fix: audit fixes — double-unlock guard, PAM OOM code, GPU blur, async fp stop (v0.5.1)

Security: prevent double unlock() when PAM and fingerprint succeed
simultaneously (ext-session-lock protocol error). Fix PAM callback
returning PAM_AUTH_ERR instead of PAM_BUF_ERR on calloc OOM.

Performance: replace CPU-side Gaussian blur (image crate) with GPU blur
via GskBlurNode + GskRenderer::render_texture(). Eliminates 500ms-2s
main-thread blocking on cold cache for 4K wallpapers. Remove image and
dirs dependencies (~15 transitive crates). Make fingerprint stop()
fire-and-forget async to avoid 6s UI block after successful auth.

CLAUDE.md

@@ -38,12 +38,12 @@ LD_PRELOAD=/usr/lib/libgtk4-layer-shell.so ./target/release/moonlock
 ## Architektur
 
 - `auth.rs` — PAM-Authentifizierung via Raw FFI (unsafe extern "C" conv callback, msg_style-aware, Zeroizing<Vec<u8>>)
-- `fingerprint.rs` — fprintd D-Bus Listener, async init/claim/verify via gio futures, sync stop with 3s timeout, on_exhausted callback after MAX_FP_ATTEMPTS
+- `fingerprint.rs` — fprintd D-Bus Listener, async init/claim/verify via gio futures, async fire-and-forget stop, on_exhausted callback after MAX_FP_ATTEMPTS
 - `users.rs` — Aktuellen User via nix getuid, Avatar-Loading mit Symlink-Rejection
 - `power.rs` — Reboot/Shutdown via /usr/bin/systemctl
 - `i18n.rs` — Locale-Erkennung (OnceLock-cached) und String-Tabellen (DE/EN), faillock_warning mit konfigurierbarem max_attempts
-- `config.rs` — TOML-Config (background_path, fingerprint_enabled als Option<bool>) + Wallpaper-Fallback
+- `config.rs` — TOML-Config (background_path, background_blur, fingerprint_enabled als Option<bool>) + Wallpaper-Fallback
-- `lockscreen.rs` — GTK4 UI via LockscreenHandles, PAM-Auth via gio::spawn_blocking, FP-Label/Start separat verdrahtet, Zeroizing<String> für Passwort, Power-Confirm
+- `lockscreen.rs` — GTK4 UI via LockscreenHandles, PAM-Auth via gio::spawn_blocking, FP-Label/Start separat verdrahtet, Zeroizing<String> für Passwort, Power-Confirm, GPU-Blur via GskBlurNode
 - `main.rs` — Entry Point, Panic-Hook, Root-Check, ext-session-lock-v1 (Pflicht in Release), Multi-Monitor, systemd-Journal-Logging, async fprintd-Init nach window.present()
 
 ## Sicherheit

Cargo.lock

@@ -2,12 +2,6 @@
 # It is not intended for manual editing.
 version = 4
 
-[[package]]
-name = "adler2"
-version = "2.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
-
 [[package]]
 name = "anyhow"
 version = "1.0.102"
@@ -26,18 +20,6 @@ version = "2.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"
 
-[[package]]
-name = "bytemuck"
-version = "1.25.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8efb64bd706a16a1bdde310ae86b351e4d21550d98d056f22f8a7f7a2183fec"
-
-[[package]]
-name = "byteorder-lite"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f1fe948ff07f4bd06c30984e69f5b4899c516a3ef74f34df92a2df2ab535495"
-
 [[package]]
 name = "cairo-rs"
 version = "0.22.0"
@@ -83,15 +65,6 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
 
-[[package]]
-name = "crc32fast"
-version = "1.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511"
-dependencies = [
- "cfg-if",
-]
-
 [[package]]
 name = "equivalent"
 version = "1.0.2"
@@ -114,15 +87,6 @@ version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
 
-[[package]]
-name = "fdeflate"
-version = "0.3.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e6853b52649d4ac5c0bd02320cddc5ba956bdb407c4b75a2c6b75bf51500f8c"
-dependencies = [
- "simd-adler32",
-]
-
 [[package]]
 name = "field-offset"
 version = "0.3.6"
@@ -133,16 +97,6 @@ dependencies = [
  "rustc_version",
 ]
 
-[[package]]
-name = "flate2"
-version = "1.1.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "843fba2746e448b37e26a819579957415c8cef339bf08564fe8b7ddbd959573c"
-dependencies = [
- "crc32fast",
- "miniz_oxide",
-]
-
 [[package]]
 name = "foldhash"
 version = "0.1.5"
@@ -556,21 +510,6 @@ version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"
 
-[[package]]
-name = "image"
-version = "0.25.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85ab80394333c02fe689eaf900ab500fbd0c2213da414687ebf995a65d5a6104"
-dependencies = [
- "bytemuck",
- "byteorder-lite",
- "moxcms",
- "num-traits",
- "png",
- "zune-core",
- "zune-jpeg",
-]
-
 [[package]]
 name = "indexmap"
 version = "2.13.0"
@@ -634,16 +573,6 @@ dependencies = [
  "autocfg",
 ]
 
-[[package]]
-name = "miniz_oxide"
-version = "0.8.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
-dependencies = [
- "adler2",
- "simd-adler32",
-]
-
 [[package]]
 name = "moonlock"
 version = "0.5.0"
@@ -653,9 +582,9 @@ dependencies = [
  "gio",
  "glib",
  "glib-build-tools",
+ "graphene-rs",
  "gtk4",
  "gtk4-session-lock",
- "image",
  "libc",
  "log",
  "nix",
@@ -666,16 +595,6 @@ dependencies = [
  "zeroize",
 ]
 
-[[package]]
-name = "moxcms"
-version = "0.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb85c154ba489f01b25c0d36ae69a87e4a1c73a72631fc6c0eb6dde34a73e44b"
-dependencies = [
- "num-traits",
- "pxfm",
-]
-
 [[package]]
 name = "nix"
 version = "0.29.0"
@@ -688,15 +607,6 @@ dependencies = [
  "libc",
 ]
 
-[[package]]
-name = "num-traits"
-version = "0.2.19"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
-dependencies = [
- "autocfg",
-]
-
 [[package]]
 name = "once_cell"
 version = "1.21.4"
@@ -739,19 +649,6 @@ version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
 
-[[package]]
-name = "png"
-version = "0.18.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "60769b8b31b2a9f263dae2776c37b1b28ae246943cf719eb6946a1db05128a61"
-dependencies = [
- "bitflags",
- "crc32fast",
- "fdeflate",
- "flate2",
- "miniz_oxide",
-]
-
 [[package]]
 name = "prettyplease"
 version = "0.2.37"
@@ -780,12 +677,6 @@ dependencies = [
  "unicode-ident",
 ]
 
-[[package]]
-name = "pxfm"
-version = "0.1.28"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5a041e753da8b807c9255f28de81879c78c876392ff2469cde94799b2896b9d"
-
 [[package]]
 name = "quote"
 version = "1.0.45"
@@ -890,12 +781,6 @@ dependencies = [
  "serde_core",
 ]
 
-[[package]]
-name = "simd-adler32"
-version = "0.3.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "703d5c7ef118737c72f1af64ad2f6f8c5e1921f818cdcb97b8fe6fc69bf66214"
-
 [[package]]
 name = "slab"
 version = "0.4.12"
@@ -1284,18 +1169,3 @@ name = "zmij"
 version = "1.0.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa"
-
-[[package]]
-name = "zune-core"
-version = "0.5.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cb8a0807f7c01457d0379ba880ba6322660448ddebc890ce29bb64da71fb40f9"
-
-[[package]]
-name = "zune-jpeg"
-version = "0.5.15"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "27bc9d5b815bc103f142aa054f561d9187d191692ec7c2d1e2b4737f8dbd7296"
-dependencies = [
- "zune-core",
-]

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "moonlock"
-version = "0.5.0"
+version = "0.5.1"
 edition = "2024"
 description = "A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
 license = "MIT"
@@ -14,10 +14,10 @@ gdk-pixbuf = "0.22"
 gio = "0.22"
 toml = "0.8"
 serde = { version = "1", features = ["derive"] }
+graphene-rs = { version = "0.22", package = "graphene-rs" }
 nix = { version = "0.29", features = ["user"] }
 zeroize = { version = "1", features = ["derive"] }
 libc = "0.2"
-image = { version = "0.25", default-features = false, features = ["jpeg", "png"] }
 log = "0.4"
 systemd-journal-logger = "2.2"
 

DECISIONS.md

@@ -2,7 +2,14 @@
 
 Architectural and design decisions for Moonlock, in reverse chronological order.
 
-## 2026-03-28 – Optional background blur via `image` crate
+## 2026-03-28 – GPU blur via GskBlurNode replaces CPU blur
+
+- **Who**: Nyx, Dom
+- **Why**: CPU-side Gaussian blur (`image` crate) blocked the GTK main thread for 500ms–2s on 4K wallpapers at cold cache. Disk cache mitigated repeat starts but added ~100 lines of complexity.
+- **Tradeoffs**: GPU blur quality is slightly different (box-blur approximation vs true Gaussian), acceptable for wallpaper. Removes `image` and `dirs` dependencies entirely. No disk cache needed.
+- **How**: `Snapshot::push_blur()` + `GskRenderer::render_texture()` on `connect_realize`. Blur happens once on the GPU when the widget gets its renderer, producing a concrete `gdk::Texture`. Zero startup latency.
+
+## 2026-03-28 – Optional background blur via `image` crate (superseded)
 
 - **Who**: Nyx, Dom
 - **Why**: Consistent with moonset/moongreet — blurred wallpaper as lockscreen background is a common UX pattern

src/auth.rs

@@ -8,6 +8,7 @@ use zeroize::Zeroizing;
 // PAM return codes
 const PAM_SUCCESS: i32 = 0;
 const PAM_BUF_ERR: i32 = 5;
+const PAM_AUTH_ERR: i32 = 7;
 
 // PAM message styles
 const PAM_PROMPT_ECHO_OFF: libc::c_int = 1;
@@ -73,7 +74,7 @@ unsafe extern "C" fn pam_conv_callback(
         // Safety: appdata_ptr was set to a valid *const CString in authenticate()
         let password = appdata_ptr as *const CString;
         if password.is_null() {
-            return 7; // PAM_AUTH_ERR
+            return PAM_AUTH_ERR;
         }
 
         // Safety: calloc returns zeroed memory for num_msg PamResponse structs.
@@ -84,7 +85,7 @@ unsafe extern "C" fn pam_conv_callback(
         ) as *mut PamResponse;
 
         if resp_array.is_null() {
-            return 7; // PAM_AUTH_ERR
+            return PAM_BUF_ERR;
         }
 
         for i in 0..num_msg as isize {

src/fingerprint.rs

@@ -290,7 +290,8 @@ impl FingerprintListener {
     }
 
     /// Stop listening and release the device.
-    /// Uses a short timeout (3s) to avoid blocking the UI indefinitely.
+    /// Signal disconnect is synchronous to prevent further callbacks.
+    /// D-Bus cleanup (VerifyStop + Release) is fire-and-forget to avoid blocking the UI.
     pub fn stop(&mut self) {
         if !self.running {
             return;
@@ -301,20 +302,15 @@ impl FingerprintListener {
             if let Some(id) = self.signal_id.take() {
                 proxy.disconnect(id);
             }
-            let _ = proxy.call_sync(
+            let proxy = proxy.clone();
-                "VerifyStop",
+            glib::spawn_future_local(async move {
-                None,
+                let _ = proxy
-                gio::DBusCallFlags::NONE,
+                    .call_future("VerifyStop", None, gio::DBusCallFlags::NONE, 3000)
-                3000,
+                    .await;
-                gio::Cancellable::NONE,
+                let _ = proxy
-            );
+                    .call_future("Release", None, gio::DBusCallFlags::NONE, 3000)
-            let _ = proxy.call_sync(
+                    .await;
-                "Release",
+            });
-                None,
-                gio::DBusCallFlags::NONE,
-                3000,
-                gio::Cancellable::NONE,
-            );
         }
     }
 

src/lockscreen.rs

@@ -4,9 +4,9 @@
 use gdk4 as gdk;
 use gdk_pixbuf::Pixbuf;
 use glib::clone;
+use graphene_rs as graphene;
 use gtk4::prelude::*;
 use gtk4::{self as gtk, gio};
-use image::imageops;
 use std::cell::RefCell;
 use std::path::Path;
 use std::rc::Rc;
@@ -43,7 +43,7 @@ struct LockscreenState {
 /// Fingerprint is not initialized here — use `wire_fingerprint()` after async init.
 pub fn create_lockscreen_window(
     bg_texture: &gdk::Texture,
-    _config: &Config,
+    config: &Config,
     app: &gtk::Application,
     unlock_callback: Rc<dyn Fn()>,
 ) -> LockscreenHandles {
@@ -83,7 +83,7 @@ pub fn create_lockscreen_window(
     window.set_child(Some(&overlay));
 
     // Background wallpaper
-    let background = create_background_picture(bg_texture);
+    let background = create_background_picture(bg_texture, config.background_blur);
     overlay.set_child(Some(&background));
 
     // Centered vertical box
@@ -415,11 +415,11 @@ pub fn start_fingerprint(
 }
 
 /// Load the wallpaper as a texture once, for sharing across all windows.
-/// When `blur_radius` is `Some(sigma)` with sigma > 0, a Gaussian blur is applied.
+/// Blur is applied at render time via GPU (GskBlurNode), not here.
-pub fn load_background_texture(bg_path: &Path, blur_radius: Option<f32>) -> gdk::Texture {
+pub fn load_background_texture(bg_path: &Path) -> gdk::Texture {
     let fallback = "/dev/moonarch/moonlock/wallpaper.jpg";
 
-    let texture = if bg_path.starts_with("/dev/moonarch/moonlock") {
+    if bg_path.starts_with("/dev/moonarch/moonlock") {
         let resource_path = bg_path.to_str().unwrap_or(fallback);
         gdk::Texture::from_resource(resource_path)
     } else {
@@ -427,46 +427,56 @@ pub fn load_background_texture(bg_path: &Path, blur_radius: Option<f32>) -> gdk:
         gdk::Texture::from_file(&file).unwrap_or_else(|_| {
             gdk::Texture::from_resource(fallback)
         })
-    };
-
-    match blur_radius {
-        Some(sigma) if sigma > 0.0 => apply_blur(&texture, sigma),
-        _ => texture,
     }
 }
 
-/// Apply Gaussian blur to a texture and return a blurred texture.
+/// Create a Picture widget for the wallpaper background.
-fn apply_blur(texture: &gdk::Texture, sigma: f32) -> gdk::Texture {
+/// When `blur_radius` is `Some(sigma)` with sigma > 0, blur is applied via GPU
-    let width = texture.width() as u32;
+/// (GskBlurNode). The blur is rendered to a concrete texture on `realize` (when
-    let height = texture.height() as u32;
+/// the GPU renderer is available), avoiding lazy-render artifacts.
-    let stride = width as usize * 4;
+fn create_background_picture(texture: &gdk::Texture, blur_radius: Option<f32>) -> gtk::Picture {
-    let mut pixel_data = vec![0u8; stride * height as usize];
-    texture.download(&mut pixel_data, stride);
-
-    let img = image::RgbaImage::from_raw(width, height, pixel_data)
-        .expect("pixel buffer size matches texture dimensions");
-    let blurred = imageops::blur(&image::DynamicImage::ImageRgba8(img), sigma);
-
-    let bytes = glib::Bytes::from(blurred.as_raw());
-    let mem_texture = gdk::MemoryTexture::new(
-        width as i32,
-        height as i32,
-        gdk::MemoryFormat::B8g8r8a8Premultiplied,
-        &bytes,
-        stride,
-    );
-    mem_texture.upcast()
-}
-
-/// Create a Picture widget for the wallpaper background from a shared texture.
-fn create_background_picture(texture: &gdk::Texture) -> gtk::Picture {
     let background = gtk::Picture::for_paintable(texture);
     background.set_content_fit(gtk::ContentFit::Cover);
     background.set_hexpand(true);
     background.set_vexpand(true);
+
+    if let Some(sigma) = blur_radius {
+        if sigma > 0.0 {
+            let texture = texture.clone();
+            background.connect_realize(move |picture| {
+                if let Some(blurred) = render_blurred_texture(picture, &texture, sigma) {
+                    picture.set_paintable(Some(&blurred));
+                }
+            });
+        }
+    }
+
     background
 }
 
+/// Render a blurred texture using the widget's GPU renderer.
+/// Returns None if the renderer is not available.
+fn render_blurred_texture(
+    widget: &impl IsA<gtk::Widget>,
+    texture: &gdk::Texture,
+    sigma: f32,
+) -> Option<gdk::Texture> {
+    let native = widget.native()?;
+    let renderer = native.renderer()?;
+    let snapshot = gtk::Snapshot::new();
+    let bounds = graphene::Rect::new(
+        0.0,
+        0.0,
+        texture.width() as f32,
+        texture.height() as f32,
+    );
+    snapshot.push_blur(sigma as f64);
+    snapshot.append_texture(texture, &bounds);
+    snapshot.pop();
+    let node = snapshot.to_node()?;
+    Some(renderer.render_texture(&node, None))
+}
+
 /// Load an image file and set it as the avatar.
 fn set_avatar_from_file(image: &gtk::Image, path: &Path) {
     match Pixbuf::from_file_at_scale(path.to_str().unwrap_or(""), AVATAR_SIZE, AVATAR_SIZE, true) {

src/main.rs

@@ -13,7 +13,7 @@ use gdk4 as gdk;
 use gtk4::prelude::*;
 use gtk4::{self as gtk, gio};
 use gtk4_session_lock;
-use std::cell::RefCell;
+use std::cell::{Cell, RefCell};
 use std::rc::Rc;
 
 use crate::fingerprint::FingerprintListener;
@@ -41,7 +41,7 @@ fn activate(app: &gtk::Application) {
 
     let config = config::load_config(None);
     let bg_path = config::resolve_background_path(&config);
-    let bg_texture = lockscreen::load_background_texture(&bg_path, config.background_blur);
+    let bg_texture = lockscreen::load_background_texture(&bg_path);
 
     if gtk4_session_lock::is_supported() {
         activate_with_session_lock(app, &display, &bg_texture, &config);
@@ -70,10 +70,18 @@ fn activate_with_session_lock(
 
     let monitors = display.monitors();
 
-    // Shared unlock callback — unlocks session and quits
+    // Shared unlock callback — unlocks session and quits.
+    // Guard prevents double-unlock if PAM and fingerprint succeed simultaneously.
     let lock_clone = lock.clone();
     let app_clone = app.clone();
+    let already_unlocked = Rc::new(Cell::new(false));
+    let au = already_unlocked.clone();
     let unlock_callback: Rc<dyn Fn()> = Rc::new(move || {
+        if au.get() {
+            log::debug!("Unlock already triggered, ignoring duplicate");
+            return;
+        }
+        au.set(true);
         lock_clone.unlock();
         app_clone.quit();
     });