sssd/0001-PAM-only-allow-missing-user-name-for-certificate-aut.patch
Lukas Slebodnik 69b9d3f518 Fix few segfaults
- Resolves: upstream #2811 - PAM responder crashed if user was not set
- Resolves: upstream #2810 - sssd_be crashed in ipa_srv_ad_acct_lookup_step
2015-10-07 13:42:03 +02:00

127 lines
4.5 KiB
Diff

From c9c1296ae9a7bd75164ccc3a175c2f5d809435f9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 1 Oct 2015 10:10:22 +0200
Subject: [PATCH 1/3] PAM: only allow missing user name for certificate
authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://fedorahosted.org/sssd/ticket/2811
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 2e76b32e74abedb23665808bacc73cafd1097c37)
(cherry picked from commit ba9d5c0456a2fbb9adf9b4b4dffbfb190628a273)
---
src/responder/pam/pamsrv_cmd.c | 12 +++++++++---
src/tests/cmocka/test_pam_srv.c | 38 ++++++++++++++++++++++++++++++++++++++
2 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 27dddcf43c1ff6eb465e1cb58d6dddf21413dcc4..2823f8133eb74d245be0750193ed842c0fdb26d3 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -957,11 +957,13 @@ static errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *p
} else {
/* Only SSS_PAM_PREAUTH request may have a missing name, e.g. if the
* name is determined with the help of a certificate */
- if (pd->cmd == SSS_PAM_PREAUTH) {
+ if (pd->cmd == SSS_PAM_PREAUTH
+ && may_do_cert_auth(talloc_get_type(cctx->rctx->pvt_ctx,
+ struct pam_ctx), pd)) {
ret = EOK;
} else {
DEBUG(SSSDBG_CRIT_FAILURE, "Missing logon name in PAM request.\n");
- ret = EINVAL;
+ ret = ERR_NO_CREDS;
goto done;
}
}
@@ -1104,7 +1106,6 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
}
goto done;
} else if (ret != EOK) {
- ret = EINVAL;
goto done;
}
@@ -1610,6 +1611,11 @@ static int pam_check_user_done(struct pam_auth_req *preq, int ret)
pam_reply(preq);
break;
+ case ERR_NO_CREDS:
+ preq->pd->pam_status = PAM_CRED_INSUFFICIENT;
+ pam_reply(preq);
+ break;
+
default:
preq->pd->pam_status = PAM_SYSTEM_ERR;
pam_reply(preq);
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index ab33433fdce8d6030331a57e2b7cbd97ce5637df..dbdc4ae08a12914481137fe8fb5a24d242d3032f 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -623,6 +623,23 @@ static int test_pam_wrong_pw_offline_auth_check(uint32_t status,
return test_pam_simple_check(status, body, blen);
}
+static int test_pam_creds_insufficient_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ size_t rp = 0;
+ uint32_t val;
+
+ assert_int_equal(status, 0);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, PAM_CRED_INSUFFICIENT);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 0);
+
+ return EOK;
+}
+
static int test_pam_user_unknown_check(uint32_t status,
uint8_t *body, size_t blen)
{
@@ -1127,6 +1144,25 @@ void test_pam_offline_chauthtok(void **state)
assert_int_equal(ret, EOK);
}
+void test_pam_preauth_no_logon_name(void **state)
+{
+ int ret;
+
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_creds_insufficient_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
static void set_cert_auth_param(struct pam_ctx *pctx, const char *dbpath)
{
pam_test_ctx->pctx->cert_auth = true;
@@ -1432,6 +1468,8 @@ int main(int argc, const char *argv[])
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_offline_chauthtok,
pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_no_logon_name,
+ pam_test_setup, pam_test_teardown),
/* p11_child is not built without NSS */
#ifdef HAVE_NSS
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nocert,
--
2.5.0