Add a patch to re-allow the CRYPT password scheme in Dovecot. This scheme

checks the password against the stored hash using the OS crypt() function and supports whichever schemes are supported by the OS, but currently Dovecot makes some assumptions about hash format (to work around a segfault when used on OpenBSD following removal of DES from crypt). 'doveadm pw -s CRYPT' (tool to generate hashed passwords) will now produce bcrypt passwords rather than not allowing the scheme at all. More info in the patch itself. OK Brad.
2016-01-11 22:45:26 +00:00 · 2016-01-11 22:45:26 +00:00 · e4403cbc1b
commit e4403cbc1b
parent eab25dd5e1
2 changed files with 62 additions and 1 deletions
--- a/mail/dovecot/Makefile
+++ b/mail/dovecot/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.234 2015/12/12 16:43:09 sthen Exp $
+# $OpenBSD: Makefile,v 1.235 2016/01/11 22:45:26 sthen Exp $

 SHARED_ONLY=	Yes

@ -9,6 +9,7 @@ COMMENT-postgresql= PostgreSQL authentication / dictionary support for Dovecot

 V_MAJOR=	2.2
 V_DOVECOT=	2.2.21
+REVISION-server=0

 DISTNAME=	dovecot-${V_DOVECOT}
 PKGNAME=	dovecot-${V_DOVECOT}
--- a/mail/dovecot/patches/patch-src_auth_password-scheme-crypt_c
+++ b/mail/dovecot/patches/patch-src_auth_password-scheme-crypt_c
@ -0,0 +1,60 @@
+$OpenBSD: patch-src_auth_password-scheme-crypt_c,v 1.3 2016/01/11 22:45:26 sthen Exp $
+
+Dovecot supports various password schemes, e.g. {MD5}, {SHA1},
+{SSHA512}, {CRYPT}, etc.  This is is used in two cases:
+
+1. Identifying schemes available for 'doveadm pw -s <scheme>' to
+generate a hashed password from user input.
+
+2. Deciding which schemes to allow in a password database.
+Entries are stored as {SCHEME}passwordhash; the string from within
+brackets is checked against the list of supported schemes.
+
+One common scheme is {CRYPT} which passes to the OS crypt() function and
+is often used with LDAP password databases as it's also supported by
+OpenLDAP for its own authentication.
+
+After DES was removed from crypt(), 'doveadm pw -s CRYPT' started
+segfaulting on OpenBSD. To avoid this Dovecot was changed to
+test-encrypt a password and check that it can be verified,
+if not then that scheme is knocked out. But as well as stopping
+the segfault in case 1, it also prevents it from being used for
+case 2 i.e. verifying passwords.
+
+Result:
+
+dovecot: auth: Error: ldap(xyz,11.22.33.44,<asdafasfasdasfsa>): Unknown scheme CRYPT
+
+This patch re-allows CRYPT as a supported scheme. On OpenBSD it will
+encrypt as blowfish, on other OS it will encrypt as DES. Verification
+will work with whichever password formats are supported by the OS.
+
+--- src/auth/password-scheme-crypt.c.orig	Fri Jan  8 01:04:13 2016
+++ src/auth/password-scheme-crypt.c	Fri Jan  8 01:23:35 2016
+@@ -111,7 +111,12 @@ static const struct {
+ 	const char *salt;
+ 	const char *expected;
+ } sample[] = {
+#ifdef __OpenBSD__
+	{ "08/15!test~4711", "$2a$04$0123456789abcdefABCDEF",
+	  "$2a$04$0123456789abcdefABCDE.N.drYX5yIAL1LkTaaZotW3yI0hQhZru" },
+#else
+ 	{ "08/15!test~4711", "JB", "JBOZ0DgmtucwE" },
+#endif
+ 	{ "08/15!test~4711", "$2a$04$0123456789abcdefABCDEF",
+ 	  "$2a$04$0123456789abcdefABCDE.N.drYX5yIAL1LkTaaZotW3yI0hQhZru" },
+ 	{ "08/15!test~4711", "$5$rounds=1000$0123456789abcdef",
+@@ -124,8 +129,13 @@ static const struct {
+ 
+ /* keep in sync with the sample struct above */
+ static const struct password_scheme crypt_schemes[] = {
+#ifdef __OpenBSD__
+ 	{ "CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
+	  crypt_generate_blowfisch },
+#else
+	{ "CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
+ 	  crypt_generate_des },
+#endif
+ 	{ "BLF-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
+ 	  crypt_generate_blowfisch },
+ 	{ "SHA256-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,