summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/providers/data_provider.h4
-rw-r--r--src/providers/dp_auth_util.c16
-rw-r--r--src/providers/dp_pam_data_util.c60
-rw-r--r--src/providers/ipa/ipa_auth.c2
-rw-r--r--src/providers/krb5/krb5_auth.c10
-rw-r--r--src/providers/krb5/krb5_child.c28
-rw-r--r--src/providers/krb5/krb5_child_handler.c8
-rw-r--r--src/providers/krb5/krb5_delayed_online_authentication.c12
-rw-r--r--src/providers/krb5/krb5_renew_tgt.c5
-rw-r--r--src/providers/ldap/ldap_auth.c12
-rw-r--r--src/providers/ldap/sdap_async_connection.c12
-rw-r--r--src/providers/proxy/proxy.h4
-rw-r--r--src/providers/proxy/proxy_auth.c2
-rw-r--r--src/providers/proxy/proxy_child.c18
-rw-r--r--src/responder/pam/pam_LOCAL_domain.c10
-rw-r--r--src/responder/pam/pamsrv_cmd.c16
-rw-r--r--src/tests/krb5_child-test.c4
-rw-r--r--src/util/authtok.c48
-rw-r--r--src/util/authtok.h52
19 files changed, 186 insertions, 137 deletions
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 2ce16e85..8f385b79 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -176,8 +176,8 @@ struct pam_data {
char *tty;
char *ruser;
char *rhost;
- struct sss_auth_token authtok;
- struct sss_auth_token newauthtok;
+ struct sss_auth_token *authtok;
+ struct sss_auth_token *newauthtok;
uint32_t cli_pid;
int pam_status;
diff --git a/src/providers/dp_auth_util.c b/src/providers/dp_auth_util.c
index 54f0ee8e..0bf10a7d 100644
--- a/src/providers/dp_auth_util.c
+++ b/src/providers/dp_auth_util.c
@@ -40,12 +40,12 @@ bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd)
tty = pd->tty ? pd->tty : "";
ruser = pd->ruser ? pd->ruser : "";
rhost = pd->rhost ? pd->rhost : "";
- authtok_type = (uint32_t)sss_authtok_get_type(&pd->authtok);
- authtok_data = sss_authtok_get_data(&pd->authtok);
- authtok_length = sss_authtok_get_size(&pd->authtok);
- new_authtok_type = (uint32_t)sss_authtok_get_type(&pd->newauthtok);
- new_authtok_data = sss_authtok_get_data(&pd->newauthtok);
- new_authtok_length = sss_authtok_get_size(&pd->newauthtok);
+ authtok_type = (uint32_t)sss_authtok_get_type(pd->authtok);
+ authtok_data = sss_authtok_get_data(pd->authtok);
+ authtok_length = sss_authtok_get_size(pd->authtok);
+ new_authtok_type = (uint32_t)sss_authtok_get_type(pd->newauthtok);
+ new_authtok_data = sss_authtok_get_data(pd->newauthtok);
+ new_authtok_length = sss_authtok_get_size(pd->newauthtok);
db_ret = dbus_message_append_args(msg,
DBUS_TYPE_INT32, &(pd->cmd),
@@ -112,13 +112,13 @@ bool dp_unpack_pam_request(DBusMessage *msg, TALLOC_CTX *mem_ctx,
return false;
}
- ret = sss_authtok_set(*new_pd, &((*new_pd)->authtok), authtok_type,
+ ret = sss_authtok_set((*new_pd)->authtok, authtok_type,
authtok_data, authtok_length);
if (ret) {
DEBUG(1, ("Failed to set auth token: %d [%s]\n", ret, strerror(ret)));
return false;
}
- ret = sss_authtok_set(*new_pd, &((*new_pd)->newauthtok), new_authtok_type,
+ ret = sss_authtok_set((*new_pd)->newauthtok, new_authtok_type,
new_authtok_data, new_authtok_length);
if (ret) {
DEBUG(1, ("Failed to set auth token: %d [%s]\n", ret, strerror(ret)));
diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c
index 64f0d69b..4c33f583 100644
--- a/src/providers/dp_pam_data_util.c
+++ b/src/providers/dp_pam_data_util.c
@@ -53,8 +53,8 @@ int pam_data_destructor(void *ptr)
struct pam_data *pd = talloc_get_type(ptr, struct pam_data);
/* make sure to wipe any password from memory before freeing */
- sss_authtok_wipe_password(&pd->authtok);
- sss_authtok_wipe_password(&pd->newauthtok);
+ sss_authtok_wipe_password(pd->authtok);
+ sss_authtok_wipe_password(pd->newauthtok);
return 0;
}
@@ -65,13 +65,29 @@ struct pam_data *create_pam_data(TALLOC_CTX *mem_ctx)
pd = talloc_zero(mem_ctx, struct pam_data);
if (pd == NULL) {
- DEBUG(1, ("talloc_zero failed.\n"));
- return NULL;
+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n"));
+ goto failed;
+ }
+
+ pd->authtok = sss_authtok_new(pd);
+ if (pd == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n"));
+ goto failed;
+ }
+
+ pd->newauthtok = sss_authtok_new(pd);
+ if (pd == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n"));
+ goto failed;
}
talloc_set_destructor((TALLOC_CTX *) pd, pam_data_destructor);
return pd;
+
+failed:
+ talloc_free(pd);
+ return NULL;
}
errno_t copy_pam_data(TALLOC_CTX *mem_ctx, struct pam_data *src,
@@ -122,14 +138,34 @@ errno_t copy_pam_data(TALLOC_CTX *mem_ctx, struct pam_data *src,
pd->cli_pid = src->cli_pid;
- ret = sss_authtok_copy(pd, &src->authtok, &pd->authtok);
- if (ret) {
- goto failed;
+ /* if structure pam_data was allocated on stack and zero initialized,
+ * than src->authtok and src->newauthtok are NULL, therefore
+ * instead of copying, new empty authtok will be created.
+ */
+ if (src->authtok) {
+ ret = sss_authtok_copy(src->authtok, pd->authtok);
+ if (ret) {
+ goto failed;
+ }
+ } else {
+ pd->authtok = sss_authtok_new(pd);
+ if (pd->authtok == NULL) {
+ ret = ENOMEM;
+ goto failed;
+ }
}
- ret = sss_authtok_copy(pd, &src->newauthtok, &pd->newauthtok);
- if (ret) {
- goto failed;
+ if (src->newauthtok) {
+ ret = sss_authtok_copy(src->newauthtok, pd->newauthtok);
+ if (ret) {
+ goto failed;
+ }
+ } else {
+ pd->newauthtok = sss_authtok_new(pd);
+ if (pd->newauthtok == NULL) {
+ ret = ENOMEM;
+ goto failed;
+ }
}
*dst = pd;
@@ -151,8 +187,8 @@ void pam_print_data(int l, struct pam_data *pd)
DEBUG(l, ("tty: %s\n", PAM_SAFE_ITEM(pd->tty)));
DEBUG(l, ("ruser: %s\n", PAM_SAFE_ITEM(pd->ruser)));
DEBUG(l, ("rhost: %s\n", PAM_SAFE_ITEM(pd->rhost)));
- DEBUG(l, ("authtok type: %d\n", sss_authtok_get_type(&pd->authtok)));
- DEBUG(l, ("newauthtok type: %d\n", sss_authtok_get_type(&pd->newauthtok)));
+ DEBUG(l, ("authtok type: %d\n", sss_authtok_get_type(pd->authtok)));
+ DEBUG(l, ("newauthtok type: %d\n", sss_authtok_get_type(pd->newauthtok)));
DEBUG(l, ("priv: %d\n", pd->priv));
DEBUG(l, ("cli_pid: %d\n", pd->cli_pid));
}
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 5cb3d402..b528c544 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -371,7 +371,7 @@ static void ipa_migration_flag_connect_done(struct tevent_req *req)
}
req = sdap_auth_send(state, state->ev, state->sh, NULL, NULL, dn,
- &state->pd->authtok);
+ state->pd->authtok);
if (req == NULL) {
DEBUG(SSSDBG_OP_FAILURE, ("sdap_auth_send failed.\n"));
goto done;
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index a9b75768..6c0f429f 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -284,7 +284,7 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
const char *password = NULL;
errno_t ret;
- ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
if (ret != EOK) {
DEBUG(0, ("Failed to get password [%d] %s\n", ret, strerror(ret)));
*pam_status = PAM_SYSTEM_ERR;
@@ -397,10 +397,10 @@ static void krb5_auth_store_creds(struct sysdb_ctx *sysdb,
break;
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK_PRELIM:
- ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
break;
case SSS_PAM_CHAUTHTOK:
- ret = sss_authtok_get_password(&pd->newauthtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->newauthtok, &password, NULL);
break;
default:
DEBUG(0, ("unsupported PAM command [%d].\n", pd->cmd));
@@ -490,7 +490,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
case SSS_PAM_AUTHENTICATE:
case SSS_CMD_RENEW:
case SSS_PAM_CHAUTHTOK:
- if (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+ if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
DEBUG(1, ("Missing authtok for user [%s].\n", pd->user));
state->pam_status = PAM_SYSTEM_ERR;
state->dp_err = DP_ERR_FATAL;
@@ -500,7 +500,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
break;
case SSS_PAM_CHAUTHTOK_PRELIM:
if (pd->priv == 1 &&
- sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+ sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
DEBUG(4, ("Password reset by root is not supported.\n"));
state->pam_status = PAM_PERM_DENIED;
state->dp_err = DP_ERR_OK;
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 52127b39..4ccd75d2 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1201,7 +1201,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
DEBUG(SSSDBG_TRACE_LIBS, ("Password change operation\n"));
- ret = sss_authtok_get_password(&kr->pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
if (ret != EOK) {
DEBUG(1, ("Failed to fetch current password [%d] %s.\n",
ret, strerror(ret)));
@@ -1233,7 +1233,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
return kerr;
}
- sss_authtok_set_empty(&kr->pd->authtok);
+ sss_authtok_set_empty(kr->pd->authtok);
if (prelim) {
DEBUG(SSSDBG_TRACE_LIBS,
@@ -1243,7 +1243,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
return EOK;
}
- ret = sss_authtok_get_password(&kr->pd->newauthtok, &newpassword, NULL);
+ ret = sss_authtok_get_password(kr->pd->newauthtok, &newpassword, NULL);
if (ret != EOK) {
DEBUG(1, ("Failed to fetch new password [%d] %s.\n",
ret, strerror(ret)));
@@ -1307,7 +1307,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
kerr = get_and_save_tgt(kr, newpassword);
- sss_authtok_set_empty(&kr->pd->newauthtok);
+ sss_authtok_set_empty(kr->pd->newauthtok);
if (kerr == 0) {
kerr = k5c_attach_ccname_msg(kr);
@@ -1324,7 +1324,7 @@ static errno_t tgt_req_child(struct krb5_req *kr)
DEBUG(SSSDBG_TRACE_LIBS, ("Attempting to get a TGT\n"));
- ret = sss_authtok_get_password(&kr->pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
switch (ret) {
if (ret == EACCES) {
DEBUG(SSSDBG_OP_FAILURE, ("Invalid authtok type\n"));
@@ -1379,7 +1379,7 @@ static errno_t tgt_req_child(struct krb5_req *kr)
}
done:
- sss_authtok_set_empty(&kr->pd->authtok);
+ sss_authtok_set_empty(kr->pd->authtok);
return ret;
}
@@ -1423,11 +1423,11 @@ static errno_t renew_tgt_child(struct krb5_req *kr)
DEBUG(SSSDBG_TRACE_LIBS, ("Renewing a ticket\n"));
- ret = sss_authtok_get_ccfile(&kr->pd->authtok, &ccname, NULL);
+ ret = sss_authtok_get_ccfile(kr->pd->authtok, &ccname, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
("Unsupported authtok type for TGT renewal [%d].\n",
- sss_authtok_get_type(&kr->pd->authtok)));
+ sss_authtok_get_type(kr->pd->authtok)));
return ERR_INVALID_CRED_TYPE;
}
@@ -1527,10 +1527,10 @@ static errno_t unpack_authtok(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok,
sss_authtok_set_empty(tok);
break;
case SSS_AUTHTOK_TYPE_PASSWORD:
- ret = sss_authtok_set_password(mem_ctx, tok, (char *)(buf + *p), 0);
+ ret = sss_authtok_set_password(tok, (char *)(buf + *p), 0);
break;
case SSS_AUTHTOK_TYPE_CCFILE:
- ret = sss_authtok_set_ccfile(mem_ctx, tok, (char *)(buf + *p), 0);
+ ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0);
break;
default:
return EINVAL;
@@ -1598,7 +1598,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
if (kr->keytab == NULL) return ENOMEM;
p += len;
- ret = unpack_authtok(pd, &pd->authtok, buf, size, &p);
+ ret = unpack_authtok(pd, pd->authtok, buf, size, &p);
if (ret) {
return ret;
}
@@ -1608,16 +1608,16 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
} else {
kr->ccname = NULL;
kr->keytab = NULL;
- sss_authtok_set_empty(&pd->authtok);
+ sss_authtok_set_empty(pd->authtok);
}
if (pd->cmd == SSS_PAM_CHAUTHTOK) {
- ret = unpack_authtok(pd, &pd->newauthtok, buf, size, &p);
+ ret = unpack_authtok(pd, pd->newauthtok, buf, size, &p);
if (ret) {
return ret;
}
} else {
- sss_authtok_set_empty(&pd->newauthtok);
+ sss_authtok_set_empty(pd->newauthtok);
}
if (pd->cmd == SSS_PAM_ACCT_MGMT) {
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index cc309af3..8ff65130 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -155,12 +155,12 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ||
kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
buf->size += 4*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) +
- sss_authtok_get_size(&kr->pd->authtok);
+ sss_authtok_get_size(kr->pd->authtok);
}
if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
buf->size += 2*sizeof(uint32_t) +
- sss_authtok_get_size(&kr->pd->newauthtok);
+ sss_authtok_get_size(kr->pd->newauthtok);
}
if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) {
@@ -196,14 +196,14 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(keytab), &rp);
safealign_memcpy(&buf->data[rp], keytab, strlen(keytab), &rp);
- ret = pack_authtok(buf, &rp, &kr->pd->authtok);
+ ret = pack_authtok(buf, &rp, kr->pd->authtok);
if (ret) {
return ret;
}
}
if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
- ret = pack_authtok(buf, &rp, &kr->pd->newauthtok);
+ ret = pack_authtok(buf, &rp, kr->pd->newauthtok);
if (ret) {
return ret;
}
diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
index f95fa634..87e0f3c6 100644
--- a/src/providers/krb5/krb5_delayed_online_authentication.c
+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
@@ -84,7 +84,7 @@ static void authenticate_user(struct tevent_context *ev,
return;
}
- ret = sss_authtok_set_password(pd, &pd->authtok, password, keysize);
+ ret = sss_authtok_set_password(pd->authtok, password, keysize);
safezero(password, keysize);
free(password);
if (ret) {
@@ -246,7 +246,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
return EINVAL;
}
- if (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+ if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
DEBUG(1, ("Invalid authtok for user [%s].\n", pd->user));
return EINVAL;
}
@@ -262,10 +262,10 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
const char *password;
size_t len;
- ret = sss_authtok_get_password(&new_pd->authtok, &password, &len);
+ ret = sss_authtok_get_password(new_pd->authtok, &password, &len);
if (ret) {
DEBUG(1, ("Failed to get password [%d][%s].\n", ret, strerror(ret)));
- sss_authtok_set_empty(&new_pd->authtok);
+ sss_authtok_set_empty(new_pd->authtok);
talloc_free(new_pd);
return ret;
}
@@ -275,13 +275,13 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
if (new_pd->key_serial == -1) {
ret = errno;
DEBUG(1, ("add_key failed [%d][%s].\n", ret, strerror(ret)));
- sss_authtok_set_empty(&new_pd->authtok);
+ sss_authtok_set_empty(new_pd->authtok);
talloc_free(new_pd);
return ret;
}
DEBUG(9, ("Saved authtok of user [%s] with serial [%ld].\n",
new_pd->user, new_pd->key_serial));
- sss_authtok_set_empty(&new_pd->authtok);
+ sss_authtok_set_empty(new_pd->authtok);
#endif
key.type = HASH_KEY_ULONG;
diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c
index f2ee5d91..0b1f26fd 100644
--- a/src/providers/krb5/krb5_renew_tgt.c
+++ b/src/providers/krb5/krb5_renew_tgt.c
@@ -592,10 +592,9 @@ errno_t add_tgt_to_renew_table(struct krb5_ctx *krb5_ctx, const char *ccfile,
goto done;
}
- sss_authtok_set_empty(&renew_data->pd->newauthtok);
+ sss_authtok_set_empty(renew_data->pd->newauthtok);
- ret = sss_authtok_set_ccfile(renew_data->pd, &renew_data->pd->authtok,
- renew_data->ccfile, 0);
+ ret = sss_authtok_set_ccfile(renew_data->pd->authtok, renew_data->ccfile, 0);
if (ret) {
DEBUG(1, ("Failed to store ccfile in auth token.\n"));
goto done;
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index e10c5b0e..f4e6d28f 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -722,7 +722,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
}
if ((pd->priv == 1) && (pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) &&
- (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD)) {
+ (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD)) {
DEBUG(4, ("Password reset by root is not supported.\n"));
pd->pam_status = PAM_PERM_DENIED;
dp_err = DP_ERR_OK;
@@ -747,7 +747,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
state->ctx = ctx;
subreq = auth_send(breq, be_ctx->ev, ctx,
- state->username, &pd->authtok, true);
+ state->username, pd->authtok, true);
if (!subreq) goto done;
tevent_req_set_callback(subreq, sdap_auth4chpass_done, state);
@@ -820,13 +820,13 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
const char *password;
const char *new_password;
- ret = sss_authtok_get_password(&state->pd->authtok,
+ ret = sss_authtok_get_password(state->pd->authtok,
&password, NULL);
if (ret) {
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
- ret = sss_authtok_get_password(&state->pd->newauthtok,
+ ret = sss_authtok_get_password(state->pd->newauthtok,
&new_password, NULL);
if (ret) {
state->pd->pam_status = PAM_SYSTEM_ERR;
@@ -990,7 +990,7 @@ void sdap_pam_auth_handler(struct be_req *breq)
state->pd = pd;
subreq = auth_send(breq, be_ctx->ev, ctx,
- pd->user, &pd->authtok,
+ pd->user, pd->authtok,
pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ? true : false);
if (!subreq) goto done;
@@ -1102,7 +1102,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
if (ret == EOK && be_ctx->domain->cache_credentials) {
- ret = sss_authtok_get_password(&state->pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(state->pd->authtok, &password, NULL);
if (ret == EOK) {
ret = sysdb_cache_password(be_ctx->domain->sysdb, be_ctx->domain,
state->pd->user, password);
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 280268a1..b05edf6f 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1573,7 +1573,7 @@ static void sdap_cli_auth_step(struct tevent_req *req)
SDAP_DEFAULT_BIND_DN);
const char *authtok_type;
struct dp_opt_blob authtok_blob;
- struct sss_auth_token authtok = { 0 };
+ struct sss_auth_token *authtok;
errno_t ret;
/* Set the LDAP expiration time
@@ -1599,6 +1599,12 @@ static void sdap_cli_auth_step(struct tevent_req *req)
authtok_type = dp_opt_get_string(state->opts->basic,
SDAP_DEFAULT_AUTHTOK_TYPE);
+ authtok = sss_authtok_new(state);
+ if(authtok == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
if (authtok_type != NULL) {
if (strcasecmp(authtok_type, "password") != 0) {
DEBUG(SSSDBG_TRACE_LIBS, ("Invalid authtoken type\n"));
@@ -1609,7 +1615,7 @@ static void sdap_cli_auth_step(struct tevent_req *req)
authtok_blob = dp_opt_get_blob(state->opts->basic,
SDAP_DEFAULT_AUTHTOK);
if (authtok_blob.data) {
- ret = sss_authtok_set_password(state, &authtok,
+ ret = sss_authtok_set_password(authtok,
(const char *)authtok_blob.data,
authtok_blob.length);
if (ret) {
@@ -1623,7 +1629,7 @@ static void sdap_cli_auth_step(struct tevent_req *req)
state->sh, sasl_mech,
dp_opt_get_string(state->opts->basic,
SDAP_SASL_AUTHID),
- user_dn, &authtok);
+ user_dn, authtok);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
diff --git a/src/providers/proxy/proxy.h b/src/providers/proxy/proxy.h
index 305cbe97..db0fcb43 100644
--- a/src/providers/proxy/proxy.h
+++ b/src/providers/proxy/proxy.h
@@ -89,8 +89,8 @@ struct proxy_nss_ops {
};
struct authtok_conv {
- struct sss_auth_token authtok;
- struct sss_auth_token newauthtok;
+ struct sss_auth_token *authtok;
+ struct sss_auth_token *newauthtok;
bool sent_old;
};
diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c
index 3e6a514a..011de4fb 100644
--- a/src/providers/proxy/proxy_auth.c
+++ b/src/providers/proxy/proxy_auth.c
@@ -750,7 +750,7 @@ static void proxy_child_done(struct tevent_req *req)
if ((pd->cmd == SSS_PAM_AUTHENTICATE || pd->cmd == SSS_PAM_CHAUTHTOK) &&
(pd->pam_status == PAM_SUCCESS) && be_ctx->domain->cache_credentials) {
- ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
if (ret) {
/* password caching failures are not fatal errors */
DEBUG(2, ("Failed to cache password\n"));
diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c
index 556dbf9b..efdf9120 100644
--- a/src/providers/proxy/proxy_child.c
+++ b/src/providers/proxy/proxy_child.c
@@ -98,7 +98,7 @@ static int proxy_internal_conv(int num_msg, const struct pam_message **msgm,
DEBUG(4, ("Conversation message: [%s]\n", msgm[i]->msg));
reply[i].resp_retcode = 0;
- ret = sss_authtok_get_password(&auth_data->authtok,
+ ret = sss_authtok_get_password(auth_data->authtok,
&password, &pwlen);
if (ret) goto failed;
reply[i].resp = calloc(pwlen + 1, sizeof(char));
@@ -149,7 +149,7 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm,
reply[i].resp_retcode = 0;
if (!auth_data->sent_old) {
/* The first prompt will be asking for the old authtok */
- ret = sss_authtok_get_password(&auth_data->authtok,
+ ret = sss_authtok_get_password(auth_data->authtok,
&password, &pwlen);
if (ret) goto failed;
reply[i].resp = calloc(pwlen + 1, sizeof(char));
@@ -159,7 +159,7 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm,
}
else {
/* Subsequent prompts are looking for the new authtok */
- ret = sss_authtok_get_password(&auth_data->newauthtok,
+ ret = sss_authtok_get_password(auth_data->newauthtok,
&password, &pwlen);
if (ret) goto failed;
reply[i].resp = calloc(pwlen + 1, sizeof(char));
@@ -224,8 +224,7 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd)
}
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
- sss_authtok_copy(auth_data, &pd->authtok,
- &auth_data->authtok);
+ sss_authtok_copy(pd->authtok, auth_data->authtok);
pam_status = pam_authenticate(pamh, 0);
break;
case SSS_PAM_SETCRED:
@@ -241,21 +240,18 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd)
pam_status=pam_close_session(pamh, 0);
break;
case SSS_PAM_CHAUTHTOK:
- sss_authtok_copy(auth_data, &pd->authtok,
- &auth_data->authtok);
+ sss_authtok_copy(pd->authtok, auth_data->authtok);
if (pd->priv != 1) {
pam_status = pam_authenticate(pamh, 0);
auth_data->sent_old = false;
if (pam_status != PAM_SUCCESS) break;
}
- sss_authtok_copy(auth_data, &pd->newauthtok,
- &auth_data->newauthtok);
+ sss_authtok_copy(pd->newauthtok, auth_data->newauthtok);
pam_status = pam_chauthtok(pamh, 0);
break;
case SSS_PAM_CHAUTHTOK_PRELIM:
if (pd->priv != 1) {
- sss_authtok_copy(auth_data, &pd->authtok,
- &auth_data->authtok);
+ sss_authtok_copy(pd->authtok, auth_data->authtok);
pam_status = pam_authenticate(pamh, 0);
} else {
pam_status = PAM_SUCCESS;
diff --git a/src/responder/pam/pam_LOCAL_domain.c b/src/responder/pam/pam_LOCAL_domain.c
index 72ea61e8..4aec3e4d 100644
--- a/src/responder/pam/pam_LOCAL_domain.c
+++ b/src/responder/pam/pam_LOCAL_domain.c
@@ -164,7 +164,7 @@ static void do_pam_chauthtok(struct LOCAL_request *lreq)
pd = lreq->preq->pd;
- ret = sss_authtok_get_password(&pd->newauthtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->newauthtok, &password, NULL);
if (ret) {
/* TODO: should we allow null passwords via a config option ? */
if (ret == ENOENT) {
@@ -204,7 +204,7 @@ static void do_pam_chauthtok(struct LOCAL_request *lreq)
lreq->error, ret, done);
done:
- sss_authtok_set_empty(&pd->newauthtok);
+ sss_authtok_set_empty(pd->newauthtok);
}
int LOCAL_pam_handler(struct pam_auth_req *preq)
@@ -288,7 +288,7 @@ int LOCAL_pam_handler(struct pam_auth_req *preq)
DEBUG(4, ("allowing root to reset a password.\n"));
break;
}
- ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
NEQ_CHECK_OR_JUMP(ret, EOK, ("Failed to get password.\n"),
lreq->error, ret, done);
@@ -336,8 +336,8 @@ int LOCAL_pam_handler(struct pam_auth_req *preq)
}
done:
- sss_authtok_set_empty(&pd->newauthtok);
- sss_authtok_set_empty(&pd->authtok);
+ sss_authtok_set_empty(pd->newauthtok);
+ sss_authtok_set_empty(pd->authtok);
prepare_reply(lreq);
return EOK;
}
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index fa6cf23c..e6300a75 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -65,8 +65,7 @@ static int extract_authtok_v2(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok,
sss_authtok_set_empty(tok);
break;
case SSS_AUTHTOK_TYPE_PASSWORD:
- ret = sss_authtok_set_password(mem_ctx, tok,
- (const char *)auth_token_data,
+ ret = sss_authtok_set_password(tok, (const char *)auth_token_data,
auth_token_length);
break;
default:
@@ -197,12 +196,12 @@ static int pam_parse_in_data_v2(struct sss_domain_info *domains,
if (ret != EOK) return ret;
break;
case SSS_PAM_ITEM_AUTHTOK:
- ret = extract_authtok_v2(pd, &pd->authtok,
+ ret = extract_authtok_v2(pd, pd->authtok,
size, body, blen, &c);
if (ret != EOK) return ret;
break;
case SSS_PAM_ITEM_NEWAUTHTOK:
- ret = extract_authtok_v2(pd, &pd->newauthtok,
+ ret = extract_authtok_v2(pd, pd->newauthtok,
size, body, blen, &c);
if (ret != EOK) return ret;
break;
@@ -260,8 +259,7 @@ static int extract_authtok_v1(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok,
sss_authtok_set_empty(tok);
break;
case SSS_AUTHTOK_TYPE_PASSWORD:
- ret = sss_authtok_set_password(mem_ctx, tok,
- (const char *)auth_token_data,
+ ret = sss_authtok_set_password(tok, (const char *)auth_token_data,
auth_token_length);
break;
default:
@@ -310,12 +308,12 @@ static int pam_parse_in_data(struct sss_domain_info *domains,
if (body[end++] != '\0') return EINVAL;
pd->rhost = (char *) &body[start];
- ret = extract_authtok_v1(pd, &pd->authtok, body, blen, &end);
+ ret = extract_authtok_v1(pd, pd->authtok, body, blen, &end);
if (ret) {
DEBUG(1, ("Invalid auth token\n"));
return ret;
}
- ret = extract_authtok_v1(pd, &pd->newauthtok, body, blen, &end);
+ ret = extract_authtok_v1(pd, pd->newauthtok, body, blen, &end);
if (ret) {
DEBUG(1, ("Invalid new auth token\n"));
return ret;
@@ -489,7 +487,7 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
- ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
if (ret) {
DEBUG(0, ("Failed to get password.\n"));
goto done;
diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c
index 302cf3c8..423f8bb8 100644
--- a/src/tests/krb5_child-test.c
+++ b/src/tests/krb5_child-test.c
@@ -176,10 +176,10 @@ create_dummy_pam_data(TALLOC_CTX *mem_ctx, const char *user,
pd->user = talloc_strdup(pd, user);
if (!pd->user) goto fail;
- ret = sss_authtok_set_password(pd, &pd->authtok, password, 0);
+ ret = sss_authtok_set_password(pd->authtok, password, 0);
if (ret) goto fail;
- (void)sss_authtok_get_password(&pd->authtok, &authtok, &authtok_len);
+ (void)sss_authtok_get_password(pd->authtok, &authtok, &authtok_len);
DEBUG(SSSDBG_FUNC_DATA, ("Authtok [%s] len [%d]\n",
authtok, (int)authtok_len));
diff --git a/src/util/authtok.c b/src/util/authtok.c
index 1c54d04c..83e6a1c9 100644
--- a/src/util/authtok.c
+++ b/src/util/authtok.c
@@ -19,6 +19,12 @@
#include "authtok.h"
+struct sss_auth_token {
+ enum sss_authtok_type type;
+ uint8_t *data;
+ size_t length;
+};
+
enum sss_authtok_type sss_authtok_get_type(struct sss_auth_token *tok)
{
return tok->type;
@@ -80,8 +86,7 @@ errno_t sss_authtok_get_ccfile(struct sss_auth_token *tok,
return EINVAL;
}
-static errno_t sss_authtok_set_string(TALLOC_CTX *mem_ctx,
- struct sss_auth_token *tok,
+static errno_t sss_authtok_set_string(struct sss_auth_token *tok,
enum sss_authtok_type type,
const char *context_name,
const char *str, size_t len)
@@ -101,7 +106,7 @@ static errno_t sss_authtok_set_string(TALLOC_CTX *mem_ctx,
size = len + 1;
- tok->data = talloc_named(mem_ctx, size, "%s", context_name);
+ tok->data = talloc_named(tok, size, "%s", context_name);
if (!tok->data) {
return ENOMEM;
}
@@ -131,38 +136,33 @@ void sss_authtok_set_empty(struct sss_auth_token *tok)
tok->length = 0;
}
-errno_t sss_authtok_set_password(TALLOC_CTX *mem_ctx,
- struct sss_auth_token *tok,
+errno_t sss_authtok_set_password(struct sss_auth_token *tok,
const char *password, size_t len)
{
sss_authtok_set_empty(tok);
- return sss_authtok_set_string(mem_ctx, tok,
- SSS_AUTHTOK_TYPE_PASSWORD,
+ return sss_authtok_set_string(tok, SSS_AUTHTOK_TYPE_PASSWORD,
"password", password, len);
}
-errno_t sss_authtok_set_ccfile(TALLOC_CTX *mem_ctx,
- struct sss_auth_token *tok,
+errno_t sss_authtok_set_ccfile(struct sss_auth_token *tok,
const char *ccfile, size_t len)
{
sss_authtok_set_empty(tok);
- return sss_authtok_set_string(mem_ctx, tok,
- SSS_AUTHTOK_TYPE_CCFILE,
+ return sss_authtok_set_string(tok, SSS_AUTHTOK_TYPE_CCFILE,
"ccfile", ccfile, len);
}
-errno_t sss_authtok_set(TALLOC_CTX *mem_ctx,
- struct sss_auth_token *tok,
+errno_t sss_authtok_set(struct sss_auth_token *tok,
enum sss_authtok_type type,
uint8_t *data, size_t len)
{
switch (type) {
case SSS_AUTHTOK_TYPE_PASSWORD:
- return sss_authtok_set_password(mem_ctx, tok, (const char *)data, len);
+ return sss_authtok_set_password(tok, (const char *)data, len);
case SSS_AUTHTOK_TYPE_CCFILE:
- return sss_authtok_set_ccfile(mem_ctx, tok, (const char *)data, len);
+ return sss_authtok_set_ccfile(tok, (const char *)data, len);
case SSS_AUTHTOK_TYPE_EMPTY:
sss_authtok_set_empty(tok);
return EOK;
@@ -171,8 +171,7 @@ errno_t sss_authtok_set(TALLOC_CTX *mem_ctx,
return EINVAL;
}
-errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx,
- struct sss_auth_token *src,
+errno_t sss_authtok_copy(struct sss_auth_token *src,
struct sss_auth_token *dst)
{
sss_authtok_set_empty(dst);
@@ -181,7 +180,7 @@ errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx,
return EOK;
}
- dst->data = talloc_memdup(mem_ctx, src->data, src->length);
+ dst->data = talloc_memdup(dst, src->data, src->length);
if (!dst->data) {
return ENOMEM;
}
@@ -191,6 +190,19 @@ errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx,
return EOK;
}
+struct sss_auth_token *sss_authtok_new(TALLOC_CTX *mem_ctx)
+{
+ struct sss_auth_token *token;
+
+ token = talloc_zero(mem_ctx, struct sss_auth_token);
+ if (token == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n"));
+ }
+
+ return token;
+}
+
+
void sss_authtok_wipe_password(struct sss_auth_token *tok)
{
if (tok->type != SSS_AUTHTOK_TYPE_PASSWORD) {
diff --git a/src/util/authtok.h b/src/util/authtok.h
index 21cfe4a1..8f327d4c 100644
--- a/src/util/authtok.h
+++ b/src/util/authtok.h
@@ -23,15 +23,9 @@
#include "util/util.h"
#include "sss_client/sss_cli.h"
-/* Auth token structure,
- * please never use directly.
- * Use sss_authtok_* accesor functions instead
+/* Use sss_authtok_* accesor functions instead of struct sss_auth_token
*/
-struct sss_auth_token {
- enum sss_authtok_type type;
- uint8_t *data;
- size_t length;
-};
+struct sss_auth_token;
/**
* @brief Returns the token type
@@ -79,8 +73,8 @@ errno_t sss_authtok_get_password(struct sss_auth_token *tok,
/**
* @brief Set a password into a an auth token, replacing any previous data
*
- * @param mem_ctx A memory context use to allocate the internal data
- * @param tok A pointer to a sss_auth_token structure to change
+ * @param tok A pointer to a sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
* @param password A string
* @param len The length of the string or, if 0 is passed,
* then strlen(password) will be used internally.
@@ -88,8 +82,7 @@ errno_t sss_authtok_get_password(struct sss_auth_token *tok,
* @return EOK on success
* ENOMEM on error
*/
-errno_t sss_authtok_set_password(TALLOC_CTX *mem_ctx,
- struct sss_auth_token *tok,
+errno_t sss_authtok_set_password(struct sss_auth_token *tok,
const char *password, size_t len);
/**
@@ -98,7 +91,7 @@ errno_t sss_authtok_set_password(TALLOC_CTX *mem_ctx,
*
* @param tok A pointer to an sss_auth_token
* @param ccfile A pointer to a const char *, that will point to a null
- * terminated string
+ * terminated string, also used as a memory context use to allocate the internal data
* @param len The length of the string
*
* @return EOK on success
@@ -111,16 +104,15 @@ errno_t sss_authtok_get_ccfile(struct sss_auth_token *tok,
/**
* @brief Set a cc file name into a an auth token, replacing any previous data
*
- * @param mem_ctx A memory context use to allocate the internal data
- * @param tok A pointer to a sss_auth_token structure to change
+ * @param tok A pointer to a sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
* @param ccfile A null terminated string
* @param len The length of the string
*
* @return EOK on success
* ENOMEM on error
*/
-errno_t sss_authtok_set_ccfile(TALLOC_CTX *mem_ctx,
- struct sss_auth_token *tok,
+errno_t sss_authtok_set_ccfile(struct sss_auth_token *tok,
const char *ccfile, size_t len);
/**
@@ -136,8 +128,8 @@ void sss_authtok_set_empty(struct sss_auth_token *tok);
/**
* @brief Set an auth token by type, replacing any previous data
*
- * @param mem_ctx A memory context use to allocate the internal data
- * @param tok A pointer to a sss_auth_token structure to change
+ * @param tok A pointer to a sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
* @param type A valid authtok type
* @param ccfile A data pointer
* @param len The length of the data
@@ -145,23 +137,21 @@ void sss_authtok_set_empty(struct sss_auth_token *tok);
* @return EOK on success
* ENOMEM or EINVAL on error
*/
-errno_t sss_authtok_set(TALLOC_CTX *mem_ctx,
- struct sss_auth_token *tok,
+errno_t sss_authtok_set(struct sss_auth_token *tok,
enum sss_authtok_type type,
uint8_t *data, size_t len);
/**
* @brief Copy an auth token from source to destination
*
- * @param mem_ctx The memory context to use for allocations on dst
* @param src The source auth token
- * @param dst The destination auth token
+ * @param dst The destination auth token, also used as a memory context
+ * to allocate dst internal data.
*
* @return EOK on success
* ENOMEM on error
*/
-errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx,
- struct sss_auth_token *src,
+errno_t sss_authtok_copy(struct sss_auth_token *src,
struct sss_auth_token *dst);
/**
@@ -177,4 +167,16 @@ errno_t sss_authtok_copy(TALLOC_CTX *mem_ctx,
*/
void sss_authtok_wipe_password(struct sss_auth_token *tok);
+/**
+ * @brief Create new empty struct sss_auth_token.
+ *
+ * @param mem_ctx A memory context use to allocate the internal data
+ * @return A pointer to new empty struct sss_auth_token
+ * NULL in case of failure
+ *
+ * NOTE: This function is the only way, how to create new empty
+ * struct sss_auth_token.
+ */
+struct sss_auth_token *sss_authtok_new(TALLOC_CTX *mem_ctx);
+
#endif /* __AUTHTOK_H__ */