1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
--- pam_mysql.c.orig Sun Sep 15 10:28:58 2002
+++ pam_mysql.c Thu Feb 13 14:58:21 2003
@@ -23,6 +23,7 @@
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
+#include <time.h>
/* AFAIK, only FreeBSD has MD5Data() defined in md5.h
@@ -54,7 +55,53 @@
#define DEBUG
#include <security/pam_modules.h>
+#ifdef _OPENPAM
+#include <security/pam_appl.h>
+#else
#include <security/pam_misc.h>
+#endif
+
+#ifdef _OPENPAM
+/* some macros not defined in OpenPAM */
+
+/* Good policy to strike out passwords with some characters not just
+ free the memory */
+
+#define _pam_overwrite(x) \
+do { \
+ register char *__xx__; \
+ if ((__xx__=(x))) \
+ while (*__xx__) \
+ *__xx__++ = '\0'; \
+} while (0)
+
+/*
+ * Don't just free it, forget it too.
+ */
+
+#define _pam_drop(X) \
+do { \
+ if (X) { \
+ free(X); \
+ X=NULL; \
+ } \
+} while (0)
+
+#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
+do { \
+ int reply_i; \
+ \
+ for (reply_i=0; reply_i<replies; ++reply_i) { \
+ if (reply[reply_i].resp) { \
+ _pam_overwrite(reply[reply_i].resp); \
+ free(reply[reply_i].resp); \
+ } \
+ } \
+ if (reply) \
+ free(reply); \
+} while (0)
+
+#endif
struct optionstruct {
char host[257];
@@ -620,7 +667,11 @@
retval = conv->conv(nargs,
(const struct pam_message **) message,
response, conv->appdata_ptr);
- if ((retval != PAM_SUCCESS) && (retval != PAM_CONV_AGAIN))
+ if ((retval != PAM_SUCCESS)
+#ifndef _OPENPAM
+ && (retval != PAM_CONV_AGAIN)
+#endif
+ )
syslog(LOG_DEBUG, "pam_mysql: conversation failure [%s]",
pam_strerror(pamh, retval));
} else {
@@ -827,8 +878,12 @@
if (retval != PAM_SUCCESS) {
if (resp != NULL)
_pam_drop_reply(resp,i);
+#ifndef _OPENPAM
return ((retval == PAM_CONV_AGAIN)
? PAM_INCOMPLETE : PAM_AUTHINFO_UNAVAIL);
+#else
+ return PAM_AUTHINFO_UNAVAIL;
+#endif
}
/* we have a password so set AUTHTOK
|