%s%cadm.conf", getenv("ADMSERV_ROOT"), FILE_PATHSEP); + localhost[0] = 0; /* get host name(FQDN) and port number from config file */ f = fopen(admConf, "r"); 
@@ -770,18 +841,17 @@ localport = strtol(strstr(line, " "), &endptr, 10); } if (strstr(line,"host:") == line) { - PR_snprintf(localhost, NBUF_SIZE, "%s", (strstr(line, " ")+1)); + PR_snprintf(localhost, sizeof(localhost), "%s", (strstr(line, " ")+1)); } lineno++; } free(line); + fclose(f); } - fclose(f); is_local = ((localport == port) && !strcmp(localhost, host)); - free(admConf); - free(localhost); + PR_smprintf_free(admConf); return is_local; } @@ -794,10 +864,7 @@ int rate = 300; FILE *f; - char *admConf = (char *)malloc(strlen(getenv("ADMSERV_ROOT"))+ /*/admin-serv/config*/ - strlen("/adm.conf")+1); - - PR_snprintf(admConf, sizeof(admConf), "%s%cadm.conf", getenv("ADMSERV_ROOT"), FILE_PATHSEP); + char *admConf = PR_smprintf("%s%cadm.conf", getenv("ADMSERV_ROOT"), FILE_PATHSEP); /* get host name(FQDN) and port number from config file */ f = fopen(admConf, "r"); @@ -811,10 +878,10 @@ lineno++; } free(line); + fclose(f); } - fclose(f); - free(admConf); + PR_smprintf_free(admConf); return rate; } @@ -827,10 +894,7 @@ int rate = 60; FILE *f; - char *admConf = (char *)malloc(strlen(getenv("ADMSERV_ROOT"))+ /*/admin-serv/config*/ - strlen("/adm.conf")+1); - - PR_snprintf(admConf, sizeof(admConf), "%s%cadm.conf", getenv("ADMSERV_ROOT"), FILE_PATHSEP); + char *admConf = PR_smprintf("%s%cadm.conf", getenv("ADMSERV_ROOT"), FILE_PATHSEP); /* get host name(FQDN) and port number from config file */ f = fopen(admConf, "r"); @@ -844,10 +908,10 @@ lineno++; } free(line); + fclose(f); } - fclose(f); - free(admConf); + PR_smprintf_free(admConf); return rate; } @@ -986,8 +1050,7 @@ int output_topology(AdmldapInfo ldapInfo, char *binddn, char *bindpw, - char *view, - char *op) { + char *view) { char *host = admldapGetHost(ldapInfo); @@ -1751,7 +1814,7 @@ fprintf(stdout, getResourceString(DBT_MAIN_PAGE_HEADER)); - if(!strcmp(operation, "index")) { + if(operation && !strcmp(operation, "index")) { /* * Load the frames. 
@@ -1762,12 +1825,12 @@ fprintf(stdout, getResourceString(DBT_MAIN_FRAME_FOOTER)); } - else if(!strcmp(operation, "empty")) { + else if(operation && !strcmp(operation, "empty")) { /* Message frame */ fprintf(stdout, getResourceString(DBT_MAIN_MESSAGE_FRAME)); } - else if(!strcmp(operation, "topframepaint")) { + else if(operation && !strcmp(operation, "topframepaint")) { FILE *html = open_html_file(MY_PAGE); while(next_html_line(html, line)) { if(parse_line(line, NULL)) { @@ -1775,14 +1838,14 @@ } } } - else if(!strcmp(operation, "framepaint")) { + else if(operation && !strcmp(operation, "framepaint")) { fprintf(stdout, getResourceString(DBT_MAIN_FRAMESET_HEADER)); fprintf(stdout, "%s", view ? viewparam : ""); fprintf(stdout, getResourceString(DBT_MAIN_FRAMESET_BODY)); fprintf(stdout, "%s", view ? viewparam : ""); fprintf(stdout, getResourceString(DBT_MAIN_FRAMESET_FOOTER)); } - else if(!strcmp(operation, "viewselect")) { + else if(operation && !strcmp(operation, "viewselect")) { /* * Load the custom view frame. */ @@ -1842,7 +1905,7 @@ if(!get_bindinfo(&binddn, &bindpw)) exit(0); - if(!strcmp(operation, "serveractivate")) { + if(operation && !strcmp(operation, "serveractivate")) { /* first turn on or off the server, then load the topology. */ int rv; 
@@ -1859,30 +1922,12 @@ char *sie; int count, max_count; - if(strstr(object, "Messaging")) { - /* we're at the service dn - go up to the messaging SIE */ - if(strstr(object, "imap")) - - service = getResourceString(DBT_MAIN_IMAP); - else if(strstr(object, "pop")) - - service = getResourceString(DBT_MAIN_POP); - else if(strstr(object, "smtp")) - - service = getResourceString(DBT_MAIN_SMTP); - else - /* POP by default */ - - service = getResourceString(DBT_MAIN_POP); - sie = strtok(object, ","); - sie = strtok(NULL, ","); - sie = strtok(NULL, ","); - sie = strtok(NULL, "\0"); - while(*sie == ' ') - sie++; - } - else + if (object) { sie = strdup(object); + } else { + sie = NULL; + goto output_topology; + } server = server_bind(admldapGetHost(ldapInfo), admldapGetPort(ldapInfo), @@ -1907,19 +1952,7 @@ if(!get_host_and_port(server, sie, sie_entry, &host, &ports)) goto output_topology; - if(service) { - if(!strcmp(service, "imap")) - active_port = ports[0]; - else if(!strcmp(service, "pop")) - active_port = ports[1]; - else if(!strcmp(service, "smtp")) - active_port = ports[2]; - else - /* POP by default */ - active_port = ports[1]; - } - else - active_port = ports[0]; + active_port = ports[0]; if((admin_url = get_admin_url(server, sie)) == NULL) goto output_topology; @@ -1968,8 +2001,7 @@ rv = output_topology(ldapInfo, binddn, bindpw, - view, - operation); + view); if(rv == -1) { fprintf(stdout, getResourceString(DBT_MAIN_LDAP_ERROR)); Index: listOldSrvs.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/listOldSrvs.c,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- listOldSrvs.c 31 Mar 2006 22:58:20 -0000 1.5 +++ listOldSrvs.c 11 May 2006 14:29:30 -0000 1.6 
@@ -33,10 +33,17 @@ #include "prio.h" #include "plstr.h" #include "prmem.h" +#include "prprf.h" #include "libadminutil/resource.h" #include "libadminutil/distadm.h" #include "libadminutil/admutil.h" #include "libadminutil/resource.h" +# define SYS_DIR PRDir +# define SYS_DIRENT PRDirEntry +# define dir_open PR_OpenDir +# define dir_read(d) PR_ReadDir(d, PR_SKIP_BOTH) +# define dir_close PR_CloseDir +# define dir_name(de) (de->name) #define RESOURCE_FILE "listOldSrvs" @@ -121,6 +128,32 @@ return 1; } +/* given the name of a directory and the name of a file/directory in that parent + return true if the given file/directory exists */ +static int +file_or_dir_exists(const char *parent, const char *name) +{ + SYS_DIR *dp; + SYS_DIRENT *d; + int ret = 0; /* default to false */ + + dp = dir_open(parent); + /* loop through all directory entries until we find the one that matches */ + while (dp && name && !ret && (d = dir_read(dp))) { + const char *entname = dir_name(d); + /* exclude "." and ".." from scanning */ + if (strcmp(entname, ".") && strcmp(entname, "..")) { + /* set ret to true if the name matches, which terminates the while loop */ + ret = !strcmp(name, entname); + } + } + if (dp) { + dir_close(dp); + } + + return ret; +} + char** get_server_list(char* oldServerRoot, char* errorInfo, size_t errorSize) { 
@@ -129,30 +162,55 @@ FILE *fstream; int result, num = 0, i, match; char **servers = NULL; - char fileName[256]; + char *fileName; const char *errMsg = NULL; if (!oldServerRoot) return 0; - PR_snprintf(fileName, sizeof(fileName), "%s/admin-serv/config/%s", oldServerRoot, "servers.lst" ); + /* since oldServerRoot is passed in from a (potentially malicious) user, we cannot + assume it will fit into a buffer of MAX_PATH/PATH_MAX size e.g. what if the + value were something like /etc/../etc/../etc/../ ....... ../etc/passwd which + was exactly 255 bytes long? If we just did an PR_snprintf of this string into + a buffer of size 256, the final fileName value would end up being /etc/passwd */ + /* first, construct the base name from the given server root */ + fileName = PR_smprintf(oldServerRoot); /* essentially, just a strdup */ + if (!fileName) { + goto errorreturn; + } + /* next, see if the path has an "admin-serv" sub directory - also tests if fileName is NULL */ + if (file_or_dir_exists(fileName, "admin-serv")) { + /* ok, admin-serv subdir exists - append that to fileName and look for config */ + fileName = PR_sprintf_append(fileName, "/admin-serv"); + /* next, see if the path has an "config" sub directory - also tests if fileName is NULL */ + if (!fileName || !file_or_dir_exists(fileName, "config")) { + goto errorreturn; + } + /* ok, config subdir exists - append that to fileName and look for servers.lst */ + fileName = PR_sprintf_append(fileName, "/config"); + /* next, see if the path has an "servers.lst" file - also tests if fileName is NULL */ + if (!fileName || !file_or_dir_exists(fileName, "servers.lst")) { + goto errorreturn; + } + /* ok, servers.lst exists, append it */ + } else if (file_or_dir_exists(fileName, "admserv")) { + /* ok, admserv subdir exists - append that to fileName and look for servers.lst */ + fileName = PR_sprintf_append(fileName, "/admserv"); + /* next, see if the path has an "servers.lst" file - also tests if fileName is NULL */ + if 
(!fileName || !file_or_dir_exists(fileName, "servers.lst")) { + goto errorreturn; + } + } else { + goto errorreturn; + } + /* ok, servers.lst exists, append it */ + fileName = PR_sprintf_append(fileName, "/servers.lst"); - if(!(fstream = fopen(fileName, "r"))) { - /* Not a 3x server Root - try for 2x */ - PR_snprintf(fileName, sizeof(fileName), "%s/admserv/%s", oldServerRoot, "servers.lst" ); - if(!(fstream = fopen(fileName, "r"))) { - - if (i18nResource && - (errMsg = res_getstring(i18nResource, - DBT_ERROR_OPEN_FILE, - acceptLanguage))) - PR_snprintf(errorInfo, errorSize, errMsg, fileName); - else - PR_snprintf(errorInfo, errorSize, "Error open file: %s", fileName); - return 0; - } + if(!fileName || !(fstream = fopen(fileName, "r"))) { + goto errorreturn; } if (!(result = readServersList(oldServerRoot, fstream, fileName, errorInfo, errorSize))) { + PR_smprintf_free(fileName); return NULL; } @@ -187,6 +245,21 @@ } PR_CloseDir(sr); return servers; + +errorreturn: + if (fileName) { + if (i18nResource && + (errMsg = res_getstring(i18nResource, + DBT_ERROR_OPEN_FILE, + acceptLanguage))) { + PR_snprintf(errorInfo, errorSize, errMsg, fileName); + } else { + PR_snprintf(errorInfo, errorSize, "Error open file: %s", fileName); + } + PR_smprintf_free(fileName); + } + + return NULL; } @@ -200,7 +273,7 @@ int err; int *errp = &err; char *oldSR = 0; - char **inputs = 0, **server_list = 0; + char **server_list = 0; char *operation = 0; char *qs = 0; char *nameptr, *valptr, *val; @@ -262,8 +335,6 @@ rpt_err(INCORRECT_USAGE, error_info, NULL, NULL); } - inputs = get_input_ptr(); - oldSR = get_cgi_var("oldServerRoot", NULL, NULL); if (!oldSR) { Index: security.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/security.c,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- security.c 31 Mar 2006 22:58:20 -0000 1.7 +++ security.c 11 May 2006 14:29:30 -0000 1.8 
@@ -241,6 +241,163 @@ extra); } +static int +copyFile(const char *srcname, const char *destname) +{ + PRFileDesc *srcp = NULL, *destp = NULL; + PRInt32 bytes; + char buf[BUFSIZ]; + int ret = 0; + + srcp = PR_Open(srcname, PR_RDONLY, 0); + if(!srcp) { + rpt_err(APP_ERROR, "Cannot open src file for copy!", NULL, NULL); + goto cleanup_and_return; + } + destp = PR_Open(destname, PR_RDWR|PR_CREATE_FILE, PR_IRUSR|PR_IWUSR); + if(!destp) { + rpt_err(APP_ERROR, "Cannot open dest file for copy!", NULL, NULL); + goto cleanup_and_return; + } + while (0 < (bytes = PR_Read(srcp, buf, sizeof(buf)))) { + PRInt32 remaining = bytes; + PRInt32 byteswritten = 0; + while (((byteswritten = PR_Write(destp, buf+byteswritten, remaining)) != remaining) && + (byteswritten > 0)) { + remaining -= byteswritten; + } + if (byteswritten < 0) { + rpt_err(APP_ERROR, "Cannot write data to dest file for file copy!", NULL, NULL); + goto cleanup_and_return; + } + } + if (bytes < 0) { + rpt_err(APP_ERROR, "Cannot read data from src for file copy!", NULL, NULL); + } else if (bytes == 0) { + ret = 1; /* success */ + } + +cleanup_and_return: + if (destp) { + PR_Close(destp); + } + if (srcp) { + PR_Close(srcp); + } + + return ret; +} + +/* return true if all of the chars in s are valid chars for use in + file and directory names, and false otherwise. This means that + the string must begin with a letter or number, and must contain + letters, numbers, '-' and '_'. +*/ +static int +is_valid_path_string(const char *s) +{ + int ret = 0; + if (s) { + if (isalnum(*s)) { + ret = 1; + for(; ret && *s; ++s) { + ret = isalnum(*s) || (*s == '-') || (*s == '_'); + } + } + } + return ret; +} + +/* try various ways to determine if the given name is a valid + file or directory - this value is passed in as a form + parameter, and our motto is "Don't trust the user!" 
+ If the given filetype is directory, also check to see if the optional + given filename (may be NULL) is in the given directory +*/ +static int +verify_file_or_dir( + const char *name, /* name of file or directory to check */ + PRFileType filetype, /* type of name */ + const char *childname, /* optional child file/dir to check inside given parent name */ + size_t childlen, /* only compare first childlen chars of childname - use -1 for entire string */ + PRFileType childtype /* type of child */ +) +{ + int ret = 0; + PRFileInfo fileinfo; + /* first, just a simple access check */ + PRStatus status = PR_GetFileInfo(name, &fileinfo); + ret = ((status == PR_SUCCESS) && (fileinfo.type == filetype)); + if (ret) { + /* checks out ok - let's split it into the base name and the parent dir, + open the parent dir, and see if the base name exists in the parent dir + */ + char *copy = PL_strdup(name); + size_t len = strlen(copy); + char *ptr = ©[len-1]; + /* get the basename - a really bad name may look like + /path/foo/// or even ///////////////// */ + for (; (ptr > copy) && (*ptr == '/'); --ptr) { + /* do nothing */ + } + if ((ptr == copy) && (*ptr == '/')) { + /* bad - string consists of nothing but '/' */ + ptr = NULL; + ret = 0; + } else { + PRDir *pdir; + PRDirEntry *pent; + + ret = 0; + if (*ptr == '/') { + *ptr = 0; /* terminate the string at the first trailing '/' */ + } + ptr = strrchr(copy, '/'); + if (!ptr) { + ptr = copy; + copy = PL_strdup("."); + } else { + *ptr = 0; + ++ptr; + ptr = PL_strdup(ptr); + } + /* copy now points at the parent, ptr at the child */ + if (pdir = PR_OpenDir(copy)) { + for(pent = PR_ReadDir(pdir, PR_SKIP_BOTH); pent && !ret; + pent = PR_ReadDir(pdir, PR_SKIP_BOTH)) { + ret = !strcmp(pent->name, ptr); + } + PR_CloseDir(pdir); + } + if (ret && childname && (filetype == PR_FILE_DIRECTORY)) { + ret = 0; + /* we've verified that name is a valid directory - see if + the given filename exists in that directory */ + if (pdir = PR_OpenDir(name)) { 
+ for(pent = PR_ReadDir(pdir, PR_SKIP_BOTH); pent && !ret; + pent = PR_ReadDir(pdir, PR_SKIP_BOTH)) { + if (childlen > 0) { + ret = !strncmp(pent->name, childname, childlen); + } else { + ret = !strcmp(pent->name, childname); + } + } + PR_CloseDir(pdir); + if (ret) { + /* child exists - check type */ + char *fullname = PR_smprintf("%s%c%s", name, FILE_PATHSEP, childname); + status = PR_GetFileInfo(fullname, &fileinfo); + ret = ((status == PR_SUCCESS) && (fileinfo.type == childtype)); + PR_smprintf_free(fullname); + } + } + } + } + PL_strfree(copy); + PL_strfree(ptr); + } + return ret; +} /* ** Convert a der-encoded integer to a hex printable string form @@ -579,6 +736,9 @@ { /* display crl or ckl */ + if (!crl) { + return; + } fprintf(stdout, "\t%s\n", constructNameDesc(&crl->crl.name)); if (detail) { @@ -718,10 +878,24 @@ static void listCert(char* tokenName) { /* int expired = 0; */ - PK11SlotInfo *slot = PK11_FindSlotByName(tokenName); - char *internalTokenName = PK11_GetTokenName(PK11_GetInternalKeySlot()); CERTCertList *certList; CERTCertListNode *cln; + PK11SlotInfo *slot = PK11_FindSlotByName(tokenName); + PK11SlotInfo *internal_slot; + char *internalTokenName; + + if (!slot) { + errorRpt(GENERAL_FAILURE, getResourceString(DBT_TOKEN_NAME)); + return; + } + + internal_slot = PK11_GetInternalKeySlot(); + if (!internal_slot) { + errorRpt(GENERAL_FAILURE, getResourceString(DBT_INIT_FAIL)); + return; + } + + internalTokenName = PK11_GetTokenName(internal_slot); { PK11SlotInfo *slot = PK11_GetInternalKeySlot(); 
@@ -1268,9 +1442,16 @@ PRBool keepCerts = PR_TRUE; PRBool caOnly = PR_TRUE; char *nickname = certname; - int trustFlags = atoi(getParameter("trust_flag",getResourceString(DBT_TRUST))); - int trustedCA = (trustFlags & CERTDB_TRUSTED_CA); - + char *truststr = getParameter("trust_flag",getResourceString(DBT_TRUST)); + int trustedCA; + char *endptr = NULL; + int trustflag = strtol(truststr, &endptr, 0); + + if ((*truststr == '\0') || !endptr || (*endptr != '\0')) { + /* invalid trust flags */ + errorRpt(GENERAL_FAILURE, getResourceString(DBT_TRUST_SET_FAIL)); + } + trustedCA = (trustflag & CERTDB_TRUSTED_CA); CERT_ImportCerts(certdb,(trustedCA ? certUsageSSLCA : certUsageAnyCA), collectArgs->numcerts, &collectArgs->rawCerts, &retCerts, keepCerts, caOnly, nickname); @@ -1279,7 +1460,7 @@ errorRpt(GENERAL_FAILURE, getResourceString(DBT_INSTALL_FAIL)); } - setTrust(processNullString(getMD5Fingerprint(retCerts[0])), trustFlags); + setTrust(processNullString(getMD5Fingerprint(retCerts[0])), trustflag); } } @@ -1295,7 +1476,7 @@ slot= PK11_FindSlotByName(tokenName); } - if (PK11_NeedUserInit(slot) == PR_TRUE) { + if (slot && (PK11_NeedUserInit(slot) == PR_TRUE)) { /*errorRpt(INCORRECT_USAGE, getResourceString(DBT_INVALID_CONFIRM_PWD));*/ rpt_success("TRUE"); } else { @@ -1320,7 +1501,7 @@ } - if (PK11_InitPin(slot, 0, keypwd) != SECSuccess) { + if (!slot || (PK11_InitPin(slot, 0, keypwd) != SECSuccess)) { errorRpt(APP_ERROR, getResourceString(DBT_INIT_FAIL)); } } @@ -1352,7 +1533,7 @@ * Delete crl/krl */ static void deleteCRL(char* crlname, char* type) { - int list_type = !PORT_Strcmp(type, "CKL")? SEC_KRL_TYPE : SEC_CRL_TYPE; + int list_type = (type && !PORT_Strcmp(type, "CKL"))? SEC_KRL_TYPE : SEC_CRL_TYPE; CERTSignedCrl* crl = cmgFindCrlByName(certdb, crlname, list_type); if (!crl) { errorRpt(GENERAL_FAILURE, getResourceString(DBT_CRL_CKL_NOT_FOUND)); 
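Review bot: the `trust_flag` parsing at @@ -1268 rejects an empty string and trailing garbage but not out-of-range input: strtol with base 0 accepts leading whitespace, a sign and hex/octal prefixes, and the `long` is narrowed into `int trustflag` with no ERANGE check before it is masked with CERTDB_TRUSTED_CA and passed to setTrust. Check errno/ERANGE and restrict the value to the known CERTDB_* bits. The `!endptr` clause is dead, since strtol always stores through a non-NULL `&endptr`. The identical block appears again at @@ -2083 (CHANGE_TRUST); move it into one parse_trust_flags helper so both sites get the same validation.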
@@ -1373,7 +1554,12 @@ SECItem derCrl; char msg[BIG_LINE]; - int list_type = !PORT_Strcmp(type, "CKL")? SEC_KRL_TYPE : SEC_CRL_TYPE; + int list_type = (type && !PORT_Strcmp(type, "CKL"))? SEC_KRL_TYPE : SEC_CRL_TYPE; + if (!verify_file_or_dir(filename, PR_FILE_FILE, NULL, 0, (PRFileType)0)) { + /* invalid file */ + PR_snprintf(msg, sizeof(msg), getResourceString(DBT_NO_FILE_EXISTS), filename); + errorRpt(FILE_ERROR, msg); + } {/*try open the file*/ FILE *f; @@ -1698,7 +1884,10 @@ dllname = get_cgi_var("dllname", NULL, NULL); if (!PORT_Strcmp(op, "remove")) { - + if (!dllname || !verify_file_or_dir(dllname, PR_FILE_FILE, NULL, 0, (PRFileType)0)) { + PR_snprintf(msg, sizeof(msg), getResourceString(DBT_MISSING_MODULE_NAME)); + rpt_err(INCORRECT_USAGE, msg, NULL, NULL); + } PR_snprintf(cmd, sizeof(cmd), "%s -dbdir %s -force -nocertdb -delete \"%s\" 2>&1", binary, database_dir, @@ -1709,13 +1898,15 @@ filename = getParameter("filename",getResourceString(DBT_MISSING_FILE)); filetype = getParameter("format",getResourceString(DBT_MISSING_FORMAT)); - if(PR_Access(filename, PR_ACCESS_EXISTS) == PR_FAILURE) { + if((PR_Access(filename, PR_ACCESS_EXISTS) == PR_FAILURE) || + !verify_file_or_dir(filename, PR_FILE_FILE, NULL, 0, (PRFileType)0)) { PR_snprintf(msg, sizeof(msg), getResourceString(DBT_NO_FILE_EXISTS), filename); rpt_err(FILE_ERROR, msg, NULL, NULL); } if((filetype && (!PORT_Strcmp(filetype, "dll"))) && - (!dllname || !PORT_Strcmp(dllname, ""))) { + (!dllname || !PORT_Strcmp(dllname, "") || + !verify_file_or_dir(dllname, PR_FILE_FILE, NULL, 0, (PRFileType)0))) { PR_snprintf(msg, sizeof(msg), getResourceString(DBT_MISSING_MODULE_NAME)); rpt_err(INCORRECT_USAGE, msg, NULL, NULL); } 
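Review bot: at @@ -1698 verify_file_or_dir(dllname, ...) establishes that a file of that name exists, but it does not constrain the characters of `dllname`, which is then formatted by PR_snprintf into the command string `... -delete \"%s\" 2>&1`; an existence check is not a sufficient filter for a value that ends up in a command line. Add is_valid_path_string(dllname) to the condition (the @@ -1900 hunk already uses that helper for `alias`), or better, run `binary` with an argument vector instead of a shell string.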
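Review bot: in @@ -1709 the `PR_Access(filename, PR_ACCESS_EXISTS) == PR_FAILURE ||` clause is now redundant, because verify_file_or_dir begins with PR_GetFileInfo and returns 0 for a missing file; keep one existence check. The `dllname` branch in the same hunk has the same gap as @@ -1698: it verifies that the file exists but not the characters of the name that is later placed in a command string, so is_valid_path_string(dllname) belongs in that condition too.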
@@ -1840,18 +2031,20 @@ /* Makes a list of the aliases installed on machine. */ static void listAlias() { - char path[PATH_MAX]; + char *path = NULL; char *remstr; char *keystr = "-key"; char **alist; int x; char * serverRoot = getParameter("old_server_root",getResourceString(DBT_OLD_SERVER_ROOT)); - PR_snprintf(path, sizeof(path), "%s%calias", serverRoot, FILE_PATHSEP); - if (PR_FAILURE == PR_Access(path, PR_ACCESS_EXISTS)) { + /* see if serverRoot is legitimate, and also make sure it contains an "alias" directory */ + if (!verify_file_or_dir(serverRoot, PR_FILE_DIRECTORY, "alias", 0, PR_FILE_DIRECTORY)) { errorRpt(INCORRECT_USAGE, getResourceString(DBT_INVALID_SERVER_ROOT)); } + /* if we got here, serverRoot has passed our rigorous integrity checks and contains an alias directory */ + path = PR_smprintf("%s%calias", serverRoot, FILE_PATHSEP); alist = list_directory(path); if (alist == NULL) { errorRpt(INCORRECT_USAGE, getResourceString(DBT_READ_ALIAS)); @@ -1900,6 +2093,12 @@ #endif oldRoot = getParameter("old_server_root", getResourceString(DBT_OLD_SERVER_ROOT)); + if (!verify_file_or_dir(oldRoot, PR_FILE_DIRECTORY, "alias", 0, PR_FILE_DIRECTORY) || + !is_valid_path_string(alias)) + { + PR_snprintf(msg, sizeof(msg), getResourceString(DBT_NO_FILE_EXISTS), oldRoot); + errorRpt(INCORRECT_USAGE, msg); + } newRoot = getenv("NETSITE_ROOT"); aliasLen = PORT_Strlen(alias); 
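Review bot: listAlias at @@ -1840 now obtains `path` from PR_smprintf, but no PR_smprintf_free(path) appears in the hunk after list_directory(path); release it on both the success path and the `alist == NULL` error path, which the previous stack buffer did not need. The comment "passed our rigorous integrity checks" also overstates what verify_file_or_dir does (it confirms the directory exists and contains an "alias" entry); a plain "serverRoot exists and contains an alias directory" is accurate.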
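Review bot: at @@ -1900 the error message is always built from `oldRoot` with DBT_NO_FILE_EXISTS, even when the failing condition is `!is_valid_path_string(alias)`, so a rejected alias is reported as a missing server root. Test the two conditions separately and report the parameter that actually failed.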
@@ -1932,13 +2131,41 @@ sprintf(scratch, mask, newRoot, FILE_PATHSEP, FILE_PATHSEP, alias, cert7); if (PR_SUCCESS == PR_Access(scratch, PR_ACCESS_EXISTS)) { - PR_Rename(scratch, backCertFile); + /* really make sure the file exists */ + char *dir = PR_smprintf("%s%calias", newRoot, FILE_PATHSEP); + char *file = PR_smprintf("%s-%s.db", alias, cert7); + if (verify_file_or_dir(dir, PR_FILE_DIRECTORY, file, 0, PR_FILE_FILE)) { + PR_Rename(scratch, backCertFile); + if (!verify_file_or_dir(backCertFile, PR_FILE_FILE, NULL, 0, (PRFileType)0)) { + PR_snprintf(msg, sizeof(msg), getResourceString(DBT_NO_FILE_EXISTS), backCertFile); + errorRpt(INCORRECT_USAGE, msg); + } + } else { + PR_snprintf(msg, sizeof(msg), getResourceString(DBT_NO_FILE_EXISTS), scratch); + errorRpt(INCORRECT_USAGE, msg); + } + PR_smprintf_free(dir); + PR_smprintf_free(file); } sprintf(scratch, mask, newRoot, FILE_PATHSEP, FILE_PATHSEP, alias, key3); if (PR_SUCCESS == PR_Access(scratch, PR_ACCESS_EXISTS)) { - PR_Rename(scratch, backKeyFile); + /* really make sure the file exists */ + char *dir = PR_smprintf("%s%calias", newRoot, FILE_PATHSEP); + char *file = PR_smprintf("%s-%s.db", alias, key3); + if (verify_file_or_dir(dir, PR_FILE_DIRECTORY, file, 0, PR_FILE_FILE)) { + PR_Rename(scratch, backKeyFile); + if (!verify_file_or_dir(backKeyFile, PR_FILE_FILE, NULL, 0, (PRFileType)0)) { + PR_snprintf(msg, sizeof(msg), getResourceString(DBT_NO_FILE_EXISTS), backKeyFile); + errorRpt(INCORRECT_USAGE, msg); + } + } else { + PR_snprintf(msg, sizeof(msg), getResourceString(DBT_NO_FILE_EXISTS), scratch); + errorRpt(INCORRECT_USAGE, msg); + } + PR_smprintf_free(dir); + PR_smprintf_free(file); } PORT_Free(backCertFile); 
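Review bot: the two blocks added at @@ -1932 (for cert7 and for key3) are identical apart from the suffix and the backup file name; factor them into a helper such as verify_and_backup(newRoot, alias, suffix, backfile) so the dir/file PR_smprintf allocations, the verify/rename/verify sequence and the two PR_smprintf_free calls are written once. The surrounding `sprintf(scratch, mask, ...)` lines are unchanged context, but since the rest of this change moves to PR_snprintf/PR_smprintf, converting them would bring this function in line with the others.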
@@ -1963,11 +2190,12 @@ fileName = (char *) PORT_Alloc(i); sprintf(fileName, mask, oldRoot, FILE_PATHSEP, FILE_PATHSEP, alias, cert); - - if (PR_SUCCESS == PR_Access(fileName, PR_ACCESS_EXISTS)) { + if ((PR_SUCCESS == PR_Access(fileName, PR_ACCESS_EXISTS)) && + verify_file_or_dir(fileName, PR_FILE_FILE, NULL, 0, (PRFileType)0)) { oldCert = PORT_Strdup(fileName); sprintf(fileName, mask, oldRoot, FILE_PATHSEP, FILE_PATHSEP, alias, key); - if (PR_SUCCESS == PR_Access(fileName, PR_ACCESS_EXISTS)) { + if ((PR_SUCCESS == PR_Access(fileName, PR_ACCESS_EXISTS)) && + verify_file_or_dir(fileName, PR_FILE_FILE, NULL, 0, (PRFileType)0)) { } else { PORT_Free(oldCert); oldCert = 0; 
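Review bot: at @@ -1963 the inner `if (... verify_file_or_dir(fileName, ...)) { } else { PORT_Free(oldCert); oldCert = 0; ... }` keeps an empty then-branch; invert the condition so the error handling is the body. As at @@ -1709, pairing PR_Access with verify_file_or_dir checks existence twice; the verify call alone suffices.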
@@ -1982,32 +2210,37 @@ PORT_Free(oldCert); } else { sprintf(fileName, mask, oldRoot, FILE_PATHSEP, FILE_PATHSEP, alias, cert); - if (PR_SUCCESS == PR_Access(fileName, PR_ACCESS_EXISTS)) { + if ((PR_SUCCESS == PR_Access(fileName, PR_ACCESS_EXISTS)) && + verify_file_or_dir(fileName, PR_FILE_FILE, NULL, 0, (PRFileType)0)) { } else { PR_snprintf(msg, sizeof(msg), getResourceString(DBT_NO_FILE_EXISTS), fileName); errorRpt(INCORRECT_USAGE, msg); } oldCert = PORT_Strdup(fileName); sprintf(fileName, mask, oldRoot, FILE_PATHSEP, FILE_PATHSEP, alias, key); - if (PR_SUCCESS == PR_Access(fileName, PR_ACCESS_EXISTS)) { - char * scratch; - i += sizeof(cmd) + PORT_Strlen(newRoot) + aliasLen + 20; /* overkill but safe */ - scratch = (char *) PORT_Alloc(i); - sprintf(scratch, cmd, oldCert, newRoot, FILE_PATHSEP, FILE_PATHSEP, alias, cert7); - if (system(normalizeCommandLine(scratch))) { - errorRpt(INCORRECT_USAGE, getResourceString(DBT_UNABLE_TO_MIGRATE)); - } - sprintf(scratch, cmd, fileName, newRoot, FILE_PATHSEP, FILE_PATHSEP, alias, key3); - if (system(normalizeCommandLine(scratch))) { - errorRpt(INCORRECT_USAGE, getResourceString(DBT_UNABLE_TO_MIGRATE)); - } - PORT_Free(scratch); - PORT_Free(oldCert); + if ((PR_SUCCESS == PR_Access(fileName, PR_ACCESS_EXISTS)) && + verify_file_or_dir(fileName, PR_FILE_FILE, NULL, 0, (PRFileType)0)) { + char *newfile = PR_smprintf("%s%calias%c%s-%s.db", + newRoot, FILE_PATHSEP, FILE_PATHSEP, + alias, cert7); + if (!copyFile(oldCert, newfile) || + !verify_file_or_dir(newfile, PR_FILE_FILE, NULL, 0, (PRFileType)0)) { + errorRpt(INCORRECT_USAGE, getResourceString(DBT_UNABLE_TO_MIGRATE)); + } + PR_smprintf_free(newfile); + newfile = PR_smprintf("%s%calias%c%s-%s.db", + newRoot, FILE_PATHSEP, FILE_PATHSEP, + alias, key3); + if (!copyFile(fileName, newfile) || + !verify_file_or_dir(newfile, PR_FILE_FILE, NULL, 0, (PRFileType)0)) { + errorRpt(INCORRECT_USAGE, getResourceString(DBT_UNABLE_TO_MIGRATE)); + } + PR_smprintf_free(newfile); } else { - 
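Review bot: replacing `system(normalizeCommandLine(scratch))` with copyFile at @@ -1982 removes a shell invocation that carried user-derived path strings, which is the right fix. Two follow-ups: after `!copyFile(oldCert, newfile) || !verify_file_or_dir(newfile, ...)` the code only calls errorRpt and then proceeds to the second copy, so if errorRpt can return the key database is copied even though the cert copy is known to have failed; and copyFile's return convention (nonzero on success is assumed by the `!copyFile(...)` test) is not visible in this diff, so confirm it against the definition and note it in a comment.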
PORT_Free(oldCert); PR_snprintf(msg, sizeof(msg), getResourceString(DBT_NO_FILE_EXISTS), fileName); errorRpt(INCORRECT_USAGE, msg); } + PORT_Free(oldCert); } PORT_Free(fileName); } @@ -2034,6 +2267,7 @@ char * m = getenv("REQUEST_METHOD"); char * qs = 0; char *sie; + char msg[BIG_LINE]; #if 0 CGI_Debug("security"); @@ -2056,7 +2290,7 @@ fflush(stdout); /* This cgi only handle post request*/ - if(!PORT_Strcmp(m, "GET")) { + if(!m || PORT_Strcmp(m, "POST")) { return 0; } @@ -2067,7 +2301,12 @@ { char* operation = getParameter("formop",getResourceString(DBT_OP)); - if (!PORT_Strcmp(operation, "MIGRATE_DB")) { + if (!operation) { + /* if we got here it means front end pass back + a bogus operation string */ + PR_snprintf(line, sizeof(line), getResourceString(DBT_NO_OP), operation); + errorRpt(INCORRECT_USAGE, line); + } else if (!PORT_Strcmp(operation, "MIGRATE_DB")) { keyCertMigrate(getParameter("alias",getResourceString(DBT_ALIAS)), sie); @@ -2075,6 +2314,20 @@ /*only initialize db when we are not trying to migrate if we initialize db then we won't be able to migrate because security library will hog up the file and we can not remove it.*/ + char *dbdir = PR_smprintf("%s%calias", getenv("NETSITE_ROOT"), FILE_PATHSEP); + char *certdbname = PR_smprintf("%s-cert8.db", sie); + char *keydbname = PR_smprintf("%s-key3.db", sie); + if (!is_valid_path_string(sie) || + !verify_file_or_dir(dbdir, PR_FILE_DIRECTORY, certdbname, 0, PR_FILE_FILE) || + !verify_file_or_dir(dbdir, PR_FILE_DIRECTORY, keydbname, 0, PR_FILE_FILE)) { + PR_snprintf(msg, sizeof(msg), getResourceString(DBT_NO_FILE_EXISTS), certdbname); + errorRpt(INCORRECT_USAGE, msg); + } + PR_smprintf_free(dbdir); + PR_smprintf_free(certdbname); + PR_smprintf_free(keydbname); + + /* we got here, we think sie is a valid prefix */ securityInitialization(sie); if (!PORT_Strcmp(operation, "LIST_CERTIFICATE")) { 
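Review bot: at @@ -2067 the new `if (!operation)` branch passes `operation` to PR_snprintf with the DBT_NO_OP format immediately after establishing that it is NULL; if that format carries a %s, a NULL argument is undefined behaviour. Pass a literal such as "" (the snmpmctl.c hunk at @@ -197 does exactly that) or drop the argument. This branch also formats into `line` while @@ -2034 adds `msg` for the same purpose in the same function; pick one buffer.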
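Review bot: at @@ -2075 the failure message always names `certdbname`, even when the failing check is `!is_valid_path_string(sie)` or the keydbname lookup; report the value that failed. `getenv("NETSITE_ROOT")` is passed straight to PR_smprintf without a NULL check, so an unset variable produces a bogus "/alias" path or undefined behaviour; test it first, as the @@ -2056 hunk now does for REQUEST_METHOD.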
@@ -2083,9 +2336,17 @@ /* fprintf(stdout, "total_cert:%d",num_of_certs++); */ } else if (!PORT_Strcmp(operation, "CHANGE_TRUST")) { + char *endptr = NULL; + char *truststr = getParameter("trust_flag",getResourceString(DBT_TRUST)); + int trustflag = strtol(truststr, &endptr, 0); + if ((*truststr == '\0') || !endptr || (*endptr != '\0')) { + /* invalid trust flags */ + errorRpt(GENERAL_FAILURE, getResourceString(DBT_TRUST_SET_FAIL)); + } + /* change trust */ setTrust(getParameter("certfingerprint",getResourceString(DBT_CERT_FINGERPRINT)), - atoi(getParameter("trust_flag",getResourceString(DBT_TRUST)))); + trustflag); } else if (!PORT_Strcmp(operation, "FIND_CERTIFICATE")) { /* view cert */ @@ -2169,12 +2430,12 @@ } else if (!PORT_Strcmp(operation, "FIND_CRL_CKL")) { /* print detail information of a crl/ckl */ char *type = get_cgi_var("list_type", NULL, NULL); - fprintf(stdout, "<%s>\n", type); + fprintf(stdout, "<%s>\n", type?type:""); showCRLRow(cmgFindCrlByName(certdb, getParameter("crlname", getResourceString(DBT_MISSING_FILE)), - !PORT_Strcmp(type, "CKL")? SEC_KRL_TYPE : SEC_CRL_TYPE), + (type && !PORT_Strcmp(type, "CKL"))? SEC_KRL_TYPE : SEC_CRL_TYPE), PR_TRUE, - ((!PORT_Strcmp("CRL", type))?SEC_CRL_TYPE:SEC_KRL_TYPE)); + ((type && !PORT_Strcmp("CRL", type))?SEC_CRL_TYPE:SEC_KRL_TYPE)); fprintf(stdout, "\n", type); } else if (!PORT_Strcmp(operation, "LIST_ALIAS")) { Index: snmpconf.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/snmpconf.c,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- snmpconf.c 31 Mar 2006 22:58:20 -0000 1.5 +++ snmpconf.c 11 May 2006 14:29:30 -0000 1.6 @@ -188,7 +188,7 @@ op=get_cgi_var("op", NULL, NULL); - logMsg("op=%s\n", op); + logMsg("op=%s\n", op?op:""); if (op == NULL) { rpt_err(INCORRECT_USAGE, i18nMsg(DBT_NO_OPERATION, "No operation defined"), NULL, NULL); 
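Review bot: @@ -2083 repeats the trust_flag parsing from @@ -1268 verbatim, including the dead `!endptr` clause and the missing range check on the `long` to `int` narrowing; use one shared helper for both sites.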
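Review bot: at @@ -2169 the two `type` tests disagree on their default: the list type passed to cmgFindCrlByName falls back to SEC_CRL_TYPE when `type` is NULL or unrecognised, while the last argument falls back to SEC_KRL_TYPE for the same input, so a NULL `type` looks up a CRL but displays it as a KRL. Compute list_type once, pass it to both parameters, and consider rejecting a NULL or unknown `type` with rpt_err instead of printing an empty `<>` tag.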
@@ -306,6 +306,11 @@ operation = tab+1; logMsg("%s=%s\n", name, operation); + if (strlen(operation) > (sizeof(op_buf)-strlen("ALLOW OPERATIONS"))) { + logMsg("Error: community operation [%s] is too large\n", community); + PR_snprintf(error_info, sizeof(error_info), i18nMsg(DBT_UNKNOWN_OPERATION, "Unknown Operation (%s)"), op); + rpt_err(INCORRECT_USAGE, error_info, NULL, NULL); + } PR_snprintf(op_buf, sizeof(op_buf), "ALLOW %s OPERATIONS", operation); list = add_community_entry(list, name, op_buf); Index: snmpmctl.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/snmpmctl.c,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- snmpmctl.c 31 Mar 2006 22:58:20 -0000 1.5 +++ snmpmctl.c 11 May 2006 14:29:30 -0000 1.6 @@ -197,7 +197,12 @@ } action_type = get_cgi_var("ACTION", NULL, NULL); - if (!strcmp(action_type, "START")) { + if (!action_type) { + PR_snprintf(error_info, sizeof(error_info), i18nMsg(DBT_UNKNOWN_CMD,"Command (%s) not understood"), ""); + logMsg("%s\n", error_info); + rpt_err(INCORRECT_USAGE, error_info, NULL, NULL); + } + else if (!strcmp(action_type, "START")) { logMsg("START\n"); check_superuser(); magent_shutdown(0); Index: statpingserv.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/statpingserv.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- statpingserv.c 31 Mar 2006 22:58:20 -0000 1.4 +++ statpingserv.c 11 May 2006 14:29:30 -0000 1.5 @@ -62,6 +62,8 @@ PRHostEnt hent; char buf[PR_NETDB_BUF_SIZE]; PRStatus err; + char gifbuf[BUFSIZ]; + PRInt32 bytes; PRFileDesc *req_socket= NULL; int retcode; @@ -71,10 +73,12 @@ char *host; int port; - FILE *gif; + PRFileDesc *gif; int character; int count=0; char *file; + char *portstr; + struct PRFileInfo64 prfileinfo; m = getenv("REQUEST_METHOD"); /* 
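Review bot: the length guard at @@ -306 in snmpconf.c has two problems. The log line prints `community` and the rpt_err message prints `op`, but the value being rejected is `operation`. And the threshold `sizeof(op_buf) - strlen("ALLOW OPERATIONS")` is off by two: the format "ALLOW %s OPERATIONS" contributes 17 literal characters (two spaces) plus the terminating NUL. PR_snprintf truncates rather than overflows, so the effect is a silently shortened op_buf instead of an error; `if (strlen(operation) + sizeof("ALLOW  OPERATIONS") > sizeof(op_buf))` (two spaces, sizeof including the NUL) rejects exactly the inputs that would not fit.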
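Review bot: the statpingserv.c hunk at @@ -71 keeps `int character;` and `int count=0;` although the @@ -130 hunk removes every use of them (both fgetc loops); drop the declarations. `struct PRFileInfo64 prfileinfo;` can use the NSPR typedef `PRFileInfo64`, matching the style of the other PR types in this block.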
@@ -91,13 +95,21 @@ result = get_cgi_var("result", NULL, NULL); host = get_cgi_var("host", NULL, NULL); - port = atoi(get_cgi_var("port", NULL, NULL)); + portstr = get_cgi_var("port", NULL, NULL); + if (portstr) { + port = atoi(portstr); + } else { + port = 0; + } if(result && !strcmp(result, "text")) fprintf(stdout, "Content-type: text/html\n"); else fprintf(stdout, "Content-type: image/gif\n"); + if (!host || !port) { + rpt_err(APP_ERROR, "Invalid hostname and/or port number!", NULL, NULL); + } if(!isdigit(host[0])) { err = PR_GetHostByName(host, buf, sizeof(buf), &hent); if(err == PR_FAILURE) 
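Review bot: at @@ -91 the `!host || !port` rejection runs after the Content-type header has already been written, so the error reply follows a header that claims image/gif or text/html; move the check above the header output, where it still protects the `isdigit(host[0])` dereference that follows. `atoi(portstr)` is also not range-checked, so a negative or over-65535 value passes the `!port` test; parse with strtol and an end pointer (as the certificate CGI now does for trust_flag) and require 0 < port <= 65535.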
@@ -130,21 +142,34 @@ PR_Close(req_socket); - gif = fopen(file, "rb"); - if(!gif) + if ((PR_FAILURE == PR_GetFileInfo64(file, &prfileinfo)) || + (prfileinfo.type != PR_FILE_FILE)) { rpt_err(APP_ERROR, "Cannot open gif file!", NULL, NULL); - while((character = fgetc(gif)) != EOF) - count++; - fclose(gif); + } - fprintf(stdout, "Content-length: %d\n\n", count); + fprintf(stdout, "Content-length: %ld\n\n", (size_t)prfileinfo.size); + fflush(stdout); - gif = fopen(file, "rb"); + PR_Sync(PR_STDOUT); + gif = PR_Open(file, PR_RDONLY, 0); if(!gif) rpt_err(APP_ERROR, "Cannot open gif file!", NULL, NULL); - while((character = fgetc(gif)) != EOF) - fputc(character, stdout); - fclose(gif); + while (0 < (bytes = PR_Read(gif, gifbuf, sizeof(gifbuf)))) { + PRInt32 remaining = bytes; + PRInt32 byteswritten = 0; + while (((byteswritten = PR_Write(PR_STDOUT, gifbuf+byteswritten, remaining)) != remaining) && + (byteswritten > 0)) { + remaining -= byteswritten; + } + if (byteswritten < 0) { + rpt_err(APP_ERROR, "Cannot write gif to stdout!", NULL, NULL); + } + } + if (bytes < 0) { + rpt_err(APP_ERROR, "Cannot read gif to write to stdout!", NULL, NULL); + } + PR_Sync(PR_STDOUT); + PR_Close(gif); } return 0; Index: viewdata.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/viewdata.c,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- viewdata.c 31 Mar 2006 22:58:20 -0000 1.5 +++ viewdata.c 11 May 2006 14:29:30 -0000 1.6 @@ -233,9 +233,15 @@ /* Get the domain */ tmp = strdup(sie); - tmp2 = strrchr(tmp, ','); + if (!(tmp2 = strrchr(tmp, ','))) { + free(tmp); + return 1; + } tmp2[0] = '\0'; - domain = strrchr(tmp, ','); + if (!(domain = strrchr(tmp, ','))) { + free(tmp); + return 1; + } domain++; tmp2[0] = ','; 
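Review bot: the write loop at @@ -130 is wrong for more than one short write: `gifbuf+byteswritten` offsets by the size of the most recent PR_Write only, not the cumulative count, so after two partial writes the third call resends from the wrong position. Keep a separate `offset` that accumulates and loop `while (remaining > 0)`; a PR_Write return of 0 currently also exits the loop with `byteswritten < 0` false, so a short response is reported as success. Separately, `Content-length: %ld` is given `(size_t)prfileinfo.size`; PRFileInfo64.size is a PRInt64, so cast to long or use PR_PRId64 to avoid truncation on 32-bit builds, and note that PR_GetFileInfo64 followed by PR_Open is a check-then-open pair on a user-supplied `file`, which is acceptable only because `file` has been validated earlier.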
@@ -457,81 +463,6 @@ ldap_value_free(vals); } } - else if(directive_is(line, "CHECK_UPGRADE")) { - char *tmp = strdup(sie); - char *isie; - char **vals; - char *sie_product_version; - char *html_line; -#if 0 - - /* First, get the current SIE's product version. */ - isie = strtok(tmp, ","); - isie = strtok(NULL, "\0"); - isie++; - while(*isie == ' ') - isie++; - - if((ldapError = ldap_search_s(server, isie, LDAP_SCOPE_BASE, - "(objectclass=*)", NULL, 0, &entry)) != LDAP_SUCCESS) - return 1; - if(vals = ldap_get_values(server, entry, "nsproductversion")) { - sie_product_version = strdup(vals[0]); - ldap_value_free(vals); - } - - /* - * Next, get the currently-shipping product version of the product we're interested in. - * Check the secret Netcenter URL. No need to init SSL in this case since the site is always insecure. - */ - - if(!get_bindinfo(&binddn, &bindpw)) - exit(0); - - nbuf = (bufstruct *) new_buffer(NBUF_SIZE); - - request = PR_smprintf(getResourceString(DBT_NETCENTER_GET_REQ), binddn); - sockd = make_http_request("http", - getResourceString(DBT_NETCENTER_HOST), - atoi(getResourceString(DBT_NETCENTER_PORT)), - request, 60, &errorcode); - PR_smprintf_free(request); - - if (sockd == NULL) { - continue; - } - - /* Why is the third parameter not used in parse_http_header ?? */ - if (parse_http_header(sockd, nbuf, "Enterprise") < 0) { - end_http_request(sockd); - continue; - } - - while( (html_line = get_line_from_fd(sockd, nbuf)) != (char *) NULL) { - if((strstr(sie, "Messaging") && strstr(html_line, "Messaging")) || - (strstr(sie, "Administration") && strstr(html_line, "Administration")) || - (strstr(sie, "Directory") && strstr(html_line, "Directory")) || - (strstr(sie, "Enterprise") && strstr(html_line, "Enterprise")) || - (strstr(sie, "Certificate") && strstr(html_line, "Certificate")) || - (strstr(sie, "Application") && strstr(html_line, "Application")) || - (strstr(sie, "Biller") && strstr(html_line, "Biller"))) { - /* - * Get the product version. 
If the version is higher than the server we're looking at, - * display an upgrade link. - */ - if(tmp) free(tmp); - tmp = strtok(html_line, "="); - tmp = strtok(NULL, "\n"); - if(setupVersionCompare(tmp, sie_product_version) > 0) - fprintf(stdout, (const char*)getResourceString(DBT_MAIN_PRODUCT_VERSION), getResourceString(DBT_NETCENTER_SERVER_PRODUCT_URL)); - else - fprintf(stdout, getResourceString(DBT_MAIN_UPGRADE_AVAILABLE)); - - break; - } - } -#endif - } else if(directive_is(line, "SHOW_URL")) { char *text; char *url; --- userinfo.c DELETED --- From fedora-directory-commits at redhat.com Thu May 11 23:30:39 2006 From: fedora-directory-commits at redhat.com (Noriko Hosoi (nhosoi)) Date: Thu, 11 May 2006 16:30:39 -0700 Subject: [Fedora-directory-commits] adminutil/lib/libadmsslutil Makefile, 1.4, 1.5 psetcssl.c, 1.1.1.1, 1.2 Message-ID: <200605112330.k4BNUdkD017751@cvs-int.fedora.redhat.com> Author: nhosoi Update of /cvs/dirsec/adminutil/lib/libadmsslutil In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17686/lib/libadmsslutil Modified Files: Makefile psetcssl.c Log Message: [161099] admin passwd in clear text in adm.conf 1) sie password is no longer stored in adm.conf. Instead, get it from client via PIPE. 2) added subordinate functions: admldapGetXXX to retrieve ldap handle, directory URL, and userDN. 3) updated Makefiles to clean up the old files from the previous make. 4) increased the buffer size to read in the local cache files. Index: Makefile =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadmsslutil/Makefile,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- Makefile 22 Feb 2006 21:45:37 -0000 1.4 +++ Makefile 11 May 2006 23:30:32 -0000 1.5 
@@ -99,8 +99,8 @@ $(SO_LIB): $(OBJS) rm -f $@ $(LINK_DLL) $(OBJS) $(DEPLIBS) - cd $(OBJLIBDIR); ln -s $(SO_NAME)$(SO_EXT) $(SO_NAME)$(SO_COREEXT) - cd $(OBJLIBDIR); ln -s $(SO_NAME)$(SO_EXT) $(SO_NAME)$(SO_COREEXT).$(ADMSDK_SO_MAJORVERSION) + cd $(OBJLIBDIR); rm -f $(SO_NAME)$(SO_COREEXT); ln -s $(SO_NAME)$(SO_EXT) $(SO_NAME)$(SO_COREEXT) + cd $(OBJLIBDIR); rm -f $(SO_NAME)$(SO_COREEXT).$(ADMSDK_SO_MAJORVERSION); ln -s $(SO_NAME)$(SO_EXT) $(SO_NAME)$(SO_COREEXT).$(ADMSDK_SO_MAJORVERSION) endif endif Index: psetcssl.c =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadmsslutil/psetcssl.c,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- psetcssl.c 20 Jul 2005 22:51:33 -0000 1.1.1.1 +++ psetcssl.c 11 May 2006 23:30:32 -0000 1.2 @@ -45,7 +45,6 @@ PsetHndl psethndl; int ldapError, unbindF = 0; - if ((!ldapHost) || (ldapPort < 1) || (!sieDN)) { /* set error code to SIEDN not available */ *errorcode = PSET_ARGS_ERROR; 
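Review bot: `rm -f X; ln -s Y X` at @@ -99 in the libadmsslutil Makefile can be written `ln -sf Y X`, which both GNU and BSD ln support and which avoids the window in which the symlink does not exist; the same pattern is repeated at @@ -110 in the libadminutil Makefile.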
@@ -53,34 +52,38 @@ } /* Connect to the LDAP server */ - - if (secure) ld = ldapssl_init(ldapHost, ldapPort, 1); - else ld = ldap_init(ldapHost, ldapPort); - - /* authenticate to LDAP server*/ - if ((ldapError = ldap_simple_bind_s(ld, userDN, passwd)) - != LDAP_SUCCESS ) { - switch (ldapError) { - case LDAP_INAPPROPRIATE_AUTH: - case LDAP_INVALID_CREDENTIALS: - case LDAP_INSUFFICIENT_ACCESS: - /* authenticate failed: Should not continue */ - /* ldap_perror( pset->ld, "ldap_simple_bind_s" ); */ - *errorcode = PSET_AUTH_FAIL; - return NULL; - case LDAP_NO_SUCH_OBJECT: - case LDAP_ALIAS_PROBLEM: - case LDAP_INVALID_DN_SYNTAX: - /* Not a good DN */ - *errorcode = PSET_ENTRY_NOT_EXIST; - return NULL; - default: - ldap_unbind(ld); - unbindF = 0; - ld = NULL; + if (NULL == passwd) { /* if passwd is not given, try info from client */ + ADM_GetCurrentPassword(errorcode, &passwd); + } + if (NULL != passwd) { /* if passwd is not given, let's use cache data */ + if (secure) ld = ldapssl_init(ldapHost, ldapPort, 1); + else ld = ldap_init(ldapHost, ldapPort); + + /* authenticate to LDAP server*/ + if ((ldapError = ldap_simple_bind_s(ld, userDN, passwd)) + != LDAP_SUCCESS ) { + switch (ldapError) { + case LDAP_INAPPROPRIATE_AUTH: + case LDAP_INVALID_CREDENTIALS: + case LDAP_INSUFFICIENT_ACCESS: + /* authenticate failed: Should not continue */ + /* ldap_perror( pset->ld, "ldap_simple_bind_s" ); */ + *errorcode = PSET_AUTH_FAIL; + return NULL; + case LDAP_NO_SUCH_OBJECT: + case LDAP_ALIAS_PROBLEM: + case LDAP_INVALID_DN_SYNTAX: + /* Not a good DN */ + *errorcode = PSET_ENTRY_NOT_EXIST; + return NULL; + default: + ldap_unbind(ld); + unbindF = 0; + ld = NULL; + } } + else unbindF = 1; } - else unbindF = 1; psethndl = psetFullLDAPImportRef(pseth, ld, @@ -89,12 +92,6 @@ filter, unbindF, errorcode, userDN, passwd); - /* - if (psethndl) { - psetSetLDAPReferalInfo(psethndl, userDN, passwd); - } - */ - return psethndl; } 
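Review bot: in @@ -53 the comment on `if (NULL != passwd) { /* if passwd is not given, let's use cache data */` describes the opposite branch; this block runs when a password is available, and the cache fallback is the implicit else. Inside the block, `ld` from ldapssl_init/ldap_init is passed to ldap_simple_bind_s with no NULL check; the lines only moved, but re-indenting them is the moment to add one. When ADM_GetCurrentPassword leaves passwd NULL, `ld` stays NULL and unbindF 0 and psetFullLDAPImportRef is still called with the `*errorcode` that ADM_GetCurrentPassword set; if that is the intended cache path, say so in a comment and clear or reset errorcode there.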
@@ -110,7 +107,7 @@ PR_IMPLEMENT(PsetHndl) -psetCreateSSL(char* serverID, char* configRoot, char* userDN, char* passwd, +psetCreateSSL(char* serverID, char* configRoot, char* user, char* passwd, int* errorcode) { PsetHndl pset; @@ -118,6 +115,7 @@ char *serverRoot = getenv("NETSITE_ROOT"); char path[PATH_MAX], *ldapHost=NULL, *sieDN, *bindPasswd = NULL; char *secureStr = NULL; + char *userDN = NULL; int ldapPort = 389, dummy, secure = 0; ldapInfo = admldapBuildInfo(configRoot, errorcode); @@ -152,13 +150,21 @@ } /* Get SIE and password */ - sieDN = admldapGetSIEDN(ldapInfo); - if (!userDN) { - userDN = sieDN; + if (!user) { + ADM_GetCurrentUsername(errorcode, &user); + } + /* if user is just attr val, get dn */ + userDN = admldapGetUserDN(ldapInfo, user); + if (passwd) { + bindPasswd = passwd; + } else { bindPasswd = admldapGetSIEPWD(ldapInfo); + if (!bindPasswd) { + passwd = bindPasswd; /* not to free bindPasswd */ + ADM_GetCurrentPassword(errorcode, &bindPasswd); + } } - else bindPasswd = passwd; if (configRoot) PR_snprintf(path, sizeof(path), "%s%clocal.conf", configRoot, FILE_PATHSEP); From fedora-directory-commits at redhat.com Thu May 11 23:30:33 2006 
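Review bot: at @@ -152 `passwd = bindPasswd; /* not to free bindPasswd */` assigns NULL to passwd (bindPasswd is NULL on that path) purely as a marker for a later free decision; an explicit flag such as `int freeBindPasswd` would make the intent readable. admldapGetUserDN returns the handle's cached pointer (its definition in admutil.c returns `admInfo->userDN`), so `userDN` must not be freed here, and the hunk adds no NULL check for it: the removed code fell back to `sieDN` when no user DN was given, and that fallback is gone.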
From: fedora-directory-commits at redhat.com (Noriko Hosoi (nhosoi)) Date: Thu, 11 May 2006 16:30:33 -0700 Subject: [Fedora-directory-commits] adminutil/include/libadminutil admutil.h, 1.4, 1.5 Message-ID: <200605112331.k4BNV3Ph017754@cvs-int.fedora.redhat.com> Author: nhosoi Update of /cvs/dirsec/adminutil/include/libadminutil In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17686/include/libadminutil Modified Files: admutil.h Log Message: [161099] admin passwd in clear text in adm.conf 1) sie password is no longer stored in adm.conf. Instead, get it from client via PIPE. 2) added subordinate functions: admldapGetXXX to retrieve ldap handle, directory URL, and userDN. 3) updated Makefiles to clean up the old files from the previous make. 4) increased the buffer size to read in the local cache files. Index: admutil.h =================================================================== RCS file: /cvs/dirsec/adminutil/include/libadminutil/admutil.h,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- admutil.h 15 Dec 2005 21:07:17 -0000 1.4 +++ admutil.h 11 May 2006 23:30:31 -0000 1.5 @@ -33,6 +33,7 @@ #include "plstr.h" #include "prprf.h" #include "prmem.h" +#include /* Copy from #include "base/systems.h" */ #if defined (XP_WIN32) /* Windows NT */ @@ -151,6 +152,15 @@ PR_IMPLEMENT(char*) admldapGetSIEPWD(AdmldapInfo info); +PR_IMPLEMENT(LDAP *) +admldapGetLDAPHndl(AdmldapInfo info); + +PR_IMPLEMENT(char *) +admldapGetDirectoryURL(AdmldapInfo info); + +PR_IMPLEMENT(char *) +admldapGetUserDN(AdmldapInfo info, char *uid); + #define UG_OP_OK 0 #define UG_NO_SSL_SUPPORT 1 #define UG_AUTH_FAIL 2 From fedora-directory-commits at redhat.com Thu May 11 23:30:34 2006 
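Review bot: the prototypes added at @@ -151 declare admldapGetLDAPHndl with PR_IMPLEMENT(LDAP *), but its definition in admutil.c (@@ -1503) is a plain `LDAP *`; on the Windows build the export macro mismatch will not link. Also, admldapGetDirectoryURL returns a PL_strdup copy while admldapGetUserDN returns the handle's cached pointer; the header should state that ownership difference, since callers cannot tell it from the signatures.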
From: fedora-directory-commits at redhat.com (Noriko Hosoi (nhosoi)) Date: Thu, 11 May 2006 16:30:34 -0700 Subject: [Fedora-directory-commits] adminutil/lib/libadminutil Makefile, 1.7, 1.8 admutil.c, 1.3, 1.4 admutil_pvt.h, 1.1.1.1, 1.2 psetc.c, 1.2, 1.3 uginfo.c, 1.2, 1.3 Message-ID: <200605112331.k4BNV4ZD017759@cvs-int.fedora.redhat.com> Author: nhosoi Update of /cvs/dirsec/adminutil/lib/libadminutil In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17686/lib/libadminutil Modified Files: Makefile admutil.c admutil_pvt.h psetc.c uginfo.c Log Message: [161099] admin passwd in clear text in adm.conf 1) sie password is no longer stored in adm.conf. Instead, get it from client via PIPE. 2) added subordinate functions: admldapGetXXX to retrieve ldap handle, directory URL, and userDN. 3) updated Makefiles to clean up the old files from the previous make. 4) increased the buffer size to read in the local cache files. Index: Makefile =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadminutil/Makefile,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- Makefile 22 Feb 2006 21:45:32 -0000 1.7 +++ Makefile 11 May 2006 23:30:31 -0000 1.8 
@@ -110,8 +110,8 @@ $(SO_LIB): $(OBJS) rm -f $@ $(LINK_DLL) $(OBJS) $(DEPLIBS) - cd $(OBJLIBDIR); ln -s $(SO_NAME)$(SO_EXT) $(SO_NAME)$(SO_COREEXT) - cd $(OBJLIBDIR); ln -s $(SO_NAME)$(SO_EXT) $(SO_NAME)$(SO_COREEXT).$(ADMSDK_SO_MAJORVERSION) + cd $(OBJLIBDIR); rm -f $(SO_NAME)$(SO_COREEXT); ln -s $(SO_NAME)$(SO_EXT) $(SO_NAME)$(SO_COREEXT) + cd $(OBJLIBDIR); rm -f $(SO_NAME)$(SO_COREEXT).$(ADMSDK_SO_MAJORVERSION); ln -s $(SO_NAME)$(SO_EXT) $(SO_NAME)$(SO_COREEXT).$(ADMSDK_SO_MAJORVERSION) endif endif Index: admutil.c =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadminutil/admutil.c,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- admutil.c 22 Mar 2006 23:47:14 -0000 1.3 +++ admutil.c 11 May 2006 23:30:31 -0000 1.4 @@ -854,7 +854,7 @@ void treeExport(FILE *fstream, char* parentString, TreeNodePtr node) { - char *cptr, *sptr, valBuf[2048]; + char *cptr, *sptr, valBuf[BUFSIZ]; ListNodePtr listPtr; if (node->left) treeExport(fstream, parentString, node->left); @@ -884,7 +884,7 @@ { int status, lineno=1, valLen=0; char linebuf[MAX_LEN], *name=NULL, *val=NULL; - char valBuf[2048], *valptr = valBuf; + char valBuf[BUFSIZ], *valptr = valBuf; int valBuf_len = sizeof(valBuf); TreeNodePtr rootNode = NULL, tmpNode = NULL; @@ -1178,8 +1178,8 @@ return NULL; } - siePasswd = treeFindValueAt(admInfo->configInfo, "siepid", 0); - + /* returned value from ADM_Get... should NOT be freed */ + ADM_GetCurrentPassword(errorcode, &siePasswd); /* via PIPE */ if (ldapInfo->lud_options & LDAP_URL_OPT_SECURE) { *errorcode = ADMUTIL_NO_SSL_SUPPORT; @@ -1191,6 +1191,7 @@ } /* authenticate to LDAP server*/ + /* return value from treeFindValueAt should be freed */ sieDN = treeFindValueAt(admInfo->configInfo, "sie", 0); /* 
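Review bot: same point as the libadmsslutil Makefile: `rm -f X; ln -s Y X` at @@ -110 can be `ln -sf Y X`.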
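Review bot: switching valBuf from 2048 to BUFSIZ at @@ -854 and @@ -884 makes the size platform-dependent: BUFSIZ is the stdio constant (8192 with glibc, but 512 on some libc and Windows builds), so "increased the buffer size" in the log message holds only on some targets and can shrink the buffer on others. Define an explicit constant (ADMUTIL_VAL_BUFSIZ is a placeholder name) and use it in both places and in psetc.c.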
@@ -1198,7 +1199,6 @@ * attempts as long as there is a new password available to use. */ { - int configPassword; /* Indicates password is in config file */ int retry; /* Indicates that a previous password failed */ @@ -1216,7 +1216,7 @@ } else { siePasswd = cbk(retry); if (siePasswd == NULL) { - ldapError = LDAP_INVALID_CREDENTIALS; + ldapError = LDAP_INVALID_CREDENTIALS; break; } } @@ -1231,8 +1231,7 @@ } } - - if ((ldapError != LDAP_SUCCESS ) && !(secureLDAP)){ + if ((ldapError != LDAP_SUCCESS ) && !(secureLDAP)){ #ifdef LDAP_DEBUG ldap_perror(admInfo->ldapHndl, "ldap_simple_bind_s"); #endif @@ -1256,23 +1255,24 @@ admInfo->ldapHndl = NULL; *errorcode = ADMUTIL_LDAP_ERR; } - } - + } - /* setup the referral */ - if (admInfo->ldapHndl) - { - admInfo->sieDN=PL_strdup(sieDN); - ldap_set_rebind_proc(admInfo->ldapHndl, admin_ldap_rebind_proc, + /* setup the referral */ + if (admInfo->ldapHndl) + { + ldap_set_rebind_proc(admInfo->ldapHndl, admin_ldap_rebind_proc, (void *)admInfo); - } - - if (siePasswd != NULL) { - admInfo->passwd=PL_strdup(siePasswd); - } + } - if (sieDN) PR_Free(sieDN); - if (siePasswd) PR_Free(siePasswd); + if (sieDN != NULL) { + admInfo->sieDN=PL_strdup(sieDN); + /* return value from treeFindValueAt should be freed */ + PR_Free(sieDN); + } + if (siePasswd != NULL) { + /* returned value from ADM_Get... should NOT be freed */ + admInfo->passwd=PL_strdup(siePasswd); + } admInfo->ldapInfo = ldapInfo; @@ -1307,11 +1307,6 @@ break; case 1: /* EOF */ - /* - *errorcode = ADMUTIL_OP_FAIL; - return NULL; - break; - */ default: password = strchr(buf, ':'); *password++ = '\0'; 
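Review bot: @@ -1178 now sources siePasswd from ADM_GetCurrentPassword, whose result the new comment says must not be freed, while the retry loop at @@ -1216 can reassign `siePasswd = cbk(retry)`; with `if (siePasswd) PR_Free(siePasswd);` removed at @@ -1256, a string returned by cbk is no longer freed. Track which source the pointer came from, or give the callback path its own variable.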
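Review bot: with the commented-out block removed at @@ -1307, `case 1: /* EOF */` now falls through into `default`, where `password = strchr(buf, ':'); *password++ = '\0';` writes through the strchr result without a NULL check; on EOF, or any line without a ':', that is a NULL dereference. Restore an explicit error return for the EOF case, or check `password` before writing.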
@@ -1487,12 +1482,17 @@ char *password = NULL; if(admInfo->passwd) return PL_strdup(admInfo->passwd); - else - return NULL; + else { + admInfo->passwd = admGetCachedSIEPWD(); + if(admInfo->passwd) + return PL_strdup(admInfo->passwd); + } + return NULL; } PR_IMPLEMENT(char*) -admldapGetISIEDN(AdmldapInfo info) { +admldapGetISIEDN(AdmldapInfo info) +{ AdmldapHdnlPtr admInfo = (AdmldapHdnlPtr)info; char *ldapISIEDN = NULL; 
@@ -1503,13 +1503,84 @@ } PR_IMPLEMENT(void) -admldapSetLDAPHndl(AdmldapInfo info, LDAP *ld) { +admldapSetLDAPHndl(AdmldapInfo info, LDAP *ld) +{ AdmldapHdnlPtr admInfo = (AdmldapHdnlPtr)info; if (admInfo->ldapHndl) ldap_unbind(admInfo->ldapHndl); admInfo->ldapHndl = ld; } +LDAP * +admldapGetLDAPHndl(AdmldapInfo info) +{ + AdmldapHdnlPtr admInfo = (AdmldapHdnlPtr)info; + + return admInfo->ldapHndl; +} + +PR_IMPLEMENT(char *) +admldapGetDirectoryURL(AdmldapInfo info) +{ + AdmldapHdnlPtr admInfo = (AdmldapHdnlPtr)info; + + return PL_strdup(admInfo->serverDirectoryURL); +} + +PR_IMPLEMENT(char *) +admldapGetUserDN(AdmldapInfo info, char *uid) +{ + AdmldapHdnlPtr admInfo = (AdmldapHdnlPtr)info; + LDAP *ld = NULL; + char *userDN = NULL; + char *baseDN = NULL; + char *uidFilter = NULL; + int err; + LDAPMessage *result = NULL; + + if (NULL != admInfo->userDN) { + userDN = admInfo->userDN; + goto done; + } + if (NULL != uid && NULL != strchr(uid, '=')) { + userDN = PL_strdup(uid); + goto done; + } + ld = admldapGetLDAPHndl(info); + if (NULL == ld) { + goto done; + } + baseDN = admldapGetBaseDN(info); + if (NULL == baseDN) { + goto done; + } + uidFilter = PR_smprintf("(uid=%s)", uid?uid:admInfo->localAdminName); + err = ldap_search_s(ld, baseDN, LDAP_SCOPE_SUBTREE, uidFilter, + NULL, 0, &result); + if (err != LDAP_SUCCESS || ldap_count_entries(ld, result) == 0) { + ldap_msgfree(result); + goto done; + } else { + LDAPMessage *entry = ldap_first_entry(ld, result); + userDN = ldap_get_dn(ld, entry); + ldap_msgfree(result); + } +done: + PR_smprintf_free(uidFilter); + if (baseDN) PR_Free(baseDN); + if (userDN) { + admInfo->userDN = userDN; + } else { + userDN = treeFindValueAt(admInfo->configInfo, "userdn", 0); + if (userDN) { + admInfo->userDN = PL_strdup(userDN); + } else { + admInfo->userDN = NULL; + } + } + return admInfo->userDN; +} + PR_IMPLEMENT(char*) admGetLocalAdmin(char* configRoot, int *errorcode) { Index: admutil_pvt.h 
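Review bot: in hunk @@ -1503,13 +1503,84 @@ `uidFilter = PR_smprintf("(uid=%s)", uid?uid:admInfo->localAdminName);` interpolates the caller-supplied uid into the search filter without escaping filter metacharacters (`*`, `(`, `)`, `\`, NUL), so a uid of `*` matches every entry and the first result is silently adopted as the user DN; given this commit's Don't Trust The User theme, escape the value per RFC 2254 or reject uids containing those characters. Related, `ldap_count_entries(ld, result) == 0` is the only result check, so an ambiguous match still takes `ldap_first_entry`; require exactly one. `NULL != strchr(uid, '=')` treats any string with an '=' as a DN, which is worth a comment at least. The `done:` label mixes allocators: userDN from ldap_get_dn() must be released with ldap_memfree(), while the PL_strdup(uid) and PL_strdup(treeFindValueAt(...)) branches need PL_strfree, yet all three end up in admInfo->userDN with nothing recording which; normalise by PL_strdup'ing the ldap_get_dn result and ldap_memfree'ing the original. Finally, admldapGetLDAPHndl is declared plain `LDAP *` without the PR_IMPLEMENT used by its neighbours, but the mod_admserv commit later in this digest calls it, so it needs exporting and a prototype in the public header.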
=================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadminutil/admutil_pvt.h,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- admutil_pvt.h 20 Jul 2005 22:51:32 -0000 1.1.1.1 +++ admutil_pvt.h 11 May 2006 23:30:31 -0000 1.2 @@ -20,14 +20,11 @@ #ifndef __ADMUTIL_PVT_H__ #define __ADMUTIL_PVT_H__ -#include #include #include #include -#include #include - /* * utility function for copy/free string array */ @@ -169,6 +166,7 @@ char *localAdminName; char *localAdminPassword; char *sieDN; + char *userDN; char *passwd; } AdmldapHdnl, *AdmldapHdnlPtr; Index: psetc.c =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadminutil/psetc.c,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- psetc.c 15 Dec 2005 21:07:44 -0000 1.2 +++ psetc.c 11 May 2006 23:30:31 -0000 1.3 @@ -27,6 +27,7 @@ #include #include #include +#include #include "psetc_pvt.h" #include "libadminutil/admutil.h" #include "dbtadmutil.h" @@ -798,17 +799,19 @@ psetFileImportP(PsetPtr pset) { FILE *fstream; - int errorCode = PSET_OP_OK, status, errorcode; + int errorCode = PSET_OP_OK, status; int lineno = 0, nameLen = 0, valLen = 0; #ifdef XP_UNIX int fd; struct flock flock_data; #endif char linebuf[1024]; - char *name, *val, namebuf[128], valBuf[2048]; - char *nodeName, *attrName, *valptr = valBuf; - int valBuf_len = sizeof(valBuf); + char *name, *val, namebuf[128], *valBuf; + char *nodeName, *attrName, *valptr = NULL; + int valBuf_len = 0; PsetNodePtr lastPsetNode = NULL, target; + PRStatus prst = 0; + PRFileInfo prinfo; if (!pset->configFile) return PSET_LOCAL_OPEN_FAIL; if (!(fstream = fopen(pset->configFile, "r"))) 
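Review bot: hunk @@ -169,6 +166,7 @@ of admutil_pvt.h adds `char *userDN;` to AdmldapHdnl, and admldapGetUserDN keys its fast path on `NULL != admInfo->userDN`, so the structure must be zero-initialised wherever it is allocated and userDN released in the destroy path (bearing in mind the ldap_get_dn/PL_strdup allocator mix noted above). The include removals in @@ -20 are fine provided nothing else in the file relied on them transitively.

Review bot: in psetc.c hunk @@ -798,17 +799,19 @@ the move from a fixed `valBuf[2048]` to a heap buffer sized at runtime is the right direction for a file-driven value length, and collapsing errorcode/errorCode into one variable removes a real source of confusion (the old code set one and returned the other). The new `PRStatus prst = 0;` is fine since PR_SUCCESS is 0, but `prst = PR_SUCCESS` reads better.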
@@ -825,18 +828,32 @@ fstream = NULL; return PSET_LOCAL_OPEN_FAIL; } + prst = PR_GetFileInfo(pset->configFile, &prinfo); + if (PR_SUCCESS != prst) { + fclose(fstream); + fstream = NULL; + return PSET_LOCAL_OPEN_FAIL; + } + valptr = valBuf = (char *)PR_Malloc(prinfo.size + 1); + if (NULL == valBuf) { + fclose(fstream); + fstream = NULL; + return PSET_SYSTEM_ERR; + } + valBuf_len = prinfo.size; #endif namebuf[0] = '\0'; while(1) { /* read line */ - switch(status = admutil_getline(fstream, MAX_LEN, lineno++, linebuf)) { + status = admutil_getline(fstream, sizeof(linebuf), lineno++, linebuf); + switch (status) { case -1: /* Error on reading, SET ERRORCODE */ - errorcode = PSET_SYSTEM_ERR; if (pset->info->attrFile) treeRemoveTree(pset->info->attrFile); pset->info->attrFile = NULL; - return PSET_SYSTEM_ERR; + errorCode = PSET_SYSTEM_ERR; + goto bailout; break; case 1: /* EOF, out of here */ @@ -846,7 +863,7 @@ /* Is the last node? -> strcasecmp node name */ target = lastPsetNode; else /* No, Locate and build node -> psetnodeBuildNodes */ - target = psetNodeBuildNodes(pset->info, nodeName, &errorcode); + target = psetNodeBuildNodes(pset->info, nodeName, &errorCode); /* psetNodeAddNameValue */ if (target) { @@ -859,14 +876,20 @@ #endif fclose(fstream); fstream = NULL; - if (errorCode) return errorCode; + if (errorCode) { + goto bailout; + } namebuf[0] = '\0'; valptr = valBuf; *valptr = '\0'; } - if (pset->fileRW) return PSET_OP_OK; - else return PSET_LOCAL_MODE; + if (pset->fileRW) { + errorCode = PSET_OP_OK; + } else { + errorCode = PSET_LOCAL_MODE; + } + goto bailout; break; default: /* seperate node and attribute */ 
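Review bot: in hunk @@ -825,18 +828,32 @@ the PR_GetFileInfo/PR_Malloc block is inserted immediately before the `#endif` that closes the `#ifdef XP_UNIX` locking section, so on any non-UNIX build valBuf and valptr remain NULL and the later `*valptr = '\0'` writes through a null pointer; move the allocation below the `#endif`. In `case -1` the new `goto bailout` frees valBuf but, as before, never closes fstream; since the EOF path already does `fclose(fstream); fstream = NULL;`, an `if (fstream) fclose(fstream);` at bailout covers both paths without a double close. Passing `sizeof(linebuf)` instead of MAX_LEN to admutil_getline is the correct bound and fixes a latent overflow.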
@@ -889,14 +912,16 @@ /* Is the last node? -> strcasecmp node name */ target = lastPsetNode; else /* No, Locate and build node -> psetnodeBuildNodes */ - target = psetNodeBuildNodes(pset->info, nodeName, &errorcode); + target = psetNodeBuildNodes(pset->info, nodeName, &errorCode); /* psetNodeAddNameValue */ if (target) { errorCode = psetNodeAddNameValue(target, attrName, valBuf); lastPsetNode = target; } - if (errorCode) return errorCode; + if (errorCode) { + goto bailout; + } namebuf[0] = '\0'; valptr = valBuf; *valptr = '\0'; @@ -933,6 +958,9 @@ } } } +bailout: + PR_Free(valBuf); + return errorCode; } /* Export configuration to config file */ @@ -1210,22 +1238,23 @@ /* PsetHndl psetCreate(LDAPServerPtr srv, char* sieDN, char* userDN, char* passwd, - char* configFile, int* errorcode) { - */ -/* SIE, passwd is in //config/adm.conf + char* configFile, int* errorcode) + */ +/* SIE is in //config/adm.conf Local cache is //config/local.conf LDAP is in /admin-serv/config/ldap.conf - */ - + */ PR_IMPLEMENT(PsetHndl) -psetCreate(char* serverID, char* configRoot, char* userDN, char* passwd, +psetCreate(char* serverID, char* configRoot, char* user, char* passwd, int* errorcode) { PsetHndl pset; AdmldapInfo ldapInfo= NULL, admLdapInfo=NULL; char *serverRoot = getenv("NETSITE_ROOT"); - char path[PATH_MAX], *ldapHost=NULL, *sieDN, *bindPasswd = NULL; + char path[PATH_MAX], *ldapHost=NULL, *sieDN = NULL; + char *userDN = NULL; + char *bindPasswd = NULL; int ldapPort = -1, dummy; ldapInfo = admldapBuildInfo(configRoot, errorcode); 
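Review bot: in hunk @@ -1210,22 +1238,23 @@ the parameter rename `userDN` -> `user` changes the contract of psetCreate (admldapGetUserDN now accepts either a DN or a bare uid, distinguished by the presence of '='), so psetc.h and callers need a doc comment stating what `user` may contain. The commented-out prototype `psetCreate(LDAPServerPtr srv, char* sieDN, char* userDN, ...)` above it is dead code that was re-edited rather than removed; drop it. The `bailout:` label added in @@ -933 correctly frees valBuf on every exit now that all returns funnel through it.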
@@ -1254,13 +1283,21 @@ if (ldapPort < 0) ldapPort = 389; /* Get SIE and password */ - sieDN = admldapGetSIEDN(ldapInfo); - if (!userDN) { - userDN = sieDN; + if (!user) { + ADM_GetCurrentUsername(errorcode, &user); + } + /* if user is just attr val, get dn */ + userDN = admldapGetUserDN(ldapInfo, user); + if (passwd) { + bindPasswd = passwd; + } else { bindPasswd = admldapGetSIEPWD(ldapInfo); + if (!bindPasswd) { + passwd = bindPasswd; /* setting this not to free bindPasswd */ + ADM_GetCurrentPassword(errorcode, &bindPasswd); + } } - else bindPasswd = passwd; if (configRoot) PR_snprintf(path, sizeof(path), "%s%clocal.conf", configRoot, FILE_PATHSEP); 
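Review bot: in hunk @@ -1254,13 +1283,21 @@ the line `passwd = bindPasswd; /* setting this not to free bindPasswd */` sits inside `if (!bindPasswd)`, so it can only ever assign NULL and cannot express the "do not free" convention the comment describes; if the intent is `passwd == bindPasswd` as a marker for later cleanup, it has to happen after ADM_GetCurrentPassword fills bindPasswd. Neither ADM_GetCurrentUsername nor ADM_GetCurrentPassword has its *errorcode result checked before `user` and `bindPasswd` are used, and `admldapGetUserDN(ldapInfo, user)` with user still NULL silently falls back to the local admin name, which may be intended but should be said. Note also that the bind in the next hunk uses `passwd`, not `bindPasswd`, so the SIE password fetched here never reaches ldap_simple_bind_s.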
@@ -1325,34 +1362,35 @@ return pseth; } - ld = ldap_init(ldapHost, ldapPort); - - /* authenticate to LDAP server*/ - if ((ldapError = ldap_simple_bind_s(ld, userDN, passwd)) - != LDAP_SUCCESS ) { - switch (ldapError) { - case LDAP_INAPPROPRIATE_AUTH: - case LDAP_INVALID_CREDENTIALS: - case LDAP_INSUFFICIENT_ACCESS: - /* authenticate failed: Should not continue */ -#ifdef LDAP_DEBUG - ldap_perror( ld, "ldap_simple_bind_s" ); -#endif - *errorcode = PSET_AUTH_FAIL; - return pset; - case LDAP_NO_SUCH_OBJECT: - case LDAP_ALIAS_PROBLEM: - case LDAP_INVALID_DN_SYNTAX: - /* Not a good DN */ - *errorcode = PSET_ENTRY_NOT_EXIST; - return pset; - default: - ldap_unbind(ld); - unbindF = 0; - ld = NULL; + if (NULL != passwd) { + ld = ldap_init(ldapHost, ldapPort); + /* authenticate to LDAP server*/ + if ((ldapError = ldap_simple_bind_s(ld, userDN, passwd)) + != LDAP_SUCCESS ) { + switch (ldapError) { + case LDAP_INAPPROPRIATE_AUTH: + case LDAP_INVALID_CREDENTIALS: + case LDAP_INSUFFICIENT_ACCESS: + /* authenticate failed: Should not continue */ + #ifdef LDAP_DEBUG + ldap_perror( ld, "ldap_simple_bind_s" ); + #endif + *errorcode = PSET_AUTH_FAIL; + return pset; + case LDAP_NO_SUCH_OBJECT: + case LDAP_ALIAS_PROBLEM: + case LDAP_INVALID_DN_SYNTAX: + /* Not a good DN */ + *errorcode = PSET_ENTRY_NOT_EXIST; + return pset; + default: + ldap_unbind(ld); + unbindF = 0; + ld = NULL; + } } + else unbindF = 1; } - else unbindF = 1; /* Connect to the LDAP server */ pset = psetFullLDAPImportRef(pseth, @@ -1362,13 +1400,6 @@ filter, unbindF, errorcode, userDN, passwd); - - /* - if (!(*errorcode)) { - psetSetLDAPReferalInfo(pset, userDN, passwd); - } - */ - return pset; } Index: uginfo.c =================================================================== RCS file: /cvs/dirsec/adminutil/lib/libadminutil/uginfo.c,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- uginfo.c 22 Mar 2006 23:47:14 -0000 1.2 +++ uginfo.c 11 May 2006 23:30:31 -0000 1.3 
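Review bot: in hunk @@ -1325,34 +1362,35 @@ the bind is now wrapped in `if (NULL != passwd)` and authenticates with `passwd`; when the caller passes a NULL password and the previous hunk obtained bindPasswd from admldapGetSIEPWD or ADM_GetCurrentPassword, no bind is attempted and ld stays NULL, so psetFullLDAPImportRef takes the unauthenticated/local path. Confirm that is the intended behaviour, because otherwise the bind should use bindPasswd. On the PSET_AUTH_FAIL and PSET_ENTRY_NOT_EXIST branches the function returns without `ldap_unbind(ld)`, leaking the connection; this was pre-existing, but since the whole block is re-indented here it is the moment to fix it. The `#ifdef LDAP_DEBUG`/`#endif` lines now carry leading whitespace, which is legal but inconsistent with the rest of the file. Removing the commented-out psetSetLDAPReferalInfo call in @@ -1362 is a welcome cleanup.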
@@ -24,6 +24,7 @@ #include #include #include "admutil_pvt.h" +#include "libadminutil/psetc.h" #ifdef XP_WIN32 #define strcasecmp stricmp @@ -41,7 +42,6 @@ AdmldapHdnlPtr hndl = (AdmldapHdnlPtr)info; if (!hndl) { *error_code = UG_EMPTY_LDAPINFO; return NULL; } - if (!(hndl->ldapHndl)) { *error_code = UG_NULL_LDAP; return NULL; } *error_code = UG_OP_OK; if (targetDN) resultDN = PL_strdup(targetDN); From fedora-directory-commits at redhat.com Thu May 11 23:53:54 2006 From: fedora-directory-commits at redhat.com (Noriko Hosoi (nhosoi)) Date: Thu, 11 May 2006 16:53:54 -0700 Subject: [Fedora-directory-commits] mod_admserv mod_admserv.c,1.22,1.23 Message-ID: <200605112353.k4BNrs29017857@cvs-int.fedora.redhat.com> Author: nhosoi Update of /cvs/dirsec/mod_admserv In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17826 Modified Files: mod_admserv.c Log Message: [161099] admin passwd in clear text in adm.conf 1) In the initialization (mod_admserv_post_config), check if ldap handle is set or not in the admin ldap info structure (AdmldapInfo). If it is not set, the Admin Server does not have an admin user password / SIE password, and it has not connected to the Directory Server. In this case, gather necessary info from the local cache. Also, set the task StartConfigDS in the HashTable for the admin server to start Config DS in case the server is down. 2) Where it expects sie password (from adm.conf), get it from PIPE that user provided (if possible). Index: mod_admserv.c =================================================================== RCS file: /cvs/dirsec/mod_admserv/mod_admserv.c,v retrieving revision 1.22 retrieving revision 1.23 diff -u -r1.22 -r1.23 --- mod_admserv.c 3 Mar 2006 20:16:38 -0000 1.22 +++ mod_admserv.c 11 May 2006 23:53:52 -0000 1.23 
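Review bot: uginfo.c hunk @@ -41,7 +42,6 @@ drops the `if (!(hndl->ldapHndl)) { *error_code = UG_NULL_LDAP; return NULL; }` guard so the function proceeds with a NULL LDAP handle; every ldap_* call below that uses hndl->ldapHndl now needs its own NULL check, and if none remains UG_NULL_LDAP becomes unreachable and should be retired or the guard moved to the first point that actually needs the connection.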
@@ -797,23 +797,33 @@ return FALSE; } } - + userGroupServer.host = NULL; userGroupServer.port = 0; userGroupServer.secure = 0; userGroupServer.baseDN = NULL; - admldapGetLocalUserDirectory(info, - &userGroupLdapURL, - &userGroupBindDN, - &userGroupBindPW, - &dirInfoRef, - &error); - - if (error != UG_OP_OK) { - *errorInfo = (char*)"unable to set User/Group baseDN"; - destroyAdmldap(info); - return FALSE; + if (NULL == admldapGetLDAPHndl(info)) { + /* LDAP is not available; gather info from the cache */ + userGroupLdapURL = admldapGetDirectoryURL(info); + userGroupBindDN = admldapGetSIEDN(info); + userGroupBindPW = admldapGetSIEPWD(info); + if (NULL == userGroupBindPW) { + ADM_GetCurrentPassword(&error, &userGroupBindPW); + } + } else { + admldapGetLocalUserDirectory(info, + &userGroupLdapURL, + &userGroupBindDN, + &userGroupBindPW, + &dirInfoRef, + &error); + + if (error != UG_OP_OK) { + *errorInfo = (char*)"unable to set User/Group baseDN"; + destroyAdmldap(info); + return FALSE; + } } if (!extractLdapServerData(&userGroupServer, userGroupLdapURL, s)) { @@ -1016,6 +1026,8 @@ PsetHndl tmp; int servercnt, i; char path[PATH_MAX]; + UserCacheEntry *cache_entry = NULL; + char *passwd = NULL; apr_snprintf(path, sizeof(path), "%s%cadmin-serv%cconfig", serverroot, FILE_PATHSEP, FILE_PATHSEP); @@ -1034,6 +1046,15 @@ task_register_server(ADMIN_SERVER_ID, admldapGetSIEDN(ldapInfo)); + passwd = admldapGetSIEPWD(ldapInfo); + if (NULL == passwd) { /* use the passwd in cache if possible */ + cache_entry = (UserCacheEntry*)HashTableFind(auth_users, + admldapGetUserDN(ldapInfo, NULL)); + if (cache_entry) { + admSetCachedSIEPWD(cache_entry->userPW); + } + } + serverlist = getServerDNListSSL(ldapInfo); servercnt=0; if (serverlist) { 
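Review bot: in hunk @@ -797,23 +797,33 @@ the new no-LDAP branch calls `ADM_GetCurrentPassword(&error, &userGroupBindPW)` but `error` is never examined (the `error != UG_OP_OK` check lives only in the else branch), and userGroupLdapURL/userGroupBindDN read from the cache may be NULL; mirror the else branch with a check that sets *errorInfo, calls destroyAdmldap(info) and returns FALSE before extractLdapServerData is reached. Also note that userGroupBindPW obtained this way is a plaintext credential handed on from the pipe; make sure it is freed and cleared on the error paths.

Review bot: in hunk @@ -1034,6 +1046,15 @@ `HashTableFind(auth_users, admldapGetUserDN(ldapInfo, NULL))` passes a NULL key whenever the admin DN cannot be resolved; guard the lookup. `admSetCachedSIEPWD(cache_entry->userPW)` promotes a user's authenticated password to the process-wide SIE bind credential, which is exactly the trade-off bug 161099 is about (keeping it out of adm.conf means keeping it in memory); document the cache's lifetime and that it is zeroed on shutdown, and that admldapGetUserDN(..., NULL) resolves to the admin's own DN so no other user's entry can be picked up here.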
@@ -1067,10 +1088,10 @@ } task_register_server(serverid, serverlist[i]); - PL_strfree(serverid); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "sync_task_sie_data: registered server [%s] dn [%s]", serverid, serverlist[i]); + PL_strfree(serverid); } else { ap_log_error(APLOG_MARK, APLOG_CRIT, 0, NULL, @@ -1167,9 +1188,9 @@ "admpw file [%s] is corrupted", filename); return 0; } - + uid = inbuf; *col=0; pw=col+1; - + if (!update_ds(path, newpw, r)) { return 0; } @@ -1216,7 +1237,7 @@ fclose(f); return 0; } - + fclose(f); return 1; } @@ -1250,7 +1271,7 @@ } else { lines[linecnt++] = strdup(inbuf); } - } + } fclose(f); if (!modified) { @@ -1909,7 +1930,7 @@ } } } - + if (accessAddresses && *accessAddresses) { int matchflags = APR_FNM_PERIOD; apr_status_t rc = admserv_match_list(apr_pstrdup(r->pool, accessAddresses), clientIP, matchflags); 
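Review bot: in hunk @@ -1067,10 +1088,10 @@ moving `PL_strfree(serverid);` below the ap_log_error call fixes a genuine use-after-free: the debug message formatted serverid after it had been freed. No further change needed. The remaining hunks in this stretch (@@ -1167, @@ -1216, @@ -1250, @@ -1909) are trailing-whitespace removals only.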
@@ -2228,11 +2249,49 @@ } while (server != NULL && ++tries < 2); if (error != LDAPU_SUCCESS) { + char startds[LINE_LENGTH]; + char normStartds[LINE_LENGTH]; + char *storage = startds; + char *uri = apr_pstrdup(module_pool, STARTDS_IDENTIFIER); + /* Although opening LDAPConnection failed, we can initialize + * Hosts/Addresses using the local cache. + */ + TaskCacheEntry *cache_entry; destroyAdmldap(info); closeLDAPConnection(server); ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, "Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache."); - return OK; + /* Config DS is not up and running + * put startconfigds into the cache for bootstrap */ + if (!build_full_DN(&storage, startds+LINE_LENGTH, uri, + registryServer.bindDN)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, + "mod_admserv_post_config: unable to build DN from URL - bad URL [%s]", + uri?uri:"none"); + return OK; + } + convert_to_lower_case(startds); + adm_normalize_dn(startds, normStartds); + if (!(cache_entry = (TaskCacheEntry *)HashTableFind(auth_tasks, normStartds))) { + cache_entry = (TaskCacheEntry*)apr_pcalloc(module_pool, sizeof(TaskCacheEntry)); + cache_entry->auth_userDNs = HashTableCreate(); + HashTableInsert(auth_tasks, apr_pstrdup(module_pool, normStartds), cache_entry); + } + + cache_entry->execRef = apr_pstrdup(module_pool, STARTDS_CGI); + cache_entry->execRefArgs = NULL; + cache_entry->logSuppress = 0; + HashTableInsert(cache_entry->auth_userDNs, + apr_pstrdup(module_pool, LOCAL_SUPER_NAME), + (char*)time(0)); + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, + "Added StartConfigDs task entry [%s:%s:%s] for user [%s]", + normStartds, + cache_entry->execRef ? cache_entry->execRef : "", + cache_entry->execRefArgs ? cache_entry->execRefArgs : "", + LOCAL_SUPER_NAME); + return host_ip_init(p, plog, ptemp, base_server); } populate_task_cache_entries(LOCAL_SUPER_NAME, server); From fedora-directory-commits at redhat.com Fri May 12 00:41:37 2006 
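Review bot: in hunk @@ -2228,11 +2249,49 @@ the build_full_DN failure branch does `return OK;` while the success branch ends in `return host_ip_init(p, plog, ptemp, base_server);`, yet the comment above says Hosts/Addresses can be initialised from the local cache regardless of the LDAP failure; the failure branch should probably still call host_ip_init rather than skipping it. `HashTableInsert(cache_entry->auth_userDNs, ..., (char*)time(0))` stores a time_t in a pointer slot, which follows the existing convention but truncates where time_t is wider than a pointer. `uri` is pstrdup'd from a constant and only checked with `uri?uri:"none"` after build_full_DN has already dereferenced it, so the check is cosmetic. Finally, the bootstrap StartConfigDS entry authorised for LOCAL_SUPER_NAME is inserted only when the bind fails; verify that once the Config DS is reachable and populate_task_cache_entries runs, this entry is superseded rather than left alongside the normal task set.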
From: fedora-directory-commits at redhat.com (Noriko Hosoi (nhosoi)) Date: Thu, 11 May 2006 17:41:37 -0700 Subject: [Fedora-directory-commits] adminserver/admserv/newinst/insadm config.c, 1.7, 1.8 Message-ID: <200605120041.k4C0fbHL020227@cvs-int.fedora.redhat.com> Author: nhosoi Update of /cvs/dirsec/adminserver/admserv/newinst/insadm In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20170/admserv/newinst/insadm Modified Files: config.c Log Message: [161099] admin passwd in clear text in adm.conf 1) ns-update (ux-update.cc) stops storing admin password (siepid) in adm.conf. And by calling psetCreate, it generates the local cache file local.conf in the post install phase. 2) ns-update links with adminutil and its dependent components. ns-update has RPATH pointing the components' location. 3) got rid of the code retrieving the admin password from adm.conf from ns-config (ux-config.cc) and ns-remove (ux-remove.cc). Both has the info input by the user. 4) CGI debug (download.c) Index: config.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/newinst/insadm/config.c,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- config.c 1 Feb 2006 23:04:33 -0000 1.7 +++ config.c 12 May 2006 00:41:30 -0000 1.8 @@ -471,18 +471,17 @@ ); } + /* we don't store the admin password any more */ fprintf(fp, "ldapHost: %s\n" "ldapPort: %d\n" "SIE: %s\n" - "siepid: %s\n" "ISIE: %s\n" "host: %s\n" "port: %d\n", GetLdapHost(), GetLdapPort(), szTemp, - cd.szPassword, szTemp1, cd.szHostname, cd.nPort From fedora-directory-commits at redhat.com Fri May 12 00:41:38 2006 
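Review bot: in config.c hunk @@ -471,18 +471,17 @@ the `"siepid: %s\n"` format piece and its `cd.szPassword` argument are removed together, so the fprintf stays in step. Two follow-ups: an adm.conf written by an earlier release still contains a siepid line and nothing in this patch removes it on upgrade, so the clear-text password persists on disk for existing installs until ns-update rewrites the file; and cd.szPassword still holds the password in memory, so clear it once it is no longer needed now that it is never written out.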
From: fedora-directory-commits at redhat.com (Noriko Hosoi (nhosoi)) Date: Thu, 11 May 2006 17:41:38 -0700 Subject: [Fedora-directory-commits] adminserver/admserv/newinst/src Makefile, 1.9, 1.10 ux-config.cc, 1.9, 1.10 ux-remove.cc, 1.5, 1.6 ux-update.cc, 1.21, 1.22 Message-ID: <200605120041.k4C0fc0v020236@cvs-int.fedora.redhat.com> Author: nhosoi Update of /cvs/dirsec/adminserver/admserv/newinst/src In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20170/admserv/newinst/src Modified Files: Makefile ux-config.cc ux-remove.cc ux-update.cc Log Message: [161099] admin passwd in clear text in adm.conf 1) ns-update (ux-update.cc) stops storing admin password (siepid) in adm.conf. And by calling psetCreate, it generates the local cache file local.conf in the post install phase. 2) ns-update links with adminutil and its dependent components. ns-update has RPATH pointing the components' location. 3) got rid of the code retrieving the admin password from adm.conf from ns-config (ux-config.cc) and ns-remove (ux-remove.cc). Both has the info input by the user. 4) CGI debug (download.c) Index: Makefile =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/Makefile,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- Makefile 21 Mar 2006 18:34:05 -0000 1.9 +++ Makefile 12 May 2006 00:41:35 -0000 1.10 @@ -65,6 +65,17 @@ CFLAGS += -DNO_DOMAINNAME endif +ifeq ($(ARCH), SOLARIS) + RPATHFLAG_PREFIX=-R +endif +ifeq ($(ARCH), HPUX) + RPATHFLAG_PREFIX=-Wl,+s,+b, +endif +ifeq ($(ARCH), Linux) + RPATHFLAG_PREFIX=-Wl,-rpath, +endif +RPATHFLAG=\$$ORIGIN:\$$ORIGIN/lib + $(OBJDEST): mkdir -p $(OBJDEST) @@ -82,6 +93,7 @@ LIBINST= $(SETUPUTIL_LIBPATH)/libinstall.a DEPLIBS= $(OSDEPLIBS) +DEPLIBS2= $(DEPLIBS) $(ADMINUTILLINK) $(SECURITYLINK) $(LDAPLINK) $(ICULINK) ifeq ($(ARCH), HPUX) ifeq ($(NSOS_RELEASE),B.10.10) 
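Review bot: in Makefile hunk @@ -65,6 +65,17 @@ `RPATHFLAG=\$$ORIGIN:\$$ORIGIN/lib` gives ns-update an $ORIGIN-relative run path. That is appropriate for a tool run by root from its own install directory, but it means the loader trusts whatever libraries sit beside the binary, so ns-update must never be installed setuid and its directory must stay root-owned and non-writable by other users; a comment to that effect next to the flag would save the next maintainer a surprise. Only SOLARIS, HPUX and Linux define RPATHFLAG_PREFIX; any other ARCH leaves it empty, which the link rule in the next hunk does not handle.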
@@ -132,12 +144,13 @@ $(BINDEST)/ns-config: $(OBJDEST)/ux-config.o $(OBJS1) $(DEPLIBS) $(LIBINST) $(CXX) $(MODULE_CFLAGS) -o $(BINDEST)/ns-config $(OBJDEST)/ux-config.o \ $(OBJS1) $(LIBINST) $(LIBLDAP) \ - $(DEPLIBS) $(EXTRA_LIBS) $(CURSES) + $(DEPLIBS) $(EXTRA_LIBS) $(CURSES) $(BINDEST)/ns-update: $(OBJDEST)/ux-update.o $(OBJS2) $(DEPLIBS) $(LIBINST) - $(CXX) $(MODULE_CFLAGS) -o $(BINDEST)/ns-update $(OBJDEST)/ux-update.o \ + $(CXX) $(MODULE_CFLAGS) $(RPATHFLAG_PREFIX)$(RPATHFLAG) \ + -o $(BINDEST)/ns-update $(OBJDEST)/ux-update.o \ $(OBJS2) $(LIBINST) $(LIBLDAP) \ - $(DEPLIBS) $(EXTRA_LIBS) $(CURSES) + $(DEPLIBS2) $(EXTRA_LIBS) $(CURSES) $(BINDEST)/ns-remove: $(OBJDEST)/ux-remove.o $(DEPLIBS) $(LIBINST) $(CXX) $(MODULE_CFLAGS) -o $(BINDEST)/ns-remove $(OBJDEST)/ux-remove.o \ Index: ux-config.cc =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/ux-config.cc,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- ux-config.cc 31 Mar 2006 22:58:20 -0000 1.9 +++ ux-config.cc 12 May 2006 00:41:35 -0000 1.10 @@ -283,8 +283,9 @@ { NSString sieDN; - sieDN = admConf.get("sie"); - siePwd = admConf.get("siepid"); + /* Use admin id and admin pwd to access DS */ + sieDN = _installInfo->get(MC_ADMIN_ID); + siePwd = _installInfo->get(MC_ADMIN_PWD); siePort = admConf.get("port"); if (sieDN != (char *) NULL && siePwd != (char *) NULL && ldapURL != NULL) Index: ux-remove.cc =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/ux-remove.cc,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- ux-remove.cc 31 Mar 2006 22:58:20 -0000 1.5 +++ ux-remove.cc 12 May 2006 00:41:35 -0000 1.6 @@ -49,7 +49,6 @@ int main(int argc, char *argv[]) { NSString serverRoot; - NSString instanceDir; NSString admConfFile; NVPair *admConf; InstallInfo *uninstallInfo; 
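Review bot: in Makefile hunk @@ -132,12 +144,13 @@ the ns-update rule passes `$(RPATHFLAG_PREFIX)$(RPATHFLAG)`; on an ARCH other than SOLARIS/HPUX/Linux the prefix expands to nothing and `$ORIGIN:$ORIGIN/lib` is handed to $(CXX) as a bare argument, i.e. a non-existent input file, breaking the link. Wrap the flag in an `ifdef RPATHFLAG_PREFIX` or define a default. The ns-config change is whitespace only.

Review bot: in ux-config.cc hunk @@ -283,8 +283,9 @@ the variable still named `sieDN` now receives `_installInfo->get(MC_ADMIN_ID)`, the admin user id rather than a DN, so the following `sieDN != (char *) NULL` condition reads as though the SIE DN is being required. Rename it (adminID or similar) and confirm that whatever later binds with it accepts a bare uid, since the ux-remove hunk in this same commit passes the same value as both the bind identity and the SIE.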
@@ -87,55 +86,40 @@ { serverRoot = uninstallInfo->get(SERVER_ROOT); - instanceDir = serverRoot + "/" + "admin-serv"; - snprintf(temp, sizeof(temp), "%s/admin-serv/config/adm.conf", serverRoot.data()); - temp[sizeof(temp)-1] = 0; - admConf = new NVPair(temp); - - if (admConf->isEmpty() == False) - { - /* - * PVO - should we get from adm.conf instead ? How about if - * there's a mismatch - */ - ldapURL = uninstallInfo->get(CONFIG_LDAP_URL); - sieDN = admConf->get("sie"); - siePwd = admConf->get("siepid"); - isieDN = admConf->get("isie"); + ldapURL = uninstallInfo->get(CONFIG_LDAP_URL); + /* Use admin id and admin pwd to authenticate against DS */ + sieDN = uninstallInfo->get(MC_ADMIN_ID); + siePwd = uninstallInfo->get(MC_ADMIN_PWD); - if (ldapURL == NULL || sieDN == NULL || isieDN == NULL) - { - printf("[Admin] LDAP information not found\n"); - err = -1; - } - else - { - LdapError ldapError; - Ldap ldap(ldapError, ldapURL, uninstallInfo->get(MC_ADMIN_ID), - uninstallInfo->get(MC_ADMIN_PWD), - sieDN, siePwd); - - if (ldapError != OKAY) - { - /* remove the message which causes confusion when DS is down - sprintf(temp, "%ld", ldapError.errorCode()); - printf("[Admin] Ldap authentication failed (%s:%s)\n", temp, ldapError.msg()), - */ - err = -1; - } - else - { - ldapError = removeSIE(&ldap, sieDN, True); - - if (ldapError != OKAY) - { - /* remove the message which causes confusion when DS is down - sprintf(temp, "%ld", ldapError.errorCode()); - printf("[Admin] Cannot remove Admin server instance (%s)\n", temp); + if (ldapURL == NULL || sieDN == NULL) + { + printf("[Admin] LDAP information not found\n"); + err = -1; + } + else + { + LdapError ldapError; + Ldap ldap(ldapError, ldapURL, sieDN, siePwd, sieDN, siePwd); + + if (ldapError != OKAY) + { + /* remove the message which causes confusion when DS is down + sprintf(temp, "%ld", ldapError.errorCode()); + printf("[Admin] Ldap authentication failed (%s:%s)\n", temp, ldapError.msg()), + */ + err = -1; + } + else + { + 
ldapError = removeSIE(&ldap, sieDN, True); + if (ldapError != OKAY) + { + /* remove the message which causes confusion when DS is down + sprintf(temp, "%ld", ldapError.errorCode()); + printf("[Admin] Cannot remove Admin server instance (%s)\n", temp); */ - } - } - } + } + } } } Index: ux-update.cc =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/ux-update.cc,v retrieving revision 1.21 retrieving revision 1.22 diff -u -r1.21 -r1.22 --- ux-update.cc 29 Mar 2006 02:19:52 -0000 1.21 +++ ux-update.cc 12 May 2006 00:41:35 -0000 1.22 @@ -35,6 +35,8 @@ #include #include "ldap.h" +#include "libadminutil/admutil.h" +#include "libadminutil/psetc.h" #if defined(AIX) extern int seteuid(uid_t); @@ -1145,21 +1147,22 @@ LDAPURLDesc *ludpp = NULL; ldap_url_parse((char *) installInfo->get(CONFIG_LDAP_URL), &ludpp); -/* +/* fprintf(f, "ldapHost: %s\n", ludpp->lud_host); fprintf(f, "ldapPort: %d\n", ludpp->lud_port); fprintf(f, "sie: %s\n", sieDN.data()); - fprintf(f, "siepid: %s\n", httppw); + fprintf(f, "userdn: %s\n", ldap.rebindDN()); fprintf(f, "isie: %s\n", isieDN.data()); fprintf(f, "port: %d\n", port); fclose(f); */ + admConf.set("ldapHost", ludpp->lud_host); admConf.set("ldapPort", (unsigned long)ludpp->lud_port); admConf.set("sie", sieDN.data()); - admConf.set("siepid", httppw); + admConf.set("userdn", ldap.rebindDN()); admConf.set("isie", isieDN.data()); admConf.set("port", (unsigned long)port); @@ -1325,6 +1328,15 @@ sprintf(tstr, "%s/uninstall", sroot); chmod(tstr, 0750); + + { + // Generating local.conf + int error_code = 0; + snprintf(tstr, sizeof(tstr), "%s/admin-serv/config", sroot); + PsetHndl pset = psetCreate("admin-serv", (char *)tstr, + (char *)ldap.rebindDN(), httppw, + &error_code); + } } From fedora-directory-commits at redhat.com Fri May 12 00:41:32 2006 
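Review bot: in ux-remove.cc hunk @@ -87,55 +86,40 @@ `sieDN` is now `uninstallInfo->get(MC_ADMIN_ID)` (the admin id) but it is still handed to `removeSIE(&ldap, sieDN, True)` as the entry to remove; before this change it was `admConf->get("sie")`, the admin server's SIE DN. Unless removeSIE resolves the SIE itself, the uninstall now targets the admin user's entry or simply fails, and because the error printfs are commented out (`err = -1` is the only effect) that failure would be silent. Keep the admin credentials for the bind only and fetch the SIE DN from adm.conf, which still carries `sie`; the dropped `isieDN` read and its `isieDN == NULL` check should come back for the same reason. `Ldap ldap(ldapError, ldapURL, sieDN, siePwd, sieDN, siePwd)` passing the same pair twice is fine if intended but deserves a comment.

Review bot: in ux-update.cc hunk @@ -1145,21 +1147,22 @@ `admConf.set("userdn", ldap.rebindDN())` replaces `admConf.set("siepid", httppw)`, but if admConf was loaded from an existing adm.conf the old siepid entry survives the rewrite, so an upgraded install keeps the clear-text password on disk; explicitly remove the "siepid" key before saving (assuming NVPair offers a removal method; if not, add one). The `/* fprintf(...) */` block is dead code that was edited rather than deleted.

Review bot: in ux-update.cc hunk @@ -1325,6 +1328,15 @@ the `PsetHndl pset = psetCreate("admin-serv", ..., &error_code);` result is never checked, released or used and error_code is ignored, so a failure to generate local.conf passes silently and the handle leaks; test error_code, report it, and release the handle through the pset API's destroy routine. Since httppw is passed here, it is also the last use of the password in this function and a good point to clear it.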
From: fedora-directory-commits at redhat.com (Noriko Hosoi (nhosoi)) Date: Thu, 11 May 2006 17:41:32 -0700 Subject: [Fedora-directory-commits] adminserver/admserv/cgi-src40 download.c, 1.5, 1.6 sec-activate.c, 1.6, 1.7 Message-ID: <200605120042.k4C0g2oG020240@cvs-int.fedora.redhat.com> Author: nhosoi Update of /cvs/dirsec/adminserver/admserv/cgi-src40 In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20170/admserv/cgi-src40 Modified Files: download.c sec-activate.c Log Message: [161099] admin passwd in clear text in adm.conf 1) ns-update (ux-update.cc) stops storing admin password (siepid) in adm.conf. And by calling psetCreate, it generates the local cache file local.conf in the post install phase. 2) ns-update links with adminutil and its dependent components. ns-update has RPATH pointing the components' location. 3) got rid of the code retrieving the admin password from adm.conf from ns-config (ux-config.cc) and ns-remove (ux-remove.cc). Both has the info input by the user. 4) CGI debug (download.c) Index: download.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/download.c,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- download.c 31 Mar 2006 22:58:20 -0000 1.5 +++ download.c 12 May 2006 00:41:29 -0000 1.6 @@ -147,7 +147,7 @@ continue; /* check if this is a dir and has an executable */ - safe_snprintf(&(path[baselen]), sizeof(path), "%c%s", FILE_SEP, dir_name(ep1)); + safe_snprintf(&(path[baselen]), sizeof(path) - baselen, "%c%s", FILE_SEP, dir_name(ep1)); if (!(dp2 = dir_open(path))) continue; 
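Review bot: in download.c hunk @@ -147,7 +147,7 @@ `sizeof(path) - baselen` is the correct remaining capacity for a write starting at `&path[baselen]`; the old `sizeof(path)` allowed an overflow of up to baselen bytes. Add a guard that `baselen < sizeof(path)` before the call (or assert it where baselen is computed), because if the two were ever equal the size_t subtraction would wrap to SIZE_MAX and remove the bound entirely.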
@@ -185,6 +185,8 @@ char *acceptLanguage = NULL; char *loc; + memset(platforms, 0, MAX_NUM_DOWNLOADS * sizeof(char *)); + memset(paths, 0, MAX_NUM_DOWNLOADS * sizeof(char *)); count = populate_download_menu(platforms, paths); has_dsgw = dsgw_exists(); Index: sec-activate.c =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/sec-activate.c,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- sec-activate.c 31 Mar 2006 22:58:20 -0000 1.6 +++ sec-activate.c 12 May 2006 00:41:29 -0000 1.7 @@ -107,14 +107,14 @@ rv = psetAddSingleValueAttribute(pset, name, value); if(rv != PSET_OP_OK) rpt_err(APP_ERROR, getResourceString(DBT_GENERIC_PSET_FAILURE), - getResourceString(DBT_PSET_ATTR_CREATE), NULL); + getResourceString(DBT_PSET_ATTR_CREATE), NULL); } else { /* modify entry */ rv = psetSetSingleValueAttr(pset, name, value); if(rv != PSET_OP_OK) rpt_err(APP_ERROR, getResourceString(DBT_GENERIC_PSET_FAILURE), - getResourceString(DBT_PSET_ATTR_MODIFY), NULL); + getResourceString(DBT_PSET_ATTR_MODIFY), NULL); } } @@ -230,8 +230,8 @@ strcpy(temp_return, ""); val = psetGetAttrSingleValue(pset, - "configuration.nsServerSecurity", - &errorCode); + "configuration.nsServerSecurity", + &errorCode); if(val) PR_snprintf(temp, sizeof(temp), "security=%s\n", val); else 
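Review bot: in download.c hunk @@ -185,6 +185,8 @@ zeroing platforms and paths before populate_download_menu stops later code from reading uninitialised pointers when fewer than MAX_NUM_DOWNLOADS entries are found; good. If both are declared as arrays in this scope, `sizeof(platforms)` and `sizeof(paths)` track the declarations better than `MAX_NUM_DOWNLOADS * sizeof(char *)`.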
@@ -246,28 +246,28 @@ token = NULL; personality = NULL; - PR_snprintf(family_attribute, sizeof(family_attribute), "%s.nsSSLActivation", *family); + PR_snprintf(family_attribute, sizeof(family_attribute), "%s.nsSSLActivation", *family); val = psetGetAttrSingleValue(pset, - family_attribute, - &errorCode); + family_attribute, + &errorCode); PR_snprintf(family_attribute, sizeof(family_attribute), "%s.nsSSLToken", *family); token = psetGetAttrSingleValue(pset, - family_attribute, - &errorCode); + family_attribute, + &errorCode); PR_snprintf(family_attribute, sizeof(family_attribute), "%s.nsSSLPersonalityssl", *family); personality = psetGetAttrSingleValue(pset, - family_attribute, - &errorCode); + family_attribute, + &errorCode); if((!val) || (!token) || (!personality)) { - PL_strcatn(temp_return, sizeof(temp_return), "familyList=NULL\n"); - *return_string = PORT_Strdup(temp_return); - return -1; + PL_strcatn(temp_return, sizeof(temp_return), "familyList=NULL\n"); + *return_string = PORT_Strdup(temp_return); + return -1; } family_name = strrchr(*family, '.'); family_name++; - + PR_snprintf(temp, sizeof(temp), "familyList=%s\n", family_name); PL_strcatn(temp_return, sizeof(temp_return), temp); @@ -287,8 +287,8 @@ val = NULL; val = psetGetAttrSingleValue(pset, - "configuration.encryption.nsSSL2", - &errorCode); + "configuration.encryption.nsSSL2", + &errorCode); PL_strcatn(temp_return, sizeof(temp_return), "ssl2-activated="); if(val) PL_strcatn(temp_return, sizeof(temp_return), val); @@ -296,8 +296,8 @@ val = NULL; val = psetGetAttrSingleValue(pset, - "configuration.encryption.nsSSL2Ciphers", - &errorCode); + "configuration.encryption.nsSSL2Ciphers", + &errorCode); PL_strcatn(temp_return, sizeof(temp_return), "ssl2="); if(val) PL_strcatn(temp_return, sizeof(temp_return), val); 
@@ -305,8 +305,8 @@ val = NULL; val = psetGetAttrSingleValue(pset, - "configuration.encryption.nsSSL3", - &errorCode); + "configuration.encryption.nsSSL3", + &errorCode); PL_strcatn(temp_return, sizeof(temp_return), "ssl3-activated="); if(val) PL_strcatn(temp_return, sizeof(temp_return), val); @@ -314,8 +314,8 @@ val = NULL; val = psetGetAttrSingleValue(pset, - "configuration.encryption.nsSSL3Ciphers", - &errorCode); + "configuration.encryption.nsSSL3Ciphers", + &errorCode); PL_strcatn(temp_return, sizeof(temp_return), "ssl3="); if(val) PL_strcatn(temp_return, sizeof(temp_return), val); @@ -323,8 +323,8 @@ val = NULL; val = psetGetAttrSingleValue(pset, - "configuration.encryption.nsSSLClientAuth", - &errorCode); + "configuration.encryption.nsSSLClientAuth", + &errorCode); PL_strcatn(temp_return, sizeof(temp_return), "clientauth="); if(val) PL_strcatn(temp_return, sizeof(temp_return), val); @@ -343,10 +343,10 @@ */ int SetSSLFamilyAttributes(PsetHndl pset, family_input *family_head, - char *ssl2, - char *ssl3, - char *ssl2_act, - char *ssl3_act) { + char *ssl2, + char *ssl3, + char *ssl2_act, + char *ssl3_act) { family_input *family_ptr = family_head; family_input *delete_ptr; 
@@ -361,39 +361,39 @@ while(family_ptr != NULL) { PR_snprintf(family_sie_entry, sizeof(family_sie_entry), - "configuration.encryption.%s", - family_ptr->family_name); + "configuration.encryption.%s", + family_ptr->family_name); if((rv = psetCheckAttribute(pset, family_sie_entry)) == PSET_OP_FAIL) { /* family entry doesn't exist, create it */ /* create encryption first if it doesn't exist */ if((rv2 = psetCheckAttribute(pset, "configuration.encryption")) == PSET_OP_FAIL) - { + { - AttrNameList list_name2; - AttributeList initlist2; - list_name2 = createAttrNameList(1); - addName(list_name2, 0, "nsEncryptionConfig"); - initlist2 = createAttributeList(9); - addSingleValueAttribute(initlist2, 0, "nsCertfile", "blank"); - addSingleValueAttribute(initlist2, 1, "nsKeyfile", "blank"); - addSingleValueAttribute(initlist2, 2, "nsSSL2", "off"); /* by default */ - addSingleValueAttribute(initlist2, 3, "nsSSL3", "off"); /* by default */ - addSingleValueAttribute(initlist2, 4, "nsSSLSessionTimeout", "0"); - addSingleValueAttribute(initlist2, 5, "nsSSL3SessionTimeout", "0"); - addSingleValueAttribute(initlist2, 6, "nsSSLClientAuth", "off"); /* hardcoded for now */ - addSingleValueAttribute(initlist2, 7, "nsSSL2Ciphers", "blank"); - addSingleValueAttribute(initlist2, 8, "nsSSL3Ciphers", "blank"); - - if(psetAddEntry(pset, "configuration", "encryption", list_name2, initlist2) != PSET_OP_OK) { - rpt_err(APP_ERROR, getResourceString(DBT_GENERIC_PSET_FAILURE), - getResourceString(DBT_PSET_ATTR_CREATE), NULL); - } - } + AttrNameList list_name2; + AttributeList initlist2; + list_name2 = createAttrNameList(1); + addName(list_name2, 0, "nsEncryptionConfig"); + initlist2 = createAttributeList(9); + addSingleValueAttribute(initlist2, 0, "nsCertfile", "blank"); + addSingleValueAttribute(initlist2, 1, "nsKeyfile", "blank"); + addSingleValueAttribute(initlist2, 2, "nsSSL2", "off"); /* by default */ + addSingleValueAttribute(initlist2, 3, "nsSSL3", "off"); /* by default */ + 
addSingleValueAttribute(initlist2, 4, "nsSSLSessionTimeout", "0"); + addSingleValueAttribute(initlist2, 5, "nsSSL3SessionTimeout", "0"); + addSingleValueAttribute(initlist2, 6, "nsSSLClientAuth", "off"); /* hardcoded for now */ + addSingleValueAttribute(initlist2, 7, "nsSSL2Ciphers", "blank"); + addSingleValueAttribute(initlist2, 8, "nsSSL3Ciphers", "blank"); + + if(psetAddEntry(pset, "configuration", "encryption", list_name2, initlist2) != PSET_OP_OK) { + rpt_err(APP_ERROR, getResourceString(DBT_GENERIC_PSET_FAILURE), + getResourceString(DBT_PSET_ATTR_CREATE), NULL); + } + } else if(rv2 == PSET_ATTR_EXIST) - /* it exists, but as an attribute?! */ - rpt_err(APP_ERROR, getResourceString(DBT_GENERIC_PSET_FAILURE), - getResourceString(DBT_PSET_INV_ATTR), NULL); + /* it exists, but as an attribute?! */ + rpt_err(APP_ERROR, getResourceString(DBT_GENERIC_PSET_FAILURE), + getResourceString(DBT_PSET_INV_ATTR), NULL); list_name = createAttrNameList(1); addName(list_name, 0, "nsEncryptionModule"); @@ -403,14 +403,14 @@ addSingleValueAttribute(initlist, 2, "nsSSLActivation", "blank"); if(psetAddEntry(pset, "configuration.encryption", family_ptr->family_name, list_name, initlist) != PSET_OP_OK) { - rpt_err(APP_ERROR, getResourceString(DBT_GENERIC_PSET_FAILURE), - getResourceString(DBT_PSET_ATTR_CREATE), NULL); + rpt_err(APP_ERROR, getResourceString(DBT_GENERIC_PSET_FAILURE), + getResourceString(DBT_PSET_ATTR_CREATE), NULL); } } else if(rv == PSET_ATTR_EXIST) /* it exists, but as an attribute?! */ rpt_err(APP_ERROR, getResourceString(DBT_GENERIC_PSET_FAILURE), - getResourceString(DBT_PSET_INV_ATTR), NULL); + getResourceString(DBT_PSET_INV_ATTR), NULL); PR_snprintf(family_token_attr, sizeof(family_token_attr), "%s.nsSSLToken", family_sie_entry); PR_snprintf(family_cert_attr, sizeof(family_cert_attr), "%s.nsSSLPersonalityssl", family_sie_entry); 
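Review bot: the PR_snprintf at the top of the @@ -361 hunk is only reindented, but it builds `family_sie_entry` from `family_ptr->family_name` into a fixed-size buffer, so a name longer than the buffer silently truncates the attribute path and every psetCheckAttribute/psetAddEntry below then operates on the wrong entry. Either switch this call to PR_smprintf (freed with PR_smprintf_free), or check that its return value is smaller than sizeof(family_sie_entry) and reject the request otherwise; validating family_name against the characters allowed in an attribute name before entering the loop would cover this and the later uses at once.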
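Review bot: in the @@ -403 hunk `family_ptr->family_name` is used verbatim as the name of the new entry passed to psetAddEntry, and the two unchanged PR_snprintf calls at the end append ".nsSSLToken" and ".nsSSLPersonalityssl" to `family_sie_entry` in buffers of their own fixed size; if a long name already fills family_sie_entry, the suffix is what gets cut off and the token/cert attribute operations end up targeting the family entry itself. A single length and character check on family_name (plain attribute-name tokens only) at the top of the loop removes both problems; failing that, check each PR_snprintf return value against the buffer size.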
@@ -473,7 +473,6 @@ char *username = 0; char *localAdmin = 0; char *binddn = 0; - char *bindpw = 0; char *security = NULL; char *ssl2 = NULL; @@ -513,7 +512,6 @@ acceptLanguage = "en"; if (lang) acceptLanguage = strdup(lang); - /* Initialize PSET for reading/writing */ /* Get UserDN and User Password */ @@ -526,29 +524,26 @@ /* No DN, maybe it is local super */ localAdmin = admGetLocalAdmin(NULL, &rv); if (localAdmin) { - if (PORT_Strcmp(username, localAdmin)) - rpt_err(ELEM_MISSING, getResourceString(DBT_PSET_INIT_NO_USERDN), NULL, NULL); - else { - binddn = NULL; - bindpw = NULL; - } + if (PORT_Strcmp(username, localAdmin)) + rpt_err(ELEM_MISSING, getResourceString(DBT_PSET_INIT_NO_USERDN), NULL, NULL); + else { + binddn = NULL; + } } else - rpt_err(ELEM_MISSING, getResourceString(DBT_PSET_INIT_NO_USERDN), NULL, NULL); + rpt_err(ELEM_MISSING, getResourceString(DBT_PSET_INIT_NO_USERDN), NULL, NULL); } } - if (binddn) rv = ADM_GetCurrentPassword(&err, &bindpw); - if(!method || !*method) { /* non-UI CGI - can't call ADMSSL_InitSimple() */ server_root = strdup(argv[1]); if(server_root[strlen(server_root)-1] == FILE_PATHSEP) server_root[strlen(server_root)-1] = '\0'; PR_snprintf(admroot, sizeof(admroot), "%s%cadmin-serv%cconfig", - server_root, - FILE_PATHSEP, - FILE_PATHSEP); + server_root, + FILE_PATHSEP, + FILE_PATHSEP); ldapInfo = admldapBuildInfoCbk(admroot, pwdCbk, &rv); @@ -565,9 +560,9 @@ else { server_root = getenv("NETSITE_ROOT"); PR_snprintf(admroot, sizeof(admroot), "%s%cadmin-serv%cconfig", - server_root, - FILE_PATHSEP, - FILE_PATHSEP); + server_root, + FILE_PATHSEP, + FILE_PATHSEP); rv = ADMSSL_InitSimple(); if (rv) { rpt_err(APP_ERROR, getResourceString(DBT_ADMSSL_INIT_FAIL), NULL, NULL); 
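Review bot: with `bindpw` removed in the @@ -473 hunk and the `if (binddn) rv = ADM_GetCurrentPassword(&err, &bindpw);` line removed in the @@ -526 hunk, the only remaining visible use of `binddn` is the `binddn = NULL;` assignment in the local-admin branch; if nothing else reads it, drop that declaration as well, and reword the `/* Get UserDN and User Password */` comment kept as context in the @@ -513 hunk, which no longer matches what the code does.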
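Review bot: the `server_root = strdup(argv[1]);` line kept as context in the @@ -526 hunk trusts its input more than the rest of this change does: there is no check that argv[1] is present, that strdup succeeded, or that the string is non-empty before `server_root[strlen(server_root)-1]` is read, which for an empty argument is an out-of-bounds access. Guard it with an argc/empty-string check and a NULL test on the strdup result, and since the PR_snprintf into `admroot` that follows is the fixed-buffer pattern that drops the `admin-serv/config` suffix on overflow, either build admroot with PR_smprintf or treat a return value not smaller than sizeof(admroot) as an error.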
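Review bot: in the @@ -565 hunk `server_root = getenv("NETSITE_ROOT");` is passed straight to PR_snprintf as a `%s` argument with no NULL check, so a CGI started without that variable set formats a NULL pointer; report the missing variable with rpt_err before building `admroot`. The same truncation concern applies to this PR_snprintf as to the identical one in the non-UI branch above, since both assemble the path that every later configuration step depends on.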
@@ -577,10 +572,10 @@ /* Initialize the pset */ pset = psetCreateSSL("admin-serv", - admroot, - /* userDN */ NULL, - /* passwd */ NULL, - /* errorcode */ &rv); + admroot, + /* userDN */ NULL, + /* passwd */ NULL, + /* errorcode */ &rv); if (!pset) rpt_err(APP_ERROR, getResourceString(DBT_PSET_CREATE_FAIL), NULL, NULL); @@ -654,7 +649,7 @@ if (strcmp(security, "off")==0) { rv = update_conf("console.conf", "NSSEngine", "off"); if (rv < 0) { - rpt_err(APP_ERROR, NULL, getResourceString(DBT_SERVER_XML_MOD), NULL); + rpt_err(APP_ERROR, NULL, getResourceString(DBT_SERVER_XML_MOD), NULL); } } else if (strcmp(security, "on")==0) { @@ -663,12 +658,12 @@ char ciphers[BIG_LINE]; if (get_cert_nickname(certnickname, sizeof(certnickname)) < 0) { - char * scratch = PR_smprintf(getResourceString(DBT_CGI_MISSING_ARGS), certnickname); - rpt_err(ELEM_MISSING, NULL, scratch, NULL); - PR_smprintf_free(scratch); /* never executed */ + char * scratch = PR_smprintf(getResourceString(DBT_CGI_MISSING_ARGS), certnickname); + rpt_err(ELEM_MISSING, NULL, scratch, NULL); + PR_smprintf_free(scratch); /* never executed */ } if (strlen(clientauth) == 0) { - clientauth = (char*)"off"; + clientauth = (char*)"off"; } rv = update_conf("console.conf", "NSSEngine", "on"); rv = update_conf("console.conf", "NSSNickname", certnickname); @@ -693,7 +688,7 @@ rv = update_conf("console.conf", "NSSVerifyClient", "none"); if (rv < 0) { - rpt_err(APP_ERROR, NULL, getResourceString(DBT_SERVER_XML_MOD), NULL); + rpt_err(APP_ERROR, NULL, getResourceString(DBT_SERVER_XML_MOD), NULL); } } else { rpt_err(INCORRECT_USAGE, getResourceString(DBT_CGI_INVALID_ARGS), NULL, NULL); From fedora-directory-commits at redhat.com Fri May 12 00:50:10 2006 
From: fedora-directory-commits at redhat.com (Noriko Hosoi (nhosoi)) Date: Thu, 11 May 2006 17:50:10 -0700 Subject: [Fedora-directory-commits] adminserver components.mk,1.48,1.49 Message-ID: <200605120050.k4C0oAj4020299@cvs-int.fedora.redhat.com> Author: nhosoi Update of /cvs/dirsec/adminserver In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20278 Modified Files: components.mk Log Message: [161099] admin passwd in clear text in adm.conf Let Internal build pick up the new adminutil and mod_admserv... Index: components.mk =================================================================== RCS file: /cvs/dirsec/adminserver/components.mk,v retrieving revision 1.48 retrieving revision 1.49 diff -u -r1.48 -r1.49 --- components.mk 5 Apr 2006 20:05:15 -0000 1.48 +++ components.mk 12 May 2006 00:50:08 -0000 1.49 @@ -171,7 +171,7 @@ ############################################################### ADMINUTIL_SUF = 10 -ADMINUTIL_RELDATE = 20060323 +ADMINUTIL_RELDATE = 20060511 ADMINUTIL_VERSION = $(ADMINUTIL_RELDATE) ADMINUTIL_ROOT = $(NSCP_COMPDIR)/adminutil ADMINUTIL_COMPNAME = adminutil/1.0 @@ -260,7 +260,7 @@ # MOD_ADMSERV ############################################################# -MOD_ADMSERV_RELDATE = 20060320 +MOD_ADMSERV_RELDATE = 20060511 MOD_ADMSERV_SUF = 1.0 MOD_ADMSERV_VERSION = $(MOD_ADMSERV_RELDATE) From fedora-directory-commits at redhat.com Fri May 12 18:29:16 2006 
From: fedora-directory-commits at redhat.com (Noriko Hosoi (nhosoi)) Date: Fri, 12 May 2006 11:29:16 -0700 Subject: [Fedora-directory-commits] adminserver/admserv/newinst/src Makefile, 1.10, 1.11 Message-ID: <200605121829.k4CITGrt006827@cvs-int.fedora.redhat.com> Author: nhosoi Update of /cvs/dirsec/adminserver/admserv/newinst/src In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv6801 Modified Files: Makefile Log Message: Added NSPR libraries to the dependency (ns-update). (fixed the build) Index: Makefile =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/Makefile,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- Makefile 12 May 2006 00:41:35 -0000 1.10 +++ Makefile 12 May 2006 18:29:13 -0000 1.11 @@ -93,7 +93,7 @@ LIBINST= $(SETUPUTIL_LIBPATH)/libinstall.a DEPLIBS= $(OSDEPLIBS) -DEPLIBS2= $(DEPLIBS) $(ADMINUTILLINK) $(SECURITYLINK) $(LDAPLINK) $(ICULINK) +DEPLIBS2= $(DEPLIBS) $(ADMINUTILLINK) $(SECURITYLINK) $(LDAPLINK) $(ICULINK) $(NSPRLINK) ifeq ($(ARCH), HPUX) ifeq ($(NSOS_RELEASE),B.10.10) From fedora-directory-commits at redhat.com Wed May 17 00:02:02 2006 
From: fedora-directory-commits at redhat.com (Noriko Hosoi (nhosoi)) Date: Tue, 16 May 2006 17:02:02 -0700 Subject: [Fedora-directory-commits] mod_admserv mod_admserv.c,1.23,1.24 Message-ID: <200605170002.k4H0225C020753@cvs-int.fedora.redhat.com> Author: nhosoi Update of /cvs/dirsec/mod_admserv In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18529 Modified Files: mod_admserv.c Log Message: [192022] Admin Server fails to bring up Config DS Always treat StartConfigDS specially. Regardless of the result of opening LDAPConnection, put StartConfigDs into the cache for bootstrap. Index: mod_admserv.c =================================================================== RCS file: /cvs/dirsec/mod_admserv/mod_admserv.c,v retrieving revision 1.23 retrieving revision 1.24 diff -u -r1.23 -r1.24 --- mod_admserv.c 11 May 2006 23:53:52 -0000 1.23 +++ mod_admserv.c 17 May 2006 00:01:55 -0000 1.24 
@@ -2248,21 +2248,21 @@ } } while (server != NULL && ++tries < 2); - if (error != LDAPU_SUCCESS) { + { + /* Always treat StartConfigDS specially. + * Regardless of the result of opening LDAPConnection, + * put StartConfigDs into the cache for bootstrap. + * This code allows the Console to launch the Config DS via Admin Server + * even if + * 1) the Config DS is not up when the Admin Server is started, or + * 2) the Config DS is shutdown after the Admin Server is started. + */ char startds[LINE_LENGTH]; char normStartds[LINE_LENGTH]; char *storage = startds; char *uri = apr_pstrdup(module_pool, STARTDS_IDENTIFIER); - /* Although opening LDAPConnection failed, we can initialize - * Hosts/Addresses using the local cache. - */ TaskCacheEntry *cache_entry; - destroyAdmldap(info); - closeLDAPConnection(server); - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, - "Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache."); - /* Config DS is not up and running - * put startconfigds into the cache for bootstrap */ + if (!build_full_DN(&storage, startds+LINE_LENGTH, uri, registryServer.bindDN)) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, @@ -2291,6 +2291,13 @@ cache_entry->execRef ? cache_entry->execRef : "", cache_entry->execRefArgs ? cache_entry->execRefArgs : "", LOCAL_SUPER_NAME); + } + + if (error != LDAPU_SUCCESS) { + destroyAdmldap(info); + closeLDAPConnection(server); + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, + "Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache."); return host_ip_init(p, plog, ptemp, base_server); } From fedora-directory-commits at redhat.com Mon May 22 18:14:49 2006 
From: fedora-directory-commits at redhat.com (Richard Allen Megginson (rmeggins)) Date: Mon, 22 May 2006 11:14:49 -0700 Subject: [Fedora-directory-commits] admservconsole - Imported sources Message-ID: <200605221814.k4MIEnbu013245@cvs-int.fedora.redhat.com> Author: rmeggins Update of /cvs/dirsec/admservconsole In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13228 Log Message: Initial import of admin server console into its own module Status: Vendor Tag: FedoraAdmservConsole Release Tags: FedoraAdmservConsole_0_01 N admservconsole/imports.FC2 N admservconsole/LICENSE N admservconsole/build.properties N admservconsole/imports.HP-UX11i N admservconsole/imports.FC3 N admservconsole/imports.Solaris9 N admservconsole/build.xml N admservconsole/src/com/netscape/management/admserv/classes.env N admservconsole/src/com/netscape/management/admserv/LoggingNode.java N admservconsole/src/com/netscape/management/admserv/AdminServer.java N admservconsole/src/com/netscape/management/admserv/AdminResourceModel.java N admservconsole/src/com/netscape/management/admserv/AdminServerNode.java N admservconsole/src/com/netscape/management/admserv/AdminFrameworkInitializer.java N admservconsole/src/com/netscape/management/admserv/admserv.properties N admservconsole/src/com/netscape/management/admserv/SNMPNode.java N admservconsole/src/com/netscape/management/admserv/AdminServerProduct.java N admservconsole/src/com/netscape/management/admserv/images/admin50.gif N admservconsole/src/com/netscape/management/admserv/images/AdminServer.gif N admservconsole/src/com/netscape/management/admserv/images/admin.gif N admservconsole/src/com/netscape/management/admserv/images/AdminServerL.gif N admservconsole/src/com/netscape/management/admserv/config/ConfigInfoDialog.java N admservconsole/src/com/netscape/management/admserv/config/PluginConfigPanel.java N admservconsole/src/com/netscape/management/admserv/config/GBC.java N admservconsole/src/com/netscape/management/admserv/config/config.properties N 
admservconsole/src/com/netscape/management/admserv/config/FilteredInputDocument.java N admservconsole/src/com/netscape/management/admserv/config/ConfigPanelException.java N admservconsole/src/com/netscape/management/admserv/config/IConfigDataModel.java N admservconsole/src/com/netscape/management/admserv/config/IPluginConfigPanel.java N admservconsole/src/com/netscape/management/admserv/config/ConfigErrorDialog.java N admservconsole/src/com/netscape/management/admserv/config/ValidationException.java N admservconsole/src/com/netscape/management/admserv/config/ButtonBar.java N admservconsole/src/com/netscape/management/admserv/config/EditMonitor.java N admservconsole/src/com/netscape/management/admserv/config/TabbedConfigPanel.java N admservconsole/src/com/netscape/management/admserv/config/ActionMonitorPanel.java N admservconsole/src/com/netscape/management/admserv/config/BaseConfigPanel.java N admservconsole/src/com/netscape/management/admserv/config/RemoteRequestException.java N admservconsole/src/com/netscape/management/admserv/logging/ErrorLogViewerModel.java N admservconsole/src/com/netscape/management/admserv/logging/AccessLogViewerModel.java N admservconsole/src/com/netscape/management/admserv/cmdln/sample-unix-options N admservconsole/src/com/netscape/management/admserv/cmdln/ViewLogEntriesTask.java N admservconsole/src/com/netscape/management/admserv/cmdln/admconfig.dat N admservconsole/src/com/netscape/management/admserv/cmdln/version.dat N admservconsole/src/com/netscape/management/admserv/cmdln/CountLogEntriesTask.java N admservconsole/src/com/netscape/management/admserv/cmdln/CommandLine.java N admservconsole/src/com/netscape/management/admserv/cmdln/AdmpwTask.java N admservconsole/src/com/netscape/management/admserv/cmdln/sample-nt-options N admservconsole/src/com/netscape/management/admserv/panel/SNMPCommunityPanel.java N admservconsole/src/com/netscape/management/admserv/panel/IAdminOperationListener.java N 
admservconsole/src/com/netscape/management/admserv/panel/AdminConfigData.java N admservconsole/src/com/netscape/management/admserv/panel/CGISNMPSetup.java N admservconsole/src/com/netscape/management/admserv/panel/SNMPManagerPanel.java N admservconsole/src/com/netscape/management/admserv/panel/UGDirectoryConfigPanel.java N admservconsole/src/com/netscape/management/admserv/panel/NetworkConfigPanel.java N admservconsole/src/com/netscape/management/admserv/panel/panel.properties N admservconsole/src/com/netscape/management/admserv/panel/IRestartControl.java N admservconsole/src/com/netscape/management/admserv/panel/CGIDataModel.java N admservconsole/src/com/netscape/management/admserv/panel/CGIAggregateDataModel.java N admservconsole/src/com/netscape/management/admserv/panel/SNMPConfigPanel.java N admservconsole/src/com/netscape/management/admserv/panel/DialogFrame.java N admservconsole/src/com/netscape/management/admserv/panel/AdminOperation.java N admservconsole/src/com/netscape/management/admserv/panel/SNMPStatusPanel.java N admservconsole/src/com/netscape/management/admserv/panel/LoggingConfigPanel.java N admservconsole/src/com/netscape/management/admserv/panel/CGIServerSetup.java N admservconsole/src/com/netscape/management/admserv/panel/CGIAccessSetup.java N admservconsole/src/com/netscape/management/admserv/panel/AttrNames.java N admservconsole/src/com/netscape/management/admserv/panel/RestartOperation.java N admservconsole/src/com/netscape/management/admserv/panel/StopOperation.java N admservconsole/src/com/netscape/management/admserv/panel/EditableList.java N admservconsole/src/com/netscape/management/admserv/panel/CGIUGDirectorySetup.java N admservconsole/src/com/netscape/management/admserv/panel/AccessConfigPanel.java N admservconsole/src/com/netscape/management/admserv/panel/CGIDirectorySetup.java N admservconsole/src/com/netscape/management/admserv/panel/AdminConfigPanel.java N admservconsole/src/com/netscape/management/admserv/panel/CGILoggingSetup.java 
N admservconsole/src/com/netscape/management/admserv/panel/DirectoryConfigPanel.java N admservconsole/src/com/netscape/management/admserv/panel/TurnOnSSL.java N admservconsole/src/com/netscape/management/admserv/task/Restart.java N admservconsole/src/com/netscape/management/admserv/task/SNMPSetup.java N admservconsole/src/com/netscape/management/admserv/task/Logging.java N admservconsole/src/com/netscape/management/admserv/task/Stop.java N admservconsole/src/com/netscape/management/admserv/task/AdminTaskObject.java N admservconsole/src/com/netscape/management/admserv/task/ServerSetup.java N admservconsole/src/com/netscape/management/admserv/task/CertSetup.java No conflicts created by this import From fedora-directory-commits at redhat.com Mon May 22 18:56:19 2006 
From: fedora-directory-commits at redhat.com (Noriko Hosoi (nhosoi)) Date: Mon, 22 May 2006 11:56:19 -0700 Subject: [Fedora-directory-commits] adminutil components.mk, 1.4, 1.5 internal_comp_deps.mk, 1.4, 1.5 Message-ID: <200605221856.k4MIuJUn013895@cvs-int.fedora.redhat.com> Author: nhosoi Update of /cvs/dirsec/adminutil In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13822 Modified Files: components.mk internal_comp_deps.mk Log Message: [172166] Admin Util build (RPM) Preparation for the RPM build. If these environment variables are set, the paths are used instead of the "local paths" or "internal paths". (note: the values are just examples.) $ env | egrep "ICU_|NSS_|NSPR_|LDAPCSDK_" NSS_INCLUDE_DIR=/usr/include/dirsec/nss3 ICU_INCLUDE_DIR=/usr/include ICU_BIN_DIR=/usr/bin LDAPCSDK_LIB_DIR=/usr/lib NSPR_INCLUDE_DIR=/usr/include/dirsec/nspr4 LDAPCSDK_INCLUDE_DIR=/usr/include/mozldap NSS_LIB_DIR=/usr/lib/dirsec NSPR_LIB_DIR=/usr/lib/dirsec ICU_LIB_DIR=/usr/lib Index: components.mk =================================================================== RCS file: /cvs/dirsec/adminutil/components.mk,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- components.mk 1 Mar 2006 23:44:01 -0000 1.4 +++ components.mk 22 May 2006 18:56:16 -0000 1.5 
@@ -63,12 +63,23 @@ endif endif NSPR_LIBNAMES += nspr4 -ifdef NSPR_SOURCE_ROOT - NSPR_LIBPATH = $(NSPR_SOURCE_ROOT)/dist/$(MOZ_OBJDIR_NAME)/lib +ifdef NSPR_INCLUDE_DIR + NSPR_INCDIR = $(NSPR_INCLUDE_DIR) +else + ifdef NSPR_SOURCE_ROOT NSPR_INCDIR = $(NSPR_SOURCE_ROOT)/dist/$(MOZ_OBJDIR_NAME)/include + else + NSPR_INCDIR = $(NSPR_BUILD_DIR)/include + endif +endif +ifdef NSPR_LIB_DIR + NSPR_LIBPATH = $(NSPR_LIB_DIR) else + ifdef NSPR_SOURCE_ROOT + NSPR_LIBPATH = $(NSPR_SOURCE_ROOT)/dist/$(MOZ_OBJDIR_NAME)/lib + else NSPR_LIBPATH = $(NSPR_BUILD_DIR)/lib - NSPR_INCDIR = $(NSPR_BUILD_DIR)/include + endif endif NSPR_INCLUDE = -I$(NSPR_INCDIR) NSPR_LIBS_TO_PKG = $(addsuffix .$(DLL_SUFFIX),$(addprefix $(NSPR_LIBPATH)/lib,$(NSPR_LIBNAMES))) 
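Review bot: in the @@ -63 hunk NSPR_INCDIR and NSPR_LIBPATH are resolved independently, so setting NSPR_INCLUDE_DIR without NSPR_LIB_DIR (or the reverse) silently compiles against one NSPR's headers while linking another's libraries from the source-root or build-dir fallback. Consider requiring both or neither, for instance an `$(error ...)` when exactly one of the pair is defined, so a partially configured RPM environment fails early instead of producing a mismatched build; the NSS, LDAP SDK and ICU blocks that follow use the same split and would benefit from the same check.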
@@ -81,24 +92,34 @@ $(addprefix lib, $(NSPR_LIBNAMES)))) else NSPR_SOLIBS = $(addsuffix .$(DLL_SUFFIX), $(addprefix $(LIB_PREFIX), $(NSPR_LIBNAMES))) - NSPROBJNAME = $(addsuffix .a, $(addprefix $(LIB_PREFIX), $(NSPR_LIBNAMES)) + NSPROBJNAME = $(addsuffix .a, $(addprefix $(LIB_PREFIX), $(NSPR_LIBNAMES))) LIBNSPR = $(addprefix $(NSPR_LIBPATH)/, $(NSPR_SOLIBS)) NSPRLINK = -L$(NSPR_LIBPATH) $(addprefix -l, $(NSPR_LIBNAMES)) endif ### SECURITY ############################# -ifdef SECURITY_SOURCE_ROOT - SECURITY_LIBPATH = $(SECURITY_SOURCE_ROOT)/dist/$(MOZ_OBJDIR_NAME)/lib - SECURITY_BINPATH = $(SECURITY_SOURCE_ROOT)/dist/$(MOZ_OBJDIR_NAME)/bin +ifdef NSS_INCLUDE_DIR + SECURITY_INCDIR = $(NSS_INCLUDE_DIR) +else + ifdef SECURITY_SOURCE_ROOT SECURITY_INCDIR = $(SECURITY_SOURCE_ROOT)/dist/public/nss + else + SECURITY_INCDIR = $(SECURITY_BUILD_DIR)/include + endif +endif + +ifdef NSS_LIB_DIR + SECURITY_LIBPATH = $(NSS_LIB_DIR) else + ifdef SECURITY_SOURCE_ROOT + SECURITY_LIBPATH = $(SECURITY_SOURCE_ROOT)/dist/$(MOZ_OBJDIR_NAME)/lib + else SECURITY_LIBPATH = $(SECURITY_BUILD_DIR)/lib - SECURITY_BINPATH = $(SECURITY_BUILD_DIR)/bin - SECURITY_INCDIR = $(SECURITY_BUILD_DIR)/include + endif endif + SECURITY_INCLUDE = -I$(SECURITY_INCDIR) # add crlutil and ocspclnt when we support CRL and OCSP cert checking in DS -SECURITY_BINNAMES = certutil derdump pp pk12util ssltap modutil shlibsign SECURITY_LIBNAMES = ssl3 nss3 softokn3 ifeq ($(ARCH), WINNT) 
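Review bot: the @@ -81 hunk quietly fixes an unbalanced parenthesis in `NSPROBJNAME = $(addsuffix .a, $(addprefix $(LIB_PREFIX), $(NSPR_LIBNAMES)))`, which the log message does not mention and is worth a line there. In the same hunk the removal of SECURITY_BINPATH and `SECURITY_BINNAMES = certutil derdump pp pk12util ssltap modutil shlibsign` leaves the `# add crlutil and ocspclnt when we support CRL and OCSP cert checking in DS` comment describing a variable that no longer exists; drop or reword it, and confirm no other makefile still references the two variables (the `mkdir -p $(SECURITY_BINPATH)` in internal_comp_deps.mk is removed in this commit, but nothing here accounts for users of SECURITY_BINNAMES).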
@@ -117,15 +138,26 @@ # LDAP SDK ################################################### -ifdef LDAPSDK_SOURCE_ROOT - LDAPSDK_LIBPATH = $(LDAPSDK_SOURCE_ROOT)/dist/lib +ifdef LDAPCSDK_INCLUDE_DIR + LDAPSDK_INCDIR = $(LDAPCSDK_INCLUDE_DIR) +else + ifdef LDAPSDK_SOURCE_ROOT LDAPSDK_INCDIR = $(LDAPSDK_SOURCE_ROOT)/dist/public/ldap - LDAPSDK_BINPATH = $(LDAPSDK_SOURCE_ROOT)/dist/bin + else + LDAPSDK_INCDIR = $(LDAP_ROOT)/include + endif +endif + +ifdef LDAPCSDK_LIB_DIR + LDAPSDK_LIBPATH = $(LDAPCSDK_LIB_DIR) else + ifdef LDAPSDK_SOURCE_ROOT + LDAPSDK_LIBPATH = $(LDAPSDK_SOURCE_ROOT)/dist/lib + else LDAPSDK_LIBPATH = $(LDAP_ROOT)/lib - LDAPSDK_INCDIR = $(LDAP_ROOT)/include - LDAPSDK_BINPATH = $(LDAP_ROOT)/bin + endif endif + LDAPSDK_INCLUDE = -I$(LDAPSDK_INCDIR) # package the include files - needed for the plugin API @@ -156,20 +188,40 @@ LDAP_LIBPATH = $(LDAPSDK_LIBPATH) LDAP_INCLUDE = $(LDAPSDK_INCDIR) -LDAP_TOOLDIR = $(LDAPSDK_BINPATH) ### ICU package ########################################## ICU_LIB_VERSION = 34 -ifdef ICU_SOURCE_ROOT - ICU_LIBPATH = $(ICU_SOURCE_ROOT)/built/lib +ifdef ICU_BIN_DIR + ICU_BINPATH = $(ICU_BIN_DIR) +else + ifdef ICU_SOURCE_ROOT ICU_BINPATH = $(ICU_SOURCE_ROOT)/built/bin + else + ICU_BINPATH = $(ICU_BUILD_DIR)/bin + endif +endif + +ifdef ICU_INCLUDE_DIR + ICU_INCPATH = $(ICU_INCLUDE_DIR) +else + ifdef ICU_SOURCE_ROOT ICU_INCPATH = $(ICU_SOURCE_ROOT)/built/include + else + ICU_INCPATH = $(ICU_BUILD_DIR)/include + endif +endif + +ifdef ICU_LIB_DIR + ICU_LIBPATH = $(ICU_LIB_DIR) else + ifdef ICU_SOURCE_ROOT + ICU_LIBPATH = $(ICU_SOURCE_ROOT)/built/lib + else ICU_LIBPATH = $(ICU_BUILD_DIR)/lib - ICU_BINPATH = $(ICU_BUILD_DIR)/bin - ICU_INCPATH = $(ICU_BUILD_DIR)/include + endif endif + ICU_INCLUDE = -I$(ICU_INCPATH) ifeq ($(ARCH), WINNT) ifeq ($(BUILD_DEBUG), optimize) 
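Review bot: the @@ -156 hunk derives ICU_BINPATH from ICU_BIN_DIR, but the genrb rule in the @@ -183 hunk then uses a bare `genrb` when ICU_BIN_DIR is defined, relying on PATH rather than the directory the builder just specified; `$(ICU_BINPATH)/genrb` would use the configured ICU consistently with the Windows branch, which already uses `$(ICU_BINPATH)/genrb.exe`. The hunk also removes `LDAP_TOOLDIR = $(LDAPSDK_BINPATH)` without a mention in the log message; confirm nothing downstream still expects it.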
@@ -183,14 +235,17 @@ else ICU_LIBNAMES = icui18n icuuc icudata ICULINK = -L$(ICU_LIBPATH) $(addprefix -l, $(ICU_LIBNAMES)) -#LIBS_TO_PKG = $(addsuffix $(addprefix lib,$(ICU_LIBNAMES)) endif # Resource Bundle Compiler ifeq ($(ARCH), WINNT) ICU_GENRB = $(ICU_BINPATH)/genrb.exe else + ifdef ICU_BIN_DIR + ICU_GENRB = genrb + else ICU_GENRB = sh ./genrb_wrapper.sh $(ICU_BUILD_DIR) + endif endif ########################################################### Index: internal_comp_deps.mk =================================================================== RCS file: /cvs/dirsec/adminutil/internal_comp_deps.mk,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- internal_comp_deps.mk 1 Mar 2006 23:44:01 -0000 1.4 +++ internal_comp_deps.mk 22 May 2006 18:56:16 -0000 1.5 @@ -68,7 +68,6 @@ $(SECURITY_DEP): $(RELTOOLS) $(NSCP_DISTDIR_FULL_RTL) ifdef COMPONENT_DEPS - mkdir -p $(SECURITY_BINPATH) $(FTP_PULL) -method $(SECURITY_PULL_METHOD) \ -objdir $(SECURITY_BUILD_DIR) -componentdir $(SECURITY_IMPORT) \ -files $(SECURITY_FILES) From fedora-directory-commits at redhat.com Mon May 22 19:48:21 2006 From: fedora-directory-commits at redhat.com (Richard Allen Megginson (rmeggins)) Date: Mon, 22 May 2006 12:48:21 -0700 Subject: [Fedora-directory-commits] admservconsole build.properties, 1.1.1.1, 1.2 Message-ID: <200605221948.k4MJmLKI016753@cvs-int.fedora.redhat.com> Author: rmeggins Update of /cvs/dirsec/admservconsole In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16736 Modified Files: build.properties Log Message: use admserv instead of as for jar file names Index: build.properties =================================================================== RCS file: /cvs/dirsec/admservconsole/build.properties,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- build.properties 22 May 2006 18:14:32 -0000 1.1.1.1 +++ build.properties 22 May 2006 19:48:18 -0000 1.2 
@@ -24,5 +24,5 @@ admservconsole.version=1.0.2 admservconsole.gen.version=1.0 brand=fedora -admservconsole.name=${brand}-as-${admservconsole.version} -admservconsole.gen.name=${brand}-as-${admservconsole.gen.version} +admservconsole.name=${brand}-admserv-${admservconsole.version} +admservconsole.gen.name=${brand}-admserv-${admservconsole.gen.version} From fedora-directory-commits at redhat.com Mon May 22 22:50:10 2006 From: fedora-directory-commits at redhat.com (Richard Allen Megginson (rmeggins)) Date: Mon, 22 May 2006 15:50:10 -0700 Subject: [Fedora-directory-commits] admservconsole/src/com/netscape/management/admserv/images AdminServer.gif, 1.1.1.1, NONE AdminServerL.gif, 1.1.1.1, NONE admin.gif, 1.1.1.1, NONE admin50.gif, 1.1.1.1, NONE Message-ID: <200605222250.k4MMoAeu025668@cvs-int.fedora.redhat.com> Author: rmeggins Update of /cvs/dirsec/admservconsole/src/com/netscape/management/admserv/images In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25653 Removed Files: AdminServer.gif AdminServerL.gif admin.gif admin50.gif Log Message: remove improperly added binary files From fedora-directory-commits at redhat.com Mon May 22 22:52:35 2006 From: fedora-directory-commits at redhat.com (Richard Allen Megginson (rmeggins)) Date: Mon, 22 May 2006 15:52:35 -0700 Subject: [Fedora-directory-commits] admservconsole/src/com/netscape/management/admserv/images AdminServer.gif, 1.2, 1.3 AdminServerL.gif, 1.2, 1.3 admin.gif, 1.2, 1.3 admin50.gif, 1.2, 1.3 Message-ID: <200605222252.k4MMqZeL025708@cvs-int.fedora.redhat.com> Author: rmeggins Update of /cvs/dirsec/admservconsole/src/com/netscape/management/admserv/images In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25689 Added Files: AdminServer.gif AdminServerL.gif admin.gif admin50.gif Log Message: correctly add binary files From fedora-directory-commits at redhat.com Tue May 23 22:13:39 2006 
From: fedora-directory-commits at redhat.com (Richard Allen Megginson (rmeggins)) Date: Tue, 23 May 2006 15:13:39 -0700 Subject: [Fedora-directory-commits] adminserver/admserv/console Makefile, 1.5, 1.6 Message-ID: <200605232213.k4NMDd5V020797@cvs-int.fedora.redhat.com> Author: rmeggins Update of /cvs/dirsec/adminserver/admserv/console In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20715/adminserver/admserv/console Modified Files: Makefile Log Message: Bug: 192785 Description: Admin Server: Move admin server console into a separate package Reviewed by: Noriko (Thanks!) Moved files into the top level admservconsole module - changed admin server build/packaging to pick up this as a component - removed now useless java build/makefiles Index: Makefile =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/console/Makefile,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- Makefile 29 Sep 2005 22:11:58 -0000 1.5 +++ Makefile 23 May 2006 22:13:37 -0000 1.6 
@@ -32,31 +32,15 @@ include $(BUILD_ROOT)/nsconfig.mk include $(BUILD_ROOT)/components.mk -include javarules.mk -CMDLNPATH=com/netscape/management/admserv/cmdln -CLASSESDIR=$(BUILD_ROOT)/built/classes PACKAGEDIR=$(BUILD_ROOT)/built/package/java -LDAPJDK.JAR = -Dldapjdk.jar=$(LDAPJDK_DIR)/$(LDAPJDK) -CONSOLE.ROOT = -Dconsole.root=$(CONSOLE_JAR_DIR) - all: build -build: ldapjdk nmcjdk $(ANT_DEP) - $(ANT) -Dlang=en $(LDAPJDK.JAR) $(CONSOLE.ROOT) build - cp -p src/$(CMDLNPATH)/admconfig.dat $(CLASSESDIR)/$(CMDLNPATH) - cp -p src/$(CMDLNPATH)/version.dat $(CLASSESDIR)/$(CMDLNPATH) +build: ldapjdk nmcjdk cd cmdln; $(MAKE) $(MFLAGS) -package: $(ANT_DEP) - $(ANT) -Dlang=en $(LDAPJDK.JAR) $(CONSOLE.ROOT) dist +package: cp smartupdate/goto.gif $(PACKAGEDIR) cp smartupdate/spacer.gif $(PACKAGEDIR) cp smartupdate/start-console.html $(PACKAGEDIR) - -doc: $(ANT_DEP) - $(ANT) javadoc - -clean: - $(ANT) clean From fedora-directory-commits at redhat.com Tue May 23 22:13:40 2006 
From: fedora-directory-commits at redhat.com (Richard Allen Megginson (rmeggins)) Date: Tue, 23 May 2006 15:13:40 -0700 Subject: [Fedora-directory-commits] adminserver/admserv/console/cmdln Makefile, 1.5, 1.6 Message-ID: <200605232213.k4NMDe6d020803@cvs-int.fedora.redhat.com> Author: rmeggins Update of /cvs/dirsec/adminserver/admserv/console/cmdln In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20715/adminserver/admserv/console/cmdln Modified Files: Makefile Log Message: Bug: 192785 Description: Admin Server: Move admin server console into a separate package Reviewed by: Noriko (Thanks!) Moved files into the top level admservconsole module - changed admin server build/packaging to pick up this as a component - removed now useless java build/makefiles Index: Makefile =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/console/cmdln/Makefile,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- Makefile 29 Sep 2005 22:11:58 -0000 1.5 +++ Makefile 23 May 2006 22:13:37 -0000 1.6 @@ -24,7 +24,6 @@ BUILD_ROOT = ../../.. include $(BUILD_ROOT)/nsconfig.mk -include ../rules.mk MKDIR = mkdir -p STAGE_DIR = $(OBJDIR)/cmdln From fedora-directory-commits at redhat.com Tue May 23 22:13:38 2006 
From: fedora-directory-commits at redhat.com (Richard Allen Megginson (rmeggins)) Date: Tue, 23 May 2006 15:13:38 -0700 Subject: [Fedora-directory-commits] adminserver Makefile, 1.19, 1.20 buildpaths.mk, 1.9, 1.10 components.mk, 1.49, 1.50 nsconfig.mk, 1.28, 1.29 Message-ID: <200605232213.k4NMDc1m020785@cvs-int.fedora.redhat.com> Author: rmeggins Update of /cvs/dirsec/adminserver In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20715/adminserver Modified Files: Makefile buildpaths.mk components.mk nsconfig.mk Log Message: Bug: 192785 Description: Admin Server: Move admin server console into a separate package Reviewed by: Noriko (Thanks!) Moved files into the top level admservconsole module - changed admin server build/packaging to pick up this as a component - removed now useless java build/makefiles Index: Makefile =================================================================== RCS file: /cvs/dirsec/adminserver/Makefile,v retrieving revision 1.19 retrieving revision 1.20 diff -u -r1.19 -r1.20 --- Makefile 21 Mar 2006 19:48:49 -0000 1.19 +++ Makefile 23 May 2006 22:13:36 -0000 1.20 @@ -33,7 +33,7 @@ PACKAGEDEPS = start_time ifndef NOJAVA -PACKAGEDEPS += ldapjdk nmcjdk jsssdk jsslib +PACKAGEDEPS += ldapjdk nmcjdk jsssdk jsslib admservconsole endif PACKAGEDEPS += pkgBase pkgAdmin pkgMcc end_time Index: buildpaths.mk =================================================================== RCS file: /cvs/dirsec/adminserver/buildpaths.mk,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- buildpaths.mk 21 Mar 2006 19:48:49 -0000 1.9 +++ buildpaths.mk 23 May 2006 22:13:36 -0000 1.10 
@@ -89,6 +89,8 @@ CONSOLE_SOURCE_DIR = $(BUILD_ROOT)/.. +ADMSERVCONSOLE_SOURCE_DIR = $(BUILD_ROOT)/.. + #LDAPJDK_SOURCE_DIR = $(MOZILLA_SOURCE_ROOT) LDAPJDK_BUILD_DIR = $(CONSOLE_SOURCE_DIR)/imports/ldapjdk Index: components.mk =================================================================== RCS file: /cvs/dirsec/adminserver/components.mk,v retrieving revision 1.49 retrieving revision 1.50 diff -u -r1.49 -r1.50 --- components.mk 12 May 2006 00:50:08 -0000 1.49 +++ components.mk 23 May 2006 22:13:36 -0000 1.50 
@@ -399,6 +399,45 @@ endif ############################################################# +# Admserv Console java classes +############################################################# + +ADMSERVCONSOLE_SUF = 1.0.2 +ADMSERVCONSOLE_GEN_SUF = 1.0 +ADMSERVCONSOLE_RELDATE = 20060523 + +ADMSERVCONSOLE_COMP = admservconsole/$(ADMSERVCONSOLE_GEN_SUF) + +ADMSERVCONSOLE_VERSION = $(ADMSERVCONSOLE_RELDATE) + +ifeq ($(BUILD_MODE), int) +ifeq ($(INT_NMCSDK), 1) +ADMSERVCONSOLE_DIR = $(INT_DIR)/$(ADMSERVCONSOLE_COMP)/$(ADMSERVCONSOLE_VERSION)/$(NSOBJDIR_NAME) +else +ADMSERVCONSOLE_DIR = $(COMPONENTS_DIR)/$(ADMSERVCONSOLE_COMP)/$(ADMSERVCONSOLE_VERSION)/$(NSOBJDIR_NAME) +endif +else #fedora +ADMSERVCONSOLE_DIR = $(FED_COMPONENTS_DIR)/$(ADMSERVCONSOLE_COMP)/$(ADMSERVCONSOLE_VERSION)/$(NSOBJDIR_NAME) +endif + +# since the jar files are packaged as is, they should not be symlink'ed. +ADMSERVCONSOLE_METHOD = FTP + +admservconsole: +ifdef INTERNAL_BUILD + mkdir -p $(CLASS_DEST) +# grab the jar files + $(PERL5) $(RELTOOLS)/ftp_puller.pl -method $(ADMSERVCONSOLE_METHOD) -objdir $(ADMSERVCONSOLE_JAR_DIR) -componentdir $(ADMSERVCONSOLE_DIR)/java -files $(ADMIN_BRAND)-admserv-$(ADMSERVCONSOLE_SUF).jar,$(ADMIN_BRAND)-admserv-$(ADMSERVCONSOLE_SUF)_en.jar +ifneq ($(ARCH), WINNT) +# make symlinks; cannot FTP symlinked files + -(cd $(ADMSERVCONSOLE_JAR_DIR); ln -s $(ADMIN_BRAND)-admserv-$(ADMSERVCONSOLE_SUF).jar $(ADMIN_BRAND)-admserv-$(ADMSERVCONSOLE_GEN_SUF).jar) + -(cd $(ADMSERVCONSOLE_JAR_DIR); ln -s $(ADMIN_BRAND)-admserv-$(ADMSERVCONSOLE_SUF)_en.jar $(ADMIN_BRAND)-admserv-$(ADMSERVCONSOLE_GEN_SUF)_en.jar) +endif +else # INTERNAL_BUILD + @if [ ! 
-f $(ADMSERVCONSOLE_JAR_DIR)/$(ADMIN_BRAND)-admserv-$(ADMSERVCONSOLE_SUF).jar ]; then echo The admservconsole jar files are missing from $(ADMSERVCONSOLE_JAR_DIR) - please build or download them ; exit 1 ; fi +endif + +############################################################# # JSS java classes ############################################################# Index: nsconfig.mk =================================================================== RCS file: /cvs/dirsec/adminserver/nsconfig.mk,v retrieving revision 1.28 retrieving revision 1.29 diff -u -r1.28 -r1.29 --- nsconfig.mk 24 Mar 2006 01:12:20 -0000 1.28 +++ nsconfig.mk 23 May 2006 22:13:36 -0000 1.29 @@ -944,6 +944,12 @@ CONSOLE_JAR_DIR = $(CLASS_DEST) endif +ifdef ADMSERVCONSOLE_SOURCE_ROOT + ADMSERVCONSOLE_JAR_DIR = $(ADMSERVCONSOLE_SOURCE_ROOT)/built/package +else + ADMSERVCONSOLE_JAR_DIR = $(CLASS_DEST) +endif + ifdef ONLINEHELP_SOURCE_DIR else endif From fedora-directory-commits at redhat.com Tue May 23 22:13:39 2006 
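Review bot: in the `admservconsole` target of the components.mk hunk, `mkdir -p $(CLASS_DEST)` creates a different directory from the one `ftp_puller.pl -objdir $(ADMSERVCONSOLE_JAR_DIR)` writes into whenever ADMSERVCONSOLE_JAR_DIR is not $(CLASS_DEST) (the nsconfig.mk hunk redirects it to `$(ADMSERVCONSOLE_SOURCE_ROOT)/built/package`); use `mkdir -p $(ADMSERVCONSOLE_JAR_DIR)` so the pull cannot fail on a missing target directory. Two smaller points in the same target: the non-INTERNAL_BUILD check only tests for `$(ADMIN_BRAND)-admserv-$(ADMSERVCONSOLE_SUF).jar`, so a missing `_en.jar` gets through to the packaging step, and the jars are pulled over plain FTP and, as the comment says, packaged as is, with no checksum or signature comparison in the visible lines; a build pulling from a mirrored component directory therefore has no way to notice a corrupted or substituted jar, and a digest check right after the pull would close that gap.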
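Review bot: the new `ifdef ADMSERVCONSOLE_SOURCE_ROOT` block in the nsconfig.mk hunk tests a variable that none of the visible hunks sets; the Makefile hunk at the top of this message defines `ADMSERVCONSOLE_SOURCE_DIR = $(BUILD_ROOT)/..` instead. If the two names are meant to be one switch, the `$(ADMSERVCONSOLE_SOURCE_ROOT)/built/package` branch is dead and ADMSERVCONSOLE_JAR_DIR always falls back to `$(CLASS_DEST)`; either set ADMSERVCONSOLE_SOURCE_ROOT alongside ADMSERVCONSOLE_SOURCE_DIR, or document which variable an out-of-tree build is expected to pass.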
From: fedora-directory-commits at redhat.com (Richard Allen Megginson (rmeggins)) Date: Tue, 23 May 2006 15:13:39 -0700 Subject: [Fedora-directory-commits] adminserver/admserv pkgadmin.mk, 1.46, 1.47 Message-ID: <200605232213.k4NMDd9f020791@cvs-int.fedora.redhat.com> Author: rmeggins Update of /cvs/dirsec/adminserver/admserv In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20715/adminserver/admserv Modified Files: pkgadmin.mk Log Message: Bug: 192785 Description: Admin Server: Move admin server console into a separate package Reviewed by: Noriko (Thanks!) Moved files into the top level admservconsole module - changed admin server build/packaging to pick up this as a component - removed now useless java build/makefiles Index: pkgadmin.mk =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/pkgadmin.mk,v retrieving revision 1.46 retrieving revision 1.47 diff -u -r1.46 -r1.47 --- pkgadmin.mk 24 Mar 2006 19:13:11 -0000 1.46 +++ pkgadmin.mk 23 May 2006 22:13:36 -0000 1.47 @@ -42,7 +42,7 @@ PKGTOP=$(PLATFORM_PACKAGE_DIR) PKGDIR=$(PLATFORM_PACKAGE_DIR)/admin -ADMIN_JARS=$(BUILD_ROOT)/built/package/java/admin +JAVA_PACKAGE_DIR=$(BUILD_ROOT)/built/package/java ADM_CORE=$(DIR) ADM_CLIENT=client @@ -155,10 +155,10 @@ # grab the jar files ifeq ($(ARCH), WINNT) # no symlink on Windows - cd $(ADMIN_JARS) ; \ + cd $(ADMSERVCONSOLE_JAR_DIR) ; \ cp -p $(ADMIN_BRAND)-admserv-$(ADM_SUF).jar $(ADMIN_BRAND)-admserv-$(ADM_SUF)_en.jar $(CLIENT_DIR)/java/jars else - cd $(ADMIN_JARS) ; \ + cd $(ADMSERVCONSOLE_JAR_DIR) ; \ cp -p $(ADMIN_BRAND)-admserv-$(ADM_SUF).jar $(ADMIN_BRAND)-admserv-$(ADM_SUF)_en.jar $(CLIENT_DIR)/java/jars; \ (cd $(CLIENT_DIR)/java/jars; ln -s $(ADMIN_BRAND)-admserv-$(ADM_SUF).jar $(ADMIN_BRAND)-admserv-$(ADM_GEN_SUF).jar; ln -s $(ADMIN_BRAND)-admserv-$(ADM_SUF)_en.jar $(ADMIN_BRAND)-admserv-$(ADM_GEN_SUF)_en.jar) endif 
@@ -271,9 +271,9 @@ cd $(ADMSERV_OBJDIR)/cmdln; \ cp -p admconfig $(ADMIN_DIR)/bin/admin; - cd $(ADMIN_JARS)/.. ; \ + cd $(JAVA_PACKAGE_DIR) ; \ find *.html *.gif *.jpg | $(CPIO) $(ADMIN_DIR)/java/html - cd $(ADMIN_JARS)/.. ; \ + cd $(JAVA_PACKAGE_DIR)/.. ; \ find *.html | $(CPIO) $(ADMIN_DIR)/java/html/en endif # NOJAVA
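Review bot: in the @@ -155 hunk the copies now come from `$(ADMSERVCONSOLE_JAR_DIR)`, but the file names still use `$(ADM_SUF)` and `$(ADM_GEN_SUF)`, while components.mk in the previous message names the same jars with `ADMSERVCONSOLE_SUF = 1.0.2` and `ADMSERVCONSOLE_GEN_SUF = 1.0`. Two independent version variables for one artifact will drift; define ADM_SUF and ADM_GEN_SUF in terms of the ADMSERVCONSOLE_* values (or drop one pair) so that a bump in components.mk cannot leave `cp -p` failing on a jar name that no longer exists.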
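Review bot: the two replacements in the @@ -271 hunk are not equivalent. Both removed lines were `cd $(ADMIN_JARS)/..`, which with the old definition is `$(BUILD_ROOT)/built/package/java`; the first is replaced by `cd $(JAVA_PACKAGE_DIR)` (the same directory), but the second by `cd $(JAVA_PACKAGE_DIR)/..`, which is `$(BUILD_ROOT)/built/package`, so the `find *.html` that feeds `$(ADMIN_DIR)/java/html/en` now runs one level higher than before. If the English help pages have not moved, the second line should also read `cd $(JAVA_PACKAGE_DIR) ; \`; if they have moved, please say so in the log message.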