diff options
author | Loïc Collignon <loic.collignon@iot.bzh> | 2017-10-26 16:27:49 +0200 |
---|---|---|
committer | Loïc Collignon <loic.collignon@iot.bzh> | 2017-10-26 16:28:29 +0200 |
commit | f8b3ccaa4edd4836885dc3e22062b69e80883f36 (patch) | |
tree | f3278c3046acdb884fcb1bce89219cf862fcdd6b | |
parent | f014ffc2223d1b3bd80a14df7698a6b19a08df35 (diff) |
add nfc pam module
Change-Id: Icc42361f64948e2c2ab082fa973793f19737df2d
Signed-off-by: Loïc Collignon <loic.collignon@iot.bzh>
-rw-r--r-- | pam_agl/CMakeLists.txt | 27 | ||||
-rw-r--r-- | pam_agl/pam_agl_nfc.c | 152 | ||||
-rw-r--r-- | pam_agl/pam_agl_usb.c (renamed from pam_agl/pam_agl.c) | 69 |
3 files changed, 185 insertions, 63 deletions
diff --git a/pam_agl/CMakeLists.txt b/pam_agl/CMakeLists.txt index 17c85be..7cd39cc 100644 --- a/pam_agl/CMakeLists.txt +++ b/pam_agl/CMakeLists.txt @@ -25,22 +25,29 @@ include(FindPkgConfig) set(PAM_INCLUDE_DIR "/usr/include/") set(PAM_LIBRARY "/lib64/libpam.so.0") include_directories(${PAM_INCLUDE_DIR}) +if (NOT DEFINED CMAKE_INSTALL_LIBDIR) + get_filename_component(CMAKE_INSTALL_LIBDIR ${PAM_LIBRARY} DIRECTORY) +endif() # Find json-c pkg_check_modules(${JSON_C} REQUIRED json-c) include_directories(${${JSON_C}_INCLUDE_DIRS}) add_compile_options(${${JSON_C}_CFLAGS}) -# Add the target -add_library(pam_agl SHARED pam_agl.c) -target_link_libraries(pam_agl ${PAM_LIBRARY} ${${JSON_C}_LIBRARIES}) -#list (APPEND link_libraries ${${JSON_C}_LDFLAGS}) -set_property(TARGET pam_agl PROPERTY POSITION_INDEPENDENT_CODE ON) -set_property(TARGET pam_agl PROPERTY PREFIX "") +# Add the pam_agl_usb target +add_library(pam_agl_usb SHARED pam_agl_usb.c) +target_link_libraries(pam_agl_usb ${PAM_LIBRARY} ${${JSON_C}_LIBRARIES}) +set_property(TARGET pam_agl_usb PROPERTY POSITION_INDEPENDENT_CODE ON) +set_property(TARGET pam_agl_usb PROPERTY PREFIX "") -if (NOT DEFINED CMAKE_INSTALL_LIBDIR) - get_filename_component(CMAKE_INSTALL_LIBDIR ${PAM_LIBRARY} DIRECTORY) -endif() +install(TARGETS pam_agl_usb + LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}/security/") + +# Add the pam_agl_nfc target +add_library(pam_agl_nfc SHARED pam_agl_nfc.c) +target_link_libraries(pam_agl_nfc ${PAM_LIBRARY} ${${JSON_C}_LIBRARIES}) +set_property(TARGET pam_agl_nfc PROPERTY POSITION_INDEPENDENT_CODE ON) +set_property(TARGET pam_agl_nfc PROPERTY PREFIX "") -install(TARGETS pam_agl +install(TARGETS pam_agl_nfc LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}/security/") diff --git a/pam_agl/pam_agl_nfc.c b/pam_agl/pam_agl_nfc.c new file mode 100644 index 0000000..b25ba5c --- /dev/null +++ b/pam_agl/pam_agl_nfc.c @@ -0,0 +1,152 @@ +#include <fcntl.h> +#include <stdarg.h> +#include <stdint.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <uuid/uuid.h> +#include <json-c/json.h> + +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD +#include <security/pam_modules.h> +#include <security/pam_appl.h> + +#include <security/pam_client.h> +#include <security/pam_ext.h> +#include <security/pam_filter.h> +#include <security/pam_misc.h> +#include <security/pam_modutil.h> + +#define DATABASE_FILE "/etc/agl/keys.json" + +int authenticate(pam_handle_t* pamh, const char* uid) +{ + struct json_object* database; + struct json_object* nfc; + struct json_object* key; + + database = json_object_from_file(DATABASE_FILE); + if (!database) + { + printf("[PAM DEBUG] Failed to parse the database\n"); + return PAM_SERVICE_ERR; + } + + if (json_object_object_get_ex(database, "nfc", &nfc)) + { + if (json_object_object_get_ex(nfc, uid, &key)) + { + printf("[PAM] Key found!\n"); + printf("[PAM DEBUG] pam_set_item(\"%s\")\n", uid); + pam_set_item(pamh, PAM_USER, uid); + + const char* pam_authtok; + if (pam_get_item(pamh, PAM_AUTHTOK, (const void**)&pam_authtok) == PAM_SUCCESS && !pam_authtok) + pam_set_item(pamh, PAM_AUTHTOK, uid); + + json_object_put(database); + return PAM_SUCCESS; + } + } + + printf("[PAM] Key not found!\n"); + if (database) json_object_put(database); + return PAM_AUTH_ERR; +} + +int check_device(pam_handle_t* pamh, const char* device) +{ + char* idkey; + int ret; + + ret = read_device(device, &idkey); + if (ret != PAM_SUCCESS) return ret; + + printf("[PAM DEBUG] Data read:\n%s\n", idkey); + + json_object* idkey_json = json_tokener_parse(idkey); + if (!idkey_json) + { + free(idkey); + printf("[PAM DEBUG] Failed to parse json data!\n"); + return PAM_SERVICE_ERR; + } + + json_object* uuid_json; + if(!json_object_object_get_ex(idkey_json, "uuid", &uuid_json)) + { + free(idkey); + printf("[PAM DEBUG] The json does not contains a valid uuid\n"); + return PAM_SERVICE_ERR; + } + + const char* uuid = json_object_get_string(uuid_json); + printf("[PAM DEBUG] uuid: %s\n", uuid); + + ret = authenticate(pamh, uuid); + free(idkey); + json_object_put(idkey_json); + return ret; +} + +void log_pam(const char* fname, int flags, int argc, const char** argv, const char* device) +{ + printf("[PAM DEBUG] ---------- %s ----------\n", fname); + printf("[PAM DEBUG] flags: %d\n", flags); + for(int i = 0; i < argc; ++i) + { + printf("[PAM DEBUG] argv[%d]: %s\n", i, argv[i]); + } + printf("[PAM DEBUG] device: %s\n", device); + printf("[PAM DEBUG] ----------------------------------------\n"); +} + +/*! + @brief The pam_sm_authenticate function is the service module's implementation + of the pam_authenticate(3) interface. + This function performs the task of authenticating the user. + + @param[in] pamh Unknown. + @param[in] flags PAM_SILENT and/or PAM_DISALLOW_NULL_AUTHTOK. + @return PAM_SUCCESS if ok. +*/ +PAM_EXTERN int pam_sm_authenticate(pam_handle_t* pamh, int flags, int argc, const char** argv) +{ + const char* uid = pam_getenv(pamh, "UID"); + log_pam("pam_sm_authenticate", flags, argc, argv, uid); + return authenticate(pamh, uid); +} + +PAM_EXTERN int pam_sm_setcred(pam_handle_t* pamh, int flags, int argc, const char** argv) +{ + log_pam("pam_sm_setcred", flags, argc, argv, pam_getenv(pamh, "DEVICE")); + return PAM_SUCCESS; +} + +PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const char** argv) +{ + log_pam("pam_sm_acct_mgmt", flags, argc, argv, pam_getenv(pamh, "DEVICE")); + return PAM_SUCCESS; +} + +PAM_EXTERN int pam_sm_open_session(pam_handle_t* pamh, int flags, int argc, const char** argv) +{ + log_pam("pam_sm_open_session", flags, argc, argv, pam_getenv(pamh, "DEVICE")); + return PAM_SUCCESS; +} + +PAM_EXTERN int pam_sm_close_session(pam_handle_t* pamh, int flags, int argc, const char** argv) +{ + log_pam("pam_sm_close_session", flags, argc, argv, pam_getenv(pamh, "DEVICE")); + return PAM_SUCCESS; +} + +PAM_EXTERN int pam_sm_chauthtok(pam_handle_t* pamh, int flags, int argc, const char** argv) +{ + log_pam("pam_sm_chauthtok", flags, argc, argv, pam_getenv(pamh, "DEVICE")); + return PAM_SUCCESS; +} diff --git a/pam_agl/pam_agl.c b/pam_agl/pam_agl_usb.c index c85979d..7afe73d 100644 --- a/pam_agl/pam_agl.c +++ b/pam_agl/pam_agl_usb.c @@ -29,37 +29,6 @@ int is_valid_mn(const char* v) return v && v[0] == 'I' && v[1] == 'D' && v[2] == 'K' && v[3] == 'Y'; } -char* get_file_content(const char* path) -{ - char* buffer; - long length; - FILE* f; - - buffer = NULL; - length = 0; - - f = fopen(path, "rb"); - if (f) - { - fseek(f, 0, SEEK_END); - length = ftell(f); - fseek(f, 0, SEEK_SET); - buffer = malloc(length + 1); - if (buffer) - { - if (fread (buffer, 1, length, f) != length) - { - free(buffer); - buffer = NULL; - } - else buffer[length] = 0; - } - fclose (f); - } - - return buffer; -} - int read_device(const char* device, char** idkey) { int fd; @@ -90,41 +59,35 @@ int read_device(const char* device, char** idkey) int authenticate(pam_handle_t* pamh, const char* uuid) { - char* file_content; struct json_object* database; + struct json_object* usb; struct json_object* key; - file_content = get_file_content(DATABASE_FILE); - if (!file_content) - { - printf("[PAM DEBUG] Failed to read database file (%s)\n", DATABASE_FILE); - return PAM_SERVICE_ERR; - } - - database = json_tokener_parse(file_content); + database = json_object_from_file(DATABASE_FILE); if (!database) { printf("[PAM DEBUG] Failed to parse the database\n"); return PAM_SERVICE_ERR; } - if (json_object_object_get_ex(database, uuid, &key)) - { - printf("[PAM] Key found!\n"); - printf("[PAM DEBUG] pam_set_item(\"%s\")\n", uuid); - pam_set_item(pamh, PAM_USER, uuid); + if (json_object_object_get_ex(database, "usb", &usb)) + { + if (json_object_object_get_ex(usb, uuid, &key)) + { + printf("[PAM] Key found!\n"); + printf("[PAM DEBUG] pam_set_item(\"%s\")\n", uuid); + pam_set_item(pamh, PAM_USER, uuid); + + const char* pam_authtok; + if (pam_get_item(pamh, PAM_AUTHTOK, (const void**)&pam_authtok) == PAM_SUCCESS && !pam_authtok) + pam_set_item(pamh, PAM_AUTHTOK, uuid); - const char* pam_authtok; - if (pam_get_item(pamh, PAM_AUTHTOK, (const void**)&pam_authtok) == PAM_SUCCESS && !pam_authtok) - pam_set_item(pamh, PAM_AUTHTOK, uuid); - - json_object_put(database); - free(file_content); - return PAM_SUCCESS; + json_object_put(database); + return PAM_SUCCESS; + } } printf("[PAM] Key not found!\n"); - free(file_content); if (database) json_object_put(database); return PAM_AUTH_ERR; } |