Make it clear to the API users that we cannot take arbitrary auth tokens.
We can only take a password for now, so simplify and clarify the interface.
---
 src/db/sysdb.h                 |    3 +--
 src/db/sysdb_ops.c             |   12 +-----------
 src/providers/krb5/krb5_auth.c |   21 +++++++++++++++++----
 src/responder/pam/pamsrv_cmd.c |   39 ++++++++++++++++++++++++---------------
 src/tests/sysdb-tests.c        |    6 ++----
 5 files changed, 45 insertions(+), 36 deletions(-)

diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 
ed00c165952aa80102b88c9e857355f2ef27d570..892414797304a1ba86a041279aea9bcafe1fd3cd
 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -778,8 +778,7 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
                                     time_t *delayed_until);
 int sysdb_cache_auth(struct sysdb_ctx *sysdb,
                      const char *name,
-                     const uint8_t *authtok,
-                     size_t authtok_size,
+                     const char *password,
                      struct confdb_ctx *cdb,
                      bool just_check,
                      time_t *_expire_date,
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 
80a323b12901b40f6df0c4cd0f0b23b4cf2cf2b2..e213023e3f1f1342984b7b2464a23a4544df9010
 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2674,8 +2674,7 @@ done:
 
 int sysdb_cache_auth(struct sysdb_ctx *sysdb,
                      const char *name,
-                     const uint8_t *authtok,
-                     size_t authtok_size,
+                     const char *password,
                      struct confdb_ctx *cdb,
                      bool just_check,
                      time_t *_expire_date,
@@ -2690,7 +2689,6 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
     struct ldb_message *ldb_msg;
     const char *userhash;
     char *comphash;
-    char *password = NULL;
     uint64_t lastLogin = 0;
     int cred_expiration;
     uint32_t failed_login_attempts = 0;
@@ -2776,13 +2774,6 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
 
     /* TODO: verify user account (disabled, expired ...) */
 
-    password = talloc_strndup(tmp_ctx, (const char *)authtok, authtok_size);
-    if (password == NULL) {
-        DEBUG(1, ("talloc_strndup failed.\n"));
-        ret = ENOMEM;
-        goto done;
-    }
-
     userhash = ldb_msg_find_attr_as_string(ldb_msg, SYSDB_CACHEDPWD, NULL);
     if (userhash == NULL || *userhash == '\0') {
         DEBUG(4, ("Cached credentials not available.\n"));
@@ -2866,7 +2857,6 @@ done:
     if (_delayed_until != NULL) {
         *_delayed_until = delayed_until;
     }
-    if (password) for (i = 0; password[i]; i++) password[i] = 0;
     if (ret) {
         ldb_transaction_cancel(sysdb->ldb);
     } else {
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 
7104b3127e04891fed7370a6241c60865372632b..5ef6cfc28625c55d850b73dc8cc621f33da1bdce
 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -278,16 +278,23 @@ static void krb5_auth_cache_creds(struct krb5_ctx 
*krb5_ctx,
                                   struct pam_data *pd, uid_t uid,
                                   int *pam_status, int *dp_err)
 {
+    char *password = NULL;
     errno_t ret;
 
-    ret = sysdb_cache_auth(sysdb, pd->user, pd->authtok,
-                           pd->authtok_size, cdb, true, NULL,
-                           NULL);
+    password = talloc_strndup(state, pd->authtok, pd->authtok_size);
+    if (!password) {
+        DEBUG(0, ("Out of memory copying password\n"));
+        *pam_status = PAM_SYSTEM_ERR;
+        *dp_err = DP_ERR_OK;
+        return;
+    }
+
+    ret = sysdb_cache_auth(sysdb, pd->user, password, cdb, true, NULL, NULL);
     if (ret != EOK) {
         DEBUG(1, ("Offline authentication failed\n"));
         *pam_status = cached_login_pam_status(ret);
         *dp_err = DP_ERR_OK;
-        return;
+        goto done;
     }
 
     ret = add_user_to_delayed_online_authentication(krb5_ctx, pd, uid);
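Review bot: The added `talloc_strndup(state, pd->authtok, pd->authtok_size)` uses `state`, which is not among the visible parameters or locals of krb5_auth_cache_creds (the signature continues above the hunk, so it may be declared there), and the wipe loop added under `done:` in the next hunk indexes with `i`, which the locals shown here (`password`, `ret`) do not declare — as posted this looks like it would not compile. `pd->authtok` was passed as `const uint8_t *` before this change (the removed sysdb_ops.c copy cast it), so the copy needs the same cast: `password = talloc_strndup(pd, (const char *)pd->authtok, pd->authtok_size);` plus `int i;` in the locals, with `pd` only a guess at a suitable talloc parent in scope. The error path of add_user_to_delayed_online_authentication lies between the two hunks; if it returns instead of jumping to `done:`, the plaintext copy is left unwiped on that path.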
@@ -297,6 +304,12 @@ static void krb5_auth_cache_creds(struct krb5_ctx 
*krb5_ctx,
     }
     *pam_status = PAM_AUTHINFO_UNAVAIL;
     *dp_err = DP_ERR_OFFLINE;
+
+done:
+    if (password) {
+        for (i = 0; password[i]; i++) password[i] = 0;
+        talloc_zfree(password);
+    }
 }
 
 static errno_t krb5_auth_prepare_ccache_file(struct krb5child_req *kr,
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 
4269642206cc0295c0046de4e59a3ad8f1044d1a..ed7438f8d1509568bcd12bbbe7ab73984780bcdd
 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -733,7 +733,6 @@ static void pam_reply(struct pam_auth_req *preq)
     struct timeval tv;
     struct tevent_timer *te;
     struct pam_data *pd;
-    struct sysdb_ctx *sysdb;
     struct pam_ctx *pctx;
     uint32_t user_info_type;
     time_t exp_date = -1;
@@ -753,24 +752,34 @@ static void pam_reply(struct pam_auth_req *preq)
             if ((preq->domain != NULL) &&
                 (preq->domain->cache_credentials == true) &&
                 (pd->offline_auth == false)) {
+                const char *password = NULL;
 
-                    /* do auth with offline credentials */
-                    pd->offline_auth = true;
+                /* do auth with offline credentials */
+                pd->offline_auth = true;
 
-                    sysdb = preq->domain->sysdb;
-                    if (sysdb == NULL) {
-                        DEBUG(0, ("Fatal: Sysdb CTX not found for "
-                                  "domain [%s]!\n", preq->domain->name));
-                        goto done;
-                    }
+                if (preq->domain->sysdb == NULL) {
+                    DEBUG(0, ("Fatal: Sysdb CTX not found for domain"
+                              " [%s]!\n", preq->domain->name));
+                    goto done;
+                }
 
-                    ret = sysdb_cache_auth(sysdb, pd->user,
-                                           pd->authtok, pd->authtok_size,
-                                           pctx->rctx->cdb, false,
-                                           &exp_date, &delay_until);
+                password = talloc_strndup(preq, pd->authtok, pd->authtok_size);
+                if (!password) {
+                    DEBUG(0, ("Fatal: Out of memory copying password\n"));
+                    goto done;
+                }
 
-                    pam_handle_cached_login(preq, ret, exp_date, delay_until);
-                    return;
+                ret = sysdb_cache_auth(preq->domain->sysdb,
+                                       pd->user, password,
+                                       pctx->rctx->cdb, false,
+                                       &exp_date, &delay_until);
+
+                pam_handle_cached_login(preq, ret, exp_date, delay_until);
+                if (password) {
+                    for (i = 0; password[i]; i++) password[i] = 0;
+                    talloc_zfree(password);
+                }
+                return;
             }
             break;
         case SSS_PAM_CHAUTHTOK_PRELIM:
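Review bot: `password` is declared `const char *` at the top of this block, but the wipe loop assigns `password[i] = 0` through it, which is an assignment to a read-only location; the owning copy should be `char *password = NULL;`, with `const` left on the callee's parameter. The same `uint8_t *` to `char *` mismatch as in krb5_auth.c applies to `talloc_strndup(preq, pd->authtok, pd->authtok_size)`; the removed sysdb_ops.c line cast it with `(const char *)`. The copy is parented to `preq` but wiped only after `pam_handle_cached_login(preq, ...)` returns; since sysdb_cache_auth has already consumed it, wiping and freeing immediately after that call removes any dependence on what pam_handle_cached_login does with `preq`, and the `if (password)` guard becomes unnecessary because the NULL case already jumped to `done`. Whether `i` is declared in pam_reply is outside the hunk.
```c
                char *password = NULL;
                /* … unchanged: offline_auth flag, sysdb NULL check … */
                password = talloc_strndup(preq, (const char *)pd->authtok,
                                          pd->authtok_size);
                if (!password) {
                    DEBUG(0, ("Fatal: Out of memory copying password\n"));
                    goto done;
                }
                /* … unchanged: sysdb_cache_auth() call … */
                /* the callee keeps no reference to the copy; wipe it now,
                 * before anything else touches preq */
                for (i = 0; password[i]; i++) password[i] = 0;
                talloc_zfree(password);

                pam_handle_cached_login(preq, ret, exp_date, delay_until);
                return;
```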
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index 
74b75233d7a5cf027ffdf581cbc9942ba2cc2b95..06cda816d79986d099d24457c40af7264b5a1a44
 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -1576,8 +1576,7 @@ static void 
cached_authentication_without_expiration(const char *username,
         return;
     }
 
-    ret = sysdb_cache_auth(test_ctx->sysdb, data->username,
-                           (const uint8_t *)password, strlen(password),
+    ret = sysdb_cache_auth(test_ctx->sysdb, data->username, password,
                            test_ctx->confdb, false, &expire_date, 
&delayed_until);
 
     fail_unless(ret == expected_result, "sysdb_cache_auth request does not "
@@ -1636,8 +1635,7 @@ static void cached_authentication_with_expiration(const 
char *username,
                               data->attrs, SYSDB_MOD_REP);
     fail_unless(ret == EOK, "Could not modify user %s", data->username);
 
-    ret = sysdb_cache_auth(test_ctx->sysdb, data->username,
-                           (const uint8_t *) password, strlen(password),
+    ret = sysdb_cache_auth(test_ctx->sysdb, data->username, password,
                            test_ctx->confdb, false, &expire_date, 
&delayed_until);
 
     fail_unless(ret == expected_result,
-- 
1.7.1
