Merge branch 'pr-121'

pam_yubico.c

@@ -473,6 +473,35 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
 
   ret = PAM_AUTH_ERR;
 
+  pwres = getpwnam_r (username, &pass, pwbuf, pwbuflen, &p);
+  if (p == NULL) {
+      DBG ("getpwnam_r: %s", strerror(pwres));
+      goto out;
+  }
+
+  DBG("Checking for user challenge files");
+  switch(check_user_challenge_file(cfg->chalresp_path, p, cfg->debug_file)) {
+    case AUTH_FOUND:
+      DBG("Challenge files found");
+      break;
+    case AUTH_NOT_FOUND:
+      DBG("No challenge files found");
+      if (cfg->nullok) {
+        ret = PAM_IGNORE;
+      } else {
+        ret = PAM_USER_UNKNOWN;
+      }
+      goto out;
+    case AUTH_ERROR:
+      DBG ("Internal error while looking for user challenge files");
+      ret = PAM_AUTHINFO_UNAVAIL;
+      goto out;
+    default:
+      DBG ("Unhandled value while looking for user challenge files");
+      ret = PAM_AUTHINFO_UNAVAIL;
+      goto out;
+  }
+
   if (! init_yubikey(&yk)) {
     DBG("Failed initializing YubiKey");
     goto out;
@@ -483,12 +512,6 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
     goto out;
   }
 
-  pwres = getpwnam_r (username, &pass, pwbuf, pwbuflen, &p);
-  if (p == NULL) {
-      DBG ("getpwnam_r: %s", strerror(pwres));
-      goto out;
-  }
-
   if (! get_user_challenge_file (yk, cfg->chalresp_path, p, &userfile, cfg->debug_file)) {
     DBG("Failed getting user challenge file for user %s", username);
     goto out;

tests/util_test.c

@@ -35,6 +35,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#include <unistd.h>
 
 #include <pwd.h>
 
@@ -144,6 +145,122 @@ static void test_load_chalresp_state(void) {
   fclose(file);
 }
 
+static void test_check_user_challenge_file(void) {
+  int ret;
+  char * tmpdir_path;
+  char * buf;
+  FILE * file;
+  struct passwd user;
+
+  buf = malloc(256);
+
+#define create_tmpdir_dir(path) \
+  strcpy(buf, tmpdir_path); \
+  strcat(buf, "/"); \
+  strcat(buf, path); \
+  mkdir(buf, 0755);
+
+#define remove_tmpdir_dir(path) \
+  strcpy(buf, tmpdir_path); \
+  strcat(buf, "/"); \
+  strcat(buf, path); \
+  rmdir(buf);
+
+#define create_tmpdir_file(path) \
+  strcpy(buf, tmpdir_path); \
+  strcat(buf, "/"); \
+  strcat(buf, path); \
+  file = fopen(buf, "w"); \
+  fclose(file);
+
+#define remove_tmpdir_file(path) \
+  strcpy(buf, tmpdir_path); \
+  strcat(buf, "/"); \
+  strcat(buf, path); \
+  unlink(buf);
+
+  /* create temporary directory */
+  tmpdir_path = tempnam(NULL, "pamtest");
+  assert(tmpdir_path != NULL);
+
+  ret = mkdir(tmpdir_path, 0755);
+  assert(ret == 0);
+
+  /* set user data */
+  user.pw_name = "tester";
+  user.pw_dir = tmpdir_path;
+
+  /* execute tests */
+  /* no asserts here as we have directory to remove */
+
+  int case_001_empty_chalresp_dir;
+  case_001_empty_chalresp_dir = check_user_challenge_file(tmpdir_path, &user, stdout);
+
+  int case_002_one_challenge_file;
+  create_tmpdir_file("tester");
+  case_002_one_challenge_file = check_user_challenge_file(tmpdir_path, &user, stdout);
+  remove_tmpdir_file("tester");
+
+  int case_003_multiple_challenge_files;
+  create_tmpdir_file("tester-001");
+  create_tmpdir_file("tester-002");
+  case_003_multiple_challenge_files = check_user_challenge_file(tmpdir_path, &user, stdout);
+  remove_tmpdir_file("tester-002");
+  remove_tmpdir_file("tester-001");
+
+  int case_004_other_users_files;
+  create_tmpdir_file("tester1");
+  create_tmpdir_file("tester1-001");
+  case_004_other_users_files = check_user_challenge_file(tmpdir_path, &user, stdout);
+  remove_tmpdir_file("tester1-001");
+  remove_tmpdir_file("tester1");
+
+  int case_005_no_chalresp_no_yubico;
+  case_005_no_chalresp_no_yubico = check_user_challenge_file(NULL, &user, stdout);
+
+  int case_006_no_chalresp_empty_yubico;
+  create_tmpdir_dir(".yubico");
+  case_006_no_chalresp_empty_yubico = check_user_challenge_file(NULL, &user, stdout);
+  remove_tmpdir_dir(".yubico");
+
+  int case_007_no_chalresp_one_challenge_file;
+  create_tmpdir_dir(".yubico");
+  create_tmpdir_file(".yubico/challenge");
+  case_007_no_chalresp_one_challenge_file = check_user_challenge_file(NULL, &user, stdout);
+  remove_tmpdir_file(".yubico/challenge");
+  remove_tmpdir_dir(".yubico");
+
+  int case_008_no_chalresp_multiple_challenge_files;
+  create_tmpdir_dir(".yubico");
+  create_tmpdir_file(".yubico/challenge-001");
+  create_tmpdir_file(".yubico/challenge-002");
+  case_008_no_chalresp_multiple_challenge_files = check_user_challenge_file(NULL, &user, stdout);
+  remove_tmpdir_file(".yubico/challenge-002");
+  remove_tmpdir_file(".yubico/challenge-001");
+  remove_tmpdir_dir(".yubico");
+
+  /* remove temporary directory */
+  ret = rmdir(tmpdir_path);
+  assert(ret == 0);
+  free(tmpdir_path);
+  free(buf);
+
+  /* check test results */
+  assert(case_001_empty_chalresp_dir == AUTH_NOT_FOUND);
+  assert(case_002_one_challenge_file == AUTH_FOUND);
+  assert(case_003_multiple_challenge_files == AUTH_FOUND);
+  assert(case_004_other_users_files == AUTH_NOT_FOUND);
+  assert(case_005_no_chalresp_no_yubico == AUTH_NOT_FOUND);
+  assert(case_006_no_chalresp_empty_yubico == AUTH_NOT_FOUND);
+  assert(case_007_no_chalresp_one_challenge_file == AUTH_FOUND);
+  assert(case_008_no_chalresp_multiple_challenge_files == AUTH_FOUND);
+
+#undef create_tmpdir_dir
+#undef remove_tmpdir_dir
+#undef create_tmpdir_file
+#undef remove_tmpdir_file
+}
+
 #endif /* HAVE_CR */
 
 static void test_filter_printf(void) {
@@ -171,6 +288,7 @@ int main (void) {
   test_check_user_token();
 #if HAVE_CR
   test_load_chalresp_state();
+  test_check_user_challenge_file();
 #endif /* HAVE_CR */
   return 0;
 }

util.c

@@ -38,6 +38,7 @@
 #include <sys/stat.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <glob.h>
 #include <unistd.h>
 
 #include "util.h"
@@ -281,6 +282,71 @@ int challenge_response(YK_KEY *yk, int slot,
 	return 1;
 }
 
+int
+check_user_challenge_file(const char *chalresp_path, const struct passwd *user, FILE *debug_file)
+{
+  /*
+   * This function will look for users challenge files.
+   *
+   * Returns one of AUTH_FOUND, AUTH_NOT_FOUND, AUTH_ERROR
+   */
+  size_t len;
+  int r;
+  int ret = AUTH_NOT_FOUND;
+  char *userfile = NULL;
+  char *userfile_pattern = NULL;
+  glob_t userfile_glob;
+  const char *filename = NULL;
+
+  if (! chalresp_path) {
+    filename = "challenge";
+  } else {
+    filename = user->pw_name;
+  }
+
+  /* check for userfile challenge files */
+  r = get_user_cfgfile_path(chalresp_path, filename, user, &userfile);
+  if (!r) {
+    D (debug_file, "Failed to get user cfgfile path");
+    ret = AUTH_ERROR;
+    goto out;
+  }
+
+  if (!access(userfile, F_OK)) {
+    ret = AUTH_FOUND;
+    goto out;
+  }
+
+  /* check for userfile-* challenge files */
+  len = strlen(userfile) + 2 + 1;
+  if ((userfile_pattern = malloc(len)) == NULL) {
+    D (debug_file, "Failed to allocate memory for userfile pattern: %s", strerror(errno));
+    ret = AUTH_ERROR;
+    goto out;
+  }
+  snprintf(userfile_pattern, len, "%s-*", userfile);
+
+  r = glob(userfile_pattern, 0, NULL, &userfile_glob);
+  globfree(&userfile_glob);
+  switch (r) {
+    case GLOB_NOMATCH:
+      /* No matches found, so continue */
+      break;
+    case 0:
+      ret = AUTH_FOUND;
+      goto out;
+    default:
+      D (debug_file, "Error while checking for %s challenge files: %s", userfile_pattern, strerror(errno));
+      ret = AUTH_ERROR;
+      goto out;
+  }
+
+out:
+  free(userfile_pattern);
+  free(userfile);
+  return ret;
+}
+
 int
 get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct passwd *user, char **fn, FILE *debug_file)
 {

util.h

@@ -80,6 +80,7 @@ typedef struct chalresp_state CR_STATE;
 
 int generate_random(void *buf, int len);
 
+int check_user_challenge_file(const char *chalresp_path, const struct passwd *user, FILE *debug_file);
 int get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct passwd *user, char **fn, FILE *debug_file);
 
 int load_chalresp_state(FILE *f, CR_STATE *state, bool verbose, FILE *debug_file);