diff options
| author | Simo Sorce <simo@redhat.com> | 2012-10-18 18:43:56 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2013-01-10 12:24:59 -0500 |
| commit | 64af76e2bef2565caa9738f675c108a4b3789237 (patch) | |
| tree | fa24e7f17f07136494a4c515c63b8795be7130e4 /src/providers/krb5 | |
| parent | 918b2a5a91f1c551d48f4bffed2a28c36fdb4be1 (diff) | |
| download | sssd-64af76e2bef2565caa9738f675c108a4b3789237.tar.gz sssd-64af76e2bef2565caa9738f675c108a4b3789237.tar.xz sssd-64af76e2bef2565caa9738f675c108a4b3789237.zip | |
Change pam data auth tokens.
Use the new authtok abstraction and interfaces throught the code.
Diffstat (limited to 'src/providers/krb5')
| -rw-r--r-- | src/providers/krb5/krb5_auth.c | 58 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_child.c | 148 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_child_handler.c | 59 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_delayed_online_authentication.c | 50 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_renew_tgt.c | 18 |
5 files changed, 186 insertions, 147 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index bd014a49d..398f06a84 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -278,12 +278,12 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx, struct pam_data *pd, uid_t uid, int *pam_status, int *dp_err) { - char *password = NULL; + const char *password = NULL; errno_t ret; - password = talloc_strndup(state, pd->authtok, pd->authtok_size); - if (!password) { - DEBUG(0, ("Out of memory copying password\n")); + ret = sss_authtok_get_password(&pd->authtok, &password, NULL); + if (ret != EOK) { + DEBUG(0, ("Failed to get password [%d] %s\n", ret, strerror(ret))); *pam_status = PAM_SYSTEM_ERR; *dp_err = DP_ERR_OK; return; @@ -294,7 +294,7 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx, DEBUG(1, ("Offline authentication failed\n")); *pam_status = cached_login_pam_status(ret); *dp_err = DP_ERR_OK; - goto done; + return; } ret = add_user_to_delayed_online_authentication(krb5_ctx, pd, uid); @@ -304,12 +304,6 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx, } *pam_status = PAM_AUTHINFO_UNAVAIL; *dp_err = DP_ERR_OFFLINE; - -done: - if (password) { - for (i = 0; password[i]; i++) password[i] = 0; - talloc_zfree(password); - } } static errno_t krb5_auth_prepare_ccache_file(struct krb5child_req *kr, @@ -385,16 +379,9 @@ static errno_t krb5_auth_prepare_ccache_file(struct krb5child_req *kr, static void krb5_auth_store_creds(struct sysdb_ctx *sysdb, struct pam_data *pd) { - TALLOC_CTX *tmp_ctx; - char *password = NULL; + const char *password = NULL; int ret = EOK; - tmp_ctx = talloc_new(NULL); - if (!tmp_ctx) { - DEBUG(0, ("Out of memory when trying to store credentials\n")); - return; - } - switch(pd->cmd) { case SSS_CMD_RENEW: /* The authtok is set to the credential cache @@ -404,42 +391,35 @@ static void krb5_auth_store_creds(struct sysdb_ctx *sysdb, struct pam_data *pd) break; case SSS_PAM_AUTHENTICATE: case SSS_PAM_CHAUTHTOK_PRELIM: - password = talloc_size(tmp_ctx, pd->authtok_size + 1); - if (password != NULL) { - memcpy(password, pd->authtok, pd->authtok_size); - password[pd->authtok_size] = '\0'; - } + ret = sss_authtok_get_password(&pd->authtok, &password, NULL); break; case SSS_PAM_CHAUTHTOK: - password = talloc_size(tmp_ctx, pd->newauthtok_size + 1); - if (password != NULL) { - memcpy(password, pd->newauthtok, pd->newauthtok_size); - password[pd->newauthtok_size] = '\0'; - } + ret = sss_authtok_get_password(&pd->newauthtok, &password, NULL); break; default: DEBUG(0, ("unsupported PAM command [%d].\n", pd->cmd)); } + if (ret != EOK) { + DEBUG(0, ("Failed to get password [%d] %s\n", ret, strerror(ret))); + /* password caching failures are not fatal errors */ + return; + } + if (password == NULL) { if (pd->cmd != SSS_CMD_RENEW) { DEBUG(0, ("password not available, offline auth may not work.\n")); /* password caching failures are not fatal errors */ } - talloc_zfree(tmp_ctx); return; } - talloc_set_destructor((TALLOC_CTX *)password, password_destructor); - ret = sysdb_cache_password(sysdb, pd->user, password); if (ret) { DEBUG(2, ("Failed to cache password, offline auth may not work." " (%d)[%s]!?\n", ret, strerror(ret))); /* password caching failures are not fatal errors */ } - - talloc_zfree(tmp_ctx); } /* krb5_auth request */ @@ -504,9 +484,17 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, case SSS_PAM_AUTHENTICATE: case SSS_CMD_RENEW: case SSS_PAM_CHAUTHTOK: + if (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { + DEBUG(1, ("Missing authtok for user [%s].\n", pd->user)); + state->pam_status = PAM_SYSTEM_ERR; + state->dp_err = DP_ERR_FATAL; + ret = EINVAL; + goto done; + } break; case SSS_PAM_CHAUTHTOK_PRELIM: - if (pd->priv == 1 && pd->authtok_size == 0) { + if (pd->priv == 1 && + sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { DEBUG(4, ("Password reset by root is not supported.\n")); state->pam_status = PAM_PERM_DENIED; state->dp_err = DP_ERR_OK; diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 66e22f433..d1a42d56f 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -950,7 +950,7 @@ done: } static krb5_error_code get_and_save_tgt(struct krb5_req *kr, - char *password) + const char *password) { krb5_error_code kerr = 0; int ret; @@ -971,7 +971,8 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr, DEBUG(SSSDBG_TRACE_FUNC, ("Attempting kinit for realm [%s]\n",realm_name)); kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, - password, sss_krb5_prompter, kr, 0, + discard_const(password), + sss_krb5_prompter, kr, 0, NULL, kr->options); if (kerr != 0) { KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); @@ -1066,8 +1067,8 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) { int ret; krb5_error_code kerr = 0; - char *pass_str = NULL; - char *newpass_str = NULL; + const char *password = NULL; + const char *newpassword = NULL; int pam_status = PAM_SYSTEM_ERR; int result_code = -1; krb5_data result_code_string; @@ -1082,20 +1083,15 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) DEBUG(SSSDBG_TRACE_LIBS, ("Password change operation\n")); - if (kr->pd->authtok_type != SSS_AUTHTOK_TYPE_PASSWORD) { + ret = sss_authtok_get_password(&kr->pd->authtok, &password, NULL); + if (ret != EOK) { + DEBUG(1, ("Failed to fetch current password [%d] %s.\n", + ret, strerror(ret))); pam_status = PAM_CRED_INSUFFICIENT; kerr = KRB5KRB_ERR_GENERIC; goto sendresponse; } - pass_str = talloc_strndup(kr, (const char *) kr->pd->authtok, - kr->pd->authtok_size); - if (pass_str == NULL) { - DEBUG(1, ("talloc_strndup failed.\n")); - kerr = KRB5KRB_ERR_GENERIC; - goto sendresponse; - } - if (kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) { /* We do not need a password expiration warning here. */ prompter = NULL; @@ -1112,7 +1108,8 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) DEBUG(SSSDBG_TRACE_FUNC, ("Attempting kinit for realm [%s]\n",realm_name)); kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, - pass_str, prompter, kr, 0, + discard_const(password), + prompter, kr, 0, SSSD_KRB5_CHANGEPW_PRINCIPAL, chagepw_options); sss_krb5_get_init_creds_opt_free(kr->ctx, chagepw_options); @@ -1121,9 +1118,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) goto sendresponse; } - memset(pass_str, 0, kr->pd->authtok_size); - talloc_zfree(pass_str); - memset(kr->pd->authtok, 0, kr->pd->authtok_size); + sss_authtok_set_empty(&kr->pd->authtok); if (kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) { DEBUG(SSSDBG_TRACE_LIBS, @@ -1134,17 +1129,18 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) goto sendresponse; } - newpass_str = talloc_strndup(kr, (const char *) kr->pd->newauthtok, - kr->pd->newauthtok_size); - if (newpass_str == NULL) { - DEBUG(1, ("talloc_strndup failed.\n")); + ret = sss_authtok_get_password(&kr->pd->newauthtok, &newpassword, NULL); + if (ret != EOK) { + DEBUG(1, ("Failed to fetch new password [%d] %s.\n", + ret, strerror(ret))); kerr = KRB5KRB_ERR_GENERIC; goto sendresponse; } memset(&result_code_string, 0, sizeof(krb5_data)); memset(&result_string, 0, sizeof(krb5_data)); - kerr = krb5_change_password(kr->ctx, kr->creds, newpass_str, &result_code, + kerr = krb5_change_password(kr->ctx, kr->creds, + discard_const(newpassword), &result_code, &result_code_string, &result_string); if (kerr == KRB5_KDC_UNREACH) { @@ -1200,10 +1196,9 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) krb5_free_cred_contents(kr->ctx, kr->creds); - kerr = get_and_save_tgt(kr, newpass_str); - memset(newpass_str, 0, kr->pd->newauthtok_size); - talloc_zfree(newpass_str); - memset(kr->pd->newauthtok, 0, kr->pd->newauthtok_size); + kerr = get_and_save_tgt(kr, newpassword); + + sss_authtok_set_empty(&kr->pd->newauthtok); pam_status = kerr_to_status(kerr); @@ -1220,28 +1215,21 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr) { int ret; krb5_error_code kerr = 0; - char *pass_str = NULL; + const char *password = NULL; int pam_status = PAM_SYSTEM_ERR; krb5_get_init_creds_opt *chagepw_options; DEBUG(SSSDBG_TRACE_LIBS, ("Attempting to get a TGT\n")); - if (kr->pd->authtok_type != SSS_AUTHTOK_TYPE_PASSWORD) { + ret = sss_authtok_get_password(&kr->pd->authtok, &password, NULL); + if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("Unknown authtok type\n")); pam_status = PAM_CRED_INSUFFICIENT; kerr = KRB5KRB_ERR_GENERIC; goto sendresponse; } - pass_str = talloc_strndup(kr, (const char *) kr->pd->authtok, - kr->pd->authtok_size); - if (pass_str == NULL) { - DEBUG(1, ("talloc_strndup failed.\n")); - kerr = KRB5KRB_ERR_GENERIC; - goto sendresponse; - } - - kerr = get_and_save_tgt(kr, pass_str); + kerr = get_and_save_tgt(kr, password); /* If the password is expired the KDC will always return KRB5KDC_ERR_KEY_EXP regardless if the supplied password is correct or @@ -1264,7 +1252,8 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr) } kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, - pass_str, sss_krb5_prompter, kr, 0, + discard_const(password), + sss_krb5_prompter, kr, 0, SSSD_KRB5_CHANGEPW_PRINCIPAL, chagepw_options); @@ -1276,9 +1265,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr) } } - memset(pass_str, 0, kr->pd->authtok_size); - talloc_zfree(pass_str); - memset(kr->pd->authtok, 0, kr->pd->authtok_size); + sss_authtok_set_empty(&kr->pd->authtok); pam_status = kerr_to_status(kerr); @@ -1333,25 +1320,20 @@ static errno_t renew_tgt_child(int fd, struct krb5_req *kr) int ret; int status = PAM_AUTHTOK_ERR; int kerr; - char *ccname; + const char *ccname; krb5_ccache ccache = NULL; DEBUG(SSSDBG_TRACE_LIBS, ("Renewing a ticket\n")); - if (kr->pd->authtok_type != SSS_AUTHTOK_TYPE_CCFILE) { - DEBUG(1, ("Unsupported authtok type for TGT renewal [%d].\n", - kr->pd->authtok_type)); + ret = sss_authtok_get_ccfile(&kr->pd->authtok, &ccname, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + ("Unsupported authtok type for TGT renewal [%d].\n", + sss_authtok_get_type(&kr->pd->authtok))); kerr = EINVAL; goto done; } - ccname = talloc_strndup(kr, (char *) kr->pd->authtok, kr->pd->authtok_size); - if (ccname == NULL) { - DEBUG(1, ("talloc_strndup failed.\n")); - kerr = ENOMEM; - goto done; - } - kerr = krb5_cc_resolve(kr->ctx, ccname, &ccache); if (kerr != 0) { KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); @@ -1444,6 +1426,38 @@ static errno_t create_empty_ccache(int fd, struct krb5_req *kr) return ret; } +static errno_t unpack_authtok(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok, + uint8_t *buf, size_t size, size_t *p) +{ + uint32_t auth_token_type; + uint32_t auth_token_length; + errno_t ret = EOK; + + SAFEALIGN_COPY_UINT32_CHECK(&auth_token_type, buf + *p, size, p); + SAFEALIGN_COPY_UINT32_CHECK(&auth_token_length, buf + *p, size, p); + if ((*p + auth_token_length) > size) { + return EINVAL; + } + switch (auth_token_type) { + case SSS_AUTHTOK_TYPE_EMPTY: + sss_authtok_set_empty(tok); + break; + case SSS_AUTHTOK_TYPE_PASSWORD: + ret = sss_authtok_set_password(mem_ctx, tok, (char *)(buf + *p), 0); + break; + case SSS_AUTHTOK_TYPE_CCFILE: + ret = sss_authtok_set_ccfile(mem_ctx, tok, (char *)(buf + *p), 0); + break; + default: + return EINVAL; + } + + if (ret == EOK) { + *p += auth_token_length; + } + return ret; +} + static errno_t unpack_buffer(uint8_t *buf, size_t size, struct pam_data *pd, struct krb5_req *kr, uint32_t *offline) { @@ -1451,6 +1465,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size, struct pam_data *pd, uint32_t len; uint32_t validate; uint32_t different_realm; + errno_t ret; DEBUG(SSSDBG_TRACE_LIBS, ("total buffer size: [%d]\n", size)); @@ -1491,35 +1506,26 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size, struct pam_data *pd, if (kr->keytab == NULL) return ENOMEM; p += len; - SAFEALIGN_COPY_UINT32_CHECK(&pd->authtok_type, buf + p, size, &p); - SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); - if ((p + len) > size) return EINVAL; - pd->authtok = (uint8_t *)talloc_strndup(pd, (char *)(buf + p), len); - if (pd->authtok == NULL) return ENOMEM; - pd->authtok_size = len + 1; - p += len; + ret = unpack_authtok(pd, &pd->authtok, buf, size, &p); + if (ret) { + return ret; + } DEBUG(SSSDBG_CONF_SETTINGS, ("ccname: [%s] keytab: [%s]\n", kr->ccname, kr->keytab)); } else { kr->ccname = NULL; kr->keytab = NULL; - pd->authtok = NULL; - pd->authtok_size = 0; + sss_authtok_set_empty(&pd->authtok); } if (pd->cmd == SSS_PAM_CHAUTHTOK) { - SAFEALIGN_COPY_UINT32_CHECK(&pd->newauthtok_type, buf + p, size, &p); - SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); - - if ((p + len) > size) return EINVAL; - pd->newauthtok = (uint8_t *)talloc_strndup(pd, (char *)(buf + p), len); - if (pd->newauthtok == NULL) return ENOMEM; - pd->newauthtok_size = len + 1; - p += len; + ret = unpack_authtok(pd, &pd->newauthtok, buf, size, &p); + if (ret) { + return ret; + } } else { - pd->newauthtok = NULL; - pd->newauthtok_size = 0; + sss_authtok_set_empty(&pd->newauthtok); } if (pd->cmd == SSS_PAM_ACCT_MGMT) { diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c index e792db3f7..5adbcf700 100644 --- a/src/providers/krb5/krb5_child_handler.c +++ b/src/providers/krb5/krb5_child_handler.c @@ -85,6 +85,43 @@ static int child_io_destructor(void *ptr) return EOK; } +static errno_t pack_authtok(struct io_buffer *buf, size_t *rp, + struct sss_auth_token *tok) +{ + uint32_t auth_token_type; + uint32_t auth_token_length; + const char *data; + size_t len; + errno_t ret = EOK; + + auth_token_type = sss_authtok_get_type(tok); + + switch (auth_token_type) { + case SSS_AUTHTOK_TYPE_EMPTY: + auth_token_length = 0; + data = ""; + break; + case SSS_AUTHTOK_TYPE_PASSWORD: + ret = sss_authtok_get_password(tok, &data, &len); + auth_token_length = len + 1; + break; + case SSS_AUTHTOK_TYPE_CCFILE: + ret = sss_authtok_get_password(tok, &data, &len); + auth_token_length = len + 1; + break; + default: + ret = EINVAL; + } + + if (ret == EOK) { + SAFEALIGN_COPY_UINT32(&buf->data[*rp], &auth_token_type, rp); + SAFEALIGN_COPY_UINT32(&buf->data[*rp], &auth_token_length, rp); + safealign_memcpy(&buf->data[*rp], data, auth_token_length, rp); + } + + return ret; +} + static errno_t create_send_buffer(struct krb5child_req *kr, struct io_buffer **io_buf) { @@ -94,6 +131,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr, uint32_t validate; uint32_t different_realm; size_t username_len = 0; + errno_t ret; keytab = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_KEYTAB); if (keytab == NULL) { @@ -117,11 +155,12 @@ static errno_t create_send_buffer(struct krb5child_req *kr, kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM || kr->pd->cmd == SSS_PAM_CHAUTHTOK) { buf->size += 4*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) + - kr->pd->authtok_size; + sss_authtok_get_size(&kr->pd->authtok); } if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) { - buf->size += 2*sizeof(uint32_t) + kr->pd->newauthtok_size; + buf->size += 2*sizeof(uint32_t) + + sss_authtok_get_size(&kr->pd->newauthtok); } if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) { @@ -157,17 +196,17 @@ static errno_t create_send_buffer(struct krb5child_req *kr, SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(keytab), &rp); safealign_memcpy(&buf->data[rp], keytab, strlen(keytab), &rp); - SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->pd->authtok_type, &rp); - SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->pd->authtok_size, &rp); - safealign_memcpy(&buf->data[rp], kr->pd->authtok, - kr->pd->authtok_size, &rp); + ret = pack_authtok(buf, &rp, &kr->pd->authtok); + if (ret) { + return ret; + } } if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) { - SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->pd->newauthtok_type, &rp); - SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->pd->newauthtok_size, &rp); - safealign_memcpy(&buf->data[rp], kr->pd->newauthtok, - kr->pd->newauthtok_size, &rp); + ret = pack_authtok(buf, &rp, &kr->pd->newauthtok); + if (ret) { + return ret; + } } if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) { diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c index d5dea3bb4..f95fa634c 100644 --- a/src/providers/krb5/krb5_delayed_online_authentication.c +++ b/src/providers/krb5/krb5_delayed_online_authentication.c @@ -71,27 +71,29 @@ static void authenticate_user(struct tevent_context *ev, DEBUG_PAM_DATA(9, pd); - if (pd->authtok == NULL || pd->authtok_size == 0) { - DEBUG(1, ("Missing authtok for user [%s].\n", pd->user)); - return; - } - #ifdef USE_KEYRING + char *password; long keysize; long keyrevoke; - int ret; - keysize = keyctl_read(pd->key_serial, (char *) pd->authtok, - pd->authtok_size); - keyrevoke = keyctl_revoke(pd->key_serial); + errno_t ret; + + keysize = keyctl_read_alloc(pd->key_serial, (void **)&password); if (keysize == -1) { ret = errno; DEBUG(1, ("keyctl_read failed [%d][%s].\n", ret, strerror(ret))); return; - } else if (keysize != pd->authtok_size) { - DEBUG(1, ("keyctl_read returned key with wrong size, " - "expect [%d] got [%d].\n", pd->authtok_size, keysize)); + } + + ret = sss_authtok_set_password(pd, &pd->authtok, password, keysize); + safezero(password, keysize); + free(password); + if (ret) { + DEBUG(1, ("failed to set password in auth token [%d][%s].\n", + ret, strerror(ret))); return; } + + keyrevoke = keyctl_revoke(pd->key_serial); if (keyrevoke == -1) { ret = errno; DEBUG(1, ("keyctl_revoke failed [%d][%s].\n", ret, strerror(ret))); @@ -244,8 +246,8 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx, return EINVAL; } - if (pd->authtok_size == 0 || pd->authtok == NULL) { - DEBUG(1, ("Missing authtok for user [%s].\n", pd->user)); + if (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { + DEBUG(1, ("Invalid authtok for user [%s].\n", pd->user)); return EINVAL; } @@ -257,17 +259,29 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx, #ifdef USE_KEYRING - new_pd->key_serial = add_key("user", new_pd->user, new_pd->authtok, - new_pd->authtok_size, KEY_SPEC_SESSION_KEYRING); + const char *password; + size_t len; + + ret = sss_authtok_get_password(&new_pd->authtok, &password, &len); + if (ret) { + DEBUG(1, ("Failed to get password [%d][%s].\n", ret, strerror(ret))); + sss_authtok_set_empty(&new_pd->authtok); + talloc_free(new_pd); + return ret; + } + + new_pd->key_serial = add_key("user", new_pd->user, password, len, + KEY_SPEC_SESSION_KEYRING); if (new_pd->key_serial == -1) { ret = errno; - DEBUG(1, ("add_key fialed [%d][%s].\n", ret, strerror(ret))); + DEBUG(1, ("add_key failed [%d][%s].\n", ret, strerror(ret))); + sss_authtok_set_empty(&new_pd->authtok); talloc_free(new_pd); return ret; } DEBUG(9, ("Saved authtok of user [%s] with serial [%ld].\n", new_pd->user, new_pd->key_serial)); - memset(new_pd->authtok, 0, new_pd->authtok_size); + sss_authtok_set_empty(&new_pd->authtok); #endif key.type = HASH_KEY_ULONG; diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c index b5eee697f..853154250 100644 --- a/src/providers/krb5/krb5_renew_tgt.c +++ b/src/providers/krb5/krb5_renew_tgt.c @@ -593,22 +593,14 @@ errno_t add_tgt_to_renew_table(struct krb5_ctx *krb5_ctx, const char *ccfile, goto done; } - if (renew_data->pd->newauthtok_type != SSS_AUTHTOK_TYPE_EMPTY) { - talloc_zfree(renew_data->pd->newauthtok); - renew_data->pd->newauthtok_size = 0; - renew_data->pd->newauthtok_type = SSS_AUTHTOK_TYPE_EMPTY; - } + sss_authtok_set_empty(&renew_data->pd->newauthtok); - talloc_zfree(renew_data->pd->authtok); - renew_data->pd->authtok = (uint8_t *) talloc_strdup(renew_data->pd, - renew_data->ccfile); - if (renew_data->pd->authtok == NULL) { - DEBUG(1, ("talloc_strdup failed.\n")); - ret = ENOMEM; + ret = sss_authtok_set_ccfile(renew_data->pd, &renew_data->pd->authtok, + renew_data->ccfile, 0); + if (ret) { + DEBUG(1, ("Failed to store ccfile in auth token.\n")); goto done; } - renew_data->pd->authtok_size = strlen((char *) renew_data->pd->authtok) + 1; - renew_data->pd->authtok_type = SSS_AUTHTOK_TYPE_CCFILE; renew_data->pd->cmd = SSS_CMD_RENEW; |