From cfa957e244f3eb0c36faceadb82dbd23c04e1011 Mon Sep 17 00:00:00 2001 
From: "David W. Chapman Jr." Date: Sun, 20 Jan 2002 19:23:25 +0000 Subject: [PATCH] Fix OpenLDAP v1 errors Allow PAM aware pwcheck daemon Add JavaSASL PR: 34068 Submitted by: maintainer --- security/cyrus-sasl/Makefile | 20 ++-- security/cyrus-sasl/files/patch-ab | 15 ++- .../files/patch-java::CyrusSasl::Makefile.am | 11 ++ ...vax::security::auth::callback::Makefile.am | 11 ++ .../cyrus-sasl/files/patch-lib::checkpw.c | 101 ++++++++++++++++++ .../files/patch-pwcheck::Makefile.am | 17 +++ security/cyrus-sasl/files/pwcheck.sh | 73 +++++++++---- security/cyrus-sasl/files/pwcheck_pam.c | 101 ++++++++++++++++++ security/cyrus-sasl/pkg-plist | 33 ++++++ security/cyrus-sasl/scripts/configure.sasl | 73 +++++++++---- security/cyrus-sasl2/Makefile | 20 ++-- security/cyrus-sasl2/files/patch-ab | 15 ++- .../files/patch-java::CyrusSasl::Makefile.am | 11 ++ ...vax::security::auth::callback::Makefile.am | 11 ++ .../cyrus-sasl2/files/patch-lib::checkpw.c | 101 ++++++++++++++++++ .../files/patch-pwcheck::Makefile.am | 17 +++ security/cyrus-sasl2/files/pwcheck.sh | 73 +++++++++---- security/cyrus-sasl2/files/pwcheck_pam.c | 101 ++++++++++++++++++ security/cyrus-sasl2/pkg-plist | 33 ++++++ security/cyrus-sasl2/scripts/configure.sasl | 73 +++++++++---- 20 files changed, 812 insertions(+), 98 deletions(-) create mode 100644 security/cyrus-sasl/files/patch-java::CyrusSasl::Makefile.am create mode 100644 security/cyrus-sasl/files/patch-java::javax::security::auth::callback::Makefile.am create mode 100644 security/cyrus-sasl/files/patch-lib::checkpw.c create mode 100644 security/cyrus-sasl/files/patch-pwcheck::Makefile.am create mode 100644 security/cyrus-sasl/files/pwcheck_pam.c create mode 100644 security/cyrus-sasl2/files/patch-java::CyrusSasl::Makefile.am create mode 100644 security/cyrus-sasl2/files/patch-java::javax::security::auth::callback::Makefile.am create mode 100644 security/cyrus-sasl2/files/patch-lib::checkpw.c create mode 100644 
security/cyrus-sasl2/files/patch-pwcheck::Makefile.am create mode 100644 security/cyrus-sasl2/files/pwcheck_pam.c diff --git a/security/cyrus-sasl/Makefile b/security/cyrus-sasl/Makefile index 180849c46eec..74b05c44e5a0 100644 --- a/security/cyrus-sasl/Makefile +++ b/security/cyrus-sasl/Makefile @@ -7,7 +7,7 @@ PORTNAME= cyrus-sasl PORTVERSION= 1.5.27 -PORTREVISION= 0 +PORTREVISION= 1 CATEGORIES= security ipv6 MASTER_SITES= ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/%SUBDIR%/ \ http://prdownloads.sourceforge.net/cyrus-utils/ \ @@ -69,7 +69,7 @@ SCRIPTS_ENV= WRKDIRPREFIX="${WRKDIRPREFIX}" \ WITH_LDAP2="${WITH_LDAP2}" # JavaSASL needs someone to look at to get it to build -JAVADIR= jdk1.1.8 +JAVADIR= jdk1.3.1 JAVALIBDIR= ${PREFIX}/${JAVADIR}/lib/i386/green_threads/ .if defined(KRB5_HOME) && exists(${KRB5_HOME}) @@ -112,18 +112,21 @@ pre-fetch: .include "${WRKDIRPREFIX}${.CURDIR}/Makefile.inc" .endif +post-extract: + @${CP} ${FILESDIR}/pwcheck_pam.c ${WRKSRC}/pwcheck + pre-patch: @(cd ${WRKSRC} && ${PATCH} -p1 < ${WRKDIR}/${LDAP_MYSQL_PATCH} && \ ${MV} configure.orig configure) # Fix sasldb name in pkg-install/deinstall scripts post-patch: - @${SED} -e "/%%SASLDB%%/s##${SASLDB_NAME}#g" \ + @${SED} -e "s;%%SASLDB%%;${SASLDB_NAME};g" \ ${.CURDIR}/pkg-install > ${PKGINSTALL} - @${SED} -e "/%%SASLDB%%/s##${SASLDB_NAME}#g" \ + @${SED} -e "s;%%SASLDB%%;${SASLDB_NAME};g" \ ${.CURDIR}/pkg-deinstall > ${PKGDEINSTALL} - @${SED} -e "/%%SASLDB%%/s##${SASLDB_NAME}#g" \ - -e "/%%PREFIX%%/s##${PREFIX}#g" \ + @${SED} -e "s;%%SASLDB%%;${SASLDB_NAME};g" \ + -e "s;%%PREFIX%%;${PREFIX};g" \ ${.CURDIR}/pkg-message > ${PKGMESSAGE} .ifdef LDAP_MYSQL_MSG @${ECHO} ${LDAP_MYSQL_MSG} | /usr/bin/fmt -w 67 >> ${PKGMESSAGE} 
@@ -138,8 +141,8 @@ pre-install: @${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL post-install: - @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \ - > ${PREFIX}/etc/rc.d/pwcheck.sh + @${SED} -e "s;%%PREFIX%%;${PREFIX};g" ${PWCHECK_SUB} \ + ${FILESDIR}/pwcheck.sh > ${PREFIX}/etc/rc.d/pwcheck.sh @${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh ${INSTALL} -d -m 770 -o cyrus -g cyrus /var/pwcheck .if !defined(NOPORTDOCS) @@ -151,6 +154,7 @@ post-install: for file in `make -V EXTRA_DIST` ; do \ ${INSTALL_DATA} ${WRKSRC}/doc/$${file} ${DOCSDIR} ; \ done) + @${INSTALL_DATA} ${WRKSRC}/java/doc/draft-weltman-java-sasl-02.txt ${DOCSDIR} @${INSTALL_DATA} ${FILESDIR}/Sendmail.README ${DOCSDIR} .endif @PKG_PREFIX=${PREFIX} BATCH=${BATCH} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL diff --git a/security/cyrus-sasl/files/patch-ab b/security/cyrus-sasl/files/patch-ab index ed6e854ca76d..009a8b4a9f82 100644 --- a/security/cyrus-sasl/files/patch-ab +++ b/security/cyrus-sasl/files/patch-ab @@ -1,5 +1,5 @@ ---- configure.in.orig Tue Nov 27 11:45:28 2001 -+++ configure.in Tue Nov 27 12:49:28 2001 +--- configure.in.orig Thu Jan 17 19:21:51 2002 ++++ configure.in Thu Jan 17 19:47:46 2002 @@ -66,8 +66,9 @@ dnl check for -R, etc. switch CMU_GUESS_RUNPATH_SWITCH @@ -12,7 +12,16 @@ AM_DISABLE_STATIC -@@ -235,6 +236,13 @@ +@@ -122,8 +123,6 @@ + + AC_SUBST(JAVA_INCLUDES) + AC_MSG_RESULT(JAVA_INCLUDES) +- JAVAC=`echo "$JAVAC" | sed 's,.*/,,'` +- JAVAH=`echo "$JAVAH" | sed 's,.*/,,'` + fi + + AM_CONDITIONAL(SAMPLE, test "$enable_sample" = yes) +@@ -235,6 +234,13 @@ berkeley) SASL_DB_BACKEND="db_${dblib}.lo" AC_DEFINE(SASL_BERKELEYDB) diff --git a/security/cyrus-sasl/files/patch-java::CyrusSasl::Makefile.am b/security/cyrus-sasl/files/patch-java::CyrusSasl::Makefile.am new file mode 100644 index 000000000000..bf5be6aef933 --- /dev/null +++ b/security/cyrus-sasl/files/patch-java::CyrusSasl::Makefile.am 
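Review bot: The new post-install sed command in the `@@ -138,8 +141,8 @@` hunk relies on `${PWCHECK_SUB}`, which appears to be set only by the Makefile.inc that scripts/configure.sasl generates. If it is ever empty, the installed rc script keeps the literal `%%PWCHECK%%` and `%%ENABLEPWCHECK%%` tokens. Going by the pwcheck.sh change in this commit, an unsubstituted `sasl_pwcheck_enable` falls into the `*)` branch, so the daemon is skipped with exit status 0 and password checks fail with no diagnostic. An explicit fallback placed after the `.include` of Makefile.inc would close that gap, for example `PWCHECK_SUB?= -e "s;%%PWCHECK%%;pwcheck;g" -e "s;%%ENABLEPWCHECK%%;no;g"`. The same hunk is repeated for security/cyrus-sasl2/Makefile.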
@@ -0,0 +1,11 @@ +--- java/CyrusSasl/Makefile.am.orig Tue Nov 21 23:55:17 2000 ++++ java/CyrusSasl/Makefile.am Thu Jan 17 21:58:10 2002 +@@ -25,7 +25,7 @@ + + javasasl_version = 1:0:0 + +-javasasldir = $(prefix)/lib/java/classes/sasl/CyrusSasl ++javasasldir = $(prefix)/share/java/classes/sasl/CyrusSasl + javahtmldir = $(prefix)/html/sasl + + INCLUDES=$(JAVA_INCLUDES) -I$(top_srcdir)/include diff --git a/security/cyrus-sasl/files/patch-java::javax::security::auth::callback::Makefile.am b/security/cyrus-sasl/files/patch-java::javax::security::auth::callback::Makefile.am new file mode 100644 index 000000000000..d4f02627d7a8 --- /dev/null +++ b/security/cyrus-sasl/files/patch-java::javax::security::auth::callback::Makefile.am @@ -0,0 +1,11 @@ +--- java/javax/security/auth/callback/Makefile.am.orig Sat Nov 4 16:55:44 2000 ++++ java/javax/security/auth/callback/Makefile.am Thu Jan 17 22:05:23 2002 +@@ -39,7 +39,7 @@ + # + ################################################################ + +-javasasldir = $(prefix)/lib/java/classes/sasl/javax/security/auth/callback ++javasasldir = $(prefix)/share/java/classes/sasl/javax/security/auth/callback + javahtmldir = $(prefix)/html/sasl + + javasasl_JAVA = PasswordCallback.java \ diff --git a/security/cyrus-sasl/files/patch-lib::checkpw.c b/security/cyrus-sasl/files/patch-lib::checkpw.c new file mode 100644 index 000000000000..a7632c8a4ff6 --- /dev/null +++ b/security/cyrus-sasl/files/patch-lib::checkpw.c 
@@ -0,0 +1,101 @@ +--- lib/checkpw.c.orig Fri Jan 18 21:56:29 2002 ++++ lib/checkpw.c Fri Jan 18 22:14:58 2002 +@@ -1491,6 +1491,9 @@ + # define FALSE 0 + #endif + ++#ifndef LDAP_NO_ATTRS ++#define LDAP_NO_ATTRS "1.1" ++#endif + static int ldap_isdigits(char *value) + { + char *ptr; +@@ -1504,6 +1507,16 @@ + return num; + } + ++#ifdef LDAP_VENDOR_VERSION ++#define SASL_ldap_search_ext_s(ld, base, scope, filter, attrs, attrsonly, serverctrls, clientctrls, timeout, sizelimit, res) \ ++ ldap_search_ext_s(ld, base, scope, filter, attrs, attrsonly, serverctrls, clientctrls, timeout, sizelimit, res) ++#define SASL_ldap_memfree(dn) ldap_memfree(dn) ++#else ++#define SASL_ldap_search_ext_s(ld, base, scope, filter, attrs, attrsonly, serverctrls, clientctrls, timeout, sizelimit, res) \ ++ ldap_search_st(ld, base, scope, filter, attrs, attrsonly, timeout, res) ++#define SASL_ldap_memfree(dn) free(dn) ++#endif ++ + static int ldap_verify_password(sasl_conn_t *conn, + const char *userid, + const char *password, +@@ -1522,18 +1535,18 @@ + *ldap_filter="", + *ldap_bind_dn="", + *ldap_bind_pw="", +- *ldap_ssl="", + *ldap_filter_mode="", + *port_num=""; + int malloc_size; /* safety net */ + int ldap_filter_flag = 0; +- int ldap_ssl_flag = 0; + int ldap_port = LDAP_PORT; + sasl_getopt_t *getopt; + void *context; + LDAPMessage *result, *e; + char *attrs[]={LDAP_NO_ATTRS, NULL}; + #ifdef LDAP_OPT_X_TLS ++ char *ldap_ssl=""; ++ int ldap_ssl_flag = 0; + int tls_option; + #endif + +@@ -1625,9 +1638,11 @@ + return SASL_FAIL; + } + /* set ssl mode if needed */ ++#ifdef LDAP_OPT_X_TLS + if ( ldap_ssl_flag ) { + ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option); + } ++#endif + + /* either run the filter or just bind as them ? 
*/ + +@@ -1657,7 +1672,7 @@ + snprintf(filter,malloc_size-1,"(&(%s=%s)%s)", ldap_uidattr, userid, ldap_filter); + + /* Now do the search */ +- if (ldap_search_ext_s(ld, ldap_basedn, LDAP_SCOPE_SUBTREE, filter, ++ if (SASL_ldap_search_ext_s(ld, ldap_basedn, LDAP_SCOPE_SUBTREE, filter, + attrs, 0, NULL, NULL, LDAP_NO_LIMIT, 1, &result) != + LDAP_SUCCESS) { + free(filter); +@@ -1680,17 +1695,17 @@ + ldap_unbind(ld); + return SASL_BADAUTH; + } +- if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS) { ++ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) { + e = NULL; + free(filter); +- ldap_memfree(dn); ++ SASL_ldap_memfree(dn); + ldap_msgfree(result); + ldap_unbind(ld); + return SASL_BADAUTH; + } + e = NULL; + free(filter); +- ldap_memfree(dn); ++ SASL_ldap_memfree(dn); + ldap_msgfree(result); + + } else { +@@ -1710,7 +1725,7 @@ + * If this is not so I have a version or that too + * Simon@surf.org.uk + */ +- if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS) { ++ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) { + free(dn); + ldap_unbind(ld); + return SASL_BADAUTH; diff --git a/security/cyrus-sasl/files/patch-pwcheck::Makefile.am b/security/cyrus-sasl/files/patch-pwcheck::Makefile.am new file mode 100644 index 000000000000..c9e94adefa82 --- /dev/null +++ b/security/cyrus-sasl/files/patch-pwcheck::Makefile.am @@ -0,0 +1,17 @@ +--- pwcheck/Makefile.am.orig Wed Mar 22 11:06:43 2000 ++++ pwcheck/Makefile.am Thu Jan 17 19:09:06 2002 +@@ -22,9 +22,13 @@ + # SOFTWARE. + # + +-sbin_PROGRAMS = pwcheck ++sbin_PROGRAMS = pwcheck pwcheck_pam + + pwcheck_SOURCES = pwcheck.c + EXTRA_pwcheck_SOURCES = pwcheck_getpwnam.c pwcheck_getspnam.c + pwcheck_DEPENDECIES = pwcheck_@PWCHECKMETH@.lo + pwcheck_LDADD = pwcheck_@PWCHECKMETH@.lo @LIB_CRYPT@ @LIB_SOCKET@ ++ ++pwcheck_pam_SOURCES = pwcheck.c ++pwcheck_pam_DEPENDECIES = pwcheck_pam.lo ++pwcheck_pam_LDADD = pwcheck_pam.lo @LIB_CRYPT@ @LIB_SOCKET@ @LIB_PAM@ 
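Review bot: In the branch taken when `LDAP_VENDOR_VERSION` is undefined, `SASL_ldap_search_ext_s` expands to `ldap_search_st(...)` and drops the `sizelimit` argument, so the `1` passed at the search call no longer bounds the result. With `ldap_search_ext_s` a filter that matches several entries would normally fail with a size-limit error. On the OpenLDAP 1.x path the search succeeds and the code presumably binds as whichever entry comes back first (entry selection is outside the lines shown). An explicit check after the search, such as `if (ldap_count_entries(ld, result) != 1)` followed by the existing cleanup and `return SASL_BADAUTH;`, would keep ambiguous matches rejected on both builds. Separately, when `LDAP_OPT_X_TLS` is undefined the `ldap_ssl` option is now compiled out without any message, so a configured TLS setting is silently ignored for the simple bind. The identical patch file is added under security/cyrus-sasl2/files.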
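Review bot: `pwcheck_pam_DEPENDECIES` repeats the misspelling of the existing `pwcheck_DEPENDECIES`; automake only recognises `<program>_DEPENDENCIES`, so the added line has no effect as written. Either spell it `pwcheck_pam_DEPENDENCIES = pwcheck_pam.lo` or drop it and rely on the dependency list automake derives from `pwcheck_pam_LDADD`. The copy under security/cyrus-sasl2/files has the same line.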
diff --git a/security/cyrus-sasl/files/pwcheck.sh b/security/cyrus-sasl/files/pwcheck.sh index ba07b9fc580a..3f4c903817a2 100644 --- a/security/cyrus-sasl/files/pwcheck.sh +++ b/security/cyrus-sasl/files/pwcheck.sh @@ -3,29 +3,64 @@ # $FreeBSD$ # +action=$1 + PREFIX=%%PREFIX%% -case "$1" in +# Suck in the configuration variables. +if [ -z "${source_rc_confs_defined}" ]; then + if [ -r /etc/defaults/rc.conf ]; then + . /etc/defaults/rc.conf + source_rc_confs + elif [ -r /etc/rc.conf ]; then + . /etc/rc.conf + fi +fi -start) - if [ -x ${PREFIX}/sbin/pwcheck ] - then - ${PREFIX}/sbin/pwcheck & && echo -n " pwcheck" - fi +# The following sasl_pwcheck_* variables may be defined in rc.conf +# +# sasl_pwcheck_enable - Set to YES to enable pwcheck +# Default: %%ENABLEPWCHECK%% +# +# sasl_pwcheck_program - Path to pwcheck program (pwcheck/pwcheck_pam) +# Default: ${PREFIX}/sbin/%%PWCHECK%% + +if [ -z "${sasl_pwcheck_enable}" ] ; then + sasl_pwcheck_enable=%%ENABLEPWCHECK%% +fi + +if [ -z "${sasl_pwcheck_program}" ]; then + sasl_pwcheck_program=${PREFIX}/sbin/%%PWCHECK%% +fi + +rc=0 + +case "${sasl_pwcheck_enable}" in + [Yy][Ee][Ss]) + case "${action}" in + + start) + if [ -x ${sasl_pwcheck_program} ] ; then + ${sasl_pwcheck_program} & && echo -n " pwcheck" + fi + ;; + + stop) + if [ -r /var/run/pwcheck.pid ]; then + kill `cat /var/run/pwcheck.pid` && echo -n " pwcheck" + rm /var/run/pwcheck.pid + fi + ;; + + *) + echo "usage: $0 {start|stop}" 1>&2 + rc=64 + ;; + esac ;; - -stop) - if [ -r /var/run/pwcheck.pid ] - then - kill `cat /var/run/pwcheck.pid` && echo -n " pwcheck" - rm /var/run/pwcheck.pid - fi + *) + rc=0 ;; - -*) - echo "usage: $0 {start|stop}" 1>&2 - exit 64 - ;; - esac +exit $rc diff --git a/security/cyrus-sasl/files/pwcheck_pam.c b/security/cyrus-sasl/files/pwcheck_pam.c new file mode 100644 index 000000000000..57e1076ca92a --- /dev/null +++ b/security/cyrus-sasl/files/pwcheck_pam.c 
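Review bot: The rewritten start branch keeps `${sasl_pwcheck_program} & && echo -n " pwcheck"`, and `& &&` is not valid POSIX shell grammar, because a list terminated by `&` cannot be followed directly by `&&`. A backgrounded command also has no exit status to test at that point, so the line can simply be `"${sasl_pwcheck_program}" & echo -n " pwcheck"`. The path now comes from rc.conf rather than a fixed `${PREFIX}` location, so it should be quoted there and in the test, `[ -x "${sasl_pwcheck_program}" ]`. security/cyrus-sasl2/files/pwcheck.sh carries the same lines.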
@@ -0,0 +1,101 @@ + +#include +#include +#include +#include + +/* Static variables used to communicate between the conversation function + * and the server_login function + */ +static char *PAM_username; +static char *PAM_password; + +/* PAM conversation function + */ +static int PAM_conv (int num_msg, + const struct pam_message **msg, + struct pam_response **resp, + void *appdata_ptr) { + int replies = 0; + struct pam_response *reply = NULL; + + #define COPY_STRING(s) (s) ? strdup(s) : NULL + + reply = malloc(sizeof(struct pam_response) * num_msg); + if (!reply) return PAM_CONV_ERR; + + for (replies = 0; replies < num_msg; replies++) { + switch (msg[replies]->msg_style) { + case PAM_PROMPT_ECHO_ON: + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = COPY_STRING(PAM_username); + /* PAM frees resp */ + break; + case PAM_PROMPT_ECHO_OFF: + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = COPY_STRING(PAM_password); + /* PAM frees resp */ + break; + case PAM_TEXT_INFO: + /* fall through */ + case PAM_ERROR_MSG: + /* ignore it, but pam still wants a NULL response... */ + reply[replies].resp_retcode = PAM_SUCCESS; + reply[replies].resp = NULL; + break; + default: + /* Must be an error of some sort... */ + free (reply); + return PAM_CONV_ERR; + } + } + *resp = reply; + return PAM_SUCCESS; +} + +static struct pam_conv PAM_conversation = { + PAM_conv, + NULL +}; + +/* Server log in + * Accepts: user name string + * password string + * Returns: "OK" if password validated, error message otherwise + */ + +char *pwcheck(char *username, char *password) +{ + pam_handle_t *pamh; + int pam_error; + + /* PAM only handles authentication, not user information. 
*/ + if ( !(username && password && strlen(username) && strlen(password)) ) + return "Incorrect username"; + + /* validate password */ + + PAM_password = password; + PAM_username = username; + fprintf(stderr, "checking %s\n", username); + pam_error = pam_start("cyrus", username, &PAM_conversation, &pamh); + if (pam_error == PAM_SUCCESS) + pam_error = pam_authenticate(pamh, 0); + + if (pam_error == PAM_SUCCESS) + pam_error = pam_acct_mgmt(pamh, 0); + + if ( pam_error == PAM_SUCCESS) + fprintf(stderr, "\tauthenticated %s\n", username); + else + fprintf(stderr, "\tfailed to authenticate %s\n", username); + + if(pam_end(pamh, pam_error) != PAM_SUCCESS) { + pamh = NULL; + fprintf(stderr, "pwcheck: failed to release authenticator\n"); + exit(1); + } + return ( pam_error == PAM_SUCCESS ? "OK" : "Incorrect passwd" ); +} + + diff --git a/security/cyrus-sasl/pkg-plist b/security/cyrus-sasl/pkg-plist index 4f08d1e0edb0..7e772335df14 100644 --- a/security/cyrus-sasl/pkg-plist +++ b/security/cyrus-sasl/pkg-plist @@ -7,6 +7,9 @@ include/sasl/sasl.h include/sasl/saslplug.h include/sasl/saslutil.h @dirrm include/sasl +%%JAVASASL%%lib/libjavasasl.a +%%JAVASASL%%lib/libjavasasl.so +%%JAVASASL%%lib/libjavasasl.so.1 lib/libsasl.a lib/libsasl.so lib/libsasl.so.8 
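Review bot: `pwcheck()` calls `pam_end(pamh, pam_error)` even when `pam_start()` failed, and `pamh` is declared without an initialiser, so that path hands an indeterminate pointer to PAM inside the daemon that handles passwords. Initialise the handle to NULL and skip `pam_end` when it was never set. In `PAM_conv`, the `default:` branch frees `reply` but not the `strdup` copies of the username and password stored by earlier iterations, and `num_msg` is used as the allocation count without a sanity check. The fence below shows only the changed lines; security/cyrus-sasl2/files/pwcheck_pam.c is an identical copy and needs the same change.

```c
/* … unchanged: PAM_conv signature, locals, COPY_STRING … */
    if (num_msg <= 0) return PAM_CONV_ERR;
    reply = calloc(num_msg, sizeof(struct pam_response));
    if (!reply) return PAM_CONV_ERR;
/* … unchanged: for loop and the four handled msg_style cases … */
        default:
            /* Must be an error of some sort... */
            /* release the credential copies made by earlier iterations */
            while (replies-- > 0)
                free(reply[replies].resp);
            free (reply);
            return PAM_CONV_ERR;
/* … unchanged: rest of PAM_conv, PAM_conversation … */

char *pwcheck(char *username, char *password)
{
    pam_handle_t *pamh = NULL;
/* … unchanged: argument check, pam_start / pam_authenticate / pam_acct_mgmt, logging … */
    if (pamh != NULL && pam_end(pamh, pam_error) != PAM_SUCCESS) {
```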
@@ -34,6 +37,27 @@ lib/sasl/libplain.so.1 sbin/sasldblistusers sbin/saslpasswd sbin/pwcheck +sbin/pwcheck_pam +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/ClientFactory.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/GenericClient.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/GenericCommon.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/GenericServer.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/Sasl.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslClient.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslClientFactory.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslException.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslInputStream.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslOutputStream.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslServer.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslServerFactory.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslUtils.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/ServerFactory.class +%%JAVASASL%%share/java/classes/sasl/javax/security/auth/callback/Callback.class +%%JAVASASL%%share/java/classes/sasl/javax/security/auth/callback/CallbackHandler.class +%%JAVASASL%%share/java/classes/sasl/javax/security/auth/callback/NameCallback.class +%%JAVASASL%%share/java/classes/sasl/javax/security/auth/callback/PasswordCallback.class +%%JAVASASL%%share/java/classes/sasl/javax/security/auth/callback/RealmCallback.class +%%JAVASASL%%share/java/classes/sasl/javax/security/auth/callback/UnsupportedCallbackException.class %%PORTDOCS%%%%DOCSDIR%%/AUTHORS %%PORTDOCS%%%%DOCSDIR%%/COPYING %%PORTDOCS%%%%DOCSDIR%%/ChangeLog @@ -43,6 +67,7 @@ sbin/pwcheck %%PORTDOCS%%%%DOCSDIR%%/Sendmail.README %%PORTDOCS%%%%DOCSDIR%%/TODO %%PORTDOCS%%%%DOCSDIR%%/draft-newman-auth-scram-03.txt +%%PORTDOCS%%%%DOCSDIR%%/draft-weltman-java-sasl-02.txt %%PORTDOCS%%%%DOCSDIR%%/rfc1321.txt %%PORTDOCS%%%%DOCSDIR%%/rfc2095.txt %%PORTDOCS%%%%DOCSDIR%%/rfc2104.txt 
@@ -54,6 +79,14 @@ sbin/pwcheck %%PORTDOCS%%%%DOCSDIR%%/programming.html %%PORTDOCS%%%%DOCSDIR%%/sysadmin.html %%PORTDOCS%%@dirrm %%DOCSDIR%% +%%JAVASASL%%@dirrm share/java/classes/sasl/javax/security/auth/callback +%%JAVASASL%%@dirrm share/java/classes/sasl/javax/security/auth +%%JAVASASL%%@dirrm share/java/classes/sasl/javax/security +%%JAVASASL%%@dirrm share/java/classes/sasl/javax +%%JAVASASL%%@dirrm share/java/classes/sasl/CyrusSasl +%%JAVASASL%%@dirrm share/java/classes/sasl +%%JAVASASL%%@unexec rmdir %D/share/java/classes || true +%%JAVASASL%%@unexec rmdir %D/share/java || true @dirrm lib/sasl @cwd /var @exec install -d -m 770 -o cyrus -g cyrus %D/pwcheck diff --git a/security/cyrus-sasl/scripts/configure.sasl b/security/cyrus-sasl/scripts/configure.sasl index b4db08de7d59..65a36ef5c876 100644 --- a/security/cyrus-sasl/scripts/configure.sasl +++ b/security/cyrus-sasl/scripts/configure.sasl @@ -25,6 +25,7 @@ if [ "${BATCH}" ]; then OPTIONS="${OPTIONS} \"OpenLDAP1\"" fi if [ "${OPTIONS}" != "x" ]; then + OPTIONS="${OPTIONS} \"PWCHECK\"" set ${OPTIONS} fi else @@ -58,11 +59,14 @@ else /usr/bin/dialog --title "Additional SASL options" --clear \ --checklist "\n\ Please select desired options:" -1 -1 16 \ -NDBM "ndbm DB package" ${SET_NDBM} \ -DB3 "Berkeley DB package, revision 3" ${SET_DB3} \ +NDBM "ndbm DB" ${SET_NDBM} \ +DB3 "Berkeley DB, revision 3" ${SET_DB3} \ +JAVA "JavaSASL [Experimental]" ${SET_JAVA} \ MySQL "MySQL password Authentication" ${SET_MYSQL} \ -OpenLDAP1 "OpenLDAP 1.x support" ${SET_LDAP1} \ -OpenLDAP2 "OpenLDAP 2.x support" ${SET_LDAP2} \ +OpenLDAP1 "OpenLDAP 1.x password Authentication" ${SET_LDAP1} \ +OpenLDAP2 "OpenLDAP 2.x password Authentication w/TLS" ${SET_LDAP2} \ +PWCHECK "Use pwcheck for password Authentication" ON \ +PAMPWCHECK "Use pwcheck_pam for password Authentication" OFF \ 2> $tempfile retval=$? 
@@ -75,6 +79,8 @@ OpenLDAP2 "OpenLDAP 2.x support" ${SET_LDAP2} \ case $retval in 0) if [ -z "$*" ]; then echo "Nothing selected" + OPTIONS="\"NDBM\"" + set ${OPTIONS} fi ;; 1) echo "Cancel pressed." @@ -112,15 +118,16 @@ while [ "$1" ]; do DBLIB=1 ;; \"JAVA\") - echo "JAVA is disabled, Ignoring option" > /dev/stderr - ;; - \"DISABLED\") - echo "RUN_DEPENDS= \${LOCALBASE}/\${JAVADIR}/bin/java:\${PORTSDIR}/java/jdk" - echo "CONFIGURE_ARGS+= --with-java \\" - echo " --with-javabase=\${LOCALBASE}/include" + echo "BUILD_DEPENDS+= \${LOCALBASE}/\${JAVADIR}/bin/java:\${PORTSDIR}/java/jdk13" + echo "RUN_DEPENDS+= \${LOCALBASE}/\${JAVADIR}/bin/java:\${PORTSDIR}/java/jdk13" + echo "USE_GMAKE= yes" + echo "CONFIGURE_ARGS+= --enable-java \\" + echo " --with-javabase=\${LOCALBASE}/\${JAVADIR}" echo "CONFIGURE_ENV+= JAVAC=\"\${LOCALBASE}/\${JAVADIR}/bin/javac\" \\" - echo " JAVAH=\"\${LOCALBASE}/\${JAVADIR}/bin/javah" \\" - echo " JAVADOC=\"\${LOCALBASE}/\${JAVADIR}/bin/javadoc\" + echo " JAVAH=\"\${LOCALBASE}/\${JAVADIR}/bin/javah\" \\" + echo " JAVADOC=\"\${LOCALBASE}/\${JAVADIR}/bin/javadoc\"" + echo "PLIST_SUB+= JAVASASL=\"\"" + DEFJAVA=1 ;; \"MySQL\") echo "LIB_DEPENDS+= mysqlclient.10:\${PORTSDIR}/databases/mysql323-client" @@ -128,7 +135,7 @@ while [ "$1" ]; do MSG=1 ;; \"OpenLDAP1\") - if [ "$OPENLDAP2" ]; then + if [ "$OPENLDAP" ]; then echo "OpenLDAP1 and OpenLDAP2 are mutually exclusive." > /dev/stderr rm -f ${WRKDIRPREFIX}${REALCURDIR}/Makefile.inc exit 1 @@ -136,11 +143,10 @@ while [ "$1" ]; do echo "LIB_DEPENDS+= ldap.1:\${PORTSDIR}/net/openldap" echo "LIB_DEPENDS+= lber.1:\${PORTSDIR}/net/openldap" echo "CONFIGURE_ARGS+= --with-ldap=\${PREFIX}" - OPENLDAP1=1 - MSG=1 + OPENLDAP=1 ;; \"OpenLDAP2\") - if [ "$OPENLDAP1" ]; then + if [ "$OPENLDAP" ]; then echo "OpenLDAP1 and OpenLDAP2 are mutually exclusive." > /dev/stderr rm -f ${WRKDIRPREFIX}${REALCURDIR}/Makefile.inc exit 1 
@@ -148,8 +154,23 @@ while [ "$1" ]; do echo "LIB_DEPENDS+= ldap.2:\${PORTSDIR}/net/openldap2" echo "LIB_DEPENDS+= lber.2:\${PORTSDIR}/net/openldap2" echo "CONFIGURE_ARGS+= --with-ldap=\${PREFIX}" - OPENLDAP2=1 - MSG=1 + OPENLDAP=1 + ;; + \"PWCHECK\") + if [ "$PWCHECK" ]; then + echo "PWCHECK or PAMPWCHECK must be choosen seperately: Defaulting to PAMPWCHECK" > /dev/stderr + else + echo "PWCHECK_SUB+= -e \"s;%%PWCHECK%%;pwcheck;g\"" + PWCHECK=1 + fi + ;; + \"PAMPWCHECK\") + if [ "$PWCHECK" ]; then + echo "PWCHECK or PAMPWCHECK must be choosen seperately: Defaulting to PWCHECK" > /dev/stderr + else + echo "PWCHECK_SUB+= -e \"s;%%PWCHECK%%;pwcheck_pam;g\"" + PWCHECK=1 + fi ;; *) echo "Invalid option(s): $*" > /dev/stderr @@ -160,6 +181,20 @@ while [ "$1" ]; do shift done -if [ "x${MSG}" != "x" ]; then +if [ "$PWCHECK" ]; then + echo "PWCHECK_SUB+= -e \"s;%%ENABLEPWCHECK%%;yes;g\"" +else + echo "PWCHECK_SUB+= -e \"s;%%PWCHECK%%;pwcheck;g\" \\" + echo " -e \"s;%%ENABLEPWCHECK%%;no;g\"" +fi +if [ ! "${DEFJAVA}" ]; then + echo "PLIST_SUB+= JAVASASL=\"@comment \"" +fi +if [ ! "${DBLIB}" ]; then + echo "CONFIGURE_ARGS+= --with-dblib=ndbm" + echo "SASLDB_NAME= sasldb.db" +fi + +if [ "$OPENLDAP" ]; then echo "LDAP_MYSQL_MSG= \"See sysadmin.html in the Cyrus-SASL docs directory for informaion on using LDAP or MySQL for authentication.\"" fi diff --git a/security/cyrus-sasl2/Makefile b/security/cyrus-sasl2/Makefile index 180849c46eec..74b05c44e5a0 100644 --- a/security/cyrus-sasl2/Makefile +++ b/security/cyrus-sasl2/Makefile @@ -7,7 +7,7 @@ PORTNAME= cyrus-sasl PORTVERSION= 1.5.27 -PORTREVISION= 0 +PORTREVISION= 1 CATEGORIES= security ipv6 MASTER_SITES= ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/%SUBDIR%/ \ http://prdownloads.sourceforge.net/cyrus-utils/ \ 
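Review bot: The final test in the `@@ -160,6 +181,20 @@` hunk now emits `LDAP_MYSQL_MSG` only when `$OPENLDAP` is set, but `MSG=1` still appears as a context line in what looks like the MySQL branch and nothing reads it any more. If that reading is right, a MySQL-only build no longer gets the pkg-message pointer to sysadmin.html, although the message text still mentions MySQL. Keeping both triggers would preserve the old behaviour: `if [ "$OPENLDAP" ] || [ "$MSG" ]; then`. The diffstat lists the same change for security/cyrus-sasl2/scripts/configure.sasl.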
@@ -69,7 +69,7 @@ SCRIPTS_ENV= WRKDIRPREFIX="${WRKDIRPREFIX}" \ WITH_LDAP2="${WITH_LDAP2}" # JavaSASL needs someone to look at to get it to build -JAVADIR= jdk1.1.8 +JAVADIR= jdk1.3.1 JAVALIBDIR= ${PREFIX}/${JAVADIR}/lib/i386/green_threads/ .if defined(KRB5_HOME) && exists(${KRB5_HOME}) @@ -112,18 +112,21 @@ pre-fetch: .include "${WRKDIRPREFIX}${.CURDIR}/Makefile.inc" .endif +post-extract: + @${CP} ${FILESDIR}/pwcheck_pam.c ${WRKSRC}/pwcheck + pre-patch: @(cd ${WRKSRC} && ${PATCH} -p1 < ${WRKDIR}/${LDAP_MYSQL_PATCH} && \ ${MV} configure.orig configure) # Fix sasldb name in pkg-install/deinstall scripts post-patch: - @${SED} -e "/%%SASLDB%%/s##${SASLDB_NAME}#g" \ + @${SED} -e "s;%%SASLDB%%;${SASLDB_NAME};g" \ ${.CURDIR}/pkg-install > ${PKGINSTALL} - @${SED} -e "/%%SASLDB%%/s##${SASLDB_NAME}#g" \ + @${SED} -e "s;%%SASLDB%%;${SASLDB_NAME};g" \ ${.CURDIR}/pkg-deinstall > ${PKGDEINSTALL} - @${SED} -e "/%%SASLDB%%/s##${SASLDB_NAME}#g" \ - -e "/%%PREFIX%%/s##${PREFIX}#g" \ + @${SED} -e "s;%%SASLDB%%;${SASLDB_NAME};g" \ + -e "s;%%PREFIX%%;${PREFIX};g" \ ${.CURDIR}/pkg-message > ${PKGMESSAGE} .ifdef LDAP_MYSQL_MSG @${ECHO} ${LDAP_MYSQL_MSG} | /usr/bin/fmt -w 67 >> ${PKGMESSAGE} @@ -138,8 +141,8 @@ pre-install: @${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL post-install: - @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \ - > ${PREFIX}/etc/rc.d/pwcheck.sh + @${SED} -e "s;%%PREFIX%%;${PREFIX};g" ${PWCHECK_SUB} \ + ${FILESDIR}/pwcheck.sh > ${PREFIX}/etc/rc.d/pwcheck.sh @${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh ${INSTALL} -d -m 770 -o cyrus -g cyrus /var/pwcheck .if !defined(NOPORTDOCS) @@ -151,6 +154,7 @@ post-install: for file in `make -V EXTRA_DIST` ; do \ ${INSTALL_DATA} ${WRKSRC}/doc/$${file} ${DOCSDIR} ; \ done) + @${INSTALL_DATA} ${WRKSRC}/java/doc/draft-weltman-java-sasl-02.txt ${DOCSDIR} @${INSTALL_DATA} ${FILESDIR}/Sendmail.README ${DOCSDIR} .endif @PKG_PREFIX=${PREFIX} BATCH=${BATCH} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL 
diff --git a/security/cyrus-sasl2/files/patch-ab b/security/cyrus-sasl2/files/patch-ab index ed6e854ca76d..009a8b4a9f82 100644 --- a/security/cyrus-sasl2/files/patch-ab +++ b/security/cyrus-sasl2/files/patch-ab @@ -1,5 +1,5 @@ ---- configure.in.orig Tue Nov 27 11:45:28 2001 -+++ configure.in Tue Nov 27 12:49:28 2001 +--- configure.in.orig Thu Jan 17 19:21:51 2002 ++++ configure.in Thu Jan 17 19:47:46 2002 @@ -66,8 +66,9 @@ dnl check for -R, etc. switch CMU_GUESS_RUNPATH_SWITCH @@ -12,7 +12,16 @@ AM_DISABLE_STATIC -@@ -235,6 +236,13 @@ +@@ -122,8 +123,6 @@ + + AC_SUBST(JAVA_INCLUDES) + AC_MSG_RESULT(JAVA_INCLUDES) +- JAVAC=`echo "$JAVAC" | sed 's,.*/,,'` +- JAVAH=`echo "$JAVAH" | sed 's,.*/,,'` + fi + + AM_CONDITIONAL(SAMPLE, test "$enable_sample" = yes) +@@ -235,6 +234,13 @@ berkeley) SASL_DB_BACKEND="db_${dblib}.lo" AC_DEFINE(SASL_BERKELEYDB) diff --git a/security/cyrus-sasl2/files/patch-java::CyrusSasl::Makefile.am b/security/cyrus-sasl2/files/patch-java::CyrusSasl::Makefile.am new file mode 100644 index 000000000000..bf5be6aef933 --- /dev/null +++ b/security/cyrus-sasl2/files/patch-java::CyrusSasl::Makefile.am @@ -0,0 +1,11 @@ +--- java/CyrusSasl/Makefile.am.orig Tue Nov 21 23:55:17 2000 ++++ java/CyrusSasl/Makefile.am Thu Jan 17 21:58:10 2002 +@@ -25,7 +25,7 @@ + + javasasl_version = 1:0:0 + +-javasasldir = $(prefix)/lib/java/classes/sasl/CyrusSasl ++javasasldir = $(prefix)/share/java/classes/sasl/CyrusSasl + javahtmldir = $(prefix)/html/sasl + + INCLUDES=$(JAVA_INCLUDES) -I$(top_srcdir)/include diff --git a/security/cyrus-sasl2/files/patch-java::javax::security::auth::callback::Makefile.am b/security/cyrus-sasl2/files/patch-java::javax::security::auth::callback::Makefile.am new file mode 100644 index 000000000000..d4f02627d7a8 --- /dev/null +++ b/security/cyrus-sasl2/files/patch-java::javax::security::auth::callback::Makefile.am 
@@ -0,0 +1,11 @@ +--- java/javax/security/auth/callback/Makefile.am.orig Sat Nov 4 16:55:44 2000 ++++ java/javax/security/auth/callback/Makefile.am Thu Jan 17 22:05:23 2002 +@@ -39,7 +39,7 @@ + # + ################################################################ + +-javasasldir = $(prefix)/lib/java/classes/sasl/javax/security/auth/callback ++javasasldir = $(prefix)/share/java/classes/sasl/javax/security/auth/callback + javahtmldir = $(prefix)/html/sasl + + javasasl_JAVA = PasswordCallback.java \ diff --git a/security/cyrus-sasl2/files/patch-lib::checkpw.c b/security/cyrus-sasl2/files/patch-lib::checkpw.c new file mode 100644 index 000000000000..a7632c8a4ff6 --- /dev/null +++ b/security/cyrus-sasl2/files/patch-lib::checkpw.c 
@@ -0,0 +1,101 @@ +--- lib/checkpw.c.orig Fri Jan 18 21:56:29 2002 ++++ lib/checkpw.c Fri Jan 18 22:14:58 2002 +@@ -1491,6 +1491,9 @@ + # define FALSE 0 + #endif + ++#ifndef LDAP_NO_ATTRS ++#define LDAP_NO_ATTRS "1.1" ++#endif + static int ldap_isdigits(char *value) + { + char *ptr; +@@ -1504,6 +1507,16 @@ + return num; + } + ++#ifdef LDAP_VENDOR_VERSION ++#define SASL_ldap_search_ext_s(ld, base, scope, filter, attrs, attrsonly, serverctrls, clientctrls, timeout, sizelimit, res) \ ++ ldap_search_ext_s(ld, base, scope, filter, attrs, attrsonly, serverctrls, clientctrls, timeout, sizelimit, res) ++#define SASL_ldap_memfree(dn) ldap_memfree(dn) ++#else ++#define SASL_ldap_search_ext_s(ld, base, scope, filter, attrs, attrsonly, serverctrls, clientctrls, timeout, sizelimit, res) \ ++ ldap_search_st(ld, base, scope, filter, attrs, attrsonly, timeout, res) ++#define SASL_ldap_memfree(dn) free(dn) ++#endif ++ + static int ldap_verify_password(sasl_conn_t *conn, + const char *userid, + const char *password, +@@ -1522,18 +1535,18 @@ + *ldap_filter="", + *ldap_bind_dn="", + *ldap_bind_pw="", +- *ldap_ssl="", + *ldap_filter_mode="", + *port_num=""; + int malloc_size; /* safety net */ + int ldap_filter_flag = 0; +- int ldap_ssl_flag = 0; + int ldap_port = LDAP_PORT; + sasl_getopt_t *getopt; + void *context; + LDAPMessage *result, *e; + char *attrs[]={LDAP_NO_ATTRS, NULL}; + #ifdef LDAP_OPT_X_TLS ++ char *ldap_ssl=""; ++ int ldap_ssl_flag = 0; + int tls_option; + #endif + +@@ -1625,9 +1638,11 @@ + return SASL_FAIL; + } + /* set ssl mode if needed */ ++#ifdef LDAP_OPT_X_TLS + if ( ldap_ssl_flag ) { + ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option); + } ++#endif + + /* either run the filter or just bind as them ? 
*/ + +@@ -1657,7 +1672,7 @@ + snprintf(filter,malloc_size-1,"(&(%s=%s)%s)", ldap_uidattr, userid, ldap_filter); + + /* Now do the search */ +- if (ldap_search_ext_s(ld, ldap_basedn, LDAP_SCOPE_SUBTREE, filter, ++ if (SASL_ldap_search_ext_s(ld, ldap_basedn, LDAP_SCOPE_SUBTREE, filter, + attrs, 0, NULL, NULL, LDAP_NO_LIMIT, 1, &result) != + LDAP_SUCCESS) { + free(filter); +@@ -1680,17 +1695,17 @@ + ldap_unbind(ld); + return SASL_BADAUTH; + } +- if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS) { ++ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) { + e = NULL; + free(filter); +- ldap_memfree(dn); ++ SASL_ldap_memfree(dn); + ldap_msgfree(result); + ldap_unbind(ld); + return SASL_BADAUTH; + } + e = NULL; + free(filter); +- ldap_memfree(dn); ++ SASL_ldap_memfree(dn); + ldap_msgfree(result); + + } else { +@@ -1710,7 +1725,7 @@ + * If this is not so I have a version or that too + * Simon@surf.org.uk + */ +- if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS) { ++ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) { + free(dn); + ldap_unbind(ld); + return SASL_BADAUTH; diff --git a/security/cyrus-sasl2/files/patch-pwcheck::Makefile.am b/security/cyrus-sasl2/files/patch-pwcheck::Makefile.am new file mode 100644 index 000000000000..c9e94adefa82 --- /dev/null +++ b/security/cyrus-sasl2/files/patch-pwcheck::Makefile.am @@ -0,0 +1,17 @@ +--- pwcheck/Makefile.am.orig Wed Mar 22 11:06:43 2000 ++++ pwcheck/Makefile.am Thu Jan 17 19:09:06 2002 +@@ -22,9 +22,13 @@ + # SOFTWARE. + # + +-sbin_PROGRAMS = pwcheck ++sbin_PROGRAMS = pwcheck pwcheck_pam + + pwcheck_SOURCES = pwcheck.c + EXTRA_pwcheck_SOURCES = pwcheck_getpwnam.c pwcheck_getspnam.c + pwcheck_DEPENDECIES = pwcheck_@PWCHECKMETH@.lo + pwcheck_LDADD = pwcheck_@PWCHECKMETH@.lo @LIB_CRYPT@ @LIB_SOCKET@ ++ ++pwcheck_pam_SOURCES = pwcheck.c ++pwcheck_pam_DEPENDECIES = pwcheck_pam.lo ++pwcheck_pam_LDADD = pwcheck_pam.lo @LIB_CRYPT@ @LIB_SOCKET@ @LIB_PAM@ 
diff --git a/security/cyrus-sasl2/files/pwcheck.sh b/security/cyrus-sasl2/files/pwcheck.sh index ba07b9fc580a..3f4c903817a2 100644 --- a/security/cyrus-sasl2/files/pwcheck.sh +++ b/security/cyrus-sasl2/files/pwcheck.sh @@ -3,29 +3,64 @@ # $FreeBSD$ # +action=$1 + PREFIX=%%PREFIX%% -case "$1" in +# Suck in the configuration variables. +if [ -z "${source_rc_confs_defined}" ]; then + if [ -r /etc/defaults/rc.conf ]; then + . /etc/defaults/rc.conf + source_rc_confs + elif [ -r /etc/rc.conf ]; then + . /etc/rc.conf + fi +fi -start) - if [ -x ${PREFIX}/sbin/pwcheck ] - then - ${PREFIX}/sbin/pwcheck & && echo -n " pwcheck" - fi +# The following sasl_pwcheck_* variables may be defined in rc.conf +# +# sasl_pwcheck_enable - Set to YES to enable pwcheck +# Default: %%ENABLEPWCHECK%% +# +# sasl_pwcheck_program - Path to pwcheck program (pwcheck/pwcheck_pam) +# Default: ${PREFIX}/sbin/%%PWCHECK%% + +if [ -z "${sasl_pwcheck_enable}" ] ; then + sasl_pwcheck_enable=%%ENABLEPWCHECK%% +fi + +if [ -z "${sasl_pwcheck_program}" ]; then + sasl_pwcheck_program=${PREFIX}/sbin/%%PWCHECK%% +fi + +rc=0 + +case "${sasl_pwcheck_enable}" in + [Yy][Ee][Ss]) + case "${action}" in + + start) + if [ -x ${sasl_pwcheck_program} ] ; then + ${sasl_pwcheck_program} & && echo -n " pwcheck" + fi + ;; + + stop) + if [ -r /var/run/pwcheck.pid ]; then + kill `cat /var/run/pwcheck.pid` && echo -n " pwcheck" + rm /var/run/pwcheck.pid + fi + ;; + + *) + echo "usage: $0 {start|stop}" 1>&2 + rc=64 + ;; + esac ;; - -stop) - if [ -r /var/run/pwcheck.pid ] - then - kill `cat /var/run/pwcheck.pid` && echo -n " pwcheck" - rm /var/run/pwcheck.pid - fi + *) + rc=0 ;; - -*) - echo "usage: $0 {start|stop}" 1>&2 - exit 64 - ;; - esac +exit $rc diff --git a/security/cyrus-sasl2/files/pwcheck_pam.c b/security/cyrus-sasl2/files/pwcheck_pam.c new file mode 100644 index 000000000000..57e1076ca92a --- /dev/null +++ b/security/cyrus-sasl2/files/pwcheck_pam.c 
@@ -0,0 +1,101 @@
+
+#include
+#include
+#include
+#include
+
+/* Static variables used to communicate between the conversation function
+ * and the server_login function
+ */
+static char *PAM_username;
+static char *PAM_password;
+
+/* PAM conversation function
+ */
+static int PAM_conv (int num_msg,
+ const struct pam_message **msg,
+ struct pam_response **resp,
+ void *appdata_ptr) {
+ int replies = 0;
+ struct pam_response *reply = NULL;
+
+ #define COPY_STRING(s) (s) ? strdup(s) : NULL
+
+ reply = malloc(sizeof(struct pam_response) * num_msg);
+ if (!reply) return PAM_CONV_ERR;
+
+ for (replies = 0; replies < num_msg; replies++) {
+ switch (msg[replies]->msg_style) {
+ case PAM_PROMPT_ECHO_ON:
+ reply[replies].resp_retcode = PAM_SUCCESS;
+ reply[replies].resp = COPY_STRING(PAM_username);
+ /* PAM frees resp */
+ break;
+ case PAM_PROMPT_ECHO_OFF:
+ reply[replies].resp_retcode = PAM_SUCCESS;
+ reply[replies].resp = COPY_STRING(PAM_password);
+ /* PAM frees resp */
+ break;
+ case PAM_TEXT_INFO:
+ /* fall through */
+ case PAM_ERROR_MSG:
+ /* ignore it, but pam still wants a NULL response... */
+ reply[replies].resp_retcode = PAM_SUCCESS;
+ reply[replies].resp = NULL;
+ break;
+ default:
+ /* Must be an error of some sort... */
+ free (reply);
+ return PAM_CONV_ERR;
+ }
+ }
+ *resp = reply;
+ return PAM_SUCCESS;
+}
+
+static struct pam_conv PAM_conversation = {
+ PAM_conv,
+ NULL
+};
+
+/* Server log in
+ * Accepts: user name string
+ * password string
+ * Returns: "OK" if password validated, error message otherwise
+ */
+
+char *pwcheck(char *username, char *password)
+{
+ pam_handle_t *pamh;
+ int pam_error;
+
+ /* PAM only handles authentication, not user information.
*/ + if ( !(username && password && strlen(username) && strlen(password)) ) + return "Incorrect username"; + + /* validate password */ + + PAM_password = password; + PAM_username = username; + fprintf(stderr, "checking %s\n", username); + pam_error = pam_start("cyrus", username, &PAM_conversation, &pamh); + if (pam_error == PAM_SUCCESS) + pam_error = pam_authenticate(pamh, 0); + + if (pam_error == PAM_SUCCESS) + pam_error = pam_acct_mgmt(pamh, 0); + + if ( pam_error == PAM_SUCCESS) + fprintf(stderr, "\tauthenticated %s\n", username); + else + fprintf(stderr, "\tfailed to authenticate %s\n", username); + + if(pam_end(pamh, pam_error) != PAM_SUCCESS) { + pamh = NULL; + fprintf(stderr, "pwcheck: failed to release authenticator\n"); + exit(1); + } + return ( pam_error == PAM_SUCCESS ? "OK" : "Incorrect passwd" ); +} + + diff --git a/security/cyrus-sasl2/pkg-plist b/security/cyrus-sasl2/pkg-plist index 4f08d1e0edb0..7e772335df14 100644 --- a/security/cyrus-sasl2/pkg-plist +++ b/security/cyrus-sasl2/pkg-plist @@ -7,6 +7,9 @@ include/sasl/sasl.h include/sasl/saslplug.h include/sasl/saslutil.h @dirrm include/sasl +%%JAVASASL%%lib/libjavasasl.a +%%JAVASASL%%lib/libjavasasl.so +%%JAVASASL%%lib/libjavasasl.so.1 lib/libsasl.a lib/libsasl.so lib/libsasl.so.8 
@@ -34,6 +37,27 @@ lib/sasl/libplain.so.1 sbin/sasldblistusers sbin/saslpasswd sbin/pwcheck +sbin/pwcheck_pam +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/ClientFactory.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/GenericClient.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/GenericCommon.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/GenericServer.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/Sasl.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslClient.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslClientFactory.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslException.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslInputStream.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslOutputStream.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslServer.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslServerFactory.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/SaslUtils.class +%%JAVASASL%%share/java/classes/sasl/CyrusSasl/ServerFactory.class +%%JAVASASL%%share/java/classes/sasl/javax/security/auth/callback/Callback.class +%%JAVASASL%%share/java/classes/sasl/javax/security/auth/callback/CallbackHandler.class +%%JAVASASL%%share/java/classes/sasl/javax/security/auth/callback/NameCallback.class +%%JAVASASL%%share/java/classes/sasl/javax/security/auth/callback/PasswordCallback.class +%%JAVASASL%%share/java/classes/sasl/javax/security/auth/callback/RealmCallback.class +%%JAVASASL%%share/java/classes/sasl/javax/security/auth/callback/UnsupportedCallbackException.class %%PORTDOCS%%%%DOCSDIR%%/AUTHORS %%PORTDOCS%%%%DOCSDIR%%/COPYING %%PORTDOCS%%%%DOCSDIR%%/ChangeLog @@ -43,6 +67,7 @@ sbin/pwcheck %%PORTDOCS%%%%DOCSDIR%%/Sendmail.README %%PORTDOCS%%%%DOCSDIR%%/TODO %%PORTDOCS%%%%DOCSDIR%%/draft-newman-auth-scram-03.txt +%%PORTDOCS%%%%DOCSDIR%%/draft-weltman-java-sasl-02.txt %%PORTDOCS%%%%DOCSDIR%%/rfc1321.txt %%PORTDOCS%%%%DOCSDIR%%/rfc2095.txt %%PORTDOCS%%%%DOCSDIR%%/rfc2104.txt 
@@ -54,6 +79,14 @@ sbin/pwcheck %%PORTDOCS%%%%DOCSDIR%%/programming.html %%PORTDOCS%%%%DOCSDIR%%/sysadmin.html %%PORTDOCS%%@dirrm %%DOCSDIR%% +%%JAVASASL%%@dirrm share/java/classes/sasl/javax/security/auth/callback +%%JAVASASL%%@dirrm share/java/classes/sasl/javax/security/auth +%%JAVASASL%%@dirrm share/java/classes/sasl/javax/security +%%JAVASASL%%@dirrm share/java/classes/sasl/javax +%%JAVASASL%%@dirrm share/java/classes/sasl/CyrusSasl +%%JAVASASL%%@dirrm share/java/classes/sasl +%%JAVASASL%%@unexec rmdir %D/share/java/classes || true +%%JAVASASL%%@unexec rmdir %D/share/java || true @dirrm lib/sasl @cwd /var @exec install -d -m 770 -o cyrus -g cyrus %D/pwcheck diff --git a/security/cyrus-sasl2/scripts/configure.sasl b/security/cyrus-sasl2/scripts/configure.sasl index b4db08de7d59..65a36ef5c876 100644 --- a/security/cyrus-sasl2/scripts/configure.sasl +++ b/security/cyrus-sasl2/scripts/configure.sasl @@ -25,6 +25,7 @@ if [ "${BATCH}" ]; then OPTIONS="${OPTIONS} \"OpenLDAP1\"" fi if [ "${OPTIONS}" != "x" ]; then + OPTIONS="${OPTIONS} \"PWCHECK\"" set ${OPTIONS} fi else @@ -58,11 +59,14 @@ else /usr/bin/dialog --title "Additional SASL options" --clear \ --checklist "\n\ Please select desired options:" -1 -1 16 \ -NDBM "ndbm DB package" ${SET_NDBM} \ -DB3 "Berkeley DB package, revision 3" ${SET_DB3} \ +NDBM "ndbm DB" ${SET_NDBM} \ +DB3 "Berkeley DB, revision 3" ${SET_DB3} \ +JAVA "JavaSASL [Experimental]" ${SET_JAVA} \ MySQL "MySQL password Authentication" ${SET_MYSQL} \ -OpenLDAP1 "OpenLDAP 1.x support" ${SET_LDAP1} \ -OpenLDAP2 "OpenLDAP 2.x support" ${SET_LDAP2} \ +OpenLDAP1 "OpenLDAP 1.x password Authentication" ${SET_LDAP1} \ +OpenLDAP2 "OpenLDAP 2.x password Authentication w/TLS" ${SET_LDAP2} \ +PWCHECK "Use pwcheck for password Authentication" ON \ +PAMPWCHECK "Use pwcheck_pam for password Authentication" OFF \ 2> $tempfile retval=$? 
@@ -75,6 +79,8 @@ OpenLDAP2 "OpenLDAP 2.x support" ${SET_LDAP2} \ case $retval in 0) if [ -z "$*" ]; then echo "Nothing selected" + OPTIONS="\"NDBM\"" + set ${OPTIONS} fi ;; 1) echo "Cancel pressed." @@ -112,15 +118,16 @@ while [ "$1" ]; do DBLIB=1 ;; \"JAVA\") - echo "JAVA is disabled, Ignoring option" > /dev/stderr - ;; - \"DISABLED\") - echo "RUN_DEPENDS= \${LOCALBASE}/\${JAVADIR}/bin/java:\${PORTSDIR}/java/jdk" - echo "CONFIGURE_ARGS+= --with-java \\" - echo " --with-javabase=\${LOCALBASE}/include" + echo "BUILD_DEPENDS+= \${LOCALBASE}/\${JAVADIR}/bin/java:\${PORTSDIR}/java/jdk13" + echo "RUN_DEPENDS+= \${LOCALBASE}/\${JAVADIR}/bin/java:\${PORTSDIR}/java/jdk13" + echo "USE_GMAKE= yes" + echo "CONFIGURE_ARGS+= --enable-java \\" + echo " --with-javabase=\${LOCALBASE}/\${JAVADIR}" echo "CONFIGURE_ENV+= JAVAC=\"\${LOCALBASE}/\${JAVADIR}/bin/javac\" \\" - echo " JAVAH=\"\${LOCALBASE}/\${JAVADIR}/bin/javah" \\" - echo " JAVADOC=\"\${LOCALBASE}/\${JAVADIR}/bin/javadoc\" + echo " JAVAH=\"\${LOCALBASE}/\${JAVADIR}/bin/javah\" \\" + echo " JAVADOC=\"\${LOCALBASE}/\${JAVADIR}/bin/javadoc\"" + echo "PLIST_SUB+= JAVASASL=\"\"" + DEFJAVA=1 ;; \"MySQL\") echo "LIB_DEPENDS+= mysqlclient.10:\${PORTSDIR}/databases/mysql323-client" @@ -128,7 +135,7 @@ while [ "$1" ]; do MSG=1 ;; \"OpenLDAP1\") - if [ "$OPENLDAP2" ]; then + if [ "$OPENLDAP" ]; then echo "OpenLDAP1 and OpenLDAP2 are mutually exclusive." > /dev/stderr rm -f ${WRKDIRPREFIX}${REALCURDIR}/Makefile.inc exit 1 @@ -136,11 +143,10 @@ while [ "$1" ]; do echo "LIB_DEPENDS+= ldap.1:\${PORTSDIR}/net/openldap" echo "LIB_DEPENDS+= lber.1:\${PORTSDIR}/net/openldap" echo "CONFIGURE_ARGS+= --with-ldap=\${PREFIX}" - OPENLDAP1=1 - MSG=1 + OPENLDAP=1 ;; \"OpenLDAP2\") - if [ "$OPENLDAP1" ]; then + if [ "$OPENLDAP" ]; then echo "OpenLDAP1 and OpenLDAP2 are mutually exclusive." > /dev/stderr rm -f ${WRKDIRPREFIX}${REALCURDIR}/Makefile.inc exit 1 
@@ -148,8 +154,23 @@ while [ "$1" ]; do echo "LIB_DEPENDS+= ldap.2:\${PORTSDIR}/net/openldap2" echo "LIB_DEPENDS+= lber.2:\${PORTSDIR}/net/openldap2" echo "CONFIGURE_ARGS+= --with-ldap=\${PREFIX}" - OPENLDAP2=1 - MSG=1 + OPENLDAP=1 + ;; + \"PWCHECK\") + if [ "$PWCHECK" ]; then + echo "PWCHECK or PAMPWCHECK must be choosen seperately: Defaulting to PAMPWCHECK" > /dev/stderr + else + echo "PWCHECK_SUB+= -e \"s;%%PWCHECK%%;pwcheck;g\"" + PWCHECK=1 + fi + ;; + \"PAMPWCHECK\") + if [ "$PWCHECK" ]; then + echo "PWCHECK or PAMPWCHECK must be choosen seperately: Defaulting to PWCHECK" > /dev/stderr + else + echo "PWCHECK_SUB+= -e \"s;%%PWCHECK%%;pwcheck_pam;g\"" + PWCHECK=1 + fi ;; *) echo "Invalid option(s): $*" > /dev/stderr @@ -160,6 +181,20 @@ while [ "$1" ]; do shift done -if [ "x${MSG}" != "x" ]; then +if [ "$PWCHECK" ]; then + echo "PWCHECK_SUB+= -e \"s;%%ENABLEPWCHECK%%;yes;g\"" +else + echo "PWCHECK_SUB+= -e \"s;%%PWCHECK%%;pwcheck;g\" \\" + echo " -e \"s;%%ENABLEPWCHECK%%;no;g\"" +fi +if [ ! "${DEFJAVA}" ]; then + echo "PLIST_SUB+= JAVASASL=\"@comment \"" +fi +if [ ! "${DBLIB}" ]; then + echo "CONFIGURE_ARGS+= --with-dblib=ndbm" + echo "SASLDB_NAME= sasldb.db" +fi + +if [ "$OPENLDAP" ]; then echo "LDAP_MYSQL_MSG= \"See sysadmin.html in the Cyrus-SASL docs directory for informaion on using LDAP or MySQL for authentication.\"" fi
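Review bot: Selecting both PWCHECK and PAMPWCHECK only prints a warning to stderr and carries on with whichever option was parsed first, whereas the OpenLDAP1/OpenLDAP2 conflict in the neighbouring branches aborts. Because this choice decides which password verifier the startup script launches, I would fail the same way here, adding `rm -f ${WRKDIRPREFIX}${REALCURDIR}/Makefile.inc` and `exit 1` after the message, so the administrator cannot end up with a backend they did not intend. The enclosing `while`/`case` starts outside this hunk.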
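Review bot: The final test now keys on `$OPENLDAP` alone, but the context of the hunk at -128 still shows `MSG=1` just ahead of the OpenLDAP1 case, apparently the end of the MySQL branch. A MySQL-only selection would therefore stop emitting `LDAP_MYSQL_MSG`, although the message covers MySQL too, and `MSG` is left set but unread. If that is not intended, keep both conditions: `if [ "$OPENLDAP" ] || [ "x${MSG}" != "x" ]; then`.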