Merge af16a9e into d4ed13d

.github/workflows/codeql-analysis.yml

@@ -32,7 +32,7 @@ jobs:
       run: |
         sudo apt update
         sudo apt install -y libykclient-dev libykpers-1-dev libyubikey-dev \
-          libpam-dev help2man asciidoc-base
+          libpam-dev help2man asciidoc-base libmysqlclient-dev
         autoreconf --install
         ./configure
         make

.github/workflows/scan.yml

@@ -8,7 +8,7 @@ on:
 env:
   SCAN_IMG:
     yubico-yes-docker-local.jfrog.io/static-code-analysis/c:v1
-  COMPILE_DEPS: "libykclient-dev libykpers-1-dev libyubikey-dev"
+  COMPILE_DEPS: "libykclient-dev libykpers-1-dev libyubikey-dev libmysqlclient-dev"
 
 jobs:
   build:

.travis.yml

@@ -1,4 +1,3 @@
-sudo: required
 language: c
 os:
   - linux
@@ -7,13 +6,14 @@ compiler:
   - gcc
   - clang
 env:
-  - CONFIGURE_ARGS="" EXTRA="libldap2-dev libykpers-1-dev libnet-ldap-server-perl"
-  - CONFIGURE_ARGS="--without-ldap" EXTRA="libykpers-1-dev"
-  - CONFIGURE_ARGS="--without-cr" EXTRA="libldap2-dev libnet-ldap-server-perl"
-  - CONFIGURE_ARGS="--without-ldap --without-cr"
+  - CONFIGURE_ARGS="" EXTRA="libldap2-dev libykpers-1-dev libnet-ldap-server-perl libmysqlclient-dev"
+  - CONFIGURE_ARGS="--without-ldap" EXTRA="libykpers-1-dev libmysqlclient-dev"
+  - CONFIGURE_ARGS="--without-cr" EXTRA="libldap2-dev libnet-ldap-server-perl libmysqlclient-dev"
+  - CONFIGURE_ARGS="--without-ldap --without-cr" EXTRA="libmysqlclient-dev"
 script: tests/aux/build-and-test.sh
-matrix:
+jobs:
+  install: travis_wait 30 mvn install
   include:
     - compiler: gcc
       os: linux
-      env: COVERAGE="--enable-coverage" EXTRA="libldap2-dev libykpers-1-dev libnet-ldap-server-perl lcov"
+      env: COVERAGE="--enable-coverage" EXTRA="libldap2-dev libykpers-1-dev libnet-ldap-server-perl lcov libmysqlclient-dev"

Makefile.am

@@ -45,7 +45,12 @@ pam_yubico_la_LDFLAGS = -module -avoid-version
 
 noinst_LTLIBRARIES = libpam_util.la libpam_real.la
 libpam_util_la_SOURCES = util.c util.h
-libpam_util_la_LIBADD = @LTLIBYUBIKEY@ @YKPERS_LIBS@
+libpam_util_la_LIBADD = @LTLIBYUBIKEY@ @YKPERS_LIBS@ 
+
+# if MYSQL_SUPPORT
+AM_CFLAGS += @MYSQL_CFLAGS@
+libpam_util_la_LIBADD += @MYSQL_LIBS@
+# endif
 
 libpam_real_la_SOURCES = pam_yubico.c
 

configure.ac

@@ -75,6 +75,19 @@ AC_ARG_WITH([ldap],
                  [libldap not found, will not be compiled (--without-ldap to disable ldap support)])],
               [])])
 
+AC_ARG_WITH([mysql],
+            [AS_HELP_STRING([--without-mysql],
+              [disable support for mysql])],
+            [],
+            [with_mysql=yes])
+AS_IF([test "x$with_mysql" != xno],
+  [
+    PKG_CHECK_MODULES([MYSQL], [mysqlclient],
+    [AC_DEFINE([HAVE_MYSQL], [1],[Define if you have mysqlclient])],
+    [AC_MSG_WARN(
+                 [libmysqlclient not found, will not be compiled (--without-mysql to disable mysql support)])])
+  ])
+AM_CONDITIONAL(MYSQL_SUPPORT,test "x$with_mysql" != xno)
 
 AC_LIB_HAVE_LINKFLAGS([ykclient],, [#include <ykclient.h>],
                       [ykclient_set_proxy(0, 0)])
@@ -194,4 +207,4 @@ AC_MSG_NOTICE([Summary of build options:
   Library types:      Shared=${enable_shared}, Static=${enable_static}
   LDAP:               ${with_ldap}
   Challenge-Response: ${with_cr}
-])
+])

pam_yubico.8.txt

@@ -116,6 +116,18 @@ CA certitificate file for the LDAP connection.
 *chalresp_path*=_path_::
 Path of a system-wide directory where challenge-response files can be found for users. Default location is `$HOME/.yubico/`.
 
+*mysql_server*=_mysqlserver_::
+Hostname/Adress of mysql server. Example 10.0.0.1
+
+*mysql_user*=_mysqluser_::
+User for accessing to the database. Strongly recommended to use a specific user with read only access.
+
+*mysql_password*=_mysqlpassword_::
+Mysql password associated to the user.
+
+*mysql_database*=_mysqldatabase_::
+the name of the database. Example : otp
+
 == EXAMPLES
 
   auth sufficient pam_yubico.so id=16 debug

pam_yubico.c

@@ -134,6 +134,11 @@ struct cfg
   const char *user_attr;
   const char *yubi_attr;
   const char *yubi_attr_prefix;
+  const char *mysql_server;
+  const char *mysql_user;
+  const char *mysql_password;
+  const char *mysql_database;
+
   unsigned int token_id_length;
   enum key_mode mode;
   const char *chalresp_path;
@@ -164,8 +169,19 @@ authorize_user_token (struct cfg *cfg,
 		      pam_handle_t *pamh)
 {
   int retval = AUTH_ERROR;
-
-  if (cfg->auth_file)
+  if (cfg->mysql_server)
+    {
+      #if HAVE_MYSQL
+        /* Administrator had configured the database and specified is name
+          as an argument for this module.
+        */
+      DBG ("Using Mariadb or Mysql Database");
+      retval = check_user_token_mysql(cfg->mysql_server, cfg->mysql_user, cfg->mysql_password, cfg->mysql_database, username, otp_id, cfg->debug, cfg->debug_file);
+      #else
+        DBG (("Trying to use MYSQL, but this function is not compiled in pam_yubico!!"));
+      #endif
+    }
+  else if (cfg->auth_file)
     {
       /* Administrator had configured the file and specified is name
          as an argument for this module.
@@ -874,6 +890,15 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
 	cfg->mode = CLIENT;
       if (strncmp (argv[i], "chalresp_path=", 14) == 0)
 	cfg->chalresp_path = argv[i] + 14;
+      if (strncmp (argv[i], "mysql_server=", 13) == 0)
+	cfg->mysql_server = argv[i] + 13;
+       if (strncmp (argv[i], "mysql_user=", 11) == 0)
+	cfg->mysql_user = argv[i] + 11;
+       if (strncmp (argv[i], "mysql_password=", 15) == 0)
+	cfg->mysql_password = argv[i] + 15;
+      if (strncmp (argv[i], "mysql_database=", 15) == 0)
+	cfg->mysql_database = argv[i] + 15;
+
       if (strncmp (argv[i], "debug_file=", 11) == 0)
         {
           const char *filename = argv[i] + 11;
@@ -939,6 +964,9 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
   DBG ("token_id_length=%u", cfg->token_id_length);
   DBG ("mode=%s", cfg->mode == CLIENT ? "client" : "chresp" );
   DBG ("chalresp_path=%s", cfg->chalresp_path ? cfg->chalresp_path : "(null)");
+  DBG ("mysql_server=%s", cfg->mysql_server ? cfg->mysql_server : "(null)");
+  DBG ("mysql_user=%s", cfg->mysql_user ? cfg->mysql_user : "(null)");
+  DBG ("mysql_database=%s", cfg->mysql_database ? cfg->mysql_database : "(null)");
 
   if (fd != -1)
     close(fd);

tests/aux/build-and-test.sh

@@ -7,7 +7,7 @@ autoreconf -i
 if [ "x$TRAVIS_OS_NAME" != "xosx" ]; then
     sudo add-apt-repository -y ppa:yubico/stable
     sudo apt-get update -qq || true
-    sudo apt-get install -qq -y --no-install-recommends libykclient-dev libpam0g-dev libyubikey-dev asciidoc docbook-xsl xsltproc libxml2-utils $EXTRA
+    sudo apt-get install -qq -y --no-install-recommends libykclient-dev libpam0g-dev libyubikey-dev asciidoc docbook-xsl xsltproc libxml2-utils libmysqlclient-dev $EXTRA
 else
     brew update
     brew install pkg-config
@@ -17,6 +17,7 @@ else
     brew install libyubikey
     brew install ykclient
     brew install ykpers
+    brew install mysql-connector-c #Mysql
     cpanp install Net::LDAP::Server
 
     # this is required so asciidoc can find the xml catalog