Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / ce05f6c443944f7243e7a134990e7ce689c61f49 / . / include / pam_authenticate.hpp
blob: ca8c8d3250d48968bb3e87965cbf5529e5d7de62 [file] [log] [blame]
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]1#pragma once
2
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]3#include <security/pam_appl.h>
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]4
5#include <boost/utility/string_view.hpp>
Gunnar Mills1214b7e2020-06-04 10:11:30 -0500[diff] [blame]6
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]7#include <cstring>
Ed Tanouse0d918b2018-03-27 17:41:04 -0700[diff] [blame]8#include <memory>
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]9
10// function used to get user input
Ed Tanous55c7b7a2018-05-22 15:27:24 -0700[diff] [blame]11inline int pamFunctionConversation(int numMsg, const struct pam_message** msg,
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]12 struct pam_response** resp, void* appdataPtr)
13{
14 if (appdataPtr == nullptr)
15 {
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]16 return PAM_CONV_ERR;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]17 }
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]18
19 if (numMsg <= 0 || numMsg >= PAM_MAX_NUM_MSG)
Ed Tanousf1eebf02019-03-04 15:57:09 -0800[diff] [blame]20 {
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]21 return PAM_CONV_ERR;
Ed Tanousf1eebf02019-03-04 15:57:09 -0800[diff] [blame]22 }
23
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]24 for (int i = 0; i < numMsg; ++i)
25 {
26 /* Ignore all PAM messages except prompting for hidden input */
Ed Tanousca45aa32022-01-07 09:28:45 -0800[diff] [blame]27 // NOLINTNEXTLINE(cppcoreguidelines-pro-bounds-pointer-arithmetic)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]28 if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF)
29 {
30 continue;
31 }
32
33 /* Assume PAM is only prompting for the password as hidden input */
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]34 /* Allocate memory only when PAM_PROMPT_ECHO_OFF is encounterred */
35
Ed Tanous46ff87b2022-01-07 09:25:51 -0800[diff] [blame]36 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]37 char* appPass = reinterpret_cast<char*>(appdataPtr);
38 size_t appPassSize = std::strlen(appPass);
39
40 if ((appPassSize + 1) > PAM_MAX_RESP_SIZE)
41 {
42 return PAM_CONV_ERR;
43 }
Ed Tanous46ff87b2022-01-07 09:25:51 -0800[diff] [blame]44 // IDeally we'd like to avoid using malloc here, but because we're
45 // passing off ownership of this to a C application, there aren't a lot
46 // of sane ways to avoid it.
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]47
Ed Tanous46ff87b2022-01-07 09:25:51 -0800[diff] [blame]48 // NOLINTNEXTLINE(cppcoreguidelines-no-malloc)'
49 void* passPtr = malloc(appPassSize + 1);
50 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
51 char* pass = reinterpret_cast<char*>(passPtr);
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]52 if (pass == nullptr)
53 {
54 return PAM_BUF_ERR;
55 }
56
57 std::strncpy(pass, appPass, appPassSize + 1);
58
Ed Tanous46ff87b2022-01-07 09:25:51 -0800[diff] [blame]59 size_t numMsgSize = static_cast<size_t>(numMsg);
Ed Tanousfcc5aa62022-01-07 09:40:43 -0800[diff] [blame]60 // NOLINTNEXTLINE(cppcoreguidelines-no-malloc)
Ed Tanous46ff87b2022-01-07 09:25:51 -0800[diff] [blame]61 void* ptr = calloc(numMsgSize, sizeof(struct pam_response));
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]62 if (ptr == nullptr)
63 {
Ed Tanousfcc5aa62022-01-07 09:40:43 -0800[diff] [blame]64 // NOLINTNEXTLINE(cppcoreguidelines-no-malloc)
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]65 free(pass);
66 return PAM_BUF_ERR;
67 }
68
Ed Tanous46ff87b2022-01-07 09:25:51 -0800[diff] [blame]69 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]70 *resp = reinterpret_cast<pam_response*>(ptr);
Ed Tanous46ff87b2022-01-07 09:25:51 -0800[diff] [blame]71
Ed Tanousca45aa32022-01-07 09:28:45 -0800[diff] [blame]72 // NOLINTNEXTLINE(cppcoreguidelines-pro-bounds-pointer-arithmetic)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]73 resp[i]->resp = pass;
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]74
75 return PAM_SUCCESS;
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]76 }
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]77
P Dheeraj Srujan Kumarba95fcc2021-07-12 21:47:59 +0530[diff] [blame]78 return PAM_CONV_ERR;
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]79}
80
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]81/**
82 * @brief Attempt username/password authentication via PAM.
83 * @param username The provided username aka account name.
84 * @param password The provided password.
85 * @returns PAM error code or PAM_SUCCESS for success. */
86inline int pamAuthenticateUser(const std::string_view username,
87 const std::string_view password)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]88{
89 std::string userStr(username);
90 std::string passStr(password);
Ed Tanous4ecc6182022-01-07 09:36:26 -0800[diff] [blame]91
92 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast)
93 char* passStrNoConst = const_cast<char*>(passStr.c_str());
94 const struct pam_conv localConversation = {pamFunctionConversation,
95 passStrNoConst};
Ed Tanous99131cd2019-10-24 11:12:47 -0700[diff] [blame]96 pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start
Ed Tanousf3d847c2017-06-12 16:01:42 -0700[diff] [blame]97
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]98 int retval = pam_start("webserver", userStr.c_str(), &localConversation,
99 &localAuthHandle);
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]100 if (retval != PAM_SUCCESS)
101 {
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]102 return retval;
103 }
104
105 retval = pam_authenticate(localAuthHandle,
106 PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
107 if (retval != PAM_SUCCESS)
108 {
109 pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval
110 return retval;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]111 }
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]112
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]113 /* check that the account is healthy */
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]114 retval = pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK);
115 if (retval != PAM_SUCCESS)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]116 {
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]117 pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval
118 return retval;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]119 }
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]120
Joseph Reynoldsd887fff2020-01-14 16:34:09 -0600[diff] [blame]121 return pam_end(localAuthHandle, PAM_SUCCESS);
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]122}
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]123
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]124inline int pamUpdatePassword(const std::string& username,
125 const std::string& password)
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]126{
Ed Tanous4ecc6182022-01-07 09:36:26 -0800[diff] [blame]127 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast)
128 char* passStrNoConst = const_cast<char*>(password.c_str());
129 const struct pam_conv localConversation = {pamFunctionConversation,
130 passStrNoConst};
Ed Tanous99131cd2019-10-24 11:12:47 -0700[diff] [blame]131 pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]132
Joseph Reynolds96b39e02019-12-05 17:53:35 -0600[diff] [blame]133 int retval = pam_start("webserver", username.c_str(), &localConversation,
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]134 &localAuthHandle);
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]135
136 if (retval != PAM_SUCCESS)
137 {
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]138 return retval;
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]139 }
140
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]141 retval = pam_chauthtok(localAuthHandle, PAM_SILENT);
142 if (retval != PAM_SUCCESS)
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]143 {
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]144 pam_end(localAuthHandle, PAM_SUCCESS);
145 return retval;
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]146 }
147
jayaprakash Mutyala66b5ca72019-08-07 20:26:37 +0000[diff] [blame]148 return pam_end(localAuthHandle, PAM_SUCCESS);
Ed Tanousa8408792018-09-05 16:08:38 -0700[diff] [blame]149}