diff options
Diffstat (limited to 'src/responder/pam/pamsrv_cmd.c')
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 341 |
1 files changed, 0 insertions, 341 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index 2823f8133..de60494b1 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -124,87 +124,6 @@ static bool is_domain_requested(struct pam_data *pd, const char *domain_name) return false; } -static int extract_authtok_v2(struct sss_auth_token *tok, - size_t data_size, uint8_t *body, size_t blen, - size_t *c) -{ - uint32_t auth_token_type; - uint32_t auth_token_length; - uint8_t *auth_token_data; - int ret = EOK; - - if (data_size < sizeof(uint32_t) || *c+data_size > blen || - SIZE_T_OVERFLOW(*c, data_size)) return EINVAL; - - SAFEALIGN_COPY_UINT32_CHECK(&auth_token_type, &body[*c], blen, c); - auth_token_length = data_size - sizeof(uint32_t); - auth_token_data = body+(*c); - - switch (auth_token_type) { - case SSS_AUTHTOK_TYPE_EMPTY: - sss_authtok_set_empty(tok); - break; - case SSS_AUTHTOK_TYPE_PASSWORD: - if (auth_token_length == 0) { - sss_authtok_set_empty(tok); - } else { - ret = sss_authtok_set_password(tok, (const char *)auth_token_data, - auth_token_length); - } - break; - case SSS_AUTHTOK_TYPE_2FA: - ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA, - auth_token_data, auth_token_length); - break; - case SSS_AUTHTOK_TYPE_SC_PIN: - ret = sss_authtok_set_sc_pin(tok, (const char *) auth_token_data, - auth_token_length); - break; - case SSS_AUTHTOK_TYPE_SC_KEYPAD: - sss_authtok_set_sc_keypad(tok); - break; - default: - return EINVAL; - } - - *c += auth_token_length; - - return ret; -} - -static int extract_string(char **var, size_t size, uint8_t *body, size_t blen, - size_t *c) { - uint8_t *str; - - if (*c+size > blen || SIZE_T_OVERFLOW(*c, size)) return EINVAL; - - str = body+(*c); - - if (str[size-1]!='\0') return EINVAL; - - /* If the string isn't valid UTF-8, fail */ - if (!sss_utf8_check(str, size-1)) { - return EINVAL; - } - - *c += size; - - *var = (char *) str; - - return EOK; -} - -static int extract_uint32_t(uint32_t *var, size_t size, uint8_t *body, - size_t blen, size_t *c) { - - if (size != sizeof(uint32_t) || *c+size > blen || SIZE_T_OVERFLOW(*c, size)) - return EINVAL; - - SAFEALIGN_COPY_UINT32_CHECK(var, &body[*c], blen, c); - - return EOK; -} - static int pd_set_primary_name(const struct ldb_message *msg,struct pam_data *pd) { const char *name; @@ -225,204 +144,6 @@ static int pd_set_primary_name(const struct ldb_message *msg,struct pam_data *pd return EOK; } -static int pam_parse_in_data_v2(struct pam_data *pd, - uint8_t *body, size_t blen) -{ - size_t c; - uint32_t type; - uint32_t size; - int ret; - uint32_t start; - uint32_t terminator; - char *requested_domains; - - if (blen < 4*sizeof(uint32_t)+2) { - DEBUG(SSSDBG_CRIT_FAILURE, "Received data is invalid.\n"); - return EINVAL; - } - - SAFEALIGN_COPY_UINT32(&start, body, NULL); - SAFEALIGN_COPY_UINT32(&terminator, body + blen - sizeof(uint32_t), NULL); - - if (start != SSS_START_OF_PAM_REQUEST - || terminator != SSS_END_OF_PAM_REQUEST) { - DEBUG(SSSDBG_CRIT_FAILURE, "Received data is invalid.\n"); - return EINVAL; - } - - c = sizeof(uint32_t); - do { - SAFEALIGN_COPY_UINT32_CHECK(&type, &body[c], blen, &c); - - if (type == SSS_END_OF_PAM_REQUEST) { - if (c != blen) return EINVAL; - } else { - SAFEALIGN_COPY_UINT32_CHECK(&size, &body[c], blen, &c); - /* the uint32_t end maker SSS_END_OF_PAM_REQUEST does not count to - * the remaining buffer */ - if (size > (blen - c - sizeof(uint32_t))) { - DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data size.\n"); - return EINVAL; - } - - switch(type) { - case SSS_PAM_ITEM_USER: - ret = extract_string(&pd->logon_name, size, body, blen, &c); - if (ret != EOK) return ret; - break; - case SSS_PAM_ITEM_SERVICE: - ret = extract_string(&pd->service, size, body, blen, &c); - if (ret != EOK) return ret; - break; - case SSS_PAM_ITEM_TTY: - ret = extract_string(&pd->tty, size, body, blen, &c); - if (ret != EOK) return ret; - break; - case SSS_PAM_ITEM_RUSER: - ret = extract_string(&pd->ruser, size, body, blen, &c); - if (ret != EOK) return ret; - break; - case SSS_PAM_ITEM_RHOST: - ret = extract_string(&pd->rhost, size, body, blen, &c); - if (ret != EOK) return ret; - break; - case SSS_PAM_ITEM_REQUESTED_DOMAINS: - ret = extract_string(&requested_domains, size, body, blen, - &c); - if (ret != EOK) return ret; - - ret = split_on_separator(pd, requested_domains, ',', true, - true, &pd->requested_domains, - NULL); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Failed to parse requested_domains list!\n"); - return ret; - } - break; - case SSS_PAM_ITEM_CLI_PID: - ret = extract_uint32_t(&pd->cli_pid, size, - body, blen, &c); - if (ret != EOK) return ret; - break; - case SSS_PAM_ITEM_AUTHTOK: - ret = extract_authtok_v2(pd->authtok, - size, body, blen, &c); - if (ret != EOK) return ret; - break; - case SSS_PAM_ITEM_NEWAUTHTOK: - ret = extract_authtok_v2(pd->newauthtok, - size, body, blen, &c); - if (ret != EOK) return ret; - break; - default: - DEBUG(SSSDBG_CRIT_FAILURE, - "Ignoring unknown data type [%d].\n", type); - c += size; - } - } - - } while(c < blen); - - return EOK; - -} - -static int pam_parse_in_data_v3(struct pam_data *pd, - uint8_t *body, size_t blen) -{ - int ret; - - ret = pam_parse_in_data_v2(pd, body, blen); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "pam_parse_in_data_v2 failed.\n"); - return ret; - } - - if (pd->cli_pid == 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Missing client PID.\n"); - return EINVAL; - } - - return EOK; -} - -static int extract_authtok_v1(struct sss_auth_token *tok, - uint8_t *body, size_t blen, size_t *c) -{ - uint32_t auth_token_type; - uint32_t auth_token_length; - uint8_t *auth_token_data; - int ret = EOK; - - SAFEALIGN_COPY_UINT32_CHECK(&auth_token_type, &body[*c], blen, c); - SAFEALIGN_COPY_UINT32_CHECK(&auth_token_length, &body[*c], blen, c); - auth_token_data = body+(*c); - - switch (auth_token_type) { - case SSS_AUTHTOK_TYPE_EMPTY: - sss_authtok_set_empty(tok); - break; - case SSS_AUTHTOK_TYPE_PASSWORD: - ret = sss_authtok_set_password(tok, (const char *)auth_token_data, - auth_token_length); - break; - default: - return EINVAL; - } - - *c += auth_token_length; - - return ret; -} - -static int pam_parse_in_data(struct pam_data *pd, - uint8_t *body, size_t blen) -{ - size_t start; - size_t end; - size_t last; - int ret; - - last = blen - 1; - end = 0; - - /* user name */ - for (start = end; end < last; end++) if (body[end] == '\0') break; - if (body[end++] != '\0') return EINVAL; - pd->logon_name = (char *) &body[start]; - - for (start = end; end < last; end++) if (body[end] == '\0') break; - if (body[end++] != '\0') return EINVAL; - pd->service = (char *) &body[start]; - - for (start = end; end < last; end++) if (body[end] == '\0') break; - if (body[end++] != '\0') return EINVAL; - pd->tty = (char *) &body[start]; - - for (start = end; end < last; end++) if (body[end] == '\0') break; - if (body[end++] != '\0') return EINVAL; - pd->ruser = (char *) &body[start]; - - for (start = end; end < last; end++) if (body[end] == '\0') break; - if (body[end++] != '\0') return EINVAL; - pd->rhost = (char *) &body[start]; - - ret = extract_authtok_v1(pd->authtok, body, blen, &end); - if (ret) { - DEBUG(SSSDBG_CRIT_FAILURE, "Invalid auth token\n"); - return ret; - } - ret = extract_authtok_v1(pd->newauthtok, body, blen, &end); - if (ret) { - DEBUG(SSSDBG_CRIT_FAILURE, "Invalid new auth token\n"); - return ret; - } - - DEBUG_PAM_DATA(SSSDBG_CONF_SETTINGS, pd); - - return EOK; -} /*=Save-Last-Login-State===================================================*/ @@ -911,68 +632,6 @@ static int pam_check_user_done(struct pam_auth_req *preq, int ret); * PAM_ENVIRONMENT, so that we can save performing some calls and cache * data. */ -static errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *pd) -{ - uint8_t *body; - size_t blen; - errno_t ret; - uint32_t terminator; - - sss_packet_get_body(cctx->creq->in, &body, &blen); - if (blen >= sizeof(uint32_t)) { - SAFEALIGN_COPY_UINT32(&terminator, - body + blen - sizeof(uint32_t), - NULL); - if (terminator != SSS_END_OF_PAM_REQUEST) { - DEBUG(SSSDBG_CRIT_FAILURE, "Received data not terminated.\n"); - ret = EINVAL; - goto done; - } - } - - switch (cctx->cli_protocol_version->version) { - case 1: - ret = pam_parse_in_data(pd, body, blen); - break; - case 2: - ret = pam_parse_in_data_v2(pd, body, blen); - break; - case 3: - ret = pam_parse_in_data_v3(pd, body, blen); - break; - default: - DEBUG(SSSDBG_CRIT_FAILURE, "Illegal protocol version [%d].\n", - cctx->cli_protocol_version->version); - ret = EINVAL; - } - if (ret != EOK) { - goto done; - } - - if (pd->logon_name != NULL) { - ret = sss_parse_name_for_domains(pd, cctx->rctx->domains, - cctx->rctx->default_domain, - pd->logon_name, - &pd->domain, &pd->user); - } else { - /* Only SSS_PAM_PREAUTH request may have a missing name, e.g. if the - * name is determined with the help of a certificate */ - if (pd->cmd == SSS_PAM_PREAUTH - && may_do_cert_auth(talloc_get_type(cctx->rctx->pvt_ctx, - struct pam_ctx), pd)) { - ret = EOK; - } else { - DEBUG(SSSDBG_CRIT_FAILURE, "Missing logon name in PAM request.\n"); - ret = ERR_NO_CREDS; - goto done; - } - } - - DEBUG_PAM_DATA(SSSDBG_CONF_SETTINGS, pd); - -done: - return ret; -} static int pam_auth_req_destructor(struct pam_auth_req *preq) { |