Merge remote-tracking branch 'origin/branch-netatalk-3-0' into develop

[netatalk.git] / etc / uams / uams_dhx_pam.c

diff --git a/etc/uams/uams_dhx_pam.c b/etc/uams/uams_dhx_pam.c
index 8493c650c0a08b6c47acd5658b57d720d3902c74..bc19c7851b294f7eb151f1a384db4c23e23465e5 100644 (file)
--- a/etc/uams/uams_dhx_pam.c
+++ b/etc/uams/uams_dhx_pam.c
@@ -1,5 +1,4 @@
 /*
- * $Id: uams_dhx_pam.c,v 1.18 2001-11-16 15:45:15 srittau Exp $
  *
  * Copyright (c) 1990,1993 Regents of The University of Michigan.
  * Copyright (c) 1999 Adrian Sun (asun@u.washington.edu) 
@@ -14,23 +13,32 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <syslog.h>
+#include <atalk/logger.h>
 
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
 #endif /* HAVE_UNISTD_H */
 #include <errno.h>
-
+#ifdef HAVE_SECURITY_PAM_APPL_H
 #include <security/pam_appl.h>
+#endif
+#ifdef HAVE_PAM_PAM_APPL_H
+#include <pam/pam_appl.h>
+#endif
+#include <arpa/inet.h>
 
-#ifdef OPENSSL_DHX
+#if defined(GNUTLS_DHX)
+#include <gnutls/openssl.h>
+#elif defined(OPENSSL_DHX)
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 #include <openssl/cast.h>
+#include <openssl/err.h>
 #else /* OPENSSL_DHX */
 #include <bn.h>
 #include <dh.h>
 #include <cast.h>
+#include <err.h>
 #endif /* OPENSSL_DHX */
 
 #include <atalk/afp.h>
@@ -49,14 +57,14 @@
 /* the secret key */
 static CAST_KEY castkey;
 static struct passwd *dhxpwd;
-static u_int8_t randbuf[KEYSIZE];
+static uint8_t randbuf[KEYSIZE];
 
 /* diffie-hellman bits */
 static unsigned char msg2_iv[] = "CJalbert";
 static unsigned char msg3_iv[] = "LWallace";
-static const u_int8_t p[] = {0xBA, 0x28, 0x73, 0xDF, 0xB0, 0x60, 0x57, 0xD4,
+static const uint8_t p[] = {0xBA, 0x28, 0x73, 0xDF, 0xB0, 0x60, 0x57, 0xD4,
                             0x3F, 0x20, 0x24, 0x74, 0x4C, 0xEE, 0xE7, 0x5B};
-static const u_int8_t g = 0x07;
+static const uint8_t g = 0x07;
 
 
 /* Static variables used to communicate between the conversation function
@@ -71,9 +79,13 @@ static char *PAM_password;
  * echo off means password.
  */
 static int PAM_conv (int num_msg,
+#ifdef LINUX
                      const struct pam_message **msg,
+#else
+                     struct pam_message **msg,
+#endif
                      struct pam_response **resp,
-                     void *appdata_ptr) {
+                     void *appdata_ptr _U_) {
   int count = 0;
   struct pam_response *reply;
   
@@ -83,7 +95,7 @@ static int PAM_conv (int num_msg,
 
   if (num_msg < 1) {
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM DHX Conversation Err -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM DHX Conversation Err -- %s",
                  strerror(errno));
     /* Log Entry */
     return PAM_CONV_ERR;
@@ -94,7 +106,7 @@ static int PAM_conv (int num_msg,
 
   if (!reply) {
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM DHX Conversation Err -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM DHX Conversation Err -- %s",
                  strerror(errno));
     /* Log Entry */
     return PAM_CONV_ERR;
@@ -107,7 +119,7 @@ static int PAM_conv (int num_msg,
     case PAM_PROMPT_ECHO_ON:
       if (!(string = COPY_STRING(PAM_username))) {
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: username failure -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: username failure -- %s",
                  strerror(errno));
     /* Log Entry */
        goto pam_fail_conv;
@@ -116,7 +128,7 @@ static int PAM_conv (int num_msg,
     case PAM_PROMPT_ECHO_OFF:
       if (!(string = COPY_STRING(PAM_password))) {
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: passwd failure: --: %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: passwd failure: --: %s",
                  strerror(errno));
     /* Log Entry */
        goto pam_fail_conv;
@@ -131,7 +143,7 @@ static int PAM_conv (int num_msg,
     case PAM_ERROR_MSG:
     default:
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Binary_Prompt -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Binary_Prompt -- %s",
                  strerror(errno));
     /* Log Entry */
       goto pam_fail_conv;
@@ -146,8 +158,7 @@ static int PAM_conv (int num_msg,
 
   *resp = reply;
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: PAM Success -- %s",
-                 strerror(errno));
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM Success");
     /* Log Entry */
   return PAM_SUCCESS;
 
@@ -164,7 +175,7 @@ pam_fail_conv:
   }
   free(reply);
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM DHX Conversation Err -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM DHX Conversation Err -- %s",
                  strerror(errno));
     /* Log Entry */
     return PAM_CONV_ERR;
@@ -176,24 +187,18 @@ static struct pam_conv PAM_conversation = {
 };
 
 
-static int dhx_setup(void *obj, char *ibuf, int ibuflen, 
-                    char *rbuf, int *rbuflen)
+static int dhx_setup(void *obj, char *ibuf, size_t ibuflen _U_, 
+                    char *rbuf, size_t *rbuflen)
 {
-    u_int16_t sessid;
-    int i;
+    uint16_t sessid;
+    size_t i;
     BIGNUM *bn, *gbn, *pbn;
     DH *dh;
 
-    /* TODO: seed dhx_setup properly... this is a hack */
-#ifdef sun
-       /* *SEVERE* hack... fix */
-       RAND_load_file("/var/adm/messages", KEYSIZE);
-#endif /* sun */
-
     /* get the client's public key */
-    if (!(bn = BN_bin2bn(ibuf, KEYSIZE, NULL))) {
+    if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) {
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM No Public Key -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM No Public Key -- %s",
                  strerror(errno));
     /* Log Entry */
       return AFPERR_PARAM;
@@ -203,7 +208,7 @@ static int dhx_setup(void *obj, char *ibuf, int ibuflen,
     if (!(gbn = BN_bin2bn(&g, sizeof(g), NULL))) {
       BN_clear_free(bn);
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM No Primes: GBN -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM No Primes: GBN -- %s",
                  strerror(errno));
     /* Log Entry */
       return AFPERR_PARAM;
@@ -213,7 +218,7 @@ static int dhx_setup(void *obj, char *ibuf, int ibuflen,
       BN_free(gbn);
       BN_clear_free(bn);
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM No Primes: PBN -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM No Primes: PBN -- %s",
                  strerror(errno));
     /* Log Entry */
       return AFPERR_PARAM;
@@ -225,7 +230,7 @@ static int dhx_setup(void *obj, char *ibuf, int ibuflen,
       BN_free(gbn);
       BN_clear_free(bn);
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM DH was equal to DH_New... Go figure... -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM DH was equal to DH_New... Go figure... -- %s",
                  strerror(errno));
     /* Log Entry */
       return AFPERR_PARAM;
@@ -234,19 +239,29 @@ static int dhx_setup(void *obj, char *ibuf, int ibuflen,
     /* generate key and make sure that we have enough space */
     dh->p = pbn;
     dh->g = gbn;
-    if (!DH_generate_key(dh) || (BN_num_bytes(dh->pub_key) > KEYSIZE)) {
-    /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Err Generating Key -- Not enough Space? -- %s",
-                 strerror(errno));
-    /* Log Entry */
-    goto pam_fail;
+    if (DH_generate_key(dh) == 0) {
+       unsigned long dherror;
+       char errbuf[256];
+
+       ERR_load_crypto_strings();
+       dherror = ERR_get_error();
+       ERR_error_string_n(dherror, errbuf, 256);
+
+       LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Err Generating Key (OpenSSL error code: %u, %s)", dherror, errbuf);
+
+       ERR_free_strings();
+       goto pam_fail;
+    }
+    if (BN_num_bytes(dh->pub_key) > KEYSIZE) {
+       LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Err Generating Key -- Not enough Space? -- %s", strerror(errno));
+       goto pam_fail;
     }
 
     /* figure out the key. store the key in rbuf for now. */
-    i = DH_compute_key(rbuf, bn, dh);
+    i = DH_compute_key((unsigned char *)rbuf, bn, dh);
     
     /* set the key */
-    CAST_set_key(&castkey, i, rbuf);
+    CAST_set_key(&castkey, i, (unsigned char *)rbuf);
     
     /* session id. it's just a hashed version of the object pointer. */
     sessid = dhxhash(obj);
@@ -255,7 +270,7 @@ static int dhx_setup(void *obj, char *ibuf, int ibuflen,
     *rbuflen += sizeof(sessid);
     
     /* public key */
-    BN_bn2bin(dh->pub_key, rbuf); 
+    BN_bn2bin(dh->pub_key, (unsigned char *)rbuf); 
     rbuf += KEYSIZE;
     *rbuflen += KEYSIZE;
 
@@ -265,7 +280,7 @@ static int dhx_setup(void *obj, char *ibuf, int ibuflen,
                             &i) < 0) {
       *rbuflen = 0;
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Buffer Encryption Err. -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Buffer Encryption Err. -- %s",
                  strerror(errno));
     /* Log Entry */
       goto pam_fail;
@@ -278,7 +293,7 @@ static int dhx_setup(void *obj, char *ibuf, int ibuflen,
                             (void *) &buf, NULL) < 0) {
       *rbuflen = 0;
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Signature Retieval Failure -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Signature Retieval Failure -- %s",
                  strerror(errno));
     /* Log Entry */
       goto pam_fail;
@@ -289,7 +304,7 @@ static int dhx_setup(void *obj, char *ibuf, int ibuflen,
 #endif /* 0 */
 
     /* encrypt using cast */
-    CAST_cbc_encrypt(rbuf, rbuf, CRYPTBUFLEN, &castkey, msg2_iv, 
+    CAST_cbc_encrypt((unsigned char *)rbuf, (unsigned char *)rbuf, CRYPTBUFLEN, &castkey, msg2_iv, 
                     CAST_ENCRYPT);
     *rbuflen += CRYPTBUFLEN;
     BN_free(bn);
@@ -300,70 +315,108 @@ pam_fail:
     BN_free(bn);
     DH_free(dh);
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Fail - Cast Encryption -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Fail - Cast Encryption -- %s",
                  strerror(errno));
     /* Log Entry */
     return AFPERR_PARAM;
 }
 
+/* -------------------------------- */
+static int login(void *obj, char *username, int ulen,  struct passwd **uam_pwd _U_,
+                    char *ibuf, size_t ibuflen,
+                    char *rbuf, size_t *rbuflen)
+{
+    if (( dhxpwd = uam_getname(obj, username, ulen)) == NULL ) {
+        LOG(log_info, logtype_uams, "uams_dhx_pam.c: unknown username [%s]", username);
+        return AFPERR_NOTAUTH;
+    }
+
+    PAM_username = username;
+    LOG(log_info, logtype_uams, "dhx login: %s", username);
+    return dhx_setup(obj, ibuf, ibuflen, rbuf, rbuflen);
+}
 
+/* -------------------------------- */
 /* dhx login: things are done in a slightly bizarre order to avoid
  * having to clean things up if there's an error. */
 static int pam_login(void *obj, struct passwd **uam_pwd,
-                    char *ibuf, int ibuflen,
-                    char *rbuf, int *rbuflen)
+                    char *ibuf, size_t ibuflen,
+                    char *rbuf, size_t *rbuflen)
 {
-    char *buf;
-    int len, i;
+    char *username;
+    size_t len, ulen;
 
     *rbuflen = 0;
 
     /* grab some of the options */
-    if (uam_afpserver_option(obj, UAM_OPTION_USERNAME, (void *) &buf,
-                            &i) < 0) {
-    /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: uam_afpserver_option didn't meet uam_option_username  -- %s",
+    if (uam_afpserver_option(obj, UAM_OPTION_USERNAME, (void *) &username, &ulen) < 0) {
+        LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: uam_afpserver_option didn't meet uam_option_username  -- %s",
                  strerror(errno));
-    /* Log Entry */
-      return AFPERR_PARAM;
+        return AFPERR_PARAM;
     }
 
     len = (unsigned char) *ibuf++;
-    if ( len > i ) {
-    /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Signature Retieval Failure -- %s",
+    if ( len > ulen ) {
+        LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Signature Retieval Failure -- %s",
                  strerror(errno));
-    /* Log Entry */
-       return( AFPERR_PARAM );
+       return AFPERR_PARAM;
     }
 
-    memcpy(buf, ibuf, len );
+    memcpy(username, ibuf, len );
     ibuf += len;
-    buf[ len ] = '\0';
+    username[ len ] = '\0';
+
     if ((unsigned long) ibuf & 1) /* pad to even boundary */
       ++ibuf;
 
-    if (( dhxpwd = uam_getname(buf, i)) == NULL ) {
-    /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: User entered a null value -- %s",
+    return (login(obj, username, ulen, uam_pwd, ibuf, ibuflen, rbuf, rbuflen));
+}
+
+/* ----------------------------- */
+static int pam_login_ext(void *obj, char *uname, struct passwd **uam_pwd,
+                    char *ibuf, size_t ibuflen,
+                    char *rbuf, size_t *rbuflen)
+{
+    char *username;
+    int len;
+    size_t ulen;
+    uint16_t  temp16;
+
+    *rbuflen = 0;
+
+    /* grab some of the options */
+    if (uam_afpserver_option(obj, UAM_OPTION_USERNAME, (void *) &username, &ulen) < 0) {
+        LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: uam_afpserver_option didn't meet uam_option_username  -- %s",
+                 strerror(errno));
+        return AFPERR_PARAM;
+    }
+
+    if (*uname != 3)
+        return AFPERR_PARAM;
+    uname++;
+    memcpy(&temp16, uname, sizeof(temp16));
+    len = ntohs(temp16);
+
+    if ( !len || len > ulen ) {
+        LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Signature Retrieval Failure -- %s",
                  strerror(errno));
-    /* Log Entry */
        return AFPERR_PARAM;
     }
+    memcpy(username, uname +2, len );
+    username[ len ] = '\0';
 
-    PAM_username = buf;
-    syslog( LOG_INFO, "dhx login: %s", buf);
-    return dhx_setup(obj, ibuf, ibuflen, rbuf, rbuflen);
+    return (login(obj, username, ulen, uam_pwd, ibuf, ibuflen, rbuf, rbuflen));
 }
 
+/* -------------------------------- */
 
 static int pam_logincont(void *obj, struct passwd **uam_pwd,
-                        char *ibuf, int ibuflen, 
-                        char *rbuf, int *rbuflen)
+                        char *ibuf, size_t ibuflen _U_, 
+                        char *rbuf, size_t *rbuflen)
 {
-    char *hostname;
+    const char *hostname;
     BIGNUM *bn1, *bn2, *bn3;
-    u_int16_t sessid;
+    uint16_t sessid;
     int err, PAM_error;
 
     *rbuflen = 0;
@@ -372,7 +425,7 @@ static int pam_logincont(void *obj, struct passwd **uam_pwd,
     memcpy(&sessid, ibuf, sizeof(sessid));
     if (sessid != dhxhash(obj)) {
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM Session ID - DHXHash Mismatch -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM Session ID - DHXHash Mismatch -- %s",
                  strerror(errno));
     /* Log Entry */
       return AFPERR_PARAM;
@@ -382,17 +435,17 @@ static int pam_logincont(void *obj, struct passwd **uam_pwd,
     if (uam_afpserver_option(obj, UAM_OPTION_CLIENTNAME,
                             (void *) &hostname, NULL) < 0)
        {
-       syslog(LOG_INFO, "uams_dhx_pam.c :PAM: unable to retrieve client hostname");
+       LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: unable to retrieve client hostname");
        hostname = NULL;
        }
 
-    CAST_cbc_encrypt(ibuf, rbuf, CRYPT2BUFLEN, &castkey,
+    CAST_cbc_encrypt((unsigned char *)ibuf, (unsigned char *)rbuf, CRYPT2BUFLEN, &castkey,
                     msg3_iv, CAST_DECRYPT);
     memset(&castkey, 0, sizeof(castkey));
 
     /* check to make sure that the random number is the same. we
      * get sent back an incremented random number. */
-    if (!(bn1 = BN_bin2bn(rbuf, KEYSIZE, NULL)))
+    if (!(bn1 = BN_bin2bn((unsigned char *)rbuf, KEYSIZE, NULL)))
       return AFPERR_PARAM;
 
     if (!(bn2 = BN_bin2bn(randbuf, sizeof(randbuf), NULL))) {
@@ -431,8 +484,8 @@ static int pam_logincont(void *obj, struct passwd **uam_pwd,
                          &pamh);
     if (PAM_error != PAM_SUCCESS) {
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: PAM_Error: %s -- %s",
-                 pam_strerror(pamh,PAM_error), strerror(errno));
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM_Error: %s",
+                 pam_strerror(pamh,PAM_error));
     /* Log Entry */
       goto logincont_err;
     }
@@ -445,25 +498,26 @@ static int pam_logincont(void *obj, struct passwd **uam_pwd,
       if (PAM_error == PAM_MAXTRIES) 
        err = AFPERR_PWDEXPR;
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: PAM_Error: %s -- %s",
-                 pam_strerror(pamh, PAM_error), strerror(errno));
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM_Error: %s",
+                 pam_strerror(pamh, PAM_error));
     /* Log Entry */
       goto logincont_err;
     }      
 
     PAM_error = pam_acct_mgmt(pamh, 0);
-    if (PAM_error != PAM_SUCCESS) {
-      if (PAM_error == PAM_ACCT_EXPIRED)
+    if (PAM_error != PAM_SUCCESS ) {
+      /* Log Entry */
+      LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM_Error: %s",
+         pam_strerror(pamh, PAM_error));
+      /* Log Entry */
+      if (PAM_error == PAM_NEW_AUTHTOK_REQD)   /* password expired */
        err = AFPERR_PWDEXPR;
 #ifdef PAM_AUTHTOKEN_REQD
       else if (PAM_error == PAM_AUTHTOKEN_REQD) 
        err = AFPERR_PWDCHNG;
 #endif
-    /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: PAM_Error: %s -- %s",
-                 pam_strerror(pamh, PAM_error), strerror(errno));
-    /* Log Entry */
-      goto logincont_err;
+      else
+        goto logincont_err;
     }
 
 #ifndef PAM_CRED_ESTABLISH
@@ -472,8 +526,8 @@ static int pam_logincont(void *obj, struct passwd **uam_pwd,
     PAM_error = pam_setcred(pamh, PAM_CRED_ESTABLISH);
     if (PAM_error != PAM_SUCCESS) {
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: PAM_Error: %s -- %s",
-                 pam_strerror(pamh, PAM_error), strerror(errno));
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM_Error: %s",
+                 pam_strerror(pamh, PAM_error));
     /* Log Entry */
       goto logincont_err;
     }
@@ -481,8 +535,8 @@ static int pam_logincont(void *obj, struct passwd **uam_pwd,
     PAM_error = pam_open_session(pamh, 0);
     if (PAM_error != PAM_SUCCESS) {
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: PAM_Error: %s -- %s",
-                 pam_strerror(pamh, PAM_error), strerror(errno));
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM_Error: %s",
+                 pam_strerror(pamh, PAM_error));
     /* Log Entry */
       goto logincont_err;
     }
@@ -490,8 +544,10 @@ static int pam_logincont(void *obj, struct passwd **uam_pwd,
     memset(rbuf, 0, PASSWDLEN); /* zero out the password */
     *uam_pwd = dhxpwd;
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: PAM Auth OK!");
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM Auth OK!");
     /* Log Entry */
+    if ( err == AFPERR_PWDEXPR)
+       return err;
     return AFP_OK;
 
 logincont_err:
@@ -502,7 +558,7 @@ logincont_err:
 }
 
 /* logout */
-static void pam_logout() {
+static void pam_logout(void) {
     pam_close_session(pamh, 0);
     pam_end(pamh, 0);
     pamh = NULL;
@@ -512,17 +568,21 @@ static void pam_logout() {
 /* change pw for dhx needs a couple passes to get everything all
  * right. basically, it's like the login/logincont sequence */
 static int pam_changepw(void *obj, char *username,
-                       struct passwd *pwd, char *ibuf, int ibuflen,
-                       char *rbuf, int *rbuflen)
+                       struct passwd *pwd _U_, char *ibuf, size_t ibuflen,
+                       char *rbuf, size_t *rbuflen)
 {
     BIGNUM *bn1, *bn2, *bn3;
 
     char *hostname;
     pam_handle_t *lpamh;
     uid_t uid;
-    u_int16_t sessid;
+    uint16_t sessid;
     int PAM_error;
 
+    if (ibuflen < sizeof(sessid)) {
+      return AFPERR_PARAM;
+    }
+
     /* grab the id */
     memcpy(&sessid, ibuf, sizeof(sessid));
     ibuf += sizeof(sessid);
@@ -539,7 +599,7 @@ static int pam_changepw(void *obj, char *username,
     /* check out the session id */
     if (sessid != dhxhash(obj)) {
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Session ID not Equal to DHX Hash -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Session ID not Equal to DHX Hash -- %s",
                  strerror(errno));
     /* Log Entry */
       return AFPERR_PARAM;
@@ -549,22 +609,22 @@ static int pam_changepw(void *obj, char *username,
     if (uam_afpserver_option(obj, UAM_OPTION_HOSTNAME,
                             (void *) &hostname, NULL) < 0) {
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Hostname Null?? -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Hostname Null?? -- %s",
                  strerror(errno));
     /* Log Entry */
       return AFPERR_MISC;
     }
 
     /* grab the client's nonce, old password, and new password. */
-    CAST_cbc_encrypt(ibuf, ibuf, CHANGEPWBUFLEN, &castkey,
+    CAST_cbc_encrypt((unsigned char *)ibuf, (unsigned char *)ibuf, CHANGEPWBUFLEN, &castkey,
                     msg3_iv, CAST_DECRYPT);
     memset(&castkey, 0, sizeof(castkey));
 
     /* check to make sure that the random number is the same. we
      * get sent back an incremented random number. */
-    if (!(bn1 = BN_bin2bn(ibuf, KEYSIZE, NULL))) {
+    if (!(bn1 = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) {
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Random Number Not the same or not incremented-- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Random Number Not the same or not incremented-- %s",
                  strerror(errno));
     /* Log Entry */
       return AFPERR_PARAM;
@@ -573,7 +633,7 @@ static int pam_changepw(void *obj, char *username,
     if (!(bn2 = BN_bin2bn(randbuf, sizeof(randbuf), NULL))) {
       BN_free(bn1);
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Random Number Not the same or not incremented -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Random Number Not the same or not incremented -- %s",
                  strerror(errno));
     /* Log Entry */
       return AFPERR_PARAM;
@@ -587,7 +647,7 @@ static int pam_changepw(void *obj, char *username,
       BN_free(bn2);
       BN_free(bn1);
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Random Number did not Zero -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Random Number did not Zero -- %s",
                  strerror(errno));
     /* Log Entry */
       return AFPERR_PARAM;
@@ -602,7 +662,7 @@ static int pam_changepw(void *obj, char *username,
     if (!BN_is_one(bn3)) {
       BN_free(bn3);
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: After Random Number not Zero, is it one more? -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: After Random Number not Zero, is it one more? -- %s",
                  strerror(errno));
     /* Log Entry */
       return AFPERR_PARAM;
@@ -620,7 +680,7 @@ static int pam_changepw(void *obj, char *username,
                          &lpamh);
     if (PAM_error != PAM_SUCCESS) {
     /* Log Entry */
-           syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Needless to say, PAM_error is != to PAM_SUCCESS -- %s",
+           LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Needless to say, PAM_error is != to PAM_SUCCESS -- %s",
                  strerror(errno));
     /* Log Entry */
       return AFPERR_PARAM;
@@ -661,8 +721,8 @@ static int pam_changepw(void *obj, char *username,
 
 static int uam_setup(const char *path)
 {
-  if (uam_register(UAM_SERVER_LOGIN, path, "DHCAST128", pam_login, 
-                  pam_logincont, pam_logout) < 0)
+  if (uam_register(UAM_SERVER_LOGIN_EXT, path, "DHCAST128", pam_login, 
+                  pam_logincont, pam_logout, pam_login_ext) < 0)
     return -1;
 
   if (uam_register(UAM_SERVER_CHANGEPW, path, "DHCAST128", 
@@ -690,5 +750,11 @@ UAM_MODULE_EXPORT struct uam_export uams_dhx = {
   uam_setup, uam_cleanup
 };
 
+UAM_MODULE_EXPORT struct uam_export uams_dhx_pam = {
+  UAM_MODULE_SERVER,
+  UAM_MODULE_VERSION,
+  uam_setup, uam_cleanup
+};
+
 #endif /* USE_PAM && UAM_DHX */