88 lines
3.1 KiB
Diff
88 lines
3.1 KiB
Diff
|
From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Sumit Bose <sbose@redhat.com>
|
||
|
|
Date: Tue, 4 Jul 2023 19:06:27 +0200
|
||
|
|
Subject: [PATCH 3/3] certmap: fix partial string comparison
|
||
|
|
MIME-Version: 1.0
|
||
|
|
Content-Type: text/plain; charset=UTF-8
|
||
|
|
Content-Transfer-Encoding: 8bit
|
||
|
|
|
||
|
|
If the formatting option of the certificate digest/hash function
|
||
|
|
contained and additional specifier separated with a '_' the comparison
|
||
|
|
of the provided digest name and the available ones was incomplete, the
|
||
|
|
last character was ignored and the comparison was successful if even if
|
||
|
|
there was only a partial match.
|
||
|
|
|
||
|
|
Resolves: https://github.com/SSSD/sssd/issues/6802
|
||
|
|
|
||
|
|
Reviewed-by: Alejandro López <allopez@redhat.com>
|
||
|
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||
|
|
(cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc)
|
||
|
|
---
|
||
|
|
src/lib/certmap/sss_certmap_ldap_mapping.c | 9 ++++++++-
|
||
|
|
src/tests/cmocka/test_certmap.c | 22 ++++++++++++++++++++++
|
||
|
|
2 files changed, 30 insertions(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c
|
||
|
|
index 2f16837a1..354b0310b 100644
|
||
|
|
--- a/src/lib/certmap/sss_certmap_ldap_mapping.c
|
||
|
|
+++ b/src/lib/certmap/sss_certmap_ldap_mapping.c
|
||
|
|
@@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list,
|
||
|
|
bool colon = false;
|
||
|
|
bool reverse = false;
|
||
|
|
char *c;
|
||
|
|
+ size_t len = 0;
|
||
|
|
|
||
|
|
sep = strchr(inp, '_');
|
||
|
|
+ if (sep != NULL) {
|
||
|
|
+ len = sep - inp;
|
||
|
|
+ }
|
||
|
|
|
||
|
|
for (d = 0; digest_list[d] != NULL; d++) {
|
||
|
|
if (sep == NULL) {
|
||
|
|
cmp = strcasecmp(digest_list[d], inp);
|
||
|
|
} else {
|
||
|
|
- cmp = strncasecmp(digest_list[d], inp, (sep - inp -1));
|
||
|
|
+ if (strlen(digest_list[d]) != len) {
|
||
|
|
+ continue;
|
||
|
|
+ }
|
||
|
|
+ cmp = strncasecmp(digest_list[d], inp, len);
|
||
|
|
}
|
||
|
|
|
||
|
|
if (cmp == 0) {
|
||
|
|
diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
|
||
|
|
index da312beaf..a15984d60 100644
|
||
|
|
--- a/src/tests/cmocka/test_certmap.c
|
||
|
|
+++ b/src/tests/cmocka/test_certmap.c
|
||
|
|
@@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state)
|
||
|
|
assert_non_null(ctx);
|
||
|
|
assert_null(ctx->prio_list);
|
||
|
|
|
||
|
|
+ /* cert!sha */
|
||
|
|
+ ret = sss_certmap_add_rule(ctx, 91,
|
||
|
|
+ "KRB5:<ISSUER>.*",
|
||
|
|
+ "LDAP:rule91={cert!sha}", NULL);
|
||
|
|
+ assert_int_equal(ret, EINVAL);
|
||
|
|
+
|
||
|
|
+ ret = sss_certmap_add_rule(ctx, 91,
|
||
|
|
+ "KRB5:<ISSUER>.*",
|
||
|
|
+ "LDAPU1:rule91={cert!sha}", NULL);
|
||
|
|
+ assert_int_equal(ret, EINVAL);
|
||
|
|
+
|
||
|
|
+ /* cert!sha_u */
|
||
|
|
+ ret = sss_certmap_add_rule(ctx, 90,
|
||
|
|
+ "KRB5:<ISSUER>.*",
|
||
|
|
+ "LDAP:rule90={cert!sha_u}", NULL);
|
||
|
|
+ assert_int_equal(ret, EINVAL);
|
||
|
|
+
|
||
|
|
+ ret = sss_certmap_add_rule(ctx, 99,
|
||
|
|
+ "KRB5:<ISSUER>.*",
|
||
|
|
+ "LDAPU1:rule90={cert!sha_u}", NULL);
|
||
|
|
+ assert_int_equal(ret, EINVAL);
|
||
|
|
+
|
||
|
|
/* cert!sha555 */
|
||
|
|
ret = sss_certmap_add_rule(ctx, 89,
|
||
|
|
"KRB5:<ISSUER>.*",
|
||
|
|
--
|
||
|
|
2.38.1
|
||
|
|
|