path: root/debian/patches/0014-crypt-custom.patch
--- a/perl/lib/Wallet/Config.pm
+++ b/perl/lib/Wallet/Config.pm
@@ -791,39 +791,6 @@ with this ACL type.  This variable must
 
 our $LDAP_CACHE;
 
-=back
-
-=head2 LDAP Principal Mapping
-
-Depending on the structure of the LDAP directory being queried,
-there may not be any attribute in the directory whose value exactly
-matches the Kerberos principal.  The attribute designated by
-LDAP_FILTER_ATTR may instead hold a transformation of the principal name
-(such as the principal with the local realm stripped off, or rewritten
-into an LDAP DN form).  If this is the case, define a Perl function named
-ldap_map_principal.  This function will be called whenever an LDAP
-attribute ACL is being verified.  It will take one argument, the
-principal, and is expected to return the value to search for in the LDAP
-directory server.
-
-For example, if the principal name without the local realm is stored in
-the C<uid> attribute in the directory, set LDAP_FILTER_ATTR to C<uid> and
-then define ldap_map_attribute as follows:
-
-    sub ldap_map_principal {
-        my ($principal) = @_;
-        $principal =~ s/\@EXAMPLE\.COM$//;
-        return $principal;
-    }
-
-Note that this example only removes the local realm (here, EXAMPLE.COM).
-Any principal from some other realm will be left fully qualified, and then
-presumably will not be found in the directory.
-
-=head1 FILE OBJECT ENCRYPTION
-
-=over 4
-
 =item LDAP_SECRET
 
 Specifies an LDAP URL that is used to retrieve the secret to use when
@@ -853,43 +820,34 @@ encrypted object.
 
 our $LDAP_SECRET_PREFIX;
 
-=item file_crypt;
-
-This functionality has not been implmented yet.
-
-The default encryption method is based on the twofish cypher.  If
-another encryption method is desired then the perl function file_crypt
-should be defined in the configuration file.  The function must accept
-three parameters: the action to preform, the encryption secret, and
-the string to encrypt or decrypt.  For example:
-
-    sub file_crypt {
-        use Crypt::RC4;
-        my ($action, $secret, $string) = @_;
-
-        my $return_string;
-        if ($action eq 'encrypt') {
-            $return_string = RC4($secret, $string);
-        } elsif ($action eq 'decrypt') {
-            $return_string = RC4($secret, $string);
-        }
-        return $return_string;
-    }
+=back
 
-=item file_crypt_secret
+=head2 LDAP Principal Mapping
 
-This functionality has not been implmented yet.
+Depending on the structure of the LDAP directory being queried,
+there may not be any attribute in the directory whose value exactly
+matches the Kerberos principal.  The attribute designated by
+LDAP_FILTER_ATTR may instead hold a transformation of the principal name
+(such as the principal with the local realm stripped off, or rewritten
+into an LDAP DN form).  If this is the case, define a Perl function named
+ldap_map_principal.  This function will be called whenever an LDAP
+attribute ACL is being verified.  It will take one argument, the
+principal, and is expected to return the value to search for in the LDAP
+directory server.
 
-The default method use is based on the twofish cypher.  If another
-method of retrieving a secret is desired then the perl function
-file_crypt_secret should be defined.  The function accepts no
-parameters and returns the secret to be used.  For example:
+For example, if the principal name without the local realm is stored in
+the C<uid> attribute in the directory, set LDAP_FILTER_ATTR to C<uid> and
+then define ldap_map_attribute as follows:
 
-    sub file_crypt_secret {
-        return "thisIsABadIdea";
+    sub ldap_map_principal {
+        my ($principal) = @_;
+        $principal =~ s/\@EXAMPLE\.COM$//;
+        return $principal;
     }
 
-=back
+Note that this example only removes the local realm (here, EXAMPLE.COM).
+Any principal from some other realm will be left fully qualified, and then
+presumably will not be found in the directory.
 
 =head1 NETDB ACL CONFIGURATION
 
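Review bot: The relocated "For example" paragraph still tells the reader to "define ldap_map_attribute as follows", but the function the surrounding text and the code example describe is `ldap_map_principal`; since this block is being rewritten anyway, the sentence should read `then define ldap_map_principal as follows:`. Whether the code looks the hook up under that exact name cannot be seen from this patch, so it is worth confirming against the ACL verifier before changing the prose.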
@@ -1154,6 +1112,41 @@ as a base64 string.
         return $cs;
     }
 
+=head1 ENCRYPTION METHODS
+
+The default encryption method is based on the twofish cypher.  If
+another encryption method is desired then the perl function file_crypt
+should be defined in the configuration file.  The function must accept
+three parameters: the action to preform, the encryption secret, and
+the string to encrypt or decrypt.  For example:
+
+    sub file_crypt {
+        my ($action, $secret, $string) = @_;
+
+        my $cipher = Crypt::CBC->new(-key    => $secret,
+                                     -cipher => 'Blowfish');
+
+        my $return_string;
+        if ($action eq 'encrypt') {
+            $return_string = $cipher->encrypt($string);
+        } elsif ($action eq 'decrypt') {
+            $return_string = $cipher->decrypt($string);
+        } else {
+            print("Unknown encryption action ($action)\n");
+        }
+        return $return_string;
+    }
+
+The default method for retrieving the secret used to encryption
+operations is retrieved from an LDAP server.  If another method of
+retrieving a secret is desired then the perl function
+file_crypt_secret should be defined.  The function accepts no
+parameters and returns the secret to be used.  For example:
+
+    sub file_crypt_secret {
+        return "thisIsABadIdea";
+    }
+
 =head1 ENVIRONMENT
 
 =over 4
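Review bot: The `file_crypt` example given here prints a message and returns undef on an unrecognised action, so a site that copies it hands undef back to `file_decrypt`/`file_encrypt`, which go on to treat the result as a string; the example should fail loudly instead, `die "Unknown encryption action ($action)\n";`, in place of the `print`. The example also calls `Crypt::CBC->new` without a `require Crypt::CBC;` in the sub, which a configuration file will only get for free if the module has been loaded elsewhere first. While the text is being rewritten, the wording should also be fixed: "cypher" → "cipher", "preform" → "perform", and the secret paragraph's opening sentence should read `By default the secret used for encryption operations is retrieved from an LDAP server.`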
--- a/perl/lib/Wallet/Object/File.pm
+++ b/perl/lib/Wallet/Object/File.pm
@@ -114,6 +114,11 @@ sub rename {
 sub _get_crypt_key {
     my ($self) = @_;
 
+    if (defined (&Wallet::Config::file_crypt_secret)) {
+        my $return_val = Wallet::Config::file_crypt_secret();
+        return $return_val;
+    }
+
     # ldap:///basedn?attr?scope?filter
     my $url = $Wallet::Config::LDAP_SECRET;
     $url =~ s{^ldap:///}{}xmsi;
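Review bot: The value returned by a site-defined `file_crypt_secret` is passed on without any check, so an undef or empty secret goes straight into the Crypt::CBC key in `_file_crypt` (next hunk) or into a custom `file_crypt`; the early return should validate it: `my $secret = Wallet::Config::file_crypt_secret();` / `die "file_crypt_secret returned no secret\n" unless defined $secret && length $secret;` / `return $secret;`. Validating it here also covers the new `$key` parameter of `_file_crypt`, whose hunk adds no check of its own. `_get_crypt_key` continues past the end of this hunk, so the LDAP branch is not reviewed here.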
@@ -173,14 +178,13 @@ sub _get_crypt_key {
 }
 
 sub _file_crypt {
-    my ($self, $action, $string) = @_;
+    my ($self, $action, $key, $string) = @_;
 
     require Crypt::CBC;
     require MIME::Base64;
 
     my $return_string;
     my $pre = $Wallet::Config::LDAP_SECRET_PREFIX;
-    my $key = $self->_get_crypt_key();
 
     my $cipher = Crypt::CBC->new(
         -key        => $key,
@@ -210,7 +214,13 @@ sub _file_crypt {
 
 sub file_decrypt {
     my ($self, $data, $user, $host, $time) = @_;
-    my $undata = $self->_file_crypt('decrypt', $data);
+    my $key = $self->_get_crypt_key();
+    my $undata;
+    if (defined (&Wallet::Config::file_crypt)) {
+        $undata = Wallet::Config::file_crypt('decrypt', $key, $data);
+    } else {
+        $undata = $self->_file_crypt('decrypt', $key, $data);
+    }
     if ($undata eq $data) {
         $self->store($data, $user, $host, $time);
     }
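Review bot: The result of a site-defined `file_crypt` is used unchecked, so when it returns undef (which the documented example does on an unexpected action) `$undata eq $data` compares undef under warnings and the caller receives undef rather than an error; the same pattern, and the same six-line dispatch on `defined &Wallet::Config::file_crypt`, is duplicated in `file_encrypt` at the next hunk. I would move the dispatch and a `defined` check into one private helper so both public methods stay a single call and a misbehaving hook fails with a clear message instead of being stored or returned; turning undef into a `die` is a behaviour change for such hooks, which presumably is the intent since callers expect a string. `file_decrypt` ends outside this hunk, so the comparison and `store` lines after the dispatch are not reviewed here.
```perl
# Run $action through the site-defined file_crypt when the configuration
# provides one, otherwise through the built-in CBC implementation.  A hook
# that returns undef is treated as an error rather than as data.
sub _crypt_with_config {
    my ($self, $action, $key, $data) = @_;
    my $result;
    if (defined &Wallet::Config::file_crypt) {
        $result = Wallet::Config::file_crypt($action, $key, $data);
    } else {
        $result = $self->_file_crypt($action, $key, $data);
    }
    die "file_crypt returned no data for $action\n" unless defined $result;
    return $result;
}

sub file_decrypt {
    my ($self, $data, $user, $host, $time) = @_;
    my $key = $self->_get_crypt_key();
    my $undata = $self->_crypt_with_config('decrypt', $key, $data);
    # … unchanged: comparison with $data and store() …
```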
@@ -219,7 +229,13 @@ sub file_decrypt {
 
 sub file_encrypt {
     my ($self, $data) = @_;
-    my $endata = $self->_file_crypt('encrypt', $data);
+    my $key = $self->_get_crypt_key();
+    my $endata;
+    if (defined (&Wallet::Config::file_crypt)) {
+        $endata = Wallet::Config::file_crypt('encrypt', $key, $data);
+    } else {
+        $endata = $self->_file_crypt('encrypt', $key, $data);
+    }
     return $endata;
 }