Patch radicale's htpasswd parser to support bcrypt passwords, from

Francisco de Borja Lopez Rio. The htpasswd parser isn't very flexible and only normally handles one encryption method in the file. So I've also added a patch to recognise {SHA} from the hash string so that people using this can migrate their file to bcrypt. Update README with new htpasswd syntax and information about bcrypt and migrating. OK ian@, Sergey Bronnikov (maintainer)
2014-03-26 10:17:02 +00:00 · 2014-03-26 10:17:02 +00:00 · ba3bab1654
commit ba3bab1654
parent 1c22623a1a
4 changed files with 65 additions and 10 deletions
--- a/productivity/radicale/Makefile
+++ b/productivity/radicale/Makefile
@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.20 2013/10/21 09:47:19 jung Exp $
+# $OpenBSD: Makefile,v 1.21 2014/03/26 10:17:02 sthen Exp $

 COMMENT =	simple CalDAV calendar server

 MODPY_EGG_VERSION = 0.8
+REVISION =	0
 DISTNAME =	Radicale-${MODPY_EGG_VERSION}
 PKGNAME =	${DISTNAME:L}
 CATEGORIES =	productivity net
@ -18,6 +19,7 @@ MASTER_SITES =		${MASTER_SITE_PYPI:=R/Radicale/}

 MODULES =		lang/python
 MODPY_ADJ_FILES =	radicale.py
+LIB_DEPENDS =		security/py-bcrypt

 NO_TEST =		Yes

--- a/productivity/radicale/patches/patch-config
+++ b/productivity/radicale/patches/patch-config
@ -1,6 +1,6 @@
-$OpenBSD: patch-config,v 1.6 2013/10/21 09:47:19 jung Exp $
--- config.orig	Fri Jun 28 16:37:37 2013
-+++ config	Fri Oct 18 17:39:40 2013
+$OpenBSD: patch-config,v 1.7 2014/03/26 10:17:02 sthen Exp $
+--- config.orig	Fri Jun 28 15:37:37 2013
+++ config	Tue Mar 25 15:04:31 2014
@@ -22,9 +22,9 @@ pid =
 # SSL flag, enable HTTPS protocol
 ssl = False
@ -20,9 +20,10 @@ $OpenBSD: patch-config,v 1.6 2013/10/21 09:47:19 jung Exp $
 -htpasswd_filename = /etc/radicale/users
 +htpasswd_filename = ${SYSCONFDIR}/radicale/users
 # Htpasswd encryption method
- # Value: plain | sha1 | crypt
+-# Value: plain | sha1 | crypt
 -htpasswd_encryption = crypt
-+htpasswd_encryption = sha1
+# Value: plain | sha1 | crypt | bcrypt
+htpasswd_encryption = bcrypt
 
 # LDAP server URL, with protocol and port
 ldap_url = ldap://localhost:389/
--- a/productivity/radicale/patches/patch-radicale_auth_htpasswd_py
+++ b/productivity/radicale/patches/patch-radicale_auth_htpasswd_py
@ -0,0 +1,38 @@
+$OpenBSD: patch-radicale_auth_htpasswd_py,v 1.1 2014/03/26 10:17:02 sthen Exp $
+
+bcrypt support, based on
+http://evilshit.wordpress.com/2013/11/19/how-to-install-a-caldav-and-carddav-server-using-radicale/#bcrypt
+
+--- radicale/auth/htpasswd.py.orig	Fri May 17 00:27:26 2013
+++ radicale/auth/htpasswd.py	Tue Mar 25 14:44:21 2014
+@@ -29,6 +29,7 @@ supported, but md5 is not (see ``htpasswd`` man page t
+ 
+ import base64
+ import hashlib
+import bcrypt
+ 
+ from .. import config
+ 
+@@ -58,11 +59,21 @@ def _sha1(hash_value, password):
+     return sha1.digest() == base64.b64decode(hash_value)
+ 
+ 
+def _bcrypt(hash_value, password):
+    """Check if ``hash_value`` and ``password`` match using bcrypt method."""
+    hash_value = hash_value.encode("ascii")
+    password = password.encode(config.get("encoding", "stock"))
+    return bcrypt.checkpw(password, hash_value)
+
+
+ def is_authenticated(user, password):
+     """Check if ``user``/``password`` couple is valid."""
+     for line in open(FILENAME).readlines():
+         if line.strip():
+             login, hash_value = line.strip().split(":")
+             if login == user:
+-                return globals()["_%s" % ENCRYPTION](hash_value, password)
+                if hash_value[0:5] == '{SHA}':
+                    return _sha1(hash_value, password)
+                else:
+                    return globals()["_%s" % ENCRYPTION](hash_value, password)
+     return False
--- a/productivity/radicale/pkg/README
+++ b/productivity/radicale/pkg/README
@ -1,27 +1,41 @@
-$OpenBSD: README,v 1.4 2011/08/22 08:43:54 sthen Exp $
+$OpenBSD: README,v 1.5 2014/03/26 10:17:02 sthen Exp $

 +-----------------------------------------------------------------------
 | Running ${FULLPKGNAME} on OpenBSD
 +-----------------------------------------------------------------------

 Radicale will run out of the box but with NO SECURITY.
+
 There are two things you should do to enable security:
 enable passwords and enable encryption.

 Authentication
 ==============
-To enable passwords, edit ${SYSCONFDIR}/radicale/config and change
+To enable simple passwords, edit ${SYSCONFDIR}/radicale/config and change
 "type = None" (i.e. passwords are not requested or checked) to
 "type = htpasswd".

 User password(s) may be created with htpasswd(1); e.g.
-"htpasswd -s ${SYSCONFDIR}/radicale/users username".
-If the 'users' file does not already exist, use the '-c' option to create it.
+"htpasswd ${SYSCONFDIR}/radicale/users username".
+
+As of radicale-0.8p0, the OpenBSD port of Radicale has been modified
+to support bcrypt password hashes.
+
+Previous versions required old unix "crypt" or unsalted SHA-1 hashes
+of passwords, neither of which are safe.
+
+Users of previous versions should set "htpasswd_encryption = bcrypt"
+in ${SYSCONFDIR}/radicale/config and update their saved passwords when
+possible (to help with migration, existing SHA hashes stored with a
+"{SHA}" prefix in the users file will still work with the new setting).

 By default all calendars may be accessed by any authenticated user.
 To restrict calendars so that "/user1/calendar_name" can ONLY be
 accessed by user1, also change "personal = False" to "personal = True".

+For further authentication options (including deferring authentication
+to an existing IMAP server), consult Radicale's documentation.
+
 Encryption
 ==========
 To enable encryption, you need both to change "ssl = False" to