Making the authtok structure really opaque.

Definition of structure sss_auth_token was removed from header file
authtok.h and there left only declaration of this structure.
Therefore only way how to use this structure is to use accessory function from
same header file.

To creating new empty authotok can only be used newly created function
sss_authtok_new(). TALLOC context was removed from copy and setter functions,
because pointer to stuct sss_auth_token is used as a memory context.

All declaration of struct sss_auth_token variables was replaced with
pointer to this structure and related changes was made in source code.

Function copy_pam_data can copy from argument src which was dynamically
allocated with function create_pam_data() or zero initialized struct pam_data
allocated on stack.

https://fedorahosted.org/sssd/ticket/1830

5 files changed, 31 insertions, 32 deletions

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index a9b75768c..6c0f429fb 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -284,7 +284,7 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
     const char *password = NULL;
     errno_t ret;
 
-    ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+    ret = sss_authtok_get_password(pd->authtok, &password, NULL);
     if (ret != EOK) {
         DEBUG(0, ("Failed to get password [%d] %s\n", ret, strerror(ret)));
         *pam_status = PAM_SYSTEM_ERR;
@@ -397,10 +397,10 @@ static void krb5_auth_store_creds(struct sysdb_ctx *sysdb,
             break;
         case SSS_PAM_AUTHENTICATE:
         case SSS_PAM_CHAUTHTOK_PRELIM:
-            ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+            ret = sss_authtok_get_password(pd->authtok, &password, NULL);
             break;
         case SSS_PAM_CHAUTHTOK:
-            ret = sss_authtok_get_password(&pd->newauthtok, &password, NULL);
+            ret = sss_authtok_get_password(pd->newauthtok, &password, NULL);
             break;
         default:
             DEBUG(0, ("unsupported PAM command [%d].\n", pd->cmd));
@@ -490,7 +490,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
         case SSS_PAM_AUTHENTICATE:
         case SSS_CMD_RENEW:
         case SSS_PAM_CHAUTHTOK:
-            if (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+            if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
                 DEBUG(1, ("Missing authtok for user [%s].\n", pd->user));
                 state->pam_status = PAM_SYSTEM_ERR;
                 state->dp_err = DP_ERR_FATAL;
@@ -500,7 +500,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
             break;
         case SSS_PAM_CHAUTHTOK_PRELIM:
             if (pd->priv == 1 &&
-                sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+                sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
                 DEBUG(4, ("Password reset by root is not supported.\n"));
                 state->pam_status = PAM_PERM_DENIED;
                 state->dp_err = DP_ERR_OK;
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 52127b39a..4ccd75d26 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1201,7 +1201,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
 
     DEBUG(SSSDBG_TRACE_LIBS, ("Password change operation\n"));
 
-    ret = sss_authtok_get_password(&kr->pd->authtok, &password, NULL);
+    ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
     if (ret != EOK) {
         DEBUG(1, ("Failed to fetch current password [%d] %s.\n",
                   ret, strerror(ret)));
@@ -1233,7 +1233,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
         return kerr;
     }
 
-    sss_authtok_set_empty(&kr->pd->authtok);
+    sss_authtok_set_empty(kr->pd->authtok);
 
     if (prelim) {
         DEBUG(SSSDBG_TRACE_LIBS,
@@ -1243,7 +1243,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
         return EOK;
     }
 
-    ret = sss_authtok_get_password(&kr->pd->newauthtok, &newpassword, NULL);
+    ret = sss_authtok_get_password(kr->pd->newauthtok, &newpassword, NULL);
     if (ret != EOK) {
         DEBUG(1, ("Failed to fetch new password [%d] %s.\n",
                   ret, strerror(ret)));
@@ -1307,7 +1307,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
 
     kerr = get_and_save_tgt(kr, newpassword);
 
-    sss_authtok_set_empty(&kr->pd->newauthtok);
+    sss_authtok_set_empty(kr->pd->newauthtok);
 
     if (kerr == 0) {
         kerr = k5c_attach_ccname_msg(kr);
@@ -1324,7 +1324,7 @@ static errno_t tgt_req_child(struct krb5_req *kr)
 
     DEBUG(SSSDBG_TRACE_LIBS, ("Attempting to get a TGT\n"));
 
-    ret = sss_authtok_get_password(&kr->pd->authtok, &password, NULL);
+    ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
     switch (ret) {
         if (ret == EACCES) {
             DEBUG(SSSDBG_OP_FAILURE, ("Invalid authtok type\n"));
@@ -1379,7 +1379,7 @@ static errno_t tgt_req_child(struct krb5_req *kr)
     }
 
 done:
-    sss_authtok_set_empty(&kr->pd->authtok);
+    sss_authtok_set_empty(kr->pd->authtok);
     return ret;
 }
 
@@ -1423,11 +1423,11 @@ static errno_t renew_tgt_child(struct krb5_req *kr)
 
     DEBUG(SSSDBG_TRACE_LIBS, ("Renewing a ticket\n"));
 
-    ret = sss_authtok_get_ccfile(&kr->pd->authtok, &ccname, NULL);
+    ret = sss_authtok_get_ccfile(kr->pd->authtok, &ccname, NULL);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE,
               ("Unsupported authtok type for TGT renewal [%d].\n",
-               sss_authtok_get_type(&kr->pd->authtok)));
+               sss_authtok_get_type(kr->pd->authtok)));
         return ERR_INVALID_CRED_TYPE;
     }
 
@@ -1527,10 +1527,10 @@ static errno_t unpack_authtok(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok,
         sss_authtok_set_empty(tok);
         break;
     case SSS_AUTHTOK_TYPE_PASSWORD:
-        ret = sss_authtok_set_password(mem_ctx, tok, (char *)(buf + *p), 0);
+        ret = sss_authtok_set_password(tok, (char *)(buf + *p), 0);
         break;
     case SSS_AUTHTOK_TYPE_CCFILE:
-        ret = sss_authtok_set_ccfile(mem_ctx, tok, (char *)(buf + *p), 0);
+        ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0);
         break;
     default:
         return EINVAL;
@@ -1598,7 +1598,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
         if (kr->keytab == NULL) return ENOMEM;
         p += len;
 
-        ret = unpack_authtok(pd, &pd->authtok, buf, size, &p);
+        ret = unpack_authtok(pd, pd->authtok, buf, size, &p);
         if (ret) {
             return ret;
         }
@@ -1608,16 +1608,16 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
     } else {
         kr->ccname = NULL;
         kr->keytab = NULL;
-        sss_authtok_set_empty(&pd->authtok);
+        sss_authtok_set_empty(pd->authtok);
     }
 
     if (pd->cmd == SSS_PAM_CHAUTHTOK) {
-        ret = unpack_authtok(pd, &pd->newauthtok, buf, size, &p);
+        ret = unpack_authtok(pd, pd->newauthtok, buf, size, &p);
         if (ret) {
             return ret;
         }
     } else {
-        sss_authtok_set_empty(&pd->newauthtok);
+        sss_authtok_set_empty(pd->newauthtok);
     }
 
     if (pd->cmd == SSS_PAM_ACCT_MGMT) {
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index cc309af34..8ff65130f 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -155,12 +155,12 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
         kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ||
         kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
         buf->size += 4*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) +
-                     sss_authtok_get_size(&kr->pd->authtok);
+                     sss_authtok_get_size(kr->pd->authtok);
     }
 
     if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
         buf->size += 2*sizeof(uint32_t) +
-                     sss_authtok_get_size(&kr->pd->newauthtok);
+                     sss_authtok_get_size(kr->pd->newauthtok);
     }
 
     if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) {
@@ -196,14 +196,14 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
         SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(keytab), &rp);
         safealign_memcpy(&buf->data[rp], keytab, strlen(keytab), &rp);
 
-        ret = pack_authtok(buf, &rp, &kr->pd->authtok);
+        ret = pack_authtok(buf, &rp, kr->pd->authtok);
         if (ret) {
             return ret;
         }
     }
 
     if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
-        ret = pack_authtok(buf, &rp, &kr->pd->newauthtok);
+        ret = pack_authtok(buf, &rp, kr->pd->newauthtok);
         if (ret) {
             return ret;
         }
diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
index f95fa634c..87e0f3c63 100644
--- a/src/providers/krb5/krb5_delayed_online_authentication.c
+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
@@ -84,7 +84,7 @@ static void authenticate_user(struct tevent_context *ev,
         return;
     }
 
-    ret = sss_authtok_set_password(pd, &pd->authtok, password, keysize);
+    ret = sss_authtok_set_password(pd->authtok, password, keysize);
     safezero(password, keysize);
     free(password);
     if (ret) {
@@ -246,7 +246,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
         return EINVAL;
     }
 
-    if (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+    if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
         DEBUG(1, ("Invalid authtok for user [%s].\n", pd->user));
         return EINVAL;
     }
@@ -262,10 +262,10 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
     const char *password;
     size_t len;
 
-    ret = sss_authtok_get_password(&new_pd->authtok, &password, &len);
+    ret = sss_authtok_get_password(new_pd->authtok, &password, &len);
     if (ret) {
         DEBUG(1, ("Failed to get password [%d][%s].\n", ret, strerror(ret)));
-        sss_authtok_set_empty(&new_pd->authtok);
+        sss_authtok_set_empty(new_pd->authtok);
         talloc_free(new_pd);
         return ret;
     }
@@ -275,13 +275,13 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
     if (new_pd->key_serial == -1) {
         ret = errno;
         DEBUG(1, ("add_key failed [%d][%s].\n", ret, strerror(ret)));
-        sss_authtok_set_empty(&new_pd->authtok);
+        sss_authtok_set_empty(new_pd->authtok);
         talloc_free(new_pd);
         return ret;
     }
     DEBUG(9, ("Saved authtok of user [%s] with serial [%ld].\n",
               new_pd->user, new_pd->key_serial));
-    sss_authtok_set_empty(&new_pd->authtok);
+    sss_authtok_set_empty(new_pd->authtok);
 #endif
 
     key.type = HASH_KEY_ULONG;
diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c
index f2ee5d91f..0b1f26fd3 100644
--- a/src/providers/krb5/krb5_renew_tgt.c
+++ b/src/providers/krb5/krb5_renew_tgt.c
@@ -592,10 +592,9 @@ errno_t add_tgt_to_renew_table(struct krb5_ctx *krb5_ctx, const char *ccfile,
         goto done;
     }
 
-    sss_authtok_set_empty(&renew_data->pd->newauthtok);
+    sss_authtok_set_empty(renew_data->pd->newauthtok);
 
-    ret = sss_authtok_set_ccfile(renew_data->pd, &renew_data->pd->authtok,
-                                 renew_data->ccfile, 0);
+    ret = sss_authtok_set_ccfile(renew_data->pd->authtok, renew_data->ccfile, 0);
     if (ret) {
         DEBUG(1, ("Failed to store ccfile in auth token.\n"));
         goto done;