[gdm/fix-fallback-mode: 2/35] pam_gdm: Use the last cryptsetup password instead of the first

From: Ray Strode <halfline src gnome org>
To: commits-list gnome org
Cc:
Subject: [gdm/fix-fallback-mode: 2/35] pam_gdm: Use the last cryptsetup password instead of the first
Date: Mon, 6 Sep 2021 13:01:38 +0000 (UTC)


commit 5e2d1363ed1a20ed2e521636ed4fdab947753c1e
Author: Graham Rogers <graham rogers me uk>
Date:   Sun Apr 18 12:22:14 2021 +0100

    pam_gdm: Use the last cryptsetup password instead of the first

 pam_gdm/pam_gdm.c | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)
---
diff --git a/pam_gdm/pam_gdm.c b/pam_gdm/pam_gdm.c
index 767a6c8c8..ef77f161b 100644
--- a/pam_gdm/pam_gdm.c
+++ b/pam_gdm/pam_gdm.c
@@ -38,21 +38,41 @@ pam_sm_authenticate (pam_handle_t  *pamh,
                      const char   **argv)
 {
 #ifdef HAVE_KEYUTILS
-        int r;
-        void *cached_password = NULL;
+        long r;
+        size_t cached_passwords_length;
+        char *cached_passwords = NULL;
+        char *last_cached_password = NULL;
         key_serial_t serial;
+        size_t i;
 
         serial = find_key_by_type_and_desc ("user", "cryptsetup", 0);
         if (serial == 0)
                 return PAM_AUTHINFO_UNAVAIL;
 
-        r = keyctl_read_alloc (serial, &cached_password);
-        if (r < 0 || r != strlen (cached_password))
+        r = keyctl_read_alloc (serial, &cached_passwords);
+        if (r < 0)
                 return PAM_AUTHINFO_UNAVAIL;
+        
+        cached_passwords_length = r;
+
+        /*
+            Find the last password in the NUL-separated list of passwords.
+            Multiple passwords are returned either when the user enters an
+            incorrect password or there are multiple encrypted drives.
+            In the case of an incorrect password the last one is correct.
+            In the case of multiple drives, choosing the last drive is as
+            arbitrary a choice as any other, but choosing the last password at
+            least supports multiple attempts on the last drive.
+        */
+        last_cached_password = cached_passwords;
+        for (i = 0; i < cached_passwords_length; i++) {
+                last_cached_password = cached_passwords + i;
+                i += strlen (last_cached_password);
+        }
 
-        r = pam_set_item (pamh, PAM_AUTHTOK, cached_password);
+        r = pam_set_item (pamh, PAM_AUTHTOK, last_cached_password);
 
-        free (cached_password);
+        free (cached_passwords);
 
         if (r < 0)
                 return PAM_AUTH_ERR;

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]