afs_password.c

Bug Summary

File:	pam/afs_password.c
Location:	line 169, column 6
Description:	Value stored to 'try_first_pass' is never read

Annotated Source Code

1	/*
2	* Copyright 2000, International Business Machines Corporation and others.
3	* All Rights Reserved.
4	*
5	* This software has been released under the terms of the IBM Public
6	* License. For details, see the LICENSE file in the top-level source
7	* directory or online at http://www.openafs.org/dl/license10.html
8	*/
9
10	#include <afsconfig.h>
11	#include <afs/param.h>
12
13	#include <roken.h>
14
15	#ifdef HAVE_SYS_WAIT_H1
16	#include <sys/wait.h>
17	#endif
18
19	#include <security/pam_appl.h>
20	#include <security/pam_modules.h>
21
22	#include <afs/kautils.h>
23	#include "afs_message.h"
24	#include "afs_util.h"
25	#include "afs_pam_msg.h"
26
27	#define RET(x){ retcode = (x); goto out; } { retcode = (x); goto out; }
28
29	extern int
30	pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc, const char **argv)
31	{
32	int retcode = PAM_SUCCESS;
33	int errcode = PAM_SUCCESS;
34	int code;
35	int origmask;
36	int logmask = LOG_UPTO(LOG_INFO)((1 << ((6)+1)) - 1);
37	int nowarn = 0;
38	int use_first_pass = 0;
39	int try_first_pass = 0;
40	int ignore_root = 0;
41	int got_authtok = 0; /* got PAM_AUTHTOK upon entry */
42	char torch_password = NULL((void )0);
43	int i;
44	char my_password_buf[256];
45	char instance[256];
46	char realm[256];
47	char cell[256];
48	char *localcell;
49	PAM_CONST char user = NULL((void )0), password = NULL((void )0);
50	char new_password = NULL((void )0), verify_password = NULL((void )0);
51	char upwd_buf[2048]; /* size is a guess. */
52	char reason = NULL((void )0);
53	struct ktc_encryptionKey oldkey, newkey;
54	struct ktc_token token;
55	struct ubik_client *conn = 0;
56	PAM_CONST struct pam_conv pam_convp = NULL((void )0);
57	struct passwd unix_pwd, upwd = NULL((void )0);
58
59	#ifndef AFS_SUN5_ENV
60	openlog(pam_afs_ident, LOG_CONS0x02, LOG_AUTH(4<<3));
61	#endif
62	origmask = setlogmask(logmask);
63
64	/*
65	* Parse the user options. Log an error for any unknown options.
66	*
67	* Todo options: PAM_SILENT
68	*/
69	for (i = 0; i < argc; i++) {
70	if (strcasecmp(argv[i], "debug") == 0) {
71	logmask \|= LOG_MASK(LOG_DEBUG)(1 << (7));
72	(void)setlogmask(logmask);
73	} else if (strcasecmp(argv[i], "nowarn") == 0) {
74	nowarn = 1;
75	} else if (strcasecmp(argv[i], "use_first_pass") == 0) {
76	use_first_pass = 1;
77	} else if (strcasecmp(argv[i], "try_first_pass") == 0) {
78	try_first_pass = 1;
79	} else if (strcasecmp(argv[i], "ignore_root") == 0) {
80	ignore_root = 1;
81	} else {
82	pam_afs_syslog(LOG_ERR3, PAMAFS_UNKNOWNOPT1, argv[i]);
83	}
84	}
85
86	if (use_first_pass)
87	try_first_pass = 0;
88
89	if (logmask && LOG_MASK(LOG_DEBUG)(1 << (7))) {
90	pam_afs_syslog(LOG_DEBUG7, PAMAFS_OPTIONS17, nowarn, use_first_pass,
91	try_first_pass);
92	pam_afs_syslog(LOG_DEBUG7, PAMAFS_PAMERROR14, flags);
93	}
94
95	/* Try to get the user-interaction info, if available. */
96	errcode = pam_get_item(pamh, PAM_CONV, (PAM_CONST void **)&pam_convp);
97	if (errcode != PAM_SUCCESS) {
98	pam_afs_syslog(LOG_WARNING4, PAMAFS_NO_USER_INT18);
99	pam_convp = NULL((void *)0);
100	}
101
102	/* Who are we trying to authenticate here? */
103	if ((errcode =
104	pam_get_user(pamh, &user,
105	"AFS username: ")) != PAM_SUCCESS) {
106	pam_afs_syslog(LOG_ERR3, PAMAFS_NOUSER2, errcode);
107	RET(PAM_USER_UNKNOWN){ retcode = (PAM_USER_UNKNOWN); goto out; };
108	}
109
110	if (logmask && LOG_MASK(LOG_DEBUG)(1 << (7)))
111	pam_afs_syslog(LOG_DEBUG7, PAMAFS_USERNAMEDEBUG3, user);
112
113	/*
114	* If the user has a "local" (or via nss, possibly nss_dce) pwent,
115	* and its uid==0, and "ignore_root" was given in pam.conf,
116	* ignore the user.
117	*/
118	#if defined(AFS_HPUX_ENV) \|\| defined(AFS_DARWIN100_ENV) \|\| defined(AFS_SUN5_ENV)
119	#if defined(AFS_HPUX110_ENV) \|\| defined(AFS_DARWIN100_ENV) \|\| defined(AFS_SUN5_ENV)
120	i = getpwnam_r(user, &unix_pwd, upwd_buf, sizeof(upwd_buf), &upwd);
121	#else /* AFS_HPUX110_ENV */
122	i = getpwnam_r(user, &unix_pwd, upwd_buf, sizeof(upwd_buf));
123	if (i == 0) /* getpwnam_r success */
124	upwd = &unix_pwd;
125	#endif /* else AFS_HPUX110_ENV */
126	if (ignore_root && i == 0 && upwd && upwd->pw_uid == 0) {
127	pam_afs_syslog(LOG_INFO6, PAMAFS_IGNORINGROOT26, user);
128	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
129	}
130	#else
131	#if defined(AFS_LINUX20_ENV) \|\| defined(AFS_FBSD_ENV1) \|\| defined(AFS_DFBSD_ENV) \|\| defined(AFS_NBSD_ENV)
132	upwd = getpwnam(user);
133	#else
134	upwd = getpwnam_r(user, &unix_pwd, upwd_buf, sizeof(upwd_buf));
135	#endif
136	if (ignore_root && upwd != NULL((void *)0) && upwd->pw_uid == 0) {
137	pam_afs_syslog(LOG_INFO6, PAMAFS_IGNORINGROOT26, user);
138	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
139	}
140	#endif
141
142	errcode = pam_get_item(pamh, PAM_AUTHTOK, (PAM_CONST void **)&password);
143	if (errcode != PAM_SUCCESS \|\| password == NULL((void *)0)) {
144	if (use_first_pass) {
145	pam_afs_syslog(LOG_ERR3, PAMAFS_PASSWD_REQ4, user);
146	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
147	}
148	password = NULL((void )0); / In case it isn't already NULL */
149	if (logmask && LOG_MASK(LOG_DEBUG)(1 << (7)))
150	pam_afs_syslog(LOG_DEBUG7, PAMAFS_NOFIRSTPASS8, user);
151	} else if (password[0] == '\0') {
152	/* Actually we did get one but it was empty. */
153	pam_afs_syslog(LOG_INFO6, PAMAFS_NILPASSWORD21, user);
154	RET(PAM_NEW_AUTHTOK_REQD){ retcode = (PAM_NEW_AUTHTOK_REQD); goto out; };
155	} else {
156	if (logmask && LOG_MASK(LOG_DEBUG)(1 << (7)))
157	pam_afs_syslog(LOG_DEBUG7, PAMAFS_GOTPASS7, user);
158	got_authtok = 1;
159	}
160	if (!(use_first_pass \|\| try_first_pass)) {
161	password = NULL((void *)0);
162	}
163
164	if (password == NULL((void *)0)) {
165	char *prompt_password;
166	if (use_first_pass)
167	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; }; /* shouldn't happen */
168	if (try_first_pass)
169	try_first_pass = 0;
	Value stored to 'try_first_pass' is never read
170	if (pam_convp == NULL((void )0) \|\| pam_convp->conv == NULL((void )0)) {
171	pam_afs_syslog(LOG_ERR3, PAMAFS_CANNOT_PROMPT6);
172	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
173	}
174
175	errcode = pam_afs_prompt(pam_convp, &prompt_password, 0, PAMAFS_PWD_PROMPT5);
176	if (errcode != PAM_SUCCESS \|\| prompt_password == NULL((void *)0)) {
177	pam_afs_syslog(LOG_ERR3, PAMAFS_GETPASS_FAILED9);
178	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
179	}
180	if (prompt_password[0] == '\0') {
181	pam_afs_syslog(LOG_INFO6, PAMAFS_NILPASSWORD21, user);
182	RET(PAM_NEW_AUTHTOK_REQD){ retcode = (PAM_NEW_AUTHTOK_REQD); goto out; };
183	}
184
185	/*
186	* We aren't going to free the password later (we will wipe it,
187	* though), because the storage for it if we get it from other
188	* paths may belong to someone else. Since we do need to free
189	* this storage, copy it to a buffer that won't need to be freed
190	* later, and free this storage now.
191	*/
192	strncpy(my_password_buf, prompt_password, sizeof(my_password_buf));
193	my_password_buf[sizeof(my_password_buf) - 1] = '\0';
194	memset(prompt_password, 0, strlen(password));
195	free(prompt_password);
196	password = torch_password = my_password_buf;
197	}
198
199	if ((code = ka_VerifyUserPassword(KA_USERAUTH_VERSION1 + KA_USERAUTH_DOSETPAG0x010000, (char )user, / kerberos name */
200	NULL((void )0), / instance */
201	NULL((void )0), / realm */
202	(char )password, / password */
203	0, /* spare 2 */
204	&reason /* error string */ )) != 0) {
205	pam_afs_syslog(LOG_ERR3, PAMAFS_LOGIN_FAILED13, user, reason);
206	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
207	}
208	torch_password = NULL((void *)0);
209	pam_set_item(pamh, PAM_AUTHTOK, password);
210	pam_set_item(pamh, PAM_OLDAUTHTOK, password);
211	if (flags & PAM_PRELIM_CHECK) {
212	/* only auth check was requested, so return success here */
213	return (PAM_SUCCESS);
214	}
215	if (!(flags & PAM_UPDATE_AUTHTOK)) {
216	/* these lines are never executed ... */
217	/* UPDATE_AUTHTOK flag is required, return with error */
218	pam_afs_syslog(LOG_ERR3, PAMAFS_FLAGS43, "PAM_UPDATE_AUTHTOK");
219	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
220	}
221
222	/* get the new passwd and verify it */
223	errcode =
224	pam_afs_prompt(pam_convp, &new_password, 0, PAMAFS_NEW_PWD_PROMPT40);
225	if (errcode != PAM_SUCCESS \|\| new_password == NULL((void *)0)) {
226	pam_afs_syslog(LOG_ERR3, PAMAFS_GETPASS_FAILED9);
227	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
228	}
229	if (new_password[0] == '\0') {
230	pam_afs_syslog(LOG_INFO6, PAMAFS_NILPASSWORD21, user);
231	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
232	}
233	errcode =
234	pam_afs_prompt(pam_convp, &verify_password, 0,
235	PAMAFS_VERIFY_PWD_PROMPT41);
236	if (errcode != PAM_SUCCESS \|\| verify_password == NULL((void *)0)) {
237	pam_afs_syslog(LOG_ERR3, PAMAFS_GETPASS_FAILED9);
238	memset(new_password, 0, strlen(new_password));
239	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
240	}
241	if (verify_password[0] == '\0') {
242	pam_afs_syslog(LOG_INFO6, PAMAFS_NILPASSWORD21, user);
243	memset(new_password, 0, strlen(new_password));
244	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
245	}
246	if (strcmp(new_password, verify_password) != 0) {
247	pam_afs_syslog(LOG_INFO6, PAMAFS_NE_PASSWORD45);
248	memset(new_password, 0, strlen(new_password));
249	memset(verify_password, 0, strlen(verify_password));
250	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
251	}
252	memset(verify_password, 0, strlen(verify_password));
253	/* checking password length and quality is up to other PAM modules */
254
255	/* set the new password */
256	if ((code = ka_Init(0)) != 0) {
257	pam_afs_syslog(LOG_ERR3, PAMAFS_KAERROR44, code);
258	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
259	}
260	if ((code = rx_Init(0)) != 0) {
261	pam_afs_syslog(LOG_ERR3, PAMAFS_KAERROR44, code);
262	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
263	}
264	strcpy(instance, "");
265	if ((localcell = ka_LocalCell()) == NULL((void *)0)) {
266	pam_afs_syslog(LOG_ERR3, PAMAFS_NOCELLNAME24);
267	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
268	}
269	strcpy(realm, localcell);
270	strcpy(cell, realm);
271	/* oldkey is not used in ka_ChangePassword (only for ka_auth) */
272	ka_StringToKey((char *)password, realm, &oldkey);
273	ka_StringToKey(new_password, realm, &newkey);
274	if ((code =
275	ka_GetAdminToken((char *)user, instance, realm, &oldkey, 20, &token,
276	0)) != 0) {
277	pam_afs_syslog(LOG_ERR3, PAMAFS_KAERROR44, code);
278	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
279	}
280	if ((code =
281	ka_AuthServerConn(realm, KA_MAINTENANCE_SERVICE733, &token,
282	&conn)) != 0) {
283	pam_afs_syslog(LOG_ERR3, PAMAFS_KAERROR44, code);
284	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
285	}
286	if ((code = ka_ChangePassword((char )user, / kerberos name */
287	instance, /* instance */
288	conn, /* conn */
289	0, /* old password unused */
290	&newkey /* new password */ )) != 0) {
291	pam_afs_syslog(LOG_ERR3, PAMAFS_KAPASS_FAIL42);
292	memset(new_password, 0, strlen(new_password));
293	RET(PAM_AUTH_ERR){ retcode = (PAM_AUTH_ERR); goto out; };
294	} else {
295	pam_set_item(pamh, PAM_AUTHTOK, new_password);
296	RET(PAM_SUCCESS){ retcode = (PAM_SUCCESS); goto out; };
297	}
298
299	out:
300	if (password && torch_password) {
301	memset(torch_password, 0, strlen(torch_password));
302	}
303	(void)setlogmask(origmask);
304	#ifndef AFS_SUN5_ENV
305	closelog();
306	#endif
307	return retcode;
308	}