diff --git a/Makefile.am b/Makefile.am index 98ad976..d70e2a7 100644 --- a/Makefile.am +++ b/Makefile.am @@ -49,8 +49,6 @@ libpam_util_la_LIBADD = @LTLIBYUBIKEY@ @YKPERS_LIBS@ libpam_real_la_SOURCES = pam_yubico.c -DEFS = -DDEBUG_PAM -DPAM_DEBUG @DEFS@ - # The command line tools. if YKPERS diff --git a/README b/README index 85ce51f..6e684df 100644 --- a/README +++ b/README @@ -151,7 +151,9 @@ and the validation server. If you want to get one for use with the default YubiCloud service, go https://upgrade.yubico.com/getapikey[here]. -debug:: to enable debug output to stdout. +debug:: to enable debug output. + +debug_file:: filename to write debug to, stdout is default. alwaysok:: to enable all authentication attempts to succeed diff --git a/drop_privs.c b/drop_privs.c index afb090a..6b4e72f 100644 --- a/drop_privs.c +++ b/drop_privs.c @@ -55,40 +55,40 @@ int pam_modutil_drop_priv(pam_handle_t *pamh, struct _ykpam_privs *privs, struct privs->saved_egid = getegid(); if ((privs->saved_euid == pw->pw_uid) && (privs->saved_egid == pw->pw_gid)) { - D (("Privilges already dropped, pretend it is all right")); + D (privs->debug_file, "Privilges already dropped, pretend it is all right"); return 0; } privs->saved_groups_length = getgroups(0, NULL); if (privs->saved_groups_length < 0) { - D (("getgroups: %s", strerror(errno))); + D (privs->debug_file, "getgroups: %s", strerror(errno)); return -1; } if (privs->saved_groups_length > SAVED_GROUPS_MAX_LEN) { - D (("to many groups, limiting.")); + D (privs->debug_file, "to many groups, limiting."); privs->saved_groups_length = SAVED_GROUPS_MAX_LEN; } if (privs->saved_groups_length > 0) { if (getgroups(privs->saved_groups_length, privs->saved_groups) < 0) { - D (("getgroups: %s", strerror(errno))); + D (privs->debug_file, "getgroups: %s", strerror(errno)); goto free_out; } } if (initgroups(pw->pw_name, pw->pw_gid) < 0) { - D (("initgroups: %s", strerror(errno))); + D (privs->debug_file, "initgroups: %s", strerror(errno)); goto free_out; } if (setegid(pw->pw_gid) < 0) { - D (("setegid: %s", strerror(errno))); + D (privs->debug_file, "setegid: %s", strerror(errno)); goto free_out; } if (seteuid(pw->pw_uid) < 0) { - D (("seteuid: %s", strerror(errno))); + D (privs->debug_file, "seteuid: %s", strerror(errno)); goto free_out; } @@ -99,22 +99,22 @@ free_out: int pam_modutil_regain_priv(pam_handle_t *pamh, struct _ykpam_privs *privs) { if ((privs->saved_euid == geteuid()) && (privs->saved_egid == getegid())) { - D (("Privilges already as requested, pretend it is all right")); + D (privs->debug_file, "Privilges already as requested, pretend it is all right"); return 0; } if (seteuid(privs->saved_euid) < 0) { - D (("seteuid: %s", strerror(errno))); + D (privs->debug_file, "seteuid: %s", strerror(errno)); return -1; } if (setegid(privs->saved_egid) < 0) { - D (("setegid: %s", strerror(errno))); + D (privs->debug_file, "setegid: %s", strerror(errno)); return -1; } if (setgroups(privs->saved_groups_length, privs->saved_groups) < 0) { - D (("setgroups: %s", strerror(errno))); + D (privs->debug_file, "setgroups: %s", strerror(errno)); return -1; } diff --git a/drop_privs.h b/drop_privs.h index 284adb4..4e18f78 100644 --- a/drop_privs.h +++ b/drop_privs.h @@ -34,6 +34,7 @@ #else #include +#include #ifdef HAVE_SECURITY_PAM_APPL_H #include @@ -49,11 +50,12 @@ struct _ykpam_privs { gid_t saved_egid; gid_t *saved_groups; int saved_groups_length; + FILE *debug_file; }; #define PAM_MODUTIL_DEF_PRIVS(n) \ gid_t n##_saved_groups[SAVED_GROUPS_MAX_LEN]; \ - struct _ykpam_privs n = {-1, -1, n##_saved_groups, SAVED_GROUPS_MAX_LEN} + struct _ykpam_privs n = {-1, -1, n##_saved_groups, SAVED_GROUPS_MAX_LEN, cfg->debug_file} int pam_modutil_drop_priv(pam_handle_t *, struct _ykpam_privs *, struct passwd *); int pam_modutil_regain_priv(pam_handle_t *, struct _ykpam_privs *); diff --git a/pam_yubico.8.txt b/pam_yubico.8.txt index 0855858..b195cb3 100644 --- a/pam_yubico.8.txt +++ b/pam_yubico.8.txt @@ -15,7 +15,10 @@ The module is for authentication of YubiKeys, either with online validation of O == OPTIONS *debug*:: -Turns on debugging to STDOUT +Turns on debugging. + +*debug_file*=_file_:: +File name to write debug to. Defaults to stdout. *mode=*[_client_|_challenge-response_]:: Set the mode of operation, client for OTP validation and challenge-response for challenge-response validation, client is the default. diff --git a/pam_yubico.c b/pam_yubico.c index 733c7cf..2a43f43 100644 --- a/pam_yubico.c +++ b/pam_yubico.c @@ -127,12 +127,13 @@ struct cfg unsigned int token_id_length; enum key_mode mode; const char *chalresp_path; + FILE *debug_file; }; #ifdef DBG #undef DBG #endif -#define DBG(x) if (cfg->debug) { D(x); } +#define DBG(x...) if (cfg->debug) { D(cfg->debug_file, x); } /* * Authorize authenticated OTP_ID for login as USERNAME using @@ -151,8 +152,8 @@ authorize_user_token (struct cfg *cfg, /* Administrator had configured the file and specified is name as an argument for this module. */ - DBG (("Using system-wide auth_file %s", cfg->auth_file)); - retval = check_user_token (cfg->auth_file, username, otp_id, cfg->debug); + DBG ("Using system-wide auth_file %s", cfg->auth_file); + retval = check_user_token (cfg->auth_file, username, otp_id, cfg->debug, cfg->debug_file); } else { @@ -165,7 +166,7 @@ authorize_user_token (struct cfg *cfg, pwres = getpwnam_r (username, &pass, buf, buflen, &p); if (p == NULL) { - DBG (("getpwnam_r: %s", strerror(pwres))); + DBG ("getpwnam_r: %s", strerror(pwres)); return 0; } @@ -173,18 +174,18 @@ authorize_user_token (struct cfg *cfg, ..... i.e. ~/.yubico/authorized_yubikeys */ if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", p, &userfile)) { - D (("Failed figuring out per-user cfgfile")); + DBG ("Failed figuring out per-user cfgfile"); return 0; } - DBG (("Dropping privileges")); + DBG ("Dropping privileges"); if(pam_modutil_drop_priv(pamh, &privs, p)) { - DBG (("could not drop privileges")); + DBG ("could not drop privileges"); retval = 0; goto free_out; } - retval = check_user_token (userfile, username, otp_id, cfg->debug); + retval = check_user_token (userfile, username, otp_id, cfg->debug, cfg->debug_file); if(pam_modutil_regain_priv(pamh, &privs)) { DBG (("could not restore privileges")); @@ -259,7 +260,7 @@ authorize_user_token_ldap (struct cfg *cfg, rc = ldap_initialize (&ld, cfg->ldap_uri); if (rc != LDAP_SUCCESS) { - DBG (("ldap_initialize: %s", ldap_err2string (rc))); + DBG ("ldap_initialize: %s", ldap_err2string (rc)); retval = 0; goto done; } @@ -268,7 +269,7 @@ authorize_user_token_ldap (struct cfg *cfg, { if ((ld = ldap_init (cfg->ldapserver, PORT_NUMBER)) == NULL) { - DBG (("ldap_init")); + DBG ("ldap_init"); retval = 0; goto done; } @@ -283,16 +284,15 @@ authorize_user_token_ldap (struct cfg *cfg, } /* Bind anonymously to the LDAP server. */ if (cfg->ldap_bind_user && cfg->ldap_bind_password) { - DBG (("try bind with: %s:[%s]", cfg->ldap_bind_user, cfg->ldap_bind_password)); + DBG ("try bind with: %s:[%s]", cfg->ldap_bind_user, cfg->ldap_bind_password); rc = ldap_simple_bind_s (ld, cfg->ldap_bind_user, cfg->ldap_bind_password); } else { - DBG (("try bind anonymous")); + DBG ("try bind anonymous"); rc = ldap_simple_bind_s (ld, NULL, NULL); } if (rc != LDAP_SUCCESS) { - DBG (("ldap_simple_bind_s: %s", ldap_err2string (rc))); - retval = 0; + DBG ("ldap_simple_bind_s: %s", ldap_err2string (rc)); goto done; } @@ -300,7 +300,7 @@ authorize_user_token_ldap (struct cfg *cfg, if (cfg->user_attr && cfg->yubi_attr && cfg->ldapdn) { i = (strlen(cfg->user_attr) + strlen(cfg->ldapdn) + strlen(user) + 3) * sizeof(char); if ((find = malloc(i)) == NULL) { - DBG (("Failed allocating %zu bytes", i)); + DBG ("Failed allocating %zu bytes", i); retval = 0; goto done; } @@ -315,15 +315,15 @@ authorize_user_token_ldap (struct cfg *cfg, } attrs[0] = (char *) cfg->yubi_attr; - DBG(("LDAP : look up object base='%s' filter='%s', ask for attribute '%s'", find, - filter ? filter:"(null)", cfg->yubi_attr)); + DBG("LDAP : look up object base='%s' filter='%s', ask for attribute '%s'", find, + filter ? filter:"(null)", cfg->yubi_attr); /* Search for the entry. */ if ((rc = ldap_search_ext_s (ld, find, scope, filter, attrs, 0, NULL, NULL, LDAP_NO_LIMIT, LDAP_NO_LIMIT, &result)) != LDAP_SUCCESS) { - DBG (("ldap_search_ext_s: %s", ldap_err2string (rc))); + DBG ("ldap_search_ext_s: %s", ldap_err2string (rc)); retval = 0; goto done; @@ -349,17 +349,17 @@ authorize_user_token_ldap (struct cfg *cfg, /* Compare each value for the attribute against the token id. */ for (i = 0; vals[i] != NULL; i++) { - DBG(("LDAP : Found %i values - checking if any of them match '%s:%s:%s'", + DBG("LDAP : Found %i values - checking if any of them match '%s:%s:%s'", ldap_count_values_len(vals), vals[i]->bv_val, - cfg->yubi_attr_prefix ? cfg->yubi_attr_prefix : "", token_id)); + cfg->yubi_attr_prefix ? cfg->yubi_attr_prefix : "", token_id); /* Only values containing this prefix are considered. */ if ((!cfg->yubi_attr_prefix || !strncmp (cfg->yubi_attr_prefix, vals[i]->bv_val, yubi_attr_prefix_len))) { if(!strncmp (token_id, vals[i]->bv_val + yubi_attr_prefix_len, strlen (vals[i]->bv_val + yubi_attr_prefix_len))) { - DBG (("Token Found :: %s", vals[i]->bv_val)); + DBG ("Token Found :: %s", vals[i]->bv_val); retval = 1; } } @@ -393,7 +393,7 @@ authorize_user_token_ldap (struct cfg *cfg, #if HAVE_CR static int -display_error(pam_handle_t *pamh, const char *message) { +display_error(pam_handle_t *pamh, const char *message, struct cfg *cfg) { struct pam_conv *conv; const struct pam_message *pmsg[1]; struct pam_message msg[1]; @@ -402,12 +402,12 @@ display_error(pam_handle_t *pamh, const char *message) { retval = pam_get_item (pamh, PAM_CONV, (const void **) &conv); if (retval != PAM_SUCCESS) { - D(("get conv returned error: %s", pam_strerror (pamh, retval))); + DBG("get conv returned error: %s", pam_strerror (pamh, retval)); return retval; } if(!conv || !conv->conv){ - D(("conv() function invalid")); + DBG("conv() function invalid"); return PAM_CONV_ERR; } pmsg[0] = &msg[0]; @@ -416,13 +416,13 @@ display_error(pam_handle_t *pamh, const char *message) { retval = conv->conv(1, pmsg, &resp, conv->appdata_ptr); if (retval != PAM_SUCCESS) { - D(("conv returned error: %s", pam_strerror (pamh, retval))); + DBG("conv returned error: %s", pam_strerror (pamh, retval)); return retval; } if (resp) { - D(("conv returned: '%s'", resp->resp)); + DBG("conv returned: '%s'", resp->resp); if (resp->resp) free (resp->resp); free (resp); @@ -460,62 +460,62 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) ret = PAM_AUTH_ERR; if (! init_yubikey(&yk)) { - DBG(("Failed initializing YubiKey")); + DBG("Failed initializing YubiKey"); goto out; } - if (! check_firmware_version(yk, cfg->debug, true)) { - DBG(("YubiKey does not support Challenge-Response (version 2.2 required)")); + if (! check_firmware_version(yk, cfg->debug, true, cfg->debug_file)) { + DBG("YubiKey does not support Challenge-Response (version 2.2 required)"); goto out; } pwres = getpwnam_r (username, &pass, pwbuf, pwbuflen, &p); if (p == NULL) { - DBG (("getpwnam_r: %s", strerror(pwres))); + DBG ("getpwnam_r: %s", strerror(pwres)); goto out; } - if (! get_user_challenge_file (yk, cfg->chalresp_path, p, &userfile)) { - DBG(("Failed getting user challenge file for user %s", username)); + if (! get_user_challenge_file (yk, cfg->chalresp_path, p, &userfile, cfg->debug_file)) { + DBG("Failed getting user challenge file for user %s", username); goto out; } - DBG(("Loading challenge from file %s", userfile)); + DBG("Loading challenge from file %s", userfile); /* Drop privileges before opening user file (if we're not using system-wide dir). */ if (!cfg->chalresp_path) { if (pam_modutil_drop_priv(pamh, &privs, p)) { - DBG (("could not drop privileges")); + DBG ("could not drop privileges"); goto out; } } fd = open(userfile, O_RDONLY, 0); if (fd < 0) { - DBG (("Cannot open file: %s (%s)", userfile, strerror(errno))); + DBG ("Cannot open file: %s (%s)", userfile, strerror(errno)); goto restpriv_out; } if (fstat(fd, &st) < 0) { - DBG (("Cannot stat file: %s (%s)", userfile, strerror(errno))); + DBG ("Cannot stat file: %s (%s)", userfile, strerror(errno)); close(fd); goto restpriv_out; } if (!S_ISREG(st.st_mode)) { - DBG (("%s is not a regular file", userfile)); + DBG ("%s is not a regular file", userfile); close(fd); goto restpriv_out; } f = fdopen(fd, "r"); if (f == NULL) { - DBG (("fdopen: %s", strerror(errno))); + DBG ("fdopen: %s", strerror(errno)); close(fd); goto restpriv_out; } - if (! load_chalresp_state(f, &state, cfg->debug)) + if (! load_chalresp_state(f, &state, cfg->debug, cfg->debug_file)) goto restpriv_out; if (fclose(f) < 0) { @@ -526,7 +526,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) if (!cfg->chalresp_path) { if (pam_modutil_regain_priv(pamh, &privs)) { - DBG (("could not restore privileges")); + DBG ("could not restore privileges"); goto out; } } @@ -534,7 +534,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) if (! challenge_response(yk, state.slot, state.challenge, state.challenge_len, true, true, false, buf, sizeof(buf), &response_len)) { - DBG(("Challenge-response FAILED")); + DBG("Challenge-response FAILED"); goto out; } @@ -552,15 +552,15 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) if (memcmp(buf, state.response, state.response_len) == 0) { ret = PAM_SUCCESS; } else { - DBG(("Unexpected C/R response : %s", response_hex)); + DBG("Unexpected C/R response : %s", response_hex); goto out; } - DBG(("Got the expected response, generating new challenge (%u bytes).", CR_CHALLENGE_SIZE)); + DBG("Got the expected response, generating new challenge (%u bytes).", CR_CHALLENGE_SIZE); errstr = "Error generating new challenge, please check syslog or contact your system administrator"; if (generate_random(state.challenge, sizeof(state.challenge))) { - DBG(("Failed generating new challenge!")); + DBG("Failed generating new challenge!"); goto out; } @@ -568,7 +568,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) if (! challenge_response(yk, state.slot, state.challenge, CR_CHALLENGE_SIZE, true, true, false, buf, sizeof(buf), &response_len)) { - DBG(("Second challenge-response FAILED")); + DBG("Second challenge-response FAILED"); goto out; } @@ -586,7 +586,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) * Write the challenge and response we will expect the next time to the state file. */ if (response_len > sizeof(state.response)) { - DBG(("Got too long response ??? (%u/%zu)", response_len, sizeof(state.response))); + DBG("Got too long response ??? (%u/%zu)", response_len, sizeof(state.response)); goto out; } memcpy (state.response, buf, response_len); @@ -597,7 +597,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) /* Drop privileges before creating new challenge file. */ if (!cfg->chalresp_path) { if (pam_modutil_drop_priv(pamh, &privs, p)) { - DBG (("could not drop privileges")); + DBG ("could not drop privileges"); goto out; } } @@ -611,16 +611,16 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) fd = mkstemp(tmpfile); if (fd < 0) { - DBG (("Cannot open file: %s (%s)", tmpfile, strerror(errno))); + DBG ("Cannot open file: %s (%s)", tmpfile, strerror(errno)); goto restpriv_out; } if (fchmod (fd, st.st_mode) != 0) { - DBG (("could not set correct file permissions")); + DBG ("could not set correct file permissions"); goto restpriv_out; } if (fchown (fd, st.st_uid, st.st_gid) != 0) { - DBG (("could not set correct file ownership")); + DBG ("could not set correct file ownership"); goto restpriv_out; } @@ -658,19 +658,19 @@ restpriv_out: if (yk_errno) { if (yk_errno == YK_EUSBERR) { syslog(LOG_ERR, "USB error: %s", yk_usb_strerror()); - DBG(("USB error: %s", yk_usb_strerror())); + DBG("USB error: %s", yk_usb_strerror()); } else { syslog(LOG_ERR, "Yubikey core error: %s", yk_strerror(yk_errno)); - DBG(("Yubikey core error: %s", yk_strerror(yk_errno))); + DBG("Yubikey core error: %s", yk_strerror(yk_errno)); } } if (errstr) - display_error(pamh, errstr); + display_error(pamh, errstr, cfg); if (errno) { syslog(LOG_ERR, "Challenge response failed: %s", strerror(errno)); - DBG(("Challenge response failed: %s", strerror(errno))); + DBG("Challenge response failed: %s", strerror(errno)); } if (yk) @@ -695,6 +695,7 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg) cfg->client_id = 0; cfg->token_id_length = DEFAULT_TOKEN_ID_LEN; cfg->mode = CLIENT; + cfg->debug_file = stdout; for (i = 0; i < argc; i++) { @@ -752,41 +753,54 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg) cfg->mode = CLIENT; if (strncmp (argv[i], "chalresp_path=", 14) == 0) cfg->chalresp_path = argv[i] + 14; + if (strncmp (argv[i], "debug_file=", 11) == 0) + { + if(strncmp (argv[i] + 11, "stderr", 6) == 0) + { + cfg->debug_file = stderr; + } + else + { + FILE *file = fopen(argv[i] + 11, "a"); + if(file) + { + cfg->debug_file = file; + } + } + } } - if (cfg->debug) - { - D (("called.")); - D (("flags %d argc %d", flags, argc)); - for (i = 0; i < argc; i++) - D (("argv[%d]=%s", i, argv[i])); - D (("id=%u", cfg->client_id)); - D (("key=%s", cfg->client_key ? cfg->client_key : "(null)")); - D (("debug=%d", cfg->debug)); - D (("alwaysok=%d", cfg->alwaysok)); - D (("verbose_otp=%d", cfg->verbose_otp)); - D (("try_first_pass=%d", cfg->try_first_pass)); - D (("use_first_pass=%d", cfg->use_first_pass)); - D (("authfile=%s", cfg->auth_file ? cfg->auth_file : "(null)")); - D (("ldapserver=%s", cfg->ldapserver ? cfg->ldapserver : "(null)")); - D (("ldap_uri=%s", cfg->ldap_uri ? cfg->ldap_uri : "(null)")); - D (("ldap_bind_user=%s", cfg->ldap_bind_user ? cfg->ldap_bind_user : "(null)")); - D (("ldap_bind_password=%s", cfg->ldap_bind_password ? cfg->ldap_bind_password : "(null)")); - D (("ldap_filter=%s", cfg->ldap_filter ? cfg->ldap_filter : "(null)")); - D (("ldap_cacertfile=%s", cfg->ldap_cacertfile ? cfg->ldap_cacertfile : "(null)")); - D (("ldapdn=%s", cfg->ldapdn ? cfg->ldapdn : "(null)")); - D (("user_attr=%s", cfg->user_attr ? cfg->user_attr : "(null)")); - D (("yubi_attr=%s", cfg->yubi_attr ? cfg->yubi_attr : "(null)")); - D (("yubi_attr_prefix=%s", cfg->yubi_attr_prefix ? cfg->yubi_attr_prefix : "(null)")); - D (("url=%s", cfg->url ? cfg->url : "(null)")); - D (("urllist=%s", cfg->urllist ? cfg->urllist : "(null)")); - D (("capath=%s", cfg->capath ? cfg->capath : "(null)")); - D (("cainfo=%s", cfg->cainfo ? cfg->cainfo : "(null)")); - D (("proxy=%s", cfg->proxy ? cfg->proxy : "(null)")); - D (("token_id_length=%d", cfg->token_id_length)); - D (("mode=%s", cfg->mode == CLIENT ? "client" : "chresp" )); - D (("chalresp_path=%s", cfg->chalresp_path ? cfg->chalresp_path : "(null)")); - } + DBG ("called."); + DBG ("flags %d argc %d", flags, argc); + for (i = 0; i < argc; i++) + DBG ("argv[%d]=%s", i, argv[i]); + DBG ("id=%u", cfg->client_id); + DBG ("key=%s", cfg->client_key ? cfg->client_key : "(null)"); + DBG ("debug=%d", cfg->debug); + DBG ("debug_file=%d", fileno(cfg->debug_file)); + DBG ("alwaysok=%d", cfg->alwaysok); + DBG ("verbose_otp=%d", cfg->verbose_otp); + DBG ("try_first_pass=%d", cfg->try_first_pass); + DBG ("use_first_pass=%d", cfg->use_first_pass); + DBG ("authfile=%s", cfg->auth_file ? cfg->auth_file : "(null)"); + DBG ("ldapserver=%s", cfg->ldapserver ? cfg->ldapserver : "(null)"); + DBG ("ldap_uri=%s", cfg->ldap_uri ? cfg->ldap_uri : "(null)"); + DBG ("ldap_bind_user=%s", cfg->ldap_bind_user ? cfg->ldap_bind_user : "(null)"); + DBG ("ldap_bind_password=%s", cfg->ldap_bind_password ? cfg->ldap_bind_password : "(null)"); + DBG ("ldap_filter=%s", cfg->ldap_filter ? cfg->ldap_filter : "(null)"); + DBG ("ldap_cacertfile=%s", cfg->ldap_cacertfile ? cfg->ldap_cacertfile : "(null)"); + DBG ("ldapdn=%s", cfg->ldapdn ? cfg->ldapdn : "(null)"); + DBG ("user_attr=%s", cfg->user_attr ? cfg->user_attr : "(null)"); + DBG ("yubi_attr=%s", cfg->yubi_attr ? cfg->yubi_attr : "(null)"); + DBG ("yubi_attr_prefix=%s", cfg->yubi_attr_prefix ? cfg->yubi_attr_prefix : "(null)"); + DBG ("url=%s", cfg->url ? cfg->url : "(null)"); + DBG ("urllist=%s", cfg->urllist ? cfg->urllist : "(null)"); + DBG ("capath=%s", cfg->capath ? cfg->capath : "(null)"); + DBG ("cainfo=%s", cfg->cainfo ? cfg->cainfo : "(null)"); + DBG ("proxy=%s", cfg->proxy ? cfg->proxy : "(null)"); + DBG ("token_id_length=%d", cfg->token_id_length); + DBG ("mode=%s", cfg->mode == CLIENT ? "client" : "chresp" ); + DBG ("chalresp_path=%s", cfg->chalresp_path ? cfg->chalresp_path : "(null)"); } PAM_EXTERN int @@ -816,11 +830,11 @@ pam_sm_authenticate (pam_handle_t * pamh, parse_cfg (flags, argc, argv, cfg); - DBG (("pam_yubico version: %s", VERSION)); + DBG ("pam_yubico version: %s", VERSION); if (cfg->token_id_length > MAX_TOKEN_ID_LEN) { - DBG (("configuration error: token_id_length too long. Maximum acceptable value : %u", MAX_TOKEN_ID_LEN)); + DBG ("configuration error: token_id_length too long. Maximum acceptable value : %u", MAX_TOKEN_ID_LEN); retval = PAM_AUTHINFO_UNAVAIL; goto done; } @@ -828,19 +842,19 @@ pam_sm_authenticate (pam_handle_t * pamh, retval = pam_get_user (pamh, &user, NULL); if (retval != PAM_SUCCESS) { - DBG (("get user returned error: %s", pam_strerror (pamh, retval))); + DBG ("get user returned error: %s", pam_strerror (pamh, retval)); goto done; } - DBG (("get user returned: %s", user)); + DBG ("get user returned: %s", user); if (cfg->mode == CHRESP) { #if HAVE_CR - return do_challenge_response(pamh, cfg, user); + retval = do_challenge_response(pamh, cfg, user); #else - DBG (("no support for challenge/response")); + DBG ("no support for challenge/response"); retval = PAM_AUTH_ERR; - goto done; #endif + goto done; } if (cfg->try_first_pass || cfg->use_first_pass) @@ -848,30 +862,30 @@ pam_sm_authenticate (pam_handle_t * pamh, retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password); if (retval != PAM_SUCCESS) { - DBG (("get password returned error: %s", - pam_strerror (pamh, retval))); + DBG ("get password returned error: %s", + pam_strerror (pamh, retval)); goto done; } - DBG (("get password returned: %s", password)); + DBG ("get password returned: %s", password); } if (cfg->use_first_pass && password == NULL) { - DBG (("use_first_pass set and no password, giving up")); + DBG ("use_first_pass set and no password, giving up"); retval = PAM_AUTH_ERR; goto done; } if(ykclient_global_init() != YKCLIENT_OK) { - DBG (("Failed initializing ykclient library")); + DBG ("Failed initializing ykclient library"); retval = PAM_AUTHINFO_UNAVAIL; goto done; } rc = ykclient_init (&ykc); if (rc != YKCLIENT_OK) { - DBG (("ykclient_init() failed (%d): %s", rc, ykclient_strerror (rc))); + DBG ("ykclient_init() failed (%d): %s", rc, ykclient_strerror (rc)); retval = PAM_AUTHINFO_UNAVAIL; goto done; } @@ -879,8 +893,8 @@ pam_sm_authenticate (pam_handle_t * pamh, rc = ykclient_set_client_b64 (ykc, cfg->client_id, cfg->client_key); if (rc != YKCLIENT_OK) { - DBG (("ykclient_set_client_b64() failed (%d): %s", - rc, ykclient_strerror (rc))); + DBG ("ykclient_set_client_b64() failed (%d): %s", + rc, ykclient_strerror (rc)); retval = PAM_AUTHINFO_UNAVAIL; goto done; } @@ -902,8 +916,8 @@ pam_sm_authenticate (pam_handle_t * pamh, rc = ykclient_set_url_template (ykc, cfg->url); if (rc != YKCLIENT_OK) { - DBG (("ykclient_set_url_template() failed (%d): %s", - rc, ykclient_strerror (rc))); + DBG ("ykclient_set_url_template() failed (%d): %s", + rc, ykclient_strerror (rc)); retval = PAM_AUTHINFO_UNAVAIL; goto done; } @@ -919,7 +933,7 @@ pam_sm_authenticate (pam_handle_t * pamh, { if(templates == 10) { - DBG (("maximum 10 urls supported in list.")); + DBG ("maximum 10 urls supported in list."); retval = PAM_AUTHINFO_UNAVAIL; goto done; } @@ -929,8 +943,8 @@ pam_sm_authenticate (pam_handle_t * pamh, rc = ykclient_set_url_bases (ykc, templates, (const char **)urls); if (rc != YKCLIENT_OK) { - DBG (("ykclient_set_url_bases() failed (%d): %s", - rc, ykclient_strerror (rc))); + DBG ("ykclient_set_url_bases() failed (%d): %s", + rc, ykclient_strerror (rc)); retval = PAM_AUTHINFO_UNAVAIL; goto done; } @@ -941,7 +955,7 @@ pam_sm_authenticate (pam_handle_t * pamh, retval = pam_get_item (pamh, PAM_CONV, (const void **) &conv); if (retval != PAM_SUCCESS) { - DBG (("get conv returned error: %s", pam_strerror (pamh, retval))); + DBG ("get conv returned error: %s", pam_strerror (pamh, retval)); goto done; } @@ -971,18 +985,18 @@ pam_sm_authenticate (pam_handle_t * pamh, if (retval != PAM_SUCCESS) { - DBG (("conv returned error: %s", pam_strerror (pamh, retval))); + DBG ("conv returned error: %s", pam_strerror (pamh, retval)); goto done; } if (resp->resp == NULL) { - DBG (("conv returned NULL passwd?")); + DBG ("conv returned NULL passwd?"); retval = PAM_AUTH_ERR; goto done; } - DBG (("conv returned %zu bytes", strlen(resp->resp))); + DBG ("conv returned %zu bytes", strlen(resp->resp)); password = resp->resp; } @@ -996,15 +1010,15 @@ pam_sm_authenticate (pam_handle_t * pamh, skip_bytes = password_len - (cfg->token_id_length + TOKEN_OTP_LEN); } - DBG (("Skipping first %i bytes. Length is %zu, token_id set to %u and token OTP always %u.", - skip_bytes, password_len, cfg->token_id_length, TOKEN_OTP_LEN)); + DBG ("Skipping first %i bytes. Length is %zu, token_id set to %u and token OTP always %u.", + skip_bytes, password_len, cfg->token_id_length, TOKEN_OTP_LEN); /* Copy full YubiKey output (public ID + OTP) into otp */ strncpy (otp, password + skip_bytes, sizeof (otp) - 1); /* Copy only public ID into otp_id. Destination buffer is zeroed. */ strncpy (otp_id, password + skip_bytes, cfg->token_id_length); - DBG (("OTP: %s ID: %s ", otp, otp_id)); + DBG ("OTP: %s ID: %s ", otp, otp_id); /* user entered their system password followed by generated OTP? */ if (password_len > TOKEN_OTP_LEN + cfg->token_id_length) @@ -1018,13 +1032,13 @@ pam_sm_authenticate (pam_handle_t * pamh, onlypasswd[password_len - (TOKEN_OTP_LEN + cfg->token_id_length)] = '\0'; - DBG (("Extracted a probable system password entered before the OTP - " - "setting item PAM_AUTHTOK")); + DBG ("Extracted a probable system password entered before the OTP - " + "setting item PAM_AUTHTOK"); retval = pam_set_item (pamh, PAM_AUTHTOK, onlypasswd); if (retval != PAM_SUCCESS) { - DBG (("set_item returned error: %s", pam_strerror (pamh, retval))); + DBG ("set_item returned error: %s", pam_strerror (pamh, retval)); goto done; } } @@ -1033,9 +1047,9 @@ pam_sm_authenticate (pam_handle_t * pamh, rc = ykclient_request (ykc, otp); - DBG (("ykclient return value (%d): %s", rc, - ykclient_strerror (rc))); - DBG (("ykclient url used: %s", ykclient_get_last_url(ykc))); + DBG ("ykclient return value (%d): %s", rc, + ykclient_strerror (rc)); + DBG ("ykclient url used: %s", ykclient_get_last_url(ykc)); /* authorize the user with supplied token id */ if (cfg->ldapserver != NULL || cfg->ldap_uri != NULL) @@ -1063,19 +1077,19 @@ pam_sm_authenticate (pam_handle_t * pamh, } break; case 0: - DBG (("Internal error while validating user")); + DBG ("Internal error while validating user"); retval = PAM_AUTHINFO_UNAVAIL; break; case -1: - DBG (("Unauthorized token for this user")); + DBG ("Unauthorized token for this user"); retval = PAM_AUTH_ERR; break; case -2: - DBG (("Unknown user")); + DBG ("Unknown user"); retval = PAM_USER_UNKNOWN; break; default: - DBG (("Unhandled value for token-user validation")) + DBG ("Unhandled value for token-user validation"); retval = PAM_AUTHINFO_UNAVAIL; } @@ -1099,10 +1113,10 @@ done: } if (cfg->alwaysok && retval != PAM_SUCCESS) { - DBG (("alwaysok needed (otherwise return with %d)", retval)); + DBG ("alwaysok needed (otherwise return with %d)", retval); retval = PAM_SUCCESS; } - DBG (("done. [%s]", pam_strerror (pamh, retval))); + DBG ("done. [%s]", pam_strerror (pamh, retval)); pam_set_data (pamh, "yubico_setcred_return", (void*)(intptr_t)retval, NULL); if (resp) @@ -1117,6 +1131,11 @@ done: free((char*)msg[0].msg); } + if(cfg->debug_file != stderr && cfg->debug_file != stdout) + { + fclose(cfg->debug_file); + } + return retval; } @@ -1129,17 +1148,27 @@ pam_sm_setcred ( } PAM_EXTERN int -pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __attribute__((unused)), - int argc __attribute__((unused)), const char **argv __attribute__((unused))) +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) { + struct cfg cfg_st; + struct cfg *cfg = &cfg_st; /* for DBG macro */ int retval; int rc = pam_get_data(pamh, "yubico_setcred_return", (const void**)&retval); + + parse_cfg (flags, argc, argv, cfg); if (rc == PAM_SUCCESS && retval == PAM_SUCCESS) { - D (("pam_sm_acct_mgmt returing PAM_SUCCESS")); - return PAM_SUCCESS; + DBG ("pam_sm_acct_mgmt returing PAM_SUCCESS"); + retval = PAM_SUCCESS; + } else { + DBG ("pam_sm_acct_mgmt returing PAM_AUTH_ERR:%d", rc); + retval = PAM_AUTH_ERR; } - D (("pam_sm_acct_mgmt returing PAM_AUTH_ERR:%d", rc)); - return PAM_AUTH_ERR; + + if(cfg->debug_file != stderr && cfg->debug_file != stdout) { + fclose(cfg->debug_file); + } + + return retval; } PAM_EXTERN int @@ -1148,7 +1177,6 @@ pam_sm_open_session( int argc __attribute__((unused)), const char *argv[] __attribute__((unused))) { - D(("pam_sm_open_session")); return (PAM_SUCCESS); } @@ -1157,7 +1185,6 @@ pam_sm_close_session( pam_handle_t *pamh __attribute__((unused)), int flags __attribute__((unused)), int argc __attribute__((unused)), const char *argv[] __attribute__((unused))) { - D(("pam_sm_close_session")); return (PAM_SUCCESS); } @@ -1166,7 +1193,6 @@ pam_sm_chauthtok( pam_handle_t *pamh __attribute__((unused)), int flags __attribute__((unused)), int argc __attribute__((unused)), const char *argv[] __attribute__((unused))) { - D(("pam_sm_chauthtok")); return (PAM_SERVICE_ERR); } diff --git a/tests/util_test.c b/tests/util_test.c index 61899f3..cc68e65 100644 --- a/tests/util_test.c +++ b/tests/util_test.c @@ -74,27 +74,27 @@ static void test_check_user_token(void) { fprintf(handle, "foo2:cccccccccccc\n"); fclose(handle); - ret = check_user_token(file, "foobar", "hhhvhvhdhbid", 1); + ret = check_user_token(file, "foobar", "hhhvhvhdhbid", 1, stdout); assert(ret == 1); - ret = check_user_token(file, "foobar", "hnhbhnhbhnhb", 1); + ret = check_user_token(file, "foobar", "hnhbhnhbhnhb", 1, stdout); assert(ret == 1); - ret = check_user_token(file, "foobar", "hnhbhnhbhnhc", 1); + ret = check_user_token(file, "foobar", "hnhbhnhbhnhc", 1, stdout); assert(ret == -1); - ret = check_user_token(file, "kaka", "hihbhdhrhbhj", 1); + ret = check_user_token(file, "kaka", "hihbhdhrhbhj", 1, stdout); assert(ret == 1); - ret = check_user_token(file, "bar", "hnhbhnhbhnhb", 1); + ret = check_user_token(file, "bar", "hnhbhnhbhnhb", 1, stdout); assert(ret == 1); - ret = check_user_token(file, "foo", "hdhrhbhjhvhu", 1); + ret = check_user_token(file, "foo", "hdhrhbhjhvhu", 1, stdout); assert(ret == -2); - ret = check_user_token(file, "foo2", "cccccccccccc", 1); + ret = check_user_token(file, "foo2", "cccccccccccc", 1, stdout); assert(ret == 1); - ret = check_user_token(file, "foo2", "vvvvvvvvvvvv", 1); + ret = check_user_token(file, "foo2", "vvvvvvvvvvvv", 1, stdout); assert(ret == 1); - ret = check_user_token(file, "foo2", "vvvvvvvvvvcc", 1); + ret = check_user_token(file, "foo2", "vvvvvvvvvvcc", 1, stdout); assert(ret == -1); - ret = check_user_token(file, "foo2", "", 1); + ret = check_user_token(file, "foo2", "", 1, stdout); assert(ret == -1); - ret = check_user_token(file, "foo", "", 1); + ret = check_user_token(file, "foo", "", 1, stdout); assert(ret == -2); remove(file); } @@ -115,7 +115,7 @@ static void test_load_chalresp_state(void) { memset(&state, 0, sizeof(state)); fprintf(file, "v2:%s:%s:%s:%d:%d\n", CHALLENGE1, RESPONSE1, SALT1, 1000, 2); rewind(file); - ret = load_chalresp_state(file, &state, true); + ret = load_chalresp_state(file, &state, true, stdout); assert(ret == 1); assert(state.iterations == 1000); assert(state.slot == 2); @@ -127,7 +127,7 @@ static void test_load_chalresp_state(void) { memset(&state, 0, sizeof(state)); fprintf(file, "v1:%s:%s:%d\n", CHALLENGE2, RESPONSE2, 1); rewind(file); - ret = load_chalresp_state(file, &state, true); + ret = load_chalresp_state(file, &state, true, stdout); assert(ret == 1); assert(state.iterations == CR_DEFAULT_ITERATIONS); assert(state.slot == 1); @@ -139,7 +139,7 @@ static void test_load_chalresp_state(void) { /* slot 3 should fail.. */ fprintf(file, "v2:%s:%s:%s:%d:%d\n", CHALLENGE1, RESPONSE1, SALT1, 1000, 3); rewind(file); - ret = load_chalresp_state(file, &state, true); + ret = load_chalresp_state(file, &state, true, stdout); assert(ret == 0); fclose(file); } diff --git a/util.c b/util.c index 3798faf..b04ecaf 100644 --- a/util.c +++ b/util.c @@ -97,7 +97,8 @@ int check_user_token (const char *authfile, const char *username, const char *otp_id, - int verbose) + int verbose, + FILE *debug_file) { char buf[1024]; char *s_user, *s_token; @@ -109,20 +110,20 @@ check_user_token (const char *authfile, fd = open(authfile, O_RDONLY, 0); if (fd < 0) { if(verbose) - D (("Cannot open file: %s (%s)", authfile, strerror(errno))); + D (debug_file, "Cannot open file: %s (%s)", authfile, strerror(errno)); return retval; } if (fstat(fd, &st) < 0) { if(verbose) - D (("Cannot stat file: %s (%s)", authfile, strerror(errno))); + D (debug_file, "Cannot stat file: %s (%s)", authfile, strerror(errno)); close(fd); return retval; } if (!S_ISREG(st.st_mode)) { if(verbose) - D (("%s is not a regular file", authfile)); + D (debug_file, "%s is not a regular file", authfile); close(fd); return retval; } @@ -130,7 +131,7 @@ check_user_token (const char *authfile, opwfile = fdopen(fd, "r"); if (opwfile == NULL) { if(verbose) - D (("fdopen: %s", strerror(errno))); + D (debug_file, "fdopen: %s", strerror(errno)); close(fd); return retval; } @@ -144,27 +145,26 @@ check_user_token (const char *authfile, if (buf[0] == '#') { /* This is a comment and we may skip it. */ if(verbose) - D (("Skipping comment line: %s", buf)); + D (debug_file, "Skipping comment line: %s", buf); continue; } if(verbose) - D (("Authorization line: %s", buf)); + D (debug_file, "Authorization line: %s", buf); s_user = strtok_r (buf, ":", &saveptr); if (s_user && strcmp (username, s_user) == 0) { if(verbose) - D (("Matched user: %s", s_user)); + D (debug_file, "Matched user: %s", s_user); retval = -1; //We found at least one line for the user do { s_token = strtok_r (NULL, ":", &saveptr); if(verbose) - D (("Authorization token: %s", s_token)); + D (debug_file, "Authorization token: %s", s_token); if (s_token && strcmp (otp_id, s_token) == 0) { if(verbose) - D (("Match user/token as %s/%s", username, otp_id)); - fclose (opwfile); + D (debug_file, "Match user/token as %s/%s", username, otp_id); return 1; } } @@ -196,7 +196,7 @@ int generate_random(void *buf, int len) } int -check_firmware_version(YK_KEY *yk, bool verbose, bool quiet) +check_firmware_version(YK_KEY *yk, bool verbose, bool quiet, FILE *debug_file) { YK_STATUS *st = ykds_alloc(); @@ -206,11 +206,10 @@ check_firmware_version(YK_KEY *yk, bool verbose, bool quiet) } if (verbose) { - D(("YubiKey Firmware version: %d.%d.%d\n", + D(debug_file, "YubiKey Firmware version: %d.%d.%d\n", ykds_version_major(st), ykds_version_minor(st), - ykds_version_build(st))); - fflush(stdout); + ykds_version_build(st)); } if (ykds_version_major(st) < 2 || @@ -282,7 +281,7 @@ int challenge_response(YK_KEY *yk, int slot, } int -get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct passwd *user, char **fn) +get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct passwd *user, char **fn, FILE *debug_file) { /* Getting file from user home directory, i.e. ~/.yubico/challenge, or * from a system wide directory. @@ -299,7 +298,7 @@ get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct pass int ret; if (! yk_get_serial(yk, 0, 0, &serial)) { - D (("Failed to read serial number (serial-api-visible disabled?).")); + D (debug_file, "Failed to read serial number (serial-api-visible disabled?)."); if (! chalresp_path) filename = "challenge"; else @@ -330,7 +329,7 @@ get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct pass } int -load_chalresp_state(FILE *f, CR_STATE *state, bool verbose) +load_chalresp_state(FILE *f, CR_STATE *state, bool verbose, FILE *debug_file) { /* * Load the current challenge and expected response information from a file handle. @@ -354,13 +353,13 @@ load_chalresp_state(FILE *f, CR_STATE *state, bool verbose) r = fscanf(f, "v2:%126[0-9a-z]:%40[0-9a-z]:%64[0-9a-z]:%d:%d", challenge_hex, response_hex, salt_hex, &iterations, &slot); if(r == 5) { if (! yubikey_hex_p(salt_hex)) { - D(("Invalid salt hex input : %s", salt_hex)); + D(debug_file, "Invalid salt hex input : %s", salt_hex); goto out; } if(verbose) { - D(("Challenge: %s, hashed response: %s, salt: %s, iterations: %d, slot: %d", - challenge_hex, response_hex, salt_hex, iterations, slot)); + D(debug_file, "Challenge: %s, hashed response: %s, salt: %s, iterations: %d, slot: %d", + challenge_hex, response_hex, salt_hex, iterations, slot); } yubikey_hex_decode(state->salt, salt_hex, sizeof(state->salt)); @@ -369,12 +368,12 @@ load_chalresp_state(FILE *f, CR_STATE *state, bool verbose) rewind(f); r = fscanf(f, "v1:%126[0-9a-z]:%40[0-9a-z]:%d", challenge_hex, response_hex, &slot); if (r != 3) { - D(("Could not parse contents of chalresp_state file (%i)", r)); + D(debug_file, "Could not parse contents of chalresp_state file (%i)", r); goto out; } if (verbose) { - D(("Challenge: %s, expected response: %s, slot: %d", challenge_hex, response_hex, slot)); + D(debug_file, "Challenge: %s, expected response: %s, slot: %d", challenge_hex, response_hex, slot); } iterations = CR_DEFAULT_ITERATIONS; @@ -384,17 +383,17 @@ load_chalresp_state(FILE *f, CR_STATE *state, bool verbose) if (! yubikey_hex_p(challenge_hex)) { - D(("Invalid challenge hex input : %s", challenge_hex)); + D(debug_file, "Invalid challenge hex input : %s", challenge_hex); goto out; } if (! yubikey_hex_p(response_hex)) { - D(("Invalid expected response hex input : %s", response_hex)); + D(debug_file, "Invalid expected response hex input : %s", response_hex); goto out; } if (slot != 1 && slot != 2) { - D(("Invalid slot input : %i", slot)); + D(debug_file, "Invalid slot input : %i", slot); goto out; } diff --git a/util.h b/util.h index 38526ef..69c69c0 100644 --- a/util.h +++ b/util.h @@ -38,23 +38,14 @@ #include #include -#if defined(DEBUG_PAM) -# if defined(HAVE_SECURITY__PAM_MACROS_H) -# define DEBUG -# include -# else -# define D(x) do { \ - printf ("debug: %s:%d (%s): ", __FILE__, __LINE__, __FUNCTION__); \ - printf x; \ - printf ("\n"); \ - } while (0) -# endif /* HAVE_SECURITY__PAM_MACROS_H */ -#else -# define D(x) -#endif /* DEBUG_PAM */ +#define D(file, x...) do { \ + fprintf (file, "debug: %s:%d (%s): ", __FILE__, __LINE__, __FUNCTION__); \ + fprintf (file, x); \ + fprintf (file, "\n"); \ +} while (0) int get_user_cfgfile_path(const char *common_path, const char *filename, const struct passwd *user, char **fn); -int check_user_token(const char *authfile, const char *username, const char *otp_id, int verbose); +int check_user_token(const char *authfile, const char *username, const char *otp_id, int verbose, FILE *debug_file); #if HAVE_CR #include @@ -83,13 +74,13 @@ typedef struct chalresp_state CR_STATE; int generate_random(void *buf, int len); -int get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct passwd *user, char **fn); +int get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct passwd *user, char **fn, FILE *debug_file); -int load_chalresp_state(FILE *f, CR_STATE *state, bool verbose); +int load_chalresp_state(FILE *f, CR_STATE *state, bool verbose, FILE *debug_file); int write_chalresp_state(FILE *f, CR_STATE *state); int init_yubikey(YK_KEY **yk); -int check_firmware_version(YK_KEY *yk, bool verbose, bool quiet); +int check_firmware_version(YK_KEY *yk, bool verbose, bool quiet, FILE *debug_file); int challenge_response(YK_KEY *yk, int slot, char *challenge, unsigned int len, bool hmac, bool may_block, bool verbose, diff --git a/ykpamcfg.c b/ykpamcfg.c index 9e50dbd..16dbb86 100644 --- a/ykpamcfg.c +++ b/ykpamcfg.c @@ -41,7 +41,6 @@ #include -#undef DEBUG_PAM #include "util.h" #define ACTION_ADD_HMAC_CHALRESP "add_hmac_chalresp" @@ -185,7 +184,7 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u } } - if (! get_user_challenge_file(yk, output_dir, p, &fn)) { + if (! get_user_challenge_file(yk, output_dir, p, &fn, stdout)) { fprintf (stderr, "Failed getting chalresp state filename\n"); goto out; } @@ -294,7 +293,7 @@ main(int argc, char **argv) if (! init_yubikey (&yk)) goto err; - if (! check_firmware_version(yk, verbose, false)) + if (! check_firmware_version(yk, verbose, false, stdout)) goto err; if (! do_add_hmac_chalresp (yk, slot, verbose, output_dir, iterations, &exit_code))