xref: /titanic_52/usr/src/lib/libpam/pam_framework.c (revision 9525b14bcdeb5b5f6f95ab27c2f48f18bd2ec829)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <syslog.h>
27 #include <dlfcn.h>
28 #include <sys/types.h>
29 #include <sys/stat.h>
30 #include <stdlib.h>
31 #include <strings.h>
32 #include <malloc.h>
33 #include <unistd.h>
34 #include <fcntl.h>
35 #include <errno.h>
36 
37 #include <security/pam_appl.h>
38 #include <security/pam_modules.h>
39 #include <sys/mman.h>
40 
41 #include <libintl.h>
42 
43 #include "pam_impl.h"
44 
45 static char *pam_snames [PAM_NUM_MODULE_TYPES] = {
46 	PAM_ACCOUNT_NAME,
47 	PAM_AUTH_NAME,
48 	PAM_PASSWORD_NAME,
49 	PAM_SESSION_NAME
50 };
51 
52 static char *pam_inames [PAM_MAX_ITEMS] = {
53 /* NONE */		NULL,
54 /* PAM_SERVICE */	"service",
55 /* PAM_USER */		"user",
56 /* PAM_TTY */		"tty",
57 /* PAM_RHOST */ 	"rhost",
58 /* PAM_CONV */		"conv",
59 /* PAM_AUTHTOK */	"authtok",
60 /* PAM_OLDAUTHTOK */	"oldauthtok",
61 /* PAM_RUSER */ 	"ruser",
62 /* PAM_USER_PROMPT */	"user_prompt",
63 /* PAM_REPOSITORY */	"repository",
64 /* PAM_RESOURCE */	"resource",
65 /* PAM_AUSER */ 	"auser",
66 /* Undefined Items */
67 };
68 
69 /*
70  * This extra definition is needed in order to build this library
71  * on pre-64-bit-aware systems.
72  */
73 #if !defined(_LFS64_LARGEFILE)
74 #define	stat64	stat
75 #endif	/* !defined(_LFS64_LARGEFILE) */
76 
77 /* functions to dynamically load modules */
78 static int	load_modules(pam_handle_t *, int, char *, pamtab_t *);
79 static void 	*open_module(pam_handle_t *, char *);
80 static int	load_function(void *, char *, int (**func)());
81 
82 /* functions to read and store the pam.conf configuration file */
83 static int	open_pam_conf(struct pam_fh **, pam_handle_t *, char *);
84 static void	close_pam_conf(struct pam_fh *);
85 static int	read_pam_conf(pam_handle_t *, char *);
86 static int 	get_pam_conf_entry(struct pam_fh *, pam_handle_t *,
87     pamtab_t **);
88 static char	*read_next_token(char **);
89 static char	*nextline(struct pam_fh *, pam_handle_t *, int *);
90 static int	verify_pam_conf(pamtab_t *, char *);
91 
92 /* functions to clean up and free memory */
93 static void	clean_up(pam_handle_t *);
94 static void	free_pamconf(pamtab_t *);
95 static void	free_pam_conf_info(pam_handle_t *);
96 static void	free_env(env_list *);
97 
98 /* convenience functions for I18N/L10N communication */
99 
100 static void	free_resp(int, struct pam_response *);
101 static int	do_conv(pam_handle_t *, int, int,
102     char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *,
103     struct pam_response **);
104 
105 static int	log_priority;	/* pam_trace syslog priority & facility */
106 static int	pam_debug = 0;
107 
108 static char *
109 pam_trace_iname(int item_type, char *iname_buf)
110 {
111 	char *name;
112 
113 	if (item_type <= 0 ||
114 	    item_type >= PAM_MAX_ITEMS ||
115 	    (name = pam_inames[item_type]) == NULL) {
116 		(void) sprintf(iname_buf, "%d", item_type);
117 		return (iname_buf);
118 	}
119 	return (name);
120 }
121 
122 static char *
123 pam_trace_fname(int flag)
124 {
125 	if (flag & PAM_BINDING)
126 		return (PAM_BINDING_NAME);
127 	if (flag & PAM_INCLUDE)
128 		return (PAM_INCLUDE_NAME);
129 	if (flag & PAM_OPTIONAL)
130 		return (PAM_OPTIONAL_NAME);
131 	if (flag & PAM_REQUIRED)
132 		return (PAM_REQUIRED_NAME);
133 	if (flag & PAM_REQUISITE)
134 		return (PAM_REQUISITE_NAME);
135 	if (flag & PAM_SUFFICIENT)
136 		return (PAM_SUFFICIENT_NAME);
137 	return ("bad flag name");
138 }
139 
140 static char *
141 pam_trace_cname(pam_handle_t *pamh)
142 {
143 	if (pamh->pam_conf_name[pamh->include_depth] == NULL)
144 		return ("NULL");
145 	return (pamh->pam_conf_name[pamh->include_depth]);
146 }
147 
148 #include <deflt.h>
149 #include <stdarg.h>
150 /*
151  * pam_settrace - setup configuration for pam tracing
152  *
153  * turn on PAM debug if "magic" file exists
154  * if exists (original), pam_debug = PAM_DEBUG_DEFAULT,
155  * log_priority = LOG_DEBUG(7) and log_facility = LOG_AUTH(4).
156  *
157  * if has contents, keywork=value pairs:
158  *
159  *	"log_priority=" 0-7, the pam_trace syslog priority to use
160  *		(see sys/syslog.h)
161  *	"log_facility=" 0-23, the pam_trace syslog facility to use
162  *		(see sys/syslog.h)
163  *	"debug_flags=" PAM_DEBUG_DEFAULT (0x0001), log traditional
164  *			(original) debugging.
165  *		Plus the logical or of:
166  *		    PAM_DEBUG_ITEM (0x0002), log item values and
167  *			pam_get_item.
168  *		    PAM_DEBUG_MODULE (0x0004), log module return status.
169  *		    PAM_DEBUG_CONF (0x0008), log pam.conf parsing.
170  *		    PAM_DEBUG_DATA (0x0010), get/set_data.
171  *		    PAM_DEBUG_CONV (0x0020), conversation/response.
172  *
173  *		    If compiled with DEBUG:
174  *		    PAM_DEBUG_AUTHTOK (0x8000), display AUTHTOK value if
175  *				PAM_DEBUG_ITEM is set and results from
176  *				PAM_PROMPT_ECHO_OFF responses.
177  *		    USE CAREFULLY, THIS EXPOSES THE USER'S PASSWORDS.
178  *
179  *		or set to 0 and off even if PAM_DEBUG file exists.
180  *
181  * Output has the general form:
182  * <whatever was set syslog> PAM[<pid>]: <interface>(<handle> and other info)
183  * <whatever was set syslog> PAM[<pid>]: details requested for <interface> call
184  *	Where:	<pid> is the process ID of the calling process.
185  *		<handle> is the Hex value of the pam_handle associated with the
186  *			call.
187  */
188 
189 static void
190 pam_settrace()
191 {
192 	void	*defp;
193 
194 	if ((defp = defopen_r(PAM_DEBUG)) != NULL) {
195 		char	*arg;
196 		int	code;
197 		int	facility = LOG_AUTH;
198 
199 		pam_debug = PAM_DEBUG_DEFAULT;
200 		log_priority = LOG_DEBUG;
201 
202 		(void) defcntl_r(DC_SETFLAGS, DC_CASE, defp);
203 		if ((arg = defread_r(LOG_PRIORITY, defp)) != NULL) {
204 			code = (int)strtol(arg, NULL, 10);
205 			if ((code & ~LOG_PRIMASK) == 0) {
206 				log_priority = code;
207 			}
208 		}
209 		if ((arg = defread_r(LOG_FACILITY, defp)) != NULL) {
210 			code = (int)strtol(arg, NULL, 10);
211 			if (code < LOG_NFACILITIES) {
212 				facility = code << 3;
213 			}
214 		}
215 		if ((arg = defread_r(DEBUG_FLAGS, defp)) != NULL) {
216 			pam_debug = (int)strtol(arg, NULL, 0);
217 		}
218 		defclose_r(defp);
219 
220 		log_priority |= facility;
221 	}
222 }
223 
224 /*
225  * pam_trace - logs tracing messages
226  *
227  *	flag = debug_flags from /etc/pam_debug
228  *	format and args = message to print (PAM[<pid>]: is prepended).
229  *
230  *	global log_priority = pam_trace syslog (log_priority | log_facility)
231  *		from /etc/pam_debug
232  */
233 /*PRINTFLIKE2*/
234 static void
235 pam_trace(int flag, char *format, ...)
236 {
237 	va_list args;
238 	char message[1024];
239 	int savemask;
240 
241 	if ((pam_debug & flag) == 0)
242 		return;
243 
244 	savemask = setlogmask(LOG_MASK(log_priority & LOG_PRIMASK));
245 	(void) snprintf(message, sizeof (message), "PAM[%ld]: %s",
246 	    (long)getpid(), format);
247 	va_start(args, format);
248 	(void) vsyslog(log_priority, message, args);
249 	va_end(args);
250 	(void) setlogmask(savemask);
251 }
252 
253 /*
254  * __pam_log - logs PAM syslog messages
255  *
256  *	priority = message priority
257  *	format and args = message to log
258  */
259 /*PRINTFLIKE2*/
260 void
261 __pam_log(int priority, const char *format, ...)
262 {
263 	va_list args;
264 	int savemask = setlogmask(LOG_MASK(priority & LOG_PRIMASK));
265 
266 	va_start(args, format);
267 	(void) vsyslog(priority, format, args);
268 	va_end(args);
269 	(void) setlogmask(savemask);
270 }
271 
272 
273 /*
274  *			pam_XXXXX routines
275  *
276  *	These are the entry points to the authentication switch
277  */
278 
279 /*
280  * pam_start		- initiate an authentication transaction and
281  *			  set parameter values to be used during the
282  *			  transaction
283  */
284 
285 int
286 pam_start(const char *service, const char *user,
287     const struct pam_conv *pam_conv, pam_handle_t **pamh)
288 {
289 	int	err;
290 
291 	*pamh = calloc(1, sizeof (struct pam_handle));
292 
293 	pam_settrace();
294 	pam_trace(PAM_DEBUG_DEFAULT,
295 	    "pam_start(%s,%s,%p:%p) - debug = %x",
296 	    service ? service : "NULL", user ? user : "NULL", (void *)pam_conv,
297 	    (void *)*pamh, pam_debug);
298 
299 	if (*pamh == NULL)
300 		return (PAM_BUF_ERR);
301 
302 	(*pamh)->pam_inmodule = RO_OK;		/* OK to set RO items */
303 	if ((err = pam_set_item(*pamh, PAM_SERVICE, (void *)service))
304 	    != PAM_SUCCESS) {
305 		clean_up(*pamh);
306 		*pamh = NULL;
307 		return (err);
308 	}
309 
310 	if ((err = pam_set_item(*pamh, PAM_USER, (void *)user))
311 	    != PAM_SUCCESS) {
312 		clean_up(*pamh);
313 		*pamh = NULL;
314 		return (err);
315 	}
316 
317 	if ((err = pam_set_item(*pamh, PAM_CONV, (void *)pam_conv))
318 	    != PAM_SUCCESS) {
319 		clean_up(*pamh);
320 		*pamh = NULL;
321 		return (err);
322 	}
323 
324 	(*pamh)->pam_inmodule = RW_OK;
325 	return (PAM_SUCCESS);
326 }
327 
328 /*
329  * pam_end - terminate an authentication transaction
330  */
331 
332 int
333 pam_end(pam_handle_t *pamh, int pam_status)
334 {
335 	struct pam_module_data *psd, *p;
336 	fd_list *expired;
337 	fd_list *traverse;
338 	env_list *env_expired;
339 	env_list *env_traverse;
340 
341 	pam_trace(PAM_DEBUG_DEFAULT,
342 	    "pam_end(%p): status = %s", (void *)pamh,
343 	    pam_strerror(pamh, pam_status));
344 
345 	if (pamh == NULL)
346 		return (PAM_SYSTEM_ERR);
347 
348 	/* call the cleanup routines for module specific data */
349 
350 	psd = pamh->ssd;
351 	while (psd) {
352 		if (psd->cleanup) {
353 			psd->cleanup(pamh, psd->data, pam_status);
354 		}
355 		p = psd;
356 		psd = p->next;
357 		free(p->module_data_name);
358 		free(p);
359 	}
360 	pamh->ssd = NULL;
361 
362 	/* dlclose all module fds */
363 	traverse = pamh->fd;
364 	while (traverse) {
365 		expired = traverse;
366 		traverse = traverse->next;
367 		(void) dlclose(expired->mh);
368 		free(expired);
369 	}
370 	pamh->fd = 0;
371 
372 	/* remove all environment variables */
373 	env_traverse = pamh->pam_env;
374 	while (env_traverse) {
375 		env_expired = env_traverse;
376 		env_traverse = env_traverse->next;
377 		free_env(env_expired);
378 	}
379 
380 	clean_up(pamh);
381 	return (PAM_SUCCESS);
382 }
383 
384 /*
385  * pam_set_item		- set the value of a parameter that can be
386  *			  retrieved via a call to pam_get_item()
387  */
388 
389 int
390 pam_set_item(pam_handle_t *pamh, int item_type, const void *item)
391 {
392 	struct pam_item *pip;
393 	int	size;
394 	char	iname_buf[PAM_MAX_MSG_SIZE];
395 
396 	if (((pam_debug & PAM_DEBUG_ITEM) == 0) || (pamh == NULL)) {
397 		pam_trace(PAM_DEBUG_DEFAULT,
398 		    "pam_set_item(%p:%s)", (void *)pamh,
399 		    pam_trace_iname(item_type, iname_buf));
400 	}
401 
402 	if (pamh == NULL)
403 		return (PAM_SYSTEM_ERR);
404 
405 	/* check read only items */
406 	if ((item_type == PAM_SERVICE) && (pamh->pam_inmodule != RO_OK))
407 		return (PAM_PERM_DENIED);
408 
409 	/*
410 	 * Check that item_type is within valid range
411 	 */
412 
413 	if (item_type <= 0 || item_type >= PAM_MAX_ITEMS)
414 		return (PAM_SYMBOL_ERR);
415 
416 	pip = &(pamh->ps_item[item_type]);
417 
418 	switch (item_type) {
419 	case PAM_AUTHTOK:
420 	case PAM_OLDAUTHTOK:
421 		if (pip->pi_addr != NULL)
422 			(void) memset(pip->pi_addr, 0, pip->pi_size);
423 		/*FALLTHROUGH*/
424 	case PAM_SERVICE:
425 	case PAM_USER:
426 	case PAM_TTY:
427 	case PAM_RHOST:
428 	case PAM_RUSER:
429 	case PAM_USER_PROMPT:
430 	case PAM_RESOURCE:
431 	case PAM_AUSER:
432 		if (pip->pi_addr != NULL) {
433 			free(pip->pi_addr);
434 		}
435 
436 		if (item == NULL) {
437 			pip->pi_addr = NULL;
438 			pip->pi_size = 0;
439 		} else {
440 			pip->pi_addr = strdup((char *)item);
441 			if (pip->pi_addr == NULL) {
442 				pip->pi_size = 0;
443 				return (PAM_BUF_ERR);
444 			}
445 			pip->pi_size = strlen(pip->pi_addr);
446 		}
447 		break;
448 	case PAM_CONV:
449 		if (pip->pi_addr != NULL)
450 			free(pip->pi_addr);
451 		size = sizeof (struct pam_conv);
452 		if ((pip->pi_addr = calloc(1, size)) == NULL)
453 			return (PAM_BUF_ERR);
454 		if (item != NULL)
455 			(void) memcpy(pip->pi_addr, item, (unsigned int) size);
456 		else
457 			(void) memset(pip->pi_addr, 0, size);
458 		pip->pi_size = size;
459 		break;
460 	case PAM_REPOSITORY:
461 		if (pip->pi_addr != NULL) {
462 			pam_repository_t *auth_rep;
463 
464 			auth_rep = (pam_repository_t *)pip->pi_addr;
465 			if (auth_rep->type != NULL)
466 				free(auth_rep->type);
467 			if (auth_rep->scope != NULL)
468 				free(auth_rep->scope);
469 			free(auth_rep);
470 		}
471 		if (item != NULL) {
472 			pam_repository_t *s, *d;
473 
474 			size = sizeof (struct pam_repository);
475 			pip->pi_addr = calloc(1, size);
476 			if (pip->pi_addr == NULL)
477 				return (PAM_BUF_ERR);
478 
479 			s = (struct pam_repository *)item;
480 			d = (struct pam_repository *)pip->pi_addr;
481 
482 			d->type = strdup(s->type);
483 			if (d->type == NULL)
484 				return (PAM_BUF_ERR);
485 			d->scope = malloc(s->scope_len);
486 			if (d->scope == NULL)
487 				return (PAM_BUF_ERR);
488 			(void) memcpy(d->scope, s->scope, s->scope_len);
489 			d->scope_len = s->scope_len;
490 		}
491 		pip->pi_size = size;
492 		break;
493 	default:
494 		return (PAM_SYMBOL_ERR);
495 	}
496 	switch (item_type) {
497 	case PAM_CONV:
498 		pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%p",
499 		    (void *)pamh,
500 		    pam_trace_iname(item_type, iname_buf),
501 		    item ? (void *)((struct pam_conv *)item)->conv :
502 		    (void *)0);
503 		break;
504 	case PAM_REPOSITORY:
505 		pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%s",
506 		    (void *)pamh,
507 		    pam_trace_iname(item_type, iname_buf),
508 		    item ? (((struct pam_repository *)item)->type ?
509 		    ((struct pam_repository *)item)->type : "NULL") :
510 		    "NULL");
511 		break;
512 	case PAM_AUTHTOK:
513 	case PAM_OLDAUTHTOK:
514 #ifdef	DEBUG
515 		if (pam_debug & PAM_DEBUG_AUTHTOK)
516 			pam_trace(PAM_DEBUG_ITEM,
517 			    "pam_set_item(%p:%s)=%s", (void *)pamh,
518 			    pam_trace_iname(item_type, iname_buf),
519 			    item ? (char *)item : "NULL");
520 		else
521 #endif	/* DEBUG */
522 			pam_trace(PAM_DEBUG_ITEM,
523 			    "pam_set_item(%p:%s)=%s", (void *)pamh,
524 			    pam_trace_iname(item_type, iname_buf),
525 			    item ? "********" : "NULL");
526 		break;
527 	default:
528 		pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%s",
529 		    (void *)pamh,
530 		    pam_trace_iname(item_type, iname_buf),
531 		    item ? (char *)item : "NULL");
532 	}
533 
534 	return (PAM_SUCCESS);
535 }
536 
537 /*
538  * pam_get_item		- read the value of a parameter specified in
539  *			  the call to pam_set_item()
540  */
541 
542 int
543 pam_get_item(const pam_handle_t *pamh, int item_type, void **item)
544 {
545 	struct pam_item *pip;
546 	char	iname_buf[PAM_MAX_MSG_SIZE];
547 
548 	if (((pam_debug & PAM_DEBUG_ITEM) == 0) || (pamh == NULL)) {
549 		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)",
550 		    (void *)pamh, pam_trace_iname(item_type, iname_buf));
551 	}
552 
553 	if (pamh == NULL)
554 		return (PAM_SYSTEM_ERR);
555 
556 	if (item_type <= 0 || item_type >= PAM_MAX_ITEMS)
557 		return (PAM_SYMBOL_ERR);
558 
559 	if ((pamh->pam_inmodule != WO_OK) &&
560 	    ((item_type == PAM_AUTHTOK || item_type == PAM_OLDAUTHTOK))) {
561 		__pam_log(LOG_AUTH | LOG_NOTICE, "pam_get_item(%s) called from "
562 		    "a non module context",
563 		    pam_trace_iname(item_type, iname_buf));
564 		return (PAM_PERM_DENIED);
565 	}
566 
567 	pip = (struct pam_item *)&(pamh->ps_item[item_type]);
568 
569 	*item = pip->pi_addr;
570 	switch (item_type) {
571 	case PAM_CONV:
572 		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%p",
573 		    (void *)pamh,
574 		    pam_trace_iname(item_type, iname_buf),
575 		    (void *)((struct pam_conv *)*item)->conv);
576 		break;
577 	case PAM_REPOSITORY:
578 		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%s",
579 		    (void *)pamh,
580 		    pam_trace_iname(item_type, iname_buf),
581 		    *item ? (((struct pam_repository *)*item)->type ?
582 		    ((struct pam_repository *)*item)->type : "NULL") :
583 		    "NULL");
584 		break;
585 	case PAM_AUTHTOK:
586 	case PAM_OLDAUTHTOK:
587 #ifdef	DEBUG
588 		if (pam_debug & PAM_DEBUG_AUTHTOK)
589 			pam_trace(PAM_DEBUG_ITEM,
590 			    "pam_get_item(%p:%s)=%s", (void *)pamh,
591 			    pam_trace_iname(item_type, iname_buf),
592 			    *item ? *(char **)item : "NULL");
593 		else
594 #endif	/* DEBUG */
595 			pam_trace(PAM_DEBUG_ITEM,
596 			    "pam_get_item(%p:%s)=%s", (void *)pamh,
597 			    pam_trace_iname(item_type, iname_buf),
598 			    *item ? "********" : "NULL");
599 		break;
600 	default:
601 		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%s",
602 		    (void *)pamh,
603 		    pam_trace_iname(item_type, iname_buf),
604 		    *item ? *(char **)item : "NULL");
605 	}
606 
607 	return (PAM_SUCCESS);
608 }
609 
610 /*
611  * parse_user_name         - process the user response: ignore
612  *                           '\t' or ' ' before or after a user name.
613  *                           user_input is a null terminated string.
614  *                           *ret_username will be the user name.
615  */
616 
617 static int
618 parse_user_name(char *user_input, char **ret_username)
619 {
620 	register char *ptr;
621 	register int index = 0;
622 	char username[PAM_MAX_RESP_SIZE];
623 
624 	/* Set the default value for *ret_username */
625 	*ret_username = NULL;
626 
627 	/*
628 	 * Set the initial value for username - this is a buffer holds
629 	 * the user name.
630 	 */
631 	bzero((void *)username, PAM_MAX_RESP_SIZE);
632 
633 	/*
634 	 * The user_input is guaranteed to be terminated by a null character.
635 	 */
636 	ptr = user_input;
637 
638 	/* Skip all the leading whitespaces if there are any. */
639 	while ((*ptr == ' ') || (*ptr == '\t'))
640 		ptr++;
641 
642 	if (*ptr == '\0') {
643 		/*
644 		 * We should never get here since the user_input we got
645 		 * in pam_get_user() is not all whitespaces nor just "\0".
646 		 */
647 		return (PAM_BUF_ERR);
648 	}
649 
650 	/*
651 	 * username will be the first string we get from user_input
652 	 * - we skip leading whitespaces and ignore trailing whitespaces
653 	 */
654 	while (*ptr != '\0') {
655 		if ((*ptr == ' ') || (*ptr == '\t'))
656 			break;
657 		else {
658 			username[index] = *ptr;
659 			index++;
660 			ptr++;
661 		}
662 	}
663 
664 	/* ret_username will be freed in pam_get_user(). */
665 	if ((*ret_username = malloc(index + 1)) == NULL)
666 		return (PAM_BUF_ERR);
667 	(void) strcpy(*ret_username, username);
668 	return (PAM_SUCCESS);
669 }
670 
671 /*
672  * Get the value of PAM_USER. If not set, then use the convenience function
673  * to prompt for the user. Use prompt if specified, else use PAM_USER_PROMPT
674  * if it is set, else use default.
675  */
676 #define	WHITESPACE	0
677 #define	USERNAME	1
678 
679 int
680 pam_get_user(pam_handle_t *pamh, char **user, const char *prompt_override)
681 {
682 	int	status;
683 	char	*prompt = NULL;
684 	char    *real_username;
685 	struct pam_response *ret_resp = NULL;
686 	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
687 
688 	pam_trace(PAM_DEBUG_DEFAULT,
689 	    "pam_get_user(%p, %p, %s)", (void *)pamh, (void *)*user,
690 	    prompt_override ? prompt_override : "NULL");
691 	if (pamh == NULL)
692 		return (PAM_SYSTEM_ERR);
693 
694 	if ((status = pam_get_item(pamh, PAM_USER, (void **)user))
695 	    != PAM_SUCCESS) {
696 		return (status);
697 	}
698 
699 	/* if the user is set, return it */
700 
701 	if (*user != NULL && *user[0] != '\0') {
702 		return (PAM_SUCCESS);
703 	}
704 
705 	/*
706 	 * if the module is requesting a special prompt, use it.
707 	 * else use PAM_USER_PROMPT.
708 	 */
709 
710 	if (prompt_override != NULL) {
711 		prompt = (char *)prompt_override;
712 	} else {
713 		status = pam_get_item(pamh, PAM_USER_PROMPT, (void**)&prompt);
714 		if (status != PAM_SUCCESS) {
715 			return (status);
716 		}
717 	}
718 
719 	/* if the prompt is not set, use default */
720 
721 	if (prompt == NULL || prompt[0] == '\0') {
722 		prompt = dgettext(TEXT_DOMAIN, "Please enter user name: ");
723 	}
724 
725 	/* prompt for the user */
726 
727 	(void) strncpy(messages[0], prompt, sizeof (messages[0]));
728 
729 	for (;;) {
730 		int state = WHITESPACE;
731 
732 		status = do_conv(pamh, PAM_PROMPT_ECHO_ON, 1, messages,
733 		    NULL, &ret_resp);
734 
735 		if (status != PAM_SUCCESS) {
736 			return (status);
737 		}
738 
739 		if (ret_resp->resp && ret_resp->resp[0] != '\0') {
740 			int len = strlen(ret_resp->resp);
741 			int i;
742 
743 			for (i = 0; i < len; i++) {
744 				if ((ret_resp->resp[i] != ' ') &&
745 				    (ret_resp->resp[i] != '\t')) {
746 					state = USERNAME;
747 					break;
748 				}
749 			}
750 
751 			if (state == USERNAME)
752 				break;
753 		}
754 		/* essentially empty response, try again */
755 		free_resp(1, ret_resp);
756 		ret_resp = NULL;
757 	}
758 
759 	/* set PAM_USER */
760 	/* Parse the user input to get the user name. */
761 	status = parse_user_name(ret_resp->resp, &real_username);
762 
763 	if (status != PAM_SUCCESS) {
764 		if (real_username != NULL)
765 			free(real_username);
766 		free_resp(1, ret_resp);
767 		return (status);
768 	}
769 
770 	status = pam_set_item(pamh, PAM_USER, real_username);
771 
772 	free(real_username);
773 
774 	free_resp(1, ret_resp);
775 	if (status != PAM_SUCCESS) {
776 		return (status);
777 	}
778 
779 	/*
780 	 * finally, get PAM_USER. We have to call pam_get_item to get
781 	 * the value of user because pam_set_item mallocs the memory.
782 	 */
783 
784 	status = pam_get_item(pamh, PAM_USER, (void**)user);
785 	return (status);
786 }
787 
788 /*
789  * Set module specific data
790  */
791 
792 int
793 pam_set_data(pam_handle_t *pamh, const char *module_data_name, void *data,
794     void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status))
795 {
796 	struct pam_module_data *psd;
797 
798 	pam_trace(PAM_DEBUG_DATA,
799 	    "pam_set_data(%p:%s:%d)=%p", (void *)pamh,
800 	    module_data_name ? module_data_name : "NULL", pamh->pam_inmodule,
801 	    data);
802 	if (pamh == NULL || (pamh->pam_inmodule != WO_OK) ||
803 	    module_data_name == NULL) {
804 		return (PAM_SYSTEM_ERR);
805 	}
806 
807 	/* check if module data already exists */
808 
809 	for (psd = pamh->ssd; psd; psd = psd->next) {
810 		if (strcmp(psd->module_data_name, module_data_name) == 0) {
811 			/* clean up original data before setting the new data */
812 			if (psd->cleanup) {
813 				psd->cleanup(pamh, psd->data, PAM_SUCCESS);
814 			}
815 			psd->data = (void *)data;
816 			psd->cleanup = cleanup;
817 			return (PAM_SUCCESS);
818 		}
819 	}
820 
821 	psd = malloc(sizeof (struct pam_module_data));
822 	if (psd == NULL)
823 		return (PAM_BUF_ERR);
824 
825 	psd->module_data_name = strdup(module_data_name);
826 	if (psd->module_data_name == NULL) {
827 		free(psd);
828 		return (PAM_BUF_ERR);
829 	}
830 
831 	psd->data = (void *)data;
832 	psd->cleanup = cleanup;
833 	psd->next = pamh->ssd;
834 	pamh->ssd = psd;
835 	return (PAM_SUCCESS);
836 }
837 
838 /*
839  * get module specific data
840  */
841 
842 int
843 pam_get_data(const pam_handle_t *pamh, const char *module_data_name,
844     const void **data)
845 {
846 	struct pam_module_data *psd;
847 
848 	if (pamh == NULL || (pamh->pam_inmodule != WO_OK) ||
849 	    module_data_name == NULL) {
850 		pam_trace(PAM_DEBUG_DATA,
851 		    "pam_get_data(%p:%s:%d)=%p", (void *)pamh,
852 		    module_data_name ? module_data_name : "NULL",
853 		    pamh->pam_inmodule, *data);
854 		return (PAM_SYSTEM_ERR);
855 	}
856 
857 	for (psd = pamh->ssd; psd; psd = psd->next) {
858 		if (strcmp(psd->module_data_name, module_data_name) == 0) {
859 			*data = psd->data;
860 			pam_trace(PAM_DEBUG_DATA,
861 			    "pam_get_data(%p:%s)=%p", (void *)pamh,
862 			    module_data_name, *data);
863 			return (PAM_SUCCESS);
864 		}
865 	}
866 	pam_trace(PAM_DEBUG_DATA,
867 	    "pam_get_data(%p:%s)=%s", (void *)pamh, module_data_name,
868 	    "PAM_NO_MODULE_DATA");
869 
870 	return (PAM_NO_MODULE_DATA);
871 }
872 
873 /*
874  * PAM equivalent to strerror()
875  */
876 /* ARGSUSED */
877 const char *
878 pam_strerror(pam_handle_t *pamh, int errnum)
879 {
880 	switch (errnum) {
881 	case PAM_SUCCESS:
882 		return (dgettext(TEXT_DOMAIN, "Success"));
883 	case PAM_OPEN_ERR:
884 		return (dgettext(TEXT_DOMAIN, "Dlopen failure"));
885 	case PAM_SYMBOL_ERR:
886 		return (dgettext(TEXT_DOMAIN, "Symbol not found"));
887 	case PAM_SERVICE_ERR:
888 		return (dgettext(TEXT_DOMAIN,
889 		    "Error in underlying service module"));
890 	case PAM_SYSTEM_ERR:
891 		return (dgettext(TEXT_DOMAIN, "System error"));
892 	case PAM_BUF_ERR:
893 		return (dgettext(TEXT_DOMAIN, "Memory buffer error"));
894 	case PAM_CONV_ERR:
895 		return (dgettext(TEXT_DOMAIN, "Conversation failure"));
896 	case PAM_PERM_DENIED:
897 		return (dgettext(TEXT_DOMAIN, "Permission denied"));
898 	case PAM_MAXTRIES:
899 		return (dgettext(TEXT_DOMAIN,
900 		    "Maximum number of attempts exceeded"));
901 	case PAM_AUTH_ERR:
902 		return (dgettext(TEXT_DOMAIN, "Authentication failed"));
903 	case PAM_NEW_AUTHTOK_REQD:
904 		return (dgettext(TEXT_DOMAIN, "Get new authentication token"));
905 	case PAM_CRED_INSUFFICIENT:
906 		return (dgettext(TEXT_DOMAIN, "Insufficient credentials"));
907 	case PAM_AUTHINFO_UNAVAIL:
908 		return (dgettext(TEXT_DOMAIN,
909 		    "Can not retrieve authentication info"));
910 	case PAM_USER_UNKNOWN:
911 		return (dgettext(TEXT_DOMAIN, "No account present for user"));
912 	case PAM_CRED_UNAVAIL:
913 		return (dgettext(TEXT_DOMAIN,
914 		    "Can not retrieve user credentials"));
915 	case PAM_CRED_EXPIRED:
916 		return (dgettext(TEXT_DOMAIN,
917 		    "User credentials have expired"));
918 	case PAM_CRED_ERR:
919 		return (dgettext(TEXT_DOMAIN,
920 		    "Failure setting user credentials"));
921 	case PAM_ACCT_EXPIRED:
922 		return (dgettext(TEXT_DOMAIN, "User account has expired"));
923 	case PAM_AUTHTOK_EXPIRED:
924 		return (dgettext(TEXT_DOMAIN, "User password has expired"));
925 	case PAM_SESSION_ERR:
926 		return (dgettext(TEXT_DOMAIN,
927 		    "Can not make/remove entry for session"));
928 	case PAM_AUTHTOK_ERR:
929 		return (dgettext(TEXT_DOMAIN,
930 		    "Authentication token manipulation error"));
931 	case PAM_AUTHTOK_RECOVERY_ERR:
932 		return (dgettext(TEXT_DOMAIN,
933 		    "Authentication token can not be recovered"));
934 	case PAM_AUTHTOK_LOCK_BUSY:
935 		return (dgettext(TEXT_DOMAIN,
936 		    "Authentication token lock busy"));
937 	case PAM_AUTHTOK_DISABLE_AGING:
938 		return (dgettext(TEXT_DOMAIN,
939 		    "Authentication token aging disabled"));
940 	case PAM_NO_MODULE_DATA:
941 		return (dgettext(TEXT_DOMAIN,
942 		    "Module specific data not found"));
943 	case PAM_IGNORE:
944 		return (dgettext(TEXT_DOMAIN, "Ignore module"));
945 	case PAM_ABORT:
946 		return (dgettext(TEXT_DOMAIN, "General PAM failure "));
947 	case PAM_TRY_AGAIN:
948 		return (dgettext(TEXT_DOMAIN,
949 		    "Unable to complete operation. Try again"));
950 	default:
951 		return (dgettext(TEXT_DOMAIN, "Unknown error"));
952 	}
953 }
954 
955 static void *
956 sm_name(int ind)
957 {
958 	switch (ind) {
959 	case PAM_AUTHENTICATE:
960 		return (PAM_SM_AUTHENTICATE);
961 	case PAM_SETCRED:
962 		return (PAM_SM_SETCRED);
963 	case PAM_ACCT_MGMT:
964 		return (PAM_SM_ACCT_MGMT);
965 	case PAM_OPEN_SESSION:
966 		return (PAM_SM_OPEN_SESSION);
967 	case PAM_CLOSE_SESSION:
968 		return (PAM_SM_CLOSE_SESSION);
969 	case PAM_CHAUTHTOK:
970 		return (PAM_SM_CHAUTHTOK);
971 	}
972 	return (NULL);
973 }
974 
975 static int
976 (*func(pamtab_t *modulep, int ind))()
977 {
978 	void	*funcp;
979 
980 	if ((funcp = modulep->function_ptr) == NULL)
981 		return (NULL);
982 
983 	switch (ind) {
984 	case PAM_AUTHENTICATE:
985 		return (((struct auth_module *)funcp)->pam_sm_authenticate);
986 	case PAM_SETCRED:
987 		return (((struct auth_module *)funcp)->pam_sm_setcred);
988 	case PAM_ACCT_MGMT:
989 		return (((struct account_module *)funcp)->pam_sm_acct_mgmt);
990 	case PAM_OPEN_SESSION:
991 		return (((struct session_module *)funcp)->pam_sm_open_session);
992 	case PAM_CLOSE_SESSION:
993 		return (((struct session_module *)funcp)->pam_sm_close_session);
994 	case PAM_CHAUTHTOK:
995 		return (((struct password_module *)funcp)->pam_sm_chauthtok);
996 	}
997 	return (NULL);
998 }
999 
1000 /*
1001  * Run through the PAM service module stack for the given module type.
1002  */
1003 static int
1004 run_stack(pam_handle_t *pamh, int flags, int type, int def_err, int ind,
1005     char *function_name)
1006 {
1007 	int	err = PAM_SYSTEM_ERR;  /* preset */
1008 	int	optional_error = 0;
1009 	int	required_error = 0;
1010 	int	success = 0;
1011 	pamtab_t *modulep;
1012 	int	(*sm_func)();
1013 
1014 	if (pamh == NULL)
1015 		return (PAM_SYSTEM_ERR);
1016 
1017 	/* read initial entries from pam.conf */
1018 	if ((err = read_pam_conf(pamh, PAM_CONFIG)) != PAM_SUCCESS) {
1019 		return (err);
1020 	}
1021 
1022 	if ((modulep =
1023 	    pamh->pam_conf_info[pamh->include_depth][type]) == NULL) {
1024 		__pam_log(LOG_AUTH | LOG_ERR, "%s no initial module present",
1025 		    pam_trace_cname(pamh));
1026 		goto exit_return;
1027 	}
1028 
1029 	pamh->pam_inmodule = WO_OK;	/* OK to get AUTHTOK */
1030 include:
1031 	pam_trace(PAM_DEBUG_MODULE,
1032 	    "[%d:%s]:run_stack:%s(%p, %x): %s", pamh->include_depth,
1033 	    pam_trace_cname(pamh), function_name, (void *)pamh, flags,
1034 	    modulep ? modulep->module_path : "NULL");
1035 
1036 	while (modulep != NULL) {
1037 		if (modulep->pam_flag & PAM_INCLUDE) {
1038 			/* save the return location */
1039 			pamh->pam_conf_modulep[pamh->include_depth] =
1040 			    modulep->next;
1041 			pam_trace(PAM_DEBUG_MODULE,
1042 			    "setting for include[%d:%p]",
1043 			    pamh->include_depth, (void *)modulep->next);
1044 			if (pamh->include_depth++ >= PAM_MAX_INCLUDE) {
1045 				__pam_log(LOG_AUTH | LOG_ERR,
1046 				    "run_stack: includes too deep %d "
1047 				    "found trying to include %s from %s, %d "
1048 				    "allowed", pamh->include_depth,
1049 				    modulep->module_path, pamh->pam_conf_name
1050 				    [PAM_MAX_INCLUDE] == NULL ? "NULL" :
1051 				    pamh->pam_conf_name[PAM_MAX_INCLUDE],
1052 				    PAM_MAX_INCLUDE);
1053 				goto exit_return;
1054 			}
1055 			if ((err = read_pam_conf(pamh,
1056 			    modulep->module_path)) != PAM_SUCCESS) {
1057 				__pam_log(LOG_AUTH | LOG_ERR,
1058 				    "run_stack[%d:%s]: can't read included "
1059 				    "conf %s", pamh->include_depth,
1060 				    pam_trace_cname(pamh),
1061 				    modulep->module_path);
1062 				goto exit_return;
1063 			}
1064 			if ((modulep = pamh->pam_conf_info
1065 			    [pamh->include_depth][type]) == NULL) {
1066 				__pam_log(LOG_AUTH | LOG_ERR,
1067 				    "run_stack[%d:%s]: no include module "
1068 				    "present %s", pamh->include_depth,
1069 				    pam_trace_cname(pamh), function_name);
1070 				goto exit_return;
1071 			}
1072 			if (modulep->pam_flag & PAM_INCLUDE) {
1073 				/* first line another include */
1074 				goto include;
1075 			}
1076 			pam_trace(PAM_DEBUG_DEFAULT, "include[%d:%s]"
1077 			    "(%p, %s)=%s", pamh->include_depth,
1078 			    pam_trace_cname(pamh), (void *)pamh,
1079 			    function_name, modulep->module_path);
1080 			if ((err = load_modules(pamh, type, sm_name(ind),
1081 			    pamh->pam_conf_info
1082 			    [pamh->include_depth][type])) != PAM_SUCCESS) {
1083 				pam_trace(PAM_DEBUG_DEFAULT,
1084 				    "[%d:%s]:%s(%p, %x): load_modules failed",
1085 				    pamh->include_depth, pam_trace_cname(pamh),
1086 				    function_name, (void *)pamh, flags);
1087 				goto exit_return;
1088 			}
1089 			if ((modulep = pamh->pam_conf_info
1090 			    [pamh->include_depth][type]) == NULL) {
1091 				__pam_log(LOG_AUTH | LOG_ERR,
1092 				    "%s no initial module present",
1093 				    pam_trace_cname(pamh));
1094 				goto exit_return;
1095 			}
1096 		} else if ((err = load_modules(pamh, type, sm_name(ind),
1097 		    modulep)) != PAM_SUCCESS) {
1098 			pam_trace(PAM_DEBUG_DEFAULT,
1099 			    "[%d:%s]:%s(%p, %x): load_modules failed",
1100 			    pamh->include_depth, pam_trace_cname(pamh),
1101 			    function_name, (void *)pamh, flags);
1102 			goto exit_return;
1103 		}  /* PAM_INCLUDE */
1104 		sm_func = func(modulep, ind);
1105 		if (sm_func) {
1106 			err = sm_func(pamh, flags, modulep->module_argc,
1107 			    (const char **)modulep->module_argv);
1108 
1109 			pam_trace(PAM_DEBUG_MODULE,
1110 			    "[%d:%s]:%s(%p, %x): %s returned %s",
1111 			    pamh->include_depth, pam_trace_cname(pamh),
1112 			    function_name, (void *)pamh, flags,
1113 			    modulep->module_path, pam_strerror(pamh, err));
1114 
1115 			switch (err) {
1116 			case PAM_IGNORE:
1117 				/* do nothing */
1118 				break;
1119 			case PAM_SUCCESS:
1120 				if ((modulep->pam_flag & PAM_SUFFI_BIND) &&
1121 				    !required_error) {
1122 					pamh->pam_inmodule = RW_OK;
1123 					pam_trace(PAM_DEBUG_MODULE,
1124 					    "[%d:%s]:%s(%p, %x): %s: success",
1125 					    pamh->include_depth,
1126 					    pam_trace_cname(pamh),
1127 					    function_name, (void *)pamh, flags,
1128 					    (modulep->pam_flag & PAM_BINDING) ?
1129 					    PAM_BINDING_NAME :
1130 					    PAM_SUFFICIENT_NAME);
1131 					goto exit_return;
1132 				}
1133 				success = 1;
1134 				break;
1135 			case PAM_TRY_AGAIN:
1136 				/*
1137 				 * We need to return immediately, and
1138 				 * we shouldn't reset the AUTHTOK item
1139 				 * since it is not an error per-se.
1140 				 */
1141 				pamh->pam_inmodule = RW_OK;
1142 				pam_trace(PAM_DEBUG_MODULE,
1143 				    "[%d:%s]:%s(%p, %x): TRY_AGAIN: %s",
1144 				    pamh->include_depth, pam_trace_cname(pamh),
1145 				    function_name, (void *)pamh, flags,
1146 				    pam_strerror(pamh, required_error ?
1147 				    required_error : err));
1148 				err = required_error ? required_error : err;
1149 				goto exit_return;
1150 			default:
1151 				if (modulep->pam_flag & PAM_REQUISITE) {
1152 					pamh->pam_inmodule = RW_OK;
1153 					pam_trace(PAM_DEBUG_MODULE,
1154 					    "[%d:%s]:%s(%p, %x): requisite: %s",
1155 					    pamh->include_depth,
1156 					    pam_trace_cname(pamh),
1157 					    function_name, (void *)pamh, flags,
1158 					    pam_strerror(pamh,
1159 					    required_error ? required_error :
1160 					    err));
1161 					err = required_error ?
1162 					    required_error : err;
1163 					goto exit_return;
1164 				} else if (modulep->pam_flag & PAM_REQRD_BIND) {
1165 					if (!required_error)
1166 						required_error = err;
1167 				} else {
1168 					if (!optional_error)
1169 						optional_error = err;
1170 				}
1171 				pam_trace(PAM_DEBUG_DEFAULT,
1172 				    "[%d:%s]:%s(%p, %x): error %s",
1173 				    pamh->include_depth, pam_trace_cname(pamh),
1174 				    function_name, (void *)pamh, flags,
1175 				    pam_strerror(pamh, err));
1176 				break;
1177 			}
1178 		}
1179 		modulep = modulep->next;
1180 	}
1181 
1182 	pam_trace(PAM_DEBUG_MODULE, "[%d:%s]:stack_end:%s(%p, %x): %s %s: %s",
1183 	    pamh->include_depth, pam_trace_cname(pamh), function_name,
1184 	    (void *)pamh, flags, pamh->include_depth ? "included" : "final",
1185 	    required_error ? "required" : success ? "success" :
1186 	    optional_error ? "optional" : "default",
1187 	    pam_strerror(pamh, required_error ? required_error :
1188 	    success ? PAM_SUCCESS : optional_error ? optional_error : def_err));
1189 	if (pamh->include_depth > 0) {
1190 		free_pam_conf_info(pamh);
1191 		pamh->include_depth--;
1192 		/* continue at next entry */
1193 		modulep = pamh->pam_conf_modulep[pamh->include_depth];
1194 		pam_trace(PAM_DEBUG_MODULE, "looping for include[%d:%p]",
1195 		    pamh->include_depth, (void *)modulep);
1196 		goto include;
1197 	}
1198 	free_pam_conf_info(pamh);
1199 	pamh->pam_inmodule = RW_OK;
1200 	if (required_error != 0)
1201 		return (required_error);
1202 	else if (success != 0)
1203 		return (PAM_SUCCESS);
1204 	else if (optional_error != 0)
1205 		return (optional_error);
1206 	else
1207 		return (def_err);
1208 
1209 exit_return:
1210 	/*
1211 	 * All done at whatever depth we're at.
1212 	 * Go back to not having read /etc/pam.conf
1213 	 */
1214 	while (pamh->include_depth > 0) {
1215 		free_pam_conf_info(pamh);
1216 		pamh->include_depth--;
1217 	}
1218 	free_pam_conf_info(pamh);
1219 	pamh->pam_inmodule = RW_OK;
1220 	return (err);
1221 }
1222 
1223 /*
1224  * pam_authenticate - authenticate a user
1225  */
1226 
1227 int
1228 pam_authenticate(pam_handle_t *pamh, int flags)
1229 {
1230 	int	retval;
1231 
1232 	retval = run_stack(pamh, flags, PAM_AUTH_MODULE, PAM_AUTH_ERR,
1233 	    PAM_AUTHENTICATE, "pam_authenticate");
1234 
1235 	if (retval != PAM_SUCCESS)
1236 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1237 	return (retval);
1238 }
1239 
1240 /*
1241  * pam_setcred - modify or retrieve user credentials
1242  */
1243 
1244 int
1245 pam_setcred(pam_handle_t *pamh, int flags)
1246 {
1247 	int	retval;
1248 
1249 	retval = run_stack(pamh, flags, PAM_AUTH_MODULE, PAM_CRED_ERR,
1250 	    PAM_SETCRED, "pam_setcred");
1251 
1252 	if (retval != PAM_SUCCESS)
1253 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1254 	return (retval);
1255 }
1256 
1257 /*
1258  * pam_acct_mgmt - check password aging, account expiration
1259  */
1260 
1261 int
1262 pam_acct_mgmt(pam_handle_t *pamh, int flags)
1263 {
1264 	int	retval;
1265 
1266 	retval = run_stack(pamh, flags, PAM_ACCOUNT_MODULE, PAM_ACCT_EXPIRED,
1267 	    PAM_ACCT_MGMT, "pam_acct_mgmt");
1268 
1269 	if (retval != PAM_SUCCESS &&
1270 	    retval != PAM_NEW_AUTHTOK_REQD) {
1271 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1272 	}
1273 	return (retval);
1274 }
1275 
1276 /*
1277  * pam_open_session - begin session management
1278  */
1279 
1280 int
1281 pam_open_session(pam_handle_t *pamh, int flags)
1282 {
1283 	int	retval;
1284 
1285 	retval = run_stack(pamh, flags, PAM_SESSION_MODULE, PAM_SESSION_ERR,
1286 	    PAM_OPEN_SESSION, "pam_open_session");
1287 
1288 	if (retval != PAM_SUCCESS)
1289 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1290 	return (retval);
1291 }
1292 
1293 /*
1294  * pam_close_session - terminate session management
1295  */
1296 
1297 int
1298 pam_close_session(pam_handle_t *pamh, int flags)
1299 {
1300 	int	retval;
1301 
1302 	retval = run_stack(pamh, flags, PAM_SESSION_MODULE, PAM_SESSION_ERR,
1303 	    PAM_CLOSE_SESSION, "pam_close_session");
1304 
1305 	if (retval != PAM_SUCCESS)
1306 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1307 	return (retval);
1308 }
1309 
1310 /*
1311  * pam_chauthtok - change user authentication token
1312  */
1313 
1314 int
1315 pam_chauthtok(pam_handle_t *pamh, int flags)
1316 {
1317 	int	retval;
1318 
1319 	/* do not let apps use PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK */
1320 	if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) {
1321 		pam_trace(PAM_DEBUG_DEFAULT,
1322 		    "pam_chauthtok(%p, %x): %s", (void *)pamh, flags,
1323 		    pam_strerror(pamh, PAM_SYMBOL_ERR));
1324 		return (PAM_SYMBOL_ERR);
1325 	}
1326 
1327 	/* 1st pass: PRELIM CHECK */
1328 	retval = run_stack(pamh, flags | PAM_PRELIM_CHECK, PAM_PASSWORD_MODULE,
1329 	    PAM_AUTHTOK_ERR, PAM_CHAUTHTOK, "pam_chauthtok-prelim");
1330 
1331 	if (retval == PAM_TRY_AGAIN)
1332 		return (retval);
1333 
1334 	if (retval != PAM_SUCCESS) {
1335 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1336 		return (retval);
1337 	}
1338 
1339 	/* 2nd pass: UPDATE AUTHTOK */
1340 	retval = run_stack(pamh, flags | PAM_UPDATE_AUTHTOK,
1341 	    PAM_PASSWORD_MODULE, PAM_AUTHTOK_ERR, PAM_CHAUTHTOK,
1342 	    "pam_chauthtok-update");
1343 
1344 	if (retval != PAM_SUCCESS)
1345 		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1346 
1347 	return (retval);
1348 }
1349 
1350 /*
1351  * pam_putenv - add an environment variable to the PAM handle
1352  *	if name_value == 'NAME=VALUE'	then set variable to the value
1353  *	if name_value == 'NAME='	then set variable to an empty value
1354  *	if name_value == 'NAME'		then delete the variable
1355  */
1356 
1357 int
1358 pam_putenv(pam_handle_t *pamh, const char *name_value)
1359 {
1360 	int		error = PAM_SYSTEM_ERR;
1361 	char		*equal_sign = 0;
1362 	char		*name = NULL, *value = NULL, *tmp_value = NULL;
1363 	env_list	*traverse, *trail;
1364 
1365 	pam_trace(PAM_DEBUG_DEFAULT,
1366 	    "pam_putenv(%p, %s)", (void *)pamh,
1367 	    name_value ? name_value : "NULL");
1368 
1369 	if (pamh == NULL || name_value == NULL)
1370 		goto out;
1371 
1372 	/* see if we were passed 'NAME=VALUE', 'NAME=', or 'NAME' */
1373 	if ((equal_sign = strchr(name_value, '=')) != 0) {
1374 		if ((name = calloc(equal_sign - name_value + 1,
1375 		    sizeof (char))) == 0) {
1376 			error = PAM_BUF_ERR;
1377 			goto out;
1378 		}
1379 		(void) strncpy(name, name_value, equal_sign - name_value);
1380 		if ((value = strdup(++equal_sign)) == 0) {
1381 			error = PAM_BUF_ERR;
1382 			goto out;
1383 		}
1384 	} else {
1385 		if ((name = strdup(name_value)) == 0) {
1386 			error = PAM_BUF_ERR;
1387 			goto out;
1388 		}
1389 	}
1390 
1391 	/* check to see if we already have this variable in the PAM handle */
1392 	traverse = pamh->pam_env;
1393 	trail = traverse;
1394 	while (traverse && strncmp(traverse->name, name, strlen(name))) {
1395 		trail = traverse;
1396 		traverse = traverse->next;
1397 	}
1398 
1399 	if (traverse) {
1400 		/* found a match */
1401 		if (value == 0) {
1402 			/* remove the env variable */
1403 			if (pamh->pam_env == traverse)
1404 				pamh->pam_env = traverse->next;
1405 			else
1406 				trail->next = traverse->next;
1407 			free_env(traverse);
1408 		} else if (strlen(value) == 0) {
1409 			/* set env variable to empty value */
1410 			if ((tmp_value = strdup("")) == 0) {
1411 				error = PAM_SYSTEM_ERR;
1412 				goto out;
1413 			}
1414 			free(traverse->value);
1415 			traverse->value = tmp_value;
1416 		} else {
1417 			/* set the new value */
1418 			if ((tmp_value = strdup(value)) == 0) {
1419 				error = PAM_SYSTEM_ERR;
1420 				goto out;
1421 			}
1422 			free(traverse->value);
1423 			traverse->value = tmp_value;
1424 		}
1425 
1426 	} else if (traverse == 0 && value) {
1427 		/*
1428 		 * could not find a match in the PAM handle.
1429 		 * add the new value if there is one
1430 		 */
1431 		if ((traverse = calloc(1, sizeof (env_list))) == 0) {
1432 			error = PAM_BUF_ERR;
1433 			goto out;
1434 		}
1435 		if ((traverse->name = strdup(name)) == 0) {
1436 			free_env(traverse);
1437 			error = PAM_BUF_ERR;
1438 			goto out;
1439 		}
1440 		if ((traverse->value = strdup(value)) == 0) {
1441 			free_env(traverse);
1442 			error = PAM_BUF_ERR;
1443 			goto out;
1444 		}
1445 		if (trail == 0) {
1446 			/* new head of list */
1447 			pamh->pam_env = traverse;
1448 		} else {
1449 			/* adding to end of list */
1450 			trail->next = traverse;
1451 		}
1452 	}
1453 
1454 	error = PAM_SUCCESS;
1455 out:
1456 	if (error != PAM_SUCCESS) {
1457 		if (traverse) {
1458 			if (traverse->name)
1459 				free(traverse->name);
1460 			if (traverse->value)
1461 				free(traverse->value);
1462 			free(traverse);
1463 		}
1464 	}
1465 	if (name)
1466 		free(name);
1467 	if (value)
1468 		free(value);
1469 	return (error);
1470 }
1471 
1472 /*
1473  * pam_getenv - retrieve an environment variable from the PAM handle
1474  */
1475 char *
1476 pam_getenv(pam_handle_t *pamh, const char *name)
1477 {
1478 	int		error = PAM_SYSTEM_ERR;
1479 	env_list	*traverse;
1480 
1481 	pam_trace(PAM_DEBUG_DEFAULT,
1482 	    "pam_getenv(%p, %p)", (void *)pamh, (void *)name);
1483 
1484 	if (pamh == NULL || name == NULL)
1485 		goto out;
1486 
1487 	/* check to see if we already have this variable in the PAM handle */
1488 	traverse = pamh->pam_env;
1489 	while (traverse && strncmp(traverse->name, name, strlen(name))) {
1490 		traverse = traverse->next;
1491 	}
1492 	error = (traverse ? PAM_SUCCESS : PAM_SYSTEM_ERR);
1493 	pam_trace(PAM_DEBUG_DEFAULT,
1494 	    "pam_getenv(%p, %s)=%s", (void *)pamh, name,
1495 	    traverse ? traverse->value : "NULL");
1496 out:
1497 	return (error ? NULL : strdup(traverse->value));
1498 }
1499 
1500 /*
1501  * pam_getenvlist - retrieve all environment variables from the PAM handle
1502  *                  in a NULL terminated array. On error, return NULL.
1503  */
1504 char **
1505 pam_getenvlist(pam_handle_t *pamh)
1506 {
1507 	int		error = PAM_SYSTEM_ERR;
1508 	char		**list = 0;
1509 	int		length = 0;
1510 	env_list	*traverse;
1511 	char		*tenv;
1512 	size_t		tenv_size;
1513 
1514 	pam_trace(PAM_DEBUG_DEFAULT,
1515 	    "pam_getenvlist(%p)", (void *)pamh);
1516 
1517 	if (pamh == NULL)
1518 		goto out;
1519 
1520 	/* find out how many environment variables we have */
1521 	traverse = pamh->pam_env;
1522 	while (traverse) {
1523 		length++;
1524 		traverse = traverse->next;
1525 	}
1526 
1527 	/* allocate the array we will return to the caller */
1528 	if ((list = calloc(length + 1, sizeof (char *))) == NULL) {
1529 		error = PAM_BUF_ERR;
1530 		goto out;
1531 	}
1532 
1533 	/* add the variables one by one */
1534 	length = 0;
1535 	traverse = pamh->pam_env;
1536 	while (traverse != NULL) {
1537 		tenv_size = strlen(traverse->name) +
1538 		    strlen(traverse->value) + 2; /* name=val\0 */
1539 		if ((tenv = malloc(tenv_size)) == NULL) {
1540 			error = PAM_BUF_ERR;
1541 			goto out;
1542 		}
1543 		/*LINTED*/
1544 		(void) sprintf(tenv, "%s=%s", traverse->name, traverse->value);
1545 		list[length++] = tenv;
1546 		traverse = traverse->next;
1547 	}
1548 	list[length] = NULL;
1549 
1550 	error = PAM_SUCCESS;
1551 out:
1552 	if (error != PAM_SUCCESS) {
1553 		/* free the partially constructed list */
1554 		if (list) {
1555 			length = 0;
1556 			while (list[length] != NULL) {
1557 				free(list[length]);
1558 				length++;
1559 			}
1560 			free(list);
1561 		}
1562 	}
1563 	return (error ? NULL : list);
1564 }
1565 
1566 /*
1567  * Routines to load a requested module on demand
1568  */
1569 
1570 /*
1571  * load_modules - load the requested module.
1572  *		  if the dlopen or dlsym fail, then
1573  *		  the module is ignored.
1574  */
1575 
1576 static int
1577 load_modules(pam_handle_t *pamh, int type, char *function_name,
1578     pamtab_t *pam_entry)
1579 {
1580 	void	*mh;
1581 	struct	auth_module *authp;
1582 	struct	account_module *accountp;
1583 	struct	session_module *sessionp;
1584 	struct	password_module *passwdp;
1585 	int	loading_functions = 0; /* are we currently loading functions? */
1586 
1587 	pam_trace(PAM_DEBUG_MODULE, "load_modules[%d:%s](%p, %s)=%s:%s",
1588 	    pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
1589 	    function_name, pam_trace_fname(pam_entry->pam_flag),
1590 	    pam_entry->module_path);
1591 
1592 	while (pam_entry != NULL) {
1593 		pam_trace(PAM_DEBUG_DEFAULT,
1594 		    "while load_modules[%d:%s](%p, %s)=%s",
1595 		    pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
1596 		    function_name, pam_entry->module_path);
1597 
1598 		if (pam_entry->pam_flag & PAM_INCLUDE) {
1599 			pam_trace(PAM_DEBUG_DEFAULT,
1600 			    "done load_modules[%d:%s](%p, %s)=%s",
1601 			    pamh->include_depth, pam_trace_cname(pamh),
1602 			    (void *)pamh, function_name,
1603 			    pam_entry->module_path);
1604 			return (PAM_SUCCESS);
1605 		}
1606 		switch (type) {
1607 		case PAM_AUTH_MODULE:
1608 
1609 			/* if the function has already been loaded, return */
1610 			authp = pam_entry->function_ptr;
1611 			if (!loading_functions &&
1612 			    (((strcmp(function_name, PAM_SM_AUTHENTICATE)
1613 			    == 0) && authp && authp->pam_sm_authenticate) ||
1614 			    ((strcmp(function_name, PAM_SM_SETCRED) == 0) &&
1615 			    authp && authp->pam_sm_setcred))) {
1616 				return (PAM_SUCCESS);
1617 			}
1618 
1619 			/* function has not been loaded yet */
1620 			loading_functions = 1;
1621 			if (authp == NULL) {
1622 				authp = calloc(1, sizeof (struct auth_module));
1623 				if (authp == NULL)
1624 					return (PAM_BUF_ERR);
1625 			}
1626 
1627 			/* if open_module fails, return error */
1628 			if ((mh = open_module(pamh,
1629 			    pam_entry->module_path)) == NULL) {
1630 				__pam_log(LOG_AUTH | LOG_ERR,
1631 				    "load_modules[%d:%s]: can not open module "
1632 				    "%s", pamh->include_depth,
1633 				    pam_trace_cname(pamh),
1634 				    pam_entry->module_path);
1635 				free(authp);
1636 				return (PAM_OPEN_ERR);
1637 			}
1638 
1639 			/* load the authentication function */
1640 			if (strcmp(function_name, PAM_SM_AUTHENTICATE) == 0) {
1641 				if (load_function(mh, PAM_SM_AUTHENTICATE,
1642 				    &authp->pam_sm_authenticate)
1643 				    != PAM_SUCCESS) {
1644 					/* return error if dlsym fails */
1645 					free(authp);
1646 					return (PAM_SYMBOL_ERR);
1647 				}
1648 
1649 			/* load the setcred function */
1650 			} else if (strcmp(function_name, PAM_SM_SETCRED) == 0) {
1651 				if (load_function(mh, PAM_SM_SETCRED,
1652 				    &authp->pam_sm_setcred) != PAM_SUCCESS) {
1653 					/* return error if dlsym fails */
1654 					free(authp);
1655 					return (PAM_SYMBOL_ERR);
1656 				}
1657 			}
1658 			pam_entry->function_ptr = authp;
1659 			break;
1660 		case PAM_ACCOUNT_MODULE:
1661 			accountp = pam_entry->function_ptr;
1662 			if (!loading_functions &&
1663 			    (strcmp(function_name, PAM_SM_ACCT_MGMT) == 0) &&
1664 			    accountp && accountp->pam_sm_acct_mgmt) {
1665 				return (PAM_SUCCESS);
1666 			}
1667 
1668 			/*
1669 			 * If functions are added to the account module,
1670 			 * verify that one of the other functions hasn't
1671 			 * already loaded it.  See PAM_AUTH_MODULE code.
1672 			 */
1673 			loading_functions = 1;
1674 			accountp = calloc(1, sizeof (struct account_module));
1675 			if (accountp == NULL)
1676 				return (PAM_BUF_ERR);
1677 
1678 			/* if open_module fails, return error */
1679 			if ((mh = open_module(pamh,
1680 			    pam_entry->module_path)) == NULL) {
1681 				__pam_log(LOG_AUTH | LOG_ERR,
1682 				    "load_modules[%d:%s]: can not open module "
1683 				    "%s", pamh->include_depth,
1684 				    pam_trace_cname(pamh),
1685 				    pam_entry->module_path);
1686 				free(accountp);
1687 				return (PAM_OPEN_ERR);
1688 			}
1689 
1690 			if (load_function(mh, PAM_SM_ACCT_MGMT,
1691 			    &accountp->pam_sm_acct_mgmt) != PAM_SUCCESS) {
1692 				__pam_log(LOG_AUTH | LOG_ERR,
1693 				    "load_modules[%d:%s]: pam_sm_acct_mgmt() "
1694 				    "missing", pamh->include_depth,
1695 				    pam_trace_cname(pamh));
1696 				free(accountp);
1697 				return (PAM_SYMBOL_ERR);
1698 			}
1699 			pam_entry->function_ptr = accountp;
1700 			break;
1701 		case PAM_SESSION_MODULE:
1702 			sessionp = pam_entry->function_ptr;
1703 			if (!loading_functions &&
1704 			    (((strcmp(function_name,
1705 			    PAM_SM_OPEN_SESSION) == 0) &&
1706 			    sessionp && sessionp->pam_sm_open_session) ||
1707 			    ((strcmp(function_name,
1708 			    PAM_SM_CLOSE_SESSION) == 0) &&
1709 			    sessionp && sessionp->pam_sm_close_session))) {
1710 				return (PAM_SUCCESS);
1711 			}
1712 
1713 			loading_functions = 1;
1714 			if (sessionp == NULL) {
1715 				sessionp = calloc(1,
1716 				    sizeof (struct session_module));
1717 				if (sessionp == NULL)
1718 					return (PAM_BUF_ERR);
1719 			}
1720 
1721 			/* if open_module fails, return error */
1722 			if ((mh = open_module(pamh,
1723 			    pam_entry->module_path)) == NULL) {
1724 				__pam_log(LOG_AUTH | LOG_ERR,
1725 				    "load_modules[%d:%s]: can not open module "
1726 				    "%s", pamh->include_depth,
1727 				    pam_trace_cname(pamh),
1728 				    pam_entry->module_path);
1729 				free(sessionp);
1730 				return (PAM_OPEN_ERR);
1731 			}
1732 
1733 			if ((strcmp(function_name, PAM_SM_OPEN_SESSION) == 0) &&
1734 			    load_function(mh, PAM_SM_OPEN_SESSION,
1735 			    &sessionp->pam_sm_open_session) != PAM_SUCCESS) {
1736 				free(sessionp);
1737 				return (PAM_SYMBOL_ERR);
1738 			} else if ((strcmp(function_name,
1739 			    PAM_SM_CLOSE_SESSION) == 0) &&
1740 			    load_function(mh, PAM_SM_CLOSE_SESSION,
1741 			    &sessionp->pam_sm_close_session) != PAM_SUCCESS) {
1742 				free(sessionp);
1743 				return (PAM_SYMBOL_ERR);
1744 			}
1745 			pam_entry->function_ptr = sessionp;
1746 			break;
1747 		case PAM_PASSWORD_MODULE:
1748 			passwdp = pam_entry->function_ptr;
1749 			if (!loading_functions &&
1750 			    (strcmp(function_name, PAM_SM_CHAUTHTOK) == 0) &&
1751 			    passwdp && passwdp->pam_sm_chauthtok) {
1752 				return (PAM_SUCCESS);
1753 			}
1754 
1755 			/*
1756 			 * If functions are added to the password module,
1757 			 * verify that one of the other functions hasn't
1758 			 * already loaded it.  See PAM_AUTH_MODULE code.
1759 			 */
1760 			loading_functions = 1;
1761 			passwdp = calloc(1, sizeof (struct password_module));
1762 			if (passwdp == NULL)
1763 				return (PAM_BUF_ERR);
1764 
1765 			/* if open_module fails, continue */
1766 			if ((mh = open_module(pamh,
1767 			    pam_entry->module_path)) == NULL) {
1768 				__pam_log(LOG_AUTH | LOG_ERR,
1769 				    "load_modules[%d:%s]: can not open module "
1770 				    "%s", pamh->include_depth,
1771 				    pam_trace_cname(pamh),
1772 				    pam_entry->module_path);
1773 				free(passwdp);
1774 				return (PAM_OPEN_ERR);
1775 			}
1776 
1777 			if (load_function(mh, PAM_SM_CHAUTHTOK,
1778 			    &passwdp->pam_sm_chauthtok) != PAM_SUCCESS) {
1779 				free(passwdp);
1780 				return (PAM_SYMBOL_ERR);
1781 			}
1782 			pam_entry->function_ptr = passwdp;
1783 			break;
1784 		default:
1785 			pam_trace(PAM_DEBUG_DEFAULT,
1786 			    "load_modules[%d:%s](%p, %s): unsupported type %d",
1787 			    pamh->include_depth, pam_trace_cname(pamh),
1788 			    (void *)pamh, function_name, type);
1789 			break;
1790 		}
1791 
1792 		pam_entry = pam_entry->next;
1793 	} /* while */
1794 
1795 	pam_trace(PAM_DEBUG_MODULE, "load_modules[%d:%s](%p, %s)=done",
1796 	    pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
1797 	    function_name);
1798 
1799 	return (PAM_SUCCESS);
1800 }
1801 
1802 /*
1803  * open_module		- Open the module first checking for
1804  *			  propers modes and ownerships on the file.
1805  */
1806 
1807 static void *
1808 open_module(pam_handle_t *pamh, char *module_so)
1809 {
1810 	struct stat64	stb;
1811 	char		*errmsg;
1812 	void		*lfd;
1813 	fd_list		*module_fds = 0;
1814 	fd_list		*trail = 0;
1815 	fd_list		*traverse = 0;
1816 
1817 	/* Check the ownership and file modes */
1818 	if (stat64(module_so, &stb) < 0) {
1819 		__pam_log(LOG_AUTH | LOG_ERR,
1820 		    "open_module[%d:%s]: stat(%s) failed: %s",
1821 		    pamh->include_depth, pam_trace_cname(pamh), module_so,
1822 		    strerror(errno));
1823 		return (NULL);
1824 	}
1825 	if (stb.st_uid != (uid_t)0) {
1826 		__pam_log(LOG_AUTH | LOG_ALERT,
1827 		    "open_module[%d:%s]: Owner of the module %s is not root",
1828 		    pamh->include_depth, pam_trace_cname(pamh), module_so);
1829 		return (NULL);
1830 	}
1831 	if (stb.st_mode & S_IWGRP) {
1832 		__pam_log(LOG_AUTH | LOG_ALERT,
1833 		    "open_module[%d:%s]: module %s writable by group",
1834 		    pamh->include_depth, pam_trace_cname(pamh), module_so);
1835 		return (NULL);
1836 	}
1837 	if (stb.st_mode & S_IWOTH) {
1838 		__pam_log(LOG_AUTH | LOG_ALERT,
1839 		    "open_module[%d:%s]: module %s writable by world",
1840 		    pamh->include_depth, pam_trace_cname(pamh), module_so);
1841 		return (NULL);
1842 	}
1843 
1844 	/*
1845 	 * Perform the dlopen()
1846 	 */
1847 	lfd = (void *)dlopen(module_so, RTLD_LAZY);
1848 
1849 	if (lfd == NULL) {
1850 		errmsg = dlerror();
1851 		__pam_log(LOG_AUTH | LOG_ERR, "open_module[%d:%s]: %s "
1852 		    "failed: %s", pamh->include_depth, pam_trace_cname(pamh),
1853 		    module_so, errmsg != NULL ? errmsg : "Unknown error");
1854 		return (NULL);
1855 	} else {
1856 		/* add this fd to the pam handle */
1857 		if ((module_fds = calloc(1, sizeof (fd_list))) == 0) {
1858 			(void) dlclose(lfd);
1859 			lfd = 0;
1860 			return (NULL);
1861 		}
1862 		module_fds->mh = lfd;
1863 
1864 		if (pamh->fd == 0) {
1865 			/* adding new head of list */
1866 			pamh->fd = module_fds;
1867 		} else {
1868 			/* appending to end of list */
1869 			traverse = pamh->fd;
1870 			while (traverse) {
1871 				trail = traverse;
1872 				traverse = traverse->next;
1873 			}
1874 			trail->next = module_fds;
1875 		}
1876 	}
1877 
1878 	return (lfd);
1879 }
1880 
1881 /*
1882  * load_function - call dlsym() to resolve the function address
1883  */
1884 static int
1885 load_function(void *lfd, char *name, int (**func)())
1886 {
1887 	char *errmsg = NULL;
1888 
1889 	if (lfd == NULL)
1890 		return (PAM_SYMBOL_ERR);
1891 
1892 	*func = (int (*)())dlsym(lfd, name);
1893 	if (*func == NULL) {
1894 		errmsg = dlerror();
1895 		__pam_log(LOG_AUTH | LOG_ERR, "dlsym failed %s: error %s",
1896 		    name, errmsg != NULL ? errmsg : "Unknown error");
1897 		return (PAM_SYMBOL_ERR);
1898 	}
1899 
1900 	pam_trace(PAM_DEBUG_DEFAULT,
1901 	    "load_function: successful load of %s", name);
1902 	return (PAM_SUCCESS);
1903 }
1904 
1905 /*
1906  * Routines to read the pam.conf configuration file
1907  */
1908 
1909 /*
1910  * open_pam_conf - open the pam.conf config file
1911  */
1912 
1913 static int
1914 open_pam_conf(struct pam_fh **pam_fh, pam_handle_t *pamh, char *config)
1915 {
1916 	struct stat64	stb;
1917 	int		fd;
1918 
1919 	if ((fd = open(config, O_RDONLY)) == -1) {
1920 		__pam_log(LOG_AUTH | LOG_ALERT,
1921 		    "open_pam_conf[%d:%s]: open(%s) failed: %s",
1922 		    pamh->include_depth, pam_trace_cname(pamh), config,
1923 		    strerror(errno));
1924 		return (0);
1925 	}
1926 	/* Check the ownership and file modes */
1927 	if (fstat64(fd, &stb) < 0) {
1928 		__pam_log(LOG_AUTH | LOG_ALERT,
1929 		    "open_pam_conf[%d:%s]: stat(%s) failed: %s",
1930 		    pamh->include_depth, pam_trace_cname(pamh), config,
1931 		    strerror(errno));
1932 		(void) close(fd);
1933 		return (0);
1934 	}
1935 	if (stb.st_uid != (uid_t)0) {
1936 		__pam_log(LOG_AUTH | LOG_ALERT,
1937 		    "open_pam_conf[%d:%s]: Owner of %s is not root",
1938 		    pamh->include_depth, pam_trace_cname(pamh), config);
1939 		(void) close(fd);
1940 		return (0);
1941 	}
1942 	if (stb.st_mode & S_IWGRP) {
1943 		__pam_log(LOG_AUTH | LOG_ALERT,
1944 		    "open_pam_conf[%d:%s]: %s writable by group",
1945 		    pamh->include_depth, pam_trace_cname(pamh), config);
1946 		(void) close(fd);
1947 		return (0);
1948 	}
1949 	if (stb.st_mode & S_IWOTH) {
1950 		__pam_log(LOG_AUTH | LOG_ALERT,
1951 		    "open_pam_conf[%d:%s]: %s writable by world",
1952 		    pamh->include_depth, pam_trace_cname(pamh), config);
1953 		(void) close(fd);
1954 		return (0);
1955 	}
1956 	if ((*pam_fh = calloc(1, sizeof (struct pam_fh))) == NULL) {
1957 		(void) close(fd);
1958 		return (0);
1959 	}
1960 	(*pam_fh)->fconfig = fd;
1961 	(*pam_fh)->bufsize = (size_t)stb.st_size;
1962 	if (((*pam_fh)->data = mmap(0, (*pam_fh)->bufsize, PROT_READ,
1963 	    MAP_PRIVATE, (*pam_fh)->fconfig, 0)) == MAP_FAILED) {
1964 		(void) close(fd);
1965 		free (*pam_fh);
1966 		return (0);
1967 	}
1968 	(*pam_fh)->bufferp = (*pam_fh)->data;
1969 
1970 	return (1);
1971 }
1972 
1973 /*
1974  * close_pam_conf - close pam.conf
1975  */
1976 
1977 static void
1978 close_pam_conf(struct pam_fh *pam_fh)
1979 {
1980 	(void) munmap(pam_fh->data, pam_fh->bufsize);
1981 	(void) close(pam_fh->fconfig);
1982 	free(pam_fh);
1983 }
1984 
1985 /*
1986  * read_pam_conf - read in each entry in pam.conf and store info
1987  *		   under the pam handle.
1988  */
1989 
1990 static int
1991 read_pam_conf(pam_handle_t *pamh, char *config)
1992 {
1993 	struct pam_fh	*pam_fh;
1994 	pamtab_t	*pamentp;
1995 	pamtab_t	*tpament;
1996 	char		*service;
1997 	int		error;
1998 	int		i = pamh->include_depth;	/* include depth */
1999 	/*
2000 	 * service types:
2001 	 * error (-1), "auth" (0), "account" (1), "session" (2), "password" (3)
2002 	 */
2003 	int service_found[PAM_NUM_MODULE_TYPES+1] = {0, 0, 0, 0, 0};
2004 
2005 	(void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
2006 	if (service == NULL || *service == '\0') {
2007 		__pam_log(LOG_AUTH | LOG_ERR, "No service name");
2008 		return (PAM_SYSTEM_ERR);
2009 	}
2010 
2011 	pamh->pam_conf_name[i] = strdup(config);
2012 	pam_trace(PAM_DEBUG_CONF, "read_pam_conf[%d:%s](%p) open(%s)",
2013 	    i, pam_trace_cname(pamh), (void *)pamh, config);
2014 	if (open_pam_conf(&pam_fh, pamh, config) == 0) {
2015 		return (PAM_SYSTEM_ERR);
2016 	}
2017 
2018 	while ((error =
2019 	    get_pam_conf_entry(pam_fh, pamh, &pamentp)) == PAM_SUCCESS &&
2020 	    pamentp) {
2021 
2022 		/* See if entry is this service and valid */
2023 		if (verify_pam_conf(pamentp, service)) {
2024 			pam_trace(PAM_DEBUG_CONF,
2025 			    "read_pam_conf[%d:%s](%p): bad entry error %s",
2026 			    i, pam_trace_cname(pamh), (void *)pamh, service);
2027 
2028 			error = PAM_SYSTEM_ERR;
2029 			free_pamconf(pamentp);
2030 			goto out;
2031 		}
2032 		if (strcasecmp(pamentp->pam_service, service) == 0) {
2033 			pam_trace(PAM_DEBUG_CONF,
2034 			    "read_pam_conf[%d:%s](%p): processing %s",
2035 			    i, pam_trace_cname(pamh), (void *)pamh, service);
2036 			/* process first service entry */
2037 			if (service_found[pamentp->pam_type + 1] == 0) {
2038 				/* purge "other" entries */
2039 				while ((tpament = pamh->pam_conf_info[i]
2040 				    [pamentp->pam_type]) != NULL) {
2041 					pam_trace(PAM_DEBUG_CONF,
2042 					    "read_pam_conf(%p): purging "
2043 					    "\"other\"[%d:%s][%s]",
2044 					    (void *)pamh, i,
2045 					    pam_trace_cname(pamh),
2046 					    pam_snames[pamentp->pam_type]);
2047 					pamh->pam_conf_info[i]
2048 					    [pamentp->pam_type] = tpament->next;
2049 					free_pamconf(tpament);
2050 				}
2051 				/* add first service entry */
2052 				pam_trace(PAM_DEBUG_CONF,
2053 				    "read_pam_conf(%p): adding 1st "
2054 				    "%s[%d:%s][%s]",
2055 				    (void *)pamh, service, i,
2056 				    pam_trace_cname(pamh),
2057 				    pam_snames[pamentp->pam_type]);
2058 				pamh->pam_conf_info[i][pamentp->pam_type] =
2059 				    pamentp;
2060 				service_found[pamentp->pam_type + 1] = 1;
2061 			} else {
2062 				/* append more service entries */
2063 				pam_trace(PAM_DEBUG_CONF,
2064 				    "read_pam_conf(%p): adding more "
2065 				    "%s[%d:%s][%s]",
2066 				    (void *)pamh, service, i,
2067 				    pam_trace_cname(pamh),
2068 				    pam_snames[pamentp->pam_type]);
2069 				tpament =
2070 				    pamh->pam_conf_info[i][pamentp->pam_type];
2071 				while (tpament->next != NULL) {
2072 					tpament = tpament->next;
2073 				}
2074 				tpament->next = pamentp;
2075 			}
2076 		} else if (service_found[pamentp->pam_type + 1] == 0) {
2077 			/* See if "other" entry available and valid */
2078 			if (verify_pam_conf(pamentp, "other")) {
2079 				pam_trace(PAM_DEBUG_CONF,
2080 				    "read_pam_conf(%p): bad entry error %s "
2081 				    "\"other\"[%d:%s]",
2082 				    (void *)pamh, service, i,
2083 				    pam_trace_cname(pamh));
2084 				error = PAM_SYSTEM_ERR;
2085 				free_pamconf(pamentp);
2086 				goto out;
2087 			}
2088 			if (strcasecmp(pamentp->pam_service, "other") == 0) {
2089 				pam_trace(PAM_DEBUG_CONF,
2090 				    "read_pam_conf(%p): processing "
2091 				    "\"other\"[%d:%s]", (void *)pamh, i,
2092 				    pam_trace_cname(pamh));
2093 				if ((tpament = pamh->pam_conf_info[i]
2094 				    [pamentp->pam_type]) == NULL) {
2095 					/* add first "other" entry */
2096 					pam_trace(PAM_DEBUG_CONF,
2097 					    "read_pam_conf(%p): adding 1st "
2098 					    "other[%d:%s][%s]", (void *)pamh, i,
2099 					    pam_trace_cname(pamh),
2100 					    pam_snames[pamentp->pam_type]);
2101 					pamh->pam_conf_info[i]
2102 					    [pamentp->pam_type] = pamentp;
2103 				} else {
2104 					/* append more "other" entries */
2105 					pam_trace(PAM_DEBUG_CONF,
2106 					    "read_pam_conf(%p): adding more "
2107 					    "other[%d:%s][%s]", (void *)pamh, i,
2108 					    pam_trace_cname(pamh),
2109 					    pam_snames[pamentp->pam_type]);
2110 					while (tpament->next != NULL) {
2111 						tpament = tpament->next;
2112 					}
2113 					tpament->next = pamentp;
2114 				}
2115 			} else {
2116 				/* irrelevant entry */
2117 				free_pamconf(pamentp);
2118 			}
2119 		} else {
2120 			/* irrelevant entry */
2121 			free_pamconf(pamentp);
2122 		}
2123 	}
2124 out:
2125 	(void) close_pam_conf(pam_fh);
2126 	if (error != PAM_SUCCESS)
2127 		free_pam_conf_info(pamh);
2128 	return (error);
2129 }
2130 
2131 /*
2132  * get_pam_conf_entry - get a pam.conf entry
2133  */
2134 
2135 static int
2136 get_pam_conf_entry(struct pam_fh *pam_fh, pam_handle_t *pamh, pamtab_t **pam)
2137 {
2138 	char		*cp, *arg;
2139 	int		argc;
2140 	char		*tmp, *tmp_free;
2141 	int		i;
2142 	char		*current_line = NULL;
2143 	int		error = PAM_SYSTEM_ERR;	/* preset to error */
2144 	int		err;
2145 
2146 	/* get the next line from pam.conf */
2147 	if ((cp = nextline(pam_fh, pamh, &err)) == NULL) {
2148 		/* no more lines in pam.conf ==> return */
2149 		error = PAM_SUCCESS;
2150 		*pam = NULL;
2151 		goto out;
2152 	}
2153 
2154 	if ((*pam = calloc(1, sizeof (pamtab_t))) == NULL) {
2155 		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2156 		goto out;
2157 	}
2158 
2159 	/* copy full line for error reporting */
2160 	if ((current_line = strdup(cp)) == NULL) {
2161 		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2162 		goto out;
2163 	}
2164 
2165 	pam_trace(PAM_DEBUG_CONF,
2166 	    "pam.conf[%s] entry:\t%s", pam_trace_cname(pamh), current_line);
2167 
2168 	/* get service name (e.g. login, su, passwd) */
2169 	if ((arg = read_next_token(&cp)) == 0) {
2170 		__pam_log(LOG_AUTH | LOG_CRIT,
2171 		    "illegal pam.conf[%s] entry: %s: missing SERVICE NAME",
2172 		    pam_trace_cname(pamh), current_line);
2173 		goto out;
2174 	}
2175 	if (((*pam)->pam_service = strdup(arg)) == 0) {
2176 		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2177 		goto out;
2178 	}
2179 
2180 	/* get module type (e.g. authentication, acct mgmt) */
2181 	if ((arg = read_next_token(&cp)) == 0) {
2182 		__pam_log(LOG_AUTH | LOG_CRIT,
2183 		    "illegal pam.conf[%s] entry: %s: missing MODULE TYPE",
2184 		    pam_trace_cname(pamh), current_line);
2185 		(*pam)->pam_type = -1;	/* 0 is a valid value */
2186 		goto getflag;
2187 	}
2188 	if (strcasecmp(arg, PAM_AUTH_NAME) == 0) {
2189 		(*pam)->pam_type = PAM_AUTH_MODULE;
2190 	} else if (strcasecmp(arg, PAM_ACCOUNT_NAME) == 0) {
2191 		(*pam)->pam_type = PAM_ACCOUNT_MODULE;
2192 	} else if (strcasecmp(arg, PAM_SESSION_NAME) == 0) {
2193 		(*pam)->pam_type = PAM_SESSION_MODULE;
2194 	} else if (strcasecmp(arg, PAM_PASSWORD_NAME) == 0) {
2195 		(*pam)->pam_type = PAM_PASSWORD_MODULE;
2196 	} else {
2197 		/* error */
2198 		__pam_log(LOG_AUTH | LOG_CRIT,
2199 		    "illegal pam.conf[%s] entry: %s: invalid module "
2200 		    "type: %s", pam_trace_cname(pamh), current_line, arg);
2201 		(*pam)->pam_type = -1;	/* 0 is a valid value */
2202 	}
2203 
2204 getflag:
2205 	/* get pam flag (e.g., requisite, required, sufficient, optional) */
2206 	if ((arg = read_next_token(&cp)) == 0) {
2207 		__pam_log(LOG_AUTH | LOG_CRIT,
2208 		    "illegal pam.conf[%s] entry: %s: missing CONTROL FLAG",
2209 		    pam_trace_cname(pamh), current_line);
2210 		goto getpath;
2211 	}
2212 	if (strcasecmp(arg, PAM_BINDING_NAME) == 0) {
2213 		(*pam)->pam_flag = PAM_BINDING;
2214 	} else if (strcasecmp(arg, PAM_INCLUDE_NAME) == 0) {
2215 		(*pam)->pam_flag = PAM_INCLUDE;
2216 	} else if (strcasecmp(arg, PAM_OPTIONAL_NAME) == 0) {
2217 		(*pam)->pam_flag = PAM_OPTIONAL;
2218 	} else if (strcasecmp(arg, PAM_REQUIRED_NAME) == 0) {
2219 		(*pam)->pam_flag = PAM_REQUIRED;
2220 	} else if (strcasecmp(arg, PAM_REQUISITE_NAME) == 0) {
2221 		(*pam)->pam_flag = PAM_REQUISITE;
2222 	} else if (strcasecmp(arg, PAM_SUFFICIENT_NAME) == 0) {
2223 		(*pam)->pam_flag = PAM_SUFFICIENT;
2224 	} else {
2225 		/* error */
2226 		__pam_log(LOG_AUTH | LOG_CRIT,
2227 		    "illegal pam.conf[%s] entry: %s",
2228 		    pam_trace_cname(pamh), current_line);
2229 		__pam_log(LOG_AUTH | LOG_CRIT,
2230 		    "\tinvalid control flag: %s", arg);
2231 	}
2232 
2233 getpath:
2234 	/* get module path (e.g. /usr/lib/security/pam_unix_auth.so.1) */
2235 	if ((arg = read_next_token(&cp)) == 0) {
2236 		__pam_log(LOG_AUTH | LOG_CRIT,
2237 		    "illegal pam.conf[%s] entry: %s: missing MODULE PATH",
2238 		    pam_trace_cname(pamh), current_line);
2239 		error = PAM_SUCCESS;	/* success */
2240 		goto out;
2241 	}
2242 	if (arg[0] != '/') {
2243 		size_t len;
2244 		/*
2245 		 * If module path does not start with "/", then
2246 		 * prepend PAM_LIB_DIR (/usr/lib/security/).
2247 		 */
2248 		/* sizeof (PAM_LIB_DIR) has room for '\0' */
2249 		len = sizeof (PAM_LIB_DIR) + sizeof (PAM_ISA_DIR) + strlen(arg);
2250 		if (((*pam)->module_path = malloc(len)) == NULL) {
2251 			__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2252 			goto out;
2253 		}
2254 		if ((*pam)->pam_flag & PAM_INCLUDE) {
2255 			(void) snprintf((*pam)->module_path, len, "%s%s",
2256 			    PAM_LIB_DIR, arg);
2257 		} else {
2258 			(void) snprintf((*pam)->module_path, len, "%s%s%s",
2259 			    PAM_LIB_DIR, PAM_ISA_DIR, arg);
2260 		}
2261 	} else {
2262 		/* Full path provided for module */
2263 		char *isa;
2264 
2265 		/* Check for Instruction Set Architecture indicator */
2266 		if ((isa = strstr(arg, PAM_ISA)) != NULL) {
2267 			size_t len;
2268 			len = strlen(arg) - (sizeof (PAM_ISA)-1) +
2269 			    sizeof (PAM_ISA_DIR);
2270 
2271 			/* substitute the architecture dependent path */
2272 			if (((*pam)->module_path = malloc(len)) == NULL) {
2273 				__pam_log(LOG_AUTH | LOG_ERR,
2274 				    "strdup: out of memory");
2275 				goto out;
2276 			}
2277 			*isa = '\000';
2278 			isa += strlen(PAM_ISA);
2279 			(void) snprintf((*pam)->module_path, len, "%s%s%s",
2280 			    arg, PAM_ISA_DIR, isa);
2281 		} else if (((*pam)->module_path = strdup(arg)) == 0) {
2282 			__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2283 			goto out;
2284 		}
2285 	}
2286 
2287 	/* count the number of module-specific options first */
2288 	argc = 0;
2289 	if ((tmp = strdup(cp)) == NULL) {
2290 		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2291 		goto out;
2292 	}
2293 	tmp_free = tmp;
2294 	for (arg = read_next_token(&tmp); arg; arg = read_next_token(&tmp))
2295 		argc++;
2296 	free(tmp_free);
2297 
2298 	/* allocate array for the module-specific options */
2299 	if (argc > 0) {
2300 		if (((*pam)->module_argv =
2301 		    calloc(argc+1, sizeof (char *))) == 0) {
2302 			__pam_log(LOG_AUTH | LOG_ERR, "calloc: out of memory");
2303 			goto out;
2304 		}
2305 		i = 0;
2306 		for (arg = read_next_token(&cp); arg;
2307 		    arg = read_next_token(&cp)) {
2308 			(*pam)->module_argv[i] = strdup(arg);
2309 			if ((*pam)->module_argv[i] == NULL) {
2310 				__pam_log(LOG_AUTH | LOG_ERR, "strdup failed");
2311 				goto out;
2312 			}
2313 			i++;
2314 		}
2315 		(*pam)->module_argv[argc] = NULL;
2316 	}
2317 	(*pam)->module_argc = argc;
2318 
2319 	error = PAM_SUCCESS;	/* success */
2320 	(*pam)->pam_err = err;	/* was the line truncated */
2321 
2322 out:
2323 	if (current_line)
2324 		free(current_line);
2325 	if (error != PAM_SUCCESS) {
2326 		/* on error free this */
2327 		if (*pam)
2328 			free_pamconf(*pam);
2329 	}
2330 	return (error);
2331 }
2332 
2333 
2334 /*
2335  * read_next_token - skip tab and space characters and return the next token
2336  */
2337 
2338 static char *
2339 read_next_token(char **cpp)
2340 {
2341 	register char *cp = *cpp;
2342 	char *start;
2343 
2344 	if (cp == (char *)0) {
2345 		*cpp = (char *)0;
2346 		return ((char *)0);
2347 	}
2348 	while (*cp == ' ' || *cp == '\t')
2349 		cp++;
2350 	if (*cp == '\0') {
2351 		*cpp = (char *)0;
2352 		return ((char *)0);
2353 	}
2354 	start = cp;
2355 	while (*cp && *cp != ' ' && *cp != '\t')
2356 		cp++;
2357 	if (*cp != '\0')
2358 		*cp++ = '\0';
2359 	*cpp = cp;
2360 	return (start);
2361 }
2362 
2363 static char *
2364 pam_conf_strnchr(char *sp, int c, intptr_t count)
2365 {
2366 	while (count) {
2367 		if (*sp == (char)c)
2368 			return ((char *)sp);
2369 		else {
2370 			sp++;
2371 			count--;
2372 		}
2373 	};
2374 	return (NULL);
2375 }
2376 
2377 /*
2378  * nextline - skip all blank lines and comments
2379  */
2380 
2381 static char *
2382 nextline(struct pam_fh *pam_fh, pam_handle_t *pamh, int *err)
2383 {
2384 	char	*ll;
2385 	int	find_a_line = 0;
2386 	char	*data = pam_fh->data;
2387 	char	*bufferp = pam_fh->bufferp;
2388 	char	*bufferendp = &data[pam_fh->bufsize];
2389 	size_t	input_len;
2390 
2391 	/*
2392 	 * Skip the blank line, comment line
2393 	 */
2394 	while (!find_a_line) {
2395 		/* if we are at the end of the buffer, there is no next line */
2396 		if (bufferp == bufferendp)
2397 			return (NULL);
2398 
2399 		/* skip blank line */
2400 		while (*bufferp == '\n') {
2401 			/*
2402 			 * If we are at the end of the buffer, there is
2403 			 * no next line.
2404 			 */
2405 			if (++bufferp == bufferendp) {
2406 				return (NULL);
2407 			}
2408 			/* else we check *bufferp again */
2409 		}
2410 
2411 		/* skip comment line */
2412 		while (*bufferp == '#') {
2413 			if ((ll = pam_conf_strnchr(bufferp, '\n',
2414 			    bufferendp - bufferp)) != NULL) {
2415 				bufferp = ll;
2416 			} else {
2417 				/*
2418 				 * this comment line the last line.
2419 				 * no next line
2420 				 */
2421 				return (NULL);
2422 			}
2423 
2424 			/*
2425 			 * If we are at the end of the buffer, there is
2426 			 * no next line.
2427 			 */
2428 			if (bufferp == bufferendp) {
2429 				return (NULL);
2430 			}
2431 		}
2432 
2433 		if ((*bufferp != '\n') && (*bufferp != '#')) {
2434 			find_a_line = 1;
2435 		}
2436 	}
2437 
2438 	*err = PAM_SUCCESS;
2439 	/* now we find one line */
2440 	if ((ll = pam_conf_strnchr(bufferp, '\n', bufferendp - bufferp))
2441 	    != NULL) {
2442 		if ((input_len = ll - bufferp) >= sizeof (pam_fh->line)) {
2443 			__pam_log(LOG_AUTH | LOG_ERR,
2444 			    "nextline[%d:%s]: pam.conf line too long %.256s",
2445 			    pamh->include_depth, pam_trace_cname(pamh),
2446 			    bufferp);
2447 			input_len = sizeof (pam_fh->line) - 1;
2448 			*err = PAM_SERVICE_ERR;
2449 		}
2450 		(void) strncpy(pam_fh->line, bufferp, input_len);
2451 		pam_fh->line[input_len] = '\0';
2452 		pam_fh->bufferp = ll++;
2453 	} else {
2454 		ll = bufferendp;
2455 		if ((input_len = ll - bufferp) >= sizeof (pam_fh->line)) {
2456 			__pam_log(LOG_AUTH | LOG_ERR,
2457 			    "nextline[%d:%s]: pam.conf line too long %.256s",
2458 			    pamh->include_depth, pam_trace_cname(pamh),
2459 			    bufferp);
2460 			input_len = sizeof (pam_fh->line) - 1;
2461 			*err = PAM_SERVICE_ERR;
2462 		}
2463 		(void) strncpy(pam_fh->line, bufferp, input_len);
2464 		pam_fh->line[input_len] = '\0';
2465 		pam_fh->bufferp = ll;
2466 	}
2467 
2468 	return (pam_fh->line);
2469 }
2470 
2471 /*
2472  * verify_pam_conf - verify that the pam_conf entry is filled in.
2473  *
2474  *	True = Error if there is no service.
2475  *	True = Error if there is a service and it matches the requested service
2476  *		but, the type, flag, line overflow, or path is in error.
2477  */
2478 
2479 static int
2480 verify_pam_conf(pamtab_t *pam, char *service)
2481 {
2482 	return ((pam->pam_service == (char *)NULL) ||
2483 	    ((strcasecmp(pam->pam_service, service) == 0) &&
2484 	    ((pam->pam_type == -1) ||
2485 	    (pam->pam_flag == 0) ||
2486 	    (pam->pam_err != PAM_SUCCESS) ||
2487 	    (pam->module_path == (char *)NULL))));
2488 }
2489 
2490 /*
2491  * Routines to free allocated storage
2492  */
2493 
2494 /*
2495  * clean_up -  free allocated storage in the pam handle
2496  */
2497 
2498 static void
2499 clean_up(pam_handle_t *pamh)
2500 {
2501 	int i;
2502 	pam_repository_t *auth_rep;
2503 
2504 	if (pamh) {
2505 		while (pamh->include_depth >= 0) {
2506 			free_pam_conf_info(pamh);
2507 			pamh->include_depth--;
2508 		}
2509 
2510 		/* Cleanup PAM_REPOSITORY structure */
2511 		auth_rep = pamh->ps_item[PAM_REPOSITORY].pi_addr;
2512 		if (auth_rep != NULL) {
2513 			if (auth_rep->type != NULL)
2514 				free(auth_rep->type);
2515 			if (auth_rep->scope != NULL)
2516 				free(auth_rep->scope);
2517 		}
2518 
2519 		for (i = 0; i < PAM_MAX_ITEMS; i++) {
2520 			if (pamh->ps_item[i].pi_addr != NULL) {
2521 				if (i == PAM_AUTHTOK || i == PAM_OLDAUTHTOK) {
2522 					(void) memset(pamh->ps_item[i].pi_addr,
2523 					    0, pamh->ps_item[i].pi_size);
2524 				}
2525 				free(pamh->ps_item[i].pi_addr);
2526 			}
2527 		}
2528 		free(pamh);
2529 	}
2530 }
2531 
2532 /*
2533  * free_pamconf - free memory used to store pam.conf entry
2534  */
2535 
2536 static void
2537 free_pamconf(pamtab_t *cp)
2538 {
2539 	int i;
2540 
2541 	if (cp) {
2542 		if (cp->pam_service)
2543 			free(cp->pam_service);
2544 		if (cp->module_path)
2545 			free(cp->module_path);
2546 		for (i = 0; i < cp->module_argc; i++) {
2547 			if (cp->module_argv[i])
2548 				free(cp->module_argv[i]);
2549 		}
2550 		if (cp->module_argc > 0)
2551 			free(cp->module_argv);
2552 		if (cp->function_ptr)
2553 			free(cp->function_ptr);
2554 
2555 		free(cp);
2556 	}
2557 }
2558 
2559 /*
2560  * free_pam_conf_info - free memory used to store all pam.conf info
2561  *			under the pam handle
2562  */
2563 
2564 static void
2565 free_pam_conf_info(pam_handle_t *pamh)
2566 {
2567 	pamtab_t *pamentp;
2568 	pamtab_t *pament_trail;
2569 	int i = pamh->include_depth;
2570 	int j;
2571 
2572 	for (j = 0; j < PAM_NUM_MODULE_TYPES; j++) {
2573 		pamentp = pamh->pam_conf_info[i][j];
2574 		pamh->pam_conf_info[i][j] = NULL;
2575 		pament_trail = pamentp;
2576 		while (pamentp) {
2577 			pamentp = pamentp->next;
2578 			free_pamconf(pament_trail);
2579 			pament_trail = pamentp;
2580 		}
2581 	}
2582 	if (pamh->pam_conf_name[i] != NULL) {
2583 		free(pamh->pam_conf_name[i]);
2584 		pamh->pam_conf_name[i] = NULL;
2585 	}
2586 }
2587 
2588 static void
2589 free_env(env_list *pam_env)
2590 {
2591 	if (pam_env) {
2592 		if (pam_env->name)
2593 			free(pam_env->name);
2594 		if (pam_env->value)
2595 			free(pam_env->value);
2596 		free(pam_env);
2597 	}
2598 }
2599 
2600 /*
2601  *	Internal convenience functions for Solaris PAM service modules.
2602  */
2603 
2604 #include <libintl.h>
2605 #include <nl_types.h>
2606 #include <synch.h>
2607 #include <locale.h>
2608 #include <thread.h>
2609 
2610 typedef struct pam_msg_data {
2611 	nl_catd fd;
2612 } pam_msg_data_t;
2613 
2614 /*
2615  * free_resp():
2616  *	free storage for responses used in the call back "pam_conv" functions
2617  */
2618 
2619 void
2620 free_resp(int num_msg, struct pam_response *resp)
2621 {
2622 	int			i;
2623 	struct pam_response	*r;
2624 
2625 	if (resp) {
2626 		r = resp;
2627 		for (i = 0; i < num_msg; i++, r++) {
2628 			if (r->resp) {
2629 				/* clear before freeing -- may be a password */
2630 				bzero(r->resp, strlen(r->resp));
2631 				free(r->resp);
2632 				r->resp = NULL;
2633 			}
2634 		}
2635 		free(resp);
2636 	}
2637 }
2638 
2639 static int
2640 do_conv(pam_handle_t *pamh, int msg_style, int num_msg,
2641     char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp,
2642     struct pam_response *ret_respp[])
2643 {
2644 	struct pam_message	*msg;
2645 	struct pam_message	*m;
2646 	int			i;
2647 	int			k;
2648 	int			retcode;
2649 	struct pam_conv		*pam_convp;
2650 
2651 	if ((retcode = pam_get_item(pamh, PAM_CONV,
2652 	    (void **)&pam_convp)) != PAM_SUCCESS) {
2653 		return (retcode);
2654 	}
2655 
2656 	/*
2657 	 * When pam_set_item() is called to set PAM_CONV and the
2658 	 * item is NULL, memset(pip->pi_addr, 0, size) is called.
2659 	 * So at this point, we should check whether pam_convp->conv
2660 	 * is NULL or not.
2661 	 */
2662 	if ((pam_convp == NULL) || (pam_convp->conv == NULL))
2663 		return (PAM_SYSTEM_ERR);
2664 
2665 	i = 0;
2666 	k = num_msg;
2667 
2668 	msg = calloc(num_msg, sizeof (struct pam_message));
2669 	if (msg == NULL) {
2670 		return (PAM_BUF_ERR);
2671 	}
2672 	m = msg;
2673 
2674 	while (k--) {
2675 		/*
2676 		 * fill out the message structure to display prompt message
2677 		 */
2678 		m->msg_style = msg_style;
2679 		m->msg = messages[i];
2680 		pam_trace(PAM_DEBUG_CONV,
2681 		    "pam_conv_msg(%p:%d[%d]=%s)",
2682 		    (void *)pamh, msg_style, i, messages[i]);
2683 		m++;
2684 		i++;
2685 	}
2686 
2687 	/*
2688 	 * The UNIX pam modules always calls __pam_get_authtok() and
2689 	 * __pam_display_msg() with a NULL pointer as the conv_apdp.
2690 	 * In case the conv_apdp is NULL and the pam_convp->appdata_ptr
2691 	 * is not NULL, we should pass the pam_convp->appdata_ptr
2692 	 * to the conversation function.
2693 	 */
2694 	if (conv_apdp == NULL && pam_convp->appdata_ptr != NULL)
2695 		conv_apdp = pam_convp->appdata_ptr;
2696 
2697 	/*
2698 	 * Call conv function to display the prompt.
2699 	 */
2700 	retcode = (pam_convp->conv)(num_msg, &msg, ret_respp, conv_apdp);
2701 	pam_trace(PAM_DEBUG_CONV,
2702 	    "pam_conv_resp(%p pam_conv = %s) ret_respp = %p",
2703 	    (void *)pamh, pam_strerror(pamh, retcode), (void *)ret_respp);
2704 	if (*ret_respp == NULL) {
2705 		pam_trace(PAM_DEBUG_CONV,
2706 		    "pam_conv_resp(%p No response requested)", (void *)pamh);
2707 	} else if ((pam_debug & (PAM_DEBUG_CONV | PAM_DEBUG_AUTHTOK)) != 0) {
2708 		struct pam_response *r = *ret_respp;
2709 
2710 		for (i = 0; i < num_msg; i++, r++) {
2711 			if (r->resp == NULL) {
2712 				pam_trace(PAM_DEBUG_CONV,
2713 				    "pam_conv_resp(%p:"
2714 				    "[%d] NULL response string)",
2715 				    (void *)pamh, i);
2716 			} else {
2717 				if (msg_style == PAM_PROMPT_ECHO_OFF) {
2718 #ifdef	DEBUG
2719 					pam_trace(PAM_DEBUG_AUTHTOK,
2720 					    "pam_conv_resp(%p:[%d]=%s, "
2721 					    "code=%d)",
2722 					    (void *)pamh, i, r->resp,
2723 					    r->resp_retcode);
2724 #endif	/* DEBUG */
2725 					pam_trace(PAM_DEBUG_CONV,
2726 					    "pam_conv_resp(%p:[%d] len=%lu, "
2727 					    "code=%d)",
2728 					    (void *)pamh, i,
2729 					    (ulong_t)strlen(r->resp),
2730 					    r->resp_retcode);
2731 				} else {
2732 					pam_trace(PAM_DEBUG_CONV,
2733 					    "pam_conv_resp(%p:[%d]=%s, "
2734 					    "code=%d)",
2735 					    (void *)pamh, i, r->resp,
2736 					    r->resp_retcode);
2737 				}
2738 			}
2739 		}
2740 	}
2741 
2742 	if (msg)
2743 		free(msg);
2744 	return (retcode);
2745 }
2746 
2747 /*
2748  * __pam_display_msg():
2749  *	display message by calling the call back functions
2750  *	provided by the application through "pam_conv" structure
2751  */
2752 
2753 int
2754 __pam_display_msg(pam_handle_t *pamh, int msg_style, int num_msg,
2755     char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp)
2756 {
2757 	struct pam_response	*ret_respp = NULL;
2758 	int ret;
2759 
2760 	ret = do_conv(pamh, msg_style, num_msg, messages,
2761 	    conv_apdp, &ret_respp);
2762 
2763 	if (ret_respp != NULL)
2764 		free_resp(num_msg, ret_respp);
2765 
2766 	return (ret);
2767 }
2768 
2769 /*
2770  * __pam_get_authtok()
2771  *	retrieves a password of at most PASS_MAX length from the pam
2772  *	handle (pam_get_item) or from the input stream (do_conv).
2773  *
2774  * This function allocates memory for the new authtok.
2775  * Applications calling this function are responsible for
2776  * freeing this memory.
2777  *
2778  * If "source" is
2779  *	PAM_HANDLE
2780  * and "type" is:
2781  *	PAM_AUTHTOK - password is taken from pam handle (PAM_AUTHTOK)
2782  *	PAM_OLDAUTHTOK - password is taken from pam handle (PAM_OLDAUTHTOK)
2783  *
2784  * If "source" is
2785  *	PAM_PROMPT
2786  * and "type" is:
2787  *	0:		Prompt for new passwd, do not even attempt
2788  *			to store it in the pam handle.
2789  *	PAM_AUTHTOK:	Prompt for new passwd, store in pam handle as
2790  *			PAM_AUTHTOK item if this value is not already set.
2791  *	PAM_OLDAUTHTOK:	Prompt for new passwd, store in pam handle as
2792  *			PAM_OLDAUTHTOK item if this value is not
2793  *			already set.
2794  */
2795 int
2796 __pam_get_authtok(pam_handle_t *pamh, int source, int type, char *prompt,
2797     char **authtok)
2798 {
2799 	int error = PAM_SYSTEM_ERR;
2800 	char *new_password = NULL;
2801 	struct pam_response *ret_resp = NULL;
2802 	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
2803 
2804 	if ((*authtok = calloc(PASS_MAX+1, sizeof (char))) == NULL)
2805 		return (PAM_BUF_ERR);
2806 
2807 	if (prompt == NULL)
2808 		prompt = dgettext(TEXT_DOMAIN, "password: ");
2809 
2810 	switch (source) {
2811 	case PAM_HANDLE:
2812 
2813 		/* get password from pam handle item list */
2814 
2815 		switch (type) {
2816 		case PAM_AUTHTOK:
2817 		case PAM_OLDAUTHTOK:
2818 
2819 			if ((error = pam_get_item(pamh, type,
2820 			    (void **)&new_password)) != PAM_SUCCESS)
2821 				goto err_ret;
2822 
2823 			if (new_password == NULL || new_password[0] == '\0') {
2824 				free(*authtok);
2825 				*authtok = NULL;
2826 			} else {
2827 				(void) strlcpy(*authtok, new_password,
2828 				    PASS_MAX+1);
2829 			}
2830 			break;
2831 		default:
2832 			__pam_log(LOG_AUTH | LOG_ERR,
2833 			    "__pam_get_authtok() invalid type: %d", type);
2834 			error = PAM_SYMBOL_ERR;
2835 			goto err_ret;
2836 		}
2837 		break;
2838 	case PAM_PROMPT:
2839 
2840 		/*
2841 		 * Prompt for new password and save in pam handle item list
2842 		 * if the that item is not already set.
2843 		 */
2844 
2845 		(void) strncpy(messages[0], prompt, sizeof (messages[0]));
2846 		if ((error = do_conv(pamh, PAM_PROMPT_ECHO_OFF, 1, messages,
2847 		    NULL, &ret_resp)) != PAM_SUCCESS)
2848 			goto err_ret;
2849 
2850 		if (ret_resp->resp == NULL) {
2851 			/* getpass didn't return anything */
2852 			error = PAM_SYSTEM_ERR;
2853 			goto err_ret;
2854 		}
2855 
2856 		/* save the new password if this item was NULL */
2857 		if (type) {
2858 			if ((error = pam_get_item(pamh, type,
2859 			    (void **)&new_password)) != PAM_SUCCESS) {
2860 				free_resp(1, ret_resp);
2861 				goto err_ret;
2862 			}
2863 			if (new_password == NULL)
2864 				(void) pam_set_item(pamh, type, ret_resp->resp);
2865 		}
2866 
2867 		(void) strlcpy(*authtok, ret_resp->resp, PASS_MAX+1);
2868 		free_resp(1, ret_resp);
2869 		break;
2870 	default:
2871 		__pam_log(LOG_AUTH | LOG_ERR,
2872 		    "__pam_get_authtok() invalid source: %d", source);
2873 		error = PAM_SYMBOL_ERR;
2874 		goto err_ret;
2875 	}
2876 
2877 	return (PAM_SUCCESS);
2878 
2879 err_ret:
2880 	bzero(*authtok, PASS_MAX+1);
2881 	free(*authtok);
2882 	*authtok = NULL;
2883 	return (error);
2884 }
2885