pkgsrc-Bugs archive


pkg/47269: Patch to fix security/pam-radius



>Number:         47269
>Category:       pkg
>Synopsis:       Fixes broken pam module on 5.2/6.0, i386/amd64
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Fri Nov 30 23:10:00 +0000 2012
>Originator:     Charlie Root
>Release:        NetBSD 6.0
>Organization:
>Environment:
System: NetBSD nb6i386.its.iastate.edu 6.0 NetBSD 6.0 (GENERIC) i386
Architecture: i386
Machine: i386
>Description:
Tested on 5.2 i386/amd64 and 6.0 i386/amd64.  Same exact issue in all 
four environments.

pam_radius_auth.so compiles, but when invoked the following message 
appears in /var/log/messages:

  in openpam_dispatch(): pam_radius_auth.so: no pam_sm_authenticate()

Control is passed to the next entry in the PAM stack.

>How-To-Repeat:
Stock build from pkgsrc-current and the following in /etc/pam.d/su (or 
sudo) placed before the pam_unix line:

auth            required        pam_radius_auth.so      debug

(Note: I symlinked /usr/lib/security/pam_radius_auth.so to 
/usr/pkg/lib/security/pam_radius_auth.so)

>Fix:
Module must be compiled with -DNO_STATIC_MODULES.

Patch follows and corrects the following:

 - Adds -DNO_STATIC_MODULES to pam-radius source's Makefile CFLAGS.
 - Fixes numerous compiler warnings.
 - Bumps the version of pam-radius to 1.3.17 which adds the following 
   options (the 'ruser' option is of particular importance to me):

   1.3.17
   ------
   Allow any number of retries, instead of only up to 3.

   Add ruser option, to authenticate as PAM_RUSER instead of PAM_USER,
   to allow applications such as 'su' to authenticate as the real user.
   Patch from David Mitchell.

   Add 'localifdown' option.

Module was tested against an RSA SecurID server and functioned perfectly 
on NetBSD 5.2 i386/amd64 and NetBSD 6.0 i386/amd64.

Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/security/pam-radius/Makefile,v
retrieving revision 1.4
diff -u -U 1 -r1.4 Makefile
--- Makefile    23 Oct 2012 18:16:48 -0000      1.4
+++ Makefile    30 Nov 2012 22:24:28 -0000
@@ -3,3 +3,3 @@
 PKGNAME=       ${DISTNAME:S/_/-/}
-DISTNAME=      pam_radius-1.3.16
+DISTNAME=      pam_radius-1.3.17
 CATEGORIES=    security
@@ -12,3 +12,3 @@
 NO_CONFIGURE=  YES
-EXTRACT_SUFX=  .tar
+EXTRACT_SUFX=  .tar.gz
 
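Review bot: In the second Makefile hunk, `EXTRACT_SUFX=  .tar.gz` sets the variable to the pkgsrc default. Deleting the `EXTRACT_SUFX` line outright is cleaner than changing its value.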
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/security/pam-radius/distinfo,v
retrieving revision 1.2
diff -u -U 1 -r1.2 distinfo
--- distinfo    21 Feb 2009 00:06:52 -0000      1.2
+++ distinfo    30 Nov 2012 22:24:28 -0000
@@ -2,5 +2,6 @@
 
-SHA1 (pam_radius-1.3.16.tar) = 127352a693bafd9f32dd80ecece57de2bc1c19b8
-RMD160 (pam_radius-1.3.16.tar) = 6fb69c357b01ba5ac026b186de9be0e3f92c3fcd
-Size (pam_radius-1.3.16.tar) = 112640 bytes
-SHA1 (patch-aa) = a52b9561ca552a7b35b65b3f3361f5ab1bdf872e
+SHA1 (pam_radius-1.3.17.tar.gz) = 7623ca1b636bba729c69c3f50254b856bb4519a7
+RMD160 (pam_radius-1.3.17.tar.gz) = c3873d5a4275170420f98c2f37def0593293f463
+Size (pam_radius-1.3.17.tar.gz) = 31341 bytes
+SHA1 (patch-Makefile) = 192a300d690aa096fd31b3ffdb2394761ded23cc
+SHA1 (patch-pam_radius_auth.c) = ac1886fc20757a3787f57071c514e4518b4c25bd
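Review bot: The new `SHA1`, `RMD160` and `Size` lines for pam_radius-1.3.17.tar.gz should not be committed as copied from the PR. This is an authentication module, so the committer should fetch the tarball from the upstream site independently, regenerate the file with `make makesum` (and `make makepatchsum` for the two patch entries), and compare the result with the values posted here.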
cvs diff: Diffing patches
Index: patches/patch-Makefile
===================================================================
RCS file: patches/patch-Makefile
diff -N patches/patch-Makefile
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-Makefile      30 Nov 2012 22:24:28 -0000
@@ -0,0 +1,7 @@
+--- Makefile   2007-03-25 23:22:11.000000000 -0500
++++ Makefile   2012-11-30 15:29:34.000000000 -0600
+@@ -17,3 +17,3 @@
+ #
+-CFLAGS = -Wall -fPIC
++CFLAGS = -Wall -fPIC -DNO_STATIC_MODULES
+ #
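Review bot: The new patches/patch-Makefile starts directly at `--- Makefile`, with no `$NetBSD$` identifier line and no comment saying why the change is needed, unlike the removed patch-aa, which opens with its `$NetBSD: patch-aa,v ...` line. Add the `$NetBSD$` line and a short explanation taken from the report (without -DNO_STATIC_MODULES, openpam_dispatch() reports "no pam_sm_authenticate()" for the module), then rerun `make makepatchsum`.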
Index: patches/patch-aa
===================================================================
RCS file: patches/patch-aa
diff -N patches/patch-aa
--- patches/patch-aa    21 Feb 2009 00:06:52 -0000      1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-$NetBSD: patch-aa,v 1.1 2009/02/21 00:06:52 adrianp Exp $
-
---- md5.h.orig 2003-04-29 13:19:16.000000000 -0700
-+++ md5.h
-@@ -15,6 +15,9 @@
- #define MD5Transform  pra_MD5Transform
- 
- #include <sys/types.h>
-+#ifndef u_int32_t
-+#define u_int32_t uint32_t
-+#endif
- #define uint32 u_int32_t
- 
- struct MD5Context {
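Review bot: Deleting patch-aa drops the `#ifndef u_int32_t` / `#define u_int32_t uint32_t` fallback in md5.h, and nothing in the PR says that the 1.3.17 md5.h no longer needs it. The only related change visible is the `#include <sys/types.h>` added to pam_radius_auth.c, and the report lists testing on NetBSD 5.2 and 6.0 only. Please confirm the build on a platform where <sys/types.h> does not provide u_int32_t, or carry the md5.h change forward as a new named patch.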
Index: patches/patch-pam_radius_auth.c
===================================================================
RCS file: patches/patch-pam_radius_auth.c
diff -N patches/patch-pam_radius_auth.c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-pam_radius_auth.c     30 Nov 2012 22:24:28 -0000
@@ -0,0 +1,36 @@
+--- pam_radius_auth.c  2007-03-26 04:36:13.000000000 -0500
++++ pam_radius_auth.c  2012-11-30 15:53:29.000000000 -0600
+@@ -58,6 +58,5 @@
+ #include <errno.h>
++#include <sys/types.h>
+ 
+-#ifdef sun
+ #include <security/pam_appl.h>
+-#endif
+ #include <security/pam_modules.h>
+@@ -184,3 +183,3 @@
+     while(*ip_str != '.' && *ip_str != '\0' && count < 4) {
+-      if(!isdigit(*ip_str)) {
++      if(!isdigit((unsigned char)*ip_str)) {
+       return((UINT4)0);
+@@ -220,3 +219,3 @@
+       digit_count = 0;
+-    } else if(!isdigit(*addr)) {
++    } else if(!isdigit((unsigned char)*addr)) {
+       dot_count = 5;
+@@ -276,3 +275,3 @@
+   if (!server->port) {
+-    if (p && isdigit(*p)) {   /* the port looks like it's a number */
++    if (p && isdigit((unsigned char)*p)) {    /* the port looks like it's a 
number */
+       unsigned int i = atoi(p) & 0xffff;
+@@ -768,3 +767,4 @@
+ {
+-  int salen, total_length;
++  socklen_t salen;
++  int total_length;
+   fd_set set;
+@@ -1101,3 +1101,3 @@
+     if (!strcmp("root", user)) {
+-      user = userinfo;
++      user = (char *)userinfo;
+       DPRINT(LOG_DEBUG, "Username now %s from ruser", user);
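Review bot: In the inner hunk at `@@ -276,3 +275,3 @@`, the added `isdigit((unsigned char)*p)` line has been wrapped so that `number */` sits on a line of its own with no leading `+`. As posted the patch file is malformed, will not apply cleanly, and is unlikely to match the `SHA1 (patch-pam_radius_auth.c)` entry in distinfo, so please resend it as an attachment. Separately, in the last inner hunk `user = (char *)userinfo;` silences the warning with a cast. If `userinfo` is const-qualified, declaring `user` as `const char *` is preferable to casting the qualifier away. The file also lacks a `$NetBSD$` line and a descriptive comment at the top.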


