Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / pam-ipmi / 216f2139a4ab302e8cb2d3b85ff87b4747db7b60 / . / src / pam_ipmisave / pam_ipmisave.c
blob: bad10dd30cb0595f277225279bc847bbd7369e5d [file] [log] [blame]
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530[diff] [blame^]1/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16
17#include <syslog.h>
18#include <stdio.h>
19#include <stdlib.h>
20#include <stdarg.h>
21#include <string.h>
22#include <unistd.h>
23#include <sys/stat.h>
24#include <fcntl.h>
25
26#include <security/pam_modules.h>
27#include <security/pam_ext.h>
28#include <security/pam_modutil.h>
29
30#include <openssl/evp.h>
31#include <openssl/hmac.h>
32#include <openssl/rand.h>
33
34/*
35 * This module is intended to save password of special group user
36 *
37 */
38
39#define MAX_SPEC_GRP_PASS_LENGTH 20
40#define MAX_SPEC_GRP_USER_LENGTH 16
41#define MAX_KEY_SIZE 8
42#define DEFAULT_SPEC_PASS_FILE "/etc/ipmi_pass"
43#define META_PASSWD_SIG "=OPENBMC="
44#define block_round(ODD, BLK) \
45 ((ODD) + (((BLK) - ((ODD) & ((BLK)-1))) & ((BLK)-1)))
46
47/*
48 * Meta data struct for storing the encrypted password file
49 * Note: Followed by this structure, the real data of hash, iv, encrypted data
50 * with pad and mac are stored.
51 * Decrypted data will hold user name & password for every new line with format
52 * like <user name>:<password>\n
53 */
54typedef struct metapassstruct {
55 char signature[10];
56 unsigned char reseved[2];
57 size_t hashsize;
58 size_t ivsize;
59 size_t datasize;
60 size_t padsize;
61 size_t macsize;
62} metapassstruct;
63
64/**
65 * @brief to acquire lock for atomic operation
66 * Internally uses lckpwdf to acquire the lock. Tries to acquire the lock
67 * using lckpwdf() in interval of 1ms, with maximum of 100 attempts.
68 *
69 * @return PAM_SUCCESS for success / PAM_AUTHTOK_LOCK_BUSY for failure
70 */
71int lock_pwdf(void)
72{
73 int i;
74 int retval;
75
76 i = 0;
77 while ((retval = lckpwdf()) != 0 && i < 100) {
78 usleep(1000);
79 i++;
80 }
81 if (retval != 0) {
82 return PAM_AUTHTOK_LOCK_BUSY;
83 }
84 return PAM_SUCCESS;
85}
86
87/**
88 * @brief unlock the acquired lock
89 * Internally uses ulckpwdf to release the lock
90 */
91void unlock_pwdf(void)
92{
93 ulckpwdf();
94}
95
96/**
97 * @brief to get argument value of option
98 * Function to get the value of argument options.
99 *
100 * @param[in] pamh - pam handle
101 * @param[in] option - argument option to which value has to returned
102 * @param[in] argc - argument count
103 * @param[in] argv - array of arguments
104 */
105static const char *get_option(const pam_handle_t *pamh, const char *option,
106 int argc, const char **argv)
107{
108 int i;
109 size_t len;
110
111 len = strlen(option);
112
113 for (i = 0; i < argc; ++i) {
114 if (strncmp(option, argv[i], len) == 0) {
115 if (argv[i][len] == '=') {
116 return &argv[i][len + 1];
117 }
118 }
119 }
120 return NULL;
121}
122
123/**
124 * @brief encrypt or decrypt function
125 * Function which will do the encryption or decryption of the data.
126 *
127 * @param[in] pamh - pam handle.
128 * @param[in] isencrypt - encrypt or decrypt option.
129 * @param[in] cipher - EVP_CIPHER to be used
130 * @param[in] key - key which has to be used in EVP_CIPHER api's.
131 * @param[in] keylen - Length of the key.
132 * @param[in] iv - Initialization vector data, used along with key
133 * @param[in] ivlen - Length of IV.
134 * @param[in] inbytes - buffer which has to be encrypted or decrypted.
135 * @param[in] inbyteslen - length of input buffer.
136 * @param[in] outbytes - buffer to store decrypted or encrypted data.
137 * @param[in] outbyteslen - length of output buffer
138 * @param[in/out] mac - checksum to cross verify. Will be verified for decrypt
139 * and returns for encrypt.
140 * @param[in/out] maclen - length of checksum
141 * @return - 0 for success -1 for failures.
142 */
143int encrypt_decrypt_data(const pam_handle_t *pamh, int isencrypt,
144 const EVP_CIPHER *cipher, const char *key,
145 size_t keylen, const char *iv, size_t ivlen,
146 const char *inbytes, size_t inbyteslen, char *outbytes,
147 size_t *outbyteslen, char *mac, size_t *maclen)
148{
149 EVP_CIPHER_CTX *ctx;
150 const EVP_MD *digest;
151 size_t outEVPlen = 0;
152 int retval = 0;
153 size_t outlen = 0;
154
155 if (cipher == NULL || key == NULL || iv == NULL || inbytes == NULL
156 || outbytes == NULL || mac == NULL || inbyteslen == 0
157 || EVP_CIPHER_key_length(cipher) > keylen
158 || EVP_CIPHER_iv_length(cipher) > ivlen) {
159 pam_syslog(pamh, LOG_DEBUG, "Invalid inputs");
160 return -1;
161 }
162
163 digest = EVP_sha256();
164 if (!isencrypt) {
165 char calmac[EVP_MAX_MD_SIZE];
166 size_t calmaclen = 0;
167 // calculate MAC for the encrypted message.
168 if (NULL
169 == HMAC(digest, key, keylen, inbytes, inbyteslen, calmac,
170 &calmaclen)) {
171 pam_syslog(pamh, LOG_DEBUG,
172 "Failed to verify authentication %d",
173 retval);
174 return -1;
175 }
176 if (!((calmaclen == *maclen)
177 && (memcmp(calmac, mac, calmaclen) == 0))) {
178 pam_syslog(pamh, LOG_DEBUG,
179 "Authenticated message doesn't match %d, %d",
180 calmaclen, *maclen);
181 return -1;
182 }
183 }
184
185 ctx = EVP_CIPHER_CTX_new();
186 EVP_CIPHER_CTX_set_padding(ctx, 1);
187
188 // Set key & IV
189 retval = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, isencrypt);
190 if (!retval) {
191 pam_syslog(pamh, LOG_DEBUG, "EVP_CipherInit_ex failed with %d",
192 retval);
193 EVP_CIPHER_CTX_free(ctx);
194 return -1;
195 }
196 if ((retval = EVP_CipherUpdate(ctx, outbytes + outlen, &outEVPlen,
197 inbytes, inbyteslen))) {
198 outlen += outEVPlen;
199 if ((retval = EVP_CipherFinal(ctx, outbytes + outlen,
200 &outEVPlen))) {
201 outlen += outEVPlen;
202 *outbyteslen = outlen;
203 } else {
204 pam_syslog(pamh, LOG_DEBUG,
205 "EVP_CipherFinal returns with %d", retval);
206 EVP_CIPHER_CTX_free(ctx);
207 return -1;
208 }
209 } else {
210 pam_syslog(pamh, LOG_DEBUG, "EVP_CipherUpdate returns with %d",
211 retval);
212 EVP_CIPHER_CTX_free(ctx);
213 return -1;
214 }
215 EVP_CIPHER_CTX_free(ctx);
216
217 if (isencrypt) {
218 // Create MAC for the encrypted message.
219 if (NULL
220 == HMAC(digest, key, keylen, outbytes, *outbyteslen, mac,
221 maclen)) {
222 pam_syslog(pamh, LOG_DEBUG,
223 "Failed to create authentication %d",
224 retval);
225 return -1;
226 }
227 }
228 return 0;
229}
230
231
232/**
233 * @brief get temporary file handle
234 * Function to get the temporary file handle, created using mkstemp
235 *
236 * @param[in] pamh - pam handle.
237 * @param[in/out] tempfilename - tempfilename, which will be used in mkstemp.
238 * @return - FILE handle for success. NULL for failure
239 */
240FILE * get_temp_file_handle(const pam_handle_t *pamh, char * const tempfilename)
241{
242 FILE *tempfile = NULL;
243 int fd = -1;
244 int oldmask = umask(077);
245 fd = mkstemp(tempfilename);
246 if (fd == -1) {
247 pam_syslog(pamh, LOG_DEBUG, "Error in creating temp file");
248 umask(oldmask);
249 return NULL;
250 }
251 pam_syslog(pamh, LOG_DEBUG, "Temporary file name is %s", tempfilename);
252
253 tempfile = fdopen(fd, "w");
254 umask(oldmask);
255 return tempfile;
256}
257
258
259/**
260 * @brief updates special password file
261 * Function to update the special password file. Stores the password against
262 * username in encrypted form along with meta data
263 *
264 * @param[in] pamh - pam handle.
265 * @param[in] keyfilename - file name where key seed is stored.
266 * @param[in] filename - special password file name
267 * @param[in] forwho - name of the user
268 * @param[in] towhat - password that has to stored in encrypted form
269 * @return - PAM_SUCCESS for success or PAM_AUTHTOK_ERR for failure
270 */
271int update_pass_special_file(const pam_handle_t *pamh, const char *keyfilename,
272 const char *filename, const char *forwho,
273 const char *towhat)
274{
275 struct stat st;
276 FILE *pwfile = NULL, *opwfile = NULL, *keyfile = NULL;
277 int err = 0, wroteentry = 0;
278 char tempfilename[1024];
279 size_t forwholen = strlen(forwho);
280 size_t towhatlen = strlen(towhat);
281 char keybuff[MAX_KEY_SIZE] = {0};
282 size_t keybuffsize = sizeof(keybuff);
283
284 const EVP_CIPHER *cipher = EVP_aes_128_cbc();
285 const EVP_MD *digest = EVP_sha256();
286
287 char *linebuff = NULL, *opwfilebuff = NULL, *opwptext = NULL;
288 size_t opwptextlen = 0, opwfilesize = 0;
289 metapassstruct *opwmp = NULL;
290
291 char *pwptext = NULL, *pwctext = NULL;
292 size_t pwctextlen = 0, pwptextlen = 0, maclen = 0;
293 size_t writtensize = 0, keylen = 0;
294 metapassstruct pwmp = {META_PASSWD_SIG, {0, 0}, .0, 0, 0, 0, 0};
295 char mac[EVP_MAX_MD_SIZE] = {0};
296 unsigned char key[EVP_MAX_KEY_LENGTH];
297 char iv[EVP_CIPHER_iv_length(cipher)];
298 char hash[EVP_MD_block_size(digest)];
299
300 // Following steps are performed in this function.
301 // Step 1: Create a temporary file - always update temporary file, and
302 // then swap it with original one, only if everything succeded at the end.
303 // Step 2: If file already exists, read the old file and decrypt it in buffer
304 // Step 3: Copy user/password pair from old buffer to new buffer,
305 // and update, if the user already exists with the new password
306 // Step 4: Encrypt the new buffer and write it to the temp file created
307 // at Step 1.
308 // Step 5. rename the temporary file name as special password file.
309
310 // verify the tempfilename buffer is enough to hold
311 // filename_XXXXXX (+1 for null).
312 if (strlen(filename)
313 > (sizeof(tempfilename) - strlen("__XXXXXX") - 1)) {
314 pam_syslog(pamh, LOG_DEBUG, "Not enough buffer, bailing out");
315 return PAM_AUTHTOK_ERR;
316 }
317 // Fetch the key from key file name.
318 keyfile = fopen(keyfilename, "r");
319 if (keyfile == NULL) {
320 pam_syslog(pamh, LOG_DEBUG, "Unable to open key file %s",
321 keyfilename);
322 return PAM_AUTHTOK_ERR;
323 }
324 if (fread(keybuff, 1, keybuffsize, keyfile) != keybuffsize) {
325 pam_syslog(pamh, LOG_DEBUG, "Key file read failed");
326 fclose(keyfile);
327 return PAM_AUTHTOK_ERR;
328 }
329 fclose(keyfile);
330
331 // Step 1: Try to create a temporary file, in which all the update will happen
332 // then it will be renamed to the original file. This is done to have
333 // atomic operation.
334 snprintf(tempfilename, sizeof(tempfilename), "%s__XXXXXX", filename);
335 pwfile = get_temp_file_handle(pamh, tempfilename);
336 if (pwfile == NULL) {
337 err = 1;
338 goto done;
339 }
340
341 // Update temporary file stat by reading the special password file
342 opwfile = fopen(filename, "r");
343 if (opwfile != NULL) {
344 if (fstat(fileno(opwfile), &st) == -1) {
345 fclose(opwfile);
346 fclose(pwfile);
347 err = 1;
348 goto done;
349 }
350 } else { // Create with this settings if file is not present.
351 memset(&st, 0, sizeof(st));
352 st.st_mode = 0x8000 | S_IRUSR;
353 }
354 if ((fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) ||
355 (fchmod(fileno(pwfile), st.st_mode) == -1)) {
356 if (opwfile != NULL) {
357 fclose(opwfile);
358 }
359 fclose(pwfile);
360 err = 1;
361 goto done;
362 }
363 opwfilesize = st.st_size;
364
365 // Step 2: Read existing special password file and decrypt the data.
366 if (opwfilesize) {
367 opwfilebuff = malloc(opwfilesize);
368 if (opwfilebuff == NULL) {
369 fclose(opwfile);
370 fclose(pwfile);
371 err = 1;
372 goto done;
373 }
374
375 if (fread(opwfilebuff, 1, opwfilesize, opwfile)) {
376 opwmp = (metapassstruct *)opwfilebuff;
377 opwptext = malloc(opwmp->datasize + opwmp->padsize);
378 if (opwptext == NULL) {
379 free(opwfilebuff);
380 fclose(opwfile);
381 fclose(pwfile);
382 err = 1;
383 goto done;
384 }
385 // User & password pairs are mapped as <user name>:<password>\n.
386 // Add +3 for special chars ':', '\n' and '\0'.
387 pwptextlen = opwmp->datasize + forwholen + towhatlen + 3
388 + EVP_CIPHER_block_size(cipher);
389 pwptext = malloc(pwptextlen);
390 if (pwptext == NULL) {
391 free(opwptext);
392 free(opwfilebuff);
393 fclose(opwfile);
394 fclose(pwfile);
395 err = 1;
396 goto done;
397 }
398
399 // First get the hashed key to decrypt
400 HMAC(digest, keybuff, keybuffsize,
401 opwfilebuff + sizeof(*opwmp), opwmp->hashsize, key,
402 &keylen);
403
404 // Skip decryption if there is no data
405 if (opwmp->datasize != 0) {
406 // Do the decryption
407 if (encrypt_decrypt_data(
408 pamh, 0, cipher, key, keylen,
409 opwfilebuff + sizeof(*opwmp)
410 + opwmp->hashsize,
411 opwmp->ivsize,
412 opwfilebuff + sizeof(*opwmp)
413 + opwmp->hashsize
414 + opwmp->ivsize,
415 opwmp->datasize + opwmp->padsize,
416 opwptext, &opwptextlen,
417 opwfilebuff + sizeof(*opwmp)
418 + opwmp->hashsize
419 + opwmp->ivsize
420 + opwmp->datasize
421 + opwmp->padsize,
422 &opwmp->macsize)
423 != 0) {
424 pam_syslog(pamh, LOG_DEBUG,
425 "Decryption failed");
426 free(pwptext);
427 free(opwptext);
428 free(opwfilebuff);
429 fclose(opwfile);
430 fclose(pwfile);
431 err = 1;
432 goto done;
433 }
434 }
435
436 // NULL terminate it, before using it in strtok().
437 opwptext[opwmp->datasize] = '\0';
438
439 linebuff = strtok(opwptext, "\n");
440 // Step 3: Copy the existing user/password pair
441 // to the new buffer, and update the password if user
442 // already exists.
443 while (linebuff != NULL) {
444 if ((!strncmp(linebuff, forwho, forwholen))
445 && (linebuff[forwholen] == ':')) {
446 writtensize += snprintf(
447 pwptext + writtensize,
448 pwptextlen - writtensize,
449 "%s:%s\n", forwho, towhat);
450 wroteentry = 1;
451 } else {
452 writtensize += snprintf(
453 pwptext + writtensize,
454 pwptextlen - writtensize,
455 "%s\n", linebuff);
456 }
457 linebuff = strtok(NULL, "\n");
458 }
459 }
460 // Clear the old password related buffers here, as we are done
461 // with it.
462 free(opwfilebuff);
463 free(opwptext);
464 } else {
465 pwptextlen = forwholen + towhatlen + 3
466 + EVP_CIPHER_block_size(cipher);
467 pwptext = malloc(pwptextlen);
468 if (pwptext == NULL) {
469 if (opwfile != NULL) {
470 fclose(opwfile);
471 }
472 fclose(pwfile);
473 err = 1;
474 goto done;
475 }
476 }
477
478 if (opwfile != NULL) {
479 fclose(opwfile);
480 }
481
482 if (wroteentry) {
483 // user password pair already updated, round it off as per the CIPHER block
484 pwptextlen =
485 block_round(writtensize, EVP_CIPHER_block_size(cipher));
486 // memset the padding bytes
487 memset(pwptext + writtensize, 0, pwptextlen - writtensize);
488 } else {
489 // Write the new user:password pair at the end and round it off as per the
490 // CIPHER block.
491 writtensize += snprintf(pwptext + writtensize,
492 pwptextlen - writtensize, "%s:%s\n",
493 forwho, towhat);
494 pwptextlen =
495 block_round(writtensize, EVP_CIPHER_block_size(cipher));
496 // memset the padding bytes
497 memset(pwptext + writtensize, 0, pwptextlen - writtensize);
498 }
499
500 // Step 4: Encrypt the data and write to the temporary file
501 if (RAND_bytes(hash, EVP_MD_block_size(digest)) != 1) {
502 pam_syslog(pamh, LOG_DEBUG,
503 "Hash genertion failed, bailing out");
504 free(pwptext);
505 fclose(pwfile);
506 err = 1;
507 goto done;
508 }
509
510 // Generate hash key, which will be used for encryption.
511 HMAC(digest, keybuff, keybuffsize, hash, EVP_MD_block_size(digest), key,
512 &keylen);
513 // Generate IV values
514 if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) {
515 pam_syslog(pamh, LOG_DEBUG,
516 "IV generation failed, bailing out");
517 free(pwptext);
518 fclose(pwfile);
519 err = 1;
520 goto done;
521 }
522
523 // Buffer to store encrypted message.
524 pwctext = malloc(pwptextlen + EVP_CIPHER_block_size(cipher));
525 if (pwctext == NULL) {
526 pam_syslog(pamh, LOG_DEBUG, "Ctext buffer failed, bailing out");
527 free(pwptext);
528 fclose(pwfile);
529 err = 1;
530 goto done;
531 }
532
533 // Do the encryption
534 if (encrypt_decrypt_data(pamh, 1, cipher, key, keylen, iv,
535 EVP_CIPHER_iv_length(cipher), pwptext,
536 pwptextlen, pwctext, &pwctextlen, mac, &maclen)
537 != 0) {
538 pam_syslog(pamh, LOG_DEBUG, "Encryption failed");
539 free(pwctext);
540 free(pwptext);
541 fclose(pwfile);
542 err = 1;
543 goto done;
544 }
545
546 // Update the meta password structure.
547 pwmp.hashsize = EVP_MD_block_size(digest);
548 pwmp.ivsize = EVP_CIPHER_iv_length(cipher);
549 pwmp.datasize = writtensize;
550 pwmp.padsize = pwctextlen - writtensize;
551 pwmp.macsize = maclen;
552
553 // Write the meta password structure, followed by hash, iv, encrypted
554 // data & mac.
555 if (fwrite(&pwmp, 1, sizeof(pwmp), pwfile) != sizeof(pwmp)) {
556 pam_syslog(pamh, LOG_DEBUG, "Error in writing meta data");
557 err = 1;
558 }
559 if (fwrite(hash, 1, pwmp.hashsize, pwfile) != pwmp.hashsize) {
560 pam_syslog(pamh, LOG_DEBUG, "Error in writing hash data");
561 err = 1;
562 }
563 if (fwrite(iv, 1, pwmp.ivsize, pwfile) != pwmp.ivsize) {
564 pam_syslog(pamh, LOG_DEBUG, "Error in writing IV data");
565 err = 1;
566 }
567 if (fwrite(pwctext, 1, pwctextlen, pwfile) != pwctextlen) {
568 pam_syslog(pamh, LOG_DEBUG, "Error in encrypted data");
569 err = 1;
570 }
571 if (fwrite(mac, 1, maclen, pwfile) != maclen) {
572 pam_syslog(pamh, LOG_DEBUG, "Error in writing MAC");
573 err = 1;
574 }
575
576 free(pwctext);
577 free(pwptext);
578
579 if (fflush(pwfile) || fsync(fileno(pwfile))) {
580 pam_syslog(
581 pamh, LOG_DEBUG,
582 "fflush or fsync error writing entries to special file: %s",
583 tempfilename);
584 err = 1;
585 }
586
587 if (fclose(pwfile)) {
588 pam_syslog(pamh, LOG_DEBUG,
589 "fclose error writing entries to special file: %s",
590 tempfilename);
591 err = 1;
592 }
593
594done:
595 if (!err) {
596 // Step 5: Rename the temporary file as special password file.
597 if (!rename(tempfilename, filename)) {
598 pam_syslog(pamh, LOG_DEBUG,
599 "password changed for %s in special file",
600 forwho);
601 } else {
602 err = 1;
603 }
604 }
605
606 // Clear out the key buff.
607 memset(keybuff, 0, keybuffsize);
608
609 if (!err) {
610 return PAM_SUCCESS;
611 } else {
612 unlink(tempfilename);
613 return PAM_AUTHTOK_ERR;
614 }
615}
616
617
618/* Password Management API's */
619
620/**
621 * @brief pam_sm_chauthtok API
622 * Function which will be called for pam_chauthtok() calls.
623 *
624 * @param[in] pamh - pam handle
625 * @param[in] flags - pam calls related flags
626 * @param[in] argc - argument counts / options
627 * @param[in] argv - array of arguments / options
628 * @return - PAM_SUCCESS for success, others for failure
629 */
630int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
631{
632 int retval = -1;
633 const void *item = NULL;
634 const char *user = NULL;
635 const char *pass_new = NULL, *pass_old = NULL;
636 const char *spec_grp_name =
637 get_option(pamh, "spec_grp_name", argc, argv);
638 const char *spec_pass_file =
639 get_option(pamh, "spec_pass_file", argc, argv);
640 const char *key_file = get_option(pamh, "key_file", argc, argv);
641
642
643 if (spec_grp_name == NULL || key_file == NULL) {
644 return PAM_IGNORE;
645 }
646 if (flags & PAM_PRELIM_CHECK) {
647 // send success to verify other stacked modules prelim check.
648 return PAM_SUCCESS;
649 }
650
651 retval = pam_get_user(pamh, &user, NULL);
652 if (retval != PAM_SUCCESS) {
653 return retval;
654 }
655
656 // get already read password by the stacked pam module
657 // Note: If there are no previous stacked pam module which read
658 // the new password, then return with AUTHTOK_ERR
659
660 retval = pam_get_item(pamh, PAM_AUTHTOK, &item);
661 if (retval != PAM_SUCCESS || item == NULL) {
662 return PAM_AUTHTOK_ERR;
663 }
664 pass_new = item;
665
666 struct group *grp;
667 int spec_grp_usr = 0;
668 // Verify whether the user belongs to special group.
669 grp = pam_modutil_getgrnam(pamh, spec_grp_name);
670 if (grp != NULL) {
671 while (*(grp->gr_mem) != NULL) {
672 if (strcmp(user, *grp->gr_mem) == 0) {
673 spec_grp_usr = 1;
674 break;
675 }
676 (grp->gr_mem)++;
677 }
678 }
679
680 pam_syslog(pamh, LOG_DEBUG, "User belongs to special grp: %x",
681 spec_grp_usr);
682
683 if (spec_grp_usr) {
684 // verify the new password is acceptable.
685 if (strlen(pass_new) > MAX_SPEC_GRP_PASS_LENGTH
686 || strlen(user) > MAX_SPEC_GRP_USER_LENGTH) {
687 pam_syslog(
688 pamh, LOG_ERR,
689 "Password length (%x) / User name length (%x) not acceptable",
690 strlen(pass_new), strlen(user));
691 pass_new = NULL;
692 return PAM_NEW_AUTHTOK_REQD;
693 }
694 if (spec_pass_file == NULL) {
695 spec_pass_file = DEFAULT_SPEC_PASS_FILE;
696 pam_syslog(
697 pamh, LOG_ERR,
698 "Using default special password file name :%s",
699 spec_pass_file);
700 }
701 if (retval = lock_pwdf()) {
702 pam_syslog(
703 pamh, LOG_ERR,
704 "Failed to lock the passwd file");
705 return retval;
706 }
707 retval = update_pass_special_file(
708 pamh, key_file, spec_pass_file, user, pass_new);
709 unlock_pwdf();
710 return retval;
711 }
712
713 return PAM_SUCCESS;
714}
715
716/* end of module definition */