p11_child: add OpenSSL support

The patch adds an alternative implementation of p11_child with uses p11-kit and OpenSSL instead of NSS. Some certificate validation options are still missing and will be added in upcoming patches. Related to https://pagure.io/SSSD/sssd/issue/3489 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SSSD · Jun 5, 2018 · 6d6e4a5 · 6d6e4a5
1 parent b5136cd
commit 6d6e4a5
Show file tree

Hide file tree

Showing 10 changed files with 858 additions and 8 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -175,15 +175,13 @@ endif
 if BUILD_SEMANAGE
 sssdlibexec_PROGRAMS += selinux_child
 endif
-if HAVE_NSS
 sssdlibexec_PROGRAMS += p11_child
 if SSSD_USER
 if HAVE_POLKIT_RULES_D
 polkit_rulesdir = $(polkitdir)
 dist_polkit_rules_DATA = contrib/sssd-pcsc.rules
 endif
 endif
-endif
 if BUILD_SECRETS
 sssdlibexec_PROGRAMS += sssd_secrets
 endif
@@ -4270,24 +4268,50 @@ proxy_child_LDADD = \
 
 p11_child_SOURCES = \
     src/p11_child/p11_child_common.c \
-    src/p11_child/p11_child_nss.c \
     src/util/atomic_io.c \
     src/util/util.c \
     src/util/util_ext.c \
     $(NULL)
+if HAVE_NSS
+p11_child_SOURCES += src/p11_child/p11_child_nss.c
+else
+p11_child_SOURCES += src/p11_child/p11_child_openssl.c
+endif
+
 p11_child_CFLAGS = \
     $(AM_CFLAGS) \
     $(POPT_CFLAGS) \
+    $(NULL)
+if HAVE_NSS
+p11_child_CFLAGS += \
     $(NSS_CFLAGS) \
     $(NULL)
+else
+p11_child_CFLAGS += \
+    $(P11_KIT_CFLAGS) \
+    $(CRYPTO_CFLAGS) \
+    $(SSL_CFLAGS) \
+    $(NULL)
+endif
+
 p11_child_LDADD = \
     libsss_debug.la \
     $(TALLOC_LIBS) \
     $(DHASH_LIBS) \
     $(POPT_LIBS) \
-    $(NSS_LIBS) \
     libsss_crypt.la \
     $(NULL)
+if HAVE_NSS
+p11_child_LDADD += \
+    $(NSS_LIBS) \
+    $(NULL)
+else
+p11_child_LDADD += \
+    $(P11_KIT_LIBS) \
+    $(CRYPTO_LIBS) \
+    $(SSL_LIBS) \
+    $(NULL)
+endif
 
 memberof_la_SOURCES = \
     src/ldb_modules/memberof.c \
@@ -4780,6 +4804,7 @@ SSSD_USER_DIRS = \
     $(DESTDIR)$(gpocachepath) \
     $(DESTDIR)$(sssdconfdir) \
     $(DESTDIR)$(sssdconfdir)/conf.d \
+    $(DESTDIR)$(sssdconfdir)/pki \
     $(DESTDIR)$(sssddefaultconfdir) \
     $(DESTDIR)$(logpath) \
     $(DESTDIR)$(deskprofilepath) \
@@ -4817,7 +4842,8 @@ endif
             $(DESTDIR)$(pubconfpath) \
             $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
 	$(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir) \
-                          $(DESTDIR)$(sssdconfdir)/conf.d
+                          $(DESTDIR)$(sssdconfdir)/conf.d \
+                          $(DESTDIR)$(sssdconfdir)/pki
 if BUILD_SECRETS
 	$(MKDIR_P) $(DESTDIR)$(secdbpath)
 endif

diff --git a/configure.ac b/configure.ac
@@ -393,6 +393,7 @@ fi
 
 if test x$cryptolib = xlibcrypto; then
     AM_CHECK_LIBCRYPTO
+    m4_include([src/external/p11-kit.m4])
 fi
 
 AM_CHECK_INOTIFY

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
@@ -1001,6 +1001,9 @@ done
 %attr(750,sssd,sssd) %dir %{_var}/log/%{name}
 %attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd
 %attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/conf.d
+%if (0%{?use_openssl} == 1)
+%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/pki
+%endif
 %ghost %attr(0600,sssd,sssd) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %dir %{_sysconfdir}/logrotate.d
 %config(noreplace) %{_sysconfdir}/logrotate.d/sssd

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
@@ -153,7 +153,11 @@
 #define CONFDB_SSH_KNOWN_HOSTS_TIMEOUT "ssh_known_hosts_timeout"
 #define CONFDB_DEFAULT_SSH_KNOWN_HOSTS_TIMEOUT 180
 #define CONFDB_SSH_CA_DB "ca_db"
+#ifdef HAVE_NSS
 #define CONFDB_DEFAULT_SSH_CA_DB SYSCONFDIR"/pki/nssdb"
+#else
+#define CONFDB_DEFAULT_SSH_CA_DB SYSCONFDIR"/sssd/pki/sssd_auth_ca_db.pem"
+#endif
 #define CONFDB_SSH_USE_CERT_KEYS "ssh_use_certificate_keys"
 #define CONFDB_DEFAULT_SSH_USE_CERT_KEYS true
 

diff --git a/src/external/crypto.m4 b/src/external/crypto.m4
@@ -5,5 +5,6 @@ AC_DEFUN([AM_CHECK_NSS],
 
 AC_DEFUN([AM_CHECK_LIBCRYPTO],
          [PKG_CHECK_MODULES([CRYPTO],[libcrypto])
+          PKG_CHECK_MODULES([SSL],[libssl])
           AC_DEFINE_UNQUOTED(HAVE_LIBCRYPTO, 1, [Build with libcrypt crypto back end])
 ])
diff --git a/src/external/p11-kit.m4 b/src/external/p11-kit.m4
@@ -0,0 +1,4 @@
+AC_SUBST(P11_KIT_CFLAGS)
+AC_SUBST(P11_KIT_LIBS)
+
+PKG_CHECK_MODULES([P11_KIT], [p11-kit-1])
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
@@ -46,7 +46,12 @@ FILES_CONDS = ;enable_files_domain
 else
 FILES_CONDS = ;no_enable_files_domain
 endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)
+if HAVE_NSS
+CRYPTO_CONDS = ;with_nss
+else
+CRYPTO_CONDS = ;with_openssl
+endif
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(CRYPTO_CONDS)
 
 
 #Special Rules:

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
@@ -1345,7 +1345,22 @@ pam_account_locked_message = Account locked, please contact help desk.
                             the PKCS#11 modules to access the Smartcard.
                         </para>
                         <para>
-                            Default: /etc/pki/nssdb (NSS version)
+                            Default:
+                            <itemizedlist>
+                                <listitem><para>/etc/pki/nssdb (NSS version,
+                                                path to a NSS
+                                                database)</para></listitem>
+                                <listitem><para>/etc/sssd/pki/sssd_auth_ca_db.pem
+                                                (OpenSSL version, path to a file
+                                                with trusted CA certificates in
+                                                PEM format)</para></listitem>
+                            </itemizedlist>
+                        </para>
+                        <para condition="with_nss">
+                            This man page was generated for the NSS version.
+                        </para>
+                        <para condition="with_openssl">
+                            This man page was generated for the OpenSSL version.
                         </para>
                     </listitem>
                 </varlistentry>
@@ -1515,7 +1530,22 @@ pam_account_locked_message = Account locked, please contact help desk.
                             deriving public ssh keys from them.
                         </para>
                         <para>
-                            Default: /etc/pki/nssdb
+                            Default:
+                            <itemizedlist>
+                                <listitem><para>/etc/pki/nssdb (NSS version,
+                                                path to a NSS
+                                                database)</para></listitem>
+                                <listitem><para>/etc/sssd/pki/sssd_auth_ca_db.pem
+                                                (OpenSSL version, path to a file
+                                                with trusted CA certificates in
+                                                PEM format)</para></listitem>
+                            </itemizedlist>
+                        </para>
+                        <para condition="with_nss">
+                            This man page was generated for the NSS version.
+                        </para>
+                        <para condition="with_openssl">
+                            This man page was generated for the OpenSSL version.
                         </para>
                     </listitem>
                 </varlistentry>