1
0
mirror of https://github.com/Yubico/yubico-pam.git synced 2024-12-01 15:24:12 +01:00

Make get_user_challenge_file() also include YubiKey serial number,

and move it to util.c.
This commit is contained in:
Fredrik Thulin 2011-03-17 17:55:04 +01:00
parent fe12e98e38
commit c1f8ba8804
3 changed files with 63 additions and 34 deletions

View File

@ -353,25 +353,6 @@ struct cfg
char *chalresp_path;
};
int
get_user_challenge_file(const char *chalresp_path, const char *username, char **fn)
{
/* Getting file from user home directory, i.e. ~/.yubico/challenge, or
* from a system wide directory.
*
* Format is hex(challenge):hex(response):slot num
*/
/* The challenge to use is located in a file in the user's home directory,
* which therefor can't be encrypted. If an encrypted home directory is used,
* the option chalresp_path can be used to point to a system-wide directory.
*/
char *filename = "challenge";
return get_user_cfgfile_path (chalresp_path, filename, username, fn);
}
static int
do_challenge_response(struct cfg *cfg, const char *username)
{
@ -391,7 +372,18 @@ do_challenge_response(struct cfg *cfg, const char *username)
ret = PAM_AUTH_ERR;
flags |= YK_FLAG_MAYBLOCK;
if (! get_user_challenge_file (cfg->chalresp_path, username, &userfile)) {
if (! init_yubikey(&yk)) {
D(("Failed initializing YubiKey"));
goto out;
}
if (! check_firmware_version(yk, false, true)) {
D(("YubiKey does not support Challenge-Response (version 2.2 required)"));
goto out;
}
if (! get_user_challenge_file (yk, cfg->chalresp_path, username, &userfile)) {
D(("Failed getting user challenge file for user %s", username));
goto out;
}
@ -404,16 +396,6 @@ do_challenge_response(struct cfg *cfg, const char *username)
if (! load_chalresp_state(f, &state))
goto out;
if (! init_yubikey(&yk)) {
D(("Failed initializing YubiKey"));
goto out;
}
if (! check_firmware_version(yk, false, true)) {
D(("YubiKey does not support Challenge-Response (version 2.2 required)"));
goto out;
}
if (! challenge_response(yk, state.slot, state.challenge, state.challenge_len,
true, flags, false,
buf, sizeof(buf), &response_len)) {

44
util.c
View File

@ -185,6 +185,43 @@ int challenge_response(YK_KEY *yk, int slot,
return 1;
}
int
get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const char *username, char **fn)
{
/* Getting file from user home directory, i.e. ~/.yubico/challenge, or
* from a system wide directory.
*
* Format is hex(challenge):hex(response):slot num
*/
/* The challenge to use is located in a file in the user's home directory,
* which therefor can't be encrypted. If an encrypted home directory is used,
* the option chalresp_path can be used to point to a system-wide directory.
*/
const char *filename; /* not including directory */
unsigned int serial = 0;
if (! yk_get_serial(yk, 0, 0, &serial)) {
D (("Failed to read serial number (serial-api-visible disabled?)."));
if (! chalresp_path)
filename = "challenge";
else
filename = username;
} else {
/* We have serial number */
int res = asprintf (&filename, "%s-%i", chalresp_path == NULL ? "challenge" : username, serial);
if (res < 1)
filename = NULL;
}
if (filename == NULL)
return 0;
return get_user_cfgfile_path (chalresp_path, filename, username, fn);
}
int
load_chalresp_state(FILE *f, CR_STATE *state)
{
@ -201,9 +238,12 @@ load_chalresp_state(FILE *f, CR_STATE *state)
* (twice because we hex encode the challenge and response)
*/
r = fscanf(f, "v1:%126[0-9a-z]:%40[0-9a-z]:%d", &challenge_hex, &response_hex, &slot);
D(("Challenge: %s, response: %s, slot: %d", challenge_hex, response_hex, slot));
if (r != 3)
if (r != 3) {
D(("Could not parse contents of chalres_state file (%i)", r));
goto out;
}
D(("Challenge: %s, response: %s, slot: %d", challenge_hex, response_hex, slot));
if (! yubikey_hex_p(challenge_hex)) {
D(("Invalid challenge hex input : %s", challenge_hex));

11
util.h
View File

@ -31,12 +31,16 @@
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef __PAM_YUBICO_UTIL_H_INCLUDED__
#define __PAM_YUBICO_UTIL_H_INCLUDED__
#include <stdio.h>
#include <ykclient.h>
#include <ykcore.h>
#include <ykstatus.h>
#include <ykdef.h>
#ifndef D
#if defined(DEBUG_PAM)
# if defined(HAVE_SECURITY__PAM_MACROS_H)
# define DEBUG
@ -49,7 +53,6 @@
} while (0)
# endif /* HAVE_SECURITY__PAM_MACROS_H */
#endif /* DEBUG_PAM */
#endif /* D */
/* Challenges can be 0..63 or 64 bytes long, depending on YubiKey configuration.
* We settle for 63 bytes to have something that works with all configurations.
@ -68,7 +71,9 @@ struct chalresp_state {
typedef struct chalresp_state CR_STATE;
int generate_random(char *buf, int len);
int get_user_cfgfile_path(const char *common_path, const char *filename, const char *username, char **fn);
int get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const char *username, char **fn);
int load_chalresp_state(FILE *f, CR_STATE *state);
int write_chalresp_state(FILE *f, CR_STATE *state);
@ -79,3 +84,5 @@ int challenge_response(YK_KEY *yk, int slot,
unsigned char *challenge, unsigned int len,
bool hmac, unsigned int flags, bool verbose,
unsigned char *response, int res_size, int *res_len);
#endif /* __PAM_YUBICO_UTIL_H_INCLUDED__ */