From d857fcfcc21481cdf06b8cce1685e141921d2fbf Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 27 Nov 2024 12:16:09 +0100
Subject: [PATCH] ipa-otpd: use oidc_child's --client-secret-stdin option
To remove the client secret from the command line where it would be visible e.g. when calling ps it is now passed via stdin to oidc_child.
Fixes: CVE-2024-11029
Signed-off-by: Sumit Bose
---
 daemons/ipa-otpd/oauth2.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/daemons/ipa-otpd/oauth2.c b/daemons/ipa-otpd/oauth2.c
index a33cf51715ca2a3e7a0cef871aed5cfbbd037598..52d7d7c9cb6c410bdbaa2e5eddccfea2204d3e69 100644
--- a/daemons/ipa-otpd/oauth2.c
+++ b/daemons/ipa-otpd/oauth2.c
@@ -31,6 +31,7 @@
 #include
 #include
 #include
+#include
 #include "internal.h"
@@ -93,6 +94,7 @@ static void oauth2_on_child_writable(verto_ctx *vctx, verto_ev *ev)
 (void)vctx; /* Unused */
 ssize_t io;
 struct child_ctx *child_ctx;
+ struct iovec iov[3];
 child_ctx = verto_get_private(ev);
 if (child_ctx == NULL) {
@@ -102,15 +104,18 @@ static void oauth2_on_child_writable(verto_ctx *vctx, verto_ev *ev)
 }
 if (child_ctx->oauth2_state == OAUTH2_GET_DEVICE_CODE) {
- /* no input needed */
- verto_del(ev);
- return;
- }
-
+ io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret,
+ strlen(child_ctx->item->idp.ipaidpClientSecret));
+ } else {
+ iov[0].iov_base = child_ctx->item->idp.ipaidpClientSecret;
+ iov[0].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret);
+ iov[1].iov_base = "\n";
+ iov[1].iov_len = 1;
+ iov[2].iov_base = child_ctx->saved_item->oauth2.device_code_reply;
+ iov[2].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply);
- io = write(verto_get_fd(ev),
- child_ctx->saved_item->oauth2.device_code_reply,
- strlen(child_ctx->saved_item->oauth2.device_code_reply));
+ io = writev(verto_get_fd(ev), iov, 3);
+ }
 otpd_queue_item_free(child_ctx->saved_item);
 if (io < 0) {
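Review bot: `strlen(child_ctx->item->idp.ipaidpClientSecret)` is now evaluated unconditionally in both branches of the `OAUTH2_GET_DEVICE_CODE` test, but the `oauth2()` hunk further down only passes `--client-secret-stdin` when `ipaidpClientSecret` is non-NULL, so an IdP entry without a client secret reaches `strlen(NULL)` here and also loses the pre-patch "no input needed" exit for the device-code state. Both branches should skip the secret and its `"\n"` separator when it is NULL, for instance by filling the iovec conditionally and passing the entry count to `writev()`, as sketched below. Note also that `io` is only compared against `< 0` afterwards, so a short write that truncates the secret or the device-code reply is not detected; whether the child tolerates a partial line cannot be judged from this hunk. `oauth2_on_child_writable` continues past the end of the hunk, so the `verto_del(ev)` that the removed lines performed is presumably done there now; the early-exit path in the sketch keeps it explicit, and whether `saved_item` is always valid (or NULL) in the device-code state before the unconditional `otpd_queue_item_free()` is worth confirming as well.
```c
    if (child_ctx->oauth2_state == OAUTH2_GET_DEVICE_CODE) {
        if (child_ctx->item->idp.ipaidpClientSecret == NULL) {
            /* no --client-secret-stdin was requested, nothing to write */
            verto_del(ev);
            return;
        }
        io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret,
                   strlen(child_ctx->item->idp.ipaidpClientSecret));
    } else {
        int iov_cnt = 0;
        if (child_ctx->item->idp.ipaidpClientSecret != NULL) {
            iov[iov_cnt].iov_base = child_ctx->item->idp.ipaidpClientSecret;
            iov[iov_cnt].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret);
            iov_cnt++;
            iov[iov_cnt].iov_base = "\n";
            iov[iov_cnt].iov_len = 1;
            iov_cnt++;
        }
        iov[iov_cnt].iov_base = child_ctx->saved_item->oauth2.device_code_reply;
        iov[iov_cnt].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply);
        iov_cnt++;
        io = writev(verto_get_fd(ev), iov, iov_cnt);
    }
    /* … unchanged: otpd_queue_item_free(child_ctx->saved_item) and the io < 0 check … */
```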
@@ -429,8 +434,7 @@ int oauth2(struct otpd_queue_item **item, enum oauth2_state oauth2_state)
 args[args_idx++] = (*item)->idp.ipaidpClientID;
 if ((*item)->idp.ipaidpClientSecret) {
- args[args_idx++] = "--client-secret";
- args[args_idx++] = (*item)->idp.ipaidpClientSecret;
+ args[args_idx++] = "--client-secret-stdin";
 }
 if ((*item)->idp.ipaidpScope) {
--
2.47.1