URL: https://github.com/SSSD/sssd/pull/869 Author: sumit-bose Title: #869: pam: keep pin on the PAM stack for forward_pass Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/869/head:pr869 git checkout pr869
From 6e3f6f408e2528672360e57e7a4871a3c852a7db Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Mon, 19 Aug 2019 17:38:04 +0200 Subject: [PATCH] pam: keep pin on the PAM stack for forward_pass Currently only the password or the long-term part of a two-factor authentication was kept on the PM stack if pam_sss.so has the option forward_pass. With this patch the Smartcard PIN can be forwarded to other PAM modules as well. Related https://pagure.io/SSSD/sssd/issue/4067 --- src/sss_client/pam_sss.c | 11 ++++++++++- src/tests/cmocka/test_authtok.c | 5 +++++ src/util/authtok-utils.c | 33 +++++++++++++++++++++++++++++++++ src/util/authtok-utils.h | 10 ++++++++++ 4 files changed, 58 insertions(+), 1 deletion(-) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index cfd3e3731d..e36407b727 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -2116,6 +2116,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, uint32_t flags) { int ret; + const char *pin = NULL; if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS) || ( pi->pamstack_authtok != NULL @@ -2166,11 +2167,19 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, if (flags & PAM_CLI_FLAGS_FORWARD_PASS) { if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) { ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok); + } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_SC_PIN) { + pin = sss_auth_get_pin_from_sc_blob((uint8_t *) pi->pam_authtok, + pi->pam_authtok_size); + if (pin != NULL) { + ret = pam_set_item(pamh, PAM_AUTHTOK, pin); + } else { + ret = PAM_SYSTEM_ERR; + } } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA && pi->first_factor != NULL) { ret = pam_set_item(pamh, PAM_AUTHTOK, pi->first_factor); } else { - ret = EINVAL; + ret = PAM_SYSTEM_ERR; } if (ret != PAM_SUCCESS) { D(("Failed to set PAM_AUTHTOK [%s], " diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c index 84e209783e..a8f5bdee7f 100644 
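Review bot: The new `else` branch in get_authtok_for_authentication sets `ret = PAM_SYSTEM_ERR` when sss_auth_get_pin_from_sc_blob() returns NULL but records nothing about why, so the only trace is the generic "Failed to set PAM_AUTHTOK [%s]" message at the end of the hunk, which will name a system error rather than a malformed Smartcard blob. A dedicated debug line in that branch, `D(("Failed to extract the PIN from the Smartcard authtok blob."));`, keeps the two failures distinguishable (the PIN value itself stays out of the message). The enclosing function starts and ends outside the hunk.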
--- a/src/tests/cmocka/test_authtok.c +++ b/src/tests/cmocka/test_authtok.c @@ -473,6 +473,11 @@ void test_sss_authtok_sc_blobs(void **state) needed_size); #endif + pin = sss_auth_get_pin_from_sc_blob(buf, needed_size); + assert_non_null(pin); + assert_string_equal(pin, "abc"); + pin = NULL; + ret = sss_authtok_set(ts->authtoken, SSS_AUTHTOK_TYPE_SC_PIN, buf, needed_size); assert_int_equal(ret, EOK); diff --git a/src/util/authtok-utils.c b/src/util/authtok-utils.c index e7123df341..e50f867410 100644 --- a/src/util/authtok-utils.c +++ b/src/util/authtok-utils.c @@ -163,3 +163,36 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len, return 0; } + +const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len) +{ + size_t c = 0; + uint32_t pin_len; + uint32_t token_name_len; + uint32_t module_name_len; + uint32_t key_id_len; + + if (blob == NULL || blob_len == 0) { + return NULL; + } + + SAFEALIGN_COPY_UINT32(&pin_len, blob, &c); + if (pin_len == 0) { + return NULL; + } + + SAFEALIGN_COPY_UINT32(&token_name_len, blob + c, &c); + SAFEALIGN_COPY_UINT32(&module_name_len, blob + c, &c); + SAFEALIGN_COPY_UINT32(&key_id_len, blob + c, &c); + + if (blob_len != 4 * sizeof(uint32_t) + pin_len + token_name_len + + module_name_len + key_id_len) { + return NULL; + } + + if (blob[c + pin_len - 1] != '\0') { + return NULL; + } + + return (const char *) blob + c; +} diff --git a/src/util/authtok-utils.h b/src/util/authtok-utils.h index c5aace39fe..714c8187e1 100644 --- a/src/util/authtok-utils.h +++ b/src/util/authtok-utils.h 
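Review bot: The new assertions in test_sss_authtok_sc_blobs only cover the well-formed blob; sss_auth_get_pin_from_sc_blob() has three NULL-returning paths (empty input, length mismatch, PIN without a terminating NUL) and none of them is exercised. Assuming `buf` was packed with exactly `needed_size` bytes, two cheap negative cases fit right after `pin = NULL;`: `assert_null(sss_auth_get_pin_from_sc_blob(buf, needed_size - 1));` and `assert_null(sss_auth_get_pin_from_sc_blob(buf, 0));`. A call with a length shorter than the four uint32_t length fields is also worth a case, since that is the input the helper is most likely to mishandle. test_sss_authtok_sc_blobs starts outside the hunk.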
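Review bot: sss_auth_get_pin_from_sc_blob() copies four uint32_t length fields out of `blob` before it has checked that `blob_len` is at least `4 * sizeof(uint32_t)`, so a blob of 1 to 15 bytes passes the `blob_len == 0` guard and the SAFEALIGN_COPY_UINT32 calls read past the end of the buffer; the length-sum comparison that would reject such a blob only runs after the reads. The sum itself is evaluated in size_t, so on a 32-bit build four large uint32_t lengths can wrap and still compare equal to blob_len, after which `blob[c + pin_len - 1]` indexes outside the buffer. Tightening the initial guard and widening the sum to 64 bits closes both; the function is complete within the hunk. Since the function only reads the buffer, `const uint8_t *blob` would also match the `const char *` it returns.
```c
const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len)
{
    /* … unchanged: local declarations … */

    /* All four length fields must fit before any of them is read. */
    if (blob == NULL || blob_len < 4 * sizeof(uint32_t)) {
        return NULL;
    }

    /* … unchanged: SAFEALIGN_COPY_UINT32 reads and the pin_len == 0 check … */

    /* Sum in 64 bits so oversized lengths cannot wrap on a 32-bit size_t. */
    if ((uint64_t) 4 * sizeof(uint32_t) + pin_len + token_name_len
            + module_name_len + key_id_len != blob_len) {
        return NULL;
    }

    /* … unchanged: NUL-terminator check and return … */
```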
@@ -123,4 +123,14 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx,
 char **token_name, size_t *_token_name_len,
 char **module_name, size_t *_module_name_len,
 char **key_id, size_t *_key_id_len);
+
+/**
+ * @brief Return a pointer to the PIN string in the memory buffer
+ *
+ * @param[in] blob Memory buffer containing the 2FA data
+ * @param[in] blob_len Size of the memory buffer
+ *
+ * @return pointer to 0-terminate PIN string in the memory buffer
+ */
+const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len);
 #endif /* __AUTHTOK_UTILS_H__ */
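Review bot: The Doxygen block for sss_auth_get_pin_from_sc_blob() does not say that the function returns NULL, which the implementation does for an empty blob, an inconsistent length sum and a PIN without a terminating NUL, nor that the returned pointer aliases `blob` rather than being a copy, so it is only valid as long as the blob is and must not be freed. It also describes the buffer as "2FA data" although the blob is the Smartcard blob built by sss_auth_pack_sc_blob(), and "0-terminate" should read "0-terminated". I would change the `@param[in] blob` line to say "Smartcard blob as produced by sss_auth_pack_sc_blob()" and the return line to `@return pointer to the 0-terminated PIN string inside blob, or NULL if the blob is malformed`. Since the function only reads the buffer, the declaration could take `const uint8_t *blob`.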