libpamtest: Test failed login & pam_faillock

.github/workflows/pam.yml

@@ -84,6 +84,9 @@ jobs:
           # Anyone can use su
           echo '[*] Test 11'
           tests/test -t 7 -r 0
+          echo '[*] Test 12'
+          # Wrong password
+          tests/test -t 8 -r 2
       - name: Harden PAM
         run: |
           ansible-playbook harden.yml --tags pam --skip-tags slackware
@@ -97,6 +100,10 @@ jobs:
           sudo tests/test -t 6 -r 2
           # Use of su should be denied
           tests/test -t 7 -r 2
+          # Test failed login & pam_faillock
+          sudo tests/test -t 8 -r 2
+          ls -l /var/run/faillock/nobody
+          sudo faillock --user nobody
       - name: chmod /var/log/auth.log
         run: sudo chmod -c 644 /var/log/auth.log
       - name: Archive auth.log

tests/test.c

@@ -49,6 +49,26 @@ static void test_pam_authenticate(void **state)
   perr = run_pamtest("login", "root", &conv_data, tests, NULL);
   assert_int_equal(perr, testcase);
 }
+static void test_pam_authenticate_wrong_password(void **state)
+{
+  enum pamtest_err perr;
+  struct pamtest_conv_data conv_data;
+  const char *trinity_authtoks[] = {
+    "wrong_password",
+    NULL,
+  };
+  struct pam_testcase tests[] = {
+    pam_test(PAMTEST_AUTHENTICATE, PAM_AUTH_ERR),
+  };
+
+  (void) state;	/* unused */
+
+  ZERO_STRUCT(conv_data);
+  conv_data.in_echo_off = trinity_authtoks;
+
+  perr = run_pamtest("login", "nobody", &conv_data, tests, NULL);
+  assert_int_equal(perr, testcase);
+}
 static void test_pam_authenticate_nobody(void **state)
 {
   enum pamtest_err perr;
@@ -200,6 +220,9 @@ int main(int argc, char *argv[]) {
           case 7:
             ptr = test_pam_authenticate_nobody_su;
             break;
+          case 8:
+            ptr = test_pam_authenticate_wrong_password;
+            break;
           default:
             printf("invalid test case\n");
             exit (1);