diff --git a/0001-fix-for-UnionTech.patch b/0001-fix-for-UnionTech.patch
deleted file mode 100644
index 8b6718d835048fa6b3db0449357f9e6253a1c30b..0000000000000000000000000000000000000000
--- a/0001-fix-for-UnionTech.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 5228ff88c89e143ea062a003b5fd72c504bae901 Mon Sep 17 00:00:00 2001
-From: xingwei-liu
-Date: Mon, 15 Nov 2021 13:15:47 +0800
-Subject: [PATCH] fix for UnionTech
-
----
- Makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 843da2e..84a62d3 100644
---- a/Makefile
-+++ b/Makefile
-@@ -39,8 +39,8 @@ install: translate install-pam-module
- install -m755 out/bin/deepin-authentication ${DESTDIR}${PREFIX}/lib/deepin-authenticate/
- install -d ${DESTDIR}${PREFIX}/share/dbus-1/system.d
- install -m644 misc/conf/*.conf ${DESTDIR}${PREFIX}/share/dbus-1/system.d/
-- install -d ${DESTDIR}/lib/systemd/system
-- install -m644 misc/systemd/*.service ${DESTDIR}/lib/systemd/system/
-+ install -d ${DESTDIR}${PREFIX}/lib/systemd/system
-+ install -m644 misc/systemd/*.service ${DESTDIR}${PREFIX}/lib/systemd/system/
- install -d ${DESTDIR}${PREFIX}/share/dbus-1/system-services
- install -m644 misc/system-services/* ${DESTDIR}${PREFIX}/share/dbus-1/system-services/
- install -d ${DESTDIR}/etc/pam.d
---
-2.27.0
-
diff --git a/README.md b/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/deepin-authenticate-1.2.61.tar.gz b/deepin-authenticate-1.2.61.tar.gz
deleted file mode 100644
index f35c1228dac213ec9370ae5599b0f48ddbb97377..0000000000000000000000000000000000000000
Binary files a/deepin-authenticate-1.2.61.tar.gz and /dev/null differ
diff --git a/deepin-authenticate-mfa-enhance.patch b/deepin-authenticate-mfa-enhance.patch
new file mode 100644
index 0000000000000000000000000000000000000000..651ba4f4d50cc98287221b3a518281f6659ef182
--- /dev/null
+++ b/deepin-authenticate-mfa-enhance.patch
@@ -0,0 +1,2224 @@
+From 0f117a23ec3a349a52a093eb0a6c51b38cea04f9 Mon Sep 17 00:00:00 2001
+From: zhaoshuang
+Date: Wed, 1 Apr 2026 15:14:48 +0800
+Subject: [PATCH] deepin-authenticate-mfa-enhance
+
+---
+ Makefile | 8 +-
+ misc/allowlist | 2 +-
+ misc/app-type-list | 2 +-
+ misc/pam-module/auth/dbus.c | 4 +-
+ misc/pam-module/auth/mfa.c | 68 ++++-
+ misc/pam-module/auth/pam.c | 44 ++-
+ misc/pam-module/auth/sfa.c | 7 +
+ misc/pam-module/auth/utils.c | 29 +-
+ misc/pam-module/auth/utils.h | 2 +-
+ misc/po/deepin-authentication.pot | 285 +++++++++---------
+ misc/po/zh_CN.po | 120 ++++----
+ service/authcommon/type.go | 16 +
+ service/authenticate/manager.go | 7 +-
+ service/authenticate/session/custom_tx.go | 2 +-
+ service/authenticate/session/face_tx.go | 2 +-
+ .../authenticate/session/fingerprint_tx.go | 2 +-
+ service/authenticate/session/iris_tx.go | 2 +-
+ service/authenticate/session/manager.go | 54 ++--
+ .../session/multifactor_verify.go | 57 +++-
+ service/authenticate/session/normal_verify.go | 27 +-
+ service/authenticate/session/passkey_tx.go | 2 +-
+ service/authenticate/session/password_tx.go | 3 +-
+ service/authenticate/session/tx.go | 2 +-
+ service/authenticate/session/ukey_tx.go | 80 ++++-
+ service/multifactor/config.go | 34 +++
+ service/multifactor/multifactor.go | 14 +
+ service/ukey/common_device.go | 4 +
+ service/ukey/device.go | 1 +
+ service/ukey/exported_methods_auto.go | 6 +
+ service/ukey/interface.go | 55 +++-
+ 30 files changed, 653 insertions(+), 288 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 073ae20..cbda2d8 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ PREFIX = /usr
+ GOPATH_DIR = gopath
+ GOPKG_PREFIX = pkg.deepin.io/dde/authentication
+-GOBUILD = go build $(GO_BUILD_FLAGS)
++GOBUILD = go build -gcflags="all=-N -l" $(GO_BUILD_FLAGS)
+ #ifeq (${PAM_MODULE_DIR},)
+ #PAM_MODULE_DIR := /etc/pam.d
+ #endif
+@@ -9,7 +9,7 @@ PKG_LIBS= openssl libsystemd json-c
+BINARIES = deepin-authentication app-type-tool
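Review bot: The new `GOBUILD` line hard-codes `-gcflags="all=-N -l"`, which switches off compiler optimisations and inlining for every Go package of the authentication service, and nothing in the hunk restricts that to debug builds. If this is only wanted while debugging, make it opt-in, for example `GOBUILD = go build $(GO_DEBUG_GCFLAGS) $(GO_BUILD_FLAGS)` with the (newly introduced) variable empty by default. The second Makefile hunk appends `-g` to `SECURITY_BUILD_OPTIONS` in the same way and would fit behind the same switch.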
+ LANGUAGES = $(basename $(notdir $(wildcard misc/po/*.po)))
+
+-export SECURITY_BUILD_OPTIONS = -fstack-protector-strong -D_FORTITY_SOURCE=1 -z noexecstack -pie -fPIC -z lazy
++export SECURITY_BUILD_OPTIONS = -fstack-protector-strong -D_FORTITY_SOURCE=1 -z noexecstack -pie -fPIC -z lazy -g
+ export GO111MODULE=off
+
+ all: build
+@@ -45,8 +45,8 @@ install: translate install-pam-module
+ install -m755 out/bin/deepin-authentication ${DESTDIR}${PREFIX}/lib/deepin-authenticate/
+ install -d ${DESTDIR}${PREFIX}/share/dbus-1/system.d
+ install -m644 misc/conf/*.conf ${DESTDIR}${PREFIX}/share/dbus-1/system.d/
+- install -d ${DESTDIR}/lib/systemd/system
+- install -m644 misc/systemd/*.service ${DESTDIR}/lib/systemd/system/
++ install -d ${DESTDIR}${PREFIX}/lib/systemd/system
++ install -m644 misc/systemd/*.service ${DESTDIR}${PREFIX}/lib/systemd/system/
+ install -d ${DESTDIR}${PREFIX}/share/dbus-1/system-services
+ install -m644 misc/system-services/* ${DESTDIR}${PREFIX}/share/dbus-1/system-services/
+ install -d ${DESTDIR}/etc/pam.d
+diff --git a/misc/allowlist b/misc/allowlist
+index 65a7c3a..c4c980b 100644
+--- a/misc/allowlist
++++ b/misc/allowlist
+@@ -1,6 +1,6 @@
+ /usr/sbin/lightdm
+ /usr/bin/dde-lock
+-/usr/lib/policykit-1/polkit-agent-helper-1
++/usr/lib/polkit-1/polkit-agent-helper-1
+ /usr/bin/sudo
+ /usr/bin/su
+ /usr/bin/login
+diff --git a/misc/app-type-list b/misc/app-type-list
+index fdecf0a..b5a1f42 100644
+--- a/misc/app-type-list
++++ b/misc/app-type-list
+@@ -13,7 +13,7 @@
+ "type":"lock"
+ },
+ {
+- "app":"/usr/lib/policykit-1/polkit-agent-helper-1",
++ "app":"/usr/lib/polkit-1/polkit-agent-helper-1",
+ "type":"authorization"
+ },
+ {
+diff --git a/misc/pam-module/auth/dbus.c b/misc/pam-module/auth/dbus.c
+index ae5a70e..e22f10a 100644
+--- a/misc/pam-module/auth/dbus.c
++++ b/misc/pam-module/auth/dbus.c
+@@ -135,7 +135,7 @@ int dbus_method_setToken(struct UserData *ud,
+ &cipher_text,
+ &cipher_len);
+ #else
+- ret = sm4_encrypt(password,
++ ret =
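Review bot: The rewritten `SECURITY_BUILD_OPTIONS` line still spells the macro `-D_FORTITY_SOURCE=1`, so what is passed to the compiler is not `_FORTIFY_SOURCE` and the libc fortify checks are never requested for the PAM module, the same code that uses `strcpy` and `sprintf` further down in this patch. Since the line is being edited anyway, correct it to `-D_FORTIFY_SOURCE=2`, keeping in mind that fortification only takes effect when the objects are compiled with optimisation. The line also keeps `-z lazy`; `-z now` together with `-z relro` is the hardened choice for a module that the allowlist in this patch suggests is loaded by login and sudo, provided nothing relies on lazy binding.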
private_sm4_encrypt(password,
+ strlen(password),
+ ud->symmetric_key,
+ &cipher_text,
+@@ -724,4 +724,4 @@ int dbus_method_get_auth_type_error_echo_allow(struct UserData *ud, const char *
+ sd_bus_error_free(&err);
+ sd_bus_message_unref(reply);
+ return ret < 0 ? 1 : 0;
+-}
+\ No newline at end of file
++}
+diff --git a/misc/pam-module/auth/mfa.c b/misc/pam-module/auth/mfa.c
+index 38c0ebf..0d52952 100644
+--- a/misc/pam-module/auth/mfa.c
++++ b/misc/pam-module/auth/mfa.c
+@@ -26,6 +26,7 @@ int mfa_signal_deal(struct UserData *userData,
+ void *(*request_pw_cb)(void *)) {
+ struct UserData *ud = userData;
+ char msg[MAX_BUF_SIZE];
++ static char prevMsg[MAX_BUF_SIZE];
+ int ret = -1;
+
+ D_DEBUG(ud->pamh,
+@@ -33,12 +34,21 @@ int mfa_signal_deal(struct UserData *userData,
+ signalCode,
+ authType,
+ signalMsg);
++
++ pam_syslog(ud->pamh, LOG_INFO,
++ "in mfa_signal_deal, signalCode is %d, authType is %d, signalMsg is %s",
++ signalCode,
++ authType,
++ signalMsg);
+ do {
+ switch (signalCode) {
+ case ASC_Success:
+ if (authType != -1) {
+ sprintf(msg, gettext("Verification successful"));
+- send_msg_cb(ud, msg, PAM_TEXT_INFO);
++ if (0 != strcmp(prevMsg, msg)) {
++ send_msg_cb(ud, msg, PAM_TEXT_INFO);
++ strcpy(prevMsg, msg);
++ }
+
+ if (authType == ud->cur_type) {
+ D_DEBUG(ud->pamh, "authType is same: %d, try next auth", authType);
+@@ -119,7 +129,10 @@ int mfa_signal_deal(struct UserData *userData,
+ type_to_tr(authType));
+ }
+
+- send_msg_cb(ud, msg, PAM_ERROR_MSG);
++ if (0 != strcmp(prevMsg, msg)) {
++ send_msg_cb(ud, msg, PAM_ERROR_MSG);
++ strcpy(prevMsg, msg);
++ }
+ }
+ break;
+ }
+@@ -129,7 +142,10 @@ int mfa_signal_deal(struct UserData *userData,
+ ud->need_cancel = false;
+ D_DEBUG(ud->pamh, "[DEBUG] set result code: %d", signalCode);
+ if(ud->allow_passwd_echo_error && authType == AT_Password){
+- send_msg_cb(ud, signalMsg, PAM_ERROR_MSG);
++ if (0 != strcmp(prevMsg, signalMsg)) {
++ send_msg_cb(ud, signalMsg, PAM_ERROR_MSG);
++ strcpy(prevMsg,
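Review bot: `static char prevMsg[MAX_BUF_SIZE]` is function-static, so the remembered message is shared by every `mfa_signal_deal` call in the process and is never cleared when a new authentication starts; a prompt that legitimately repeats in a later attempt, or for a different `UserData`, is silently dropped. The later hunks of this file (@@ -129, @@ -137, @@ -176) fill it with `strcpy(prevMsg, signalMsg)`, and `signalMsg` appears to arrive from the D-Bus signal, so nothing bounds it to `MAX_BUF_SIZE`. I would keep the buffer in `struct UserData`, reset it when an authentication begins, and copy with `snprintf(prevMsg, sizeof prevMsg, "%s", signalMsg);`. The function body starts and ends outside this hunk.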
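Review bot: The added `pam_syslog(ud->pamh, LOG_INFO, ...)` writes the text of every signal to the system log unconditionally, directly after a `D_DEBUG` call that already records the same three fields and is presumably the debug-gated path. The same addition is made at `LOG_ERR` in the sfa.c hunk, in `send_msg` in pam.c (`"send msg: %s, style: %d"`), and for `"auth result: %d"` at the end of `pam_sm_authenticate`, where a successful login is then reported with error severity. Unless these lines are meant to stay, rely on the existing `D_DEBUG` calls, or log only the numeric `signalCode` and `authType` at `LOG_DEBUG`.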
signalMsg);
++ }
+ }
+ break;
+ case ASC_Verify:
+@@ -137,12 +153,20 @@ int mfa_signal_deal(struct UserData *userData,
+ memset(msg, 0, MAX_BUF_SIZE);
+ int r = resolve_verify_msg(ud, signalMsg, msg);
+ if (r != 0) {
+- send_msg_cb(ud, msg, r);
++ if (0 != strcmp(prevMsg, msg)) {
++ send_msg_cb(ud, msg, r);
++ strcpy(prevMsg, msg);
++ }
+ }
+
+ break;
+ case ASC_Expect:
++ if (0 != strcmp(prevMsg, signalMsg)) {
++ send_msg_cb(ud, signalMsg, PAM_TEXT_INFO);
++ strcpy(prevMsg, signalMsg);
++ }
+ break;
++
+ case ASC_Prompt:
+ // 多因情况下,各种认证方式都是顺序控制开启的
+ if (authType == ud->cur_type && authType != -1) {
+@@ -176,30 +200,54 @@ int mfa_signal_deal(struct UserData *userData,
+ int r = pthread_kill(ud->pid, 0);
+ //在存在活跃的token获取线程时,不应该收到prompt信号
+ // TODO:或者不应该处理
+- if (r != ESRCH) {
+- pam_syslog(ud->pamh, LOG_ERR, "more then one token threed!");
+- ret = PAM_ABORT;
++ if (r != ESRCH) {//说明线程存在,可能是重复消息或者误传,ignore即可
++ pam_syslog(ud->pamh, LOG_WARNING, "a valid token threed exist, maybe duplicate msg!");
++ if (0 != strcmp(prevMsg, signalMsg)) {
++ send_msg_cb(ud, signalMsg, PAM_TEXT_INFO);
++ strcpy(prevMsg, signalMsg);
++ }
+ break;
+ }
+ }
++
+ err = pthread_create(&ud->pid, NULL, request_pw_cb, ud);
+ if (err != 0) {
+ pam_syslog(ud->pamh, LOG_ERR, "create password thread error: %d", err);
+ ret = PAM_ABORT;
+ break;
+ }
+- D_DEBUG(ud->pamh, "create password thread id: %ld", ud->pid);
++ pam_syslog(ud->pamh, LOG_INFO, "create password thread id: %ld", ud->pid);
+ } else {
+- send_msg_cb(ud, signalMsg, PAM_TEXT_INFO);
++ if (0 != strcmp(prevMsg, signalMsg)) {
++ send_msg_cb(ud, signalMsg, PAM_TEXT_INFO);
++ strcpy(prevMsg, signalMsg);
++ }
+ }
+ }
+ if (authType == -1) {
+- send_msg_cb(ud, signalMsg, PAM_TEXT_INFO);
++ if (0 != strcmp(prevMsg, signalMsg)) {
++ send_msg_cb(ud, signalMsg, PAM_TEXT_INFO);
++ strcpy(prevMsg, signalMsg);
++ }
+ }
+ break;
+ case ASC_Started:
+ break;
+ case ASC_Ended:
++ if (ud->pid) {
++ //在线程存在的情况下,极可能是挂起在和PAM交互conv的函数中
++
//由于对话无法取消,此时即使杀死线程,也会导致状态混乱
++ //因此,此时只能提示前端重启认证过程
++ D_DEBUG(ud->pamh, "must restart auth process", ud->pid);
++ int ret = pthread_kill(ud->pid, 0);
++ if (ESRCH != ret) {
++ sprintf(msg, gettext("Verification Process msut be restart!"));
++ if (0 != strcmp(prevMsg, msg)) {
++ send_msg_cb(ud, msg, PAM_TEXT_INFO);
++ strcpy(prevMsg, msg);
++ }
++ } // else 线程不存在,说明已经退出了
++ }
+ break;
+ }
+ } while (0);
+diff --git a/misc/pam-module/auth/pam.c b/misc/pam-module/auth/pam.c
+index 4e7aeb4..022ea09 100644
+--- a/misc/pam-module/auth/pam.c
++++ b/misc/pam-module/auth/pam.c
+@@ -75,6 +75,15 @@ static void clean_auth_data(struct UserData *ud) {
+ free(ud->key);
+ ud->key = NULL;
+ }
++
++ // 清除密码缓存:当前deepin-authentication缓存的密码,
++ // 可能不适用于后续的PAM模块,如果不清除则会引起后续pam模块验证失败、且无法输入新的验证数据
++ if (ud->pamh) {
++ pam_set_item(ud->pamh, PAM_AUTHTOK, NULL); // 当前密码
++ pam_set_item(ud->pamh, PAM_OLDAUTHTOK, NULL); // 旧密码
++ }
++
++ return;
+ }
+
+ static void pam_clean_func(pam_handle_t *pamh, void *userData, int error_status) {
+@@ -132,18 +141,25 @@ static struct pam_response *send_msg(struct UserData *ud, const char *msg, int s
+ }
+ break;
+ }
++
++ pam_syslog(ud->pamh, LOG_ERR, "send msg: %s, style: %d", msg, style);
+ } while (0);
+ return presp;
+ }
+
+ int split_data(char *resp, char **path, char **tok) {
+- int ret = 0;
++ int ret = -1;
+
+ char *p = strchr(resp, ';');
+ do {
+ if (p == NULL) {
+- ret = -1;
+- break;
++ *path = NULL;
++ if (strlen(resp) > 1) {
++ *tok = (char *)malloc(strlen(resp));
++ strcpy(*tok, resp);
++ (*tok)[strlen(*tok)] = '\0';
++ ret = 0;
++ }
+ } else {
+ *path = (char *)malloc(p - resp + 1);
+ strncpy(*path, resp, p - resp);
+@@ -153,8 +169,10 @@ int split_data(char *resp, char **path, char **tok) {
+ strcpy(*tok, p + 1);
+ (*tok)[strlen(*tok)] = '\0';
+ }
++ ret = 0;
+ }
+ } while (0);
++
+ return ret;
+ }
+
+@@ -169,13 +187,18 @@ static void *run_request_pw(void *user_data) {
+ int res = -1;
+ char *path = NULL;
+ char *tok = NULL;
+- if
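Review bot: In the new `ASC_Ended` branch, `int ret = pthread_kill(ud->pid, 0);` declares a second `ret` that shadows the function's result variable, and it probes a thread id whose thread may already have terminated; POSIX leaves `pthread_kill` on an ended thread undefined, so `ESRCH` is not a dependable answer (the `ASC_Prompt` part of this hunk relies on the same probe). Rename the local, e.g. `int alive = pthread_kill(ud->pid, 0);`, and where possible track liveness with a flag that the worker thread clears itself. `D_DEBUG(ud->pamh, "must restart auth process", ud->pid);` passes an argument the format never consumes, and the user-visible string reads "msut be restart".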
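Review bot: In the new `p == NULL` branch of `split_data`, `*tok = (char *)malloc(strlen(resp));` leaves no room for the terminator, so the following `strcpy(*tok, resp);` writes one byte past the allocation, and `resp` is the reply text that `run_request_pw` passes in from `rep->resp`. The allocation is also used without a NULL check, and `(*tok)[strlen(*tok)] = '\0';` has no effect. Allocate with `*tok = malloc(strlen(resp) + 1);` and report success only when that worked: `if (*tok != NULL) { strcpy(*tok, resp); ret = 0; }`. The `else` branch continues outside this hunk.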
(split_data(rep->resp, &path, &tok) == 0) {
++ if (0 == split_data(rep->resp, &path, &tok)
++ && (NULL != path
++ || NULL != ud->path)) {
+ bool success = false;
+- D_DEBUG(ud->pamh, "get path: %s, tok: %s", path, tok);
+-
+- dbus_method_getResult(ud, path, &res);
++ if (NULL == path) {
++ dbus_method_getResult(ud, ud->path, &res);
++ } else {
++ dbus_method_getResult(ud, path, &res);
++ }
+
+ while (ud->waiting_result) {
++ D_DEBUG(ud->pamh, "[DEBUG] pam-module loop because ud->waiting_result");
+ usleep(100);
+ }
+ if (ud->get_result_val == GET_RESULT_SUCCESS) {
+@@ -241,7 +264,6 @@ static int bus_signal_cb(sd_bus_message *m, void *user_data, sd_bus_error *ret_e
+ authType,
+ code,
+ signalmsg);
+-
+ if (ud->auth_ctrl->isMFA) {
+ ud->res = mfa_signal_deal(ud, code, authType, signalmsg, send_msg, run_request_pw);
+ } else {
+@@ -288,6 +310,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
+ int app_type = 0;
+ char app_path[MAX_BUF_SIZE];
+
++ pam_syslog(pamh, LOG_NOTICE, "call pam_sm_authenticate");
++
+ for (int idx = 0; idx < argc; ++idx) {
+ const char *splitch = strchr(argv[idx], '=');
+
+@@ -328,6 +352,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
+ pam_set_data(pamh, "deepin-authenticate-user-data", ud, pam_clean_func);
+ pthread_cleanup_push(thread_cleanup, ud);
+ D_DEBUG(pamh, "new auth");
++
+ ssize_t nbytes = readlink("/proc/self/exe", buff, MAX_BUF_SIZE);
+ if (nbytes == -1) {
+ pam_syslog(pamh, LOG_ERR, "failed to readlink of /proc/self/exe");
+@@ -547,6 +572,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
+
+ clean_auth_data(ud);
+
++ pam_syslog(pamh, LOG_ERR, "auth result: %d", ud->res);
+ D_DEBUG(ud->pamh, "auth result: %d", ud->res);
+ return ud->res;
+ }
+@@ -557,4 +583,4 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const cha
+ UNUSED_VALUE(argc);
+ UNUSED_VALUE(argv);
+ return PAM_SUCCESS;
+-}
+\ No
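Review bot: The added `D_DEBUG(ud->pamh, "[DEBUG] pam-module loop because ud->waiting_result");` sits inside a loop that polls every `usleep(100)`, so with debugging enabled it can emit thousands of identical lines per second for as long as a result is pending. Log once before the loop instead, e.g. `if (ud->waiting_result) D_DEBUG(ud->pamh, "waiting for result");`. `ud->waiting_result` is presumably written by the signal-handling side while this thread spins on a plain read; if so, it should be atomic or lock-protected, and the wait should have an upper bound. The function continues outside the hunk.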
newline at end of file
++}
+diff --git a/misc/pam-module/auth/sfa.c b/misc/pam-module/auth/sfa.c
+index f453870..0468d50 100644
+--- a/misc/pam-module/auth/sfa.c
++++ b/misc/pam-module/auth/sfa.c
+@@ -26,6 +26,12 @@ int sfa_signal_deal(struct UserData *ud,
+ signalCode,
+ authType,
+ signalMsg);
++ pam_syslog(ud->pamh, LOG_ERR,
++ "in sfa_signal_deal, signalCode is %d, authType is %d, signalMsg is %s",
++ signalCode,
++ authType,
++ signalMsg);
++
+ do {
+ switch (signalCode) {
+ case ASC_Success:
+@@ -62,6 +68,7 @@ int sfa_signal_deal(struct UserData *ud,
+ int typeIndex = type_to_index(failType);
+ if (typeIndex >= SUPPORT_AT_TYPE) {
+ pam_syslog(ud->pamh, LOG_ERR, "index(%d) out of limit type", typeIndex);
++ send_msg_cb(ud, signalMsg, PAM_ERROR_MSG);
+ break;
+ }
+ struct Limit *limit = &(ud->limits[typeIndex]);
+diff --git a/misc/pam-module/auth/utils.c b/misc/pam-module/auth/utils.c
+index 9bfa47c..180aa1e 100644
+--- a/misc/pam-module/auth/utils.c
++++ b/misc/pam-module/auth/utils.c
+@@ -5,7 +5,6 @@
+ #include
+ #include
+ #include
+-#include
+ #include
+
+ int resolve_verify_msg(const struct UserData *ud, const char *verify_msg, char *res_msg) {
+@@ -612,15 +611,20 @@ int aes_cbc_encrypt(const char *src,
+ return 0;
+ }
+
+-int sm4_encrypt(const char *src,
++int private_sm4_encrypt(const char *src,
+ int srcLen,
+ char *key,
+ char **cipher_text,
+ int *outLen) {
++#ifndef SM4_BLOCK_SIZE
++#define SM4_BLOCK_SIZE (16)
++#endif
++
+ int ret = 0;
+ int blockCount = 0;
+ int quotient = srcLen / SM4_BLOCK_SIZE;
+ int mod = srcLen % SM4_BLOCK_SIZE;
++ int finalLen = 0;
+ blockCount = quotient + 1;
+
+ int padding = SM4_BLOCK_SIZE - mod;
+@@ -634,22 +638,35 @@ int sm4_encrypt(const char *src,
+ free(blocks);
+ return -1;
+ }
+- ret = EVP_CipherInit(ctx, EVP_sm4_ecb(), (unsigned char*)key, NULL, 1);
++ ret = EVP_EncryptInit_ex(ctx, EVP_sm4_ecb(), NULL, (unsigned char*)key, NULL);
++ if (1 != ret) {
++ EVP_CIPHER_CTX_free(ctx);
++ free(blocks);
++ return -1;
++ }
++
++ // 禁用填充(因为我们已经手动添加了填充)
++ EVP_CIPHER_CTX_set_padding(ctx, 0);
++
++ ret = EVP_EncryptUpdate(ctx, blocks, outLen, blocks, size);
+ if (1 != ret) {
+ EVP_CIPHER_CTX_free(ctx);
+ free(blocks);
+ return -1;
+ }
+- ret = EVP_Cipher(ctx, blocks, blocks, size);
++
++ // 完成加密操作(对于禁用填充的情况,这应该不会写入数据)
++ ret = EVP_EncryptFinal_ex(ctx, blocks + *outLen, &finalLen);
+ if (1 != ret) {
+ EVP_CIPHER_CTX_free(ctx);
+ free(blocks);
+ return -1;
+ }
++
+ EVP_CIPHER_CTX_free(ctx);
+-
++
+ *cipher_text = (char *)blocks;
+- *outLen = size;
++ *outLen += finalLen;
+
+ return 0;
+ }
+diff --git a/misc/pam-module/auth/utils.h b/misc/pam-module/auth/utils.h
+index cc07c43..989a83f 100644
+--- a/misc/pam-module/auth/utils.h
++++ b/misc/pam-module/auth/utils.h
+@@ -35,7 +35,7 @@ int aes_cbc_encrypt(const char *src,
+ char **cipher_text,
+ int *outLen);
+
+-int sm4_encrypt(const char *src,
++int private_sm4_encrypt(const char *src,
+ int srcLen,
+ char *key,
+ char **cipher_text,
+diff --git a/misc/po/deepin-authentication.pot b/misc/po/deepin-authentication.pot
+index 29e5d62..c4c7dbe 100644
+--- a/misc/po/deepin-authentication.pot
++++ b/misc/po/deepin-authentication.pot
+@@ -2,412 +2,421 @@
+ # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+ # This file is distributed under the same license as the PACKAGE package.
+ # FIRST AUTHOR , YEAR.
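Review bot: Every failure path in the rewritten `private_sm4_encrypt` calls `free(blocks)` while `blocks` still holds the padded input, which for the `dbus_method_setToken` caller is the user's password; the buffer should be wiped before it is released, and the three identical cleanup blocks are easier to keep correct as one exit path. The sketch below does both using `OPENSSL_cleanse`. Separately, the cipher remains `EVP_sm4_ecb()`, so equal inputs under the same `symmetric_key` produce equal ciphertext; that predates this change, and moving to a mode with an IV would need a matching change in the service. The part of the function that sets up `blocks` and `size` is outside this hunk.

```c
    /* … unchanged: padding of blocks, EVP_CIPHER_CTX_new … */
    int rc = -1;

    if (1 != EVP_EncryptInit_ex(ctx, EVP_sm4_ecb(), NULL, (unsigned char*)key, NULL))
        goto out;
    /* padding was already applied by hand above */
    EVP_CIPHER_CTX_set_padding(ctx, 0);
    if (1 != EVP_EncryptUpdate(ctx, blocks, outLen, blocks, size))
        goto out;
    if (1 != EVP_EncryptFinal_ex(ctx, blocks + *outLen, &finalLen))
        goto out;

    *cipher_text = (char *)blocks;
    *outLen += finalLen;
    rc = 0;
out:
    EVP_CIPHER_CTX_free(ctx);
    if (rc != 0) {
        /* do not hand the padded plaintext back to the allocator intact */
        OPENSSL_cleanse(blocks, size);
        free(blocks);
    }
    return rc;
```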
+-# ++# + #, fuzzy + msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2022-10-17 14:06+0800\n" ++"POT-Creation-Date: 2026-03-19 15:35+0800\n" + "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" + "Last-Translator: FULL NAME \n" + "Language-Team: LANGUAGE \n" ++"Language: \n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=CHARSET\n" + "Content-Transfer-Encoding: 8bit\n" +-"Language: \n" + + #: ../../service/authcommon/face.go:41 ../../service/authcommon/iris.go:37 + #: misc/pam-module/auth/mfa.c:40 misc/pam-module/auth/sfa.c:35 + #, c-format + msgid "Verification successful" +-msgstr "Verification successful" ++msgstr "" + + #: ../../service/authcommon/face.go:43 + msgid "Position your face please" +-msgstr "Position your face please" ++msgstr "" + + #: ../../service/authcommon/face.go:45 + msgid "Position your face inside the frame" +-msgstr "Position your face inside the frame" ++msgstr "" + + #: ../../service/authcommon/face.go:47 ../../service/authcommon/iris.go:39 + msgid "Keep away from the camera" +-msgstr "Keep away from the camera" ++msgstr "" + + #: ../../service/authcommon/face.go:49 ../../service/authcommon/iris.go:41 + msgid "Get closer to the camera" +-msgstr "Get closer to the camera" ++msgstr "" + + #: ../../service/authcommon/face.go:51 + msgid "Face not found" +-msgstr "Face not found" ++msgstr "" + + #: ../../service/authcommon/face.go:53 + msgid "Do not position multiple faces inside the frame" +-msgstr "Do not position multiple faces inside the frame" ++msgstr "" + + #: ../../service/authcommon/face.go:55 ../../service/authcommon/iris.go:45 + msgid "Make sure the camera lens is clean" +-msgstr "Make sure the camera lens is clean" ++msgstr "" + + #: ../../service/authcommon/face.go:57 ../../service/authcommon/iris.go:47 + msgid "Do not enroll in dark, bright or backlit environments" +-msgstr "Do not enroll in dark, bright or backlit environments" ++msgstr "" + + #: 
../../service/authcommon/face.go:59 + msgid "Keep your face uncovered" +-msgstr "Keep your face uncovered" ++msgstr "" + + #: ../../service/authcommon/face.go:61 ../../service/authcommon/iris.go:51 ++#: ../../service/authcommon/passkey.go:40 ++#: ../../service/authcommon/passkey.go:42 + msgid "Unknown error" +-msgstr "Unknown error" ++msgstr "" + + #: ../../service/authcommon/iris.go:43 + msgid "Iris not found" +-msgstr "Iris not found" ++msgstr "" + + #: ../../service/authcommon/iris.go:49 + msgid "Keep your eyes wide open" +-msgstr "Keep your eyes wide open" ++msgstr "" + +-#: ../../service/authcommon/passkey.go:35 ++#: ../../service/authcommon/passkey.go:32 + msgid "Unregistered security key" +-msgstr "Unregistered security key" ++msgstr "" + +-#: ../../service/authcommon/passkey.go:37 ++#: ../../service/authcommon/passkey.go:34 + msgid "Please plug in the security key" +-msgstr "Please plug in the security key" ++msgstr "" + +-#: ../../service/authcommon/passkey.go:39 ++#: ../../service/authcommon/passkey.go:36 + msgid "Touch or swipe the security key" +-msgstr "Touch or swipe the security key" ++msgstr "" + +-#: ../../service/authcommon/passkey.go:41 ++#: ../../service/authcommon/passkey.go:38 + msgid "Validation timed out" +-msgstr "Validation timed out" ++msgstr "" + +-#: ../../service/authcommon/text.go:23 misc/pam-module/auth/utils.c:113 ++#: ../../service/authcommon/text.go:23 misc/pam-module/auth/utils.c:112 + #, c-format + msgid "Password" +-msgstr "Password" ++msgstr "" + + #: ../../service/authcommon/text.go:44 + msgid "Enter your PIN" +-msgstr "Enter your PIN" ++msgstr "" + + #: ../../service/authcommon/ukey.go:27 + msgid "Device abnormal" +-msgstr "Device abnormal" ++msgstr "" + + #: ../../service/authcommon/ukey.go:29 + msgid "Enter your PIN: " +-msgstr "Enter your PIN: " ++msgstr "" + + #: ../../service/authcommon/ukey.go:31 + msgid "Verifying..." +-msgstr "Verifying..." 
++msgstr "" + + #: ../../service/authcommon/ukey.go:33 + msgid "UKey is required" +-msgstr "UKey is required" ++msgstr "" + + #: ../../service/authcommon/ukey.go:35 + msgid "Unknown UKey state" +-msgstr "Unknown UKey state" ++msgstr "" + + #: ../../service/authenticate/session/custom_tx.go:96 + msgid "custom" +-msgstr "custom" ++msgstr "" + + #: ../../service/authenticate/session/face_tx.go:115 + msgid "Verify your face" +-msgstr "Verify your face" ++msgstr "" + +-#: ../../service/authenticate/session/face_tx.go:236 ++#: ../../service/authenticate/session/face_tx.go:235 + msgid "face" +-msgstr "face" ++msgstr "" + + #: ../../service/authenticate/session/fingerprint_tx.go:178 + msgid "Verify your fingerprint" +-msgstr "Verify your fingerprint" ++msgstr "" + +-#: ../../service/authenticate/session/fingerprint_tx.go:320 ++#: ../../service/authenticate/session/fingerprint_tx.go:332 + msgid "fingerprint" +-msgstr "fingerprint" ++msgstr "" + + #: ../../service/authenticate/session/iris_tx.go:109 + msgid "Verify your iris" +-msgstr "Verify your iris" ++msgstr "" + + #: ../../service/authenticate/session/iris_tx.go:231 + msgid "iris" +-msgstr "iris" ++msgstr "" + + #: ../../service/authenticate/session/multifactor_verify.go:53 + msgid "Multiple verification methods are required" +-msgstr "Multiple verification methods are required" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:266 +-#: ../../service/authenticate/session/normal_verify.go:222 ++#: ../../service/authenticate/session/multifactor_verify.go:91 ++#: ../../service/authenticate/session/multifactor_verify.go:257 ++#: ../../service/authenticate/session/normal_verify.go:85 ++#: ../../service/authenticate/session/normal_verify.go:227 ++msgid "No valid factor to verify" ++msgstr "" ++ ++#: ../../service/authenticate/session/multifactor_verify.go:271 ++#: ../../service/authenticate/session/normal_verify.go:241 + #, c-format + msgid "Verify your %s" +-msgstr "Verify your %s" ++msgstr "" + 
+-#: ../../service/authenticate/session/multifactor_verify.go:269 +-#: ../../service/authenticate/session/normal_verify.go:225 ++#: ../../service/authenticate/session/multifactor_verify.go:274 ++#: ../../service/authenticate/session/normal_verify.go:244 + #, c-format + msgid "Enter your %s" +-msgstr "Enter your %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:276 ++#: ../../service/authenticate/session/multifactor_verify.go:281 + #, c-format + msgid "Verify your %s and %s" +-msgstr "Verify your %s and %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:279 ++#: ../../service/authenticate/session/multifactor_verify.go:284 + #, c-format + msgid "Enter your %s and %s" +-msgstr "Enter your %s and %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:281 ++#: ../../service/authenticate/session/multifactor_verify.go:286 + #, c-format + msgid "%s and %s" +-msgstr "%s and %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:286 ++#: ../../service/authenticate/session/multifactor_verify.go:291 + #, c-format + msgid "Verify your %s, %s and %s" +-msgstr "Verify your %s, %s and %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:289 ++#: ../../service/authenticate/session/multifactor_verify.go:294 + #, c-format + msgid "Enter your %s, %s and %s" +-msgstr "Enter your %s, %s and %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:291 ++#: ../../service/authenticate/session/multifactor_verify.go:296 + #, c-format + msgid "%s, %s and %s" +-msgstr "%s, %s and %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:296 ++#: ../../service/authenticate/session/multifactor_verify.go:301 + #, c-format + msgid "Verify your %s, %s, %s and %s" +-msgstr "Verify your %s, %s, %s and %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:299 ++#: 
../../service/authenticate/session/multifactor_verify.go:304 + #, c-format + msgid "Enter your %s, %s, %s and %s" +-msgstr "Enter your %s, %s, %s and %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:301 ++#: ../../service/authenticate/session/multifactor_verify.go:306 + #, c-format + msgid "%s, %s, %s and %s" +-msgstr "%s, %s, %s and %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:306 +-#: ../../service/authenticate/session/normal_verify.go:262 ++#: ../../service/authenticate/session/multifactor_verify.go:311 ++#: ../../service/authenticate/session/normal_verify.go:281 + #, c-format + msgid "Verify your %s, %s, %s, %s or %s" +-msgstr "Verify your %s, %s, %s, %s or %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:309 +-#: ../../service/authenticate/session/normal_verify.go:265 ++#: ../../service/authenticate/session/multifactor_verify.go:314 ++#: ../../service/authenticate/session/normal_verify.go:284 + #, c-format + msgid "Enter your %s, %s, %s, %s or %s" +-msgstr "Enter your %s, %s, %s, %s or %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:311 +-#: ../../service/authenticate/session/normal_verify.go:267 ++#: ../../service/authenticate/session/multifactor_verify.go:316 ++#: ../../service/authenticate/session/normal_verify.go:286 + #, c-format + msgid "%s, %s, %s, %s or %s" +-msgstr "%s, %s, %s, %s or %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:316 +-#: ../../service/authenticate/session/normal_verify.go:272 ++#: ../../service/authenticate/session/multifactor_verify.go:321 ++#: ../../service/authenticate/session/normal_verify.go:291 + #, c-format + msgid "Verify your %s, %s, %s, %s, %s or %s" +-msgstr "Verify your %s, %s, %s, %s, %s or %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:319 +-#: ../../service/authenticate/session/normal_verify.go:275 ++#: 
../../service/authenticate/session/multifactor_verify.go:324 ++#: ../../service/authenticate/session/normal_verify.go:294 + #, c-format + msgid "Enter your %s, %s, %s, %s, %s or %s" +-msgstr "Enter your %s, %s, %s, %s, %s or %s" ++msgstr "" + +-#: ../../service/authenticate/session/multifactor_verify.go:321 +-#: ../../service/authenticate/session/normal_verify.go:277 ++#: ../../service/authenticate/session/multifactor_verify.go:326 ++#: ../../service/authenticate/session/normal_verify.go:296 + #, c-format + msgid "%s, %s, %s, %s, %s or %s" +-msgstr "%s, %s, %s, %s, %s or %s" ++msgstr "" + +-#: ../../service/authenticate/session/normal_verify.go:232 ++#: ../../service/authenticate/session/normal_verify.go:251 + #, c-format + msgid "Verify your %s or %s" +-msgstr "Verify your %s or %s" ++msgstr "" + +-#: ../../service/authenticate/session/normal_verify.go:235 ++#: ../../service/authenticate/session/normal_verify.go:254 + #, c-format + msgid "Enter your %s or %s" +-msgstr "Enter your %s or %s" ++msgstr "" + +-#: ../../service/authenticate/session/normal_verify.go:237 ++#: ../../service/authenticate/session/normal_verify.go:256 + #, c-format + msgid "%s or %s" +-msgstr "%s or %s" ++msgstr "" + +-#: ../../service/authenticate/session/normal_verify.go:242 ++#: ../../service/authenticate/session/normal_verify.go:261 + #, c-format + msgid "Verify your %s, %s or %s" +-msgstr "Verify your %s, %s or %s" ++msgstr "" + +-#: ../../service/authenticate/session/normal_verify.go:245 ++#: ../../service/authenticate/session/normal_verify.go:264 + #, c-format + msgid "Enter your %s, %s or %s" +-msgstr "Enter your %s, %s or %s" ++msgstr "" + +-#: ../../service/authenticate/session/normal_verify.go:247 ++#: ../../service/authenticate/session/normal_verify.go:266 + #, c-format + msgid "%s, %s or %s" +-msgstr "%s, %s or %s" ++msgstr "" + +-#: ../../service/authenticate/session/normal_verify.go:252 ++#: ../../service/authenticate/session/normal_verify.go:271 + #, c-format + msgid "Verify 
your %s, %s, %s or %s" +-msgstr "Verify your %s, %s, %s or %s" ++msgstr "" + +-#: ../../service/authenticate/session/normal_verify.go:255 ++#: ../../service/authenticate/session/normal_verify.go:274 + #, c-format + msgid "Enter your %s, %s, %s or %s" +-msgstr "Enter your %s, %s, %s or %s" ++msgstr "" + +-#: ../../service/authenticate/session/normal_verify.go:257 ++#: ../../service/authenticate/session/normal_verify.go:276 + #, c-format + msgid "%s, %s, %s or %s" +-msgstr "%s, %s, %s or %s" ++msgstr "" + + #: ../../service/authenticate/session/passkey_tx.go:130 + msgid "Verify your security key" +-msgstr "Verify your security key" ++msgstr "" + + #: ../../service/authenticate/session/passkey_tx.go:264 + msgid "security key" +-msgstr "security key" ++msgstr "" + +-#: ../../service/authenticate/session/password_tx.go:46 ++#: ../../service/authenticate/session/password_tx.go:48 + msgid "Password: " +-msgstr "Password: " ++msgstr "" + +-#: ../../service/authenticate/session/password_tx.go:59 ++#: ../../service/authenticate/session/password_tx.go:61 + msgid "password" +-msgstr "password" ++msgstr "" + + #: ../../service/authenticate/session/ukey_tx.go:289 + #: misc/pam-module/auth/type.c:24 + msgid "PIN" +-msgstr "PIN" ++msgstr "" + + #: misc/pam-module/auth/limit.c:27 + #, c-format + msgid "Please try again %d minutes later" +-msgstr "Please try again %d minutes later" ++msgstr "" + + #: misc/pam-module/auth/limit.c:29 + #, c-format + msgid "Please try again %d minute later" +-msgstr "Please try again %d minute later" ++msgstr "" + + #: misc/pam-module/auth/mfa.c:109 + #, c-format + msgid "Password verification failed" +-msgstr "Password verification failed" ++msgstr "" + + #: misc/pam-module/auth/mfa.c:118 + #, c-format + msgid "%s verification failed" +-msgstr "%s verification failed" ++msgstr "" + +-#: misc/pam-module/auth/pam.c:397 ++#: misc/pam-module/auth/pam.c:442 + #, c-format + msgid "Your password will expire in %d days, please change it timely" +-msgstr "Your 
password will expire in %d days, please change it timely" ++msgstr "" + + #: misc/pam-module/auth/sfa.c:78 + #, c-format + msgid "%s locked, use password please" +-msgstr "%s locked, use password please" ++msgstr "" + + #: misc/pam-module/auth/sfa.c:83 + #, c-format + msgid "Password locked, %s" +-msgstr "Password locked, %s" ++msgstr "" + + #: misc/pam-module/auth/sfa.c:91 + #, c-format + msgid "Password verification failed, %d chances left" +-msgstr "Password verification failed, %d chances left" ++msgstr "" + + #: misc/pam-module/auth/sfa.c:101 + #, c-format + msgid "%s verification failed, %d chances left" +-msgstr "%s verification failed, %d chances left" ++msgstr "" + + #: misc/pam-module/auth/sfa.c:109 + #, c-format + msgid "Password verification failed, only one chance left" +-msgstr "Password verification failed, only one chance left" ++msgstr "" + + #: misc/pam-module/auth/sfa.c:118 + #, c-format + msgid "%s verification failed, only one chance left" +-msgstr "%s verification failed, only one chance left" ++msgstr "" + + #: misc/pam-module/auth/type.c:18 + msgid "Fingerprint" +-msgstr "Fingerprint" ++msgstr "" + + #: misc/pam-module/auth/type.c:20 + msgid "Face recognition" +-msgstr "Face recognition" ++msgstr "" + + #: misc/pam-module/auth/type.c:22 + msgid "ActiveDirectory" +-msgstr "ActiveDirectory" ++msgstr "" + + #: misc/pam-module/auth/type.c:26 + msgid "Iris" +-msgstr "Iris" ++msgstr "" + + #: misc/pam-module/auth/type.c:28 + msgid "Unknown" +-msgstr "Unknown" ++msgstr "" + +-#: misc/pam-module/auth/utils.c:54 ++#: misc/pam-module/auth/utils.c:53 + #, c-format + msgid "Verification error" +-msgstr "Verification error" ++msgstr "" + +-#: misc/pam-module/auth/utils.c:59 ++#: misc/pam-module/auth/utils.c:58 + #, c-format + msgid "Fingerprint verification unavailable, please input password" +-msgstr "Fingerprint verification unavailable, please input password" ++msgstr "" + +-#: misc/pam-module/auth/utils.c:83 misc/pam-module/auth/utils.c:91 ++#: 
misc/pam-module/auth/utils.c:82 misc/pam-module/auth/utils.c:90 + #, c-format + msgid "Clean your finger and try again" +-msgstr "Clean your finger and try again" ++msgstr "" + +-#: misc/pam-module/auth/utils.c:87 ++#: misc/pam-module/auth/utils.c:86 + #, c-format + msgid "Finger not centered" +-msgstr "Finger not centered" ++msgstr "" + +-#: misc/pam-module/auth/utils.c:96 ++#: misc/pam-module/auth/utils.c:95 + #, c-format + msgid "Unclear fingerprint, please clean your finger and try again" +-msgstr "Unclear fingerprint, please clean your finger and try again" ++msgstr "" + +-#: misc/pam-module/auth/utils.c:102 ++#: misc/pam-module/auth/utils.c:101 + #, c-format + msgid "Finger moved too fast, please do not lift until prompted" +-msgstr "Finger moved too fast, please do not lift until prompted" ++msgstr "" +diff --git a/misc/po/zh_CN.po b/misc/po/zh_CN.po +index b324f3e..c9c5a1a 100644 +--- a/misc/po/zh_CN.po ++++ b/misc/po/zh_CN.po +@@ -2,24 +2,25 @@ + # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER + # This file is distributed under the same license as the PACKAGE package. + # FIRST AUTHOR , YEAR. 
+-# ++# + # Translators: + # Hualet Wang , 2021 + # deepiner, 2023 +-# ++# + #, fuzzy + msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2022-10-17 14:06+0800\n" ++"POT-Creation-Date: 2026-03-19 15:35+0800\n" + "PO-Revision-Date: 2020-06-11 09:00+0000\n" + "Last-Translator: deepiner, 2023\n" +-"Language-Team: Chinese (China) (https://app.transifex.com/linuxdeepin/teams/3617/zh_CN/)\n" ++"Language-Team: Chinese (China) (https://app.transifex.com/linuxdeepin/" ++"teams/3617/zh_CN/)\n" ++"Language: zh_CN\n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" +-"Language: zh_CN\n" + "Plural-Forms: nplurals=1; plural=0;\n" + + #: ../../service/authcommon/face.go:41 ../../service/authcommon/iris.go:37 +@@ -65,6 +66,8 @@ msgid "Keep your face uncovered" + msgstr "请保持面部无遮挡" + + #: ../../service/authcommon/face.go:61 ../../service/authcommon/iris.go:51 ++#: ../../service/authcommon/passkey.go:40 ++#: ../../service/authcommon/passkey.go:42 + msgid "Unknown error" + msgstr "未知错误" + +@@ -76,23 +79,23 @@ msgstr "未识别到虹膜" + msgid "Keep your eyes wide open" + msgstr "请睁大双眼" + +-#: ../../service/authcommon/passkey.go:35 ++#: ../../service/authcommon/passkey.go:32 + msgid "Unregistered security key" + msgstr "尚未添加该设备" + +-#: ../../service/authcommon/passkey.go:37 ++#: ../../service/authcommon/passkey.go:34 + msgid "Please plug in the security key" + msgstr "请插入安全密钥" + +-#: ../../service/authcommon/passkey.go:39 ++#: ../../service/authcommon/passkey.go:36 + msgid "Touch or swipe the security key" + msgstr "请验证安全密钥,触摸或轻扫设备" + +-#: ../../service/authcommon/passkey.go:41 ++#: ../../service/authcommon/passkey.go:38 + msgid "Validation timed out" + msgstr "验证安全密钥超时" + +-#: ../../service/authcommon/text.go:23 misc/pam-module/auth/utils.c:113 ++#: ../../service/authcommon/text.go:23 misc/pam-module/auth/utils.c:112 + #, c-format + msgid "Password" + msgstr "请输入密码" +@@ 
-129,7 +132,7 @@ msgstr "custom" + msgid "Verify your face" + msgstr "请验证人脸ID" + +-#: ../../service/authenticate/session/face_tx.go:236 ++#: ../../service/authenticate/session/face_tx.go:235 + msgid "face" + msgstr "人脸" + +@@ -137,7 +140,7 @@ msgstr "人脸" + msgid "Verify your fingerprint" + msgstr "请验证指纹" + +-#: ../../service/authenticate/session/fingerprint_tx.go:320 ++#: ../../service/authenticate/session/fingerprint_tx.go:332 + msgid "fingerprint" + msgstr "指纹" + +@@ -153,140 +156,147 @@ msgstr "虹膜" + msgid "Multiple verification methods are required" + msgstr "需要使用多种认证方式" + +-#: ../../service/authenticate/session/multifactor_verify.go:266 +-#: ../../service/authenticate/session/normal_verify.go:222 ++#: ../../service/authenticate/session/multifactor_verify.go:91 ++#: ../../service/authenticate/session/multifactor_verify.go:257 ++#: ../../service/authenticate/session/normal_verify.go:85 ++#: ../../service/authenticate/session/normal_verify.go:227 ++msgid "No valid factor to verify" ++msgstr "无有效的验证因子" ++ ++#: ../../service/authenticate/session/multifactor_verify.go:271 ++#: ../../service/authenticate/session/normal_verify.go:241 + #, c-format + msgid "Verify your %s" + msgstr "请验证%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:269 +-#: ../../service/authenticate/session/normal_verify.go:225 ++#: ../../service/authenticate/session/multifactor_verify.go:274 ++#: ../../service/authenticate/session/normal_verify.go:244 + #, c-format + msgid "Enter your %s" + msgstr "请输入%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:276 ++#: ../../service/authenticate/session/multifactor_verify.go:281 + #, c-format + msgid "Verify your %s and %s" + msgstr "请验证%s和%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:279 ++#: ../../service/authenticate/session/multifactor_verify.go:284 + #, c-format + msgid "Enter your %s and %s" + msgstr "请输入%s和%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:281 ++#: 
../../service/authenticate/session/multifactor_verify.go:286 + #, c-format + msgid "%s and %s" + msgstr "请输入%s和%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:286 ++#: ../../service/authenticate/session/multifactor_verify.go:291 + #, c-format + msgid "Verify your %s, %s and %s" + msgstr "请验证%s,%s和%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:289 ++#: ../../service/authenticate/session/multifactor_verify.go:294 + #, c-format + msgid "Enter your %s, %s and %s" + msgstr "请输入%s,%s和%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:291 ++#: ../../service/authenticate/session/multifactor_verify.go:296 + #, c-format + msgid "%s, %s and %s" + msgstr "请输入%s,%s和%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:296 ++#: ../../service/authenticate/session/multifactor_verify.go:301 + #, c-format + msgid "Verify your %s, %s, %s and %s" + msgstr "请验证%s,%s,%s和%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:299 ++#: ../../service/authenticate/session/multifactor_verify.go:304 + #, c-format + msgid "Enter your %s, %s, %s and %s" + msgstr "请输入%s,%s,%s和%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:301 ++#: ../../service/authenticate/session/multifactor_verify.go:306 + #, c-format + msgid "%s, %s, %s and %s" + msgstr "请输入%s,%s,%s和%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:306 +-#: ../../service/authenticate/session/normal_verify.go:262 ++#: ../../service/authenticate/session/multifactor_verify.go:311 ++#: ../../service/authenticate/session/normal_verify.go:281 + #, c-format + msgid "Verify your %s, %s, %s, %s or %s" + msgstr "请验证%s,%s,%s,%s,或%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:309 +-#: ../../service/authenticate/session/normal_verify.go:265 ++#: ../../service/authenticate/session/multifactor_verify.go:314 ++#: ../../service/authenticate/session/normal_verify.go:284 + #, c-format + msgid "Enter your %s, %s, %s, %s 
or %s" + msgstr "请输入%s,%s,%s,%s,或%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:311 +-#: ../../service/authenticate/session/normal_verify.go:267 ++#: ../../service/authenticate/session/multifactor_verify.go:316 ++#: ../../service/authenticate/session/normal_verify.go:286 + #, c-format + msgid "%s, %s, %s, %s or %s" + msgstr "%s,%s,%s,%s或%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:316 +-#: ../../service/authenticate/session/normal_verify.go:272 ++#: ../../service/authenticate/session/multifactor_verify.go:321 ++#: ../../service/authenticate/session/normal_verify.go:291 + #, c-format + msgid "Verify your %s, %s, %s, %s, %s or %s" + msgstr "请验证%s,%s,%s,%s,%s或%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:319 +-#: ../../service/authenticate/session/normal_verify.go:275 ++#: ../../service/authenticate/session/multifactor_verify.go:324 ++#: ../../service/authenticate/session/normal_verify.go:294 + #, c-format + msgid "Enter your %s, %s, %s, %s, %s or %s" + msgstr "请输入%s,%s,%s,%s,%s或%s" + +-#: ../../service/authenticate/session/multifactor_verify.go:321 +-#: ../../service/authenticate/session/normal_verify.go:277 ++#: ../../service/authenticate/session/multifactor_verify.go:326 ++#: ../../service/authenticate/session/normal_verify.go:296 + #, c-format + msgid "%s, %s, %s, %s, %s or %s" + msgstr "%s,%s,%s,%s,%s或%s" + +-#: ../../service/authenticate/session/normal_verify.go:232 ++#: ../../service/authenticate/session/normal_verify.go:251 + #, c-format + msgid "Verify your %s or %s" + msgstr "请验证%s或%s" + +-#: ../../service/authenticate/session/normal_verify.go:235 ++#: ../../service/authenticate/session/normal_verify.go:254 + #, c-format + msgid "Enter your %s or %s" + msgstr "请输入%s或%s" + +-#: ../../service/authenticate/session/normal_verify.go:237 ++#: ../../service/authenticate/session/normal_verify.go:256 + #, c-format + msgid "%s or %s" + msgstr "请输入%s或%s" + +-#: 
../../service/authenticate/session/normal_verify.go:242 ++#: ../../service/authenticate/session/normal_verify.go:261 + #, c-format + msgid "Verify your %s, %s or %s" + msgstr "请验证%s,%s或%s" + +-#: ../../service/authenticate/session/normal_verify.go:245 ++#: ../../service/authenticate/session/normal_verify.go:264 + #, c-format + msgid "Enter your %s, %s or %s" + msgstr "请输入%s,%s或%s" + +-#: ../../service/authenticate/session/normal_verify.go:247 ++#: ../../service/authenticate/session/normal_verify.go:266 + #, c-format + msgid "%s, %s or %s" + msgstr "请输入%s,%s或%s" + +-#: ../../service/authenticate/session/normal_verify.go:252 ++#: ../../service/authenticate/session/normal_verify.go:271 + #, c-format + msgid "Verify your %s, %s, %s or %s" + msgstr "请验证%s,%s,%s或%s" + +-#: ../../service/authenticate/session/normal_verify.go:255 ++#: ../../service/authenticate/session/normal_verify.go:274 + #, c-format + msgid "Enter your %s, %s, %s or %s" + msgstr "请输入%s,%s,%s或%s" + +-#: ../../service/authenticate/session/normal_verify.go:257 ++#: ../../service/authenticate/session/normal_verify.go:276 + #, c-format + msgid "%s, %s, %s or %s" + msgstr "请输入%s,%s,%s或%s" +@@ -299,11 +309,11 @@ msgstr "请验证安全密钥" + msgid "security key" + msgstr "安全密钥" + +-#: ../../service/authenticate/session/password_tx.go:46 ++#: ../../service/authenticate/session/password_tx.go:48 + msgid "Password: " + msgstr "密码:" + +-#: ../../service/authenticate/session/password_tx.go:59 ++#: ../../service/authenticate/session/password_tx.go:61 + msgid "password" + msgstr "密码" + +@@ -332,7 +342,7 @@ msgstr "密码验证失败" + msgid "%s verification failed" + msgstr "%s验证失败 " + +-#: misc/pam-module/auth/pam.c:397 ++#: misc/pam-module/auth/pam.c:442 + #, c-format + msgid "Your password will expire in %d days, please change it timely" + msgstr "密码将于%d天后过期,请及时修改密码" +@@ -387,32 +397,32 @@ msgstr "虹膜" + msgid "Unknown" + msgstr "未知" + +-#: misc/pam-module/auth/utils.c:54 ++#: misc/pam-module/auth/utils.c:53 + #, c-format + msgid 
"Verification error" + msgstr "验证错误" + +-#: misc/pam-module/auth/utils.c:59 ++#: misc/pam-module/auth/utils.c:58 + #, c-format + msgid "Fingerprint verification unavailable, please input password" + msgstr "指纹不可用,请输入密码" + +-#: misc/pam-module/auth/utils.c:83 misc/pam-module/auth/utils.c:91 ++#: misc/pam-module/auth/utils.c:82 misc/pam-module/auth/utils.c:90 + #, c-format + msgid "Clean your finger and try again" + msgstr "请清洁手指后再次验证" + +-#: misc/pam-module/auth/utils.c:87 ++#: misc/pam-module/auth/utils.c:86 + #, c-format + msgid "Finger not centered" + msgstr "手指不在中间" + +-#: misc/pam-module/auth/utils.c:96 ++#: misc/pam-module/auth/utils.c:95 + #, c-format + msgid "Unclear fingerprint, please clean your finger and try again" + msgstr "图像模糊,请清洁手指后再次验证" + +-#: misc/pam-module/auth/utils.c:102 ++#: misc/pam-module/auth/utils.c:101 + #, c-format + msgid "Finger moved too fast, please do not lift until prompted" + msgstr "接触时间短,验证时请勿移动手指" +diff --git a/service/authcommon/type.go b/service/authcommon/type.go +index a49af38..ec11afc 100644 +--- a/service/authcommon/type.go ++++ b/service/authcommon/type.go +@@ -308,3 +308,19 @@ func IsSupportedType(appType int) bool { + } + return false + } ++ ++ ++const ( ++ AuthLogicTypeOr = iota + 1 ++ AuthLogicTypeAnd ++) ++ ++func IsSupportedAuthLogicType(authLogicType int) bool { ++ switch authLogicType { ++ case AuthLogicTypeOr: ++ return true ++ case AuthLogicTypeAnd: ++ return true ++ } ++ return false ++} +diff --git a/service/authenticate/manager.go b/service/authenticate/manager.go +index b791858..ede5df1 100644 +--- a/service/authenticate/manager.go ++++ b/service/authenticate/manager.go +@@ -36,7 +36,7 @@ import ( + const ( + dbusServicePath = "/com/deepin/daemon/Authenticate" + dbusServiceInterface = "com.deepin.daemon.Authenticate" +- pamCommonAuthFilePath = "/etc/pam.d/common-auth" ++ pamCommonAuthFilePath = "/etc/pam.d/system-auth" + deepinPamConfFilePath = "/etc/pam.d/deepin_pam_unix" + dsettingsAppID = 
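Review bot: The exported `AuthLogicTypeOr`/`AuthLogicTypeAnd` constants and `IsSupportedAuthLogicType` added to type.go have no doc comments, and nothing records that `iota + 1` deliberately leaves 0 as the invalid value. I would add `// AuthLogicType* select how configured factors combine; 0 is never a valid logic type.` above the const block, and spell out the Or/And meaning there once it is confirmed. The two switch arms can be one line, `case AuthLogicTypeOr, AuthLogicTypeAnd:`.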
"org.deepin.dde.authentication" + dsettingsErrorEchoName = "org.deepin.dde.authentication.errorecho" +@@ -223,7 +223,7 @@ func newManage(service *dbusutil.Service) (*Manager, error) { + sysSigLoop: dbusutil.NewSignalLoop(systemConn, 10), + nextId: 1, + SupportedFlags: AuthenticationFlagPassword | AuthenticationFlagFingerprint | AuthenticationFlagUKey | +- AuthenticationFlagFace | AuthenticationFlagIris | AuthenticationFlagCustom, ++ AuthenticationFlagFace, + FrameworkState: FrameworkStatus(), + privileges: newPrivilegesManager(), + exitCbMap: make(map[string]func()), +@@ -358,6 +358,7 @@ func (m *Manager) Authenticate(sender dbus.Sender, username string, authFlags, a + logger.Warning(err) + return "", dbusutil.ToError(err) + } ++ + id := m.genId() + + limitType := m.GetLimitType(sender) +@@ -463,8 +464,8 @@ func (m *Manager) GetLimits(sender dbus.Sender, username string) (limitsInfo str + sender, username) + + limitType := m.GetLimitType(sender) +- + limits, err := m.getLimits(limitType, username) ++ + if err != nil { + logger.Warning(err) + return "", dbusutil.ToError(err) +diff --git a/service/authenticate/session/custom_tx.go b/service/authenticate/session/custom_tx.go +index adbe171..5127799 100644 +--- a/service/authenticate/session/custom_tx.go ++++ b/service/authenticate/session/custom_tx.go +@@ -97,7 +97,7 @@ func (tx *CustomTx) getVerifyTip() string { + } + + func (tx *CustomTx) shouldIgnore(status statusCode) bool { +- if status == StatusCodeVerify || status == StatusCodePrompt || status == StatusCodeLocked || status == StatusCodeEnded || status == StatusCodeStarted { ++ if status == StatusCodeVerify || status == StatusCodePrompt || status == StatusCodeEnded || status == StatusCodeStarted { + return true + } + return false +diff --git a/service/authenticate/session/face_tx.go b/service/authenticate/session/face_tx.go +index 54d94a9..832379d 100644 +--- a/service/authenticate/session/face_tx.go ++++ b/service/authenticate/session/face_tx.go +@@ -250,7 
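Review bot: `pamCommonAuthFilePath` in manager.go now hard-codes `/etc/pam.d/system-auth`, which ties the daemon to distributions that ship that PAM layout, while the constant's name still says "common-auth". How the path is read is outside this hunk, so it is not visible what happens when the file is absent; that case should fail loudly instead of being skipped. A comment such as `// RPM-style PAM layout: system-auth takes the place of Debian's common-auth` would make the packaging assumption explicit.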
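Review bot: Dropping `StatusCodeLocked` from `shouldIgnore` in custom_tx.go changes which statuses count toward the authentication result, and nothing in the hunk says why; the identical one-line edit is repeated in face_tx.go, fingerprint_tx.go, iris_tx.go, passkey_tx.go, password_tx.go and ukey_tx.go. How a counted locked status is scored is decided outside these hunks, so please confirm it is treated as a failure and never as a completed factor. A comment on each copy, e.g. `// Locked is reported to the verifier, not ignored`, or one shared helper holding the condition, would keep the seven copies from drifting apart.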
+250,7 @@ func (ft *FaceTx) sendDoneResult(verifyStatus FaceVerifyStatus) { + ft.giveStatus(ft, newVerifyStatus(stdStatus, true, "")) + } + func (ft *FaceTx) shouldIgnore(status statusCode) bool { +- if status == StatusCodeVerify || status == StatusCodePrompt || status == StatusCodeLocked || status == StatusCodeEnded || status == StatusCodeStarted { ++ if status == StatusCodeVerify || status == StatusCodePrompt || status == StatusCodeEnded || status == StatusCodeStarted { + return true + } + return false +diff --git a/service/authenticate/session/fingerprint_tx.go b/service/authenticate/session/fingerprint_tx.go +index 7cba361..b8adee6 100644 +--- a/service/authenticate/session/fingerprint_tx.go ++++ b/service/authenticate/session/fingerprint_tx.go +@@ -333,7 +333,7 @@ func (ft *FingerprintTx) getVerifyTip() string { + } + + func (ft *FingerprintTx) shouldIgnore(status statusCode) bool { +- if status == StatusCodeVerify || status == StatusCodePrompt || status == StatusCodeLocked || status == StatusCodeEnded || status == StatusCodeStarted { ++ if status == StatusCodeVerify || status == StatusCodePrompt || status == StatusCodeEnded || status == StatusCodeStarted { + return true + } + return false +diff --git a/service/authenticate/session/iris_tx.go b/service/authenticate/session/iris_tx.go +index 270a0eb..f629150 100644 +--- a/service/authenticate/session/iris_tx.go ++++ b/service/authenticate/session/iris_tx.go +@@ -244,7 +244,7 @@ func (ft *IrisTx) sendDoneResult(verifyStatus IrisVerifyStatus) { + ft.giveStatus(ft, newVerifyStatus(stdStatus, true, "")) + } + func (ft *IrisTx) shouldIgnore(status statusCode) bool { +- if status == StatusCodeVerify || status == StatusCodePrompt || status == StatusCodeLocked || status == StatusCodeEnded || status == StatusCodeStarted { ++ if status == StatusCodeVerify || status == StatusCodePrompt || status == StatusCodeEnded || status == StatusCodeStarted { + return true + } + return false +diff --git 
a/service/authenticate/session/manager.go b/service/authenticate/session/manager.go +index 6bdade0..b248ae4 100644 +--- a/service/authenticate/session/manager.go ++++ b/service/authenticate/session/manager.go +@@ -175,7 +175,7 @@ func (m *Manager) listenSignalUpdateLimited() { + } + } + +-func (m *Manager) checkAvailableTx(flag int32) int32 { ++func (m *Manager) checkAvailableTx(flag int32, isMFA bool) int32 { + var retFlag int32 + if flag&AuthenticationFlagPassword != 0 { + retFlag |= AuthenticationFlagPassword +@@ -193,8 +193,14 @@ func (m *Manager) checkAvailableTx(flag int32) int32 { + retFlag |= AuthenticationFlagActiveDirectory + } + if flag&AuthenticationFlagUKey != 0 { +- if m.hasValidUKeyDevice() && m.isUKeySupportedUser() { +- retFlag |= AuthenticationFlagUKey ++ if (isMFA) { ++ if m.isUKeySupportedUser() { ++ retFlag |= AuthenticationFlagUKey ++ } ++ } else { ++ if m.isUKeySupportedDev() { ++ retFlag |= AuthenticationFlagUKey ++ } + } + } + if flag&AuthenticationFlagFace != 0 { +@@ -364,11 +370,17 @@ func (m *Manager) initData() error { + if err != nil { + return err + } ++ + m.PrgPath = execPath + + if mf.MfConfig.IsProgramConfigured(m.appType) && mf.MfConfig.IsProgramEnabled(m.PrgPath) { +- m.IsMFA = true +- logger.Debugf("Program %s is support multiFactor", execPath) ++ if AuthLogicTypeOr == mf.GetMFAObj().GetAuthLogicType(m.appType) { ++ m.IsMFA = false ++ logger.Debugf("Program %s is support multiFactor, but use logic or", execPath) ++ } else { ++ m.IsMFA = true ++ logger.Debugf("Program %s is support multiFactor", execPath) ++ } + } else { + logger.Debugf("Program %s is not support multiFactor", execPath) + } +@@ -376,29 +388,29 @@ func (m *Manager) initData() error { + var availableFlags int32 + if m.proxy.IsPrivilegesConfigured(m.PrgPath) { + m.IsMFA = false +- m.refFlag = AuthenticationFlagPassword + logger.Debugf("Program %s has configuration of privileges, change to SFA", execPath) + } else if m.IsMFA { + // GetExecPath 判断过, 此处不可能为 nil + 
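Review bot: In the MFA branch of `checkAvailableTx` the UKey flag no longer depends on `hasValidUKeyDevice()`, so the factor is kept whenever `isUKeySupportedUser()` is true even with no token attached, while the non-MFA branch switches to `isUKeySupportedDev()`. That looks deliberate (an unplugged token should not remove a required factor), but it is undocumented; add `// MFA: keep UKey required for enrolled users even when no device is present` above the branch. The parentheses in `if (isMFA) {` suggest the file was not run through gofmt. The function body continues outside the hunk.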
m.controller = newMultiFactorVerify(m.appType, m.isTTYPrg) +- + refFlags := m.controller.checkTx(m.Username, m.appType, m.refFlag) +- availableFlags = m.checkAvailableTx(refFlags) ++ availableFlags = m.checkAvailableTx(refFlags, true) + +- if availableFlags != refFlags { +- // 无法满足多因条件,走单因认证 +- logger.Debugf("Can not open MFA, use SFA") +- m.IsMFA = false ++ // 走多因认证,不用考虑是否锁定 ++ if !mf.MfConfig.IsProgramConfigured(m.appType) { ++ m.addTxs(0) + } else { +- // 走多因认证,不用考虑是否锁定 +- m.addTxs(refFlags) ++ m.addTxs(availableFlags) + } + } + + if !m.IsMFA { + m.controller = newNormalVerify(m.isTTYPrg) +- availableFlags = m.checkAvailableTx(m.controller.checkTx(m.Username, m.appType, m.refFlag)) +- m.addTxs(availableFlags) ++ if !mf.MfConfig.IsProgramConfigured(m.appType) { ++ m.addTxs(0) ++ } else { ++ availableFlags = m.checkAvailableTx(m.controller.checkTx(m.Username, m.appType, m.refFlag), false) ++ m.addTxs(availableFlags) ++ } + } + + logger.Infof("Authenticate request path is %s and IsMFA is %t", execPath, m.IsMFA) +@@ -445,7 +457,7 @@ func (m *Manager) hasValidUKeyDevice() bool { + } + + devices := hasValidUKeyDevices() +- ++ logger.Debugf(" devices := %v", devices) + if len(devices) == 0 { + return false + } +@@ -469,6 +481,14 @@ func (m *Manager) isUKeySupportedUser() bool { + return isUKeySupportedUser(m.Username, uKeyConfig.Service, uKeyConfig.IsUseDefaultService()) + } + ++func (m *Manager) isUKeySupportedDev() bool { ++ uKeyConfig := m.getUKeyConfig() ++ if uKeyConfig == nil { ++ return false ++ } ++ return isUKeySupportedDev(m.Username, uKeyConfig.Service, uKeyConfig.IsUseDefaultService()) ++} ++ + func (m *Manager) getPINLength() int { + uKeyConfig := m.getUKeyConfig() + if uKeyConfig == nil { +diff --git a/service/authenticate/session/multifactor_verify.go b/service/authenticate/session/multifactor_verify.go +index 1935377..0f2d0dc 100644 +--- a/service/authenticate/session/multifactor_verify.go ++++ b/service/authenticate/session/multifactor_verify.go +@@ 
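Review bot: The MFA branch of `initData` now calls `m.addTxs(availableFlags)` and the old `availableFlags != refFlags` check is gone, so a session continues as MFA with whatever subset of the configured factors is available. Because `setExpectResult` in multifactor_verify.go counts only started transactions, a policy of N factors can shrink silently; at minimum record it with `if availableFlags != refFlags { logger.Warningf("MFA factors reduced: configured %#x, available %#x", refFlags, availableFlags) }`, and consider refusing when too few remain. The `!mf.MfConfig.IsProgramConfigured(m.appType)` arm inside `else if m.IsMFA` looks unreachable, since the previous hunk sets `IsMFA` to true only when that call returned true (unless it is set elsewhere). The hunk also removes `m.refFlag = AuthenticationFlagPassword` for programs with a privileges configuration, which changes the factors offered on that path and deserves a line in the commit message.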
-86,6 +86,11 @@ func (m *multiFactorVerify) authenticate(flag int, timeout int) int { + } + } + ++ if 0 == len(m.txs) { ++ m.proxy.emitStatus(AllAuthenticationFlag, StatusCodePrompt, m.genPrompt(m.txs)) ++ m.proxy.emitStatus(AllAuthenticationFlag, StatusCodeFailure, Tr("No valid factor to verify")) ++ } ++ + return hasFailed + } + +@@ -192,13 +197,11 @@ func (m *multiFactorVerify) setResult(type0 string, result bool, msg string) { + // 只可对本次开启的认证设置结果 + if int32(t)&m.mfaAuthFlags != 0 { + // 对于每种认证方式,可以设置多次结果 +- if m.resultMap[t].res == ResDefault { +- m.passNumber++ +- } +- if result { +- m.resultMap[t].res = ResSuccess +- } else { +- m.resultMap[t].res = ResFailed ++ if m.resultMap[t].res != ResSuccess { ++ if result { ++ m.resultMap[t].res = ResSuccess ++ m.passNumber++ ++ } + } + m.resultMap[t].msg = msg + } +@@ -229,11 +232,43 @@ func (m *multiFactorVerify) getAuthMsg() string { + } + + func (m *multiFactorVerify) setExpectResult() error { ++ m.expectPassNumber = 0 ++ ++ //异常处理 ++ if m.conf == nil || len(m.txs) == 0 { ++ return nil ++ } ++ ++ //获取所有可用的认证标志列表 + authList := mf.GetAuthTypeList(m.conf) +- for _, c := range authList { +- m.resultMap[c] = &MFAResInfo{res: ResDefault} ++ if len(authList) == 0 { ++ return nil // 无可用认证类型,无需处理 + } +- m.expectPassNumber = len(authList) ++ ++ //构建事务类型到标志的快速查找集合(去重) ++ txFlagSet := make(map[int]struct{}, len(m.txs)) ++ for _, tx := range m.txs { ++ flag := AuthTypeToFlag(tx.getType()) ++ txFlagSet[flag] = struct{}{} ++ } ++ ++ //加锁保护 resultMap 的写入 ++ m.resultMapMux.Lock() ++ defer m.resultMapMux.Unlock() ++ ++ //重置期望通过次数,清空 resultMap(根据业务需求决定是否清空) ++ for k := range m.resultMap { ++ delete(m.resultMap, k) ++ } ++ ++ //遍历认证列表,若标志存在于事务集合中则初始化 ++ for _, flag := range authList { ++ if _, exists := txFlagSet[flag]; exists { ++ m.resultMap[flag] = &MFAResInfo{res: ResDefault} ++ m.expectPassNumber++ ++ } ++ } ++ + return nil + } + +@@ -249,7 +284,7 @@ func (m *multiFactorVerify) genPrompt(txs []Tx) string { + numOfTx := len(txs) + 
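Review bot: `setResult` no longer records a failed attempt: `ResFailed` is never assigned, so a factor that fails stays at `ResDefault`, and one that succeeded once stays `ResSuccess` even if a later result for it is false. If that stickiness is intended, say so in a comment next to the existing note that results may be set several times; otherwise keep an `else { m.resultMap[t].res = ResFailed }` arm for entries that have not succeeded. Separately, `setExpectResult` now fills `resultMap` only for started transactions, so `m.resultMap[t]` can be nil here when `t` is in `m.mfaAuthFlags` but was not started; guard with `info, ok := m.resultMap[t]` and skip the update when `!ok`. Whether this function holds `resultMapMux`, which `setExpectResult` now takes, is not visible in the hunk.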
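Review bot: `setExpectResult` returns nil with `expectPassNumber` left at 0 when `m.conf` is nil, `m.txs` is empty, or no configured type matches a started transaction, and `m.passNumber` is not reset when the map is cleared. The comparison that decides overall success is outside this hunk; if it is of the form `passNumber == expectPassNumber`, zero expected factors must not evaluate as a pass. Returning a non-nil error from the early exits (the function already returns `error`) and resetting `m.passNumber = 0` beside `m.expectPassNumber = 0` would make callers fail closed.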
pinIndex := -1 + if numOfTx == 0 { +- return "" ++ return Tr("No valid factor to verify") + } + + var prompt string +diff --git a/service/authenticate/session/normal_verify.go b/service/authenticate/session/normal_verify.go +index a84ea6b..49e1fa5 100644 +--- a/service/authenticate/session/normal_verify.go ++++ b/service/authenticate/session/normal_verify.go +@@ -7,6 +7,7 @@ import ( + "time" + + . "pkg.deepin.io/dde/authentication/service/authcommon" ++ mf "pkg.deepin.io/dde/authentication/service/multifactor" + ) + + type normalVerify struct { +@@ -75,9 +76,17 @@ func (g *normalVerify) authenticate(flag int, timeout int) int { + } + } + } ++ + if emitPrompt { +- g.proxy.emitStatus(AllAuthenticationFlag, StatusCodePrompt, g.genPrompt(startedTxs)) ++ if 0 != len(startedTxs) { ++ g.proxy.emitStatus(AllAuthenticationFlag, StatusCodePrompt, g.genPrompt(startedTxs)) ++ } + } ++ ++ if 0 == len(startedTxs) { ++ g.proxy.emitStatus(AllAuthenticationFlag, StatusCodeFailure, "No valid factor to verify") ++ } ++ + return hasFailed + } + +@@ -198,14 +207,26 @@ func (g *normalVerify) listenResultCh() { + } + + func (g *normalVerify) checkTx(username string, appType int, refFlag int32) int32 { +- return refFlag ++ var flag int32 ++ ++ conf := mf.MfConfig.GetConfig(appType) ++ if conf == nil { ++ return refFlag ++ } ++ ++ authList := mf.GetAuthTypeList(conf) ++ for _, at := range authList { ++ flag |= int32(at) ++ } ++ ++ return flag + } + + func (g *normalVerify) genPrompt(txs []Tx) string { + numOfTx := len(txs) + pinIndex := -1 + if numOfTx == 0 { +- return "" ++ return "No valid factor to verify" + } + + var prompt string +diff --git a/service/authenticate/session/passkey_tx.go b/service/authenticate/session/passkey_tx.go +index 82ec61b..720abb8 100644 +--- a/service/authenticate/session/passkey_tx.go ++++ b/service/authenticate/session/passkey_tx.go +@@ -265,7 +265,7 @@ func (pt *PasskeyTx) getVerifyTip() string { + } + + func (pt *PasskeyTx) shouldIgnore(status statusCode) 
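Review bot: The failure text in `normalVerify.authenticate` is emitted as a raw string, `"No valid factor to verify"`, while multifactor_verify.go wraps the same message in `Tr(...)` and zh_CN.po lists normal_verify.go:85 and :227 as sources for it, which suggests it was meant to go through `Tr` here too. Use `Tr("No valid factor to verify")` in this hunk and in the `genPrompt` change in the next one, otherwise the user sees the untranslated string. The nested `if emitPrompt { if 0 != len(startedTxs) {` can be written `if emitPrompt && len(startedTxs) != 0 {`.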
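Review bot: `normalVerify.checkTx` now ignores `refFlag` whenever a config exists for `appType` and returns the union of every configured type, so the caller's requested factor set no longer bounds what is started, and `username` is unused. If the request is still meant to restrict the offer, return `flag & refFlag`; if the configuration is meant to win, add `// configuration overrides the caller's requested flags` so the widening is visibly intentional. `int32(at)` assumes the values from `mf.GetAuthTypeList` are already flag bits, which this hunk does not show.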
bool { +- if status == StatusCodeVerify || status == StatusCodePrompt || status == StatusCodeLocked || status == StatusCodeEnded || status == StatusCodeStarted { ++ if status == StatusCodeVerify || status == StatusCodePrompt || status == StatusCodeEnded || status == StatusCodeStarted { + return true + } + return false +diff --git a/service/authenticate/session/password_tx.go b/service/authenticate/session/password_tx.go +index cff7688..9db90cd 100644 +--- a/service/authenticate/session/password_tx.go ++++ b/service/authenticate/session/password_tx.go +@@ -63,9 +63,10 @@ func (pt *PasswordTx) getVerifyTip() string { + + // 需要忽略不计入认证结果的状态 + func (pt *PasswordTx) shouldIgnore(status statusCode) bool { +- if status == StatusCodeVerify || status == StatusCodePrompt || status == StatusCodeLocked || status == StatusCodeEnded || status == StatusCodeStarted { ++ if status == StatusCodeVerify || status == StatusCodePrompt || status == StatusCodeEnded || status == StatusCodeStarted { + return true + } ++ + return false + } + +diff --git a/service/authenticate/session/tx.go b/service/authenticate/session/tx.go +index b67f52f..6478eca 100644 +--- a/service/authenticate/session/tx.go ++++ b/service/authenticate/session/tx.go +@@ -147,7 +147,7 @@ func (bt *baseTx) giveStatus(tx Tx, s *verifyStatus) { + defer bt.statusMux.Unlock() + + bt.status = s +- logger.Debugf("%v give result: %v", tx, s) ++ logger.Debugf("%v give result: %v, setDevState: %v", tx, s, tx.statusCodeToDevState(s.s)) + bt.setDevState(tx.statusCodeToDevState(s.s)) + bt.devStatus.sendStatus(bt.clone(tx)) + } +diff --git a/service/authenticate/session/ukey_tx.go b/service/authenticate/session/ukey_tx.go +index 7e033e2..0135617 100644 +--- a/service/authenticate/session/ukey_tx.go ++++ b/service/authenticate/session/ukey_tx.go +@@ -28,6 +28,7 @@ type UKeyTx struct { + listened bool + endMux sync.Mutex + isMFA bool ++ currState UKeyState; + } + + func stateToStatusCode(s UKeyState, lost bool) statusCode { +@@ -61,6 
+62,7 @@ func newUKeyTx(isMFA bool) *UKeyTx { + tx.isMFA = isMFA + tx.uKeyObj = authenticate.NewUKey(sysBus) + tx.signalLoop = dbusutil.NewSignalLoop(sysBus, 10) ++ + return tx + } + +@@ -127,6 +129,33 @@ func isUKeySupportedUser(username string, serviceName string, useDefaultDevice b + return false + } + ++func isUKeySupportedDev(username string, serviceName string, useDefaultDevice bool) bool { ++ bus, err := dbus.SystemBus() ++ if err != nil { ++ logger.Warning(err) ++ return false ++ } ++ ++ userInfo, err := GetUserInfo(username) ++ if err != nil { ++ logger.Warning("Get user info err:", err) ++ return false ++ } ++ ++ uKey := authenticate.NewUKey(bus) ++ users, err := uKey.GetAvailDevUserList(0, serviceName, useDefaultDevice) ++ if err != nil { ++ logger.Warning("Get user list err:", err) ++ return false ++ } ++ ++ if strv.Strv(users).Contains(userInfo.Uuid) { ++ return true ++ } ++ ++ return false ++} ++ + func getPINLength(serviceName, username string, useDefaultDevice bool) int { + bus, err := dbus.SystemBus() + if err != nil { +@@ -145,6 +174,7 @@ func getPINLength(serviceName, username string, useDefaultDevice bool) int { + + func (u *UKeyTx) listenSignal() { + logger.Debug("Start listenSignal for", u.getType()) ++ + u.signalLoop.Start() + u.uKeyObj.InitSignalExt(u.signalLoop, true) + +@@ -166,27 +196,36 @@ func (u *UKeyTx) listenSignal() { + } else { + authStatus = newVerifyStatus(StatusCodeFailure, true, "") + } ++ logger.Debug("giveStatus u: %v, authStatus:%v", u, authStatus) + u.giveStatus(u, authStatus) + } +- + }) + if err != nil { + logger.Warning(err) + } + // 监听 uKey 设备状态,在拔出的时候发出提示信息,但不结束此次认证,在插入的时候更新提示,恢复 uKey 认证 + _, err = u.uKeyObj.ConnectState(func(id string, state int32) { +- logger.Debugf("Receive state signal for id: %s, state: %d", id, state) ++ logger.Debugf("Receive state signal for id: %s, u.verificationId: %s, state: %d", id, u.verificationId, state) + if u.verificationId == id { ++ authStatus := 
newVerifyStatus(stateToStatusCode(UKeyState(state), u.deviceLost), false, UKeyState(state).String()) + u.giveStatus(u, newVerifyStatus(stateToStatusCode(UKeyState(state), u.deviceLost), false, UKeyState(state).String())) +- if UKeyState(state) == UKeyStateDeviceException || UKeyState(state) == UKeyStateDeviceNotExist { +- u.end(closeVerify) +- if UKeyState(state) == UKeyStateDeviceNotExist { +- u.deviceLost = true ++ logger.Debugf("giveStatus u: %v, authStatus:%v", u, authStatus) ++ ++ switch u.currState { ++ case UKeyStateDeviceVerifying: ++ if UKeyState(state) == UKeyStateDeviceException || UKeyState(state) == UKeyStateDeviceNotExist { ++ u.end(closeVerify) ++ u.deviceLost = true; ++ u.currState = UKeyStateDeviceNotExist ++ } ++ default: ++ if UKeyState(state) == UKeyStateDeviceOk && u.deviceLost { ++ // device reconnect ++ u.deviceLost = false ++ u.hasInit = false ++ u.giveStatus(u, newVerifyStatus(stateToStatusCode(UKeyState(state), u.deviceLost), false, UKeyState(state).String())) ++ u.currState = UKeyStateDeviceVerifying + } +- } else if UKeyState(state) == UKeyStateDeviceOk && u.deviceLost { +- // device reconnect +- u.deviceLost = false +- u.hasInit = false + } + } + }) +@@ -228,24 +267,32 @@ func (u *UKeyTx) authenticate() error { + u.conf = conf + + if !u.listened { ++ u.currState = UKeyStateDeviceNotExist; + u.listenSignal() + u.listened = true + } + } + + if err != nil { +- u.giveStatus(u, newVerifyStatus(StatusCodeError, false, err.Error())) ++ authStatus := newVerifyStatus(StatusCodeError, false, err.Error()) ++ u.giveStatus(u, authStatus) ++ logger.Debugf("giveStatus u: %v, authStatus:%v", u, authStatus) ++ + return err + } + + u.giveStatus(u, defaultVerifyStatusStarted) ++ u.deviceLost = true ++ + go func() { + logger.Debug("Start verify for", u.getType()) + err = u.uKeyObj.StartVerify(0, u.verificationId) + if err != nil { + logger.Warning(err) + u.uKeyObj.StopVerify(0, u.verificationId) +- u.giveStatus(u, newVerifyStatus(StatusCodeError, false, 
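Review bot: The added `logger.Debug("giveStatus u: %v, authStatus:%v", u, authStatus)` in the verify-result callback of `listenSignal` passes a format string to `Debug`, which this file otherwise uses with plain arguments, so the verbs will presumably be printed literally; it should be `logger.Debugf(...)` like the other added lines. In the state callback `authStatus` is built and then `giveStatus` is called with a second, identical `newVerifyStatus(...)`; pass `authStatus` instead so the log line describes what was actually sent. `u.currState` and `u.deviceLost` are written from this callback and from `authenticate()` with no lock visible in either hunk, so confirm both run on one goroutine or guard them. The trailing semicolon in `u.deviceLost = true;` is not gofmt output.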
err.Error())) ++ authStatus := newVerifyStatus(StatusCodeError, false, err.Error()) ++ u.giveStatus(u, authStatus) ++ logger.Debugf("giveStatus u: %v, authStatus:%v", u, authStatus) + return + } + }() +@@ -258,7 +305,9 @@ func (u *UKeyTx) setPassword(pin string) { + err := u.uKeyObj.SetPin(0, u.verificationId, pin) + if err != nil { + logger.Warning(err) +- u.giveStatus(u, newVerifyStatus(StatusCodeError, false, err.Error())) ++ authStatus := newVerifyStatus(StatusCodeError, false, err.Error()) ++ u.giveStatus(u, authStatus) ++ logger.Debugf("giveStatus u: %v, authStatus:%v", u, authStatus) + } + }() + } +@@ -269,6 +318,7 @@ func (u *UKeyTx) end(ct closeType) { + + logger.Debugf("%v end, close type: %s", u, ct) + u.giveStatus(u, defaultVerifyStatusEnd) ++ logger.Debugf("giveStatus u: %v, authStatus:%v", u, defaultVerifyStatusEnd) + + if ct == closeAllResource { + go func() { +@@ -290,14 +340,16 @@ func (u *UKeyTx) getVerifyTip() string { + } + + func (u *UKeyTx) shouldIgnore(status statusCode) bool { +- if status == StatusCodeVerify || status == StatusCodePrompt || status == StatusCodeLocked || status == StatusCodeEnded || status == StatusCodeStarted { ++ if status == StatusCodeVerify || status == StatusCodePrompt || status == StatusCodeEnded || status == StatusCodeStarted { + return true + } ++ + return false + } + + func (u *UKeyTx) setLockState(s lockState) { + if u.getLockState() != s { ++ logger.Debugf("giveStatus u: %v, authStatus:%v", u, newVerifyStatus(s.toStatusCode(), true, "")) + u.giveStatus(u, newVerifyStatus(s.toStatusCode(), true, "")) + if s == lockStateLocked { + if u.devState == devStateVerifying { +diff --git a/service/multifactor/config.go b/service/multifactor/config.go +index 1b4ba13..17f5c61 100644 +--- a/service/multifactor/config.go ++++ b/service/multifactor/config.go +@@ -13,6 +13,7 @@ type AuthTypeConfig struct { + + type Config struct { + ApplicationType string ++ AuthLogicType string + RequestVerificationType []*AuthTypeConfig + } + 
+@@ -33,6 +34,11 @@ const ( + appTypeAll = "all" + ) + ++const ( ++ authLogicTypeOr = "or" ++ authLogicTypeAnd = "and" ++) ++ + func AppTypeIntToAppTypeString(appType int) string { + switch appType { + case authcommon.AppTypeLogin: +@@ -61,6 +67,16 @@ func appTypeStringToAppTypeInt(appType string) int { + return 0 + } + ++func authLogicTypeStringToauthLogicTypeInt(authLogicType string) int { ++ switch authLogicType{ ++ case authLogicTypeOr: ++ return authcommon.AuthLogicTypeOr ++ case authLogicTypeAnd: ++ return authcommon.AuthLogicTypeAnd ++ } ++ return 0 ++} ++ + func mfaTypeToAuthFlag(type0 string) int { + switch type0 { + case authTypePassword: +@@ -113,6 +129,16 @@ func isSupportedAppType(type0 string) bool { + return false + } + ++func isSupportedAuthLogicType(authLogicType string) bool { ++ switch authLogicType { ++ case authLogicTypeOr: ++ return true ++ case authLogicTypeAnd: ++ return true ++ } ++ return false ++} ++ + func isSupportedAuthType(type0 string) bool { + switch type0 { + case authTypePassword: +@@ -183,6 +209,14 @@ func (c *Config) isValidConfig() bool { + } + } + ++ if !isSupportedAuthLogicType(c.AuthLogicType) { ++ // 在配置文件中, '*' 代表所有类型 ++ if c.ApplicationType == "*" { ++ } else { ++ return false ++ } ++ } ++ + mapTmp := make(map[string]bool) + // check if type valid + for _, atc := range c.RequestVerificationType { +diff --git a/service/multifactor/multifactor.go b/service/multifactor/multifactor.go +index 8410c65..33173c7 100644 +--- a/service/multifactor/multifactor.go ++++ b/service/multifactor/multifactor.go +@@ -177,6 +177,20 @@ func (m *MFAConfig) IsProgramEnabled(execPath string) bool { + return !strv.Strv(m.disabledList).Contains(execPath) + } + ++func (m *MFAConfig) GetAuthLogicType(appType int) int { ++ for _, c := range m.configs { ++ if appTypeStringToAppTypeInt(c.ApplicationType) == appType { ++ return authLogicTypeStringToauthLogicTypeInt(c.AuthLogicType) ++ } ++ } ++ ++ if val, ok := m.configs[appTypeAll]; ok { ++ return 
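Review bot: When `ApplicationType` is `"*"`, isValidConfig accepts any `AuthLogicType`, including a misspelt one, because the `if c.ApplicationType == "*" {` branch is empty. The converter added in the `@@ -61,6 +67,16 @@` hunk maps every unrecognised string to 0, so a typo such as `"AND"` in the wildcard entry would pass validation and resolve to whatever 0 means in authcommon (type.go is not shown here), which could quietly weaken a policy meant to require all factors. Accept only a missing value for the wildcard and reject anything else: `if !isSupportedAuthLogicType(c.AuthLogicType) && !(c.ApplicationType == "*" && c.AuthLogicType == "") { return false }`. The new check also rejects existing non-wildcard configs that have no AuthLogicType yet, so confirm that upgrade path is intended. isValidConfig starts and ends outside the hunk.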
authLogicTypeStringToauthLogicTypeInt(val.AuthLogicType) ++ } ++ ++ return AuthLogicTypeOr ++} ++ + func GetAuthTypeList(c *Config) []int { + var list []int + for _, atc := range c.RequestVerificationType { +diff --git a/service/ukey/common_device.go b/service/ukey/common_device.go +index c3afc2b..0c99a3c 100644 +--- a/service/ukey/common_device.go ++++ b/service/ukey/common_device.go +@@ -125,3 +125,7 @@ func (c *commonDevice) getPINLength(username string) (int32, error) { + func (c *commonDevice) getUserList() ([]string, error) { + return c.core.GetUserList(0) + } ++ ++func (c *commonDevice) getAvailDevUserList() ([]string, error) { ++ return c.core.GetAvailDevUserList(0) ++} +diff --git a/service/ukey/device.go b/service/ukey/device.go +index 7229c2a..370d6f0 100644 +--- a/service/ukey/device.go ++++ b/service/ukey/device.go +@@ -35,6 +35,7 @@ type Device interface { + setSessionPath(username, id string, path string) error + getPINLength(username string) (int32, error) + getUserList() ([]string, error) ++ getAvailDevUserList() ([]string, error) + } + + type baseDevice struct { +diff --git a/service/ukey/exported_methods_auto.go b/service/ukey/exported_methods_auto.go +index f4b8565..aea3cf0 100644 +--- a/service/ukey/exported_methods_auto.go ++++ b/service/ukey/exported_methods_auto.go +@@ -26,6 +26,12 @@ func (v *Manager) GetExportedMethods() dbusutil.ExportedMethods { + InArgs: []string{"serviceName", "useDefaultDevice"}, + OutArgs: []string{"users"}, + }, ++ { ++ Name: "GetAvailDevUserList", ++ Fn: v.GetAvailDevUserList, ++ InArgs: []string{"serviceName", "useDefaultDevice"}, ++ OutArgs: []string{"users"}, ++ }, + { + Name: "SetDefaultDevice", + Fn: v.SetDefaultDevice, +diff --git a/service/ukey/interface.go b/service/ukey/interface.go +index dd10376..c84b651 100644 +--- a/service/ukey/interface.go ++++ b/service/ukey/interface.go +@@ -2,6 +2,7 @@ package ukey + + import ( + "fmt" ++ "github.com/linuxdeepin/go-lib/strv" + + "github.com/godbus/dbus" + 
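Review bot: GetAuthLogicType falls back to `AuthLogicTypeOr` when no entry matches, so a missing or unparsable policy resolves to the weaker of the two modes; for an MFA setting the safer default is arguably to require all configured factors or to surface an error. The fallback is also written without the `authcommon.` qualifier that config.go uses, which will not compile unless this package defines its own `AuthLogicTypeOr` (not visible here); `return authcommon.AuthLogicTypeOr` would match the rest of the patch, provided authcommon is imported in this file. The second lookup indexes `m.configs` by string, so it is a map and the first loop visits entries in random order. If two entries can convert to the same app type (appTypeStringToAppTypeInt returns 0 for unknown names), the result is not deterministic.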
"github.com/linuxdeepin/go-lib/dbusutil" +@@ -10,6 +11,7 @@ import ( + "pkg.deepin.io/dde/authentication/service/task" + ) + ++ + func (m *Manager) StartVerify(id string) *dbus.Error { + logger.Infof("DBus call StartVerify with id %s", id) + +@@ -19,13 +21,35 @@ func (m *Manager) StartVerify(id string) *dbus.Error { + return dbusutil.ToError(err) + } + +- state, err := info.dev.state() +- if err != nil { +- logger.Warning(err) +- return dbusutil.ToError(err) +- } ++ func() { ++ dev, err := m.newDevice(info.serviceName, true) ++ if err != nil { ++ logger.Warning(err) ++ m.emitSignalState(id, int(authcommon.UKeyStateDeviceNotExist)) ++ return; ++ } + +- m.emitSignalState(id, int(state)) ++ var users []string ++ users, err = dev.getAvailDevUserList() ++ if err != nil { ++ logger.Warning(err) ++ m.emitSignalState(id, int(authcommon.UKeyStateDeviceNotExist)) ++ return ++ } ++ ++ if !strv.Strv(users).Contains(info.uuid) { ++ m.emitSignalState(id, int(authcommon.UKeyStateDeviceNotExist)) ++ return ++ } ++ ++ var state int32 ++ state, err = info.dev.state() ++ if err != nil { ++ m.emitSignalState(id, int(authcommon.UKeyStateDeviceNotExist)) ++ return ++ } ++ m.emitSignalState(id, int(state)) ++ }() + + err = info.dev.verify(info.uuid, id) + if err != nil { +@@ -255,3 +279,22 @@ func (m *Manager) GetUserList(serviceName string, useDefaultDevice bool) (users + + return users, nil + } ++ ++func (m *Manager) GetAvailDevUserList(serviceName string, useDefaultDevice bool) (users []string, busErr *dbus.Error) { ++ logger.Infof("DBus call GetUserList with serviceName %s and useDefaultDevice %t", serviceName, useDefaultDevice) ++ ++ dev, err := m.newDevice(serviceName, useDefaultDevice) ++ if err != nil { ++ logger.Warning(err) ++ return nil, dbusutil.ToError(err) ++ } ++ ++ users, err = dev.getAvailDevUserList() ++ if err != nil { ++ logger.Warning(err) ++ return nil, dbusutil.ToError(err) ++ } ++ ++ return users, nil ++} ++ +-- +2.43.0 + 
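Review bot: The presence check queries a freshly created default device, `m.newDevice(info.serviceName, true)`, while the state read and the later `info.dev.verify(info.uuid, id)` use `info.dev`, so the check and the verification can refer to different devices. Using the session's own device, `users, err := info.dev.getAvailDevUserList()`, removes the mismatch and the extra device object, which is not released anywhere in the visible lines. Every failure inside the closure is reported as UKeyStateDeviceNotExist and verify still runs afterwards, and the error from `info.dev.state()` is no longer logged; add `logger.Warning(err)` there so a device fault can be told apart from an absent key. StartVerify continues past the end of the hunk.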
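Review bot: The log line in GetAvailDevUserList still says `DBus call GetUserList`, so calls to the new method cannot be told apart from the old one in the journal. Use `logger.Infof("DBus call GetAvailDevUserList with serviceName %q and useDefaultDevice %t", serviceName, useDefaultDevice)`; `%q` also keeps a caller-supplied serviceName from putting line breaks into the log. The method reports which users have a key on a connected device, so check that the bus policy installed from misc/conf restricts it to the same callers as GetUserList.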
diff --git a/deepin-authenticate_1.5.12.orig.tar.xz b/deepin-authenticate_1.5.12.orig.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..9da6639654bfb8e71d16d47eba5c60dd0efe6cd5 Binary files /dev/null and b/deepin-authenticate_1.5.12.orig.tar.xz differ diff --git a/deepin-authenticate.spec b/deepin-authentication.spec similarity index 30% rename from deepin-authenticate.spec rename to deepin-authentication.spec index 18a987f5ca34df4b3c3b3c540c9d55b80f9a486d..bd7c2dd0479dfa944eedaf0b3fa7d629d9652659 100644 --- a/deepin-authenticate.spec +++ b/deepin-authentication.spec 
@@ -1,100 +1,163 @@ -# Run tests in check section -# disable for bootstrapping %bcond_with check -%global prefix /usr - %global with_debug 1 -%if 0%{?with_debug} +%if !%{with_debug} %global debug_package %{nil} %endif Name: deepin-authenticate -Version: 1.2.61 -Release: 2%{?dist} +Version: 1.5.12 +Release: 1%{?dist}.06 Summary: Used to adapt fingerprint, face and other authentication methods License: GPLv3 URL: %{gourl} -Source0: %{name}-%{version}.tar.gz +Source0: %{name}_%{version}.orig.tar.xz -Patch1000: 0001-fix-for-UnionTech.patch +Patch9000: deepin-authenticate-mfa-enhance.patch +Patch9001: modify-bool-to-int-to-fix-dbus-stack-overflow-issue.patch BuildRequires: compiler(go-compiler) BuildRequires: iso-codes BuildRequires: pkgconfig(gnome-keyring-1) BuildRequires: pkgconfig(libsystemd) BuildRequires: pam-devel +BuildRequires: go-gir-generator BuildRequires: json-c-devel BuildRequires: pkgconfig(gio-2.0) -BuildRequires: go-gir-generator BuildRequires: pkgconfig(gdk-3.0) +BuildRequires: pkgconfig(gtk+-2.0) +BuildRequires: pkgconfig(json-glib-1.0) BuildRequires: pkgconfig(gdk-x11-3.0) BuildRequires: pkgconfig(gdk-pixbuf-xlib-2.0) BuildRequires: pkgconfig(libpulse) -#BuildRequires: gocode -BuildRequires: golang-dbus -BuildRequires: golang-x-image-devel -BuildRequires: golang-github-rickb777-date-devel -BuildRequires: golang-github-mattn-go-sqlite3-devel -BuildRequires: golang-gopkg-alecthomas-kingpin-devel -BuildRequires: golang-github-cryptix-wav-devel -BuildRequires: golang-github-disintegration-imaging-devel -BuildRequires: golang-github-fogleman-gg-devel -BuildRequires: golang-github-gosexy-gettext-devel -BuildRequires: golang-github-nfnt-resize-devel -BuildRequires: deepin-gettext-tools +BuildRequires: go-gir-generator +BuildRequires: gocode +BuildRequires: dde-api-devel BuildRequires: golang-github-linuxdeepin-go-dbus-factory-devel BuildRequires: go-lib-devel -BuildRequires: golang-github-fsnotify-fsnotify-devel -BuildRequires: 
golang-github-stretchr-testify-devel +BuildRequires: deepin-gettext-tools +BuildRequires: openssl-devel +BuildRequires: sqlite-devel +BuildRequires: gsm %description In order to unify the authentication interface, this interface is designed to adapt to fingerprint, face and other authentication methods. %prep -%setup -q -%patch1000 -p1 +%autosetup -p1 %build +# 创建本地 GOPATH 目录,用于覆盖原始的 go-lib +LOCAL_GOPATH="%{_builddir}/gopath" +mkdir -p "$LOCAL_GOPATH"/src/github.com/linuxdeepin + +# 复制整个 go-lib 源码到本地(保留原始权限,但副本可写) +cp -a /usr/share/gocode/src/github.com/linuxdeepin/go-lib "$LOCAL_GOPATH"/src/github.com/linuxdeepin/ + +# 修改本地副本中的 dde-sm2.c,替换 ossl_sm2_ 为 SM2_ +SM2_C="$LOCAL_GOPATH/src/github.com/linuxdeepin/go-lib/gm/sm2/dde-sm2.c" +if [ -f "$SM2_C" ]; then + sed -i 's/ossl_sm2_/SM2_/g' "$SM2_C" + # 确保包含 sm2.h 头文件 + if ! grep -q '#include ' "$SM2_C"; then + sed -i '/#include /a #include ' "$SM2_C" + fi +fi + +# 设置 GOPATH:优先使用本地覆盖目录,然后是系统目录 +export GOPATH="$LOCAL_GOPATH:/usr/share/gocode" +%ifarch loongarch64 sw_64 +export CGO_ENABLED=1 +export GOOS="linux" +%endif BUILDID="0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n')" -export GO111MODULE=off export GOPATH=/usr/share/gocode +export GO111MODULE=off %make_build GO_BUILD_FLAGS=-trimpath GOBUILD="go build -compiler gc -ldflags \"-B $BUILDID\"" %install +install -d -p -m 0755 %{buildroot}%{_datadir}/deepin-authentication/mfa-conf.d +install -d -p -m 0755 %{buildroot}%{_datadir}/deepin-authentication/mfa-conf.example.d + export GOPATH=/usr/share/gocode %make_install PAM_MODULE_DIR=%{_libdir}/security GOBUILD="go build -compiler gc -ldflags \"-B $BUILDID\"" +%ifnarch %{ix86} +mv -n %{buildroot}%{_prefix}/lib/libdeepin-authenticate.so.1 %{buildroot}%{_libdir}/ +%endif + +if [ ! 
-d '%{buildroot}%{_libdir}/pkgconfig' ];then + mkdir -p %{buildroot}%{_libdir}/pkgconfig +fi +%ifnarch %{ix86} +mv -n %{buildroot}%{_prefix}/lib/pkgconfig/libdeepin-authenticate.pc %{buildroot}%{_libdir}/pkgconfig/ +%endif %find_lang deepin-authentication + +%post +systemctl daemon-reload +%systemd_post deepin-authenticate.service + +%preun +%systemd_preun deepin-authenticate.service + +%postun +%systemd_postun_with_restart deepin-authenticate.service + + %files -f deepin-authentication.lang %doc README.org %license - -%{_prefix}/lib/deepin-authenticate/deepin-authentication -%{_prefix}/lib/systemd/system/deepin-authenticate.service +%{_bindir}/app-type-tool +%{_datadir}/deepin-authentication/* +%dir %{_datadir}/deepin-authentication/mfa-conf.d +%dir %{_datadir}/deepin-authentication/mfa-conf.example.d %{_datadir}/dbus-1/system.d/*.conf +%{_unitdir}/*.service %{_datadir}/dbus-1/system-services %{_sysconfdir}/pam.d/deepin_pam_unix -%{_localstatedir}/lib/deepin/authenticate/config.json +%{_prefix}/lib/deepin-authenticate/deepin-authentication +%{_sharedstatedir}/deepin/authenticate/config.json +/usr/share/dsg/configs/org.deepin.dde.authentication/org.deepin.dde.authentication.errorecho.json +/usr/share/dsg/configs/org.deepin.dde.authentication/org.deepin.dde.authentication.json +/usr/share/dsg/configs/org.deepin.dde.authentication/org.deepin.dde.authentication.limit.json +%{_sharedstatedir}/deepin/authenticate/blacklist +%{_sharedstatedir}/deepin/authenticate/config_v1.json %{_datadir}/polkit-1/actions/*.policy %{_libdir}/security/pam_deepin_authentication.so -%{_datadir}/deepin-authentication/allowlist -%{_var}/lib/deepin/authenticate/blacklist -%{_var}/lib/deepin/authenticate/pam-modules -%{_bindir}/app-type-tool -%{_datadir}/deepin-authentication/app-type-list -%{_datadir}/deepin-authentication/mfa-force-disable - +%{_libdir}/security/pam_deepin_session.so +%{_libdir}/libdeepin-authenticate.so.1 +%{_libdir}/pkgconfig/libdeepin-authenticate.pc +%{_includedir}/* 
%changelog -* Thu Jul 21 2022 liuxingwei liuxingwei@uniontech.com - 1.2.61-2 -- rebuild for an8.6 +* Wed Apr 08 2026 zhaoshuang - 1.5.12.06 +- feat: update prompt msg + +* Wed Mar 18 2026 zhaoshuang - 1.5.12.05 +- feat: rework for mfa +- fix: modify default config logic(bugid:353085) +- fix: modify default logic while no ukey(bugid:353049) +- fix: modify logic to set default factor (bugid:353037) + +* Wed Mar 11 2026 zhaoshuang - 1.5.12.04 +- fix: modify bool to int to fix stack overflow issue(bugid:000000) + +* Wed Mar 11 2026 zhaoshuang - 1.5.12.03 +- fix: rebuild with systemd-255-54 to fix coredump issue(bugid:000000) + +* Fri Jan 30 2026 zhaoshuang - 1.5.12.02 +- feat: enhance for multi-factor authentication, adapt for polkit + +* Wed Jan 07 2026 zhaoshuang - 1.5.12.01 +- update: upgrade to 1.5.12 +- feat: enhance for multi-factor authentication -* Mon Nov 15 2021 huzhengming - 1.2.61-1 -- Update to 1.2.61 +* Fri Nov 29 2024 yangfei - 1.3.22-1.01 +- rebuild: rebuild -* Thu Mar 23 2021 uoser - 1.2.6-1 -- Update to 1.2.6 +* Sun Apr 24 2022 liuzhilin - 1.3.22-1 +- init: package init diff --git a/modify-bool-to-int-to-fix-dbus-stack-overflow-issue.patch b/modify-bool-to-int-to-fix-dbus-stack-overflow-issue.patch new file mode 100644 index 0000000000000000000000000000000000000000..0229848e033d38d5dcbe8221502cbee08d086140 --- /dev/null +++ b/modify-bool-to-int-to-fix-dbus-stack-overflow-issue.patch 
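Review bot: The `export GOPATH="$LOCAL_GOPATH:/usr/share/gocode"` added in %build appears to be overridden before the build runs, because the old `export GOPATH=/usr/share/gocode` line is kept as context between `BUILDID=` and `%make_build`. If so, the patched copy of go-lib's `dde-sm2.c` is never compiled and the build uses the unmodified system source; remove the later export or change it to `export GOPATH="$LOCAL_GOPATH:/usr/share/gocode"`. The `if [ -f "$SM2_C" ]` guard also lets the build continue silently when the SM2 source is missing, and rewriting a cryptographic library's symbols with `sed` deserves a hard failure instead, for example `[ -f "$SM2_C" ] || exit 1`. `BuildRequires: go-gir-generator` is now listed twice.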
@@ -0,0 +1,92 @@ +From a58e147a30257b135b5d1fdfb2e7e8d081e00f60 Mon Sep 17 00:00:00 2001 +From: Super User +Date: Thu, 12 Mar 2026 08:18:05 +0800 +Subject: [PATCH] modify bool to int to fix dbus stack overflow issue + +--- + misc/pam-module/auth/dbus.c | 9 +++++---- + misc/pam-module/session/dbus_method.c | 6 ++++-- + 2 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/misc/pam-module/auth/dbus.c b/misc/pam-module/auth/dbus.c +index e22f10a..b80de55 100644 +--- a/misc/pam-module/auth/dbus.c ++++ b/misc/pam-module/auth/dbus.c +@@ -677,7 +677,7 @@ int dbus_method_get_auth_type_error_echo_allow(struct UserData *ud, const char * + { + sd_bus_error err = SD_BUS_ERROR_NULL; + sd_bus_message *reply = NULL; +- bool tmp_val = false; ++ int tmp_val = false; + int ret = 0; + do { + ret = sd_bus_call_method(ud->bus, +@@ -701,13 +701,13 @@ int dbus_method_get_auth_type_error_echo_allow(struct UserData *ud, const char * + ret = sd_bus_message_enter_container(reply, 'v', "b"); + if (ret < 0) { + D_DEBUG(ud->pamh, "Failed to enter variant container: %s\n", strerror(-ret)); +- return 1; ++ break; + } + + ret = sd_bus_message_read(reply, "b", &tmp_val); + if (ret < 0) { + D_DEBUG(ud->pamh, "Failed to read variant data: %s\n", strerror(-ret)); +- return 1; ++ break; + } + + // 退出容器 +@@ -715,12 +715,13 @@ int dbus_method_get_auth_type_error_echo_allow(struct UserData *ud, const char * + if (ret < 0) { + D_DEBUG(ud->pamh, "Failed to exit variant container: %s\n", strerror(errno)); + +- return 1; ++ break; + } + + *allow = tmp_val; + D_DEBUG(ud->pamh, "[DEBUG] auth_type %s allow echo error: %d", auth_type, *allow); + } while (0); ++ + sd_bus_error_free(&err); + sd_bus_message_unref(reply); + return ret < 0 ? 
1 : 0; +diff --git a/misc/pam-module/session/dbus_method.c b/misc/pam-module/session/dbus_method.c +index 0d8e4ee..2c6ec25 100644 +--- a/misc/pam-module/session/dbus_method.c ++++ b/misc/pam-module/session/dbus_method.c +@@ -6,6 +6,7 @@ int dbus_method_get_terminal_locked(pam_handle_t *pamh, bool* isTerminalLocked) + char *res = NULL; + sd_bus *bus = NULL; + int ret = 0; ++ int tmp_val = 0; + + do { + ret = sd_bus_open_system(&bus); +@@ -26,7 +27,7 @@ int dbus_method_get_terminal_locked(pam_handle_t *pamh, bool* isTerminalLocked) + break; + } + +- ret = sd_bus_message_read(reply, "b", isTerminalLocked); ++ ret = sd_bus_message_read(reply, "b", &tmp_val); + if (ret < 0) { + pam_syslog(pamh, + LOG_ERR, +@@ -34,10 +35,11 @@ int dbus_method_get_terminal_locked(pam_handle_t *pamh, bool* isTerminalLocked) + "IsTerminalLocked"); + break; + } ++ *isTerminalLocked = (bool)tmp_val; + } while (0); + + sd_bus_error_free(&err); + sd_bus_message_unref(reply); + sd_bus_flush_close_unref(bus); + return ret < 0 ? 1 : 0; +-} +\ No newline at end of file ++} +-- +2.43.0 +
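Review bot: The exit-container error path still formats `strerror(errno)`, but sd-bus calls report failure through a negative return value and the two earlier messages in this function use `strerror(-ret)`, so the logged reason here can be unrelated to the failure. Change it to `D_DEBUG(ud->pamh, "Failed to exit variant container: %s\n", strerror(-ret));`. In the `@@ -677,7 +677,7 @@` hunk, `int tmp_val = false;` would read better as `int tmp_val = 0;` now that the variable is an int. The function starts outside these hunks.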
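Review bot: On every `break` path in dbus_method_get_terminal_locked, `*isTerminalLocked` is never written, so the caller's variable keeps whatever value it had and the return value 1 is the only sign that it is not valid. That contract is not written down; add a comment above the function such as `/* Returns 0 on success. On failure returns 1 and leaves *isTerminalLocked untouched; callers must check the return value before using it. */`. Whether the callers in the session module do so is not visible here. The function body starts outside the hunks.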