----- Original Message ----- > I did not review/test the actual code, but shouldn't we also add libunistring > as BuildRequires in spec file so that it is automatically installed before > the build?
Good catch. Fixed version attached. Nathaniel
From fd68fd234bfcd11b3315e685e8f5192659b4a606 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Tue, 16 Jul 2013 11:47:27 -0400
Subject: [PATCH] Use libunistring ulc_casecmp() on unicode strings
https://fedorahosted.org/freeipa/ticket/3772
---
 daemons/configure.ac | 10 ++++++++++
 daemons/ipa-kdb/Makefile.am | 1 +
 daemons/ipa-kdb/ipa_kdb.h | 2 +-
 daemons/ipa-kdb/ipa_kdb_common.c | 15 ++++++++++++---
 daemons/ipa-kdb/ipa_kdb_principals.c | 15 ++++++++++++---
 freeipa.spec.in | 1 +
 6 files changed, 37 insertions(+), 7 deletions(-)
diff --git a/daemons/configure.ac b/daemons/configure.ac
index 15ea00b0adf39cfb1e340a966aada92982ae4053..835d0b368ab016713f903e59fa857c433d467605 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -179,6 +179,16 @@ AC_CHECK_LIB([pdb],[pdb_enum_upn_suffixes], [$SAMBA40EXTRA_LIBPATH])
 dnl ---------------------------------------------------------------------------
+dnl Check for libunistring
+dnl ---------------------------------------------------------------------------
+AC_CHECK_HEADERS([unicase.h],,AC_MSG_ERROR([Could not find unicase.h]))
+AC_CHECK_LIB([unistring],
+ [ulc_casecmp],
+ [UNISTRING_LIBS="-lunistring"],
+ [AC_MSG_ERROR([libunistring does not have ulc_casecmp])])
+AC_SUBST(UNISTRING_LIBS)
+
+dnl ---------------------------------------------------------------------------
 dnl Check for libverto
 dnl ---------------------------------------------------------------------------
 PKG_CHECK_MODULES([LIBVERTO], [libverto])
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 13c4551318c7997397d0d83c51a0ffb99490e926..dc543dd56e5c1c094bc7356febea8c8362b94aa2 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -50,6 +50,7 @@ ipadb_la_LIBADD = \
 $(KRB5_LIBS) \
 $(LDAP_LIBS) \
 $(NDRPAC_LIBS) \
+ $(UNISTRING_LIBS) \
 $(NULL)
 if HAVE_CHECK
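Review bot: In the daemons/configure.ac hunk, the third argument of `AC_CHECK_HEADERS` is passed unquoted, unlike the `AC_CHECK_LIB` call directly below it. Quoting the action keeps the macro from being expanded before it is passed and matches the surrounding style: `AC_CHECK_HEADERS([unicase.h],,[AC_MSG_ERROR([Could not find unicase.h])])`.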
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 54869d8f9f19b7e19d03a5020782064d36aeadd3..f7797c493715d540f079ba3888e004418cdc19de 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -158,7 +158,7 @@ int ipadb_ldap_attr_to_krb5_timestamp(LDAP *lcontext, LDAPMessage *le, char *attrname, krb5_timestamp *result);
 int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le,
- char *attrname, char *value);
+ char *attrname, const char *value);
 int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le, LDAPDerefRes **results);
diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index e227602ea081cc155bfffb80d2fb1758a66fa9a5..112086b57c9f83895589538b5494ae81fb14a948 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -21,6 +21,7 @@
 */
 #include "ipa_kdb.h"
+#include <unicase.h>
 static struct timeval std_timeout = {300, 0};
@@ -518,20 +519,28 @@ int ipadb_ldap_attr_to_krb5_timestamp(LDAP *lcontext, LDAPMessage *le,
 }
 int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le,
- char *attrname, char *value)
+ char *attrname, const char *value)
 {
 struct berval **vals;
 int ret = ENOENT;
- int i;
+ int i, result;
 vals = ldap_get_values_len(lcontext, le, attrname);
 if (vals) {
 for (i = 0; vals[i]; i++) {
- if (strcasecmp(vals[i]->bv_val, value) == 0) {
+ if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len,
+ value, strlen(value),
+ NULL, NULL, &result) != 0) {
+ ret = errno;
+ break;
+ }
+
+ if (result == 0) {
 ret = 0;
 break;
 }
 }
+
 ldap_value_free_len(vals);
 }
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 3566e1ece897d79ced0f18a27c7acaaa64c83544..66d434a531b478dfff42dd7d389bc04ed72bad50 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -21,6 +21,7 @@
 */
 #include "ipa_kdb.h"
+#include <unicase.h>
 /*
 * During TGS request search by ipaKrbPrincipalName (case-insensitive)
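Review bot: In ipadb_ldap_attr_has_value() (daemons/ipa-kdb/ipa_kdb_common.c, hunk at -518), `ulc_casecmp()` is libunistring's locale-encoding variant, so it reads both buffers in the process's locale encoding while LDAP attribute values are normally UTF-8; the result for non-ASCII values therefore depends on the locale the KDC runs under. When the conversion fails, the `ret = errno; break;` path ends the scan at the first such value, so a matching value later in `vals` is never examined and the function returns something other than 0 or ENOENT, which callers outside this hunk may not expect. Consider `u8_casecmp()` from the same header with the buffers cast to `const uint8_t *`, or at least a comment above the call such as `/* compares in the locale encoding; the KDC must run in a UTF-8 locale */`.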
@@ -614,7 +615,7 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
 bool found = false;
 LDAPMessage *le = NULL;
 struct berval **vals;
- int i;
+ int i, result;
 ipactx = ipadb_get_context(kcontext);
 if (!ipactx) {
@@ -643,7 +644,11 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
 /* KDC will accept aliases when doing TGT lookup (ref_tgt_again in do_tgs_req.c */
 /* Use case-insensitive comparison in such cases */
 if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) {
- found = (strcasecmp(vals[i]->bv_val, (*principal)) == 0);
+ if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len,
+ (*principal), strlen(*principal),
+ NULL, NULL, &result) != 0)
+ return KRB5_KDB_INTERNAL_ERROR;
+ found = (result == 0);
 } else {
 found = (strcmp(vals[i]->bv_val, (*principal)) == 0);
 }
@@ -663,7 +668,11 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
 /* Again, if aliases are accepted by KDC, use case-insensitive comparison */
 if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) {
- found = (strcasecmp(vals[0]->bv_val, (*principal)) == 0);
+ if (ulc_casecmp(vals[0]->bv_val, vals[0]->bv_len,
+ (*principal), strlen(*principal),
+ NULL, NULL, &result) != 0)
+ return KRB5_KDB_INTERNAL_ERROR;
+ found = (result == 0);
 } else {
 found = (strcmp(vals[0]->bv_val, (*principal)) == 0);
 }
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 93c69e59181b59774709b81028526afbab5d0666..2b16778f928e8f48665e63beffb95a79b1a1842a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -71,6 +71,7 @@ BuildRequires: libsss_nss_idmap-devel
 BuildRequires: java-1.7.0-openjdk
 BuildRequires: libverto-devel
 BuildRequires: systemd
+BuildRequires: libunistring-devel
 # Find out Kerberos middle version to infer ABI changes in DAL driver
 # We cannot load DAL driver into KDC with wrong ABI.
--
1.8.3.1
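Review bot: In ipadb_find_principal() (daemons/ipa-kdb/ipa_kdb_principals.c, hunk at -643), the new `return KRB5_KDB_INTERNAL_ERROR;` leaves the function while `vals` is still held, and the hunk at -663 repeats this for `vals[0]`. The code that releases `vals` lies outside both hunks, so this is inferred, but if the release follows the comparison then each failed call leaks the array; `ldap_value_free_len(vals); return KRB5_KDB_INTERNAL_ERROR;` inside braces would avoid that. A single stored value that cannot be converted also turns the whole lookup into an internal error; treating it as a non-match (`found = false;`) would keep one malformed entry from failing lookups for other principals, if that behaviour is acceptable for the KDC.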