bump version
index a43bd35d6460e562c60e866d7c251f08506364e7..f729fad4a89b15110665620bb0bc2a44e2c473fb 100644 (file)
@@ -47,6 +47,9 @@ freely, subject to the following restrictions:
 #ifdef HAVE_SECURITY_PAM_MODULES_H
 # include <security/pam_modules.h>
 #endif
 #ifdef HAVE_SECURITY_PAM_MODULES_H
 # include <security/pam_modules.h>
 #endif
+#ifdef HAVE_SECURITY_PAM_EXT_H
+# include <security/pam_ext.h>
+#endif
 
 #ifndef PAM_EXTERN
 # ifdef PAM_STATIC
 
 #ifndef PAM_EXTERN
 # ifdef PAM_STATIC
@@ -56,6 +59,56 @@ freely, subject to the following restrictions:
 # endif
 #endif
 
 # endif
 #endif
 
+struct _cfg {
+       int noaskpass;
+       int verbose;
+       int injectauth;
+};
+
+#ifndef HAVE_PAM_GET_AUTHTOK
+static int pam_get_authtok(pam_handle_t *pamh, int item, const char **authtok,
+                       const char *prompt)
+{
+       struct _cfg dfl_cfg = {0};
+       struct _cfg *cfg = &dfl_cfg;
+       struct pam_conv *conv;
+       struct pam_message msg;
+       const struct pam_message *msgp;
+       struct pam_response *resp;
+       int pam_err;
+
+       (void)pam_get_data(pamh, "pcsc_cr_cfg_struct", (const void **)&cfg);
+
+       if ((pam_err = pam_get_item(pamh, PAM_AUTHTOK,
+                                       (const void **)authtok))) {
+               if (cfg->verbose) syslog(LOG_ERR,
+                                       "get_item(PAM_AUTHTOK) failed: %s",
+                                       pam_strerror(pamh, pam_err));
+       } else {
+               if (*authtok) return PAM_SUCCESS;
+       }
+
+       if ((pam_err = pam_get_item(pamh, PAM_CONV,
+                               (const void **)&conv))) {
+               if (cfg->verbose) syslog(LOG_ERR,
+                               "get_item(PAM_CONV) failed: %s",
+                               pam_strerror(pamh, pam_err));
+               return pam_err;
+       }
+       msg.msg_style = PAM_PROMPT_ECHO_OFF;
+       msg.msg = prompt;
+       msgp = &msg;
+       resp = NULL;
+       pam_err =  (*conv->conv)(1, &msgp, &resp, conv->appdata_ptr);
+       if (resp != NULL) {
+               if (pam_err == PAM_SUCCESS) *authtok = resp->resp;
+               else free(resp->resp);
+               free(resp);
+       }
+       return pam_err;
+}
+#endif
+
 static struct _auth_chunk
 token_key(const unsigned char *challenge, const int challengesize)
 {
 static struct _auth_chunk
 token_key(const unsigned char *challenge, const int challengesize)
 {
@@ -77,25 +130,24 @@ static void update_nonce(char *nonce, const int nonsize)
        snprintf(nonce, nonsize, "%d", n+1);
 }
 
        snprintf(nonce, nonsize, "%d", n+1);
 }
 
-struct _cfg {
-       int noaskpass;
-       int verbose;
-       int injectauth;
-};
-
 void parse_cfg(struct _cfg * const cfg, int argc, const char *argv[])
 {
        int i;
 
        for (i = 0; i < argc; i++) {
 void parse_cfg(struct _cfg * const cfg, int argc, const char *argv[])
 {
        int i;
 
        for (i = 0; i < argc; i++) {
-               if (cfg->verbose) syslog(LOG_DEBUG, "arg: \"%s\"", argv[i]);
-               if (strchr(argv[i],':') && strchr(argv[i],'='))
-                       pcsc_option(argv[i]);
-               else if (!strcmp(argv[i], "verbose")) cfg->verbose = 1;
+               if (strchr(argv[i],':') && strchr(argv[i],'=')) {
+                       if (pcsc_option(argv[i]))
+                               syslog(LOG_ERR,
+                               "unrecognized pcsc backedn option \"%s\"",
+                                               argv[i]);
+               } else if (!strcmp(argv[i], "verbose")) cfg->verbose = 1;
                else if (!strcmp(argv[i], "noaskpass")) cfg->noaskpass = 1;
                else if (!strcmp(argv[i], "injectauth")) cfg->injectauth = 1;
                else if (!strncmp(argv[i], "path=", 5))
                                        authfile_template(argv[i]+5);
                else if (!strcmp(argv[i], "noaskpass")) cfg->noaskpass = 1;
                else if (!strcmp(argv[i], "injectauth")) cfg->injectauth = 1;
                else if (!strncmp(argv[i], "path=", 5))
                                        authfile_template(argv[i]+5);
+               else syslog(LOG_ERR, "unrecognized arg: \"%s\"", argv[i]);
+
+               if (cfg->verbose) syslog(LOG_DEBUG, "arg: \"%s\"", argv[i]);
        }
 }
 
        }
 }
 
@@ -104,67 +156,47 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
        int argc, const char *argv[])
 {
        struct _cfg cfg = {0};
        int argc, const char *argv[])
 {
        struct _cfg cfg = {0};
-       const char *tokenid = NULL;
        const char *user;
        const char *password;
        struct _auth_obj ao;
        int pam_err;
 
        parse_cfg(&cfg, argc, argv);
        const char *user;
        const char *password;
        struct _auth_obj ao;
        int pam_err;
 
        parse_cfg(&cfg, argc, argv);
+       (void)pam_set_data(pamh, "pcsc_cr_cfg_struct", &cfg, NULL);
+       if (cfg.verbose) syslog(LOG_INFO, "auth with %s", PACKAGE_STRING);
 
        if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
                if (cfg.verbose) syslog(LOG_ERR, "get_user failed: %s",
                                        pam_strerror(pamh, pam_err));
                return pam_err;
        }
 
        if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
                if (cfg.verbose) syslog(LOG_ERR, "get_user failed: %s",
                                        pam_strerror(pamh, pam_err));
                return pam_err;
        }
-       if (strspn(user, "0123456789") == strlen(user)) {
-               tokenid = user;
-               user = NULL;
-       }
+       if (cfg.verbose) syslog(LOG_DEBUG, "user=\"%s\"", user?user:"<none>");
 
        if (!cfg.noaskpass) {
 
        if (!cfg.noaskpass) {
-#ifdef _OPENPAM
-               pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
-                                       (const char **)&password, NULL);
-#else
-               struct pam_conv *conv;
-               struct pam_message msg;
-               const struct pam_message *msgp;
-               struct pam_response *resp;
-
-               if ((pam_err = pam_get_item(pamh, PAM_CONV,
-                                       (const void **)&conv))) {
+               if ((pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
+                                       (const char **)&password,
+                                       "Token password:"))) {
                        if (cfg.verbose) syslog(LOG_ERR,
                        if (cfg.verbose) syslog(LOG_ERR,
-                                       "get_item failed: %s",
-                                       pam_strerror(pamh, pam_err));
+                                               "get_authtok failed: %s",
+                                               pam_strerror(pamh, pam_err));
                        return pam_err;
                }
                        return pam_err;
                }
-               msg.msg_style = PAM_PROMPT_ECHO_OFF;
-               msg.msg = "Token password:";
-               msgp = &msg;
-               resp = NULL;
-               pam_err =  (*conv->conv)(1, &msgp, &resp, conv->appdata_ptr);
-               if (resp != NULL) {
-                       if (pam_err == PAM_SUCCESS) password = resp->resp;
-                       else free(resp->resp);
-                       free(resp);
-               }
-#endif
-               if (pam_err) return pam_err;
        } else {
                password = "";
        }
 
        } else {
                password = "";
        }
 
-       ao = authfile(tokenid, user, password, update_nonce,
+       ao = authfile(user, password, update_nonce,
                        NULL, 0, NULL, 0, token_key);
        if (ao.err) {
                if (cfg.verbose) syslog(LOG_INFO, "authfile: %s", ao.err);
                return PAM_AUTH_ERR;
        } else {
                        NULL, 0, NULL, 0, token_key);
        if (ao.err) {
                if (cfg.verbose) syslog(LOG_INFO, "authfile: %s", ao.err);
                return PAM_AUTH_ERR;
        } else {
-               if (!user)
-                       pam_set_item(pamh, PAM_USER, ao.data);
+               /* Just because we can. Probably not much use for that.      */
+               /* Userid written in authfile may differ from the login one. */
+               pam_set_item(pamh, PAM_USER, ao.data);
                if (cfg.injectauth && ao.payload && ao.payload[0])
                        pam_set_item(pamh, PAM_AUTHTOK, ao.payload);
                if (cfg.injectauth && ao.payload && ao.payload[0])
                        pam_set_item(pamh, PAM_AUTHTOK, ao.payload);
+               if (cfg.verbose) syslog(LOG_DEBUG, "authenticated");
                return PAM_SUCCESS;
        }
 }
                return PAM_SUCCESS;
        }
 }
@@ -205,7 +237,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 }
 
 #ifdef PAM_MODULE_ENTRY
 }
 
 #ifdef PAM_MODULE_ENTRY
-PAM_MODULE_ENTRY("pam_unix");
+PAM_MODULE_ENTRY("pam_pcsc_cr");
 #endif
 
 #ifdef PAM_STATIC
 #endif
 
 #ifdef PAM_STATIC
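Review bot: `(void)pam_set_data(pamh, "pcsc_cr_cfg_struct", &cfg, NULL);` in pam_sm_authenticate stores the address of the stack-local `cfg` in the PAM handle with no cleanup callback, so the pointer dangles as soon as the function returns; the fallback pam_get_authtok (compiled without HAVE_PAM_GET_AUTHTOK) reads it back via pam_get_data and dereferences `cfg->verbose`, so any later entry point on the same handle that reaches that fallback (pam_sm_chauthtok is in this file, if it takes that path) would read dead stack memory. Storing a heap copy with a cleanup function keeps the data valid for the handle's lifetime and releases it at pam_end; passing the config explicitly to a private helper instead of going through pam_get_data would avoid the handle state altogether. Separately, the new error log in parse_cfg misspells the word: `"unrecognized pcsc backend option \"%s\""`. pam_sm_authenticate's signature line lies outside the hunk.
```c
/* Releases the heap copy of struct _cfg when the PAM handle is torn down. */
static void cfg_cleanup(pam_handle_t *pamh, void *data, int error_status)
{
	(void)pamh;
	(void)error_status;
	free(data);
}

/* … unchanged: pam_sm_authenticate up to parse_cfg(&cfg, argc, argv); … */
	struct _cfg *cfgp = malloc(sizeof *cfgp);
	if (cfgp) {
		*cfgp = cfg;
		(void)pam_set_data(pamh, "pcsc_cr_cfg_struct", cfgp, cfg_cleanup);
	}
```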