Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
diff options
context:
space:
mode:
Diffstat (limited to 'sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch')
-rw-r--r--sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch87
1 files changed, 87 insertions, 0 deletions
diff --git a/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
new file mode 100644
index 000000000000..258940bab38e
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
@@ -0,0 +1,87 @@
+From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jul 2023 19:06:27 +0200
+Subject: [PATCH 3/3] certmap: fix partial string comparison
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the formatting option of the certificate digest/hash function
+contained and additional specifier separated with a '_' the comparison
+of the provided digest name and the available ones was incomplete, the
+last character was ignored and the comparison was successful if even if
+there was only a partial match.
+
+Resolves: https://github.com/SSSD/sssd/issues/6802
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc)
+---
+ src/lib/certmap/sss_certmap_ldap_mapping.c | 9 ++++++++-
+ src/tests/cmocka/test_certmap.c | 22 ++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c
+index 2f16837a1..354b0310b 100644
+--- a/src/lib/certmap/sss_certmap_ldap_mapping.c
++++ b/src/lib/certmap/sss_certmap_ldap_mapping.c
+@@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list,
+ bool colon = false;
+ bool reverse = false;
+ char *c;
++ size_t len = 0;
+
+ sep = strchr(inp, '_');
++ if (sep != NULL) {
++ len = sep - inp;
++ }
+
+ for (d = 0; digest_list[d] != NULL; d++) {
+ if (sep == NULL) {
+ cmp = strcasecmp(digest_list[d], inp);
+ } else {
+- cmp = strncasecmp(digest_list[d], inp, (sep - inp -1));
++ if (strlen(digest_list[d]) != len) {
++ continue;
++ }
++ cmp = strncasecmp(digest_list[d], inp, len);
+ }
+
+ if (cmp == 0) {
+diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
+index da312beaf..a15984d60 100644
+--- a/src/tests/cmocka/test_certmap.c
++++ b/src/tests/cmocka/test_certmap.c
+@@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state)
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+
++ /* cert!sha */
++ ret = sss_certmap_add_rule(ctx, 91,
++ "KRB5:<ISSUER>.*",
++ "LDAP:rule91={cert!sha}", NULL);
++ assert_int_equal(ret, EINVAL);
++
++ ret = sss_certmap_add_rule(ctx, 91,
++ "KRB5:<ISSUER>.*",
++ "LDAPU1:rule91={cert!sha}", NULL);
++ assert_int_equal(ret, EINVAL);
++
++ /* cert!sha_u */
++ ret = sss_certmap_add_rule(ctx, 90,
++ "KRB5:<ISSUER>.*",
++ "LDAP:rule90={cert!sha_u}", NULL);
++ assert_int_equal(ret, EINVAL);
++
++ ret = sss_certmap_add_rule(ctx, 99,
++ "KRB5:<ISSUER>.*",
++ "LDAPU1:rule90={cert!sha_u}", NULL);
++ assert_int_equal(ret, EINVAL);
++
+ /* cert!sha555 */
+ ret = sss_certmap_add_rule(ctx, 89,
+ "KRB5:<ISSUER>.*",
+--
+2.38.1
+