23 changes: 14 additions & 9 deletions src/p11_child/p11_child_openssl.c
Expand Up @@ -1761,7 +1761,8 @@ errno_t do_slot(CK_FUNCTION_LIST *module, size_t module_id, CK_SLOT_ID slot_id,
struct p11_ctx *p11_ctx, enum op_mode mode, const char *pin,
const char *module_name_in, const char *token_name_in,
const char *key_id_in, const char *label_in,
const char *uri_str, char **_multi) {
const char *uri_str, char **_multi)
{
int ret;
CK_RV rv;
char *module_file_name = NULL;
Expand All @@ -1773,6 +1774,7 @@ errno_t do_slot(CK_FUNCTION_LIST *module, size_t module_id, CK_SLOT_ID slot_id,
struct cert_list *next_item = NULL;
bool pkcs11_session = false;
bool pkcs11_login = false;
bool has_protected_authentication_path = false;

slot_name = p11_kit_space_strdup(info->slotDescription,
sizeof(info->slotDescription));
Expand All @@ -1790,6 +1792,8 @@ errno_t do_slot(CK_FUNCTION_LIST *module, size_t module_id, CK_SLOT_ID slot_id,
goto done;
}

has_protected_authentication_path = (token_info->flags & CKF_PROTECTED_AUTHENTICATION_PATH);

module_file_name = p11_kit_module_get_filename(module);
if (module_file_name == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "p11_kit_module_get_filename failed.\n");
Expand Down Expand Up @@ -1824,10 +1828,9 @@ errno_t do_slot(CK_FUNCTION_LIST *module, size_t module_id, CK_SLOT_ID slot_id,
if (mode == OP_AUTH) {
DEBUG(SSSDBG_TRACE_ALL, "Login required.\n");
DEBUG(SSSDBG_TRACE_ALL, "Token flags [%lu].\n", token_info->flags);
if ((pin != NULL)
|| (token_info->flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
if ((pin != NULL) || has_protected_authentication_path) {

if (token_info->flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
if (has_protected_authentication_path) {
DEBUG(SSSDBG_TRACE_ALL, "Protected authentication path.\n");
pin = NULL;
}
Expand Down Expand Up @@ -1936,9 +1939,12 @@ errno_t do_slot(CK_FUNCTION_LIST *module, size_t module_id, CK_SLOT_ID slot_id,
DEBUG(SSSDBG_TRACE_ALL, "Found certificate has key id [%s].\n",
item->id);

*_multi = talloc_asprintf_append(*_multi, "%s\n%s\n%s\n%s\n%s\n",
*_multi = talloc_asprintf_append(*_multi, "%s\n%s\n%s\n%s\n%s\n%s\n",
token_name, module_file_name, item->id,
item->label, item->cert_b64);
item->label,
has_protected_authentication_path ?
"true" : "false",
item->cert_b64);
if (*_multi == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to append certificate to the output string.\n");
Expand Down Expand Up @@ -2150,10 +2156,9 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
rv = modules[c]->C_GetTokenInfo(slots[s], &token_info);
if (rv != CKR_OK) {
DEBUG(SSSDBG_OP_FAILURE,
"C_GetTokenInfo failed [%lu][%s].\n",
"C_GetTokenInfo failed [%lu][%s], skipping.\n",
rv, p11_kit_strerror(rv));
ret = EIO;
goto done;
continue;
}

if (!(token_info.flags & CKF_TOKEN_INITIALIZED)) {
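Review bot: The `_multi` record built at the talloc_asprintf_append call is a positional, newline-separated format that now carries six fields, and nothing beside it states what the fields are or that the responder parses them in exactly this order; I would put `/* One record per cert, one field per line: token_name, module_file_name, key_id, label, protected_auth_path ("true"/"false"), cert_b64 — parsed positionally in pamsrv_p11.c */` above it. The label and token name appear to originate from the token, so an embedded newline in either would shift the new boolean into the wrong slot; that is pre-existing, and the strict true/false check on the responder side at least turns it into a hard EINVAL rather than a silent misread. In do_card, replacing `goto done` with `continue` makes a failing C_GetTokenInfo non-fatal for that slot; the remainder of the loop and the value `ret` has after it are outside this hunk, so confirm that a run in which every slot fails cannot return success with an empty certificate list. do_slot and do_card both start before and end after the visible hunks.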
1 change: 1 addition & 0 deletions src/responder/pam/pamsrv.h
Expand Up @@ -140,6 +140,7 @@ const char *sss_cai_get_token_name(struct cert_auth_info *i);
const char *sss_cai_get_module_name(struct cert_auth_info *i);
const char *sss_cai_get_key_id(struct cert_auth_info *i);
const char *sss_cai_get_label(struct cert_auth_info *i);
bool sss_cai_get_has_protected_authentication_path(struct cert_auth_info *i);
struct cert_auth_info *sss_cai_get_next(struct cert_auth_info *i);
struct ldb_result *sss_cai_get_cert_user_objs(struct cert_auth_info *i);
void sss_cai_set_cert_user_objs(struct cert_auth_info *i,
5 changes: 4 additions & 1 deletion src/responder/pam/pamsrv_cmd.c
Expand Up @@ -2904,7 +2904,10 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
found = true;
if (preq->pd->cmd == SSS_PAM_PREAUTH) {
ret = sss_authtok_set_sc(preq->pd->authtok,
SSS_AUTHTOK_TYPE_SC_PIN, NULL, 0,
sss_cai_get_has_protected_authentication_path(preq->current_cert)
? SSS_AUTHTOK_TYPE_SC_KEYPAD
: SSS_AUTHTOK_TYPE_SC_PIN,
NULL, 0,
sss_cai_get_token_name(preq->current_cert), 0,
sss_cai_get_module_name(preq->current_cert), 0,
sss_cai_get_key_id(preq->current_cert), 0,
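Review bot: The conditional that selects the authtok type is written inline as the second argument of the nine-argument `sss_authtok_set_sc` call, which buries the one decision this hunk is about and invites a misplaced argument on the next edit; hoist it into a named local, e.g. `bool keypad = sss_cai_get_has_protected_authentication_path(preq->current_cert);` before the call and `keypad ? SSS_AUTHTOK_TYPE_SC_KEYPAD : SSS_AUTHTOK_TYPE_SC_PIN,` as the argument. The keypad marker is only set under `cmd == SSS_PAM_PREAUTH`; whether the non-preauth branch of the same forwarder also needs it is not visible from this hunk. pam_dom_forwarder starts before and ends after the visible lines.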
78 changes: 65 additions & 13 deletions src/responder/pam/pamsrv_p11.c
Expand Up @@ -39,6 +39,7 @@ struct cert_auth_info {
char *module_name;
char *key_id;
char *label;
bool has_protected_authentication_path;
struct ldb_result *cert_user_objs;
struct cert_auth_info *prev;
struct cert_auth_info *next;
Expand Down Expand Up @@ -69,6 +70,11 @@ const char *sss_cai_get_label(struct cert_auth_info *i)
return i != NULL ? i->label : NULL;
}

bool sss_cai_get_has_protected_authentication_path(struct cert_auth_info *i)
{
return i != NULL ? i->has_protected_authentication_path : false;
}

struct cert_auth_info *sss_cai_get_next(struct cert_auth_info *i)
{
return i != NULL ? i->next : NULL;
Expand Down Expand Up @@ -659,6 +665,37 @@ static errno_t parse_p11_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf,
goto done;
}

if (pn == p) {
DEBUG(SSSDBG_OP_FAILURE,
"Missing protected authentication path info in p11_child "
"response.\n");
ret = EINVAL;
goto done;
}

if ((pn - p) == 4 && strncmp((char *) p, "true", 4) == 0) {
cert_auth_info->has_protected_authentication_path = true;
} else if ((pn - p) == 5 && strncmp((char *) p, "false", 5) == 0) {
cert_auth_info->has_protected_authentication_path = false;
} else {
DEBUG(SSSDBG_OP_FAILURE,
"Unexpected response where true/false was expected.\n");
ret = EINVAL;
goto done;
}
DEBUG(SSSDBG_TRACE_ALL, "Found protected authentication path [%s].\n",
cert_auth_info->has_protected_authentication_path ? "true"
: "false");

p = ++pn;
pn = memchr(p, '\n', buf_len - (p - buf));
if (pn == NULL) {
DEBUG(SSSDBG_OP_FAILURE,
"Missing new-line in p11_child response.\n");
ret = EINVAL;
goto done;
}

if (pn == p) {
DEBUG(SSSDBG_OP_FAILURE, "Missing cert in p11_child response.\n");
ret = EINVAL;
Expand Down Expand Up @@ -1057,8 +1094,11 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
size_t label_len;
size_t prompt_len;
size_t nss_name_len;
size_t has_pap_len;
const char *username = "";
const char *nss_username = "";
const char *has_protected_authentication_path;
size_t offset = 0;

if (sysdb_username != NULL) {
username = sysdb_username;
Expand All @@ -1068,6 +1108,12 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
nss_username = nss_name;
}

if (sss_cai_get_has_protected_authentication_path(cert_info)) {
has_protected_authentication_path = "true";
} else {
has_protected_authentication_path = "false";
}

prompt = get_cert_prompt(mem_ctx, cert_info);
if (prompt == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "get_cert_prompt failed.\n");
Expand All @@ -1085,10 +1131,11 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
key_id_len = strlen(key_id) + 1;
label_len = strlen(label) + 1;
prompt_len = strlen(prompt) + 1;
nss_name_len = strlen(nss_username) +1;
nss_name_len = strlen(nss_username) + 1;
has_pap_len = strlen(has_protected_authentication_path) + 1;

msg_len = user_len + token_len + module_len + key_id_len + label_len
+ prompt_len + nss_name_len;
+ prompt_len + nss_name_len + has_pap_len;

msg = talloc_zero_size(mem_ctx, msg_len);
if (msg == NULL) {
Expand All @@ -1097,18 +1144,23 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
return ENOMEM;
}

memcpy(msg, username, user_len);
memcpy(msg + user_len, token_name, token_len);
memcpy(msg + user_len + token_len, module_name, module_len);
memcpy(msg + user_len + token_len + module_len, key_id, key_id_len);
memcpy(msg + user_len + token_len + module_len + key_id_len,
label, label_len);
memcpy(msg + user_len + token_len + module_len + key_id_len + label_len,
prompt, prompt_len);
memcpy(msg + user_len + token_len + module_len + key_id_len + label_len
+ prompt_len,
nss_username, nss_name_len);
safealign_memcpy(msg, username, user_len, &offset);
safealign_memcpy(msg + offset, token_name, token_len, &offset);
safealign_memcpy(msg + offset, module_name, module_len, &offset);
safealign_memcpy(msg + offset, key_id, key_id_len, &offset);
safealign_memcpy(msg + offset, label, label_len, &offset);
safealign_memcpy(msg + offset, prompt, prompt_len, &offset);
safealign_memcpy(msg + offset, nss_username, nss_name_len, &offset);
safealign_memcpy(msg + offset, has_protected_authentication_path,
has_pap_len, &offset);
talloc_free(prompt);
if (offset != msg_len) {
DEBUG(SSSDBG_OP_FAILURE,
"Expected [%zu] and copied [%zu] number of bytes do not match.\n",
msg_len, offset);
talloc_free(msg);
return EIO;
}

if (_msg != NULL) {
*_msg = msg;
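Review bot: The protected-authentication-path flag travels as the literal strings "true"/"false" in three independent places — emitted by p11_child, compared with exact-length strncmp in parse_p11_child_response, and re-emitted in pack_cert_data — with no shared definition, so a future respelling on one side silently becomes an EINVAL at the parser; define the two literals once in a header both sides include and derive the `4`/`5` lengths from them. The exact-length compare at the `(pn - p) == 4` and `(pn - p) == 5` lines is the right shape, since it rejects prefixes and truncated input rather than prefix-matching. In pack_cert_data the new field is appended after nss_username, so the PAM-side unpacker must now expect eight NUL-terminated strings; a comment above the safealign_memcpy run listing the field order would make that contract visible, and the `offset != msg_len` check is a good guard against the length sum and the copies drifting apart. parse_p11_child_response and pack_cert_data both extend outside the visible hunks.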