From e989620bd2b4f7094dee3ef740ba92d0cf45d0c8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 19 Aug 2019 17:38:04 +0200
Subject: [PATCH] pam: keep pin on the PAM stack for forward_pass
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently only the password or the long-term part of a two-factor
authentication was kept on the PM stack if pam_sss.so has the option
forward_pass. With this patch the Smartcard PIN can be forwarded to
other PAM modules as well.
Related https://pagure.io/SSSD/sssd/issue/4067
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sss_client/pam_sss.c | 11 ++++++++++-
src/tests/cmocka/test_authtok.c | 5 +++++
src/util/authtok-utils.c | 33 +++++++++++++++++++++++++++++++++
src/util/authtok-utils.h | 10 ++++++++++
4 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index cfd3e3731..e36407b72 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2116,6 +2116,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
uint32_t flags)
{
int ret;
+ const char *pin = NULL;
if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
|| ( pi->pamstack_authtok != NULL
@@ -2166,11 +2167,19 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
+ } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_SC_PIN) {
+ pin = sss_auth_get_pin_from_sc_blob((uint8_t *) pi->pam_authtok,
+ pi->pam_authtok_size);
+ if (pin != NULL) {
+ ret = pam_set_item(pamh, PAM_AUTHTOK, pin);
+ } else {
+ ret = PAM_SYSTEM_ERR;
+ }
} else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
&& pi->first_factor != NULL) {
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->first_factor);
} else {
- ret = EINVAL;
+ ret = PAM_SYSTEM_ERR;
}
if (ret != PAM_SUCCESS) {
D(("Failed to set PAM_AUTHTOK [%s], "
diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c
index 84e209783..a8f5bdee7 100644
--- a/src/tests/cmocka/test_authtok.c
+++ b/src/tests/cmocka/test_authtok.c
@@ -473,6 +473,11 @@ void test_sss_authtok_sc_blobs(void **state)
needed_size);
#endif
+ pin = sss_auth_get_pin_from_sc_blob(buf, needed_size);
+ assert_non_null(pin);
+ assert_string_equal(pin, "abc");
+ pin = NULL;
+
ret = sss_authtok_set(ts->authtoken, SSS_AUTHTOK_TYPE_SC_PIN, buf,
needed_size);
assert_int_equal(ret, EOK);
diff --git a/src/util/authtok-utils.c b/src/util/authtok-utils.c
index e7123df34..e50f86741 100644
--- a/src/util/authtok-utils.c
+++ b/src/util/authtok-utils.c
@@ -163,3 +163,36 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len,
return 0;
}
+
+const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len)
+{
+ size_t c = 0;
+ uint32_t pin_len;
+ uint32_t token_name_len;
+ uint32_t module_name_len;
+ uint32_t key_id_len;
+
+ if (blob == NULL || blob_len == 0) {
+ return NULL;
+ }
+
+ SAFEALIGN_COPY_UINT32(&pin_len, blob, &c);
+ if (pin_len == 0) {
+ return NULL;
+ }
+
+ SAFEALIGN_COPY_UINT32(&token_name_len, blob + c, &c);
+ SAFEALIGN_COPY_UINT32(&module_name_len, blob + c, &c);
+ SAFEALIGN_COPY_UINT32(&key_id_len, blob + c, &c);
+
+ if (blob_len != 4 * sizeof(uint32_t) + pin_len + token_name_len
+ + module_name_len + key_id_len) {
+ return NULL;
+ }
+
+ if (blob[c + pin_len - 1] != '\0') {
+ return NULL;
+ }
+
+ return (const char *) blob + c;
+}
diff --git a/src/util/authtok-utils.h b/src/util/authtok-utils.h
index c5aace39f..714c8187e 100644
--- a/src/util/authtok-utils.h
+++ b/src/util/authtok-utils.h
@@ -123,4 +123,14 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx,
char **token_name, size_t *_token_name_len,
char **module_name, size_t *_module_name_len,
char **key_id, size_t *_key_id_len);
+
+/**
+ * @brief Return a pointer to the PIN string in the memory buffer
+ *
+ * @param[in] blob Memory buffer containing the 2FA data
+ * @param[in] blob_len Size of the memory buffer
+ *
+ * @return pointer to 0-terminate PIN string in the memory buffer
+ */
+const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len);
#endif /* __AUTHTOK_UTILS_H__ */
--
2.20.1