author | Greg Hudson <ghudson@mit.edu> | 2013-01-31 13:40:36 -0500 |
committer | Greg Hudson <ghudson@mit.edu> | 2013-01-31 15:04:07 -0500 |
commit | 172b3f475e2d91d3a11dc42f630f238ec52712f9 (patch) | |
tree | 73f53864b0dde1b940a29286a83a4a32a0bf99b3 | |
parent | fedba8d99e616de74129b64f619990150eb334bb (diff) | |
Remove partial LDAP client cert support
The LDAP KDB module has some code to interpret {FILE} values in stash
files, and set the service_cert_path/pass fields in the ldap context.
But there was no code to actually use those values to do client cert
authentication, so it wasn't useful. Remove the partial
implementation.
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 2 | ||||
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c | 89 | ||||
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 10 | ||||
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c | 77 |
4 files changed, 40 insertions, 138 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index e8286742e4..dcd313b91b 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -206,8 +206,6 @@ typedef struct _krb5_ldap_context {
 char *bind_pwd;
 char *service_password_file;
 char *root_certificate_file;
- char *service_cert_path;
- char *service_cert_pass;
 krb5_ldap_certificates **certificates;
 krb5_ui_4 cert_count; /* certificate count */
 k5_mutex_t hndl_lock;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
index 66c2cc87c5..6f53640604 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
@@ -57,33 +57,15 @@ krb5_validate_ldap_context(krb5_context context,
 goto err_out;
 }
- if (ldap_context->bind_pwd == NULL && ldap_context->service_password_file !=
- NULL && ldap_context->service_cert_path == NULL) {
+ if (ldap_context->bind_pwd == NULL &&
+ ldap_context->service_password_file != NULL) {
 if ((st=krb5_ldap_readpassword(context, ldap_context, &password)) != 0) {
 prepend_err_str(context, _("Error reading password from stash: "), st, st);
 goto err_out;
 }
- /* Check if the returned 'password' is actually the path of a certificate */
- if (!strncmp("{FILE}", (char *)password, 6)) {
- /* 'password' format: <path>\0<password> */
- ldap_context->service_cert_path = strdup((char *)password + strlen("{FILE}"));
- if (password[strlen((char *)password) + 1] == '\0')
- ldap_context->service_cert_pass = NULL;
- else
- ldap_context->service_cert_pass = strdup((char *)password +
- strlen((char *)password) + 1);
- free(password);
- } else {
- ldap_context->bind_pwd = (char *)password;
- if (ldap_context->bind_pwd == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st,
- _("Error reading password from stash"));
- goto err_out;
- }
- }
+ ldap_context->bind_pwd = (char *)password;
 }
 /* NULL password not allowed */
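Review bot: `ldap_context->bind_pwd = (char *)password;` drops the EINVAL path the old branch had for a NULL result, so the only remaining guard is the `/* NULL password not allowed */` check that begins right after this hunk; worth confirming that check is still reached on this path, since krb5_validate_ldap_context continues outside the hunk. The context now owns the decoded stash password for its whole lifetime, and the matching release in krb5_ldap_free_server_context_params is not visible here; if it is a plain krb5_xfree, zeroing the buffer first (krb5's zap() helper) keeps the bind password out of freed heap. A one-line ownership comment above the assignment would also help a later reader: `/* Takes ownership of the decoded stash password; released with the context. */`.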
@@ -106,39 +88,13 @@ static krb5_error_code
 krb5_ldap_bind(krb5_ldap_context *ldap_context,
 krb5_ldap_server_handle *ldap_server_handle)
 {
- krb5_error_code st=0;
- struct berval bv={0, NULL}, *servercreds=NULL;
-
- if (ldap_context->service_cert_path != NULL) {
- /* Certificate based bind (SASL EXTERNAL mechanism) */
-
- st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
- NULL, /* Authenticating dn */
- "EXTERNAL", /* Method used for authentication */
- &bv,
- NULL,
- NULL,
- &servercreds);
-
- if (st == LDAP_SASL_BIND_IN_PROGRESS) {
- st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
- NULL,
- "EXTERNAL",
- servercreds,
- NULL,
- NULL,
- &servercreds);
- }
- } else {
- /* password based simple bind */
- bv.bv_val = ldap_context->bind_pwd;
- bv.bv_len = strlen(ldap_context->bind_pwd);
- st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
- ldap_context->bind_dn,
- NULL, &bv, NULL,
- NULL, NULL);
- }
- return st;
+ struct berval bv={0, NULL};
+
+ bv.bv_val = ldap_context->bind_pwd;
+ bv.bv_len = strlen(ldap_context->bind_pwd);
+ return ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
+ ldap_context->bind_dn, NULL, &bv, NULL,
+ NULL, NULL);
 }
 static krb5_error_code
@@ -192,12 +148,11 @@ krb5_error_code
 krb5_ldap_db_init(krb5_context context, krb5_ldap_context *ldap_context)
 {
 krb5_error_code st=0;
- krb5_boolean sasl_mech_supported=TRUE;
 int cnt=0, version=LDAP_VERSION3;
 struct timeval local_timelimit = {10,0};
 if ((st=krb5_validate_ldap_context(context, ldap_context)) != 0)
- goto err_out;
+ return st;
 ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_context->ldap_debug);
 ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
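Review bot: In the new krb5_ldap_bind body `bv` is zero-initialized and then both of its fields are assigned; a designated initializer states the same thing in one declaration: `struct berval bv = { .bv_len = strlen(ldap_context->bind_pwd), .bv_val = ldap_context->bind_pwd };`. The `strlen()` call assumes bind_pwd is non-NULL, which the "NULL password not allowed" check in krb5_validate_ldap_context appears to guarantee, but that dependency is invisible here and would be worth recording: `/* bind_pwd is non-NULL: enforced by krb5_validate_ldap_context(). */`. The function now has no local status variable, so the removed `st` handling does not need replacing.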
@@ -218,19 +173,6 @@ krb5_ldap_db_init(krb5_context context, krb5_ldap_context *ldap_context)
 if (server_info->server_status == NOTSET) {
 unsigned int conns=0;
- /*
- * Check if the server has to perform certificate-based authentication
- */
- if (ldap_context->service_cert_path != NULL) {
- /* Find out if the server supports SASL EXTERNAL mechanism */
- if (has_sasl_external_mech(context, server_info->server_name) == 1) {
- cnt++;
- sasl_mech_supported = FALSE;
- continue; /* Check the next LDAP server */
- }
- sasl_mech_supported = TRUE;
- }
-
 krb5_clear_error_message(context);
 #ifdef LDAP_MOD_INCREMENT
@@ -252,14 +194,7 @@ krb5_ldap_db_init(krb5_context context, krb5_ldap_context *ldap_context)
 }
 HNDL_UNLOCK(ldap_context);
-err_out:
- if (sasl_mech_supported == FALSE) {
- st = KRB5_KDB_ACCESS_ERROR;
- krb5_set_error_message (context, st,
- _("Certificate based authentication requested "
- "but not supported by LDAP servers"));
- }
- return (st);
+ return st;
 }
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 3173f4439a..5f789da983 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -498,16 +498,6 @@ krb5_ldap_free_server_context_params(krb5_ldap_context *ldap_context)
 ldap_context->service_password_file = NULL;
 }
- if (ldap_context->service_cert_path != NULL) {
- krb5_xfree(ldap_context->service_cert_path);
- ldap_context->service_cert_path = NULL;
- }
-
- if (ldap_context->service_cert_pass != NULL) {
- krb5_xfree(ldap_context->service_cert_pass);
- ldap_context->service_cert_pass = NULL;
- }
-
 if (ldap_context->certificates) {
 i=0;
 while (ldap_context->certificates[i] != NULL) {
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
index 7eb325b34a..b6f54131b8 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
@@ -42,6 +42,7 @@ krb5_ldap_readpassword(krb5_context context, krb5_ldap_context *ldap_context,
 char line[RECORDLEN]="0", *start=NULL, *file=NULL;
 char errbuf[1024];
 FILE *fptr=NULL;
+ struct data PT, CT;
 *password = NULL;
@@ -117,58 +118,36 @@ krb5_ldap_readpassword(krb5_context context, krb5_ldap_context *ldap_context,
 goto rp_exit;
 }
 ++ start;
- /* Extract the plain password / certificate file information */
- {
- struct data PT, CT;
- /* Check if the entry has the path of a certificate */
- if (!strncmp(start, "{FILE}", strlen("{FILE}"))) {
- /* Set *password = {FILE}<path to cert>\0<cert password> */
- size_t len = strlen(start);
-
- *password = (unsigned char *)malloc(len + 2);
- if (*password == NULL) {
- st = ENOMEM;
- goto rp_exit;
- }
- memcpy(*password, start, len);
- (*password)[len] = '\0';
- (*password)[len + 1] = '\0';
- goto got_password;
- } else {
- CT.value = (unsigned char *)start;
- CT.len = strlen((char *)CT.value);
- st = dec_password(CT, &PT);
- if (st != 0) {
- switch (st) {
- case ERR_NO_MEM:
- st = ENOMEM;
- break;
- case ERR_PWD_ZERO:
- st = EINVAL;
- krb5_set_error_message(context, st,
- _("Password has zero length"));
- break;
- case ERR_PWD_BAD:
- st = EINVAL;
- krb5_set_error_message(context, st,
- _("Password corrupted"));
- break;
- case ERR_PWD_NOT_HEX:
- st = EINVAL;
- krb5_set_error_message(context, st,
- _("Not a hexadecimal password"));
- break;
- default:
- st = KRB5_KDB_SERVER_INTERNAL_ERR;
- break;
- }
- goto rp_exit;
- }
- *password = PT.value;
+ /* Extract the plain password information. */
+ CT.value = (unsigned char *)start;
+ CT.len = strlen((char *)CT.value);
+ st = dec_password(CT, &PT);
+ if (st != 0) {
+ switch (st) {
+ case ERR_NO_MEM:
+ st = ENOMEM;
+ break;
+ case ERR_PWD_ZERO:
+ st = EINVAL;
+ krb5_set_error_message(context, st, _("Password has zero length"));
+ break;
+ case ERR_PWD_BAD:
+ st = EINVAL;
+ krb5_set_error_message(context, st, _("Password corrupted"));
+ break;
+ case ERR_PWD_NOT_HEX:
+ st = EINVAL;
+ krb5_set_error_message(context, st,
+ _("Not a hexadecimal password"));
+ break;
+ default:
+ st = KRB5_KDB_SERVER_INTERNAL_ERR;
+ break;
 }
+ goto rp_exit;
 }
-got_password:
+ *password = PT.value;
 rp_exit:
 if (st) {
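Review bot: A stash entry that still begins with `{FILE}` now goes straight into the decoder at `st = dec_password(CT, &PT);`, so an administrator with an old certificate-style stash presumably sees "Not a hexadecimal password" rather than a message naming the real cause. Since the format is being dropped deliberately, a short explicit rejection before the decode turns a silent format change into an actionable error; the rest of krb5_ldap_readpassword, including the cleanup after rp_exit, is outside the hunk. Relatedly, `line` still holds the hex-encoded password after a successful decode; unless the rp_exit cleanup already clears it, a `zap(line, sizeof(line));` there would keep the stash contents out of the KDC's stack after return.
```c
    ++ start;
    /* Certificate-style "{FILE}" entries are no longer understood; say so
     * instead of reporting them as malformed hex. */
    if (strncmp(start, "{FILE}", strlen("{FILE}")) == 0) {
        st = EINVAL;
        krb5_set_error_message(context, st,
                               _("{FILE} stash entries are not supported"));
        goto rp_exit;
    }
    /* … unchanged: dec_password() call and error-code mapping … */
```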