source: openpam/trunk/lib/libpam/openpam_dispatch.c @ 802

Last change on this file since 802 was 802, checked in by Dag-Erling Smørgrav, 6 years ago

From NetBSD: require at least one service function to have succeeded.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 6.7 KB
Line 
1/*-
2 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3 * Copyright (c) 2004-2011 Dag-Erling Smørgrav
4 * All rights reserved.
5 *
6 * This software was developed for the FreeBSD Project by ThinkSec AS and
7 * Network Associates Laboratories, the Security Research Division of
8 * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
9 * ("CBOSS"), as part of the DARPA CHATS research program.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 *    notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 *    notice, this list of conditions and the following disclaimer in the
18 *    documentation and/or other materials provided with the distribution.
19 * 3. The name of the author may not be used to endorse or promote
20 *    products derived from this software without specific prior written
21 *    permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 *
35 * $Id: openpam_dispatch.c 802 2014-09-09 08:08:13Z des $
36 */
37
38#ifdef HAVE_CONFIG_H
39# include "config.h"
40#endif
41
42#include <sys/param.h>
43
44#include <security/pam_appl.h>
45
46#include "openpam_impl.h"
47
48#if !defined(OPENPAM_RELAX_CHECKS)
49static void openpam_check_error_code(int, int);
50#else
51#define openpam_check_error_code(a, b)
52#endif /* !defined(OPENPAM_RELAX_CHECKS) */
53
54/*
55 * OpenPAM internal
56 *
57 * Execute a module chain
58 */
59
60int
61openpam_dispatch(pam_handle_t *pamh,
62        int primitive,
63        int flags)
64{
65        pam_chain_t *chain;
66        int err, fail, nsuccess, r;
67        int debug;
68
69        ENTER();
70        if (pamh == NULL)
71                RETURNC(PAM_SYSTEM_ERR);
72
73        /* prevent recursion */
74        if (pamh->current != NULL) {
75                openpam_log(PAM_LOG_ERROR,
76                    "%s() called while %s::%s() is in progress",
77                    pam_func_name[primitive],
78                    pamh->current->module->path,
79                    pam_sm_func_name[pamh->primitive]);
80                RETURNC(PAM_ABORT);
81        }
82
83        /* pick a chain */
84        switch (primitive) {
85        case PAM_SM_AUTHENTICATE:
86        case PAM_SM_SETCRED:
87                chain = pamh->chains[PAM_AUTH];
88                break;
89        case PAM_SM_ACCT_MGMT:
90                chain = pamh->chains[PAM_ACCOUNT];
91                break;
92        case PAM_SM_OPEN_SESSION:
93        case PAM_SM_CLOSE_SESSION:
94                chain = pamh->chains[PAM_SESSION];
95                break;
96        case PAM_SM_CHAUTHTOK:
97                chain = pamh->chains[PAM_PASSWORD];
98                break;
99        default:
100                RETURNC(PAM_SYSTEM_ERR);
101        }
102
103        /* execute */
104        err = PAM_SUCCESS;
105        fail = nsuccess = 0;
106        for (; chain != NULL; chain = chain->next) {
107                if (chain->module->func[primitive] == NULL) {
108                        openpam_log(PAM_LOG_ERROR, "%s: no %s()",
109                            chain->module->path, pam_sm_func_name[primitive]);
110                        r = PAM_SYSTEM_ERR;
111                } else {
112                        pamh->primitive = primitive;
113                        pamh->current = chain;
114                        debug = (openpam_get_option(pamh, "debug") != NULL);
115                        if (debug)
116                                ++openpam_debug;
117                        openpam_log(PAM_LOG_LIBDEBUG, "calling %s() in %s",
118                            pam_sm_func_name[primitive], chain->module->path);
119                        r = (chain->module->func[primitive])(pamh, flags,
120                            chain->optc, (const char **)chain->optv);
121                        pamh->current = NULL;
122                        openpam_log(PAM_LOG_LIBDEBUG, "%s: %s(): %s",
123                            chain->module->path, pam_sm_func_name[primitive],
124                            pam_strerror(pamh, r));
125                        if (debug)
126                                --openpam_debug;
127                }
128
129                if (r == PAM_IGNORE)
130                        continue;
131                if (r == PAM_SUCCESS) { 
132                        ++nsuccess;
133                        /*
134                         * For pam_setcred() and pam_chauthtok() with the
135                         * PAM_PRELIM_CHECK flag, treat "sufficient" as
136                         * "optional".
137                         */
138                        if ((chain->flag == PAM_SUFFICIENT ||
139                            chain->flag == PAM_BINDING) && !fail &&
140                            primitive != PAM_SM_SETCRED &&
141                            !(primitive == PAM_SM_CHAUTHTOK &&
142                                (flags & PAM_PRELIM_CHECK)))
143                                break;
144                        continue;
145                }
146
147                openpam_check_error_code(primitive, r);
148
149                /*
150                 * Record the return code from the first module to
151                 * fail.  If a required module fails, record the
152                 * return code from the first required module to fail.
153                 */
154                if (err == PAM_SUCCESS)
155                        err = r;
156                if ((chain->flag == PAM_REQUIRED ||
157                    chain->flag == PAM_BINDING) && !fail) {
158                        openpam_log(PAM_LOG_LIBDEBUG, "required module failed");
159                        fail = 1;
160                        err = r;
161                }
162
163                /*
164                 * If a requisite module fails, terminate the chain
165                 * immediately.
166                 */
167                if (chain->flag == PAM_REQUISITE) {
168                        openpam_log(PAM_LOG_LIBDEBUG, "requisite module failed");
169                        fail = 1;
170                        break;
171                }
172        }
173
174        if (!fail && err != PAM_NEW_AUTHTOK_REQD)
175                err = PAM_SUCCESS;
176
177        /*
178         * Require the chain to be non-empty, and at least one module
179         * in the chain to be successful, so that we don't fail open.
180         */
181        if (err == PAM_SUCCESS && nsuccess < 1) {
182                openpam_log(PAM_LOG_ERROR,
183                    "all modules were unsuccessful for %s()",
184                    pam_sm_func_name[primitive]);
185                err = PAM_SYSTEM_ERR;
186        }
187
188        RETURNC(err);
189}
190
191#if !defined(OPENPAM_RELAX_CHECKS)
192static void
193openpam_check_error_code(int primitive, int r)
194{
195        /* common error codes */
196        if (r == PAM_SUCCESS ||
197            r == PAM_SYSTEM_ERR ||
198            r == PAM_SERVICE_ERR ||
199            r == PAM_BUF_ERR ||
200            r == PAM_CONV_ERR ||
201            r == PAM_PERM_DENIED ||
202            r == PAM_ABORT)
203                return;
204
205        /* specific error codes */
206        switch (primitive) {
207        case PAM_SM_AUTHENTICATE:
208                if (r == PAM_AUTH_ERR ||
209                    r == PAM_CRED_INSUFFICIENT ||
210                    r == PAM_AUTHINFO_UNAVAIL ||
211                    r == PAM_USER_UNKNOWN ||
212                    r == PAM_MAXTRIES)
213                        return;
214                break;
215        case PAM_SM_SETCRED:
216                if (r == PAM_CRED_UNAVAIL ||
217                    r == PAM_CRED_EXPIRED ||
218                    r == PAM_USER_UNKNOWN ||
219                    r == PAM_CRED_ERR)
220                        return;
221                break;
222        case PAM_SM_ACCT_MGMT:
223                if (r == PAM_USER_UNKNOWN ||
224                    r == PAM_AUTH_ERR ||
225                    r == PAM_NEW_AUTHTOK_REQD ||
226                    r == PAM_ACCT_EXPIRED)
227                        return;
228                break;
229        case PAM_SM_OPEN_SESSION:
230        case PAM_SM_CLOSE_SESSION:
231                if (r == PAM_SESSION_ERR)
232                        return;
233                break;
234        case PAM_SM_CHAUTHTOK:
235                if (r == PAM_PERM_DENIED ||
236                    r == PAM_AUTHTOK_ERR ||
237                    r == PAM_AUTHTOK_RECOVERY_ERR ||
238                    r == PAM_AUTHTOK_LOCK_BUSY ||
239                    r == PAM_AUTHTOK_DISABLE_AGING ||
240                    r == PAM_TRY_AGAIN)
241                        return;
242                break;
243        }
244
245        openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
246            pam_sm_func_name[primitive], r);
247}
248#endif /* !defined(OPENPAM_RELAX_CHECKS) */
249
250/*
251 * NODOC
252 *
253 * Error codes:
254 */
Note: See TracBrowser for help on using the repository browser.