- Resolves: RHEL-75658 Include latest fixes in python3-ipatests package - Resolves: RHEL-74466 kinit with external idp user is failing Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
From d86db9d2c107c66372f422f1d628624b1a55ad45 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 17 Jan 2025 09:44:22 +0200
Subject: [PATCH] ipa-otpd: do not pass OIDC client secret if there is none to
pass
If there is no client secret specified for the OIDC client, don't push
it to oidc_child via stdin. oidc_child only expects a client secret if the
--client-secret-stdin option was specified, and we already specify that option
only if the client secret is not empty.
In addition, if client secret is empty (it is a public OIDC client),
then strlen(NULL) would crash in glibc internals. Avoid that!
Fixes: https://pagure.io/freeipa/issue/9734
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-otpd/oauth2.c | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
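diff --git a/daemons/ipa-otpd/oauth2.c b/daemons/ipa-otpd/oauth2.c
index 52d7d7c9cb6c410bdbaa2e5eddccfea2204d3e69..0eb43b2372701d47b9ef62cbbdb32b97a5f7a0ba 100644
--- a/daemons/ipa-otpd/oauth2.c
+++ b/daemons/ipa-otpd/oauth2.c
@@ -104,17 +104,26 @@ static void oauth2_on_child_writable(verto_ctx *vctx, verto_ev *ev)
 }
 
 if (child_ctx->oauth2_state == OAUTH2_GET_DEVICE_CODE) {
-io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret,
-strlen(child_ctx->item->idp.ipaidpClientSecret));
+if (child_ctx->item->idp.ipaidpClientSecret != NULL) {
+io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret,
+strlen(child_ctx->item->idp.ipaidpClientSecret));
+} else {
+io = 0;
+}
 } else {
-iov[0].iov_base = child_ctx->item->idp.ipaidpClientSecret;
-iov[0].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret);
-iov[1].iov_base = "\n";
-iov[1].iov_len = 1;
-iov[2].iov_base = child_ctx->saved_item->oauth2.device_code_reply;
-iov[2].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply);
-
-io = writev(verto_get_fd(ev), iov, 3);
+int idx = 0;
+if (child_ctx->item->idp.ipaidpClientSecret != NULL) {
+iov[idx].iov_base = child_ctx->item->idp.ipaidpClientSecret;
+iov[idx].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret);
+idx++;
+iov[idx].iov_base = "\n";
+iov[idx].iov_len = 1;
+idx++;
+}
+iov[idx].iov_base = child_ctx->saved_item->oauth2.device_code_reply;
+iov[idx].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply);
+idx++;
+io = writev(verto_get_fd(ev), iov, idx);
 }
 otpd_queue_item_free(child_ctx->saved_item);
 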
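Review bot: The two added `ipaidpClientSecret != NULL` checks guard only against a missing secret, while the commit message says `--client-secret-stdin` is passed to oidc_child only when the secret is non-empty; if the attribute can ever arrive as `""`, the writev branch would still send an empty line ahead of device_code_reply to a child that is not reading a secret. Mirroring the non-empty test in both places, e.g. `if (child_ctx->item->idp.ipaidpClientSecret != NULL && child_ctx->item->idp.ipaidpClientSecret[0] != '\0') {`, keeps the stdin contents and the command-line option in sync. The `io = 0;` in the no-secret path of the OAUTH2_GET_DEVICE_CODE branch also deserves a one-line comment such as `/* public client: nothing to send, treat as a complete write */`, since the code that inspects io afterwards is not in the hunk and may treat 0 as a short write. oauth2_on_child_writable continues outside the hunk.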
--
2.47.1