openpam_dispatch.c revision 107937 
1/*-
2 * Copyright (c) 2002 Networks Associates Technology, Inc.
3 * All rights reserved.
4 *
5 * This software was developed for the FreeBSD Project by ThinkSec AS and
6 * Network Associates Laboratories, the Security Research Division of
7 * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
8 * ("CBOSS"), as part of the DARPA CHATS research program.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 *    notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 *    notice, this list of conditions and the following disclaimer in the
17 *    documentation and/or other materials provided with the distribution.
18 * 3. The name of the author may not be used to endorse or promote
19 *    products derived from this software without specific prior written
20 *    permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $P4: //depot/projects/openpam/lib/openpam_dispatch.c#18 $
35 */
36
37#include <sys/param.h>
38
39#include <security/pam_appl.h>
40
41#include "openpam_impl.h"
42
43#if !defined(OPENPAM_RELAX_CHECKS)
44static void _openpam_check_error_code(int, int);
45#else
46#define _openpam_check_error_code(a, b)
47#endif /* !defined(OPENPAM_RELAX_CHECKS) */
48
49/*
50 * OpenPAM internal
51 *
52 * Execute a module chain
53 */
54
55int
56openpam_dispatch(pam_handle_t *pamh,
57	int primitive,
58	int flags)
59{
60	pam_chain_t *chain;
61	int err, fail, r;
62
63	ENTER();
64	if (pamh == NULL)
65		RETURNC(PAM_SYSTEM_ERR);
66
67	/* prevent recursion */
68	if (pamh->current != NULL) {
69		openpam_log(PAM_LOG_ERROR,
70		    "%s() called while %s::%s() is in progress",
71		    _pam_func_name[primitive],
72		    pamh->current->module->path,
73		    _pam_sm_func_name[pamh->primitive]);
74		RETURNC(PAM_ABORT);
75	}
76
77	/* pick a chain */
78	switch (primitive) {
79	case PAM_SM_AUTHENTICATE:
80	case PAM_SM_SETCRED:
81		chain = pamh->chains[PAM_AUTH];
82		break;
83	case PAM_SM_ACCT_MGMT:
84		chain = pamh->chains[PAM_ACCOUNT];
85		break;
86	case PAM_SM_OPEN_SESSION:
87	case PAM_SM_CLOSE_SESSION:
88		chain = pamh->chains[PAM_SESSION];
89		break;
90	case PAM_SM_CHAUTHTOK:
91		chain = pamh->chains[PAM_PASSWORD];
92		break;
93	default:
94		RETURNC(PAM_SYSTEM_ERR);
95	}
96
97	/* execute */
98	for (err = fail = 0; chain != NULL; chain = chain->next) {
99		openpam_log(PAM_LOG_DEBUG, "calling %s() in %s",
100		    _pam_sm_func_name[primitive], chain->module->path);
101		if (chain->module->func[primitive] == NULL) {
102			openpam_log(PAM_LOG_ERROR, "%s: no %s()",
103			    chain->module->path, _pam_sm_func_name[primitive]);
104			continue;
105		} else {
106			pamh->primitive = primitive;
107			pamh->current = chain;
108			r = (chain->module->func[primitive])(pamh, flags,
109			    chain->optc, (const char **)chain->optv);
110			pamh->current = NULL;
111			openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
112			    chain->module->path, _pam_sm_func_name[primitive],
113			    pam_strerror(pamh, r));
114		}
115
116		if (r == PAM_IGNORE)
117			continue;
118		if (r == PAM_SUCCESS) {
119			/*
120			 * For pam_setcred() and pam_chauthtok() with the
121			 * PAM_PRELIM_CHECK flag, treat "sufficient" as
122			 * "optional".
123			 */
124			if ((chain->flag == PAM_SUFFICIENT ||
125			    chain->flag == PAM_BINDING) && !fail &&
126			    primitive != PAM_SM_SETCRED &&
127			    !(primitive == PAM_SM_CHAUTHTOK &&
128				(flags & PAM_PRELIM_CHECK)))
129				break;
130			continue;
131		}
132
133		_openpam_check_error_code(primitive, r);
134
135		/*
136		 * Record the return code from the first module to
137		 * fail.  If a required module fails, record the
138		 * return code from the first required module to fail.
139		 */
140		if (err == 0)
141			err = r;
142		if ((chain->flag == PAM_REQUIRED ||
143		    chain->flag == PAM_BINDING) && !fail) {
144			openpam_log(PAM_LOG_DEBUG, "required module failed");
145			fail = 1;
146			err = r;
147		}
148
149		/*
150		 * If a requisite module fails, terminate the chain
151		 * immediately.
152		 */
153		if (chain->flag == PAM_REQUISITE) {
154			openpam_log(PAM_LOG_DEBUG, "requisite module failed");
155			fail = 1;
156			break;
157		}
158	}
159
160	if (!fail && err != PAM_NEW_AUTHTOK_REQD)
161		err = PAM_SUCCESS;
162	RETURNC(err);
163}
164
165#if !defined(OPENPAM_RELAX_CHECKS)
166static void
167_openpam_check_error_code(int primitive, int r)
168{
169	/* common error codes */
170	if (r == PAM_SUCCESS ||
171	    r == PAM_SERVICE_ERR ||
172	    r == PAM_BUF_ERR ||
173	    r == PAM_CONV_ERR ||
174	    r == PAM_PERM_DENIED ||
175	    r == PAM_ABORT)
176		return;
177
178	/* specific error codes */
179	switch (primitive) {
180	case PAM_SM_AUTHENTICATE:
181		if (r == PAM_AUTH_ERR ||
182		    r == PAM_CRED_INSUFFICIENT ||
183		    r == PAM_AUTHINFO_UNAVAIL ||
184		    r == PAM_USER_UNKNOWN ||
185		    r == PAM_MAXTRIES)
186			return;
187		break;
188	case PAM_SM_SETCRED:
189		if (r == PAM_CRED_UNAVAIL ||
190		    r == PAM_CRED_EXPIRED ||
191		    r == PAM_USER_UNKNOWN ||
192		    r == PAM_CRED_ERR)
193			return;
194		break;
195	case PAM_SM_ACCT_MGMT:
196		if (r == PAM_USER_UNKNOWN ||
197		    r == PAM_AUTH_ERR ||
198		    r == PAM_NEW_AUTHTOK_REQD ||
199		    r == PAM_ACCT_EXPIRED)
200			return;
201		break;
202	case PAM_SM_OPEN_SESSION:
203	case PAM_SM_CLOSE_SESSION:
204		if (r == PAM_SESSION_ERR)
205			return;
206		break;
207	case PAM_SM_CHAUTHTOK:
208		if (r == PAM_PERM_DENIED ||
209		    r == PAM_AUTHTOK_ERR ||
210		    r == PAM_AUTHTOK_RECOVERY_ERR ||
211		    r == PAM_AUTHTOK_LOCK_BUSY ||
212		    r == PAM_AUTHTOK_DISABLE_AGING ||
213		    r == PAM_TRY_AGAIN)
214			return;
215		break;
216	}
217
218	openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
219	    _pam_sm_func_name[primitive], r);
220}
221#endif /* !defined(OPENPAM_RELAX_CHECKS) */
222
223/*
224 * NODOC
225 *
226 * Error codes:
227 */
228