Diffstat (limited to 'src/responder')
-rw-r--r--src/responder/pam/pamsrv.h1
-rw-r--r--src/responder/pam/pamsrv_cmd.c14
-rw-r--r--src/responder/pam/pamsrv_p11.c21
-rw-r--r--src/responder/ssh/sshsrv_cmd.c25
4 files changed, 52 insertions, 9 deletions
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 64a7d8573..b44e1c337 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -87,6 +87,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
int child_debug_fd,
const char *nss_db,
time_t timeout,
+ const char *verify_opts,
struct pam_data *pd);
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
char **cert, char **token_name);
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 80095cc0b..b9fd35325 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1032,6 +1032,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
{
int p11_child_timeout;
const int P11_CHILD_TIMEOUT_DEFAULT = 10;
+ char *cert_verification_opts;
errno_t ret;
struct tevent_req *req;
@@ -1046,8 +1047,19 @@ static errno_t check_cert(TALLOC_CTX *mctx,
return ret;
}
+ ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_CERT_VERIFICATION, NULL,
+ &cert_verification_opts);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read certificate_verification from confdb: [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
- pctx->nss_db, p11_child_timeout, pd);
+ pctx->nss_db, p11_child_timeout,
+ cert_verification_opts, pd);
if (req == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
return ENOMEM;
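Review bot: The certificate_verification string read from confdb is handed straight to pam_check_cert_send (and from there to the child as a `--verify` argument) without being validated in this responder, while the ssh responder in this same commit runs the value through parse_cert_verify_opts before using it. A malformed option will therefore only surface as a child failure in the PAM path, with a less specific log line than the ssh path produces; if parse_cert_verify_opts is reachable from pamsrv_cmd.c (I cannot see its header from here), calling it here after the confdb read, e.g. `ret = parse_cert_verify_opts(cert_verification_opts, &do_ocsp);` guarded by `if (cert_verification_opts != NULL)`, would fail early and consistently. Also worth a one-line comment above the confdb_get_string call that the string is allocated on mctx and must outlive the tevent request that borrows it. check_cert starts and ends outside this hunk.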
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index afb28fd52..58310a253 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -236,6 +236,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
int child_debug_fd,
const char *nss_db,
time_t timeout,
+ const char *verify_opts,
struct pam_data *pd)
{
errno_t ret;
@@ -246,9 +247,10 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
struct timeval tv;
int pipefd_to_child[2];
int pipefd_from_child[2];
- const char *extra_args[5] = {NULL, NULL, NULL, NULL, NULL};
+ const char *extra_args[7] = { NULL };
uint8_t *write_buf = NULL;
size_t write_buf_len = 0;
+ size_t arg_c;
req = tevent_req_create(mem_ctx, &state, struct pam_check_cert_state);
if (req == NULL) {
@@ -262,16 +264,21 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
}
/* extra_args are added in revers order */
- extra_args[1] = "--nssdb";
- extra_args[0] = nss_db;
+ arg_c = 0;
+ extra_args[arg_c++] = nss_db;
+ extra_args[arg_c++] = "--nssdb";
+ if (verify_opts != NULL) {
+ extra_args[arg_c++] = verify_opts;
+ extra_args[arg_c++] = "--verify";
+ }
if (pd->cmd == SSS_PAM_AUTHENTICATE) {
- extra_args[2] = "--auth";
+ extra_args[arg_c++] = "--auth";
switch (sss_authtok_get_type(pd->authtok)) {
case SSS_AUTHTOK_TYPE_SC_PIN:
- extra_args[3] = "--pin";
+ extra_args[arg_c++] = "--pin";
break;
case SSS_AUTHTOK_TYPE_SC_KEYPAD:
- extra_args[3] = "--keypad";
+ extra_args[arg_c++] = "--keypad";
break;
default:
DEBUG(SSSDBG_OP_FAILURE, "Unsupported authtok type.\n");
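Review bot: arg_c is incremented up to six times here (nss_db, --nssdb, verify_opts, --verify, --auth, --pin or --keypad) against the extra_args[7] declared in the previous hunk, and nothing ties the array size to that count, so the NULL terminator the callee presumably relies on survives only until someone adds a seventh argument. A comment on the array declaration such as `/* up to 6 arguments + NULL terminator; keep in sync with the arg_c++ writes below */`, or an enum constant used both for the array size and in an `if (arg_c >= EXTRA_ARGS_MAX)` guard before each write, would make the invariant explicit. The existing "added in revers order" comment above the block is now the only hint that the value precedes its flag (`verify_opts` before `"--verify"`), so spelling it `reverse` and noting "value first, then its option" would help the next reader. pam_check_cert_send continues past the end of this hunk.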
@@ -279,7 +286,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
goto done;
}
} else if (pd->cmd == SSS_PAM_PREAUTH) {
- extra_args[2] = "--pre";
+ extra_args[arg_c++] = "--pre";
} else {
DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected PAM command [%d}.\n", pd->cmd);
ret = EINVAL;
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index 5f5487035..af385fde8 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -797,6 +797,8 @@ static errno_t decode_and_add_base64_data(struct ssh_cmd_ctx *cmd_ctx,
int ret;
size_t d;
TALLOC_CTX *tmp_ctx;
+ char *cert_verification_opts;
+ bool do_ocsp = true;
if (el == NULL) {
DEBUG(SSSDBG_TRACE_ALL, "Mssing element, nothing to do.\n");
@@ -811,9 +813,30 @@ static errno_t decode_and_add_base64_data(struct ssh_cmd_ctx *cmd_ctx,
for (d = 0; d < el->num_values; d++) {
if (cert_data) {
+
+ ret = confdb_get_string(cctx->rctx->cdb, tmp_ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_CERT_VERIFICATION, NULL,
+ &cert_verification_opts);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read p11_child_timeout from confdb: [%d] %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ if (cert_verification_opts != NULL) {
+ ret = parse_cert_verify_opts(cert_verification_opts, &do_ocsp);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to parse verifiy option.\n");
+ return ret;
+ }
+ }
+
ret = cert_to_ssh_key(tmp_ctx, ssh_ctx->ca_db,
el->values[d].data, el->values[d].length,
- &key, &key_len);
+ do_ocsp, &key, &key_len);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "cert_to_ssh_key failed.\n");
return ret;
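Review bot: The confdb read and parse_cert_verify_opts call sit inside the `for (d ...)` loop, so a multi-certificate entry re-reads and re-parses the same configuration value on every iteration, and the error message on the read failure says "p11_child_timeout" although the key read is CONFDB_MONITOR_CERT_VERIFICATION (the parse failure message also misspells "verifiy"). Hoisting the read and parse above the loop, under the same cert_data condition, evaluates the option once and keeps the messages accurate; the rewritten lines are below, with the loop body reduced to the cert_to_ssh_key call. cert_data appears to be a per-call flag rather than per-value data, which is what makes the hoist safe, but that and the tmp_ctx setup are outside this hunk, so please confirm against the function head.
```c
    if (cert_data) {
        ret = confdb_get_string(cctx->rctx->cdb, tmp_ctx,
                                CONFDB_MONITOR_CONF_ENTRY,
                                CONFDB_MONITOR_CERT_VERIFICATION, NULL,
                                &cert_verification_opts);
        if (ret != EOK) {
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "Failed to read certificate_verification from confdb: [%d] %s\n",
                  ret, sss_strerror(ret));
            return ret;
        }

        /* Absent option keeps the default do_ocsp = true. */
        if (cert_verification_opts != NULL) {
            ret = parse_cert_verify_opts(cert_verification_opts, &do_ocsp);
            if (ret != EOK) {
                DEBUG(SSSDBG_FATAL_FAILURE,
                      "Failed to parse verify option.\n");
                return ret;
            }
        }
    }

    for (d = 0; d < el->num_values; d++) {
        if (cert_data) {
            ret = cert_to_ssh_key(tmp_ctx, ssh_ctx->ca_db,
                                  el->values[d].data, el->values[d].length,
                                  do_ocsp, &key, &key_len);
            /* … unchanged: cert_to_ssh_key error handling and rest of loop body … */
```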