-/* Copyright 2015 Nathan Holstein */
+/*
+ * Copyright (c) 2015 Nathan Holstein <nathan.holstein@gmail.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <sys/types.h>
+#include <err.h>
#include <errno.h>
+#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
+#include <string.h>
-#include "openbsd.h"
+#include <security/pam_appl.h>
+
+#include "includes.h"
+
+#define PAM_SERVICE "doas"
+
+static char *
+pam_prompt(const char *msg, int echo_on, int *pam)
+{
+ char buf[PAM_MAX_RESP_SIZE];
+ int flags = RPP_REQUIRE_TTY | (echo_on ? RPP_ECHO_ON : RPP_ECHO_OFF);
+ char *ret = readpassphrase(msg, buf, sizeof(buf), flags);
+ if (!ret)
+ *pam = PAM_CONV_ERR;
+ else if (!(ret = strdup(ret)))
+ *pam = PAM_BUF_ERR;
+ explicit_bzero(buf, sizeof(buf));
+ return ret;
+}
+
+static int
+pam_conv(int nmsgs, const struct pam_message **msgs,
+ struct pam_response **rsps, __UNUSED void *ptr)
+{
+ struct pam_response *rsp;
+ int i, style;
+ int pam = PAM_SUCCESS;
+
+ if (!(rsp = calloc(nmsgs, sizeof(struct pam_response))))
+ errx(1, "couldn't malloc pam_response");
+ *rsps = rsp;
+
+ for (i = 0; i < nmsgs; i++) {
+ switch (style = msgs[i]->msg_style) {
+ case PAM_PROMPT_ECHO_OFF:
+ case PAM_PROMPT_ECHO_ON:
+ rsp[i].resp = pam_prompt(msgs[i]->msg,
+ style == PAM_PROMPT_ECHO_ON, &pam);
+ break;
+
+ case PAM_ERROR_MSG:
+ case PAM_TEXT_INFO:
+ if (fprintf(style == PAM_ERROR_MSG ? stderr : stdout,
+ "%s\n", msgs[i]->msg) < 0)
+ pam = PAM_CONV_ERR;
+ break;
+
+ default:
+ errx(1, "invalid PAM msg_style %d", style);
+ }
+ }
+
+ return PAM_SUCCESS;
+}
int
auth_userokay(char *name, char *style, char *type, char *password)
{
- if (style || type || password) {
- fprintf(stderr, "auth_userokay(name, NULL, NULL, NULL)!\n");
- exit(1);
- }
+ static const struct pam_conv conv = {
+ .conv = pam_conv,
+ .appdata_ptr = NULL,
+ };
+
+ int ret, auth;
+ pam_handle_t *pamh = NULL;
+
+ if (!name)
+ return 0;
+ if (style || type || password)
+ errx(1, "auth_userokay(name, NULL, NULL, NULL)!\n");
+
+ ret = pam_start(PAM_SERVICE, name, &conv, &pamh);
+ if (ret != PAM_SUCCESS)
+ errx(1, "pam_start(\"%s\", \"%s\", ?, ?): failed\n",
+ PAM_SERVICE, name);
+
+ auth = pam_authenticate(pamh, 0);
- fprintf(stderr, "failing auth check for %s\n", name);
+ ret = pam_close_session(pamh, 0);
+ if (ret != PAM_SUCCESS)
+ errx(1, "pam_close_session(): %s\n", pam_strerror(pamh, ret));
- return 0;
+ return auth == PAM_SUCCESS;
}