Diffstat (limited to 'debian/patches/0014-crypt-custom.patch')
-rw-r--r-- | debian/patches/0014-crypt-custom.patch | 210 |
1 files changed, 210 insertions, 0 deletions
diff --git a/debian/patches/0014-crypt-custom.patch b/debian/patches/0014-crypt-custom.patch
new file mode 100644
index 0000000..e900ed8
--- /dev/null
+++ b/debian/patches/0014-crypt-custom.patch
@@ -0,0 +1,210 @@
+--- a/perl/lib/Wallet/Config.pm
++++ b/perl/lib/Wallet/Config.pm
+@@ -791,39 +791,6 @@ with this ACL type. This variable must
+ 
+ our $LDAP_CACHE;
+ 
+-=back
+-
+-=head2 LDAP Principal Mapping
+-
+-Depending on the structure of the LDAP directory being queried,
+-there may not be any attribute in the directory whose value exactly
+-matches the Kerberos principal. The attribute designated by
+-LDAP_FILTER_ATTR may instead hold a transformation of the principal name
+-(such as the principal with the local realm stripped off, or rewritten
+-into an LDAP DN form). If this is the case, define a Perl function named
+-ldap_map_principal. This function will be called whenever an LDAP
+-attribute ACL is being verified. It will take one argument, the
+-principal, and is expected to return the value to search for in the LDAP
+-directory server.
+-
+-For example, if the principal name without the local realm is stored in
+-the C<uid> attribute in the directory, set LDAP_FILTER_ATTR to C<uid> and
+-then define ldap_map_attribute as follows:
+-
+- sub ldap_map_principal {
+- my ($principal) = @_;
+- $principal =~ s/\@EXAMPLE\.COM$//;
+- return $principal;
+- }
+-
+-Note that this example only removes the local realm (here, EXAMPLE.COM).
+-Any principal from some other realm will be left fully qualified, and then
+-presumably will not be found in the directory.
+-
+-=head1 FILE OBJECT ENCRYPTION
+-
+-=over 4
+-
+ =item LDAP_SECRET
+ 
+ Specifies an LDAP URL that is used to retrieve the secret to use when
+@@ -853,43 +820,34 @@ encrypted object.
+ 
+ our $LDAP_SECRET_PREFIX;
+ 
+-=item file_crypt;
+-
+-This functionality has not been implmented yet.
+-
+-The default encryption method is based on the twofish cypher. If
+-another encryption method is desired then the perl function file_crypt
+-should be defined in the configuration file. The function must accept
+-three parameters: the action to preform, the encryption secret, and
+-the string to encrypt or decrypt. For example:
+-
+- sub file_crypt {
+- use Crypt::RC4;
+- my ($action, $secret, $string) = @_;
+-
+- my $return_string;
+- if ($action eq 'encrypt') {
+- $return_string = RC4($secret, $string);
+- } elsif ($action eq 'decrypt') {
+- $return_string = RC4($secret, $string);
+- }
+- return $return_string;
+- }
++=back
+ 
+-=item file_crypt_secret
++=head2 LDAP Principal Mapping
+ 
+-This functionality has not been implmented yet.
++Depending on the structure of the LDAP directory being queried,
++there may not be any attribute in the directory whose value exactly
++matches the Kerberos principal. The attribute designated by
++LDAP_FILTER_ATTR may instead hold a transformation of the principal name
++(such as the principal with the local realm stripped off, or rewritten
++into an LDAP DN form). If this is the case, define a Perl function named
++ldap_map_principal. This function will be called whenever an LDAP
++attribute ACL is being verified. It will take one argument, the
++principal, and is expected to return the value to search for in the LDAP
++directory server.
+ 
+-The default method use is based on the twofish cypher. If another
+-method of retrieving a secret is desired then the perl function
+-file_crypt_secret should be defined. The function accepts no
+-parameters and returns the secret to be used. For example:
++For example, if the principal name without the local realm is stored in
++the C<uid> attribute in the directory, set LDAP_FILTER_ATTR to C<uid> and
++then define ldap_map_attribute as follows:
+ 
+- sub file_crypt_secret {
+- return "thisIsABadIdea";
++ sub ldap_map_principal {
++ my ($principal) = @_;
++ $principal =~ s/\@EXAMPLE\.COM$//;
++ return $principal;
+ }
+ 
+-=back
++Note that this example only removes the local realm (here, EXAMPLE.COM).
++Any principal from some other realm will be left fully qualified, and then
++presumably will not be found in the directory.
+ 
+ =head1 NETDB ACL CONFIGURATION
+ 
+@@ -1154,6 +1112,41 @@ as a base64 string.
+ return $cs;
+ }
+ 
++=head1 ENCRYPTION METHODS
++
++The default encryption method is based on the twofish cypher. If
++another encryption method is desired then the perl function file_crypt
++should be defined in the configuration file. The function must accept
++three parameters: the action to preform, the encryption secret, and
++the string to encrypt or decrypt. For example:
++
++ sub file_crypt {
++ my ($action, $secret, $string) = @_;
++
++ my $cipher = Crypt::CBC->new(-key => $secret,
++ -cipher => 'Blowfish');
++
++ my $return_string;
++ if ($action eq 'encrypt') {
++ $return_string = $cipher->encrypt($string);
++ } elsif ($action eq 'decrypt') {
++ $return_string = $cipher->decrypt($string);
++ } else {
++ print("Unknown encryption action ($action)\n");
++ }
++ return $return_string;
++ }
++
++The default method for retrieving the secret used to encryption
++operations is retrieved from an LDAP server. If another method of
++retrieving a secret is desired then the perl function
++file_crypt_secret should be defined. The function accepts no
++parameters and returns the secret to be used. For example:
++
++ sub file_crypt_secret {
++ return "thisIsABadIdea";
++ }
++
+ =head1 ENVIRONMENT
+ 
+ =over 4
+--- a/perl/lib/Wallet/Object/File.pm
++++ b/perl/lib/Wallet/Object/File.pm
+@@ -114,6 +114,11 @@ sub rename {
+ sub _get_crypt_key {
+ my ($self) = @_;
+ 
++ if (defined (&Wallet::Config::file_crypt_secret)) {
++ my $return_val = Wallet::Config::file_crypt_secret();
++ return $return_val;
++ }
++
+ # ldap:///basedn?attr?scope?filter
+ my $url = $Wallet::Config::LDAP_SECRET;
+ $url =~ s{^ldap:///}{}xmsi;
+@@ -173,14 +178,13 @@ sub _get_crypt_key {
+ }
+ 
+ sub _file_crypt {
+- my ($self, $action, $string) = @_;
++ my ($self, $action, $key, $string) = @_;
+ 
+ require Crypt::CBC;
+ require MIME::Base64;
+ 
+ my $return_string;
+ my $pre = $Wallet::Config::LDAP_SECRET_PREFIX;
+- my $key = $self->_get_crypt_key();
+ 
+ my $cipher = Crypt::CBC->new(
+ -key => $key,
+@@ -210,7 +214,13 @@ sub _file_crypt {
+ 
+ sub file_decrypt {
+ my ($self, $data, $user, $host, $time) = @_;
+- my $undata = $self->_file_crypt('decrypt', $data);
++ my $key = $self->_get_crypt_key();
++ my $undata;
++ if (defined (&Wallet::Config::file_crypt)) {
++ $undata = Wallet::Config::file_crypt('decrypt', $key, $data);
++ } else {
++ $undata = $self->_file_crypt('decrypt', $key, $data);
++ }
+ if ($undata eq $data) {
+ $self->store($data, $user, $host, $time);
+ }
+@@ -219,7 +229,13 @@ sub file_decrypt {
+ 
+ sub file_encrypt {
+ my ($self, $data) = @_;
+- my $endata = $self->_file_crypt('encrypt', $data);
++ my $key = $self->_get_crypt_key();
++ my $endata;
++ if (defined (&Wallet::Config::file_crypt)) {
++ $endata = Wallet::Config::file_crypt('encrypt', $key, $data);
++ } else {
++ $endata = $self->_file_crypt('encrypt', $key, $data);
++ }
+ return $endata;
+ }
+ 
|
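Review bot: The value returned by the new `file_crypt_secret` hook in `_get_crypt_key` is returned unchecked, so a hook that yields undef or an empty string is handed straight to `Crypt::CBC->new(-key => $key, ...)` (or to a custom `file_crypt`) as the key material, whereas the LDAP path it short-circuits presumably validates its lookup result in the part of `_get_crypt_key` that runs past the hunk. I would guard it before returning, e.g. `my $secret = Wallet::Config::file_crypt_secret(); return $secret if defined $secret && length $secret;` and then report the failure through whatever error path `_get_crypt_key` already uses when the LDAP lookup yields nothing. The same pass-through exists in `file_decrypt` and `file_encrypt`: whatever the custom `file_crypt` returns is used as-is, and the documented example returns undef on an unknown action after a bare `print`, so an undef result reaches `$undata eq $data` as a (warning-only) undef comparison rather than an error; the example should `die` on an unknown action. Lastly, the new POD offers Blowfish, a 64-bit-block legacy cipher, as the drop-in replacement for the Twofish default and says nothing about the length or encoding `file_crypt_secret` must return for the key, so the example should name a modern cipher and state the expected secret format, and the sentence `used to encryption operations is retrieved from an LDAP server` should read `used for encryption operations is to fetch it from an LDAP server`.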