[SSSD] [sssd PR#137][synchronized] Initial pkinit support
URL: https://github.com/SSSD/sssd/pull/137 Author: sumit-bose Title: #137: Initial pkinit support Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/137/head:pr137 git checkout pr137 From 0c0b2103dd5cd3bedaacbd239a6cfef66b5c75aa Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 19 Sep 2016 16:56:46 +0200 Subject: [PATCH 01/10] PAM: store user object in the preq context --- src/responder/pam/pamsrv.h | 1 + src/responder/pam/pamsrv_cmd.c | 12 ++-- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h index 75045d0..e356812 100644 --- a/src/responder/pam/pamsrv.h +++ b/src/responder/pam/pamsrv.h @@ -68,6 +68,7 @@ struct pam_auth_req { struct pam_auth_dp_req *dpreq_spy; +struct ldb_message *user_obj; struct ldb_message *cert_user_obj; char *token_name; }; diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index e73a819..e74dd16 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -1560,7 +1560,6 @@ static int pam_check_user_search(struct pam_auth_req *preq) struct pam_ctx *pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx); static const char *user_attrs[] = SYSDB_PW_ATTRS; -struct ldb_message *msg; struct ldb_result *res; const char *sysdb_name; @@ -1621,11 +1620,12 @@ static int pam_check_user_search(struct pam_auth_req *preq) } if (preq->pd->name_is_upn) { -ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, &msg); +ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, + &preq->user_obj); if (ret == EOK) { /* Since sysdb_search_user_by_upn() searches the whole cache we * have to set the domain so that it matches the result. */ -sysdb_name = ldb_msg_find_attr_as_string(msg, +sysdb_name = ldb_msg_find_attr_as_string(preq->user_obj, SYSDB_NAME, NULL); if (sysdb_name == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n"); 
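Review bot: The new `user_obj` member of `struct pam_auth_req` carries no comment on who fills it and who owns the memory, although the point of storing it is that later request steps read it. Suggest `/* cached user entry located by pam_check_user_search(); NULL until a lookup succeeds, lifetime tied to preq */` on the declaration. The NULL-until-success part is inferred from the pamsrv_cmd.c hunks, which assign it only on success paths, and relies on the request being zero-allocated, which is outside this diff. The same header hunk is repeated verbatim in the later re-sends of this series further down the page.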
@@ -1654,7 +1654,7 @@ static int pam_check_user_search(struct pam_auth_req *preq) } else if (res->count == 0) { ret = ENOENT; } else { -msg = res->msgs[0]; +preq->user_obj = res->msgs[0]; } } if (ret != EOK && ret != ENOENT) { @@ -1693,7 +1693,7 @@ static int pam_check_user_search(struct pam_auth_req *preq) /* if we need to check the remote account go on */ if (preq->check_provider) { -cacheExpire = ldb_msg_find_attr_as_uint64(msg, +cacheExpire = ldb_msg_find_attr_as_uint64(preq->user_obj, SYSDB_CACHE_EXPIRE, 0); if (cacheExpire < time(NULL)) { break; @@ -1704,7 +1704,7 @@ static int pam_check_user_search(struct pam_auth_req *preq) "Returning info for user [%s@%s]\n", name, dom->name); /* We might have searched by alias. Pass on the primary name */ -ret = pd_set_primary_name(msg, preq->pd); +ret = pd_set_primary_name(preq->user_obj, preq->pd); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Could not canonicalize username\n"); return ret; From 2ee4652d4c8cc687ac705d20ab81e7faf5408432 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 25 Jan 2017 17:34:54 +0100 Subject: [PATCH 02/10] PAM: fix memory leak in pam_sss Since there can be multiple round trips between the PAM client and SSSD it might be possible that the same data is sent multiple times by SSSD. So before overwriting the old data it should be freed. I've seen this with the domain name which is sent both in the pre-auth and the auth responses. To be on the safe side I added free() for some other items as well. --- src/sss_client/pam_sss.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 03613b8..8f97af7 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -869,6 +869,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, break; } D(("domain name: [%s]", &buf[p])); +free(pi->domain_name); pi->domain_name = strdup((char *) &buf[p]); if (pi->domain_name == NULL) { D(("strdup failed")); 
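Review bot: `preq->user_obj = res->msgs[0];` lets the entry outlive this function, while the local `msg` it replaces never escaped; that is only sound if `res` is allocated on `preq` (or something longer-lived), and the call that fills `res` is outside the hunk, so please confirm. If it is not, `preq->user_obj = talloc_steal(preq, res->msgs[0]);` would pin the lifetime explicitly. The UPN branch in the previous hunk already allocates on `preq`, so only this path needs checking. `pam_check_user_search()` starts and ends outside these hunks.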
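Review bot: `free(pi->domain_name);` before the `strdup()` is correct only if every field of `pi` is NULL before the first response is evaluated; the initialization of `pi` is outside the hunk, so confirm it is zero-filled, otherwise the first call frees an indeterminate pointer. After the change a failed `strdup()` leaves the field NULL instead of a stale value, which the existing NULL check already handles. The same consideration applies to `free(pi->otp_vendor);` in the @@ -937 hunk that follows. `eval_response()` starts and ends outside the hunk.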
@@ -937,6 +938,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, break; } +free(pi->otp_vendor); pi->otp_vendor = strdup((char *) &buf[p]
[SSSD] [sssd PR#137][synchronized] Initial pkinit support
URL: https://github.com/SSSD/sssd/pull/137 Author: sumit-bose Title: #137: Initial pkinit support Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/137/head:pr137 git checkout pr137 From c93632dce2d4bb18a36b43216335255f7327 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 19 Sep 2016 16:56:46 +0200 Subject: [PATCH 01/10] PAM: store user object in the preq context --- src/responder/pam/pamsrv.h | 1 + src/responder/pam/pamsrv_cmd.c | 12 ++-- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h index 75045d0..e356812 100644 --- a/src/responder/pam/pamsrv.h +++ b/src/responder/pam/pamsrv.h @@ -68,6 +68,7 @@ struct pam_auth_req { struct pam_auth_dp_req *dpreq_spy; +struct ldb_message *user_obj; struct ldb_message *cert_user_obj; char *token_name; }; diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index e73a819..e74dd16 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -1560,7 +1560,6 @@ static int pam_check_user_search(struct pam_auth_req *preq) struct pam_ctx *pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx); static const char *user_attrs[] = SYSDB_PW_ATTRS; -struct ldb_message *msg; struct ldb_result *res; const char *sysdb_name; @@ -1621,11 +1620,12 @@ static int pam_check_user_search(struct pam_auth_req *preq) } if (preq->pd->name_is_upn) { -ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, &msg); +ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, + &preq->user_obj); if (ret == EOK) { /* Since sysdb_search_user_by_upn() searches the whole cache we * have to set the domain so that it matches the result. */ -sysdb_name = ldb_msg_find_attr_as_string(msg, +sysdb_name = ldb_msg_find_attr_as_string(preq->user_obj, SYSDB_NAME, NULL); if (sysdb_name == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n"); 
@@ -1654,7 +1654,7 @@ static int pam_check_user_search(struct pam_auth_req *preq) } else if (res->count == 0) { ret = ENOENT; } else { -msg = res->msgs[0]; +preq->user_obj = res->msgs[0]; } } if (ret != EOK && ret != ENOENT) { @@ -1693,7 +1693,7 @@ static int pam_check_user_search(struct pam_auth_req *preq) /* if we need to check the remote account go on */ if (preq->check_provider) { -cacheExpire = ldb_msg_find_attr_as_uint64(msg, +cacheExpire = ldb_msg_find_attr_as_uint64(preq->user_obj, SYSDB_CACHE_EXPIRE, 0); if (cacheExpire < time(NULL)) { break; @@ -1704,7 +1704,7 @@ static int pam_check_user_search(struct pam_auth_req *preq) "Returning info for user [%s@%s]\n", name, dom->name); /* We might have searched by alias. Pass on the primary name */ -ret = pd_set_primary_name(msg, preq->pd); +ret = pd_set_primary_name(preq->user_obj, preq->pd); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Could not canonicalize username\n"); return ret; From 3696a22cfe572247a4482bc448692d8bbc836873 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 25 Jan 2017 17:34:54 +0100 Subject: [PATCH 02/10] PAM: fix memory leak in pam_sss Since there can be multiple round trips between the PAM client and SSSD it might be possible that the same data is sent multiple times by SSSD. So before overwriting the old data it should be freed. I've seen this with the domain name which is sent both in the pre-auth and the auth responses. To be on the safe side I added free() for some other items as well. --- src/sss_client/pam_sss.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index b4175ae..7ccc24f 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -865,6 +865,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, break; } D(("domain name: [%s]", &buf[p])); +free(pi->domain_name); pi->domain_name = strdup((char *) &buf[p]); if (pi->domain_name == NULL) { D(("strdup failed")); 
@@ -933,6 +934,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, break; } +free(pi->otp_vendor); pi->otp_vendor = strdup((char *) &buf[p]
[SSSD] [sssd PR#137][synchronized] Initial pkinit support
URL: https://github.com/SSSD/sssd/pull/137 Author: sumit-bose Title: #137: Initial pkinit support Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/137/head:pr137 git checkout pr137 From 86548625ca404842bebfc889274811d8ba01c64c Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 19 Sep 2016 16:56:46 +0200 Subject: [PATCH 01/10] PAM: store user object in the preq context --- src/responder/pam/pamsrv.h | 1 + src/responder/pam/pamsrv_cmd.c | 12 ++-- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h index 75045d0..e356812 100644 --- a/src/responder/pam/pamsrv.h +++ b/src/responder/pam/pamsrv.h @@ -68,6 +68,7 @@ struct pam_auth_req { struct pam_auth_dp_req *dpreq_spy; +struct ldb_message *user_obj; struct ldb_message *cert_user_obj; char *token_name; }; diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index e73a819..e74dd16 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -1560,7 +1560,6 @@ static int pam_check_user_search(struct pam_auth_req *preq) struct pam_ctx *pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx); static const char *user_attrs[] = SYSDB_PW_ATTRS; -struct ldb_message *msg; struct ldb_result *res; const char *sysdb_name; @@ -1621,11 +1620,12 @@ static int pam_check_user_search(struct pam_auth_req *preq) } if (preq->pd->name_is_upn) { -ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, &msg); +ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, + &preq->user_obj); if (ret == EOK) { /* Since sysdb_search_user_by_upn() searches the whole cache we * have to set the domain so that it matches the result. */ -sysdb_name = ldb_msg_find_attr_as_string(msg, +sysdb_name = ldb_msg_find_attr_as_string(preq->user_obj, SYSDB_NAME, NULL); if (sysdb_name == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n"); 
@@ -1654,7 +1654,7 @@ static int pam_check_user_search(struct pam_auth_req *preq) } else if (res->count == 0) { ret = ENOENT; } else { -msg = res->msgs[0]; +preq->user_obj = res->msgs[0]; } } if (ret != EOK && ret != ENOENT) { @@ -1693,7 +1693,7 @@ static int pam_check_user_search(struct pam_auth_req *preq) /* if we need to check the remote account go on */ if (preq->check_provider) { -cacheExpire = ldb_msg_find_attr_as_uint64(msg, +cacheExpire = ldb_msg_find_attr_as_uint64(preq->user_obj, SYSDB_CACHE_EXPIRE, 0); if (cacheExpire < time(NULL)) { break; @@ -1704,7 +1704,7 @@ static int pam_check_user_search(struct pam_auth_req *preq) "Returning info for user [%s@%s]\n", name, dom->name); /* We might have searched by alias. Pass on the primary name */ -ret = pd_set_primary_name(msg, preq->pd); +ret = pd_set_primary_name(preq->user_obj, preq->pd); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Could not canonicalize username\n"); return ret; From f588249b4fe49b83eabd9cb1bd8979e6479774c6 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 25 Jan 2017 17:34:54 +0100 Subject: [PATCH 02/10] PAM: fix memory leak in pam_sss Since there can be multiple round trips between the PAM client and SSSD it might be possible that the same data is sent multiple times by SSSD. So before overwriting the old data it should be freed. I've seen this with the domain name which is sent both in the pre-auth and the auth responses. To be on the safe side I added free() for some other items as well. --- src/sss_client/pam_sss.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index b4175ae..7ccc24f 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -865,6 +865,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, break; } D(("domain name: [%s]", &buf[p])); +free(pi->domain_name); pi->domain_name = strdup((char *) &buf[p]); if (pi->domain_name == NULL) { D(("strdup failed")); 
@@ -933,6 +934,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, break; } +free(pi->otp_vendor); pi->otp_vendor = strdup((char *) &buf[p]
[SSSD] [sssd PR#137][synchronized] Initial pkinit support
URL: https://github.com/SSSD/sssd/pull/137 Author: sumit-bose Title: #137: Initial pkinit support Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/137/head:pr137 git checkout pr137 From f00c519abdd485e2c310661c2df21b0551856609 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 19 Sep 2016 16:56:46 +0200 Subject: [PATCH 01/10] PAM: store user object in the preq context --- src/responder/pam/pamsrv.h | 1 + src/responder/pam/pamsrv_cmd.c | 12 ++-- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h index 75045d0..e356812 100644 --- a/src/responder/pam/pamsrv.h +++ b/src/responder/pam/pamsrv.h @@ -68,6 +68,7 @@ struct pam_auth_req { struct pam_auth_dp_req *dpreq_spy; +struct ldb_message *user_obj; struct ldb_message *cert_user_obj; char *token_name; }; diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index e73a819..e74dd16 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -1560,7 +1560,6 @@ static int pam_check_user_search(struct pam_auth_req *preq) struct pam_ctx *pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx); static const char *user_attrs[] = SYSDB_PW_ATTRS; -struct ldb_message *msg; struct ldb_result *res; const char *sysdb_name; @@ -1621,11 +1620,12 @@ static int pam_check_user_search(struct pam_auth_req *preq) } if (preq->pd->name_is_upn) { -ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, &msg); +ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, + &preq->user_obj); if (ret == EOK) { /* Since sysdb_search_user_by_upn() searches the whole cache we * have to set the domain so that it matches the result. */ -sysdb_name = ldb_msg_find_attr_as_string(msg, +sysdb_name = ldb_msg_find_attr_as_string(preq->user_obj, SYSDB_NAME, NULL); if (sysdb_name == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n"); 
@@ -1654,7 +1654,7 @@ static int pam_check_user_search(struct pam_auth_req *preq) } else if (res->count == 0) { ret = ENOENT; } else { -msg = res->msgs[0]; +preq->user_obj = res->msgs[0]; } } if (ret != EOK && ret != ENOENT) { @@ -1693,7 +1693,7 @@ static int pam_check_user_search(struct pam_auth_req *preq) /* if we need to check the remote account go on */ if (preq->check_provider) { -cacheExpire = ldb_msg_find_attr_as_uint64(msg, +cacheExpire = ldb_msg_find_attr_as_uint64(preq->user_obj, SYSDB_CACHE_EXPIRE, 0); if (cacheExpire < time(NULL)) { break; @@ -1704,7 +1704,7 @@ static int pam_check_user_search(struct pam_auth_req *preq) "Returning info for user [%s@%s]\n", name, dom->name); /* We might have searched by alias. Pass on the primary name */ -ret = pd_set_primary_name(msg, preq->pd); +ret = pd_set_primary_name(preq->user_obj, preq->pd); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Could not canonicalize username\n"); return ret; From ab7411d29b3850bb54a5135c67fbcabc9466bfa4 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 25 Jan 2017 17:34:54 +0100 Subject: [PATCH 02/10] PAM: fix memory leak in pam_sss Since there can be multiple round trips between the PAM client and SSSD it might be possible that the same data is sent multiple times by SSSD. So before overwriting the old data it should be freed. I've seen this with the domain name which is sent both in the pre-auth and the auth responses. To be on the safe side I added free() for some other items as well. --- src/sss_client/pam_sss.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index b4175ae..7ccc24f 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -865,6 +865,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, break; } D(("domain name: [%s]", &buf[p])); +free(pi->domain_name); pi->domain_name = strdup((char *) &buf[p]); if (pi->domain_name == NULL) { D(("strdup failed")); 
@@ -933,6 +934,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, break; } +free(pi->otp_vendor); pi->otp_vendor = strdup((char *) &buf[p]