>From 7eb6f979f333bb3c9c02f6187835e4f48414b4d5 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Thu, 14 Mar 2013 09:10:39 +0100 Subject: [PATCH 2/2] Making the authtok structure really opaque. Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830 --- src/providers/data_provider.h | 4 +- src/providers/dp_auth_util.c | 16 +++--- src/providers/dp_pam_data_util.c | 60 +++++++++++++++++----- src/providers/ipa/ipa_auth.c | 2 +- src/providers/krb5/krb5_auth.c | 10 ++-- src/providers/krb5/krb5_child.c | 28 +++++----- src/providers/krb5/krb5_child_handler.c | 8 +-- .../krb5/krb5_delayed_online_authentication.c | 12 ++--- src/providers/krb5/krb5_renew_tgt.c | 5 +- src/providers/ldap/ldap_auth.c | 12 ++--- src/providers/ldap/sdap_async_connection.c | 12 +++-- src/providers/proxy/proxy.h | 4 +- src/providers/proxy/proxy_auth.c | 2 +- src/providers/proxy/proxy_child.c | 18 +++---- src/responder/pam/pam_LOCAL_domain.c | 10 ++-- src/responder/pam/pamsrv_cmd.c | 16 +++--- src/tests/krb5_child-test.c | 4 +- src/util/authtok.c | 48 ++++++++++------- src/util/authtok.h | 52 ++++++++++--------- 19 files changed, 186 insertions(+), 137 deletions(-) diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h index 2ce16e8599b3623a03acdc4947dab0f3926ca8aa..8f385b79816145cc5795eed17651cadb15143bc1 100644 --- a/src/providers/data_provider.h +++ b/src/providers/data_provider.h @@ -176,8 +176,8 @@ struct pam_data { char *tty; char *ruser; char *rhost; - struct sss_auth_token authtok; - struct sss_auth_token newauthtok; + struct sss_auth_token *authtok; + struct sss_auth_token *newauthtok; uint32_t cli_pid; int pam_status; diff --git a/src/providers/dp_auth_util.c b/src/providers/dp_auth_util.c index 54f0ee8ed6f1d537410a91f93e55316fc9b89886..0bf10a7d2fdea38e5b38d2da7f249788fbc7f71c 100644 --- a/src/providers/dp_auth_util.c +++ b/src/providers/dp_auth_util.c @@ -40,12 +40,12 @@ bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd) tty = pd->tty ? pd->tty : ""; ruser = pd->ruser ? pd->ruser : ""; rhost = pd->rhost ? pd->rhost : ""; - authtok_type = (uint32_t)sss_authtok_get_type(&pd->authtok); - authtok_data = sss_authtok_get_data(&pd->authtok); - authtok_length = sss_authtok_get_size(&pd->authtok); - new_authtok_type = (uint32_t)sss_authtok_get_type(&pd->newauthtok); - new_authtok_data = sss_authtok_get_data(&pd->newauthtok); - new_authtok_length = sss_authtok_get_size(&pd->newauthtok); + authtok_type = (uint32_t)sss_authtok_get_type(pd->authtok); + authtok_data = sss_authtok_get_data(pd->authtok); + authtok_length = sss_authtok_get_size(pd->authtok); + new_authtok_type = (uint32_t)sss_authtok_get_type(pd->newauthtok); + new_authtok_data = sss_authtok_get_data(pd->newauthtok); + new_authtok_length = sss_authtok_get_size(pd->newauthtok); db_ret = dbus_message_append_args(msg, DBUS_TYPE_INT32, &(pd->cmd), @@ -112,13 +112,13 @@ bool dp_unpack_pam_request(DBusMessage *msg, TALLOC_CTX *mem_ctx, return false; } - ret = sss_authtok_set(*new_pd, &((*new_pd)->authtok), authtok_type, + ret = sss_authtok_set((*new_pd)->authtok, authtok_type, authtok_data, authtok_length); if (ret) { DEBUG(1, ("Failed to set auth token: %d [%s]\n", ret, strerror(ret))); return false; } - ret = sss_authtok_set(*new_pd, &((*new_pd)->newauthtok), new_authtok_type, + ret = sss_authtok_set((*new_pd)->newauthtok, new_authtok_type, new_authtok_data, new_authtok_length); if (ret) { DEBUG(1, ("Failed to set auth token: %d [%s]\n", ret, strerror(ret))); diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c index 64f0d69bd0e8ebc28df958c393b40afcb5e18c31..4c33f58369322bc6ab2512990d334155f7354a68 100644 --- a/src/providers/dp_pam_data_util.c +++ b/src/providers/dp_pam_data_util.c @@ -53,8 +53,8 @@ int pam_data_destructor(void *ptr) struct pam_data *pd = talloc_get_type(ptr, struct pam_data); /* make sure to wipe any password from memory before freeing */ - sss_authtok_wipe_password(&pd->authtok); - sss_authtok_wipe_password(&pd->newauthtok); + sss_authtok_wipe_password(pd->authtok); + sss_authtok_wipe_password(pd->newauthtok); return 0; } @@ -65,13 +65,29 @@ struct pam_data *create_pam_data(TALLOC_CTX *mem_ctx) pd = talloc_zero(mem_ctx, struct pam_data); if (pd == NULL) { - DEBUG(1, ("talloc_zero failed.\n")); - return NULL; + DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n")); + goto failed; + } + + pd->authtok = sss_authtok_new(pd); + if (pd == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n")); + goto failed; + } + + pd->newauthtok = sss_authtok_new(pd); + if (pd == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n")); + goto failed; } talloc_set_destructor((TALLOC_CTX *) pd, pam_data_destructor); return pd; + +failed: + talloc_free(pd); + return NULL; } errno_t copy_pam_data(TALLOC_CTX *mem_ctx, struct pam_data *src, @@ -122,14 +138,34 @@ errno_t copy_pam_data(TALLOC_CTX *mem_ctx, struct pam_data *src, pd->cli_pid = src->cli_pid; - ret = sss_authtok_copy(pd, &src->authtok, &pd->authtok); - if (ret) { - goto failed; + /* if structure pam_data was allocated on stack and zero initialized, + * than src->authtok and src->newauthtok are NULL, therefore + * instead of copying, new empty authtok will be created. + */ + if (src->authtok) { + ret = sss_authtok_copy(src->authtok, pd->authtok); + if (ret) { + goto failed; + } + } else { + pd->authtok = sss_authtok_new(pd); + if (pd->authtok == NULL) { + ret = ENOMEM; + goto failed; + } } - ret = sss_authtok_copy(pd, &src->newauthtok, &pd->newauthtok); - if (ret) { - goto failed; + if (src->newauthtok) { + ret = sss_authtok_copy(src->newauthtok, pd->newauthtok); + if (ret) { + goto failed; + } + } else { + pd->newauthtok = sss_authtok_new(pd); + if (pd->newauthtok == NULL) { + ret = ENOMEM; + goto failed; + } } *dst = pd; @@ -151,8 +187,8 @@ void pam_print_data(int l, struct pam_data *pd) DEBUG(l, ("tty: %s\n", PAM_SAFE_ITEM(pd->tty))); DEBUG(l, ("ruser: %s\n", PAM_SAFE_ITEM(pd->ruser))); DEBUG(l, ("rhost: %s\n", PAM_SAFE_ITEM(pd->rhost))); - DEBUG(l, ("authtok type: %d\n", sss_authtok_get_type(&pd->authtok))); - DEBUG(l, ("newauthtok type: %d\n", sss_authtok_get_type(&pd->newauthtok))); + DEBUG(l, ("authtok type: %d\n", sss_authtok_get_type(pd->authtok))); + DEBUG(l, ("newauthtok type: %d\n", sss_authtok_get_type(pd->newauthtok))); DEBUG(l, ("priv: %d\n", pd->priv)); DEBUG(l, ("cli_pid: %d\n", pd->cli_pid)); } diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c index 5cb3d402e1460c57770484e594d62345e88a6568..b528c544df90efd30570273d9731223b531e77f6 100644 --- a/src/providers/ipa/ipa_auth.c +++ b/src/providers/ipa/ipa_auth.c @@ -371,7 +371,7 @@ static void ipa_migration_flag_connect_done(struct tevent_req *req) } req = sdap_auth_send(state, state->ev, state->sh, NULL, NULL, dn, - &state->pd->authtok); + state->pd->authtok); if (req == NULL) { DEBUG(SSSDBG_OP_FAILURE, ("sdap_auth_send failed.\n")); goto done; diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index a9b75768cb01d330b6a56eb444b0f9c51beff923..6c0f429fbb30aae8ee2c4e4973aa0e0590ec169a 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -284,7 +284,7 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx, const char *password = NULL; errno_t ret; - ret = sss_authtok_get_password(&pd->authtok, &password, NULL); + ret = sss_authtok_get_password(pd->authtok, &password, NULL); if (ret != EOK) { DEBUG(0, ("Failed to get password [%d] %s\n", ret, strerror(ret))); *pam_status = PAM_SYSTEM_ERR; @@ -397,10 +397,10 @@ static void krb5_auth_store_creds(struct sysdb_ctx *sysdb, break; case SSS_PAM_AUTHENTICATE: case SSS_PAM_CHAUTHTOK_PRELIM: - ret = sss_authtok_get_password(&pd->authtok, &password, NULL); + ret = sss_authtok_get_password(pd->authtok, &password, NULL); break; case SSS_PAM_CHAUTHTOK: - ret = sss_authtok_get_password(&pd->newauthtok, &password, NULL); + ret = sss_authtok_get_password(pd->newauthtok, &password, NULL); break; default: DEBUG(0, ("unsupported PAM command [%d].\n", pd->cmd)); @@ -490,7 +490,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, case SSS_PAM_AUTHENTICATE: case SSS_CMD_RENEW: case SSS_PAM_CHAUTHTOK: - if (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { + if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { DEBUG(1, ("Missing authtok for user [%s].\n", pd->user)); state->pam_status = PAM_SYSTEM_ERR; state->dp_err = DP_ERR_FATAL; @@ -500,7 +500,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, break; case SSS_PAM_CHAUTHTOK_PRELIM: if (pd->priv == 1 && - sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { + sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { DEBUG(4, ("Password reset by root is not supported.\n")); state->pam_status = PAM_PERM_DENIED; state->dp_err = DP_ERR_OK; diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 52127b39ad92b1f66a20c38ced32c2778dcdc590..4ccd75d26abf46cd07a70031569a29576223f0a2 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -1201,7 +1201,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim) DEBUG(SSSDBG_TRACE_LIBS, ("Password change operation\n")); - ret = sss_authtok_get_password(&kr->pd->authtok, &password, NULL); + ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL); if (ret != EOK) { DEBUG(1, ("Failed to fetch current password [%d] %s.\n", ret, strerror(ret))); @@ -1233,7 +1233,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim) return kerr; } - sss_authtok_set_empty(&kr->pd->authtok); + sss_authtok_set_empty(kr->pd->authtok); if (prelim) { DEBUG(SSSDBG_TRACE_LIBS, @@ -1243,7 +1243,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim) return EOK; } - ret = sss_authtok_get_password(&kr->pd->newauthtok, &newpassword, NULL); + ret = sss_authtok_get_password(kr->pd->newauthtok, &newpassword, NULL); if (ret != EOK) { DEBUG(1, ("Failed to fetch new password [%d] %s.\n", ret, strerror(ret))); @@ -1307,7 +1307,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim) kerr = get_and_save_tgt(kr, newpassword); - sss_authtok_set_empty(&kr->pd->newauthtok); + sss_authtok_set_empty(kr->pd->newauthtok); if (kerr == 0) { kerr = k5c_attach_ccname_msg(kr); @@ -1324,7 +1324,7 @@ static errno_t tgt_req_child(struct krb5_req *kr) DEBUG(SSSDBG_TRACE_LIBS, ("Attempting to get a TGT\n")); - ret = sss_authtok_get_password(&kr->pd->authtok, &password, NULL); + ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL); switch (ret) { if (ret == EACCES) { DEBUG(SSSDBG_OP_FAILURE, ("Invalid authtok type\n")); @@ -1379,7 +1379,7 @@ static errno_t tgt_req_child(struct krb5_req *kr) } done: - sss_authtok_set_empty(&kr->pd->authtok); + sss_authtok_set_empty(kr->pd->authtok); return ret; } @@ -1423,11 +1423,11 @@ static errno_t renew_tgt_child(struct krb5_req *kr) DEBUG(SSSDBG_TRACE_LIBS, ("Renewing a ticket\n")); - ret = sss_authtok_get_ccfile(&kr->pd->authtok, &ccname, NULL); + ret = sss_authtok_get_ccfile(kr->pd->authtok, &ccname, NULL); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("Unsupported authtok type for TGT renewal [%d].\n", - sss_authtok_get_type(&kr->pd->authtok))); + sss_authtok_get_type(kr->pd->authtok))); return ERR_INVALID_CRED_TYPE; } @@ -1527,10 +1527,10 @@ static errno_t unpack_authtok(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok, sss_authtok_set_empty(tok); break; case SSS_AUTHTOK_TYPE_PASSWORD: - ret = sss_authtok_set_password(mem_ctx, tok, (char *)(buf + *p), 0); + ret = sss_authtok_set_password(tok, (char *)(buf + *p), 0); break; case SSS_AUTHTOK_TYPE_CCFILE: - ret = sss_authtok_set_ccfile(mem_ctx, tok, (char *)(buf + *p), 0); + ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0); break; default: return EINVAL; @@ -1598,7 +1598,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size, if (kr->keytab == NULL) return ENOMEM; p += len; - ret = unpack_authtok(pd, &pd->authtok, buf, size, &p); + ret = unpack_authtok(pd, pd->authtok, buf, size, &p); if (ret) { return ret; } @@ -1608,16 +1608,16 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size, } else { kr->ccname = NULL; kr->keytab = NULL; - sss_authtok_set_empty(&pd->authtok); + sss_authtok_set_empty(pd->authtok); } if (pd->cmd == SSS_PAM_CHAUTHTOK) { - ret = unpack_authtok(pd, &pd->newauthtok, buf, size, &p); + ret = unpack_authtok(pd, pd->newauthtok, buf, size, &p); if (ret) { return ret; } } else { - sss_authtok_set_empty(&pd->newauthtok); + sss_authtok_set_empty(pd->newauthtok); } if (pd->cmd == SSS_PAM_ACCT_MGMT) { diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c index cc309af34a9f93a93169dac8d839bd6b677aee7d..8ff65130fb42e71e653814d5159f3f45e059cd59 100644 --- a/src/providers/krb5/krb5_child_handler.c +++ b/src/providers/krb5/krb5_child_handler.c @@ -155,12 +155,12 @@ static errno_t create_send_buffer(struct krb5child_req *kr, kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM || kr->pd->cmd == SSS_PAM_CHAUTHTOK) { buf->size += 4*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) + - sss_authtok_get_size(&kr->pd->authtok); + sss_authtok_get_size(kr->pd->authtok); } if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) { buf->size += 2*sizeof(uint32_t) + - sss_authtok_get_size(&kr->pd->newauthtok); + sss_authtok_get_size(kr->pd->newauthtok); } if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) { @@ -196,14 +196,14 @@ static errno_t create_send_buffer(struct krb5child_req *kr, SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(keytab), &rp); safealign_memcpy(&buf->data[rp], keytab, strlen(keytab), &rp); - ret = pack_authtok(buf, &rp, &kr->pd->authtok); + ret = pack_authtok(buf, &rp, kr->pd->authtok); if (ret) { return ret; } } if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) { - ret = pack_authtok(buf, &rp, &kr->pd->newauthtok); + ret = pack_authtok(buf, &rp, kr->pd->newauthtok); if (ret) { return ret; } diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c index f95fa634c34ebee37bffb785abe4ef5b35318a82..87e0f3c631def0d437aa4268e8a3cfcb439be7e0 100644 --- a/src/providers/krb5/krb5_delayed_online_authentication.c +++ b/src/providers/krb5/krb5_delayed_online_authentication.c @@ -84,7 +84,7 @@ static void authenticate_user(struct tevent_context *ev, return; } - ret = sss_authtok_set_password(pd, &pd->authtok, password, keysize); + ret = sss_authtok_set_password(pd->authtok, password, keysize); safezero(password, keysize); free(password); if (ret) { @@ -246,7 +246,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx, return EINVAL; } - if (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { + if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { DEBUG(1, ("Invalid authtok for user [%s].\n", pd->user)); return EINVAL; } @@ -262,10 +262,10 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx, const char *password; size_t len; - ret = sss_authtok_get_password(&new_pd->authtok, &password, &len); + ret = sss_authtok_get_password(new_pd->authtok, &password, &len); if (ret) { DEBUG(1, ("Failed to get password [%d][%s].\n", ret, strerror(ret))); - sss_authtok_set_empty(&new_pd->authtok); + sss_authtok_set_empty(new_pd->authtok); talloc_free(new_pd); return ret; } @@ -275,13 +275,13 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx, if (new_pd->key_serial == -1) { ret = errno; DEBUG(1, ("add_key failed [%d][%s].\n", ret, strerror(ret))); - sss_authtok_set_empty(&new_pd->authtok); + sss_authtok_set_empty(new_pd->authtok); talloc_free(new_pd); return ret; } DEBUG(9, ("Saved authtok of user [%s] with serial [%ld].\n", new_pd->user, new_pd->key_serial)); - sss_authtok_set_empty(&new_pd->authtok); + sss_authtok_set_empty(new_pd->authtok); #endif key.type = HASH_KEY_ULONG; diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c index f2ee5d91f3bd4b17074e2b1d5df28e9690cf7337..0b1f26fd3a646e29a2f39ae6699714ca5318b66f 100644 --- a/src/providers/krb5/krb5_renew_tgt.c +++ b/src/providers/krb5/krb5_renew_tgt.c @@ -592,10 +592,9 @@ errno_t add_tgt_to_renew_table(struct krb5_ctx *krb5_ctx, const char *ccfile, goto done; } - sss_authtok_set_empty(&renew_data->pd->newauthtok); + sss_authtok_set_empty(renew_data->pd->newauthtok); - ret = sss_authtok_set_ccfile(renew_data->pd, &renew_data->pd->authtok, - renew_data->ccfile, 0); + ret = sss_authtok_set_ccfile(renew_data->pd->authtok, renew_data->ccfile, 0); if (ret) { DEBUG(1, ("Failed to store ccfile in auth token.\n")); goto done; diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index e10c5b0e95c34bf5fcc6a3bf4047145a1bb6f059..f4e6d28f0bd2c1fbf18f093780808c0db9f43478 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -722,7 +722,7 @@ void sdap_pam_chpass_handler(struct be_req *breq) } if ((pd->priv == 1) && (pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) && - (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD)) { + (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD)) { DEBUG(4, ("Password reset by root is not supported.\n")); pd->pam_status = PAM_PERM_DENIED; dp_err = DP_ERR_OK; @@ -747,7 +747,7 @@ void sdap_pam_chpass_handler(struct be_req *breq) state->ctx = ctx; subreq = auth_send(breq, be_ctx->ev, ctx, - state->username, &pd->authtok, true); + state->username, pd->authtok, true); if (!subreq) goto done; tevent_req_set_callback(subreq, sdap_auth4chpass_done, state); @@ -820,13 +820,13 @@ static void sdap_auth4chpass_done(struct tevent_req *req) const char *password; const char *new_password; - ret = sss_authtok_get_password(&state->pd->authtok, + ret = sss_authtok_get_password(state->pd->authtok, &password, NULL); if (ret) { state->pd->pam_status = PAM_SYSTEM_ERR; goto done; } - ret = sss_authtok_get_password(&state->pd->newauthtok, + ret = sss_authtok_get_password(state->pd->newauthtok, &new_password, NULL); if (ret) { state->pd->pam_status = PAM_SYSTEM_ERR; @@ -990,7 +990,7 @@ void sdap_pam_auth_handler(struct be_req *breq) state->pd = pd; subreq = auth_send(breq, be_ctx->ev, ctx, - pd->user, &pd->authtok, + pd->user, pd->authtok, pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ? true : false); if (!subreq) goto done; @@ -1102,7 +1102,7 @@ static void sdap_pam_auth_done(struct tevent_req *req) if (ret == EOK && be_ctx->domain->cache_credentials) { - ret = sss_authtok_get_password(&state->pd->authtok, &password, NULL); + ret = sss_authtok_get_password(state->pd->authtok, &password, NULL); if (ret == EOK) { ret = sysdb_cache_password(be_ctx->domain->sysdb, be_ctx->domain, state->pd->user, password); diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c index 280268a1c3d435b11ba7953795509b86cfa91528..b05edf6f9ffc0b712f5dd44cc0b830e5602a5804 100644 --- a/src/providers/ldap/sdap_async_connection.c +++ b/src/providers/ldap/sdap_async_connection.c @@ -1573,7 +1573,7 @@ static void sdap_cli_auth_step(struct tevent_req *req) SDAP_DEFAULT_BIND_DN); const char *authtok_type; struct dp_opt_blob authtok_blob; - struct sss_auth_token authtok = { 0 }; + struct sss_auth_token *authtok; errno_t ret; /* Set the LDAP expiration time @@ -1599,6 +1599,12 @@ static void sdap_cli_auth_step(struct tevent_req *req) authtok_type = dp_opt_get_string(state->opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE); + authtok = sss_authtok_new(state); + if(authtok == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + if (authtok_type != NULL) { if (strcasecmp(authtok_type, "password") != 0) { DEBUG(SSSDBG_TRACE_LIBS, ("Invalid authtoken type\n")); @@ -1609,7 +1615,7 @@ static void sdap_cli_auth_step(struct tevent_req *req) authtok_blob = dp_opt_get_blob(state->opts->basic, SDAP_DEFAULT_AUTHTOK); if (authtok_blob.data) { - ret = sss_authtok_set_password(state, &authtok, + ret = sss_authtok_set_password(authtok, (const char *)authtok_blob.data, authtok_blob.length); if (ret) { @@ -1623,7 +1629,7 @@ static void sdap_cli_auth_step(struct tevent_req *req) state->sh, sasl_mech, dp_opt_get_string(state->opts->basic, SDAP_SASL_AUTHID), - user_dn, &authtok); + user_dn, authtok); if (!subreq) { tevent_req_error(req, ENOMEM); return; diff --git a/src/providers/proxy/proxy.h b/src/providers/proxy/proxy.h index 305cbe978fcd0be0c966034eff08a2af92b11f26..db0fcb43875c5e63759fe8e0d031263e289c0677 100644 --- a/src/providers/proxy/proxy.h +++ b/src/providers/proxy/proxy.h @@ -89,8 +89,8 @@ struct proxy_nss_ops { }; struct authtok_conv { - struct sss_auth_token authtok; - struct sss_auth_token newauthtok; + struct sss_auth_token *authtok; + struct sss_auth_token *newauthtok; bool sent_old; }; diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c index 3e6a514abc408c71dd0f3a0379823f86cf8bf37a..011de4fbb8d855e7f1b75d51bafb5b23998fe79a 100644 --- a/src/providers/proxy/proxy_auth.c +++ b/src/providers/proxy/proxy_auth.c @@ -750,7 +750,7 @@ static void proxy_child_done(struct tevent_req *req) if ((pd->cmd == SSS_PAM_AUTHENTICATE || pd->cmd == SSS_PAM_CHAUTHTOK) && (pd->pam_status == PAM_SUCCESS) && be_ctx->domain->cache_credentials) { - ret = sss_authtok_get_password(&pd->authtok, &password, NULL); + ret = sss_authtok_get_password(pd->authtok, &password, NULL); if (ret) { /* password caching failures are not fatal errors */ DEBUG(2, ("Failed to cache password\n")); diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c index 556dbf9b5488d75f0fa60386958f61b95d61fba2..efdf9120a8ec529283aa3f2c6cacd98d659a6ef7 100644 --- a/src/providers/proxy/proxy_child.c +++ b/src/providers/proxy/proxy_child.c @@ -98,7 +98,7 @@ static int proxy_internal_conv(int num_msg, const struct pam_message **msgm, DEBUG(4, ("Conversation message: [%s]\n", msgm[i]->msg)); reply[i].resp_retcode = 0; - ret = sss_authtok_get_password(&auth_data->authtok, + ret = sss_authtok_get_password(auth_data->authtok, &password, &pwlen); if (ret) goto failed; reply[i].resp = calloc(pwlen + 1, sizeof(char)); @@ -149,7 +149,7 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm, reply[i].resp_retcode = 0; if (!auth_data->sent_old) { /* The first prompt will be asking for the old authtok */ - ret = sss_authtok_get_password(&auth_data->authtok, + ret = sss_authtok_get_password(auth_data->authtok, &password, &pwlen); if (ret) goto failed; reply[i].resp = calloc(pwlen + 1, sizeof(char)); @@ -159,7 +159,7 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm, } else { /* Subsequent prompts are looking for the new authtok */ - ret = sss_authtok_get_password(&auth_data->newauthtok, + ret = sss_authtok_get_password(auth_data->newauthtok, &password, &pwlen); if (ret) goto failed; reply[i].resp = calloc(pwlen + 1, sizeof(char)); @@ -224,8 +224,7 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd) } switch (pd->cmd) { case SSS_PAM_AUTHENTICATE: - sss_authtok_copy(auth_data, &pd->authtok, - &auth_data->authtok); + sss_authtok_copy(pd->authtok, auth_data->authtok); pam_status = pam_authenticate(pamh, 0); break; case SSS_PAM_SETCRED: @@ -241,21 +240,18 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd) pam_status=pam_close_session(pamh, 0); break; case SSS_PAM_CHAUTHTOK: - sss_authtok_copy(auth_data, &pd->authtok, - &auth_data->authtok); + sss_authtok_copy(pd->authtok, auth_data->authtok); if (pd->priv != 1) { pam_status = pam_authenticate(pamh, 0); auth_data->sent_old = false; if (pam_status != PAM_SUCCESS) break; } - sss_authtok_copy(auth_data, &pd->newauthtok, - &auth_data->newauthtok); + sss_authtok_copy(pd->newauthtok, auth_data->newauthtok); pam_status = pam_chauthtok(pamh, 0); break; case SSS_PAM_CHAUTHTOK_PRELIM: if (pd->priv != 1) { - sss_authtok_copy(auth_data, &pd->authtok, - &auth_data->authtok); + sss_authtok_copy(pd->authtok, auth_data->authtok); pam_status = pam_authenticate(pamh, 0); } else { pam_status = PAM_SUCCESS; diff --git a/src/responder/pam/pam_LOCAL_domain.c b/src/responder/pam/pam_LOCAL_domain.c index 72ea61e85628d1f5a382c1133fddcfea31a73e8c..4aec3e4df8313a36ad18ef9d5ea93e14a845fe5c 100644 --- a/src/responder/pam/pam_LOCAL_domain.c +++ b/src/responder/pam/pam_LOCAL_domain.c @@ -164,7 +164,7 @@ static void do_pam_chauthtok(struct LOCAL_request *lreq) pd = lreq->preq->pd; - ret = sss_authtok_get_password(&pd->newauthtok, &password, NULL); + ret = sss_authtok_get_password(pd->newauthtok, &password, NULL); if (ret) { /* TODO: should we allow null passwords via a config option ? */ if (ret == ENOENT) { @@ -204,7 +204,7 @@ static void do_pam_chauthtok(struct LOCAL_request *lreq) lreq->error, ret, done); done: - sss_authtok_set_empty(&pd->newauthtok); + sss_authtok_set_empty(pd->newauthtok); } int LOCAL_pam_handler(struct pam_auth_req *preq) @@ -288,7 +288,7 @@ int LOCAL_pam_handler(struct pam_auth_req *preq) DEBUG(4, ("allowing root to reset a password.\n")); break; } - ret = sss_authtok_get_password(&pd->authtok, &password, NULL); + ret = sss_authtok_get_password(pd->authtok, &password, NULL); NEQ_CHECK_OR_JUMP(ret, EOK, ("Failed to get password.\n"), lreq->error, ret, done); @@ -336,8 +336,8 @@ int LOCAL_pam_handler(struct pam_auth_req *preq) } done: - sss_authtok_set_empty(&pd->newauthtok); - sss_authtok_set_empty(&pd->authtok); + sss_authtok_set_empty(pd->newauthtok); + sss_authtok_set_empty(pd->authtok); prepare_reply(lreq); return EOK; } diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index fa6cf23cd2d5752900b6c6c1a08a1ad17f816ec8..e6300a759832e61202db1e2c2379ee98be7a51e3 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -65,8 +65,7 @@ static int extract_authtok_v2(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok, sss_authtok_set_empty(tok); break; case SSS_AUTHTOK_TYPE_PASSWORD: - ret = sss_authtok_set_password(mem_ctx, tok, - (const char *)auth_token_data, + ret = sss_authtok_set_password(tok, (const char *)auth_token_data, auth_token_length); break; default: @@ -197,12 +196,12 @@ static int pam_parse_in_data_v2(struct sss_domain_info *domains, if (ret != EOK) return ret; break; case SSS_PAM_ITEM_AUTHTOK: - ret = extract_authtok_v2(pd, &pd->authtok, + ret = extract_authtok_v2(pd, pd->authtok, size, body, blen, &c); if (ret != EOK) return ret; break; case SSS_PAM_ITEM_NEWAUTHTOK: - ret = extract_authtok_v2(pd, &pd->newauthtok, + ret = extract_authtok_v2(pd, pd->newauthtok, size, body, blen, &c); if (ret != EOK) return ret; break; @@ -260,8 +259,7 @@ static int extract_authtok_v1(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok, sss_authtok_set_empty(tok); break; case SSS_AUTHTOK_TYPE_PASSWORD: - ret = sss_authtok_set_password(mem_ctx, tok, - (const char *)auth_token_data, + ret = sss_authtok_set_password(tok, (const char *)auth_token_data, auth_token_length); break; default: @@ -310,12 +308,12 @@ static int pam_parse_in_data(struct sss_domain_info *domains, if (body[end++] != '\0') return EINVAL; pd->rhost = (char *) &body[start]; - ret = extract_authtok_v1(pd, &pd->authtok, body, blen, &end); + ret = extract_authtok_v1(pd, pd->authtok, body, blen, &end); if (ret) { DEBUG(1, ("Invalid auth token\n")); return ret; } - ret = extract_authtok_v1(pd, &pd->newauthtok, body, blen, &end); + ret = extract_authtok_v1(pd, pd->newauthtok, body, blen, &end); if (ret) { DEBUG(1, ("Invalid new auth token\n")); return ret; @@ -489,7 +487,7 @@ static void pam_reply(struct pam_auth_req *preq) goto done; } - ret = sss_authtok_get_password(&pd->authtok, &password, NULL); + ret = sss_authtok_get_password(pd->authtok, &password, NULL); if (ret) { DEBUG(0, ("Failed to get password.\n")); goto done; diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c index 302cf3c8e242a0a44dbe6eef0641a391e63eae5a..423f8bb8427df8e8c1be25113f1406cff8def2c4 100644 --- a/src/tests/krb5_child-test.c +++ b/src/tests/krb5_child-test.c @@ -176,10 +176,10 @@ create_dummy_pam_data(TALLOC_CTX *mem_ctx, const char *user, pd->user = talloc_strdup(pd, user); if (!pd->user) goto fail; - ret = sss_authtok_set_password(pd, &pd->authtok, password, 0); + ret = sss_authtok_set_password(pd->authtok, password, 0); if (ret) goto fail; - (void)sss_authtok_get_password(&pd->authtok, &authtok, &authtok_len); + (void)sss_authtok_get_password(pd->authtok, &authtok, &authtok_len); DEBUG(SSSDBG_FUNC_DATA, ("Authtok [%s] len [%d]\n", authtok, (int)authtok_len)); diff --git a/src/util/authtok.c b/src/util/authtok.c index 1c54d04cceece494c2eb6fe2244f3d03d20ce017..83e6a1c942a0abc136422bf062be47cbc687bb72 100644 --- a/src/util/authtok.c +++ b/src/util/authtok.c @@ -19,6 +19,12 @@ #include "authtok.h" +struct sss_auth_token { + enum sss_authtok_type type; + uint8_t *data; + size_t length; +}; + enum sss_authtok_type sss_authtok_get_type(struct sss_auth_token *tok) { return tok->type; @@ -80,8 +86,7 @@ errno_t sss_authtok_get_ccfile(struct sss_auth_token *tok, return EINVAL; } -static errno_t sss_authtok_set_string(TALLOC_CTX *mem_ctx, - struct sss_auth_token *tok, +static errno_t sss_authtok_set_string(struct sss_auth_token *tok, enum sss_authtok_type type, const char *context_name, const char *str, size_t len) @@ -101,7 +106,7 @@ static errno_t sss_authtok_set_string(TALLOC_CTX *mem_ctx, size = len + 1; - tok->data = talloc_named(mem_ctx, size, "%s", context_name); + tok->data = talloc_named(tok, size, "%s", context_name); if (!tok->data) { return ENOMEM; } @@ -131,38 +136,33 @@ void sss_authtok_set_empty(struct sss_auth_token *tok) tok->length = 0; } -errno_t sss_authtok_set_password(TALLOC_CTX *mem_ctx, - struct sss_auth_token *tok, +errno_t sss_authtok_set_password(struct sss_auth_token *tok, const char *password, size_t len) { sss_authtok_set_empty(tok); - return sss_authtok_set_string(mem_ctx, tok, - SSS_AUTHTOK_TYPE_PASSWORD, + return sss_authtok_set_string(tok, SSS_AUTHTOK_TYPE_PASSWORD, "password", password, len); } -errno_t sss_authtok_set_ccfile(TALLOC_CTX *mem_ctx, - struct sss_auth_token *tok, +errno_t sss_authtok_set_ccfile(struct sss_auth_token *tok, const char *ccfile, size_t len) { sss_authtok_set_empty(tok); - return sss_authtok_set_string(mem_ctx, tok, - SSS_AUTHTOK_TYPE_CCFILE, + return sss_authtok_set_string(tok, SSS_AUTHTOK_TYPE_CCFILE, "ccfile", ccfile, len); } -errno_t sss_authtok_set(TALLOC_CTX *mem_ctx, - struct sss_auth_token *tok, +errno_t sss_authtok_set(struct sss_auth_token *tok, enum sss_authtok_type type, uint8_t *data, size_t len) { switch (type) { case SSS_AUTHTOK_TYPE_PASSWORD: - return sss_authtok_set_password(mem_ctx, tok, (const char *)data, len); + return sss_authtok_set_password(tok, (const char *)data, len); case SSS_AUTHTOK_TYPE_CCFILE: - return sss_authtok_set_ccfile(mem_ctx, tok, (const char *)data, len); + return sss_authtok_set_ccfile(tok, (const char *)data, len); case SSS_AUTHTOK_TYPE_EMPTY: sss_authtok_set_empty(tok); return EOK; @@ -171,8 +171,7 @@ errno_t sss_authtok_set(TALLOC_CTX *mem_ctx, return EINVAL; } -errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx, - struct sss_auth_token *src, +errno_t sss_authtok_copy(struct sss_auth_token *src, struct sss_auth_token *dst) { sss_authtok_set_empty(dst); @@ -181,7 +180,7 @@ errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx, return EOK; } - dst->data = talloc_memdup(mem_ctx, src->data, src->length); + dst->data = talloc_memdup(dst, src->data, src->length); if (!dst->data) { return ENOMEM; } @@ -191,6 +190,19 @@ errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx, return EOK; } +struct sss_auth_token *sss_authtok_new(TALLOC_CTX *mem_ctx) +{ + struct sss_auth_token *token; + + token = talloc_zero(mem_ctx, struct sss_auth_token); + if (token == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n")); + } + + return token; +} + + void sss_authtok_wipe_password(struct sss_auth_token *tok) { if (tok->type != SSS_AUTHTOK_TYPE_PASSWORD) { diff --git a/src/util/authtok.h b/src/util/authtok.h index 21cfe4a1c85489f7456651042bdf8041d7c55f58..8f327d4c0839482efb5bca57d9267786c3bab6c7 100644 --- a/src/util/authtok.h +++ b/src/util/authtok.h @@ -23,15 +23,9 @@ #include "util/util.h" #include "sss_client/sss_cli.h" -/* Auth token structure, - * please never use directly. - * Use sss_authtok_* accesor functions instead +/* Use sss_authtok_* accesor functions instead of struct sss_auth_token */ -struct sss_auth_token { - enum sss_authtok_type type; - uint8_t *data; - size_t length; -}; +struct sss_auth_token; /** * @brief Returns the token type @@ -79,8 +73,8 @@ errno_t sss_authtok_get_password(struct sss_auth_token *tok, /** * @brief Set a password into a an auth token, replacing any previous data * - * @param mem_ctx A memory context use to allocate the internal data - * @param tok A pointer to a sss_auth_token structure to change + * @param tok A pointer to a sss_auth_token structure to change, also + * used as a memory context to allocate the internal data. * @param password A string * @param len The length of the string or, if 0 is passed, * then strlen(password) will be used internally. @@ -88,8 +82,7 @@ errno_t sss_authtok_get_password(struct sss_auth_token *tok, * @return EOK on success * ENOMEM on error */ -errno_t sss_authtok_set_password(TALLOC_CTX *mem_ctx, - struct sss_auth_token *tok, +errno_t sss_authtok_set_password(struct sss_auth_token *tok, const char *password, size_t len); /** @@ -98,7 +91,7 @@ errno_t sss_authtok_set_password(TALLOC_CTX *mem_ctx, * * @param tok A pointer to an sss_auth_token * @param ccfile A pointer to a const char *, that will point to a null - * terminated string + * terminated string, also used as a memory context use to allocate the internal data * @param len The length of the string * * @return EOK on success @@ -111,16 +104,15 @@ errno_t sss_authtok_get_ccfile(struct sss_auth_token *tok, /** * @brief Set a cc file name into a an auth token, replacing any previous data * - * @param mem_ctx A memory context use to allocate the internal data - * @param tok A pointer to a sss_auth_token structure to change + * @param tok A pointer to a sss_auth_token structure to change, also + * used as a memory context to allocate the internal data. * @param ccfile A null terminated string * @param len The length of the string * * @return EOK on success * ENOMEM on error */ -errno_t sss_authtok_set_ccfile(TALLOC_CTX *mem_ctx, - struct sss_auth_token *tok, +errno_t sss_authtok_set_ccfile(struct sss_auth_token *tok, const char *ccfile, size_t len); /** @@ -136,8 +128,8 @@ void sss_authtok_set_empty(struct sss_auth_token *tok); /** * @brief Set an auth token by type, replacing any previous data * - * @param mem_ctx A memory context use to allocate the internal data - * @param tok A pointer to a sss_auth_token structure to change + * @param tok A pointer to a sss_auth_token structure to change, also + * used as a memory context to allocate the internal data. * @param type A valid authtok type * @param ccfile A data pointer * @param len The length of the data @@ -145,23 +137,21 @@ void sss_authtok_set_empty(struct sss_auth_token *tok); * @return EOK on success * ENOMEM or EINVAL on error */ -errno_t sss_authtok_set(TALLOC_CTX *mem_ctx, - struct sss_auth_token *tok, +errno_t sss_authtok_set(struct sss_auth_token *tok, enum sss_authtok_type type, uint8_t *data, size_t len); /** * @brief Copy an auth token from source to destination * - * @param mem_ctx The memory context to use for allocations on dst * @param src The source auth token - * @param dst The destination auth token + * @param dst The destination auth token, also used as a memory context + * to allocate dst internal data. * * @return EOK on success * ENOMEM on error */ -errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx, - struct sss_auth_token *src, +errno_t sss_authtok_copy(struct sss_auth_token *src, struct sss_auth_token *dst); /** @@ -177,4 +167,16 @@ errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx, */ void sss_authtok_wipe_password(struct sss_auth_token *tok); +/** + * @brief Create new empty struct sss_auth_token. + * + * @param mem_ctx A memory context use to allocate the internal data + * @return A pointer to new empty struct sss_auth_token + * NULL in case of failure + * + * NOTE: This function is the only way, how to create new empty + * struct sss_auth_token. + */ +struct sss_auth_token *sss_authtok_new(TALLOC_CTX *mem_ctx); + #endif /* __AUTHTOK_H__ */ -- 1.8.1.4