authorTodd C. Miller <millert@cvs.openbsd.org>2004-08-05 13:31:37 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2004-08-05 13:31:37 +0000
commit76f425e0946950c6947472c9886d710557009e98 (patch)
tree2a88814f6aaf9bdd14a03e2bf1f48b9073639849 /lib
parent0e97993420e1086e5f69f5c28f5eb62a599d9a36 (diff)
Add skeychallenge2() which is like skeychallenge() but takes an
already open fd. Will be used to make separate challenge/response invocations of login_skey keep the record locked. Also properly escape minus signs in man page. OK henning@ jmc@
Diffstat (limited to 'lib')
-rw-r--r--lib/libskey/Makefile8
-rw-r--r--lib/libskey/shlib_version2
-rw-r--r--lib/libskey/skey.346
-rw-r--r--lib/libskey/skey.h3
-rw-r--r--lib/libskey/skeylogin.c51
5 files changed, 67 insertions, 43 deletions
diff --git a/lib/libskey/Makefile b/lib/libskey/Makefile
index c2c28a8298e..eda5d9a784b 100644
--- a/lib/libskey/Makefile
+++ b/lib/libskey/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.7 2002/05/16 17:53:29 millert Exp $
+# $OpenBSD: Makefile,v 1.8 2004/08/05 13:31:36 millert Exp $
LIB= skey
SRCS= skeylogin.c skeysubr.c put.c
@@ -10,9 +10,9 @@ MLINKS+=skey.3 atob8.3 skey.3 backspace.3 skey.3 btoa8.3 skey.3 btoe.3 \
skey.3 sevenbit.3 skey.3 skey_authenticate.3 \
skey.3 skey_get_algorithm.3 skey.3 skey_haskey.3 skey.3 skey_keyinfo.3 \
skey.3 skey_passcheck.3 skey.3 skey_set_algorithm.3 \
- skey.3 skey_unlock.3 skey.3 skeychallenge.3 skey.3 skeygetnext.3 \
- skey.3 skeylookup.3 skey.3 skeyverify.3 skey.3 skeyzero.3 \
- skey.3 skipspace.3
+ skey.3 skey_unlock.3 skey.3 skeychallenge.3 skey.3 skeychallenge2.3 \
+ skey.3 skeygetnext.3 skey.3 skeylookup.3 skey.3 skeyverify.3 \
+ skey.3 skeyzero.3 skey.3 skipspace.3
includes:
@cd ${.CURDIR}; for i in $(HDRS); do \
diff --git a/lib/libskey/shlib_version b/lib/libskey/shlib_version
index 3066b9771e7..900b4048a96 100644
--- a/lib/libskey/shlib_version
+++ b/lib/libskey/shlib_version
@@ -1,2 +1,2 @@
major=5
-minor=0
+minor=1
diff --git a/lib/libskey/skey.3 b/lib/libskey/skey.3
index 9bf622c2f0d..0c03af4fcab 100644
--- a/lib/libskey/skey.3
+++ b/lib/libskey/skey.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: skey.3,v 1.10 2003/06/17 21:56:24 millert Exp $
+.\" $OpenBSD: skey.3,v 1.11 2004/08/05 13:31:36 millert Exp $
.\"
.\" Copyright (c) 2001 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
@@ -39,6 +39,7 @@
.Nm skey_set_algorithm ,
.Nm skey_unlock ,
.Nm skeychallenge ,
+.Nm skeychallenge2 ,
.Nm skeygetnext ,
.Nm skeylookup ,
.Nm skeyverify ,
@@ -89,6 +90,8 @@
.Ft int
.Fn skeychallenge "struct skey *rec" "char *user" "char *buf"
.Ft int
+.Fn skeychallenge2 "int fd" "struct skey *rec" "char *user" "char *buf"
+.Ft int
.Fn skeygetnext "struct skey *rec"
.Ft int
.Fn skeylookup "struct skey *rec" "char *user"
@@ -108,7 +111,7 @@ to an 8-byte binary array stored in
.Fa out .
The
.Fn atob8
-function returns 0 on success and -1 if an invalid hex character is encountered.
+function returns 0 on success and \-1 if an invalid hex character is encountered.
.Pp
The
.Fn backspace
@@ -127,7 +130,7 @@ to a 16-byte string of hex digits stored in
the caller must supply enough space (17 bytes including the final NUL).
The
.Fn btoa8
-function returns 0 on success and -1 if an error occurred.
+function returns 0 on success and \-1 if an error occurred.
.Pp
The
.Fn btoe
@@ -150,8 +153,8 @@ into an 8-byte binary representation.
The
.Fn etob
function returns 1 if the words are all in the database and parity is correct,
-0 if a word is not in the database, -1 if the number of words is incorrect,
-or -2 if there is a parity error.
+0 if a word is not in the database, \-1 if the number of words is incorrect,
+or \-2 if there is a parity error.
.Pp
The
.Fn f
@@ -166,7 +169,7 @@ function converts a single hex digit
to an integer.
The
.Fn htoi
-function returns the converted integer on success or -1 if
+function returns the converted integer on success or \-1 if
.Fa h
not a valid hex digit.
.Pp
@@ -181,7 +184,7 @@ runs them through a hash function and collapses the
to 64 bits.
The
.Fn keycrunch
-function returns 0 on success or -1 if there is a memory allocation failure.
+function returns 0 on success or \-1 if there is a memory allocation failure.
.Pp
The
.Fn put8
@@ -239,7 +242,7 @@ function presents the
with an S/Key challenge and authenticates the response.
The
.Fn skey_authenticate
-function returns 0 if authentication is successful or -1 if not.
+function returns 0 if authentication is successful or \-1 if not.
.Pp
The
.Fn skey_get_algorithm
@@ -252,7 +255,7 @@ The
.Fn skey_haskey
function returns 0 if the
.Fa user
-exists in the S/Key database, 1 if the user does not exist, or -1
+exists in the S/Key database, 1 if the user does not exist, or \-1
if there was an error reading the database.
.Pp
The
@@ -270,7 +273,7 @@ function checks a
and
.Fa passwd
pair against the S/Key database.
-It returns 0 on successful authentication or -1 on failure.
+It returns 0 on successful authentication or \-1 on failure.
.Pp
The
.Fn skey_set_algorithm
@@ -287,7 +290,7 @@ function unlocks the record in the S/Key database specified by
.Fa rec .
The
.Fn skey_unlock
-function returns 0 on success or -1 on failure.
+function returns 0 on success or \-1 on failure.
Either way, the S/Key database is not closed nor is the database
file pointer affected.
.Pp
@@ -303,11 +306,24 @@ It also fills in the skey struct
and locks the user's record in the S/Key database.
The
.Fn skeychallenge
-function returns 0 on success or -1 on failure.
+function returns 0 on success or \-1 on failure.
On success the S/Key database remains open and the read/write file
pointer is set to the beginning of the record.
.Pp
The
+.Fn skeychallenge2
+function is identical to
+.Fn skeychallenge
+except that instead of opening the user's entry in the S/Key database,
+the open file referenced by
+.Ar fd
+is used instead.
+When
+.Ar fd
+is \-1, the behavior is equivalent to
+.Fn skeychallenge .
+.Pp
+The
.Fn skeygetnext
function stores the next record in the S/Key database in
.Fa rec
@@ -315,7 +331,7 @@ and locks that record in the S/Key database.
The
.Fn skeygetnext
function returns 0 on success, 1 if there are no more entries,
-or -1 if there was an error accessing the S/Key database.
+or \-1 if there was an error accessing the S/Key database.
The S/Key database remains open after a call to
.Fn skeygetnext .
If no error was encountered accessing the S/Key database, the read/write
@@ -336,7 +352,7 @@ The
.Fn skeylookup
function returns 0 on success, 1 if
.Fa user
-was not found, or -1 if there was an error accessing the S/Key database.
+was not found, or \-1 if there was an error accessing the S/Key database.
If no error was encountered accessing the S/Key database, the read/write
file pointer is set to the beginning of the record.
.Pp
@@ -347,7 +363,7 @@ function verifies the user's
based on the S/Key record
.Fa rec .
It returns 0 on success (updating the database), 1 on failure, or
--1 if there was an error accessing the database.
+\-1 if there was an error accessing the database.
The database is always closed by a call to
.Fn skeyverify .
.Sh SEE ALSO
diff --git a/lib/libskey/skey.h b/lib/libskey/skey.h
index 750dd8095f2..6ccaf109b3d 100644
--- a/lib/libskey/skey.h
+++ b/lib/libskey/skey.h
@@ -10,7 +10,7 @@
*
* Main client header
*
- * $OpenBSD: skey.h,v 1.18 2002/05/16 03:50:42 millert Exp $
+ * $OpenBSD: skey.h,v 1.19 2004/08/05 13:31:36 millert Exp $
*/
#ifndef _SKEY_H_
@@ -71,6 +71,7 @@ char *put8(char *, char *);
int etob(char *, char *);
void rip(char *);
int skeychallenge(struct skey *, char *, char *);
+int skeychallenge2(int, struct skey *, char *, char *);
int skeylookup(struct skey *, char *);
int skeyverify(struct skey *, char *);
int skeyzero(struct skey *);
diff --git a/lib/libskey/skeylogin.c b/lib/libskey/skeylogin.c
index cd7642743f0..1d2ff096a84 100644
--- a/lib/libskey/skeylogin.c
+++ b/lib/libskey/skeylogin.c
@@ -10,7 +10,7 @@
*
* S/Key verification check, lookups, and authentication.
*
- * $OpenBSD: skeylogin.c,v 1.51 2003/09/21 23:35:24 millert Exp $
+ * $OpenBSD: skeylogin.c,v 1.52 2004/08/05 13:31:36 millert Exp $
*/
#include <sys/param.h>
@@ -38,22 +38,23 @@
static void skey_fakeprompt(char *, char *);
static char *tgetline(int, char *, size_t, int);
-static int skeygetent(struct skey *, const char *);
+static int skeygetent(int, struct skey *, const char *);
/*
* Return an skey challenge string for user 'name'. If successful,
* fill in the caller's skey structure and return (0). If unsuccessful
* (e.g., if name is unknown) return (-1).
*
- * The file read/write pointer is left at the start of the
- * record.
+ * The file read/write pointer is left at the start of the record.
*/
int
-skeychallenge(struct skey *mp, char *name, char *ss)
+skeychallenge2(int fd, struct skey *mp, char *name, char *ss)
{
int rval;
- rval = skeylookup(mp, name);
+ memset(mp, 0, sizeof(*mp));
+ rval = skeygetent(fd, mp, name);
+
switch (rval) {
case 0: /* Lookup succeeded, return challenge */
(void)snprintf(ss, SKEY_MAX_CHALLENGE,
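Review bot: The header comment above `skeychallenge2()` still describes the old single-argument contract and says nothing about the new `fd` parameter, which is the whole point of the function. I would extend it with two lines after "return (-1).": `If fd is -1 the user's record is opened by name; otherwise fd must already refer to that user's record in the S/Key database and is used as-is (no check that it matches 'name' is made here).` The added `memset(mp, 0, sizeof(*mp))` before `skeygetent()` mirrors what `skeylookup()` does, which is worth a one-line comment so nobody removes it as redundant: `/* skeygetent() fills mp incrementally; start from a clean struct. */`. The body of `skeychallenge2()` continues past the end of this hunk.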
@@ -75,6 +76,12 @@ skeychallenge(struct skey *mp, char *name, char *ss)
}
}
+int
+skeychallenge(struct skey *mp, char *name, char *ss)
+{
+ return (skeychallenge2(-1, mp, name, ss));
+}
+
/*
* Get an entry in the One-time Password database and lock it.
*
@@ -84,13 +91,12 @@ skeychallenge(struct skey *mp, char *name, char *ss)
* 1: entry not found
*/
static int
-skeygetent(struct skey *mp, const char *name)
+skeygetent(int fd, struct skey *mp, const char *name)
{
struct stat statbuf;
size_t nread;
char *cp, filename[PATH_MAX], *last;
FILE *keyfile;
- int fd;
/* Check to see that /etc/skey has not been disabled. */
if (stat(_PATH_SKEYDIR, &statbuf) != 0)
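Review bot: The comment block ending at `1: entry not found` lists the return codes but the new leading `fd` argument to `skeygetent()` is undocumented, and since this is the function that decides whether to open a file or trust the caller, that is where the contract belongs. I would add above the return-code list: `fd: -1 to open _PATH_SKEYDIR/name, or a descriptor the caller has already opened on that user's record; the descriptor is then treated exactly like one opened here.` The `_PATH_SKEYDIR` stat check still runs even when a descriptor is supplied, which is reasonable (the database can be disabled after the fd was obtained) and deserves a short why-comment. The start of the comment block is outside this hunk.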
@@ -100,18 +106,19 @@ skeygetent(struct skey *mp, const char *name)
return (-1);
}
- /* Open the user's databse entry, creating it as needed. */
- /* XXX - really want "/etc/skey/L/USER" where L is 1st char of USER */
- if (snprintf(filename, sizeof(filename), "%s/%s", _PATH_SKEYDIR,
- name) >= sizeof(filename)) {
- errno = ENAMETOOLONG;
- return (-1);
- }
- if ((fd = open(filename, O_RDWR | O_NOFOLLOW | O_NONBLOCK,
- S_IRUSR | S_IWUSR)) == -1) {
- if (errno == ENOENT)
- goto not_found;
- return (-1);
+ if (fd == -1) {
+ /* Open the user's databse entry, creating it as needed. */
+ if (snprintf(filename, sizeof(filename), "%s/%s", _PATH_SKEYDIR,
+ name) >= sizeof(filename)) {
+ errno = ENAMETOOLONG;
+ return (-1);
+ }
+ if ((fd = open(filename, O_RDWR | O_NOFOLLOW | O_NONBLOCK,
+ S_IRUSR | S_IWUSR)) == -1) {
+ if (errno == ENOENT)
+ goto not_found;
+ return (-1);
+ }
}
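Review bot: With a caller-supplied descriptor, `filename` is never written on this path, so if any code below the hunk (an error message or the `not_found` label) reads it, that read is now of an uninitialized buffer — I cannot see the rest of the function, so please confirm. The guard `if (fd == -1)` lets any other negative value fall through and be used as a descriptor; `if (fd < 0)` is the safer form and matches the `-1` convention the callers use. Nothing here verifies that a supplied fd actually refers to `name`'s record under `_PATH_SKEYDIR`, so the function is trusting its callers; a comment such as `/* Caller-supplied fd: trusted to be name's record, and owned by us from here on. */` at the top of the branch would make that explicit, and the existing typo "databse" in the moved comment could be fixed while touching the line. The lock/stat/fdopen code that determines what happens to the descriptor on failure is below the hunk.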
/* Lock and stat the user's skey file. */
@@ -183,7 +190,7 @@ int
skeylookup(struct skey *mp, char *name)
{
memset(mp, 0, sizeof(*mp));
- return (skeygetent(mp, name));
+ return (skeygetent(-1, mp, name));
}
/*
@@ -213,7 +220,7 @@ skeygetnext(struct skey *mp)
while ((readdir_r(mp->keydir, &entry, &dp)) == 0 && dp == &entry) {
/* Skip dot files and zero-length files. */
if (entry.d_name[0] != '.' &&
- (rval = skeygetent(mp, entry.d_name)) != 1)
+ (rval = skeygetent(-1, mp, entry.d_name)) != 1)
break;
}