191094Sdes/*- 2115619Sdes * Copyright (c) 2002-2003 Networks Associates Technology, Inc. 3348980Sdes * Copyright (c) 2004-2017 Dag-Erling Sm��rgrav 491094Sdes * All rights reserved. 591094Sdes * 691094Sdes * This software was developed for the FreeBSD Project by ThinkSec AS and 799158Sdes * Network Associates Laboratories, the Security Research Division of 899158Sdes * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 999158Sdes * ("CBOSS"), as part of the DARPA CHATS research program. 1091094Sdes * 1191094Sdes * Redistribution and use in source and binary forms, with or without 1291094Sdes * modification, are permitted provided that the following conditions 1391094Sdes * are met: 1491094Sdes * 1. Redistributions of source code must retain the above copyright 1591094Sdes * notice, this list of conditions and the following disclaimer. 1691094Sdes * 2. Redistributions in binary form must reproduce the above copyright 1791094Sdes * notice, this list of conditions and the following disclaimer in the 1891094Sdes * documentation and/or other materials provided with the distribution. 1991094Sdes * 3. The name of the author may not be used to endorse or promote 2091094Sdes * products derived from this software without specific prior written 2191094Sdes * permission. 2291094Sdes * 2391094Sdes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 2491094Sdes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 2591094Sdes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 2691094Sdes * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 2791094Sdes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 2891094Sdes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 2991094Sdes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 3091094Sdes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 3191094Sdes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 3291094Sdes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 3391094Sdes * SUCH DAMAGE. 3491094Sdes * 35348980Sdes * $OpenPAM: pam_get_authtok.c 938 2017-04-30 21:34:42Z des $ 3691094Sdes */ 3791094Sdes 38228690Sdes#ifdef HAVE_CONFIG_H 39228690Sdes# include "config.h" 40228690Sdes#endif 41228690Sdes 4291094Sdes#include <sys/param.h> 4391094Sdes 4493982Sdes#include <stdlib.h> 4596364Sdes#include <string.h> 4693982Sdes 4791094Sdes#include <security/pam_appl.h> 4891094Sdes#include <security/openpam.h> 4991094Sdes 5091094Sdes#include "openpam_impl.h" 51271624Sdes#include "openpam_strlset.h" 5291094Sdes 53117610Sdesstatic const char authtok_prompt[] = "Password:"; 54236099Sdesstatic const char authtok_prompt_remote[] = "Password for %u@%h:"; 55117610Sdesstatic const char oldauthtok_prompt[] = "Old Password:"; 56117610Sdesstatic const char newauthtok_prompt[] = "New Password:"; 5793982Sdes 5891094Sdes/* 5991094Sdes * OpenPAM extension 6091094Sdes * 6191094Sdes * Retrieve authentication token 6291094Sdes */ 6391094Sdes 6491094Sdesint 6591094Sdespam_get_authtok(pam_handle_t *pamh, 6693982Sdes int item, 6791094Sdes const char **authtok, 6891094Sdes const char *prompt) 6991094Sdes{ 70228690Sdes char prompt_buf[1024]; 71228690Sdes size_t prompt_size; 72125647Sdes const void *oldauthtok, *prevauthtok, *promptp; 73228690Sdes const char *prompt_option, *default_prompt; 74236099Sdes const void *lhost, *rhost; 7593982Sdes char *resp, *resp2; 7693982Sdes int pitem, r, style, twice; 7791094Sdes 78107937Sdes ENTER(); 7993982Sdes *authtok = NULL; 8093982Sdes twice = 0; 8193982Sdes switch (item) { 8293982Sdes case PAM_AUTHTOK: 8393982Sdes pitem = PAM_AUTHTOK_PROMPT; 84228690Sdes prompt_option = "authtok_prompt"; 8593982Sdes default_prompt = authtok_prompt; 86236099Sdes r = pam_get_item(pamh, PAM_RHOST, &rhost); 87236099Sdes if (r == PAM_SUCCESS && rhost != NULL) { 88236099Sdes r = pam_get_item(pamh, PAM_HOST, &lhost); 89236099Sdes if (r == PAM_SUCCESS && lhost != NULL) { 90236099Sdes if (strcmp(rhost, lhost) != 0) 91236099Sdes default_prompt = authtok_prompt_remote; 92236099Sdes } 93236099Sdes } 9493982Sdes r = pam_get_item(pamh, PAM_OLDAUTHTOK, &oldauthtok); 9593982Sdes if (r == PAM_SUCCESS && oldauthtok != NULL) { 9693982Sdes default_prompt = newauthtok_prompt; 9793982Sdes twice = 1; 9893982Sdes } 9993982Sdes break; 10093982Sdes case PAM_OLDAUTHTOK: 10193982Sdes pitem = PAM_OLDAUTHTOK_PROMPT; 102228690Sdes prompt_option = "oldauthtok_prompt"; 10393982Sdes default_prompt = oldauthtok_prompt; 10493982Sdes twice = 0; 10593982Sdes break; 10693982Sdes default: 107348980Sdes RETURNC(PAM_BAD_CONSTANT); 10893982Sdes } 10991100Sdes if (openpam_get_option(pamh, "try_first_pass") || 11091100Sdes openpam_get_option(pamh, "use_first_pass")) { 111125647Sdes r = pam_get_item(pamh, item, &prevauthtok); 112125647Sdes if (r == PAM_SUCCESS && prevauthtok != NULL) { 113125647Sdes *authtok = prevauthtok; 114107937Sdes RETURNC(PAM_SUCCESS); 115255376Sdes } else if (openpam_get_option(pamh, "use_first_pass")) { 116255376Sdes RETURNC(r == PAM_SUCCESS ? PAM_AUTH_ERR : r); 117125647Sdes } 11891100Sdes } 119228690Sdes /* pam policy overrides the module's choice */ 120228690Sdes if ((promptp = openpam_get_option(pamh, prompt_option)) != NULL) 121228690Sdes prompt = promptp; 122228690Sdes /* no prompt provided, see if there is one tucked away somewhere */ 123315906Sdes if (prompt == NULL) { 124315906Sdes r = pam_get_item(pamh, pitem, &promptp); 125315906Sdes if (r == PAM_SUCCESS && promptp != NULL) 126125647Sdes prompt = promptp; 127315906Sdes } 128228690Sdes /* fall back to hardcoded default */ 129228690Sdes if (prompt == NULL) 130228690Sdes prompt = default_prompt; 131228690Sdes /* expand */ 132228690Sdes prompt_size = sizeof prompt_buf; 133228690Sdes r = openpam_subst(pamh, prompt_buf, &prompt_size, prompt); 134228690Sdes if (r == PAM_SUCCESS && prompt_size <= sizeof prompt_buf) 135228690Sdes prompt = prompt_buf; 13691100Sdes style = openpam_get_option(pamh, "echo_pass") ? 13791100Sdes PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF; 13893982Sdes r = pam_prompt(pamh, style, &resp, "%s", prompt); 13991094Sdes if (r != PAM_SUCCESS) 140107937Sdes RETURNC(r); 14193982Sdes if (twice) { 14293982Sdes r = pam_prompt(pamh, style, &resp2, "Retype %s", prompt); 14393982Sdes if (r != PAM_SUCCESS) { 144271624Sdes strlset(resp, 0, PAM_MAX_RESP_SIZE); 145115619Sdes FREE(resp); 146107937Sdes RETURNC(r); 14793982Sdes } 148271624Sdes if (strcmp(resp, resp2) != 0) { 149271624Sdes strlset(resp, 0, PAM_MAX_RESP_SIZE); 150115619Sdes FREE(resp); 151271624Sdes } 152271624Sdes strlset(resp2, 0, PAM_MAX_RESP_SIZE); 153115619Sdes FREE(resp2); 15493982Sdes } 15593982Sdes if (resp == NULL) 156107937Sdes RETURNC(PAM_TRY_AGAIN); 15794706Sdes r = pam_set_item(pamh, item, resp); 158271624Sdes strlset(resp, 0, PAM_MAX_RESP_SIZE); 159115619Sdes FREE(resp); 16093982Sdes if (r != PAM_SUCCESS) 161107937Sdes RETURNC(r); 162110556Sdes r = pam_get_item(pamh, item, (const void **)authtok); 163110556Sdes RETURNC(r); 16491094Sdes} 16591100Sdes 16691100Sdes/* 16791100Sdes * Error codes: 16891100Sdes * 16991100Sdes * =pam_get_item 17091100Sdes * =pam_prompt 17191100Sdes * =pam_set_item 17291100Sdes * !PAM_SYMBOL_ERR 173348980Sdes * PAM_BAD_CONSTANT 17493982Sdes * PAM_TRY_AGAIN 17591100Sdes */ 17693982Sdes 17793982Sdes/** 178255376Sdes * The =pam_get_authtok function either prompts the user for an 179255376Sdes * authentication token or retrieves a cached authentication token, 180255376Sdes * depending on circumstances. 181141098Sdes * Either way, a pointer to the authentication token is stored in the 182255376Sdes * location pointed to by the =authtok argument, and the corresponding PAM 183255376Sdes * item is updated. 18493982Sdes * 18593982Sdes * The =item argument must have one of the following values: 18693982Sdes * 18795908Sdes * =PAM_AUTHTOK: 18893982Sdes * Returns the current authentication token, or the new token 18993982Sdes * when changing authentication tokens. 19095908Sdes * =PAM_OLDAUTHTOK: 19193982Sdes * Returns the previous authentication token when changing 19293982Sdes * authentication tokens. 19393982Sdes * 19493982Sdes * The =prompt argument specifies a prompt to use if no token is cached. 19593982Sdes * If it is =NULL, the =PAM_AUTHTOK_PROMPT or =PAM_OLDAUTHTOK_PROMPT item, 196141098Sdes * as appropriate, will be used. 197141098Sdes * If that item is also =NULL, a hardcoded default prompt will be used. 198255376Sdes * Additionally, when =pam_get_authtok is called from a service module, 199255376Sdes * the prompt may be affected by module options as described below. 200255376Sdes * The prompt is then expanded using =openpam_subst before it is passed to 201255376Sdes * the conversation function. 20293982Sdes * 20393982Sdes * If =item is set to =PAM_AUTHTOK and there is a non-null =PAM_OLDAUTHTOK 20493982Sdes * item, =pam_get_authtok will ask the user to confirm the new token by 205141098Sdes * retyping it. 206141098Sdes * If there is a mismatch, =pam_get_authtok will return =PAM_TRY_AGAIN. 20793982Sdes * 208255376Sdes * MODULE OPTIONS 209255376Sdes * 210255376Sdes * When called by a service module, =pam_get_authtok will recognize the 211255376Sdes * following module options: 212255376Sdes * 213255376Sdes * ;authtok_prompt: 214255376Sdes * Prompt to use when =item is set to =PAM_AUTHTOK. 215255376Sdes * This option overrides both the =prompt argument and the 216255376Sdes * =PAM_AUTHTOK_PROMPT item. 217255376Sdes * ;echo_pass: 218255376Sdes * If the application's conversation function allows it, this 219255376Sdes * lets the user see what they are typing. 220255376Sdes * This should only be used for non-reusable authentication 221255376Sdes * tokens. 222255376Sdes * ;oldauthtok_prompt: 223255376Sdes * Prompt to use when =item is set to =PAM_OLDAUTHTOK. 224255376Sdes * This option overrides both the =prompt argument and the 225255376Sdes * =PAM_OLDAUTHTOK_PROMPT item. 226255376Sdes * ;try_first_pass: 227255376Sdes * If the requested item is non-null, return it without 228255376Sdes * prompting the user. 229255376Sdes * Typically, the service module will verify the token, and 230255376Sdes * if it does not match, clear the item before calling 231255376Sdes * =pam_get_authtok a second time. 232255376Sdes * ;use_first_pass: 233255376Sdes * Do not prompt the user at all; just return the cached 234255376Sdes * value, or =PAM_AUTH_ERR if there is none. 235255376Sdes * 236255376Sdes * >pam_conv 23793982Sdes * >pam_get_item 23893982Sdes * >pam_get_user 239255376Sdes * >openpam_get_option 240228690Sdes * >openpam_subst 24193982Sdes */ 242