source: openpam/trunk/lib/openpam_dispatch.c @ 437

Last change on this file since 437 was 437, checked in by Dag-Erling Smørgrav, 9 years ago

Update copyright and release notes.

  • Property svn:keywords set to Id
File size: 6.3 KB
Line 
1/*-
2 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3 * Copyright (c) 2004-2011 Dag-Erling Smørgrav
4 * All rights reserved.
5 *
6 * This software was developed for the FreeBSD Project by ThinkSec AS and
7 * Network Associates Laboratories, the Security Research Division of
8 * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
9 * ("CBOSS"), as part of the DARPA CHATS research program.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 *    notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 *    notice, this list of conditions and the following disclaimer in the
18 *    documentation and/or other materials provided with the distribution.
19 * 3. The name of the author may not be used to endorse or promote
20 *    products derived from this software without specific prior written
21 *    permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 *
35 * $Id: openpam_dispatch.c 437 2011-09-13 12:00:13Z des $
36 */
37
38#ifdef HAVE_CONFIG_H
39# include "config.h"
40#endif
41
42#include <sys/param.h>
43
44#include <security/pam_appl.h>
45
46#include "openpam_impl.h"
47
48#if !defined(OPENPAM_RELAX_CHECKS)
49static void openpam_check_error_code(int, int);
50#else
51#define openpam_check_error_code(a, b)
52#endif /* !defined(OPENPAM_RELAX_CHECKS) */
53
54/*
55 * OpenPAM internal
56 *
57 * Execute a module chain
58 */
59
60int
61openpam_dispatch(pam_handle_t *pamh,
62        int primitive,
63        int flags)
64{
65        pam_chain_t *chain;
66        int err, fail, r;
67        int debug;
68
69        ENTER();
70        if (pamh == NULL)
71                RETURNC(PAM_SYSTEM_ERR);
72
73        /* prevent recursion */
74        if (pamh->current != NULL) {
75                openpam_log(PAM_LOG_ERROR,
76                    "%s() called while %s::%s() is in progress",
77                    _pam_func_name[primitive],
78                    pamh->current->module->path,
79                    _pam_sm_func_name[pamh->primitive]);
80                RETURNC(PAM_ABORT);
81        }
82
83        /* pick a chain */
84        switch (primitive) {
85        case PAM_SM_AUTHENTICATE:
86        case PAM_SM_SETCRED:
87                chain = pamh->chains[PAM_AUTH];
88                break;
89        case PAM_SM_ACCT_MGMT:
90                chain = pamh->chains[PAM_ACCOUNT];
91                break;
92        case PAM_SM_OPEN_SESSION:
93        case PAM_SM_CLOSE_SESSION:
94                chain = pamh->chains[PAM_SESSION];
95                break;
96        case PAM_SM_CHAUTHTOK:
97                chain = pamh->chains[PAM_PASSWORD];
98                break;
99        default:
100                RETURNC(PAM_SYSTEM_ERR);
101        }
102
103        /* execute */
104        for (err = fail = 0; chain != NULL; chain = chain->next) {
105                if (chain->module->func[primitive] == NULL) {
106                        openpam_log(PAM_LOG_ERROR, "%s: no %s()",
107                            chain->module->path, _pam_sm_func_name[primitive]);
108                        continue;
109                } else {
110                        pamh->primitive = primitive;
111                        pamh->current = chain;
112                        debug = (openpam_get_option(pamh, "debug") != NULL);
113                        if (debug)
114                                ++openpam_debug;
115                        openpam_log(PAM_LOG_DEBUG, "calling %s() in %s",
116                            _pam_sm_func_name[primitive], chain->module->path);
117                        r = (chain->module->func[primitive])(pamh, flags,
118                            chain->optc, (const char **)chain->optv);
119                        pamh->current = NULL;
120                        openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
121                            chain->module->path, _pam_sm_func_name[primitive],
122                            pam_strerror(pamh, r));
123                        if (debug)
124                                --openpam_debug;
125                }
126
127                if (r == PAM_IGNORE)
128                        continue;
129                if (r == PAM_SUCCESS) {
130                        /*
131                         * For pam_setcred() and pam_chauthtok() with the
132                         * PAM_PRELIM_CHECK flag, treat "sufficient" as
133                         * "optional".
134                         */
135                        if ((chain->flag == PAM_SUFFICIENT ||
136                            chain->flag == PAM_BINDING) && !fail &&
137                            primitive != PAM_SM_SETCRED &&
138                            !(primitive == PAM_SM_CHAUTHTOK &&
139                                (flags & PAM_PRELIM_CHECK)))
140                                break;
141                        continue;
142                }
143
144                openpam_check_error_code(primitive, r);
145
146                /*
147                 * Record the return code from the first module to
148                 * fail.  If a required module fails, record the
149                 * return code from the first required module to fail.
150                 */
151                if (err == 0)
152                        err = r;
153                if ((chain->flag == PAM_REQUIRED ||
154                    chain->flag == PAM_BINDING) && !fail) {
155                        openpam_log(PAM_LOG_DEBUG, "required module failed");
156                        fail = 1;
157                        err = r;
158                }
159
160                /*
161                 * If a requisite module fails, terminate the chain
162                 * immediately.
163                 */
164                if (chain->flag == PAM_REQUISITE) {
165                        openpam_log(PAM_LOG_DEBUG, "requisite module failed");
166                        fail = 1;
167                        break;
168                }
169        }
170
171        if (!fail && err != PAM_NEW_AUTHTOK_REQD)
172                err = PAM_SUCCESS;
173        RETURNC(err);
174}
175
176#if !defined(OPENPAM_RELAX_CHECKS)
177static void
178openpam_check_error_code(int primitive, int r)
179{
180        /* common error codes */
181        if (r == PAM_SUCCESS ||
182            r == PAM_SERVICE_ERR ||
183            r == PAM_BUF_ERR ||
184            r == PAM_CONV_ERR ||
185            r == PAM_PERM_DENIED ||
186            r == PAM_ABORT)
187                return;
188
189        /* specific error codes */
190        switch (primitive) {
191        case PAM_SM_AUTHENTICATE:
192                if (r == PAM_AUTH_ERR ||
193                    r == PAM_CRED_INSUFFICIENT ||
194                    r == PAM_AUTHINFO_UNAVAIL ||
195                    r == PAM_USER_UNKNOWN ||
196                    r == PAM_MAXTRIES)
197                        return;
198                break;
199        case PAM_SM_SETCRED:
200                if (r == PAM_CRED_UNAVAIL ||
201                    r == PAM_CRED_EXPIRED ||
202                    r == PAM_USER_UNKNOWN ||
203                    r == PAM_CRED_ERR)
204                        return;
205                break;
206        case PAM_SM_ACCT_MGMT:
207                if (r == PAM_USER_UNKNOWN ||
208                    r == PAM_AUTH_ERR ||
209                    r == PAM_NEW_AUTHTOK_REQD ||
210                    r == PAM_ACCT_EXPIRED)
211                        return;
212                break;
213        case PAM_SM_OPEN_SESSION:
214        case PAM_SM_CLOSE_SESSION:
215                if (r == PAM_SESSION_ERR)
216                        return;
217                break;
218        case PAM_SM_CHAUTHTOK:
219                if (r == PAM_PERM_DENIED ||
220                    r == PAM_AUTHTOK_ERR ||
221                    r == PAM_AUTHTOK_RECOVERY_ERR ||
222                    r == PAM_AUTHTOK_LOCK_BUSY ||
223                    r == PAM_AUTHTOK_DISABLE_AGING ||
224                    r == PAM_TRY_AGAIN)
225                        return;
226                break;
227        }
228
229        openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
230            _pam_sm_func_name[primitive], r);
231}
232#endif /* !defined(OPENPAM_RELAX_CHECKS) */
233
234/*
235 * NODOC
236 *
237 * Error codes:
238 */
Note: See TracBrowser for help on using the repository browser.