From f9a027877ecdd697a052f6135963fb3726692310 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 26 Jun 2015 17:55:23 +0200
Subject: [PATCH 33/37] authok: add support for Smart Card related authtokens
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sss_client/sss_cli.h | 7 ++++
src/tests/cmocka/test_authtok.c | 75 +++++++++++++++++++++++++++++++++++++++++
src/util/authtok.c | 64 +++++++++++++++++++++++++++++++++++
src/util/authtok.h | 41 ++++++++++++++++++++++
4 files changed, 187 insertions(+)
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 0dfb525bacba5f6928e8ece76e05f60d7f2eebd5..3c4e938ae37c042879b1ae26fe389fa37cef682c 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -308,6 +308,13 @@ enum sss_authtok_type {
SSS_AUTHTOK_TYPE_2FA = 0x0003, /**< Authentication token has two
* factors, they may or may no contain
* a trailing \\0 */
+ SSS_AUTHTOK_TYPE_SC_PIN = 0x0004, /**< Authentication token is a Smart
+ * Card pin, it may or may no contain
+ * a trailing \\0 */
+ SSS_AUTHTOK_TYPE_SC_KEYPAD = 0x0005, /**< Authentication token indicates
+ * Smart Card authentication is used
+ * and that the pin will be entered
+ * at the card reader. */
};
/**
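Review bot: The doc comment on the new SSS_AUTHTOK_TYPE_SC_PIN entry copies the typo from the 2FA entry above it ("may or may no contain"), and since this header is the client/responder protocol definition it is the place these semantics get read. Suggested wording: `/**< Authentication token is a Smart Card PIN, it may or may not contain a trailing \\0 */`. The enclosing enum sss_authtok_type starts outside the hunk.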
diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c
index 5aa47c7b6b8c955666a9c73d5f9627d6378d13e0..30dcc9c8401103a275bd592fe8afd2c2f396ffb1 100644
--- a/src/tests/cmocka/test_authtok.c
+++ b/src/tests/cmocka/test_authtok.c
@@ -488,6 +488,77 @@ void test_sss_authtok_2fa_blobs_missing_null(void **state)
MISSING_NULL_CHECK;
}
+void test_sss_authtok_sc_keypad(void **state)
+{
+ struct test_state *ts;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ sss_authtok_set_sc_keypad(NULL);
+
+ sss_authtok_set_sc_keypad(ts->authtoken);
+ assert_int_equal(sss_authtok_get_type(ts->authtoken),
+ SSS_AUTHTOK_TYPE_SC_KEYPAD);
+ assert_int_equal(sss_authtok_get_size(ts->authtoken), 0);
+ assert_null(sss_authtok_get_data(ts->authtoken));
+}
+
+void test_sss_authtok_sc_pin(void **state)
+{
+ struct test_state *ts;
+ int ret;
+ size_t size;
+ const char *pin;
+ size_t len;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ret = sss_authtok_set_sc_pin(NULL, NULL, 0);
+ assert_int_equal(ret, EFAULT);
+
+ ret = sss_authtok_set_sc_pin(ts->authtoken, NULL, 0);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_authtok_set_sc_pin(ts->authtoken, "12345678", 0);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(sss_authtok_get_type(ts->authtoken),
+ SSS_AUTHTOK_TYPE_SC_PIN);
+ size = sss_authtok_get_size(ts->authtoken);
+ assert_int_equal(size, 9);
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken), "12345678\0",
+ size);
+
+ ret = sss_authtok_set_sc_pin(ts->authtoken, "12345678", 5);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(sss_authtok_get_type(ts->authtoken),
+ SSS_AUTHTOK_TYPE_SC_PIN);
+ size = sss_authtok_get_size(ts->authtoken);
+ assert_int_equal(size, 6);
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken), "12345\0",
+ size);
+
+ ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, &len;;
+ assert_int_equal(ret, EOK);
+ assert_int_equal(len, 5);
+ assert_string_equal(pin, "12345");
+
+ sss_authtok_set_empty(ts->authtoken);
+
+ ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, &len;;
+ assert_int_equal(ret, ENOENT);
+
+ ret = sss_authtok_set_password(ts->authtoken, "12345", 0);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, &len;;
+ assert_int_equal(ret, EACCES);
+
+ sss_authtok_set_empty(ts->authtoken);
+
+ ret = sss_authtok_get_sc_pin(NULL, &pin, &len;;
+ assert_int_equal(ret, EFAULT);
+}
+
int main(int argc, const char *argv[])
{
poptContext pc;
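Review bot: test_sss_authtok_sc_pin never exercises the `len == NULL` branch that sss_authtok_get_sc_pin (in src/util/authtok.c of this patch) guards with `if (len)`, nor the EACCES path for a token of type SSS_AUTHTOK_TYPE_SC_KEYPAD, so a regression in either would still pass. After the first successful get call, add `ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, NULL); assert_int_equal(ret, EOK); assert_string_equal(pin, "12345");`, and in test_sss_authtok_sc_keypad follow the `sss_authtok_set_sc_keypad(ts->authtoken)` call with a get_sc_pin call asserting EACCES. The int main definition begins at the end of this hunk and continues outside it.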
@@ -517,6 +588,10 @@ int main(int argc, const char *argv[])
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_authtok_2fa_blobs_missing_null,
setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_sc_keypad,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_sc_pin,
+ setup, teardown),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
diff --git a/src/util/authtok.c b/src/util/authtok.c
index 45761df80175fded8a6c6e5dac8a90180b11d225..6062cd875ce2c6b541ef237e7f7bdddac80366c5 100644
--- a/src/util/authtok.c
+++ b/src/util/authtok.c
@@ -39,6 +39,8 @@ size_t sss_authtok_get_size(struct sss_auth_token *tok)
case SSS_AUTHTOK_TYPE_PASSWORD:
case SSS_AUTHTOK_TYPE_CCFILE:
case SSS_AUTHTOK_TYPE_2FA:
+ case SSS_AUTHTOK_TYPE_SC_PIN:
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
return tok->length;
case SSS_AUTHTOK_TYPE_EMPTY:
return 0;
@@ -72,6 +74,8 @@ errno_t sss_authtok_get_password(struct sss_auth_token *tok,
return EOK;
case SSS_AUTHTOK_TYPE_CCFILE:
case SSS_AUTHTOK_TYPE_2FA:
+ case SSS_AUTHTOK_TYPE_SC_PIN:
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
return EACCES;
}
@@ -95,6 +99,8 @@ errno_t sss_authtok_get_ccfile(struct sss_auth_token *tok,
return EOK;
case SSS_AUTHTOK_TYPE_PASSWORD:
case SSS_AUTHTOK_TYPE_2FA:
+ case SSS_AUTHTOK_TYPE_SC_PIN:
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
return EACCES;
}
@@ -144,9 +150,11 @@ void sss_authtok_set_empty(struct sss_auth_token *tok)
return;
case SSS_AUTHTOK_TYPE_PASSWORD:
case SSS_AUTHTOK_TYPE_2FA:
+ case SSS_AUTHTOK_TYPE_SC_PIN:
safezero(tok->data, tok->length);
break;
case SSS_AUTHTOK_TYPE_CCFILE:
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
break;
}
@@ -187,6 +195,11 @@ errno_t sss_authtok_set(struct sss_auth_token *tok,
return sss_authtok_set_ccfile(tok, (const char *)data, len);
case SSS_AUTHTOK_TYPE_2FA:
return sss_authtok_set_2fa_from_blob(tok, data, len);
+ case SSS_AUTHTOK_TYPE_SC_PIN:
+ return sss_authtok_set_sc_pin(tok, (const char*)data, len);
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
+ sss_authtok_set_sc_keypad(tok);
+ return EOK;
case SSS_AUTHTOK_TYPE_EMPTY:
sss_authtok_set_empty(tok);
return EOK;
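Review bot: Style: the cast on the new SSS_AUTHTOK_TYPE_SC_PIN line is written `(const char*)data`, while the CCFILE line in the same switch two lines above writes `(const char *)data`; keep the file's pointer spacing: `return sss_authtok_set_sc_pin(tok, (const char *)data, len);`. The enclosing sss_authtok_set function starts and ends outside the hunk.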
@@ -411,3 +424,54 @@ errno_t sss_authtok_set_2fa(struct sss_auth_token *tok,
return EOK;
}
+
+errno_t sss_authtok_set_sc_pin(struct sss_auth_token *tok, const char *pin,
+ size_t len)
+{
+ if (tok == NULL) {
+ return EFAULT;
+ }
+ if (pin == NULL) {
+ return EINVAL;
+ }
+
+ sss_authtok_set_empty(tok);
+
+ return sss_authtok_set_string(tok, SSS_AUTHTOK_TYPE_SC_PIN,
+ "sc_pin", pin, len);
+}
+
+errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **pin,
+ size_t *len)
+{
+ if (!tok) {
+ return EFAULT;
+ }
+ switch (tok->type) {
+ case SSS_AUTHTOK_TYPE_EMPTY:
+ return ENOENT;
+ case SSS_AUTHTOK_TYPE_SC_PIN:
+ *pin = (const char *)tok->data;
+ if (len) {
+ *len = tok->length - 1;
+ }
+ return EOK;
+ case SSS_AUTHTOK_TYPE_PASSWORD:
+ case SSS_AUTHTOK_TYPE_CCFILE:
+ case SSS_AUTHTOK_TYPE_2FA:
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
+ return EACCES;
+ }
+
+ return EINVAL;
+}
+
+void sss_authtok_set_sc_keypad(struct sss_auth_token *tok)
+{
+ if (!tok) {
+ return;
+ }
+ sss_authtok_set_empty(tok);
+
+ tok->type = SSS_AUTHTOK_TYPE_SC_KEYPAD;
+}
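Review bot: In sss_authtok_get_sc_pin the two out-parameters have different NULL contracts: `*pin = (const char *)tok->data;` writes through `pin` unconditionally, while `len` is guarded with `if (len)`, so a NULL `pin` dereferences; either reject it next to the `tok` check with `if (pin == NULL) { return EINVAL; }` or state in the header comment that `pin` must be non-NULL. The `*len = tok->length - 1;` line also relies on an SC_PIN token always carrying the trailing NUL counted in `length`; that invariant comes from sss_authtok_set_string, which is outside this patch, and if a zero-length token could ever reach this branch the size_t subtraction would wrap, so a `if (tok->length == 0) return EINVAL;` guard before it would make the assumption explicit and cheap to check.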
diff --git a/src/util/authtok.h b/src/util/authtok.h
index cb366270832852281a222018f8e27feb1500ff01..f1a01a42306a720fc39e701078550a071835e980 100644
--- a/src/util/authtok.h
+++ b/src/util/authtok.h
@@ -223,4 +223,45 @@ errno_t sss_authtok_set_2fa(struct sss_auth_token *tok,
errno_t sss_authtok_get_2fa(struct sss_auth_token *tok,
const char **fa1, size_t *fa1_len,
const char **fa2, size_t *fa2_len);
+
+/**
+ * @brief Set a Smart Card pin into a an auth token, replacing any previous data
+ *
+ * @param tok A pointer to a sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
+ * @param pin A string
+ * @param len The length of the string or, if 0 is passed,
+ * then strlen(password) will be used internally.
+ *
+ * @return EOK on success
+ * ENOMEM on error
+ */
+errno_t sss_authtok_set_sc_pin(struct sss_auth_token *tok, const char *pin,
+ size_t len);
+
+/**
+ * @brief Returns a Smart Card pin as const string if the auth token is of
+ * type SSS_AUTHTOK_TYPE_SC_PIN, otherwise it returns an error
+ *
+ * @param tok A pointer to an sss_auth_token
+ * @param pin A pointer to a const char *, that will point to a null
+ * terminated string
+ * @param len The length of the pin string
+ *
+ * @return EOK on success
+ * ENOENT if the token is empty
+ * EACCESS if the token is not a Smart Card pin token
+ */
+errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **pin,
+ size_t *len);
+
+/**
+ * @brief Sets an auth token to type SSS_AUTHTOK_TYPE_SC_KEYPAD, replacing any
+ * previous data
+ *
+ * @param tok A pointer to a sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
+ */
+void sss_authtok_set_sc_keypad(struct sss_auth_token *tok);
+
#endif /* __AUTHTOK_H__ */
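Review bot: The new doc comments do not match the implementation this patch adds in src/util/authtok.c: sss_authtok_set_sc_pin also returns EFAULT for a NULL `tok` and EINVAL for a NULL `pin`, yet its `@return` lists only EOK and ENOMEM, its `@param len` text says `strlen(password)` where it means `strlen(pin)`, and the brief reads "into a an auth token". For sss_authtok_get_sc_pin, `@param len` should say the stored value is the PIN length without the trailing NUL and that `len` may be NULL when the caller does not need it (the implementation checks `if (len)`), the return list should spell `EACCES` rather than `EACCESS`, and EINVAL for an unrecognised token type is missing. Suggested replacement for the set_sc_pin return block: ` * @return EOK on success, EFAULT if tok is NULL, EINVAL if pin is NULL, ENOMEM on error`.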
--
2.4.3