/*
- * $Id: uams_dhx_pam.c,v 1.13 2001-02-27 17:07:43 rufustfirefly Exp $
+ * $Id: uams_dhx_pam.c,v 1.33 2010-03-30 10:25:49 franklahm Exp $
*
* Copyright (c) 1990,1993 Regents of The University of Michigan.
* Copyright (c) 1999 Adrian Sun (asun@u.washington.edu)
#ifdef HAVE_CONFIG_H
#include "config.h"
-#endif
+#endif /* HAVE_CONFIG_H */
#if defined(USE_PAM) && defined(UAM_DHX)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#include <syslog.h>
+#include <atalk/logger.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
-
+#include <errno.h>
+#ifdef HAVE_SECURITY_PAM_APPL_H
#include <security/pam_appl.h>
+#endif
+#ifdef HAVE_PAM_PAM_APPL_H
+#include <pam/pam_appl.h>
+#endif
+#include <arpa/inet.h>
-#ifdef OPENSSL_DHX
+#if defined(GNUTLS_DHX)
+#include <gnutls/openssl.h>
+#elif defined(OPENSSL_DHX)
#include <openssl/bn.h>
#include <openssl/dh.h>
#include <openssl/cast.h>
-#else
+#include <openssl/err.h>
+#else /* OPENSSL_DHX */
#include <bn.h>
#include <dh.h>
#include <cast.h>
-#endif
+#include <err.h>
+#endif /* OPENSSL_DHX */
#include <atalk/afp.h>
#include <atalk/uam.h>
/* the secret key */
static CAST_KEY castkey;
static struct passwd *dhxpwd;
-static u_int8_t randbuf[KEYSIZE];
+static uint8_t randbuf[KEYSIZE];
/* diffie-hellman bits */
static unsigned char msg2_iv[] = "CJalbert";
static unsigned char msg3_iv[] = "LWallace";
-static const u_int8_t p[] = {0xBA, 0x28, 0x73, 0xDF, 0xB0, 0x60, 0x57, 0xD4,
+static const uint8_t p[] = {0xBA, 0x28, 0x73, 0xDF, 0xB0, 0x60, 0x57, 0xD4,
0x3F, 0x20, 0x24, 0x74, 0x4C, 0xEE, 0xE7, 0x5B};
-static const u_int8_t g = 0x07;
+static const uint8_t g = 0x07;
/* Static variables used to communicate between the conversation function
* echo off means password.
*/
static int PAM_conv (int num_msg,
- const struct pam_message **msg,
+ struct pam_message **msg,
struct pam_response **resp,
- void *appdata_ptr) {
+ void *appdata_ptr _U_) {
int count = 0;
struct pam_response *reply;
#define COPY_STRING(s) (s) ? strdup(s) : NULL
+ errno = 0;
+
if (num_msg < 1) {
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM DHX Conversation Err -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM DHX Conversation Err -- %s",
+ strerror(errno));
/* Log Entry */
return PAM_CONV_ERR;
}
if (!reply) {
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM DHX Conversation Err -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM DHX Conversation Err -- %s",
+ strerror(errno));
/* Log Entry */
return PAM_CONV_ERR;
}
case PAM_PROMPT_ECHO_ON:
if (!(string = COPY_STRING(PAM_username))) {
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: username failure -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: username failure -- %s",
+ strerror(errno));
/* Log Entry */
goto pam_fail_conv;
}
case PAM_PROMPT_ECHO_OFF:
if (!(string = COPY_STRING(PAM_password))) {
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: passwd failure: --: %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: passwd failure: --: %s",
+ strerror(errno));
/* Log Entry */
goto pam_fail_conv;
}
case PAM_TEXT_INFO:
#ifdef PAM_BINARY_PROMPT
case PAM_BINARY_PROMPT:
-#endif
+#endif /* PAM_BINARY_PROMPT */
/* ignore it... */
break;
case PAM_ERROR_MSG:
default:
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Binary_Prompt -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Binary_Prompt -- %s",
+ strerror(errno));
/* Log Entry */
goto pam_fail_conv;
}
*resp = reply;
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: PAM Success -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM Success");
/* Log Entry */
return PAM_SUCCESS;
}
free(reply);
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM DHX Conversation Err -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM DHX Conversation Err -- %s",
+ strerror(errno));
/* Log Entry */
return PAM_CONV_ERR;
}
};
-static int dhx_setup(void *obj, char *ibuf, int ibuflen,
- char *rbuf, int *rbuflen)
+static int dhx_setup(void *obj, char *ibuf, size_t ibuflen _U_,
+ char *rbuf, size_t *rbuflen)
{
- u_int16_t sessid;
- int i;
+ uint16_t sessid;
+ size_t i;
BIGNUM *bn, *gbn, *pbn;
DH *dh;
/* get the client's public key */
if (!(bn = BN_bin2bn(ibuf, KEYSIZE, NULL))) {
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM No Public Key -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM No Public Key -- %s",
+ strerror(errno));
/* Log Entry */
return AFPERR_PARAM;
}
if (!(gbn = BN_bin2bn(&g, sizeof(g), NULL))) {
BN_clear_free(bn);
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM No Primes: GBN -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM No Primes: GBN -- %s",
+ strerror(errno));
/* Log Entry */
return AFPERR_PARAM;
}
BN_free(gbn);
BN_clear_free(bn);
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM No Primes: PBN -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM No Primes: PBN -- %s",
+ strerror(errno));
/* Log Entry */
return AFPERR_PARAM;
}
BN_free(gbn);
BN_clear_free(bn);
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM DH was equal to DH_New... Go figure... -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM DH was equal to DH_New... Go figure... -- %s",
+ strerror(errno));
/* Log Entry */
return AFPERR_PARAM;
}
/* generate key and make sure that we have enough space */
dh->p = pbn;
dh->g = gbn;
- if (!DH_generate_key(dh) || (BN_num_bytes(dh->pub_key) > KEYSIZE)) {
- /* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Err Generating Key -- Not enough Space? -- %m");
- /* Log Entry */
- goto pam_fail;
+ if (DH_generate_key(dh) == 0) {
+ unsigned long dherror;
+ char errbuf[256];
+
+ ERR_load_crypto_strings();
+ dherror = ERR_get_error();
+ ERR_error_string_n(dherror, errbuf, 256);
+
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Err Generating Key (OpenSSL error code: %u, %s)", dherror, errbuf);
+
+ ERR_free_strings();
+ goto pam_fail;
+ }
+ if (BN_num_bytes(dh->pub_key) > KEYSIZE) {
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Err Generating Key -- Not enough Space? -- %s", strerror(errno));
+ goto pam_fail;
}
/* figure out the key. store the key in rbuf for now. */
&i) < 0) {
*rbuflen = 0;
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Buffer Encryption Err. -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Buffer Encryption Err. -- %s",
+ strerror(errno));
/* Log Entry */
goto pam_fail;
}
(void *) &buf, NULL) < 0) {
*rbuflen = 0;
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Signature Retieval Failure -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Signature Retieval Failure -- %s",
+ strerror(errno));
/* Log Entry */
goto pam_fail;
}
memcpy(rbuf + KEYSIZE, buf, KEYSIZE);
-#else
+#else /* 0 */
memset(rbuf + KEYSIZE, 0, KEYSIZE);
-#endif
+#endif /* 0 */
/* encrypt using cast */
CAST_cbc_encrypt(rbuf, rbuf, CRYPTBUFLEN, &castkey, msg2_iv,
BN_free(bn);
DH_free(dh);
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Fail - Cast Encryption -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Fail - Cast Encryption -- %s",
+ strerror(errno));
/* Log Entry */
return AFPERR_PARAM;
}
+/* -------------------------------- */
+static int login(void *obj, char *username, int ulen, struct passwd **uam_pwd _U_,
+ char *ibuf, size_t ibuflen,
+ char *rbuf, size_t *rbuflen)
+{
+ if (( dhxpwd = uam_getname(obj, username, ulen)) == NULL ) {
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c: unknown username [%s]", username);
+ return AFPERR_NOTAUTH;
+ }
+ PAM_username = username;
+ LOG(log_info, logtype_uams, "dhx login: %s", username);
+ return dhx_setup(obj, ibuf, ibuflen, rbuf, rbuflen);
+}
+
+/* -------------------------------- */
/* dhx login: things are done in a slightly bizarre order to avoid
* having to clean things up if there's an error. */
static int pam_login(void *obj, struct passwd **uam_pwd,
- char *ibuf, int ibuflen,
- char *rbuf, int *rbuflen)
+ char *ibuf, size_t ibuflen,
+ char *rbuf, size_t *rbuflen)
{
- char *buf;
- int len, i;
+ char *username;
+ size_t len, ulen;
*rbuflen = 0;
/* grab some of the options */
- if (uam_afpserver_option(obj, UAM_OPTION_USERNAME, (void *) &buf,
- &i) < 0) {
- /* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: uam_afpserver_option didn't meet uam_option_username -- %m");
- /* Log Entry */
- return AFPERR_PARAM;
+ if (uam_afpserver_option(obj, UAM_OPTION_USERNAME, (void *) &username, &ulen) < 0) {
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: uam_afpserver_option didn't meet uam_option_username -- %s",
+ strerror(errno));
+ return AFPERR_PARAM;
}
len = (unsigned char) *ibuf++;
- if ( len > i ) {
- /* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Signature Retieval Failure -- %m");
- /* Log Entry */
- return( AFPERR_PARAM );
+ if ( len > ulen ) {
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Signature Retieval Failure -- %s",
+ strerror(errno));
+ return AFPERR_PARAM;
}
- memcpy(buf, ibuf, len );
+ memcpy(username, ibuf, len );
ibuf += len;
- buf[ len ] = '\0';
+ username[ len ] = '\0';
+
if ((unsigned long) ibuf & 1) /* pad to even boundary */
++ibuf;
- if (( dhxpwd = uam_getname(buf, i)) == NULL ) {
- /* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: User entered a null value -- %m");
- /* Log Entry */
+ return (login(obj, username, ulen, uam_pwd, ibuf, ibuflen, rbuf, rbuflen));
+}
+
+/* ----------------------------- */
+static int pam_login_ext(void *obj, char *uname, struct passwd **uam_pwd,
+ char *ibuf, size_t ibuflen,
+ char *rbuf, size_t *rbuflen)
+{
+ char *username;
+ int len;
+ size_t ulen;
+ uint16_t temp16;
+
+ *rbuflen = 0;
+
+ /* grab some of the options */
+ if (uam_afpserver_option(obj, UAM_OPTION_USERNAME, (void *) &username, &ulen) < 0) {
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: uam_afpserver_option didn't meet uam_option_username -- %s",
+ strerror(errno));
+ return AFPERR_PARAM;
+ }
+
+ if (*uname != 3)
+ return AFPERR_PARAM;
+ uname++;
+ memcpy(&temp16, uname, sizeof(temp16));
+ len = ntohs(temp16);
+
+ if ( !len || len > ulen ) {
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Signature Retrieval Failure -- %s",
+ strerror(errno));
return AFPERR_PARAM;
}
+ memcpy(username, uname +2, len );
+ username[ len ] = '\0';
- PAM_username = buf;
- syslog( LOG_INFO, "dhx login: %s", buf);
- return dhx_setup(obj, ibuf, ibuflen, rbuf, rbuflen);
+ return (login(obj, username, ulen, uam_pwd, ibuf, ibuflen, rbuf, rbuflen));
}
+/* -------------------------------- */
static int pam_logincont(void *obj, struct passwd **uam_pwd,
- char *ibuf, int ibuflen,
- char *rbuf, int *rbuflen)
+ char *ibuf, size_t ibuflen _U_,
+ char *rbuf, size_t *rbuflen)
{
- char *hostname;
+ const char *hostname;
BIGNUM *bn1, *bn2, *bn3;
- u_int16_t sessid;
+ uint16_t sessid;
int err, PAM_error;
*rbuflen = 0;
memcpy(&sessid, ibuf, sizeof(sessid));
if (sessid != dhxhash(obj)) {
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM Session ID - DHXHash Mismatch -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM Session ID - DHXHash Mismatch -- %s",
+ strerror(errno));
/* Log Entry */
return AFPERR_PARAM;
}
ibuf += sizeof(sessid);
- if (uam_afpserver_option(obj, UAM_OPTION_HOSTNAME,
+ if (uam_afpserver_option(obj, UAM_OPTION_CLIENTNAME,
(void *) &hostname, NULL) < 0)
- return AFPERR_MISC;
+ {
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: unable to retrieve client hostname");
+ hostname = NULL;
+ }
CAST_cbc_encrypt(ibuf, rbuf, CRYPT2BUFLEN, &castkey,
msg3_iv, CAST_DECRYPT);
&pamh);
if (PAM_error != PAM_SUCCESS) {
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: PAM_Error: %s -- %m", pam_strerror(pamh,PAM_error));
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM_Error: %s",
+ pam_strerror(pamh,PAM_error));
/* Log Entry */
goto logincont_err;
}
if (PAM_error == PAM_MAXTRIES)
err = AFPERR_PWDEXPR;
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: PAM_Error: %s -- %m", pam_strerror(pamh, PAM_error));
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM_Error: %s",
+ pam_strerror(pamh, PAM_error));
/* Log Entry */
goto logincont_err;
}
PAM_error = pam_acct_mgmt(pamh, 0);
- if (PAM_error != PAM_SUCCESS) {
- if (PAM_error == PAM_ACCT_EXPIRED)
+ if (PAM_error != PAM_SUCCESS ) {
+ /* Log Entry */
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM_Error: %s",
+ pam_strerror(pamh, PAM_error));
+ /* Log Entry */
+ if (PAM_error == PAM_NEW_AUTHTOK_REQD) /* password expired */
err = AFPERR_PWDEXPR;
#ifdef PAM_AUTHTOKEN_REQD
else if (PAM_error == PAM_AUTHTOKEN_REQD)
err = AFPERR_PWDCHNG;
#endif
- /* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: PAM_Error: %s -- %m", pam_strerror(pamh, PAM_error));
- /* Log Entry */
- goto logincont_err;
+ else
+ goto logincont_err;
}
#ifndef PAM_CRED_ESTABLISH
PAM_error = pam_setcred(pamh, PAM_CRED_ESTABLISH);
if (PAM_error != PAM_SUCCESS) {
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: PAM_Error: %s -- %m", pam_strerror(pamh, PAM_error));
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM_Error: %s",
+ pam_strerror(pamh, PAM_error));
/* Log Entry */
goto logincont_err;
}
PAM_error = pam_open_session(pamh, 0);
if (PAM_error != PAM_SUCCESS) {
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: PAM_Error: %s -- %m", pam_strerror(pamh, PAM_error));
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM_Error: %s",
+ pam_strerror(pamh, PAM_error));
/* Log Entry */
goto logincont_err;
}
memset(rbuf, 0, PASSWDLEN); /* zero out the password */
*uam_pwd = dhxpwd;
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: PAM Auth OK!: %s -- %m", AFP_OK);
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: PAM Auth OK!");
/* Log Entry */
+ if ( err == AFPERR_PWDEXPR)
+ return err;
return AFP_OK;
logincont_err:
}
/* logout */
-static void pam_logout() {
+static void pam_logout(void) {
pam_close_session(pamh, 0);
pam_end(pamh, 0);
pamh = NULL;
/* change pw for dhx needs a couple passes to get everything all
* right. basically, it's like the login/logincont sequence */
static int pam_changepw(void *obj, char *username,
- struct passwd *pwd, char *ibuf, int ibuflen,
- char *rbuf, int *rbuflen)
+ struct passwd *pwd _U_, char *ibuf, size_t ibuflen,
+ char *rbuf, size_t *rbuflen)
{
BIGNUM *bn1, *bn2, *bn3;
char *hostname;
pam_handle_t *lpamh;
uid_t uid;
- u_int16_t sessid;
+ uint16_t sessid;
int PAM_error;
+ if (ibuflen < sizeof(sessid)) {
+ return AFPERR_PARAM;
+ }
+
/* grab the id */
memcpy(&sessid, ibuf, sizeof(sessid));
ibuf += sizeof(sessid);
/* check out the session id */
if (sessid != dhxhash(obj)) {
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Session ID not Equal to DHX Hash -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Session ID not Equal to DHX Hash -- %s",
+ strerror(errno));
/* Log Entry */
return AFPERR_PARAM;
}
if (uam_afpserver_option(obj, UAM_OPTION_HOSTNAME,
(void *) &hostname, NULL) < 0) {
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Hostname Null?? -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Hostname Null?? -- %s",
+ strerror(errno));
/* Log Entry */
return AFPERR_MISC;
}
* get sent back an incremented random number. */
if (!(bn1 = BN_bin2bn(ibuf, KEYSIZE, NULL))) {
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Random Number Not the same or not incremented-- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Random Number Not the same or not incremented-- %s",
+ strerror(errno));
/* Log Entry */
return AFPERR_PARAM;
}
if (!(bn2 = BN_bin2bn(randbuf, sizeof(randbuf), NULL))) {
BN_free(bn1);
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Random Number Not the same or not incremented -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Random Number Not the same or not incremented -- %s",
+ strerror(errno));
/* Log Entry */
return AFPERR_PARAM;
}
BN_free(bn2);
BN_free(bn1);
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Random Number did not Zero -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Random Number did not Zero -- %s",
+ strerror(errno));
/* Log Entry */
return AFPERR_PARAM;
}
if (!BN_is_one(bn3)) {
BN_free(bn3);
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: After Random Number not Zero, is it one more? -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: After Random Number not Zero, is it one more? -- %s",
+ strerror(errno));
/* Log Entry */
return AFPERR_PARAM;
}
&lpamh);
if (PAM_error != PAM_SUCCESS) {
/* Log Entry */
- syslog(LOG_INFO, "uams_dhx_pam.c :PAM: Needless to say, PAM_error is != to PAM_SUCCESS -- %m");
+ LOG(log_info, logtype_uams, "uams_dhx_pam.c :PAM: Needless to say, PAM_error is != to PAM_SUCCESS -- %s",
+ strerror(errno));
/* Log Entry */
return AFPERR_PARAM;
}
static int uam_setup(const char *path)
{
- if (uam_register(UAM_SERVER_LOGIN, path, "DHCAST128", pam_login,
- pam_logincont, pam_logout) < 0)
+ if (uam_register(UAM_SERVER_LOGIN_EXT, path, "DHCAST128", pam_login,
+ pam_logincont, pam_logout, pam_login_ext) < 0)
return -1;
if (uam_register(UAM_SERVER_CHANGEPW, path, "DHCAST128",
uam_setup, uam_cleanup
};
+UAM_MODULE_EXPORT struct uam_export uams_dhx_pam = {
+ UAM_MODULE_SERVER,
+ UAM_MODULE_VERSION,
+ uam_setup, uam_cleanup
+};
+
#endif /* USE_PAM && UAM_DHX */
projects / netatalk.git / blobdiff