|
 |
b2d430 |
From 5000ad4c45d3cfb4ffa0d76d291c8b1b6c49b02b Mon Sep 17 00:00:00 2001
|
|
|
b2d430 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
b2d430 |
Date: Wed, 31 Aug 2016 14:32:31 +0200
|
|
|
b2d430 |
Subject: [PATCH 141/143] p11: only set PKCS11_LOGIN_TOKEN_NAME if
|
|
|
b2d430 |
gdm-smartcard is used
|
|
|
b2d430 |
|
|
|
b2d430 |
Resolves https://fedorahosted.org/sssd/ticket/3165
|
|
|
b2d430 |
|
|
|
b2d430 |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
b2d430 |
(cherry picked from commit 71cd9f98150577224559bdc12c53c01ce6f2c3d9)
|
|
|
b2d430 |
---
|
|
|
b2d430 |
src/responder/pam/pamsrv_p11.c | 33 +++++++++------
|
|
|
b2d430 |
src/tests/cmocka/test_pam_srv.c | 89 +++++++++++++++++++++++++++++++++++------
|
|
|
b2d430 |
2 files changed, 97 insertions(+), 25 deletions(-)
|
|
|
b2d430 |
|
|
|
b2d430 |
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
|
|
b2d430 |
index a2514f6a1d699de3a245063f49db1b7e51a2b10b..22da33067d5c479153376927855dcd6b43322d8b 100644
|
|
|
b2d430 |
--- a/src/responder/pam/pamsrv_p11.c
|
|
|
b2d430 |
+++ b/src/responder/pam/pamsrv_p11.c
|
|
|
b2d430 |
@@ -505,7 +505,11 @@ errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
|
|
|
b2d430 |
}
|
|
|
b2d430 |
|
|
|
b2d430 |
/* The PKCS11_LOGIN_TOKEN_NAME environment variable is e.g. used by the Gnome
|
|
|
b2d430 |
- * Settings Daemon to determine the name of the token used for login */
|
|
|
b2d430 |
+ * Settings Daemon to determine the name of the token used for login but it
|
|
|
b2d430 |
+ * should be only set if SSSD is called by gdm-smartcard. Otherwise desktop
|
|
|
b2d430 |
+ * components might assume that gdm-smartcard PAM stack is configured
|
|
|
b2d430 |
+ * correctly which might not be the case e.g. if Smartcard authentication was
|
|
|
b2d430 |
+ * used when running gdm-password. */
|
|
|
b2d430 |
#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
|
|
|
b2d430 |
|
|
|
b2d430 |
errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
|
|
b2d430 |
@@ -553,19 +557,22 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
|
|
b2d430 |
return ret;
|
|
|
b2d430 |
}
|
|
|
b2d430 |
|
|
|
b2d430 |
- env = talloc_asprintf(pd, "%s=%s", PKCS11_LOGIN_TOKEN_ENV_NAME, token_name);
|
|
|
b2d430 |
- if (env == NULL) {
|
|
|
b2d430 |
- DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
|
|
|
b2d430 |
- return ENOMEM;
|
|
|
b2d430 |
- }
|
|
|
b2d430 |
+ if (strcmp(pd->service, "gdm-smartcard") == 0) {
|
|
|
b2d430 |
+ env = talloc_asprintf(pd, "%s=%s", PKCS11_LOGIN_TOKEN_ENV_NAME,
|
|
|
b2d430 |
+ token_name);
|
|
|
b2d430 |
+ if (env == NULL) {
|
|
|
b2d430 |
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
|
|
|
b2d430 |
+ return ENOMEM;
|
|
|
b2d430 |
+ }
|
|
|
b2d430 |
|
|
|
b2d430 |
- ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(env) + 1,
|
|
|
b2d430 |
- (uint8_t *)env);
|
|
|
b2d430 |
- talloc_free(env);
|
|
|
b2d430 |
- if (ret != EOK) {
|
|
|
b2d430 |
- DEBUG(SSSDBG_OP_FAILURE,
|
|
|
b2d430 |
- "pam_add_response failed to add environment variable.\n");
|
|
|
b2d430 |
- return ret;
|
|
|
b2d430 |
+ ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(env) + 1,
|
|
|
b2d430 |
+ (uint8_t *)env);
|
|
|
b2d430 |
+ talloc_free(env);
|
|
|
b2d430 |
+ if (ret != EOK) {
|
|
|
b2d430 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
b2d430 |
+ "pam_add_response failed to add environment variable.\n");
|
|
|
b2d430 |
+ return ret;
|
|
|
b2d430 |
+ }
|
|
|
b2d430 |
}
|
|
|
b2d430 |
|
|
|
b2d430 |
return ret;
|
|
|
b2d430 |
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
|
|
b2d430 |
index 5de092d0f19318d1d6c773355dbb38e345600133..02199e6f121cab0784389256cdaac38baf9d73e3 100644
|
|
|
b2d430 |
--- a/src/tests/cmocka/test_pam_srv.c
|
|
|
b2d430 |
+++ b/src/tests/cmocka/test_pam_srv.c
|
|
|
b2d430 |
@@ -554,7 +554,7 @@ static void mock_input_pam(TALLOC_CTX *mem_ctx, const char *name,
|
|
|
b2d430 |
}
|
|
|
b2d430 |
|
|
|
b2d430 |
static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
|
|
|
b2d430 |
- const char *pin)
|
|
|
b2d430 |
+ const char *pin, const char *service)
|
|
|
b2d430 |
{
|
|
|
b2d430 |
size_t buf_size;
|
|
|
b2d430 |
uint8_t *m_buf;
|
|
|
b2d430 |
@@ -576,7 +576,7 @@ static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
|
|
|
b2d430 |
pi.pam_authtok_type = SSS_AUTHTOK_TYPE_SC_PIN;
|
|
|
b2d430 |
}
|
|
|
b2d430 |
|
|
|
b2d430 |
- pi.pam_service = "login";
|
|
|
b2d430 |
+ pi.pam_service = service == NULL ? "login" : service;
|
|
|
b2d430 |
pi.pam_service_size = strlen(pi.pam_service) + 1;
|
|
|
b2d430 |
pi.pam_tty = "/dev/tty";
|
|
|
b2d430 |
pi.pam_tty_size = strlen(pi.pam_tty) + 1;
|
|
|
b2d430 |
@@ -626,7 +626,8 @@ static int test_pam_simple_check(uint32_t status, uint8_t *body, size_t blen)
|
|
|
b2d430 |
|
|
|
b2d430 |
#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
|
|
|
b2d430 |
|
|
|
b2d430 |
-static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
|
|
b2d430 |
+static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
|
|
|
b2d430 |
+ size_t blen)
|
|
|
b2d430 |
{
|
|
|
b2d430 |
size_t rp = 0;
|
|
|
b2d430 |
uint32_t val;
|
|
|
b2d430 |
@@ -675,6 +676,44 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
|
|
b2d430 |
return EOK;
|
|
|
b2d430 |
}
|
|
|
b2d430 |
|
|
|
b2d430 |
+static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
|
|
b2d430 |
+{
|
|
|
b2d430 |
+ size_t rp = 0;
|
|
|
b2d430 |
+ uint32_t val;
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ assert_int_equal(status, 0);
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
|
b2d430 |
+ assert_int_equal(val, pam_test_ctx->exp_pam_status);
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
|
b2d430 |
+ assert_int_equal(val, 2);
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
|
b2d430 |
+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
|
b2d430 |
+ assert_int_equal(val, 9);
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ assert_int_equal(*(body + rp + val - 1), 0);
|
|
|
b2d430 |
+ assert_string_equal(body + rp, TEST_DOM_NAME);
|
|
|
b2d430 |
+ rp += val;
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
|
b2d430 |
+ assert_int_equal(val, SSS_PAM_CERT_INFO);
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
|
b2d430 |
+ assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
|
|
|
b2d430 |
+ assert_string_equal(body + rp, "pamuser");
|
|
|
b2d430 |
+ rp += sizeof("pamuser");
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
|
|
|
b2d430 |
+ assert_string_equal(body + rp, TEST_TOKEN_NAME);
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ return EOK;
|
|
|
b2d430 |
+}
|
|
|
b2d430 |
|
|
|
b2d430 |
static int test_pam_offline_chauthtok_check(uint32_t status,
|
|
|
b2d430 |
uint8_t *body, size_t blen)
|
|
|
b2d430 |
@@ -1438,7 +1477,7 @@ void test_pam_preauth_no_logon_name(void **state)
|
|
|
b2d430 |
{
|
|
|
b2d430 |
int ret;
|
|
|
b2d430 |
|
|
|
b2d430 |
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
|
|
|
b2d430 |
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
|
|
|
b2d430 |
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
|
b2d430 |
@@ -1465,7 +1504,7 @@ void test_pam_preauth_cert_nocert(void **state)
|
|
|
b2d430 |
|
|
|
b2d430 |
set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
|
|
|
b2d430 |
|
|
|
b2d430 |
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
|
|
|
b2d430 |
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
|
|
|
b2d430 |
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
|
b2d430 |
@@ -1544,7 +1583,7 @@ void test_pam_preauth_cert_nomatch(void **state)
|
|
|
b2d430 |
|
|
|
b2d430 |
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
|
|
|
b2d430 |
|
|
|
b2d430 |
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
|
|
|
b2d430 |
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
|
|
|
b2d430 |
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
|
b2d430 |
@@ -1566,7 +1605,7 @@ void test_pam_preauth_cert_match(void **state)
|
|
|
b2d430 |
|
|
|
b2d430 |
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
|
|
|
b2d430 |
|
|
|
b2d430 |
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
|
|
|
b2d430 |
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
|
|
|
b2d430 |
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
|
b2d430 |
@@ -1583,13 +1622,37 @@ void test_pam_preauth_cert_match(void **state)
|
|
|
b2d430 |
assert_int_equal(ret, EOK);
|
|
|
b2d430 |
}
|
|
|
b2d430 |
|
|
|
b2d430 |
+/* Test if PKCS11_LOGIN_TOKEN_NAME is added for the gdm-smartcard service */
|
|
|
b2d430 |
+void test_pam_preauth_cert_match_gdm_smartcard(void **state)
|
|
|
b2d430 |
+{
|
|
|
b2d430 |
+ int ret;
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, "gdm-smartcard");
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
|
b2d430 |
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
|
b2d430 |
+ mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb,
|
|
|
b2d430 |
+ discard_const(TEST_TOKEN_CERT));
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ set_cmd_cb(test_pam_cert_check_gdm_smartcard);
|
|
|
b2d430 |
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
|
|
|
b2d430 |
+ pam_test_ctx->pam_cmds);
|
|
|
b2d430 |
+ assert_int_equal(ret, EOK);
|
|
|
b2d430 |
+
|
|
|
b2d430 |
+ /* Wait until the test finishes with EOK */
|
|
|
b2d430 |
+ ret = test_ev_loop(pam_test_ctx->tctx);
|
|
|
b2d430 |
+ assert_int_equal(ret, EOK);
|
|
|
b2d430 |
+}
|
|
|
b2d430 |
+
|
|
|
b2d430 |
void test_pam_preauth_cert_match_wrong_user(void **state)
|
|
|
b2d430 |
{
|
|
|
b2d430 |
int ret;
|
|
|
b2d430 |
|
|
|
b2d430 |
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
|
|
|
b2d430 |
|
|
|
b2d430 |
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
|
|
|
b2d430 |
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
|
|
|
b2d430 |
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
|
b2d430 |
@@ -1613,7 +1676,7 @@ void test_pam_preauth_cert_no_logon_name(void **state)
|
|
|
b2d430 |
|
|
|
b2d430 |
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
|
|
|
b2d430 |
|
|
|
b2d430 |
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
|
|
|
b2d430 |
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
|
|
|
b2d430 |
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
|
b2d430 |
@@ -1636,7 +1699,7 @@ void test_pam_preauth_no_cert_no_logon_name(void **state)
|
|
|
b2d430 |
|
|
|
b2d430 |
set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
|
|
|
b2d430 |
|
|
|
b2d430 |
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
|
|
|
b2d430 |
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
|
|
|
b2d430 |
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
|
b2d430 |
@@ -1657,7 +1720,7 @@ void test_pam_preauth_cert_no_logon_name_no_match(void **state)
|
|
|
b2d430 |
|
|
|
b2d430 |
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
|
|
|
b2d430 |
|
|
|
b2d430 |
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
|
|
|
b2d430 |
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
|
|
|
b2d430 |
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
|
b2d430 |
@@ -1679,7 +1742,7 @@ void test_pam_cert_auth(void **state)
|
|
|
b2d430 |
|
|
|
b2d430 |
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
|
|
|
b2d430 |
|
|
|
b2d430 |
- mock_input_pam_cert(pam_test_ctx, "pamuser", "123456");
|
|
|
b2d430 |
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", NULL);
|
|
|
b2d430 |
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
|
|
|
b2d430 |
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
|
b2d430 |
@@ -1790,6 +1853,8 @@ int main(int argc, const char *argv[])
|
|
|
b2d430 |
pam_test_setup, pam_test_teardown),
|
|
|
b2d430 |
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match,
|
|
|
b2d430 |
pam_test_setup, pam_test_teardown),
|
|
|
b2d430 |
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match_gdm_smartcard,
|
|
|
b2d430 |
+ pam_test_setup, pam_test_teardown),
|
|
|
b2d430 |
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match_wrong_user,
|
|
|
b2d430 |
pam_test_setup, pam_test_teardown),
|
|
|
b2d430 |
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_no_logon_name,
|
|
|
b2d430 |
--
|
|
|
b2d430 |
2.7.4
|
|
|
b2d430 |
|