lib/libpam/openpam_dispatch.c

193326Sed/*-
193326Sed * Copyright (c) 2002 Networks Associates Technologies, Inc.
193326Sed * All rights reserved.
193326Sed *
193326Sed * This software was developed for the FreeBSD Project by ThinkSec AS and
193326Sed * NAI Labs, the Security Research Division of Network Associates, Inc.
193326Sed * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
193326Sed * DARPA CHATS research program.
193326Sed *
193326Sed * Redistribution and use in source and binary forms, with or without
193326Sed * modification, are permitted provided that the following conditions
193326Sed * are met:
193326Sed * 1. Redistributions of source code must retain the above copyright
193326Sed *    notice, this list of conditions and the following disclaimer.
193326Sed * 2. Redistributions in binary form must reproduce the above copyright
193326Sed *    notice, this list of conditions and the following disclaimer in the
193326Sed *    documentation and/or other materials provided with the distribution.
193326Sed * 3. The name of the author may not be used to endorse or promote
193326Sed *    products derived from this software without specific prior written
202379Srdivacky *    permission.
224145Sdim *
218893Sdim * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
193326Sed * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
224145Sdim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
193326Sed * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
193326Sed * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
193326Sed * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
198092Srdivacky * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
193326Sed * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
193326Sed * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
193326Sed * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
193326Sed * SUCH DAMAGE.
193326Sed *
198092Srdivacky * $Id$
207619Srdivacky */
193326Sed
193326Sed#include <sys/param.h>
198398Srdivacky
193326Sed#include <security/pam_appl.h>
210299Sed
193326Sed#include "openpam_impl.h"
193326Sed
193326Sed#if !defined(OPENPAM_RELAX_CHECKS)
212904Sdimstatic void _openpam_check_error_code(int, int);
193326Sed#else
193326Sed#define _openpam_check_error_code(a, b)
221345Sdim#endif /* !defined(OPENPAM_RELAX_CHECKS) */
198092Srdivacky
193326Sed/*
218893Sdim * OpenPAM internal
193326Sed *
193326Sed * Execute a module chain
193326Sed */
193326Sed
193326Sedint
193326Sedopenpam_dispatch(pam_handle_t *pamh,
193326Sed	int primitive,
193326Sed	int flags)
193326Sed{
193326Sed	pam_chain_t *chain;
193326Sed	int err, fail, r;
204643Srdivacky
193326Sed	if (pamh == NULL)
193326Sed		return (PAM_SYSTEM_ERR);
193326Sed
193326Sed	/* prevent recursion */
193326Sed	if (pamh->current != NULL) {
224145Sdim		openpam_log(PAM_LOG_ERROR, "indirect recursion");
193326Sed		return (PAM_ABORT);
193326Sed	}
193326Sed
193326Sed	/* pick a chain */
193326Sed	switch (primitive) {
193326Sed	case PAM_SM_AUTHENTICATE:
208600Srdivacky	case PAM_SM_SETCRED:
212904Sdim		chain = pamh->chains[PAM_AUTH];
218893Sdim		break;
218893Sdim	case PAM_SM_ACCT_MGMT:
193326Sed		chain = pamh->chains[PAM_ACCOUNT];
210299Sed		break;
210299Sed	case PAM_SM_OPEN_SESSION:
210299Sed	case PAM_SM_CLOSE_SESSION:
210299Sed		chain = pamh->chains[PAM_SESSION];
210299Sed		break;
210299Sed	case PAM_SM_CHAUTHTOK:
210299Sed		chain = pamh->chains[PAM_PASSWORD];
212904Sdim		break;
212904Sdim	default:
212904Sdim		return (PAM_SYSTEM_ERR);
212904Sdim	}
210299Sed
212904Sdim	/* execute */
210299Sed	for (err = fail = 0; chain != NULL; chain = chain->next) {
210299Sed		openpam_log(PAM_LOG_DEBUG, "calling %s() in %s",
210299Sed		    _pam_sm_func_name[primitive], chain->module->path);
210299Sed		if (chain->module->func[primitive] == NULL) {
210299Sed			openpam_log(PAM_LOG_ERROR, "%s: no %s()",
212904Sdim			    chain->module->path, _pam_sm_func_name[primitive]);
212904Sdim			continue;
212904Sdim		} else {
212904Sdim			pamh->current = chain;
212904Sdim			r = (chain->module->func[primitive])(pamh, flags,
210299Sed			    chain->optc, (const char **)chain->optv);
210299Sed			pamh->current = NULL;
218893Sdim			openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
218893Sdim			    chain->module->path, _pam_sm_func_name[primitive],
218893Sdim			    pam_strerror(pamh, r));
218893Sdim		}
218893Sdim
218893Sdim		if (r == PAM_IGNORE)
218893Sdim			continue;
218893Sdim		if (r == PAM_SUCCESS) {
218893Sdim			/*
218893Sdim			 * For pam_setcred(), treat "sufficient" as
218893Sdim			 * "optional".
218893Sdim			 *
218893Sdim			 * Note that Solaris libpam does not terminate
218893Sdim			 * the chain here if a required module has
218893Sdim			 * previously failed.  I'm not sure why.
218893Sdim			 */
218893Sdim			if (chain->flag == PAM_SUFFICIENT &&
218893Sdim			    primitive != PAM_SM_SETCRED)
218893Sdim				break;
218893Sdim			continue;
218893Sdim		}
218893Sdim
212904Sdim		_openpam_check_error_code(primitive, r);
212904Sdim
212904Sdim		/*
212904Sdim		 * Record the return code from the first module to
210299Sed		 * fail.  If a required module fails, record the
212904Sdim		 * return code from the first required module to fail.
212904Sdim		 */
212904Sdim		if (err == 0)
212904Sdim			err = r;
212904Sdim		if (chain->flag == PAM_REQUIRED && !fail) {
212904Sdim			openpam_log(PAM_LOG_DEBUG, "required module failed");
210299Sed			fail = 1;
210299Sed			err = r;
210299Sed		}
210299Sed
210299Sed		/*
210299Sed		 * If a requisite module fails, terminate the chain
210299Sed		 * immediately.
210299Sed		 */
210299Sed		if (chain->flag == PAM_REQUISITE) {
210299Sed			openpam_log(PAM_LOG_DEBUG, "requisite module failed");
210299Sed			fail = 1;
210299Sed			break;
210299Sed		}
210299Sed	}
210299Sed
210299Sed	if (!fail)
210299Sed		err = PAM_SUCCESS;
210299Sed	openpam_log(PAM_LOG_DEBUG, "returning: %s", pam_strerror(pamh, err));
210299Sed	return (err);
210299Sed}
212904Sdim
212904Sdim#if !defined(OPENPAM_RELAX_CHECKS)
212904Sdimstatic void
212904Sdim_openpam_check_error_code(int primitive, int r)
212904Sdim{
212904Sdim	/* common error codes */
212904Sdim	if (r == PAM_SUCCESS ||
212904Sdim	    r == PAM_SERVICE_ERR ||
212904Sdim	    r == PAM_BUF_ERR ||
212904Sdim	    r == PAM_CONV_ERR ||
212904Sdim	    r == PAM_PERM_DENIED ||
210299Sed	    r == PAM_ABORT)
210299Sed		return;
210299Sed
210299Sed	/* specific error codes */
210299Sed	switch (primitive) {
210299Sed	case PAM_SM_AUTHENTICATE:
210299Sed		if (r == PAM_AUTH_ERR ||
210299Sed		    r == PAM_CRED_INSUFFICIENT ||
212904Sdim		    r == PAM_AUTHINFO_UNAVAIL ||
212904Sdim		    r == PAM_USER_UNKNOWN ||
212904Sdim		    r == PAM_MAXTRIES)
212904Sdim			return;
210299Sed		break;
212904Sdim	case PAM_SM_SETCRED:
210299Sed		if (r == PAM_CRED_UNAVAIL ||
212904Sdim		    r == PAM_CRED_EXPIRED ||
224145Sdim		    r == PAM_USER_UNKNOWN ||
224145Sdim		    r == PAM_CRED_ERR)
210299Sed			return;
224145Sdim		break;
224145Sdim	case PAM_SM_ACCT_MGMT:
224145Sdim		if (r == PAM_USER_UNKNOWN ||
224145Sdim		    r == PAM_AUTH_ERR ||
224145Sdim		    r == PAM_NEW_AUTHTOK_REQD ||
224145Sdim		    r == PAM_ACCT_EXPIRED)
224145Sdim			return;
224145Sdim		break;
210299Sed	case PAM_SM_OPEN_SESSION:
224145Sdim	case PAM_SM_CLOSE_SESSION:
224145Sdim		if (r == PAM_SESSION_ERR)
224145Sdim			return;
224145Sdim		break;
224145Sdim	case PAM_SM_CHAUTHTOK:
224145Sdim		if (r == PAM_PERM_DENIED ||
224145Sdim		    r == PAM_AUTHTOK_ERR ||
224145Sdim		    r == PAM_AUTHTOK_RECOVERY_ERR ||
224145Sdim		    r == PAM_AUTHTOK_LOCK_BUSY ||
224145Sdim		    r == PAM_AUTHTOK_DISABLE_AGING)
224145Sdim			return;
224145Sdim		break;
224145Sdim	}
224145Sdim
224145Sdim	openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
224145Sdim	    _pam_sm_func_name[primitive], r);
224145Sdim}
224145Sdim#endif /* !defined(OPENPAM_RELAX_CHECKS) */
224145Sdim
224145Sdim/*
224145Sdim * NODOC
224145Sdim *
210299Sed * Error codes:
210299Sed */
210299Sed