1/*-
2 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3 * Copyright (c) 2004-2017 Dag-Erling Sm��rgrav
4 * All rights reserved.
5 *
6 * This software was developed for the FreeBSD Project by ThinkSec AS and
7 * Network Associates Laboratories, the Security Research Division of
8 * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
9 * ("CBOSS"), as part of the DARPA CHATS research program.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 *    notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 *    notice, this list of conditions and the following disclaimer in the
18 *    documentation and/or other materials provided with the distribution.
19 * 3. The name of the author may not be used to endorse or promote
20 *    products derived from this software without specific prior written
21 *    permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36#ifdef HAVE_CONFIG_H
37# include "config.h"
38#endif
39
40#include <sys/param.h>
41
42#include <stdint.h>
43
44#include <security/pam_appl.h>
45
46#include "openpam_impl.h"
47
48#if !defined(OPENPAM_RELAX_CHECKS)
49static void openpam_check_error_code(int, int);
50#else
51#define openpam_check_error_code(a, b)
52#endif /* !defined(OPENPAM_RELAX_CHECKS) */
53
54/*
55 * OpenPAM internal
56 *
57 * Execute a module chain
58 */
59
60int
61openpam_dispatch(pam_handle_t *pamh,
62	int primitive,
63	int flags)
64{
65	pam_chain_t *chain;
66	int err, fail, nsuccess, r;
67	int debug;
68
69	ENTER();
70
71	/* prevent recursion */
72	if (pamh->current != NULL) {
73		openpam_log(PAM_LOG_ERROR,
74		    "%s() called while %s::%s() is in progress",
75		    pam_func_name[primitive],
76		    pamh->current->module->path,
77		    pam_sm_func_name[pamh->primitive]);
78		RETURNC(PAM_ABORT);
79	}
80
81	/* pick a chain */
82	switch (primitive) {
83	case PAM_SM_AUTHENTICATE:
84	case PAM_SM_SETCRED:
85		chain = pamh->chains[PAM_AUTH];
86		break;
87	case PAM_SM_ACCT_MGMT:
88		chain = pamh->chains[PAM_ACCOUNT];
89		break;
90	case PAM_SM_OPEN_SESSION:
91	case PAM_SM_CLOSE_SESSION:
92		chain = pamh->chains[PAM_SESSION];
93		break;
94	case PAM_SM_CHAUTHTOK:
95		chain = pamh->chains[PAM_PASSWORD];
96		break;
97	default:
98		RETURNC(PAM_SYSTEM_ERR);
99	}
100
101	/* execute */
102	err = PAM_SUCCESS;
103	fail = nsuccess = 0;
104	for (; chain != NULL; chain = chain->next) {
105		if (chain->module->func[primitive] == NULL) {
106			openpam_log(PAM_LOG_ERROR, "%s: no %s()",
107			    chain->module->path, pam_sm_func_name[primitive]);
108			r = PAM_SYMBOL_ERR;
109		} else {
110			pamh->primitive = primitive;
111			pamh->current = chain;
112			debug = (openpam_get_option(pamh, "debug") != NULL);
113			if (debug)
114				++openpam_debug;
115			openpam_log(PAM_LOG_LIBDEBUG, "calling %s() in %s",
116			    pam_sm_func_name[primitive], chain->module->path);
117			r = (chain->module->func[primitive])(pamh, flags,
118			    chain->optc, (const char **)(intptr_t)chain->optv);
119			pamh->current = NULL;
120			openpam_log(PAM_LOG_LIBDEBUG, "%s: %s(): %s",
121			    chain->module->path, pam_sm_func_name[primitive],
122			    pam_strerror(pamh, r));
123			if (debug)
124				--openpam_debug;
125		}
126
127		if (r == PAM_IGNORE)
128			continue;
129		if (r == PAM_SUCCESS) {
130			++nsuccess;
131			/*
132			 * For pam_setcred() and pam_chauthtok() with the
133			 * PAM_PRELIM_CHECK flag, treat "sufficient" as
134			 * "optional".
135			 */
136			if ((chain->flag == PAM_SUFFICIENT ||
137			    chain->flag == PAM_BINDING) && !fail &&
138			    primitive != PAM_SM_SETCRED &&
139			    !(primitive == PAM_SM_CHAUTHTOK &&
140				(flags & PAM_PRELIM_CHECK)))
141				break;
142			continue;
143		}
144
145		openpam_check_error_code(primitive, r);
146
147		/*
148		 * Record the return code from the first module to
149		 * fail.  If a required module fails, record the
150		 * return code from the first required module to fail.
151		 */
152		if (err == PAM_SUCCESS)
153			err = r;
154		if ((chain->flag == PAM_REQUIRED ||
155		    chain->flag == PAM_BINDING) && !fail) {
156			openpam_log(PAM_LOG_LIBDEBUG, "required module failed");
157			fail = 1;
158			err = r;
159		}
160
161		/*
162		 * If a requisite module fails, terminate the chain
163		 * immediately.
164		 */
165		if (chain->flag == PAM_REQUISITE) {
166			openpam_log(PAM_LOG_LIBDEBUG, "requisite module failed");
167			fail = 1;
168			break;
169		}
170	}
171
172	if (!fail && err != PAM_NEW_AUTHTOK_REQD)
173		err = PAM_SUCCESS;
174
175	/*
176	 * Require the chain to be non-empty, and at least one module
177	 * in the chain to be successful, so that we don't fail open.
178	 */
179	if (err == PAM_SUCCESS && nsuccess < 1) {
180		openpam_log(PAM_LOG_ERROR,
181		    "all modules were unsuccessful for %s()",
182		    pam_sm_func_name[primitive]);
183		err = PAM_SYSTEM_ERR;
184	}
185
186	RETURNC(err);
187}
188
189#if !defined(OPENPAM_RELAX_CHECKS)
190static void
191openpam_check_error_code(int primitive, int r)
192{
193	/* common error codes */
194	if (r == PAM_SUCCESS ||
195	    r == PAM_SYSTEM_ERR ||
196	    r == PAM_SERVICE_ERR ||
197	    r == PAM_BUF_ERR ||
198	    r == PAM_CONV_ERR ||
199	    r == PAM_PERM_DENIED ||
200	    r == PAM_ABORT)
201		return;
202
203	/* specific error codes */
204	switch (primitive) {
205	case PAM_SM_AUTHENTICATE:
206		if (r == PAM_AUTH_ERR ||
207		    r == PAM_CRED_INSUFFICIENT ||
208		    r == PAM_AUTHINFO_UNAVAIL ||
209		    r == PAM_USER_UNKNOWN ||
210		    r == PAM_MAXTRIES)
211			return;
212		break;
213	case PAM_SM_SETCRED:
214		if (r == PAM_CRED_UNAVAIL ||
215		    r == PAM_CRED_EXPIRED ||
216		    r == PAM_USER_UNKNOWN ||
217		    r == PAM_CRED_ERR)
218			return;
219		break;
220	case PAM_SM_ACCT_MGMT:
221		if (r == PAM_USER_UNKNOWN ||
222		    r == PAM_AUTH_ERR ||
223		    r == PAM_NEW_AUTHTOK_REQD ||
224		    r == PAM_ACCT_EXPIRED)
225			return;
226		break;
227	case PAM_SM_OPEN_SESSION:
228	case PAM_SM_CLOSE_SESSION:
229		if (r == PAM_SESSION_ERR)
230			return;
231		break;
232	case PAM_SM_CHAUTHTOK:
233		if (r == PAM_PERM_DENIED ||
234		    r == PAM_AUTHTOK_ERR ||
235		    r == PAM_AUTHTOK_RECOVERY_ERR ||
236		    r == PAM_AUTHTOK_LOCK_BUSY ||
237		    r == PAM_AUTHTOK_DISABLE_AGING ||
238		    r == PAM_TRY_AGAIN)
239			return;
240		break;
241	}
242
243	openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
244	    pam_sm_func_name[primitive], r);
245}
246#endif /* !defined(OPENPAM_RELAX_CHECKS) */
247
248/*
249 * NODOC
250 *
251 * Error codes:
252 */
253