diff options
| author | Graham Rogers <graham@rogers.me.uk> | 2021-04-18 12:22:14 +0100 |
|---|---|---|
| committer | Graham Rogers <graham@rogers.me.uk> | 2021-04-18 19:11:08 +0100 |
| commit | f365ba1d55c186e2aa93ecf2c897af24d872e767 (patch) | |
| tree | 72b53629b5997bb442d3287a7fa8514083661be2 /pam_gdm | |
| parent | 2c56aec78874ca3bdb1a84ea4d628e3c8be490af (diff) | |
| download | gdm-f365ba1d55c186e2aa93ecf2c897af24d872e767.tar.gz | |
pam_gdm: Use the last cryptsetup password instead of the first
Diffstat (limited to 'pam_gdm')
| -rw-r--r-- | pam_gdm/pam_gdm.c | 32 |
1 files changed, 26 insertions, 6 deletions
diff --git a/pam_gdm/pam_gdm.c b/pam_gdm/pam_gdm.c index 767a6c8c..ef77f161 100644 --- a/pam_gdm/pam_gdm.c +++ b/pam_gdm/pam_gdm.c @@ -38,21 +38,41 @@ pam_sm_authenticate (pam_handle_t *pamh, const char **argv) { #ifdef HAVE_KEYUTILS - int r; - void *cached_password = NULL; + long r; + size_t cached_passwords_length; + char *cached_passwords = NULL; + char *last_cached_password = NULL; key_serial_t serial; + size_t i; serial = find_key_by_type_and_desc ("user", "cryptsetup", 0); if (serial == 0) return PAM_AUTHINFO_UNAVAIL; - r = keyctl_read_alloc (serial, &cached_password); - if (r < 0 || r != strlen (cached_password)) + r = keyctl_read_alloc (serial, &cached_passwords); + if (r < 0) return PAM_AUTHINFO_UNAVAIL; + + cached_passwords_length = r; + + /* + Find the last password in the NUL-separated list of passwords. + Multiple passwords are returned either when the user enters an + incorrect password or there are multiple encrypted drives. + In the case of an incorrect password the last one is correct. + In the case of multiple drives, choosing the last drive is as + arbitrary a choice as any other, but choosing the last password at + least supports multiple attempts on the last drive. + */ + last_cached_password = cached_passwords; + for (i = 0; i < cached_passwords_length; i++) { + last_cached_password = cached_passwords + i; + i += strlen (last_cached_password); + } - r = pam_set_item (pamh, PAM_AUTHTOK, cached_password); + r = pam_set_item (pamh, PAM_AUTHTOK, last_cached_password); - free (cached_password); + free (cached_passwords); if (r < 0) return PAM_AUTH_ERR; |