passkey: Skip processing non-passkey mapping data

In the AD case, the user altSecurityIdentities attribute can
store passkey, smartcard, or ssh public key mapping data. Check
to ensure we are handling passkey data before continuing in
PAM passkey processing.

:relnote: Fixes a crash when PAM passkey processing incorrectly
handles non-passkey data.

Resolves: #7061

src/responder/pam/pamsrv_passkey.c

@@ -489,6 +489,22 @@ errno_t process_passkey_data(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
+    /* This attribute may contain other mapping data unrelated to passkey. In that case
+     * let's omit it. For example, AD user altSecurityIdentities may store ssh public key
+     * or smart card mapping data */
+    ret = split_on_separator(tmp_ctx, (const char *) el->values[0].data, ':', true, true,
+                             &mappings, NULL);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Incorrectly formatted passkey data [%d]: %s\n",
+                                 ret, sss_strerror(ret));
+        ret = ENOENT;
+        goto done;
+    } else if (strcasecmp(mappings[0], "passkey") != 0) {
+        DEBUG(SSSDBG_TRACE_FUNC, "Mapping data found is not passkey related\n");
+        ret = ENOENT;
+        goto done;
+    }
+
     kh_mappings = talloc_zero_array(tmp_ctx, const char *, el->num_values + 1);
     if (kh_mappings == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
@@ -624,7 +640,10 @@ void pam_passkey_get_user_done(struct tevent_req *req)
     /* Get passkey data */
     DEBUG(SSSDBG_TRACE_ALL, "Processing passkey data\n");
     ret = process_passkey_data(pk_data, result->msgs[0], domain_name, pk_data);
-    if (ret == ENOENT) {
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "process_passkey_data failed: [%d]: %s\n",
+              ret, sss_strerror(ret));
         goto done;
     }
 

src/tests/cmocka/test_pam_srv.c

@@ -99,6 +99,15 @@
      "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEKhSQWMPgAUcz4d7Fjz2hZK7QUlnAttuEW5Xr" \
      "xD06VBaQvIRYJT7e6wM+vFU4z+uQgU9B5ERbgMiBVe99rBL9w=="
 
+#define SSSD_TEST_PUBKEY \
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCa+l8uZ6Q5G58PVMe1na7NrOMTzo2wOZfFwo" \
+    "0fM3RbvfAdlz/wsGwln2+EXA19FiXu/nNj4EwYGP9hymKuYaXzpq40k0VbhEL1v/qzXQvuKZgN" \
+    "x42vxi7NITaaAXuYj8OZQsZTvv+xgkREZmhQ6YqEjTJ0JzpD9fj8Gf8Mgn8pdsb/ZODLMAwEKt" \
+    "Q2DaWqH5jCqzoGEJlRl+kRbnrHc+RQrmj7NnY1voEJNrmzCyJFH5awZyBl/ZdbvpnwCKnVEleB" \
+    "FULrOIfJ9lc/QMmURCMa6RfW5CFrxdtjUwiIxfMiHe+zUY5T9L0Q6FWnlfNz/63Xdcrw1Gc90O" \
+    "CZKcqf/4P9N5flGSGSfiO5fD8gCCJ0c3WhxSVMREDP3ibKDsz8yhw2OuyGcfRo4nnchxy9G703" \
+    "1m2t9rUXc12eS1EKGJiPiT9IuTQ9nCG2PslkqR+KUMiYoS9MqTsAj9HhuTMkFhcYFyufxFmt/S" \
+    "4rIqVwmP8lY4GwwJwOnZwNLj/I2HwC+pk= [email protected]"
 
 int no_cleanup;
 
@@ -4403,6 +4412,55 @@ void test_pam_passkey_auth(void **state)
     assert_int_equal(ret, EOK);
 }
 
+void test_pam_passkey_bad_mapping(void **state)
+{
+    int ret;
+    struct sysdb_attrs *attrs;
+    const char *pubkey = SSSD_TEST_PUBKEY;
+    size_t pk_size;
+    const char *user_verification = "on";
+
+    set_passkey_auth_param(pam_test_ctx->pctx);
+
+    /* Add user verification attribute  */
+    ret = sysdb_domain_update_passkey_user_verification(
+                        pam_test_ctx->tctx->dom->sysdb,
+                        pam_test_ctx->tctx->dom->name,
+                        user_verification);
+    assert_int_equal(ret, EOK);
+
+    mock_input_pam_passkey(pam_test_ctx, "pamuser", "1234", NULL,
+                                         NULL, SSSD_TEST_PASSKEY);
+    mock_parse_inp("pamuser", NULL, EOK);
+
+    will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+    /* Add the test invalid pubkey data for this user */
+    pk_size = strlen(pubkey) + 1;
+
+    attrs = sysdb_new_attrs(pam_test_ctx);
+    assert_non_null(attrs);
+
+    ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_PASSKEY, pubkey, pk_size);
+    assert_int_equal(ret, EOK);
+
+    ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom,
+                              pam_test_ctx->pam_user_fqdn,
+                              attrs,
+                              LDB_FLAG_MOD_ADD);
+    assert_int_equal(ret, EOK);
+
+    pam_test_ctx->exp_pam_status = PAM_SUCCESS;
+    set_cmd_cb(test_pam_passkey_auth_check);
+    ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+                          pam_test_ctx->pam_cmds);
+    assert_int_equal(ret, EOK);
+
+    ret = test_ev_loop(pam_test_ctx->tctx);
+    assert_int_equal(ret, EOK);
+}
+
 
 void test_pam_passkey_auth_send(void **state)
 {
@@ -4630,6 +4688,8 @@ int main(int argc, const char *argv[])
                                         pam_test_setup_passkey, pam_test_teardown),
         cmocka_unit_test_setup_teardown(test_pam_passkey_auth,
                                         pam_test_setup_passkey, pam_test_teardown),
+        cmocka_unit_test_setup_teardown(test_pam_passkey_bad_mapping,
+                                        pam_test_setup_passkey, pam_test_teardown),
         cmocka_unit_test_setup_teardown(test_pam_passkey_auth_send,
                                         pam_test_setup_passkey, pam_test_teardown),
         cmocka_unit_test_setup_teardown(test_pam_prompting_passkey_interactive,