static int pam_parse_in_data(struct sss_domain_info *domains,
const char *default_domain,
struct pam_data *pd,
uint8_t *body, size_t blen)
{
size_t start;
size_t end;
size_t last;
int ret;
last = blen - 1;
end = 0;
/* user name */
for (start = end; end < last; end++) if (body[end] == '\0') break;
if (body[end++] != '\0') return EINVAL;
ret = sss_parse_name_for_domains(pd, domains, default_domain,
(char *)&body[start], &pd->domain, &pd->user);
if (ret != EOK) return ret;
for (start = end; end < last; end++) if (body[end] == '\0') break;
if (body[end++] != '\0') return EINVAL;
pd->service = (char *) &body[start];
for (start = end; end < last; end++) if (body[end] == '\0') break;
if (body[end++] != '\0') return EINVAL;
pd->tty = (char *) &body[start];
for (start = end; end < last; end++) if (body[end] == '\0') break;
if (body[end++] != '\0') return EINVAL;
pd->ruser = (char *) &body[start];
for (start = end; end < last; end++) if (body[end] == '\0') break;
if (body[end++] != '\0') return EINVAL;
pd->rhost = (char *) &body[start];
ret = extract_authtok_v1(pd->authtok, body, blen, &end);
if (ret) {
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid auth token\n");
return ret;
}
ret = extract_authtok_v1(pd->newauthtok, body, blen, &end);
if (ret) {
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid new auth token\n");
return ret;
}
DEBUG_PAM_DATA(SSSDBG_CONF_SETTINGS, pd);
return EOK;
}
static int pam_parse_in_data_v2(struct sss_domain_info *domains,
const char *default_domain,
struct pam_data *pd,
uint8_t *body, size_t blen)
{
size_t c;
uint32_t type;
uint32_t size;
char *pam_user;
int ret;
uint32_t start;
uint32_t terminator;
if (blen < 4*sizeof(uint32_t)+2) {
DEBUG(SSSDBG_CRIT_FAILURE, "Received data is invalid.\n");
return EINVAL;
}
SAFEALIGN_COPY_UINT32(&start, body, NULL);
SAFEALIGN_COPY_UINT32(&terminator, body + blen - sizeof(uint32_t), NULL);
if (start != SSS_START_OF_PAM_REQUEST
|| terminator != SSS_END_OF_PAM_REQUEST) {
DEBUG(SSSDBG_CRIT_FAILURE, "Received data is invalid.\n");
return EINVAL;
}
c = sizeof(uint32_t);
do {
SAFEALIGN_COPY_UINT32_CHECK(&type, &body[c], blen, &c);
if (type == SSS_END_OF_PAM_REQUEST) {
if (c != blen) return EINVAL;
} else {
SAFEALIGN_COPY_UINT32_CHECK(&size, &body[c], blen, &c);
/* the uint32_t end maker SSS_END_OF_PAM_REQUEST does not count to
* the remaining buffer */
if (size > (blen - c - sizeof(uint32_t))) {
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data size.\n");
return EINVAL;
}
switch(type) {
case SSS_PAM_ITEM_USER:
ret = extract_string(&pam_user, size, body, blen, &c);
if (ret != EOK) return ret;
ret = sss_parse_name_for_domains(pd, domains,
default_domain, pam_user,
&pd->domain, &pd->user);
if (ret != EOK) return ret;
break;
case SSS_PAM_ITEM_SERVICE:
ret = extract_string(&pd->service, size, body, blen, &c);
if (ret != EOK) return ret;
break;
case SSS_PAM_ITEM_TTY:
ret = extract_string(&pd->tty, size, body, blen, &c);
if (ret != EOK) return ret;
break;
case SSS_PAM_ITEM_RUSER:
ret = extract_string(&pd->ruser, size, body, blen, &c);
if (ret != EOK) return ret;
break;
case SSS_PAM_ITEM_RHOST:
ret = extract_string(&pd->rhost, size, body, blen, &c);
if (ret != EOK) return ret;
break;
case SSS_PAM_ITEM_CLI_PID:
ret = extract_uint32_t(&pd->cli_pid, size,
body, blen, &c);
if (ret != EOK) return ret;
break;
case SSS_PAM_ITEM_AUTHTOK:
ret = extract_authtok_v2(pd->authtok,
size, body, blen, &c);
if (ret != EOK) return ret;
break;
case SSS_PAM_ITEM_NEWAUTHTOK:
ret = extract_authtok_v2(pd->newauthtok,
size, body, blen, &c);
if (ret != EOK) return ret;
break;
default:
DEBUG(SSSDBG_CRIT_FAILURE,
"Ignoring unknown data type [%d].\n", type);
c += size;
}
}
} while(c < blen);
if (pd->user == NULL || *pd->user == '\0') return EINVAL;
DEBUG_PAM_DATA(SSSDBG_CONF_SETTINGS, pd);
return EOK;
}
errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
struct confdb_ctx *cdb,
struct resp_ctx *rctx)
{
errno_t ret;
bool filter_set = false;
char **filter_list = NULL;
char *name = NULL;
struct sss_domain_info *dom = NULL;
struct sss_domain_info *domain_list = rctx->domains;
char *domainname = NULL;
char *conf_path = NULL;
TALLOC_CTX *tmpctx = talloc_new(NULL);
int i;
/* Populate domain-specific negative cache entries */
for (dom = domain_list; dom; dom = get_next_domain(dom, false)) {
conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL,
dom->name);
if (!conf_path) {
ret = ENOMEM;
goto done;
}
talloc_zfree(filter_list);
ret = confdb_get_string_as_list(cdb, tmpctx, conf_path,
CONFDB_NSS_FILTER_USERS,
&filter_list);
if (ret == ENOENT) continue;
if (ret != EOK) goto done;
filter_set = true;
for (i = 0; (filter_list && filter_list[i]); i++) {
ret = sss_parse_name_for_domains(tmpctx, domain_list,
rctx->default_domain,
filter_list[i],
&domainname, &name);
if (ret != EOK) {
DEBUG(1, ("Invalid name in filterUsers list: [%s] (%d)\n",
filter_list[i], ret));
continue;
}
if (domainname && strcmp(domainname, dom->name)) {
DEBUG(1, ("Mismatch between domain name (%s) and name "
"set in FQN (%s), skipping user %s\n",
dom->name, domainname, name));
continue;
}
ret = sss_ncache_set_user(ncache, true, dom, name);
if (ret != EOK) {
DEBUG(1, ("Failed to store permanent user filter for [%s]"
" (%d [%s])\n", filter_list[i],
ret, strerror(ret)));
continue;
}
}
}
ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
CONFDB_NSS_FILTER_USERS, &filter_list);
if (ret == ENOENT) {
if (!filter_set) {
filter_list = talloc_array(tmpctx, char *, 2);
if (!filter_list) {
ret = ENOMEM;
goto done;
}
filter_list[0] = talloc_strdup(tmpctx, "root");
if (!filter_list[0]) {
ret = ENOMEM;
goto done;
}
filter_list[1] = NULL;
}
}
