auth-pam.c File Reference

#include <security/pam_appl.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <signal.h>
#include <syslog.h>
#include <limits.h>
#include "utils.h"
#include <arpa/inet.h>
#include <openvpn-plugin.h>

Include dependency graph for auth-pam.c:

Go to the source code of this file.

Data Structures
struct	auth_pam_context
struct	name_value
struct	name_value_list
struct	user_pass

Macros
#define	DEBUG(verb)   ((verb) >= 4)
#define	COMMAND_VERIFY   0
#define	COMMAND_EXIT   1
#define	RESPONSE_INIT_SUCCEEDED   10
#define	RESPONSE_INIT_FAILED   11
#define	RESPONSE_VERIFY_SUCCEEDED   12
#define	RESPONSE_VERIFY_FAILED   13
#define	RESPONSE_DEFER   14
#define	N_NAME_VALUE   16

Functions
static void	pam_server (int fd, const char *service, int verb, const struct name_value_list *name_value_list)
static int	recv_control (int fd)
static int	send_control (int fd, int code)
static int	recv_string (int fd, char *buffer, int len)
static int	send_string (int fd, const char *string)
static void	close_fds_except (int keep)
static void	set_signals (void)
static int	name_value_match (const char *query, const char *match)
static void	split_scrv1_password (struct user_pass *up)
OPENVPN_EXPORT int	openvpn_plugin_open_v3 (const int v3structver, struct openvpn_plugin_args_open_in const *args, struct openvpn_plugin_args_open_return *ret)
	This function is called when OpenVPN loads the plug-in. More...
OPENVPN_EXPORT int	openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
	This function is called by OpenVPN each time the OpenVPN reaches a point where plug-in calls should happen. More...
OPENVPN_EXPORT void	openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
	This cleans up the last part of the plug-in, allows it to shut down cleanly and release the plug-in global context buffer. More...
OPENVPN_EXPORT void	openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle)
static int	my_conv (int n, const struct pam_message **msg_array, struct pam_response **response_array, void *appdata_ptr)
static int	pam_auth (const char *service, const struct user_pass *up)
static void	do_deferred_pam_auth (int fd, const char *ac_file_name, const char *service, const struct user_pass *up)

Variables
static plugin_log_t	plugin_log = NULL
static plugin_secure_memzero_t	plugin_secure_memzero = NULL
static plugin_base64_decode_t	plugin_base64_decode = NULL
static char *	MODULE = "AUTH-PAM"

Macro Definition Documentation

COMMAND_EXIT

#define COMMAND_EXIT   1

Definition at line 59 of file auth-pam.c.

COMMAND_VERIFY

#define COMMAND_VERIFY   0

Definition at line 58 of file auth-pam.c.

DEBUG

#define DEBUG

(

verb

)

((verb) >= 4)

Definition at line 55 of file auth-pam.c.

N_NAME_VALUE

#define N_NAME_VALUE   16

Definition at line 101 of file auth-pam.c.

RESPONSE_DEFER

#define RESPONSE_DEFER   14

Definition at line 66 of file auth-pam.c.

RESPONSE_INIT_FAILED

#define RESPONSE_INIT_FAILED   11

Definition at line 63 of file auth-pam.c.

RESPONSE_INIT_SUCCEEDED

#define RESPONSE_INIT_SUCCEEDED   10

Definition at line 62 of file auth-pam.c.

RESPONSE_VERIFY_FAILED

#define RESPONSE_VERIFY_FAILED   13

Definition at line 65 of file auth-pam.c.

RESPONSE_VERIFY_SUCCEEDED

#define RESPONSE_VERIFY_SUCCEEDED   12

Definition at line 64 of file auth-pam.c.

Function Documentation

close_fds_except()

static void close_fds_except ( int  keep )

static

Definition at line 251 of file auth-pam.c.

Referenced by openvpn_plugin_open_v3().

do_deferred_pam_auth()

static void do_deferred_pam_auth ( int  fd, const char *  ac_file_name, const char *  service, const struct user_pass *  up  )

static

Definition at line 850 of file auth-pam.c.

References MODULE, pam_auth(), PLOG_ERR, PLOG_ERRNO, PLOG_NOTE, plugin_log, RESPONSE_DEFER, send_control(), service, user_pass::username, and write.

Referenced by pam_server().

my_conv()

static int my_conv ( int  n, const struct pam_message **  msg_array, struct pam_response **  response_array, void *  appdata_ptr  )

static

Definition at line 648 of file auth-pam.c.

References user_pass::common_name, name_value_list::data, DEBUG, name_value_list::len, MODULE, msg, name_value::name, user_pass::name_value_list, name_value_match(), user_pass::password, PLOG_NOTE, plugin_log, user_pass::response, searchandreplace(), user_pass::username, name_value::value, and user_pass::verb.

Referenced by pam_auth().

name_value_match()

static int name_value_match ( const char *  query, const char *  match  )

static

Definition at line 284 of file auth-pam.c.

Referenced by my_conv().

openvpn_plugin_abort_v1()

OPENVPN_EXPORT void openvpn_plugin_abort_v1

(

openvpn_plugin_handle_t

handle

)

Definition at line 631 of file auth-pam.c.

References COMMAND_EXIT, and send_control().

openvpn_plugin_close_v1()

OPENVPN_EXPORT void openvpn_plugin_close_v1

(

openvpn_plugin_handle_t

handle

)

This cleans up the last part of the plug-in, allows it to shut down cleanly and release the plug-in global context buffer.

Parameters

handle

Pointer to the plug-in global context buffer, which need to be released by this function

Definition at line 600 of file auth-pam.c.

References COMMAND_EXIT, DEBUG, MODULE, PLOG_ERR, PLOG_ERRNO, PLOG_NOTE, plugin_log, and send_control().

openvpn_plugin_func_v1()

OPENVPN_EXPORT int openvpn_plugin_func_v1	(	openvpn_plugin_handle_t	handle,
		const int	type,
		const char *	argv[],
		const char *	envp[]
	)

This function is called by OpenVPN each time the OpenVPN reaches a point where plug-in calls should happen.

It only happens for those plug-in hooks enabled in openvpn_plugin_open_v3().

For the arguments, see the include/openvpn-plugin.h file for details on the function parameters

Parameters

args	Pointer to a struct with details about the plug-in call from the main OpenVPN process.
returndata	Pointer to a struct where the plug-in can provide information back to OpenVPN to be processed

Returns

Must return OPENVPN_PLUGIN_FUNC_SUCCESS or OPENVPN_PLUGIN_FUNC_DEFERRED on success. Otherwise it should return OPENVPN_FUNC_ERROR, which will stop and reject the client session from progressing.

Definition at line 523 of file auth-pam.c.

References COMMAND_VERIFY, DEBUG, get_env(), MODULE, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, OPENVPN_PLUGIN_FUNC_DEFERRED, OPENVPN_PLUGIN_FUNC_ERROR, OPENVPN_PLUGIN_FUNC_SUCCESS, PLOG_ERR, PLOG_ERRNO, PLOG_NOTE, plugin_log, recv_control(), RESPONSE_DEFER, RESPONSE_VERIFY_SUCCEEDED, send_control(), send_string(), and status.

openvpn_plugin_open_v3()

OPENVPN_EXPORT int openvpn_plugin_open_v3	(	const int	v3structver,
		struct openvpn_plugin_args_open_in const *	args,
		struct openvpn_plugin_args_open_return *	ret
	)

This function is called when OpenVPN loads the plug-in.

The purpose is to initialize the plug-in and tell OpenVPN which plug-in hooks this plug-in wants to be involved in

For the arguments, see the include/openvpn-plugin.h file for details on the function parameters

Parameters

v3structver	An integer containing the API version of the plug-in structs OpenVPN uses
args	A pointer to the argument struct for information and features provided by OpenVPN to the plug-in
ret	A pointer to the struct OpenVPN uses to receive information back from the plug-in

Returns

Must return OPENVPN_PLUGIN_FUNC_SUCCESS when everything completed successfully. Otherwise it must be returned OPENVPN_PLUGIN_FUNC_ERROR, which will stop OpenVPN from running

Definition at line 358 of file auth-pam.c.

References openvpn_plugin_args_open_in::argv, openvpn_plugin_args_open_in::callbacks, close_fds_except(), daemonize(), name_value_list::data, openvpn_plugin_args_open_in::envp, get_env(), openvpn_plugin_args_open_return::handle, name_value_list::len, MODULE, N_NAME_VALUE, name_value::name, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, OPENVPN_PLUGIN_FUNC_ERROR, OPENVPN_PLUGIN_FUNC_SUCCESS, OPENVPN_PLUGIN_MASK, pam_server(), PLOG_ERR, PLOG_ERRNO, PLOG_NOTE, plugin_base64_decode, openvpn_plugin_callbacks::plugin_base64_decode, plugin_log, openvpn_plugin_callbacks::plugin_log, plugin_secure_memzero, openvpn_plugin_callbacks::plugin_secure_memzero, recv_control(), RESPONSE_INIT_SUCCEEDED, set_signals(), status, string_array_len(), openvpn_plugin_args_open_return::type_mask, and name_value::value.

pam_auth()

static int pam_auth ( const char *  service, const struct user_pass *  up  )

static

Definition at line 791 of file auth-pam.c.

References name_value_list::len, MODULE, my_conv(), user_pass::name_value_list, PLOG_ERR, plugin_log, user_pass::remote, service, status, and user_pass::username.

Referenced by do_deferred_pam_auth(), and pam_server().

pam_server()

static void pam_server ( int  fd, const char *  service, int  verb, const struct name_value_list *  name_value_list  )

static

Definition at line 917 of file auth-pam.c.

References COMMAND_EXIT, COMMAND_VERIFY, user_pass::common_name, DEBUG, do_deferred_pam_auth(), MODULE, user_pass::name_value_list, pam_auth(), user_pass::password, PLOG_ERR, PLOG_ERRNO, PLOG_NOTE, plugin_log, plugin_secure_memzero, recv_control(), recv_string(), user_pass::remote, user_pass::response, RESPONSE_INIT_FAILED, RESPONSE_INIT_SUCCEEDED, RESPONSE_VERIFY_FAILED, RESPONSE_VERIFY_SUCCEEDED, send_control(), service, split_scrv1_password(), user_pass::username, and user_pass::verb.

Referenced by openvpn_plugin_open_v3().

recv_control()

static int recv_control ( int  fd )

static

Definition at line 138 of file auth-pam.c.

References read.

Referenced by openvpn_plugin_func_v1(), openvpn_plugin_open_v3(), and pam_server().

recv_string()

static int recv_string ( int  fd, char *  buffer, int  len  )

static

Definition at line 169 of file auth-pam.c.

References name_value_list::len, and read.

Referenced by pam_server().

send_control()

static int send_control ( int  fd, int  code  )

static

Definition at line 154 of file auth-pam.c.

References write.

Referenced by do_deferred_pam_auth(), openvpn_plugin_abort_v1(), openvpn_plugin_close_v1(), openvpn_plugin_func_v1(), and pam_server().

send_string()

static int send_string ( int  fd, const char *  string  )

static

Definition at line 186 of file auth-pam.c.

References name_value_list::len, and write.

Referenced by openvpn_plugin_func_v1().

set_signals()

static void set_signals ( void  )

static

Definition at line 269 of file auth-pam.c.

Referenced by openvpn_plugin_open_v3().

split_scrv1_password()

static void split_scrv1_password ( struct user_pass *  up )

static

Definition at line 303 of file auth-pam.c.

References DEBUG, MODULE, user_pass::password, PLOG_ERR, PLOG_NOTE, plugin_base64_decode, plugin_log, plugin_secure_memzero, user_pass::response, and user_pass::verb.

Referenced by pam_server().

Variable Documentation

MODULE

char* MODULE = "AUTH-PAM"

static

Definition at line 74 of file auth-pam.c.

Referenced by do_deferred_pam_auth(), my_conv(), openvpn_plugin_close_v1(), openvpn_plugin_func_v1(), openvpn_plugin_open_v3(), pam_auth(), pam_server(), and split_scrv1_password().

plugin_base64_decode

plugin_base64_decode_t plugin_base64_decode = NULL

static

Definition at line 71 of file auth-pam.c.

Referenced by openvpn_plugin_open_v3(), and split_scrv1_password().

plugin_log

plugin_log_t plugin_log = NULL

static

Definition at line 69 of file auth-pam.c.

Referenced by do_deferred_pam_auth(), my_conv(), openvpn_plugin_close_v1(), openvpn_plugin_func_v1(), openvpn_plugin_open_v3(), pam_auth(), pam_server(), and split_scrv1_password().

plugin_secure_memzero

plugin_secure_memzero_t plugin_secure_memzero = NULL

static

Definition at line 70 of file auth-pam.c.

Referenced by openvpn_plugin_open_v3(), pam_server(), and split_scrv1_password().