Changeset 445

Timestamp:

08/14/10 16:19:36 (22 months ago)

Author:

ludovic.rousseau

Message:

Patch for #239 and #240 (handle more than one cert/pattern matching)

Thanks to Wolf Geldmacher for the patch.
http://www.opensc-project.org/pipermail/opensc-devel/2010-June/014405.html

" Here's a patch to solve the issues I've encountered using pam_pkcs11.

In regards to #239 (pam_pkcs11 only looks at first certificate on
token):

The fix for this turns out to be somewhat problematic, and I'm not at
all sure, whether my implementation of the fix is a valid one.

The basic problem (as I understood it from analyzing the code) is that
finder functions of the mappers return a char*, allowing for a single
value (NULL) to signalize failure and return the key if no mapping (i.e.
no value associated with the key) was found (cf. comment for
mapfile_find in src/mappers/mapper.c). Thus a caller (i.e. find_user in
src/pam_pkcs11/mapper_mgr.c) cannot distinguish between a mapping or a
key being returned and thus will prematurely terminate on the first
certificate that passes the other validity tests.

The fix provided changes the finder function interface by requiring an
additional out parameter that is set to 1, if a real mapping value was
returned and remains unchanged otherwise. This fix breaks existing
loadable mappers.

I considered overloading of the value returned (e.g. having a
byte/substring as first character of the value returned to be able to
distinguish between a value and a key being returned) which would
preserve the interface to the mappers, but refrained from implementing
it that way as I believe this to be unclean and prone to difficult to
track errors.

Another solution I considered was the addition of another entry to the
structure encapsulating the mappers (e.g. a finder2 method), but as this
is no better in breaking the interface for loadable mappers and
duplicates code I forfeited this solution, too.

If somebody could look into the problem and come up with a solution that
preserves the interface to external mappers while allowing the
distinction between keys and values, I'd be more than happy to implement
it.

It might also may make sense to add a new configuration parameter for
the new behaviour of find_user, allowing existing applications to
continue to work with keys being returned instead of values (Feedback
anyone? The comment for find_user actually states that a mapping value
is returned).

In regards to #240 (Allow pattern matching in pam_pkcs11):

I restricted this to only work for mapfiles and the implementation
turned out to be quite simple - it's essentially an 11 line change in
src/mappers/mapper.c - and is triggered by the specification of a fully
anchored (i.e. *must* have initial "^{" and *must* end in "$") pattern as
key in a mapfile.}

This now allows syntax like
^{.*/serialNumber=xxx-xxx-xxx-xxx$ -> username
in all mapfiles.}

The patch attached contains the changes for both issues.

Cheers,
Wolf "

Location:

trunk/src

Files:

• mappers/cn_mapper.c (modified) (2 diffs)
• mappers/digest_mapper.c (modified) (2 diffs)
• mappers/generic_mapper.c (modified) (4 diffs)
• mappers/krb_mapper.c (modified) (2 diffs)
• mappers/ldap_mapper.c (modified) (2 diffs)
• mappers/mail_mapper.c (modified) (4 diffs)
• mappers/mapper.c (modified) (4 diffs)
• mappers/mapper.h (modified) (4 diffs)
• mappers/ms_mapper.c (modified) (2 diffs)
• mappers/null_mapper.c (modified) (1 diff)
• mappers/opensc_mapper.c (modified) (2 diffs)
• mappers/openssh_mapper.c (modified) (2 diffs)
• mappers/pwent_mapper.c (modified) (2 diffs)
• mappers/subject_mapper.c (modified) (2 diffs)
• mappers/uid_mapper.c (modified) (2 diffs)
• pam_pkcs11/mapper_mgr.c (modified) (1 diff)
• tools/pklogin_finder.c (modified) (1 diff)

trunk/src/mappers/cn_mapper.c

@@ -61 +61 @@
 parses the certificate and return the first CN entry found, or NULL
 */
-static char * cn_mapper_find_user(X509 *x509, void *context) {
+static char * cn_mapper_find_user(X509 *x509, void *context, int *match) {
         char *res;
         char **entries= cert_info(x509,CERT_CN,ALGORITHM_NULL);
@@ -69 +69 @@
         }
         DBG1("trying to map CN entry '%s'",entries[0]);
-        res = mapfile_find(mapfile,entries[0],ignorecase);
+        res = mapfile_find(mapfile,entries[0],ignorecase,match);
         if (!res) {
             DBG("Error in map process");

trunk/src/mappers/digest_mapper.c

@@ -58 +58 @@
 }
 
-static char * digest_mapper_find_user(X509 *x509, void *context) {
+static char * digest_mapper_find_user(X509 *x509, void *context, int *match) {
         char **entries;
         if ( !x509 ) {
@@ -66 +66 @@
         entries = cert_info(x509,CERT_DIGEST,algorithm);
         DBG1("find() Found digest '%s'",entries[0]);
-        return mapfile_find(mapfile,entries[0],1);
+        return mapfile_find(mapfile,entries[0],1,match);
 }
 

trunk/src/mappers/generic_mapper.c

@@ -56 +56 @@
 
 static char **get_mapped_entries(char **entries) {
+        int match = 0;
         char *entry;
         int n=0;
@@ -65 +66 @@
             DBG1("Using map file '%s'",mapfile);
             for(n=0, entry=entries[n]; entry; entry=entries[++n]) {
-                res = mapfile_find(mapfile,entry,ignorecase);
+                res = mapfile_find(mapfile,entry,ignorecase,&match);
                 if (res) entries[n]=res;
             }
@@ -83 +84 @@
 }
 
-static char *generic_mapper_find_user(X509 *x509, void *context) {
+static char *generic_mapper_find_user(X509 *x509, void *context, int *match) {
         char **entries;
         int n;
@@ -101 +102 @@
         for (n=0;n<CERT_INFO_SIZE;n++) {
             char *str=entries[n];
-            if (!str && !is_empty_str(str) ) return clone_str(str);
+            if (!str && !is_empty_str(str) ) {
+                *match = 1;
+                return clone_str(str);
+            }
         }
         /* arriving here means no map found */

trunk/src/mappers/krb_mapper.c

@@ -64 +64 @@
 parses the certificate and return the email entry found, or NULL
 */
-static char * krb_mapper_find_user(X509 *x509, void *context) {
+static char * krb_mapper_find_user(X509 *x509, void *context, int *match) {
         char *res;
         char **entries= cert_info(x509,CERT_KPN,ALGORITHM_NULL);
@@ -72 +72 @@
         }
         DBG1("trying to map kpn entry '%s'",entries[0]);
-        res = mapfile_find("none",entries[0],0);
+        res = mapfile_find("none",entries[0],0,match);
         if (!res) {
             DBG("Error in map process");

trunk/src/mappers/ldap_mapper.c

@@ -923 +923 @@
 }
 
-static char * ldap_mapper_find_user(X509 *x509, void *context) {
+static char * ldap_mapper_find_user(X509 *x509, void *context, int *match) {
         struct passwd *pw = NULL;
         char *found=NULL;
@@ -934 +934 @@
                 DBG1("Certificate maps to user '%s'",pw->pw_name);
                 found= clone_str(pw->pw_name);
+                *match = 1;
                 break;
             } else {

trunk/src/mappers/mail_mapper.c

@@ -107 +107 @@
 parses the certificate and return the email entry found, or NULL
 */
-static char * mail_mapper_find_user(X509 *x509, void *context) {
+static char * mail_mapper_find_user(X509 *x509, void *context, int *match) {
         char **entries= cert_info(x509,CERT_EMAIL,ALGORITHM_NULL);
         if (!entries) {
@@ -114 +114 @@
         }
         /* TODO: What's on ignoredomain flag ?*/
-        return mapfile_find(mapfile,entries[0],ignorecase);
+        return mapfile_find(mapfile,entries[0],ignorecase,match);
 }
 
@@ -122 +122 @@
 */
 static int mail_mapper_match_user(X509 *x509, const char *login, void *context) {
+        int match = 0;
         char *item;
         char *str;
@@ -132 +133 @@
         for (item=*entries;item;item=*++entries) {
             DBG1("Trying to match email entry '%s'",item);
-            str= mapfile_find(mapfile,item,ignorecase);
+            str= mapfile_find(mapfile,item,ignorecase,&match);
             if (!str) {
                 DBG("Mapping process failed");

trunk/src/mappers/mapper.c

@@ -32 +32 @@
 #include <string.h>
 #include <pwd.h>
+#include <regex.h>
 #include "../common/debug.h"
 #include "../common/error.h"
@@ -141 +142 @@
 * @param key  Key to search in mapfile
 * @param icase ignore case
+* @param match Set to 1 for mapped string return, unmodified for key return
 * @return mapped string on match, key on no match, NULL on error
 */
-char *mapfile_find(const char *file, char *key, int icase) {
+char *mapfile_find(const char *file, char *key, int icase, int *match) {
         struct mapfile *mfile;
-        int done=0;
         if ( (!key) || is_empty_str(key) ) {
                 DBG("key to map is null or empty");
@@ -162 +163 @@
         }
         while (get_mapent(mfile)) {
-            if ( (icase) && (!strcasecmp(key,mfile->key)) ) done=1;
-            if ( (!icase) && (!strcmp(key,mfile->key)) ) done=1;
+            int done = 0;
+            if (mfile->key[0]=='^' && mfile->key[strlen(mfile->key)-1]=='$') {
+                regex_t re;
+                DBG2("Trying RE '%s' match on '%s'",mfile->key,key);
+                if (regcomp(&re,mfile->key,(icase ? REG_ICASE : 0)|REG_NEWLINE)) {
+                    DBG2("RE '%s' in mapfile '%s' is invalid",mfile->key,file);
+                } else {
+                    done = !regexec(&re,key,0,NULL,0);
+                    regfree(&re);
+                }
+            } else if (icase)
+                done = !strcasecmp(key, mfile->key);
+            else
+                done = !strcmp(key, mfile->key);
+
             if (done) {
                 char *res=clone_str(mfile->value);
                 DBG2("Found mapfile match '%s' -> '%s'",key,mfile->value);
                 end_mapent(mfile);
+                *match = 1;
                 return res;
             }
@@ -187 +202 @@
 int mapfile_match(const char *file, char *key, const char *value, int icase) {
         int res;
-        char *str=mapfile_find(file,key,icase);
+        int match = 0;
+        char *str=mapfile_find(file,key,icase,&match);
         if (!str) return -1;
         if (icase) res= (!strcasecmp(str,value))? 1:0;

trunk/src/mappers/mapper.h

@@ -50 +50 @@
     char **(*entries)(X509 *x509, void *context);
     /** cert. login finder */
-    char *(*finder)(X509 *x509, void *context);
+    char *(*finder)(X509 *x509, void *context, int *match);
     /** cert-to-login matcher*/
     int (*matcher)(X509 *x509, const char *login, void *context);
@@ -126 +126 @@
 *@param key String to be mapped
 *@param ignorecase Flag to indicate upper/lowercase ignore in string compare
+*@param match Set to 1 for mapped string return, unmodified for key return
 *@return key on no match, else a clone_str()'d of found mapping
 */
-MAPPER_EXTERN char *mapfile_find(const char *file,char *key,int ignorecase);
+MAPPER_EXTERN char *mapfile_find(const char *file,char *key,int ignorecase,int *match);
 
 /**
@@ -185 +186 @@
 */
 #define _DEFAULT_MAPPER_FIND_USER                                       \
-static char * mapper_find_user(X509 *x509,void *context) {              \
+static char * mapper_find_user(X509 *x509,void *context,int *match) {           \
         if ( !x509 ) return NULL;                                       \
+        *match = 1;                                                     \
         return "nobody";                                                \
 }
@@ -202 +204 @@
 #define _DEFAULT_MAPPER_MATCH_USER                                      \
 static int mapper_match_user(X509 *x509, const char *login, void *context) { \
-        char *username= mapper_find_user(x509,context);                         \
+        int match = 0;                                                  \
+        char *username= mapper_find_user(x509,context,&match);          \
         if (!x509) return -1;                                           \
         if (!login) return -1;                                          \

trunk/src/mappers/ms_mapper.c

@@ -109 +109 @@
 parses the certificate and return the first valid UPN entry found, or NULL
 */
-static char * ms_mapper_find_user(X509 *x509, void *context) {
+static char * ms_mapper_find_user(X509 *x509, void *context, int *match) {
         char *str;
         char **entries  = cert_info(x509,CERT_UPN,ALGORITHM_NULL);
@@ -123 +123 @@
              if (res) {
                 DBG2("Found valid UPN: '%s' maps to '%s' ",str,res);
+                *match = 1;
                 return clone_str(res);
              } else {

trunk/src/mappers/null_mapper.c

@@ -44 +44 @@
 static int debug=0;
 
-static char * mapper_find_user(X509 *x509,void *context) {
+static char * mapper_find_user(X509 *x509,void *context,int *mp) {
         if ( !x509 ) return NULL;
-        return (match)?clone_str((char *)default_user):NULL;
+        if (match) {
+            *mp = 1;
+            return clone_str((char *)default_user);
+        }
+        return NULL;
 }
 

trunk/src/mappers/opensc_mapper.c

@@ -136 +136 @@
 their ${HOME}/.eid/authorized_certificates
 */
-static char * opensc_mapper_find_user(X509 *x509, void *context) {
+static char * opensc_mapper_find_user(X509 *x509, void *context, int *match) {
         int n = 0;
         struct passwd *pw = NULL;
@@ -156 +156 @@
             /* arriving here means user found */
             DBG1("Certificate match found for user '%s'",pw->pw_name);
-            res= clone_str(pw->pw_name);
-                    endpwent();
+            res = clone_str(pw->pw_name);
+            endpwent();
+            *match = 1;
             return res;
         } /* next login */

trunk/src/mappers/openssh_mapper.c

@@ -319 +319 @@
 parses the certificate and return the _first_ user that matches public key
 */
-static char * openssh_mapper_find_user(X509 *x509, void *context) {
+static char * openssh_mapper_find_user(X509 *x509, void *context, int *match) {
         int n = 0;
         struct passwd *pw = NULL;
@@ -345 +345 @@
             /* arriving here means user found */
             DBG1("Certificate match found for user '%s'",pw->pw_name);
-            res= clone_str(pw->pw_name);
+            res = clone_str(pw->pw_name);
             endpwent();
+            *match = 1;
             return res;
         } /* next login */

trunk/src/mappers/pwent_mapper.c

@@ -64 +64 @@
 parses the certificate and return the _first_ CN entry found, or NULL
 */
-static char * pwent_mapper_find_user(X509 *x509,void *context) {
+static char * pwent_mapper_find_user(X509 *x509,void *context, int *match) {
         char *str;
         char *found_user = NULL;
@@ -81 +81 @@
             } else {
                 DBG1("Found CN in pw database for user '%s'",found_user);
+                *match = 1;
+                /* WJG: Usually allocated mem is returned - memleak/problem? */
                 return found_user;
             }

trunk/src/mappers/subject_mapper.c

@@ -57 +57 @@
 parses the certificate and return the first Subject entry found, or NULL
 */
-static char * subject_mapper_find_user(X509 *x509, void *context) {
+static char * subject_mapper_find_user(X509 *x509, void *context, int *match) {
         char **entries = cert_info(x509,CERT_SUBJECT,ALGORITHM_NULL);
         if (!entries) {
@@ -63 +63 @@
                 return NULL;
         }
-        return mapfile_find(filename,entries[0],ignorecase);
+        return mapfile_find(filename,entries[0],ignorecase,match);
 }
 

trunk/src/mappers/uid_mapper.c

@@ -62 +62 @@
 If no UID found or map error, return NULL
 */
-static char * uid_mapper_find_user(X509 *x509, void *context) {
+static char * uid_mapper_find_user(X509 *x509, void *context, int *match) {
         char *res;
         char **entries= cert_info(x509,CERT_UID,ALGORITHM_NULL);
@@ -70 +70 @@
         }
         DBG1("trying to map uid entry '%s'",entries[0]);
-        res = mapfile_find(mapfile,entries[0],ignorecase);
+        res = mapfile_find(mapfile,entries[0],ignorecase,match);
         if (!res) {
             DBG("Error in map process");

trunk/src/pam_pkcs11/mapper_mgr.c

@@ -265 +265 @@
                 DBG1("Mapper '%s' has no find() function",item->module->module_name);
             } else {
-                set_debug_level(item->module->module_data->dbg_level);
-                login = (*item->module->module_data->finder)(x509,item->module->module_data->context);
+                        int match = 0;
+
+                        set_debug_level(item->module->module_data->dbg_level);
+                login = (*item->module->module_data->finder)(x509,item->module->module_data->context, &match);
                 set_debug_level(old_level);
-                if (login) return login;
+                DBG3("Mapper '%s' found %s, matched %d", item->module->module_name,login, match);
+                        if (login) {
+                                if (match)
+                                        return login;
+                                free(login);
+                        }
             }
             item=item->next;

trunk/src/tools/pklogin_finder.c

@@ -146 +146 @@
       user=find_user(x509);
       if (!user) {
-          DBG1("find_user() failed: %s", get_error());
-          break;
+          DBG2("find_user() failed for certificate #%d: %s", i + 1, get_error());
+          continue;     /* with next certificate */
       } else {
           DBG1("Certificate is valid and maps to user %s",user);