Diffstat (limited to 'src/providers/proxy')
-rw-r--r-- | src/providers/proxy/proxy.h | 7 | ||||
-rw-r--r-- | src/providers/proxy/proxy_auth.c | 14 | ||||
-rw-r--r-- | src/providers/proxy/proxy_child.c | 51 |
3 files changed, 39 insertions, 33 deletions
diff --git a/src/providers/proxy/proxy.h b/src/providers/proxy/proxy.h
index cea03382..962cb28f 100644
--- a/src/providers/proxy/proxy.h
+++ b/src/providers/proxy/proxy.h
@@ -89,11 +89,8 @@ struct proxy_nss_ops {
 };
 struct authtok_conv {
- uint32_t authtok_size;
- uint8_t *authtok;
-
- uint32_t newauthtok_size;
- uint8_t *newauthtok;
+ struct sss_auth_token authtok;
+ struct sss_auth_token newauthtok;
 bool sent_old;
 };
diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c
index 8088283f..3430f38b 100644
--- a/src/providers/proxy/proxy_auth.c
+++ b/src/providers/proxy/proxy_auth.c
@@ -712,7 +712,7 @@ static void proxy_child_done(struct tevent_req *req)
 struct proxy_client_ctx *client_ctx = tevent_req_callback_data(req, struct proxy_client_ctx);
 struct pam_data *pd = NULL;
- char *password;
+ const char *password;
 int ret;
 struct tevent_immediate *imm;
@@ -747,17 +747,15 @@ static void proxy_child_done(struct tevent_req *req)
 /* Check if we need to save the cached credentials */
 if ((pd->cmd == SSS_PAM_AUTHENTICATE || pd->cmd == SSS_PAM_CHAUTHTOK) &&
- pd->pam_status == PAM_SUCCESS &&
- client_ctx->be_req->be_ctx->domain->cache_credentials) {
- password = talloc_strndup(client_ctx->be_req,
- (char *) pd->authtok,
- pd->authtok_size);
- if (!password) {
+ (pd->pam_status == PAM_SUCCESS) &&
+ client_ctx->be_req->be_ctx->domain->cache_credentials) {
+
+ ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+ if (ret) {
 /* password caching failures are not fatal errors */
 DEBUG(2, ("Failed to cache password\n"));
 goto done;
 }
- talloc_set_destructor((TALLOC_CTX *)password, password_destructor);
 ret = sysdb_cache_password(client_ctx->be_req->be_ctx->sysdb, pd->user, password);
diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c
index c575948a..556dbf9b 100644
--- a/src/providers/proxy/proxy_child.c
+++ b/src/providers/proxy/proxy_child.c
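Review bot: In the @@ -747 hunk of proxy_auth.c, `password` now aliases the token stored in `pd->authtok` instead of being a talloc copy, and the `talloc_set_destructor((TALLOC_CTX *)password, password_destructor)` that wiped that copy is removed, so clearing the plaintext after caching now rests entirely on whoever frees `pd->authtok`; if `struct sss_auth_token` is not wiped by its own destructor, the password outlives this function in the backend's heap. The hunk does not show the token's lifetime, so a one-line comment above the `sss_authtok_get_password` call would make the ownership explicit, e.g. `/* password borrows pd->authtok: no copy is made, it is cleared together with pd */`. `ret` is declared `int` in the @@ -712 hunk while the new call presumably returns errno_t; `if (ret)` works either way, but the type could follow the callee. proxy_child_done starts before and continues after these hunks.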
@@ -80,6 +80,9 @@ static int proxy_internal_conv(int num_msg, const struct pam_message **msgm,
 int i;
 struct pam_response *reply;
 struct authtok_conv *auth_data;
+ const char *password;
+ size_t pwlen;
+ errno_t ret;
 auth_data = talloc_get_type(appdata_ptr, struct authtok_conv);
@@ -94,11 +97,13 @@ static int proxy_internal_conv(int num_msg, const struct pam_message **msgm,
 case PAM_PROMPT_ECHO_OFF:
 DEBUG(4, ("Conversation message: [%s]\n", msgm[i]->msg));
 reply[i].resp_retcode = 0;
- reply[i].resp = calloc(auth_data->authtok_size + 1,
- sizeof(char));
+
+ ret = sss_authtok_get_password(&auth_data->authtok,
+ &password, &pwlen);
+ if (ret) goto failed;
+ reply[i].resp = calloc(pwlen + 1, sizeof(char));
 if (reply[i].resp == NULL) goto failed;
- memcpy(reply[i].resp, auth_data->authtok,
- auth_data->authtok_size);
+ memcpy(reply[i].resp, password, pwlen + 1);
 break;
 default:
@@ -124,6 +129,9 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm,
 int i;
 struct pam_response *reply;
 struct authtok_conv *auth_data;
+ const char *password;
+ size_t pwlen;
+ errno_t ret;
 auth_data = talloc_get_type(appdata_ptr, struct authtok_conv);
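Review bot: In the @@ -94 hunk, `memcpy(reply[i].resp, password, pwlen + 1)` reads one byte past the length that `sss_authtok_get_password` reports, which is only safe if the token storage always carries a NUL terminator after `pwlen` bytes; since `calloc(pwlen + 1, sizeof(char))` already zero-fills the terminator, `memcpy(reply[i].resp, password, pwlen);` copies exactly the reported bytes and does not depend on that invariant. The same pattern appears twice in the @@ -141 hunk of proxy_chauthtok_conv. The `goto failed` taken on a `sss_authtok_get_password` error lands outside the hunk, so whether the already-allocated `reply[0..i-1]` entries are released on that path cannot be checked from this view. proxy_internal_conv starts before and ends after this hunk.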
@@ -141,20 +149,23 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm,
 reply[i].resp_retcode = 0;
 if (!auth_data->sent_old) {
 /* The first prompt will be asking for the old authtok */
- reply[i].resp = calloc(auth_data->authtok_size + 1,
- sizeof(char));
+ ret = sss_authtok_get_password(&auth_data->authtok,
+ &password, &pwlen);
+ if (ret) goto failed;
+ reply[i].resp = calloc(pwlen + 1, sizeof(char));
 if (reply[i].resp == NULL) goto failed;
- memcpy(reply[i].resp, auth_data->authtok,
- auth_data->authtok_size);
+ memcpy(reply[i].resp, password, pwlen + 1);
 auth_data->sent_old = true;
 } else {
 /* Subsequent prompts are looking for the new authtok */
- reply[i].resp = calloc(auth_data->newauthtok_size + 1,
- sizeof(char));
+ ret = sss_authtok_get_password(&auth_data->newauthtok,
+ &password, &pwlen);
+ if (ret) goto failed;
+ reply[i].resp = calloc(pwlen + 1, sizeof(char));
 if (reply[i].resp == NULL) goto failed;
- memcpy(reply[i].resp, auth_data->newauthtok,
- auth_data->newauthtok_size);
+ memcpy(reply[i].resp, password, pwlen + 1);
+ auth_data->sent_old = true;
 }
 break;
@@ -213,8 +224,8 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd)
 }
 switch (pd->cmd) {
 case SSS_PAM_AUTHENTICATE:
- auth_data->authtok_size = pd->authtok_size;
- auth_data->authtok = pd->authtok;
+ sss_authtok_copy(auth_data, &pd->authtok,
+ &auth_data->authtok);
 pam_status = pam_authenticate(pamh, 0);
 break;
 case SSS_PAM_SETCRED:
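Review bot: The `auth_data->sent_old = true;` added at the end of the else branch in the @@ -141 hunk is a no-op, because that branch is only entered when `sent_old` is already true. If the intent is to record that the new token has been handed out, that needs its own flag; otherwise the line should be dropped so a reader does not look for a state change that never happens. Style only; proxy_chauthtok_conv continues outside the hunk.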
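Review bot: The return value of `sss_authtok_copy(auth_data, &pd->authtok, &auth_data->authtok)` in the @@ -213 hunk is discarded, whereas the two assignments it replaces could not fail; the call takes a talloc context, so it presumably allocates, and on failure `pam_authenticate` runs with an empty or stale token and the problem only surfaces later as a conversation error or a wrong-password result. Check it before entering the PAM stack, e.g. `ret = sss_authtok_copy(auth_data, &pd->authtok, &auth_data->authtok); if (ret != EOK) { pam_status = PAM_SYSTEM_ERR; break; }` (assuming an errno_t return and a `ret` available in call_pam_stack, neither of which the hunk shows). The same applies to the three `sss_authtok_copy` calls in the @@ -230 hunk. call_pam_stack starts before and continues after this hunk.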
@@ -230,21 +241,21 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd)
 pam_status=pam_close_session(pamh, 0);
 break;
 case SSS_PAM_CHAUTHTOK:
- auth_data->authtok_size = pd->authtok_size;
- auth_data->authtok = pd->authtok;
+ sss_authtok_copy(auth_data, &pd->authtok,
+ &auth_data->authtok);
 if (pd->priv != 1) {
 pam_status = pam_authenticate(pamh, 0);
 auth_data->sent_old = false;
 if (pam_status != PAM_SUCCESS) break;
 }
- auth_data->newauthtok_size = pd->newauthtok_size;
- auth_data->newauthtok = pd->newauthtok;
+ sss_authtok_copy(auth_data, &pd->newauthtok,
+ &auth_data->newauthtok);
 pam_status = pam_chauthtok(pamh, 0);
 break;
 case SSS_PAM_CHAUTHTOK_PRELIM:
 if (pd->priv != 1) {
- auth_data->authtok_size = pd->authtok_size;
- auth_data->authtok = pd->authtok;
+ sss_authtok_copy(auth_data, &pd->authtok,
+ &auth_data->authtok);
 pam_status = pam_authenticate(pamh, 0);
 } else {
 pam_status = PAM_SUCCESS; |