diff options
Diffstat (limited to 'src/providers/krb5/krb5_auth.c')
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 58 |
1 files changed, 23 insertions, 35 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index bd014a49..398f06a8 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -278,12 +278,12 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx, struct pam_data *pd, uid_t uid, int *pam_status, int *dp_err) { - char *password = NULL; + const char *password = NULL; errno_t ret; - password = talloc_strndup(state, pd->authtok, pd->authtok_size); - if (!password) { - DEBUG(0, ("Out of memory copying password\n")); + ret = sss_authtok_get_password(&pd->authtok, &password, NULL); + if (ret != EOK) { + DEBUG(0, ("Failed to get password [%d] %s\n", ret, strerror(ret))); *pam_status = PAM_SYSTEM_ERR; *dp_err = DP_ERR_OK; return; @@ -294,7 +294,7 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx, DEBUG(1, ("Offline authentication failed\n")); *pam_status = cached_login_pam_status(ret); *dp_err = DP_ERR_OK; - goto done; + return; } ret = add_user_to_delayed_online_authentication(krb5_ctx, pd, uid); @@ -304,12 +304,6 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx, } *pam_status = PAM_AUTHINFO_UNAVAIL; *dp_err = DP_ERR_OFFLINE; - -done: - if (password) { - for (i = 0; password[i]; i++) password[i] = 0; - talloc_zfree(password); - } } static errno_t krb5_auth_prepare_ccache_file(struct krb5child_req *kr, @@ -385,16 +379,9 @@ static errno_t krb5_auth_prepare_ccache_file(struct krb5child_req *kr, static void krb5_auth_store_creds(struct sysdb_ctx *sysdb, struct pam_data *pd) { - TALLOC_CTX *tmp_ctx; - char *password = NULL; + const char *password = NULL; int ret = EOK; - tmp_ctx = talloc_new(NULL); - if (!tmp_ctx) { - DEBUG(0, ("Out of memory when trying to store credentials\n")); - return; - } - switch(pd->cmd) { case SSS_CMD_RENEW: /* The authtok is set to the credential cache @@ -404,42 +391,35 @@ static void krb5_auth_store_creds(struct sysdb_ctx *sysdb, struct pam_data *pd) break; case SSS_PAM_AUTHENTICATE: case SSS_PAM_CHAUTHTOK_PRELIM: - password = talloc_size(tmp_ctx, pd->authtok_size + 1); - if (password != NULL) { - memcpy(password, pd->authtok, pd->authtok_size); - password[pd->authtok_size] = '\0'; - } + ret = sss_authtok_get_password(&pd->authtok, &password, NULL); break; case SSS_PAM_CHAUTHTOK: - password = talloc_size(tmp_ctx, pd->newauthtok_size + 1); - if (password != NULL) { - memcpy(password, pd->newauthtok, pd->newauthtok_size); - password[pd->newauthtok_size] = '\0'; - } + ret = sss_authtok_get_password(&pd->newauthtok, &password, NULL); break; default: DEBUG(0, ("unsupported PAM command [%d].\n", pd->cmd)); } + if (ret != EOK) { + DEBUG(0, ("Failed to get password [%d] %s\n", ret, strerror(ret))); + /* password caching failures are not fatal errors */ + return; + } + if (password == NULL) { if (pd->cmd != SSS_CMD_RENEW) { DEBUG(0, ("password not available, offline auth may not work.\n")); /* password caching failures are not fatal errors */ } - talloc_zfree(tmp_ctx); return; } - talloc_set_destructor((TALLOC_CTX *)password, password_destructor); - ret = sysdb_cache_password(sysdb, pd->user, password); if (ret) { DEBUG(2, ("Failed to cache password, offline auth may not work." " (%d)[%s]!?\n", ret, strerror(ret))); /* password caching failures are not fatal errors */ } - - talloc_zfree(tmp_ctx); } /* krb5_auth request */ @@ -504,9 +484,17 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, case SSS_PAM_AUTHENTICATE: case SSS_CMD_RENEW: case SSS_PAM_CHAUTHTOK: + if (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { + DEBUG(1, ("Missing authtok for user [%s].\n", pd->user)); + state->pam_status = PAM_SYSTEM_ERR; + state->dp_err = DP_ERR_FATAL; + ret = EINVAL; + goto done; + } break; case SSS_PAM_CHAUTHTOK_PRELIM: - if (pd->priv == 1 && pd->authtok_size == 0) { + if (pd->priv == 1 && + sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { DEBUG(4, ("Password reset by root is not supported.\n")); state->pam_status = PAM_PERM_DENIED; state->dp_err = DP_ERR_OK; |