From e4403cbc1bd341c0d3e5439912119433e002d2a5 Mon Sep 17 00:00:00 2001
From: sthen
Date: Mon, 11 Jan 2016 22:45:26 +0000
Subject: [PATCH] Add a patch to re-allow the CRYPT password scheme in Dovecot.

This scheme checks the password against the stored hash using the OS crypt() function and supports whichever schemes are supported by the OS, but currently Dovecot makes some assumptions about hash format (to work around a segfault when used on OpenBSD following removal of DES from crypt). 'doveadm pw -s CRYPT' (tool to generate hashed passwords) will now produce bcrypt passwords rather than not allowing the scheme at all. More info in the patch itself. OK Brad.
---
 mail/dovecot/Makefile | 3 +-
 .../patch-src_auth_password-scheme-crypt_c | 60 +++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 mail/dovecot/patches/patch-src_auth_password-scheme-crypt_c

diff --git a/mail/dovecot/Makefile b/mail/dovecot/Makefile
index d00b15a40e4..660b686538e 100644
--- a/mail/dovecot/Makefile
+++ b/mail/dovecot/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.234 2015/12/12 16:43:09 sthen Exp $
+# $OpenBSD: Makefile,v 1.235 2016/01/11 22:45:26 sthen Exp $
 SHARED_ONLY= Yes
@@ -9,6 +9,7 @@ COMMENT-postgresql= PostgreSQL authentication / dictionary support for Dovecot
 V_MAJOR= 2.2
 V_DOVECOT= 2.2.21
+REVISION-server=0
 DISTNAME= dovecot-${V_DOVECOT}
 PKGNAME= dovecot-${V_DOVECOT}
diff --git a/mail/dovecot/patches/patch-src_auth_password-scheme-crypt_c b/mail/dovecot/patches/patch-src_auth_password-scheme-crypt_c
new file mode 100644
index 00000000000..45912f8c126
--- /dev/null
+++ b/mail/dovecot/patches/patch-src_auth_password-scheme-crypt_c
@@ -0,0 +1,60 @@
+$OpenBSD: patch-src_auth_password-scheme-crypt_c,v 1.3 2016/01/11 22:45:26 sthen Exp $
+
+Dovecot supports various password schemes, e.g. {MD5}, {SHA1},
+{SSHA512}, {CRYPT}, etc. This is is used in two cases:
+
+1. Identifying schemes available for 'doveadm pw -s ' to
+generate a hashed password from user input.
+
+2. Deciding which schemes to allow in a password database.
+Entries are stored as {SCHEME}passwordhash; the string from within
+brackets is checked against the list of supported schemes.
+
+One common scheme is {CRYPT} which passes to the OS crypt() function and
+is often used with LDAP password databases as it's also supported by
+OpenLDAP for its own authentication.
+
+After DES was removed from crypt(), 'doveadm pw -s CRYPT' started
+segfaulting on OpenBSD. To avoid this Dovecot was changed to
+test-encrypt a password and check that it can be verified,
+if not then that scheme is knocked out. But as well as stopping
+the segfault in case 1, it also prevents it from being used for
+case 2 i.e. verifying passwords.
+
+Result:
+
+dovecot: auth: Error: ldap(xyz,11.22.33.44,): Unknown scheme CRYPT
+
+This patch re-allows CRYPT as a supported scheme. On OpenBSD it will
+encrypt as blowfish, on other OS it will encrypt as DES. Verification
+will work with whichever password formats are supported by the OS.
+
+--- src/auth/password-scheme-crypt.c.orig Fri Jan 8 01:04:13 2016
++++ src/auth/password-scheme-crypt.c Fri Jan 8 01:23:35 2016
+@@ -111,7 +111,12 @@ static const struct {
+ const char *salt;
+ const char *expected;
+ } sample[] = {
++#ifdef __OpenBSD__
++ { "08/15!test~4711", "$2a$04$0123456789abcdefABCDEF",
++ "$2a$04$0123456789abcdefABCDE.N.drYX5yIAL1LkTaaZotW3yI0hQhZru" },
++#else
+ { "08/15!test~4711", "JB", "JBOZ0DgmtucwE" },
++#endif
+ { "08/15!test~4711", "$2a$04$0123456789abcdefABCDEF",
+ "$2a$04$0123456789abcdefABCDE.N.drYX5yIAL1LkTaaZotW3yI0hQhZru" },
+ { "08/15!test~4711", "$5$rounds=1000$0123456789abcdef",
+@@ -124,8 +129,13 @@ static const struct {
+ 
+ /* keep in sync with the sample struct above */
+ static const struct password_scheme crypt_schemes[] = {
++#ifdef __OpenBSD__
+ { "CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
++ crypt_generate_blowfisch },
++#else
++ { "CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
+ crypt_generate_des },
++#endif
+ { "BLF-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
+ crypt_generate_blowfisch },
+ { "SHA256-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
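Review bot: The `#ifdef __OpenBSD__` added to `crypt_schemes[]` splits a single brace initializer across the preprocessor — the context line `{ "CRYPT", PW_ENCODING_NONE, 0, crypt_verify,` serves the OpenBSD branch and is duplicated verbatim in the `#else` branch — which reads as if two entries could be emitted and makes the index-based "keep in sync with the sample struct above" invariant harder to check by eye. Putting one complete entry in each branch, as the `sample[]` hunk already does, would be clearer, and a comment on the `#ifdef` such as `/* OpenBSD crypt(3) has no DES; CRYPT must generate bcrypt or the self-test knocks the scheme out */` would carry the reason from the patch header down to the code. The patch header could also state that on OpenBSD `sample[0]` and `sample[1]` are now the same bcrypt vector, so the CRYPT and BLF-CRYPT self-tests no longer exercise different formats, and that on other platforms CRYPT still generates traditional DES hashes, so BLF-CRYPT or the SHA-CRYPT schemes remain the better choice when creating new entries. Both the `sample[]` and `crypt_schemes[]` definitions continue past the end of this hunk.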