authorThorsten Kukuk <kukuk@thkukuk.de>2009-11-10 15:52:20 +0000
committerThorsten Kukuk <kukuk@thkukuk.de>2009-11-10 15:52:20 +0000
commit0674700d17431655b4be03de6119ada78164266b (patch)
tree6ea8c9d3346ff231f375f484fef29e521f50a424 /libpam
parentcf360646cafc2f84d7a601d9681555c4d43e713b (diff)
Relevant BUGIDs:
Purpose of commit: regression fix Commit summary: --------------- 2009-11-10 Thorsten Kukuk <kukuk@suse.de> * doc/man/pam_get_authtok.3.xml: Document pam_get_authtok_noverify and pam_get_authtok_verify. * libpam/Makefile.am (libpam_la_LDFLAGS): Bump revision of libpam. * libpam/pam_get_authtok.c (pam_get_authtok_internal): Renamed from pam_get_authtok, add flags argument, always check return values. * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Use pam_get_authtok_noverify and pam_get_authtok_verify. * libpam/include/security/pam_ext.h: Add prototypes for pam_get_authtok_noverify and pam_get_authtok_verify. * libpam/libpam.map: Add new pam_get_authtok_* functions.
Diffstat (limited to 'libpam')
-rw-r--r--libpam/Makefile.am4
-rw-r--r--libpam/include/security/pam_ext.h9
-rw-r--r--libpam/libpam.map6
-rw-r--r--libpam/pam_get_authtok.c83
4 files changed, 93 insertions, 9 deletions
diff --git a/libpam/Makefile.am b/libpam/Makefile.am
index c38e1fee..155db5b3 100644
--- a/libpam/Makefile.am
+++ b/libpam/Makefile.am
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de>
+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>
#
AM_CFLAGS = -DDEFAULT_MODULE_PATH=\"$(SECUREDIR)/\" -DLIBPAM_COMPILE \
@@ -20,7 +20,7 @@ include_HEADERS = include/security/_pam_compat.h \
noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \
pam_modutil_private.h pam_static_modules.h
-libpam_la_LDFLAGS = -no-undefined -version-info 82:1:82
+libpam_la_LDFLAGS = -no-undefined -version-info 82:2:82
libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@
if STATIC_MODULES
diff --git a/libpam/include/security/pam_ext.h b/libpam/include/security/pam_ext.h
index 26f7156c..7542861a 100644
--- a/libpam/include/security/pam_ext.h
+++ b/libpam/include/security/pam_ext.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2006, 2008 Thorsten Kukuk.
+ * Copyright (C) 2005, 2006, 2008, 2009 Thorsten Kukuk.
*
* <security/pam_ext.h>
*
@@ -77,6 +77,13 @@ pam_prompt (pam_handle_t *pamh, int style, char **response,
extern int PAM_NONNULL((1,3))
pam_get_authtok (pam_handle_t *pamh, int item, const char **authtok,
const char *prompt);
+extern int PAM_NONNULL((1,2))
+pam_get_authtok_noverify (pam_handle_t *pamh, const char **authtok,
+ const char *prompt);
+extern int PAM_NONNULL((1,2))
+pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
+ const char *prompt);
+
#ifdef __cplusplus
}
#endif
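Review bot: Both new prototypes are annotated `PAM_NONNULL((1,2))`, which marks `authtok` as never null, while the definition of pam_get_authtok_verify in pam_get_authtok.c still tests `authtok == NULL`. If PAM_NONNULL expands to the compiler's nonnull attribute (its definition is not shown here), an optimising compiler is allowed to drop that runtime test, so the annotation and the check should agree: either keep the check and annotate only the handle, `PAM_NONNULL((1))`, or keep the annotation and document that passing NULL is a caller error. A short comment above the two declarations stating that pam_get_authtok_verify expects `*authtok` to already hold the token to be confirmed would also help module authors.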
diff --git a/libpam/libpam.map b/libpam/libpam.map
index 227e8372..9d55e84f 100644
--- a/libpam/libpam.map
+++ b/libpam/libpam.map
@@ -35,6 +35,12 @@ LIBPAM_EXTENSION_1.1 {
pam_get_authtok;
} LIBPAM_EXTENSION_1.0;
+LIBPAM_EXTENSION_1.1.1 {
+ global:
+ pam_get_authtok_noverify;
+ pam_get_authtok_verify;
+} LIBPAM_EXTENSION_1.1;
+
LIBPAM_MODUTIL_1.0 {
global:
pam_modutil_getpwnam;
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
index 9e9f8409..43e33a3c 100644
--- a/libpam/pam_get_authtok.c
+++ b/libpam/pam_get_authtok.c
@@ -43,6 +43,8 @@
#define PROMPT2 _("Retype new %s%spassword: ")
#define MISTYPED_PASS _("Sorry, passwords do not match.")
+#define PAM_GETAUTHTOK_NOVERIFY 1
+
static const char *
get_option (pam_handle_t *pamh, const char *option)
{
@@ -70,13 +72,14 @@ get_option (pam_handle_t *pamh, const char *option)
}
-int
-pam_get_authtok (pam_handle_t *pamh, int item, const char **authtok,
- const char *prompt)
+static int
+pam_get_authtok_internal (pam_handle_t *pamh, int item,
+ const char **authtok, const char *prompt,
+ unsigned int flags)
{
char *resp[2] = {NULL, NULL};
- const void* prevauthtok;
+ const void *prevauthtok;
const char *authtok_type = "";
int ask_twice = 0; /* Password change, ask twice for it */
int retval;
@@ -88,7 +91,9 @@ pam_get_authtok (pam_handle_t *pamh, int item, const char **authtok,
which needs to be verified. */
if (item == PAM_AUTHTOK && pamh->choice == PAM_CHAUTHTOK)
{
- ask_twice = 1;
+ if (!(flags & PAM_GETAUTHTOK_NOVERIFY))
+ ask_twice = 1;
+
authtok_type = get_option (pamh, "authtok_type");
if (authtok_type == NULL)
{
@@ -140,7 +145,8 @@ pam_get_authtok (pam_handle_t *pamh, int item, const char **authtok,
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], "%s",
PROMPT);
- if (resp[0] == NULL || (ask_twice && resp[1] == NULL))
+ if (retval != PAM_SUCCESS || resp[0] == NULL ||
+ (ask_twice && resp[1] == NULL))
{
/* We want to abort the password change */
pam_error (pamh, _("Password change aborted."));
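Review bot: The abort branch is entered when `ask_twice` is set and `resp[1] == NULL`, in which case `resp[0]` can still hold the password typed at the first prompt. The hunk ends at the `pam_error` call, so whether that buffer is wiped before the function returns is not visible; if it is not, add `_pam_overwrite (resp[0]); _pam_drop (resp[0]);` (and the same for `resp[1]`) ahead of the return, as pam_get_authtok_verify does on its mismatch path. The function body starts and ends outside this hunk.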
@@ -168,3 +174,68 @@ pam_get_authtok (pam_handle_t *pamh, int item, const char **authtok,
return pam_get_item(pamh, item, (const void **)authtok);
}
+
+int
+pam_get_authtok (pam_handle_t *pamh, int item, const char **authtok,
+ const char *prompt)
+{
+ return pam_get_authtok_internal (pamh, item, authtok, prompt, 0);
+}
+
+
+int
+pam_get_authtok_noverify (pam_handle_t *pamh, const char **authtok,
+ const char *prompt)
+{
+ return pam_get_authtok_internal (pamh, PAM_AUTHTOK, authtok, prompt,
+ PAM_GETAUTHTOK_NOVERIFY);
+}
+
+int
+pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
+ const char *prompt)
+{
+ char *resp = NULL;
+ const char *authtok_type = "";
+ int retval;
+
+ if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK)
+ return PAM_SYSTEM_ERR;
+
+ if (prompt != NULL)
+ {
+ retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
+ _("Retype %s"), prompt);
+ }
+ else
+ {
+ retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
+ PROMPT2, authtok_type,
+ strlen (authtok_type) > 0?" ":"");
+ }
+
+ if (retval != PAM_SUCCESS || resp == NULL)
+ {
+ /* We want to abort the password change */
+ pam_set_item (pamh, PAM_AUTHTOK, NULL);
+ pam_error (pamh, _("Password change aborted."));
+ return PAM_AUTHTOK_ERR;
+ }
+
+ if (strcmp (*authtok, resp) != 0)
+ {
+ pam_set_item (pamh, PAM_AUTHTOK, NULL);
+ pam_error (pamh, MISTYPED_PASS);
+ _pam_overwrite (resp);
+ _pam_drop (resp);
+ return PAM_TRY_AGAIN;
+ }
+
+ retval = pam_set_item (pamh, PAM_AUTHTOK, resp);
+ _pam_overwrite (resp);
+ _pam_drop (resp);
+ if (retval != PAM_SUCCESS)
+ return retval;
+
+ return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
+}
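Review bot: In pam_get_authtok_verify the guard tests only `authtok == NULL`, so a caller that passes a pointer to a NULL token reaches `strcmp (*authtok, resp)` with a null argument; extend the guard to `if (authtok == NULL || *authtok == NULL || pamh->choice != PAM_CHAUTHTOK)`. Both error paths call `pam_set_item (pamh, PAM_AUTHTOK, NULL)` but leave the caller's `*authtok` untouched; if that pointer refers to the item's own storage (as it presumably does after pam_get_authtok_noverify), it is stale afterwards, so set `*authtok = NULL;` before returning. `authtok_type` is never assigned after its `""` initialiser, so the `PROMPT2` branch always prints an empty type; reading it with `get_option (pamh, "authtok_type")` as pam_get_authtok_internal does would keep the two prompts consistent.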