source: openpam/trunk/lib/openpam_dispatch.c @ 81

Last change on this file since 81 was 81, checked in by Dag-Erling Smørgrav, 18 years ago
  • pam_sm_chauthtok() can return PAM_TRY_AGAIN.
  • "sufficient" should not terminate the chain if the PAM_PRELIM_CHECK flag is set.

Sponsored by: DARPA, NAI Labs

  • Property svn:keywords set to Id LastChangedRevision HeadURL LastChangedDate LastChangedBy
File size: 6.0 KB
Line 
1/*-
2 * Copyright (c) 2002 Networks Associates Technologies, Inc.
3 * All rights reserved.
4 *
5 * This software was developed for the FreeBSD Project by ThinkSec AS and
6 * NAI Labs, the Security Research Division of Network Associates, Inc.
7 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8 * DARPA CHATS research program.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 *    notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 *    notice, this list of conditions and the following disclaimer in the
17 *    documentation and/or other materials provided with the distribution.
18 * 3. The name of the author may not be used to endorse or promote
19 *    products derived from this software without specific prior written
20 *    permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $Id: openpam_dispatch.c 81 2002-02-23 18:06:45Z des $
35 */
36
37#include <sys/param.h>
38
39#include <security/pam_appl.h>
40
41#include "openpam_impl.h"
42
43#if !defined(OPENPAM_RELAX_CHECKS)
44static void _openpam_check_error_code(int, int);
45#else
46#define _openpam_check_error_code(a, b)
47#endif /* !defined(OPENPAM_RELAX_CHECKS) */
48
49/*
50 * OpenPAM internal
51 *
52 * Execute a module chain
53 */
54
55int
56openpam_dispatch(pam_handle_t *pamh,
57        int primitive,
58        int flags)
59{
60        pam_chain_t *chain;
61        int err, fail, r;
62
63        if (pamh == NULL)
64                return (PAM_SYSTEM_ERR);
65
66        /* prevent recursion */
67        if (pamh->current != NULL) {
68                openpam_log(PAM_LOG_ERROR, "indirect recursion");
69                return (PAM_ABORT);
70        }
71
72        /* pick a chain */
73        switch (primitive) {
74        case PAM_SM_AUTHENTICATE:
75        case PAM_SM_SETCRED:
76                chain = pamh->chains[PAM_AUTH];
77                break;
78        case PAM_SM_ACCT_MGMT:
79                chain = pamh->chains[PAM_ACCOUNT];
80                break;
81        case PAM_SM_OPEN_SESSION:
82        case PAM_SM_CLOSE_SESSION:
83                chain = pamh->chains[PAM_SESSION];
84                break;
85        case PAM_SM_CHAUTHTOK:
86                chain = pamh->chains[PAM_PASSWORD];
87                break;
88        default:
89                return (PAM_SYSTEM_ERR);
90        }
91
92        /* execute */
93        for (err = fail = 0; chain != NULL; chain = chain->next) {
94                openpam_log(PAM_LOG_DEBUG, "calling %s() in %s",
95                    _pam_sm_func_name[primitive], chain->module->path);
96                if (chain->module->func[primitive] == NULL) {
97                        openpam_log(PAM_LOG_ERROR, "%s: no %s()",
98                            chain->module->path, _pam_sm_func_name[primitive]);
99                        continue;
100                } else {
101                        pamh->current = chain;
102                        r = (chain->module->func[primitive])(pamh, flags,
103                            chain->optc, (const char **)chain->optv);
104                        pamh->current = NULL;
105                        openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
106                            chain->module->path, _pam_sm_func_name[primitive],
107                            pam_strerror(pamh, r));
108                }
109
110                if (r == PAM_IGNORE)
111                        continue;
112                if (r == PAM_SUCCESS) {
113                        /*
114                         * For pam_setcred() and pam_chauthtok() with the
115                         * PAM_PRELIM_CHECK flag, treat "sufficient" as
116                         * "optional".
117                         *
118                         * Note that Solaris libpam does not terminate
119                         * the chain here if a required module has
120                         * previously failed.  I'm not sure why.
121                         */
122                        if (chain->flag == PAM_SUFFICIENT &&
123                            primitive != PAM_SM_SETCRED &&
124                            (primitive != PAM_SM_CHAUTHTOK ||
125                                !(flags & PAM_PRELIM_CHECK)))
126                                break;
127                        continue;
128                }
129
130                _openpam_check_error_code(primitive, r);
131
132                /*
133                 * Record the return code from the first module to
134                 * fail.  If a required module fails, record the
135                 * return code from the first required module to fail.
136                 */
137                if (err == 0)
138                        err = r;
139                if (chain->flag == PAM_REQUIRED && !fail) {
140                        openpam_log(PAM_LOG_DEBUG, "required module failed");
141                        fail = 1;
142                        err = r;
143                }
144
145                /*
146                 * If a requisite module fails, terminate the chain
147                 * immediately.
148                 */
149                if (chain->flag == PAM_REQUISITE) {
150                        openpam_log(PAM_LOG_DEBUG, "requisite module failed");
151                        fail = 1;
152                        break;
153                }
154        }
155
156        if (!fail)
157                err = PAM_SUCCESS;
158        openpam_log(PAM_LOG_DEBUG, "returning: %s", pam_strerror(pamh, err));
159        return (err);
160}
161
162#if !defined(OPENPAM_RELAX_CHECKS)
163static void
164_openpam_check_error_code(int primitive, int r)
165{
166        /* common error codes */
167        if (r == PAM_SUCCESS ||
168            r == PAM_SERVICE_ERR ||
169            r == PAM_BUF_ERR ||
170            r == PAM_CONV_ERR ||
171            r == PAM_PERM_DENIED ||
172            r == PAM_ABORT)
173                return;
174
175        /* specific error codes */
176        switch (primitive) {
177        case PAM_SM_AUTHENTICATE:
178                if (r == PAM_AUTH_ERR ||
179                    r == PAM_CRED_INSUFFICIENT ||
180                    r == PAM_AUTHINFO_UNAVAIL ||
181                    r == PAM_USER_UNKNOWN ||
182                    r == PAM_MAXTRIES)
183                        return;
184                break;
185        case PAM_SM_SETCRED:
186                if (r == PAM_CRED_UNAVAIL ||
187                    r == PAM_CRED_EXPIRED ||
188                    r == PAM_USER_UNKNOWN ||
189                    r == PAM_CRED_ERR)
190                        return;
191                break;
192        case PAM_SM_ACCT_MGMT:
193                if (r == PAM_USER_UNKNOWN ||
194                    r == PAM_AUTH_ERR ||
195                    r == PAM_NEW_AUTHTOK_REQD ||
196                    r == PAM_ACCT_EXPIRED)
197                        return;
198                break;
199        case PAM_SM_OPEN_SESSION:
200        case PAM_SM_CLOSE_SESSION:
201                if (r == PAM_SESSION_ERR)
202                        return;
203                break;
204        case PAM_SM_CHAUTHTOK:
205                if (r == PAM_PERM_DENIED ||
206                    r == PAM_AUTHTOK_ERR ||
207                    r == PAM_AUTHTOK_RECOVERY_ERR ||
208                    r == PAM_AUTHTOK_LOCK_BUSY ||
209                    r == PAM_AUTHTOK_DISABLE_AGING ||
210                    r == PAM_TRY_AGAIN)
211                        return;
212                break;
213        }
214
215        openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
216            _pam_sm_func_name[primitive], r);
217}
218#endif /* !defined(OPENPAM_RELAX_CHECKS) */
219
220/*
221 * NODOC
222 *
223 * Error codes:
224 */
Note: See TracBrowser for help on using the repository browser.