author | Tomas Mraz <tmraz@fedoraproject.org> | 2019-08-07 12:22:55 +0200 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2019-08-07 12:22:55 +0200 |
commit | 27d04a849fd9f9cfd4b35eb80d687817830183df (patch) | |
tree | 27a5af79e9be90d084a40a1bc2117671f1d00e0e /libpam/pam_get_authtok.c | |
parent | 9c56cb040ed3b1c1169e2de18f7c69c856fb7b2d (diff) | |
pam_get_authtok_verify: Avoid duplicate password verification
If password was already verified by previous modules in the stack
it does not need to be verified by pam_get_authtok_verify either.
* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
appropriately.
(pam_get_authtok_verify): Do not prompt if authtok_verified is set and
set it when the password is verified.
* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
* libpam/pam_start.c (pam_start): Initialize authtok_verified.
Diffstat (limited to 'libpam/pam_get_authtok.c')
-rw-r--r-- | libpam/pam_get_authtok.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
index 800c6e54..99eb25f2 100644
--- a/libpam/pam_get_authtok.c
+++ b/libpam/pam_get_authtok.c
@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
 }
 else if (chpass)
 {
+ pamh->authtok_verified = 0;
+
 retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
 PROMPT1, authtok_type,
 strlen (authtok_type) > 0?" ":"");
@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
 if (retval != PAM_SUCCESS)
 return retval;
+ if (chpass > 1)
+ pamh->authtok_verified = 1;
+
 return pam_get_item(pamh, item, (const void **)authtok);
 }
@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
 if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK)
 return PAM_SYSTEM_ERR;
+ if (pamh->authtok_verified)
+ return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok);
+
 if (prompt != NULL)
 {
 retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
@@ -252,5 +260,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
 if (retval != PAM_SUCCESS)
 return retval;
+ pamh->authtok_verified = 1;
+
 return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
 }
|
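Review bot: The `chpass > 1` test added near the end of pam_get_authtok_internal (second hunk) reads as a magic number, because the hunk does not show how chpass is assigned. Presumably a value above 1 means the retype prompt ran and both entries matched, but that should be confirmed against the start of the function, which lies outside the hunk. A comment such as `/* chpass > 1: the new token was entered twice and compared above */` would tell the next reader why the flag may be set at this point.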
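Review bot: The early return added to pam_get_authtok_verify (third hunk) trusts `pamh->authtok_verified` alone, so the flag is tied to the handle rather than to the token value that was actually confirmed. In this file the flag is cleared only on the chpass prompt branch of the first hunk. If a module later replaces PAM_AUTHTOK through pam_set_item, or the item is dropped between passes, the flag may still read 1 and the retype check is skipped for a token nobody typed twice. The diff shown is limited to this file, so whether the flag is reset elsewhere cannot be judged from here; if it is not, add `pamh->authtok_verified = 0;` on every path that writes or clears PAM_AUTHTOK. The function body continues outside the hunk.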