X-Git-Url: https://git.armaanb.net/?a=blobdiff_plain;f=pam.c;h=01f82b3048ac208a9733811a0883c5929c5d516e;hb=262ce3c75abc008ae4086e2f72edbf9d9f1ae815;hp=b921069b195a8a4d89b714f07d264bcc50cfb4d5;hpb=22b68970dd6a3f5018bbf3e68a5f9e35d5948c2e;p=opendoas.git
diff --git a/pam.c b/pam.c
index b921069..01f82b3 100644
--- a/pam.c
+++ b/pam.c
@@ -37,7 +37,9 @@
 #include
-#include "includes.h"
+#include "openbsd.h"
+#include "doas.h"
+#include "insults.h"
 #ifndef HOST_NAME_MAX
 #define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
@@ -123,7 +125,7 @@ fail:
 for (i = 0; i < nmsgs; i++) {
 if (rsp[i].resp == NULL)
 continue;
- switch (style = msgs[i]->msg_style) {
+ switch (msgs[i]->msg_style) {
 case PAM_PROMPT_ECHO_OFF:
 case PAM_PROMPT_ECHO_ON:
 explicit_bzero(rsp[i].resp, strlen(rsp[i].resp));
@@ -131,6 +133,7 @@ fail:
 }
 rsp[i].resp = NULL;
 }
+ free(rsp);
 return PAM_CONV_ERR;
 }
@@ -243,7 +246,7 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 #endif
 if (!user || !myname)
- errx(1, "Authorization failed");
+ authfail();
 ret = pam_start(PAM_SERVICE_NAME, myname, &conv, &pamh);
 if (ret != PAM_SUCCESS)
@@ -275,7 +278,7 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 if (!nopass) {
 if (!interactive)
- errx(1, "Authorization required");
+ authfail();
 /* doas style prompt for pam */
 char host[HOST_NAME_MAX + 1];
@@ -289,7 +292,7 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 if (ret != PAM_SUCCESS) {
 pamcleanup(ret, sess, cred);
 syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
- errx(1, "Authorization failed");
+ authfail();
 }
 }
@@ -302,7 +305,7 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 if (ret != PAM_SUCCESS) {
 pamcleanup(ret, sess, cred);
 syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
- errx(1, "Authorization failed");
+ authfail();
 }
 /* set PAM_USER to the user we want to be */
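Review bot: The added `free(rsp);` in the `@@ -131,6 +133,7 @@` hunk is safe only if the caller's response pointer has not been set to `rsp` before control reaches `fail:`, and that assignment is outside the hunk. If it can already point at `rsp`, the PAM library is left holding freed memory when `PAM_CONV_ERR` is returned. A one-line comment above the call, for example `/* rsp has not been handed to the caller on this path */`, would record the invariant. The cleanup line between this hunk and the previous one is not shown, so the per-entry free could not be checked.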
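Review bot: Every `authfail();` that replaces `errx(1, ...)` relies on `authfail()` never returning: in the `@@ -243,7 +246,7 @@` hunk after `if (!user || !myname)`, and again in the hunks at -275, -289 and -302. Its definition is not part of this diff; it is presumably declared in `doas.h` or `insults.h`. `errx()` always exits, but if `authfail()` can return on any path, the first check falls through to `pam_start()` with a NULL argument and the two `ret != PAM_SUCCESS` branches continue as if authentication had succeeded. Marking the declaration noreturn, with `__attribute__((noreturn))` or C11 `_Noreturn`, lets the compiler enforce this. pamauth() starts and ends outside these hunks.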
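Review bot: The `!interactive` branch in the `@@ -275,7 +278,7 @@` hunk loses its distinct "Authorization required" diagnostic and, unlike the two `ret != PAM_SUCCESS` branches, still writes nothing to syslog before `authfail();`. A job run without a terminal can no longer tell "a password prompt was needed" from "the password was rejected". The refusal also leaves no audit record unless `authfail()` itself logs, which cannot be seen from this diff. Consider adding `syslog(LOG_AUTHPRIV | LOG_NOTICE, "tty required for %s", myname);` before the call, or a comment stating that authfail() does the logging.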
@@ -311,9 +314,9 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 warn("pam_set_item(?, PAM_USER, \"%s\"): %s", user, pam_strerror(pamh, ret));
- ret = pam_setcred(pamh, PAM_ESTABLISH_CRED);
+ ret = pam_setcred(pamh, PAM_REINITIALIZE_CRED);
 if (ret != PAM_SUCCESS)
- warn("pam_setcred(?, PAM_ESTABLISH_CRED): %s", pam_strerror(pamh, ret));
+ warn("pam_setcred(?, PAM_REINITIALIZE_CRED): %s", pam_strerror(pamh, ret));
 else
 cred = 1;
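Review bot: The rewritten `warn(...)` line still uses `warn()`, which appends `strerror(errno)` after the `pam_strerror()` text. PAM reports failure through its return code rather than `errno`, so the message can end in an unrelated error string. `warnx("pam_setcred(?, PAM_REINITIALIZE_CRED): %s", pam_strerror(pamh, ret));` prints only the PAM reason. Because the flag change alters what the PAM stack does for the target user's credentials, a short comment above the call explaining why `PAM_REINITIALIZE_CRED` is wanted here would help later readers. The failure remains non-fatal in the visible lines (`cred` is simply not set), and pamauth() continues outside the hunk.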