krb5 commit: Remove partial LDAP client cert support

Greg Hudson ghudson at MIT.EDU
Thu Jan 31 15:04:19 EST 2013


https://github.com/krb5/krb5/commit/172b3f475e2d91d3a11dc42f630f238ec52712f9
commit 172b3f475e2d91d3a11dc42f630f238ec52712f9
Author: Greg Hudson <ghudson at mit.edu>
Date:   Thu Jan 31 13:40:36 2013 -0500

    Remove partial LDAP client cert support
    
    The LDAP KDB module has some code to interpret {FILE} values in stash
    files, and set the service_cert_path/pass fields in the ldap context.
    But there was no code to actually use those values to do client cert
    authentication, so it wasn't useful.  Remove the partial
    implementation.

 src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h        |    2 -
 src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c   |   89 +++-----------------
 src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c       |   10 --
 .../kdb/ldap/libkdb_ldap/ldap_service_stash.c      |   79 +++++++-----------
 4 files changed, 41 insertions(+), 139 deletions(-)

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index e828674..dcd313b 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -206,8 +206,6 @@ typedef struct _krb5_ldap_context {
     char                          *bind_pwd;
     char                          *service_password_file;
     char                          *root_certificate_file;
-    char                          *service_cert_path;
-    char                          *service_cert_pass;
     krb5_ldap_certificates        **certificates;
     krb5_ui_4                     cert_count; /* certificate count */
     k5_mutex_t                    hndl_lock;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
index 66c2cc8..6f53640 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
@@ -57,33 +57,15 @@ krb5_validate_ldap_context(krb5_context context,
         goto err_out;
     }
 
-    if (ldap_context->bind_pwd == NULL && ldap_context->service_password_file !=
-        NULL && ldap_context->service_cert_path == NULL) {
+    if (ldap_context->bind_pwd == NULL &&
+        ldap_context->service_password_file != NULL) {
         if ((st=krb5_ldap_readpassword(context, ldap_context, &password)) != 0) {
             prepend_err_str(context, _("Error reading password from stash: "),
                             st, st);
             goto err_out;
         }
 
-        /* Check if the returned 'password' is actually the path of a certificate */
-        if (!strncmp("{FILE}", (char *)password, 6)) {
-            /* 'password' format: <path>\0<password> */
-            ldap_context->service_cert_path = strdup((char *)password + strlen("{FILE}"));
-            if (password[strlen((char *)password) + 1] == '\0')
-                ldap_context->service_cert_pass = NULL;
-            else
-                ldap_context->service_cert_pass = strdup((char *)password +
-                                                         strlen((char *)password) + 1);
-            free(password);
-        } else {
-            ldap_context->bind_pwd = (char *)password;
-            if (ldap_context->bind_pwd == NULL) {
-                st = EINVAL;
-                krb5_set_error_message(context, st,
-                                       _("Error reading password from stash"));
-                goto err_out;
-            }
-        }
+        ldap_context->bind_pwd = (char *)password;
     }
 
     /* NULL password not allowed */
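Review bot: The explicit `bind_pwd == NULL` check that used to follow the assignment is gone, so the new code in krb5_validate_ldap_context now depends entirely on the `NULL password not allowed` check that begins at the end of this hunk and continues past it. krb5_ldap_readpassword initializes `*password` to NULL and only stores `PT.value` on its success path, so a NULL result with a zero return would have to come from dec_password itself; if that is impossible, a one-line comment above the assignment such as `/* readpassword yields a non-NULL buffer on success; NULL is rejected below. */` would make the dependence explicit for the next reader. The function continues outside the hunk.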
@@ -106,39 +88,13 @@ static krb5_error_code
 krb5_ldap_bind(krb5_ldap_context *ldap_context,
                krb5_ldap_server_handle *ldap_server_handle)
 {
-    krb5_error_code             st=0;
-    struct berval               bv={0, NULL}, *servercreds=NULL;
-
-    if (ldap_context->service_cert_path != NULL) {
-        /* Certificate based bind (SASL EXTERNAL mechanism) */
-
-        st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
-                              NULL,        /* Authenticating dn */
-                              "EXTERNAL",  /* Method used for authentication */
-                              &bv,
-                              NULL,
-                              NULL,
-                              &servercreds);
-
-        if (st == LDAP_SASL_BIND_IN_PROGRESS) {
-            st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
-                                  NULL,
-                                  "EXTERNAL",
-                                  servercreds,
-                                  NULL,
-                                  NULL,
-                                  &servercreds);
-        }
-    } else {
-        /* password based simple bind */
-        bv.bv_val = ldap_context->bind_pwd;
-        bv.bv_len = strlen(ldap_context->bind_pwd);
-        st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
-                              ldap_context->bind_dn,
-                              NULL, &bv, NULL,
-                              NULL, NULL);
-    }
-    return st;
+    struct berval               bv={0, NULL};
+
+    bv.bv_val = ldap_context->bind_pwd;
+    bv.bv_len = strlen(ldap_context->bind_pwd);
+    return ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
+                            ldap_context->bind_dn, NULL, &bv, NULL,
+                            NULL, NULL);
 }
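Review bot: krb5_ldap_bind now calls `strlen(ldap_context->bind_pwd)` with no guard of its own, which is correct only because krb5_validate_ldap_context rejects a NULL password earlier; that precondition should be stated in a comment above the function, e.g. `/* Password simple bind as bind_dn; caller guarantees bind_pwd != NULL (see krb5_validate_ldap_context). */`. With the SASL EXTERNAL branch removed, the password simple bind is the only authentication method left, and an LDAP simple bind sends bind_pwd to the server unprotected unless the connection is ldaps:// or upgraded with StartTLS, which is worth stating in that same comment now that the `{FILE}` stash syntax no longer offers a password-less alternative. Minor: the `bv={0, NULL}` initializer is overwritten on the next two lines, so `struct berval bv;` followed by the assignments, or a single designated initializer, reads cleaner.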
 
 static krb5_error_code
@@ -192,12 +148,11 @@ krb5_error_code
 krb5_ldap_db_init(krb5_context context, krb5_ldap_context *ldap_context)
 {
     krb5_error_code             st=0;
-    krb5_boolean                sasl_mech_supported=TRUE;
     int                         cnt=0, version=LDAP_VERSION3;
     struct timeval              local_timelimit = {10,0};
 
     if ((st=krb5_validate_ldap_context(context, ldap_context)) != 0)
-        goto err_out;
+        return st;
 
     ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_context->ldap_debug);
     ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
@@ -218,19 +173,6 @@ krb5_ldap_db_init(krb5_context context, krb5_ldap_context *ldap_context)
         if (server_info->server_status == NOTSET) {
             unsigned int conns=0;
 
-            /*
-             * Check if the server has to perform certificate-based authentication
-             */
-            if (ldap_context->service_cert_path != NULL) {
-                /* Find out if the server supports SASL EXTERNAL mechanism */
-                if (has_sasl_external_mech(context, server_info->server_name) == 1) {
-                    cnt++;
-                    sasl_mech_supported = FALSE;
-                    continue; /* Check the next LDAP server */
-                }
-                sasl_mech_supported = TRUE;
-            }
-
             krb5_clear_error_message(context);
 
 #ifdef LDAP_MOD_INCREMENT
@@ -252,14 +194,7 @@ krb5_ldap_db_init(krb5_context context, krb5_ldap_context *ldap_context)
     }
     HNDL_UNLOCK(ldap_context);
 
-err_out:
-    if (sasl_mech_supported == FALSE) {
-        st = KRB5_KDB_ACCESS_ERROR;
-        krb5_set_error_message (context, st,
-                                _("Certificate based authentication requested "
-                                  "but not supported by LDAP servers"));
-    }
-    return (st);
+    return st;
 }
 
 
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 3173f44..5f789da 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -498,16 +498,6 @@ krb5_ldap_free_server_context_params(krb5_ldap_context *ldap_context)
         ldap_context->service_password_file = NULL;
     }
 
-    if (ldap_context->service_cert_path != NULL) {
-        krb5_xfree(ldap_context->service_cert_path);
-        ldap_context->service_cert_path = NULL;
-    }
-
-    if (ldap_context->service_cert_pass != NULL) {
-        krb5_xfree(ldap_context->service_cert_pass);
-        ldap_context->service_cert_pass = NULL;
-    }
-
     if (ldap_context->certificates) {
         i=0;
         while (ldap_context->certificates[i] != NULL) {
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
index 7eb325b..b6f5413 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
@@ -42,6 +42,7 @@ krb5_ldap_readpassword(krb5_context context, krb5_ldap_context *ldap_context,
     char                        line[RECORDLEN]="0", *start=NULL, *file=NULL;
     char                        errbuf[1024];
     FILE                        *fptr=NULL;
+    struct data                 PT, CT;
 
     *password = NULL;
 
@@ -117,58 +118,36 @@ krb5_ldap_readpassword(krb5_context context, krb5_ldap_context *ldap_context,
         goto rp_exit;
     }
     ++ start;
-    /* Extract the plain password / certificate file information */
-    {
-        struct data PT, CT;
 
-        /* Check if the entry has the path of a certificate */
-        if (!strncmp(start, "{FILE}", strlen("{FILE}"))) {
-            /* Set *password = {FILE}<path to cert>\0<cert password> */
-            size_t len = strlen(start);
-
-            *password = (unsigned char *)malloc(len + 2);
-            if (*password == NULL) {
-                st = ENOMEM;
-                goto rp_exit;
-            }
-            memcpy(*password, start, len);
-            (*password)[len] = '\0';
-            (*password)[len + 1] = '\0';
-            goto got_password;
-        } else {
-            CT.value = (unsigned char *)start;
-            CT.len = strlen((char *)CT.value);
-            st = dec_password(CT, &PT);
-            if (st != 0) {
-                switch (st) {
-                case ERR_NO_MEM:
-                    st = ENOMEM;
-                    break;
-                case ERR_PWD_ZERO:
-                    st = EINVAL;
-                    krb5_set_error_message(context, st,
-                                           _("Password has zero length"));
-                    break;
-                case ERR_PWD_BAD:
-                    st = EINVAL;
-                    krb5_set_error_message(context, st,
-                                           _("Password corrupted"));
-                    break;
-                case ERR_PWD_NOT_HEX:
-                    st = EINVAL;
-                    krb5_set_error_message(context, st,
-                                           _("Not a hexadecimal password"));
-                    break;
-                default:
-                    st = KRB5_KDB_SERVER_INTERNAL_ERR;
-                    break;
-                }
-                goto rp_exit;
-            }
-            *password = PT.value;
+    /* Extract the plain password information. */
+    CT.value = (unsigned char *)start;
+    CT.len = strlen((char *)CT.value);
+    st = dec_password(CT, &PT);
+    if (st != 0) {
+        switch (st) {
+        case ERR_NO_MEM:
+            st = ENOMEM;
+            break;
+        case ERR_PWD_ZERO:
+            st = EINVAL;
+            krb5_set_error_message(context, st, _("Password has zero length"));
+            break;
+        case ERR_PWD_BAD:
+            st = EINVAL;
+            krb5_set_error_message(context, st, _("Password corrupted"));
+            break;
+        case ERR_PWD_NOT_HEX:
+            st = EINVAL;
+            krb5_set_error_message(context, st,
+                                   _("Not a hexadecimal password"));
+            break;
+        default:
+            st = KRB5_KDB_SERVER_INTERNAL_ERR;
+            break;
         }
+        goto rp_exit;
     }
-got_password:
+    *password = PT.value;
 
 rp_exit:
     if (st) {
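Review bot: After the rewrite the decoded bind password is handed back in `PT.value`, but the stash record it was decoded from remains in the stack buffer `line` declared at the top of krb5_ldap_readpassword, and nothing in the hunk clears it before reaching rp_exit; dec_password's ERR_PWD_NOT_HEX case shows the stored form is hex-encoded rather than encrypted, so that buffer is as sensitive as the password itself. Consider scrubbing it on the rp_exit path with a clear the compiler cannot elide (a plain `memset(line, 0, sizeof(line))` on a local about to go out of scope may be dead-store-eliminated), unless the cleanup that follows the hunk already does this. The rp_exit cleanup continues past the end of the hunk.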

