Relevant BUGIDs:

Purpose of commit: bugfix

Commit summary:
---------------
2008-05-14  Tomas Mraz <t8m@centrum.cz>

        * modules/pam_unix/pam_unix_passwd.c(pam_sm_chauthtok): Unset authtok
        item when password is not approved.
        * modules/pam_unix/support.c(_unix_read_password): UNIX_USE_FIRST_PASS
        is always set when UNIX_AUTHTOK is set, change order of conditions.

2 files changed, 6 insertions, 2 deletions

diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index d221220f..0a429756 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -699,6 +699,10 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 				pass_new = NULL;
 			}
 			retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new);
+			
+			if (retval != PAM_SUCCESS && off(UNIX_NOT_SET_PASS, ctrl)) {
+				pam_set_item(pamh, PAM_AUTHTOK, NULL);
+			}
 		}
 
 		if (retval != PAM_SUCCESS) {
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index b82cad26..781d0006 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -743,11 +743,11 @@ int _unix_read_password(pam_handle_t * pamh
 			return retval;
 		} else if (*pass != NULL) {	/* we have a password! */
 			return PAM_SUCCESS;
-		} else if (on(UNIX_USE_FIRST_PASS, ctrl)) {
-			return PAM_AUTHTOK_RECOVERY_ERR;	  /* didn't work */
 		} else if (on(UNIX_USE_AUTHTOK, ctrl)
 			   && off(UNIX__OLD_PASSWD, ctrl)) {
 			return PAM_AUTHTOK_ERR;
+		} else if (on(UNIX_USE_FIRST_PASS, ctrl)) {
+			return PAM_AUTHTOK_RECOVERY_ERR;	  /* didn't work */
 		}
 	}
 	/*