author | nectar <nectar@FreeBSD.org> | 2000-11-06 19:56:21 +0000 |
---|---|---|
committer | nectar <nectar@FreeBSD.org> | 2000-11-06 19:56:21 +0000 |
commit | 92ec44005a2061a62cfd925e66f7e54cf0d15b73 (patch) | |
tree | bbe4d77cdd9819cb9da308ff94f2223fd76c20b2 /security | |
parent | 2fe5a3768e6607ed5832b2dc404a31b75717476b (diff) | |
download | FreeBSD-ports-92ec44005a2061a62cfd925e66f7e54cf0d15b73.zip FreeBSD-ports-92ec44005a2061a62cfd925e66f7e54cf0d15b73.tar.gz |
Oops,
Diffstat (limited to 'security')
-rw-r--r-- | security/pam_krb5/files/patch-aa | 19 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ab | 21 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ad | 38 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-af | 182 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ah | 120 | ||||
-rw-r--r-- | security/pam_krb5/files/patch-ai | 134 |
6 files changed, 399 insertions, 115 deletions
diff --git a/security/pam_krb5/files/patch-aa b/security/pam_krb5/files/patch-aa index 879bc99..f79c081 100644 --- a/security/pam_krb5/files/patch-aa +++ b/security/pam_krb5/files/patch-aa @@ -1,6 +1,6 @@ --- Makefile.orig Tue Jan 4 19:08:51 2000 -+++ Makefile Mon Nov 6 10:59:16 2000 -@@ -1,48 +1,51 @@ ++++ Makefile Mon Nov 6 13:44:54 2000 +@@ -1,46 +1,49 @@ # # Makefile for pam_krb5 # @@ -68,22 +68,17 @@ - rm -f *.so.1 *.o + rm -f *.so *.o --pam_krb5_auth.o: pam_krb5_auth.c pam_krb5.h -+pam_krb5_auth.o: pam_krb5_auth.c pam_krb5.h krb5compat.h + pam_krb5_auth.o: pam_krb5_auth.c pam_krb5.h $(CC) -c $(CFLAGS) $(INC) $< - - pam_krb5_pass.o: pam_krb5_pass.c pam_krb5.h -@@ -54,6 +57,12 @@ - pam_krb5_sess.o: pam_krb5_sess.c pam_krb5.h +@@ -55,5 +58,11 @@ $(CC) -c $(CFLAGS) $(INC) $< --support.o: support.c pam_krb5.h -+support.o: support.c pam_krb5.h krb5compat.h + support.o: support.c pam_krb5.h + $(CC) -c $(CFLAGS) $(INC) $< + -+compat_heimdal.o: compat_heimdal.c krb5compat.h ++compat_heimdal.o: compat_heimdal.c + $(CC) -c $(CFLAGS) $(INC) $< + -+compat_mit.o: compat_mit.c krb5compat.h ++compat_mit.o: compat_mit.c $(CC) -c $(CFLAGS) $(INC) $< diff --git a/security/pam_krb5/files/patch-ab b/security/pam_krb5/files/patch-ab index 8e35ac8..29f2cac 100644 --- a/security/pam_krb5/files/patch-ab +++ b/security/pam_krb5/files/patch-ab 
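Review bot: The new `compat_heimdal.o: compat_heimdal.c` and `compat_mit.o: compat_mit.c` rules list no header prerequisite, although the compat sources in patch-ah and patch-ai now include `pam_krb5.h`. A change to that header, for example to the `pam_prompter` declaration, would not rebuild the compat objects, and stale ones would be linked into the module. I would write the rules as `compat_heimdal.o: compat_heimdal.c pam_krb5.h` and `compat_mit.o: compat_mit.c pam_krb5.h`, matching the `support.o` rule.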
@@ -1,10 +1,23 @@ --- pam_krb5.h.orig Tue Jan 4 19:08:51 2000 -+++ pam_krb5.h Mon Nov 6 10:21:49 2000 -@@ -6,6 +6,6 @@ ++++ pam_krb5.h Mon Nov 6 13:42:22 2000 +@@ -5,7 +5,18 @@ + */ int get_user_info(pam_handle_t *, char *, int, char **); - krb5_error_code pam_prompter(krb5_context, void *, const char *, +-krb5_error_code pam_prompter(krb5_context, void *, const char *, - const char *, int, krb5_prompt[]); -+ int, krb5_prompt[]); int verify_krb_v5_tgt(krb5_context, krb5_ccache, int); void cleanup_cache(pam_handle_t *, void *, int); ++ ++krb5_prompter_fct pam_prompter; ++ ++const char *compat_princ_component(krb5_context, krb5_principal, int); ++void compat_free_data_contents(krb5_context, krb5_data *); ++krb5_error_code compat_cc_next_cred(krb5_context, const krb5_ccache, ++ krb5_cc_cursor *, krb5_creds *); ++ ++#ifndef ENCTYPE_DES_CBC_MD5 ++#define ENCTYPE_DES_CBC_MD5 ETYPE_DES_CBC_MD5 ++#endif ++ ++ diff --git a/security/pam_krb5/files/patch-ad b/security/pam_krb5/files/patch-ad index ee26249..ee54cfe 100644 --- a/security/pam_krb5/files/patch-ad +++ b/security/pam_krb5/files/patch-ad @@ -1,5 +1,5 @@ --- pam_krb5_auth.c.orig Tue Jan 4 19:08:51 2000 -+++ pam_krb5_auth.c Mon Nov 6 10:46:08 2000 ++++ pam_krb5_auth.c Mon Nov 6 13:45:48 2000 @@ -7,9 +7,11 @@ static const char rcsid[] = "$Id: pam_krb5_auth.c,v 1.18 2000/01/04 08:44:08 fcusack Exp $"; @@ -12,17 +12,15 @@ #include <strings.h> /* strchr */ #include <syslog.h> /* syslog */ #include <unistd.h> /* chown */ -@@ -19,7 +21,9 @@ +@@ -19,6 +21,7 @@ #include <security/pam_modules.h> #include <krb5.h> +#include <com_err.h> #include "pam_krb5.h" -+#include "krb5compat.h" extern krb5_cc_ops krb5_mcc_ops; - -@@ -42,7 +46,7 @@ +@@ -42,7 +45,7 @@ krb5_get_init_creds_opt opts; int pamret, i; @@ -31,7 +29,7 @@ char *princ_name = NULL; char *pass = NULL, *service = NULL; char *prompt = NULL; -@@ -74,13 +78,13 @@ +@@ -74,13 +77,13 @@ } /* Get service name */ 
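Review bot: `krb5_prompter_fct pam_prompter;` in pam_krb5.h has no `extern`, so every file that includes the header gets a tentative definition alongside the initialized one in compat_heimdal.c or compat_mit.c. That links only where the toolchain merges common symbols; with `-fno-common` it is a duplicate-definition error. Declaring it as `extern krb5_prompter_fct pam_prompter;` leaves a single definition. As the visible code never reassigns the pointer, `extern const krb5_prompter_fct pam_prompter;` (with the two definitions changed to match) would also keep the password-prompt callback out of writable data.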
@@ -47,7 +45,7 @@ DLOG("krb5_init_context()", error_message(krbret)); return PAM_SERVICE_ERR; } -@@ -93,7 +97,7 @@ +@@ -93,7 +96,7 @@ krb5_get_init_creds_opt_set_forwardable(&opts, 1); /* For CNS */ @@ -56,7 +54,7 @@ /* Solaris dtlogin doesn't call pam_end() on failure */ if (krbret != KRB5_CC_TYPE_EXISTS) { DLOG("krb5_cc_register()", error_message(krbret)); -@@ -103,14 +107,14 @@ +@@ -103,14 +106,14 @@ } /* Get principal name */ @@ -73,7 +71,7 @@ DLOG("krb5_unparse_name()", error_message(krbret)); pamret = PAM_SERVICE_ERR; goto cleanup2; -@@ -126,18 +130,19 @@ +@@ -126,18 +129,19 @@ (void) sprintf(prompt, "Password for %s: ", princ_name); if (try_first_pass || use_first_pass) @@ -96,7 +94,7 @@ DLOG("pam_set_item()", pam_strerror(pamh, pamret)); free(pass); pamret = PAM_SERVICE_ERR; -@@ -145,25 +150,26 @@ +@@ -145,25 +149,26 @@ } free(pass); /* Now we get it back from the library. */ @@ -128,7 +126,7 @@ DLOG("pam_get_item()", pam_strerror(pamh, pamret)); pamret = PAM_SERVICE_ERR; goto cleanup2; -@@ -177,9 +183,8 @@ +@@ -177,9 +182,8 @@ } /* Get a TGT */ @@ -140,7 +138,7 @@ DLOG("krb5_get_init_creds_password()", error_message(krbret)); if (try_first_pass && krbret == KRB5KRB_AP_ERR_BAD_INTEGRITY) { pass = NULL; -@@ -193,17 +198,17 @@ +@@ -193,17 +197,17 @@ strcpy(cache_name, "MEMORY:"); (void) tmpnam(&cache_name[7]); @@ -161,7 +159,7 @@ DLOG("krb5_cc_store_cred()", error_message(krbret)); (void) krb5_cc_destroy(pam_context, ccache); pamret = PAM_SERVICE_ERR; -@@ -224,7 +229,7 @@ +@@ -224,7 +228,7 @@ pamret = PAM_AUTH_ERR; goto cleanup; } @@ -170,7 +168,7 @@ DLOG("pam_set_data()", pam_strerror(pamh, pamret)); (void) krb5_cc_destroy(pam_context, ccache); pamret = PAM_SERVICE_ERR; -@@ -288,22 +293,22 @@ +@@ -288,22 +292,22 @@ else if (strcmp(argv[i], "no_ccache") == 0) return PAM_SUCCESS; else if (strstr(argv[i], "ccache=") == argv[i]) 
@@ -197,7 +195,7 @@ DLOG("krb5_init_context()", error_message(krbret)); return PAM_SERVICE_ERR; } -@@ -311,7 +316,8 @@ +@@ -311,7 +315,8 @@ euid = geteuid(); /* Usually 0 */ /* Retrieve the cache name */ @@ -207,7 +205,7 @@ DLOG("pam_get_data()", pam_strerror(pamh, pamret)); pamret = PAM_CRED_UNAVAIL; goto cleanup3; -@@ -340,7 +346,7 @@ +@@ -340,7 +345,7 @@ pamret = PAM_BUF_ERR; goto cleanup3; } @@ -216,7 +214,7 @@ } else { /* cache_name was supplied */ char *p = calloc(PATH_MAX + 10, 1); /* should be plenty */ -@@ -357,10 +363,10 @@ +@@ -357,10 +362,10 @@ if (*q == '%') { q++; if (*q == 'u') { @@ -229,7 +227,7 @@ p += strlen(p); } else { /* Not a special token */ -@@ -375,24 +381,27 @@ +@@ -375,24 +380,27 @@ } /* Initialize the new ccache */ @@ -261,7 +259,7 @@ DLOG("krb5_cc_start_seq_get()", error_message(krbret)); (void) krb5_cc_destroy(pam_context, ccache_perm); pamret = PAM_SERVICE_ERR; -@@ -400,9 +409,10 @@ +@@ -400,9 +408,10 @@ } /* Copy the creds (should be two of them) */ @@ -275,7 +273,7 @@ DLOG("krb5_cc_store_cred()", error_message(krbret)); (void) krb5_cc_destroy(pam_context, ccache_perm); krb5_free_cred_contents(pam_context, &creds); -@@ -432,7 +442,7 @@ +@@ -432,7 +441,7 @@ } sprintf(cache_env_name, "KRB5CCNAME=%s", cache_name); diff --git a/security/pam_krb5/files/patch-af b/security/pam_krb5/files/patch-af index dd164e8..26167b1 100644 --- a/security/pam_krb5/files/patch-af +++ b/security/pam_krb5/files/patch-af @@ -1,6 +1,6 @@ --- support.c.orig Tue Jan 4 19:08:51 2000 -+++ support.c Mon Nov 6 11:55:47 2000 -@@ -6,12 +6,17 @@ ++++ support.c Mon Nov 6 13:36:39 2000 +@@ -6,11 +6,15 @@ static const char rcsid[] = "$Id: support.c,v 1.8 2000/01/04 09:50:03 fcusack Exp $"; 
@@ -14,11 +14,9 @@ #include <krb5.h> +#include <com_err.h> #include "pam_krb5.h" -+#include "krb5compat.h" /* - * Get info from the user. Disallow null responses (regardless of flags). -@@ -22,11 +27,12 @@ +@@ -22,11 +26,12 @@ get_user_info(pam_handle_t *pamh, char *prompt, int type, char **response) { int pamret; @@ -33,7 +31,7 @@ return pamret; /* set up conversation call */ -@@ -34,7 +40,7 @@ +@@ -34,7 +39,7 @@ msg.msg_style = type; msg.msg = prompt; @@ -42,35 +40,39 @@ return pamret; /* Caller should ignore errors for non-response conversations */ -@@ -53,8 +59,8 @@ +@@ -51,124 +56,6 @@ + return pamret; + } - - krb5_error_code +- +-krb5_error_code -pam_prompter(krb5_context context, void *data, const char *name, - const char *banner, int num_prompts, krb5_prompt prompts[]) -+pam_prompter(krb5_context context, void *data, const char *banner, int -+ num_prompts, krb5_prompt prompts[]) - { - int pam_prompts = num_prompts; - int pamret, i; -@@ -64,12 +70,9 @@ - struct pam_conv *conv; - pam_handle_t *pamh = (pam_handle_t *) data; - +-{ +- int pam_prompts = num_prompts; +- int pamret, i; +- +- struct pam_message *msg; +- struct pam_response *resp = NULL; +- struct pam_conv *conv; +- pam_handle_t *pamh = (pam_handle_t *) data; +- - if (pamret = pam_get_item(pamh, PAM_CONV, (void **) &conv)) -+ if ((pamret = pam_get_item(pamh, PAM_CONV, (const void **) &conv)) != 0) - return KRB5KRB_ERR_GENERIC; - +- return KRB5KRB_ERR_GENERIC; +- - if (name) - pam_prompts++; - - if (banner) - pam_prompts++; - -@@ -80,21 +83,11 @@ - /* Now use pam_prompts as an index */ - pam_prompts = 0; - +- if (banner) +- pam_prompts++; +- +- msg = calloc(sizeof(struct pam_message) * pam_prompts, 1); +- if (!msg) +- return ENOMEM; +- +- /* Now use pam_prompts as an index */ +- pam_prompts = 0; +- - /* Sigh. malloc all the prompts. */ - if (name) { - msg[pam_prompts].msg = malloc(strlen(name) + 1); 
@@ -81,51 +83,89 @@ - pam_prompts++; - } - - if (banner) { - msg[pam_prompts].msg = malloc(strlen(banner) + 1); - if (!msg[pam_prompts].msg) - goto cleanup; +- if (banner) { +- msg[pam_prompts].msg = malloc(strlen(banner) + 1); +- if (!msg[pam_prompts].msg) +- goto cleanup; - strcpy(msg[pam_prompts].msg, banner); -+ strcpy((char *) msg[pam_prompts].msg, banner); - msg[pam_prompts].msg_style = PAM_TEXT_INFO; - pam_prompts++; - } -@@ -103,13 +96,14 @@ - msg[pam_prompts].msg = malloc(strlen(prompts[i].prompt) + 3); - if (!msg[pam_prompts].msg) - goto cleanup; +- msg[pam_prompts].msg_style = PAM_TEXT_INFO; +- pam_prompts++; +- } +- +- for (i = 0; i < num_prompts; i++) { +- msg[pam_prompts].msg = malloc(strlen(prompts[i].prompt) + 3); +- if (!msg[pam_prompts].msg) +- goto cleanup; - sprintf(msg[pam_prompts].msg, "%s: ", prompts[i].prompt); -+ sprintf((char *) msg[pam_prompts].msg, "%s: ", prompts[i].prompt); - msg[pam_prompts].msg_style = prompts[i].hidden ? PAM_PROMPT_ECHO_OFF - : PAM_PROMPT_ECHO_ON; - pam_prompts++; - } - +- msg[pam_prompts].msg_style = prompts[i].hidden ? 
PAM_PROMPT_ECHO_OFF +- : PAM_PROMPT_ECHO_ON; +- pam_prompts++; +- } +- - if (pamret = conv->conv(pam_prompts, &msg, &resp, conv->appdata_ptr)) -+ if ((pamret = conv->conv(pam_prompts, (const struct pam_message **) &msg, -+ &resp, conv->appdata_ptr)) != 0) - goto cleanup; - - if (!resp) -@@ -117,8 +111,6 @@ - - /* Reuse pam_prompts as a starting index */ - pam_prompts = 0; +- goto cleanup; +- +- if (!resp) +- goto cleanup; +- +- /* Reuse pam_prompts as a starting index */ +- pam_prompts = 0; - if (name) - pam_prompts++; - if (banner) - pam_prompts++; - -@@ -142,7 +134,7 @@ - - for (i = 0; i < pam_prompts; i++) { - if (msg[i].msg) +- if (banner) +- pam_prompts++; +- +- for (i = 0; i < num_prompts; i++, pam_prompts++) { +- register int len; +- if (!resp[pam_prompts].resp) { +- pamret = PAM_AUTH_ERR; +- goto cleanup; +- } +- len = strlen(resp[pam_prompts].resp); /* Help out the compiler */ +- if (len > prompts[i].reply->length) { +- pamret = PAM_AUTH_ERR; +- goto cleanup; +- } +- memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len); +- prompts[i].reply->length = len; +- } +- +-cleanup: +- /* pam_prompts is correct at this point */ +- +- for (i = 0; i < pam_prompts; i++) { +- if (msg[i].msg) - free(msg[i].msg); -+ free((char *) msg[i].msg); - } - free(msg); - -@@ -189,8 +181,6 @@ +- } +- free(msg); +- +- if (resp) { +- for (i = 0; i < pam_prompts; i++) { +- /* +- * Note that PAM is underspecified wrt free()'ing resp[i].resp. +- * It's not clear if I should free it, or if the application +- * has to. Therefore most (all?) apps won't free() it, and I +- * can't either, as I am not sure it was malloc()'d. All PAM +- * implementations I've seen leak memory here. Not so bad, IFF +- * you fork/exec for each PAM authentication (as is typical). +- */ +-#if 0 +- if (resp[i].resp) +- free(resp[i].resp); +-#endif /* 0 */ +- } +- /* This does not lose resp[i].resp if the application saved a copy. */ +- free(resp); +- } +- +- return (pamret ? 
KRB5KRB_ERR_GENERIC : 0); +-} +- +- + /* + * This routine with some modification is from the MIT V5B6 appl/bsd/login.c + * +@@ -189,8 +76,6 @@ krb5_keyblock * keyblock = 0; krb5_data packet; krb5_auth_context auth_context = NULL; @@ -134,7 +174,7 @@ packet.data = 0; -@@ -198,8 +188,8 @@ +@@ -198,8 +83,8 @@ * Get the server principal for the local host. * (Use defaults of "host" and canonicalized local name.) */ @@ -145,7 +185,7 @@ if (debug) syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", "krb5_sname_to_principal()", error_message(retval)); -@@ -207,7 +197,7 @@ +@@ -207,7 +92,7 @@ } /* Extract the name directly. */ @@ -154,7 +194,7 @@ phost[BUFSIZ - 1] = '\0'; /* -@@ -215,8 +205,8 @@ +@@ -215,8 +100,8 @@ * (use default/configured keytab, kvno IGNORE_VNO to get the * first match, and enctype is currently ignored anyhow.) */ @@ -165,7 +205,7 @@ /* Keytab or service key does not exist */ if (debug) syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", -@@ -256,7 +246,7 @@ +@@ -256,7 +141,7 @@ cleanup: if (packet.data) diff --git a/security/pam_krb5/files/patch-ah b/security/pam_krb5/files/patch-ah index 8f62854..480089d 100644 --- a/security/pam_krb5/files/patch-ah +++ b/security/pam_krb5/files/patch-ah @@ -1,8 +1,15 @@ ---- compat_heimdal.c.orig Mon Nov 6 10:21:49 2000 -+++ compat_heimdal.c Mon Nov 6 10:48:37 2000 -@@ -0,0 +1,21 @@ +--- compat_heimdal.c.orig Mon Nov 6 13:27:02 2000 ++++ compat_heimdal.c Mon Nov 6 13:43:10 2000 +@@ -0,0 +1,133 @@ ++#include <errno.h> ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++ +#include <krb5.h> -+#include "krb5compat.h" ++#include <security/pam_appl.h> ++#include <security/pam_modules.h> ++#include "pam_krb5.h" + +const char * +compat_princ_component(krb5_context context, krb5_principal princ, int n) 
@@ -22,3 +29,108 @@ +{ + return krb5_cc_next_cred(context, id, creds, cursor); +} ++ ++ ++static krb5_error_code ++heimdal_pam_prompter(krb5_context context, void *data, const char *banner, int ++ num_prompts, krb5_prompt prompts[]) ++{ ++ int pam_prompts = num_prompts; ++ int pamret, i; ++ ++ struct pam_message *msg; ++ struct pam_response *resp = NULL; ++ struct pam_conv *conv; ++ pam_handle_t *pamh = (pam_handle_t *) data; ++ ++ if ((pamret = pam_get_item(pamh, PAM_CONV, (const void **) &conv)) != 0) ++ return KRB5KRB_ERR_GENERIC; ++ ++ if (banner) ++ pam_prompts++; ++ ++ msg = calloc(sizeof(struct pam_message) * pam_prompts, 1); ++ if (!msg) ++ return ENOMEM; ++ ++ /* Now use pam_prompts as an index */ ++ pam_prompts = 0; ++ ++ if (banner) { ++ msg[pam_prompts].msg = malloc(strlen(banner) + 1); ++ if (!msg[pam_prompts].msg) ++ goto cleanup; ++ strcpy((char *) msg[pam_prompts].msg, banner); ++ msg[pam_prompts].msg_style = PAM_TEXT_INFO; ++ pam_prompts++; ++ } ++ ++ for (i = 0; i < num_prompts; i++) { ++ msg[pam_prompts].msg = malloc(strlen(prompts[i].prompt) + 3); ++ if (!msg[pam_prompts].msg) ++ goto cleanup; ++ sprintf((char *) msg[pam_prompts].msg, "%s: ", prompts[i].prompt); ++ msg[pam_prompts].msg_style = prompts[i].hidden ? 
PAM_PROMPT_ECHO_OFF ++ : PAM_PROMPT_ECHO_ON; ++ pam_prompts++; ++ } ++ ++ if ((pamret = conv->conv(pam_prompts, (const struct pam_message **) &msg, ++ &resp, conv->appdata_ptr)) != 0) ++ goto cleanup; ++ ++ if (!resp) ++ goto cleanup; ++ ++ /* Reuse pam_prompts as a starting index */ ++ pam_prompts = 0; ++ if (banner) ++ pam_prompts++; ++ ++ for (i = 0; i < num_prompts; i++, pam_prompts++) { ++ register int len; ++ if (!resp[pam_prompts].resp) { ++ pamret = PAM_AUTH_ERR; ++ goto cleanup; ++ } ++ len = strlen(resp[pam_prompts].resp); /* Help out the compiler */ ++ if (len > prompts[i].reply->length) { ++ pamret = PAM_AUTH_ERR; ++ goto cleanup; ++ } ++ memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len); ++ prompts[i].reply->length = len; ++ } ++ ++cleanup: ++ /* pam_prompts is correct at this point */ ++ ++ for (i = 0; i < pam_prompts; i++) { ++ if (msg[i].msg) ++ free((char *) msg[i].msg); ++ } ++ free(msg); ++ ++ if (resp) { ++ for (i = 0; i < pam_prompts; i++) { ++ /* ++ * Note that PAM is underspecified wrt free()'ing resp[i].resp. ++ * It's not clear if I should free it, or if the application ++ * has to. Therefore most (all?) apps won't free() it, and I ++ * can't either, as I am not sure it was malloc()'d. All PAM ++ * implementations I've seen leak memory here. Not so bad, IFF ++ * you fork/exec for each PAM authentication (as is typical). ++ */ ++#if 0 ++ if (resp[i].resp) ++ free(resp[i].resp); ++#endif /* 0 */ ++ } ++ /* This does not lose resp[i].resp if the application saved a copy. */ ++ free(resp); ++ } ++ ++ return (pamret ? KRB5KRB_ERR_GENERIC : 0); ++} ++ ++krb5_prompter_fct pam_prompter = heimdal_pam_prompter; diff --git a/security/pam_krb5/files/patch-ai b/security/pam_krb5/files/patch-ai index df90dd5..879febd 100644 --- a/security/pam_krb5/files/patch-ai +++ b/security/pam_krb5/files/patch-ai 
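Review bot: `heimdal_pam_prompter` returns success on two failure paths. When `malloc` fails for a message, or the conversation succeeds but leaves `resp` NULL, `pamret` is still 0 at `goto cleanup`, so the function returns 0 with `prompts[i].reply` never filled in. The Kerberos library would then proceed with whatever the reply buffers already held. Set an error before jumping, e.g. `if (!msg[pam_prompts].msg) { pamret = PAM_BUF_ERR; goto cleanup; }` and `if (!resp) { pamret = PAM_CONV_ERR; goto cleanup; }`. The same code is in `mit_pam_prompter` in patch-ai.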
@@ -1,8 +1,15 @@ ---- compat_mit.c.orig Mon Nov 6 10:21:49 2000 -+++ compat_mit.c Mon Nov 6 10:49:14 2000 -@@ -0,0 +1,21 @@ +--- compat_mit.c.orig Mon Nov 6 13:48:30 2000 ++++ compat_mit.c Mon Nov 6 13:52:48 2000 +@@ -0,0 +1,147 @@ ++#include <errno.h> ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++ +#include <krb5.h> -+#include "krb5compat.h" ++#include <security/pam_appl.h> ++#include <security/pam_modules.h> ++#include "pam_krb5.h" + +const char * +compat_princ_component(krb5_context context, krb5_principal princ, int n) 
@@ -22,3 +29,122 @@ +{ + return krb5_cc_next_cred(context, id, cursor, creds); +} ++ ++static krb5_error_code ++mit_pam_prompter(krb5_context context, void *data, const char *name, ++ const char *banner, int num_prompts, krb5_prompt prompts[]) ++{ ++ int pam_prompts = num_prompts; ++ int pamret, i; ++ ++ struct pam_message *msg; ++ struct pam_response *resp = NULL; ++ struct pam_conv *conv; ++ pam_handle_t *pamh = (pam_handle_t *) data; ++ ++ if ((pamret = pam_get_item(pamh, PAM_CONV, (const void **) &conv)) != 0) ++ return KRB5KRB_ERR_GENERIC; ++ ++ if (name) ++ pam_prompts++; ++ ++ if (banner) ++ pam_prompts++; ++ ++ msg = calloc(sizeof(struct pam_message) * pam_prompts, 1); ++ if (!msg) ++ return ENOMEM; ++ ++ /* Now use pam_prompts as an index */ ++ pam_prompts = 0; ++ ++ /* Sigh. malloc all the prompts. */ ++ if (name) { ++ msg[pam_prompts].msg = malloc(strlen(name) + 1); ++ if (!msg[pam_prompts].msg) ++ goto cleanup; ++ strcpy((char *) msg[pam_prompts].msg, name); ++ msg[pam_prompts].msg_style = PAM_TEXT_INFO; ++ pam_prompts++; ++ } ++ ++ if (banner) { ++ msg[pam_prompts].msg = malloc(strlen(banner) + 1); ++ if (!msg[pam_prompts].msg) ++ goto cleanup; ++ strcpy((char *) msg[pam_prompts].msg, banner); ++ msg[pam_prompts].msg_style = PAM_TEXT_INFO; ++ pam_prompts++; ++ } ++ ++ for (i = 0; i < num_prompts; i++) { ++ msg[pam_prompts].msg = malloc(strlen(prompts[i].prompt) + 3); ++ if (!msg[pam_prompts].msg) ++ goto cleanup; ++ sprintf((char *) msg[pam_prompts].msg, "%s: ", prompts[i].prompt); ++ msg[pam_prompts].msg_style = prompts[i].hidden ? 
PAM_PROMPT_ECHO_OFF ++ : PAM_PROMPT_ECHO_ON; ++ pam_prompts++; ++ } ++ ++ if ((pamret = conv->conv(pam_prompts, (const struct pam_message **) &msg, ++ &resp, conv->appdata_ptr)) != 0) ++ goto cleanup; ++ ++ if (!resp) ++ goto cleanup; ++ ++ /* Reuse pam_prompts as a starting index */ ++ pam_prompts = 0; ++ if (name) ++ pam_prompts++; ++ if (banner) ++ pam_prompts++; ++ ++ for (i = 0; i < num_prompts; i++, pam_prompts++) { ++ register int len; ++ if (!resp[pam_prompts].resp) { ++ pamret = PAM_AUTH_ERR; ++ goto cleanup; ++ } ++ len = strlen(resp[pam_prompts].resp); /* Help out the compiler */ ++ if (len > prompts[i].reply->length) { ++ pamret = PAM_AUTH_ERR; ++ goto cleanup; ++ } ++ memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len); ++ prompts[i].reply->length = len; ++ } ++ ++cleanup: ++ /* pam_prompts is correct at this point */ ++ ++ for (i = 0; i < pam_prompts; i++) { ++ if (msg[i].msg) ++ free((char *) msg[i].msg); ++ } ++ free(msg); ++ ++ if (resp) { ++ for (i = 0; i < pam_prompts; i++) { ++ /* ++ * Note that PAM is underspecified wrt free()'ing resp[i].resp. ++ * It's not clear if I should free it, or if the application ++ * has to. Therefore most (all?) apps won't free() it, and I ++ * can't either, as I am not sure it was malloc()'d. All PAM ++ * implementations I've seen leak memory here. Not so bad, IFF ++ * you fork/exec for each PAM authentication (as is typical). ++ */ ++#if 0 ++ if (resp[i].resp) ++ free(resp[i].resp); ++#endif /* 0 */ ++ } ++ /* This does not lose resp[i].resp if the application saved a copy. */ ++ free(resp); ++ } ++ ++ return (pamret ? KRB5KRB_ERR_GENERIC : 0); ++} ++ ++krb5_prompter_fct pam_prompter = mit_pam_prompter; |
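Review bot: The strings in `resp[pam_prompts].resp` that `mit_pam_prompter` copies from are the user's password answers, yet the cleanup path frees only the `resp` array and leaves each string allocated and intact (the `#if 0` block). Where the PAM implementation documents that the module owns the response strings, they should be wiped and freed, e.g. `if (resp[i].resp) { memset(resp[i].resp, 0, strlen(resp[i].resp)); free(resp[i].resp); }`, using a wipe the compiler cannot drop where one is available. Separately, an early exit from the reply loop leaves `pam_prompts` below the number of allocated messages, so the remaining `msg[i].msg` strings are never freed; keeping the total in its own variable for the cleanup loops would fix that. `heimdal_pam_prompter` in patch-ah has the same cleanup code.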