xref: /titanic_41/usr/src/lib/libpam/pam_framework.c (revision 56a424cca6b3f91f31bdab72a4626c48c779fe8b)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <syslog.h>
29 #include <dlfcn.h>
30 #include <sys/types.h>
31 #include <sys/stat.h>
32 #include <stdlib.h>
33 #include <strings.h>
34 #include <malloc.h>
35 #include <unistd.h>
36 #include <fcntl.h>
37 #include <errno.h>
38 
39 #include <security/pam_appl.h>
40 #include <security/pam_modules.h>
41 #include <sys/mman.h>
42 
43 #include <libintl.h>
44 
45 #include "pam_impl.h"
46 
47 static char *pam_snames [PAM_NUM_MODULE_TYPES] = {
48 	PAM_ACCOUNT_NAME,
49 	PAM_AUTH_NAME,
50 	PAM_PASSWORD_NAME,
51 	PAM_SESSION_NAME
52 };
53 
54 static char *pam_inames [PAM_MAX_ITEMS] = {
55 /* NONE */		NULL,
56 /* PAM_SERVICE */	"service",
57 /* PAM_USER */		"user",
58 /* PAM_TTY */		"tty",
59 /* PAM_RHOST */ 	"rhost",
60 /* PAM_CONV */		"conv",
61 /* PAM_AUTHTOK */	"authtok",
62 /* PAM_OLDAUTHTOK */	"oldauthtok",
63 /* PAM_RUSER */ 	"ruser",
64 /* PAM_USER_PROMPT */	"user_prompt",
65 /* PAM_REPOSITORY */	"repository",
66 /* PAM_RESOURCE */	"resource",
67 /* PAM_AUSER */ 	"auser",
68 /* Undefined Items */
69 };
70 
71 /*
72  * This extra definition is needed in order to build this library
73  * on pre-64-bit-aware systems.
74  */
75 #if !defined(_LFS64_LARGEFILE)
76 #define	stat64	stat
77 #endif	/* !defined(_LFS64_LARGEFILE) */
78 
79 /* functions to dynamically load modules */
80 static int	load_modules(pam_handle_t *, int, char *, pamtab_t *);
81 static void 	*open_module(pam_handle_t *, char *);
82 static int	load_function(void *, char *, int (**func)());
83 
84 /* functions to read and store the pam.conf configuration file */
85 static int	open_pam_conf(struct pam_fh **, pam_handle_t *, char *);
86 static void	close_pam_conf(struct pam_fh *);
87 static int	read_pam_conf(pam_handle_t *, char *);
88 static int 	get_pam_conf_entry(struct pam_fh *, pam_handle_t *,
89     pamtab_t **);
90 static char	*read_next_token(char **);
91 static char	*nextline(struct pam_fh *, pam_handle_t *, int *);
92 static int	verify_pam_conf(pamtab_t *, char *);
93 
94 /* functions to clean up and free memory */
95 static void	clean_up(pam_handle_t *);
96 static void	free_pamconf(pamtab_t *);
97 static void	free_pam_conf_info(pam_handle_t *);
98 static void	free_env(env_list *);
99 
100 /* convenience functions for I18N/L10N communication */
101 
102 static void	free_resp(int, struct pam_response *);
103 static int	do_conv(pam_handle_t *, int, int,
104     char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *,
105     struct pam_response **);
106 
107 static int	log_priority;	/* pam_trace syslog priority & facility */
108 static int	pam_debug = 0;
109 
110 static char *
111 pam_trace_iname(int item_type, char *iname_buf)
112 {
113 	char *name;
114 
115 	/*
116 	 * XXX -- Contracted Consolidation Private
117 	 *	  to be eliminated when dtlogin contract is terminated
118 	 * Version number requested by PAM's client
119 	 */
120 	if (item_type == PAM_MSG_VERSION)
121 		return ("msg_version");
122 
123 	if (item_type <= 0 ||
124 	    item_type >= PAM_MAX_ITEMS ||
125 	    (name = pam_inames[item_type]) == NULL) {
126 		(void) sprintf(iname_buf, "%d", item_type);
127 		return (iname_buf);
128 	}
129 	return (name);
130 }
131 
132 static char *
133 pam_trace_fname(int flag)
134 {
135 	if (flag & PAM_BINDING)
136 		return (PAM_BINDING_NAME);
137 	if (flag & PAM_INCLUDE)
138 		return (PAM_INCLUDE_NAME);
139 	if (flag & PAM_OPTIONAL)
140 		return (PAM_OPTIONAL_NAME);
141 	if (flag & PAM_REQUIRED)
142 		return (PAM_REQUIRED_NAME);
143 	if (flag & PAM_REQUISITE)
144 		return (PAM_REQUISITE_NAME);
145 	if (flag & PAM_SUFFICIENT)
146 		return (PAM_SUFFICIENT_NAME);
147 	return ("bad flag name");
148 }
149 
150 static char *
151 pam_trace_cname(pam_handle_t *pamh)
152 {
153 	if (pamh->pam_conf_name[pamh->include_depth] == NULL)
154 		return ("NULL");
155 	return (pamh->pam_conf_name[pamh->include_depth]);
156 }
157 
158 #include <deflt.h>
159 #include <stdarg.h>
160 /*
161  * pam_settrace - setup configuration for pam tracing
162  *
163  * turn on PAM debug if "magic" file exists
164  * if exists (original), pam_debug = PAM_DEBUG_DEFAULT,
165  * log_priority = LOG_DEBUG(7) and log_facility = LOG_AUTH(4).
166  *
167  * if has contents, keywork=value pairs:
168  *
169  *	"log_priority=" 0-7, the pam_trace syslog priority to use
170  *		(see sys/syslog.h)
171  *	"log_facility=" 0-23, the pam_trace syslog facility to use
172  *		(see sys/syslog.h)
173  *	"debug_flags=" PAM_DEBUG_DEFAULT (0x0001), log traditional
174  *			(original) debugging.
175  *		Plus the logical or of:
176  *		    PAM_DEBUG_ITEM (0x0002), log item values and
177  *			pam_get_item.
178  *		    PAM_DEBUG_MODULE (0x0004), log module return status.
179  *		    PAM_DEBUG_CONF (0x0008), log pam.conf parsing.
180  *		    PAM_DEBUG_DATA (0x0010), get/set_data.
181  *		    PAM_DEBUG_CONV (0x0020), conversation/response.
182  *
183  *		    If compiled with DEBUG:
184  *		    PAM_DEBUG_AUTHTOK (0x8000), display AUTHTOK value if
185  *				PAM_DEBUG_ITEM is set and results from
186  *				PAM_PROMPT_ECHO_OFF responses.
187  *		    USE CAREFULLY, THIS EXPOSES THE USER'S PASSWORDS.
188  *
189  *		or set to 0 and off even if PAM_DEBUG file exists.
190  *
191  * Output has the general form:
192  * <whatever was set syslog> PAM[<pid>]: <interface>(<handle> and other info)
193  * <whatever was set syslog> PAM[<pid>]: details requested for <interface> call
194  *	Where:	<pid> is the process ID of the calling process.
195  *		<handle> is the Hex value of the pam_handle associated with the
196  *			call.
197  */
198 
199 static void
200 pam_settrace()
201 {
202 	if (defopen(PAM_DEBUG) == 0) {
203 		char	*arg;
204 		int	code;
205 		int	facility = LOG_AUTH;
206 
207 		pam_debug = PAM_DEBUG_DEFAULT;
208 		log_priority = LOG_DEBUG;
209 
210 		(void) defcntl(DC_SETFLAGS, DC_CASE);
211 		if ((arg = defread(LOG_PRIORITY)) != NULL) {
212 			code = (int)strtol(arg, NULL, 10);
213 			if ((code & ~LOG_PRIMASK) == 0) {
214 				log_priority = code;
215 			}
216 		}
217 		if ((arg = defread(LOG_FACILITY)) != NULL) {
218 			code = (int)strtol(arg, NULL, 10);
219 			if (code < LOG_NFACILITIES) {
220 				facility = code << 3;
221 			}
222 		}
223 		if ((arg = defread(DEBUG_FLAGS)) != NULL) {
224 			pam_debug = (int)strtol(arg, NULL, 0);
225 		}
226 		(void) defopen(NULL);	/* close */
227 
228 		log_priority |= facility;
229 	}
230 }
231 
232 /*
233  * pam_trace - logs tracing messages
234  *
235  *	flag = debug_flags from /etc/pam_debug
236  *	format and args = message to print (PAM[<pid>]: is prepended).
237  *
238  *	global log_priority = pam_trace syslog (log_priority | log_facility)
239  *		from /etc/pam_debug
240  */
241 /*PRINTFLIKE2*/
242 static void
243 pam_trace(int flag, char *format, ...)
244 {
245 	va_list args;
246 	char message[1024];
247 	int savemask;
248 
249 	if ((pam_debug & flag) == 0)
250 		return;
251 
252 	savemask = setlogmask(LOG_MASK(log_priority & LOG_PRIMASK));
253 	(void) snprintf(message, sizeof (message), "PAM[%ld]: %s",
254 	    (long)getpid(), format);
255 	va_start(args, format);
256 	(void) vsyslog(log_priority, message, args);
257 	va_end(args);
258 	(void) setlogmask(savemask);
259 }
260 
261 /*
262  * __pam_log - logs PAM syslog messages
263  *
264  *	priority = message priority
265  *	format and args = message to log
266  */
267 /*PRINTFLIKE2*/
268 void
269 __pam_log(int priority, const char *format, ...)
270 {
271 	va_list args;
272 	int savemask = setlogmask(LOG_MASK(priority & LOG_PRIMASK));
273 
274 	va_start(args, format);
275 	(void) vsyslog(priority, format, args);
276 	va_end(args);
277 	(void) setlogmask(savemask);
278 }
279 
280 
281 /*
282  *			pam_XXXXX routines
283  *
284  *	These are the entry points to the authentication switch
285  */
286 
287 /*
288  * pam_start		- initiate an authentication transaction and
289  *			  set parameter values to be used during the
290  *			  transaction
291  */
292 
293 int
294 pam_start(const char *service, const char *user,
295     const struct pam_conv *pam_conv, pam_handle_t **pamh)
296 {
297 	int	err;
298 
299 	*pamh = (struct pam_handle *)calloc(1, sizeof (struct pam_handle));
300 
301 	pam_settrace();
302 	pam_trace(PAM_DEBUG_DEFAULT,
303 	    "pam_start(%s,%s,%p:%p) - debug = %x",
304 	    service ? service : "NULL", user ? user : "NULL", (void *)pam_conv,
305 	    (void *)*pamh, pam_debug);
306 
307 	if (*pamh == NULL)
308 		return (PAM_BUF_ERR);
309 
310 	(*pamh)->pam_inmodule = RO_OK;		/* OK to set RO items */
311 	if ((err = pam_set_item(*pamh, PAM_SERVICE, (void *)service))
312 	    != PAM_SUCCESS) {
313 		clean_up(*pamh);
314 		*pamh = NULL;
315 		return (err);
316 	}
317 
318 	if ((err = pam_set_item(*pamh, PAM_USER, (void *)user))
319 	    != PAM_SUCCESS) {
320 		clean_up(*pamh);
321 		*pamh = NULL;
322 		return (err);
323 	}
324 
325 	if ((err = pam_set_item(*pamh, PAM_CONV, (void *)pam_conv))
326 	    != PAM_SUCCESS) {
327 		clean_up(*pamh);
328 		*pamh = NULL;
329 		return (err);
330 	}
331 
332 	(*pamh)->pam_inmodule = RW_OK;
333 	return (PAM_SUCCESS);
334 }
335 
336 /*
337  * pam_end - terminate an authentication transaction
338  */
339 
340 int
341 pam_end(pam_handle_t *pamh, int pam_status)
342 {
343 	struct pam_module_data *psd, *p;
344 	fd_list *expired;
345 	fd_list *traverse;
346 	env_list *env_expired;
347 	env_list *env_traverse;
348 
349 	pam_trace(PAM_DEBUG_DEFAULT,
350 	    "pam_end(%p): status = %s", (void *)pamh,
351 	    pam_strerror(pamh, pam_status));
352 
353 	if (pamh == NULL)
354 		return (PAM_SYSTEM_ERR);
355 
356 	/* call the cleanup routines for module specific data */
357 
358 	psd = pamh->ssd;
359 	while (psd) {
360 		if (psd->cleanup) {
361 			psd->cleanup(pamh, psd->data, pam_status);
362 		}
363 		p = psd;
364 		psd = p->next;
365 		free(p->module_data_name);
366 		free(p);
367 	}
368 	pamh->ssd = NULL;
369 
370 	/* dlclose all module fds */
371 	traverse = pamh->fd;
372 	while (traverse) {
373 		expired = traverse;
374 		traverse = traverse->next;
375 		(void) dlclose(expired->mh);
376 		free(expired);
377 	}
378 	pamh->fd = 0;
379 
380 	/* remove all environment variables */
381 	env_traverse = pamh->pam_env;
382 	while (env_traverse) {
383 		env_expired = env_traverse;
384 		env_traverse = env_traverse->next;
385 		free_env(env_expired);
386 	}
387 
388 	clean_up(pamh);
389 	return (PAM_SUCCESS);
390 }
391 
392 /*
393  * pam_set_item		- set the value of a parameter that can be
394  *			  retrieved via a call to pam_get_item()
395  */
396 
397 int
398 pam_set_item(pam_handle_t *pamh, int item_type, const void *item)
399 {
400 	struct pam_item *pip;
401 	int	size;
402 	char	iname_buf[PAM_MAX_MSG_SIZE];
403 
404 	if (((pam_debug & PAM_DEBUG_ITEM) == 0) || (pamh == NULL)) {
405 		pam_trace(PAM_DEBUG_DEFAULT,
406 		    "pam_set_item(%p:%s)", (void *)pamh,
407 		    pam_trace_iname(item_type, iname_buf));
408 	}
409 
410 	if (pamh == NULL)
411 		return (PAM_SYSTEM_ERR);
412 
413 	/* check read only items */
414 	if ((item_type == PAM_SERVICE) && (pamh->pam_inmodule != RO_OK))
415 		return (PAM_PERM_DENIED);
416 
417 	/*
418 	 * XXX -- Contracted Consolidation Private
419 	 *	  to be eliminated when dtlogin contract is terminated
420 	 * Check if tag is Sun proprietary
421 	 */
422 	if (item_type == PAM_MSG_VERSION) {
423 		if (pamh->pam_client_message_version_number)
424 			free(pamh->pam_client_message_version_number);
425 
426 		if (item == NULL)
427 			pamh->pam_client_message_version_number = NULL;
428 		else
429 			if ((pamh->pam_client_message_version_number =
430 			    strdup((char *)item)) == NULL)
431 				return (PAM_BUF_ERR);
432 
433 		pam_trace(PAM_DEBUG_ITEM,
434 		    "pam_set_item(%p:%s)=%s", (void *)pamh,
435 		    pam_trace_iname(item_type, iname_buf),
436 		    item ? (char *)item : "NULL");
437 		return (PAM_SUCCESS);
438 	}
439 
440 	/*
441 	 * Check that item_type is within valid range
442 	 */
443 
444 	if (item_type <= 0 || item_type >= PAM_MAX_ITEMS)
445 		return (PAM_SYMBOL_ERR);
446 
447 	pip = &(pamh->ps_item[item_type]);
448 
449 	switch (item_type) {
450 	case PAM_AUTHTOK:
451 	case PAM_OLDAUTHTOK:
452 		if (pip->pi_addr != NULL)
453 			(void) memset(pip->pi_addr, 0, pip->pi_size);
454 		/*FALLTHROUGH*/
455 	case PAM_SERVICE:
456 	case PAM_USER:
457 	case PAM_TTY:
458 	case PAM_RHOST:
459 	case PAM_RUSER:
460 	case PAM_USER_PROMPT:
461 	case PAM_RESOURCE:
462 	case PAM_AUSER:
463 		if (pip->pi_addr != NULL) {
464 			free(pip->pi_addr);
465 		}
466 
467 		if (item == NULL) {
468 			pip->pi_addr = NULL;
469 			pip->pi_size = 0;
470 		} else {
471 			pip->pi_addr = strdup((char *)item);
472 			if (pip->pi_addr == NULL) {
473 				pip->pi_size = 0;
474 				return (PAM_BUF_ERR);
475 			}
476 			pip->pi_size = strlen(pip->pi_addr);
477 		}
478 		break;
479 	case PAM_CONV:
480 		if (pip->pi_addr != NULL)
481 			free(pip->pi_addr);
482 		size = sizeof (struct pam_conv);
483 		if ((pip->pi_addr = (void *)calloc(1, size)) == NULL)
484 			return (PAM_BUF_ERR);
485 		if (item != NULL)
486 			(void) memcpy(pip->pi_addr, item, (unsigned int) size);
487 		else
488 			(void) memset(pip->pi_addr, 0, size);
489 		pip->pi_size = size;
490 		break;
491 	case PAM_REPOSITORY:
492 		if (pip->pi_addr != NULL) {
493 			pam_repository_t *auth_rep;
494 
495 			auth_rep = (pam_repository_t *)pip->pi_addr;
496 			if (auth_rep->type != NULL)
497 				free(auth_rep->type);
498 			if (auth_rep->scope != NULL)
499 				free(auth_rep->scope);
500 			free(auth_rep);
501 		}
502 		if (item != NULL) {
503 			pam_repository_t *s, *d;
504 
505 			size = sizeof (struct pam_repository);
506 			pip->pi_addr = (void *)calloc(1, size);
507 			if (pip->pi_addr == NULL)
508 				return (PAM_BUF_ERR);
509 
510 			s = (struct pam_repository *)item;
511 			d = (struct pam_repository *)pip->pi_addr;
512 
513 			d->type = strdup(s->type);
514 			if (d->type == NULL)
515 				return (PAM_BUF_ERR);
516 			d->scope = malloc(s->scope_len);
517 			if (d->scope == NULL)
518 				return (PAM_BUF_ERR);
519 			(void) memcpy(d->scope, s->scope, s->scope_len);
520 			d->scope_len = s->scope_len;
521 		}
522 		pip->pi_size = size;
523 		break;
524 	default:
525 		return (PAM_SYMBOL_ERR);
526 	}
527 	switch (item_type) {
528 	case PAM_CONV:
529 		pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%p",
530 		    (void *)pamh,
531 		    pam_trace_iname(item_type, iname_buf),
532 		    item ? (void *)((struct pam_conv *)item)->conv :
533 		    (void *)0);
534 		break;
535 	case PAM_REPOSITORY:
536 		pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%s",
537 		    (void *)pamh,
538 		    pam_trace_iname(item_type, iname_buf),
539 		    item ? (((struct pam_repository *)item)->type ?
540 		    ((struct pam_repository *)item)->type : "NULL") :
541 		    "NULL");
542 		break;
543 	case PAM_AUTHTOK:
544 	case PAM_OLDAUTHTOK:
545 #ifdef	DEBUG
546 		if (pam_debug & PAM_DEBUG_AUTHTOK)
547 			pam_trace(PAM_DEBUG_ITEM,
548 			    "pam_set_item(%p:%s)=%s", (void *)pamh,
549 			    pam_trace_iname(item_type, iname_buf),
550 			    item ? (char *)item : "NULL");
551 		else
552 #endif	/* DEBUG */
553 			pam_trace(PAM_DEBUG_ITEM,
554 			    "pam_set_item(%p:%s)=%s", (void *)pamh,
555 			    pam_trace_iname(item_type, iname_buf),
556 			    item ? "********" : "NULL");
557 		break;
558 	default:
559 		pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%s",
560 		    (void *)pamh,
561 		    pam_trace_iname(item_type, iname_buf),
562 		    item ? (char *)item : "NULL");
563 	}
564 
565 	return (PAM_SUCCESS);
566 }
567 
568 /*
569  * pam_get_item		- read the value of a parameter specified in
570  *			  the call to pam_set_item()
571  */
572 
573 int
574 pam_get_item(const pam_handle_t *pamh, int item_type, void **item)
575 {
576 	struct pam_item *pip;
577 	char	iname_buf[PAM_MAX_MSG_SIZE];
578 
579 	if (((pam_debug & PAM_DEBUG_ITEM) == 0) || (pamh == NULL)) {
580 		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)",
581 		    (void *)pamh, pam_trace_iname(item_type, iname_buf));
582 	}
583 
584 	if (pamh == NULL)
585 		return (PAM_SYSTEM_ERR);
586 
587 	/*
588 	 * XXX -- Contracted Consolidation Private
589 	 *	  to be eliminated when dtlogin contract is terminated
590 	 * Check if tag is Sun proprietary
591 	 */
592 	if (item_type == PAM_MSG_VERSION) {
593 		*item = pamh->pam_client_message_version_number;
594 		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%s",
595 		    (void *)pamh, pam_trace_iname(item_type, iname_buf),
596 		    *item ? (char *)*item : "NULL");
597 		return (PAM_SUCCESS);
598 	}
599 
600 	if (item_type <= 0 || item_type >= PAM_MAX_ITEMS)
601 		return (PAM_SYMBOL_ERR);
602 
603 	if ((pamh->pam_inmodule != WO_OK) &&
604 	    ((item_type == PAM_AUTHTOK || item_type == PAM_OLDAUTHTOK))) {
605 		__pam_log(LOG_AUTH | LOG_NOTICE, "pam_get_item(%s) called from "
606 		    "a non module context",
607 		    pam_trace_iname(item_type, iname_buf));
608 		return (PAM_PERM_DENIED);
609 	}
610 
611 	pip = (struct pam_item *)&(pamh->ps_item[item_type]);
612 
613 	*item = pip->pi_addr;
614 	switch (item_type) {
615 	case PAM_CONV:
616 		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%p",
617 		    (void *)pamh,
618 		    pam_trace_iname(item_type, iname_buf),
619 		    (void *)((struct pam_conv *)*item)->conv);
620 		break;
621 	case PAM_REPOSITORY:
622 		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%s",
623 		    (void *)pamh,
624 		    pam_trace_iname(item_type, iname_buf),
625 		    *item ? (((struct pam_repository *)*item)->type ?
626 		    ((struct pam_repository *)*item)->type : "NULL") :
627 		    "NULL");
628 		break;
629 	case PAM_AUTHTOK:
630 	case PAM_OLDAUTHTOK:
631 #ifdef	DEBUG
632 		if (pam_debug & PAM_DEBUG_AUTHTOK)
633 			pam_trace(PAM_DEBUG_ITEM,
634 			    "pam_get_item(%p:%s)=%s", (void *)pamh,
635 			    pam_trace_iname(item_type, iname_buf),
636 			    *item ? *(char **)item : "NULL");
637 		else
638 #endif	/* DEBUG */
639 			pam_trace(PAM_DEBUG_ITEM,
640 			    "pam_get_item(%p:%s)=%s", (void *)pamh,
641 			    pam_trace_iname(item_type, iname_buf),
642 			    *item ? "********" : "NULL");
643 		break;
644 	default:
645 		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%s",
646 		    (void *)pamh,
647 		    pam_trace_iname(item_type, iname_buf),
648 		    *item ? *(char **)item : "NULL");
649 	}
650 
651 	return (PAM_SUCCESS);
652 }
653 
654 /*
655  * parse_user_name         - process the user response: ignore
656  *                           '\t' or ' ' before or after a user name.
657  *                           user_input is a null terminated string.
658  *                           *ret_username will be the user name.
659  */
660 
661 static int
662 parse_user_name(char *user_input, char **ret_username)
663 {
664 	register char *ptr;
665 	register int index = 0;
666 	char username[PAM_MAX_RESP_SIZE];
667 
668 	/* Set the default value for *ret_username */
669 	*ret_username = NULL;
670 
671 	/*
672 	 * Set the initial value for username - this is a buffer holds
673 	 * the user name.
674 	 */
675 	bzero((void *)username, PAM_MAX_RESP_SIZE);
676 
677 	/*
678 	 * The user_input is guaranteed to be terminated by a null character.
679 	 */
680 	ptr = user_input;
681 
682 	/* Skip all the leading whitespaces if there are any. */
683 	while ((*ptr == ' ') || (*ptr == '\t'))
684 		ptr++;
685 
686 	if (*ptr == '\0') {
687 		/*
688 		 * We should never get here since the user_input we got
689 		 * in pam_get_user() is not all whitespaces nor just "\0".
690 		 */
691 		return (PAM_BUF_ERR);
692 	}
693 
694 	/*
695 	 * username will be the first string we get from user_input
696 	 * - we skip leading whitespaces and ignore trailing whitespaces
697 	 */
698 	while (*ptr != '\0') {
699 		if ((*ptr == ' ') || (*ptr == '\t'))
700 			break;
701 		else {
702 			username[index] = *ptr;
703 			index++;
704 			ptr++;
705 		}
706 	}
707 
708 	/* ret_username will be freed in pam_get_user(). */
709 	if ((*ret_username = (char *)malloc((index + 1)*(sizeof (char))))
710 	    == NULL)
711 		return (PAM_BUF_ERR);
712 	(void) strcpy(*ret_username, username);
713 	return (PAM_SUCCESS);
714 }
715 
716 /*
717  * Get the value of PAM_USER. If not set, then use the convenience function
718  * to prompt for the user. Use prompt if specified, else use PAM_USER_PROMPT
719  * if it is set, else use default.
720  */
721 #define	WHITESPACE	0
722 #define	USERNAME	1
723 
724 int
725 pam_get_user(pam_handle_t *pamh, char **user, const char *prompt_override)
726 {
727 	int	status;
728 	char	*prompt = NULL;
729 	char    *real_username;
730 
731 	struct pam_response *ret_resp = NULL;
732 	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
733 
734 	pam_trace(PAM_DEBUG_DEFAULT,
735 	    "pam_get_user(%p, %p, %s)", (void *)pamh, (void *)*user,
736 	    prompt_override ? prompt_override : "NULL");
737 	if (pamh == NULL)
738 		return (PAM_SYSTEM_ERR);
739 
740 	if ((status = pam_get_item(pamh, PAM_USER, (void **)user))
741 	    != PAM_SUCCESS) {
742 		return (status);
743 	}
744 
745 	/* if the user is set, return it */
746 
747 	if (*user != NULL && *user[0] != '\0') {
748 		return (PAM_SUCCESS);
749 	}
750 
751 	/*
752 	 * if the module is requesting a special prompt, use it.
753 	 * else use PAM_USER_PROMPT.
754 	 */
755 
756 	if (prompt_override != NULL) {
757 		prompt = (char *)prompt_override;
758 	} else {
759 		status = pam_get_item(pamh, PAM_USER_PROMPT, (void**)&prompt);
760 		if (status != PAM_SUCCESS) {
761 			return (status);
762 		}
763 	}
764 
765 	/* if the prompt is not set, use default */
766 
767 	if (prompt == NULL || prompt[0] == '\0') {
768 		prompt = dgettext(TEXT_DOMAIN, "Please enter user name: ");
769 	}
770 
771 	/* prompt for the user */
772 
773 	(void) strncpy(messages[0], prompt, sizeof (messages[0]));
774 
775 	for (;;) {
776 		int state = WHITESPACE;
777 
778 		status = do_conv(pamh, PAM_PROMPT_ECHO_ON, 1, messages,
779 		    NULL, &ret_resp);
780 
781 		if (status != PAM_SUCCESS) {
782 			return (status);
783 		}
784 
785 		if (ret_resp->resp && ret_resp->resp[0] != '\0') {
786 			int len = strlen(ret_resp->resp);
787 			int i;
788 
789 			for (i = 0; i < len; i++) {
790 				if ((ret_resp->resp[i] != ' ') &&
791 					(ret_resp->resp[i] != '\t')) {
792 					state = USERNAME;
793 					break;
794 				}
795 			}
796 
797 			if (state == USERNAME)
798 				break;
799 		}
800 	}
801 
802 	/* set PAM_USER */
803 	/* Parse the user input to get the user name. */
804 	status = parse_user_name(ret_resp->resp, &real_username);
805 
806 	if (status != PAM_SUCCESS) {
807 		if (real_username != NULL)
808 			free(real_username);
809 		free_resp(1, ret_resp);
810 		return (status);
811 	}
812 
813 	status = pam_set_item(pamh, PAM_USER, real_username);
814 
815 	free(real_username);
816 
817 	free_resp(1, ret_resp);
818 	if (status != PAM_SUCCESS) {
819 		return (status);
820 	}
821 
822 	/*
823 	 * finally, get PAM_USER. We have to call pam_get_item to get
824 	 * the value of user because pam_set_item mallocs the memory.
825 	 */
826 
827 	status = pam_get_item(pamh, PAM_USER, (void**)user);
828 	return (status);
829 }
830 
831 /*
832  * Set module specific data
833  */
834 
835 int
836 pam_set_data(pam_handle_t *pamh, const char *module_data_name, void *data,
837     void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status))
838 {
839 	struct pam_module_data *psd;
840 
841 	pam_trace(PAM_DEBUG_DATA,
842 	    "pam_set_data(%p:%s:%d)=%p", (void *)pamh,
843 	    module_data_name ? module_data_name : "NULL", pamh->pam_inmodule,
844 	    data);
845 	if (pamh == NULL || (pamh->pam_inmodule != WO_OK) ||
846 	    module_data_name == NULL) {
847 		return (PAM_SYSTEM_ERR);
848 	}
849 
850 	/* check if module data already exists */
851 
852 	for (psd = pamh->ssd; psd; psd = psd->next) {
853 		if (strcmp(psd->module_data_name, module_data_name) == 0) {
854 			/* clean up original data before setting the new data */
855 			if (psd->cleanup) {
856 				psd->cleanup(pamh, psd->data, PAM_SUCCESS);
857 			}
858 			psd->data = (void *)data;
859 			psd->cleanup = cleanup;
860 			return (PAM_SUCCESS);
861 		}
862 	}
863 
864 	psd = malloc(sizeof (struct pam_module_data));
865 	if (psd == NULL)
866 		return (PAM_BUF_ERR);
867 
868 	psd->module_data_name = strdup(module_data_name);
869 	if (psd->module_data_name == NULL) {
870 		free(psd);
871 		return (PAM_BUF_ERR);
872 	}
873 
874 	psd->data = (void *)data;
875 	psd->cleanup = cleanup;
876 	psd->next = pamh->ssd;
877 	pamh->ssd = psd;
878 	return (PAM_SUCCESS);
879 }
880 
881 /*
882  * get module specific data
883  */
884 
885 int
886 pam_get_data(const pam_handle_t *pamh, const char *module_data_name,
887     const void **data)
888 {
889 	struct pam_module_data *psd;
890 
891 	if (pamh == NULL || (pamh->pam_inmodule != WO_OK) ||
892 	    module_data_name == NULL) {
893 		pam_trace(PAM_DEBUG_DATA,
894 		    "pam_get_data(%p:%s:%d)=%p", (void *)pamh,
895 		    module_data_name ? module_data_name : "NULL",
896 		    pamh->pam_inmodule, *data);
897 		return (PAM_SYSTEM_ERR);
898 	}
899 
900 	for (psd = pamh->ssd; psd; psd = psd->next) {
901 		if (strcmp(psd->module_data_name, module_data_name) == 0) {
902 			*data = psd->data;
903 			pam_trace(PAM_DEBUG_DATA,
904 			    "pam_get_data(%p:%s)=%p", (void *)pamh,
905 			    module_data_name, *data);
906 			return (PAM_SUCCESS);
907 		}
908 	}
909 	pam_trace(PAM_DEBUG_DATA,
910 	    "pam_get_data(%p:%s)=%s", (void *)pamh, module_data_name,
911 	    "PAM_NO_MODULE_DATA");
912 
913 	return (PAM_NO_MODULE_DATA);
914 }
915 
916 /*
917  * PAM equivalent to strerror()
918  */
919 /* ARGSUSED */
920 const char *
921 pam_strerror(pam_handle_t *pamh, int errnum)
922 {
923 	switch (errnum) {
924 	case PAM_SUCCESS:
925 		return (dgettext(TEXT_DOMAIN, "Success"));
926 	case PAM_OPEN_ERR:
927 		return (dgettext(TEXT_DOMAIN, "Dlopen failure"));
928 	case PAM_SYMBOL_ERR:
929 		return (dgettext(TEXT_DOMAIN, "Symbol not found"));
930 	case PAM_SERVICE_ERR:
931 		return (dgettext(TEXT_DOMAIN,
932 		    "Error in underlying service module"));
933 	case PAM_SYSTEM_ERR:
934 		return (dgettext(TEXT_DOMAIN, "System error"));
935 	case PAM_BUF_ERR:
936 		return (dgettext(TEXT_DOMAIN, "Memory buffer error"));
937 	case PAM_CONV_ERR:
938 		return (dgettext(TEXT_DOMAIN, "Conversation failure"));
939 	case PAM_PERM_DENIED:
940 		return (dgettext(TEXT_DOMAIN, "Permission denied"));
941 	case PAM_MAXTRIES:
942 		return (dgettext(TEXT_DOMAIN,
943 		    "Maximum number of attempts exceeded"));
944 	case PAM_AUTH_ERR:
945 		return (dgettext(TEXT_DOMAIN, "Authentication failed"));
946 	case PAM_NEW_AUTHTOK_REQD:
947 		return (dgettext(TEXT_DOMAIN, "Get new authentication token"));
948 	case PAM_CRED_INSUFFICIENT:
949 		return (dgettext(TEXT_DOMAIN, "Insufficient credentials"));
950 	case PAM_AUTHINFO_UNAVAIL:
951 		return (dgettext(TEXT_DOMAIN,
952 		    "Can not retrieve authentication info"));
953 	case PAM_USER_UNKNOWN:
954 		return (dgettext(TEXT_DOMAIN, "No account present for user"));
955 	case PAM_CRED_UNAVAIL:
956 		return (dgettext(TEXT_DOMAIN,
957 		    "Can not retrieve user credentials"));
958 	case PAM_CRED_EXPIRED:
959 		return (dgettext(TEXT_DOMAIN,
960 		    "User credentials have expired"));
961 	case PAM_CRED_ERR:
962 		return (dgettext(TEXT_DOMAIN,
963 		    "Failure setting user credentials"));
964 	case PAM_ACCT_EXPIRED:
965 		return (dgettext(TEXT_DOMAIN, "User account has expired"));
966 	case PAM_AUTHTOK_EXPIRED:
967 		return (dgettext(TEXT_DOMAIN, "User password has expired"));
968 	case PAM_SESSION_ERR:
969 		return (dgettext(TEXT_DOMAIN,
970 		    "Can not make/remove entry for session"));
971 	case PAM_AUTHTOK_ERR:
972 		return (dgettext(TEXT_DOMAIN,
973 		    "Authentication token manipulation error"));
974 	case PAM_AUTHTOK_RECOVERY_ERR:
975 		return (dgettext(TEXT_DOMAIN,
976 		    "Authentication token can not be recovered"));
977 	case PAM_AUTHTOK_LOCK_BUSY:
978 		return (dgettext(TEXT_DOMAIN,
979 		    "Authentication token lock busy"));
980 	case PAM_AUTHTOK_DISABLE_AGING:
981 		return (dgettext(TEXT_DOMAIN,
982 		    "Authentication token aging disabled"));
983 	case PAM_NO_MODULE_DATA:
984 		return (dgettext(TEXT_DOMAIN,
985 		    "Module specific data not found"));
986 	case PAM_IGNORE:
987 		return (dgettext(TEXT_DOMAIN, "Ignore module"));
988 	case PAM_ABORT:
989 		return (dgettext(TEXT_DOMAIN, "General PAM failure "));
990 	case PAM_TRY_AGAIN:
991 		return (dgettext(TEXT_DOMAIN,
992 		    "Unable to complete operation. Try again"));
993 	default:
994 		return (dgettext(TEXT_DOMAIN, "Unknown error"));
995 	}
996 }
997 
998 static void *
999 sm_name(int ind)
1000 {
1001 	switch (ind) {
1002 	case PAM_AUTHENTICATE:
1003 		return (PAM_SM_AUTHENTICATE);
1004 	case PAM_SETCRED:
1005 		return (PAM_SM_SETCRED);
1006 	case PAM_ACCT_MGMT:
1007 		return (PAM_SM_ACCT_MGMT);
1008 	case PAM_OPEN_SESSION:
1009 		return (PAM_SM_OPEN_SESSION);
1010 	case PAM_CLOSE_SESSION:
1011 		return (PAM_SM_CLOSE_SESSION);
1012 	case PAM_CHAUTHTOK:
1013 		return (PAM_SM_CHAUTHTOK);
1014 	}
1015 	return (NULL);
1016 }
1017 
1018 static int
1019 (*func(pamtab_t *modulep, int ind))()
1020 {
1021 	void	*funcp;
1022 
1023 	if ((funcp = modulep->function_ptr) == NULL)
1024 		return (NULL);
1025 
1026 	switch (ind) {
1027 	case PAM_AUTHENTICATE:
1028 		return (((struct auth_module *)funcp)->pam_sm_authenticate);
1029 	case PAM_SETCRED:
1030 		return (((struct auth_module *)funcp)->pam_sm_setcred);
1031 	case PAM_ACCT_MGMT:
1032 		return (((struct account_module *)funcp)->pam_sm_acct_mgmt);
1033 	case PAM_OPEN_SESSION:
1034 		return (((struct session_module *)funcp)->pam_sm_open_session);
1035 	case PAM_CLOSE_SESSION:
1036 		return (((struct session_module *)funcp)->pam_sm_close_session);
1037 	case PAM_CHAUTHTOK:
1038 		return (((struct password_module *)funcp)->pam_sm_chauthtok);
1039 	}
1040 	return (NULL);
1041 }
1042 
1043 /*
1044  * Run through the PAM service module stack for the given module type.
1045  */
1046 static int
1047 run_stack(pam_handle_t *pamh, int flags, int type, int def_err, int ind,
1048     char *function_name)
1049 {
1050 	int	err = PAM_SYSTEM_ERR;  /* preset */
1051 	int	optional_error = 0;
1052 	int	required_error = 0;
1053 	int	success = 0;
1054 	pamtab_t *modulep;
1055 	int	(*sm_func)();
1056 
1057 	if (pamh == NULL)
1058 		return (PAM_SYSTEM_ERR);
1059 
1060 	/* read initial entries from pam.conf */
1061 	if ((err = read_pam_conf(pamh, PAM_CONFIG)) != PAM_SUCCESS) {
1062 		return (err);
1063 	}
1064 
1065 	if ((modulep =
1066 	    pamh->pam_conf_info[pamh->include_depth][type]) == NULL) {
1067 		__pam_log(LOG_AUTH | LOG_ERR, "%s no initial module present",
1068 		    pam_trace_cname(pamh));
1069 		goto exit_return;
1070 	}
1071 
1072 	pamh->pam_inmodule = WO_OK;	/* OK to get AUTHTOK */
1073 include:
1074 	pam_trace(PAM_DEBUG_MODULE,
1075 	    "[%d:%s]:run_stack:%s(%p, %x): %s", pamh->include_depth,
1076 	    pam_trace_cname(pamh), function_name, (void *)pamh, flags,
1077 	    modulep ? modulep->module_path : "NULL");
1078 
1079 	while (modulep != NULL) {
1080 		if (modulep->pam_flag & PAM_INCLUDE) {
1081 			/* save the return location */
1082 			pamh->pam_conf_modulep[pamh->include_depth] =
1083 			    modulep->next;
1084 			pam_trace(PAM_DEBUG_MODULE,
1085 			    "setting for include[%d:%p]",
1086 			    pamh->include_depth, (void *)modulep->next);
1087 			if (pamh->include_depth++ >= PAM_MAX_INCLUDE) {
1088 				__pam_log(LOG_AUTH | LOG_ERR,
1089 				    "run_stack: includes too deep %d "
1090 				    "found trying to include %s from %s, %d "
1091 				    "allowed", pamh->include_depth,
1092 				    modulep->module_path, pamh->pam_conf_name
1093 				    [PAM_MAX_INCLUDE] == NULL ? "NULL" :
1094 				    pamh->pam_conf_name[PAM_MAX_INCLUDE],
1095 				    PAM_MAX_INCLUDE);
1096 				goto exit_return;
1097 			}
1098 			if ((err = read_pam_conf(pamh,
1099 			    modulep->module_path)) != PAM_SUCCESS) {
1100 				__pam_log(LOG_AUTH | LOG_ERR,
1101 				    "run_stack[%d:%s]: can't read included "
1102 				    "conf %s", pamh->include_depth,
1103 				    pam_trace_cname(pamh),
1104 				    modulep->module_path);
1105 				goto exit_return;
1106 			}
1107 			if ((modulep = pamh->pam_conf_info
1108 			    [pamh->include_depth][type]) == NULL) {
1109 				__pam_log(LOG_AUTH | LOG_ERR,
1110 				    "run_stack[%d:%s]: no include module "
1111 				    "present %s", pamh->include_depth,
1112 				    pam_trace_cname(pamh), function_name);
1113 				goto exit_return;
1114 			}
1115 			if (modulep->pam_flag & PAM_INCLUDE) {
1116 				/* first line another include */
1117 				goto include;
1118 			}
1119 			pam_trace(PAM_DEBUG_DEFAULT, "include[%d:%s]"
1120 			    "(%p, %s)=%s", pamh->include_depth,
1121 			    pam_trace_cname(pamh), (void *)pamh,
1122 			    function_name, modulep->module_path);
1123 			if ((err = load_modules(pamh, type, sm_name(ind),
1124 			    pamh->pam_conf_info
1125 			    [pamh->include_depth][type])) != PAM_SUCCESS) {
1126 				pam_trace(PAM_DEBUG_DEFAULT,
1127 				    "[%d:%s]:%s(%p, %x): load_modules failed",
1128 				    pamh->include_depth, pam_trace_cname(pamh),
1129 				    function_name, (void *)pamh, flags);
1130 				goto exit_return;
1131 			}
1132 			if ((modulep = pamh->pam_conf_info
1133 			    [pamh->include_depth][type]) == NULL) {
1134 				__pam_log(LOG_AUTH | LOG_ERR,
1135 				    "%s no initial module present",
1136 				    pam_trace_cname(pamh));
1137 				goto exit_return;
1138 			}
1139 		} else if ((err = load_modules(pamh, type, sm_name(ind),
1140 		    modulep)) != PAM_SUCCESS) {
1141 			pam_trace(PAM_DEBUG_DEFAULT,
1142 			    "[%d:%s]:%s(%p, %x): load_modules failed",
1143 			    pamh->include_depth, pam_trace_cname(pamh),
1144 			    function_name, (void *)pamh, flags);
1145 			goto exit_return;
1146 		}  /* PAM_INCLUDE */
1147 		sm_func = func(modulep, ind);
1148 		if (sm_func) {
1149 			err = sm_func(pamh, flags, modulep->module_argc,
1150 			    (const char **)modulep->module_argv);
1151 
1152 			pam_trace(PAM_DEBUG_MODULE,
1153 			    "[%d:%s]:%s(%p, %x): %s returned %s",
1154 			    pamh->include_depth, pam_trace_cname(pamh),
1155 			    function_name, (void *)pamh, flags,
1156 			    modulep->module_path, pam_strerror(pamh, err));
1157 
1158 			switch (err) {
1159 			case PAM_IGNORE:
1160 				/* do nothing */
1161 				break;
1162 			case PAM_SUCCESS:
1163 				if ((modulep->pam_flag & PAM_SUFFI_BIND) &&
1164 				    !required_error) {
1165 					pamh->pam_inmodule = RW_OK;
1166 					pam_trace(PAM_DEBUG_MODULE,
1167 					    "[%d:%s]:%s(%p, %x): %s: success",
1168 					    pamh->include_depth,
1169 					    pam_trace_cname(pamh),
1170 					    function_name, (void *)pamh, flags,
1171 					    (modulep->pam_flag & PAM_BINDING) ?
1172 					    PAM_BINDING_NAME :
1173 					    PAM_SUFFICIENT_NAME);
1174 					goto exit_return;
1175 				}
1176 				success = 1;
1177 				break;
1178 			case PAM_TRY_AGAIN:
1179 				/*
1180 				 * We need to return immediately, and
1181 				 * we shouldn't reset the AUTHTOK item
1182 				 * since it is not an error per-se.
1183 				 */
1184 				pamh->pam_inmodule = RW_OK;
1185 				pam_trace(PAM_DEBUG_MODULE,
1186 				    "[%d:%s]:%s(%p, %x): TRY_AGAIN: %s",
1187 				    pamh->include_depth, pam_trace_cname(pamh),
1188 				    function_name, (void *)pamh, flags,
1189 				    pam_strerror(pamh, required_error ?
1190 				    required_error : err));
1191 				err = required_error ? required_error : err;
1192 				goto exit_return;
1193 			default:
1194 				if (modulep->pam_flag & PAM_REQUISITE) {
1195 					pamh->pam_inmodule = RW_OK;
1196 					pam_trace(PAM_DEBUG_MODULE,
1197 					    "[%d:%s]:%s(%p, %x): requisite: %s",
1198 					    pamh->include_depth,
1199 					    pam_trace_cname(pamh),
1200 					    function_name, (void *)pamh, flags,
1201 					    pam_strerror(pamh,
1202 					    required_error ? required_error :
1203 					    err));
1204 					err = required_error ?
1205 					    required_error : err;
1206 					goto exit_return;
1207 				} else if (modulep->pam_flag & PAM_REQRD_BIND) {
1208 					if (!required_error)
1209 						required_error = err;
1210 				} else {
1211 					if (!optional_error)
1212 						optional_error = err;
1213 				}
1214 				pam_trace(PAM_DEBUG_DEFAULT,
1215 				    "[%d:%s]:%s(%p, %x): error %s",
1216 				    pamh->include_depth, pam_trace_cname(pamh),
1217 				    function_name, (void *)pamh, flags,
1218 				    pam_strerror(pamh, err));
1219 				break;
1220 			}
1221 		}
1222 		modulep = modulep->next;
1223 	}
1224 
1225 	pam_trace(PAM_DEBUG_MODULE, "[%d:%s]:stack_end:%s(%p, %x): %s %s: %s",
1226 	    pamh->include_depth, pam_trace_cname(pamh), function_name,
1227 	    (void *)pamh, flags, pamh->include_depth ? "included" : "final",
1228 	    required_error ? "required" : success ? "success" :
1229 	    optional_error ? "optional" : "default",
1230 	    pam_strerror(pamh, required_error ? required_error :
1231 	    success ? PAM_SUCCESS : optional_error ? optional_error : def_err));
1232 	if (pamh->include_depth > 0) {
1233 		free_pam_conf_info(pamh);
1234 		pamh->include_depth--;
1235 		/* continue at next entry */
1236 		modulep = pamh->pam_conf_modulep[pamh->include_depth];
1237 		pam_trace(PAM_DEBUG_MODULE, "looping for include[%d:%p]",
1238 		    pamh->include_depth, (void *)modulep);
1239 		goto include;
1240 	}
1241 	free_pam_conf_info(pamh);
1242 	pamh->pam_inmodule = RW_OK;
1243 	if (required_error != 0)
1244 		return (required_error);
1245 	else if (success != 0)
1246 		return (PAM_SUCCESS);
1247 	else if (optional_error != 0)
1248 		return (optional_error);
1249 	else
1250 		return (def_err);
1251 
1252 exit_return:
1253 	/*
1254 	 * All done at whatever depth we're at.
1255 	 * Go back to not having read /etc/pam.conf
1256 	 */
1257 	while (pamh->include_depth > 0) {
1258 		free_pam_conf_info(pamh);
1259 		pamh->include_depth--;
1260 	}
1261 	free_pam_conf_info(pamh);
1262 	pamh->pam_inmodule = RW_OK;
1263 	return (err);
1264 }
1265 
1266 /*
1267  * pam_authenticate - authenticate a user
1268  */
1269 
1270 int
1271 pam_authenticate(pam_handle_t *pamh, int flags)
1272 {
1273 	int	retval;
1274 
1275 	retval = run_stack(pamh, flags, PAM_AUTH_MODULE, PAM_AUTH_ERR,
1276 	    PAM_AUTHENTICATE, "pam_authenticate");
1277 
1278 	if (retval != PAM_SUCCESS)
1279 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1280 	return (retval);
1281 }
1282 
1283 /*
1284  * pam_setcred - modify or retrieve user credentials
1285  */
1286 
1287 int
1288 pam_setcred(pam_handle_t *pamh, int flags)
1289 {
1290 	int	retval;
1291 
1292 	retval = run_stack(pamh, flags, PAM_AUTH_MODULE, PAM_CRED_ERR,
1293 	    PAM_SETCRED, "pam_setcred");
1294 
1295 	if (retval != PAM_SUCCESS)
1296 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1297 	return (retval);
1298 }
1299 
1300 /*
1301  * pam_acct_mgmt - check password aging, account expiration
1302  */
1303 
1304 int
1305 pam_acct_mgmt(pam_handle_t *pamh, int flags)
1306 {
1307 	int	retval;
1308 
1309 	retval = run_stack(pamh, flags, PAM_ACCOUNT_MODULE, PAM_ACCT_EXPIRED,
1310 	    PAM_ACCT_MGMT, "pam_acct_mgmt");
1311 
1312 	if (retval != PAM_SUCCESS &&
1313 	    retval != PAM_NEW_AUTHTOK_REQD) {
1314 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1315 	}
1316 	return (retval);
1317 }
1318 
1319 /*
1320  * pam_open_session - begin session management
1321  */
1322 
1323 int
1324 pam_open_session(pam_handle_t *pamh, int flags)
1325 {
1326 	int	retval;
1327 
1328 	retval = run_stack(pamh, flags, PAM_SESSION_MODULE, PAM_SESSION_ERR,
1329 	    PAM_OPEN_SESSION, "pam_open_session");
1330 
1331 	if (retval != PAM_SUCCESS)
1332 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1333 	return (retval);
1334 }
1335 
1336 /*
1337  * pam_close_session - terminate session management
1338  */
1339 
1340 int
1341 pam_close_session(pam_handle_t *pamh, int flags)
1342 {
1343 	int	retval;
1344 
1345 	retval = run_stack(pamh, flags, PAM_SESSION_MODULE, PAM_SESSION_ERR,
1346 	    PAM_CLOSE_SESSION, "pam_close_session");
1347 
1348 	if (retval != PAM_SUCCESS)
1349 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1350 	return (retval);
1351 }
1352 
1353 /*
1354  * pam_chauthtok - change user authentication token
1355  */
1356 
1357 int
1358 pam_chauthtok(pam_handle_t *pamh, int flags)
1359 {
1360 	int	retval;
1361 
1362 	/* do not let apps use PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK */
1363 	if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) {
1364 		pam_trace(PAM_DEBUG_DEFAULT,
1365 		    "pam_chauthtok(%p, %x): %s", (void *)pamh, flags,
1366 		    pam_strerror(pamh, PAM_SYMBOL_ERR));
1367 		return (PAM_SYMBOL_ERR);
1368 	}
1369 
1370 	/* 1st pass: PRELIM CHECK */
1371 	retval = run_stack(pamh, flags | PAM_PRELIM_CHECK, PAM_PASSWORD_MODULE,
1372 	    PAM_AUTHTOK_ERR, PAM_CHAUTHTOK, "pam_chauthtok-prelim");
1373 
1374 	if (retval == PAM_TRY_AGAIN)
1375 		return (retval);
1376 
1377 	if (retval != PAM_SUCCESS) {
1378 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1379 		return (retval);
1380 	}
1381 
1382 	/* 2nd pass: UPDATE AUTHTOK */
1383 	retval = run_stack(pamh, flags | PAM_UPDATE_AUTHTOK,
1384 	    PAM_PASSWORD_MODULE, PAM_AUTHTOK_ERR, PAM_CHAUTHTOK,
1385 	    "pam_chauthtok-update");
1386 
1387 	if (retval != PAM_SUCCESS)
1388 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1389 
1390 	return (retval);
1391 }
1392 
1393 /*
1394  * pam_putenv - add an environment variable to the PAM handle
1395  *	if name_value == 'NAME=VALUE'	then set variable to the value
1396  *	if name_value == 'NAME='	then set variable to an empty value
1397  *	if name_value == 'NAME'		then delete the variable
1398  */
1399 
1400 int
1401 pam_putenv(pam_handle_t *pamh, const char *name_value)
1402 {
1403 	int		error = PAM_SYSTEM_ERR;
1404 	char		*equal_sign = 0;
1405 	char		*name = NULL, *value = NULL, *tmp_value = NULL;
1406 	env_list	*traverse, *trail;
1407 
1408 	pam_trace(PAM_DEBUG_DEFAULT,
1409 	    "pam_putenv(%p, %s)", (void *)pamh,
1410 	    name_value ? name_value : "NULL");
1411 
1412 	if (pamh == NULL || name_value == NULL)
1413 		goto out;
1414 
1415 	/* see if we were passed 'NAME=VALUE', 'NAME=', or 'NAME' */
1416 	if ((equal_sign = strchr(name_value, '=')) != 0) {
1417 		if ((name = (char *)calloc(equal_sign - name_value + 1,
1418 		    sizeof (char))) == 0) {
1419 			error = PAM_BUF_ERR;
1420 			goto out;
1421 		}
1422 		(void) strncpy(name, name_value, equal_sign - name_value);
1423 		if ((value = strdup(++equal_sign)) == 0) {
1424 			error = PAM_BUF_ERR;
1425 			goto out;
1426 		}
1427 	} else {
1428 		if ((name = strdup(name_value)) == 0) {
1429 			error = PAM_BUF_ERR;
1430 			goto out;
1431 		}
1432 	}
1433 
1434 	/* check to see if we already have this variable in the PAM handle */
1435 	traverse = pamh->pam_env;
1436 	trail = traverse;
1437 	while (traverse && strncmp(traverse->name, name, strlen(name))) {
1438 		trail = traverse;
1439 		traverse = traverse->next;
1440 	}
1441 
1442 	if (traverse) {
1443 		/* found a match */
1444 		if (value == 0) {
1445 			/* remove the env variable */
1446 			if (pamh->pam_env == traverse)
1447 				pamh->pam_env = traverse->next;
1448 			else
1449 				trail->next = traverse->next;
1450 			free_env(traverse);
1451 		} else if (strlen(value) == 0) {
1452 			/* set env variable to empty value */
1453 			if ((tmp_value = strdup("")) == 0) {
1454 				error = PAM_SYSTEM_ERR;
1455 				goto out;
1456 			}
1457 			free(traverse->value);
1458 			traverse->value = tmp_value;
1459 		} else {
1460 			/* set the new value */
1461 			if ((tmp_value = strdup(value)) == 0) {
1462 				error = PAM_SYSTEM_ERR;
1463 				goto out;
1464 			}
1465 			free(traverse->value);
1466 			traverse->value = tmp_value;
1467 		}
1468 
1469 	} else if (traverse == 0 && value) {
1470 		/*
1471 		 * could not find a match in the PAM handle.
1472 		 * add the new value if there is one
1473 		 */
1474 		if ((traverse = (env_list *)calloc
1475 					(1,
1476 					sizeof (env_list))) == 0) {
1477 			error = PAM_BUF_ERR;
1478 			goto out;
1479 		}
1480 		if ((traverse->name = strdup(name)) == 0) {
1481 			free_env(traverse);
1482 			error = PAM_BUF_ERR;
1483 			goto out;
1484 		}
1485 		if ((traverse->value = strdup(value)) == 0) {
1486 			free_env(traverse);
1487 			error = PAM_BUF_ERR;
1488 			goto out;
1489 		}
1490 		if (trail == 0) {
1491 			/* new head of list */
1492 			pamh->pam_env = traverse;
1493 		} else {
1494 			/* adding to end of list */
1495 			trail->next = traverse;
1496 		}
1497 	}
1498 
1499 	error = PAM_SUCCESS;
1500 out:
1501 	if (error != PAM_SUCCESS) {
1502 		if (traverse) {
1503 			if (traverse->name)
1504 				free(traverse->name);
1505 			if (traverse->value)
1506 				free(traverse->value);
1507 			free(traverse);
1508 		}
1509 	}
1510 	if (name)
1511 		free(name);
1512 	if (value)
1513 		free(value);
1514 	return (error);
1515 }
1516 
1517 /*
1518  * pam_getenv - retrieve an environment variable from the PAM handle
1519  */
1520 char *
1521 pam_getenv(pam_handle_t *pamh, const char *name)
1522 {
1523 	int		error = PAM_SYSTEM_ERR;
1524 	env_list	*traverse;
1525 
1526 	pam_trace(PAM_DEBUG_DEFAULT,
1527 	    "pam_getenv(%p, %p)", (void *)pamh, (void *)name);
1528 
1529 	if (pamh == NULL || name == NULL)
1530 		goto out;
1531 
1532 	/* check to see if we already have this variable in the PAM handle */
1533 	traverse = pamh->pam_env;
1534 	while (traverse && strncmp(traverse->name, name, strlen(name))) {
1535 		traverse = traverse->next;
1536 	}
1537 	error = (traverse ? PAM_SUCCESS : PAM_SYSTEM_ERR);
1538 	pam_trace(PAM_DEBUG_DEFAULT,
1539 	    "pam_getenv(%p, %s)=%s", (void *)pamh, name,
1540 	    traverse ? traverse->value : "NULL");
1541 out:
1542 	return (error ? NULL : strdup(traverse->value));
1543 }
1544 
1545 /*
1546  * pam_getenvlist - retrieve all environment variables from the PAM handle
1547  */
1548 char **
1549 pam_getenvlist(pam_handle_t *pamh)
1550 {
1551 	int		error = PAM_SYSTEM_ERR;
1552 	char		**list = 0;
1553 	int		length = 0;
1554 	env_list	*traverse;
1555 	char		env_buf[1024];
1556 
1557 	pam_trace(PAM_DEBUG_DEFAULT,
1558 	    "pam_getenvlist(%p)", (void *)pamh);
1559 
1560 	if (pamh == NULL)
1561 		goto out;
1562 
1563 	/* find out how many environment variables we have */
1564 	traverse = pamh->pam_env;
1565 	while (traverse) {
1566 		length++;
1567 		traverse = traverse->next;
1568 	}
1569 
1570 	/* allocate the array we will return to the caller */
1571 	if ((list = (char **)calloc(length + 1, sizeof (char *))) == 0) {
1572 		error = PAM_BUF_ERR;
1573 		goto out;
1574 	}
1575 
1576 	/* add the variables one by one */
1577 	length = 0;
1578 	traverse = pamh->pam_env;
1579 	while (traverse) {
1580 		(void) snprintf(env_buf, sizeof (env_buf), "%s=%s",
1581 		    traverse->name, traverse->value);
1582 		if ((list[length] = strdup(env_buf)) == 0) {
1583 			error = PAM_BUF_ERR;
1584 			goto out;
1585 		}
1586 		length++;
1587 		traverse = traverse->next;
1588 	}
1589 
1590 	/* null terminate the list */
1591 	list[length] = 0;
1592 
1593 	error = PAM_SUCCESS;
1594 out:
1595 	if (error != PAM_SUCCESS) {
1596 		/* free the partially constructed list */
1597 		if (list) {
1598 			length = 0;
1599 			while (list[length] != NULL) {
1600 				free(list[length]);
1601 				length++;
1602 			}
1603 			free(list);
1604 		}
1605 	}
1606 	return (error ? NULL : list);
1607 }
1608 
1609 /*
1610  * Routines to load a requested module on demand
1611  */
1612 
1613 /*
1614  * load_modules - load the requested module.
1615  *		  if the dlopen or dlsym fail, then
1616  *		  the module is ignored.
1617  */
1618 
1619 static int
1620 load_modules(pam_handle_t *pamh, int type, char *function_name,
1621     pamtab_t *pam_entry)
1622 {
1623 	void	*mh;
1624 	struct	auth_module *authp;
1625 	struct	account_module *accountp;
1626 	struct	session_module *sessionp;
1627 	struct	password_module *passwdp;
1628 	int	loading_functions = 0; /* are we currently loading functions? */
1629 
1630 	pam_trace(PAM_DEBUG_MODULE, "load_modules[%d:%s](%p, %s)=%s:%s",
1631 		pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
1632 		function_name, pam_trace_fname(pam_entry->pam_flag),
1633 		pam_entry->module_path);
1634 
1635 	while (pam_entry != NULL) {
1636 		pam_trace(PAM_DEBUG_DEFAULT,
1637 		    "while load_modules[%d:%s](%p, %s)=%s",
1638 		    pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
1639 		    function_name, pam_entry->module_path);
1640 
1641 		if (pam_entry->pam_flag & PAM_INCLUDE) {
1642 			pam_trace(PAM_DEBUG_DEFAULT,
1643 			    "done load_modules[%d:%s](%p, %s)=%s",
1644 			    pamh->include_depth, pam_trace_cname(pamh),
1645 			    (void *)pamh, function_name,
1646 			    pam_entry->module_path);
1647 			return (PAM_SUCCESS);
1648 		}
1649 		switch (type) {
1650 		case PAM_AUTH_MODULE:
1651 
1652 			/* if the function has already been loaded, return */
1653 			authp = pam_entry->function_ptr;
1654 			if (!loading_functions &&
1655 				(((strcmp(function_name, PAM_SM_AUTHENTICATE)
1656 				== 0) &&
1657 				authp && authp->pam_sm_authenticate) ||
1658 				((strcmp(function_name, PAM_SM_SETCRED) == 0) &&
1659 				authp && authp->pam_sm_setcred))) {
1660 				return (PAM_SUCCESS);
1661 			}
1662 
1663 			/* function has not been loaded yet */
1664 			loading_functions = 1;
1665 			if (authp == NULL) {
1666 				authp = (struct auth_module *)calloc(1,
1667 				    sizeof (struct auth_module));
1668 				if (authp == NULL)
1669 					return (PAM_BUF_ERR);
1670 			}
1671 
1672 			/* if open_module fails, return error */
1673 			if ((mh = open_module(pamh,
1674 			    pam_entry->module_path)) == NULL) {
1675 				__pam_log(LOG_AUTH | LOG_ERR,
1676 				    "load_modules[%d:%s]: can not open module "
1677 				    "%s", pamh->include_depth,
1678 				    pam_trace_cname(pamh),
1679 				    pam_entry->module_path);
1680 				free(authp);
1681 				return (PAM_OPEN_ERR);
1682 			}
1683 
1684 			/* load the authentication function */
1685 			if (strcmp(function_name, PAM_SM_AUTHENTICATE) == 0) {
1686 				if (load_function(mh, PAM_SM_AUTHENTICATE,
1687 				    &authp->pam_sm_authenticate)
1688 				    != PAM_SUCCESS) {
1689 					/* return error if dlsym fails */
1690 					free(authp);
1691 					return (PAM_SYMBOL_ERR);
1692 				}
1693 
1694 			/* load the setcred function */
1695 			} else if (strcmp(function_name, PAM_SM_SETCRED) == 0) {
1696 				if (load_function(mh, PAM_SM_SETCRED,
1697 				    &authp->pam_sm_setcred) != PAM_SUCCESS) {
1698 					/* return error if dlsym fails */
1699 					free(authp);
1700 					return (PAM_SYMBOL_ERR);
1701 				}
1702 			}
1703 			pam_entry->function_ptr = authp;
1704 			break;
1705 		case PAM_ACCOUNT_MODULE:
1706 			accountp = pam_entry->function_ptr;
1707 			if (!loading_functions &&
1708 			    (strcmp(function_name, PAM_SM_ACCT_MGMT) == 0) &&
1709 			    accountp && accountp->pam_sm_acct_mgmt) {
1710 				return (PAM_SUCCESS);
1711 			}
1712 
1713 			/*
1714 			 * If functions are added to the account module,
1715 			 * verify that one of the other functions hasn't
1716 			 * already loaded it.  See PAM_AUTH_MODULE code.
1717 			 */
1718 			loading_functions = 1;
1719 			accountp = (struct account_module *)calloc(1,
1720 			    sizeof (struct account_module));
1721 			if (accountp == NULL)
1722 				return (PAM_BUF_ERR);
1723 
1724 			/* if open_module fails, return error */
1725 			if ((mh = open_module(pamh,
1726 			    pam_entry->module_path)) == NULL) {
1727 				__pam_log(LOG_AUTH | LOG_ERR,
1728 				    "load_modules[%d:%s]: can not open module "
1729 				    "%s", pamh->include_depth,
1730 				    pam_trace_cname(pamh),
1731 				    pam_entry->module_path);
1732 				free(accountp);
1733 				return (PAM_OPEN_ERR);
1734 			}
1735 
1736 			if (load_function(mh, PAM_SM_ACCT_MGMT,
1737 			    &accountp->pam_sm_acct_mgmt) != PAM_SUCCESS) {
1738 				__pam_log(LOG_AUTH | LOG_ERR,
1739 				    "load_modules[%d:%s]: pam_sm_acct_mgmt() "
1740 				    "missing", pamh->include_depth,
1741 				    pam_trace_cname(pamh));
1742 				free(accountp);
1743 				return (PAM_SYMBOL_ERR);
1744 			}
1745 			pam_entry->function_ptr = accountp;
1746 			break;
1747 		case PAM_SESSION_MODULE:
1748 			sessionp = pam_entry->function_ptr;
1749 			if (!loading_functions &&
1750 			    (((strcmp(function_name,
1751 			    PAM_SM_OPEN_SESSION) == 0) &&
1752 			    sessionp && sessionp->pam_sm_open_session) ||
1753 			    ((strcmp(function_name,
1754 			    PAM_SM_CLOSE_SESSION) == 0) &&
1755 			    sessionp && sessionp->pam_sm_close_session))) {
1756 				return (PAM_SUCCESS);
1757 			}
1758 
1759 			loading_functions = 1;
1760 			if (sessionp == NULL) {
1761 				sessionp = (struct session_module *)
1762 				    calloc(1, sizeof (struct session_module));
1763 				if (sessionp == NULL)
1764 					return (PAM_BUF_ERR);
1765 			}
1766 
1767 			/* if open_module fails, return error */
1768 			if ((mh = open_module(pamh,
1769 			    pam_entry->module_path)) == NULL) {
1770 				__pam_log(LOG_AUTH | LOG_ERR,
1771 				    "load_modules[%d:%s]: can not open module "
1772 				    "%s", pamh->include_depth,
1773 				    pam_trace_cname(pamh),
1774 				    pam_entry->module_path);
1775 				free(sessionp);
1776 				return (PAM_OPEN_ERR);
1777 			}
1778 
1779 			if ((strcmp(function_name, PAM_SM_OPEN_SESSION) == 0) &&
1780 			    load_function(mh, PAM_SM_OPEN_SESSION,
1781 				&sessionp->pam_sm_open_session)
1782 				!= PAM_SUCCESS) {
1783 				free(sessionp);
1784 				return (PAM_SYMBOL_ERR);
1785 			} else if ((strcmp(function_name,
1786 					PAM_SM_CLOSE_SESSION) == 0) &&
1787 				    load_function(mh, PAM_SM_CLOSE_SESSION,
1788 					&sessionp->pam_sm_close_session)
1789 					!= PAM_SUCCESS) {
1790 				free(sessionp);
1791 				return (PAM_SYMBOL_ERR);
1792 			}
1793 			pam_entry->function_ptr = sessionp;
1794 			break;
1795 		case PAM_PASSWORD_MODULE:
1796 			passwdp = pam_entry->function_ptr;
1797 			if (!loading_functions &&
1798 			    (strcmp(function_name, PAM_SM_CHAUTHTOK) == 0) &&
1799 			    passwdp && passwdp->pam_sm_chauthtok) {
1800 				return (PAM_SUCCESS);
1801 			}
1802 
1803 			/*
1804 			 * If functions are added to the password module,
1805 			 * verify that one of the other functions hasn't
1806 			 * already loaded it.  See PAM_AUTH_MODULE code.
1807 			 */
1808 			loading_functions = 1;
1809 			passwdp = (struct password_module *)
1810 				calloc(1, sizeof (struct password_module));
1811 			if (passwdp == NULL)
1812 				return (PAM_BUF_ERR);
1813 
1814 			/* if open_module fails, continue */
1815 			if ((mh = open_module(pamh,
1816 			    pam_entry->module_path)) == NULL) {
1817 				__pam_log(LOG_AUTH | LOG_ERR,
1818 				    "load_modules[%d:%s]: can not open module "
1819 				    "%s", pamh->include_depth,
1820 				    pam_trace_cname(pamh),
1821 				    pam_entry->module_path);
1822 				free(passwdp);
1823 				return (PAM_OPEN_ERR);
1824 			}
1825 
1826 			if (load_function(mh, PAM_SM_CHAUTHTOK,
1827 			    &passwdp->pam_sm_chauthtok) != PAM_SUCCESS) {
1828 				free(passwdp);
1829 				return (PAM_SYMBOL_ERR);
1830 			}
1831 			pam_entry->function_ptr = passwdp;
1832 			break;
1833 		default:
1834 			pam_trace(PAM_DEBUG_DEFAULT,
1835 			    "load_modules[%d:%s](%p, %s): unsupported type %d",
1836 			    pamh->include_depth, pam_trace_cname(pamh),
1837 			    (void *)pamh, function_name, type);
1838 			break;
1839 		}
1840 
1841 		pam_entry = pam_entry->next;
1842 	} /* while */
1843 
1844 	pam_trace(PAM_DEBUG_MODULE, "load_modules[%d:%s](%p, %s)=done",
1845 	    pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
1846 	    function_name);
1847 
1848 	return (PAM_SUCCESS);
1849 }
1850 
1851 /*
1852  * open_module		- Open the module first checking for
1853  *			  propers modes and ownerships on the file.
1854  */
1855 
1856 static void *
1857 open_module(pam_handle_t *pamh, char *module_so)
1858 {
1859 	struct stat64	stb;
1860 	char		*errmsg;
1861 	void		*lfd;
1862 	fd_list		*module_fds = 0;
1863 	fd_list		*trail = 0;
1864 	fd_list		*traverse = 0;
1865 
1866 	/* Check the ownership and file modes */
1867 	if (stat64(module_so, &stb) < 0) {
1868 		__pam_log(LOG_AUTH | LOG_ERR,
1869 		    "open_module[%d:%s]: stat(%s) failed: %s",
1870 		    pamh->include_depth, pam_trace_cname(pamh), module_so,
1871 		    strerror(errno));
1872 		return (NULL);
1873 	}
1874 	if (stb.st_uid != (uid_t)0) {
1875 		__pam_log(LOG_AUTH | LOG_ALERT,
1876 		    "open_module[%d:%s]: Owner of the module %s is not root",
1877 		    pamh->include_depth, pam_trace_cname(pamh), module_so);
1878 		return (NULL);
1879 	}
1880 	if (stb.st_mode & S_IWGRP) {
1881 		__pam_log(LOG_AUTH | LOG_ALERT,
1882 		    "open_module[%d:%s]: module %s writable by group",
1883 		    pamh->include_depth, pam_trace_cname(pamh), module_so);
1884 		return (NULL);
1885 	}
1886 	if (stb.st_mode & S_IWOTH) {
1887 		__pam_log(LOG_AUTH | LOG_ALERT,
1888 		    "open_module[%d:%s]: module %s writable by world",
1889 		    pamh->include_depth, pam_trace_cname(pamh), module_so);
1890 		return (NULL);
1891 	}
1892 
1893 	/*
1894 	 * Perform the dlopen()
1895 	 */
1896 	lfd = (void *)dlopen(module_so, RTLD_LAZY);
1897 
1898 	if (lfd == NULL) {
1899 		errmsg = dlerror();
1900 		__pam_log(LOG_AUTH | LOG_ERR, "open_module[%d:%s]: %s "
1901 		    "failed: %s", pamh->include_depth, pam_trace_cname(pamh),
1902 		    module_so, errmsg != NULL ? errmsg : "Unknown error");
1903 		return (NULL);
1904 	} else {
1905 		/* add this fd to the pam handle */
1906 		if ((module_fds = (fd_list *)calloc(1, sizeof (fd_list)))
1907 		    == 0) {
1908 			(void) dlclose(lfd);
1909 			lfd = 0;
1910 			return (NULL);
1911 		}
1912 		module_fds->mh = lfd;
1913 
1914 		if (pamh->fd == 0) {
1915 			/* adding new head of list */
1916 			pamh->fd = module_fds;
1917 		} else {
1918 			/* appending to end of list */
1919 			traverse = pamh->fd;
1920 			while (traverse) {
1921 				trail = traverse;
1922 				traverse = traverse->next;
1923 			}
1924 			trail->next = module_fds;
1925 		}
1926 	}
1927 
1928 	return (lfd);
1929 }
1930 
1931 /*
1932  * load_function - call dlsym() to resolve the function address
1933  */
1934 static int
1935 load_function(void *lfd, char *name, int (**func)())
1936 {
1937 	char *errmsg = NULL;
1938 
1939 	if (lfd == NULL)
1940 		return (PAM_SYMBOL_ERR);
1941 
1942 	*func = (int (*)())dlsym(lfd, name);
1943 	if (*func == NULL) {
1944 		errmsg = dlerror();
1945 		__pam_log(LOG_AUTH | LOG_ERR, "dlsym failed %s: error %s",
1946 		    name, errmsg != NULL ? errmsg : "Unknown error");
1947 		return (PAM_SYMBOL_ERR);
1948 	}
1949 
1950 	pam_trace(PAM_DEBUG_DEFAULT,
1951 	    "load_function: successful load of %s", name);
1952 	return (PAM_SUCCESS);
1953 }
1954 
1955 /*
1956  * Routines to read the pam.conf configuration file
1957  */
1958 
1959 /*
1960  * open_pam_conf - open the pam.conf config file
1961  */
1962 
1963 static int
1964 open_pam_conf(struct pam_fh **pam_fh, pam_handle_t *pamh, char *config)
1965 {
1966 	struct stat64	stb;
1967 	int		fd;
1968 
1969 	if ((fd = open(config, O_RDONLY)) == -1) {
1970 		__pam_log(LOG_AUTH | LOG_ALERT,
1971 		    "open_pam_conf[%d:%s]: open(%s) failed: %s",
1972 		    pamh->include_depth, pam_trace_cname(pamh), config,
1973 		    strerror(errno));
1974 		return (0);
1975 	}
1976 	/* Check the ownership and file modes */
1977 	if (fstat64(fd, &stb) < 0) {
1978 		__pam_log(LOG_AUTH | LOG_ALERT,
1979 		    "open_pam_conf[%d:%s]: stat(%s) failed: %s",
1980 		    pamh->include_depth, pam_trace_cname(pamh), config,
1981 		    strerror(errno));
1982 		(void) close(fd);
1983 		return (0);
1984 	}
1985 	if (stb.st_uid != (uid_t)0) {
1986 		__pam_log(LOG_AUTH | LOG_ALERT,
1987 		    "open_pam_conf[%d:%s]: Owner of %s is not root",
1988 		    pamh->include_depth, pam_trace_cname(pamh), config);
1989 		(void) close(fd);
1990 		return (0);
1991 	}
1992 	if (stb.st_mode & S_IWGRP) {
1993 		__pam_log(LOG_AUTH | LOG_ALERT,
1994 		    "open_pam_conf[%d:%s]: %s writable by group",
1995 		    pamh->include_depth, pam_trace_cname(pamh), config);
1996 		(void) close(fd);
1997 		return (0);
1998 	}
1999 	if (stb.st_mode & S_IWOTH) {
2000 		__pam_log(LOG_AUTH | LOG_ALERT,
2001 		    "open_pam_conf[%d:%s]: %s writable by world",
2002 		    pamh->include_depth, pam_trace_cname(pamh), config);
2003 		(void) close(fd);
2004 		return (0);
2005 	}
2006 	if ((*pam_fh = calloc(1, sizeof (struct pam_fh))) == NULL) {
2007 		(void) close(fd);
2008 		return (0);
2009 	}
2010 	(*pam_fh)->fconfig = fd;
2011 	(*pam_fh)->bufsize = (size_t)stb.st_size;
2012 	if (((*pam_fh)->data = mmap(0, (*pam_fh)->bufsize, PROT_READ,
2013 	    MAP_PRIVATE, (*pam_fh)->fconfig, 0)) == MAP_FAILED) {
2014 		(void) close(fd);
2015 		free (*pam_fh);
2016 		return (0);
2017 	}
2018 	(*pam_fh)->bufferp = (*pam_fh)->data;
2019 
2020 	return (1);
2021 }
2022 
2023 /*
2024  * close_pam_conf - close pam.conf
2025  */
2026 
2027 static void
2028 close_pam_conf(struct pam_fh *pam_fh)
2029 {
2030 	(void) munmap(pam_fh->data, pam_fh->bufsize);
2031 	(void) close(pam_fh->fconfig);
2032 	free(pam_fh);
2033 }
2034 
2035 /*
2036  * read_pam_conf - read in each entry in pam.conf and store info
2037  *		   under the pam handle.
2038  */
2039 
2040 static int
2041 read_pam_conf(pam_handle_t *pamh, char *config)
2042 {
2043 	struct pam_fh	*pam_fh;
2044 	pamtab_t	*pamentp;
2045 	pamtab_t	*tpament;
2046 	char		*service;
2047 	int		error;
2048 	int		i = pamh->include_depth;	/* include depth */
2049 	/*
2050 	 * service types:
2051 	 * error (-1), "auth" (0), "account" (1), "session" (2), "password" (3)
2052 	 */
2053 	int service_found[PAM_NUM_MODULE_TYPES+1] = {0, 0, 0, 0, 0};
2054 
2055 	(void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
2056 	if (service == NULL || *service == '\0') {
2057 		__pam_log(LOG_AUTH | LOG_ERR, "No service name");
2058 		return (PAM_SYSTEM_ERR);
2059 	}
2060 
2061 	pamh->pam_conf_name[i] = strdup(config);
2062 	pam_trace(PAM_DEBUG_CONF, "read_pam_conf[%d:%s](%p) open(%s)",
2063 	    i, pam_trace_cname(pamh), (void *)pamh, config);
2064 	if (open_pam_conf(&pam_fh, pamh, config) == 0) {
2065 		return (PAM_SYSTEM_ERR);
2066 	}
2067 
2068 	while ((error =
2069 	    get_pam_conf_entry(pam_fh, pamh, &pamentp)) == PAM_SUCCESS &&
2070 	    pamentp) {
2071 
2072 		/* See if entry is this service and valid */
2073 		if (verify_pam_conf(pamentp, service)) {
2074 			pam_trace(PAM_DEBUG_CONF,
2075 			    "read_pam_conf[%d:%s](%p): bad entry error %s",
2076 			    i, pam_trace_cname(pamh), (void *)pamh, service);
2077 
2078 			error = PAM_SYSTEM_ERR;
2079 			free_pamconf(pamentp);
2080 			goto out;
2081 		}
2082 		if (strcasecmp(pamentp->pam_service, service) == 0) {
2083 			pam_trace(PAM_DEBUG_CONF,
2084 			    "read_pam_conf[%d:%s](%p): processing %s",
2085 			    i, pam_trace_cname(pamh), (void *)pamh, service);
2086 			/* process first service entry */
2087 			if (service_found[pamentp->pam_type + 1] == 0) {
2088 				/* purge "other" entries */
2089 				while ((tpament = pamh->pam_conf_info[i]
2090 				    [pamentp->pam_type]) != NULL) {
2091 					pam_trace(PAM_DEBUG_CONF,
2092 					    "read_pam_conf(%p): purging "
2093 					    "\"other\"[%d:%s][%s]",
2094 					    (void *)pamh, i,
2095 					    pam_trace_cname(pamh),
2096 					    pam_snames[pamentp->pam_type]);
2097 					pamh->pam_conf_info[i]
2098 					    [pamentp->pam_type] = tpament->next;
2099 					free_pamconf(tpament);
2100 				}
2101 				/* add first service entry */
2102 				pam_trace(PAM_DEBUG_CONF,
2103 				    "read_pam_conf(%p): adding 1st "
2104 				    "%s[%d:%s][%s]",
2105 				    (void *)pamh, service, i,
2106 				    pam_trace_cname(pamh),
2107 				    pam_snames[pamentp->pam_type]);
2108 				pamh->pam_conf_info[i][pamentp->pam_type] =
2109 				    pamentp;
2110 				service_found[pamentp->pam_type + 1] = 1;
2111 			} else {
2112 				/* append more service entries */
2113 				pam_trace(PAM_DEBUG_CONF,
2114 				    "read_pam_conf(%p): adding more "
2115 				    "%s[%d:%s][%s]",
2116 				    (void *)pamh, service, i,
2117 				    pam_trace_cname(pamh),
2118 				    pam_snames[pamentp->pam_type]);
2119 				tpament =
2120 				    pamh->pam_conf_info[i][pamentp->pam_type];
2121 				while (tpament->next != NULL) {
2122 					tpament = tpament->next;
2123 				}
2124 				tpament->next = pamentp;
2125 			}
2126 		} else if (service_found[pamentp->pam_type + 1] == 0) {
2127 			/* See if "other" entry available and valid */
2128 			if (verify_pam_conf(pamentp, "other")) {
2129 				pam_trace(PAM_DEBUG_CONF,
2130 				    "read_pam_conf(%p): bad entry error %s "
2131 				    "\"other\"[%d:%s]",
2132 				    (void *)pamh, service, i,
2133 				    pam_trace_cname(pamh));
2134 				error = PAM_SYSTEM_ERR;
2135 				free_pamconf(pamentp);
2136 				goto out;
2137 			}
2138 			if (strcasecmp(pamentp->pam_service, "other") == 0) {
2139 				pam_trace(PAM_DEBUG_CONF,
2140 				    "read_pam_conf(%p): processing "
2141 				    "\"other\"[%d:%s]", (void *)pamh, i,
2142 				    pam_trace_cname(pamh));
2143 				if ((tpament = pamh->pam_conf_info[i]
2144 				    [pamentp->pam_type]) == NULL) {
2145 					/* add first "other" entry */
2146 					pam_trace(PAM_DEBUG_CONF,
2147 					    "read_pam_conf(%p): adding 1st "
2148 					    "other[%d:%s][%s]", (void *)pamh, i,
2149 					    pam_trace_cname(pamh),
2150 					    pam_snames[pamentp->pam_type]);
2151 					pamh->pam_conf_info[i]
2152 					    [pamentp->pam_type] = pamentp;
2153 				} else {
2154 					/* append more "other" entries */
2155 					pam_trace(PAM_DEBUG_CONF,
2156 					    "read_pam_conf(%p): adding more "
2157 					    "other[%d:%s][%s]", (void *)pamh, i,
2158 					    pam_trace_cname(pamh),
2159 					    pam_snames[pamentp->pam_type]);
2160 					while (tpament->next != NULL) {
2161 						tpament = tpament->next;
2162 					}
2163 					tpament->next = pamentp;
2164 				}
2165 			} else {
2166 				/* irrelevent entry */
2167 				free_pamconf(pamentp);
2168 			}
2169 		} else {
2170 			/* irrelevent entry */
2171 			free_pamconf(pamentp);
2172 		}
2173 	}
2174 out:
2175 	(void) close_pam_conf(pam_fh);
2176 	if (error != PAM_SUCCESS)
2177 		free_pam_conf_info(pamh);
2178 	return (error);
2179 }
2180 
2181 /*
2182  * get_pam_conf_entry - get a pam.conf entry
2183  */
2184 
2185 static int
2186 get_pam_conf_entry(struct pam_fh *pam_fh, pam_handle_t *pamh, pamtab_t **pam)
2187 {
2188 	char		*cp, *arg;
2189 	int		argc;
2190 	char		*tmp, *tmp_free;
2191 	int		i;
2192 	char		*current_line = NULL;
2193 	int		error = PAM_SYSTEM_ERR;	/* preset to error */
2194 	int		err;
2195 
2196 	/* get the next line from pam.conf */
2197 	if ((cp = nextline(pam_fh, pamh, &err)) == NULL) {
2198 		/* no more lines in pam.conf ==> return */
2199 		error = PAM_SUCCESS;
2200 		*pam = NULL;
2201 		goto out;
2202 	}
2203 
2204 	if ((*pam = (pamtab_t *)calloc(1, sizeof (pamtab_t))) == NULL) {
2205 		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2206 		goto out;
2207 	}
2208 
2209 	/* copy full line for error reporting */
2210 	if ((current_line = strdup(cp)) == NULL) {
2211 		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2212 		goto out;
2213 	}
2214 
2215 	pam_trace(PAM_DEBUG_CONF,
2216 	    "pam.conf[%s] entry:\t%s", pam_trace_cname(pamh), current_line);
2217 
2218 	/* get service name (e.g. login, su, passwd) */
2219 	if ((arg = read_next_token(&cp)) == 0) {
2220 		__pam_log(LOG_AUTH | LOG_CRIT,
2221 		    "illegal pam.conf[%s] entry: %s: missing SERVICE NAME",
2222 		    pam_trace_cname(pamh), current_line);
2223 		goto out;
2224 	}
2225 	if (((*pam)->pam_service = strdup(arg)) == 0) {
2226 		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2227 		goto out;
2228 	}
2229 
2230 	/* get module type (e.g. authentication, acct mgmt) */
2231 	if ((arg = read_next_token(&cp)) == 0) {
2232 		__pam_log(LOG_AUTH | LOG_CRIT,
2233 		    "illegal pam.conf[%s] entry: %s: missing MODULE TYPE",
2234 		    pam_trace_cname(pamh), current_line);
2235 		(*pam)->pam_type = -1;	/* 0 is a valid value */
2236 		goto getflag;
2237 	}
2238 	if (strcasecmp(arg, PAM_AUTH_NAME) == 0) {
2239 		(*pam)->pam_type = PAM_AUTH_MODULE;
2240 	} else if (strcasecmp(arg, PAM_ACCOUNT_NAME) == 0) {
2241 		(*pam)->pam_type = PAM_ACCOUNT_MODULE;
2242 	} else if (strcasecmp(arg, PAM_SESSION_NAME) == 0) {
2243 		(*pam)->pam_type = PAM_SESSION_MODULE;
2244 	} else if (strcasecmp(arg, PAM_PASSWORD_NAME) == 0) {
2245 		(*pam)->pam_type = PAM_PASSWORD_MODULE;
2246 	} else {
2247 		/* error */
2248 		__pam_log(LOG_AUTH | LOG_CRIT,
2249 		    "illegal pam.conf[%s] entry: %s: invalid module "
2250 		    "type: %s", pam_trace_cname(pamh), current_line, arg);
2251 		(*pam)->pam_type = -1;	/* 0 is a valid value */
2252 	}
2253 
2254 getflag:
2255 	/* get pam flag (e.g., requisite, required, sufficient, optional) */
2256 	if ((arg = read_next_token(&cp)) == 0) {
2257 		__pam_log(LOG_AUTH | LOG_CRIT,
2258 		    "illegal pam.conf[%s] entry: %s: missing CONTROL FLAG",
2259 		    pam_trace_cname(pamh), current_line);
2260 		goto getpath;
2261 	}
2262 	if (strcasecmp(arg, PAM_BINDING_NAME) == 0) {
2263 		(*pam)->pam_flag = PAM_BINDING;
2264 	} else if (strcasecmp(arg, PAM_INCLUDE_NAME) == 0) {
2265 		(*pam)->pam_flag = PAM_INCLUDE;
2266 	} else if (strcasecmp(arg, PAM_OPTIONAL_NAME) == 0) {
2267 		(*pam)->pam_flag = PAM_OPTIONAL;
2268 	} else if (strcasecmp(arg, PAM_REQUIRED_NAME) == 0) {
2269 		(*pam)->pam_flag = PAM_REQUIRED;
2270 	} else if (strcasecmp(arg, PAM_REQUISITE_NAME) == 0) {
2271 		(*pam)->pam_flag = PAM_REQUISITE;
2272 	} else if (strcasecmp(arg, PAM_SUFFICIENT_NAME) == 0) {
2273 		(*pam)->pam_flag = PAM_SUFFICIENT;
2274 	} else {
2275 		/* error */
2276 		__pam_log(LOG_AUTH | LOG_CRIT,
2277 		    "illegal pam.conf[%s] entry: %s",
2278 		    pam_trace_cname(pamh), current_line);
2279 		__pam_log(LOG_AUTH | LOG_CRIT,
2280 		    "\tinvalid control flag: %s", arg);
2281 	}
2282 
2283 getpath:
2284 	/* get module path (e.g. /usr/lib/security/pam_unix_auth.so.1) */
2285 	if ((arg = read_next_token(&cp)) == 0) {
2286 		__pam_log(LOG_AUTH | LOG_CRIT,
2287 		    "illegal pam.conf[%s] entry: %s: missing MODULE PATH",
2288 		    pam_trace_cname(pamh), current_line);
2289 		error = PAM_SUCCESS;	/* success */
2290 		goto out;
2291 	}
2292 	if (arg[0] != '/') {
2293 		size_t len;
2294 		/*
2295 		 * If module path does not start with "/", then
2296 		 * prepend PAM_LIB_DIR (/usr/lib/security/).
2297 		 */
2298 		/* sizeof (PAM_LIB_DIR) has room for '\0' */
2299 		len = sizeof (PAM_LIB_DIR) + sizeof (PAM_ISA_DIR) + strlen(arg);
2300 		if (((*pam)->module_path = malloc(len)) == NULL) {
2301 			__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2302 			goto out;
2303 		}
2304 		if ((*pam)->pam_flag & PAM_INCLUDE) {
2305 			(void) snprintf((*pam)->module_path, len, "%s%s",
2306 			    PAM_LIB_DIR, arg);
2307 		} else {
2308 			(void) snprintf((*pam)->module_path, len, "%s%s%s",
2309 			    PAM_LIB_DIR, PAM_ISA_DIR, arg);
2310 		}
2311 	} else {
2312 		/* Full path provided for module */
2313 		char *isa;
2314 
2315 		/* Check for Instruction Set Architecture indicator */
2316 		if ((isa = strstr(arg, PAM_ISA)) != NULL) {
2317 			size_t len;
2318 			len = strlen(arg) - (sizeof (PAM_ISA)-1) +
2319 			    sizeof (PAM_ISA_DIR);
2320 
2321 			/* substitute the architecture dependent path */
2322 			if (((*pam)->module_path = malloc(len)) == NULL) {
2323 				__pam_log(LOG_AUTH | LOG_ERR,
2324 				    "strdup: out of memory");
2325 				goto out;
2326 			}
2327 			*isa = '\000';
2328 			isa += strlen(PAM_ISA);
2329 			(void) snprintf((*pam)->module_path, len, "%s%s%s",
2330 			    arg, PAM_ISA_DIR, isa);
2331 		} else if (((*pam)->module_path = strdup(arg)) == 0) {
2332 			__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2333 			goto out;
2334 		}
2335 	}
2336 
2337 	/* count the number of module-specific options first */
2338 	argc = 0;
2339 	if ((tmp = strdup(cp)) == NULL) {
2340 		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2341 		goto out;
2342 	}
2343 	tmp_free = tmp;
2344 	for (arg = read_next_token(&tmp); arg; arg = read_next_token(&tmp))
2345 		argc++;
2346 	free(tmp_free);
2347 
2348 	/* allocate array for the module-specific options */
2349 	if (argc > 0) {
2350 		if (((*pam)->module_argv = (char **)
2351 			calloc(argc+1, sizeof (char *))) == 0) {
2352 			__pam_log(LOG_AUTH | LOG_ERR, "calloc: out of memory");
2353 			goto out;
2354 		}
2355 		i = 0;
2356 		for (arg = read_next_token(&cp); arg;
2357 			arg = read_next_token(&cp)) {
2358 			(*pam)->module_argv[i] = strdup(arg);
2359 			if ((*pam)->module_argv[i] == NULL) {
2360 				__pam_log(LOG_AUTH | LOG_ERR, "strdup failed");
2361 				goto out;
2362 			}
2363 			i++;
2364 		}
2365 		(*pam)->module_argv[argc] = NULL;
2366 	}
2367 	(*pam)->module_argc = argc;
2368 
2369 	error = PAM_SUCCESS;	/* success */
2370 	(*pam)->pam_err = err;	/* was the line truncated */
2371 
2372 out:
2373 	if (current_line)
2374 		free(current_line);
2375 	if (error != PAM_SUCCESS) {
2376 		/* on error free this */
2377 		if (*pam)
2378 			free_pamconf(*pam);
2379 	}
2380 	return (error);
2381 }
2382 
2383 
2384 /*
2385  * read_next_token - skip tab and space characters and return the next token
2386  */
2387 
2388 static char *
2389 read_next_token(char **cpp)
2390 {
2391 	register char *cp = *cpp;
2392 	char *start;
2393 
2394 	if (cp == (char *)0) {
2395 		*cpp = (char *)0;
2396 		return ((char *)0);
2397 	}
2398 	while (*cp == ' ' || *cp == '\t')
2399 		cp++;
2400 	if (*cp == '\0') {
2401 		*cpp = (char *)0;
2402 		return ((char *)0);
2403 	}
2404 	start = cp;
2405 	while (*cp && *cp != ' ' && *cp != '\t')
2406 		cp++;
2407 	if (*cp != '\0')
2408 		*cp++ = '\0';
2409 	*cpp = cp;
2410 	return (start);
2411 }
2412 
2413 static char *
2414 pam_conf_strnchr(char *sp, int c, intptr_t count)
2415 {
2416 	while (count) {
2417 		if (*sp == (char)c)
2418 			return ((char *)sp);
2419 		else {
2420 			sp++;
2421 			count--;
2422 		}
2423 	};
2424 	return (NULL);
2425 }
2426 
2427 /*
2428  * nextline - skip all blank lines and comments
2429  */
2430 
2431 static char *
2432 nextline(struct pam_fh *pam_fh, pam_handle_t *pamh, int *err)
2433 {
2434 	char	*ll;
2435 	int	find_a_line = 0;
2436 	char	*data = pam_fh->data;
2437 	char	*bufferp = pam_fh->bufferp;
2438 	char	*bufferendp = &data[pam_fh->bufsize];
2439 	size_t	input_len;
2440 
2441 	/*
2442 	 * Skip the blank line, comment line
2443 	 */
2444 	while (!find_a_line) {
2445 		/* if we are at the end of the buffer, there is no next line */
2446 		if (bufferp == bufferendp)
2447 			return (NULL);
2448 
2449 		/* skip blank line */
2450 		while (*bufferp == '\n') {
2451 			/*
2452 			 * If we are at the end of the buffer, there is
2453 			 * no next line.
2454 			 */
2455 			if (++bufferp == bufferendp) {
2456 				return (NULL);
2457 			}
2458 			/* else we check *bufferp again */
2459 		}
2460 
2461 		/* skip comment line */
2462 		while (*bufferp == '#') {
2463 			if ((ll = pam_conf_strnchr(bufferp, '\n',
2464 				bufferendp - bufferp)) != NULL) {
2465 				bufferp = ll;
2466 			} else {
2467 				/*
2468 				 * this comment line the last line.
2469 				 * no next line
2470 				 */
2471 				return (NULL);
2472 			}
2473 
2474 			/*
2475 			 * If we are at the end of the buffer, there is
2476 			 * no next line.
2477 			 */
2478 			if (bufferp == bufferendp) {
2479 				return (NULL);
2480 			}
2481 		}
2482 
2483 		if ((*bufferp != '\n') && (*bufferp != '#')) {
2484 			find_a_line = 1;
2485 		}
2486 	}
2487 
2488 	*err = PAM_SUCCESS;
2489 	/* now we find one line */
2490 	if ((ll = pam_conf_strnchr(bufferp, '\n', bufferendp - bufferp))
2491 	    != NULL) {
2492 		if ((input_len = ll - bufferp) >= sizeof (pam_fh->line)) {
2493 			__pam_log(LOG_AUTH | LOG_ERR,
2494 			    "nextline[%d:%s]: pam.conf line too long %.256s",
2495 			    pamh->include_depth, pam_trace_cname(pamh),
2496 			    bufferp);
2497 			input_len = sizeof (pam_fh->line) - 1;
2498 			*err = PAM_SERVICE_ERR;
2499 		}
2500 		(void) strncpy(pam_fh->line, bufferp, input_len);
2501 		pam_fh->line[input_len] = '\0';
2502 		pam_fh->bufferp = ll++;
2503 	} else {
2504 		ll = bufferendp;
2505 		if ((input_len = ll - bufferp) >= sizeof (pam_fh->line)) {
2506 			__pam_log(LOG_AUTH | LOG_ERR,
2507 			    "nextline[%d:%s]: pam.conf line too long %.256s",
2508 			    pamh->include_depth, pam_trace_cname(pamh),
2509 			    bufferp);
2510 			input_len = sizeof (pam_fh->line) - 1;
2511 			*err = PAM_SERVICE_ERR;
2512 		}
2513 		(void) strncpy(pam_fh->line, bufferp, input_len);
2514 		pam_fh->line[input_len] = '\0';
2515 		pam_fh->bufferp = ll;
2516 	}
2517 
2518 	return (pam_fh->line);
2519 }
2520 
2521 /*
2522  * verify_pam_conf - verify that the pam_conf entry is filled in.
2523  *
2524  *	True = Error if there is no service.
2525  *	True = Error if there is a service and it matches the requested service
2526  *		but, the type, flag, line overflow, or path is in error.
2527  */
2528 
2529 static int
2530 verify_pam_conf(pamtab_t *pam, char *service)
2531 {
2532 	return ((pam->pam_service == (char *)NULL) ||
2533 	    ((strcasecmp(pam->pam_service, service) == 0) &&
2534 	    ((pam->pam_type == -1) ||
2535 	    (pam->pam_flag == 0) ||
2536 	    (pam->pam_err != PAM_SUCCESS) ||
2537 	    (pam->module_path == (char *)NULL))));
2538 }
2539 
2540 /*
2541  * Routines to free allocated storage
2542  */
2543 
2544 /*
2545  * clean_up -  free allocated storage in the pam handle
2546  */
2547 
2548 static void
2549 clean_up(pam_handle_t *pamh)
2550 {
2551 	int i;
2552 	pam_repository_t *auth_rep;
2553 
2554 	if (pamh) {
2555 		/* Cleanup Sun proprietary tag information */
2556 		if (pamh->pam_client_message_version_number)
2557 			free(pamh->pam_client_message_version_number);
2558 
2559 		while (pamh->include_depth >= 0) {
2560 			free_pam_conf_info(pamh);
2561 			pamh->include_depth--;
2562 		}
2563 
2564 		/* Cleanup PAM_REPOSITORY structure */
2565 		auth_rep = pamh->ps_item[PAM_REPOSITORY].pi_addr;
2566 		if (auth_rep != NULL) {
2567 			if (auth_rep->type != NULL)
2568 				free(auth_rep->type);
2569 			if (auth_rep->scope != NULL)
2570 				free(auth_rep->scope);
2571 		}
2572 
2573 		for (i = 0; i < PAM_MAX_ITEMS; i++) {
2574 			if (pamh->ps_item[i].pi_addr != NULL) {
2575 				if (i == PAM_AUTHTOK || i == PAM_OLDAUTHTOK) {
2576 					(void) memset(pamh->ps_item[i].pi_addr,
2577 					    0, pamh->ps_item[i].pi_size);
2578 				}
2579 				free(pamh->ps_item[i].pi_addr);
2580 			}
2581 		}
2582 		free(pamh);
2583 	}
2584 }
2585 
2586 /*
2587  * free_pamconf - free memory used to store pam.conf entry
2588  */
2589 
2590 static void
2591 free_pamconf(pamtab_t *cp)
2592 {
2593 	int i;
2594 
2595 	if (cp) {
2596 		if (cp->pam_service)
2597 			free(cp->pam_service);
2598 		if (cp->module_path)
2599 			free(cp->module_path);
2600 		for (i = 0; i < cp->module_argc; i++) {
2601 			if (cp->module_argv[i])
2602 				free(cp->module_argv[i]);
2603 		}
2604 		if (cp->module_argc > 0)
2605 			free(cp->module_argv);
2606 		if (cp->function_ptr)
2607 			free(cp->function_ptr);
2608 
2609 		free(cp);
2610 	}
2611 }
2612 
2613 /*
2614  * free_pam_conf_info - free memory used to store all pam.conf info
2615  *			under the pam handle
2616  */
2617 
2618 static void
2619 free_pam_conf_info(pam_handle_t *pamh)
2620 {
2621 	pamtab_t *pamentp;
2622 	pamtab_t *pament_trail;
2623 	int i = pamh->include_depth;
2624 	int j;
2625 
2626 	for (j = 0; j < PAM_NUM_MODULE_TYPES; j++) {
2627 		pamentp = pamh->pam_conf_info[i][j];
2628 		pamh->pam_conf_info[i][j] = NULL;
2629 		pament_trail = pamentp;
2630 		while (pamentp) {
2631 			pamentp = pamentp->next;
2632 			free_pamconf(pament_trail);
2633 			pament_trail = pamentp;
2634 		}
2635 	}
2636 	if (pamh->pam_conf_name[i] != NULL) {
2637 		free(pamh->pam_conf_name[i]);
2638 		pamh->pam_conf_name[i] = NULL;
2639 	}
2640 }
2641 
2642 static void
2643 free_env(env_list *pam_env)
2644 {
2645 	if (pam_env) {
2646 		if (pam_env->name)
2647 			free(pam_env->name);
2648 		if (pam_env->value)
2649 			free(pam_env->value);
2650 		free(pam_env);
2651 	}
2652 }
2653 
2654 /*
2655  *	Internal convenience functions for Solaris PAM service modules.
2656  */
2657 
2658 #include <libintl.h>
2659 #include <nl_types.h>
2660 #include <synch.h>
2661 #include <locale.h>
2662 #include <thread.h>
2663 
2664 typedef struct pam_msg_data {
2665 	nl_catd fd;
2666 } pam_msg_data_t;
2667 
2668 /*
2669  * free_resp():
2670  *	free storage for responses used in the call back "pam_conv" functions
2671  */
2672 
2673 void
2674 free_resp(int num_msg, struct pam_response *resp)
2675 {
2676 	int			i;
2677 	struct pam_response	*r;
2678 
2679 	if (resp) {
2680 		r = resp;
2681 		for (i = 0; i < num_msg; i++, r++) {
2682 			if (r->resp) {
2683 				/* clear before freeing -- may be a password */
2684 				bzero(r->resp, strlen(r->resp));
2685 				free(r->resp);
2686 				r->resp = NULL;
2687 			}
2688 		}
2689 		free(resp);
2690 	}
2691 }
2692 
2693 static int
2694 do_conv(pam_handle_t *pamh, int msg_style, int num_msg,
2695     char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp,
2696     struct pam_response *ret_respp[])
2697 {
2698 	struct pam_message	*msg;
2699 	struct pam_message	*m;
2700 	int			i;
2701 	int			k;
2702 	int			retcode;
2703 	struct pam_conv		*pam_convp;
2704 
2705 	if ((retcode = pam_get_item(pamh, PAM_CONV,
2706 	    (void **)&pam_convp)) != PAM_SUCCESS) {
2707 		return (retcode);
2708 	}
2709 
2710 	/*
2711 	 * When pam_set_item() is called to set PAM_CONV and the
2712 	 * item is NULL, memset(pip->pi_addr, 0, size) is called.
2713 	 * So at this point, we should check whether pam_convp->conv
2714 	 * is NULL or not.
2715 	 */
2716 	if ((pam_convp == NULL) || (pam_convp->conv == NULL))
2717 		return (PAM_SYSTEM_ERR);
2718 
2719 	i = 0;
2720 	k = num_msg;
2721 
2722 	msg = (struct pam_message *)calloc(num_msg,
2723 	    sizeof (struct pam_message));
2724 	if (msg == NULL) {
2725 		return (PAM_BUF_ERR);
2726 	}
2727 	m = msg;
2728 
2729 	while (k--) {
2730 		/*
2731 		 * fill out the message structure to display prompt message
2732 		 */
2733 		m->msg_style = msg_style;
2734 		m->msg = messages[i];
2735 		pam_trace(PAM_DEBUG_CONV,
2736 		    "pam_conv_msg(%p:%d[%d]=%s)",
2737 		    (void *)pamh, msg_style, i, messages[i]);
2738 		m++;
2739 		i++;
2740 	}
2741 
2742 	/*
2743 	 * The UNIX pam modules always calls __pam_get_authtok() and
2744 	 * __pam_display_msg() with a NULL pointer as the conv_apdp.
2745 	 * In case the conv_apdp is NULL and the pam_convp->appdata_ptr
2746 	 * is not NULL, we should pass the pam_convp->appdata_ptr
2747 	 * to the conversation function.
2748 	 */
2749 	if (conv_apdp == NULL && pam_convp->appdata_ptr != NULL)
2750 		conv_apdp = pam_convp->appdata_ptr;
2751 
2752 	/*
2753 	 * Call conv function to display the prompt.
2754 	 */
2755 	retcode = (pam_convp->conv)(num_msg, &msg, ret_respp, conv_apdp);
2756 	pam_trace(PAM_DEBUG_CONV,
2757 	    "pam_conv_resp(%p pam_conv = %s) ret_respp = %p",
2758 	    (void *)pamh, pam_strerror(pamh, retcode), (void *)ret_respp);
2759 	if (*ret_respp == NULL) {
2760 		pam_trace(PAM_DEBUG_CONV,
2761 		    "pam_conv_resp(%p No response requested)", (void *)pamh);
2762 	} else if ((pam_debug & (PAM_DEBUG_CONV | PAM_DEBUG_AUTHTOK)) != 0) {
2763 		struct pam_response *r = *ret_respp;
2764 
2765 		for (i = 0; i < num_msg; i++, r++) {
2766 			if (r->resp == NULL) {
2767 				pam_trace(PAM_DEBUG_CONV,
2768 				    "pam_conv_resp(%p:"
2769 				    "[%d] NULL response string)",
2770 				    (void *)pamh, i);
2771 			} else {
2772 				if (msg_style == PAM_PROMPT_ECHO_OFF) {
2773 #ifdef	DEBUG
2774 					pam_trace(PAM_DEBUG_AUTHTOK,
2775 					    "pam_conv_resp(%p:[%d]=%s, "
2776 					    "code=%d)",
2777 					    (void *)pamh, i, r->resp,
2778 					    r->resp_retcode);
2779 #endif	/* DEBUG */
2780 					pam_trace(PAM_DEBUG_CONV,
2781 					    "pam_conv_resp(%p:[%d] len=%lu, "
2782 					    "code=%d)",
2783 					    (void *)pamh, i,
2784 					    (ulong_t)strlen(r->resp),
2785 					    r->resp_retcode);
2786 				} else {
2787 					pam_trace(PAM_DEBUG_CONV,
2788 					    "pam_conv_resp(%p:[%d]=%s, "
2789 					    "code=%d)",
2790 					    (void *)pamh, i, r->resp,
2791 					    r->resp_retcode);
2792 				}
2793 			}
2794 		}
2795 	}
2796 
2797 	if (msg)
2798 		free(msg);
2799 	return (retcode);
2800 }
2801 
2802 /*
2803  * __pam_display_msg():
2804  *	display message by calling the call back functions
2805  *	provided by the application through "pam_conv" structure
2806  */
2807 
2808 int
2809 __pam_display_msg(pam_handle_t *pamh, int msg_style, int num_msg,
2810     char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp)
2811 {
2812 	struct pam_response	*ret_respp = NULL;
2813 
2814 	return (do_conv(pamh, msg_style, num_msg, messages,
2815 	    conv_apdp, &ret_respp));
2816 }
2817 
2818 /*
2819  * __pam_get_authtok()
2820  *	retrieves a password of at most PASS_MAX length from the pam
2821  *	handle (pam_get_item) or from the input stream (do_conv).
2822  *
2823  * This function allocates memory for the new authtok.
2824  * Applications calling this function are responsible for
2825  * freeing this memory.
2826  *
2827  * If "source" is
2828  *	PAM_HANDLE
2829  * and "type" is:
2830  *	PAM_AUTHTOK - password is taken from pam handle (PAM_AUTHTOK)
2831  *	PAM_OLDAUTHTOK - password is taken from pam handle (PAM_OLDAUTHTOK)
2832  *
2833  * If "source" is
2834  *	PAM_PROMPT
2835  * and "type" is:
2836  *	0:		Prompt for new passwd, do not even attempt
2837  *			to store it in the pam handle.
2838  *	PAM_AUTHTOK:	Prompt for new passwd, store in pam handle as
2839  *			PAM_AUTHTOK item if this value is not already set.
2840  *	PAM_OLDAUTHTOK:	Prompt for new passwd, store in pam handle as
2841  *			PAM_OLDAUTHTOK item if this value is not
2842  *			already set.
2843  */
2844 int
2845 __pam_get_authtok(pam_handle_t *pamh, int source, int type, char *prompt,
2846     char **authtok)
2847 {
2848 	int error = PAM_SYSTEM_ERR;
2849 	char *new_password = NULL;
2850 	struct pam_response *ret_resp = NULL;
2851 	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
2852 
2853 	if ((*authtok = calloc(PASS_MAX+1, sizeof (char))) == NULL)
2854 		return (PAM_BUF_ERR);
2855 
2856 	if (prompt == NULL)
2857 		prompt = dgettext(TEXT_DOMAIN, "password: ");
2858 
2859 	switch (source) {
2860 	case PAM_HANDLE:
2861 
2862 		/* get password from pam handle item list */
2863 
2864 		switch (type) {
2865 		case PAM_AUTHTOK:
2866 		case PAM_OLDAUTHTOK:
2867 
2868 			if ((error = pam_get_item(pamh, type,
2869 			    (void **)&new_password)) != PAM_SUCCESS)
2870 				goto err_ret;
2871 
2872 			if (new_password == NULL || new_password[0] == '\0') {
2873 				free(*authtok);
2874 				*authtok = NULL;
2875 			} else {
2876 				(void) strlcpy(*authtok, new_password,
2877 				    PASS_MAX+1);
2878 			}
2879 			break;
2880 		default:
2881 			__pam_log(LOG_AUTH | LOG_ERR,
2882 			    "__pam_get_authtok() invalid type: %d", type);
2883 			error = PAM_SYMBOL_ERR;
2884 			goto err_ret;
2885 		}
2886 		break;
2887 	case PAM_PROMPT:
2888 
2889 		/*
2890 		 * Prompt for new password and save in pam handle item list
2891 		 * if the that item is not already set.
2892 		 */
2893 
2894 		(void) strncpy(messages[0], prompt, sizeof (messages[0]));
2895 		if ((error = do_conv(pamh, PAM_PROMPT_ECHO_OFF, 1, messages,
2896 		    NULL, &ret_resp)) != PAM_SUCCESS)
2897 			goto err_ret;
2898 
2899 		if (ret_resp->resp == NULL) {
2900 			/* getpass didn't return anything */
2901 			error = PAM_SYSTEM_ERR;
2902 			goto err_ret;
2903 		}
2904 
2905 		/* save the new password if this item was NULL */
2906 		if (type) {
2907 			if ((error = pam_get_item(pamh, type,
2908 			    (void **)&new_password)) != PAM_SUCCESS) {
2909 				free_resp(1, ret_resp);
2910 				goto err_ret;
2911 			}
2912 			if (new_password == NULL)
2913 				(void) pam_set_item(pamh, type, ret_resp->resp);
2914 		}
2915 
2916 		(void) strlcpy(*authtok, ret_resp->resp, PASS_MAX+1);
2917 		free_resp(1, ret_resp);
2918 		break;
2919 	default:
2920 		__pam_log(LOG_AUTH | LOG_ERR,
2921 		    "__pam_get_authtok() invalid source: %d", source);
2922 		error = PAM_SYMBOL_ERR;
2923 		goto err_ret;
2924 	}
2925 
2926 	return (PAM_SUCCESS);
2927 
2928 err_ret:
2929 	bzero(*authtok, PASS_MAX+1);
2930 	free(*authtok);
2931 	*authtok = NULL;
2932 	return (error);
2933 }
2934