authorTomas Mraz <tmraz@fedoraproject.org>2019-08-07 12:22:55 +0200
committerTomas Mraz <tmraz@fedoraproject.org>2019-08-07 12:22:55 +0200
commit27d04a849fd9f9cfd4b35eb80d687817830183df (patch)
tree27a5af79e9be90d084a40a1bc2117671f1d00e0e
parent9c56cb040ed3b1c1169e2de18f7c69c856fb7b2d (diff)
pam_get_authtok_verify: Avoid duplicate password verification
If password was already verified by previous modules in the stack it does not need to be verified by pam_get_authtok_verify either. * libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified appropriately. (pam_get_authtok_verify): Do not prompt if authtok_verified is set and set it when the password is verified. * libpam/pam_private.h: Add authtok_verified to the pam handle struct. * libpam/pam_start.c (pam_start): Initialize authtok_verified.
-rw-r--r--libpam/pam_get_authtok.c10
-rw-r--r--libpam/pam_private.h1
-rw-r--r--libpam/pam_start.c1
3 files changed, 12 insertions, 0 deletions
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
index 800c6e54..99eb25f2 100644
--- a/libpam/pam_get_authtok.c
+++ b/libpam/pam_get_authtok.c
@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
}
else if (chpass)
{
+ pamh->authtok_verified = 0;
+
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
PROMPT1, authtok_type,
strlen (authtok_type) > 0?" ":"");
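Review bot: The reset `pamh->authtok_verified = 0;` sits inside the `else if (chpass)` branch only, so a new token collected by the branch that closes just above it would leave an earlier value of the flag in place. That earlier branch starts outside the hunk, so this is inferred; if it also prompts for PAM_AUTHTOK, the flag is better cleared once before the `if` chain than per branch. A short comment such as `/* a fresh token is being read, so any earlier verification no longer applies */` would also record why the reset is here.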
@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
if (retval != PAM_SUCCESS)
return retval;
+ if (chpass > 1)
+ pamh->authtok_verified = 1;
+
return pam_get_item(pamh, item, (const void **)authtok);
}
@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK)
return PAM_SYSTEM_ERR;
+ if (pamh->authtok_verified)
+ return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok);
+
if (prompt != NULL)
{
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
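Review bot: The early return trusts `authtok_verified` with nothing tying it to the token it was set for, so it hands back whatever PAM_AUTHTOK currently holds. In the visible hunks the flag is cleared only in pam_start and in the `chpass` prompt branch of pam_get_authtok_internal. If a module replaces the item through pam_set_item, or the same handle is reused for another pam_chauthtok call, the retype confirmation may be skipped for a token that was never confirmed, or the caller may receive a NULL token with PAM_SUCCESS. Consider `pamh->authtok_verified = 0;` wherever PAM_AUTHTOK is stored or wiped, plus a comment above this check stating that it relies on an earlier module in the stack having done the retype check. The function body continues outside the hunk.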
@@ -252,5 +260,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
if (retval != PAM_SUCCESS)
return retval;
+ pamh->authtok_verified = 1;
+
return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
}
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
index 7ff9f758..58a26f58 100644
--- a/libpam/pam_private.h
+++ b/libpam/pam_private.h
@@ -172,6 +172,7 @@ struct pam_handle {
#ifdef HAVE_LIBAUDIT
int audit_state; /* keep track of reported audit messages */
#endif
+ int authtok_verified;
};
/* Values for select arg to _pam_dispatch() */
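Review bot: The new `authtok_verified` member has no comment, unlike `audit_state` just above it, yet the skip in pam_get_authtok_verify depends entirely on its invariant. Suggest `int authtok_verified; /* non-zero once PAM_AUTHTOK has passed the retype check; must be reset whenever the token changes */`. The struct definition begins outside the hunk.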
diff --git a/libpam/pam_start.c b/libpam/pam_start.c
index 328416d2..e27c64bb 100644
--- a/libpam/pam_start.c
+++ b/libpam/pam_start.c
@@ -94,6 +94,7 @@ int pam_start (
#endif
(*pamh)->xdisplay = NULL;
(*pamh)->authtok_type = NULL;
+ (*pamh)->authtok_verified = 0;
memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth));
if (((*pamh)->pam_conversation = (struct pam_conv *)