70e9980ac6
- Resolves: rhbz#1060325 - Does sssd-ad use the most suitable attribute for group name - Resolves: upstream #2335 - Investigate using the krb5 responder for driving the PAM conversation with OTPs - Enable cmocka tests for secondary architectures
From 5f7544073f03badac2c2c9f20bcff67aff003fe8 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Wed, 18 Mar 2015 16:02:47 +0100
|
|
Subject: [PATCH 113/114] pam_sss: move message encoding into separate file
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
(cherry picked from commit bf6c3f07d653d474da9e43b2b7cced57fc4ea069)
|
|
---
|
|
Makefile.am | 2 +
|
|
src/sss_client/pam_message.c | 178 +++++++++++++++++++++++++++++++++++++++++++
|
|
src/sss_client/pam_message.h | 61 +++++++++++++++
|
|
src/sss_client/pam_sss.c | 177 +-----------------------------------------
|
|
4 files changed, 242 insertions(+), 176 deletions(-)
|
|
create mode 100644 src/sss_client/pam_message.c
|
|
create mode 100644 src/sss_client/pam_message.h
|
|
|
|
diff --git a/Makefile.am b/Makefile.am
|
|
index 312901da3315e2d0471055541a114a8be36dc976..84819fc6a20d9e713786a55c2b6aa909405aa459 100644
|
|
--- a/Makefile.am
|
|
+++ b/Makefile.am
|
|
@@ -614,6 +614,7 @@ dist_noinst_HEADERS = \
|
|
src/tests/cmocka/common_mock_resp.h \
|
|
src/tests/cmocka/common_mock_sdap.h \
|
|
src/tests/cmocka/common_mock_sysdb_objects.h \
|
|
+ src/sss_client/pam_message.h \
|
|
src/sss_client/ssh/sss_ssh_client.h \
|
|
src/sss_client/sudo/sss_sudo.h \
|
|
src/sss_client/libwbclient/libwbclient.h \
|
|
@@ -2350,6 +2351,7 @@ endif
|
|
pamlib_LTLIBRARIES = pam_sss.la
|
|
pam_sss_la_SOURCES = \
|
|
src/sss_client/pam_sss.c \
|
|
+ src/sss_client/pam_message.c \
|
|
src/sss_client/common.c \
|
|
src/sss_client/sss_cli.h \
|
|
src/util/atomic_io.c \
|
|
diff --git a/src/sss_client/pam_message.c b/src/sss_client/pam_message.c
|
|
new file mode 100644
|
|
index 0000000000000000000000000000000000000000..b8104c680d0e733b713c665e6206dc4b0d379237
|
|
--- /dev/null
|
|
+++ b/src/sss_client/pam_message.c
|
|
@@ -0,0 +1,178 @@
|
|
+/*
|
|
+ Authors:
|
|
+ Sumit Bose <sbose@redhat.com>
|
|
+
|
|
+ PAM client - create message blob
|
|
+
|
|
+ Copyright (C) 2015 Red Hat
|
|
+
|
|
+ This program is free software; you can redistribute it and/or modify
|
|
+ it under the terms of the GNU Lesser General Public License as published by
|
|
+ the Free Software Foundation; either version 3 of the License, or
|
|
+ (at your option) any later version.
|
|
+
|
|
+ This program is distributed in the hope that it will be useful,
|
|
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ GNU Lesser General Public License for more details.
|
|
+
|
|
+ You should have received a copy of the GNU Lesser General Public License
|
|
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+*/
|
|
+
|
|
+#include <stdlib.h>
|
|
+#include <security/pam_modules.h>
|
|
+
|
|
+#include "sss_pam_compat.h"
|
|
+#include "sss_pam_macros.h"
|
|
+
|
|
+#include "pam_message.h"
|
|
+
|
|
+#include "sss_cli.h"
|
|
+
|
|
+static size_t add_authtok_item(enum pam_item_type type,
|
|
+ enum sss_authtok_type authtok_type,
|
|
+ const char *tok, const size_t size,
|
|
+ uint8_t *buf)
|
|
+{
|
|
+ size_t rp = 0;
|
|
+ uint32_t c;
|
|
+
|
|
+ if (tok == NULL) return 0;
|
|
+
|
|
+ c = type;
|
|
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
+ rp += sizeof(uint32_t);
|
|
+
|
|
+ c = size + sizeof(uint32_t);
|
|
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
+ rp += sizeof(uint32_t);
|
|
+
|
|
+ c = authtok_type;
|
|
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
+ rp += sizeof(uint32_t);
|
|
+
|
|
+ memcpy(&buf[rp], tok, size);
|
|
+ rp += size;
|
|
+
|
|
+ return rp;
|
|
+}
|
|
+
|
|
+static size_t add_uint32_t_item(enum pam_item_type type, const uint32_t val,
|
|
+ uint8_t *buf)
|
|
+{
|
|
+ size_t rp = 0;
|
|
+ uint32_t c;
|
|
+
|
|
+ c = type;
|
|
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
+ rp += sizeof(uint32_t);
|
|
+
|
|
+ c = sizeof(uint32_t);
|
|
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
+ rp += sizeof(uint32_t);
|
|
+
|
|
+ c = val;
|
|
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
+ rp += sizeof(uint32_t);
|
|
+
|
|
+ return rp;
|
|
+}
|
|
+
|
|
+static size_t add_string_item(enum pam_item_type type, const char *str,
|
|
+ const size_t size, uint8_t *buf)
|
|
+{
|
|
+ size_t rp = 0;
|
|
+ uint32_t c;
|
|
+
|
|
+ if (str == NULL || *str == '\0') return 0;
|
|
+
|
|
+ c = type;
|
|
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
+ rp += sizeof(uint32_t);
|
|
+
|
|
+ c = size;
|
|
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
+ rp += sizeof(uint32_t);
|
|
+
|
|
+ memcpy(&buf[rp], str, size);
|
|
+ rp += size;
|
|
+
|
|
+ return rp;
|
|
+}
|
|
+
|
|
+int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)
|
|
+{
|
|
+ int len;
|
|
+ uint8_t *buf;
|
|
+ size_t rp;
|
|
+
|
|
+ len = sizeof(uint32_t) +
|
|
+ 2*sizeof(uint32_t) + pi->pam_user_size +
|
|
+ sizeof(uint32_t);
|
|
+ len += *pi->pam_service != '\0' ?
|
|
+ 2*sizeof(uint32_t) + pi->pam_service_size : 0;
|
|
+ len += *pi->pam_tty != '\0' ?
|
|
+ 2*sizeof(uint32_t) + pi->pam_tty_size : 0;
|
|
+ len += *pi->pam_ruser != '\0' ?
|
|
+ 2*sizeof(uint32_t) + pi->pam_ruser_size : 0;
|
|
+ len += *pi->pam_rhost != '\0' ?
|
|
+ 2*sizeof(uint32_t) + pi->pam_rhost_size : 0;
|
|
+ len += pi->pam_authtok != NULL ?
|
|
+ 3*sizeof(uint32_t) + pi->pam_authtok_size : 0;
|
|
+ len += pi->pam_newauthtok != NULL ?
|
|
+ 3*sizeof(uint32_t) + pi->pam_newauthtok_size : 0;
|
|
+ len += 3*sizeof(uint32_t); /* cli_pid */
|
|
+ len += *pi->requested_domains != '\0' ?
|
|
+ 2*sizeof(uint32_t) + pi->requested_domains_size : 0;
|
|
+
|
|
+ buf = malloc(len);
|
|
+ if (buf == NULL) {
|
|
+ D(("malloc failed."));
|
|
+ return PAM_BUF_ERR;
|
|
+ }
|
|
+
|
|
+ rp = 0;
|
|
+ SAFEALIGN_SETMEM_UINT32(buf, SSS_START_OF_PAM_REQUEST, &rp);
|
|
+
|
|
+ rp += add_string_item(SSS_PAM_ITEM_USER, pi->pam_user, pi->pam_user_size,
|
|
+ &buf[rp]);
|
|
+
|
|
+ rp += add_string_item(SSS_PAM_ITEM_SERVICE, pi->pam_service,
|
|
+ pi->pam_service_size, &buf[rp]);
|
|
+
|
|
+ rp += add_string_item(SSS_PAM_ITEM_TTY, pi->pam_tty, pi->pam_tty_size,
|
|
+ &buf[rp]);
|
|
+
|
|
+ rp += add_string_item(SSS_PAM_ITEM_RUSER, pi->pam_ruser, pi->pam_ruser_size,
|
|
+ &buf[rp]);
|
|
+
|
|
+ rp += add_string_item(SSS_PAM_ITEM_RHOST, pi->pam_rhost, pi->pam_rhost_size,
|
|
+ &buf[rp]);
|
|
+
|
|
+ rp += add_string_item(SSS_PAM_ITEM_REQUESTED_DOMAINS, pi->requested_domains, pi->requested_domains_size,
|
|
+ &buf[rp]);
|
|
+
|
|
+ rp += add_uint32_t_item(SSS_PAM_ITEM_CLI_PID, (uint32_t) pi->cli_pid,
|
|
+ &buf[rp]);
|
|
+
|
|
+ rp += add_authtok_item(SSS_PAM_ITEM_AUTHTOK, pi->pam_authtok_type,
|
|
+ pi->pam_authtok, pi->pam_authtok_size, &buf[rp]);
|
|
+
|
|
+ rp += add_authtok_item(SSS_PAM_ITEM_NEWAUTHTOK, pi->pam_newauthtok_type,
|
|
+ pi->pam_newauthtok, pi->pam_newauthtok_size,
|
|
+ &buf[rp]);
|
|
+
|
|
+ SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp);
|
|
+
|
|
+ if (rp != len) {
|
|
+ D(("error during packet creation."));
|
|
+ free(buf);
|
|
+ return PAM_BUF_ERR;
|
|
+ }
|
|
+
|
|
+ *size = len;
|
|
+ *buffer = buf;
|
|
+
|
|
+ return 0;
|
|
+}
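Review bot: `pack_message_v3` declares `len` as `int` while every term it accumulates is `size_t` (`int len;` followed by the `2*sizeof(uint32_t) + pi->..._size` sums), so `rp != len` is a signed/unsigned comparison and the length is narrowed and then widened again in `*size = len;`; declaring `size_t len;` keeps the whole computation in one type. The new translation unit also calls `memcpy` in all three helpers without including `<string.h>` itself — it presumably arrives through `sss_cli.h`, but a file moved out on its own should include what it uses. None of the functions carries a comment describing the layout they produce (a `SSS_START_OF_PAM_REQUEST` marker, then type/length/payload items, then `SSS_END_OF_PAM_REQUEST`) or that `*buffer` is heap-allocated and owned by the caller on a 0 return; a short block comment above `pack_message_v3` stating both would help now that this is the module's public entry point. The code is moved unchanged from pam_sss.c, so these points applied to the original as well.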
|
|
diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h
|
|
new file mode 100644
|
|
index 0000000000000000000000000000000000000000..8ade6d871b840d4d0153bbf56e0d458861ab3816
|
|
--- /dev/null
|
|
+++ b/src/sss_client/pam_message.h
|
|
@@ -0,0 +1,61 @@
|
|
+/*
|
|
+ Authors:
|
|
+ Sumit Bose <sbose@redhat.com>
|
|
+
|
|
+ Copyright (C) 2015 Red Hat
|
|
+
|
|
+ PAM client - create message blob
|
|
+
|
|
+ This program is free software; you can redistribute it and/or modify
|
|
+ it under the terms of the GNU Lesser General Public License as published by
|
|
+ the Free Software Foundation; either version 3 of the License, or
|
|
+ (at your option) any later version.
|
|
+
|
|
+ This program is distributed in the hope that it will be useful,
|
|
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ GNU Lesser General Public License for more details.
|
|
+
|
|
+ You should have received a copy of the GNU Lesser General Public License
|
|
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+*/
|
|
+
|
|
+#ifndef _PAM_MESSAGE_H_
|
|
+#define _PAM_MESSAGE_H_
|
|
+
|
|
+#include <unistd.h>
|
|
+#include <stdint.h>
|
|
+
|
|
+struct pam_items {
|
|
+ const char *pam_service;
|
|
+ const char *pam_user;
|
|
+ const char *pam_tty;
|
|
+ const char *pam_ruser;
|
|
+ const char *pam_rhost;
|
|
+ char *pam_authtok;
|
|
+ char *pam_newauthtok;
|
|
+ const char *pamstack_authtok;
|
|
+ const char *pamstack_oldauthtok;
|
|
+ size_t pam_service_size;
|
|
+ size_t pam_user_size;
|
|
+ size_t pam_tty_size;
|
|
+ size_t pam_ruser_size;
|
|
+ size_t pam_rhost_size;
|
|
+ int pam_authtok_type;
|
|
+ size_t pam_authtok_size;
|
|
+ int pam_newauthtok_type;
|
|
+ size_t pam_newauthtok_size;
|
|
+ pid_t cli_pid;
|
|
+ const char *login_name;
|
|
+ char *domain_name;
|
|
+ const char *requested_domains;
|
|
+ size_t requested_domains_size;
|
|
+ char *otp_vendor;
|
|
+ char *otp_token_id;
|
|
+ char *otp_challenge;
|
|
+ char *first_factor;
|
|
+};
|
|
+
|
|
+int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer);
|
|
+
|
|
+#endif /* _PAM_MESSAGE_H_ */
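Review bot: The include guard `_PAM_MESSAGE_H_` is a reserved identifier (leading underscore followed by an uppercase letter belongs to the implementation); `#ifndef PAM_MESSAGE_H_` / `#define PAM_MESSAGE_H_` avoids the clash. The declaration of `pack_message_v3` is the public contract of the new file but has no comment: a Doxygen block should say that it returns 0 on success or `PAM_BUF_ERR` when allocation fails or the packed length does not match the precomputed one (as the pam_message.c side of this commit shows), that `*size` and `*buffer` are only written on success, and that the caller owns `*buffer` and must `free()` it. Since the implementation only reads through `pi`, `const struct pam_items *pi` would also document that the items are not modified.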
|
|
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
index f11871a47d1b29f44c179e57a33d8f41be79078d..e01c5031650d3837a23f8a7404d334a9d2f55441 100644
|
|
--- a/src/sss_client/pam_sss.c
|
|
+++ b/src/sss_client/pam_sss.c
|
|
@@ -40,6 +40,7 @@
|
|
#include "sss_pam_macros.h"
|
|
|
|
#include "sss_cli.h"
|
|
+#include "pam_message.h"
|
|
#include "util/atomic_io.h"
|
|
#include "util/authtok-utils.h"
|
|
|
|
@@ -65,36 +66,6 @@
|
|
#define EXP_ACC_MSG _("Permission denied. ")
|
|
#define SRV_MSG _("Server message: ")
|
|
|
|
-struct pam_items {
|
|
- const char* pam_service;
|
|
- const char* pam_user;
|
|
- const char* pam_tty;
|
|
- const char* pam_ruser;
|
|
- const char* pam_rhost;
|
|
- char* pam_authtok;
|
|
- char* pam_newauthtok;
|
|
- const char* pamstack_authtok;
|
|
- const char* pamstack_oldauthtok;
|
|
- size_t pam_service_size;
|
|
- size_t pam_user_size;
|
|
- size_t pam_tty_size;
|
|
- size_t pam_ruser_size;
|
|
- size_t pam_rhost_size;
|
|
- int pam_authtok_type;
|
|
- size_t pam_authtok_size;
|
|
- int pam_newauthtok_type;
|
|
- size_t pam_newauthtok_size;
|
|
- pid_t cli_pid;
|
|
- const char *login_name;
|
|
- char *domain_name;
|
|
- const char *requested_domains;
|
|
- size_t requested_domains_size;
|
|
- char *otp_vendor;
|
|
- char *otp_token_id;
|
|
- char *otp_challenge;
|
|
- char *first_factor;
|
|
-};
|
|
-
|
|
#define DEBUG_MGS_LEN 1024
|
|
#define MAX_AUTHTOK_SIZE (1024*1024)
|
|
#define CHECK_AND_RETURN_PI_STRING(s) ((s != NULL && *s != '\0')? s : "(not available)")
|
|
@@ -146,75 +117,6 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err)
|
|
sss_pam_close_fd();
|
|
}
|
|
|
|
-static size_t add_authtok_item(enum pam_item_type type,
|
|
- enum sss_authtok_type authtok_type,
|
|
- const char *tok, const size_t size,
|
|
- uint8_t *buf) {
|
|
- size_t rp=0;
|
|
- uint32_t c;
|
|
-
|
|
- if (tok == NULL) return 0;
|
|
-
|
|
- c = type;
|
|
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
- rp += sizeof(uint32_t);
|
|
-
|
|
- c = size + sizeof(uint32_t);
|
|
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
- rp += sizeof(uint32_t);
|
|
-
|
|
- c = authtok_type;
|
|
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
- rp += sizeof(uint32_t);
|
|
-
|
|
- memcpy(&buf[rp], tok, size);
|
|
- rp += size;
|
|
-
|
|
- return rp;
|
|
-}
|
|
-
|
|
-
|
|
-static size_t add_uint32_t_item(enum pam_item_type type, const uint32_t val,
|
|
- uint8_t *buf) {
|
|
- size_t rp=0;
|
|
- uint32_t c;
|
|
-
|
|
- c = type;
|
|
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
- rp += sizeof(uint32_t);
|
|
-
|
|
- c = sizeof(uint32_t);
|
|
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
- rp += sizeof(uint32_t);
|
|
-
|
|
- c = val;
|
|
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
- rp += sizeof(uint32_t);
|
|
-
|
|
- return rp;
|
|
-}
|
|
-
|
|
-static size_t add_string_item(enum pam_item_type type, const char *str,
|
|
- const size_t size, uint8_t *buf) {
|
|
- size_t rp=0;
|
|
- uint32_t c;
|
|
-
|
|
- if (str == NULL || *str == '\0') return 0;
|
|
-
|
|
- c = type;
|
|
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
- rp += sizeof(uint32_t);
|
|
-
|
|
- c = size;
|
|
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
|
- rp += sizeof(uint32_t);
|
|
-
|
|
- memcpy(&buf[rp], str, size);
|
|
- rp += size;
|
|
-
|
|
- return rp;
|
|
-}
|
|
-
|
|
static void overwrite_and_free_authtoks(struct pam_items *pi)
|
|
{
|
|
if (pi->pam_authtok != NULL) {
|
|
@@ -256,83 +158,6 @@ static void overwrite_and_free_pam_items(struct pam_items *pi)
|
|
pi->otp_challenge = NULL;
|
|
}
|
|
|
|
-static int pack_message_v3(struct pam_items *pi, size_t *size,
|
|
- uint8_t **buffer) {
|
|
- int len;
|
|
- uint8_t *buf;
|
|
- size_t rp;
|
|
-
|
|
- len = sizeof(uint32_t) +
|
|
- 2*sizeof(uint32_t) + pi->pam_user_size +
|
|
- sizeof(uint32_t);
|
|
- len += *pi->pam_service != '\0' ?
|
|
- 2*sizeof(uint32_t) + pi->pam_service_size : 0;
|
|
- len += *pi->pam_tty != '\0' ?
|
|
- 2*sizeof(uint32_t) + pi->pam_tty_size : 0;
|
|
- len += *pi->pam_ruser != '\0' ?
|
|
- 2*sizeof(uint32_t) + pi->pam_ruser_size : 0;
|
|
- len += *pi->pam_rhost != '\0' ?
|
|
- 2*sizeof(uint32_t) + pi->pam_rhost_size : 0;
|
|
- len += pi->pam_authtok != NULL ?
|
|
- 3*sizeof(uint32_t) + pi->pam_authtok_size : 0;
|
|
- len += pi->pam_newauthtok != NULL ?
|
|
- 3*sizeof(uint32_t) + pi->pam_newauthtok_size : 0;
|
|
- len += 3*sizeof(uint32_t); /* cli_pid */
|
|
- len += *pi->requested_domains != '\0' ?
|
|
- 2*sizeof(uint32_t) + pi->requested_domains_size : 0;
|
|
-
|
|
-
|
|
- buf = malloc(len);
|
|
- if (buf == NULL) {
|
|
- D(("malloc failed."));
|
|
- return PAM_BUF_ERR;
|
|
- }
|
|
-
|
|
- rp = 0;
|
|
- SAFEALIGN_SETMEM_UINT32(buf, SSS_START_OF_PAM_REQUEST, &rp);
|
|
-
|
|
- rp += add_string_item(SSS_PAM_ITEM_USER, pi->pam_user, pi->pam_user_size,
|
|
- &buf[rp]);
|
|
-
|
|
- rp += add_string_item(SSS_PAM_ITEM_SERVICE, pi->pam_service,
|
|
- pi->pam_service_size, &buf[rp]);
|
|
-
|
|
- rp += add_string_item(SSS_PAM_ITEM_TTY, pi->pam_tty, pi->pam_tty_size,
|
|
- &buf[rp]);
|
|
-
|
|
- rp += add_string_item(SSS_PAM_ITEM_RUSER, pi->pam_ruser, pi->pam_ruser_size,
|
|
- &buf[rp]);
|
|
-
|
|
- rp += add_string_item(SSS_PAM_ITEM_RHOST, pi->pam_rhost, pi->pam_rhost_size,
|
|
- &buf[rp]);
|
|
-
|
|
- rp += add_string_item(SSS_PAM_ITEM_REQUESTED_DOMAINS, pi->requested_domains, pi->requested_domains_size,
|
|
- &buf[rp]);
|
|
-
|
|
- rp += add_uint32_t_item(SSS_PAM_ITEM_CLI_PID, (uint32_t) pi->cli_pid,
|
|
- &buf[rp]);
|
|
-
|
|
- rp += add_authtok_item(SSS_PAM_ITEM_AUTHTOK, pi->pam_authtok_type,
|
|
- pi->pam_authtok, pi->pam_authtok_size, &buf[rp]);
|
|
-
|
|
- rp += add_authtok_item(SSS_PAM_ITEM_NEWAUTHTOK, pi->pam_newauthtok_type,
|
|
- pi->pam_newauthtok, pi->pam_newauthtok_size,
|
|
- &buf[rp]);
|
|
-
|
|
- SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp);
|
|
-
|
|
- if (rp != len) {
|
|
- D(("error during packet creation."));
|
|
- free(buf);
|
|
- return PAM_BUF_ERR;
|
|
- }
|
|
-
|
|
- *size = len;
|
|
- *buffer = buf;
|
|
-
|
|
- return 0;
|
|
-}
|
|
-
|
|
static int null_strcmp(const char *s1, const char *s2) {
|
|
if (s1 == NULL && s2 == NULL) return 0;
|
|
if (s1 == NULL && s2 != NULL) return -1;
|
|
--
|
|
2.4.0