authorGreg Hudson <ghudson@mit.edu>2013-01-31 13:40:36 -0500
committerGreg Hudson <ghudson@mit.edu>2013-01-31 15:04:07 -0500
commit172b3f475e2d91d3a11dc42f630f238ec52712f9 (patch)
tree73f53864b0dde1b940a29286a83a4a32a0bf99b3 /src/plugins
parentfedba8d99e616de74129b64f619990150eb334bb (diff)
Remove partial LDAP client cert support
The LDAP KDB module has some code to interpret {FILE} values in stash files, and set the service_cert_path/pass fields in the ldap context. But there was no code to actually use those values to do client cert authentication, so it wasn't useful. Remove the partial implementation.
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h2
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c89
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c10
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c77
4 files changed, 40 insertions, 138 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index e8286742e4..dcd313b91b 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -206,8 +206,6 @@ typedef struct _krb5_ldap_context {
char *bind_pwd;
char *service_password_file;
char *root_certificate_file;
- char *service_cert_path;
- char *service_cert_pass;
krb5_ldap_certificates **certificates;
krb5_ui_4 cert_count; /* certificate count */
k5_mutex_t hndl_lock;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
index 66c2cc87c5..6f53640604 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
@@ -57,33 +57,15 @@ krb5_validate_ldap_context(krb5_context context,
goto err_out;
}
- if (ldap_context->bind_pwd == NULL && ldap_context->service_password_file !=
- NULL && ldap_context->service_cert_path == NULL) {
+ if (ldap_context->bind_pwd == NULL &&
+ ldap_context->service_password_file != NULL) {
if ((st=krb5_ldap_readpassword(context, ldap_context, &password)) != 0) {
prepend_err_str(context, _("Error reading password from stash: "),
st, st);
goto err_out;
}
- /* Check if the returned 'password' is actually the path of a certificate */
- if (!strncmp("{FILE}", (char *)password, 6)) {
- /* 'password' format: <path>\0<password> */
- ldap_context->service_cert_path = strdup((char *)password + strlen("{FILE}"));
- if (password[strlen((char *)password) + 1] == '\0')
- ldap_context->service_cert_pass = NULL;
- else
- ldap_context->service_cert_pass = strdup((char *)password +
- strlen((char *)password) + 1);
- free(password);
- } else {
- ldap_context->bind_pwd = (char *)password;
- if (ldap_context->bind_pwd == NULL) {
- st = EINVAL;
- krb5_set_error_message(context, st,
- _("Error reading password from stash"));
- goto err_out;
- }
- }
+ ldap_context->bind_pwd = (char *)password;
}
/* NULL password not allowed */
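Review bot: The new `ldap_context->bind_pwd = (char *)password;` drops the in-branch NULL check, and the only thing the hunk shows covering that case is the `/* NULL password not allowed */` comment that follows; presumably the bind_pwd == NULL test itself sits just past the hunk, so the removal looks safe but the reliance is now implicit. A one-line comment would make the hand-off explicit, e.g. `/* Ownership of the stash-derived password passes to ldap_context; the NULL case is rejected below. */`, since nothing in this function frees `password` after assignment. krb5_validate_ldap_context begins and ends outside this hunk.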
@@ -106,39 +88,13 @@ static krb5_error_code
krb5_ldap_bind(krb5_ldap_context *ldap_context,
krb5_ldap_server_handle *ldap_server_handle)
{
- krb5_error_code st=0;
- struct berval bv={0, NULL}, *servercreds=NULL;
-
- if (ldap_context->service_cert_path != NULL) {
- /* Certificate based bind (SASL EXTERNAL mechanism) */
-
- st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
- NULL, /* Authenticating dn */
- "EXTERNAL", /* Method used for authentication */
- &bv,
- NULL,
- NULL,
- &servercreds);
-
- if (st == LDAP_SASL_BIND_IN_PROGRESS) {
- st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
- NULL,
- "EXTERNAL",
- servercreds,
- NULL,
- NULL,
- &servercreds);
- }
- } else {
- /* password based simple bind */
- bv.bv_val = ldap_context->bind_pwd;
- bv.bv_len = strlen(ldap_context->bind_pwd);
- st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
- ldap_context->bind_dn,
- NULL, &bv, NULL,
- NULL, NULL);
- }
- return st;
+ struct berval bv={0, NULL};
+
+ bv.bv_val = ldap_context->bind_pwd;
+ bv.bv_len = strlen(ldap_context->bind_pwd);
+ return ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
+ ldap_context->bind_dn, NULL, &bv, NULL,
+ NULL, NULL);
}
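Review bot: `bv.bv_len = strlen(ldap_context->bind_pwd);` on the new side dereferences bind_pwd with no guard, and the old EXTERNAL branch was the only path that did not. krb5_validate_ldap_context (previous hunk) is expected to reject a NULL password before krb5_ldap_db_init gets here, but krb5_ldap_bind is static and may also be reached from reconnect code outside this view, so the precondition should be stated rather than assumed: `/* Precondition: ldap_context->bind_pwd != NULL (enforced by krb5_validate_ldap_context). */`. The LDAP result from ldap_sasl_bind_s is still returned directly as a krb5_error_code, unchanged from the old body; a comment saying the caller is responsible for translating it would spare the next reader the same question.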
static krb5_error_code
@@ -192,12 +148,11 @@ krb5_error_code
krb5_ldap_db_init(krb5_context context, krb5_ldap_context *ldap_context)
{
krb5_error_code st=0;
- krb5_boolean sasl_mech_supported=TRUE;
int cnt=0, version=LDAP_VERSION3;
struct timeval local_timelimit = {10,0};
if ((st=krb5_validate_ldap_context(context, ldap_context)) != 0)
- goto err_out;
+ return st;
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_context->ldap_debug);
ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
@@ -218,19 +173,6 @@ krb5_ldap_db_init(krb5_context context, krb5_ldap_context *ldap_context)
if (server_info->server_status == NOTSET) {
unsigned int conns=0;
- /*
- * Check if the server has to perform certificate-based authentication
- */
- if (ldap_context->service_cert_path != NULL) {
- /* Find out if the server supports SASL EXTERNAL mechanism */
- if (has_sasl_external_mech(context, server_info->server_name) == 1) {
- cnt++;
- sasl_mech_supported = FALSE;
- continue; /* Check the next LDAP server */
- }
- sasl_mech_supported = TRUE;
- }
-
krb5_clear_error_message(context);
#ifdef LDAP_MOD_INCREMENT
@@ -252,14 +194,7 @@ krb5_ldap_db_init(krb5_context context, krb5_ldap_context *ldap_context)
}
HNDL_UNLOCK(ldap_context);
-err_out:
- if (sasl_mech_supported == FALSE) {
- st = KRB5_KDB_ACCESS_ERROR;
- krb5_set_error_message (context, st,
- _("Certificate based authentication requested "
- "but not supported by LDAP servers"));
- }
- return (st);
+ return st;
}
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 3173f4439a..5f789da983 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -498,16 +498,6 @@ krb5_ldap_free_server_context_params(krb5_ldap_context *ldap_context)
ldap_context->service_password_file = NULL;
}
- if (ldap_context->service_cert_path != NULL) {
- krb5_xfree(ldap_context->service_cert_path);
- ldap_context->service_cert_path = NULL;
- }
-
- if (ldap_context->service_cert_pass != NULL) {
- krb5_xfree(ldap_context->service_cert_pass);
- ldap_context->service_cert_pass = NULL;
- }
-
if (ldap_context->certificates) {
i=0;
while (ldap_context->certificates[i] != NULL) {
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
index 7eb325b34a..b6f54131b8 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
@@ -42,6 +42,7 @@ krb5_ldap_readpassword(krb5_context context, krb5_ldap_context *ldap_context,
char line[RECORDLEN]="0", *start=NULL, *file=NULL;
char errbuf[1024];
FILE *fptr=NULL;
+ struct data PT, CT;
*password = NULL;
@@ -117,58 +118,36 @@ krb5_ldap_readpassword(krb5_context context, krb5_ldap_context *ldap_context,
goto rp_exit;
}
++ start;
- /* Extract the plain password / certificate file information */
- {
- struct data PT, CT;
- /* Check if the entry has the path of a certificate */
- if (!strncmp(start, "{FILE}", strlen("{FILE}"))) {
- /* Set *password = {FILE}<path to cert>\0<cert password> */
- size_t len = strlen(start);
-
- *password = (unsigned char *)malloc(len + 2);
- if (*password == NULL) {
- st = ENOMEM;
- goto rp_exit;
- }
- memcpy(*password, start, len);
- (*password)[len] = '\0';
- (*password)[len + 1] = '\0';
- goto got_password;
- } else {
- CT.value = (unsigned char *)start;
- CT.len = strlen((char *)CT.value);
- st = dec_password(CT, &PT);
- if (st != 0) {
- switch (st) {
- case ERR_NO_MEM:
- st = ENOMEM;
- break;
- case ERR_PWD_ZERO:
- st = EINVAL;
- krb5_set_error_message(context, st,
- _("Password has zero length"));
- break;
- case ERR_PWD_BAD:
- st = EINVAL;
- krb5_set_error_message(context, st,
- _("Password corrupted"));
- break;
- case ERR_PWD_NOT_HEX:
- st = EINVAL;
- krb5_set_error_message(context, st,
- _("Not a hexadecimal password"));
- break;
- default:
- st = KRB5_KDB_SERVER_INTERNAL_ERR;
- break;
- }
- goto rp_exit;
- }
- *password = PT.value;
+ /* Extract the plain password information. */
+ CT.value = (unsigned char *)start;
+ CT.len = strlen((char *)CT.value);
+ st = dec_password(CT, &PT);
+ if (st != 0) {
+ switch (st) {
+ case ERR_NO_MEM:
+ st = ENOMEM;
+ break;
+ case ERR_PWD_ZERO:
+ st = EINVAL;
+ krb5_set_error_message(context, st, _("Password has zero length"));
+ break;
+ case ERR_PWD_BAD:
+ st = EINVAL;
+ krb5_set_error_message(context, st, _("Password corrupted"));
+ break;
+ case ERR_PWD_NOT_HEX:
+ st = EINVAL;
+ krb5_set_error_message(context, st,
+ _("Not a hexadecimal password"));
+ break;
+ default:
+ st = KRB5_KDB_SERVER_INTERNAL_ERR;
+ break;
}
+ goto rp_exit;
}
-got_password:
+ *password = PT.value;
rp_exit:
if (st) {
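Review bot: With the `{FILE}` branch gone, a stash entry that still begins with `{FILE}` is now handed to dec_password, which presumably fails it as `ERR_PWD_NOT_HEX`, so an operator with an old-format stash gets "Not a hexadecimal password" with no hint about the real cause. An explicit rejection before the dec_password call would give an actionable message and keep the code-to-errno mapping below untouched. The mapping itself is fine; only the leading check is new. krb5_ldap_readpassword continues past rp_exit outside this hunk.
```c
    ++ start;
    /* {FILE} records belonged to the removed client-cert support; reject them
     * here so the failure is not reported as a hex-decoding error. */
    if (strncmp(start, "{FILE}", strlen("{FILE}")) == 0) {
        st = EINVAL;
        krb5_set_error_message(context, st,
                               _("Certificate stash entries are not supported"));
        goto rp_exit;
    }
    /* … unchanged: dec_password call and error-code mapping … */
```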