Diffstat (limited to 'packages')
3 files changed, 26 insertions, 10 deletions
diff --git a/packages/google-compute-engine-oslogin/pam_module/pam_oslogin_login.cc b/packages/google-compute-engine-oslogin/pam_module/pam_oslogin_login.cc index dd1b1bd..4969567 100644 --- a/packages/google-compute-engine-oslogin/pam_module/pam_oslogin_login.cc +++ b/packages/google-compute-engine-oslogin/pam_module/pam_oslogin_login.cc @@ -218,6 +218,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, challenge = challenges[0]; } + if (challenge.status != "READY") { + // Call continueSession with the START_ALTERNATE flag. + if (!ContinueSession(true, email, "", session_id, challenge, &response)) { + PAM_SYSLOG(pamh, LOG_ERR, + "Bad response from two-factor continue session request: %s", + response.empty() ? "empty response" : response.c_str()); + return PAM_PERM_DENIED; + } + } + char* user_token = NULL; if (challenge.type == INTERNAL_TWO_FACTOR) { if (pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &user_token, @@ -247,7 +257,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, return PAM_PERM_DENIED; } - if (!ContinueSession(email, user_token, session_id, challenge, &response)) { + if (!ContinueSession(false, email, user_token, session_id, challenge, + &response)) { PAM_SYSLOG(pamh, LOG_ERR, "Bad response from two-factor continue session request: %s", response.empty() ? "empty response" : response.c_str()); diff --git a/packages/google-compute-engine-oslogin/utils/oslogin_utils.cc b/packages/google-compute-engine-oslogin/utils/oslogin_utils.cc index 6677a19..0ec4c8b 100644 --- a/packages/google-compute-engine-oslogin/utils/oslogin_utils.cc +++ b/packages/google-compute-engine-oslogin/utils/oslogin_utils.cc @@ -612,7 +612,7 @@ bool StartSession(const string& email, string* response) { return ret; } -bool ContinueSession(const string& email, const string& user_token, +bool ContinueSession(bool alt, const string& email, const string& user_token, const string& session_id, const Challenge& challenge, string* response) { bool ret = true; 
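Review bot: In the pam_oslogin_login.cc hunk at -218, the new START_ALTERNATE failure path logs the same text as the later RESPOND call, `"Bad response from two-factor continue session request: %s"`, so syslog cannot show which step of the two-factor flow was refused. A distinct message such as `"Bad response from two-factor start alternate request: %s"` would let an operator tell the two apart. The reply to this call is not inspected in the hunk before the user is prompted, and the same `response` string is handed to the later RESPOND call. ContinueSession's HTTP handling is not in this diff, so it is worth confirming that it overwrites `response` rather than appending to it. pam_sm_authenticate starts and ends outside the hunk.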
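Review bot: The new leading `bool alt` parameter of ContinueSession (oslogin_utils.cc hunk at -612, and the matching declaration in the oslogin_utils.h hunk at -193) leaves the call sites reading `ContinueSession(true, email, "", ...)` and `ContinueSession(false, email, user_token, ...)`, where a swapped literal still compiles and changes whether a credential is sent. Name the argument at the call sites, e.g. `ContinueSession(/*alt=*/true, email, "", session_id, challenge, &response)`, or replace the bool with a small enum for the action. The header comment `// Calls the continueSession API.` should also describe the flag, e.g. `// alt=true sends START_ALTERNATE without a credential; alt=false sends RESPOND with user_token.` The function body continues outside this hunk.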
@@ -623,18 +623,22 @@ bool ContinueSession(const string& email, const string& user_token, json_object_object_add(jobj, "challengeId", json_object_new_int(challenge.id)); - if (challenge.type != AUTHZEN) { + if (alt) { + json_object_object_add(jobj, "action", + json_object_new_string("START_ALTERNATE")); + } else { + json_object_object_add(jobj, "action", + json_object_new_string("RESPOND")); + } + + // AUTHZEN type and START_ALTERNATE action don't provide credentials. + if (challenge.type != AUTHZEN && !alt) { jresp = json_object_new_object(); json_object_object_add(jresp, "credential", json_object_new_string(user_token.c_str())); json_object_object_add(jobj, "proposalResponse", jresp); } - if (challenge.status != "READY") { - json_object_object_add(jobj, "action", - json_object_new_string("START_ALTERNATE")); - } - const char* data = NULL; data = json_object_to_json_string_ext(jobj, JSON_C_TO_STRING_PLAIN); @@ -648,7 +652,8 @@ bool ContinueSession(const string& email, const string& user_token, } json_object_put(jobj); - if (challenge.type != AUTHZEN) { + // Match condition where we created this to avoid double-free. + if (challenge.type != AUTHZEN && !alt) { json_object_put(jresp); } diff --git a/packages/google-compute-engine-oslogin/utils/oslogin_utils.h b/packages/google-compute-engine-oslogin/utils/oslogin_utils.h index 3788521..6cd2024 100644 --- a/packages/google-compute-engine-oslogin/utils/oslogin_utils.h +++ b/packages/google-compute-engine-oslogin/utils/oslogin_utils.h @@ -193,7 +193,7 @@ bool ParseJsonToChallenges(const string& json, vector<Challenge> *challenges); bool StartSession(const string& email, string* response); // Calls the continueSession API. -bool ContinueSession(const string& email, const string& user_token, +bool ContinueSession(bool alt, const string& email, const string& user_token, const string& session_id, const Challenge& challenge, string* response); |
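Review bot: In the oslogin_utils.cc hunk at -623, ContinueSession no longer reads `challenge.status`, so nothing in the function ties START_ALTERNATE to a challenge that is not READY, and a `user_token` passed together with `alt == true` is dropped without notice. A short comment above the action block would record that contract: `// Caller checks challenge.status; with alt set, user_token is ignored and no credential is sent.` The if/else that adds `"action"` can be a single call, `json_object_object_add(jobj, "action", json_object_new_string(alt ? "START_ALTERNATE" : "RESPOND"));`. Requests for a READY challenge now carry an explicit `"action": "RESPOND"` where the old code sent no action field, which is worth confirming against the API. The function starts and ends outside the hunk.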
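Review bot: The `json_object_put(jresp)` kept in the oslogin_utils.cc hunk at -648 releases an object that `jobj` already owns. In the -623 hunk `jresp` is attached with `json_object_object_add(jobj, "proposalResponse", jresp)`, and json-c transfers ownership on that call, so the preceding `json_object_put(jobj)` has already freed it. Tightening the condition to `!alt` avoids touching `jresp` when it was never created, but the put itself still looks like a double release on the RESPOND path, which runs inside the PAM authentication process. Unless a `json_object_get(jresp)` exists outside the visible lines, drop the conditional block and keep only `json_object_put(jobj);`. The declaration of `jresp` is outside the hunk.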