author | Sumit Bose <sbose@redhat.com> | 2015-11-05 18:20:27 +0100 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-11-26 16:39:49 +0100 |
commit | 544a20de7667f05c1a406c4dea0706b0ab507430 (patch) | |
tree | dca48b12957626f2ebae2fb2b0f9a96ef617713e /src/responder/pam/pamsrv_p11.c | |
parent | d0de7701d44c7a75210a9cb04634913ce3a94bfb (diff) | |
p11: enable ocsp checks
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification easier, it is not a standalone option but a
sub-option of the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/responder/pam/pamsrv_p11.c')
-rw-r--r-- | src/responder/pam/pamsrv_p11.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index afb28fd52..58310a253 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -236,6 +236,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
                                        int child_debug_fd,
                                        const char *nss_db,
                                        time_t timeout,
+                                       const char *verify_opts,
                                        struct pam_data *pd)
 {
     errno_t ret;
@@ -246,9 +247,10 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
     struct timeval tv;
     int pipefd_to_child[2];
     int pipefd_from_child[2];
-    const char *extra_args[5] = {NULL, NULL, NULL, NULL, NULL};
+    const char *extra_args[7] = { NULL };
     uint8_t *write_buf = NULL;
     size_t write_buf_len = 0;
+    size_t arg_c;
     req = tevent_req_create(mem_ctx, &state, struct pam_check_cert_state);
     if (req == NULL) {
@@ -262,16 +264,21 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
     }
     /* extra_args are added in revers order */
-    extra_args[1] = "--nssdb";
-    extra_args[0] = nss_db;
+    arg_c = 0;
+    extra_args[arg_c++] = nss_db;
+    extra_args[arg_c++] = "--nssdb";
+    if (verify_opts != NULL) {
+        extra_args[arg_c++] = verify_opts;
+        extra_args[arg_c++] = "--verify";
+    }
     if (pd->cmd == SSS_PAM_AUTHENTICATE) {
-        extra_args[2] = "--auth";
+        extra_args[arg_c++] = "--auth";
         switch (sss_authtok_get_type(pd->authtok)) {
         case SSS_AUTHTOK_TYPE_SC_PIN:
-            extra_args[3] = "--pin";
+            extra_args[arg_c++] = "--pin";
             break;
         case SSS_AUTHTOK_TYPE_SC_KEYPAD:
-            extra_args[3] = "--keypad";
+            extra_args[arg_c++] = "--keypad";
             break;
         default:
             DEBUG(SSSDBG_OP_FAILURE, "Unsupported authtok type.\n");
@@ -279,7 +286,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
             goto done;
         }
     } else if (pd->cmd == SSS_PAM_PREAUTH) {
-        extra_args[2] = "--pre";
+        extra_args[arg_c++] = "--pre";
     } else {
         DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected PAM command [%d}.\n", pd->cmd);
         ret = EINVAL;
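Review bot: The `extra_args[arg_c++]` writes in the third hunk are never checked against the array bound, so the terminating NULL that `extra_args[7] = { NULL }` in the second hunk provides survives only because the largest possible argument list (nss_db, --nssdb, verify_opts, --verify, --auth, --pin or --keypad) is exactly six entries; the next option added here would silently overrun the array and lose the terminator the child's argv presumably depends on. I would at least tie the size to that count with a comment on the declaration, `/* at most 6 arguments (see the --nssdb/--verify/--auth/--pin|--keypad pairs below) plus the terminating NULL */`, and add a sanity check before the child is spawned, `if (arg_c >= sizeof(extra_args) / sizeof(extra_args[0])) { ret = EINVAL; goto done; }`. The new `verify_opts` parameter in the first hunk also carries no contract: the third hunk shows that NULL simply omits the `--verify` pair, so a one-line comment on the parameter stating that NULL leaves verification at the child's defaults would help callers. pam_check_cert_send continues past the last hunk.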