dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0098-PAM-only-allow-missing-user-name-for-certificate-aut.patch

6cf099
From 63c52299e122a05e7b25b5ee94b528fe64a6c6ef Mon Sep 17 00:00:00 2001
6cf099
From: Sumit Bose <sbose@redhat.com>
6cf099
Date: Thu, 1 Oct 2015 10:10:22 +0200
6cf099
Subject: [PATCH 98/99] PAM: only allow missing user name for certificate
6cf099
 authentication
6cf099
MIME-Version: 1.0
6cf099
Content-Type: text/plain; charset=UTF-8
6cf099
Content-Transfer-Encoding: 8bit
6cf099
6cf099
Resolves:
6cf099
https://fedorahosted.org/sssd/ticket/2811
6cf099
6cf099
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
6cf099
(cherry picked from commit 2e76b32e74abedb23665808bacc73cafd1097c37)
6cf099
(cherry picked from commit ba9d5c0456a2fbb9adf9b4b4dffbfb190628a273)
6cf099
---
6cf099
 src/responder/pam/pamsrv_cmd.c  | 12 +++++++++---
6cf099
 src/tests/cmocka/test_pam_srv.c | 41 +++++++++++++++++++++++++++++++++++++++++
6cf099
 2 files changed, 50 insertions(+), 3 deletions(-)
6cf099
6cf099
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
6cf099
index aa5c20906a36351e425304122517c81676e730b7..ae14b9287268ffb36500b0cfdb38e69adb0ecce9 100644
6cf099
--- a/src/responder/pam/pamsrv_cmd.c
6cf099
+++ b/src/responder/pam/pamsrv_cmd.c
6cf099
@@ -962,11 +962,13 @@ static errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *p
6cf099
     } else {
6cf099
         /* Only SSS_PAM_PREAUTH request may have a missing name, e.g. if the
6cf099
          * name is determined with the help of a certificate */
6cf099
-        if (pd->cmd == SSS_PAM_PREAUTH) {
6cf099
+        if (pd->cmd == SSS_PAM_PREAUTH
6cf099
+                && may_do_cert_auth(talloc_get_type(cctx->rctx->pvt_ctx,
6cf099
+                                                    struct pam_ctx), pd)) {
6cf099
             ret = EOK;
6cf099
         } else {
6cf099
             DEBUG(SSSDBG_CRIT_FAILURE, "Missing logon name in PAM request.\n");
6cf099
-            ret = EINVAL;
6cf099
+            ret = ERR_NO_CREDS;
6cf099
             goto done;
6cf099
         }
6cf099
     }
6cf099
@@ -1076,7 +1078,6 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
6cf099
         }
6cf099
         goto done;
6cf099
     } else if (ret != EOK) {
6cf099
-        ret = EINVAL;
6cf099
         goto done;
6cf099
     }
6cf099
 
6cf099
@@ -1597,6 +1598,11 @@ static int pam_check_user_done(struct pam_auth_req *preq, int ret)
6cf099
         pam_reply(preq);
6cf099
         break;
6cf099
 
6cf099
+    case ERR_NO_CREDS:
6cf099
+        preq->pd->pam_status = PAM_CRED_INSUFFICIENT;
6cf099
+        pam_reply(preq);
6cf099
+        break;
6cf099
+
6cf099
     default:
6cf099
         preq->pd->pam_status = PAM_SYSTEM_ERR;
6cf099
         pam_reply(preq);
6cf099
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
6cf099
index 3c70c599060e09125ab5b73ce3d2698eaa3006bd..0ae2554032d28329ebb1d6ad09cfd859cf9b4260 100644
6cf099
--- a/src/tests/cmocka/test_pam_srv.c
6cf099
+++ b/src/tests/cmocka/test_pam_srv.c
6cf099
@@ -596,6 +596,23 @@ static int test_pam_wrong_pw_offline_auth_check(uint32_t status,
6cf099
     return test_pam_simple_check(status, body, blen);
6cf099
 }
6cf099
 
6cf099
+static int test_pam_creds_insufficient_check(uint32_t status,
6cf099
+                                             uint8_t *body, size_t blen)
6cf099
+{
6cf099
+    size_t rp = 0;
6cf099
+    uint32_t val;
6cf099
+
6cf099
+    assert_int_equal(status, 0);
6cf099
+
6cf099
+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
6cf099
+    assert_int_equal(val, PAM_CRED_INSUFFICIENT);
6cf099
+
6cf099
+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
6cf099
+    assert_int_equal(val, 0);
6cf099
+
6cf099
+    return EOK;
6cf099
+}
6cf099
+
6cf099
 static int test_pam_user_unknown_check(uint32_t status,
6cf099
                                        uint8_t *body, size_t blen)
6cf099
 {
6cf099
@@ -1100,6 +1117,25 @@ void test_pam_offline_chauthtok(void **state)
6cf099
     assert_int_equal(ret, EOK);
6cf099
 }
6cf099
 
6cf099
+void test_pam_preauth_no_logon_name(void **state)
6cf099
+{
6cf099
+    int ret;
6cf099
+
6cf099
+    mock_input_pam_cert(pam_test_ctx, NULL, NULL);
6cf099
+
6cf099
+    will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
6cf099
+    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
6cf099
+
6cf099
+    set_cmd_cb(test_pam_creds_insufficient_check);
6cf099
+    ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
6cf099
+                          pam_test_ctx->pam_cmds);
6cf099
+    assert_int_equal(ret, EOK);
6cf099
+
6cf099
+    /* Wait until the test finishes with EOK */
6cf099
+    ret = test_ev_loop(pam_test_ctx->tctx);
6cf099
+    assert_int_equal(ret, EOK);
6cf099
+}
6cf099
+
6cf099
 static void set_cert_auth_param(struct pam_ctx *pctx, const char *dbpath)
6cf099
 {
6cf099
     pam_test_ctx->pctx->cert_auth = true;
6cf099
@@ -1405,6 +1441,8 @@ int main(int argc, const char *argv[])
6cf099
                                         pam_test_setup, pam_test_teardown),
6cf099
         cmocka_unit_test_setup_teardown(test_pam_offline_chauthtok,
6cf099
                                         pam_test_setup, pam_test_teardown),
6cf099
+/* p11_child is not built without NSS */
6cf099
+#ifdef HAVE_NSS
6cf099
         cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nocert,
6cf099
                                         pam_test_setup, pam_test_teardown),
6cf099
         cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nomatch,
6cf099
@@ -1422,6 +1460,9 @@ int main(int argc, const char *argv[])
6cf099
                                    pam_test_setup, pam_test_teardown),
6cf099
         cmocka_unit_test_setup_teardown(test_pam_cert_auth,
6cf099
                                         pam_test_setup, pam_test_teardown),
6cf099
+        cmocka_unit_test_setup_teardown(test_pam_preauth_no_logon_name,
6cf099
+                                        pam_test_setup, pam_test_teardown),
6cf099
+#endif
6cf099
     };
6cf099
 
6cf099
     /* Set debug level to invalid value so we can deside if -d 0 was used. */
6cf099
-- 
6cf099
2.4.3
6cf099