From e989620bd2b4f7094dee3ef740ba92d0cf45d0c8 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 19 Aug 2019 17:38:04 +0200 Subject: [PATCH] pam: keep pin on the PAM stack for forward_pass MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently only the password or the long-term part of a two-factor authentication was kept on the PM stack if pam_sss.so has the option forward_pass. With this patch the Smartcard PIN can be forwarded to other PAM modules as well. Related https://pagure.io/SSSD/sssd/issue/4067 Reviewed-by: Pavel Březina --- src/sss_client/pam_sss.c | 11 ++++++++++- src/tests/cmocka/test_authtok.c | 5 +++++ src/util/authtok-utils.c | 33 +++++++++++++++++++++++++++++++++ src/util/authtok-utils.h | 10 ++++++++++ 4 files changed, 58 insertions(+), 1 deletion(-) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index cfd3e3731..e36407b72 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -2116,6 +2116,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, uint32_t flags) { int ret; + const char *pin = NULL; if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS) || ( pi->pamstack_authtok != NULL @@ -2166,11 +2167,19 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, if (flags & PAM_CLI_FLAGS_FORWARD_PASS) { if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) { ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok); + } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_SC_PIN) { + pin = sss_auth_get_pin_from_sc_blob((uint8_t *) pi->pam_authtok, + pi->pam_authtok_size); + if (pin != NULL) { + ret = pam_set_item(pamh, PAM_AUTHTOK, pin); + } else { + ret = PAM_SYSTEM_ERR; + } } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA && pi->first_factor != NULL) { ret = pam_set_item(pamh, PAM_AUTHTOK, pi->first_factor); } else { - ret = EINVAL; + ret = PAM_SYSTEM_ERR; } if (ret != PAM_SUCCESS) { D(("Failed to set PAM_AUTHTOK [%s], " diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c index 84e209783..a8f5bdee7 100644 --- a/src/tests/cmocka/test_authtok.c +++ b/src/tests/cmocka/test_authtok.c @@ -473,6 +473,11 @@ void test_sss_authtok_sc_blobs(void **state) needed_size); #endif + pin = sss_auth_get_pin_from_sc_blob(buf, needed_size); + assert_non_null(pin); + assert_string_equal(pin, "abc"); + pin = NULL; + ret = sss_authtok_set(ts->authtoken, SSS_AUTHTOK_TYPE_SC_PIN, buf, needed_size); assert_int_equal(ret, EOK); diff --git a/src/util/authtok-utils.c b/src/util/authtok-utils.c index e7123df34..e50f86741 100644 --- a/src/util/authtok-utils.c +++ b/src/util/authtok-utils.c @@ -163,3 +163,36 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len, return 0; } + +const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len) +{ + size_t c = 0; + uint32_t pin_len; + uint32_t token_name_len; + uint32_t module_name_len; + uint32_t key_id_len; + + if (blob == NULL || blob_len == 0) { + return NULL; + } + + SAFEALIGN_COPY_UINT32(&pin_len, blob, &c); + if (pin_len == 0) { + return NULL; + } + + SAFEALIGN_COPY_UINT32(&token_name_len, blob + c, &c); + SAFEALIGN_COPY_UINT32(&module_name_len, blob + c, &c); + SAFEALIGN_COPY_UINT32(&key_id_len, blob + c, &c); + + if (blob_len != 4 * sizeof(uint32_t) + pin_len + token_name_len + + module_name_len + key_id_len) { + return NULL; + } + + if (blob[c + pin_len - 1] != '\0') { + return NULL; + } + + return (const char *) blob + c; +} diff --git a/src/util/authtok-utils.h b/src/util/authtok-utils.h index c5aace39f..714c8187e 100644 --- a/src/util/authtok-utils.h +++ b/src/util/authtok-utils.h @@ -123,4 +123,14 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, char **token_name, size_t *_token_name_len, char **module_name, size_t *_module_name_len, char **key_id, size_t *_key_id_len); + +/** + * @brief Return a pointer to the PIN string in the memory buffer + * + * @param[in] blob Memory buffer containing the 2FA data + * @param[in] blob_len Size of the memory buffer + * + * @return pointer to 0-terminate PIN string in the memory buffer + */ +const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len); #endif /* __AUTHTOK_UTILS_H__ */ -- 2.20.1