authorSumit Bose <sbose@redhat.com>2016-09-27 16:03:22 +0200
committerJakub Hrozek <jhrozek@redhat.com>2017-02-23 10:15:13 +0100
commit52f45837ded98564968da42229b37db6a36ad627 (patch)
tree03a4b020678ef93c26f219e05bde7a35d0773fc4
parentead25e32c52c8c2f5fd9abd179e9e81de58f9ca3 (diff)
pam: enhance Smartcard authentication token
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r--src/providers/krb5/krb5_child.c4
-rw-r--r--src/providers/krb5/krb5_child_handler.c2
-rw-r--r--src/responder/pam/pamsrv_cmd.c9
-rw-r--r--src/sss_client/pam_sss.c45
4 files changed, 45 insertions, 15 deletions
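--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1856,7 +1856,9 @@ static errno_t unpack_authtok(struct sss_auth_token *tok,
 ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0);
 break;
 case SSS_AUTHTOK_TYPE_2FA:
-ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA, (buf + *p),
+case SSS_AUTHTOK_TYPE_SC_PIN:
+case SSS_AUTHTOK_TYPE_SC_KEYPAD:
+ret = sss_authtok_set(tok, auth_token_type, (buf + *p),
 auth_token_length);
 break;
 default: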
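Review bot: The new SC_PIN and SC_KEYPAD labels route the token through the generic `sss_authtok_set` with no comment that these tokens are no longer a plain PIN string but the packed blob that `sss_auth_pack_sc_blob` builds on the client side (see the pam_sss.c hunk of this commit), which is the whole reason the type-specific setters were dropped. A one-line comment above the new labels would record that: `/* SC_PIN and SC_KEYPAD carry a packed smartcard blob; store it verbatim, the consumer unpacks it */`. The same comment belongs on the matching cases added to pack_authtok in krb5_child_handler.c. The check that bounds auth_token_length against the remaining buffer is outside the hunk; presumably it sits before the switch and is type-independent, but that is worth confirming since two new types now reach this path. unpack_authtok begins before the hunk.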
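--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -78,6 +78,8 @@ static errno_t pack_authtok(struct io_buffer *buf, size_t *rp,
 auth_token_length = len + 1;
 break;
 case SSS_AUTHTOK_TYPE_2FA:
+case SSS_AUTHTOK_TYPE_SC_PIN:
+case SSS_AUTHTOK_TYPE_SC_KEYPAD:
 data = (char *) sss_authtok_get_data(tok);
 auth_token_length = sss_authtok_get_size(tok);
 break;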
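--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -160,15 +160,10 @@ static int extract_authtok_v2(struct sss_auth_token *tok,
 }
 break;
 case SSS_AUTHTOK_TYPE_2FA:
-ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA,
-auth_token_data, auth_token_length);
-break;
 case SSS_AUTHTOK_TYPE_SC_PIN:
-ret = sss_authtok_set_sc_pin(tok, (const char *) auth_token_data,
-auth_token_length);
-break;
 case SSS_AUTHTOK_TYPE_SC_KEYPAD:
-sss_authtok_set_sc_keypad(tok);
+ret = sss_authtok_set(tok, auth_token_type,
+auth_token_data, auth_token_length);
 break;
 default:
 return EINVAL;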
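Review bot: The SC_KEYPAD case changes behaviour silently: the removed line called `sss_authtok_set_sc_keypad(tok)` with no payload, while the merged case now passes the client-supplied `auth_token_data`/`auth_token_length` to `sss_authtok_set`, so whether a keypad token may legitimately carry data now depends entirely on what `sss_authtok_set` does for that type, which this diff does not show. SC_PIN likewise no longer goes through `sss_authtok_set_sc_pin`, which presumably enforced a NUL-terminated string; since this responder is the trust boundary for whatever pam_sss sends, the packed blob must be length-validated wherever it is unpacked downstream, and a comment here should state that the responder stores it unchecked: `/* 2FA, SC_PIN and SC_KEYPAD are stored as opaque blobs; the consumer unpacks and validates them */`. extract_authtok_v2 begins outside the hunk, so the length check on auth_token_length is not visible here.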
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index fa30889e7..a3d7a8a23 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1476,6 +1476,7 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
char *answer = NULL;
char *prompt;
size_t size;
+ size_t needed_size;
if (pi->token_name == NULL || *pi->token_name == '\0'
|| pi->cert_user == NULL || *pi->cert_user == '\0') {
@@ -1509,18 +1510,48 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
pi->pam_authtok_size=0;
} else {
- pi->pam_authtok = strdup(answer);
- _pam_overwrite((void *)answer);
- free(answer);
- answer=NULL;
+
+ ret = sss_auth_pack_sc_blob(answer, 0, pi->token_name, 0,
+ pi->module_name, 0,
+ pi->key_id, 0,
+ NULL, 0, &needed_size);
+ if (ret != EAGAIN) {
+ D(("sss_auth_pack_sc_blob failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
+ pi->pam_authtok = malloc(needed_size);
if (pi->pam_authtok == NULL) {
- return PAM_BUF_ERR;
+ D(("malloc failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
}
+
+ ret = sss_auth_pack_sc_blob(answer, 0, pi->token_name, 0,
+ pi->module_name, 0,
+ pi->key_id, 0,
+ (uint8_t *) pi->pam_authtok, needed_size,
+ &needed_size);
+ if (ret != EOK) {
+ D(("sss_auth_pack_sc_blob failed."));
+ free((void *)pi->pam_authtok);
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
pi->pam_authtok_type = SSS_AUTHTOK_TYPE_SC_PIN;
- pi->pam_authtok_size=strlen(pi->pam_authtok);
+ pi->pam_authtok_size = needed_size;
}
- return PAM_SUCCESS;
+ ret = PAM_SUCCESS;
+
+done:
+ _pam_overwrite((void *)answer);
+ free(answer);
+ answer=NULL;
+
+ return ret;
}
static int prompt_new_password(pam_handle_t *pamh, struct pam_items *pi)
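Review bot: In the second `sss_auth_pack_sc_blob` failure path, `free((void *)pi->pam_authtok)` leaves `pi->pam_authtok` dangling, and the freed buffer, which may already contain the packed PIN, is not cleared the way `answer` is at `done:`. Add `pi->pam_authtok = NULL;` right after that free so a later cleanup of `pi` cannot release it twice, and zero the buffer first; `_pam_overwrite` is the wrong tool for that because it stops at the first NUL and the blob is binary, so use `_pam_overwrite_n((void *)pi->pam_authtok, needed_size);` if that macro is available in this file. Whether a caller's cleanup does free `pi->pam_authtok` cannot be seen from the hunk, so the double free is inferred, but the dangling pointer is not. The beginning of prompt_sc_pin, including where `answer` is obtained and the early returns before it exists, lies outside the hunk.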