diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/providers/krb5/krb5_child.c | 4 | ||||
-rw-r--r-- | src/providers/krb5/krb5_child_handler.c | 2 | ||||
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 9 | ||||
-rw-r--r-- | src/sss_client/pam_sss.c | 45 |
4 files changed, 45 insertions, 15 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index be31ddbc4..031847089 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -1856,7 +1856,9 @@ static errno_t unpack_authtok(struct sss_auth_token *tok, ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0); break; case SSS_AUTHTOK_TYPE_2FA: - ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA, (buf + *p), + case SSS_AUTHTOK_TYPE_SC_PIN: + case SSS_AUTHTOK_TYPE_SC_KEYPAD: + ret = sss_authtok_set(tok, auth_token_type, (buf + *p), auth_token_length); break; default: diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c index 69636e0bc..6a3dc9d73 100644 --- a/src/providers/krb5/krb5_child_handler.c +++ b/src/providers/krb5/krb5_child_handler.c @@ -78,6 +78,8 @@ static errno_t pack_authtok(struct io_buffer *buf, size_t *rp, auth_token_length = len + 1; break; case SSS_AUTHTOK_TYPE_2FA: + case SSS_AUTHTOK_TYPE_SC_PIN: + case SSS_AUTHTOK_TYPE_SC_KEYPAD: data = (char *) sss_authtok_get_data(tok); auth_token_length = sss_authtok_get_size(tok); break; diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index 6b7a9493b..e788a75a4 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -160,15 +160,10 @@ static int extract_authtok_v2(struct sss_auth_token *tok, } break; case SSS_AUTHTOK_TYPE_2FA: - ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA, - auth_token_data, auth_token_length); - break; case SSS_AUTHTOK_TYPE_SC_PIN: - ret = sss_authtok_set_sc_pin(tok, (const char *) auth_token_data, - auth_token_length); - break; case SSS_AUTHTOK_TYPE_SC_KEYPAD: - sss_authtok_set_sc_keypad(tok); + ret = sss_authtok_set(tok, auth_token_type, + auth_token_data, auth_token_length); break; default: return EINVAL; diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index fa30889e7..a3d7a8a23 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -1476,6 +1476,7 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi) char *answer = NULL; char *prompt; size_t size; + size_t needed_size; if (pi->token_name == NULL || *pi->token_name == '\0' || pi->cert_user == NULL || *pi->cert_user == '\0') { @@ -1509,18 +1510,48 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi) pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY; pi->pam_authtok_size=0; } else { - pi->pam_authtok = strdup(answer); - _pam_overwrite((void *)answer); - free(answer); - answer=NULL; + + ret = sss_auth_pack_sc_blob(answer, 0, pi->token_name, 0, + pi->module_name, 0, + pi->key_id, 0, + NULL, 0, &needed_size); + if (ret != EAGAIN) { + D(("sss_auth_pack_sc_blob failed.")); + ret = PAM_BUF_ERR; + goto done; + } + + pi->pam_authtok = malloc(needed_size); if (pi->pam_authtok == NULL) { - return PAM_BUF_ERR; + D(("malloc failed.")); + ret = PAM_BUF_ERR; + goto done; } + + ret = sss_auth_pack_sc_blob(answer, 0, pi->token_name, 0, + pi->module_name, 0, + pi->key_id, 0, + (uint8_t *) pi->pam_authtok, needed_size, + &needed_size); + if (ret != EOK) { + D(("sss_auth_pack_sc_blob failed.")); + free((void *)pi->pam_authtok); + ret = PAM_BUF_ERR; + goto done; + } + pi->pam_authtok_type = SSS_AUTHTOK_TYPE_SC_PIN; - pi->pam_authtok_size=strlen(pi->pam_authtok); + pi->pam_authtok_size = needed_size; } - return PAM_SUCCESS; + ret = PAM_SUCCESS; + +done: + _pam_overwrite((void *)answer); + free(answer); + answer=NULL; + + return ret; } static int prompt_new_password(pam_handle_t *pamh, struct pam_items *pi) |