From 52b703a4c7cc43ae908300795569e27b64186ec8 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Thu, 6 Jan 2011 13:05:03 +0100
Subject: Convert obfuscated password once at startup
---
 src/providers/ldap/ldap_common.c | 41 ++++++++++++++++++++++++++++++
 src/providers/ldap/sdap_async_connection.c | 14 ----------
 2 files changed, 41 insertions(+), 14 deletions(-)
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index f0db53f2..c98dd4ff 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -28,6 +28,7 @@
 #include "providers/krb5/krb5_common.h"
 #include "util/sss_krb5.h"
+#include "util/crypto/sss_crypto.h"
 /* a fd the child process would log into */
 int ldap_child_debug_fd = -1;
@@ -203,6 +204,9 @@ int ldap_get_options(TALLOC_CTX *memctx,
 const char *ldap_deref;
 int ldap_deref_val;
 int o;
+ const char *authtok_type;
+ struct dp_opt_blob authtok_blob;
+ char *cleartext;
 const int search_base_options[] = { SDAP_USER_SEARCH_BASE,
 SDAP_GROUP_SEARCH_BASE,
 SDAP_NETGROUP_SEARCH_BASE,
@@ -391,6 +395,43 @@ int ldap_get_options(TALLOC_CTX *memctx,
 goto done;
 }
+ authtok_type = dp_opt_get_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE);
+ if (authtok_type != NULL &&
+ strcasecmp(authtok_type,"obfuscated_password") == 0) {
+ DEBUG(9, ("Found obfuscated password, "
+ "trying to convert to cleartext.\n"));
+
+ authtok_blob = dp_opt_get_blob(opts->basic, SDAP_DEFAULT_AUTHTOK);
+ if (authtok_blob.data == NULL || authtok_blob.length == 0) {
+ DEBUG(1, ("Missing obfuscated password string.\n"));
+ return EINVAL;
+ }
+
+ ret = sss_password_decrypt(memctx, (char *) authtok_blob.data,
+ &cleartext);
+ if (ret != EOK) {
+ DEBUG(1, ("Cannot convert the obfuscated "
+ "password back to cleartext\n"));
+ return ret;
+ }
+
+ authtok_blob.data = (uint8_t *) cleartext;
+ authtok_blob.length = strlen(cleartext);
+ ret = dp_opt_set_blob(opts->basic, SDAP_DEFAULT_AUTHTOK, authtok_blob);
+ talloc_free(cleartext);
+ if (ret != EOK) {
+ DEBUG(1, ("dp_opt_set_string failed.\n"));
+ return ret;
+ }
+
+ ret = dp_opt_set_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE,
+ "password");
+ if (ret != EOK) {
+ DEBUG(1, ("dp_opt_set_string failed.\n"));
+ return ret;
+ }
+ }
+
 ret = EOK;
 *_opts = opts;
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 986a56c9..ff8fb0d8 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -24,7 +24,6 @@
 #include "util/util.h"
 #include "util/sss_krb5.h"
 #include "providers/ldap/sdap_async_private.h"
-#include "util/crypto/sss_crypto.h"
 #define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D
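Review bot: The four early `return`s in the new obfuscated-password block bypass the function's `done:` path that the context line just above the block reaches with `goto done;`, so whatever cleanup that label performs (it is outside the hunk) is skipped on these error paths; set `ret` and jump as the surrounding code does, e.g. `ret = EINVAL; goto done;` in place of `return EINVAL;`. The message logged after the `dp_opt_set_blob` failure reads `dp_opt_set_string failed.` and should be `DEBUG(1, ("dp_opt_set_blob failed.\n"));`. The decrypted password is handed to `talloc_free(cleartext)` without being overwritten first, so the cleartext stays in freed heap memory; wipe the buffer before freeing it with a zeroization the compiler cannot drop as a dead store (a plain `memset` immediately before free is not reliable), and add a comment on the `dp_opt_set_blob` line noting that `SDAP_DEFAULT_AUTHTOK` now holds cleartext for the provider's lifetime rather than being decrypted per bind. That `talloc_free` also presumes `dp_opt_set_blob` duplicates the blob rather than retaining the pointer — if it does not, the stored option dangles; its implementation is not in the hunk. ldap_get_options begins and ends outside the hunk.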
@@ -970,25 +969,12 @@ static int sdap_auth_get_authtok(TALLOC_CTX *mem_ctx,
 struct dp_opt_blob authtok,
 struct berval *pw)
 {
- char *cleartext;
- int ret;
-
 if (!authtok_type) return EOK;
 if (!pw) return EINVAL;
 if (strcasecmp(authtok_type,"password") == 0) {
 pw->bv_len = authtok.length;
 pw->bv_val = (char *) authtok.data;
- } else if (strcasecmp(authtok_type,"obfuscated_password") == 0) {
- ret = sss_password_decrypt(mem_ctx, (char *) authtok.data, &cleartext);
- if (ret != EOK) {
- DEBUG(1, ("Cannot convert the obfuscated "
- "password back to cleartext\n"));
- return ret;
- }
-
- pw->bv_len = strlen(cleartext);
- pw->bv_val = (char *) cleartext;
 } else {
 DEBUG(1, ("Authentication token type [%s] is not supported\n",
 authtok_type));
--
cgit