diff options
| author | Sumit Bose <sbose@redhat.com> | 2015-01-07 18:11:16 +0100 |
|---|---|---|
| committer | Sumit Bose <sbose@redhat.com> | 2015-05-08 09:13:14 +0200 |
| commit | bc052ea17d858c19f9cb9c9e2bc602e754f68831 (patch) | |
| tree | 52db7435221cac1a10ce130c5db4dfffe796f95d | |
| parent | 80b5dbe123ec94c5a8fcb99f9a4953c1513deb58 (diff) | |
| download | sssd-bc052ea17d858c19f9cb9c9e2bc602e754f68831.tar.gz sssd-bc052ea17d858c19f9cb9c9e2bc602e754f68831.tar.xz sssd-bc052ea17d858c19f9cb9c9e2bc602e754f68831.zip | |
utils: add sss_authtok_[gs]et_2fa
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| -rw-r--r-- | Makefile.am | 5 | ||||
| -rw-r--r-- | src/sss_client/pam_sss.c | 1 | ||||
| -rw-r--r-- | src/sss_client/sss_cli.h | 3 | ||||
| -rw-r--r-- | src/tests/cmocka/test_authtok.c | 189 | ||||
| -rw-r--r-- | src/util/authtok-utils.c | 74 | ||||
| -rw-r--r-- | src/util/authtok-utils.h | 70 | ||||
| -rw-r--r-- | src/util/authtok.c | 181 | ||||
| -rw-r--r-- | src/util/authtok.h | 44 |
8 files changed, 564 insertions, 3 deletions
diff --git a/Makefile.am b/Makefile.am index 0b30d3c97..e0fccbf19 100644 --- a/Makefile.am +++ b/Makefile.am @@ -519,6 +519,7 @@ dist_noinst_HEADERS = \ src/util/atomic_io.h \ src/util/auth_utils.h \ src/util/authtok.h \ + src/util/authtok-utils.h \ src/util/util_safealign.h \ src/util/util_sss_idmap.h \ src/monitor/monitor.h \ @@ -754,6 +755,7 @@ libsss_util_la_SOURCES = \ src/util/murmurhash3.c \ src/util/atomic_io.c \ src/util/authtok.c \ + src/util/authtok-utils.c \ src/util/sss_selinux.c \ src/util/domain_info_utils.c \ src/util/util_lock.c \ @@ -1855,6 +1857,7 @@ test_negcache_LDADD = \ test_authtok_SOURCES = \ src/tests/cmocka/test_authtok.c \ src/util/authtok.c \ + src/util/authtok-utils.c \ src/util/util.c test_authtok_CFLAGS = \ $(AM_CFLAGS) \ @@ -2781,6 +2784,7 @@ krb5_child_SOURCES = \ src/util/find_uid.c \ src/util/atomic_io.c \ src/util/authtok.c \ + src/util/authtok-utils.c \ src/util/util.c \ src/util/signal.c \ src/util/strtonum.c \ @@ -2812,6 +2816,7 @@ ldap_child_SOURCES = \ src/util/sss_krb5.c \ src/util/atomic_io.c \ src/util/authtok.c \ + src/util/authtok-utils.c \ src/util/util.c \ src/util/signal.c \ src/util/become_user.c \ diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 6916575bb..83769a153 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -41,6 +41,7 @@ #include "sss_cli.h" #include "util/atomic_io.h" +#include "util/authtok-utils.h" #include <libintl.h> #define _(STRING) dgettext (PACKAGE, STRING) diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h index d508a0671..9a19d7d47 100644 --- a/src/sss_client/sss_cli.h +++ b/src/sss_client/sss_cli.h @@ -301,6 +301,9 @@ enum sss_authtok_type { * a Kerberos credential cache file, * it may or may no contain * a trailing \\0 */ + SSS_AUTHTOK_TYPE_2FA = 0x0003, /**< Authentication token has two + * factors, they may or may no contain + * a trailing \\0 */ }; /** diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c index 0c7b7197f..5aa47c7b6 100644 --- a/src/tests/cmocka/test_authtok.c +++ b/src/tests/cmocka/test_authtok.c @@ -57,7 +57,7 @@ static int teardown(void **state) assert_non_null(ts); - assert_true(check_leaks_pop(ts) == true); + assert_true(check_leaks_pop(ts)); talloc_free(ts); assert_true(leak_check_teardown()); return 0; @@ -118,8 +118,8 @@ static void test_sss_authtok_password(void **state) assert_int_equal(len - 1, ret_len); ret = sss_authtok_set_password(ts->authtoken, data, len); - assert_int_equal(ret, EOK); + ret = sss_authtok_get_password(ts->authtoken, &pwd, &ret_len); assert_int_equal(ret, EOK); assert_string_equal(data, pwd); @@ -311,6 +311,183 @@ static void test_sss_authtok_copy(void **state) talloc_free(data); } +void test_sss_authtok_2fa(void **state) +{ + int ret; + const char *fa1; + size_t fa1_size; + const char *fa2; + size_t fa2_size; + struct test_state *ts; + + ts = talloc_get_type_abort(*state, struct test_state); + + ret = sss_authtok_set_2fa(NULL, "a", 0, "b", 0); + assert_int_equal(ret, EINVAL); + + /* Test missing first factor */ + ret = sss_authtok_set_2fa(ts->authtoken, NULL, 1, "b", 1); + assert_int_equal(ret, EINVAL); + /* Test missing second factor */ + ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, NULL, 1); + assert_int_equal(ret, EINVAL); + /* Test wrong first factor length */ + ret = sss_authtok_set_2fa(ts->authtoken, "ab", 1, "b", 1); + assert_int_equal(ret, EINVAL); + /* Test wrong second factor length */ + ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, "bc", 1); + assert_int_equal(ret, EINVAL); + + ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, "bc", 2); + assert_int_equal(ret, EOK); + assert_int_equal(sss_authtok_get_size(ts->authtoken), + 2 * sizeof(uint32_t) + 5); + assert_int_equal(sss_authtok_get_type(ts->authtoken), SSS_AUTHTOK_TYPE_2FA); +#if __BYTE_ORDER == __LITTLE_ENDIAN + assert_memory_equal(sss_authtok_get_data(ts->authtoken), + "\2\0\0\0\3\0\0\0a\0bc\0", + 2 * sizeof(uint32_t) + 5); +#else + assert_memory_equal(sss_authtok_get_data(ts->authtoken), + "\0\0\0\2\0\0\0\3a\0bc\0", + 2 * sizeof(uint32_t) + 5); +#endif + + ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size); + assert_int_equal(ret, EOK); + assert_int_equal(fa1_size, 1); + assert_string_equal(fa1, "a"); + assert_int_equal(fa2_size, 2); + assert_string_equal(fa2, "bc"); + + sss_authtok_set_empty(ts->authtoken); + + /* check return code of empty token */ + ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size); + assert_int_equal(ret, ENOENT); + + /* check return code for other token type */ + ret = sss_authtok_set_password(ts->authtoken, "abc", 0); + assert_int_equal(ret, EOK); + + ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size); + assert_int_equal(ret, EACCES); + + sss_authtok_set_empty(ts->authtoken); + + /* check return code for garbage */ + ret = sss_authtok_set(ts->authtoken, SSS_AUTHTOK_TYPE_2FA, + (const uint8_t *) "1111222233334444", 16); + assert_int_equal(ret, EINVAL); + + sss_authtok_set_empty(ts->authtoken); +} + +void test_sss_authtok_2fa_blobs(void **state) +{ + int ret; + struct test_state *ts; + size_t needed_size; + uint8_t *buf; + char *fa1; + size_t fa1_len; + char *fa2; + size_t fa2_len; + + ts = talloc_get_type_abort(*state, struct test_state); + + ret = sss_auth_pack_2fa_blob(NULL, 0, "defg", 0, NULL, 0, &needed_size); + assert_int_equal(ret, EINVAL); + + ret = sss_auth_pack_2fa_blob("abc", 0, NULL, 0, NULL, 0, &needed_size); + assert_int_equal(ret, EINVAL); + + ret = sss_auth_pack_2fa_blob("", 0, "defg", 0, NULL, 0, &needed_size); + assert_int_equal(ret, EINVAL); + + ret = sss_auth_pack_2fa_blob("abc", 0, "", 0, NULL, 0, &needed_size); + assert_int_equal(ret, EINVAL); + + ret = sss_auth_pack_2fa_blob("abc", 0, "defg", 0, NULL, 0, &needed_size); + assert_int_equal(ret, EAGAIN); + + buf = talloc_size(ts, needed_size); + assert_non_null(buf); + + ret = sss_auth_pack_2fa_blob("abc", 0, "defg", 0, buf, needed_size, + &needed_size); + assert_int_equal(ret, EOK); + +#if __BYTE_ORDER == __LITTLE_ENDIAN + assert_memory_equal(buf, "\4\0\0\0\5\0\0\0abc\0defg\0", needed_size); +#else + assert_memory_equal(buf, "\0\0\0\4\0\0\0\5abc\0defg\0", needed_size); +#endif + + ret = sss_auth_unpack_2fa_blob(ts, buf, needed_size, &fa1, &fa1_len, &fa2, + &fa2_len); + assert_int_equal(ret, EOK); + assert_int_equal(fa1_len, 3); + assert_string_equal(fa1, "abc"); + assert_int_equal(fa2_len, 4); + assert_string_equal(fa2, "defg"); + + talloc_free(buf); + talloc_free(fa1); + talloc_free(fa2); +} + +#define MISSING_NULL_CHECK do { \ + assert_int_equal(ret, EOK); \ + assert_int_equal(fa1_len, 3); \ + assert_string_equal(fa1, "abc"); \ + assert_int_equal(fa2_len, 4); \ + assert_string_equal(fa2, "defg"); \ + \ + talloc_free(fa1); \ + talloc_free(fa2); \ +} while (0) + +void test_sss_authtok_2fa_blobs_missing_null(void **state) +{ + int ret; + struct test_state *ts; + char *fa1; + size_t fa1_len; + char *fa2; + size_t fa2_len; +#if __BYTE_ORDER == __LITTLE_ENDIAN + uint8_t b0[] = {0x04, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g', 0x00}; + uint8_t b1[] = {0x03, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 0x00}; + uint8_t b2[] = {0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g'}; + uint8_t b3[] = {0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd', 'e', 'f', 'g'}; +#else + uint8_t b0[] = {0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x05, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g', 0x00}; + uint8_t b1[] = {0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 0x00}; + uint8_t b2[] = {0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g'}; + uint8_t b3[] = {0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 'a', 'b', 'c', 'd', 'e', 'f', 'g'}; +#endif + + + ts = talloc_get_type_abort(*state, struct test_state); + + ret = sss_auth_unpack_2fa_blob(ts, b0, sizeof(b0), &fa1, &fa1_len, &fa2, + &fa2_len); + MISSING_NULL_CHECK; + + ret = sss_auth_unpack_2fa_blob(ts, b1, sizeof(b1), &fa1, &fa1_len, &fa2, + &fa2_len); + MISSING_NULL_CHECK; + + ret = sss_auth_unpack_2fa_blob(ts, b2, sizeof(b2), &fa1, &fa1_len, &fa2, + &fa2_len); + MISSING_NULL_CHECK; + + ret = sss_auth_unpack_2fa_blob(ts, b3, sizeof(b3), &fa1, &fa1_len, &fa2, + &fa2_len); + MISSING_NULL_CHECK; +} + int main(int argc, const char *argv[]) { poptContext pc; @@ -333,7 +510,13 @@ int main(int argc, const char *argv[]) cmocka_unit_test_setup_teardown(test_sss_authtok_wipe_password, setup, teardown), cmocka_unit_test_setup_teardown(test_sss_authtok_copy, - setup, teardown) + setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_authtok_2fa, + setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_authtok_2fa_blobs, + setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_authtok_2fa_blobs_missing_null, + setup, teardown), }; /* Set debug level to invalid value so we can deside if -d 0 was used. */ diff --git a/src/util/authtok-utils.c b/src/util/authtok-utils.c new file mode 100644 index 000000000..65fba9022 --- /dev/null +++ b/src/util/authtok-utils.c @@ -0,0 +1,74 @@ +/* + SSSD - auth utils helpers + + Copyright (C) Sumit Bose <sbose@redhat.com> 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +/* This file is use by SSSD clients and the main daemons. Please do not add + * code which is specific to only one of them. */ + +#include <errno.h> + +#include "sss_client/sss_cli.h" + +errno_t sss_auth_pack_2fa_blob(const char *fa1, size_t fa1_len, + const char *fa2, size_t fa2_len, + uint8_t *buf, size_t buf_len, + size_t *_2fa_blob_len) +{ + size_t c; + uint32_t tmp_uint32_t; + + if (fa1 == NULL || *fa1 == '\0' || fa1_len > UINT32_MAX + || fa2 == NULL || *fa2 == '\0' || fa2_len > UINT32_MAX + || (buf == NULL && buf_len != 0)) { + return EINVAL; + } + + if (fa1_len == 0) { + fa1_len = strlen(fa1); + } else { + if (fa1[fa1_len] != '\0') { + return EINVAL; + } + } + + if (fa2_len == 0) { + fa2_len = strlen(fa2); + } else { + if (fa2[fa2_len] != '\0') { + return EINVAL; + } + } + + *_2fa_blob_len = fa1_len + fa2_len + 2 + 2 * sizeof(uint32_t); + if (buf == NULL || buf_len < *_2fa_blob_len) { + return EAGAIN; + } + + c = 0; + tmp_uint32_t = (uint32_t) fa1_len + 1; + SAFEALIGN_COPY_UINT32(buf, &tmp_uint32_t, &c); + tmp_uint32_t = (uint32_t) fa2_len + 1; + SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c); + + memcpy(buf + c, fa1, fa1_len + 1); + c += fa1_len + 1; + + memcpy(buf + c, fa2, fa2_len + 1); + + return 0; +} diff --git a/src/util/authtok-utils.h b/src/util/authtok-utils.h new file mode 100644 index 000000000..07aef3c18 --- /dev/null +++ b/src/util/authtok-utils.h @@ -0,0 +1,70 @@ +/* + SSSD - auth utils helpers + + Copyright (C) Sumit Bose <simo@redhat.com> 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef __AUTHTOK_UTILS_H__ +#define __AUTHTOK_UTILS_H__ + +#include <talloc.h> + +#include "sss_client/sss_cli.h" + +/** + * @brief Fill memory buffer with 2FA blob + * + * @param[in] fa1 First authentication factor, null terminated + * @param[in] fa1_len Length of the first authentication factor, if 0 + * strlen() will be called internally + * @param[in] fa2 Second authentication factor, null terminated + * @param[in] fa2_len Length of the second authentication factor, if 0 + * strlen() will be called internally + * @param[in] buf memory buffer of size buf_len + * @param[in] buf_len size of memory buffer buf + * + * @param[out] _2fa_blob_len size of the 2FA blob + * + * @return EOK on success + * EINVAL if input data is not consistent + * EAGAIN if provided buffer is too small, _2fa_blob_len + * contains the size needed to store the 2FA blob + */ +errno_t sss_auth_pack_2fa_blob(const char *fa1, size_t fa1_len, + const char *fa2, size_t fa2_len, + uint8_t *buf, size_t buf_len, + size_t *_2fa_blob_len); + +/** + * @brief Extract 2FA data from memory buffer + * + * @param[in] mem_ctx Talloc memory context to allocate the 2FA data on + * @param[in] blob Memory buffer containing the 2FA data + * @param[in] blob_len Size of the memory buffer + * @param[out] _fa1 First authentication factor, null terminated + * @param[out] _fa1_len Length of the first authentication factor + * @param[out] _fa2 Second authentication factor, null terminated + * @param[out] _fa2_len Length of the second authentication factor + * + * @return EOK on success + * EINVAL if input data is not consistent + * EINVAL if no memory can be allocated + */ +errno_t sss_auth_unpack_2fa_blob(TALLOC_CTX *mem_ctx, + const uint8_t *blob, size_t blob_len, + char **fa1, size_t *_fa1_len, + char **fa2, size_t *_fa2_len); +#endif /* __AUTHTOK_UTILS_H__ */ diff --git a/src/util/authtok.c b/src/util/authtok.c index b7bc17ed0..45761df80 100644 --- a/src/util/authtok.c +++ b/src/util/authtok.c @@ -38,6 +38,7 @@ size_t sss_authtok_get_size(struct sss_auth_token *tok) switch (tok->type) { case SSS_AUTHTOK_TYPE_PASSWORD: case SSS_AUTHTOK_TYPE_CCFILE: + case SSS_AUTHTOK_TYPE_2FA: return tok->length; case SSS_AUTHTOK_TYPE_EMPTY: return 0; @@ -70,6 +71,7 @@ errno_t sss_authtok_get_password(struct sss_auth_token *tok, } return EOK; case SSS_AUTHTOK_TYPE_CCFILE: + case SSS_AUTHTOK_TYPE_2FA: return EACCES; } @@ -92,6 +94,7 @@ errno_t sss_authtok_get_ccfile(struct sss_auth_token *tok, } return EOK; case SSS_AUTHTOK_TYPE_PASSWORD: + case SSS_AUTHTOK_TYPE_2FA: return EACCES; } @@ -140,6 +143,7 @@ void sss_authtok_set_empty(struct sss_auth_token *tok) case SSS_AUTHTOK_TYPE_EMPTY: return; case SSS_AUTHTOK_TYPE_PASSWORD: + case SSS_AUTHTOK_TYPE_2FA: safezero(tok->data, tok->length); break; case SSS_AUTHTOK_TYPE_CCFILE: @@ -169,6 +173,9 @@ errno_t sss_authtok_set_ccfile(struct sss_auth_token *tok, "ccfile", ccfile, len); } +static errno_t sss_authtok_set_2fa_from_blob(struct sss_auth_token *tok, + const uint8_t *data, size_t len); + errno_t sss_authtok_set(struct sss_auth_token *tok, enum sss_authtok_type type, const uint8_t *data, size_t len) @@ -178,6 +185,8 @@ errno_t sss_authtok_set(struct sss_auth_token *tok, return sss_authtok_set_password(tok, (const char *)data, len); case SSS_AUTHTOK_TYPE_CCFILE: return sss_authtok_set_ccfile(tok, (const char *)data, len); + case SSS_AUTHTOK_TYPE_2FA: + return sss_authtok_set_2fa_from_blob(tok, data, len); case SSS_AUTHTOK_TYPE_EMPTY: sss_authtok_set_empty(tok); return EOK; @@ -230,3 +239,175 @@ void sss_authtok_wipe_password(struct sss_auth_token *tok) safezero(tok->data, tok->length); } +errno_t sss_auth_unpack_2fa_blob(TALLOC_CTX *mem_ctx, + const uint8_t *blob, size_t blob_len, + char **fa1, size_t *_fa1_len, + char **fa2, size_t *_fa2_len) +{ + size_t c; + uint32_t fa1_len; + uint32_t fa2_len; + + if (blob_len < 2 * sizeof(uint32_t)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n"); + return EINVAL; + } + + c = 0; + SAFEALIGN_COPY_UINT32(&fa1_len, blob, &c); + SAFEALIGN_COPY_UINT32(&fa2_len, blob + c, &c); + + if (blob_len != 2 * sizeof(uint32_t) + fa1_len + fa2_len) { + DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n"); + return EINVAL; + } + + if (fa1_len != 0) { + *fa1 = talloc_strndup(mem_ctx, (const char *) blob + c, fa1_len); + if (*fa1 == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + return ENOMEM; + } + } else { + *fa1 = NULL; + } + + if (fa2_len != 0) { + *fa2 = talloc_strndup(mem_ctx, (const char *) blob + c + fa1_len, + fa2_len); + if (*fa2 == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + talloc_free(*fa1); + return ENOMEM; + } + } else { + *fa2 = NULL; + } + + /* Re-calculate length for the case where \0 was missing in the blob */ + *_fa1_len = (*fa1 == NULL) ? 0 : strlen(*fa1); + *_fa2_len = (*fa2 == NULL) ? 0 : strlen(*fa2); + + return EOK; +} + +static errno_t sss_authtok_set_2fa_from_blob(struct sss_auth_token *tok, + const uint8_t *data, size_t len) +{ + TALLOC_CTX *tmp_ctx; + int ret; + char *fa1; + size_t fa1_len; + char *fa2; + size_t fa2_len; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = sss_auth_unpack_2fa_blob(tmp_ctx, data, len, &fa1, &fa1_len, + &fa2, &fa2_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_auth_unpack_2fa_blob failed.\n"); + goto done; + } + + ret = sss_authtok_set_2fa(tok, fa1, fa1_len, fa2, fa2_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_set_2fa failed.\n"); + goto done; + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + + if (ret != EOK) { + sss_authtok_set_empty(tok); + } + + return ret; +} + +errno_t sss_authtok_get_2fa(struct sss_auth_token *tok, + const char **fa1, size_t *fa1_len, + const char **fa2, size_t *fa2_len) +{ + size_t c; + uint32_t tmp_uint32_t; + + if (tok->type != SSS_AUTHTOK_TYPE_2FA) { + return (tok->type == SSS_AUTHTOK_TYPE_EMPTY) ? ENOENT : EACCES; + } + + if (tok->length < 2 * sizeof(uint32_t)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n"); + return EINVAL; + } + + c = 0; + SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data, &c); + *fa1_len = tmp_uint32_t - 1; + SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c); + *fa2_len = tmp_uint32_t - 1; + + if (*fa1_len == 0 || *fa2_len == 0 + || tok->length != 2 * sizeof(uint32_t) + *fa1_len + *fa2_len + 2) { + DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n"); + return EINVAL; + } + + if (tok->data[c + *fa1_len] != '\0' + || tok->data[c + *fa1_len + 1 + *fa2_len] != '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing terminating null character.\n"); + return EINVAL; + } + + *fa1 = (const char *) tok->data + c; + *fa2 = (const char *) tok->data + c + *fa1_len + 1; + + return EOK; +} + +errno_t sss_authtok_set_2fa(struct sss_auth_token *tok, + const char *fa1, size_t fa1_len, + const char *fa2, size_t fa2_len) +{ + int ret; + size_t needed_size; + + if (tok == NULL) { + return EINVAL; + } + + sss_authtok_set_empty(tok); + + ret = sss_auth_pack_2fa_blob(fa1, fa1_len, fa2, fa2_len, NULL, 0, + &needed_size); + if (ret != EAGAIN) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_auth_pack_2fa_blob unexpectedly returned [%d].\n", ret); + return EINVAL; + } + + tok->data = talloc_size(tok, needed_size); + if (tok->data == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + + ret = sss_auth_pack_2fa_blob(fa1, fa1_len, fa2, fa2_len, tok->data, + needed_size, &needed_size); + if (ret != EOK) { + talloc_free(tok->data); + DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_2fa_blob failed.\n"); + return ret; + } + tok->length = needed_size; + tok->type = SSS_AUTHTOK_TYPE_2FA; + + return EOK; +} diff --git a/src/util/authtok.h b/src/util/authtok.h index 1f6def4c3..cb3662708 100644 --- a/src/util/authtok.h +++ b/src/util/authtok.h @@ -21,6 +21,7 @@ #define __AUTHTOK_H__ #include "util/util.h" +#include "util/authtok-utils.h" #include "sss_client/sss_cli.h" /* Use sss_authtok_* accesor functions instead of struct sss_auth_token @@ -179,4 +180,47 @@ void sss_authtok_wipe_password(struct sss_auth_token *tok); */ struct sss_auth_token *sss_authtok_new(TALLOC_CTX *mem_ctx); +/** + * @brief Set authtoken with 2FA data + * + * @param tok A pointer to a sss_auth_token structure to change, also + * used as a memory context to allocate the internal data. + * @param[in] fa1 First authentication factor, null terminated + * @param[in] fa1_len Length of the first authentication factor, if 0 + * strlen() will be called internally + * @param[in] fa2 Second authentication factor, null terminated + * @param[in] fa2_len Length of the second authentication factor, if 0 + * strlen() will be called internally + * + * @return EOK on success + * ENOMEM if memory allocation failed + * EINVAL if input data is not consistent + */ +errno_t sss_authtok_set_2fa(struct sss_auth_token *tok, + const char *fa1, size_t fa1_len, + const char *fa2, size_t fa2_len); + +/** + * @brief Get 2FA factors from authtoken + * + * @param tok A pointer to a sss_auth_token structure to change, also + * used as a memory context to allocate the internal data. + * @param[out] fa1 A pointer to a const char *, that will point to a + * null terminated string holding the first + * authentication factor, may not be modified or freed + * @param[out] fa1_len Length of the first authentication factor + * @param[out] fa2 A pointer to a const char *, that will point to a + * null terminated string holding the second + * authentication factor, may not be modified or freed + * @param[out] fa2_len Length of the second authentication factor + * + * @return EOK on success + * ENOMEM if memory allocation failed + * EINVAL if input data is not consistent + * ENOENT if the token is empty + * EACCESS if the token is not a 2FA token + */ +errno_t sss_authtok_get_2fa(struct sss_auth_token *tok, + const char **fa1, size_t *fa1_len, + const char **fa2, size_t *fa2_len); #endif /* __AUTHTOK_H__ */ |