From f365ba1d55c186e2aa93ecf2c897af24d872e767 Mon Sep 17 00:00:00 2001 From: Graham Rogers Date: Sun, 18 Apr 2021 12:22:14 +0100 Subject: pam_gdm: Use the last cryptsetup password instead of the first --- pam_gdm/pam_gdm.c | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) (limited to 'pam_gdm') diff --git a/pam_gdm/pam_gdm.c b/pam_gdm/pam_gdm.c index 767a6c8c..ef77f161 100644 --- a/pam_gdm/pam_gdm.c +++ b/pam_gdm/pam_gdm.c @@ -38,21 +38,41 @@ pam_sm_authenticate (pam_handle_t *pamh, const char **argv) { #ifdef HAVE_KEYUTILS - int r; - void *cached_password = NULL; + long r; + size_t cached_passwords_length; + char *cached_passwords = NULL; + char *last_cached_password = NULL; key_serial_t serial; + size_t i; serial = find_key_by_type_and_desc ("user", "cryptsetup", 0); if (serial == 0) return PAM_AUTHINFO_UNAVAIL; - r = keyctl_read_alloc (serial, &cached_password); - if (r < 0 || r != strlen (cached_password)) + r = keyctl_read_alloc (serial, &cached_passwords); + if (r < 0) return PAM_AUTHINFO_UNAVAIL; + + cached_passwords_length = r; + + /* + Find the last password in the NUL-separated list of passwords. + Multiple passwords are returned either when the user enters an + incorrect password or there are multiple encrypted drives. + In the case of an incorrect password the last one is correct. + In the case of multiple drives, choosing the last drive is as + arbitrary a choice as any other, but choosing the last password at + least supports multiple attempts on the last drive. + */ + last_cached_password = cached_passwords; + for (i = 0; i < cached_passwords_length; i++) { + last_cached_password = cached_passwords + i; + i += strlen (last_cached_password); + } - r = pam_set_item (pamh, PAM_AUTHTOK, cached_password); + r = pam_set_item (pamh, PAM_AUTHTOK, last_cached_password); - free (cached_password); + free (cached_passwords); if (r < 0) return PAM_AUTH_ERR; -- cgit v1.2.1