authorAlberto Gonzalez Iniesta <agi@inittab.org>2017-06-22 13:16:46 +0200
committerAlberto Gonzalez Iniesta <agi@inittab.org>2017-06-22 13:16:46 +0200
commit766cdd4b4d1fcb31addf6727dbcfd3d99e390456 (patch)
tree76932876ae57f139fa1b3f82b375e4e526b507d7 /src/plugins/auth-pam/auth-pam.c
parentd73f7253d939e293abf9e27b4b7f37df1ec12a39 (diff)
parent9683f890944ffb114f5f8214f694e0b339cf5a5a (diff)
Merge tag 'upstream/2.4.3'
Upstream version 2.4.3
Diffstat (limited to 'src/plugins/auth-pam/auth-pam.c')
-rw-r--r--src/plugins/auth-pam/auth-pam.c38
1 files changed, 29 insertions, 9 deletions
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index d3e2c89..ae514d7 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -63,6 +62,9 @@
#define RESPONSE_VERIFY_SUCCEEDED 12
#define RESPONSE_VERIFY_FAILED 13
+/* Pointers to functions exported from openvpn */
+static plugin_secure_memzero_t plugin_secure_memzero = NULL;
+
/*
* Plugin state, used by foreground
*/
@@ -274,8 +276,10 @@ name_value_match(const char *query, const char *match)
return strncasecmp(match, query, strlen(match)) == 0;
}
-OPENVPN_EXPORT openvpn_plugin_handle_t
-openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *envp[])
+OPENVPN_EXPORT int
+openvpn_plugin_open_v3(const int v3structver,
+ struct openvpn_plugin_args_open_in const *args,
+ struct openvpn_plugin_args_open_return *ret)
{
pid_t pid;
int fd[2];
@@ -285,6 +289,16 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *
const int base_parms = 2;
+ const char **argv = args->argv;
+ const char **envp = args->envp;
+
+ /* Check API compatibility -- struct version 4 or higher needed */
+ if (v3structver < 4)
+ {
+ fprintf(stderr, "AUTH-PAM: This plugin is incompatible with the running version of OpenVPN\n");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+
/*
* Allocate our context
*/
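Review bot: The incompatibility message at the `v3structver < 4` check does not say which struct version the host offered or which one is required, so an operator reading the log cannot tell how far off the running OpenVPN is. Consider `fprintf(stderr, "AUTH-PAM: plugin API struct version %d is too old, version 4 or higher is required\n", v3structver);`. The bare `4` also lives only in this condition and its comment; a named constant next to the `RESPONSE_*` defines would keep the two from drifting apart. The function body continues outside this hunk.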
@@ -298,7 +312,10 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *
/*
* Intercept the --auth-user-pass-verify callback.
*/
- *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
+ ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
+
+ /* Save global pointers to functions exported from openvpn */
+ plugin_secure_memzero = args->callbacks->plugin_secure_memzero;
/*
* Make sure we have two string arguments: the first is the .so name,
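Review bot: The assignment `plugin_secure_memzero = args->callbacks->plugin_secure_memzero;` stores the host's pointer without checking it, and the calls added in pam_server (the last two hunks) go through it unconditionally. The `v3structver < 4` check presumably guarantees the member exists, but a NULL `callbacks` or a NULL member would surface only later as a crash on the password-handling path instead of as a clean load failure. I would refuse to open here, e.g. `if (!args->callbacks || !args->callbacks->plugin_secure_memzero) { goto error; }` placed before the assignment. The `error:` label is visible further down in this function, but the code between the hunks is not shown, so confirm nothing else needs unwinding at that point.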
@@ -386,7 +403,8 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *
if (status == RESPONSE_INIT_SUCCEEDED)
{
context->foreground_fd = fd[0];
- return (openvpn_plugin_handle_t) context;
+ ret->handle = (openvpn_plugin_handle_t *) context;
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
}
}
else
@@ -420,7 +438,7 @@ error:
{
free(context);
}
- return NULL;
+ return OPENVPN_PLUGIN_FUNC_ERROR;
}
OPENVPN_EXPORT int
@@ -785,6 +803,7 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
goto done;
}
}
+ plugin_secure_memzero(up.password, sizeof(up.password));
break;
case COMMAND_EXIT:
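Review bot: The two `plugin_secure_memzero(up.password, sizeof(up.password));` calls (this one and the one after `done:` in the next hunk) deserve a comment stating the intent, because the split is not obvious: the `goto done` paths above skip this call and rely on the wipe after the label. Something like `/* wipe the password as soon as this request is answered; error paths are covered at done: */` would do. The wipe covers only the `up.password` buffer; whether other copies of the password exist in this process (for example anything handed to the PAM conversation) cannot be seen from these hunks and is worth confirming. pam_server's body starts and ends outside the hunk.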
@@ -802,6 +821,7 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
}
done:
+ plugin_secure_memzero(up.password, sizeof(up.password));
#ifdef USE_PAM_DLOPEN
dlclose_pam();
#endif