URL: https://github.com/SSSD/sssd/pull/201 Author: sumit-bose Title: #201: Fix handling of binary keys in the ssh responder Action: opened
PR body: """ ssh-keys derived from certificates are already stored in binary form to avoid a useless base64 encoding/decoding cycle. In the second patch support for certificates from overrides from non-default views is added. I'm not sure if this is a regression or if it never worked so far. Related to https://pagure.io/SSSD/sssd/issue/3332 """ To pull the PR as a Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/201/head:pr201 git checkout pr201
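As an added example (not SSSD's code and not part of this PR), the decision the first patch changes: a value is passed through untouched when its element is flagged as binary and is base64-decoded otherwise. The `struct element`, the `EL_FLAG_BIN_DATA` bit and the ssh-rsa key prefix are constructed stand-ins for libldb's `ldb_message_element`, the patch's `SSS_EL_FLAG_BIN_DATA` and real key data; the third case shows why unflagged binary key bytes that reach the decoder are rejected, which is the failure the PR body describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the private bit the patch calls SSS_EL_FLAG_BIN_DATA. */
#define EL_FLAG_BIN_DATA (1U << 4)

/* Constructed stand-ins for libldb's ldb_val / ldb_message_element. */
struct val { uint8_t *data; size_t length; };
struct element { unsigned int flags; unsigned int num_values; struct val *values; };

static int b64_index(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Strict base64 decoder: rejects any byte outside the alphabet (so raw key
 * bytes such as 0x00 fail), bad padding, and lengths that are not a multiple
 * of four. Returns a malloc'd buffer or NULL on invalid input. */
static uint8_t *b64_decode(const uint8_t *in, size_t in_len, size_t *out_len)
{
    if (in_len == 0 || in_len % 4 != 0) return NULL;
    uint8_t *out = malloc(in_len / 4 * 3);
    if (out == NULL) return NULL;
    size_t o = 0;
    for (size_t i = 0; i < in_len; i += 4) {
        int v[4], pad = 0;
        for (int k = 0; k < 4; k++) {
            int c = in[i + k];
            if (c == '=' && i + 4 == in_len && k >= 2) { v[k] = 0; pad++; continue; }
            v[k] = b64_index(c);
            if (v[k] < 0 || pad > 0) { free(out); return NULL; }
        }
        uint32_t triple = ((uint32_t)v[0] << 18) | ((uint32_t)v[1] << 12) |
                          ((uint32_t)v[2] << 6) | (uint32_t)v[3];
        out[o++] = (triple >> 16) & 0xff;
        if (pad < 2) out[o++] = (triple >> 8) & 0xff;
        if (pad < 1) out[o++] = triple & 0xff;
    }
    *out_len = o;
    return out;
}

/* Mirrors the branch the patch changes in decode_and_add_base64_data(): an
 * element flagged binary (or a caller that disables decoding) is copied as-is,
 * anything else is treated as base64 text. Returns a malloc'd key or NULL. */
static uint8_t *extract_key(const struct element *el, unsigned int d,
                            int skip_base64_decode, size_t *key_len)
{
    const struct val *v = &el->values[d];
    if (skip_base64_decode || (el->flags & EL_FLAG_BIN_DATA)) {
        uint8_t *copy = malloc(v->length);
        if (copy == NULL) return NULL;
        memcpy(copy, v->data, v->length);
        *key_len = v->length;
        return copy;
    }
    return b64_decode(v->data, v->length, key_len);
}

/* Constructed sample: the wire-format prefix of an ssh-rsa key, raw and base64. */
static const uint8_t RAW_KEY[] = {0x00, 0x00, 0x00, 0x07, 's', 's', 'h', '-', 'r', 's', 'a'};
static const uint8_t B64_KEY[] = "AAAAB3NzaC1yc2E=";

/* Case 1: element built from a certificate, already binary and flagged. */
static int binary_element_passes_through(void)
{
    struct val v = { (uint8_t *)RAW_KEY, sizeof(RAW_KEY) };
    struct element el = { EL_FLAG_BIN_DATA, 1, &v };
    size_t len = 0;
    uint8_t *key = extract_key(&el, 0, 0, &len);
    int ok = key != NULL && len == sizeof(RAW_KEY) && memcmp(key, RAW_KEY, len) == 0;
    free(key);
    return ok;
}

/* Case 2: the same key stored as base64 text, no flag: decoded to identical bytes. */
static int text_element_is_decoded(void)
{
    struct val v = { (uint8_t *)B64_KEY, sizeof(B64_KEY) - 1 };
    struct element el = { 0, 1, &v };
    size_t len = 0;
    uint8_t *key = extract_key(&el, 0, 0, &len);
    int ok = key != NULL && len == sizeof(RAW_KEY) && memcmp(key, RAW_KEY, len) == 0;
    free(key);
    return ok;
}

/* Case 3: the pre-patch situation, binary bytes without the flag are fed to the
 * base64 decoder and rejected, so the key is silently lost. */
static int unflagged_binary_is_rejected(void)
{
    struct val v = { (uint8_t *)RAW_KEY, sizeof(RAW_KEY) };
    struct element el = { 0, 1, &v };
    size_t len = 0;
    uint8_t *key = extract_key(&el, 0, 0, &len);
    int rejected = (key == NULL);
    free(key);
    return rejected;
}

int main(void)
{
    printf("flagged binary passes through: %d\n", binary_element_passes_through());
    printf("base64 text is decoded:        %d\n", text_element_is_decoded());
    printf("unflagged binary is rejected:  %d\n", unflagged_binary_is_rejected());
    return 0;
}
```

The decoder is deliberately strict so that the third case fails the way the real responder would: a certificate-derived key blob starts with length-prefixed bytes that are never in the base64 alphabet, so without the flag the responder has no way to return it.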
From 24e86082032a4d0a6b9c66a1416fe9d0d9a765d3 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Thu, 16 Mar 2017 12:38:08 +0100 Subject: [PATCH 1/2] ssh: handle binary keys correctly Related to https://pagure.io/SSSD/sssd/issue/3332 --- src/responder/ssh/ssh_reply.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/responder/ssh/ssh_reply.c b/src/responder/ssh/ssh_reply.c index 807f4ee..7093e47 100644 --- a/src/responder/ssh/ssh_reply.c +++ b/src/responder/ssh/ssh_reply.c @@ -32,6 +32,11 @@ #include "responder/common/cache_req/cache_req.h" #include "responder/ssh/ssh_private.h" +/* Locally used flag for libldb's ldb_message_element structure to indicate + * binary data. Since the related data is only used in memory it is safe. If + * should be used with care if libldb's I/O operations are involved. */ +#define SSS_EL_FLAG_BIN_DATA (1<<4) + static errno_t get_valid_certs_keys(TALLOC_CTX *mem_ctx, struct ssh_ctx *ssh_ctx, struct ldb_message_element *el_cert, @@ -148,7 +153,7 @@ static errno_t decode_and_add_base64_data(struct sss_packet *packet, } for (d = 0; d < el->num_values; d++) { - if (skip_base64_decode) { + if (skip_base64_decode || (el->flags & SSS_EL_FLAG_BIN_DATA)) { key = el->values[d].data; key_len = el->values[d].length; } else { @@ -233,6 +238,7 @@ ssh_get_output_keys(TALLOC_CTX *mem_ctx, } if (elements[i] != NULL) { + elements[i]->flags |= SSS_EL_FLAG_BIN_DATA; num_keys += elements[i]->num_values; i++; } From fc5b0b04b71a517ca53d90eb90513800a2c06ff0 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Thu, 16 Mar 2017 13:00:48 +0100 Subject: [PATCH 2/2] ssh: add support for certificates from non-default views --- src/responder/ssh/ssh_reply.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/responder/ssh/ssh_reply.c b/src/responder/ssh/ssh_reply.c index 7093e47..1bb9d33 100644 --- a/src/responder/ssh/ssh_reply.c +++ b/src/responder/ssh/ssh_reply.c 
@@ -204,7 +204,7 @@ ssh_get_output_keys(TALLOC_CTX *mem_ctx, uint32_t i = 0; errno_t ret; - elements = talloc_zero_array(mem_ctx, struct ldb_message_element *, 5); + elements = talloc_zero_array(mem_ctx, struct ldb_message_element *, 6); if (elements == NULL) { return ENOMEM; } @@ -244,6 +244,24 @@ ssh_get_output_keys(TALLOC_CTX *mem_ctx, } } + if (DOM_HAS_VIEWS(domain)) { + user_cert = ldb_msg_find_element(msg, OVERRIDE_PREFIX SYSDB_USER_CERT); + if (user_cert != NULL) { + ret = get_valid_certs_keys(elements, ssh_ctx, user_cert, + &elements[i]); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_valid_certs_keys failed.\n"); + goto done; + } + + if (elements[i] != NULL) { + elements[i]->flags |= SSS_EL_FLAG_BIN_DATA; + num_keys += elements[i]->num_values; + i++; + } + } + } + *_elements = elements; *_num_keys = num_keys;
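Review bot: the comment above the new `SSS_EL_FLAG_BIN_DATA` define reads "If should be used with care", which should be "It should be used with care"; more importantly, the define claims bit `1<<4` of the same `flags` word that libldb itself interprets, so please confirm against the `LDB_FLAG_*` definitions in ldb.h that this bit is unused there and record that in the comment, because an overlap would only surface once one of these elements reaches a libldb I/O path, exactly the case the comment warns about.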
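Review bot: in decode_and_add_base64_data() the condition `if (skip_base64_decode || (el->flags & SSS_EL_FLAG_BIN_DATA))` merges two different reasons for skipping the decode without saying so; add a one-line comment that the flag marks in-memory elements built from certificates, and a unit test that feeds an element carrying the flag and raw key bytes containing 0x00, so the behaviour the first commit message promises ("handle binary keys correctly") is pinned down.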
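Review bot: `talloc_zero_array(mem_ctx, struct ldb_message_element *, 6)` bumps a bare magic number to make room for the new view-override element, while every later block writes `elements[i]` and does `i++` with no bounds check; tie the size to a named constant that counts the possible key sources (or assert `i < size` before each write) so the next added source cannot run past the array.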
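Review bot: the new `if (DOM_HAS_VIEWS(domain))` block repeats, line for line, the handling of the non-override certificate element just above it (get_valid_certs_keys, NULL check, `flags |= SSS_EL_FLAG_BIN_DATA`, `num_keys +=`, `i++`); factor that into a small static helper that takes the attribute name so the two cannot drift apart. The commit message should also state that keys from both the original certificate and the `OVERRIDE_PREFIX SYSDB_USER_CERT` override are returned together rather than the override replacing the original, since that is the view semantics a reviewer has to confirm and the PR body says it is unclear whether this path ever worked.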
_______________________________________________ sssd-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
