blob: 177663dd0fa188267724873775957795a961fcba [file] [log] [blame]
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +05301/*
2// Copyright (c) 2018 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16
Patrick Williams9e7627a2023-05-10 07:51:06 -050017#include <fcntl.h>
18#include <stdarg.h>
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +053019#include <stdio.h>
20#include <stdlib.h>
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +053021#include <string.h>
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +053022#include <sys/stat.h>
Patrick Williams9e7627a2023-05-10 07:51:06 -050023#include <syslog.h>
24#include <unistd.h>
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +053025
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +053026#include <security/pam_ext.h>
Patrick Williams9e7627a2023-05-10 07:51:06 -050027#include <security/pam_modules.h>
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +053028#include <security/pam_modutil.h>
29
30#include <openssl/evp.h>
31#include <openssl/hmac.h>
32#include <openssl/rand.h>
33
34/*
35 * This module is intended to save password of special group user
36 *
37 */
38
39#define MAX_SPEC_GRP_PASS_LENGTH 20
40#define MAX_SPEC_GRP_USER_LENGTH 16
41#define MAX_KEY_SIZE 8
42#define DEFAULT_SPEC_PASS_FILE "/etc/ipmi_pass"
43#define META_PASSWD_SIG "=OPENBMC="
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +053044
45/*
46 * Meta data struct for storing the encrypted password file
47 * Note: Followed by this structure, the real data of hash, iv, encrypted data
48 * with pad and mac are stored.
49 * Decrypted data will hold user name & password for every new line with format
50 * like <user name>:<password>\n
51 */
52typedef struct metapassstruct {
53 char signature[10];
54 unsigned char reseved[2];
55 size_t hashsize;
56 size_t ivsize;
57 size_t datasize;
58 size_t padsize;
59 size_t macsize;
60} metapassstruct;
61
62/**
63 * @brief to acquire lock for atomic operation
64 * Internally uses lckpwdf to acquire the lock. Tries to acquire the lock
65 * using lckpwdf() in interval of 1ms, with maximum of 100 attempts.
66 *
67 * @return PAM_SUCCESS for success / PAM_AUTHTOK_LOCK_BUSY for failure
68 */
69int lock_pwdf(void)
70{
71 int i;
72 int retval;
73
74 i = 0;
75 while ((retval = lckpwdf()) != 0 && i < 100) {
76 usleep(1000);
77 i++;
78 }
79 if (retval != 0) {
80 return PAM_AUTHTOK_LOCK_BUSY;
81 }
82 return PAM_SUCCESS;
83}
84
85/**
86 * @brief unlock the acquired lock
87 * Internally uses ulckpwdf to release the lock
88 */
89void unlock_pwdf(void)
90{
91 ulckpwdf();
92}
93
94/**
95 * @brief to get argument value of option
96 * Function to get the value of argument options.
97 *
98 * @param[in] pamh - pam handle
99 * @param[in] option - argument option to which value has to returned
100 * @param[in] argc - argument count
101 * @param[in] argv - array of arguments
102 */
103static const char *get_option(const pam_handle_t *pamh, const char *option,
104 int argc, const char **argv)
105{
Vernon Mauerybb717162023-06-27 10:22:23 -0700106 if (!pamh) {
107 return NULL;
108 }
109
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530110 int i;
111 size_t len;
112
113 len = strlen(option);
114
115 for (i = 0; i < argc; ++i) {
116 if (strncmp(option, argv[i], len) == 0) {
117 if (argv[i][len] == '=') {
118 return &argv[i][len + 1];
119 }
120 }
121 }
122 return NULL;
123}
124
125/**
126 * @brief encrypt or decrypt function
127 * Function which will do the encryption or decryption of the data.
128 *
129 * @param[in] pamh - pam handle.
130 * @param[in] isencrypt - encrypt or decrypt option.
131 * @param[in] cipher - EVP_CIPHER to be used
132 * @param[in] key - key which has to be used in EVP_CIPHER api's.
133 * @param[in] keylen - Length of the key.
134 * @param[in] iv - Initialization vector data, used along with key
135 * @param[in] ivlen - Length of IV.
136 * @param[in] inbytes - buffer which has to be encrypted or decrypted.
137 * @param[in] inbyteslen - length of input buffer.
138 * @param[in] outbytes - buffer to store decrypted or encrypted data.
139 * @param[in] outbyteslen - length of output buffer
140 * @param[in/out] mac - checksum to cross verify. Will be verified for decrypt
141 * and returns for encrypt.
142 * @param[in/out] maclen - length of checksum
143 * @return - 0 for success -1 for failures.
144 */
145int encrypt_decrypt_data(const pam_handle_t *pamh, int isencrypt,
Vernon Mauerybb717162023-06-27 10:22:23 -0700146 const EVP_CIPHER *cipher, const unsigned char *key,
147 int keylen, const unsigned char *iv, int ivlen,
148 const unsigned char *inbytes, size_t inbyteslen,
149 unsigned char *outbytes, size_t *outbyteslen,
150 unsigned char *mac, unsigned int *maclen)
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530151{
152 EVP_CIPHER_CTX *ctx;
153 const EVP_MD *digest;
Vernon Mauerybb717162023-06-27 10:22:23 -0700154 int outEVPlen = 0;
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530155 int retval = 0;
156 size_t outlen = 0;
157
Patrick Williams9e7627a2023-05-10 07:51:06 -0500158 if (cipher == NULL || key == NULL || iv == NULL || inbytes == NULL ||
159 outbytes == NULL || mac == NULL || inbyteslen == 0 ||
160 EVP_CIPHER_key_length(cipher) > keylen ||
161 EVP_CIPHER_iv_length(cipher) > ivlen) {
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530162 pam_syslog(pamh, LOG_DEBUG, "Invalid inputs");
163 return -1;
164 }
165
166 digest = EVP_sha256();
167 if (!isencrypt) {
Vernon Mauerybb717162023-06-27 10:22:23 -0700168 unsigned char calmac[EVP_MAX_MD_SIZE];
169 unsigned int calmaclen = 0;
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530170 // calculate MAC for the encrypted message.
Patrick Williams9e7627a2023-05-10 07:51:06 -0500171 if (NULL == HMAC(digest, key, keylen, inbytes, inbyteslen,
172 calmac, &calmaclen)) {
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530173 pam_syslog(pamh, LOG_DEBUG,
174 "Failed to verify authentication %d",
175 retval);
176 return -1;
177 }
Patrick Williams9e7627a2023-05-10 07:51:06 -0500178 if (!((calmaclen == *maclen) &&
179 (memcmp(calmac, mac, calmaclen) == 0))) {
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530180 pam_syslog(pamh, LOG_DEBUG,
181 "Authenticated message doesn't match %d, %d",
182 calmaclen, *maclen);
183 return -1;
184 }
185 }
186
187 ctx = EVP_CIPHER_CTX_new();
188 EVP_CIPHER_CTX_set_padding(ctx, 1);
189
190 // Set key & IV
191 retval = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, isencrypt);
192 if (!retval) {
193 pam_syslog(pamh, LOG_DEBUG, "EVP_CipherInit_ex failed with %d",
194 retval);
195 EVP_CIPHER_CTX_free(ctx);
196 return -1;
197 }
198 if ((retval = EVP_CipherUpdate(ctx, outbytes + outlen, &outEVPlen,
199 inbytes, inbyteslen))) {
200 outlen += outEVPlen;
Patrick Williams9e7627a2023-05-10 07:51:06 -0500201 if ((retval =
202 EVP_CipherFinal(ctx, outbytes + outlen, &outEVPlen))) {
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530203 outlen += outEVPlen;
204 *outbyteslen = outlen;
205 } else {
206 pam_syslog(pamh, LOG_DEBUG,
207 "EVP_CipherFinal returns with %d", retval);
208 EVP_CIPHER_CTX_free(ctx);
209 return -1;
210 }
211 } else {
212 pam_syslog(pamh, LOG_DEBUG, "EVP_CipherUpdate returns with %d",
213 retval);
214 EVP_CIPHER_CTX_free(ctx);
215 return -1;
216 }
217 EVP_CIPHER_CTX_free(ctx);
218
219 if (isencrypt) {
220 // Create MAC for the encrypted message.
Patrick Williams9e7627a2023-05-10 07:51:06 -0500221 if (NULL == HMAC(digest, key, keylen, outbytes, *outbyteslen,
222 mac, maclen)) {
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530223 pam_syslog(pamh, LOG_DEBUG,
224 "Failed to create authentication %d",
225 retval);
226 return -1;
227 }
228 }
229 return 0;
230}
231
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530232/**
233 * @brief get temporary file handle
234 * Function to get the temporary file handle, created using mkstemp
235 *
236 * @param[in] pamh - pam handle.
237 * @param[in/out] tempfilename - tempfilename, which will be used in mkstemp.
238 * @return - FILE handle for success. NULL for failure
239 */
Patrick Venture9565abd2018-11-14 09:11:59 -0800240FILE *get_temp_file_handle(const pam_handle_t *pamh, char *const tempfilename)
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530241{
242 FILE *tempfile = NULL;
Patrick Ventured0e324a2018-11-14 10:18:50 -0800243 int fd;
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530244 int oldmask = umask(077);
245 fd = mkstemp(tempfilename);
246 if (fd == -1) {
247 pam_syslog(pamh, LOG_DEBUG, "Error in creating temp file");
248 umask(oldmask);
249 return NULL;
250 }
251 pam_syslog(pamh, LOG_DEBUG, "Temporary file name is %s", tempfilename);
252
253 tempfile = fdopen(fd, "w");
254 umask(oldmask);
255 return tempfile;
256}
257
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530258/**
259 * @brief updates special password file
260 * Function to update the special password file. Stores the password against
261 * username in encrypted form along with meta data
262 *
263 * @param[in] pamh - pam handle.
264 * @param[in] keyfilename - file name where key seed is stored.
265 * @param[in] filename - special password file name
266 * @param[in] forwho - name of the user
267 * @param[in] towhat - password that has to stored in encrypted form
268 * @return - PAM_SUCCESS for success or PAM_AUTHTOK_ERR for failure
269 */
270int update_pass_special_file(const pam_handle_t *pamh, const char *keyfilename,
271 const char *filename, const char *forwho,
272 const char *towhat)
273{
274 struct stat st;
275 FILE *pwfile = NULL, *opwfile = NULL, *keyfile = NULL;
276 int err = 0, wroteentry = 0;
277 char tempfilename[1024];
278 size_t forwholen = strlen(forwho);
279 size_t towhatlen = strlen(towhat);
280 char keybuff[MAX_KEY_SIZE] = {0};
281 size_t keybuffsize = sizeof(keybuff);
282
283 const EVP_CIPHER *cipher = EVP_aes_128_cbc();
284 const EVP_MD *digest = EVP_sha256();
285
Vernon Mauerybb717162023-06-27 10:22:23 -0700286 char *linebuff = NULL;
287 unsigned char *opwfilebuff = NULL;
288 unsigned char *opwptext = NULL;
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530289 size_t opwptextlen = 0, opwfilesize = 0;
290 metapassstruct *opwmp = NULL;
291
Vernon Mauerybb717162023-06-27 10:22:23 -0700292 unsigned char *pwptext = NULL;
293 unsigned char *pwctext = NULL;
294 size_t pwctextlen = 0, pwptextlen = 0;
295 unsigned int maclen = 0;
296 size_t writtensize = 0;
297 unsigned int keylen = 0;
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530298 metapassstruct pwmp = {META_PASSWD_SIG, {0, 0}, .0, 0, 0, 0, 0};
Vernon Mauerybb717162023-06-27 10:22:23 -0700299 unsigned char mac[EVP_MAX_MD_SIZE] = {0};
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530300 unsigned char key[EVP_MAX_KEY_LENGTH];
Vernon Mauerybb717162023-06-27 10:22:23 -0700301 unsigned char iv[EVP_CIPHER_iv_length(cipher)];
302 unsigned char hash[EVP_MD_block_size(digest)];
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530303
304 // Following steps are performed in this function.
305 // Step 1: Create a temporary file - always update temporary file, and
Patrick Venture9565abd2018-11-14 09:11:59 -0800306 // then swap it with original one, only if everything succeded at the
307 // end. Step 2: If file already exists, read the old file and decrypt it
308 // in buffer Step 3: Copy user/password pair from old buffer to new
309 // buffer, and update, if the user already exists with the new password
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530310 // Step 4: Encrypt the new buffer and write it to the temp file created
311 // at Step 1.
312 // Step 5. rename the temporary file name as special password file.
313
314 // verify the tempfilename buffer is enough to hold
315 // filename_XXXXXX (+1 for null).
Patrick Williams9e7627a2023-05-10 07:51:06 -0500316 if (strlen(filename) >
317 (sizeof(tempfilename) - strlen("__XXXXXX") - 1)) {
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530318 pam_syslog(pamh, LOG_DEBUG, "Not enough buffer, bailing out");
319 return PAM_AUTHTOK_ERR;
320 }
321 // Fetch the key from key file name.
322 keyfile = fopen(keyfilename, "r");
323 if (keyfile == NULL) {
324 pam_syslog(pamh, LOG_DEBUG, "Unable to open key file %s",
325 keyfilename);
326 return PAM_AUTHTOK_ERR;
327 }
328 if (fread(keybuff, 1, keybuffsize, keyfile) != keybuffsize) {
329 pam_syslog(pamh, LOG_DEBUG, "Key file read failed");
330 fclose(keyfile);
331 return PAM_AUTHTOK_ERR;
332 }
333 fclose(keyfile);
334
Patrick Venture9565abd2018-11-14 09:11:59 -0800335 // Step 1: Try to create a temporary file, in which all the update will
336 // happen then it will be renamed to the original file. This is done to
337 // have atomic operation.
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530338 snprintf(tempfilename, sizeof(tempfilename), "%s__XXXXXX", filename);
339 pwfile = get_temp_file_handle(pamh, tempfilename);
340 if (pwfile == NULL) {
341 err = 1;
342 goto done;
343 }
344
345 // Update temporary file stat by reading the special password file
346 opwfile = fopen(filename, "r");
347 if (opwfile != NULL) {
348 if (fstat(fileno(opwfile), &st) == -1) {
349 fclose(opwfile);
350 fclose(pwfile);
351 err = 1;
352 goto done;
353 }
354 } else { // Create with this settings if file is not present.
355 memset(&st, 0, sizeof(st));
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530356 }
Vernon Maueryf3919c42020-04-08 17:05:57 -0700357 // Override the file permission with S_IWUSR | S_IRUSR
358 st.st_mode = S_IWUSR | S_IRUSR;
Patrick Williams9e7627a2023-05-10 07:51:06 -0500359 if ((fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) ||
360 (fchmod(fileno(pwfile), st.st_mode) == -1)) {
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530361 if (opwfile != NULL) {
362 fclose(opwfile);
363 }
364 fclose(pwfile);
365 err = 1;
366 goto done;
367 }
368 opwfilesize = st.st_size;
369
370 // Step 2: Read existing special password file and decrypt the data.
371 if (opwfilesize) {
372 opwfilebuff = malloc(opwfilesize);
373 if (opwfilebuff == NULL) {
374 fclose(opwfile);
375 fclose(pwfile);
376 err = 1;
377 goto done;
378 }
379
380 if (fread(opwfilebuff, 1, opwfilesize, opwfile)) {
381 opwmp = (metapassstruct *)opwfilebuff;
382 opwptext = malloc(opwmp->datasize + opwmp->padsize);
383 if (opwptext == NULL) {
384 free(opwfilebuff);
385 fclose(opwfile);
386 fclose(pwfile);
387 err = 1;
388 goto done;
389 }
Patrick Venture9565abd2018-11-14 09:11:59 -0800390 // User & password pairs are mapped as <user
391 // name>:<password>\n. Add +3 for special chars ':',
392 // '\n' and '\0'.
Patrick Williams9e7627a2023-05-10 07:51:06 -0500393 pwptextlen = opwmp->datasize + forwholen + towhatlen +
394 3 + EVP_CIPHER_block_size(cipher);
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530395 pwptext = malloc(pwptextlen);
396 if (pwptext == NULL) {
397 free(opwptext);
398 free(opwfilebuff);
399 fclose(opwfile);
400 fclose(pwfile);
401 err = 1;
402 goto done;
403 }
404
405 // First get the hashed key to decrypt
406 HMAC(digest, keybuff, keybuffsize,
407 opwfilebuff + sizeof(*opwmp), opwmp->hashsize, key,
408 &keylen);
409
Vernon Mauerybb717162023-06-27 10:22:23 -0700410 unsigned int tmpmacsize = opwmp->macsize;
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530411 // Skip decryption if there is no data
412 if (opwmp->datasize != 0) {
413 // Do the decryption
414 if (encrypt_decrypt_data(
Patrick Williams9e7627a2023-05-10 07:51:06 -0500415 pamh, 0, cipher, key, keylen,
416 opwfilebuff + sizeof(*opwmp) +
417 opwmp->hashsize,
418 opwmp->ivsize,
419 opwfilebuff + sizeof(*opwmp) +
420 opwmp->hashsize + opwmp->ivsize,
421 opwmp->datasize + opwmp->padsize,
422 opwptext, &opwptextlen,
423 opwfilebuff + sizeof(*opwmp) +
424 opwmp->hashsize + opwmp->ivsize +
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530425 opwmp->datasize + opwmp->padsize,
Vernon Mauerybb717162023-06-27 10:22:23 -0700426 &tmpmacsize) != 0) {
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530427 pam_syslog(pamh, LOG_DEBUG,
428 "Decryption failed");
429 free(pwptext);
430 free(opwptext);
431 free(opwfilebuff);
432 fclose(opwfile);
433 fclose(pwfile);
434 err = 1;
435 goto done;
436 }
Vernon Mauerybb717162023-06-27 10:22:23 -0700437 opwmp->macsize = tmpmacsize;
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530438 }
439
440 // NULL terminate it, before using it in strtok().
441 opwptext[opwmp->datasize] = '\0';
442
Vernon Mauerybb717162023-06-27 10:22:23 -0700443 linebuff = strtok((char *)opwptext, "\n");
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530444 // Step 3: Copy the existing user/password pair
445 // to the new buffer, and update the password if user
446 // already exists.
447 while (linebuff != NULL) {
Patrick Williams9e7627a2023-05-10 07:51:06 -0500448 if ((!strncmp(linebuff, forwho, forwholen)) &&
449 (linebuff[forwholen] == ':')) {
Vernon Mauerybb717162023-06-27 10:22:23 -0700450 writtensize += snprintf(
451 (char *)pwptext + writtensize,
452 pwptextlen - writtensize, "%s:%s\n",
453 forwho, towhat);
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530454 wroteentry = 1;
455 } else {
Vernon Mauerybb717162023-06-27 10:22:23 -0700456 writtensize += snprintf(
457 (char *)pwptext + writtensize,
458 pwptextlen - writtensize, "%s\n",
459 linebuff);
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530460 }
461 linebuff = strtok(NULL, "\n");
462 }
463 }
464 // Clear the old password related buffers here, as we are done
465 // with it.
466 free(opwfilebuff);
467 free(opwptext);
468 } else {
Patrick Williams9e7627a2023-05-10 07:51:06 -0500469 pwptextlen =
470 forwholen + towhatlen + 3 + EVP_CIPHER_block_size(cipher);
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530471 pwptext = malloc(pwptextlen);
472 if (pwptext == NULL) {
473 if (opwfile != NULL) {
474 fclose(opwfile);
475 }
476 fclose(pwfile);
477 err = 1;
478 goto done;
479 }
480 }
481
482 if (opwfile != NULL) {
483 fclose(opwfile);
484 }
485
Richard Marian Thomaiyar65edb932019-01-28 20:39:10 +0530486 if (!wroteentry) {
487 // Write the new user:password pair at the end.
Vernon Mauerybb717162023-06-27 10:22:23 -0700488 writtensize += snprintf((char *)pwptext + writtensize,
489 pwptextlen - writtensize, "%s:%s\n",
490 forwho, towhat);
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530491 }
Richard Marian Thomaiyar65edb932019-01-28 20:39:10 +0530492 pwptextlen = writtensize;
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530493
494 // Step 4: Encrypt the data and write to the temporary file
495 if (RAND_bytes(hash, EVP_MD_block_size(digest)) != 1) {
496 pam_syslog(pamh, LOG_DEBUG,
497 "Hash genertion failed, bailing out");
498 free(pwptext);
499 fclose(pwfile);
500 err = 1;
501 goto done;
502 }
503
504 // Generate hash key, which will be used for encryption.
505 HMAC(digest, keybuff, keybuffsize, hash, EVP_MD_block_size(digest), key,
506 &keylen);
507 // Generate IV values
508 if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) {
509 pam_syslog(pamh, LOG_DEBUG,
510 "IV generation failed, bailing out");
511 free(pwptext);
512 fclose(pwfile);
513 err = 1;
514 goto done;
515 }
516
517 // Buffer to store encrypted message.
518 pwctext = malloc(pwptextlen + EVP_CIPHER_block_size(cipher));
519 if (pwctext == NULL) {
520 pam_syslog(pamh, LOG_DEBUG, "Ctext buffer failed, bailing out");
521 free(pwptext);
522 fclose(pwfile);
523 err = 1;
524 goto done;
525 }
526
527 // Do the encryption
Patrick Williams9e7627a2023-05-10 07:51:06 -0500528 if (encrypt_decrypt_data(
529 pamh, 1, cipher, key, keylen, iv, EVP_CIPHER_iv_length(cipher),
530 pwptext, pwptextlen, pwctext, &pwctextlen, mac, &maclen) != 0) {
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530531 pam_syslog(pamh, LOG_DEBUG, "Encryption failed");
532 free(pwctext);
533 free(pwptext);
534 fclose(pwfile);
535 err = 1;
536 goto done;
537 }
538
539 // Update the meta password structure.
540 pwmp.hashsize = EVP_MD_block_size(digest);
541 pwmp.ivsize = EVP_CIPHER_iv_length(cipher);
542 pwmp.datasize = writtensize;
543 pwmp.padsize = pwctextlen - writtensize;
544 pwmp.macsize = maclen;
545
546 // Write the meta password structure, followed by hash, iv, encrypted
547 // data & mac.
548 if (fwrite(&pwmp, 1, sizeof(pwmp), pwfile) != sizeof(pwmp)) {
549 pam_syslog(pamh, LOG_DEBUG, "Error in writing meta data");
550 err = 1;
551 }
552 if (fwrite(hash, 1, pwmp.hashsize, pwfile) != pwmp.hashsize) {
553 pam_syslog(pamh, LOG_DEBUG, "Error in writing hash data");
554 err = 1;
555 }
556 if (fwrite(iv, 1, pwmp.ivsize, pwfile) != pwmp.ivsize) {
557 pam_syslog(pamh, LOG_DEBUG, "Error in writing IV data");
558 err = 1;
559 }
560 if (fwrite(pwctext, 1, pwctextlen, pwfile) != pwctextlen) {
561 pam_syslog(pamh, LOG_DEBUG, "Error in encrypted data");
562 err = 1;
563 }
564 if (fwrite(mac, 1, maclen, pwfile) != maclen) {
565 pam_syslog(pamh, LOG_DEBUG, "Error in writing MAC");
566 err = 1;
567 }
568
569 free(pwctext);
570 free(pwptext);
571
572 if (fflush(pwfile) || fsync(fileno(pwfile))) {
573 pam_syslog(
Patrick Williams9e7627a2023-05-10 07:51:06 -0500574 pamh, LOG_DEBUG,
575 "fflush or fsync error writing entries to special file: %s",
576 tempfilename);
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530577 err = 1;
578 }
579
580 if (fclose(pwfile)) {
581 pam_syslog(pamh, LOG_DEBUG,
582 "fclose error writing entries to special file: %s",
583 tempfilename);
584 err = 1;
585 }
586
587done:
588 if (!err) {
589 // Step 5: Rename the temporary file as special password file.
590 if (!rename(tempfilename, filename)) {
591 pam_syslog(pamh, LOG_DEBUG,
592 "password changed for %s in special file",
593 forwho);
594 } else {
595 err = 1;
596 }
597 }
598
599 // Clear out the key buff.
600 memset(keybuff, 0, keybuffsize);
601
602 if (!err) {
603 return PAM_SUCCESS;
604 } else {
605 unlink(tempfilename);
606 return PAM_AUTHTOK_ERR;
607 }
608}
609
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530610/* Password Management API's */
611
612/**
613 * @brief pam_sm_chauthtok API
614 * Function which will be called for pam_chauthtok() calls.
615 *
616 * @param[in] pamh - pam handle
617 * @param[in] flags - pam calls related flags
618 * @param[in] argc - argument counts / options
619 * @param[in] argv - array of arguments / options
620 * @return - PAM_SUCCESS for success, others for failure
621 */
622int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
623{
624 int retval = -1;
625 const void *item = NULL;
626 const char *user = NULL;
627 const char *pass_new = NULL, *pass_old = NULL;
628 const char *spec_grp_name =
Patrick Williams9e7627a2023-05-10 07:51:06 -0500629 get_option(pamh, "spec_grp_name", argc, argv);
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530630 const char *spec_pass_file =
Patrick Williams9e7627a2023-05-10 07:51:06 -0500631 get_option(pamh, "spec_pass_file", argc, argv);
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530632 const char *key_file = get_option(pamh, "key_file", argc, argv);
633
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530634 if (spec_grp_name == NULL || key_file == NULL) {
635 return PAM_IGNORE;
636 }
637 if (flags & PAM_PRELIM_CHECK) {
638 // send success to verify other stacked modules prelim check.
639 return PAM_SUCCESS;
640 }
641
642 retval = pam_get_user(pamh, &user, NULL);
643 if (retval != PAM_SUCCESS) {
644 return retval;
645 }
646
647 // get already read password by the stacked pam module
648 // Note: If there are no previous stacked pam module which read
649 // the new password, then return with AUTHTOK_ERR
650
651 retval = pam_get_item(pamh, PAM_AUTHTOK, &item);
652 if (retval != PAM_SUCCESS || item == NULL) {
653 return PAM_AUTHTOK_ERR;
654 }
655 pass_new = item;
656
657 struct group *grp;
658 int spec_grp_usr = 0;
659 // Verify whether the user belongs to special group.
660 grp = pam_modutil_getgrnam(pamh, spec_grp_name);
661 if (grp != NULL) {
662 while (*(grp->gr_mem) != NULL) {
663 if (strcmp(user, *grp->gr_mem) == 0) {
664 spec_grp_usr = 1;
665 break;
666 }
667 (grp->gr_mem)++;
668 }
669 }
670
671 pam_syslog(pamh, LOG_DEBUG, "User belongs to special grp: %x",
672 spec_grp_usr);
673
674 if (spec_grp_usr) {
675 // verify the new password is acceptable.
Jiaqing Zhaoa80864a2022-04-04 16:36:35 +0800676 size_t pass_len = strlen(pass_new);
677 size_t user_len = strlen(user);
Patrick Williams9e7627a2023-05-10 07:51:06 -0500678 if (pass_len > MAX_SPEC_GRP_PASS_LENGTH ||
679 user_len > MAX_SPEC_GRP_USER_LENGTH) {
680 pam_syslog(pamh, LOG_ERR,
681 "Password length (%zu) / User name length "
682 "(%zu) is not acceptable for IPMI",
683 pass_len, user_len);
Jiaqing Zhaoa80864a2022-04-04 16:36:35 +0800684 pass_new = pass_old = NULL;
Jiaqing Zhaoe3771e82022-04-02 18:02:25 +0800685 return PAM_AUTHTOK_ERR;
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530686 }
687 if (spec_pass_file == NULL) {
688 spec_pass_file = DEFAULT_SPEC_PASS_FILE;
689 pam_syslog(
Patrick Williams9e7627a2023-05-10 07:51:06 -0500690 pamh, LOG_ERR,
691 "Using default special password file name :%s",
692 spec_pass_file);
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530693 }
Vernon Mauerybb717162023-06-27 10:22:23 -0700694 if ((retval = lock_pwdf())) {
Patrick Venture9565abd2018-11-14 09:11:59 -0800695 pam_syslog(pamh, LOG_ERR,
696 "Failed to lock the passwd file");
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530697 return retval;
698 }
699 retval = update_pass_special_file(
Patrick Williams9e7627a2023-05-10 07:51:06 -0500700 pamh, key_file, spec_pass_file, user, pass_new);
Richard Marian Thomaiyar216f2132018-06-12 19:20:48 +0530701 unlock_pwdf();
702 return retval;
703 }
704
705 return PAM_SUCCESS;
706}
707
708/* end of module definition */