Blob Blame History Raw
diff -Naur libreswan-3.15-orig/programs/pluto/ikev1_xauth.c libreswan-3.15/programs/pluto/ikev1_xauth.c
--- libreswan-3.15-orig/programs/pluto/ikev1_xauth.c	2015-08-24 16:52:43.000000000 -0400
+++ libreswan-3.15/programs/pluto/ikev1_xauth.c	2015-09-03 11:32:27.525000000 -0400
@@ -1001,81 +1001,6 @@
 	return STF_OK;
 }
 
-#ifdef XAUTH_HAVE_PAM
-
-/** Do authentication via PAM (Plugable Authentication Modules)
- *
- * We try to authenticate the user in our own PAM session.
- *
- * @return bool success
- */
-/* IN AN AUTH THREAD */
-static bool do_pam_authentication(void *varg)
-{
-	struct xauth_thread_arg *arg = varg;
-	int retval;
-	pam_handle_t *pamh = NULL;
-	struct pam_conv conv;
-	const char *what;
-
-	/* This do-while structure is designed to allow a logical cascade
-	 * without excessive indentation.  No actual looping happens.
-	 * Failure is handled by "break".
-	 */
-	do {
-		ipstr_buf ra;
-
-		conv.conv = pam_conv;
-		conv.appdata_ptr = varg;
-
-		what = "pam_start";
-		retval = pam_start("pluto", arg->name, &conv, &pamh);
-		if (retval != PAM_SUCCESS)
-			break;
-
-		DBG(DBG_CONTROL, DBG_log("pam_start SUCCESS"));
-
-		/* Send the remote host address to PAM */
-		what = "pam_set_item";
-		retval = pam_set_item(pamh, PAM_RHOST,
-				      ipstr(&arg->st->st_remoteaddr, &ra));
-		if (retval != PAM_SUCCESS)
-			break;
-
-		DBG(DBG_CONTROL, DBG_log("pam_set_item SUCCESS"));
-
-		/* Two factor authentication - Check that the user is valid,
-		 * and then check if they are permitted access
-		 */
-		what = "pam_authenticate";
-		retval = pam_authenticate(pamh, PAM_SILENT); /* is user really user? */
-
-		if (retval != PAM_SUCCESS)
-			break;
-
-		DBG(DBG_CONTROL, DBG_log("pam_authenticate SUCCESS"));
-
-		what = "pam_acct_mgmt";
-		retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
-		if (retval != PAM_SUCCESS)
-			break;
-
-		/* success! */
-		libreswan_log("XAUTH: PAM_SUCCESS");
-		pam_end(pamh, PAM_SUCCESS);
-		return TRUE;
-	} while (FALSE);
-
-	/* common failure code */
-
-	DBG(DBG_CONTROL,
-	    DBG_log("%s failed with '%s", what, pam_strerror(pamh, retval)));
-	libreswan_log("XAUTH: %s failed with '%s'", what, pam_strerror(pamh, retval));
-	pam_end(pamh, retval);
-	return FALSE;
-}
-#endif /* XAUTH_HAVE_PAM */
-
 /** Do authentication via /etc/ipsec.d/passwd file using MD5 passwords
  *
  * Structure is one entry per line.
@@ -1256,6 +1181,43 @@
 	return win;
 }
 
+/* IN AN AUTH THREAD */
+static bool ikev1_do_pam_authentication(const struct xauth_thread_arg *arg)
+{
+	struct state *st = arg->st;
+	libreswan_log("XAUTH: pam authentication being called to authenticate user %s",
+			arg->name);
+	struct pam_thread_arg parg;
+	ipstr_buf ra;
+	struct timeval start_time;
+	struct timeval served_time;
+	struct timeval served_delta;
+	bool results = FALSE;
+
+	parg.name = arg->name;
+	parg.password =  arg->password;
+	parg.c_name = arg->connname;
+	parg.ra = clone_str(ipstr(&st->st_remoteaddr, &ra), "st remote address");
+	parg.st_serialno = st->st_serialno;
+	parg.c_instance_serial = st->st_connection->instance_serial;
+	parg.atype = "XAUTH";
+	gettimeofday(&start_time, NULL);
+	results = do_pam_authentication(&parg);
+	gettimeofday(&served_time, NULL);
+	timersub(&served_time, &start_time, &served_delta);
+	DBG(DBG_CONTROL, DBG_log("XAUTH PAM helper thread call "
+				"state #%lu, %s[%lu] user=%s %s. "
+				"elapsed time %lu.%06lu",
+				parg.st_serialno, parg.c_name,
+				parg.c_instance_serial, parg.name,
+				results ? "SUCCESS" : "FAIL",
+				(unsigned long)served_delta.tv_sec,
+				(unsigned long)(served_delta.tv_usec * 1000000)));
+
+	pfreeany(parg.ra);
+	return (results);
+}
+
 /*
  * Main authentication routine will then call the actual compiled-in
  * method to verify the user/password
@@ -1330,10 +1292,7 @@
 	switch (st->st_connection->xauthby) {
 #ifdef XAUTH_HAVE_PAM
 	case XAUTHBY_PAM:
-		libreswan_log(
-			"XAUTH: pam authentication being called to authenticate user %s",
-			arg->name);
-		results = do_pam_authentication(varg);
+		results = ikev1_do_pam_authentication(arg);
 		break;
 #endif
 	case XAUTHBY_FILE:
diff -Naur libreswan-3.15-orig/programs/pluto/ikev2_parent.c libreswan-3.15/programs/pluto/ikev2_parent.c
--- libreswan-3.15-orig/programs/pluto/ikev2_parent.c	2015-09-03 11:29:05.518000000 -0400
+++ libreswan-3.15/programs/pluto/ikev2_parent.c	2015-09-03 11:32:27.526000000 -0400
@@ -2417,7 +2417,7 @@
 	pthread_setcanceltype  (PTHREAD_CANCEL_ASYNCHRONOUS,  NULL);
 	pthread_setcancelstate (PTHREAD_CANCEL_ASYNCHRONOUS, NULL);
 
-	p->pam_status = ikev2_do_pam_authentication(&p->pam);
+	p->pam_status = do_pam_authentication(&p->pam);
 	gettimeofday(&p->done_time, NULL);
 	timersub(&p->done_time, &p->start_time, &done_delta);
 
@@ -2580,6 +2580,7 @@
 	p->pam.ra = clone_str(ipstr(&st->st_remoteaddr, &ra), "st remote address");
 	p->pam.c_instance_serial = st->st_connection->instance_serial;
 	p->pam.st_serialno = st->st_serialno;
+	p->pam.atype = "IKEv2";
 
 	p->next = pluto_v2_pam_helpers;
 	pluto_v2_pam_helpers = p;
diff -Naur libreswan-3.15-orig/programs/pluto/pam_conv.c libreswan-3.15/programs/pluto/pam_conv.c
--- libreswan-3.15-orig/programs/pluto/pam_conv.c	2015-08-24 16:52:43.000000000 -0400
+++ libreswan-3.15/programs/pluto/pam_conv.c	2015-09-03 11:32:27.526000000 -0400
@@ -10,7 +10,7 @@
  * Copyright (C) 2012-2013 Paul Wouters <pwouters@redhat.com>
  * Copyright (C) 2012-2013 Philippe Vouters <philippe.vouters@laposte.net>
  * Copyright (C) 2013 David McCullough <ucdevel@gmail.com>
- * Copyright (C) 2013 Antony Antony <antony@phenome.org>
+ * Copyright (C) 2013-2015 Antony Antony <antony@phenome.org>
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -109,15 +109,25 @@
 	return PAM_SUCCESS;
 }
 
+static void log_pam_step(const struct pam_thread_arg *arg, const char *what,
+		const char *how)
+{
+	DBG(DBG_CONTROL, DBG_log("%s helper thread %s %s for "
+                                "state #%lu, %s[%lu] user=%s.",
+				arg->atype, what, how,
+				arg->st_serialno, arg->c_name,
+				arg->c_instance_serial, arg->name));
+
+}
+
 /*
  * Do IKEv2 second authentication via PAM (Plugable Authentication Modules)
  *
  * @return bool success
  */
 /* IN AN AUTH THREAD */
-bool ikev2_do_pam_authentication(void *varg)
+bool do_pam_authentication(struct pam_thread_arg *arg)
 {
-	struct pam_thread_arg *arg = varg;
 	int retval;
 	pam_handle_t *pamh = NULL;
 	struct pam_conv conv;
@@ -129,22 +139,20 @@
 	 */
 	do {
 		conv.conv = pam_conv;
-		conv.appdata_ptr = varg;
+		conv.appdata_ptr = arg;
 
 		what = "pam_start";
 		retval = pam_start("pluto", arg->name, &conv, &pamh);
 		if (retval != PAM_SUCCESS)
 			break;
-
-		DBG(DBG_CONTROL, DBG_log("pam_start SUCCESS"));
+		log_pam_step(arg, what, "SUCCESS");
 
 		/* Send the remote host address to PAM */
 		what = "pam_set_item";
 		retval = pam_set_item(pamh, PAM_RHOST, arg->ra);
 		if (retval != PAM_SUCCESS)
 			break;
-
-		DBG(DBG_CONTROL, DBG_log("pam_set_item SUCCESS"));
+		log_pam_step(arg, what, "SUCCESS");
 
 		/* Two factor authentication - Check that the user is valid,
 		 * and then check if they are permitted access
@@ -154,16 +162,16 @@
 
 		if (retval != PAM_SUCCESS)
 			break;
+		log_pam_step(arg, what, "SUCCESS");
 
-		DBG(DBG_CONTROL, DBG_log("pam_authenticate SUCCESS"));
-
-		what = "pam_acct_mgmt";
 		retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
 		if (retval != PAM_SUCCESS)
 			break;
 
+		what = "pam";
+		log_pam_step(arg, what, "SUCCESS");
+
 		/* success! */
-		libreswan_log("IKEv2: PAM_SUCCESS");
 		pam_end(pamh, PAM_SUCCESS);
 		return TRUE;
 	} while (FALSE);
diff -Naur libreswan-3.15-orig/programs/pluto/pam_conv.h libreswan-3.15/programs/pluto/pam_conv.h
--- libreswan-3.15-orig/programs/pluto/pam_conv.h	2015-08-24 16:52:43.000000000 -0400
+++ libreswan-3.15/programs/pluto/pam_conv.h	2015-09-03 11:32:27.527000000 -0400
@@ -23,9 +23,10 @@
 	char *ra;
 	so_serial_t st_serialno;
 	unsigned long c_instance_serial;
+	char *atype;  /* string XAUTH or IKEv2 */
 };
 
-extern bool ikev2_do_pam_authentication(void *varg);
+extern bool do_pam_authentication(struct pam_thread_arg *arg);
 int pam_conv(int num_msg, const struct pam_message **msgm,
 					  struct pam_response **response, void
 					  *appdata_ptr);