mirror of
https://github.com/Yubico/yubico-pam.git
synced 2024-12-01 15:24:12 +01:00
Make get_user_challenge_file() also include YubiKey serial number,
and move it to util.c.
This commit is contained in:
parent
fe12e98e38
commit
c1f8ba8804
42
pam_yubico.c
42
pam_yubico.c
@ -353,25 +353,6 @@ struct cfg
|
||||
char *chalresp_path;
|
||||
};
|
||||
|
||||
int
|
||||
get_user_challenge_file(const char *chalresp_path, const char *username, char **fn)
|
||||
{
|
||||
/* Getting file from user home directory, i.e. ~/.yubico/challenge, or
|
||||
* from a system wide directory.
|
||||
*
|
||||
* Format is hex(challenge):hex(response):slot num
|
||||
*/
|
||||
|
||||
/* The challenge to use is located in a file in the user's home directory,
|
||||
* which therefor can't be encrypted. If an encrypted home directory is used,
|
||||
* the option chalresp_path can be used to point to a system-wide directory.
|
||||
*/
|
||||
|
||||
char *filename = "challenge";
|
||||
|
||||
return get_user_cfgfile_path (chalresp_path, filename, username, fn);
|
||||
}
|
||||
|
||||
static int
|
||||
do_challenge_response(struct cfg *cfg, const char *username)
|
||||
{
|
||||
@ -391,7 +372,18 @@ do_challenge_response(struct cfg *cfg, const char *username)
|
||||
ret = PAM_AUTH_ERR;
|
||||
flags |= YK_FLAG_MAYBLOCK;
|
||||
|
||||
if (! get_user_challenge_file (cfg->chalresp_path, username, &userfile)) {
|
||||
if (! init_yubikey(&yk)) {
|
||||
D(("Failed initializing YubiKey"));
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (! check_firmware_version(yk, false, true)) {
|
||||
D(("YubiKey does not support Challenge-Response (version 2.2 required)"));
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
||||
if (! get_user_challenge_file (yk, cfg->chalresp_path, username, &userfile)) {
|
||||
D(("Failed getting user challenge file for user %s", username));
|
||||
goto out;
|
||||
}
|
||||
@ -404,16 +396,6 @@ do_challenge_response(struct cfg *cfg, const char *username)
|
||||
if (! load_chalresp_state(f, &state))
|
||||
goto out;
|
||||
|
||||
if (! init_yubikey(&yk)) {
|
||||
D(("Failed initializing YubiKey"));
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (! check_firmware_version(yk, false, true)) {
|
||||
D(("YubiKey does not support Challenge-Response (version 2.2 required)"));
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (! challenge_response(yk, state.slot, state.challenge, state.challenge_len,
|
||||
true, flags, false,
|
||||
buf, sizeof(buf), &response_len)) {
|
||||
|
44
util.c
44
util.c
@ -185,6 +185,43 @@ int challenge_response(YK_KEY *yk, int slot,
|
||||
return 1;
|
||||
}
|
||||
|
||||
int
|
||||
get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const char *username, char **fn)
|
||||
{
|
||||
/* Getting file from user home directory, i.e. ~/.yubico/challenge, or
|
||||
* from a system wide directory.
|
||||
*
|
||||
* Format is hex(challenge):hex(response):slot num
|
||||
*/
|
||||
|
||||
/* The challenge to use is located in a file in the user's home directory,
|
||||
* which therefor can't be encrypted. If an encrypted home directory is used,
|
||||
* the option chalresp_path can be used to point to a system-wide directory.
|
||||
*/
|
||||
|
||||
const char *filename; /* not including directory */
|
||||
unsigned int serial = 0;
|
||||
|
||||
if (! yk_get_serial(yk, 0, 0, &serial)) {
|
||||
D (("Failed to read serial number (serial-api-visible disabled?)."));
|
||||
if (! chalresp_path)
|
||||
filename = "challenge";
|
||||
else
|
||||
filename = username;
|
||||
} else {
|
||||
/* We have serial number */
|
||||
int res = asprintf (&filename, "%s-%i", chalresp_path == NULL ? "challenge" : username, serial);
|
||||
|
||||
if (res < 1)
|
||||
filename = NULL;
|
||||
}
|
||||
|
||||
if (filename == NULL)
|
||||
return 0;
|
||||
|
||||
return get_user_cfgfile_path (chalresp_path, filename, username, fn);
|
||||
}
|
||||
|
||||
int
|
||||
load_chalresp_state(FILE *f, CR_STATE *state)
|
||||
{
|
||||
@ -201,9 +238,12 @@ load_chalresp_state(FILE *f, CR_STATE *state)
|
||||
* (twice because we hex encode the challenge and response)
|
||||
*/
|
||||
r = fscanf(f, "v1:%126[0-9a-z]:%40[0-9a-z]:%d", &challenge_hex, &response_hex, &slot);
|
||||
D(("Challenge: %s, response: %s, slot: %d", challenge_hex, response_hex, slot));
|
||||
if (r != 3)
|
||||
if (r != 3) {
|
||||
D(("Could not parse contents of chalres_state file (%i)", r));
|
||||
goto out;
|
||||
}
|
||||
|
||||
D(("Challenge: %s, response: %s, slot: %d", challenge_hex, response_hex, slot));
|
||||
|
||||
if (! yubikey_hex_p(challenge_hex)) {
|
||||
D(("Invalid challenge hex input : %s", challenge_hex));
|
||||
|
11
util.h
11
util.h
@ -31,12 +31,16 @@
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef __PAM_YUBICO_UTIL_H_INCLUDED__
|
||||
#define __PAM_YUBICO_UTIL_H_INCLUDED__
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
#include <ykclient.h>
|
||||
#include <ykcore.h>
|
||||
#include <ykstatus.h>
|
||||
#include <ykdef.h>
|
||||
|
||||
#ifndef D
|
||||
#if defined(DEBUG_PAM)
|
||||
# if defined(HAVE_SECURITY__PAM_MACROS_H)
|
||||
# define DEBUG
|
||||
@ -49,7 +53,6 @@
|
||||
} while (0)
|
||||
# endif /* HAVE_SECURITY__PAM_MACROS_H */
|
||||
#endif /* DEBUG_PAM */
|
||||
#endif /* D */
|
||||
|
||||
/* Challenges can be 0..63 or 64 bytes long, depending on YubiKey configuration.
|
||||
* We settle for 63 bytes to have something that works with all configurations.
|
||||
@ -68,7 +71,9 @@ struct chalresp_state {
|
||||
typedef struct chalresp_state CR_STATE;
|
||||
|
||||
int generate_random(char *buf, int len);
|
||||
|
||||
int get_user_cfgfile_path(const char *common_path, const char *filename, const char *username, char **fn);
|
||||
int get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const char *username, char **fn);
|
||||
|
||||
int load_chalresp_state(FILE *f, CR_STATE *state);
|
||||
int write_chalresp_state(FILE *f, CR_STATE *state);
|
||||
@ -79,3 +84,5 @@ int challenge_response(YK_KEY *yk, int slot,
|
||||
unsigned char *challenge, unsigned int len,
|
||||
bool hmac, unsigned int flags, bool verbose,
|
||||
unsigned char *response, int res_size, int *res_len);
|
||||
|
||||
#endif /* __PAM_YUBICO_UTIL_H_INCLUDED__ */
|
||||
|
Loading…
Reference in New Issue
Block a user