8 files changed, 51 insertions, 23 deletions

diff --git a/ChangeLog b/ChangeLog
index 139934ca1..8f3ffeda0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,4 @@
-20050830
+20050831
  - (djm) OpenBSD CVS Sync
    - djm@cvs.openbsd.org 2005/08/30 22:08:05
      [gss-serv.c sshconnect2.c]
@@ -11,6 +11,10 @@
      [version.h]
      4.2
  - (dtucker) [README] Update release note URL to 4.2
+ - (tim) [configure.ac auth.c defines.h session.c openbsd-compat/port-uw.c
+   openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] libiaf cleanup. Disable
+   libiaf bits for OpenServer6. Free memory allocated by ia_get_logpwd().
+   Feedback and OK dtucker@
 
 20050830
  - (tim) [configure.ac] Back out last change. It needs to be done differently.
@@ -2982,4 +2986,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3885 2005/08/31 14:05:56 dtucker Exp $
+$Id: ChangeLog,v 1.3886 2005/08/31 16:59:49 tim Exp $
diff --git a/auth.c b/auth.c
index d62d8ff22..2dc5c2be6 100644
--- a/auth.c
+++ b/auth.c
@@ -97,11 +97,11 @@ allowed_user(struct passwd * pw)
         /* grab passwd field for locked account check */
 #ifdef USE_SHADOW
         if (spw != NULL)
-#ifdef HAVE_LIBIAF
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
                 passwd = get_iaf_password(pw);
 #else
                 passwd = spw->sp_pwdp;
-#endif /* HAVE_LIBIAF */
+#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
 #else
         passwd = pw->pw_passwd;
 #endif
@@ -123,6 +123,9 @@ allowed_user(struct passwd * pw)
                 if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
                         locked = 1;
 #endif
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+                free(passwd);
+#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
                 if (locked) {
                         logit("User %.100s not allowed because account is locked",
                             pw->pw_name);
diff --git a/configure.ac b/configure.ac
index 2834c5802..1e4df2e33 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.291 2005/08/30 14:12:02 tim Exp $
+# $Id: configure.ac,v 1.292 2005/08/31 16:59:49 tim Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -456,6 +456,7 @@ mips-sony-bsd|mips-sony-newsos4)
         case "$host" in
         *-*-sysv5SCO_SV*)       # SCO OpenServer 6.x
                 TEST_SHELL=/u95/bin/sh
+                AC_DEFINE(BROKEN_LIBIAF, 1, [ia_uinfo routines not supported by OS yet])
                 ;;
         esac
         ;;
diff --git a/defines.h b/defines.h
index 8d3617d06..408b988b5 100644
--- a/defines.h
+++ b/defines.h
@@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
 
-/* $Id: defines.h,v 1.126 2005/08/26 20:15:20 tim Exp $ */
+/* $Id: defines.h,v 1.127 2005/08/31 16:59:49 tim Exp $ */
 
 
 /* Constants */
@@ -688,7 +688,7 @@ struct winsize {
 # define CUSTOM_SYS_AUTH_PASSWD 1
 #endif
 
-#ifdef UNIXWARE_LONG_PASSWORDS
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
 # define CUSTOM_SYS_AUTH_PASSWD 1
 #endif
 
diff --git a/openbsd-compat/port-uw.c b/openbsd-compat/port-uw.c
index cbc3f686b..d881ff028 100644
--- a/openbsd-compat/port-uw.c
+++ b/openbsd-compat/port-uw.c
@@ -25,7 +25,7 @@
 
 #include "includes.h"
 
-#ifdef UNIXWARE_LONG_PASSWORDS
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
 #ifdef HAVE_CRYPT_H
 #include <crypt.h>
 #endif
@@ -44,6 +44,7 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
         struct passwd *pw = authctxt->pw;
         char *encrypted_password;
         char *salt;
+        int result;
 
         /* Just use the supplied fake password if authctxt is invalid */
         char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
@@ -52,13 +53,27 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
         if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
                 return (1);
 
+        /* Encrypt the candidate password using the proper salt. */
         salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx";
-        if (nischeck(pw->pw_name))
-                return(strcmp(crypt(password, salt), pw_password) == 0);
+#ifdef UNIXWARE_LONG_PASSWORDS
+        if (!nischeck(pw->pw_name))
+                encrypted_password = bigcrypt(password, salt);
         else
-                return(strcmp(bigcrypt(password, salt), pw_password) == 0);
+#endif /* UNIXWARE_LONG_PASSWORDS */
+                encrypted_password = xcrypt(password, salt);
+
+        /*
+         * Authentication is accepted if the encrypted passwords
+         * are identical.
+         */
+        result = (strcmp(encrypted_password, pw_password) == 0);
+
+        if (authctxt->valid)
+                free(pw_password);
+        return(result);
 }
 
+#ifdef UNIXWARE_LONG_PASSWORDS
 int
 nischeck(char *namep)
 {
@@ -94,7 +109,11 @@ nischeck(char *namep)
 
 #endif /* UNIXWARE_LONG_PASSWORDS */
 
-#ifdef HAVE_LIBIAF
+/*
+        NOTE: ia_get_logpwd() allocates memory for arg 2
+        functions that call shadow_pw() will need to free
+ */
+
 char *
 get_iaf_password(struct passwd *pw)
 {
@@ -104,12 +123,12 @@ get_iaf_password(struct passwd *pw)
         if (!ia_openinfo(pw->pw_name,&uinfo)) {
                 ia_get_logpwd(uinfo, &pw_password);
                 if (pw_password == NULL)
-                        fatal("Unable to get the shadow passwd");
+                        fatal("ia_get_logpwd: Unable to get the shadow passwd");
                 ia_closeinfo(uinfo);
                 return pw_password;
         }
         else
-                fatal("Unable to open the shadow passwd file");
+                fatal("ia_openinfo: Unable to open the shadow passwd file");
 }
-#endif /* HAVE_LIBIAF */
+#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
 
diff --git a/openbsd-compat/port-uw.h b/openbsd-compat/port-uw.h
index f16bb5e5c..3589b2e44 100644
--- a/openbsd-compat/port-uw.h
+++ b/openbsd-compat/port-uw.h
@@ -24,7 +24,7 @@
 
 #include "includes.h"
 
-#ifdef HAVE_LIBIAF
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
 char * get_iaf_password(struct passwd *pw);
-#endif /* HAVE_LIBIAF */
+#endif
 
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
index 453203270..9afa0b9f2 100644
--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
@@ -91,12 +91,13 @@ shadow_pw(struct passwd *pw)
         struct spwd *spw = getspnam(pw->pw_name);
 
         if (spw != NULL)
-#ifdef HAVE_LIBIAF
-                pw_password = get_iaf_password(pw);
-#else
                 pw_password = spw->sp_pwdp;
-#endif /* HAVE_LIBIAF */
 # endif
+
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+        return(get_iaf_password(pw));
+#endif
+
 # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
         struct passwd_adjunct *spw;
         if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
diff --git a/session.c b/session.c
index 98bd3121c..db8722f47 100644
--- a/session.c
+++ b/session.c
@@ -1334,11 +1334,11 @@ do_setusercontext(struct passwd *pw)
 # ifdef _AIX
                 aix_usrinfo(pw);
 # endif /* _AIX */
-# ifdef HAVE_LIBIAF
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
                 if (set_id(pw->pw_name) != 0) {
                         exit(1);
                 }
-# endif
+#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
                 /* Permanently switch to the desired uid. */
                 permanently_set_uid(pw);
 #endif