[packages/cyrus-sasl.git] / cyrus-sasl-cryptedpw.patch

diff -ur cyrus-sasl-2.1.19.orig/Makefile.in cyrus-sasl-2.1.19/Makefile.in
--- cyrus-sasl-2.1.19.orig/Makefile.in        2005-07-04 23:59:31.000000000 +0200
+++ cyrus-sasl-2.1.19/Makefile.in 2005-07-05 00:04:27.000000000 +0200
@@ -134,7 +134,7 @@
 JAVA_TRUE = @JAVA_TRUE@
 LDFLAGS = @LDFLAGS@
 LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
+LIBS = -lcrypt @LIBS@
 LIBTOOL = @LIBTOOL@
 LIB_CRYPT = @LIB_CRYPT@
 LIB_DES = @LIB_DES@
diff -ruN cyrus-sasl-2.1.20-orig/doc/options.html cyrus-sasl-2.1.20/doc/options.html
--- cyrus-sasl-2.1.20-orig/doc/options.html	2004-05-27 18:02:58.000000000 +0200
+++ cyrus-sasl-2.1.20/doc/options.html	2005-07-10 17:17:38.000000000 +0200
@@ -103,6 +103,14 @@
 <TD>sasldb_path</TD><TD>sasldb plugin</TD>
 <TD>Path to sasldb file</TD><TD><tt>/etc/sasldb2</tt> (system dependant)</TD>
 <TR>
+<TD>password_format</TD><TD></TD>
+<TD>Method of password storage (possible values: 'plain', 'crypt', 'crypt_trad').
+Default 'plain' is down-compatible with earlier versions. 'crypt_trad'
+uses old crypt format of 2 chars salt, 'crypt' automagically recognizes crypt
+formats from md5 crypt, blowfish crypt and old crypt (2 chars salt).</TD>
+<TD>plain</TD>
+</TR>
+<TR>
 <TD>sql_engine</TD><TD>SQL plugin</TD>
 <TD>Name of SQL engine to use (possible values: 'mysql', 'pgsql', 'sqlite').</TD>
 <TD><tt>mysql</tt></TD>
--- cyrus-sasl-2.1.25/lib/checkpw.c.orig	2009-12-03 20:07:01.000000000 +0100
+++ cyrus-sasl-2.1.25/lib/checkpw.c	2011-09-16 21:27:43.302773195 +0200
@@ -95,6 +95,23 @@
 # endif
 #endif
 
+/******************************
+ * crypt(3) patch start       *
+ ******************************/
+char *crypt(const char *key, const char *salt);
+
+/* cleartext password formats */
+#define PASSWORD_FORMAT_CLEARTEXT 1
+#define PASSWORD_FORMAT_CRYPT 2
+#define PASSWORD_FORMAT_CRYPTTRAD 3
+#define PASSWORD_SALT_BUF_LEN 22
+
+/* weeds out crypt(3) password's salt */
+int _sasl_get_salt (char *dest, char *src, int format);
+
+/******************************
+ * crypt(3) patch stop        *
+ ******************************/
 
 /* we store the following secret to check plaintext passwords:
  *
@@ -142,7 +159,51 @@
 				       "*cmusaslsecretPLAIN",
 				       NULL };
     struct propval auxprop_values[3];
-    
+
+	/******************************
+	 * crypt(3) patch start       *
+	 * for password format check  *
+	 ******************************/
+    sasl_getopt_t *getopt;
+    void *context;
+    const char *p = NULL;
+	/**
+	 * MD5: 12 char salt
+	 * BLOWFISH: 16 char salt
+	 */
+	char salt[PASSWORD_SALT_BUF_LEN];
+	int password_format;
+
+	/* get password format from auxprop configuration */
+	if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
+		getopt(context, NULL, "password_format", &p, NULL);
+	}
+
+	/* set password format */
+	if (p) {
+		/*
+		memset(pass_format_str, '\0', PASSWORD_FORMAT_STR_LEN);
+		strncpy(pass_format_str, p, (PASSWORD_FORMAT_STR_LEN - 1));
+		*/
+		/* modern, modular crypt(3) */
+		if (strncmp(p, "crypt", 11) == 0)
+			password_format = PASSWORD_FORMAT_CRYPT;
+		/* traditional crypt(3) */
+		else if (strncmp(p, "crypt_trad", 11) == 0)
+			password_format = PASSWORD_FORMAT_CRYPTTRAD;
+		/* cleartext password */
+		else
+			password_format = PASSWORD_FORMAT_CLEARTEXT;
+	} else {
+		/* cleartext password */
+		password_format = PASSWORD_FORMAT_CLEARTEXT;
+	}
+
+	/******************************
+	 * crypt(3) patch stop        *
+	 * for password format check  *
+	 ******************************/
+
     if (!conn || !userstr)
 	return SASL_BADPARAM;
 
@@ -188,14 +249,31 @@
 	return SASL_NOUSER;
     }
         
-    /* At the point this has been called, the username has been canonified
-     * and we've done the auxprop lookup.  This should be easy. */
-    if(auxprop_values[0].name
-       && auxprop_values[0].values
-       && auxprop_values[0].values[0]
-       && !strcmp(auxprop_values[0].values[0], passwd)) {
-	/* We have a plaintext version and it matched! */
-	return SASL_OK;
+
+	/******************************
+	 * crypt(3) patch start       *
+	 ******************************/	
+
+	/* get salt */
+	_sasl_get_salt(salt, (char *) auxprop_values[0].values[0], password_format);
+	
+	/* crypt(3)-ed password? */
+	if (password_format != PASSWORD_FORMAT_CLEARTEXT) {
+		/* compare password */
+		if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(crypt(passwd, salt), auxprop_values[0].values[0]) == 0)
+			return SASL_OK;
+		else
+			ret = SASL_BADAUTH;
+	}
+	else if (password_format == PASSWORD_FORMAT_CLEARTEXT) {
+		/* compare passwords */
+		if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(auxprop_values[0].values[0], passwd) == 0)
+			return SASL_OK;
+		else
+			ret = SASL_BADAUTH;
+	/******************************
+	 * crypt(3) patch stop        *
+	 ******************************/
     } else if(auxprop_values[1].name
 	      && auxprop_values[1].values
 	      && auxprop_values[1].values[0]) {
@@ -1095,3 +1173,37 @@
 #endif
     { NULL, NULL }
 };
+
+/* weeds out crypt(3) password's salt */
+int _sasl_get_salt (char *dest, char *src, int format) {
+	int num;	/* how many characters is salt long? */
+	switch (format) {
+		case PASSWORD_FORMAT_CRYPT:
+			/* md5 crypt */
+			if (src[1] == '1')
+				num = 12;
+			/* blowfish crypt */
+			else if (src[1] == '2')
+				num = (src[1] == '2' && src[2] == 'a') ? 17 : 16;
+			/* traditional crypt */
+			else
+				num = 2;
+			break;
+	
+		case PASSWORD_FORMAT_CRYPTTRAD:
+			num = 2;
+			break;
+
+		default:
+			return 1;
+	}
+
+	/* destroy destination */
+	memset(dest, '\0', (num + 1));
+
+	/* copy salt to destination */
+	strncpy(dest, src, num);
+
+	return 1;
+}
+
Commit	Line	Data
afbe97ef	1	diff -ur cyrus-sasl-2.1.19.orig/Makefile.in cyrus-sasl-2.1.19/Makefile.in
	2	--- cyrus-sasl-2.1.19.orig/Makefile.in 2005-07-04 23:59:31.000000000 +0200
	3	+++ cyrus-sasl-2.1.19/Makefile.in 2005-07-05 00:04:27.000000000 +0200
	4	@@ -134,7 +134,7 @@
	5	JAVA_TRUE = @JAVA_TRUE@
	6	LDFLAGS = @LDFLAGS@
	7	LIBOBJS = @LIBOBJS@
	8	-LIBS = @LIBS@
	9	+LIBS = -lcrypt @LIBS@
	10	LIBTOOL = @LIBTOOL@
	11	LIB_CRYPT = @LIB_CRYPT@
	12	LIB_DES = @LIB_DES@
	13	diff -ruN cyrus-sasl-2.1.20-orig/doc/options.html cyrus-sasl-2.1.20/doc/options.html
	14	--- cyrus-sasl-2.1.20-orig/doc/options.html 2004-05-27 18:02:58.000000000 +0200
	15	+++ cyrus-sasl-2.1.20/doc/options.html 2005-07-10 17:17:38.000000000 +0200
	16	@@ -103,6 +103,14 @@
	17	<TD>sasldb_path</TD><TD>sasldb plugin</TD>
	18	<TD>Path to sasldb file</TD><TD><tt>/etc/sasldb2</tt> (system dependant)</TD>
	19	<TR>
	20	+<TD>password_format</TD><TD></TD>
	21	+<TD>Method of password storage (possible values: 'plain', 'crypt', 'crypt_trad').
	22	+Default 'plain' is down-compatible with earlier versions. 'crypt_trad'
	23	+uses old crypt format of 2 chars salt, 'crypt' automagically recognizes crypt
	24	+formats from md5 crypt, blowfish crypt and old crypt (2 chars salt).</TD>
	25	+<TD>plain</TD>
	26	+</TR>
	27	+<TR>
	28	<TD>sql_engine</TD><TD>SQL plugin</TD>
	29	<TD>Name of SQL engine to use (possible values: 'mysql', 'pgsql', 'sqlite').</TD>
	30	<TD><tt>mysql</tt></TD>
94e6777d JB	31	--- cyrus-sasl-2.1.25/lib/checkpw.c.orig 2009-12-03 20:07:01.000000000 +0100
	32	+++ cyrus-sasl-2.1.25/lib/checkpw.c 2011-09-16 21:27:43.302773195 +0200
	33	@@ -95,6 +95,23 @@
afbe97ef	34	# endif
	35	#endif
	36
	37	+/******************************
	38	+ * crypt(3) patch start *
	39	+ ******************************/
	40	+char crypt(const char key, const char *salt);
	41	+
	42	+/* cleartext password formats */
	43	+#define PASSWORD_FORMAT_CLEARTEXT 1
	44	+#define PASSWORD_FORMAT_CRYPT 2
	45	+#define PASSWORD_FORMAT_CRYPTTRAD 3
	46	+#define PASSWORD_SALT_BUF_LEN 22
	47	+
	48	+/* weeds out crypt(3) password's salt */
	49	+int _sasl_get_salt (char dest, char src, int format);
	50	+
	51	+/******************************
	52	+ * crypt(3) patch stop *
	53	+ ******************************/
	54
	55	/* we store the following secret to check plaintext passwords:
	56	*
94e6777d	57	@@ -142,7 +159,51 @@
afbe97ef	58	"*cmusaslsecretPLAIN",
	59	NULL };
	60	struct propval auxprop_values[3];
	61	-
	62	+
	63	+ /******************************
	64	+ * crypt(3) patch start *
	65	+ * for password format check *
	66	+ ******************************/
	67	+ sasl_getopt_t *getopt;
	68	+ void *context;
	69	+ const char *p = NULL;
	70	+ /**
	71	+ * MD5: 12 char salt
	72	+ * BLOWFISH: 16 char salt
	73	+ */
	74	+ char salt[PASSWORD_SALT_BUF_LEN];
	75	+ int password_format;
	76	+
	77	+ /* get password format from auxprop configuration */
	78	+ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
	79	+ getopt(context, NULL, "password_format", &p, NULL);
	80	+ }
	81	+
	82	+ /* set password format */
	83	+ if (p) {
	84	+ /*
	85	+ memset(pass_format_str, '\0', PASSWORD_FORMAT_STR_LEN);
	86	+ strncpy(pass_format_str, p, (PASSWORD_FORMAT_STR_LEN - 1));
	87	+ */
	88	+ /* modern, modular crypt(3) */
	89	+ if (strncmp(p, "crypt", 11) == 0)
	90	+ password_format = PASSWORD_FORMAT_CRYPT;
	91	+ /* traditional crypt(3) */
	92	+ else if (strncmp(p, "crypt_trad", 11) == 0)
	93	+ password_format = PASSWORD_FORMAT_CRYPTTRAD;
	94	+ /* cleartext password */
	95	+ else
	96	+ password_format = PASSWORD_FORMAT_CLEARTEXT;
	97	+ } else {
	98	+ /* cleartext password */
	99	+ password_format = PASSWORD_FORMAT_CLEARTEXT;
	100	+ }
	101	+
	102	+ /******************************
	103	+ * crypt(3) patch stop *
	104	+ * for password format check *
	105	+ ******************************/
	106	+
	107	if (!conn \|\| !userstr)
	108	return SASL_BADPARAM;
	109
94e6777d JB	110	@@ -188,14 +249,31 @@
94e6777d JB	111	return SASL_NOUSER;
afbe97ef	112	}
94e6777d	113
afbe97ef	114	- /* At the point this has been called, the username has been canonified
	115	- * and we've done the auxprop lookup. This should be easy. */
	116	- if(auxprop_values[0].name
	117	- && auxprop_values[0].values
	118	- && auxprop_values[0].values[0]
	119	- && !strcmp(auxprop_values[0].values[0], passwd)) {
	120	- /* We have a plaintext version and it matched! */
	121	- return SASL_OK;
	122	+
	123	+ /******************************
	124	+ * crypt(3) patch start *
	125	+ ******************************/
	126	+
	127	+ /* get salt */
	128	+ _sasl_get_salt(salt, (char *) auxprop_values[0].values[0], password_format);
	129	+
	130	+ /* crypt(3)-ed password? */
	131	+ if (password_format != PASSWORD_FORMAT_CLEARTEXT) {
	132	+ /* compare password */
	133	+ if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(crypt(passwd, salt), auxprop_values[0].values[0]) == 0)
	134	+ return SASL_OK;
	135	+ else
	136	+ ret = SASL_BADAUTH;
	137	+ }
	138	+ else if (password_format == PASSWORD_FORMAT_CLEARTEXT) {
	139	+ /* compare passwords */
	140	+ if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(auxprop_values[0].values[0], passwd) == 0)
	141	+ return SASL_OK;
	142	+ else
	143	+ ret = SASL_BADAUTH;
	144	+ /******************************
	145	+ * crypt(3) patch stop *
	146	+ ******************************/
	147	} else if(auxprop_values[1].name
	148	&& auxprop_values[1].values
	149	&& auxprop_values[1].values[0]) {
94e6777d JB	150	@@ -1095,3 +1173,37 @@
94e6777d JB	151	#endif
afbe97ef	152	{ NULL, NULL }
	153	};
	154	+
	155	+/* weeds out crypt(3) password's salt */
	156	+int _sasl_get_salt (char dest, char src, int format) {
	157	+ int num; /* how many characters is salt long? */
	158	+ switch (format) {
	159	+ case PASSWORD_FORMAT_CRYPT:
	160	+ /* md5 crypt */
	161	+ if (src[1] == '1')
	162	+ num = 12;
	163	+ /* blowfish crypt */
	164	+ else if (src[1] == '2')
	165	+ num = (src[1] == '2' && src[2] == 'a') ? 17 : 16;
	166	+ /* traditional crypt */
	167	+ else
	168	+ num = 2;
	169	+ break;
	170	+
	171	+ case PASSWORD_FORMAT_CRYPTTRAD:
	172	+ num = 2;
	173	+ break;
	174	+
	175	+ default:
	176	+ return 1;
	177	+ }
	178	+
	179	+ /* destroy destination */
	180	+ memset(dest, '\0', (num + 1));
	181	+
	182	+ /* copy salt to destination */
	183	+ strncpy(dest, src, num);
	184	+
	185	+ return 1;
	186	+}
	187	+