From 9f4b4ef1b5e1458ca67cff235b655060b27e357b Mon Sep 17 00:00:00 2001

From: Graham Rogers <graham@rogers.me.uk>

Date: Sun, 18 Apr 2021 12:22:14 +0100

Subject: [PATCH 2/2] pam_gdm: Use the last cryptsetup password instead of the

 first

---

 pam_gdm/pam_gdm.c | 32 ++++++++++++++++++++++++++------

 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/pam_gdm/pam_gdm.c b/pam_gdm/pam_gdm.c

index 767a6c8c..ef77f161 100644

--- a/pam_gdm/pam_gdm.c

+++ b/pam_gdm/pam_gdm.c

@@ -11,75 +11,95 @@

  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  * GNU General Public License for more details.

  *

  * You should have received a copy of the GNU General Public License

  * along with this program; if not, write to the Free Software

  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

  *

  */

 #include <config.h>

 #include <unistd.h>

 #include <security/_pam_macros.h>

 #include <security/pam_ext.h>

 #include <security/pam_misc.h>

 #include <security/pam_modules.h>

 #include <security/pam_modutil.h>

 #ifdef HAVE_KEYUTILS

 #include <keyutils.h>

 #endif

 int

 pam_sm_authenticate (pam_handle_t  *pamh,

                      int            flags,

                      int            argc,

                      const char   **argv)

 {

 #ifdef HAVE_KEYUTILS

-        int r;

-        void *cached_password = NULL;

+        long r;

+        size_t cached_passwords_length;

+        char *cached_passwords = NULL;

+        char *last_cached_password = NULL;

         key_serial_t serial;

+        size_t i;

         serial = find_key_by_type_and_desc ("user", "cryptsetup", 0);

         if (serial == 0)

                 return PAM_AUTHINFO_UNAVAIL;

-        r = keyctl_read_alloc (serial, &cached_password);

-        if (r < 0 || r != strlen (cached_password))

+        r = keyctl_read_alloc (serial, &cached_passwords);

+        if (r < 0)

                 return PAM_AUTHINFO_UNAVAIL;

+        

+        cached_passwords_length = r;

+

+        /*

+            Find the last password in the NUL-separated list of passwords.

+            Multiple passwords are returned either when the user enters an

+            incorrect password or there are multiple encrypted drives.

+            In the case of an incorrect password the last one is correct.

+            In the case of multiple drives, choosing the last drive is as

+            arbitrary a choice as any other, but choosing the last password at

+            least supports multiple attempts on the last drive.

+        */

+        last_cached_password = cached_passwords;

+        for (i = 0; i < cached_passwords_length; i++) {

+                last_cached_password = cached_passwords + i;

+                i += strlen (last_cached_password);

+        }

-        r = pam_set_item (pamh, PAM_AUTHTOK, cached_password);

+        r = pam_set_item (pamh, PAM_AUTHTOK, last_cached_password);

-        free (cached_password);

+        free (cached_passwords);

         if (r < 0)

                 return PAM_AUTH_ERR;

         else

                 return PAM_SUCCESS;

 #endif

         return PAM_AUTHINFO_UNAVAIL;

 }

 int

 pam_sm_setcred (pam_handle_t *pamh,

                 int           flags,

                 int           argc,

                 const char  **argv)

 {

         return PAM_SUCCESS;

 }

 int

 pam_sm_acct_mgmt (pam_handle_t  *pamh,

                   int            flags,

                   int            argc,

                   const char   **argv)

 {

         return PAM_SUCCESS;

 }

 int

 pam_sm_chauthtok (pam_handle_t  *pamh,

-- 

2.35.1