PAM AUTH patch for fprintd

author: Benjamin Chausse <benjamin@chausse.xyz> 2022-03-05 12:30:20 -0500
committer: Benjamin Chausse <benjamin@chausse.xyz> 2022-03-05 12:30:20 -0500
commit: 454002c4d6646d04136635d988d867231e2fcdd6 (patch)
tree: ad454fb4d21f1416761faa381c9cae554bf9dd5a
parent: 8dee52c382c885c8ebfc24d82770c8ecf13f98a1 (diff)
4 files changed, 217 insertions, 10 deletions
diff --git a/config.def.h b/config.def.h
index 712df56..6c22796 100644
--- a/config.def.h
+++ b/config.def.h
@@ -1,17 +1,21 @@
 /* user and group to drop privileges to */
-static const char *user  = "nobody";
-static const char *group = "nobody";
+static const char *user  = "master";
+static const char *group = "wheel";
 
 static const char *colorname[NUMCOLS] = {
 	[INIT] =   "black",     /* after initialization */
 	[INPUT] =  "#7D4B23",   /* during input */
 	[FAILED] = "#B7416E",   /* wrong password */
 	[BLOCKS] = "#f2f1f0",   /* key feedback block */
+	[PAM] =    "#19B596",   /* waiting for PAM */
 };
 
 /* treat a cleared input like a wrong password (color) */
 static const int failonclear = 1;
 
+/* PAM service that's used for authentication */
+static const char* pam_service = "login";
+
 // ### Blocks bar ###
 static short int blocks_enabled = 1; // 0 = don't show blocks
 static const int blocks_width = 0; // 0 = full width
diff --git a/config.mk b/config.mk
index f4b3c6d..2f85023 100644
--- a/config.mk
+++ b/config.mk
@@ -12,7 +12,7 @@ X11LIB = /usr/X11R6/lib
 
 # includes and libs
 INCS = -I. -I/usr/include -I${X11INC}
-LIBS = -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11 -lXext -lXrandr
+LIBS = -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11 -lXext -lXrandr -lpam
 
 # flags
 CPPFLAGS = -DVERSION=\"${VERSION}\" -D_DEFAULT_SOURCE -DHAVE_SHADOW_H
diff --git a/patches/slock-pam_auth-20190207-35633d4.diff b/patches/slock-pam_auth-20190207-35633d4.diff
new file mode 100644
index 0000000..136f4b5
--- /dev/null
+++ b/patches/slock-pam_auth-20190207-35633d4.diff
@@ -0,0 +1,154 @@
+diff --git a/config.def.h b/config.def.h
+index 9855e21..19e7f62 100644
+--- a/config.def.h
++++ b/config.def.h
+@@ -6,7 +6,11 @@ static const char *colorname[NUMCOLS] = {
+ 	[INIT] =   "black",     /* after initialization */
+ 	[INPUT] =  "#005577",   /* during input */
+ 	[FAILED] = "#CC3333",   /* wrong password */
++	[PAM] =    "#9400D3",   /* waiting for PAM */
+ };
+ 
+ /* treat a cleared input like a wrong password (color) */
+ static const int failonclear = 1;
++
++/* PAM service that's used for authentication */
++static const char* pam_service = "login";
+diff --git a/config.mk b/config.mk
+index 74429ae..6e82074 100644
+--- a/config.mk
++++ b/config.mk
+@@ -12,7 +12,7 @@ X11LIB = /usr/X11R6/lib
+ 
+ # includes and libs
+ INCS = -I. -I/usr/include -I${X11INC}
+-LIBS = -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11 -lXext -lXrandr
++LIBS = -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11 -lXext -lXrandr -lpam
+ 
+ # flags
+ CPPFLAGS = -DVERSION=\"${VERSION}\" -D_DEFAULT_SOURCE -DHAVE_SHADOW_H
+diff --git a/slock.c b/slock.c
+index 5ae738c..3a8da42 100644
+--- a/slock.c
++++ b/slock.c
+@@ -18,16 +18,22 @@
+ #include <X11/keysym.h>
+ #include <X11/Xlib.h>
+ #include <X11/Xutil.h>
++#include <security/pam_appl.h>
++#include <security/pam_misc.h>
+ 
+ #include "arg.h"
+ #include "util.h"
+ 
+ char *argv0;
++static int pam_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr);
++struct pam_conv pamc = {pam_conv, NULL};
++char passwd[256];
+ 
+ enum {
+ 	INIT,
+ 	INPUT,
+ 	FAILED,
++	PAM,
+ 	NUMCOLS
+ };
+ 
+@@ -57,6 +63,31 @@ die(const char *errstr, ...)
+ 	exit(1);
+ }
+ 
++static int
++pam_conv(int num_msg, const struct pam_message **msg,
++		struct pam_response **resp, void *appdata_ptr)
++{
++	int retval = PAM_CONV_ERR;
++	for(int i=0; i<num_msg; i++) {
++		if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF &&
++				strncmp(msg[i]->msg, "Password: ", 10) == 0) {
++			struct pam_response *resp_msg = malloc(sizeof(struct pam_response));
++			if (!resp_msg)
++				die("malloc failed\n");
++			char *password = malloc(strlen(passwd) + 1);
++			if (!password)
++				die("malloc failed\n");
++			memset(password, 0, strlen(passwd) + 1);
++			strcpy(password, passwd);
++			resp_msg->resp_retcode = 0;
++			resp_msg->resp = password;
++			resp[i] = resp_msg;
++			retval = PAM_SUCCESS;
++		}
++	}
++	return retval;
++}
++
+ #ifdef __linux__
+ #include <fcntl.h>
+ #include <linux/oom.h>
+@@ -121,6 +152,8 @@ gethash(void)
+ 	}
+ #endif /* HAVE_SHADOW_H */
+ 
++	/* pam, store user name */
++	hash = pw->pw_name;
+ 	return hash;
+ }
+ 
+@@ -129,11 +162,12 @@ readpw(Display *dpy, struct xrandr *rr, struct lock **locks, int nscreens,
+        const char *hash)
+ {
+ 	XRRScreenChangeNotifyEvent *rre;
+-	char buf[32], passwd[256], *inputhash;
+-	int num, screen, running, failure, oldc;
++	char buf[32];
++	int num, screen, running, failure, oldc, retval;
+ 	unsigned int len, color;
+ 	KeySym ksym;
+ 	XEvent ev;
++	pam_handle_t *pamh;
+ 
+ 	len = 0;
+ 	running = 1;
+@@ -160,10 +194,26 @@ readpw(Display *dpy, struct xrandr *rr, struct lock **locks, int nscreens,
+ 			case XK_Return:
+ 				passwd[len] = '\0';
+ 				errno = 0;
+-				if (!(inputhash = crypt(passwd, hash)))
+-					fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
++				retval = pam_start(pam_service, hash, &pamc, &pamh);
++				color = PAM;
++				for (screen = 0; screen < nscreens; screen++) {
++					XSetWindowBackground(dpy, locks[screen]->win, locks[screen]->colors[color]);
++					XClearWindow(dpy, locks[screen]->win);
++					XRaiseWindow(dpy, locks[screen]->win);
++				}
++				XSync(dpy, False);
++
++				if (retval == PAM_SUCCESS)
++					retval = pam_authenticate(pamh, 0);
++				if (retval == PAM_SUCCESS)
++					retval = pam_acct_mgmt(pamh, 0);
++
++				running = 1;
++				if (retval == PAM_SUCCESS)
++					running = 0;
+ 				else
+-					running = !!strcmp(inputhash, hash);
++					fprintf(stderr, "slock: %s\n", pam_strerror(pamh, retval));
++				pam_end(pamh, retval);
+ 				if (running) {
+ 					XBell(dpy, 100);
+ 					failure = 1;
+@@ -339,10 +389,9 @@ main(int argc, char **argv) {
+ 	dontkillme();
+ #endif
+ 
++	/* the contents of hash are used to transport the current user name */
+ 	hash = gethash();
+ 	errno = 0;
+-	if (!crypt("", hash))
+-		die("slock: crypt: %s\n", strerror(errno));
+ 
+ 	if (!(dpy = XOpenDisplay(NULL)))
+ 		die("slock: cannot open display\n");
diff --git a/slock.c b/slock.c
index e2b67e2..6d73074 100644
--- a/slock.c
+++ b/slock.c
@@ -20,11 +20,16 @@
 #include <X11/keysym.h>
 #include <X11/Xlib.h>
 #include <X11/Xutil.h>
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
 
 #include "arg.h"
 #include "util.h"
 
 char *argv0;
+static int pam_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr);
+struct pam_conv pamc = {pam_conv, NULL};
+char passwd[256];
 
 static time_t locktime;
 
@@ -33,6 +38,7 @@ enum {
 	INPUT,
 	FAILED,
 	BLOCKS,
+  PAM,
 	NUMCOLS
 };
 
@@ -62,6 +68,31 @@ die(const char *errstr, ...)
 	exit(1);
 }
 
+static int
+pam_conv(int num_msg, const struct pam_message **msg,
+		struct pam_response **resp, void *appdata_ptr)
+{
+	int retval = PAM_CONV_ERR;
+	for(int i=0; i<num_msg; i++) {
+		if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF &&
+				strncmp(msg[i]->msg, "Password: ", 10) == 0) {
+			struct pam_response *resp_msg = malloc(sizeof(struct pam_response));
+			if (!resp_msg)
+				die("malloc failed\n");
+			char *password = malloc(strlen(passwd) + 1);
+			if (!password)
+				die("malloc failed\n");
+			memset(password, 0, strlen(passwd) + 1);
+			strcpy(password, passwd);
+			resp_msg->resp_retcode = 0;
+			resp_msg->resp = password;
+			resp[i] = resp_msg;
+			retval = PAM_SUCCESS;
+		}
+	}
+	return retval;
+}
+
 #ifdef __linux__
 #include <fcntl.h>
 #include <linux/oom.h>
@@ -159,6 +190,8 @@ gethash(void)
 	}
 #endif /* HAVE_SHADOW_H */
 
+	/* pam, store user name */
+	hash = pw->pw_name;
 	return hash;
 }
 
@@ -167,11 +200,12 @@ readpw(Display *dpy, struct xrandr *rr, struct lock **locks, int nscreens,
        const char *hash)
 {
 	XRRScreenChangeNotifyEvent *rre;
-	char buf[32], passwd[256], *inputhash;
-	int num, screen, running, failure, oldc;
+	char buf[32];
+	int num, screen, running, failure, oldc, retval;
 	unsigned int len, color;
 	KeySym ksym;
 	XEvent ev;
+	pam_handle_t *pamh;
 
 	len = 0;
 	running = 1;
@@ -199,10 +233,26 @@ readpw(Display *dpy, struct xrandr *rr, struct lock **locks, int nscreens,
 			case XK_Return:
 				passwd[len] = '\0';
 				errno = 0;
-				if (!(inputhash = crypt(passwd, hash)))
-					fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
+				retval = pam_start(pam_service, hash, &pamc, &pamh);
+				color = PAM;
+				for (screen = 0; screen < nscreens; screen++) {
+					XSetWindowBackground(dpy, locks[screen]->win, locks[screen]->colors[color]);
+					XClearWindow(dpy, locks[screen]->win);
+					XRaiseWindow(dpy, locks[screen]->win);
+				}
+				XSync(dpy, False);
+
+				if (retval == PAM_SUCCESS)
+					retval = pam_authenticate(pamh, 0);
+				if (retval == PAM_SUCCESS)
+					retval = pam_acct_mgmt(pamh, 0);
+
+				running = 1;
+				if (retval == PAM_SUCCESS)
+					running = 0;
 				else
-					running = !!strcmp(inputhash, hash);
+					fprintf(stderr, "slock: %s\n", pam_strerror(pamh, retval));
+				pam_end(pamh, retval);
 				if (running) {
 					XBell(dpy, 100);
 					failure = 1;
@@ -383,10 +433,9 @@ main(int argc, char **argv) {
 	dontkillme();
 #endif
 
+	/* the contents of hash are used to transport the current user name */
 	hash = gethash();
 	errno = 0;
-	if (!crypt("", hash))
-		die("slock: crypt: %s\n", strerror(errno));
 
 	if (!(dpy = XOpenDisplay(NULL)))
 		die("slock: cannot open display\n");
author	Benjamin Chausse <benjamin@chausse.xyz>	2022-03-05 12:30:20 -0500
committer	Benjamin Chausse <benjamin@chausse.xyz>	2022-03-05 12:30:20 -0500
commit	454002c4d6646d04136635d988d867231e2fcdd6 (patch)
tree	ad454fb4d21f1416761faa381c9cae554bf9dd5a
parent	8dee52c382c885c8ebfc24d82770c8ecf13f98a1 (diff)