Blame SOURCES/pam-1.3.1-authtok-verify-fix.patch

a46dbe
From 27d04a849fd9f9cfd4b35eb80d687817830183df Mon Sep 17 00:00:00 2001
a46dbe
From: Tomas Mraz <tmraz@fedoraproject.org>
a46dbe
Date: Wed, 7 Aug 2019 12:22:55 +0200
a46dbe
Subject: [PATCH] pam_get_authtok_verify: Avoid duplicate password verification
a46dbe
a46dbe
If password was already verified by previous modules in the stack
a46dbe
it does not need to be verified by pam_get_authtok_verify either.
a46dbe
a46dbe
* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
a46dbe
  appropriately.
a46dbe
  (pam_get_authtok_verify): Do not prompt if authtok_verified is set and
a46dbe
  set it when the password is verified.
a46dbe
* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
a46dbe
* libpam/pam_start.c (pam_start): Initialize authtok_verified.
a46dbe
---
a46dbe
 libpam/pam_get_authtok.c | 10 ++++++++++
a46dbe
 libpam/pam_private.h     |  1 +
a46dbe
 libpam/pam_start.c       |  1 +
a46dbe
 3 files changed, 12 insertions(+)
a46dbe
a46dbe
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
a46dbe
index 800c6e5..99eb25f 100644
a46dbe
--- a/libpam/pam_get_authtok.c
a46dbe
+++ b/libpam/pam_get_authtok.c
a46dbe
@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
a46dbe
     }
a46dbe
   else if (chpass)
a46dbe
     {
a46dbe
+      pamh->authtok_verified = 0;
a46dbe
+
a46dbe
       retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
a46dbe
 			   PROMPT1, authtok_type,
a46dbe
 			   strlen (authtok_type) > 0?" ":"");
a46dbe
@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
a46dbe
   if (retval != PAM_SUCCESS)
a46dbe
     return retval;
a46dbe
 
a46dbe
+  if (chpass > 1)
a46dbe
+    pamh->authtok_verified = 1;
a46dbe
+
a46dbe
   return pam_get_item(pamh, item, (const void **)authtok);
a46dbe
 }
a46dbe
 
a46dbe
@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
a46dbe
   if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK)
a46dbe
     return PAM_SYSTEM_ERR;
a46dbe
 
a46dbe
+  if (pamh->authtok_verified)
a46dbe
+    return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok);
a46dbe
+
a46dbe
   if (prompt != NULL)
a46dbe
     {
a46dbe
       retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
a46dbe
@@ -252,5 +260,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
a46dbe
   if (retval != PAM_SUCCESS)
a46dbe
     return retval;
a46dbe
 
a46dbe
+  pamh->authtok_verified = 1;
a46dbe
+
a46dbe
   return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
a46dbe
 }
a46dbe
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
a46dbe
index 7ff9f75..58a26f5 100644
a46dbe
--- a/libpam/pam_private.h
a46dbe
+++ b/libpam/pam_private.h
a46dbe
@@ -172,6 +172,7 @@ struct pam_handle {
a46dbe
 #ifdef HAVE_LIBAUDIT
a46dbe
     int audit_state;             /* keep track of reported audit messages */
a46dbe
 #endif
a46dbe
+    int authtok_verified;
a46dbe
 };
a46dbe
 
a46dbe
 /* Values for select arg to _pam_dispatch() */
a46dbe
diff --git a/libpam/pam_start.c b/libpam/pam_start.c
a46dbe
index 328416d..e27c64b 100644
a46dbe
--- a/libpam/pam_start.c
a46dbe
+++ b/libpam/pam_start.c
a46dbe
@@ -94,6 +94,7 @@ int pam_start (
a46dbe
 #endif
a46dbe
     (*pamh)->xdisplay = NULL;
a46dbe
     (*pamh)->authtok_type = NULL;
a46dbe
+    (*pamh)->authtok_verified = 0;
a46dbe
     memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth));
a46dbe
 
a46dbe
     if (((*pamh)->pam_conversation = (struct pam_conv *)
a46dbe
-- 
a46dbe
2.20.1
a46dbe