p11: add PKCS11_LOGIN_TOKEN_NAME environment variable

The PKCS11_LOGIN_TOKEN_NAME environment variable is e.g. used by the Gnome Settings Daemon to determine the name of the token used for login. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SSSD · Jun 9, 2016 · d862246 · d862246
1 parent 325ed9f
commit d862246
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 1 deletion.
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
@@ -504,10 +504,15 @@ errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
     return EOK;
 }
 
+/* The PKCS11_LOGIN_TOKEN_NAME environment variable is e.g. used by the Gnome
+ * Settings Daemon to determine the name of the token used for login */
+#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
+
 errno_t add_pam_cert_response(struct pam_data *pd, const char *user,
                               const char *token_name)
 {
     uint8_t *msg = NULL;
+    char *env = NULL;
     size_t user_len;
     size_t msg_len;
     size_t slot_len;
@@ -533,6 +538,26 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *user,
 
     ret = pam_add_response(pd, SSS_PAM_CERT_INFO, msg_len, msg);
     talloc_free(msg);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "pam_add_response failed to add certificate info.\n");
+        return ret;
+    }
+
+    env = talloc_asprintf(pd, "%s=%s", PKCS11_LOGIN_TOKEN_ENV_NAME, token_name);
+    if (env == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+        return ENOMEM;
+    }
+
+    ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(env) + 1,
+                           (uint8_t *)env);
+    talloc_free(env);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "pam_add_response failed to add environment variable.\n");
+        return ret;
+    }
 
     return ret;
 }
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
@@ -596,6 +596,8 @@ static int test_pam_simple_check(uint32_t status, uint8_t *body, size_t blen)
     return EOK;
 }
 
+#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
+
 static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
 {
     size_t rp = 0;
@@ -607,7 +609,7 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
     assert_int_equal(val, pam_test_ctx->exp_pam_status);
 
     SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-    assert_int_equal(val, 2);
+    assert_int_equal(val, 3);
 
     SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
     assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
@@ -619,6 +621,16 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
     assert_string_equal(body + rp, TEST_DOM_NAME);
     rp += val;
 
+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+    assert_int_equal(val, SSS_PAM_ENV_ITEM);
+
+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+    assert_int_equal(val, (strlen(PKCS11_LOGIN_TOKEN_ENV_NAME "=")
+                           + sizeof(TEST_TOKEN_NAME)));
+    assert_string_equal(body + rp,
+                        PKCS11_LOGIN_TOKEN_ENV_NAME "=" TEST_TOKEN_NAME);
+    rp += val;
+
     SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
     assert_int_equal(val, SSS_PAM_CERT_INFO);