author | Sumit Bose <sbose@redhat.com> | 2016-09-27 16:03:22 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2017-02-23 10:15:13 +0100 |
commit | 52f45837ded98564968da42229b37db6a36ad627 (patch) | |
tree | 03a4b020678ef93c26f219e05bde7a35d0773fc4 | |
parent | ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3 (diff) | |
pam: enhance Smartcard authentication token
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r-- | src/providers/krb5/krb5_child.c | 4 | ||||
-rw-r--r-- | src/providers/krb5/krb5_child_handler.c | 2 | ||||
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 9 | ||||
-rw-r--r-- | src/sss_client/pam_sss.c | 45 |
4 files changed, 45 insertions, 15 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index be31ddbc4..031847089 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1856,7 +1856,9 @@ static errno_t unpack_authtok(struct sss_auth_token *tok,
 ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0);
 break;
 case SSS_AUTHTOK_TYPE_2FA:
- ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA, (buf + *p),
+ case SSS_AUTHTOK_TYPE_SC_PIN:
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
+ ret = sss_authtok_set(tok, auth_token_type, (buf + *p),
 auth_token_length);
 break;
 default:
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 69636e0bc..6a3dc9d73 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -78,6 +78,8 @@ static errno_t pack_authtok(struct io_buffer *buf, size_t *rp,
 auth_token_length = len + 1;
 break;
 case SSS_AUTHTOK_TYPE_2FA:
+ case SSS_AUTHTOK_TYPE_SC_PIN:
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
 data = (char *) sss_authtok_get_data(tok);
 auth_token_length = sss_authtok_get_size(tok);
 break;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 6b7a9493b..e788a75a4 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -160,15 +160,10 @@ static int extract_authtok_v2(struct sss_auth_token *tok,
 }
 break;
 case SSS_AUTHTOK_TYPE_2FA:
- ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA,
- auth_token_data, auth_token_length);
- break;
 case SSS_AUTHTOK_TYPE_SC_PIN:
- ret = sss_authtok_set_sc_pin(tok, (const char *) auth_token_data,
- auth_token_length);
- break;
 case SSS_AUTHTOK_TYPE_SC_KEYPAD:
- sss_authtok_set_sc_keypad(tok);
+ ret = sss_authtok_set(tok, auth_token_type,
+ auth_token_data, auth_token_length);
 break;
 default:
 return EINVAL;
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index fa30889e7..a3d7a8a23 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
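Review bot: The new SSS_AUTHTOK_TYPE_SC_PIN and SSS_AUTHTOK_TYPE_SC_KEYPAD cases in unpack_authtok read auth_token_length bytes at buf + *p exactly as the 2FA case does, so they depend on the same comparison of auth_token_length against the remaining buffer; that check, if present, sits above the hunk and should be confirmed to apply to the newly accepted types, since the Smartcard blobs are variable-length and were rejected by the default branch before this change. A one-line comment on the merged case, e.g. `/* 2FA and Smartcard tokens carry an opaque blob built by sss_auth_pack_sc_blob; stored as-is */`, would tell the reader these are not plain strings like the password case above. The pack side in krb5_child_handler.c (second hunk) mirrors this list with sss_authtok_get_data/sss_authtok_get_size and must be kept in step whenever a type is added here. unpack_authtok starts and ends outside the hunk.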
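Review bot: In extract_authtok_v2 the SSS_AUTHTOK_TYPE_SC_KEYPAD case now copies client-supplied auth_token_data/auth_token_length into the token via sss_authtok_set, whereas the removed line set the keypad type with no payload at all; this data comes from the PAM client into the responder, so it should be confirmed that sss_authtok_set (or a length check before the switch, outside the hunk) bounds the copy and that the SC_PIN/SC_KEYPAD blob is validated before it is trusted further down the pipeline. The removed type-specific helpers sss_authtok_set_sc_pin and sss_authtok_set_sc_keypad presumably carried that per-type handling; if they remain in the tree, either keep them in use or move their checks into sss_authtok_set so the behaviour does not silently loosen. On the positive side, the keypad path now assigns `ret`, which the removed call did not. extract_authtok_v2 starts and ends outside the hunk.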
@@ -1476,6 +1476,7 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
 char *answer = NULL;
 char *prompt;
 size_t size;
+ size_t needed_size;
 
 if (pi->token_name == NULL || *pi->token_name == '\0'
 || pi->cert_user == NULL || *pi->cert_user == '\0') {
@@ -1509,18 +1510,48 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
 pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
 pi->pam_authtok_size=0;
 } else {
- pi->pam_authtok = strdup(answer);
- _pam_overwrite((void *)answer);
- free(answer);
- answer=NULL;
+
+ ret = sss_auth_pack_sc_blob(answer, 0, pi->token_name, 0,
+ pi->module_name, 0,
+ pi->key_id, 0,
+ NULL, 0, &needed_size);
+ if (ret != EAGAIN) {
+ D(("sss_auth_pack_sc_blob failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
+ pi->pam_authtok = malloc(needed_size);
 if (pi->pam_authtok == NULL) {
- return PAM_BUF_ERR;
+ D(("malloc failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
 }
+
+ ret = sss_auth_pack_sc_blob(answer, 0, pi->token_name, 0,
+ pi->module_name, 0,
+ pi->key_id, 0,
+ (uint8_t *) pi->pam_authtok, needed_size,
+ &needed_size);
+ if (ret != EOK) {
+ D(("sss_auth_pack_sc_blob failed."));
+ free((void *)pi->pam_authtok);
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
 pi->pam_authtok_type = SSS_AUTHTOK_TYPE_SC_PIN;
- pi->pam_authtok_size=strlen(pi->pam_authtok);
+ pi->pam_authtok_size = needed_size;
 }
 
- return PAM_SUCCESS;
+ ret = PAM_SUCCESS;
+
+done:
+ _pam_overwrite((void *)answer);
+ free(answer);
+ answer=NULL;
+
+ return ret;
 }
 
 static int prompt_new_password(pam_handle_t *pamh, struct pam_items *pi)
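Review bot: On the `ret != EOK` path in the second hunk the blob is released with `free((void *)pi->pam_authtok)` but pi->pam_authtok keeps pointing at the freed memory and pi->pam_authtok_size keeps whatever it held before, so any later teardown of pi that frees pam_authtok would double-free; add `pi->pam_authtok = NULL;` directly after the free and consider resetting pam_authtok_size to 0 as well. The partially packed blob may already contain the PIN copied from answer, so it deserves the same overwrite-before-free treatment answer gets at done:, but note that _pam_overwrite stops at the first NUL byte and the blob is binary, so the full needed_size bytes should be cleared instead of relying on it. The first hunk only adds the `size_t needed_size;` declaration; the declaration of `ret` and the prompting code that fills answer lie above both hunks, so prompt_sc_pin starts outside the visible diff.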