ports/76140: Update port: security/cyrus-sasl2 - add WITH_CRYPT knob to support crypt()'ed passwords
Florent Thoumie
flz at xbsd.org
Wed Jan 12 12:40:26 UTC 2005
>Number: 76140
>Category: ports
>Synopsis: Update port: security/cyrus-sasl2 - add WITH_CRYPT knob to support crypt()'ed passwords
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Wed Jan 12 12:40:25 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Florent Thoumie
>Release: FreeBSD 5.3-RELEASE i386
>Organization:
Xbsd.org
>Environment:
System: FreeBSD gate.xbsd.org 5.3-RELEASE FreeBSD 5.3-RELEASE #2: Wed Nov 24 16:35:34 CET 2004 root at gate.xbsd.org:/usr/src/sys/i386/compile/GATE i386
>Description:
This patch adds support for looking up crypt(3)-hashed passwords.
See [1] for further information.
Maintainer cc'ed.
[1] http://frost.ath.cx/software/cyrus-sasl-patches/
>How-To-Repeat:
N/A
>Fix:
--- cyrus-sasl2-crypt.diff begins here ---
diff -ruN cyrus-sasl2.old/Makefile cyrus-sasl2/Makefile
--- cyrus-sasl2.old/Makefile Wed Jan 12 12:43:53 2005
+++ cyrus-sasl2/Makefile Wed Jan 12 13:29:39 2005
@@ -155,6 +155,12 @@
CONFIGURE_ARGS+=--enable-ntlm
.endif
+.if defined(WITH_CRYPT)
+EXTRA_PATCHES= ${PATCHDIR}/crypt-patch-lib::Makefile.in \
+ ${PATCHDIR}/crypt-patch-plugins::sql.c \
+ ${PATCHDIR}/crypt-patch-lib::checkpw.c
+.endif
+
.include <bsd.port.pre.mk>
.if !defined(WITHOUT_GSSAPI) && defined(KRB5_HOME) && exists(${KRB5_HOME}/lib/libgssapi_krb5.a)
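Review bot: `EXTRA_PATCHES=` inside the new `.if defined(WITH_CRYPT)` block assigns rather than appends, so it silently discards any EXTRA_PATCHES a user has set in make.conf or that the Makefile sets elsewhere; `EXTRA_PATCHES+=` is the usual form for a conditional knob. Nothing in the hunk documents what the knob enables, so a one-line `WITH_CRYPT` entry next to the port's other knob descriptions, if the Makefile keeps such a list above this hunk, would help users find it.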
diff -ruN cyrus-sasl2.old/files/crypt-patch-lib::Makefile.in cyrus-sasl2/files/crypt-patch-lib::Makefile.in
--- cyrus-sasl2.old/files/crypt-patch-lib::Makefile.in Thu Jan 1 01:00:00 1970
+++ cyrus-sasl2/files/crypt-patch-lib::Makefile.in Wed Jan 12 12:44:03 2005
@@ -0,0 +1,11 @@
+--- lib/Makefile.in.orig 2004-07-02 21:40:15.000000000 +0200
++++ lib/Makefile.in 2004-09-07 13:21:22.746680576 +0200
+@@ -120,7 +120,7 @@
+ JAVA_TRUE = @JAVA_TRUE@
+ LDFLAGS = @LDFLAGS@
+ LIBOBJS = @LIBOBJS@
+-LIBS = @LIBS@
++LIBS = -lcrypt @LIBS@
+ LIBTOOL = @LIBTOOL@
+ LIB_CRYPT = @LIB_CRYPT@
+ LIB_DES = @LIB_DES@
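Review bot: `+LIBS = -lcrypt @LIBS@` hardcodes the library even though the same stanza already carries `LIB_CRYPT = @LIB_CRYPT@` from configure two lines below; reusing that variable, `LIBS = @LIBS@ $(LIB_CRYPT)`, would keep the link line correct on platforms where crypt() lives in libc and configure leaves LIB_CRYPT empty — assuming configure populates it, which this hunk does not show. Since the port is FreeBSD-only, where libcrypt exists, this is a maintainability point rather than a build break.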
diff -ruN cyrus-sasl2.old/files/crypt-patch-lib::checkpw.c cyrus-sasl2/files/crypt-patch-lib::checkpw.c
--- cyrus-sasl2.old/files/crypt-patch-lib::checkpw.c Thu Jan 1 01:00:00 1970
+++ cyrus-sasl2/files/crypt-patch-lib::checkpw.c Wed Jan 12 12:44:03 2005
@@ -0,0 +1,157 @@
+--- lib/checkpw.c.orig Wed Mar 17 14:58:13 2004
++++ lib/checkpw.c Tue Jan 11 13:26:39 2005
+@@ -94,6 +94,23 @@
+ # endif
+ #endif
+
++/******************************
++ * crypt(3) patch start *
++ ******************************/
++char *crypt(const char *key, const char *salt);
++
++/* cleartext password formats */
++#define PASSWORD_FORMAT_CLEARTEXT 1
++#define PASSWORD_FORMAT_CRYPT 2
++#define PASSWORD_FORMAT_CRYPTTRAD 3
++#define PASSWORD_SALT_BUF_LEN 22
++
++/* weeds out crypt(3) password's salt */
++int _sasl_get_salt (char *dest, char *src, int format);
++
++/******************************
++ * crypt(3) patch stop *
++ ******************************/
+
+ /* we store the following secret to check plaintext passwords:
+ *
+@@ -143,7 +160,51 @@
+ "*cmusaslsecretPLAIN",
+ NULL };
+ struct propval auxprop_values[3];
+-
++
++ /******************************
++ * crypt(3) patch start *
++ * for password format check *
++ ******************************/
++ sasl_getopt_t *getopt;
++ void *context;
++ const char *p = NULL;
++ /**
++ * MD5: 12 char salt
++ * BLOWFISH: 16 char salt
++ */
++ char salt[PASSWORD_SALT_BUF_LEN];
++ int password_format;
++
++ /* get password format from auxprop configuration */
++ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
++ getopt(context, NULL, "password_format", &p, NULL);
++ }
++
++ /* set password format */
++ if (p) {
++ /*
++ memset(pass_format_str, '\0', PASSWORD_FORMAT_STR_LEN);
++ strncpy(pass_format_str, p, (PASSWORD_FORMAT_STR_LEN - 1));
++ */
++ /* modern, modular crypt(3) */
++ if (strncmp(p, "crypt", 11) == 0)
++ password_format = PASSWORD_FORMAT_CRYPT;
++ /* traditional crypt(3) */
++ else if (strncmp(p, "crypt_trad", 11) == 0)
++ password_format = PASSWORD_FORMAT_CRYPTTRAD;
++ /* cleartext password */
++ else
++ password_format = PASSWORD_FORMAT_CLEARTEXT;
++ } else {
++ /* cleartext password */
++ password_format = PASSWORD_FORMAT_CLEARTEXT;
++ }
++
++ /******************************
++ * crypt(3) patch stop *
++ * for password format check *
++ ******************************/
++
+ if (!conn || !userstr)
+ return SASL_BADPARAM;
+
+@@ -180,14 +241,31 @@
+ goto done;
+ }
+
+- /* At the point this has been called, the username has been canonified
+- * and we've done the auxprop lookup. This should be easy. */
+- if(auxprop_values[0].name
+- && auxprop_values[0].values
+- && auxprop_values[0].values[0]
+- && !strcmp(auxprop_values[0].values[0], passwd)) {
+- /* We have a plaintext version and it matched! */
+- return SASL_OK;
++
++ /******************************
++ * crypt(3) patch start *
++ ******************************/
++
++ /* get salt */
++ _sasl_get_salt(salt, (char *) auxprop_values[0].values[0], password_format);
++
++ /* crypt(3)-ed password? */
++ if (password_format != PASSWORD_FORMAT_CLEARTEXT) {
++ /* compare password */
++ if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(crypt(passwd, salt), auxprop_values[0].values[0]) == 0)
++ return SASL_OK;
++ else
++ ret = SASL_BADAUTH;
++ }
++ else if (password_format == PASSWORD_FORMAT_CLEARTEXT) {
++ /* compare passwords */
++ if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(auxprop_values[0].values[0], passwd) == 0)
++ return SASL_OK;
++ else
++ ret = SASL_BADAUTH;
++ /******************************
++ * crypt(3) patch stop *
++ ******************************/
+ } else if(auxprop_values[1].name
+ && auxprop_values[1].values
+ && auxprop_values[1].values[0]) {
+@@ -975,3 +1053,37 @@
+ #endif
+ { NULL, NULL }
+ };
++
++/* weeds out crypt(3) password's salt */
++int _sasl_get_salt (char *dest, char *src, int format) {
++ int num; /* how many characters is salt long? */
++ switch (format) {
++ case PASSWORD_FORMAT_CRYPT:
++ /* md5 crypt */
++ if (src[1] == '1')
++ num = 12;
++ /* blowfish crypt */
++ else if (src[1] == '2')
++ num = (src[1] == '2' && src[2] == 'a') ? 17 : 16;
++ /* traditional crypt */
++ else
++ num = 2;
++ break;
++
++ case PASSWORD_FORMAT_CRYPTTRAD:
++ num = 2;
++ break;
++
++ default:
++ return 1;
++ }
++
++ /* destroy destination */
++ memset(dest, '\0', (num + 1));
++
++ /* copy salt to destination */
++ strncpy(dest, src, num);
++
++ return 1;
++}
++
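Review bot: `_sasl_get_salt(salt, (char *) auxprop_values[0].values[0], password_format);` at the top of the crypt branch dereferences `auxprop_values[0].values` in its argument, and `_sasl_get_salt` then reads `src[1]` and `src[2]`, before the `auxprop_values[0].values && auxprop_values[0].values[0]` checks that follow on the next lines, so a lookup for a user with no stored password value crashes the server instead of returning SASL_BADAUTH. Move the call under the same guard, e.g. `if (auxprop_values[0].values && auxprop_values[0].values[0]) _sasl_get_salt(salt, (char *) auxprop_values[0].values[0], password_format);`, and have `_sasl_get_salt` check `strlen(src)` before indexing past `src[0]`. The rewritten chain `if (password_format != PASSWORD_FORMAT_CLEARTEXT) {…} else if (password_format == PASSWORD_FORMAT_CLEARTEXT) {…} else if(auxprop_values[1].name …` also makes the `*cmusaslsecretPLAIN` fallback unreachable, because the first two tests cover every format, whereas the original fell through to it when the first secret did not match. The fixed-length salt table could be dropped entirely by passing the stored hash itself as the setting string, `strcmp(crypt(passwd, auxprop_values[0].values[0]), auxprop_values[0].values[0]) == 0`, which crypt(3) accepts and which avoids cutting a `$2a$` setting off at 17 characters. The function these hunks patch starts and ends outside the hunk, and `crypt()` returns a static buffer, so if this library is used from threads a reentrant variant would be needed — worth confirming against the build's threading assumptions.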
diff -ruN cyrus-sasl2.old/files/crypt-patch-plugins::sql.c cyrus-sasl2/files/crypt-patch-plugins::sql.c
--- cyrus-sasl2.old/files/crypt-patch-plugins::sql.c Thu Jan 1 01:00:00 1970
+++ cyrus-sasl2/files/crypt-patch-plugins::sql.c Wed Jan 12 12:44:03 2005
@@ -0,0 +1,189 @@
+--- plugins/sql.c.orig 2004-06-30 21:31:11.000000000 +0200
++++ plugins/sql.c 2004-09-07 13:38:57.285556518 +0200
+@@ -54,6 +54,7 @@
+ const char *sql_insert;
+ const char *sql_update;
+ int sql_usessl;
++ int sql_verbose;
+ } sql_settings_t;
+
+ static const char * SQL_BLANK_STRING = "";
+@@ -279,8 +280,9 @@
+ }
+ else if (status != PGRES_TUPLES_OK) {
+ /* error */
+- utils->log(NULL, SASL_LOG_DEBUG, "sql plugin: %s ",
+- PQresStatus(status));
++ if (settings->sql_verbose)
++ utils->log(NULL, SASL_LOG_DEBUG, "sql plugin: %s ",
++ PQresStatus(status));
+ PQclear(result);
+ return -1;
+ }
+@@ -401,7 +403,8 @@
+
+ rc = sqlite_exec((sqlite*)db, cmd, sqlite_my_callback, (void*)&result, &zErrMsg);
+ if (rc != SQLITE_OK && rc != SQLITE_ABORT) {
+- utils->log(NULL, SASL_LOG_DEBUG, "sql plugin: %s ", zErrMsg);
++ if (settings->sql_verbose)
++ utils->log(NULL, SASL_LOG_DEBUG, "sql plugin: %s ", zErrMsg);
+ sqlite_freemem (zErrMsg);
+ return -1;
+ }
+@@ -592,7 +595,7 @@
+ {
+ sql_settings_t *settings;
+ int r;
+- const char *usessl, *engine_name;
++ const char *usessl, *engine_name, *sql_verbose;
+ const sql_engine_t *e;
+
+ settings = (sql_settings_t *) glob_context;
+@@ -674,6 +677,11 @@
+ } else {
+ settings->sql_usessl = 0;
+ }
++
++ /* sql verbose */
++ r = utils->getopt(utils->getopt_context, "SQL", "sql_verbose", &sql_verbose, NULL);
++ if (r || !sql_verbose) sql_verbose = "no";
++ settings->sql_verbose = (*sql_verbose == '1' || *sql_verbose == 'y' || *sql_verbose == 't' || (*sql_verbose == 'o' && sql_verbose[1] == 'n'));
+ }
+
+ static void *sql_connect(sql_settings_t *settings, const sasl_utils_t *utils)
+@@ -687,7 +695,8 @@
+ * it should probably save the connection but for
+ * now we will just disconnect everytime
+ */
+- utils->log(NULL, SASL_LOG_DEBUG,
++ if (settings->sql_verbose)
++ utils->log(NULL, SASL_LOG_DEBUG,
+ "sql plugin try and connect to a host\n");
+
+ /* create a working version of the hostnames */
+@@ -703,10 +712,11 @@
+ while (!isalnum(db_host[0])) db_host++;
+ }
+
+- utils->log(NULL, SASL_LOG_DEBUG,
+- "sql plugin trying to open db '%s' on host '%s'%s\n",
+- settings->sql_database, cur_host,
+- settings->sql_usessl ? " using SSL" : "");
++ if (settings->sql_verbose)
++ utils->log(NULL, SASL_LOG_DEBUG,
++ "sql plugin trying to open db '%s' on host '%s'%s\n",
++ settings->sql_database, cur_host,
++ settings->sql_usessl ? " using SSL" : "");
+
+ /* set the optional port */
+ if ((cur_port = strchr(cur_host, ':'))) *cur_port++ = '\0';
+@@ -720,7 +730,7 @@
+ if (conn) break;
+
+ utils->log(NULL, SASL_LOG_ERR,
+- "sql plugin could not connect to host %s", cur_host);
++ "sql plugin could not connect to host %s", cur_host);
+
+ cur_host = db_host;
+ }
+@@ -757,7 +767,8 @@
+ /* setup the settings */
+ settings = (sql_settings_t *) glob_context;
+
+- sparams->utils->log(NULL, SASL_LOG_DEBUG,
++ if (settings->sql_verbose)
++ sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ "sql plugin Parse the username %s\n", user);
+
+ user_buf = sparams->utils->malloc(ulen + 1);
+@@ -828,14 +839,16 @@
+
+ if (!do_txn) {
+ do_txn = 1;
+- sparams->utils->log(NULL, SASL_LOG_DEBUG, "begin transaction");
++ if (settings->sql_verbose)
++ sparams->utils->log(NULL, SASL_LOG_DEBUG, "begin transaction");
+ if (settings->sql_engine->sql_begin_txn(conn, sparams->utils)) {
+- sparams->utils->log(NULL, SASL_LOG_ERR,
+- "Unable to begin transaction\n");
++ sparams->utils->log(NULL, SASL_LOG_ERR,
++ "Unable to begin transaction\n");
+ }
+ }
+-
+- sparams->utils->log(NULL, SASL_LOG_DEBUG,
++
++ if (settings->sql_verbose)
++ sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ "sql plugin create statement from %s %s %s\n",
+ realname, escap_userid, escap_realm);
+
+@@ -845,7 +858,8 @@
+ escap_realm, NULL,
+ sparams->utils);
+
+- sparams->utils->log(NULL, SASL_LOG_DEBUG,
++ if (settings->sql_verbose)
++ sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ "sql plugin doing query %s\n", query);
+
+ /* run the query */
+@@ -859,7 +873,8 @@
+ }
+
+ if (do_txn) {
+- sparams->utils->log(NULL, SASL_LOG_DEBUG, "commit transaction");
++ if (settings->sql_verbose)
++ sparams->utils->log(NULL, SASL_LOG_DEBUG, "commit transaction");
+ if (settings->sql_engine->sql_commit_txn(conn, sparams->utils)) {
+ sparams->utils->log(NULL, SASL_LOG_ERR,
+ "Unable to commit transaction\n");
+@@ -906,7 +921,8 @@
+ /* make sure our input is okay */
+ if (!glob_context || !sparams || !user) return SASL_BADPARAM;
+
+- sparams->utils->log(NULL, SASL_LOG_DEBUG,
++ if (settings->sql_verbose)
++ sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ "sql plugin Parse the username %s\n", user);
+
+ user_buf = sparams->utils->malloc(ulen + 1);
+@@ -993,9 +1009,11 @@
+ cur->values && cur->values[0] ?
+ "<omitted>" : SQL_NULL_VALUE,
+ sparams->utils);
+- sparams->utils->log(NULL, SASL_LOG_DEBUG,
+- "sql plugin doing statement %s\n",
+- log_statement);
++
++ if (settings->sql_verbose)
++ sparams->utils->log(NULL, SASL_LOG_DEBUG,
++ "sql plugin doing statement %s\n",
++ log_statement);
+ sparams->utils->free(log_statement);
+ }
+
+@@ -1042,7 +1060,8 @@
+
+ if (!settings) return;
+
+- utils->log(NULL, SASL_LOG_DEBUG, "sql freeing memory\n");
++ if (settings->sql_verbose)
++ utils->log(NULL, SASL_LOG_DEBUG, "sql freeing memory\n");
+
+ utils->free(settings);
+ }
+@@ -1090,9 +1109,10 @@
+ return SASL_NOMECH;
+ }
+
+- utils->log(NULL, SASL_LOG_DEBUG,
+- "sql auxprop plugin using %s engine\n",
+- settings->sql_engine->name);
++ if (settings->sql_verbose)
++ utils->log(NULL, SASL_LOG_DEBUG,
++ "sql auxprop plugin using %s engine\n",
++ settings->sql_engine->name);
+
+ sql_auxprop_plugin.glob_context = settings;
+
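Review bot: The PostgreSQL and SQLite error paths, `if (settings->sql_verbose) utils->log(NULL, SASL_LOG_DEBUG, "sql plugin: %s ", PQresStatus(status));` and the matching `zErrMsg` line, are now silent unless `sql_verbose` is set, yet both branches return -1, so a failing backend query becomes indistinguishable in the logs from a user that simply does not exist. Those two should log unconditionally and at `SASL_LOG_ERR` rather than `SASL_LOG_DEBUG`, leaving the knob for the connect/query tracing it was meant to quiet. Since every other gated message is already emitted at `SASL_LOG_DEBUG`, which the application's log callback can filter by level, the knob may be redundant for them; that is a design question for the maintainer rather than a defect. The functions touched by these hunks all start and end outside the hunk, so whether `settings` is assigned before the new `if (settings->sql_verbose)` guard in the store path cannot be confirmed from here.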
--- cyrus-sasl2-crypt.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: