saslauthd SASL_IPREMOTEPORT -> PAM_RHOST


 



Since I've seen some other people requesting the functionality [*], I think
someone could like getting a courtesy copy of a bugzilla entry I've just
filed on bugzilla.cyrusimap.org:

http://bugzilla.cyrusimap.org/bugzilla3/show_bug.cgi?id=3468

I'm attaching both a 2.1.23 and a 2.1.24 version of the patch, since there is a merge conflict between the former and 2.1.24 sources.

I'd be grateful about any comment - review - test which could help with upstreaming my patch.

Please keep in mind that I'm unable to test on a solaris box; therefore,
the ipc_doors changes should be treated as VERY SUSPECT; still, I think they make sense, and would be twice as grateful to any solaris tester...

Thank you very much, yours

	lorenzo

[*] In particular, a Google search led to the following pages:

http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2011-March/002218.html
     "saslauthd/PAM IP logging on failure"   - 2011-03-26

https://bugzilla.redhat.com/show_bug.cgi?id=683797
     "saslauthd using pam does not log rhost (remote host) IP/hostname
          or requested login in /var/log/secure" - 2011-03-10

http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2010-July/002108.html
     "PAM authentication - Remote host"      - 2010-07-13

http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2010-May/002085.html
     "remote client ip"                      - 2010-05-24

diff -ru cyrus-sasl-2.1.24.orig/lib/checkpw.c cyrus-sasl-2.1.24/lib/checkpw.c
--- cyrus-sasl-2.1.24.orig/lib/checkpw.c	2009-08-13 14:36:42.000000000 +0200
+++ cyrus-sasl-2.1.24/lib/checkpw.c	2011-05-22 12:39:05.000000000 +0200
@@ -654,6 +654,8 @@
     char pwpath[sizeof(srvaddr.sun_path)];
     const char *p = NULL;
     char *freeme = NULL;
+    char *freemetoo = NULL;
+    const char *client_addr = NULL;
 #ifdef USE_DOORS
     door_arg_t arg;
 #endif
@@ -685,13 +687,19 @@
 	user_realm = rtmp + 1;
     }
 
+    if (sasl_getprop(conn, SASL_IPREMOTEPORT, (const void **) & client_addr) == SASL_OK) {
+	if(_sasl_strdup(client_addr, &freemetoo, NULL) != SASL_OK)
+	    goto fail;
+	client_addr = freemetoo;
+    }
+
     /*
      * build request of the form:
      *
-     * count authid count password count service count realm
+     * count authid count password count service count realm client
      */
     {
- 	unsigned short max_len, req_len, u_len, p_len, s_len, r_len;
+ 	unsigned short max_len, req_len, u_len, p_len, s_len, r_len, c_len;
  
 	max_len = (unsigned short) sizeof(query);
 
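Review bot: The request-format comment now reads `count authid count password count service count realm client`, but the code added further down writes a two-byte length in front of the client address, like every other field. The comment documents the wire format shared with saslauthd, so it should read `count authid count password count service count realm count client`. The block opened by `{` continues past the end of this hunk.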
@@ -699,7 +707,8 @@
 	if ((strlen(userid) > USHRT_MAX) ||
 	    (strlen(passwd) > USHRT_MAX) ||
 	    (strlen(service) > USHRT_MAX) ||
-	    (user_realm && (strlen(user_realm) > USHRT_MAX))) {
+	    (user_realm && (strlen(user_realm) > USHRT_MAX))
+	    (client_addr && (strlen(client_addr) > USHRT_MAX))) {
 	    goto toobig;
 	}
 
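Review bot: The added `(client_addr && (strlen(client_addr) > USHRT_MAX))` operand is not joined to the test before it, because the `||` is missing at the end of the `user_realm` line. As written, the condition parses as a call on a parenthesised expression and should not compile. The previous line should end `(user_realm && (strlen(user_realm) > USHRT_MAX)) ||`. This is the check that keeps every length within `unsigned short` before it is narrowed, so the 2.1.24 variant needs a build and a test run once the operator is restored.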
@@ -707,6 +716,7 @@
  	p_len = (strlen(passwd));
 	s_len = (strlen(service));
 	r_len = ((user_realm ? strlen(user_realm) : 0));
+	c_len = ((client_addr ? strlen(client_addr): 0));
 
 	/* prevent buffer overflow */
 	req_len = 30;
@@ -717,11 +727,14 @@
 	if (max_len - req_len < s_len) goto toobig;
 	req_len += s_len;
 	if (max_len - req_len < r_len) goto toobig;
+	req_len += r_len;
+	if (max_len - req_len < c_len) goto toobig;
 
 	u_len = htons(u_len);
 	p_len = htons(p_len);
 	s_len = htons(s_len);
 	r_len = htons(r_len);
+	c_len = htons(c_len);
 
 	memcpy(query_end, &u_len, sizeof(unsigned short));
 	query_end += sizeof(unsigned short);
@@ -738,6 +751,10 @@
 	memcpy(query_end, &r_len, sizeof(unsigned short));
 	query_end += sizeof(unsigned short);
 	if (user_realm) while (*user_realm) *query_end++ = *user_realm++;
+
+	memcpy(query_end, &c_len, sizeof(unsigned short));
+	query_end += sizeof(unsigned short);
+	if(client_addr) while (*client_addr) *query_end++ = *client_addr++;
     }
 
 #ifdef USE_DOORS
@@ -838,7 +855,8 @@
     close(s);
 #endif /* USE_DOORS */
   
-    if(freeme) free(freeme);
+    if (freeme) free(freeme);
+    if (freemetoo) free(freemetoo);
 
     if (!strncmp(response, "OK", 2)) {
 	return SASL_OK;
@@ -853,6 +871,7 @@
 
  fail:
     if (freeme) free(freeme);
+    if (freemetoo) free(freemetoo);
     return SASL_FAIL;
 }
 
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_dce.c cyrus-sasl-2.1.24/saslauthd/auth_dce.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_dce.c	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_dce.c	2011-05-22 12:24:47.000000000 +0200
@@ -56,7 +56,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote
   /* END PARAMETERS */
   )
 {
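Review bot: The new `remote` parameter in this signature has neither the `/* I: remote host address */` comment that the other mechanisms receive nor `__attribute__((unused))`, which the neighbouring unused parameters carry. No hunk in this patch touches the body of this function, so `remote` is presumably never read here; `const char *remote __attribute__((unused))	/* I: remote host address */` would keep the file consistent and quiet under unused-parameter warnings. The same applies to the other non-PAM mechanisms whose signatures gain `remote` while their bodies stay unchanged.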
@@ -104,7 +105,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
      return NULL;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_dce.h cyrus-sasl-2.1.24/saslauthd/auth_dce.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_dce.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_dce.h	2011-05-22 12:24:47.000000000 +0200
@@ -26,4 +26,4 @@
  * END COPYRIGHT
  */
 
-char *auth_dce(const char *, const char *, const char *, const char *);
+char *auth_dce(const char *, const char *, const char *, const char *, const char *);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_getpwent.c cyrus-sasl-2.1.24/saslauthd/auth_getpwent.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_getpwent.c	2009-05-07 17:21:15.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_getpwent.c	2011-05-22 12:24:47.000000000 +0200
@@ -67,7 +67,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_getpwent.h cyrus-sasl-2.1.24/saslauthd/auth_getpwent.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_getpwent.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_getpwent.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_getpwent(const char *, const char *, const char *, const char *);
+char *auth_getpwent(const char *, const char *, const char *, const char *, const char *);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_httpform.c cyrus-sasl-2.1.24/saslauthd/auth_httpform.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_httpform.c	2006-04-19 21:51:04.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_httpform.c	2011-05-22 12:24:47.000000000 +0200
@@ -463,7 +463,8 @@
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,
-  const char *realm
+  const char *realm,
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_httpform.h cyrus-sasl-2.1.24/saslauthd/auth_httpform.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_httpform.h	2006-03-13 21:17:09.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_httpform.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_httpform(const char *, const char *, const char *, const char *);
+char *auth_httpform(const char *, const char *, const char *, const char *, const char *);
 int auth_httpform_init(void);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_krb4.c cyrus-sasl-2.1.24/saslauthd/auth_krb4.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_krb4.c	2005-02-01 13:26:34.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_krb4.c	2011-05-22 12:24:47.000000000 +0200
@@ -171,7 +171,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,
-  const char *realm_in
+  const char *realm_in,
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -282,7 +283,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_krb4.h cyrus-sasl-2.1.24/saslauthd/auth_krb4.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_krb4.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_krb4.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_krb4(const char *, const char *, const char *, const char *);
+char *auth_krb4(const char *, const char *, const char *, const char *, const char *);
 int auth_krb4_init(void);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_krb5.c cyrus-sasl-2.1.24/saslauthd/auth_krb5.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_krb5.c	2009-05-07 17:21:15.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_krb5.c	2011-05-22 12:24:47.000000000 +0200
@@ -172,7 +172,8 @@
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,                  /* I: service authenticating to */
-  const char *realm                     /* I: user's realm */
+  const char *realm,                    /* I: user's realm */
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -356,7 +357,8 @@
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,			/* I: service authenticating to */
-  const char *realm			/* I: user's realm */
+  const char *realm,			/* I: user's realm */
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -464,7 +466,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_krb5.h cyrus-sasl-2.1.24/saslauthd/auth_krb5.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_krb5.h	2002-04-25 20:31:38.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_krb5.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_krb5(const char *, const char *, const char *, const char *);
+char *auth_krb5(const char *, const char *, const char *, const char *, const char *);
 int auth_krb5_init(void);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_ldap.c cyrus-sasl-2.1.24/saslauthd/auth_ldap.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_ldap.c	2004-12-08 13:12:27.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_ldap.c	2011-05-22 12:24:47.000000000 +0200
@@ -60,7 +60,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,
-  const char *realm
+  const char *realm,
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -116,7 +117,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
      return NULL;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_ldap.h cyrus-sasl-2.1.24/saslauthd/auth_ldap.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_ldap.h	2002-06-19 19:35:29.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_ldap.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_ldap(const char *, const char *, const char *, const char *);
+char *auth_ldap(const char *, const char *, const char *, const char *, const char *);
 int auth_ldap_init(void);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_pam.c cyrus-sasl-2.1.24/saslauthd/auth_pam.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_pam.c	2005-05-15 08:43:19.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_pam.c	2011-05-22 12:24:47.000000000 +0200
@@ -186,7 +186,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,			/* I: service name */
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -213,6 +214,14 @@
 
     my_appdata.pamh = pamh;
 
+    char * remote_host = strdup(remote);
+    if (remote_host) {
+	char * semicol = strchr(remote_host, ';');
+	if (semicol) * semicol = NULL; /* truncate remote_host at the ';' port separator */
+	pam_set_item(pamh, PAM_RHOST, remote_host);
+	free (remote_host);
+    }
+
     rc = pam_authenticate(pamh, PAM_SILENT);
     if (rc != PAM_SUCCESS) {
 	syslog(LOG_DEBUG, "DEBUG: auth_pam: pam_authenticate failed: %s",
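Review bot: `* semicol = NULL;` stores a null pointer constant into a `char`; the terminator should be `'\0'`. The block also calls `strdup(remote)` without checking that `remote` is non-NULL and non-empty, ignores the result of `pam_set_item`, and declares variables after a statement, which the context lines around it do not do. Note that `remote` is whatever the process talking to saslauthd supplied, so PAM modules that base access decisions on PAM_RHOST are trusting that caller's claim. The function starts and ends outside the hunk.

```c
    /* … unchanged: my_appdata.pamh = pamh; … */
    if (remote != NULL && *remote != '\0') {
	char *remote_host = strdup(remote);

	if (remote_host != NULL) {
	    /* SASL_IPREMOTEPORT is "address;port": keep the address part only */
	    remote_host[strcspn(remote_host, ";")] = '\0';
	    rc = pam_set_item(pamh, PAM_RHOST, remote_host);
	    free(remote_host);
	    if (rc != PAM_SUCCESS) {
		syslog(LOG_DEBUG, "DEBUG: auth_pam: pam_set_item(PAM_RHOST) failed: %s",
		       pam_strerror(pamh, rc));
	    }
	}
    }
    /* … unchanged: rc = pam_authenticate(pamh, PAM_SILENT); … */
```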
@@ -242,7 +251,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_pam.h cyrus-sasl-2.1.24/saslauthd/auth_pam.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_pam.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_pam.h	2011-05-22 12:24:47.000000000 +0200
@@ -32,4 +32,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_pam(const char *, const char *, const char *, const char *);
+char *auth_pam(const char *, const char *, const char *, const char *, const char *);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_rimap.c cyrus-sasl-2.1.24/saslauthd/auth_rimap.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_rimap.c	2009-05-07 17:21:15.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_rimap.c	2011-05-22 12:24:47.000000000 +0200
@@ -298,7 +298,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_rimap.h cyrus-sasl-2.1.24/saslauthd/auth_rimap.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_rimap.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_rimap.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_rimap(const char *, const char *, const char *, const char *);
+char *auth_rimap(const char *, const char *, const char *, const char *, const char *);
 int auth_rimap_init(void);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_sasldb.c cyrus-sasl-2.1.24/saslauthd/auth_sasldb.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_sasldb.c	2009-05-07 17:21:16.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_sasldb.c	2011-05-22 12:24:47.000000000 +0200
@@ -118,13 +118,14 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm
+  const char *realm,
 #else
   const char *login __attribute__((unused)),/* I: plaintext authenticator */
   const char *password __attribute__((unused)),  /* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
 #endif
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_sasldb.h cyrus-sasl-2.1.24/saslauthd/auth_sasldb.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_sasldb.h	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_sasldb.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_sasldb(const char *, const char *, const char *, const char *);
+char *auth_sasldb(const char *, const char *, const char *, const char *, const char *);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_shadow.c cyrus-sasl-2.1.24/saslauthd/auth_shadow.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_shadow.c	2009-08-14 17:41:36.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/auth_shadow.c	2011-05-22 12:24:47.000000000 +0200
@@ -86,7 +86,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -280,7 +281,8 @@
   const char *login __attribute__((unused)),
   const char *passwd __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_shadow.h cyrus-sasl-2.1.24/saslauthd/auth_shadow.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_shadow.h	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_shadow.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_shadow(const char *, const char *, const char *, const char *);
+char *auth_shadow(const char *, const char *, const char *, const char *, const char *);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_sia.c cyrus-sasl-2.1.24/saslauthd/auth_sia.c
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_sia.c	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_sia.c	2011-05-22 12:24:47.000000000 +0200
@@ -56,7 +56,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -84,7 +85,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/auth_sia.h cyrus-sasl-2.1.24/saslauthd/auth_sia.h
--- cyrus-sasl-2.1.24.orig/saslauthd/auth_sia.h	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/auth_sia.h	2011-05-22 12:24:47.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_sia(const char *, const char *, const char *, const char *);
+char *auth_sia(const char *, const char *, const char *, const char *, const char *);
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/ipc_doors.c cyrus-sasl-2.1.24/saslauthd/ipc_doors.c
--- cyrus-sasl-2.1.24.orig/saslauthd/ipc_doors.c	2004-04-27 18:01:50.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/ipc_doors.c	2011-05-22 12:24:47.000000000 +0200
@@ -218,6 +218,7 @@
 	char			password[MAX_REQ_LEN + 1]; /* password for authentication            */
 	char			service[MAX_REQ_LEN + 1];  /* service name for authentication        */
 	char			realm[MAX_REQ_LEN + 1];    /* user realm for authentication          */
+	char			client_addr[MAX_REQ_LEN + 1];  /* client address and port            */
 
 
 	/**************************************************************
@@ -294,6 +295,22 @@
 	memcpy(realm, data, count);
 	realm[count] = '\0';
 
+	/* client_addr */
+	memcpy(&count, data, sizeof(unsigned short));
+
+	count = ntohs(count);
+	data += sizeof(unsigned short);
+
+	if (count > MAX_REQ_LEN || data + count > dataend) {
+		logger(L_ERR, L_FUNC, "client_addr exceeds MAX_REQ_LEN: %d",
+		       MAX_REQ_LEN);
+		send_no("");
+		return;
+	}	
+
+	memcpy(client_addr, data, count);
+	client_addr[count] = '\0';
+
 	/**************************************************************
  	 * We don't allow NULL passwords or login names
 	 **************************************************************/
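Review bot: The two-byte length of client_addr is copied out of `data` before anything checks that two bytes remain before `dataend`. A request that ends after the realm, for example one from a library built without this patch, would make that `memcpy` read past the end of the received request, unless a check outside this hunk already rules it out. Guard the read first, for example `if ((size_t)(dataend - data) < sizeof(unsigned short)) { send_no(""); return; }`. The log text also says "exceeds MAX_REQ_LEN" when the failing condition may have been `data + count > dataend`, which will mislead whoever reads the log.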
@@ -312,7 +329,7 @@
 	/**************************************************************
 	 * Get the mechanism response from do_auth() and send it back.
 	 **************************************************************/
-	response = do_auth(login, password, service, realm);
+	response = do_auth(login, password, service, realm, client_addr);
 
 	memset(password, 0, strlen(password));
 
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/ipc_unix.c cyrus-sasl-2.1.24/saslauthd/ipc_unix.c
--- cyrus-sasl-2.1.24.orig/saslauthd/ipc_unix.c	2003-10-30 20:06:42.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/ipc_unix.c	2011-05-22 12:24:47.000000000 +0200
@@ -329,6 +329,7 @@
 	char			password[MAX_REQ_LEN + 1]; /* password for authentication            */
 	char			service[MAX_REQ_LEN + 1];  /* service name for authentication        */
 	char			realm[MAX_REQ_LEN + 1];    /* user realm for authentication          */
+	char			client_addr[MAX_REQ_LEN + 1];  /* client address and port            */
 
 
 	/**************************************************************
@@ -399,12 +400,28 @@
 		send_no(conn_fd, "");
 		return;
 	}	
-
 	if (rx_rec(conn_fd, (void *)realm, (size_t)count) != (ssize_t)count) 
 		return;
 
 	realm[count] = '\0';
 
+	/* client_addr */
+	if (rx_rec(conn_fd, (void *)&count, (size_t)sizeof(count)) != (ssize_t)sizeof(count))
+		return;
+
+	count = ntohs(count);
+
+	if (count > MAX_REQ_LEN) {
+		logger(L_ERR, L_FUNC, "client address exceeded MAX_REQ_LEN: %d", MAX_REQ_LEN);
+		send_no(conn_fd, "");
+		return;
+	}
+
+	if (rx_rec(conn_fd, (void *)&client_addr, (size_t)count) != (ssize_t)count)
+		return;
+
+	client_addr[count] = '\0';
+
 	/**************************************************************
  	 * We don't allow NULL passwords or login names
 	 **************************************************************/
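Review bot: The request now carries a mandatory fifth field, so a client library that still sends the four-field request makes the `rx_rec` for the client_addr length come up short. The function then returns without `send_no` and without a log line. That means lib/checkpw.c and saslauthd have to be upgraded in lockstep, and a mismatch shows up only as unexplained authentication failures. Consider treating a request that ends after the realm as having an empty client address, or at least log the short read. Separately, `(void *)&client_addr` should be `(void *)client_addr` to match the `realm` read just above.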
@@ -423,7 +440,7 @@
 	/**************************************************************
 	 * Get the mechanism response from do_auth() and send it back.
 	 **************************************************************/
-	response = do_auth(login, password, service, realm);
+	response = do_auth(login, password, service, realm, client_addr);
 
 	memset(password, 0, strlen(password));
 
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/mechanisms.h cyrus-sasl-2.1.24/saslauthd/mechanisms.h
--- cyrus-sasl-2.1.24.orig/saslauthd/mechanisms.h	2006-03-13 21:17:09.000000000 +0100
+++ cyrus-sasl-2.1.24/saslauthd/mechanisms.h	2011-05-22 12:24:47.000000000 +0200
@@ -40,8 +40,8 @@
     char *name;				/* name of the mechanism */
     int (*initialize)(void);		/* initialization function */
     char *(*authenticate)(const char *, const char *,
-			  const char *, const char *); /* authentication
-							  function */
+			  const char *, const char *,
+			  const char *); /* authentication function */
 } authmech_t;
 
 extern authmech_t mechanisms[];		/* array of supported auth mechs */
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/saslauthd-main.c cyrus-sasl-2.1.24/saslauthd/saslauthd-main.c
--- cyrus-sasl-2.1.24.orig/saslauthd/saslauthd-main.c	2009-05-07 17:21:16.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/saslauthd-main.c	2011-05-22 12:24:47.000000000 +0200
@@ -378,7 +378,7 @@
  * return a pointer to a string to send back to the client.
  * The caller is responsible for freeing the pointer. 
  **************************************************************/
-char *do_auth(const char *_login, const char *password, const char *service, const char *realm) {
+char *do_auth(const char *_login, const char *password, const char *service, const char *realm, const char *remote) {
 
 	struct cache_result	lkup_result;
 	char			*response;
@@ -407,7 +407,7 @@
 		response = strdup("OK");
 		cached = 1;
 	} else {
-		response = auth_mech->authenticate(login, password, service, realm);
+		response = auth_mech->authenticate(login, password, service, realm, remote);
 
 		if (response == NULL) {
 			logger(L_ERR, L_FUNC, "internal mechanism failure: %s", auth_mech->name);
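Review bot: `remote` reaches the mechanism only on the non-cached branch: when the credential cache answers, the response is `"OK"` and `authenticate()` is never called, so PAM does not see PAM_RHOST for that request. The cache lookup is outside this hunk, but if its key does not include the remote address, a success cached for one client address is replayed for requests from any other address. Host-based PAM rules would then be skipped for as long as the entry lives. Either include `remote` in the cache key or document that host-based PAM policy requires the credential cache to be off.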
@@ -420,18 +420,18 @@
 
 		if (flags & VERBOSE) {
 			if (cached) 
-				logger(L_DEBUG, L_FUNC, "auth success (cached): [user=%s] [service=%s] [realm=%s]", \
-					login, service, realm);
+				logger(L_DEBUG, L_FUNC, "auth success (cached): [user=%s] [service=%s] [realm=%s] [remote=%s]", \
+					login, service, realm, remote);
 			else
-				logger(L_DEBUG, L_FUNC, "auth success: [user=%s] [service=%s] [realm=%s] [mech=%s]", \
-					login, service, realm, auth_mech->name);
+				logger(L_DEBUG, L_FUNC, "auth success: [user=%s] [service=%s] [realm=%s] [remote=%s] [mech=%s]", \
+					login, service, realm, remote, auth_mech->name);
 		}
 		return response;
 	}
 
 	if (strncmp(response, "NO", 2) == 0) {
-		logger(L_INFO, L_FUNC, "auth failure: [user=%s] [service=%s] [realm=%s] [mech=%s] [reason=%s]", \
-			login, service, realm, auth_mech->name,
+		logger(L_INFO, L_FUNC, "auth failure: [user=%s] [service=%s] [realm=%s] [remote=%s] [mech=%s] [reason=%s]", \
+			login, service, realm, remote, auth_mech->name,
 		        strlen(response) >= 4 ? response+3 : "Unknown");
 
 		return response;
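Review bot: `remote` is written to the log with `%s` exactly as it arrived on the IPC channel, and the readers in ipc_unix.c and ipc_doors.c accept up to MAX_REQ_LEN arbitrary bytes for it. The purpose of the patch is to give log consumers an address to act on, so a value containing `]`, spaces or control characters can make one log record look like another. Before logging, `do_auth` should check that `remote` contains only characters valid in an `address;port` string and substitute a fixed marker such as `invalid` otherwise. `do_auth` continues outside this hunk.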
diff -ru cyrus-sasl-2.1.24.orig/saslauthd/saslauthd-main.h cyrus-sasl-2.1.24/saslauthd/saslauthd-main.h
--- cyrus-sasl-2.1.24.orig/saslauthd/saslauthd-main.h	2003-05-16 00:21:41.000000000 +0200
+++ cyrus-sasl-2.1.24/saslauthd/saslauthd-main.h	2011-05-22 12:24:47.000000000 +0200
@@ -88,7 +88,8 @@
 
 /* saslauthd-main.c */
 extern char	*do_auth(const char *, const char *,
-			 const char *, const char *);
+			 const char *, const char *,
+			 const char *);
 extern void	set_auth_mech(const char *);
 extern void	set_max_procs(const char *);
 extern void	set_mech_option(const char *);

#! /bin/sh /usr/share/dpatch/dpatch-run
## 0024_saslauthd_pam_rhost.dpatch by  <root@xxxxxxxxxxxxxxxxxxxx>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.

@DPATCH@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/lib/checkpw.c cyrus-sasl2-2.1.23.dfsg1/lib/checkpw.c
--- cyrus-sasl2-2.1.23.dfsg1~/lib/checkpw.c	2009-04-28 17:09:15.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/lib/checkpw.c	2011-05-22 11:09:35.000000000 +0200
@@ -553,6 +553,8 @@
     char pwpath[sizeof(srvaddr.sun_path)];
     const char *p = NULL;
     char *freeme = NULL;
+    char *freemetoo = NULL;
+    const char *client_addr = NULL;
 #ifdef USE_DOORS
     door_arg_t arg;
 #endif
@@ -584,20 +586,27 @@
 	user_realm = rtmp + 1;
     }
 
+    if (sasl_getprop(conn, SASL_IPREMOTEPORT, (const void **) & client_addr) == SASL_OK) {
+        if(_sasl_strdup(client_addr, &freemetoo, NULL) != SASL_OK)
+            goto fail;
+        client_addr = freemetoo;
+    }
+
     /*
      * build request of the form:
      *
-     * count authid count password count service count realm
+     * count authid count password count service count realm count client
      */
     {
- 	unsigned short u_len, p_len, s_len, r_len;
+ 	unsigned short u_len, p_len, s_len, r_len, c_len;
  
  	u_len = (strlen(userid));
  	p_len = (strlen(passwd));
 	s_len = (strlen(service));
 	r_len = ((user_realm ? strlen(user_realm) : 0));
+	c_len = ((client_addr ? strlen(client_addr): 0));
 
-	if (u_len + p_len + s_len + r_len + 30 > (unsigned short) sizeof(query)) {
+	if (u_len + p_len + s_len + r_len + c_len + 30 > (unsigned short) sizeof(query)) {
 	    /* request just too damn big */
             sasl_seterror(conn, 0, "saslauthd request too large");
 	    goto fail;
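Review bot: `c_len` is assigned from `strlen(client_addr)` straight into an `unsigned short`, so the size test that follows works on a possibly truncated value, while the copy loop later in the function writes the whole string. The existing fields have the same weakness in this version, but the new field should not add to it. Check the range before narrowing, for example `if (client_addr && strlen(client_addr) > USHRT_MAX) goto fail;` ahead of the assignment, preferably with a `sasl_seterror` call like the one in the size check. The function body continues outside this hunk.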
@@ -607,6 +616,7 @@
 	p_len = htons(p_len);
 	s_len = htons(s_len);
 	r_len = htons(r_len);
+	c_len = htons(c_len);
 
 	memcpy(query_end, &u_len, sizeof(unsigned short));
 	query_end += sizeof(unsigned short);
@@ -623,6 +633,11 @@
 	memcpy(query_end, &r_len, sizeof(unsigned short));
 	query_end += sizeof(unsigned short);
 	if (user_realm) while (*user_realm) *query_end++ = *user_realm++;
+
+	memcpy(query_end, &c_len, sizeof(unsigned short));
+	query_end += sizeof(unsigned short);
+	if(client_addr) while (*client_addr) *query_end++ = *client_addr++;
+
     }
 
 #ifdef USE_DOORS
@@ -723,7 +738,8 @@
     close(s);
 #endif /* USE_DOORS */
   
-    if(freeme) free(freeme);
+    if (freeme) free(freeme);
+    if (freemetoo) free(freemetoo);
 
     if (!strncmp(response, "OK", 2)) {
 	return SASL_OK;
@@ -734,6 +750,7 @@
 
  fail:
     if (freeme) free(freeme);
+    if (freemetoo) free(freemetoo);
     return SASL_FAIL;
 }
 
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_dce.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_dce.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_dce.c	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_dce.c	2011-05-22 11:09:35.000000000 +0200
@@ -56,7 +56,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote
   /* END PARAMETERS */
   )
 {
@@ -104,7 +105,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
      return NULL;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_dce.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_dce.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_dce.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_dce.h	2011-05-22 11:09:35.000000000 +0200
@@ -26,4 +26,4 @@
  * END COPYRIGHT
  */
 
-char *auth_dce(const char *, const char *, const char *, const char *);
+char *auth_dce(const char *, const char *, const char *, const char *, const char *);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_getpwent.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_getpwent.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_getpwent.c	2009-04-28 17:09:18.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_getpwent.c	2011-05-22 11:09:35.000000000 +0200
@@ -64,7 +64,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_getpwent.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_getpwent.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_getpwent.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_getpwent.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_getpwent(const char *, const char *, const char *, const char *);
+char *auth_getpwent(const char *, const char *, const char *, const char *, const char *);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_httpform.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_httpform.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_httpform.c	2006-04-19 21:51:04.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_httpform.c	2011-05-22 11:09:35.000000000 +0200
@@ -463,7 +463,8 @@
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,
-  const char *realm
+  const char *realm,
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_httpform.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_httpform.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_httpform.h	2006-03-13 21:17:09.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_httpform.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_httpform(const char *, const char *, const char *, const char *);
+char *auth_httpform(const char *, const char *, const char *, const char *, const char *);
 int auth_httpform_init(void);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb4.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb4.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb4.c	2005-02-01 13:26:34.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb4.c	2011-05-22 11:09:35.000000000 +0200
@@ -171,7 +171,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,
-  const char *realm_in
+  const char *realm_in,
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -282,7 +283,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb4.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb4.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb4.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb4.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_krb4(const char *, const char *, const char *, const char *);
+char *auth_krb4(const char *, const char *, const char *, const char *, const char *);
 int auth_krb4_init(void);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb5.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb5.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb5.c	2009-04-28 17:09:18.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb5.c	2011-05-22 11:09:35.000000000 +0200
@@ -172,7 +172,8 @@
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,                  /* I: service authenticating to */
-  const char *realm                     /* I: user's realm */
+  const char *realm,                    /* I: user's realm */
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -340,7 +341,8 @@
   const char *user,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,			/* I: service authenticating to */
-  const char *realm			/* I: user's realm */
+  const char *realm,			/* I: user's realm */
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -448,7 +450,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb5.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb5.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_krb5.h	2002-04-25 20:31:38.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_krb5.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_krb5(const char *, const char *, const char *, const char *);
+char *auth_krb5(const char *, const char *, const char *, const char *, const char *);
 int auth_krb5_init(void);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_ldap.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_ldap.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_ldap.c	2004-12-08 13:12:27.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_ldap.c	2011-05-22 11:09:35.000000000 +0200
@@ -60,7 +60,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,
-  const char *realm
+  const char *realm,
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -116,7 +117,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
      return NULL;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_ldap.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_ldap.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_ldap.h	2002-06-19 19:35:29.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_ldap.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_ldap(const char *, const char *, const char *, const char *);
+char *auth_ldap(const char *, const char *, const char *, const char *, const char *);
 int auth_ldap_init(void);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_pam.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_pam.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_pam.c	2005-05-15 08:43:19.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_pam.c	2011-05-22 11:09:35.000000000 +0200
@@ -186,7 +186,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service,			/* I: service name */
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -213,6 +214,14 @@
 
     my_appdata.pamh = pamh;
 
+    char * remote_host = strdup(remote);
+    if (remote_host) {
+	char * semicol = strchr(remote_host, ';');
+	if (semicol) * semicol = NULL; /* truncate remote_host at the ';' port separator */
+	pam_set_item(pamh, PAM_RHOST, remote_host);
+	free (remote_host);
+    }
+
     rc = pam_authenticate(pamh, PAM_SILENT);
     if (rc != PAM_SUCCESS) {
 	syslog(LOG_DEBUG, "DEBUG: auth_pam: pam_authenticate failed: %s",
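Review bot: `* semicol = NULL;` assigns a null pointer constant to a `char`, which draws a diagnostic wherever NULL is defined as `((void *)0)`; the terminator should be written `if (semicol) *semicol = '\0';`. `strdup(remote)` is reached without checking `remote` for NULL or an empty string, and the return value of `pam_set_item` is discarded, so wrap the block in `if (remote != NULL && remote[0] != '\0')` and log a result other than PAM_SUCCESS. Because the address is whatever the requester put in the saslauthd request, PAM modules that base access or lockout decisions on PAM_RHOST are trusting every process allowed to reach the saslauthd socket; a comment saying so above the call would help whoever writes the PAM stack. The declarations in mid-block also differ from the declare-at-top style of the visible context, and auth_pam's body starts and ends outside this hunk.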
@@ -242,7 +251,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_pam.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_pam.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_pam.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_pam.h	2011-05-22 11:09:35.000000000 +0200
@@ -32,4 +32,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_pam(const char *, const char *, const char *, const char *);
+char *auth_pam(const char *, const char *, const char *, const char *, const char *);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_rimap.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_rimap.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_rimap.c	2011-05-22 11:09:01.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_rimap.c	2011-05-22 11:09:35.000000000 +0200
@@ -298,7 +298,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_rimap.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_rimap.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_rimap.h	2001-12-04 03:06:54.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_rimap.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,5 +25,5 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_rimap(const char *, const char *, const char *, const char *);
+char *auth_rimap(const char *, const char *, const char *, const char *, const char *);
 int auth_rimap_init(void);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sasldb.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sasldb.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sasldb.c	2011-05-22 11:09:01.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sasldb.c	2011-05-22 11:09:35.000000000 +0200
@@ -118,13 +118,14 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm
+  const char *realm,
 #else
   const char *login __attribute__((unused)),/* I: plaintext authenticator */
   const char *password __attribute__((unused)),  /* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
 #endif
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sasldb.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sasldb.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sasldb.h	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sasldb.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_sasldb(const char *, const char *, const char *, const char *);
+char *auth_sasldb(const char *, const char *, const char *, const char *, const char *);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_shadow.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_shadow.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_shadow.c	2011-05-22 11:09:01.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_shadow.c	2011-05-22 11:09:35.000000000 +0200
@@ -82,7 +82,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -276,7 +277,8 @@
   const char *login __attribute__((unused)),
   const char *passwd __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_shadow.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_shadow.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_shadow.h	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_shadow.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_shadow(const char *, const char *, const char *, const char *);
+char *auth_shadow(const char *, const char *, const char *, const char *, const char *);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sia.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sia.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sia.c	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sia.c	2011-05-22 11:09:35.000000000 +0200
@@ -56,7 +56,8 @@
   const char *login,			/* I: plaintext authenticator */
   const char *password,			/* I: plaintext password */
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote                    /* I: remote host address */
   /* END PARAMETERS */
   )
 {
@@ -84,7 +85,8 @@
   const char *login __attribute__((unused)),
   const char *password __attribute__((unused)),
   const char *service __attribute__((unused)),
-  const char *realm __attribute__((unused))
+  const char *realm __attribute__((unused)),
+  const char *remote __attribute__((unused))
   )
 {
     return NULL;
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sia.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sia.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/auth_sia.h	2001-12-04 03:06:55.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/auth_sia.h	2011-05-22 11:09:35.000000000 +0200
@@ -25,4 +25,4 @@
  * DAMAGE.
  * END COPYRIGHT */
 
-char *auth_sia(const char *, const char *, const char *, const char *);
+char *auth_sia(const char *, const char *, const char *, const char *, const char *);
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/ipc_doors.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/ipc_doors.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/ipc_doors.c	2004-04-27 18:01:50.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/ipc_doors.c	2011-05-22 11:09:35.000000000 +0200
@@ -218,6 +218,7 @@
 	char			password[MAX_REQ_LEN + 1]; /* password for authentication            */
 	char			service[MAX_REQ_LEN + 1];  /* service name for authentication        */
 	char			realm[MAX_REQ_LEN + 1];    /* user realm for authentication          */
+	char			client_addr[MAX_REQ_LEN + 1];  /* client address and port            */
 
 
 	/**************************************************************
@@ -294,6 +295,22 @@
 	memcpy(realm, data, count);
 	realm[count] = '\0';
 
+	/* client_addr */
+	memcpy(&count, data, sizeof(unsigned short));
+
+	count = ntohs(count);
+	data += sizeof(unsigned short);
+
+	if (count > MAX_REQ_LEN || data + count > dataend) {
+		logger(L_ERR, L_FUNC, "client_addr exceeds MAX_REQ_LEN: %d",
+		       MAX_REQ_LEN);
+		send_no("");
+		return;
+	}	
+
+	memcpy(client_addr, data, count);
+	client_addr[count] = '\0';
+
 	/**************************************************************
  	 * We don't allow NULL passwords or login names
 	 **************************************************************/
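Review bot: The length prefix of the new client_addr field is read with `memcpy(&count, data, sizeof(unsigned short))` before anything checks that two bytes remain before `dataend`, so a request that stops after the realm (for example from a library built without this patch) makes the read run past the received data. Put `if ((size_t)(dataend - data) < sizeof(unsigned short))` with the same `send_no("")` and `return` path ahead of the memcpy, or treat a missing field as an empty address so older clients still authenticate. The error text also reports that MAX_REQ_LEN was exceeded when the failing test may be the `dataend` one. The enclosing function starts and ends outside the hunk, so whether the earlier fields guard their own prefixes cannot be seen here.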
@@ -312,7 +329,7 @@
 	/**************************************************************
 	 * Get the mechanism response from do_auth() and send it back.
 	 **************************************************************/
-	response = do_auth(login, password, service, realm);
+	response = do_auth(login, password, service, realm, client_addr);
 
 	memset(password, 0, strlen(password));
 
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/ipc_unix.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/ipc_unix.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/ipc_unix.c	2003-10-30 20:06:42.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/ipc_unix.c	2011-05-22 11:09:35.000000000 +0200
@@ -329,6 +329,7 @@
 	char			password[MAX_REQ_LEN + 1]; /* password for authentication            */
 	char			service[MAX_REQ_LEN + 1];  /* service name for authentication        */
 	char			realm[MAX_REQ_LEN + 1];    /* user realm for authentication          */
+	char			client_addr[MAX_REQ_LEN + 1];  /* client address and port            */
 
 
 	/**************************************************************
@@ -399,12 +400,28 @@
 		send_no(conn_fd, "");
 		return;
 	}	
-
 	if (rx_rec(conn_fd, (void *)realm, (size_t)count) != (ssize_t)count) 
 		return;
 
 	realm[count] = '\0';
 
+	/* client_addr */
+	if (rx_rec(conn_fd, (void *)&count, (size_t)sizeof(count)) != (ssize_t)sizeof(count))
+		return;
+
+	count = ntohs(count);
+
+	if (count > MAX_REQ_LEN) {
+		logger(L_ERR, L_FUNC, "client address exceeded MAX_REQ_LEN: %d", MAX_REQ_LEN);
+		send_no(conn_fd, "");
+		return;
+	}
+
+	if (rx_rec(conn_fd, (void *)&client_addr, (size_t)count) != (ssize_t)count)
+		return;
+
+	client_addr[count] = '\0';
+
 	/**************************************************************
  	 * We don't allow NULL passwords or login names
 	 **************************************************************/
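Review bot: The client address is made a mandatory fifth field of the request: when a peer stops after the realm, the `rx_rec` call for the new length cannot succeed and the function returns without `send_no`, so a libsasl built before this patch gets no reply instead of a refusal (how long it waits depends on rx_rec, which is not shown). saslauthd and the client library are commonly upgraded separately, so the format change deserves a comment at this point and a note in the protocol documentation, and ideally a way for the daemon to accept the old four-field request with an empty address. As a smaller point, `(void *)&client_addr` should be `(void *)client_addr` to match the `(void *)realm` call a few lines up, and the blank line removed after the realm length check is an unrelated whitespace change. The enclosing function starts and ends outside the hunk.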
@@ -423,7 +440,7 @@
 	/**************************************************************
 	 * Get the mechanism response from do_auth() and send it back.
 	 **************************************************************/
-	response = do_auth(login, password, service, realm);
+	response = do_auth(login, password, service, realm, client_addr);
 
 	memset(password, 0, strlen(password));
 
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/mechanisms.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/mechanisms.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/mechanisms.h	2006-03-13 21:17:09.000000000 +0100
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/mechanisms.h	2011-05-22 11:09:35.000000000 +0200
@@ -40,8 +40,8 @@
     char *name;				/* name of the mechanism */
     int (*initialize)(void);		/* initialization function */
     char *(*authenticate)(const char *, const char *,
-			  const char *, const char *); /* authentication
-							  function */
+			  const char *, const char *,
+			  const char *); /* authentication function */
 } authmech_t;
 
 extern authmech_t mechanisms[];		/* array of supported auth mechs */
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/saslauthd-main.c cyrus-sasl2-2.1.23.dfsg1/saslauthd/saslauthd-main.c
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/saslauthd-main.c	2011-05-22 11:09:01.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/saslauthd-main.c	2011-05-22 11:09:35.000000000 +0200
@@ -367,7 +367,7 @@
  * return a pointer to a string to send back to the client.
  * The caller is responsible for freeing the pointer. 
  **************************************************************/
-char *do_auth(const char *_login, const char *password, const char *service, const char *realm) {
+char *do_auth(const char *_login, const char *password, const char *service, const char *realm, const char *remote) {
 
 	struct cache_result	lkup_result;
 	char			*response;
@@ -396,7 +396,7 @@
 		response = strdup("OK");
 		cached = 1;
 	} else {
-		response = auth_mech->authenticate(login, password, service, realm);
+		response = auth_mech->authenticate(login, password, service, realm, remote);
 
 		if (response == NULL) {
 			logger(L_ERR, L_FUNC, "internal mechanism failure: %s", auth_mech->name);
@@ -409,18 +409,18 @@
 
 		if (flags & VERBOSE) {
 			if (cached) 
-				logger(L_DEBUG, L_FUNC, "auth success (cached): [user=%s] [service=%s] [realm=%s]", \
-					login, service, realm);
+				logger(L_DEBUG, L_FUNC, "auth success (cached): [user=%s] [service=%s] [realm=%s] [remote=%s]", \
+					login, service, realm, remote);
 			else
-				logger(L_DEBUG, L_FUNC, "auth success: [user=%s] [service=%s] [realm=%s] [mech=%s]", \
-					login, service, realm, auth_mech->name);
+				logger(L_DEBUG, L_FUNC, "auth success: [user=%s] [service=%s] [realm=%s] [remote=%s] [mech=%s]", \
+					login, service, realm, remote, auth_mech->name);
 		}
 		return response;
 	}
 
 	if (strncmp(response, "NO", 2) == 0) {
-		logger(L_INFO, L_FUNC, "auth failure: [user=%s] [service=%s] [realm=%s] [mech=%s] [reason=%s]", \
-			login, service, realm, auth_mech->name,
+		logger(L_INFO, L_FUNC, "auth failure: [user=%s] [service=%s] [realm=%s] [remote=%s] [mech=%s] [reason=%s]", \
+			login, service, realm, remote, auth_mech->name,
 		        strlen(response) >= 4 ? response+3 : "Unknown");
 
 		return response;
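Review bot: `remote` is printed with `%s` in all three messages exactly as it arrived in the IPC request, so the `[remote=...]` field is requester-supplied text, still carries the `;port` suffix (only auth_pam strips it), and may contain `]` or other characters that break a parser of these bracketed fields. Validating the string once near the top of do_auth, for instance replacing anything that cannot occur in an address-and-port value, would cover the log lines and every mechanism at the same time. Placing the new field before `[mech=` also shifts the existing fields for anyone already matching these lines, so appending it would be the less disruptive layout. do_auth's body starts outside this hunk, so any earlier handling of `remote` is not visible here.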
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' cyrus-sasl2-2.1.23.dfsg1~/saslauthd/saslauthd-main.h cyrus-sasl2-2.1.23.dfsg1/saslauthd/saslauthd-main.h
--- cyrus-sasl2-2.1.23.dfsg1~/saslauthd/saslauthd-main.h	2003-05-16 00:21:41.000000000 +0200
+++ cyrus-sasl2-2.1.23.dfsg1/saslauthd/saslauthd-main.h	2011-05-22 11:09:35.000000000 +0200
@@ -88,7 +88,8 @@
 
 /* saslauthd-main.c */
 extern char	*do_auth(const char *, const char *,
-			 const char *, const char *);
+			 const char *, const char *,
+			 const char *);
 extern void	set_auth_mech(const char *);
 extern void	set_max_procs(const char *);
 extern void	set_mech_option(const char *);

