# Linux-PAM. True, they are a little anal. Pay attention to the comments
# they generate.
-HEADER_DIRS=-I./include -I$(absolute_srcdir)/libpam/include -I$(absolute_srcdir)
+HEADER_DIRS=-I./include -I$(absolute_srcdir)/libpam/include \
+ -I$(absolute_srcdir) -I$(absolute_srcdir)/libpamc/include
WARNINGS=@WARNINGS@
OS_CFLAGS=@OS_CFLAGS@
PIC=@PIC@
echo to ../$(DISTNAME) . ; fi
@diff ../$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL)/Make.Rules Make.Rules
make distclean
- cd .. ; tar zvfc $(DISTNAME)-$(MAJOR_REL).$(MINOR_REL).tar.gz --exclude CVS --exclude .cvsignore --exclude '.#*' $(DISTNAME)-$(MAJOR_REL).$(MINOR_REL)/*
+ cd .. ; tar zvfc $(DISTNAME)-$(MAJOR_REL).$(MINOR_REL).tar.gz \
+ --exclude CVS --exclude .cvsignore --exclude '.#*' \
+ $(DISTNAME)-$(MAJOR_REL).$(MINOR_REL)/*
-## =================
-
-ifdef LEGACY_OLD_MAKEFILE
-
-# major and minor numbers of this release
-MAJOR_REL=0
-MINOR_REL=72
-DEBUG_REL=no
-#DEBUG_REL=yes
-
-# this should be the name of this directory (under CVS)
-DISTNAME = Linux-PAM
-# this should be the name of this directory (when generating the release)
-RELNAME = $(DISTNAME)-$(MAJOR_REL).$(MINOR_REL)
-
-# this is the name of the archive file
-DISTFILE = $(RELNAME).tar.gz
-
-# define this to indicate to subdirectories that they are part of the
-# full source tree.
-FULL_LINUX_PAM_SOURCE_TREE=yes
-export FULL_LINUX_PAM_SOURCE_TREE
-
-DYNLOAD="dl"
-DYNTYPE="so"
-
-# Comment out either line to disable that type of linking for *modules only*
-# Both at once is a legal configuration!
-DYNAMIC=-DPAM_DYNAMIC
-#STATIC=-DPAM_STATIC
-
-# Comment out these lines to disable building dynamic/static libpam.*
-DYNAMIC_LIBPAM=yes
-#STATIC_LIBPAM=yes
-
-# All combinations of the above four variable definitions are legal,
-# however, not defining either dynamic or static modules and yet
-# creating a some flavor of LIBPAM will make an authentication library
-# that always fails!
-
-# Here we indicate which libraries are present on the local system
-# they control the building of some modules in this distribution
-# Note, these definitions are all "export"ed below...
-
-HAVE_PWDBLIB=yes
-HAVE_CRACKLIB=yes
-HAVE_AFSLIBS=no
-HAVE_KRBLIBS=no
-
-# NB. The following is the generic defines for compilation.
-# They can be overridden in the default.defs file below
-#
-WARNINGS = -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
- -Wpointer-arith -Wcast-qual -Wcast-align \
- -Wtraditional -Wstrict-prototypes -Wmissing-prototypes \
- -Wnested-externs -Winline -Wshadow -pedantic
-PIC=-fPIC
-
-# Mode to install shared libraries with
-SHLIBMODE=755
-
-#
-# Conditional defines..
-#
-
-ifdef DYNAMIC
-# need the dynamic library functions
-LIBDL=-l$(DYNLOAD)
-ifdef STATIC_LIBPAM
-# needed because pam_xxx() fn's are now in statically linked library
-RDYNAMIC = -rdynamic
-endif
-endif
-
-# Here we include the defines for the preferred operating system
-# these include things like CC, CFLAGS and destination directories
-# etc.. By default, this is a symbolic link to one of the .defs files
-# the .../defs/ directory. Please take a moment to check that you are
-# using the correct one.
-
-include default.defs
-
-# to turn on the fprintf(stderr, ..) debugging lines throughout the
-# distribution uncomment this line
-#EXTRAS += -DDEBUG
-
-# For serious memory allocation tracing uncomment the following
-#MEMORY_DEBUG=-DMEMORY_DEBUG
-
-#######################################################################
-# The pam_unix module in this file will not work on NIS based systems.#
-#######################################################################
-
-# ////////////////////////////////////////////////////
-# // You should not modify anything below this line //
-# ////////////////////////////////////////////////////
-
-# the sub-directories to make things in
-
-DIRS = modules libpam conf libpam_misc libpamc examples
-
-#
-# basic defines
-#
-
-INCLUDEDIR=-I$(shell pwd)/include
-PAMLIB=-L$(shell pwd)/libpam
-PAMMISCLIB=-L$(shell pwd)/libpam_misc
-ifeq ($(DEBUG_REL),yes)
- PAMLIB += -lpamd
- PAMMISCLIB += -lpamd_misc
-else
- PAMLIB += -lpam
- PAMMISCLIB += -lpam_misc
-endif
-
-
-# This is Linux-PAM and not a version from Sun etc..
-# [Note, this does not describe the operating system you are using
-# only that you are compiling the "Linux" (read FREE) implementation
-# of Pluggable Authentication Modules.
-EXTRAS += -DLINUX_PAM
-
-#
-# build composite defines
-#
-
-LOADLIBES = $(PAMLIB) $(RDYNAMIC) $(PAMMISCLIB) $(LIBDL) $(ULIBS)
-
-CFLAGS += $(EXTRAS) $(MEMORY_DEBUG) $(WARNINGS) $(INCLUDEDIR) $(PIC)
-ifneq ($(strip $(OS)),)
-CFLAGS += -D$(OS)
-endif
-ifneq ($(strip $(ARCH)),)
-CFLAGS += -D$(ARCH)
-endif
-
-#
-# export the libraries-available info; the modules should know how
-# to deal with this...
-#
-export HAVE_PWDBLIB
-export HAVE_CRACKLIB
-export HAVE_AFSLIBS
-export HAVE_KRBLIBS
-
-#
-# generic exports
-#
-export MAJOR_REL # the major release of this distribution
-export MINOR_REL # the minor release of this distribution
-export DEBUG_REL # for installing a debugging version of PAM
-export OS # operating system
-export ARCH # architecture
-export CC # the C compiler
-export INSTALL # to do instalations with
-export MKDIR # to ensure directories exist
-export CFLAGS # CC flags used to compile everything
-export LD_D # build a shared object file (module)
-export LD_L # build a shared library (e.g. libpam)
-export USESONAME # does shlib link command require soname option
-export SOSWITCH # shlib lib soname switch name
-export LINKLIBS # libraries to append when making dynamic libs
-export NEEDSONAME # does shared library link need versioned lib
-export LD # build a generic library
-export LDCONFIG # rebuild the shared libraries
-export AR # build a static library
-export RANLIB # reorder a static library
-export LOADLIBES # libraries needed for application linking
-export PAMLIB # where to find the local libpam.xx file
-export DYNTYPE # which suffix is used for libraries
-export SHLIBMODE # file mode for shared objects
-export EXTRALS # libraries that some modules need
-export LIBDL # extra library for libpam.so
-#
-# where to install things
-#
-export FAKEROOT # for package maintainers
-#
-export PREFIX # basic prefix for all other directories
-export SUPLEMENTED # where to store module helper binaries
-export LIBDIR # where libpam and libpam_misc go
-export SECUREDIR # where the modules will be placed
-export INCLUDED # where to store pam---.h files
-export CONFIGED # where pam.conf and pam.d/ go
-export SCONFIGED # where modules' config files go
-
-#
-# Conditional exporting ( ... these go on for a while... )
-#
-ifdef DYNAMIC
-export DYNAMIC
-endif
-ifdef STATIC
-export STATIC
-endif
-ifdef DYNAMIC_LIBPAM
-export DYNAMIC_LIBPAM
-endif
-ifdef STATIC_LIBPAM
-export STATIC_LIBPAM
-endif
-ifdef MEMORY_DEBUG
-export MEMORY_DEBUG
-endif
-
-##
-## the rules
-##
-
-all: .freezemake headers
-
- @for i in $(DIRS) ; do \
- $(MAKE) -C $$i all ; \
- if [ $$? -ne 0 ]; then break ; fi ; \
- done
-
-.freezemake: Makefile
- @touch .freezemake
- @echo "*WARNING*: If you are running a system that is dependent"
- @echo " on PAM to work. DO NOT make sterile NOR make remove."
- @echo " These options will delete the PAM files on your system"
- @echo " and make it unusable!"
- @echo ""
- @echo "If you are in any doubt, just do 'make all' (or just"
- @echo "'make'). It is likely that this is the SAFEST thing to do...."
- @exit 1
-
-install:
- @for i in $(DIRS) ; do \
- $(MAKE) -C $$i install ; \
- if [ $$? -ne 0 ]; then break ; fi ; \
- done
-
-sterile: .freezemake
- @$(MAKE) remove
- @$(MAKE) extraclean
-
-remove: .freezemake
- @for i in $(DIRS) ; do \
- $(MAKE) -C $$i remove ; \
- done
-
-clean:
- @rm -f *~ core
- @for i in $(DIRS) ; do \
- $(MAKE) -C $$i clean ; \
- done
-
-headers:
- @mkdir -p include/security && cd include/security \
- && ln -fs ../../libpam/include/security/*.h . \
- && ln -fs ../../libpam_misc/*.h . \
- && ln -fs ../../libpamc/include/security/*.h .
-
-cl_headers:
- @cd include/security ; rm -f *.h
-
-extraclean:
- make cl_headers
- @for i in $(DIRS) doc ; do \
- $(MAKE) -C $$i extraclean ; \
- done
-
-check:
- @$(MAKE) -C conf check
-
-open:
- @find . \( -type f -a -perm 644 \) -print
-
-release:
- @egrep '^DEBUG\_REL\=yes' Makefile|grep -v grep > /dev/null ;\
- if [ $$? -eq 0 ]; then \
- echo "You should first set DEBUG_REL to no" ; exit 1 ; fi
- $(MAKE) extraclean
- rm -f .freezemake
- touch .filelist
- chmod 600 .filelist
- cd .. ; find $(RELNAME) \! -type d -print | fgrep -v 'conf/.md5sum' > $(RELNAME)/.filelist
- chmod 400 .filelist
- $(MAKE) check
- (cat .filelist ; echo $(RELNAME)/conf/.md5sum) | (cd .. ; tar -cz -f$(DISTFILE) -T-)
-
-endif # LEGACY_OLD_MAKEFILE
#define __PAMMISC_H
#include <security/pam_appl.h>
+#include <security/pam_client.h>
/* include some useful macros */
extern const char *pam_misc_conv_warn_line; /* warning notice */
extern const char *pam_misc_conv_die_line; /* cut-off remark */
extern int pam_misc_conv_died; /* 1 = cut-off time reached (0 not) */
-extern int (*pam_binary_handler_fn)(const void *send, void **receive);
-
+extern int (*pam_binary_handler_fn)(void *appdata, pamc_bp_t *prompt_p);
+extern void (*pam_binary_handler_free)(void *appdata, pamc_bp_t *prompt_p);
/*
* Environment helper functions
*/
int pam_misc_conv_died=0; /* application can probe this for timeout */
-static void pam_misc_conv_delete_binary(void **delete_me)
+/*
+ * These functions are for binary prompt manipulation.
+ * The manner in which a binary prompt is processed is application
+ * specific, so these function pointers are provided and can be
+ * initialized by the application prior to the conversation function
+ * being used.
+ */
+
+static void pam_misc_conv_delete_binary(void *appdata,
+ pamc_bp_t *delete_me)
{
- if (delete_me && *delete_me) {
- unsigned char *packet = *(unsigned char **)delete_me;
- int length;
-
- length = (packet[0]<<24)+(packet[1]<<16)+(packet[2]<<8)+packet[3];
- memset(packet, 0, length);
- free(packet);
- *delete_me = packet = NULL;
- }
+ PAM_BP_RENEW(delete_me, 0, 0);
}
-/* These function pointers are for application specific binary
- conversations. One or both of the arguments to the first function
- must be non-NULL. The first function must return PAM_SUCCESS or
- PAM_CONV_ERR. If input is non-NULL, a response is expected, this
- response should be malloc()'d and will eventually be free()'d by
- the calling module. The structure of this malloc()'d response is as
- follows:
-
- { int length, char data[length] }
-
- For convenience, the pointer used by the two function pointer
- prototypes is 'void *'.
-
- The ...free() fn pointer is used to discard a binary message that
- is not of the default form. It should be explicitly overwritten
- when using some other convention for the structure of a binary
- prompt (not recommended). */
-
-int (*pam_binary_handler_fn)(const void *send, void **receive) = NULL;
-void (*pam_binary_handler_free)(void **packet_p) = pam_misc_conv_delete_binary;
+int (*pam_binary_handler_fn)(void *appdata, pamc_bp_t *prompt_p) = NULL;
+void (*pam_binary_handler_free)(void *appdata, pamc_bp_t *prompt_p)
+ = pam_misc_conv_delete_binary;
/* the following code is used to get text input */
break;
case PAM_BINARY_PROMPT:
{
- void *pack_out=NULL;
- const void *pack_in = msgm[count]->msg;
+ pamc_bp_t binary_prompt = NULL;
+
+ if (!msgm[count]->msg || !pam_binary_handler_fn) {
+ goto failed_conversation;
+ }
+
+ PAM_BP_RENEW(&binary_prompt,
+ PAM_BP_RCONTROL(msgm[count]->msg),
+ PAM_BP_LENGTH(msgm[count]->msg));
+ PAM_BP_FILL(binary_prompt, 0, PAM_BP_LENGTH(msgm[count]->msg),
+ PAM_BP_RDATA(msgm[count]->msg));
- if (!pam_binary_handler_fn
- || pam_binary_handler_fn(pack_in, &pack_out) != PAM_SUCCESS
- || pack_out == NULL) {
+ if (pam_binary_handler_fn(appdata_ptr,
+ &binary_prompt) != PAM_SUCCESS
+ || (binary_prompt == NULL)) {
goto failed_conversation;
}
- string = (char *) pack_out;
- pack_out = NULL;
+ string = (char *) binary_prompt;
+ binary_prompt = NULL;
break;
}
free(reply[count].resp);
break;
case PAM_BINARY_PROMPT:
- pam_binary_handler_free((void **) &reply[count].resp);
+ pam_binary_handler_free(appdata_ptr,
+ (pamc_bp_t *) &reply[count].resp);
break;
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
# define PAM_BP_FREE free
#endif /* PAM_BP_FREE */
-#define __PAM_BP_OCTET(x,y) (*((y) + (__u8 *)(x)))
+#define __PAM_BP_WOCTET(x,y) (*((y) + (__u8 *)(x)))
+#define __PAM_BP_ROCTET(x,y) (*((y) + (const __u8 *)(x)))
#define PAM_BP_MIN_SIZE (sizeof(__u32) + sizeof(__u8))
#define PAM_BP_MAX_LENGTH 0x20000 /* an advisory limit */
-#define PAM_BP_CONTROL(x) (__PAM_BP_OCTET(x,4))
-#define PAM_BP_SIZE(x) ((__PAM_BP_OCTET(x,0)<<24)+ \
- (__PAM_BP_OCTET(x,1)<<16)+ \
- (__PAM_BP_OCTET(x,2)<< 8)+ \
- (__PAM_BP_OCTET(x,3) ))
+#define PAM_BP_WCONTROL(x) (__PAM_BP_WOCTET(x,4))
+#define PAM_BP_RCONTROL(x) (__PAM_BP_ROCTET(x,4))
+#define PAM_BP_SIZE(x) ((__PAM_BP_ROCTET(x,0)<<24)+ \
+ (__PAM_BP_ROCTET(x,1)<<16)+ \
+ (__PAM_BP_ROCTET(x,2)<< 8)+ \
+ (__PAM_BP_ROCTET(x,3) ))
#define PAM_BP_LENGTH(x) (PAM_BP_SIZE(x) - PAM_BP_MIN_SIZE)
-#define PAM_BP_DATA(x) (PAM_BP_MIN_SIZE + (__u8 *) (x))
+#define PAM_BP_WDATA(x) (PAM_BP_MIN_SIZE + (__u8 *) (x))
+#define PAM_BP_RDATA(x) (PAM_BP_MIN_SIZE + (const __u8 *) (x))
/* Note, this macro always '\0' terminates renewed packets */
do { \
if (old_p) { \
if (*(old_p)) { \
- __u32 __size = PAM_BP_SIZE(*(old_p)); \
+ __u32 __size; \
+ __size = PAM_BP_SIZE(*(old_p)); \
memset(*(old_p), 0, __size); \
PAM_BP_FREE(*(old_p)); \
} \
\
__size = PAM_BP_MIN_SIZE + data_length; \
if ((*(old_p) = PAM_BP_CALLOC(1, 1+__size))) { \
- __PAM_BP_OCTET(*(old_p), 3) = __size & 0xFF; \
- __PAM_BP_OCTET(*(old_p), 2) = (__size>>=8) & 0xFF; \
- __PAM_BP_OCTET(*(old_p), 1) = (__size>>=8) & 0xFF; \
- __PAM_BP_OCTET(*(old_p), 0) = (__size>>=8) & 0xFF; \
+ __PAM_BP_WOCTET(*(old_p), 3) = __size & 0xFF; \
+ __PAM_BP_WOCTET(*(old_p), 2) = (__size>>=8) & 0xFF; \
+ __PAM_BP_WOCTET(*(old_p), 1) = (__size>>=8) & 0xFF; \
+ __PAM_BP_WOCTET(*(old_p), 0) = (__size>>=8) & 0xFF; \
(*(old_p))->control = cntrl; \
} else { \
PAM_BP_ASSERT("out of memory for binary prompt"); \
if (bp_length < ((length)+(offset))) { \
PAM_BP_ASSERT("attempt to write over end of prompt"); \
} \
- memcpy((offset) + PAM_BP_DATA(prompt), (data), (length)); \
+ memcpy((offset) + PAM_BP_WDATA(prompt), (data), (length)); \
} while (0)
#define PAM_BP_EXTRACT(prmpt, offset, length, data) \
do { \
- int bp_length; \
- __u8 *prompt = (__u8 *) (prmpt); \
- bp_length = PAM_BP_LENGTH(prompt); \
- if (((offset) < 0) || bp_length < ((length)+(offset)) \
- || (length) < 0) { \
+ int __bp_length; \
+ const __u8 *__prompt = (const __u8 *) (prmpt); \
+ __bp_length = PAM_BP_LENGTH(__prompt); \
+ if (((offset) < 0) || (__bp_length < ((length)+(offset))) \
+ || ((length) < 0)) { \
PAM_BP_ASSERT("invalid extraction from prompt"); \
} \
- memcpy((data), (offset) + PAM_BP_DATA(prompt), (length)); \
+ memcpy((data), (offset) + PAM_BP_RDATA(__prompt), (length)); \
} while (0)
/* construct the whole reply prompt */
size = PAM_BP_SIZE(raw);
- control = PAM_BP_CONTROL(raw);
+ control = PAM_BP_RCONTROL(raw);
memset(raw, 0, sizeof(raw));
D(("agent replied with prompt of size %d and control %u",
or die "you'll need /usr/bin/md5sum installed";
my $oldfd = select MD5in; $|=1; select $oldfd;
+ if ($debug) {
+ print STDERR "agent: ". "telling md5: <$data>\n";
+ }
print MD5in "$data";
close MD5in;
my $reply = <MD5out>;
PAM_BP_RENEW(&new->current_prompt, PAM_BPC_SELECT,
sizeof(PS_AGENT_ID) + strlen(rusername) + 1
+ strlen(rhostname) + 1 + 32);
- sprintf(PAM_BP_DATA(new->current_prompt),
+ sprintf(PAM_BP_WDATA(new->current_prompt),
PS_AGENT_ID "/%s@%s|%.32s", rusername, rhostname,
new->server_cookie);
/* find | */
length = PAM_BP_LENGTH(new->current_reply);
for (i=0; i<length; ++i) {
- if (PAM_BP_DATA(new->current_reply)[i] == '|') {
+ if (PAM_BP_RDATA(new->current_reply)[i] == '|') {
break;
}
}
}
/* copy client cookie */
- memcpy(new->client_cookie, PAM_BP_DATA(new->current_reply)+i, 32);
+ memcpy(new->client_cookie, PAM_BP_RDATA(new->current_reply)+i, 32);
/* generate a prompt that is length(seqid) + length(|) + 32 long */
PAM_BP_RENEW(&new->current_prompt, PAM_BPC_OK, i+32);
/* copy the head of the response prompt */
- memcpy(PAM_BP_DATA(new->current_prompt),
- PAM_BP_DATA(new->current_reply), i);
+ memcpy(PAM_BP_WDATA(new->current_prompt),
+ PAM_BP_RDATA(new->current_reply), i);
PAM_BP_RENEW(&new->current_reply, 0, 0);
/* look up the secret */
/* construct md5[<client_cookie>|<server_cookie>|<secret_data>] */
if (! create_digest(new->client_cookie, new->server_cookie,
new->secret_data,
- PAM_BP_DATA(new->current_prompt)+i)) {
+ PAM_BP_WDATA(new->current_prompt)+i)) {
D(("md5 digesting failed"));
new->state = PS_STATE_DEAD;
return PAM_ABORT;
return PAM_ABORT;
}
- cf = strcmp(expectation, PAM_BP_DATA(new->current_reply));
+ cf = strcmp(expectation, PAM_BP_RDATA(new->current_reply));
memset(expectation, 0, sizeof(expectation));
if (cf || new->invalid_secret) {
D(("failed to authenticate"));
PAM_BP_RENEW(&new_data->current_prompt,
PAM_BP_CONTROL(old_data->current_prompt), length);
PAM_BP_FILL(new_data->current_prompt, 0, length,
- PAM_BP_DATA(old_data->current_prompt));
+ PAM_BP_RDATA(old_data->current_prompt));
}
/* don't need to duplicate current_reply */
} else {
temp_packet.length = temp_packet.at = 0;
temp_packet.buffer = NULL;
- append_string(&temp_packet, "/bin/echo -n '", 0);
+ append_string(&temp_packet, "echo -n '", 0);
append_string(&temp_packet, raw, 0);
append_string(&temp_packet, "'|/usr/bin/md5sum -", 1);
+ fprintf(stderr, "am attempting to run [%s]\n", temp_packet.buffer);
+
pipe = popen(temp_packet.buffer, "r");
if (pipe == NULL) {
fprintf(stderr, "server: failed to run\n [%s]\n", temp_packet.buffer);
data_length = PAM_BP_LENGTH(prompt);
packet->at = 0;
append_data(packet, data_length, NULL);
+
PAM_BP_EXTRACT(prompt, 0, data_length, packet->buffer);
+
+ fprintf(stderr, "server received[%d]: {%d|0x%.2x|%s}\n",
+ data_length,
+ PAM_BP_SIZE(prompt), PAM_BP_RCONTROL(prompt),
+ PAM_BP_RDATA(prompt));
}
int main(int argc, char **argv)
retval = pamc_converse(pch, &prompt);
fprintf(stderr, "server: after conversation\n");
- if (PAM_BP_CONTROL(prompt) != PAM_BPC_OK) {
+ if (PAM_BP_RCONTROL(prompt) != PAM_BPC_OK) {
fprintf(stderr, "server: prompt had unexpected control type: %u\n",
- PAM_BP_CONTROL(prompt));
+ PAM_BP_RCONTROL(prompt));
exit(1);
}
retval = pamc_converse(pch, &prompt);
fprintf(stderr, "server: after 2nd conversation\n");
- if (PAM_BP_CONTROL(prompt) != PAM_BPC_DONE) {
+ if (PAM_BP_RCONTROL(prompt) != PAM_BPC_DONE) {
fprintf(stderr, "server: 2nd prompt had unexpected control type: %u\n",
- PAM_BP_CONTROL(prompt));
+ PAM_BP_RCONTROL(prompt));
exit(1);
}
projects / linux-pam / commitdiff