xref: /illumos-gate/usr/src/lib/libpam/pam_framework.c (revision bf430c99)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#include <syslog.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <strings.h>
#include <malloc.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <sys/mman.h>

#include <libintl.h>

#include "pam_impl.h"

static char *pam_snames [PAM_NUM_MODULE_TYPES] = {
	PAM_ACCOUNT_NAME,
	PAM_AUTH_NAME,
	PAM_PASSWORD_NAME,
	PAM_SESSION_NAME
};

static char *pam_inames [PAM_MAX_ITEMS] = {
/* NONE */		NULL,
/* PAM_SERVICE */	"service",
/* PAM_USER */		"user",
/* PAM_TTY */		"tty",
/* PAM_RHOST */ 	"rhost",
/* PAM_CONV */		"conv",
/* PAM_AUTHTOK */	"authtok",
/* PAM_OLDAUTHTOK */	"oldauthtok",
/* PAM_RUSER */ 	"ruser",
/* PAM_USER_PROMPT */	"user_prompt",
/* PAM_REPOSITORY */	"repository",
/* PAM_RESOURCE */	"resource",
/* PAM_AUSER */ 	"auser",
/* Undefined Items */
};

/*
 * This extra definition is needed in order to build this library
 * on pre-64-bit-aware systems.
 */
#if !defined(_LFS64_LARGEFILE)
#define	stat64	stat
#endif	/* !defined(_LFS64_LARGEFILE) */

/* functions to dynamically load modules */
static int	load_modules(pam_handle_t *, int, char *, pamtab_t *);
static void 	*open_module(pam_handle_t *, char *);
static int	load_function(void *, char *, int (**func)());

/* functions to read and store the pam.conf configuration file */
static int	open_pam_conf(struct pam_fh **, pam_handle_t *, char *);
static void	close_pam_conf(struct pam_fh *);
static int	read_pam_conf(pam_handle_t *, char *);
static int 	get_pam_conf_entry(struct pam_fh *, pam_handle_t *,
    pamtab_t **);
static char	*read_next_token(char **);
static char	*nextline(struct pam_fh *, pam_handle_t *, int *);
static int	verify_pam_conf(pamtab_t *, char *);

/* functions to clean up and free memory */
static void	clean_up(pam_handle_t *);
static void	free_pamconf(pamtab_t *);
static void	free_pam_conf_info(pam_handle_t *);
static void	free_env(env_list *);

/* convenience functions for I18N/L10N communication */

static void	free_resp(int, struct pam_response *);
static int	do_conv(pam_handle_t *, int, int,
    char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *,
    struct pam_response **);

static int	log_priority;	/* pam_trace syslog priority & facility */
static int	pam_debug = 0;

static char *
pam_trace_iname(int item_type, char *iname_buf)
{
	char *name;

	/*
	 * XXX -- Contracted Consolidation Private
	 *	  to be eliminated when dtlogin contract is terminated
	 * Version number requested by PAM's client
	 */
	if (item_type == PAM_MSG_VERSION)
		return ("msg_version");

	if (item_type <= 0 ||
	    item_type >= PAM_MAX_ITEMS ||
	    (name = pam_inames[item_type]) == NULL) {
		(void) sprintf(iname_buf, "%d", item_type);
		return (iname_buf);
	}
	return (name);
}

static char *
pam_trace_fname(int flag)
{
	if (flag & PAM_BINDING)
		return (PAM_BINDING_NAME);
	if (flag & PAM_INCLUDE)
		return (PAM_INCLUDE_NAME);
	if (flag & PAM_OPTIONAL)
		return (PAM_OPTIONAL_NAME);
	if (flag & PAM_REQUIRED)
		return (PAM_REQUIRED_NAME);
	if (flag & PAM_REQUISITE)
		return (PAM_REQUISITE_NAME);
	if (flag & PAM_SUFFICIENT)
		return (PAM_SUFFICIENT_NAME);
	return ("bad flag name");
}

static char *
pam_trace_cname(pam_handle_t *pamh)
{
	if (pamh->pam_conf_name[pamh->include_depth] == NULL)
		return ("NULL");
	return (pamh->pam_conf_name[pamh->include_depth]);
}

#include <deflt.h>
#include <stdarg.h>
/*
 * pam_settrace - setup configuration for pam tracing
 *
 * turn on PAM debug if "magic" file exists
 * if exists (original), pam_debug = PAM_DEBUG_DEFAULT,
 * log_priority = LOG_DEBUG(7) and log_facility = LOG_AUTH(4).
 *
 * if has contents, keywork=value pairs:
 *
 *	"log_priority=" 0-7, the pam_trace syslog priority to use
 *		(see sys/syslog.h)
 *	"log_facility=" 0-23, the pam_trace syslog facility to use
 *		(see sys/syslog.h)
 *	"debug_flags=" PAM_DEBUG_DEFAULT (0x0001), log traditional
 *			(original) debugging.
 *		Plus the logical or of:
 *		    PAM_DEBUG_ITEM (0x0002), log item values and
 *			pam_get_item.
 *		    PAM_DEBUG_MODULE (0x0004), log module return status.
 *		    PAM_DEBUG_CONF (0x0008), log pam.conf parsing.
 *		    PAM_DEBUG_DATA (0x0010), get/set_data.
 *		    PAM_DEBUG_CONV (0x0020), conversation/response.
 *
 *		    If compiled with DEBUG:
 *		    PAM_DEBUG_AUTHTOK (0x8000), display AUTHTOK value if
 *				PAM_DEBUG_ITEM is set and results from
 *				PAM_PROMPT_ECHO_OFF responses.
 *		    USE CAREFULLY, THIS EXPOSES THE USER'S PASSWORDS.
 *
 *		or set to 0 and off even if PAM_DEBUG file exists.
 *
 * Output has the general form:
 * <whatever was set syslog> PAM[<pid>]: <interface>(<handle> and other info)
 * <whatever was set syslog> PAM[<pid>]: details requested for <interface> call
 *	Where:	<pid> is the process ID of the calling process.
 *		<handle> is the Hex value of the pam_handle associated with the
 *			call.
 */

static void
pam_settrace()
{
	if (defopen(PAM_DEBUG) == 0) {
		char	*arg;
		int	code;
		int	facility = LOG_AUTH;

		pam_debug = PAM_DEBUG_DEFAULT;
		log_priority = LOG_DEBUG;

		(void) defcntl(DC_SETFLAGS, DC_CASE);
		if ((arg = defread(LOG_PRIORITY)) != NULL) {
			code = (int)strtol(arg, NULL, 10);
			if ((code & ~LOG_PRIMASK) == 0) {
				log_priority = code;
			}
		}
		if ((arg = defread(LOG_FACILITY)) != NULL) {
			code = (int)strtol(arg, NULL, 10);
			if (code < LOG_NFACILITIES) {
				facility = code << 3;
			}
		}
		if ((arg = defread(DEBUG_FLAGS)) != NULL) {
			pam_debug = (int)strtol(arg, NULL, 0);
		}
		(void) defopen(NULL);	/* close */

		log_priority |= facility;
	}
}

/*
 * pam_trace - logs tracing messages
 *
 *	flag = debug_flags from /etc/pam_debug
 *	format and args = message to print (PAM[<pid>]: is prepended).
 *
 *	global log_priority = pam_trace syslog (log_priority | log_facility)
 *		from /etc/pam_debug
 */
/*PRINTFLIKE2*/
static void
pam_trace(int flag, char *format, ...)
{
	va_list args;
	char message[1024];
	int savemask;

	if ((pam_debug & flag) == 0)
		return;

	savemask = setlogmask(LOG_MASK(log_priority & LOG_PRIMASK));
	(void) snprintf(message, sizeof (message), "PAM[%ld]: %s",
	    (long)getpid(), format);
	va_start(args, format);
	(void) vsyslog(log_priority, message, args);
	va_end(args);
	(void) setlogmask(savemask);
}

/*
 * __pam_log - logs PAM syslog messages
 *
 *	priority = message priority
 *	format and args = message to log
 */
/*PRINTFLIKE2*/
void
__pam_log(int priority, const char *format, ...)
{
	va_list args;
	int savemask = setlogmask(LOG_MASK(priority & LOG_PRIMASK));

	va_start(args, format);
	(void) vsyslog(priority, format, args);
	va_end(args);
	(void) setlogmask(savemask);
}


/*
 *			pam_XXXXX routines
 *
 *	These are the entry points to the authentication switch
 */

/*
 * pam_start		- initiate an authentication transaction and
 *			  set parameter values to be used during the
 *			  transaction
 */

int
pam_start(const char *service, const char *user,
    const struct pam_conv *pam_conv, pam_handle_t **pamh)
{
	int	err;

	*pamh = (struct pam_handle *)calloc(1, sizeof (struct pam_handle));

	pam_settrace();
	pam_trace(PAM_DEBUG_DEFAULT,
	    "pam_start(%s,%s,%p:%p) - debug = %x",
	    service ? service : "NULL", user ? user : "NULL", (void *)pam_conv,
	    (void *)*pamh, pam_debug);

	if (*pamh == NULL)
		return (PAM_BUF_ERR);

	(*pamh)->pam_inmodule = RO_OK;		/* OK to set RO items */
	if ((err = pam_set_item(*pamh, PAM_SERVICE, (void *)service))
	    != PAM_SUCCESS) {
		clean_up(*pamh);
		*pamh = NULL;
		return (err);
	}

	if ((err = pam_set_item(*pamh, PAM_USER, (void *)user))
	    != PAM_SUCCESS) {
		clean_up(*pamh);
		*pamh = NULL;
		return (err);
	}

	if ((err = pam_set_item(*pamh, PAM_CONV, (void *)pam_conv))
	    != PAM_SUCCESS) {
		clean_up(*pamh);
		*pamh = NULL;
		return (err);
	}

	(*pamh)->pam_inmodule = RW_OK;
	return (PAM_SUCCESS);
}

/*
 * pam_end - terminate an authentication transaction
 */

int
pam_end(pam_handle_t *pamh, int pam_status)
{
	struct pam_module_data *psd, *p;
	fd_list *expired;
	fd_list *traverse;
	env_list *env_expired;
	env_list *env_traverse;

	pam_trace(PAM_DEBUG_DEFAULT,
	    "pam_end(%p): status = %s", (void *)pamh,
	    pam_strerror(pamh, pam_status));

	if (pamh == NULL)
		return (PAM_SYSTEM_ERR);

	/* call the cleanup routines for module specific data */

	psd = pamh->ssd;
	while (psd) {
		if (psd->cleanup) {
			psd->cleanup(pamh, psd->data, pam_status);
		}
		p = psd;
		psd = p->next;
		free(p->module_data_name);
		free(p);
	}
	pamh->ssd = NULL;

	/* dlclose all module fds */
	traverse = pamh->fd;
	while (traverse) {
		expired = traverse;
		traverse = traverse->next;
		(void) dlclose(expired->mh);
		free(expired);
	}
	pamh->fd = 0;

	/* remove all environment variables */
	env_traverse = pamh->pam_env;
	while (env_traverse) {
		env_expired = env_traverse;
		env_traverse = env_traverse->next;
		free_env(env_expired);
	}

	clean_up(pamh);
	return (PAM_SUCCESS);
}

/*
 * pam_set_item		- set the value of a parameter that can be
 *			  retrieved via a call to pam_get_item()
 */

int
pam_set_item(pam_handle_t *pamh, int item_type, const void *item)
{
	struct pam_item *pip;
	int	size;
	char	iname_buf[PAM_MAX_MSG_SIZE];

	if (((pam_debug & PAM_DEBUG_ITEM) == 0) || (pamh == NULL)) {
		pam_trace(PAM_DEBUG_DEFAULT,
		    "pam_set_item(%p:%s)", (void *)pamh,
		    pam_trace_iname(item_type, iname_buf));
	}

	if (pamh == NULL)
		return (PAM_SYSTEM_ERR);

	/* check read only items */
	if ((item_type == PAM_SERVICE) && (pamh->pam_inmodule != RO_OK))
		return (PAM_PERM_DENIED);

	/*
	 * XXX -- Contracted Consolidation Private
	 *	  to be eliminated when dtlogin contract is terminated
	 * Check if tag is Sun proprietary
	 */
	if (item_type == PAM_MSG_VERSION) {
		if (pamh->pam_client_message_version_number)
			free(pamh->pam_client_message_version_number);

		if (item == NULL)
			pamh->pam_client_message_version_number = NULL;
		else
			if ((pamh->pam_client_message_version_number =
			    strdup((char *)item)) == NULL)
				return (PAM_BUF_ERR);

		pam_trace(PAM_DEBUG_ITEM,
		    "pam_set_item(%p:%s)=%s", (void *)pamh,
		    pam_trace_iname(item_type, iname_buf),
		    item ? (char *)item : "NULL");
		return (PAM_SUCCESS);
	}

	/*
	 * Check that item_type is within valid range
	 */

	if (item_type <= 0 || item_type >= PAM_MAX_ITEMS)
		return (PAM_SYMBOL_ERR);

	pip = &(pamh->ps_item[item_type]);

	switch (item_type) {
	case PAM_AUTHTOK:
	case PAM_OLDAUTHTOK:
		if (pip->pi_addr != NULL)
			(void) memset(pip->pi_addr, 0, pip->pi_size);
		/*FALLTHROUGH*/
	case PAM_SERVICE:
	case PAM_USER:
	case PAM_TTY:
	case PAM_RHOST:
	case PAM_RUSER:
	case PAM_USER_PROMPT:
	case PAM_RESOURCE:
	case PAM_AUSER:
		if (pip->pi_addr != NULL) {
			free(pip->pi_addr);
		}

		if (item == NULL) {
			pip->pi_addr = NULL;
			pip->pi_size = 0;
		} else {
			pip->pi_addr = strdup((char *)item);
			if (pip->pi_addr == NULL) {
				pip->pi_size = 0;
				return (PAM_BUF_ERR);
			}
			pip->pi_size = strlen(pip->pi_addr);
		}
		break;
	case PAM_CONV:
		if (pip->pi_addr != NULL)
			free(pip->pi_addr);
		size = sizeof (struct pam_conv);
		if ((pip->pi_addr = (void *)calloc(1, size)) == NULL)
			return (PAM_BUF_ERR);
		if (item != NULL)
			(void) memcpy(pip->pi_addr, item, (unsigned int) size);
		else
			(void) memset(pip->pi_addr, 0, size);
		pip->pi_size = size;
		break;
	case PAM_REPOSITORY:
		if (pip->pi_addr != NULL) {
			pam_repository_t *auth_rep;

			auth_rep = (pam_repository_t *)pip->pi_addr;
			if (auth_rep->type != NULL)
				free(auth_rep->type);
			if (auth_rep->scope != NULL)
				free(auth_rep->scope);
			free(auth_rep);
		}
		if (item != NULL) {
			pam_repository_t *s, *d;

			size = sizeof (struct pam_repository);
			pip->pi_addr = (void *)calloc(1, size);
			if (pip->pi_addr == NULL)
				return (PAM_BUF_ERR);

			s = (struct pam_repository *)item;
			d = (struct pam_repository *)pip->pi_addr;

			d->type = strdup(s->type);
			if (d->type == NULL)
				return (PAM_BUF_ERR);
			d->scope = malloc(s->scope_len);
			if (d->scope == NULL)
				return (PAM_BUF_ERR);
			(void) memcpy(d->scope, s->scope, s->scope_len);
			d->scope_len = s->scope_len;
		}
		pip->pi_size = size;
		break;
	default:
		return (PAM_SYMBOL_ERR);
	}
	switch (item_type) {
	case PAM_CONV:
		pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%p",
		    (void *)pamh,
		    pam_trace_iname(item_type, iname_buf),
		    item ? (void *)((struct pam_conv *)item)->conv :
		    (void *)0);
		break;
	case PAM_REPOSITORY:
		pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%s",
		    (void *)pamh,
		    pam_trace_iname(item_type, iname_buf),
		    item ? (((struct pam_repository *)item)->type ?
		    ((struct pam_repository *)item)->type : "NULL") :
		    "NULL");
		break;
	case PAM_AUTHTOK:
	case PAM_OLDAUTHTOK:
#ifdef	DEBUG
		if (pam_debug & PAM_DEBUG_AUTHTOK)
			pam_trace(PAM_DEBUG_ITEM,
			    "pam_set_item(%p:%s)=%s", (void *)pamh,
			    pam_trace_iname(item_type, iname_buf),
			    item ? (char *)item : "NULL");
		else
#endif	/* DEBUG */
			pam_trace(PAM_DEBUG_ITEM,
			    "pam_set_item(%p:%s)=%s", (void *)pamh,
			    pam_trace_iname(item_type, iname_buf),
			    item ? "********" : "NULL");
		break;
	default:
		pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%s",
		    (void *)pamh,
		    pam_trace_iname(item_type, iname_buf),
		    item ? (char *)item : "NULL");
	}

	return (PAM_SUCCESS);
}

/*
 * pam_get_item		- read the value of a parameter specified in
 *			  the call to pam_set_item()
 */

int
pam_get_item(const pam_handle_t *pamh, int item_type, void **item)
{
	struct pam_item *pip;
	char	iname_buf[PAM_MAX_MSG_SIZE];

	if (((pam_debug & PAM_DEBUG_ITEM) == 0) || (pamh == NULL)) {
		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)",
		    (void *)pamh, pam_trace_iname(item_type, iname_buf));
	}

	if (pamh == NULL)
		return (PAM_SYSTEM_ERR);

	/*
	 * XXX -- Contracted Consolidation Private
	 *	  to be eliminated when dtlogin contract is terminated
	 * Check if tag is Sun proprietary
	 */
	if (item_type == PAM_MSG_VERSION) {
		*item = pamh->pam_client_message_version_number;
		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%s",
		    (void *)pamh, pam_trace_iname(item_type, iname_buf),
		    *item ? (char *)*item : "NULL");
		return (PAM_SUCCESS);
	}

	if (item_type <= 0 || item_type >= PAM_MAX_ITEMS)
		return (PAM_SYMBOL_ERR);

	if ((pamh->pam_inmodule != WO_OK) &&
	    ((item_type == PAM_AUTHTOK || item_type == PAM_OLDAUTHTOK))) {
		__pam_log(LOG_AUTH | LOG_NOTICE, "pam_get_item(%s) called from "
		    "a non module context",
		    pam_trace_iname(item_type, iname_buf));
		return (PAM_PERM_DENIED);
	}

	pip = (struct pam_item *)&(pamh->ps_item[item_type]);

	*item = pip->pi_addr;
	switch (item_type) {
	case PAM_CONV:
		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%p",
		    (void *)pamh,
		    pam_trace_iname(item_type, iname_buf),
		    (void *)((struct pam_conv *)*item)->conv);
		break;
	case PAM_REPOSITORY:
		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%s",
		    (void *)pamh,
		    pam_trace_iname(item_type, iname_buf),
		    *item ? (((struct pam_repository *)*item)->type ?
		    ((struct pam_repository *)*item)->type : "NULL") :
		    "NULL");
		break;
	case PAM_AUTHTOK:
	case PAM_OLDAUTHTOK:
#ifdef	DEBUG
		if (pam_debug & PAM_DEBUG_AUTHTOK)
			pam_trace(PAM_DEBUG_ITEM,
			    "pam_get_item(%p:%s)=%s", (void *)pamh,
			    pam_trace_iname(item_type, iname_buf),
			    *item ? *(char **)item : "NULL");
		else
#endif	/* DEBUG */
			pam_trace(PAM_DEBUG_ITEM,
			    "pam_get_item(%p:%s)=%s", (void *)pamh,
			    pam_trace_iname(item_type, iname_buf),
			    *item ? "********" : "NULL");
		break;
	default:
		pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%s",
		    (void *)pamh,
		    pam_trace_iname(item_type, iname_buf),
		    *item ? *(char **)item : "NULL");
	}

	return (PAM_SUCCESS);
}

/*
 * parse_user_name         - process the user response: ignore
 *                           '\t' or ' ' before or after a user name.
 *                           user_input is a null terminated string.
 *                           *ret_username will be the user name.
 */

static int
parse_user_name(char *user_input, char **ret_username)
{
	register char *ptr;
	register int index = 0;
	char username[PAM_MAX_RESP_SIZE];

	/* Set the default value for *ret_username */
	*ret_username = NULL;

	/*
	 * Set the initial value for username - this is a buffer holds
	 * the user name.
	 */
	bzero((void *)username, PAM_MAX_RESP_SIZE);

	/*
	 * The user_input is guaranteed to be terminated by a null character.
	 */
	ptr = user_input;

	/* Skip all the leading whitespaces if there are any. */
	while ((*ptr == ' ') || (*ptr == '\t'))
		ptr++;

	if (*ptr == '\0') {
		/*
		 * We should never get here since the user_input we got
		 * in pam_get_user() is not all whitespaces nor just "\0".
		 */
		return (PAM_BUF_ERR);
	}

	/*
	 * username will be the first string we get from user_input
	 * - we skip leading whitespaces and ignore trailing whitespaces
	 */
	while (*ptr != '\0') {
		if ((*ptr == ' ') || (*ptr == '\t'))
			break;
		else {
			username[index] = *ptr;
			index++;
			ptr++;
		}
	}

	/* ret_username will be freed in pam_get_user(). */
	if ((*ret_username = (char *)malloc((index + 1)*(sizeof (char))))
	    == NULL)
		return (PAM_BUF_ERR);
	(void) strcpy(*ret_username, username);
	return (PAM_SUCCESS);
}

/*
 * Get the value of PAM_USER. If not set, then use the convenience function
 * to prompt for the user. Use prompt if specified, else use PAM_USER_PROMPT
 * if it is set, else use default.
 */
#define	WHITESPACE	0
#define	USERNAME	1

int
pam_get_user(pam_handle_t *pamh, char **user, const char *prompt_override)
{
	int	status;
	char	*prompt = NULL;
	char    *real_username;

	struct pam_response *ret_resp = NULL;
	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];

	pam_trace(PAM_DEBUG_DEFAULT,
	    "pam_get_user(%p, %p, %s)", (void *)pamh, (void *)*user,
	    prompt_override ? prompt_override : "NULL");
	if (pamh == NULL)
		return (PAM_SYSTEM_ERR);

	if ((status = pam_get_item(pamh, PAM_USER, (void **)user))
	    != PAM_SUCCESS) {
		return (status);
	}

	/* if the user is set, return it */

	if (*user != NULL && *user[0] != '\0') {
		return (PAM_SUCCESS);
	}

	/*
	 * if the module is requesting a special prompt, use it.
	 * else use PAM_USER_PROMPT.
	 */

	if (prompt_override != NULL) {
		prompt = (char *)prompt_override;
	} else {
		status = pam_get_item(pamh, PAM_USER_PROMPT, (void**)&prompt);
		if (status != PAM_SUCCESS) {
			return (status);
		}
	}

	/* if the prompt is not set, use default */

	if (prompt == NULL || prompt[0] == '\0') {
		prompt = dgettext(TEXT_DOMAIN, "Please enter user name: ");
	}

	/* prompt for the user */

	(void) strncpy(messages[0], prompt, sizeof (messages[0]));

	for (;;) {
		int state = WHITESPACE;

		status = do_conv(pamh, PAM_PROMPT_ECHO_ON, 1, messages,
		    NULL, &ret_resp);

		if (status != PAM_SUCCESS) {
			return (status);
		}

		if (ret_resp->resp && ret_resp->resp[0] != '\0') {
			int len = strlen(ret_resp->resp);
			int i;

			for (i = 0; i < len; i++) {
				if ((ret_resp->resp[i] != ' ') &&
					(ret_resp->resp[i] != '\t')) {
					state = USERNAME;
					break;
				}
			}

			if (state == USERNAME)
				break;
		}
	}

	/* set PAM_USER */
	/* Parse the user input to get the user name. */
	status = parse_user_name(ret_resp->resp, &real_username);

	if (status != PAM_SUCCESS) {
		if (real_username != NULL)
			free(real_username);
		free_resp(1, ret_resp);
		return (status);
	}

	status = pam_set_item(pamh, PAM_USER, real_username);

	free(real_username);

	free_resp(1, ret_resp);
	if (status != PAM_SUCCESS) {
		return (status);
	}

	/*
	 * finally, get PAM_USER. We have to call pam_get_item to get
	 * the value of user because pam_set_item mallocs the memory.
	 */

	status = pam_get_item(pamh, PAM_USER, (void**)user);
	return (status);
}

/*
 * Set module specific data
 */

int
pam_set_data(pam_handle_t *pamh, const char *module_data_name, void *data,
    void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status))
{
	struct pam_module_data *psd;

	pam_trace(PAM_DEBUG_DATA,
	    "pam_set_data(%p:%s:%d)=%p", (void *)pamh,
	    module_data_name ? module_data_name : "NULL", pamh->pam_inmodule,
	    data);
	if (pamh == NULL || (pamh->pam_inmodule != WO_OK) ||
	    module_data_name == NULL) {
		return (PAM_SYSTEM_ERR);
	}

	/* check if module data already exists */

	for (psd = pamh->ssd; psd; psd = psd->next) {
		if (strcmp(psd->module_data_name, module_data_name) == 0) {
			/* clean up original data before setting the new data */
			if (psd->cleanup) {
				psd->cleanup(pamh, psd->data, PAM_SUCCESS);
			}
			psd->data = (void *)data;
			psd->cleanup = cleanup;
			return (PAM_SUCCESS);
		}
	}

	psd = malloc(sizeof (struct pam_module_data));
	if (psd == NULL)
		return (PAM_BUF_ERR);

	psd->module_data_name = strdup(module_data_name);
	if (psd->module_data_name == NULL) {
		free(psd);
		return (PAM_BUF_ERR);
	}

	psd->data = (void *)data;
	psd->cleanup = cleanup;
	psd->next = pamh->ssd;
	pamh->ssd = psd;
	return (PAM_SUCCESS);
}

/*
 * get module specific data
 */

int
pam_get_data(const pam_handle_t *pamh, const char *module_data_name,
    const void **data)
{
	struct pam_module_data *psd;

	if (pamh == NULL || (pamh->pam_inmodule != WO_OK) ||
	    module_data_name == NULL) {
		pam_trace(PAM_DEBUG_DATA,
		    "pam_get_data(%p:%s:%d)=%p", (void *)pamh,
		    module_data_name ? module_data_name : "NULL",
		    pamh->pam_inmodule, *data);
		return (PAM_SYSTEM_ERR);
	}

	for (psd = pamh->ssd; psd; psd = psd->next) {
		if (strcmp(psd->module_data_name, module_data_name) == 0) {
			*data = psd->data;
			pam_trace(PAM_DEBUG_DATA,
			    "pam_get_data(%p:%s)=%p", (void *)pamh,
			    module_data_name, *data);
			return (PAM_SUCCESS);
		}
	}
	pam_trace(PAM_DEBUG_DATA,
	    "pam_get_data(%p:%s)=%s", (void *)pamh, module_data_name,
	    "PAM_NO_MODULE_DATA");

	return (PAM_NO_MODULE_DATA);
}

/*
 * PAM equivalent to strerror()
 */
/* ARGSUSED */
const char *
pam_strerror(pam_handle_t *pamh, int errnum)
{
	switch (errnum) {
	case PAM_SUCCESS:
		return (dgettext(TEXT_DOMAIN, "Success"));
	case PAM_OPEN_ERR:
		return (dgettext(TEXT_DOMAIN, "Dlopen failure"));
	case PAM_SYMBOL_ERR:
		return (dgettext(TEXT_DOMAIN, "Symbol not found"));
	case PAM_SERVICE_ERR:
		return (dgettext(TEXT_DOMAIN,
		    "Error in underlying service module"));
	case PAM_SYSTEM_ERR:
		return (dgettext(TEXT_DOMAIN, "System error"));
	case PAM_BUF_ERR:
		return (dgettext(TEXT_DOMAIN, "Memory buffer error"));
	case PAM_CONV_ERR:
		return (dgettext(TEXT_DOMAIN, "Conversation failure"));
	case PAM_PERM_DENIED:
		return (dgettext(TEXT_DOMAIN, "Permission denied"));
	case PAM_MAXTRIES:
		return (dgettext(TEXT_DOMAIN,
		    "Maximum number of attempts exceeded"));
	case PAM_AUTH_ERR:
		return (dgettext(TEXT_DOMAIN, "Authentication failed"));
	case PAM_NEW_AUTHTOK_REQD:
		return (dgettext(TEXT_DOMAIN, "Get new authentication token"));
	case PAM_CRED_INSUFFICIENT:
		return (dgettext(TEXT_DOMAIN, "Insufficient credentials"));
	case PAM_AUTHINFO_UNAVAIL:
		return (dgettext(TEXT_DOMAIN,
		    "Can not retrieve authentication info"));
	case PAM_USER_UNKNOWN:
		return (dgettext(TEXT_DOMAIN, "No account present for user"));
	case PAM_CRED_UNAVAIL:
		return (dgettext(TEXT_DOMAIN,
		    "Can not retrieve user credentials"));
	case PAM_CRED_EXPIRED:
		return (dgettext(TEXT_DOMAIN,
		    "User credentials have expired"));
	case PAM_CRED_ERR:
		return (dgettext(TEXT_DOMAIN,
		    "Failure setting user credentials"));
	case PAM_ACCT_EXPIRED:
		return (dgettext(TEXT_DOMAIN, "User account has expired"));
	case PAM_AUTHTOK_EXPIRED:
		return (dgettext(TEXT_DOMAIN, "User password has expired"));
	case PAM_SESSION_ERR:
		return (dgettext(TEXT_DOMAIN,
		    "Can not make/remove entry for session"));
	case PAM_AUTHTOK_ERR:
		return (dgettext(TEXT_DOMAIN,
		    "Authentication token manipulation error"));
	case PAM_AUTHTOK_RECOVERY_ERR:
		return (dgettext(TEXT_DOMAIN,
		    "Authentication token can not be recovered"));
	case PAM_AUTHTOK_LOCK_BUSY:
		return (dgettext(TEXT_DOMAIN,
		    "Authentication token lock busy"));
	case PAM_AUTHTOK_DISABLE_AGING:
		return (dgettext(TEXT_DOMAIN,
		    "Authentication token aging disabled"));
	case PAM_NO_MODULE_DATA:
		return (dgettext(TEXT_DOMAIN,
		    "Module specific data not found"));
	case PAM_IGNORE:
		return (dgettext(TEXT_DOMAIN, "Ignore module"));
	case PAM_ABORT:
		return (dgettext(TEXT_DOMAIN, "General PAM failure "));
	case PAM_TRY_AGAIN:
		return (dgettext(TEXT_DOMAIN,
		    "Unable to complete operation. Try again"));
	default:
		return (dgettext(TEXT_DOMAIN, "Unknown error"));
	}
}

static void *
sm_name(int ind)
{
	switch (ind) {
	case PAM_AUTHENTICATE:
		return (PAM_SM_AUTHENTICATE);
	case PAM_SETCRED:
		return (PAM_SM_SETCRED);
	case PAM_ACCT_MGMT:
		return (PAM_SM_ACCT_MGMT);
	case PAM_OPEN_SESSION:
		return (PAM_SM_OPEN_SESSION);
	case PAM_CLOSE_SESSION:
		return (PAM_SM_CLOSE_SESSION);
	case PAM_CHAUTHTOK:
		return (PAM_SM_CHAUTHTOK);
	}
	return (NULL);
}

static int
(*func(pamtab_t *modulep, int ind))()
{
	void	*funcp;

	if ((funcp = modulep->function_ptr) == NULL)
		return (NULL);

	switch (ind) {
	case PAM_AUTHENTICATE:
		return (((struct auth_module *)funcp)->pam_sm_authenticate);
	case PAM_SETCRED:
		return (((struct auth_module *)funcp)->pam_sm_setcred);
	case PAM_ACCT_MGMT:
		return (((struct account_module *)funcp)->pam_sm_acct_mgmt);
	case PAM_OPEN_SESSION:
		return (((struct session_module *)funcp)->pam_sm_open_session);
	case PAM_CLOSE_SESSION:
		return (((struct session_module *)funcp)->pam_sm_close_session);
	case PAM_CHAUTHTOK:
		return (((struct password_module *)funcp)->pam_sm_chauthtok);
	}
	return (NULL);
}

/*
 * Run through the PAM service module stack for the given module type.
 */
static int
run_stack(pam_handle_t *pamh, int flags, int type, int def_err, int ind,
    char *function_name)
{
	int	err = PAM_SYSTEM_ERR;  /* preset */
	int	optional_error = 0;
	int	required_error = 0;
	int	success = 0;
	pamtab_t *modulep;
	int	(*sm_func)();

	if (pamh == NULL)
		return (PAM_SYSTEM_ERR);

	/* read initial entries from pam.conf */
	if ((err = read_pam_conf(pamh, PAM_CONFIG)) != PAM_SUCCESS) {
		return (err);
	}

	if ((modulep =
	    pamh->pam_conf_info[pamh->include_depth][type]) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR, "%s no initial module present",
		    pam_trace_cname(pamh));
		goto exit_return;
	}

	pamh->pam_inmodule = WO_OK;	/* OK to get AUTHTOK */
include:
	pam_trace(PAM_DEBUG_MODULE,
	    "[%d:%s]:run_stack:%s(%p, %x): %s", pamh->include_depth,
	    pam_trace_cname(pamh), function_name, (void *)pamh, flags,
	    modulep ? modulep->module_path : "NULL");

	while (modulep != NULL) {
		if (modulep->pam_flag & PAM_INCLUDE) {
			/* save the return location */
			pamh->pam_conf_modulep[pamh->include_depth] =
			    modulep->next;
			pam_trace(PAM_DEBUG_MODULE,
			    "setting for include[%d:%p]",
			    pamh->include_depth, (void *)modulep->next);
			if (pamh->include_depth++ >= PAM_MAX_INCLUDE) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "run_stack: includes too deep %d "
				    "found trying to include %s from %s, %d "
				    "allowed", pamh->include_depth,
				    modulep->module_path, pamh->pam_conf_name
				    [PAM_MAX_INCLUDE] == NULL ? "NULL" :
				    pamh->pam_conf_name[PAM_MAX_INCLUDE],
				    PAM_MAX_INCLUDE);
				goto exit_return;
			}
			if ((err = read_pam_conf(pamh,
			    modulep->module_path)) != PAM_SUCCESS) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "run_stack[%d:%s]: can't read included "
				    "conf %s", pamh->include_depth,
				    pam_trace_cname(pamh),
				    modulep->module_path);
				goto exit_return;
			}
			if ((modulep = pamh->pam_conf_info
			    [pamh->include_depth][type]) == NULL) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "run_stack[%d:%s]: no include module "
				    "present %s", pamh->include_depth,
				    pam_trace_cname(pamh), function_name);
				goto exit_return;
			}
			if (modulep->pam_flag & PAM_INCLUDE) {
				/* first line another include */
				goto include;
			}
			pam_trace(PAM_DEBUG_DEFAULT, "include[%d:%s]"
			    "(%p, %s)=%s", pamh->include_depth,
			    pam_trace_cname(pamh), (void *)pamh,
			    function_name, modulep->module_path);
			if ((err = load_modules(pamh, type, sm_name(ind),
			    pamh->pam_conf_info
			    [pamh->include_depth][type])) != PAM_SUCCESS) {
				pam_trace(PAM_DEBUG_DEFAULT,
				    "[%d:%s]:%s(%p, %x): load_modules failed",
				    pamh->include_depth, pam_trace_cname(pamh),
				    function_name, (void *)pamh, flags);
				goto exit_return;
			}
			if ((modulep = pamh->pam_conf_info
			    [pamh->include_depth][type]) == NULL) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "%s no initial module present",
				    pam_trace_cname(pamh));
				goto exit_return;
			}
		} else if ((err = load_modules(pamh, type, sm_name(ind),
		    modulep)) != PAM_SUCCESS) {
			pam_trace(PAM_DEBUG_DEFAULT,
			    "[%d:%s]:%s(%p, %x): load_modules failed",
			    pamh->include_depth, pam_trace_cname(pamh),
			    function_name, (void *)pamh, flags);
			goto exit_return;
		}  /* PAM_INCLUDE */
		sm_func = func(modulep, ind);
		if (sm_func) {
			err = sm_func(pamh, flags, modulep->module_argc,
			    (const char **)modulep->module_argv);

			pam_trace(PAM_DEBUG_MODULE,
			    "[%d:%s]:%s(%p, %x): %s returned %s",
			    pamh->include_depth, pam_trace_cname(pamh),
			    function_name, (void *)pamh, flags,
			    modulep->module_path, pam_strerror(pamh, err));

			switch (err) {
			case PAM_IGNORE:
				/* do nothing */
				break;
			case PAM_SUCCESS:
				if ((modulep->pam_flag & PAM_SUFFI_BIND) &&
				    !required_error) {
					pamh->pam_inmodule = RW_OK;
					pam_trace(PAM_DEBUG_MODULE,
					    "[%d:%s]:%s(%p, %x): %s: success",
					    pamh->include_depth,
					    pam_trace_cname(pamh),
					    function_name, (void *)pamh, flags,
					    (modulep->pam_flag & PAM_BINDING) ?
					    PAM_BINDING_NAME :
					    PAM_SUFFICIENT_NAME);
					goto exit_return;
				}
				success = 1;
				break;
			case PAM_TRY_AGAIN:
				/*
				 * We need to return immediately, and
				 * we shouldn't reset the AUTHTOK item
				 * since it is not an error per-se.
				 */
				pamh->pam_inmodule = RW_OK;
				pam_trace(PAM_DEBUG_MODULE,
				    "[%d:%s]:%s(%p, %x): TRY_AGAIN: %s",
				    pamh->include_depth, pam_trace_cname(pamh),
				    function_name, (void *)pamh, flags,
				    pam_strerror(pamh, required_error ?
				    required_error : err));
				err = required_error ? required_error : err;
				goto exit_return;
			default:
				if (modulep->pam_flag & PAM_REQUISITE) {
					pamh->pam_inmodule = RW_OK;
					pam_trace(PAM_DEBUG_MODULE,
					    "[%d:%s]:%s(%p, %x): requisite: %s",
					    pamh->include_depth,
					    pam_trace_cname(pamh),
					    function_name, (void *)pamh, flags,
					    pam_strerror(pamh,
					    required_error ? required_error :
					    err));
					err = required_error ?
					    required_error : err;
					goto exit_return;
				} else if (modulep->pam_flag & PAM_REQRD_BIND) {
					if (!required_error)
						required_error = err;
				} else {
					if (!optional_error)
						optional_error = err;
				}
				pam_trace(PAM_DEBUG_DEFAULT,
				    "[%d:%s]:%s(%p, %x): error %s",
				    pamh->include_depth, pam_trace_cname(pamh),
				    function_name, (void *)pamh, flags,
				    pam_strerror(pamh, err));
				break;
			}
		}
		modulep = modulep->next;
	}

	pam_trace(PAM_DEBUG_MODULE, "[%d:%s]:stack_end:%s(%p, %x): %s %s: %s",
	    pamh->include_depth, pam_trace_cname(pamh), function_name,
	    (void *)pamh, flags, pamh->include_depth ? "included" : "final",
	    required_error ? "required" : success ? "success" :
	    optional_error ? "optional" : "default",
	    pam_strerror(pamh, required_error ? required_error :
	    success ? PAM_SUCCESS : optional_error ? optional_error : def_err));
	if (pamh->include_depth > 0) {
		free_pam_conf_info(pamh);
		pamh->include_depth--;
		/* continue at next entry */
		modulep = pamh->pam_conf_modulep[pamh->include_depth];
		pam_trace(PAM_DEBUG_MODULE, "looping for include[%d:%p]",
		    pamh->include_depth, (void *)modulep);
		goto include;
	}
	free_pam_conf_info(pamh);
	pamh->pam_inmodule = RW_OK;
	if (required_error != 0)
		return (required_error);
	else if (success != 0)
		return (PAM_SUCCESS);
	else if (optional_error != 0)
		return (optional_error);
	else
		return (def_err);

exit_return:
	/*
	 * All done at whatever depth we're at.
	 * Go back to not having read /etc/pam.conf
	 */
	while (pamh->include_depth > 0) {
		free_pam_conf_info(pamh);
		pamh->include_depth--;
	}
	free_pam_conf_info(pamh);
	pamh->pam_inmodule = RW_OK;
	return (err);
}

/*
 * pam_authenticate - authenticate a user
 */

int
pam_authenticate(pam_handle_t *pamh, int flags)
{
	int	retval;

	retval = run_stack(pamh, flags, PAM_AUTH_MODULE, PAM_AUTH_ERR,
	    PAM_AUTHENTICATE, "pam_authenticate");

	if (retval != PAM_SUCCESS)
		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
	return (retval);
}

/*
 * pam_setcred - modify or retrieve user credentials
 */

int
pam_setcred(pam_handle_t *pamh, int flags)
{
	int	retval;

	retval = run_stack(pamh, flags, PAM_AUTH_MODULE, PAM_CRED_ERR,
	    PAM_SETCRED, "pam_setcred");

	if (retval != PAM_SUCCESS)
		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
	return (retval);
}

/*
 * pam_acct_mgmt - check password aging, account expiration
 */

int
pam_acct_mgmt(pam_handle_t *pamh, int flags)
{
	int	retval;

	retval = run_stack(pamh, flags, PAM_ACCOUNT_MODULE, PAM_ACCT_EXPIRED,
	    PAM_ACCT_MGMT, "pam_acct_mgmt");

	if (retval != PAM_SUCCESS &&
	    retval != PAM_NEW_AUTHTOK_REQD) {
		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
	}
	return (retval);
}

/*
 * pam_open_session - begin session management
 */

int
pam_open_session(pam_handle_t *pamh, int flags)
{
	int	retval;

	retval = run_stack(pamh, flags, PAM_SESSION_MODULE, PAM_SESSION_ERR,
	    PAM_OPEN_SESSION, "pam_open_session");

	if (retval != PAM_SUCCESS)
		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
	return (retval);
}

/*
 * pam_close_session - terminate session management
 */

int
pam_close_session(pam_handle_t *pamh, int flags)
{
	int	retval;

	retval = run_stack(pamh, flags, PAM_SESSION_MODULE, PAM_SESSION_ERR,
	    PAM_CLOSE_SESSION, "pam_close_session");

	if (retval != PAM_SUCCESS)
		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
	return (retval);
}

/*
 * pam_chauthtok - change user authentication token
 */

int
pam_chauthtok(pam_handle_t *pamh, int flags)
{
	int	retval;

	/* do not let apps use PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK */
	if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) {
		pam_trace(PAM_DEBUG_DEFAULT,
		    "pam_chauthtok(%p, %x): %s", (void *)pamh, flags,
		    pam_strerror(pamh, PAM_SYMBOL_ERR));
		return (PAM_SYMBOL_ERR);
	}

	/* 1st pass: PRELIM CHECK */
	retval = run_stack(pamh, flags | PAM_PRELIM_CHECK, PAM_PASSWORD_MODULE,
	    PAM_AUTHTOK_ERR, PAM_CHAUTHTOK, "pam_chauthtok-prelim");

	if (retval == PAM_TRY_AGAIN)
		return (retval);

	if (retval != PAM_SUCCESS) {
		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
		return (retval);
	}

	/* 2nd pass: UPDATE AUTHTOK */
	retval = run_stack(pamh, flags | PAM_UPDATE_AUTHTOK,
	    PAM_PASSWORD_MODULE, PAM_AUTHTOK_ERR, PAM_CHAUTHTOK,
	    "pam_chauthtok-update");

	if (retval != PAM_SUCCESS)
		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);

	return (retval);
}

/*
 * pam_putenv - add an environment variable to the PAM handle
 *	if name_value == 'NAME=VALUE'	then set variable to the value
 *	if name_value == 'NAME='	then set variable to an empty value
 *	if name_value == 'NAME'		then delete the variable
 */

int
pam_putenv(pam_handle_t *pamh, const char *name_value)
{
	int		error = PAM_SYSTEM_ERR;
	char		*equal_sign = 0;
	char		*name = NULL, *value = NULL, *tmp_value = NULL;
	env_list	*traverse, *trail;

	pam_trace(PAM_DEBUG_DEFAULT,
	    "pam_putenv(%p, %s)", (void *)pamh,
	    name_value ? name_value : "NULL");

	if (pamh == NULL || name_value == NULL)
		goto out;

	/* see if we were passed 'NAME=VALUE', 'NAME=', or 'NAME' */
	if ((equal_sign = strchr(name_value, '=')) != 0) {
		if ((name = (char *)calloc(equal_sign - name_value + 1,
		    sizeof (char))) == 0) {
			error = PAM_BUF_ERR;
			goto out;
		}
		(void) strncpy(name, name_value, equal_sign - name_value);
		if ((value = strdup(++equal_sign)) == 0) {
			error = PAM_BUF_ERR;
			goto out;
		}
	} else {
		if ((name = strdup(name_value)) == 0) {
			error = PAM_BUF_ERR;
			goto out;
		}
	}

	/* check to see if we already have this variable in the PAM handle */
	traverse = pamh->pam_env;
	trail = traverse;
	while (traverse && strncmp(traverse->name, name, strlen(name))) {
		trail = traverse;
		traverse = traverse->next;
	}

	if (traverse) {
		/* found a match */
		if (value == 0) {
			/* remove the env variable */
			if (pamh->pam_env == traverse)
				pamh->pam_env = traverse->next;
			else
				trail->next = traverse->next;
			free_env(traverse);
		} else if (strlen(value) == 0) {
			/* set env variable to empty value */
			if ((tmp_value = strdup("")) == 0) {
				error = PAM_SYSTEM_ERR;
				goto out;
			}
			free(traverse->value);
			traverse->value = tmp_value;
		} else {
			/* set the new value */
			if ((tmp_value = strdup(value)) == 0) {
				error = PAM_SYSTEM_ERR;
				goto out;
			}
			free(traverse->value);
			traverse->value = tmp_value;
		}

	} else if (traverse == 0 && value) {
		/*
		 * could not find a match in the PAM handle.
		 * add the new value if there is one
		 */
		if ((traverse = (env_list *)calloc
					(1,
					sizeof (env_list))) == 0) {
			error = PAM_BUF_ERR;
			goto out;
		}
		if ((traverse->name = strdup(name)) == 0) {
			free_env(traverse);
			error = PAM_BUF_ERR;
			goto out;
		}
		if ((traverse->value = strdup(value)) == 0) {
			free_env(traverse);
			error = PAM_BUF_ERR;
			goto out;
		}
		if (trail == 0) {
			/* new head of list */
			pamh->pam_env = traverse;
		} else {
			/* adding to end of list */
			trail->next = traverse;
		}
	}

	error = PAM_SUCCESS;
out:
	if (error != PAM_SUCCESS) {
		if (traverse) {
			if (traverse->name)
				free(traverse->name);
			if (traverse->value)
				free(traverse->value);
			free(traverse);
		}
	}
	if (name)
		free(name);
	if (value)
		free(value);
	return (error);
}

/*
 * pam_getenv - retrieve an environment variable from the PAM handle
 */
char *
pam_getenv(pam_handle_t *pamh, const char *name)
{
	int		error = PAM_SYSTEM_ERR;
	env_list	*traverse;

	pam_trace(PAM_DEBUG_DEFAULT,
	    "pam_getenv(%p, %p)", (void *)pamh, (void *)name);

	if (pamh == NULL || name == NULL)
		goto out;

	/* check to see if we already have this variable in the PAM handle */
	traverse = pamh->pam_env;
	while (traverse && strncmp(traverse->name, name, strlen(name))) {
		traverse = traverse->next;
	}
	error = (traverse ? PAM_SUCCESS : PAM_SYSTEM_ERR);
	pam_trace(PAM_DEBUG_DEFAULT,
	    "pam_getenv(%p, %s)=%s", (void *)pamh, name,
	    traverse ? traverse->value : "NULL");
out:
	return (error ? NULL : strdup(traverse->value));
}

/*
 * pam_getenvlist - retrieve all environment variables from the PAM handle
 */
char **
pam_getenvlist(pam_handle_t *pamh)
{
	int		error = PAM_SYSTEM_ERR;
	char		**list = 0;
	int		length = 0;
	env_list	*traverse;
	char		env_buf[1024];

	pam_trace(PAM_DEBUG_DEFAULT,
	    "pam_getenvlist(%p)", (void *)pamh);

	if (pamh == NULL)
		goto out;

	/* find out how many environment variables we have */
	traverse = pamh->pam_env;
	while (traverse) {
		length++;
		traverse = traverse->next;
	}

	/* allocate the array we will return to the caller */
	if ((list = (char **)calloc(length + 1, sizeof (char *))) == 0) {
		error = PAM_BUF_ERR;
		goto out;
	}

	/* add the variables one by one */
	length = 0;
	traverse = pamh->pam_env;
	while (traverse) {
		(void) snprintf(env_buf, sizeof (env_buf), "%s=%s",
		    traverse->name, traverse->value);
		if ((list[length] = strdup(env_buf)) == 0) {
			error = PAM_BUF_ERR;
			goto out;
		}
		length++;
		traverse = traverse->next;
	}

	/* null terminate the list */
	list[length] = 0;

	error = PAM_SUCCESS;
out:
	if (error != PAM_SUCCESS) {
		/* free the partially constructed list */
		if (list) {
			length = 0;
			while (list[length] != NULL) {
				free(list[length]);
				length++;
			}
			free(list);
		}
	}
	return (error ? NULL : list);
}

/*
 * Routines to load a requested module on demand
 */

/*
 * load_modules - load the requested module.
 *		  if the dlopen or dlsym fail, then
 *		  the module is ignored.
 */

static int
load_modules(pam_handle_t *pamh, int type, char *function_name,
    pamtab_t *pam_entry)
{
	void	*mh;
	struct	auth_module *authp;
	struct	account_module *accountp;
	struct	session_module *sessionp;
	struct	password_module *passwdp;
	int	loading_functions = 0; /* are we currently loading functions? */

	pam_trace(PAM_DEBUG_MODULE, "load_modules[%d:%s](%p, %s)=%s:%s",
		pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
		function_name, pam_trace_fname(pam_entry->pam_flag),
		pam_entry->module_path);

	while (pam_entry != NULL) {
		pam_trace(PAM_DEBUG_DEFAULT,
		    "while load_modules[%d:%s](%p, %s)=%s",
		    pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
		    function_name, pam_entry->module_path);

		if (pam_entry->pam_flag & PAM_INCLUDE) {
			pam_trace(PAM_DEBUG_DEFAULT,
			    "done load_modules[%d:%s](%p, %s)=%s",
			    pamh->include_depth, pam_trace_cname(pamh),
			    (void *)pamh, function_name,
			    pam_entry->module_path);
			return (PAM_SUCCESS);
		}
		switch (type) {
		case PAM_AUTH_MODULE:

			/* if the function has already been loaded, return */
			authp = pam_entry->function_ptr;
			if (!loading_functions &&
				(((strcmp(function_name, PAM_SM_AUTHENTICATE)
				== 0) &&
				authp && authp->pam_sm_authenticate) ||
				((strcmp(function_name, PAM_SM_SETCRED) == 0) &&
				authp && authp->pam_sm_setcred))) {
				return (PAM_SUCCESS);
			}

			/* function has not been loaded yet */
			loading_functions = 1;
			if (authp == NULL) {
				authp = (struct auth_module *)calloc(1,
				    sizeof (struct auth_module));
				if (authp == NULL)
					return (PAM_BUF_ERR);
			}

			/* if open_module fails, return error */
			if ((mh = open_module(pamh,
			    pam_entry->module_path)) == NULL) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "load_modules[%d:%s]: can not open module "
				    "%s", pamh->include_depth,
				    pam_trace_cname(pamh),
				    pam_entry->module_path);
				free(authp);
				return (PAM_OPEN_ERR);
			}

			/* load the authentication function */
			if (strcmp(function_name, PAM_SM_AUTHENTICATE) == 0) {
				if (load_function(mh, PAM_SM_AUTHENTICATE,
				    &authp->pam_sm_authenticate)
				    != PAM_SUCCESS) {
					/* return error if dlsym fails */
					free(authp);
					return (PAM_SYMBOL_ERR);
				}

			/* load the setcred function */
			} else if (strcmp(function_name, PAM_SM_SETCRED) == 0) {
				if (load_function(mh, PAM_SM_SETCRED,
				    &authp->pam_sm_setcred) != PAM_SUCCESS) {
					/* return error if dlsym fails */
					free(authp);
					return (PAM_SYMBOL_ERR);
				}
			}
			pam_entry->function_ptr = authp;
			break;
		case PAM_ACCOUNT_MODULE:
			accountp = pam_entry->function_ptr;
			if (!loading_functions &&
			    (strcmp(function_name, PAM_SM_ACCT_MGMT) == 0) &&
			    accountp && accountp->pam_sm_acct_mgmt) {
				return (PAM_SUCCESS);
			}

			/*
			 * If functions are added to the account module,
			 * verify that one of the other functions hasn't
			 * already loaded it.  See PAM_AUTH_MODULE code.
			 */
			loading_functions = 1;
			accountp = (struct account_module *)calloc(1,
			    sizeof (struct account_module));
			if (accountp == NULL)
				return (PAM_BUF_ERR);

			/* if open_module fails, return error */
			if ((mh = open_module(pamh,
			    pam_entry->module_path)) == NULL) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "load_modules[%d:%s]: can not open module "
				    "%s", pamh->include_depth,
				    pam_trace_cname(pamh),
				    pam_entry->module_path);
				free(accountp);
				return (PAM_OPEN_ERR);
			}

			if (load_function(mh, PAM_SM_ACCT_MGMT,
			    &accountp->pam_sm_acct_mgmt) != PAM_SUCCESS) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "load_modules[%d:%s]: pam_sm_acct_mgmt() "
				    "missing", pamh->include_depth,
				    pam_trace_cname(pamh));
				free(accountp);
				return (PAM_SYMBOL_ERR);
			}
			pam_entry->function_ptr = accountp;
			break;
		case PAM_SESSION_MODULE:
			sessionp = pam_entry->function_ptr;
			if (!loading_functions &&
			    (((strcmp(function_name,
			    PAM_SM_OPEN_SESSION) == 0) &&
			    sessionp && sessionp->pam_sm_open_session) ||
			    ((strcmp(function_name,
			    PAM_SM_CLOSE_SESSION) == 0) &&
			    sessionp && sessionp->pam_sm_close_session))) {
				return (PAM_SUCCESS);
			}

			loading_functions = 1;
			if (sessionp == NULL) {
				sessionp = (struct session_module *)
				    calloc(1, sizeof (struct session_module));
				if (sessionp == NULL)
					return (PAM_BUF_ERR);
			}

			/* if open_module fails, return error */
			if ((mh = open_module(pamh,
			    pam_entry->module_path)) == NULL) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "load_modules[%d:%s]: can not open module "
				    "%s", pamh->include_depth,
				    pam_trace_cname(pamh),
				    pam_entry->module_path);
				free(sessionp);
				return (PAM_OPEN_ERR);
			}

			if ((strcmp(function_name, PAM_SM_OPEN_SESSION) == 0) &&
			    load_function(mh, PAM_SM_OPEN_SESSION,
				&sessionp->pam_sm_open_session)
				!= PAM_SUCCESS) {
				free(sessionp);
				return (PAM_SYMBOL_ERR);
			} else if ((strcmp(function_name,
					PAM_SM_CLOSE_SESSION) == 0) &&
				    load_function(mh, PAM_SM_CLOSE_SESSION,
					&sessionp->pam_sm_close_session)
					!= PAM_SUCCESS) {
				free(sessionp);
				return (PAM_SYMBOL_ERR);
			}
			pam_entry->function_ptr = sessionp;
			break;
		case PAM_PASSWORD_MODULE:
			passwdp = pam_entry->function_ptr;
			if (!loading_functions &&
			    (strcmp(function_name, PAM_SM_CHAUTHTOK) == 0) &&
			    passwdp && passwdp->pam_sm_chauthtok) {
				return (PAM_SUCCESS);
			}

			/*
			 * If functions are added to the password module,
			 * verify that one of the other functions hasn't
			 * already loaded it.  See PAM_AUTH_MODULE code.
			 */
			loading_functions = 1;
			passwdp = (struct password_module *)
				calloc(1, sizeof (struct password_module));
			if (passwdp == NULL)
				return (PAM_BUF_ERR);

			/* if open_module fails, continue */
			if ((mh = open_module(pamh,
			    pam_entry->module_path)) == NULL) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "load_modules[%d:%s]: can not open module "
				    "%s", pamh->include_depth,
				    pam_trace_cname(pamh),
				    pam_entry->module_path);
				free(passwdp);
				return (PAM_OPEN_ERR);
			}

			if (load_function(mh, PAM_SM_CHAUTHTOK,
			    &passwdp->pam_sm_chauthtok) != PAM_SUCCESS) {
				free(passwdp);
				return (PAM_SYMBOL_ERR);
			}
			pam_entry->function_ptr = passwdp;
			break;
		default:
			pam_trace(PAM_DEBUG_DEFAULT,
			    "load_modules[%d:%s](%p, %s): unsupported type %d",
			    pamh->include_depth, pam_trace_cname(pamh),
			    (void *)pamh, function_name, type);
			break;
		}

		pam_entry = pam_entry->next;
	} /* while */

	pam_trace(PAM_DEBUG_MODULE, "load_modules[%d:%s](%p, %s)=done",
	    pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
	    function_name);

	return (PAM_SUCCESS);
}

/*
 * open_module		- Open the module first checking for
 *			  propers modes and ownerships on the file.
 */

static void *
open_module(pam_handle_t *pamh, char *module_so)
{
	struct stat64	stb;
	char		*errmsg;
	void		*lfd;
	fd_list		*module_fds = 0;
	fd_list		*trail = 0;
	fd_list		*traverse = 0;

	/* Check the ownership and file modes */
	if (stat64(module_so, &stb) < 0) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "open_module[%d:%s]: stat(%s) failed: %s",
		    pamh->include_depth, pam_trace_cname(pamh), module_so,
		    strerror(errno));
		return (NULL);
	}
	if (stb.st_uid != (uid_t)0) {
		__pam_log(LOG_AUTH | LOG_ALERT,
		    "open_module[%d:%s]: Owner of the module %s is not root",
		    pamh->include_depth, pam_trace_cname(pamh), module_so);
		return (NULL);
	}
	if (stb.st_mode & S_IWGRP) {
		__pam_log(LOG_AUTH | LOG_ALERT,
		    "open_module[%d:%s]: module %s writable by group",
		    pamh->include_depth, pam_trace_cname(pamh), module_so);
		return (NULL);
	}
	if (stb.st_mode & S_IWOTH) {
		__pam_log(LOG_AUTH | LOG_ALERT,
		    "open_module[%d:%s]: module %s writable by world",
		    pamh->include_depth, pam_trace_cname(pamh), module_so);
		return (NULL);
	}

	/*
	 * Perform the dlopen()
	 */
	lfd = (void *)dlopen(module_so, RTLD_LAZY);

	if (lfd == NULL) {
		errmsg = dlerror();
		__pam_log(LOG_AUTH | LOG_ERR, "open_module[%d:%s]: %s "
		    "failed: %s", pamh->include_depth, pam_trace_cname(pamh),
		    module_so, errmsg != NULL ? errmsg : "Unknown error");
		return (NULL);
	} else {
		/* add this fd to the pam handle */
		if ((module_fds = (fd_list *)calloc(1, sizeof (fd_list)))
		    == 0) {
			(void) dlclose(lfd);
			lfd = 0;
			return (NULL);
		}
		module_fds->mh = lfd;

		if (pamh->fd == 0) {
			/* adding new head of list */
			pamh->fd = module_fds;
		} else {
			/* appending to end of list */
			traverse = pamh->fd;
			while (traverse) {
				trail = traverse;
				traverse = traverse->next;
			}
			trail->next = module_fds;
		}
	}

	return (lfd);
}

/*
 * load_function - call dlsym() to resolve the function address
 */
static int
load_function(void *lfd, char *name, int (**func)())
{
	char *errmsg = NULL;

	if (lfd == NULL)
		return (PAM_SYMBOL_ERR);

	*func = (int (*)())dlsym(lfd, name);
	if (*func == NULL) {
		errmsg = dlerror();
		__pam_log(LOG_AUTH | LOG_ERR, "dlsym failed %s: error %s",
		    name, errmsg != NULL ? errmsg : "Unknown error");
		return (PAM_SYMBOL_ERR);
	}

	pam_trace(PAM_DEBUG_DEFAULT,
	    "load_function: successful load of %s", name);
	return (PAM_SUCCESS);
}

/*
 * Routines to read the pam.conf configuration file
 */

/*
 * open_pam_conf - open the pam.conf config file
 */

static int
open_pam_conf(struct pam_fh **pam_fh, pam_handle_t *pamh, char *config)
{
	struct stat64	stb;
	int		fd;

	if ((fd = open(config, O_RDONLY)) == -1) {
		__pam_log(LOG_AUTH | LOG_ALERT,
		    "open_pam_conf[%d:%s]: open(%s) failed: %s",
		    pamh->include_depth, pam_trace_cname(pamh), config,
		    strerror(errno));
		return (0);
	}
	/* Check the ownership and file modes */
	if (fstat64(fd, &stb) < 0) {
		__pam_log(LOG_AUTH | LOG_ALERT,
		    "open_pam_conf[%d:%s]: stat(%s) failed: %s",
		    pamh->include_depth, pam_trace_cname(pamh), config,
		    strerror(errno));
		(void) close(fd);
		return (0);
	}
	if (stb.st_uid != (uid_t)0) {
		__pam_log(LOG_AUTH | LOG_ALERT,
		    "open_pam_conf[%d:%s]: Owner of %s is not root",
		    pamh->include_depth, pam_trace_cname(pamh), config);
		(void) close(fd);
		return (0);
	}
	if (stb.st_mode & S_IWGRP) {
		__pam_log(LOG_AUTH | LOG_ALERT,
		    "open_pam_conf[%d:%s]: %s writable by group",
		    pamh->include_depth, pam_trace_cname(pamh), config);
		(void) close(fd);
		return (0);
	}
	if (stb.st_mode & S_IWOTH) {
		__pam_log(LOG_AUTH | LOG_ALERT,
		    "open_pam_conf[%d:%s]: %s writable by world",
		    pamh->include_depth, pam_trace_cname(pamh), config);
		(void) close(fd);
		return (0);
	}
	if ((*pam_fh = calloc(1, sizeof (struct pam_fh))) == NULL) {
		(void) close(fd);
		return (0);
	}
	(*pam_fh)->fconfig = fd;
	(*pam_fh)->bufsize = (size_t)stb.st_size;
	if (((*pam_fh)->data = mmap(0, (*pam_fh)->bufsize, PROT_READ,
	    MAP_PRIVATE, (*pam_fh)->fconfig, 0)) == MAP_FAILED) {
		(void) close(fd);
		free (*pam_fh);
		return (0);
	}
	(*pam_fh)->bufferp = (*pam_fh)->data;

	return (1);
}

/*
 * close_pam_conf - close pam.conf
 */

static void
close_pam_conf(struct pam_fh *pam_fh)
{
	(void) munmap(pam_fh->data, pam_fh->bufsize);
	(void) close(pam_fh->fconfig);
	free(pam_fh);
}

/*
 * read_pam_conf - read in each entry in pam.conf and store info
 *		   under the pam handle.
 */

static int
read_pam_conf(pam_handle_t *pamh, char *config)
{
	struct pam_fh	*pam_fh;
	pamtab_t	*pamentp;
	pamtab_t	*tpament;
	char		*service;
	int		error;
	int		i = pamh->include_depth;	/* include depth */
	/*
	 * service types:
	 * error (-1), "auth" (0), "account" (1), "session" (2), "password" (3)
	 */
	int service_found[PAM_NUM_MODULE_TYPES+1] = {0, 0, 0, 0, 0};

	(void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
	if (service == NULL || *service == '\0') {
		__pam_log(LOG_AUTH | LOG_ERR, "No service name");
		return (PAM_SYSTEM_ERR);
	}

	pamh->pam_conf_name[i] = strdup(config);
	pam_trace(PAM_DEBUG_CONF, "read_pam_conf[%d:%s](%p) open(%s)",
	    i, pam_trace_cname(pamh), (void *)pamh, config);
	if (open_pam_conf(&pam_fh, pamh, config) == 0) {
		return (PAM_SYSTEM_ERR);
	}

	while ((error =
	    get_pam_conf_entry(pam_fh, pamh, &pamentp)) == PAM_SUCCESS &&
	    pamentp) {

		/* See if entry is this service and valid */
		if (verify_pam_conf(pamentp, service)) {
			pam_trace(PAM_DEBUG_CONF,
			    "read_pam_conf[%d:%s](%p): bad entry error %s",
			    i, pam_trace_cname(pamh), (void *)pamh, service);

			error = PAM_SYSTEM_ERR;
			free_pamconf(pamentp);
			goto out;
		}
		if (strcasecmp(pamentp->pam_service, service) == 0) {
			pam_trace(PAM_DEBUG_CONF,
			    "read_pam_conf[%d:%s](%p): processing %s",
			    i, pam_trace_cname(pamh), (void *)pamh, service);
			/* process first service entry */
			if (service_found[pamentp->pam_type + 1] == 0) {
				/* purge "other" entries */
				while ((tpament = pamh->pam_conf_info[i]
				    [pamentp->pam_type]) != NULL) {
					pam_trace(PAM_DEBUG_CONF,
					    "read_pam_conf(%p): purging "
					    "\"other\"[%d:%s][%s]",
					    (void *)pamh, i,
					    pam_trace_cname(pamh),
					    pam_snames[pamentp->pam_type]);
					pamh->pam_conf_info[i]
					    [pamentp->pam_type] = tpament->next;
					free_pamconf(tpament);
				}
				/* add first service entry */
				pam_trace(PAM_DEBUG_CONF,
				    "read_pam_conf(%p): adding 1st "
				    "%s[%d:%s][%s]",
				    (void *)pamh, service, i,
				    pam_trace_cname(pamh),
				    pam_snames[pamentp->pam_type]);
				pamh->pam_conf_info[i][pamentp->pam_type] =
				    pamentp;
				service_found[pamentp->pam_type + 1] = 1;
			} else {
				/* append more service entries */
				pam_trace(PAM_DEBUG_CONF,
				    "read_pam_conf(%p): adding more "
				    "%s[%d:%s][%s]",
				    (void *)pamh, service, i,
				    pam_trace_cname(pamh),
				    pam_snames[pamentp->pam_type]);
				tpament =
				    pamh->pam_conf_info[i][pamentp->pam_type];
				while (tpament->next != NULL) {
					tpament = tpament->next;
				}
				tpament->next = pamentp;
			}
		} else if (service_found[pamentp->pam_type + 1] == 0) {
			/* See if "other" entry available and valid */
			if (verify_pam_conf(pamentp, "other")) {
				pam_trace(PAM_DEBUG_CONF,
				    "read_pam_conf(%p): bad entry error %s "
				    "\"other\"[%d:%s]",
				    (void *)pamh, service, i,
				    pam_trace_cname(pamh));
				error = PAM_SYSTEM_ERR;
				free_pamconf(pamentp);
				goto out;
			}
			if (strcasecmp(pamentp->pam_service, "other") == 0) {
				pam_trace(PAM_DEBUG_CONF,
				    "read_pam_conf(%p): processing "
				    "\"other\"[%d:%s]", (void *)pamh, i,
				    pam_trace_cname(pamh));
				if ((tpament = pamh->pam_conf_info[i]
				    [pamentp->pam_type]) == NULL) {
					/* add first "other" entry */
					pam_trace(PAM_DEBUG_CONF,
					    "read_pam_conf(%p): adding 1st "
					    "other[%d:%s][%s]", (void *)pamh, i,
					    pam_trace_cname(pamh),
					    pam_snames[pamentp->pam_type]);
					pamh->pam_conf_info[i]
					    [pamentp->pam_type] = pamentp;
				} else {
					/* append more "other" entries */
					pam_trace(PAM_DEBUG_CONF,
					    "read_pam_conf(%p): adding more "
					    "other[%d:%s][%s]", (void *)pamh, i,
					    pam_trace_cname(pamh),
					    pam_snames[pamentp->pam_type]);
					while (tpament->next != NULL) {
						tpament = tpament->next;
					}
					tpament->next = pamentp;
				}
			} else {
				/* irrelevent entry */
				free_pamconf(pamentp);
			}
		} else {
			/* irrelevent entry */
			free_pamconf(pamentp);
		}
	}
out:
	(void) close_pam_conf(pam_fh);
	if (error != PAM_SUCCESS)
		free_pam_conf_info(pamh);
	return (error);
}

/*
 * get_pam_conf_entry - get a pam.conf entry
 */

static int
get_pam_conf_entry(struct pam_fh *pam_fh, pam_handle_t *pamh, pamtab_t **pam)
{
	char		*cp, *arg;
	int		argc;
	char		*tmp, *tmp_free;
	int		i;
	char		*current_line = NULL;
	int		error = PAM_SYSTEM_ERR;	/* preset to error */
	int		err;

	/* get the next line from pam.conf */
	if ((cp = nextline(pam_fh, pamh, &err)) == NULL) {
		/* no more lines in pam.conf ==> return */
		error = PAM_SUCCESS;
		*pam = NULL;
		goto out;
	}

	if ((*pam = (pamtab_t *)calloc(1, sizeof (pamtab_t))) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
		goto out;
	}

	/* copy full line for error reporting */
	if ((current_line = strdup(cp)) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
		goto out;
	}

	pam_trace(PAM_DEBUG_CONF,
	    "pam.conf[%s] entry:\t%s", pam_trace_cname(pamh), current_line);

	/* get service name (e.g. login, su, passwd) */
	if ((arg = read_next_token(&cp)) == 0) {
		__pam_log(LOG_AUTH | LOG_CRIT,
		    "illegal pam.conf[%s] entry: %s: missing SERVICE NAME",
		    pam_trace_cname(pamh), current_line);
		goto out;
	}
	if (((*pam)->pam_service = strdup(arg)) == 0) {
		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
		goto out;
	}

	/* get module type (e.g. authentication, acct mgmt) */
	if ((arg = read_next_token(&cp)) == 0) {
		__pam_log(LOG_AUTH | LOG_CRIT,
		    "illegal pam.conf[%s] entry: %s: missing MODULE TYPE",
		    pam_trace_cname(pamh), current_line);
		(*pam)->pam_type = -1;	/* 0 is a valid value */
		goto getflag;
	}
	if (strcasecmp(arg, PAM_AUTH_NAME) == 0) {
		(*pam)->pam_type = PAM_AUTH_MODULE;
	} else if (strcasecmp(arg, PAM_ACCOUNT_NAME) == 0) {
		(*pam)->pam_type = PAM_ACCOUNT_MODULE;
	} else if (strcasecmp(arg, PAM_SESSION_NAME) == 0) {
		(*pam)->pam_type = PAM_SESSION_MODULE;
	} else if (strcasecmp(arg, PAM_PASSWORD_NAME) == 0) {
		(*pam)->pam_type = PAM_PASSWORD_MODULE;
	} else {
		/* error */
		__pam_log(LOG_AUTH | LOG_CRIT,
		    "illegal pam.conf[%s] entry: %s: invalid module "
		    "type: %s", pam_trace_cname(pamh), current_line, arg);
		(*pam)->pam_type = -1;	/* 0 is a valid value */
	}

getflag:
	/* get pam flag (e.g., requisite, required, sufficient, optional) */
	if ((arg = read_next_token(&cp)) == 0) {
		__pam_log(LOG_AUTH | LOG_CRIT,
		    "illegal pam.conf[%s] entry: %s: missing CONTROL FLAG",
		    pam_trace_cname(pamh), current_line);
		goto getpath;
	}
	if (strcasecmp(arg, PAM_BINDING_NAME) == 0) {
		(*pam)->pam_flag = PAM_BINDING;
	} else if (strcasecmp(arg, PAM_INCLUDE_NAME) == 0) {
		(*pam)->pam_flag = PAM_INCLUDE;
	} else if (strcasecmp(arg, PAM_OPTIONAL_NAME) == 0) {
		(*pam)->pam_flag = PAM_OPTIONAL;
	} else if (strcasecmp(arg, PAM_REQUIRED_NAME) == 0) {
		(*pam)->pam_flag = PAM_REQUIRED;
	} else if (strcasecmp(arg, PAM_REQUISITE_NAME) == 0) {
		(*pam)->pam_flag = PAM_REQUISITE;
	} else if (strcasecmp(arg, PAM_SUFFICIENT_NAME) == 0) {
		(*pam)->pam_flag = PAM_SUFFICIENT;
	} else {
		/* error */
		__pam_log(LOG_AUTH | LOG_CRIT,
		    "illegal pam.conf[%s] entry: %s",
		    pam_trace_cname(pamh), current_line);
		__pam_log(LOG_AUTH | LOG_CRIT,
		    "\tinvalid control flag: %s", arg);
	}

getpath:
	/* get module path (e.g. /usr/lib/security/pam_unix_auth.so.1) */
	if ((arg = read_next_token(&cp)) == 0) {
		__pam_log(LOG_AUTH | LOG_CRIT,
		    "illegal pam.conf[%s] entry: %s: missing MODULE PATH",
		    pam_trace_cname(pamh), current_line);
		error = PAM_SUCCESS;	/* success */
		goto out;
	}
	if (arg[0] != '/') {
		size_t len;
		/*
		 * If module path does not start with "/", then
		 * prepend PAM_LIB_DIR (/usr/lib/security/).
		 */
		/* sizeof (PAM_LIB_DIR) has room for '\0' */
		len = sizeof (PAM_LIB_DIR) + sizeof (PAM_ISA_DIR) + strlen(arg);
		if (((*pam)->module_path = malloc(len)) == NULL) {
			__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
			goto out;
		}
		if ((*pam)->pam_flag & PAM_INCLUDE) {
			(void) snprintf((*pam)->module_path, len, "%s%s",
			    PAM_LIB_DIR, arg);
		} else {
			(void) snprintf((*pam)->module_path, len, "%s%s%s",
			    PAM_LIB_DIR, PAM_ISA_DIR, arg);
		}
	} else {
		/* Full path provided for module */
		char *isa;

		/* Check for Instruction Set Architecture indicator */
		if ((isa = strstr(arg, PAM_ISA)) != NULL) {
			size_t len;
			len = strlen(arg) - (sizeof (PAM_ISA)-1) +
			    sizeof (PAM_ISA_DIR);

			/* substitute the architecture dependent path */
			if (((*pam)->module_path = malloc(len)) == NULL) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "strdup: out of memory");
				goto out;
			}
			*isa = '\000';
			isa += strlen(PAM_ISA);
			(void) snprintf((*pam)->module_path, len, "%s%s%s",
			    arg, PAM_ISA_DIR, isa);
		} else if (((*pam)->module_path = strdup(arg)) == 0) {
			__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
			goto out;
		}
	}

	/* count the number of module-specific options first */
	argc = 0;
	if ((tmp = strdup(cp)) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
		goto out;
	}
	tmp_free = tmp;
	for (arg = read_next_token(&tmp); arg; arg = read_next_token(&tmp))
		argc++;
	free(tmp_free);

	/* allocate array for the module-specific options */
	if (argc > 0) {
		if (((*pam)->module_argv = (char **)
			calloc(argc+1, sizeof (char *))) == 0) {
			__pam_log(LOG_AUTH | LOG_ERR, "calloc: out of memory");
			goto out;
		}
		i = 0;
		for (arg = read_next_token(&cp); arg;
			arg = read_next_token(&cp)) {
			(*pam)->module_argv[i] = strdup(arg);
			if ((*pam)->module_argv[i] == NULL) {
				__pam_log(LOG_AUTH | LOG_ERR, "strdup failed");
				goto out;
			}
			i++;
		}
		(*pam)->module_argv[argc] = NULL;
	}
	(*pam)->module_argc = argc;

	error = PAM_SUCCESS;	/* success */
	(*pam)->pam_err = err;	/* was the line truncated */

out:
	if (current_line)
		free(current_line);
	if (error != PAM_SUCCESS) {
		/* on error free this */
		if (*pam)
			free_pamconf(*pam);
	}
	return (error);
}


/*
 * read_next_token - skip tab and space characters and return the next token
 */

static char *
read_next_token(char **cpp)
{
	register char *cp = *cpp;
	char *start;

	if (cp == (char *)0) {
		*cpp = (char *)0;
		return ((char *)0);
	}
	while (*cp == ' ' || *cp == '\t')
		cp++;
	if (*cp == '\0') {
		*cpp = (char *)0;
		return ((char *)0);
	}
	start = cp;
	while (*cp && *cp != ' ' && *cp != '\t')
		cp++;
	if (*cp != '\0')
		*cp++ = '\0';
	*cpp = cp;
	return (start);
}

static char *
pam_conf_strnchr(char *sp, int c, intptr_t count)
{
	while (count) {
		if (*sp == (char)c)
			return ((char *)sp);
		else {
			sp++;
			count--;
		}
	};
	return (NULL);
}

/*
 * nextline - skip all blank lines and comments
 */

static char *
nextline(struct pam_fh *pam_fh, pam_handle_t *pamh, int *err)
{
	char	*ll;
	int	find_a_line = 0;
	char	*data = pam_fh->data;
	char	*bufferp = pam_fh->bufferp;
	char	*bufferendp = &data[pam_fh->bufsize];
	size_t	input_len;

	/*
	 * Skip the blank line, comment line
	 */
	while (!find_a_line) {
		/* if we are at the end of the buffer, there is no next line */
		if (bufferp == bufferendp)
			return (NULL);

		/* skip blank line */
		while (*bufferp == '\n') {
			/*
			 * If we are at the end of the buffer, there is
			 * no next line.
			 */
			if (++bufferp == bufferendp) {
				return (NULL);
			}
			/* else we check *bufferp again */
		}

		/* skip comment line */
		while (*bufferp == '#') {
			if ((ll = pam_conf_strnchr(bufferp, '\n',
				bufferendp - bufferp)) != NULL) {
				bufferp = ll;
			} else {
				/*
				 * this comment line the last line.
				 * no next line
				 */
				return (NULL);
			}

			/*
			 * If we are at the end of the buffer, there is
			 * no next line.
			 */
			if (bufferp == bufferendp) {
				return (NULL);
			}
		}

		if ((*bufferp != '\n') && (*bufferp != '#')) {
			find_a_line = 1;
		}
	}

	*err = PAM_SUCCESS;
	/* now we find one line */
	if ((ll = pam_conf_strnchr(bufferp, '\n', bufferendp - bufferp))
	    != NULL) {
		if ((input_len = ll - bufferp) >= sizeof (pam_fh->line)) {
			__pam_log(LOG_AUTH | LOG_ERR,
			    "nextline[%d:%s]: pam.conf line too long %.256s",
			    pamh->include_depth, pam_trace_cname(pamh),
			    bufferp);
			input_len = sizeof (pam_fh->line) - 1;
			*err = PAM_SERVICE_ERR;
		}
		(void) strncpy(pam_fh->line, bufferp, input_len);
		pam_fh->line[input_len] = '\0';
		pam_fh->bufferp = ll++;
	} else {
		ll = bufferendp;
		if ((input_len = ll - bufferp) >= sizeof (pam_fh->line)) {
			__pam_log(LOG_AUTH | LOG_ERR,
			    "nextline[%d:%s]: pam.conf line too long %.256s",
			    pamh->include_depth, pam_trace_cname(pamh),
			    bufferp);
			input_len = sizeof (pam_fh->line) - 1;
			*err = PAM_SERVICE_ERR;
		}
		(void) strncpy(pam_fh->line, bufferp, input_len);
		pam_fh->line[input_len] = '\0';
		pam_fh->bufferp = ll;
	}

	return (pam_fh->line);
}

/*
 * verify_pam_conf - verify that the pam_conf entry is filled in.
 *
 *	True = Error if there is no service.
 *	True = Error if there is a service and it matches the requested service
 *		but, the type, flag, line overflow, or path is in error.
 */

static int
verify_pam_conf(pamtab_t *pam, char *service)
{
	return ((pam->pam_service == (char *)NULL) ||
	    ((strcasecmp(pam->pam_service, service) == 0) &&
	    ((pam->pam_type == -1) ||
	    (pam->pam_flag == 0) ||
	    (pam->pam_err != PAM_SUCCESS) ||
	    (pam->module_path == (char *)NULL))));
}

/*
 * Routines to free allocated storage
 */

/*
 * clean_up -  free allocated storage in the pam handle
 */

static void
clean_up(pam_handle_t *pamh)
{
	int i;
	pam_repository_t *auth_rep;

	if (pamh) {
		/* Cleanup Sun proprietary tag information */
		if (pamh->pam_client_message_version_number)
			free(pamh->pam_client_message_version_number);

		while (pamh->include_depth >= 0) {
			free_pam_conf_info(pamh);
			pamh->include_depth--;
		}

		/* Cleanup PAM_REPOSITORY structure */
		auth_rep = pamh->ps_item[PAM_REPOSITORY].pi_addr;
		if (auth_rep != NULL) {
			if (auth_rep->type != NULL)
				free(auth_rep->type);
			if (auth_rep->scope != NULL)
				free(auth_rep->scope);
		}

		for (i = 0; i < PAM_MAX_ITEMS; i++) {
			if (pamh->ps_item[i].pi_addr != NULL) {
				if (i == PAM_AUTHTOK || i == PAM_OLDAUTHTOK) {
					(void) memset(pamh->ps_item[i].pi_addr,
					    0, pamh->ps_item[i].pi_size);
				}
				free(pamh->ps_item[i].pi_addr);
			}
		}
		free(pamh);
	}
}

/*
 * free_pamconf - free memory used to store pam.conf entry
 */

static void
free_pamconf(pamtab_t *cp)
{
	int i;

	if (cp) {
		if (cp->pam_service)
			free(cp->pam_service);
		if (cp->module_path)
			free(cp->module_path);
		for (i = 0; i < cp->module_argc; i++) {
			if (cp->module_argv[i])
				free(cp->module_argv[i]);
		}
		if (cp->module_argc > 0)
			free(cp->module_argv);
		if (cp->function_ptr)
			free(cp->function_ptr);

		free(cp);
	}
}

/*
 * free_pam_conf_info - free memory used to store all pam.conf info
 *			under the pam handle
 */

static void
free_pam_conf_info(pam_handle_t *pamh)
{
	pamtab_t *pamentp;
	pamtab_t *pament_trail;
	int i = pamh->include_depth;
	int j;

	for (j = 0; j < PAM_NUM_MODULE_TYPES; j++) {
		pamentp = pamh->pam_conf_info[i][j];
		pamh->pam_conf_info[i][j] = NULL;
		pament_trail = pamentp;
		while (pamentp) {
			pamentp = pamentp->next;
			free_pamconf(pament_trail);
			pament_trail = pamentp;
		}
	}
	if (pamh->pam_conf_name[i] != NULL) {
		free(pamh->pam_conf_name[i]);
		pamh->pam_conf_name[i] = NULL;
	}
}

static void
free_env(env_list *pam_env)
{
	if (pam_env) {
		if (pam_env->name)
			free(pam_env->name);
		if (pam_env->value)
			free(pam_env->value);
		free(pam_env);
	}
}

/*
 *	Internal convenience functions for Solaris PAM service modules.
 */

#include <libintl.h>
#include <nl_types.h>
#include <synch.h>
#include <locale.h>
#include <thread.h>

typedef struct pam_msg_data {
	nl_catd fd;
} pam_msg_data_t;

/*
 * free_resp():
 *	free storage for responses used in the call back "pam_conv" functions
 */

void
free_resp(int num_msg, struct pam_response *resp)
{
	int			i;
	struct pam_response	*r;

	if (resp) {
		r = resp;
		for (i = 0; i < num_msg; i++, r++) {
			if (r->resp) {
				/* clear before freeing -- may be a password */
				bzero(r->resp, strlen(r->resp));
				free(r->resp);
				r->resp = NULL;
			}
		}
		free(resp);
	}
}

static int
do_conv(pam_handle_t *pamh, int msg_style, int num_msg,
    char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp,
    struct pam_response *ret_respp[])
{
	struct pam_message	*msg;
	struct pam_message	*m;
	int			i;
	int			k;
	int			retcode;
	struct pam_conv		*pam_convp;

	if ((retcode = pam_get_item(pamh, PAM_CONV,
	    (void **)&pam_convp)) != PAM_SUCCESS) {
		return (retcode);
	}

	/*
	 * When pam_set_item() is called to set PAM_CONV and the
	 * item is NULL, memset(pip->pi_addr, 0, size) is called.
	 * So at this point, we should check whether pam_convp->conv
	 * is NULL or not.
	 */
	if ((pam_convp == NULL) || (pam_convp->conv == NULL))
		return (PAM_SYSTEM_ERR);

	i = 0;
	k = num_msg;

	msg = (struct pam_message *)calloc(num_msg,
	    sizeof (struct pam_message));
	if (msg == NULL) {
		return (PAM_BUF_ERR);
	}
	m = msg;

	while (k--) {
		/*
		 * fill out the message structure to display prompt message
		 */
		m->msg_style = msg_style;
		m->msg = messages[i];
		pam_trace(PAM_DEBUG_CONV,
		    "pam_conv_msg(%p:%d[%d]=%s)",
		    (void *)pamh, msg_style, i, messages[i]);
		m++;
		i++;
	}

	/*
	 * The UNIX pam modules always calls __pam_get_authtok() and
	 * __pam_display_msg() with a NULL pointer as the conv_apdp.
	 * In case the conv_apdp is NULL and the pam_convp->appdata_ptr
	 * is not NULL, we should pass the pam_convp->appdata_ptr
	 * to the conversation function.
	 */
	if (conv_apdp == NULL && pam_convp->appdata_ptr != NULL)
		conv_apdp = pam_convp->appdata_ptr;

	/*
	 * Call conv function to display the prompt.
	 */
	retcode = (pam_convp->conv)(num_msg, &msg, ret_respp, conv_apdp);
	pam_trace(PAM_DEBUG_CONV,
	    "pam_conv_resp(%p pam_conv = %s) ret_respp = %p",
	    (void *)pamh, pam_strerror(pamh, retcode), (void *)ret_respp);
	if (*ret_respp == NULL) {
		pam_trace(PAM_DEBUG_CONV,
		    "pam_conv_resp(%p No response requested)", (void *)pamh);
	} else if ((pam_debug & (PAM_DEBUG_CONV | PAM_DEBUG_AUTHTOK)) != 0) {
		struct pam_response *r = *ret_respp;

		for (i = 0; i < num_msg; i++, r++) {
			if (r->resp == NULL) {
				pam_trace(PAM_DEBUG_CONV,
				    "pam_conv_resp(%p:"
				    "[%d] NULL response string)",
				    (void *)pamh, i);
			} else {
				if (msg_style == PAM_PROMPT_ECHO_OFF) {
#ifdef	DEBUG
					pam_trace(PAM_DEBUG_AUTHTOK,
					    "pam_conv_resp(%p:[%d]=%s, "
					    "code=%d)",
					    (void *)pamh, i, r->resp,
					    r->resp_retcode);
#endif	/* DEBUG */
					pam_trace(PAM_DEBUG_CONV,
					    "pam_conv_resp(%p:[%d] len=%lu, "
					    "code=%d)",
					    (void *)pamh, i,
					    (ulong_t)strlen(r->resp),
					    r->resp_retcode);
				} else {
					pam_trace(PAM_DEBUG_CONV,
					    "pam_conv_resp(%p:[%d]=%s, "
					    "code=%d)",
					    (void *)pamh, i, r->resp,
					    r->resp_retcode);
				}
			}
		}
	}

	if (msg)
		free(msg);
	return (retcode);
}

/*
 * __pam_display_msg():
 *	display message by calling the call back functions
 *	provided by the application through "pam_conv" structure
 */

int
__pam_display_msg(pam_handle_t *pamh, int msg_style, int num_msg,
    char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp)
{
	struct pam_response	*ret_respp = NULL;

	return (do_conv(pamh, msg_style, num_msg, messages,
	    conv_apdp, &ret_respp));
}

/*
 * __pam_get_authtok()
 *	retrieves a password of at most PASS_MAX length from the pam
 *	handle (pam_get_item) or from the input stream (do_conv).
 *
 * This function allocates memory for the new authtok.
 * Applications calling this function are responsible for
 * freeing this memory.
 *
 * If "source" is
 *	PAM_HANDLE
 * and "type" is:
 *	PAM_AUTHTOK - password is taken from pam handle (PAM_AUTHTOK)
 *	PAM_OLDAUTHTOK - password is taken from pam handle (PAM_OLDAUTHTOK)
 *
 * If "source" is
 *	PAM_PROMPT
 * and "type" is:
 *	0:		Prompt for new passwd, do not even attempt
 *			to store it in the pam handle.
 *	PAM_AUTHTOK:	Prompt for new passwd, store in pam handle as
 *			PAM_AUTHTOK item if this value is not already set.
 *	PAM_OLDAUTHTOK:	Prompt for new passwd, store in pam handle as
 *			PAM_OLDAUTHTOK item if this value is not
 *			already set.
 */
int
__pam_get_authtok(pam_handle_t *pamh, int source, int type, char *prompt,
    char **authtok)
{
	int error = PAM_SYSTEM_ERR;
	char *new_password = NULL;
	struct pam_response *ret_resp = NULL;
	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];

	if ((*authtok = calloc(PASS_MAX+1, sizeof (char))) == NULL)
		return (PAM_BUF_ERR);

	if (prompt == NULL)
		prompt = dgettext(TEXT_DOMAIN, "password: ");

	switch (source) {
	case PAM_HANDLE:

		/* get password from pam handle item list */

		switch (type) {
		case PAM_AUTHTOK:
		case PAM_OLDAUTHTOK:

			if ((error = pam_get_item(pamh, type,
			    (void **)&new_password)) != PAM_SUCCESS)
				goto err_ret;

			if (new_password == NULL || new_password[0] == '\0') {
				free(*authtok);
				*authtok = NULL;
			} else {
				(void) strlcpy(*authtok, new_password,
				    PASS_MAX+1);
			}
			break;
		default:
			__pam_log(LOG_AUTH | LOG_ERR,
			    "__pam_get_authtok() invalid type: %d", type);
			error = PAM_SYMBOL_ERR;
			goto err_ret;
		}
		break;
	case PAM_PROMPT:

		/*
		 * Prompt for new password and save in pam handle item list
		 * if the that item is not already set.
		 */

		(void) strncpy(messages[0], prompt, sizeof (messages[0]));
		if ((error = do_conv(pamh, PAM_PROMPT_ECHO_OFF, 1, messages,
		    NULL, &ret_resp)) != PAM_SUCCESS)
			goto err_ret;

		if (ret_resp->resp == NULL) {
			/* getpass didn't return anything */
			error = PAM_SYSTEM_ERR;
			goto err_ret;
		}

		/* save the new password if this item was NULL */
		if (type) {
			if ((error = pam_get_item(pamh, type,
			    (void **)&new_password)) != PAM_SUCCESS) {
				free_resp(1, ret_resp);
				goto err_ret;
			}
			if (new_password == NULL)
				(void) pam_set_item(pamh, type, ret_resp->resp);
		}

		(void) strlcpy(*authtok, ret_resp->resp, PASS_MAX+1);
		free_resp(1, ret_resp);
		break;
	default:
		__pam_log(LOG_AUTH | LOG_ERR,
		    "__pam_get_authtok() invalid source: %d", source);
		error = PAM_SYMBOL_ERR;
		goto err_ret;
	}

	return (PAM_SUCCESS);

err_ret:
	bzero(*authtok, PASS_MAX+1);
	free(*authtok);
	*authtok = NULL;
	return (error);
}