authorLukas Slebodnik <lslebodn@redhat.com>2013-03-14 09:10:39 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-04-02 17:01:08 +0200
commit9acfb09f7969a69f58bd45c856b01700541853ca (patch)
tree51b08598dde631e49910dc3c5865460208a6a9f5 /src/responder
parent53b58615fbc13eddcd6e2f28066b67cb5f16b6d3 (diff)
Making the authtok structure really opaque.
The definition of struct sss_auth_token was removed from the header file authtok.h, leaving only its declaration. Therefore the only way to use this structure is through the accessor functions from the same header file. A new empty authtok can only be created with the newly added function sss_authtok_new(). The TALLOC context was removed from the copy and setter functions, because the pointer to struct sss_auth_token is used as the memory context. All declarations of struct sss_auth_token variables were replaced with pointers to this structure, and the related changes were made in the source code. The function copy_pam_data can copy from an argument src that was either dynamically allocated with create_pam_data() or is a zero-initialized struct pam_data allocated on the stack. https://fedorahosted.org/sssd/ticket/1830
Diffstat (limited to 'src/responder')
-rw-r--r--src/responder/pam/pam_LOCAL_domain.c10
-rw-r--r--src/responder/pam/pamsrv_cmd.c16
2 files changed, 12 insertions, 14 deletions
diff --git a/src/responder/pam/pam_LOCAL_domain.c b/src/responder/pam/pam_LOCAL_domain.c
index 72ea61e85..4aec3e4df 100644
--- a/src/responder/pam/pam_LOCAL_domain.c
+++ b/src/responder/pam/pam_LOCAL_domain.c
@@ -164,7 +164,7 @@ static void do_pam_chauthtok(struct LOCAL_request *lreq)
pd = lreq->preq->pd;
- ret = sss_authtok_get_password(&pd->newauthtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->newauthtok, &password, NULL);
if (ret) {
/* TODO: should we allow null passwords via a config option ? */
if (ret == ENOENT) {
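Review bot: `pd->newauthtok` is now a pointer that can be NULL, where the old `&pd->newauthtok` could not, and nothing in this hunk shows that it was allocated before `sss_authtok_get_password()` runs. The commit message says a zero-initialized `struct pam_data` on the stack is still an accepted source for copy_pam_data, so a NULL token is a state that exists somewhere in the tree. Unless the accessors in authtok.c reject NULL themselves (not visible on this page), I would state the invariant next to the call, for example `/* newauthtok is allocated together with pd and is never NULL here */`, once that has been confirmed against the code that creates `pd`. The same question applies to the `sss_authtok_set_empty()` calls under `done:` in this file and to every `pd->authtok` / `pd->newauthtok` use in pamsrv_cmd.c. do_pam_chauthtok starts and ends outside this hunk.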
@@ -204,7 +204,7 @@ static void do_pam_chauthtok(struct LOCAL_request *lreq)
lreq->error, ret, done);
done:
- sss_authtok_set_empty(&pd->newauthtok);
+ sss_authtok_set_empty(pd->newauthtok);
}
int LOCAL_pam_handler(struct pam_auth_req *preq)
@@ -288,7 +288,7 @@ int LOCAL_pam_handler(struct pam_auth_req *preq)
DEBUG(4, ("allowing root to reset a password.\n"));
break;
}
- ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
NEQ_CHECK_OR_JUMP(ret, EOK, ("Failed to get password.\n"),
lreq->error, ret, done);
@@ -336,8 +336,8 @@ int LOCAL_pam_handler(struct pam_auth_req *preq)
}
done:
- sss_authtok_set_empty(&pd->newauthtok);
- sss_authtok_set_empty(&pd->authtok);
+ sss_authtok_set_empty(pd->newauthtok);
+ sss_authtok_set_empty(pd->authtok);
prepare_reply(lreq);
return EOK;
}
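Review bot: The `done:` block is missing a comment on the lifetime of `password`, which was filled in from `pd->authtok` by `sss_authtok_get_password()` earlier in LOCAL_pam_handler. If that accessor hands back a pointer into the token (its definition is not on this page), the pointer is stale once both tokens are emptied here. I would add `/* password points into pd->authtok; do not use it after the tokens are emptied */` above the two calls. The commit message says the token is now its own talloc context, so emptying it is presumably where the secret is released, which makes the placement before `prepare_reply(lreq)` worth stating. The function starts outside this hunk.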
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index fa6cf23cd..e6300a759 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -65,8 +65,7 @@ static int extract_authtok_v2(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok,
sss_authtok_set_empty(tok);
break;
case SSS_AUTHTOK_TYPE_PASSWORD:
- ret = sss_authtok_set_password(mem_ctx, tok,
- (const char *)auth_token_data,
+ ret = sss_authtok_set_password(tok, (const char *)auth_token_data,
auth_token_length);
break;
default:
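Review bot: `mem_ctx` looks unused in extract_authtok_v2 after this change: the only use visible in the hunk was the `sss_authtok_set_password()` call, which no longer takes it, while the callers further down still pass `pd`. If no other case uses it (the body starts and ends outside the hunk), drop the parameter or say why it stays; extract_authtok_v1 has the same shape. The ownership change also deserves a comment at the call, `/* the password copy is allocated on tok, not on mem_ctx */`, because the client-supplied password no longer hangs off `pd` directly. Whether the setter and `sss_authtok_set_empty()` wipe the old buffer before releasing it is not visible here and is worth confirming in authtok.c.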
@@ -197,12 +196,12 @@ static int pam_parse_in_data_v2(struct sss_domain_info *domains,
if (ret != EOK) return ret;
break;
case SSS_PAM_ITEM_AUTHTOK:
- ret = extract_authtok_v2(pd, &pd->authtok,
+ ret = extract_authtok_v2(pd, pd->authtok,
size, body, blen, &c);
if (ret != EOK) return ret;
break;
case SSS_PAM_ITEM_NEWAUTHTOK:
- ret = extract_authtok_v2(pd, &pd->newauthtok,
+ ret = extract_authtok_v2(pd, pd->newauthtok,
size, body, blen, &c);
if (ret != EOK) return ret;
break;
@@ -260,8 +259,7 @@ static int extract_authtok_v1(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok,
sss_authtok_set_empty(tok);
break;
case SSS_AUTHTOK_TYPE_PASSWORD:
- ret = sss_authtok_set_password(mem_ctx, tok,
- (const char *)auth_token_data,
+ ret = sss_authtok_set_password(tok, (const char *)auth_token_data,
auth_token_length);
break;
default:
@@ -310,12 +308,12 @@ static int pam_parse_in_data(struct sss_domain_info *domains,
if (body[end++] != '\0') return EINVAL;
pd->rhost = (char *) &body[start];
- ret = extract_authtok_v1(pd, &pd->authtok, body, blen, &end);
+ ret = extract_authtok_v1(pd, pd->authtok, body, blen, &end);
if (ret) {
DEBUG(1, ("Invalid auth token\n"));
return ret;
}
- ret = extract_authtok_v1(pd, &pd->newauthtok, body, blen, &end);
+ ret = extract_authtok_v1(pd, pd->newauthtok, body, blen, &end);
if (ret) {
DEBUG(1, ("Invalid new auth token\n"));
return ret;
@@ -489,7 +487,7 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
- ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
if (ret) {
DEBUG(0, ("Failed to get password.\n"));
goto done;