pam_get_authtok.c revision 228690
191094Sdes/*- 2115619Sdes * Copyright (c) 2002-2003 Networks Associates Technology, Inc. 3228690Sdes * Copyright (c) 2004-2011 Dag-Erling Sm��rgrav 491094Sdes * All rights reserved. 591094Sdes * 691094Sdes * This software was developed for the FreeBSD Project by ThinkSec AS and 799158Sdes * Network Associates Laboratories, the Security Research Division of 899158Sdes * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 999158Sdes * ("CBOSS"), as part of the DARPA CHATS research program. 1091094Sdes * 1191094Sdes * Redistribution and use in source and binary forms, with or without 1291094Sdes * modification, are permitted provided that the following conditions 1391094Sdes * are met: 1491094Sdes * 1. Redistributions of source code must retain the above copyright 1591094Sdes * notice, this list of conditions and the following disclaimer. 1691094Sdes * 2. Redistributions in binary form must reproduce the above copyright 1791094Sdes * notice, this list of conditions and the following disclaimer in the 1891094Sdes * documentation and/or other materials provided with the distribution. 1991094Sdes * 3. The name of the author may not be used to endorse or promote 2091094Sdes * products derived from this software without specific prior written 2191094Sdes * permission. 2291094Sdes * 2391094Sdes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 2491094Sdes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 2591094Sdes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 2691094Sdes * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 2791094Sdes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 2891094Sdes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 2991094Sdes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 3091094Sdes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 3191094Sdes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 3291094Sdes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 3391094Sdes * SUCH DAMAGE. 3491094Sdes * 35228690Sdes * $Id: pam_get_authtok.c 455 2011-10-29 18:31:11Z des $ 3691094Sdes */ 3791094Sdes 38228690Sdes#ifdef HAVE_CONFIG_H 39228690Sdes# include "config.h" 40228690Sdes#endif 41228690Sdes 4291094Sdes#include <sys/param.h> 4391094Sdes 4493982Sdes#include <stdlib.h> 4596364Sdes#include <string.h> 4693982Sdes 4791094Sdes#include <security/pam_appl.h> 4891094Sdes#include <security/openpam.h> 4991094Sdes 5091094Sdes#include "openpam_impl.h" 5191094Sdes 52117610Sdesstatic const char authtok_prompt[] = "Password:"; 53117610Sdesstatic const char oldauthtok_prompt[] = "Old Password:"; 54117610Sdesstatic const char newauthtok_prompt[] = "New Password:"; 5593982Sdes 5691094Sdes/* 5791094Sdes * OpenPAM extension 5891094Sdes * 5991094Sdes * Retrieve authentication token 6091094Sdes */ 6191094Sdes 6291094Sdesint 6391094Sdespam_get_authtok(pam_handle_t *pamh, 6493982Sdes int item, 6591094Sdes const char **authtok, 6691094Sdes const char *prompt) 6791094Sdes{ 68228690Sdes char prompt_buf[1024]; 69228690Sdes size_t prompt_size; 70125647Sdes const void *oldauthtok, *prevauthtok, *promptp; 71228690Sdes const char *prompt_option, *default_prompt; 7293982Sdes char *resp, *resp2; 7393982Sdes int pitem, r, style, twice; 7491094Sdes 75107937Sdes ENTER(); 7691094Sdes if (pamh == NULL || authtok == NULL) 77107937Sdes RETURNC(PAM_SYSTEM_ERR); 7893982Sdes *authtok = NULL; 7993982Sdes twice = 0; 8093982Sdes switch (item) { 8193982Sdes case PAM_AUTHTOK: 8293982Sdes pitem = PAM_AUTHTOK_PROMPT; 83228690Sdes prompt_option = "authtok_prompt"; 8493982Sdes default_prompt = authtok_prompt; 8593982Sdes r = pam_get_item(pamh, PAM_OLDAUTHTOK, &oldauthtok); 8693982Sdes if (r == PAM_SUCCESS && oldauthtok != NULL) { 8793982Sdes default_prompt = newauthtok_prompt; 8893982Sdes twice = 1; 8993982Sdes } 9093982Sdes break; 9193982Sdes case PAM_OLDAUTHTOK: 9293982Sdes pitem = PAM_OLDAUTHTOK_PROMPT; 93228690Sdes prompt_option = "oldauthtok_prompt"; 9493982Sdes default_prompt = oldauthtok_prompt; 9593982Sdes twice = 0; 9693982Sdes break; 9793982Sdes default: 98107937Sdes RETURNC(PAM_SYMBOL_ERR); 9993982Sdes } 10091100Sdes if (openpam_get_option(pamh, "try_first_pass") || 10191100Sdes openpam_get_option(pamh, "use_first_pass")) { 102125647Sdes r = pam_get_item(pamh, item, &prevauthtok); 103125647Sdes if (r == PAM_SUCCESS && prevauthtok != NULL) { 104125647Sdes *authtok = prevauthtok; 105107937Sdes RETURNC(PAM_SUCCESS); 106125647Sdes } 10791100Sdes else if (openpam_get_option(pamh, "use_first_pass")) 108107937Sdes RETURNC(r == PAM_SUCCESS ? PAM_AUTH_ERR : r); 10991100Sdes } 110228690Sdes /* pam policy overrides the module's choice */ 111228690Sdes if ((promptp = openpam_get_option(pamh, prompt_option)) != NULL) 112228690Sdes prompt = promptp; 113228690Sdes /* no prompt provided, see if there is one tucked away somewhere */ 114228690Sdes if (prompt == NULL) 115228690Sdes if (pam_get_item(pamh, pitem, &promptp) && promptp != NULL) 116125647Sdes prompt = promptp; 117228690Sdes /* fall back to hardcoded default */ 118228690Sdes if (prompt == NULL) 119228690Sdes prompt = default_prompt; 120228690Sdes /* expand */ 121228690Sdes prompt_size = sizeof prompt_buf; 122228690Sdes r = openpam_subst(pamh, prompt_buf, &prompt_size, prompt); 123228690Sdes if (r == PAM_SUCCESS && prompt_size <= sizeof prompt_buf) 124228690Sdes prompt = prompt_buf; 12591100Sdes style = openpam_get_option(pamh, "echo_pass") ? 12691100Sdes PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF; 12793982Sdes r = pam_prompt(pamh, style, &resp, "%s", prompt); 12891094Sdes if (r != PAM_SUCCESS) 129107937Sdes RETURNC(r); 13093982Sdes if (twice) { 13193982Sdes r = pam_prompt(pamh, style, &resp2, "Retype %s", prompt); 13293982Sdes if (r != PAM_SUCCESS) { 133115619Sdes FREE(resp); 134107937Sdes RETURNC(r); 13593982Sdes } 136115619Sdes if (strcmp(resp, resp2) != 0) 137115619Sdes FREE(resp); 138115619Sdes FREE(resp2); 13993982Sdes } 14093982Sdes if (resp == NULL) 141107937Sdes RETURNC(PAM_TRY_AGAIN); 14294706Sdes r = pam_set_item(pamh, item, resp); 143115619Sdes FREE(resp); 14493982Sdes if (r != PAM_SUCCESS) 145107937Sdes RETURNC(r); 146110556Sdes r = pam_get_item(pamh, item, (const void **)authtok); 147110556Sdes RETURNC(r); 14891094Sdes} 14991100Sdes 15091100Sdes/* 15191100Sdes * Error codes: 15291100Sdes * 15391100Sdes * =pam_get_item 15491100Sdes * =pam_prompt 15591100Sdes * =pam_set_item 15691100Sdes * !PAM_SYMBOL_ERR 15793982Sdes * PAM_TRY_AGAIN 15891100Sdes */ 15993982Sdes 16093982Sdes/** 16193982Sdes * The =pam_get_authtok function returns the cached authentication token, 162141098Sdes * or prompts the user if no token is currently cached. 163141098Sdes * Either way, a pointer to the authentication token is stored in the 164141098Sdes * location pointed to by the =authtok argument. 16593982Sdes * 16693982Sdes * The =item argument must have one of the following values: 16793982Sdes * 16895908Sdes * =PAM_AUTHTOK: 16993982Sdes * Returns the current authentication token, or the new token 17093982Sdes * when changing authentication tokens. 17195908Sdes * =PAM_OLDAUTHTOK: 17293982Sdes * Returns the previous authentication token when changing 17393982Sdes * authentication tokens. 17493982Sdes * 17593982Sdes * The =prompt argument specifies a prompt to use if no token is cached. 17693982Sdes * If it is =NULL, the =PAM_AUTHTOK_PROMPT or =PAM_OLDAUTHTOK_PROMPT item, 177141098Sdes * as appropriate, will be used. 178141098Sdes * If that item is also =NULL, a hardcoded default prompt will be used. 179228690Sdes * Either way, the prompt is expanded using =openpam_subst before it is 180228690Sdes * passed to the conversation function. 18193982Sdes * 182228690Sdes * If =pam_get_authtok is called from a module and the ;authtok_prompt / 183228690Sdes * ;oldauthtok_prompt option is set in the policy file, the value of that 184228690Sdes * option takes precedence over both the =prompt argument and the 185228690Sdes * =PAM_AUTHTOK_PROMPT / =PAM_OLDAUTHTOK_PROMPT item. 186228690Sdes * 18793982Sdes * If =item is set to =PAM_AUTHTOK and there is a non-null =PAM_OLDAUTHTOK 18893982Sdes * item, =pam_get_authtok will ask the user to confirm the new token by 189141098Sdes * retyping it. 190141098Sdes * If there is a mismatch, =pam_get_authtok will return =PAM_TRY_AGAIN. 19193982Sdes * 19293982Sdes * >pam_get_item 19393982Sdes * >pam_get_user 194228690Sdes * >openpam_subst 19593982Sdes */ 196