diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.c b/lib/libpam/modules/pam_krb5/pam_krb5.c
--- a/lib/libpam/modules/pam_krb5/pam_krb5.c
+++ b/lib/libpam/modules/pam_krb5/pam_krb5.c
@@ -114,7 +114,7 @@
 int argc __unused, const char *argv[] __unused)
 {
 krb5_error_code krbret;
- krb5_context pam_context;
+ krb5_context krbctx;
 int debug;
 const char *auth_service;
 krb5_principal auth_princ;
@@ -154,7 +154,7 @@
 goto cleanup6;
 }
- krbret = krb5_init_context(&pam_context);
+ krbret = krb5_init_context(&krbctx);
 if (krbret != 0) {
 PAM_VERBOSE_ERROR("Kerberos 5 error");
 retval = PAM_SERVICE_ERR;
@@ -164,7 +164,7 @@
 PAM_LOG("Context initialised");
 debug = openpam_get_option(pamh, PAM_OPT_DEBUG) ? 1 : 0;
- krbret = verify_krb_v5_tgt_begin(pam_context, srvdup, debug,
+ krbret = verify_krb_v5_tgt_begin(krbctx, srvdup, debug,
 &auth_service, &auth_princ, auth_phost);
 if (krbret != 0) { /* failed to find key */
 /* Keytab or service key does not exist */
@@ -180,7 +180,7 @@
 }
 }
- krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE);
+ krbret = krb5_cc_register(krbctx, &krb5_mcc_ops, FALSE);
 if (krbret != 0 && krbret != KRB5_CC_TYPE_EXISTS) {
 PAM_VERBOSE_ERROR("Kerberos 5 error");
 retval = PAM_SERVICE_ERR;
@@ -197,10 +197,10 @@
 PAM_LOG("Created principal: %s", principal);
- krbret = krb5_parse_name(pam_context, principal, &princ);
+ krbret = krb5_parse_name(krbctx, principal, &princ);
 free(principal);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret, "Error krb5_parse_name()");
+ PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_parse_name()");
 PAM_VERBOSE_ERROR("Kerberos 5 error");
 retval = PAM_SERVICE_ERR;
 goto cleanup3;
@@ -210,9 +210,9 @@
 /* Now convert the principal name into something human readable */
 princ_name = NULL;
- krbret = krb5_unparse_name(pam_context, princ, &princ_name);
+ krbret = krb5_unparse_name(krbctx, princ, &princ_name);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_unparse_name()");
 PAM_VERBOSE_ERROR("Kerberos 5 error");
 retval = PAM_SERVICE_ERR;
@@ -235,11 +235,11 @@
 /* Verify the local user exists (AFTER getting the password) */
 if (strchr(user, '@')) {
 /* get a local account name for this principal */
- krbret = krb5_aname_to_localname(pam_context, princ,
+ krbret = krb5_aname_to_localname(krbctx, princ,
 sizeof(luser), luser);
 if (krbret != 0) {
 PAM_VERBOSE_ERROR("Kerberos 5 error");
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_aname_to_localname()");
 retval = PAM_USER_UNKNOWN;
 goto cleanup2;
@@ -264,15 +264,15 @@
 }
 /* Initialize credentials request options. */
- krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts);
+ krbret = krb5_get_init_creds_opt_alloc(krbctx, &opts);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_get_init_creds_opt_alloc()");
 PAM_VERBOSE_ERROR("Kerberos 5 error");
 retval = PAM_SERVICE_ERR;
 goto cleanup2;
 }
- krb5_get_init_creds_opt_set_default_flags(pam_context,
+ krb5_get_init_creds_opt_set_default_flags(krbctx,
 service, NULL, opts);
 if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
@@ -282,12 +282,12 @@
 /* Get a TGT */
 memset(&creds, 0, sizeof(krb5_creds));
- krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
+ krbret = krb5_get_init_creds_password(krbctx, &creds, princ,
 pass, NULL, pamh, 0, NULL, opts);
- krb5_get_init_creds_opt_free(pam_context, opts);
+ krb5_get_init_creds_opt_free(krbctx, opts);
 if (krbret != 0) {
 PAM_VERBOSE_ERROR("Kerberos 5 error");
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_get_init_creds_password()");
 retval = PAM_AUTH_ERR;
 goto cleanup2;
@@ -296,28 +296,28 @@
 PAM_LOG("Got TGT");
 /* Generate a temporary cache */
- krbret = krb5_cc_new_unique(pam_context, krb5_cc_type_memory, NULL, &ccache);
+ krbret = krb5_cc_new_unique(krbctx, krb5_cc_type_memory, NULL, &ccache);
 if (krbret != 0) {
 PAM_VERBOSE_ERROR("Kerberos 5 error");
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_cc_new_unique()");
 retval = PAM_SERVICE_ERR;
 goto cleanup;
 }
- krbret = krb5_cc_initialize(pam_context, ccache, princ);
+ krbret = krb5_cc_initialize(krbctx, ccache, princ);
 if (krbret != 0) {
 PAM_VERBOSE_ERROR("Kerberos 5 error");
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_cc_initialize()");
 retval = PAM_SERVICE_ERR;
 goto cleanup;
 }
- krbret = krb5_cc_store_cred(pam_context, ccache, &creds);
+ krbret = krb5_cc_store_cred(krbctx, ccache, &creds);
 if (krbret != 0) {
 PAM_VERBOSE_ERROR("Kerberos 5 error");
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_cc_store_cred()");
- krb5_cc_destroy(pam_context, ccache);
+ krb5_cc_destroy(krbctx, ccache);
 retval = PAM_SERVICE_ERR;
 goto cleanup;
 }
@@ -325,14 +325,14 @@
 PAM_LOG("Credentials stashed");
 /* Verify them */
- krbret = verify_krb_v5_tgt(pam_context, ccache, srvdup,
+ krbret = verify_krb_v5_tgt(krbctx, ccache, srvdup,
 debug, auth_service, auth_princ, auth_phost);
 free(srvdup);
 srvdup = NULL;
 if (krbret == -1) {
 PAM_VERBOSE_ERROR("Kerberos 5 error");
- krb5_cc_destroy(pam_context, ccache);
+ krb5_cc_destroy(krbctx, ccache);
 retval = PAM_AUTH_ERR;
 goto cleanup;
 }
@@ -341,7 +341,7 @@
 retval = pam_get_data(pamh, "ccache", &ccache_data);
 if (retval == PAM_SUCCESS) {
- krb5_cc_destroy(pam_context, ccache);
+ krb5_cc_destroy(krbctx, ccache);
 PAM_VERBOSE_ERROR("Kerberos 5 error");
 retval = PAM_AUTH_ERR;
 goto cleanup;
@@ -349,8 +349,8 @@
 PAM_LOG("Credentials stash not pre-existing");
- asprintf(&ccache_name, "%s:%s", krb5_cc_get_type(pam_context,
- ccache), krb5_cc_get_name(pam_context, ccache));
+ asprintf(&ccache_name, "%s:%s", krb5_cc_get_type(krbctx,
+ ccache), krb5_cc_get_name(krbctx, ccache));
 if (ccache_name == NULL) {
 PAM_VERBOSE_ERROR("Kerberos 5 error");
 retval = PAM_BUF_ERR;
@@ -358,7 +358,7 @@
 }
 retval = pam_set_data(pamh, "ccache", ccache_name, cleanup_cache);
 if (retval != 0) {
- krb5_cc_destroy(pam_context, ccache);
+ krb5_cc_destroy(krbctx, ccache);
 PAM_VERBOSE_ERROR("Kerberos 5 error");
 retval = PAM_SERVICE_ERR;
 goto cleanup;
@@ -367,21 +367,21 @@
 PAM_LOG("Credentials stash saved");
 cleanup:
- krb5_free_cred_contents(pam_context, &creds);
+ krb5_free_cred_contents(krbctx, &creds);
 PAM_LOG("Done cleanup");
 cleanup2:
- krb5_free_principal(pam_context, princ);
+ krb5_free_principal(krbctx, princ);
 if (princ_name)
 free(princ_name);
 PAM_LOG("Done cleanup2");
 cleanup3:
- krb5_free_context(pam_context);
+ krb5_free_context(krbctx);
 PAM_LOG("Done cleanup3");
 cleanup4:
- verify_krb_v5_tgt_cleanup(pam_context, debug,
+ verify_krb_v5_tgt_cleanup(krbctx, debug,
 auth_service, auth_princ, auth_phost);
 PAM_LOG("Done cleanup4");
@@ -407,7 +407,7 @@
 #else
 krb5_error_code krbret;
- krb5_context pam_context;
+ krb5_context krbctx;
 krb5_principal princ;
 krb5_creds creds;
 krb5_ccache ccache_temp, ccache_perm;
@@ -448,7 +448,7 @@
 PAM_LOG("Got user: %s", (const char *)user);
- krbret = krb5_init_context(&pam_context);
+ krbret = krb5_init_context(&krbctx);
 if (krbret != 0) {
 PAM_LOG("Error krb5_init_context() failed");
 return (PAM_SERVICE_ERR);
@@ -467,9 +467,9 @@
 retval = PAM_CRED_UNAVAIL;
 goto cleanup3;
 }
- krbret = krb5_cc_resolve(pam_context, cache_data, &ccache_temp);
+ krbret = krb5_cc_resolve(krbctx, cache_data, &ccache_temp);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_cc_resolve(\"%s\")", (const char *)cache_data);
 retval = PAM_SERVICE_ERR;
 goto cleanup3;
@@ -540,22 +540,22 @@
 PAM_LOG("Got cache_name: %s", cache_name);
 /* Initialize the new ccache */
- krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ);
+ krbret = krb5_cc_get_principal(krbctx, ccache_temp, &princ);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_cc_get_principal()");
 retval = PAM_SERVICE_ERR;
 goto cleanup3;
 }
- krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm);
+ krbret = krb5_cc_resolve(krbctx, cache_name, &ccache_perm);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret, "Error krb5_cc_resolve()");
+ PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_cc_resolve()");
 retval = PAM_SERVICE_ERR;
 goto cleanup2;
 }
- krbret = krb5_cc_initialize(pam_context, ccache_perm, princ);
+ krbret = krb5_cc_initialize(krbctx, ccache_perm, princ);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_cc_initialize()");
 retval = PAM_SERVICE_ERR;
 goto cleanup2;
@@ -564,11 +564,11 @@
 PAM_LOG("Cache initialised");
 /* Prepare for iteration over creds */
- krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor);
+ krbret = krb5_cc_start_seq_get(krbctx, ccache_temp, &cursor);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_cc_start_seq_get()");
- krb5_cc_destroy(pam_context, ccache_perm);
+ krb5_cc_destroy(krbctx, ccache_perm);
 retval = PAM_SERVICE_ERR;
 goto cleanup2;
 }
@@ -576,27 +576,27 @@
 PAM_LOG("Prepared for iteration");
 /* Copy the creds (should be two of them) */
- while (krb5_cc_next_cred(pam_context, ccache_temp, &cursor, &creds) == 0) {
- krbret = krb5_cc_store_cred(pam_context, ccache_perm, &creds);
+ while (krb5_cc_next_cred(krbctx, ccache_temp, &cursor, &creds) == 0) {
+ krbret = krb5_cc_store_cred(krbctx, ccache_perm, &creds);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_cc_store_cred()");
- krb5_cc_destroy(pam_context, ccache_perm);
- krb5_free_cred_contents(pam_context, &creds);
+ krb5_cc_destroy(krbctx, ccache_perm);
+ krb5_free_cred_contents(krbctx, &creds);
 retval = PAM_SERVICE_ERR;
 goto cleanup2;
 }
- krb5_free_cred_contents(pam_context, &creds);
+ krb5_free_cred_contents(krbctx, &creds);
 PAM_LOG("Iteration");
 }
- krb5_cc_end_seq_get(pam_context, ccache_temp, &cursor);
+ krb5_cc_end_seq_get(krbctx, ccache_temp, &cursor);
 PAM_LOG("Done iterating");
 if (strstr(cache_name, "FILE:") == cache_name) {
 if (chown(&cache_name[5], pwd->pw_uid, pwd->pw_gid) == -1) {
 PAM_LOG("Error chown(): %s", strerror(errno));
- krb5_cc_destroy(pam_context, ccache_perm);
+ krb5_cc_destroy(krbctx, ccache_perm);
 retval = PAM_SERVICE_ERR;
 goto cleanup2;
 }
@@ -604,21 +604,21 @@
 if (chmod(&cache_name[5], (S_IRUSR | S_IWUSR)) == -1) {
 PAM_LOG("Error chmod(): %s", strerror(errno));
- krb5_cc_destroy(pam_context, ccache_perm);
+ krb5_cc_destroy(krbctx, ccache_perm);
 retval = PAM_SERVICE_ERR;
 goto cleanup2;
 }
 PAM_LOG("Done chmod()");
 }
- krb5_cc_close(pam_context, ccache_perm);
+ krb5_cc_close(krbctx, ccache_perm);
 PAM_LOG("Cache closed");
 retval = pam_setenv(pamh, "KRB5CCNAME", cache_name, 1);
 if (retval != PAM_SUCCESS) {
 PAM_LOG("Error pam_setenv(): %s", pam_strerror(pamh, retval));
- krb5_cc_destroy(pam_context, ccache_perm);
+ krb5_cc_destroy(krbctx, ccache_perm);
 retval = PAM_SERVICE_ERR;
 goto cleanup2;
 }
@@ -626,10 +626,10 @@
 PAM_LOG("Environment done: KRB5CCNAME=%s", cache_name);
 cleanup2:
- krb5_free_principal(pam_context, princ);
+ krb5_free_principal(krbctx, princ);
 PAM_LOG("Done cleanup2");
 cleanup3:
- krb5_free_context(pam_context);
+ krb5_free_context(krbctx);
 PAM_LOG("Done cleanup3");
 seteuid(euid);
@@ -652,7 +652,7 @@
 int argc __unused, const char *argv[] __unused)
 {
 krb5_error_code krbret;
- krb5_context pam_context;
+ krb5_context krbctx;
 krb5_ccache ccache;
 krb5_principal princ;
 int retval;
@@ -671,7 +671,7 @@
 PAM_LOG("Got credentials");
- krbret = krb5_init_context(&pam_context);
+ krbret = krb5_init_context(&krbctx);
 if (krbret != 0) {
 PAM_LOG("Error krb5_init_context() failed");
 return (PAM_PERM_DENIED);
@@ -679,20 +679,20 @@
 PAM_LOG("Context initialised");
- krbret = krb5_cc_resolve(pam_context, (const char *)ccache_name, &ccache);
+ krbret = krb5_cc_resolve(krbctx, (const char *)ccache_name, &ccache);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_cc_resolve(\"%s\")", (const char *)ccache_name);
- krb5_free_context(pam_context);
+ krb5_free_context(krbctx);
 return (PAM_PERM_DENIED);
 }
 PAM_LOG("Got ccache %s", (const char *)ccache_name);
- krbret = krb5_cc_get_principal(pam_context, ccache, &princ);
+ krbret = krb5_cc_get_principal(krbctx, ccache, &princ);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_cc_get_principal()");
 retval = PAM_PERM_DENIED;
 goto cleanup;
@@ -700,16 +700,16 @@
 PAM_LOG("Got principal");
- if (krb5_kuserok(pam_context, princ, (const char *)user))
+ if (krb5_kuserok(krbctx, princ, (const char *)user))
 retval = PAM_SUCCESS;
 else
 retval = PAM_PERM_DENIED;
- krb5_free_principal(pam_context, princ);
+ krb5_free_principal(krbctx, princ);
 PAM_LOG("Done kuserok()");
 cleanup:
- krb5_free_context(pam_context);
+ krb5_free_context(krbctx);
 PAM_LOG("Done cleanup");
 return (retval);
@@ -724,7 +724,7 @@
 int argc __unused, const char *argv[] __unused)
 {
 krb5_error_code krbret;
- krb5_context pam_context;
+ krb5_context krbctx;
 krb5_creds creds;
 krb5_principal princ;
 krb5_get_init_creds_opt *opts;
@@ -743,7 +743,7 @@
 PAM_LOG("Got user: %s", (const char *)user);
- krbret = krb5_init_context(&pam_context);
+ krbret = krb5_init_context(&krbctx);
 if (krbret != 0) {
 PAM_LOG("Error krb5_init_context() failed");
 return (PAM_SERVICE_ERR);
@@ -752,9 +752,9 @@
 PAM_LOG("Context initialised");
 /* Get principal name */
- krbret = krb5_parse_name(pam_context, (const char *)user, &princ);
+ krbret = krb5_parse_name(krbctx, (const char *)user, &princ);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_parse_name()");
 retval = PAM_USER_UNKNOWN;
 goto cleanup3;
@@ -762,9 +762,9 @@
 /* Now convert the principal name into something human readable */
 princ_name = NULL;
- krbret = krb5_unparse_name(pam_context, princ, &princ_name);
+ krbret = krb5_unparse_name(krbctx, princ, &princ_name);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_unparse_name()");
 retval = PAM_SERVICE_ERR;
 goto cleanup2;
@@ -780,9 +780,9 @@
 PAM_LOG("Got password");
 /* Initialize credentials request options. */
- krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts);
+ krbret = krb5_get_init_creds_opt_alloc(krbctx, &opts);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_get_init_creds_opt_alloc()");
 PAM_VERBOSE_ERROR("Kerberos 5 error");
 retval = PAM_SERVICE_ERR;
@@ -792,11 +792,11 @@
 PAM_LOG("Credentials options initialised");
 memset(&creds, 0, sizeof(krb5_creds));
- krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
+ krbret = krb5_get_init_creds_password(krbctx, &creds, princ,
 pass, NULL, pamh, 0, "kadmin/changepw", opts);
- krb5_get_init_creds_opt_free(pam_context, opts);
+ krb5_get_init_creds_opt_free(krbctx, opts);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_get_init_creds_password()");
 retval = PAM_AUTH_ERR;
 goto cleanup2;
@@ -822,11 +822,11 @@
 retval = PAM_BUF_ERR;
 goto cleanup;
 }
- krbret = krb5_set_password(pam_context, &creds, passdup, NULL,
+ krbret = krb5_set_password(krbctx, &creds, passdup, NULL,
 &result_code, &result_code_string, &result_string);
 free(passdup);
 if (krbret != 0) {
- PAM_LOG_KRB5_ERR(pam_context, krbret,
+ PAM_LOG_KRB5_ERR(krbctx, krbret,
 "Error krb5_change_password()");
 retval = PAM_AUTHTOK_ERR;
 goto cleanup;
@@ -845,16 +845,16 @@
 free(result_code_string.data);
 cleanup:
- krb5_free_cred_contents(pam_context, &creds);
+ krb5_free_cred_contents(krbctx, &creds);
 PAM_LOG("Done cleanup");
 cleanup2:
- krb5_free_principal(pam_context, princ);
+ krb5_free_principal(krbctx, princ);
 if (princ_name)
 free(princ_name);
 PAM_LOG("Done cleanup2");
 cleanup3:
- krb5_free_context(pam_context);
+ krb5_free_context(krbctx);
 PAM_LOG("Done cleanup3");
@@ -1018,17 +1018,17 @@
 static void
 cleanup_cache(pam_handle_t *pamh __unused, void *data, int pam_end_status __unused)
 {
- krb5_context pam_context;
+ krb5_context krbctx;
 krb5_ccache ccache;
 krb5_error_code krbret;
- if (krb5_init_context(&pam_context))
+ if (krb5_init_context(&krbctx))
 return;
- krbret = krb5_cc_resolve(pam_context, data, &ccache);
+ krbret = krb5_cc_resolve(krbctx, data, &ccache);
 if (krbret == 0)
- krb5_cc_destroy(pam_context, ccache);
- krb5_free_context(pam_context);
+ krb5_cc_destroy(krbctx, ccache);
+ krb5_free_context(krbctx);
 free(data);
 }