Argument timeout=-1 or timeout=300 in pam.d config not working, and manual was incorrectly edited.
Update: a merge request was opened to fix this issue: !195.
I'm using lightdm on my Linux desktop, but the default 30s timeout of fprintd makes fingerprint authentication on the lock screen barely usable, because when I'm away and this machine is autolocked, I must verify my fingerprint within 30 seconds, otherwise it won't read any fingerprint anymore, and I can't do anything to make it reauthenticate again.
So I read the release log of fprintd, and found that release 1.94.2 claims the ability to ignore the timeout; it says "Add PAM module options to ignore timeout/retry limits". But when I read the builtin manual via `man pam_fprintd`, this feature is not mentioned anywhere.
But according to merge request !89 (merged), the contributor did indeed edit the manual. That's weird.
Nevertheless, I still tried to add `timeout=-1` in the lightdm pam config file, but with no luck. Then I changed it to `timeout=300`; it didn't work either. However, when I changed the timeout from 300 to 60 (or any number between 10 and 99), it did indeed work.
Out of curiosity, I investigated the source code, and found the following issues:
- https://gitlab.freedesktop.org/libfprint/fprintd/-/blob/0d2e2a6742cbec847aa756da25afd4b73d9ec53f/pam/pam_fprintd.c#L851 limits the length of the `timeout` argument to only `timeout=xx`, which only accepts two digits; however, the timeout variable is `unsigned static`, whose range covers far more than two-digit numbers. So any number between 10 and 99 will work, others won't.

  ```c
  else if (str_has_prefix (argv[i], TIMEOUT_MATCH) && strlen (argv[i]) <= strlen (TIMEOUT_MATCH) + 2)
  ```
- The contributor of the above merge request tried to imitate the coding style of the `max-tries` argument parsing method, which can also accept a negative number, and sets the max-tries variable to `UINT_MAX`. At a glance, it must be working, but when the `timeout` variable is used, which is in https://gitlab.freedesktop.org/libfprint/fprintd/-/blob/0d2e2a6742cbec847aa756da25afd4b73d9ec53f/pam/pam_fprintd.c#L451, the `verification_end` variable is fixed to `ULONG_MAX` because `timeout` is `UINT_MAX`. Remember it's a `uint64_t`, and the following code creates an `int64_t` variable called `wait_time`. Compared to a 64-bit integer, the current usec time is a relatively small number, so assigning a uint to an int is doomed to be a negative number, causing the fingerprint verification process to stop immediately.

  ```c
  while (data->max_tries > 0)
    {
      uint64_t verification_end = ULONG_MAX;
      if (timeout != UINT_MAX)
        verification_end = now () + (timeout * USEC_PER_SEC);
      // ...
      for (;;)
        {
          struct signalfd_siginfo siginfo;
          int64_t wait_time;
          wait_time = verification_end - now ();
          if (wait_time <= 0)
            break;
  ```
- That's obviously the issue, but why did the manual lose the negative number explanation for both `max-tries` and `timeout`? I tried to figure out how the manual is built, and found that in the `data/` directory, the *.pod file is the one to edit; it generates the traditional Unix manual page. But in this directory, a Unix manual page with the same filename exists, which causes confusion. Apparently the previous contributors, who respectively added the `max-tries` and `timeout` ignore options, both mistakenly edited the manual file. When I tried to remove these generated files, I didn't see any error, so I think it's safe to just delete them, and thus prevent others from misediting manual files again.

I'm working on a merge request fixing these issues, but it's my first time working on a freedesktop project, so feel free to give me suggestions if I did anything wrong.
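
Added example, not part of the original report and not fprintd code: a C model of the two defects described above (the two-character length gate and the unsigned deadline stored in a signed `wait_time`), next to one possible correction. The function names are hypothetical, `UINT64_MAX` stands in for `ULONG_MAX` as on 64-bit Linux, only the quoted lines are modelled, and the corrected versions are a sketch that assumes nothing about what !195 changes.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TIMEOUT_MATCH "timeout="
#define USEC_PER_SEC 1000000ULL

/* Length gate as quoted in the report: at most two characters of value. */
static int length_gate(const char *arg)
{
    size_t n = strlen(TIMEOUT_MATCH);
    return strncmp(arg, TIMEOUT_MATCH, n) == 0 && strlen(arg) <= n + 2;
}

/* Wait computation as quoted; UINT64_MAX stands in for ULONG_MAX (LP64). */
static int64_t wait_reported(unsigned timeout, uint64_t start, uint64_t now)
{
    uint64_t end = UINT64_MAX;
    if (timeout != UINT_MAX)
        end = start + timeout * USEC_PER_SEC;
    return (int64_t)(end - now); /* huge unsigned difference wraps negative */
}

/* Hypothetical parser: any digit count, negative means "no timeout". */
static int parse_timeout(const char *arg, unsigned *out)
{
    size_t n = strlen(TIMEOUT_MATCH);
    char *stop;
    long v;
    if (strncmp(arg, TIMEOUT_MATCH, n) != 0)
        return -1;
    errno = 0;
    v = strtol(arg + n, &stop, 10);
    if (errno || stop == arg + n || *stop != '\0')
        return -1; /* out of range, empty, or trailing junk */
    *out = (v < 0 || (unsigned long)v >= UINT_MAX) ? UINT_MAX : (unsigned)v;
    return 0;
}

/* Hypothetical wait: the "no timeout" sentinel never reaches the signed cast. */
static int64_t wait_fixed(unsigned timeout, uint64_t start, uint64_t now)
{
    uint64_t end = start + timeout * USEC_PER_SEC;
    if (timeout == UINT_MAX)
        return INT64_MAX;
    return end > now ? (int64_t)(end - now) : 0;
}
```

`timeout=-1` passes the length gate because `-1` is two characters, so it reaches the wrapping subtraction, while `timeout=300` is rejected by the gate before it is ever parsed.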