pam_pwquality: Abort the retry loop when user cancels prompt

The retry loop must be aborted for any pam_get_authtok() error except for PAM_TRY_AGAIN. Fixes: #7
author: Tomas Mraz <tmraz@fedoraproject.org> 2018-05-17 15:32:16 +0200
committer: Tomas Mraz <tmraz@fedoraproject.org> 2018-05-17 15:32:16 +0200
commit: bddd1dfe5a13e39e04ed1593cba4263dfd528fad (patch)
tree: 42dfa5af953ae6eaf541d2087b96afa833fc9b9a
parent: ed713df246388d37fe29d96295d762af7cc667fb (diff)
download: libpwquality-git-bddd1dfe5a13e39e04ed1593cba4263dfd528fad.tar.gz
1 files changed, 15 insertions, 11 deletions
diff --git a/src/pam_pwquality.c b/src/pam_pwquality.c
index dd72380..9c9849d 100644
--- a/src/pam_pwquality.c
+++ b/src/pam_pwquality.c
@@ -209,11 +209,12 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
                          */
 
                         retval = pam_get_authtok_noverify(pamh, &newtoken, NULL);
-                        if (retval != PAM_SUCCESS) {
-                                pam_syslog(pamh, LOG_ERR, "pam_get_authtok_noverify returned error: %s",
-                                        pam_strerror(pamh, retval));
-                                continue;
-                        } else if (newtoken == NULL) { /* user aborted password change, quit */
+                        if (retval != PAM_SUCCESS || newtoken == NULL) {
+                                if (retval == PAM_AUTHTOK_ERR || newtoken == NULL)
+                                        pam_syslog(pamh, LOG_INFO, "user aborted password change");
+                                else 
+                                        pam_syslog(pamh, LOG_ERR, "pam_get_authtok_noverify returned error: %s",
+                                               pam_strerror(pamh, retval));
                                 pwquality_free_settings(options.pwq);
                                 return PAM_AUTHTOK_ERR;
                         }
@@ -248,12 +249,15 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
                         }
 
                         retval = pam_get_authtok_verify(pamh, &newtoken, NULL);
-                        if (retval != PAM_SUCCESS) {
-                                pam_syslog(pamh, LOG_ERR, "pam_get_authtok_verify returned error: %s",
-                                pam_strerror(pamh, retval));
+                        if (retval != PAM_SUCCESS || newtoken == NULL) {
                                 pam_set_item(pamh, PAM_AUTHTOK, NULL);
-                                continue;
-                        } else if (newtoken == NULL) {      /* user aborted password change, quit */
+                                if (retval == PAM_TRY_AGAIN)
+                                        continue;
+                                if (retval == PAM_AUTHTOK_ERR || newtoken == NULL)
+                                        pam_syslog(pamh, LOG_INFO, "user aborted password change");
+                                else 
+                                        pam_syslog(pamh, LOG_ERR, "pam_get_authtok_verify returned error: %s",
+                                               pam_strerror(pamh, retval));
                                 pwquality_free_settings(options.pwq);
                                 return PAM_AUTHTOK_ERR;
                         }
@@ -270,7 +274,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
                 if (options.retry_times > 1)
                         return PAM_MAXTRIES;
                 else
-                        return retval;
+                        return PAM_AUTHTOK_ERR;
         } else {
                 pwquality_free_settings(options.pwq);
                 if (ctrl & PAM_DEBUG_ARG)
author	Tomas Mraz <tmraz@fedoraproject.org>	2018-05-17 15:32:16 +0200
committer	Tomas Mraz <tmraz@fedoraproject.org>	2018-05-17 15:32:16 +0200
commit	bddd1dfe5a13e39e04ed1593cba4263dfd528fad (patch)
tree	42dfa5af953ae6eaf541d2087b96afa833fc9b9a
parent	ed713df246388d37fe29d96295d762af7cc667fb (diff)
download	libpwquality-git-bddd1dfe5a13e39e04ed1593cba4263dfd528fad.tar.gz