From cee84ed12721092bc40bc02dc66ce3efbb2bac74 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 16 Oct 2017 14:13:10 +0200
Subject: [PATCH 38/46] pam_sss: refactoring, use struct cert_auth_info
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Similar as in the PAM responder this patch replaces the individual
certificate authentication related attributes by a struct which can be
used as a list. With the pam_sss can handle multiple SSS_PAM_CERT_INFO
message and place the data in individual list items.

If multiple certificates are returned before prompting for the PIN a
dialog to select a certificate is shown to the users. If available a GDM
PAM extension is used to let the user choose from a list. All coded
needed at runtime to check if the extension is available and handle the
data is provided by GDM as macros. This means that there are no
additional run-time requirements.

Related to https://pagure.io/SSSD/sssd/issue/3560

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Tested-by: Scott Poore <spoore@redhat.com>
(cherry picked from commit 122830e67472390b41edc73f0cfcd5c5705b726b)
---
 contrib/sssd.spec.in         |   9 +
 src/external/pam.m4          |  12 ++
 src/sss_client/pam_message.h |   8 +-
 src/sss_client/pam_sss.c     | 439 ++++++++++++++++++++++++++++++++++---------
 4 files changed, 370 insertions(+), 98 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 1ee64d5a2a64635984260fceced779f4804e8b31..d9323bf1a2d84f4219f8ab11886e5ce87b401c15 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -121,6 +121,12 @@
     %global with_kcm_option --without-kcm
 %endif
 
+%if (0%{?fedora} >= 27 || (0%{?rhel} >= 7 && 0%{?rhel7_minor} > 4))
+    %global with_gdm_pam_extensions 1
+%else
+    %global with_gdm_pam_extensions 0
+%endif
+
 Name: @PACKAGE_NAME@
 Version: @PACKAGE_VERSION@
 Release: 0@PRERELEASE_VERSION@%{?dist}
@@ -233,6 +239,9 @@ BuildRequires: libuuid-devel
 BuildRequires: jansson-devel
 BuildRequires: libcurl-devel
 %endif
+%if (0%{?with_gdm_pam_extensions} == 1)
+BuildRequires: gdm-devel
+%endif
 
 %description
 Provides a set of daemons to manage access to remote directories and
diff --git a/src/external/pam.m4 b/src/external/pam.m4
index 4776b6ae338409f0a2729dfc4cf5962463a40dfd..0dc7f19d0df6a4588cf893ecff6e518111462433 100644
--- a/src/external/pam.m4
+++ b/src/external/pam.m4
@@ -27,3 +27,15 @@ AC_CHECK_FUNCS(pam_modutil_getlogin pam_vsyslog)
 
 dnl restore LIBS
 LIBS="$save_LIBS"
+
+PKG_CHECK_MODULES([GDM_PAM_EXTENSIONS], [gdm-pam-extensions],
+                  [found_gdm_pam_extensions=yes],
+                  [AC_MSG_NOTICE([gdm-pam-extensions were not found. gdm support
+for multiple certificates will not be build.
+])])
+
+AC_SUBST(GDM_PAM_EXTENSIONS_CFLAGS)
+
+AS_IF([test x"$found_gdm_pam_extensions" = xyes],
+      [AC_DEFINE_UNQUOTED(HAVE_GDM_PAM_EXTENSIONS, 1,
+                          [Build with gdm-pam-extensions support])])
diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h
index f215392f6879f01a0ca12abc8807bac5fc1f1cbb..11526a80a767ff5602b194d14765ff261e8f9707 100644
--- a/src/sss_client/pam_message.h
+++ b/src/sss_client/pam_message.h
@@ -29,6 +29,8 @@
 
 #include "sss_client/sss_cli.h"
 
+struct cert_auth_info;
+
 struct pam_items {
     const char *pam_service;
     const char *pam_user;
@@ -59,11 +61,9 @@ struct pam_items {
     char *first_factor;
     bool password_prompting;
 
-    char *cert_user;
-    char *token_name;
-    char *module_name;
-    char *key_id;
     bool user_name_hint;
+    struct cert_auth_info *cert_list;
+    struct cert_auth_info *selected_cert;
 };
 
 int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer);
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 303809b9ea05b5a8709c05ae230d5f289b57de31..c147d4b3d76443d69e27eb2da042f8eebd1ae6ab 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -36,6 +36,10 @@
 #include <security/pam_modules.h>
 #include <security/pam_appl.h>
 
+#ifdef HAVE_GDM_PAM_EXTENSIONS
+#include <gdm/gdm-pam-extensions.h>
+#endif
+
 #include "sss_pam_compat.h"
 #include "sss_pam_macros.h"
 
@@ -43,6 +47,7 @@
 #include "pam_message.h"
 #include "util/atomic_io.h"
 #include "util/authtok-utils.h"
+#include "util/dlinklist.h"
 
 #include <libintl.h>
 #define _(STRING) dgettext (PACKAGE, STRING)
@@ -118,6 +123,40 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err)
     sss_pam_close_fd();
 }
 
+struct cert_auth_info {
+    char *cert_user;
+    char *cert;
+    char *token_name;
+    char *module_name;
+    char *key_id;
+    struct cert_auth_info *prev;
+    struct cert_auth_info *next;
+};
+
+static void free_cai(struct cert_auth_info *cai)
+{
+    if (cai != NULL) {
+        free(cai->cert_user);
+        free(cai->cert);
+        free(cai->token_name);
+        free(cai->key_id);
+        free(cai);
+    }
+}
+
+static void free_cert_list(struct cert_auth_info *list)
+{
+    struct cert_auth_info *cai;
+    struct cert_auth_info *cai_next;
+
+    if (list != NULL) {
+        DLIST_FOR_EACH_SAFE(cai, cai_next, list) {
+            DLIST_REMOVE(list, cai);
+            free_cai(cai);
+        }
+    }
+}
+
 static void overwrite_and_free_authtoks(struct pam_items *pi)
 {
     if (pi->pam_authtok != NULL) {
@@ -158,17 +197,9 @@ static void overwrite_and_free_pam_items(struct pam_items *pi)
     free(pi->otp_challenge);
     pi->otp_challenge = NULL;
 
-    free(pi->cert_user);
-    pi->cert_user = NULL;
-
-    free(pi->token_name);
-    pi->token_name = NULL;
-
-    free(pi->module_name);
-    pi->module_name = NULL;
-
-    free(pi->key_id);
-    pi->key_id = NULL;
+    free_cert_list(pi->cert_list);
+    pi->cert_list = NULL;
+    pi->selected_cert = NULL;
 }
 
 static int null_strcmp(const char *s1, const char *s2) {
@@ -821,6 +852,90 @@ static int eval_user_info_response(pam_handle_t *pamh, size_t buflen,
     return ret;
 }
 
+static int parse_cert_info(struct pam_items *pi, uint8_t *buf, size_t len,
+                           size_t *p, const char **cert_user)
+{
+    struct cert_auth_info *cai = NULL;
+    size_t offset;
+    int ret;
+
+    if (buf[*p + (len - 1)] != '\0') {
+        D(("cert info does not end with \\0."));
+        return EINVAL;
+    }
+
+    cai = calloc(1, sizeof(struct cert_auth_info));
+    if (cai == NULL) {
+        return ENOMEM;
+    }
+
+    cai->cert_user = strdup((char *) &buf[*p]);
+    if (cai->cert_user == NULL) {
+        D(("strdup failed"));
+        ret = ENOMEM;
+        goto done;
+    }
+    if (cert_user != NULL) {
+        *cert_user = cai->cert_user;
+    }
+
+    offset = strlen(cai->cert_user) + 1;
+    if (offset >= len) {
+        D(("Cert message size mismatch"));
+        ret = EINVAL;
+        goto done;
+    }
+
+    cai->token_name = strdup((char *) &buf[*p + offset]);
+    if (cai->token_name == NULL) {
+        D(("strdup failed"));
+        ret = ENOMEM;
+        goto done;
+    }
+
+    offset += strlen(cai->token_name) + 1;
+    if (offset >= len) {
+        D(("Cert message size mismatch"));
+        ret = EINVAL;
+        goto done;
+    }
+
+    cai->module_name = strdup((char *) &buf[*p + offset]);
+    if (cai->module_name == NULL) {
+        D(("strdup failed"));
+        ret = ENOMEM;
+        goto done;
+    }
+
+    offset += strlen(cai->module_name) + 1;
+    if (offset >= len) {
+        D(("Cert message size mismatch"));
+        ret = EINVAL;
+        goto done;
+    }
+
+    cai->key_id = strdup((char *) &buf[*p + offset]);
+    if (cai->key_id == NULL) {
+        D(("strdup failed"));
+        ret = ENOMEM;
+        goto done;
+    }
+
+    D(("cert user: [%s] token name: [%s] module: [%s] key id: [%s]",
+       cai->cert_user, cai->token_name, cai->module_name,
+       cai->key_id));
+
+    DLIST_ADD(pi->cert_list, cai);
+    ret = 0;
+
+done:
+    if (ret != 0) {
+        free_cai(cai);
+    }
+
+    return ret;
+}
+
 static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
                          struct pam_items *pi)
 {
@@ -832,6 +947,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
     int32_t len;
     int32_t pam_status;
     size_t offset;
+    const char *cert_user;
 
     if (buflen < (2*sizeof(int32_t))) {
         D(("response buffer is too small"));
@@ -988,27 +1104,21 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
                     break;
                 }
 
-                free(pi->cert_user);
-                pi->cert_user = strdup((char *) &buf[p]);
-                if (pi->cert_user == NULL) {
-                    D(("strdup failed"));
-                    break;
-                }
-
-                if (type == SSS_PAM_CERT_INFO && *pi->cert_user == '\0') {
-                    D(("Invalid CERT message"));
-                    break;
-                }
-
                 if (type == SSS_PAM_CERT_INFO_WITH_HINT) {
                     pi->user_name_hint = true;
                 } else {
                     pi->user_name_hint = false;
                 }
 
+                ret = parse_cert_info(pi, buf, len, &p, &cert_user);
+                if (ret != 0) {
+                    D(("Failed to parse cert info"));
+                    break;
+                }
+
                 if ((pi->pam_user == NULL || *(pi->pam_user) == '\0')
-                        && *pi->cert_user != '\0') {
-                    ret = pam_set_item(pamh, PAM_USER, pi->cert_user);
+                        && *cert_user != '\0') {
+                    ret = pam_set_item(pamh, PAM_USER, cert_user);
                     if (ret != PAM_SUCCESS) {
                         D(("Failed to set PAM_USER during "
                            "Smartcard authentication [%s]",
@@ -1027,59 +1137,6 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
 
                     pi->pam_user_size = strlen(pi->pam_user) + 1;
                 }
-
-                offset = strlen(pi->cert_user) + 1;
-                if (offset >= len) {
-                    D(("Cert message size mismatch"));
-                    free(pi->cert_user);
-                    pi->cert_user = NULL;
-                    break;
-                }
-                free(pi->token_name);
-                pi->token_name = strdup((char *) &buf[p + offset]);
-                if (pi->token_name == NULL) {
-                    D(("strdup failed"));
-                    free(pi->cert_user);
-                    pi->cert_user = NULL;
-                    break;
-                }
-
-                offset += strlen(pi->token_name) + 1;
-                if (offset >= len) {
-                    D(("Cert message size mismatch"));
-                    free(pi->cert_user);
-                    pi->cert_user = NULL;
-                    free(pi->token_name);
-                    pi->token_name = NULL;
-                    break;
-                }
-                free(pi->module_name);
-                pi->module_name = strdup((char *) &buf[p + offset]);
-                if (pi->module_name == NULL) {
-                    D(("strdup failed"));
-                    break;
-                }
-
-                offset += strlen(pi->module_name) + 1;
-                if (offset >= len) {
-                    D(("Cert message size mismatch"));
-                    free(pi->cert_user);
-                    pi->cert_user = NULL;
-                    free(pi->token_name);
-                    pi->token_name = NULL;
-                    free(pi->module_name);
-                    pi->module_name = NULL;
-                    break;
-                }
-                free(pi->key_id);
-                pi->key_id = strdup((char *) &buf[p + offset]);
-                if (pi->key_id == NULL) {
-                    D(("strdup failed"));
-                    break;
-                }
-                D(("cert user: [%s] token name: [%s] module: [%s] key id: [%s]",
-                    pi->cert_user, pi->token_name, pi->module_name,
-                    pi->key_id));
                 break;
             case SSS_PASSWORD_PROMPTING:
                 D(("Password prompting available."));
@@ -1175,10 +1232,8 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
     pi->otp_challenge = NULL;
     pi->password_prompting = false;
 
-    pi->cert_user = NULL;
-    pi->token_name = NULL;
-    pi->module_name = NULL;
-    pi->key_id = NULL;
+    pi->cert_list = NULL;
+    pi->selected_cert = NULL;
 
     return PAM_SUCCESS;
 }
@@ -1484,6 +1539,184 @@ done:
 
 #define SC_PROMPT_FMT "PIN for %s"
 
+#ifndef discard_const
+#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
+#endif
+
+#define CERT_SEL_PROMPT_FMT "Certificate: %s"
+#define SEL_TITLE discard_const("Please select a certificate")
+
+static int prompt_multi_cert_gdm(pam_handle_t *pamh, struct pam_items *pi)
+{
+#ifdef HAVE_GDM_PAM_EXTENSIONS
+    int ret;
+    size_t cert_count = 0;
+    size_t c;
+    const struct pam_conv *conv;
+    struct cert_auth_info *cai;
+    GdmPamExtensionChoiceListRequest *request = NULL;
+    GdmPamExtensionChoiceListResponse *response = NULL;
+    struct pam_message prompt_message;
+    const struct pam_message *prompt_messages[1];
+    struct pam_response *reply = NULL;
+    char *prompt;
+
+    if (!GDM_PAM_EXTENSION_SUPPORTED(GDM_PAM_EXTENSION_CHOICE_LIST)) {
+        return ENOTSUP;
+    }
+
+    if (pi->cert_list == NULL) {
+        return EINVAL;
+    }
+
+    DLIST_FOR_EACH(cai, pi->cert_list) {
+        cert_count++;
+    }
+
+    ret = pam_get_item(pamh, PAM_CONV, (const void **)&conv);
+    if (ret != PAM_SUCCESS) {
+        ret = EIO;
+        return ret;
+    }
+
+    request = calloc(1, GDM_PAM_EXTENSION_CHOICE_LIST_REQUEST_SIZE(cert_count));
+    if (request == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+    GDM_PAM_EXTENSION_CHOICE_LIST_REQUEST_INIT(request, SEL_TITLE, cert_count);
+
+    c = 0;
+    DLIST_FOR_EACH(cai, pi->cert_list) {
+        ret = asprintf(&prompt, CERT_SEL_PROMPT_FMT, cai->key_id);
+        if (ret == -1) {
+            ret = ENOMEM;
+            goto done;
+        }
+        request->list.items[c].key = cai->key_id;
+        request->list.items[c++].text = prompt;
+    }
+
+    GDM_PAM_EXTENSION_MESSAGE_TO_BINARY_PROMPT_MESSAGE(request,
+                                                       &prompt_message);
+    prompt_messages[0] = &prompt_message;
+
+    ret = conv->conv(1, prompt_messages, &reply, conv->appdata_ptr);
+    if (ret != PAM_SUCCESS) {
+        ret = EIO;
+        goto done;
+    }
+
+    ret = EIO;
+    response = GDM_PAM_EXTENSION_REPLY_TO_CHOICE_LIST_RESPONSE(reply);
+    if (response->key == NULL) {
+        goto done;
+    }
+
+    DLIST_FOR_EACH(cai, pi->cert_list) {
+        if (strcmp(response->key, cai->key_id) == 0) {
+            pam_info(pamh, "Certificate ‘%s’ selected", cai->key_id);
+            pi->selected_cert = cai;
+            ret = 0;
+            break;
+        }
+    }
+
+done:
+    if (request != NULL) {
+        for (c = 0; c < cert_count; c++) {
+            free(discard_const(request->list.items[c++].text));
+        }
+        free(request);
+    }
+    free(response);
+
+    return ret;
+#else
+    return ENOTSUP;
+#endif
+}
+
+#define TEXT_CERT_SEL_PROMPT_FMT "%s[%zu] Certificate: %s\n"
+#define TEXT_SEL_TITLE discard_const("Please select a certificate by typing " \
+                                     "the corresponding number\n")
+static int prompt_multi_cert(pam_handle_t *pamh, struct pam_items *pi)
+{
+    int ret;
+    size_t cert_count = 0;
+    size_t tries = 0;
+    long int resp = -1;
+    struct cert_auth_info *cai;
+    char *prompt;
+    char *tmp;
+    char *answer;
+    char *ep;
+
+    /* First check if gdm extension is supported */
+    ret = prompt_multi_cert_gdm(pamh, pi);
+    if (ret != ENOTSUP) {
+        return ret;
+    }
+
+    if (pi->cert_list == NULL) {
+        return EINVAL;
+    }
+
+    prompt = strdup(TEXT_SEL_TITLE);
+    if (prompt == NULL) {
+        return ENOMEM;
+    }
+
+    DLIST_FOR_EACH(cai, pi->cert_list) {
+        cert_count++;
+        ret = asprintf(&tmp, TEXT_CERT_SEL_PROMPT_FMT, prompt, cert_count,
+                                                       cai->key_id);
+        free(prompt);
+        if (ret == -1) {
+            return ENOMEM;
+        }
+
+        prompt = tmp;
+    }
+
+    do {
+        ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_ON, prompt, NULL,
+                                  &answer);
+        if (ret != PAM_SUCCESS) {
+            D(("do_pam_conversation failed."));
+            break;
+        }
+
+        errno = 0;
+        resp = strtol(answer, &ep, 10);
+        if (errno == 0 && *ep == '\0' && resp > 0 && resp <= cert_count) {
+            /* do not free answer ealier because ep is pointing to it */
+            free(answer);
+            break;
+        }
+        free(answer);
+        resp = -1;
+    } while (++tries < 5);
+    free(prompt);
+
+    pi->selected_cert = NULL;
+    ret = ENOENT;
+    if (resp > 0 && resp <= cert_count) {
+        cert_count = 0;
+        DLIST_FOR_EACH(cai, pi->cert_list) {
+            cert_count++;
+            if (resp == cert_count) {
+                pam_info(pamh, "Certificate ‘%s’ selected", cai->key_id);
+                pi->selected_cert = cai;
+                ret = 0;
+                break;
+            }
+        }
+    }
+
+    return ret;
+}
+
 static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
 {
     int ret;
@@ -1495,19 +1728,20 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
     const struct pam_message *mesg[2] = { NULL, NULL };
     struct pam_message m[2] = { { 0 }, { 0 } };
     struct pam_response *resp = NULL;
+    struct cert_auth_info *cai = pi->selected_cert;
 
-    if (pi->token_name == NULL || *pi->token_name == '\0') {
+    if (cai == NULL || cai->token_name == NULL || *cai->token_name == '\0') {
         return EINVAL;
     }
 
-    size = sizeof(SC_PROMPT_FMT) + strlen(pi->token_name);
+    size = sizeof(SC_PROMPT_FMT) + strlen(cai->token_name);
     prompt = malloc(size);
     if (prompt == NULL) {
         D(("malloc failed."));
         return ENOMEM;
     }
 
-    ret = snprintf(prompt, size, SC_PROMPT_FMT, pi->token_name);
+    ret = snprintf(prompt, size, SC_PROMPT_FMT, cai->token_name);
     if (ret < 0 || ret >= size) {
         D(("snprintf failed."));
         free(prompt);
@@ -1604,9 +1838,9 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
         pi->pam_authtok_size=0;
     } else {
 
-        ret = sss_auth_pack_sc_blob(answer, 0, pi->token_name, 0,
-                                    pi->module_name, 0,
-                                    pi->key_id, 0,
+        ret = sss_auth_pack_sc_blob(answer, 0, cai->token_name, 0,
+                                    cai->module_name, 0,
+                                    cai->key_id, 0,
                                     NULL, 0, &needed_size);
         if (ret != EAGAIN) {
             D(("sss_auth_pack_sc_blob failed."));
@@ -1621,9 +1855,9 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
             goto done;
         }
 
-        ret = sss_auth_pack_sc_blob(answer, 0, pi->token_name, 0,
-                                    pi->module_name, 0,
-                                    pi->key_id, 0,
+        ret = sss_auth_pack_sc_blob(answer, 0, cai->token_name, 0,
+                                    cai->module_name, 0,
+                                    cai->key_id, 0,
                                     (uint8_t *) pi->pam_authtok, needed_size,
                                     &needed_size);
         if (ret != EOK) {
@@ -1786,7 +2020,17 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
                 ret = prompt_2fa(pamh, pi, _("First Factor: "),
                                  _("Second Factor: "));
             }
-        } else if (pi->token_name != NULL && *(pi->token_name) != '\0') {
+        } else if (pi->cert_list != NULL) {
+            if (pi->cert_list->next == NULL) {
+                /* Only one certificate */
+                pi->selected_cert = pi->cert_list;
+            } else {
+                ret = prompt_multi_cert(pamh, pi);
+                if (ret != 0) {
+                    D(("Failed to select certificate"));
+                    return PAM_AUTHTOK_ERR;
+                }
+            }
             ret = prompt_sc_pin(pamh, pi);
         } else {
             ret = prompt_password(pamh, pi, _("Password: "));
@@ -1905,14 +2149,21 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
     char *prompt = NULL;
     size_t size;
     char *answer = NULL;
+    /* TODO: check multiple cert case */
+    struct cert_auth_info *cai = pi->cert_list;
+
+    if (cai == NULL) {
+        D(("No certificate information available"));
+        return EINVAL;
+    }
 
     login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
     if (login_token_name == NULL) {
         return PAM_SUCCESS;
     }
 
-    while (pi->token_name == NULL
-            || strcmp(login_token_name, pi->token_name) != 0) {
+    while (cai->token_name == NULL
+               || strcmp(login_token_name, cai->token_name) != 0) {
         size = sizeof(SC_ENTER_FMT) + strlen(login_token_name);
         prompt = malloc(size);
         if (prompt == NULL) {
-- 
2.13.6