/*
* Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
* Portions Copyright (c) 2001 PADL Software Pty Ltd. All rights reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* Portions Copyright (c) 2000 Apple Computer, Inc. All Rights
* Reserved. This file contains Original Code and/or Modifications of
* Original Code as defined in and that are subject to the Apple Public
* Source License Version 1.1 (the "License"). You may not use this file
* except in compliance with the License. Please obtain a copy of the
* License at http://www.apple.com/publicsource and read it before using
* this file.
*
* The Original Code and all software distributed under the License are
* distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE OR NON- INFRINGEMENT. Please see the
* License for the specific language governing rights and limitations
* under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/******************************************************************
* The purpose of this module is to provide a Touch ID
* based authentication module for Mac OS X.
******************************************************************/
#include <limits.h>
#include <pwd.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <CoreFoundation/CoreFoundation.h>
#include <coreauthd_spi.h>
#include <LocalAuthentication/LAPrivateDefines.h>
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#include <security/pam_modules.h>
#include <security/pam_appl.h>
#include <Security/Authorization.h>
#include <vproc_priv.h>
#include "Logging.h"
#include "Common.h"
#ifdef PAM_USE_OS_LOG
PAM_DEFINE_LOG(touchid)
#define PAM_LOG PAM_LOG_touchid()
#endif
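PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
{
    /*
     * Touch ID authentication for the PAM user.
     *
     * Steps, each of which fails closed:
     *   1. resolve the PAM user to a passwd entry (its uid is needed below);
     *   2. require an Aqua session, because the biometric prompt needs a UI;
     *   3. ask LocalAuthentication, non-interactively, whether biometrics are
     *      usable for that uid;
     *   4. request the "com.apple.security.sudo" right from Authorization
     *      Services, allowing an interactive prompt.
     *
     * Returns PAM_SUCCESS only when step 4 grants the right,
     * PAM_AUTHINFO_UNAVAIL when the user cannot be resolved, and PAM_AUTH_ERR
     * otherwise. The PAM flags (e.g. PAM_SILENT) and the module arguments
     * (argc/argv) are not consulted.
     *
     * NOTE(review): the sudo right in step 4 is requested for the calling
     * process's authorization session, not explicitly for pwd->pw_uid; the
     * uid only enters through the eligibility check in step 3. Confirm
     * against the rule for com.apple.security.sudo whether that matters when
     * the PAM user differs from the session user.
     */
    _LOG_DEBUG("pam_tid: pam_sm_authenticate");
    int retval = PAM_AUTH_ERR;
    CFTypeRef context = NULL;
    CFErrorRef error = NULL;
    CFMutableDictionaryRef options = NULL;
    CFNumberRef notInteractiveKey = NULL;
    CFNumberRef notInteractiveValue = NULL;
    CFNumberRef userIdKey = NULL;
    CFNumberRef userIdValue = NULL;
    AuthorizationRef authorizationRef = NULL;
    int tmp;
    const char *user = NULL;
    struct passwd *pwd = NULL;
    struct passwd pwdbuf;
    char *buffer = NULL;
    char *manager = NULL;
    bool runningInAquaSession = false;

    /* Size the getpwnam_r scratch buffer; fall back when sysconf cannot say. */
    long bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
    if (bufsize == -1) {
        bufsize = 2 * PATH_MAX;
    }
    buffer = malloc((size_t)bufsize);
    if (buffer == NULL) {
        /* Without the scratch buffer getpwnam_r cannot run; fail closed. */
        _LOG_ERROR("unable to allocate passwd buffer.");
        retval = PAM_AUTH_ERR;
        goto cleanup;
    }

    /* Step 1: the user PAM is authenticating for, resolved to a passwd entry. */
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || !user ||
        getpwnam_r(user, &pwdbuf, buffer, (size_t)bufsize, &pwd) != 0 || !pwd) {
        _LOG_ERROR("unable to obtain the username.");
        retval = PAM_AUTHINFO_UNAVAIL;
        goto cleanup;
    }

    /* Step 2: Touch ID needs a GUI, so the session manager must be Aqua. */
    if (vproc_swap_string(NULL, VPROC_GSK_MGR_NAME, NULL, &manager) != NULL) {
        _LOG_ERROR("unable to determine session.");
        retval = PAM_AUTH_ERR;
        goto cleanup;
    }
    /* vproc may hand back no manager name at all; that is "not Aqua". */
    runningInAquaSession = manager ? (strcmp(manager, VPROCMGR_SESSION_AQUA) == 0) : false;
    free(manager);
    manager = NULL;
    if (!runningInAquaSession) {
        _LOG_ERROR("UI not available.");
        retval = PAM_AUTH_ERR;
        goto cleanup;
    }

    /*
     * Step 3: build { kLAOptionNotInteractive: 1, kLAOptionUserId: uid }
     * without Foundation, using CFNumber keys and values.
     */
    tmp = kLAOptionNotInteractive;
    notInteractiveKey = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tmp);
    tmp = 1;
    notInteractiveValue = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tmp);
    tmp = kLAOptionUserId;
    userIdKey = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tmp);
    /*
     * NOTE(review): uid_t is unsigned but is carried as a signed 32-bit
     * CFNumber here (as before); a uid above INT_MAX would wrap negative.
     * Confirm what kLAOptionUserId expects before changing the number type.
     */
    tmp = (int)pwd->pw_uid;
    userIdValue = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tmp);
    if (!(notInteractiveKey && notInteractiveValue && userIdKey && userIdValue)) {
        _LOG_ERROR("unable to create data structures.");
        retval = PAM_AUTH_ERR;
        goto cleanup;
    }
    /* The capacity of 2 is only a hint; the dictionary can grow. */
    options = CFDictionaryCreateMutable(kCFAllocatorDefault, 2,
                                        &kCFTypeDictionaryKeyCallBacks,
                                        &kCFTypeDictionaryValueCallBacks);
    if (options == NULL) {
        /* CFDictionarySetValue on NULL would crash; fail closed instead. */
        _LOG_ERROR("unable to create data structures.");
        retval = PAM_AUTH_ERR;
        goto cleanup;
    }
    CFDictionarySetValue(options, notInteractiveKey, notInteractiveValue);
    CFDictionarySetValue(options, userIdKey, userIdValue);

    context = LACreateNewContextWithACMContext(NULL, &error);
    if (!context) {
        _LOG_ERROR("unable to create context.");
        retval = PAM_AUTH_ERR;
        goto cleanup;
    }

    /*
     * Because the evaluation is non-interactive, the expected outcome for a
     * Touch ID-capable user is *failure* with kLAErrorNotInteractive; that
     * failure is the "eligible" signal. Any other failure code means
     * biometrics are not usable for this uid and the module fails. A failure
     * that comes with no error object cannot be classified, so it is treated
     * as not eligible rather than dereferencing a NULL CFErrorRef.
     */
    if (!LAEvaluatePolicy(context, kLAPolicyDeviceOwnerAuthenticationWithBiometrics, options, &error)) {
        if (error == NULL) {
            _LOG_DEBUG("policy evaluation failed without an error object");
            retval = PAM_AUTH_ERR;
            goto cleanup;
        }
        if (CFErrorGetCode(error) != kLAErrorNotInteractive) {
            _LOG_DEBUG("policy evaluation failed: %ld", (long)CFErrorGetCode(error));
            retval = PAM_AUTH_ERR;
            goto cleanup;
        }
    }

    /*
     * Step 4: the actual credential check. Authorization Services evaluates
     * the com.apple.security.sudo right under its own rule and may prompt
     * (kAuthorizationFlagInteractionAllowed); only errAuthorizationSuccess
     * from AuthorizationCopyRights counts as authenticated.
     */
    OSStatus status = AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &authorizationRef);
    if (status == errAuthorizationSuccess) {
        AuthorizationItem sudoRight = {"com.apple.security.sudo", 0, NULL, 0};
        AuthorizationRights requested = {1, &sudoRight};
        AuthorizationRights *granted = NULL;
        /* Named authFlags so it does not shadow the PAM `flags` parameter. */
        AuthorizationFlags authFlags = kAuthorizationFlagDefaults
                                     | kAuthorizationFlagInteractionAllowed
                                     | kAuthorizationFlagExtendRights;
        status = AuthorizationCopyRights(authorizationRef, &requested, kAuthorizationEmptyEnvironment, authFlags, &granted);
        _LOG_DEBUG("Authorization result: %d", (int)status);
        if (granted) {
            AuthorizationFreeItemSet(granted);
        }
        AuthorizationFree(authorizationRef, kAuthorizationFlagDefaults);
        authorizationRef = NULL;
    } else {
        _LOG_DEBUG("AuthorizationCreate failed: %d", (int)status);
    }
    if (status == errAuthorizationSuccess) {
        /* The sudo right was granted: Touch ID authentication passed. */
        retval = PAM_SUCCESS;
    }

cleanup:
    /* CFReleaseSafe tolerates NULL, so every path can fall through here. */
    CFReleaseSafe(context);
    CFReleaseSafe(notInteractiveKey);
    CFReleaseSafe(notInteractiveValue);
    CFReleaseSafe(userIdKey);
    CFReleaseSafe(userIdValue);
    CFReleaseSafe(options);
    CFReleaseSafe(error);
    free(buffer);
    _LOG_DEBUG("pam_tid: pam_sm_authenticate returned %d", retval);
    return retval;
}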
PAM_EXTERN int
pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
{
    /*
     * Credential phase: this module does not establish, refresh or delete
     * any credentials, so the call is a no-op that always reports
     * PAM_SUCCESS regardless of the PAM flags or module arguments.
     */
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc, const char **argv)
{
    /*
     * Account phase: no account checks (expiry, access restrictions, etc.)
     * are performed here; the call is a no-op that always reports
     * PAM_SUCCESS, so any account policy has to come from other modules in
     * the stack.
     */
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;
    return PAM_SUCCESS;
}