From flz@xbsd.org  Wed Jan 12 12:37:46 2005
Return-Path: <flz@xbsd.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 73E1916A4CE; Wed, 12 Jan 2005 12:37:46 +0000 (GMT)
Received: from gate.xbsd.org (xbsd.org [82.233.2.192])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 69FC443D5C; Wed, 12 Jan 2005 12:37:45 +0000 (GMT)
	(envelope-from flz@xbsd.org)
Received: from localhost (localhost.xbsd.org [127.0.0.1])
	by gate.xbsd.org (Postfix) with ESMTP id 43B7611883;
	Wed, 12 Jan 2005 13:39:10 +0100 (CET)
Received: from gate.xbsd.org ([127.0.0.1])
 by localhost (gate.xbsd.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
 id 55007-06; Wed, 12 Jan 2005 13:39:00 +0100 (CET)
Received: by gate.xbsd.org (Postfix, from userid 2001)
	id 5776011737; Wed, 12 Jan 2005 13:39:00 +0100 (CET)
Message-Id: <20050112123900.5776011737@gate.xbsd.org>
Date: Wed, 12 Jan 2005 13:39:00 +0100 (CET)
From: Florent Thoumie <flz@xbsd.org>
Reply-To: Florent Thoumie <flz@xbsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: ume@FreeBSD.org
Subject: Update port: security/cyrus-sasl2 - add WITH_CRYPT knob to support crypt()'ed passwords
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         76140
>Category:       ports
>Synopsis:       Update port: security/cyrus-sasl2 - add WITH_CRYPT knob to support crypt()'ed passwords
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ume
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 12 12:40:25 GMT 2005
>Closed-Date:    Fri Feb 18 18:43:26 GMT 2005
>Last-Modified:  Fri Feb 18 18:43:26 GMT 2005
>Originator:     Florent Thoumie
>Release:        FreeBSD 5.3-RELEASE i386
>Organization:
Xbsd.org
>Environment:

System: FreeBSD gate.xbsd.org 5.3-RELEASE FreeBSD 5.3-RELEASE #2: Wed Nov 24 16:35:34 CET 2004 root@gate.xbsd.org:/usr/src/sys/i386/compile/GATE i386

>Description:

This patch adds support for crypt password lookups.

See [1] for further information.

Maintainer cc'ed.

[1] http://frost.ath.cx/software/cyrus-sasl-patches/

>How-To-Repeat:

N/A

>Fix:

--- cyrus-sasl2-crypt.diff begins here ---
diff -ruN cyrus-sasl2.old/Makefile cyrus-sasl2/Makefile
--- cyrus-sasl2.old/Makefile	Wed Jan 12 12:43:53 2005
+++ cyrus-sasl2/Makefile	Wed Jan 12 13:29:39 2005
@@ -155,6 +155,12 @@
 CONFIGURE_ARGS+=--enable-ntlm
 .endif
 
+.if defined(WITH_CRYPT)
+EXTRA_PATCHES=	${PATCHDIR}/crypt-patch-lib::Makefile.in \
+		${PATCHDIR}/crypt-patch-plugins::sql.c \
+		${PATCHDIR}/crypt-patch-lib::checkpw.c
+.endif
+
 .include <bsd.port.pre.mk>
 
 .if !defined(WITHOUT_GSSAPI) && defined(KRB5_HOME) && exists(${KRB5_HOME}/lib/libgssapi_krb5.a)
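Review bot: `EXTRA_PATCHES=` inside the WITH_CRYPT block overwrites the variable instead of extending it, so any EXTRA_PATCHES a user passes on the command line or another block sets is silently dropped; use `EXTRA_PATCHES+=`. The knob is also undocumented: nothing in this hunk lists WITH_CRYPT alongside the other WITH_/WITHOUT_ options the surrounding context shows (WITHOUT_GSSAPI, the NTLM switch), so a user has no way to discover it short of reading the Makefile. Naming the files crypt-patch-* rather than patch-* is the right choice here, since it keeps them out of the unconditional patch-* set.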
diff -ruN cyrus-sasl2.old/files/crypt-patch-lib::Makefile.in cyrus-sasl2/files/crypt-patch-lib::Makefile.in
--- cyrus-sasl2.old/files/crypt-patch-lib::Makefile.in	Thu Jan  1 01:00:00 1970
+++ cyrus-sasl2/files/crypt-patch-lib::Makefile.in	Wed Jan 12 12:44:03 2005
@@ -0,0 +1,11 @@
+--- lib/Makefile.in.orig	2004-07-02 21:40:15.000000000 +0200
++++ lib/Makefile.in	2004-09-07 13:21:22.746680576 +0200
+@@ -120,7 +120,7 @@
+ JAVA_TRUE = @JAVA_TRUE@
+ LDFLAGS = @LDFLAGS@
+ LIBOBJS = @LIBOBJS@
+-LIBS = @LIBS@
++LIBS = -lcrypt @LIBS@
+ LIBTOOL = @LIBTOOL@
+ LIB_CRYPT = @LIB_CRYPT@
+ LIB_DES = @LIB_DES@
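Review bot: hardcoding `-lcrypt` into LIBS duplicates the `LIB_CRYPT = @LIB_CRYPT@` line two lines below, which is configure's own detection of where crypt(3) lives; rather than patching LIBS globally, add `$(LIB_CRYPT)` to the link line of the library that now calls crypt(), so the build keeps working on a platform where crypt() is in libc and there is no separate libcrypt, and every other target in this Makefile stops being linked against a library it does not use.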
diff -ruN cyrus-sasl2.old/files/crypt-patch-lib::checkpw.c cyrus-sasl2/files/crypt-patch-lib::checkpw.c
--- cyrus-sasl2.old/files/crypt-patch-lib::checkpw.c	Thu Jan  1 01:00:00 1970
+++ cyrus-sasl2/files/crypt-patch-lib::checkpw.c	Wed Jan 12 12:44:03 2005
@@ -0,0 +1,157 @@
+--- lib/checkpw.c.orig	Wed Mar 17 14:58:13 2004
++++ lib/checkpw.c	Tue Jan 11 13:26:39 2005
+@@ -94,6 +94,23 @@
+ # endif
+ #endif
+ 
++/******************************
++ * crypt(3) patch start       *
++ ******************************/
++char *crypt(const char *key, const char *salt);
++
++/* cleartext password formats */
++#define PASSWORD_FORMAT_CLEARTEXT 1
++#define PASSWORD_FORMAT_CRYPT 2
++#define PASSWORD_FORMAT_CRYPTTRAD 3
++#define PASSWORD_SALT_BUF_LEN 22
++
++/* weeds out crypt(3) password's salt */
++int _sasl_get_salt (char *dest, char *src, int format);
++
++/******************************
++ * crypt(3) patch stop        *
++ ******************************/
+ 
+ /* we store the following secret to check plaintext passwords:
+  *
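Review bot: the hand-written prototype `char *crypt(const char *key, const char *salt);` should be replaced by `#include <unistd.h>`, which is where FreeBSD declares crypt(3); a local prototype masks any mismatch with the system header instead of letting the compiler report it. PASSWORD_SALT_BUF_LEN of 22 is also too small for a Blowfish setting string, which is `$2a$`, a two-digit cost, `$` and 22 salt characters, 29 bytes before the terminating NUL; the "16 char salt" in the comment further down is the raw salt size, not its encoded length. Minor: `_sasl_get_salt` never modifies src and should take `const char *`, and the comment above the PASSWORD_FORMAT_* defines says "cleartext password formats" although two of the three are crypt formats.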
+@@ -143,7 +160,51 @@
+ 				       "*cmusaslsecretPLAIN",
+ 				       NULL };
+     struct propval auxprop_values[3];
+-    
++
++	/******************************
++	 * crypt(3) patch start       *
++	 * for password format check  *
++	 ******************************/
++    sasl_getopt_t *getopt;
++    void *context;
++    const char *p = NULL;
++	/**
++	 * MD5: 12 char salt
++	 * BLOWFISH: 16 char salt
++	 */
++	char salt[PASSWORD_SALT_BUF_LEN];
++	int password_format;
++
++	/* get password format from auxprop configuration */
++	if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
++		getopt(context, NULL, "password_format", &p, NULL);
++	}
++
++	/* set password format */
++	if (p) {
++		/*
++		memset(pass_format_str, '\0', PASSWORD_FORMAT_STR_LEN);
++		strncpy(pass_format_str, p, (PASSWORD_FORMAT_STR_LEN - 1));
++		*/
++		/* modern, modular crypt(3) */
++		if (strncmp(p, "crypt", 11) == 0)
++			password_format = PASSWORD_FORMAT_CRYPT;
++		/* traditional crypt(3) */
++		else if (strncmp(p, "crypt_trad", 11) == 0)
++			password_format = PASSWORD_FORMAT_CRYPTTRAD;
++		/* cleartext password */
++		else
++			password_format = PASSWORD_FORMAT_CLEARTEXT;
++	} else {
++		/* cleartext password */
++		password_format = PASSWORD_FORMAT_CLEARTEXT;
++	}
++
++	/******************************
++	 * crypt(3) patch stop        *
++	 * for password format check  *
++	 ******************************/
++
+     if (!conn || !userstr)
+ 	return SASL_BADPARAM;
+ 
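Review bot: the new `_sasl_getcallback(conn, ...)` call runs before the existing `if (!conn || !userstr) return SASL_BADPARAM;` check, so a NULL conn is now dereferenced instead of rejected; move the whole password_format lookup below that check. `strncmp(p, "crypt", 11)` and `strncmp(p, "crypt_trad", 11)` only work because the length happens to exceed both literals; plain strcmp() says what is meant. The commented-out memset/strncpy block should be deleted rather than shipped, and any password_format value other than "crypt" or "crypt_trad" silently selects cleartext comparison, which is the one outcome a misconfigured server should not get quietly; log the unrecognised value. password_format is also new configuration surface with no documentation anywhere in this patch, and the indentation mixes tabs with the file's four-space style.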
+@@ -180,14 +241,31 @@
+ 	goto done;
+     }
+ 
+-    /* At the point this has been called, the username has been canonified
+-     * and we've done the auxprop lookup.  This should be easy. */
+-    if(auxprop_values[0].name
+-       && auxprop_values[0].values
+-       && auxprop_values[0].values[0]
+-       && !strcmp(auxprop_values[0].values[0], passwd)) {
+-	/* We have a plaintext version and it matched! */
+-	return SASL_OK;
++
++	/******************************
++	 * crypt(3) patch start       *
++	 ******************************/	
++
++	/* get salt */
++	_sasl_get_salt(salt, (char *) auxprop_values[0].values[0], password_format);
++	
++	/* crypt(3)-ed password? */
++	if (password_format != PASSWORD_FORMAT_CLEARTEXT) {
++		/* compare password */
++		if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(crypt(passwd, salt), auxprop_values[0].values[0]) == 0)
++			return SASL_OK;
++		else
++			ret = SASL_BADAUTH;
++	}
++	else if (password_format == PASSWORD_FORMAT_CLEARTEXT) {
++		/* compare passwords */
++		if (auxprop_values[0].name && auxprop_values[0].values && auxprop_values[0].values[0] && strcmp(auxprop_values[0].values[0], passwd) == 0)
++			return SASL_OK;
++		else
++			ret = SASL_BADAUTH;
++	/******************************
++	 * crypt(3) patch stop        *
++	 ******************************/
+     } else if(auxprop_values[1].name
+ 	      && auxprop_values[1].values
+ 	      && auxprop_values[1].values[0]) {
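Review bot: `_sasl_get_salt(salt, auxprop_values[0].values[0], ...)` runs before the `auxprop_values[0].name && values && values[0]` check that guards the comparison under it, so for a user with no plaintext secret stored (values[0] NULL) the crypt formats crash the server when `_sasl_get_salt` reads src[1]; move the call inside the guarded branch. `crypt()` returns NULL for a malformed or unsupported setting string, and `strcmp(crypt(passwd, salt), ...)` then crashes as well; test the result before comparing. The `if (format != CLEARTEXT) ... else if (format == CLEARTEXT)` chain now covers every value of password_format, so the original `else if (auxprop_values[1].name ...)` branch that falls back to the cmusaslsecretPLAIN secret is unreachable, and the `ret = SASL_BADAUTH` assignments (assuming ret is the function's existing status variable) replace what used to be a fall-through to that lookup; keep the original control flow and only swap the comparison inside it. Note too that crypt(3) returns a pointer to static storage and is not safe to call concurrently, which matters for a library linked into threaded servers.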
+@@ -975,3 +1053,37 @@
+ #endif     
+     { NULL, NULL }
+ };
++
++/* weeds out crypt(3) password's salt */
++int _sasl_get_salt (char *dest, char *src, int format) {
++	int num;	/* how many characters is salt long? */
++	switch (format) {
++		case PASSWORD_FORMAT_CRYPT:
++			/* md5 crypt */
++			if (src[1] == '1')
++				num = 12;
++			/* blowfish crypt */
++			else if (src[1] == '2')
++				num = (src[1] == '2' && src[2] == 'a') ? 17 : 16;
++			/* traditional crypt */
++			else
++				num = 2;
++			break;
++	
++		case PASSWORD_FORMAT_CRYPTTRAD:
++			num = 2;
++			break;
++
++		default:
++			return 1;
++	}
++
++	/* destroy destination */
++	memset(dest, '\0', (num + 1));
++
++	/* copy salt to destination */
++	strncpy(dest, src, num);
++
++	return 1;
++}
++
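Review bot: the Blowfish lengths are wrong: `num = 16` / `17` copy only `$2a$NN$` plus ten salt characters, while a bcrypt setting string is 29 characters (`$2a$`, cost, `$`, 22 salt characters), so the recomputed hash can never match a stored `$2a$` hash; the inner `src[1] == '2'` test is also redundant inside the `else if (src[1] == '2')` branch. Correcting the length to 29 would overflow the 22-byte salt buffer declared in the caller, so both have to change together. src[1] and src[2] are read without checking that src is long enough, so an empty or one-character stored value reads past its terminator. The simplest fix is to delete this function and pass the stored hash itself as the salt, `crypt(passwd, stored)`, which every modular-crypt implementation accepts because it parses the setting prefix itself; that also removes the need for password_format to distinguish "crypt" from "crypt_trad". As written the return value is a constant 1 that no caller checks.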
diff -ruN cyrus-sasl2.old/files/crypt-patch-plugins::sql.c cyrus-sasl2/files/crypt-patch-plugins::sql.c
--- cyrus-sasl2.old/files/crypt-patch-plugins::sql.c	Thu Jan  1 01:00:00 1970
+++ cyrus-sasl2/files/crypt-patch-plugins::sql.c	Wed Jan 12 12:44:03 2005
@@ -0,0 +1,189 @@
+--- plugins/sql.c.orig	2004-06-30 21:31:11.000000000 +0200
++++ plugins/sql.c	2004-09-07 13:38:57.285556518 +0200
+@@ -54,6 +54,7 @@
+     const char *sql_insert;
+     const char *sql_update;
+     int sql_usessl;
++    int sql_verbose;
+ } sql_settings_t;
+ 
+ static const char * SQL_BLANK_STRING = "";
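Review bot: the sql_verbose changes to plugins/sql.c have nothing to do with crypt(3) password support and roughly double the size of a patch the maintainer already considers too large to carry; split them into their own PR, or better send them upstream, so the WITH_CRYPT change can be judged on its own. Like password_format, sql_verbose is a new configuration option that arrives without any documentation.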
+@@ -279,8 +280,9 @@
+     }
+     else if (status != PGRES_TUPLES_OK) {
+ 	/* error */
+-	utils->log(NULL, SASL_LOG_DEBUG, "sql plugin: %s ",
+-		   PQresStatus(status));
++	if (settings->sql_verbose)
++		utils->log(NULL, SASL_LOG_DEBUG, "sql plugin: %s ",
++			   PQresStatus(status));
+ 	PQclear(result);
+ 	return -1;
+     }
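Review bot: `settings->sql_verbose` is used inside the PostgreSQL exec routine, but nothing in the visible context declares a `settings` variable there; the surrounding lines only have `utils`, `status` and `result` in scope. Unless a settings parameter is threaded through to this function (not shown anywhere in the patch), this will fail to compile as soon as the port is built with the PostgreSQL engine enabled. The same applies to the SQLite hunk below. Since both messages are already SASL_LOG_DEBUG, the simplest option is to leave these two call sites alone and let the application's log level filter them.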
+@@ -401,7 +403,8 @@
+ 
+     rc = sqlite_exec((sqlite*)db, cmd, sqlite_my_callback, (void*)&result, &zErrMsg);
+     if (rc != SQLITE_OK && rc != SQLITE_ABORT) {
+-	utils->log(NULL, SASL_LOG_DEBUG, "sql plugin: %s ", zErrMsg);
++    	if (settings->sql_verbose)
++			utils->log(NULL, SASL_LOG_DEBUG, "sql plugin: %s ", zErrMsg);
+ 	sqlite_freemem (zErrMsg);
+ 	return -1;
+     }
+@@ -592,7 +595,7 @@
+ {
+     sql_settings_t *settings;
+     int r;
+-    const char *usessl, *engine_name;
++    const char *usessl, *engine_name, *sql_verbose;
+     const sql_engine_t *e;
+     
+     settings = (sql_settings_t *) glob_context;
+@@ -674,6 +677,11 @@
+     } else {
+ 	settings->sql_usessl = 0;
+     }
++    
++    /* sql verbose */
++    r = utils->getopt(utils->getopt_context, "SQL", "sql_verbose", &sql_verbose, NULL);
++    if (r || !sql_verbose) sql_verbose = "no";
++    settings->sql_verbose = (*sql_verbose == '1' || *sql_verbose == 'y'  || *sql_verbose == 't' || (*sql_verbose == 'o' && sql_verbose[1] == 'n'));
+ }
+ 
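Review bot: this knob duplicates a control the library already has: every message it gates is logged at SASL_LOG_DEBUG, which the application's log callback can already filter, so an admin now has to raise both sql_verbose and the log level to see SQL plugin debugging, and the default of "no" silently switches off output that existing installs may rely on for troubleshooting. If the knob stays, the parse is case-sensitive (`Yes`, `TRUE` and `On` all mean off) and accepts any string starting with 1, y, t or on; either compare with strcasecmp() against the accepted spellings or document exactly which values are recognised, and state the default.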
+ static void *sql_connect(sql_settings_t *settings, const sasl_utils_t *utils)
+@@ -687,7 +695,8 @@
+      * it should probably save the connection but for 
+      * now we will just disconnect everytime
+      */
+-    utils->log(NULL, SASL_LOG_DEBUG,
++    if (settings->sql_verbose)
++    	utils->log(NULL, SASL_LOG_DEBUG,
+ 	       "sql plugin try and connect to a host\n");
+     
+     /* create a working version of the hostnames */
+@@ -703,10 +712,11 @@
+ 	    while (!isalnum(db_host[0])) db_host++;
+ 	}
+ 	
+-	utils->log(NULL, SASL_LOG_DEBUG,
+-		   "sql plugin trying to open db '%s' on host '%s'%s\n",
+-		   settings->sql_database, cur_host,
+-		   settings->sql_usessl ? " using SSL" : "");
++	if (settings->sql_verbose)
++		utils->log(NULL, SASL_LOG_DEBUG,
++			   "sql plugin trying to open db '%s' on host '%s'%s\n",
++			   settings->sql_database, cur_host,
++			   settings->sql_usessl ? " using SSL" : "");
+ 	
+ 	/* set the optional port */
+ 	if ((cur_port = strchr(cur_host, ':'))) *cur_port++ = '\0';
+@@ -720,7 +730,7 @@
+ 	if (conn) break;
+ 	
+ 	utils->log(NULL, SASL_LOG_ERR,
+-		   "sql plugin could not connect to host %s", cur_host);
++	   "sql plugin could not connect to host %s", cur_host);
+ 	
+ 	cur_host = db_host;
+     }
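Review bot: this hunk only changes the indentation of the continuation line of an unconditional SASL_LOG_ERR call; it is whitespace noise with no behavioural change and should be dropped from the patch.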
+@@ -757,7 +767,8 @@
+     /* setup the settings */
+     settings = (sql_settings_t *) glob_context;
+     
+-    sparams->utils->log(NULL, SASL_LOG_DEBUG,
++    if (settings->sql_verbose)
++	    sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ 			"sql plugin Parse the username %s\n", user);
+     
+     user_buf = sparams->utils->malloc(ulen + 1);
+@@ -828,14 +839,16 @@
+ 
+ 	if (!do_txn) {
+ 	    do_txn = 1;
+-	    sparams->utils->log(NULL, SASL_LOG_DEBUG, "begin transaction");
++	    if (settings->sql_verbose)
++		    sparams->utils->log(NULL, SASL_LOG_DEBUG, "begin transaction");
+ 	    if (settings->sql_engine->sql_begin_txn(conn, sparams->utils)) {
+-		sparams->utils->log(NULL, SASL_LOG_ERR, 
+-				    "Unable to begin transaction\n");
++			sparams->utils->log(NULL, SASL_LOG_ERR, 
++			    "Unable to begin transaction\n");
+ 	    }
+ 	}
+-    
+-	sparams->utils->log(NULL, SASL_LOG_DEBUG,
++
++	if (settings->sql_verbose)    
++		sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ 			    "sql plugin create statement from %s %s %s\n",
+ 			    realname, escap_userid, escap_realm);
+ 	
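Review bot: the two `Unable to begin transaction` lines are re-indented without any change in behaviour, which buries the real change in this hunk (gating the "begin transaction" debug line) under whitespace churn; leave untouched lines untouched.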
+@@ -845,7 +858,8 @@
+ 				     escap_realm, NULL,
+ 				     sparams->utils);
+ 	
+-	sparams->utils->log(NULL, SASL_LOG_DEBUG,
++	if (settings->sql_verbose)
++		sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ 			    "sql plugin doing query %s\n", query);
+ 	
+ 	/* run the query */
+@@ -859,7 +873,8 @@
+     }
+ 
+     if (do_txn) {
+-	sparams->utils->log(NULL, SASL_LOG_DEBUG, "commit transaction");
++    	if (settings->sql_verbose)
++			sparams->utils->log(NULL, SASL_LOG_DEBUG, "commit transaction");
+ 	if (settings->sql_engine->sql_commit_txn(conn, sparams->utils)) {
+ 	    sparams->utils->log(NULL, SASL_LOG_ERR, 
+ 				"Unable to commit transaction\n");
+@@ -906,7 +921,8 @@
+     /* make sure our input is okay */
+     if (!glob_context || !sparams || !user) return SASL_BADPARAM;
+     
+-    sparams->utils->log(NULL, SASL_LOG_DEBUG,
++    if (settings->sql_verbose)
++	    sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ 			"sql plugin Parse the username %s\n", user);
+     
+     user_buf = sparams->utils->malloc(ulen + 1);
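Review bot: `settings->sql_verbose` is dereferenced right after the `if (!glob_context || !sparams || !user)` check, but the context shown does not include the `settings = (sql_settings_t *) glob_context;` assignment; confirm it precedes this line in this function (in the lookup routine earlier in the patch the assignment is visibly done before the debug log), otherwise settings is used uninitialised here.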
+@@ -993,9 +1009,11 @@
+ 				     cur->values && cur->values[0] ?
+ 				     "<omitted>" : SQL_NULL_VALUE,
+ 				     sparams->utils);
+-	    sparams->utils->log(NULL, SASL_LOG_DEBUG,
+-				"sql plugin doing statement %s\n",
+-				log_statement);
++		
++	    if (settings->sql_verbose)
++	    	sparams->utils->log(NULL, SASL_LOG_DEBUG,
++					"sql plugin doing statement %s\n",
++					log_statement);
+ 	    sparams->utils->free(log_statement);
+ 	}
+ 	
+@@ -1042,7 +1060,8 @@
+     
+     if (!settings) return;
+     
+-    utils->log(NULL, SASL_LOG_DEBUG, "sql freeing memory\n");
++    if (settings->sql_verbose)
++	    utils->log(NULL, SASL_LOG_DEBUG, "sql freeing memory\n");
+     
+     utils->free(settings);
+ }
+@@ -1090,9 +1109,10 @@
+ 	return SASL_NOMECH;
+     }
+ 
+-    utils->log(NULL, SASL_LOG_DEBUG,
+-	       "sql auxprop plugin using %s engine\n",
+-	       settings->sql_engine->name);
++	if (settings->sql_verbose)
++	    utils->log(NULL, SASL_LOG_DEBUG,
++		       "sql auxprop plugin using %s engine\n",
++	    	   settings->sql_engine->name);
+     
+     sql_auxprop_plugin.glob_context = settings;
+     
--- cyrus-sasl2-crypt.diff ends here ---
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: ume 
State-Changed-When: Wed Jan 12 14:56:28 GMT 2005 
State-Changed-Why:  
I don't want to add such a big patch to the port, because 
it makes updating harder.  Please send your patch to the Cyrus 
guys to include it in the original distribution.  Once 
Cyrus decides to include your patch, I'll add it to the port. 


Responsible-Changed-From-To: freebsd-ports-bugs->ume 
Responsible-Changed-By: ume 
Responsible-Changed-When: Wed Jan 12 14:56:28 GMT 2005 
Responsible-Changed-Why:  
It's my port. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76140 

From: Florent Thoumie <flz@xbsd.org>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org,
	ume@FreeBSD.org
Cc:  
Subject: Re: ports/76140: Update port: security/cyrus-sasl2 - add WITH_CRYPT knob to support crypt()'ed passwords
Date: Fri, 18 Feb 2005 12:33:56 +0100

 This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
 --------------enig25996FF64157C95279B653D2
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit
 
 This PR can be closed since the patch won't be included in the ports tree.
 
 --------------enig25996FF64157C95279B653D2
 Content-Type: application/pgp-signature; name="signature.asc"
 Content-Description: OpenPGP digital signature
 Content-Disposition: attachment; filename="signature.asc"
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.0 (FreeBSD)
 Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
 
 iD8DBQFCFdKpMxEkbVFH3PQRAj8CAJ9LxNfEh7L++j08F/YzD815qAebPACgh9jW
 9igDKVHeL5YNSQteMSIKqXA=
 =qGGX
 -----END PGP SIGNATURE-----
 
 --------------enig25996FF64157C95279B653D2--
State-Changed-From-To: feedback->closed 
State-Changed-By: linimon 
State-Changed-When: Fri Feb 18 18:42:29 GMT 2005 
State-Changed-Why:  
Closed at submitter's request (maintainer disagreed with patch). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76140 
>Unformatted:
