c0971b7e39
- Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface
239 lines
9.5 KiB
Diff
239 lines
9.5 KiB
Diff
From f7b2152a4c3c816a5bc4226a0e01791313accef3 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Mon, 8 Oct 2018 12:47:25 +0200
|
|
Subject: [PATCH 66/83] p11_child: add PKCS#11 uri to restrict selection
|
|
|
|
Related to https://pagure.io/SSSD/sssd/issue/3814
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
---
|
|
src/p11_child/p11_child.h | 2 +-
|
|
src/p11_child/p11_child_common.c | 9 +++--
|
|
src/p11_child/p11_child_nss.c | 2 +-
|
|
src/p11_child/p11_child_openssl.c | 81 +++++++++++++++++++++++++++++++++++++--
|
|
4 files changed, 86 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
|
|
index dd8fdea..92ecf74 100644
|
|
--- a/src/p11_child/p11_child.h
|
|
+++ b/src/p11_child/p11_child.h
|
|
@@ -54,5 +54,5 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64);
|
|
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
enum op_mode mode, const char *pin,
|
|
const char *module_name_in, const char *token_name_in,
|
|
- const char *key_id_in, char **_multi);
|
|
+ const char *key_id_in, const char *uri, char **_multi);
|
|
#endif /* __P11_CHILD_H__ */
|
|
diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
|
|
index bc5f6b0..097e7fa 100644
|
|
--- a/src/p11_child/p11_child_common.c
|
|
+++ b/src/p11_child/p11_child_common.c
|
|
@@ -60,7 +60,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
|
|
bool wait_for_card,
|
|
const char *cert_b64, const char *pin,
|
|
const char *module_name, const char *token_name,
|
|
- const char *key_id, char **multi)
|
|
+ const char *key_id, const char *uri, char **multi)
|
|
{
|
|
int ret;
|
|
struct p11_ctx *p11_ctx;
|
|
@@ -90,7 +90,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
|
|
}
|
|
} else {
|
|
ret = do_card(mem_ctx, p11_ctx, mode, pin,
|
|
- module_name, token_name, key_id, multi);
|
|
+ module_name, token_name, key_id, uri, multi);
|
|
}
|
|
|
|
done:
|
|
@@ -159,6 +159,7 @@ int main(int argc, const char *argv[])
|
|
char *key_id = NULL;
|
|
char *cert_b64 = NULL;
|
|
bool wait_for_card = false;
|
|
+ char *uri = NULL;
|
|
|
|
struct poptOption long_options[] = {
|
|
POPT_AUTOHELP
|
|
@@ -194,6 +195,8 @@ int main(int argc, const char *argv[])
|
|
_("Key ID for authentication"), NULL},
|
|
{"certificate", 0, POPT_ARG_STRING, &cert_b64, 0,
|
|
_("certificate to verify, base64 encoded"), NULL},
|
|
+ {"uri", 0, POPT_ARG_STRING, &uri, 0,
|
|
+ _("PKCS#11 URI to restrict selection"), NULL},
|
|
POPT_TABLEEND
|
|
};
|
|
|
|
@@ -367,7 +370,7 @@ int main(int argc, const char *argv[])
|
|
}
|
|
|
|
ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, wait_for_card,
|
|
- cert_b64, pin, module_name, token_name, key_id, &multi);
|
|
+ cert_b64, pin, module_name, token_name, key_id, uri, &multi);
|
|
if (ret != 0) {
|
|
DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n");
|
|
goto fail;
|
|
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
|
|
index fff1f25..f9cbf3f 100644
|
|
--- a/src/p11_child/p11_child_nss.c
|
|
+++ b/src/p11_child/p11_child_nss.c
|
|
@@ -480,7 +480,7 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64)
|
|
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
enum op_mode mode, const char *pin,
|
|
const char *module_name_in, const char *token_name_in,
|
|
- const char *key_id_in, char **_multi)
|
|
+ const char *key_id_in, const char *uri, char **_multi)
|
|
{
|
|
int ret;
|
|
SECStatus rv;
|
|
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
|
index 09edeef..000e1c9 100644
|
|
--- a/src/p11_child/p11_child_openssl.c
|
|
+++ b/src/p11_child/p11_child_openssl.c
|
|
@@ -85,7 +85,7 @@ static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info,
|
|
memcpy(p11_kit_uri_get_token_info(uri), token_info, sizeof(CK_TOKEN_INFO));
|
|
|
|
memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
|
|
- ret = p11_kit_uri_set_slot_id(uri, slot_id);
|
|
+ p11_kit_uri_set_slot_id(uri, slot_id);
|
|
|
|
memcpy(p11_kit_uri_get_module_info(uri), module_info, sizeof(CK_INFO));
|
|
|
|
@@ -662,7 +662,7 @@ static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
|
|
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
enum op_mode mode, const char *pin,
|
|
const char *module_name_in, const char *token_name_in,
|
|
- const char *key_id_in, char **_multi)
|
|
+ const char *key_id_in, const char *uri_str, char **_multi)
|
|
{
|
|
int ret;
|
|
size_t c;
|
|
@@ -674,6 +674,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
CK_ULONG num_slots;
|
|
CK_SLOT_ID slots[MAX_SLOTS];
|
|
CK_SLOT_ID slot_id;
|
|
+ CK_SLOT_ID uri_slot_id;
|
|
CK_SLOT_INFO info;
|
|
CK_TOKEN_INFO token_info;
|
|
CK_INFO module_info;
|
|
@@ -690,6 +691,19 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
char *multi = NULL;
|
|
bool pkcs11_session = false;
|
|
bool pkcs11_login = false;
|
|
+ P11KitUri *uri = NULL;
|
|
+
|
|
+ if (uri_str != NULL) {
|
|
+ uri = p11_kit_uri_new();
|
|
+ ret = p11_kit_uri_parse(uri_str, P11_KIT_URI_FOR_ANY, uri);
|
|
+ if (ret != P11_KIT_URI_OK) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_parse failed [%d][%s].\n",
|
|
+ ret, p11_kit_uri_message(ret));
|
|
+ ret = EINVAL;
|
|
+ goto done;
|
|
+ }
|
|
+ }
|
|
+
|
|
|
|
/* Maybe use P11_KIT_MODULE_TRUSTED ? */
|
|
modules = p11_kit_modules_load_and_initialize(0);
|
|
@@ -709,6 +723,23 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
free(mod_name);
|
|
free(mod_file_name);
|
|
|
|
+ if (uri != NULL) {
|
|
+ memset(&module_info, 0, sizeof(CK_INFO));
|
|
+ rv = modules[c]->C_GetInfo(&module_info);
|
|
+ if (rv != CKR_OK) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetInfo failed.\n");
|
|
+ ret = EIO;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ /* Skip modules which do not match the PKCS#11 URI */
|
|
+ if (p11_kit_uri_match_module_info(uri, &module_info) != 1) {
|
|
+ DEBUG(SSSDBG_TRACE_ALL,
|
|
+ "Not matching URI [%s], skipping.\n", uri_str);
|
|
+ continue;
|
|
+ }
|
|
+ }
|
|
+
|
|
num_slots = MAX_SLOTS;
|
|
rv = modules[c]->C_GetSlotList(CK_FALSE, slots, &num_slots);
|
|
if (rv != CKR_OK) {
|
|
@@ -730,6 +761,37 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
info.slotDescription, info.manufacturerID, info.flags,
|
|
(info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
|
|
(info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
|
|
+
|
|
+ /* Skip slots which do not match the PKCS#11 URI */
|
|
+ if (uri != NULL) {
|
|
+ uri_slot_id = p11_kit_uri_get_slot_id(uri);
|
|
+ if ((uri_slot_id != (CK_SLOT_ID)-1
|
|
+ && uri_slot_id != slots[s])
|
|
+ || p11_kit_uri_match_slot_info(uri, &info) != 1) {
|
|
+ DEBUG(SSSDBG_TRACE_ALL,
|
|
+ "Not matching URI [%s], skipping.\n", uri_str);
|
|
+ continue;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if ((info.flags & CKF_TOKEN_PRESENT) && uri != NULL) {
|
|
+ rv = modules[c]->C_GetTokenInfo(slots[s], &token_info);
|
|
+ if (rv != CKR_OK) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetTokenInfo failed.\n");
|
|
+ ret = EIO;
|
|
+ goto done;
|
|
+ }
|
|
+ DEBUG(SSSDBG_TRACE_ALL, "Token label [%s].\n",
|
|
+ token_info.label);
|
|
+
|
|
+ if (p11_kit_uri_match_token_info(uri, &token_info) != 1) {
|
|
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
|
+ "No matching uri [%s], skipping.\n", uri_str);
|
|
+ continue;
|
|
+ }
|
|
+
|
|
+ }
|
|
+
|
|
if ((info.flags & CKF_REMOVABLE_DEVICE)) {
|
|
break;
|
|
}
|
|
@@ -788,6 +850,13 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
goto done;
|
|
}
|
|
|
|
+ if (uri != NULL && p11_kit_uri_match_token_info(uri, &token_info) != 1) {
|
|
+ DEBUG(SSSDBG_CONF_SETTINGS, "No token matching uri [%s] found.",
|
|
+ uri_str);
|
|
+ ret = ENOENT;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
module_id = c;
|
|
slot_name = p11_kit_space_strdup(info.slotDescription,
|
|
sizeof(info.slotDescription));
|
|
@@ -891,7 +960,12 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
}
|
|
|
|
memset(&module_info, 0, sizeof(CK_INFO));
|
|
- module->C_GetInfo(&module_info);
|
|
+ rv = module->C_GetInfo(&module_info);
|
|
+ if (rv != CKR_OK) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetInfo failed.\n");
|
|
+ ret = EIO;
|
|
+ goto done;
|
|
+ }
|
|
|
|
DLIST_FOR_EACH(item, cert_list) {
|
|
item->uri = get_pkcs11_uri(mem_ctx, &module_info, &info, slot_id,
|
|
@@ -970,6 +1044,7 @@ done:
|
|
free(token_name);
|
|
free(module_file_name);
|
|
p11_kit_modules_finalize_and_release(modules);
|
|
+ p11_kit_uri_free(uri);
|
|
|
|
return ret;
|
|
}
|
|
--
|
|
2.9.5
|
|
|