source: openpam/trunk/lib/libpam/openpam_dispatch.c @ 649

Last change on this file since 649 was 649, checked in by Dag-Erling Smørgrav, 8 years ago

PAM_LOG_DEBUG -> PAM_LOG_LIBDEBUG

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 6.4 KB
Line 
1/*-
2 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3 * Copyright (c) 2004-2011 Dag-Erling Smørgrav
4 * All rights reserved.
5 *
6 * This software was developed for the FreeBSD Project by ThinkSec AS and
7 * Network Associates Laboratories, the Security Research Division of
8 * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
9 * ("CBOSS"), as part of the DARPA CHATS research program.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 *    notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 *    notice, this list of conditions and the following disclaimer in the
18 *    documentation and/or other materials provided with the distribution.
19 * 3. The name of the author may not be used to endorse or promote
20 *    products derived from this software without specific prior written
21 *    permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 *
35 * $Id: openpam_dispatch.c 649 2013-03-05 17:58:33Z des $
36 */
37
38#ifdef HAVE_CONFIG_H
39# include "config.h"
40#endif
41
42#include <sys/param.h>
43
44#include <security/pam_appl.h>
45
46#include "openpam_impl.h"
47
48#if !defined(OPENPAM_RELAX_CHECKS)
49static void openpam_check_error_code(int, int);
50#else
51#define openpam_check_error_code(a, b)
52#endif /* !defined(OPENPAM_RELAX_CHECKS) */
53
54/*
55 * OpenPAM internal
56 *
57 * Execute a module chain
58 */
59
60int
61openpam_dispatch(pam_handle_t *pamh,
62        int primitive,
63        int flags)
64{
65        pam_chain_t *chain;
66        int err, fail, r;
67        int debug;
68
69        ENTER();
70        if (pamh == NULL)
71                RETURNC(PAM_SYSTEM_ERR);
72
73        /* prevent recursion */
74        if (pamh->current != NULL) {
75                openpam_log(PAM_LOG_ERROR,
76                    "%s() called while %s::%s() is in progress",
77                    pam_func_name[primitive],
78                    pamh->current->module->path,
79                    pam_sm_func_name[pamh->primitive]);
80                RETURNC(PAM_ABORT);
81        }
82
83        /* pick a chain */
84        switch (primitive) {
85        case PAM_SM_AUTHENTICATE:
86        case PAM_SM_SETCRED:
87                chain = pamh->chains[PAM_AUTH];
88                break;
89        case PAM_SM_ACCT_MGMT:
90                chain = pamh->chains[PAM_ACCOUNT];
91                break;
92        case PAM_SM_OPEN_SESSION:
93        case PAM_SM_CLOSE_SESSION:
94                chain = pamh->chains[PAM_SESSION];
95                break;
96        case PAM_SM_CHAUTHTOK:
97                chain = pamh->chains[PAM_PASSWORD];
98                break;
99        default:
100                RETURNC(PAM_SYSTEM_ERR);
101        }
102
103        /* execute */
104        for (err = fail = 0; chain != NULL; chain = chain->next) {
105                if (chain->module->func[primitive] == NULL) {
106                        openpam_log(PAM_LOG_ERROR, "%s: no %s()",
107                            chain->module->path, pam_sm_func_name[primitive]);
108                        r = PAM_SYSTEM_ERR;
109                } else {
110                        pamh->primitive = primitive;
111                        pamh->current = chain;
112                        debug = (openpam_get_option(pamh, "debug") != NULL);
113                        if (debug)
114                                ++openpam_debug;
115                        openpam_log(PAM_LOG_LIBDEBUG, "calling %s() in %s",
116                            pam_sm_func_name[primitive], chain->module->path);
117                        r = (chain->module->func[primitive])(pamh, flags,
118                            chain->optc, (const char **)chain->optv);
119                        pamh->current = NULL;
120                        openpam_log(PAM_LOG_LIBDEBUG, "%s: %s(): %s",
121                            chain->module->path, pam_sm_func_name[primitive],
122                            pam_strerror(pamh, r));
123                        if (debug)
124                                --openpam_debug;
125                }
126
127                if (r == PAM_IGNORE)
128                        continue;
129                if (r == PAM_SUCCESS) {
130                        /*
131                         * For pam_setcred() and pam_chauthtok() with the
132                         * PAM_PRELIM_CHECK flag, treat "sufficient" as
133                         * "optional".
134                         */
135                        if ((chain->flag == PAM_SUFFICIENT ||
136                            chain->flag == PAM_BINDING) && !fail &&
137                            primitive != PAM_SM_SETCRED &&
138                            !(primitive == PAM_SM_CHAUTHTOK &&
139                                (flags & PAM_PRELIM_CHECK)))
140                                break;
141                        continue;
142                }
143
144                openpam_check_error_code(primitive, r);
145
146                /*
147                 * Record the return code from the first module to
148                 * fail.  If a required module fails, record the
149                 * return code from the first required module to fail.
150                 */
151                if (err == 0)
152                        err = r;
153                if ((chain->flag == PAM_REQUIRED ||
154                    chain->flag == PAM_BINDING) && !fail) {
155                        openpam_log(PAM_LOG_LIBDEBUG, "required module failed");
156                        fail = 1;
157                        err = r;
158                }
159
160                /*
161                 * If a requisite module fails, terminate the chain
162                 * immediately.
163                 */
164                if (chain->flag == PAM_REQUISITE) {
165                        openpam_log(PAM_LOG_LIBDEBUG, "requisite module failed");
166                        fail = 1;
167                        break;
168                }
169        }
170
171        if (!fail && err != PAM_NEW_AUTHTOK_REQD)
172                err = PAM_SUCCESS;
173        RETURNC(err);
174}
175
176#if !defined(OPENPAM_RELAX_CHECKS)
177static void
178openpam_check_error_code(int primitive, int r)
179{
180        /* common error codes */
181        if (r == PAM_SUCCESS ||
182            r == PAM_SYSTEM_ERR ||
183            r == PAM_SERVICE_ERR ||
184            r == PAM_BUF_ERR ||
185            r == PAM_CONV_ERR ||
186            r == PAM_PERM_DENIED ||
187            r == PAM_ABORT)
188                return;
189
190        /* specific error codes */
191        switch (primitive) {
192        case PAM_SM_AUTHENTICATE:
193                if (r == PAM_AUTH_ERR ||
194                    r == PAM_CRED_INSUFFICIENT ||
195                    r == PAM_AUTHINFO_UNAVAIL ||
196                    r == PAM_USER_UNKNOWN ||
197                    r == PAM_MAXTRIES)
198                        return;
199                break;
200        case PAM_SM_SETCRED:
201                if (r == PAM_CRED_UNAVAIL ||
202                    r == PAM_CRED_EXPIRED ||
203                    r == PAM_USER_UNKNOWN ||
204                    r == PAM_CRED_ERR)
205                        return;
206                break;
207        case PAM_SM_ACCT_MGMT:
208                if (r == PAM_USER_UNKNOWN ||
209                    r == PAM_AUTH_ERR ||
210                    r == PAM_NEW_AUTHTOK_REQD ||
211                    r == PAM_ACCT_EXPIRED)
212                        return;
213                break;
214        case PAM_SM_OPEN_SESSION:
215        case PAM_SM_CLOSE_SESSION:
216                if (r == PAM_SESSION_ERR)
217                        return;
218                break;
219        case PAM_SM_CHAUTHTOK:
220                if (r == PAM_PERM_DENIED ||
221                    r == PAM_AUTHTOK_ERR ||
222                    r == PAM_AUTHTOK_RECOVERY_ERR ||
223                    r == PAM_AUTHTOK_LOCK_BUSY ||
224                    r == PAM_AUTHTOK_DISABLE_AGING ||
225                    r == PAM_TRY_AGAIN)
226                        return;
227                break;
228        }
229
230        openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
231            pam_sm_func_name[primitive], r);
232}
233#endif /* !defined(OPENPAM_RELAX_CHECKS) */
234
235/*
236 * NODOC
237 *
238 * Error codes:
239 */
Note: See TracBrowser for help on using the repository browser.