Dear All,

I would like to submit our patches to lib/checkpw.c and lib/Makefile.am.
The patches add a crypt() comparison for salted crypt passwords.
We use this to allow postfix, using sasl, to read and validate crypt passwords from a database table (postgres).

Tests were done successfully on Debian Wheezy with the following configuration:

/etc/postfix/sasl/smtpd.conf
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: pgsql
password_format: crypt
mech_list: LOGIN PLAIN
sql_engine: pgsql
sql_user: postfix
sql_passwd: *********
sql_hostnames: localhost
sql_database: *******
sql_select: select cryptpw as password from mailacct where account='%u@%r'
sql_usessl: no

testmaildb=> SELECT id,account,cryptpw from mailacct where id=1 ;
 id | account | cryptpw
----+----------------------+------------------------------------
 1 | tester@testdom.local | $1$.wMUVvWa$cPWzm5.zHZAqgMBcEC7fA/
(1 row)

Please review the patch and submit it to your upstream releases.

Happy new year!

Cheers
Chris
#! /bin/sh /usr/share/dpatch/dpatch-run
## 0038_checkpw_add_cryptcmp.dpatch by <chris.ruehl@xxxxxxxxxx>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad cyrus-sasl2-2.1.23.dfsg1/lib/checkpw.c.orig cyrus-sasl2-2.1.23.dfsg1/lib/checkpw.c
--- cyrus-sasl2-2.1.23.dfsg1/lib/checkpw.c.orig 2013-01-03 10:14:11.420579153 +0800
+++ cyrus-sasl2-2.1.23.dfsg1/lib/checkpw.c 2013-01-03 10:22:02.264429733 +0800
@@ -94,6 +94,7 @@
 # endif
 #endif
+extern char *crypt();
 /* we store the following secret to check plaintext passwords:
 *
@@ -184,10 +185,17 @@
 * and we've done the auxprop lookup. This should be easy. */
 if(auxprop_values[0].name
 && auxprop_values[0].values
- && auxprop_values[0].values[0]
- && !strcmp(auxprop_values[0].values[0], passwd)) {
- /* We have a plaintext version and it matched! */
- return SASL_OK;
+ && auxprop_values[0].values[0] ) {
+
+ if ( !strcmp(auxprop_values[0].values[0], passwd)) {
+ /* We have a plaintext version and it matched! */
+ return SASL_OK;
+ }
+ if ( !strcmp(auxprop_values[0].values[0], crypt(passwd, auxprop_values[0].values[0]))) {
+ /* We have a crypt version and it matched! */
+ return SASL_OK;
+ }
+
 } else if(auxprop_values[1].name
 && auxprop_values[1].values
 && auxprop_values[1].values[0]) {
diff -urNad cyrus-sasl2-2.1.25.dfsg1/lib/Makefile.am cyrus-sasl2-2.1.25.dfsg1/lib/Makefile.am.patch
--- cyrus-sasl2-2.1.25.dfsg1/lib/Makefile.am 2013-01-03 12:14:11.000000000 +0800
+++ cyrus-sasl2-2.1.25.dfsg1/lib/Makefile.am.patch 2013-01-03 12:17:22.392096999 +0800
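Review bot: The added `extern char *crypt();` in the first checkpw.c hunk is an old-style declaration with no parameter list, so the compiler cannot check the two arguments passed at the call site added in the second hunk. Prefer the system header that declares the function, e.g. `#include <crypt.h>` (or `<unistd.h>` on platforms that declare it there), under the configure guard the tree uses for that header. crypt() also returns a pointer to static storage and is not reentrant; whether this check can run on several threads at once cannot be told from the hunk, so either add a comment such as `/* crypt() uses a static buffer; callers must serialise */` or use `crypt_r()` where it is available.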
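Review bot: In the second checkpw.c hunk the result of `crypt(passwd, auxprop_values[0].values[0])` goes straight into `strcmp()`, but crypt() may return NULL when it does not accept the stored value as a salt (which can be the case for an account whose stored value is plaintext), so a wrong password can crash the verifying process. Keep the result in a local `char *hashed` and test it first: `hashed = crypt(passwd, auxprop_values[0].values[0]);` then `if ( hashed && !strcmp(auxprop_values[0].values[0], hashed)) {`. The plaintext `strcmp()` still runs against a stored crypt hash, so the hash string itself is accepted as the password and a disclosed table is as good as the passwords; the comparison should be chosen by the configured format (the mail shows `password_format: crypt`, which nothing in this hunk reads) rather than trying both in turn. When neither comparison matches, control now leaves the `if` without reaching the `else if` branch and without setting a failure code in the visible lines; the rest of the function is outside the hunk, so confirm what is returned on that path.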
@@ -58,13 +58,14 @@
 LTLIBOBJS = @LTLIBOBJS@
 LIBOBJS = @LIBOBJS@
 LIB_DOOR= @LIB_DOOR@
+LIB_CRYPT= @LIB_CRYPT@
 lib_LTLIBRARIES = libsasl2.la
 libsasl2_la_SOURCES = $(common_sources) $(common_headers)
 libsasl2_la_LDFLAGS = -version-info $(sasl_version) -Wl,--version-script=$(top_srcdir)/Versions
 libsasl2_la_DEPENDENCIES = $(LTLIBOBJS) $(top_srcdir)/Versions
-libsasl2_la_LIBADD = $(LTLIBOBJS) $(SASL_DL_LIB) $(LIB_SOCKET) $(LIB_DOOR)
+libsasl2_la_LIBADD = $(LTLIBOBJS) $(SASL_DL_LIB) $(LIB_SOCKET) $(LIB_DOOR) $(LIB_CRYPT)
 if MACOSX
 framedir = /Library/Frameworks/SASL2.framework
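Review bot: `$(LIB_CRYPT)` only reaches the `libsasl2_la_LIBADD` line if configure substitutes `@LIB_CRYPT@`, and the patch shows no configure change, while the checkpw.c hunk calls crypt() unconditionally. Confirm the variable is substituted for lib/ on every platform the library builds on, and guard the crypt() comparison in checkpw.c with the matching configure define so that a build without crypt support still links and simply skips that comparison. The new-side path in this file's header is `lib/Makefile.am.patch`, and this diff is taken against a 2.1.25 tree while the checkpw.c diff is against 2.1.23, so the patch should be regenerated against a single tree before it is applied.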