PAM: Multiple certificates on a Smartcard #433
Conversation
|
@sumit-bose, as we discussed in our internal meeting, someone from our QA team would do the functional testing. So far I've taken a look at the code and came up with the following changes: https://github.com/fidencio/sssd/tree/review/multiple_certs The most part of the fixup patches are minors and could be ignored but "fixup! pam_sss: refactoring, use struct cert_auth_info" would be worth to have squashed. I'll run coverity in those patches and wait for QA ack as well. Okay? |
|
So, coverity found some issues:
Here it seems that a DLIST_FOR_EACH_SAFE() should be used.
This one could either be solved by a simple check on the called to ensure that tok is not NULL or by the suggested patch below: The patch above would also avoid a check done as part of the one patches to ensure that |
|
I have updated the comments in order to reflect on what we discussed on IRC. |
sumit-bose
force-pushed
the
multiple_certs
branch
from
c51668c
to
716fc76
Compare
|
Thank you for the review, I include all your comments in the latest version. |
|
After a few tries to run coverity in the new code I've finally able to and seems that no new issues have been introduced. You have an ACK from me. @jhrozek would like to run some downstream tests (please, @jhrozek, let us know about the result as soon as you have those) and after that and Scott ACK this PR will be ready to go. @sumit-bose, please, let us know about Scott's tests results. |
|
Hi Fabiano, thank you for the review. Scott's test are not done yet. He found that just showing the subject-DN to select a certificate is not sufficient for some types of Smartcards where all certificates will have the same subject-DN. I prepared a new build for him which he hopefully can test today. |
|
Okay, let me know when you update the patches and I'll do a third round of review then. |
sumit-bose
force-pushed
the
multiple_certs
branch
from
716fc76
to
d923427
Compare
|
I just updates the patches to the latest version which got a positive feedback from Scott. The changes are mostly in the two new patches. |
|
Okay. I'm firing our internal CI and I'll try to go through these patches before lunch. |
|
Please let me know if I should re-run some of the downstream tests I ran the other day. Although you should be able to do that as well if you have the job IDs around -- just cloning those after you build the new test repo should do the trick. |
|
@jhrozek, don't worry, I'll run the downstream tests based on the job IDs you pointed me to. |
|
So, code-wise I have just a few nitpicks related to the new patches. Feel free to pick up the changes or ignore them if you don't think they're valid: Covscan came up without any issues and I'm just waiting for the results of the downstream tests to ACK the patches. |
|
@fidencio, thank you for the review. I used '0' instead of EOK here on purpose. Although in the SSSD source tree the sss_certmap_* calls are coming from an external library and the return code for success is '0' as documented in src/lib/certmap/sss_certmap.h. EOK is used by SSSD's internal calls and is currently defined as '0'. But in theory it should be possible to set this to any int value and SSSD should keep working. I pretty sure this would currently break heavily but that why I would prefer to not use EOK for calls from external libraries. |
|
@sumit-bose, makes sense :-) So, no more comments from me and I'm just waiting for the results of downstream tests. |
|
@sumit-bose, last thing ... running our internal CI has been a little problematic due to the amount of dependencies pulled by gdm-devel. I'd like to suggest to check for the OS version and add gdm-devel as a requirement only for el > 7.4 and fedora >= 27. Does that make sense? |
|
Hmm. It should be enough: Just fired an internal CI build in order to have it tested. |
|
Okay, Debian testing has been failing on our CI and the following patch solves the issue: You can find the two patches that I mentioned at: https://github.com/fidencio/sssd/tree/review/multiple_certs |
sumit-bose
force-pushed
the
multiple_certs
branch
from
d923427
to
1b0239e
Compare
|
The latest version include both fixes, I just renamed the spec file global. |
|
Okay, all the downstream tests passed (one of the them only in the second run, though). ACK! |
|
Please, whoever pushes this patch set, add Scott Poore as reviewer as well. |
|
Just a note. I would like to avoid following change: We need to properly initialise authtok in all cases. It must not be |
|
So, I've just done some tests here and seems that we can just drop "authtok: check for NULL in sss_authtok_get_type()" patch, as long as we add the following fixup to the "p11_child: use options to select certificate for authentication" patch. |
|
@lslebodn, @sumit-bose, both of you agree on that? (so we can have it merged sooner than later :-)) |
Sure I suggested to drop the check. |
This patch refactors the handling of certificates in p11_child. Not only the first but all certificates suitable for authentication are returned. The PAM responder component calling p11_child is refactored to handle multiple certificate returned by p11_child but so far only returns the first one to its callers. Related to https://pagure.io/SSSD/sssd/issue/3560
sumit-bose
force-pushed
the
multiple_certs
branch
from
1b0239e
to
502ca9e
Compare
|
Covscan passed. ACK, and I'm adding the "Accepted" label. |
|
whitespace unit test failed for me on my laptop
|
| return ret; | ||
| } | ||
|
|
||
| request = calloc(1, GDM_PAM_EXTENSION_CHOICE_LIST_REQUEST_SIZE(cert_count)); |
There was a problem hiding this comment.
We should check return value here and fail in case of NULL.
Because it is checked inly in done section which is too late
| return EINVAL; | ||
| } | ||
|
|
||
| DLIST_FOR_EACH(cai, pi->cert_list) cert_count++; |
There was a problem hiding this comment.
Can it happen that cert_count will be 0 ?
There was a problem hiding this comment.
It is checked before if pi->cert_list is NULL, so cert_count is at least one.
|
|
||
| login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME"); | ||
| if (login_token_name == NULL) { | ||
| return PAM_SUCCESS; | ||
| } | ||
|
|
||
| while (pi->token_name == NULL | ||
| || strcmp(login_token_name, pi->token_name) != 0) { | ||
| while (cai->token_name == NULL |
There was a problem hiding this comment.
Clang says that cai can be NULL here
- call pam_sss
- line 2245 -> call get_pam_items
- line 1253 -> "pi->cert_list = NULL"
- return back from call get_pam_items
- line 2263 -> use case SSS_APM_AUTHENTICAte in switch
- line 2287 -> call check_login_token_name
- line 2170 -> "struct cert_auth_info *cai = pi->cert_list;"
- line 2177 -> note: Access to field 'token_name' results in a dereference of a null pointer (loaded from variable 'cai')
But I think it is false positive because we call send_and_receive-> eval_response -> parse_cert_info
What do you think?
There was a problem hiding this comment.
I added a check because we cannot be sure that the PAM responder did add the needed data.
|
BTW fix for whitespace on my laptop it was simpler than adding it to blacklist and unit test passed |
This patch refactors the handling of the certificate and the attributes to address the certificate on the Smartcard (module name, token name and key id). Instead of using individual variables the values are put into a new struct cert_auth_info. Since the new struct can be used as a list the PAM responder can now handle multiple certificates on the Smartcard and can send the needed data to pam_sss with multiple SSS_PAM_CERT_INFO messages. Unit tests are added to confirm the expected behavior. Related to https://pagure.io/SSSD/sssd/issue/3560
Similar as in the PAM responder this patch replaces the individual certificate authentication related attributes by a struct which can be used as a list. With the pam_sss can handle multiple SSS_PAM_CERT_INFO message and place the data in individual list items. If multiple certificates are returned before prompting for the PIN a dialog to select a certificate is shown to the users. If available a GDM PAM extension is used to let the user choose from a list. All coded needed at runtime to check if the extension is available and handle the data is provided by GDM as macros. This means that there are no additional run-time requirements. Related to https://pagure.io/SSSD/sssd/issue/3560
New options are added to p11_child to select a specific certificate during authentication. The related unit tests are updated by adding the needed attributes to the requests. The was not necessary before because although the attribute were already send by pam_sss they were not used in the PAM responder but only forwarded to the back where they were used by the PKINIT code to select the expected certificate. Related to https://pagure.io/SSSD/sssd/issue/3560
A new certificate attribute is added which contains a string which is used in the certificate selection list displayed to the user. The Subject-DN of the certificate is used here because it is present in all certificate and in general differs for certificate with different usage. libsss_certmap is used to extract the subject-DN from the certificate and convert it into a string. Related to https://pagure.io/SSSD/sssd/issue/3560
If only one certificate is available and the logon_name is the user is not given the PAM responder already tried to find the name during the pre-auth step. With multiple certificates this might cause useless extra effort and the name should be determined after the certificate is selected in the authentication step. This might currently only happen with GDM because all other PAM clients will prompt for the user name unconditionally. New unit tests are added to cover this new case. Related to https://pagure.io/SSSD/sssd/issue/3560
Additionally to the NSS erro code a text message describing the error is added. This will help to see why p11_child ignores specific certificates. For example it would be more obvious why the certificate is not valid (expired, missing CA cert, failed OCSP etc). Related to https://pagure.io/SSSD/sssd/issue/3560
With the new selection option and the handling of multiple certificates in the PAM responder it is not needed anymore to filter the certificates in p11_child but the matching rules can be applied by the PAM responder directly. Related to https://pagure.io/SSSD/sssd/issue/3560
Some types of Smartcards contain multiple certificate with the same subject-DN for different usages. To make it easier to choose between them in case the matching rules allow more than one of them for authentication the label assigned to the certificate on the Smartcard is shown in the selection prompt as well. Related to https://pagure.io/SSSD/sssd/issue/3560
sumit-bose
force-pushed
the
multiple_certs
branch
from
502ca9e
to
dc04e54
Compare
|
The latest version fixes @lslebodn's comment and modifies a filter in the whitespace test so that the added NSS database files are skipped as well. |
With this patch set SSSD will ask the user to select a certificate if multiple
certificates suitable for authentication are found on a Smartcard.
The first three patches are basically refactoring to use a list of structs
instead of individual variables. The third also adds the PAM conversations to
select the certificate.
The fourth patch makes sure that p11_child can address a specific certificate
as well.
The fifth adds the string shown to the user to identify a certificate
in the selection dialog.
The sixth makes sure the user name is available when the authentication request
is send to the backend.
Finally the seventh patch adds error messages explaining the NSS error codes in
p11_child to make debugging easier.
Resolves https://pagure.io/SSSD/sssd/issue/3560