shadow.c

   1 /*
   2  * Copyright (c) 2020 Duncan Overbruck <mail@duncano.de>
   3  * Copyright (c) 2021 Sergey Sushilin <sergeysushilin@protonmail.com>
   4  *
   5  * Permission to use, copy, modify, and distribute this software for any
   6  * purpose with or without fee is hereby granted, provided that the above
   7  * copyright notice and this permission notice appear in all copies.
   8  *
   9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  16  */
  17
  18 #include <crypt.h>
  19 #include <err.h>
  20 #include <errno.h>
  21 #include <limits.h>
  22 #include <pwd.h>
  23 #include <shadow.h>
  24 #include <stdio.h>
  25 #include <stdlib.h>
  26 #include <string.h>
  27 #include <syslog.h>
  28 #include <unistd.h>
  29
  30 #include "compat.h"
  31 #include "wrappers.h"
  32 #include "readpassphrase.h"
  33
  34 void shadowauth(char const *doas_prompt, char const *name)
  35 {
  36         char *response, *encrypted, rbuf[1024];
  37         char const *challenge;
  38         struct passwd *pw = xgetpwnam(name);
  39         char const *hash = pw->pw_passwd;
  40
  41         if (hash[0] == 'x' && hash[1] == '\0') {
  42                 struct spwd *sp = xgetspnam(name);
  43                 size_t size = strlen(sp->sp_pwdp) + 1;
  44                 memmove(sp, sp->sp_pwdp, size);
  45                 hash = xrealloc(sp, size);
  46         } else if (hash[0] != '*' || hash[1] != '\0') {
  47                 /* TODO: does last check is required? */
  48                 errx(EXIT_FAILURE, "Authentication failed");
  49         }
  50
  51         challenge = doas_prompt;
  52
  53         response = readpassphrase(challenge, rbuf, sizeof(rbuf), RPP_REQUIRE_TTY);
  54
  55         if (response == NULL && errno == ENOTTY) {
  56                 syslog(LOG_AUTHPRIV | LOG_NOTICE, "tty required for %s", name);
  57                 errx(EXIT_FAILURE, "a tty is required");
  58         }
  59
  60         if (response == NULL)
  61                 err(EXIT_FAILURE, "readpassphrase");
  62
  63         encrypted = crypt(response, hash);
  64         explicit_bzero(rbuf, sizeof(rbuf));
  65
  66         if (encrypted == NULL)
  67                 errx(EXIT_FAILURE, "Authentication failed");
  68
  69         if (!streq(encrypted, hash)) {
  70                 syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed authentication for %s", name);
  71                 errx(EXIT_FAILURE, "Authentication failed");
  72         }
  73
  74         if (hash != pw->pw_passwd)
  75                 xfree(hash);
  76
  77         xfree(pw);
  78 }