head	1.3;
access;
symbols
	RELEASE_4_4_0:1.2
	RELEASE_4_3_0:1.2
	RELEASE_4_2_0:1.2
	RELEASE_4_1_1:1.1;
locks; strict;
comment	@# @;


1.3
date	2002.01.17.15.04.38;	author kevlo;	state dead;
branches;
next	1.2;

1.2
date	2000.11.01.11.59.17;	author jeh;	state Exp;
branches;
next	1.1;

1.1
date	2000.09.19.02.59.28;	author ade;	state Exp;
branches;
next	;


desc
@@


1.3
log
@Update to version 1.5.27

PR: 33603
Submitted by: MAINTAINER
@
text
@--- lib/checkpw.c.orig	Wed Jul 19 20:24:13 2000
+++ lib/checkpw.c	Tue Oct 31 20:52:21 2000
@@@@ -95,10 +95,19 @@@@
 #include <sys/un.h>
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
-#endif
+#endif /* HAVE_UNISTD_H */
 
 extern int errno;
-#endif
+#endif /* HAVE_PWCHECK */
+
+#ifdef HAVE_MYSQL
+#include <mysql.h>
+#endif /* HAVE_MYSQL */
+
+#ifdef HAVE_LDAP
+#include <lber.h>
+#include <ldap.h>
+#endif /* HAVE_LDAP */
 
 #ifdef HAVE_KRB
 
@@@@ -170,12 +179,20 @@@@
     memcpy (&temp_key, "kerberos", 8);
     des_fixup_key_parity (&temp_key);
     des_key_sched (&temp_key, schedule);
+#ifdef __FreeBSD__
+    des_cbc_cksum ((const unsigned char *)password, &ivec, passlen, schedule, &ivec);
+#else
     des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec);
+#endif
 
     memcpy (&temp_key, &ivec, sizeof temp_key);
     des_fixup_key_parity (&temp_key);
     des_key_sched (&temp_key, schedule);
+#ifdef __FreeBSD__
+    des_cbc_cksum ((const unsigned char *)password, key, passlen, schedule, &ivec);
+#else
     des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec);
+#endif
 
     des_fixup_key_parity (key);
 
@@@@ -210,10 +227,17 @@@@
     return (str);
 }
 
+#ifdef __FreeBSD__
+static int use_key(const char *user __attribute__((unused)),
+                   char *instance __attribute__((unused)),
+                   const char *realm __attribute__((unused)),
+                   const void *key, des_cblock *returned_key)
+#else
 static int use_key(char *user __attribute__((unused)), 
 		   char *instance __attribute__((unused)), 
 		   char *realm __attribute__((unused)), 
 		   void *key, des_cblock *returned_key)
+#endif
 {
     memcpy (returned_key, key, sizeof(des_cblock));
     return 0;
@@@@ -838,7 +862,7 @@@@
 
 
 /* pwcheck daemon-authenticated login */
-static int pwcheck_verify_password(sasl_conn_t *conn,
+static int pwcheck_verify_password(sasl_conn_t *conn __attribute__((unused)),
 				   const char *userid, 
 				   const char *passwd,
 				   const char *service __attribute__((unused)),
@@@@ -853,8 +877,10 @@@@
     static char response[1024];
     int start, n;
     char pwpath[1024];
+#if 0	/* Not used */
     sasl_getopt_t *getopt;
     void *context;
+#endif
 
     if (reply) { *reply = NULL; }
 
@@@@ -902,6 +928,224 @@@@
 
 #endif
 
+#ifdef HAVE_MYSQL
+/* DMZ mysql auth 12/29/1999
+ * Updated to 1.5.24 by SWH 09/12/2000
+ * changed to malloc qbuf Simon Loader 10/21/2000
+ */
+#ifdef USE_CRYPT_PASSWORD
+#define QUERY_STRING    "select %s from %s where %s = '%s' and %s = password('%s')"
+#else
+#define QUERY_STRING    "select %s from %s where %s = '%s' and %s = '%s'"
+#endif
+
+static int mysql_verify_password(sasl_conn_t *conn,
+				const char *userid,
+				const char *password,
+				const char *service __attribute__((unused)),
+				const char *user_realm __attribute__((unused)),
+				const char **reply)
+{
+   unsigned int numrows;
+   MYSQL mysql,*sock;
+   MYSQL_RES *result;
+   char *qbuf;
+   char *db_user="",
+        *db_passwd="",
+        *db_host="",
+        *db_uidcol="",
+        *db_pwcol="",
+        *db_database="",
+        *db_table="";
+   sasl_getopt_t *getopt;
+   void *context;
+ 
+   if (!userid || !password) {
+       return SASL_BADPARAM;
+   }
+   if (reply) { *reply = NULL; }
+ 
+   /* check to see if the user configured a mysqluser/passwd/host/etc */
+   if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
+       getopt(context, NULL, "mysql_user", (const char **) &db_user, NULL);
+       if (!db_user) db_user = "";
+       getopt(context, NULL, "mysql_passwd", (const char **) &db_passwd, NULL);
+       if (!db_passwd) db_passwd = "";
+       getopt(context, NULL, "mysql_host", (const char **) &db_host, NULL);
+       if (!db_host) db_host = "";
+       getopt(context, NULL, "mysql_database", (const char **) &db_database, NULL);
+       if (!db_database) db_database = "";
+       getopt(context, NULL, "mysql_table", (const char **) &db_table, NULL);
+       if (!db_table) db_table = "";
+       getopt(context, NULL, "mysql_uidcol", (const char **) &db_uidcol, NULL);
+       if (!db_uidcol) db_uidcol = "";
+       getopt(context, NULL, "mysql_pwdcol", (const char **) &db_pwcol, NULL);
+       if (!db_pwcol) db_pwcol = "";
+    }
+
+    if (!(sock = mysql_connect(&mysql,db_host,db_user,db_passwd)))
+    {
+      if (reply) { *reply = "cannot connect to MySQL server"; }
+      return SASL_FAIL;
+    }
+
+    if (mysql_select_db(sock,db_database) < 0)
+    {
+      mysql_close(sock);
+      if (reply) { *reply = "cannot select MySQL database"; }
+      return SASL_FAIL;
+    }
+    /* select DB_UIDCOL from DB_TABLE where DB_UIDCOL = 'userid' AND DB_PWCOL = password('password') */
+    if ( (qbuf = (char *)malloc(strlen(QUERY_STRING)+strlen(db_uidcol)
+				+strlen(db_table)+strlen(db_uidcol)
+				+strlen(userid)+strlen(db_pwcol)
+				+strlen(password)+1)) == NULL ) {
+	if (reply) { *reply = "cannot malloc memory for sql query"; }
+	return SASL_FAIL;
+    }
+    sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password);
+    if (mysql_query(sock,qbuf) < 0 || !(result=mysql_store_result(sock)))
+    {
+      free(qbuf);
+      mysql_close(sock);
+      return SASL_FAIL;
+    }
+
+    if (result) //There were some rows found
+    {
+           if ((numrows = mysql_affected_rows(&mysql)) != 1)
+           {
+                   mysql_free_result(result);
+                   mysql_close(sock);
+		   if ((numrows > 1) && (reply)) { *reply = "Detected duplicate entries for user"; }
+		   free(qbuf);
+                   return SASL_BADAUTH;
+           } else {
+		   free(qbuf);
+                   mysql_free_result(result);
+                   mysql_close(sock);
+                   return SASL_OK;
+	   }
+    }
+    free(qbuf);
+    mysql_free_result(result);
+    mysql_close(sock);
+    return SASL_BADAUTH;
+}
+#endif /* HAVE_MYSQL */
+
+#ifdef HAVE_LDAP
+/* simon@@surf.org.uk LDAP auth 07/11/2000
+ * Updated to 1.5.24 by SWH 09/12/2000
+ * changed to use malloc and simplify the auth by Simon@@surf.org.uk 10/21/2000
+ */
+
+#define LDAP_SERVER	"localhost"
+#define LDAP_BASEDN	"o=JOFA, c=UK"
+#define LDAP_UIDATTR	"uid"
+
+#ifndef TRUE
+# define TRUE		1
+# define FALSE		0
+#endif
+
+static int ldap_isdigits(char *value)
+{
+    char *ptr;
+    int num = TRUE;
+
+    for (ptr = value; *ptr != '\0' && num != FALSE; ptr++) {
+	if (!isdigit(*ptr))
+	    num = FALSE;
+    }
+
+    return num;
+}
+
+static int ldap_verify_password(sasl_conn_t *conn,
+				const char *userid,
+				const char *password,
+				const char *service __attribute__((unused)),
+				const char *user_realm __attribute__((unused)),
+				const char **reply)
+{
+
+    LDAP *ld;
+    char *dn,
+	 *ldap_server="",
+	 *ldap_basedn="",
+	 *ldap_uidattr="",
+	 *port_num="";
+    int ldap_port = LDAP_PORT;
+    sasl_getopt_t *getopt;
+    void *context;
+
+    /* If the password is NULL, reject the login...
+     * Otherwise the bind will succed as a reference bind. Not good...
+     */
+    if (!userid || !password)
+    {
+	return SASL_BADPARAM;
+    }
+
+   if (reply) { *reply = NULL; }
+
+   /* check to see if the user configured a mysqluser/passwd/host/etc */
+   if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
+	getopt(context, NULL, "ldap_server", (const char **) &ldap_server, NULL);
+	if (!ldap_server) ldap_server = LDAP_SERVER;
+	getopt(context, NULL, "ldap_basedn", (const char **) &ldap_basedn, NULL);
+	if (!ldap_basedn) {
+	    if (reply) { *reply = "ldap_basedn not defined"; }
+	    return SASL_BADPARAM;
+	}
+	getopt(context, NULL, "ldap_uidattr", (const char **) &ldap_uidattr, NULL);
+	if (!ldap_uidattr) ldap_uidattr = LDAP_UIDATTR;
+	getopt(context, NULL, "ldap_port", (const char **) &port_num, NULL);
+	if (!port_num) {
+	    ldap_port = LDAP_PORT;
+	} else if (!ldap_isdigits(port_num)) {
+	    if (reply) { *reply = "ldap_port - invalid value"; }
+	    return SASL_BADPARAM;
+	} else {
+	    ldap_port = atoi(port_num);
+	}
+    }
+
+    /* Open the LDAP connection. */
+    if ((ld = ldap_open(ldap_server, ldap_port)) == NULL)
+    {
+      if (reply) { *reply = "cannot connect to LDAP server"; }
+      return SASL_FAIL;
+    }
+
+    if ( (dn = (char *)malloc(strlen(ldap_uidattr)
+			     +strlen(userid)+strlen(ldap_basedn)+3)) == NULL ) {
+      if (reply) { *reply = "cannnot allocate memory for ldap dn"; }
+      return SASL_FAIL;
+    }
+    /* Generate a dn that we will try and login with */
+    sprintf(dn,"%s=%s,%s", ldap_uidattr,userid,ldap_basedn);
+
+    /*
+     * Just try and bind with the dn we have been given
+     * In most cases the basedn is correct.
+     * If this is not so I have a version or that too
+     * Simon@@surf.org.uk
+     */
+    if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) {
+      free(dn);
+      ldap_unbind(ld);
+      return SASL_BADAUTH;
+    }
+
+    free(dn);
+    ldap_unbind(ld);
+    return SASL_OK;
+}
+
+#endif /* HAVE_LDAP */
+
 struct sasl_verify_password_s _sasl_verify_password[] = {
     { "sasldb", &sasldb_verify_password },
 #ifdef HAVE_KRB
@@@@ -921,6 +1165,12 @@@@
 #endif
 #ifdef HAVE_PWCHECK
     { "pwcheck", &pwcheck_verify_password },
+#endif
+#ifdef HAVE_MYSQL
+    { "mysql", &mysql_verify_password },
+#endif
+#ifdef HAVE_LDAP
+    { "ldap", &ldap_verify_password },
 #endif
     { NULL, NULL }
 };
@


1.2
log
@- Change /var/pwcheck permissions so Postfix can use pwcheck for SASL Authentication.
- Update MySQL & LDAP Authentication Methods
- Correct bento warning for extra file (Sendmail.conf).
- Correct mysql detection code in configure.sasl, and use LIB_DEPENDS for db3.

PR:		22462
Submitted by:	Scot W. Hetzel <hetzels@@westbend.net> MAINTAINER
@
text
@@


1.1
log
@Cyrus-SASL 1.5.24 sources changed on Aug 15th
-- changed a hard coded value to a variable.

Kerberos IV detection fails due to double check on krb_mk_priv
(with/without com_err), used cached value from first check for krb_mk_priv.

Added addtional pwcheck methods (MySQL & LDAP Authentication).

PR:		21383
Submitted by:	maintainer
@
text
@d2 1
a2 1
+++ lib/checkpw.c	Sat Sep 16 21:07:33 2000
d84 1
a84 1
@@@@ -902,6 +928,260 @@@@
d91 1
d109 1
a109 1
+   char qbuf[300];
d156 7
d166 1
d178 1
d181 1
d187 1
d197 1
a230 4
+    LDAPMessage *result;
+    LDAPMessage *entry;
+    char *attrs[2];
+    char filter[200]; 
a236 1
+    int count;
d243 1
a243 1
+    if (strcmp(password,"") == 0)
d275 2
a276 2
+	if (reply) { *reply = "cannot connect to LDAP server"; }
+	return SASL_FAIL;
d279 4
a282 49
+    /* Bind anonymously so that you can find the DN of the appropriate user. */
+    if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS)
+    {
+	ldap_unbind(ld);
+	if (reply) { *reply = "cannot bind to LDAP server"; }
+	return SASL_FAIL;
+    }
+
+    /* Generate a filter that will return the entry with a matching UID */
+    sprintf(filter,"(%s=%s)", ldap_uidattr,userid);
+
+    /* Just return country...This doesn't actually matter, since we will
+     * not read the attributes and values, only the DN
+     */
+    attrs[0] = "c";
+    attrs[1] = NULL;
+
+    /* Perform the search... */
+    if (ldap_search_s(ld,ldap_basedn,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS )
+    {
+	ldap_unbind(ld);
+	return SASL_BADAUTH;
+    }
+
+    /* If the entry count is not equal to one, either the UID was not unique or
+     * there was no match
+     */
+    if ((count = ldap_count_entries(ld,result)) != 1)
+    {
+	ldap_msgfree(result);
+	ldap_unbind(ld);
+	if ((count > 1) && (reply)) { *reply = "Detected duplicate entries for user"; }
+	return SASL_BADAUTH;
+    }
+
+    /* Get the first entry */
+    if ((entry = ldap_first_entry(ld,result)) == NULL)
+    {
+	ldap_msgfree(result);
+	ldap_unbind(ld);
+	return SASL_BADAUTH;
+    }
+
+    /* Get the DN of the entry */
+    if ((dn = ldap_get_dn(ld,entry)) == NULL)
+    {
+	ldap_msgfree(entry);
+	ldap_unbind(ld);
+	return SASL_BADAUTH;
d284 2
d287 5
a291 3
+    /* Now bind as the DN with the password supplied earlier...
+     * Successful bind means the password was correct, otherwise the
+     * password is invalid.
d293 4
a296 6
+    if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS)
+    {
+	free(dn);
+	ldap_msgfree(entry);
+	ldap_unbind(ld);
+	return SASL_BADAUTH;
a299 1
+    ldap_msgfree(entry);
d309 1
a309 1
@@@@ -921,6 +1201,12 @@@@
@

