authorLukas Slebodnik <lslebodn@redhat.com>2013-03-14 09:10:39 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-04-02 17:01:08 +0200
commit9acfb09f7969a69f58bd45c856b01700541853ca (patch)
tree51b08598dde631e49910dc3c5865460208a6a9f5 /src/providers/proxy
parent53b58615fbc13eddcd6e2f28066b67cb5f16b6d3 (diff)
Making the authtok structure really opaque.
The definition of struct sss_auth_token was removed from the header file authtok.h, leaving only a declaration of the structure. Therefore the only way to use this structure is through the accessor functions from the same header file. A new empty authtok can only be created with the newly added function sss_authtok_new(). The TALLOC context was removed from the copy and setter functions, because the pointer to struct sss_auth_token is used as the memory context. All declarations of struct sss_auth_token variables were replaced with pointers to this structure, and the related changes were made in the source code. The function copy_pam_data can copy from an argument src that was either dynamically allocated with create_pam_data() or is a zero-initialized struct pam_data allocated on the stack. https://fedorahosted.org/sssd/ticket/1830
Diffstat (limited to 'src/providers/proxy')
-rw-r--r--src/providers/proxy/proxy.h4
-rw-r--r--src/providers/proxy/proxy_auth.c2
-rw-r--r--src/providers/proxy/proxy_child.c18
3 files changed, 10 insertions, 14 deletions
diff --git a/src/providers/proxy/proxy.h b/src/providers/proxy/proxy.h
index 305cbe978..db0fcb438 100644
--- a/src/providers/proxy/proxy.h
+++ b/src/providers/proxy/proxy.h
@@ -89,8 +89,8 @@ struct proxy_nss_ops {
};
struct authtok_conv {
- struct sss_auth_token authtok;
- struct sss_auth_token newauthtok;
+ struct sss_auth_token *authtok;
+ struct sss_auth_token *newauthtok;
bool sent_old;
};
diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c
index 3e6a514ab..011de4fbb 100644
--- a/src/providers/proxy/proxy_auth.c
+++ b/src/providers/proxy/proxy_auth.c
@@ -750,7 +750,7 @@ static void proxy_child_done(struct tevent_req *req)
if ((pd->cmd == SSS_PAM_AUTHENTICATE || pd->cmd == SSS_PAM_CHAUTHTOK) &&
(pd->pam_status == PAM_SUCCESS) && be_ctx->domain->cache_credentials) {
- ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
if (ret) {
/* password caching failures are not fatal errors */
DEBUG(2, ("Failed to cache password\n"));
diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c
index 556dbf9b5..efdf9120a 100644
--- a/src/providers/proxy/proxy_child.c
+++ b/src/providers/proxy/proxy_child.c
@@ -98,7 +98,7 @@ static int proxy_internal_conv(int num_msg, const struct pam_message **msgm,
DEBUG(4, ("Conversation message: [%s]\n", msgm[i]->msg));
reply[i].resp_retcode = 0;
- ret = sss_authtok_get_password(&auth_data->authtok,
+ ret = sss_authtok_get_password(auth_data->authtok,
&password, &pwlen);
if (ret) goto failed;
reply[i].resp = calloc(pwlen + 1, sizeof(char));
@@ -149,7 +149,7 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm,
reply[i].resp_retcode = 0;
if (!auth_data->sent_old) {
/* The first prompt will be asking for the old authtok */
- ret = sss_authtok_get_password(&auth_data->authtok,
+ ret = sss_authtok_get_password(auth_data->authtok,
&password, &pwlen);
if (ret) goto failed;
reply[i].resp = calloc(pwlen + 1, sizeof(char));
@@ -159,7 +159,7 @@ static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm,
}
else {
/* Subsequent prompts are looking for the new authtok */
- ret = sss_authtok_get_password(&auth_data->newauthtok,
+ ret = sss_authtok_get_password(auth_data->newauthtok,
&password, &pwlen);
if (ret) goto failed;
reply[i].resp = calloc(pwlen + 1, sizeof(char));
@@ -224,8 +224,7 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd)
}
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
- sss_authtok_copy(auth_data, &pd->authtok,
- &auth_data->authtok);
+ sss_authtok_copy(pd->authtok, auth_data->authtok);
pam_status = pam_authenticate(pamh, 0);
break;
case SSS_PAM_SETCRED:
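Review bot: The destination of `sss_authtok_copy(pd->authtok, auth_data->authtok)` is now a pointer member of struct authtok_conv, and nothing on this page allocates it: the seven insertions the diffstat attributes to proxy_child.c are all visible in these hunks and none of them calls sss_authtok_new(). The allocation of auth_data lies outside the hunk, so this is inferred, but if the struct is zero-allocated then both members are NULL here and at the copies in the following hunk, and the conversation callbacks proxy_internal_conv and proxy_chauthtok_conv would hand NULL to sss_authtok_get_password() instead of the user's password. Before the switch, allocate both tokens, e.g. `auth_data->authtok = sss_authtok_new(auth_data);` and `auth_data->newauthtok = sss_authtok_new(auth_data);`, each followed by a NULL check that returns ENOMEM. call_pam_stack starts and ends outside this hunk.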
@@ -241,21 +240,18 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd)
pam_status=pam_close_session(pamh, 0);
break;
case SSS_PAM_CHAUTHTOK:
- sss_authtok_copy(auth_data, &pd->authtok,
- &auth_data->authtok);
+ sss_authtok_copy(pd->authtok, auth_data->authtok);
if (pd->priv != 1) {
pam_status = pam_authenticate(pamh, 0);
auth_data->sent_old = false;
if (pam_status != PAM_SUCCESS) break;
}
- sss_authtok_copy(auth_data, &pd->newauthtok,
- &auth_data->newauthtok);
+ sss_authtok_copy(pd->newauthtok, auth_data->newauthtok);
pam_status = pam_chauthtok(pamh, 0);
break;
case SSS_PAM_CHAUTHTOK_PRELIM:
if (pd->priv != 1) {
- sss_authtok_copy(auth_data, &pd->authtok,
- &auth_data->authtok);
+ sss_authtok_copy(pd->authtok, auth_data->authtok);
pam_status = pam_authenticate(pamh, 0);
} else {
pam_status = PAM_SUCCESS;
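Review bot: The result of each `sss_authtok_copy(...)` call in this hunk is discarded, so in the SSS_PAM_CHAUTHTOK and SSS_PAM_CHAUTHTOK_PRELIM cases a failed copy still proceeds to pam_authenticate() or pam_chauthtok() with whatever the conversation token held before. The same applies to the SSS_PAM_AUTHENTICATE case in the previous hunk. Now that the tokens are heap objects reached through pointers, a copy can fail on allocation or on a NULL argument, so the status should be checked, for example `ret = sss_authtok_copy(pd->newauthtok, auth_data->newauthtok);` followed by `if (ret != EOK) { pam_status = PAM_SYSTEM_ERR; break; }`. Whether a suitable local `ret` already exists in call_pam_stack is not visible here, since the function body extends beyond the hunk.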