From 27d04a849fd9f9cfd4b35eb80d687817830183df Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Wed, 7 Aug 2019 12:22:55 +0200
Subject: [PATCH] pam_get_authtok_verify: Avoid duplicate password verification

If password was already verified by previous modules in the stack
it does not need to be verified by pam_get_authtok_verify either.

* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
  appropriately.
  (pam_get_authtok_verify): Do not prompt if authtok_verified is set and
  set it when the password is verified.
* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
* libpam/pam_start.c (pam_start): Initialize authtok_verified.
---
 libpam/pam_get_authtok.c | 10 ++++++++++
 libpam/pam_private.h     |  1 +
 libpam/pam_start.c       |  1 +
 3 files changed, 12 insertions(+)

diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
index 800c6e5..99eb25f 100644
--- a/libpam/pam_get_authtok.c
+++ b/libpam/pam_get_authtok.c
@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
     }
   else if (chpass)
     {
+      pamh->authtok_verified = 0;
+
       retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
 			   PROMPT1, authtok_type,
 			   strlen (authtok_type) > 0?" ":"");
@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
   if (retval != PAM_SUCCESS)
     return retval;
 
+  if (chpass > 1)
+    pamh->authtok_verified = 1;
+
   return pam_get_item(pamh, item, (const void **)authtok);
 }
 
@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
   if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK)
     return PAM_SYSTEM_ERR;
 
+  if (pamh->authtok_verified)
+    return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok);
+
   if (prompt != NULL)
     {
       retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
@@ -252,5 +260,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
   if (retval != PAM_SUCCESS)
     return retval;
 
+  pamh->authtok_verified = 1;
+
   return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
 }
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
index 7ff9f75..58a26f5 100644
--- a/libpam/pam_private.h
+++ b/libpam/pam_private.h
@@ -172,6 +172,7 @@ struct pam_handle {
 #ifdef HAVE_LIBAUDIT
     int audit_state;             /* keep track of reported audit messages */
 #endif
+    int authtok_verified;
 };
 
 /* Values for select arg to _pam_dispatch() */
diff --git a/libpam/pam_start.c b/libpam/pam_start.c
index 328416d..e27c64b 100644
--- a/libpam/pam_start.c
+++ b/libpam/pam_start.c
@@ -94,6 +94,7 @@ int pam_start (
 #endif
     (*pamh)->xdisplay = NULL;
     (*pamh)->authtok_type = NULL;
+    (*pamh)->authtok_verified = 0;
     memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth));
 
     if (((*pamh)->pam_conversation = (struct pam_conv *)
-- 
2.20.1