auth-pam.c File Reference
#include <security/pam_appl.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <signal.h>
#include <syslog.h>
#include <limits.h>
#include "utils.h"
#include <arpa/inet.h>
#include <openvpn-plugin.h>

Data Structures

struct  auth_pam_context
 
struct  name_value
 
struct  name_value_list
 
struct  user_pass
 

Macros

#define DEBUG(verb)   ((verb) >= 4)
 
#define COMMAND_VERIFY   0
 
#define COMMAND_EXIT   1
 
#define RESPONSE_INIT_SUCCEEDED   10
 
#define RESPONSE_INIT_FAILED   11
 
#define RESPONSE_VERIFY_SUCCEEDED   12
 
#define RESPONSE_VERIFY_FAILED   13
 
#define RESPONSE_DEFER   14
 
#define N_NAME_VALUE   16
 

Functions

static void pam_server (int fd, const char *service, int verb, const struct name_value_list *name_value_list)
 
static int recv_control (int fd)
 
static int send_control (int fd, int code)
 
static int recv_string (int fd, char *buffer, int len)
 
static int send_string (int fd, const char *string)
 
static void close_fds_except (int keep)
 
static void set_signals (void)
 
static int name_value_match (const char *query, const char *match)
 
static void split_scrv1_password (struct user_pass *up)
 
OPENVPN_EXPORT int openvpn_plugin_open_v3 (const int v3structver, struct openvpn_plugin_args_open_in const *args, struct openvpn_plugin_args_open_return *ret)
 This function is called when OpenVPN loads the plug-in.
 
OPENVPN_EXPORT int openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
 This function is called by OpenVPN each time OpenVPN reaches a point where plug-in calls should happen.
 
OPENVPN_EXPORT void openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
 This cleans up the last part of the plug-in, allowing it to shut down cleanly and release the plug-in global context buffer.
 
OPENVPN_EXPORT void openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle)
 
static int my_conv (int n, const struct pam_message **msg_array, struct pam_response **response_array, void *appdata_ptr)
 
static int pam_auth (const char *service, const struct user_pass *up)
 
static void do_deferred_pam_auth (int fd, const char *ac_file_name, const char *service, const struct user_pass *up)
 

Variables

static plugin_log_t plugin_log = NULL
 
static plugin_secure_memzero_t plugin_secure_memzero = NULL
 
static plugin_base64_decode_t plugin_base64_decode = NULL
 
static char * MODULE = "AUTH-PAM"
 

Macro Definition Documentation

◆ COMMAND_EXIT

#define COMMAND_EXIT   1

Definition at line 59 of file auth-pam.c.

◆ COMMAND_VERIFY

#define COMMAND_VERIFY   0

Definition at line 58 of file auth-pam.c.

◆ DEBUG

#define DEBUG(verb)   ((verb) >= 4)

Definition at line 55 of file auth-pam.c.

◆ N_NAME_VALUE

#define N_NAME_VALUE   16

Definition at line 101 of file auth-pam.c.

◆ RESPONSE_DEFER

#define RESPONSE_DEFER   14

Definition at line 66 of file auth-pam.c.

◆ RESPONSE_INIT_FAILED

#define RESPONSE_INIT_FAILED   11

Definition at line 63 of file auth-pam.c.

◆ RESPONSE_INIT_SUCCEEDED

#define RESPONSE_INIT_SUCCEEDED   10

Definition at line 62 of file auth-pam.c.

◆ RESPONSE_VERIFY_FAILED

#define RESPONSE_VERIFY_FAILED   13

Definition at line 65 of file auth-pam.c.

◆ RESPONSE_VERIFY_SUCCEEDED

#define RESPONSE_VERIFY_SUCCEEDED   12

Definition at line 64 of file auth-pam.c.

Function Documentation

◆ close_fds_except()

static void close_fds_except ( int  keep)
static

Definition at line 251 of file auth-pam.c.

Referenced by openvpn_plugin_open_v3().

◆ do_deferred_pam_auth()

static void do_deferred_pam_auth ( int  fd,
const char *  ac_file_name,
const char *  service,
const struct user_pass up 
)
static

◆ my_conv()

static int my_conv ( int  n,
const struct pam_message **  msg_array,
struct pam_response **  response_array,
void *  appdata_ptr 
)
static

◆ name_value_match()

static int name_value_match ( const char *  query,
const char *  match 
)
static

Definition at line 284 of file auth-pam.c.

Referenced by my_conv().

◆ openvpn_plugin_abort_v1()

OPENVPN_EXPORT void openvpn_plugin_abort_v1 ( openvpn_plugin_handle_t  handle)

Definition at line 631 of file auth-pam.c.

References COMMAND_EXIT, and send_control().

◆ openvpn_plugin_close_v1()

OPENVPN_EXPORT void openvpn_plugin_close_v1 ( openvpn_plugin_handle_t  handle)

This cleans up the last part of the plug-in, allowing it to shut down cleanly and release the plug-in global context buffer.

Parameters
handle	Pointer to the plug-in global context buffer, which needs to be released by this function.

Definition at line 600 of file auth-pam.c.

References COMMAND_EXIT, DEBUG, MODULE, PLOG_ERR, PLOG_ERRNO, PLOG_NOTE, plugin_log, and send_control().

◆ openvpn_plugin_func_v1()

OPENVPN_EXPORT int openvpn_plugin_func_v1 ( openvpn_plugin_handle_t  handle,
const int  type,
const char *  argv[],
const char *  envp[] 
)

This function is called by OpenVPN each time OpenVPN reaches a point where plug-in calls should happen.

It only happens for those plug-in hooks enabled in openvpn_plugin_open_v3().

For the arguments, see the include/openvpn-plugin.h file for details on the function parameters

Parameters
args	Pointer to a struct with details about the plug-in call from the main OpenVPN process.
returndata	Pointer to a struct where the plug-in can provide information back to OpenVPN to be processed.
Returns
Must return OPENVPN_PLUGIN_FUNC_SUCCESS or OPENVPN_PLUGIN_FUNC_DEFERRED on success. Otherwise it should return OPENVPN_PLUGIN_FUNC_ERROR, which will stop and reject the client session from progressing.

Definition at line 523 of file auth-pam.c.

References COMMAND_VERIFY, DEBUG, get_env(), MODULE, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, OPENVPN_PLUGIN_FUNC_DEFERRED, OPENVPN_PLUGIN_FUNC_ERROR, OPENVPN_PLUGIN_FUNC_SUCCESS, PLOG_ERR, PLOG_ERRNO, PLOG_NOTE, plugin_log, recv_control(), RESPONSE_DEFER, RESPONSE_VERIFY_SUCCEEDED, send_control(), send_string(), and status.

◆ openvpn_plugin_open_v3()

OPENVPN_EXPORT int openvpn_plugin_open_v3 ( const int  v3structver,
struct openvpn_plugin_args_open_in const *  args,
struct openvpn_plugin_args_open_return ret 
)

This function is called when OpenVPN loads the plug-in.

The purpose is to initialize the plug-in and tell OpenVPN which plug-in hooks this plug-in wants to be involved in

For the arguments, see the include/openvpn-plugin.h file for details on the function parameters

Parameters
v3structver	An integer containing the API version of the plug-in structs OpenVPN uses.
args	A pointer to the argument struct for information and features provided by OpenVPN to the plug-in.
ret	A pointer to the struct OpenVPN uses to receive information back from the plug-in.
Returns
Must return OPENVPN_PLUGIN_FUNC_SUCCESS when everything completed successfully. Otherwise it must return OPENVPN_PLUGIN_FUNC_ERROR, which will stop OpenVPN from running.

Definition at line 358 of file auth-pam.c.

References openvpn_plugin_args_open_in::argv, openvpn_plugin_args_open_in::callbacks, close_fds_except(), daemonize(), name_value_list::data, openvpn_plugin_args_open_in::envp, get_env(), openvpn_plugin_args_open_return::handle, name_value_list::len, MODULE, N_NAME_VALUE, name_value::name, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, OPENVPN_PLUGIN_FUNC_ERROR, OPENVPN_PLUGIN_FUNC_SUCCESS, OPENVPN_PLUGIN_MASK, pam_server(), PLOG_ERR, PLOG_ERRNO, PLOG_NOTE, plugin_base64_decode, openvpn_plugin_callbacks::plugin_base64_decode, plugin_log, openvpn_plugin_callbacks::plugin_log, plugin_secure_memzero, openvpn_plugin_callbacks::plugin_secure_memzero, recv_control(), RESPONSE_INIT_SUCCEEDED, set_signals(), status, string_array_len(), openvpn_plugin_args_open_return::type_mask, and name_value::value.

◆ pam_auth()

static int pam_auth ( const char *  service,
const struct user_pass up 
)
static

◆ pam_server()

static void pam_server ( int  fd,
const char *  service,
int  verb,
const struct name_value_list name_value_list 
)
static

◆ recv_control()

static int recv_control ( int  fd)
static

Definition at line 138 of file auth-pam.c.

References read.

Referenced by openvpn_plugin_func_v1(), openvpn_plugin_open_v3(), and pam_server().

◆ recv_string()

static int recv_string ( int  fd,
char *  buffer,
int  len 
)
static

Definition at line 169 of file auth-pam.c.

References name_value_list::len, and read.

Referenced by pam_server().

◆ send_control()

static int send_control ( int  fd,
int  code 
)
static

◆ send_string()

static int send_string ( int  fd,
const char *  string 
)
static

Definition at line 186 of file auth-pam.c.

References name_value_list::len, and write.

Referenced by openvpn_plugin_func_v1().

◆ set_signals()

static void set_signals ( void  )
static

Definition at line 269 of file auth-pam.c.

Referenced by openvpn_plugin_open_v3().

◆ split_scrv1_password()

static void split_scrv1_password ( struct user_pass up)
static

Variable Documentation

◆ MODULE

char* MODULE = "AUTH-PAM"
static

◆ plugin_base64_decode

plugin_base64_decode_t plugin_base64_decode = NULL
static

Definition at line 71 of file auth-pam.c.

Referenced by openvpn_plugin_open_v3(), and split_scrv1_password().

◆ plugin_log

plugin_log_t plugin_log = NULL
static

◆ plugin_secure_memzero

plugin_secure_memzero_t plugin_secure_memzero = NULL
static

Definition at line 70 of file auth-pam.c.

Referenced by openvpn_plugin_open_v3(), pam_server(), and split_scrv1_password().