authorLukas Slebodnik <lslebodn@redhat.com>2013-03-14 09:10:39 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-04-02 17:01:08 +0200
commit9acfb09f7969a69f58bd45c856b01700541853ca (patch)
tree51b08598dde631e49910dc3c5865460208a6a9f5 /src/providers/ldap
parent53b58615fbc13eddcd6e2f28066b67cb5f16b6d3 (diff)
Making the authtok structure really opaque.
The definition of struct sss_auth_token was removed from the header file authtok.h, leaving only a declaration of the structure there. The only way to use the structure is therefore through the accessor functions from the same header file. A new empty authtok can only be created with the newly added function sss_authtok_new(). The TALLOC context was removed from the copy and setter functions, because the pointer to struct sss_auth_token is used as the memory context. All declarations of struct sss_auth_token variables were replaced with pointers to this structure, and the related changes were made in the source code. The function copy_pam_data can copy from an argument src that was dynamically allocated with create_pam_data() or that is a zero-initialized struct pam_data allocated on the stack. https://fedorahosted.org/sssd/ticket/1830
Diffstat (limited to 'src/providers/ldap')
-rw-r--r--src/providers/ldap/ldap_auth.c12
-rw-r--r--src/providers/ldap/sdap_async_connection.c12
2 files changed, 15 insertions, 9 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index e10c5b0e9..f4e6d28f0 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -722,7 +722,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
}
if ((pd->priv == 1) && (pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) &&
- (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD)) {
+ (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD)) {
DEBUG(4, ("Password reset by root is not supported.\n"));
pd->pam_status = PAM_PERM_DENIED;
dp_err = DP_ERR_OK;
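Review bot: `pd->authtok` is now a pointer rather than an embedded struct, so it can be NULL where `&pd->authtok` never could, and this condition passes it to `sss_authtok_get_type()` without a check. The commit message names a zero-initialized `struct pam_data` as a supported input to `copy_pam_data`, which suggests a NULL token is a reachable state; whether the accessors tolerate NULL is not visible on this page. The same applies to the `auth_send()` calls and the `sss_authtok_get_password()` calls in the later hunks of this file. Consider rejecting such a request early, for example `if (pd->authtok == NULL) { pd->pam_status = PAM_SYSTEM_ERR; goto done; }`, or documenting on the accessors that NULL is handled. `sdap_pam_chpass_handler` starts and ends outside the hunk.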
@@ -747,7 +747,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
state->ctx = ctx;
subreq = auth_send(breq, be_ctx->ev, ctx,
- state->username, &pd->authtok, true);
+ state->username, pd->authtok, true);
if (!subreq) goto done;
tevent_req_set_callback(subreq, sdap_auth4chpass_done, state);
@@ -820,13 +820,13 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
const char *password;
const char *new_password;
- ret = sss_authtok_get_password(&state->pd->authtok,
+ ret = sss_authtok_get_password(state->pd->authtok,
&password, NULL);
if (ret) {
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
- ret = sss_authtok_get_password(&state->pd->newauthtok,
+ ret = sss_authtok_get_password(state->pd->newauthtok,
&new_password, NULL);
if (ret) {
state->pd->pam_status = PAM_SYSTEM_ERR;
@@ -990,7 +990,7 @@ void sdap_pam_auth_handler(struct be_req *breq)
state->pd = pd;
subreq = auth_send(breq, be_ctx->ev, ctx,
- pd->user, &pd->authtok,
+ pd->user, pd->authtok,
pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ? true : false);
if (!subreq) goto done;
@@ -1102,7 +1102,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
if (ret == EOK && be_ctx->domain->cache_credentials) {
- ret = sss_authtok_get_password(&state->pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(state->pd->authtok, &password, NULL);
if (ret == EOK) {
ret = sysdb_cache_password(be_ctx->domain->sysdb, be_ctx->domain,
state->pd->user, password);
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 280268a1c..b05edf6f9 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1573,7 +1573,7 @@ static void sdap_cli_auth_step(struct tevent_req *req)
SDAP_DEFAULT_BIND_DN);
const char *authtok_type;
struct dp_opt_blob authtok_blob;
- struct sss_auth_token authtok = { 0 };
+ struct sss_auth_token *authtok;
errno_t ret;
/* Set the LDAP expiration time
@@ -1599,6 +1599,12 @@ static void sdap_cli_auth_step(struct tevent_req *req)
authtok_type = dp_opt_get_string(state->opts->basic,
SDAP_DEFAULT_AUTHTOK_TYPE);
+ authtok = sss_authtok_new(state);
+ if(authtok == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
if (authtok_type != NULL) {
if (strcasecmp(authtok_type, "password") != 0) {
DEBUG(SSSDBG_TRACE_LIBS, ("Invalid authtoken type\n"));
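Review bot: The token created by `sss_authtok_new(state)` is later filled with the default bind password, yet nothing at the allocation says who owns it or how long it lives. A short comment above it would help, for example `/* authtok is allocated on state and released with it; it may hold the default bind password */`. Whether the password bytes are wiped when the token is freed depends on `sss_authtok_new()`, which is not shown on this page. As a style point, `if(authtok == NULL)` should read `if (authtok == NULL)` to match the `if (authtok_type != NULL)` just below. `sdap_cli_auth_step` continues outside the hunk.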
@@ -1609,7 +1615,7 @@ static void sdap_cli_auth_step(struct tevent_req *req)
authtok_blob = dp_opt_get_blob(state->opts->basic,
SDAP_DEFAULT_AUTHTOK);
if (authtok_blob.data) {
- ret = sss_authtok_set_password(state, &authtok,
+ ret = sss_authtok_set_password(authtok,
(const char *)authtok_blob.data,
authtok_blob.length);
if (ret) {
@@ -1623,7 +1629,7 @@ static void sdap_cli_auth_step(struct tevent_req *req)
state->sh, sasl_mech,
dp_opt_get_string(state->opts->basic,
SDAP_SASL_AUTHID),
- user_dn, &authtok);
+ user_dn, authtok);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;