
Side by Side Diff: src/platform/pam_offline/pam_offline.cc

Issue 2051003: Initial patch from Will. (Closed) Base URL: ssh://git@chromiumos-git/chromiumos
Patch Set: Address style nits. Created 10 years, 6 months ago
1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. 1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This is supposed to be defined before the pam includes. 5 // This is supposed to be defined before the pam includes.
6 #define PAM_SM_AUTH 6 #define PAM_SM_AUTH
7 7
8 #include <sys/types.h> 8 #include "pam_offline/pam_prompt_wrapper.h"
9 #include <sys/stat.h> 9 #include "pam_offline/username_password_fetcher.h"
10 #include "pam_offline/utils.h"
11
12 #include <dbus/dbus-glib.h>
10 #include <fcntl.h> 13 #include <fcntl.h>
11 14 #include <glib-object.h>
12 #include <base/command_line.h>
13 #include <base/logging.h>
14 #include <security/_pam_macros.h> 15 #include <security/_pam_macros.h>
16 #include <security/pam_ext.h>
15 #include <security/pam_modules.h> 17 #include <security/pam_modules.h>
16 #include <security/pam_ext.h>
17 #include <stdio.h> 18 #include <stdio.h>
18 #include <stdlib.h> 19 #include <stdlib.h>
20 #include <sys/stat.h>
21 #include <sys/types.h>
19 22
20 #include "pam_offline/credentials.h" 23 #include "base/command_line.h"
21 #include "pam_offline/authenticator.h" 24 #include "base/logging.h"
22 #include "pam_offline/pam_prompt_wrapper.h" 25 #include "cros/chromeos_cros_api.h"
23 #include "pam_offline/username_password_fetcher.h" 26 #include "cros/chromeos_cryptohome.h"
24 27
25 const char kUserName[] = "chronos"; 28 const char kUserName[] = "chronos";
26 29
27 static void setcred_free(pam_handle_t *pamh /*unused*/, 30 static void setcred_free(pam_handle_t *pamh /*unused*/,
28 void *ptr, 31 void *ptr,
29 int err /*unused*/) { 32 int err /*unused*/) {
30 if (ptr) { 33 if (ptr) {
31 int *intptr = reinterpret_cast<int*>(ptr); 34 int *intptr = reinterpret_cast<int*>(ptr);
32 delete intptr; 35 delete intptr;
33 } 36 }
34 } 37 }
35 38
39 static bool pam_offline_libcros_loaded = false;
40 static bool ensure_libcros() {
41 if(!pam_offline_libcros_loaded) {
42 ::g_type_init();
43 std::string load_error;
44 pam_offline_libcros_loaded =
45 chromeos::LoadLibcros(chromeos::kCrosDefaultPath, load_error);
46 }
47 return pam_offline_libcros_loaded;
48 }
49
36 // PAM framework looks for these entry-points to pass control to the 50 // PAM framework looks for these entry-points to pass control to the
37 // authentication module. 51 // authentication module.
38 52
39 // pam_sm_authenticate() will decrypt something using the given creds 53 // pam_sm_authenticate() will decrypt something using the given creds
40 // and return success if the something decrypts successfully, failure 54 // and return success if the something decrypts successfully, failure
41 // otherwise. 55 // otherwise.
42 PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, 56 PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags,
43 int argc, const char **argv) { 57 int argc, const char **argv) {
44 // "flags" can contain PAM_SILENT, which means we shouldn't emit 58 // "flags" can contain PAM_SILENT, which means we shouldn't emit
45 // any messages, and PAM_DISALLOW_NULL_AUTHTOK, which means that 59 // any messages, and PAM_DISALLOW_NULL_AUTHTOK, which means that
46 // unknown users should NOT be silently logged in. 60 // unknown users should NOT be silently logged in.
47 // 61 //
48 // TODO(cmasone): support PAM_SILENT 62 // TODO(cmasone): support PAM_SILENT
49 // TODO(cmasone): Should we behave as though DISALLOW_NULL_AUTHTOK 63 // TODO(cmasone): Should we behave as though DISALLOW_NULL_AUTHTOK
50 // is always set? I think so... 64 // is always set? I think so...
51 65
52 // ret_data points to some space that we use to store our return 66 // ret_data points to some space that we use to store our return
53 // value for later use in pam_sm_setcred 67 // value for later use in pam_sm_setcred
54 int retval = PAM_AUTH_ERR; 68 int retval = PAM_AUTH_ERR;
55 int *ret_data = new int; 69 int *ret_data = new int;
56 70
57 pam_offline::PamPromptWrapper pam; 71 pam_offline::PamPromptWrapper pam;
58 pam_offline::UsernamePasswordFetcher fetcher(&pam); 72 pam_offline::UsernamePasswordFetcher fetcher(&pam);
59 pam_offline::Credentials *credentials = fetcher.FetchCredentials(pamh); 73 pam_offline::Credentials *credentials = fetcher.FetchCredentials(pamh);
60 74
61 // If fetcher.FetchCredentials times out you get NULL credentials 75 // If fetcher.FetchCredentials times out you get NULL credentials
62 if (credentials) { 76 if (credentials) {
63 pam_offline::Authenticator auth;
64 77
65 if (auth.Init()) { 78 if (ensure_libcros()) {
66 if (auth.TestAllMasterKeys(*credentials)) { 79 char username[pam_offline::kMaxUsernameLength];
67 retval = PAM_SUCCESS; 80 memset(username, 0, sizeof(username));
68 pam_set_item(pamh, PAM_USER, 81 credentials->GetFullUsername(username, sizeof(username));
69 reinterpret_cast<const void*>(kUserName)); 82 pam_offline::Blob salt = chromeos::CryptohomeGetSystemSalt();
83 if(salt.size() != 0) {
84 if(chromeos::CryptohomeCheckKey(username,
85 credentials->GetPasswordWeakHash(salt).c _str())) {
86 retval = PAM_SUCCESS;
87 pam_set_item(pamh, PAM_USER,
88 reinterpret_cast<const void*>(kUserName));
89 } else {
90 LOG(INFO) << "Invalid credentials.";
91 }
70 } else { 92 } else {
71 LOG(INFO) << "Invalid credentials."; 93 LOG(INFO) << "Unable to get system salt.";
72 } 94 }
73 } else { 95 } else {
74 LOG(ERROR) << "Authenticator failed to Init()."; 96 LOG(ERROR) << "libcros load failed.";
75 } 97 }
76 98
77 delete credentials; 99 delete credentials;
78 } else { 100 } else {
79 LOG(INFO) << "FetchCredentials returned NULL."; 101 LOG(INFO) << "FetchCredentials returned NULL.";
80 } 102 }
81 103
82 *ret_data = retval; 104 *ret_data = retval;
83 pam_set_data(pamh, "unix_setcred_return", 105 pam_set_data(pamh, "unix_setcred_return",
84 reinterpret_cast<void *>(ret_data), setcred_free); 106 reinterpret_cast<void *>(ret_data), setcred_free);
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after
117 struct pam_module _pam_offline_modstruct = { 139 struct pam_module _pam_offline_modstruct = {
118 "pam_offline", 140 "pam_offline",
119 pam_sm_authenticate, 141 pam_sm_authenticate,
120 pam_sm_setcred, 142 pam_sm_setcred,
121 NULL, 143 NULL,
122 NULL, 144 NULL,
123 NULL, 145 NULL,
124 NULL, 146 NULL,
125 }; 147 };
126 #endif 148 #endif
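Review bot: In pam_sm_authenticate (new lines 78–97) a failed libcros load and an empty system salt both leave retval at PAM_AUTH_ERR, so the rest of the PAM stack cannot tell an infrastructure failure apart from a wrong password; setting `retval = PAM_AUTHINFO_UNAVAIL;` (or PAM_SYSTEM_ERR) on those two branches would report and log them as what they are instead of as a bad credential. The new code calls memset on line 80 while the rewritten include list has no <string.h>/<cstring>, and ensure_libcros uses std::string without <string>; both presumably arrive transitively, but including what is used would make the file self-contained. ensure_libcros caches its result in a plain static bool with no synchronization, which is only safe if calls into this module are serialized; the patch does not say so, and a comment such as `// Not thread-safe: assumes PAM calls into this module are serialized.` would record the assumption. GetPasswordWeakHash(salt) on line 85 returns a temporary holding derived secret material that is neither scrubbed nor otherwise handled here; whether that matters depends on Credentials, which is outside this diff, so a note at the call site would help. The remainder of pam_sm_authenticate lies in the 32 lines the page skips.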
