crates/nonstick: src/libpam/response.rs comparison

comparison src/libpam/response.rs @ 77:351bdc13005e

Update the libpam module to work with the new structure.

author	Paul Fisher <paul@pfish.zone>
date	Sun, 08 Jun 2025 01:03:46 -0400
parents	c30811b4afae
children

comparison

equal deleted inserted replaced

-:e58d24849e82
+:351bdc13005e
-//! Types used when dealing with PAM conversations.
+//! Types used to communicate data from the application to the module.
-use crate::conv::BinaryData;
+use crate::conv::BorrowedBinaryData;
+use crate::libpam::conversation::OwnedMessage;
 use crate::libpam::memory;
-use crate::libpam::memory::{CBinaryData, Immovable, NulError, TooBigError};
+use crate::libpam::memory::{CBinaryData, Immovable};
-use crate::Response;
+use crate::{ErrorCode, Result};
 use std::ffi::{c_int, c_void, CStr};
 use std::ops::{Deref, DerefMut};
-use std::result::Result as StdResult;
-use std::str::Utf8Error;
 use std::{iter, mem, ptr, slice};
 #[repr(transparent)]
 #[derive(Debug)]
-pub struct RawTextResponse(RawResponse);
+pub struct TextAnswer(Answer);
-impl RawTextResponse {
+impl TextAnswer {
-/// Interprets the provided `RawResponse` as a text response.
+/// Interprets the provided `Answer` as a text answer.
 ///
 /// # Safety
 ///
-/// It's up to you to provide a response that is a `RawTextResponse`.
+/// It's up to you to provide an answer that is a `TextAnswer`.
-pub unsafe fn upcast(from: &mut RawResponse) -> &mut Self {
+pub unsafe fn upcast(from: &mut Answer) -> &mut Self {
 // SAFETY: We're provided a valid reference.
-&mut *(from as *mut RawResponse).cast::<Self>()
+&mut *(from as *mut Answer).cast::<Self>()
 }
-/// Fills in the provided `RawResponse` with the given text.
+/// Converts the `Answer` to a `TextAnswer` with the given text.
-///
+fn fill(dest: &mut Answer, text: &str) -> Result<()> {
-/// You are responsible for calling [`free`](Self::free_contents)
+let allocated = memory::malloc_str(text)?;
-/// on the pointer you get back when you're done with it.
+dest.free_contents();
-pub fn fill(dest: &mut RawResponse, text: impl AsRef<str>) -> StdResult<&mut Self, NulError> {
+dest.data = allocated.cast();
-dest.data = memory::malloc_str(text)?.cast();
+Ok(())
-// SAFETY: We just filled this in so we know it's a text response.
+}
-Ok(unsafe { Self::upcast(dest) })
-}
+/// Gets the string stored in this answer.
+pub fn contents(&self) -> Result<&str> {
-/// Gets the string stored in this response.
-pub fn contents(&self) -> StdResult<&str, Utf8Error> {
 if self.0.data.is_null() {
 Ok("")
 } else {
-// SAFETY: This data is either passed from PAM (so we are forced to
+// SAFETY: This data is either passed from PAM (so we are forced
-// trust it) or was created by us in TextResponseInner::alloc.
+// to trust it) or was created by us in TextAnswerInner::alloc.
 // In either case, it's going to be a valid null-terminated string.
-unsafe { CStr::from_ptr(self.0.data.cast()) }.to_str()
+unsafe { CStr::from_ptr(self.0.data.cast()) }
-}
+.to_str()
-}
+.map_err(|_| ErrorCode::ConversationError)
+}
-/// Releases memory owned by this response.
+}
+/// Zeroes out the answer data, frees it, and points our data to `null`.
+///
+/// When this `TextAnswer` is part of an [`Answers`],
+/// this is optional (since that will perform the `free`),
+/// but it will clear potentially sensitive data.
 pub fn free_contents(&mut self) {
-// SAFETY: We know we own this data.
+// SAFETY: We own this data and know it's valid.
+// If it's null, this is a no-op.
 // After we're done, it will be null.
 unsafe {
 memory::zero_c_string(self.0.data);
 libc::free(self.0.data);
 self.0.data = ptr::null_mut()
 }
 }
 }
-/// A [`RawResponse`] with [`CBinaryData`] in it.
+/// A [`Answer`] with [`CBinaryData`] in it.
 #[repr(transparent)]
 #[derive(Debug)]
-pub struct RawBinaryResponse(RawResponse);
+pub struct BinaryAnswer(Answer);
-impl RawBinaryResponse {
+impl BinaryAnswer {
-/// Interprets the provided `RawResponse` as a binary response.
+/// Interprets the provided [`Answer`] as a binary answer.
 ///
 /// # Safety
 ///
-/// It's up to you to provide a response that is a `RawBinaryResponse`.
+/// It's up to you to provide an answer that is a `BinaryAnswer`.
-pub unsafe fn upcast(from: &mut RawResponse) -> &mut Self {
+pub unsafe fn upcast(from: &mut Answer) -> &mut Self {
 // SAFETY: We're provided a valid reference.
-&mut *(from as *mut RawResponse).cast::<Self>()
+&mut *(from as *mut Answer).cast::<Self>()
 }
-/// Fills in a `RawResponse` with the provided binary data.
+/// Fills in a [`Answer`] with the provided binary data.
 ///
 /// The `data_type` is a tag you can use for whatever.
 /// It is passed through PAM unchanged.
 ///
-/// The referenced data is copied to the C heap. We do not take ownership.
+/// The referenced data is copied to the C heap.
-/// You are responsible for calling [`free`](Self::free_contents)
+/// We do not take ownership of the original data.
-/// on the pointer you get back when you're done with it.
+pub fn fill(dest: &mut Answer, data: BorrowedBinaryData) -> Result<()> {
-pub fn fill<'a>(
+let allocated = CBinaryData::alloc(data.data(), data.data_type())?;
-dest: &'a mut RawResponse,
+dest.free_contents();
-data: &[u8],
+dest.data = allocated.cast();
-data_type: u8,
+Ok(())
-) -> StdResult<&'a mut Self, TooBigError> {
+}
-dest.data = CBinaryData::alloc(data, data_type)?.cast();
-// SAFETY: We just filled this in, so we know it's binary.
+/// Gets the binary data in this answer.
-Ok(unsafe { Self::upcast(dest) })
+pub fn data(&self) -> Option<&CBinaryData> {
-}
+// SAFETY: We either got this data from PAM or allocated it ourselves.
+// Either way, we trust that it is either valid data or null.
-/// Gets the binary data in this response.
-pub fn data(&self) -> &[u8] {
-self.contents().map(CBinaryData::contents).unwrap_or(&[])
-}
-/// Gets the `data_type` tag that was embedded with the message.
-pub fn data_type(&self) -> u8 {
-self.contents().map(CBinaryData::data_type).unwrap_or(0)
-}
-fn contents(&self) -> Option<&CBinaryData> {
-// SAFETY: This was either something we got from PAM (in which case
-// we trust it), or something that was created with
-// BinaryResponseInner::alloc. In both cases, it points to valid data.
 unsafe { self.0.data.cast::<CBinaryData>().as_ref() }
 }
-pub fn to_owned(&self) -> BinaryData {
+/// Zeroes out the answer data, frees it, and points our data to `null`.
-BinaryData::new(self.data().into(), self.data_type())
+///
-}
+/// When this `TextAnswer` is part of an [`Answers`],
+/// this is optional (since that will perform the `free`),
-/// Releases memory owned by this response.
+/// but it will clear potentially sensitive data.
-pub fn free_contents(&mut self) {
+pub fn zero_contents(&mut self) {
 // SAFETY: We know that our data pointer is either valid or null.
-// Once we're done, it's null and the response is safe.
+// Once we're done, it's null and the answer is safe.
 unsafe {
 let data_ref = self.0.data.cast::<CBinaryData>().as_mut();
 if let Some(d) = data_ref {
 d.zero_contents()
 }
 self.0.data = ptr::null_mut()
 }
 }
 }
-/// Generic version of response data.
+/// Generic version of answer data.
 ///
-/// This has the same structure as [`RawBinaryResponse`]
+/// This has the same structure as [`BinaryAnswer`]
-/// and [`RawTextResponse`].
+/// and [`TextAnswer`].
 #[repr(C)]
 #[derive(Debug)]
-pub struct RawResponse {
+pub struct Answer {
-/// Pointer to the data returned in a response.
+/// Pointer to the data returned in an answer.
-/// For most responses, this will be a [`CStr`], but for responses to
+/// For most answers, this will be a [`CStr`], but for answers to
 /// [`MessageStyle::BinaryPrompt`]s, this will be [`CBinaryData`]
 /// (a Linux-PAM extension).
 data: *mut c_void,
 /// Unused.
 return_code: c_int,
 _marker: Immovable,
 }
-/// A contiguous block of responses.
+impl Answer {
+/// Frees the contents of this answer.
+///
+/// After this is done, this answer's `data` will be `null`,
+/// which is a valid (empty) state.
+fn free_contents(&mut self) {
+// SAFETY: We have either an owned valid pointer, or null.
+// We can free our owned pointer, and `free(null)` is a no-op.
+unsafe {
+libc::free(self.data);
+self.data = ptr::null_mut();
+}
+}
+}
+/// An owned, contiguous block of [`Answer`]s.
 #[derive(Debug)]
-pub struct OwnedResponses {
+pub struct Answers {
-base: *mut RawResponse,
+base: *mut Answer,
 count: usize,
 }
-impl OwnedResponses {
+impl Answers {
-/// Allocates an owned list of responses on the C heap.
+/// Allocates an owned list of answers on the C heap.
 fn alloc(count: usize) -> Self {
-OwnedResponses {
+Answers {
 // SAFETY: We are doing allocation here.
-base: unsafe { libc::calloc(count, size_of::<RawResponse>()) }.cast(),
+base: unsafe { libc::calloc(count, size_of::<Answer>()) }.cast(),
 count,
 }
 }
-pub fn build(value: &[Response]) -> StdResult<Self, FillError> {
+pub fn build(value: Vec<OwnedMessage>) -> Result<Self> {
-let mut outputs = OwnedResponses::alloc(value.len());
+let mut outputs = Answers::alloc(value.len());
-// If we fail in here after allocating OwnedResponses,
+// Even if we fail during this process, we still end up freeing
-// we still free all memory, even though we don't zero it first.
+// all allocated answer memory.
-// This is an acceptable level of risk.
+for (input, output) in iter::zip(value, outputs.iter_mut()) {
-for (input, output) in iter::zip(value.iter(), outputs.iter_mut()) {
 match input {
-Response::NoResponse => {
+OwnedMessage::MaskedPrompt(p) => TextAnswer::fill(output, p.answer()?.unsecure())?,
-RawTextResponse::fill(output, "")?;
+OwnedMessage::Prompt(p) => TextAnswer::fill(output, &(p.answer()?))?,
-}
+OwnedMessage::BinaryPrompt(p) => BinaryAnswer::fill(output, (&p.answer()?).into())?,
-Response::Text(data) => {
+OwnedMessage::Error(p) => TextAnswer::fill(output, p.answer().map(|_| "")?)?,
-RawTextResponse::fill(output, data)?;
+OwnedMessage::Info(p) => TextAnswer::fill(output, p.answer().map(|_| "")?)?,
-}
+OwnedMessage::RadioPrompt(p) => TextAnswer::fill(output, &(p.answer()?))?,
-Response::MaskedText(data) => {
-RawTextResponse::fill(output, data.unsecure())?;
-}
-Response::Binary(data) => {
-RawBinaryResponse::fill(output, data.data(), data.data_type())?;
-}
 }
 }
 Ok(outputs)
 }
-/// Converts this into a `*RawResponse` for passing to PAM.
+/// Converts this into a `*Answer` for passing to PAM.
 ///
 /// The pointer "owns" its own data (i.e., this will not be dropped).
-pub fn into_ptr(self) -> *mut RawResponse {
+pub fn into_ptr(self) -> *mut Answer {
 let ret = self.base;
 mem::forget(self);
 ret
 }
-/// Takes ownership of a list of responses allocated on the C heap.
+/// Takes ownership of a list of answers allocated on the C heap.
 ///
 /// # Safety
 ///
 /// It's up to you to make sure you pass a valid pointer.
-pub unsafe fn from_c_heap(base: *mut RawResponse, count: usize) -> Self {
+pub unsafe fn from_c_heap(base: *mut Answer, count: usize) -> Self {
-OwnedResponses { base, count }
+Answers { base, count }
 }
 }
-#[derive(Debug, thiserror::Error)]
+impl Deref for Answers {
-#[error("error converting responses: {0}")]
+type Target = [Answer];
-pub enum FillError {
-NulError(#[from] NulError),
-TooBigError(#[from] TooBigError),
-}
-impl Deref for OwnedResponses {
-type Target = [RawResponse];
 fn deref(&self) -> &Self::Target {
 // SAFETY: This is the memory we manage ourselves.
 unsafe { slice::from_raw_parts(self.base, self.count) }
 }
 }
-impl DerefMut for OwnedResponses {
+impl DerefMut for Answers {
 fn deref_mut(&mut self) -> &mut Self::Target {
 // SAFETY: This is the memory we manage ourselves.
 unsafe { slice::from_raw_parts_mut(self.base, self.count) }
 }
 }
-impl Drop for OwnedResponses {
+impl Drop for Answers {
 fn drop(&mut self) {
 // SAFETY: We allocated this ourselves, or it was provided to us by PAM.
 unsafe {
-for resp in self.iter_mut() {
+for answer in self.iter_mut() {
-libc::free(resp.data)
+answer.free_contents()
 }
 libc::free(self.base.cast())
 }
 }
 }
 #[cfg(test)]
 mod tests {
-use super::{BinaryData, OwnedResponses, RawBinaryResponse, RawTextResponse, Response};
+use super::{Answers, BinaryAnswer, TextAnswer, BorrowedBinaryData};
+use crate::BinaryData;
+use crate::conv::{BinaryQAndA, ErrorMsg, InfoMsg, MaskedQAndA, QAndA, RadioQAndA};
+use crate::libpam::conversation::OwnedMessage;
 #[test]
 fn test_round_trip() {
-let responses = [
+let binary_msg = {
-Response::Binary(BinaryData::new(vec![1, 2, 3], 99)),
+let qa = BinaryQAndA::new(&[], 0);
-Response::Text("whats going on".to_owned()),
+qa.set_answer(Ok(BinaryData::new(vec![1, 2, 3], 99)));
-Response::MaskedText("well then".into()),
+OwnedMessage::BinaryPrompt(qa)
-Response::NoResponse,
+};
-Response::Text("bogus".to_owned()),
+macro_rules! answered {
+($typ:ty, $msg:path, $data:expr) => {
+{let qa = <$typ>::new("");
+qa.set_answer(Ok($data)); $msg(qa)}
+}
+}
+let answers = vec![
+binary_msg,
+answered!(QAndA, OwnedMessage::Prompt, "whats going on".to_owned()),
+answered!(MaskedQAndA, OwnedMessage::MaskedPrompt, "well then".into()),
+answered!(ErrorMsg, OwnedMessage::Error, ()),
+answered!(InfoMsg, OwnedMessage::Info, ()),
+answered!(RadioQAndA, OwnedMessage::RadioPrompt, "beep boop".to_owned()),
 ];
-let sent = OwnedResponses::build(&responses).unwrap();
+let n = answers.len();
-let heap_resps = sent.into_ptr();
+let sent = Answers::build(answers).unwrap();
-let mut received = unsafe { OwnedResponses::from_c_heap(heap_resps, 5) };
+let heap_answers = sent.into_ptr();
+let mut received = unsafe { Answers::from_c_heap(heap_answers, n) };
 let assert_text = |want, raw| {
-let up = unsafe { RawTextResponse::upcast(raw) };
+let up = unsafe { TextAnswer::upcast(raw) };
 assert_eq!(want, up.contents().unwrap());
 up.free_contents();
 assert_eq!("", up.contents().unwrap());
 };
 let assert_bin = |want_data: &[u8], want_type, raw| {
-let up = unsafe { RawBinaryResponse::upcast(raw) };
+let up = unsafe { BinaryAnswer::upcast(raw) };
-assert_eq!(want_data, up.data());
+assert_eq!(BinaryData::new(want_data.into(), want_type), up.data().into());
-assert_eq!(want_type, up.data_type());
+up.zero_contents();
-up.free_contents();
+assert_eq!(BinaryData::default(), up.data().into());
-let empty: [u8; 0] = [];
-assert_eq!(&empty, up.data());
-assert_eq!(0, up.data_type());
 };
-if let [zero, one, two, three, four] = &mut received[..] {
+if let [zero, one, two, three, four, five] = &mut received[..] {
 assert_bin(&[1, 2, 3], 99, zero);
 assert_text("whats going on", one);
 assert_text("well then", two);
 assert_text("", three);
-assert_text("bogus", four);
+assert_text("", four);
+assert_text("beep boop", five);
 } else {
-panic!("wrong size!")
+panic!("received wrong size {len}!", len = received.len())
 }
 }
 #[test]
-fn test_text_response() {
+fn test_text_answer() {
-let mut responses = OwnedResponses::alloc(2);
+let mut answers = Answers::alloc(2);
-let text = RawTextResponse::fill(&mut responses[0], "hello").unwrap();
+let zeroth = &mut answers[0];
-let data = text.contents().expect("valid");
+TextAnswer::fill(zeroth, "hello").unwrap();
+let zeroth_text = unsafe { TextAnswer::upcast(zeroth) };
+let data = zeroth_text.contents().expect("valid");
 assert_eq!("hello", data);
-text.free_contents();
+zeroth_text.free_contents();
-text.free_contents();
+zeroth_text.free_contents();
-RawTextResponse::fill(&mut responses[1], "hell\0").expect_err("should error; contains nul");
+TextAnswer::fill(&mut answers[1], "hell\0").expect_err("should error; contains nul");
 }
 #[test]
-fn test_binary_response() {
+fn test_binary_answer() {
-let mut responses = OwnedResponses::alloc(1);
+let mut answers = Answers::alloc(1);
-let real_data = [1, 2, 3, 4, 5, 6, 7, 8];
+let real_data = BinaryData::new(vec![1, 2, 3, 4, 5, 6, 7, 8], 9);
-let resp = RawBinaryResponse::fill(&mut responses[0], &real_data, 7)
+let answer = &mut answers[0];
-.expect("alloc should succeed");
+BinaryAnswer::fill(answer, (&real_data).into()).expect("alloc should succeed");
-let data = resp.data();
+let bin_answer = unsafe { BinaryAnswer::upcast(answer) };
-assert_eq!(&real_data, data);
+assert_eq!(real_data, bin_answer.data().into());
-assert_eq!(7, resp.data_type());
+answer.free_contents();
-resp.free_contents();
+answer.free_contents();
-resp.free_contents();
 }
 #[test]
 #[ignore]
-fn test_binary_response_too_big() {
+fn test_binary_answer_too_big() {
 let big_data: Vec<u8> = vec![0xFFu8; 10_000_000_000];
-let mut responses = OwnedResponses::alloc(1);
+let mut answers = Answers::alloc(1);
-RawBinaryResponse::fill(&mut responses[0], &big_data, 0).expect_err("this is too big!");
+BinaryAnswer::fill(&mut answers[0], BorrowedBinaryData::new(&big_data, 100))
-}
+.expect_err("this is too big!");
 }
+}

Mercurial > crates > nonstick

comparison src/libpam/response.rs @ 77:351bdc13005e