rooty/yubico-pam
1
0
Fork 0
mirror of https://github.com/Yubico/yubico-pam.git synced 2025-01-20 19:52:16 +01:00
Code Issues Projects Releases Wiki Activity

Merge branch 'master' of github.com:Yubico/yubico-pam

Browse Source
This commit is contained in:
Klas Lindfors 2016-06-16 13:16:15 +02:00
commit ebe6633425
2 changed files with 66 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
pam_yubico.c
View File

@ -357,7 +357,7 @@ authorize_user_token_ldap (struct cfg *cfg,
/* Only values containing this prefix are considered. */ /* Only values containing this prefix are considered. */
if ((!cfg->yubi_attr_prefix || !strncmp (cfg->yubi_attr_prefix, vals[i]->bv_val, yubi_attr_prefix_len))) if ((!cfg->yubi_attr_prefix || !strncmp (cfg->yubi_attr_prefix, vals[i]->bv_val, yubi_attr_prefix_len)))
{ {
if(!strncmp (token_id, vals[i]->bv_val + yubi_attr_prefix_len, strlen (token_id))) if(!strncmp (token_id, vals[i]->bv_val + yubi_attr_prefix_len, strlen (vals[i]->bv_val + yubi_attr_prefix_len)))
{ {
DBG (("Token Found :: %s", vals[i]->bv_val)); DBG (("Token Found :: %s", vals[i]->bv_val));
retval = 1; retval = 1;
@ -988,16 +988,13 @@ pam_sm_authenticate (pam_handle_t * pamh,
} }
password_len = strlen (password); password_len = strlen (password);
if (password_len < (cfg->token_id_length + TOKEN_OTP_LEN))
{
DBG (("OTP too short to be considered : %zu < %u", password_len, (cfg->token_id_length + TOKEN_OTP_LEN)));
retval = PAM_AUTH_ERR;
goto done;
}
/* In case the input was systempassword+YubiKeyOTP, we want to skip over /* In case the input was systempassword+YubiKeyOTP, we want to skip over
"systempassword" when copying the token_id and OTP to separate buffers */ "systempassword" when copying the token_id and OTP to separate buffers */
skip_bytes = password_len - (cfg->token_id_length + TOKEN_OTP_LEN); if(password_len > cfg->token_id_length + TOKEN_OTP_LEN)
{
skip_bytes = password_len - (cfg->token_id_length + TOKEN_OTP_LEN);
}
DBG (("Skipping first %i bytes. Length is %zu, token_id set to %u and token OTP always %u.", DBG (("Skipping first %i bytes. Length is %zu, token_id set to %u and token OTP always %u.",
skip_bytes, password_len, cfg->token_id_length, TOKEN_OTP_LEN)); skip_bytes, password_len, cfg->token_id_length, TOKEN_OTP_LEN));
@ -1040,21 +1037,6 @@ pam_sm_authenticate (pam_handle_t * pamh,
ykclient_strerror (rc))); ykclient_strerror (rc)));
DBG (("ykclient url used: %s", ykclient_get_last_url(ykc))); DBG (("ykclient url used: %s", ykclient_get_last_url(ykc)));
switch (rc)
{
case YKCLIENT_OK:
break;
case YKCLIENT_BAD_OTP:
case YKCLIENT_REPLAYED_OTP:
retval = PAM_AUTH_ERR;
goto done;
default:
retval = PAM_AUTHINFO_UNAVAIL;
goto done;
}
/* authorize the user with supplied token id */ /* authorize the user with supplied token id */
if (cfg->ldapserver != NULL || cfg->ldap_uri != NULL) if (cfg->ldapserver != NULL || cfg->ldap_uri != NULL)
valid_token = authorize_user_token_ldap (cfg, user, otp_id); valid_token = authorize_user_token_ldap (cfg, user, otp_id);
@ -1064,7 +1046,21 @@ pam_sm_authenticate (pam_handle_t * pamh,
switch(valid_token) switch(valid_token)
{ {
case 1: case 1:
retval = PAM_SUCCESS; switch (rc)
{
case YKCLIENT_OK:
retval = PAM_SUCCESS;
break;
case YKCLIENT_BAD_OTP:
case YKCLIENT_REPLAYED_OTP:
retval = PAM_AUTH_ERR;
break;
default:
retval = PAM_AUTHINFO_UNAVAIL;
break;
}
break; break;
case 0: case 0:
DBG (("Internal error while validating user")); DBG (("Internal error while validating user"));

46
tests/pam_test.c
View File

@ -64,6 +64,8 @@ static struct data {
{"foo", "vvincrediblltrerdegkkrkkneieultcjdghrejjbckh"}, {"foo", "vvincrediblltrerdegkkrkkneieultcjdghrejjbckh"},
{"foo", "vvincredibletrerdegkkrkkneieultcjdghrejjbckl"}, {"foo", "vvincredibletrerdegkkrkkneieultcjdghrejjbckl"},
{"test", "ccccccbchvthlivuitriujjifivbvtrjkjfirllluurj"}, {"test", "ccccccbchvthlivuitriujjifivbvtrjkjfirllluurj"},
{"foo", ""},
{"bar", ""},
}; };
@ -194,6 +196,26 @@ static int test_authenticate3(void) {
return pam_sm_authenticate(4, 0, sizeof(cfg) / sizeof(char*), cfg); return pam_sm_authenticate(4, 0, sizeof(cfg) / sizeof(char*), cfg);
} }
static int test_authenticate4(void) {
const char *cfg[] = {
"id=1",
"urllist=http://localhost:"YKVAL_PORT1"/wsapi/2/verify;http://localhost:"YKVAL_PORT2"/wsapi/2/verify",
"authfile="AUTHFILE,
"debug",
};
return pam_sm_authenticate(5, 0, sizeof(cfg) / sizeof(char*), cfg);
}
static int test_authenticate5(void) {
const char *cfg[] = {
"id=1",
"urllist=http://localhost:"YKVAL_PORT1"/wsapi/2/verify;http://localhost:"YKVAL_PORT2"/wsapi/2/verify",
"authfile="AUTHFILE,
"debug",
};
return pam_sm_authenticate(6, 0, sizeof(cfg) / sizeof(char*), cfg);
}
static int test_fail_authenticate1(void) { static int test_fail_authenticate1(void) {
const char *cfg[] = { const char *cfg[] = {
"id=1", "id=1",
@ -244,6 +266,14 @@ static int test_authenticate_ldap3(void) {
return pam_sm_authenticate(4, 0, sizeof(ldap_cfg2) / sizeof(char*), ldap_cfg2); return pam_sm_authenticate(4, 0, sizeof(ldap_cfg2) / sizeof(char*), ldap_cfg2);
} }
static int test_authenticate_ldap4(void) {
return pam_sm_authenticate(5, 0, sizeof(ldap_cfg) / sizeof(char*), ldap_cfg);
}
static int test_authenticate_ldap5(void) {
return pam_sm_authenticate(6, 0, sizeof(ldap_cfg) / sizeof(char*), ldap_cfg);
}
static pid_t run_mock(const char *port, const char *type) { static pid_t run_mock(const char *port, const char *type) {
pid_t pid = fork(); pid_t pid = fork();
if(pid == 0) { if(pid == 0) {
@ -287,6 +317,14 @@ int main(void) {
ret = 6; ret = 6;
goto out; goto out;
} }
if(test_authenticate4() != PAM_AUTH_ERR) {
ret = 7;
goto out;
}
if(test_authenticate5() != PAM_USER_UNKNOWN) {
ret = 8;
goto out;
}
#ifdef HAVE_LIBLDAP #ifdef HAVE_LIBLDAP
if(test_authenticate_ldap1() != PAM_SUCCESS) { if(test_authenticate_ldap1() != PAM_SUCCESS) {
ret = 1001; ret = 1001;
@ -308,6 +346,14 @@ int main(void) {
ret = 1005; ret = 1005;
goto out; goto out;
} }
if(test_authenticate_ldap4() != PAM_AUTH_ERR) {
ret = 1006;
goto out;
}
if(test_authenticate_ldap5() != PAM_USER_UNKNOWN) {
ret = 1007;
goto out;
}
#endif #endif
out: out: