From d35f47a4e50feeb2b54c1621d0c2f5b15cd275eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Tue, 28 Feb 2017 11:47:32 +0100 Subject: [PATCH 85/90] secrets: allow to configure certificate check Some users may want to use TLS with unverified peer (for example if they use self-signed certificate) or if unverified hostname (if certificate hostname does not match with the real hostname). On the other side it may be useful to point to a directory containing custom certificate authorities. This patch add three new options to secrets responder: verify_peer => peer's certificate must be valid verify_host => hostnames must match capath => path to directory containing CA certs cacert => ca certificate cert => client certificate key => client private key Resolves: https://pagure.io/SSSD/sssd/issue/3192 Reviewed-by: Simo Sorce Reviewed-by: Jakub Hrozek (cherry picked from commit 720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417) --- src/config/SSSDConfig/__init__.py.in | 6 +++ src/config/cfg_rules.ini | 6 +++ src/config/etc/sssd.api.conf | 6 +++ src/man/sssd-secrets.5.xml | 76 ++++++++++++++++++++++++++++++++++++ src/responder/secrets/proxy.c | 55 ++++++++++++++++++++++++++ 5 files changed, 149 insertions(+) diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 211338778e81c1c60ffb3cdbc67c9619343d7798..75515ab5c68822538728900482296b9159e1547e 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -137,6 +137,12 @@ option_strings = { 'forward_headers': _('The list of the headers to forward to the Custodia server together with the request'), 'username': _('The username to use when authenticating to a Custodia server using basic_auth'), 'password': _('The password to use when authenticating to a Custodia server using basic_auth'), + 'verify_peer': _('If true peer\'s certificate is verified if proxy_url uses https protocol'), + 'verify_host': _('If false peer\'s certificate may contain different hostname then proxy_url when https protocol is used'), + 'capath': _('Path to directory where certificate authority certificates are stored'), + 'cacert': _('Path to file containing server\'s CA certificate'), + 'cert': _('Path to file containing client\'s certificate'), + 'key': _('Path to file containing client\'s private key'), # [provider] 'id_provider' : _('Identity provider'), diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 1a749db754cedd87f263f7ae596d6f8238bb4357..e47ff33242d6a9e5979fe0eb8eea14c2af28685a 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -265,6 +265,12 @@ option = auth_header_value option = forward_headers option = username option = password +option = verify_peer +option = verify_host +option = capath +option = cacert +option = cert +option = key # KCM responder [rule/allowed_kcm_options] diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index a1a0c2992925a4c7df86832117eec2a0cf7894c9..f86589ecefa0b9e046aba781ded107f8e94395d6 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -114,6 +114,12 @@ auth_header_value = str, None, false forward_headers = list, None, false username = str, None, false password = str, None, false +verify_peer = bool, None, false +verify_host = bool, None, false +capath = str, None, false +cacert = str, None, false +cert = str, None, false +key = str, None, false [provider] #Available provider types diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml index 80e9c405921e1fb46a3d172d9873deebfa5ed2ce..44a86c3fb56a8bdebebd01e9f49ad171986282a4 100644 --- a/src/man/sssd-secrets.5.xml +++ b/src/man/sssd-secrets.5.xml @@ -273,6 +273,82 @@ systemctl enable sssd-secrets.service + + verify_peer (boolean) + + + Whether peer's certificate should be verified and valid + if HTTPS protocol is used with the proxy provider. + + + Default: true + + + + + verify_host (boolean) + + + Whether peer's hostname must match with hostname in + its certificate if HTTPS protocol is used with the + proxy provider. + + + Default: true + + + + + capath (string) + + + Path to directory containing stored certificate authority + certificates. System default path is used if this option is + not set. + + + Default: not set + + + + + cacert (string) + + + Path to file containing server's certificate authority + certificate. If this option is not set then the CA's + certificate is looked up in capath. + + + Default: not set + + + + + cert (string) + + + Path to file containing client's certificate if required + by the server. This file may also contain private key or + the private key may be in separate file set with + key. + + + Default: not set + + + + + key (string) + + + Path to file containing client's private key. + + + Default: not set + + + diff --git a/src/responder/secrets/proxy.c b/src/responder/secrets/proxy.c index 3c495716010ac468c9e2f1fb6356529a8dbdc614..240a1de1e431d511a1eca24d8b463c37ba893e7b 100644 --- a/src/responder/secrets/proxy.c +++ b/src/responder/secrets/proxy.c @@ -59,6 +59,13 @@ struct proxy_cfg { struct pat_basic_auth basic; struct pat_header header; } auth; + + char *key; + char *cert; + char *cacert; + char *capath; + bool verify_peer; + bool verify_host; }; static int proxy_get_config_string(struct proxy_context *pctx, @@ -129,6 +136,38 @@ static int proxy_sec_get_cfg(struct proxy_context *pctx, } } + ret = confdb_get_bool(pctx->cdb, secreq->cfg_section, "verify_peer", + true, &cfg->verify_peer); + if (ret) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, "verify_peer: %s\n", + (&cfg->verify_peer ? "true" : "false")); + + ret = confdb_get_bool(pctx->cdb, secreq->cfg_section, "verify_host", + true, &cfg->verify_host); + if (ret) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, "verify_host: %s\n", + (&cfg->verify_host ? "true" : "false")); + + ret = proxy_get_config_string(pctx, cfg, false, secreq, + "capath", &cfg->capath); + if (ret) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, "capath: %s\n", cfg->capath); + + ret = proxy_get_config_string(pctx, cfg, false, secreq, + "cacert", &cfg->cacert); + if (ret) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, "cacert: %s\n", cfg->cacert); + + ret = proxy_get_config_string(pctx, cfg, false, secreq, + "cert", &cfg->cert); + if (ret) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, "cert: %s\n", cfg->cert); + + ret = proxy_get_config_string(pctx, cfg, false, secreq, + "key", &cfg->key); + if (ret) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, "key: %s\n", cfg->key); + ret = confdb_get_string_as_list(pctx->cdb, cfg, secreq->cfg_section, "forward_headers", &cfg->fwd_headers); if ((ret != 0) && (ret != ENOENT)) goto done; @@ -385,6 +424,22 @@ static errno_t proxy_http_create_request(TALLOC_CTX *mem_ctx, goto done; } + /* Set TLS settings to verify peer. + * This has no effect for HTTP protocol so we can set it anyway. */ + ret = tcurl_req_verify_peer(tcurl_req, pcfg->capath, pcfg->cacert, + pcfg->verify_peer, pcfg->verify_host); + if (ret != EOK) { + goto done; + } + + /* Set client's certificate if required. */ + if (pcfg->cert != NULL) { + ret = tcurl_req_set_client_cert(tcurl_req, pcfg->cert, pcfg->key); + if (ret != EOK) { + goto done; + } + } + talloc_steal(tcurl_req, body); *_tcurl_req = talloc_steal(mem_ctx, tcurl_req); -- 2.9.3