Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 3369dd6276da9c25aadff687f17e81e31b4c7b59 / . / include / pam_authenticate.hpp
blob: 9854df6150414a1e8725bf0b43651e131e7e5597 [file] [log] [blame]
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]1#pragma once
2
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]3#include <security/pam_appl.h>
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]4
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]5#include <cstring>
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame]6#include <memory>
Patrick Williamsad7fa902023-05-10 19:57:29 -0500[diff] [blame]7#include <span>
Ed Tanous5b904292024-04-16 11:10:17 -0700[diff] [blame]8#include <string_view>
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]9
10// function used to get user input
Ed Tanous55c7b7a2018-05-22 15:27:24 -0700[diff] [blame]11inline int pamFunctionConversation(int numMsg, const struct pam_message** msg,
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]12 struct pam_response** resp, void* appdataPtr)
13{
Patrick Williamsad7fa902023-05-10 19:57:29 -0500[diff] [blame]14 if ((appdataPtr == nullptr) || (msg == nullptr) || (resp == nullptr))
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]15 {
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]16 return PAM_CONV_ERR;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]17 }
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]18
19 if (numMsg <= 0 || numMsg >= PAM_MAX_NUM_MSG)
Ed Tanousf1eebf02019-03-04 15:57:09 -0800[diff] [blame]20 {
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]21 return PAM_CONV_ERR;
Ed Tanousf1eebf02019-03-04 15:57:09 -0800[diff] [blame]22 }
23
Patrick Williamsad7fa902023-05-10 19:57:29 -0500[diff] [blame]24 auto msgCount = static_cast<size_t>(numMsg);
25 auto messages = std::span(msg, msgCount);
26 auto responses = std::span(resp, msgCount);
27
28 for (size_t i = 0; i < msgCount; ++i)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]29 {
30 /* Ignore all PAM messages except prompting for hidden input */
Patrick Williamsad7fa902023-05-10 19:57:29 -0500[diff] [blame]31 if (messages[i]->msg_style != PAM_PROMPT_ECHO_OFF)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]32 {
33 continue;
34 }
35
36 /* Assume PAM is only prompting for the password as hidden input */
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]37 /* Allocate memory only when PAM_PROMPT_ECHO_OFF is encounterred */
38
Ed Tanous46ff87b2022-01-07 09:25:51 -0800[diff] [blame]39 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]40 char* appPass = reinterpret_cast<char*>(appdataPtr);
41 size_t appPassSize = std::strlen(appPass);
42
43 if ((appPassSize + 1) > PAM_MAX_RESP_SIZE)
44 {
45 return PAM_CONV_ERR;
46 }
Ed Tanous46ff87b2022-01-07 09:25:51 -0800[diff] [blame]47 // IDeally we'd like to avoid using malloc here, but because we're
48 // passing off ownership of this to a C application, there aren't a lot
49 // of sane ways to avoid it.
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]50
Ed Tanous7b8270c2023-06-06 11:44:21 -0700[diff] [blame]51 // NOLINTNEXTLINE(cppcoreguidelines-no-malloc)
Ed Tanous46ff87b2022-01-07 09:25:51 -0800[diff] [blame]52 void* passPtr = malloc(appPassSize + 1);
53 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
54 char* pass = reinterpret_cast<char*>(passPtr);
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]55 if (pass == nullptr)
56 {
57 return PAM_BUF_ERR;
58 }
59
60 std::strncpy(pass, appPass, appPassSize + 1);
61
Ed Tanous46ff87b2022-01-07 09:25:51 -0800[diff] [blame]62 size_t numMsgSize = static_cast<size_t>(numMsg);
Ed Tanousfcc5aa62022-01-07 09:40:43 -0800[diff] [blame]63 // NOLINTNEXTLINE(cppcoreguidelines-no-malloc)
Ed Tanous46ff87b2022-01-07 09:25:51 -0800[diff] [blame]64 void* ptr = calloc(numMsgSize, sizeof(struct pam_response));
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]65 if (ptr == nullptr)
66 {
Ed Tanousfcc5aa62022-01-07 09:40:43 -0800[diff] [blame]67 // NOLINTNEXTLINE(cppcoreguidelines-no-malloc)
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]68 free(pass);
69 return PAM_BUF_ERR;
70 }
71
Ed Tanous46ff87b2022-01-07 09:25:51 -0800[diff] [blame]72 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]73 *resp = reinterpret_cast<pam_response*>(ptr);
Ed Tanous46ff87b2022-01-07 09:25:51 -0800[diff] [blame]74
Patrick Williamsad7fa902023-05-10 19:57:29 -0500[diff] [blame]75 responses[i]->resp = pass;
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]76
77 return PAM_SUCCESS;
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]78 }
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]79
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]80 return PAM_CONV_ERR;
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]81}
82
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]83/**
84 * @brief Attempt username/password authentication via PAM.
85 * @param username The provided username aka account name.
86 * @param password The provided password.
87 * @returns PAM error code or PAM_SUCCESS for success. */
Ed Tanous26ccae32023-02-16 10:28:44 -0800[diff] [blame]88inline int pamAuthenticateUser(std::string_view username,
89 std::string_view password)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]90{
91 std::string userStr(username);
92 std::string passStr(password);
Ed Tanous4ecc6182022-01-07 09:36:26 -0800[diff] [blame]93
Ed Tanousf9c794f2023-06-06 11:46:49 -0700[diff] [blame]94 char* passStrNoConst = passStr.data();
Ed Tanous4ecc6182022-01-07 09:36:26 -0800[diff] [blame]95 const struct pam_conv localConversation = {pamFunctionConversation,
96 passStrNoConst};
Ed Tanous99131cd2019-10-24 11:12:47 -0700[diff] [blame]97 pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]98
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]99 int retval = pam_start("webserver", userStr.c_str(), &localConversation,
100 &localAuthHandle);
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]101 if (retval != PAM_SUCCESS)
102 {
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]103 return retval;
104 }
105
106 retval = pam_authenticate(localAuthHandle,
107 PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
108 if (retval != PAM_SUCCESS)
109 {
110 pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval
111 return retval;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]112 }
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]113
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]114 /* check that the account is healthy */
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]115 retval = pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK);
116 if (retval != PAM_SUCCESS)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]117 {
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]118 pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval
119 return retval;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]120 }
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]121
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]122 return pam_end(localAuthHandle, PAM_SUCCESS);
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]123}
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]124
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]125inline int pamUpdatePassword(const std::string& username,
126 const std::string& password)
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]127{
Ed Tanous4ecc6182022-01-07 09:36:26 -0800[diff] [blame]128 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast)
129 char* passStrNoConst = const_cast<char*>(password.c_str());
130 const struct pam_conv localConversation = {pamFunctionConversation,
131 passStrNoConst};
Ed Tanous99131cd2019-10-24 11:12:47 -0700[diff] [blame]132 pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]133
Joseph Reynolds96b39e02019-12-05 17:53:35 -0600[diff] [blame]134 int retval = pam_start("webserver", username.c_str(), &localConversation,
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]135 &localAuthHandle);
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]136
137 if (retval != PAM_SUCCESS)
138 {
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]139 return retval;
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]140 }
141
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]142 retval = pam_chauthtok(localAuthHandle, PAM_SILENT);
143 if (retval != PAM_SUCCESS)
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]144 {
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]145 pam_end(localAuthHandle, PAM_SUCCESS);
146 return retval;
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]147 }
148
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]149 return pam_end(localAuthHandle, PAM_SUCCESS);
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]150}