source: openpam/trunk/lib/libpam/openpam_dispatch.c @ 890

Last change on this file since 890 was 890, checked in by Dag-Erling Smørgrav, 5 years ago

Bump dates if required on files modified in 2014 or later.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 6.8 KB
Line 
1/*-
2 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3 * Copyright (c) 2004-2015 Dag-Erling Smørgrav
4 * All rights reserved.
5 *
6 * This software was developed for the FreeBSD Project by ThinkSec AS and
7 * Network Associates Laboratories, the Security Research Division of
8 * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
9 * ("CBOSS"), as part of the DARPA CHATS research program.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 *    notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 *    notice, this list of conditions and the following disclaimer in the
18 *    documentation and/or other materials provided with the distribution.
19 * 3. The name of the author may not be used to endorse or promote
20 *    products derived from this software without specific prior written
21 *    permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 *
35 * $Id: openpam_dispatch.c 890 2016-01-11 16:22:09Z des $
36 */
37
38#ifdef HAVE_CONFIG_H
39# include "config.h"
40#endif
41
42#include <sys/param.h>
43
44#include <stdint.h>
45
46#include <security/pam_appl.h>
47
48#include "openpam_impl.h"
49
50#if !defined(OPENPAM_RELAX_CHECKS)
51static void openpam_check_error_code(int, int);
52#else
53#define openpam_check_error_code(a, b)
54#endif /* !defined(OPENPAM_RELAX_CHECKS) */
55
56/*
57 * OpenPAM internal
58 *
59 * Execute a module chain
60 */
61
62int
63openpam_dispatch(pam_handle_t *pamh,
64        int primitive,
65        int flags)
66{
67        pam_chain_t *chain;
68        int err, fail, nsuccess, r;
69        int debug;
70
71        ENTER();
72        if (pamh == NULL)
73                RETURNC(PAM_SYSTEM_ERR);
74
75        /* prevent recursion */
76        if (pamh->current != NULL) {
77                openpam_log(PAM_LOG_ERROR,
78                    "%s() called while %s::%s() is in progress",
79                    pam_func_name[primitive],
80                    pamh->current->module->path,
81                    pam_sm_func_name[pamh->primitive]);
82                RETURNC(PAM_ABORT);
83        }
84
85        /* pick a chain */
86        switch (primitive) {
87        case PAM_SM_AUTHENTICATE:
88        case PAM_SM_SETCRED:
89                chain = pamh->chains[PAM_AUTH];
90                break;
91        case PAM_SM_ACCT_MGMT:
92                chain = pamh->chains[PAM_ACCOUNT];
93                break;
94        case PAM_SM_OPEN_SESSION:
95        case PAM_SM_CLOSE_SESSION:
96                chain = pamh->chains[PAM_SESSION];
97                break;
98        case PAM_SM_CHAUTHTOK:
99                chain = pamh->chains[PAM_PASSWORD];
100                break;
101        default:
102                RETURNC(PAM_SYSTEM_ERR);
103        }
104
105        /* execute */
106        err = PAM_SUCCESS;
107        fail = nsuccess = 0;
108        for (; chain != NULL; chain = chain->next) {
109                if (chain->module->func[primitive] == NULL) {
110                        openpam_log(PAM_LOG_ERROR, "%s: no %s()",
111                            chain->module->path, pam_sm_func_name[primitive]);
112                        r = PAM_SYSTEM_ERR;
113                } else {
114                        pamh->primitive = primitive;
115                        pamh->current = chain;
116                        debug = (openpam_get_option(pamh, "debug") != NULL);
117                        if (debug)
118                                ++openpam_debug;
119                        openpam_log(PAM_LOG_LIBDEBUG, "calling %s() in %s",
120                            pam_sm_func_name[primitive], chain->module->path);
121                        r = (chain->module->func[primitive])(pamh, flags,
122                            chain->optc, (const char **)(intptr_t)chain->optv);
123                        pamh->current = NULL;
124                        openpam_log(PAM_LOG_LIBDEBUG, "%s: %s(): %s",
125                            chain->module->path, pam_sm_func_name[primitive],
126                            pam_strerror(pamh, r));
127                        if (debug)
128                                --openpam_debug;
129                }
130
131                if (r == PAM_IGNORE)
132                        continue;
133                if (r == PAM_SUCCESS) {
134                        ++nsuccess;
135                        /*
136                         * For pam_setcred() and pam_chauthtok() with the
137                         * PAM_PRELIM_CHECK flag, treat "sufficient" as
138                         * "optional".
139                         */
140                        if ((chain->flag == PAM_SUFFICIENT ||
141                            chain->flag == PAM_BINDING) && !fail &&
142                            primitive != PAM_SM_SETCRED &&
143                            !(primitive == PAM_SM_CHAUTHTOK &&
144                                (flags & PAM_PRELIM_CHECK)))
145                                break;
146                        continue;
147                }
148
149                openpam_check_error_code(primitive, r);
150
151                /*
152                 * Record the return code from the first module to
153                 * fail.  If a required module fails, record the
154                 * return code from the first required module to fail.
155                 */
156                if (err == PAM_SUCCESS)
157                        err = r;
158                if ((chain->flag == PAM_REQUIRED ||
159                    chain->flag == PAM_BINDING) && !fail) {
160                        openpam_log(PAM_LOG_LIBDEBUG, "required module failed");
161                        fail = 1;
162                        err = r;
163                }
164
165                /*
166                 * If a requisite module fails, terminate the chain
167                 * immediately.
168                 */
169                if (chain->flag == PAM_REQUISITE) {
170                        openpam_log(PAM_LOG_LIBDEBUG, "requisite module failed");
171                        fail = 1;
172                        break;
173                }
174        }
175
176        if (!fail && err != PAM_NEW_AUTHTOK_REQD)
177                err = PAM_SUCCESS;
178
179        /*
180         * Require the chain to be non-empty, and at least one module
181         * in the chain to be successful, so that we don't fail open.
182         */
183        if (err == PAM_SUCCESS && nsuccess < 1) {
184                openpam_log(PAM_LOG_ERROR,
185                    "all modules were unsuccessful for %s()",
186                    pam_sm_func_name[primitive]);
187                err = PAM_SYSTEM_ERR;
188        }
189
190        RETURNC(err);
191}
192
193#if !defined(OPENPAM_RELAX_CHECKS)
194static void
195openpam_check_error_code(int primitive, int r)
196{
197        /* common error codes */
198        if (r == PAM_SUCCESS ||
199            r == PAM_SYSTEM_ERR ||
200            r == PAM_SERVICE_ERR ||
201            r == PAM_BUF_ERR ||
202            r == PAM_CONV_ERR ||
203            r == PAM_PERM_DENIED ||
204            r == PAM_ABORT)
205                return;
206
207        /* specific error codes */
208        switch (primitive) {
209        case PAM_SM_AUTHENTICATE:
210                if (r == PAM_AUTH_ERR ||
211                    r == PAM_CRED_INSUFFICIENT ||
212                    r == PAM_AUTHINFO_UNAVAIL ||
213                    r == PAM_USER_UNKNOWN ||
214                    r == PAM_MAXTRIES)
215                        return;
216                break;
217        case PAM_SM_SETCRED:
218                if (r == PAM_CRED_UNAVAIL ||
219                    r == PAM_CRED_EXPIRED ||
220                    r == PAM_USER_UNKNOWN ||
221                    r == PAM_CRED_ERR)
222                        return;
223                break;
224        case PAM_SM_ACCT_MGMT:
225                if (r == PAM_USER_UNKNOWN ||
226                    r == PAM_AUTH_ERR ||
227                    r == PAM_NEW_AUTHTOK_REQD ||
228                    r == PAM_ACCT_EXPIRED)
229                        return;
230                break;
231        case PAM_SM_OPEN_SESSION:
232        case PAM_SM_CLOSE_SESSION:
233                if (r == PAM_SESSION_ERR)
234                        return;
235                break;
236        case PAM_SM_CHAUTHTOK:
237                if (r == PAM_PERM_DENIED ||
238                    r == PAM_AUTHTOK_ERR ||
239                    r == PAM_AUTHTOK_RECOVERY_ERR ||
240                    r == PAM_AUTHTOK_LOCK_BUSY ||
241                    r == PAM_AUTHTOK_DISABLE_AGING ||
242                    r == PAM_TRY_AGAIN)
243                        return;
244                break;
245        }
246
247        openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
248            pam_sm_func_name[primitive], r);
249}
250#endif /* !defined(OPENPAM_RELAX_CHECKS) */
251
252/*
253 * NODOC
254 *
255 * Error codes:
256 */
Note: See TracBrowser for help on using the repository browser.