Context Navigation

source: openpam/trunk/lib/libpam/openpam_dispatch.c @ 935

Last change on this file since 935 was 935, checked in by Dag-Erling Smørgrav, 4 years ago
Bump copyright year.
Property svn:eol-style set to `native` Property svn:keywords set to `Id`
File size: 6.7 KB

Line
1	/*-
2	* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3	* Copyright (c) 2004-2017 Dag-Erling Smørgrav
4	* All rights reserved.
5	*
6	* This software was developed for the FreeBSD Project by ThinkSec AS and
7	* Network Associates Laboratories, the Security Research Division of
8	* Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
9	* ("CBOSS"), as part of the DARPA CHATS research program.
10	*
11	* Redistribution and use in source and binary forms, with or without
12	* modification, are permitted provided that the following conditions
13	* are met:
14	* 1. Redistributions of source code must retain the above copyright
15	* notice, this list of conditions and the following disclaimer.
16	* 2. Redistributions in binary form must reproduce the above copyright
17	* notice, this list of conditions and the following disclaimer in the
18	* documentation and/or other materials provided with the distribution.
19	* 3. The name of the author may not be used to endorse or promote
20	* products derived from this software without specific prior written
21	* permission.
22	*
23	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33	* SUCH DAMAGE.
34	*
35	* $Id: openpam_dispatch.c 935 2017-04-26 21:04:10Z des $
36	*/
37
38	#ifdef HAVE_CONFIG_H
39	# include "config.h"
40	#endif
41
42	#include <sys/param.h>
43
44	#include <stdint.h>
45
46	#include <security/pam_appl.h>
47
48	#include "openpam_impl.h"
49
50	#if !defined(OPENPAM_RELAX_CHECKS)
51	static void openpam_check_error_code(int, int);
52	#else
53	#define openpam_check_error_code(a, b)
54	#endif /* !defined(OPENPAM_RELAX_CHECKS) */
55
56	/*
57	* OpenPAM internal
58	*
59	* Execute a module chain
60	*/
61
62	int
63	openpam_dispatch(pam_handle_t *pamh,
64	int primitive,
65	int flags)
66	{
67	pam_chain_t *chain;
68	int err, fail, nsuccess, r;
69	int debug;
70
71	ENTER();
72
73	/* prevent recursion */
74	if (pamh->current != NULL) {
75	openpam_log(PAM_LOG_ERROR,
76	"%s() called while %s::%s() is in progress",
77	pam_func_name[primitive],
78	pamh->current->module->path,
79	pam_sm_func_name[pamh->primitive]);
80	RETURNC(PAM_ABORT);
81	}
82
83	/* pick a chain */
84	switch (primitive) {
85	case PAM_SM_AUTHENTICATE:
86	case PAM_SM_SETCRED:
87	chain = pamh->chains[PAM_AUTH];
88	break;
89	case PAM_SM_ACCT_MGMT:
90	chain = pamh->chains[PAM_ACCOUNT];
91	break;
92	case PAM_SM_OPEN_SESSION:
93	case PAM_SM_CLOSE_SESSION:
94	chain = pamh->chains[PAM_SESSION];
95	break;
96	case PAM_SM_CHAUTHTOK:
97	chain = pamh->chains[PAM_PASSWORD];
98	break;
99	default:
100	RETURNC(PAM_SYSTEM_ERR);
101	}
102
103	/* execute */
104	err = PAM_SUCCESS;
105	fail = nsuccess = 0;
106	for (; chain != NULL; chain = chain->next) {
107	if (chain->module->func[primitive] == NULL) {
108	openpam_log(PAM_LOG_ERROR, "%s: no %s()",
109	chain->module->path, pam_sm_func_name[primitive]);
110	r = PAM_SYMBOL_ERR;
111	} else {
112	pamh->primitive = primitive;
113	pamh->current = chain;
114	debug = (openpam_get_option(pamh, "debug") != NULL);
115	if (debug)
116	++openpam_debug;
117	openpam_log(PAM_LOG_LIBDEBUG, "calling %s() in %s",
118	pam_sm_func_name[primitive], chain->module->path);
119	r = (chain->module->func[primitive])(pamh, flags,
120	chain->optc, (const char **)(intptr_t)chain->optv);
121	pamh->current = NULL;
122	openpam_log(PAM_LOG_LIBDEBUG, "%s: %s(): %s",
123	chain->module->path, pam_sm_func_name[primitive],
124	pam_strerror(pamh, r));
125	if (debug)
126	--openpam_debug;
127	}
128
129	if (r == PAM_IGNORE)
130	continue;
131	if (r == PAM_SUCCESS) {
132	++nsuccess;
133	/*
134	* For pam_setcred() and pam_chauthtok() with the
135	* PAM_PRELIM_CHECK flag, treat "sufficient" as
136	* "optional".
137	*/
138	if ((chain->flag == PAM_SUFFICIENT \|\|
139	chain->flag == PAM_BINDING) && !fail &&
140	primitive != PAM_SM_SETCRED &&
141	!(primitive == PAM_SM_CHAUTHTOK &&
142	(flags & PAM_PRELIM_CHECK)))
143	break;
144	continue;
145	}
146
147	openpam_check_error_code(primitive, r);
148
149	/*
150	* Record the return code from the first module to
151	* fail. If a required module fails, record the
152	* return code from the first required module to fail.
153	*/
154	if (err == PAM_SUCCESS)
155	err = r;
156	if ((chain->flag == PAM_REQUIRED \|\|
157	chain->flag == PAM_BINDING) && !fail) {
158	openpam_log(PAM_LOG_LIBDEBUG, "required module failed");
159	fail = 1;
160	err = r;
161	}
162
163	/*
164	* If a requisite module fails, terminate the chain
165	* immediately.
166	*/
167	if (chain->flag == PAM_REQUISITE) {
168	openpam_log(PAM_LOG_LIBDEBUG, "requisite module failed");
169	fail = 1;
170	break;
171	}
172	}
173
174	if (!fail && err != PAM_NEW_AUTHTOK_REQD)
175	err = PAM_SUCCESS;
176
177	/*
178	* Require the chain to be non-empty, and at least one module
179	* in the chain to be successful, so that we don't fail open.
180	*/
181	if (err == PAM_SUCCESS && nsuccess < 1) {
182	openpam_log(PAM_LOG_ERROR,
183	"all modules were unsuccessful for %s()",
184	pam_sm_func_name[primitive]);
185	err = PAM_SYSTEM_ERR;
186	}
187
188	RETURNC(err);
189	}
190
191	#if !defined(OPENPAM_RELAX_CHECKS)
192	static void
193	openpam_check_error_code(int primitive, int r)
194	{
195	/* common error codes */
196	if (r == PAM_SUCCESS \|\|
197	r == PAM_SYSTEM_ERR \|\|
198	r == PAM_SERVICE_ERR \|\|
199	r == PAM_BUF_ERR \|\|
200	r == PAM_CONV_ERR \|\|
201	r == PAM_PERM_DENIED \|\|
202	r == PAM_ABORT)
203	return;
204
205	/* specific error codes */
206	switch (primitive) {
207	case PAM_SM_AUTHENTICATE:
208	if (r == PAM_AUTH_ERR \|\|
209	r == PAM_CRED_INSUFFICIENT \|\|
210	r == PAM_AUTHINFO_UNAVAIL \|\|
211	r == PAM_USER_UNKNOWN \|\|
212	r == PAM_MAXTRIES)
213	return;
214	break;
215	case PAM_SM_SETCRED:
216	if (r == PAM_CRED_UNAVAIL \|\|
217	r == PAM_CRED_EXPIRED \|\|
218	r == PAM_USER_UNKNOWN \|\|
219	r == PAM_CRED_ERR)
220	return;
221	break;
222	case PAM_SM_ACCT_MGMT:
223	if (r == PAM_USER_UNKNOWN \|\|
224	r == PAM_AUTH_ERR \|\|
225	r == PAM_NEW_AUTHTOK_REQD \|\|
226	r == PAM_ACCT_EXPIRED)
227	return;
228	break;
229	case PAM_SM_OPEN_SESSION:
230	case PAM_SM_CLOSE_SESSION:
231	if (r == PAM_SESSION_ERR)
232	return;
233	break;
234	case PAM_SM_CHAUTHTOK:
235	if (r == PAM_PERM_DENIED \|\|
236	r == PAM_AUTHTOK_ERR \|\|
237	r == PAM_AUTHTOK_RECOVERY_ERR \|\|
238	r == PAM_AUTHTOK_LOCK_BUSY \|\|
239	r == PAM_AUTHTOK_DISABLE_AGING \|\|
240	r == PAM_TRY_AGAIN)
241	return;
242	break;
243	}
244
245	openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
246	pam_sm_func_name[primitive], r);
247	}
248	#endif /* !defined(OPENPAM_RELAX_CHECKS) */
249
250	/*
251	* NODOC
252	*
253	* Error codes:
254	*/

Note: See TracBrowser for help on using the repository browser.

Download in other formats: