@@ -3,6 +3,15 @@ Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>

 $Id$

+2005.10.xx -- Version 2.1-beta3

+

+* NOTE TO PACKAGE MAINTAINERS: Moved "plugin"

+  directory to "plugins".  This is

+  to work around a strange problem with the

+  "make dist" target in the automake-generated

+  makefile, where the target tries to do a

+  rather bogus "gcc -g -O2 -I. plugin.c -o plugin".

+

 2005.10.13 -- Version 2.1-beta2

 * Added --socket-flags directive with TCP_NODELAY

@@ -60,6 +60,18 @@ OPTIONAL (for developers only):

 *************************************************************************

+CHECK OUT SOURCE FROM SUBVERSION REPOSITORY:

+

+  Check out stable version:

+

+    svn checkout http://svn.openvpn.net/projects/openvpn/trunk/openvpn openvpn

+

+  Check out beta21 branch:

+

+    svn checkout http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn openvpn

+

+*************************************************************************

+

 BUILD COMMANDS FROM TARBALL:

 	./configure

@@ -68,7 +80,7 @@ BUILD COMMANDS FROM TARBALL:

 *************************************************************************

-BUILD COMMANDS FROM CVS:

+BUILD COMMANDS FROM SUBVERSION REPOSITORY CHECKOUT:

 	autoreconf -i -v

 	./configure

@@ -77,7 +89,7 @@ BUILD COMMANDS FROM CVS:

 *************************************************************************

-BUILD A TARBALL FROM CVS:

+BUILD A TARBALL FROM SUBVERSION REPOSITORY CHECKOUT:

 	autoreconf -i -v

 	./configure

@@ -121,7 +121,7 @@ EXTRA_DIST = \

 	service-win32 \

 	contrib \

 	debug \

-	plugin \

+	plugins \

         management

 dist-hook:

@@ -101,13 +101,13 @@ and portability to most major OS platforms.

 %__strip %{name}

 # Build down-root plugin

-pushd plugin/down-root

+pushd plugins/down-root

 %__make

 popd

 # Build auth-pam plugin

 %if %{build_auth_pam}

-pushd plugin/auth-pam

+pushd plugins/auth-pam

 %__make

 popd

 %endif

@@ -151,16 +151,16 @@ popd

 # Install the plugins

 #

-%__mkdir_p %{buildroot}%{_datadir}/%{name}/plugin/lib

+%__mkdir_p %{buildroot}%{_datadir}/%{name}/plugins/lib

 for pi in auth-pam down-root; do

-  %__mv -f plugin/$pi/README plugin/README.$pi

-  if [ -e plugin/$pi/openvpn-$pi.so ]; then

-    %__install -c -m 755 plugin/$pi/openvpn-$pi.so %{buildroot}%{_datadir}/openvpn/plugin/lib/openvpn-$pi.so

+  %__mv -f plugins/$pi/README plugins/README.$pi

+  if [ -e plugins/$pi/openvpn-$pi.so ]; then

+    %__install -c -m 755 plugins/$pi/openvpn-$pi.so %{buildroot}%{_datadir}/openvpn/plugins/lib/openvpn-$pi.so

   fi

 done

-%__mv -f plugin/README plugin/README.plugins

+%__mv -f plugins/README plugins/README.plugins

 #

 # Clean section

@@ -220,10 +220,14 @@ fi

 %endif

 # Install extra %doc stuff

-%doc contrib/ easy-rsa/ management/ sample-*/ plugin/README.*

+%doc contrib/ easy-rsa/ management/ sample-*/ plugins/README.*

 %changelog

+* Mon Oct 13 2005 James Yonan

+- Renamed plugin directory to plugins to

+  work around automake issue.

+

 * Mon Aug 2 2005 James Yonan

 - Fixed build problem with --define 'without_pam 1'

deleted file mode 100644

@@ -1,47 +0,0 @@

-OpenVPN Plugins

-

-Starting with OpenVPN 2.0-beta17, compiled plugin modules are

-supported on any *nix OS which includes libdl or on Windows.

-One or more modules may be loaded into OpenVPN using

-the --plugin directive, and each plugin module is capable of

-intercepting any of the script callbacks which OpenVPN supports:

-

-(1) up

-(2) down

-(3) route-up

-(4) ipchange

-(5) tls-verify

-(6) auth-user-pass-verify

-(7) client-connect

-(8) client-disconnect

-(9) learn-address

-

-See the openvpn-plugin.h file in the top-level directory of the

-OpenVPN source distribution for more detailed information

-on the plugin interface.

-

-Included Plugins

-

-auth-pam -- Authenticate using PAM and a split privilege

-            execution model which functions even if

-            root privileges or the execution environment

-            have been altered with --user/--group/--chroot.

-            Tested on Linux only.

-

-down-root -- Enable the running of down scripts with root privileges

-             even if --user/--group/--chroot have been used

-             to drop root privileges or change the execution

-             environment.  Not applicable on Windows.

-

-examples -- A simple example that demonstrates a portable

-            plugin, i.e. one which can be built for *nix

-            or Windows from the same source.

-

-Building Plugins

-

-cd to the top-level directory of a plugin, and use the

-"make" command to build it.  The examples plugin is

-built using a build script, not a makefile.

deleted file mode 100644

@@ -1 +0,0 @@

-*.so

deleted file mode 100755

@@ -1,30 +0,0 @@

-#

-# Build the OpenVPN auth-pam plugin module.

-#

-

-# If PAM modules are not linked against libpam.so, set DLOPEN_PAM to 1. This

-# must be done on SUSE 9.1, at least.

-DLOPEN_PAM=1

-

-ifeq ($(DLOPEN_PAM),1)

-	LIBPAM=-ldl

-else

-	LIBPAM=-lpam

-endif

-

-# This directory is where we will look for openvpn-plugin.h

-INCLUDE=-I../..

-

-CC_FLAGS=-O2 -Wall -DDLOPEN_PAM=$(DLOPEN_PAM)

-

-openvpn-auth-pam.so : auth-pam.o pamdl.o

-	gcc ${CC_FLAGS} -fPIC -shared -Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.o pamdl.o -lc $(LIBPAM)

-

-auth-pam.o : auth-pam.c pamdl.h

-	gcc ${CC_FLAGS} -fPIC -c ${INCLUDE} auth-pam.c

-

-pamdl.o : pamdl.c pamdl.h

-	gcc ${CC_FLAGS} -fPIC -c ${INCLUDE} pamdl.c

-

-clean :

-	rm -f *.o *.so

deleted file mode 100644

@@ -1,74 +0,0 @@

-openvpn-auth-pam

-

-SYNOPSIS

-

-The openvpn-auth-pam module implements username/password

-authentication via PAM, and essentially allows any authentication

-method supported by PAM (such as LDAP, RADIUS, or Linux Shadow

-passwords) to be used with OpenVPN.  While PAM supports

-username/password authentication, this can be combined with X509

-certificates to provide two indepedent levels of authentication.

-

-This module uses a split privilege execution model which will

-function even if you drop openvpn daemon privileges using the user,

-group, or chroot directives.

-

-BUILD

-

-To build openvpn-auth-pam, you will need to have the pam-devel

-package installed.

-

-Build with the "make" command.  The module will be named

-openvpn-auth-pam.so

-

-USAGE

-

-To use this plugin module, add to your OpenVPN config file:

-

-  plugin openvpn-auth-pam.so service-type

-

-The required service-type parameter corresponds to

-the PAM service definition file usually found

-in /etc/pam.d.

-

-This plugin also supports the usage of a list of name/value

-pairs to answer PAM module queries.

-

-For example:

-

-  plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"

-

-tells auth-pam to (a) use the "login" PAM module, (b) answer a

-"login" query with the username given by the OpenVPN client, and

-(c) answer a "password" query with the password given by the

-OpenVPN client.  This provides flexibility in dealing with the different

-types of query strings which different PAM modules might generate.

-For example, suppose you were using a PAM module called

-"test" which queried for "name" rather than "login":

-

-  plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"

-

-While "USERNAME" and "PASSWORD" are special strings which substitute

-to client-supplied values, it is also possible to name literal values

-to use as PAM module query responses.  For example, suppose that the

-login module queried for a third parameter, "domain" which

-is to be answered with the constant value "mydomain.com":

-

-  plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD domain mydomain.com"

-

-The following OpenVPN directives can also influence

-the operation of this plugin:

-

-  client-cert-not-required

-  username-as-common-name

-

-Run OpenVPN with --verb 7 or higher to get debugging output from

-this plugin, including the list of queries presented by the

-underlying PAM module.  This is a useful debugging tool to figure

-out which queries a given PAM module is making, so that you can

-craft the appropriate plugin directive to answer it.

-

-CAVEATS

-

-This module will only work on *nix systems which support PAM,

-not Windows.

deleted file mode 100644

@@ -1,761 +0,0 @@

-/*

- *  OpenVPN -- An application to securely tunnel IP networks

- *             over a single TCP/UDP port, with support for SSL/TLS-based

- *             session authentication and key exchange,

- *             packet encryption, packet authentication, and

- *             packet compression.

- *

- *  Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>

- *

- *  This program is free software; you can redistribute it and/or modify

- *  it under the terms of the GNU General Public License version 2

- *  as published by the Free Software Foundation.

- *

- *  This program is distributed in the hope that it will be useful,

- *  but WITHOUT ANY WARRANTY; without even the implied warranty of

- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

- *  GNU General Public License for more details.

- *

- *  You should have received a copy of the GNU General Public License

- *  along with this program (see the file COPYING included with this

- *  distribution); if not, write to the Free Software Foundation, Inc.,

- *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

- */

-

-/*

- * OpenVPN plugin module to do PAM authentication using a split

- * privilege model.

- */

-

-#if DLOPEN_PAM

-#include <dlfcn.h>

-#include "pamdl.h"

-#else

-#include <security/pam_appl.h>

-#endif

-

-#include <stdio.h>

-#include <string.h>

-#include <ctype.h>

-#include <unistd.h>

-#include <stdlib.h>

-#include <sys/types.h>

-#include <sys/socket.h>

-#include <sys/wait.h>

-#include <fcntl.h>

-#include <signal.h>

-#include <syslog.h>

-

-#include "openvpn-plugin.h"

-

-#define DEBUG(verb) ((verb) >= 4)

-

-/* Command codes for foreground -> background communication */

-#define COMMAND_VERIFY 0

-#define COMMAND_EXIT   1

-

-/* Response codes for background -> foreground communication */

-#define RESPONSE_INIT_SUCCEEDED   10

-#define RESPONSE_INIT_FAILED      11

-#define RESPONSE_VERIFY_SUCCEEDED 12

-#define RESPONSE_VERIFY_FAILED    13

-

-/*

- * Plugin state, used by foreground

- */

-struct auth_pam_context

-{

-  /* Foreground's socket to background process */

-  int foreground_fd;

-

-  /* Process ID of background process */

-  pid_t background_pid;

-

-  /* Verbosity level of OpenVPN */

-  int verb;

-};

-

-/*

- * Name/Value pairs for conversation function.

- * Special Values:

- *

- *  "USERNAME" -- substitute client-supplied username

- *  "PASSWORD" -- substitute client-specified password

- */

-

-#define N_NAME_VALUE 16

-

-struct name_value {

-  const char *name;

-  const char *value;

-};

-

-struct name_value_list {

-  int len;

-  struct name_value data[N_NAME_VALUE];

-};

-

-/*

- * Used to pass the username/password

- * to the PAM conversation function.

- */

-struct user_pass {

-  int verb;

-

-  char username[128];

-  char password[128];

-

-  const struct name_value_list *name_value_list;

-};

-

-/* Background process function */

-static void pam_server (int fd, const char *service, int verb, const struct name_value_list *name_value_list);

-

-/*

- * Given an environmental variable name, search

- * the envp array for its value, returning it

- * if found or NULL otherwise.

- */

-static const char *

-get_env (const char *name, const char *envp[])

-{

-  if (envp)

-    {

-      int i;

-      const int namelen = strlen (name);

-      for (i = 0; envp[i]; ++i)

-	{

-	  if (!strncmp (envp[i], name, namelen))

-	    {

-	      const char *cp = envp[i] + namelen;

-	      if (*cp == '=')

-		return cp + 1;

-	    }

-	}

-    }

-  return NULL;

-}

-

-/*

- * Return the length of a string array

- */

-static int

-string_array_len (const char *array[])

-{

-  int i = 0;

-  if (array)

-    {

-      while (array[i])

-	++i;

-    }

-  return i;

-}

-

-/*

- * Socket read/write functions.

- */

-

-static int

-recv_control (int fd)

-{

-  unsigned char c;

-  const ssize_t size = read (fd, &c, sizeof (c));

-  if (size == sizeof (c))

-    return c;

-  else

-    {

-      /*fprintf (stderr, "AUTH-PAM: DEBUG recv_control.read=%d\n", (int)size);*/

-      return -1;

-    }

-}

-

-static int

-send_control (int fd, int code)

-{

-  unsigned char c = (unsigned char) code;

-  const ssize_t size = write (fd, &c, sizeof (c));

-  if (size == sizeof (c))

-    return (int) size;

-  else

-    return -1;

-}

-

-static int

-recv_string (int fd, char *buffer, int len)

-{

-  if (len > 0)

-    {

-      ssize_t size;

-      memset (buffer, 0, len);

-      size = read (fd, buffer, len);

-      buffer[len-1] = 0;

-      if (size >= 1)

-	return (int)size;

-    }

-  return -1;

-}

-

-static int

-send_string (int fd, const char *string)

-{

-  const int len = strlen (string) + 1;

-  const ssize_t size = write (fd, string, len);

-  if (size == len)

-    return (int) size;

-  else

-    return -1;

-}

-

-#ifdef DO_DAEMONIZE

-

-/*

- * Daemonize if "daemon" env var is true.

- * Preserve stderr across daemonization if

- * "daemon_log_redirect" env var is true.

- */

-static void

-daemonize (const char *envp[])

-{

-  const char *daemon_string = get_env ("daemon", envp);

-  if (daemon_string && daemon_string[0] == '1')

-    {

-      const char *log_redirect = get_env ("daemon_log_redirect", envp);

-      int fd = -1;

-      if (log_redirect && log_redirect[0] == '1')

-	fd = dup (2);

-      if (daemon (0, 0) < 0)

-	{

-	  fprintf (stderr, "AUTH-PAM: daemonization failed\n");

-	}

-      else if (fd >= 3)

-	{

-	  dup2 (fd, 2);

-	  close (fd);

-	}

-    }

-}

-

-#endif

-

-/*

- * Close most of parent's fds.

- * Keep stdin/stdout/stderr, plus one

- * other fd which is presumed to be

- * our pipe back to parent.

- * Admittedly, a bit of a kludge,

- * but posix doesn't give us a kind

- * of FD_CLOEXEC which will stop

- * fds from crossing a fork().

- */

-static void

-close_fds_except (int keep)

-{

-  int i;

-  closelog ();

-  for (i = 3; i <= 100; ++i)

-    {

-      if (i != keep)

-	close (i);

-    }

-}

-

-/*

- * Usually we ignore signals, because our parent will

- * deal with them.

- */

-static void

-set_signals (void)

-{

-  signal (SIGTERM, SIG_DFL);

-

-  signal (SIGINT, SIG_IGN);

-  signal (SIGHUP, SIG_IGN);

-  signal (SIGUSR1, SIG_IGN);

-  signal (SIGUSR2, SIG_IGN);

-  signal (SIGPIPE, SIG_IGN);

-}

-

-/*

- * Return 1 if query matches match.

- */

-static int

-name_value_match (const char *query, const char *match)

-{

-  while (!isalnum (*query))

-    {

-      if (*query == '\0')

-	return 0;

-      ++query;

-    }

-  return strncasecmp (match, query, strlen (match)) == 0;

-}

-

-OPENVPN_EXPORT openvpn_plugin_handle_t

-openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])

-{

-  pid_t pid;

-  int fd[2];

-

-  struct auth_pam_context *context;

-  struct name_value_list name_value_list;

-

-  const int base_parms = 2;

-

-  /*

-   * Allocate our context

-   */

-  context = (struct auth_pam_context *) calloc (1, sizeof (struct auth_pam_context));

-  context->foreground_fd = -1;

-

-  /*

-   * Intercept the --auth-user-pass-verify callback.

-   */

-  *type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);

-

-  /*

-   * Make sure we have two string arguments: the first is the .so name,

-   * the second is the PAM service type.

-   */

-  if (string_array_len (argv) < base_parms)

-    {

-      fprintf (stderr, "AUTH-PAM: need PAM service parameter\n");

-      goto error;

-    }

-

-  /*

-   * See if we have optional name/value pairs to match against

-   * PAM module queried fields in the conversation function.

-   */

-  name_value_list.len = 0;

-  if (string_array_len (argv) > base_parms)

-    {

-      const int nv_len = string_array_len (argv) - base_parms;

-      int i;

-

-      if ((nv_len & 1) == 1 || (nv_len / 2) > N_NAME_VALUE)

-	{

-	  fprintf (stderr, "AUTH-PAM: bad name/value list length\n");

-	  goto error;

-	}

-

-      name_value_list.len = nv_len / 2;

-      for (i = 0; i < name_value_list.len; ++i)

-	{

-	  const int base = base_parms + i * 2;

-	  name_value_list.data[i].name = argv[base];

-	  name_value_list.data[i].value = argv[base+1];

-	}

-    }

-

-  /*

-   * Get verbosity level from environment

-   */

-  {

-    const char *verb_string = get_env ("verb", envp);

-    if (verb_string)

-      context->verb = atoi (verb_string);

-  }

-

-  /*

-   * Make a socket for foreground and background processes

-   * to communicate.

-   */

-  if (socketpair (PF_UNIX, SOCK_DGRAM, 0, fd) == -1)

-    {

-      fprintf (stderr, "AUTH-PAM: socketpair call failed\n");

-      goto error;

-    }

-

-  /*

-   * Fork off the privileged process.  It will remain privileged

-   * even after the foreground process drops its privileges.

-   */

-  pid = fork ();

-

-  if (pid)

-    {

-      int status;

-

-      /*

-       * Foreground Process

-       */

-

-      context->background_pid = pid;

-

-      /* close our copy of child's socket */

-      close (fd[1]);

-

-      /* don't let future subprocesses inherit child socket */

-      if (fcntl (fd[0], F_SETFD, FD_CLOEXEC) < 0)

-	fprintf (stderr, "AUTH-PAM: Set FD_CLOEXEC flag on socket file descriptor failed\n");

-

-      /* wait for background child process to initialize */

-      status = recv_control (fd[0]);

-      if (status == RESPONSE_INIT_SUCCEEDED)

-	{

-	  context->foreground_fd = fd[0];

-	  return (openvpn_plugin_handle_t) context;

-	}

-    }

-  else

-    {

-      /*

-       * Background Process

-       */

-

-      /* close all parent fds except our socket back to parent */

-      close_fds_except (fd[1]);

-

-      /* Ignore most signals (the parent will receive them) */

-      set_signals ();

-

-#ifdef DO_DAEMONIZE

-      /* Daemonize if --daemon option is set. */

-      daemonize (envp);

-#endif

-

-      /* execute the event loop */

-      pam_server (fd[1], argv[1], context->verb, &name_value_list);

-

-      close (fd[1]);

-

-      exit (0);

-      return 0; /* NOTREACHED */

-    }

-

- error:

-  if (context)

-    free (context);

-  return NULL;

-}

-

-OPENVPN_EXPORT int

-openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])

-{

-  struct auth_pam_context *context = (struct auth_pam_context *) handle;

-

-  if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY && context->foreground_fd >= 0)

-    {

-      /* get username/password from envp string array */

-      const char *username = get_env ("username", envp);

-      const char *password = get_env ("password", envp);

-

-      if (username && strlen (username) > 0 && password)

-	{

-	  if (send_control (context->foreground_fd, COMMAND_VERIFY) == -1

-	      || send_string (context->foreground_fd, username) == -1

-	      || send_string (context->foreground_fd, password) == -1)

-	    {

-	      fprintf (stderr, "AUTH-PAM: Error sending auth info to background process\n");

-	    }

-	  else

-	    {

-	      const int status = recv_control (context->foreground_fd);

-	      if (status == RESPONSE_VERIFY_SUCCEEDED)

-		return OPENVPN_PLUGIN_FUNC_SUCCESS;

-	      if (status == -1)

-		fprintf (stderr, "AUTH-PAM: Error receiving auth confirmation from background process\n");

-	    }

-	}

-    }

-  return OPENVPN_PLUGIN_FUNC_ERROR;

-}

-

-OPENVPN_EXPORT void

-openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)

-{

-  struct auth_pam_context *context = (struct auth_pam_context *) handle;

-

-  if (DEBUG (context->verb))

-    fprintf (stderr, "AUTH-PAM: close\n");

-

-  if (context->foreground_fd >= 0)

-    {

-      /* tell background process to exit */

-      if (send_control (context->foreground_fd, COMMAND_EXIT) == -1)

-	fprintf (stderr, "AUTH-PAM: Error signaling background process to exit\n");

-

-      /* wait for background process to exit */

-      if (context->background_pid > 0)

-	waitpid (context->background_pid, NULL, 0);

-

-      close (context->foreground_fd);

-      context->foreground_fd = -1;

-    }

-

-  free (context);

-}

-

-OPENVPN_EXPORT void

-openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle)

-{

-  struct auth_pam_context *context = (struct auth_pam_context *) handle;

-

-  /* tell background process to exit */

-  if (context->foreground_fd >= 0)

-    {

-      send_control (context->foreground_fd, COMMAND_EXIT);

-      close (context->foreground_fd);

-      context->foreground_fd = -1;

-    }

-}

-

-/*

- * PAM conversation function

- */

-static int

-my_conv (int n, const struct pam_message **msg_array,

-	 struct pam_response **response_array, void *appdata_ptr)

-{

-  const struct user_pass *up = ( const struct user_pass *) appdata_ptr;

-  struct pam_response *aresp;

-  int i;

-  int ret = PAM_SUCCESS;

-

-  *response_array = NULL;

-

-  if (n <= 0 || n > PAM_MAX_NUM_MSG)

-    return (PAM_CONV_ERR);

-  if ((aresp = calloc (n, sizeof *aresp)) == NULL)

-    return (PAM_BUF_ERR);

-

-  /* loop through each PAM-module query */

-  for (i = 0; i < n; ++i)

-    {

-      const struct pam_message *msg = msg_array[i];

-      aresp[i].resp_retcode = 0;

-      aresp[i].resp = NULL;

-

-      if (DEBUG (up->verb))

-	{

-	  fprintf (stderr, "AUTH-PAM: BACKGROUND: my_conv[%d] query='%s' style=%d\n",

-		   i,

-		   msg->msg ? msg->msg : "NULL",

-		   msg->msg_style);

-	}

-

-      if (up->name_value_list && up->name_value_list->len > 0)

-	{

-	  /* use name/value list match method */

-	  const struct name_value_list *list = up->name_value_list;

-	  int j;

-

-	  /* loop through name/value pairs */

-	  for (j = 0; j < list->len; ++j)

-	    {

-	      const char *match_name = list->data[j].name;

-	      const char *match_value = list->data[j].value;

-

-	      if (name_value_match (msg->msg, match_name))

-		{

-		  /* found name/value match */

-		  const char *return_value = NULL;

-

-		  if (DEBUG (up->verb))

-		    fprintf (stderr, "AUTH-PAM: BACKGROUND: name match found, query/match-string ['%s', '%s'] = '%s'\n",

-			     msg->msg,

-			     match_name,

-			     match_value);

-

-		  if (!strcmp (match_value, "USERNAME"))

-		    return_value = up->username;

-		  else if (!strcmp (match_value, "PASSWORD"))

-		    return_value = up->password;

-		  else

-		    return_value = match_value;

-

-		  aresp[i].resp = strdup (return_value);

-		  if (aresp[i].resp == NULL)

-		    ret = PAM_CONV_ERR;

-		  break;

-		}

-	    }

-

-	  if (j == list->len)

-	    ret = PAM_CONV_ERR;

-	}

-      else

-	{

-	  /* use PAM_PROMPT_ECHO_x hints */

-	  switch (msg->msg_style)

-	    {

-	    case PAM_PROMPT_ECHO_OFF:

-	      aresp[i].resp = strdup (up->password);

-	      if (aresp[i].resp == NULL)

-		ret = PAM_CONV_ERR;

-	      break;

-