From 52514960f5b0609cd9f31f3c4455b61fbe4c04c5 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 26 Apr 2017 17:16:19 +0200
Subject: [PATCH 121/121] PAM: check matching certificates from all domains

Although the cache_req lookup found matching in multiple domains only
the results from the first domain were used. With this patch the results
from all domains are checked.

Resolves https://pagure.io/SSSD/sssd/issue/3385

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 92d8b072f8c521e1b4effe109b5caedabd36ed6f)
---
 src/responder/pam/pamsrv_cmd.c | 69 ++++++++++++++++++++++++++++++++++++++----
 1 file changed, 63 insertions(+), 6 deletions(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index f2b3c74b483e527932dda42279d14a9ac184b475..10a178f839ec011c09a6da4575efbb026f3f7700 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1352,15 +1352,71 @@ done:
     pam_check_user_done(preq, ret);
 }
 
+static errno_t get_results_from_all_domains(TALLOC_CTX *mem_ctx,
+                                            struct cache_req_result **results,
+                                            struct ldb_result **ldb_results)
+{
+    int ret;
+    size_t count = 0;
+    size_t c;
+    size_t d;
+    size_t r = 0;
+    struct ldb_result *res;
+
+    for (d = 0; results != NULL && results[d] != NULL; d++) {
+        count += results[d]->count;
+    }
+
+    res = talloc_zero(mem_ctx, struct ldb_result);
+    if (res == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n");
+        return ENOMEM;
+    }
+
+    if (count == 0) {
+        *ldb_results = res;
+        return EOK;
+    }
+
+    res->msgs = talloc_zero_array(res, struct ldb_message *, count);
+    if (res->msgs == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
+        return ENOMEM;
+    }
+    res->count = count;
+
+    for (d = 0; results != NULL && results[d] != NULL; d++) {
+        for (c = 0; c < results[d]->count; c++) {
+            if (r >= count) {
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      "More results found then counted before.\n");
+                ret = EINVAL;
+                goto done;
+            }
+            res->msgs[r++] = talloc_steal(res->msgs, results[d]->msgs[c]);
+        }
+    }
+
+    *ldb_results = res;
+    ret = EOK;
+
+done:
+    if (ret != EOK) {
+        talloc_free(res);
+    }
+
+    return ret;
+}
+
 static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
 {
     int ret;
-    struct cache_req_result *result;
+    struct cache_req_result **results;
     struct pam_auth_req *preq = tevent_req_callback_data(req,
                                                          struct pam_auth_req);
     const char *cert_user;
 
-    ret = cache_req_user_by_cert_recv(preq, req, &result);
+    ret = cache_req_recv(preq, req, &results);
     talloc_zfree(req);
     if (ret != EOK && ret != ENOENT) {
         DEBUG(SSSDBG_OP_FAILURE, "cache_req_user_by_cert request failed.\n");
@@ -1368,12 +1424,13 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
     }
 
     if (ret == EOK) {
-        if (preq->domain == NULL) {
-            preq->domain = result->domain;
+        ret = get_results_from_all_domains(preq, results,
+                                           &preq->cert_user_objs);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "get_results_from_all_domains failed.\n");
+            goto done;
         }
 
-        preq->cert_user_objs = talloc_steal(preq, result->ldb_result);
-
         if (preq->pd->logon_name == NULL) {
             if (preq->pd->cmd != SSS_PAM_PREAUTH) {
                 DEBUG(SSSDBG_CRIT_FAILURE,
-- 
2.9.3