Change pam data auth tokens.

Use the new authtok abstraction and interfaces throught the code.

3 files changed, 39 insertions, 33 deletions

diff --git a/src/providers/proxy/proxy.h b/src/providers/proxy/proxy.h
index cea03382..962cb28f 100644
--- a/src/providers/proxy/proxy.h
+++ b/src/providers/proxy/proxy.h
@@ -89,11 +89,8 @@ struct proxy_nss_ops {
 };
 
 struct authtok_conv {
-    uint32_t authtok_size;
-    uint8_t *authtok;
-
-    uint32_t newauthtok_size;
-    uint8_t *newauthtok;
+    struct sss_auth_token authtok;
+    struct sss_auth_token newauthtok;
 
     bool sent_old;
 };
diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c
index 8088283f..3430f38b 100644
--- a/src/providers/proxy/proxy_auth.c
+++ b/src/providers/proxy/proxy_auth.c
@@ -712,7 +712,7 @@ static void proxy_child_done(struct tevent_req *req)
     struct proxy_client_ctx *client_ctx =
             tevent_req_callback_data(req, struct proxy_client_ctx);
     struct pam_data *pd = NULL;
-    char *password;
+    const char *password;
     int ret;
     struct tevent_immediate *imm;
 
@@ -747,17 +747,15 @@ static void proxy_child_done(struct tevent_req *req)
 
     /* Check if we need to save the cached credentials */
     if ((pd->cmd == SSS_PAM_AUTHENTICATE || pd->cmd == SSS_PAM_CHAUTHTOK) &&
-            pd->pam_status == PAM_SUCCESS &&
-            client_ctx->be_req->be_ctx->domain->cache_credentials) {
-        password = talloc_strndup(client_ctx->be_req,
-                                  (char *) pd->authtok,
-                                  pd->authtok_size);
-        if (!password) {
+        (pd->pam_status == PAM_SUCCESS) &&
+        client_ctx->be_req->be_ctx->domain->cache_credentials) {
+
+        ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+        if (ret) {
             /* password caching failures are not fatal errors */
             DEBUG(2, ("Failed to cache password\n"));
             goto done;
         }
-        talloc_set_destructor((TALLOC_CTX *)password, password_destructor);
 
         ret = sysdb_cache_password(client_ctx->be_req->be_ctx->sysdb,
                                    pd->user, password);
diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c
index c575948a..556dbf9b 100644
--- a/src/providers/proxy/proxy_child.c
+++ b/src/providers/proxy/proxy_child.c
@@ -80,6 +80,9 @@ static int proxy_internal_conv(int num_msg, const struct pam_message **msgm,
     int i;
     struct pam_response *reply;
     struct authtok_conv *auth_data;
+    const char *password;
+    size_t pwlen;
+    errno_t ret;
 
     auth_data = talloc_get_type(appdata_ptr, struct authtok_conv);
 
@@ -94,11 +97,13 @@ static int proxy_internal_conv(int num_msg, const struct pam_message **msgm,
             case PAM_PROMPT_ECHO_OFF:
                 DEBUG(4, ("Conversation message: [%s]\n", msgm[i]->msg));
                 reply[i].resp_retcode = 0;
-                reply[i].resp = calloc(auth_data->authtok_size + 1,
-                                       sizeof(char));
+
+                ret = sss_authtok_get_password(&auth_data->authtok,
+                                               &password, &pwlen);
+                if (ret) goto failed;
+                reply[i].resp = calloc(pwlen + 1, sizeof(char));
                 if (reply[i].resp == NULL) goto failed;
-                memcpy(reply[i].resp, auth_data->authtok,
-                       auth_data->authtok_size);
+                memcpy(reply[i].resp, password, pwlen + 1);
 
                 break;
             default:
@@ -124,6 +129,9 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm,
     int i;
     struct pam_response *reply;
     struct authtok_conv *auth_data;
+    const char *password;
+    size_t pwlen;
+    errno_t ret;
 
     auth_data = talloc_get_type(appdata_ptr, struct authtok_conv);
 
@@ -141,20 +149,23 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm,
                 reply[i].resp_retcode = 0;
                 if (!auth_data->sent_old) {
                     /* The first prompt will be asking for the old authtok */
-                    reply[i].resp = calloc(auth_data->authtok_size + 1,
-                                           sizeof(char));
+                    ret = sss_authtok_get_password(&auth_data->authtok,
+                                                  &password, &pwlen);
+                    if (ret) goto failed;
+                    reply[i].resp = calloc(pwlen + 1, sizeof(char));
                     if (reply[i].resp == NULL) goto failed;
-                    memcpy(reply[i].resp, auth_data->authtok,
-                           auth_data->authtok_size);
+                    memcpy(reply[i].resp, password, pwlen + 1);
                     auth_data->sent_old = true;
                 }
                 else {
                     /* Subsequent prompts are looking for the new authtok */
-                    reply[i].resp = calloc(auth_data->newauthtok_size + 1,
-                                           sizeof(char));
+                    ret = sss_authtok_get_password(&auth_data->newauthtok,
+                                                  &password, &pwlen);
+                    if (ret) goto failed;
+                    reply[i].resp = calloc(pwlen + 1, sizeof(char));
                     if (reply[i].resp == NULL) goto failed;
-                    memcpy(reply[i].resp, auth_data->newauthtok,
-                           auth_data->newauthtok_size);
+                    memcpy(reply[i].resp, password, pwlen + 1);
+                    auth_data->sent_old = true;
                 }
 
                 break;
@@ -213,8 +224,8 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd)
         }
         switch (pd->cmd) {
             case SSS_PAM_AUTHENTICATE:
-                auth_data->authtok_size = pd->authtok_size;
-                auth_data->authtok = pd->authtok;
+                sss_authtok_copy(auth_data, &pd->authtok,
+                                 &auth_data->authtok);
                 pam_status = pam_authenticate(pamh, 0);
                 break;
             case SSS_PAM_SETCRED:
@@ -230,21 +241,21 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd)
                 pam_status=pam_close_session(pamh, 0);
                 break;
             case SSS_PAM_CHAUTHTOK:
-                auth_data->authtok_size = pd->authtok_size;
-                auth_data->authtok = pd->authtok;
+                sss_authtok_copy(auth_data, &pd->authtok,
+                                 &auth_data->authtok);
                 if (pd->priv != 1) {
                     pam_status = pam_authenticate(pamh, 0);
                     auth_data->sent_old = false;
                     if (pam_status != PAM_SUCCESS) break;
                 }
-                auth_data->newauthtok_size = pd->newauthtok_size;
-                auth_data->newauthtok = pd->newauthtok;
+                sss_authtok_copy(auth_data, &pd->newauthtok,
+                                 &auth_data->newauthtok);
                 pam_status = pam_chauthtok(pamh, 0);
                 break;
             case SSS_PAM_CHAUTHTOK_PRELIM:
                 if (pd->priv != 1) {
-                    auth_data->authtok_size = pd->authtok_size;
-                    auth_data->authtok = pd->authtok;
+                    sss_authtok_copy(auth_data, &pd->authtok,
+                                     &auth_data->authtok);
                     pam_status = pam_authenticate(pamh, 0);
                 } else {
                     pam_status = PAM_SUCCESS;