918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorce SSSD - auth utils
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorce Copyright (C) Simo Sorce <simo@redhat.com> 2012
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorce This program is free software; you can redistribute it and/or modify
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorce it under the terms of the GNU General Public License as published by
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorce the Free Software Foundation; either version 3 of the License, or
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorce (at your option) any later version.
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorce This program is distributed in the hope that it will be useful,
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorce but WITHOUT ANY WARRANTY; without even the implied warranty of
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorce MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorce GNU General Public License for more details.
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorce You should have received a copy of the GNU General Public License
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorce along with this program. If not, see <http://www.gnu.org/licenses/>.
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorceenum sss_authtok_type sss_authtok_get_type(struct sss_auth_token *tok)
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorcesize_t sss_authtok_get_size(struct sss_auth_token *tok)
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorceuint8_t *sss_authtok_get_data(struct sss_auth_token *tok)
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorceerrno_t sss_authtok_get_password(struct sss_auth_token *tok,
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorceerrno_t sss_authtok_get_ccfile(struct sss_auth_token *tok,
9acfb09f7969a69f58bd45c856b01700541853caLukas Slebodnikstatic errno_t sss_authtok_set_string(struct sss_auth_token *tok,
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorce /* we do not allow zero length typed tokens */
9acfb09f7969a69f58bd45c856b01700541853caLukas Slebodnik tok->data = talloc_named(tok, size, "%s", context_name);
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorcevoid sss_authtok_set_empty(struct sss_auth_token *tok)
9acfb09f7969a69f58bd45c856b01700541853caLukas Slebodnikerrno_t sss_authtok_set_password(struct sss_auth_token *tok,
9acfb09f7969a69f58bd45c856b01700541853caLukas Slebodnik return sss_authtok_set_string(tok, SSS_AUTHTOK_TYPE_PASSWORD,
9acfb09f7969a69f58bd45c856b01700541853caLukas Slebodnikerrno_t sss_authtok_set_ccfile(struct sss_auth_token *tok,
9acfb09f7969a69f58bd45c856b01700541853caLukas Slebodnik return sss_authtok_set_string(tok, SSS_AUTHTOK_TYPE_CCFILE,
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bosestatic errno_t sss_authtok_set_2fa_from_blob(struct sss_auth_token *tok,
9acfb09f7969a69f58bd45c856b01700541853caLukas Slebodnikerrno_t sss_authtok_set(struct sss_auth_token *tok,
9acfb09f7969a69f58bd45c856b01700541853caLukas Slebodnik return sss_authtok_set_password(tok, (const char *)data, len);
9acfb09f7969a69f58bd45c856b01700541853caLukas Slebodnik return sss_authtok_set_ccfile(tok, (const char *)data, len);
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose return sss_authtok_set_2fa_from_blob(tok, data, len);
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose return sss_authtok_set_sc_from_blob(tok, data, len);
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose return sss_authtok_set_sc_from_blob(tok, data, len);
9acfb09f7969a69f58bd45c856b01700541853caLukas Slebodnikerrno_t sss_authtok_copy(struct sss_auth_token *src,
9acfb09f7969a69f58bd45c856b01700541853caLukas Slebodnik dst->data = talloc_memdup(dst, src->data, src->length);
9acfb09f7969a69f58bd45c856b01700541853caLukas Slebodnikstruct sss_auth_token *sss_authtok_new(TALLOC_CTX *mem_ctx)
9acfb09f7969a69f58bd45c856b01700541853caLukas Slebodnik token = talloc_zero(mem_ctx, struct sss_auth_token);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
918b2a5a91f1c551d48f4bffed2a28c36fdb4be1Simo Sorcevoid sss_authtok_wipe_password(struct sss_auth_token *tok)
439f664bfb0cbed7e85ebd68647deed7414598d4Pallavi Jha if (!tok || tok->type != SSS_AUTHTOK_TYPE_PASSWORD) {
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Boseerrno_t sss_auth_unpack_2fa_blob(TALLOC_CTX *mem_ctx,
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose if (blob_len != 2 * sizeof(uint32_t) + fa1_len + fa2_len) {
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n");
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose *fa1 = talloc_strndup(mem_ctx, (const char *) blob + c, fa1_len);
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose *fa2 = talloc_strndup(mem_ctx, (const char *) blob + c + fa1_len,
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose /* Re-calculate length for the case where \0 was missing in the blob */
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bosestatic errno_t sss_authtok_set_2fa_from_blob(struct sss_auth_token *tok,
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose ret = sss_auth_unpack_2fa_blob(tmp_ctx, data, len, &fa1, &fa1_len,
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "sss_auth_unpack_2fa_blob failed.\n");
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose ret = sss_authtok_set_2fa(tok, fa1, fa1_len, fa2, fa2_len);
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_set_2fa failed.\n");
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Boseerrno_t sss_authtok_get_2fa(struct sss_auth_token *tok,
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose return (tok->type == SSS_AUTHTOK_TYPE_EMPTY) ? ENOENT : EACCES;
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data, &c);
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c);
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose || tok->length != 2 * sizeof(uint32_t) + *fa1_len + *fa2_len + 2) {
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n");
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose || tok->data[c + *fa1_len + 1 + *fa2_len] != '\0') {
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose DEBUG(SSSDBG_CRIT_FAILURE, "Missing terminating null character.\n");
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose *fa2 = (const char *) tok->data + c + *fa1_len + 1;
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Boseerrno_t sss_authtok_set_2fa(struct sss_auth_token *tok,
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose ret = sss_auth_pack_2fa_blob(fa1, fa1_len, fa2, fa2_len, NULL, 0,
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose "sss_auth_pack_2fa_blob unexpectedly returned [%d].\n", ret);
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose ret = sss_auth_pack_2fa_blob(fa1, fa1_len, fa2, fa2_len, tok->data,
bc052ea17d858c19f9cb9c9e2bc602e754f68831Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_2fa_blob failed.\n");
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Boseerrno_t sss_authtok_set_sc(struct sss_auth_token *tok,
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose DEBUG(SSSDBG_CRIT_FAILURE, "Invalid type [%d].\n", type);
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose ret = sss_auth_pack_sc_blob(pin, pin_len, token_name, token_name_len,
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_sc_blob failed.\n");
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose ret = sss_auth_pack_sc_blob(pin, pin_len, token_name, token_name_len,
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_sc_blob failed.\n");
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Boseerrno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok,
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose ret = sss_auth_unpack_sc_blob(tmp_ctx, data, len, &pin, &pin_len,
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose DEBUG(SSSDBG_OP_FAILURE, "sss_auth_unpack_sc_blob failed.\n");
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose ret = sss_authtok_set_sc(tok, SSS_AUTHTOK_TYPE_SC_PIN, pin, pin_len,
10703cd558016685ee778e333f1d4490238d46e7Sumit Boseerrno_t sss_authtok_set_sc_pin(struct sss_auth_token *tok, const char *pin,
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose return sss_authtok_set_sc(tok, SSS_AUTHTOK_TYPE_SC_PIN, pin, len,
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Boseerrno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **_pin,
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n");
10703cd558016685ee778e333f1d4490238d46e7Sumit Bosevoid sss_authtok_set_sc_keypad(struct sss_auth_token *tok)
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Boseerrno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx,
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose } else if (blob_len > 0
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose && strnlen((const char *) blob, blob_len) == blob_len - 1) {
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose SAFEALIGN_COPY_UINT32(&token_name_len, blob + c, &c);
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose SAFEALIGN_COPY_UINT32(&module_name_len, blob + c, &c);
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose SAFEALIGN_COPY_UINT32(&key_id_len, blob + c, &c);
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose if (blob_len != 4 * sizeof(uint32_t) + pin_len + token_name_len
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n");
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose *pin = talloc_strndup(mem_ctx, (const char *) blob + c, pin_len);
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose *token_name = talloc_strndup(mem_ctx, (const char *) blob + c + pin_len,
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose /* Re-calculate length for the case where \0 was missing in the blob */
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose *_token_name_len = (*token_name == NULL) ? 0 : strlen(*token_name);
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose *_module_name_len = (*module_name == NULL) ? 0 : strlen(*module_name);
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose *_key_id_len = (*key_id == NULL) ? 0 : strlen(*key_id);
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Boseerrno_t sss_authtok_get_sc(struct sss_auth_token *tok,
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose const char **_token_name, size_t *_token_name_len,
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose const char **_module_name, size_t *_module_name_len,
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose return (tok->type == SSS_AUTHTOK_TYPE_EMPTY) ? ENOENT : EACCES;
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data, &c);
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c);
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c);
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c);
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose if (tok->length != 4 * sizeof(uint32_t) + 4 + pin_len + token_name_len
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n");
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose *_token_name = (const char *) tok->data + c + pin_len + 1;
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose *_module_name = (const char *) tok->data + c + pin_len + 1
dd17a3aaddab6f122dff3bd15b7005464c07c0eaSumit Bose *_key_id = (const char *) tok->data + c + pin_len + 1