- new gcc doesn't like more things
[packages/cyrus-sasl.git] / cyrus-sasl-cryptedpw.patch
1 diff -ur cyrus-sasl-2.1.19.orig/Makefile.in cyrus-sasl-2.1.19/Makefile.in
2 --- cyrus-sasl-2.1.19.orig/Makefile.in        2005-07-04 23:59:31.000000000 +0200
3 +++ cyrus-sasl-2.1.19/Makefile.in 2005-07-05 00:04:27.000000000 +0200
4 @@ -134,7 +134,7 @@
5  JAVA_TRUE = @JAVA_TRUE@
6  LDFLAGS = @LDFLAGS@
7  LIBOBJS = @LIBOBJS@
8 -LIBS = @LIBS@
9 +LIBS = -lcrypt @LIBS@
10  LIBTOOL = @LIBTOOL@
11  LIB_CRYPT = @LIB_CRYPT@
12  LIB_DES = @LIB_DES@
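Review bot: The new `LIBS = -lcrypt @LIBS@` line hard-codes the library name even though the configure-substituted `LIB_CRYPT = @LIB_CRYPT@` sits two lines below in the same hunk. Writing `LIBS = @LIB_CRYPT@ @LIBS@` would follow whatever configure detected, which matters on systems where crypt() lives in libc or in a differently named library. The edit is also made to Makefile.in, which is presumably generated, so it may be lost when the build files are regenerated.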
13 diff -ruN cyrus-sasl-2.1.20-orig/doc/options.html cyrus-sasl-2.1.20/doc/options.html
14 --- cyrus-sasl-2.1.20-orig/doc/options.html     2004-05-27 18:02:58.000000000 +0200
15 +++ cyrus-sasl-2.1.20/doc/options.html  2005-07-10 17:17:38.000000000 +0200
16 @@ -103,6 +103,14 @@
17  <TD>sasldb_path</TD><TD>sasldb plugin</TD>
18  <TD>Path to sasldb file</TD><TD><tt>/etc/sasldb2</tt> (system dependant)</TD>
19  <TR>
20 +<TD>password_format</TD><TD></TD>
21 +<TD>Method of password storage (possible values: 'plain', 'crypt', 'crypt_trad').
22 +Default 'plain' is down-compatible with earlier versions. 'crypt_trad'
23 +uses old crypt format of 2 chars salt, 'crypt' automagically recognizes crypt
24 +formats from md5 crypt, blowfish crypt and old crypt (2 chars salt).</TD>
25 +<TD>plain</TD>
26 +</TR>
27 +<TR>
28  <TD>sql_engine</TD><TD>SQL plugin</TD>
29  <TD>Name of SQL engine to use (possible values: 'mysql', 'pgsql', 'sqlite').</TD>
30  <TD><tt>mysql</tt></TD>
31 diff -ruN cyrus-sasl-2.1.20-orig/lib/checkpw.c cyrus-sasl-2.1.20/lib/checkpw.c
32 --- cyrus-sasl-2.1.20-orig/lib/checkpw.c        2004-03-17 14:58:13.000000000 +0100
33 +++ cyrus-sasl-2.1.20/lib/checkpw.c     2005-07-10 16:17:11.000000000 +0200
34 @@ -94,6 +94,23 @@
35  # endif
36  #endif
37  
38 +/******************************
39 + * crypt(3) patch start       *
40 + ******************************/
41 +char *crypt(const char *key, const char *salt);
42 +
43 +/* cleartext password formats */
44 +#define PASSWORD_FORMAT_CLEARTEXT 1
45 +#define PASSWORD_FORMAT_CRYPT 2
46 +#define PASSWORD_FORMAT_CRYPTTRAD 3
47 +#define PASSWORD_SALT_BUF_LEN 22
48 +
49 +/* weeds out crypt(3) password's salt */
50 +int _sasl_get_salt (char *dest, char *src, int format);
51 +
52 +/******************************
53 + * crypt(3) patch stop        *
54 + ******************************/
55  
56  /* we store the following secret to check plaintext passwords:
57   *
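Review bot: The hand-written prototype `char *crypt(const char *key, const char *salt);` stands in for the system header, so a platform whose declaration differs or needs a feature macro gets no diagnostic. Including the header that declares crypt(3) on the target (typically `<crypt.h>` or `<unistd.h>`), behind whatever configure check the tree provides, would be more robust. The comment `/* cleartext password formats */` labels constants of which two are hashed formats; `/* password storage formats */` describes them accurately. `PASSWORD_SALT_BUF_LEN 22` deserves a comment stating which crypt(3) setting string it is sized for, since the helper added at the end of this patch writes up to 18 bytes into it.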
58 @@ -143,7 +160,51 @@
59                                        "*cmusaslsecretPLAIN",
60                                        NULL };
61      struct propval auxprop_values[3];
62 -    
63 +
64 +       /******************************
65 +        * crypt(3) patch start       *
66 +        * for password format check  *
67 +        ******************************/
68 +    sasl_getopt_t *getopt;
69 +    void *context;
70 +    const char *p = NULL;
71 +       /**
72 +        * MD5: 12 char salt
73 +        * BLOWFISH: 16 char salt
74 +        */
75 +       char salt[PASSWORD_SALT_BUF_LEN];
76 +       int password_format;
77 +
78 +       /* get password format from auxprop configuration */
79 +       if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
80 +               getopt(context, NULL, "password_format", &p, NULL);
81 +       }
82 +
83 +       /* set password format */
84 +       if (p) {
85 +               /*
86 +               memset(pass_format_str, '\0', PASSWORD_FORMAT_STR_LEN);
87 +               strncpy(pass_format_str, p, (PASSWORD_FORMAT_STR_LEN - 1));
88 +               */
89 +               /* modern, modular crypt(3) */
90 +               if (strncmp(p, "crypt", 11) == 0)
91 +                       password_format = PASSWORD_FORMAT_CRYPT;
92 +               /* traditional crypt(3) */
93 +               else if (strncmp(p, "crypt_trad", 11) == 0)
94 +                       password_format = PASSWORD_FORMAT_CRYPTTRAD;
95 +               /* cleartext password */
96 +               else
97 +                       password_format = PASSWORD_FORMAT_CLEARTEXT;
98 +       } else {
99 +               /* cleartext password */
100 +               password_format = PASSWORD_FORMAT_CLEARTEXT;
101 +       }
102 +
103 +       /******************************
104 +        * crypt(3) patch stop        *
105 +        * for password format check  *
106 +        ******************************/
107 +
108      if (!conn || !userstr)
109         return SASL_BADPARAM;
110  
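Review bot: Any `password_format` value other than the two recognised strings falls through to `PASSWORD_FORMAT_CLEARTEXT` in the final `else`, so a misspelt option silently makes the verifier compare the submitted password against the stored crypt(3) string itself. Failing closed is safer here: log the unrecognised value and return an error instead of downgrading to cleartext comparison. `strncmp(p, "crypt", 11)` behaves like `strcmp` because the bound exceeds both literals, so `strcmp(p, "crypt") == 0` says the same thing without the magic number. The block also calls `_sasl_getcallback(conn, ...)` ahead of the existing `if (!conn || !userstr)` check; whether that helper tolerates a NULL conn is not visible here, so doing the option lookup after the check would be the conservative order. The enclosing function starts and ends outside this hunk.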
111 @@ -180,14 +241,31 @@
112         goto done;
113      }
114  
115 -    /* At the point this has been called, the username has been canonified
116 -     * and we've done the auxprop lookup.  This should be easy. */
117 -    if(auxprop_values[0].name
118 -       && auxprop_values[0].values
119 -       && auxprop_values[0].values[0]
120 -       && !strcmp(auxprop_values[0].values[0], passwd)) {
121 -       /* We have a plaintext version and it matched! */
122 -       return SASL_OK;
123 +
124 +       /******************************
125 +        * crypt(3) patch start       *
126 +        ******************************/        
127 +
128 +       /* get salt */
129 +       _sasl_get_salt(salt, (char *) auxprop_values[0].values[0], password_format);
130 +       
131 +       /* crypt(3)-ed password? */
132 +       if (password_format != PASSWORD_FORMAT_CLEARTEXT) {
133 +               /* compare password */
134 +               if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(crypt(passwd, salt), auxprop_values[0].values[0]) == 0)
135 +                       return SASL_OK;
136 +               else
137 +                       ret = SASL_BADAUTH;
138 +       }
139 +       else if (password_format == PASSWORD_FORMAT_CLEARTEXT) {
140 +               /* compare passwords */
141 +               if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(auxprop_values[0].values[0], passwd) == 0)
142 +                       return SASL_OK;
143 +               else
144 +                       ret = SASL_BADAUTH;
145 +       /******************************
146 +        * crypt(3) patch stop        *
147 +        ******************************/
148      } else if(auxprop_values[1].name
149               && auxprop_values[1].values
150               && auxprop_values[1].values[0]) {
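Review bot: `_sasl_get_salt(salt, (char *) auxprop_values[0].values[0], password_format)` dereferences `values` before the `name && values && values[0]` guards that the removed code applied first, so an account with no userPassword property would likely crash the check instead of falling through. `crypt()` may return NULL for a setting it rejects, and that result is passed straight to `strcmp`. Because the two new branches test `!= PASSWORD_FORMAT_CLEARTEXT` and `== PASSWORD_FORMAT_CLEARTEXT`, the following `else if(auxprop_values[1].name ...` branch for `*cmusaslsecretPLAIN` can no longer be reached. The sketch below keeps the original guard and fall-through and passes the stored string itself as the crypt(3) setting, so no separate salt buffer is needed; `matched` would be declared with the other locals. The function body starts and ends outside this hunk.

```c
    /* … unchanged: auxprop lookup and error handling above … */
    matched = 0;
    if (auxprop_values[0].name
        && auxprop_values[0].values
        && auxprop_values[0].values[0]) {
        const char *stored = auxprop_values[0].values[0];
        /* crypt(3) reads its setting (prefix, cost, salt) from the stored hash */
        const char *candidate = (password_format == PASSWORD_FORMAT_CLEARTEXT)
                                    ? passwd
                                    : crypt(passwd, stored);

        /* crypt() returns NULL when it rejects the setting: treat as no match */
        matched = (candidate != NULL && strcmp(candidate, stored) == 0);
    }

    if (matched) {
        return SASL_OK;
    } else if(auxprop_values[1].name
    /* … unchanged: *cmusaslsecretPLAIN comparison … */
```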
151 @@ -975,3 +1053,37 @@
152  #endif     
153      { NULL, NULL }
154  };
155 +
156 +/* weeds out crypt(3) password's salt */
157 +int _sasl_get_salt (char *dest, char *src, int format) {
158 +       int num;        /* how many characters is salt long? */
159 +       switch (format) {
160 +               case PASSWORD_FORMAT_CRYPT:
161 +                       /* md5 crypt */
162 +                       if (src[1] == '1')
163 +                               num = 12;
164 +                       /* blowfish crypt */
165 +                       else if (src[1] == '2')
166 +                               num = (src[1] == '2' && src[2] == 'a') ? 17 : 16;
167 +                       /* traditional crypt */
168 +                       else
169 +                               num = 2;
170 +                       break;
171 +       
172 +               case PASSWORD_FORMAT_CRYPTTRAD:
173 +                       num = 2;
174 +                       break;
175 +
176 +               default:
177 +                       return 1;
178 +       }
179 +
180 +       /* destroy destination */
181 +       memset(dest, '\0', (num + 1));
182 +
183 +       /* copy salt to destination */
184 +       strncpy(dest, src, num);
185 +
186 +       return 1;
187 +}
188 +
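Review bot: `_sasl_get_salt` decides the hash type from `src[1]` alone, without checking `src[0] == '$'` or that the string is long enough, so an empty stored value is read past its terminator and a traditional hash whose second character is `1` or `2` is treated as MD5 or Blowfish. The Blowfish lengths of 16 and 17 stop partway through the setting, which for the usual `$2a$NN$` layout is 29 characters (7 of prefix and cost, then 22 of salt), so such hashes would probably never verify, and 29 would not fit in `PASSWORD_SALT_BUF_LEN` either. The function returns 1 on every path, so the caller cannot tell a recognised format from the `default` case. The simplest repair is to drop the helper and pass the stored hash to `crypt()` as its second argument; if it stays, start with `if (src[0] == '$' && src[1] == '1')`, take `src` as `const char *`, and return distinct values for success and failure.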