contrib/openpam/lib/openpam_dispatch.c

   1 /*-
   2  * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
   3  * Copyright (c) 2004-2011 Dag-Erling Smørgrav
   4  * All rights reserved.
   5  *
   6  * This software was developed for the FreeBSD Project by ThinkSec AS and
   7  * Network Associates Laboratories, the Security Research Division of
   8  * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
   9  * ("CBOSS"), as part of the DARPA CHATS research program.
  10  *
  11  * Redistribution and use in source and binary forms, with or without
  12  * modification, are permitted provided that the following conditions
  13  * are met:
  14  * 1. Redistributions of source code must retain the above copyright
  15  *    notice, this list of conditions and the following disclaimer.
  16  * 2. Redistributions in binary form must reproduce the above copyright
  17  *    notice, this list of conditions and the following disclaimer in the
  18  *    documentation and/or other materials provided with the distribution.
  19  * 3. The name of the author may not be used to endorse or promote
  20  *    products derived from this software without specific prior written
  21  *    permission.
  22  *
  23  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  33  * SUCH DAMAGE.
  34  *
  35  * $Id: openpam_dispatch.c 501 2011-12-07 01:28:05Z des $
  36  */
  37
  38 #ifdef HAVE_CONFIG_H
  39 # include "config.h"
  40 #endif
  41
  42 #include <sys/param.h>
  43
  44 #include <security/pam_appl.h>
  45
  46 #include "openpam_impl.h"
  47
  48 #if !defined(OPENPAM_RELAX_CHECKS)
  49 static void openpam_check_error_code(int, int);
  50 #else
  51 #define openpam_check_error_code(a, b)
  52 #endif /* !defined(OPENPAM_RELAX_CHECKS) */
  53
  54 /*
  55  * OpenPAM internal
  56  *
  57  * Execute a module chain
  58  */
  59
  60 int
  61 openpam_dispatch(pam_handle_t *pamh,
  62         int primitive,
  63         int flags)
  64 {
  65         pam_chain_t *chain;
  66         int err, fail, r;
  67         int debug;
  68
  69         ENTER();
  70         if (pamh == NULL)
  71                 RETURNC(PAM_SYSTEM_ERR);
  72
  73         /* prevent recursion */
  74         if (pamh->current != NULL) {
  75                 openpam_log(PAM_LOG_ERROR,
  76                     "%s() called while %s::%s() is in progress",
  77                     pam_func_name[primitive],
  78                     pamh->current->module->path,
  79                     pam_sm_func_name[pamh->primitive]);
  80                 RETURNC(PAM_ABORT);
  81         }
  82
  83         /* pick a chain */
  84         switch (primitive) {
  85         case PAM_SM_AUTHENTICATE:
  86         case PAM_SM_SETCRED:
  87                 chain = pamh->chains[PAM_AUTH];
  88                 break;
  89         case PAM_SM_ACCT_MGMT:
  90                 chain = pamh->chains[PAM_ACCOUNT];
  91                 break;
  92         case PAM_SM_OPEN_SESSION:
  93         case PAM_SM_CLOSE_SESSION:
  94                 chain = pamh->chains[PAM_SESSION];
  95                 break;
  96         case PAM_SM_CHAUTHTOK:
  97                 chain = pamh->chains[PAM_PASSWORD];
  98                 break;
  99         default:
 100                 RETURNC(PAM_SYSTEM_ERR);
 101         }
 102
 103         /* execute */
 104         for (err = fail = 0; chain != NULL; chain = chain->next) {
 105                 if (chain->module->func[primitive] == NULL) {
 106                         openpam_log(PAM_LOG_ERROR, "%s: no %s()",
 107                             chain->module->path, pam_sm_func_name[primitive]);
 108                         r = PAM_SYSTEM_ERR;
 109                 } else {
 110                         pamh->primitive = primitive;
 111                         pamh->current = chain;
 112                         debug = (openpam_get_option(pamh, "debug") != NULL);
 113                         if (debug)
 114                                 ++openpam_debug;
 115                         openpam_log(PAM_LOG_DEBUG, "calling %s() in %s",
 116                             pam_sm_func_name[primitive], chain->module->path);
 117                         r = (chain->module->func[primitive])(pamh, flags,
 118                             chain->optc, (const char **)chain->optv);
 119                         pamh->current = NULL;
 120                         openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
 121                             chain->module->path, pam_sm_func_name[primitive],
 122                             pam_strerror(pamh, r));
 123                         if (debug)
 124                                 --openpam_debug;
 125                 }
 126
 127                 if (r == PAM_IGNORE)
 128                         continue;
 129                 if (r == PAM_SUCCESS) {
 130                         /*
 131                          * For pam_setcred() and pam_chauthtok() with the
 132                          * PAM_PRELIM_CHECK flag, treat "sufficient" as
 133                          * "optional".
 134                          */
 135                         if ((chain->flag == PAM_SUFFICIENT ||
 136                             chain->flag == PAM_BINDING) && !fail &&
 137                             primitive != PAM_SM_SETCRED &&
 138                             !(primitive == PAM_SM_CHAUTHTOK &&
 139                                 (flags & PAM_PRELIM_CHECK)))
 140                                 break;
 141                         continue;
 142                 }
 143
 144                 openpam_check_error_code(primitive, r);
 145
 146                 /*
 147                  * Record the return code from the first module to
 148                  * fail.  If a required module fails, record the
 149                  * return code from the first required module to fail.
 150                  */
 151                 if (err == 0)
 152                         err = r;
 153                 if ((chain->flag == PAM_REQUIRED ||
 154                     chain->flag == PAM_BINDING) && !fail) {
 155                         openpam_log(PAM_LOG_DEBUG, "required module failed");
 156                         fail = 1;
 157                         err = r;
 158                 }
 159
 160                 /*
 161                  * If a requisite module fails, terminate the chain
 162                  * immediately.
 163                  */
 164                 if (chain->flag == PAM_REQUISITE) {
 165                         openpam_log(PAM_LOG_DEBUG, "requisite module failed");
 166                         fail = 1;
 167                         break;
 168                 }
 169         }
 170
 171         if (!fail && err != PAM_NEW_AUTHTOK_REQD)
 172                 err = PAM_SUCCESS;
 173         RETURNC(err);
 174 }
 175
 176 #if !defined(OPENPAM_RELAX_CHECKS)
 177 static void
 178 openpam_check_error_code(int primitive, int r)
 179 {
 180         /* common error codes */
 181         if (r == PAM_SUCCESS ||
 182             r == PAM_SERVICE_ERR ||
 183             r == PAM_BUF_ERR ||
 184             r == PAM_CONV_ERR ||
 185             r == PAM_PERM_DENIED ||
 186             r == PAM_ABORT)
 187                 return;
 188
 189         /* specific error codes */
 190         switch (primitive) {
 191         case PAM_SM_AUTHENTICATE:
 192                 if (r == PAM_AUTH_ERR ||
 193                     r == PAM_CRED_INSUFFICIENT ||
 194                     r == PAM_AUTHINFO_UNAVAIL ||
 195                     r == PAM_USER_UNKNOWN ||
 196                     r == PAM_MAXTRIES)
 197                         return;
 198                 break;
 199         case PAM_SM_SETCRED:
 200                 if (r == PAM_CRED_UNAVAIL ||
 201                     r == PAM_CRED_EXPIRED ||
 202                     r == PAM_USER_UNKNOWN ||
 203                     r == PAM_CRED_ERR)
 204                         return;
 205                 break;
 206         case PAM_SM_ACCT_MGMT:
 207                 if (r == PAM_USER_UNKNOWN ||
 208                     r == PAM_AUTH_ERR ||
 209                     r == PAM_NEW_AUTHTOK_REQD ||
 210                     r == PAM_ACCT_EXPIRED)
 211                         return;
 212                 break;
 213         case PAM_SM_OPEN_SESSION:
 214         case PAM_SM_CLOSE_SESSION:
 215                 if (r == PAM_SESSION_ERR)
 216                         return;
 217                 break;
 218         case PAM_SM_CHAUTHTOK:
 219                 if (r == PAM_PERM_DENIED ||
 220                     r == PAM_AUTHTOK_ERR ||
 221                     r == PAM_AUTHTOK_RECOVERY_ERR ||
 222                     r == PAM_AUTHTOK_LOCK_BUSY ||
 223                     r == PAM_AUTHTOK_DISABLE_AGING ||
 224                     r == PAM_TRY_AGAIN)
 225                         return;
 226                 break;
 227         }
 228
 229         openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
 230             pam_sm_func_name[primitive], r);
 231 }
 232 #endif /* !defined(OPENPAM_RELAX_CHECKS) */
 233
 234 /*
 235  * NODOC
 236  *
 237  * Error codes:
 238  */