pam_goatherd: Handle IPv6 bracket notation

pam_goatherd.c

@@ -141,7 +141,7 @@ static int check_hotp(struct cfg cfg, size_t n_server, const char *user, const c
 
 	// resolve name and connect
     dbgp("connecting...");
-    struct addrinfo hint = { .ai_socktype = SOCK_STREAM };
+    struct addrinfo hint = { .ai_socktype = SOCK_STREAM, .ai_family = AF_UNSPEC };
     struct addrinfo *addris_start;
     if ((err = getaddrinfo(cfg.servers[n_server], cfg.ports[n_server], &hint, &addris_start)) != 0)
     {
@@ -272,14 +272,51 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
                 // allocate on the stack and avoid free() headaches (needs
                 // _GNU_SOURCE).
                 char *serverport = strdupa(&argv[i][strlen(arg_server)]);
-                char *saveptr;
 
-                // TODO: handle IPv6 addrs
-                cfg.servers[n_servers] = strtok_r(serverport, ":", &saveptr);
-                cfg.ports[n_servers] = strtok_r(NULL, ":", &saveptr);
-                if (!cfg.ports[n_servers]) {
-                    dbgp2("Fatal: need port for", serverport);
-                    return PAM_AUTHINFO_UNAVAIL;
+                if (serverport[0] == '\0')
+                {
+                    continue;
+                }
+
+                // Gotta handle IPv6 addresses differently because they contain colons
+                if (serverport[0] == '[')
+                {
+                    char *closing_bracket = strchr(serverport+1, ']');
+                    if (!closing_bracket)
+                    {
+                        dbgp2("Fatal: expecting closing bracket in server address", serverport);
+                        return PAM_AUTHINFO_UNAVAIL;
+                    }
+                    if (closing_bracket[1] != ':')
+                    {
+                        dbgp2("Fatal: expecting :port after closing bracket in server address", serverport);
+                        return PAM_AUTHINFO_UNAVAIL;
+                    }
+                    if (closing_bracket[2] == '\0')
+                    {
+                        dbgp2("Fatal: expecting port after colon in server address", serverport);
+                        return PAM_AUTHINFO_UNAVAIL;
+                    }
+
+                    closing_bracket[0] = '\0';
+                    cfg.servers[n_servers] = serverport+1;
+                    cfg.ports[n_servers] = closing_bracket+2;
+                } else {
+                    char *colon = strchr(serverport, ':');
+                    if (!colon)
+                    {
+                        dbgp2("Fatal: need port for", serverport);
+                        return PAM_AUTHINFO_UNAVAIL;
+                    }
+                    if (colon[1] == '\0')
+                    {
+                        dbgp2("Fatal: expecting port after colon in server address", serverport);
+                        return PAM_AUTHINFO_UNAVAIL;
+                    }
+
+                    colon[0] = '\0';
+                    cfg.servers[n_servers] = serverport;
+                    cfg.ports[n_servers] = colon+1;
                 }
 
                 n_servers++;

test_pam_goatherd.sh

@@ -51,7 +51,7 @@ else
     echo "(failure expected)"
 fi
 
-ghdb 1 serve -addr 127.0.0.1:9989 -tls-key test.key -tls-cert test.crt &
+ghdb 1 serve -addr [::1]:9989 -tls-key test.key -tls-cert test.crt &
 
 echo blub | if pw pamtester single_server someuser authenticate; then
     die "FAIL: Auth succeeded but user is not valid"
@@ -77,7 +77,7 @@ fi
 echo
 echo "== Multi server tests =="
 
-echo auth requisite $PWD/pam_goatherd.so certs=test.crt server=localhost:9989 server=localhost:9988 server=localhost:9987 >$servicedir/three_servers
+echo auth requisite $PWD/pam_goatherd.so certs=test.crt server=[::1]:9989 server=127.0.0.1:9988 server=localhost:9987 >$servicedir/three_servers
 
 oathtool -d 8 -c 2 $(echo -n $secret | xxd -p) | \
     if pw pamtester three_servers someuser authenticate; then