Date: Wed, 12 Jan 2005 13:39:00 +0100 (CET) From: Florent Thoumie <flz@xbsd.org> To: FreeBSD-gnats-submit@FreeBSD.org Cc: ume@FreeBSD.org Subject: ports/76140: Update port: security/cyrus-sasl2 - add WITH_CRYPT knob to support crypt()'ed passwords Message-ID: <20050112123900.5776011737@gate.xbsd.org> Resent-Message-ID: <200501121240.j0CCeQ7T038514@freefall.freebsd.org>
>Number: 76140 >Category: ports >Synopsis: Update port: security/cyrus-sasl2 - add WITH_CRYPT knob to support crypt()'ed passwords >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Wed Jan 12 12:40:25 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Florent Thoumie >Release: FreeBSD 5.3-RELEASE i386 >Organization: Xbsd.org >Environment: System: FreeBSD gate.xbsd.org 5.3-RELEASE FreeBSD 5.3-RELEASE #2: Wed Nov 24 16:35:34 CET 2004 root@gate.xbsd.org:/usr/src/sys/i386/compile/GATE i386 >Description: This patch adds support for crypt password lookups. See [1] for further information. Maintainer cc'ed. [1] http://frost.ath.cx/software/cyrus-sasl-patches/ >How-To-Repeat: N/A >Fix: --- cyrus-sasl2-crypt.diff begins here ---
diff -ruN cyrus-sasl2.old/Makefile cyrus-sasl2/Makefile
--- cyrus-sasl2.old/Makefile Wed Jan 12 12:43:53 2005
+++ cyrus-sasl2/Makefile Wed Jan 12 13:29:39 2005
@@ -155,6 +155,12 @@
 CONFIGURE_ARGS+=--enable-ntlm
 .endif
+.if defined(WITH_CRYPT)
+EXTRA_PATCHES= ${PATCHDIR}/crypt-patch-lib::Makefile.in \
+ ${PATCHDIR}/crypt-patch-plugins::sql.c \
+ ${PATCHDIR}/crypt-patch-lib::checkpw.c
+.endif
+
 .include <bsd.port.pre.mk>
 .if !defined(WITHOUT_GSSAPI) && defined(KRB5_HOME) && exists(${KRB5_HOME}/lib/libgssapi_krb5.a)
diff -ruN cyrus-sasl2.old/files/crypt-patch-lib::Makefile.in cyrus-sasl2/files/crypt-patch-lib::Makefile.in
--- cyrus-sasl2.old/files/crypt-patch-lib::Makefile.in Thu Jan 1 01:00:00 1970
+++ cyrus-sasl2/files/crypt-patch-lib::Makefile.in Wed Jan 12 12:44:03 2005
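Review bot: `EXTRA_PATCHES=` inside the new `.if defined(WITH_CRYPT)` block assigns instead of appending, so any EXTRA_PATCHES a user passes on the make command line or sets in make.conf is silently dropped whenever the knob is on. The usual form is `EXTRA_PATCHES+=	${PATCHDIR}/crypt-patch-lib::Makefile.in \` with the two continuation lines unchanged. A one-line comment above the block naming the external patch set these three `::` files were taken from (the PR description points to it) would also help whoever has to regenerate them for the next upstream release.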
@@ -0,0 +1,11 @@
+--- lib/Makefile.in.orig 2004-07-02 21:40:15.000000000 +0200
++++ lib/Makefile.in 2004-09-07 13:21:22.746680576 +0200
+@@ -120,7 +120,7 @@
+ JAVA_TRUE = @JAVA_TRUE@
+ LDFLAGS = @LDFLAGS@
+ LIBOBJS = @LIBOBJS@
+-LIBS = @LIBS@
++LIBS = -lcrypt @LIBS@
+ LIBTOOL = @LIBTOOL@
+ LIB_CRYPT = @LIB_CRYPT@
+ LIB_DES = @LIB_DES@
diff -ruN cyrus-sasl2.old/files/crypt-patch-lib::checkpw.c cyrus-sasl2/files/crypt-patch-lib::checkpw.c
--- cyrus-sasl2.old/files/crypt-patch-lib::checkpw.c Thu Jan 1 01:00:00 1970
+++ cyrus-sasl2/files/crypt-patch-lib::checkpw.c Wed Jan 12 12:44:03 2005
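Review bot: `LIBS = -lcrypt @LIBS@` hard-codes the library name even though configure already substitutes `LIB_CRYPT = @LIB_CRYPT@` two lines further down in the same context, so the link line stops following what configure detected and the flag is applied to every target that uses LIBS. `LIBS = $(LIB_CRYPT) @LIBS@` would give the same result on FreeBSD while leaving the choice to configure; whether LIB_CRYPT is actually populated by this port's configure run is not visible in the hunk and should be confirmed before relying on it.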
@@ -0,0 +1,157 @@
+--- lib/checkpw.c.orig Wed Mar 17 14:58:13 2004
++++ lib/checkpw.c Tue Jan 11 13:26:39 2005
+@@ -94,6 +94,23 @@
+ # endif
+ #endif
++/******************************
++ * crypt(3) patch start *
++ ******************************/
++char *crypt(const char *key, const char *salt);
++
++/* cleartext password formats */
++#define PASSWORD_FORMAT_CLEARTEXT 1
++#define PASSWORD_FORMAT_CRYPT 2
++#define PASSWORD_FORMAT_CRYPTTRAD 3
++#define PASSWORD_SALT_BUF_LEN 22
++
++/* weeds out crypt(3) password's salt */
++int _sasl_get_salt (char *dest, char *src, int format);
++
++/******************************
++ * crypt(3) patch stop *
++ ******************************/
+
+ /* we store the following secret to check plaintext passwords:
+ *
+@@ -143,7 +160,51 @@
+ "*cmusaslsecretPLAIN",
+ NULL };
+ struct propval auxprop_values[3];
+-
++
++ /******************************
++ * crypt(3) patch start *
++ * for password format check *
++ ******************************/
++ sasl_getopt_t *getopt;
++ void *context;
++ const char *p = NULL;
++ /**
++ * MD5: 12 char salt
++ * BLOWFISH: 16 char salt
++ */
++ char salt[PASSWORD_SALT_BUF_LEN];
++ int password_format;
++
++ /* get password format from auxprop configuration */
++ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
++ getopt(context, NULL, "password_format", &p, NULL);
++ }
++
++ /* set password format */
++ if (p) {
++ /*
++ memset(pass_format_str, '\0', PASSWORD_FORMAT_STR_LEN);
++ strncpy(pass_format_str, p, (PASSWORD_FORMAT_STR_LEN - 1));
++ */
++ /* modern, modular crypt(3) */
++ if (strncmp(p, "crypt", 11) == 0)
++ password_format = PASSWORD_FORMAT_CRYPT;
++ /* traditional crypt(3) */
++ else if (strncmp(p, "crypt_trad", 11) == 0)
++ password_format = PASSWORD_FORMAT_CRYPTTRAD;
++ /* cleartext password */
++ else
++ password_format = PASSWORD_FORMAT_CLEARTEXT;
++ } else {
++ /* cleartext password */
++ password_format = PASSWORD_FORMAT_CLEARTEXT;
++ }
++
++ /******************************
++ * crypt(3) patch stop *
++ * for password format check *
++ ******************************/
++
+ if (!conn || !userstr)
+ return SASL_BADPARAM;
+
+@@ -180,14 +241,31 @@
+ goto done;
+ }
+
+- /* At the point this has been called, the username has been canonified
+- * and we've done the auxprop lookup. This should be easy. */
+- if(auxprop_values[0].name
+- && auxprop_values[0].values
+- && auxprop_values[0].values[0]
+- && !strcmp(auxprop_values[0].values[0], passwd)) {
+- /* We have a plaintext version and it matched! */
+- return SASL_OK;
++
++ /******************************
++ * crypt(3) patch start *
++ ******************************/
++
++ /* get salt */
++ _sasl_get_salt(salt, (char *) auxprop_values[0].values[0], password_format);
++
++ /* crypt(3)-ed password? */
++ if (password_format != PASSWORD_FORMAT_CLEARTEXT) {
++ /* compare password */
++ if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(crypt(passwd, salt), auxprop_values[0].values[0]) == 0)
++ return SASL_OK;
++ else
++ ret = SASL_BADAUTH;
++ }
++ else if (password_format == PASSWORD_FORMAT_CLEARTEXT) {
++ /* compare passwords */
++ if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(auxprop_values[0].values[0], passwd) == 0)
++ return SASL_OK;
++ else
++ ret = SASL_BADAUTH;
++ /******************************
++ * crypt(3) patch stop *
++ ******************************/
+ } else if(auxprop_values[1].name
+ && auxprop_values[1].values
+ && auxprop_values[1].values[0]) {
+@@ -975,3 +1053,37 @@
+ #endif
+ { NULL, NULL }
+ };
++
++/* weeds out crypt(3) password's salt */
++int _sasl_get_salt (char *dest, char *src, int format) {
++ int num; /* how many characters is salt long? */
++ switch (format) {
++ case PASSWORD_FORMAT_CRYPT:
++ /* md5 crypt */
++ if (src[1] == '1')
++ num = 12;
++ /* blowfish crypt */
++ else if (src[1] == '2')
++ num = (src[1] == '2' && src[2] == 'a') ? 17 : 16;
++ /* traditional crypt */
++ else
++ num = 2;
++ break;
++
++ case PASSWORD_FORMAT_CRYPTTRAD:
++ num = 2;
++ break;
++
++ default:
++ return 1;
++ }
++
++ /* destroy destination */
++ memset(dest, '\0', (num + 1));
++
++ /* copy salt to destination */
++ strncpy(dest, src, num);
++
++ return 1;
++}
++
diff -ruN cyrus-sasl2.old/files/crypt-patch-plugins::sql.c cyrus-sasl2/files/crypt-patch-plugins::sql.c
--- cyrus-sasl2.old/files/crypt-patch-plugins::sql.c Thu Jan 1 01:00:00 1970
+++ cyrus-sasl2/files/crypt-patch-plugins::sql.c Wed Jan 12 12:44:03 2005
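Review bot: The `*cmusaslsecretPLAIN` fallback (`} else if(auxprop_values[1].name ...` at the end of the `@@ -180,14 +241,31 @@` hunk) becomes unreachable, because the two new branches test `password_format != PASSWORD_FORMAT_CLEARTEXT` and `== PASSWORD_FORMAT_CLEARTEXT`, which together cover every value, so an account stored only with that secret now gets SASL_BADAUTH. Just above, `_sasl_get_salt(salt, (char *) auxprop_values[0].values[0], password_format)` dereferences `values` and `values[0]` before the NULL checks on the next line, `_sasl_get_salt` reads `src[1]` and `src[2]` without looking at the string's length, and `strcmp(crypt(passwd, salt), ...)` dereferences NULL when crypt() rejects the setting. Passing the stored hash itself as crypt(3)'s setting argument removes the salt parsing altogether (the 16/17-character cut is in any case shorter than a bcrypt setting string, so those hashes cannot verify) and lets the original if/else-if chain stand; the enclosing function starts and ends outside the hunk.
```c
/* Compare a candidate password against the stored secret in the
 * configured format.  crypt(3) takes the whole stored hash as its
 * setting string, so no salt extraction is needed and any hash type
 * the libc supports verifies.  Returns nonzero on match. */
static int _sasl_secret_matches(const char *stored, const char *passwd, int format)
{
    const char *computed;

    if (format == PASSWORD_FORMAT_CLEARTEXT)
        return strcmp(stored, passwd) == 0;

    computed = crypt(passwd, stored);
    return computed != NULL && strcmp(computed, stored) == 0;
}

/* … unchanged: password_format lookup … */

    if(auxprop_values[0].name
       && auxprop_values[0].values
       && auxprop_values[0].values[0]
       && _sasl_secret_matches(auxprop_values[0].values[0], passwd, password_format)) {
        return SASL_OK;
    } else if(auxprop_values[1].name
/* … unchanged: *cmusaslsecretPLAIN comparison … */
```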
@@ -0,0 +1,189 @@
+--- plugins/sql.c.orig 2004-06-30 21:31:11.000000000 +0200
++++ plugins/sql.c 2004-09-07 13:38:57.285556518 +0200
+@@ -54,6 +54,7 @@
+ const char *sql_insert;
+ const char *sql_update;
+ int sql_usessl;
++ int sql_verbose;
+ } sql_settings_t;
+
+ static const char * SQL_BLANK_STRING = "";
+@@ -279,8 +280,9 @@
+ }
+ else if (status != PGRES_TUPLES_OK) {
+ /* error */
+- utils->log(NULL, SASL_LOG_DEBUG, "sql plugin: %s ",
+- PQresStatus(status));
++ if (settings->sql_verbose)
++ utils->log(NULL, SASL_LOG_DEBUG, "sql plugin: %s ",
++ PQresStatus(status));
+ PQclear(result);
+ return -1;
+ }
+@@ -401,7 +403,8 @@
+
+ rc = sqlite_exec((sqlite*)db, cmd, sqlite_my_callback, (void*)&result, &zErrMsg);
+ if (rc != SQLITE_OK && rc != SQLITE_ABORT) {
+- utils->log(NULL, SASL_LOG_DEBUG, "sql plugin: %s ", zErrMsg);
++ if (settings->sql_verbose)
++ utils->log(NULL, SASL_LOG_DEBUG, "sql plugin: %s ", zErrMsg);
+ sqlite_freemem (zErrMsg);
+ return -1;
+ }
+@@ -592,7 +595,7 @@
+ {
+ sql_settings_t *settings;
+ int r;
+- const char *usessl, *engine_name;
++ const char *usessl, *engine_name, *sql_verbose;
+ const sql_engine_t *e;
+
+ settings = (sql_settings_t *) glob_context;
+@@ -674,6 +677,11 @@
+ } else {
+ settings->sql_usessl = 0;
+ }
++
++ /* sql verbose */
++ r = utils->getopt(utils->getopt_context, "SQL", "sql_verbose", &sql_verbose, NULL);
++ if (r || !sql_verbose) sql_verbose = "no";
++ settings->sql_verbose = (*sql_verbose == '1' || *sql_verbose == 'y' || *sql_verbose == 't' || (*sql_verbose == 'o' && sql_verbose[1] == 'n'));
+ }
+
+ static void *sql_connect(sql_settings_t *settings, const sasl_utils_t *utils)
+@@ -687,7 +695,8 @@
+ * it should probably save the connection but for
+ * now we will just disconnect everytime
+ */
+- utils->log(NULL, SASL_LOG_DEBUG,
++ if (settings->sql_verbose)
++ utils->log(NULL, SASL_LOG_DEBUG,
+ "sql plugin try and connect to a host\n");
+
+ /* create a working version of the hostnames */
+@@ -703,10 +712,11 @@
+ while (!isalnum(db_host[0])) db_host++;
+ }
+
+- utils->log(NULL, SASL_LOG_DEBUG,
+- "sql plugin trying to open db '%s' on host '%s'%s\n",
+- settings->sql_database, cur_host,
+- settings->sql_usessl ? " using SSL" : "");
++ if (settings->sql_verbose)
++ utils->log(NULL, SASL_LOG_DEBUG,
++ "sql plugin trying to open db '%s' on host '%s'%s\n",
++ settings->sql_database, cur_host,
++ settings->sql_usessl ? " using SSL" : "");
+
+ /* set the optional port */
+ if ((cur_port = strchr(cur_host, ':'))) *cur_port++ = '\0';
+@@ -720,7 +730,7 @@
+ if (conn) break;
+
+ utils->log(NULL, SASL_LOG_ERR,
+- "sql plugin could not connect to host %s", cur_host);
++ "sql plugin could not connect to host %s", cur_host);
+
+ cur_host = db_host;
+ }
+@@ -757,7 +767,8 @@
+ /* setup the settings */
+ settings = (sql_settings_t *) glob_context;
+
+- sparams->utils->log(NULL, SASL_LOG_DEBUG,
++ if (settings->sql_verbose)
++ sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ "sql plugin Parse the username %s\n", user);
+
+ user_buf = sparams->utils->malloc(ulen + 1);
+@@ -828,14 +839,16 @@
+
+ if (!do_txn) {
+ do_txn = 1;
+- sparams->utils->log(NULL, SASL_LOG_DEBUG, "begin transaction");
++ if (settings->sql_verbose)
++ sparams->utils->log(NULL, SASL_LOG_DEBUG, "begin transaction");
+ if (settings->sql_engine->sql_begin_txn(conn, sparams->utils)) {
+- sparams->utils->log(NULL, SASL_LOG_ERR,
+- "Unable to begin transaction\n");
++ sparams->utils->log(NULL, SASL_LOG_ERR,
++ "Unable to begin transaction\n");
+ }
+ }
+-
++
++ if (settings->sql_verbose)
++ sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ "sql plugin create statement from %s %s %s\n",
+ realname, escap_userid, escap_realm);
+
+@@ -845,7 +858,8 @@
+ escap_realm, NULL,
+ sparams->utils);
+
+- sparams->utils->log(NULL, SASL_LOG_DEBUG,
++ if (settings->sql_verbose)
++ sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ "sql plugin doing query %s\n", query);
+
+ /* run the query */
+@@ -859,7 +873,8 @@
+ }
+
+ if (do_txn) {
+- sparams->utils->log(NULL, SASL_LOG_DEBUG, "commit transaction");
++ if (settings->sql_verbose)
++ sparams->utils->log(NULL, SASL_LOG_DEBUG, "commit transaction");
+ if (settings->sql_engine->sql_commit_txn(conn, sparams->utils)) {
+ sparams->utils->log(NULL, SASL_LOG_ERR,
+ "Unable to commit transaction\n");
+@@ -906,7 +921,8 @@
+ /* make sure our input is okay */
+ if (!glob_context || !sparams || !user) return SASL_BADPARAM;
+
+- sparams->utils->log(NULL, SASL_LOG_DEBUG,
++ if (settings->sql_verbose)
++ sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ "sql plugin Parse the username %s\n", user);
+
+ user_buf = sparams->utils->malloc(ulen + 1);
+@@ -993,9 +1009,11 @@
+ cur->values && cur->values[0] ?
+ "<omitted>" : SQL_NULL_VALUE,
+ sparams->utils);
+- sparams->utils->log(NULL, SASL_LOG_DEBUG,
+- "sql plugin doing statement %s\n",
+- log_statement);
++
++ if (settings->sql_verbose)
++ sparams->utils->log(NULL, SASL_LOG_DEBUG,
++ "sql plugin doing statement %s\n",
++ log_statement);
+ sparams->utils->free(log_statement);
+ }
+
+@@ -1042,7 +1060,8 @@
+
+ if (!settings) return;
+
+- utils->log(NULL, SASL_LOG_DEBUG, "sql freeing memory\n");
++ if (settings->sql_verbose)
++ utils->log(NULL, SASL_LOG_DEBUG, "sql freeing memory\n");
+
+ utils->free(settings);
+ }
+@@ -1090,9 +1109,10 @@
+ return SASL_NOMECH;
+ }
+
+- utils->log(NULL, SASL_LOG_DEBUG,
+- "sql auxprop plugin using %s engine\n",
+- settings->sql_engine->name);
++ if (settings->sql_verbose)
++ utils->log(NULL, SASL_LOG_DEBUG,
++ "sql auxprop plugin using %s engine\n",
++ settings->sql_engine->name);
+
+ sql_auxprop_plugin.glob_context = settings;
+
--- cyrus-sasl2-crypt.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
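Review bot: In the `@@ -906,7 +921,8 @@` hunk the new `if (settings->sql_verbose)` reads `settings` immediately after the `if (!glob_context || !sparams || !user)` check, and unlike the `@@ -757,7 +767,8 @@` hunk nothing visible assigns `settings = (sql_settings_t *) glob_context;` before that point; if the assignment sits later in the function (the hunk does not show it), this dereferences an uninitialized pointer. Moving `settings = (sql_settings_t *) glob_context;` up to directly follow the parameter check resolves it either way. The same guard is added to the engine error paths in `@@ -279,8 +280,9 @@` and `@@ -401,7 +403,8 @@`, whose function signatures are outside the hunks, so whether a `settings` variable is in scope there at all cannot be confirmed from the patch. Since every guarded call already passes SASL_LOG_DEBUG, the option largely duplicates level filtering the application's log callback can do; a short comment at the new `int sql_verbose;` field stating why a plugin-side switch is wanted would record that intent.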