summaryrefslogtreecommitdiff
path: root/src/providers
diff options
context:
space:
mode:
authorLukas Slebodnik <lslebodn@redhat.com>2013-03-14 09:10:39 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-04-02 17:01:08 +0200
commit9acfb09f7969a69f58bd45c856b01700541853ca (patch)
tree51b08598dde631e49910dc3c5865460208a6a9f5 /src/providers
parent53b58615fbc13eddcd6e2f28066b67cb5f16b6d3 (diff)
downloadsssd-9acfb09f7969a69f58bd45c856b01700541853ca.tar.gz
sssd-9acfb09f7969a69f58bd45c856b01700541853ca.tar.bz2
sssd-9acfb09f7969a69f58bd45c856b01700541853ca.zip
Making the authtok structure really opaque.
Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/data_provider.h4
-rw-r--r--src/providers/dp_auth_util.c16
-rw-r--r--src/providers/dp_pam_data_util.c60
-rw-r--r--src/providers/ipa/ipa_auth.c2
-rw-r--r--src/providers/krb5/krb5_auth.c10
-rw-r--r--src/providers/krb5/krb5_child.c28
-rw-r--r--src/providers/krb5/krb5_child_handler.c8
-rw-r--r--src/providers/krb5/krb5_delayed_online_authentication.c12
-rw-r--r--src/providers/krb5/krb5_renew_tgt.c5
-rw-r--r--src/providers/ldap/ldap_auth.c12
-rw-r--r--src/providers/ldap/sdap_async_connection.c12
-rw-r--r--src/providers/proxy/proxy.h4
-rw-r--r--src/providers/proxy/proxy_auth.c2
-rw-r--r--src/providers/proxy/proxy_child.c18
14 files changed, 115 insertions, 78 deletions
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 2ce16e85..8f385b79 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -176,8 +176,8 @@ struct pam_data {
char *tty;
char *ruser;
char *rhost;
- struct sss_auth_token authtok;
- struct sss_auth_token newauthtok;
+ struct sss_auth_token *authtok;
+ struct sss_auth_token *newauthtok;
uint32_t cli_pid;
int pam_status;
diff --git a/src/providers/dp_auth_util.c b/src/providers/dp_auth_util.c
index 54f0ee8e..0bf10a7d 100644
--- a/src/providers/dp_auth_util.c
+++ b/src/providers/dp_auth_util.c
@@ -40,12 +40,12 @@ bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd)
tty = pd->tty ? pd->tty : "";
ruser = pd->ruser ? pd->ruser : "";
rhost = pd->rhost ? pd->rhost : "";
- authtok_type = (uint32_t)sss_authtok_get_type(&pd->authtok);
- authtok_data = sss_authtok_get_data(&pd->authtok);
- authtok_length = sss_authtok_get_size(&pd->authtok);
- new_authtok_type = (uint32_t)sss_authtok_get_type(&pd->newauthtok);
- new_authtok_data = sss_authtok_get_data(&pd->newauthtok);
- new_authtok_length = sss_authtok_get_size(&pd->newauthtok);
+ authtok_type = (uint32_t)sss_authtok_get_type(pd->authtok);
+ authtok_data = sss_authtok_get_data(pd->authtok);
+ authtok_length = sss_authtok_get_size(pd->authtok);
+ new_authtok_type = (uint32_t)sss_authtok_get_type(pd->newauthtok);
+ new_authtok_data = sss_authtok_get_data(pd->newauthtok);
+ new_authtok_length = sss_authtok_get_size(pd->newauthtok);
db_ret = dbus_message_append_args(msg,
DBUS_TYPE_INT32, &(pd->cmd),
@@ -112,13 +112,13 @@ bool dp_unpack_pam_request(DBusMessage *msg, TALLOC_CTX *mem_ctx,
return false;
}
- ret = sss_authtok_set(*new_pd, &((*new_pd)->authtok), authtok_type,
+ ret = sss_authtok_set((*new_pd)->authtok, authtok_type,
authtok_data, authtok_length);
if (ret) {
DEBUG(1, ("Failed to set auth token: %d [%s]\n", ret, strerror(ret)));
return false;
}
- ret = sss_authtok_set(*new_pd, &((*new_pd)->newauthtok), new_authtok_type,
+ ret = sss_authtok_set((*new_pd)->newauthtok, new_authtok_type,
new_authtok_data, new_authtok_length);
if (ret) {
DEBUG(1, ("Failed to set auth token: %d [%s]\n", ret, strerror(ret)));
diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c
index 64f0d69b..4c33f583 100644
--- a/src/providers/dp_pam_data_util.c
+++ b/src/providers/dp_pam_data_util.c
@@ -53,8 +53,8 @@ int pam_data_destructor(void *ptr)
struct pam_data *pd = talloc_get_type(ptr, struct pam_data);
/* make sure to wipe any password from memory before freeing */
- sss_authtok_wipe_password(&pd->authtok);
- sss_authtok_wipe_password(&pd->newauthtok);
+ sss_authtok_wipe_password(pd->authtok);
+ sss_authtok_wipe_password(pd->newauthtok);
return 0;
}
@@ -65,13 +65,29 @@ struct pam_data *create_pam_data(TALLOC_CTX *mem_ctx)
pd = talloc_zero(mem_ctx, struct pam_data);
if (pd == NULL) {
- DEBUG(1, ("talloc_zero failed.\n"));
- return NULL;
+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n"));
+ goto failed;
+ }
+
+ pd->authtok = sss_authtok_new(pd);
+ if (pd == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n"));
+ goto failed;
+ }
+
+ pd->newauthtok = sss_authtok_new(pd);
+ if (pd == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n"));
+ goto failed;
}
talloc_set_destructor((TALLOC_CTX *) pd, pam_data_destructor);
return pd;
+
+failed:
+ talloc_free(pd);
+ return NULL;
}
errno_t copy_pam_data(TALLOC_CTX *mem_ctx, struct pam_data *src,
@@ -122,14 +138,34 @@ errno_t copy_pam_data(TALLOC_CTX *mem_ctx, struct pam_data *src,
pd->cli_pid = src->cli_pid;
- ret = sss_authtok_copy(pd, &src->authtok, &pd->authtok);
- if (ret) {
- goto failed;
+ /* if structure pam_data was allocated on stack and zero initialized,
+ * than src->authtok and src->newauthtok are NULL, therefore
+ * instead of copying, new empty authtok will be created.
+ */
+ if (src->authtok) {
+ ret = sss_authtok_copy(src->authtok, pd->authtok);
+ if (ret) {
+ goto failed;
+ }
+ } else {
+ pd->authtok = sss_authtok_new(pd);
+ if (pd->authtok == NULL) {
+ ret = ENOMEM;
+ goto failed;
+ }
}
- ret = sss_authtok_copy(pd, &src->newauthtok, &pd->newauthtok);
- if (ret) {
- goto failed;
+ if (src->newauthtok) {
+ ret = sss_authtok_copy(src->newauthtok, pd->newauthtok);
+ if (ret) {
+ goto failed;
+ }
+ } else {
+ pd->newauthtok = sss_authtok_new(pd);
+ if (pd->newauthtok == NULL) {
+ ret = ENOMEM;
+ goto failed;
+ }
}
*dst = pd;
@@ -151,8 +187,8 @@ void pam_print_data(int l, struct pam_data *pd)
DEBUG(l, ("tty: %s\n", PAM_SAFE_ITEM(pd->tty)));
DEBUG(l, ("ruser: %s\n", PAM_SAFE_ITEM(pd->ruser)));
DEBUG(l, ("rhost: %s\n", PAM_SAFE_ITEM(pd->rhost)));
- DEBUG(l, ("authtok type: %d\n", sss_authtok_get_type(&pd->authtok)));
- DEBUG(l, ("newauthtok type: %d\n", sss_authtok_get_type(&pd->newauthtok)));
+ DEBUG(l, ("authtok type: %d\n", sss_authtok_get_type(pd->authtok)));
+ DEBUG(l, ("newauthtok type: %d\n", sss_authtok_get_type(pd->newauthtok)));
DEBUG(l, ("priv: %d\n", pd->priv));
DEBUG(l, ("cli_pid: %d\n", pd->cli_pid));
}
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 5cb3d402..b528c544 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -371,7 +371,7 @@ static void ipa_migration_flag_connect_done(struct tevent_req *req)
}
req = sdap_auth_send(state, state->ev, state->sh, NULL, NULL, dn,
- &state->pd->authtok);
+ state->pd->authtok);
if (req == NULL) {
DEBUG(SSSDBG_OP_FAILURE, ("sdap_auth_send failed.\n"));
goto done;
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index a9b75768..6c0f429f 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -284,7 +284,7 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
const char *password = NULL;
errno_t ret;
- ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
if (ret != EOK) {
DEBUG(0, ("Failed to get password [%d] %s\n", ret, strerror(ret)));
*pam_status = PAM_SYSTEM_ERR;
@@ -397,10 +397,10 @@ static void krb5_auth_store_creds(struct sysdb_ctx *sysdb,
break;
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK_PRELIM:
- ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
break;
case SSS_PAM_CHAUTHTOK:
- ret = sss_authtok_get_password(&pd->newauthtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->newauthtok, &password, NULL);
break;
default:
DEBUG(0, ("unsupported PAM command [%d].\n", pd->cmd));
@@ -490,7 +490,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
case SSS_PAM_AUTHENTICATE:
case SSS_CMD_RENEW:
case SSS_PAM_CHAUTHTOK:
- if (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+ if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
DEBUG(1, ("Missing authtok for user [%s].\n", pd->user));
state->pam_status = PAM_SYSTEM_ERR;
state->dp_err = DP_ERR_FATAL;
@@ -500,7 +500,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
break;
case SSS_PAM_CHAUTHTOK_PRELIM:
if (pd->priv == 1 &&
- sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+ sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
DEBUG(4, ("Password reset by root is not supported.\n"));
state->pam_status = PAM_PERM_DENIED;
state->dp_err = DP_ERR_OK;
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 52127b39..4ccd75d2 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1201,7 +1201,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
DEBUG(SSSDBG_TRACE_LIBS, ("Password change operation\n"));
- ret = sss_authtok_get_password(&kr->pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
if (ret != EOK) {
DEBUG(1, ("Failed to fetch current password [%d] %s.\n",
ret, strerror(ret)));
@@ -1233,7 +1233,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
return kerr;
}
- sss_authtok_set_empty(&kr->pd->authtok);
+ sss_authtok_set_empty(kr->pd->authtok);
if (prelim) {
DEBUG(SSSDBG_TRACE_LIBS,
@@ -1243,7 +1243,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
return EOK;
}
- ret = sss_authtok_get_password(&kr->pd->newauthtok, &newpassword, NULL);
+ ret = sss_authtok_get_password(kr->pd->newauthtok, &newpassword, NULL);
if (ret != EOK) {
DEBUG(1, ("Failed to fetch new password [%d] %s.\n",
ret, strerror(ret)));
@@ -1307,7 +1307,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
kerr = get_and_save_tgt(kr, newpassword);
- sss_authtok_set_empty(&kr->pd->newauthtok);
+ sss_authtok_set_empty(kr->pd->newauthtok);
if (kerr == 0) {
kerr = k5c_attach_ccname_msg(kr);
@@ -1324,7 +1324,7 @@ static errno_t tgt_req_child(struct krb5_req *kr)
DEBUG(SSSDBG_TRACE_LIBS, ("Attempting to get a TGT\n"));
- ret = sss_authtok_get_password(&kr->pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
switch (ret) {
if (ret == EACCES) {
DEBUG(SSSDBG_OP_FAILURE, ("Invalid authtok type\n"));
@@ -1379,7 +1379,7 @@ static errno_t tgt_req_child(struct krb5_req *kr)
}
done:
- sss_authtok_set_empty(&kr->pd->authtok);
+ sss_authtok_set_empty(kr->pd->authtok);
return ret;
}
@@ -1423,11 +1423,11 @@ static errno_t renew_tgt_child(struct krb5_req *kr)
DEBUG(SSSDBG_TRACE_LIBS, ("Renewing a ticket\n"));
- ret = sss_authtok_get_ccfile(&kr->pd->authtok, &ccname, NULL);
+ ret = sss_authtok_get_ccfile(kr->pd->authtok, &ccname, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
("Unsupported authtok type for TGT renewal [%d].\n",
- sss_authtok_get_type(&kr->pd->authtok)));
+ sss_authtok_get_type(kr->pd->authtok)));
return ERR_INVALID_CRED_TYPE;
}
@@ -1527,10 +1527,10 @@ static errno_t unpack_authtok(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok,
sss_authtok_set_empty(tok);
break;
case SSS_AUTHTOK_TYPE_PASSWORD:
- ret = sss_authtok_set_password(mem_ctx, tok, (char *)(buf + *p), 0);
+ ret = sss_authtok_set_password(tok, (char *)(buf + *p), 0);
break;
case SSS_AUTHTOK_TYPE_CCFILE:
- ret = sss_authtok_set_ccfile(mem_ctx, tok, (char *)(buf + *p), 0);
+ ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0);
break;
default:
return EINVAL;
@@ -1598,7 +1598,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
if (kr->keytab == NULL) return ENOMEM;
p += len;
- ret = unpack_authtok(pd, &pd->authtok, buf, size, &p);
+ ret = unpack_authtok(pd, pd->authtok, buf, size, &p);
if (ret) {
return ret;
}
@@ -1608,16 +1608,16 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
} else {
kr->ccname = NULL;
kr->keytab = NULL;
- sss_authtok_set_empty(&pd->authtok);
+ sss_authtok_set_empty(pd->authtok);
}
if (pd->cmd == SSS_PAM_CHAUTHTOK) {
- ret = unpack_authtok(pd, &pd->newauthtok, buf, size, &p);
+ ret = unpack_authtok(pd, pd->newauthtok, buf, size, &p);
if (ret) {
return ret;
}
} else {
- sss_authtok_set_empty(&pd->newauthtok);
+ sss_authtok_set_empty(pd->newauthtok);
}
if (pd->cmd == SSS_PAM_ACCT_MGMT) {
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index cc309af3..8ff65130 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -155,12 +155,12 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ||
kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
buf->size += 4*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) +
- sss_authtok_get_size(&kr->pd->authtok);
+ sss_authtok_get_size(kr->pd->authtok);
}
if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
buf->size += 2*sizeof(uint32_t) +
- sss_authtok_get_size(&kr->pd->newauthtok);
+ sss_authtok_get_size(kr->pd->newauthtok);
}
if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) {
@@ -196,14 +196,14 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(keytab), &rp);
safealign_memcpy(&buf->data[rp], keytab, strlen(keytab), &rp);
- ret = pack_authtok(buf, &rp, &kr->pd->authtok);
+ ret = pack_authtok(buf, &rp, kr->pd->authtok);
if (ret) {
return ret;
}
}
if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
- ret = pack_authtok(buf, &rp, &kr->pd->newauthtok);
+ ret = pack_authtok(buf, &rp, kr->pd->newauthtok);
if (ret) {
return ret;
}
diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
index f95fa634..87e0f3c6 100644
--- a/src/providers/krb5/krb5_delayed_online_authentication.c
+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
@@ -84,7 +84,7 @@ static void authenticate_user(struct tevent_context *ev,
return;
}
- ret = sss_authtok_set_password(pd, &pd->authtok, password, keysize);
+ ret = sss_authtok_set_password(pd->authtok, password, keysize);
safezero(password, keysize);
free(password);
if (ret) {
@@ -246,7 +246,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
return EINVAL;
}
- if (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+ if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
DEBUG(1, ("Invalid authtok for user [%s].\n", pd->user));
return EINVAL;
}
@@ -262,10 +262,10 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
const char *password;
size_t len;
- ret = sss_authtok_get_password(&new_pd->authtok, &password, &len);
+ ret = sss_authtok_get_password(new_pd->authtok, &password, &len);
if (ret) {
DEBUG(1, ("Failed to get password [%d][%s].\n", ret, strerror(ret)));
- sss_authtok_set_empty(&new_pd->authtok);
+ sss_authtok_set_empty(new_pd->authtok);
talloc_free(new_pd);
return ret;
}
@@ -275,13 +275,13 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
if (new_pd->key_serial == -1) {
ret = errno;
DEBUG(1, ("add_key failed [%d][%s].\n", ret, strerror(ret)));
- sss_authtok_set_empty(&new_pd->authtok);
+ sss_authtok_set_empty(new_pd->authtok);
talloc_free(new_pd);
return ret;
}
DEBUG(9, ("Saved authtok of user [%s] with serial [%ld].\n",
new_pd->user, new_pd->key_serial));
- sss_authtok_set_empty(&new_pd->authtok);
+ sss_authtok_set_empty(new_pd->authtok);
#endif
key.type = HASH_KEY_ULONG;
diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c
index f2ee5d91..0b1f26fd 100644
--- a/src/providers/krb5/krb5_renew_tgt.c
+++ b/src/providers/krb5/krb5_renew_tgt.c
@@ -592,10 +592,9 @@ errno_t add_tgt_to_renew_table(struct krb5_ctx *krb5_ctx, const char *ccfile,
goto done;
}
- sss_authtok_set_empty(&renew_data->pd->newauthtok);
+ sss_authtok_set_empty(renew_data->pd->newauthtok);
- ret = sss_authtok_set_ccfile(renew_data->pd, &renew_data->pd->authtok,
- renew_data->ccfile, 0);
+ ret = sss_authtok_set_ccfile(renew_data->pd->authtok, renew_data->ccfile, 0);
if (ret) {
DEBUG(1, ("Failed to store ccfile in auth token.\n"));
goto done;
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index e10c5b0e..f4e6d28f 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -722,7 +722,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
}
if ((pd->priv == 1) && (pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) &&
- (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD)) {
+ (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD)) {
DEBUG(4, ("Password reset by root is not supported.\n"));
pd->pam_status = PAM_PERM_DENIED;
dp_err = DP_ERR_OK;
@@ -747,7 +747,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
state->ctx = ctx;
subreq = auth_send(breq, be_ctx->ev, ctx,
- state->username, &pd->authtok, true);
+ state->username, pd->authtok, true);
if (!subreq) goto done;
tevent_req_set_callback(subreq, sdap_auth4chpass_done, state);
@@ -820,13 +820,13 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
const char *password;
const char *new_password;
- ret = sss_authtok_get_password(&state->pd->authtok,
+ ret = sss_authtok_get_password(state->pd->authtok,
&password, NULL);
if (ret) {
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
- ret = sss_authtok_get_password(&state->pd->newauthtok,
+ ret = sss_authtok_get_password(state->pd->newauthtok,
&new_password, NULL);
if (ret) {
state->pd->pam_status = PAM_SYSTEM_ERR;
@@ -990,7 +990,7 @@ void sdap_pam_auth_handler(struct be_req *breq)
state->pd = pd;
subreq = auth_send(breq, be_ctx->ev, ctx,
- pd->user, &pd->authtok,
+ pd->user, pd->authtok,
pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ? true : false);
if (!subreq) goto done;
@@ -1102,7 +1102,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
if (ret == EOK && be_ctx->domain->cache_credentials) {
- ret = sss_authtok_get_password(&state->pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(state->pd->authtok, &password, NULL);
if (ret == EOK) {
ret = sysdb_cache_password(be_ctx->domain->sysdb, be_ctx->domain,
state->pd->user, password);
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 280268a1..b05edf6f 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1573,7 +1573,7 @@ static void sdap_cli_auth_step(struct tevent_req *req)
SDAP_DEFAULT_BIND_DN);
const char *authtok_type;
struct dp_opt_blob authtok_blob;
- struct sss_auth_token authtok = { 0 };
+ struct sss_auth_token *authtok;
errno_t ret;
/* Set the LDAP expiration time
@@ -1599,6 +1599,12 @@ static void sdap_cli_auth_step(struct tevent_req *req)
authtok_type = dp_opt_get_string(state->opts->basic,
SDAP_DEFAULT_AUTHTOK_TYPE);
+ authtok = sss_authtok_new(state);
+ if(authtok == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
if (authtok_type != NULL) {
if (strcasecmp(authtok_type, "password") != 0) {
DEBUG(SSSDBG_TRACE_LIBS, ("Invalid authtoken type\n"));
@@ -1609,7 +1615,7 @@ static void sdap_cli_auth_step(struct tevent_req *req)
authtok_blob = dp_opt_get_blob(state->opts->basic,
SDAP_DEFAULT_AUTHTOK);
if (authtok_blob.data) {
- ret = sss_authtok_set_password(state, &authtok,
+ ret = sss_authtok_set_password(authtok,
(const char *)authtok_blob.data,
authtok_blob.length);
if (ret) {
@@ -1623,7 +1629,7 @@ static void sdap_cli_auth_step(struct tevent_req *req)
state->sh, sasl_mech,
dp_opt_get_string(state->opts->basic,
SDAP_SASL_AUTHID),
- user_dn, &authtok);
+ user_dn, authtok);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
diff --git a/src/providers/proxy/proxy.h b/src/providers/proxy/proxy.h
index 305cbe97..db0fcb43 100644
--- a/src/providers/proxy/proxy.h
+++ b/src/providers/proxy/proxy.h
@@ -89,8 +89,8 @@ struct proxy_nss_ops {
};
struct authtok_conv {
- struct sss_auth_token authtok;
- struct sss_auth_token newauthtok;
+ struct sss_auth_token *authtok;
+ struct sss_auth_token *newauthtok;
bool sent_old;
};
diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c
index 3e6a514a..011de4fb 100644
--- a/src/providers/proxy/proxy_auth.c
+++ b/src/providers/proxy/proxy_auth.c
@@ -750,7 +750,7 @@ static void proxy_child_done(struct tevent_req *req)
if ((pd->cmd == SSS_PAM_AUTHENTICATE || pd->cmd == SSS_PAM_CHAUTHTOK) &&
(pd->pam_status == PAM_SUCCESS) && be_ctx->domain->cache_credentials) {
- ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
if (ret) {
/* password caching failures are not fatal errors */
DEBUG(2, ("Failed to cache password\n"));
diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c
index 556dbf9b..efdf9120 100644
--- a/src/providers/proxy/proxy_child.c
+++ b/src/providers/proxy/proxy_child.c
@@ -98,7 +98,7 @@ static int proxy_internal_conv(int num_msg, const struct pam_message **msgm,
DEBUG(4, ("Conversation message: [%s]\n", msgm[i]->msg));
reply[i].resp_retcode = 0;
- ret = sss_authtok_get_password(&auth_data->authtok,
+ ret = sss_authtok_get_password(auth_data->authtok,
&password, &pwlen);
if (ret) goto failed;
reply[i].resp = calloc(pwlen + 1, sizeof(char));
@@ -149,7 +149,7 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm,
reply[i].resp_retcode = 0;
if (!auth_data->sent_old) {
/* The first prompt will be asking for the old authtok */
- ret = sss_authtok_get_password(&auth_data->authtok,
+ ret = sss_authtok_get_password(auth_data->authtok,
&password, &pwlen);
if (ret) goto failed;
reply[i].resp = calloc(pwlen + 1, sizeof(char));
@@ -159,7 +159,7 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm,
}
else {
/* Subsequent prompts are looking for the new authtok */
- ret = sss_authtok_get_password(&auth_data->newauthtok,
+ ret = sss_authtok_get_password(auth_data->newauthtok,
&password, &pwlen);
if (ret) goto failed;
reply[i].resp = calloc(pwlen + 1, sizeof(char));
@@ -224,8 +224,7 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd)
}
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
- sss_authtok_copy(auth_data, &pd->authtok,
- &auth_data->authtok);
+ sss_authtok_copy(pd->authtok, auth_data->authtok);
pam_status = pam_authenticate(pamh, 0);
break;
case SSS_PAM_SETCRED:
@@ -241,21 +240,18 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd)
pam_status=pam_close_session(pamh, 0);
break;
case SSS_PAM_CHAUTHTOK:
- sss_authtok_copy(auth_data, &pd->authtok,
- &auth_data->authtok);
+ sss_authtok_copy(pd->authtok, auth_data->authtok);
if (pd->priv != 1) {
pam_status = pam_authenticate(pamh, 0);
auth_data->sent_old = false;
if (pam_status != PAM_SUCCESS) break;
}
- sss_authtok_copy(auth_data, &pd->newauthtok,
- &auth_data->newauthtok);
+ sss_authtok_copy(pd->newauthtok, auth_data->newauthtok);
pam_status = pam_chauthtok(pamh, 0);
break;
case SSS_PAM_CHAUTHTOK_PRELIM:
if (pd->priv != 1) {
- sss_authtok_copy(auth_data, &pd->authtok,
- &auth_data->authtok);
+ sss_authtok_copy(pd->authtok, auth_data->authtok);
pam_status = pam_authenticate(pamh, 0);
} else {
pam_status = PAM_SUCCESS;