From ce50840b3c464bbb2e83935f370039cda26e5d33 Mon Sep 17 00:00:00 2001
From: Akinori MUSHA <knu@idaemons.org>
Date: Wed, 28 Jun 2017 17:50:13 +0900
Subject: [PATCH] Fall back to password entry if Touch ID is not available

---
 sudo/plugins/sudoers/auth/sudo_auth.m | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sudo/plugins/sudoers/auth/sudo_auth.m b/sudo/plugins/sudoers/auth/sudo_auth.m
index e59786d..0fee661 100644
--- a/sudo/plugins/sudoers/auth/sudo_auth.m
+++ b/sudo/plugins/sudoers/auth/sudo_auth.m
@@ -470,7 +470,9 @@
 touchid_setup(struct passwd *pw, char **prompt, sudo_auth *auth) {
     @try {
         LAContext *context = [[LAContext alloc] init];
-        BOOL canAuthenticate = [context canEvaluatePolicy:kAuthPolicy error:nil];
+        BOOL canAuthenticate =
+            [context canEvaluatePolicy:kAuthPolicy error:nil] ||
+            [context canEvaluatePolicy:kAuthPolicyFallback error:nil];
         [context release];
         return canAuthenticate ? AUTH_SUCCESS : AUTH_FATAL;
     }
@@ -490,6 +492,7 @@
         [context evaluatePolicy:(result != kTouchIDResultFallback ? kAuthPolicy : kAuthPolicyFallback) localizedReason:@"authenticate a privileged operation" reply:^(BOOL success, NSError *error) {
             result = success ? kTouchIDResultAllowed : kTouchIDResultFailed;
             switch (error.code) {
+                case LAErrorTouchIDNotAvailable:
                 case LAErrorUserFallback:
                     result = kTouchIDResultFallback;
                     break;