rpms/sssd
6
0
Fork 0
Code Issues Pull Requests Releases Activity
987764900d
sssd/0020-p11_child-Add-timeout-parameter.patch
Alejandro López 987764900d Resolves: RHEL-120292 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-8.10.z] 
Resolves: RHEL-112455 - p11_child currently has an infinite timeout [rhel-8.10.z]
2025-10-17 09:54:55 +02:00

263 lines
9.8 KiB
Diff
Raw Blame History

From 629cb8dfc8077f13464a47bf9af5bdc9c2e9b950 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Thu, 20 Mar 2025 18:11:40 +0100
Subject: [PATCH] p11_child: Add timeout parameter
p11_child communication with OCSP server may take a long time
because of network issues. Then p11_child is killed after
`p11_child_timeout` and the authentication fails.
This is not desirable when `certificate_verification` is
set to `soft_ocsp`. This update will pass the timeout to the
child process so it can cancel the OCSP verification
before it is terminated.
Resolves: https://github.com/SSSD/sssd/issues/6601
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Scott Poore <spoore@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 2cf2e83a223f0eb74bd81a7fcaf726c62d577719)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/p11_child/p11_child.h | 4 +++-
src/p11_child/p11_child_common.c | 19 +++++++++++++---
src/p11_child/p11_child_openssl.c | 29 ++++++++++++++++++++++---
src/responder/ifp/ifp_users.c | 12 +++++++++-
src/responder/pam/pamsrv_p11.c | 12 +++++++++-
src/responder/ssh/ssh_cert_to_ssh_key.c | 10 ++++++++-
6 files changed, 76 insertions(+), 10 deletions(-)
diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
index e3547ce23..2bc83990c 100644
--- a/src/p11_child/p11_child.h
+++ b/src/p11_child/p11_child.h
@@ -27,6 +27,7 @@
/* for CK_MECHANISM_TYPE */
#include <p11-kit/pkcs11.h>
+#include <time.h>
/* Time to wait for new slot events. */
#define PKCS11_SLOT_EVENT_WAIT_TIME 1
@@ -59,7 +60,8 @@ enum pin_mode {
};
errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
- bool wait_for_card, struct p11_ctx **p11_ctx);
+ bool wait_for_card, time_t timeout,
+ struct p11_ctx **p11_ctx);
errno_t init_verification(struct p11_ctx *p11_ctx,
struct cert_verify_opts *cert_verify_opts);
diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
index 5eab9b063..9d690669c 100644
--- a/src/p11_child/p11_child_common.c
+++ b/src/p11_child/p11_child_common.c
@@ -63,12 +63,12 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
const char *cert_b64, const char *pin,
const char *module_name, const char *token_name,
const char *key_id, const char *label, const char *uri,
- char **multi)
+ time_t timeout, char **multi)
{
int ret;
struct p11_ctx *p11_ctx;
- ret = init_p11_ctx(mem_ctx, ca_db, wait_for_card, &p11_ctx);
+ ret = init_p11_ctx(mem_ctx, ca_db, wait_for_card, timeout, &p11_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "init_p11_ctx failed.\n");
return ret;
@@ -165,6 +165,7 @@ int main(int argc, const char *argv[])
char *label = NULL;
char *cert_b64 = NULL;
long chain_id = 0;
+ long timeout = -1;
bool wait_for_card = false;
char *uri = NULL;
@@ -202,6 +203,8 @@ int main(int argc, const char *argv[])
_("PKCS#11 URI to restrict selection"), NULL},
{"chain-id", 0, POPT_ARG_LONG, &chain_id,
0, _("Tevent chain ID used for logging purposes"), NULL},
+ {"timeout", 0, POPT_ARG_LONG, &timeout,
+ 0, _("OCSP communication timeout"), NULL},
POPT_TABLEEND
};
@@ -382,9 +385,19 @@ int main(int argc, const char *argv[])
}
}
+ /* sanity check for timeout value */
+ if (timeout > INT32_MAX) {
+ fprintf(stderr,
+ "Timeout value [%li] is too long, using [%d]\n",
+ timeout, INT32_MAX);
+ timeout = INT32_MAX;
+ } else if (timeout < -1) {
+ timeout = -1;
+ }
+
ret = do_work(main_ctx, mode, ca_db, cert_verify_opts, wait_for_card,
cert_b64, pin, module_name, token_name, key_id, label, uri,
- &multi);
+ timeout, &multi);
done:
fprintf(stdout, "%d\n%s", ret, multi ? multi : "");
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index 45a4930ba..468d8cf5c 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -44,6 +44,7 @@ struct p11_ctx {
const char *ca_db;
bool wait_for_card;
struct cert_verify_opts *cert_verify_opts;
+ time_t ocsp_deadline;
};
static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
@@ -390,8 +391,19 @@ static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert)
OCSP_request_add1_nonce(ocsp_req, NULL, -1);
- ocsp_resp = process_responder(ocsp_req, host, path, port, use_ssl,
- req_timeout);
+ if (p11_ctx->ocsp_deadline != -1 && p11_ctx->cert_verify_opts->soft_ocsp) {
+ req_timeout = p11_ctx->ocsp_deadline - time(NULL);
+ if (req_timeout <= 0) {
+ /* no time left for OCSP */
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Timeout before we could run OCSP request.\n");
+ req_timeout = 0;
+ }
+ }
+ if (req_timeout != 0) {
+ ocsp_resp = process_responder(ocsp_req, host, path, port, use_ssl,
+ req_timeout);
+ }
if (ocsp_resp == NULL) {
if (p11_ctx->cert_verify_opts->soft_ocsp) {
tmp_str = get_issuer_subject_str(p11_ctx, cert);
@@ -580,7 +592,8 @@ static int p11_ctx_destructor(struct p11_ctx *p11_ctx)
}
errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
- bool wait_for_card, struct p11_ctx **p11_ctx)
+ bool wait_for_card, time_t timeout,
+ struct p11_ctx **p11_ctx)
{
int ret;
struct p11_ctx *ctx;
@@ -591,6 +604,16 @@ errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
return ENOMEM;
}
+ if (timeout == 1) {
+ /* timeout of 1 sec is too short (see -1 in deadline calculation),
+ * increasing to 2 and hope that the ocsp operation finishes
+ * before p11_child is terminated.
+ */
+ timeout = 2;
+ }
+ /* timeout <= 0 means no timeout specified */
+ ctx->ocsp_deadline = timeout > 0 ? time(NULL) + timeout - 1 : -1;
+
/* See https://wiki.openssl.org/index.php/Library_Initialization for
* details. */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
diff --git a/src/responder/ifp/ifp_users.c b/src/responder/ifp/ifp_users.c
index 7acd46ef1..6c147d74d 100644
--- a/src/responder/ifp/ifp_users.c
+++ b/src/responder/ifp/ifp_users.c
@@ -1128,7 +1128,7 @@ ifp_users_find_by_valid_cert_send(TALLOC_CTX *mem_ctx,
goto done;
}
- state->extra_args = talloc_zero_array(state, const char *, 8);
+ state->extra_args = talloc_zero_array(state, const char *, 10);
if (state->extra_args == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
ret = ENOMEM;
@@ -1143,6 +1143,16 @@ ifp_users_find_by_valid_cert_send(TALLOC_CTX *mem_ctx,
state->extra_args[arg_c++] = "--verify";
}
state->extra_args[arg_c++] = "--verification";
+ if (state->timeout > 0) {
+ state->extra_args[arg_c++] = talloc_asprintf(state, "%d",
+ state->timeout);
+ if (state->extra_args[arg_c - 1] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ state->extra_args[arg_c++] = "--timeout";
+ }
ret = p11_child_exec(req);
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 2f973d89f..1490ca28d 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -746,7 +746,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
struct timeval tv;
int pipefd_to_child[2] = PIPE_INIT;
int pipefd_from_child[2] = PIPE_INIT;
- const char *extra_args[20] = { NULL };
+ const char *extra_args[22] = { NULL };
uint8_t *write_buf = NULL;
size_t write_buf_len = 0;
size_t arg_c;
@@ -778,6 +778,16 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
/* extra_args are added in revers order */
arg_c = 0;
+ if (timeout > 0) {
+ extra_args[arg_c++] = talloc_asprintf(mem_ctx, "%lu", timeout);
+ if (extra_args[arg_c - 1] == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ extra_args[arg_c++] = "--timeout";
+ }
+
chain_id = sss_chain_id_get();
extra_args[arg_c++] = talloc_asprintf(mem_ctx, "%lu", chain_id);
diff --git a/src/responder/ssh/ssh_cert_to_ssh_key.c b/src/responder/ssh/ssh_cert_to_ssh_key.c
index b8bc8b7ab..53c33c279 100644
--- a/src/responder/ssh/ssh_cert_to_ssh_key.c
+++ b/src/responder/ssh/ssh_cert_to_ssh_key.c
@@ -91,7 +91,7 @@ struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
}
state->valid_keys = 0;
- state->extra_args = talloc_zero_array(state, const char *, 8);
+ state->extra_args = talloc_zero_array(state, const char *, 10);
if (state->extra_args == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
ret = ENOMEM;
@@ -108,6 +108,14 @@ struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
state->extra_args[arg_c++] = "--verify";
}
state->extra_args[arg_c++] = "--verification";
+ if (timeout > 0) {
+ state->extra_args[arg_c++] = talloc_asprintf(state, "%lu", timeout);
+ if (state->extra_args[arg_c - 1] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ state->extra_args[arg_c++] = "--timeout";
+ }
state->certs = talloc_zero_array(state, const char *, cert_count);
if (state->certs == NULL) {
--
2.51.0
Reference in New Issue View Git Blame Copy Permalink