From bb23b7e9d05d583f4409a01c06bf05302a110be4 Mon Sep 17 00:00:00 2001
From: Benjamin Berg
Date: Fri, 30 Jul 2021 23:46:22 +0200
Subject: [PATCH] pam: Immediately return verify-match/verify-no-match
In the verify-match case, this means disconnecting from the bus rather than stopping the verification. This is the only way to make sure that the result is immediately reported and we do not wait for the device to be idle again (which generally means waiting for finger removal). In the verify-no-match case we simply send the string first before the operation is stopped. An exceeded retry limit is only reported after VerifyStop has finished.
---
 pam/pam_fprintd.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/pam/pam_fprintd.c b/pam/pam_fprintd.c
index 58d15d7..8e1a17e 100644
--- a/pam/pam_fprintd.c
+++ b/pam/pam_fprintd.c
@@ -536,6 +536,14 @@ do_verify (sd_bus *bus,
 data->timed_out = true;
 send_info_msg (data->pamh, _("Verification timed out"));
 }
+ else
+ {
+ if (str_equal (data->result, "verify-no-match"))
+ send_err_msg (data->pamh, _("Failed to match fingerprint"));
+ else if (str_equal (data->result, "verify-match"))
+ /* Simply disconnect from bus if we return PAM_SUCCESS */
+ return PAM_SUCCESS;
+ }
 /* Ignore errors from VerifyStop */
 data->verify_started = false;
@@ -557,11 +565,7 @@ do_verify (sd_bus *bus,
 {
 if (str_equal (data->result, "verify-no-match"))
 {
- send_err_msg (data->pamh, _("Failed to match fingerprint"));
- }
- else if (str_equal (data->result, "verify-match"))
- {
- return PAM_SUCCESS;
+ /* Nothing to do at this point. */
 }
 else if (str_equal (data->result, "verify-unknown-error"))
 {
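Review bot: The new `verify-match` early return in do_verify skips the VerifyStop call and leaves `data->verify_started` set, so the running verification is only torn down if the caller actually closes the bus connection; that contract should be written at the return. I would replace the one-line comment with `/* Return without VerifyStop: the caller must close the bus so the result is reported without waiting for finger removal. */` and put the `else if` body in braces, because a comment followed by an unbraced `return PAM_SUCCESS;` on an authentication path is easy to break in a later edit. do_verify starts and ends outside this hunk, so whether anything set up earlier in the function is also skipped by this return cannot be checked from here.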
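Review bot: The `verify-no-match` branch in the second do_verify hunk is now empty, and `/* Nothing to do at this point. */` does not tell a reader of this chain that the message has already been shown. Something like `/* Message was already sent before VerifyStop; nothing more to do here. */` would make that explicit. With the `verify-match` branch removed, that result would fall into the later branches of this chain if the early return were ever bypassed; those branches are outside the hunk, so it is worth confirming that they fail closed.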
@@ -743,10 +747,16 @@ do_auth (pam_handle_t *pamh, const char *username)
 if (claim_device (pamh, bus, data->dev, username))
 {
 int ret = do_verify (bus, data);
- release_device (pamh, bus, data->dev);
+
+ /* Simply disconnect from bus if we return PAM_SUCCESS */
+ if (ret != PAM_SUCCESS)
+ release_device (pamh, bus, data->dev);
+
+ sd_bus_close (bus);
 return ret;
 }
+ sd_bus_close (bus);
 return PAM_AUTHINFO_UNAVAIL;
 }
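Review bot: Skipping `release_device` when `ret == PAM_SUCCESS` leaves the device claimed until the daemon notices the disconnect, so a second authentication attempt that starts immediately afterwards could presumably find the device still claimed. The comment repeats the wording used in do_verify without stating that; I would write `/* On success skip release_device: closing the connection drops the claim without waiting for finger removal. */`. Returns earlier in do_auth are outside the hunk, so it is not visible whether they also close the bus. If they do not, the two added `sd_bus_close (bus);` calls would be better placed on a single cleanup path.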