From 8ea571eeba96cf660e2550d5084458acc39c21ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= Date: Sat, 23 Feb 2002 18:06:45 +0000 Subject: [PATCH] - pam_sm_chauthtok() can return PAM_TRY_AGAIN. - "sufficient" should not terminate the chain if the PAM_PRELIM_CHECK flag is set. Sponsored by: DARPA, NAI Labs git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@81 185d5e19-27fe-0310-9dcf-9bff6b9f3609 --- lib/openpam_dispatch.c | 10 +++++++--- lib/pam_chauthtok.c | 13 ++++++++++++- 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/lib/openpam_dispatch.c b/lib/openpam_dispatch.c
index b663d5a..c4d86a1 100644
--- a/lib/openpam_dispatch.c
+++ b/lib/openpam_dispatch.c
@@ -111,7 +111,8 @@ openpam_dispatch(pam_handle_t *pamh,
 continue;
 if (r == PAM_SUCCESS) {
 /*
- * For pam_setcred(), treat "sufficient" as
+ * For pam_setcred() and pam_chauthtok() with the
+ * PAM_PRELIM_CHECK flag, treat "sufficient" as
 * "optional".
 *
 * Note that Solaris libpam does not terminate
@@ -119,7 +120,9 @@ openpam_dispatch(pam_handle_t *pamh,
 * previously failed. I'm not sure why.
 */
 if (chain->flag == PAM_SUFFICIENT &&
- primitive != PAM_SM_SETCRED)
+ primitive != PAM_SM_SETCRED &&
+ (primitive != PAM_SM_CHAUTHTOK ||
+ !(flags & PAM_PRELIM_CHECK)))
 break;
 continue;
 }
@@ -203,7 +206,8 @@ _openpam_check_error_code(int primitive, int r)
 r == PAM_AUTHTOK_ERR ||
 r == PAM_AUTHTOK_RECOVERY_ERR ||
 r == PAM_AUTHTOK_LOCK_BUSY ||
- r == PAM_AUTHTOK_DISABLE_AGING)
+ r == PAM_AUTHTOK_DISABLE_AGING ||
+ r == PAM_TRY_AGAIN)
 return;
 break;
 }
diff --git a/lib/pam_chauthtok.c b/lib/pam_chauthtok.c
index 3248feb..a74f504 100644
--- a/lib/pam_chauthtok.c
+++ b/lib/pam_chauthtok.c
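Review bot: In lib/openpam_dispatch.c, the extended `chain->flag == PAM_SUFFICIENT` condition in openpam_dispatch() keeps the chain running after a "sufficient" success only when PAM_PRELIM_CHECK is set, so a PAM_SM_CHAUTHTOK call without that flag still breaks at the first "sufficient" success. Assuming both phases walk the same chain, modules placed after a "sufficient" one are asked to pass the preliminary check but are never asked to update, which can leave their token stores unchanged. If that asymmetry is intended, the comment should give the reason and not only the rule, for example `* The preliminary pass must reach every module; the update pass still stops at the first "sufficient" success.` The enclosing loop starts and ends outside the hunk.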
@@ -51,8 +51,18 @@ int
 pam_chauthtok(pam_handle_t *pamh,
 int flags)
 {
+ int pam_err;
- return (openpam_dispatch(pamh, PAM_SM_CHAUTHTOK, flags));
+ if (flags & PAM_PRELIM_CHECK || flags & PAM_UPDATE_AUTHTOK)
+ return (PAM_SYMBOL_ERR);
+ pam_err = openpam_dispatch(pamh, PAM_SM_CHAUTHTOK,
+ flags | PAM_PRELIM_CHECK);
+ if (pam_err == PAM_SUCCESS)
+ pam_err = openpam_dispatch(pamh, PAM_SM_CHAUTHTOK,
+ flags | PAM_UPDATE_AUTHTOK);
+ pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
+ pam_set_item(pamh, PAM_AUTHTOK, NULL);
+ return (pam_err);
 }
 /*
@@ -61,4 +71,5 @@ pam_chauthtok(pam_handle_t *pamh,
 * =openpam_dispatch
 * =pam_sm_chauthtok
 * !PAM_IGNORE
+ * PAM_SYMBOL_ERR
 */
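Review bot: The two `pam_set_item(pamh, ..., NULL)` calls at the end of pam_chauthtok() are the only place in this function where the old and new authentication tokens are dropped, and their return values are discarded, so a failed clear goes unnoticed while the dispatch result is still returned. Whether pam_set_item() overwrites the previous value before freeing it is not visible here; if it does not, the plaintext tokens remain in freed heap memory after the password change. I would add a comment above the calls, such as `/* drop cached tokens so they do not outlive the password change; pam_set_item() is expected to scrub the old value */`, and confirm that behaviour in pam_set_item(). As a smaller style point, the flag check reads more clearly as `if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK))`, which shows that both phase bits are reserved for the library.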