From e87e0059520de24047e8448a5b417393adc6c5b4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 16 Sep 2016 11:47:40 +0200
Subject: [PATCH 142/143] p11: return a fully-qualified name
Related to https://fedorahosted.org/sssd/ticket/3165
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3649b959709f1ab187092f054d4aace0798c98fa)
---
src/responder/pam/pamsrv_p11.c | 20 +++++++++-----------
src/tests/cmocka/test_pam_srv.c | 16 ++++++++--------
2 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 22da33067d5c479153376927855dcd6b43322d8b..570bfe09d4385a038e7e03fcb64c72dd794774a6 100644
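--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -521,33 +521,31 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
 size_t msg_len;
 size_t slot_len;
 int ret;
- char *username;
 
 if (sysdb_username == NULL || token_name == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Missing mandatory user or slot name.\n");
 return EINVAL;
 }
 
- ret = sss_parse_internal_fqname(pd, sysdb_username, &username, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot parse [%s]\n", sysdb_username);
- return ret;
- }
-
- user_len = strlen(username) + 1;
+ user_len = strlen(sysdb_username) + 1;
 slot_len = strlen(token_name) + 1;
 msg_len = user_len + slot_len;
 
 msg = talloc_zero_size(pd, msg_len);
 if (msg == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n");
- talloc_free(username);
 return ENOMEM;
 }
 
- memcpy(msg, username, user_len);
+ /* sysdb_username is a fully-qualified name which is used by pam_sss when
+ * prompting the user for the PIN and as login name if it wasn't set by
+ * the PAM caller but has to be determined based on the inserted
+ * Smartcard. If this type of name is irritating at the PIN prompt or the
+ * re_expression config option was set in a way that user@domain cannot be
+ * handled anymore some more logic has to be added here. But for the time
+ * being I think using sysdb_username is fine. */
+ memcpy(msg, sysdb_username, user_len);
 memcpy(msg + user_len, token_name, slot_len);
- talloc_free(username);
 
 ret = pam_add_response(pd, SSS_PAM_CERT_INFO, msg_len, msg);
 talloc_free(msg);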
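Review bot: The comment added above `memcpy(msg, sysdb_username, user_len)` names a known gap, a `re_expression` setting that cannot handle `user@domain`, but ends in a first-person opinion instead of a stated constraint, and nothing in the hunk detects or logs that case. Since pam_sss uses this string as the login name when the PAM caller did not set one, a name that cannot be parsed back should fail the login rather than resolve to a different account; that behaviour is not visible here and is worth confirming on the client side. I would replace the last sentence of the comment with `* TODO: sysdb_username is the internal name@domain form; revisit if re_expression cannot parse it (ticket 3165). */`. The function starts before the hunk and its return lies after it.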
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 02199e6f121cab0784389256cdaac38baf9d73e3..4b2dea4be6a819b23afd243ba99cd9bd57c16c20 100644
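--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -664,11 +664,11 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
 assert_int_equal(val, SSS_PAM_CERT_INFO);
 
 SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
- assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
+ assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
 
- assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
- assert_string_equal(body + rp, "pamuser");
- rp += sizeof("pamuser");
+ assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
+ assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
+ rp += sizeof("pamuser@"TEST_DOM_NAME);
 
 assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
 assert_string_equal(body + rp, TEST_TOKEN_NAME);
@@ -703,11 +703,11 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
 assert_int_equal(val, SSS_PAM_CERT_INFO);
 
 SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
- assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
+ assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
 
- assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
- assert_string_equal(body + rp, "pamuser");
- rp += sizeof("pamuser");
+ assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
+ assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
+ rp += sizeof("pamuser@"TEST_DOM_NAME);
 
 assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
 assert_string_equal(body + rp, TEST_TOKEN_NAME);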
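Review bot: The literal `"pamuser@"TEST_DOM_NAME` now appears four times in the `test_pam_cert_check_gdm_smartcard` hunk and four more in the `test_pam_cert_check` hunk, so a later change to the expected name form has eight places to drift apart. One definition, for example `#define TEST_FQ_USER "pamuser@"TEST_DOM_NAME`, used in both hunks would keep the length and string assertions in step. Within the visible lines the reads at `body + rp + sizeof(...) - 1` are not compared with `blen`; if no earlier check exists outside the hunks, `assert_true(rp + val <= blen);` after the length assertion would make a short reply fail cleanly instead of reading past the buffer. Both functions start before and continue after their hunks.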
--
2.7.4