X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=etc%2Fuams%2Fuams_dhx_pam.c;h=b3bd931052c54b424cd328579be35f67531b7813;hb=b35812db1e932c31154b7da72c564dabe95fd03d;hp=0e7eed434e790de3a225816bcc35006b73a6cfc8;hpb=d7c1ee14c81a3c6496e6285fd3e1aab275f224d4;p=netatalk.git

diff --git a/etc/uams/uams_dhx_pam.c b/etc/uams/uams_dhx_pam.c
index 0e7eed43..b3bd9310 100644
--- a/etc/uams/uams_dhx_pam.c
+++ b/etc/uams/uams_dhx_pam.c
@@ -1,5 +1,5 @@
 /*
- * $Id: uams_dhx_pam.c,v 1.24 2003-01-08 22:16:24 didg Exp $
+ * $Id: uams_dhx_pam.c,v 1.33 2010-03-30 10:25:49 franklahm Exp $
  *
  * Copyright (c) 1990,1993 Regents of The University of Michigan.
  * Copyright (c) 1999 Adrian Sun (asun@u.washington.edu) 
@@ -20,8 +20,13 @@
 #include <unistd.h>
 #endif /* HAVE_UNISTD_H */
 #include <errno.h>
-
+#ifdef HAVE_SECURITY_PAM_APPL_H
 #include <security/pam_appl.h>
+#endif
+#ifdef HAVE_PAM_PAM_APPL_H
+#include <pam/pam_appl.h>
+#endif
+
 
 #if defined(GNUTLS_DHX)
 #include <gnutls/openssl.h>
@@ -29,10 +34,12 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 #include <openssl/cast.h>
+#include <openssl/err.h>
 #else /* OPENSSL_DHX */
 #include <bn.h>
 #include <dh.h>
 #include <cast.h>
+#include <err.h>
 #endif /* OPENSSL_DHX */
 
 #include <atalk/afp.h>
@@ -75,7 +82,7 @@ static char *PAM_password;
 static int PAM_conv (int num_msg,
                      const struct pam_message **msg,
                      struct pam_response **resp,
-                     void *appdata_ptr) {
+                     void *appdata_ptr _U_) {
   int count = 0;
   struct pam_response *reply;
   
@@ -177,20 +184,14 @@ static struct pam_conv PAM_conversation = {
 };
 
 
-static int dhx_setup(void *obj, char *ibuf, int ibuflen, 
-		     char *rbuf, int *rbuflen)
+static int dhx_setup(void *obj, char *ibuf, size_t ibuflen _U_, 
+		     char *rbuf, size_t *rbuflen)
 {
     u_int16_t sessid;
-    int i;
+    size_t i;
     BIGNUM *bn, *gbn, *pbn;
     DH *dh;
 
-    /* TODO: seed dhx_setup properly... this is a hack */
-#ifdef sun
-    	/* *SEVERE* hack... fix */
-	RAND_load_file("/var/adm/messages", KEYSIZE);
-#endif /* sun */
-
     /* get the client's public key */
     if (!(bn = BN_bin2bn(ibuf, KEYSIZE, NULL))) {
     /* Log Entry */
@@ -235,12 +236,22 @@ static int dhx_setup(void *obj, char *ibuf, int ibuflen,
     /* generate key and make sure that we have enough space */
     dh->p = pbn;
     dh->g = gbn;
-    if (!DH_generate_key(dh) || (BN_num_bytes(dh->pub_key) > KEYSIZE)) {
-    /* Log Entry */
-           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Err Generating Key -- Not enough Space? -- %s",
-		  strerror(errno));
-    /* Log Entry */
-    goto pam_fail;
+    if (DH_generate_key(dh) == 0) {
+	unsigned long dherror;
+	char errbuf[256];
+
+	ERR_load_crypto_strings();
+	dherror = ERR_get_error();
+	ERR_error_string_n(dherror, errbuf, 256);
+
+	LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Err Generating Key (OpenSSL error code: %u, %s)", dherror, errbuf);
+
+	ERR_free_strings();
+	goto pam_fail;
+    }
+    if (BN_num_bytes(dh->pub_key) > KEYSIZE) {
+	LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Err Generating Key -- Not enough Space? -- %s", strerror(errno));
+	goto pam_fail;
     }
 
     /* figure out the key. store the key in rbuf for now. */
@@ -308,13 +319,13 @@ pam_fail:
 }
 
 /* -------------------------------- */
-static int login(void *obj, char *username, int ulen,  struct passwd **uam_pwd,
-		     char *ibuf, int ibuflen,
-		     char *rbuf, int *rbuflen)
+static int login(void *obj, char *username, int ulen,  struct passwd **uam_pwd _U_,
+		     char *ibuf, size_t ibuflen,
+		     char *rbuf, size_t *rbuflen)
 {
-    if (( dhxpwd = uam_getname(username, ulen)) == NULL ) {
-        LOG(log_info, logtype_uams, "uams_dhx_pam.c: unknown username");
-	return AFPERR_PARAM;
+    if (( dhxpwd = uam_getname(obj, username, ulen)) == NULL ) {
+        LOG(log_info, logtype_uams, "uams_dhx_pam.c: unknown username [%s]", username);
+        return AFPERR_NOTAUTH;
     }
 
     PAM_username = username;
@@ -326,11 +337,11 @@ static int login(void *obj, char *username, int ulen,  struct passwd **uam_pwd,
 /* dhx login: things are done in a slightly bizarre order to avoid
  * having to clean things up if there's an error. */
 static int pam_login(void *obj, struct passwd **uam_pwd,
-		     char *ibuf, int ibuflen,
-		     char *rbuf, int *rbuflen)
+		     char *ibuf, size_t ibuflen,
+		     char *rbuf, size_t *rbuflen)
 {
     char *username;
-    int len, ulen;
+    size_t len, ulen;
 
     *rbuflen = 0;
 
@@ -360,8 +371,8 @@ static int pam_login(void *obj, struct passwd **uam_pwd,
 
 /* ----------------------------- */
 static int pam_login_ext(void *obj, char *uname, struct passwd **uam_pwd,
-		     char *ibuf, int ibuflen,
-		     char *rbuf, int *rbuflen)
+		     char *ibuf, size_t ibuflen,
+		     char *rbuf, size_t *rbuflen)
 {
     char *username;
     int len, ulen;
@@ -396,10 +407,10 @@ static int pam_login_ext(void *obj, char *uname, struct passwd **uam_pwd,
 /* -------------------------------- */
 
 static int pam_logincont(void *obj, struct passwd **uam_pwd,
-			 char *ibuf, int ibuflen, 
-			 char *rbuf, int *rbuflen)
+			 char *ibuf, size_t ibuflen _U_, 
+			 char *rbuf, size_t *rbuflen)
 {
-    char *hostname;
+    const char *hostname;
     BIGNUM *bn1, *bn2, *bn3;
     u_int16_t sessid;
     int err, PAM_error;
@@ -490,18 +501,19 @@ static int pam_logincont(void *obj, struct passwd **uam_pwd,
     }      
 
     PAM_error = pam_acct_mgmt(pamh, 0);
-    if (PAM_error != PAM_SUCCESS) {
-      if (PAM_error == PAM_ACCT_EXPIRED)
+    if (PAM_error != PAM_SUCCESS ) {
+      /* Log Entry */
+      LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM_Error: %s",
+	  pam_strerror(pamh, PAM_error));
+      /* Log Entry */
+      if (PAM_error == PAM_NEW_AUTHTOK_REQD)	/* password expired */
 	err = AFPERR_PWDEXPR;
 #ifdef PAM_AUTHTOKEN_REQD
       else if (PAM_error == PAM_AUTHTOKEN_REQD) 
 	err = AFPERR_PWDCHNG;
 #endif
-    /* Log Entry */
-           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM_Error: %s",
-		  pam_strerror(pamh, PAM_error));
-    /* Log Entry */
-      goto logincont_err;
+      else
+        goto logincont_err;
     }
 
 #ifndef PAM_CRED_ESTABLISH
@@ -530,6 +542,8 @@ static int pam_logincont(void *obj, struct passwd **uam_pwd,
     /* Log Entry */
            LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM Auth OK!");
     /* Log Entry */
+    if ( err == AFPERR_PWDEXPR)
+	return err;
     return AFP_OK;
 
 logincont_err:
@@ -540,7 +554,7 @@ logincont_err:
 }
 
 /* logout */
-static void pam_logout() {
+static void pam_logout(void) {
     pam_close_session(pamh, 0);
     pam_end(pamh, 0);
     pamh = NULL;
@@ -550,8 +564,8 @@ static void pam_logout() {
 /* change pw for dhx needs a couple passes to get everything all
  * right. basically, it's like the login/logincont sequence */
 static int pam_changepw(void *obj, char *username,
-			struct passwd *pwd, char *ibuf, int ibuflen,
-			char *rbuf, int *rbuflen)
+			struct passwd *pwd _U_, char *ibuf, size_t ibuflen,
+			char *rbuf, size_t *rbuflen)
 {
     BIGNUM *bn1, *bn2, *bn3;
 
@@ -561,6 +575,10 @@ static int pam_changepw(void *obj, char *username,
     u_int16_t sessid;
     int PAM_error;
 
+    if (ibuflen < sizeof(sessid)) {
+      return AFPERR_PARAM;
+    }
+
     /* grab the id */
     memcpy(&sessid, ibuf, sizeof(sessid));
     ibuf += sizeof(sessid);