c0971b7e39
- Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface
280 lines
12 KiB
Diff
280 lines
12 KiB
Diff
From 3c096c9ad6dad911d035cfdd802b5dda4710fc68 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Thu, 11 Oct 2018 17:35:24 +0200
|
|
Subject: [PATCH 75/83] p11_child: add crl_file option for the OpenSSL build
|
|
|
|
In the NSS build a Certificate Revocation List (CRL) can just be added
|
|
to the NSS database. For OpenSSL a separate file is needed.
|
|
|
|
Related to https://pagure.io/SSSD/sssd/issue/3489
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
---
|
|
src/man/sssd.conf.5.xml | 24 ++++++++++++++++++++++++
|
|
src/p11_child/p11_child_common.c | 12 ++++++------
|
|
src/p11_child/p11_child_openssl.c | 26 +++++++++++++++++++++++++-
|
|
src/tests/cmocka/test_utils.c | 16 ++++++++++++++++
|
|
src/util/util.c | 13 +++++++++++++
|
|
src/util/util.h | 1 +
|
|
6 files changed, 85 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
index 5e3ae48..bea25c6 100644
|
|
--- a/src/man/sssd.conf.5.xml
|
|
+++ b/src/man/sssd.conf.5.xml
|
|
@@ -503,6 +503,30 @@
|
|
pam_cert_db_path.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
+ <varlistentry>
|
|
+ <term>crl_file=/PATH/TO/CRL/FILE</term>
|
|
+ <listitem>
|
|
+ <para>(NSS Version) This option is
|
|
+ ignored, please see
|
|
+ <citerefentry>
|
|
+ <refentrytitle>crlutil</refentrytitle>
|
|
+ <manvolnum>1</manvolnum>
|
|
+ </citerefentry>
|
|
+ how to import a Certificate Revocation
|
|
+ List (CRL) into a NSS database.</para>
|
|
+
|
|
+ <para>(OpenSSL Version) Use the
|
|
+ Certificate Revocation List (CRL) from
|
|
+ the given file during the verification
|
|
+ of the certificate. The CRL must be
|
|
+ given in PEM format, see
|
|
+ <citerefentry>
|
|
+ <refentrytitle>crl</refentrytitle>
|
|
+ <manvolnum>1ssl</manvolnum>
|
|
+ </citerefentry>
|
|
+ for details.</para>
|
|
+ </listitem>
|
|
+ </varlistentry>
|
|
</variablelist>
|
|
</para>
|
|
<para condition="with_nss">
|
|
diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
|
|
index 097e7fa..b992aeb 100644
|
|
--- a/src/p11_child/p11_child_common.c
|
|
+++ b/src/p11_child/p11_child_common.c
|
|
@@ -48,7 +48,7 @@ static const char *op_mode_str(enum op_mode mode)
|
|
return "pre-auth";
|
|
break;
|
|
case OP_VERIFIY:
|
|
- return "verifiy";
|
|
+ return "verify";
|
|
break;
|
|
default:
|
|
return "unknown";
|
|
@@ -219,7 +219,7 @@ int main(int argc, const char *argv[])
|
|
case 'a':
|
|
if (mode != OP_NONE) {
|
|
fprintf(stderr,
|
|
- "\n--verifiy, --auth and --pre are mutually " \
|
|
+ "\n--verify, --auth and --pre are mutually " \
|
|
"exclusive and should be only used once.\n\n");
|
|
poptPrintUsage(pc, stderr, 0);
|
|
_exit(-1);
|
|
@@ -229,7 +229,7 @@ int main(int argc, const char *argv[])
|
|
case 'p':
|
|
if (mode != OP_NONE) {
|
|
fprintf(stderr,
|
|
- "\n--verifiy, --auth and --pre are mutually " \
|
|
+ "\n--verify, --auth and --pre are mutually " \
|
|
"exclusive and should be only used once.\n\n");
|
|
poptPrintUsage(pc, stderr, 0);
|
|
_exit(-1);
|
|
@@ -239,7 +239,7 @@ int main(int argc, const char *argv[])
|
|
case 'v':
|
|
if (mode != OP_NONE) {
|
|
fprintf(stderr,
|
|
- "\n--verifiy, --auth and --pre are mutually " \
|
|
+ "\n--verify, --auth and --pre are mutually " \
|
|
"exclusive and should be only used once.\n\n");
|
|
poptPrintUsage(pc, stderr, 0);
|
|
_exit(-1);
|
|
@@ -283,7 +283,7 @@ int main(int argc, const char *argv[])
|
|
|
|
if (mode == OP_NONE) {
|
|
fprintf(stderr, "\nMissing operation mode, either " \
|
|
- "--verifiy, --auth or --pre must be specified.\n\n");
|
|
+ "--verify, --auth or --pre must be specified.\n\n");
|
|
poptPrintUsage(pc, stderr, 0);
|
|
_exit(-1);
|
|
} else if (mode == OP_AUTH && pin_mode == PIN_NONE) {
|
|
@@ -350,7 +350,7 @@ int main(int argc, const char *argv[])
|
|
|
|
ret = parse_cert_verify_opts(main_ctx, verify_opts, &cert_verify_opts);
|
|
if (ret != EOK) {
|
|
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse verifiy option.\n");
|
|
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse verify option.\n");
|
|
goto fail;
|
|
}
|
|
|
|
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
|
index d66a2f8..9defdfc 100644
|
|
--- a/src/p11_child/p11_child_openssl.c
|
|
+++ b/src/p11_child/p11_child_openssl.c
|
|
@@ -501,6 +501,7 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
|
|
X509_STORE *store = NULL;
|
|
unsigned long err;
|
|
X509_LOOKUP *lookup = NULL;
|
|
+ X509_VERIFY_PARAM *verify_param = NULL;
|
|
|
|
store = X509_STORE_new();
|
|
if (store == NULL) {
|
|
@@ -527,6 +528,30 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
|
|
goto done;
|
|
}
|
|
|
|
+ if (cert_verify_opts->crl_file != NULL) {
|
|
+ verify_param = X509_VERIFY_PARAM_new();
|
|
+ if (verify_param == NULL) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "X509_VERIFY_PARAM_new failed.\n");
|
|
+ ret = ENOMEM;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ X509_VERIFY_PARAM_set_flags(verify_param, (X509_V_FLAG_CRL_CHECK
|
|
+ | X509_V_FLAG_CRL_CHECK_ALL));
|
|
+
|
|
+ X509_STORE_set1_param(store, verify_param);
|
|
+
|
|
+ ret = X509_load_crl_file(lookup, cert_verify_opts->crl_file,
|
|
+ X509_FILETYPE_PEM);
|
|
+ if (ret == 0) {
|
|
+ err = ERR_get_error();
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "X509_load_crl_file failed [%lu][%s].\n",
|
|
+ err, ERR_error_string(err, NULL));
|
|
+ ret = EIO;
|
|
+ goto done;
|
|
+ }
|
|
+ }
|
|
+
|
|
p11_ctx->x509_store = store;
|
|
p11_ctx->cert_verify_opts = cert_verify_opts;
|
|
talloc_set_destructor(p11_ctx, talloc_free_x509_store);
|
|
@@ -536,7 +561,6 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
|
|
done:
|
|
if (ret != EOK) {
|
|
X509_STORE_free(store);
|
|
- X509_LOOKUP_free(lookup);
|
|
}
|
|
|
|
return ret;
|
|
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
|
|
index c86e526..cf1c2ae 100644
|
|
--- a/src/tests/cmocka/test_utils.c
|
|
+++ b/src/tests/cmocka/test_utils.c
|
|
@@ -1567,6 +1567,7 @@ static void test_parse_cert_verify_opts(void **state)
|
|
assert_true(cv_opts->do_ocsp);
|
|
assert_null(cv_opts->ocsp_default_responder);
|
|
assert_null(cv_opts->ocsp_default_responder_signing_cert);
|
|
+ assert_null(cv_opts->crl_file);
|
|
talloc_free(cv_opts);
|
|
|
|
ret = parse_cert_verify_opts(global_talloc_context, "wedfkwefjk", &cv_opts);
|
|
@@ -1575,6 +1576,7 @@ static void test_parse_cert_verify_opts(void **state)
|
|
assert_true(cv_opts->do_ocsp);
|
|
assert_null(cv_opts->ocsp_default_responder);
|
|
assert_null(cv_opts->ocsp_default_responder_signing_cert);
|
|
+ assert_null(cv_opts->crl_file);
|
|
talloc_free(cv_opts);
|
|
|
|
ret = parse_cert_verify_opts(global_talloc_context, "no_ocsp", &cv_opts);
|
|
@@ -1583,6 +1585,7 @@ static void test_parse_cert_verify_opts(void **state)
|
|
assert_false(cv_opts->do_ocsp);
|
|
assert_null(cv_opts->ocsp_default_responder);
|
|
assert_null(cv_opts->ocsp_default_responder_signing_cert);
|
|
+ assert_null(cv_opts->crl_file);
|
|
talloc_free(cv_opts);
|
|
|
|
ret = parse_cert_verify_opts(global_talloc_context, "no_verification",
|
|
@@ -1592,6 +1595,7 @@ static void test_parse_cert_verify_opts(void **state)
|
|
assert_true(cv_opts->do_ocsp);
|
|
assert_null(cv_opts->ocsp_default_responder);
|
|
assert_null(cv_opts->ocsp_default_responder_signing_cert);
|
|
+ assert_null(cv_opts->crl_file);
|
|
talloc_free(cv_opts);
|
|
|
|
ret = parse_cert_verify_opts(global_talloc_context,
|
|
@@ -1601,6 +1605,7 @@ static void test_parse_cert_verify_opts(void **state)
|
|
assert_false(cv_opts->do_ocsp);
|
|
assert_null(cv_opts->ocsp_default_responder);
|
|
assert_null(cv_opts->ocsp_default_responder_signing_cert);
|
|
+ assert_null(cv_opts->crl_file);
|
|
talloc_free(cv_opts);
|
|
|
|
ret = parse_cert_verify_opts(global_talloc_context,
|
|
@@ -1633,6 +1638,17 @@ static void test_parse_cert_verify_opts(void **state)
|
|
assert_true(cv_opts->do_ocsp);
|
|
assert_string_equal(cv_opts->ocsp_default_responder, "abc");
|
|
assert_string_equal(cv_opts->ocsp_default_responder_signing_cert, "def");
|
|
+ assert_null(cv_opts->crl_file);
|
|
+ talloc_free(cv_opts);
|
|
+
|
|
+ ret = parse_cert_verify_opts(global_talloc_context, "crl_file=hij",
|
|
+ &cv_opts);
|
|
+ assert_int_equal(ret, EOK);
|
|
+ assert_true(cv_opts->do_verification);
|
|
+ assert_true(cv_opts->do_ocsp);
|
|
+ assert_null(cv_opts->ocsp_default_responder);
|
|
+ assert_null(cv_opts->ocsp_default_responder_signing_cert);
|
|
+ assert_string_equal(cv_opts->crl_file, "hij");
|
|
talloc_free(cv_opts);
|
|
}
|
|
|
|
diff --git a/src/util/util.c b/src/util/util.c
|
|
index 7f475fa..cbe6a28 100644
|
|
--- a/src/util/util.c
|
|
+++ b/src/util/util.c
|
|
@@ -1024,6 +1024,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
|
|
cert_verify_opts->do_verification = true;
|
|
cert_verify_opts->ocsp_default_responder = NULL;
|
|
cert_verify_opts->ocsp_default_responder_signing_cert = NULL;
|
|
+ cert_verify_opts->crl_file = NULL;
|
|
|
|
return cert_verify_opts;
|
|
}
|
|
@@ -1035,6 +1036,8 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
|
|
"ocsp_default_responder_signing_cert="
|
|
#define OCSP_DEFAUL_RESPONDER_SIGNING_CERT_LEN \
|
|
(sizeof(OCSP_DEFAUL_RESPONDER_SIGNING_CERT) - 1)
|
|
+#define CRL_FILE "crl_file="
|
|
+#define CRL_FILE_LEN (sizeof(CRL_FILE) -1)
|
|
|
|
errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
|
|
struct cert_verify_opts **_cert_verify_opts)
|
|
@@ -1116,6 +1119,16 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
|
|
DEBUG(SSSDBG_TRACE_ALL,
|
|
"Using OCSP default responder signing cert nickname [%s]\n",
|
|
cert_verify_opts->ocsp_default_responder_signing_cert);
|
|
+ } else if (strncasecmp(opts[c], CRL_FILE, CRL_FILE_LEN) == 0) {
|
|
+ cert_verify_opts->crl_file = talloc_strdup(cert_verify_opts,
|
|
+ &opts[c][CRL_FILE_LEN]);
|
|
+ if (cert_verify_opts->crl_file == NULL
|
|
+ || *cert_verify_opts->crl_file == '\0') {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "Failed to parse crl_file option [%s].\n", opts[c]);
|
|
+ ret = EINVAL;
|
|
+ goto done;
|
|
+ }
|
|
} else {
|
|
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
"Unsupported certificate verification option [%s], " \
|
|
diff --git a/src/util/util.h b/src/util/util.h
|
|
index e3e9100..7e9b3d6 100644
|
|
--- a/src/util/util.h
|
|
+++ b/src/util/util.h
|
|
@@ -371,6 +371,7 @@ struct cert_verify_opts {
|
|
bool do_verification;
|
|
char *ocsp_default_responder;
|
|
char *ocsp_default_responder_signing_cert;
|
|
+ char *crl_file;
|
|
};
|
|
|
|
errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
|
|
--
|
|
2.9.5
|
|
|