You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
pam/SOURCES/pam-1.3.1-authtok-verify-fi...

89 lines
2.9 KiB

From 27d04a849fd9f9cfd4b35eb80d687817830183df Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Wed, 7 Aug 2019 12:22:55 +0200
Subject: [PATCH] pam_get_authtok_verify: Avoid duplicate password verification
If password was already verified by previous modules in the stack
it does not need to be verified by pam_get_authtok_verify either.
* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
appropriately.
(pam_get_authtok_verify): Do not prompt if authtok_verified is set and
set it when the password is verified.
* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
* libpam/pam_start.c (pam_start): Initialize authtok_verified.
---
libpam/pam_get_authtok.c | 10 ++++++++++
libpam/pam_private.h | 1 +
libpam/pam_start.c | 1 +
3 files changed, 12 insertions(+)
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
index 800c6e5..99eb25f 100644
--- a/libpam/pam_get_authtok.c
+++ b/libpam/pam_get_authtok.c
@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
}
else if (chpass)
{
+ pamh->authtok_verified = 0;
+
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
PROMPT1, authtok_type,
strlen (authtok_type) > 0?" ":"");
@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
if (retval != PAM_SUCCESS)
return retval;
+ if (chpass > 1)
+ pamh->authtok_verified = 1;
+
return pam_get_item(pamh, item, (const void **)authtok);
}
@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK)
return PAM_SYSTEM_ERR;
+ if (pamh->authtok_verified)
+ return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok);
+
if (prompt != NULL)
{
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
@@ -252,5 +260,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
if (retval != PAM_SUCCESS)
return retval;
+ pamh->authtok_verified = 1;
+
return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
}
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
index 7ff9f75..58a26f5 100644
--- a/libpam/pam_private.h
+++ b/libpam/pam_private.h
@@ -172,6 +172,7 @@ struct pam_handle {
#ifdef HAVE_LIBAUDIT
int audit_state; /* keep track of reported audit messages */
#endif
+ int authtok_verified;
};
/* Values for select arg to _pam_dispatch() */
diff --git a/libpam/pam_start.c b/libpam/pam_start.c
index 328416d..e27c64b 100644
--- a/libpam/pam_start.c
+++ b/libpam/pam_start.c
@@ -94,6 +94,7 @@ int pam_start (
#endif
(*pamh)->xdisplay = NULL;
(*pamh)->authtok_type = NULL;
+ (*pamh)->authtok_verified = 0;
memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth));
if (((*pamh)->pam_conversation = (struct pam_conv *)
--
2.20.1