The pam_bsdbioapi(8) module always prompts for finger swiping before

failing and proceeding to the next module, even when the user has not
enrolled yet.

This patchset adds a command line option to skip this behaviour.

NOTE: This patch will go into the next upstream release.

PR:		106564
Submitted by:	Eugene M. Kim <freebsd.org@ab.ote.we.lv>
Approved by:	Fredrik Lindberg <fli@shapeshifter.se> (maintainer)

security/pam_bsdbioapi/Makefile

@@ -7,6 +7,7 @@
 
 PORTNAME=	pam_bsdbioapi
 PORTVERSION=	1.5
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	http://shapeshifter.se/pub/pam_bsdbioapi/
 
@@ -15,7 +16,7 @@ COMMENT=	PAM module for BioAPI
 
 LIB_DEPENDS=	bioapi100.0:${PORTSDIR}/security/bioapi
 
-INSTALLS_SHLIB=	yes
+USE_LDCONFIG=	yes
 SUB_FILES=	pkg-message
 MAN8=		pam_bsdbioapi.8
 MAN3=		libbirdb.3

security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.8

@@ -0,0 +1,23 @@
+--- src/pam_bsdbioapi/pam_bsdbioapi.8	Thu Feb 23 06:15:13 2006
++++ src/pam_bsdbioapi/pam_bsdbioapi.8.orig	Sun Dec 10 06:36:31 2006
+@@ -36,6 +36,7 @@
+ .Ar pam_bsdbioapi
+ .Ar bsp-uuid 
+ .Ar backend
++.Op -s
+ .Op -f birdb-path
+ .Op -m message-file
+ .Sh DESCRIPTION
+@@ -69,6 +70,12 @@
+ This option is required.
+ .Pp
+ .Bl -tag -width ".Fl m Ar message-file"
++.It Fl s
++Fail without prompting the user to swipe finger if the user has not enrolled
++yet.
++This is useful if only a handful of users has enrolled, but leaks whether the
++given user has enrolled, to whomever tries to authenticate as the user (e.g.
++an attacker outside).
+ .It Fl f Ar birdb-path
+ Specify an alternative path to the birdb.conf file for backend configuration.
+ The default is /usr/local/etc/birdb.conf

security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.c

@@ -0,0 +1,51 @@
+--- src/pam_bsdbioapi/pam_bsdbioapi.c	Thu Feb 23 06:15:13 2006
++++ src/pam_bsdbioapi/pam_bsdbioapi.c.orig	Sun Dec 10 06:26:57 2006
+@@ -215,7 +215,7 @@
+     int argc, const char *argv[])
+ {
+ 	const char *user, *bsp_id, *dbid, *conf, *msgfile;
+-	int error, pam_retval = PAM_AUTH_ERR;
++	int error, pam_retval = PAM_AUTH_ERR, skip_unenrolled;
+ 	BioAPI_HANDLE *handle;
+ 	struct birdb_rec keyrec, **recs;
+ 	struct birdb_mod *bm;
+@@ -241,9 +241,10 @@
+ 
+ 	conf = DEFCONFPATH; 
+ 	msgfile = NULL;
++	skip_unenrolled = 0;
+ 
+ 	optind = 2;
+-	while ((opt = getopt(argc, (char **)argv, "m:f:")) != -1) {
++	while ((opt = getopt(argc, (char **)argv, "m:f:s")) != -1) {
+ 		switch (opt) {
+ 		case 'm':
+ 			msgfile = argv[optind - 1];
+@@ -253,6 +254,9 @@
+ 			conf = argv[optind - 1];
+ 			PAM_LOG("Got birdb configuration file: %s", conf);
+ 			break;
++		case 's':
++			skip_unenrolled = 1;
++			break;
+ 		}
+ 	}
+ 
+@@ -271,7 +275,6 @@
+ 	PAM_LOG("Got user: %s", user);
+ 
+ 	setuid(euid);
+-	pam_info(pamh, "Initiating biometric authentication..."); 
+ 
+ 	error = bioapi_init();
+ 	if (error)
+@@ -312,7 +315,8 @@
+ 
+ 	keyrec.br_key = (char *)user;
+ 	recs = birdb_backend_get(bm, bmh, &keyrec);
+-	if (recs != NULL) {
++	if (recs != NULL && (!skip_unenrolled || recs[0] != NULL)) {
++		pam_info(pamh, "Initiating biometric authentication..."); 
+ 		handle = bioapi_attach_bsp(bsp_id);
+ 		if (handle == NULL) {
+ 			PAM_VERBOSE_ERROR("Failed to attach the selected BSP");

security/pam_bsdbioapi/pkg-plist

@@ -5,5 +5,5 @@ lib/libbirdb.a
 lib/libbirdb.so
 lib/pam_bsdbioapi.so
 @dirrm share/birdb
-share/pam_bsdbioapi/upek_touchchip.cmsg
+%%DATADIR%%/upek_touchchip.cmsg
 @dirrm share/pam_bsdbioapi