X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/80e2389990082500d76eb566d4946be3e786c3ef..d8f41ccd20de16f8ebe2ccc84d47bf1cb2b26bbb:/Security/libsecurity_checkpw/lib/checkpw.c diff --git a/Security/libsecurity_checkpw/lib/checkpw.c b/Security/libsecurity_checkpw/lib/checkpw.c new file mode 100644 index 00000000..a7a8ec4e --- /dev/null +++ b/Security/libsecurity_checkpw/lib/checkpw.c @@ -0,0 +1,111 @@ +/* + * Copyright (c) 2000-2012 Apple Inc. All Rights Reserved. + * + * The contents of this file constitute Original Code as defined in and are + * subject to the Apple Public Source License Version 1.2 (the 'License'). + * You may not use this file except in compliance with the License. Please obtain + * a copy of the License at http://www.apple.com/publicsource and read it before + * using this file. + * + * This Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS + * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT + * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the + * specific language governing rights and limitations under the License. + */ + +#include +#include + +#include "checkpw.h" +#include +#include + +#define PAM_STACK_NAME "checkpw" + +static +int checkpw_internal_pam( const char* uname, const char* password ) +{ + int checkpwret = CHECKPW_FAILURE; + + int pamret = PAM_SUCCESS; + pam_handle_t *pamh; + struct pam_conv pamc; + pamc.conv = &openpam_nullconv; + + pamret = pam_start(PAM_STACK_NAME, uname, &pamc, &pamh); + if (PAM_SUCCESS != pamret) + { + syslog(LOG_WARNING,"PAM: Unable to start pam."); + goto pamerr_no_end; + } + + pamret = pam_set_item(pamh, PAM_AUTHTOK, password); + if (PAM_SUCCESS != pamret) + { + syslog(LOG_WARNING,"PAM: Unable to set password."); + goto pamerr; + } + + pamret = pam_authenticate(pamh, 0); + if (PAM_SUCCESS != pamret) + { + syslog(LOG_WARNING,"PAM: Unable to authenticate."); + checkpwret = CHECKPW_BADPASSWORD; + goto pamerr; + } + + pamret = pam_acct_mgmt(pamh, 0); + if (PAM_SUCCESS != pamret) + { + if (PAM_NEW_AUTHTOK_REQD == pamret) + { + syslog(LOG_WARNING,"PAM: Unable to authorize, password needs to be changed."); + } else { + syslog(LOG_WARNING,"PAM: Unable to authorize."); + } + + goto pamerr; + } + + checkpwret = CHECKPW_SUCCESS; + +pamerr: + pam_end(pamh, pamret); +pamerr_no_end: + return checkpwret; + +} + +#warning TODO: this should be declared in some header. +int checkpw_internal( const struct passwd* pw, const char* password ); +int checkpw_internal( const struct passwd* pw, const char* password ) +{ + return checkpw(pw->pw_name, password); +} + +int checkpw( const char* userName, const char* password ) +{ + int siResult = CHECKPW_FAILURE; + // workaround for 3965234; I assume the empty string is OK... + const char *thePassword = password ? password : ""; + + if (userName == NULL) + return CHECKPW_UNKNOWNUSER; + + siResult = checkpw_internal_pam(userName, thePassword); + switch (siResult) { + case CHECKPW_SUCCESS: + case CHECKPW_UNKNOWNUSER: + case CHECKPW_BADPASSWORD: + break; + default: + usleep(500000); + siResult = checkpw_internal_pam(userName, thePassword); + break; + } + + return siResult; +} +