static void test_get_user_cfgfile_path(void) {
char *file;
int ret = get_user_cfgfile_path("/foo/bar", "test", "root", &file);
assert(ret == 1);
assert(strcmp(file, "/foo/bar/test") == 0);
free(file);
ret = get_user_cfgfile_path(NULL, "test", "root", &file);
assert(ret == 1);
assert(strcmp(file, "/root/.yubico/test") == 0);
free(file);
}
static void test_get_user_cfgfile_path(void) {
char *file;
struct passwd user;
int ret;
user.pw_name = "root";
user.pw_dir = "/root";
ret = get_user_cfgfile_path("/foo/bar", "test", &user, &file);
assert(ret == 1);
assert(strcmp(file, "/foo/bar/test") == 0);
free(file);
ret = get_user_cfgfile_path(NULL, "test", &user, &file);
assert(ret == 1);
assert(strcmp(file, "/root/.yubico/test") == 0);
free(file);
}
/*
* Authorize authenticated OTP_ID for login as USERNAME using
* AUTHFILE. Return 0 on failures, otherwise success.
*/
static int
authorize_user_token (struct cfg *cfg,
const char *username,
const char *otp_id)
{
int retval;
if (cfg->auth_file)
{
/* Administrator had configured the file and specified is name
as an argument for this module.
*/
retval = check_user_token (cfg, cfg->auth_file, username, otp_id);
}
else
{
char *userfile = NULL;
/* Getting file from user home directory
..... i.e. ~/.yubico/authorized_yubikeys
*/
if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", username, &userfile))
return 0;
retval = check_user_token (cfg, userfile, username, otp_id);
free (userfile);
}
return retval;
#undef USERFILE
}
/*
* Authorize authenticated OTP_ID for login as USERNAME using
* AUTHFILE. Return 0 on failures, otherwise success.
*/
static int
authorize_user_token (struct cfg *cfg,
const char *username,
const char *otp_id,
pam_handle_t *pamh)
{
int retval;
if (cfg->auth_file)
{
/* Administrator had configured the file and specified is name
as an argument for this module.
*/
DBG (("Using system-wide auth_file %s", cfg->auth_file));
retval = check_user_token (cfg, cfg->auth_file, username, otp_id);
}
else
{
char *userfile = NULL;
struct passwd *p;
p = getpwnam (username);
if (p == NULL) {
DBG (("getpwnam: %s", strerror(errno)));
return 0;
}
/* Getting file from user home directory
..... i.e. ~/.yubico/authorized_yubikeys
*/
if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", username, &userfile)) {
D (("Failed figuring out per-user cfgfile"));
return 0;
}
DBG (("Dropping privileges"));
if (drop_privileges(p, pamh) < 0) {
D (("could not drop privileges"));
return 0;
}
retval = check_user_token (cfg, userfile, username, otp_id);
if (restore_privileges(pamh) < 0)
{
DBG (("could not restore privileges"));
return 0;
}
free (userfile);
}
return retval;
}
int
get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct passwd *user, char **fn)
{
/* Getting file from user home directory, i.e. ~/.yubico/challenge, or
* from a system wide directory.
*/
/* The challenge to use is located in a file in the user's home directory,
* which therefor can't be encrypted. If an encrypted home directory is used,
* the option chalresp_path can be used to point to a system-wide directory.
*/
const char *filename = NULL; /* not including directory */
char *ptr = NULL;
unsigned int serial = 0;
int ret;
if (! yk_get_serial(yk, 0, 0, &serial)) {
D (("Failed to read serial number (serial-api-visible disabled?)."));
if (! chalresp_path)
filename = "challenge";
else
filename = user->pw_name;
} else {
/* We have serial number */
/* 0xffffffff == 4294967295 == 10 digits */
size_t len = strlen(chalresp_path == NULL ? "challenge" : user->pw_name) + 1 + 10 + 1;
if ((ptr = malloc(len)) != NULL) {
int res = snprintf(ptr, len, "%s-%u", chalresp_path == NULL ? "challenge" : user->pw_name, serial);
filename = ptr;
if (res < 0 || (unsigned long)res > len) {
/* Not enough space, strangely enough. */
free(ptr);
filename = NULL;
}
}
}
if (filename == NULL)
return 0;
ret = get_user_cfgfile_path (chalresp_path, filename, user, fn);
if(ptr) {
free(ptr);
}
return ret;
}
