Blame ecryptfs-utils-87-pamdata.patch

8b5695
diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c
8b5695
--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata	2011-08-03 15:40:01.743949759 +0200
8b5695
+++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c	2011-08-03 15:52:05.676388743 +0200
7a13e7
@@ -45,6 +45,25 @@
8b5695
 
8b5695
 #define PRIVATE_DIR "Private"
8b5695
 
8b5695
+#define ECRYPTFS_PAM_DATA "ecryptfs:passphrase"
8b5695
+
8b5695
+struct ecryptfs_pam_data {
8b5695
+	int unwrap;
8b5695
+	uid_t uid;
8b5695
+	char *passphrase;
8b5695
+	const char *homedir;
8b5695
+	const char *username;
8b5695
+	char salt[ECRYPTFS_SALT_SIZE];  
8b5695
+};
8b5695
+
8b5695
+static void pam_free_ecryptfsdata(pam_handle_t *pamh, void *data, int error_status)
8b5695
+{
7a13e7
+	if (data) {
7a13e7
+		free(((struct ecryptfs_pam_data *)data)->passphrase);
7a13e7
+		free(data);
7a13e7
+	}
8b5695
+}
8b5695
+
8b5695
 /* returns: 0 if file does not exist, 1 if it exists, <0 for error */
8b5695
 static int file_exists_dotecryptfs(const char *homedir, char *filename)
8b5695
 {
7a13e7
@@ -64,7 +83,7 @@ out:
8b5695
 	return rc;
8b5695
 }
8b5695
 
8b5695
-static int wrap_passphrase_if_necessary(const char *username, uid_t uid, char *wrapped_pw_filename, char *passphrase, char *salt)
8b5695
+static int wrap_passphrase_if_necessary(const char *username, uid_t uid, const char *wrapped_pw_filename, const char *passphrase, const char *salt)
8b5695
 {
8b5695
 	char *unwrapped_pw_filename = NULL;
8b5695
 	struct stat s;
7a13e7
@@ -96,42 +115,43 @@ static int wrap_passphrase_if_necessary(
8b5695
 PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
8b5695
 				   const char **argv)
8b5695
 {
8b5695
-	uid_t uid = 0;
8b5695
-	char *homedir = NULL;
8b5695
 	uid_t saved_uid = 0;
8b5695
-	const char *username;
8b5695
-	char *passphrase = NULL;
8b5695
-	char salt[ECRYPTFS_SALT_SIZE];
8b5695
 	char salt_hex[ECRYPTFS_SALT_SIZE_HEX];
8b5695
-	char *auth_tok_sig;
8b5695
 	char *private_mnt = NULL;
8b5695
-	pid_t child_pid, tmp_pid;
8b5695
-	long rc;
8b5695
+	long rc = 0;
8b5695
 	uint32_t version;
8b5695
+	struct ecryptfs_pam_data *epd = {0,};
8b5695
 
8b5695
 	syslog(LOG_INFO, "%s: Called\n", __FUNCTION__);
8b5695
-	rc = pam_get_user(pamh, &username, NULL);
8b5695
+
8b5695
+	if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) {
8b5695
+		syslog(LOG_ERR,"Memory allocation failed");
8b5695
+		rc = -ENOMEM;
8b5695
+		goto out;
8b5695
+	}
8b5695
+
8b5695
+	rc = pam_get_user(pamh, &epd->username, NULL);
8b5695
 	if (rc == PAM_SUCCESS) {
8b5695
 		struct passwd *pwd;
8b5695
 
8b5695
 		syslog(LOG_INFO, "%s: username = [%s]\n", __FUNCTION__,
8b5695
-		       username);
8b5695
-		pwd = getpwnam(username);
8b5695
+		       epd->username);
8b5695
+		pwd = getpwnam(epd->username);
8b5695
 		if (pwd) {
8b5695
-			uid = pwd->pw_uid;
8b5695
-			homedir = pwd->pw_dir;
8b5695
+			epd->uid = pwd->pw_uid;
8b5695
+			epd->homedir = pwd->pw_dir;
8b5695
 		}
8b5695
 	} else {
8b5695
 		syslog(LOG_ERR, "Error getting passwd info for user [%s]; "
8b5695
-		       "rc = [%ld]\n", username, rc);
8b5695
+		       "rc = [%ld]\n", epd->username, rc);
8b5695
 		goto out;
8b5695
 	}
8b5695
-	if (!file_exists_dotecryptfs(homedir, "auto-mount"))
8b5695
+	if (!file_exists_dotecryptfs(epd->homedir, "auto-mount"))
8b5695
 		goto out;
8b5695
-	private_mnt = ecryptfs_fetch_private_mnt(homedir);
8b5695
+	private_mnt = ecryptfs_fetch_private_mnt(epd->homedir);
8b5695
 	if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) {
8b5695
 		syslog(LOG_INFO, "%s: %s is already mounted\n", __FUNCTION__,
8b5695
-			homedir);
8b5695
+			epd->homedir);
8b5695
 		/* If private/home is already mounted, then we can skip
8b5695
 		   costly loading of keys */
8b5695
 		goto out;
7a13e7
@@ -141,82 +161,32 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
8b5695
 	if (ecryptfs_get_version(&version) != 0)
8b5695
 		syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n");
8b5695
 	saved_uid = geteuid();
8b5695
-	seteuid(uid);
8b5695
-	if(file_exists_dotecryptfs(homedir, "wrapping-independent") == 1)
8b5695
-		rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &passphrase, "Encryption passphrase: ");
8b5695
+	seteuid(epd->uid);
8b5695
+	if(file_exists_dotecryptfs(epd->homedir, "wrapping-independent") == 1)
8b5695
+		rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &epd->passphrase, "Encryption passphrase: ");
8b5695
 	else
8b5695
-		rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase);
8b5695
+		rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase);
7a13e7
+	epd->passphrase = strdup(epd->passphrase);
8b5695
 	seteuid(saved_uid);
8b5695
 	if (rc != PAM_SUCCESS) {
8b5695
 		syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n",
8b5695
 		       rc);
8b5695
 		goto out;
8b5695
 	}
8b5695
-	auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1);
8b5695
-	if (!auth_tok_sig) {
8b5695
-		rc = -ENOMEM;
8b5695
-		syslog(LOG_ERR, "Out of memory\n");
8b5695
-		goto out;
8b5695
-	}
8b5695
+
8b5695
 	rc = ecryptfs_read_salt_hex_from_rc(salt_hex);
8b5695
 	if (rc) {
8b5695
-		from_hex(salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE);
8b5695
+		from_hex(epd->salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE);
8b5695
 	} else
8b5695
-		from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE);
8b5695
-	if ((child_pid = fork()) == 0) {
8b5695
-		setuid(uid);
8b5695
-		if (passphrase == NULL) {
8b5695
-			syslog(LOG_ERR, "NULL passphrase; aborting\n");
8b5695
-			rc = -EINVAL;
8b5695
-			goto out_child;
8b5695
-		}
8b5695
-		if ((rc = ecryptfs_validate_keyring())) {
8b5695
-			syslog(LOG_WARNING,
8b5695
-			       "Cannot validate keyring integrity\n");
8b5695
-		}
8b5695
-		rc = 0;
8b5695
-		if ((argc == 1)
8b5695
-		    && (memcmp(argv[0], "unwrap\0", 7) == 0)) {
8b5695
-			char *wrapped_pw_filename;
8b5695
+		from_hex(epd->salt, salt_hex, ECRYPTFS_SALT_SIZE);
8b5695
 
8b5695
-			rc = asprintf(
8b5695
-				&wrapped_pw_filename, "%s/.ecryptfs/%s",
8b5695
-				homedir,
8b5695
-				ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME);
8b5695
-			if (rc == -1) {
8b5695
-				syslog(LOG_ERR, "Unable to allocate memory\n");
8b5695
-				rc = -ENOMEM;
8b5695
-				goto out_child;
8b5695
-			}
8b5695
-			if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, passphrase, salt) == 0) {
8b5695
-				syslog(LOG_INFO, "Passphrase file wrapped");
8b5695
-			} else {
8b5695
-				goto out_child;
8b5695
-			}
8b5695
-			rc = ecryptfs_insert_wrapped_passphrase_into_keyring(
8b5695
-				auth_tok_sig, wrapped_pw_filename, passphrase,
8b5695
-				salt);
8b5695
-			free(wrapped_pw_filename);
8b5695
-		} else {
8b5695
-			rc = ecryptfs_add_passphrase_key_to_keyring(
8b5695
-				auth_tok_sig, passphrase, salt);
8b5695
-		}
8b5695
-		if (rc == 1) {
8b5695
-			goto out_child;
8b5695
-		}
8b5695
-		if (rc) {
8b5695
-			syslog(LOG_ERR, "Error adding passphrase key token to "
8b5695
-			       "user session keyring; rc = [%ld]\n", rc);
8b5695
-			goto out_child;
8b5695
-		}
8b5695
-out_child:
8b5695
-		free(auth_tok_sig);
8b5695
-		_exit(0);
8b5695
+	epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0));
7a13e7
+	if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) {
8b5695
+	  
7a13e7
+		syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc));
8b5695
+		goto out;
8b5695
 	}
8b5695
-	tmp_pid = waitpid(child_pid, NULL, 0);
8b5695
-	if (tmp_pid == -1)
8b5695
-		syslog(LOG_WARNING,
8b5695
-		       "waitpid() returned with error condition\n");
8b5695
+
8b5695
 out:
8b5695
 	if (private_mnt != NULL)
8b5695
 		free(private_mnt);
7a13e7
@@ -361,10 +331,88 @@ static int umount_private_dir(pam_handle
8b5695
 	return private_dir(pamh, 0);
8b5695
 }
8b5695
 
8b5695
+static int fill_keyring(pam_handle_t *pamh)
8b5695
+{
8b5695
+	pid_t child_pid,tmp_pid;
8b5695
+	int rc = 0;
8b5695
+	const struct ecryptfs_pam_data *epd;
8b5695
+	char *auth_tok_sig;
8b5695
+	auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1);
8b5695
+	if (!auth_tok_sig) {
8b5695
+		syslog(LOG_ERR, "Out of memory\n");
8b5695
+		return -ENOMEM;
8b5695
+	}
8b5695
+  
7a13e7
+	if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS)
8b5695
+	{
7a13e7
+		syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc));
8b5695
+		return -EINVAL;
8b5695
+	}
8b5695
+  
8b5695
+ 	if ((child_pid = fork()) == 0) {
8b5695
+		setuid(epd->uid);
8b5695
+		if (epd->passphrase == NULL) {
8b5695
+			syslog(LOG_ERR, "NULL passphrase; aborting\n");
8b5695
+			rc = -EINVAL;
8b5695
+			goto out_child;
8b5695
+		}
8b5695
+		if ((rc = ecryptfs_validate_keyring())) {
8b5695
+			syslog(LOG_WARNING,
8b5695
+			       "Cannot validate keyring integrity\n");
8b5695
+		}
8b5695
+		rc = 0;
8b5695
+		if (epd->unwrap) {
8b5695
+			char *wrapped_pw_filename;
8b5695
+
8b5695
+			rc = asprintf(
8b5695
+				&wrapped_pw_filename, "%s/.ecryptfs/%s",
8b5695
+				epd->homedir,
8b5695
+				ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME);
8b5695
+			if (rc == -1) {
8b5695
+				syslog(LOG_ERR, "Unable to allocate memory\n");
8b5695
+				rc = -ENOMEM;
8b5695
+				goto out_child;
8b5695
+			}
8b5695
+			if (wrap_passphrase_if_necessary(epd->username, epd->uid, wrapped_pw_filename, epd->passphrase, epd->salt) == 0) {
8b5695
+				syslog(LOG_INFO, "Passphrase file wrapped");
8b5695
+			} else {
8b5695
+				goto out_child;
8b5695
+			}
8b5695
+			rc = ecryptfs_insert_wrapped_passphrase_into_keyring(
8b5695
+				auth_tok_sig, wrapped_pw_filename, epd->passphrase,
8b5695
+				epd->salt);
8b5695
+			free(wrapped_pw_filename);
8b5695
+		} else {
8b5695
+			rc = ecryptfs_add_passphrase_key_to_keyring(
8b5695
+				auth_tok_sig, epd->passphrase, epd->salt);
8b5695
+		}
8b5695
+		if (rc == 1) {
8b5695
+			goto out_child;
8b5695
+		}
8b5695
+		if (rc) {
8b5695
+			syslog(LOG_ERR, "Error adding passphrase key token to "
8b5695
+			       "user session keyring; rc = [%d]\n", rc);
8b5695
+			goto out_child;
8b5695
+		}
8b5695
+out_child:
8b5695
+		free(auth_tok_sig);
8b5695
+		_exit(0);
8b5695
+	}
8b5695
+	tmp_pid = waitpid(child_pid, NULL, 0);
8b5695
+	if (tmp_pid == -1)
8b5695
+		syslog(LOG_WARNING,
8b5695
+		       "waitpid() returned with error condition\n"); 
8b5695
+  
8b5695
+  
8b5695
+  return 0;
8b5695
+}
8b5695
+
8b5695
+
8b5695
 PAM_EXTERN int
8b5695
 pam_sm_open_session(pam_handle_t *pamh, int flags,
8b5695
 		    int argc, const char *argv[])
8b5695
 {
8b5695
+	fill_keyring(pamh);
8b5695
 	mount_private_dir(pamh);
8b5695
 	return PAM_SUCCESS;
8b5695
 }