From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 4 Jul 2023 19:06:27 +0200 Subject: [PATCH 3/3] certmap: fix partial string comparison MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the formatting option of the certificate digest/hash function contained and additional specifier separated with a '_' the comparison of the provided digest name and the available ones was incomplete, the last character was ignored and the comparison was successful if even if there was only a partial match. Resolves: https://github.com/SSSD/sssd/issues/6802 Reviewed-by: Alejandro López Reviewed-by: Alexey Tikhonov (cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc) --- src/lib/certmap/sss_certmap_ldap_mapping.c | 9 ++++++++- src/tests/cmocka/test_certmap.c | 22 ++++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c index 2f16837a1..354b0310b 100644 --- a/src/lib/certmap/sss_certmap_ldap_mapping.c +++ b/src/lib/certmap/sss_certmap_ldap_mapping.c @@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list, bool colon = false; bool reverse = false; char *c; + size_t len = 0; sep = strchr(inp, '_'); + if (sep != NULL) { + len = sep - inp; + } for (d = 0; digest_list[d] != NULL; d++) { if (sep == NULL) { cmp = strcasecmp(digest_list[d], inp); } else { - cmp = strncasecmp(digest_list[d], inp, (sep - inp -1)); + if (strlen(digest_list[d]) != len) { + continue; + } + cmp = strncasecmp(digest_list[d], inp, len); } if (cmp == 0) { diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c index da312beaf..a15984d60 100644 --- a/src/tests/cmocka/test_certmap.c +++ b/src/tests/cmocka/test_certmap.c @@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state) assert_non_null(ctx); assert_null(ctx->prio_list); + /* cert!sha */ + ret = sss_certmap_add_rule(ctx, 91, + "KRB5:.*", + "LDAP:rule91={cert!sha}", NULL); + assert_int_equal(ret, EINVAL); + + ret = sss_certmap_add_rule(ctx, 91, + "KRB5:.*", + "LDAPU1:rule91={cert!sha}", NULL); + assert_int_equal(ret, EINVAL); + + /* cert!sha_u */ + ret = sss_certmap_add_rule(ctx, 90, + "KRB5:.*", + "LDAP:rule90={cert!sha_u}", NULL); + assert_int_equal(ret, EINVAL); + + ret = sss_certmap_add_rule(ctx, 99, + "KRB5:.*", + "LDAPU1:rule90={cert!sha_u}", NULL); + assert_int_equal(ret, EINVAL); + /* cert!sha555 */ ret = sss_certmap_add_rule(ctx, 89, "KRB5:.*", -- 2.38.1