lib/crypt: Add helpers for operating on /etc/shadow
authorSamuel Mendoza-Jonas <sam@mendozajonas.com>
Tue, 19 Jun 2018 06:33:42 +0000 (16:33 +1000)
committerSamuel Mendoza-Jonas <sam@mendozajonas.com>
Mon, 3 Dec 2018 03:39:57 +0000 (14:39 +1100)
Provides helper functions for reading, writing, and checking against
/etc/shadow. The main use case if for authenticating clients against the
"system" password, which is set as the root password.

Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
configure.ac
lib/Makefile.am
lib/crypt/crypt.c [new file with mode: 0644]
lib/crypt/crypt.h [new file with mode: 0644]

index 2bf6e6f64f3afe4748c0382b12ff634186086c8b..4151b002a35b8a2835dcf0b1ff572abd39821498 100644 (file)
@@ -76,6 +76,27 @@ AC_CHECK_LIB([devmapper], [dm_task_create],
        [AC_MSG_FAILURE([The libdevmapper development library is required by petitboot.  Try installing the package libdevmapper-dev or device-mapper-devel.])]
 )
 
+AC_ARG_ENABLE(
+       [crypt],
+       [AS_HELP_STRING(
+               [--enable-crypt],
+               [Include crypt support to enable password use [default=no]]
+       )],
+       [],
+       [enable_crypt=no]
+)
+AM_CONDITIONAL([ENABLE_CRYPT], [test "x$enable_crypt" = "xyes"])
+AS_IF([test "x$enable_crypt" = "xyes"],
+      [AC_DEFINE(CRYPT_SUPPORT, 1, [Enable crypt/password support])],
+      []
+)
+AS_IF([test "x$enable_crypt" = "xyes"],
+       AC_CHECK_LIB([crypt], [crypt],
+               [CRYPT_LIBS=-lcrypt],
+               [AC_MSG_FAILURE([shadow/crypt libs required])]
+       )
+)
+
 AC_ARG_WITH([fdt],
        AS_HELP_STRING([--without-fdt],
                [Build without libfdt (default: no)]))
@@ -455,6 +476,7 @@ AS_IF(
  
 AC_SUBST([UDEV_LIBS])
 AC_SUBST([DEVMAPPER_LIBS])
+AC_SUBST([CRYPT_LIBS])
 AC_SUBST([FDT_LIBS])
 AC_SUBST([LIBFLASH_LIBS])
 AC_SUBST([LIBTOOL_DEPS])
index 016a14dd09f2783d5ac1306a4976678acf98f7ef..69a66c3735acc8734eeb8938f846c98865bd6a47 100644 (file)
@@ -35,6 +35,7 @@ lib_libpbcore_la_CFLAGS = \
 
 lib_libpbcore_la_SOURCES = \
        lib/ccan/endian/endian.h \
+       lib/crypt/crypt.h \
        lib/file/file.h \
        lib/file/file.c \
        lib/fold/fold.h \
@@ -93,3 +94,11 @@ lib_libpbcore_la_SOURCES += \
        lib/security/none.c
 endif
 endif
+
+if ENABLE_CRYPT
+lib_libpbcore_la_SOURCES += \
+       lib/crypt/crypt.c
+
+lib_libpbcore_la_LDFLAGS += \
+       $(CRYPT_LIBS)
+endif
diff --git a/lib/crypt/crypt.c b/lib/crypt/crypt.c
new file mode 100644 (file)
index 0000000..b5e183a
--- /dev/null
@@ -0,0 +1,217 @@
+/*
+ *  Copyright (C) 2018 IBM Corporation
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; version 2 of the License.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ */
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <shadow.h>
+#include <crypt.h>
+#include <errno.h>
+
+#include <talloc/talloc.h>
+#include <log/log.h>
+
+#include "crypt.h"
+
+int crypt_set_password_hash(void *ctx, const char *hash)
+{
+       struct spwd **shadow, *entry;
+       bool found_root;
+       int rc, i, n;
+       FILE *fp;
+
+       if (lckpwdf()) {
+               pb_log("Could not obtain access to shadow file\n");
+               return -1;
+       }
+       setspent();
+
+       found_root = false;
+       shadow = NULL;
+       n = 0;
+
+       /* Read all entries and modify the root entry */
+       errno = 0;
+       fp = fopen("/etc/shadow", "r");
+       if (!fp) {
+               pb_log("Could not open shadow file, %m\n");
+               rc = -1;
+               goto out;
+       }
+
+       entry = fgetspent(fp);
+       while (entry) {
+               shadow = talloc_realloc(ctx, shadow, struct spwd *, n + 1);
+               if (!shadow) {
+                       pb_log("Failed to allocate shadow struct\n");
+                       rc = -1;
+                       goto out;
+               }
+
+               shadow[n] = talloc_memdup(shadow, entry, sizeof(struct spwd));
+               if (!shadow[n]) {
+                       pb_log("Could not duplicate entry for %s\n",
+                                       entry->sp_namp);
+                       rc = -1;
+                       goto out;
+               }
+
+               shadow[n]->sp_namp = talloc_strdup(shadow, entry->sp_namp);
+               if (strncmp(shadow[n]->sp_namp, "root", strlen("root")) == 0) {
+                       shadow[n]->sp_pwdp = talloc_strdup(shadow, hash);
+                       found_root = true;
+               } else {
+                       shadow[n]->sp_pwdp = talloc_strdup(shadow,
+                                       entry->sp_pwdp);
+               }
+
+               if (!shadow[n]->sp_namp || !shadow[n]->sp_pwdp) {
+                       pb_log("Failed to allocate new fields for %s\n",
+                                       entry->sp_namp);
+                       rc = -1;
+                       goto out;
+               }
+
+               n++;
+               entry = fgetspent(fp);
+       }
+
+       if (n == 0)
+               pb_debug_fn("No entries found\n");
+
+       fclose(fp);
+
+       if (!found_root) {
+               /* Make our own */
+               pb_debug_fn("No root user found, creating entry\n");
+               shadow = talloc_realloc(ctx, shadow, struct spwd *, n + 1);
+               if (!shadow) {
+                       pb_log("Failed to allocate shadow struct\n");
+                       rc = -1;
+                       goto out;
+               }
+
+               shadow[n] = talloc_zero(shadow, struct spwd);
+               shadow[n]->sp_namp = talloc_asprintf(shadow, "root");
+               shadow[n]->sp_pwdp = talloc_strdup(shadow, hash);
+               if (!shadow[n]->sp_namp || !shadow[n]->sp_pwdp) {
+                       pb_log("Failed to allocate new fields for root entry\n");
+                       rc = -1;
+                       goto out;
+               }
+               n++;
+       }
+
+       errno = 0;
+       fp = fopen("/etc/shadow", "w");
+       if (!fp) {
+               pb_log("Could not open shadow file, %m\n");
+               rc = -1;
+               goto out;
+       }
+
+       /* Write each entry back to keep the same format in /etc/shadow */
+       for (i = 0; i < n; i++) {
+               rc = putspent(shadow[i], fp);
+               if (rc)
+                       pb_log("Failed to write back shadow entry for %s!\n",
+                                       shadow[i]->sp_namp);
+       }
+
+       rc = 0;
+out:
+       if (fp)
+               fclose(fp);
+       talloc_free(shadow);
+       endspent();
+       ulckpwdf();
+       return rc;
+}
+
+static const char *crypt_hash_password(const char *password)
+{
+       struct spwd *shadow;
+       char *hash, *salt;
+       char new_salt[17];
+       int i;
+
+       shadow = getspnam("root");
+       if (!shadow) {
+               pb_log("Could not find root shadow\n");
+               return NULL;
+       }
+
+       if (shadow->sp_pwdp && strlen(shadow->sp_pwdp)) {
+               salt = shadow->sp_pwdp;
+       } else {
+               for (i = 0; i < 16; i++)
+                       new_salt[i] = random() % 94 + 32;
+               new_salt[i] = '\0';
+               salt = talloc_asprintf(password, "$6$%s", new_salt);
+       }
+
+       hash = crypt(password ?: "", salt);
+       if (!hash)
+               pb_log("Could not create hash, %m\n");
+
+
+       return hash;
+}
+
+
+int crypt_set_password(void *ctx, const char *password)
+{
+       const char *hash;
+
+       if (!password || !strlen(password))
+               return crypt_set_password_hash(ctx, "");
+
+       hash = crypt_hash_password(password);
+       if (!hash)
+               return -1;
+
+       return crypt_set_password_hash(ctx, hash);
+}
+
+char *crypt_get_hash(void *ctx)
+{
+       struct spwd *shadow;
+
+       shadow = getspnam("root");
+       if (!shadow) {
+               pb_log("Could not find root shadow\n");
+               return false;
+       }
+
+       return talloc_strdup(ctx, shadow->sp_pwdp);
+}
+
+bool crypt_check_password(const char *password)
+{
+       struct spwd *shadow;
+       char *hash;
+
+       shadow = getspnam("root");
+       if (!shadow) {
+               pb_log("Could not find root shadow\n");
+               return false;
+       }
+
+       hash = crypt(password ? : "", shadow->sp_pwdp);
+       if (!hash) {
+               pb_log("Could not create hash, %m\n");
+               return false;
+       }
+
+       return strncmp(shadow->sp_pwdp, hash, strlen(shadow->sp_pwdp)) == 0;
+}
diff --git a/lib/crypt/crypt.h b/lib/crypt/crypt.h
new file mode 100644 (file)
index 0000000..4b242f0
--- /dev/null
@@ -0,0 +1,49 @@
+/*
+ *  Copyright (C) 2018 IBM Corporation
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; version 2 of the License.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ */
+#ifndef CRYPT_H
+#define CRYPT_H
+
+#include "config.h"
+
+#ifdef CRYPT_SUPPORT
+
+char *crypt_get_hash(void *ctx);
+bool crypt_check_password(const char *password);
+int crypt_set_password(void *ctx, const char *password);
+int crypt_set_password_hash(void *ctx, const char *hash);
+
+#else
+
+static inline char *crypt_get_hash(void *ctx __attribute__((unused)))
+{
+       return NULL;
+}
+static inline bool crypt_check_password(
+               const char *password __attribute__((unused)))
+{
+       return false;
+}
+static inline int crypt_set_password(void *ctx __attribute__((unused)),
+               const char *password __attribute__((unused)))
+{
+       return -1;
+}
+static inline int crypt_set_password_hash(void *ctx __attribute__((unused)),
+               const char *hash __attribute__((unused)))
+{
+       return -1;
+}
+
+#endif
+#endif /* CRYPT_H */