From 27d04a849fd9f9cfd4b35eb80d687817830183df Mon Sep 17 00:00:00 2001

From: Tomas Mraz <tmraz@fedoraproject.org>

Date: Wed, 7 Aug 2019 12:22:55 +0200

Subject: [PATCH] pam_get_authtok_verify: Avoid duplicate password verification

If password was already verified by previous modules in the stack

it does not need to be verified by pam_get_authtok_verify either.

* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified

  appropriately.

  (pam_get_authtok_verify): Do not prompt if authtok_verified is set and

  set it when the password is verified.

* libpam/pam_private.h: Add authtok_verified to the pam handle struct.

* libpam/pam_start.c (pam_start): Initialize authtok_verified.

---

 libpam/pam_get_authtok.c | 10 ++++++++++

 libpam/pam_private.h     |  1 +

 libpam/pam_start.c       |  1 +

 3 files changed, 12 insertions(+)

diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c

index 800c6e5..99eb25f 100644

--- a/libpam/pam_get_authtok.c

+++ b/libpam/pam_get_authtok.c

@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,

     }

   else if (chpass)

     {

+      pamh->authtok_verified = 0;

+

       retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],

 			   PROMPT1, authtok_type,

 			   strlen (authtok_type) > 0?" ":"");

@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,

   if (retval != PAM_SUCCESS)

     return retval;

+  if (chpass > 1)

+    pamh->authtok_verified = 1;

+

   return pam_get_item(pamh, item, (const void **)authtok);

 }

@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,

   if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK)

     return PAM_SYSTEM_ERR;

+  if (pamh->authtok_verified)

+    return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok);

+

   if (prompt != NULL)

     {

       retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,

@@ -252,5 +260,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,

   if (retval != PAM_SUCCESS)

     return retval;

+  pamh->authtok_verified = 1;

+

   return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);

 }

diff --git a/libpam/pam_private.h b/libpam/pam_private.h

index 7ff9f75..58a26f5 100644

--- a/libpam/pam_private.h

+++ b/libpam/pam_private.h

@@ -172,6 +172,7 @@ struct pam_handle {

 #ifdef HAVE_LIBAUDIT

     int audit_state;             /* keep track of reported audit messages */

 #endif

+    int authtok_verified;

 };

 /* Values for select arg to _pam_dispatch() */

diff --git a/libpam/pam_start.c b/libpam/pam_start.c

index 328416d..e27c64b 100644

--- a/libpam/pam_start.c

+++ b/libpam/pam_start.c

@@ -94,6 +94,7 @@ int pam_start (

 #endif

     (*pamh)->xdisplay = NULL;

     (*pamh)->authtok_type = NULL;

+    (*pamh)->authtok_verified = 0;

     memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth));

     if (((*pamh)->pam_conversation = (struct pam_conv *)

-- 

2.20.1