passkey: Add preflight operation

Also refactor PAM passkey child related operations

Author: justin-stephenson

Makefile.am

@@ -1523,9 +1523,11 @@ sssd_pam_SOURCES = \
     src/responder/pam/pam_prompting_config.c \
     src/sss_client/pam_sss_prompt_config.c \
     src/responder/pam/pam_helpers.c \
+    src/krb5_plugin/common/utils.c \
     $(SSSD_RESPONDER_OBJ)
 if BUILD_PASSKEY
-    sssd_pam_SOURCES += src/responder/pam/pamsrv_passkey.c
+    sssd_pam_SOURCES += src/responder/pam/pamsrv_passkey.c \
+                        src/krb5_plugin/passkey/passkey_utils.c
 endif
 sssd_pam_CFLAGS = \
     $(AM_CFLAGS) \
@@ -1535,6 +1537,7 @@ sssd_pam_LDADD = \
     $(LIBADD_DL) \
     $(TDB_LIBS) \
     $(SSSD_LIBS) \
+    $(JANSSON_LIBS) \
     $(SELINUX_LIBS) \
     $(PAM_LIBS) \
     $(GSSAPI_KRB5_LIBS) \
@@ -2570,6 +2573,7 @@ pam_srv_tests_SOURCES = \
     src/responder/pam/pamsrv_dp.c \
     src/responder/pam/pam_prompting_config.c \
     src/sss_client/pam_sss_prompt_config.c \
+    src/krb5_plugin/common/utils.c \
     $(NULL)
 pam_srv_tests_CFLAGS = \
     -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
@@ -2591,6 +2595,7 @@ pam_srv_tests_LDADD = \
     $(PAM_LIBS) \
     $(SSSD_LIBS) \
     $(SSSD_INTERNAL_LTLIBS) \
+    $(JANSSON_LIBS) \
     $(GSSAPI_KRB5_LIBS) \
     libsss_test_common.la \
     libsss_idmap.la \
@@ -2599,7 +2604,8 @@ pam_srv_tests_LDADD = \
     libsss_sbus.la \
     $(NULL)
 if BUILD_PASSKEY
-     pam_srv_tests_SOURCES += src/responder/pam/pamsrv_passkey.c
+     pam_srv_tests_SOURCES += src/responder/pam/pamsrv_passkey.c \
+                              src/krb5_plugin/passkey/passkey_utils.c
 endif # BUILD_PASSKEY
 
 EXTRA_ssh_srv_tests_DEPENDENCIES = \

src/krb5_plugin/passkey/passkey.h

@@ -22,6 +22,7 @@
 #define _PASSKEY_H_
 
 #include <stdlib.h>
+#include <stdbool.h>
 #include <krb5/preauth_plugin.h>
 
 #ifndef discard_const
@@ -100,6 +101,11 @@ sss_passkey_message_encode_padata(const struct sss_passkey_message *data);
 struct sss_passkey_message *
 sss_passkey_message_decode_padata(krb5_pa_data *padata);
 
+int
+sss_passkey_preflight_from_json(const char *json_str,
+                                bool *_pin_required,
+                                int *_attempts);
+
 krb5_pa_data **
 sss_passkey_message_encode_padata_array(const struct sss_passkey_message *data);
 

src/krb5_plugin/passkey/passkey_utils.c

@@ -24,6 +24,7 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdbool.h>
 #include <string.h>
 #include <jansson.h>
 #include <arpa/inet.h>
@@ -561,6 +562,42 @@ sss_passkey_message_from_reply_json(enum sss_passkey_phase phase,
     return message;
 }
 
+int
+sss_passkey_preflight_from_json(const char *json_str,
+                                bool *_pin_required,
+                                int *_attempts)
+{
+    json_t *jroot;
+    json_error_t jret;
+    int ret;
+    bool pin_required;
+    int attempts;
+
+    jroot = json_loads(json_str, 0, &jret);
+    if (jroot == NULL) {
+        return ENOMEM;
+    }
+
+    ret = json_unpack(jroot, "{s:b, s:i}",
+                "pin_required", &pin_required,
+                "attempts", &attempts);
+    if (ret != 0) {
+        ret = EINVAL;
+        goto done;
+    }
+
+    *_pin_required = pin_required;
+    *_attempts = attempts;
+
+    ret = 0;
+done:
+    if (jroot != NULL) {
+        json_decref(jroot);
+    }
+
+    return ret;
+}
+
 char *
 sss_passkey_message_encode(const struct sss_passkey_message *data)
 {

src/responder/pam/pamsrv.h

@@ -106,6 +106,7 @@ struct pam_auth_req {
     bool initial_cert_auth_successful;
 
     bool passkey_data_exists;
+    struct pam_preflight_data *pam_pf_data;
     uint32_t client_id_num;
 };
 

src/responder/pam/pamsrv_cmd.c

@@ -1270,6 +1270,16 @@ void pam_reply(struct pam_auth_req *preq)
                              local_sc_auth_allow ? "True" : "False",
                              local_passkey_auth_allow ? "True" : "False");
 
+    /* Passkey preflight data */
+    if (preq->pam_pf_data == NULL) {
+        preq->pam_pf_data = talloc_zero(preq, struct pam_preflight_data);
+        if (preq->pam_pf_data == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "pam_pf_data == NULL\n");
+            ret = ENOMEM;
+            goto done;
+        }
+    }
+
     if (pd->cmd == SSS_PAM_AUTHENTICATE
             && !preq->cert_auth_local
             && (pd->pam_status == PAM_AUTHINFO_UNAVAIL
@@ -1513,8 +1523,14 @@ void pam_reply(struct pam_auth_req *preq)
             && !pk_preauth_done
             && preq->passkey_data_exists
             && local_passkey_auth_allow) {
-            ret = passkey_local(cctx, cctx->ev, pctx, preq, pd);
-            pam_check_user_done(preq, ret);
+            /* First execute passkey child preflight operation, once completed another call to pam_reply() *
+             * is made with preq->pam_pf_data->obtained set to true */
+            ret = passkey_child_execute(cctx, cctx, cctx->ev, preq, pctx, pd, PAM_PASSKEY_OP_PREFLIGHT);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_OP_FAILURE,
+                      "Passkey child execute failed %s [%d].\n", sss_strerror(ret), ret);
+                goto done;
+            }
             return;
         }
 #endif /* BUILD_PASSKEY */
@@ -1898,6 +1914,9 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
     struct pam_auth_req *preq;
     struct pam_data *pd;
     int ret;
+#ifdef BUILD_PASSKEY
+    enum passkey_child_op passkey_op = PAM_PASSKEY_OP_INVALID;
+#endif
     struct pam_ctx *pctx =
             talloc_get_type(cctx->rctx->pvt_ctx, struct pam_ctx);
     struct tevent_req *req;
@@ -1979,11 +1998,14 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
     if ((pd->cmd == SSS_PAM_AUTHENTICATE)) {
         if (may_do_passkey_auth(pctx, pd)) {
             if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_PASSKEY_KRB) {
-                ret = passkey_kerberos(pctx, preq->pd, preq);
-                goto done;
+                passkey_op = PAM_PASSKEY_OP_KERBEROS_AUTH;
             } else if ((sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_PASSKEY) ||
                       (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_EMPTY)) {
-                ret = passkey_local(cctx, cctx->ev, pctx, preq, pd);
+                passkey_op = PAM_PASSKEY_OP_LOCAL_AUTH;
+            }
+
+            if (passkey_op == PAM_PASSKEY_OP_KERBEROS_AUTH || passkey_op == PAM_PASSKEY_OP_LOCAL_AUTH) {
+                ret = passkey_child_execute(cctx, cctx, cctx->ev, preq, pctx, pd, passkey_op);
                 goto done;
             }
         }
@@ -2350,6 +2372,9 @@ static void pam_forwarder_cb(struct tevent_req *req)
     struct cli_ctx *cctx = preq->cctx;
     struct pam_data *pd;
     errno_t ret = EOK;
+#ifdef BUILD_PASSKEY
+    enum passkey_child_op passkey_op = PAM_PASSKEY_OP_INVALID;
+#endif
     struct pam_ctx *pctx =
             talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
 
@@ -2399,11 +2424,14 @@ static void pam_forwarder_cb(struct tevent_req *req)
     if ((pd->cmd == SSS_PAM_AUTHENTICATE)) {
         if (may_do_passkey_auth(pctx, pd)) {
             if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_PASSKEY_KRB) {
-                ret = passkey_kerberos(pctx, preq->pd, preq);
-                goto done;
+                passkey_op = PAM_PASSKEY_OP_KERBEROS_AUTH;
             } else if ((sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_PASSKEY) ||
                       (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_EMPTY)) {
-                ret = passkey_local(cctx, cctx->ev, pctx, preq, pd);
+                passkey_op = PAM_PASSKEY_OP_LOCAL_AUTH;
+            }
+
+            if (passkey_op == PAM_PASSKEY_OP_KERBEROS_AUTH || passkey_op == PAM_PASSKEY_OP_LOCAL_AUTH) {
+                ret = passkey_child_execute(cctx, cctx, cctx->ev, preq, pctx, pd, passkey_op);
                 goto done;
             }
         }