- allow building without Nagios support
1 diff -ur cyrus-sasl-2.1.19.orig/Makefile.in cyrus-sasl-2.1.19/Makefile.in
2 --- cyrus-sasl-2.1.19.orig/Makefile.in        2005-07-04 23:59:31.000000000 +0200
3 +++ cyrus-sasl-2.1.19/Makefile.in 2005-07-05 00:04:27.000000000 +0200
4 @@ -134,7 +134,7 @@
5  JAVA_TRUE = @JAVA_TRUE@
6  LDFLAGS = @LDFLAGS@
7  LIBOBJS = @LIBOBJS@
8 -LIBS = @LIBS@
9 +LIBS = -lcrypt @LIBS@
10  LIBTOOL = @LIBTOOL@
11  LIB_CRYPT = @LIB_CRYPT@
12  LIB_DES = @LIB_DES@
13 diff -ruN cyrus-sasl-2.1.20-orig/doc/options.html cyrus-sasl-2.1.20/doc/options.html
14 --- cyrus-sasl-2.1.20-orig/doc/options.html     2004-05-27 18:02:58.000000000 +0200
15 +++ cyrus-sasl-2.1.20/doc/options.html  2005-07-10 17:17:38.000000000 +0200
16 @@ -103,6 +103,14 @@
17  <TD>sasldb_path</TD><TD>sasldb plugin</TD>
18  <TD>Path to sasldb file</TD><TD><tt>/etc/sasldb2</tt> (system dependant)</TD>
19  <TR>
20 +<TD>password_format</TD><TD></TD>
21 +<TD>Method of password storage (possible values: 'plain', 'crypt', 'crypt_trad').
22 +Default 'plain' is down-compatible with earlier versions. 'crypt_trad'
23 +uses old crypt format of 2 chars salt, 'crypt' automagically recognizes crypt
24 +formats from md5 crypt, blowfish crypt and old crypt (2 chars salt).</TD>
25 +<TD>plain</TD>
26 +</TR>
27 +<TR>
28  <TD>sql_engine</TD><TD>SQL plugin</TD>
29  <TD>Name of SQL engine to use (possible values: 'mysql', 'pgsql', 'sqlite').</TD>
30  <TD><tt>mysql</tt></TD>
31 --- cyrus-sasl-2.1.25/lib/checkpw.c.orig        2009-12-03 20:07:01.000000000 +0100
32 +++ cyrus-sasl-2.1.25/lib/checkpw.c     2011-09-16 21:27:43.302773195 +0200
33 @@ -95,6 +95,23 @@
34  # endif
35  #endif
36  
37 +/******************************
38 + * crypt(3) patch start       *
39 + ******************************/
40 +char *crypt(const char *key, const char *salt);
41 +
42 +/* cleartext password formats */
43 +#define PASSWORD_FORMAT_CLEARTEXT 1
44 +#define PASSWORD_FORMAT_CRYPT 2
45 +#define PASSWORD_FORMAT_CRYPTTRAD 3
46 +#define PASSWORD_SALT_BUF_LEN 22
47 +
48 +/* weeds out crypt(3) password's salt */
49 +int _sasl_get_salt (char *dest, char *src, int format);
50 +
51 +/******************************
52 + * crypt(3) patch stop        *
53 + ******************************/
54  
55  /* we store the following secret to check plaintext passwords:
56   *
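Review bot: The hand-written prototype `char *crypt(const char *key, const char *salt);` bypasses the system declaration. Including the platform header (`<crypt.h>` or `<unistd.h>`, ideally behind a configure check) keeps the signature in step with the library that is actually linked. The comment `/* cleartext password formats */` mislabels the constants, since two of the three are crypt formats; `/* password storage formats selected by the password_format option */` would be accurate. `_sasl_get_salt` only reads `src`, so declaring it `const char *src` would also remove the `(char *)` cast at its call site in the later checkpw.c hunk.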
57 @@ -142,7 +159,51 @@
58                                        "*cmusaslsecretPLAIN",
59                                        NULL };
60      struct propval auxprop_values[3];
61 -    
62 +
63 +       /******************************
64 +        * crypt(3) patch start       *
65 +        * for password format check  *
66 +        ******************************/
67 +    sasl_getopt_t *getopt;
68 +    void *context;
69 +    const char *p = NULL;
70 +       /**
71 +        * MD5: 12 char salt
72 +        * BLOWFISH: 16 char salt
73 +        */
74 +       char salt[PASSWORD_SALT_BUF_LEN];
75 +       int password_format;
76 +
77 +       /* get password format from auxprop configuration */
78 +       if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
79 +               getopt(context, NULL, "password_format", &p, NULL);
80 +       }
81 +
82 +       /* set password format */
83 +       if (p) {
84 +               /*
85 +               memset(pass_format_str, '\0', PASSWORD_FORMAT_STR_LEN);
86 +               strncpy(pass_format_str, p, (PASSWORD_FORMAT_STR_LEN - 1));
87 +               */
88 +               /* modern, modular crypt(3) */
89 +               if (strncmp(p, "crypt", 11) == 0)
90 +                       password_format = PASSWORD_FORMAT_CRYPT;
91 +               /* traditional crypt(3) */
92 +               else if (strncmp(p, "crypt_trad", 11) == 0)
93 +                       password_format = PASSWORD_FORMAT_CRYPTTRAD;
94 +               /* cleartext password */
95 +               else
96 +                       password_format = PASSWORD_FORMAT_CLEARTEXT;
97 +       } else {
98 +               /* cleartext password */
99 +               password_format = PASSWORD_FORMAT_CLEARTEXT;
100 +       }
101 +
102 +       /******************************
103 +        * crypt(3) patch stop        *
104 +        * for password format check  *
105 +        ******************************/
106 +
107      if (!conn || !userstr)
108         return SASL_BADPARAM;
109  
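Review bot: An unrecognised `password_format` value falls through to `PASSWORD_FORMAT_CLEARTEXT` in the final `else`, so a typo in the option silently makes the server compare the submitted password against the stored crypt hash as plain text. Legitimate logins then fail and the hash string itself becomes the accepted credential. Accept cleartext only for an explicit value and fail otherwise, e.g. `else if (strcmp(p, "plain") == 0) password_format = PASSWORD_FORMAT_CLEARTEXT; else return SASL_FAIL;`. The `strncmp(..., 11)` calls behave like `strcmp` because 11 exceeds both literal lengths, so plain `strcmp` would say the same thing without the magic number. `_sasl_getcallback(conn, ...)` is also reached before the `if (!conn || !userstr)` check at the end of this hunk; whether it tolerates a NULL `conn` is not visible here, so the option lookup would be safer after that check. The enclosing function starts and ends outside the hunk.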
110 @@ -188,14 +249,31 @@
111         return SASL_NOUSER;
112      }
113          
114 -    /* At the point this has been called, the username has been canonified
115 -     * and we've done the auxprop lookup.  This should be easy. */
116 -    if(auxprop_values[0].name
117 -       && auxprop_values[0].values
118 -       && auxprop_values[0].values[0]
119 -       && !strcmp(auxprop_values[0].values[0], passwd)) {
120 -       /* We have a plaintext version and it matched! */
121 -       return SASL_OK;
122 +
123 +       /******************************
124 +        * crypt(3) patch start       *
125 +        ******************************/        
126 +
127 +       /* get salt */
128 +       _sasl_get_salt(salt, (char *) auxprop_values[0].values[0], password_format);
129 +       
130 +       /* crypt(3)-ed password? */
131 +       if (password_format != PASSWORD_FORMAT_CLEARTEXT) {
132 +               /* compare password */
133 +               if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(crypt(passwd, salt), auxprop_values[0].values[0]) == 0)
134 +                       return SASL_OK;
135 +               else
136 +                       ret = SASL_BADAUTH;
137 +       }
138 +       else if (password_format == PASSWORD_FORMAT_CLEARTEXT) {
139 +               /* compare passwords */
140 +               if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(auxprop_values[0].values[0], passwd) == 0)
141 +                       return SASL_OK;
142 +               else
143 +                       ret = SASL_BADAUTH;
144 +       /******************************
145 +        * crypt(3) patch stop        *
146 +        ******************************/
147      } else if(auxprop_values[1].name
148               && auxprop_values[1].values
149               && auxprop_values[1].values[0]) {
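Review bot: `_sasl_get_salt(salt, (char *) auxprop_values[0].values[0], password_format)` dereferences `auxprop_values[0].values` before the `name && values && values[0]` guard that the removed code applied first, so an account without a `userPassword` value can crash the server here. `crypt()` can return NULL for a setting string it rejects, and that result is passed straight to `strcmp`. Because the two `password_format` conditions are exhaustive, the following `else if(auxprop_values[1].name ...` branch can no longer be reached. The sketch below restores the guard, checks the `crypt()` result, and passes the stored hash itself as the setting argument, which crypt(3) accepts and which makes the separate salt buffer unnecessary. The function body continues outside the hunk, so how `ret` is used afterwards should be confirmed.

```c
    /* declared with the other locals at the top of the function */
    const char *stored = NULL;
    const char *hashed = NULL;
    int matched = 0;

    /* ... unchanged: auxprop lookup and SASL_NOUSER handling ... */

    if (auxprop_values[0].name && auxprop_values[0].values)
        stored = auxprop_values[0].values[0];

    if (stored && password_format != PASSWORD_FORMAT_CLEARTEXT) {
        /* crypt(3) reads algorithm and salt from the stored hash */
        hashed = crypt(passwd, stored);
        matched = (hashed != NULL) && strcmp(hashed, stored) == 0;
    } else if (stored) {
        matched = strcmp(stored, passwd) == 0;
    }

    if (matched) {
        return SASL_OK;
    } else if(auxprop_values[1].name
    /* ... unchanged: cmusaslsecretPLAIN branch ... */
```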
150 @@ -1095,3 +1173,37 @@
151  #endif
152      { NULL, NULL }
153  };
154 +
155 +/* weeds out crypt(3) password's salt */
156 +int _sasl_get_salt (char *dest, char *src, int format) {
157 +       int num;        /* how many characters is salt long? */
158 +       switch (format) {
159 +               case PASSWORD_FORMAT_CRYPT:
160 +                       /* md5 crypt */
161 +                       if (src[1] == '1')
162 +                               num = 12;
163 +                       /* blowfish crypt */
164 +                       else if (src[1] == '2')
165 +                               num = (src[1] == '2' && src[2] == 'a') ? 17 : 16;
166 +                       /* traditional crypt */
167 +                       else
168 +                               num = 2;
169 +                       break;
170 +       
171 +               case PASSWORD_FORMAT_CRYPTTRAD:
172 +                       num = 2;
173 +                       break;
174 +
175 +               default:
176 +                       return 1;
177 +       }
178 +
179 +       /* destroy destination */
180 +       memset(dest, '\0', (num + 1));
181 +
182 +       /* copy salt to destination */
183 +       strncpy(dest, src, num);
184 +
185 +       return 1;
186 +}
187 +
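Review bot: `_sasl_get_salt` reads `src[1]` and `src[2]` without checking that `src` is non-NULL or long enough, and it returns 1 on every path, so the caller cannot tell an extracted salt from a skipped one. The format is chosen from `src[1]` alone, without confirming `src[0] == '$'`, so any other `$id$` scheme falls into the "traditional" branch and is cut down to a two-character salt. A bcrypt setting is 29 characters (`$2a$NN$` plus 22 salt characters), so copying 16 or 17 truncates the salt; what `crypt()` then returns is implementation-dependent. `dest` is written for `num + 1` bytes with no size parameter, which only holds while `PASSWORD_SALT_BUF_LEN` stays above 17. Passing the stored hash directly as the `crypt()` setting would remove the need for this helper. If it is kept, it should take a destination size, validate `src`, and return distinct values for success and failure. The condition `src[1] == '2' &&` inside the blowfish branch is redundant.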