sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 4 Jul 2023 19:06:27 +0200
Subject: [PATCH 3/3] certmap: fix partial string comparison
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If the formatting option of the certificate digest/hash function
contained and additional specifier separated with a '_' the comparison
of the provided digest name and the available ones was incomplete, the
last character was ignored and the comparison was successful if even if
there was only a partial match.

Resolves: https://github.com/SSSD/sssd/issues/6802

Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
(cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc)
---
 src/lib/certmap/sss_certmap_ldap_mapping.c |  9 ++++++++-
 src/tests/cmocka/test_certmap.c            | 22 ++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c
index 2f16837a1..354b0310b 100644
--- a/src/lib/certmap/sss_certmap_ldap_mapping.c
+++ b/src/lib/certmap/sss_certmap_ldap_mapping.c
@@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list,
     bool colon = false;
     bool reverse = false;
     char *c;
+    size_t len = 0;
 
     sep = strchr(inp, '_');
+    if (sep != NULL) {
+        len = sep - inp;
+    }
 
     for (d = 0; digest_list[d] != NULL; d++) {
         if (sep == NULL) {
             cmp = strcasecmp(digest_list[d], inp);
         } else {
-            cmp = strncasecmp(digest_list[d], inp, (sep - inp -1));
+            if (strlen(digest_list[d]) != len) {
+                continue;
+            }
+            cmp = strncasecmp(digest_list[d], inp, len);
         }
 
         if (cmp == 0) {
diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
index da312beaf..a15984d60 100644
--- a/src/tests/cmocka/test_certmap.c
+++ b/src/tests/cmocka/test_certmap.c
@@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state)
     assert_non_null(ctx);
     assert_null(ctx->prio_list);
 
+    /* cert!sha */
+    ret = sss_certmap_add_rule(ctx, 91,
+                            "KRB5:<ISSUER>.*",
+                            "LDAP:rule91={cert!sha}", NULL);
+    assert_int_equal(ret, EINVAL);
+
+    ret = sss_certmap_add_rule(ctx, 91,
+                            "KRB5:<ISSUER>.*",
+                            "LDAPU1:rule91={cert!sha}", NULL);
+    assert_int_equal(ret, EINVAL);
+
+    /* cert!sha_u */
+    ret = sss_certmap_add_rule(ctx, 90,
+                            "KRB5:<ISSUER>.*",
+                            "LDAP:rule90={cert!sha_u}", NULL);
+    assert_int_equal(ret, EINVAL);
+
+    ret = sss_certmap_add_rule(ctx, 99,
+                            "KRB5:<ISSUER>.*",
+                            "LDAPU1:rule90={cert!sha_u}", NULL);
+    assert_int_equal(ret, EINVAL);
+
     /* cert!sha555 */
     ret = sss_certmap_add_rule(ctx, 89,
                             "KRB5:<ISSUER>.*",
-- 
2.38.1