[packages/cyrus-sasl.git] / cyrus-sasl-cryptedpw.patch

diff -ur cyrus-sasl-2.1.19.orig/Makefile.in cyrus-sasl-2.1.19/Makefile.in
--- cyrus-sasl-2.1.19.orig/Makefile.in        2005-07-04 23:59:31.000000000 +0200
+++ cyrus-sasl-2.1.19/Makefile.in 2005-07-05 00:04:27.000000000 +0200
@@ -134,7 +134,7 @@
 JAVA_TRUE = @JAVA_TRUE@
 LDFLAGS = @LDFLAGS@
 LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
+LIBS = -lcrypt @LIBS@
 LIBTOOL = @LIBTOOL@
 LIB_CRYPT = @LIB_CRYPT@
 LIB_DES = @LIB_DES@
diff -ruN cyrus-sasl-2.1.20-orig/doc/options.html cyrus-sasl-2.1.20/doc/options.html
--- cyrus-sasl-2.1.20-orig/doc/options.html	2004-05-27 18:02:58.000000000 +0200
+++ cyrus-sasl-2.1.20/doc/options.html	2005-07-10 17:17:38.000000000 +0200
@@ -103,6 +103,14 @@
 <TD>sasldb_path</TD><TD>sasldb plugin</TD>
 <TD>Path to sasldb file</TD><TD><tt>/etc/sasldb2</tt> (system dependant)</TD>
 <TR>
+<TD>password_format</TD><TD></TD>
+<TD>Method of password storage (possible values: 'plain', 'crypt', 'crypt_trad').
+Default 'plain' is down-compatible with earlier versions. 'crypt_trad'
+uses old crypt format of 2 chars salt, 'crypt' automagically recognizes crypt
+formats from md5 crypt, blowfish crypt and old crypt (2 chars salt).</TD>
+<TD>plain</TD>
+</TR>
+<TR>
 <TD>sql_engine</TD><TD>SQL plugin</TD>
 <TD>Name of SQL engine to use (possible values: 'mysql', 'pgsql', 'sqlite').</TD>
 <TD><tt>mysql</tt></TD>
diff -ruN cyrus-sasl-2.1.20-orig/lib/checkpw.c cyrus-sasl-2.1.20/lib/checkpw.c
--- cyrus-sasl-2.1.20-orig/lib/checkpw.c	2004-03-17 14:58:13.000000000 +0100
+++ cyrus-sasl-2.1.20/lib/checkpw.c	2005-07-10 16:17:11.000000000 +0200
@@ -94,6 +94,23 @@
 # endif
 #endif
 
+/******************************
+ * crypt(3) patch start       *
+ ******************************/
+char *crypt(const char *key, const char *salt);
+
+/* cleartext password formats */
+#define PASSWORD_FORMAT_CLEARTEXT 1
+#define PASSWORD_FORMAT_CRYPT 2
+#define PASSWORD_FORMAT_CRYPTTRAD 3
+#define PASSWORD_SALT_BUF_LEN 22
+
+/* weeds out crypt(3) password's salt */
+int _sasl_get_salt (char *dest, char *src, int format);
+
+/******************************
+ * crypt(3) patch stop        *
+ ******************************/
 
 /* we store the following secret to check plaintext passwords:
  *
@@ -143,7 +160,51 @@
 				       "*cmusaslsecretPLAIN",
 				       NULL };
     struct propval auxprop_values[3];
-    
+
+	/******************************
+	 * crypt(3) patch start       *
+	 * for password format check  *
+	 ******************************/
+    sasl_getopt_t *getopt;
+    void *context;
+    const char *p = NULL;
+	/**
+	 * MD5: 12 char salt
+	 * BLOWFISH: 16 char salt
+	 */
+	char salt[PASSWORD_SALT_BUF_LEN];
+	int password_format;
+
+	/* get password format from auxprop configuration */
+	if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
+		getopt(context, NULL, "password_format", &p, NULL);
+	}
+
+	/* set password format */
+	if (p) {
+		/*
+		memset(pass_format_str, '\0', PASSWORD_FORMAT_STR_LEN);
+		strncpy(pass_format_str, p, (PASSWORD_FORMAT_STR_LEN - 1));
+		*/
+		/* modern, modular crypt(3) */
+		if (strncmp(p, "crypt", 11) == 0)
+			password_format = PASSWORD_FORMAT_CRYPT;
+		/* traditional crypt(3) */
+		else if (strncmp(p, "crypt_trad", 11) == 0)
+			password_format = PASSWORD_FORMAT_CRYPTTRAD;
+		/* cleartext password */
+		else
+			password_format = PASSWORD_FORMAT_CLEARTEXT;
+	} else {
+		/* cleartext password */
+		password_format = PASSWORD_FORMAT_CLEARTEXT;
+	}
+
+	/******************************
+	 * crypt(3) patch stop        *
+	 * for password format check  *
+	 ******************************/
+
     if (!conn || !userstr)
 	return SASL_BADPARAM;
 
@@ -180,14 +241,31 @@
 	goto done;
     }
 
-    /* At the point this has been called, the username has been canonified
-     * and we've done the auxprop lookup.  This should be easy. */
-    if(auxprop_values[0].name
-       && auxprop_values[0].values
-       && auxprop_values[0].values[0]
-       && !strcmp(auxprop_values[0].values[0], passwd)) {
-	/* We have a plaintext version and it matched! */
-	return SASL_OK;
+
+	/******************************
+	 * crypt(3) patch start       *
+	 ******************************/	
+
+	/* get salt */
+	_sasl_get_salt(salt, (char *) auxprop_values[0].values[0], password_format);
+	
+	/* crypt(3)-ed password? */
+	if (password_format != PASSWORD_FORMAT_CLEARTEXT) {
+		/* compare password */
+		if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(crypt(passwd, salt), auxprop_values[0].values[0]) == 0)
+			return SASL_OK;
+		else
+			ret = SASL_BADAUTH;
+	}
+	else if (password_format == PASSWORD_FORMAT_CLEARTEXT) {
+		/* compare passwords */
+		if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(auxprop_values[0].values[0], passwd) == 0)
+			return SASL_OK;
+		else
+			ret = SASL_BADAUTH;
+	/******************************
+	 * crypt(3) patch stop        *
+	 ******************************/
     } else if(auxprop_values[1].name
 	      && auxprop_values[1].values
 	      && auxprop_values[1].values[0]) {
@@ -975,3 +1053,37 @@
 #endif     
     { NULL, NULL }
 };
+
+/* weeds out crypt(3) password's salt */
+int _sasl_get_salt (char *dest, char *src, int format) {
+	int num;	/* how many characters is salt long? */
+	switch (format) {
+		case PASSWORD_FORMAT_CRYPT:
+			/* md5 crypt */
+			if (src[1] == '1')
+				num = 12;
+			/* blowfish crypt */
+			else if (src[1] == '2')
+				num = (src[1] == '2' && src[2] == 'a') ? 17 : 16;
+			/* traditional crypt */
+			else
+				num = 2;
+			break;
+	
+		case PASSWORD_FORMAT_CRYPTTRAD:
+			num = 2;
+			break;
+
+		default:
+			return 1;
+	}
+
+	/* destroy destination */
+	memset(dest, '\0', (num + 1));
+
+	/* copy salt to destination */
+	strncpy(dest, src, num);
+
+	return 1;
+}
+
Commit	Line	Data
afbe97ef	1	diff -ur cyrus-sasl-2.1.19.orig/Makefile.in cyrus-sasl-2.1.19/Makefile.in
	2	--- cyrus-sasl-2.1.19.orig/Makefile.in 2005-07-04 23:59:31.000000000 +0200
	3	+++ cyrus-sasl-2.1.19/Makefile.in 2005-07-05 00:04:27.000000000 +0200
	4	@@ -134,7 +134,7 @@
	5	JAVA_TRUE = @JAVA_TRUE@
	6	LDFLAGS = @LDFLAGS@
	7	LIBOBJS = @LIBOBJS@
	8	-LIBS = @LIBS@
	9	+LIBS = -lcrypt @LIBS@
	10	LIBTOOL = @LIBTOOL@
	11	LIB_CRYPT = @LIB_CRYPT@
	12	LIB_DES = @LIB_DES@
	13	diff -ruN cyrus-sasl-2.1.20-orig/doc/options.html cyrus-sasl-2.1.20/doc/options.html
	14	--- cyrus-sasl-2.1.20-orig/doc/options.html 2004-05-27 18:02:58.000000000 +0200
	15	+++ cyrus-sasl-2.1.20/doc/options.html 2005-07-10 17:17:38.000000000 +0200
	16	@@ -103,6 +103,14 @@
	17	<TD>sasldb_path</TD><TD>sasldb plugin</TD>
	18	<TD>Path to sasldb file</TD><TD><tt>/etc/sasldb2</tt> (system dependant)</TD>
	19	<TR>
	20	+<TD>password_format</TD><TD></TD>
	21	+<TD>Method of password storage (possible values: 'plain', 'crypt', 'crypt_trad').
	22	+Default 'plain' is down-compatible with earlier versions. 'crypt_trad'
	23	+uses old crypt format of 2 chars salt, 'crypt' automagically recognizes crypt
	24	+formats from md5 crypt, blowfish crypt and old crypt (2 chars salt).</TD>
	25	+<TD>plain</TD>
	26	+</TR>
	27	+<TR>
	28	<TD>sql_engine</TD><TD>SQL plugin</TD>
	29	<TD>Name of SQL engine to use (possible values: 'mysql', 'pgsql', 'sqlite').</TD>
	30	<TD><tt>mysql</tt></TD>
	31	diff -ruN cyrus-sasl-2.1.20-orig/lib/checkpw.c cyrus-sasl-2.1.20/lib/checkpw.c
	32	--- cyrus-sasl-2.1.20-orig/lib/checkpw.c 2004-03-17 14:58:13.000000000 +0100
	33	+++ cyrus-sasl-2.1.20/lib/checkpw.c 2005-07-10 16:17:11.000000000 +0200
	34	@@ -94,6 +94,23 @@
	35	# endif
	36	#endif
	37
	38	+/******************************
	39	+ * crypt(3) patch start *
	40	+ ******************************/
	41	+char crypt(const char key, const char *salt);
	42	+
	43	+/* cleartext password formats */
	44	+#define PASSWORD_FORMAT_CLEARTEXT 1
	45	+#define PASSWORD_FORMAT_CRYPT 2
	46	+#define PASSWORD_FORMAT_CRYPTTRAD 3
	47	+#define PASSWORD_SALT_BUF_LEN 22
	48	+
	49	+/* weeds out crypt(3) password's salt */
	50	+int _sasl_get_salt (char dest, char src, int format);
	51	+
	52	+/******************************
	53	+ * crypt(3) patch stop *
	54	+ ******************************/
	55
	56	/* we store the following secret to check plaintext passwords:
	57	*
	58	@@ -143,7 +160,51 @@
	59	"*cmusaslsecretPLAIN",
	60	NULL };
	61	struct propval auxprop_values[3];
	62	-
	63	+
	64	+ /******************************
65	+ * crypt(3) patch start *
66	+ * for password format check *
67	+ ******************************/
68	+ sasl_getopt_t *getopt;
69	+ void *context;
70	+ const char *p = NULL;
71	+ /**
72	+ * MD5: 12 char salt
73	+ * BLOWFISH: 16 char salt
74	+ */
75	+ char salt[PASSWORD_SALT_BUF_LEN];
76	+ int password_format;
77	+
78	+ /* get password format from auxprop configuration */
79	+ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
80	+ getopt(context, NULL, "password_format", &p, NULL);
81	+ }
82	+
83	+ /* set password format */
84	+ if (p) {
85	+ /*
86	+ memset(pass_format_str, '\0', PASSWORD_FORMAT_STR_LEN);
87	+ strncpy(pass_format_str, p, (PASSWORD_FORMAT_STR_LEN - 1));
88	+ */
89	+ /* modern, modular crypt(3) */
90	+ if (strncmp(p, "crypt", 11) == 0)
91	+ password_format = PASSWORD_FORMAT_CRYPT;
92	+ /* traditional crypt(3) */
93	+ else if (strncmp(p, "crypt_trad", 11) == 0)
94	+ password_format = PASSWORD_FORMAT_CRYPTTRAD;
95	+ /* cleartext password */
96	+ else
97	+ password_format = PASSWORD_FORMAT_CLEARTEXT;
98	+ } else {
99	+ /* cleartext password */
100	+ password_format = PASSWORD_FORMAT_CLEARTEXT;
101	+ }
102	+
103	+ /******************************
104	+ * crypt(3) patch stop *
105	+ * for password format check *
106	+ ******************************/
107	+
108	if (!conn \|\| !userstr)
109	return SASL_BADPARAM;
110
111	@@ -180,14 +241,31 @@
112	goto done;
113	}
114
115	- /* At the point this has been called, the username has been canonified
116	- * and we've done the auxprop lookup. This should be easy. */
117	- if(auxprop_values[0].name
118	- && auxprop_values[0].values
119	- && auxprop_values[0].values[0]
120	- && !strcmp(auxprop_values[0].values[0], passwd)) {
121	- /* We have a plaintext version and it matched! */
122	- return SASL_OK;
123	+
124	+ /******************************
125	+ * crypt(3) patch start *
126	+ ******************************/
127	+
128	+ /* get salt */
129	+ _sasl_get_salt(salt, (char *) auxprop_values[0].values[0], password_format);
130	+
131	+ /* crypt(3)-ed password? */
132	+ if (password_format != PASSWORD_FORMAT_CLEARTEXT) {
133	+ /* compare password */
134	+ if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(crypt(passwd, salt), auxprop_values[0].values[0]) == 0)
135	+ return SASL_OK;
136	+ else
137	+ ret = SASL_BADAUTH;
138	+ }
139	+ else if (password_format == PASSWORD_FORMAT_CLEARTEXT) {
140	+ /* compare passwords */
141	+ if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(auxprop_values[0].values[0], passwd) == 0)
142	+ return SASL_OK;
143	+ else
144	+ ret = SASL_BADAUTH;
145	+ /******************************
146	+ * crypt(3) patch stop *
147	+ ******************************/
148	} else if(auxprop_values[1].name
149	&& auxprop_values[1].values
150	&& auxprop_values[1].values[0]) {
151	@@ -975,3 +1053,37 @@
152	#endif
153	{ NULL, NULL }
154	};
155	+
156	+/* weeds out crypt(3) password's salt */
157	+int _sasl_get_salt (char dest, char src, int format) {
158	+ int num; /* how many characters is salt long? */
159	+ switch (format) {
160	+ case PASSWORD_FORMAT_CRYPT:
161	+ /* md5 crypt */
162	+ if (src[1] == '1')
163	+ num = 12;
164	+ /* blowfish crypt */
165	+ else if (src[1] == '2')
166	+ num = (src[1] == '2' && src[2] == 'a') ? 17 : 16;
167	+ /* traditional crypt */
168	+ else
169	+ num = 2;
170	+ break;
171	+
172	+ case PASSWORD_FORMAT_CRYPTTRAD:
173	+ num = 2;
174	+ break;
175	+
176	+ default:
177	+ return 1;
178	+ }
179	+
180	+ /* destroy destination */
181	+ memset(dest, '\0', (num + 1));
182	+
183	+ /* copy salt to destination */
184	+ strncpy(dest, src, num);
185	+
186	+ return 1;
187	+}
188	+