diff options
| -rw-r--r-- | src/providers/data_provider.h | 4 | ||||
| -rw-r--r-- | src/providers/dp_auth_util.c | 16 | ||||
| -rw-r--r-- | src/providers/dp_pam_data_util.c | 60 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_auth.c | 2 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_auth.c | 10 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_child.c | 28 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_child_handler.c | 8 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_delayed_online_authentication.c | 12 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_renew_tgt.c | 5 | ||||
| -rw-r--r-- | src/providers/ldap/ldap_auth.c | 12 | ||||
| -rw-r--r-- | src/providers/ldap/sdap_async_connection.c | 12 | ||||
| -rw-r--r-- | src/providers/proxy/proxy.h | 4 | ||||
| -rw-r--r-- | src/providers/proxy/proxy_auth.c | 2 | ||||
| -rw-r--r-- | src/providers/proxy/proxy_child.c | 18 | ||||
| -rw-r--r-- | src/responder/pam/pam_LOCAL_domain.c | 10 | ||||
| -rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 16 | ||||
| -rw-r--r-- | src/tests/krb5_child-test.c | 4 | ||||
| -rw-r--r-- | src/util/authtok.c | 48 | ||||
| -rw-r--r-- | src/util/authtok.h | 52 |
19 files changed, 186 insertions, 137 deletions
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h index 2ce16e859..8f385b798 100644 --- a/src/providers/data_provider.h +++ b/src/providers/data_provider.h @@ -176,8 +176,8 @@ struct pam_data { char *tty; char *ruser; char *rhost; - struct sss_auth_token authtok; - struct sss_auth_token newauthtok; + struct sss_auth_token *authtok; + struct sss_auth_token *newauthtok; uint32_t cli_pid; int pam_status; diff --git a/src/providers/dp_auth_util.c b/src/providers/dp_auth_util.c index 54f0ee8ed..0bf10a7d2 100644 --- a/src/providers/dp_auth_util.c +++ b/src/providers/dp_auth_util.c @@ -40,12 +40,12 @@ bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd) tty = pd->tty ? pd->tty : ""; ruser = pd->ruser ? pd->ruser : ""; rhost = pd->rhost ? pd->rhost : ""; - authtok_type = (uint32_t)sss_authtok_get_type(&pd->authtok); - authtok_data = sss_authtok_get_data(&pd->authtok); - authtok_length = sss_authtok_get_size(&pd->authtok); - new_authtok_type = (uint32_t)sss_authtok_get_type(&pd->newauthtok); - new_authtok_data = sss_authtok_get_data(&pd->newauthtok); - new_authtok_length = sss_authtok_get_size(&pd->newauthtok); + authtok_type = (uint32_t)sss_authtok_get_type(pd->authtok); + authtok_data = sss_authtok_get_data(pd->authtok); + authtok_length = sss_authtok_get_size(pd->authtok); + new_authtok_type = (uint32_t)sss_authtok_get_type(pd->newauthtok); + new_authtok_data = sss_authtok_get_data(pd->newauthtok); + new_authtok_length = sss_authtok_get_size(pd->newauthtok); db_ret = dbus_message_append_args(msg, DBUS_TYPE_INT32, &(pd->cmd), @@ -112,13 +112,13 @@ bool dp_unpack_pam_request(DBusMessage *msg, TALLOC_CTX *mem_ctx, return false; } - ret = sss_authtok_set(*new_pd, &((*new_pd)->authtok), authtok_type, + ret = sss_authtok_set((*new_pd)->authtok, authtok_type, authtok_data, authtok_length); if (ret) { DEBUG(1, ("Failed to set auth token: %d [%s]\n", ret, strerror(ret))); return false; } - ret = sss_authtok_set(*new_pd, &((*new_pd)->newauthtok), new_authtok_type, + ret = sss_authtok_set((*new_pd)->newauthtok, new_authtok_type, new_authtok_data, new_authtok_length); if (ret) { DEBUG(1, ("Failed to set auth token: %d [%s]\n", ret, strerror(ret))); diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c index 64f0d69bd..4c33f5836 100644 --- a/src/providers/dp_pam_data_util.c +++ b/src/providers/dp_pam_data_util.c @@ -53,8 +53,8 @@ int pam_data_destructor(void *ptr) struct pam_data *pd = talloc_get_type(ptr, struct pam_data); /* make sure to wipe any password from memory before freeing */ - sss_authtok_wipe_password(&pd->authtok); - sss_authtok_wipe_password(&pd->newauthtok); + sss_authtok_wipe_password(pd->authtok); + sss_authtok_wipe_password(pd->newauthtok); return 0; } @@ -65,13 +65,29 @@ struct pam_data *create_pam_data(TALLOC_CTX *mem_ctx) pd = talloc_zero(mem_ctx, struct pam_data); if (pd == NULL) { - DEBUG(1, ("talloc_zero failed.\n")); - return NULL; + DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n")); + goto failed; + } + + pd->authtok = sss_authtok_new(pd); + if (pd == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n")); + goto failed; + } + + pd->newauthtok = sss_authtok_new(pd); + if (pd == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n")); + goto failed; } talloc_set_destructor((TALLOC_CTX *) pd, pam_data_destructor); return pd; + +failed: + talloc_free(pd); + return NULL; } errno_t copy_pam_data(TALLOC_CTX *mem_ctx, struct pam_data *src, @@ -122,14 +138,34 @@ errno_t copy_pam_data(TALLOC_CTX *mem_ctx, struct pam_data *src, pd->cli_pid = src->cli_pid; - ret = sss_authtok_copy(pd, &src->authtok, &pd->authtok); - if (ret) { - goto failed; + /* if structure pam_data was allocated on stack and zero initialized, + * than src->authtok and src->newauthtok are NULL, therefore + * instead of copying, new empty authtok will be created. + */ + if (src->authtok) { + ret = sss_authtok_copy(src->authtok, pd->authtok); + if (ret) { + goto failed; + } + } else { + pd->authtok = sss_authtok_new(pd); + if (pd->authtok == NULL) { + ret = ENOMEM; + goto failed; + } } - ret = sss_authtok_copy(pd, &src->newauthtok, &pd->newauthtok); - if (ret) { - goto failed; + if (src->newauthtok) { + ret = sss_authtok_copy(src->newauthtok, pd->newauthtok); + if (ret) { + goto failed; + } + } else { + pd->newauthtok = sss_authtok_new(pd); + if (pd->newauthtok == NULL) { + ret = ENOMEM; + goto failed; + } } *dst = pd; @@ -151,8 +187,8 @@ void pam_print_data(int l, struct pam_data *pd) DEBUG(l, ("tty: %s\n", PAM_SAFE_ITEM(pd->tty))); DEBUG(l, ("ruser: %s\n", PAM_SAFE_ITEM(pd->ruser))); DEBUG(l, ("rhost: %s\n", PAM_SAFE_ITEM(pd->rhost))); - DEBUG(l, ("authtok type: %d\n", sss_authtok_get_type(&pd->authtok))); - DEBUG(l, ("newauthtok type: %d\n", sss_authtok_get_type(&pd->newauthtok))); + DEBUG(l, ("authtok type: %d\n", sss_authtok_get_type(pd->authtok))); + DEBUG(l, ("newauthtok type: %d\n", sss_authtok_get_type(pd->newauthtok))); DEBUG(l, ("priv: %d\n", pd->priv)); DEBUG(l, ("cli_pid: %d\n", pd->cli_pid)); } diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c index 5cb3d402e..b528c544d 100644 --- a/src/providers/ipa/ipa_auth.c +++ b/src/providers/ipa/ipa_auth.c @@ -371,7 +371,7 @@ static void ipa_migration_flag_connect_done(struct tevent_req *req) } req = sdap_auth_send(state, state->ev, state->sh, NULL, NULL, dn, - &state->pd->authtok); + state->pd->authtok); if (req == NULL) { DEBUG(SSSDBG_OP_FAILURE, ("sdap_auth_send failed.\n")); goto done; diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index a9b75768c..6c0f429fb 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -284,7 +284,7 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx, const char *password = NULL; errno_t ret; - ret = sss_authtok_get_password(&pd->authtok, &password, NULL); + ret = sss_authtok_get_password(pd->authtok, &password, NULL); if (ret != EOK) { DEBUG(0, ("Failed to get password [%d] %s\n", ret, strerror(ret))); *pam_status = PAM_SYSTEM_ERR; @@ -397,10 +397,10 @@ static void krb5_auth_store_creds(struct sysdb_ctx *sysdb, break; case SSS_PAM_AUTHENTICATE: case SSS_PAM_CHAUTHTOK_PRELIM: - ret = sss_authtok_get_password(&pd->authtok, &password, NULL); + ret = sss_authtok_get_password(pd->authtok, &password, NULL); break; case SSS_PAM_CHAUTHTOK: - ret = sss_authtok_get_password(&pd->newauthtok, &password, NULL); + ret = sss_authtok_get_password(pd->newauthtok, &password, NULL); break; default: DEBUG(0, ("unsupported PAM command [%d].\n", pd->cmd)); @@ -490,7 +490,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, case SSS_PAM_AUTHENTICATE: case SSS_CMD_RENEW: case SSS_PAM_CHAUTHTOK: - if (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { + if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { DEBUG(1, ("Missing authtok for user [%s].\n", pd->user)); state->pam_status = PAM_SYSTEM_ERR; state->dp_err = DP_ERR_FATAL; @@ -500,7 +500,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, break; case SSS_PAM_CHAUTHTOK_PRELIM: if (pd->priv == 1 && - sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { + sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { DEBUG(4, ("Password reset by root is not supported.\n")); state->pam_status = PAM_PERM_DENIED; state->dp_err = DP_ERR_OK; diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 52127b39a..4ccd75d26 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -1201,7 +1201,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim) DEBUG(SSSDBG_TRACE_LIBS, ("Password change operation\n")); - ret = sss_authtok_get_password(&kr->pd->authtok, &password, NULL); + ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL); if (ret != EOK) { DEBUG(1, ("Failed to fetch current password [%d] %s.\n", ret, strerror(ret))); @@ -1233,7 +1233,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim) return kerr; } - sss_authtok_set_empty(&kr->pd->authtok); + sss_authtok_set_empty(kr->pd->authtok); if (prelim) { DEBUG(SSSDBG_TRACE_LIBS, @@ -1243,7 +1243,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim) return EOK; } - ret = sss_authtok_get_password(&kr->pd->newauthtok, &newpassword, NULL); + ret = sss_authtok_get_password(kr->pd->newauthtok, &newpassword, NULL); if (ret != EOK) { DEBUG(1, ("Failed to fetch new password [%d] %s.\n", ret, strerror(ret))); @@ -1307,7 +1307,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim) kerr = get_and_save_tgt(kr, newpassword); - sss_authtok_set_empty(&kr->pd->newauthtok); + sss_authtok_set_empty(kr->pd->newauthtok); if (kerr == 0) { kerr = k5c_attach_ccname_msg(kr); @@ -1324,7 +1324,7 @@ static errno_t tgt_req_child(struct krb5_req *kr) DEBUG(SSSDBG_TRACE_LIBS, ("Attempting to get a TGT\n")); - ret = sss_authtok_get_password(&kr->pd->authtok, &password, NULL); + ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL); switch (ret) { if (ret == EACCES) { DEBUG(SSSDBG_OP_FAILURE, ("Invalid authtok type\n")); @@ -1379,7 +1379,7 @@ static errno_t tgt_req_child(struct krb5_req *kr) } done: - sss_authtok_set_empty(&kr->pd->authtok); + sss_authtok_set_empty(kr->pd->authtok); return ret; } @@ -1423,11 +1423,11 @@ static errno_t renew_tgt_child(struct krb5_req *kr) DEBUG(SSSDBG_TRACE_LIBS, ("Renewing a ticket\n")); - ret = sss_authtok_get_ccfile(&kr->pd->authtok, &ccname, NULL); + ret = sss_authtok_get_ccfile(kr->pd->authtok, &ccname, NULL); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("Unsupported authtok type for TGT renewal [%d].\n", - sss_authtok_get_type(&kr->pd->authtok))); + sss_authtok_get_type(kr->pd->authtok))); return ERR_INVALID_CRED_TYPE; } @@ -1527,10 +1527,10 @@ static errno_t unpack_authtok(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok, sss_authtok_set_empty(tok); break; case SSS_AUTHTOK_TYPE_PASSWORD: - ret = sss_authtok_set_password(mem_ctx, tok, (char *)(buf + *p), 0); + ret = sss_authtok_set_password(tok, (char *)(buf + *p), 0); break; case SSS_AUTHTOK_TYPE_CCFILE: - ret = sss_authtok_set_ccfile(mem_ctx, tok, (char *)(buf + *p), 0); + ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0); break; default: return EINVAL; @@ -1598,7 +1598,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size, if (kr->keytab == NULL) return ENOMEM; p += len; - ret = unpack_authtok(pd, &pd->authtok, buf, size, &p); + ret = unpack_authtok(pd, pd->authtok, buf, size, &p); if (ret) { return ret; } @@ -1608,16 +1608,16 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size, } else { kr->ccname = NULL; kr->keytab = NULL; - sss_authtok_set_empty(&pd->authtok); + sss_authtok_set_empty(pd->authtok); } if (pd->cmd == SSS_PAM_CHAUTHTOK) { - ret = unpack_authtok(pd, &pd->newauthtok, buf, size, &p); + ret = unpack_authtok(pd, pd->newauthtok, buf, size, &p); if (ret) { return ret; } } else { - sss_authtok_set_empty(&pd->newauthtok); + sss_authtok_set_empty(pd->newauthtok); } if (pd->cmd == SSS_PAM_ACCT_MGMT) { diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c index cc309af34..8ff65130f 100644 --- a/src/providers/krb5/krb5_child_handler.c +++ b/src/providers/krb5/krb5_child_handler.c @@ -155,12 +155,12 @@ static errno_t create_send_buffer(struct krb5child_req *kr, kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM || kr->pd->cmd == SSS_PAM_CHAUTHTOK) { buf->size += 4*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) + - sss_authtok_get_size(&kr->pd->authtok); + sss_authtok_get_size(kr->pd->authtok); } if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) { buf->size += 2*sizeof(uint32_t) + - sss_authtok_get_size(&kr->pd->newauthtok); + sss_authtok_get_size(kr->pd->newauthtok); } if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) { @@ -196,14 +196,14 @@ static errno_t create_send_buffer(struct krb5child_req *kr, SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(keytab), &rp); safealign_memcpy(&buf->data[rp], keytab, strlen(keytab), &rp); - ret = pack_authtok(buf, &rp, &kr->pd->authtok); + ret = pack_authtok(buf, &rp, kr->pd->authtok); if (ret) { return ret; } } if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) { - ret = pack_authtok(buf, &rp, &kr->pd->newauthtok); + ret = pack_authtok(buf, &rp, kr->pd->newauthtok); if (ret) { return ret; } diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c index f95fa634c..87e0f3c63 100644 --- a/src/providers/krb5/krb5_delayed_online_authentication.c +++ b/src/providers/krb5/krb5_delayed_online_authentication.c @@ -84,7 +84,7 @@ static void authenticate_user(struct tevent_context *ev, return; } - ret = sss_authtok_set_password(pd, &pd->authtok, password, keysize); + ret = sss_authtok_set_password(pd->authtok, password, keysize); safezero(password, keysize); free(password); if (ret) { @@ -246,7 +246,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx, return EINVAL; } - if (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { + if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { DEBUG(1, ("Invalid authtok for user [%s].\n", pd->user)); return EINVAL; } @@ -262,10 +262,10 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx, const char *password; size_t len; - ret = sss_authtok_get_password(&new_pd->authtok, &password, &len); + ret = sss_authtok_get_password(new_pd->authtok, &password, &len); if (ret) { DEBUG(1, ("Failed to get password [%d][%s].\n", ret, strerror(ret))); - sss_authtok_set_empty(&new_pd->authtok); + sss_authtok_set_empty(new_pd->authtok); talloc_free(new_pd); return ret; } @@ -275,13 +275,13 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx, if (new_pd->key_serial == -1) { ret = errno; DEBUG(1, ("add_key failed [%d][%s].\n", ret, strerror(ret))); - sss_authtok_set_empty(&new_pd->authtok); + sss_authtok_set_empty(new_pd->authtok); talloc_free(new_pd); return ret; } DEBUG(9, ("Saved authtok of user [%s] with serial [%ld].\n", new_pd->user, new_pd->key_serial)); - sss_authtok_set_empty(&new_pd->authtok); + sss_authtok_set_empty(new_pd->authtok); #endif key.type = HASH_KEY_ULONG; diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c index f2ee5d91f..0b1f26fd3 100644 --- a/src/providers/krb5/krb5_renew_tgt.c +++ b/src/providers/krb5/krb5_renew_tgt.c @@ -592,10 +592,9 @@ errno_t add_tgt_to_renew_table(struct krb5_ctx *krb5_ctx, const char *ccfile, goto done; } - sss_authtok_set_empty(&renew_data->pd->newauthtok); + sss_authtok_set_empty(renew_data->pd->newauthtok); - ret = sss_authtok_set_ccfile(renew_data->pd, &renew_data->pd->authtok, - renew_data->ccfile, 0); + ret = sss_authtok_set_ccfile(renew_data->pd->authtok, renew_data->ccfile, 0); if (ret) { DEBUG(1, ("Failed to store ccfile in auth token.\n")); goto done; diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index e10c5b0e9..f4e6d28f0 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -722,7 +722,7 @@ void sdap_pam_chpass_handler(struct be_req *breq) } if ((pd->priv == 1) && (pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) && - (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD)) { + (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD)) { DEBUG(4, ("Password reset by root is not supported.\n")); pd->pam_status = PAM_PERM_DENIED; dp_err = DP_ERR_OK; @@ -747,7 +747,7 @@ void sdap_pam_chpass_handler(struct be_req *breq) state->ctx = ctx; subreq = auth_send(breq, be_ctx->ev, ctx, - state->username, &pd->authtok, true); + state->username, pd->authtok, true); if (!subreq) goto done; tevent_req_set_callback(subreq, sdap_auth4chpass_done, state); @@ -820,13 +820,13 @@ static void sdap_auth4chpass_done(struct tevent_req *req) const char *password; const char *new_password; - ret = sss_authtok_get_password(&state->pd->authtok, + ret = sss_authtok_get_password(state->pd->authtok, &password, NULL); if (ret) { state->pd->pam_status = PAM_SYSTEM_ERR; goto done; } - ret = sss_authtok_get_password(&state->pd->newauthtok, + ret = sss_authtok_get_password(state->pd->newauthtok, &new_password, NULL); if (ret) { state->pd->pam_status = PAM_SYSTEM_ERR; @@ -990,7 +990,7 @@ void sdap_pam_auth_handler(struct be_req *breq) state->pd = pd; subreq = auth_send(breq, be_ctx->ev, ctx, - pd->user, &pd->authtok, + pd->user, pd->authtok, pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ? true : false); if (!subreq) goto done; @@ -1102,7 +1102,7 @@ static void sdap_pam_auth_done(struct tevent_req *req) if (ret == EOK && be_ctx->domain->cache_credentials) { - ret = sss_authtok_get_password(&state->pd->authtok, &password, NULL); + ret = sss_authtok_get_password(state->pd->authtok, &password, NULL); if (ret == EOK) { ret = sysdb_cache_password(be_ctx->domain->sysdb, be_ctx->domain, state->pd->user, password); diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c index 280268a1c..b05edf6f9 100644 --- a/src/providers/ldap/sdap_async_connection.c +++ b/src/providers/ldap/sdap_async_connection.c @@ -1573,7 +1573,7 @@ static void sdap_cli_auth_step(struct tevent_req *req) SDAP_DEFAULT_BIND_DN); const char *authtok_type; struct dp_opt_blob authtok_blob; - struct sss_auth_token authtok = { 0 }; + struct sss_auth_token *authtok; errno_t ret; /* Set the LDAP expiration time @@ -1599,6 +1599,12 @@ static void sdap_cli_auth_step(struct tevent_req *req) authtok_type = dp_opt_get_string(state->opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE); + authtok = sss_authtok_new(state); + if(authtok == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + if (authtok_type != NULL) { if (strcasecmp(authtok_type, "password") != 0) { DEBUG(SSSDBG_TRACE_LIBS, ("Invalid authtoken type\n")); @@ -1609,7 +1615,7 @@ static void sdap_cli_auth_step(struct tevent_req *req) authtok_blob = dp_opt_get_blob(state->opts->basic, SDAP_DEFAULT_AUTHTOK); if (authtok_blob.data) { - ret = sss_authtok_set_password(state, &authtok, + ret = sss_authtok_set_password(authtok, (const char *)authtok_blob.data, authtok_blob.length); if (ret) { @@ -1623,7 +1629,7 @@ static void sdap_cli_auth_step(struct tevent_req *req) state->sh, sasl_mech, dp_opt_get_string(state->opts->basic, SDAP_SASL_AUTHID), - user_dn, &authtok); + user_dn, authtok); if (!subreq) { tevent_req_error(req, ENOMEM); return; diff --git a/src/providers/proxy/proxy.h b/src/providers/proxy/proxy.h index 305cbe978..db0fcb438 100644 --- a/src/providers/proxy/proxy.h +++ b/src/providers/proxy/proxy.h @@ -89,8 +89,8 @@ struct proxy_nss_ops { }; struct authtok_conv { - struct sss_auth_token authtok; - struct sss_auth_token newauthtok; + struct sss_auth_token *authtok; + struct sss_auth_token *newauthtok; bool sent_old; }; diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c index 3e6a514ab..011de4fbb 100644 --- a/src/providers/proxy/proxy_auth.c +++ b/src/providers/proxy/proxy_auth.c @@ -750,7 +750,7 @@ static void proxy_child_done(struct tevent_req *req) if ((pd->cmd == SSS_PAM_AUTHENTICATE || pd->cmd == SSS_PAM_CHAUTHTOK) && (pd->pam_status == PAM_SUCCESS) && be_ctx->domain->cache_credentials) { - ret = sss_authtok_get_password(&pd->authtok, &password, NULL); + ret = sss_authtok_get_password(pd->authtok, &password, NULL); if (ret) { /* password caching failures are not fatal errors */ DEBUG(2, ("Failed to cache password\n")); diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c index 556dbf9b5..efdf9120a 100644 --- a/src/providers/proxy/proxy_child.c +++ b/src/providers/proxy/proxy_child.c @@ -98,7 +98,7 @@ static int proxy_internal_conv(int num_msg, const struct pam_message **msgm, DEBUG(4, ("Conversation message: [%s]\n", msgm[i]->msg)); reply[i].resp_retcode = 0; - ret = sss_authtok_get_password(&auth_data->authtok, + ret = sss_authtok_get_password(auth_data->authtok, &password, &pwlen); if (ret) goto failed; reply[i].resp = calloc(pwlen + 1, sizeof(char)); @@ -149,7 +149,7 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm, reply[i].resp_retcode = 0; if (!auth_data->sent_old) { /* The first prompt will be asking for the old authtok */ - ret = sss_authtok_get_password(&auth_data->authtok, + ret = sss_authtok_get_password(auth_data->authtok, &password, &pwlen); if (ret) goto failed; reply[i].resp = calloc(pwlen + 1, sizeof(char)); @@ -159,7 +159,7 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm, } else { /* Subsequent prompts are looking for the new authtok */ - ret = sss_authtok_get_password(&auth_data->newauthtok, + ret = sss_authtok_get_password(auth_data->newauthtok, &password, &pwlen); if (ret) goto failed; reply[i].resp = calloc(pwlen + 1, sizeof(char)); @@ -224,8 +224,7 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd) } switch (pd->cmd) { case SSS_PAM_AUTHENTICATE: - sss_authtok_copy(auth_data, &pd->authtok, - &auth_data->authtok); + sss_authtok_copy(pd->authtok, auth_data->authtok); pam_status = pam_authenticate(pamh, 0); break; case SSS_PAM_SETCRED: @@ -241,21 +240,18 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd) pam_status=pam_close_session(pamh, 0); break; case SSS_PAM_CHAUTHTOK: - sss_authtok_copy(auth_data, &pd->authtok, - &auth_data->authtok); + sss_authtok_copy(pd->authtok, auth_data->authtok); if (pd->priv != 1) { pam_status = pam_authenticate(pamh, 0); auth_data->sent_old = false; if (pam_status != PAM_SUCCESS) break; } - sss_authtok_copy(auth_data, &pd->newauthtok, - &auth_data->newauthtok); + sss_authtok_copy(pd->newauthtok, auth_data->newauthtok); pam_status = pam_chauthtok(pamh, 0); break; case SSS_PAM_CHAUTHTOK_PRELIM: if (pd->priv != 1) { - sss_authtok_copy(auth_data, &pd->authtok, - &auth_data->authtok); + sss_authtok_copy(pd->authtok, auth_data->authtok); pam_status = pam_authenticate(pamh, 0); } else { pam_status = PAM_SUCCESS; diff --git a/src/responder/pam/pam_LOCAL_domain.c b/src/responder/pam/pam_LOCAL_domain.c index 72ea61e85..4aec3e4df 100644 --- a/src/responder/pam/pam_LOCAL_domain.c +++ b/src/responder/pam/pam_LOCAL_domain.c @@ -164,7 +164,7 @@ static void do_pam_chauthtok(struct LOCAL_request *lreq) pd = lreq->preq->pd; - ret = sss_authtok_get_password(&pd->newauthtok, &password, NULL); + ret = sss_authtok_get_password(pd->newauthtok, &password, NULL); if (ret) { /* TODO: should we allow null passwords via a config option ? */ if (ret == ENOENT) { @@ -204,7 +204,7 @@ static void do_pam_chauthtok(struct LOCAL_request *lreq) lreq->error, ret, done); done: - sss_authtok_set_empty(&pd->newauthtok); + sss_authtok_set_empty(pd->newauthtok); } int LOCAL_pam_handler(struct pam_auth_req *preq) @@ -288,7 +288,7 @@ int LOCAL_pam_handler(struct pam_auth_req *preq) DEBUG(4, ("allowing root to reset a password.\n")); break; } - ret = sss_authtok_get_password(&pd->authtok, &password, NULL); + ret = sss_authtok_get_password(pd->authtok, &password, NULL); NEQ_CHECK_OR_JUMP(ret, EOK, ("Failed to get password.\n"), lreq->error, ret, done); @@ -336,8 +336,8 @@ int LOCAL_pam_handler(struct pam_auth_req *preq) } done: - sss_authtok_set_empty(&pd->newauthtok); - sss_authtok_set_empty(&pd->authtok); + sss_authtok_set_empty(pd->newauthtok); + sss_authtok_set_empty(pd->authtok); prepare_reply(lreq); return EOK; } diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index fa6cf23cd..e6300a759 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -65,8 +65,7 @@ static int extract_authtok_v2(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok, sss_authtok_set_empty(tok); break; case SSS_AUTHTOK_TYPE_PASSWORD: - ret = sss_authtok_set_password(mem_ctx, tok, - (const char *)auth_token_data, + ret = sss_authtok_set_password(tok, (const char *)auth_token_data, auth_token_length); break; default: @@ -197,12 +196,12 @@ static int pam_parse_in_data_v2(struct sss_domain_info *domains, if (ret != EOK) return ret; break; case SSS_PAM_ITEM_AUTHTOK: - ret = extract_authtok_v2(pd, &pd->authtok, + ret = extract_authtok_v2(pd, pd->authtok, size, body, blen, &c); if (ret != EOK) return ret; break; case SSS_PAM_ITEM_NEWAUTHTOK: - ret = extract_authtok_v2(pd, &pd->newauthtok, + ret = extract_authtok_v2(pd, pd->newauthtok, size, body, blen, &c); if (ret != EOK) return ret; break; @@ -260,8 +259,7 @@ static int extract_authtok_v1(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok, sss_authtok_set_empty(tok); break; case SSS_AUTHTOK_TYPE_PASSWORD: - ret = sss_authtok_set_password(mem_ctx, tok, - (const char *)auth_token_data, + ret = sss_authtok_set_password(tok, (const char *)auth_token_data, auth_token_length); break; default: @@ -310,12 +308,12 @@ static int pam_parse_in_data(struct sss_domain_info *domains, if (body[end++] != '\0') return EINVAL; pd->rhost = (char *) &body[start]; - ret = extract_authtok_v1(pd, &pd->authtok, body, blen, &end); + ret = extract_authtok_v1(pd, pd->authtok, body, blen, &end); if (ret) { DEBUG(1, ("Invalid auth token\n")); return ret; } - ret = extract_authtok_v1(pd, &pd->newauthtok, body, blen, &end); + ret = extract_authtok_v1(pd, pd->newauthtok, body, blen, &end); if (ret) { DEBUG(1, ("Invalid new auth token\n")); return ret; @@ -489,7 +487,7 @@ static void pam_reply(struct pam_auth_req *preq) goto done; } - ret = sss_authtok_get_password(&pd->authtok, &password, NULL); + ret = sss_authtok_get_password(pd->authtok, &password, NULL); if (ret) { DEBUG(0, ("Failed to get password.\n")); goto done; diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c index 302cf3c8e..423f8bb84 100644 --- a/src/tests/krb5_child-test.c +++ b/src/tests/krb5_child-test.c @@ -176,10 +176,10 @@ create_dummy_pam_data(TALLOC_CTX *mem_ctx, const char *user, pd->user = talloc_strdup(pd, user); if (!pd->user) goto fail; - ret = sss_authtok_set_password(pd, &pd->authtok, password, 0); + ret = sss_authtok_set_password(pd->authtok, password, 0); if (ret) goto fail; - (void)sss_authtok_get_password(&pd->authtok, &authtok, &authtok_len); + (void)sss_authtok_get_password(pd->authtok, &authtok, &authtok_len); DEBUG(SSSDBG_FUNC_DATA, ("Authtok [%s] len [%d]\n", authtok, (int)authtok_len)); diff --git a/src/util/authtok.c b/src/util/authtok.c index 1c54d04cc..83e6a1c94 100644 --- a/src/util/authtok.c +++ b/src/util/authtok.c @@ -19,6 +19,12 @@ #include "authtok.h" +struct sss_auth_token { + enum sss_authtok_type type; + uint8_t *data; + size_t length; +}; + enum sss_authtok_type sss_authtok_get_type(struct sss_auth_token *tok) { return tok->type; @@ -80,8 +86,7 @@ errno_t sss_authtok_get_ccfile(struct sss_auth_token *tok, return EINVAL; } -static errno_t sss_authtok_set_string(TALLOC_CTX *mem_ctx, - struct sss_auth_token *tok, +static errno_t sss_authtok_set_string(struct sss_auth_token *tok, enum sss_authtok_type type, const char *context_name, const char *str, size_t len) @@ -101,7 +106,7 @@ static errno_t sss_authtok_set_string(TALLOC_CTX *mem_ctx, size = len + 1; - tok->data = talloc_named(mem_ctx, size, "%s", context_name); + tok->data = talloc_named(tok, size, "%s", context_name); if (!tok->data) { return ENOMEM; } @@ -131,38 +136,33 @@ void sss_authtok_set_empty(struct sss_auth_token *tok) tok->length = 0; } -errno_t sss_authtok_set_password(TALLOC_CTX *mem_ctx, - struct sss_auth_token *tok, +errno_t sss_authtok_set_password(struct sss_auth_token *tok, const char *password, size_t len) { sss_authtok_set_empty(tok); - return sss_authtok_set_string(mem_ctx, tok, - SSS_AUTHTOK_TYPE_PASSWORD, + return sss_authtok_set_string(tok, SSS_AUTHTOK_TYPE_PASSWORD, "password", password, len); } -errno_t sss_authtok_set_ccfile(TALLOC_CTX *mem_ctx, - struct sss_auth_token *tok, +errno_t sss_authtok_set_ccfile(struct sss_auth_token *tok, const char *ccfile, size_t len) { sss_authtok_set_empty(tok); - return sss_authtok_set_string(mem_ctx, tok, - SSS_AUTHTOK_TYPE_CCFILE, + return sss_authtok_set_string(tok, SSS_AUTHTOK_TYPE_CCFILE, "ccfile", ccfile, len); } -errno_t sss_authtok_set(TALLOC_CTX *mem_ctx, - struct sss_auth_token *tok, +errno_t sss_authtok_set(struct sss_auth_token *tok, enum sss_authtok_type type, uint8_t *data, size_t len) { switch (type) { case SSS_AUTHTOK_TYPE_PASSWORD: - return sss_authtok_set_password(mem_ctx, tok, (const char *)data, len); + return sss_authtok_set_password(tok, (const char *)data, len); case SSS_AUTHTOK_TYPE_CCFILE: - return sss_authtok_set_ccfile(mem_ctx, tok, (const char *)data, len); + return sss_authtok_set_ccfile(tok, (const char *)data, len); case SSS_AUTHTOK_TYPE_EMPTY: sss_authtok_set_empty(tok); return EOK; @@ -171,8 +171,7 @@ errno_t sss_authtok_set(TALLOC_CTX *mem_ctx, return EINVAL; } -errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx, - struct sss_auth_token *src, +errno_t sss_authtok_copy(struct sss_auth_token *src, struct sss_auth_token *dst) { sss_authtok_set_empty(dst); @@ -181,7 +180,7 @@ errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx, return EOK; } - dst->data = talloc_memdup(mem_ctx, src->data, src->length); + dst->data = talloc_memdup(dst, src->data, src->length); if (!dst->data) { return ENOMEM; } @@ -191,6 +190,19 @@ errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx, return EOK; } +struct sss_auth_token *sss_authtok_new(TALLOC_CTX *mem_ctx) +{ + struct sss_auth_token *token; + + token = talloc_zero(mem_ctx, struct sss_auth_token); + if (token == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n")); + } + + return token; +} + + void sss_authtok_wipe_password(struct sss_auth_token *tok) { if (tok->type != SSS_AUTHTOK_TYPE_PASSWORD) { diff --git a/src/util/authtok.h b/src/util/authtok.h index 21cfe4a1c..8f327d4c0 100644 --- a/src/util/authtok.h +++ b/src/util/authtok.h @@ -23,15 +23,9 @@ #include "util/util.h" #include "sss_client/sss_cli.h" -/* Auth token structure, - * please never use directly. - * Use sss_authtok_* accesor functions instead +/* Use sss_authtok_* accesor functions instead of struct sss_auth_token */ -struct sss_auth_token { - enum sss_authtok_type type; - uint8_t *data; - size_t length; -}; +struct sss_auth_token; /** * @brief Returns the token type @@ -79,8 +73,8 @@ errno_t sss_authtok_get_password(struct sss_auth_token *tok, /** * @brief Set a password into a an auth token, replacing any previous data * - * @param mem_ctx A memory context use to allocate the internal data - * @param tok A pointer to a sss_auth_token structure to change + * @param tok A pointer to a sss_auth_token structure to change, also + * used as a memory context to allocate the internal data. * @param password A string * @param len The length of the string or, if 0 is passed, * then strlen(password) will be used internally. @@ -88,8 +82,7 @@ errno_t sss_authtok_get_password(struct sss_auth_token *tok, * @return EOK on success * ENOMEM on error */ -errno_t sss_authtok_set_password(TALLOC_CTX *mem_ctx, - struct sss_auth_token *tok, +errno_t sss_authtok_set_password(struct sss_auth_token *tok, const char *password, size_t len); /** @@ -98,7 +91,7 @@ errno_t sss_authtok_set_password(TALLOC_CTX *mem_ctx, * * @param tok A pointer to an sss_auth_token * @param ccfile A pointer to a const char *, that will point to a null - * terminated string + * terminated string, also used as a memory context use to allocate the internal data * @param len The length of the string * * @return EOK on success @@ -111,16 +104,15 @@ errno_t sss_authtok_get_ccfile(struct sss_auth_token *tok, /** * @brief Set a cc file name into a an auth token, replacing any previous data * - * @param mem_ctx A memory context use to allocate the internal data - * @param tok A pointer to a sss_auth_token structure to change + * @param tok A pointer to a sss_auth_token structure to change, also + * used as a memory context to allocate the internal data. * @param ccfile A null terminated string * @param len The length of the string * * @return EOK on success * ENOMEM on error */ -errno_t sss_authtok_set_ccfile(TALLOC_CTX *mem_ctx, - struct sss_auth_token *tok, +errno_t sss_authtok_set_ccfile(struct sss_auth_token *tok, const char *ccfile, size_t len); /** @@ -136,8 +128,8 @@ void sss_authtok_set_empty(struct sss_auth_token *tok); /** * @brief Set an auth token by type, replacing any previous data * - * @param mem_ctx A memory context use to allocate the internal data - * @param tok A pointer to a sss_auth_token structure to change + * @param tok A pointer to a sss_auth_token structure to change, also + * used as a memory context to allocate the internal data. * @param type A valid authtok type * @param ccfile A data pointer * @param len The length of the data @@ -145,23 +137,21 @@ void sss_authtok_set_empty(struct sss_auth_token *tok); * @return EOK on success * ENOMEM or EINVAL on error */ -errno_t sss_authtok_set(TALLOC_CTX *mem_ctx, - struct sss_auth_token *tok, +errno_t sss_authtok_set(struct sss_auth_token *tok, enum sss_authtok_type type, uint8_t *data, size_t len); /** * @brief Copy an auth token from source to destination * - * @param mem_ctx The memory context to use for allocations on dst * @param src The source auth token - * @param dst The destination auth token + * @param dst The destination auth token, also used as a memory context + * to allocate dst internal data. * * @return EOK on success * ENOMEM on error */ -errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx, - struct sss_auth_token *src, +errno_t sss_authtok_copy(struct sss_auth_token *src, struct sss_auth_token *dst); /** @@ -177,4 +167,16 @@ errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx, */ void sss_authtok_wipe_password(struct sss_auth_token *tok); +/** + * @brief Create new empty struct sss_auth_token. + * + * @param mem_ctx A memory context use to allocate the internal data + * @return A pointer to new empty struct sss_auth_token + * NULL in case of failure + * + * NOTE: This function is the only way, how to create new empty + * struct sss_auth_token. + */ +struct sss_auth_token *sss_authtok_new(TALLOC_CTX *mem_ctx); + #endif /* __AUTHTOK_H__ */ |