diff options
author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2016-11-21 09:37:33 +0100 |
---|---|---|
committer | Alberto Gonzalez Iniesta <agi@inittab.org> | 2016-11-21 09:37:33 +0100 |
commit | 93b77cacdbb7e6f310c4e20f85c3a24ed5ba18ba (patch) | |
tree | 55a7688c9969ef4d01625caa58c7f679098c76eb /src/plugins/auth-pam | |
parent | daa9ef0efeb5e10a1b43820fbab3a4ff5fbd22f1 (diff) | |
parent | 20c8675ba46bda97330a4117c459a59a9f1c465e (diff) |
Merge tag 'upstream/2.4_beta1'
Upstream version 2.4~beta1
Diffstat (limited to 'src/plugins/auth-pam')
-rw-r--r-- | src/plugins/auth-pam/Makefile.am | 1 | ||||
-rw-r--r-- | src/plugins/auth-pam/Makefile.in | 61 | ||||
-rw-r--r-- | src/plugins/auth-pam/auth-pam.c | 91 | ||||
-rw-r--r-- | src/plugins/auth-pam/utils.c | 113 | ||||
-rw-r--r-- | src/plugins/auth-pam/utils.h | 66 |
5 files changed, 212 insertions, 120 deletions
diff --git a/src/plugins/auth-pam/Makefile.am b/src/plugins/auth-pam/Makefile.am index 2aef311..e6dc27e 100644 --- a/src/plugins/auth-pam/Makefile.am +++ b/src/plugins/auth-pam/Makefile.am @@ -18,6 +18,7 @@ dist_doc_DATA = README.auth-pam endif openvpn_plugin_auth_pam_la_SOURCES = \ + utils.c \ auth-pam.c \ pamdl.c pamdl.h \ auth-pam.exports diff --git a/src/plugins/auth-pam/Makefile.in b/src/plugins/auth-pam/Makefile.in index ee67141..90d5058 100644 --- a/src/plugins/auth-pam/Makefile.in +++ b/src/plugins/auth-pam/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -22,17 +22,7 @@ VPATH = @srcdir@ -am__is_gnu_make = { \ - if test -z '$(MAKELEVEL)'; then \ - false; \ - elif test -n '$(MAKE_HOST)'; then \ - true; \ - elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ - true; \ - else \ - false; \ - fi; \ -} +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -96,6 +86,8 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/plugins/auth-pam +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp $(am__dist_doc_DATA_DIST) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ @@ -106,10 +98,9 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am $(am__dist_doc_DATA_DIST) \ - $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d -CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_HEADER = $(top_builddir)/config.h \ + $(top_builddir)/include/openvpn-plugin.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; @@ -143,7 +134,7 @@ am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(docdir)" LTLIBRARIES = $(plugin_LTLIBRARIES) am__DEPENDENCIES_1 = openvpn_plugin_auth_pam_la_DEPENDENCIES = $(am__DEPENDENCIES_1) -am_openvpn_plugin_auth_pam_la_OBJECTS = auth-pam.lo pamdl.lo +am_openvpn_plugin_auth_pam_la_OBJECTS = utils.lo auth-pam.lo pamdl.lo openvpn_plugin_auth_pam_la_OBJECTS = \ $(am_openvpn_plugin_auth_pam_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) @@ -168,7 +159,7 @@ AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = -DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -I$(top_builddir)/include depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f @@ -218,7 +209,6 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags -am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -232,6 +222,7 @@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CMAKE = @CMAKE@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -266,25 +257,31 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ -LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +LZ4_CFLAGS = @LZ4_CFLAGS@ +LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ LZO_LIBS = @LZO_LIBS@ MAKEINFO = @MAKEINFO@ MAN2HTML = @MAN2HTML@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@ +MBEDTLS_LIBS = @MBEDTLS_LIBS@ MKDIR_P = @MKDIR_P@ NETSTAT = @NETSTAT@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ -OPENSSL_CRYPTO_CFLAGS = @OPENSSL_CRYPTO_CFLAGS@ -OPENSSL_CRYPTO_LIBS = @OPENSSL_CRYPTO_LIBS@ -OPENSSL_SSL_CFLAGS = @OPENSSL_SSL_CFLAGS@ -OPENSSL_SSL_LIBS = @OPENSSL_SSL_LIBS@ +OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ +OPENSSL_LIBS = @OPENSSL_LIBS@ +OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@ +OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@ +OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ +OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ +OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ @@ -310,8 +307,6 @@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ -POLARSSL_CFLAGS = @POLARSSL_CFLAGS@ -POLARSSL_LIBS = @POLARSSL_LIBS@ RANLIB = @RANLIB@ RC = @RC@ ROUTE = @ROUTE@ @@ -326,6 +321,11 @@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ +TEST_CFLAGS = @TEST_CFLAGS@ +TEST_LDFLAGS = @TEST_LDFLAGS@ +VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ +VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ +VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ @@ -394,6 +394,7 @@ AM_CFLAGS = \ @ENABLE_PLUGIN_AUTH_PAM_TRUE@plugin_LTLIBRARIES = openvpn-plugin-auth-pam.la @ENABLE_PLUGIN_AUTH_PAM_TRUE@dist_doc_DATA = README.auth-pam openvpn_plugin_auth_pam_la_SOURCES = \ + utils.c \ auth-pam.c \ pamdl.c pamdl.h \ auth-pam.exports @@ -421,6 +422,7 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/plugins/auth-pam/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign src/plugins/auth-pam/Makefile +.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -485,20 +487,21 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth-pam.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pamdl.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utils.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -743,8 +746,6 @@ uninstall-am: uninstall-dist_docDATA uninstall-pluginLTLIBRARIES tags tags-am uninstall uninstall-am uninstall-dist_docDATA \ uninstall-pluginLTLIBRARIES -.PRECIOUS: Makefile - # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c index 710accc..5ad3ec8 100644 --- a/src/plugins/auth-pam/auth-pam.c +++ b/src/plugins/auth-pam/auth-pam.c @@ -39,7 +39,6 @@ #include <stdio.h> #include <string.h> #include <ctype.h> -#include <stdbool.h> #include <unistd.h> #include <stdlib.h> #include <sys/types.h> @@ -48,7 +47,7 @@ #include <fcntl.h> #include <signal.h> #include <syslog.h> -#include <stdint.h> +#include "utils.h" #include <openvpn-plugin.h> @@ -117,94 +116,6 @@ struct user_pass { /* Background process function */ static void pam_server (int fd, const char *service, int verb, const struct name_value_list *name_value_list); -/* Read 'tosearch', replace all occurences of 'searchfor' with 'replacewith' and return - * a pointer to the NEW string. Does not modify the input strings. Will not enter an - * infinite loop with clever 'searchfor' and 'replacewith' strings. - * Daniel Johnson - Progman2000@usa.net / djohnson@progman.us - * - * Retuns NULL when - * - any parameter is NULL - * - the worst-case result is to large ( >= SIZE_MAX) - */ -static char * -searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith) -{ - if (!tosearch || !searchfor || !replacewith) return NULL; - - size_t tosearchlen = strlen(tosearch); - size_t replacewithlen = strlen(replacewith); - size_t templen = tosearchlen * replacewithlen; - - if (tosearchlen == 0 || strlen(searchfor) == 0 || replacewithlen == 0) { - return NULL; - } - - bool is_potential_integer_overflow = (templen == SIZE_MAX) || (templen / tosearchlen != replacewithlen); - - if (is_potential_integer_overflow) { - return NULL; - } - - // state: all parameters are valid - - const char *searching=tosearch; - char *scratch; - - char temp[templen+1]; - temp[0]=0; - - scratch = strstr(searching,searchfor); - if (!scratch) return strdup(tosearch); - - while (scratch) { - strncat(temp,searching,scratch-searching); - strcat(temp,replacewith); - - searching=scratch+strlen(searchfor); - scratch = strstr(searching,searchfor); - } - return strdup(temp); -} - -/* - * Given an environmental variable name, search - * the envp array for its value, returning it - * if found or NULL otherwise. - */ -static const char * -get_env (const char *name, const char *envp[]) -{ - if (envp) - { - int i; - const int namelen = strlen (name); - for (i = 0; envp[i]; ++i) - { - if (!strncmp (envp[i], name, namelen)) - { - const char *cp = envp[i] + namelen; - if (*cp == '=') - return cp + 1; - } - } - } - return NULL; -} - -/* - * Return the length of a string array - */ -static int -string_array_len (const char *array[]) -{ - int i = 0; - if (array) - { - while (array[i]) - ++i; - } - return i; -} /* * Socket read/write functions. diff --git a/src/plugins/auth-pam/utils.c b/src/plugins/auth-pam/utils.c new file mode 100644 index 0000000..4f2bec1 --- /dev/null +++ b/src/plugins/auth-pam/utils.c @@ -0,0 +1,113 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/* + * OpenVPN plugin module to do PAM authentication using a split + * privilege model. + */ +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + + +#include <string.h> +#include <ctype.h> +#include <stdbool.h> +#include <stdlib.h> +#include <sys/types.h> +#include <stdint.h> + +#include "utils.h" + +char * +searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith) +{ + if (!tosearch || !searchfor || !replacewith) return NULL; + + size_t tosearchlen = strlen(tosearch); + size_t replacewithlen = strlen(replacewith); + size_t templen = tosearchlen * replacewithlen; + + if (tosearchlen == 0 || strlen(searchfor) == 0 || replacewithlen == 0) { + return NULL; + } + + bool is_potential_integer_overflow = (templen == SIZE_MAX) || (templen / tosearchlen != replacewithlen); + + if (is_potential_integer_overflow) { + return NULL; + } + + // state: all parameters are valid + + const char *searching=tosearch; + char *scratch; + + char temp[templen+1]; + temp[0]=0; + + scratch = strstr(searching,searchfor); + if (!scratch) return strdup(tosearch); + + while (scratch) { + strncat(temp,searching,scratch-searching); + strcat(temp,replacewith); + + searching=scratch+strlen(searchfor); + scratch = strstr(searching,searchfor); + } + return strdup(temp); +} + +const char * +get_env (const char *name, const char *envp[]) +{ + if (envp) + { + int i; + const int namelen = strlen (name); + for (i = 0; envp[i]; ++i) + { + if (!strncmp (envp[i], name, namelen)) + { + const char *cp = envp[i] + namelen; + if (*cp == '=') + return cp + 1; + } + } + } + return NULL; +} + +int +string_array_len (const char *array[]) +{ + int i = 0; + if (array) + { + while (array[i]) + ++i; + } + return i; +} diff --git a/src/plugins/auth-pam/utils.h b/src/plugins/auth-pam/utils.h new file mode 100644 index 0000000..2f72040 --- /dev/null +++ b/src/plugins/auth-pam/utils.h @@ -0,0 +1,66 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#ifndef _PLUGIN_AUTH_PAM_UTILS__H +#define _PLUGIN_AUTH_PAM_UTILS__H + +/** + * Read 'tosearch', replace all occurences of 'searchfor' with 'replacewith' and return + * a pointer to the NEW string. Does not modify the input strings. Will not enter an + * infinite loop with clever 'searchfor' and 'replacewith' strings. + * + * @author Daniel Johnson - Progman2000@usa.net / djohnson@progman.us + * + * @param tosearch haystack to search in + * @param searchfor needle to search for in the haystack + * @param replacewith when a match is found, replace needle with this string + * + * @return Retuns NULL when any parameter is NULL or the worst-case result is to large ( >= SIZE_MAX). + * Otherwise it returns a pointer to a new buffer containing the modified input + */ +char * +searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith); + +/** + * Given an environmental variable name, search + * the envp array for its value + * + * @param name Environment variable to look up + * @param envp Environment variable table with all key/value pairs + * + * @return Returns a pointer to the value of the enviroment variable if found, otherwise NULL is returned. + */ +const char * +get_env (const char *name, const char *envp[]); + +/** + * Return the length of a string array + * + * @param array Pointer to the array to calculate size of + * + */ +int +string_array_len (const char *array[]); + +#endif |