From 7fba0a36b45d510611efe21df3523e89a9601ffd Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 7 Sep 2024 18:52:15 +0100 Subject: [PATCH] pam dynamic module --- doc/doc-txt/NewStuff | 2 +- src/OS/Makefile-Base | 5 +--- src/scripts/Configure-Makefile | 2 +- src/scripts/MakeLinks | 1 + src/src/EDITME | 5 ++++ src/src/exim.h | 3 +++ src/src/expand.c | 19 ++++++++----- src/src/functions.h | 1 - src/src/miscmods/Makefile | 2 ++ src/src/{auths/call_pam.c => miscmods/pam.c} | 28 +++++++++++++++++--- src/src/miscmods/pam_api.h | 14 ++++++++++ src/src/miscmods/radius_api.h | 14 ++++++++++ 12 files changed, 79 insertions(+), 17 deletions(-) rename src/src/{auths/call_pam.c => miscmods/pam.c} (92%) create mode 100644 src/src/miscmods/pam_api.h create mode 100644 src/src/miscmods/radius_api.h diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index fe94e46c7..935efb59a 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -14,7 +14,7 @@ Version 4.98 3. Events smtp:fail:protocol and smtp:fail:syntax - 4. JSON and LDAP lookup support, RADIUS, SPF, DKIM, DMARC and ARC support, + 4. JSON and LDAP lookup support, PAM, RADIUS, SPF, DKIM, DMARC and ARC support, all the router and authenticator drivers, and all the transport drivers except smtp, can now be built as loadable modules diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base index ddd7cf5ac..22b56aae5 100644 --- a/src/OS/Makefile-Base +++ b/src/OS/Makefile-Base @@ -509,7 +509,7 @@ OBJ_LOOKUPS = lf_quote.o lf_check_file.o lf_sqlperform.o OBJ_ROUTERS = rf_change_domain.o rf_expand_data.o rf_get_errors_address.o \ rf_get_munge_headers.o rf_get_transport.o rf_get_ugid.o \ rf_lookup_hostlist.o rf_queue_add.o rf_self_action.o rf_set_ugid.o -OBJ_AUTHS = call_pam.o call_pwcheck.o check_serv_cond.o \ +OBJ_AUTHS = call_pwcheck.o check_serv_cond.o \ get_data.o get_no64_data.o pwcheck.o OBJ_EXIM = acl.o base64.o child.o crypt16.o daemon.o dbfn.o debug.o deliver.o \ 
@@ -968,9 +968,6 @@ rf_set_ugid.o: routers/rf_set_ugid.c auth-spa.o: auths/auth-spa.c @echo "$(CC) $<" $(FE)$(CC) -c $(CFLAGS) -I. $(INCLUDE) $< -call_pam.o: auths/call_pam.c - @echo "$(CC) $<" - $(FE)$(CC) -c $(CFLAGS) -I. $(INCLUDE) $< call_pwcheck.o: auths/call_pwcheck.c auths/pwcheck.h @echo "$(CC) $<" $(FE)$(CC) -c $(CFLAGS) -I. $(INCLUDE) $< diff --git a/src/scripts/Configure-Makefile b/src/scripts/Configure-Makefile index 96a6cce22..4fc917dc9 100755 --- a/src/scripts/Configure-Makefile +++ b/src/scripts/Configure-Makefile @@ -309,7 +309,7 @@ done <<-END routers ROUTER ACCEPT DNSLOOKUP IPLITERAL IPLOOKUP MANUALROUTE QUERYPROGRAM REDIRECT transports TRANSPORT APPENDFILE AUTOREPLY LMTP PIPE QUEUEFILE SMTP auths AUTH CRAM_MD5 CYRUS_SASL DOVECOT EXTERNAL GSASL HEIMDAL_GSSAPI PLAINTEXT SPA TLS - miscmods SUPPORT ARC _DKIM DMARC RADIUS SPF + miscmods SUPPORT ARC _DKIM DMARC PAM RADIUS SPF END # See if there is a definition of EXIM_PERL in what we have built so far. diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks index 1b272a5c9..a3a3131a2 100755 --- a/src/scripts/MakeLinks +++ b/src/scripts/MakeLinks @@ -102,6 +102,7 @@ for f in dummy.c \ pdkim/crypt_ver.h pdkim/pdkim.c pdkim/pdkim.h \ pdkim/pdkim_hash.h pdkim/signing.c pdkim/signing.h \ dmarc.c dmarc.h dmarc_api.h \ + pam.c pam_api.h \ radius.c radius_api.h \ spf.c spf.h spf_api.h do diff --git a/src/src/EDITME b/src/src/EDITME index 9d458842a..c12d74c35 100644 --- a/src/src/EDITME +++ b/src/src/EDITME @@ -1089,6 +1089,8 @@ ZCAT_COMMAND=/usr/bin/zcat # distributions (see http://ftp.kernel.org/pub/linux/libs/pam/). The Exim # support, which is intended for use in conjunction with the SMTP AUTH # facilities, is included only when requested by the following setting: +# +# For a dynamic module build add SUPPORT_PAM=2 and SUPPORT_PAM_LIBS=-lpam # SUPPORT_PAM=yes 
@@ -1146,6 +1148,9 @@ ZCAT_COMMAND=/usr/bin/zcat # which is intended for use in conjunction with the SMTP AUTH facilities, # is included only when requested by setting the following parameter to the # location of your Radius configuration file: +# +# For a dynamic module build add SUPPORT_RADIUS=2 and (if needed) +# SUPPORT_RADIUS_LIBS=-l # RADIUS_CONFIG_FILE=/etc/radiusclient/radiusclient.conf # RADIUS_CONFIG_FILE=/etc/radius.conf diff --git a/src/src/exim.h b/src/src/exim.h index 550f1a7bd..a3b7112a6 100644 --- a/src/src/exim.h +++ b/src/src/exim.h @@ -561,6 +561,9 @@ config.h, mytypes.h, and store.h, so we don't need to mention them explicitly. #ifdef RADIUS_CONFIG_FILE # include "miscmods/radius_api.h" #endif +#ifdef SUPPORT_PAM +# include "miscmods/pam_api.h" +#endif /* The following stuff must follow the inclusion of config.h because it requires various things that are set therein. */ diff --git a/src/src/expand.c b/src/src/expand.c index cdfe93cdc..d9e71897e 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -2767,12 +2767,19 @@ switch(cond_type = identify_operator(&s, &opname)) /* Various authentication tests - all optionally compiled */ case ECOND_PAM: - #ifdef SUPPORT_PAM - rc = auth_call_pam(sub[0], &expand_string_message); - goto END_AUTH; - #else - goto COND_FAILED_NOT_COMPILED; - #endif /* SUPPORT_PAM */ +#ifdef SUPPORT_PAM + { + const misc_module_info * mi = misc_mod_find(US"pam", NULL); + typedef int (*fn_t)(const uschar *, uschar **); + if (!mi) + goto COND_FAILED_NOT_COMPILED; + rc = (((fn_t *) mi->functions)[PAM_AUTH_CALL]) + (sub[0], &expand_string_message); + goto END_AUTH; + } +#else + goto COND_FAILED_NOT_COMPILED; +#endif /* SUPPORT_PAM */ case ECOND_RADIUS: #ifdef RADIUS_CONFIG_FILE diff --git a/src/src/functions.h b/src/src/functions.h index 493b2287e..cb470bcb3 100644 --- a/src/src/functions.h +++ b/src/src/functions.h 
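Review bot: In the `ECOND_PAM` case of src/src/expand.c, a failed `misc_mod_find(US"pam", NULL)` jumps to `COND_FAILED_NOT_COMPILED`, and the NULL second argument appears to discard any reason the lookup could report. On a dynamic build, a missing or unloadable pam module would then be reported as PAM not being compiled in, which hides a deployment fault on an authentication path. Consider passing `&expand_string_message` there (assuming that argument is an error-string out parameter; confirm against the prototype of misc_mod_find) so the real cause reaches the log. The call through `((fn_t *) mi->functions)[PAM_AUTH_CALL]` also indexes the table without comparing against `mi->functions_count` or checking for a NULL entry; a guard such as `if (PAM_AUTH_CALL >= mi->functions_count) goto COND_FAILED_NOT_COMPILED;` would stop a mismatched module from being called through a bad pointer. The enclosing switch starts and ends outside the hunk.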
@@ -111,7 +111,6 @@ extern void add_driver_info(driver_info **, const driver_info *, size_t); extern void assert_no_variables(void *, int, const char *, int); -extern int auth_call_pam(const uschar *, uschar **); extern int auth_call_pwcheck(uschar *, uschar **); extern int auth_call_saslauthd(const uschar *, const uschar *, const uschar *, const uschar *, uschar **); diff --git a/src/src/miscmods/Makefile b/src/src/miscmods/Makefile index a15fd9b38..8f53088ff 100644 --- a/src/src/miscmods/Makefile +++ b/src/src/miscmods/Makefile @@ -37,6 +37,8 @@ dkim.o dkim.so: $(HDRS) dkim.h dkim.c dkim_transport.c \ signing.h signing.c dmarc.o dmarc.so: $(HDRS) pdkim.h dmarc.h dmarc.c dummy.o: dummy.c +pam.o pam.so: $(HDRS) pam.c +radius.o radius.so: $(HDRS) radius.c spf.o spf.so: $(HDRS) spf.h spf.c dkim.o: diff --git a/src/src/auths/call_pam.c b/src/src/miscmods/pam.c similarity index 92% rename from src/src/auths/call_pam.c rename to src/src/miscmods/pam.c index 3ff15711d..1f1b2e2eb 100644 --- a/src/src/auths/call_pam.c +++ b/src/src/miscmods/pam.c @@ -2,8 +2,8 @@ * Exim - an Internet mail transport agent * *************************************************/ +/* Copyright (c) The Exim Maintainers 2020 - 2024 */ /* Copyright (c) University of Cambridge 1995 - 2018 */ -/* Copyright (c) The Exim Maintainers 2020 - 2021 */ /* See the file NOTICE for conditions of use and distribution. */ /* SPDX-License-Identifier: GPL-2.0-or-later */ @@ -28,9 +28,9 @@ static void dummy(int x) { dummy2(x-1); } #else /* SUPPORT_PAM */ #ifdef PAM_H_IN_PAM -#include +# include #else -#include +# include #endif /* According to the specification, it should be possible to have an application @@ -128,7 +128,7 @@ Returns: OK if authentication succeeded ERROR some other error condition */ -int +static int auth_call_pam(const uschar *s, uschar **errptr) { pam_handle_t *pamh = NULL; 
@@ -200,6 +200,26 @@ if (pam_error == PAM_USER_UNKNOWN || return ERROR; } + + +/******************************************************************************/ +/* Module API */ + +static void * pam_functions[] = { + [RADIUS_AUTH_CALL] = auth_call_pam, +}; + +misc_module_info rad_module_info = +{ + .name = US"pam", +# ifdef DYNLOOKUP + .dyn_magic = MISC_MODULE_MAGIC, +# endif + + .functions = pam_functions, + .functions_count = nelem(pam_functions), +}; + #endif /* SUPPORT_PAM */ /* End of call_pam.c */ diff --git a/src/src/miscmods/pam_api.h b/src/src/miscmods/pam_api.h new file mode 100644 index 000000000..d83f27aa0 --- /dev/null +++ b/src/src/miscmods/pam_api.h @@ -0,0 +1,14 @@ +/************************************************* +* Exim - an Internet mail transport agent * +*************************************************/ + +/* Copyright (c) The Exim Maintainers 2024 */ +/* See the file NOTICE for conditions of use and distribution. */ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +/* API definitions for the pam module */ + + +/* Function table entry numbers */ + +#define PAM_AUTH_CALL 0 diff --git a/src/src/miscmods/radius_api.h b/src/src/miscmods/radius_api.h new file mode 100644 index 000000000..361a01ce3 --- /dev/null +++ b/src/src/miscmods/radius_api.h @@ -0,0 +1,14 @@ +/************************************************* +* Exim - an Internet mail transport agent * +*************************************************/ + +/* Copyright (c) The Exim Maintainers 2024 */ +/* See the file NOTICE for conditions of use and distribution. */ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +/* API definitions for the radius module */ + + +/* Function table entry numbers */ + +#define RADIUS_AUTH_CALL 0 -- 2.30.2
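Review bot: The module table added at the end of src/src/miscmods/pam.c is indexed with `[RADIUS_AUTH_CALL]` and the descriptor is named `rad_module_info`, both of which look like leftovers copied from the radius module. `RADIUS_AUTH_CALL` is defined in radius_api.h, which the exim.h hunk includes only under `RADIUS_CONFIG_FILE`, so a build with SUPPORT_PAM but without RADIUS would presumably fail to compile. Where it does compile, it works only because both constants are 0, while expand.c calls through `PAM_AUTH_CALL`. I would change these to `[PAM_AUTH_CALL] = auth_call_pam,` and `misc_module_info pam_module_info =`. The rename assumes the loader finds the descriptor by a symbol derived from the module name, which should be confirmed against the other miscmods. The trailing comment `/* End of call_pam.c */` is also stale after the rename to pam.c.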