- (tim) [configure.ac auth.c defines.h session.c openbsd-compat/port-uw.c

openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] libiaf cleanup. Disable
   libiaf bits for OpenServer6. Free memory allocated by ia_get_logpwd().
   Feedback and OK dtucker@

ChangeLog

@@ -1,4 +1,4 @@
-20050830
+20050831
  - (djm) OpenBSD CVS Sync
    - djm@cvs.openbsd.org 2005/08/30 22:08:05
      [gss-serv.c sshconnect2.c]
@@ -11,6 +11,10 @@
      [version.h]
      4.2
  - (dtucker) [README] Update release note URL to 4.2
+ - (tim) [configure.ac auth.c defines.h session.c openbsd-compat/port-uw.c
+   openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] libiaf cleanup. Disable
+   libiaf bits for OpenServer6. Free memory allocated by ia_get_logpwd().
+   Feedback and OK dtucker@
 
 20050830
  - (tim) [configure.ac] Back out last change. It needs to be done differently.
@@ -2982,4 +2986,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3885 2005/08/31 14:05:56 dtucker Exp $
+$Id: ChangeLog,v 1.3886 2005/08/31 16:59:49 tim Exp $

auth.c

@@ -97,11 +97,11 @@ allowed_user(struct passwd * pw)
 	/* grab passwd field for locked account check */
 #ifdef USE_SHADOW
 	if (spw != NULL)
-#ifdef HAVE_LIBIAF
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
 		passwd = get_iaf_password(pw);
 #else
 		passwd = spw->sp_pwdp;
-#endif /* HAVE_LIBIAF */
+#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
 #else
 	passwd = pw->pw_passwd;
 #endif
@@ -123,6 +123,9 @@ allowed_user(struct passwd * pw)
 		if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
 			locked = 1;
 #endif
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+		free(passwd);
+#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
 		if (locked) {
 			logit("User %.100s not allowed because account is locked",
 			    pw->pw_name);

configure.ac

@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.291 2005/08/30 14:12:02 tim Exp $
+# $Id: configure.ac,v 1.292 2005/08/31 16:59:49 tim Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -456,6 +456,7 @@ mips-sony-bsd|mips-sony-newsos4)
 	case "$host" in
 	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
 		TEST_SHELL=/u95/bin/sh
+		AC_DEFINE(BROKEN_LIBIAF, 1, [ia_uinfo routines not supported by OS yet])
 		;;
 	esac
 	;;

defines.h

@@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
 
-/* $Id: defines.h,v 1.126 2005/08/26 20:15:20 tim Exp $ */
+/* $Id: defines.h,v 1.127 2005/08/31 16:59:49 tim Exp $ */
 
 
 /* Constants */
@@ -688,7 +688,7 @@ struct winsize {
 # define CUSTOM_SYS_AUTH_PASSWD 1
 #endif
 
-#ifdef UNIXWARE_LONG_PASSWORDS
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
 # define CUSTOM_SYS_AUTH_PASSWD 1
 #endif
 

openbsd-compat/port-uw.c

@@ -25,7 +25,7 @@
 
 #include "includes.h"
 
-#ifdef UNIXWARE_LONG_PASSWORDS
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
 #ifdef HAVE_CRYPT_H
 #include <crypt.h>
 #endif
@@ -44,6 +44,7 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 	struct passwd *pw = authctxt->pw;
 	char *encrypted_password;
 	char *salt;
+	int result;
 
 	/* Just use the supplied fake password if authctxt is invalid */
 	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
@@ -52,13 +53,27 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
 		return (1);
 
+	/* Encrypt the candidate password using the proper salt. */
 	salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx";
-	if (nischeck(pw->pw_name))
-		return(strcmp(crypt(password, salt), pw_password) == 0);
+#ifdef UNIXWARE_LONG_PASSWORDS
+	if (!nischeck(pw->pw_name))
+		encrypted_password = bigcrypt(password, salt);
 	else
-		return(strcmp(bigcrypt(password, salt), pw_password) == 0);
+#endif /* UNIXWARE_LONG_PASSWORDS */
+		encrypted_password = xcrypt(password, salt);
+
+	/*
+	 * Authentication is accepted if the encrypted passwords
+	 * are identical.
+	 */
+	result = (strcmp(encrypted_password, pw_password) == 0);
+
+	if (authctxt->valid)
+		free(pw_password);
+	return(result);
 }
 
+#ifdef UNIXWARE_LONG_PASSWORDS
 int
 nischeck(char *namep)
 {
@@ -94,7 +109,11 @@ nischeck(char *namep)
 
 #endif /* UNIXWARE_LONG_PASSWORDS */
 
-#ifdef HAVE_LIBIAF
+/*
+	NOTE: ia_get_logpwd() allocates memory for arg 2
+	functions that call shadow_pw() will need to free
+ */
+
 char *
 get_iaf_password(struct passwd *pw)
 {
@@ -104,12 +123,12 @@ get_iaf_password(struct passwd *pw)
 	if (!ia_openinfo(pw->pw_name,&uinfo)) {
 		ia_get_logpwd(uinfo, &pw_password);
 		if (pw_password == NULL)
-			fatal("Unable to get the shadow passwd");
+			fatal("ia_get_logpwd: Unable to get the shadow passwd");
 		ia_closeinfo(uinfo);
 	 	return pw_password;
 	}
 	else
-		fatal("Unable to open the shadow passwd file");
+		fatal("ia_openinfo: Unable to open the shadow passwd file");
 }
-#endif /* HAVE_LIBIAF */
+#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
 

openbsd-compat/port-uw.h

@@ -24,7 +24,7 @@
 
 #include "includes.h"
 
-#ifdef HAVE_LIBIAF
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
 char * get_iaf_password(struct passwd *pw);
-#endif /* HAVE_LIBIAF */
+#endif
 

openbsd-compat/xcrypt.c

@@ -91,12 +91,13 @@ shadow_pw(struct passwd *pw)
 	struct spwd *spw = getspnam(pw->pw_name);
 
 	if (spw != NULL)
-#ifdef HAVE_LIBIAF
-		pw_password = get_iaf_password(pw);
-#else
 		pw_password = spw->sp_pwdp;
-#endif /* HAVE_LIBIAF */
 # endif
+
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+	return(get_iaf_password(pw));
+#endif
+
 # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
 	struct passwd_adjunct *spw;
 	if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)

session.c

@@ -1334,11 +1334,11 @@ do_setusercontext(struct passwd *pw)
 # ifdef _AIX
 		aix_usrinfo(pw);
 # endif /* _AIX */
-# ifdef HAVE_LIBIAF
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
 		if (set_id(pw->pw_name) != 0) {
 			exit(1);
 		}
-# endif
+#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
 		/* Permanently switch to the desired uid. */
 		permanently_set_uid(pw);
 #endif