xref: /illumos-gate/usr/src/lib/libpam/pam_framework.c (revision 5328fc53d11d7151861fa272e4fb0248b8f0e145)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * Copyright (c) 2019, Joyent, Inc.
28  */
29 
30 #include <syslog.h>
31 #include <dlfcn.h>
32 #include <sys/types.h>
33 #include <sys/stat.h>
34 #include <stdlib.h>
35 #include <strings.h>
36 #include <malloc.h>
37 #include <unistd.h>
38 #include <fcntl.h>
39 #include <errno.h>
40 
41 #include <security/pam_appl.h>
42 #include <security/pam_modules.h>
43 #include <sys/mman.h>
44 
45 #include <libintl.h>
46 
47 #include "pam_impl.h"
48 
49 static char *pam_snames [PAM_NUM_MODULE_TYPES] = {
50 	PAM_ACCOUNT_NAME,
51 	PAM_AUTH_NAME,
52 	PAM_PASSWORD_NAME,
53 	PAM_SESSION_NAME
54 };
55 
56 static char *pam_inames [PAM_MAX_ITEMS] = {
57 /* NONE */		NULL,
58 /* PAM_SERVICE */	"service",
59 /* PAM_USER */		"user",
60 /* PAM_TTY */		"tty",
61 /* PAM_RHOST */		"rhost",
62 /* PAM_CONV */		"conv",
63 /* PAM_AUTHTOK */	"authtok",
64 /* PAM_OLDAUTHTOK */	"oldauthtok",
65 /* PAM_RUSER */		"ruser",
66 /* PAM_USER_PROMPT */	"user_prompt",
67 /* PAM_REPOSITORY */	"repository",
68 /* PAM_RESOURCE */	"resource",
69 /* PAM_AUSER */		"auser",
70 /* Undefined Items */
71 };
72 
73 /*
74  * This extra definition is needed in order to build this library
75  * on pre-64-bit-aware systems.
76  */
77 #if !defined(_LFS64_LARGEFILE)
78 #define	stat64	stat
79 #endif	/* !defined(_LFS64_LARGEFILE) */
80 
81 /* functions to dynamically load modules */
82 static int	load_modules(pam_handle_t *, int, char *, pamtab_t *);
83 static void	*open_module(pam_handle_t *, char *);
84 static int	load_function(void *, char *, int (**func)());
85 
86 /* functions to read and store the pam.conf configuration file */
87 static int	open_pam_conf(struct pam_fh **, pam_handle_t *, char *);
88 static void	close_pam_conf(struct pam_fh *);
89 static int	read_pam_conf(pam_handle_t *, char *);
90 static int	get_pam_conf_entry(struct pam_fh *, pam_handle_t *,
91     pamtab_t **);
92 static char	*read_next_token(char **);
93 static char	*nextline(struct pam_fh *, pam_handle_t *, int *);
94 static int	verify_pam_conf(pamtab_t *, char *);
95 
96 /* functions to clean up and free memory */
97 static void	clean_up(pam_handle_t *);
98 static void	free_pamconf(pamtab_t *);
99 static void	free_pam_conf_info(pam_handle_t *);
100 static void	free_env(env_list *);
101 
102 /* convenience functions for I18N/L10N communication */
103 
104 static void	free_resp(int, struct pam_response *);
105 static int	do_conv(pam_handle_t *, int, int,
106     char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *,
107     struct pam_response **);
108 
109 static int	log_priority;	/* pam_trace syslog priority & facility */
110 static int	pam_debug = 0;
111 
112 static char *
113 pam_trace_iname(int item_type, char *iname_buf)
114 {
115 	char *name;
116 
117 	if (item_type <= 0 ||
118 	    item_type >= PAM_MAX_ITEMS ||
119 	    (name = pam_inames[item_type]) == NULL) {
120 		(void) sprintf(iname_buf, "%d", item_type);
121 		return (iname_buf);
122 	}
123 	return (name);
124 }
125 
126 static char *
127 pam_trace_fname(int flag)
128 {
129 	if (flag & PAM_BINDING)
130 		return (PAM_BINDING_NAME);
131 	if (flag & PAM_INCLUDE)
132 		return (PAM_INCLUDE_NAME);
133 	if (flag & PAM_OPTIONAL)
134 		return (PAM_OPTIONAL_NAME);
135 	if (flag & PAM_REQUIRED)
136 		return (PAM_REQUIRED_NAME);
137 	if (flag & PAM_REQUISITE)
138 		return (PAM_REQUISITE_NAME);
139 	if (flag & PAM_SUFFICIENT)
140 		return (PAM_SUFFICIENT_NAME);
141 	return ("bad flag name");
142 }
143 
144 static char *
145 pam_trace_cname(pam_handle_t *pamh)
146 {
147 	if (pamh->pam_conf_name[pamh->include_depth] == NULL)
148 		return ("NULL");
149 	return (pamh->pam_conf_name[pamh->include_depth]);
150 }
151 
152 #include <deflt.h>
153 #include <stdarg.h>
154 /*
155  * pam_settrace - setup configuration for pam tracing
156  *
157  * turn on PAM debug if "magic" file exists
158  * if exists (original), pam_debug = PAM_DEBUG_DEFAULT,
159  * log_priority = LOG_DEBUG(7) and log_facility = LOG_AUTH(4).
160  *
161  * if has contents, keywork=value pairs:
162  *
163  *	"log_priority=" 0-7, the pam_trace syslog priority to use
164  *		(see sys/syslog.h)
165  *	"log_facility=" 0-23, the pam_trace syslog facility to use
166  *		(see sys/syslog.h)
167  *	"debug_flags=" PAM_DEBUG_DEFAULT (0x0001), log traditional
168  *			(original) debugging.
169  *		Plus the logical or of:
170  *		    PAM_DEBUG_ITEM (0x0002), log item values and
171  *			pam_get_item.
172  *		    PAM_DEBUG_MODULE (0x0004), log module return status.
173  *		    PAM_DEBUG_CONF (0x0008), log pam.conf parsing.
174  *		    PAM_DEBUG_DATA (0x0010), get/set_data.
175  *		    PAM_DEBUG_CONV (0x0020), conversation/response.
176  *
177  *		    If compiled with DEBUG:
178  *		    PAM_DEBUG_AUTHTOK (0x8000), display AUTHTOK value if
179  *				PAM_DEBUG_ITEM is set and results from
180  *				PAM_PROMPT_ECHO_OFF responses.
181  *		    USE CAREFULLY, THIS EXPOSES THE USER'S PASSWORDS.
182  *
183  *		or set to 0 and off even if PAM_DEBUG file exists.
184  *
185  * Output has the general form:
186  * <whatever was set syslog> PAM[<pid>]: <interface>(<handle> and other info)
187  * <whatever was set syslog> PAM[<pid>]: details requested for <interface> call
188  *	Where:	<pid> is the process ID of the calling process.
189  *		<handle> is the Hex value of the pam_handle associated with the
190  *			call.
191  */
192 
193 static void
194 pam_settrace()
195 {
196 	void	*defp;
197 
198 	if ((defp = defopen_r(PAM_DEBUG)) != NULL) {
199 		char	*arg;
200 		int	code;
201 		int	facility = LOG_AUTH;
202 
203 		pam_debug = PAM_DEBUG_DEFAULT;
204 		log_priority = LOG_DEBUG;
205 
206 		(void) defcntl_r(DC_SETFLAGS, DC_CASE, defp);
207 		if ((arg = defread_r(LOG_PRIORITY, defp)) != NULL) {
208 			code = (int)strtol(arg, NULL, 10);
209 			if ((code & ~LOG_PRIMASK) == 0) {
210 				log_priority = code;
211 			}
212 		}
213 		if ((arg = defread_r(LOG_FACILITY, defp)) != NULL) {
214 			code = (int)strtol(arg, NULL, 10);
215 			if (code < LOG_NFACILITIES) {
216 				facility = code << 3;
217 			}
218 		}
219 		if ((arg = defread_r(DEBUG_FLAGS, defp)) != NULL) {
220 			pam_debug = (int)strtol(arg, NULL, 0);
221 		}
222 		defclose_r(defp);
223 
224 		log_priority |= facility;
225 	}
226 }
227 
228 /*
229  * pam_trace - logs tracing messages
230  *
231  *	flag = debug_flags from /etc/pam_debug
232  *	format and args = message to print (PAM[<pid>]: is prepended).
233  *
234  *	global log_priority = pam_trace syslog (log_priority | log_facility)
235  *		from /etc/pam_debug
236  */
237 /*PRINTFLIKE2*/
238 static void
239 pam_trace(int flag, char *format, ...)
240 {
241 	va_list args;
242 	char message[1024];
243 	int savemask;
244 
245 	if ((pam_debug & flag) == 0)
246 		return;
247 
248 	savemask = setlogmask(LOG_MASK(log_priority & LOG_PRIMASK));
249 	(void) snprintf(message, sizeof (message), "PAM[%ld]: %s",
250 	    (long)getpid(), format);
251 	va_start(args, format);
252 	(void) vsyslog(log_priority, message, args);
253 	va_end(args);
254 	(void) setlogmask(savemask);
255 }
256 
257 /*
258  * __pam_log - logs PAM syslog messages
259  *
260  *	priority = message priority
261  *	format and args = message to log
262  */
263 /*PRINTFLIKE2*/
264 void
265 __pam_log(int priority, const char *format, ...)
266 {
267 	va_list args;
268 	int savemask = setlogmask(LOG_MASK(priority & LOG_PRIMASK));
269 
270 	va_start(args, format);
271 	(void) vsyslog(priority, format, args);
272 	va_end(args);
273 	(void) setlogmask(savemask);
274 }
275 
276 
277 /*
278  *			pam_XXXXX routines
279  *
280  *	These are the entry points to the authentication switch
281  */
282 
283 /*
284  * pam_start		- initiate an authentication transaction and
285  *			  set parameter values to be used during the
286  *			  transaction
287  */
288 
289 int
290 pam_start(const char *service, const char *user,
291     const struct pam_conv *pam_conv, pam_handle_t **pamh)
292 {
293 	int	err;
294 
295 	*pamh = calloc(1, sizeof (struct pam_handle));
296 
297 	pam_settrace();
298 	pam_trace(PAM_DEBUG_DEFAULT,
299 	    "pam_start(%s,%s,%p:%p) - debug = %x",
300 	    service ? service : "NULL", user ? user : "NULL", (void *)pam_conv,
301 	    (void *)*pamh, pam_debug);
302 
303 	if (*pamh == NULL)
304 		return (PAM_BUF_ERR);
305 
306 	(*pamh)->pam_inmodule = RO_OK;		/* OK to set RO items */
307 	if ((err = pam_set_item(*pamh, PAM_SERVICE, (void *)service))
308 	    != PAM_SUCCESS) {
309 		clean_up(*pamh);
310 		*pamh = NULL;
311 		return (err);
312 	}
313 
314 	if ((err = pam_set_item(*pamh, PAM_USER, (void *)user))
315 	    != PAM_SUCCESS) {
316 		clean_up(*pamh);
317 		*pamh = NULL;
318 		return (err);
319 	}
320 
321 	if ((err = pam_set_item(*pamh, PAM_CONV, (void *)pam_conv))
322 	    != PAM_SUCCESS) {
323 		clean_up(*pamh);
324 		*pamh = NULL;
325 		return (err);
326 	}
327 
328 	(*pamh)->pam_inmodule = RW_OK;
329 	return (PAM_SUCCESS);
330 }
331 
332 /*
333  * pam_end - terminate an authentication transaction
334  */
335 
336 int
337 pam_end(pam_handle_t *pamh, int pam_status)
338 {
339 	struct pam_module_data *psd, *p;
340 	fd_list *expired;
341 	fd_list *traverse;
342 	env_list *env_expired;
343 	env_list *env_traverse;
344 
345 	pam_trace(PAM_DEBUG_DEFAULT,
346 	    "pam_end(%p): status = %s", (void *)pamh,
347 	    pam_strerror(pamh, pam_status));
348 
349 	if (pamh == NULL)
350 		return (PAM_SYSTEM_ERR);
351 
352 	/* call the cleanup routines for module specific data */
353 
354 	psd = pamh->ssd;
355 	while (psd) {
356 		if (psd->cleanup) {
357 			psd->cleanup(pamh, psd->data, pam_status);
358 		}
359 		p = psd;
360 		psd = p->next;
361 		free(p->module_data_name);
362 		free(p);
363 	}
364 	pamh->ssd = NULL;
365 
366 	/* dlclose all module fds */
367 	traverse = pamh->fd;
368 	while (traverse) {
369 		expired = traverse;
370 		traverse = traverse->next;
371 		(void) dlclose(expired->mh);
372 		free(expired);
373 	}
374 	pamh->fd = 0;
375 
376 	/* remove all environment variables */
377 	env_traverse = pamh->pam_env;
378 	while (env_traverse) {
379 		env_expired = env_traverse;
380 		env_traverse = env_traverse->next;
381 		free_env(env_expired);
382 	}
383 
384 	clean_up(pamh);
385 	return (PAM_SUCCESS);
386 }
387 
388 /*
389  * pam_set_item		- set the value of a parameter that can be
390  *			  retrieved via a call to pam_get_item()
391  */
392 
393 int
394 pam_set_item(pam_handle_t *pamh, int item_type, const void *item)
395 {
396 	struct pam_item *pip;
397 	int	size;
398 	char	iname_buf[PAM_MAX_MSG_SIZE];
399 
400 	if (((pam_debug & PAM_DEBUG_ITEM) == 0) || (pamh == NULL)) {
401 		pam_trace(PAM_DEBUG_DEFAULT,
402 		    "pam_set_item(%p:%s)", (void *)pamh,
403 		    pam_trace_iname(item_type, iname_buf));
404 	}
405 
406 	if (pamh == NULL)
407 		return (PAM_SYSTEM_ERR);
408 
409 	/* check read only items */
410 	if ((item_type == PAM_SERVICE) && (pamh->pam_inmodule != RO_OK))
411 		return (PAM_PERM_DENIED);
412 
413 	/*
414 	 * Check that item_type is within valid range
415 	 */
416 
417 	if (item_type <= 0 || item_type >= PAM_MAX_ITEMS)
418 		return (PAM_SYMBOL_ERR);
419 
420 	pip = &(pamh->ps_item[item_type]);
421 
422 	switch (item_type) {
423 	case PAM_AUTHTOK:
424 	case PAM_OLDAUTHTOK:
425 		if (pip->pi_addr != NULL)
426 			(void) memset(pip->pi_addr, 0, pip->pi_size);
427 		/*FALLTHROUGH*/
428 	case PAM_SERVICE:
429 	case PAM_USER:
430 	case PAM_TTY:
431 	case PAM_RHOST:
432 	case PAM_RUSER:
433 	case PAM_USER_PROMPT:
434 	case PAM_RESOURCE:
435 	case PAM_AUSER:
436 		if (pip->pi_addr != NULL) {
437 			free(pip->pi_addr);
438 		}
439 
440 		if (item == NULL) {
441 			pip->pi_addr = NULL;
442 			pip->pi_size = 0;
443 		} else {
444 			pip->pi_addr = strdup((char *)item);
445 			if (pip->pi_addr == NULL) {
446 				pip->pi_size = 0;
447 				return (PAM_BUF_ERR);
448 			}
449 			pip->pi_size = strlen(pip->pi_addr);
450 		}
451 		break;
452 	case PAM_CONV:
453 		if (pip->pi_addr != NULL)
454 			free(pip->pi_addr);
455 		size = sizeof (struct pam_conv);
456 		if ((pip->pi_addr = calloc(1, size)) == NULL)
457 			return (PAM_BUF_ERR);
458 		if (item != NULL)
459 			(void) memcpy(pip->pi_addr, item, (unsigned int) size);
460 		else
461 			(void) memset(pip->pi_addr, 0, size);
462 		pip->pi_size = size;
463 		break;
464 	case PAM_REPOSITORY:
465 		if (pip->pi_addr != NULL) {
466 			pam_repository_t *auth_rep;
467 
468 			auth_rep = (pam_repository_t *)pip->pi_addr;
469 			if (auth_rep->type != NULL)
470 				free(auth_rep->type);
471 			if (auth_rep->scope != NULL)
472 				free(auth_rep->scope);
473 			free(auth_rep);
474 		}
475 		if (item != NULL) {
476 			pam_repository_t *s, *d;
477 
478 			size = sizeof (struct pam_repository);
479 			pip->pi_addr = calloc(1, size);
480 			if (pip->pi_addr == NULL)
481 				return (PAM_BUF_ERR);
482 
483 			s = (struct pam_repository *)item;
484 			d = (struct pam_repository *)pip->pi_addr;
485 
486 			d->type = strdup(s->type);
487 			if (d->type == NULL)
488 				return (PAM_BUF_ERR);
489 			d->scope = malloc(s->scope_len);
490 			if (d->scope == NULL)
491 				return (PAM_BUF_ERR);
492 			(void) memcpy(d->scope, s->scope, s->scope_len);
493 			d->scope_len = s->scope_len;
494 		}
495 		pip->pi_size = size;
496 		break;
497 	default:
498 		return (PAM_SYMBOL_ERR);
499 	}
500 	switch (item_type) {
501 	case PAM_CONV:
502 		pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%p",
503 		    (void *)pamh,
504 		    pam_trace_iname(item_type, iname_buf),
505 		    item ? (void *)((struct pam_conv *)item)->conv :
506 		    (void *)0);
507 		break;
508 	case PAM_REPOSITORY:
509 		pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%s",
510 		    (void *)pamh,
511 		    pam_trace_iname(item_type, iname_buf),
512 		    item ? (((struct pam_repository *)item)->type ?
513 		    ((struct pam_repository *)item)->type : "NULL") :
514 		    "NULL");
515 		break;
516 	case PAM_AUTHTOK:
517 	case PAM_OLDAUTHTOK:
518 #ifdef	DEBUG
519 		if (pam_debug & PAM_DEBUG_AUTHTOK)
520 			pam_trace(PAM_DEBUG_ITEM,
521 			    "pam_set_item(%p:%s)=%s", (void *)pamh,
522 			    pam_trace_iname(item_type, iname_buf),
523 			    item ? (char *)item : "NULL");
524 		else
525 #endif	/* DEBUG */
526 			pam_trace(PAM_DEBUG_ITEM,
527 			    "pam_set_item(%p:%s)=%s", (void *)pamh,
528 			    pam_trace_iname(item_type, iname_buf),
529 			    item ? "********" : "NULL");
530 		break;
531 	default:
532 		pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%s",
533 		    (void *)pamh,
534 		    pam_trace_iname(item_type, iname_buf),
535 		    item ? (char *)item : "NULL");
536 	}
537 
538 	return (PAM_SUCCESS);
539 }
540 
541 /*
542  * pam_get_item		- read the value of a parameter specified in
543  *			  the call to pam_set_item()
544  */
545 
546 int
547 pam_get_item(const pam_handle_t *pamh, int item_type, void **item)
548 {
549 	struct pam_item *pip;
550 	char	iname_buf[PAM_MAX_MSG_SIZE];
551 
552 	if (((pam_debug & PAM_DEBUG_ITEM) == 0) || (pamh == NULL)) {
553 		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)",
554 		    (void *)pamh, pam_trace_iname(item_type, iname_buf));
555 	}
556 
557 	if (pamh == NULL)
558 		return (PAM_SYSTEM_ERR);
559 
560 	if (item_type <= 0 || item_type >= PAM_MAX_ITEMS)
561 		return (PAM_SYMBOL_ERR);
562 
563 	if ((pamh->pam_inmodule != WO_OK) &&
564 	    ((item_type == PAM_AUTHTOK || item_type == PAM_OLDAUTHTOK))) {
565 		__pam_log(LOG_AUTH | LOG_NOTICE, "pam_get_item(%s) called from "
566 		    "a non module context",
567 		    pam_trace_iname(item_type, iname_buf));
568 		return (PAM_PERM_DENIED);
569 	}
570 
571 	pip = (struct pam_item *)&(pamh->ps_item[item_type]);
572 
573 	*item = pip->pi_addr;
574 	switch (item_type) {
575 	case PAM_CONV:
576 		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%p",
577 		    (void *)pamh,
578 		    pam_trace_iname(item_type, iname_buf),
579 		    (void *)((struct pam_conv *)*item)->conv);
580 		break;
581 	case PAM_REPOSITORY:
582 		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%s",
583 		    (void *)pamh,
584 		    pam_trace_iname(item_type, iname_buf),
585 		    *item ? (((struct pam_repository *)*item)->type ?
586 		    ((struct pam_repository *)*item)->type : "NULL") :
587 		    "NULL");
588 		break;
589 	case PAM_AUTHTOK:
590 	case PAM_OLDAUTHTOK:
591 #ifdef	DEBUG
592 		if (pam_debug & PAM_DEBUG_AUTHTOK)
593 			pam_trace(PAM_DEBUG_ITEM,
594 			    "pam_get_item(%p:%s)=%s", (void *)pamh,
595 			    pam_trace_iname(item_type, iname_buf),
596 			    *item ? *(char **)item : "NULL");
597 		else
598 #endif	/* DEBUG */
599 			pam_trace(PAM_DEBUG_ITEM,
600 			    "pam_get_item(%p:%s)=%s", (void *)pamh,
601 			    pam_trace_iname(item_type, iname_buf),
602 			    *item ? "********" : "NULL");
603 		break;
604 	default:
605 		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%s",
606 		    (void *)pamh,
607 		    pam_trace_iname(item_type, iname_buf),
608 		    *item ? *(char **)item : "NULL");
609 	}
610 
611 	return (PAM_SUCCESS);
612 }
613 
614 /*
615  * parse_user_name         - process the user response: ignore
616  *                           '\t' or ' ' before or after a user name.
617  *                           user_input is a null terminated string.
618  *                           *ret_username will be the user name.
619  */
620 
621 static int
622 parse_user_name(char *user_input, char **ret_username)
623 {
624 	register char *ptr;
625 	register int index = 0;
626 	char username[PAM_MAX_RESP_SIZE];
627 
628 	/* Set the default value for *ret_username */
629 	*ret_username = NULL;
630 
631 	/*
632 	 * Set the initial value for username - this is a buffer holds
633 	 * the user name.
634 	 */
635 	bzero((void *)username, PAM_MAX_RESP_SIZE);
636 
637 	/*
638 	 * The user_input is guaranteed to be terminated by a null character.
639 	 */
640 	ptr = user_input;
641 
642 	/* Skip all the leading whitespaces if there are any. */
643 	while ((*ptr == ' ') || (*ptr == '\t'))
644 		ptr++;
645 
646 	if (*ptr == '\0') {
647 		/*
648 		 * We should never get here since the user_input we got
649 		 * in pam_get_user() is not all whitespaces nor just "\0".
650 		 */
651 		return (PAM_BUF_ERR);
652 	}
653 
654 	/*
655 	 * username will be the first string we get from user_input
656 	 * - we skip leading whitespaces and ignore trailing whitespaces
657 	 */
658 	while (*ptr != '\0') {
659 		if ((*ptr == ' ') || (*ptr == '\t'))
660 			break;
661 		else {
662 			username[index] = *ptr;
663 			index++;
664 			ptr++;
665 		}
666 	}
667 
668 	/* ret_username will be freed in pam_get_user(). */
669 	if ((*ret_username = malloc(index + 1)) == NULL)
670 		return (PAM_BUF_ERR);
671 	(void) strcpy(*ret_username, username);
672 	return (PAM_SUCCESS);
673 }
674 
675 /*
676  * Get the value of PAM_USER. If not set, then use the convenience function
677  * to prompt for the user. Use prompt if specified, else use PAM_USER_PROMPT
678  * if it is set, else use default.
679  */
680 #define	WHITESPACE	0
681 #define	USERNAME	1
682 
683 int
684 pam_get_user(pam_handle_t *pamh, char **user, const char *prompt_override)
685 {
686 	int	status;
687 	char	*prompt = NULL;
688 	char    *real_username;
689 	struct pam_response *ret_resp = NULL;
690 	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
691 
692 	pam_trace(PAM_DEBUG_DEFAULT,
693 	    "pam_get_user(%p, %p, %s)", (void *)pamh, (void *)*user,
694 	    prompt_override ? prompt_override : "NULL");
695 	if (pamh == NULL)
696 		return (PAM_SYSTEM_ERR);
697 
698 	if ((status = pam_get_item(pamh, PAM_USER, (void **)user))
699 	    != PAM_SUCCESS) {
700 		return (status);
701 	}
702 
703 	/* if the user is set, return it */
704 
705 	if (*user != NULL && *user[0] != '\0') {
706 		return (PAM_SUCCESS);
707 	}
708 
709 	/*
710 	 * if the module is requesting a special prompt, use it.
711 	 * else use PAM_USER_PROMPT.
712 	 */
713 
714 	if (prompt_override != NULL) {
715 		prompt = (char *)prompt_override;
716 	} else {
717 		status = pam_get_item(pamh, PAM_USER_PROMPT, (void**)&prompt);
718 		if (status != PAM_SUCCESS) {
719 			return (status);
720 		}
721 	}
722 
723 	/* if the prompt is not set, use default */
724 
725 	if (prompt == NULL || prompt[0] == '\0') {
726 		prompt = dgettext(TEXT_DOMAIN, "Please enter user name: ");
727 	}
728 
729 	/* prompt for the user */
730 
731 	(void) strncpy(messages[0], prompt, sizeof (messages[0]));
732 
733 	for (;;) {
734 		int state = WHITESPACE;
735 
736 		status = do_conv(pamh, PAM_PROMPT_ECHO_ON, 1, messages,
737 		    NULL, &ret_resp);
738 
739 		if (status != PAM_SUCCESS) {
740 			return (status);
741 		}
742 
743 		if (ret_resp->resp && ret_resp->resp[0] != '\0') {
744 			int len = strlen(ret_resp->resp);
745 			int i;
746 
747 			for (i = 0; i < len; i++) {
748 				if ((ret_resp->resp[i] != ' ') &&
749 				    (ret_resp->resp[i] != '\t')) {
750 					state = USERNAME;
751 					break;
752 				}
753 			}
754 
755 			if (state == USERNAME)
756 				break;
757 		}
758 		/* essentially empty response, try again */
759 		free_resp(1, ret_resp);
760 		ret_resp = NULL;
761 	}
762 
763 	/* set PAM_USER */
764 	/* Parse the user input to get the user name. */
765 	status = parse_user_name(ret_resp->resp, &real_username);
766 
767 	if (status != PAM_SUCCESS) {
768 		if (real_username != NULL)
769 			free(real_username);
770 		free_resp(1, ret_resp);
771 		return (status);
772 	}
773 
774 	status = pam_set_item(pamh, PAM_USER, real_username);
775 
776 	free(real_username);
777 
778 	free_resp(1, ret_resp);
779 	if (status != PAM_SUCCESS) {
780 		return (status);
781 	}
782 
783 	/*
784 	 * finally, get PAM_USER. We have to call pam_get_item to get
785 	 * the value of user because pam_set_item mallocs the memory.
786 	 */
787 
788 	status = pam_get_item(pamh, PAM_USER, (void**)user);
789 	return (status);
790 }
791 
792 /*
793  * Set module specific data
794  */
795 
796 int
797 pam_set_data(pam_handle_t *pamh, const char *module_data_name, void *data,
798     void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status))
799 {
800 	struct pam_module_data *psd;
801 
802 	pam_trace(PAM_DEBUG_DATA,
803 	    "pam_set_data(%p:%s:%d)=%p", (void *)pamh,
804 	    (module_data_name != NULL) ? module_data_name : "NULL",
805 	    (pamh != NULL) ? pamh->pam_inmodule : -1, data);
806 	if (pamh == NULL || (pamh->pam_inmodule != WO_OK) ||
807 	    module_data_name == NULL) {
808 		return (PAM_SYSTEM_ERR);
809 	}
810 
811 	/* check if module data already exists */
812 
813 	for (psd = pamh->ssd; psd; psd = psd->next) {
814 		if (strcmp(psd->module_data_name, module_data_name) == 0) {
815 			/* clean up original data before setting the new data */
816 			if (psd->cleanup) {
817 				psd->cleanup(pamh, psd->data, PAM_SUCCESS);
818 			}
819 			psd->data = (void *)data;
820 			psd->cleanup = cleanup;
821 			return (PAM_SUCCESS);
822 		}
823 	}
824 
825 	psd = malloc(sizeof (struct pam_module_data));
826 	if (psd == NULL)
827 		return (PAM_BUF_ERR);
828 
829 	psd->module_data_name = strdup(module_data_name);
830 	if (psd->module_data_name == NULL) {
831 		free(psd);
832 		return (PAM_BUF_ERR);
833 	}
834 
835 	psd->data = (void *)data;
836 	psd->cleanup = cleanup;
837 	psd->next = pamh->ssd;
838 	pamh->ssd = psd;
839 	return (PAM_SUCCESS);
840 }
841 
842 /*
843  * get module specific data
844  */
845 
846 int
847 pam_get_data(const pam_handle_t *pamh, const char *module_data_name,
848     const void **data)
849 {
850 	struct pam_module_data *psd;
851 
852 	if (pamh == NULL || (pamh->pam_inmodule != WO_OK) ||
853 	    module_data_name == NULL) {
854 		pam_trace(PAM_DEBUG_DATA,
855 		    "pam_get_data(%p:%s:%d)=%p", (void *)pamh,
856 		    module_data_name ? module_data_name : "NULL",
857 		    pamh->pam_inmodule, *data);
858 		return (PAM_SYSTEM_ERR);
859 	}
860 
861 	for (psd = pamh->ssd; psd; psd = psd->next) {
862 		if (strcmp(psd->module_data_name, module_data_name) == 0) {
863 			*data = psd->data;
864 			pam_trace(PAM_DEBUG_DATA,
865 			    "pam_get_data(%p:%s)=%p", (void *)pamh,
866 			    module_data_name, *data);
867 			return (PAM_SUCCESS);
868 		}
869 	}
870 	pam_trace(PAM_DEBUG_DATA,
871 	    "pam_get_data(%p:%s)=%s", (void *)pamh, module_data_name,
872 	    "PAM_NO_MODULE_DATA");
873 
874 	return (PAM_NO_MODULE_DATA);
875 }
876 
877 /*
878  * PAM equivalent to strerror()
879  */
880 /* ARGSUSED */
881 const char *
882 pam_strerror(pam_handle_t *pamh, int errnum)
883 {
884 	switch (errnum) {
885 	case PAM_SUCCESS:
886 		return (dgettext(TEXT_DOMAIN, "Success"));
887 	case PAM_OPEN_ERR:
888 		return (dgettext(TEXT_DOMAIN, "Dlopen failure"));
889 	case PAM_SYMBOL_ERR:
890 		return (dgettext(TEXT_DOMAIN, "Symbol not found"));
891 	case PAM_SERVICE_ERR:
892 		return (dgettext(TEXT_DOMAIN,
893 		    "Error in underlying service module"));
894 	case PAM_SYSTEM_ERR:
895 		return (dgettext(TEXT_DOMAIN, "System error"));
896 	case PAM_BUF_ERR:
897 		return (dgettext(TEXT_DOMAIN, "Memory buffer error"));
898 	case PAM_CONV_ERR:
899 		return (dgettext(TEXT_DOMAIN, "Conversation failure"));
900 	case PAM_PERM_DENIED:
901 		return (dgettext(TEXT_DOMAIN, "Permission denied"));
902 	case PAM_MAXTRIES:
903 		return (dgettext(TEXT_DOMAIN,
904 		    "Maximum number of attempts exceeded"));
905 	case PAM_AUTH_ERR:
906 		return (dgettext(TEXT_DOMAIN, "Authentication failed"));
907 	case PAM_NEW_AUTHTOK_REQD:
908 		return (dgettext(TEXT_DOMAIN, "Get new authentication token"));
909 	case PAM_CRED_INSUFFICIENT:
910 		return (dgettext(TEXT_DOMAIN, "Insufficient credentials"));
911 	case PAM_AUTHINFO_UNAVAIL:
912 		return (dgettext(TEXT_DOMAIN,
913 		    "Can not retrieve authentication info"));
914 	case PAM_USER_UNKNOWN:
915 		return (dgettext(TEXT_DOMAIN, "No account present for user"));
916 	case PAM_CRED_UNAVAIL:
917 		return (dgettext(TEXT_DOMAIN,
918 		    "Can not retrieve user credentials"));
919 	case PAM_CRED_EXPIRED:
920 		return (dgettext(TEXT_DOMAIN,
921 		    "User credentials have expired"));
922 	case PAM_CRED_ERR:
923 		return (dgettext(TEXT_DOMAIN,
924 		    "Failure setting user credentials"));
925 	case PAM_ACCT_EXPIRED:
926 		return (dgettext(TEXT_DOMAIN, "User account has expired"));
927 	case PAM_AUTHTOK_EXPIRED:
928 		return (dgettext(TEXT_DOMAIN, "User password has expired"));
929 	case PAM_SESSION_ERR:
930 		return (dgettext(TEXT_DOMAIN,
931 		    "Can not make/remove entry for session"));
932 	case PAM_AUTHTOK_ERR:
933 		return (dgettext(TEXT_DOMAIN,
934 		    "Authentication token manipulation error"));
935 	case PAM_AUTHTOK_RECOVERY_ERR:
936 		return (dgettext(TEXT_DOMAIN,
937 		    "Authentication token can not be recovered"));
938 	case PAM_AUTHTOK_LOCK_BUSY:
939 		return (dgettext(TEXT_DOMAIN,
940 		    "Authentication token lock busy"));
941 	case PAM_AUTHTOK_DISABLE_AGING:
942 		return (dgettext(TEXT_DOMAIN,
943 		    "Authentication token aging disabled"));
944 	case PAM_NO_MODULE_DATA:
945 		return (dgettext(TEXT_DOMAIN,
946 		    "Module specific data not found"));
947 	case PAM_IGNORE:
948 		return (dgettext(TEXT_DOMAIN, "Ignore module"));
949 	case PAM_ABORT:
950 		return (dgettext(TEXT_DOMAIN, "General PAM failure "));
951 	case PAM_TRY_AGAIN:
952 		return (dgettext(TEXT_DOMAIN,
953 		    "Unable to complete operation. Try again"));
954 	default:
955 		return (dgettext(TEXT_DOMAIN, "Unknown error"));
956 	}
957 }
958 
959 static void *
960 sm_name(int ind)
961 {
962 	switch (ind) {
963 	case PAM_AUTHENTICATE:
964 		return (PAM_SM_AUTHENTICATE);
965 	case PAM_SETCRED:
966 		return (PAM_SM_SETCRED);
967 	case PAM_ACCT_MGMT:
968 		return (PAM_SM_ACCT_MGMT);
969 	case PAM_OPEN_SESSION:
970 		return (PAM_SM_OPEN_SESSION);
971 	case PAM_CLOSE_SESSION:
972 		return (PAM_SM_CLOSE_SESSION);
973 	case PAM_CHAUTHTOK:
974 		return (PAM_SM_CHAUTHTOK);
975 	}
976 	return (NULL);
977 }
978 
979 static int
980 (*func(pamtab_t *modulep, int ind))()
981 {
982 	void	*funcp;
983 
984 	if ((funcp = modulep->function_ptr) == NULL)
985 		return (NULL);
986 
987 	switch (ind) {
988 	case PAM_AUTHENTICATE:
989 		return (((struct auth_module *)funcp)->pam_sm_authenticate);
990 	case PAM_SETCRED:
991 		return (((struct auth_module *)funcp)->pam_sm_setcred);
992 	case PAM_ACCT_MGMT:
993 		return (((struct account_module *)funcp)->pam_sm_acct_mgmt);
994 	case PAM_OPEN_SESSION:
995 		return (((struct session_module *)funcp)->pam_sm_open_session);
996 	case PAM_CLOSE_SESSION:
997 		return (((struct session_module *)funcp)->pam_sm_close_session);
998 	case PAM_CHAUTHTOK:
999 		return (((struct password_module *)funcp)->pam_sm_chauthtok);
1000 	}
1001 	return (NULL);
1002 }
1003 
1004 /*
1005  * Run through the PAM service module stack for the given module type.
1006  */
1007 static int
1008 run_stack(pam_handle_t *pamh, int flags, int type, int def_err, int ind,
1009     char *function_name)
1010 {
1011 	int	err = PAM_SYSTEM_ERR;  /* preset */
1012 	int	optional_error = 0;
1013 	int	required_error = 0;
1014 	int	success = 0;
1015 	pamtab_t *modulep;
1016 	int	(*sm_func)();
1017 
1018 	if (pamh == NULL)
1019 		return (PAM_SYSTEM_ERR);
1020 
1021 	/* read initial entries from pam.conf */
1022 	if ((err = read_pam_conf(pamh, PAM_CONFIG)) != PAM_SUCCESS) {
1023 		return (err);
1024 	}
1025 
1026 	if ((modulep =
1027 	    pamh->pam_conf_info[pamh->include_depth][type]) == NULL) {
1028 		__pam_log(LOG_AUTH | LOG_ERR, "%s no initial module present",
1029 		    pam_trace_cname(pamh));
1030 		goto exit_return;
1031 	}
1032 
1033 	pamh->pam_inmodule = WO_OK;	/* OK to get AUTHTOK */
1034 include:
1035 	pam_trace(PAM_DEBUG_MODULE,
1036 	    "[%d:%s]:run_stack:%s(%p, %x): %s", pamh->include_depth,
1037 	    pam_trace_cname(pamh), function_name, (void *)pamh, flags,
1038 	    modulep ? modulep->module_path : "NULL");
1039 
1040 	while (modulep != NULL) {
1041 		if (modulep->pam_flag & PAM_INCLUDE) {
1042 			/* save the return location */
1043 			pamh->pam_conf_modulep[pamh->include_depth] =
1044 			    modulep->next;
1045 			pam_trace(PAM_DEBUG_MODULE,
1046 			    "setting for include[%d:%p]",
1047 			    pamh->include_depth, (void *)modulep->next);
1048 			if (pamh->include_depth++ >= PAM_MAX_INCLUDE) {
1049 				__pam_log(LOG_AUTH | LOG_ERR,
1050 				    "run_stack: includes too deep %d "
1051 				    "found trying to include %s from %s, %d "
1052 				    "allowed", pamh->include_depth,
1053 				    modulep->module_path, pamh->pam_conf_name
1054 				    [PAM_MAX_INCLUDE] == NULL ? "NULL" :
1055 				    pamh->pam_conf_name[PAM_MAX_INCLUDE],
1056 				    PAM_MAX_INCLUDE);
1057 				goto exit_return;
1058 			}
1059 			if ((err = read_pam_conf(pamh,
1060 			    modulep->module_path)) != PAM_SUCCESS) {
1061 				__pam_log(LOG_AUTH | LOG_ERR,
1062 				    "run_stack[%d:%s]: can't read included "
1063 				    "conf %s", pamh->include_depth,
1064 				    pam_trace_cname(pamh),
1065 				    modulep->module_path);
1066 				goto exit_return;
1067 			}
1068 			if ((modulep = pamh->pam_conf_info
1069 			    [pamh->include_depth][type]) == NULL) {
1070 				__pam_log(LOG_AUTH | LOG_ERR,
1071 				    "run_stack[%d:%s]: no include module "
1072 				    "present %s", pamh->include_depth,
1073 				    pam_trace_cname(pamh), function_name);
1074 				goto exit_return;
1075 			}
1076 			if (modulep->pam_flag & PAM_INCLUDE) {
1077 				/* first line another include */
1078 				goto include;
1079 			}
1080 			pam_trace(PAM_DEBUG_DEFAULT, "include[%d:%s]"
1081 			    "(%p, %s)=%s", pamh->include_depth,
1082 			    pam_trace_cname(pamh), (void *)pamh,
1083 			    function_name, modulep->module_path);
1084 			if ((err = load_modules(pamh, type, sm_name(ind),
1085 			    pamh->pam_conf_info
1086 			    [pamh->include_depth][type])) != PAM_SUCCESS) {
1087 				pam_trace(PAM_DEBUG_DEFAULT,
1088 				    "[%d:%s]:%s(%p, %x): load_modules failed",
1089 				    pamh->include_depth, pam_trace_cname(pamh),
1090 				    function_name, (void *)pamh, flags);
1091 				goto exit_return;
1092 			}
1093 			if ((modulep = pamh->pam_conf_info
1094 			    [pamh->include_depth][type]) == NULL) {
1095 				__pam_log(LOG_AUTH | LOG_ERR,
1096 				    "%s no initial module present",
1097 				    pam_trace_cname(pamh));
1098 				goto exit_return;
1099 			}
1100 		} else if ((err = load_modules(pamh, type, sm_name(ind),
1101 		    modulep)) != PAM_SUCCESS) {
1102 			pam_trace(PAM_DEBUG_DEFAULT,
1103 			    "[%d:%s]:%s(%p, %x): load_modules failed",
1104 			    pamh->include_depth, pam_trace_cname(pamh),
1105 			    function_name, (void *)pamh, flags);
1106 			goto exit_return;
1107 		}  /* PAM_INCLUDE */
1108 		sm_func = func(modulep, ind);
1109 		if (sm_func) {
1110 			err = sm_func(pamh, flags, modulep->module_argc,
1111 			    (const char **)modulep->module_argv);
1112 
1113 			pam_trace(PAM_DEBUG_MODULE,
1114 			    "[%d:%s]:%s(%p, %x): %s returned %s",
1115 			    pamh->include_depth, pam_trace_cname(pamh),
1116 			    function_name, (void *)pamh, flags,
1117 			    modulep->module_path, pam_strerror(pamh, err));
1118 
1119 			switch (err) {
1120 			case PAM_IGNORE:
1121 				/* do nothing */
1122 				break;
1123 			case PAM_SUCCESS:
1124 				if ((modulep->pam_flag & PAM_SUFFI_BIND) &&
1125 				    !required_error) {
1126 					pamh->pam_inmodule = RW_OK;
1127 					pam_trace(PAM_DEBUG_MODULE,
1128 					    "[%d:%s]:%s(%p, %x): %s: success",
1129 					    pamh->include_depth,
1130 					    pam_trace_cname(pamh),
1131 					    function_name, (void *)pamh, flags,
1132 					    (modulep->pam_flag & PAM_BINDING) ?
1133 					    PAM_BINDING_NAME :
1134 					    PAM_SUFFICIENT_NAME);
1135 					goto exit_return;
1136 				}
1137 				success = 1;
1138 				break;
1139 			case PAM_TRY_AGAIN:
1140 				/*
1141 				 * We need to return immediately, and
1142 				 * we shouldn't reset the AUTHTOK item
1143 				 * since it is not an error per-se.
1144 				 */
1145 				pamh->pam_inmodule = RW_OK;
1146 				pam_trace(PAM_DEBUG_MODULE,
1147 				    "[%d:%s]:%s(%p, %x): TRY_AGAIN: %s",
1148 				    pamh->include_depth, pam_trace_cname(pamh),
1149 				    function_name, (void *)pamh, flags,
1150 				    pam_strerror(pamh, required_error ?
1151 				    required_error : err));
1152 				err = required_error ? required_error : err;
1153 				goto exit_return;
1154 			default:
1155 				if (modulep->pam_flag & PAM_REQUISITE) {
1156 					pamh->pam_inmodule = RW_OK;
1157 					pam_trace(PAM_DEBUG_MODULE,
1158 					    "[%d:%s]:%s(%p, %x): requisite: %s",
1159 					    pamh->include_depth,
1160 					    pam_trace_cname(pamh),
1161 					    function_name, (void *)pamh, flags,
1162 					    pam_strerror(pamh,
1163 					    required_error ? required_error :
1164 					    err));
1165 					err = required_error ?
1166 					    required_error : err;
1167 					goto exit_return;
1168 				} else if (modulep->pam_flag & PAM_REQRD_BIND) {
1169 					if (!required_error)
1170 						required_error = err;
1171 				} else {
1172 					if (!optional_error)
1173 						optional_error = err;
1174 				}
1175 				pam_trace(PAM_DEBUG_DEFAULT,
1176 				    "[%d:%s]:%s(%p, %x): error %s",
1177 				    pamh->include_depth, pam_trace_cname(pamh),
1178 				    function_name, (void *)pamh, flags,
1179 				    pam_strerror(pamh, err));
1180 				break;
1181 			}
1182 		}
1183 		modulep = modulep->next;
1184 	}
1185 
1186 	pam_trace(PAM_DEBUG_MODULE, "[%d:%s]:stack_end:%s(%p, %x): %s %s: %s",
1187 	    pamh->include_depth, pam_trace_cname(pamh), function_name,
1188 	    (void *)pamh, flags, pamh->include_depth ? "included" : "final",
1189 	    required_error ? "required" : success ? "success" :
1190 	    optional_error ? "optional" : "default",
1191 	    pam_strerror(pamh, required_error ? required_error :
1192 	    success ? PAM_SUCCESS : optional_error ? optional_error : def_err));
1193 	if (pamh->include_depth > 0) {
1194 		free_pam_conf_info(pamh);
1195 		pamh->include_depth--;
1196 		/* continue at next entry */
1197 		modulep = pamh->pam_conf_modulep[pamh->include_depth];
1198 		pam_trace(PAM_DEBUG_MODULE, "looping for include[%d:%p]",
1199 		    pamh->include_depth, (void *)modulep);
1200 		goto include;
1201 	}
1202 	free_pam_conf_info(pamh);
1203 	pamh->pam_inmodule = RW_OK;
1204 	if (required_error != 0)
1205 		return (required_error);
1206 	else if (success != 0)
1207 		return (PAM_SUCCESS);
1208 	else if (optional_error != 0)
1209 		return (optional_error);
1210 	else
1211 		return (def_err);
1212 
1213 exit_return:
1214 	/*
1215 	 * All done at whatever depth we're at.
1216 	 * Go back to not having read /etc/pam.conf
1217 	 */
1218 	while (pamh->include_depth > 0) {
1219 		free_pam_conf_info(pamh);
1220 		pamh->include_depth--;
1221 	}
1222 	free_pam_conf_info(pamh);
1223 	pamh->pam_inmodule = RW_OK;
1224 	return (err);
1225 }
1226 
1227 /*
1228  * pam_authenticate - authenticate a user
1229  */
1230 
1231 int
1232 pam_authenticate(pam_handle_t *pamh, int flags)
1233 {
1234 	int	retval;
1235 
1236 	retval = run_stack(pamh, flags, PAM_AUTH_MODULE, PAM_AUTH_ERR,
1237 	    PAM_AUTHENTICATE, "pam_authenticate");
1238 
1239 	if (retval != PAM_SUCCESS)
1240 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1241 	return (retval);
1242 }
1243 
1244 /*
1245  * pam_setcred - modify or retrieve user credentials
1246  */
1247 
1248 int
1249 pam_setcred(pam_handle_t *pamh, int flags)
1250 {
1251 	int	retval;
1252 
1253 	retval = run_stack(pamh, flags, PAM_AUTH_MODULE, PAM_CRED_ERR,
1254 	    PAM_SETCRED, "pam_setcred");
1255 
1256 	if (retval != PAM_SUCCESS)
1257 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1258 	return (retval);
1259 }
1260 
1261 /*
1262  * pam_acct_mgmt - check password aging, account expiration
1263  */
1264 
1265 int
1266 pam_acct_mgmt(pam_handle_t *pamh, int flags)
1267 {
1268 	int	retval;
1269 
1270 	retval = run_stack(pamh, flags, PAM_ACCOUNT_MODULE, PAM_ACCT_EXPIRED,
1271 	    PAM_ACCT_MGMT, "pam_acct_mgmt");
1272 
1273 	if (retval != PAM_SUCCESS &&
1274 	    retval != PAM_NEW_AUTHTOK_REQD) {
1275 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1276 	}
1277 	return (retval);
1278 }
1279 
1280 /*
1281  * pam_open_session - begin session management
1282  */
1283 
1284 int
1285 pam_open_session(pam_handle_t *pamh, int flags)
1286 {
1287 	int	retval;
1288 
1289 	retval = run_stack(pamh, flags, PAM_SESSION_MODULE, PAM_SESSION_ERR,
1290 	    PAM_OPEN_SESSION, "pam_open_session");
1291 
1292 	if (retval != PAM_SUCCESS)
1293 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1294 	return (retval);
1295 }
1296 
1297 /*
1298  * pam_close_session - terminate session management
1299  */
1300 
1301 int
1302 pam_close_session(pam_handle_t *pamh, int flags)
1303 {
1304 	int	retval;
1305 
1306 	retval = run_stack(pamh, flags, PAM_SESSION_MODULE, PAM_SESSION_ERR,
1307 	    PAM_CLOSE_SESSION, "pam_close_session");
1308 
1309 	if (retval != PAM_SUCCESS)
1310 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1311 	return (retval);
1312 }
1313 
1314 /*
1315  * pam_chauthtok - change user authentication token
1316  */
1317 
1318 int
1319 pam_chauthtok(pam_handle_t *pamh, int flags)
1320 {
1321 	int	retval;
1322 
1323 	/* do not let apps use PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK */
1324 	if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) {
1325 		pam_trace(PAM_DEBUG_DEFAULT,
1326 		    "pam_chauthtok(%p, %x): %s", (void *)pamh, flags,
1327 		    pam_strerror(pamh, PAM_SYMBOL_ERR));
1328 		return (PAM_SYMBOL_ERR);
1329 	}
1330 
1331 	/* 1st pass: PRELIM CHECK */
1332 	retval = run_stack(pamh, flags | PAM_PRELIM_CHECK, PAM_PASSWORD_MODULE,
1333 	    PAM_AUTHTOK_ERR, PAM_CHAUTHTOK, "pam_chauthtok-prelim");
1334 
1335 	if (retval == PAM_TRY_AGAIN)
1336 		return (retval);
1337 
1338 	if (retval != PAM_SUCCESS) {
1339 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1340 		return (retval);
1341 	}
1342 
1343 	/* 2nd pass: UPDATE AUTHTOK */
1344 	retval = run_stack(pamh, flags | PAM_UPDATE_AUTHTOK,
1345 	    PAM_PASSWORD_MODULE, PAM_AUTHTOK_ERR, PAM_CHAUTHTOK,
1346 	    "pam_chauthtok-update");
1347 
1348 	if (retval != PAM_SUCCESS)
1349 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1350 
1351 	return (retval);
1352 }
1353 
1354 /*
1355  * pam_putenv - add an environment variable to the PAM handle
1356  *	if name_value == 'NAME=VALUE'	then set variable to the value
1357  *	if name_value == 'NAME='	then set variable to an empty value
1358  *	if name_value == 'NAME'		then delete the variable
1359  */
1360 
1361 int
1362 pam_putenv(pam_handle_t *pamh, const char *name_value)
1363 {
1364 	int		error = PAM_SYSTEM_ERR;
1365 	char		*equal_sign = 0;
1366 	char		*name = NULL, *value = NULL, *tmp_value = NULL;
1367 	env_list	*traverse, *trail;
1368 
1369 	pam_trace(PAM_DEBUG_DEFAULT,
1370 	    "pam_putenv(%p, %s)", (void *)pamh,
1371 	    name_value ? name_value : "NULL");
1372 
1373 	if (pamh == NULL || name_value == NULL)
1374 		goto out;
1375 
1376 	/* see if we were passed 'NAME=VALUE', 'NAME=', or 'NAME' */
1377 	if ((equal_sign = strchr(name_value, '=')) != 0) {
1378 		if ((name = calloc(equal_sign - name_value + 1,
1379 		    sizeof (char))) == 0) {
1380 			error = PAM_BUF_ERR;
1381 			goto out;
1382 		}
1383 		(void) strncpy(name, name_value, equal_sign - name_value);
1384 		if ((value = strdup(++equal_sign)) == 0) {
1385 			error = PAM_BUF_ERR;
1386 			goto out;
1387 		}
1388 	} else {
1389 		if ((name = strdup(name_value)) == 0) {
1390 			error = PAM_BUF_ERR;
1391 			goto out;
1392 		}
1393 	}
1394 
1395 	/* check to see if we already have this variable in the PAM handle */
1396 	traverse = pamh->pam_env;
1397 	trail = traverse;
1398 	while (traverse && strncmp(traverse->name, name, strlen(name))) {
1399 		trail = traverse;
1400 		traverse = traverse->next;
1401 	}
1402 
1403 	if (traverse) {
1404 		/* found a match */
1405 		if (value == 0) {
1406 			/* remove the env variable */
1407 			if (pamh->pam_env == traverse)
1408 				pamh->pam_env = traverse->next;
1409 			else
1410 				trail->next = traverse->next;
1411 			free_env(traverse);
1412 		} else if (strlen(value) == 0) {
1413 			/* set env variable to empty value */
1414 			if ((tmp_value = strdup("")) == 0) {
1415 				error = PAM_SYSTEM_ERR;
1416 				goto out;
1417 			}
1418 			free(traverse->value);
1419 			traverse->value = tmp_value;
1420 		} else {
1421 			/* set the new value */
1422 			if ((tmp_value = strdup(value)) == 0) {
1423 				error = PAM_SYSTEM_ERR;
1424 				goto out;
1425 			}
1426 			free(traverse->value);
1427 			traverse->value = tmp_value;
1428 		}
1429 
1430 	} else if (traverse == 0 && value) {
1431 		/*
1432 		 * could not find a match in the PAM handle.
1433 		 * add the new value if there is one
1434 		 */
1435 		if ((traverse = calloc(1, sizeof (env_list))) == 0) {
1436 			error = PAM_BUF_ERR;
1437 			goto out;
1438 		}
1439 		if ((traverse->name = strdup(name)) == 0) {
1440 			free_env(traverse);
1441 			error = PAM_BUF_ERR;
1442 			goto out;
1443 		}
1444 		if ((traverse->value = strdup(value)) == 0) {
1445 			free_env(traverse);
1446 			error = PAM_BUF_ERR;
1447 			goto out;
1448 		}
1449 		if (trail == 0) {
1450 			/* new head of list */
1451 			pamh->pam_env = traverse;
1452 		} else {
1453 			/* adding to end of list */
1454 			trail->next = traverse;
1455 		}
1456 	}
1457 
1458 	error = PAM_SUCCESS;
1459 out:
1460 	if (error != PAM_SUCCESS) {
1461 		if (traverse) {
1462 			if (traverse->name)
1463 				free(traverse->name);
1464 			if (traverse->value)
1465 				free(traverse->value);
1466 			free(traverse);
1467 		}
1468 	}
1469 	if (name)
1470 		free(name);
1471 	if (value)
1472 		free(value);
1473 	return (error);
1474 }
1475 
1476 /*
1477  * pam_getenv - retrieve an environment variable from the PAM handle
1478  */
1479 char *
1480 pam_getenv(pam_handle_t *pamh, const char *name)
1481 {
1482 	int		error = PAM_SYSTEM_ERR;
1483 	env_list	*traverse;
1484 
1485 	pam_trace(PAM_DEBUG_DEFAULT,
1486 	    "pam_getenv(%p, %p)", (void *)pamh, (void *)name);
1487 
1488 	if (pamh == NULL || name == NULL)
1489 		goto out;
1490 
1491 	/* check to see if we already have this variable in the PAM handle */
1492 	traverse = pamh->pam_env;
1493 	while (traverse && strncmp(traverse->name, name, strlen(name))) {
1494 		traverse = traverse->next;
1495 	}
1496 	error = (traverse ? PAM_SUCCESS : PAM_SYSTEM_ERR);
1497 	pam_trace(PAM_DEBUG_DEFAULT,
1498 	    "pam_getenv(%p, %s)=%s", (void *)pamh, name,
1499 	    traverse ? traverse->value : "NULL");
1500 out:
1501 	return (error ? NULL : strdup(traverse->value));
1502 }
1503 
1504 /*
1505  * pam_getenvlist - retrieve all environment variables from the PAM handle
1506  *                  in a NULL terminated array. On error, return NULL.
1507  */
1508 char **
1509 pam_getenvlist(pam_handle_t *pamh)
1510 {
1511 	int		error = PAM_SYSTEM_ERR;
1512 	char		**list = 0;
1513 	int		length = 0;
1514 	env_list	*traverse;
1515 	char		*tenv;
1516 	size_t		tenv_size;
1517 
1518 	pam_trace(PAM_DEBUG_DEFAULT,
1519 	    "pam_getenvlist(%p)", (void *)pamh);
1520 
1521 	if (pamh == NULL)
1522 		goto out;
1523 
1524 	/* find out how many environment variables we have */
1525 	traverse = pamh->pam_env;
1526 	while (traverse) {
1527 		length++;
1528 		traverse = traverse->next;
1529 	}
1530 
1531 	/* allocate the array we will return to the caller */
1532 	if ((list = calloc(length + 1, sizeof (char *))) == NULL) {
1533 		error = PAM_BUF_ERR;
1534 		goto out;
1535 	}
1536 
1537 	/* add the variables one by one */
1538 	length = 0;
1539 	traverse = pamh->pam_env;
1540 	while (traverse != NULL) {
1541 		tenv_size = strlen(traverse->name) +
1542 		    strlen(traverse->value) + 2; /* name=val\0 */
1543 		if ((tenv = malloc(tenv_size)) == NULL) {
1544 			error = PAM_BUF_ERR;
1545 			goto out;
1546 		}
1547 		/*LINTED*/
1548 		(void) sprintf(tenv, "%s=%s", traverse->name, traverse->value);
1549 		list[length++] = tenv;
1550 		traverse = traverse->next;
1551 	}
1552 	list[length] = NULL;
1553 
1554 	error = PAM_SUCCESS;
1555 out:
1556 	if (error != PAM_SUCCESS) {
1557 		/* free the partially constructed list */
1558 		if (list) {
1559 			length = 0;
1560 			while (list[length] != NULL) {
1561 				free(list[length]);
1562 				length++;
1563 			}
1564 			free(list);
1565 		}
1566 	}
1567 	return (error ? NULL : list);
1568 }
1569 
1570 /*
1571  * Routines to load a requested module on demand
1572  */
1573 
1574 /*
1575  * load_modules - load the requested module.
1576  *		  if the dlopen or dlsym fail, then
1577  *		  the module is ignored.
1578  */
1579 
1580 static int
1581 load_modules(pam_handle_t *pamh, int type, char *function_name,
1582     pamtab_t *pam_entry)
1583 {
1584 	void	*mh;
1585 	struct	auth_module *authp;
1586 	struct	account_module *accountp;
1587 	struct	session_module *sessionp;
1588 	struct	password_module *passwdp;
1589 	int	loading_functions = 0; /* are we currently loading functions? */
1590 
1591 	pam_trace(PAM_DEBUG_MODULE, "load_modules[%d:%s](%p, %s)=%s:%s",
1592 	    pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
1593 	    function_name, pam_trace_fname(pam_entry->pam_flag),
1594 	    pam_entry->module_path);
1595 
1596 	while (pam_entry != NULL) {
1597 		pam_trace(PAM_DEBUG_DEFAULT,
1598 		    "while load_modules[%d:%s](%p, %s)=%s",
1599 		    pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
1600 		    function_name, pam_entry->module_path);
1601 
1602 		if (pam_entry->pam_flag & PAM_INCLUDE) {
1603 			pam_trace(PAM_DEBUG_DEFAULT,
1604 			    "done load_modules[%d:%s](%p, %s)=%s",
1605 			    pamh->include_depth, pam_trace_cname(pamh),
1606 			    (void *)pamh, function_name,
1607 			    pam_entry->module_path);
1608 			return (PAM_SUCCESS);
1609 		}
1610 		switch (type) {
1611 		case PAM_AUTH_MODULE:
1612 
1613 			/* if the function has already been loaded, return */
1614 			authp = pam_entry->function_ptr;
1615 			if (!loading_functions &&
1616 			    (((strcmp(function_name, PAM_SM_AUTHENTICATE)
1617 			    == 0) && authp && authp->pam_sm_authenticate) ||
1618 			    ((strcmp(function_name, PAM_SM_SETCRED) == 0) &&
1619 			    authp && authp->pam_sm_setcred))) {
1620 				return (PAM_SUCCESS);
1621 			}
1622 
1623 			/* function has not been loaded yet */
1624 			loading_functions = 1;
1625 			if (authp == NULL) {
1626 				authp = calloc(1, sizeof (struct auth_module));
1627 				if (authp == NULL)
1628 					return (PAM_BUF_ERR);
1629 			}
1630 
1631 			/* if open_module fails, return error */
1632 			if ((mh = open_module(pamh,
1633 			    pam_entry->module_path)) == NULL) {
1634 				__pam_log(LOG_AUTH | LOG_ERR,
1635 				    "load_modules[%d:%s]: can not open module "
1636 				    "%s", pamh->include_depth,
1637 				    pam_trace_cname(pamh),
1638 				    pam_entry->module_path);
1639 				free(authp);
1640 				return (PAM_OPEN_ERR);
1641 			}
1642 
1643 			/* load the authentication function */
1644 			if (strcmp(function_name, PAM_SM_AUTHENTICATE) == 0) {
1645 				if (load_function(mh, PAM_SM_AUTHENTICATE,
1646 				    &authp->pam_sm_authenticate)
1647 				    != PAM_SUCCESS) {
1648 					/* return error if dlsym fails */
1649 					free(authp);
1650 					return (PAM_SYMBOL_ERR);
1651 				}
1652 
1653 			/* load the setcred function */
1654 			} else if (strcmp(function_name, PAM_SM_SETCRED) == 0) {
1655 				if (load_function(mh, PAM_SM_SETCRED,
1656 				    &authp->pam_sm_setcred) != PAM_SUCCESS) {
1657 					/* return error if dlsym fails */
1658 					free(authp);
1659 					return (PAM_SYMBOL_ERR);
1660 				}
1661 			}
1662 			pam_entry->function_ptr = authp;
1663 			break;
1664 		case PAM_ACCOUNT_MODULE:
1665 			accountp = pam_entry->function_ptr;
1666 			if (!loading_functions &&
1667 			    (strcmp(function_name, PAM_SM_ACCT_MGMT) == 0) &&
1668 			    accountp && accountp->pam_sm_acct_mgmt) {
1669 				return (PAM_SUCCESS);
1670 			}
1671 
1672 			/*
1673 			 * If functions are added to the account module,
1674 			 * verify that one of the other functions hasn't
1675 			 * already loaded it.  See PAM_AUTH_MODULE code.
1676 			 */
1677 			loading_functions = 1;
1678 			accountp = calloc(1, sizeof (struct account_module));
1679 			if (accountp == NULL)
1680 				return (PAM_BUF_ERR);
1681 
1682 			/* if open_module fails, return error */
1683 			if ((mh = open_module(pamh,
1684 			    pam_entry->module_path)) == NULL) {
1685 				__pam_log(LOG_AUTH | LOG_ERR,
1686 				    "load_modules[%d:%s]: can not open module "
1687 				    "%s", pamh->include_depth,
1688 				    pam_trace_cname(pamh),
1689 				    pam_entry->module_path);
1690 				free(accountp);
1691 				return (PAM_OPEN_ERR);
1692 			}
1693 
1694 			if (load_function(mh, PAM_SM_ACCT_MGMT,
1695 			    &accountp->pam_sm_acct_mgmt) != PAM_SUCCESS) {
1696 				__pam_log(LOG_AUTH | LOG_ERR,
1697 				    "load_modules[%d:%s]: pam_sm_acct_mgmt() "
1698 				    "missing", pamh->include_depth,
1699 				    pam_trace_cname(pamh));
1700 				free(accountp);
1701 				return (PAM_SYMBOL_ERR);
1702 			}
1703 			pam_entry->function_ptr = accountp;
1704 			break;
1705 		case PAM_SESSION_MODULE:
1706 			sessionp = pam_entry->function_ptr;
1707 			if (!loading_functions &&
1708 			    (((strcmp(function_name,
1709 			    PAM_SM_OPEN_SESSION) == 0) &&
1710 			    sessionp && sessionp->pam_sm_open_session) ||
1711 			    ((strcmp(function_name,
1712 			    PAM_SM_CLOSE_SESSION) == 0) &&
1713 			    sessionp && sessionp->pam_sm_close_session))) {
1714 				return (PAM_SUCCESS);
1715 			}
1716 
1717 			loading_functions = 1;
1718 			if (sessionp == NULL) {
1719 				sessionp = calloc(1,
1720 				    sizeof (struct session_module));
1721 				if (sessionp == NULL)
1722 					return (PAM_BUF_ERR);
1723 			}
1724 
1725 			/* if open_module fails, return error */
1726 			if ((mh = open_module(pamh,
1727 			    pam_entry->module_path)) == NULL) {
1728 				__pam_log(LOG_AUTH | LOG_ERR,
1729 				    "load_modules[%d:%s]: can not open module "
1730 				    "%s", pamh->include_depth,
1731 				    pam_trace_cname(pamh),
1732 				    pam_entry->module_path);
1733 				free(sessionp);
1734 				return (PAM_OPEN_ERR);
1735 			}
1736 
1737 			if ((strcmp(function_name, PAM_SM_OPEN_SESSION) == 0) &&
1738 			    load_function(mh, PAM_SM_OPEN_SESSION,
1739 			    &sessionp->pam_sm_open_session) != PAM_SUCCESS) {
1740 				free(sessionp);
1741 				return (PAM_SYMBOL_ERR);
1742 			} else if ((strcmp(function_name,
1743 			    PAM_SM_CLOSE_SESSION) == 0) &&
1744 			    load_function(mh, PAM_SM_CLOSE_SESSION,
1745 			    &sessionp->pam_sm_close_session) != PAM_SUCCESS) {
1746 				free(sessionp);
1747 				return (PAM_SYMBOL_ERR);
1748 			}
1749 			pam_entry->function_ptr = sessionp;
1750 			break;
1751 		case PAM_PASSWORD_MODULE:
1752 			passwdp = pam_entry->function_ptr;
1753 			if (!loading_functions &&
1754 			    (strcmp(function_name, PAM_SM_CHAUTHTOK) == 0) &&
1755 			    passwdp && passwdp->pam_sm_chauthtok) {
1756 				return (PAM_SUCCESS);
1757 			}
1758 
1759 			/*
1760 			 * If functions are added to the password module,
1761 			 * verify that one of the other functions hasn't
1762 			 * already loaded it.  See PAM_AUTH_MODULE code.
1763 			 */
1764 			loading_functions = 1;
1765 			passwdp = calloc(1, sizeof (struct password_module));
1766 			if (passwdp == NULL)
1767 				return (PAM_BUF_ERR);
1768 
1769 			/* if open_module fails, continue */
1770 			if ((mh = open_module(pamh,
1771 			    pam_entry->module_path)) == NULL) {
1772 				__pam_log(LOG_AUTH | LOG_ERR,
1773 				    "load_modules[%d:%s]: can not open module "
1774 				    "%s", pamh->include_depth,
1775 				    pam_trace_cname(pamh),
1776 				    pam_entry->module_path);
1777 				free(passwdp);
1778 				return (PAM_OPEN_ERR);
1779 			}
1780 
1781 			if (load_function(mh, PAM_SM_CHAUTHTOK,
1782 			    &passwdp->pam_sm_chauthtok) != PAM_SUCCESS) {
1783 				free(passwdp);
1784 				return (PAM_SYMBOL_ERR);
1785 			}
1786 			pam_entry->function_ptr = passwdp;
1787 			break;
1788 		default:
1789 			pam_trace(PAM_DEBUG_DEFAULT,
1790 			    "load_modules[%d:%s](%p, %s): unsupported type %d",
1791 			    pamh->include_depth, pam_trace_cname(pamh),
1792 			    (void *)pamh, function_name, type);
1793 			break;
1794 		}
1795 
1796 		pam_entry = pam_entry->next;
1797 	} /* while */
1798 
1799 	pam_trace(PAM_DEBUG_MODULE, "load_modules[%d:%s](%p, %s)=done",
1800 	    pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
1801 	    function_name);
1802 
1803 	return (PAM_SUCCESS);
1804 }
1805 
1806 /*
1807  * open_module		- Open the module first checking for
1808  *			  propers modes and ownerships on the file.
1809  */
1810 
1811 static void *
1812 open_module(pam_handle_t *pamh, char *module_so)
1813 {
1814 	struct stat64	stb;
1815 	char		*errmsg;
1816 	void		*lfd;
1817 	fd_list		*module_fds = 0;
1818 	fd_list		*trail = 0;
1819 	fd_list		*traverse = 0;
1820 
1821 	/* Check the ownership and file modes */
1822 	if (stat64(module_so, &stb) < 0) {
1823 		__pam_log(LOG_AUTH | LOG_ERR,
1824 		    "open_module[%d:%s]: stat(%s) failed: %s",
1825 		    pamh->include_depth, pam_trace_cname(pamh), module_so,
1826 		    strerror(errno));
1827 		return (NULL);
1828 	}
1829 	if (stb.st_uid != (uid_t)0) {
1830 		__pam_log(LOG_AUTH | LOG_ALERT,
1831 		    "open_module[%d:%s]: Owner of the module %s is not root",
1832 		    pamh->include_depth, pam_trace_cname(pamh), module_so);
1833 		return (NULL);
1834 	}
1835 	if (stb.st_mode & S_IWGRP) {
1836 		__pam_log(LOG_AUTH | LOG_ALERT,
1837 		    "open_module[%d:%s]: module %s writable by group",
1838 		    pamh->include_depth, pam_trace_cname(pamh), module_so);
1839 		return (NULL);
1840 	}
1841 	if (stb.st_mode & S_IWOTH) {
1842 		__pam_log(LOG_AUTH | LOG_ALERT,
1843 		    "open_module[%d:%s]: module %s writable by world",
1844 		    pamh->include_depth, pam_trace_cname(pamh), module_so);
1845 		return (NULL);
1846 	}
1847 
1848 	/*
1849 	 * Perform the dlopen()
1850 	 */
1851 	lfd = (void *)dlopen(module_so, RTLD_LAZY);
1852 
1853 	if (lfd == NULL) {
1854 		errmsg = dlerror();
1855 		__pam_log(LOG_AUTH | LOG_ERR, "open_module[%d:%s]: %s "
1856 		    "failed: %s", pamh->include_depth, pam_trace_cname(pamh),
1857 		    module_so, errmsg != NULL ? errmsg : "Unknown error");
1858 		return (NULL);
1859 	} else {
1860 		/* add this fd to the pam handle */
1861 		if ((module_fds = calloc(1, sizeof (fd_list))) == 0) {
1862 			(void) dlclose(lfd);
1863 			lfd = 0;
1864 			return (NULL);
1865 		}
1866 		module_fds->mh = lfd;
1867 
1868 		if (pamh->fd == 0) {
1869 			/* adding new head of list */
1870 			pamh->fd = module_fds;
1871 		} else {
1872 			/* appending to end of list */
1873 			traverse = pamh->fd;
1874 			while (traverse) {
1875 				trail = traverse;
1876 				traverse = traverse->next;
1877 			}
1878 			trail->next = module_fds;
1879 		}
1880 	}
1881 
1882 	return (lfd);
1883 }
1884 
1885 /*
1886  * load_function - call dlsym() to resolve the function address
1887  */
1888 static int
1889 load_function(void *lfd, char *name, int (**func)())
1890 {
1891 	char *errmsg = NULL;
1892 
1893 	if (lfd == NULL)
1894 		return (PAM_SYMBOL_ERR);
1895 
1896 	*func = (int (*)())dlsym(lfd, name);
1897 	if (*func == NULL) {
1898 		errmsg = dlerror();
1899 		__pam_log(LOG_AUTH | LOG_ERR, "dlsym failed %s: error %s",
1900 		    name, errmsg != NULL ? errmsg : "Unknown error");
1901 		return (PAM_SYMBOL_ERR);
1902 	}
1903 
1904 	pam_trace(PAM_DEBUG_DEFAULT,
1905 	    "load_function: successful load of %s", name);
1906 	return (PAM_SUCCESS);
1907 }
1908 
1909 /*
1910  * Routines to read the pam.conf configuration file
1911  */
1912 
1913 /*
1914  * open_pam_conf - open the pam.conf config file
1915  */
1916 
1917 static int
1918 open_pam_conf(struct pam_fh **pam_fh, pam_handle_t *pamh, char *config)
1919 {
1920 	struct stat64	stb;
1921 	int		fd;
1922 
1923 	if ((fd = open(config, O_RDONLY)) == -1) {
1924 		__pam_log(LOG_AUTH | LOG_ALERT,
1925 		    "open_pam_conf[%d:%s]: open(%s) failed: %s",
1926 		    pamh->include_depth, pam_trace_cname(pamh), config,
1927 		    strerror(errno));
1928 		return (0);
1929 	}
1930 	/* Check the ownership and file modes */
1931 	if (fstat64(fd, &stb) < 0) {
1932 		__pam_log(LOG_AUTH | LOG_ALERT,
1933 		    "open_pam_conf[%d:%s]: stat(%s) failed: %s",
1934 		    pamh->include_depth, pam_trace_cname(pamh), config,
1935 		    strerror(errno));
1936 		(void) close(fd);
1937 		return (0);
1938 	}
1939 	if (stb.st_uid != (uid_t)0) {
1940 		__pam_log(LOG_AUTH | LOG_ALERT,
1941 		    "open_pam_conf[%d:%s]: Owner of %s is not root",
1942 		    pamh->include_depth, pam_trace_cname(pamh), config);
1943 		(void) close(fd);
1944 		return (0);
1945 	}
1946 	if (stb.st_mode & S_IWGRP) {
1947 		__pam_log(LOG_AUTH | LOG_ALERT,
1948 		    "open_pam_conf[%d:%s]: %s writable by group",
1949 		    pamh->include_depth, pam_trace_cname(pamh), config);
1950 		(void) close(fd);
1951 		return (0);
1952 	}
1953 	if (stb.st_mode & S_IWOTH) {
1954 		__pam_log(LOG_AUTH | LOG_ALERT,
1955 		    "open_pam_conf[%d:%s]: %s writable by world",
1956 		    pamh->include_depth, pam_trace_cname(pamh), config);
1957 		(void) close(fd);
1958 		return (0);
1959 	}
1960 	if ((*pam_fh = calloc(1, sizeof (struct pam_fh))) == NULL) {
1961 		(void) close(fd);
1962 		return (0);
1963 	}
1964 	(*pam_fh)->fconfig = fd;
1965 	(*pam_fh)->bufsize = (size_t)stb.st_size;
1966 	if (((*pam_fh)->data = mmap(0, (*pam_fh)->bufsize, PROT_READ,
1967 	    MAP_PRIVATE, (*pam_fh)->fconfig, 0)) == MAP_FAILED) {
1968 		(void) close(fd);
1969 		free (*pam_fh);
1970 		return (0);
1971 	}
1972 	(*pam_fh)->bufferp = (*pam_fh)->data;
1973 
1974 	return (1);
1975 }
1976 
1977 /*
1978  * close_pam_conf - close pam.conf
1979  */
1980 
1981 static void
1982 close_pam_conf(struct pam_fh *pam_fh)
1983 {
1984 	(void) munmap(pam_fh->data, pam_fh->bufsize);
1985 	(void) close(pam_fh->fconfig);
1986 	free(pam_fh);
1987 }
1988 
1989 /*
1990  * read_pam_conf - read in each entry in pam.conf and store info
1991  *		   under the pam handle.
1992  */
1993 
1994 static int
1995 read_pam_conf(pam_handle_t *pamh, char *config)
1996 {
1997 	struct pam_fh	*pam_fh;
1998 	pamtab_t	*pamentp;
1999 	pamtab_t	*tpament;
2000 	char		*service;
2001 	int		error;
2002 	int		i = pamh->include_depth;	/* include depth */
2003 	/*
2004 	 * service types:
2005 	 * error (-1), "auth" (0), "account" (1), "session" (2), "password" (3)
2006 	 */
2007 	int service_found[PAM_NUM_MODULE_TYPES+1] = {0, 0, 0, 0, 0};
2008 
2009 	(void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
2010 	if (service == NULL || *service == '\0') {
2011 		__pam_log(LOG_AUTH | LOG_ERR, "No service name");
2012 		return (PAM_SYSTEM_ERR);
2013 	}
2014 
2015 	pamh->pam_conf_name[i] = strdup(config);
2016 	pam_trace(PAM_DEBUG_CONF, "read_pam_conf[%d:%s](%p) open(%s)",
2017 	    i, pam_trace_cname(pamh), (void *)pamh, config);
2018 	if (open_pam_conf(&pam_fh, pamh, config) == 0) {
2019 		return (PAM_SYSTEM_ERR);
2020 	}
2021 
2022 	while ((error =
2023 	    get_pam_conf_entry(pam_fh, pamh, &pamentp)) == PAM_SUCCESS &&
2024 	    pamentp) {
2025 
2026 		/* See if entry is this service and valid */
2027 		if (verify_pam_conf(pamentp, service)) {
2028 			pam_trace(PAM_DEBUG_CONF,
2029 			    "read_pam_conf[%d:%s](%p): bad entry error %s",
2030 			    i, pam_trace_cname(pamh), (void *)pamh, service);
2031 
2032 			error = PAM_SYSTEM_ERR;
2033 			free_pamconf(pamentp);
2034 			goto out;
2035 		}
2036 		if (strcasecmp(pamentp->pam_service, service) == 0) {
2037 			pam_trace(PAM_DEBUG_CONF,
2038 			    "read_pam_conf[%d:%s](%p): processing %s",
2039 			    i, pam_trace_cname(pamh), (void *)pamh, service);
2040 			/* process first service entry */
2041 			if (service_found[pamentp->pam_type + 1] == 0) {
2042 				/* purge "other" entries */
2043 				while ((tpament = pamh->pam_conf_info[i]
2044 				    [pamentp->pam_type]) != NULL) {
2045 					pam_trace(PAM_DEBUG_CONF,
2046 					    "read_pam_conf(%p): purging "
2047 					    "\"other\"[%d:%s][%s]",
2048 					    (void *)pamh, i,
2049 					    pam_trace_cname(pamh),
2050 					    pam_snames[pamentp->pam_type]);
2051 					pamh->pam_conf_info[i]
2052 					    [pamentp->pam_type] = tpament->next;
2053 					free_pamconf(tpament);
2054 				}
2055 				/* add first service entry */
2056 				pam_trace(PAM_DEBUG_CONF,
2057 				    "read_pam_conf(%p): adding 1st "
2058 				    "%s[%d:%s][%s]",
2059 				    (void *)pamh, service, i,
2060 				    pam_trace_cname(pamh),
2061 				    pam_snames[pamentp->pam_type]);
2062 				pamh->pam_conf_info[i][pamentp->pam_type] =
2063 				    pamentp;
2064 				service_found[pamentp->pam_type + 1] = 1;
2065 			} else {
2066 				/* append more service entries */
2067 				pam_trace(PAM_DEBUG_CONF,
2068 				    "read_pam_conf(%p): adding more "
2069 				    "%s[%d:%s][%s]",
2070 				    (void *)pamh, service, i,
2071 				    pam_trace_cname(pamh),
2072 				    pam_snames[pamentp->pam_type]);
2073 				tpament =
2074 				    pamh->pam_conf_info[i][pamentp->pam_type];
2075 				while (tpament->next != NULL) {
2076 					tpament = tpament->next;
2077 				}
2078 				tpament->next = pamentp;
2079 			}
2080 		} else if (service_found[pamentp->pam_type + 1] == 0) {
2081 			/* See if "other" entry available and valid */
2082 			if (verify_pam_conf(pamentp, "other")) {
2083 				pam_trace(PAM_DEBUG_CONF,
2084 				    "read_pam_conf(%p): bad entry error %s "
2085 				    "\"other\"[%d:%s]",
2086 				    (void *)pamh, service, i,
2087 				    pam_trace_cname(pamh));
2088 				error = PAM_SYSTEM_ERR;
2089 				free_pamconf(pamentp);
2090 				goto out;
2091 			}
2092 			if (strcasecmp(pamentp->pam_service, "other") == 0) {
2093 				pam_trace(PAM_DEBUG_CONF,
2094 				    "read_pam_conf(%p): processing "
2095 				    "\"other\"[%d:%s]", (void *)pamh, i,
2096 				    pam_trace_cname(pamh));
2097 				if ((tpament = pamh->pam_conf_info[i]
2098 				    [pamentp->pam_type]) == NULL) {
2099 					/* add first "other" entry */
2100 					pam_trace(PAM_DEBUG_CONF,
2101 					    "read_pam_conf(%p): adding 1st "
2102 					    "other[%d:%s][%s]", (void *)pamh, i,
2103 					    pam_trace_cname(pamh),
2104 					    pam_snames[pamentp->pam_type]);
2105 					pamh->pam_conf_info[i]
2106 					    [pamentp->pam_type] = pamentp;
2107 				} else {
2108 					/* append more "other" entries */
2109 					pam_trace(PAM_DEBUG_CONF,
2110 					    "read_pam_conf(%p): adding more "
2111 					    "other[%d:%s][%s]", (void *)pamh, i,
2112 					    pam_trace_cname(pamh),
2113 					    pam_snames[pamentp->pam_type]);
2114 					while (tpament->next != NULL) {
2115 						tpament = tpament->next;
2116 					}
2117 					tpament->next = pamentp;
2118 				}
2119 			} else {
2120 				/* irrelevant entry */
2121 				free_pamconf(pamentp);
2122 			}
2123 		} else {
2124 			/* irrelevant entry */
2125 			free_pamconf(pamentp);
2126 		}
2127 	}
2128 out:
2129 	(void) close_pam_conf(pam_fh);
2130 	if (error != PAM_SUCCESS)
2131 		free_pam_conf_info(pamh);
2132 	return (error);
2133 }
2134 
2135 /*
2136  * get_pam_conf_entry - get a pam.conf entry
2137  */
2138 
2139 static int
2140 get_pam_conf_entry(struct pam_fh *pam_fh, pam_handle_t *pamh, pamtab_t **pam)
2141 {
2142 	char		*cp, *arg;
2143 	int		argc;
2144 	char		*tmp, *tmp_free;
2145 	int		i;
2146 	char		*current_line = NULL;
2147 	int		error = PAM_SYSTEM_ERR;	/* preset to error */
2148 	int		err;
2149 
2150 	/* get the next line from pam.conf */
2151 	if ((cp = nextline(pam_fh, pamh, &err)) == NULL) {
2152 		/* no more lines in pam.conf ==> return */
2153 		error = PAM_SUCCESS;
2154 		*pam = NULL;
2155 		goto out;
2156 	}
2157 
2158 	if ((*pam = calloc(1, sizeof (pamtab_t))) == NULL) {
2159 		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2160 		goto out;
2161 	}
2162 
2163 	/* copy full line for error reporting */
2164 	if ((current_line = strdup(cp)) == NULL) {
2165 		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2166 		goto out;
2167 	}
2168 
2169 	pam_trace(PAM_DEBUG_CONF,
2170 	    "pam.conf[%s] entry:\t%s", pam_trace_cname(pamh), current_line);
2171 
2172 	/* get service name (e.g. login, su, passwd) */
2173 	if ((arg = read_next_token(&cp)) == 0) {
2174 		__pam_log(LOG_AUTH | LOG_CRIT,
2175 		    "illegal pam.conf[%s] entry: %s: missing SERVICE NAME",
2176 		    pam_trace_cname(pamh), current_line);
2177 		goto out;
2178 	}
2179 	if (((*pam)->pam_service = strdup(arg)) == 0) {
2180 		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2181 		goto out;
2182 	}
2183 
2184 	/* get module type (e.g. authentication, acct mgmt) */
2185 	if ((arg = read_next_token(&cp)) == 0) {
2186 		__pam_log(LOG_AUTH | LOG_CRIT,
2187 		    "illegal pam.conf[%s] entry: %s: missing MODULE TYPE",
2188 		    pam_trace_cname(pamh), current_line);
2189 		(*pam)->pam_type = -1;	/* 0 is a valid value */
2190 		goto getflag;
2191 	}
2192 	if (strcasecmp(arg, PAM_AUTH_NAME) == 0) {
2193 		(*pam)->pam_type = PAM_AUTH_MODULE;
2194 	} else if (strcasecmp(arg, PAM_ACCOUNT_NAME) == 0) {
2195 		(*pam)->pam_type = PAM_ACCOUNT_MODULE;
2196 	} else if (strcasecmp(arg, PAM_SESSION_NAME) == 0) {
2197 		(*pam)->pam_type = PAM_SESSION_MODULE;
2198 	} else if (strcasecmp(arg, PAM_PASSWORD_NAME) == 0) {
2199 		(*pam)->pam_type = PAM_PASSWORD_MODULE;
2200 	} else {
2201 		/* error */
2202 		__pam_log(LOG_AUTH | LOG_CRIT,
2203 		    "illegal pam.conf[%s] entry: %s: invalid module "
2204 		    "type: %s", pam_trace_cname(pamh), current_line, arg);
2205 		(*pam)->pam_type = -1;	/* 0 is a valid value */
2206 	}
2207 
2208 getflag:
2209 	/* get pam flag (e.g., requisite, required, sufficient, optional) */
2210 	if ((arg = read_next_token(&cp)) == 0) {
2211 		__pam_log(LOG_AUTH | LOG_CRIT,
2212 		    "illegal pam.conf[%s] entry: %s: missing CONTROL FLAG",
2213 		    pam_trace_cname(pamh), current_line);
2214 		goto getpath;
2215 	}
2216 	if (strcasecmp(arg, PAM_BINDING_NAME) == 0) {
2217 		(*pam)->pam_flag = PAM_BINDING;
2218 	} else if (strcasecmp(arg, PAM_INCLUDE_NAME) == 0) {
2219 		(*pam)->pam_flag = PAM_INCLUDE;
2220 	} else if (strcasecmp(arg, PAM_OPTIONAL_NAME) == 0) {
2221 		(*pam)->pam_flag = PAM_OPTIONAL;
2222 	} else if (strcasecmp(arg, PAM_REQUIRED_NAME) == 0) {
2223 		(*pam)->pam_flag = PAM_REQUIRED;
2224 	} else if (strcasecmp(arg, PAM_REQUISITE_NAME) == 0) {
2225 		(*pam)->pam_flag = PAM_REQUISITE;
2226 	} else if (strcasecmp(arg, PAM_SUFFICIENT_NAME) == 0) {
2227 		(*pam)->pam_flag = PAM_SUFFICIENT;
2228 	} else {
2229 		/* error */
2230 		__pam_log(LOG_AUTH | LOG_CRIT,
2231 		    "illegal pam.conf[%s] entry: %s",
2232 		    pam_trace_cname(pamh), current_line);
2233 		__pam_log(LOG_AUTH | LOG_CRIT,
2234 		    "\tinvalid control flag: %s", arg);
2235 	}
2236 
2237 getpath:
2238 	/* get module path (e.g. /usr/lib/security/pam_unix_auth.so.1) */
2239 	if ((arg = read_next_token(&cp)) == 0) {
2240 		__pam_log(LOG_AUTH | LOG_CRIT,
2241 		    "illegal pam.conf[%s] entry: %s: missing MODULE PATH",
2242 		    pam_trace_cname(pamh), current_line);
2243 		error = PAM_SUCCESS;	/* success */
2244 		goto out;
2245 	}
2246 	if (arg[0] != '/') {
2247 		size_t len;
2248 		/*
2249 		 * If module path does not start with "/", then
2250 		 * prepend PAM_LIB_DIR (/usr/lib/security/).
2251 		 */
2252 		/* sizeof (PAM_LIB_DIR) has room for '\0' */
2253 		len = sizeof (PAM_LIB_DIR) + sizeof (PAM_ISA_DIR) + strlen(arg);
2254 		if (((*pam)->module_path = malloc(len)) == NULL) {
2255 			__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2256 			goto out;
2257 		}
2258 		if ((*pam)->pam_flag & PAM_INCLUDE) {
2259 			(void) snprintf((*pam)->module_path, len, "%s%s",
2260 			    PAM_LIB_DIR, arg);
2261 		} else {
2262 			(void) snprintf((*pam)->module_path, len, "%s%s%s",
2263 			    PAM_LIB_DIR, PAM_ISA_DIR, arg);
2264 		}
2265 	} else {
2266 		/* Full path provided for module */
2267 		char *isa;
2268 
2269 		/* Check for Instruction Set Architecture indicator */
2270 		if ((isa = strstr(arg, PAM_ISA)) != NULL) {
2271 			size_t len;
2272 			len = strlen(arg) - (sizeof (PAM_ISA)-1) +
2273 			    sizeof (PAM_ISA_DIR);
2274 
2275 			/* substitute the architecture dependent path */
2276 			if (((*pam)->module_path = malloc(len)) == NULL) {
2277 				__pam_log(LOG_AUTH | LOG_ERR,
2278 				    "strdup: out of memory");
2279 				goto out;
2280 			}
2281 			*isa = '\000';
2282 			isa += strlen(PAM_ISA);
2283 			(void) snprintf((*pam)->module_path, len, "%s%s%s",
2284 			    arg, PAM_ISA_DIR, isa);
2285 		} else if (((*pam)->module_path = strdup(arg)) == 0) {
2286 			__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2287 			goto out;
2288 		}
2289 	}
2290 
2291 	/* count the number of module-specific options first */
2292 	argc = 0;
2293 	if ((tmp = strdup(cp)) == NULL) {
2294 		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2295 		goto out;
2296 	}
2297 	tmp_free = tmp;
2298 	for (arg = read_next_token(&tmp); arg; arg = read_next_token(&tmp))
2299 		argc++;
2300 	free(tmp_free);
2301 
2302 	/* allocate array for the module-specific options */
2303 	if (argc > 0) {
2304 		if (((*pam)->module_argv =
2305 		    calloc(argc+1, sizeof (char *))) == 0) {
2306 			__pam_log(LOG_AUTH | LOG_ERR, "calloc: out of memory");
2307 			goto out;
2308 		}
2309 		i = 0;
2310 		for (arg = read_next_token(&cp); arg;
2311 		    arg = read_next_token(&cp)) {
2312 			(*pam)->module_argv[i] = strdup(arg);
2313 			if ((*pam)->module_argv[i] == NULL) {
2314 				__pam_log(LOG_AUTH | LOG_ERR, "strdup failed");
2315 				goto out;
2316 			}
2317 			i++;
2318 		}
2319 		(*pam)->module_argv[argc] = NULL;
2320 	}
2321 	(*pam)->module_argc = argc;
2322 
2323 	error = PAM_SUCCESS;	/* success */
2324 	(*pam)->pam_err = err;	/* was the line truncated */
2325 
2326 out:
2327 	if (current_line)
2328 		free(current_line);
2329 	if (error != PAM_SUCCESS) {
2330 		/* on error free this */
2331 		if (*pam)
2332 			free_pamconf(*pam);
2333 	}
2334 	return (error);
2335 }
2336 
2337 
2338 /*
2339  * read_next_token - skip tab and space characters and return the next token
2340  */
2341 
2342 static char *
2343 read_next_token(char **cpp)
2344 {
2345 	register char *cp = *cpp;
2346 	char *start;
2347 
2348 	if (cp == (char *)0) {
2349 		*cpp = (char *)0;
2350 		return ((char *)0);
2351 	}
2352 	while (*cp == ' ' || *cp == '\t')
2353 		cp++;
2354 	if (*cp == '\0') {
2355 		*cpp = (char *)0;
2356 		return ((char *)0);
2357 	}
2358 	start = cp;
2359 	while (*cp && *cp != ' ' && *cp != '\t')
2360 		cp++;
2361 	if (*cp != '\0')
2362 		*cp++ = '\0';
2363 	*cpp = cp;
2364 	return (start);
2365 }
2366 
2367 static char *
2368 pam_conf_strnchr(char *sp, int c, intptr_t count)
2369 {
2370 	while (count) {
2371 		if (*sp == (char)c)
2372 			return ((char *)sp);
2373 		else {
2374 			sp++;
2375 			count--;
2376 		}
2377 	};
2378 	return (NULL);
2379 }
2380 
2381 /*
2382  * nextline - skip all blank lines and comments
2383  */
2384 
2385 static char *
2386 nextline(struct pam_fh *pam_fh, pam_handle_t *pamh, int *err)
2387 {
2388 	char	*ll;
2389 	int	find_a_line = 0;
2390 	char	*data = pam_fh->data;
2391 	char	*bufferp = pam_fh->bufferp;
2392 	char	*bufferendp = &data[pam_fh->bufsize];
2393 	size_t	input_len;
2394 
2395 	/*
2396 	 * Skip the blank line, comment line
2397 	 */
2398 	while (!find_a_line) {
2399 		/* if we are at the end of the buffer, there is no next line */
2400 		if (bufferp == bufferendp)
2401 			return (NULL);
2402 
2403 		/* skip blank line */
2404 		while (*bufferp == '\n') {
2405 			/*
2406 			 * If we are at the end of the buffer, there is
2407 			 * no next line.
2408 			 */
2409 			if (++bufferp == bufferendp) {
2410 				return (NULL);
2411 			}
2412 			/* else we check *bufferp again */
2413 		}
2414 
2415 		/* skip comment line */
2416 		while (*bufferp == '#') {
2417 			if ((ll = pam_conf_strnchr(bufferp, '\n',
2418 			    bufferendp - bufferp)) != NULL) {
2419 				bufferp = ll;
2420 			} else {
2421 				/*
2422 				 * this comment line the last line.
2423 				 * no next line
2424 				 */
2425 				return (NULL);
2426 			}
2427 
2428 			/*
2429 			 * If we are at the end of the buffer, there is
2430 			 * no next line.
2431 			 */
2432 			if (bufferp == bufferendp) {
2433 				return (NULL);
2434 			}
2435 		}
2436 
2437 		if ((*bufferp != '\n') && (*bufferp != '#')) {
2438 			find_a_line = 1;
2439 		}
2440 	}
2441 
2442 	*err = PAM_SUCCESS;
2443 	/* now we find one line */
2444 	if ((ll = pam_conf_strnchr(bufferp, '\n', bufferendp - bufferp))
2445 	    != NULL) {
2446 		if ((input_len = ll - bufferp) >= sizeof (pam_fh->line)) {
2447 			__pam_log(LOG_AUTH | LOG_ERR,
2448 			    "nextline[%d:%s]: pam.conf line too long %.256s",
2449 			    pamh->include_depth, pam_trace_cname(pamh),
2450 			    bufferp);
2451 			input_len = sizeof (pam_fh->line) - 1;
2452 			*err = PAM_SERVICE_ERR;
2453 		}
2454 		(void) strncpy(pam_fh->line, bufferp, input_len);
2455 		pam_fh->line[input_len] = '\0';
2456 		pam_fh->bufferp = ll++;
2457 	} else {
2458 		ll = bufferendp;
2459 		if ((input_len = ll - bufferp) >= sizeof (pam_fh->line)) {
2460 			__pam_log(LOG_AUTH | LOG_ERR,
2461 			    "nextline[%d:%s]: pam.conf line too long %.256s",
2462 			    pamh->include_depth, pam_trace_cname(pamh),
2463 			    bufferp);
2464 			input_len = sizeof (pam_fh->line) - 1;
2465 			*err = PAM_SERVICE_ERR;
2466 		}
2467 		(void) strncpy(pam_fh->line, bufferp, input_len);
2468 		pam_fh->line[input_len] = '\0';
2469 		pam_fh->bufferp = ll;
2470 	}
2471 
2472 	return (pam_fh->line);
2473 }
2474 
2475 /*
2476  * verify_pam_conf - verify that the pam_conf entry is filled in.
2477  *
2478  *	True = Error if there is no service.
2479  *	True = Error if there is a service and it matches the requested service
2480  *		but, the type, flag, line overflow, or path is in error.
2481  */
2482 
2483 static int
2484 verify_pam_conf(pamtab_t *pam, char *service)
2485 {
2486 	return ((pam->pam_service == (char *)NULL) ||
2487 	    ((strcasecmp(pam->pam_service, service) == 0) &&
2488 	    ((pam->pam_type == -1) ||
2489 	    (pam->pam_flag == 0) ||
2490 	    (pam->pam_err != PAM_SUCCESS) ||
2491 	    (pam->module_path == (char *)NULL))));
2492 }
2493 
2494 /*
2495  * Routines to free allocated storage
2496  */
2497 
2498 /*
2499  * clean_up -  free allocated storage in the pam handle
2500  */
2501 
2502 static void
2503 clean_up(pam_handle_t *pamh)
2504 {
2505 	int i;
2506 	pam_repository_t *auth_rep;
2507 
2508 	if (pamh) {
2509 		while (pamh->include_depth >= 0) {
2510 			free_pam_conf_info(pamh);
2511 			pamh->include_depth--;
2512 		}
2513 
2514 		/* Cleanup PAM_REPOSITORY structure */
2515 		auth_rep = pamh->ps_item[PAM_REPOSITORY].pi_addr;
2516 		if (auth_rep != NULL) {
2517 			if (auth_rep->type != NULL)
2518 				free(auth_rep->type);
2519 			if (auth_rep->scope != NULL)
2520 				free(auth_rep->scope);
2521 		}
2522 
2523 		for (i = 0; i < PAM_MAX_ITEMS; i++) {
2524 			if (pamh->ps_item[i].pi_addr != NULL) {
2525 				if (i == PAM_AUTHTOK || i == PAM_OLDAUTHTOK) {
2526 					(void) memset(pamh->ps_item[i].pi_addr,
2527 					    0, pamh->ps_item[i].pi_size);
2528 				}
2529 				free(pamh->ps_item[i].pi_addr);
2530 			}
2531 		}
2532 		free(pamh);
2533 	}
2534 }
2535 
2536 /*
2537  * free_pamconf - free memory used to store pam.conf entry
2538  */
2539 
2540 static void
2541 free_pamconf(pamtab_t *cp)
2542 {
2543 	int i;
2544 
2545 	if (cp) {
2546 		if (cp->pam_service)
2547 			free(cp->pam_service);
2548 		if (cp->module_path)
2549 			free(cp->module_path);
2550 		for (i = 0; i < cp->module_argc; i++) {
2551 			if (cp->module_argv[i])
2552 				free(cp->module_argv[i]);
2553 		}
2554 		if (cp->module_argc > 0)
2555 			free(cp->module_argv);
2556 		if (cp->function_ptr)
2557 			free(cp->function_ptr);
2558 
2559 		free(cp);
2560 	}
2561 }
2562 
2563 /*
2564  * free_pam_conf_info - free memory used to store all pam.conf info
2565  *			under the pam handle
2566  */
2567 
2568 static void
2569 free_pam_conf_info(pam_handle_t *pamh)
2570 {
2571 	pamtab_t *pamentp;
2572 	pamtab_t *pament_trail;
2573 	int i = pamh->include_depth;
2574 	int j;
2575 
2576 	for (j = 0; j < PAM_NUM_MODULE_TYPES; j++) {
2577 		pamentp = pamh->pam_conf_info[i][j];
2578 		pamh->pam_conf_info[i][j] = NULL;
2579 		pament_trail = pamentp;
2580 		while (pamentp) {
2581 			pamentp = pamentp->next;
2582 			free_pamconf(pament_trail);
2583 			pament_trail = pamentp;
2584 		}
2585 	}
2586 	if (pamh->pam_conf_name[i] != NULL) {
2587 		free(pamh->pam_conf_name[i]);
2588 		pamh->pam_conf_name[i] = NULL;
2589 	}
2590 }
2591 
2592 static void
2593 free_env(env_list *pam_env)
2594 {
2595 	if (pam_env) {
2596 		if (pam_env->name)
2597 			free(pam_env->name);
2598 		if (pam_env->value)
2599 			free(pam_env->value);
2600 		free(pam_env);
2601 	}
2602 }
2603 
2604 /*
2605  *	Internal convenience functions for Solaris PAM service modules.
2606  */
2607 
2608 #include <libintl.h>
2609 #include <nl_types.h>
2610 #include <synch.h>
2611 #include <locale.h>
2612 #include <thread.h>
2613 
2614 typedef struct pam_msg_data {
2615 	nl_catd fd;
2616 } pam_msg_data_t;
2617 
2618 /*
2619  * free_resp():
2620  *	free storage for responses used in the call back "pam_conv" functions
2621  */
2622 
2623 void
2624 free_resp(int num_msg, struct pam_response *resp)
2625 {
2626 	int			i;
2627 	struct pam_response	*r;
2628 
2629 	if (resp) {
2630 		r = resp;
2631 		for (i = 0; i < num_msg; i++, r++) {
2632 			if (r->resp) {
2633 				/* clear before freeing -- may be a password */
2634 				bzero(r->resp, strlen(r->resp));
2635 				free(r->resp);
2636 				r->resp = NULL;
2637 			}
2638 		}
2639 		free(resp);
2640 	}
2641 }
2642 
2643 static int
2644 do_conv(pam_handle_t *pamh, int msg_style, int num_msg,
2645     char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp,
2646     struct pam_response *ret_respp[])
2647 {
2648 	struct pam_message	*msg;
2649 	struct pam_message	*m;
2650 	int			i;
2651 	int			k;
2652 	int			retcode;
2653 	struct pam_conv		*pam_convp;
2654 
2655 	if ((retcode = pam_get_item(pamh, PAM_CONV,
2656 	    (void **)&pam_convp)) != PAM_SUCCESS) {
2657 		return (retcode);
2658 	}
2659 
2660 	/*
2661 	 * When pam_set_item() is called to set PAM_CONV and the
2662 	 * item is NULL, memset(pip->pi_addr, 0, size) is called.
2663 	 * So at this point, we should check whether pam_convp->conv
2664 	 * is NULL or not.
2665 	 */
2666 	if ((pam_convp == NULL) || (pam_convp->conv == NULL))
2667 		return (PAM_SYSTEM_ERR);
2668 
2669 	i = 0;
2670 	k = num_msg;
2671 
2672 	msg = calloc(num_msg, sizeof (struct pam_message));
2673 	if (msg == NULL) {
2674 		return (PAM_BUF_ERR);
2675 	}
2676 	m = msg;
2677 
2678 	while (k--) {
2679 		/*
2680 		 * fill out the message structure to display prompt message
2681 		 */
2682 		m->msg_style = msg_style;
2683 		m->msg = messages[i];
2684 		pam_trace(PAM_DEBUG_CONV,
2685 		    "pam_conv_msg(%p:%d[%d]=%s)",
2686 		    (void *)pamh, msg_style, i, messages[i]);
2687 		m++;
2688 		i++;
2689 	}
2690 
2691 	/*
2692 	 * The UNIX pam modules always calls __pam_get_authtok() and
2693 	 * __pam_display_msg() with a NULL pointer as the conv_apdp.
2694 	 * In case the conv_apdp is NULL and the pam_convp->appdata_ptr
2695 	 * is not NULL, we should pass the pam_convp->appdata_ptr
2696 	 * to the conversation function.
2697 	 */
2698 	if (conv_apdp == NULL && pam_convp->appdata_ptr != NULL)
2699 		conv_apdp = pam_convp->appdata_ptr;
2700 
2701 	/*
2702 	 * Call conv function to display the prompt.
2703 	 */
2704 	retcode = (pam_convp->conv)(num_msg, &msg, ret_respp, conv_apdp);
2705 	pam_trace(PAM_DEBUG_CONV,
2706 	    "pam_conv_resp(%p pam_conv = %s) ret_respp = %p",
2707 	    (void *)pamh, pam_strerror(pamh, retcode), (void *)ret_respp);
2708 	if (*ret_respp == NULL) {
2709 		pam_trace(PAM_DEBUG_CONV,
2710 		    "pam_conv_resp(%p No response requested)", (void *)pamh);
2711 	} else if ((pam_debug & (PAM_DEBUG_CONV | PAM_DEBUG_AUTHTOK)) != 0) {
2712 		struct pam_response *r = *ret_respp;
2713 
2714 		for (i = 0; i < num_msg; i++, r++) {
2715 			if (r->resp == NULL) {
2716 				pam_trace(PAM_DEBUG_CONV,
2717 				    "pam_conv_resp(%p:"
2718 				    "[%d] NULL response string)",
2719 				    (void *)pamh, i);
2720 			} else {
2721 				if (msg_style == PAM_PROMPT_ECHO_OFF) {
2722 #ifdef	DEBUG
2723 					pam_trace(PAM_DEBUG_AUTHTOK,
2724 					    "pam_conv_resp(%p:[%d]=%s, "
2725 					    "code=%d)",
2726 					    (void *)pamh, i, r->resp,
2727 					    r->resp_retcode);
2728 #endif	/* DEBUG */
2729 					pam_trace(PAM_DEBUG_CONV,
2730 					    "pam_conv_resp(%p:[%d] len=%lu, "
2731 					    "code=%d)",
2732 					    (void *)pamh, i,
2733 					    (ulong_t)strlen(r->resp),
2734 					    r->resp_retcode);
2735 				} else {
2736 					pam_trace(PAM_DEBUG_CONV,
2737 					    "pam_conv_resp(%p:[%d]=%s, "
2738 					    "code=%d)",
2739 					    (void *)pamh, i, r->resp,
2740 					    r->resp_retcode);
2741 				}
2742 			}
2743 		}
2744 	}
2745 
2746 	if (msg)
2747 		free(msg);
2748 	return (retcode);
2749 }
2750 
2751 /*
2752  * __pam_display_msg():
2753  *	display message by calling the call back functions
2754  *	provided by the application through "pam_conv" structure
2755  */
2756 
2757 int
2758 __pam_display_msg(pam_handle_t *pamh, int msg_style, int num_msg,
2759     char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp)
2760 {
2761 	struct pam_response	*ret_respp = NULL;
2762 	int ret;
2763 
2764 	ret = do_conv(pamh, msg_style, num_msg, messages,
2765 	    conv_apdp, &ret_respp);
2766 
2767 	if (ret_respp != NULL)
2768 		free_resp(num_msg, ret_respp);
2769 
2770 	return (ret);
2771 }
2772 
2773 /*
2774  * __pam_get_authtok()
2775  *	retrieves a password of at most PASS_MAX length from the pam
2776  *	handle (pam_get_item) or from the input stream (do_conv).
2777  *
2778  * This function allocates memory for the new authtok.
2779  * Applications calling this function are responsible for
2780  * freeing this memory.
2781  *
2782  * If "source" is
2783  *	PAM_HANDLE
2784  * and "type" is:
2785  *	PAM_AUTHTOK - password is taken from pam handle (PAM_AUTHTOK)
2786  *	PAM_OLDAUTHTOK - password is taken from pam handle (PAM_OLDAUTHTOK)
2787  *
2788  * If "source" is
2789  *	PAM_PROMPT
2790  * and "type" is:
2791  *	0:		Prompt for new passwd, do not even attempt
2792  *			to store it in the pam handle.
2793  *	PAM_AUTHTOK:	Prompt for new passwd, store in pam handle as
2794  *			PAM_AUTHTOK item if this value is not already set.
2795  *	PAM_OLDAUTHTOK:	Prompt for new passwd, store in pam handle as
2796  *			PAM_OLDAUTHTOK item if this value is not
2797  *			already set.
2798  */
2799 int
2800 __pam_get_authtok(pam_handle_t *pamh, int source, int type, char *prompt,
2801     char **authtok)
2802 {
2803 	int error = PAM_SYSTEM_ERR;
2804 	char *new_password = NULL;
2805 	struct pam_response *ret_resp = NULL;
2806 	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
2807 
2808 	if ((*authtok = calloc(PASS_MAX+1, sizeof (char))) == NULL)
2809 		return (PAM_BUF_ERR);
2810 
2811 	if (prompt == NULL)
2812 		prompt = dgettext(TEXT_DOMAIN, "password: ");
2813 
2814 	switch (source) {
2815 	case PAM_HANDLE:
2816 
2817 		/* get password from pam handle item list */
2818 
2819 		switch (type) {
2820 		case PAM_AUTHTOK:
2821 		case PAM_OLDAUTHTOK:
2822 
2823 			if ((error = pam_get_item(pamh, type,
2824 			    (void **)&new_password)) != PAM_SUCCESS)
2825 				goto err_ret;
2826 
2827 			if (new_password == NULL || new_password[0] == '\0') {
2828 				free(*authtok);
2829 				*authtok = NULL;
2830 			} else {
2831 				(void) strlcpy(*authtok, new_password,
2832 				    PASS_MAX+1);
2833 			}
2834 			break;
2835 		default:
2836 			__pam_log(LOG_AUTH | LOG_ERR,
2837 			    "__pam_get_authtok() invalid type: %d", type);
2838 			error = PAM_SYMBOL_ERR;
2839 			goto err_ret;
2840 		}
2841 		break;
2842 	case PAM_PROMPT:
2843 
2844 		/*
2845 		 * Prompt for new password and save in pam handle item list
2846 		 * if the that item is not already set.
2847 		 */
2848 
2849 		(void) strncpy(messages[0], prompt, sizeof (messages[0]));
2850 		if ((error = do_conv(pamh, PAM_PROMPT_ECHO_OFF, 1, messages,
2851 		    NULL, &ret_resp)) != PAM_SUCCESS)
2852 			goto err_ret;
2853 
2854 		if (ret_resp->resp == NULL) {
2855 			/* getpass didn't return anything */
2856 			error = PAM_SYSTEM_ERR;
2857 			goto err_ret;
2858 		}
2859 
2860 		/* save the new password if this item was NULL */
2861 		if (type) {
2862 			if ((error = pam_get_item(pamh, type,
2863 			    (void **)&new_password)) != PAM_SUCCESS) {
2864 				free_resp(1, ret_resp);
2865 				goto err_ret;
2866 			}
2867 			if (new_password == NULL)
2868 				(void) pam_set_item(pamh, type, ret_resp->resp);
2869 		}
2870 
2871 		(void) strlcpy(*authtok, ret_resp->resp, PASS_MAX+1);
2872 		free_resp(1, ret_resp);
2873 		break;
2874 	default:
2875 		__pam_log(LOG_AUTH | LOG_ERR,
2876 		    "__pam_get_authtok() invalid source: %d", source);
2877 		error = PAM_SYMBOL_ERR;
2878 		goto err_ret;
2879 	}
2880 
2881 	return (PAM_SUCCESS);
2882 
2883 err_ret:
2884 	bzero(*authtok, PASS_MAX+1);
2885 	free(*authtok);
2886 	*authtok = NULL;
2887 	return (error);
2888 }
2889