From e989620bd2b4f7094dee3ef740ba92d0cf45d0c8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 19 Aug 2019 17:38:04 +0200
Subject: [PATCH] pam: keep pin on the PAM stack for forward_pass
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently only the password or the long-term part of a two-factor
authentication was kept on the PM stack if pam_sss.so has the option
forward_pass. With this patch the Smartcard PIN can be forwarded to
other PAM modules as well.

Related https://pagure.io/SSSD/sssd/issue/4067

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/sss_client/pam_sss.c        | 11 ++++++++++-
 src/tests/cmocka/test_authtok.c |  5 +++++
 src/util/authtok-utils.c        | 33 +++++++++++++++++++++++++++++++++
 src/util/authtok-utils.h        | 10 ++++++++++
 4 files changed, 58 insertions(+), 1 deletion(-)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index cfd3e3731..e36407b72 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2116,6 +2116,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
                                           uint32_t flags)
 {
     int ret;
+    const char *pin = NULL;
 
     if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
             || ( pi->pamstack_authtok != NULL
@@ -2166,11 +2167,19 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
         if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
             if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
                 ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
+            } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_SC_PIN) {
+                pin = sss_auth_get_pin_from_sc_blob((uint8_t *) pi->pam_authtok,
+                                                    pi->pam_authtok_size);
+                if (pin != NULL) {
+                    ret = pam_set_item(pamh, PAM_AUTHTOK, pin);
+                } else {
+                    ret = PAM_SYSTEM_ERR;
+                }
             } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
                            && pi->first_factor != NULL) {
                 ret = pam_set_item(pamh, PAM_AUTHTOK, pi->first_factor);
             } else {
-                ret = EINVAL;
+                ret = PAM_SYSTEM_ERR;
             }
             if (ret != PAM_SUCCESS) {
                 D(("Failed to set PAM_AUTHTOK [%s], "
diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c
index 84e209783..a8f5bdee7 100644
--- a/src/tests/cmocka/test_authtok.c
+++ b/src/tests/cmocka/test_authtok.c
@@ -473,6 +473,11 @@ void test_sss_authtok_sc_blobs(void **state)
                         needed_size);
 #endif
 
+    pin = sss_auth_get_pin_from_sc_blob(buf, needed_size);
+    assert_non_null(pin);
+    assert_string_equal(pin, "abc");
+    pin = NULL;
+
     ret = sss_authtok_set(ts->authtoken, SSS_AUTHTOK_TYPE_SC_PIN, buf,
                           needed_size);
     assert_int_equal(ret, EOK);
diff --git a/src/util/authtok-utils.c b/src/util/authtok-utils.c
index e7123df34..e50f86741 100644
--- a/src/util/authtok-utils.c
+++ b/src/util/authtok-utils.c
@@ -163,3 +163,36 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len,
 
     return 0;
 }
+
+const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len)
+{
+    size_t c = 0;
+    uint32_t pin_len;
+    uint32_t token_name_len;
+    uint32_t module_name_len;
+    uint32_t key_id_len;
+
+    if (blob == NULL || blob_len == 0) {
+        return NULL;
+    }
+
+    SAFEALIGN_COPY_UINT32(&pin_len, blob, &c);
+    if (pin_len == 0) {
+        return NULL;
+    }
+
+    SAFEALIGN_COPY_UINT32(&token_name_len, blob + c, &c);
+    SAFEALIGN_COPY_UINT32(&module_name_len, blob + c, &c);
+    SAFEALIGN_COPY_UINT32(&key_id_len, blob + c, &c);
+
+    if (blob_len != 4 * sizeof(uint32_t) + pin_len + token_name_len
+                                         + module_name_len + key_id_len) {
+        return NULL;
+    }
+
+    if (blob[c + pin_len - 1] != '\0') {
+        return NULL;
+    }
+
+    return (const char *) blob + c;
+}
diff --git a/src/util/authtok-utils.h b/src/util/authtok-utils.h
index c5aace39f..714c8187e 100644
--- a/src/util/authtok-utils.h
+++ b/src/util/authtok-utils.h
@@ -123,4 +123,14 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx,
                                  char **token_name, size_t *_token_name_len,
                                  char **module_name, size_t *_module_name_len,
                                  char **key_id, size_t *_key_id_len);
+
+/**
+ * @brief Return a pointer to the PIN string in the memory buffer
+ *
+ * @param[in]  blob              Memory buffer containing the 2FA data
+ * @param[in]  blob_len          Size of the memory buffer
+ *
+ * @return     pointer to 0-terminate PIN string in the memory buffer
+ */
+const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len);
 #endif /*  __AUTHTOK_UTILS_H__ */
-- 
2.20.1