Merge pull request #6 from lmctv/pam_rhost

New version of Enable PAM_RHOST patch
cyrusimap · Mar 2, 2020 · f769dde · f769dde
2 parents bda4c98 + c813bf1
commit f769dde
Show file tree

Hide file tree

Showing 29 changed files with 144 additions and 52 deletions.
diff --git a/lib/checkpw.c b/lib/checkpw.c
@@ -657,6 +657,8 @@ static int saslauthd_verify_password(sasl_conn_t *conn,
     char pwpath[sizeof(srvaddr.sun_path)];
     const char *p = NULL;
     char *freeme = NULL;
+    char *freemetoo = NULL;
+    const char *client_addr = NULL;
 #ifdef USE_DOORS
     door_arg_t arg;
 #endif
@@ -692,28 +694,36 @@ static int saslauthd_verify_password(sasl_conn_t *conn,
 	user_realm = rtmp + 1;
     }
 
+    if (sasl_getprop(conn, SASL_IPREMOTEPORT, (const void **) & client_addr) == SASL_OK) {
+	if(_sasl_strdup(client_addr, &freemetoo, NULL) != SASL_OK)
+	    goto fail;
+	client_addr = freemetoo;
+    }
+
     /*
      * build request of the form:
      *
-     * count authid count password count service count realm
+     * count authid count password count service count realm client
      */
     {
- 	unsigned short max_len, req_len, u_len, p_len, s_len, r_len;
+	unsigned short max_len, req_len, u_len, p_len, s_len, r_len, c_len;
 
 	max_len = (unsigned short) sizeof(query);
 
 	/* prevent buffer overflow */
 	if ((strlen(userid) > USHRT_MAX) ||
 	    (strlen(passwd) > USHRT_MAX) ||
 	    (strlen(service) > USHRT_MAX) ||
-	    (user_realm && (strlen(user_realm) > USHRT_MAX))) {
+	    (user_realm && (strlen(user_realm) > USHRT_MAX)) ||
+	    (client_addr && (strlen(client_addr) > USHRT_MAX))) {
 	    goto toobig;
 	}
 
  	u_len = (strlen(userid));
  	p_len = (strlen(passwd));
 	s_len = (strlen(service));
 	r_len = ((user_realm ? strlen(user_realm) : 0));
+	c_len = ((client_addr ? strlen(client_addr): 0));
 
 	/* prevent buffer overflow */
 	req_len = 30;
@@ -724,11 +734,14 @@ static int saslauthd_verify_password(sasl_conn_t *conn,
 	if (max_len - req_len < s_len) goto toobig;
 	req_len += s_len;
 	if (max_len - req_len < r_len) goto toobig;
+	req_len += r_len;
+	if (max_len - req_len < c_len) goto toobig;
 
 	u_len = htons(u_len);
 	p_len = htons(p_len);
 	s_len = htons(s_len);
 	r_len = htons(r_len);
+	c_len = htons(c_len);
 
 	memcpy(query_end, &u_len, sizeof(unsigned short));
 	query_end += sizeof(unsigned short);
@@ -745,6 +758,10 @@ static int saslauthd_verify_password(sasl_conn_t *conn,
 	memcpy(query_end, &r_len, sizeof(unsigned short));
 	query_end += sizeof(unsigned short);
 	if (user_realm) while (*user_realm) *query_end++ = *user_realm++;
+
+	memcpy(query_end, &c_len, sizeof(unsigned short));
+	query_end += sizeof(unsigned short);
+	if(client_addr) while (*client_addr) *query_end++ = *client_addr++;
     }
 
 #ifdef USE_DOORS
@@ -847,6 +864,7 @@ static int saslauthd_verify_password(sasl_conn_t *conn,
 #endif /* USE_DOORS */
 
     if(freeme) free(freeme);
+    if(freemetoo) free(freemetoo);
 
     if (!strncmp(response, "OK", 2)) {
 	return SASL_OK;
@@ -861,6 +879,7 @@ static int saslauthd_verify_password(sasl_conn_t *conn,
 
  fail:
     if (freeme) free(freeme);
+    if (freemetoo) free(freemetoo);
     return SASL_FAIL;
 }
 

diff --git a/saslauthd/auth_dce.c b/saslauthd/auth_dce.c
@@ -52,7 +52,8 @@ auth_dce(
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   /* END PARAMETERS */
   )
 {
@@ -100,7 +101,8 @@ auth_dce(
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
      return NULL;

diff --git a/saslauthd/auth_dce.h b/saslauthd/auth_dce.h
@@ -26,4 +26,4 @@
  * END COPYRIGHT
  */
 
-char *auth_dce(const char *, const char *, const char *, const char *);
+char *auth_dce(const char *, const char *, const char *, const char *, const char *);
diff --git a/saslauthd/auth_getpwent.c b/saslauthd/auth_getpwent.c
@@ -68,7 +68,8 @@ auth_getpwent (
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))   /* I: remote host address */
   /* END PARAMETERS */
   )
 {

diff --git a/saslauthd/auth_getpwent.h b/saslauthd/auth_getpwent.h
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_getpwent(const char *, const char *, const char *, const char *);
+char *auth_getpwent(const char *, const char *, const char *, const char *, const char *);
diff --git a/saslauthd/auth_httpform.c b/saslauthd/auth_httpform.c
@@ -491,7 +491,8 @@ auth_httpform (
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm                    /* I: user's realm */
+  const char *realm,                    /* I: user's realm */
+  const char *remote __attribute__((unused)) /* I: client address */
   /* END PARAMETERS */
   )
 {

diff --git a/saslauthd/auth_httpform.h b/saslauthd/auth_httpform.h
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_httpform(const char *, const char *, const char *, const char *);
+char *auth_httpform(const char *, const char *, const char *, const char *, const char *);
 int auth_httpform_init(void);
diff --git a/saslauthd/auth_krb4.c b/saslauthd/auth_krb4.c
@@ -167,7 +167,8 @@ auth_krb4 (
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,
-  const char *realm_in
+  const char *realm_in,
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -278,7 +279,8 @@ auth_krb4 (
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;

diff --git a/saslauthd/auth_krb4.h b/saslauthd/auth_krb4.h
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_krb4(const char *, const char *, const char *, const char *);
+char *auth_krb4(const char *, const char *, const char *, const char *, const char *);
 int auth_krb4_init(void);
diff --git a/saslauthd/auth_krb5.c b/saslauthd/auth_krb5.c
@@ -175,7 +175,8 @@ auth_krb5 (
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,                  /* I: service authenticating to */
-  const char *realm                     /* I: user's realm */
+  const char *realm,                    /* I: user's realm */
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -362,7 +363,8 @@ auth_krb5 (
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,			/* I: service authenticating to */
-  const char *realm			/* I: user's realm */
+  const char *realm,			/* I: user's realm */
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -470,7 +472,8 @@ auth_krb5 (
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;

diff --git a/saslauthd/auth_krb5.h b/saslauthd/auth_krb5.h
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_krb5(const char *, const char *, const char *, const char *);
+char *auth_krb5(const char *, const char *, const char *, const char *, const char *);
 int auth_krb5_init(void);
diff --git a/saslauthd/auth_ldap.c b/saslauthd/auth_ldap.c
@@ -56,7 +56,8 @@ auth_ldap(
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,
-  const char *realm
+  const char *realm,
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -106,7 +107,8 @@ auth_ldap(
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
      return NULL;

diff --git a/saslauthd/auth_ldap.h b/saslauthd/auth_ldap.h
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_ldap(const char *, const char *, const char *, const char *);
+char *auth_ldap(const char *, const char *, const char *, const char *, const char *);
 int auth_ldap_init(void);
diff --git a/saslauthd/auth_pam.c b/saslauthd/auth_pam.c
@@ -181,7 +181,8 @@ auth_pam (
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,			/* I: service name */
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -208,6 +209,14 @@ auth_pam (
 
     my_appdata.pamh = pamh;
 
+    char * remote_host = strdup(remote);
+    if (remote_host) {
+	char * semicol = strchr(remote_host, ';');
+	if (semicol) * semicol = NULL; /* truncate remote_host at the ';' port separator */
+	pam_set_item(pamh, PAM_RHOST, remote_host);
+	free (remote_host);
+    }
+
     rc = pam_authenticate(pamh, PAM_SILENT);
     if (rc != PAM_SUCCESS) {
 	syslog(LOG_DEBUG, "DEBUG: auth_pam: pam_authenticate failed: %s",
@@ -237,7 +246,8 @@ auth_pam(
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;

diff --git a/saslauthd/auth_pam.h b/saslauthd/auth_pam.h
@@ -32,4 +32,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_pam(const char *, const char *, const char *, const char *);
+char *auth_pam(const char *, const char *, const char *, const char *, const char *);
diff --git a/saslauthd/auth_rimap.c b/saslauthd/auth_rimap.c
@@ -451,7 +451,8 @@ auth_rimap (
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused)) /* I: remote host address */
   /* END PARAMETERS */
   )
 {

diff --git a/saslauthd/auth_rimap.h b/saslauthd/auth_rimap.h
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_rimap(const char *, const char *, const char *, const char *);
+char *auth_rimap(const char *, const char *, const char *, const char *, const char *);
 int auth_rimap_init(void);
diff --git a/saslauthd/auth_sasldb.c b/saslauthd/auth_sasldb.c
@@ -120,13 +120,14 @@ auth_sasldb (
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm
+  const char *realm,
 #else
   const char *login __attribute__((unused)),/* I: plaintext authenticator */
   const char *password __attribute__((unused)),  /* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
 #endif
+  const char *remote __attribute__((unused)) /* I: remote host address */
   /* END PARAMETERS */
   )
 {

diff --git a/saslauthd/auth_sasldb.h b/saslauthd/auth_sasldb.h
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_sasldb(const char *, const char *, const char *, const char *);
+char *auth_sasldb(const char *, const char *, const char *, const char *, const char *);
diff --git a/saslauthd/auth_shadow.c b/saslauthd/auth_shadow.c
@@ -94,7 +94,8 @@ auth_shadow (
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused)) /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -321,7 +322,8 @@ auth_shadow (
   const char *login __attribute__((unused)),
   const char *passwd __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;

diff --git a/saslauthd/auth_shadow.h b/saslauthd/auth_shadow.h
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_shadow(const char *, const char *, const char *, const char *);
+char *auth_shadow(const char *, const char *, const char *, const char *, const char *);
diff --git a/saslauthd/auth_sia.c b/saslauthd/auth_sia.c
@@ -52,7 +52,8 @@ auth_sia (
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused)) /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -80,7 +81,8 @@ auth_sia(
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;

diff --git a/saslauthd/auth_sia.h b/saslauthd/auth_sia.h
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_sia(const char *, const char *, const char *, const char *);
+char *auth_sia(const char *, const char *, const char *, const char *, const char *);