gitignore *.a

[pam_pcsc_cr.git] / pam_pcsc_cr.c

diff --git a/pam_pcsc_cr.c b/pam_pcsc_cr.c
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..13a92e048253ef6abf5f4bfccbd8a46df3acba41 100644 (file)
--- a/pam_pcsc_cr.c
+++ b/pam_pcsc_cr.c
@@ -0,0 +1,193 @@
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <syslog.h>
+#include "authobj.h"
+#include "authfile.h"
+#include "pcsc_cr.h"
+
+#ifndef PIC
+# define PAM_STATIC
+#endif
+
+#define PAM_SM_AUTH
+
+#ifdef HAVE_SECURITY_PAM_APPL_H
+# include <security/pam_appl.h>
+#endif
+#ifdef HAVE_SECURITY_PAM_MODULES_H
+# include <security/pam_modules.h>
+#endif
+
+#ifndef PAM_EXTERN
+# ifdef PAM_STATIC
+#  define PAM_EXTERN static
+# else
+#  define PAM_EXTERN extern
+# endif
+#endif
+
+static struct _auth_chunk
+token_key(const unsigned char *challenge, const int challengesize)
+{
+       struct _auth_chunk ho = {0};
+       long rc;
+       int keysize = sizeof(ho.data);
+
+       if ((rc = pcsc_cr(challenge, challengesize, ho.data, &keysize))) {
+               ho.err = pcsc_errstr(rc);
+       }
+       return ho;
+}
+
+static void update_nonce(char *nonce, const int nonsize)
+{
+       int n = 0;
+
+       sscanf(nonce, "%d", &n);
+       snprintf(nonce, nonsize, "%d", n+1);
+}
+
+struct _cfg {
+       int noaskpass;
+       int verbose;
+};
+
+void parse_cfg(struct _cfg * const cfg, int argc, const char *argv[])
+{
+       int i;
+
+       for (i = 0; i < argc; i++) {
+               if (strchr(argv[i],':') && strchr(argv[i],'='))
+                       pcsc_option(argv[i]);
+               else if (!strcmp(argv[i], "verbose")) cfg->verbose = 1;
+               else if (!strcmp(argv[i], "noaskpass")) cfg->noaskpass = 1;
+       }
+}
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+       int argc, const char *argv[])
+{
+       struct _cfg cfg = {0};
+       const char *tokenid = NULL;
+       const char *user;
+       const char *password;
+       struct _auth_obj ao;
+       int pam_err;
+
+       parse_cfg(&cfg, argc, argv);
+
+       if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
+               if (cfg.verbose) syslog(LOG_ERR, "get_user failed: %s",
+                                       pam_strerror(pamh, pam_err));
+               return (pam_err);
+       }
+       if (strspn(user, "0123456789") == strlen(user)) {
+               tokenid = user;
+               user = NULL;
+       }
+
+       if (!cfg.noaskpass) {
+#ifdef _OPENPAM
+               pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
+                                       (const char **)&password, NULL);
+#else
+               struct pam_conv *conv;
+               struct pam_message msg;
+               const struct pam_message *msgp;
+               struct pam_response *resp;
+
+               if ((pam_err = pam_get_item(pamh, PAM_CONV,
+                                       (const void **)&conv))) {
+                       if (cfg.verbose) syslog(LOG_ERR,
+                                       "get_item failed: %s",
+                                       pam_strerror(pamh, pam_err));
+                       return pam_err;
+               }
+               msg.msg_style = PAM_PROMPT_ECHO_OFF;
+               msg.msg = "Token password:";
+               msgp = &msg;
+               resp = NULL;
+               pam_err =  (*conv->conv)(1, &msgp, &resp, conv->appdata_ptr);
+               if (resp != NULL) {
+                       if (pam_err == PAM_SUCCESS) password = resp->resp;
+                       else free(resp->resp);
+                       free(resp);
+               }
+#endif
+               if (pam_err) return pam_err;
+       } else {
+               password = "";
+       }
+
+       ao = authfile(tokenid, user, password, update_nonce,
+                       NULL, 0, NULL, 0, token_key);
+       if (ao.err) {
+               if (cfg.verbose) syslog(LOG_INFO, "authfile: %s", ao.err);
+               return PAM_AUTH_ERR;
+       } else {
+               if (!user)
+                       pam_set_item(pamh, PAM_USER, ao.data);
+               if (ao.payload && ao.payload[0])
+                       pam_set_item(pamh, PAM_AUTHTOK, ao.payload);
+               return PAM_SUCCESS;
+       }
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags,
+       int argc, const char *argv[])
+{
+       return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+       int argc, const char *argv[])
+{
+       return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags,
+       int argc, const char *argv[])
+{
+       return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh, int flags,
+       int argc, const char *argv[])
+{
+       return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_chauthtok(pam_handle_t *pamh, int flags,
+       int argc, const char *argv[])
+{
+       return PAM_SERVICE_ERR;
+}
+
+#ifdef PAM_MODULE_ENTRY
+PAM_MODULE_ENTRY("pam_unix");
+#endif
+
+#ifdef PAM_STATIC
+struct pam_module _pam_pcsc_cr_modstruct = {
+       "pam_pcsc_cr",
+       pam_sm_authenticate,
+       pam_sm_setcred,
+       pam_sm_acct_mgmt,
+       pam_sm_open_session,
+       pam_sm_close_session,
+       pam_sm_chauthtok
+};
+#endif