cpet/freebsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
d19b12356c
freebsd-ports/security/cyrus-sasl/files/patch-ai
Ade Lovett 636d1ebd70 Cyrus-SASL 1.5.24 sources changed on Aug 15th 
-- changed a hard coded value to a variable.

Kerberos IV detection fails due to double check on krb_mk_priv
(with/without com_err), used cached value from first check for krb_mk_priv.

Added addtional pwcheck methods (MySQL & LDAP Authentication).

PR:		21383
Submitted by:	maintainer
2000-09-19 02:59:29 +00:00

358 lines
9.9 KiB
Plaintext
Raw Blame History

--- lib/checkpw.c.orig Wed Jul 19 20:24:13 2000
+++ lib/checkpw.c Sat Sep 16 21:07:33 2000
@@ -95,10 +95,19 @@
#include <sys/un.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
-#endif
+#endif /* HAVE_UNISTD_H */
extern int errno;
-#endif
+#endif /* HAVE_PWCHECK */
+
+#ifdef HAVE_MYSQL
+#include <mysql.h>
+#endif /* HAVE_MYSQL */
+
+#ifdef HAVE_LDAP
+#include <lber.h>
+#include <ldap.h>
+#endif /* HAVE_LDAP */
#ifdef HAVE_KRB
@@ -170,12 +179,20 @@
memcpy (&temp_key, "kerberos", 8);
des_fixup_key_parity (&temp_key);
des_key_sched (&temp_key, schedule);
+#ifdef __FreeBSD__
+ des_cbc_cksum ((const unsigned char *)password, &ivec, passlen, schedule, &ivec);
+#else
des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec);
+#endif
memcpy (&temp_key, &ivec, sizeof temp_key);
des_fixup_key_parity (&temp_key);
des_key_sched (&temp_key, schedule);
+#ifdef __FreeBSD__
+ des_cbc_cksum ((const unsigned char *)password, key, passlen, schedule, &ivec);
+#else
des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec);
+#endif
des_fixup_key_parity (key);
@@ -210,10 +227,17 @@
return (str);
}
+#ifdef __FreeBSD__
+static int use_key(const char *user __attribute__((unused)),
+ char *instance __attribute__((unused)),
+ const char *realm __attribute__((unused)),
+ const void *key, des_cblock *returned_key)
+#else
static int use_key(char *user __attribute__((unused)),
char *instance __attribute__((unused)),
char *realm __attribute__((unused)),
void *key, des_cblock *returned_key)
+#endif
{
memcpy (returned_key, key, sizeof(des_cblock));
return 0;
@@ -838,7 +862,7 @@
/* pwcheck daemon-authenticated login */
-static int pwcheck_verify_password(sasl_conn_t *conn,
+static int pwcheck_verify_password(sasl_conn_t *conn __attribute__((unused)),
const char *userid,
const char *passwd,
const char *service __attribute__((unused)),
@@ -853,8 +877,10 @@
static char response[1024];
int start, n;
char pwpath[1024];
+#if 0 /* Not used */
sasl_getopt_t *getopt;
void *context;
+#endif
if (reply) { *reply = NULL; }
@@ -902,6 +928,260 @@
#endif
+#ifdef HAVE_MYSQL
+/* DMZ mysql auth 12/29/1999
+ * Updated to 1.5.24 by SWH 09/12/2000
+ */
+#ifdef USE_CRYPT_PASSWORD
+#define QUERY_STRING "select %s from %s where %s = '%s' and %s = password('%s')"
+#else
+#define QUERY_STRING "select %s from %s where %s = '%s' and %s = '%s'"
+#endif
+
+static int mysql_verify_password(sasl_conn_t *conn,
+ const char *userid,
+ const char *password,
+ const char *service __attribute__((unused)),
+ const char *user_realm __attribute__((unused)),
+ const char **reply)
+{
+ unsigned int numrows;
+ MYSQL mysql,*sock;
+ MYSQL_RES *result;
+ char qbuf[300];
+ char *db_user="",
+ *db_passwd="",
+ *db_host="",
+ *db_uidcol="",
+ *db_pwcol="",
+ *db_database="",
+ *db_table="";
+ sasl_getopt_t *getopt;
+ void *context;
+
+ if (!userid || !password) {
+ return SASL_BADPARAM;
+ }
+ if (reply) { *reply = NULL; }
+
+ /* check to see if the user configured a mysqluser/passwd/host/etc */
+ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
+ getopt(context, NULL, "mysql_user", (const char **) &db_user, NULL);
+ if (!db_user) db_user = "";
+ getopt(context, NULL, "mysql_passwd", (const char **) &db_passwd, NULL);
+ if (!db_passwd) db_passwd = "";
+ getopt(context, NULL, "mysql_host", (const char **) &db_host, NULL);
+ if (!db_host) db_host = "";
+ getopt(context, NULL, "mysql_database", (const char **) &db_database, NULL);
+ if (!db_database) db_database = "";
+ getopt(context, NULL, "mysql_table", (const char **) &db_table, NULL);
+ if (!db_table) db_table = "";
+ getopt(context, NULL, "mysql_uidcol", (const char **) &db_uidcol, NULL);
+ if (!db_uidcol) db_uidcol = "";
+ getopt(context, NULL, "mysql_pwdcol", (const char **) &db_pwcol, NULL);
+ if (!db_pwcol) db_pwcol = "";
+ }
+
+ if (!(sock = mysql_connect(&mysql,db_host,db_user,db_passwd)))
+ {
+ if (reply) { *reply = "cannot connect to MySQL server"; }
+ return SASL_FAIL;
+ }
+
+ if (mysql_select_db(sock,db_database) < 0)
+ {
+ mysql_close(sock);
+ if (reply) { *reply = "cannot select MySQL database"; }
+ return SASL_FAIL;
+ }
+ /* select DB_UIDCOL from DB_TABLE where DB_UIDCOL = 'userid' AND DB_PWCOL = password('password') */
+ sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password);
+ if (mysql_query(sock,qbuf) < 0 || !(result=mysql_store_result(sock)))
+ {
+ mysql_close(sock);
+ return SASL_FAIL;
+ }
+
+ if (result) //There were some rows found
+ {
+ if ((numrows = mysql_affected_rows(&mysql)) != 1)
+ {
+ mysql_free_result(result);
+ mysql_close(sock);
+ if ((numrows > 1) && (reply)) { *reply = "Detected duplicate entries for user"; }
+ return SASL_BADAUTH;
+ } else {
+ mysql_free_result(result);
+ mysql_close(sock);
+ return SASL_OK;
+ }
+ }
+ mysql_free_result(result);
+ mysql_close(sock);
+ return SASL_BADAUTH;
+}
+#endif /* HAVE_MYSQL */
+
+#ifdef HAVE_LDAP
+/* simon@surf.org.uk LDAP auth 07/11/2000
+ * Updated to 1.5.24 by SWH 09/12/2000
+ */
+
+#define LDAP_SERVER "localhost"
+#define LDAP_BASEDN "o=JOFA, c=UK"
+#define LDAP_UIDATTR "uid"
+
+#ifndef TRUE
+# define TRUE 1
+# define FALSE 0
+#endif
+
+static int ldap_isdigits(char *value)
+{
+ char *ptr;
+ int num = TRUE;
+
+ for (ptr = value; *ptr != '\0' && num != FALSE; ptr++) {
+ if (!isdigit(*ptr))
+ num = FALSE;
+ }
+
+ return num;
+}
+
+static int ldap_verify_password(sasl_conn_t *conn,
+ const char *userid,
+ const char *password,
+ const char *service __attribute__((unused)),
+ const char *user_realm __attribute__((unused)),
+ const char **reply)
+{
+
+ LDAP *ld;
+ LDAPMessage *result;
+ LDAPMessage *entry;
+ char *attrs[2];
+ char filter[200];
+ char *dn,
+ *ldap_server="",
+ *ldap_basedn="",
+ *ldap_uidattr="",
+ *port_num="";
+ int ldap_port = LDAP_PORT;
+ int count;
+ sasl_getopt_t *getopt;
+ void *context;
+
+ /* If the password is NULL, reject the login...
+ * Otherwise the bind will succed as a reference bind. Not good...
+ */
+ if (strcmp(password,"") == 0)
+ {
+ return SASL_BADPARAM;
+ }
+
+ if (reply) { *reply = NULL; }
+
+ /* check to see if the user configured a mysqluser/passwd/host/etc */
+ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
+ getopt(context, NULL, "ldap_server", (const char **) &ldap_server, NULL);
+ if (!ldap_server) ldap_server = LDAP_SERVER;
+ getopt(context, NULL, "ldap_basedn", (const char **) &ldap_basedn, NULL);
+ if (!ldap_basedn) {
+ if (reply) { *reply = "ldap_basedn not defined"; }
+ return SASL_BADPARAM;
+ }
+ getopt(context, NULL, "ldap_uidattr", (const char **) &ldap_uidattr, NULL);
+ if (!ldap_uidattr) ldap_uidattr = LDAP_UIDATTR;
+ getopt(context, NULL, "ldap_port", (const char **) &port_num, NULL);
+ if (!port_num) {
+ ldap_port = LDAP_PORT;
+ } else if (!ldap_isdigits(port_num)) {
+ if (reply) { *reply = "ldap_port - invalid value"; }
+ return SASL_BADPARAM;
+ } else {
+ ldap_port = atoi(port_num);
+ }
+ }
+
+ /* Open the LDAP connection. */
+ if ((ld = ldap_open(ldap_server, ldap_port)) == NULL)
+ {
+ if (reply) { *reply = "cannot connect to LDAP server"; }
+ return SASL_FAIL;
+ }
+
+ /* Bind anonymously so that you can find the DN of the appropriate user. */
+ if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS)
+ {
+ ldap_unbind(ld);
+ if (reply) { *reply = "cannot bind to LDAP server"; }
+ return SASL_FAIL;
+ }
+
+ /* Generate a filter that will return the entry with a matching UID */
+ sprintf(filter,"(%s=%s)", ldap_uidattr,userid);
+
+ /* Just return country...This doesn't actually matter, since we will
+ * not read the attributes and values, only the DN
+ */
+ attrs[0] = "c";
+ attrs[1] = NULL;
+
+ /* Perform the search... */
+ if (ldap_search_s(ld,ldap_basedn,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS )
+ {
+ ldap_unbind(ld);
+ return SASL_BADAUTH;
+ }
+
+ /* If the entry count is not equal to one, either the UID was not unique or
+ * there was no match
+ */
+ if ((count = ldap_count_entries(ld,result)) != 1)
+ {
+ ldap_msgfree(result);
+ ldap_unbind(ld);
+ if ((count > 1) && (reply)) { *reply = "Detected duplicate entries for user"; }
+ return SASL_BADAUTH;
+ }
+
+ /* Get the first entry */
+ if ((entry = ldap_first_entry(ld,result)) == NULL)
+ {
+ ldap_msgfree(result);
+ ldap_unbind(ld);
+ return SASL_BADAUTH;
+ }
+
+ /* Get the DN of the entry */
+ if ((dn = ldap_get_dn(ld,entry)) == NULL)
+ {
+ ldap_msgfree(entry);
+ ldap_unbind(ld);
+ return SASL_BADAUTH;
+ }
+
+ /* Now bind as the DN with the password supplied earlier...
+ * Successful bind means the password was correct, otherwise the
+ * password is invalid.
+ */
+ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS)
+ {
+ free(dn);
+ ldap_msgfree(entry);
+ ldap_unbind(ld);
+ return SASL_BADAUTH;
+ }
+
+ free(dn);
+ ldap_msgfree(entry);
+ ldap_unbind(ld);
+ return SASL_OK;
+}
+
+#endif /* HAVE_LDAP */
+
struct sasl_verify_password_s _sasl_verify_password[] = {
{ "sasldb", &sasldb_verify_password },
#ifdef HAVE_KRB
@@ -921,6 +1201,12 @@
#endif
#ifdef HAVE_PWCHECK
{ "pwcheck", &pwcheck_verify_password },
+#endif
+#ifdef HAVE_MYSQL
+ { "mysql", &mysql_verify_password },
+#endif
+#ifdef HAVE_LDAP
+ { "ldap", &ldap_verify_password },
#endif
{ NULL, NULL }
};
Reference in New Issue View Git Blame Copy Permalink