pam: enhance Smartcard authentication token

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
author: Sumit Bose <sbose@redhat.com> 2016-09-27 16:03:22 +0200
committer: Jakub Hrozek <jhrozek@redhat.com> 2017-02-23 10:15:13 +0100
commit: 52f45837ded98564968da42229b37db6a36ad627 (patch)
tree: 03a4b020678ef93c26f219e05bde7a35d0773fc4 /src/sss_client
parent: ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3 (diff)
download: sssd-52f45837ded98564968da42229b37db6a36ad627.tar.gz
sssd-52f45837ded98564968da42229b37db6a36ad627.tar.xz
sssd-52f45837ded98564968da42229b37db6a36ad627.zip
1 files changed, 38 insertions, 7 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index fa30889e7..a3d7a8a23 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1476,6 +1476,7 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
     char *answer = NULL;
     char *prompt;
     size_t size;
+    size_t needed_size;
 
     if (pi->token_name == NULL || *pi->token_name == '\0'
             || pi->cert_user == NULL || *pi->cert_user == '\0') {
@@ -1509,18 +1510,48 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
         pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
         pi->pam_authtok_size=0;
     } else {
-        pi->pam_authtok = strdup(answer);
-        _pam_overwrite((void *)answer);
-        free(answer);
-        answer=NULL;
+
+        ret = sss_auth_pack_sc_blob(answer, 0, pi->token_name, 0,
+                                    pi->module_name, 0,
+                                    pi->key_id, 0,
+                                    NULL, 0, &needed_size);
+        if (ret != EAGAIN) {
+            D(("sss_auth_pack_sc_blob failed."));
+            ret = PAM_BUF_ERR;
+            goto done;
+        }
+
+        pi->pam_authtok = malloc(needed_size);
         if (pi->pam_authtok == NULL) {
-            return PAM_BUF_ERR;
+            D(("malloc failed."));
+            ret = PAM_BUF_ERR;
+            goto done;
         }
+
+        ret = sss_auth_pack_sc_blob(answer, 0, pi->token_name, 0,
+                                    pi->module_name, 0,
+                                    pi->key_id, 0,
+                                    (uint8_t *) pi->pam_authtok, needed_size,
+                                    &needed_size);
+        if (ret != EOK) {
+            D(("sss_auth_pack_sc_blob failed."));
+            free((void *)pi->pam_authtok);
+            ret = PAM_BUF_ERR;
+            goto done;
+        }
+
         pi->pam_authtok_type = SSS_AUTHTOK_TYPE_SC_PIN;
-        pi->pam_authtok_size=strlen(pi->pam_authtok);
+        pi->pam_authtok_size = needed_size;
     }
 
-    return PAM_SUCCESS;
+    ret = PAM_SUCCESS;
+
+done:
+    _pam_overwrite((void *)answer);
+    free(answer);
+    answer=NULL;
+
+    return ret;
 }
 
 static int prompt_new_password(pam_handle_t *pamh, struct pam_items *pi)
author	Sumit Bose <sbose@redhat.com>	2016-09-27 16:03:22 +0200
committer	Jakub Hrozek <jhrozek@redhat.com>	2017-02-23 10:15:13 +0100
commit	52f45837ded98564968da42229b37db6a36ad627 (patch)
tree	03a4b020678ef93c26f219e05bde7a35d0773fc4 /src/sss_client
parent	ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3 (diff)
download	sssd-52f45837ded98564968da42229b37db6a36ad627.tar.gz sssd-52f45837ded98564968da42229b37db6a36ad627.tar.xz sssd-52f45837ded98564968da42229b37db6a36ad627.zip