sway/swaylock/password.c

#define _XOPEN_SOURCE 500
#include <assert.h>
#include <pwd.h>
#include <security/pam_appl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <wlr/util/log.h>
#include <xkbcommon/xkbcommon.h>
#include "swaylock/swaylock.h"
#include "swaylock/seat.h"
#include "unicode.h"

static int function_conversation(int num_msg, const struct pam_message **msg,
		struct pam_response **resp, void *data) {
	struct swaylock_password *pw = data;
	/* PAM expects an array of responses, one for each message */
	struct pam_response *pam_reply = calloc(
			num_msg, sizeof(struct pam_response));
	*resp = pam_reply;
	for (int i = 0; i < num_msg; ++i) {
		switch (msg[i]->msg_style) {
		case PAM_PROMPT_ECHO_OFF:
		case PAM_PROMPT_ECHO_ON:
			pam_reply[i].resp = strdup(pw->buffer); // PAM clears and frees this
			break;
		case PAM_ERROR_MSG:
		case PAM_TEXT_INFO:
			break;
		}
	}
	return PAM_SUCCESS;
}

void clear_password_buffer(struct swaylock_password *pw) {
	// Use volatile keyword so so compiler can't optimize this out.
	volatile char *buffer = pw->buffer;
	volatile char zero = '\0';
	for (size_t i = 0; i < sizeof(buffer); ++i) {
		buffer[i] = zero;
	}
	pw->len = 0;
}

static bool attempt_password(struct swaylock_password *pw) {
	struct passwd *passwd = getpwuid(getuid());
	char *username = passwd->pw_name;
	const struct pam_conv local_conversation = {
		function_conversation, pw
	};
	pam_handle_t *local_auth_handle = NULL;
	int pam_err;
	// TODO: only call pam_start once. keep the same handle the whole time
	if ((pam_err = pam_start("swaylock", username,
					&local_conversation, &local_auth_handle)) != PAM_SUCCESS) {
		wlr_log(WLR_ERROR, "PAM returned error %d", pam_err);
	}
	if ((pam_err = pam_authenticate(local_auth_handle, 0)) != PAM_SUCCESS) {
		wlr_log(WLR_ERROR, "pam_authenticate failed");
		goto fail;
	}
	// TODO: only call pam_end once we succeed at authing. refresh tokens beforehand
	if ((pam_err = pam_end(local_auth_handle, pam_err)) != PAM_SUCCESS) {
		wlr_log(WLR_ERROR, "pam_end failed");
		goto fail;
	}
	clear_password_buffer(pw);
	return true;
fail:
	clear_password_buffer(pw);
	return false;
}

static bool backspace(struct swaylock_password *pw) {
	if (pw->len != 0) {
		pw->buffer[--pw->len] = 0;
		return true;
	}
	return false;
}

static void append_ch(struct swaylock_password *pw, uint32_t codepoint) {
	size_t utf8_size = utf8_chsize(codepoint);
	if (pw->len + utf8_size + 1 >= sizeof(pw->buffer)) {
		// TODO: Display error
		return;
	}
	utf8_encode(&pw->buffer[pw->len], codepoint);
	pw->buffer[pw->len + utf8_size] = 0;
	pw->len += utf8_size;
}

void swaylock_handle_key(struct swaylock_state *state,
		xkb_keysym_t keysym, uint32_t codepoint) {
	switch (keysym) {
	case XKB_KEY_KP_Enter: /* fallthrough */
	case XKB_KEY_Return:
		if (state->args.ignore_empty && state->password.len == 0) {
			break;
		}

		state->auth_state = AUTH_STATE_VALIDATING;
		damage_state(state);
		while (wl_display_dispatch(state->display) != -1 && state->run_display) {
			bool ok = 1;
			struct swaylock_surface *surface;
			wl_list_for_each(surface, &state->surfaces, link) {
				if (surface->dirty) {
					ok = 0;
				}
			}
			if (ok) {
				break;
			}
		}
		wl_display_flush(state->display);

		if (attempt_password(&state->password)) {
			state->run_display = false;
			break;
		}
		state->auth_state = AUTH_STATE_INVALID;
		damage_state(state);
		break;
	case XKB_KEY_Delete:
	case XKB_KEY_BackSpace:
		if (backspace(&state->password)) {
			state->auth_state = AUTH_STATE_BACKSPACE;
		} else {
			state->auth_state = AUTH_STATE_CLEAR;
		}
		damage_state(state);
		break;
	case XKB_KEY_Escape:
		clear_password_buffer(&state->password);
		state->auth_state = AUTH_STATE_CLEAR;
		damage_state(state);
		break;
	case XKB_KEY_Caps_Lock:
		/* The state is getting active after this
		 * so we need to manually toggle it */
		state->xkb.caps_lock = !state->xkb.caps_lock;
		state->auth_state = AUTH_STATE_INPUT_NOP;
		damage_state(state);
		break;
	case XKB_KEY_Shift_L:
	case XKB_KEY_Shift_R:
	case XKB_KEY_Control_L:
	case XKB_KEY_Control_R:
	case XKB_KEY_Meta_L:
	case XKB_KEY_Meta_R:
	case XKB_KEY_Alt_L:
	case XKB_KEY_Alt_R:
	case XKB_KEY_Super_L:
	case XKB_KEY_Super_R:
		state->auth_state = AUTH_STATE_INPUT_NOP;
		damage_state(state);
		break;
	case XKB_KEY_u:
		if (state->xkb.control) {
			clear_password_buffer(&state->password);
			state->auth_state = AUTH_STATE_CLEAR;
			damage_state(state);
			break;
		}
		// fallthrough
	default:
		if (codepoint) {
			append_ch(&state->password, codepoint);
			state->auth_state = AUTH_STATE_INPUT;
			damage_state(state);
		}
		break;
	}
}
swaylock: Securely zero-out password. - Replace char* with static array. Any chars > 1024 will be discarded. - mlock() password buffer so it can't be written to swap. - Clear password buffer after auth succeeds or fails. This is basically the same treatment I gave the 0.15 branch in https://github.com/swaywm/sway/pull/1519 2018-04-13 00:38:24 +00:00			`#define _XOPEN_SOURCE 500`
Add password buffer, refactor rendering/surfaces 2018-04-03 18:31:30 +00:00			`#include <assert.h>`
Verify passwords 2018-04-03 18:49:56 +00:00			`#include <pwd.h>`
			`#include <security/pam_appl.h>`
Add password buffer, refactor rendering/surfaces 2018-04-03 18:31:30 +00:00			`#include <stdlib.h>`
swaylock: Securely zero-out password. - Replace char* with static array. Any chars > 1024 will be discarded. - mlock() password buffer so it can't be written to swap. - Clear password buffer after auth succeeds or fails. This is basically the same treatment I gave the 0.15 branch in https://github.com/swaywm/sway/pull/1519 2018-04-13 00:38:24 +00:00			`#include <string.h>`
Add password buffer, refactor rendering/surfaces 2018-04-03 18:31:30 +00:00			`#include <unistd.h>`
			`#include <wlr/util/log.h>`
			`#include <xkbcommon/xkbcommon.h>`
			`#include "swaylock/swaylock.h"`
			`#include "swaylock/seat.h"`
			`#include "unicode.h"`

Verify passwords 2018-04-03 18:49:56 +00:00			`static int function_conversation(int num_msg, const struct pam_message **msg,`
			`struct pam_response *resp, void data) {`
			`struct swaylock_password *pw = data;`
			`/* PAM expects an array of responses, one for each message */`
			`struct pam_response *pam_reply = calloc(`
			`num_msg, sizeof(struct pam_response));`
			`*resp = pam_reply;`
			`for (int i = 0; i < num_msg; ++i) {`
			`switch (msg[i]->msg_style) {`
			`case PAM_PROMPT_ECHO_OFF:`
			`case PAM_PROMPT_ECHO_ON:`
swaylock: Securely zero-out password. - Replace char* with static array. Any chars > 1024 will be discarded. - mlock() password buffer so it can't be written to swap. - Clear password buffer after auth succeeds or fails. This is basically the same treatment I gave the 0.15 branch in https://github.com/swaywm/sway/pull/1519 2018-04-13 00:38:24 +00:00			`pam_reply[i].resp = strdup(pw->buffer); // PAM clears and frees this`
Verify passwords 2018-04-03 18:49:56 +00:00			`break;`
			`case PAM_ERROR_MSG:`
			`case PAM_TEXT_INFO:`
			`break;`
			`}`
			`}`
			`return PAM_SUCCESS;`
			`}`

swaylock: Securely zero-out password. - Replace char* with static array. Any chars > 1024 will be discarded. - mlock() password buffer so it can't be written to swap. - Clear password buffer after auth succeeds or fails. This is basically the same treatment I gave the 0.15 branch in https://github.com/swaywm/sway/pull/1519 2018-04-13 00:38:24 +00:00			`void clear_password_buffer(struct swaylock_password *pw) {`
			`// Use volatile keyword so so compiler can't optimize this out.`
			`volatile char *buffer = pw->buffer;`
			`volatile char zero = '\0';`
			`for (size_t i = 0; i < sizeof(buffer); ++i) {`
			`buffer[i] = zero;`
			`}`
			`pw->len = 0;`
			`}`

Verify passwords 2018-04-03 18:49:56 +00:00			`static bool attempt_password(struct swaylock_password *pw) {`
			`struct passwd *passwd = getpwuid(getuid());`
			`char *username = passwd->pw_name;`
			`const struct pam_conv local_conversation = {`
			`function_conversation, pw`
			`};`
			`pam_handle_t *local_auth_handle = NULL;`
			`int pam_err;`
swaylock: Securely zero-out password. - Replace char* with static array. Any chars > 1024 will be discarded. - mlock() password buffer so it can't be written to swap. - Clear password buffer after auth succeeds or fails. This is basically the same treatment I gave the 0.15 branch in https://github.com/swaywm/sway/pull/1519 2018-04-13 00:38:24 +00:00			`// TODO: only call pam_start once. keep the same handle the whole time`
Verify passwords 2018-04-03 18:49:56 +00:00			`if ((pam_err = pam_start("swaylock", username,`
			`&local_conversation, &local_auth_handle)) != PAM_SUCCESS) {`
Update for swaywm/wlroots#1126 2018-07-09 21:54:30 +00:00			`wlr_log(WLR_ERROR, "PAM returned error %d", pam_err);`
Verify passwords 2018-04-03 18:49:56 +00:00			`}`
			`if ((pam_err = pam_authenticate(local_auth_handle, 0)) != PAM_SUCCESS) {`
Update for swaywm/wlroots#1126 2018-07-09 21:54:30 +00:00			`wlr_log(WLR_ERROR, "pam_authenticate failed");`
Verify passwords 2018-04-03 18:49:56 +00:00			`goto fail;`
			`}`
swaylock: Securely zero-out password. - Replace char* with static array. Any chars > 1024 will be discarded. - mlock() password buffer so it can't be written to swap. - Clear password buffer after auth succeeds or fails. This is basically the same treatment I gave the 0.15 branch in https://github.com/swaywm/sway/pull/1519 2018-04-13 00:38:24 +00:00			`// TODO: only call pam_end once we succeed at authing. refresh tokens beforehand`
Verify passwords 2018-04-03 18:49:56 +00:00			`if ((pam_err = pam_end(local_auth_handle, pam_err)) != PAM_SUCCESS) {`
Update for swaywm/wlroots#1126 2018-07-09 21:54:30 +00:00			`wlr_log(WLR_ERROR, "pam_end failed");`
Verify passwords 2018-04-03 18:49:56 +00:00			`goto fail;`
			`}`
swaylock: Securely zero-out password. - Replace char* with static array. Any chars > 1024 will be discarded. - mlock() password buffer so it can't be written to swap. - Clear password buffer after auth succeeds or fails. This is basically the same treatment I gave the 0.15 branch in https://github.com/swaywm/sway/pull/1519 2018-04-13 00:38:24 +00:00			`clear_password_buffer(pw);`
Verify passwords 2018-04-03 18:49:56 +00:00			`return true;`
			`fail:`
swaylock: Securely zero-out password. - Replace char* with static array. Any chars > 1024 will be discarded. - mlock() password buffer so it can't be written to swap. - Clear password buffer after auth succeeds or fails. This is basically the same treatment I gave the 0.15 branch in https://github.com/swaywm/sway/pull/1519 2018-04-13 00:38:24 +00:00			`clear_password_buffer(pw);`
Verify passwords 2018-04-03 18:49:56 +00:00			`return false;`
			`}`

R E N D E R I N G 2018-04-03 19:04:31 +00:00			`static bool backspace(struct swaylock_password *pw) {`
Add password buffer, refactor rendering/surfaces 2018-04-03 18:31:30 +00:00			`if (pw->len != 0) {`
			`pw->buffer[--pw->len] = 0;`
R E N D E R I N G 2018-04-03 19:04:31 +00:00			`return true;`
Add password buffer, refactor rendering/surfaces 2018-04-03 18:31:30 +00:00			`}`
R E N D E R I N G 2018-04-03 19:04:31 +00:00			`return false;`
Add password buffer, refactor rendering/surfaces 2018-04-03 18:31:30 +00:00			`}`

			`static void append_ch(struct swaylock_password *pw, uint32_t codepoint) {`
			`size_t utf8_size = utf8_chsize(codepoint);`
swaylock: Securely zero-out password. - Replace char* with static array. Any chars > 1024 will be discarded. - mlock() password buffer so it can't be written to swap. - Clear password buffer after auth succeeds or fails. This is basically the same treatment I gave the 0.15 branch in https://github.com/swaywm/sway/pull/1519 2018-04-13 00:38:24 +00:00			`if (pw->len + utf8_size + 1 >= sizeof(pw->buffer)) {`
			`// TODO: Display error`
			`return;`
Add password buffer, refactor rendering/surfaces 2018-04-03 18:31:30 +00:00			`}`
			`utf8_encode(&pw->buffer[pw->len], codepoint);`
			`pw->buffer[pw->len + utf8_size] = 0;`
			`pw->len += utf8_size;`
			`}`

			`void swaylock_handle_key(struct swaylock_state *state,`
			`xkb_keysym_t keysym, uint32_t codepoint) {`
			`switch (keysym) {`
swaylock: implement a proper render loop 2018-05-25 18:34:36 +00:00			`case XKB_KEY_KP_Enter: /* fallthrough */`
			`case XKB_KEY_Return:`
Implement swaylock customization flags 2018-07-11 01:29:15 +00:00			`if (state->args.ignore_empty && state->password.len == 0) {`
			`break;`
			`}`

swaylock: implement a proper render loop 2018-05-25 18:34:36 +00:00			`state->auth_state = AUTH_STATE_VALIDATING;`
			`damage_state(state);`
swaylock: fix the displaying of "verified" Displaying verified after damaging state needs more than one roundtrip, so keep looping until surfaces are not dirty anymore 2018-06-08 12:59:18 +00:00			`while (wl_display_dispatch(state->display) != -1 && state->run_display) {`
			`bool ok = 1;`
			`struct swaylock_surface *surface;`
			`wl_list_for_each(surface, &state->surfaces, link) {`
			`if (surface->dirty) {`
			`ok = 0;`
			`}`
			`}`
			`if (ok) {`
			`break;`
			`}`
			`}`
			`wl_display_flush(state->display);`

swaylock: implement a proper render loop 2018-05-25 18:34:36 +00:00			`if (attempt_password(&state->password)) {`
			`state->run_display = false;`
Add password buffer, refactor rendering/surfaces 2018-04-03 18:31:30 +00:00			`break;`
swaylock: implement a proper render loop 2018-05-25 18:34:36 +00:00			`}`
			`state->auth_state = AUTH_STATE_INVALID;`
			`damage_state(state);`
			`break;`
			`case XKB_KEY_Delete:`
			`case XKB_KEY_BackSpace:`
			`if (backspace(&state->password)) {`
			`state->auth_state = AUTH_STATE_BACKSPACE;`
			`} else {`
Improved key handling in swaylock Make escape clear buffer Add indicator states for ctrl,shift,super et al Add CapsLock indicator 2018-04-20 12:46:30 +00:00			`state->auth_state = AUTH_STATE_CLEAR;`
swaylock: implement a proper render loop 2018-05-25 18:34:36 +00:00			`}`
			`damage_state(state);`
			`break;`
			`case XKB_KEY_Escape:`
			`clear_password_buffer(&state->password);`
			`state->auth_state = AUTH_STATE_CLEAR;`
			`damage_state(state);`
			`break;`
			`case XKB_KEY_Caps_Lock:`
			`/* The state is getting active after this`
			`* so we need to manually toggle it */`
			`state->xkb.caps_lock = !state->xkb.caps_lock;`
			`state->auth_state = AUTH_STATE_INPUT_NOP;`
			`damage_state(state);`
			`break;`
			`case XKB_KEY_Shift_L:`
			`case XKB_KEY_Shift_R:`
			`case XKB_KEY_Control_L:`
			`case XKB_KEY_Control_R:`
			`case XKB_KEY_Meta_L:`
			`case XKB_KEY_Meta_R:`
			`case XKB_KEY_Alt_L:`
			`case XKB_KEY_Alt_R:`
			`case XKB_KEY_Super_L:`
			`case XKB_KEY_Super_R:`
			`state->auth_state = AUTH_STATE_INPUT_NOP;`
			`damage_state(state);`
			`break;`
swaylock: implement ^U to clear buffer The whole state->xcb.modifiers thing didn't work at all (always 0) The xkb doc says "[xkb_state_serialize_mods] should not be used in regular clients; please use the xkb_state_mod_*_is_active API instead" so here it is 2018-06-08 12:58:01 +00:00			`case XKB_KEY_u:`
			`if (state->xkb.control) {`
			`clear_password_buffer(&state->password);`
			`state->auth_state = AUTH_STATE_CLEAR;`
			`damage_state(state);`
			`break;`
			`}`
			`// fallthrough`
swaylock: implement a proper render loop 2018-05-25 18:34:36 +00:00			`default:`
			`if (codepoint) {`
			`append_ch(&state->password, codepoint);`
			`state->auth_state = AUTH_STATE_INPUT;`
			`damage_state(state);`
			`}`
			`break;`
Add password buffer, refactor rendering/surfaces 2018-04-03 18:31:30 +00:00			`}`
			`}`