Hi!

FAST auth is broken for the OTP case, at least for FreeIPA, because krb5_child returns an empty SSS_OTP message as the last one in the buffer. This message never got processed by the krb5_child_handler because the message size (8 bytes) was triggering the check for buffer length and prematurely claiming that the whole buffer is malformed.

Fixes https://fedorahosted.org/sssd/ticket/2186 and now I have working ssh logons with two-factor authentication using the native FreeIPA OTP implementation and the FreeOTP Android app. Additionally, this patch makes clear how the ccache name is passed. It avoids looking into anything but the SSS_PAM_ENV_ITEM message.

--
/ Alexander Bokovoy

From 0aaea4153403d94ad2ff074b3b00a8b919900301 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <a...@samba.org> Date: Tue, 24 Dec 2013 13:01:46 +0200 Subject: [PATCH] FAST: when parsing krb5_child response, make sure to not miss OTP message if it was last one The last message in the stream might be with empty payload which means we get only message type and message length (0) returned, i.e. 8 bytes left remaining in the stream after processing preceding message. This makes our calculation at the end of a message processing loop incorrect -- p+2*sizeof(int32_t) can be equal to len, after all. Fixes FAST processing for FreeIPA native OTP case: https://fedorahosted.org/sssd/ticket/2186 --- src/providers/krb5/krb5_child_handler.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c index d582d3f..c872b40 100644 --- a/src/providers/krb5/krb5_child_handler.c +++ b/src/providers/krb5/krb5_child_handler.c @@ -548,8 +548,9 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len, * CCACHE_ENV_NAME"=". pref_len also counts the trailing '=' because * sizeof() counts the trailing '\0' of a string. */ pref_len = sizeof(CCACHE_ENV_NAME); - if (msg_len > pref_len && - strncmp((const char *) &buf[p], CCACHE_ENV_NAME"=", pref_len) == 0) { + if ((msg_type == SSS_PAM_ENV_ITEM) && + (msg_len > pref_len) && + (strncmp((const char *) &buf[p], CCACHE_ENV_NAME"=", pref_len) == 0)) { ccname = (char *) &buf[p+pref_len]; ccname_len = msg_len-pref_len; } @@ -600,7 +601,7 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len, p += msg_len; - if ((p < len) && (p + 2*sizeof(int32_t) >= len)) { + if ((p < len) && (p + 2*sizeof(int32_t) > len)) { DEBUG(SSSDBG_CRIT_FAILURE, ("The remainder of the message is too short.\n")); return EINVAL; -- 1.8.4.2
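
Review bot: the new `msg_type == SSS_PAM_ENV_ITEM` condition in the ccname test (first hunk, around line 548) is a behaviour change that the commit message does not mention; its subject and body only describe the tail-length comparison. Either split it into its own patch or add a sentence about it to the commit message, and extend the comment above `pref_len` to say that only SSS_PAM_ENV_ITEM payloads are checked for the `CCACHE_ENV_NAME"="` prefix.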
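
Review bot: in the tail check of the second hunk, `p + 2*sizeof(int32_t) > len` compares an unsigned `size_t` expression against `len`, which the function signature declares as `ssize_t`, so the result depends on implicit conversion. Consider making the conversion explicit, and add a short comment next to the check saying that a remainder of exactly `2*sizeof(int32_t)` bytes is a valid header-only message with zero-length payload, so the `>` is not turned back into `>=` later.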
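
The boundary condition described in the commit message above, as an added example that is not SSSD code: a minimal parser for a stream of (type, length, payload) records where a flag selects the pre-patch `>=` tail test or the patched `>`. The names `count_records` and `build_sample`, the host-byte-order layout and the sample buffer are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN (2 * sizeof(int32_t)) /* type + length, as in the patch */

/* Hypothetical helper, not the SSSD function. Walks a buffer of
 * (int32 type, int32 length, payload) records in host byte order and
 * returns the record count, or -1 if the buffer is malformed.
 * old_check != 0 applies the pre-patch ">=" tail test, 0 the patched ">". */
int count_records(const uint8_t *buf, size_t len, int old_check)
{
    size_t p = 0;
    int n = 0;
    while (p < len) {
        int32_t msg_len;
        if (len - p < HDR_LEN) return -1;            /* truncated header */
        memcpy(&msg_len, buf + p + sizeof(int32_t), sizeof(msg_len));
        p += HDR_LEN;
        if (msg_len < 0 || (size_t)msg_len > len - p) return -1;
        p += (size_t)msg_len;                        /* skip the payload */
        n++;
        /* Tail test: bytes left must hold at least one more header. */
        if (p < len && (old_check ? p + HDR_LEN >= len : p + HDR_LEN > len))
            return -1;
    }
    return n;
}

/* Constructed sample: a record with a 4-byte payload followed by a
 * header-only record (length 0), like the trailing empty OTP message. */
size_t build_sample(uint8_t *out)
{
    int32_t first[2] = { 1, 4 }, last[2] = { 2, 0 };
    memcpy(out, first, sizeof(first));
    memcpy(out + 8, "abcd", 4);
    memcpy(out + 12, last, sizeof(last));
    return 20;
}

int main(void)
{
    uint8_t buf[20];
    size_t len = build_sample(buf);
    printf("pre-patch: %d, patched: %d\n",
           count_records(buf, len, 1), count_records(buf, len, 0));
    return 0;
}
```

With the constructed buffer, the pre-patch comparison rejects the stream after the first record because exactly 8 bytes remain, while the patched comparison parses both records and still rejects a buffer cut one byte short.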