auth-pam.c File Reference

#include <security/pam_appl.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <signal.h>
#include <syslog.h>
#include <limits.h>
#include "utils.h"
#include <arpa/inet.h>
#include <openvpn-plugin.h>

Include dependency graph for auth-pam.c:

Go to the source code of this file.

Data Structures
struct	auth_pam_context
struct	name_value
struct	name_value_list
struct	user_pass

Macros
#define	DEBUG(verb)   ((verb) >= 4)
#define	COMMAND_VERIFY   0
#define	COMMAND_EXIT   1
#define	RESPONSE_INIT_SUCCEEDED   10
#define	RESPONSE_INIT_FAILED   11
#define	RESPONSE_VERIFY_SUCCEEDED   12
#define	RESPONSE_VERIFY_FAILED   13
#define	RESPONSE_DEFER   14
#define	N_NAME_VALUE   16

Functions
static void	pam_server (int fd, const char *service, int verb, const struct name_value_list *name_value_list)
static int	recv_control (int fd)
static int	send_control (int fd, int code)
static int	recv_string (int fd, char *buffer, int len)
static int	send_string (int fd, const char *string)
static void	close_fds_except (int keep)
static void	set_signals (void)
static int	name_value_match (const char *query, const char *match)
static void	split_scrv1_password (struct user_pass *up)
OPENVPN_EXPORT int	openvpn_plugin_open_v3 (const int v3structver, struct openvpn_plugin_args_open_in const *args, struct openvpn_plugin_args_open_return *ret)
	This function is called when OpenVPN loads the plug-in. More...
OPENVPN_EXPORT int	openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
	This function is called by OpenVPN each time the OpenVPN reaches a point where plug-in calls should happen. More...
OPENVPN_EXPORT void	openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
	This cleans up the last part of the plug-in, allows it to shut down cleanly and release the plug-in global context buffer. More...
OPENVPN_EXPORT void	openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle)
static int	my_conv (int n, const struct pam_message **msg_array, struct pam_response **response_array, void *appdata_ptr)
static int	pam_auth (const char *service, const struct user_pass *up)
static void	do_deferred_pam_auth (int fd, const char *ac_file_name, const char *service, const struct user_pass *up)

Variables
static plugin_log_t	plugin_log = NULL
static plugin_secure_memzero_t	plugin_secure_memzero = NULL
static plugin_base64_decode_t	plugin_base64_decode = NULL
static char *	MODULE = "AUTH-PAM"

Macro Definition Documentation

COMMAND_EXIT

#define COMMAND_EXIT   1

Definition at line 59 of file auth-pam.c.

COMMAND_VERIFY

#define COMMAND_VERIFY   0

Definition at line 58 of file auth-pam.c.

DEBUG

#define DEBUG

(

verb

)

((verb) >= 4)

Definition at line 55 of file auth-pam.c.

N_NAME_VALUE

#define N_NAME_VALUE   16

Definition at line 101 of file auth-pam.c.

RESPONSE_DEFER

#define RESPONSE_DEFER   14

Definition at line 66 of file auth-pam.c.

RESPONSE_INIT_FAILED

#define RESPONSE_INIT_FAILED   11

Definition at line 63 of file auth-pam.c.

RESPONSE_INIT_SUCCEEDED

#define RESPONSE_INIT_SUCCEEDED   10

Definition at line 62 of file auth-pam.c.

RESPONSE_VERIFY_FAILED

#define RESPONSE_VERIFY_FAILED   13

Definition at line 65 of file auth-pam.c.

RESPONSE_VERIFY_SUCCEEDED

#define RESPONSE_VERIFY_SUCCEEDED   12

Definition at line 64 of file auth-pam.c.

Function Documentation

close_fds_except()

static void close_fds_except ( int  keep )

static

Definition at line 251 of file auth-pam.c.

Referenced by openvpn_plugin_open_v3().

do_deferred_pam_auth()

static void do_deferred_pam_auth ( int  fd, const char *  ac_file_name, const char *  service, const struct user_pass *  up  )

static

Definition at line 850 of file auth-pam.c.

References MODULE, pam_auth(), PLOG_ERR, PLOG_ERRNO, PLOG_NOTE, plugin_log, RESPONSE_DEFER, send_control(), service, user_pass::username, and write.

Referenced by pam_server().

my_conv()

static int my_conv ( int  n, const struct pam_message **  msg_array, struct pam_response **  response_array, void *  appdata_ptr  )

static

Definition at line 648 of file auth-pam.c.

References user_pass::common_name, name_value_list::data, DEBUG, name_value_list::len, MODULE, msg, name_value::name, user_pass::name_value_list, name_value_match(), user_pass::password, PLOG_NOTE, plugin_log, user_pass::response, searchandreplace(), user_pass::username, name_value::value, and user_pass::verb.

Referenced by pam_auth().

name_value_match()

static int name_value_match ( const char *  query, const char *  match  )

static

Definition at line 284 of file auth-pam.c.

Referenced by my_conv().

openvpn_plugin_abort_v1()

OPENVPN_EXPORT void openvpn_plugin_abort_v1

(

openvpn_plugin_handle_t

handle

)

Definition at line 631 of file auth-pam.c.

References COMMAND_EXIT, and send_control().

openvpn_plugin_close_v1()

OPENVPN_EXPORT void openvpn_plugin_close_v1

(

openvpn_plugin_handle_t

handle

)

This cleans up the last part of the plug-in, allows it to shut down cleanly and release the plug-in global context buffer.

Parameters

handle

Pointer to the plug-in global context buffer, which need to be released by this function

Definition at line 600 of file auth-pam.c.

References COMMAND_EXIT, DEBUG, MODULE, PLOG_ERR, PLOG_ERRNO, PLOG_NOTE, plugin_log, and send_control().

openvpn_plugin_func_v1()

OPENVPN_EXPORT int openvpn_plugin_func_v1	(	openvpn_plugin_handle_t	handle,
		const int	type,
		const char *	argv[],
		const char *	envp[]
	)

This function is called by OpenVPN each time the OpenVPN reaches a point where plug-in calls should happen.

It only happens for those plug-in hooks enabled in openvpn_plugin_open_v3().

For the arguments, see the include/openvpn-plugin.h file for details on the function parameters

Parameters

handle	Pointer to the plug-in global context buffer, which need to be released by this function
type	Type of the hook
argv	String array pointer to arguments for the hook
envp	String array pointer to current environment variables

Returns

Must return OPENVPN_PLUGIN_FUNC_SUCCESS or OPENVPN_PLUGIN_FUNC_DEFERRED on success. Otherwise it should return OPENVPN_FUNC_ERROR, which will stop and reject the client session from progressing.

Definition at line 523 of file auth-pam.c.

References COMMAND_VERIFY, DEBUG, get_env(), MODULE, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, OPENVPN_PLUGIN_FUNC_DEFERRED, OPENVPN_PLUGIN_FUNC_ERROR, OPENVPN_PLUGIN_FUNC_SUCCESS, PLOG_ERR, PLOG_ERRNO, PLOG_NOTE, plugin_log, recv_control(), RESPONSE_DEFER, RESPONSE_VERIFY_SUCCEEDED, send_control(), send_string(), and status.

openvpn_plugin_open_v3()

OPENVPN_EXPORT int openvpn_plugin_open_v3	(	const int	v3structver,
		struct openvpn_plugin_args_open_in const *	args,
		struct openvpn_plugin_args_open_return *	ret
	)

This function is called when OpenVPN loads the plug-in.

The purpose is to initialize the plug-in and tell OpenVPN which plug-in hooks this plug-in wants to be involved in

For the arguments, see the include/openvpn-plugin.h file for details on the function parameters

Parameters

v3structver	An integer containing the API version of the plug-in structs OpenVPN uses
args	A pointer to the argument struct for information and features provided by OpenVPN to the plug-in
ret	A pointer to the struct OpenVPN uses to receive information back from the plug-in

Returns

Must return OPENVPN_PLUGIN_FUNC_SUCCESS when everything completed successfully. Otherwise it must be returned OPENVPN_PLUGIN_FUNC_ERROR, which will stop OpenVPN from running

Definition at line 358 of file auth-pam.c.

References openvpn_plugin_args_open_in::argv, openvpn_plugin_args_open_in::callbacks, close_fds_except(), daemonize(), name_value_list::data, openvpn_plugin_args_open_in::envp, get_env(), openvpn_plugin_args_open_return::handle, name_value_list::len, MODULE, N_NAME_VALUE, name_value::name, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, OPENVPN_PLUGIN_FUNC_ERROR, OPENVPN_PLUGIN_FUNC_SUCCESS, OPENVPN_PLUGIN_MASK, pam_server(), PLOG_ERR, PLOG_ERRNO, PLOG_NOTE, plugin_base64_decode, openvpn_plugin_callbacks::plugin_base64_decode, plugin_log, openvpn_plugin_callbacks::plugin_log, plugin_secure_memzero, openvpn_plugin_callbacks::plugin_secure_memzero, recv_control(), RESPONSE_INIT_SUCCEEDED, set_signals(), status, string_array_len(), openvpn_plugin_args_open_return::type_mask, and name_value::value.

pam_auth()

static int pam_auth ( const char *  service, const struct user_pass *  up  )

static

Definition at line 791 of file auth-pam.c.

References name_value_list::len, MODULE, my_conv(), user_pass::name_value_list, PLOG_ERR, plugin_log, user_pass::remote, service, status, and user_pass::username.

Referenced by do_deferred_pam_auth(), and pam_server().

pam_server()

static void pam_server ( int  fd, const char *  service, int  verb, const struct name_value_list *  name_value_list  )

static

Definition at line 917 of file auth-pam.c.

References COMMAND_EXIT, COMMAND_VERIFY, user_pass::common_name, DEBUG, do_deferred_pam_auth(), MODULE, user_pass::name_value_list, pam_auth(), user_pass::password, PLOG_ERR, PLOG_ERRNO, PLOG_NOTE, plugin_log, plugin_secure_memzero, recv_control(), recv_string(), user_pass::remote, user_pass::response, RESPONSE_INIT_FAILED, RESPONSE_INIT_SUCCEEDED, RESPONSE_VERIFY_FAILED, RESPONSE_VERIFY_SUCCEEDED, send_control(), service, split_scrv1_password(), user_pass::username, and user_pass::verb.

Referenced by openvpn_plugin_open_v3().

recv_control()

static int recv_control ( int  fd )

static

Definition at line 138 of file auth-pam.c.

References read.

Referenced by openvpn_plugin_func_v1(), openvpn_plugin_open_v3(), and pam_server().

recv_string()

static int recv_string ( int  fd, char *  buffer, int  len  )

static

Definition at line 169 of file auth-pam.c.

References name_value_list::len, and read.

Referenced by pam_server().

send_control()

static int send_control ( int  fd, int  code  )

static

Definition at line 154 of file auth-pam.c.

References write.

Referenced by do_deferred_pam_auth(), openvpn_plugin_abort_v1(), openvpn_plugin_close_v1(), openvpn_plugin_func_v1(), and pam_server().

send_string()

static int send_string ( int  fd, const char *  string  )

static

Definition at line 186 of file auth-pam.c.

References name_value_list::len, and write.

Referenced by openvpn_plugin_func_v1().

set_signals()

static void set_signals ( void  )

static

Definition at line 269 of file auth-pam.c.

Referenced by openvpn_plugin_open_v3().

split_scrv1_password()

static void split_scrv1_password ( struct user_pass *  up )

static

Definition at line 303 of file auth-pam.c.

References DEBUG, MODULE, user_pass::password, PLOG_ERR, PLOG_NOTE, plugin_base64_decode, plugin_log, plugin_secure_memzero, user_pass::response, and user_pass::verb.

Referenced by pam_server().

Variable Documentation

MODULE

char* MODULE = "AUTH-PAM"

static

Definition at line 74 of file auth-pam.c.

Referenced by do_deferred_pam_auth(), my_conv(), openvpn_plugin_close_v1(), openvpn_plugin_func_v1(), openvpn_plugin_open_v3(), pam_auth(), pam_server(), and split_scrv1_password().

plugin_base64_decode

plugin_base64_decode_t plugin_base64_decode = NULL

static

Definition at line 71 of file auth-pam.c.

Referenced by openvpn_plugin_open_v3(), and split_scrv1_password().

plugin_log

plugin_log_t plugin_log = NULL

static

Definition at line 69 of file auth-pam.c.

Referenced by do_deferred_pam_auth(), my_conv(), openvpn_plugin_close_v1(), openvpn_plugin_func_v1(), openvpn_plugin_open_v3(), pam_auth(), pam_server(), and split_scrv1_password().

plugin_secure_memzero

plugin_secure_memzero_t plugin_secure_memzero = NULL

static

Definition at line 70 of file auth-pam.c.

Referenced by openvpn_plugin_open_v3(), pam_server(), and split_scrv1_password().