authorArthur de Jong <arthur@arthurdejong.org>2012-03-13 18:29:28 +0000
committerArthur de Jong <arthur@arthurdejong.org>2012-03-13 18:29:28 +0000
commit9e682fa2a633fd69ce2e6b4b987bda04f02424cc (patch)
tree771fb4b925ede600362c1545d615d6c949ecbece
parentcfed0d3c19a6998cc320c85b8f95b08934739703 (diff)
make whether or not to do case-sensitive filtering configurable (patch by Matthew L. Dailey)
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1634 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r--AUTHORS1
-rw-r--r--man/nslcd.conf.5.xml16
-rw-r--r--nslcd/cfg.c6
-rw-r--r--nslcd/cfg.h2
-rw-r--r--nslcd/common.h6
-rw-r--r--nslcd/group.c2
-rw-r--r--nslcd/netgroup.c2
-rw-r--r--nslcd/passwd.c2
-rw-r--r--nslcd/protocol.c4
-rw-r--r--nslcd/rpc.c4
-rw-r--r--nslcd/service.c6
-rw-r--r--nslcd/shadow.c2
12 files changed, 42 insertions, 11 deletions
diff --git a/AUTHORS b/AUTHORS
index 3e11cae..83b23ad 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -116,3 +116,4 @@ Paul Gevers <paul@climbing.nl>
Jeroen Schot <schot@A-Eskwadraat.nl>
Tom Judge <tom@tomjudge.com>
Maxim Vetrov <muxas@mail.ru>
+Matthew L. Dailey <matthew.l.dailey@dartmouth.edu>
diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml
index 1a9a505..c9b7dc0 100644
--- a/man/nslcd.conf.5.xml
+++ b/man/nslcd.conf.5.xml
@@ -702,6 +702,22 @@
</listitem>
</varlistentry>
+ <varlistentry id="ignorecase">
+ <term><option>ignorecase</option> yes|no</term>
+ <listitem>
+ <para>
+ This specifies whether or not to perform searches for group,
+ netgroup, passwd, protocols, rpc, services and shadow maps using
+ case-insensitive matching.
+ Setting this to <literal>yes</literal> could open up the system
+ to authorisation vulnerabilities and introduce nscd cache poisoning
+ vulnerabilities which allow denial of service.
+ The default is to perform case-sensitve filtering of LDAP search
+ results for the above maps.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry id="pam_authz_search">
<term><option>pam_authz_search</option>
<replaceable>FILTER</replaceable></term>
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index 809dc41..73199bb 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -89,6 +89,7 @@ static void cfg_defaults(struct ldap_config *cfg)
cfg->ldc_threads=5;
cfg->ldc_uid=NOUID;
cfg->ldc_gid=NOGID;
+ cfg->ldc_ignorecase=0;
for (i=0;i<(NSS_LDAP_CONFIG_URI_MAX+1);i++)
{
cfg->ldc_uris[i].uri=NULL;
@@ -863,6 +864,11 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
get_gid(filename,lnr,keyword,&line,&cfg->ldc_gid);
get_eol(filename,lnr,keyword,&line);
}
+ else if (strcasecmp(keyword,"ignorecase")==0)
+ {
+ get_boolean(filename,lnr,keyword,&line,&cfg->ldc_ignorecase);
+ get_eol(filename,lnr,keyword,&line);
+ }
/* general connection options */
else if (strcasecmp(keyword,"uri")==0)
{
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index 3a9b66b..45d909c 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -86,6 +86,8 @@ struct ldap_config
uid_t ldc_uid;
/* the group id nslcd should be run as */
gid_t ldc_gid;
+ /* whether or not case should be ignored in lookups */
+ int ldc_ignorecase;
/* NULL terminated list of URIs */
struct myldap_uri ldc_uris[NSS_LDAP_CONFIG_URI_MAX+1];
/* protocol version */
diff --git a/nslcd/common.h b/nslcd/common.h
index cf137df..bd30fee 100644
--- a/nslcd/common.h
+++ b/nslcd/common.h
@@ -265,4 +265,10 @@ int nslcd_pam_pwmod(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid);
return 0; \
}
+/* macro to compare strings
+ Use the ignorecase config option to determine whether or not to do a
+ case-sensitive match */
+#define STR_CMP(str1,str2) \
+ (nslcd_cfg->ldc_ignorecase == 1 ? strcasecmp(str1,str2) : strcmp(str1,str2))
+
#endif /* not NSLCD__COMMON_H */
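Review bot: The new STR_CMP macro selects strcasecmp only when `ldc_ignorecase == 1`, so any other non-zero value the flag might ever carry silently falls back to the case-sensitive strcmp; testing for non-zero and parenthesizing the arguments, `(nslcd_cfg->ldc_ignorecase ? strcasecmp((str1),(str2)) : strcmp((str1),(str2)))`, is the more robust shape. strcasecmp also folds case byte by byte according to the process locale, so with ignorecase enabled two names compare equal only under that locale's single-byte rules, which need not agree with whatever case-insensitive matching the LDAP server applied to the search filter. The macro comment should record this, e.g. `/* NOTE: strcasecmp is locale-dependent and byte-oriented; only ASCII case is reliably folded */`. Whether get_boolean can store a value other than 0 or 1 is not visible here.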
diff --git a/nslcd/group.c b/nslcd/group.c
index 4725295..abe5e38 100644
--- a/nslcd/group.c
+++ b/nslcd/group.c
@@ -187,7 +187,7 @@ static int do_write_group(
log_log(LOG_WARNING,"%s: %s: denied by validnames option",
myldap_get_dn(entry),attmap_group_cn);
}
- else if ((reqname==NULL)||(strcmp(reqname,names[i])==0))
+ else if ((reqname==NULL)||(STR_CMP(reqname,names[i])==0))
{
for (j=0;j<numgids;j++)
{
diff --git a/nslcd/netgroup.c b/nslcd/netgroup.c
index e9d81a2..7cec138 100644
--- a/nslcd/netgroup.c
+++ b/nslcd/netgroup.c
@@ -220,7 +220,7 @@ static int write_netgroup(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname)
myldap_get_dn(entry),attmap_netgroup_cn);
return 0;
}
- for (i=0;(names[i]!=NULL)&&(strcmp(reqname,names[i])!=0);i++)
+ for (i=0;(names[i]!=NULL)&&(STR_CMP(reqname,names[i])!=0);i++)
/* nothing here */ ;
if (names[i]==NULL)
return 0; /* the name was not found */
diff --git a/nslcd/passwd.c b/nslcd/passwd.c
index 73dd9f5..a6d0d5b 100644
--- a/nslcd/passwd.c
+++ b/nslcd/passwd.c
@@ -556,7 +556,7 @@ static int write_passwd(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser,
attmap_get_value(entry,attmap_passwd_loginShell,shell,sizeof(shell));
/* write the entries */
for (i=0;usernames[i]!=NULL;i++)
- if ((requser==NULL)||(strcmp(requser,usernames[i])==0))
+ if ((requser==NULL)||(STR_CMP(requser,usernames[i])==0))
{
if (!isvalidname(usernames[i]))
{
diff --git a/nslcd/protocol.c b/nslcd/protocol.c
index 90327b8..20b741c 100644
--- a/nslcd/protocol.c
+++ b/nslcd/protocol.c
@@ -123,9 +123,9 @@ static int write_protocol(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname)
if (name==NULL)
name=aliases[0];
/* check case of returned protocol entry */
- if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+ if ((reqname!=NULL)&&(STR_CMP(reqname,name)!=0))
{
- for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+ for (i=0;(aliases[i]!=NULL)&&(STR_CMP(reqname,aliases[i])!=0);i++)
/* nothing here */ ;
if (aliases[i]==NULL)
return 0; /* neither the name nor any of the aliases matched */
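Review bot: The context comment `/* check case of returned protocol entry */` directly above the changed `if` is now misleading, since with ignorecase set this block no longer checks case at all but only whether the requested name matches the entry's name or one of its aliases. Suggest `/* check that the returned entry actually matches the requested name (case-sensitively unless ignorecase is set) */`. The same wording appears in the rpc.c and service.c hunks of this commit. write_protocol's body continues outside the hunk.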
diff --git a/nslcd/rpc.c b/nslcd/rpc.c
index 90cb89e..e8691c6 100644
--- a/nslcd/rpc.c
+++ b/nslcd/rpc.c
@@ -124,9 +124,9 @@ static int write_rpc(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname)
if (name==NULL)
name=aliases[0];
/* check case of returned rpc entry */
- if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+ if ((reqname!=NULL)&&(STR_CMP(reqname,name)!=0))
{
- for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+ for (i=0;(aliases[i]!=NULL)&&(STR_CMP(reqname,aliases[i])!=0);i++)
/* nothing here */ ;
if (aliases[i]==NULL)
return 0; /* neither the name nor any of the aliases matched */
diff --git a/nslcd/service.c b/nslcd/service.c
index d0db52d..16133da 100644
--- a/nslcd/service.c
+++ b/nslcd/service.c
@@ -152,9 +152,9 @@ static int write_service(TFILE *fp,MYLDAP_ENTRY *entry,
if (name==NULL)
name=aliases[0];
/* check case of returned servies entry */
- if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+ if ((reqname!=NULL)&&(STR_CMP(reqname,name)!=0))
{
- for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+ for (i=0;(aliases[i]!=NULL)&&(STR_CMP(reqname,aliases[i])!=0);i++)
/* nothing here */ ;
if (aliases[i]==NULL)
return 0; /* neither the name nor any of the aliases matched */
@@ -196,7 +196,7 @@ static int write_service(TFILE *fp,MYLDAP_ENTRY *entry,
}
/* write the entries */
for (i=0;protocols[i]!=NULL;i++)
- if ((reqprotocol==NULL)||(*reqprotocol=='\0')||(strcmp(reqprotocol,protocols[i])==0))
+ if ((reqprotocol==NULL)||(*reqprotocol=='\0')||(STR_CMP(reqprotocol,protocols[i])==0))
{
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_STRING(fp,name);
diff --git a/nslcd/shadow.c b/nslcd/shadow.c
index eb5ffcb..d6a5a7e 100644
--- a/nslcd/shadow.c
+++ b/nslcd/shadow.c
@@ -307,7 +307,7 @@ static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser)
&inactdays,&expiredate,&flag);
/* write the entries */
for (i=0;usernames[i]!=NULL;i++)
- if ((requser==NULL)||(strcmp(requser,usernames[i])==0))
+ if ((requser==NULL)||(STR_CMP(requser,usernames[i])==0))
{
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_STRING(fp,usernames[i]);
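Review bot: The changed comparison accepts a username that differs in case from requser when ignorecase is set, but the name written two lines later is `usernames[i]`, the LDAP-side spelling, so a caller can receive a shadow record whose name is not the string it looked up. That request/response mismatch is what makes the caching problems the man page in this commit warns about possible, and it deserves a comment at the write, e.g. `/* with ignorecase the returned name may differ in case from requser */`. Whether any caller or cache keys on the returned name is not visible in this hunk; write_shadow starts outside it.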