glib Functionsmiscellaneous functionsSynopsisglib.idle_addcallback...glib.timeout_addintervalcallback...glib.timeout_add_secondsintervalcallback...glib.io_add_watchfdconditioncallback...glib.source_removetagglib.main_context_defaultglib.markup_escape_texttextglib.child_watch_addpidfunctiondataNonepriorityglib.PRIORITY_DEFAULTglib.spawn_asyncargvenvpNoneworking_directoryNoneflags0child_setupNoneuser_dataNonestandard_inputNonestandard_outputNonestandard_errorNoneglib.get_current_timeglib.get_user_cache_dirglib.get_user_config_dirglib.get_user_data_dirglib.get_user_special_dirdirectoryglib.main_depthglib.threads_initglib.filename_display_namefilenameglib.filename_display_basenamefilenameglib.filename_from_utf8utf8stringDescriptionThese functions are part of the PyGObject glib
module but are not directly associated with a specific class.Functionsglib.idle_addglib.idle_addcallback...callback :a function to call when
PyGTK is idle... :optionals arguments to be passed to
callbackReturns :an integer IDThe glib.idle_add() function adds a
function (specified by callback) to be called
whenever there are no higher priority events pending to the default main
loop. The function is given the default idle priority,
glib.PRIORITY_DEFAULT_IDLE. Additional arguments to
pass to callback can be specified after
callback. The idle priority can be specified as a
keyword-value pair with the keyword "priority". If
callback returns FALSE it is
automatically removed from the list of event sources and will not be called
again.glib.timeout_addglib.timeout_addintervalcallback...interval :the time between calls to the function, in
milliseconds callback :the function to call... :zero or more arguments that will be passed to
callbackReturns :an integer ID of the event
sourceThe glib.timeout_add() function sets a
function (specified by callback) to be called at
regular intervals (specified by interval, with the
default priority, glib.PRIORITY_DEFAULT. Additional
arguments to pass to callback can be specified after
callback. The idle priority may be specified as a
keyword-value pair with the keyword "priority".The function is called repeatedly until it returns
FALSE, at which point the timeout is automatically
destroyed and the function will not be called again. The first call to the
function will be at the end of the first interval. Note that timeout
functions may be delayed, due to the processing of other event sources. Thus
they should not be relied on for precise timing. After each call to the
timeout function, the time of the next timeout is recalculated based on the
current time and the given interval (it does not try to 'catch up' time lost
in delays).glib.timeout_add_secondsglib.timeout_add_secondsintervalcallback...interval :the time between calls to the function, in
seconds callback :the function to call... :zero or more arguments that will be passed to
callbackReturns :an integer ID of the event
sourceThe glib.timeout_add_seconds() is similar to
glib.timeout_add() except
that interval must be specified in seconds, not
milliseconds, and the function should cause less CPU wakeups, which is important
for laptops' batteries.Unlike glib.timeout_add(), this function operates at
whole second granularity. The initial starting point of the timer is determined
by the implementation and the implementation is expected to group multiple timers
together so that they fire all at the same time. To allow this grouping, the
interval to the first timer is rounded and can deviate up to one second from the
specified interval. Subsequent timer iterations will generally run at the
specified interval.Note that timeout functions may be delayed, due to the processing of other
event sources. Thus they should not be relied on for precise timing. After each
call to the timeout function, the time of the next timeout is recalculated based
on the current time and the given interval.The grouping of timers to fire at the same time results in a more power and
CPU efficient behavior so if your timer is in multiples of seconds and you don't
require the first timer exactly one second from now, the use of
glib.timeout_add_seconds() is preferred
over glib.timeout_add().glib.io_add_watchglib.io_add_watchfdconditioncallback...fd :a Python file object or an integer file
descriptor IDcondition :a condition maskcallback :a function to call... :additional arguments to pass to
callbackReturns :an integer ID of the event sourceThe glib.io_add_watch() function
arranges for the file (specified by fd) to be
monitored by the main loop for the specified
condition. fd may be a Python
file object or an integer file descriptor. The value of condition is a
combination of:glib.IO_INThere is data to read.glib.IO_OUTData can be written (without blocking). glib.IO_PRIThere is urgent data to read.glib.IO_ERRError condition.glib.IO_HUPHung up (the connection has been broken, usually for
pipes and sockets).Additional arguments to pass to callback
can be specified after callback. The idle priority
may be specified as a keyword-value pair with the keyword "priority". The
signature of the callback function is:
def callback(source, cb_condition, ...)
where source is
fd, the file descriptor;
cb_condition is the condition that triggered the
signal; and, ... are the zero or more arguments that
were passed to the glib.io_add_watch()
function.If the callback function returns FALSE it
will be automatically removed from the list of event sources and will not be
called again. If it returns TRUE it will be called again
when the condition is matched.glib.source_removeglib.source_removetagtag :an integer IDReturns :TRUE if the event source was
removedThe glib.source_remove() function
removes the event source specified by tag (as returned by the glib.idle_add(),
glib.timeout_add()
and glib.io_add_watch()
functions)glib.main_context_defaultglib.main_context_defaultReturns :the default glib.MainContext
objectThe glib.main_context_default() function
returns the default glib.MainContext object.glib.markup_escape_textglib.markup_escape_texttexttext :the UTF-8 string to be
escapedReturns :the escaped textThis function is available in PyGTK 2.8 and above.The glib.markup_escape_text() function
escapes the string specified by text so that the
markup parser will parse it verbatim. Less than, greater than, ampersand,
etc. are replaced with the corresponding entities. This function would
typically be used when writing out a file to be parsed with the markup
parser.Note that this function doesn't protect whitespace and line
endings from being processed according to the XML rules for normalization of
line endings and attribute values.glib.child_watch_addglib.child_watch_addpidfunctiondataNonepriorityglib.PRIORITY_DEFAULTpid :process id of a child process to watchfunction :the function to calldata :the optional data to pass to
functionpriority :the priority of the idle source - one of the
Returns :the id of event source.This function is available in PyGTK 2.6 and above.The glib.child_watch_add() function sets
the function specified by function to be called with
the user data specified by data when the child
indicated by pid exits. The signature for the
callback is:
def callback(pid, condition, user_data)
where pid is is the child process id,
condition is the status information about the child
process and user_data is data
PyGTK supports only a single callback per process id.glib.spawn_asyncglib.spawn_asyncargvenvpNoneworking_directoryNoneflags0child_setupNoneuser_dataNonestandard_inputNonestandard_outputNonestandard_errorNoneargv :a sequence of strings containing the arguments
of the child processenvp :the child's environment or
None to inherit the parent's
environment.working_directory :the child's current working directory, or
None to inherit parent'sflags :flags from the .child_setup :a function to run in the child just before
calling exec()user_data :the user data for the
child_setup functionstandard_input :if TRUE return the file
descriptor for the child's stdinstandard_output :if TRUE return the file
descriptor for the child's stdoutstandard_error :if TRUE return the file
descriptor for the child's stderrReturns :a 4-tuple containing the child's process id and
the stdin, stdout and stderr file descriptor integers.This function is available in PyGTK 2.6 and above.The glib.spawn_async() function executes
a child program asynchronously (your program will not block waiting for the
child to exit). The child program is specified by the only argument that
must be provided, argv. argv
should be a sequence of strings, to be passed as the argument vector for the
child. The first string in argv is of course the name
of the program to execute. By default, the name of the program must be a
full path; the PATH shell variable will only be searched if
you pass the glib.SPAWN_SEARCH_PATH flag in
flags. The function returns a 4-tuple containing the
child's process id and the file descriptors for the child's stdin, stdout
and stderr. The stdin, stdout and stderr file descriptors are returned only
ofthe corresponding standard_input,
standard_output or
standard_error params are
TRUE.On Windows, the low-level child process creation API
(CreateProcess()) doesn't use argument vectors, but a
command line. The C runtime library's spawn*() family
of functions (which glib.spawn_async()
eventually calls) paste the argument vector elements into a command line,
and the C runtime startup code does a corresponding reconstruction of an
argument vector from the command line, to be passed to
main(). Complications arise when you have argument
vector elements that contain spaces of double quotes. The
spawn*() functions don't do any quoting or escaping,
but on the other hand the startup code does do unquoting and unescaping in
order to enable receiving arguments with embedded spaces or double
quotes. To work around this asymmetry, the glib.spawn_async()
function will do quoting and escaping on argument vector elements that need
it before calling the C runtime spawn()
function.envp is a sequence of strings, where each
string has the form KEY=VALUE. This will become the
child's environment. If envp is
None or not specified, the child inherits its
parent's environment.flags should be the bitwise
OR of the you want to affect the
function's behaviour. The glib.SPAWN_DO_NOT_REAP_CHILD
flag means that the child will not automatically be reaped; you must use a
GChildWatch source to be notified about the death of the child
process. Eventually you must call g_spawn_close_pid() on the child_pid, in
order to free resources which may be associated with the child process. (On
Unix, using a GChildWatch source is equivalent to calling
waitpid() or handling the SIGCHLD
signal manually. On Windows, calling g_spawn_close_pid() is equivalent to
calling CloseHandle() on the process handle
returned).glib.SPAWN_LEAVE_DESCRIPTORS_OPEN means
that the parent's open file descriptors will be inherited by the child;
otherwise all descriptors except stdin/stdout/stderr will be closed before
calling exec() in the
child. glib.SPAWN_SEARCH_PATH means that
argv[0] need not be an absolute path, it will be
looked for in the user's
PATH. glib.SPAWN_STDOUT_TO_DEV_NULL
means that the child's standard output will be discarded, instead of going
to the same location as the parent's standard output. If you use this flag,
standard_output must be
None. glib.SPAWN_STDERR_TO_DEV_NULL
means that the child's standard error will be discarded, instead of going to
the same location as the parent's standard error. If you use this flag,
standard_error must be
None. glib.SPAWN_CHILD_INHERITS_STDIN
means that the child will inherit the parent's standard input (by default,
the child's standard input is attached to
/dev/null). If you use this flag,
standard_input must be
None. glib.SPAWN_FILE_AND_ARGV_ZERO
means that the first element of argv is the file to
execute, while the remaining elements are the actual argument vector to pass
to the file. Normally the glib.spawn_async()
function uses argv[0] as the file to execute, and
passes all of argv to the child.child_setup and
user_data are a function and user data. On POSIX
platforms, the function is called in the child after GLib has performed all
the setup it plans to perform (including creating pipes, closing file
descriptors, etc.) but before calling exec(). That is,
child_setup is called just before calling
exec() in the child. Obviously actions taken in this
function will only affect the child, not the parent. On Windows, there is no
separate fork() and exec()
functionality. Child processes are created and run right away with one API
call,
CreateProcess(). child_setup is
called in the parent process just before creating the child process. You
should carefully consider what you do in child_setup
if you intend your software to be portable to Windows.The returned child process id can be used to send signals to the
child, or to wait for the child if you specified the
glib.SPAWN_DO_NOT_REAP_CHILD flag. On Windows, child
pid will be returned only if you specified the
glib.SPAWN_DO_NOT_REAP_CHILD flag.The caller of the glib.spawn_async()
must close any returned file descriptors when they are no longer in
use.If standard_input is
None, the child's standard input is attached to
/dev/null unless
glib.SPAWN_CHILD_INHERITS_STDIN is set.If standard_error is
None, the child's standard error goes to the same
location as the parent's standard error unless
glib.SPAWN_STDERR_TO_DEV_NULL is set.If standard_output is
None, the child's standard output goes to the same
location as the parent's standard output unless
glib.SPAWN_STDOUT_TO_DEV_NULL is set.If an error occurs, the glib.GError exception will be
raised.glib.get_current_timeglib.get_current_timeReturns :the current time as the number of seconds and
microseconds from the epoch.This function is available in PyGTK 2.8 and above.The glib.get_current_time() function
reurns the current time of day as the number of seconds and microseconds
from the epoch.glib.get_user_cache_dirglib.get_user_cache_dirReturns :
a strings with a path to user's cache directory.
This function is available in PyGObject 2.18 and above.Returns a base directory in which to store non-essential,
cached data specific to particular user.On UNIX platforms this is determined using the mechanisms
described in the
XDG
Base Directory Specification.glib.get_user_config_dirglib.get_user_config_dirReturns :
a strings with a path to user's configuration directory.
This function is available in PyGObject 2.18 and above.Returns a base directory in which to store user-specific
application configuration information such as user preferences
and settings. On UNIX platforms this is determined using the mechanisms
described in the
XDG
Base Directory Specification.glib.get_user_data_dirglib.get_user_data_dirReturns :
a strings with a path to user's data directory.
This function is available in PyGObject 2.18 and above.Returns a base directory in which to access application
data such as icons that is customized for a particular
userOn UNIX platforms this is determined using the mechanisms
described in the
XDG
Base Directory Specification.glib.get_user_special_dirglib.get_user_special_dirdirectorydirectory :
the logical id of special directory,
see User
Directory constants for the list of supported
values
Returns :
a strings with a path to the requested directory.
This function is available in PyGObject 2.18 and above.Returns the full path of a special directory using its
logical id.On Unix this is done using the XDG special user
directories. For compatibility with existing practise,
glib.USER_DIRECTORY_DESKTOP
falls back to $HOME/Desktop when XDG
special user directories have not been set up.Depending on the platform, the user might be able to
change the path of the special directory without requiring the
session to restart; GLib will not reflect any change once the
special directories are loaded.glib.main_depthglib.main_depthReturns :the depth of the stack of calls to the main
context.This function is available in PyGTK 2.8 and above.The main_depth() function returns the depth
of the stack of calls in the main context. That is, when called from the
toplevel, it gives 0. When called from within a callback from the glib.MainContext.iteration()
method (or the glib.MainLoop.run()
method, etc.) it returns 1. When called from within a callback to a
recursive call to the glib.MainContext.iteration()
method), it returns 2. And so forth.glib.threads_initglib.threads_initReturns :This function is available in PyGTK 2.4 and above.The threads_init() function initializes the
the use of Python threading in the glib module. This function is
different than the gtk.gdk.threads_init()
function as that function also initializes the gdk threads.glib.signal_accumulator_true_handledglib.signal_accumulator_true_handledThis function is available in PyGTK 2.8 and above.The signal_accumulator_true_handled()
function is only used as accumulator argument when registering
signals.glib.filename_display_nameglib.filename_display_namefilenamefilename :a pathname in the file name
encodingReturns :an UTF8 rendition of
filename.This function is available in PyGTK 2.10 and above.The filename_display_name() function
converts a filename into a valid UTF-8 string. The conversion is not
necessarily reversible, so you should keep the original around and use
the return value of this function only for display purposes. Unlike
g_filename_to_utf8(), the result is guaranteed to be non-None even if
the filename actually isn't in the file name encoding.If you know the whole pathname of the file you should use the
glib.filename_display_basename()
function, since that allows location-based translation of
filenames.glib.filename_display_basenameglib.filename_display_basenamefilenamefilename :an absolute pathname in the file name
encodingReturns :an UTF8 rendition of
filename.This function is available in PyGTK 2.10 and above.The filename_display_basename() function
returns the display basename for the particular filename, guaranteed
to be valid UTF-8. The display name might not be identical to the
filename, for instance there might be problems converting it to UTF-8,
and some files can be translated in the display.You must pass the whole absolute pathname to this functions so
that translation of well known locations can be done.This function is preferred over the glib.filename_display_name()
function if you know the whole path, as it allows translation.glib.filename_from_utf8glib.filename_from_utf8utf8stringutf8string :a UTF-8 encoded string.Returns :a filename encoded in the GLib filename
encoding.This function is available in PyGTK 2.10 and above.The filename_from_utf8() function converts
a string from UTF-8 to the encoding GLib uses for filenames. Note that
on Windows GLib uses UTF-8 for filenames.12331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600
/* Authors: Sumit Bose <sbose@redhat.com> Copyright (C) 2009 Red Hat Copyright (C) 2010, rhafer@suse.de, Novell Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.*/#define PAM_SM_AUTH#define PAM_SM_ACCOUNT#define PAM_SM_SESSION#define PAM_SM_PASSWORD#include"config.h"#include <sys/types.h>#include <unistd.h>#include <stdlib.h>#include <stdint.h>#include <stdio.h>#include <syslog.h>#include <time.h>#include <sys/stat.h>#include <fcntl.h>#include <errno.h>#include <locale.h>#include <stdbool.h>#include <security/pam_modules.h>#include <security/pam_ext.h>#include <security/pam_modutil.h>#include"sss_pam_macros.h"#include"sss_cli.h"#include <libintl.h>#define _(STRING) dgettext (PACKAGE, STRING)#define FLAGS_USE_FIRST_PASS (1 << 0)#define FLAGS_FORWARD_PASS (1 << 1)#define FLAGS_USE_AUTHTOK (1 << 2)#define PWEXP_FLAG"pam_sss:password_expired_flag"#define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s"#define PW_RESET_MSG_MAX_SIZE 4096#define OPT_RETRY_KEY"retry="struct pam_items {const char* pam_service;const char* pam_user;const char* pam_tty;const char* pam_ruser;const char* pam_rhost;char* pam_authtok;char* pam_newauthtok;const char* pamstack_authtok;const char* pamstack_oldauthtok;size_t pam_service_size;size_t pam_user_size;size_t pam_tty_size;size_t pam_ruser_size;size_t pam_rhost_size;int pam_authtok_type;size_t pam_authtok_size;int pam_newauthtok_type;size_t pam_newauthtok_size;
pid_t cli_pid;const char*login_name;char*domain_name;};#define DEBUG_MGS_LEN 1024#define MAX_AUTHTOK_SIZE (1024*1024)#define CHECK_AND_RETURN_PI_STRING(s) ((s != NULL && *s !='\0')? s :"(not available)")static voidlogger(pam_handle_t *pamh,int level,const char*fmt, ...) {va_list ap;va_start(ap, fmt);#ifdef DEBUGva_list apd;char debug_msg[DEBUG_MGS_LEN];int ret;va_copy(apd, ap);
ret =vsnprintf(debug_msg, DEBUG_MGS_LEN, fmt, apd);if(ret >= DEBUG_MGS_LEN) {D(("the following message is truncated:%s", debug_msg));}else if(ret <0) {D(("vsnprintf failed to format debug message!"));}else{D((debug_msg));}va_end(apd);#endifpam_vsyslog(pamh, LOG_AUTHPRIV|level, fmt, ap);va_end(ap);}static voidfree_exp_data(pam_handle_t *pamh,void*ptr,int err){free(ptr);
ptr = NULL;}static size_tadd_authtok_item(enum pam_item_type type,enum sss_authtok_type authtok_type,const char*tok,const size_t size,uint8_t*buf) {size_t rp=0;uint32_t c;if(tok == NULL)return0;
c = type;memcpy(&buf[rp], &c,sizeof(uint32_t));
rp +=sizeof(uint32_t);
c = size +sizeof(uint32_t);memcpy(&buf[rp], &c,sizeof(uint32_t));
rp +=sizeof(uint32_t);
c = authtok_type;memcpy(&buf[rp], &c,sizeof(uint32_t));
rp +=sizeof(uint32_t);memcpy(&buf[rp], tok, size);
rp += size;return rp;}static size_tadd_uint32_t_item(enum pam_item_type type,const uint32_t val,uint8_t*buf) {size_t rp=0;uint32_t c;
c = type;memcpy(&buf[rp], &c,sizeof(uint32_t));
rp +=sizeof(uint32_t);
c =sizeof(uint32_t);memcpy(&buf[rp], &c,sizeof(uint32_t));
rp +=sizeof(uint32_t);
c = val;memcpy(&buf[rp], &c,sizeof(uint32_t));
rp +=sizeof(uint32_t);return rp;}static size_tadd_string_item(enum pam_item_type type,const char*str,const size_t size,uint8_t*buf) {size_t rp=0;uint32_t c;if(str == NULL || *str =='\0')return0;
c = type;memcpy(&buf[rp], &c,sizeof(uint32_t));
rp +=sizeof(uint32_t);
c = size;memcpy(&buf[rp], &c,sizeof(uint32_t));
rp +=sizeof(uint32_t);memcpy(&buf[rp], str, size);
rp += size;return rp;}static voidoverwrite_and_free_pam_items(struct pam_items *pi){if(pi->pam_authtok != NULL) {_pam_overwrite_n((void*)pi->pam_authtok, pi->pam_authtok_size);free((void*)pi->pam_authtok);
pi->pam_authtok = NULL;}if(pi->pam_newauthtok != NULL) {_pam_overwrite_n((void*)pi->pam_newauthtok, pi->pam_newauthtok_size);free((void*)pi->pam_newauthtok);
pi->pam_newauthtok = NULL;}
pi->pamstack_authtok = NULL;
pi->pamstack_oldauthtok = NULL;free(pi->domain_name);
pi->domain_name = NULL;}static intpack_message_v3(struct pam_items *pi,size_t*size,uint8_t**buffer) {int len;uint8_t*buf;int rp;uint32_t terminator = SSS_END_OF_PAM_REQUEST;
len =sizeof(uint32_t) +2*sizeof(uint32_t) + pi->pam_user_size +sizeof(uint32_t);
len += *pi->pam_service !='\0'?2*sizeof(uint32_t) + pi->pam_service_size :0;
len += *pi->pam_tty !='\0'?2*sizeof(uint32_t) + pi->pam_tty_size :0;
len += *pi->pam_ruser !='\0'?2*sizeof(uint32_t) + pi->pam_ruser_size :0;
len += *pi->pam_rhost !='\0'?2*sizeof(uint32_t) + pi->pam_rhost_size :0;
len += pi->pam_authtok != NULL ?3*sizeof(uint32_t) + pi->pam_authtok_size :0;
len += pi->pam_newauthtok != NULL ?3*sizeof(uint32_t) + pi->pam_newauthtok_size :0;
len +=3*sizeof(uint32_t);/* cli_pid */
buf =malloc(len);if(buf == NULL) {D(("malloc failed."));return PAM_BUF_ERR;}
rp =0;((uint32_t*)(&buf[rp]))[0] = SSS_START_OF_PAM_REQUEST;
rp +=sizeof(uint32_t);
rp +=add_string_item(SSS_PAM_ITEM_USER, pi->pam_user, pi->pam_user_size,&buf[rp]);
rp +=add_string_item(SSS_PAM_ITEM_SERVICE, pi->pam_service,
pi->pam_service_size, &buf[rp]);
rp +=add_string_item(SSS_PAM_ITEM_TTY, pi->pam_tty, pi->pam_tty_size,&buf[rp]);
rp +=add_string_item(SSS_PAM_ITEM_RUSER, pi->pam_ruser, pi->pam_ruser_size,&buf[rp]);
rp +=add_string_item(SSS_PAM_ITEM_RHOST, pi->pam_rhost, pi->pam_rhost_size,&buf[rp]);
rp +=add_uint32_t_item(SSS_PAM_ITEM_CLI_PID, (uint32_t) pi->cli_pid,&buf[rp]);
rp +=add_authtok_item(SSS_PAM_ITEM_AUTHTOK, pi->pam_authtok_type,
pi->pam_authtok, pi->pam_authtok_size, &buf[rp]);
rp +=add_authtok_item(SSS_PAM_ITEM_NEWAUTHTOK, pi->pam_newauthtok_type,
pi->pam_newauthtok, pi->pam_newauthtok_size,&buf[rp]);memcpy(&buf[rp], &terminator,sizeof(uint32_t));
rp +=sizeof(uint32_t);if(rp != len) {D(("error during packet creation."));free(buf);return PAM_BUF_ERR;}*size = len;*buffer = buf;return0;}static intnull_strcmp(const char*s1,const char*s2) {if(s1 == NULL && s2 == NULL)return0;if(s1 == NULL && s2 != NULL)return-1;if(s1 != NULL && s2 == NULL)return1;returnstrcmp(s1, s2);}enum{
SSS_PAM_CONV_DONE =0,
SSS_PAM_CONV_STD,
SSS_PAM_CONV_REENTER,};static intdo_pam_conversation(pam_handle_t *pamh,const int msg_style,const char*msg,const char*reenter_msg,char**_answer){int ret;int state = SSS_PAM_CONV_STD;struct pam_conv *conv;const struct pam_message *mesg[1];struct pam_message *pam_msg;struct pam_response *resp=NULL;char*answer = NULL;if((msg_style == PAM_TEXT_INFO || msg_style == PAM_ERROR_MSG) &&
msg == NULL)return PAM_SYSTEM_ERR;if((msg_style == PAM_PROMPT_ECHO_OFF ||
msg_style == PAM_PROMPT_ECHO_ON) &&(msg == NULL || _answer == NULL))return PAM_SYSTEM_ERR;if(msg_style == PAM_TEXT_INFO || msg_style == PAM_ERROR_MSG) {logger(pamh, LOG_INFO,"User%smessage:%s",
msg_style == PAM_TEXT_INFO ?"info":"error",
msg);}
ret=pam_get_item(pamh, PAM_CONV, (const void**) &conv);if(ret != PAM_SUCCESS)return ret;do{
pam_msg =malloc(sizeof(struct pam_message));if(pam_msg == NULL) {D(("Malloc failed."));
ret = PAM_SYSTEM_ERR;goto failed;}
pam_msg->msg_style = msg_style;if(state == SSS_PAM_CONV_REENTER) {
pam_msg->msg = reenter_msg;}else{
pam_msg->msg = msg;}
mesg[0] = (const struct pam_message *) pam_msg;
ret=conv->conv(1, mesg, &resp,
conv->appdata_ptr);free(pam_msg);if(ret != PAM_SUCCESS) {D(("Conversation failure:%s.",pam_strerror(pamh,ret)));goto failed;}if(msg_style == PAM_PROMPT_ECHO_OFF ||
msg_style == PAM_PROMPT_ECHO_ON) {if(resp == NULL) {D(("response expected, but resp==NULL"));
ret = PAM_SYSTEM_ERR;goto failed;}if(state == SSS_PAM_CONV_REENTER) {if(null_strcmp(answer, resp[0].resp) !=0) {logger(pamh, LOG_NOTICE,"Passwords do not match.");_pam_overwrite((void*)resp[0].resp);free(resp[0].resp);if(answer != NULL) {_pam_overwrite((void*) answer);free(answer);
answer = NULL;}
ret =do_pam_conversation(pamh, PAM_ERROR_MSG,_("Passwords do not match"),
NULL, NULL);if(ret != PAM_SUCCESS) {D(("do_pam_conversation failed."));
ret = PAM_SYSTEM_ERR;goto failed;}
ret = PAM_CRED_ERR;goto failed;}_pam_overwrite((void*)resp[0].resp);free(resp[0].resp);}else{if(resp[0].resp == NULL) {D(("Empty password"));
answer = NULL;}else{
answer =strndup(resp[0].resp, MAX_AUTHTOK_SIZE);_pam_overwrite((void*)resp[0].resp);free(resp[0].resp);if(answer == NULL) {D(("strndup failed"));
ret = PAM_BUF_ERR;goto failed;}}}free(resp);
resp = NULL;}if(reenter_msg != NULL && state == SSS_PAM_CONV_STD) {
state = SSS_PAM_CONV_REENTER;}else{
state = SSS_PAM_CONV_DONE;}}while(state != SSS_PAM_CONV_DONE);if(_answer) *_answer = answer;return PAM_SUCCESS;
failed:free(answer);return ret;}static errno_t display_pw_reset_message(pam_handle_t *pamh,const char*domain_name,const char*suffix){int ret;struct stat stat_buf;char*msg_buf = NULL;int fd = -1;size_t size;size_t total_len;char*filename = NULL;