X-Git-Url: http://www.average.org/gitweb/?p=pam_pcsc_cr.git;a=blobdiff_plain;f=pam_pcsc_cr.c;h=13a92e048253ef6abf5f4bfccbd8a46df3acba41;hp=e69de29bb2d1d6434b8b29ae775ad8c2e48c5391;hb=b7d64e8a15a3a652d0844596307b787bc1711fa4;hpb=6fe5a6db779c104d4aa103c2f30a5c5cab98afb7 diff --git a/pam_pcsc_cr.c b/pam_pcsc_cr.c index e69de29..13a92e0 100644 --- a/pam_pcsc_cr.c +++ b/pam_pcsc_cr.c @@ -0,0 +1,193 @@ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif +#include +#include +#include +#include +#include +#include +#include +#include "authobj.h" +#include "authfile.h" +#include "pcsc_cr.h" + +#ifndef PIC +# define PAM_STATIC +#endif + +#define PAM_SM_AUTH + +#ifdef HAVE_SECURITY_PAM_APPL_H +# include +#endif +#ifdef HAVE_SECURITY_PAM_MODULES_H +# include +#endif + +#ifndef PAM_EXTERN +# ifdef PAM_STATIC +# define PAM_EXTERN static +# else +# define PAM_EXTERN extern +# endif +#endif + +static struct _auth_chunk +token_key(const unsigned char *challenge, const int challengesize) +{ + struct _auth_chunk ho = {0}; + long rc; + int keysize = sizeof(ho.data); + + if ((rc = pcsc_cr(challenge, challengesize, ho.data, &keysize))) { + ho.err = pcsc_errstr(rc); + } + return ho; +} + +static void update_nonce(char *nonce, const int nonsize) +{ + int n = 0; + + sscanf(nonce, "%d", &n); + snprintf(nonce, nonsize, "%d", n+1); +} + +struct _cfg { + int noaskpass; + int verbose; +}; + +void parse_cfg(struct _cfg * const cfg, int argc, const char *argv[]) +{ + int i; + + for (i = 0; i < argc; i++) { + if (strchr(argv[i],':') && strchr(argv[i],'=')) + pcsc_option(argv[i]); + else if (!strcmp(argv[i], "verbose")) cfg->verbose = 1; + else if (!strcmp(argv[i], "noaskpass")) cfg->noaskpass = 1; + } +} + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags, + int argc, const char *argv[]) +{ + struct _cfg cfg = {0}; + const char *tokenid = NULL; + const char *user; + const char *password; + struct _auth_obj ao; + int pam_err; + + parse_cfg(&cfg, argc, argv); + + if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { + if (cfg.verbose) syslog(LOG_ERR, "get_user failed: %s", + pam_strerror(pamh, pam_err)); + return (pam_err); + } + if (strspn(user, "0123456789") == strlen(user)) { + tokenid = user; + user = NULL; + } + + if (!cfg.noaskpass) { +#ifdef _OPENPAM + pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, + (const char **)&password, NULL); +#else + struct pam_conv *conv; + struct pam_message msg; + const struct pam_message *msgp; + struct pam_response *resp; + + if ((pam_err = pam_get_item(pamh, PAM_CONV, + (const void **)&conv))) { + if (cfg.verbose) syslog(LOG_ERR, + "get_item failed: %s", + pam_strerror(pamh, pam_err)); + return pam_err; + } + msg.msg_style = PAM_PROMPT_ECHO_OFF; + msg.msg = "Token password:"; + msgp = &msg; + resp = NULL; + pam_err = (*conv->conv)(1, &msgp, &resp, conv->appdata_ptr); + if (resp != NULL) { + if (pam_err == PAM_SUCCESS) password = resp->resp; + else free(resp->resp); + free(resp); + } +#endif + if (pam_err) return pam_err; + } else { + password = ""; + } + + ao = authfile(tokenid, user, password, update_nonce, + NULL, 0, NULL, 0, token_key); + if (ao.err) { + if (cfg.verbose) syslog(LOG_INFO, "authfile: %s", ao.err); + return PAM_AUTH_ERR; + } else { + if (!user) + pam_set_item(pamh, PAM_USER, ao.data); + if (ao.payload && ao.payload[0]) + pam_set_item(pamh, PAM_AUTHTOK, ao.payload); + return PAM_SUCCESS; + } +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh, int flags, + int argc, const char *argv[]) +{ + return PAM_SUCCESS; +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, + int argc, const char *argv[]) +{ + return PAM_SUCCESS; +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, + int argc, const char *argv[]) +{ + return PAM_SUCCESS; +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags, + int argc, const char *argv[]) +{ + return PAM_SUCCESS; +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, + int argc, const char *argv[]) +{ + return PAM_SERVICE_ERR; +} + +#ifdef PAM_MODULE_ENTRY +PAM_MODULE_ENTRY("pam_unix"); +#endif + +#ifdef PAM_STATIC +struct pam_module _pam_pcsc_cr_modstruct = { + "pam_pcsc_cr", + pam_sm_authenticate, + pam_sm_setcred, + pam_sm_acct_mgmt, + pam_sm_open_session, + pam_sm_close_session, + pam_sm_chauthtok +}; +#endif