diff options
Diffstat (limited to 'sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch')
-rw-r--r-- | sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch new file mode 100644 index 000000000000..258940bab38e --- /dev/null +++ b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch @@ -0,0 +1,87 @@ +From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001 +From: Sumit Bose <sbose@redhat.com> +Date: Tue, 4 Jul 2023 19:06:27 +0200 +Subject: [PATCH 3/3] certmap: fix partial string comparison +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the formatting option of the certificate digest/hash function +contained and additional specifier separated with a '_' the comparison +of the provided digest name and the available ones was incomplete, the +last character was ignored and the comparison was successful if even if +there was only a partial match. + +Resolves: https://github.com/SSSD/sssd/issues/6802 + +Reviewed-by: Alejandro López <allopez@redhat.com> +Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> +(cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc) +--- + src/lib/certmap/sss_certmap_ldap_mapping.c | 9 ++++++++- + src/tests/cmocka/test_certmap.c | 22 ++++++++++++++++++++++ + 2 files changed, 30 insertions(+), 1 deletion(-) + +diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c +index 2f16837a1..354b0310b 100644 +--- a/src/lib/certmap/sss_certmap_ldap_mapping.c ++++ b/src/lib/certmap/sss_certmap_ldap_mapping.c +@@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list, + bool colon = false; + bool reverse = false; + char *c; ++ size_t len = 0; + + sep = strchr(inp, '_'); ++ if (sep != NULL) { ++ len = sep - inp; ++ } + + for (d = 0; digest_list[d] != NULL; d++) { + if (sep == NULL) { + cmp = strcasecmp(digest_list[d], inp); + } else { +- cmp = strncasecmp(digest_list[d], inp, (sep - inp -1)); ++ if (strlen(digest_list[d]) != len) { ++ continue; ++ } ++ cmp = strncasecmp(digest_list[d], inp, len); + } + + if (cmp == 0) { +diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c +index da312beaf..a15984d60 100644 +--- a/src/tests/cmocka/test_certmap.c ++++ b/src/tests/cmocka/test_certmap.c +@@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state) + assert_non_null(ctx); + assert_null(ctx->prio_list); + ++ /* cert!sha */ ++ ret = sss_certmap_add_rule(ctx, 91, ++ "KRB5:<ISSUER>.*", ++ "LDAP:rule91={cert!sha}", NULL); ++ assert_int_equal(ret, EINVAL); ++ ++ ret = sss_certmap_add_rule(ctx, 91, ++ "KRB5:<ISSUER>.*", ++ "LDAPU1:rule91={cert!sha}", NULL); ++ assert_int_equal(ret, EINVAL); ++ ++ /* cert!sha_u */ ++ ret = sss_certmap_add_rule(ctx, 90, ++ "KRB5:<ISSUER>.*", ++ "LDAP:rule90={cert!sha_u}", NULL); ++ assert_int_equal(ret, EINVAL); ++ ++ ret = sss_certmap_add_rule(ctx, 99, ++ "KRB5:<ISSUER>.*", ++ "LDAPU1:rule90={cert!sha_u}", NULL); ++ assert_int_equal(ret, EINVAL); ++ + /* cert!sha555 */ + ret = sss_certmap_add_rule(ctx, 89, + "KRB5:<ISSUER>.*", +-- +2.38.1 + |