pam: checking a user's login passphrase

This commit adds in the fscrypt/pam package. This package will hold all
functionality related to Linux Pluggable Authentication Modules (PAM).
Right now this package uses cgo to mock a PAM conversation, allowing the
function to check if a provided passphrase actually belongs to a user.

Due to the nature of cgo callbacks, global state of the key to check is
necessary for this function. This commit also addresses some issues
about building the cgo components. Now, only the minimal linking flags
are included in the go files. Additional linker flags may now be
necessary to build a static binary of fscrypt. This is addressed in the
Makefile and README.

Finally, this commit fixes a bug where the tests would not run correctly
due to shared global state on the testing filesystem. Fixed, by having
all the tests run sequentially.

Change-Id: Ia43636801da984b505d2f43dd14127b7cfbf2c48

3 files changed, 231 insertions, 0 deletions

diff --git a/pam/login.go b/pam/login.go
new file mode 100644
index 0000000..63041de
--- /dev/null
+++ b/pam/login.go
@@ -0,0 +1,120 @@
+/*
+ * login.go - Checks the validity of a login token key against PAM.
+ *
+ * Copyright 2017 Google Inc.
+ * Author: Joe Richey (joerichey@google.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+// Package pam contains all the functionality for interfacing with Linux
+// Pluggable Authentication Modules (PAM). Currently, all this package does is
+// check the validity of a user's login passphrase.
+// See http://www.linux-pam.org/Linux-PAM-html/ for more information.
+package pam
+
+/*
+#cgo LDFLAGS: -lpam
+#include <stdlib.h>
+#include "pam.h"
+*/
+import "C"
+
+import (
+	"fmt"
+	"log"
+	"sync"
+	"unsafe"
+
+	"fscrypt/crypto"
+	"fscrypt/util"
+)
+
+// Global state is needed for the PAM callback, so we guard this function with a
+// lock. tokenToCheck is only ever non-nil when loginLock is held.
+var (
+	loginLock    sync.Mutex
+	tokenToCheck *crypto.Key
+)
+
+// unexpectedMessage logs an error encountered in the PAM callback.
+//export unexpectedMessage
+func unexpectedMessage(msg *C.char) {
+	log.Printf("pam encountered unexpected %q", C.GoString(msg))
+}
+
+// pamInput is run when the PAM module needs some input from the user. The
+// message parameter is the prompt that would be displayed to the user.
+//export pamInput
+func pamInput(msg *C.char) *C.char {
+	log.Printf("requesting secret data with %q", C.GoString(msg))
+
+	// Memory for the key must be moved into a C string allocated by C.
+	cLen := C.size_t(tokenToCheck.Len())
+	cData := C.malloc(cLen + 1)
+
+	// View the cData as a go slice
+	goData := (*[1 << 30]byte)(cData)
+	copy(goData[:cLen], tokenToCheck.UnsafeData())
+	goData[cLen] = 0 // Null terminator
+	return (*C.char)(cData)
+}
+
+// IsUserLoginToken returns true if the presented token is the user's login key,
+// false if it is not their login key, and an error if this cannot be
+// determined. Note that unless the currently running process is root, this
+// check will only work for the user running this process.
+func IsUserLoginToken(username string, token *crypto.Key) (_ bool, err error) {
+	log.Printf("Checking login token for %s", username)
+	// We require global state for the function. This function never takes
+	// ownership of the token, so it is not responsible for wiping it.
+	loginLock.Lock()
+	tokenToCheck = token
+	defer func() {
+		tokenToCheck = nil
+		loginLock.Unlock()
+	}()
+
+	cUsername := C.CString(username)
+	defer C.free(unsafe.Pointer(cUsername))
+
+	var conv C.struct_pam_conv
+	var handle *C.struct_pam_handle
+	C.pam_init(&conv)
+
+	// Start the pam transaction with the desired conversation and handle.
+	returnCode := C.pam_start(C.fscrypt_service, cUsername, &conv, &handle)
+	if returnCode != C.PAM_SUCCESS {
+		return false, util.SystemError(fmt.Sprintf("pam_start returned %d", returnCode))
+	}
+
+	defer func() {
+		// End the PAM transaction, setting the error if appropriate.
+		returnCode = C.pam_end(handle, returnCode)
+		if returnCode != C.PAM_SUCCESS && err == nil {
+			err = util.SystemError(fmt.Sprintf("pam_end returned %d", returnCode))
+		}
+	}()
+
+	// Ask PAM to authenticate the token. We either get an answer or an error
+	returnCode = C.pam_authenticate(handle, 0)
+	switch returnCode {
+	case C.PAM_SUCCESS:
+		return true, nil
+	case C.PAM_AUTH_ERR:
+		return false, nil
+	default:
+		// PAM didn't give us an answer to the authentication question
+		return false, util.SystemError(fmt.Sprintf("pam_authenticate returned %d", returnCode))
+	}
+}
diff --git a/pam/pam.c b/pam/pam.c
new file mode 100644
index 0000000..ce640e8
--- /dev/null
+++ b/pam/pam.c
@@ -0,0 +1,80 @@
+/*
+ * pam.c - Functions to let us call into libpam from Go.
+ *
+ * Copyright 2017 Google Inc.
+ * Author: Joe Richey (joerichey@google.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+#include "pam.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "_cgo_export.h"  // for pamInput callback
+
+const char* fscrypt_service = "fscrypt";
+
+static int pam_conv(int num_msg, const struct pam_message** msg,
+                    struct pam_response** resp, void* appdata_ptr) {
+  if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG) {
+    return PAM_CONV_ERR;
+  }
+
+  // Allocate the response table with num_msg entries.
+  *resp = calloc(num_msg, sizeof **resp);
+  if (!*resp) {
+    return PAM_BUF_ERR;
+  }
+
+  // Check each message to see if we need to run a callback.
+  char* callback_msg = NULL;
+  char* callback_resp = NULL;
+  int i;
+  for (i = 0; i < num_msg; ++i) {
+    callback_msg = (char*)msg[i]->msg;
+
+    // We run our input callback if the style tells us we need data. Otherwise,
+    // we just print the error messages or text info to standard output.
+    switch (msg[i]->msg_style) {
+      case PAM_PROMPT_ECHO_OFF:
+        callback_resp = pamInput(callback_msg);
+        break;
+      case PAM_PROMPT_ECHO_ON:
+        // We should never have a request for non-secret data
+        unexpectedMessage(callback_msg);
+        callback_resp = NULL;
+        break;
+      case PAM_ERROR_MSG:
+      case PAM_TEXT_INFO:
+        printf("%s\n", callback_msg);
+        continue;
+    }
+
+    if (!callback_resp) {
+      // If the callback failed, free each nonempty response in the response
+      // table and the response table itself.
+      while (--i >= 0) {
+        free((*resp)[i].resp);
+      }
+      free(*resp);
+      return PAM_CONV_ERR;
+    }
+
+    (*resp)[i].resp = callback_resp;
+  }
+  return PAM_SUCCESS;
+}
+
+void pam_init(struct pam_conv* conv) { conv->conv = pam_conv; }
diff --git a/pam/pam.h b/pam/pam.h
new file mode 100644
index 0000000..83ef2a9
--- /dev/null
+++ b/pam/pam.h
@@ -0,0 +1,31 @@
+/*
+ * pam.h - Functions to let us call into libpam from Go.
+ *
+ * Copyright 2017 Google Inc.
+ * Author: Joe Richey (joerichey@google.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+#ifndef FSCRYPT_PAM_H
+#define FSCRYPT_PAM_H
+
+#include <security/pam_appl.h>
+
+// fscrypt_service is the display name of the service requesting the passphrase.
+const char* fscrypt_service;
+
+// pam_init initializes the pam_conv structure for use with our Go callbacks.
+void pam_init(struct pam_conv* conv);
+
+#endif