Blame SOURCES/0033-authok-add-support-for-Smart-Card-related-authtokens.patch

From f9a027877ecdd697a052f6135963fb3726692310 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 26 Jun 2015 17:55:23 +0200
Subject: [PATCH 33/37] authok: add support for Smart Card related authtokens
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/sss_client/sss_cli.h        |  7 ++++
 src/tests/cmocka/test_authtok.c | 75 +++++++++++++++++++++++++++++++++++++++++
 src/util/authtok.c              | 64 +++++++++++++++++++++++++++++++++++
 src/util/authtok.h              | 41 ++++++++++++++++++++++
 4 files changed, 187 insertions(+)
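diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 0dfb525bacba5f6928e8ece76e05f60d7f2eebd5..3c4e938ae37c042879b1ae26fe389fa37cef682c 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -308,6 +308,13 @@ enum sss_authtok_type {
     SSS_AUTHTOK_TYPE_2FA =       0x0003, /**< Authentication token has two
                                           * factors, they may or may no contain
                                           * a trailing \\0 */
+    SSS_AUTHTOK_TYPE_SC_PIN =    0x0004, /**< Authentication token is a Smart
+                                          * Card pin, it may or may no contain
+                                          * a trailing \\0 */
+    SSS_AUTHTOK_TYPE_SC_KEYPAD = 0x0005, /**< Authentication token indicates
+                                          * Smart Card authentication is used
+                                          * and that the pin will be entered
+                                          * at the card reader. */
 };
 
 /**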
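Review bot: The doc comment on the new SSS_AUTHTOK_TYPE_SC_PIN entry copies the typo from the 2FA entry above it, `Card pin, it may or may no contain` should read `Card pin, it may or may not contain`. This enum is shared between the client library and the responders, so its comments are what protocol users read; fixing the wording while the line is being added is cheap. The enclosing `enum sss_authtok_type` starts before the hunk.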
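diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c
index 5aa47c7b6b8c955666a9c73d5f9627d6378d13e0..30dcc9c8401103a275bd592fe8afd2c2f396ffb1 100644
--- a/src/tests/cmocka/test_authtok.c
+++ b/src/tests/cmocka/test_authtok.c
@@ -488,6 +488,77 @@ void test_sss_authtok_2fa_blobs_missing_null(void **state)
     MISSING_NULL_CHECK;
 }
 
+void test_sss_authtok_sc_keypad(void **state)
+{
+    struct test_state *ts;
+
+    ts = talloc_get_type_abort(*state, struct test_state);
+
+    sss_authtok_set_sc_keypad(NULL);
+
+    sss_authtok_set_sc_keypad(ts->authtoken);
+    assert_int_equal(sss_authtok_get_type(ts->authtoken),
+                     SSS_AUTHTOK_TYPE_SC_KEYPAD);
+    assert_int_equal(sss_authtok_get_size(ts->authtoken), 0);
+    assert_null(sss_authtok_get_data(ts->authtoken));
+}
+
+void test_sss_authtok_sc_pin(void **state)
+{
+    struct test_state *ts;
+    int ret;
+    size_t size;
+    const char *pin;
+    size_t len;
+
+    ts = talloc_get_type_abort(*state, struct test_state);
+
+    ret = sss_authtok_set_sc_pin(NULL, NULL, 0);
+    assert_int_equal(ret, EFAULT);
+
+    ret = sss_authtok_set_sc_pin(ts->authtoken, NULL, 0);
+    assert_int_equal(ret, EINVAL);
+
+    ret = sss_authtok_set_sc_pin(ts->authtoken, "12345678", 0);
+    assert_int_equal(ret, EOK);
+    assert_int_equal(sss_authtok_get_type(ts->authtoken),
+                     SSS_AUTHTOK_TYPE_SC_PIN);
+    size = sss_authtok_get_size(ts->authtoken);
+    assert_int_equal(size, 9);
+    assert_memory_equal(sss_authtok_get_data(ts->authtoken), "12345678\0",
+                                             size);
+
+    ret = sss_authtok_set_sc_pin(ts->authtoken, "12345678", 5);
+    assert_int_equal(ret, EOK);
+    assert_int_equal(sss_authtok_get_type(ts->authtoken),
+                     SSS_AUTHTOK_TYPE_SC_PIN);
+    size = sss_authtok_get_size(ts->authtoken);
+    assert_int_equal(size, 6);
+    assert_memory_equal(sss_authtok_get_data(ts->authtoken), "12345\0",
+                                             size);
+
+    ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, &len;;
+    assert_int_equal(ret, EOK);
+    assert_int_equal(len, 5);
+    assert_string_equal(pin, "12345");
+
+    sss_authtok_set_empty(ts->authtoken);
+
+    ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, &len;;
+    assert_int_equal(ret, ENOENT);
+
+    ret = sss_authtok_set_password(ts->authtoken, "12345", 0);
+    assert_int_equal(ret, EOK);
+
+    ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, &len;;
+    assert_int_equal(ret, EACCES);
+
+    sss_authtok_set_empty(ts->authtoken);
+
+    ret = sss_authtok_get_sc_pin(NULL, &pin, &len;;
+    assert_int_equal(ret, EFAULT);
+}
+
 int main(int argc, const char *argv[])
 {
     poptContext pc;
@@ -517,6 +588,10 @@ int main(int argc, const char *argv[])
                                         setup, teardown),
         cmocka_unit_test_setup_teardown(test_sss_authtok_2fa_blobs_missing_null,
                                         setup, teardown),
+        cmocka_unit_test_setup_teardown(test_sss_authtok_sc_keypad,
+                                        setup, teardown),
+        cmocka_unit_test_setup_teardown(test_sss_authtok_sc_pin,
+                                        setup, teardown),
     };
 
     /* Set debug level to invalid value so we can deside if -d 0 was used. */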
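Review bot: test_sss_authtok_sc_pin never calls `sss_authtok_get_sc_pin` with a NULL `len`, even though the implementation in authtok.c guards that pointer with `if (len)`, so the optional-length path is not exercised; adding `ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, NULL); assert_int_equal(ret, EOK);` right after the first successful get would cover it. test_sss_authtok_sc_keypad also does not check that a keypad token is refused by `sss_authtok_get_sc_pin` with EACCES, which is the one SC_KEYPAD branch the getter adds. The four `&len;;` spellings on the get_sc_pin calls look like a rendering artifact of `&len);` rather than what was committed, since the patch would not compile otherwise.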
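diff --git a/src/util/authtok.c b/src/util/authtok.c
index 45761df80175fded8a6c6e5dac8a90180b11d225..6062cd875ce2c6b541ef237e7f7bdddac80366c5 100644
--- a/src/util/authtok.c
+++ b/src/util/authtok.c
@@ -39,6 +39,8 @@ size_t sss_authtok_get_size(struct sss_auth_token *tok)
     case SSS_AUTHTOK_TYPE_PASSWORD:
     case SSS_AUTHTOK_TYPE_CCFILE:
     case SSS_AUTHTOK_TYPE_2FA:
+    case SSS_AUTHTOK_TYPE_SC_PIN:
+    case SSS_AUTHTOK_TYPE_SC_KEYPAD:
         return tok->length;
     case SSS_AUTHTOK_TYPE_EMPTY:
         return 0;
@@ -72,6 +74,8 @@ errno_t sss_authtok_get_password(struct sss_auth_token *tok,
         return EOK;
     case SSS_AUTHTOK_TYPE_CCFILE:
     case SSS_AUTHTOK_TYPE_2FA:
+    case SSS_AUTHTOK_TYPE_SC_PIN:
+    case SSS_AUTHTOK_TYPE_SC_KEYPAD:
         return EACCES;
     }
 
@@ -95,6 +99,8 @@ errno_t sss_authtok_get_ccfile(struct sss_auth_token *tok,
         return EOK;
     case SSS_AUTHTOK_TYPE_PASSWORD:
     case SSS_AUTHTOK_TYPE_2FA:
+    case SSS_AUTHTOK_TYPE_SC_PIN:
+    case SSS_AUTHTOK_TYPE_SC_KEYPAD:
         return EACCES;
     }
 
@@ -144,9 +150,11 @@ void sss_authtok_set_empty(struct sss_auth_token *tok)
         return;
     case SSS_AUTHTOK_TYPE_PASSWORD:
     case SSS_AUTHTOK_TYPE_2FA:
+    case SSS_AUTHTOK_TYPE_SC_PIN:
         safezero(tok->data, tok->length);
         break;
     case SSS_AUTHTOK_TYPE_CCFILE:
+    case SSS_AUTHTOK_TYPE_SC_KEYPAD:
         break;
     }
 
@@ -187,6 +195,11 @@ errno_t sss_authtok_set(struct sss_auth_token *tok,
         return sss_authtok_set_ccfile(tok, (const char *)data, len);
     case SSS_AUTHTOK_TYPE_2FA:
         return sss_authtok_set_2fa_from_blob(tok, data, len);
+    case SSS_AUTHTOK_TYPE_SC_PIN:
+        return sss_authtok_set_sc_pin(tok, (const char*)data, len);
+    case SSS_AUTHTOK_TYPE_SC_KEYPAD:
+        sss_authtok_set_sc_keypad(tok);
+        return EOK;
     case SSS_AUTHTOK_TYPE_EMPTY:
         sss_authtok_set_empty(tok);
         return EOK;
@@ -411,3 +424,54 @@ errno_t sss_authtok_set_2fa(struct sss_auth_token *tok,
 
     return EOK;
 }
+
+errno_t sss_authtok_set_sc_pin(struct sss_auth_token *tok, const char *pin,
+                               size_t len)
+{
+    if (tok == NULL) {
+        return EFAULT;
+    }
+    if (pin == NULL) {
+        return EINVAL;
+    }
+
+    sss_authtok_set_empty(tok);
+
+    return sss_authtok_set_string(tok, SSS_AUTHTOK_TYPE_SC_PIN,
+                                  "sc_pin", pin, len);
+}
+
+errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **pin,
+                               size_t *len)
+{
+    if (!tok) {
+        return EFAULT;
+    }
+    switch (tok->type) {
+    case SSS_AUTHTOK_TYPE_EMPTY:
+        return ENOENT;
+    case SSS_AUTHTOK_TYPE_SC_PIN:
+        *pin = (const char *)tok->data;
+        if (len) {
+            *len = tok->length - 1;
+        }
+        return EOK;
+    case SSS_AUTHTOK_TYPE_PASSWORD:
+    case SSS_AUTHTOK_TYPE_CCFILE:
+    case SSS_AUTHTOK_TYPE_2FA:
+    case SSS_AUTHTOK_TYPE_SC_KEYPAD:
+        return EACCES;
+    }
+
+    return EINVAL;
+}
+
+void sss_authtok_set_sc_keypad(struct sss_auth_token *tok)
+{
+    if (!tok) {
+        return;
+    }
+    sss_authtok_set_empty(tok);
+
+    tok->type = SSS_AUTHTOK_TYPE_SC_KEYPAD;
+}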
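Review bot: In the last hunk, `sss_authtok_get_sc_pin` writes through `pin` unconditionally while it NULL-checks `len`; if that asymmetry is deliberate (presumably mirroring the other getters, whose bodies are outside this hunk) a one-line comment such as `/* pin is mandatory, len is optional */` above the switch would make the contract explicit, otherwise `if (pin == NULL) return EINVAL;` next to the `tok` check closes the gap. The `*len = tok->length - 1` result relies on the stored blob carrying a trailing NUL, which holds only because the setter always goes through `sss_authtok_set_string`; a short comment saying so on that line would protect the invariant against a future direct assignment. Style: `sss_authtok_set_sc_pin` tests `tok == NULL` where the two functions after it use `!tok`, and the cast added in the `sss_authtok_set` hunk is written `(const char*)data` while the line just above it uses `(const char *)data`.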
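diff --git a/src/util/authtok.h b/src/util/authtok.h
index cb366270832852281a222018f8e27feb1500ff01..f1a01a42306a720fc39e701078550a071835e980 100644
--- a/src/util/authtok.h
+++ b/src/util/authtok.h
@@ -223,4 +223,45 @@ errno_t sss_authtok_set_2fa(struct sss_auth_token *tok,
 errno_t sss_authtok_get_2fa(struct sss_auth_token *tok,
                             const char **fa1, size_t *fa1_len,
                             const char **fa2, size_t *fa2_len);
+
+/**
+ * @brief Set a Smart Card pin into a an auth token, replacing any previous data
+ *
+ * @param tok        A pointer to a sss_auth_token structure to change, also
+ *                   used as a memory context to allocate the internal data.
+ * @param pin        A string
+ * @param len        The length of the string or, if 0 is passed,
+ *                   then strlen(password) will be used internally.
+ *
+ * @return       EOK on success
+ *               ENOMEM on error
+ */
+errno_t sss_authtok_set_sc_pin(struct sss_auth_token *tok, const char *pin,
+                               size_t len);
+
+/**
+ * @brief Returns a Smart Card pin as const string if the auth token is of
+ *        type SSS_AUTHTOK_TYPE_SC_PIN, otherwise it returns an error
+ *
+ * @param tok    A pointer to an sss_auth_token
+ * @param pin    A pointer to a const char *, that will point to a null
+ *               terminated string
+ * @param len    The length of the pin string
+ *
+ * @return       EOK on success
+ *               ENOENT if the token is empty
+ *               EACCESS if the token is not a Smart Card pin token
+ */
+errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **pin,
+                               size_t *len);
+
+/**
+ * @brief Sets an auth token to type SSS_AUTHTOK_TYPE_SC_KEYPAD, replacing any
+ *        previous data
+ *
+ * @param tok        A pointer to a sss_auth_token structure to change, also
+ *                   used as a memory context to allocate the internal data.
+ */
+void sss_authtok_set_sc_keypad(struct sss_auth_token *tok);
+
 #endif /*  __AUTHTOK_H__ */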
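Review bot: The Doxygen block for `sss_authtok_set_sc_pin` lists only `EOK` and `ENOMEM`, but the implementation in authtok.c also returns `EFAULT` for a NULL `tok` and `EINVAL` for a NULL `pin`, and its `@param len` text says `strlen(password)` where this function's argument is named `pin`; a corrected return list would be `EOK on success, EFAULT if tok is NULL, EINVAL if pin is NULL, ENOMEM on error`. In the `sss_authtok_get_sc_pin` block `EACCESS` should be `EACCES`, and the `@return` list omits the `EINVAL` the function returns for an unrecognised token type. The `sss_authtok_set_sc_keypad` comment says `tok` is "also used as a memory context to allocate the internal data", but that function allocates nothing, so the clause reads as copied from the setters and could be dropped. Also `into a an auth token` in the first brief has a doubled article.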
-- 
2.4.3