#include <stdint.h>
#include <xcb/xcb.h>
#include <xcb/xkb.h>
-#include <xcb/dpms.h>
#include <err.h>
#include <assert.h>
+#ifdef __OpenBSD__
+#include <bsd_auth.h>
+#else
#include <security/pam_appl.h>
+#endif
#include <getopt.h>
#include <string.h>
#include <ev.h>
#include <xkbcommon/xkbcommon-x11.h>
#include <cairo.h>
#include <cairo/cairo-xcb.h>
+#ifdef __OpenBSD__
+#include <strings.h> /* explicit_bzero(3) */
+#endif
#include "i3lock.h"
#include "xcb.h"
timer_obj = stop_timer(timer_obj)
typedef void (*ev_callback_t)(EV_P_ ev_timer *w, int revents);
+static void input_done(void);
-/* We need this for libxkbfile */
char color[7] = "ffffff";
-int inactivity_timeout = 30;
uint32_t last_resolution[2];
xcb_window_t win;
static xcb_cursor_t cursor;
+#ifndef __OpenBSD__
static pam_handle_t *pam_handle;
+#endif
int input_position = 0;
/* Holds the password you enter (in UTF-8). */
static char password[512];
static bool beep = false;
bool debug_mode = false;
-static bool dpms = false;
bool unlock_indicator = true;
char *modifier_string = NULL;
static bool dont_fork = false;
struct ev_loop *main_loop;
-static struct ev_timer *clear_pam_wrong_timeout;
+static struct ev_timer *clear_auth_wrong_timeout;
static struct ev_timer *clear_indicator_timeout;
-static struct ev_timer *dpms_timeout;
static struct ev_timer *discard_passwd_timeout;
extern unlock_state_t unlock_state;
-extern pam_state_t pam_state;
+extern auth_state_t auth_state;
int failed_attempts = 0;
bool show_failed_attempts = false;
+bool retry_verification = false;
static struct xkb_state *xkb_state;
static struct xkb_context *xkb_context;
(void)(isutf(s[--(*i)]) || isutf(s[--(*i)]) || isutf(s[--(*i)]) || --(*i));
}
-static void turn_monitors_on(void) {
- if (dpms)
- dpms_set_mode(conn, XCB_DPMS_DPMS_MODE_ON);
-}
-
-static void turn_monitors_off(void) {
- if (dpms)
- dpms_set_mode(conn, XCB_DPMS_DPMS_MODE_OFF);
-}
-
/*
* Loads the XKB keymap from the X11 server and feeds it to xkbcommon.
* Necessary so that we can properly let xkbcommon track the keyboard state and
*
*/
static void clear_password_memory(void) {
+#ifdef __OpenBSD__
+ /* Use explicit_bzero(3) which was explicitly designed not to be
+ * optimized out by the compiler. */
+ explicit_bzero(password, strlen(password));
+#else
/* A volatile pointer to the password buffer to prevent the compiler from
* optimizing this out. */
volatile char *vpassword = password;
* compiler from optimizing the calls away, since the value of 'beep'
* is not known at compile-time. */
vpassword[c] = c + (int)beep;
+#endif
}
ev_timer *start_timer(ev_timer *timer_obj, ev_tstamp timeout, ev_callback_t callback) {
}
/*
- * Resets pam_state to STATE_PAM_IDLE 2 seconds after an unsuccessful
+ * Neccessary calls after ending input via enter or others
+ *
+ */
+static void finish_input(void) {
+ password[input_position] = '\0';
+ unlock_state = STATE_KEY_PRESSED;
+ redraw_screen();
+ input_done();
+}
+
+/*
+ * Resets auth_state to STATE_AUTH_IDLE 2 seconds after an unsuccessful
* authentication event.
*
*/
-static void clear_pam_wrong(EV_P_ ev_timer *w, int revents) {
- DEBUG("clearing pam wrong\n");
- pam_state = STATE_PAM_IDLE;
- unlock_state = STATE_STARTED;
+static void clear_auth_wrong(EV_P_ ev_timer *w, int revents) {
+ DEBUG("clearing auth wrong\n");
+ auth_state = STATE_AUTH_IDLE;
redraw_screen();
/* Clear modifier string. */
}
/* Now free this timeout. */
- STOP_TIMER(clear_pam_wrong_timeout);
+ STOP_TIMER(clear_auth_wrong_timeout);
+
+ /* retry with input done during auth verification */
+ if (retry_verification) {
+ retry_verification = false;
+ finish_input();
+ }
}
static void clear_indicator_cb(EV_P_ ev_timer *w, int revents) {
input_position = 0;
clear_password_memory();
password[input_position] = '\0';
-
- /* Hide the unlock indicator after a bit if the password buffer is
- * empty. */
- if (unlock_indicator) {
- START_TIMER(clear_indicator_timeout, 1.0, clear_indicator_cb);
- unlock_state = STATE_BACKSPACE_ACTIVE;
- redraw_screen();
- unlock_state = STATE_KEY_PRESSED;
- }
-}
-
-static void turn_off_monitors_cb(EV_P_ ev_timer *w, int revents) {
- if (input_position == 0)
- turn_monitors_off();
-
- STOP_TIMER(dpms_timeout);
}
static void discard_passwd_cb(EV_P_ ev_timer *w, int revents) {
clear_input();
- turn_monitors_off();
STOP_TIMER(discard_passwd_timeout);
}
static void input_done(void) {
- STOP_TIMER(clear_pam_wrong_timeout);
- pam_state = STATE_PAM_VERIFY;
+ STOP_TIMER(clear_auth_wrong_timeout);
+ auth_state = STATE_AUTH_VERIFY;
+ unlock_state = STATE_STARTED;
redraw_screen();
+#ifdef __OpenBSD__
+ struct passwd *pw;
+
+ if (!(pw = getpwuid(getuid())))
+ errx(1, "unknown uid %u.", getuid());
+
+ if (auth_userokay(pw->pw_name, NULL, NULL, password) != 0) {
+ DEBUG("successfully authenticated\n");
+ clear_password_memory();
+
+ exit(0);
+ }
+#else
if (pam_authenticate(pam_handle, 0) == PAM_SUCCESS) {
DEBUG("successfully authenticated\n");
clear_password_memory();
- /* Turn the screen on, as it may have been turned off
- * on release of the 'enter' key. */
- turn_monitors_on();
/* PAM credentials should be refreshed, this will for example update any kerberos tickets.
* Related to credentials pam_end() needs to be called to cleanup any temporary
exit(0);
}
+#endif
if (debug_mode)
fprintf(stderr, "Authentication failure\n");
/* Get state of Caps and Num lock modifiers, to be displayed in
- * STATE_PAM_WRONG state */
+ * STATE_AUTH_WRONG state */
xkb_mod_index_t idx, num_mods;
const char *mod_name;
}
}
- pam_state = STATE_PAM_WRONG;
+ auth_state = STATE_AUTH_WRONG;
failed_attempts += 1;
clear_input();
if (unlock_indicator)
/* Clear this state after 2 seconds (unless the user enters another
* password during that time). */
ev_now_update(main_loop);
- START_TIMER(clear_pam_wrong_timeout, TSTAMP_N_SECS(2), clear_pam_wrong);
+ START_TIMER(clear_auth_wrong_timeout, TSTAMP_N_SECS(2), clear_auth_wrong);
/* Cancel the clear_indicator_timeout, it would hide the unlock indicator
* too early. */
}
switch (ksym) {
+ case XKB_KEY_j:
+ case XKB_KEY_m:
case XKB_KEY_Return:
case XKB_KEY_KP_Enter:
case XKB_KEY_XF86ScreenSaver:
- if (pam_state == STATE_PAM_WRONG)
+ if ((ksym == XKB_KEY_j || ksym == XKB_KEY_m) && !ctrl)
+ break;
+
+ if (auth_state == STATE_AUTH_WRONG) {
+ retry_verification = true;
return;
+ }
if (skip_without_validation()) {
clear_input();
return;
}
- password[input_position] = '\0';
- unlock_state = STATE_KEY_PRESSED;
- redraw_screen();
- input_done();
+ finish_input();
skip_repeated_empty_password = true;
return;
default:
switch (ksym) {
case XKB_KEY_u:
- if (ctrl) {
+ case XKB_KEY_Escape:
+ if ((ksym == XKB_KEY_u && ctrl) ||
+ ksym == XKB_KEY_Escape) {
DEBUG("C-u pressed\n");
clear_input();
+ /* Hide the unlock indicator after a bit if the password buffer is
+ * empty. */
+ if (unlock_indicator) {
+ START_TIMER(clear_indicator_timeout, 1.0, clear_indicator_cb);
+ unlock_state = STATE_BACKSPACE_ACTIVE;
+ redraw_screen();
+ unlock_state = STATE_KEY_PRESSED;
+ }
return;
}
break;
- case XKB_KEY_Escape:
- clear_input();
+ case XKB_KEY_Delete:
+ case XKB_KEY_KP_Delete:
+ /* Deleting forward doesn’t make sense, as i3lock doesn’t allow you
+ * to move the cursor when entering a password. We need to eat this
+ * key press so that it won’t be treated as part of the password,
+ * see issue #50. */
return;
+ case XKB_KEY_h:
case XKB_KEY_BackSpace:
+ if (ksym == XKB_KEY_h && !ctrl)
+ break;
+
if (input_position == 0)
return;
password[input_position] = '\0';
/* Hide the unlock indicator after a bit if the password buffer is
- * empty. */
+ * empty. */
START_TIMER(clear_indicator_timeout, 1.0, clear_indicator_cb);
unlock_state = STATE_BACKSPACE_ACTIVE;
redraw_screen();
redraw_screen();
}
+#ifndef __OpenBSD__
/*
* Callback function for PAM. We only react on password request callbacks.
*
return 0;
}
+#endif
/*
* This callback is only a dummy, see xcb_prepare_cb and xcb_check_cb.
xcb_flush(conn);
}
+/*
+ * Try closing logind sleep lock fd passed over from xss-lock, in case we're
+ * being run from there.
+ *
+ */
+static void maybe_close_sleep_lock_fd(void) {
+ const char *sleep_lock_fd = getenv("XSS_SLEEP_LOCK_FD");
+ char *endptr;
+ if (sleep_lock_fd && *sleep_lock_fd != 0) {
+ long int fd = strtol(sleep_lock_fd, &endptr, 10);
+ if (*endptr == 0) {
+ close(fd);
+ }
+ }
+}
+
/*
* Instead of polling the X connection socket we leave this to
* xcb_poll_for_event() which knows better than we can ever know.
handle_key_press((xcb_key_press_event_t *)event);
break;
- case XCB_KEY_RELEASE:
- /* If this was the backspace or escape key we are back at an
- * empty input, so turn off the screen if DPMS is enabled, but
- * only do that after some timeout: maybe user mistyped and
- * will type again right away */
- START_TIMER(dpms_timeout, TSTAMP_N_SECS(inactivity_timeout),
- turn_off_monitors_cb);
- break;
-
case XCB_VISIBILITY_NOTIFY:
handle_visibility_notify(conn, (xcb_visibility_notify_event_t *)event);
break;
case XCB_MAP_NOTIFY:
+ maybe_close_sleep_lock_fd();
if (!dont_fork) {
/* After the first MapNotify, we never fork again. We don’t
* expect to get another MapNotify, but better be sure… */
/*
* This function is called from a fork()ed child and will raise the i3lock
* window when the window is obscured, even when the main i3lock process is
- * blocked due to PAM.
+ * blocked due to the authentication backend.
*
*/
static void raise_loop(xcb_window_t window) {
struct passwd *pw;
char *username;
char *image_path = NULL;
+#ifndef __OpenBSD__
int ret;
struct pam_conv conv = {conv_callback, NULL};
+#endif
int curs_choice = CURS_NONE;
int o;
int optind = 0;
beep = true;
break;
case 'd':
- dpms = true;
+ fprintf(stderr, "DPMS support has been removed from i3lock. Please see the manpage i3lock(1).\n");
break;
case 'I': {
- int time = 0;
- if (sscanf(optarg, "%d", &time) != 1 || time < 0)
- errx(EXIT_FAILURE, "invalid timeout, it must be a positive integer\n");
- inactivity_timeout = time;
+ fprintf(stderr, "Inactivity timeout only makes sense with DPMS, which was removed. Please see the manpage i3lock(1).\n");
break;
}
case 'c': {
* the unlock indicator upon keypresses. */
srand(time(NULL));
+#ifndef __OpenBSD__
/* Initialize PAM */
- ret = pam_start("i3lock", username, &conv, &pam_handle);
- if (ret != PAM_SUCCESS)
+ if ((ret = pam_start("i3lock", username, &conv, &pam_handle)) != PAM_SUCCESS)
errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret));
-/* Using mlock() as non-super-user seems only possible in Linux. Users of other
- * operating systems should use encrypted swap/no swap (or remove the ifdef and
- * run i3lock as super-user). */
+ if ((ret = pam_set_item(pam_handle, PAM_TTY, getenv("DISPLAY"))) != PAM_SUCCESS)
+ errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret));
+#endif
+
+/* Using mlock() as non-super-user seems only possible in Linux.
+ * Users of other operating systems should use encrypted swap/no swap
+ * (or remove the ifdef and run i3lock as super-user).
+ * Alas, swap is encrypted by default on OpenBSD so swapping out
+ * is not necessarily an issue. */
#if defined(__linux__)
/* Lock the area where we store the password in memory, we don’t want it to
* be swapped to disk. Since Linux 2.6.9, this does not require any
errx(EXIT_FAILURE, "Could not load keymap");
const char *locale = getenv("LC_ALL");
- if (!locale)
+ if (!locale || !*locale)
locale = getenv("LC_CTYPE");
- if (!locale)
+ if (!locale || !*locale)
locale = getenv("LANG");
- if (!locale) {
+ if (!locale || !*locale) {
if (debug_mode)
fprintf(stderr, "Can't detect your locale, fallback to C\n");
locale = "C";
xinerama_init();
xinerama_query_screens();
- /* if DPMS is enabled, check if the X server really supports it */
- if (dpms) {
- xcb_dpms_capable_cookie_t dpmsc = xcb_dpms_capable(conn);
- xcb_dpms_capable_reply_t *dpmsr;
- if ((dpmsr = xcb_dpms_capable_reply(conn, dpmsc, NULL))) {
- if (!dpmsr->capable) {
- if (debug_mode)
- fprintf(stderr, "Disabling DPMS, X server not DPMS capable\n");
- dpms = false;
- }
- free(dpmsr);
- }
- }
-
screen = xcb_setup_roots_iterator(xcb_get_setup(conn)).data;
last_resolution[0] = screen->width_in_pixels;
image_path, cairo_status_to_string(cairo_surface_status(img)));
img = NULL;
}
+ free(image_path);
}
/* Pixmap on which the image is rendered to (if any) */
xcb_pixmap_t bg_pixmap = draw_image(last_resolution);
- /* open the fullscreen window, already with the correct pixmap in place */
+ /* Open the fullscreen window, already with the correct pixmap in place */
win = open_fullscreen_window(conn, screen, color, bg_pixmap);
xcb_free_pixmap(conn, bg_pixmap);
+ cursor = create_cursor(conn, screen, win, curs_choice);
+
+ /* Display the "locking…" message while trying to grab the pointer/keyboard. */
+ auth_state = STATE_AUTH_LOCK;
+ grab_pointer_and_keyboard(conn, screen, cursor);
+
pid_t pid = fork();
/* The pid == -1 case is intentionally ignored here:
* While the child process is useful for preventing other windows from
if (pid == 0) {
/* Child */
close(xcb_get_file_descriptor(conn));
+ maybe_close_sleep_lock_fd();
raise_loop(win);
exit(EXIT_SUCCESS);
}
- cursor = create_cursor(conn, screen, win, curs_choice);
-
- grab_pointer_and_keyboard(conn, screen, cursor);
/* Load the keymap again to sync the current modifier state. Since we first
* loaded the keymap, there might have been changes, but starting from now,
* we should get all key presses/releases due to having grabbed the
* keyboard. */
(void)load_keymap();
- turn_monitors_off();
-
/* Initialize the libev event loop. */
main_loop = EV_DEFAULT;
if (main_loop == NULL)
errx(EXIT_FAILURE, "Could not initialize libev. Bad LIBEV_FLAGS?\n");
+ /* Explicitly call the screen redraw in case "locking…" message was displayed */
+ auth_state = STATE_AUTH_IDLE;
+ redraw_screen();
+
struct ev_io *xcb_watcher = calloc(sizeof(struct ev_io), 1);
struct ev_check *xcb_check = calloc(sizeof(struct ev_check), 1);
struct ev_prepare *xcb_prepare = calloc(sizeof(struct ev_prepare), 1);