Change pam_get_authtok()'s prototype so the caller can specify

what token it wants.  Also introduce PAM_OLDAUTHTOK_PROMPT.

Sponsored by:	DARPA, NAI Labs


git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@100 185d5e19-27fe-0310-9dcf-9bff6b9f3609

include/security/openpam.h

@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/include/security/openpam.h#12 $
+ * $P4: //depot/projects/openpam/include/security/openpam.h#13 $
  */
 
 #ifndef _SECURITY_OPENPAM_H_INCLUDED
@@ -65,6 +65,7 @@ pam_error(pam_handle_t *_pamh,
 
 int
 pam_get_authtok(pam_handle_t *_pamh,
+	int _item,
 	const char **_authtok,
 	const char *_prompt);
 

include/security/pam_constants.h

@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/include/security/pam_constants.h#12 $
+ * $P4: //depot/projects/openpam/include/security/pam_constants.h#13 $
  */
 
 #ifndef _PAM_CONSTANTS_H_INCLUDED
@@ -119,6 +119,7 @@ enum {
 	PAM_RUSER			=   8,
 	PAM_USER_PROMPT			=   9,
 	PAM_AUTHTOK_PROMPT		=  10,		/* OpenPAM extension */
+	PAM_OLDAUTHTOK_PROMPT		=  11,		/* OpenPAM extension */
 	PAM_NUM_ITEMS					/* OpenPAM extension */
 };
 

lib/pam_get_authtok.c

@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/pam_get_authtok.c#12 $
+ * $P4: //depot/projects/openpam/lib/pam_get_authtok.c#13 $
  */
 
 #include <sys/param.h>
@@ -41,6 +41,9 @@
 
 #include "openpam_impl.h"
 
+const char authtok_prompt[] = "Password:";
+const char oldauthtok_prompt[] = "Old Password:";
+
 /*
  * OpenPAM extension
  *
@@ -49,34 +52,51 @@
 
 int
 pam_get_authtok(pam_handle_t *pamh,
+	int item,
 	const char **authtok,
 	const char *prompt)
 {
-	char *p, *resp;
-	int r, style;
+	const char *default_prompt;
+	char *resp;
+	int pitem, r, style;
 
 	if (pamh == NULL || authtok == NULL)
 		return (PAM_SYSTEM_ERR);
 
+	*authtok = NULL;
+	switch (item) {
+	case PAM_AUTHTOK:
+		pitem = PAM_AUTHTOK_PROMPT;
+		default_prompt = authtok_prompt;
+		break;
+	case PAM_OLDAUTHTOK:
+		pitem = PAM_OLDAUTHTOK_PROMPT;
+		default_prompt = oldauthtok_prompt;
+		break;
+	default:
+		return (PAM_SYMBOL_ERR);
+	}
+
 	if (openpam_get_option(pamh, "try_first_pass") ||
 	    openpam_get_option(pamh, "use_first_pass")) {
-		r = pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
+		r = pam_get_item(pamh, item, (const void **)authtok);
 		if (r == PAM_SUCCESS && *authtok != NULL)
 			return (PAM_SUCCESS);
 		else if (openpam_get_option(pamh, "use_first_pass"))
 			return (r == PAM_SUCCESS ? PAM_AUTH_ERR : r);
 	}
-	if (pam_get_item(pamh, PAM_AUTHTOK_PROMPT,
-	    (const void **)&p) != PAM_SUCCESS || p == NULL)
-		if (prompt == NULL)
-			prompt = "Password:";
+	if (prompt == NULL) {
+		r = pam_get_item(pamh, pitem, (const void **)&prompt);
+		if (r != PAM_SUCCESS || prompt == NULL)
+			prompt = default_prompt;
+	}
 	style = openpam_get_option(pamh, "echo_pass") ?
 	    PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
-	r = pam_prompt(pamh, style, &resp, "%s", p ? p : prompt);
+	r = pam_prompt(pamh, style, &resp, "%s", prompt);
 	if (r != PAM_SUCCESS)
 		return (r);
 	*authtok = resp;
-	return (pam_set_item(pamh, PAM_AUTHTOK, *authtok));
+	return (pam_set_item(pamh, item, *authtok));
 }
 
 /*
@@ -87,3 +107,26 @@ pam_get_authtok(pam_handle_t *pamh,
  *	=pam_set_item
  *	!PAM_SYMBOL_ERR
  */
+
+/**
+ * The =pam_get_authtok function returns the cached authentication token,
+ * or prompts the user if no token is currently cached.  Either way, a
+ * pointer to the authentication token is stored in the location pointed
+ * to by the =authtok argument.
+ *
+ * The =item argument must have one of the following values:
+ *
+ *	=PAM_AUTHTOK
+ *		Returns the current authentication token, or the new token
+ *		when changing authentication tokens.
+ *	=PAM_OLDAUTHTOK
+ *		Returns the previous authentication token when changing
+ *		authentication tokens.
+ *
+ * The =prompt argument specifies a prompt to use if no token is cached.
+ * If =NULL, the =PAM_AUTHTOK_PROMPT or =PAM_OLDAUTHTOK_PROMPT item, as
+ * appropriate, will be used.  If that item is also =NULL, a hardcoded
+ * default prompt will be used.
+ *
+ * >pam_get_item
+ */

lib/pam_get_item.c

@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/pam_get_item.c#10 $
+ * $P4: //depot/projects/openpam/lib/pam_get_item.c#11 $
  */
 
 #include <sys/param.h>
@@ -66,6 +66,7 @@ pam_get_item(pam_handle_t *pamh,
 	case PAM_CONV:
 	case PAM_USER_PROMPT:
 	case PAM_AUTHTOK_PROMPT:
+	case PAM_OLDAUTHTOK_PROMPT:
 		*item = pamh->item[item_type];
 		return (PAM_SUCCESS);
 	default:
@@ -112,6 +113,9 @@ pam_get_item(pam_handle_t *pamh,
  *	=PAM_AUTHTOK_PROMPT:
  *		The prompt to use when asking the applicant for an
  *		authentication token.
+ *	=PAM_OLDAUTHTOK_PROMPT:
+ *		The prompt to use when asking the applicant for an
+ *		expired authentication token prior to changing it.
  *
  * See =pam_start for a description of =struct pam_conv.
  *

lib/pam_set_item.c

@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/pam_set_item.c#12 $
+ * $P4: //depot/projects/openpam/lib/pam_set_item.c#13 $
  */
 
 #include <sys/param.h>
@@ -73,6 +73,7 @@ pam_set_item(pam_handle_t *pamh,
 	case PAM_RUSER:
 	case PAM_USER_PROMPT:
 	case PAM_AUTHTOK_PROMPT:
+	case PAM_OLDAUTHTOK_PROMPT:
 		if (*slot != NULL)
 			size = strlen(*slot) + 1;
 		if (item != NULL)