Relevant BUGIDs:

Purpose of commit: cleanup

Commit summary:
---------------
Use the new pam_syslog and pam_prompt helper functions. Patches by ldv.

4 files changed, 88 insertions, 197 deletions

diff --git a/modules/pam_userdb/Makefile.am b/modules/pam_userdb/Makefile.am
index 3c87f1aa..5d7e8017 100644
--- a/modules/pam_userdb/Makefile.am
+++ b/modules/pam_userdb/Makefile.am
@@ -22,5 +22,4 @@ if HAVE_LIBDB
   securelib_LTLIBRARIES = pam_userdb.la
 endif
 
-pam_userdb_la_SOURCES = pam_userdb.c conv.c
 noinst_HEADERS = pam_userdb.h
diff --git a/modules/pam_userdb/conv.c b/modules/pam_userdb/conv.c
deleted file mode 100644
index 33923851..00000000
--- a/modules/pam_userdb/conv.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * Conversation related functions
- */
-
-/* $Id */
-/* Copyright at the end of the file */
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <security/pam_modules.h>
-#include <security/_pam_macros.h>
-
-#include "pam_userdb.h"
-
-/*
- * dummy conversation function sending exactly one prompt
- * and expecting exactly one response from the other party
- */
-static int converse(pam_handle_t *pamh,
-		    struct pam_message **message,
-		    struct pam_response **response)
-{
-    int retval;
-    const void* void_conv;
-    const struct pam_conv *conv;
-
-    retval = pam_get_item(pamh, PAM_CONV,  &void_conv ) ;
-    conv = void_conv;
-    if (retval == PAM_SUCCESS)
-	retval = conv->conv(1, (const struct pam_message **)message,
-			    response, conv->appdata_ptr);
-
-    return retval; /* propagate error status */
-}
-
-
-static char *_pam_delete(register char *xx)
-{
-    _pam_overwrite(xx);
-    _pam_drop(xx);
-    return NULL;
-}
-
-/*
- * This is a conversation function to obtain the user's password
- */
-int conversation(pam_handle_t *pamh)
-{
-    struct pam_message msg[2],*pmsg[2];
-    struct pam_response *resp;
-    int retval;
-    char * token = NULL;
-
-    pmsg[0] = &msg[0];
-    msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
-    msg[0].msg = "Password: ";
-
-    /* so call the conversation expecting i responses */
-    resp = NULL;
-    retval = converse(pamh, pmsg, &resp);
-
-    if (resp != NULL) {
-	const void *item;
-	/* interpret the response */
-	if (retval == PAM_SUCCESS) {     /* a good conversation */
-	    token = x_strdup(resp[0].resp);
-	    if (token == NULL) {
-		return PAM_AUTHTOK_RECOVER_ERR;
-	    }
-	}
-
-	/* set the auth token */
-	retval = pam_set_item(pamh, PAM_AUTHTOK, token);
-	token = _pam_delete(token);   /* clean it up */
-	if ( (retval != PAM_SUCCESS) ||
-	     (retval = pam_get_item(pamh, PAM_AUTHTOK, &item))
-	     != PAM_SUCCESS ) {
-	    return retval;
-	}
-
-	_pam_drop_reply(resp, 1);
-    } else {
-	retval = (retval == PAM_SUCCESS)
-	    ? PAM_AUTHTOK_RECOVER_ERR:retval ;
-    }
-
-    return retval;
-}
-
-/*
- * Copyright (c) Cristian Gafton <gafton@redhat.com>, 1999
- *                                              All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, and the entire permission notice in its entirety,
- *    including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- *    products derived from this software without specific prior
- *    written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions.  (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
index 87a6ffd5..61b0da86 100644
--- a/modules/pam_userdb/pam_userdb.c
+++ b/modules/pam_userdb/pam_userdb.c
@@ -46,22 +46,45 @@
 #define PAM_SM_ACCOUNT
 
 #include <security/pam_modules.h>
+#include <security/pam_ext.h>
+#include <security/_pam_macros.h>
 
-/* some syslogging */
-
-static void _pam_log(int err, const char *format, ...)
+/*
+ * Conversation function to obtain the user's password
+ */
+static int
+obtain_authtok(pam_handle_t *pamh)
 {
-    va_list args;
+    char *resp;
+    const void *item;
+    int retval;
+
+    retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &resp, "Password: ");
+
+    if (retval != PAM_SUCCESS)
+	return retval;
+
+    if (resp == NULL)
+	return PAM_AUTHTOK_RECOVER_ERR;
 
-    va_start(args, format);
-    openlog(MODULE_NAME, LOG_CONS|LOG_PID, LOG_AUTH);
-    vsyslog(err, format, args);
-    va_end(args);
-    closelog();
+    /* set the auth token */
+    retval = pam_set_item(pamh, PAM_AUTHTOK, resp);
+
+    /* clean it up */
+    _pam_overwrite(resp);
+    _pam_drop(resp);
+
+    if ( (retval != PAM_SUCCESS) ||
+	 (retval = pam_get_item(pamh, PAM_AUTHTOK, &item))
+	 != PAM_SUCCESS ) {
+	return retval;
+    }
+
+    return retval;
 }
 
 static int
-_pam_parse (int argc, const char **argv,
+_pam_parse (pam_handle_t *pamh, int argc, const char **argv,
 	    char **database, char **cryptmode)
 {
   int ctrl;
@@ -88,21 +111,19 @@ _pam_parse (int argc, const char **argv,
 	{
 	  *database = strdup((*argv) + 3);
 	  if ((*database == NULL) || (strlen (*database) == 0))
-	    _pam_log(LOG_ERR,
-		     "pam_parse: could not parse argument \"%s\"",
-		     *argv);
+	    pam_syslog(pamh, LOG_ERR,
+		       "could not parse argument \"%s\"", *argv);
 	}
       else if (!strncasecmp(*argv,"crypt=", 6))
 	{
 	  *cryptmode = strdup((*argv) + 6);
 	  if ((*cryptmode == NULL) || (strlen (*cryptmode) == 0))
-	    _pam_log(LOG_ERR,
-		     "pam_parse: could not parse argument \"%s\"",
-		     *argv);
+	    pam_syslog(pamh, LOG_ERR,
+		       "could not parse argument \"%s\"", *argv);
 	}
       else
 	{
-	  _pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv);
+	  pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
 	}
     }
 
@@ -120,7 +141,7 @@ _pam_parse (int argc, const char **argv,
  *	-2  = System error
  */
 static int
-user_lookup (const char *database, const char *cryptmode,
+user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
 	     const char *user, const char *pass, int ctrl)
 {
     DBM *dbm;
@@ -129,19 +150,20 @@ user_lookup (const char *database, const char *cryptmode,
     /* Open the DB file. */
     dbm = dbm_open(database, O_RDONLY, 0644);
     if (dbm == NULL) {
-	_pam_log(LOG_ERR, "user_lookup: could not open database `%s'",
-		 database);
+	pam_syslog(pamh, LOG_ERR,
+		   "user_lookup: could not open database `%s': %m", database);
 	return -2;
     }
 
     /* dump out the database contents for debugging */
     if (ctrl & PAM_DUMP_ARG) {
-	_pam_log(LOG_INFO, "Database dump:");
+	pam_syslog(pamh, LOG_INFO, "Database dump:");
 	for (key = dbm_firstkey(dbm);  key.dptr != NULL;
 	     key = dbm_nextkey(dbm)) {
 	    data = dbm_fetch(dbm, key);
-	    _pam_log(LOG_INFO, "key[len=%d] = `%s', data[len=%d] = `%s'",
-		     key.dsize, key.dptr, data.dsize, data.dptr);
+	    pam_syslog(pamh, LOG_INFO,
+		       "key[len=%d] = `%s', data[len=%d] = `%s'",
+		       key.dsize, key.dptr, data.dsize, data.dptr);
 	}
     }
 
@@ -164,8 +186,9 @@ user_lookup (const char *database, const char *cryptmode,
     }
 
     if (ctrl & PAM_DEBUG_ARG) {
-	_pam_log(LOG_INFO, "password in database is [%p]`%.*s', len is %d",
-		 data.dptr, data.dsize, (char *) data.dptr, data.dsize);
+	pam_syslog(pamh, LOG_INFO,
+		   "password in database is [%p]`%.*s', len is %d",
+		   data.dptr, data.dsize, (char *) data.dptr, data.dsize);
     }
 
     if (data.dptr != NULL) {
@@ -199,7 +222,7 @@ user_lookup (const char *database, const char *cryptmode,
 	    } else {
 	      compare = -2;
 	      if (ctrl & PAM_DEBUG_ARG) {
-		_pam_log(LOG_INFO, "crypt() returned NULL");
+		pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
 	      }
 	    };
 
@@ -221,9 +244,9 @@ user_lookup (const char *database, const char *cryptmode,
 
 	  if (cryptmode && strncasecmp(cryptmode, "none", 4) 
 		&& (ctrl & PAM_DEBUG_ARG)) {
-	    _pam_log(LOG_INFO, "invalid value for crypt parameter: %s",
-		     cryptmode);
-	    _pam_log(LOG_INFO, "defaulting to plaintext password mode");
+	    pam_syslog(pamh, LOG_INFO, "invalid value for crypt parameter: %s",
+		       cryptmode);
+	    pam_syslog(pamh, LOG_INFO, "defaulting to plaintext password mode");
 	  }
 
 	}
@@ -237,8 +260,7 @@ user_lookup (const char *database, const char *cryptmode,
         int saw_user = 0;
 
 	if (ctrl & PAM_DEBUG_ARG) {
-	    _pam_log(LOG_INFO, "error returned by dbm_fetch: %s",
-		     strerror(errno));
+	    pam_syslog(pamh, LOG_INFO, "error returned by dbm_fetch: %m");
 	}
 
 	/* probably we should check dbm_error() here */
@@ -294,9 +316,9 @@ user_lookup (const char *database, const char *cryptmode,
 
 /* --- authentication management functions (only) --- */
 
-PAM_EXTERN
-int pam_sm_authenticate(pam_handle_t *pamh, int flags,
-			int argc, const char **argv)
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
+		    int argc, const char **argv)
 {
      const char *username;
      const void *password;
@@ -305,26 +327,24 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
      int retval = PAM_AUTH_ERR, ctrl;
 
      /* parse arguments */
-     ctrl = _pam_parse(argc, argv, &database, &cryptmode);
+     ctrl = _pam_parse(pamh, argc, argv, &database, &cryptmode);
      if ((database == NULL) || (strlen(database) == 0)) {
-        if (ctrl & PAM_DEBUG_ARG)
-            _pam_log(LOG_DEBUG,"can not get the database name");
+        pam_syslog(pamh, LOG_ERR, "can not get the database name");
         return PAM_SERVICE_ERR;
      }
 
      /* Get the username */
      retval = pam_get_user(pamh, &username, NULL);
      if ((retval != PAM_SUCCESS) || (!username)) {
-        if (ctrl & PAM_DEBUG_ARG)
-            _pam_log(LOG_DEBUG,"can not get the username");
+        pam_syslog(pamh, LOG_ERR, "can not get the username");
         return PAM_SERVICE_ERR;
      }
 
      /* Converse just to be sure we have a password */
-     retval = conversation(pamh);
+     retval = obtain_authtok(pamh);
      if (retval != PAM_SUCCESS) {
-	 _pam_log(LOG_ERR, "could not obtain password for `%s'",
-		  username);
+	 pam_syslog(pamh, LOG_ERR, "could not obtain password for `%s'",
+		    username);
 	 return PAM_CONV_ERR;
      }
 
@@ -335,10 +355,10 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
       * do so again. */
      retval = pam_get_item(pamh, PAM_AUTHTOK, &password);
      if ((retval != PAM_SUCCESS) && ((ctrl & PAM_USE_AUTHTOK_ARG) != 0)) {
-        retval = conversation(pamh);
+        retval = obtain_authtok(pamh);
         if (retval != PAM_SUCCESS) {
-           _pam_log(LOG_ERR, "could not obtain password for `%s'",
-                    username);
+           pam_syslog(pamh, LOG_ERR, "could not obtain password for `%s'",
+		      username);
            return PAM_CONV_ERR;
         }
      }
@@ -346,39 +366,39 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
      /* Get the password */
      retval = pam_get_item(pamh, PAM_AUTHTOK, &password);
      if (retval != PAM_SUCCESS) {
-	 _pam_log(LOG_ERR, "Could not retrieve user's password");
+	 pam_syslog(pamh, LOG_ERR, "Could not retrieve user's password");
 	 return -2;
      }
 
      if (ctrl & PAM_DEBUG_ARG)
-	 _pam_log(LOG_INFO, "Verify user `%s' with password `%s'",
-		  username, password);
+	 pam_syslog(pamh, LOG_INFO, "Verify user `%s' with password `%s'",
+		    username, (const char *)password);
 
      /* Now use the username to look up password in the database file */
-     retval = user_lookup(database, cryptmode, username, password, ctrl);
+     retval = user_lookup(pamh, database, cryptmode, username, password, ctrl);
      switch (retval) {
 	 case -2:
 	     /* some sort of system error. The log was already printed */
 	     return PAM_SERVICE_ERR;
 	 case -1:
 	     /* incorrect password */
-	     _pam_log(LOG_WARNING,
-		      "user `%s' denied access (incorrect password)",
-		      username);
+	     pam_syslog(pamh, LOG_WARNING,
+			"user `%s' denied access (incorrect password)",
+			username);
 	     return PAM_AUTH_ERR;
 	 case 1:
 	     /* the user does not exist in the database */
 	     if (ctrl & PAM_DEBUG_ARG)
-		 _pam_log(LOG_NOTICE, "user `%s' not found in the database",
-			  username);
+		 pam_syslog(pamh, LOG_NOTICE,
+			    "user `%s' not found in the database", username);
 	     return PAM_USER_UNKNOWN;
 	 case 0:
 	     /* Otherwise, the authentication looked good */
-	     _pam_log(LOG_NOTICE, "user '%s' granted acces", username);
+	     pam_syslog(pamh, LOG_NOTICE, "user '%s' granted acces", username);
 	     return PAM_SUCCESS;
 	 default:
 	     /* we don't know anything about this return value */
-	     _pam_log(LOG_ERR,
+	     pam_syslog(pamh, LOG_ERR,
 		      "internal module error (retval = %d, user = `%s'",
 		      retval, username);
 	     return PAM_SERVICE_ERR;
@@ -388,15 +408,16 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
      return PAM_IGNORE;
 }
 
-PAM_EXTERN
-int pam_sm_setcred(pam_handle_t *pamh, int flags,
-		   int argc, const char **argv)
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
+	       int argc UNUSED, const char **argv UNUSED)
 {
     return PAM_SUCCESS;
 }
 
-PAM_EXTERN
-int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
+		 int argc, const char **argv)
 {
     const char *username;
     char *database = NULL;
@@ -404,18 +425,17 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
     int retval = PAM_AUTH_ERR, ctrl;
 
     /* parse arguments */
-    ctrl = _pam_parse(argc, argv, &database, &cryptmode);
+    ctrl = _pam_parse(pamh, argc, argv, &database, &cryptmode);
 
     /* Get the username */
     retval = pam_get_user(pamh, &username, NULL);
     if ((retval != PAM_SUCCESS) || (!username)) {
-        if (ctrl & PAM_DEBUG_ARG)
-            _pam_log(LOG_DEBUG,"can not get the username");
+        pam_syslog(pamh, LOG_ERR,"can not get the username");
         return PAM_SERVICE_ERR;
     }
 
     /* Now use the username to look up password in the database file */
-    retval = user_lookup(database, cryptmode, username, "", ctrl);
+    retval = user_lookup(pamh, database, cryptmode, username, "", ctrl);
     switch (retval) {
         case -2:
 	    /* some sort of system error. The log was already printed */
@@ -431,9 +451,9 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
 	    return PAM_USER_UNKNOWN;
         default:
 	    /* we don't know anything about this return value */
-	    _pam_log(LOG_ERR,
-		     "internal module error (retval = %d, user = `%s'",
-		     retval, username);
+	    pam_syslog(pamh, LOG_ERR,
+		       "internal module error (retval = %d, user = `%s'",
+		       retval, username);
         return PAM_SERVICE_ERR;
     }
 
diff --git a/modules/pam_userdb/pam_userdb.h b/modules/pam_userdb/pam_userdb.h
index a371fa9f..8fb2e653 100644
--- a/modules/pam_userdb/pam_userdb.h
+++ b/modules/pam_userdb/pam_userdb.h
@@ -22,9 +22,6 @@
 #define MODULE_NAME	"pam_userdb"
 #endif /* MODULE_NAME */
 
-/* function prototypes */
-int conversation(pam_handle_t *);
-
 #endif /* _PAM_USERSDB_H */
 
 /*