authorJan Pazdziora <jpazdziora@redhat.com>2014-01-08 19:04:59 +0800
committerJan Pazdziora <jpazdziora@redhat.com>2014-01-09 10:00:47 +0800
commit05dad6aec81f5debb3b229cb2e77083fd2724fb4 (patch)
tree80e5f50ba3f3c504d6bd5f772c7401f1ee5b5103
parentdf8b6850cb48bee2d83177b85aa6663888edba25 (diff)
Use pam_authenticate_with_login_password from mod_authnz_pam.mod_intercept_form_submit-0.9.1
-rw-r--r--README2
-rw-r--r--mod_intercept_form_submit.c78
-rw-r--r--mod_intercept_form_submit.spec10
3 files changed, 28 insertions, 62 deletions
diff --git a/README b/README
index 54a8b36..c5bcf15 100644
--- a/README
+++ b/README
@@ -99,7 +99,7 @@ Building from sources
When building from sources, command
- apxs -i -a -c mod_intercept_form_submit.c -lpam -Wall -pedantic
+ apxs -i -a -c mod_intercept_form_submit.c -Wall -pedantic
should build and install the module.
diff --git a/mod_intercept_form_submit.c b/mod_intercept_form_submit.c
index 3a64196..4543e59 100644
--- a/mod_intercept_form_submit.c
+++ b/mod_intercept_form_submit.c
@@ -22,7 +22,7 @@
#include "http_config.h"
#include "http_request.h"
-#include <security/pam_appl.h>
+#include "mod_auth.h"
typedef struct ifs_config {
char * login_name;
@@ -40,11 +40,17 @@ typedef struct {
int password_fragment_start_bucket_offset;
} ifs_filter_ctx_t;
+
module AP_MODULE_DECLARE_DATA intercept_form_submit_module;
APR_DECLARE_OPTIONAL_FN(int, lookup_identity_hook, (request_rec * r));
static APR_OPTIONAL_FN_TYPE(lookup_identity_hook) * lookup_identity_hook_fn = NULL;
+APR_DECLARE_OPTIONAL_FN(authn_status, pam_authenticate_with_login_password,
+ (request_rec * r, const char * pam_service,
+ const char * login, const char * password, int steps));
+static APR_OPTIONAL_FN_TYPE(pam_authenticate_with_login_password) * pam_authenticate_with_login_password_fn = NULL;
+
const char * add_login_to_blacklist(cmd_parms * cmd, void * conf_void, const char * arg) {
ifs_config * cfg = (ifs_config *) conf_void;
if (cfg) {
@@ -66,65 +72,14 @@ static const command_rec directives[] = {
{ NULL }
};
-int pam_authenticate_conv(int num_msg, const struct pam_message ** msg, struct pam_response ** resp, void * appdata_ptr) {
- struct pam_response * response = NULL;
- if (!msg || !resp || !appdata_ptr)
- return PAM_CONV_ERR;
- if (!(response = malloc(num_msg * sizeof(struct pam_response))))
- return PAM_CONV_ERR;
- int i;
- for (i = 0; i < num_msg; i++) {
- response[i].resp = 0;
- response[i].resp_retcode = 0;
- if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
- response[i].resp = strdup(appdata_ptr);
- } else {
- free(response);
- return PAM_CONV_ERR;
- }
- }
- * resp = response;
- return PAM_SUCCESS;
-}
-
#define _REMOTE_USER_ENV_NAME "REMOTE_USER"
-#define _EXTERNAL_AUTH_ERROR_ENV_NAME "EXTERNAL_AUTH_ERROR"
-int pam_authenticate_with_login_password(request_rec * r, const char * pam_service, char * login, const char * password) {
- pam_handle_t * pamh = NULL;
- struct pam_conv pam_conversation = { &pam_authenticate_conv, (void *) password };
- const char * stage = "PAM transaction failed for service";
- const char * param = pam_service;
- int ret;
- if ((ret = pam_start(pam_service, login, &pam_conversation, &pamh)) == PAM_SUCCESS) {
- param = login;
- stage = "PAM authentication failed for user";
- if ((ret = pam_authenticate(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK)) == PAM_SUCCESS) {
- stage = "PAM account validation failed for user";
- ret = pam_acct_mgmt(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
- }
- }
- if (ret != PAM_SUCCESS) {
- const char * strerr = pam_strerror(pamh, ret);
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server, "mod_intercept_form_submit: %s %s: %s", stage, param, strerr);
- apr_table_setn(r->subprocess_env, _EXTERNAL_AUTH_ERROR_ENV_NAME, apr_pstrdup(r->pool, strerr));
- pam_end(pamh, ret);
- return 0;
- }
- apr_table_setn(r->subprocess_env, _REMOTE_USER_ENV_NAME, login);
- r->user = login;
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, r->server, "mod_intercept_form_submit: PAM authentication passed for user %s", login);
- pam_end(pamh, ret);
- if (lookup_identity_hook_fn) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "mod_intercept_form_submit: calling lookup_identity_hook");
- lookup_identity_hook_fn(r);
- } else {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "mod_intercept_form_submit: not calling lookup_identity_hook, is NULL");
- }
- return 1;
-}
+
void register_lookup_identity_hook_fn(void) {
lookup_identity_hook_fn = APR_RETRIEVE_OPTIONAL_FN(lookup_identity_hook);
}
+void register_pam_authenticate_with_login_password_fn(void) {
+ pam_authenticate_with_login_password_fn = APR_RETRIEVE_OPTIONAL_FN(pam_authenticate_with_login_password);
+}
int hex2char(int c) {
if (c >= '0' && c <= '9')
@@ -291,7 +246,15 @@ int intercept_form_submit_process_buffer(ap_filter_t * f, ifs_config * config, c
}
}
if (run_auth) {
- pam_authenticate_with_login_password(r, config->pam_service, *login_value, *password_value);
+ authn_status auth_result = pam_authenticate_with_login_password_fn(r, config->pam_service, *login_value, *password_value, 3);
+ if (auth_result == AUTH_GRANTED) {
+ if (lookup_identity_hook_fn) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "mod_intercept_form_submit: calling lookup_identity_hook");
+ lookup_identity_hook_fn(r);
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "mod_intercept_form_submit: not calling lookup_identity_hook, is NULL");
+ }
+ }
if (config->password_redact > 0) {
intercept_form_redact_password(f, config);
}
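Review bot: The optional function pointer `pam_authenticate_with_login_password_fn` is called in the `if (run_auth)` branch without a NULL check, yet it is initialised to NULL in the earlier hunk and only set in `register_pam_authenticate_with_login_password_fn`, so when mod_authnz_pam is not loaded the first intercepted login form dereferences a NULL function pointer and takes the worker down; the sibling `lookup_identity_hook_fn` two lines later is guarded, this one should be too. Replace the assignment line with `authn_status auth_result = AUTH_GENERAL_ERROR;` `if (pam_authenticate_with_login_password_fn) auth_result = pam_authenticate_with_login_password_fn(r, config->pam_service, *login_value, *password_value, 3);` `else ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, "mod_intercept_form_submit: pam_authenticate_with_login_password not available, is mod_authnz_pam loaded?");` and keep the `AUTH_GRANTED` test as is. The `Requires: mod_authnz_pam >= 0.6` added in the spec hunk only guarantees the package is installed, not that the module is loaded before this one, so the runtime check is still needed. The removed implementation also exported `REMOTE_USER` and `EXTERNAL_AUTH_ERROR` into `subprocess_env` and set `r->user`; whether the mod_authnz_pam function does the same is not visible here and is worth confirming, since the spec context on this page still promises REMOTE_USER is set when authentication passes. `intercept_form_submit_process_buffer` begins and ends outside the hunk, and the bare `3` passed as `steps` would read better with a short comment or a named constant.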
@@ -477,6 +440,7 @@ static void register_hooks(apr_pool_t * pool) {
ap_hook_insert_filter(intercept_form_submit_init, NULL, NULL, APR_HOOK_MIDDLE);
ap_register_input_filter("intercept_form_submit_filter", intercept_form_submit_filter, NULL, AP_FTYPE_RESOURCE);
ap_hook_optional_fn_retrieve(register_lookup_identity_hook_fn, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_optional_fn_retrieve(register_pam_authenticate_with_login_password_fn, NULL, NULL, APR_HOOK_MIDDLE);
}
module AP_MODULE_DECLARE_DATA intercept_form_submit_module = {
diff --git a/mod_intercept_form_submit.spec b/mod_intercept_form_submit.spec
index 17477a1..471ec9a 100644
--- a/mod_intercept_form_submit.spec
+++ b/mod_intercept_form_submit.spec
@@ -6,18 +6,17 @@
Summary: Apache module to intercept login form submission and run PAM authentication.
Name: mod_intercept_form_submit
-Version: 0.9
+Version: 0.9.1
Release: 1%{?dist}
License: ASL 2.0
Group: System Environment/Daemons
URL: http://www.adelton.com/apache/mod_intercept_form_submit/
Source0: http://www.adelton.com/apache/mod_intercept_form_submit/%{name}-%{version}.tar.gz
BuildRequires: httpd-devel
-BuildRequires: pam-devel
BuildRequires: pkgconfig
Requires(pre): httpd
Requires: httpd
-Requires: pam
+Requires: mod_authnz_pam >= 0.6
# Suppres auto-provides for module DSO
%{?filter_provides_in: %filter_provides_in %{_libdir}/httpd/modules/.*\.so$}
@@ -33,7 +32,7 @@ the REMOTE_USER environment variable if the authentication passes.
%setup -q -n %{name}-%{version}
%build
-%{_httpd_apxs} -c mod_intercept_form_submit.c -lpam -Wall -pedantic
+%{_httpd_apxs} -c mod_intercept_form_submit.c -Wall -pedantic
%install
rm -rf $RPM_BUILD_ROOT
@@ -57,6 +56,9 @@ install -Dp -m 0644 intercept_form_submit.conf $RPM_BUILD_ROOT%{_httpd_confdir}/
%{_httpd_moddir}/*.so
%changelog
+* Wed Jan 08 2014 Jan Pazdziora - 0.9.1-1
+- Use mod_authnz_pam for the actual PAM authentication.
+
* Thu Dec 05 2013 Jan Pazdziora - 0.9-1
- Perform PAM account validation, not just authentication.
- Support Content-Type with charset parameter.