- pam_sm_chauthtok() can return PAM_TRY_AGAIN.

- "sufficient" should not terminate the chain if the PAM_PRELIM_CHECK
  flag is set.

Sponsored by: DARPA, NAI Labs


git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@81 185d5e19-27fe-0310-9dcf-9bff6b9f3609

lib/openpam_dispatch.c

@@ -111,7 +111,8 @@ openpam_dispatch(pam_handle_t *pamh,
 			continue;
 		if (r == PAM_SUCCESS) {
 			/*
-			 * For pam_setcred(), treat "sufficient" as
+			 * For pam_setcred() and pam_chauthtok() with the
+			 * PAM_PRELIM_CHECK flag, treat "sufficient" as
 			 * "optional".
 			 *
 			 * Note that Solaris libpam does not terminate
@@ -119,7 +120,9 @@ openpam_dispatch(pam_handle_t *pamh,
 			 * previously failed.  I'm not sure why.
 			 */
 			if (chain->flag == PAM_SUFFICIENT &&
-			    primitive != PAM_SM_SETCRED)
+			    primitive != PAM_SM_SETCRED &&
+			    (primitive != PAM_SM_CHAUTHTOK ||
+				!(flags & PAM_PRELIM_CHECK)))
 				break;
 			continue;
 		}
@@ -203,7 +206,8 @@ _openpam_check_error_code(int primitive, int r)
 		    r == PAM_AUTHTOK_ERR ||
 		    r == PAM_AUTHTOK_RECOVERY_ERR ||
 		    r == PAM_AUTHTOK_LOCK_BUSY ||
-		    r == PAM_AUTHTOK_DISABLE_AGING)
+		    r == PAM_AUTHTOK_DISABLE_AGING ||
+		    r == PAM_TRY_AGAIN)
 			return;
 		break;
 	}

lib/pam_chauthtok.c

@@ -51,8 +51,18 @@ int
 pam_chauthtok(pam_handle_t *pamh,
 	int flags)
 {
+	int pam_err;
 
-	return (openpam_dispatch(pamh, PAM_SM_CHAUTHTOK, flags));
+	if (flags & PAM_PRELIM_CHECK || flags & PAM_UPDATE_AUTHTOK)
+		return (PAM_SYMBOL_ERR);
+	pam_err = openpam_dispatch(pamh, PAM_SM_CHAUTHTOK,
+	    flags | PAM_PRELIM_CHECK);
+	if (pam_err == PAM_SUCCESS)
+		pam_err = openpam_dispatch(pamh, PAM_SM_CHAUTHTOK,
+		    flags | PAM_UPDATE_AUTHTOK);
+	pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
+	pam_set_item(pamh, PAM_AUTHTOK, NULL);
+	return (pam_err);
 }
 
 /*
@@ -61,4 +71,5 @@ pam_chauthtok(pam_handle_t *pamh,
  *	=openpam_dispatch
  *	=pam_sm_chauthtok
  *	!PAM_IGNORE
+ *	PAM_SYMBOL_ERR
  */