openpam_dispatch.c revision 255376 
1/*-
2 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3 * Copyright (c) 2004-2011 Dag-Erling Sm��rgrav
4 * All rights reserved.
5 *
6 * This software was developed for the FreeBSD Project by ThinkSec AS and
7 * Network Associates Laboratories, the Security Research Division of
8 * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
9 * ("CBOSS"), as part of the DARPA CHATS research program.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 *    notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 *    notice, this list of conditions and the following disclaimer in the
18 *    documentation and/or other materials provided with the distribution.
19 * 3. The name of the author may not be used to endorse or promote
20 *    products derived from this software without specific prior written
21 *    permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 *
35 * $Id: openpam_dispatch.c 649 2013-03-05 17:58:33Z des $
36 */
37
38#ifdef HAVE_CONFIG_H
39# include "config.h"
40#endif
41
42#include <sys/param.h>
43
44#include <security/pam_appl.h>
45
46#include "openpam_impl.h"
47
48#if !defined(OPENPAM_RELAX_CHECKS)
49static void openpam_check_error_code(int, int);
50#else
51#define openpam_check_error_code(a, b)
52#endif /* !defined(OPENPAM_RELAX_CHECKS) */
53
54/*
55 * OpenPAM internal
56 *
57 * Execute a module chain
58 */
59
60int
61openpam_dispatch(pam_handle_t *pamh,
62	int primitive,
63	int flags)
64{
65	pam_chain_t *chain;
66	int err, fail, r;
67	int debug;
68
69	ENTER();
70	if (pamh == NULL)
71		RETURNC(PAM_SYSTEM_ERR);
72
73	/* prevent recursion */
74	if (pamh->current != NULL) {
75		openpam_log(PAM_LOG_ERROR,
76		    "%s() called while %s::%s() is in progress",
77		    pam_func_name[primitive],
78		    pamh->current->module->path,
79		    pam_sm_func_name[pamh->primitive]);
80		RETURNC(PAM_ABORT);
81	}
82
83	/* pick a chain */
84	switch (primitive) {
85	case PAM_SM_AUTHENTICATE:
86	case PAM_SM_SETCRED:
87		chain = pamh->chains[PAM_AUTH];
88		break;
89	case PAM_SM_ACCT_MGMT:
90		chain = pamh->chains[PAM_ACCOUNT];
91		break;
92	case PAM_SM_OPEN_SESSION:
93	case PAM_SM_CLOSE_SESSION:
94		chain = pamh->chains[PAM_SESSION];
95		break;
96	case PAM_SM_CHAUTHTOK:
97		chain = pamh->chains[PAM_PASSWORD];
98		break;
99	default:
100		RETURNC(PAM_SYSTEM_ERR);
101	}
102
103	/* execute */
104	for (err = fail = 0; chain != NULL; chain = chain->next) {
105		if (chain->module->func[primitive] == NULL) {
106			openpam_log(PAM_LOG_ERROR, "%s: no %s()",
107			    chain->module->path, pam_sm_func_name[primitive]);
108			r = PAM_SYSTEM_ERR;
109		} else {
110			pamh->primitive = primitive;
111			pamh->current = chain;
112			debug = (openpam_get_option(pamh, "debug") != NULL);
113			if (debug)
114				++openpam_debug;
115			openpam_log(PAM_LOG_LIBDEBUG, "calling %s() in %s",
116			    pam_sm_func_name[primitive], chain->module->path);
117			r = (chain->module->func[primitive])(pamh, flags,
118			    chain->optc, (const char **)chain->optv);
119			pamh->current = NULL;
120			openpam_log(PAM_LOG_LIBDEBUG, "%s: %s(): %s",
121			    chain->module->path, pam_sm_func_name[primitive],
122			    pam_strerror(pamh, r));
123			if (debug)
124				--openpam_debug;
125		}
126
127		if (r == PAM_IGNORE)
128			continue;
129		if (r == PAM_SUCCESS) {
130			/*
131			 * For pam_setcred() and pam_chauthtok() with the
132			 * PAM_PRELIM_CHECK flag, treat "sufficient" as
133			 * "optional".
134			 */
135			if ((chain->flag == PAM_SUFFICIENT ||
136			    chain->flag == PAM_BINDING) && !fail &&
137			    primitive != PAM_SM_SETCRED &&
138			    !(primitive == PAM_SM_CHAUTHTOK &&
139				(flags & PAM_PRELIM_CHECK)))
140				break;
141			continue;
142		}
143
144		openpam_check_error_code(primitive, r);
145
146		/*
147		 * Record the return code from the first module to
148		 * fail.  If a required module fails, record the
149		 * return code from the first required module to fail.
150		 */
151		if (err == 0)
152			err = r;
153		if ((chain->flag == PAM_REQUIRED ||
154		    chain->flag == PAM_BINDING) && !fail) {
155			openpam_log(PAM_LOG_LIBDEBUG, "required module failed");
156			fail = 1;
157			err = r;
158		}
159
160		/*
161		 * If a requisite module fails, terminate the chain
162		 * immediately.
163		 */
164		if (chain->flag == PAM_REQUISITE) {
165			openpam_log(PAM_LOG_LIBDEBUG, "requisite module failed");
166			fail = 1;
167			break;
168		}
169	}
170
171	if (!fail && err != PAM_NEW_AUTHTOK_REQD)
172		err = PAM_SUCCESS;
173	RETURNC(err);
174}
175
176#if !defined(OPENPAM_RELAX_CHECKS)
177static void
178openpam_check_error_code(int primitive, int r)
179{
180	/* common error codes */
181	if (r == PAM_SUCCESS ||
182	    r == PAM_SYSTEM_ERR ||
183	    r == PAM_SERVICE_ERR ||
184	    r == PAM_BUF_ERR ||
185	    r == PAM_CONV_ERR ||
186	    r == PAM_PERM_DENIED ||
187	    r == PAM_ABORT)
188		return;
189
190	/* specific error codes */
191	switch (primitive) {
192	case PAM_SM_AUTHENTICATE:
193		if (r == PAM_AUTH_ERR ||
194		    r == PAM_CRED_INSUFFICIENT ||
195		    r == PAM_AUTHINFO_UNAVAIL ||
196		    r == PAM_USER_UNKNOWN ||
197		    r == PAM_MAXTRIES)
198			return;
199		break;
200	case PAM_SM_SETCRED:
201		if (r == PAM_CRED_UNAVAIL ||
202		    r == PAM_CRED_EXPIRED ||
203		    r == PAM_USER_UNKNOWN ||
204		    r == PAM_CRED_ERR)
205			return;
206		break;
207	case PAM_SM_ACCT_MGMT:
208		if (r == PAM_USER_UNKNOWN ||
209		    r == PAM_AUTH_ERR ||
210		    r == PAM_NEW_AUTHTOK_REQD ||
211		    r == PAM_ACCT_EXPIRED)
212			return;
213		break;
214	case PAM_SM_OPEN_SESSION:
215	case PAM_SM_CLOSE_SESSION:
216		if (r == PAM_SESSION_ERR)
217			return;
218		break;
219	case PAM_SM_CHAUTHTOK:
220		if (r == PAM_PERM_DENIED ||
221		    r == PAM_AUTHTOK_ERR ||
222		    r == PAM_AUTHTOK_RECOVERY_ERR ||
223		    r == PAM_AUTHTOK_LOCK_BUSY ||
224		    r == PAM_AUTHTOK_DISABLE_AGING ||
225		    r == PAM_TRY_AGAIN)
226			return;
227		break;
228	}
229
230	openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
231	    pam_sm_func_name[primitive], r);
232}
233#endif /* !defined(OPENPAM_RELAX_CHECKS) */
234
235/*
236 * NODOC
237 *
238 * Error codes:
239 */
240