6 files changed, 84 insertions, 0 deletions

diff --git a/libpam/include/security/_pam_macros.h b/libpam/include/security/_pam_macros.h
index f7da10a7..72aaf468 100644
--- a/libpam/include/security/_pam_macros.h
+++ b/libpam/include/security/_pam_macros.h
@@ -25,6 +25,15 @@ do {                             \
                *__xx__++ = '\0'; \
 } while (0)
 
+#define _pam_overwrite_n(x,n)   \
+do {                             \
+     register char *__xx__;      \
+     register int __i__ = 0;    \
+     if ((__xx__=(x)))           \
+        for (;__i__<n; __i__++) \
+            __xx__[__i__] = 0; \
+} while (0)
+
 /*
  * Don't just free it, forget it too.
  */
diff --git a/libpam/include/security/_pam_types.h b/libpam/include/security/_pam_types.h
index 45bae97b..2f7e807f 100644
--- a/libpam/include/security/_pam_types.h
+++ b/libpam/include/security/_pam_types.h
@@ -138,8 +138,11 @@ typedef struct pam_handle pam_handle_t;
 #define PAM_OLDAUTHTOK     7	/* The old authentication token */
 #define PAM_RUSER          8	/* The remote user name */
 #define PAM_USER_PROMPT    9    /* the prompt for getting a username */
+/* Linux-PAM extensions */
 #define PAM_FAIL_DELAY     10   /* app supplied function to override failure
 				   delays */
+#define PAM_XDISPLAY       11   /* X display name */
+#define PAM_XAUTHDATA      12   /* X server authentication data */
 
 /* -------------- Special defines used by Linux-PAM -------------- */
 
@@ -279,6 +282,17 @@ struct pam_conv {
     void *appdata_ptr;
 };
 
+/* Used by the PAM_XAUTHDATA pam item.  Contains X authentication
+   data used by modules to connect to the user's X display.  Note:
+   this structure is intentionally compatible with xcb_auth_info_t. */
+
+struct pam_xauth_data {
+    int namelen;
+    char *name;
+    int datalen;
+    char *data;
+};
+
 /* ... adapted from the pam_appl.h file created by Theodore Ts'o and
  *
  * Copyright Theodore Ts'o, 1996.  All rights reserved.
diff --git a/libpam/pam_end.c b/libpam/pam_end.c
index de1c26ed..f400c325 100644
--- a/libpam/pam_end.c
+++ b/libpam/pam_end.c
@@ -73,6 +73,15 @@ int pam_end(pam_handle_t *pamh, int pam_status)
 
     _pam_drop(pamh->former.substates);
 
+    _pam_overwrite(pamh->xdisplay);
+    _pam_drop(pamh->xdisplay);
+
+    _pam_overwrite(pamh->xauth.name);
+    _pam_drop(pamh->xauth.name);
+    _pam_overwrite_n(pamh->xauth.data, pamh->xauth.datalen);
+    _pam_drop(pamh->xauth.data);
+    _pam_overwrite_n(&pamh->xauth, sizeof(pamh->xauth));
+
     /* and finally liberate the memory for the pam_handle structure */
 
     _pam_drop(pamh);
diff --git a/libpam/pam_item.c b/libpam/pam_item.c
index 52efe80b..41d90087 100644
--- a/libpam/pam_item.c
+++ b/libpam/pam_item.c
@@ -138,6 +138,24 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item)
 	pamh->fail_delay.delay_fn_ptr = item;
 	break;
 
+    case PAM_XDISPLAY:
+	RESET(pamh->xdisplay, item);
+	break;
+
+    case PAM_XAUTHDATA:
+	if (pamh->xauth.namelen) {
+	    _pam_overwrite(pamh->xauth.name);
+	    free(pamh->xauth.name);
+	}
+	if (pamh->xauth.datalen) {
+	    _pam_overwrite_n(pamh->xauth.data, pamh->xauth.datalen);
+	    free(pamh->xauth.data);
+	}
+	pamh->xauth = *((const struct pam_xauth_data *) item);
+	pamh->xauth.name = _pam_strdup(pamh->xauth.name);
+	pamh->xauth.data = _pam_memdup(pamh->xauth.data, pamh->xauth.datalen);
+	break;
+
     default:
 	retval = PAM_BAD_ITEM;
     }
@@ -220,6 +238,14 @@ int pam_get_item (const pam_handle_t *pamh, int item_type, const void **item)
 	*item = pamh->fail_delay.delay_fn_ptr;
 	break;
 
+    case PAM_XDISPLAY:
+	*item = pamh->xdisplay;
+	break;
+
+    case PAM_XAUTHDATA:
+	*item = &pamh->xauth;
+	break;
+
     default:
 	retval = PAM_BAD_ITEM;
     }
diff --git a/libpam/pam_misc.c b/libpam/pam_misc.c
index 770c9cce..574a570e 100644
--- a/libpam/pam_misc.c
+++ b/libpam/pam_misc.c
@@ -137,6 +137,28 @@ char *_pam_strdup(const char *x)
      return new;                 /* return the duplicate or NULL on error */
 }
 
+/*
+ * Safe duplication of memory buffers. "Paranoid"; don't leave
+ * evidence of old token around for later stack analysis.
+ */
+
+char *_pam_memdup(const char *x, int len)
+{
+     register char *new=NULL;
+
+     if (x != NULL) {
+         if ((new = malloc(len)) == NULL) {
+             len = 0;
+             pam_syslog(NULL, LOG_CRIT, "_pam_memdup: failed to get memory");
+         } else {
+             memcpy (new, x, len);
+         }
+         x = NULL;
+     }
+
+     return new;                 /* return the duplicate or NULL on error */
+}
+
 /* Generate argv, argc from s */
 /* caller must free(argv)     */
 
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
index bf32ad44..333f4d0f 100644
--- a/libpam/pam_private.h
+++ b/libpam/pam_private.h
@@ -152,9 +152,11 @@ struct pam_handle {
     char *rhost;
     char *ruser;
     char *tty;
+    char *xdisplay;
     struct pam_data *data;
     struct pam_environ *env;      /* structure to maintain environment list */
     struct _pam_fail_delay fail_delay;   /* helper function for easy delays */
+    struct pam_xauth_data xauth;        /* auth info for X display */
     struct service handlers;
     struct _pam_former_state former;  /* library state - support for
 					 event driven applications */
@@ -267,6 +269,8 @@ char *_pam_StrTok(char *from, const char *format, char **next);
 
 char *_pam_strdup(const char *s);
 
+char *_pam_memdup(const char *s, int len);
+
 int _pam_mkargv(char *s, char ***argv, int *argc);
 
 void _pam_sanitize(pam_handle_t *pamh);