diff --git a/src/ckpass.c b/src/ckpass.c index 1da83c6..f3a14d0 100644 --- a/src/ckpass.c +++ b/src/ckpass.c @@ -8,6 +8,8 @@ ** or PAM. */ +extern x_malloc(size_t size, const char *file, int line); + /* Used for unused parameters to silence gcc warnings. */ #define UNUSED __attribute__((__unused__)) @@ -46,7 +48,7 @@ number information for debugging error messages without the user having to pass those in every time. */ #define xcalloc(n, size) x_calloc((n), (size), __FILE__, __LINE__) -#define xmalloc(size) x_malloc((size), __FILE__, __LINE__) +#define smartcardauth_xmalloc(size) x_malloc((size), __FILE__, __LINE__) #define xrealloc(p, size) x_realloc((p), (size), __FILE__, __LINE__) #define xstrdup(p) x_strdup((p), __FILE__, __LINE__) #define xstrndup(p, size) x_strndup((p), (size), __FILE__, __LINE__) @@ -71,7 +73,7 @@ struct auth_info { ** This function allocates an array of struct pam_response to return to the ** PAM libraries that's never freed. For this program, this isn't much of an ** issue, since it will likely only be called once and then the program will -** exit. This function uses malloc and strdup instead of xmalloc and xstrdup +** exit. This function uses malloc and strdup instead of smartcardauth_xmalloc and xstrdup ** intentionally so that the PAM conversation will be closed cleanly if we ** run out of memory rather than simply terminated. ** @@ -82,8 +84,9 @@ static int pass_conv(int num_msg, const struct pam_message **msgm UNUSED, struct int i; *response = malloc(num_msg * sizeof(struct pam_response)); - if (*response == NULL) + if (*response == NULL) { return PAM_CONV_ERR; + } for (i = 0; i < num_msg; i++) { (*response)[i].resp = strdup((char *)appdata_ptr); (*response)[i].resp_retcode = 0; 
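Review bot: The added declaration `extern x_malloc(size_t size, const char *file, int line);` at the top of src/ckpass.c has no return type, so a compiler that still accepts it treats x_malloc as returning `int`. The results of `smartcardauth_xmalloc(...)` in password_dbm and check_password (later hunks) are stored in pointers, so on a platform where pointers are wider than int the address would be truncated before the code writes a password or an auth_info through it. Declare it as `extern void *x_malloc(size_t size, const char *file, int line);`. The hunk places it directly under the file header comment, so also check that `size_t` is declared by that point; whether a project header already supplies this prototype is not visible here.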
@@ -115,17 +118,21 @@ static bool auth_pam(const char *username, char *password) conv.conv = pass_conv; conv.appdata_ptr = password; status = pam_start("nnrpd", username, &conv, &pamh); - if (status != PAM_SUCCESS) + if (status != PAM_SUCCESS) { die("pam_start failed: %s", pam_strerror(pamh, status)); + } status = pam_authenticate(pamh, PAM_SILENT); - if (status != PAM_SUCCESS) + if (status != PAM_SUCCESS) { die("pam_authenticate failed: %s", pam_strerror(pamh, status)); + } status = pam_acct_mgmt(pamh, PAM_SILENT); - if (status != PAM_SUCCESS) + if (status != PAM_SUCCESS) { die("pam_acct_mgmt failed: %s", pam_strerror(pamh, status)); + } status = pam_end(pamh, status); - if (status != PAM_SUCCESS) + if (status != PAM_SUCCESS) { die("pam_end failed: %s", pam_strerror(pamh, status)); + } /* If we get to here, the user successfully authenticated. */ return true; @@ -153,8 +160,9 @@ password_dbm(char *name, const char *file) char *password; database = dbm_open(file, O_RDONLY, 0600); - if (database == NULL) + if (database == NULL) { return NULL; + } key.dptr = name; key.dsize = strlen(name); value = dbm_fetch(database, key); @@ -162,7 +170,7 @@ password_dbm(char *name, const char *file) dbm_close(database); return NULL; } - password = xmalloc(value.dsize + 1); + password = smartcardauth_xmalloc(value.dsize + 1); strlcpy(password, value.dptr, value.dsize + 1); dbm_close(database); return password; @@ -188,8 +196,10 @@ password_shadow(const char *user) struct spwd *spwd; spwd = getspnam(user); - if (spwd != NULL) - return xstrdup(spwd->sp_pwdp); + if (spwd != NULL) { + char* ret = xstrdup(spwd->sp_pwdp); + return ret; + } return NULL; } #endif /* HAVE_GETSPNAM */ @@ -206,8 +216,10 @@ password_system(const char *username) struct passwd *pwd; pwd = getpwnam(username); - if (pwd != NULL) - return xstrdup(pwd->pw_passwd); + if (pwd != NULL) { + char* ret = xstrdup(pwd->pw_passwd); + return ret; + } return NULL; } 
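Review bot: In password_dbm, the copy that follows the renamed allocation, `strlcpy(password, value.dptr, value.dsize + 1);`, can read past the end of the fetched record. A standard strlcpy walks the source to its terminating NUL to compute its return value, while a DBM datum is a counted buffer of `value.dsize` bytes with no guaranteed terminator. Copy by length instead: `memcpy(password, value.dptr, value.dsize); password[value.dsize] = '\0';`. The function's opening lines are outside this hunk.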
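Review bot: Style point in password_shadow: the new `char* ret = xstrdup(spwd->sp_pwdp); return ret;` introduces a temporary that is returned on the very next line, and it writes the declarator as `char* ret` where password_dbm and output_user use `char *password` and `char *group`. `return xstrdup(spwd->sp_pwdp);` inside the new braces says the same thing in one line. The same pattern is added in password_system and group_system, in both src/ckpass.c and src/ckpasswd.c. In group_system the declaration also lands after statements, unlike the top-of-block declarations visible elsewhere in the file.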
@@ -225,12 +237,15 @@ group_system(const char *username) struct group *gr; pwd = getpwnam(username); - if (pwd == NULL) + if (pwd == NULL) { return NULL; + } gr = getgrgid(pwd->pw_gid); - if (gr == NULL) + if (gr == NULL) { return NULL; - return xstrdup(gr->gr_name); + } + char* ret = xstrdup(gr->gr_name); + return ret; } @@ -242,12 +257,13 @@ output_user(const char *username, bool wantgroup) { if (wantgroup) { char *group = group_system(username); - if (group == NULL) + if (group == NULL) { die("group info for user %s not available", username); + } printf("User:%s@%s\n", username, group); - } - else + } else { printf("User:%s\n", username); + } } @@ -264,7 +280,7 @@ check_password(const char* username, const char* password) bool wantgroup = false; struct auth_info *authinfo = NULL; - authinfo = xmalloc(sizeof(struct auth_info)); + authinfo = smartcardauth_xmalloc(sizeof(struct auth_info)); authinfo->username = username; authinfo->password = password; @@ -273,12 +289,14 @@ check_password(const char* username, const char* password) return 0; } password = password_system(authinfo->username); - if (password == NULL) + if (password == NULL) { return 1; - if (strcmp(password, crypt(authinfo->password, password)) != 0) + } + if (strcmp(password, crypt(authinfo->password, password)) != 0) { return 1; + } /* The password matched. */ output_user(authinfo->username, wantgroup); return 0; -} \ No newline at end of file +} diff --git a/src/ckpasswd.c b/src/ckpasswd.c index 9dbdbcf..a0faa15 100644 --- a/src/ckpasswd.c +++ b/src/ckpasswd.c @@ -83,8 +83,9 @@ static int pass_conv(int num_msg, const struct pam_message **msgm UNUSED, struct int i; *response = malloc(num_msg * sizeof(struct pam_response)); - if (*response == NULL) + if (*response == NULL) { return PAM_CONV_ERR; + } for (i = 0; i < num_msg; i++) { (*response)[i].resp = strdup((char *)appdata_ptr); (*response)[i].resp_retcode = 0; 
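Review bot: The comparison `strcmp(password, crypt(authinfo->password, password))` in check_password passes crypt()'s result straight to strcmp, but crypt() is documented to return NULL on failure, and strcmp on NULL is undefined behaviour, typically a crash of the authenticator. The visible path takes the stored value from password_system(), i.e. `pw_passwd`, which on shadow-password systems is commonly a placeholder rather than a usable hash, so the failure case is not exotic. Keep the result and test it first: `const char *hash = crypt(authinfo->password, password);` followed by `if (hash == NULL || strcmp(password, hash) != 0) { return 1; }`. The same call appears in main() in src/ckpasswd.c (last hunk of the diff), where the NULL case should go to the existing `die("invalid password for user %s", ...)`. The start of check_password is outside this hunk.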
@@ -116,17 +117,21 @@ static bool auth_pam(const char *username, char *password) conv.conv = pass_conv; conv.appdata_ptr = password; status = pam_start("nnrpd", username, &conv, &pamh); - if (status != PAM_SUCCESS) + if (status != PAM_SUCCESS) { die("pam_start failed: %s", pam_strerror(pamh, status)); + } status = pam_authenticate(pamh, PAM_SILENT); - if (status != PAM_SUCCESS) + if (status != PAM_SUCCESS) { die("pam_authenticate failed: %s", pam_strerror(pamh, status)); + } status = pam_acct_mgmt(pamh, PAM_SILENT); - if (status != PAM_SUCCESS) + if (status != PAM_SUCCESS) { die("pam_acct_mgmt failed: %s", pam_strerror(pamh, status)); + } status = pam_end(pamh, status); - if (status != PAM_SUCCESS) + if (status != PAM_SUCCESS) { die("pam_end failed: %s", pam_strerror(pamh, status)); + } /* If we get to here, the user successfully authenticated. */ return true; @@ -154,8 +159,9 @@ password_dbm(char *name, const char *file) char *password; database = dbm_open(file, O_RDONLY, 0600); - if (database == NULL) + if (database == NULL) { return NULL; + } key.dptr = name; key.dsize = strlen(name); value = dbm_fetch(database, key); @@ -189,8 +195,10 @@ password_shadow(const char *user) struct spwd *spwd; spwd = getspnam(user); - if (spwd != NULL) - return xstrdup(spwd->sp_pwdp); + if (spwd != NULL) { + char* ret = xstrdup(spwd->sp_pwdp); + return ret; + } return NULL; } #endif /* HAVE_GETSPNAM */ @@ -207,8 +215,10 @@ password_system(const char *username) struct passwd *pwd; pwd = getpwnam(username); - if (pwd != NULL) - return xstrdup(pwd->pw_passwd); + if (pwd != NULL) { + char* ret = xstrdup(pwd->pw_passwd); + return ret; + } return NULL; } @@ -226,12 +236,15 @@ group_system(const char *username) struct group *gr; pwd = getpwnam(username); - if (pwd == NULL) + if (pwd == NULL) { return NULL; + } gr = getgrgid(pwd->pw_gid); - if (gr == NULL) + if (gr == NULL) { return NULL; - return xstrdup(gr->gr_name); + } + char* ret = xstrdup(gr->gr_name); + return ret; } 
@@ -243,12 +256,13 @@ output_user(const char *username, bool wantgroup) { if (wantgroup) { char *group = group_system(username); - if (group == NULL) + if (group == NULL) { die("group info for user %s not available", username); + } printf("User:%s@%s\n", username, group); - } - else + } else { printf("User:%s\n", username); + } } @@ -276,29 +290,35 @@ main(int argc, char *argv[]) while ((opt = getopt(argc, argv, "gf:u:p:" OPT_DBM OPT_SHADOW)) != -1) { switch (opt) { case 'g': - if (type == AUTH_DBM || type == AUTH_FILE) + if (type == AUTH_DBM || type == AUTH_FILE) { die("-g option is incompatible with -d or -f"); + } wantgroup = true; break; case 'd': - if (type != AUTH_NONE) + if (type != AUTH_NONE) { die("only one of -s, -f, or -d allowed"); - if (wantgroup) + } + if (wantgroup) { die("-g option is incompatible with -d or -f"); + } type = AUTH_DBM; filename = optarg; break; case 'f': - if (type != AUTH_NONE) + if (type != AUTH_NONE) { die("only one of -s, -f, or -d allowed"); - if (wantgroup) + } + if (wantgroup) { die("-g option is incompatible with -d or -f"); + } type = AUTH_FILE; filename = optarg; break; case 's': - if (type != AUTH_NONE) + if (type != AUTH_NONE) { die("only one of -s, -f, or -d allowed"); + } type = AUTH_SHADOW; break; case 'u': @@ -319,12 +339,15 @@ main(int argc, char *argv[]) exit(1); } } - if (argc != optind) - die("extra arguments given"); - if (authinfo != NULL && authinfo->username == NULL) + if (argc != optind) { + die("extra arguments given"); + } + if (authinfo != NULL && authinfo->username == NULL) { die("-u option is required if -p option is given"); - if (authinfo != NULL && authinfo->password == NULL) + } + if (authinfo != NULL && authinfo->password == NULL) { die("-p option is required if -u option is given"); + } // /* Unless a username or password was given on the command line, assume // we're being run by nnrpd. */ 
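Review bot: The checks `authinfo != NULL && authinfo->username == NULL` after option parsing in main() allow authinfo to still be NULL, yet the later hunks dereference `authinfo->username` and `authinfo->password` unconditionally. The trailing context suggests the block that read credentials from nnrpd is commented out; only its first comment lines are visible here, so this is inferred. If so, running without -u/-p leaves authinfo NULL and the program crashes instead of failing cleanly. Add an explicit guard after these checks, for example `if (authinfo == NULL) { die("-u and -p options are required"); }`. It would also mean the password can only arrive through `-p` in argv, where other local users can read it from the process list; a comment recording that limitation would help.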
@@ -339,8 +362,9 @@ main(int argc, char *argv[]) switch (type) { case AUTH_SHADOW: password = password_shadow(authinfo->username); - if (password == NULL) + if (password == NULL) { password = password_system(authinfo->username); + } break; // case AUTH_FILE: // password = password_file(authinfo->username, filename); @@ -357,10 +381,12 @@ main(int argc, char *argv[]) break; } - if (password == NULL) + if (password == NULL) { die("user %s unknown", authinfo->username); - if (strcmp(password, crypt(authinfo->password, password)) != 0) + } + if (strcmp(password, crypt(authinfo->password, password)) != 0) { die("invalid password for user %s", authinfo->username); + } /* The password matched. */ output_user(authinfo->username, wantgroup);