Blame SOURCES/0157-add_pam_cert_response-add-support-for-SSS_PAM_CERT_I.patch

bb7cd1
From c5c6ba2546d350a7a01a9f44bb5df9c6652a1e06 Mon Sep 17 00:00:00 2001
bb7cd1
From: Sumit Bose <sbose@redhat.com>
bb7cd1
Date: Mon, 8 May 2017 16:02:36 +0200
bb7cd1
Subject: [PATCH 157/160] add_pam_cert_response: add support for
bb7cd1
 SSS_PAM_CERT_INFO_WITH_HINT
bb7cd1
MIME-Version: 1.0
bb7cd1
Content-Type: text/plain; charset=UTF-8
bb7cd1
Content-Transfer-Encoding: 8bit
bb7cd1
bb7cd1
Related to https://pagure.io/SSSD/sssd/issue/3395
bb7cd1
bb7cd1
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
bb7cd1
(cherry picked from commit 6073cfc40747cd6d3142f0f98b880fc390dd7aad)
bb7cd1
---
bb7cd1
 src/responder/pam/pamsrv.h     |  2 +-
bb7cd1
 src/responder/pam/pamsrv_cmd.c |  3 ++-
bb7cd1
 src/responder/pam/pamsrv_p11.c | 21 +++++++++++++++------
bb7cd1
 3 files changed, 18 insertions(+), 8 deletions(-)
bb7cd1
bb7cd1
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
bb7cd1
index b569748fe2a2005cee5df34bef55e803175492a9..57a37b72594f030995f5e22255eb7a8fcd63d10e 100644
bb7cd1
--- a/src/responder/pam/pamsrv.h
bb7cd1
+++ b/src/responder/pam/pamsrv.h
bb7cd1
@@ -101,7 +101,7 @@ errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
bb7cd1
 
bb7cd1
 errno_t add_pam_cert_response(struct pam_data *pd, const char *user,
bb7cd1
                               const char *token_name, const char *module_name,
bb7cd1
-                              const char *key_id);
bb7cd1
+                              const char *key_id, enum response_type type);
bb7cd1
 
bb7cd1
 bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd);
bb7cd1
 
bb7cd1
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
bb7cd1
index 36dba37964b71153435b4df5d5328de4361926e6..080cfafa709d63542fbf57d26fab11f0a367dea7 100644
bb7cd1
--- a/src/responder/pam/pamsrv_cmd.c
bb7cd1
+++ b/src/responder/pam/pamsrv_cmd.c
bb7cd1
@@ -1846,7 +1846,8 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
bb7cd1
                     ret = add_pam_cert_response(preq->pd, cert_user,
bb7cd1
                                                 preq->token_name,
bb7cd1
                                                 preq->module_name,
bb7cd1
-                                                preq->key_id);
bb7cd1
+                                                preq->key_id,
bb7cd1
+                                                SSS_PAM_CERT_INFO);
bb7cd1
                     if (ret != EOK) {
bb7cd1
                         DEBUG(SSSDBG_OP_FAILURE, "add_pam_cert_response failed.\n");
bb7cd1
                         preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
bb7cd1
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
bb7cd1
index 365300b9075983b603a6f9e91ba6f8f21706388f..4dce43800c3c6b026c545df35c846269cbb49610 100644
bb7cd1
--- a/src/responder/pam/pamsrv_p11.c
bb7cd1
+++ b/src/responder/pam/pamsrv_p11.c
bb7cd1
@@ -580,7 +580,7 @@ errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
bb7cd1
 
bb7cd1
 errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
bb7cd1
                               const char *token_name, const char *module_name,
bb7cd1
-                              const char *key_id)
bb7cd1
+                              const char *key_id, enum response_type type)
bb7cd1
 {
bb7cd1
     uint8_t *msg = NULL;
bb7cd1
     char *env = NULL;
bb7cd1
@@ -590,14 +590,23 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
bb7cd1
     size_t module_len;
bb7cd1
     size_t key_id_len;
bb7cd1
     int ret;
bb7cd1
+    const char *username = "";
bb7cd1
 
bb7cd1
-    if (sysdb_username == NULL || token_name == NULL || module_name == NULL
bb7cd1
-            || key_id == NULL) {
bb7cd1
+    if (type != SSS_PAM_CERT_INFO && type != SSS_PAM_CERT_INFO_WITH_HINT) {
bb7cd1
+        DEBUG(SSSDBG_CRIT_FAILURE, "Invalid response type [%d].\n", type);
bb7cd1
+        return EINVAL;
bb7cd1
+    }
bb7cd1
+
bb7cd1
+    if ((type == SSS_PAM_CERT_INFO && sysdb_username == NULL)
bb7cd1
+            || token_name == NULL || module_name == NULL || key_id == NULL) {
bb7cd1
         DEBUG(SSSDBG_CRIT_FAILURE, "Missing mandatory user or slot name.\n");
bb7cd1
         return EINVAL;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    user_len = strlen(sysdb_username) + 1;
bb7cd1
+    if (sysdb_username != NULL) {
bb7cd1
+        username = sysdb_username;
bb7cd1
+    }
bb7cd1
+    user_len = strlen(username) + 1;
bb7cd1
     slot_len = strlen(token_name) + 1;
bb7cd1
     module_len = strlen(module_name) + 1;
bb7cd1
     key_id_len = strlen(key_id) + 1;
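Review bot: The merged check on the new `if` makes the diagnostic wrong for the cases it newly covers: with SSS_PAM_CERT_INFO_WITH_HINT the user is optional, yet a missing `module_name` or `key_id` still logs "Missing mandatory user or slot name.", and a SSS_PAM_CERT_INFO call without a user logs the same text, so the log no longer tells which field was absent. Splitting the user check from the token/module/key check keeps the same EINVAL result while naming the field; the rewritten lines are below. The contract this hunk introduces — `sysdb_username` may be NULL only for SSS_PAM_CERT_INFO_WITH_HINT, in which case an empty string is sent as the user field — should also be stated on the prototype in pamsrv.h, e.g. `/* key_id, token_name and module_name are mandatory; sysdb_username may be NULL only for SSS_PAM_CERT_INFO_WITH_HINT, the user field is then sent empty. */`. Note that the empty user field is what reaches pam_sss on the client side; presumably the client treats "" as "unknown, prompt for it" rather than as an account name, which is worth confirming since the client change is not part of this patch. The message layout and msg_len computation between this hunk and the next are outside the hunk.
```c
    if (type == SSS_PAM_CERT_INFO && sysdb_username == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Missing mandatory user name for SSS_PAM_CERT_INFO.\n");
        return EINVAL;
    }

    if (token_name == NULL || module_name == NULL || key_id == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Missing mandatory token name, module name or key id.\n");
        return EINVAL;
    }

    /* … unchanged: username fallback and length computation … */
```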
bb7cd1
@@ -616,12 +625,12 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
bb7cd1
      * re_expression config option was set in a way that user@domain cannot be
bb7cd1
      * handled anymore some more logic has to be added here. But for the time
bb7cd1
      * being I think using sysdb_username is fine. */
bb7cd1
-    memcpy(msg, sysdb_username, user_len);
bb7cd1
+    memcpy(msg, username, user_len);
bb7cd1
     memcpy(msg + user_len, token_name, slot_len);
bb7cd1
     memcpy(msg + user_len + slot_len, module_name, module_len);
bb7cd1
     memcpy(msg + user_len + slot_len + module_len, key_id, key_id_len);
bb7cd1
 
bb7cd1
-    ret = pam_add_response(pd, SSS_PAM_CERT_INFO, msg_len, msg);
bb7cd1
+    ret = pam_add_response(pd, type, msg_len, msg);
bb7cd1
     talloc_free(msg);
bb7cd1
     if (ret != EOK) {
bb7cd1
         DEBUG(SSSDBG_OP_FAILURE,
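Review bot: The comment block ending at "I think using sysdb_username is fine." still describes the user field as always being `sysdb_username`, but the `memcpy` now copies `username`, which this patch makes an empty string when the caller passes no user for SSS_PAM_CERT_INFO_WITH_HINT; a reader of the wire format will not find that case documented. Add one sentence to that comment, e.g. `/* For SSS_PAM_CERT_INFO_WITH_HINT the user field may be empty (just the terminator); the client is then expected to ask for the name. */`, with the client expectation hedged since pam_sss is not part of this change. The `msg` allocation and `msg_len` computation are outside this hunk, so whether `user_len` of 1 is accounted for there cannot be checked from here; it presumably is, as the same `user_len` is used for both sizing and copying. The function continues past the hunk.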
bb7cd1
-- 
bb7cd1
2.9.4
bb7cd1