xref: /openbmc/phosphor-host-ipmid/user_channel/passwd_mgr.cpp (revision 70bd0635acd98d409577e6faee774970118053f2)
14654d99fSRichard Marian Thomaiyar /*
24654d99fSRichard Marian Thomaiyar // Copyright (c) 2018 Intel Corporation
34654d99fSRichard Marian Thomaiyar //
44654d99fSRichard Marian Thomaiyar // Licensed under the Apache License, Version 2.0 (the "License");
54654d99fSRichard Marian Thomaiyar // you may not use this file except in compliance with the License.
64654d99fSRichard Marian Thomaiyar // You may obtain a copy of the License at
74654d99fSRichard Marian Thomaiyar //
84654d99fSRichard Marian Thomaiyar //      http://www.apache.org/licenses/LICENSE-2.0
94654d99fSRichard Marian Thomaiyar //
104654d99fSRichard Marian Thomaiyar // Unless required by applicable law or agreed to in writing, software
114654d99fSRichard Marian Thomaiyar // distributed under the License is distributed on an "AS IS" BASIS,
124654d99fSRichard Marian Thomaiyar // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
134654d99fSRichard Marian Thomaiyar // See the License for the specific language governing permissions and
144654d99fSRichard Marian Thomaiyar // limitations under the License.
154654d99fSRichard Marian Thomaiyar */
164654d99fSRichard Marian Thomaiyar 
174654d99fSRichard Marian Thomaiyar #include "passwd_mgr.hpp"
184654d99fSRichard Marian Thomaiyar 
19b29b5ab3SAppaRao Puli #include "file.hpp"
204654d99fSRichard Marian Thomaiyar #include "shadowlock.hpp"
214654d99fSRichard Marian Thomaiyar 
224654d99fSRichard Marian Thomaiyar #include <openssl/hmac.h>
23b29b5ab3SAppaRao Puli #include <openssl/rand.h>
244654d99fSRichard Marian Thomaiyar #include <openssl/sha.h>
254654d99fSRichard Marian Thomaiyar #include <string.h>
264654d99fSRichard Marian Thomaiyar #include <sys/stat.h>
27b29b5ab3SAppaRao Puli #include <unistd.h>
284654d99fSRichard Marian Thomaiyar 
29b29b5ab3SAppaRao Puli #include <cerrno>
304654d99fSRichard Marian Thomaiyar #include <cstring>
314654d99fSRichard Marian Thomaiyar #include <fstream>
32b29b5ab3SAppaRao Puli #include <iomanip>
334654d99fSRichard Marian Thomaiyar #include <phosphor-logging/log.hpp>
344654d99fSRichard Marian Thomaiyar 
354654d99fSRichard Marian Thomaiyar namespace ipmi
364654d99fSRichard Marian Thomaiyar {
374654d99fSRichard Marian Thomaiyar 
384654d99fSRichard Marian Thomaiyar static const char* passwdFileName = "/etc/ipmi_pass";
394654d99fSRichard Marian Thomaiyar static const char* encryptKeyFileName = "/etc/key_file";
404654d99fSRichard Marian Thomaiyar static const size_t maxKeySize = 8;
414654d99fSRichard Marian Thomaiyar 
426ba8d315SRichard Marian Thomaiyar constexpr mode_t modeMask =
436ba8d315SRichard Marian Thomaiyar     (S_ISUID | S_ISGID | S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO);
446ba8d315SRichard Marian Thomaiyar 
45b29b5ab3SAppaRao Puli #define META_PASSWD_SIG "=OPENBMC="
46b29b5ab3SAppaRao Puli 
474654d99fSRichard Marian Thomaiyar /*
484654d99fSRichard Marian Thomaiyar  * Meta data struct for encrypted password file
494654d99fSRichard Marian Thomaiyar  */
5048e55585SRichard Marian Thomaiyar struct MetaPassStruct
514654d99fSRichard Marian Thomaiyar {
524654d99fSRichard Marian Thomaiyar     char signature[10];
534654d99fSRichard Marian Thomaiyar     unsigned char reseved[2];
544654d99fSRichard Marian Thomaiyar     size_t hashSize;
554654d99fSRichard Marian Thomaiyar     size_t ivSize;
564654d99fSRichard Marian Thomaiyar     size_t dataSize;
574654d99fSRichard Marian Thomaiyar     size_t padSize;
584654d99fSRichard Marian Thomaiyar     size_t macSize;
594654d99fSRichard Marian Thomaiyar };
604654d99fSRichard Marian Thomaiyar 
614654d99fSRichard Marian Thomaiyar using namespace phosphor::logging;
624654d99fSRichard Marian Thomaiyar 
634654d99fSRichard Marian Thomaiyar PasswdMgr::PasswdMgr()
644654d99fSRichard Marian Thomaiyar {
656ba8d315SRichard Marian Thomaiyar     restrictFilesPermission();
664654d99fSRichard Marian Thomaiyar     initPasswordMap();
674654d99fSRichard Marian Thomaiyar }
684654d99fSRichard Marian Thomaiyar 
696ba8d315SRichard Marian Thomaiyar void PasswdMgr::restrictFilesPermission(void)
706ba8d315SRichard Marian Thomaiyar {
716ba8d315SRichard Marian Thomaiyar     struct stat st = {};
726ba8d315SRichard Marian Thomaiyar     // Restrict file permission to owner read & write
736ba8d315SRichard Marian Thomaiyar     if (stat(passwdFileName, &st) == 0)
746ba8d315SRichard Marian Thomaiyar     {
756ba8d315SRichard Marian Thomaiyar         if ((st.st_mode & modeMask) != (S_IRUSR | S_IWUSR))
766ba8d315SRichard Marian Thomaiyar         {
776ba8d315SRichard Marian Thomaiyar             chmod(passwdFileName, S_IRUSR | S_IWUSR);
786ba8d315SRichard Marian Thomaiyar         }
796ba8d315SRichard Marian Thomaiyar     }
806ba8d315SRichard Marian Thomaiyar 
816ba8d315SRichard Marian Thomaiyar     if (stat(encryptKeyFileName, &st) == 0)
826ba8d315SRichard Marian Thomaiyar     {
836ba8d315SRichard Marian Thomaiyar         if ((st.st_mode & modeMask) != (S_IRUSR | S_IWUSR))
846ba8d315SRichard Marian Thomaiyar         {
856ba8d315SRichard Marian Thomaiyar             chmod(encryptKeyFileName, S_IRUSR | S_IWUSR);
866ba8d315SRichard Marian Thomaiyar         }
876ba8d315SRichard Marian Thomaiyar     }
886ba8d315SRichard Marian Thomaiyar }
896ba8d315SRichard Marian Thomaiyar 
904654d99fSRichard Marian Thomaiyar std::string PasswdMgr::getPasswdByUserName(const std::string& userName)
914654d99fSRichard Marian Thomaiyar {
924654d99fSRichard Marian Thomaiyar     checkAndReload();
934654d99fSRichard Marian Thomaiyar     auto iter = passwdMapList.find(userName);
944654d99fSRichard Marian Thomaiyar     if (iter == passwdMapList.end())
954654d99fSRichard Marian Thomaiyar     {
964654d99fSRichard Marian Thomaiyar         return std::string();
974654d99fSRichard Marian Thomaiyar     }
984654d99fSRichard Marian Thomaiyar     return iter->second;
994654d99fSRichard Marian Thomaiyar }
1004654d99fSRichard Marian Thomaiyar 
10142bed64dSRichard Marian Thomaiyar int PasswdMgr::updateUserEntry(const std::string& userName,
10242bed64dSRichard Marian Thomaiyar                                const std::string& newUserName)
103b29b5ab3SAppaRao Puli {
104b29b5ab3SAppaRao Puli     std::time_t updatedTime = getUpdatedFileTime();
105b29b5ab3SAppaRao Puli     // Check file time stamp to know passwdMapList is up-to-date.
106b29b5ab3SAppaRao Puli     // If not up-to-date, then updatePasswdSpecialFile will read and
107b29b5ab3SAppaRao Puli     // check the user entry existance.
108b29b5ab3SAppaRao Puli     if (fileLastUpdatedTime == updatedTime && updatedTime != -EIO)
109b29b5ab3SAppaRao Puli     {
110b29b5ab3SAppaRao Puli         if (passwdMapList.find(userName) == passwdMapList.end())
111b29b5ab3SAppaRao Puli         {
112b29b5ab3SAppaRao Puli             log<level::DEBUG>("User not found");
113b29b5ab3SAppaRao Puli             return 0;
114b29b5ab3SAppaRao Puli         }
115b29b5ab3SAppaRao Puli     }
116b29b5ab3SAppaRao Puli 
117b29b5ab3SAppaRao Puli     // Write passwdMap to Encryted file
11842bed64dSRichard Marian Thomaiyar     if (updatePasswdSpecialFile(userName, newUserName) != 0)
119b29b5ab3SAppaRao Puli     {
120b29b5ab3SAppaRao Puli         log<level::DEBUG>("Passwd file update failed");
121b29b5ab3SAppaRao Puli         return -EIO;
122b29b5ab3SAppaRao Puli     }
123b29b5ab3SAppaRao Puli 
124b29b5ab3SAppaRao Puli     log<level::DEBUG>("Passwd file updated successfully");
125b29b5ab3SAppaRao Puli     return 0;
126b29b5ab3SAppaRao Puli }
127b29b5ab3SAppaRao Puli 
1284654d99fSRichard Marian Thomaiyar void PasswdMgr::checkAndReload(void)
1294654d99fSRichard Marian Thomaiyar {
130b29b5ab3SAppaRao Puli     std::time_t updatedTime = getUpdatedFileTime();
131b29b5ab3SAppaRao Puli     if (fileLastUpdatedTime != updatedTime && updatedTime != -1)
1324654d99fSRichard Marian Thomaiyar     {
1334654d99fSRichard Marian Thomaiyar         log<level::DEBUG>("Reloading password map list");
1344654d99fSRichard Marian Thomaiyar         passwdMapList.clear();
1354654d99fSRichard Marian Thomaiyar         initPasswordMap();
1364654d99fSRichard Marian Thomaiyar     }
1374654d99fSRichard Marian Thomaiyar }
1384654d99fSRichard Marian Thomaiyar 
139b29b5ab3SAppaRao Puli int PasswdMgr::encryptDecryptData(bool doEncrypt, const EVP_CIPHER* cipher,
140b29b5ab3SAppaRao Puli                                   uint8_t* key, size_t keyLen, uint8_t* iv,
141b29b5ab3SAppaRao Puli                                   size_t ivLen, uint8_t* inBytes,
142b29b5ab3SAppaRao Puli                                   size_t inBytesLen, uint8_t* mac,
143b29b5ab3SAppaRao Puli                                   size_t* macLen, unsigned char* outBytes,
144b29b5ab3SAppaRao Puli                                   size_t* outBytesLen)
1454654d99fSRichard Marian Thomaiyar {
1464654d99fSRichard Marian Thomaiyar     if (cipher == NULL || key == NULL || iv == NULL || inBytes == NULL ||
1474654d99fSRichard Marian Thomaiyar         outBytes == NULL || mac == NULL || inBytesLen == 0 ||
1484654d99fSRichard Marian Thomaiyar         (size_t)EVP_CIPHER_key_length(cipher) > keyLen ||
1494654d99fSRichard Marian Thomaiyar         (size_t)EVP_CIPHER_iv_length(cipher) > ivLen)
1504654d99fSRichard Marian Thomaiyar     {
1514654d99fSRichard Marian Thomaiyar         log<level::DEBUG>("Error Invalid Inputs");
152b29b5ab3SAppaRao Puli         return -EINVAL;
1534654d99fSRichard Marian Thomaiyar     }
1544654d99fSRichard Marian Thomaiyar 
155b29b5ab3SAppaRao Puli     if (!doEncrypt)
156b29b5ab3SAppaRao Puli     {
157b29b5ab3SAppaRao Puli         // verify MAC before decrypting the data.
1584654d99fSRichard Marian Thomaiyar         std::array<uint8_t, EVP_MAX_MD_SIZE> calMac;
1594654d99fSRichard Marian Thomaiyar         size_t calMacLen = calMac.size();
1604654d99fSRichard Marian Thomaiyar         // calculate MAC for the encrypted message.
1614654d99fSRichard Marian Thomaiyar         if (NULL == HMAC(EVP_sha256(), key, keyLen, inBytes, inBytesLen,
1624654d99fSRichard Marian Thomaiyar                          calMac.data(),
1634654d99fSRichard Marian Thomaiyar                          reinterpret_cast<unsigned int*>(&calMacLen)))
1644654d99fSRichard Marian Thomaiyar         {
1654654d99fSRichard Marian Thomaiyar             log<level::DEBUG>("Error: Failed to calculate MAC");
166b29b5ab3SAppaRao Puli             return -EIO;
1674654d99fSRichard Marian Thomaiyar         }
168b29b5ab3SAppaRao Puli         if (!((calMacLen == *macLen) &&
1694654d99fSRichard Marian Thomaiyar               (std::memcmp(calMac.data(), mac, calMacLen) == 0)))
1704654d99fSRichard Marian Thomaiyar         {
1714654d99fSRichard Marian Thomaiyar             log<level::DEBUG>("Authenticated message doesn't match");
172b29b5ab3SAppaRao Puli             return -EBADMSG;
173b29b5ab3SAppaRao Puli         }
1744654d99fSRichard Marian Thomaiyar     }
1754654d99fSRichard Marian Thomaiyar 
1764654d99fSRichard Marian Thomaiyar     std::unique_ptr<EVP_CIPHER_CTX, decltype(&::EVP_CIPHER_CTX_free)> ctx(
1774654d99fSRichard Marian Thomaiyar         EVP_CIPHER_CTX_new(), ::EVP_CIPHER_CTX_free);
1784654d99fSRichard Marian Thomaiyar     EVP_CIPHER_CTX_set_padding(ctx.get(), 1);
1794654d99fSRichard Marian Thomaiyar 
180b29b5ab3SAppaRao Puli     // Set key & IV
181b29b5ab3SAppaRao Puli     int retval = EVP_CipherInit_ex(ctx.get(), cipher, NULL, key, iv,
182b29b5ab3SAppaRao Puli                                    static_cast<int>(doEncrypt));
1834654d99fSRichard Marian Thomaiyar     if (!retval)
1844654d99fSRichard Marian Thomaiyar     {
1854654d99fSRichard Marian Thomaiyar         log<level::DEBUG>("EVP_CipherInit_ex failed",
1864654d99fSRichard Marian Thomaiyar                           entry("RET_VAL=%d", retval));
187b29b5ab3SAppaRao Puli         return -EIO;
1884654d99fSRichard Marian Thomaiyar     }
1894654d99fSRichard Marian Thomaiyar 
1904654d99fSRichard Marian Thomaiyar     int outLen = 0, outEVPLen = 0;
1914654d99fSRichard Marian Thomaiyar     if ((retval = EVP_CipherUpdate(ctx.get(), outBytes + outLen, &outEVPLen,
1924654d99fSRichard Marian Thomaiyar                                    inBytes, inBytesLen)))
1934654d99fSRichard Marian Thomaiyar     {
1944654d99fSRichard Marian Thomaiyar         outLen += outEVPLen;
1954654d99fSRichard Marian Thomaiyar         if ((retval =
1964654d99fSRichard Marian Thomaiyar                  EVP_CipherFinal(ctx.get(), outBytes + outLen, &outEVPLen)))
1974654d99fSRichard Marian Thomaiyar         {
1984654d99fSRichard Marian Thomaiyar             outLen += outEVPLen;
1994654d99fSRichard Marian Thomaiyar             *outBytesLen = outLen;
2004654d99fSRichard Marian Thomaiyar         }
2014654d99fSRichard Marian Thomaiyar         else
2024654d99fSRichard Marian Thomaiyar         {
2034654d99fSRichard Marian Thomaiyar             log<level::DEBUG>("EVP_CipherFinal fails",
2044654d99fSRichard Marian Thomaiyar                               entry("RET_VAL=%d", retval));
205b29b5ab3SAppaRao Puli             return -EIO;
2064654d99fSRichard Marian Thomaiyar         }
2074654d99fSRichard Marian Thomaiyar     }
2084654d99fSRichard Marian Thomaiyar     else
2094654d99fSRichard Marian Thomaiyar     {
2104654d99fSRichard Marian Thomaiyar         log<level::DEBUG>("EVP_CipherUpdate fails",
2114654d99fSRichard Marian Thomaiyar                           entry("RET_VAL=%d", retval));
212b29b5ab3SAppaRao Puli         return -EIO;
213b29b5ab3SAppaRao Puli     }
214b29b5ab3SAppaRao Puli 
215b29b5ab3SAppaRao Puli     if (doEncrypt)
216b29b5ab3SAppaRao Puli     {
217b29b5ab3SAppaRao Puli         // Create MAC for the encrypted message
218b29b5ab3SAppaRao Puli         if (NULL == HMAC(EVP_sha256(), key, keyLen, outBytes, *outBytesLen, mac,
219b29b5ab3SAppaRao Puli                          reinterpret_cast<unsigned int*>(macLen)))
220b29b5ab3SAppaRao Puli         {
221b29b5ab3SAppaRao Puli             log<level::DEBUG>("Failed to create authentication");
222b29b5ab3SAppaRao Puli             return -EIO;
223b29b5ab3SAppaRao Puli         }
2244654d99fSRichard Marian Thomaiyar     }
2254654d99fSRichard Marian Thomaiyar     return 0;
2264654d99fSRichard Marian Thomaiyar }
2274654d99fSRichard Marian Thomaiyar 
2284654d99fSRichard Marian Thomaiyar void PasswdMgr::initPasswordMap(void)
2294654d99fSRichard Marian Thomaiyar {
2304654d99fSRichard Marian Thomaiyar     phosphor::user::shadow::Lock lock();
231b29b5ab3SAppaRao Puli     std::vector<uint8_t> dataBuf;
2324654d99fSRichard Marian Thomaiyar 
233b29b5ab3SAppaRao Puli     if (readPasswdFileData(dataBuf) != 0)
2344654d99fSRichard Marian Thomaiyar     {
235b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in reading the encrypted pass file");
2364654d99fSRichard Marian Thomaiyar         return;
2374654d99fSRichard Marian Thomaiyar     }
2384654d99fSRichard Marian Thomaiyar 
239b29b5ab3SAppaRao Puli     if (dataBuf.size() != 0)
2404654d99fSRichard Marian Thomaiyar     {
2414654d99fSRichard Marian Thomaiyar         // populate the user list with password
242b29b5ab3SAppaRao Puli         char* outPtr = reinterpret_cast<char*>(dataBuf.data());
2434654d99fSRichard Marian Thomaiyar         char* nToken = NULL;
2444654d99fSRichard Marian Thomaiyar         char* linePtr = strtok_r(outPtr, "\n", &nToken);
24551d0c40aSPatrick Venture         size_t lineSize = 0;
2464654d99fSRichard Marian Thomaiyar         while (linePtr != NULL)
2474654d99fSRichard Marian Thomaiyar         {
24851d0c40aSPatrick Venture             size_t userEPos = 0;
2494654d99fSRichard Marian Thomaiyar             std::string lineStr(linePtr);
2504654d99fSRichard Marian Thomaiyar             if ((userEPos = lineStr.find(":")) != std::string::npos)
2514654d99fSRichard Marian Thomaiyar             {
2524654d99fSRichard Marian Thomaiyar                 lineSize = lineStr.size();
2534654d99fSRichard Marian Thomaiyar                 passwdMapList.emplace(
2544654d99fSRichard Marian Thomaiyar                     lineStr.substr(0, userEPos),
2554654d99fSRichard Marian Thomaiyar                     lineStr.substr(userEPos + 1, lineSize - (userEPos + 1)));
2564654d99fSRichard Marian Thomaiyar             }
2574654d99fSRichard Marian Thomaiyar             linePtr = strtok_r(NULL, "\n", &nToken);
2584654d99fSRichard Marian Thomaiyar         }
259b29b5ab3SAppaRao Puli     }
260b29b5ab3SAppaRao Puli 
2614654d99fSRichard Marian Thomaiyar     // Update the timestamp
262b29b5ab3SAppaRao Puli     fileLastUpdatedTime = getUpdatedFileTime();
263*70bd0635SJayaprakash Mutyala     // Clear sensitive data
264*70bd0635SJayaprakash Mutyala     OPENSSL_cleanse(dataBuf.data(), dataBuf.size());
265b29b5ab3SAppaRao Puli     return;
266b29b5ab3SAppaRao Puli }
267b29b5ab3SAppaRao Puli 
268b29b5ab3SAppaRao Puli int PasswdMgr::readPasswdFileData(std::vector<uint8_t>& outBytes)
269b29b5ab3SAppaRao Puli {
270b29b5ab3SAppaRao Puli     std::array<uint8_t, maxKeySize> keyBuff;
271b29b5ab3SAppaRao Puli     std::ifstream keyFile(encryptKeyFileName, std::ios::in | std::ios::binary);
272b29b5ab3SAppaRao Puli     if (!keyFile.is_open())
273b29b5ab3SAppaRao Puli     {
274b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in opening encryption key file");
275b29b5ab3SAppaRao Puli         return -EIO;
276b29b5ab3SAppaRao Puli     }
277b29b5ab3SAppaRao Puli     keyFile.read(reinterpret_cast<char*>(keyBuff.data()), keyBuff.size());
278b29b5ab3SAppaRao Puli     if (keyFile.fail())
279b29b5ab3SAppaRao Puli     {
280b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in reading encryption key file");
281b29b5ab3SAppaRao Puli         return -EIO;
282b29b5ab3SAppaRao Puli     }
283b29b5ab3SAppaRao Puli 
284b29b5ab3SAppaRao Puli     std::ifstream passwdFile(passwdFileName, std::ios::in | std::ios::binary);
285b29b5ab3SAppaRao Puli     if (!passwdFile.is_open())
286b29b5ab3SAppaRao Puli     {
287b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in opening ipmi password file");
288b29b5ab3SAppaRao Puli         return -EIO;
289b29b5ab3SAppaRao Puli     }
290b29b5ab3SAppaRao Puli 
291b29b5ab3SAppaRao Puli     // calculate file size and read the data
292b29b5ab3SAppaRao Puli     passwdFile.seekg(0, std::ios::end);
293b29b5ab3SAppaRao Puli     ssize_t fileSize = passwdFile.tellg();
294b29b5ab3SAppaRao Puli     passwdFile.seekg(0, std::ios::beg);
295b29b5ab3SAppaRao Puli     std::vector<uint8_t> input(fileSize);
296b29b5ab3SAppaRao Puli     passwdFile.read(reinterpret_cast<char*>(input.data()), fileSize);
297b29b5ab3SAppaRao Puli     if (passwdFile.fail())
298b29b5ab3SAppaRao Puli     {
299b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in reading encryption key file");
300b29b5ab3SAppaRao Puli         return -EIO;
301b29b5ab3SAppaRao Puli     }
302b29b5ab3SAppaRao Puli 
303b29b5ab3SAppaRao Puli     // verify the signature first
30448e55585SRichard Marian Thomaiyar     MetaPassStruct* metaData = reinterpret_cast<MetaPassStruct*>(input.data());
305b29b5ab3SAppaRao Puli     if (std::strncmp(metaData->signature, META_PASSWD_SIG,
306b29b5ab3SAppaRao Puli                      sizeof(metaData->signature)))
307b29b5ab3SAppaRao Puli     {
308b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error signature mismatch in password file");
309b29b5ab3SAppaRao Puli         return -EBADMSG;
310b29b5ab3SAppaRao Puli     }
311b29b5ab3SAppaRao Puli 
312b29b5ab3SAppaRao Puli     size_t inBytesLen = metaData->dataSize + metaData->padSize;
313b29b5ab3SAppaRao Puli     // If data is empty i.e no password map then return success
314b29b5ab3SAppaRao Puli     if (inBytesLen == 0)
315b29b5ab3SAppaRao Puli     {
316b29b5ab3SAppaRao Puli         log<level::DEBUG>("Empty password file");
317b29b5ab3SAppaRao Puli         return 0;
318b29b5ab3SAppaRao Puli     }
319b29b5ab3SAppaRao Puli 
320b29b5ab3SAppaRao Puli     // compute the key needed to decrypt
321b29b5ab3SAppaRao Puli     std::array<uint8_t, EVP_MAX_KEY_LENGTH> key;
322b29b5ab3SAppaRao Puli     auto keyLen = key.size();
323b29b5ab3SAppaRao Puli     if (NULL == HMAC(EVP_sha256(), keyBuff.data(), keyBuff.size(),
324b29b5ab3SAppaRao Puli                      input.data() + sizeof(*metaData), metaData->hashSize,
325b29b5ab3SAppaRao Puli                      key.data(), reinterpret_cast<unsigned int*>(&keyLen)))
326b29b5ab3SAppaRao Puli     {
327b29b5ab3SAppaRao Puli         log<level::DEBUG>("Failed to create MAC for authentication");
328b29b5ab3SAppaRao Puli         return -EIO;
329b29b5ab3SAppaRao Puli     }
330b29b5ab3SAppaRao Puli 
331b29b5ab3SAppaRao Puli     // decrypt the data
332b29b5ab3SAppaRao Puli     uint8_t* iv = input.data() + sizeof(*metaData) + metaData->hashSize;
333b29b5ab3SAppaRao Puli     size_t ivLen = metaData->ivSize;
334b29b5ab3SAppaRao Puli     uint8_t* inBytes = iv + ivLen;
335b29b5ab3SAppaRao Puli     uint8_t* mac = inBytes + inBytesLen;
336b29b5ab3SAppaRao Puli     size_t macLen = metaData->macSize;
337b29b5ab3SAppaRao Puli 
338b29b5ab3SAppaRao Puli     size_t outBytesLen = 0;
339b29b5ab3SAppaRao Puli     // Resize to actual data size
340b29b5ab3SAppaRao Puli     outBytes.resize(inBytesLen + EVP_MAX_BLOCK_LENGTH);
341b29b5ab3SAppaRao Puli     if (encryptDecryptData(false, EVP_aes_128_cbc(), key.data(), keyLen, iv,
342b29b5ab3SAppaRao Puli                            ivLen, inBytes, inBytesLen, mac, &macLen,
343b29b5ab3SAppaRao Puli                            outBytes.data(), &outBytesLen) != 0)
344b29b5ab3SAppaRao Puli     {
345b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in decryption");
346b29b5ab3SAppaRao Puli         return -EIO;
347b29b5ab3SAppaRao Puli     }
348b29b5ab3SAppaRao Puli     // Resize the vector to outBytesLen
349b29b5ab3SAppaRao Puli     outBytes.resize(outBytesLen);
350b29b5ab3SAppaRao Puli 
351b29b5ab3SAppaRao Puli     OPENSSL_cleanse(key.data(), keyLen);
352b29b5ab3SAppaRao Puli     OPENSSL_cleanse(iv, ivLen);
353b29b5ab3SAppaRao Puli 
354b29b5ab3SAppaRao Puli     return 0;
355b29b5ab3SAppaRao Puli }
356b29b5ab3SAppaRao Puli 
35742bed64dSRichard Marian Thomaiyar int PasswdMgr::updatePasswdSpecialFile(const std::string& userName,
35842bed64dSRichard Marian Thomaiyar                                        const std::string& newUserName)
359b29b5ab3SAppaRao Puli {
360b29b5ab3SAppaRao Puli     phosphor::user::shadow::Lock lock();
361b29b5ab3SAppaRao Puli 
362b29b5ab3SAppaRao Puli     size_t bytesWritten = 0;
363b29b5ab3SAppaRao Puli     size_t inBytesLen = 0;
364b29b5ab3SAppaRao Puli     size_t isUsrFound = false;
365b29b5ab3SAppaRao Puli     const EVP_CIPHER* cipher = EVP_aes_128_cbc();
366b29b5ab3SAppaRao Puli     std::vector<uint8_t> dataBuf;
367b29b5ab3SAppaRao Puli 
368b29b5ab3SAppaRao Puli     // Read the encrypted file and get the file data
369b29b5ab3SAppaRao Puli     // Check user existance and return if not exist.
370b29b5ab3SAppaRao Puli     if (readPasswdFileData(dataBuf) != 0)
371b29b5ab3SAppaRao Puli     {
372b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in reading the encrypted pass file");
373b29b5ab3SAppaRao Puli         return -EIO;
374b29b5ab3SAppaRao Puli     }
375b29b5ab3SAppaRao Puli 
376b29b5ab3SAppaRao Puli     if (dataBuf.size() != 0)
377b29b5ab3SAppaRao Puli     {
37842bed64dSRichard Marian Thomaiyar         inBytesLen =
37942bed64dSRichard Marian Thomaiyar             dataBuf.size() + newUserName.size() + EVP_CIPHER_block_size(cipher);
380b29b5ab3SAppaRao Puli     }
381b29b5ab3SAppaRao Puli 
382b29b5ab3SAppaRao Puli     std::vector<uint8_t> inBytes(inBytesLen);
383b29b5ab3SAppaRao Puli     if (inBytesLen != 0)
384b29b5ab3SAppaRao Puli     {
385b29b5ab3SAppaRao Puli         char* outPtr = reinterpret_cast<char*>(dataBuf.data());
386b29b5ab3SAppaRao Puli         char* nToken = NULL;
387b29b5ab3SAppaRao Puli         char* linePtr = strtok_r(outPtr, "\n", &nToken);
388b29b5ab3SAppaRao Puli         while (linePtr != NULL)
389b29b5ab3SAppaRao Puli         {
39051d0c40aSPatrick Venture             size_t userEPos = 0;
39151d0c40aSPatrick Venture 
392b29b5ab3SAppaRao Puli             std::string lineStr(linePtr);
393b29b5ab3SAppaRao Puli             if ((userEPos = lineStr.find(":")) != std::string::npos)
394b29b5ab3SAppaRao Puli             {
395b29b5ab3SAppaRao Puli                 if (userName.compare(lineStr.substr(0, userEPos)) == 0)
396b29b5ab3SAppaRao Puli                 {
397b29b5ab3SAppaRao Puli                     isUsrFound = true;
39842bed64dSRichard Marian Thomaiyar                     if (!newUserName.empty())
39942bed64dSRichard Marian Thomaiyar                     {
40042bed64dSRichard Marian Thomaiyar                         bytesWritten += std::snprintf(
40142bed64dSRichard Marian Thomaiyar                             reinterpret_cast<char*>(&inBytes[0]) + bytesWritten,
40242bed64dSRichard Marian Thomaiyar                             (inBytesLen - bytesWritten), "%s%s\n",
40342bed64dSRichard Marian Thomaiyar                             newUserName.c_str(),
40442bed64dSRichard Marian Thomaiyar                             lineStr.substr(userEPos, lineStr.size()).data());
40542bed64dSRichard Marian Thomaiyar                     }
406b29b5ab3SAppaRao Puli                 }
407b29b5ab3SAppaRao Puli                 else
408b29b5ab3SAppaRao Puli                 {
409b29b5ab3SAppaRao Puli                     bytesWritten += std::snprintf(
410b29b5ab3SAppaRao Puli                         reinterpret_cast<char*>(&inBytes[0]) + bytesWritten,
41142bed64dSRichard Marian Thomaiyar                         (inBytesLen - bytesWritten), "%s\n", lineStr.data());
412b29b5ab3SAppaRao Puli                 }
413b29b5ab3SAppaRao Puli             }
414b29b5ab3SAppaRao Puli             linePtr = strtok_r(NULL, "\n", &nToken);
415b29b5ab3SAppaRao Puli         }
416161f20d5SRichard Marian Thomaiyar         inBytesLen = bytesWritten;
417b29b5ab3SAppaRao Puli     }
418b29b5ab3SAppaRao Puli     if (!isUsrFound)
419b29b5ab3SAppaRao Puli     {
420b29b5ab3SAppaRao Puli         log<level::DEBUG>("User doesn't exist");
421b29b5ab3SAppaRao Puli         return 0;
422b29b5ab3SAppaRao Puli     }
423b29b5ab3SAppaRao Puli 
424b29b5ab3SAppaRao Puli     // Read the key buff from key file
425b29b5ab3SAppaRao Puli     std::array<uint8_t, maxKeySize> keyBuff;
426b29b5ab3SAppaRao Puli     std::ifstream keyFile(encryptKeyFileName, std::ios::in | std::ios::binary);
427b29b5ab3SAppaRao Puli     if (!keyFile.good())
428b29b5ab3SAppaRao Puli     {
429b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in opening encryption key file");
430b29b5ab3SAppaRao Puli         return -EIO;
431b29b5ab3SAppaRao Puli     }
432b29b5ab3SAppaRao Puli     keyFile.read(reinterpret_cast<char*>(keyBuff.data()), keyBuff.size());
433b29b5ab3SAppaRao Puli     if (keyFile.fail())
434b29b5ab3SAppaRao Puli     {
435b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in reading encryption key file");
436b29b5ab3SAppaRao Puli         return -EIO;
437b29b5ab3SAppaRao Puli     }
438b29b5ab3SAppaRao Puli     keyFile.close();
439b29b5ab3SAppaRao Puli 
440b29b5ab3SAppaRao Puli     // Read the original passwd file mode
441b29b5ab3SAppaRao Puli     struct stat st = {};
442b29b5ab3SAppaRao Puli     if (stat(passwdFileName, &st) != 0)
443b29b5ab3SAppaRao Puli     {
444b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in getting password file fstat()");
445b29b5ab3SAppaRao Puli         return -EIO;
446b29b5ab3SAppaRao Puli     }
447b29b5ab3SAppaRao Puli 
448b29b5ab3SAppaRao Puli     // Create temporary file for write
449b29b5ab3SAppaRao Puli     std::string pwdFile(passwdFileName);
450b29b5ab3SAppaRao Puli     std::vector<char> tempFileName(pwdFile.begin(), pwdFile.end());
451b29b5ab3SAppaRao Puli     std::vector<char> fileTemplate = {'_', '_', 'X', 'X', 'X',
452b29b5ab3SAppaRao Puli                                       'X', 'X', 'X', '\0'};
453b29b5ab3SAppaRao Puli     tempFileName.insert(tempFileName.end(), fileTemplate.begin(),
454b29b5ab3SAppaRao Puli                         fileTemplate.end());
455b29b5ab3SAppaRao Puli     int fd = mkstemp((char*)tempFileName.data());
456b29b5ab3SAppaRao Puli     if (fd == -1)
457b29b5ab3SAppaRao Puli     {
458b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error creating temp file");
459b29b5ab3SAppaRao Puli         return -EIO;
460b29b5ab3SAppaRao Puli     }
461b29b5ab3SAppaRao Puli 
462b29b5ab3SAppaRao Puli     std::string strTempFileName(tempFileName.data());
463b29b5ab3SAppaRao Puli     // Open the temp file for writing from provided fd
464b29b5ab3SAppaRao Puli     // By "true", remove it at exit if still there.
465b29b5ab3SAppaRao Puli     // This is needed to cleanup the temp file at exception
466b29b5ab3SAppaRao Puli     phosphor::user::File temp(fd, strTempFileName, "w", true);
467b29b5ab3SAppaRao Puli     if ((temp)() == NULL)
468b29b5ab3SAppaRao Puli     {
469b29b5ab3SAppaRao Puli         close(fd);
470b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error creating temp file");
471b29b5ab3SAppaRao Puli         return -EIO;
472b29b5ab3SAppaRao Puli     }
473b29b5ab3SAppaRao Puli 
474b265455aSVernon Mauery     // Set the file mode as read-write for owner only
475b265455aSVernon Mauery     if (fchmod(fileno((temp)()), S_IRUSR | S_IWUSR) < 0)
476b29b5ab3SAppaRao Puli     {
477b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error setting fchmod for temp file");
478b29b5ab3SAppaRao Puli         return -EIO;
479b29b5ab3SAppaRao Puli     }
480b29b5ab3SAppaRao Puli 
481b29b5ab3SAppaRao Puli     const EVP_MD* digest = EVP_sha256();
482b29b5ab3SAppaRao Puli     size_t hashLen = EVP_MD_block_size(digest);
483b29b5ab3SAppaRao Puli     std::vector<uint8_t> hash(hashLen);
484b29b5ab3SAppaRao Puli     size_t ivLen = EVP_CIPHER_iv_length(cipher);
485b29b5ab3SAppaRao Puli     std::vector<uint8_t> iv(ivLen);
486b29b5ab3SAppaRao Puli     std::array<uint8_t, EVP_MAX_KEY_LENGTH> key;
487b29b5ab3SAppaRao Puli     size_t keyLen = key.size();
488b29b5ab3SAppaRao Puli     std::array<uint8_t, EVP_MAX_MD_SIZE> mac;
489b29b5ab3SAppaRao Puli     size_t macLen = mac.size();
490b29b5ab3SAppaRao Puli 
491b29b5ab3SAppaRao Puli     // Create random hash and generate hash key which will be used for
492b29b5ab3SAppaRao Puli     // encryption.
493b29b5ab3SAppaRao Puli     if (RAND_bytes(hash.data(), hashLen) != 1)
494b29b5ab3SAppaRao Puli     {
495b29b5ab3SAppaRao Puli         log<level::DEBUG>("Hash genertion failed, bailing out");
496b29b5ab3SAppaRao Puli         return -EIO;
497b29b5ab3SAppaRao Puli     }
498b29b5ab3SAppaRao Puli     if (NULL == HMAC(digest, keyBuff.data(), keyBuff.size(), hash.data(),
499b29b5ab3SAppaRao Puli                      hashLen, key.data(),
500b29b5ab3SAppaRao Puli                      reinterpret_cast<unsigned int*>(&keyLen)))
501b29b5ab3SAppaRao Puli     {
502b29b5ab3SAppaRao Puli         log<level::DEBUG>("Failed to create MAC for authentication");
503b29b5ab3SAppaRao Puli         return -EIO;
504b29b5ab3SAppaRao Puli     }
505b29b5ab3SAppaRao Puli 
506b29b5ab3SAppaRao Puli     // Generate IV values
507b29b5ab3SAppaRao Puli     if (RAND_bytes(iv.data(), ivLen) != 1)
508b29b5ab3SAppaRao Puli     {
509b29b5ab3SAppaRao Puli         log<level::DEBUG>("UV genertion failed, bailing out");
510b29b5ab3SAppaRao Puli         return -EIO;
511b29b5ab3SAppaRao Puli     }
512b29b5ab3SAppaRao Puli 
513b29b5ab3SAppaRao Puli     // Encrypt the input data
514b29b5ab3SAppaRao Puli     std::vector<uint8_t> outBytes(inBytesLen + EVP_MAX_BLOCK_LENGTH);
515b29b5ab3SAppaRao Puli     size_t outBytesLen = 0;
516b29b5ab3SAppaRao Puli     if (inBytesLen != 0)
517b29b5ab3SAppaRao Puli     {
518b29b5ab3SAppaRao Puli         if (encryptDecryptData(true, EVP_aes_128_cbc(), key.data(), keyLen,
519b29b5ab3SAppaRao Puli                                iv.data(), ivLen, inBytes.data(), inBytesLen,
520b29b5ab3SAppaRao Puli                                mac.data(), &macLen, outBytes.data(),
521b29b5ab3SAppaRao Puli                                &outBytesLen) != 0)
522b29b5ab3SAppaRao Puli         {
523b29b5ab3SAppaRao Puli             log<level::DEBUG>("Error while encrypting the data");
524b29b5ab3SAppaRao Puli             return -EIO;
525b29b5ab3SAppaRao Puli         }
526b29b5ab3SAppaRao Puli         outBytes[outBytesLen] = 0;
527b29b5ab3SAppaRao Puli     }
528b29b5ab3SAppaRao Puli     OPENSSL_cleanse(key.data(), keyLen);
529b29b5ab3SAppaRao Puli 
530b29b5ab3SAppaRao Puli     // Update the meta password structure.
53148e55585SRichard Marian Thomaiyar     MetaPassStruct metaData = {META_PASSWD_SIG, {0, 0}, 0, 0, 0, 0, 0};
532b29b5ab3SAppaRao Puli     metaData.hashSize = hashLen;
533b29b5ab3SAppaRao Puli     metaData.ivSize = ivLen;
534b29b5ab3SAppaRao Puli     metaData.dataSize = bytesWritten;
535b29b5ab3SAppaRao Puli     metaData.padSize = outBytesLen - bytesWritten;
536b29b5ab3SAppaRao Puli     metaData.macSize = macLen;
537b29b5ab3SAppaRao Puli 
538b29b5ab3SAppaRao Puli     if (fwrite(&metaData, 1, sizeof(metaData), (temp)()) != sizeof(metaData))
539b29b5ab3SAppaRao Puli     {
540b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in writing meta data");
541b29b5ab3SAppaRao Puli         return -EIO;
542b29b5ab3SAppaRao Puli     }
543b29b5ab3SAppaRao Puli 
544b29b5ab3SAppaRao Puli     if (fwrite(&hash[0], 1, hashLen, (temp)()) != hashLen)
545b29b5ab3SAppaRao Puli     {
546b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in writing hash data");
547b29b5ab3SAppaRao Puli         return -EIO;
548b29b5ab3SAppaRao Puli     }
549b29b5ab3SAppaRao Puli 
550b29b5ab3SAppaRao Puli     if (fwrite(&iv[0], 1, ivLen, (temp)()) != ivLen)
551b29b5ab3SAppaRao Puli     {
552b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in writing IV data");
553b29b5ab3SAppaRao Puli         return -EIO;
554b29b5ab3SAppaRao Puli     }
555b29b5ab3SAppaRao Puli 
556b29b5ab3SAppaRao Puli     if (fwrite(&outBytes[0], 1, outBytesLen, (temp)()) != outBytesLen)
557b29b5ab3SAppaRao Puli     {
558b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in writing encrypted data");
559b29b5ab3SAppaRao Puli         return -EIO;
560b29b5ab3SAppaRao Puli     }
561b29b5ab3SAppaRao Puli 
562b29b5ab3SAppaRao Puli     if (fwrite(&mac[0], 1, macLen, (temp)()) != macLen)
563b29b5ab3SAppaRao Puli     {
564b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error in writing MAC data");
565b29b5ab3SAppaRao Puli         return -EIO;
566b29b5ab3SAppaRao Puli     }
567b29b5ab3SAppaRao Puli 
568b29b5ab3SAppaRao Puli     if (fflush((temp)()))
569b29b5ab3SAppaRao Puli     {
570b29b5ab3SAppaRao Puli         log<level::DEBUG>(
571b29b5ab3SAppaRao Puli             "File fflush error while writing entries to special file");
572b29b5ab3SAppaRao Puli         return -EIO;
573b29b5ab3SAppaRao Puli     }
574b29b5ab3SAppaRao Puli 
575b29b5ab3SAppaRao Puli     OPENSSL_cleanse(iv.data(), ivLen);
576b29b5ab3SAppaRao Puli 
577b29b5ab3SAppaRao Puli     // Rename the tmp  file to actual file
578b29b5ab3SAppaRao Puli     if (std::rename(strTempFileName.data(), passwdFileName) != 0)
579b29b5ab3SAppaRao Puli     {
580b29b5ab3SAppaRao Puli         log<level::DEBUG>("Failed to rename tmp file to ipmi-pass");
581b29b5ab3SAppaRao Puli         return -EIO;
582b29b5ab3SAppaRao Puli     }
583b29b5ab3SAppaRao Puli 
584b29b5ab3SAppaRao Puli     return 0;
585b29b5ab3SAppaRao Puli }
586b29b5ab3SAppaRao Puli 
587b29b5ab3SAppaRao Puli std::time_t PasswdMgr::getUpdatedFileTime()
588b29b5ab3SAppaRao Puli {
5894654d99fSRichard Marian Thomaiyar     struct stat fileStat = {};
5904654d99fSRichard Marian Thomaiyar     if (stat(passwdFileName, &fileStat) != 0)
5914654d99fSRichard Marian Thomaiyar     {
592b29b5ab3SAppaRao Puli         log<level::DEBUG>("Error - Getting passwd file time stamp");
593b29b5ab3SAppaRao Puli         return -EIO;
5944654d99fSRichard Marian Thomaiyar     }
595b29b5ab3SAppaRao Puli     return fileStat.st_mtime;
5964654d99fSRichard Marian Thomaiyar }
5974654d99fSRichard Marian Thomaiyar 
5984654d99fSRichard Marian Thomaiyar } // namespace ipmi
599