Add PAM package

cmd/fscrypt/errors.go

@@ -46,7 +46,6 @@ var (
 	ErrCanceled           = errors.New("operation canceled")
 	ErrNoDesctructiveOps  = errors.New("operation would be destructive")
 	ErrMaxPassphrase      = util.SystemError("max passphrase length exceeded")
-	ErrPAMPassphrase      = errors.New("incorrect login passphrase")
 	ErrInvalidSource      = errors.New("invalid source type")
 	ErrPassphraseMismatch = errors.New("entered passphrases do not match")
 	ErrSpecifyProtector   = errors.New("multiple protectors available")
@@ -59,6 +58,7 @@ var (
 	ErrBadOwners          = errors.New("you do not own this directory")
 	ErrNotEmptyDir        = errors.New("not an empty directory")
 	ErrNotPassphrase      = errors.New("protector does not use a passphrase")
+	ErrUnknownUser        = errors.New("unknown user")
 )
 
 var loadHelpText = fmt.Sprintf("You may need to mount a linked filesystem. Run with %s for more information.", shortDisplay(verboseFlag))

cmd/fscrypt/keys.go

@@ -125,7 +125,7 @@ func makeKeyFunc(supportRetry, shouldConfirm bool, prefix string) actions.KeyFun
 		switch info.Source() {
 		case metadata.SourceType_pam_passphrase:
 			prompt := fmt.Sprintf("Enter %slogin passphrase for %s: ",
-				prefix, getUsername(info.UID()))
+				prefix, formatUsername(info.UID()))
 			key, err := getPassphraseKey(prompt)
 			if err != nil {
 				return nil, err
@@ -134,15 +134,16 @@ func makeKeyFunc(supportRetry, shouldConfirm bool, prefix string) actions.KeyFun
 			// To confirm, check that the passphrase is the user's
 			// login passphrase.
 			if shouldConfirm {
-				username := getUsername(info.UID())
-				ok, err := pam.IsUserLoginToken(username, key)
+				username, err := usernameFromID(info.UID())
 				if err != nil {
 					key.Wipe()
 					return nil, err
 				}
-				if !ok {
+
+				err = pam.IsUserLoginToken(username, key, quietFlag.Value)
+				if err != nil {
 					key.Wipe()
-					return nil, ErrPAMPassphrase
+					return nil, err
 				}
 			}
 			return key, nil

cmd/fscrypt/prompt.go

@@ -27,6 +27,8 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/pkg/errors"
+
 	"github.com/google/fscrypt/actions"
 	"github.com/google/fscrypt/metadata"
 	"github.com/google/fscrypt/util"
@@ -106,21 +108,31 @@ func askConfirmation(question string, defaultChoice bool, warning string) error
 	return nil
 }
 
-// getUsername returns the username for the provided UID. If the UID does not
-// correspond to a user or the username is blank, "UID=<uid>" is returned.
-func getUsername(uid int64) string {
+// usernameFromID returns the username for the provided UID. If the UID does not
+// correspond to a user or the username is blank, an error is returned.
+func usernameFromID(uid int64) (string, error) {
 	u, err := user.LookupId(strconv.Itoa(int(uid)))
 	if err != nil || u.Username == "" {
-		return fmt.Sprintf("UID=%d", uid)
+		return "", errors.Wrapf(ErrUnknownUser, "uid %d", uid)
+	}
+	return u.Username, nil
+}
+
+// formatUsername either returns the username for the provided UID, or a string
+// containing the error for unknown UIDs.
+func formatUsername(uid int64) string {
+	username, err := usernameFromID(uid)
+	if err != nil {
+		return fmt.Sprintf("[%v]", err)
 	}
-	return u.Username
+	return username
 }
 
 // formatInfo gives a string description of metadata.ProtectorData.
 func formatInfo(data actions.ProtectorInfo) string {
 	switch data.Source() {
 	case metadata.SourceType_pam_passphrase:
-		return "login protector for " + getUsername(data.UID())
+		return "login protector for " + formatUsername(data.UID())
 	case metadata.SourceType_custom_passphrase:
 		return fmt.Sprintf("custom protector %q", data.Name())
 	case metadata.SourceType_raw_key:

crypto/key.go

@@ -20,6 +20,12 @@
 
 package crypto
 
+/*
+#include <stdlib.h>
+#include <string.h>
+*/
+import "C"
+
 import (
 	"bytes"
 	"crypto/subtle"
@@ -148,13 +154,6 @@ func (key *Key) Len() int {
 	return len(key.data)
 }
 
-// UnsafeData exposes the underlying protected slice. This is unsafe because the
-// data can be paged to disk if the buffer is copied, or the slice may be
-// wiped while being used.
-func (key *Key) UnsafeData() []byte {
-	return key.data
-}
-
 // Equals compares the contents of two keys, returning true if they have the same
 // key data. This function runs in constant time.
 func (key *Key) Equals(key2 *Key) bool {
@@ -178,6 +177,30 @@ func (key *Key) resize(requestedSize int) (*Key, error) {
 	return resizedKey, nil
 }
 
+// UnsafeToCString makes a copy of the string's data into a null-terminated C
+// string allocated by C. Note that this method is unsafe as this C copy has no
+// locking or wiping functionality. The key shouldn't contain any `\0` bytes.
+func (key *Key) UnsafeToCString() unsafe.Pointer {
+	// Memory for the key must be moved into a C string allocated by C.
+	size := C.size_t(key.Len())
+	data := C.calloc(size+1, 1)
+	C.memcpy(data, util.Ptr(key.data), size)
+	return data
+}
+
+// NewKeyFromCString creates of a copy of some C string's data in a key. Note
+// that the original C string is not modified at all, so steps must be taken to
+// ensure that this original copy is secured.
+func NewKeyFromCString(str unsafe.Pointer) (*Key, error) {
+	size := C.strlen((*C.char)(str))
+	key, err := newBlankKey(int(size))
+	if err != nil {
+		return nil, err
+	}
+	C.memcpy(util.Ptr(key.data), str, size)
+	return key, nil
+}
+
 // NewKeyFromReader constructs a key of abritary length by reading from reader
 // until hitting EOF.
 func NewKeyFromReader(reader io.Reader) (*Key, error) {

pam/constants.go

@@ -0,0 +1,110 @@
+/*
+ * constants.go - PAM flags and item types from github.com/msteinert/pam
+ *
+ * Modifications Copyright 2017 Google Inc.
+ * Modifications Author: Joe Richey (joerichey@google.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+/*
+ * Copyright 2011, krockot
+ * Copyright 2015, Michael Steinert <mike.steinert@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice, this
+ *   list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package pam
+
+/*
+#cgo LDFLAGS: -lpam
+
+#include <security/pam_modules.h>
+*/
+import "C"
+
+// Item is a an PAM information type.
+type Item int
+
+// PAM Item types.
+const (
+	// Service is the name which identifies the PAM stack.
+	Service Item = C.PAM_SERVICE
+	// User identifies the username identity used by a service.
+	User = C.PAM_USER
+	// Tty is the terminal name.
+	Tty = C.PAM_TTY
+	// Rhost is the requesting host name.
+	Rhost = C.PAM_RHOST
+	// Authtok is the currently active authentication token.
+	Authtok = C.PAM_AUTHTOK
+	// Oldauthtok is the old authentication token.
+	Oldauthtok = C.PAM_OLDAUTHTOK
+	// Ruser is the requesting user name.
+	Ruser = C.PAM_RUSER
+	// UserPrompt is the string use to prompt for a username.
+	UserPrompt = C.PAM_USER_PROMPT
+)
+
+// Flag is used as input to various PAM functions. Flags can be combined with a
+// bitwise or. Refer to the official PAM documentation for which flags are
+// accepted by which functions.
+type Flag int
+
+// PAM Flag types.
+const (
+	// Silent indicates that no messages should be emitted.
+	Silent Flag = C.PAM_SILENT
+	// DisallowNullAuthtok indicates that authorization should fail
+	// if the user does not have a registered authentication token.
+	DisallowNullAuthtok = C.PAM_DISALLOW_NULL_AUTHTOK
+	// EstablishCred indicates that credentials should be established
+	// for the user.
+	EstablishCred = C.PAM_ESTABLISH_CRED
+	// DeleteCred inidicates that credentials should be deleted.
+	DeleteCred = C.PAM_DELETE_CRED
+	// ReinitializeCred indicates that credentials should be fully
+	// reinitialized.
+	ReinitializeCred = C.PAM_REINITIALIZE_CRED
+	// RefreshCred indicates that the lifetime of existing credentials
+	// should be extended.
+	RefreshCred = C.PAM_REFRESH_CRED
+	// ChangeExpiredAuthtok indicates that the authentication token
+	// should be changed if it has expired.
+	ChangeExpiredAuthtok = C.PAM_CHANGE_EXPIRED_AUTHTOK
+	// PrelimCheck indicates that the modules are being probed as to their
+	// ready status for altering the user's authentication token.
+	PrelimCheck = C.PAM_PRELIM_CHECK
+	// UpdateAuthtok informs the module that this is the call it should
+	// change the authorization tokens.
+	UpdateAuthtok = C.PAM_UPDATE_AUTHTOK
+)