Diffstat (limited to 'src/providers/proxy')
-rw-r--r--src/providers/proxy/proxy.h7
-rw-r--r--src/providers/proxy/proxy_auth.c14
-rw-r--r--src/providers/proxy/proxy_child.c51
3 files changed, 39 insertions, 33 deletions
diff --git a/src/providers/proxy/proxy.h b/src/providers/proxy/proxy.h
index cea03382..962cb28f 100644
--- a/src/providers/proxy/proxy.h
+++ b/src/providers/proxy/proxy.h
@@ -89,11 +89,8 @@ struct proxy_nss_ops {
};
struct authtok_conv {
- uint32_t authtok_size;
- uint8_t *authtok;
-
- uint32_t newauthtok_size;
- uint8_t *newauthtok;
+ struct sss_auth_token authtok;
+ struct sss_auth_token newauthtok;
bool sent_old;
};
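Review bot: The reworked struct authtok_conv carries no comment saying that the two embedded sss_auth_token members are now private copies rather than the borrowed pointers they replace, nor what sent_old tracks. From the call_pam_stack hunks in this same diff the members are filled by sss_authtok_copy with auth_data as the talloc context, which suggests the struct owns them; a comment above `authtok` such as `/* Private copies of the request's old and new authtoks, owned by this struct and filled in by call_pam_stack (confirm lifetime against sss_authtok_copy). */` and `/* set once the old authtok has been handed to a chauthtok prompt */` on sent_old would spare the next reader that trip. The surrounding header content lies outside the hunk.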
diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c
index 8088283f..3430f38b 100644
--- a/src/providers/proxy/proxy_auth.c
+++ b/src/providers/proxy/proxy_auth.c
@@ -712,7 +712,7 @@ static void proxy_child_done(struct tevent_req *req)
struct proxy_client_ctx *client_ctx =
tevent_req_callback_data(req, struct proxy_client_ctx);
struct pam_data *pd = NULL;
- char *password;
+ const char *password;
int ret;
struct tevent_immediate *imm;
@@ -747,17 +747,15 @@ static void proxy_child_done(struct tevent_req *req)
/* Check if we need to save the cached credentials */
if ((pd->cmd == SSS_PAM_AUTHENTICATE || pd->cmd == SSS_PAM_CHAUTHTOK) &&
- pd->pam_status == PAM_SUCCESS &&
- client_ctx->be_req->be_ctx->domain->cache_credentials) {
- password = talloc_strndup(client_ctx->be_req,
- (char *) pd->authtok,
- pd->authtok_size);
- if (!password) {
+ (pd->pam_status == PAM_SUCCESS) &&
+ client_ctx->be_req->be_ctx->domain->cache_credentials) {
+
+ ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+ if (ret) {
/* password caching failures are not fatal errors */
DEBUG(2, ("Failed to cache password\n"));
goto done;
}
- talloc_set_destructor((TALLOC_CTX *)password, password_destructor);
ret = sysdb_cache_password(client_ctx->be_req->be_ctx->sysdb,
pd->user, password);
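Review bot: Removing the destructor-protected private copy means the plaintext handed to sysdb_cache_password now lives only inside pd->authtok, and whether that buffer is wiped when pd is freed depends on sss_auth_token's own cleanup, which is not visible here; the dropped password_destructor was presumably doing that zeroing, so confirm the token's free path does the same before relying on it. Separately, the `Failed to cache password` debug message now fires whenever sss_authtok_get_password returns non-zero, which presumably also covers the token simply not being a password (an empty token, for instance), so a message like `DEBUG(2, ("Authtok is not a password, not caching credentials [%d]\n", ret));` would describe what actually happened. proxy_child_done's body continues past the hunk.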
diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c
index c575948a..556dbf9b 100644
--- a/src/providers/proxy/proxy_child.c
+++ b/src/providers/proxy/proxy_child.c
@@ -80,6 +80,9 @@ static int proxy_internal_conv(int num_msg, const struct pam_message **msgm,
int i;
struct pam_response *reply;
struct authtok_conv *auth_data;
+ const char *password;
+ size_t pwlen;
+ errno_t ret;
auth_data = talloc_get_type(appdata_ptr, struct authtok_conv);
@@ -94,11 +97,13 @@ static int proxy_internal_conv(int num_msg, const struct pam_message **msgm,
case PAM_PROMPT_ECHO_OFF:
DEBUG(4, ("Conversation message: [%s]\n", msgm[i]->msg));
reply[i].resp_retcode = 0;
- reply[i].resp = calloc(auth_data->authtok_size + 1,
- sizeof(char));
+
+ ret = sss_authtok_get_password(&auth_data->authtok,
+ &password, &pwlen);
+ if (ret) goto failed;
+ reply[i].resp = calloc(pwlen + 1, sizeof(char));
if (reply[i].resp == NULL) goto failed;
- memcpy(reply[i].resp, auth_data->authtok,
- auth_data->authtok_size);
+ memcpy(reply[i].resp, password, pwlen + 1);
break;
default:
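Review bot: `memcpy(reply[i].resp, password, pwlen + 1);` reads one byte beyond the pwlen bytes that sss_authtok_get_password reported, so it silently depends on the token buffer always carrying a NUL at password[pwlen]; if that is not part of the accessor's contract it is a one-byte over-read. The destination comes from `calloc(pwlen + 1, sizeof(char))` and is therefore already NUL-terminated, so `memcpy(reply[i].resp, password, pwlen);` is sufficient and does not assume anything about the token's internal layout. Note also that a token which is not a password now makes the conversation fail via `goto failed`, where the old code answered the prompt with whatever bytes authtok held; that is probably intended but deserves a one-line comment on the `if (ret) goto failed;`. proxy_internal_conv starts and ends outside the hunk.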
@@ -124,6 +129,9 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm,
int i;
struct pam_response *reply;
struct authtok_conv *auth_data;
+ const char *password;
+ size_t pwlen;
+ errno_t ret;
auth_data = talloc_get_type(appdata_ptr, struct authtok_conv);
@@ -141,20 +149,23 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm,
reply[i].resp_retcode = 0;
if (!auth_data->sent_old) {
/* The first prompt will be asking for the old authtok */
- reply[i].resp = calloc(auth_data->authtok_size + 1,
- sizeof(char));
+ ret = sss_authtok_get_password(&auth_data->authtok,
+ &password, &pwlen);
+ if (ret) goto failed;
+ reply[i].resp = calloc(pwlen + 1, sizeof(char));
if (reply[i].resp == NULL) goto failed;
- memcpy(reply[i].resp, auth_data->authtok,
- auth_data->authtok_size);
+ memcpy(reply[i].resp, password, pwlen + 1);
auth_data->sent_old = true;
}
else {
/* Subsequent prompts are looking for the new authtok */
- reply[i].resp = calloc(auth_data->newauthtok_size + 1,
- sizeof(char));
+ ret = sss_authtok_get_password(&auth_data->newauthtok,
+ &password, &pwlen);
+ if (ret) goto failed;
+ reply[i].resp = calloc(pwlen + 1, sizeof(char));
if (reply[i].resp == NULL) goto failed;
- memcpy(reply[i].resp, auth_data->newauthtok,
- auth_data->newauthtok_size);
+ memcpy(reply[i].resp, password, pwlen + 1);
+ auth_data->sent_old = true;
}
break;
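Review bot: The added `auth_data->sent_old = true;` in the else branch is a no-op: that branch is only reached when `if (!auth_data->sent_old)` was false, so sent_old is already true and the line can be dropped. The two `memcpy(reply[i].resp, password, pwlen + 1);` calls also copy one byte past the reported length; since the calloc'd buffer is already NUL-terminated, `memcpy(reply[i].resp, password, pwlen);` does the job without assuming the token stores a terminator. proxy_chauthtok_conv starts and ends outside the hunk.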
@@ -213,8 +224,8 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd)
}
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
- auth_data->authtok_size = pd->authtok_size;
- auth_data->authtok = pd->authtok;
+ sss_authtok_copy(auth_data, &pd->authtok,
+ &auth_data->authtok);
pam_status = pam_authenticate(pamh, 0);
break;
case SSS_PAM_SETCRED:
@@ -230,21 +241,21 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd)
pam_status=pam_close_session(pamh, 0);
break;
case SSS_PAM_CHAUTHTOK:
- auth_data->authtok_size = pd->authtok_size;
- auth_data->authtok = pd->authtok;
+ sss_authtok_copy(auth_data, &pd->authtok,
+ &auth_data->authtok);
if (pd->priv != 1) {
pam_status = pam_authenticate(pamh, 0);
auth_data->sent_old = false;
if (pam_status != PAM_SUCCESS) break;
}
- auth_data->newauthtok_size = pd->newauthtok_size;
- auth_data->newauthtok = pd->newauthtok;
+ sss_authtok_copy(auth_data, &pd->newauthtok,
+ &auth_data->newauthtok);
pam_status = pam_chauthtok(pamh, 0);
break;
case SSS_PAM_CHAUTHTOK_PRELIM:
if (pd->priv != 1) {
- auth_data->authtok_size = pd->authtok_size;
- auth_data->authtok = pd->authtok;
+ sss_authtok_copy(auth_data, &pd->authtok,
+ &auth_data->authtok);
pam_status = pam_authenticate(pamh, 0);
} else {
pam_status = PAM_SUCCESS;
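Review bot: The return value of sss_authtok_copy is ignored at all three call sites in this hunk (and at the SSS_PAM_AUTHENTICATE site in the preceding hunk); it is handed auth_data as a talloc context, so an allocation failure is at least plausible, and in that case pam_authenticate or pam_chauthtok would run against an empty or stale token rather than the request failing. Assuming it follows the errno_t convention of sss_authtok_get_password used elsewhere in this diff, each call should become `ret = sss_authtok_copy(auth_data, &pd->authtok, &auth_data->authtok);` followed by `if (ret) { pam_status = PAM_SYSTEM_ERR; break; }` with a local errno_t `ret`. The copies also leave a second plaintext of both tokens in auth_data and nothing in the hunk clears them, so check that auth_data's teardown (outside this hunk) zeroes them. call_pam_stack starts and ends outside the hunk.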