# $Id: courier-imap-1.7.2+radius.diff,v 1.7 2005/10/07 02:26:25 jcs Exp $ # # this is a set of ugly patches to the openbsd port of courier-imap-1.7.2 that # modifies the authpwd module to use radius authentication for the password, # and the normal authpwd routines for everything else (login, home directory, # etc.) # # the radius routines are directly copied from the openbsd source tree, so # if you don't have a current tree in /usr/src, it will fail when trying to # copy libexec/login_radius/raddauth.c from it. # # some things to be aware of: # # - radius authentication uses the "auth-mail" login class, so make sure it's # setup in /etc/login.conf (see login_radius(8) for more info) # # - usernames are converted to lowercase after being received from the client # (sorry, i had to do this, we used to run pop3 on a vms cluster which is # case insensitive) # # - usernames are passed to the radius server for authentication with realms # included, and then stripped off when looking up the user in the password # database (for obvious reasons) # # SECURITY NOTE: be sure that your radius server is configured to only allow # certain realms (i.e., your own realms, no 3rd party ones) to authenticate # from the mail server running these patches so that a user cannot login with # "joe@thirdpartyrealm" and bypass the authentication of your local radius # server and end up seeing the mail of the local user "joe" on your mail # system. if this realm behaviour is not desired, strip realms before passing # them on to raddauth(). # # to apply this patch: # # cd /usr/ports/mail/courier-imap # patch -p0 < ~/path/to/this/patch # find . 
-name \*.orig -exec rm {} \; # # if you don't have a source tree in /usr/src for the raddauth.c, you can fetch # it from: # # http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/libexec/\ # login_radius/raddauth.c # # by joshua stein # Index: Makefile =================================================================== RCS file: /cvs/ports/mail/courier-imap/Makefile,v retrieving revision 1.35 diff -u -r1.35 Makefile --- Makefile 23 May 2003 21:57:51 -0000 1.35 +++ Makefile 25 Oct 2003 23:34:13 -0000 @@ -95,6 +95,9 @@ .endfor .endif +post-extract: + @cp -f /usr/src/libexec/login_radius/raddauth.c ${WRKSRC}/authlib/ + post-install: ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/courier-imap ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/courier-imap --- /dev/null Sat Oct 25 18:40:23 2003 +++ patches/patch-authlib_authpwd_c Sat Oct 25 18:36:53 2003 @@ -0,0 +1,40 @@ +$OpenBSD$ +--- authlib/authpwd.c.orig Mon Aug 19 10:52:28 2002 ++++ authlib/authpwd.c Sun Sep 14 10:26:03 2003 +@@ -14,6 +14,7 @@ + #if HAVE_UNISTD_H + #include + #endif ++#include + + #include "auth.h" + #include "authmod.h" +@@ -25,6 +26,9 @@ + int (*callback)(struct authinfo *, void *), + void *arg); + ++extern int raddauth(char *username, char *class, char *style, char *challenge, ++ char *password, char **emsg); ++ + struct callback_info { + const char *pass; + char *userret; +@@ -36,9 +40,17 @@ + static int callback_pwd(struct authinfo *a, void *p) + { + struct callback_info *i=(struct callback_info *)p; ++ char *emsg; ++ emsg = NULL; + +- if (a->passwd == 0 || authcheckpassword(i->pass, a->passwd)) ++ /* authenticate against radius using what they originally typed in, ++ realm included */ ++ if (a->passwd == 0 || raddauth(a->address, "auth-mail", "radius", ++ i->pass, i->pass, &emsg)) { ++ perror(emsg); ++ + return (-1); ++ } + + if ((i->userret=strdup(a->sysusername)) == 0) + { --- /dev/null Sat Oct 25 18:40:23 2003 +++ patches/patch-authlib_Makefile_in Sat Oct 25 18:36:50 2003 
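Review bot: The `post-extract` target added here copies raddauth.c out of /usr/src with no check that the file exists, so on a system without a source tree the build stops on a bare cp error, and the `@` prefix also hides the command line that failed. A guard ahead of the target, `.if !exists(/usr/src/libexec/login_radius/raddauth.c)` followed by an `.error` line naming the missing file and the cvsweb location the patch header already gives, would make the failure self-explanatory. Dropping the `@` would at least show the cp invocation when it fails.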
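Review bot: `perror(emsg)` in the new callback_pwd failure branch reports the wrong thing: raddauth()'s emsg is a textual reason, but perror appends strerror(errno) and nothing in this path sets errno, so a refused login is logged with an unrelated system error text, or with no context at all when emsg is left NULL; `fprintf(stderr, "raddauth: %s\n", emsg ? emsg : "authentication failed");` reports what the caller actually has. The extern declares raddauth() with plain `char *` for challenge and password while `i->pass` is `const char *`, so the call discards a qualifier and will warn; either widen the extern to `const char *` where raddauth.c permits it or add a comment on why that is safe. Replacing authcheckpassword() also means the only local condition left is that `a->passwd` is non-NULL, so whether an account locked in the password database still stays locked now depends on what preauthpwd.c puts in that field, which is outside this hunk; a comment stating that the local hash is intentionally ignored would help the next reader. The return convention assumed here (0 on success) is inferred from the condition, and the body of callback_pwd continues past the end of the hunk.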
@@ -0,0 +1,41 @@ +$OpenBSD$ +--- authlib/Makefile.in.orig Mon Apr 21 15:32:52 2003 ++++ authlib/Makefile.in Fri Sep 12 11:01:20 2003 +@@ -169,7 +169,7 @@ + @HAVE_PAM_TRUE@authpamlibsdep = authpam.libsdep + @HAVE_PAM_FALSE@authpamlibsdep = + +-@HAVE_PWD_TRUE@authpwdc = authpwd.c preauthpwd.c ++@HAVE_PWD_TRUE@authpwdc = authpwd.c preauthpwd.c raddauth.c + @HAVE_PWD_FALSE@authpwdc = + @HAVE_PWD_TRUE@authpwdlibsdep = authpwd.libsdep + @HAVE_PWD_FALSE@authpwdlibsdep = +@@ -224,7 +224,7 @@ + group = `test -d ../courier && . ../courier/uidgid && echo $$mailgroup && exit 0; echo root` + + EXTRA_DIST = authwait.h authpam.c preauthpam.c authpwd.c preauthpwd.c \ +- authshadow.c preauthshadow.c \ ++ raddauth.c authshadow.c preauthshadow.c \ + authcustom.c preauthcustom.c authcustom.h \ + authdaemon.c authdaemond.c authdaemonlib.c preauthdaemon.c \ + authuserdb.c preauthuserdb.c preauthuserdbcommon.c \ +@@ -486,7 +486,8 @@ + libauth_authpgsql_a_OBJECTS = $(am_libauth_authpgsql_a_OBJECTS) + libauth_authpwd_a_AR = $(AR) cru + libauth_authpwd_a_LIBADD = +-@HAVE_PWD_TRUE@am__objects_8 = authpwd.$(OBJEXT) preauthpwd.$(OBJEXT) ++@HAVE_PWD_TRUE@am__objects_8 = authpwd.$(OBJEXT) preauthpwd.$(OBJEXT) \ ++@HAVE_PWD_TRUE@ raddauth.$(OBJEXT) + @HAVE_PWD_FALSE@am__objects_8 = + am_libauth_authpwd_a_OBJECTS = $(am__objects_8) + libauth_authpwd_a_OBJECTS = $(am_libauth_authpwd_a_OBJECTS) +@@ -670,7 +671,8 @@ + @AMDEP_TRUE@ ./$(DEPDIR)/preauthshadow.Po \ + @AMDEP_TRUE@ ./$(DEPDIR)/preauthuserdb.Po \ + @AMDEP_TRUE@ ./$(DEPDIR)/preauthuserdbcommon.Po \ +-@AMDEP_TRUE@ ./$(DEPDIR)/preauthvchkpw.Po ./$(DEPDIR)/success.Po ++@AMDEP_TRUE@ ./$(DEPDIR)/preauthvchkpw.Po \ ++@AMDEP_TRUE@ ./$(DEPDIR)/raddauth.Po ./$(DEPDIR)/success.Po + COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) + CCLD = $(CC) --- /dev/null Sat Oct 25 18:40:23 2003 +++ patches/patch-authlib_raddauth_c Sat Oct 25 18:37:01 2003 
@@ -0,0 +1,11 @@ +$OpenBSD$ +--- authlib/raddauth.c.orig Fri Sep 12 16:12:23 2003 ++++ authlib/raddauth.c Fri Sep 12 16:12:31 2003 +@@ -85,7 +85,6 @@ + #include + #include + #include +-#include "login_radius.h" + + + #define MAXPWNETNAM 64 /* longest username */ --- /dev/null Sat Oct 25 18:40:23 2003 +++ patches/patch-authlib_preauthpwd_c Sat Oct 25 18:36:56 2003 @@ -0,0 +1,28 @@ +$OpenBSD$ +--- authlib/preauthpwd.c.orig Sun Feb 20 15:48:36 2000 ++++ authlib/preauthpwd.c Sun Sep 14 10:33:13 2003 +@@ -25,16 +25,22 @@ + { + struct authinfo auth; + struct passwd *pw; ++char *stripuserid, *z; + + memset(&auth, 0, sizeof(auth)); + +- if ((pw=getpwnam(userid)) == 0) ++ /* strip off any realm */ ++ stripuserid = strdup(userid); ++ if ((z = strchr(stripuserid, '@')) != NULL) ++ *z = '\0'; ++ ++ if ((pw=getpwnam(stripuserid)) == 0) + { + if (errno == ENOMEM) return (1); + return (-1); + } + +- auth.sysusername=userid; ++ auth.sysusername=stripuserid; + auth.sysgroupid=pw->pw_gid; + auth.homedir=pw->pw_dir; + auth.address=userid; --- /dev/null Sat Oct 25 18:54:02 2003 +++ patches/patch-imap_pop3login_c Sat Oct 25 18:53:10 2003 @@ -0,0 +1,42 @@ +$OpenBSD$ +--- imap/pop3login.c.orig Thu Apr 3 15:17:46 2003 ++++ imap/pop3login.c Sat Oct 25 18:51:50 2003 +@@ -29,6 +29,8 @@ + extern int have_starttls(); + extern int tls_required(); + ++void lowstr(char *, char *); ++ + static int starttls() + { + int pipefd[2]; +@@ -208,8 +210,13 @@ + perror("malloc"); + exit(1); + } ++ ++ /* convert to lowercase */ ++ lowstr(p, p); ++ + strcpy(user, p); +- printf("+OK Password required.\r\n"); ++ printf("+OK Password required for " ++ "%s.\r\n", user); + fflush(stdout); + continue; + } +@@ -288,4 +295,14 @@ + } + exit(0); + return (0); ++} ++ ++void ++lowstr(char *from, char *to) ++{ ++ char ch; ++ ++ while ((ch = *from++) && ch != '\n') ++ *to++ = isupper(ch) ? tolower(ch) : ch; ++ *to = '\0'; + }
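Review bot: `stripuserid = strdup(userid);` in preauthpwd.c is handed straight to strchr() without a NULL check, so an allocation failure dereferences NULL; `if (stripuserid == NULL) return (1);` would match the ENOMEM convention the existing getpwnam() branch two lines below already uses. The copy is also never freed on any visible path, and since `auth.sysusername` now points at it the release has to happen after the callback has run, which is past the end of this hunk (the callback in authpwd.c strdup()s sysusername, so freeing afterwards looks safe, but confirm). Because `auth.address` keeps the full `user@realm` while the local lookup uses the stripped name, which local mailbox a RADIUS identity maps to rests entirely on the server-side realm restriction the patch header describes; checking the realm here against the realms this host serves would make that dependency visible in code rather than only in configuration.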
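Review bot: lowstr() passes a plain `char` to isupper()/tolower(); on platforms where char is signed, any byte above 0x7f in the client-supplied name becomes a negative argument, for which the ctype functions are undefined. Declaring the scratch variable `unsigned char ch;` fixes that, and the ternary then becomes unnecessary, `*to++ = tolower(ch);`, since tolower() already returns non-uppercase characters unchanged. The hunk adds the prototype but no `#include <ctype.h>`, so confirm pop3login.c already includes it. A one-line comment on lowstr(), e.g. `/* lowercase from into to, stopping at NUL or newline; from and to may alias (called as lowstr(p, p)) */`, would document the in-place use at the call site.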