72 static int pam_vprompt(pam_handle_t *pamh, int style, char **response,  in pam_vprompt()  argument
88 	if (PAM_SUCCESS != pam_get_item(pamh, PAM_CONV, (const void **) &conv)  in pam_vprompt()
98 				pam_syslog(pamh, LOG_CRIT, "strdup() failed: %s",  in pam_vprompt()
121 int prompt(int flags, pam_handle_t *pamh, int style, char **response,  in prompt()  argument
139 			r = pam_vprompt(pamh, style, &p, fmt, args);  in prompt()
142 			r = pam_vprompt(pamh, style, response, fmt, args);  in prompt()
161 void module_data_cleanup(pam_handle_t *pamh, void *data, int error_status)  in module_data_cleanup()  argument
176 static int module_initialize(pam_handle_t * pamh,  in module_initialize()  argument
183 		pam_syslog(pamh, LOG_CRIT, "calloc() failed: %s",  in module_initialize()
203 		pam_syslog(pamh, LOG_ALERT, "Loading PKCS#11 engine failed: %s\n",  in module_initialize()
205 		prompt(flags, pamh, PAM_ERROR_MSG , NULL, _("Error loading PKCS#11 module"));  in module_initialize()
211 		pam_syslog(pamh, LOG_ALERT, "Initializing PKCS#11 engine failed: %s\n",  in module_initialize()
213 		prompt(flags, pamh, PAM_ERROR_MSG , NULL, _("Error initializing PKCS#11 module"));  in module_initialize()
225 	r = pam_set_data(pamh, PACKAGE, data, module_data_cleanup);  in module_initialize()
235 	module_data_cleanup(pamh, data, r);  in module_initialize()
240 static int module_refresh(pam_handle_t *pamh,  in module_refresh()  argument
249 	if (PAM_SUCCESS != pam_get_data(pamh, PACKAGE, (void *)&module_data)  in module_refresh()
251 		r = module_initialize(pamh, flags, argc, argv, &module_data);  in module_refresh()
263 			pam_syslog(pamh, LOG_ALERT, "Initializing PKCS#11 engine failed: %s\n",  in module_refresh()
265 			prompt(flags, pamh, PAM_ERROR_MSG , NULL, _("Error initializing PKCS#11 module"));  in module_refresh()
285 	r = pam_get_user(pamh, user, NULL);  in module_refresh()
287 		pam_syslog(pamh, LOG_ERR, "pam_get_user() failed %s",  in module_refresh()
288 				pam_strerror(pamh, r));  in module_refresh()
304 static int key_login(pam_handle_t *pamh, int flags, PKCS11_SLOT *slot, const char *pin_regex)  in key_login()  argument
321 	if (PAM_SUCCESS == pam_get_item(pamh, PAM_AUTHTOK, (void *)&password)  in key_login()
325 			pam_syslog(pamh, LOG_CRIT, "strdup() failed: %s",  in key_login()
339 			prompt(flags, pamh, PAM_TEXT_INFO, NULL,  in key_login()
344 			if (PAM_SUCCESS != prompt(flags, pamh,  in key_login()
365 			pam_syslog(pamh, LOG_CRIT, "PIN regex didn't match: %s",  in key_login()
370 			prompt(flags, pamh, PAM_ERROR_MSG, NULL, _("Invalid PIN"));  in key_login()
378 			prompt(flags, pamh, PAM_ERROR_MSG, NULL, _("PIN not verified; PIN locked"));  in key_login()
380 			prompt(flags, pamh, PAM_ERROR_MSG, NULL, _("PIN not verified; one try remaining"));  in key_login()
382 			prompt(flags, pamh, PAM_ERROR_MSG, NULL, _("PIN not verified"));  in key_login()
387 	pam_set_item(pamh, PAM_AUTHTOK, password);  in key_login()
400 static int key_change_login(pam_handle_t *pamh, int flags, PKCS11_SLOT *slot, const char *pin_regex)  in key_change_login()  argument
416 				&& 1 != key_login(pamh, flags, slot, pin_regex))) {  in key_change_login()
423 			prompt(flags, pamh, PAM_TEXT_INFO, NULL,  in key_change_login()
427 			prompt(flags, pamh, PAM_TEXT_INFO, NULL,  in key_change_login()
433 			if (PAM_SUCCESS == prompt(flags, pamh,  in key_change_login()
444 			if (PAM_SUCCESS != prompt(flags, pamh,  in key_change_login()
450 			if (PAM_SUCCESS != pam_get_item(pamh, PAM_AUTHTOK, (void *)&old)  in key_change_login()
456 				pam_syslog(pamh, LOG_CRIT, "strdup() failed: %s",  in key_change_login()
462 		if (PAM_SUCCESS != prompt(flags, pamh,  in key_change_login()
465 				|| PAM_SUCCESS != prompt(flags, pamh,  in key_change_login()
471 			prompt(flags, pamh, PAM_ERROR_MSG, NULL, _("PINs don't match"));  in key_change_login()
478 			prompt(flags, pamh, PAM_ERROR_MSG, NULL, _("PIN not changed; PIN locked"));  in key_change_login()
480 			prompt(flags, pamh, PAM_ERROR_MSG, NULL, _("PIN not changed; one try remaining"));  in key_change_login()
482 			prompt(flags, pamh, PAM_ERROR_MSG, NULL, _("PIN not changed"));  in key_change_login()
487 	pam_set_item(pamh, PAM_AUTHTOK, new);  in key_change_login()
508 static int key_find(pam_handle_t *pamh, int flags, const char *user,  in key_find()  argument
537 			pam_syslog(pamh, LOG_DEBUG, "%s: PIN locked",  in key_find()
541 		pam_syslog(pamh, LOG_DEBUG, "Searching %s for keys",  in key_find()
560 					pam_syslog(pamh, LOG_DEBUG, "Found %s",  in key_find()
589 					pam_syslog(pamh, LOG_DEBUG, "Found %s",  in key_find()
606 		pam_syslog(pamh, LOG_DEBUG, "No authorized key found");  in key_find()
610 		prompt(flags, pamh, PAM_ERROR_MSG , NULL, _("No token found"));  in key_find()
612 		prompt(flags, pamh, PAM_ERROR_MSG , NULL, _("No authorized keys on token"));  in key_find()
618 static int randomize(pam_handle_t *pamh, unsigned char *r, unsigned int r_len)  in randomize()  argument
625 		pam_syslog(pamh, LOG_CRIT, "Error reading from /dev/urandom: %s",  in randomize()
634 static int key_verify(pam_handle_t *pamh, int flags, PKCS11_KEY *authkey)  in key_verify()  argument
661 	if (1 != randomize(pamh, challenge, sizeof challenge)) {  in key_verify()
672 		pam_syslog(pamh, LOG_DEBUG, "Error verifying key: %s\n",  in key_verify()
674 		prompt(flags, pamh, PAM_ERROR_MSG, NULL, _("Error verifying key"));  in key_verify()
691 PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc,  in pam_sm_authenticate()  argument
702 	r = module_refresh(pamh, flags, argc, argv,  in pam_sm_authenticate()
708 	if (1 != key_find(pamh, flags, user, ctx, slots, nslots,  in pam_sm_authenticate()
713 	if (1 != key_login(pamh, flags, authslot, pin_regex)  in pam_sm_authenticate()
714 			|| 1 != key_verify(pamh, flags, authkey)) {  in pam_sm_authenticate()
727 	module_data_cleanup(pamh, global_module_data, r);  in pam_sm_authenticate()
732 PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags, int argc,  in pam_sm_setcred()  argument
739 PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc,  in pam_sm_acct_mgmt()  argument
748 PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags, int argc,  in pam_sm_open_session()  argument
751 	pam_syslog(pamh, LOG_DEBUG,  in pam_sm_open_session()
756 PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags, int argc,  in pam_sm_close_session()  argument
759 	pam_syslog(pamh, LOG_DEBUG,  in pam_sm_close_session()
764 PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc,  in pam_sm_chauthtok()  argument
774 	r = module_refresh(pamh, flags, argc, argv,  in pam_sm_chauthtok()
787 	if (1 != key_find(pamh, flags, user, ctx, slots, nslots,  in pam_sm_chauthtok()
799 		if (1 != key_change_login(pamh, flags, authslot, pin_regex)) {  in pam_sm_chauthtok()
813 	module_data_cleanup(pamh, global_module_data, r);  in pam_sm_chauthtok()