You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
381 lines
12 KiB
381 lines
12 KiB
diff --git a/src/ckpass.c b/src/ckpass.c
|
|
index 1da83c6..f3a14d0 100644
|
|
--- a/src/ckpass.c
|
|
+++ b/src/ckpass.c
|
|
@@ -8,6 +8,8 @@
|
|
** or PAM.
|
|
*/
|
|
|
|
+extern x_malloc(size_t size, const char *file, int line);
|
|
+
|
|
/* Used for unused parameters to silence gcc warnings. */
|
|
#define UNUSED __attribute__((__unused__))
|
|
|
|
@@ -46,7 +48,7 @@
|
|
number information for debugging error messages without the user having to
|
|
pass those in every time. */
|
|
#define xcalloc(n, size) x_calloc((n), (size), __FILE__, __LINE__)
|
|
-#define xmalloc(size) x_malloc((size), __FILE__, __LINE__)
|
|
+#define smartcardauth_xmalloc(size) x_malloc((size), __FILE__, __LINE__)
|
|
#define xrealloc(p, size) x_realloc((p), (size), __FILE__, __LINE__)
|
|
#define xstrdup(p) x_strdup((p), __FILE__, __LINE__)
|
|
#define xstrndup(p, size) x_strndup((p), (size), __FILE__, __LINE__)
|
|
@@ -71,7 +73,7 @@ struct auth_info {
|
|
** This function allocates an array of struct pam_response to return to the
|
|
** PAM libraries that's never freed. For this program, this isn't much of an
|
|
** issue, since it will likely only be called once and then the program will
|
|
-** exit. This function uses malloc and strdup instead of xmalloc and xstrdup
|
|
+** exit. This function uses malloc and strdup instead of smartcardauth_xmalloc and xstrdup
|
|
** intentionally so that the PAM conversation will be closed cleanly if we
|
|
** run out of memory rather than simply terminated.
|
|
**
|
|
@@ -82,8 +84,9 @@ static int pass_conv(int num_msg, const struct pam_message **msgm UNUSED, struct
|
|
int i;
|
|
|
|
*response = malloc(num_msg * sizeof(struct pam_response));
|
|
- if (*response == NULL)
|
|
+ if (*response == NULL) {
|
|
return PAM_CONV_ERR;
|
|
+ }
|
|
for (i = 0; i < num_msg; i++) {
|
|
(*response)[i].resp = strdup((char *)appdata_ptr);
|
|
(*response)[i].resp_retcode = 0;
|
|
@@ -115,17 +118,21 @@ static bool auth_pam(const char *username, char *password)
|
|
conv.conv = pass_conv;
|
|
conv.appdata_ptr = password;
|
|
status = pam_start("nnrpd", username, &conv, &pamh);
|
|
- if (status != PAM_SUCCESS)
|
|
+ if (status != PAM_SUCCESS) {
|
|
die("pam_start failed: %s", pam_strerror(pamh, status));
|
|
+ }
|
|
status = pam_authenticate(pamh, PAM_SILENT);
|
|
- if (status != PAM_SUCCESS)
|
|
+ if (status != PAM_SUCCESS) {
|
|
die("pam_authenticate failed: %s", pam_strerror(pamh, status));
|
|
+ }
|
|
status = pam_acct_mgmt(pamh, PAM_SILENT);
|
|
- if (status != PAM_SUCCESS)
|
|
+ if (status != PAM_SUCCESS) {
|
|
die("pam_acct_mgmt failed: %s", pam_strerror(pamh, status));
|
|
+ }
|
|
status = pam_end(pamh, status);
|
|
- if (status != PAM_SUCCESS)
|
|
+ if (status != PAM_SUCCESS) {
|
|
die("pam_end failed: %s", pam_strerror(pamh, status));
|
|
+ }
|
|
|
|
/* If we get to here, the user successfully authenticated. */
|
|
return true;
|
|
@@ -153,8 +160,9 @@ password_dbm(char *name, const char *file)
|
|
char *password;
|
|
|
|
database = dbm_open(file, O_RDONLY, 0600);
|
|
- if (database == NULL)
|
|
+ if (database == NULL) {
|
|
return NULL;
|
|
+ }
|
|
key.dptr = name;
|
|
key.dsize = strlen(name);
|
|
value = dbm_fetch(database, key);
|
|
@@ -162,7 +170,7 @@ password_dbm(char *name, const char *file)
|
|
dbm_close(database);
|
|
return NULL;
|
|
}
|
|
- password = xmalloc(value.dsize + 1);
|
|
+ password = smartcardauth_xmalloc(value.dsize + 1);
|
|
strlcpy(password, value.dptr, value.dsize + 1);
|
|
dbm_close(database);
|
|
return password;
|
|
@@ -188,8 +196,10 @@ password_shadow(const char *user)
|
|
struct spwd *spwd;
|
|
|
|
spwd = getspnam(user);
|
|
- if (spwd != NULL)
|
|
- return xstrdup(spwd->sp_pwdp);
|
|
+ if (spwd != NULL) {
|
|
+ char* ret = xstrdup(spwd->sp_pwdp);
|
|
+ return ret;
|
|
+ }
|
|
return NULL;
|
|
}
|
|
#endif /* HAVE_GETSPNAM */
|
|
@@ -206,8 +216,10 @@ password_system(const char *username)
|
|
struct passwd *pwd;
|
|
|
|
pwd = getpwnam(username);
|
|
- if (pwd != NULL)
|
|
- return xstrdup(pwd->pw_passwd);
|
|
+ if (pwd != NULL) {
|
|
+ char* ret = xstrdup(pwd->pw_passwd);
|
|
+ return ret;
|
|
+ }
|
|
return NULL;
|
|
}
|
|
|
|
@@ -225,12 +237,15 @@ group_system(const char *username)
|
|
struct group *gr;
|
|
|
|
pwd = getpwnam(username);
|
|
- if (pwd == NULL)
|
|
+ if (pwd == NULL) {
|
|
return NULL;
|
|
+ }
|
|
gr = getgrgid(pwd->pw_gid);
|
|
- if (gr == NULL)
|
|
+ if (gr == NULL) {
|
|
return NULL;
|
|
- return xstrdup(gr->gr_name);
|
|
+ }
|
|
+ char* ret = xstrdup(gr->gr_name);
|
|
+ return ret;
|
|
}
|
|
|
|
|
|
@@ -242,12 +257,13 @@ output_user(const char *username, bool wantgroup)
|
|
{
|
|
if (wantgroup) {
|
|
char *group = group_system(username);
|
|
- if (group == NULL)
|
|
+ if (group == NULL) {
|
|
die("group info for user %s not available", username);
|
|
+ }
|
|
printf("User:%s@%s\n", username, group);
|
|
- }
|
|
- else
|
|
+ } else {
|
|
printf("User:%s\n", username);
|
|
+ }
|
|
}
|
|
|
|
|
|
@@ -264,7 +280,7 @@ check_password(const char* username, const char* password)
|
|
bool wantgroup = false;
|
|
struct auth_info *authinfo = NULL;
|
|
|
|
- authinfo = xmalloc(sizeof(struct auth_info));
|
|
+ authinfo = smartcardauth_xmalloc(sizeof(struct auth_info));
|
|
authinfo->username = username;
|
|
authinfo->password = password;
|
|
|
|
@@ -273,12 +289,14 @@ check_password(const char* username, const char* password)
|
|
return 0;
|
|
}
|
|
password = password_system(authinfo->username);
|
|
- if (password == NULL)
|
|
+ if (password == NULL) {
|
|
return 1;
|
|
- if (strcmp(password, crypt(authinfo->password, password)) != 0)
|
|
+ }
|
|
+ if (strcmp(password, crypt(authinfo->password, password)) != 0) {
|
|
return 1;
|
|
+ }
|
|
|
|
/* The password matched. */
|
|
output_user(authinfo->username, wantgroup);
|
|
return 0;
|
|
-}
|
|
\ No newline at end of file
|
|
+}
|
|
diff --git a/src/ckpasswd.c b/src/ckpasswd.c
|
|
index 9dbdbcf..a0faa15 100644
|
|
--- a/src/ckpasswd.c
|
|
+++ b/src/ckpasswd.c
|
|
@@ -83,8 +83,9 @@ static int pass_conv(int num_msg, const struct pam_message **msgm UNUSED, struct
|
|
int i;
|
|
|
|
*response = malloc(num_msg * sizeof(struct pam_response));
|
|
- if (*response == NULL)
|
|
+ if (*response == NULL) {
|
|
return PAM_CONV_ERR;
|
|
+ }
|
|
for (i = 0; i < num_msg; i++) {
|
|
(*response)[i].resp = strdup((char *)appdata_ptr);
|
|
(*response)[i].resp_retcode = 0;
|
|
@@ -116,17 +117,21 @@ static bool auth_pam(const char *username, char *password)
|
|
conv.conv = pass_conv;
|
|
conv.appdata_ptr = password;
|
|
status = pam_start("nnrpd", username, &conv, &pamh);
|
|
- if (status != PAM_SUCCESS)
|
|
+ if (status != PAM_SUCCESS) {
|
|
die("pam_start failed: %s", pam_strerror(pamh, status));
|
|
+ }
|
|
status = pam_authenticate(pamh, PAM_SILENT);
|
|
- if (status != PAM_SUCCESS)
|
|
+ if (status != PAM_SUCCESS) {
|
|
die("pam_authenticate failed: %s", pam_strerror(pamh, status));
|
|
+ }
|
|
status = pam_acct_mgmt(pamh, PAM_SILENT);
|
|
- if (status != PAM_SUCCESS)
|
|
+ if (status != PAM_SUCCESS) {
|
|
die("pam_acct_mgmt failed: %s", pam_strerror(pamh, status));
|
|
+ }
|
|
status = pam_end(pamh, status);
|
|
- if (status != PAM_SUCCESS)
|
|
+ if (status != PAM_SUCCESS) {
|
|
die("pam_end failed: %s", pam_strerror(pamh, status));
|
|
+ }
|
|
|
|
/* If we get to here, the user successfully authenticated. */
|
|
return true;
|
|
@@ -154,8 +159,9 @@ password_dbm(char *name, const char *file)
|
|
char *password;
|
|
|
|
database = dbm_open(file, O_RDONLY, 0600);
|
|
- if (database == NULL)
|
|
+ if (database == NULL) {
|
|
return NULL;
|
|
+ }
|
|
key.dptr = name;
|
|
key.dsize = strlen(name);
|
|
value = dbm_fetch(database, key);
|
|
@@ -189,8 +195,10 @@ password_shadow(const char *user)
|
|
struct spwd *spwd;
|
|
|
|
spwd = getspnam(user);
|
|
- if (spwd != NULL)
|
|
- return xstrdup(spwd->sp_pwdp);
|
|
+ if (spwd != NULL) {
|
|
+ char* ret = xstrdup(spwd->sp_pwdp);
|
|
+ return ret;
|
|
+ }
|
|
return NULL;
|
|
}
|
|
#endif /* HAVE_GETSPNAM */
|
|
@@ -207,8 +215,10 @@ password_system(const char *username)
|
|
struct passwd *pwd;
|
|
|
|
pwd = getpwnam(username);
|
|
- if (pwd != NULL)
|
|
- return xstrdup(pwd->pw_passwd);
|
|
+ if (pwd != NULL) {
|
|
+ char* ret = xstrdup(pwd->pw_passwd);
|
|
+ return ret;
|
|
+ }
|
|
return NULL;
|
|
}
|
|
|
|
@@ -226,12 +236,15 @@ group_system(const char *username)
|
|
struct group *gr;
|
|
|
|
pwd = getpwnam(username);
|
|
- if (pwd == NULL)
|
|
+ if (pwd == NULL) {
|
|
return NULL;
|
|
+ }
|
|
gr = getgrgid(pwd->pw_gid);
|
|
- if (gr == NULL)
|
|
+ if (gr == NULL) {
|
|
return NULL;
|
|
- return xstrdup(gr->gr_name);
|
|
+ }
|
|
+ char* ret = xstrdup(gr->gr_name);
|
|
+ return ret;
|
|
}
|
|
|
|
|
|
@@ -243,12 +256,13 @@ output_user(const char *username, bool wantgroup)
|
|
{
|
|
if (wantgroup) {
|
|
char *group = group_system(username);
|
|
- if (group == NULL)
|
|
+ if (group == NULL) {
|
|
die("group info for user %s not available", username);
|
|
+ }
|
|
printf("User:%s@%s\n", username, group);
|
|
- }
|
|
- else
|
|
+ } else {
|
|
printf("User:%s\n", username);
|
|
+ }
|
|
}
|
|
|
|
|
|
@@ -276,29 +290,35 @@ main(int argc, char *argv[])
|
|
while ((opt = getopt(argc, argv, "gf:u:p:" OPT_DBM OPT_SHADOW)) != -1) {
|
|
switch (opt) {
|
|
case 'g':
|
|
- if (type == AUTH_DBM || type == AUTH_FILE)
|
|
+ if (type == AUTH_DBM || type == AUTH_FILE) {
|
|
die("-g option is incompatible with -d or -f");
|
|
+ }
|
|
wantgroup = true;
|
|
break;
|
|
case 'd':
|
|
- if (type != AUTH_NONE)
|
|
+ if (type != AUTH_NONE) {
|
|
die("only one of -s, -f, or -d allowed");
|
|
- if (wantgroup)
|
|
+ }
|
|
+ if (wantgroup) {
|
|
die("-g option is incompatible with -d or -f");
|
|
+ }
|
|
type = AUTH_DBM;
|
|
filename = optarg;
|
|
break;
|
|
case 'f':
|
|
- if (type != AUTH_NONE)
|
|
+ if (type != AUTH_NONE) {
|
|
die("only one of -s, -f, or -d allowed");
|
|
- if (wantgroup)
|
|
+ }
|
|
+ if (wantgroup) {
|
|
die("-g option is incompatible with -d or -f");
|
|
+ }
|
|
type = AUTH_FILE;
|
|
filename = optarg;
|
|
break;
|
|
case 's':
|
|
- if (type != AUTH_NONE)
|
|
+ if (type != AUTH_NONE) {
|
|
die("only one of -s, -f, or -d allowed");
|
|
+ }
|
|
type = AUTH_SHADOW;
|
|
break;
|
|
case 'u':
|
|
@@ -319,12 +339,15 @@ main(int argc, char *argv[])
|
|
exit(1);
|
|
}
|
|
}
|
|
- if (argc != optind)
|
|
- die("extra arguments given");
|
|
- if (authinfo != NULL && authinfo->username == NULL)
|
|
+ if (argc != optind) {
|
|
+ die("extra arguments given");
|
|
+ }
|
|
+ if (authinfo != NULL && authinfo->username == NULL) {
|
|
die("-u option is required if -p option is given");
|
|
- if (authinfo != NULL && authinfo->password == NULL)
|
|
+ }
|
|
+ if (authinfo != NULL && authinfo->password == NULL) {
|
|
die("-p option is required if -u option is given");
|
|
+ }
|
|
|
|
// /* Unless a username or password was given on the command line, assume
|
|
// we're being run by nnrpd. */
|
|
@@ -339,8 +362,9 @@ main(int argc, char *argv[])
|
|
switch (type) {
|
|
case AUTH_SHADOW:
|
|
password = password_shadow(authinfo->username);
|
|
- if (password == NULL)
|
|
+ if (password == NULL) {
|
|
password = password_system(authinfo->username);
|
|
+ }
|
|
break;
|
|
// case AUTH_FILE:
|
|
// password = password_file(authinfo->username, filename);
|
|
@@ -357,10 +381,12 @@ main(int argc, char *argv[])
|
|
break;
|
|
}
|
|
|
|
- if (password == NULL)
|
|
+ if (password == NULL) {
|
|
die("user %s unknown", authinfo->username);
|
|
- if (strcmp(password, crypt(authinfo->password, password)) != 0)
|
|
+ }
|
|
+ if (strcmp(password, crypt(authinfo->password, password)) != 0) {
|
|
die("invalid password for user %s", authinfo->username);
|
|
+ }
|
|
|
|
/* The password matched. */
|
|
output_user(authinfo->username, wantgroup);
|