|
 |
bac598 |
From b8800d3e1b43f2eb28b2df7adb2bcb323bf2d1f1 Mon Sep 17 00:00:00 2001
|
|
|
bac598 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
bac598 |
Date: Sat, 14 Nov 2020 17:52:35 +0100
|
|
|
bac598 |
Subject: [PATCH 15/16] pam_sss: add certificate label to reply to pam_sss
|
|
|
bac598 |
|
|
|
bac598 |
Add the certificate label to the data send back and forth to the pam
|
|
|
bac598 |
module to avoid the ambiguity if two certificates use the same key.
|
|
|
bac598 |
|
|
|
bac598 |
Resolves: https://github.com/SSSD/sssd/issues/5400
|
|
|
bac598 |
|
|
|
bac598 |
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
|
bac598 |
---
|
|
|
bac598 |
src/responder/pam/pamsrv_p11.c | 13 ++++++++++---
|
|
|
bac598 |
src/sss_client/pam_sss.c | 15 +++++++++++++++
|
|
|
bac598 |
src/tests/cmocka/test_pam_srv.c | 20 ++++++++++++++++----
|
|
|
bac598 |
3 files changed, 41 insertions(+), 7 deletions(-)
|
|
|
bac598 |
|
|
|
bac598 |
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
|
|
bac598 |
index 23f94927a..e1fd72e64 100644
|
|
|
bac598 |
--- a/src/responder/pam/pamsrv_p11.c
|
|
|
bac598 |
+++ b/src/responder/pam/pamsrv_p11.c
|
|
|
bac598 |
@@ -1086,11 +1086,13 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
|
|
|
bac598 |
const char *token_name;
|
|
|
bac598 |
const char *module_name;
|
|
|
bac598 |
const char *key_id;
|
|
|
bac598 |
+ const char *label;
|
|
|
bac598 |
char *prompt;
|
|
|
bac598 |
size_t user_len;
|
|
|
bac598 |
size_t token_len;
|
|
|
bac598 |
size_t module_len;
|
|
|
bac598 |
size_t key_id_len;
|
|
|
bac598 |
+ size_t label_len;
|
|
|
bac598 |
size_t prompt_len;
|
|
|
bac598 |
size_t nss_name_len;
|
|
|
bac598 |
const char *username = "";
|
|
|
bac598 |
@@ -1113,16 +1115,18 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
|
|
|
bac598 |
token_name = sss_cai_get_token_name(cert_info);
|
|
|
bac598 |
module_name = sss_cai_get_module_name(cert_info);
|
|
|
bac598 |
key_id = sss_cai_get_key_id(cert_info);
|
|
|
bac598 |
+ label = sss_cai_get_label(cert_info);
|
|
|
bac598 |
|
|
|
bac598 |
user_len = strlen(username) + 1;
|
|
|
bac598 |
token_len = strlen(token_name) + 1;
|
|
|
bac598 |
module_len = strlen(module_name) + 1;
|
|
|
bac598 |
key_id_len = strlen(key_id) + 1;
|
|
|
bac598 |
+ label_len = strlen(label) + 1;
|
|
|
bac598 |
prompt_len = strlen(prompt) + 1;
|
|
|
bac598 |
nss_name_len = strlen(nss_username) +1;
|
|
|
bac598 |
|
|
|
bac598 |
- msg_len = user_len + token_len + module_len + key_id_len + prompt_len
|
|
|
bac598 |
- + nss_name_len;
|
|
|
bac598 |
+ msg_len = user_len + token_len + module_len + key_id_len + label_len
|
|
|
bac598 |
+ + prompt_len + nss_name_len;
|
|
|
bac598 |
|
|
|
bac598 |
msg = talloc_zero_size(mem_ctx, msg_len);
|
|
|
bac598 |
if (msg == NULL) {
|
|
|
bac598 |
@@ -1136,8 +1140,11 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
|
|
|
bac598 |
memcpy(msg + user_len + token_len, module_name, module_len);
|
|
|
bac598 |
memcpy(msg + user_len + token_len + module_len, key_id, key_id_len);
|
|
|
bac598 |
memcpy(msg + user_len + token_len + module_len + key_id_len,
|
|
|
bac598 |
+ label, label_len);
|
|
|
bac598 |
+ memcpy(msg + user_len + token_len + module_len + key_id_len + label_len,
|
|
|
bac598 |
prompt, prompt_len);
|
|
|
bac598 |
- memcpy(msg + user_len + token_len + module_len + key_id_len + prompt_len,
|
|
|
bac598 |
+ memcpy(msg + user_len + token_len + module_len + key_id_len + label_len
|
|
|
bac598 |
+ + prompt_len,
|
|
|
bac598 |
nss_username, nss_name_len);
|
|
|
bac598 |
talloc_free(prompt);
|
|
|
bac598 |
|
|
|
bac598 |
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
|
bac598 |
index cffbfa770..c539d6de6 100644
|
|
|
bac598 |
--- a/src/sss_client/pam_sss.c
|
|
|
bac598 |
+++ b/src/sss_client/pam_sss.c
|
|
|
bac598 |
@@ -142,6 +142,7 @@ static void free_cai(struct cert_auth_info *cai)
|
|
|
bac598 |
free(cai->token_name);
|
|
|
bac598 |
free(cai->module_name);
|
|
|
bac598 |
free(cai->key_id);
|
|
|
bac598 |
+ free(cai->label);
|
|
|
bac598 |
free(cai->prompt_str);
|
|
|
bac598 |
free(cai->choice_list_id);
|
|
|
bac598 |
free(cai);
|
|
|
bac598 |
@@ -936,6 +937,20 @@ static int parse_cert_info(struct pam_items *pi, uint8_t *buf, size_t len,
|
|
|
bac598 |
goto done;
|
|
|
bac598 |
}
|
|
|
bac598 |
|
|
|
bac598 |
+ cai->label = strdup((char *) &buf[*p + offset]);
|
|
|
bac598 |
+ if (cai->label == NULL) {
|
|
|
bac598 |
+ D(("strdup failed"));
|
|
|
bac598 |
+ ret = ENOMEM;
|
|
|
bac598 |
+ goto done;
|
|
|
bac598 |
+ }
|
|
|
bac598 |
+
|
|
|
bac598 |
+ offset += strlen(cai->label) + 1;
|
|
|
bac598 |
+ if (offset >= len) {
|
|
|
bac598 |
+ D(("Cert message size mismatch"));
|
|
|
bac598 |
+ ret = EINVAL;
|
|
|
bac598 |
+ goto done;
|
|
|
bac598 |
+ }
|
|
|
bac598 |
+
|
|
|
bac598 |
cai->prompt_str = strdup((char *) &buf[*p + offset]);
|
|
|
bac598 |
if (cai->prompt_str == NULL) {
|
|
|
bac598 |
D(("strdup failed"));
|
|
|
bac598 |
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
|
|
bac598 |
index cb05042de..5506fbf34 100644
|
|
|
bac598 |
--- a/src/tests/cmocka/test_pam_srv.c
|
|
|
bac598 |
+++ b/src/tests/cmocka/test_pam_srv.c
|
|
|
bac598 |
@@ -62,13 +62,16 @@
|
|
|
bac598 |
#define TEST_TOKEN_NAME "SSSD Test Token"
|
|
|
bac598 |
#define TEST_TOKEN2_NAME "SSSD Test Token Number 2"
|
|
|
bac598 |
#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
|
|
|
bac598 |
+#define TEST_LABEL "SSSD test cert 0001"
|
|
|
bac598 |
#define TEST_MODULE_NAME SOFTHSM2_PATH
|
|
|
bac598 |
#define TEST_PROMPT "SSSD test cert 0001\nCN=SSSD test cert 0001,OU=SSSD test,O=SSSD"
|
|
|
bac598 |
#define TEST2_PROMPT "SSSD test cert 0002\nCN=SSSD test cert 0002,OU=SSSD test,O=SSSD"
|
|
|
bac598 |
#define TEST5_PROMPT "SSSD test cert 0005\nCN=SSSD test cert 0005,OU=SSSD test,O=SSSD"
|
|
|
bac598 |
|
|
|
bac598 |
#define TEST2_KEY_ID "5405842D56CF31F0BB025A695C5F3E907051C5B9"
|
|
|
bac598 |
+#define TEST2_LABEL "SSSD test cert 0002"
|
|
|
bac598 |
#define TEST5_KEY_ID "1195833C424AB00297F582FC43FFFFAB47A64CC9"
|
|
|
bac598 |
+#define TEST5_LABEL "SSSD test cert 0005"
|
|
|
bac598 |
|
|
|
bac598 |
static char CACHED_AUTH_TIMEOUT_STR[] = "4";
|
|
|
bac598 |
static const int CACHED_AUTH_TIMEOUT = 4;
|
|
|
bac598 |
@@ -673,6 +676,7 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
|
|
|
bac598 |
+ sizeof(TEST_TOKEN_NAME)
|
|
|
bac598 |
+ sizeof(TEST_MODULE_NAME)
|
|
|
bac598 |
+ sizeof(TEST_KEY_ID)
|
|
|
bac598 |
+ + sizeof(TEST_LABEL)
|
|
|
bac598 |
+ sizeof(TEST_PROMPT)
|
|
|
bac598 |
+ sizeof("pamuser")));
|
|
|
bac598 |
|
|
|
bac598 |
@@ -692,6 +696,10 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
|
|
|
bac598 |
assert_string_equal(body + rp, TEST_KEY_ID);
|
|
|
bac598 |
rp += sizeof(TEST_KEY_ID);
|
|
|
bac598 |
|
|
|
bac598 |
+ assert_int_equal(*(body + rp + sizeof(TEST_LABEL) - 1), 0);
|
|
|
bac598 |
+ assert_string_equal(body + rp, TEST_LABEL);
|
|
|
bac598 |
+ rp += sizeof(TEST_LABEL);
|
|
|
bac598 |
+
|
|
|
bac598 |
assert_int_equal(*(body + rp + sizeof(TEST_PROMPT) - 1), 0);
|
|
|
bac598 |
assert_string_equal(body + rp, TEST_PROMPT);
|
|
|
bac598 |
rp += sizeof(TEST_PROMPT);
|
|
|
bac598 |
@@ -740,6 +748,7 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
|
|
|
bac598 |
TEST_TOKEN_NAME,
|
|
|
bac598 |
TEST_MODULE_NAME,
|
|
|
bac598 |
TEST_KEY_ID,
|
|
|
bac598 |
+ TEST_LABEL,
|
|
|
bac598 |
TEST_PROMPT,
|
|
|
bac598 |
NULL,
|
|
|
bac598 |
NULL };
|
|
|
bac598 |
@@ -749,6 +758,7 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
|
|
|
bac598 |
TEST_TOKEN_NAME,
|
|
|
bac598 |
TEST_MODULE_NAME,
|
|
|
bac598 |
TEST2_KEY_ID,
|
|
|
bac598 |
+ TEST2_LABEL,
|
|
|
bac598 |
TEST2_PROMPT,
|
|
|
bac598 |
NULL,
|
|
|
bac598 |
NULL };
|
|
|
bac598 |
@@ -756,10 +766,10 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
|
|
|
bac598 |
assert_int_equal(status, 0);
|
|
|
bac598 |
|
|
|
bac598 |
check_strings[0] = name;
|
|
|
bac598 |
- check_strings[5] = nss_name;
|
|
|
bac598 |
+ check_strings[6] = nss_name;
|
|
|
bac598 |
check_len = check_string_array_len(check_strings);
|
|
|
bac598 |
check2_strings[0] = name;
|
|
|
bac598 |
- check2_strings[5] = nss_name;
|
|
|
bac598 |
+ check2_strings[6] = nss_name;
|
|
|
bac598 |
check2_len = check_string_array_len(check2_strings);
|
|
|
bac598 |
|
|
|
bac598 |
|
|
|
bac598 |
@@ -843,6 +853,7 @@ static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
|
|
|
bac598 |
TEST_TOKEN2_NAME,
|
|
|
bac598 |
TEST_MODULE_NAME,
|
|
|
bac598 |
TEST2_KEY_ID,
|
|
|
bac598 |
+ TEST2_LABEL,
|
|
|
bac598 |
TEST2_PROMPT,
|
|
|
bac598 |
NULL,
|
|
|
bac598 |
NULL };
|
|
|
bac598 |
@@ -850,7 +861,7 @@ static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
|
|
|
bac598 |
assert_int_equal(status, 0);
|
|
|
bac598 |
|
|
|
bac598 |
check2_strings[0] = name;
|
|
|
bac598 |
- check2_strings[5] = nss_name;
|
|
|
bac598 |
+ check2_strings[6] = nss_name;
|
|
|
bac598 |
check2_len = check_string_array_len(check2_strings);
|
|
|
bac598 |
|
|
|
bac598 |
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
|
bac598 |
@@ -895,7 +906,7 @@ static int test_pam_cert_X_token_X_check_ex(uint32_t status, uint8_t *body,
|
|
|
bac598 |
assert_int_equal(status, 0);
|
|
|
bac598 |
|
|
|
bac598 |
check_strings[0] = name;
|
|
|
bac598 |
- check_strings[5] = nss_name;
|
|
|
bac598 |
+ check_strings[6] = nss_name;
|
|
|
bac598 |
check_len = check_string_array_len(check_strings);
|
|
|
bac598 |
|
|
|
bac598 |
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
|
bac598 |
@@ -946,6 +957,7 @@ static int test_pam_cert5_check(uint32_t status, uint8_t *body, size_t blen)
|
|
|
bac598 |
TEST_TOKEN_NAME,
|
|
|
bac598 |
TEST_MODULE_NAME,
|
|
|
bac598 |
TEST5_KEY_ID,
|
|
|
bac598 |
+ TEST5_LABEL,
|
|
|
bac598 |
TEST5_PROMPT,
|
|
|
bac598 |
NULL,
|
|
|
bac598 |
NULL };
|
|
|
bac598 |
--
|
|
|
bac598 |
2.21.3
|
|
|
bac598 |
|