From 9db6c4854f6c89baba46399cc6c45cbf691dc237 Mon Sep 17 00:00:00 2001 From: luoqing Date: Wed, 23 Jun 2021 17:07:36 +0800 Subject: [PATCH 01/20] base init --- .clang-format | 152 ++++++++++++++++++++++++++++++++++++++++++++++++++ .gitignore | 2 + README | 1 + 3 files changed, 155 insertions(+) create mode 100644 .clang-format create mode 100644 .gitignore create mode 100644 README diff --git a/.clang-format b/.clang-format new file mode 100644 index 0000000..135919a --- /dev/null +++ b/.clang-format 
@@ -0,0 +1,152 @@ +BasedOnStyle: Google +IndentWidth: 4 +--- +Language: Cpp +AccessModifierOffset: -4 +AlignAfterOpenBracket: Align +AlignConsecutiveAssignments: false +AlignConsecutiveDeclarations: false +AlignEscapedNewlines: Left +AlignOperands: true +AlignTrailingComments: true +AllowAllParametersOfDeclarationOnNextLine: true +AllowShortBlocksOnASingleLine: false +AllowShortCaseLabelsOnASingleLine: false +AllowShortFunctionsOnASingleLine: All +AllowShortIfStatementsOnASingleLine: true +AllowShortLoopsOnASingleLine: true +AlwaysBreakAfterDefinitionReturnType: None +AlwaysBreakAfterReturnType: None +AlwaysBreakBeforeMultilineStrings: false +AlwaysBreakTemplateDeclarations: Yes +BinPackArguments: true +BinPackParameters: true +BraceWrapping: + AfterClass: false + AfterControlStatement: false + AfterEnum: false + AfterFunction: false + AfterNamespace: false + AfterObjCDeclaration: false + AfterStruct: false + AfterUnion: false + AfterExternBlock: false + BeforeCatch: false + BeforeElse: false + IndentBraces: false + SplitEmptyFunction: true + SplitEmptyRecord: true + SplitEmptyNamespace: true +BreakBeforeBinaryOperators: None +BreakBeforeBraces: Allman +BreakBeforeInheritanceComma: false +BreakInheritanceList: BeforeColon +BreakBeforeTernaryOperators: true +BreakConstructorInitializersBeforeComma: false +BreakConstructorInitializers: BeforeColon +BreakAfterJavaFieldAnnotations: false +BreakStringLiterals: true +ColumnLimit: 0 +CommentPragmas: '^ IWYU pragma:' +CompactNamespaces: false +ConstructorInitializerAllOnOneLineOrOnePerLine: true +ConstructorInitializerIndentWidth: 4 +ContinuationIndentWidth: 4 +Cpp11BracedListStyle: true +DerivePointerAlignment: true +DisableFormat: false +ExperimentalAutoDetectBinPacking: false +FixNamespaceComments: true +ForEachMacros: + - foreach + - Q_FOREACH + - BOOST_FOREACH +IncludeBlocks: Preserve +IncludeCategories: + - Regex: '^' + Priority: 2 + - Regex: '^<.*\.h>' + Priority: 1 + - Regex: '^<.*' + Priority: 2 + - Regex: '.*' + 
Priority: 3 +IncludeIsMainRegex: '([-_](test|unittest))?$' +IndentCaseLabels: false +IndentPPDirectives: None +IndentWidth: 4 +IndentWrappedFunctionNames: false +JavaScriptQuotes: Leave +JavaScriptWrapImports: true +KeepEmptyLinesAtTheStartOfBlocks: false +MacroBlockBegin: '' +MacroBlockEnd: '' +MaxEmptyLinesToKeep: 1 +NamespaceIndentation: None +ObjCBinPackProtocolList: Never +ObjCBlockIndentWidth: 2 +ObjCSpaceAfterProperty: false +ObjCSpaceBeforeProtocolList: true +PenaltyBreakAssignment: 2 +PenaltyBreakBeforeFirstCallParameter: 1 +PenaltyBreakComment: 300 +PenaltyBreakFirstLessLess: 120 +PenaltyBreakString: 1000 +PenaltyBreakTemplateDeclaration: 10 +PenaltyExcessCharacter: 1000000 +PenaltyReturnTypeOnItsOwnLine: 200 +PointerAlignment: Left +RawStringFormats: + - Language: Cpp + Delimiters: + - cc + - CC + - cpp + - Cpp + - CPP + - 'c++' + - 'C++' + CanonicalDelimiter: '' + BasedOnStyle: google + - Language: TextProto + Delimiters: + - pb + - PB + - proto + - PROTO + EnclosingFunctions: + - EqualsProto + - EquivToProto + - PARSE_PARTIAL_TEXT_PROTO + - PARSE_TEST_PROTO + - PARSE_TEXT_PROTO + - ParseTextOrDie + - ParseTextProtoOrDie + CanonicalDelimiter: '' + BasedOnStyle: google +ReflowComments: true +SortIncludes: true +SortUsingDeclarations: true +SpaceAfterCStyleCast: false +SpaceAfterTemplateKeyword: true +SpaceBeforeAssignmentOperators: true +SpaceBeforeCpp11BracedList: false +SpaceBeforeCtorInitializerColon: true +SpaceBeforeInheritanceColon: true +SpaceBeforeParens: ControlStatements +SpaceBeforeRangeBasedForLoopColon: true +SpaceInEmptyParentheses: false +SpacesBeforeTrailingComments: 2 +SpacesInAngles: false +SpacesInContainerLiterals: true +SpacesInCStyleCastParentheses: false +SpacesInParentheses: false +SpacesInSquareBrackets: false +Standard: Auto +StatementMacros: + - Q_UNUSED + - QT_REQUIRE_VERSION +TabWidth: 8 +UseTab: Never +... + diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..23861cc --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,2 @@ +/build +*.pot diff --git a/README b/README new file mode 100644 index 0000000..2c5d008 --- /dev/null +++ b/README @@ -0,0 +1 @@ +系统认证服务,对于系统账户进行认证,包括指纹,人脸,密码认证方式 -- Gitee From d2d37ce40cd630dc444dc6f9ea3148b880322c91 Mon Sep 17 00:00:00 2001 From: luoqing Date: Tue, 13 Jul 2021 09:59:48 +0800 Subject: [PATCH 02/20] feature(kiran-authentication-service): the first version code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 第一个版本代码 Related #38334 
Signed-off-by: wangxiaoqing --- CMakeLists.txt | 22 + README | 24 + data/CMakeLists.txt | 8 + ...insec.Kiran.SystemDaemon.Accounts.User.xml | 246 +++++ ...m.kylinsec.Kiran.SystemDaemon.Accounts.xml | 77 ++ ...ran.SystemDaemon.Authentication.service.in | 5 + ...nsec.Kiran.SystemDaemon.Authentication.xml | 56 + ...kylinsec.Kiran.SystemDaemon.Biometrics.xml | 197 ++++ data/custom.conf | 2 + data/kiran-auth-service | 2 + ...an-system-daemon-authentication.service.in | 14 + data/kiran_authentication.conf | 13 + src/CMakeLists.txt | 54 + src/authentication_i.h | 50 + src/kiran-auth-service.c | 973 ++++++++++++++++++ src/kiran-auth-service.h | 42 + src/main.c | 31 + src/pam-kiran-authentication.c | 220 ++++ 18 files changed, 2036 insertions(+) create mode 100644 CMakeLists.txt create mode 100644 data/CMakeLists.txt create mode 100644 data/com.kylinsec.Kiran.SystemDaemon.Accounts.User.xml create mode 100644 data/com.kylinsec.Kiran.SystemDaemon.Accounts.xml create mode 100644 data/com.kylinsec.Kiran.SystemDaemon.Authentication.service.in create mode 100644 data/com.kylinsec.Kiran.SystemDaemon.Authentication.xml create mode 100644 data/com.kylinsec.Kiran.SystemDaemon.Biometrics.xml create mode 100644 data/custom.conf create mode 100644 data/kiran-auth-service create mode 100644 data/kiran-system-daemon-authentication.service.in create mode 100644 data/kiran_authentication.conf create mode 100644 src/CMakeLists.txt create mode 100644 src/authentication_i.h create mode 100644 src/kiran-auth-service.c create mode 100644 src/kiran-auth-service.h create mode 100644 src/main.c create mode 100644 src/pam-kiran-authentication.c diff --git a/CMakeLists.txt b/CMakeLists.txt new file mode 100644 index 0000000..cf3dae0 --- /dev/null +++ b/CMakeLists.txt 
@@ -0,0 +1,22 @@
+project(kiran-authentication-service)
+cmake_minimum_required(VERSION 3.5)
+
+if(CMAKE_BUILD_TYPE MATCHES "Debug")
+ set(DEBUG 1)
+else()
+ set(DEBUG 0)
+endif()
+
+include(GNUInstallDirs)
+
+set(SRC_DIR ${CMAKE_CURRENT_SOURCE_DIR}/src)
+set(DATA_DIR ${CMAKE_CURRENT_SOURCE_DIR}/data)
+set(MODULE_DIR ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/kiran-fprint-modules/)
+set(SERVICE_NAME "com.kylinsec.Kiran.SystemDaemon.Biometrics")
+set(SERVICE_PATH "/com/kylinsec/Kiran/SystemDaemon/Biometrics")
+set(SERVICE_INTERFACE "com.kylinsec.Kiran.SystemDaemon.Biometrics")
+set(INSTALL_BINDIR ${CMAKE_INSTALL_PREFIX}/libexec)
+
+add_subdirectory(src)
+add_subdirectory(data)
+#add_subdirectory(pam)
diff --git a/README b/README
index 2c5d008..9400b97 100644
--- a/README
+++ b/README
@@ -1 +1,25 @@
 系统认证服务,对于系统账户进行认证,包括指纹,人脸,密码认证方式
+
+依赖:
+yum install glib-2.0-devel zlog-devel json-glib-1.0-devel kiran-cc-daemon-devel
+
+编译:
+mkdir build && cd build
+cmake -DCMAKE_INSTALL_PREFIX=/usr ..
+
+安装:
+cmake install
+
+pam模块:
+pam_kiran_authentication.so 等待认证结果信号,对认证结果进行处理
+
+配置文件:
+custom.conf
+
+[daemon]
+SessionAuthType = 2
+
+其中SessionAuthType项表示默认会话类型,
+1 标识串行
+2 标识并行,生物认证时根据匹配的用户进行。
+3 标识并行,指定用户认证
diff --git a/data/CMakeLists.txt b/data/CMakeLists.txt
new file mode 100644
index 0000000..a80a8d7
--- /dev/null
+++ b/data/CMakeLists.txt
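Review bot: The bus identifiers set near the end of the hunk belong to the Biometrics daemon, not to this project: `SERVICE_NAME`, `SERVICE_PATH` and `SERVICE_INTERFACE` all name `com.kylinsec.Kiran.SystemDaemon.Biometrics`, while the name this tree installs and owns is `com.kylinsec.Kiran.SystemDaemon.Authentication` (data/*.service.in, src/authentication_i.h), and `MODULE_DIR` points at a `kiran-fprint-modules/` directory nothing in this series installs. None of the four variables is referenced by src/CMakeLists.txt or data/CMakeLists.txt in this commit, so they look carried over from another daemon's build; if they are consumed somewhere not visible here, that should be said in a comment. Otherwise either drop them or point them at this service and derive the `.service.in` and the `AUTH_SERVICE_*` macros from them so the bus name is defined in one place: `set(SERVICE_NAME "com.kylinsec.Kiran.SystemDaemon.Authentication")`, `set(SERVICE_PATH "/com/kylinsec/Kiran/SystemDaemon/Authentication")`.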
@@ -0,0 +1,8 @@
+configure_file(com.kylinsec.Kiran.SystemDaemon.Authentication.service.in ${PROJECT_BINARY_DIR}/data/com.kylinsec.Kiran.SystemDaemon.Authentication.service)
+configure_file(kiran-system-daemon-authentication.service.in ${PROJECT_BINARY_DIR}/data/kiran-system-daemon-authentication.service)
+
+install(FILES kiran_authentication.conf DESTINATION /etc/dbus-1/system.d)
+install(FILES custom.conf DESTINATION /etc/kiran-authentication-service/)
+install(FILES kiran-auth-service DESTINATION /etc/pam.d/)
+install(FILES ${PROJECT_BINARY_DIR}/data/com.kylinsec.Kiran.SystemDaemon.Authentication.service DESTINATION /usr/share/dbus-1/system-services)
+install(FILES ${PROJECT_BINARY_DIR}/data/kiran-system-daemon-authentication.service DESTINATION /usr/lib/systemd/system/)
diff --git a/data/com.kylinsec.Kiran.SystemDaemon.Accounts.User.xml b/data/com.kylinsec.Kiran.SystemDaemon.Accounts.User.xml
new file mode 100644
index 0000000..b059cb4
--- /dev/null
+++ b/data/com.kylinsec.Kiran.SystemDaemon.Accounts.User.xml
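Review bot: Every `install(FILES …)` in this hunk hard-codes an absolute destination, so the `include(GNUInstallDirs)` in the top-level file and any `CMAKE_INSTALL_PREFIX` other than `/usr` are ignored for everything under data/. The D-Bus policy is the one that matters for security review: it is dropped into `/etc/dbus-1/system.d`, the directory dbus reserves for local administrator overrides, whereas a policy shipped by a package belongs in `${CMAKE_INSTALL_FULL_DATADIR}/dbus-1/system.d` (read by dbus 1.9.18 and later; keep the `/etc` location only if the target distribution's dbus is older). Use the `*_FULL_*` variants so that `SYSCONFDIR` still resolves to `/etc` with a `/usr` prefix, and take the systemd unit directory from `pkg-config --variable=systemdsystemunitdir systemd` rather than assuming `/usr/lib`.

```cmake
install(FILES kiran_authentication.conf DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/dbus-1/system.d)
install(FILES custom.conf DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/kiran-authentication-service/)
install(FILES kiran-auth-service DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/pam.d/)
install(FILES ${PROJECT_BINARY_DIR}/data/com.kylinsec.Kiran.SystemDaemon.Authentication.service DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/dbus-1/system-services)
# … unchanged: systemd unit install (unit dir should come from pkg-config's systemdsystemunitdir) …
```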
@@ -0,0 +1,246 @@ + + + + + + + The new username. + + Sets the users username. Note that it is usually not allowed to have multiple users with the same username. + + + + + The new name, typically in the form "Firstname Lastname". + + Sets the users real name. + + + + + The new email address. + + Sets the users email address. + + + + + The new language, as a locale specification like "de_DE.UTF-8". + + Sets the users language. + + + + + The new xsession to start (e.g. "gnome") + + Sets the users x session. + + + + + The new session to start (e.g. "gnome-xorg") + + Sets the users wayland or x session. + + + + + The type of the new session to start (e.g. "wayland" or "x11") + + Sets the session type of the users session. + + + + + The new homedir as an absolute path. + + Sets the users home directory. + + + + + The new user shell. + + Sets the users shell. + + + + + The absolute filename of a png file to use as the users icon. + + Sets the users icon. + + + + + Whether to lock or unlock the users account. + + Locks or unlocks a users account. + + + + + The new account type, encoded as an integer. Refer to AccountsAccountType in accounts_i.h + + Changes the users account type. + + + + + The new password mode, encoded as an integer: + + Changes the users password mode. Note that changing the password mode has the side-effect of unlocking the account. + + + + + The crypted password. + + + The password hint. + + Sets a new password for this user. Note that setting a password has the side-effect of unlocking the account. + + + + + The password hint. + + Sets the users password hint. + + + + + Whether to enable automatic login for this user. + + Enables or disables automatic login for a user. + Note that usually only one user can have automatic login + enabled, so turning it on for a user will disable it for + the previously configured autologin user. + + + + + + + + + + + + + + The authentication mode which could be fingerprint, face, etc. 
Refer to AccountsAuthMode in accounts_i.h + + + the name of the authentication item. For example fingerprint 1, fingerprint 2, etc. + + + The identity of the collected data for the authentication item. + + Add an auth item for a mode. Return error if the name already exists or the method is unsupported. + + + + + + Delete an auth item by name. Return error if the name doesn't exist or the method is unsupported. + + + + + + The json string is an array that every item contains name and the identity of the collected data. + + + + + + + Enable or disable the authentication mode. + + + + + The uid of the user. + + + + The username of the user. + + + + The users real name. + + + + The users account type, encoded as an integer. Refer to AccountsAccountType in accounts_i.h + + + + The users home directory. + + + + The users shell. + + + + The email address. + + + + The users language, as a locale specification like "de_DE.UTF-8". + + + + The users Wayland or X session. + + + + The type of session the user should use (e.g. "wayland" or "x11") + + + + The users x session. + + + + + The filename of a png file containing the users icon. + + + + + Whether the users account is locked. + + + + The password mode for the user account, encoded as an integer. Refer to AccountsPasswordMode in accounts_i.h + + + + The password hint for the user. + + + + Whether automatic login is enabled for the user. + + + + Whether this is a 'system' account, like 'root' or 'nobody'. + System accounts should normally not appear in lists of users, and ListCachedUsers + will not include such accounts. + + + + Bitwise OR the enabled authentication mode. + + + + + Send this signal when the item of the authentication mode is added or deleted. + + + diff --git a/data/com.kylinsec.Kiran.SystemDaemon.Accounts.xml b/data/com.kylinsec.Kiran.SystemDaemon.Accounts.xml new file mode 100644 index 0000000..d022aec --- /dev/null +++ b/data/com.kylinsec.Kiran.SystemDaemon.Accounts.xml 
@@ -0,0 +1,77 @@ + + + + + + + Object paths of non system users + + + + + + The uid to look up + + + Object path of user + + + + + + The username to look up + + + Object path of user + + + + + + The username for the new user + + + The real name for the new user + + + The account type, encoded as an integer + + + The user uid. If uid is less than zero, then auto to allocate one. + + + Object path of the new user + + + + + + The uid to delete + + + Whether to remove the users files + + + + + + + + Object path of the user that was added. + + + + + + Object path of the user that was deleted. + + + + + \ No newline at end of file diff --git a/data/com.kylinsec.Kiran.SystemDaemon.Authentication.service.in b/data/com.kylinsec.Kiran.SystemDaemon.Authentication.service.in new file mode 100644 index 0000000..1c656a6 --- /dev/null +++ b/data/com.kylinsec.Kiran.SystemDaemon.Authentication.service.in @@ -0,0 +1,5 @@ +[D-BUS Service] +Name=com.kylinsec.Kiran.SystemDaemon.Authentication +Exec=@INSTALL_BINDIR@/kiran_authentication_manager +User=root +SystemdService=kiran-system-daemon-authentication.service diff --git a/data/com.kylinsec.Kiran.SystemDaemon.Authentication.xml b/data/com.kylinsec.Kiran.SystemDaemon.Authentication.xml new file mode 100644 index 0000000..4ebb48f --- /dev/null +++ b/data/com.kylinsec.Kiran.SystemDaemon.Authentication.xml @@ -0,0 +1,56 @@ + + + + + + + + 本次认证的唯一标识ID. + + + + + + 用户名 + + + + 认证方式,串行,并行,参见authentication_i.h. + + + 是否抢占设备 + + + + + + + + + + 应答的消息字符串. + + + + + + + 通过认证的用户名称. + + + 认证状态,参见authentication_i.h. + + + + + + + 消息内容. + + + 消息类型,请求明文信息,请求密码,错误消息,提示信息, 指纹界面, 参见authentication_i.h. + + + + + diff --git a/data/com.kylinsec.Kiran.SystemDaemon.Biometrics.xml b/data/com.kylinsec.Kiran.SystemDaemon.Biometrics.xml new file mode 100644 index 0000000..adae374 --- /dev/null +++ b/data/com.kylinsec.Kiran.SystemDaemon.Biometrics.xml 
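Review bot: `Exec=@INSTALL_BINDIR@/kiran_authentication_manager` in the D-Bus service file names a binary this series never builds or installs; src/CMakeLists.txt adds the target `kiran_authentication_service` and the systemd unit starts `@INSTALL_BINDIR@/kiran_authentication_service`. Because `SystemdService=` is present, dbus-daemon hands activation to systemd on a booted system, so the wrong `Exec=` is masked there and only surfaces where dbus-daemon spawns the service itself (no systemd, or a dbus-daemon built without systemd activation). Change it to `Exec=@INSTALL_BINDIR@/kiran_authentication_service`. Since the file also activates the service as `User=root`, the matching bus policy in data/kiran_authentication.conf (its body is not visible in this rendering) should restrict `own` of this name to root and grant `send_destination` only for the methods clients need.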
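Review bot: The interface delivers results through signals (`AuthStatus` with the authenticated user name and state, `AuthMessages` with PAM prompts including password requests), and D-Bus signals are broadcast on the system bus to every connection the policy lets receive. If those signals also carry the session id that `CreateAuth` returns, as the daemon code later in this series appears to do when it passes `session->sid` to the emitters, any process on the bus learns the handle, and `Response` and `StopAuth` are addressed by that handle alone, so the method handlers must check that the invocation's sender equals the `sender` recorded at `CreateAuth` before acting (one `g_strcmp0` against the stored value), or the signals should be emitted unicast to the stored sender via `g_dbus_connection_emit_signal` with a non-NULL destination instead of the skeleton's broadcast emitter. The XML should state that contract either way. It should also say whether the `occupy` argument of `StartAuth`, which preempts the fingerprint device from other sessions, is honoured for unprivileged callers.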
@@ -0,0 +1,197 @@ + + + + + + + +]> + + + + + + 启动用户指纹采集流程, 采集结果通过发出EnrollFprintStatus信号进行通知 + + 权限不足 + 未发现设备 + 设备已经在使用 + 内部其它错误 + + + + + + 描述采集过程状态的文本信息 + + + + 采集到的指纹模板标识ID + + + + 一个1到100之间的数字,描述指纹采集的进度 + + + + 表示指纹采集是否完成 + + + + + + 停止指纹采集 + + 权限不足 + 未发现设备 + 内部其它错误 + + + + + + 启动指纹比对流程,比对结果通过发送信号VerifyFprintStatus进行通知 + + 权限不足 + 未发现设备 + 设备已经在使用 + 内部其它错误 + + + + + + 描述认证过程的信息文本 + + + + 指纹认证过程程是否已经结束 + + + + 是否匹配到指纹模板 + + + + 匹配的指纹模板ID + + + + + + 结束指纹认证过程 + + 权限不足 + 不存在指纹认证流程 + 内部其它错误 + + + + + + 要删除的指纹模板ID + + + 删除给定ID的指纹模板数据 + + 权限不足 + 内部其它错误 + + + + + + zerozmq 服务器的地址 + + + 启动人脸采集流程 + + 权限不足 + 未发现设备 + 设备已经在使用 + 内部其它错误 + + + + + + 描述人脸采集状态信息的文本 + + + + 标识采集到的指纹模板ID + + + + 一个0到100的数值,表示人脸采集的进度 + + + + 人脸采集是否结束 + + + + + + 停止指纹采集过程 + + 权限不足 + 不存在指纹采集过程 + 内部其它错误 + + + + + + 要比对的人脸模板id + + + 启动人脸比对流程,比对结果会通过发出信号VerifyFaceStatus进行通知 + + 权限不足 + 未发现设备 + 设备已经在使用 + 内部其它错误 + + + + + + 描述人脸比对过程状态信息的文本 + + + + 人脸比对过程是否结束 + + + 人脸是否匹配 + + + + + + 停止人脸比对流程 + + 权限不足 + 不存在人脸比对流程 + 内部其它错误 + + + + + + 人脸模板的ID + + + 删除给定ID的人脸模板 + + 权限不足 + 内部其它错误 + + + + + diff --git a/data/custom.conf b/data/custom.conf new file mode 100644 index 0000000..c8c405b --- /dev/null +++ b/data/custom.conf @@ -0,0 +1,2 @@ +[daemon] +SessionAuthType = 2 diff --git a/data/kiran-auth-service b/data/kiran-auth-service new file mode 100644 index 0000000..8a8cc7c --- /dev/null +++ b/data/kiran-auth-service @@ -0,0 +1,2 @@ +#%PAM-1.0 +auth required pam_unix.so diff --git a/data/kiran-system-daemon-authentication.service.in b/data/kiran-system-daemon-authentication.service.in new file mode 100644 index 0000000..4d34007 --- /dev/null +++ b/data/kiran-system-daemon-authentication.service.in 
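Review bot: The `kiran-auth-service` stack consists of a single `auth required pam_unix.so` line with no `account` type, and the daemon in this series opens PAM with exactly this service name (`#define SERVICE "kiran-auth-service"` in src/kiran-auth-service.c), so a later `pam_acct_mgmt()` against it falls through to `/etc/pam.d/other`, which on most distributions is a deny-all; if expired or disabled accounts are meant to be rejected here, add `account required pam_unix.so`, and if they are not, say so in a comment so nobody adds the call expecting it to work. This stack is evaluated by a root daemon for a user name supplied by the bus caller, and nothing in the visible part of the series limits attempts, so a failure delay such as `auth required pam_faildelay.so delay=2000000` (or the distribution's faillock line) is worth considering. Confirm against the `Response` handler, which is outside this chunk.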
@@ -0,0 +1,14 @@ +[Unit] +Description=Kiran System Daemon Authentication Service + +[Service] +Type=dbus +BusName=com.kylinsec.Kiran.SystemDaemon.Authentication +ExecStart=@INSTALL_BINDIR@/kiran_authentication_service + +[Install] +# We pull this in by graphical.target instead of waiting for the bus +# activation, to speed things up a little: gdm uses this anyway so it is nice +# if it is already around when gdm wants to use it and doesn't have to wait for +# it. +WantedBy=graphical.target diff --git a/data/kiran_authentication.conf b/data/kiran_authentication.conf new file mode 100644 index 0000000..865a58f --- /dev/null +++ b/data/kiran_authentication.conf @@ -0,0 +1,13 @@ + + + + + + + + + + + diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt new file mode 100644 index 0000000..c278bc4 --- /dev/null +++ b/src/CMakeLists.txt 
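Review bot: The `[Service]` section has no `User=` and no sandboxing, so the daemon runs as root with the full default capability set (the D-Bus `.service.in` in this series says `User=root` explicitly). Root is needed for pam_unix to read /etc/shadow directly, but nothing else this process does needs write access to the system tree, home directories or the network, so the usual hardening directives can be added; they should be checked against the `kiran-auth-service` PAM stack, which in this series is pam_unix only, and `RestrictAddressFamilies`/`PrivateNetwork` dropped if that stack ever gains a network-backed module. The trailing comment about gdm pulling the unit in via graphical.target should also state that this is the Kiran login path, since it reads as copied from another project.

```ini
[Service]
Type=dbus
BusName=com.kylinsec.Kiran.SystemDaemon.Authentication
ExecStart=@INSTALL_BINDIR@/kiran_authentication_service
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateNetwork=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX
```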
@@ -0,0 +1,54 @@
+find_package (PkgConfig REQUIRED)
+
+pkg_check_modules (GLIB2 REQUIRED glib-2.0)
+pkg_check_modules (GIO REQUIRED gio-2.0)
+pkg_check_modules (GIO_UNIX REQUIRED gio-unix-2.0)
+pkg_check_modules (ZLOG REQUIRED zlog)
+pkg_check_modules (GLIB_JSON REQUIRED json-glib-1.0)
+pkg_check_modules (KIRAN_CC_DAEMON REQUIRED kiran-cc-daemon)
+
+find_library(PAM_LIBRARY pam)
+find_program(GDBUS_CODEGEN "gdbus-codegen")
+
+if (NOT GDBUS_CODEGEN)
+ message(FATAL_ERROR "gdbus-codegen program not found")
+else()
+ message("found ${GDBUS_CODEGEN}")
+endif (NOT GDBUS_CODEGEN)
+
+add_custom_command(OUTPUT kiran-authentication-gen.c kiran-authentication-gen.h
+ COMMAND ${GDBUS_CODEGEN} --c-namespace Kiran --interface-prefix com.kylinsec.Kiran.SystemDaemon --generate-c-code kiran-authentication-gen ${PROJECT_SOURCE_DIR}/data/com.kylinsec.Kiran.SystemDaemon.Authentication.xml
+ DEPENDS ${PROJECT_SOURCE_DIR}/data/com.kylinsec.Kiran.SystemDaemon.Authentication.xml
+)
+
+add_custom_command(OUTPUT kiran-user-gen.c kiran-user-gen.h
+ COMMAND ${GDBUS_CODEGEN} --c-namespace Kiran --interface-prefix com.kylinsec.Kiran.SystemDaemon --generate-c-code kiran-user-gen ${PROJECT_SOURCE_DIR}/data/com.kylinsec.Kiran.SystemDaemon.Accounts.User.xml
+ DEPENDS ${PROJECT_SOURCE_DIR}/data/com.kylinsec.Kiran.SystemDaemon.Accounts.User.xml
+)
+
+add_custom_command(OUTPUT kiran-accounts-gen.c kiran-accounts-gen.h
+ COMMAND ${GDBUS_CODEGEN} --c-namespace Kiran --interface-prefix com.kylinsec.Kiran.SystemDaemon --generate-c-code kiran-accounts-gen ${PROJECT_SOURCE_DIR}/data/com.kylinsec.Kiran.SystemDaemon.Accounts.xml
+ DEPENDS ${PROJECT_SOURCE_DIR}/data/com.kylinsec.Kiran.SystemDaemon.Accounts.xml
+)
+
+add_custom_command(OUTPUT kiran-biometrics-gen.c kiran-biometrics-gen.h
+ COMMAND ${GDBUS_CODEGEN} --c-namespace Kiran --interface-prefix com.kylinsec.Kiran.SystemDaemon --generate-c-code kiran-biometrics-gen ${PROJECT_SOURCE_DIR}/data/com.kylinsec.Kiran.SystemDaemon.Biometrics.xml
+ DEPENDS ${PROJECT_SOURCE_DIR}/data/com.kylinsec.Kiran.SystemDaemon.Biometrics.xml
+)
+
+include_directories(${CMAKE_CURRENT_SOURCE_DIR})
+include_directories(${CMAKE_CURRENT_BINARY_DIR})
+
+include_directories(${GLIB_JSON_INCLUDE_DIRS} ${KIRAN_CC_DAEMON_INCLUDE_DIRS})
+
+include_directories(${ZLOG_INCLUDE_DIRS} ${GLIB2_INCLUDE_DIRS} ${GIO_INCLUDE_DIRS} ${GIO_UNIX_INCLUDE_DIRS})
+add_executable (kiran_authentication_service main.c kiran-authentication-gen.c kiran-auth-service.c kiran-accounts-gen.c kiran-user-gen.c kiran-biometrics-gen.c)
+target_link_libraries(kiran_authentication_service pam ${ZLOG_LIBRARIES} ${GLIB2_LIBRARIES} ${GIO_LIBRARIES} ${GIO_UNIX_LIBRARIES} ${GLIB_JSON_LIBRARIES})
+install(TARGETS kiran_authentication_service RUNTIME DESTINATION ${INSTALL_BINDIR})
+
+add_library(pam_kiran_authentication MODULE pam-kiran-authentication.c kiran-authentication-gen.c)
+set_target_properties(pam_kiran_authentication PROPERTIES PREFIX "")
+target_link_libraries(pam_kiran_authentication pam_misc ${GLIB2_LIBRARIES} ${GDBUS_LIBRARIES} ${GLIB_JSON_LIBRARIES})
+install(TARGETS pam_kiran_authentication LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}/security/)
+
+install(FILES authentication_i.h DESTINATION /usr/include)
diff --git a/src/authentication_i.h b/src/authentication_i.h
new file mode 100644
index 0000000..7ce2317
--- /dev/null
+++ b/src/authentication_i.h
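Review bot: The PAM module's `target_link_libraries(pam_kiran_authentication pam_misc ${GLIB2_LIBRARIES} ${GDBUS_LIBRARIES} ${GLIB_JSON_LIBRARIES})` references `GDBUS_LIBRARIES`, which no `pkg_check_modules` in this tree defines, so the module is linked without gio-2.0 even though it compiles the gdbus-codegen output `kiran-authentication-gen.c`. A MODULE library with unresolved GIO symbols links without complaint and fails only when Linux-PAM `dlopen`s it with RTLD_NOW inside a login, at which point the loader most likely treats the entry as a failed module and, with `auth required`, every user on that stack is refused. Use the already-detected variables and the `find_library` result that is currently unused (and make it `REQUIRED`): `find_library(PAM_LIBRARY pam REQUIRED)` and `target_link_libraries(pam_kiran_authentication pam_misc ${PAM_LIBRARY} ${GLIB2_LIBRARIES} ${GIO_LIBRARIES} ${GLIB_JSON_LIBRARIES})`. The header install at the end bypasses GNUInstallDirs as well: `install(FILES authentication_i.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR})`.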
@@ -0,0 +1,50 @@
+/**
+ *@file authentication_i.h
+ *@brief 认证服务头文件
+ *@author wangxiaoqing
+ *@copyright(c) 2021 KylinSec.All rights reserved.
+ */
+#ifndef __AUTHENTICATION_I_H__
+#define __AUTHENTICATION_I_H__
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#define AUTH_SERVICE_DBUS_NAME "com.kylinsec.Kiran.SystemDaemon.Authentication"
+#define AUTH_SERVICE_OBJECT_PATH "/com/kylinsec/Kiran/SystemDaemon/Authentication"
+#define ASK_AUTH_SID "ReqSessionId"
+
+ /**
+ * 认证方式
+ *
+ */
+ enum SessionAuthType
+ {
+ //使用默认的认证类型
+ SESSION_AUTH_TYPE_DEFAULT = 0,
+ //串行认证方式,依次进行认证
+ SESSION_AUTH_TYPE_ONE = 1,
+ //并行认证方式,同时进行多种认证
+ SESSION_AUTH_TYPE_TOGETHER = 2,
+ //并行认证方式,生物认证对给定的用户进行认证
+ SESSION_AUTH_TYPE_TOGETHER_WITH_USER = 3,
+ };
+
+ /*
+ * 认证状态
+ *
+ */
+ enum SessionAuthState
+ {
+ //认证成功
+ SESSION_AUTH_SUCCESS = 0,
+ //认证失败
+ SESSION_AUTH_FAIL = 1,
+ };
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* __AUTHENTICATION_I_H__ */
diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c
new file mode 100644
index 0000000..8239623
--- /dev/null
+++ b/src/kiran-auth-service.c
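Review bot: The include guard `__AUTHENTICATION_I_H__` is an identifier reserved for the implementation (leading double underscore, C11 §7.1.3), and this header is installed system-wide where it sits next to libc and toolchain headers; rename the three guard lines to `#ifndef AUTHENTICATION_I_H`, `#define AUTHENTICATION_I_H` and `#endif /* AUTHENTICATION_I_H */`. `ASK_AUTH_SID "ReqSessionId"` carries no comment saying what it is or who compares against it; from the name it is presumably the conversation prompt the PAM module issues so the application can hand over the session id from `CreateAuth`, which is a contract out-of-tree callers must implement exactly, so confirm and document it next to the define. The enum comments are Chinese-only in a public header; an English one-liner per value (for instance `/* parallel: the biometric match decides which user is authenticated */` on `SESSION_AUTH_TYPE_TOGETHER`) would make the installed API usable by other consumers.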
@@ -0,0 +1,973 @@ +/** + *@file kiran-auth-service.c + *@brief 实现DBus服务的认证接口 + *@author wangxiaoqing + *@copyright(c) 2021 KylinSec.All rights reserved. + */ +#include "kiran-auth-service.h" +#include +#include +#include +#include +#include "authentication_i.h" +#include "kiran-accounts-gen.h" +#include "kiran-biometrics-gen.h" +#include "kiran-user-gen.h" + +#define MAX_THREAD_NUM 50 +#define CONF_FILE "/etc/kiran-authentication-service/custom.conf" +#define SERVICE "kiran-auth-service" + +typedef struct _AuthSession AuthSession; + +/* + * 认证会话结构体,保存每个会话的 + * 状态信息 + * + */ +struct _AuthSession +{ + //会话ID + char *sid; + //认证的用户名称 + char *username; + //用户认证模式 + int user_auth_mode; + //会话认证方式 + int session_auth_type; + //是否抢占设备 + gboolean occupy; + //绑定指纹的id + char *fprint_id; + + //是否已经开始认证 + gboolean is_start; + gboolean have_fingerprint_auth; + + //调用者dbus连接 + char *sender; + + pam_handle_t *pam_handle; + GCond prompt_cond; + GMutex prompt_mutex; + gchar *respons_msg; + gboolean stop_auth; + GCond stop_cond; + GMutex stop_mutex; + + KiranAuthService *service; +}; + +struct _KiranAuthServicePrivate +{ + guint bus_name_id; + + //认证列表 + GList *auth_list; + //认证线程池 + GThreadPool *auth_thread_pool; + //默认的会话认证类型 + int default_session_auth_type; + + KiranBiometrics *biometrics; + KiranAccounts *accounts; + + //当前进行指纹认证的会话 + AuthSession *cur_fprint_session; + + GDBusConnection *connection; +}; + +static void kiran_authentication_gen_init(KiranAuthenticationGenIface *iface); + +#define KIRAN_AUTH_SERVICE_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE((o), \ + KIRAN_TYPE_AUTH_SERVICE, KiranAuthServicePrivate)) + +G_DEFINE_TYPE_WITH_CODE(KiranAuthService, kiran_auth_service, KIRAN_TYPE_AUTHENTICATION_GEN_SKELETON, + G_IMPLEMENT_INTERFACE(KIRAN_TYPE_AUTHENTICATION_GEN, kiran_authentication_gen_init)) + +static void do_session_passwd_auth(KiranAuthService *service, + AuthSession *session); +static int +default_session_auth_setting(KiranAuthService *service) +{ + 
KiranAuthServicePrivate *priv = service->priv; + GKeyFile *key_file = NULL; + GError *error = NULL; + int session_auth_type; + gboolean ret; + int value; + + key_file = g_key_file_new(); + + ret = g_key_file_load_from_file(key_file, + CONF_FILE, + G_KEY_FILE_NONE, + &error); + if (!ret) + { + dzlog_error("Key file load fialed: %s", error->message); + g_error_free(error); + return session_auth_type; + } + + error = NULL; + + /* + *获取会话认证类型: + * 1 标识串行 + * 2 标识并行 + * 3 标识并行,指定用户认证 + * 其它的不识别 + */ + value = g_key_file_get_integer(key_file, + "daemon", + "SessionAuthType", + NULL); + + switch (value) + { + case 2: + session_auth_type = SESSION_AUTH_TYPE_TOGETHER; + break; + + case 3: + session_auth_type = SESSION_AUTH_TYPE_TOGETHER_WITH_USER; + break; + + default: + session_auth_type = SESSION_AUTH_TYPE_ONE; + break; + } + + g_key_file_free(key_file); + key_file = NULL; + + priv->default_session_auth_type = session_auth_type; +} + +static void +auth_session_free(gpointer data) +{ + AuthSession *session = data; + + g_mutex_clear(&session->prompt_mutex); + g_cond_clear(&session->prompt_cond); + g_mutex_clear(&session->stop_mutex); + g_cond_clear(&session->stop_cond); + + g_free(session->username); + g_free(session->sender); + g_free(session->fprint_id); + g_free(session); +} + +static void +kiran_auth_service_finalize(GObject *object) +{ + KiranAuthService *service = KIRAN_AUTH_SERVICE(object); + KiranAuthServicePrivate *priv = service->priv; + + if (priv->bus_name_id > 0) + { + g_bus_unown_name(priv->bus_name_id); + priv->bus_name_id = 0; + } + + if (priv->biometrics) + { + g_object_unref(priv->biometrics); + priv->biometrics = NULL; + } + + if (priv->accounts) + { + g_object_unref(priv->accounts); + priv->accounts = NULL; + } + + g_list_free_full(priv->auth_list, auth_session_free); + priv->auth_list = NULL; + + g_thread_pool_free(priv->auth_thread_pool, + TRUE, + TRUE); + + priv->auth_thread_pool = NULL; + + 
G_OBJECT_CLASS(kiran_auth_service_parent_class)->finalize(object); +} + +static void +verify_fprint_status_cb(KiranBiometrics *object, + const gchar *arg_result, + gboolean arg_done, + gboolean arg_found, + const gchar *arg_id, + gpointer user_data) +{ + KiranAuthService *service = KIRAN_AUTH_SERVICE(user_data); + KiranAuthServicePrivate *priv = service->priv; + AuthSession *session = priv->cur_fprint_session; + + if (!session) + { + return; + } + + dzlog_debug("verify_fprint_status: %s, %d, %d, %s\n", + arg_result, + arg_done, + arg_found, + arg_id); + + //发送认证消息 + kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), + arg_result, + PAM_TEXT_INFO, + session->sid); + + if (session->session_auth_type == SESSION_AUTH_TYPE_TOGETHER) + { + if (arg_found) + { + char *username = NULL; + + //查找绑定的用户 + + if (username) + { + //停止指纹认证 + kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); + priv->cur_fprint_session = NULL; + //指纹认证成功 + kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), + username, + SESSION_AUTH_SUCCESS, + session->sid); + } + } + } + else if (session->session_auth_type == SESSION_AUTH_TYPE_TOGETHER_WITH_USER) + { + //对当前用户的指纹进行认证 + if (arg_found && g_strcmp0(arg_id, session->fprint_id) == 0) + { + //停止指纹认证 + kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); + priv->cur_fprint_session = NULL; + //指纹认证成功 + kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), + session->username, + SESSION_AUTH_SUCCESS, + session->sid); + } + } + else + { + if (arg_found && g_strcmp0(arg_id, session->fprint_id) == 0) + { + //停止指纹认证 + kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); + priv->cur_fprint_session = NULL; + + if (session->user_auth_mode & ACCOUNTS_AUTH_MODE_PASSWORD) + { + //进行串行认证,指纹通过,启动密码认证 + do_session_passwd_auth(service, session); + } + else + { + 
kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), + session->username, + SESSION_AUTH_SUCCESS, + session->sid); + } + return; + } + + if (arg_done) + { + //认证失败 + kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), + session->username, + SESSION_AUTH_FAIL, + session->sid); + } + } +} + +static AuthSession * +find_auth_session_by_sender(KiranAuthService *service, + const char *sender) +{ + KiranAuthServicePrivate *priv = service->priv; + GList *iter = priv->auth_list; + + for (; iter; iter = iter->next) + { + AuthSession *session = iter->data; + + if (g_strcmp0(session->sender, sender) == 0) + { + return session; + } + } + + return NULL; +} + +static void +auth_session_stop(KiranAuthService *service, + AuthSession *session) +{ + KiranAuthServicePrivate *priv = service->priv; + + if (session == priv->cur_fprint_session) + { + //停止指纹认证 + kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); + priv->cur_fprint_session = NULL; + } + + //停止密码认证 + if (session->pam_handle) + { + session->stop_auth = TRUE; + g_mutex_lock(&session->stop_mutex); + g_cond_wait(&session->stop_cond, &session->stop_mutex); + g_mutex_unlock(&session->stop_mutex); + } + + //删除该会话 + priv->auth_list = g_list_remove(priv->auth_list, session); + auth_session_free(session); +} + +static void +on_name_lost(GDBusConnection *connection, + const gchar *sender_name, + const gchar *object_path, + const gchar *interface_name, + const gchar *signal_name, + GVariant *parameters, + gpointer user_data) +{ + KiranAuthService *service = KIRAN_AUTH_SERVICE(user_data); + KiranAuthServicePrivate *priv = service->priv; + AuthSession *session = NULL; + GVariant *value; + const gchar *first; + const gchar *last; + gsize length; + gsize i; + + length = g_variant_n_children(parameters); + + if (length < 1) + return; + + value = g_variant_get_child_value(parameters, 0); + first = g_variant_get_string(value, NULL); + + value = 
g_variant_get_child_value(parameters, length - 1); + last = g_variant_get_string(value, NULL); + + session = find_auth_session_by_sender(service, first); + + if (session && (g_strcmp0(last, "") == 0)) + { + //dbus连接断开,停止本次认证 + auth_session_stop(service, session); + } +} + +static void +bus_acquired_cb(GDBusConnection *connection, + const char *name, + gpointer user_data) +{ + KiranAuthService *service = KIRAN_AUTH_SERVICE(user_data); + KiranAuthServicePrivate *priv = service->priv; + GDBusInterfaceSkeleton *skeleton = G_DBUS_INTERFACE_SKELETON(service); + GError *error = NULL; + + priv->connection = connection; + g_dbus_interface_skeleton_export(skeleton, + connection, + AUTH_SERVICE_OBJECT_PATH, + &error); + + if (error != NULL) + { + dzlog_error("Failed export interface: %s", error->message); + g_error_free(error); + } + + error = NULL; + priv->biometrics = kiran_biometrics_proxy_new_sync(connection, + G_BUS_NAME_WATCHER_FLAGS_NONE, + "com.kylinsec.Kiran.SystemDaemon.Biometrics", + "/com/kylinsec/Kiran/SystemDaemon/Biometrics", + NULL, + &error); + if (priv->biometrics) + { + g_signal_connect(priv->biometrics, + "verify-fprint-status", + G_CALLBACK(verify_fprint_status_cb), + service); + } + else + { + dzlog_error("Failed biometrics new: %s", error->message); + g_error_free(error); + } + + error = NULL; + priv->accounts = kiran_accounts_proxy_new_sync(connection, + G_BUS_NAME_WATCHER_FLAGS_NONE, + ACCOUNTS_DBUS_NAME, + ACCOUNTS_OBJECT_PATH, + NULL, + &error); + if (priv->accounts == NULL) + { + dzlog_error("Error with getting the bus: %s", error->message); + g_error_free(error); + } + + //监听bus总线信号 + g_dbus_connection_signal_subscribe(connection, + "org.freedesktop.DBus", + "org.freedesktop.DBus", + NULL, + "/org/freedesktop/DBus", + NULL, + G_DBUS_SIGNAL_FLAGS_NONE, + (GDBusSignalCallback)on_name_lost, + service, NULL); +} + +static AuthSession * +find_auth_session_by_sid(KiranAuthService *service, + const char *sid) +{ + KiranAuthServicePrivate *priv = 
service->priv; + GList *iter = priv->auth_list; + + for (; iter; iter = iter->next) + { + AuthSession *session = iter->data; + + if (g_strcmp0(session->sid, sid) == 0) + { + return session; + } + } + + return NULL; +} + +static gboolean +kiran_auth_service_handle_create_auth(KiranAuthenticationGen *object, + GDBusMethodInvocation *invocation) +{ + KiranAuthService *service = KIRAN_AUTH_SERVICE(object); + KiranAuthServicePrivate *priv = service->priv; + AuthSession *new_auth_session = NULL; + AuthSession *session = NULL; + gchar *sid = g_uuid_string_random(); + const gchar *sender; + + sender = g_dbus_method_invocation_get_sender(invocation); + + session = find_auth_session_by_sender(service, sender); + if (session) + { + //每个连接只允许创建一个认证 + g_dbus_method_invocation_return_error(invocation, + G_DBUS_ERROR, + G_DBUS_ERROR_INVALID_ARGS, + "Have create a auth with connection"); + return TRUE; + } + + session = find_auth_session_by_sid(service, sid); + while (session != NULL) + { + //如果生成sid已经被占用,则重新生成 + g_free(sid); + sid = g_uuid_string_random(); + session = find_auth_session_by_sid(service, sid); + } + + new_auth_session = g_new0(AuthSession, 1); + new_auth_session->sid = sid; + + if (sender) + new_auth_session->sender = g_strdup(sender); + + //添加到会话列表中 + priv->auth_list = g_list_append(priv->auth_list, new_auth_session); + + g_dbus_method_invocation_return_value(invocation, + g_variant_new("(s)", new_auth_session->sid)); + + return TRUE; +} + +static char * +parser_auth_items_json_data(const char *data) +{ + JsonParser *jparse = json_parser_new(); + JsonNode *root; + JsonReader *reader; + GError *error = NULL; + char *id = NULL; + gboolean ret; + + ret = json_parser_load_from_data(jparse, + data, + -1, + &error); + if (!ret) + { + dzlog_error("Error with parse json data: %s", error->message); + g_error_free(error); + return NULL; + } + + root = json_parser_get_root(jparse); + if (json_node_get_node_type(root) == JSON_NODE_ARRAY) + { + JsonArray *array = 
json_node_get_array(root); + GList *list = json_array_get_elements(array); + GList *iter; + + reader = json_reader_new(NULL); + for (iter = list; iter; iter = iter->next) + { + const gchar *data_id; + + json_reader_set_root(reader, iter->data); + json_reader_read_member(reader, "data_id"); + data_id = json_reader_get_string_value(reader); + if (data_id) + { + id = strdup(data_id); + break; + } + } + g_object_unref(reader); + } + + g_object_unref(jparse); + + return id; +} + +static void +get_user_account_info(KiranAuthService *service, + AuthSession *session) +{ + KiranAuthServicePrivate *priv = service->priv; + KiranAccountsUser *user = NULL; + GError *error = NULL; + gchar *path = NULL; + gchar *auth = NULL; + gchar *auth_items = NULL; + gboolean ret; + + session->user_auth_mode = ACCOUNTS_AUTH_MODE_NONE; + path = NULL; + error = NULL; + + ret = kiran_accounts_call_find_user_by_name_sync(priv->accounts, + session->username, + &path, + NULL, + &error); + if (!ret) + { + dzlog_error("Error with find the user object path: %s", error->message); + g_error_free(error); + } + + error = NULL; + user = kiran_accounts_user_proxy_new_sync(priv->connection, + G_BUS_NAME_WATCHER_FLAGS_NONE, + ACCOUNTS_DBUS_INTERFACE_NAME, + path, + NULL, + &error); + g_free(path); + + if (user == NULL) + { + dzlog_error("Error with getting the bus: %s", error->message); + g_error_free(error); + } + + session->user_auth_mode = kiran_accounts_user_get_auth_modes(user); + + error = NULL; + ret = kiran_accounts_user_call_get_auth_items_sync(user, + ACCOUNTS_AUTH_MODE_FINGERPRINT, + &auth_items, + NULL, + &error); + if (!ret || !auth_items) + { + dzlog_error("Error with getting the auth item: %s", error->message); + g_error_free(error); + } + else + { + session->fprint_id = parser_auth_items_json_data(auth_items); + } + + g_object_unref(user); +} + +static gboolean +kiran_auth_service_handle_start_auth(KiranAuthenticationGen *object, + GDBusMethodInvocation *invocation, + const gchar 
*arg_username, + const gchar *arg_sid, + gint arg_type_op, + gboolean arg_occupy) +{ + KiranAuthService *service = KIRAN_AUTH_SERVICE(object); + KiranAuthServicePrivate *priv = service->priv; + AuthSession *session = NULL; + GError *error = NULL; + gboolean ret = FALSE; + + session = find_auth_session_by_sid(service, arg_sid); + if (session == NULL) + { + //不存在对应的会话 + g_dbus_method_invocation_return_error(invocation, + G_DBUS_ERROR, + G_DBUS_ERROR_INVALID_ARGS, + "The auth session id %s not existed", + arg_sid); + return TRUE; + } + + if (session->is_start) + { + //该会话正在进行中 + g_dbus_method_invocation_return_error(invocation, + G_DBUS_ERROR, + G_DBUS_ERROR_INVALID_ARGS, + "The auth session already runnig"); + return TRUE; + } + + g_free(session->username); + session->username = g_strdup(arg_username); + + if (arg_type_op == SESSION_AUTH_TYPE_ONE || + arg_type_op == SESSION_AUTH_TYPE_TOGETHER || + arg_type_op == SESSION_AUTH_TYPE_TOGETHER_WITH_USER) + { + session->session_auth_type = arg_type_op; + } + else + { //使用默认的认证方式 + session->session_auth_type = priv->default_session_auth_type; + } + + session->occupy = arg_occupy; + get_user_account_info(service, session); + session->stop_auth = FALSE; + session->service = service; + + g_mutex_init(&session->prompt_mutex); + g_cond_init(&session->prompt_cond); + g_mutex_init(&session->stop_mutex); + g_cond_init(&session->stop_cond); + + ret = g_thread_pool_push(priv->auth_thread_pool, + session, + &error); + if (!ret) + { + g_dbus_method_invocation_return_error(invocation, + G_DBUS_ERROR, + G_DBUS_ERROR_INVALID_ARGS, + "Push to auth thread pool failed: %s", + error->message); + dzlog_error("ush to auth thread pool failed: %s", error->message); + g_error_free(error); + } +} + +static gboolean +kiran_auth_service_handle_stop_auth(KiranAuthenticationGen *object, + GDBusMethodInvocation *invocation, + const gchar *arg_sid) +{ + KiranAuthService *service = KIRAN_AUTH_SERVICE(object); + KiranAuthServicePrivate *priv = 
service->priv; + AuthSession *session = NULL; + + session = find_auth_session_by_sid(service, arg_sid); + if (session == NULL) + { + //不存在对应的会话 + g_dbus_method_invocation_return_error(invocation, + G_DBUS_ERROR, + G_DBUS_ERROR_INVALID_ARGS, + "The auth session id %s not existed", + arg_sid); + return TRUE; + } + + auth_session_stop(service, session); + + return TRUE; +} + +static gboolean +kiran_auth_service_handle_response_message(KiranAuthenticationGen *object, + GDBusMethodInvocation *invocation, + const gchar *arg_message, + const gchar *arg_sid) +{ + KiranAuthService *service = KIRAN_AUTH_SERVICE(object); + KiranAuthServicePrivate *priv = service->priv; + AuthSession *session = NULL; + + session = find_auth_session_by_sid(service, arg_sid); + if (session != NULL) + { + g_mutex_lock(&session->prompt_mutex); + g_free(session->respons_msg); + session->respons_msg = g_strdup(arg_message); + g_cond_signal(&session->prompt_cond); + g_mutex_unlock(&session->prompt_mutex); + } +} + +static void +kiran_authentication_gen_init(KiranAuthenticationGenIface *iface) +{ + iface->handle_create_auth = kiran_auth_service_handle_create_auth; + iface->handle_start_auth = kiran_auth_service_handle_start_auth; + iface->handle_stop_auth = kiran_auth_service_handle_stop_auth; + iface->handle_response_message = kiran_auth_service_handle_response_message; +} + +static int +pam_conv_cb(int msg_length, + const struct pam_message **msg, + struct pam_response **resp, + void *app_data) +{ + AuthSession *session = app_data; + KiranAuthService *service = session->service; + const struct pam_message *m = msg[0]; + struct pam_response *response = calloc(1, sizeof(struct pam_response)); + struct pam_response *r = &response[0]; + + if (session->stop_auth) + return PAM_CONV_ERR; + + //发送认证消息 + kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), + m->msg, + m->msg_style, + session->sid); + + if (m->msg_style == PAM_PROMPT_ECHO_ON || + m->msg_style == PAM_PROMPT_ECHO_OFF) 
+ { + //等待请求的消息 + g_mutex_lock(&session->prompt_mutex); + g_cond_wait(&session->prompt_cond, &session->prompt_mutex); + r->resp = g_strdup(session->respons_msg); + r->resp_retcode = 0; + g_mutex_unlock(&session->prompt_mutex); + } + + *resp = response; + + return PAM_SUCCESS; +} + +static void +do_session_passwd_auth(KiranAuthService *service, + AuthSession *session) +{ + struct pam_conv conversation = {pam_conv_cb, session}; + int ret, state; + const void *user; + + ret = pam_start(SERVICE, session->username, &conversation, &session->pam_handle); + if (ret != PAM_SUCCESS) + { + dzlog_error("Failed to start PAM: %s", pam_strerror(NULL, ret)); + return; + } + + ret = pam_authenticate(session->pam_handle, 0); + if (ret != PAM_SUCCESS) + { + //认证失败 + state = SESSION_AUTH_FAIL; + dzlog_error("Failed to PAM authenticate: %s", pam_strerror(NULL, ret)); + } + else + { + //认证成功 + state = SESSION_AUTH_SUCCESS; + } + + pam_get_item(session->pam_handle, PAM_USER, &user); + kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), + user, + state, + session->sid); + + pam_end(session->pam_handle, 0); + session->pam_handle = NULL; + g_mutex_lock(&session->stop_mutex); + g_cond_signal(&session->stop_cond); + g_mutex_unlock(&session->stop_mutex); +} + +static gboolean +do_session_fingerprint_auth(KiranAuthService *service, + AuthSession *session) +{ + KiranAuthServicePrivate *priv = service->priv; + GError *error = NULL; + + if (session->occupy) + { + //抢占该认证 + kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); + } + + kiran_biometrics_call_verify_fprint_start_sync(priv->biometrics, + NULL, + &error); + + if (error != NULL) + { + dzlog_error("call verify fprint start failed: %s", error->message); + g_error_free(error); + return FALSE; + } + + priv->cur_fprint_session = session; + + return TRUE; +} + +static void +do_authentication(gpointer data, + gpointer user_data) +{ + KiranAuthService *service = KIRAN_AUTH_SERVICE(user_data); + 
AuthSession *session = data; + + dzlog_debug("Start authentication with sid: %s, username:%s, authmode:%d, session_auth_type:%d, occupy:%d", + session->sid, session->username, session->user_auth_mode, + session->session_auth_type, session->occupy); + + //开启认证 + session->is_start = TRUE; + + switch (session->session_auth_type) + { + case SESSION_AUTH_TYPE_TOGETHER: + //并行认证模式 + //启动指纹认证 + do_session_fingerprint_auth(service, session); + + //启动密码认证 + do_session_passwd_auth(service, session); + break; + + case SESSION_AUTH_TYPE_TOGETHER_WITH_USER: + //并行认证模式, 针对给定用户 + if (session->user_auth_mode & ACCOUNTS_AUTH_MODE_FINGERPRINT) + { + //启动指纹认证 + do_session_fingerprint_auth(service, session); + } + + //启动密码认证 + do_session_passwd_auth(service, session); + break; + + default: + //串行认证模式 + if (session->user_auth_mode & ACCOUNTS_AUTH_MODE_FINGERPRINT) + { + //启动指纹认证 + do_session_fingerprint_auth(service, session); + } + } +} + +static void +kiran_auth_service_init(KiranAuthService *self) +{ + KiranAuthServicePrivate *priv; + static guint id; + GError *error = NULL; + + priv = self->priv = KIRAN_AUTH_SERVICE_GET_PRIVATE(self); + priv->auth_list = NULL; + priv->biometrics = NULL; + priv->cur_fprint_session = NULL; + + default_session_auth_setting(self); + priv->auth_thread_pool = g_thread_pool_new(do_authentication, + self, + MAX_THREAD_NUM, + TRUE, + &error); + + if (priv->auth_thread_pool == NULL) + { + dzlog_error("Failed ceate thread pool: %s", error->message); + g_error_free(error); + } + + //向DBus守护程序请求拥有DBus + priv->bus_name_id = g_bus_own_name(G_BUS_TYPE_SYSTEM, + AUTH_SERVICE_DBUS_NAME, + G_BUS_NAME_OWNER_FLAGS_NONE, + bus_acquired_cb, + NULL, + NULL, + self, + NULL); +} + +static void +kiran_auth_service_class_init(KiranAuthServiceClass *klass) +{ + GObjectClass *gobject_class = G_OBJECT_CLASS(klass); + + gobject_class->finalize = kiran_auth_service_finalize; + + g_type_class_add_private(gobject_class, sizeof(KiranAuthServicePrivate)); +} + +/* + *@brief 创建认证服务对象 + 
* + *@return 成功返回对象的地址,失败返回NULL + */ +KiranAuthService* +kiran_auth_servie_new() +{ + return g_object_new(KIRAN_TYPE_AUTH_SERVICE, NULL); +} diff --git a/src/kiran-auth-service.h b/src/kiran-auth-service.h new file mode 100644 index 0000000..37b40c5 --- /dev/null +++ b/src/kiran-auth-service.h @@ -0,0 +1,42 @@ +/** + *@file kiran-auth-service.h + *@brief 实现DBus服务的认证接口 + *@author wangxiaoqing + *@copyright(c) 2021 KylinSec.All rights reserved. + */ +#ifndef __KIRAN_AUTH_SERVICE__ +#define __KIRAN_AUTH_SERVICE__ + +#include "kiran-authentication-gen.h" + +#define KIRAN_TYPE_AUTH_SERVICE (kiran_auth_service_get_type()) +#define KIRAN_AUTH_SERVICE(obj) (G_TYPE_CHECK_INSTANCE_CAST((obj), \ + KIRAN_TYPE_AUTH_SERVICE, KiranAuthService)) +#define KIRAN_AUTH_SERVICE_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST((klass), \ + KIRAN_TYPE_AUTH_SERVICE, KiranAuthServiceClass)) +#define KIRAN_IS_AUTH_SERVICE(obj) (G_TYPE_CHECK_INSTANCE_CAST((obj), \ + KIRAN_TYPE_AUTH_SERVICE)) +#define KIRAN_IS_AUTH_SERVICE_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST((klass), \ + KIRAN_TYPE_AUTH_SERVICE)) +#define KIRAN_AUTH_SERVICE_GET_CLASS(obj) (G_TYPE_CHECK_INSTANCE_GET_CLASS((obj), \ + KIRAN_TYPE_AUTH_SERVICE, KiranAuthServiceClass)) + +typedef struct _KiranAuthService KiranAuthService; +typedef struct _KiranAuthServicePrivate KiranAuthServicePrivate; +typedef struct _KiranAuthServiceClass KiranAuthServiceClass; + +struct _KiranAuthService +{ + KiranAuthenticationGenSkeleton parent; + KiranAuthServicePrivate *priv; +}; + +struct _KiranAuthServiceClass +{ + KiranAuthenticationGenSkeletonClass parent_class; +}; + +GType kiran_auth_servie_get_type(); +KiranAuthService *kiran_auth_servie_new(); + +#endif /* __KIRAN_AUTH_SERVICE__ */ diff --git a/src/main.c b/src/main.c new file mode 100644 index 0000000..0f3f77f --- /dev/null +++ b/src/main.c 
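Review bot: The two type-check macros in the new header are built from cast macros: `KIRAN_IS_AUTH_SERVICE(obj)` expands to `G_TYPE_CHECK_INSTANCE_CAST((obj), KIRAN_TYPE_AUTH_SERVICE)` with the third argument missing, and `KIRAN_IS_AUTH_SERVICE_CLASS` does the same with `G_TYPE_CHECK_CLASS_CAST`, so any caller that uses them to test a type will fail to compile instead of getting a boolean. They should read `#define KIRAN_IS_AUTH_SERVICE(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), KIRAN_TYPE_AUTH_SERVICE))` and `#define KIRAN_IS_AUTH_SERVICE_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), KIRAN_TYPE_AUTH_SERVICE))`. The prototype `GType kiran_auth_servie_get_type();` is also misspelled relative to `KIRAN_TYPE_AUTH_SERVICE`, which expands to `kiran_auth_service_get_type()`, so the function the macro actually calls is never declared by this header; replace it with `GType kiran_auth_service_get_type(void);` and give `kiran_auth_servie_new` a `(void)` parameter list as well.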
@@ -0,0 +1,31 @@ +#include +#include +#include "kiran-auth-service.h" + +int main(int argc, char *argv[]) +{ + GMainLoop *loop; + KiranAuthService *service; + + if (dzlog_init_ex(NULL, + "kylinsec-system-app", + "kiran-authentication", + "kiran_authentication_manager") < 0) + return -1; + +#if !GLIB_CHECK_VERSION(2, 36, 0) + g_type_init(); +#endif + + dzlog_info("Start kiran authentication service."); + loop = g_main_loop_new(NULL, FALSE); + service = kiran_auth_servie_new(); + + g_main_loop_run(loop); + + g_main_loop_unref(loop); + g_object_unref(service); + zlog_fini(); + + return 0; +} diff --git a/src/pam-kiran-authentication.c b/src/pam-kiran-authentication.c new file mode 100644 index 0000000..43fbc14 --- /dev/null +++ b/src/pam-kiran-authentication.c 
@@ -0,0 +1,220 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "authentication_i.h" +#include "kiran-authentication-gen.h" + +typedef struct +{ + GMainLoop *loop; + gchar *username; + gboolean state; + gchar *sid; +} verify_data; + +static int +converse(pam_handle_t *pamh, int nargs, + const struct pam_message **message, + struct pam_response **response) +{ + struct pam_conv *conv; + int retval = pam_get_item(pamh, PAM_CONV, (void *)&conv); + if (retval != PAM_SUCCESS) + { + return retval; + } + return conv->conv(nargs, message, response, conv->appdata_ptr); +} + +char * +request_respone(pam_handle_t *pamh, int echocode, const char *prompt) +{ + char *ret = NULL; + const struct pam_message msg = { + .msg_style = echocode, + .msg = prompt, + }; + const struct pam_message *msgs = &msg; + struct pam_response *resp = NULL; + + int retval = converse(pamh, 1, &msgs, &resp); + + if (retval != PAM_SUCCESS || resp == NULL || resp->resp == NULL || + resp->resp[0] == '\0') + { + if (retval == PAM_SUCCESS && resp && resp->resp) + { + ret = resp->resp; + } + } + else + { + ret = resp->resp; + } + + if (resp) + { + if (!ret) + { + free(resp->resp); + } + free(resp); + } + + return ret; +} + +static void +auth_status_cb(KiranAuthenticationGen *object, + const gchar *arg_username, + gint arg_state, + const gchar *arg_sid, + gpointer user_data) +{ + verify_data *data = user_data; + + if (g_strcmp0(data->sid, arg_sid) == 0) + { + data->state = arg_state; + data->username = g_strdup(arg_username); + g_main_loop_quit(data->loop); + } +} + +static gboolean +verify_timeout_cb(gpointer user_data) +{ + verify_data *data = user_data; + + g_main_loop_quit(data->loop); + + return FALSE; +} + +static gboolean +verify_user(pam_handle_t *pamh) +{ + GDBusConnection *connection; + KiranAuthenticationGen *auth; + verify_data *data; + GError *error; + gboolean ret; + char *sid; + GSource *source; + + error = NULL; + connection = 
g_bus_get_sync(G_BUS_TYPE_SYSTEM, NULL, &error); + if (connection == NULL) + { + pam_syslog(pamh, LOG_ERR, "Error with getting the bus: %s", error->message); + g_error_free(error); + return FALSE; + } + + error = NULL; + auth = kiran_authentication_gen_proxy_new_sync(connection, + G_BUS_NAME_WATCHER_FLAGS_NONE, + AUTH_SERVICE_DBUS_NAME, + AUTH_SERVICE_OBJECT_PATH, + NULL, + &error); + if (auth == NULL) + { + pam_syslog(pamh, LOG_ERR, "Error with getting the bus: %s", error->message); + g_object_unref(connection); + g_error_free(error); + return FALSE; + } + + + data = g_new0(verify_data, 1); + data->loop = g_main_loop_new(NULL, FALSE); + data->state = SESSION_AUTH_FAIL; + //请求开启认证 + data->sid = request_respone(pamh, PAM_PROMPT_ECHO_ON, ASK_AUTH_SID); + + g_signal_connect(auth, + "auth-status", + G_CALLBACK(auth_status_cb), + data); + + source = g_timeout_source_new_seconds(120); + g_source_attach(source, g_main_loop_get_context(data->loop)); + g_source_set_callback(source, verify_timeout_cb, data, NULL); + + g_main_loop_run(data->loop); + g_source_destroy(source); + g_source_unref(source); + + //认证结果 + ret = (data->state == SESSION_AUTH_SUCCESS) ? TRUE : FALSE; + if (ret) + { + //认证成功,设置用户 + pam_set_item(pamh, PAM_USER, data->username); + } + + g_object_unref(connection); + g_object_unref(auth); + + g_free(data->sid); + g_free(data->username); + g_free(data); + g_main_loop_unref(data->loop); + + return ret; +} + +PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, + const char **argv) +{ + const char *rhost = NULL; + guint i; + int ret; + +#if !GLIB_CHECK_VERSION(2, 36, 0) + g_type_init(); +#endif + pam_get_item(pamh, PAM_RHOST, (const void **)(const void *)&rhost); + + if (rhost != NULL && + *rhost != '\0' && + strcmp(rhost, "localhost") != 0) + { + return PAM_AUTHINFO_UNAVAIL; + } + + ret = verify_user(pamh); + + return (ret == TRUE) ? 
PAM_SUCCESS : PAM_AUTH_ERR; +} + +int pam_sm_setcred(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return PAM_SUCCESS; +} + +int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return PAM_SUCCESS; +} + +int pam_sm_open_session(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return PAM_SUCCESS; +} + +int pam_sm_close_session(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + return PAM_SUCCESS; +} -- Gitee From 5959ef4f454197070bdb699d995776d67f1f7a60 Mon Sep 17 00:00:00 2001 From: luoqing Date: Wed, 14 Jul 2021 13:57:18 +0800 Subject: [PATCH 03/20] feature(kiran-authentication-service): get the username from account service with fprint id MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 添加从账户服务通过指纹id获取用户名称的功能 Related #38334 Signed-off-by: wangxiaoqing --- ...m.kylinsec.Kiran.SystemDaemon.Accounts.xml | 12 ++++ src/kiran-auth-service.c | 71 ++++++++++++++++--- 2 files changed, 72 insertions(+), 11 deletions(-) diff --git a/data/com.kylinsec.Kiran.SystemDaemon.Accounts.xml b/data/com.kylinsec.Kiran.SystemDaemon.Accounts.xml index d022aec..4f1c703 100644 --- a/data/com.kylinsec.Kiran.SystemDaemon.Accounts.xml +++ b/data/com.kylinsec.Kiran.SystemDaemon.Accounts.xml @@ -26,6 +26,18 @@ + + + The authentication mode which could be fingerprint, face, etc. Refer to AccountsAuthMode in accounts-i.h + + + The identity of the collected data for the authentication item. + + + Object path of the new user. + + + The username for the new user diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index 8239623..90be4e3 100644 --- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c @@ -88,6 +88,7 @@ G_DEFINE_TYPE_WITH_CODE(KiranAuthService, kiran_auth_service, KIRAN_TYPE_AUTHENT static void do_session_passwd_auth(KiranAuthService *service, AuthSession *session); + static int default_session_auth_setting(KiranAuthService *service) { 
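Review bot: On success `verify_user` calls `pam_set_item(pamh, PAM_USER, data->username)` with the name carried in the daemon's AuthStatus signal and never compares it with a PAM_USER the application may already have established, so a stack that was asked to authenticate one account can end up with a different account name after this module succeeds. Read the existing item first and reject a mismatch, e.g. `const char *want = NULL; pam_get_item(pamh, PAM_USER, (const void **)&want);` followed by `if (want && *want && g_strcmp0(want, data->username) != 0) ret = FALSE;`, adopting the daemon's name only when none was set. A smaller point in the same function: when the bus or proxy cannot be obtained, the FALSE return is mapped to PAM_AUTH_ERR in pam_sm_authenticate, whereas PAM_AUTHINFO_UNAVAIL would let the stack treat "service not reachable" differently from "wrong credentials". Whether the daemon's D-Bus policy limits who can emit or observe these signals is not visible in this patch.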
@@ -231,21 +232,64 @@ verify_fprint_status_cb(KiranBiometrics *object, { if (arg_found) { - char *username = NULL; + KiranAccountsUser *user = NULL; + GError *error = NULL; + gchar *path = NULL; //查找绑定的用户 - - if (username) + kiran_accounts_call_find_user_by_auth_data_sync(priv->accounts, + ACCOUNTS_AUTH_MODE_FINGERPRINT, + arg_id, + &path, + NULL, + &error); + + if (path == NULL) { - //停止指纹认证 - kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); - priv->cur_fprint_session = NULL; - //指纹认证成功 - kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), - username, - SESSION_AUTH_SUCCESS, - session->sid); + dzlog_error("find fingerprint id with user fail: %s", error->message); + g_error_free(error); } + else + { + dzlog_debug("find fingerprint id %s with user path %s\n", arg_id, path); + + error = NULL; + user = kiran_accounts_user_proxy_new_sync(priv->connection, + G_BUS_NAME_WATCHER_FLAGS_NONE, + ACCOUNTS_DBUS_INTERFACE_NAME, + path, + NULL, + &error); + + if (user == NULL) + { + dzlog_error("Error with getting the bus: %s", error->message); + g_error_free(error); + } + else + { + const gchar *username; + + username = kiran_accounts_user_get_user_name(user); + + if (username) + { + dzlog_debug("get fingerprint user name %s", username); + //停止指纹认证 + kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); + priv->cur_fprint_session = NULL; + //指纹认证成功 + kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), + username, + SESSION_AUTH_SUCCESS, + session->sid); + + } + g_object_unref(user); + } + } + + g_free(path); } } else if (session->session_auth_type == SESSION_AUTH_TYPE_TOGETHER_WITH_USER) 
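Review bot: The new lookup accepts a fingerprint match for whichever account the Accounts service maps `arg_id` to and emits SESSION_AUTH_SUCCESS with that name, without comparing it against `session->username` or `session->fprint_id`; if this branch is the intended any-enrolled-user mode (the `TOGETHER_WITH_USER` case is handled in the `else if` that follows), that should be stated next to the call, e.g. `// any enrolled user may authenticate here; the per-user check lives in the TOGETHER_WITH_USER branch`, otherwise add `if (g_strcmp0(username, session->username) != 0) { ... reject ... }` before emitting. The boolean result of `kiran_accounts_call_find_user_by_auth_data_sync` is discarded and `path == NULL` is used as the failure signal; testing the return value instead keeps `error->message` from being read when `error` was never set. The enclosing `if (arg_found)` and the rest of verify_fprint_status_cb extend beyond this hunk.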
@@ -333,6 +377,10 @@ auth_session_stop(KiranAuthService *service, //停止密码认证 if (session->pam_handle) { + g_mutex_lock(&session->prompt_mutex); + g_cond_signal(&session->prompt_cond); + g_mutex_unlock(&session->prompt_mutex); + session->stop_auth = TRUE; g_mutex_lock(&session->stop_mutex); g_cond_wait(&session->stop_cond, &session->stop_mutex); @@ -625,6 +673,7 @@ get_user_account_info(KiranAuthService *service, else { session->fprint_id = parser_auth_items_json_data(auth_items); + dzlog_debug("Get fprint_id :%s with %s", session->fprint_id, session->username); } g_object_unref(user); -- Gitee From 5170b2b42669968c98372fd5ac74daffffaf3f2e Mon Sep 17 00:00:00 2001 From: luoqing Date: Wed, 14 Jul 2021 16:26:26 +0800 Subject: [PATCH 04/20] feature(kiran-authentication-service): add auth message type define MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 添加认证消息类型定义 Related #38334 Signed-off-by: wangxiaoqing --- src/authentication_i.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/authentication_i.h b/src/authentication_i.h index 7ce2317..5dc5e23 100644 --- a/src/authentication_i.h +++ b/src/authentication_i.h @@ -16,6 +16,12 @@ extern "C" #define AUTH_SERVICE_OBJECT_PATH "/com/kylinsec/Kiran/SystemDaemon/Authentication" #define ASK_AUTH_SID "ReqSessionId" + /* 消息类型 */ +#define AUTH_SERVICE_PROMPT_ECHO_OFF 1 /* 请求密文应答信息 */ +#define AUTH_SERVICE_PROMPT_ECHO_ON 2 /* 请求明文应答信息 */ +#define AUTH_SERVICE_ERROR_MSG 3 /* 错误消息 */ +#define AUTH_SERVICE_TEXT_INFO 4 /* 提示信息 */ + /** * 认证方式 * -- Gitee From 2dd934f4c9552375518952dba7fc3e9ad9963058 Mon Sep 17 00:00:00 2001 From: luoqing Date: Tue, 20 Jul 2021 16:28:09 +0800 Subject: [PATCH 05/20] fix(kiran-authentication-service): add the dbus method return MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 增加dbus方法返回值 Related #38334 
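Review bot: The added `g_cond_signal(&session->prompt_cond)` runs before `session->stop_auth = TRUE`, and the waiter in pam_conv_cb (outside this hunk) has no predicate, so a PAM thread that is already blocked wakes up, copies the stale or NULL `respons_msg` and returns it to PAM as a valid answer, while a thread that has not yet reached `g_cond_wait` misses the signal entirely and the following `g_cond_wait(&session->stop_cond, ...)` then blocks the D-Bus handler for good — a badly timed StopAuth from a client hangs the daemon. Set the flag under the mutex before signalling, `g_mutex_lock(&session->prompt_mutex); session->stop_auth = TRUE; g_cond_signal(&session->prompt_cond);`, and make pam_conv_cb wait in a loop such as `while (!session->stop_auth && session->respons_msg == NULL) g_cond_wait(...)`, returning PAM_CONV_ERR when `stop_auth` is set on wakeup. The pam_handle check that guards this block and the wait on stop_cond are the same pattern and would benefit from the same predicate.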
Signed-off-by: wangxiaoqing --- src/kiran-auth-service.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index 90be4e3..205df9e 100644 --- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c @@ -559,8 +559,9 @@ kiran_auth_service_handle_create_auth(KiranAuthenticationGen *object, //添加到会话列表中 priv->auth_list = g_list_append(priv->auth_list, new_auth_session); - g_dbus_method_invocation_return_value(invocation, - g_variant_new("(s)", new_auth_session->sid)); + kiran_authentication_gen_complete_create_auth(object, + invocation, + sid); return TRUE; } @@ -752,6 +753,10 @@ kiran_auth_service_handle_start_auth(KiranAuthenticationGen *object, dzlog_error("ush to auth thread pool failed: %s", error->message); g_error_free(error); } + + kiran_authentication_gen_complete_start_auth(object, invocation); + + return TRUE; } static gboolean @@ -777,6 +782,8 @@ kiran_auth_service_handle_stop_auth(KiranAuthenticationGen *object, auth_session_stop(service, session); + kiran_authentication_gen_complete_stop_auth(object, invocation); + return TRUE; } @@ -799,6 +806,10 @@ kiran_auth_service_handle_response_message(KiranAuthenticationGen *object, g_cond_signal(&session->prompt_cond); g_mutex_unlock(&session->prompt_mutex); } + + kiran_authentication_gen_complete_response_message(object, invocation); + + return TRUE; } static void -- Gitee From 61d95eb781d78f8c64e6c54b6b8d58e48e11d451 Mon Sep 17 00:00:00 2001 From: luoqing Date: Tue, 27 Jul 2021 15:17:50 +0800 Subject: [PATCH 06/20] feature(kiran-authentication-service): add the session auth method changed signal interface MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 添加会话认证方式变化信号 Related #38334 
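Review bot: In the StartAuth hunk, `kiran_authentication_gen_complete_start_auth(object, invocation)` now runs even after the `g_thread_pool_push` failure branch has already called `g_dbus_method_invocation_return_error` on the same invocation; GDBus consumes the invocation on the first return, so the second completion operates on a freed object and trips a critical at runtime. Add `return TRUE;` right after `g_error_free(error);` in that branch. The earlier validation in this handler (sid lookup, `is_start` check) lies outside the hunk and is unaffected.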
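Review bot: ResponseMessage completes for any bus caller that presents a known sid, but the sid is broadcast in the AuthMessages/AuthStatus signals on the system bus, so a local process that can observe those signals can supply the password-prompt answer for another client's session (and, via the StopAuth hunk above, tear it down). CreateAuth already stores `g_dbus_method_invocation_get_sender()` in `session->sender`; compare it in each handler, e.g. `if (g_strcmp0(session->sender, g_dbus_method_invocation_get_sender(invocation)) != 0) { g_dbus_method_invocation_return_error(invocation, G_DBUS_ERROR, G_DBUS_ERROR_ACCESS_DENIED, "Not the session owner"); return TRUE; }`. An unknown sid is also silently completed here while StopAuth returns INVALID_ARGS for the same condition; returning an error keeps the two consistent. Whether a D-Bus policy file already restricts these methods is not visible in this series.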
Signed-off-by: wangxiaoqing --- ...nsec.Kiran.SystemDaemon.Authentication.xml | 9 +++++++- src/CMakeLists.txt | 2 +- src/authentication_i.h | 13 ++++++++++++ src/kiran-auth-service.c | 21 +++++++++++++++++++ src/main.c | 4 ++++ src/pam-kiran-authentication.c | 9 +++++++- 6 files changed, 55 insertions(+), 3 deletions(-) diff --git a/data/com.kylinsec.Kiran.SystemDaemon.Authentication.xml b/data/com.kylinsec.Kiran.SystemDaemon.Authentication.xml index 4ebb48f..6db6847 100644 --- a/data/com.kylinsec.Kiran.SystemDaemon.Authentication.xml +++ b/data/com.kylinsec.Kiran.SystemDaemon.Authentication.xml @@ -48,7 +48,14 @@ 消息内容. - 消息类型,请求明文信息,请求密码,错误消息,提示信息, 指纹界面, 参见authentication_i.h. + 消息类型,包括请求明文信息,请求密文信息,错误消息,提示信息,参见authentication_i.h. + + + + + + + 认证方式,包括密码认证,指纹认证,人脸认证方式, 参见authentication_i.h. diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index c278bc4..0215f53 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -51,4 +51,4 @@ set_target_properties(pam_kiran_authentication PROPERTIES PREFIX "") target_link_libraries(pam_kiran_authentication pam_misc ${GLIB2_LIBRARIES} ${GDBUS_LIBRARIES} ${GLIB_JSON_LIBRARIES}) install(TARGETS pam_kiran_authentication LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}/security/) -install(FILES authentication_i.h DESTINATION /usr/include) +install(FILES authentication_i.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${PROJECT_NAME}) diff --git a/src/authentication_i.h b/src/authentication_i.h index 5dc5e23..536bf54 100644 --- a/src/authentication_i.h +++ b/src/authentication_i.h @@ -50,6 +50,19 @@ extern "C" SESSION_AUTH_FAIL = 1, }; + enum SessionAuthMethod + { + // 没有任何验证方式 + SESSION_AUTH_METHOD_NONE = 0, + // 密码验证 + SESSION_AUTH_METHOD_PASSWORD = (1 << 0), + // 指纹验证 + SESSION_AUTH_METHOD_FINGERPRINT = (1 << 1), + // 人脸识别验证 + SESSION_AUTH_METHOD_FACE = (1 << 2), + SESSION_AUTH_METHOD_LAST = (1 << 3), + }; + #ifdef __cplusplus } #endif diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index 205df9e..f6618c3 100644 
--- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c @@ -318,6 +318,9 @@ verify_fprint_status_cb(KiranBiometrics *object, if (session->user_auth_mode & ACCOUNTS_AUTH_MODE_PASSWORD) { //进行串行认证,指纹通过,启动密码认证 + kiran_authentication_gen_emit_auth_method_changed(KIRAN_AUTHENTICATION_GEN(service), + SESSION_AUTH_METHOD_PASSWORD, + session->sid); do_session_passwd_auth(service, session); } else @@ -946,11 +949,16 @@ do_authentication(gpointer data, { case SESSION_AUTH_TYPE_TOGETHER: //并行认证模式 + //发送认证模式 + kiran_authentication_gen_emit_auth_method_changed(KIRAN_AUTHENTICATION_GEN(service), + SESSION_AUTH_METHOD_PASSWORD & SESSION_AUTH_METHOD_FINGERPRINT, + session->sid); //启动指纹认证 do_session_fingerprint_auth(service, session); //启动密码认证 do_session_passwd_auth(service, session); + break; case SESSION_AUTH_TYPE_TOGETHER_WITH_USER: @@ -958,11 +966,21 @@ do_authentication(gpointer data, if (session->user_auth_mode & ACCOUNTS_AUTH_MODE_FINGERPRINT) { //启动指纹认证 + kiran_authentication_gen_emit_auth_method_changed(KIRAN_AUTHENTICATION_GEN(service), + SESSION_AUTH_METHOD_PASSWORD & SESSION_AUTH_METHOD_FINGERPRINT, + session->sid); do_session_fingerprint_auth(service, session); } + else + { + kiran_authentication_gen_emit_auth_method_changed(KIRAN_AUTHENTICATION_GEN(service), + SESSION_AUTH_METHOD_PASSWORD, + session->sid); + } //启动密码认证 do_session_passwd_auth(service, session); + break; default: @@ -970,6 +988,9 @@ do_authentication(gpointer data, if (session->user_auth_mode & ACCOUNTS_AUTH_MODE_FINGERPRINT) { //启动指纹认证 + kiran_authentication_gen_emit_auth_method_changed(KIRAN_AUTHENTICATION_GEN(service), + SESSION_AUTH_METHOD_FINGERPRINT, + session->sid); do_session_fingerprint_auth(service, session); } } diff --git a/src/main.c b/src/main.c index 0f3f77f..5dbf649 100644 --- a/src/main.c +++ b/src/main.c @@ -1,4 +1,5 @@ #include +#include #include #include "kiran-auth-service.h" 
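Review bot: In the `default:` (serial) branch the method-changed signal and the fingerprint start happen only when `user_auth_mode` has the fingerprint bit, so an account without an enrolled fingerprint gets neither a signal nor an AuthStatus, and the gboolean from `do_session_fingerprint_auth` is ignored, so a failed VerifyFprintStart leaves the client sitting on its own timeout with `is_start` already TRUE. Mirror what the `TOGETHER_WITH_USER` branch above does and fall back to password: add `else { kiran_authentication_gen_emit_auth_method_changed(KIRAN_AUTHENTICATION_GEN(service), SESSION_AUTH_METHOD_PASSWORD, session->sid); do_session_passwd_auth(service, session); }`, and take the same path when the fingerprint start returns FALSE. The `switch` begins earlier in do_authentication, outside this hunk.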
@@ -7,6 +8,9 @@ int main(int argc, char *argv[]) GMainLoop *loop; KiranAuthService *service; + setlocale(LC_CTYPE, ""); + setlocale(LC_MESSAGES, ""); + if (dzlog_init_ex(NULL, "kylinsec-system-app", "kiran-authentication", diff --git a/src/pam-kiran-authentication.c b/src/pam-kiran-authentication.c index 43fbc14..d9a5ec9 100644 --- a/src/pam-kiran-authentication.c +++ b/src/pam-kiran-authentication.c @@ -138,6 +138,11 @@ verify_user(pam_handle_t *pamh) data->state = SESSION_AUTH_FAIL; //请求开启认证 data->sid = request_respone(pamh, PAM_PROMPT_ECHO_ON, ASK_AUTH_SID); + if (!data->sid || (g_strcmp0(data->sid, "") == 0)) + { + pam_syslog(pamh, LOG_ERR, "Request create auth failed!"); + goto end; + } g_signal_connect(auth, "auth-status", @@ -152,6 +157,7 @@ verify_user(pam_handle_t *pamh) g_source_destroy(source); g_source_unref(source); +end: //认证结果 ret = (data->state == SESSION_AUTH_SUCCESS) ? TRUE : FALSE; if (ret) @@ -163,10 +169,11 @@ verify_user(pam_handle_t *pamh) g_object_unref(connection); g_object_unref(auth); + g_main_loop_unref(data->loop); + g_free(data->sid); g_free(data->username); g_free(data); - g_main_loop_unref(data->loop); return ret; } -- Gitee From 11a579c48f6104069bda19901026b84055d11cfc Mon Sep 17 00:00:00 2001 From: luoqing Date: Tue, 27 Jul 2021 17:45:34 +0800 Subject: [PATCH 07/20] fix(kiran-authentication-service): fix the session end lock and add debug log MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 修改服务卡住的问题,添加debug日志 Related #38334 Signed-off-by: wangxiaoqing --- src/kiran-auth-service.c | 46 ++++++++++++++++++++++++++++++++++------ 1 file changed, 39 insertions(+), 7 deletions(-) diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index f6618c3..875c5b8 100644 --- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c 
@@ -370,6 +370,8 @@ auth_session_stop(KiranAuthService *service, { KiranAuthServicePrivate *priv = service->priv; + dzlog_debug("Session %s stop begin", session->sid); + if (session == priv->cur_fprint_session) { //停止指纹认证 @@ -385,11 +387,18 @@ auth_session_stop(KiranAuthService *service, g_mutex_unlock(&session->prompt_mutex); session->stop_auth = TRUE; - g_mutex_lock(&session->stop_mutex); - g_cond_wait(&session->stop_cond, &session->stop_mutex); - g_mutex_unlock(&session->stop_mutex); + + //如果还没有关闭pam + if (session->pam_handle != NULL) + { + g_mutex_lock(&session->stop_mutex); + g_cond_wait(&session->stop_cond, &session->stop_mutex); + g_mutex_unlock(&session->stop_mutex); + } } + dzlog_debug("Session %s stop end", session->sid); + //删除该会话 priv->auth_list = g_list_remove(priv->auth_list, session); auth_session_free(session); @@ -619,7 +628,7 @@ parser_auth_items_json_data(const char *data) return id; } -static void +static gboolean get_user_account_info(KiranAuthService *service, AuthSession *session) { @@ -629,7 +638,7 @@ get_user_account_info(KiranAuthService *service, gchar *path = NULL; gchar *auth = NULL; gchar *auth_items = NULL; - gboolean ret; + gboolean ret = TRUE; session->user_auth_mode = ACCOUNTS_AUTH_MODE_NONE; path = NULL; @@ -642,8 +651,10 @@ get_user_account_info(KiranAuthService *service, &error); if (!ret) { - dzlog_error("Error with find the user object path: %s", error->message); + dzlog_error("Error with find the user object path: %s with %s", error->message, session->username); g_error_free(error); + + return FALSE; } error = NULL; @@ -659,6 +670,8 @@ get_user_account_info(KiranAuthService *service, { dzlog_error("Error with getting the bus: %s", error->message); g_error_free(error); + + return FALSE; } session->user_auth_mode = kiran_accounts_user_get_auth_modes(user); 
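Review bot: The new `if (session->pam_handle != NULL)` narrows the hang but does not remove it: `pam_handle` is cleared by the PAM thread (`pam_end(); session->pam_handle = NULL;` in do_session_passwd_auth) without holding `stop_mutex`, and `stop_cond` is signalled once, so if the thread finishes between this check and `g_cond_wait` the wakeup is lost and the D-Bus handler blocks forever. Clear the handle under `stop_mutex` in the PAM thread and wait on a predicate here: `g_mutex_lock(&session->stop_mutex); while (session->pam_handle != NULL) g_cond_wait(&session->stop_cond, &session->stop_mutex); g_mutex_unlock(&session->stop_mutex);`. Note also that `auth_session_free(session)` runs as soon as the wait returns, while the PAM thread is still inside its `g_mutex_unlock(&session->stop_mutex)`; if auth_session_free (not shown) clears the mutexes, that unlock runs on freed memory, so the free should be deferred until the worker has returned.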
@@ -673,6 +686,7 @@ get_user_account_info(KiranAuthService *service, { dzlog_error("Error with getting the auth item: %s", error->message); g_error_free(error); + ret = FALSE; } else { @@ -681,6 +695,8 @@ get_user_account_info(KiranAuthService *service, } g_object_unref(user); + + return ret; } static gboolean @@ -697,6 +713,8 @@ kiran_auth_service_handle_start_auth(KiranAuthenticationGen *object, GError *error = NULL; gboolean ret = FALSE; + dzlog_debug("Handle start auth with sid: %s, username: %s", arg_sid, arg_username); + session = find_auth_session_by_sid(service, arg_sid); if (session == NULL) { @@ -722,6 +740,17 @@ kiran_auth_service_handle_start_auth(KiranAuthenticationGen *object, g_free(session->username); session->username = g_strdup(arg_username); + ret = get_user_account_info(service, session); + if (!ret) + { + g_dbus_method_invocation_return_error(invocation, + G_DBUS_ERROR, + G_DBUS_ERROR_INVALID_ARGS, + "Get user %s accout info failed", + session->username); + return TRUE; + } + if (arg_type_op == SESSION_AUTH_TYPE_ONE || arg_type_op == SESSION_AUTH_TYPE_TOGETHER || arg_type_op == SESSION_AUTH_TYPE_TOGETHER_WITH_USER) @@ -734,7 +763,6 @@ kiran_auth_service_handle_start_auth(KiranAuthenticationGen *object, } session->occupy = arg_occupy; - get_user_account_info(service, session); session->stop_auth = FALSE; session->service = service; @@ -771,6 +799,8 @@ kiran_auth_service_handle_stop_auth(KiranAuthenticationGen *object, KiranAuthServicePrivate *priv = service->priv; AuthSession *session = NULL; + dzlog_debug("Handle stop auth with sid: %s", arg_sid); + session = find_auth_session_by_sid(service, arg_sid); if (session == NULL) { @@ -800,6 +830,8 @@ kiran_auth_service_handle_response_message(KiranAuthenticationGen *object, KiranAuthServicePrivate *priv = service->priv; AuthSession *session = NULL; + dzlog_debug("Handle response message with sid: %s", arg_sid); + session = find_auth_session_by_sid(service, arg_sid); if (session != NULL) { -- Gitee 
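Review bot: The new error returned from kiran_auth_service_handle_start_auth, `"Get user %s accout info failed"`, misspells "account", and because it goes back to the D-Bus caller with the username embedded it tells any bus client whether a given account resolves on the accounts service; a neutral message such as `"Failed to get account info"` with the username kept in the `dzlog_error` line is the safer shape, and `G_DBUS_ERROR_FAILED` describes a lookup failure better than `INVALID_ARGS`. In the `@@ -673,6 +686,7 @@` hunk `ret = FALSE` after the auth-item failure makes StartAuth reject the request even though `user_auth_mode` was already stored a few lines earlier, so password-only fallback is no longer possible in that case; confirm that is intended and say so in a comment. Both functions begin above their hunks.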
From e5faebc3837c807d44cd86ed4c83372700a02ae3 Mon Sep 17 00:00:00 2001 From: luoqing Date: Thu, 29 Jul 2021 10:54:49 +0800 Subject: [PATCH 08/20] fix(kiran-authentication-service): fix the auth method change type erorr MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 修改认证方式信号错误的问题 Related #38334 Signed-off-by: wangxiaoqing --- src/kiran-auth-service.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index 875c5b8..f7a6c6e 100644 --- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c @@ -983,7 +983,7 @@ do_authentication(gpointer data, //并行认证模式 //发送认证模式 kiran_authentication_gen_emit_auth_method_changed(KIRAN_AUTHENTICATION_GEN(service), - SESSION_AUTH_METHOD_PASSWORD & SESSION_AUTH_METHOD_FINGERPRINT, + SESSION_AUTH_METHOD_PASSWORD | SESSION_AUTH_METHOD_FINGERPRINT, session->sid); //启动指纹认证 do_session_fingerprint_auth(service, session); @@ -999,7 +999,7 @@ do_authentication(gpointer data, { //启动指纹认证 kiran_authentication_gen_emit_auth_method_changed(KIRAN_AUTHENTICATION_GEN(service), - SESSION_AUTH_METHOD_PASSWORD & SESSION_AUTH_METHOD_FINGERPRINT, + SESSION_AUTH_METHOD_PASSWORD | SESSION_AUTH_METHOD_FINGERPRINT, session->sid); do_session_fingerprint_auth(service, session); } -- Gitee From 40fa753c3d0a2ad52f6c5ea94975e06327d35fb7 Mon Sep 17 00:00:00 2001 From: luoqing Date: Wed, 11 Aug 2021 20:30:41 +0800 Subject: [PATCH 09/20] fix(kiran-authentication-service): not send the finger found msg MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 不发送生物认证服务发送过来的指纹匹配消息,这还需要和账户服务管理查找该指纹 是否绑定对应用户才能确定是否认证成功 Related #38334 Signed-off-by: wangxiaoqing --- src/kiran-auth-service.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index f7a6c6e..8a4ae09 100644 --- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c 
@@ -222,11 +222,14 @@ verify_fprint_status_cb(KiranBiometrics *object, arg_found, arg_id); - //发送认证消息 - kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), - arg_result, - PAM_TEXT_INFO, - session->sid); + if (!arg_found) + { + //发送指纹认证提示消息 + kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), + arg_result, + PAM_TEXT_INFO, + session->sid); + } if (session->session_auth_type == SESSION_AUTH_TYPE_TOGETHER) { -- Gitee From 135c9aca3627c98d7c39a0f241216760444585c8 Mon Sep 17 00:00:00 2001 From: luoqing Date: Mon, 16 Aug 2021 10:34:22 +0800 Subject: [PATCH 10/20] fix(kiran-authentication-service): use rsa key to encrypt and decrypt message MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 使用ras公私钥对对通信数据进行加密和解密 Related #38334 Signed-off-by: wangxiaoqing --- data/CMakeLists.txt | 2 + ...nsec.Kiran.SystemDaemon.Authentication.xml | 3 + data/kiran-authentication-service.pc.in | 5 + src/CMakeLists.txt | 10 +- src/authentication_i.h | 40 ++++ src/kiran-auth-service.c | 61 +++++- src/kiran-authentication.c | 177 ++++++++++++++++++ 7 files changed, 289 insertions(+), 9 deletions(-) create mode 100644 data/kiran-authentication-service.pc.in create mode 100644 src/kiran-authentication.c diff --git a/data/CMakeLists.txt b/data/CMakeLists.txt index a80a8d7..1f79d7e 100644 --- a/data/CMakeLists.txt +++ b/data/CMakeLists.txt 
@@ -1,8 +1,10 @@ configure_file(com.kylinsec.Kiran.SystemDaemon.Authentication.service.in ${PROJECT_BINARY_DIR}/data/com.kylinsec.Kiran.SystemDaemon.Authentication.service) configure_file(kiran-system-daemon-authentication.service.in ${PROJECT_BINARY_DIR}/data/kiran-system-daemon-authentication.service) +configure_file(kiran-authentication-service.pc.in ${PROJECT_BINARY_DIR}/data/kiran-authentication-service.pc) install(FILES kiran_authentication.conf DESTINATION /etc/dbus-1/system.d) install(FILES custom.conf DESTINATION /etc/kiran-authentication-service/) install(FILES kiran-auth-service DESTINATION /etc/pam.d/) install(FILES ${PROJECT_BINARY_DIR}/data/com.kylinsec.Kiran.SystemDaemon.Authentication.service DESTINATION /usr/share/dbus-1/system-services) install(FILES ${PROJECT_BINARY_DIR}/data/kiran-system-daemon-authentication.service DESTINATION /usr/lib/systemd/system/) +install(FILES ${PROJECT_BINARY_DIR}/data/kiran-authentication-service.pc DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig) diff --git a/data/com.kylinsec.Kiran.SystemDaemon.Authentication.xml b/data/com.kylinsec.Kiran.SystemDaemon.Authentication.xml index 6db6847..ed6cf53 100644 --- a/data/com.kylinsec.Kiran.SystemDaemon.Authentication.xml +++ b/data/com.kylinsec.Kiran.SystemDaemon.Authentication.xml @@ -7,6 +7,9 @@ 本次认证的唯一标识ID. + + 应答消息的加密公钥,主要用于对密码应答消息加密. + diff --git a/data/kiran-authentication-service.pc.in b/data/kiran-authentication-service.pc.in new file mode 100644 index 0000000..00071ca --- /dev/null +++ b/data/kiran-authentication-service.pc.in @@ -0,0 +1,5 @@ +Name: Kiran Authentication Service +Description: Development files for kiran authentication service +Version: 0.1 +Libs: -L@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_LIBDIR@ -lkiran-authentication-service +Cflags: -I@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_INCLUDEDIR@/@PROJECT_NAME@ diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 0215f53..bfee007 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
@@ -1,4 +1,5 @@ find_package (PkgConfig REQUIRED) +find_package (OpenSSL REQUIRED) pkg_check_modules (GLIB2 REQUIRED glib-2.0) pkg_check_modules (GIO REQUIRED gio-2.0) @@ -42,8 +43,8 @@ include_directories(${CMAKE_CURRENT_BINARY_DIR}) include_directories(${GLIB_JSON_INCLUDE_DIRS} ${KIRAN_CC_DAEMON_INCLUDE_DIRS}) include_directories(${ZLOG_INCLUDE_DIRS} ${GLIB2_INCLUDE_DIRS} ${GIO_INCLUDE_DIRS} ${GIO_UNIX_INCLUDE_DIRS}) -add_executable (kiran_authentication_service main.c kiran-authentication-gen.c kiran-auth-service.c kiran-accounts-gen.c kiran-user-gen.c kiran-biometrics-gen.c) -target_link_libraries(kiran_authentication_service pam ${ZLOG_LIBRARIES} ${GLIB2_LIBRARIES} ${GIO_LIBRARIES} ${GIO_UNIX_LIBRARIES} ${GLIB_JSON_LIBRARIES}) +add_executable (kiran_authentication_service main.c kiran-authentication-gen.c kiran-auth-service.c kiran-accounts-gen.c kiran-user-gen.c kiran-biometrics-gen.c kiran-authentication.c) +target_link_libraries(kiran_authentication_service pam ${ZLOG_LIBRARIES} ${GLIB2_LIBRARIES} ${GIO_LIBRARIES} ${GIO_UNIX_LIBRARIES} ${GLIB_JSON_LIBRARIES} ${OPENSSL_CRYPTO_LIBRARIES}) install(TARGETS kiran_authentication_service RUNTIME DESTINATION ${INSTALL_BINDIR}) add_library(pam_kiran_authentication MODULE pam-kiran-authentication.c kiran-authentication-gen.c) 
@@ -51,4 +52,9 @@ set_target_properties(pam_kiran_authentication PROPERTIES PREFIX "") target_link_libraries(pam_kiran_authentication pam_misc ${GLIB2_LIBRARIES} ${GDBUS_LIBRARIES} ${GLIB_JSON_LIBRARIES}) install(TARGETS pam_kiran_authentication LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}/security/) +add_library(kiran-authentication-service SHARED kiran-authentication.c) +target_link_libraries(kiran-authentication-service ${OPENSSL_CRYPTO_LIBRARIES}) +set_target_properties(kiran-authentication-service PROPERTIES VERSION 0.0.1 SOVERSION 0.1) +install(TARGETS kiran-authentication-service LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}/) + install(FILES authentication_i.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${PROJECT_NAME}) diff --git a/src/authentication_i.h b/src/authentication_i.h index 536bf54..74cba7c 100644 --- a/src/authentication_i.h +++ b/src/authentication_i.h @@ -16,6 +16,8 @@ extern "C" #define AUTH_SERVICE_OBJECT_PATH "/com/kylinsec/Kiran/SystemDaemon/Authentication" #define ASK_AUTH_SID "ReqSessionId" +#define MAX_RSA_TEXT_LEN 256 /* 最大可以加密的数据长度 */ + /* 消息类型 */ #define AUTH_SERVICE_PROMPT_ECHO_OFF 1 /* 请求密文应答信息 */ #define AUTH_SERVICE_PROMPT_ECHO_ON 2 /* 请求明文应答信息 */ 
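Review bot: `MAX_RSA_TEXT_LEN 256` is the RSA-2048 modulus size (`KEY_LEN` in kiran-authentication.c), not the largest plaintext: with `RSA_PKCS1_PADDING` the limit is 245 bytes (214 with OAEP/SHA-1), so a caller that trusts this constant gets -1 from the encrypt routine for inputs between 246 and 256 bytes. Either define it as `245` with the comment `/* 2048-bit modulus minus the 11 bytes of PKCS#1 v1.5 padding */`, or have the encrypt routine reject `data_len > MAX_RSA_TEXT_LEN` so the constant and the implementation agree; none of the hunks in this patch reference the macro.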
@@ -63,6 +65,44 @@ extern "C" SESSION_AUTH_METHOD_LAST = (1 << 3), }; + /** + * @brief rsa公钥对数据进行加密 + * + * @param[in] data 要加密的数据 + * @param[in] data_len 要加密的数据长度 + * @key [in] 公钥内容 + * @encrypted [out] 加密后数据的内存地址 + * @return 返回加密后的数据长度,当等于-1时表示加密失败 + */ + int kiran_authentication_rsa_public_encrypt(char *data, + int data_len, + unsigned char *key, + unsigned char **encrypted); + + /** + * @brief rsa公钥对数据进行解密 + * + * @param[in] enc_data 要解密的加密数据 + * @param[in] data_len 要解密的加密数据长度 + * @key [in] 私钥内容 + * @decrypted [out] 解密后数据的内存地址 + * @return 返回解秘后的数据长度,当等于-1时表示解密失败 + */ + int kiran_authentication_rsa_private_decrypt(unsigned char *enc_data, + int data_len, + unsigned char *key, + char **decrypted); + + /** + * @brief rsa公私钥生成 + * + * @param[out] public_key 公钥内存地址 + * @param [out] private_key 私钥内存地址 + * + * @return 返回公私钥生成结果,当等于-1时表示生成失败 + */ + int kiran_authentication_rsa_key_gen(char **public_key, char **private_key); + #ifdef __cplusplus } #endif diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index 8a4ae09..9898f10 100644 --- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c @@ -6,9 +6,9 @@ */ #include "kiran-auth-service.h" #include +#include #include #include -#include #include "authentication_i.h" #include "kiran-accounts-gen.h" #include "kiran-biometrics-gen.h" @@ -56,6 +56,9 @@ struct _AuthSession GMutex stop_mutex; KiranAuthService *service; + + //解密私钥 + char *key; }; struct _KiranAuthServicePrivate @@ -160,6 +163,7 @@ auth_session_free(gpointer data) g_free(session->username); g_free(session->sender); g_free(session->fprint_id); + g_free(session->key); g_free(session); } 
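Review bot: The Doxygen comments on the three new declarations use `@key [in]`, `@encrypted [out]`, `@decrypted [out]` and `@param [out] private_key`, which are not parameter tags; write them as `@param[in] key` and `@param[out] encrypted` so generated docs and `-Wdocumentation` pick them up. The contracts should also state ownership and termination: the `encrypted`/`decrypted` buffers and both key strings come from `malloc`/`strdup` and must be released with `free()`, and `decrypted` is a raw byte buffer of the returned length, not a NUL-terminated string. `data`, `enc_data` and `key` are never written through and should be `const`.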
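Review bot: `g_free(session->key)` in auth_session_free releases the session's RSA private-key PEM without wiping it, and the string was produced by `strdup` in kiran_authentication_rsa_key_gen, so libc memory is being handed to GLib; with GLib ≥ 2.46 the allocators coincide, but the code should either re-copy with `g_strdup` where the key is stored or free it with `free()`. Because it is key material, clear it first: `if (session->key) explicit_bzero(session->key, strlen(session->key));` before the free (`explicit_bzero` is in `<string.h>` on glibc ≥ 2.25); the same treatment belongs wherever `respons_msg` is released, since that field receives the decrypted password.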
@@ -541,7 +545,11 @@ kiran_auth_service_handle_create_auth(KiranAuthenticationGen *object, AuthSession *new_auth_session = NULL; AuthSession *session = NULL; gchar *sid = g_uuid_string_random(); + char *public_key = NULL; + char *private_key = NULL; const gchar *sender; + gchar *encode = NULL; + gsize len = 0; sender = g_dbus_method_invocation_get_sender(invocation); @@ -556,6 +564,19 @@ kiran_auth_service_handle_create_auth(KiranAuthenticationGen *object, return TRUE; } + //创建通信的公私秘钥 + kiran_authentication_rsa_key_gen(&public_key, &private_key); + if (public_key == NULL || private_key == NULL) + { + g_dbus_method_invocation_return_error(invocation, + G_DBUS_ERROR, + G_DBUS_ERROR_INVALID_ARGS, + "Create ras key failed!"); + g_free(public_key); + g_free(private_key); + return TRUE; + } + session = find_auth_session_by_sid(service, sid); while (session != NULL) { @@ -567,6 +588,7 @@ kiran_auth_service_handle_create_auth(KiranAuthenticationGen *object, new_auth_session = g_new0(AuthSession, 1); new_auth_session->sid = sid; + new_auth_session->key = private_key; if (sender) new_auth_session->sender = g_strdup(sender); @@ -574,9 +596,15 @@ kiran_auth_service_handle_create_auth(KiranAuthenticationGen *object, //添加到会话列表中 priv->auth_list = g_list_append(priv->auth_list, new_auth_session); + encode = g_base64_encode(public_key, + strlen(public_key)); kiran_authentication_gen_complete_create_auth(object, invocation, - sid); + sid, + encode); + + g_free(public_key); + g_free(encode); return TRUE; } 
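Review bot: The new key-generation failure path in kiran_auth_service_handle_create_auth returns after `g_free(public_key); g_free(private_key);` but the `sid` from `g_uuid_string_random()` at the top of the function is not released, and the error string `"Create ras key failed!"` should read `rsa` (it is a server-side failure, so `G_DBUS_ERROR_FAILED` fits better than `INVALID_ARGS`). Both key strings come from `strdup` inside kiran_authentication_rsa_key_gen, so `g_free(public_key)` here and the later `g_free(session->key)` mix allocators; use `free()` or re-copy with `g_strdup`. A 2048-bit keygen now runs synchronously on the D-Bus handler for every CreateAuth call, after only the existing check above it, so a misbehaving client can keep the service busy; reusing a key for a bounded time or generating it on the worker pool would limit that.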
@@ -838,11 +866,30 @@ kiran_auth_service_handle_response_message(KiranAuthenticationGen *object, session = find_auth_session_by_sid(service, arg_sid); if (session != NULL) { - g_mutex_lock(&session->prompt_mutex); - g_free(session->respons_msg); - session->respons_msg = g_strdup(arg_message); - g_cond_signal(&session->prompt_cond); - g_mutex_unlock(&session->prompt_mutex); + guchar *decode_message = NULL; + gchar *decrypted = NULL; + gsize out_len = 0; + + //解码 + decode_message = g_base64_decode(arg_message, &out_len); + if (decode_message) + { + //数据解密 + kiran_authentication_rsa_private_decrypt(decode_message, + out_len, + session->key, + &decrypted); + if (decrypted) + { + g_mutex_lock(&session->prompt_mutex); + g_free(session->respons_msg); + session->respons_msg = g_strdup(decrypted); + g_cond_signal(&session->prompt_cond); + g_mutex_unlock(&session->prompt_mutex); + g_free(decrypted); + } + g_free(decode_message); + } } kiran_authentication_gen_complete_response_message(object, invocation); diff --git a/src/kiran-authentication.c b/src/kiran-authentication.c new file mode 100644 index 0000000..386d95a --- /dev/null +++ b/src/kiran-authentication.c 
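Review bot: `session->respons_msg = g_strdup(decrypted);` over-reads: kiran_authentication_rsa_private_decrypt hands back exactly `result` bytes from `malloc(result)` with no terminator, so `g_strdup` runs past the allocation unless the client happened to include a NUL in the plaintext. Keep the return value and copy by length: `gint len = kiran_authentication_rsa_private_decrypt(decode_message, out_len, (guchar *)session->key, &decrypted);` then `if (len > 0 && decrypted)` and `session->respons_msg = g_strndup(decrypted, len);`. The buffer holds the user's password, so wipe it before releasing (`explicit_bzero(decrypted, len)`), release it with `free()` rather than `g_free` because it came from `malloc`, and note that `out_len` (gsize) is narrowed to `int` at the call.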
@@ -0,0 +1,177 @@ +#include +#include +#include +#include +#include +#include +#include +#include + +#include "authentication_i.h" + +#define KEY_LEN 2048 +#define RSA_BUFFER_LEN 4096 + +RSA *create_RSA(unsigned char * key, + int public) +{ + RSA *rsa= NULL; + BIO *keybio ; + + keybio = BIO_new_mem_buf(key, -1); + if (keybio == NULL) + { + return NULL; + } + + if(public) + { + rsa = PEM_read_bio_RSA_PUBKEY(keybio, &rsa, NULL, NULL); + } + else + { + rsa = PEM_read_bio_RSAPrivateKey(keybio, &rsa, NULL, NULL); + } + + return rsa; +} + +int kiran_authentication_rsa_public_encrypt(char *data, + int data_len, + unsigned char *key, + unsigned char **encrypted) +{ + RSA * rsa = NULL; + unsigned char buf[RSA_BUFFER_LEN] = {0}; + unsigned char *ptr = NULL; + int result = -1; + + rsa = create_RSA(key, 1); + if (rsa == NULL) + { + return -1; + } + + result = RSA_public_encrypt(data_len, data, buf, rsa, RSA_PKCS1_PADDING); + if (result > 0) + { + ptr = malloc(result); + if (ptr) + { + memcpy(ptr, buf, result); + } + } + + *encrypted = ptr; + + return result; +} + +int kiran_authentication_rsa_private_decrypt(unsigned char *enc_data, + int data_len, + unsigned char *key, + char **decrypted) +{ + RSA *rsa = NULL; + unsigned char buf[RSA_BUFFER_LEN] = {0}; + unsigned char *ptr = NULL; + int result = -1; + + rsa = create_RSA(key, 0); + if (rsa == NULL) + { + return -1; + } + + result = RSA_private_decrypt(data_len, enc_data, buf, rsa, RSA_PKCS1_PADDING); + if (result > 0) + { + ptr = malloc(result); + if (ptr) + { + memcpy(ptr, buf, result); + } + } + + *decrypted = ptr; + + return result; +} + +int +kiran_authentication_rsa_key_gen(char **public_key, char **private_key) +{ + EVP_PKEY_CTX *evp_ctx = NULL; + EVP_PKEY *ppkey = NULL; + BIO *bio = NULL; + BUF_MEM *pub_buf = NULL; + BUF_MEM *pri_buf = NULL; + + *private_key = NULL; + *public_key = NULL; + + evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); + if (evp_ctx == NULL) + { + return -1; + } + + EVP_PKEY_keygen_init(evp_ctx); 
+ EVP_PKEY_CTX_set_rsa_keygen_bits(evp_ctx, KEY_LEN); + + EVP_PKEY_keygen(evp_ctx, &ppkey); + if (ppkey == NULL) + { + EVP_PKEY_CTX_free(evp_ctx); + return -1; + } + + bio = BIO_new(BIO_s_mem()); + if (bio) + { + PEM_write_bio_PUBKEY(bio, ppkey); + BIO_get_mem_ptr(bio, &pub_buf); + if (pub_buf) + { + *public_key = strdup(pub_buf->data); + BUF_MEM_free(pub_buf); + } + BIO_free(bio); + } + + bio = BIO_new(BIO_s_mem()); + if (bio) + { + PEM_write_bio_PrivateKey(bio, ppkey, NULL, NULL, 0, 0, NULL); + BIO_get_mem_ptr(bio, &pri_buf); + if (&pri_buf) + { + *private_key = strdup(pub_buf->data); + BUF_MEM_free(pri_buf); + } + BIO_free(bio); + } + + EVP_PKEY_free(ppkey); + EVP_PKEY_CTX_free(evp_ctx); + + if (*public_key == NULL || + *private_key == NULL) + { + if (*public_key) + { + free(*public_key); + *public_key = NULL; + } + + if (*private_key) + { + free(*private_key); + *private_key = NULL; + } + + return -1; + } + + return 0; +} -- Gitee From c7bec26777d9041344e47dfe29fcff57d261396a Mon Sep 17 00:00:00 2001 From: luoqing Date: Tue, 17 Aug 2021 17:38:58 +0800 Subject: [PATCH 11/20] fix(kiran-authentication-service): fix the free error and pam settings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 修改BIO内存释放错误问题和修改pam认证配置文件 Related #38334 Signed-off-by: wangxiaoqing --- data/kiran-auth-service | 3 ++- src/kiran-auth-service.c | 8 ++++++++ src/kiran-authentication.c | 2 -- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/data/kiran-auth-service b/data/kiran-auth-service index 8a8cc7c..b425f49 100644 --- a/data/kiran-auth-service +++ b/data/kiran-auth-service @@ -1,2 +1,3 @@ #%PAM-1.0 -auth required pam_unix.so +auth include system-auth +auth optional pam_gnome_keyring.so diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index 9898f10..c5a628a 100644 --- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c 
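Review bot: kiran_authentication_rsa_key_gen exports the wrong key: in the private-key branch `*private_key = strdup(pub_buf->data);` copies the public PEM, and does so after `BUF_MEM_free(pub_buf)` and `BIO_free(bio)` released that buffer, so it is a use-after-free as well (and the two frees of the same `BUF_MEM` are a double free); `if (&pri_buf)` takes the address of a local and is always true, and `strdup` on a memory-BIO `BUF_MEM` over-reads because its data is not NUL-terminated — the rewrite below uses `pri_buf`, copies `length` bytes and lets `BIO_free` own the buffer. In `create_RSA` the `keybio` is never freed and the `RSA` it returns is never passed to `RSA_free` by either caller, so every encrypt/decrypt call leaks a key object and a BIO; `create_RSA` should also be `static`. kiran_authentication_rsa_private_decrypt returns with the plaintext password still in the stack `buf` — add `OPENSSL_cleanse(buf, sizeof buf);` before returning — and hands back `malloc(result)` bytes with no terminator, which the header comment should state. `RSA_PKCS1_PADDING` selects PKCS#1 v1.5, which OpenSSL advises against for new code in favour of `RSA_PKCS1_OAEP_PADDING`, the whole `RSA_*` family is deprecated in OpenSSL 3.0 in favour of `EVP_PKEY_encrypt`/`EVP_PKEY_decrypt`, and the keygen return codes (`EVP_PKEY_keygen_init`, `EVP_PKEY_CTX_set_rsa_keygen_bits`, `EVP_PKEY_keygen`) are unchecked.
```c
/* … unchanged: context creation and EVP_PKEY_keygen … */
bio = BIO_new(BIO_s_mem());
if (bio)
{
    if (PEM_write_bio_PUBKEY(bio, ppkey) == 1)
    {
        BIO_get_mem_ptr(bio, &pub_buf);
        /* memory-BIO data is not NUL-terminated: copy exactly length bytes */
        if (pub_buf)
        {
            *public_key = strndup(pub_buf->data, pub_buf->length);
        }
    }
    BIO_free(bio); /* releases pub_buf with the BIO; no separate BUF_MEM_free */
    pub_buf = NULL;
}

bio = BIO_new(BIO_s_mem());
if (bio)
{
    if (PEM_write_bio_PrivateKey(bio, ppkey, NULL, NULL, 0, 0, NULL) == 1)
    {
        BIO_get_mem_ptr(bio, &pri_buf);
        if (pri_buf)
        {
            *private_key = strndup(pri_buf->data, pri_buf->length);
        }
    }
    BIO_free(bio);
    pri_buf = NULL;
}
/* … unchanged: EVP_PKEY_free / EVP_PKEY_CTX_free and the NULL-key cleanup … */
```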
@@ -888,8 +888,16 @@ kiran_auth_service_handle_response_message(KiranAuthenticationGen *object, g_mutex_unlock(&session->prompt_mutex); g_free(decrypted); } + else + { + dzlog_error("Decrypted response message failed with sid: %s", arg_sid); + } g_free(decode_message); } + else + { + dzlog_error("Decode response message failed with sid: %s", arg_sid); + } } kiran_authentication_gen_complete_response_message(object, invocation); diff --git a/src/kiran-authentication.c b/src/kiran-authentication.c index 386d95a..24303ca 100644 --- a/src/kiran-authentication.c +++ b/src/kiran-authentication.c @@ -134,7 +134,6 @@ kiran_authentication_rsa_key_gen(char **public_key, char **private_key) if (pub_buf) { *public_key = strdup(pub_buf->data); - BUF_MEM_free(pub_buf); } BIO_free(bio); } @@ -147,7 +146,6 @@ kiran_authentication_rsa_key_gen(char **public_key, char **private_key) if (&pri_buf) { *private_key = strdup(pub_buf->data); - BUF_MEM_free(pri_buf); } BIO_free(bio); } -- Gitee From daefc64e490e94010d866e222f7241f6aa408673 Mon Sep 17 00:00:00 2001 From: luoqing Date: Mon, 23 Aug 2021 10:01:36 +0800 Subject: [PATCH 12/20] feature(kiran-authentication-service): enable finger auth from settings file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 通过读取生物认证服务配置文件的指纹认证开关来确定是否开启指纹认证 Related #38334 Signed-off-by: wangxiaoqing --- src/kiran-auth-service.c | 53 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index c5a628a..bba7213 100644 --- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c @@ -18,6 +18,10 @@ #define CONF_FILE "/etc/kiran-authentication-service/custom.conf" #define SERVICE "kiran-auth-service" +#define KIRAN_BIO_SETTING_FILE "/etc/kiran-biometrics/settings.conf" +#define SUPPORT_FINGER_KEY "SupportFinger" +#define SUPPORT_FACE_KEY "SupportFace" + typedef struct _AuthSession AuthSession; /* 
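Review bot: Removing the two `BUF_MEM_free` calls fixes the double free, but `*private_key = strdup(pub_buf->data);` in the `@@ -147,7 +146,6 @@` hunk still reads `pub_buf`, which the first `BIO_free(bio)` released together with its `BUF_MEM`, so the session ends up with a dangling read and a copy of the public key as its decrypt key; it should read `*private_key = strndup(pri_buf->data, pri_buf->length);`. The guard `if (&pri_buf)` takes the address of a local and is always true — `if (pri_buf)` — and the public-key branch should likewise use `strndup(pub_buf->data, pub_buf->length)`, because memory-BIO data carries no NUL terminator. kiran_authentication_rsa_key_gen starts above these hunks.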
@@ -79,6 +83,11 @@ struct _KiranAuthServicePrivate AuthSession *cur_fprint_session; GDBusConnection *connection; + + //指纹支持 + gboolean support_finger; + //人脸支持 + gboolean support_face; }; static void kiran_authentication_gen_init(KiranAuthenticationGenIface *iface); @@ -150,6 +159,40 @@ default_session_auth_setting(KiranAuthService *service) priv->default_session_auth_type = session_auth_type; } +static void +init_bio_support(KiranAuthService *service) +{ + KiranAuthServicePrivate *priv = service->priv; + GKeyFile *key_file = NULL; + GError *error = NULL; + gboolean ret; + + key_file = g_key_file_new(); + + ret = g_key_file_load_from_file(key_file, + KIRAN_BIO_SETTING_FILE, + G_KEY_FILE_NONE, + &error); + if (!ret) + { + dzlog_error("Key file load fialed: %s", error->message); + g_error_free(error); + return; + } + + priv->support_finger = g_key_file_get_boolean(key_file, + "General", + "SupportFinger", + &error); + + priv->support_face = g_key_file_get_boolean(key_file, + "General", + "SupportFace", + NULL); + g_key_file_free(key_file); + key_file = NULL; +} + static void auth_session_free(gpointer data) { @@ -1026,6 +1069,7 @@ do_authentication(gpointer data, gpointer user_data) { KiranAuthService *service = KIRAN_AUTH_SERVICE(user_data); + KiranAuthServicePrivate *priv = service->priv; AuthSession *session = data; dzlog_debug("Start authentication with sid: %s, username:%s, authmode:%d, session_auth_type:%d, occupy:%d", @@ -1044,7 +1088,10 @@ do_authentication(gpointer data, SESSION_AUTH_METHOD_PASSWORD | SESSION_AUTH_METHOD_FINGERPRINT, session->sid); //启动指纹认证 - do_session_fingerprint_auth(service, session); + if (priv->support_finger) + { + do_session_fingerprint_auth(service, session); + } //启动密码认证 do_session_passwd_auth(service, session); 
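Review bot: init_bio_support defines `SUPPORT_FINGER_KEY`/`SUPPORT_FACE_KEY` in the `@@ -18,6 +18,10 @@` hunk of this patch but then passes the literals `"SupportFinger"` and `"SupportFace"` to `g_key_file_get_boolean`; use the macros so the key names live in one place. The first `g_key_file_get_boolean` is handed `&error` but the result is never inspected or freed, so a missing or malformed key leaks the `GError` and silently means "unsupported"; either pass `NULL` as the second call does or log and free it. The log string `"Key file load fialed: %s"` misspells "failed", and since both flags stay `FALSE` whenever the file cannot be read, that message should say fingerprint and face authentication are being disabled as a result so a packaging mistake in the settings file is visible.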
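Review bot: In the `@@ -1044,7 +1088,10 @@` hunk the fingerprint start is now gated on `priv->support_finger`, but the `kiran_authentication_gen_emit_auth_method_changed` call just above it still advertises `SESSION_AUTH_METHOD_PASSWORD | SESSION_AUTH_METHOD_FINGERPRINT`, so the client is told fingerprint is active when nothing will ever read the sensor. Compute the mask once, e.g. `guint methods = SESSION_AUTH_METHOD_PASSWORD | (priv->support_finger ? SESSION_AUTH_METHOD_FINGERPRINT : 0);`, and pass it to the emit; the second emit in do_authentication (seen in patch 08, outside this hunk) presumably needs the same treatment. do_authentication continues past the hunk.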
@@ -1097,6 +1144,10 @@ kiran_auth_service_init(KiranAuthService *self) priv->auth_list = NULL; priv->biometrics = NULL; priv->cur_fprint_session = NULL; + priv->support_finger = FALSE; + priv->support_face = FALSE; + + init_bio_support(self); default_session_auth_setting(self); priv->auth_thread_pool = g_thread_pool_new(do_authentication, -- Gitee From 0da01fcd4fb299fdddf4d61f931c950237e9f355 Mon Sep 17 00:00:00 2001 From: luoqing Date: Mon, 23 Aug 2021 10:35:27 +0800 Subject: [PATCH 13/20] fix(kiran-authentication-service): not send emit auth state when stop auth MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 当取消认证时,不再发送认证结果信息 Related #38334 Signed-off-by: wangxiaoqing --- src/kiran-auth-service.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index bba7213..d60c41b 100644 --- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c @@ -63,6 +63,9 @@ struct _AuthSession //解密私钥 char *key; + + //是否认证结束 + gboolean auth_completed; }; struct _KiranAuthServicePrivate @@ -258,7 +261,8 @@ verify_fprint_status_cb(KiranBiometrics *object, KiranAuthServicePrivate *priv = service->priv; AuthSession *session = priv->cur_fprint_session; - if (!session) + //认证结束 + if (!session || session->auth_completed) { return; } @@ -422,6 +426,8 @@ auth_session_stop(KiranAuthService *service, dzlog_debug("Session %s stop begin", session->sid); + session->auth_completed = TRUE; + if (session == priv->cur_fprint_session) { //停止指纹认证 @@ -839,6 +845,7 @@ kiran_auth_service_handle_start_auth(KiranAuthenticationGen *object, session->occupy = arg_occupy; session->stop_auth = FALSE; session->service = service; + session->auth_completed = FALSE; g_mutex_init(&session->prompt_mutex); g_cond_init(&session->prompt_cond); 
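Review bot: `session->auth_completed` is written by auth_session_stop (the `@@ -422,6 +426,8 @@` hunk, presumably on the D-Bus thread) and read here in verify_fprint_status_cb and in do_session_passwd_auth (the `@@ -1022,11 +1029,14 @@` hunk of this patch) on the auth thread with no lock or atomic, which is a data race; use `g_atomic_int_set(&session->auth_completed, TRUE)` and `g_atomic_int_get(&session->auth_completed)`, or read it under `prompt_mutex`. Even then the check-then-emit in do_session_passwd_auth can interleave with a stop that lands between the test and the emit, so a late `auth_status` signal can still reach a client that has already called StopAuth; that is tolerable only if clients ignore signals for a sid they have dropped, and a comment at the check should say so. The enclosing functions begin outside these hunks.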
@@ -1022,11 +1029,14 @@ do_session_passwd_auth(KiranAuthService *service, state = SESSION_AUTH_SUCCESS; } - pam_get_item(session->pam_handle, PAM_USER, &user); - kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), - user, - state, - session->sid); + if (!session->auth_completed) + { + pam_get_item(session->pam_handle, PAM_USER, &user); + kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), + user, + state, + session->sid); + } pam_end(session->pam_handle, 0); session->pam_handle = NULL; -- Gitee From 5700c587ab0e98229ea40ae5da1054cabfbc21ca Mon Sep 17 00:00:00 2001 From: luoqing Date: Mon, 23 Aug 2021 11:08:49 +0800 Subject: [PATCH 14/20] fix(kiran-authentication-service): change the pam setting file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 修改pam配置文件,去掉账户锁定模块 Related #38334 Signed-off-by: wangxiaoqing --- data/kiran-auth-service | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/data/kiran-auth-service b/data/kiran-auth-service index b425f49..bf4f4b3 100644 --- a/data/kiran-auth-service +++ b/data/kiran-auth-service @@ -1,3 +1,6 @@ #%PAM-1.0 -auth include system-auth -auth optional pam_gnome_keyring.so +auth required pam_env.so +auth sufficient pam_unix.so nullok try_first_pass debug +auth requisite pam_succeed_if.so uid >= 1000 quiet_success +auth sufficient pam_sss.so forward_pass use_first_pass +auth required pam_deny.so -- Gitee From 5b987694780b58d0a420705f92d09978e1ec565c Mon Sep 17 00:00:00 2001 From: luoqing Date: Mon, 24 Jan 2022 15:17:13 +0800 Subject: [PATCH 15/20] feature(license): Add the Mulan license. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 添加木兰授权协议 
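Review bot: The new stack gives `pam_unix.so` the `nullok` option, which lets an account with an empty password field pass this service's authentication, and `debug`, which makes pam_unix write extra detail to syslog; neither is needed for an unlock/authentication path, and `nullok` should be dropped unless empty passwords are a deliberate policy. Replacing `include system-auth` with a private stack also means the distribution's policy (faillock/tally, pam_sss ordering, any pam_env settings) no longer applies to this service, and since the commit removes the lockout module on purpose, repeated failed attempts against it are now unthrottled; record that decision in a comment at the top of the file, or keep `pam_faillock.so preauth`/`authfail` lines in the stack.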
Signed-off-by: wangxiaoqing --- LICENSE | 127 +++++++++++++++++++++++++++++++++ src/authentication_i.h | 14 ++++ src/kiran-auth-service.c | 14 ++++ src/kiran-auth-service.h | 14 ++++ src/kiran-authentication.c | 14 ++++ src/main.c | 14 ++++ src/pam-kiran-authentication.c | 14 ++++ 7 files changed, 211 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..ee58399 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,127 @@ + 木兰宽松许可证, 第2版 + + 木兰宽松许可证, 第2版 + 2020年1月 http://license.coscl.org.cn/MulanPSL2 + + + 您对“软件”的复制、使用、修改及分发受木兰宽松许可证,第2版(“本许可证”)的如下条款的约束: + + 0. 定义 + + “软件”是指由“贡献”构成的许可在“本许可证”下的程序和相关文档的集合。 + + “贡献”是指由任一“贡献者”许可在“本许可证”下的受版权法保护的作品。 + + “贡献者”是指将受版权法保护的作品许可在“本许可证”下的自然人或“法人实体”。 + + “法人实体”是指提交贡献的机构及其“关联实体”。 + + “关联实体”是指,对“本许可证”下的行为方而言,控制、受控制或与其共同受控制的机构,此处的控制是指有受控方或共同受控方至少50%直接或间接的投票权、资金或其他有价证券。 + + 1. 授予版权许可 + + 每个“贡献者”根据“本许可证”授予您永久性的、全球性的、免费的、非独占的、不可撤销的版权许可,您可以复制、使用、修改、分发其“贡献”,不论修改与否。 + + 2. 授予专利许可 + + 每个“贡献者”根据“本许可证”授予您永久性的、全球性的、免费的、非独占的、不可撤销的(根据本条规定撤销除外)专利许可,供您制造、委托制造、使用、许诺销售、销售、进口其“贡献”或以其他方式转移其“贡献”。前述专利许可仅限于“贡献者”现在或将来拥有或控制的其“贡献”本身或其“贡献”与许可“贡献”时的“软件”结合而将必然会侵犯的专利权利要求,不包括对“贡献”的修改或包含“贡献”的其他结合。如果您或您的“关联实体”直接或间接地,就“软件”或其中的“贡献”对任何人发起专利侵权诉讼(包括反诉或交叉诉讼)或其他专利维权行动,指控其侵犯专利权,则“本许可证”授予您对“软件”的专利许可自您提起诉讼或发起维权行动之日终止。 + + 3. 无商标许可 + + “本许可证”不提供对“贡献者”的商品名称、商标、服务标志或产品名称的商标许可,但您为满足第4条规定的声明义务而必须使用除外。 + + 4. 分发限制 + + 您可以在任何媒介中将“软件”以源程序形式或可执行形式重新分发,不论修改与否,但您必须向接收者提供“本许可证”的副本,并保留“软件”中的版权、商标、专利及免责声明。 + + 5. 免责声明与责任限制 + + “软件”及其中的“贡献”在提供时不带任何明示或默示的担保。在任何情况下,“贡献者”或版权所有者不对任何人因使用“软件”或其中的“贡献”而引发的任何直接或间接损失承担责任,不论因何种原因导致或者基于何种法律理论,即使其曾被建议有此种损失的可能性。 + + 6. 语言 + “本许可证”以中英文双语表述,中英文版本具有同等法律效力。如果中英文版本存在任何冲突不一致,以中文版为准。 + + 条款结束 + + 如何将木兰宽松许可证,第2版,应用到您的软件 + + 如果您希望将木兰宽松许可证,第2版,应用到您的新软件,为了方便接收者查阅,建议您完成如下三步: + + 1, 请您补充如下声明中的空白,包括软件名、软件的首次发表年份以及您作为版权人的名字; + + 2, 请您在软件包的一级目录下创建以“LICENSE”为名的文件,将整个许可证文本放入该文件中; + + 3, 请将如下声明文本放入每个源文件的头部注释中。 + + Copyright (c) [Year] [name of copyright holder] + [Software Name] is licensed under Mulan PSL v2. + You can use this software according to the terms and conditions of the Mulan PSL v2. + You may obtain a copy of Mulan PSL v2 at: + http://license.coscl.org.cn/MulanPSL2 + THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + See the Mulan PSL v2 for more details. 
+ + + Mulan Permissive Software License,Version 2 + + Mulan Permissive Software License,Version 2 (Mulan PSL v2) + January 2020 http://license.coscl.org.cn/MulanPSL2 + + Your reproduction, use, modification and distribution of the Software shall be subject to Mulan PSL v2 (this License) with the following terms and conditions: + + 0. Definition + + Software means the program and related documents which are licensed under this License and comprise all Contribution(s). + + Contribution means the copyrightable work licensed by a particular Contributor under this License. + + Contributor means the Individual or Legal Entity who licenses its copyrightable work under this License. + + Legal Entity means the entity making a Contribution and all its Affiliates. + + Affiliates means entities that control, are controlled by, or are under common control with the acting entity under this License, ‘control’ means direct or indirect ownership of at least fifty percent (50%) of the voting power, capital or other securities of controlled or commonly controlled entity. + + 1. Grant of Copyright License + + Subject to the terms and conditions of this License, each Contributor hereby grants to you a perpetual, worldwide, royalty-free, non-exclusive, irrevocable copyright license to reproduce, use, modify, or distribute its Contribution, with modification or not. + + 2. Grant of Patent License + + Subject to the terms and conditions of this License, each Contributor hereby grants to you a perpetual, worldwide, royalty-free, non-exclusive, irrevocable (except for revocation under this Section) patent license to make, have made, use, offer for sale, sell, import or otherwise transfer its Contribution, where such patent license is only limited to the patent claims owned or controlled by such Contributor now or in future which will be necessarily infringed by its Contribution alone, or by combination of the Contribution with the Software to which the Contribution was contributed. 
The patent license shall not apply to any modification of the Contribution, and any other combination which includes the Contribution. If you or your Affiliates directly or indirectly institute patent litigation (including a cross claim or counterclaim in a litigation) or other patent enforcement activities against any individual or entity by alleging that the Software or any Contribution in it infringes patents, then any patent license granted to you under this License for the Software shall terminate as of the date such litigation or activity is filed or taken. + + 3. No Trademark License + + No trademark license is granted to use the trade names, trademarks, service marks, or product names of Contributor, except as required to fulfill notice requirements in Section 4. + + 4. Distribution Restriction + + You may distribute the Software in any medium with or without modification, whether in source or executable forms, provided that you provide recipients with a copy of this License and retain copyright, patent, trademark and disclaimer statements in the Software. + + 5. Disclaimer of Warranty and Limitation of Liability + + THE SOFTWARE AND CONTRIBUTION IN IT ARE PROVIDED WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL ANY CONTRIBUTOR OR COPYRIGHT HOLDER BE LIABLE TO YOU FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO ANY DIRECT, OR INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING FROM YOUR USE OR INABILITY TO USE THE SOFTWARE OR THE CONTRIBUTION IN IT, NO MATTER HOW IT’S CAUSED OR BASED ON WHICH LEGAL THEORY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + + 6. Language + + THIS LICENSE IS WRITTEN IN BOTH CHINESE AND ENGLISH, AND THE CHINESE VERSION AND ENGLISH VERSION SHALL HAVE THE SAME LEGAL EFFECT. IN THE CASE OF DIVERGENCE BETWEEN THE CHINESE AND ENGLISH VERSIONS, THE CHINESE VERSION SHALL PREVAIL. 
+ + END OF THE TERMS AND CONDITIONS + + How to Apply the Mulan Permissive Software License,Version 2 (Mulan PSL v2) to Your Software + + To apply the Mulan PSL v2 to your work, for easy identification by recipients, you are suggested to complete following three steps: + + i Fill in the blanks in following statement, including insert your software name, the year of the first publication of your software, and your name identified as the copyright owner; + + ii Create a file named “LICENSE” which contains the whole context of this License in the first directory of your software package; + + iii Attach the statement to the appropriate annotated syntax at the beginning of each source file. + + + Copyright (c) [Year] [name of copyright holder] + [Software Name] is licensed under Mulan PSL v2. + You can use this software according to the terms and conditions of the Mulan PSL v2. + You may obtain a copy of Mulan PSL v2 at: + http://license.coscl.org.cn/MulanPSL2 + THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + See the Mulan PSL v2 for more details. diff --git a/src/authentication_i.h b/src/authentication_i.h index 74cba7c..9173b11 100644 --- a/src/authentication_i.h +++ b/src/authentication_i.h 
@@ -1,3 +1,17 @@ +/** + * Copyright (c) 2020 ~ 2021 KylinSec Co., Ltd. + * kiran-cc-daemon is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: wangxiaoqing + */ + /** *@file authentication_i.h *@brief 认证服务头文件 diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index d60c41b..a41c89a 100644 --- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c @@ -1,3 +1,17 @@ +/** + * Copyright (c) 2020 ~ 2021 KylinSec Co., Ltd. + * kiran-cc-daemon is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: wangxiaoqing + */ + /** *@file kiran-auth-service.c *@brief 实现DBus服务的认证接口 diff --git a/src/kiran-auth-service.h b/src/kiran-auth-service.h index 37b40c5..6ced58d 100644 --- a/src/kiran-auth-service.h +++ b/src/kiran-auth-service.h 
@@ -1,3 +1,17 @@ +/** + * Copyright (c) 2020 ~ 2021 KylinSec Co., Ltd. + * kiran-cc-daemon is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: wangxiaoqing + */ + /** *@file kiran-auth-service.h *@brief 实现DBus服务的认证接口 diff --git a/src/kiran-authentication.c b/src/kiran-authentication.c index 24303ca..73514ec 100644 --- a/src/kiran-authentication.c +++ b/src/kiran-authentication.c @@ -1,3 +1,17 @@ +/** + * Copyright (c) 2020 ~ 2021 KylinSec Co., Ltd. + * kiran-cc-daemon is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: wangxiaoqing + */ + #include #include #include diff --git a/src/main.c b/src/main.c index 5dbf649..d35501e 100644 --- a/src/main.c +++ b/src/main.c 
@@ -1,3 +1,17 @@ +/** + * Copyright (c) 2020 ~ 2021 KylinSec Co., Ltd. + * kiran-cc-daemon is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: wangxiaoqing + */ + #include #include #include diff --git a/src/pam-kiran-authentication.c b/src/pam-kiran-authentication.c index d9a5ec9..a159f84 100644 --- a/src/pam-kiran-authentication.c +++ b/src/pam-kiran-authentication.c @@ -1,3 +1,17 @@ +/** + * Copyright (c) 2020 ~ 2021 KylinSec Co., Ltd. + * kiran-cc-daemon is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: wangxiaoqing + */ + #include #include #include -- Gitee From 2e76ac1c3f92c075381a46ab8db9608f7ad7bdfd Mon Sep 17 00:00:00 2001 From: luoqing Date: Tue, 25 Jan 2022 16:46:27 +0800 Subject: [PATCH 16/20] fix(kiran-authentication-service): Add the enable zlog ex macro for zlog MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 添加ENABLE_ZLOG_EX宏来兼容不同版本的zlog Signed-off-by: wangxiaoqing --- src/CMakeLists.txt | 13 ++++++++++++- src/kiran-auth-service.c | 4 ++++ src/main.c | 16 ++++++++++++---- 3 files changed, 28 insertions(+), 5 deletions(-) 
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index bfee007..b9bb3dc 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -4,10 +4,21 @@ find_package (OpenSSL REQUIRED) pkg_check_modules (GLIB2 REQUIRED glib-2.0) pkg_check_modules (GIO REQUIRED gio-2.0) pkg_check_modules (GIO_UNIX REQUIRED gio-unix-2.0) -pkg_check_modules (ZLOG REQUIRED zlog) pkg_check_modules (GLIB_JSON REQUIRED json-glib-1.0) pkg_check_modules (KIRAN_CC_DAEMON REQUIRED kiran-cc-daemon) +if (ENABLE_ZLOG_EX) + pkg_search_module(ZLOG REQUIRED zlog) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DENABLE_ZLOG_EX") +else() + find_library(ZLOG_LIBRARY zlog) + set (ZLOG_INCLUDE_DIRS "") + set (ZLOG_LIBRARIES "${ZLOG_LIBRARY}") +endif() + +message("found zlog dirs: ${ZLOG_INCLUDE_DIRS}") +message("found zlog libs: ${ZLOG_LIBRARIES}") + find_library(PAM_LIBRARY pam) find_program(GDBUS_CODEGEN "gdbus-codegen") diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index a41c89a..3a4408d 100644 --- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c @@ -22,7 +22,11 @@ #include #include #include +#ifdef ENABLE_ZLOG_EX #include +#else +#include +#endif #include "authentication_i.h" #include "kiran-accounts-gen.h" #include "kiran-biometrics-gen.h" diff --git a/src/main.c b/src/main.c index d35501e..d64b571 100644 --- a/src/main.c +++ b/src/main.c @@ -14,7 +14,11 @@ #include #include +#ifdef ENABLE_ZLOG_EX #include +#else +#include +#endif #include "kiran-auth-service.h" int main(int argc, char *argv[]) 
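Review bot: The non-ZLOG_EX branch calls `find_library(ZLOG_LIBRARY zlog)` without checking the result, so a missing library only surfaces as `ZLOG_LIBRARY-NOTFOUND` on the link line, whereas the replaced `pkg_check_modules (ZLOG REQUIRED zlog)` failed at configure time; add `if (NOT ZLOG_LIBRARY) message(FATAL_ERROR "zlog library not found") endif()` right after the lookup. The two bare `message(...)` calls print as notices; `message(STATUS ...)` is the conventional form for reporting found paths. Injecting `-DENABLE_ZLOG_EX` by appending to `CMAKE_C_FLAGS` also leaks into every target configured afterwards; `add_definitions(-DENABLE_ZLOG_EX)` or a per-target `target_compile_definitions` keeps the flag scoped.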
@@ -25,11 +29,15 @@ int main(int argc, char *argv[]) setlocale(LC_CTYPE, ""); setlocale(LC_MESSAGES, ""); - if (dzlog_init_ex(NULL, - "kylinsec-system-app", - "kiran-authentication", - "kiran_authentication_manager") < 0) +#ifdef ENABLE_ZLOG_EX + if (dzlog_init_ex (NULL, "kylinsec-system", "kiran-biometrics", "kiran_biometrics_manager") < 0) +#else + if (dzlog_init("/etc/zlog.conf", "kylinsec-system") < 0) +#endif + { + g_error ("zlog init failed!"); return -1; + } #if !GLIB_CHECK_VERSION(2, 36, 0) g_type_init(); -- Gitee From 30a62bd70e52b150bdc20a602fbe1ddb1120b52a Mon Sep 17 00:00:00 2001 From: luoqing Date: Tue, 8 Mar 2022 10:21:36 +0800 Subject: [PATCH 17/20] fix(kiran-authentication-service): Not let user fingerprint login when user not turn on fingerprint authentication MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 当用户未开启指纹认证时,禁止用户指纹登录 Related #50163 Signed-off-by: wangxiaoqing --- CMakeLists.txt | 2 +- po/CMakeLists.txt | 4 ++++ po/zh_CN.po | 27 ++++++++++++++++++++++++++ src/CMakeLists.txt | 2 ++ src/config.h.in | 7 +++++++ src/kiran-auth-service.c | 41 ++++++++++++++++++++++++++++++++-------- src/main.c | 7 ++++++- 7 files changed, 80 insertions(+), 10 deletions(-) create mode 100644 po/CMakeLists.txt create mode 100644 po/zh_CN.po create mode 100644 src/config.h.in diff --git a/CMakeLists.txt b/CMakeLists.txt index cf3dae0..4d55917 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -19,4 +19,4 @@ set(INSTALL_BINDIR ${CMAKE_INSTALL_PREFIX}/libexec) add_subdirectory(src) add_subdirectory(data) -#add_subdirectory(pam) +add_subdirectory(po) diff --git a/po/CMakeLists.txt b/po/CMakeLists.txt new file mode 100644 index 0000000..0050110 --- /dev/null +++ b/po/CMakeLists.txt 
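Review bot: `g_error ("zlog init failed!");` is fatal in GLib (G_LOG_LEVEL_ERROR always aborts after logging), so the `return -1;` kept inside the new block is unreachable and a missing zlog configuration now ends the daemon with an abort and core dump instead of a clean non-zero exit. If the intent is the exit code, use `g_printerr ("zlog init failed!\n");` (or `g_warning`) before `return -1;`; if the intent is to abort, drop the `return`. Note that dzlog_* cannot be used for this message because zlog is exactly what failed to initialise. main() continues outside the hunk.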
@@ -0,0 +1,4 @@ +find_program (MSGFMT NAMES "msgfmt") + +add_custom_target (ZH_MO ALL ${MSGFMT} zh_CN.po -D ../../po -o ${PROJECT_BINARY_DIR}/zh_CN.mo) +install(FILES ${PROJECT_BINARY_DIR}/zh_CN.mo DESTINATION ${CMAKE_INSTALL_PREFIX}/share/locale/zh_CN/LC_MESSAGES/ RENAME ${PROJECT_NAME}.mo) diff --git a/po/zh_CN.po b/po/zh_CN.po new file mode 100644 index 0000000..7d05181 --- /dev/null +++ b/po/zh_CN.po @@ -0,0 +1,27 @@ +# kiran biometrics package simplified Chinese translation file. +# Copyright (C) 2020 wangxiaoqing . +# This file is distributed under the same license as the kiran-calendar package. +# wangxiaoqing , 2020. +# +msgid "" +msgstr "" +"Project-Id-Version: authentication-service\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2021-03-26 16:49+0800\n" +"PO-Revision-Date: 2020-06-28 19:05+0700\n" +"Last-Translator: wangxiaoqing \n" +"Language-Team: wangxiaoqing \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Poedit-Language: Chinese\n" +"X-Poedit-Country: CHINA\n" + +msgid "User %s does not turn on fingerprint authentication, place again!" +msgstr "用户%s没有开启指纹认证,请重新录入!" + +msgid "The fingerprint is not bound to a user, place again!" +msgstr "当前指纹未绑定系统用户, 请重新录入!" + diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index b9bb3dc..13f4ce4 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -48,6 +48,8 @@ add_custom_command(OUTPUT kiran-biometrics-gen.c kiran-biometrics-gen.h DEPENDS ${PROJECT_SOURCE_DIR}/data/com.kylinsec.Kiran.SystemDaemon.Biometrics.xml ) +configure_file(${SRC_DIR}/config.h.in config.h) + include_directories(${CMAKE_CURRENT_SOURCE_DIR}) include_directories(${CMAKE_CURRENT_BINARY_DIR}) diff --git a/src/config.h.in b/src/config.h.in new file mode 100644 index 0000000..deb5333 --- /dev/null +++ b/src/config.h.in 
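Review bot: `find_program (MSGFMT NAMES "msgfmt")` is neither marked REQUIRED nor checked, so on a build host without gettext the custom target runs the literal `MSGFMT-NOTFOUND` and the failure only shows up at build time; add `REQUIRED` (CMake ≥ 3.18) or `if (NOT MSGFMT) message(FATAL_ERROR "msgfmt not found") endif()` after the lookup. The install rule also hard-codes `${CMAKE_INSTALL_PREFIX}/share/locale`; deriving it from the same variable that config.h.in uses for LOCALEDIR keeps the install path and the runtime lookup path in step.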
@@ -0,0 +1,7 @@ +#ifndef __CONFIG_H__ +#define __CONFIG_H__ + +#define GETTEXT_PACKAGE "@PROJECT_NAME@" +#define LOCALEDIR "@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_DATADIR@/locale" + +#endif /* __CONFIG_H__ */ diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index 3a4408d..0ec3965 100644 --- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c @@ -22,6 +22,7 @@ #include #include #include +#include #ifdef ENABLE_ZLOG_EX #include #else @@ -320,6 +321,10 @@ verify_fprint_status_cb(KiranBiometrics *object, { dzlog_error("find fingerprint id with user fail: %s", error->message); g_error_free(error); + kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), + _("The fingerprint is not bound to a user, place again!"), + PAM_TEXT_INFO, + session->sid); } else { 
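Review bot: `LOCALEDIR` is assembled from `@CMAKE_INSTALL_DATADIR@`, a variable that only exists after `include(GNUInstallDirs)` (not visible in this series), while po/CMakeLists.txt installs the catalogue under the literal `${CMAKE_INSTALL_PREFIX}/share/locale`; if the variable is unset the macro expands to `<prefix>//locale`, `bindtextdomain()` never finds the .mo file and the PAM messages added in this patch silently stay untranslated. Either define it as `"@CMAKE_INSTALL_PREFIX@/share/locale"` to match the install rule, or use `CMAKE_INSTALL_FULL_LOCALEDIR` from GNUInstallDirs in both places. Separately, `__CONFIG_H__` is a reserved identifier (leading double underscore); a guard such as `KIRAN_AUTH_CONFIG_H` avoids the clash.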
@@ -341,20 +346,40 @@ verify_fprint_status_cb(KiranBiometrics *object, else { const gchar *username; + gint authmode; username = kiran_accounts_user_get_user_name(user); + authmode = kiran_accounts_user_get_auth_modes(user); if (username) { dzlog_debug("get fingerprint user name %s", username); - //停止指纹认证 - kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); - priv->cur_fprint_session = NULL; - //指纹认证成功 - kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), - username, - SESSION_AUTH_SUCCESS, - session->sid); + + //该用户支持指纹登录 + if (authmode & ACCOUNTS_AUTH_MODE_FINGERPRINT) + { + //停止指纹认证 + kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); + priv->cur_fprint_session = NULL; + //指纹认证成功 + kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), + username, + SESSION_AUTH_SUCCESS, + session->sid); + } + else + { + char *msg; + + dzlog_debug("User %s does not turn on fingerprint authentication", username); + + msg = g_strdup_printf(_("User %s does not turn on fingerprint authentication, place again!"), username); + kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), + msg, + PAM_TEXT_INFO, + session->sid); + g_free(msg); + } } g_object_unref(user); diff --git a/src/main.c b/src/main.c index d64b571..4d42f1c 100644 --- a/src/main.c +++ b/src/main.c @@ -20,6 +20,7 @@ #include #endif #include "kiran-auth-service.h" +#include "config.h" int main(int argc, char *argv[]) { 
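Review bot: The new else-branch sends `User %s does not turn on fingerprint authentication` as a PAM_TEXT_INFO message to a session that has not authenticated, so anyone who presents a finger at the login screen learns which local account that fingerprint is enrolled for, even though the owner explicitly disabled fingerprint login for it. The account name belongs in the `dzlog_debug` line only; the prompt should be generic and not interpolate `username`, e.g. `_("Fingerprint authentication is not enabled for this account, place again!")`, which also removes the `g_strdup_printf`/`g_free` pair. This is consistent with the unbound-fingerprint case above, which already reveals nothing about the match. verify_fprint_status_cb starts and ends outside this hunk.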
@@ -28,9 +29,13 @@ int main(int argc, char *argv[]) setlocale(LC_CTYPE, ""); setlocale(LC_MESSAGES, ""); + setlocale(LC_ALL, ""); + bindtextdomain (GETTEXT_PACKAGE, LOCALEDIR); + bind_textdomain_codeset (GETTEXT_PACKAGE, "UTF-8"); + textdomain (GETTEXT_PACKAGE); #ifdef ENABLE_ZLOG_EX - if (dzlog_init_ex (NULL, "kylinsec-system", "kiran-biometrics", "kiran_biometrics_manager") < 0) + if (dzlog_init_ex (NULL, "kylinsec-system", "kiran-authentication-service", "kiran_authentication_service") < 0) #else if (dzlog_init("/etc/zlog.conf", "kylinsec-system") < 0) #endif -- Gitee From ac226f5b1da9da562d79f8f6031a08929b63e535 Mon Sep 17 00:00:00 2001 From: luoqing Date: Wed, 9 Mar 2022 16:11:32 +0800 Subject: [PATCH 18/20] fix(kiran-authentication-service): Let user can bind multiple fingerprit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 让用户可以可以同时绑定多个指纹 Related #38334 Signed-off-by: wangxiaoqing --- po/zh_CN.po | 6 + src/kiran-auth-service.c | 286 +++++++++++++++++++++------------------ 2 files changed, 160 insertions(+), 132 deletions(-) diff --git a/po/zh_CN.po b/po/zh_CN.po index 7d05181..d2eaf08 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po @@ -25,3 +25,9 @@ msgstr "用户%s没有开启指纹认证,请重新录入!" msgid "The fingerprint is not bound to a user, place again!" msgstr "当前指纹未绑定系统用户, 请重新录入!" +msgid "User and fprint not math, place again!" +msgstr "用户和当前指纹不匹配,请重新录入!" + +msgid "Fingerprint auth successed!" +msgstr "指纹认证成功!" + diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index 0ec3965..7c217be 100644 --- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c @@ -61,7 +61,7 @@ struct _AuthSession //是否抢占设备 gboolean occupy; //绑定指纹的id - char *fprint_id; + GList *fprint_ids; //是否已经开始认证 gboolean is_start; @@ -85,6 +85,8 @@ struct _AuthSession //是否认证结束 gboolean auth_completed; + GCond auth_cond; + GMutex auth_mutex; }; struct _KiranAuthServicePrivate 
@@ -224,10 +226,12 @@ auth_session_free(gpointer data) g_cond_clear(&session->prompt_cond); g_mutex_clear(&session->stop_mutex); g_cond_clear(&session->stop_cond); + g_mutex_clear(&session->auth_mutex); + g_cond_clear(&session->auth_cond); g_free(session->username); g_free(session->sender); - g_free(session->fprint_id); + g_list_free_full(session->fprint_ids, g_free); g_free(session->key); g_free(session); } @@ -268,6 +272,12 @@ kiran_auth_service_finalize(GObject *object) G_OBJECT_CLASS(kiran_auth_service_parent_class)->finalize(object); } +static gint +id_compare(const gchar* a, const gchar *b) +{ + return g_strcmp0(a, b); +} + static void verify_fprint_status_cb(KiranBiometrics *object, const gchar *arg_result, 
@@ -299,144 +309,144 @@ verify_fprint_status_cb(KiranBiometrics *object, arg_result, PAM_TEXT_INFO, session->sid); + return; } if (session->session_auth_type == SESSION_AUTH_TYPE_TOGETHER) { - if (arg_found) + KiranAccountsUser *user = NULL; + GError *error = NULL; + gchar *path = NULL; + + //查找绑定的用户 + kiran_accounts_call_find_user_by_auth_data_sync(priv->accounts, + ACCOUNTS_AUTH_MODE_FINGERPRINT, + arg_id, + &path, + NULL, + &error); + + if (path == NULL) + { + dzlog_error("find fingerprint id with user fail: %s", error->message); + g_error_free(error); + kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), + _("The fingerprint is not bound to a user, place again!"), + PAM_TEXT_INFO, + session->sid); + } + else { - KiranAccountsUser *user = NULL; - GError *error = NULL; - gchar *path = NULL; - - //查找绑定的用户 - kiran_accounts_call_find_user_by_auth_data_sync(priv->accounts, - ACCOUNTS_AUTH_MODE_FINGERPRINT, - arg_id, - &path, - NULL, - &error); - - if (path == NULL) + dzlog_debug("find fingerprint id %s with user path %s\n", arg_id, path); + + error = NULL; + user = kiran_accounts_user_proxy_new_sync(priv->connection, + G_BUS_NAME_WATCHER_FLAGS_NONE, + ACCOUNTS_DBUS_INTERFACE_NAME, + path, + NULL, + &error); + + if (user == NULL) { - dzlog_error("find fingerprint id with user fail: %s", error->message); + dzlog_error("Error with getting the bus: %s", error->message); g_error_free(error); - kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), - _("The fingerprint is not bound to a user, place again!"), - PAM_TEXT_INFO, - session->sid); } else { - dzlog_debug("find fingerprint id %s with user path %s\n", arg_id, path); + const gchar *username; + gint authmode; - error = NULL; - user = kiran_accounts_user_proxy_new_sync(priv->connection, - G_BUS_NAME_WATCHER_FLAGS_NONE, - ACCOUNTS_DBUS_INTERFACE_NAME, - path, - NULL, - &error); + username = kiran_accounts_user_get_user_name(user); + authmode = 
kiran_accounts_user_get_auth_modes(user); - if (user == NULL) - { - dzlog_error("Error with getting the bus: %s", error->message); - g_error_free(error); - } - else + if (username) { - const gchar *username; - gint authmode; - - username = kiran_accounts_user_get_user_name(user); - authmode = kiran_accounts_user_get_auth_modes(user); - - if (username) - { - dzlog_debug("get fingerprint user name %s", username); - - //该用户支持指纹登录 - if (authmode & ACCOUNTS_AUTH_MODE_FINGERPRINT) - { - //停止指纹认证 - kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); - priv->cur_fprint_session = NULL; - //指纹认证成功 - kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), - username, - SESSION_AUTH_SUCCESS, - session->sid); - } - else - { - char *msg; - - dzlog_debug("User %s does not turn on fingerprint authentication", username); - - msg = g_strdup_printf(_("User %s does not turn on fingerprint authentication, place again!"), username); - kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), - msg, - PAM_TEXT_INFO, - session->sid); - g_free(msg); - } - - } - g_object_unref(user); + dzlog_debug("get fingerprint user name %s", username); + + //该用户支持指纹登录 + if (authmode & ACCOUNTS_AUTH_MODE_FINGERPRINT) + { + //停止指纹认证 + kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); + priv->cur_fprint_session = NULL; + //指纹认证成功 + kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), + username, + SESSION_AUTH_SUCCESS, + session->sid); + } + else + { + char *msg; + + dzlog_debug("User %s does not turn on fingerprint authentication", username); + + msg = g_strdup_printf(_("User %s does not turn on fingerprint authentication, place again!"), username); + kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), + msg, + PAM_TEXT_INFO, + session->sid); + g_free(msg); + } } + g_object_unref(user); } - - g_free(path); - } - } - else if (session->session_auth_type == 
SESSION_AUTH_TYPE_TOGETHER_WITH_USER) - { - //对当前用户的指纹进行认证 - if (arg_found && g_strcmp0(arg_id, session->fprint_id) == 0) - { - //停止指纹认证 - kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); - priv->cur_fprint_session = NULL; - //指纹认证成功 - kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), - session->username, - SESSION_AUTH_SUCCESS, - session->sid); } + + g_free(path); } else { - if (arg_found && g_strcmp0(arg_id, session->fprint_id) == 0) - { - //停止指纹认证 - kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); - priv->cur_fprint_session = NULL; + if (g_list_find_custom(session->fprint_ids, arg_id, (GCompareFunc)id_compare) == NULL) + { + dzlog_debug("User %s and fprint id %s not math", session->username, arg_id); + kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), + _("User and fprint not math, place again!"), + PAM_TEXT_INFO, + session->sid); + return; + } - if (session->user_auth_mode & ACCOUNTS_AUTH_MODE_PASSWORD) - { - //进行串行认证,指纹通过,启动密码认证 - kiran_authentication_gen_emit_auth_method_changed(KIRAN_AUTHENTICATION_GEN(service), - SESSION_AUTH_METHOD_PASSWORD, - session->sid); - do_session_passwd_auth(service, session); - } - else - { - kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), - session->username, - SESSION_AUTH_SUCCESS, - session->sid); - } - return; + if (session->session_auth_type == SESSION_AUTH_TYPE_TOGETHER_WITH_USER) + { + //停止指纹认证 + kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); + priv->cur_fprint_session = NULL; + //指纹认证成功 + kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), + session->username, + SESSION_AUTH_SUCCESS, + session->sid); } - - if (arg_done) + else { - //认证失败 - kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), - session->username, - SESSION_AUTH_FAIL, - session->sid); + //停止指纹认证 + 
kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); + priv->cur_fprint_session = NULL; + + if (session->user_auth_mode & ACCOUNTS_AUTH_MODE_PASSWORD) + { + //进行串行认证,指纹通过 + kiran_authentication_gen_emit_auth_method_changed(KIRAN_AUTHENTICATION_GEN(service), + SESSION_AUTH_METHOD_PASSWORD, + session->sid); + kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), + _("Fingerprint auth successed!"), + PAM_TEXT_INFO, + session->sid); + g_mutex_lock(&session->auth_mutex); + g_cond_signal(&session->auth_cond); + g_mutex_unlock(&session->auth_mutex); + } + else + { + //只需要指纹认证 + kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), + session->username, + SESSION_AUTH_SUCCESS, + session->sid); + } } } } @@ -476,6 +486,9 @@ auth_session_stop(KiranAuthService *service, //停止指纹认证 kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); priv->cur_fprint_session = NULL; + g_mutex_lock(&session->auth_mutex); + g_cond_signal(&session->auth_cond); + g_mutex_unlock(&session->auth_mutex); } //停止密码认证 @@ -484,7 +497,6 @@ auth_session_stop(KiranAuthService *service, g_mutex_lock(&session->prompt_mutex); g_cond_signal(&session->prompt_cond); g_mutex_unlock(&session->prompt_mutex); - session->stop_auth = TRUE; //如果还没有关闭pam @@ -643,6 +655,7 @@ kiran_auth_service_handle_create_auth(KiranAuthenticationGen *object, gchar *encode = NULL; gsize len = 0; + dzlog_debug("Handle create auth message"); sender = g_dbus_method_invocation_get_sender(invocation); session = find_auth_session_by_sender(service, sender); @@ -701,14 +714,14 @@ kiran_auth_service_handle_create_auth(KiranAuthenticationGen *object, return TRUE; } -static char * +static GList * parser_auth_items_json_data(const char *data) { JsonParser *jparse = json_parser_new(); JsonNode *root; JsonReader *reader; + GList *ids = NULL; GError *error = NULL; - char *id = NULL; gboolean ret; ret = json_parser_load_from_data(jparse, 
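Review bot: In the per-user branch the match is now decided only by `g_list_find_custom(session->fprint_ids, arg_id, …)`; the removed code additionally required `arg_found`, and the removed `if (arg_done)` block that emitted SESSION_AUTH_FAIL has no replacement (the TOGETHER branch likewise lost its `if (arg_found)` wrapper and now issues a D-Bus lookup on every status event). Unless the early `return` at the top of this hunk already covers `!arg_found` (its condition is outside my view), an event whose `arg_id` merely appears in the list is treated as a verified fingerprint, and a done-without-match event leaves the session neither failed nor stopped, so the worker blocked on `auth_cond` in do_authentication never wakes. Keep the guard as `if (!arg_found || g_list_find_custom(session->fprint_ids, arg_id, (GCompareFunc)id_compare) == NULL)` and restore the `arg_done` path that emits SESSION_AUTH_FAIL and signals `auth_cond`. The user-visible string should also read `"User and fingerprint do not match, place again!"` rather than `not math`.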
@@ -737,18 +750,14 @@ parser_auth_items_json_data(const char *data) json_reader_set_root(reader, iter->data); json_reader_read_member(reader, "data_id"); data_id = json_reader_get_string_value(reader); - if (data_id) - { - id = strdup(data_id); - break; - } + ids = g_list_append(ids, g_strdup(data_id)); } g_object_unref(reader); } g_object_unref(jparse); - return id; + return ids; } static gboolean @@ -813,8 +822,8 @@ get_user_account_info(KiranAuthService *service, } else { - session->fprint_id = parser_auth_items_json_data(auth_items); - dzlog_debug("Get fprint_id :%s with %s", session->fprint_id, session->username); + session->fprint_ids = parser_auth_items_json_data(auth_items); + dzlog_debug("Get fprint_ids %p with %s", session->fprint_ids, session->username); } g_object_unref(user); @@ -894,6 +903,8 @@ kiran_auth_service_handle_start_auth(KiranAuthenticationGen *object, g_cond_init(&session->prompt_cond); g_mutex_init(&session->stop_mutex); g_cond_init(&session->stop_cond); + g_mutex_init(&session->auth_mutex); + g_cond_init(&session->auth_cond); ret = g_thread_pool_push(priv->auth_thread_pool, session, @@ -1125,9 +1136,9 @@ do_authentication(gpointer data, KiranAuthServicePrivate *priv = service->priv; AuthSession *session = data; - dzlog_debug("Start authentication with sid: %s, username:%s, authmode:%d, session_auth_type:%d, occupy:%d", + dzlog_debug("Start authentication with sid: %s, username:%s, authmode:%d, session_auth_type:%d, occupy:%d, fprint_ids:%p", session->sid, session->username, session->user_auth_mode, - session->session_auth_type, session->occupy); + session->session_auth_type, session->occupy, session->fprint_ids); //开启认证 session->is_start = TRUE; 
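Review bot: `ids = g_list_append(ids, g_strdup(data_id));` appends unconditionally, whereas the removed code skipped a NULL `data_id`; `g_strdup(NULL)` returns NULL, so an item whose `data_id` member is missing or not a string now becomes a NULL entry in `fprint_ids`, and an empty string becomes an `""` entry that `id_compare` (g_strcmp0) will happily match against an empty `arg_id` in verify_fprint_status_cb. Keep the old guard, `if (data_id && *data_id) ids = g_list_prepend(ids, g_strdup(data_id));`, and finish with `ids = g_list_reverse(ids);` to keep insertion order without the quadratic append. parser_auth_items_json_data starts outside this hunk, so the `json_reader_read_member` return value and matching `end_member` are not visible here.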
@@ -1182,7 +1193,18 @@ do_authentication(gpointer data, SESSION_AUTH_METHOD_FINGERPRINT, session->sid); do_session_fingerprint_auth(service, session); - } + + //等待指纹认证完成 + g_mutex_lock(&session->auth_mutex); + g_cond_wait(&session->auth_cond, &session->auth_mutex); + g_mutex_unlock(&session->auth_mutex); + } + + if ((session->user_auth_mode & ACCOUNTS_AUTH_MODE_PASSWORD) && !session->auth_completed) + { + //启动密码认证 + do_session_passwd_auth(service, session); + } } } -- Gitee From 2f9ba3f732b02df4c889e88eaee21c9e863edf31 Mon Sep 17 00:00:00 2001 From: luoqing Date: Thu, 10 Mar 2022 10:07:28 +0800 Subject: [PATCH 19/20] fix(kiran-authentication-service): Change the po file path in cmakelists MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 在cmakelists修改zh_CN.po的路径, 使用PROJECT_SOURCE_DIR变量 Related #38334 Signed-off-by: wangxiaoqing --- po/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/po/CMakeLists.txt b/po/CMakeLists.txt index 0050110..1445c40 100644 --- a/po/CMakeLists.txt +++ b/po/CMakeLists.txt @@ -1,4 +1,4 @@ find_program (MSGFMT NAMES "msgfmt") -add_custom_target (ZH_MO ALL ${MSGFMT} zh_CN.po -D ../../po -o ${PROJECT_BINARY_DIR}/zh_CN.mo) +add_custom_target (ZH_MO ALL ${MSGFMT} zh_CN.po -D ${PROJECT_SOURCE_DIR}/po -o ${PROJECT_BINARY_DIR}/zh_CN.mo) install(FILES ${PROJECT_BINARY_DIR}/zh_CN.mo DESTINATION ${CMAKE_INSTALL_PREFIX}/share/locale/zh_CN/LC_MESSAGES/ RENAME ${PROJECT_NAME}.mo) -- Gitee From 2f8b23cdd26b3b6815d2bcd9fc58a752919a0b2e Mon Sep 17 00:00:00 2001 From: luoqing Date: Wed, 30 Mar 2022 12:44:52 +0600 Subject: [PATCH 20/20] style(kiran-authentication-service): Format the source code with clang format MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 使用clang-format格式化代码 
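Review bot: The bare `g_cond_wait(&session->auth_cond, &session->auth_mutex);` has no predicate, so a signal from verify_fprint_status_cb or auth_session_stop that fires before the worker reaches the wait is lost and the worker blocks forever, and a spurious wake-up lets it fall through to the password step before the fingerprint step has finished (GLib documents that g_cond_wait must be called in a loop over a condition). Add a flag to AuthSession that the signalling sites set under `auth_mutex`, and loop on it; the password step that follows is gated only on `!session->auth_completed`, which as far as I can see is not set when the fingerprint step was stopped or failed, so the new flag should carry that outcome too. do_authentication starts outside this hunk.
```c
/* … unchanged: auth_method_changed signal and do_session_fingerprint_auth() … */
/* Block until the fingerprint step is reported finished; the predicate loop
 * survives a signal that arrives before the wait and spurious wake-ups. */
g_mutex_lock(&session->auth_mutex);
while (!session->fprint_finished)
    g_cond_wait(&session->auth_cond, &session->auth_mutex);
g_mutex_unlock(&session->auth_mutex);

/* in verify_fprint_status_cb and auth_session_stop, inside the auth_mutex lock
 * and before g_cond_signal(): */
session->fprint_finished = TRUE;
```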
Signed-off-by: wangxiaoqing --- _clang-format | 152 +++++++++++++++++++++++++++++++++ src/kiran-auth-service.c | 128 +++++++++++++-------------- src/kiran-authentication.c | 41 +++++---- src/main.c | 12 +-- src/pam-kiran-authentication.c | 1 - 5 files changed, 242 insertions(+), 92 deletions(-) create mode 100644 _clang-format diff --git a/_clang-format b/_clang-format new file mode 100644 index 0000000..135919a --- /dev/null +++ b/_clang-format 
@@ -0,0 +1,152 @@ +BasedOnStyle: Google +IndentWidth: 4 +--- +Language: Cpp +AccessModifierOffset: -4 +AlignAfterOpenBracket: Align +AlignConsecutiveAssignments: false +AlignConsecutiveDeclarations: false +AlignEscapedNewlines: Left +AlignOperands: true +AlignTrailingComments: true +AllowAllParametersOfDeclarationOnNextLine: true +AllowShortBlocksOnASingleLine: false +AllowShortCaseLabelsOnASingleLine: false +AllowShortFunctionsOnASingleLine: All +AllowShortIfStatementsOnASingleLine: true +AllowShortLoopsOnASingleLine: true +AlwaysBreakAfterDefinitionReturnType: None +AlwaysBreakAfterReturnType: None +AlwaysBreakBeforeMultilineStrings: false +AlwaysBreakTemplateDeclarations: Yes +BinPackArguments: true +BinPackParameters: true +BraceWrapping: + AfterClass: false + AfterControlStatement: false + AfterEnum: false + AfterFunction: false + AfterNamespace: false + AfterObjCDeclaration: false + AfterStruct: false + AfterUnion: false + AfterExternBlock: false + BeforeCatch: false + BeforeElse: false + IndentBraces: false + SplitEmptyFunction: true + SplitEmptyRecord: true + SplitEmptyNamespace: true +BreakBeforeBinaryOperators: None +BreakBeforeBraces: Allman +BreakBeforeInheritanceComma: false +BreakInheritanceList: BeforeColon +BreakBeforeTernaryOperators: true +BreakConstructorInitializersBeforeComma: false +BreakConstructorInitializers: BeforeColon +BreakAfterJavaFieldAnnotations: false +BreakStringLiterals: true +ColumnLimit: 0 +CommentPragmas: '^ IWYU pragma:' +CompactNamespaces: false +ConstructorInitializerAllOnOneLineOrOnePerLine: true +ConstructorInitializerIndentWidth: 4 +ContinuationIndentWidth: 4 +Cpp11BracedListStyle: true +DerivePointerAlignment: true +DisableFormat: false +ExperimentalAutoDetectBinPacking: false +FixNamespaceComments: true +ForEachMacros: + - foreach + - Q_FOREACH + - BOOST_FOREACH +IncludeBlocks: Preserve +IncludeCategories: + - Regex: '^' + Priority: 2 + - Regex: '^<.*\.h>' + Priority: 1 + - Regex: '^<.*' + Priority: 2 + - Regex: '.*' + 
Priority: 3 +IncludeIsMainRegex: '([-_](test|unittest))?$' +IndentCaseLabels: false +IndentPPDirectives: None +IndentWidth: 4 +IndentWrappedFunctionNames: false +JavaScriptQuotes: Leave +JavaScriptWrapImports: true +KeepEmptyLinesAtTheStartOfBlocks: false +MacroBlockBegin: '' +MacroBlockEnd: '' +MaxEmptyLinesToKeep: 1 +NamespaceIndentation: None +ObjCBinPackProtocolList: Never +ObjCBlockIndentWidth: 2 +ObjCSpaceAfterProperty: false +ObjCSpaceBeforeProtocolList: true +PenaltyBreakAssignment: 2 +PenaltyBreakBeforeFirstCallParameter: 1 +PenaltyBreakComment: 300 +PenaltyBreakFirstLessLess: 120 +PenaltyBreakString: 1000 +PenaltyBreakTemplateDeclaration: 10 +PenaltyExcessCharacter: 1000000 +PenaltyReturnTypeOnItsOwnLine: 200 +PointerAlignment: Left +RawStringFormats: + - Language: Cpp + Delimiters: + - cc + - CC + - cpp + - Cpp + - CPP + - 'c++' + - 'C++' + CanonicalDelimiter: '' + BasedOnStyle: google + - Language: TextProto + Delimiters: + - pb + - PB + - proto + - PROTO + EnclosingFunctions: + - EqualsProto + - EquivToProto + - PARSE_PARTIAL_TEXT_PROTO + - PARSE_TEST_PROTO + - PARSE_TEXT_PROTO + - ParseTextOrDie + - ParseTextProtoOrDie + CanonicalDelimiter: '' + BasedOnStyle: google +ReflowComments: true +SortIncludes: true +SortUsingDeclarations: true +SpaceAfterCStyleCast: false +SpaceAfterTemplateKeyword: true +SpaceBeforeAssignmentOperators: true +SpaceBeforeCpp11BracedList: false +SpaceBeforeCtorInitializerColon: true +SpaceBeforeInheritanceColon: true +SpaceBeforeParens: ControlStatements +SpaceBeforeRangeBasedForLoopColon: true +SpaceInEmptyParentheses: false +SpacesBeforeTrailingComments: 2 +SpacesInAngles: false +SpacesInContainerLiterals: true +SpacesInCStyleCastParentheses: false +SpacesInParentheses: false +SpacesInSquareBrackets: false +Standard: Auto +StatementMacros: + - Q_UNUSED + - QT_REQUIRE_VERSION +TabWidth: 8 +UseTab: Never +... + diff --git a/src/kiran-auth-service.c b/src/kiran-auth-service.c index 7c217be..c4a91e3 100644 
--- a/src/kiran-auth-service.c +++ b/src/kiran-auth-service.c @@ -19,10 +19,10 @@ *@copyright(c) 2021 KylinSec.All rights reserved. */ #include "kiran-auth-service.h" +#include #include #include #include -#include #ifdef ENABLE_ZLOG_EX #include #else @@ -38,8 +38,8 @@ #define SERVICE "kiran-auth-service" #define KIRAN_BIO_SETTING_FILE "/etc/kiran-biometrics/settings.conf" -#define SUPPORT_FINGER_KEY "SupportFinger" -#define SUPPORT_FACE_KEY "SupportFace" +#define SUPPORT_FINGER_KEY "SupportFinger" +#define SUPPORT_FACE_KEY "SupportFace" typedef struct _AuthSession AuthSession; @@ -273,7 +273,7 @@ kiran_auth_service_finalize(GObject *object) } static gint -id_compare(const gchar* a, const gchar *b) +id_compare(const gchar *a, const gchar *b) { return g_strcmp0(a, b); } @@ -309,7 +309,7 @@ verify_fprint_status_cb(KiranBiometrics *object, arg_result, PAM_TEXT_INFO, session->sid); - return; + return; } if (session->session_auth_type == SESSION_AUTH_TYPE_TOGETHER) @@ -331,7 +331,7 @@ verify_fprint_status_cb(KiranBiometrics *object, dzlog_error("find fingerprint id with user fail: %s", error->message); g_error_free(error); kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), - _("The fingerprint is not bound to a user, place again!"), + _("The fingerprint is not bound to a user, place again!"), PAM_TEXT_INFO, session->sid); } @@ -364,9 +364,9 @@ verify_fprint_status_cb(KiranBiometrics *object, { dzlog_debug("get fingerprint user name %s", username); - //该用户支持指纹登录 - if (authmode & ACCOUNTS_AUTH_MODE_FINGERPRINT) - { + //该用户支持指纹登录 + if (authmode & ACCOUNTS_AUTH_MODE_FINGERPRINT) + { //停止指纹认证 kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); priv->cur_fprint_session = NULL; 
@@ -375,20 +375,20 @@ verify_fprint_status_cb(KiranBiometrics *object, username, SESSION_AUTH_SUCCESS, session->sid); - } - else - { - char *msg; + } + else + { + char *msg; dzlog_debug("User %s does not turn on fingerprint authentication", username); msg = g_strdup_printf(_("User %s does not turn on fingerprint authentication, place again!"), username); - kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), - msg, + kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), + msg, PAM_TEXT_INFO, session->sid); - g_free(msg); - } + g_free(msg); + } } g_object_unref(user); } 
@@ -398,55 +398,55 @@ verify_fprint_status_cb(KiranBiometrics *object, } else { - if (g_list_find_custom(session->fprint_ids, arg_id, (GCompareFunc)id_compare) == NULL) - { + if (g_list_find_custom(session->fprint_ids, arg_id, (GCompareFunc)id_compare) == NULL) + { dzlog_debug("User %s and fprint id %s not math", session->username, arg_id); kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), _("User and fprint not math, place again!"), PAM_TEXT_INFO, session->sid); - return; - } + return; + } if (session->session_auth_type == SESSION_AUTH_TYPE_TOGETHER_WITH_USER) { - //停止指纹认证 - kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); - priv->cur_fprint_session = NULL; - //指纹认证成功 - kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), - session->username, - SESSION_AUTH_SUCCESS, - session->sid); + //停止指纹认证 + kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); + priv->cur_fprint_session = NULL; + //指纹认证成功 + kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), + session->username, + SESSION_AUTH_SUCCESS, + session->sid); } else { - //停止指纹认证 - kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); - priv->cur_fprint_session = NULL; - - if (session->user_auth_mode & ACCOUNTS_AUTH_MODE_PASSWORD) - { - //进行串行认证,指纹通过 - kiran_authentication_gen_emit_auth_method_changed(KIRAN_AUTHENTICATION_GEN(service), - SESSION_AUTH_METHOD_PASSWORD, - session->sid); - kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), - _("Fingerprint auth successed!"), - PAM_TEXT_INFO, - session->sid); - g_mutex_lock(&session->auth_mutex); - g_cond_signal(&session->auth_cond); - g_mutex_unlock(&session->auth_mutex); - } - else - { - //只需要指纹认证 - kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), - session->username, - SESSION_AUTH_SUCCESS, - session->sid); - } + //停止指纹认证 + 
kiran_biometrics_call_verify_fprint_stop_sync(priv->biometrics, NULL, NULL); + priv->cur_fprint_session = NULL; + + if (session->user_auth_mode & ACCOUNTS_AUTH_MODE_PASSWORD) + { + //进行串行认证,指纹通过 + kiran_authentication_gen_emit_auth_method_changed(KIRAN_AUTHENTICATION_GEN(service), + SESSION_AUTH_METHOD_PASSWORD, + session->sid); + kiran_authentication_gen_emit_auth_messages(KIRAN_AUTHENTICATION_GEN(service), + _("Fingerprint auth successed!"), + PAM_TEXT_INFO, + session->sid); + g_mutex_lock(&session->auth_mutex); + g_cond_signal(&session->auth_cond); + g_mutex_unlock(&session->auth_mutex); + } + else + { + //只需要指纹认证 + kiran_authentication_gen_emit_auth_status(KIRAN_AUTHENTICATION_GEN(service), + session->username, + SESSION_AUTH_SUCCESS, + session->sid); + } } } } @@ -1147,15 +1147,15 @@ do_authentication(gpointer data, { case SESSION_AUTH_TYPE_TOGETHER: //并行认证模式 - //发送认证模式 + //发送认证模式 kiran_authentication_gen_emit_auth_method_changed(KIRAN_AUTHENTICATION_GEN(service), SESSION_AUTH_METHOD_PASSWORD | SESSION_AUTH_METHOD_FINGERPRINT, session->sid); //启动指纹认证 - if (priv->support_finger) - { + if (priv->support_finger) + { do_session_fingerprint_auth(service, session); - } + } //启动密码认证 do_session_passwd_auth(service, session); @@ -1198,13 +1198,13 @@ do_authentication(gpointer data, g_mutex_lock(&session->auth_mutex); g_cond_wait(&session->auth_cond, &session->auth_mutex); g_mutex_unlock(&session->auth_mutex); - } + } - if ((session->user_auth_mode & ACCOUNTS_AUTH_MODE_PASSWORD) && !session->auth_completed) - { + if ((session->user_auth_mode & ACCOUNTS_AUTH_MODE_PASSWORD) && !session->auth_completed) + { //启动密码认证 do_session_passwd_auth(service, session); - } + } } } @@ -1263,7 +1263,7 @@ kiran_auth_service_class_init(KiranAuthServiceClass *klass) * *@return 成功返回对象的地址,失败返回NULL */ -KiranAuthService* +KiranAuthService * kiran_auth_servie_new() { return g_object_new(KIRAN_TYPE_AUTH_SERVICE, NULL); 
diff --git a/src/kiran-authentication.c b/src/kiran-authentication.c index 73514ec..4d0b468 100644 --- a/src/kiran-authentication.c +++ b/src/kiran-authentication.c @@ -12,25 +12,25 @@ * Author: wangxiaoqing */ -#include -#include -#include -#include -#include -#include #include #include +#include +#include +#include +#include +#include +#include #include "authentication_i.h" #define KEY_LEN 2048 #define RSA_BUFFER_LEN 4096 -RSA *create_RSA(unsigned char * key, - int public) +RSA *create_RSA(unsigned char *key, + int public) { - RSA *rsa= NULL; - BIO *keybio ; + RSA *rsa = NULL; + BIO *keybio; keybio = BIO_new_mem_buf(key, -1); if (keybio == NULL) @@ -38,7 +38,7 @@ RSA *create_RSA(unsigned char * key, return NULL; } - if(public) + if (public) { rsa = PEM_read_bio_RSA_PUBKEY(keybio, &rsa, NULL, NULL); } @@ -55,15 +55,15 @@ int kiran_authentication_rsa_public_encrypt(char *data, unsigned char *key, unsigned char **encrypted) { - RSA * rsa = NULL; + RSA *rsa = NULL; unsigned char buf[RSA_BUFFER_LEN] = {0}; unsigned char *ptr = NULL; int result = -1; - + rsa = create_RSA(key, 1); if (rsa == NULL) { - return -1; + return -1; } result = RSA_public_encrypt(data_len, data, buf, rsa, RSA_PKCS1_PADDING); @@ -90,11 +90,11 @@ int kiran_authentication_rsa_private_decrypt(unsigned char *enc_data, unsigned char buf[RSA_BUFFER_LEN] = {0}; unsigned char *ptr = NULL; int result = -1; - + rsa = create_RSA(key, 0); if (rsa == NULL) { - return -1; + return -1; } result = RSA_private_decrypt(data_len, enc_data, buf, rsa, RSA_PKCS1_PADDING); @@ -112,11 +112,10 @@ int kiran_authentication_rsa_private_decrypt(unsigned char *enc_data, return result; } -int -kiran_authentication_rsa_key_gen(char **public_key, char **private_key) +int kiran_authentication_rsa_key_gen(char **public_key, char **private_key) { EVP_PKEY_CTX *evp_ctx = NULL; - EVP_PKEY *ppkey = NULL; + EVP_PKEY *ppkey = NULL; BIO *bio = NULL; BUF_MEM *pub_buf = NULL; BUF_MEM *pri_buf = NULL; 
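Review bot: The contract of `create_RSA` is not stated anywhere in this hunk, and it matters: `BIO_new_mem_buf(key, -1)` measures the key with strlen(), so `key` must be a NUL-terminated PEM block, and a caller that hands over a buffer read without a terminator (from a file or a D-Bus message) will over-read. A one-line comment above the signature would pin it: `/* key: NUL-terminated PEM text (BIO_new_mem_buf(key, -1) uses strlen()); returns NULL on failure. */`. The function also has external linkage; unless authentication_i.h declares it for other translation units, it should be `static`. The body continues past the hunk, so it is worth confirming there that `keybio` is released with BIO_free() on every path after the PEM_read call.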
@@ -127,7 +126,7 @@ kiran_authentication_rsa_key_gen(char **public_key, char **private_key) evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); if (evp_ctx == NULL) { - return -1; + return -1; } EVP_PKEY_keygen_init(evp_ctx); @@ -137,7 +136,7 @@ kiran_authentication_rsa_key_gen(char **public_key, char **private_key) if (ppkey == NULL) { EVP_PKEY_CTX_free(evp_ctx); - return -1; + return -1; } bio = BIO_new(BIO_s_mem()); diff --git a/src/main.c b/src/main.c index 4d42f1c..f6c8baa 100644 --- a/src/main.c +++ b/src/main.c @@ -19,8 +19,8 @@ #else #include #endif -#include "kiran-auth-service.h" #include "config.h" +#include "kiran-auth-service.h" int main(int argc, char *argv[]) { @@ -30,17 +30,17 @@ int main(int argc, char *argv[]) setlocale(LC_CTYPE, ""); setlocale(LC_MESSAGES, ""); setlocale(LC_ALL, ""); - bindtextdomain (GETTEXT_PACKAGE, LOCALEDIR); - bind_textdomain_codeset (GETTEXT_PACKAGE, "UTF-8"); - textdomain (GETTEXT_PACKAGE); + bindtextdomain(GETTEXT_PACKAGE, LOCALEDIR); + bind_textdomain_codeset(GETTEXT_PACKAGE, "UTF-8"); + textdomain(GETTEXT_PACKAGE); #ifdef ENABLE_ZLOG_EX - if (dzlog_init_ex (NULL, "kylinsec-system", "kiran-authentication-service", "kiran_authentication_service") < 0) + if (dzlog_init_ex(NULL, "kylinsec-system", "kiran-authentication-service", "kiran_authentication_service") < 0) #else if (dzlog_init("/etc/zlog.conf", "kylinsec-system") < 0) #endif { - g_error ("zlog init failed!"); + g_error("zlog init failed!"); return -1; } diff --git a/src/pam-kiran-authentication.c b/src/pam-kiran-authentication.c index a159f84..256fc15 100644 --- a/src/pam-kiran-authentication.c +++ b/src/pam-kiran-authentication.c @@ -146,7 +146,6 @@ verify_user(pam_handle_t *pamh) return FALSE; } - data = g_new0(verify_data, 1); data->loop = g_main_loop_new(NULL, FALSE); data->state = SESSION_AUTH_FAIL; -- Gitee
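Review bot: In the main.c include hunk, `config.h` is still included after the `#else`/`#endif` that close a conditional include at the top of the file, on both the old and the new side; if that conditional tests ENABLE_ZLOG_EX (the same pattern is visible in kiran-auth-service.c), the macro is evaluated before config.h can define it, so the zlog branch is chosen by whatever the build passes on the command line rather than by the generated config. With SortIncludes enabled in the new .clang-format this ordering will also be re-imposed on every format run. Moving `#include "config.h"` to be the first include of the file, separated from the rest by a blank line so the formatter keeps it in its own block, addresses both. The enclosing preprocessor block starts outside the hunk, so the exact condition is inferred.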