@@ -76,6 +76,27 @@ AC_CHECK_LIB([devmapper], [dm_task_create],
[AC_MSG_FAILURE([The libdevmapper development library is required by petitboot. Try installing the package libdevmapper-dev or device-mapper-devel.])]
)
+AC_ARG_ENABLE(
+ [crypt],
+ [AS_HELP_STRING(
+ [--enable-crypt],
+ [Include crypt support to enable password use [default=no]]
+ )],
+ [],
+ [enable_crypt=no]
+)
+AM_CONDITIONAL([ENABLE_CRYPT], [test "x$enable_crypt" = "xyes"])
+AS_IF([test "x$enable_crypt" = "xyes"],
+ [AC_DEFINE(CRYPT_SUPPORT, 1, [Enable crypt/password support])],
+ []
+)
+AS_IF([test "x$enable_crypt" = "xyes"],
+ AC_CHECK_LIB([crypt], [crypt],
+ [CRYPT_LIBS=-lcrypt],
+ [AC_MSG_FAILURE([shadow/crypt libs required])]
+ )
+)
+
AC_ARG_WITH([fdt],
AS_HELP_STRING([--without-fdt],
[Build without libfdt (default: no)]))
@@ -455,6 +476,7 @@ AS_IF(
AC_SUBST([UDEV_LIBS])
AC_SUBST([DEVMAPPER_LIBS])
+AC_SUBST([CRYPT_LIBS])
AC_SUBST([FDT_LIBS])
AC_SUBST([LIBFLASH_LIBS])
AC_SUBST([LIBTOOL_DEPS])
@@ -35,6 +35,7 @@ lib_libpbcore_la_CFLAGS = \
lib_libpbcore_la_SOURCES = \
lib/ccan/endian/endian.h \
+ lib/crypt/crypt.h \
lib/file/file.h \
lib/file/file.c \
lib/fold/fold.h \
@@ -93,3 +94,11 @@ lib_libpbcore_la_SOURCES += \
lib/security/none.c
endif
endif
+
+if ENABLE_CRYPT
+lib_libpbcore_la_SOURCES += \
+ lib/crypt/crypt.c
+
+lib_libpbcore_la_LDFLAGS += \
+ $(CRYPT_LIBS)
+endif
new file mode 100644
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2018 IBM Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ */
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <shadow.h>
+#include <crypt.h>
+#include <errno.h>
+
+#include <talloc/talloc.h>
+#include <log/log.h>
+
+#include "crypt.h"
+
+int crypt_set_password_hash(void *ctx, const char *hash)
+{
+ struct spwd *shadow;
+ FILE *fp;
+ int rc;
+
+ shadow = getspnam("root");
+ if (!shadow) {
+ pb_log("Could not find root shadow\n");
+ return -1;
+ }
+
+ shadow->sp_pwdp = talloc_strdup(ctx, hash);
+ if (!shadow->sp_pwdp) {
+ pb_log("Could not assign password\n");
+ return -1;
+ }
+
+ lckpwdf();
+
+ fp = fopen("/etc/shadow", "w+");
+ if (!fp) {
+ pb_log("Could not open shadow file\n");
+ rc = -1;
+ goto out;
+ }
+
+ rc = putspent(shadow, fp);
+ if (rc)
+ pb_log("Failed to set password hash\n");
+
+ talloc_free(shadow->sp_pwdp);
+out:
+ fclose(fp);
+ ulckpwdf();
+ return rc;
+}
+
+static const char *crypt_hash_password(const char *password)
+{
+ struct spwd *shadow;
+ char *hash;
+
+ shadow = getspnam("root");
+ if (!shadow) {
+ pb_log("Could not find root shadow\n");
+ return NULL;
+ }
+
+ hash = crypt(password ?: "", shadow->sp_pwdp);
+ if (!hash)
+ pb_log("Could not create hash, %m\n");
+
+
+ return hash;
+}
+
+
+int crypt_set_password(void *ctx, const char *password)
+{
+ const char *hash;
+
+ hash = crypt_hash_password(password);
+ if (!hash)
+ return -1;
+
+ return crypt_set_password_hash(ctx, hash);
+}
+
+char *crypt_get_hash(void *ctx)
+{
+ struct spwd *shadow;
+
+ shadow = getspnam("root");
+ if (!shadow) {
+ pb_log("Could not find root shadow\n");
+ return false;
+ }
+
+ return talloc_strdup(ctx, shadow->sp_pwdp);
+}
+
+bool crypt_check_password(const char *password)
+{
+ struct spwd *shadow;
+ char *hash;
+
+ shadow = getspnam("root");
+ if (!shadow) {
+ pb_log("Could not find root shadow\n");
+ return false;
+ }
+
+ hash = crypt(password ? : "", shadow->sp_pwdp);
+ if (!hash) {
+ pb_log("Could not create hash, %m\n");
+ return false;
+ }
+
+ return strncmp(shadow->sp_pwdp, hash, strlen(shadow->sp_pwdp)) == 0;
+}
new file mode 100644
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2018 IBM Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ */
+#ifndef CRYPT_H
+#define CRYPT_H
+
+#include "config.h"
+
+#ifdef CRYPT_SUPPORT
+
+char *crypt_get_hash(void *ctx);
+bool crypt_check_password(const char *password);
+int crypt_set_password(void *ctx, const char *password);
+int crypt_set_password_hash(void *ctx, const char *hash);
+
+#else
+
+static inline char *crypt_get_hash(void *ctx __attribute__((unused)))
+{
+ return NULL;
+}
+static inline bool crypt_check_password(
+ const char *password __attribute__((unused)))
+{
+ return false;
+}
+static inline int crypt_set_password(void *ctx __attribute__((unused)),
+ const char *password __attribute__((unused)))
+{
+ return -1;
+}
+static inline int crypt_set_password_hash(void *ctx __attribute__((unused)),
+ const char *hash __attribute__((unused)))
+{
+ return -1;
+}
+
+#endif
+#endif /* CRYPT_H */
Provides helper functions for reading, writing, and checking against /etc/shadow. The main use case if for authenticating clients against the "system" password, which is set as the root password. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com> --- configure.ac | 22 ++++++++ lib/Makefile.am | 9 ++++ lib/crypt/crypt.c | 126 ++++++++++++++++++++++++++++++++++++++++++++++ lib/crypt/crypt.h | 49 ++++++++++++++++++ 4 files changed, 206 insertions(+) create mode 100644 lib/crypt/crypt.c create mode 100644 lib/crypt/crypt.h