1 | /*- |
---|
2 | * Copyright (c) 2002-2003 Networks Associates Technology, Inc. |
---|
3 | * Copyright (c) 2004-2011 Dag-Erling Smørgrav |
---|
4 | * All rights reserved. |
---|
5 | * |
---|
6 | * This software was developed for the FreeBSD Project by ThinkSec AS and |
---|
7 | * Network Associates Laboratories, the Security Research Division of |
---|
8 | * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 |
---|
9 | * ("CBOSS"), as part of the DARPA CHATS research program. |
---|
10 | * |
---|
11 | * Redistribution and use in source and binary forms, with or without |
---|
12 | * modification, are permitted provided that the following conditions |
---|
13 | * are met: |
---|
14 | * 1. Redistributions of source code must retain the above copyright |
---|
15 | * notice, this list of conditions and the following disclaimer. |
---|
16 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
17 | * notice, this list of conditions and the following disclaimer in the |
---|
18 | * documentation and/or other materials provided with the distribution. |
---|
19 | * 3. The name of the author may not be used to endorse or promote |
---|
20 | * products derived from this software without specific prior written |
---|
21 | * permission. |
---|
22 | * |
---|
23 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
---|
24 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
---|
25 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
---|
26 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
---|
27 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
---|
28 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
---|
29 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
---|
30 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
---|
31 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
---|
32 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
---|
33 | * SUCH DAMAGE. |
---|
34 | * |
---|
35 | * $Id: openpam_dispatch.c 437 2011-09-13 12:00:13Z des $ |
---|
36 | */ |
---|
37 | |
---|
38 | #ifdef HAVE_CONFIG_H |
---|
39 | # include "config.h" |
---|
40 | #endif |
---|
41 | |
---|
42 | #include <sys/param.h> |
---|
43 | |
---|
44 | #include <security/pam_appl.h> |
---|
45 | |
---|
46 | #include "openpam_impl.h" |
---|
47 | |
---|
48 | #if !defined(OPENPAM_RELAX_CHECKS) |
---|
49 | static void openpam_check_error_code(int, int); |
---|
50 | #else |
---|
51 | #define openpam_check_error_code(a, b) |
---|
52 | #endif /* !defined(OPENPAM_RELAX_CHECKS) */ |
---|
53 | |
---|
54 | /* |
---|
55 | * OpenPAM internal |
---|
56 | * |
---|
57 | * Execute a module chain |
---|
58 | */ |
---|
59 | |
---|
60 | int |
---|
61 | openpam_dispatch(pam_handle_t *pamh, |
---|
62 | int primitive, |
---|
63 | int flags) |
---|
64 | { |
---|
65 | pam_chain_t *chain; |
---|
66 | int err, fail, r; |
---|
67 | int debug; |
---|
68 | |
---|
69 | ENTER(); |
---|
70 | if (pamh == NULL) |
---|
71 | RETURNC(PAM_SYSTEM_ERR); |
---|
72 | |
---|
73 | /* prevent recursion */ |
---|
74 | if (pamh->current != NULL) { |
---|
75 | openpam_log(PAM_LOG_ERROR, |
---|
76 | "%s() called while %s::%s() is in progress", |
---|
77 | _pam_func_name[primitive], |
---|
78 | pamh->current->module->path, |
---|
79 | _pam_sm_func_name[pamh->primitive]); |
---|
80 | RETURNC(PAM_ABORT); |
---|
81 | } |
---|
82 | |
---|
83 | /* pick a chain */ |
---|
84 | switch (primitive) { |
---|
85 | case PAM_SM_AUTHENTICATE: |
---|
86 | case PAM_SM_SETCRED: |
---|
87 | chain = pamh->chains[PAM_AUTH]; |
---|
88 | break; |
---|
89 | case PAM_SM_ACCT_MGMT: |
---|
90 | chain = pamh->chains[PAM_ACCOUNT]; |
---|
91 | break; |
---|
92 | case PAM_SM_OPEN_SESSION: |
---|
93 | case PAM_SM_CLOSE_SESSION: |
---|
94 | chain = pamh->chains[PAM_SESSION]; |
---|
95 | break; |
---|
96 | case PAM_SM_CHAUTHTOK: |
---|
97 | chain = pamh->chains[PAM_PASSWORD]; |
---|
98 | break; |
---|
99 | default: |
---|
100 | RETURNC(PAM_SYSTEM_ERR); |
---|
101 | } |
---|
102 | |
---|
103 | /* execute */ |
---|
104 | for (err = fail = 0; chain != NULL; chain = chain->next) { |
---|
105 | if (chain->module->func[primitive] == NULL) { |
---|
106 | openpam_log(PAM_LOG_ERROR, "%s: no %s()", |
---|
107 | chain->module->path, _pam_sm_func_name[primitive]); |
---|
108 | continue; |
---|
109 | } else { |
---|
110 | pamh->primitive = primitive; |
---|
111 | pamh->current = chain; |
---|
112 | debug = (openpam_get_option(pamh, "debug") != NULL); |
---|
113 | if (debug) |
---|
114 | ++openpam_debug; |
---|
115 | openpam_log(PAM_LOG_DEBUG, "calling %s() in %s", |
---|
116 | _pam_sm_func_name[primitive], chain->module->path); |
---|
117 | r = (chain->module->func[primitive])(pamh, flags, |
---|
118 | chain->optc, (const char **)chain->optv); |
---|
119 | pamh->current = NULL; |
---|
120 | openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s", |
---|
121 | chain->module->path, _pam_sm_func_name[primitive], |
---|
122 | pam_strerror(pamh, r)); |
---|
123 | if (debug) |
---|
124 | --openpam_debug; |
---|
125 | } |
---|
126 | |
---|
127 | if (r == PAM_IGNORE) |
---|
128 | continue; |
---|
129 | if (r == PAM_SUCCESS) { |
---|
130 | /* |
---|
131 | * For pam_setcred() and pam_chauthtok() with the |
---|
132 | * PAM_PRELIM_CHECK flag, treat "sufficient" as |
---|
133 | * "optional". |
---|
134 | */ |
---|
135 | if ((chain->flag == PAM_SUFFICIENT || |
---|
136 | chain->flag == PAM_BINDING) && !fail && |
---|
137 | primitive != PAM_SM_SETCRED && |
---|
138 | !(primitive == PAM_SM_CHAUTHTOK && |
---|
139 | (flags & PAM_PRELIM_CHECK))) |
---|
140 | break; |
---|
141 | continue; |
---|
142 | } |
---|
143 | |
---|
144 | openpam_check_error_code(primitive, r); |
---|
145 | |
---|
146 | /* |
---|
147 | * Record the return code from the first module to |
---|
148 | * fail. If a required module fails, record the |
---|
149 | * return code from the first required module to fail. |
---|
150 | */ |
---|
151 | if (err == 0) |
---|
152 | err = r; |
---|
153 | if ((chain->flag == PAM_REQUIRED || |
---|
154 | chain->flag == PAM_BINDING) && !fail) { |
---|
155 | openpam_log(PAM_LOG_DEBUG, "required module failed"); |
---|
156 | fail = 1; |
---|
157 | err = r; |
---|
158 | } |
---|
159 | |
---|
160 | /* |
---|
161 | * If a requisite module fails, terminate the chain |
---|
162 | * immediately. |
---|
163 | */ |
---|
164 | if (chain->flag == PAM_REQUISITE) { |
---|
165 | openpam_log(PAM_LOG_DEBUG, "requisite module failed"); |
---|
166 | fail = 1; |
---|
167 | break; |
---|
168 | } |
---|
169 | } |
---|
170 | |
---|
171 | if (!fail && err != PAM_NEW_AUTHTOK_REQD) |
---|
172 | err = PAM_SUCCESS; |
---|
173 | RETURNC(err); |
---|
174 | } |
---|
175 | |
---|
176 | #if !defined(OPENPAM_RELAX_CHECKS) |
---|
177 | static void |
---|
178 | openpam_check_error_code(int primitive, int r) |
---|
179 | { |
---|
180 | /* common error codes */ |
---|
181 | if (r == PAM_SUCCESS || |
---|
182 | r == PAM_SERVICE_ERR || |
---|
183 | r == PAM_BUF_ERR || |
---|
184 | r == PAM_CONV_ERR || |
---|
185 | r == PAM_PERM_DENIED || |
---|
186 | r == PAM_ABORT) |
---|
187 | return; |
---|
188 | |
---|
189 | /* specific error codes */ |
---|
190 | switch (primitive) { |
---|
191 | case PAM_SM_AUTHENTICATE: |
---|
192 | if (r == PAM_AUTH_ERR || |
---|
193 | r == PAM_CRED_INSUFFICIENT || |
---|
194 | r == PAM_AUTHINFO_UNAVAIL || |
---|
195 | r == PAM_USER_UNKNOWN || |
---|
196 | r == PAM_MAXTRIES) |
---|
197 | return; |
---|
198 | break; |
---|
199 | case PAM_SM_SETCRED: |
---|
200 | if (r == PAM_CRED_UNAVAIL || |
---|
201 | r == PAM_CRED_EXPIRED || |
---|
202 | r == PAM_USER_UNKNOWN || |
---|
203 | r == PAM_CRED_ERR) |
---|
204 | return; |
---|
205 | break; |
---|
206 | case PAM_SM_ACCT_MGMT: |
---|
207 | if (r == PAM_USER_UNKNOWN || |
---|
208 | r == PAM_AUTH_ERR || |
---|
209 | r == PAM_NEW_AUTHTOK_REQD || |
---|
210 | r == PAM_ACCT_EXPIRED) |
---|
211 | return; |
---|
212 | break; |
---|
213 | case PAM_SM_OPEN_SESSION: |
---|
214 | case PAM_SM_CLOSE_SESSION: |
---|
215 | if (r == PAM_SESSION_ERR) |
---|
216 | return; |
---|
217 | break; |
---|
218 | case PAM_SM_CHAUTHTOK: |
---|
219 | if (r == PAM_PERM_DENIED || |
---|
220 | r == PAM_AUTHTOK_ERR || |
---|
221 | r == PAM_AUTHTOK_RECOVERY_ERR || |
---|
222 | r == PAM_AUTHTOK_LOCK_BUSY || |
---|
223 | r == PAM_AUTHTOK_DISABLE_AGING || |
---|
224 | r == PAM_TRY_AGAIN) |
---|
225 | return; |
---|
226 | break; |
---|
227 | } |
---|
228 | |
---|
229 | openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d", |
---|
230 | _pam_sm_func_name[primitive], r); |
---|
231 | } |
---|
232 | #endif /* !defined(OPENPAM_RELAX_CHECKS) */ |
---|
233 | |
---|
234 | /* |
---|
235 | * NODOC |
---|
236 | * |
---|
237 | * Error codes: |
---|
238 | */ |
---|