summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2015-07-10 17:54:07 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-07-31 09:52:01 +0200
commita8d887323f83984679a7d9b827a70146656bb7b2 (patch)
treee6b93747e75ac876e7c8acf6a1b79db0ec65fb04
parent10703cd558016685ee778e333f1d4490238d46e7 (diff)
downloadsssd-a8d887323f83984679a7d9b827a70146656bb7b2.tar.gz
sssd-a8d887323f83984679a7d9b827a70146656bb7b2.tar.xz
sssd-a8d887323f83984679a7d9b827a70146656bb7b2.zip
PAM: add certificate support to PAM (pre-)auth requests
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat
-rw-r--r--Makefile.am5
-rw-r--r--configure.ac3
-rw-r--r--src/confdb/confdb.h2
-rw-r--r--src/responder/pam/pamsrv.c34
-rw-r--r--src/responder/pam/pamsrv.h22
-rw-r--r--src/responder/pam/pamsrv_cmd.c312
-rw-r--r--src/responder/pam/pamsrv_p11.c527
-rw-r--r--src/sss_client/sss_cli.h1
-rw-r--r--src/tests/cmocka/p11_nssdb/cert9.dbbin0 -> 13312 bytes
-rw-r--r--src/tests/cmocka/p11_nssdb/key4.dbbin0 -> 14336 bytes
-rw-r--r--src/tests/cmocka/test_pam_srv.c509
-rw-r--r--src/util/util_errors.c1
-rw-r--r--src/util/util_errors.h1
13 files changed, 1378 insertions, 39 deletions
diff --git a/Makefile.am b/Makefile.am
index e4add9757..fd78c1bb7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -382,6 +382,8 @@ dist_noinst_DATA = \
contrib/ci/distro.sh \
contrib/ci/misc.sh \
contrib/ci/sssd.supp \
+ src/tests/cmocka/p11_nssdb/cert9.db \
+ src/tests/cmocka/p11_nssdb/key4.db \
$(NULL)
###############################
@@ -1086,6 +1088,7 @@ sssd_pam_SOURCES = \
src/responder/pam/pam_LOCAL_domain.c \
src/responder/pam/pamsrv.c \
src/responder/pam/pamsrv_cmd.c \
+ src/responder/pam/pamsrv_p11.c \
src/responder/pam/pamsrv_dp.c \
src/responder/pam/pam_helpers.c \
$(SSSD_RESPONDER_OBJ)
@@ -1877,11 +1880,13 @@ pam_srv_tests_SOURCES = \
src/tests/cmocka/test_pam_srv.c \
src/sss_client/pam_message.c \
src/responder/pam/pamsrv_cmd.c \
+ src/responder/pam/pamsrv_p11.c \
src/responder/pam/pam_helpers.c \
src/responder/pam/pamsrv_dp.c \
src/responder/pam/pam_LOCAL_domain.c \
$(NULL)
pam_srv_tests_CFLAGS = \
+ -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
$(AM_CFLAGS) \
$(NULL)
pam_srv_tests_LDFLAGS = \
diff --git a/configure.ac b/configure.ac
index 4b4f8f322..254752bc2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -400,6 +400,9 @@ abs_build_dir=`pwd`
AC_DEFINE_UNQUOTED([ABS_BUILD_DIR], ["$abs_build_dir"], [Absolute path to the build directory])
AC_SUBST([abs_builddir], $abs_build_dir)
+my_srcdir=`readlink -f $srcdir`
+AC_DEFINE_UNQUOTED([ABS_SRC_DIR], ["$my_srcdir"], [Absolute path to the source directory])
+
AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config
src/sysv/sssd src/sysv/gentoo/sssd src/sysv/SUSE/sssd
po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 0b0ae0dcf..c3cdf49e0 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -115,6 +115,8 @@
#define CONFDB_PAM_TRUSTED_USERS "pam_trusted_users"
#define CONFDB_PAM_PUBLIC_DOMAINS "pam_public_domains"
#define CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE "pam_account_expired_message"
+#define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
+#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index aa0d2796b..3fe467c3c 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -50,6 +50,8 @@
#define ALL_DOMAIMS_ARE_PUBLIC "all"
#define NO_DOMAIMS_ARE_PUBLIC "none"
#define DEFAULT_ALLOWED_UIDS ALL_UIDS_ALLOWED
+#define DEFAULT_PAM_CERT_AUTH false
+#define DEFAULT_PAM_CERT_DB_PATH SYSCONFDIR"/pki/nssdb"
struct mon_cli_iface monitor_pam_methods = {
{ &mon_cli_iface_meta, 0 },
@@ -302,6 +304,38 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
goto done;
}
+ /* Check if certificate based authentication is enabled */
+ ret = confdb_get_bool(pctx->rctx->cdb,
+ CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_CERT_AUTH,
+ DEFAULT_PAM_CERT_AUTH,
+ &pctx->cert_auth);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to determine get cert db path.\n");
+ goto done;
+ }
+
+ pctx->p11_child_debug_fd = -1;
+ if (pctx->cert_auth) {
+ ret = p11_child_init(pctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "p11_child_init failed.\n");
+ goto done;
+ }
+
+ ret = confdb_get_string(pctx->rctx->cdb, pctx,
+ CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_CERT_DB_PATH,
+ DEFAULT_PAM_CERT_DB_PATH,
+ &pctx->nss_db);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to determine if certificate based authentication is " \
+ "enabled or not.\n");
+ goto done;
+ }
+ }
+
ret = EOK;
done:
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 027800646..59831f2e7 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -43,6 +43,10 @@ struct pam_ctx {
/* List of domains that are accessible even for untrusted users. */
char **public_domains;
int public_domains_count;
+
+ bool cert_auth;
+ int p11_child_debug_fd;
+ char *nss_db;
};
struct pam_auth_dp_req {
@@ -65,6 +69,9 @@ struct pam_auth_req {
bool cached_auth_failed;
struct pam_auth_dp_req *dpreq_spy;
+
+ struct ldb_message *cert_user_obj;
+ char *token_name;
};
struct sss_cmd_table *get_pam_cmds(void);
@@ -73,4 +80,19 @@ int pam_dp_send_req(struct pam_auth_req *preq, int timeout);
int LOCAL_pam_handler(struct pam_auth_req *preq);
+errno_t p11_child_init(struct pam_ctx *pctx);
+
+struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ int child_debug_fd,
+ const char *nss_db,
+ time_t timeout,
+ struct pam_data *pd);
+errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ char **cert, char **token_name);
+
+errno_t add_pam_cert_response(struct pam_data *pd, const char *user,
+ const char *token_name);
+
+bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd);
#endif /* __PAMSRV_H__ */
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 9c32f40ff..3b84fb864 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -31,6 +31,7 @@
#include "providers/data_provider.h"
#include "responder/pam/pamsrv.h"
#include "responder/pam/pam_helpers.h"
+#include "responder/common/responder_cache_req.h"
#include "db/sysdb.h"
enum pam_verbosity {
@@ -49,6 +50,7 @@ static errno_t
pam_get_last_online_auth_with_curr_token(struct sss_domain_info *domain,
const char *name,
uint64_t *_value);
+
static void pam_reply(struct pam_auth_req *preq);
static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
@@ -154,6 +156,13 @@ static int extract_authtok_v2(struct sss_auth_token *tok,
ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA,
auth_token_data, auth_token_length);
break;
+ case SSS_AUTHTOK_TYPE_SC_PIN:
+ ret = sss_authtok_set_sc_pin(tok, (const char *) auth_token_data,
+ auth_token_length);
+ break;
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
+ sss_authtok_set_sc_keypad(tok);
+ break;
default:
return EINVAL;
}
@@ -892,6 +901,7 @@ static void pam_handle_cached_login(struct pam_auth_req *preq, int ret,
}
static void pam_forwarder_cb(struct tevent_req *req);
+static void pam_forwarder_cert_cb(struct tevent_req *req);
static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr);
static int pam_check_user_search(struct pam_auth_req *preq);
@@ -939,9 +949,22 @@ static errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *p
goto done;
}
- ret = sss_parse_name_for_domains(pd, cctx->rctx->domains,
- cctx->rctx->default_domain, pd->logon_name,
- &pd->domain, &pd->user);
+ if (pd->logon_name != NULL) {
+ ret = sss_parse_name_for_domains(pd, cctx->rctx->domains,
+ cctx->rctx->default_domain,
+ pd->logon_name,
+ &pd->domain, &pd->user);
+ } else {
+ /* Only SSS_PAM_PREAUTH request may have a missing name, e.g. if the
+ * name is determined with the help of a certificate */
+ if (pd->cmd == SSS_PAM_PREAUTH) {
+ ret = EOK;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing logon name in PAM request.\n");
+ ret = EINVAL;
+ goto done;
+ }
+ }
DEBUG_PAM_DATA(SSSDBG_CONF_SETTINGS, pd);
@@ -1052,49 +1075,66 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
goto done;
}
- /* now check user is valid */
- if (pd->domain) {
- preq->domain = responder_get_domain(cctx->rctx, pd->domain);
- if (!preq->domain) {
- ret = ENOENT;
- goto done;
- }
-
- ncret = sss_ncache_check_user(pctx->ncache, pctx->neg_timeout,
- preq->domain, pd->user);
- if (ncret == EEXIST) {
- /* User found in the negative cache */
- ret = ENOENT;
- goto done;
- }
- } else {
- for (dom = preq->cctx->rctx->domains;
- dom;
- dom = get_next_domain(dom, false)) {
- if (dom->fqnames) continue;
+ if (pd->user != NULL) {
+ /* now check user is valid */
+ if (pd->domain) {
+ preq->domain = responder_get_domain(cctx->rctx, pd->domain);
+ if (!preq->domain) {
+ ret = ENOENT;
+ goto done;
+ }
ncret = sss_ncache_check_user(pctx->ncache, pctx->neg_timeout,
- dom, pd->user);
- if (ncret == ENOENT) {
- /* User not found in the negative cache
- * Proceed with PAM actions
- */
- break;
+ preq->domain, pd->user);
+ if (ncret == EEXIST) {
+ /* User found in the negative cache */
+ ret = ENOENT;
+ goto done;
+ }
+ } else {
+ for (dom = preq->cctx->rctx->domains;
+ dom;
+ dom = get_next_domain(dom, false)) {
+ if (dom->fqnames) continue;
+
+ ncret = sss_ncache_check_user(pctx->ncache, pctx->neg_timeout,
+ dom, pd->user);
+ if (ncret == ENOENT) {
+ /* User not found in the negative cache
+ * Proceed with PAM actions
+ */
+ break;
+ }
+
+ /* Try the next domain */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "User [%s@%s] filtered out (negative cache). "
+ "Trying next domain.\n", pd->user, dom->name);
}
- /* Try the next domain */
- DEBUG(SSSDBG_TRACE_FUNC,
- "User [%s@%s] filtered out (negative cache). "
- "Trying next domain.\n", pd->user, dom->name);
+ if (!dom) {
+ ret = ENOENT;
+ goto done;
+ }
+ preq->domain = dom;
}
+ }
- if (!dom) {
- ret = ENOENT;
- goto done;
+ if (may_do_cert_auth(pctx, pd)) {
+ req = pam_check_cert_send(cctx, cctx->ev, pctx->p11_child_debug_fd,
+ pctx->nss_db, 10, pd);
+ if (req == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
+ ret = ENOMEM;
+ } else {
+ tevent_req_set_callback(req, pam_forwarder_cert_cb, preq);
+ ret = EAGAIN;
}
- preq->domain = dom;
+
+ goto done;
}
+
if (preq->domain->provider == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Domain [%s] has no auth provider.\n", preq->domain->name);
@@ -1113,6 +1153,142 @@ done:
return pam_check_user_done(preq, ret);
}
+static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req);
+static void pam_forwarder_cert_cb(struct tevent_req *req)
+{
+ struct pam_auth_req *preq = tevent_req_callback_data(req,
+ struct pam_auth_req);
+ struct cli_ctx *cctx = preq->cctx;
+ struct pam_data *pd;
+ errno_t ret = EOK;
+ char *cert;
+ struct pam_ctx *pctx =
+ talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+
+ ret = pam_check_cert_recv(req, preq, &cert, &preq->token_name);
+ talloc_free(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_cert request failed.\n");
+ goto done;
+ }
+
+ pd = preq->pd;
+
+ if (cert == NULL) {
+ if (pd->logon_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No certificate found and no logon name given, " \
+ "authentication not possible.\n");;
+ ret = ENOENT;
+ } else {
+ if (pd->cmd == SSS_PAM_AUTHENTICATE) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No certificate returned, authentication failed.\n");
+ ret = ENOENT;
+ } else {
+ ret = pam_check_user_search(preq);
+ if (ret == EOK) {
+ pam_dom_forwarder(preq);
+ }
+ }
+
+ }
+ goto done;
+ }
+
+
+ req = cache_req_user_by_cert_send(preq, cctx->ev, cctx->rctx,
+ pctx->ncache, pctx->neg_timeout,
+ 0, NULL, cert);
+ if (req == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "cache_req_user_by_cert_send failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ tevent_req_set_callback(req, pam_forwarder_lookup_by_cert_done, preq);
+ return;
+
+done:
+ pam_check_user_done(preq, ret);
+}
+
+static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
+{
+ int ret;
+ struct ldb_result *res;
+ struct sss_domain_info *domain;
+ struct pam_auth_req *preq = tevent_req_callback_data(req,
+ struct pam_auth_req);
+ const char *cert_user;
+
+
+ ret = cache_req_user_by_cert_recv(preq, req, &res, &domain, NULL);
+ talloc_zfree(req);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE, "cache_req_user_by_cert request failed.\n");
+ goto done;
+ }
+
+ if (ret == EOK && res->count > 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Search by certificate returned more than one result.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (ret == EOK) {
+ if (preq->domain == NULL) {
+ preq->domain = domain;
+ }
+
+ preq->cert_user_obj = talloc_steal(preq, res->msgs[0]);
+
+ if (preq->pd->logon_name == NULL) {
+ cert_user = ldb_msg_find_attr_as_string(preq->cert_user_obj,
+ SYSDB_NAME, NULL);
+ if (cert_user == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Certificate user object has not name.\n");
+ ret = ENOENT;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA, "Found certificate user [%s].\n",
+ cert_user);
+
+ ret = add_pam_cert_response(preq->pd, cert_user, preq->token_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "add_pam_cert_response failed.\n");
+ }
+
+ preq->pd->domain = talloc_strdup(preq->pd, domain->name);
+ if (preq->pd->domain == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ preq->pd->pam_status = PAM_SUCCESS;
+ pam_reply(preq);
+ return;
+ }
+ } else {
+ if (preq->pd->logon_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing logon name and no certificate user found.\n");
+ ret = ENOENT;
+ goto done;
+ }
+ }
+
+ ret = pam_check_user_search(preq);
+ if (ret == EOK) {
+ pam_dom_forwarder(preq);
+ }
+
+done:
+ pam_check_user_done(preq, ret);
+}
+
static void pam_forwarder_cb(struct tevent_req *req)
{
struct pam_auth_req *preq = tevent_req_callback_data(req,
@@ -1120,6 +1296,8 @@ static void pam_forwarder_cb(struct tevent_req *req)
struct cli_ctx *cctx = preq->cctx;
struct pam_data *pd;
errno_t ret = EOK;
+ struct pam_ctx *pctx =
+ talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
ret = sss_dp_get_domains_recv(req);
talloc_free(req);
@@ -1158,6 +1336,20 @@ static void pam_forwarder_cb(struct tevent_req *req)
}
}
+ if (may_do_cert_auth(pctx, pd)) {
+ req = pam_check_cert_send(cctx, cctx->ev, pctx->p11_child_debug_fd,
+ pctx->nss_db, 10, pd);
+ if (req == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
+ ret = ENOMEM;
+ } else {
+ tevent_req_set_callback(req, pam_forwarder_cert_cb, preq);
+ ret = EAGAIN;
+ }
+
+ goto done;
+ }
+
ret = pam_check_user_search(preq);
if (ret == EOK) {
pam_dom_forwarder(preq);
@@ -1542,6 +1734,7 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
int ret;
struct pam_ctx *pctx =
talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+ const char *cert_user;
if (!preq->pd->domain) {
preq->pd->domain = preq->domain->name;
@@ -1579,6 +1772,51 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
return;
}
+ if (may_do_cert_auth(pctx, preq->pd) && preq->cert_user_obj != NULL) {
+ /* Check if user matches certificate user */
+ cert_user = ldb_msg_find_attr_as_string(preq->cert_user_obj, SYSDB_NAME,
+ NULL);
+ if (cert_user == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Certificate user object has not name.\n");
+ preq->pd->pam_status = PAM_USER_UNKNOWN;
+ pam_reply(preq);
+ return;
+ }
+
+ /* pam_check_user_search() calls pd_set_primary_name() is the search
+ * was successful, so pd->user contains the canonical name as well */
+ if (strcmp(cert_user, preq->pd->user) == 0) {
+
+ preq->pd->pam_status = PAM_SUCCESS;
+
+ if (preq->pd->cmd == SSS_PAM_PREAUTH) {
+ ret = add_pam_cert_response(preq->pd, cert_user,
+ preq->token_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "add_pam_cert_response failed.\n");
+ preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
+ }
+ }
+
+ preq->callback = pam_reply;
+ pam_reply(preq);
+ return;
+ } else {
+ if (preq->pd->cmd == SSS_PAM_PREAUTH) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "User and certificate user do not match, " \
+ "continue with other authentication methods.\n");
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "User and certificate user do not match.\n");
+ preq->pd->pam_status = PAM_AUTH_ERR;
+ pam_reply(preq);
+ return;
+ }
+ }
+ }
+
if (!NEED_CHECK_PROVIDER(preq->domain->provider) ) {
preq->callback = pam_reply;
ret = LOCAL_pam_handler(preq);
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
new file mode 100644
index 000000000..afb28fd52
--- /dev/null
+++ b/src/responder/pam/pamsrv_p11.c
@@ -0,0 +1,527 @@
+/*
+ SSSD
+
+ PAM Responder - certificate realted requests
+
+ Copyright (C) Sumit Bose <sbose@redhat.com> 2015
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <time.h>
+
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "util/child_common.h"
+#include "util/strtonum.h"
+#include "responder/pam/pamsrv.h"
+
+
+#ifndef SSSD_LIBEXEC_PATH
+#error "SSSD_LIBEXEC_PATH not defined"
+#endif /* SSSD_LIBEXEC_PATH */
+
+#define P11_CHILD_LOG_FILE "p11_child"
+#define P11_CHILD_PATH SSSD_LIBEXEC_PATH"/p11_child"
+
+errno_t p11_child_init(struct pam_ctx *pctx)
+{
+ return child_debug_init(P11_CHILD_LOG_FILE, &pctx->p11_child_debug_fd);
+}
+
+bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd)
+{
+ size_t c;
+ const char *sc_services[] = { "login", "su", "su-l", "gdm-smartcard",
+ "gdm-password", "kdm", "sudo", "sudo-i",
+ NULL };
+ if (!pctx->cert_auth) {
+ return false;
+ }
+
+ if (pd->cmd != SSS_PAM_PREAUTH && pd->cmd != SSS_PAM_AUTHENTICATE) {
+ return false;
+ }
+
+ if (pd->cmd == SSS_PAM_AUTHENTICATE
+ && sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_SC_PIN
+ && sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_SC_KEYPAD) {
+ return false;
+ }
+
+ /* TODO: make services configurable */
+ if (pd->service == NULL || *pd->service == '\0') {
+ return false;
+ }
+ for (c = 0; sc_services[c] != NULL; c++) {
+ if (strcmp(pd->service, sc_services[c]) == 0) {
+ break;
+ }
+ }
+ if (sc_services[c] == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Smartcard authentication for service [%s] not supported.\n",
+ pd->service);
+ return false;
+ }
+
+ return true;
+}
+
+static errno_t get_p11_child_write_buffer(TALLOC_CTX *mem_ctx,
+ struct pam_data *pd,
+ uint8_t **_buf, size_t *_len)
+{
+ int ret;
+ uint8_t *buf;
+ size_t len;
+ const char *pin = NULL;
+
+ if (pd == NULL || pd->authtok == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing authtok.\n");
+ return EINVAL;
+ }
+
+ switch (sss_authtok_get_type(pd->authtok)) {
+ case SSS_AUTHTOK_TYPE_SC_PIN:
+ ret = sss_authtok_get_sc_pin(pd->authtok, &pin, &len);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc_pin failed.\n");
+ return ret;
+ }
+ if (pin == NULL || len == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing PIN.\n");
+ return EINVAL;
+ }
+
+ buf = talloc_size(mem_ctx, len);
+ if (buf == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
+ return ENOMEM;
+ }
+
+ safealign_memcpy(buf, pin, len, NULL);
+
+ break;
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
+ /* Nothing to send */
+ len = 0;
+ buf = NULL;
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported authtok type [%d].\n",
+ sss_authtok_get_type(pd->authtok));
+ return EINVAL;
+ }
+
+ *_len = len;
+ *_buf = buf;
+
+ return EOK;
+}
+
+static errno_t parse_p11_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf,
+ ssize_t buf_len, char **_cert,
+ char **_token_name)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx = NULL;
+ uint8_t *p;
+ uint8_t *pn;
+ char *cert = NULL;
+ char *token_name = NULL;
+
+ if (buf_len < 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Error occured while reading data from p11_child.\n");
+ return EIO;
+ }
+
+ if (buf_len == 0) {
+ DEBUG(SSSDBG_TRACE_LIBS, "No certificate found.\n");
+ ret = EOK;
+ goto done;
+ }
+
+ p = memchr(buf, '\n', buf_len);
+ if (p == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Missing new-line in p11_child response.\n");
+ return EINVAL;
+ }
+ if (p == buf) {
+ DEBUG(SSSDBG_OP_FAILURE, "Missing counter in p11_child response.\n");
+ return EINVAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ token_name = talloc_strndup(tmp_ctx, (char*) buf, (p - buf));
+ if (token_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ p++;
+ pn = memchr(p, '\n', buf_len - (p - buf));
+ if (pn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Missing new-line in p11_child response.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (pn == p) {
+ DEBUG(SSSDBG_OP_FAILURE, "Missing cert in p11_child response.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ cert = talloc_strndup(tmp_ctx, (char *) p, (pn - p));
+ if(cert == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Found cert [%s].\n", cert);
+
+ ret = EOK;
+
+done:
+ if (ret == EOK) {
+ *_token_name = talloc_steal(mem_ctx, token_name);
+ *_cert = talloc_steal(mem_ctx, cert);
+ }
+
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+struct pam_check_cert_state {
+ int child_status;
+ struct sss_child_ctx_old *child_ctx;
+ struct tevent_timer *timeout_handler;
+ struct tevent_context *ev;
+
+ int write_to_child_fd;
+ int read_from_child_fd;
+ char *cert;
+ char *token_name;
+};
+
+static void p11_child_write_done(struct tevent_req *subreq);
+static void p11_child_done(struct tevent_req *subreq);
+static void p11_child_timeout(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval tv, void *pvt);
+
+struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ int child_debug_fd,
+ const char *nss_db,
+ time_t timeout,
+ struct pam_data *pd)
+{
+ errno_t ret;
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct pam_check_cert_state *state;
+ pid_t child_pid;
+ struct timeval tv;
+ int pipefd_to_child[2];
+ int pipefd_from_child[2];
+ const char *extra_args[5] = {NULL, NULL, NULL, NULL, NULL};
+ uint8_t *write_buf = NULL;
+ size_t write_buf_len = 0;
+
+ req = tevent_req_create(mem_ctx, &state, struct pam_check_cert_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ if (nss_db == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing NSS DB.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* extra_args are added in revers order */
+ extra_args[1] = "--nssdb";
+ extra_args[0] = nss_db;
+ if (pd->cmd == SSS_PAM_AUTHENTICATE) {
+ extra_args[2] = "--auth";
+ switch (sss_authtok_get_type(pd->authtok)) {
+ case SSS_AUTHTOK_TYPE_SC_PIN:
+ extra_args[3] = "--pin";
+ break;
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
+ extra_args[3] = "--keypad";
+ break;
+ default:
+ DEBUG(SSSDBG_OP_FAILURE, "Unsupported authtok type.\n");
+ ret = EINVAL;
+ goto done;
+ }
+ } else if (pd->cmd == SSS_PAM_PREAUTH) {
+ extra_args[2] = "--pre";
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected PAM command [%d}.\n", pd->cmd);
+ ret = EINVAL;
+ goto done;
+ }
+
+ state->ev = ev;
+ state->child_status = EFAULT;
+ state->read_from_child_fd = -1;
+ state->write_to_child_fd = -1;
+ state->cert = NULL;
+ state->token_name = NULL;
+
+ ret = pipe(pipefd_from_child);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "pipe failed [%d][%s].\n", ret, strerror(ret));
+ goto done;
+ }
+ ret = pipe(pipefd_to_child);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "pipe failed [%d][%s].\n", ret, strerror(ret));
+ goto done;
+ }
+
+ if (child_debug_fd == -1) {
+ child_debug_fd = STDERR_FILENO;
+ }
+
+ child_pid = fork();
+ if (child_pid == 0) { /* child */
+ ret = exec_child_ex(state, pipefd_to_child, pipefd_from_child,
+ P11_CHILD_PATH, child_debug_fd, extra_args,
+ STDIN_FILENO, STDOUT_FILENO);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec p11 child: [%d][%s].\n",
+ ret, strerror(ret));
+ goto done;
+ }
+ } else if (child_pid > 0) { /* parent */
+
+ state->read_from_child_fd = pipefd_from_child[0];
+ close(pipefd_from_child[1]);
+ sss_fd_nonblocking(state->read_from_child_fd);
+
+ state->write_to_child_fd = pipefd_to_child[1];
+ close(pipefd_to_child[0]);
+ sss_fd_nonblocking(state->write_to_child_fd);
+
+ /* Set up SIGCHLD handler */
+ ret = child_handler_setup(ev, child_pid, NULL, NULL, &state->child_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not set up child handlers [%d]: %s\n",
+ ret, sss_strerror(ret));
+ ret = ERR_P11_CHILD;
+ goto done;
+ }
+
+ /* Set up timeout handler */
+ tv = tevent_timeval_current_ofs(timeout, 0);
+ state->timeout_handler = tevent_add_timer(ev, req, tv,
+ p11_child_timeout, req);
+ if(state->timeout_handler == NULL) {
+ ret = ERR_P11_CHILD;
+ goto done;
+ }
+
+ if (pd->cmd == SSS_PAM_AUTHENTICATE) {
+ ret = get_p11_child_write_buffer(state, pd, &write_buf,
+ &write_buf_len);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "get_p11_child_write_buffer failed.\n");
+ goto done;
+ }
+ }
+
+ if (write_buf_len != 0) {
+ subreq = write_pipe_send(state, ev, write_buf, write_buf_len,
+ state->write_to_child_fd);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "write_pipe_send failed.\n");
+ ret = ERR_P11_CHILD;
+ goto done;
+ }
+ tevent_req_set_callback(subreq, p11_child_write_done, req);
+ } else {
+ subreq = read_pipe_send(state, ev, state->read_from_child_fd);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "read_pipe_send failed.\n");
+ ret = ERR_P11_CHILD;
+ goto done;
+ }
+ tevent_req_set_callback(subreq, p11_child_done, req);
+ }
+
+ /* Now either wait for the timeout to fire or the child
+ * to finish
+ */
+ } else { /* error */
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "fork failed [%d][%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+ return req;
+}
+
+static void p11_child_write_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct pam_check_cert_state *state = tevent_req_data(req,
+ struct pam_check_cert_state);
+ int ret;
+
+ ret = write_pipe_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ close(state->write_to_child_fd);
+ state->write_to_child_fd = -1;
+
+ subreq = read_pipe_send(state, state->ev, state->read_from_child_fd);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, p11_child_done, req);
+}
+
+static void p11_child_done(struct tevent_req *subreq)
+{
+ uint8_t *buf;
+ ssize_t buf_len;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct pam_check_cert_state *state = tevent_req_data(req,
+ struct pam_check_cert_state);
+ int ret;
+
+ talloc_zfree(state->timeout_handler);
+
+ ret = read_pipe_recv(subreq, state, &buf, &buf_len);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ close(state->read_from_child_fd);
+ state->read_from_child_fd = -1;
+
+ ret = parse_p11_child_response(state, buf, buf_len, &state->cert,
+ &state->token_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "parse_p11_child_respose failed.\n");
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+ return;
+}
+
+static void p11_child_timeout(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval tv, void *pvt)
+{
+ struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
+ struct pam_check_cert_state *state =
+ tevent_req_data(req, struct pam_check_cert_state);
+
+ DEBUG(SSSDBG_CRIT_FAILURE, "Timeout reached for p11_child.\n");
+ child_handler_destroy(state->child_ctx);
+ state->child_ctx = NULL;
+ state->child_status = ETIMEDOUT;
+ tevent_req_error(req, ERR_P11_CHILD);
+}
+
+errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ char **cert, char **token_name)
+{
+ struct pam_check_cert_state *state =
+ tevent_req_data(req, struct pam_check_cert_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (cert != NULL) {
+ *cert = talloc_steal(mem_ctx, state->cert);
+ }
+
+ if (token_name != NULL) {
+ *token_name = talloc_steal(mem_ctx, state->token_name);
+ }
+
+ return EOK;
+}
+
+errno_t add_pam_cert_response(struct pam_data *pd, const char *user,
+ const char *token_name)
+{
+ uint8_t *msg = NULL;
+ size_t user_len;
+ size_t msg_len;
+ size_t slot_len;
+ int ret;
+
+ if (user == NULL || token_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing mandatory user or slot name.\n");
+ return EINVAL;
+ }
+
+ user_len = strlen(user) + 1;
+ slot_len = strlen(token_name) + 1;
+ msg_len = user_len + slot_len;
+
+ msg = talloc_zero_size(pd, msg_len);
+ if (msg == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n");
+ return ENOMEM;
+ }
+
+ memcpy(msg, user, user_len);
+ memcpy(msg + user_len, token_name, slot_len);
+
+ ret = pam_add_response(pd, SSS_PAM_CERT_INFO, msg_len, msg);
+ talloc_free(msg);
+
+ return ret;
+}
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 3c4e938ae..f39ceba5e 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -417,6 +417,7 @@ enum response_type {
* @param Three zero terminated strings, if one of the
* strings is missing the message will contain only
* an empty string (\0) for that component. */
+ SSS_PAM_CERT_INFO,
SSS_OTP, /**< Indicates that the autotok was a OTP, so don't
* cache it. There is no message.
* @param None. */
diff --git a/src/tests/cmocka/p11_nssdb/cert9.db b/src/tests/cmocka/p11_nssdb/cert9.db
new file mode 100644
index 000000000..c639f5cac
--- /dev/null
+++ b/src/tests/cmocka/p11_nssdb/cert9.db
Binary files differ
diff --git a/src/tests/cmocka/p11_nssdb/key4.db b/src/tests/cmocka/p11_nssdb/key4.db
new file mode 100644
index 000000000..4eb06ee0a
--- /dev/null
+++ b/src/tests/cmocka/p11_nssdb/key4.db
Binary files differ
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 0f6c272df..3c70c5990 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -32,7 +32,10 @@
#include "sss_client/pam_message.h"
#include "sss_client/sss_cli.h"
+#include "util/crypto/sss_crypto.h"
+#ifdef HAVE_NSS
#include "util/crypto/nss/nss_util.h"
+#endif
#define TESTS_PATH "tests_pam"
#define TEST_CONF_DB "test_pam_conf.ldb"
@@ -40,6 +43,34 @@
#define TEST_SUBDOM_NAME "test.subdomain"
#define TEST_ID_PROVIDER "ldap"
+#define NSS_DB_PATH "./sssd_test_nssdb"
+#define NSS_DB "sql:"NSS_DB_PATH
+
+#define TEST_TOKEN_NAME "SSSD Test Token"
+#define TEST_TOKEN_CERT \
+"MIIECTCCAvGgAwIBAgIBCDANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \
+"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA2MjMx" \
+"NjMyMDdaFw0xNzA2MjMxNjMyMDdaMDIxEjAQBgNVBAoMCUlQQS5ERVZFTDEcMBoG" \
+"A1UEAwwTaXBhLWRldmVsLmlwYS5kZXZlbDCCASIwDQYJKoZIhvcNAQEBBQADggEP" \
+"ADCCAQoCggEBALXUq56VlY+Z0aWLLpFAjFfbElPBXGQsbZb85J3cGyPjaMHC9wS+" \
+"wjB6Ve4HmQyPLx8hbINdDmbawMHYQvTScLYfsqLtj0Lqw20sUUmedk+Es5Oh9VHo" \
+"nd8MavYx25Du2u+T0iSgNIDikXguiwCmtAj8VC49ebbgITcjJGzMmiiuJkV3o93Y" \
+"vvYF0VjLGDQbQWOy7IxzYJeNVJnZWKo67CHdok6qOrm9rxQt81rzwV/mGLbCMUbr" \
+"+N4M8URtd7EmzaYZQmNm//s2owFrCYMxpLiURPj+URZVuB72504/Ix7X0HCbA/AV" \
+"26J27fPY5nc8DMwfhUDCbTqPH/JEjd3mvY8CAwEAAaOCASYwggEiMB8GA1UdIwQY" \
+"MBaAFJOq+KAQmPEnNp8Wok23eGTdE7aDMDsGCCsGAQUFBwEBBC8wLTArBggrBgEF" \
+"BQcwAYYfaHR0cDovL2lwYS1jYS5pcGEuZGV2ZWwvY2Evb2NzcDAOBgNVHQ8BAf8E" \
+"BAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHQGA1UdHwRtMGsw" \
+"aaAxoC+GLWh0dHA6Ly9pcGEtY2EuaXBhLmRldmVsL2lwYS9jcmwvTWFzdGVyQ1JM" \
+"LmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRl" \
+"IEF1dGhvcml0eTAdBgNVHQ4EFgQUFaDNd5a53QGpaw5m63hnwXicMQ8wDQYJKoZI" \
+"hvcNAQELBQADggEBADH7Nj00qqGhGJeXJQAsepqSskz/wooqXh8vgVyb8SS4N0/c" \
+"0aQtVmY81xamlXE12ZFpwDX43d+EufBkwCUKFX/+8JFDd2doAyeJxv1xM22kKRpc" \
+"AqITPgMsa9ToGMWxjbVpc/X/5YfZixWPF0/eZUTotBj9oaR039UrhGfyN7OguF/G" \
+"rzmxtB5y4ZrMpcD/Oe90mkd9HY7sA/fB8OWOUgeRfQoh97HNS0UiDWsPtfxmjQG5" \
+"zotpoBIZmdH+ipYsu58HohHVlM9Wi5H4QmiiXl+Soldkq7eXYlafcmT7wv8+cKwz" \
+"Nz0Tm3+eYpFqRo3skr6QzXi525Jkg3r6r+kkhxU=" \
+
struct pam_test_ctx {
struct sss_test_ctx *tctx;
struct sss_domain_info *subdom;
@@ -56,6 +87,84 @@ struct pam_test_ctx {
/* Must be global because it is needed in some wrappers */
struct pam_test_ctx *pam_test_ctx;
+static errno_t setup_nss_db(void)
+{
+ int ret;
+ FILE *fp;
+ int status;
+ pid_t child_pid;
+
+ ret = mkdir(NSS_DB_PATH, 0775);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to create " NSS_DB_PATH ".\n");
+ return ret;
+ }
+
+ child_pid = fork();
+ if (child_pid == 0) { /* child */
+ ret = execlp("certutil", "certutil", "-N", "--empty-password", "-d",
+ NSS_DB, NULL);
+ if (ret == -1) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "execl() failed.\n");
+ exit(-1);
+ }
+ } else if (child_pid > 0) {
+ wait(&status);
+ } else {
+ ret = errno;
+ DEBUG(SSSDBG_FATAL_FAILURE, "fork() failed\n");
+ return ret;
+ }
+
+ fp = fopen(NSS_DB_PATH"/pkcs11.txt", "w");
+ if (fp == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fopen() failed.\n");
+ return ret;
+ }
+ ret = fprintf(fp, "library=libsoftokn3.so\nname=soft\n");
+ if (ret < 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
+ return ret;
+ }
+ ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/cmocka/p11_nssdb' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_SRC_DIR);
+ if (ret < 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
+ return ret;
+ }
+ ret = fclose(fp);
+ if (ret != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fclose() failed.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static void cleanup_nss_db(void)
+{
+ int ret;
+
+ ret = unlink(NSS_DB_PATH"/cert9.db");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to remove cert9.db.\n");
+ }
+
+ ret = unlink(NSS_DB_PATH"/key4.db");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to remove key4.db.\n");
+ }
+
+ ret = unlink(NSS_DB_PATH"/pkcs11.txt");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to remove pkcs11.db.\n");
+ }
+
+ ret = rmdir(NSS_DB_PATH);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to remove " NSS_DB_PATH "\n");
+ }
+}
+
struct pam_ctx *mock_pctx(TALLOC_CTX *mem_ctx)
{
struct pam_ctx *pctx;
@@ -113,6 +222,7 @@ void test_pam_setup(struct sss_test_conf_param params[],
assert_non_null(pam_test_ctx->cctx);
pam_test_ctx->cctx->cli_protocol_version = register_cli_protocol_version();
+ pam_test_ctx->cctx->ev = pam_test_ctx->tctx->ev;
}
static int pam_test_setup(void **state)
@@ -141,6 +251,22 @@ static int pam_test_setup(void **state)
discard_const("pamuser"),
pam_test_ctx->pctx->id_timeout);
assert_int_equal(ret, EOK);
+
+ /* Prime the cache with a user for wrong matches */
+ ret = sysdb_add_user(pam_test_ctx->tctx->dom,
+ "wronguser", 321, 654, "wrong user",
+ "/home/wringuser", "/bin/sh", NULL,
+ NULL, 300, 0);
+ assert_int_equal(ret, EOK);
+
+ /* Add entry to the initgr cache to make sure no initgr request is sent to
+ * the backend */
+ ret = pam_initgr_cache_set(pam_test_ctx->pctx->rctx->ev,
+ pam_test_ctx->pctx->id_table,
+ discard_const("wronguser"),
+ pam_test_ctx->pctx->id_timeout);
+ assert_int_equal(ret, EOK);
+
return 0;
}
@@ -151,12 +277,19 @@ static int pam_test_teardown(void **state)
ret = sysdb_delete_user(pam_test_ctx->tctx->dom, "pamuser", 0);
assert_int_equal(ret, EOK);
+ ret = sysdb_delete_user(pam_test_ctx->tctx->dom, "wronguser", 0);
+ assert_int_equal(ret, EOK);
+
talloc_free(pam_test_ctx);
return 0;
}
typedef int (*cmd_cb_fn_t)(uint32_t, uint8_t *, size_t);
+
+int __real_read_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ uint8_t **buf, ssize_t *len);
+
void __real_sss_packet_get_body(struct sss_packet *packet,
uint8_t **body, size_t *blen);
@@ -239,8 +372,13 @@ static void mock_input_pam(TALLOC_CTX *mem_ctx, const char *name,
size_t needed_size;
uint8_t *authtok;
- pi.pam_user = name;
- pi.pam_user_size = strlen(pi.pam_user) + 1;
+ if (name != NULL) {
+ pi.pam_user = name;
+ pi.pam_user_size = strlen(pi.pam_user) + 1;
+ } else {
+ pi.pam_user = "";
+ pi.pam_user_size = 0;
+ }
if (pwd != NULL) {
if (fa2 != NULL) {
@@ -287,6 +425,52 @@ static void mock_input_pam(TALLOC_CTX *mem_ctx, const char *name,
will_return(__wrap_sss_packet_get_body, buf_size);
}
+static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
+ const char *pin)
+{
+ size_t buf_size;
+ uint8_t *m_buf;
+ uint8_t *buf;
+ struct pam_items pi = { 0 };
+ int ret;
+
+ if (name != NULL) {
+ pi.pam_user = name;
+ pi.pam_user_size = strlen(pi.pam_user) + 1;
+ } else {
+ pi.pam_user = "";
+ pi.pam_user_size = 0;
+ }
+
+ if (pin != NULL) {
+ pi.pam_authtok = discard_const(pin);
+ pi.pam_authtok_size = strlen(pi.pam_authtok) + 1;
+ pi.pam_authtok_type = SSS_AUTHTOK_TYPE_SC_PIN;
+ }
+
+ pi.pam_service = "login";
+ pi.pam_service_size = strlen(pi.pam_service) + 1;
+ pi.pam_tty = "/dev/tty";
+ pi.pam_tty_size = strlen(pi.pam_tty) + 1;
+ pi.pam_ruser = "remuser";
+ pi.pam_ruser_size = strlen(pi.pam_ruser) + 1;
+ pi.pam_rhost = "remhost";
+ pi.pam_rhost_size = strlen(pi.pam_rhost) + 1;
+ pi.requested_domains = "";
+ pi.cli_pid = 12345;
+
+ ret = pack_message_v3(&pi, &buf_size, &m_buf);
+ assert_int_equal(ret, 0);
+
+ buf = talloc_memdup(mem_ctx, m_buf, buf_size);
+ free(m_buf);
+ assert_non_null(buf);
+
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, buf);
+ will_return(__wrap_sss_packet_get_body, buf_size);
+}
+
static int test_pam_simple_check(uint32_t status, uint8_t *body, size_t blen)
{
size_t rp = 0;
@@ -312,6 +496,46 @@ static int test_pam_simple_check(uint32_t status, uint8_t *body, size_t blen)
return EOK;
}
+static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
+{
+ size_t rp = 0;
+ uint32_t val;
+
+ assert_int_equal(status, 0);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, pam_test_ctx->exp_pam_status);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 2);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 9);
+
+ assert_int_equal(*(body + rp + val - 1), 0);
+ assert_string_equal(body + rp, TEST_DOM_NAME);
+ rp += val;
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, SSS_PAM_CERT_INFO);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
+
+ assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
+ assert_string_equal(body + rp, "pamuser");
+ rp += sizeof("pamuser");
+
+ assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
+ assert_string_equal(body + rp, TEST_TOKEN_NAME);
+
+ return EOK;
+}
+
+
static int test_pam_offline_chauthtok_check(uint32_t status,
uint8_t *body, size_t blen)
{
@@ -372,6 +596,23 @@ static int test_pam_wrong_pw_offline_auth_check(uint32_t status,
return test_pam_simple_check(status, body, blen);
}
+static int test_pam_user_unknown_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ size_t rp = 0;
+ uint32_t val;
+
+ assert_int_equal(status, 0);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, PAM_USER_UNKNOWN);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 0);
+
+ return EOK;
+}
+
void test_pam_authenticate(void **state)
{
int ret;
@@ -859,6 +1100,245 @@ void test_pam_offline_chauthtok(void **state)
assert_int_equal(ret, EOK);
}
+static void set_cert_auth_param(struct pam_ctx *pctx, const char *dbpath)
+{
+ pam_test_ctx->pctx->cert_auth = true;
+ pam_test_ctx->pctx->nss_db = discard_const(dbpath);
+}
+
+void test_pam_preauth_cert_nocert(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+static int test_lookup_by_cert_cb(void *pvt)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ unsigned char *der = NULL;
+ size_t der_size;
+
+ if (pvt != NULL) {
+
+ attrs = sysdb_new_attrs(pam_test_ctx);
+ assert_non_null(attrs);
+
+ der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
+ assert_non_null(der);
+
+ ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
+ talloc_free(der);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom, "pamuser", attrs,
+ LDB_FLAG_MOD_ADD);
+ assert_int_equal(ret, EOK);
+ }
+
+ return EOK;
+}
+
+static int test_lookup_by_cert_wrong_user_cb(void *pvt)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ unsigned char *der = NULL;
+ size_t der_size;
+
+ if (pvt != NULL) {
+ attrs = sysdb_new_attrs(pam_test_ctx);
+ assert_non_null(attrs);
+
+ der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
+ assert_non_null(der);
+
+ ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
+ talloc_free(der);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom, "wronguser", attrs,
+ LDB_FLAG_MOD_ADD);
+ assert_int_equal(ret, EOK);
+ }
+
+ return EOK;
+}
+
+
+void test_pam_preauth_cert_nomatch(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb, NULL);
+
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_preauth_cert_match(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb,
+ discard_const(TEST_TOKEN_CERT));
+
+ set_cmd_cb(test_pam_cert_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_preauth_cert_match_wrong_user(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ mock_account_recv(0, 0, NULL, test_lookup_by_cert_wrong_user_cb,
+ discard_const(TEST_TOKEN_CERT));
+
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+
+void test_pam_preauth_cert_no_logon_name(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
+
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb,
+ discard_const(TEST_TOKEN_CERT));
+
+ set_cmd_cb(test_pam_cert_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_preauth_no_cert_no_logon_name(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
+
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_user_unknown_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_preauth_cert_no_logon_name_no_match(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
+
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb, NULL);
+
+ set_cmd_cb(test_pam_user_unknown_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_auth(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456");
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb,
+ discard_const(TEST_TOKEN_CERT));
+
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
int main(int argc, const char *argv[])
{
int rv;
@@ -925,6 +1405,23 @@ int main(int argc, const char *argv[])
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_offline_chauthtok,
pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nocert,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nomatch,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match_wrong_user,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_no_logon_name,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_no_cert_no_logon_name,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(
+ test_pam_preauth_cert_no_logon_name_no_match,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth,
+ pam_test_setup, pam_test_teardown),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
@@ -950,8 +1447,16 @@ int main(int argc, const char *argv[])
test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
test_dom_suite_setup(TESTS_PATH);
+ cleanup_nss_db();
+ rv = setup_nss_db();
+ if (rv != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "setup_nss_db failed.\n");
+ exit(-1);
+ }
+
rv = cmocka_run_group_tests(tests, NULL, NULL);
if (rv == 0 && !no_cleanup) {
+ cleanup_nss_db();
test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
}
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 61818c9fc..735f6dcfc 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -78,6 +78,7 @@ struct err_string error_to_str[] = {
{ "Unsupported trust direction" }, /* ERR_TRUST_NOT_SUPPORTED */
{ "Retrieving keytab failed" }, /* ERR_IPA_GETKEYTAB_FAILED */
{ "Trusted forest root unknown" }, /* ERR_TRUST_FOREST_UNKNOWN */
+ { "p11_child failed" }, /* ERR_P11_CHILD */
{ "ERR_LAST" } /* ERR_LAST */
};
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index 7e03f00e8..fbfbdef33 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -100,6 +100,7 @@ enum sssd_errors {
ERR_TRUST_NOT_SUPPORTED,
ERR_IPA_GETKEYTAB_FAILED,
ERR_TRUST_FOREST_UNKNOWN,
+ ERR_P11_CHILD,
ERR_LAST /* ALWAYS LAST */
};
generated by cgit (git 2.34.1) at 2024-04-16 07:13:29 +0000