Blame - include/pam_authenticate.hpp - openbmc/bmcweb

blob: 7af28ad987aa2fa898f16c54e9d2a12edbc43612 [file] [log] [blame]

Ed Tanous	911ac31	2017-08-15 09:37:42 -0700	[diff] [blame]	1	#pragma once
				2
Ed Tanous	f3d847c	2017-06-12 16:01:42 -0700	[diff] [blame]	3	#include <security/pam_appl.h>
Ed Tanous	1abe55e	2018-09-05 08:30:59 -0700	[diff] [blame]	4
				5	#include <boost/utility/string_view.hpp>
Gunnar Mills	1214b7e	2020-06-04 10:11:30 -0500	[diff] [blame]	6
Ed Tanous	911ac31	2017-08-15 09:37:42 -0700	[diff] [blame]	7	#include <cstring>
Ed Tanous	e0d918b	2018-03-27 17:41:04 -0700	[diff] [blame]	8	#include <memory>
Patrick Williams	ad7fa90	2023-05-10 19:57:29 -0500	[diff] [blame]	9	#include <span>
Ed Tanous	f3d847c	2017-06-12 16:01:42 -0700	[diff] [blame]	10
				11	// function used to get user input
Ed Tanous	55c7b7a	2018-05-22 15:27:24 -0700	[diff] [blame]	12	inline int pamFunctionConversation(int numMsg, const struct pam_message** msg,
Ed Tanous	1abe55e	2018-09-05 08:30:59 -0700	[diff] [blame]	13	struct pam_response** resp, void* appdataPtr)
				14	{
Patrick Williams	ad7fa90	2023-05-10 19:57:29 -0500	[diff] [blame]	15	if ((appdataPtr == nullptr) \|\| (msg == nullptr) \|\| (resp == nullptr))
Ed Tanous	1abe55e	2018-09-05 08:30:59 -0700	[diff] [blame]	16	{
P Dheeraj Srujan Kumar	ba95fcc	2021-07-12 21:47:59 +0530	[diff] [blame]	17	return PAM_CONV_ERR;
Ed Tanous	1abe55e	2018-09-05 08:30:59 -0700	[diff] [blame]	18	}
P Dheeraj Srujan Kumar	ba95fcc	2021-07-12 21:47:59 +0530	[diff] [blame]	19
				20	if (numMsg <= 0 \|\| numMsg >= PAM_MAX_NUM_MSG)
Ed Tanous	f1eebf0	2019-03-04 15:57:09 -0800	[diff] [blame]	21	{
P Dheeraj Srujan Kumar	ba95fcc	2021-07-12 21:47:59 +0530	[diff] [blame]	22	return PAM_CONV_ERR;
Ed Tanous	f1eebf0	2019-03-04 15:57:09 -0800	[diff] [blame]	23	}
				24
Patrick Williams	ad7fa90	2023-05-10 19:57:29 -0500	[diff] [blame]	25	auto msgCount = static_cast<size_t>(numMsg);
				26	auto messages = std::span(msg, msgCount);
				27	auto responses = std::span(resp, msgCount);
				28
				29	for (size_t i = 0; i < msgCount; ++i)
Ed Tanous	1abe55e	2018-09-05 08:30:59 -0700	[diff] [blame]	30	{
				31	/* Ignore all PAM messages except prompting for hidden input */
Patrick Williams	ad7fa90	2023-05-10 19:57:29 -0500	[diff] [blame]	32	if (messages[i]->msg_style != PAM_PROMPT_ECHO_OFF)
Ed Tanous	1abe55e	2018-09-05 08:30:59 -0700	[diff] [blame]	33	{
				34	continue;
				35	}
				36
				37	/* Assume PAM is only prompting for the password as hidden input */
P Dheeraj Srujan Kumar	ba95fcc	2021-07-12 21:47:59 +0530	[diff] [blame]	38	/* Allocate memory only when PAM_PROMPT_ECHO_OFF is encounterred */
				39
Ed Tanous	46ff87b	2022-01-07 09:25:51 -0800	[diff] [blame]	40	// NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
P Dheeraj Srujan Kumar	ba95fcc	2021-07-12 21:47:59 +0530	[diff] [blame]	41	char* appPass = reinterpret_cast<char*>(appdataPtr);
				42	size_t appPassSize = std::strlen(appPass);
				43
				44	if ((appPassSize + 1) > PAM_MAX_RESP_SIZE)
				45	{
				46	return PAM_CONV_ERR;
				47	}
Ed Tanous	46ff87b	2022-01-07 09:25:51 -0800	[diff] [blame]	48	// IDeally we'd like to avoid using malloc here, but because we're
				49	// passing off ownership of this to a C application, there aren't a lot
				50	// of sane ways to avoid it.
P Dheeraj Srujan Kumar	ba95fcc	2021-07-12 21:47:59 +0530	[diff] [blame]	51
Ed Tanous	46ff87b	2022-01-07 09:25:51 -0800	[diff] [blame]	52	// NOLINTNEXTLINE(cppcoreguidelines-no-malloc)'
				53	void* passPtr = malloc(appPassSize + 1);
				54	// NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
				55	char* pass = reinterpret_cast<char*>(passPtr);
P Dheeraj Srujan Kumar	ba95fcc	2021-07-12 21:47:59 +0530	[diff] [blame]	56	if (pass == nullptr)
				57	{
				58	return PAM_BUF_ERR;
				59	}
				60
				61	std::strncpy(pass, appPass, appPassSize + 1);
				62
Ed Tanous	46ff87b	2022-01-07 09:25:51 -0800	[diff] [blame]	63	size_t numMsgSize = static_cast<size_t>(numMsg);
Ed Tanous	fcc5aa6	2022-01-07 09:40:43 -0800	[diff] [blame]	64	// NOLINTNEXTLINE(cppcoreguidelines-no-malloc)
Ed Tanous	46ff87b	2022-01-07 09:25:51 -0800	[diff] [blame]	65	void* ptr = calloc(numMsgSize, sizeof(struct pam_response));
P Dheeraj Srujan Kumar	ba95fcc	2021-07-12 21:47:59 +0530	[diff] [blame]	66	if (ptr == nullptr)
				67	{
Ed Tanous	fcc5aa6	2022-01-07 09:40:43 -0800	[diff] [blame]	68	// NOLINTNEXTLINE(cppcoreguidelines-no-malloc)
P Dheeraj Srujan Kumar	ba95fcc	2021-07-12 21:47:59 +0530	[diff] [blame]	69	free(pass);
				70	return PAM_BUF_ERR;
				71	}
				72
Ed Tanous	46ff87b	2022-01-07 09:25:51 -0800	[diff] [blame]	73	// NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
P Dheeraj Srujan Kumar	ba95fcc	2021-07-12 21:47:59 +0530	[diff] [blame]	74	resp = reinterpret_cast<pam_response>(ptr);
Ed Tanous	46ff87b	2022-01-07 09:25:51 -0800	[diff] [blame]	75
Patrick Williams	ad7fa90	2023-05-10 19:57:29 -0500	[diff] [blame]	76	responses[i]->resp = pass;
P Dheeraj Srujan Kumar	ba95fcc	2021-07-12 21:47:59 +0530	[diff] [blame]	77
				78	return PAM_SUCCESS;
Ed Tanous	911ac31	2017-08-15 09:37:42 -0700	[diff] [blame]	79	}
Ed Tanous	f3d847c	2017-06-12 16:01:42 -0700	[diff] [blame]	80
P Dheeraj Srujan Kumar	ba95fcc	2021-07-12 21:47:59 +0530	[diff] [blame]	81	return PAM_CONV_ERR;
Ed Tanous	f3d847c	2017-06-12 16:01:42 -0700	[diff] [blame]	82	}
				83
Joseph Reynolds	d887fff	2020-01-14 16:34:09 -0600	[diff] [blame]	84	/**
				85	* @brief Attempt username/password authentication via PAM.
				86	* @param username The provided username aka account name.
				87	* @param password The provided password.
				88	* @returns PAM error code or PAM_SUCCESS for success. */
Ed Tanous	26ccae3	2023-02-16 10:28:44 -0800	[diff] [blame]	89	inline int pamAuthenticateUser(std::string_view username,
				90	std::string_view password)
Ed Tanous	1abe55e	2018-09-05 08:30:59 -0700	[diff] [blame]	91	{
				92	std::string userStr(username);
				93	std::string passStr(password);
Ed Tanous	4ecc618	2022-01-07 09:36:26 -0800	[diff] [blame]	94
				95	// NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast)
				96	char* passStrNoConst = const_cast<char*>(passStr.c_str());
				97	const struct pam_conv localConversation = {pamFunctionConversation,
				98	passStrNoConst};
Ed Tanous	99131cd	2019-10-24 11:12:47 -0700	[diff] [blame]	99	pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start
Ed Tanous	f3d847c	2017-06-12 16:01:42 -0700	[diff] [blame]	100
Joseph Reynolds	d887fff	2020-01-14 16:34:09 -0600	[diff] [blame]	101	int retval = pam_start("webserver", userStr.c_str(), &localConversation,
				102	&localAuthHandle);
Ed Tanous	1abe55e	2018-09-05 08:30:59 -0700	[diff] [blame]	103	if (retval != PAM_SUCCESS)
				104	{
Joseph Reynolds	d887fff	2020-01-14 16:34:09 -0600	[diff] [blame]	105	return retval;
				106	}
				107
				108	retval = pam_authenticate(localAuthHandle,
				109	PAM_SILENT \| PAM_DISALLOW_NULL_AUTHTOK);
				110	if (retval != PAM_SUCCESS)
				111	{
				112	pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval
				113	return retval;
Ed Tanous	1abe55e	2018-09-05 08:30:59 -0700	[diff] [blame]	114	}
Ed Tanous	911ac31	2017-08-15 09:37:42 -0700	[diff] [blame]	115
Ed Tanous	1abe55e	2018-09-05 08:30:59 -0700	[diff] [blame]	116	/* check that the account is healthy */
Joseph Reynolds	d887fff	2020-01-14 16:34:09 -0600	[diff] [blame]	117	retval = pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK);
				118	if (retval != PAM_SUCCESS)
Ed Tanous	1abe55e	2018-09-05 08:30:59 -0700	[diff] [blame]	119	{
Joseph Reynolds	d887fff	2020-01-14 16:34:09 -0600	[diff] [blame]	120	pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval
				121	return retval;
Ed Tanous	1abe55e	2018-09-05 08:30:59 -0700	[diff] [blame]	122	}
Ed Tanous	911ac31	2017-08-15 09:37:42 -0700	[diff] [blame]	123
Joseph Reynolds	d887fff	2020-01-14 16:34:09 -0600	[diff] [blame]	124	return pam_end(localAuthHandle, PAM_SUCCESS);
Ed Tanous	911ac31	2017-08-15 09:37:42 -0700	[diff] [blame]	125	}
Ed Tanous	a840879	2018-09-05 16:08:38 -0700	[diff] [blame]	126
jayaprakash Mutyala	66b5ca7	2019-08-07 20:26:37 +0000	[diff] [blame]	127	inline int pamUpdatePassword(const std::string& username,
				128	const std::string& password)
Ed Tanous	a840879	2018-09-05 16:08:38 -0700	[diff] [blame]	129	{
Ed Tanous	4ecc618	2022-01-07 09:36:26 -0800	[diff] [blame]	130	// NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast)
				131	char* passStrNoConst = const_cast<char*>(password.c_str());
				132	const struct pam_conv localConversation = {pamFunctionConversation,
				133	passStrNoConst};
Ed Tanous	99131cd	2019-10-24 11:12:47 -0700	[diff] [blame]	134	pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start
Ed Tanous	a840879	2018-09-05 16:08:38 -0700	[diff] [blame]	135
Joseph Reynolds	96b39e0	2019-12-05 17:53:35 -0600	[diff] [blame]	136	int retval = pam_start("webserver", username.c_str(), &localConversation,
jayaprakash Mutyala	66b5ca7	2019-08-07 20:26:37 +0000	[diff] [blame]	137	&localAuthHandle);
Ed Tanous	a840879	2018-09-05 16:08:38 -0700	[diff] [blame]	138
				139	if (retval != PAM_SUCCESS)
				140	{
jayaprakash Mutyala	66b5ca7	2019-08-07 20:26:37 +0000	[diff] [blame]	141	return retval;
Ed Tanous	a840879	2018-09-05 16:08:38 -0700	[diff] [blame]	142	}
				143
jayaprakash Mutyala	66b5ca7	2019-08-07 20:26:37 +0000	[diff] [blame]	144	retval = pam_chauthtok(localAuthHandle, PAM_SILENT);
				145	if (retval != PAM_SUCCESS)
Ed Tanous	a840879	2018-09-05 16:08:38 -0700	[diff] [blame]	146	{
jayaprakash Mutyala	66b5ca7	2019-08-07 20:26:37 +0000	[diff] [blame]	147	pam_end(localAuthHandle, PAM_SUCCESS);
				148	return retval;
Ed Tanous	a840879	2018-09-05 16:08:38 -0700	[diff] [blame]	149	}
				150
jayaprakash Mutyala	66b5ca7	2019-08-07 20:26:37 +0000	[diff] [blame]	151	return pam_end(localAuthHandle, PAM_SUCCESS);
Ed Tanous	a840879	2018-09-05 16:08:38 -0700	[diff] [blame]	152	}