Imported Upstream version 5.1.2

6 files changed, 286 insertions, 17 deletions

diff --git a/src/libcharon/plugins/xauth_pam/Makefile.am b/src/libcharon/plugins/xauth_pam/Makefile.am
index a7d4f6436..1875f81d3 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.am
+++ b/src/libcharon/plugins/xauth_pam/Makefile.am
@@ -14,6 +14,7 @@ endif
 
 libstrongswan_xauth_pam_la_SOURCES = \
 	xauth_pam_plugin.h xauth_pam_plugin.c \
+	xauth_pam_listener.h xauth_pam_listener.c \
 	xauth_pam.h xauth_pam.c
 
 libstrongswan_xauth_pam_la_LDFLAGS = -module -avoid-version -lpam
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index dbcc4f405..1ee269e04 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -129,7 +129,7 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_xauth_pam_la_LIBADD =
 am_libstrongswan_xauth_pam_la_OBJECTS = xauth_pam_plugin.lo \
-	xauth_pam.lo
+	xauth_pam_listener.lo xauth_pam.lo
 libstrongswan_xauth_pam_la_OBJECTS =  \
 	$(am_libstrongswan_xauth_pam_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -218,8 +218,6 @@ BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CHECK_CFLAGS = @CHECK_CFLAGS@
-CHECK_LIBS = @CHECK_LIBS@
 COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
 COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
@@ -287,6 +285,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -375,12 +378,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
 random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
@@ -395,6 +402,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -417,6 +425,7 @@ AM_CFLAGS = \
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-xauth-pam.la
 libstrongswan_xauth_pam_la_SOURCES = \
 	xauth_pam_plugin.h xauth_pam_plugin.c \
+	xauth_pam_listener.h xauth_pam_listener.c \
 	xauth_pam.h xauth_pam.c
 
 libstrongswan_xauth_pam_la_LDFLAGS = -module -avoid-version -lpam
@@ -511,6 +520,7 @@ distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_pam.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_pam_listener.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_pam_plugin.Plo@am__quote@
 
 .c.o:
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam.c b/src/libcharon/plugins/xauth_pam/xauth_pam.c
index 8ba2c764d..71c79ecc0 100644
--- a/src/libcharon/plugins/xauth_pam/xauth_pam.c
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam.c
@@ -116,7 +116,11 @@ static void attr2string(char *buf, size_t len, chunk_t chunk)
 {
 	if (chunk.len && chunk.len < len)
 	{
-		snprintf(buf, len, "%.*s", (int)chunk.len, chunk.ptr);
+		chunk_t sane;
+
+		chunk_printable(chunk, &sane, '?');
+		snprintf(buf, len, "%.*s", (int)sane.len, sane.ptr);
+		chunk_clear(&sane);
 	}
 }
 
@@ -138,7 +142,7 @@ METHOD(xauth_method_t, process, status_t,
 				/* trim to username part if email address given */
 				if (lib->settings->get_bool(lib->settings,
 											"%s.plugins.xauth-pam.trim_email",
-											TRUE, charon->name))
+											TRUE, lib->ns))
 				{
 					pos = memchr(chunk.ptr, '@', chunk.len);
 					if (pos)
@@ -171,9 +175,8 @@ METHOD(xauth_method_t, process, status_t,
 	service = lib->settings->get_str(lib->settings,
 				"%s.plugins.xauth-pam.pam_service",
 					lib->settings->get_str(lib->settings,
-						"%s.plugins.eap-gtc.pam_service",
-						"login", charon->name),
-				charon->name);
+						"%s.plugins.eap-gtc.pam_service", "login", lib->ns),
+				lib->ns);
 
 	if (authenticate(service, user, pass))
 	{
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_listener.c b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.c
new file mode 100644
index 000000000..eb06f54bb
--- /dev/null
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) 2013 Endian srl
+ * Author: Andrea Bonomi - <a.bonomi@endian.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+
+#include "xauth_pam_listener.h"
+
+#include <daemon.h>
+#include <library.h>
+
+#include <security/pam_appl.h>
+
+typedef struct private_xauth_pam_listener_t private_xauth_pam_listener_t;
+
+/**
+ * Private data of an xauth_pam_listener_t object.
+ */
+struct private_xauth_pam_listener_t {
+
+	/**
+	 * Public xauth_pam_listener_t interface.
+	 */
+	xauth_pam_listener_t public;
+
+	/**
+	 * PAM service
+	 */
+	char *service;
+};
+
+/**
+ * PAM conv callback function
+ */
+static int conv(int num_msg, const struct pam_message **msg,
+				struct pam_response **resp, void *data)
+{
+	int i;
+
+	for (i = 0; i < num_msg; i++)
+	{
+		/* ignore any text info, but fail on any interaction request */
+		if (msg[i]->msg_style != PAM_TEXT_INFO)
+		{
+			return PAM_CONV_ERR;
+		}
+	}
+	return PAM_SUCCESS;
+}
+
+METHOD(listener_t, ike_updown, bool,
+	private_xauth_pam_listener_t *this, ike_sa_t *ike_sa, bool up)
+{
+	struct pam_conv null_conv = {
+		.conv = conv,
+	};
+	pam_handle_t *pamh = NULL;
+	char *user;
+	int ret;
+
+	if (asprintf(&user, "%Y", ike_sa->get_other_eap_id(ike_sa)) != -1)
+	{
+		ret = pam_start(this->service, user, &null_conv, &pamh);
+		if (ret == PAM_SUCCESS)
+		{
+			if (up)
+			{
+				ret = pam_open_session(pamh, 0);
+				if (ret != PAM_SUCCESS)
+				{
+					DBG1(DBG_IKE, "XAuth pam_open_session for '%s' failed: %s",
+						 user, pam_strerror(pamh, ret));
+				}
+			}
+			else
+			{
+				ret = pam_close_session(pamh, 0);
+				if (ret != PAM_SUCCESS)
+				{
+					DBG1(DBG_IKE, "XAuth pam_close_session for '%s' failed: %s",
+						 user, pam_strerror(pamh, ret));
+				}
+			}
+		}
+		else
+		{
+			DBG1(DBG_IKE, "XAuth pam_start for '%s' failed: %s",
+				 user, pam_strerror(pamh, ret));
+		}
+		pam_end(pamh, ret);
+		free(user);
+	}
+	return TRUE;
+}
+
+METHOD(xauth_pam_listener_t, listener_destroy, void,
+	private_xauth_pam_listener_t *this)
+{
+	free(this);
+}
+
+xauth_pam_listener_t *xauth_pam_listener_create()
+{
+	private_xauth_pam_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.ike_updown = _ike_updown,
+			},
+			.destroy = _listener_destroy,
+		},
+		/* Look for PAM service, with a legacy fallback for the eap-gtc plugin.
+		 * Default to "login". */
+		.service = lib->settings->get_str(lib->settings,
+						"%s.plugins.xauth-pam.pam_service",
+							lib->settings->get_str(lib->settings,
+								"%s.plugins.eap-gtc.pam_service",
+							"login", lib->ns),
+						lib->ns),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_listener.h b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.h
new file mode 100644
index 000000000..5b15410f4
--- /dev/null
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2013 Endian srl
+ * Author: Andrea Bonomi - <a.bonomi@endian.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup xauth_pam_i xauth_pam
+ * @{ @ingroup xauth_pam
+ */
+
+#ifndef XAUTH_PAM_LISENER_H_
+#define XAUTH_PAM_LISTENER_H_
+
+typedef struct xauth_pam_listener_t xauth_pam_listener_t;
+
+#include <bus/listeners/listener.h>
+
+/**
+ * Listener
+ */
+struct xauth_pam_listener_t {
+
+	/**
+	 * Implements listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a xauth_pam_listener_t.
+	 */
+	void (*destroy)(xauth_pam_listener_t *this);
+};
+
+/**
+ * Create a xauth_pam_listener instance.
+ */
+xauth_pam_listener_t *xauth_pam_listener_create();
+
+
+#endif /** XAUTH_PAM_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
index 2ef9a6c8f..497ad3dd9 100644
--- a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
@@ -15,6 +15,7 @@
 
 #include "xauth_pam_plugin.h"
 #include "xauth_pam.h"
+#include "xauth_pam_listener.h"
 
 #include <daemon.h>
 
@@ -22,26 +23,73 @@
 #define CAP_AUDIT_WRITE 29
 #endif
 
+typedef struct private_xauth_pam_plugin_t private_xauth_pam_plugin_t;
+
+/**
+ * private data of xauth_pam plugin
+ */
+struct private_xauth_pam_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	xauth_pam_plugin_t public;
+
+	/**
+	 * Listener
+	 */
+	xauth_pam_listener_t *listener;
+
+	/**
+	 * Do PAM session management?
+	 */
+	bool session;
+};
+
+/**
+ * Register XAuth method and listener
+ */
+static bool register_listener(private_xauth_pam_plugin_t *this,
+							  plugin_feature_t *feature, bool reg, void *data)
+{
+	if (reg)
+	{
+		charon->bus->add_listener(charon->bus, &this->listener->listener);
+	}
+	else
+	{
+		charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	}
+	return TRUE;
+}
+
 METHOD(plugin_t, get_name, char*,
-	xauth_pam_plugin_t *this)
+	private_xauth_pam_plugin_t *this)
 {
 	return "xauth-pam";
 }
 
 METHOD(plugin_t, get_features, int,
-	xauth_pam_plugin_t *this, plugin_feature_t *features[])
+	private_xauth_pam_plugin_t *this, plugin_feature_t *features[])
 {
 	static plugin_feature_t f[] = {
 		PLUGIN_CALLBACK(xauth_method_register, xauth_pam_create_server),
 			PLUGIN_PROVIDE(XAUTH_SERVER, "pam"),
+		PLUGIN_CALLBACK((plugin_feature_callback_t)register_listener, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "pam-session"),
 	};
 	*features = f;
+	if (!this->session)
+	{
+		return 2;
+	}
 	return countof(f);
 }
 
 METHOD(plugin_t, destroy, void,
-	xauth_pam_plugin_t *this)
+	private_xauth_pam_plugin_t *this)
 {
+	this->listener->destroy(this->listener),
 	free(this);
 }
 
@@ -50,7 +98,7 @@ METHOD(plugin_t, destroy, void,
  */
 plugin_t *xauth_pam_plugin_create()
 {
-	xauth_pam_plugin_t *this;
+	private_xauth_pam_plugin_t *this;
 
 	/* required for PAM authentication */
 	if (!lib->caps->keep(lib->caps, CAP_AUDIT_WRITE))
@@ -60,12 +108,17 @@ plugin_t *xauth_pam_plugin_create()
 	}
 
 	INIT(this,
-		.plugin = {
-			.get_name = _get_name,
-			.get_features = _get_features,
-			.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
 		},
+		.session = lib->settings->get_str(lib->settings,
+						"%s.plugins.xauth-pam.session", FALSE, lib->ns),
+		.listener = xauth_pam_listener_create(),
 	);
 
-	return &this->plugin;
+	return &this->public.plugin;
 }