1 diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/acconfig.h cyrus-sasl-1.5.27/acconfig.h
2 --- cyrus-sasl-1.5.27.orig/acconfig.h Tue Apr 24 17:02:28 2001
3 +++ cyrus-sasl-1.5.27/acconfig.h Tue Apr 24 17:02:53 2001
5 /* do we have PAM for plaintext password checking? */
8 +/* do we have MySQL for plaintext password checking? */
11 +/* do we have LDAP for plaintext password checking? */
14 /* what flavor of GSSAPI are we using? */
15 #undef HAVE_GSS_C_NT_HOSTBASED_SERVICE
17 diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/configure.in cyrus-sasl-1.5.27/configure.in
18 --- cyrus-sasl-1.5.27.orig/configure.in Tue Apr 24 17:02:28 2001
19 +++ cyrus-sasl-1.5.27/configure.in Tue Apr 24 17:41:49 2001
24 - AC_CHECK_LIB(db-3, db_create, SASL_DB_LIB="-ldb-3";
26 - AC_CHECK_LIB(db, db_create, SASL_DB_LIB="-ldb";
28 - AC_CHECK_LIB(db, db_open, SASL_DB_LIB="-ldb";
31 + for dbname in db-3.1 db-3 db3.1 db3 db
33 + AC_CHECK_LIB($dbname, db_create, SASL_DB_LIB="-l$dbname";
34 + dblib="berkeley"; break, dblib="no")
36 + if test "$dblib" = "no"; then
37 + AC_CHECK_LIB(db, db_open, SASL_DB_LIB="-ldb";
38 + dblib="berkeley"; dbname=db,
46 dnl How about berkeley db?
48 - AC_CHECK_LIB(db-3, db_create, SASL_DB_LIB="-ldb-3";
50 - AC_CHECK_LIB(db, db_create, SASL_DB_LIB="-ldb";
52 - AC_CHECK_LIB(db, db_open, SASL_DB_LIB="-ldb";
55 + for dbname in db-3.1 db-3 db3.1 db3 db
57 + AC_CHECK_LIB($dbname, db_create, SASL_DB_LIB="-l$dbname";
58 + dblib="berkeley"; break, dblib="no")
60 + if test "$dblib" = "no"; then
61 + AC_CHECK_LIB(db, db_open, SASL_DB_LIB="-ldb";
62 + dblib="berkeley"; dbname=db,
66 if test "$dblib" = no; then
70 AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no)
73 +AC_ARG_WITH(mysql, [ --with-mysql=PATH enable authentication from MySQL database [no] ],
74 + with_mysql=$withval,
78 +if test -z "$with_mysql"; then
79 + for mysqlloc in lib/mysql lib ; do
80 + for mysqlprefix in ${prefix} /usr/local /usr ; do
81 + if test -f ${prefix}/${mysqlloc}/libmysqlclient.a; then
82 + with_mysql="${prefix}"
87 + if test "$mysql_found"; then
94 +case "$with_mysql" in
96 + ""|yes) AC_CHECK_LIB(mysqlclient, mysql_select_db,
97 + AC_DEFINE(HAVE_MYSQL)
98 + LIB_MYSQL="-lmysqlclient",
100 + *) if test -d ${with_mysql}/include/mysql; then
101 + CPPFLAGS="$CPPFLAGS -I${with_mysql}/include/mysql"
103 + CPPFLAGS="$CPPFLAGS -I${with_mysql}/include"
105 + if test -d ${with_mysql}/lib/mysql; then
106 + LDFLAGS="$LDFLAGS -L${with_mysql}/lib/mysql"
108 + AC_DEFINE(HAVE_MYSQL)
109 + LIB_MYSQL="-lmysqlclient";;
114 +AC_ARG_WITH(ldap, [ --with-ldap=PATH enable authentication from LDAP [no] ],
115 + with_ldap=$withval,
119 +if test -z "$with_ldap"; then
120 + for ldaploc in lib/ldap lib; do
121 + for ldapprefix in ${prefix} /usr/local /usr; do
122 + if test -f ${ldapprefix}/${ldaploc}/libldap.a -o -f ${ldapprefix}/${ldaploc}/libldap.so; then
123 + with_ldap="${ldapprefix}"
128 + if test "$ldap_found"; then
135 +case "$with_ldap" in
137 + ""|yes) AC_CHECK_LIB(ldap, ldap_open,
138 + AC_DEFINE(HAVE_LDAP)
139 + LIB_LDAP="-lldap -llber",
141 + *) if test -d ${with_ldap}/include/ldap; then
142 + CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include/ldap"
144 + CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
146 + if test -d ${with_ldap}/lib/ldap; then
147 + LDFLAGS="$LDFLAGS -L${with_ldap}/lib/ldap"
149 + AC_DEFINE(HAVE_LDAP)
150 + LIB_LDAP="-lldap -llber";;
155 AC_ARG_ENABLE(cram, [ --enable-cram enable CRAM-MD5 authentication [yes] ],
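Review bot: The MySQL auto-detection loop never uses its own loop variable, so `/usr/local` and `/usr` are never probed: inside `for mysqlprefix in ${prefix} /usr/local /usr` the test reads `${prefix}/${mysqlloc}/libmysqlclient.a` and the assignment is `with_mysql="${prefix}"`. The LDAP loop further down uses `${ldapprefix}` in both places; the MySQL lines should match it with `if test -f ${mysqlprefix}/${mysqlloc}/libmysqlclient.a; then` and `with_mysql="${mysqlprefix}"`. The listing omits the default branch of both `AC_ARG_WITH` calls, so this is inferred: if that branch leaves the variable empty, the probing links a plaintext-password backend into libsasl whenever the library happens to be installed, which contradicts the `[no]` default in the help strings and deserves a comment or an explicit `no` default.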
157 @@ -445,11 +533,15 @@
160 if test "$with_des" != no; then
163 + COM_ERR="-lcom_err"
166 AC_CHECK_HEADER(krb.h,
167 - AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="",
168 - AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="-lcom_err",
169 - AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err),
171 + AC_CHECK_LIB(krb, krb_mk_priv,:,
172 + AC_WARN(No Kerberos V4 found); krb4=no,
174 AC_WARN(No Kerberos V4 found); krb4=no)
176 AC_WARN(No DES library found for Kerberos V4 support)
177 diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/doc/sysadmin.html cyrus-sasl-1.5.27/doc/sysadmin.html
178 --- cyrus-sasl-1.5.27.orig/doc/sysadmin.html Sat Feb 17 06:06:33 2001
179 +++ cyrus-sasl-1.5.27/doc/sysadmin.html Tue Apr 24 17:02:53 2001
181 <dt><i>pwcheck</i><dd> checks passwords with the use of a seperate,
182 helper daemon. <b>needs to be documented.</b><p>
184 +<dt><i>mysql</i><dd> A MySQL database can be used for plaintext
185 + password checking by setting "pwcheck_method" to "mysql".<p>
187 + <p>The following SASL options are used for MySQL Authentication:<p>
190 + <dd>mysql_user: <user></dd>
191 + <dd>mysql_passwd: <cleartext pw></dd>
192 + <dd>mysql_host: <host></dd>
193 + <dd>mysql_database: <database></dd>
194 + <dd>mysql_table: <table></dd>
195 + <dd>mysql_uidcol: <username col></dd>
196 + <dd>mysql_pwdcol: <password col></dd>
199 + <p>MySQL pwcheck_method created by <a href="mailto:dmz@dmzs.com">David Matthew Zendzian</a>
200 + the original patch may be found at <a href="http://www.dmzs.com/~dmz/projects/cyrus/">http://www.dmzs.com/~dmz/projects/cyrus/</a>.<p>
202 +<dt><i>ldap</i><dd> A LDAP server can be used for plaintext password
203 + checking by setting "pwcheck_method" to "ldap".<p>
205 + <p>The following SASL options are used for LDAP Authentication:<p>
208 + <dd>ldap_server: <LDAP Server [localhost]>
209 + <dd>ldap_basedn: <LDAP base dn>
210 + <dd>ldap_uidattr: <LDAP uid attribute [uid]>
211 + <dd>ldap_port: <LDAP port [389]>
214 + <p>It is a requirement that "ldap_basedn" be set to the appropriate
215 + value for your site<br>
216 + (ex. ldap_basedn: o=surf, c=UK)<p>
218 + <p>LDAP pwcheck_method created by <a href="mailto:simon@surf.org.uk">Simon@surf.org.uk</a>
219 + the original patch may be found at <a href="http://www.surf.org.uk/">http://www.surf.org.uk/</a>.<p>
221 <dt><i>write your own</i><dd> Last, but not least, the most flexible
222 method of authentication for PLAIN is to write your own. If you do
223 so, any application that calls the "<tt>sasl_checkpass()</tt>"
224 diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/lib/Makefile.am cyrus-sasl-1.5.27/lib/Makefile.am
225 --- cyrus-sasl-1.5.27.orig/lib/Makefile.am Sat Mar 10 06:56:41 2001
226 +++ cyrus-sasl-1.5.27/lib/Makefile.am Tue Apr 24 17:06:04 2001
228 EXTRA_libsasl_la_SOURCES = db_none.c db_ndbm.c db_gdbm.c db_berkeley.c db_testw32.c
229 libsasl_la_LDFLAGS = -version-info $(sasl_version)
230 libsasl_la_DEPENDENCIES = $(SASL_DB_BACKEND) @LTLIBOBJS@
231 -libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) $(GSSAPIBASE_LIBS) $(GSSAPI_LIBS) $(LIB_SOCKET)
232 +libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) $(GSSAPIBASE_LIBS) $(GSSAPI_LIBS) $(LIB_SOCKET) $(LIB_LDAP) $(LIB_MYSQL)
233 # PLAIN_LIBS are linked in for sasl_checkpass
234 diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/lib/checkpw.c cyrus-sasl-1.5.27/lib/checkpw.c
235 --- cyrus-sasl-1.5.27.orig/lib/checkpw.c Sat Feb 17 06:06:48 2001
236 +++ cyrus-sasl-1.5.27/lib/checkpw.c Tue Apr 24 17:09:32 2001
242 +#endif /* HAVE_UNISTD_H */
247 +#endif /* HAVE_KRB */
253 # ifdef HAVE_UNISTD_H
256 +# endif /* HAVE_UNISTD_H */
260 +#endif /* HAVE_PWCHECK || HAVE_SASLAUTHD */
264 +#endif /* HAVE_MYSQL */
269 +#endif /* HAVE_LDAP */
274 memcpy (&temp_key, "kerberos", 8);
275 des_fixup_key_parity (&temp_key);
276 des_key_sched (&temp_key, schedule);
278 + des_cbc_cksum ((const unsigned char *)password, &ivec, passlen, schedule, &ivec);
280 des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec);
283 memcpy (&temp_key, &ivec, sizeof temp_key);
284 des_fixup_key_parity (&temp_key);
285 @@ -211,10 +224,17 @@
290 +static int use_key(const char *user __attribute__((unused)),
291 + char *instance __attribute__((unused)),
292 + const char *realm __attribute__((unused)),
293 + const void *key, des_cblock *returned_key)
295 static int use_key(char *user __attribute__((unused)),
296 char *instance __attribute__((unused)),
297 char *realm __attribute__((unused)),
298 void *key, des_cblock *returned_key)
301 memcpy (returned_key, key, sizeof(des_cblock));
303 @@ -1015,7 +1035,7 @@
306 /* pwcheck daemon-authenticated login */
307 -static int pwcheck_verify_password(sasl_conn_t *conn,
308 +static int pwcheck_verify_password(sasl_conn_t *conn __attribute__((unused)),
311 const char *service __attribute__((unused)),
312 @@ -1030,8 +1050,10 @@
313 static char response[1024];
316 +#if 0 /* Not used */
317 sasl_getopt_t *getopt;
321 if (reply) { *reply = NULL; }
323 @@ -1183,6 +1205,225 @@
328 +/* DMZ mysql auth 12/29/1999
329 + * Updated to 1.5.24 by SWH 09/12/2000
330 + * changed to malloc qbuf Simon Loader 10/21/2000
332 +#ifdef USE_CRYPT_PASSWORD
333 +#define QUERY_STRING "select %s from %s where %s = '%s' and %s = password('%s')"
335 +#define QUERY_STRING "select %s from %s where %s = '%s' and %s = '%s'"
338 +static int mysql_verify_password(sasl_conn_t *conn,
339 + const char *userid,
340 + const char *password,
341 + const char *service __attribute__((unused)),
342 + const char *user_realm __attribute__((unused)),
343 + const char **reply)
345 + unsigned int numrows;
356 + sasl_getopt_t *getopt;
359 + if (!userid || !password) {
360 + return SASL_BADPARAM;
362 + if (reply) { *reply = NULL; }
364 + /* check to see if the user configured a mysqluser/passwd/host/etc */
365 + if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
366 + getopt(context, NULL, "mysql_user", (const char **) &db_user, NULL);
367 + if (!db_user) db_user = "";
368 + getopt(context, NULL, "mysql_passwd", (const char **) &db_passwd, NULL);
369 + if (!db_passwd) db_passwd = "";
370 + getopt(context, NULL, "mysql_host", (const char **) &db_host, NULL);
371 + if (!db_host) db_host = "";
372 + getopt(context, NULL, "mysql_database", (const char **) &db_database, NULL);
373 + if (!db_database) db_database = "";
374 + getopt(context, NULL, "mysql_table", (const char **) &db_table, NULL);
375 + if (!db_table) db_table = "";
376 + getopt(context, NULL, "mysql_uidcol", (const char **) &db_uidcol, NULL);
377 + if (!db_uidcol) db_uidcol = "";
378 + getopt(context, NULL, "mysql_pwdcol", (const char **) &db_pwcol, NULL);
379 + if (!db_pwcol) db_pwcol = "";
382 + if (!(sock = mysql_connect(&mysql,db_host,db_user,db_passwd)))
384 + if (reply) { *reply = "cannot connect to MySQL server"; }
388 + if (mysql_select_db(sock,db_database) < 0)
391 + if (reply) { *reply = "cannot select MySQL database"; }
394 + /* select DB_UIDCOL from DB_TABLE where DB_UIDCOL = 'userid' AND DB_PWCOL = password('password') */
395 + if ( (qbuf = (char *)malloc(strlen(QUERY_STRING)+strlen(db_uidcol)
396 + +strlen(db_table)+strlen(db_uidcol)
397 + +strlen(userid)+strlen(db_pwcol)
398 + +strlen(password)+1)) == NULL ) {
400 + *reply = "cannot malloc memory for sql query";
404 + sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password);
405 + if (mysql_query(sock,qbuf) < 0 || !(result=mysql_store_result(sock)))
412 + if (result) //There were some rows found
414 + if ((numrows = mysql_affected_rows(&mysql)) != 1)
416 + mysql_free_result(result);
418 + if ((numrows > 1) && (reply)) { *reply = "Detected duplicate entries for user"; }
420 + return SASL_BADAUTH;
423 + mysql_free_result(result);
429 + mysql_free_result(result);
431 + return SASL_BADAUTH;
433 +#endif /* HAVE_MYSQL */
436 +/* simon@surf.org.uk LDAP auth 07/11/2000
437 + * Updated to 1.5.24 by SWH 09/12/2000
438 + * changed to use malloc and simplify the auth by Simon@surf.org.uk 10/21/2000
441 +#define LDAP_SERVER "localhost"
442 +#define LDAP_BASEDN "o=JOFA, c=UK"
443 +#define LDAP_UIDATTR "uid"
450 +static int ldap_isdigits(char *value)
455 + for (ptr = value; *ptr != '\0' && num != FALSE; ptr++) {
456 + if (!isdigit(*ptr))
463 +static int ldap_verify_password(sasl_conn_t *conn,
464 + const char *userid,
465 + const char *password,
466 + const char *service __attribute__((unused)),
467 + const char *user_realm __attribute__((unused)),
468 + const char **reply)
477 + int ldap_port = LDAP_PORT;
478 + sasl_getopt_t *getopt;
481 + /* If the password is NULL, reject the login...
482 + * Otherwise the bind will succed as a reference bind. Not good...
484 + if (strcmp(password,"") == 0 || strcmp(userid,"") == 0) {
485 + return SASL_BADPARAM;
488 + if (reply) { *reply = NULL; }
490 + /* check to see if the user configured a mysqluser/passwd/host/etc */
491 + if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
492 + getopt(context, NULL, "ldap_server", (const char **) &ldap_server, NULL);
493 + if (!ldap_server) ldap_server = LDAP_SERVER;
494 + getopt(context, NULL, "ldap_basedn", (const char **) &ldap_basedn, NULL);
495 + if (!ldap_basedn) {
496 + if (reply) { *reply = "ldap_basedn not defined"; }
497 + return SASL_BADPARAM;
499 + getopt(context, NULL, "ldap_uidattr", (const char **) &ldap_uidattr, NULL);
500 + if (!ldap_uidattr) ldap_uidattr = LDAP_UIDATTR;
501 + getopt(context, NULL, "ldap_port", (const char **) &port_num, NULL);
503 + ldap_port = LDAP_PORT;
504 + } else if (!ldap_isdigits(port_num)) {
505 + if (reply) { *reply = "ldap_port - invalid value"; }
506 + return SASL_BADPARAM;
508 + ldap_port = atoi(port_num);
512 + /* Open the LDAP connection. */
513 + if ((ld = ldap_open(ldap_server, ldap_port)) == NULL) {
514 + if (reply) { *reply = "cannot connect to LDAP server"; }
519 + (char *)malloc(strlen(ldap_uidattr)+strlen(userid)+strlen(ldap_basedn)+3)) == NULL ) {
521 + *reply = "cannnot allocate memory for ldap dn";
525 + /* Generate a dn that we will try and login with */
526 + sprintf(dn,"%s=%s,%s", ldap_uidattr,userid,ldap_basedn);
529 + * Just try and bind with the dn we have been given
530 + * In most cases the basedn is correct.
531 + * If this is not so I have a version or that too
532 + * Simon@surf.org.uk
534 + if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS) {
537 + return SASL_BADAUTH;
544 +#endif /* HAVE_LDAP */
546 struct sasl_verify_password_s _sasl_verify_password[] = {
547 { "sasldb", &sasldb_verify_password },
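Review bot: `mysql_verify_password` formats `userid` and `password` straight into `QUERY_STRING` with `sprintf`, so a quote character in either value changes the WHERE clause that decides whether the login succeeds; both values must be escaped before the query is built, with `qbuf` sized from the escaped lengths. `ldap_verify_password` has the same defect where `sprintf(dn,"%s=%s,%s", ldap_uidattr,userid,ldap_basedn)` places `userid` into the bind DN without escaping DN special characters. The LDAP function also calls `strcmp(password,"")` with no visible equivalent of the MySQL function's `if (!userid || !password)` guard, so the NULL password its own comment talks about would be dereferenced rather than rejected. The listing omits lines from both functions, so the fence below shows only the escaping step for the MySQL query (on client libraries that predate `mysql_real_escape_string`, `mysql_escape_string` takes the same buffers without the connection argument).

```c
    /* … unchanged: option lookup, mysql_connect, mysql_select_db … */
    size_t ulen = strlen(userid);
    size_t plen = strlen(password);
    /* escaping can double each input byte; +1 for the terminating NUL */
    char *esc_user = malloc(2 * ulen + 1);
    char *esc_pass = malloc(2 * plen + 1);
    if (esc_user == NULL || esc_pass == NULL) {
        free(esc_user);
        free(esc_pass);
        /* … fail the same way the existing qbuf allocation failure does … */
    }
    mysql_real_escape_string(sock, esc_user, userid, ulen);
    mysql_real_escape_string(sock, esc_pass, password, plen);
    /* size qbuf from strlen(esc_user)/strlen(esc_pass) and pass esc_user/esc_pass
     * to sprintf in place of userid/password */
    /* … unchanged: mysql_query, row-count check; release esc_user and esc_pass
     * on every return path … */
```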
549 @@ -1205,6 +1446,12 @@
552 { "pwcheck", &pwcheck_verify_password },
555 + { "mysql", &mysql_verify_password },
558 + { "ldap", &ldap_verify_password },
560 #ifdef HAVE_SASLAUTHD
561 { "saslauthd", &saslauthd_verify_password },
562 diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/plugins/kerberos4.c cyrus-sasl-1.5.27/plugins/kerberos4.c
563 --- cyrus-sasl-1.5.27.orig/plugins/kerberos4.c Sat Mar 10 06:56:46 2001
564 +++ cyrus-sasl-1.5.27/plugins/kerberos4.c Tue Apr 24 17:02:53 2001
567 /* decrypt; verify checksum */
570 + des_pcbc_encrypt((const unsigned char *)in,
571 + (unsigned char *)in,
573 des_pcbc_encrypt((des_cblock *)in,