dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Source Code
GIT

Blame SOURCES/0036-p11-handle-multiple-certs-during-auth-with-OpenSSL.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s
  1.   71e59364bf4bf30ca1631dcafcbe696959a37827
  2.   SOURCES
  3.   0036-p11-handle-multiple-certs-during-auth-with-OpenSSL.patch
Blob History Raw
71e593 
From 8fbdd8b692be1dc63be4dd18c79d9647aeb2d74d Mon Sep 17 00:00:00 2001
71e593 
From: Sumit Bose <sbose@redhat.com>
71e593 
Date: Tue, 2 Oct 2018 12:13:29 +0200
71e593 
Subject: [PATCH 36/47] p11: handle multiple certs during auth with OpenSSL
71e593
71e593 
This patch adds missing code already available in the NSS version to
71e593 
select a certificate for authentication if multiple certificates are
71e593 
available on the Smartcard. A unit test to check this feature is added
71e593 
as well.
71e593
71e593 
Related to https://pagure.io/SSSD/sssd/issue/3489
71e593
71e593 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
71e593 
(cherry picked from commit e29b82077a78157a1e4d90e2308c1272d7612f3d)
71e593 
---
71e593 
 src/p11_child/p11_child_openssl.c | 46 ++++++++++++++++++++++++++++++++++++++-
71e593 
 src/tests/cmocka/test_pam_srv.c   | 36 ++++++++++++++++++++++++++++++
71e593 
 2 files changed, 81 insertions(+), 1 deletion(-)
71e593
71e593 
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
71e593 
index be5872626e248ad8acc042300a2ee2eee526cdaf..bf4418f8603eac4d77d20f464e8b56fb82285f0a 100644
71e593 
--- a/src/p11_child/p11_child_openssl.c
71e593 
+++ b/src/p11_child/p11_child_openssl.c
71e593 
@@ -572,8 +572,10 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
71e593 
     char *slot_name = NULL;
71e593 
     char *token_name = NULL;
71e593 
     CK_SESSION_HANDLE session = 0;
71e593 
+    struct cert_list *all_cert_list = NULL;
71e593 
     struct cert_list *cert_list = NULL;
71e593 
     struct cert_list *item = NULL;
71e593 
+    struct cert_list *tmp_cert = NULL;
71e593 
     char *multi = NULL;
71e593 
     bool pkcs11_session = false;
71e593 
     bool pkcs11_login = false;
71e593 
@@ -691,12 +693,54 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
71e593 
         DEBUG(SSSDBG_TRACE_ALL, "Login NOT required.\n");
71e593 
     }
71e593
71e593 
-    ret = read_certs(mem_ctx, module, session, p11_ctx, &cert_list);
71e593 
+    ret = read_certs(mem_ctx, module, session, p11_ctx, &all_cert_list);
71e593 
     if (ret != EOK) {
71e593 
         DEBUG(SSSDBG_OP_FAILURE, "read_certs failed.\n");
71e593 
         goto done;
71e593 
     }
71e593
71e593 
+    DLIST_FOR_EACH(item, all_cert_list) {
71e593 
+        /* Check if we found the certificates we needed for authentication or
71e593 
+         * the requested ones for pre-auth. For authentication all attributes
71e593 
+         * must be given and match, for pre-auth only the given ones must
71e593 
+         * match. */
71e593 
+        DEBUG(SSSDBG_TRACE_ALL, "%s %s %s %s %s %s.\n",
71e593 
+              module_name_in, module_file_name, token_name_in, token_name,
71e593 
+              key_id_in, item->id);
71e593 
+
71e593 
+        if ((mode == OP_AUTH
71e593 
+                && module_name_in != NULL
71e593 
+                && token_name_in != NULL
71e593 
+                && key_id_in != NULL
71e593 
+                && item->id != NULL
71e593 
+                && strcmp(key_id_in, item->id) == 0
71e593 
+                && strcmp(token_name_in, token_name) == 0
71e593 
+                && strcmp(module_name_in, module_file_name) == 0)
71e593 
+            || (mode == OP_PREAUTH
71e593 
+                && (module_name_in == NULL
71e593 
+                    || (module_name_in != NULL
71e593 
+                        && strcmp(module_name_in, module_file_name) == 0))
71e593 
+                && (token_name_in == NULL
71e593 
+                    || (token_name_in != NULL
71e593 
+                        && strcmp(token_name_in, token_name) == 0))
71e593 
+                && (key_id_in == NULL
71e593 
+                    || (key_id_in != NULL && item->id != NULL
71e593 
+                        && strcmp(key_id_in, item->id) == 0)))) {
71e593 
+
71e593 
+            tmp_cert = talloc_memdup(mem_ctx, item, sizeof(struct cert_list));
71e593 
+            if (tmp_cert == NULL) {
71e593 
+                DEBUG(SSSDBG_OP_FAILURE, "talloc_memdup failed.\n");
71e593 
+                ret = ENOMEM;
71e593 
+                goto done;
71e593 
+            }
71e593 
+            tmp_cert->prev = NULL;
71e593 
+            tmp_cert->next = NULL;
71e593 
+
71e593 
+            DLIST_ADD(cert_list, tmp_cert);
71e593 
+
71e593 
+        }
71e593 
+    }
71e593 
+
71e593 
     /* TODO: check module_name_in, token_name_in, key_id_in */
71e593
71e593 
     if (cert_list == NULL) {
71e593 
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
71e593 
index 446985d5d2462f58a28c702fd5eaa5de7b20ed27..2b02ac27b7356c5bce9e11dae785ecdbddd31aa3 100644
71e593 
--- a/src/tests/cmocka/test_pam_srv.c
71e593 
+++ b/src/tests/cmocka/test_pam_srv.c
71e593 
@@ -2443,6 +2443,40 @@ void test_pam_cert_preauth_2certs_two_mappings(void **state)
71e593 
     assert_int_equal(ret, EOK);
71e593 
 }
71e593
71e593 
+void test_pam_cert_auth_2certs_one_mapping(void **state)
71e593 
+{
71e593 
+    int ret;
71e593 
+
71e593 
+#ifdef HAVE_NSS
71e593 
+    set_cert_auth_param(pam_test_ctx->pctx, NSS_DB_2CERTS);
71e593 
+#else
71e593 
+    set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
71e593 
+    putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_two.conf"));
71e593 
+#endif
71e593 
+
71e593 
+    mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
71e593 
+                        TEST_MODULE_NAME,
71e593 
+                        "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
71e593 
+                        test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
71e593 
+                        true);
71e593 
+
71e593 
+    will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
71e593 
+    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
71e593 
+
71e593 
+    /* Assume backend cannot handle Smartcard credentials */
71e593 
+    pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
71e593 
+
71e593 
+    set_cmd_cb(test_pam_simple_check_success);
71e593 
+    ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
71e593 
+                          pam_test_ctx->pam_cmds);
71e593 
+    assert_int_equal(ret, EOK);
71e593 
+
71e593 
+    /* Wait until the test finishes with EOK */
71e593 
+    ret = test_ev_loop(pam_test_ctx->tctx);
71e593 
+    assert_int_equal(ret, EOK);
71e593 
+}
71e593 
+
71e593 
+
71e593 
 void test_filter_response(void **state)
71e593 
 {
71e593 
     int ret;
71e593 
@@ -2875,6 +2909,8 @@ int main(int argc, const char *argv[])
71e593 
                                         pam_test_setup, pam_test_teardown),
71e593 
         cmocka_unit_test_setup_teardown(test_pam_cert_preauth_2certs_two_mappings,
71e593 
                                         pam_test_setup, pam_test_teardown),
71e593 
+        cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_one_mapping,
71e593 
+                                        pam_test_setup, pam_test_teardown),
71e593 
         cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name,
71e593 
                                         pam_test_setup, pam_test_teardown),
71e593 
         cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
71e593 
--
71e593 
2.14.4
71e593

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation