In some code branches, the PAM code "torches" a password by zeroing
it. However, it does this through a const pointer which we otherwise
know is not actually const. Make sure we get better type checking by
doing this through a non-const pointer.
Reviewed-on: http://gerrit.openafs.org/4554
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
(cherry picked from commit
5cd4282758317b24d2f63408ab4c62551bbebc03)
Change-Id: I94b22a31884dc9b184ec094e5cca4b6b0098cb15
Reviewed-on: http://gerrit.openafs.org/6295
Tested-by: Derrick Brashear <shadow@dementix.org>
Reviewed-by: Derrick Brashear <shadow@dementix.org>
int got_authtok = 0; /* got PAM_AUTHTOK upon entry */
PAM_CONST char *user = NULL, *password = NULL;
afs_int32 password_expires = -1;
- int torch_password = 1;
+ char *torch_password = NULL;
int i;
PAM_CONST struct pam_conv *pam_convp = NULL;
int auth_ok;
pam_afs_syslog(LOG_DEBUG, PAMAFS_NOFIRSTPASS, user);
} else if (password[0] == '\0') {
/* Actually we *did* get one but it was empty. */
- torch_password = 0;
pam_afs_syslog(LOG_INFO, PAMAFS_NILPASSWORD, user);
RET(PAM_NEW_AUTHTOK_REQD);
} else {
if (logmask && LOG_MASK(LOG_DEBUG))
pam_afs_syslog(LOG_DEBUG, PAMAFS_GOTPASS, user);
- torch_password = 0;
got_authtok = 1;
}
if (!(use_first_pass || try_first_pass)) {
if (password == NULL) {
char *prompt_password;
- torch_password = 1;
-
if (use_first_pass)
RET(PAM_AUTH_ERR); /* shouldn't happen */
if (try_first_pass)
my_password_buf[sizeof(my_password_buf) - 1] = '\0';
memset(prompt_password, 0, strlen(prompt_password));
free(prompt_password);
- password = my_password_buf;
+ password = torch_password = my_password_buf;
}
* after pam_afs
*/
if (!got_authtok) {
- torch_password = 0;
+ torch_password = NULL;
(void)pam_set_item(pamh, PAM_AUTHTOK, password);
}
char *tmp = strdup(password);
(void)pam_set_data(pamh, pam_afs_lh, tmp, lc_cleanup);
if (torch_password)
- memset((char *)password, 0, strlen(password));
+ memset(torch_password, 0, strlen(torch_password));
}
(void)setlogmask(origmask);
#ifndef AFS_SUN56_ENV
int try_first_pass = 0;
int ignore_root = 0;
int got_authtok = 0; /* got PAM_AUTHTOK upon entry */
- int torch_password = 1;
+ char *torch_password = NULL;
int i;
char my_password_buf[256];
char instance[256];
pam_afs_syslog(LOG_DEBUG, PAMAFS_NOFIRSTPASS, user);
} else if (password[0] == '\0') {
/* Actually we *did* get one but it was empty. */
- torch_password = 0;
pam_afs_syslog(LOG_INFO, PAMAFS_NILPASSWORD, user);
RET(PAM_NEW_AUTHTOK_REQD);
} else {
if (logmask && LOG_MASK(LOG_DEBUG))
pam_afs_syslog(LOG_DEBUG, PAMAFS_GOTPASS, user);
- torch_password = 0;
got_authtok = 1;
}
if (!(use_first_pass || try_first_pass)) {
if (password == NULL) {
char *prompt_password;
- torch_password = 1;
if (use_first_pass)
RET(PAM_AUTH_ERR); /* shouldn't happen */
if (try_first_pass)
my_password_buf[sizeof(my_password_buf) - 1] = '\0';
memset(prompt_password, 0, strlen(password));
free(prompt_password);
- password = my_password_buf;
+ password = torch_password = my_password_buf;
}
if ((code = ka_VerifyUserPassword(KA_USERAUTH_VERSION + KA_USERAUTH_DOSETPAG, (char *)user, /* kerberos name */
pam_afs_syslog(LOG_ERR, PAMAFS_LOGIN_FAILED, user, reason);
RET(PAM_AUTH_ERR);
}
- torch_password = 0;
+ torch_password = NULL;
pam_set_item(pamh, PAM_AUTHTOK, password);
pam_set_item(pamh, PAM_OLDAUTHTOK, password);
if (flags & PAM_PRELIM_CHECK) {
out:
if (password && torch_password) {
- memset((char *)password, 0, strlen(password));
+ memset(torch_password, 0, strlen(torch_password));
}
(void)setlogmask(origmask);
#ifndef AFS_SUN56_ENV
char my_password_buf[256];
char *cell_ptr = NULL;
char sbuffer[100];
- int torch_password = 1;
+ char *torch_password = NULL;
int auth_ok = 0;
char *lh;
PAM_CONST char *user = NULL;
} else if (password[0] == '\0') {
/* Actually we *did* get one but it was empty. */
got_authtok = 1;
- torch_password = 0;
/* So don't use it. */
password = NULL;
if (use_first_pass) {
} else {
if (logmask && LOG_MASK(LOG_DEBUG))
pam_afs_syslog(LOG_DEBUG, PAMAFS_GOTPASS, user);
- torch_password = 0;
got_authtok = 1;
}
if (!(use_first_pass || try_first_pass)) {
if (password == NULL) {
char *prompt_password;
- torch_password = 1;
-
if (use_first_pass)
RET(PAM_AUTH_ERR); /* shouldn't happen */
if (try_first_pass)
my_password_buf[sizeof(my_password_buf) - 1] = '\0';
memset(prompt_password, 0, strlen(prompt_password));
free(prompt_password);
- password = my_password_buf;
+ password = torch_password = my_password_buf;
}
/*
* We only set a PAG here, if we haven't got one before in
/* pam_sm_authenticate should have set this
* if (auth_ok && !got_authtok) {
- * torch_password = 0;
+ * torch_password = NULL;
* (void) pam_set_item(pamh, PAM_AUTHTOK, password);
* }
*/
out:
if (password && torch_password)
- memset((char*)password, 0, strlen(password));
+ memset(torch_password, 0, strlen(torch_password));
(void)setlogmask(origmask);
#ifndef AFS_SUN56_ENV
closelog();
projects / packages / o / openafs.git / commitdiff