authorSumit Bose <sbose@redhat.com>2017-05-08 16:02:36 +0200
committerLukas Slebodnik <lslebodn@redhat.com>2017-06-01 16:33:56 +0200
commit6073cfc40747cd6d3142f0f98b880fc390dd7aad (patch)
tree9aa7b3cc0c0c84e522f6cb808e2d282a5206f80f /src/responder
parenta192a1d72e92dae3e71e062b333e51a5095a0395 (diff)
add_pam_cert_response: add support for SSS_PAM_CERT_INFO_WITH_HINT
Related to https://pagure.io/SSSD/sssd/issue/3395
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r--src/responder/pam/pamsrv.h2
-rw-r--r--src/responder/pam/pamsrv_cmd.c3
-rw-r--r--src/responder/pam/pamsrv_p11.c21
3 files changed, 18 insertions, 8 deletions
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index b569748fe..57a37b725 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -101,7 +101,7 @@ errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
errno_t add_pam_cert_response(struct pam_data *pd, const char *user,
const char *token_name, const char *module_name,
- const char *key_id);
+ const char *key_id, enum response_type type);
bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd);
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 36dba3796..080cfafa7 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1846,7 +1846,8 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
ret = add_pam_cert_response(preq->pd, cert_user,
preq->token_name,
preq->module_name,
- preq->key_id);
+ preq->key_id,
+ SSS_PAM_CERT_INFO);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "add_pam_cert_response failed.\n");
preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 365300b90..4dce43800 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -580,7 +580,7 @@ errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
const char *token_name, const char *module_name,
- const char *key_id)
+ const char *key_id, enum response_type type)
{
uint8_t *msg = NULL;
char *env = NULL;
@@ -590,14 +590,23 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
size_t module_len;
size_t key_id_len;
int ret;
+ const char *username = "";
- if (sysdb_username == NULL || token_name == NULL || module_name == NULL
- || key_id == NULL) {
+ if (type != SSS_PAM_CERT_INFO && type != SSS_PAM_CERT_INFO_WITH_HINT) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid response type [%d].\n", type);
+ return EINVAL;
+ }
+
+ if ((type == SSS_PAM_CERT_INFO && sysdb_username == NULL)
+ || token_name == NULL || module_name == NULL || key_id == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Missing mandatory user or slot name.\n");
return EINVAL;
}
- user_len = strlen(sysdb_username) + 1;
+ if (sysdb_username != NULL) {
+ username = sysdb_username;
+ }
+ user_len = strlen(username) + 1;
slot_len = strlen(token_name) + 1;
module_len = strlen(module_name) + 1;
key_id_len = strlen(key_id) + 1;
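Review bot: The new `type` parameter and the relaxed NULL rule for `sysdb_username` are not documented where a caller sees them; from the checks added here a NULL user is accepted only for SSS_PAM_CERT_INFO_WITH_HINT and is then sent as an empty string, which a caller of the prototype in pamsrv.h should not have to read this body to learn. A short block comment above the definition (or the prototype) stating that `type` must be SSS_PAM_CERT_INFO or SSS_PAM_CERT_INFO_WITH_HINT, that `sysdb_username` may be NULL only for the latter, and that the first field of the message is then empty would cover it. The default-plus-reassignment of `username` could also collapse into the declaration, `const char *username = (sysdb_username != NULL) ? sysdb_username : "";`, which keeps the file's declare-at-top style and drops the later `if`. add_pam_cert_response continues beyond this hunk.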
@@ -616,12 +625,12 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
* re_expression config option was set in a way that user@domain cannot be
* handled anymore some more logic has to be added here. But for the time
* being I think using sysdb_username is fine. */
- memcpy(msg, sysdb_username, user_len);
+ memcpy(msg, username, user_len);
memcpy(msg + user_len, token_name, slot_len);
memcpy(msg + user_len + slot_len, module_name, module_len);
memcpy(msg + user_len + slot_len + module_len, key_id, key_id_len);
- ret = pam_add_response(pd, SSS_PAM_CERT_INFO, msg_len, msg);
+ ret = pam_add_response(pd, type, msg_len, msg);
talloc_free(msg);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
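Review bot: The comment preceding the first memcpy still explains why `sysdb_username` is copied as the first field, but that copy now uses `username`, which is the empty string when a SSS_PAM_CERT_INFO_WITH_HINT response is built without a user; a reader of the layout `user\0token\0module\0key_id\0` will otherwise assume the first field is never empty. Appending a sentence such as `For SSS_PAM_CERT_INFO_WITH_HINT the user name may be absent and is sent as an empty string, so the receiving side must not treat a leading NUL as the end of the message.` would keep the comment accurate. Whether the consumer of these responses already copes with an empty first field cannot be checked from this diff and is worth confirming. The function continues past the end of the hunk.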