[SSSD] [sssd PR#137][synchronized] Initial pkinit support

2017-02-21 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/137
Author: sumit-bose
 Title: #137: Initial pkinit support
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/137/head:pr137
git checkout pr137
From c93632dce2d4bb18a36b43216335255f7327 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 19 Sep 2016 16:56:46 +0200
Subject: [PATCH 01/10] PAM: store user object in the preq context

---
 src/responder/pam/pamsrv.h |  1 +
 src/responder/pam/pamsrv_cmd.c | 12 ++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 75045d0..e356812 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -68,6 +68,7 @@ struct pam_auth_req {
 
 struct pam_auth_dp_req *dpreq_spy;
 
+struct ldb_message *user_obj;
 struct ldb_message *cert_user_obj;
 char *token_name;
 };
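Review bot: The new `user_obj` member carries no comment saying where it is filled in or what its lifetime is, so a reader of pamsrv.h cannot tell it apart from `cert_user_obj` on the next line. A one-line note would do, e.g. `/* sysdb entry of the user being authenticated; set by pam_check_user_search() */`, with the talloc parent named once it is confirmed from the sysdb_search_user_by_upn() and ldb_result allocations, which are not visible here. The identical hunk appears twice more in the later copies of this patch in the thread and would take the same comment.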
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index e73a819..e74dd16 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1560,7 +1560,6 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 struct pam_ctx *pctx =
 talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
 static const char *user_attrs[] = SYSDB_PW_ATTRS;
-struct ldb_message *msg;
 struct ldb_result *res;
 const char *sysdb_name;
 
@@ -1621,11 +1620,12 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 }
 
 if (preq->pd->name_is_upn) {
-ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, );
+ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs,
+   >user_obj);
 if (ret == EOK) {
 /* Since sysdb_search_user_by_upn() searches the whole cache we
 * have to set the domain so that it matches the result. */
-sysdb_name = ldb_msg_find_attr_as_string(msg,
+sysdb_name = ldb_msg_find_attr_as_string(preq->user_obj,
  SYSDB_NAME, NULL);
 if (sysdb_name == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n");
@@ -1654,7 +1654,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 } else if (res->count == 0) {
 ret = ENOENT;
 } else {
-msg = res->msgs[0];
+preq->user_obj = res->msgs[0];
 }
 }
 if (ret != EOK && ret != ENOENT) {
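Review bot: `preq->user_obj` is never reset when a lookup ends in the `res->count == 0` branch or when the search call itself fails, so on the next pass of the enclosing loop (which starts and ends outside this hunk) the request keeps the entry found in a previous domain until a later search overwrites it. The old local `msg` had the same gap, but it was only visible inside pam_check_user_search(); `preq->user_obj` is now reachable from every later stage of the request, so a stale pointer is no longer contained. Suggest clearing it before each search, `preq->user_obj = NULL;`, so that callers can rely on NULL meaning "no cached entry"; whether any later consumer actually reads it after an ENOENT result cannot be seen from this hunk. The same gap is present in the two later copies of this patch in the thread.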
@@ -1693,7 +1693,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 
 /* if we need to check the remote account go on */
 if (preq->check_provider) {
-cacheExpire = ldb_msg_find_attr_as_uint64(msg,
+cacheExpire = ldb_msg_find_attr_as_uint64(preq->user_obj,
   SYSDB_CACHE_EXPIRE, 0);
 if (cacheExpire < time(NULL)) {
 break;
@@ -1704,7 +1704,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
   "Returning info for user [%s@%s]\n", name, dom->name);
 
 /* We might have searched by alias. Pass on the primary name */
-ret = pd_set_primary_name(msg, preq->pd);
+ret = pd_set_primary_name(preq->user_obj, preq->pd);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Could not canonicalize username\n");
 return ret;

From 3696a22cfe572247a4482bc448692d8bbc836873 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 25 Jan 2017 17:34:54 +0100
Subject: [PATCH 02/10] PAM: fix memory leak in pam_sss

Since there can be multiple round trips between the PAM client and SSSD
it is possible that the same data is sent multiple times by SSSD.
So before overriding the old data it should be freed. I've seen this
with the domain name which is sent both in the pre-auth and the auth
responses. To be on the safe side I added free() for some other items as
well.
---
 src/sss_client/pam_sss.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index b4175ae..7ccc24f 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -865,6 +865,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
 break;
 }
 D(("domain name: [%s]", [p]));
+free(pi->domain_name);
 pi->domain_name = strdup((char *) [p]);
 if (pi->domain_name == NULL) {
 D(("strdup failed"));
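Review bot: The added `free(pi->domain_name);` is only safe if `pi->domain_name` is NULL before the first response is evaluated; that initialization is outside this hunk, so confirm that `pi` is zeroed (`memset` or `= {0}`) where it is created, otherwise the first call passes an indeterminate pointer to free(). The same check applies to the `free(pi->otp_vendor);` in the next hunk and to the other items the commit message says were handled the same way. Assigning the strdup() result directly afterwards is the right shape: on allocation failure the field ends up NULL rather than dangling, and the existing NULL check below already reports that case. The two later copies of this patch in the thread carry the same hunks.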
@@ -933,6 +934,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
 break;
 }
 
+free(pi->otp_vendor);
 pi->otp_vendor = 

[SSSD] [sssd PR#137][synchronized] Initial pkinit support

2017-02-16 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/137
Author: sumit-bose
 Title: #137: Initial pkinit support
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/137/head:pr137
git checkout pr137
From 86548625ca404842bebfc889274811d8ba01c64c Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 19 Sep 2016 16:56:46 +0200
Subject: [PATCH 01/10] PAM: store user object in the preq context

---
 src/responder/pam/pamsrv.h |  1 +
 src/responder/pam/pamsrv_cmd.c | 12 ++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 75045d0..e356812 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -68,6 +68,7 @@ struct pam_auth_req {
 
 struct pam_auth_dp_req *dpreq_spy;
 
+struct ldb_message *user_obj;
 struct ldb_message *cert_user_obj;
 char *token_name;
 };
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index e73a819..e74dd16 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1560,7 +1560,6 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 struct pam_ctx *pctx =
 talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
 static const char *user_attrs[] = SYSDB_PW_ATTRS;
-struct ldb_message *msg;
 struct ldb_result *res;
 const char *sysdb_name;
 
@@ -1621,11 +1620,12 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 }
 
 if (preq->pd->name_is_upn) {
-ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, );
+ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs,
+   >user_obj);
 if (ret == EOK) {
 /* Since sysdb_search_user_by_upn() searches the whole cache we
 * have to set the domain so that it matches the result. */
-sysdb_name = ldb_msg_find_attr_as_string(msg,
+sysdb_name = ldb_msg_find_attr_as_string(preq->user_obj,
  SYSDB_NAME, NULL);
 if (sysdb_name == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n");
@@ -1654,7 +1654,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 } else if (res->count == 0) {
 ret = ENOENT;
 } else {
-msg = res->msgs[0];
+preq->user_obj = res->msgs[0];
 }
 }
 if (ret != EOK && ret != ENOENT) {
@@ -1693,7 +1693,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 
 /* if we need to check the remote account go on */
 if (preq->check_provider) {
-cacheExpire = ldb_msg_find_attr_as_uint64(msg,
+cacheExpire = ldb_msg_find_attr_as_uint64(preq->user_obj,
   SYSDB_CACHE_EXPIRE, 0);
 if (cacheExpire < time(NULL)) {
 break;
@@ -1704,7 +1704,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
   "Returning info for user [%s@%s]\n", name, dom->name);
 
 /* We might have searched by alias. Pass on the primary name */
-ret = pd_set_primary_name(msg, preq->pd);
+ret = pd_set_primary_name(preq->user_obj, preq->pd);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Could not canonicalize username\n");
 return ret;

From f588249b4fe49b83eabd9cb1bd8979e6479774c6 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 25 Jan 2017 17:34:54 +0100
Subject: [PATCH 02/10] PAM: fix memory leak in pam_sss

Since there can be multiple round trips between the PAM client and SSSD
it is possible that the same data is sent multiple times by SSSD.
So before overriding the old data it should be freed. I've seen this
with the domain name which is sent both in the pre-auth and the auth
responses. To be on the safe side I added free() for some other items as
well.
---
 src/sss_client/pam_sss.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index b4175ae..7ccc24f 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -865,6 +865,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
 break;
 }
 D(("domain name: [%s]", [p]));
+free(pi->domain_name);
 pi->domain_name = strdup((char *) [p]);
 if (pi->domain_name == NULL) {
 D(("strdup failed"));
@@ -933,6 +934,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
 break;
 }
 
+free(pi->otp_vendor);
 pi->otp_vendor = 

[SSSD] [sssd PR#137][synchronized] Initial pkinit support

2017-02-09 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/137
Author: sumit-bose
 Title: #137: Initial pkinit support
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/137/head:pr137
git checkout pr137
From f00c519abdd485e2c310661c2df21b0551856609 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 19 Sep 2016 16:56:46 +0200
Subject: [PATCH 01/10] PAM: store user object in the preq context

---
 src/responder/pam/pamsrv.h |  1 +
 src/responder/pam/pamsrv_cmd.c | 12 ++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 75045d0..e356812 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -68,6 +68,7 @@ struct pam_auth_req {
 
 struct pam_auth_dp_req *dpreq_spy;
 
+struct ldb_message *user_obj;
 struct ldb_message *cert_user_obj;
 char *token_name;
 };
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index e73a819..e74dd16 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1560,7 +1560,6 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 struct pam_ctx *pctx =
 talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
 static const char *user_attrs[] = SYSDB_PW_ATTRS;
-struct ldb_message *msg;
 struct ldb_result *res;
 const char *sysdb_name;
 
@@ -1621,11 +1620,12 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 }
 
 if (preq->pd->name_is_upn) {
-ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, );
+ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs,
+   >user_obj);
 if (ret == EOK) {
 /* Since sysdb_search_user_by_upn() searches the whole cache we
 * have to set the domain so that it matches the result. */
-sysdb_name = ldb_msg_find_attr_as_string(msg,
+sysdb_name = ldb_msg_find_attr_as_string(preq->user_obj,
  SYSDB_NAME, NULL);
 if (sysdb_name == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n");
@@ -1654,7 +1654,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 } else if (res->count == 0) {
 ret = ENOENT;
 } else {
-msg = res->msgs[0];
+preq->user_obj = res->msgs[0];
 }
 }
 if (ret != EOK && ret != ENOENT) {
@@ -1693,7 +1693,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 
 /* if we need to check the remote account go on */
 if (preq->check_provider) {
-cacheExpire = ldb_msg_find_attr_as_uint64(msg,
+cacheExpire = ldb_msg_find_attr_as_uint64(preq->user_obj,
   SYSDB_CACHE_EXPIRE, 0);
 if (cacheExpire < time(NULL)) {
 break;
@@ -1704,7 +1704,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
   "Returning info for user [%s@%s]\n", name, dom->name);
 
 /* We might have searched by alias. Pass on the primary name */
-ret = pd_set_primary_name(msg, preq->pd);
+ret = pd_set_primary_name(preq->user_obj, preq->pd);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Could not canonicalize username\n");
 return ret;

From ab7411d29b3850bb54a5135c67fbcabc9466bfa4 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 25 Jan 2017 17:34:54 +0100
Subject: [PATCH 02/10] PAM: fix memory leak in pam_sss

Since there can be multiple round trips between the PAM client and SSSD
it is possible that the same data is sent multiple times by SSSD.
So before overriding the old data it should be freed. I've seen this
with the domain name which is sent both in the pre-auth and the auth
responses. To be on the safe side I added free() for some other items as
well.
---
 src/sss_client/pam_sss.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index b4175ae..7ccc24f 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -865,6 +865,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
 break;
 }
 D(("domain name: [%s]", [p]));
+free(pi->domain_name);
 pi->domain_name = strdup((char *) [p]);
 if (pi->domain_name == NULL) {
 D(("strdup failed"));
@@ -933,6 +934,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
 break;
 }
 
+free(pi->otp_vendor);
 pi->otp_vendor =