1 #pragma once 2 3 #include <security/pam_appl.h> 4 5 #include <boost/utility/string_view.hpp> 6 7 #include <cstring> 8 #include <memory> 9 10 // function used to get user input 11 inline int pamFunctionConversation(int numMsg, const struct pam_message** msg, 12 struct pam_response** resp, void* appdataPtr) 13 { 14 if (appdataPtr == nullptr) 15 { 16 return PAM_CONV_ERR; 17 } 18 19 if (numMsg <= 0 || numMsg >= PAM_MAX_NUM_MSG) 20 { 21 return PAM_CONV_ERR; 22 } 23 24 for (int i = 0; i < numMsg; ++i) 25 { 26 /* Ignore all PAM messages except prompting for hidden input */ 27 // NOLINTNEXTLINE(cppcoreguidelines-pro-bounds-pointer-arithmetic) 28 if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) 29 { 30 continue; 31 } 32 33 /* Assume PAM is only prompting for the password as hidden input */ 34 /* Allocate memory only when PAM_PROMPT_ECHO_OFF is encounterred */ 35 36 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast) 37 char* appPass = reinterpret_cast<char*>(appdataPtr); 38 size_t appPassSize = std::strlen(appPass); 39 40 if ((appPassSize + 1) > PAM_MAX_RESP_SIZE) 41 { 42 return PAM_CONV_ERR; 43 } 44 // IDeally we'd like to avoid using malloc here, but because we're 45 // passing off ownership of this to a C application, there aren't a lot 46 // of sane ways to avoid it. 47 48 // NOLINTNEXTLINE(cppcoreguidelines-no-malloc)' 49 void* passPtr = malloc(appPassSize + 1); 50 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast) 51 char* pass = reinterpret_cast<char*>(passPtr); 52 if (pass == nullptr) 53 { 54 return PAM_BUF_ERR; 55 } 56 57 std::strncpy(pass, appPass, appPassSize + 1); 58 59 size_t numMsgSize = static_cast<size_t>(numMsg); 60 // NOLINTNEXTLINE(cppcoreguidelines-no-malloc) 61 void* ptr = calloc(numMsgSize, sizeof(struct pam_response)); 62 if (ptr == nullptr) 63 { 64 // NOLINTNEXTLINE(cppcoreguidelines-no-malloc) 65 free(pass); 66 return PAM_BUF_ERR; 67 } 68 69 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast) 70 *resp = reinterpret_cast<pam_response*>(ptr); 71 72 // NOLINTNEXTLINE(cppcoreguidelines-pro-bounds-pointer-arithmetic) 73 resp[i]->resp = pass; 74 75 return PAM_SUCCESS; 76 } 77 78 return PAM_CONV_ERR; 79 } 80 81 /** 82 * @brief Attempt username/password authentication via PAM. 83 * @param username The provided username aka account name. 84 * @param password The provided password. 85 * @returns PAM error code or PAM_SUCCESS for success. */ 86 inline int pamAuthenticateUser(std::string_view username, 87 std::string_view password) 88 { 89 std::string userStr(username); 90 std::string passStr(password); 91 92 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast) 93 char* passStrNoConst = const_cast<char*>(passStr.c_str()); 94 const struct pam_conv localConversation = {pamFunctionConversation, 95 passStrNoConst}; 96 pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start 97 98 int retval = pam_start("webserver", userStr.c_str(), &localConversation, 99 &localAuthHandle); 100 if (retval != PAM_SUCCESS) 101 { 102 return retval; 103 } 104 105 retval = pam_authenticate(localAuthHandle, 106 PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK); 107 if (retval != PAM_SUCCESS) 108 { 109 pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval 110 return retval; 111 } 112 113 /* check that the account is healthy */ 114 retval = pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK); 115 if (retval != PAM_SUCCESS) 116 { 117 pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval 118 return retval; 119 } 120 121 return pam_end(localAuthHandle, PAM_SUCCESS); 122 } 123 124 inline int pamUpdatePassword(const std::string& username, 125 const std::string& password) 126 { 127 // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast) 128 char* passStrNoConst = const_cast<char*>(password.c_str()); 129 const struct pam_conv localConversation = {pamFunctionConversation, 130 passStrNoConst}; 131 pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start 132 133 int retval = pam_start("webserver", username.c_str(), &localConversation, 134 &localAuthHandle); 135 136 if (retval != PAM_SUCCESS) 137 { 138 return retval; 139 } 140 141 retval = pam_chauthtok(localAuthHandle, PAM_SILENT); 142 if (retval != PAM_SUCCESS) 143 { 144 pam_end(localAuthHandle, PAM_SUCCESS); 145 return retval; 146 } 147 148 return pam_end(localAuthHandle, PAM_SUCCESS); 149 } 150