From bcb392e60c1935a98738988c5289585acd89ce82 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 21 Feb 2022 18:02:47 +0100
Subject: [PATCH 87/88] pam: better SC fallback message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If no suitable certificates were found or if gdm-smartcard was somehow
activated without a Smartcard present ask to (re)-insert a Smartcard.

Resolves: https://github.com/SSSD/sssd/issues/6022

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 4d2277f8c3065771a8c3bbc7938309a4905640f0)

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/sss_client/pam_sss.c | 47 +++++++++++++++++++++++-----------------
 1 file changed, 27 insertions(+), 20 deletions(-)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 7084ce953..feb4837fb 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1787,40 +1787,39 @@ static int prompt_multi_cert(pam_handle_t *pamh, struct pam_items *pi)
     return ret;
 }
 
+#define SC_INSERT_PROMPT _("Please (re)insert (different) Smartcard")
+
 static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
 {
     int ret;
     char *answer = NULL;
-    char *prompt;
-    size_t size;
+    char *prompt = NULL;
     size_t needed_size;
     const struct pam_conv *conv;
     const struct pam_message *mesg[2] = { NULL, NULL };
     struct pam_message m[2] = { { 0 }, { 0 } };
     struct pam_response *resp = NULL;
     struct cert_auth_info *cai = pi->selected_cert;
-    struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"),
-                                        NULL, NULL, NULL, NULL, NULL, NULL };
 
     if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
-        cai = &empty_cai;
+        ret = asprintf(&prompt, SC_INSERT_PROMPT);
     } else if (cai == NULL || cai->token_name == NULL
                     || *cai->token_name == '\0') {
-        return EINVAL;
+        return PAM_SYSTEM_ERR;
+    } else {
+        ret = asprintf(&prompt, SC_PROMPT_FMT, cai->token_name);
     }
 
-    size = sizeof(SC_PROMPT_FMT) + strlen(cai->token_name);
-    prompt = malloc(size);
-    if (prompt == NULL) {
-        D(("malloc failed."));
-        return ENOMEM;
+    if (ret == -1) {
+        D(("asprintf failed."));
+        return PAM_SYSTEM_ERR;
     }
 
-    ret = snprintf(prompt, size, SC_PROMPT_FMT, cai->token_name);
-    if (ret < 0 || ret >= size) {
-        D(("snprintf failed."));
-        free(prompt);
-        return EFAULT;
+    if (cai == NULL) {
+        ret = do_pam_conversation(pamh, PAM_TEXT_INFO, prompt, NULL, NULL);
+        if (ret != PAM_SUCCESS) {
+            D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret)));
+        }
     }
 
     if (pi->user_name_hint) {
@@ -1907,10 +1906,18 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
         }
     }
 
-    if (answer == NULL) {
-        pi->pam_authtok = NULL;
-        pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
-        pi->pam_authtok_size=0;
+    if (cai == NULL) {
+        /* it is expected that the user just replaces the Smartcard which
+         * would trigger gdm to restart the PAM module, so it is not
+         * expected that this part of the code is reached. */
+        ret = PAM_AUTHINFO_UNAVAIL;
+        goto done;
+    }
+
+    if (answer == NULL || *answer == '\0') {
+        D(("Missing PIN."));
+        ret = PAM_CRED_INSUFFICIENT;
+        goto done;
     } else {
 
         ret = sss_auth_pack_sc_blob(answer, 0, cai->token_name, 0,
-- 
2.35.3