authordwcjr <dwcjr@FreeBSD.org>2002-01-21 03:23:25 +0800
committerdwcjr <dwcjr@FreeBSD.org>2002-01-21 03:23:25 +0800
commit1d36ca21cb5d591697bf08da6b75e0ff81aa991c (patch)
tree903ffcd42c64d186711c680b8ece7ac8cb942380 /security/cyrus-sasl/files
parent1484144d70d89c7c7259b1a9a72ff377fe6d8334 (diff)
Fix OpenLDAP v1 errors
Allow PAM aware pwcheck daemon Add JavaSASL PR: 34068 Submitted by: maintainer
Diffstat (limited to 'security/cyrus-sasl/files')
-rw-r--r--security/cyrus-sasl/files/patch-ab15
-rw-r--r--security/cyrus-sasl/files/patch-java::CyrusSasl::Makefile.am11
-rw-r--r--security/cyrus-sasl/files/patch-java::javax::security::auth::callback::Makefile.am11
-rw-r--r--security/cyrus-sasl/files/patch-lib::checkpw.c101
-rw-r--r--security/cyrus-sasl/files/patch-pwcheck::Makefile.am17
-rw-r--r--security/cyrus-sasl/files/pwcheck.sh71
-rw-r--r--security/cyrus-sasl/files/pwcheck_pam.c101
7 files changed, 306 insertions, 21 deletions
diff --git a/security/cyrus-sasl/files/patch-ab b/security/cyrus-sasl/files/patch-ab
index ed6e854ca76d..009a8b4a9f82 100644
--- a/security/cyrus-sasl/files/patch-ab
+++ b/security/cyrus-sasl/files/patch-ab
@@ -1,5 +1,5 @@
---- configure.in.orig Tue Nov 27 11:45:28 2001
-+++ configure.in Tue Nov 27 12:49:28 2001
+--- configure.in.orig Thu Jan 17 19:21:51 2002
++++ configure.in Thu Jan 17 19:47:46 2002
@@ -66,8 +66,9 @@
dnl check for -R, etc. switch
CMU_GUESS_RUNPATH_SWITCH
@@ -12,7 +12,16 @@
AM_DISABLE_STATIC
-@@ -235,6 +236,13 @@
+@@ -122,8 +123,6 @@
+
+ AC_SUBST(JAVA_INCLUDES)
+ AC_MSG_RESULT(JAVA_INCLUDES)
+- JAVAC=`echo "$JAVAC" | sed 's,.*/,,'`
+- JAVAH=`echo "$JAVAH" | sed 's,.*/,,'`
+ fi
+
+ AM_CONDITIONAL(SAMPLE, test "$enable_sample" = yes)
+@@ -235,6 +234,13 @@
berkeley)
SASL_DB_BACKEND="db_${dblib}.lo"
AC_DEFINE(SASL_BERKELEYDB)
diff --git a/security/cyrus-sasl/files/patch-java::CyrusSasl::Makefile.am b/security/cyrus-sasl/files/patch-java::CyrusSasl::Makefile.am
new file mode 100644
index 000000000000..bf5be6aef933
--- /dev/null
+++ b/security/cyrus-sasl/files/patch-java::CyrusSasl::Makefile.am
@@ -0,0 +1,11 @@
+--- java/CyrusSasl/Makefile.am.orig Tue Nov 21 23:55:17 2000
++++ java/CyrusSasl/Makefile.am Thu Jan 17 21:58:10 2002
+@@ -25,7 +25,7 @@
+
+ javasasl_version = 1:0:0
+
+-javasasldir = $(prefix)/lib/java/classes/sasl/CyrusSasl
++javasasldir = $(prefix)/share/java/classes/sasl/CyrusSasl
+ javahtmldir = $(prefix)/html/sasl
+
+ INCLUDES=$(JAVA_INCLUDES) -I$(top_srcdir)/include
diff --git a/security/cyrus-sasl/files/patch-java::javax::security::auth::callback::Makefile.am b/security/cyrus-sasl/files/patch-java::javax::security::auth::callback::Makefile.am
new file mode 100644
index 000000000000..d4f02627d7a8
--- /dev/null
+++ b/security/cyrus-sasl/files/patch-java::javax::security::auth::callback::Makefile.am
@@ -0,0 +1,11 @@
+--- java/javax/security/auth/callback/Makefile.am.orig Sat Nov 4 16:55:44 2000
++++ java/javax/security/auth/callback/Makefile.am Thu Jan 17 22:05:23 2002
+@@ -39,7 +39,7 @@
+ #
+ ################################################################
+
+-javasasldir = $(prefix)/lib/java/classes/sasl/javax/security/auth/callback
++javasasldir = $(prefix)/share/java/classes/sasl/javax/security/auth/callback
+ javahtmldir = $(prefix)/html/sasl
+
+ javasasl_JAVA = PasswordCallback.java \
diff --git a/security/cyrus-sasl/files/patch-lib::checkpw.c b/security/cyrus-sasl/files/patch-lib::checkpw.c
new file mode 100644
index 000000000000..a7632c8a4ff6
--- /dev/null
+++ b/security/cyrus-sasl/files/patch-lib::checkpw.c
@@ -0,0 +1,101 @@
+--- lib/checkpw.c.orig Fri Jan 18 21:56:29 2002
++++ lib/checkpw.c Fri Jan 18 22:14:58 2002
+@@ -1491,6 +1491,9 @@
+ # define FALSE 0
+ #endif
+
++#ifndef LDAP_NO_ATTRS
++#define LDAP_NO_ATTRS "1.1"
++#endif
+ static int ldap_isdigits(char *value)
+ {
+ char *ptr;
+@@ -1504,6 +1507,16 @@
+ return num;
+ }
+
++#ifdef LDAP_VENDOR_VERSION
++#define SASL_ldap_search_ext_s(ld, base, scope, filter, attrs, attrsonly, serverctrls, clientctrls, timeout, sizelimit, res) \
++ ldap_search_ext_s(ld, base, scope, filter, attrs, attrsonly, serverctrls, clientctrls, timeout, sizelimit, res)
++#define SASL_ldap_memfree(dn) ldap_memfree(dn)
++#else
++#define SASL_ldap_search_ext_s(ld, base, scope, filter, attrs, attrsonly, serverctrls, clientctrls, timeout, sizelimit, res) \
++ ldap_search_st(ld, base, scope, filter, attrs, attrsonly, timeout, res)
++#define SASL_ldap_memfree(dn) free(dn)
++#endif
++
+ static int ldap_verify_password(sasl_conn_t *conn,
+ const char *userid,
+ const char *password,
+@@ -1522,18 +1535,18 @@
+ *ldap_filter="",
+ *ldap_bind_dn="",
+ *ldap_bind_pw="",
+- *ldap_ssl="",
+ *ldap_filter_mode="",
+ *port_num="";
+ int malloc_size; /* safety net */
+ int ldap_filter_flag = 0;
+- int ldap_ssl_flag = 0;
+ int ldap_port = LDAP_PORT;
+ sasl_getopt_t *getopt;
+ void *context;
+ LDAPMessage *result, *e;
+ char *attrs[]={LDAP_NO_ATTRS, NULL};
+ #ifdef LDAP_OPT_X_TLS
++ char *ldap_ssl="";
++ int ldap_ssl_flag = 0;
+ int tls_option;
+ #endif
+
+@@ -1625,9 +1638,11 @@
+ return SASL_FAIL;
+ }
+ /* set ssl mode if needed */
++#ifdef LDAP_OPT_X_TLS
+ if ( ldap_ssl_flag ) {
+ ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
+ }
++#endif
+
+ /* either run the filter or just bind as them ? */
+
+@@ -1657,7 +1672,7 @@
+ snprintf(filter,malloc_size-1,"(&(%s=%s)%s)", ldap_uidattr, userid, ldap_filter);
+
+ /* Now do the search */
+- if (ldap_search_ext_s(ld, ldap_basedn, LDAP_SCOPE_SUBTREE, filter,
++ if (SASL_ldap_search_ext_s(ld, ldap_basedn, LDAP_SCOPE_SUBTREE, filter,
+ attrs, 0, NULL, NULL, LDAP_NO_LIMIT, 1, &result) !=
+ LDAP_SUCCESS) {
+ free(filter);
+@@ -1680,17 +1695,17 @@
+ ldap_unbind(ld);
+ return SASL_BADAUTH;
+ }
+- if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS) {
++ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) {
+ e = NULL;
+ free(filter);
+- ldap_memfree(dn);
++ SASL_ldap_memfree(dn);
+ ldap_msgfree(result);
+ ldap_unbind(ld);
+ return SASL_BADAUTH;
+ }
+ e = NULL;
+ free(filter);
+- ldap_memfree(dn);
++ SASL_ldap_memfree(dn);
+ ldap_msgfree(result);
+
+ } else {
+@@ -1710,7 +1725,7 @@
+ * If this is not so I have a version or that too
+ * Simon@surf.org.uk
+ */
+- if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS) {
++ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) {
+ free(dn);
+ ldap_unbind(ld);
+ return SASL_BADAUTH;
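Review bot: The OpenLDAP v1 fallback for `SASL_ldap_search_ext_s` expands to `ldap_search_st(...)` and silently drops the `sizelimit` argument, while the call site passes `1` there. With `ldap_search_ext_s`, a filter that matches more than one entry should come back as a size-limit error and fail the login; with the fallback the search can succeed with several entries, and the entry whose DN is then bound with the user's password is presumably just the first one returned (that code is outside the visible context). For an authentication path it is safer to make the uniqueness check explicit on both branches, e.g. `if (ldap_count_entries(ld, result) != 1) { /* same cleanup as the failed bind */ return SASL_BADAUTH; }` right after the search. Separately, the context line that builds `filter` with `"(&(%s=%s)%s)"` inserts `userid` unescaped, so filter metacharacters in the user name can widen the match, which makes the single-match guarantee matter more.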
diff --git a/security/cyrus-sasl/files/patch-pwcheck::Makefile.am b/security/cyrus-sasl/files/patch-pwcheck::Makefile.am
new file mode 100644
index 000000000000..c9e94adefa82
--- /dev/null
+++ b/security/cyrus-sasl/files/patch-pwcheck::Makefile.am
@@ -0,0 +1,17 @@
+--- pwcheck/Makefile.am.orig Wed Mar 22 11:06:43 2000
++++ pwcheck/Makefile.am Thu Jan 17 19:09:06 2002
+@@ -22,9 +22,13 @@
+ # SOFTWARE.
+ #
+
+-sbin_PROGRAMS = pwcheck
++sbin_PROGRAMS = pwcheck pwcheck_pam
+
+ pwcheck_SOURCES = pwcheck.c
+ EXTRA_pwcheck_SOURCES = pwcheck_getpwnam.c pwcheck_getspnam.c
+ pwcheck_DEPENDECIES = pwcheck_@PWCHECKMETH@.lo
+ pwcheck_LDADD = pwcheck_@PWCHECKMETH@.lo @LIB_CRYPT@ @LIB_SOCKET@
++
++pwcheck_pam_SOURCES = pwcheck.c
++pwcheck_pam_DEPENDECIES = pwcheck_pam.lo
++pwcheck_pam_LDADD = pwcheck_pam.lo @LIB_CRYPT@ @LIB_SOCKET@ @LIB_PAM@
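Review bot: `pwcheck_pam_DEPENDECIES` copies the misspelling of the existing `pwcheck_DEPENDECIES` line, so automake does not treat it as the program's `_DEPENDENCIES` variable and the line has no effect. The build probably still works because automake derives dependencies from `pwcheck_pam_LDADD`, but the intent should be spelled correctly: `pwcheck_pam_DEPENDENCIES = pwcheck_pam.lo`. Since this binary handles passwords and links `@LIB_PAM@`, a one-line comment such as `# PAM-backed variant: same pwcheck.c front end, pwcheck_pam.lo supplies pwcheck()` would help the next reader.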
diff --git a/security/cyrus-sasl/files/pwcheck.sh b/security/cyrus-sasl/files/pwcheck.sh
index ba07b9fc580a..3f4c903817a2 100644
--- a/security/cyrus-sasl/files/pwcheck.sh
+++ b/security/cyrus-sasl/files/pwcheck.sh
@@ -3,29 +3,64 @@
# $FreeBSD$
#
+action=$1
+
PREFIX=%%PREFIX%%
-case "$1" in
+# Suck in the configuration variables.
+if [ -z "${source_rc_confs_defined}" ]; then
+ if [ -r /etc/defaults/rc.conf ]; then
+ . /etc/defaults/rc.conf
+ source_rc_confs
+ elif [ -r /etc/rc.conf ]; then
+ . /etc/rc.conf
+ fi
+fi
-start)
- if [ -x ${PREFIX}/sbin/pwcheck ]
- then
- ${PREFIX}/sbin/pwcheck & && echo -n " pwcheck"
- fi
- ;;
+# The following sasl_pwcheck_* variables may be defined in rc.conf
+#
+# sasl_pwcheck_enable - Set to YES to enable pwcheck
+# Default: %%ENABLEPWCHECK%%
+#
+# sasl_pwcheck_program - Path to pwcheck program (pwcheck/pwcheck_pam)
+# Default: ${PREFIX}/sbin/%%PWCHECK%%
-stop)
- if [ -r /var/run/pwcheck.pid ]
- then
- kill `cat /var/run/pwcheck.pid` && echo -n " pwcheck"
- rm /var/run/pwcheck.pid
- fi
- ;;
+if [ -z "${sasl_pwcheck_enable}" ] ; then
+ sasl_pwcheck_enable=%%ENABLEPWCHECK%%
+fi
-*)
- echo "usage: $0 {start|stop}" 1>&2
- exit 64
- ;;
+if [ -z "${sasl_pwcheck_program}" ]; then
+ sasl_pwcheck_program=${PREFIX}/sbin/%%PWCHECK%%
+fi
+rc=0
+
+case "${sasl_pwcheck_enable}" in
+ [Yy][Ee][Ss])
+ case "${action}" in
+
+ start)
+ if [ -x ${sasl_pwcheck_program} ] ; then
+ ${sasl_pwcheck_program} & && echo -n " pwcheck"
+ fi
+ ;;
+
+ stop)
+ if [ -r /var/run/pwcheck.pid ]; then
+ kill `cat /var/run/pwcheck.pid` && echo -n " pwcheck"
+ rm /var/run/pwcheck.pid
+ fi
+ ;;
+
+ *)
+ echo "usage: $0 {start|stop}" 1>&2
+ rc=64
+ ;;
+ esac
+ ;;
+ *)
+ rc=0
+ ;;
esac
+exit $rc
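Review bot: The `start` branch still runs `${sasl_pwcheck_program} & && echo -n " pwcheck"`, and `& &&` is not valid sh syntax, so the script is likely to fail to parse before any branch runs; backgrounding and then echoing would be `${sasl_pwcheck_program} & echo -n " pwcheck"`. The program path now comes from rc.conf and is expanded unquoted in both the `-x` test and the invocation, so quote it: `if [ -x "${sasl_pwcheck_program}" ]; then`. Note also that `stop` sits inside the `[Yy][Ee][Ss]` arm, so once `sasl_pwcheck_enable` is switched off the script no longer stops a daemon that is already running.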
diff --git a/security/cyrus-sasl/files/pwcheck_pam.c b/security/cyrus-sasl/files/pwcheck_pam.c
new file mode 100644
index 000000000000..57e1076ca92a
--- /dev/null
+++ b/security/cyrus-sasl/files/pwcheck_pam.c
@@ -0,0 +1,101 @@
+
+#include <security/pam_appl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* Static variables used to communicate between the conversation function
+ * and the server_login function
+ */
+static char *PAM_username;
+static char *PAM_password;
+
+/* PAM conversation function
+ */
+static int PAM_conv (int num_msg,
+ const struct pam_message **msg,
+ struct pam_response **resp,
+ void *appdata_ptr) {
+ int replies = 0;
+ struct pam_response *reply = NULL;
+
+ #define COPY_STRING(s) (s) ? strdup(s) : NULL
+
+ reply = malloc(sizeof(struct pam_response) * num_msg);
+ if (!reply) return PAM_CONV_ERR;
+
+ for (replies = 0; replies < num_msg; replies++) {
+ switch (msg[replies]->msg_style) {
+ case PAM_PROMPT_ECHO_ON:
+ reply[replies].resp_retcode = PAM_SUCCESS;
+ reply[replies].resp = COPY_STRING(PAM_username);
+ /* PAM frees resp */
+ break;
+ case PAM_PROMPT_ECHO_OFF:
+ reply[replies].resp_retcode = PAM_SUCCESS;
+ reply[replies].resp = COPY_STRING(PAM_password);
+ /* PAM frees resp */
+ break;
+ case PAM_TEXT_INFO:
+ /* fall through */
+ case PAM_ERROR_MSG:
+ /* ignore it, but pam still wants a NULL response... */
+ reply[replies].resp_retcode = PAM_SUCCESS;
+ reply[replies].resp = NULL;
+ break;
+ default:
+ /* Must be an error of some sort... */
+ free (reply);
+ return PAM_CONV_ERR;
+ }
+ }
+ *resp = reply;
+ return PAM_SUCCESS;
+}
+
+static struct pam_conv PAM_conversation = {
+ PAM_conv,
+ NULL
+};
+
+/* Server log in
+ * Accepts: user name string
+ * password string
+ * Returns: "OK" if password validated, error message otherwise
+ */
+
+char *pwcheck(char *username, char *password)
+{
+ pam_handle_t *pamh;
+ int pam_error;
+
+ /* PAM only handles authentication, not user information. */
+ if ( !(username && password && strlen(username) && strlen(password)) )
+ return "Incorrect username";
+
+ /* validate password */
+
+ PAM_password = password;
+ PAM_username = username;
+ fprintf(stderr, "checking %s\n", username);
+ pam_error = pam_start("cyrus", username, &PAM_conversation, &pamh);
+ if (pam_error == PAM_SUCCESS)
+ pam_error = pam_authenticate(pamh, 0);
+
+ if (pam_error == PAM_SUCCESS)
+ pam_error = pam_acct_mgmt(pamh, 0);
+
+ if ( pam_error == PAM_SUCCESS)
+ fprintf(stderr, "\tauthenticated %s\n", username);
+ else
+ fprintf(stderr, "\tfailed to authenticate %s\n", username);
+
+ if(pam_end(pamh, pam_error) != PAM_SUCCESS) {
+ pamh = NULL;
+ fprintf(stderr, "pwcheck: failed to release authenticator\n");
+ exit(1);
+ }
+ return ( pam_error == PAM_SUCCESS ? "OK" : "Incorrect passwd" );
+}
+
+
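Review bot: In `pwcheck()`, `pamh` is uninitialised and `pam_end(pamh, pam_error)` runs even when `pam_start()` failed, so a PAM start-up failure hands an indeterminate handle to `pam_end()`; return right after a failed `pam_start()` instead. In `PAM_conv`, the `default:` branch frees `reply` but not the `strdup` copies of the user name and password already stored for earlier messages, and `num_msg` is not range-checked before the `malloc`. `PAM_username` and `PAM_password` also keep pointing at the caller's buffers after `pwcheck()` returns; resetting them to NULL before returning would be cheap. The fence shows the two error paths rewritten.

```c
static int PAM_conv (int num_msg,
		     const struct pam_message **msg,
		     struct pam_response **resp,
		     void *appdata_ptr) {
    /* … unchanged: locals, COPY_STRING … */

    /* reject counts the module should never send before sizing the array */
    if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG) return PAM_CONV_ERR;
    reply = calloc(num_msg, sizeof(struct pam_response));
    if (!reply) return PAM_CONV_ERR;

    /* … unchanged: loop and the four handled msg_style cases … */
	    default:
		/* release the credential copies made for earlier messages */
		while (replies-- > 0)
		    free(reply[replies].resp);
		free (reply);
		return PAM_CONV_ERR;

/* … in pwcheck(): unchanged up to pam_start … */
    pam_error = pam_start("cyrus", username, &PAM_conversation, &pamh);
    if (pam_error != PAM_SUCCESS) {
	/* no handle was created, so there is nothing for pam_end() to release */
	fprintf(stderr, "\tfailed to authenticate %s\n", username);
	return "Incorrect passwd";
    }
    pam_error = pam_authenticate(pamh, 0);
```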