1 |
--- lib/checkpw.c.orig Wed Jul 19 20:24:13 2000 |
2 |
+++ lib/checkpw.c Sat Sep 16 21:07:33 2000 |
3 |
@@ -95,10 +95,19 @@ |
4 |
#include <sys/un.h> |
5 |
#ifdef HAVE_UNISTD_H |
6 |
#include <unistd.h> |
7 |
-#endif |
8 |
+#endif /* HAVE_UNISTD_H */ |
9 |
|
10 |
extern int errno; |
11 |
-#endif |
12 |
+#endif /* HAVE_PWCHECK */ |
13 |
+ |
14 |
+#ifdef HAVE_MYSQL |
15 |
+#include <mysql.h> |
16 |
+#endif /* HAVE_MYSQL */ |
17 |
+ |
18 |
+#ifdef HAVE_LDAP |
19 |
+#include <lber.h> |
20 |
+#include <ldap.h> |
21 |
+#endif /* HAVE_LDAP */ |
22 |
|
23 |
#ifdef HAVE_KRB |
24 |
|
25 |
@@ -170,12 +179,20 @@ |
26 |
memcpy (&temp_key, "kerberos", 8); |
27 |
des_fixup_key_parity (&temp_key); |
28 |
des_key_sched (&temp_key, schedule); |
29 |
+#ifdef __FreeBSD__ |
30 |
+ des_cbc_cksum ((const unsigned char *)password, &ivec, passlen, schedule, &ivec); |
31 |
+#else |
32 |
des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec); |
33 |
+#endif |
34 |
|
35 |
memcpy (&temp_key, &ivec, sizeof temp_key); |
36 |
des_fixup_key_parity (&temp_key); |
37 |
des_key_sched (&temp_key, schedule); |
38 |
+#ifdef __FreeBSD__ |
39 |
+ des_cbc_cksum ((const unsigned char *)password, key, passlen, schedule, &ivec); |
40 |
+#else |
41 |
des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec); |
42 |
+#endif |
43 |
|
44 |
des_fixup_key_parity (key); |
45 |
|
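Review bot: The cast chosen at `des_cbc_cksum ((const unsigned char *)password, &ivec, passlen, schedule, &ivec)` is keyed on `#ifdef __FreeBSD__`, that is on the operating system rather than on the libdes prototype actually being compiled against, so a FreeBSD build linked to a different DES library, or another platform shipping the same libdes, silently takes the wrong branch; a configure-time probe that defines a feature macro would be the robust switch. If the OS test stays, the reason belongs next to it, e.g. `/* FreeBSD's libdes prototypes the input as const unsigned char *; other builds expect des_cblock * */` above the first `#ifdef __FreeBSD__` (stating whatever the FreeBSD header really declares). Both call sites pass the same argument order, so only the pointer type differs, which makes the duplication easy to miss on later edits. The enclosing function starts and ends outside this hunk.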
46 |
@@ -210,10 +227,17 @@ |
47 |
return (str); |
48 |
} |
49 |
|
50 |
+#ifdef __FreeBSD__ |
51 |
+static int use_key(const char *user __attribute__((unused)), |
52 |
+ char *instance __attribute__((unused)), |
53 |
+ const char *realm __attribute__((unused)), |
54 |
+ const void *key, des_cblock *returned_key) |
55 |
+#else |
56 |
static int use_key(char *user __attribute__((unused)), |
57 |
char *instance __attribute__((unused)), |
58 |
char *realm __attribute__((unused)), |
59 |
void *key, des_cblock *returned_key) |
60 |
+#endif |
61 |
{ |
62 |
memcpy (returned_key, key, sizeof(des_cblock)); |
63 |
return 0; |
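Review bot: The two `use_key` signatures differ only in three `const` qualifiers (`user`, `realm`, `key`), yet the whole parameter list is duplicated under `#ifdef __FreeBSD__`, so any later change to one copy must be mirrored by hand in the other. Presumably FreeBSD's Kerberos key_proc typedef const-qualifies those parameters; a one-word macro defined once ahead of the function lets a single signature serve both builds, as sketched below. A short comment should also say why the qualifiers differ, since nothing in the hunk explains it. The body of `use_key` is unchanged by this suggestion.
```c
/* FreeBSD's krb key_proc const-qualifies user/realm/key; other builds do not.
 * One macro keeps the two variants of the signature from drifting apart. */
#ifdef __FreeBSD__
# define KRB_KEYPROC_CONST const
#else
# define KRB_KEYPROC_CONST
#endif
static int use_key(KRB_KEYPROC_CONST char *user __attribute__((unused)),
                   char *instance __attribute__((unused)),
                   KRB_KEYPROC_CONST char *realm __attribute__((unused)),
                   KRB_KEYPROC_CONST void *key, des_cblock *returned_key)
/* … unchanged: function body … */
```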
64 |
@@ -838,7 +862,7 @@ |
65 |
|
66 |
|
67 |
/* pwcheck daemon-authenticated login */ |
68 |
-static int pwcheck_verify_password(sasl_conn_t *conn, |
69 |
+static int pwcheck_verify_password(sasl_conn_t *conn __attribute__((unused)), |
70 |
const char *userid, |
71 |
const char *passwd, |
72 |
const char *service __attribute__((unused)), |
73 |
@@ -853,8 +877,10 @@ |
74 |
static char response[1024]; |
75 |
int start, n; |
76 |
char pwpath[1024]; |
77 |
+#if 0 /* Not used */ |
78 |
sasl_getopt_t *getopt; |
79 |
void *context; |
80 |
+#endif |
81 |
|
82 |
if (reply) { *reply = NULL; } |
83 |
|
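Review bot: Wrapping `sasl_getopt_t *getopt;` and `void *context;` in `#if 0 /* Not used */` leaves dead declarations in pwcheck_verify_password rather than removing them; the two lines should simply be deleted, since the revision history already preserves them and `#if 0` blocks tend to rot out of sync with the code around them. The enclosing function starts before and ends after this hunk.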
84 |
@@ -902,6 +928,260 @@ |
85 |
|
86 |
#endif |
87 |
|
88 |
+#ifdef HAVE_MYSQL |
89 |
+/* DMZ mysql auth 12/29/1999 |
90 |
+ * Updated to 1.5.24 by SWH 09/12/2000 |
91 |
+ */ |
92 |
+#ifdef USE_CRYPT_PASSWORD |
93 |
+#define QUERY_STRING "select %s from %s where %s = '%s' and %s = password('%s')" |
94 |
+#else |
95 |
+#define QUERY_STRING "select %s from %s where %s = '%s' and %s = '%s'" |
96 |
+#endif |
97 |
+ |
98 |
+static int mysql_verify_password(sasl_conn_t *conn, |
99 |
+ const char *userid, |
100 |
+ const char *password, |
101 |
+ const char *service __attribute__((unused)), |
102 |
+ const char *user_realm __attribute__((unused)), |
103 |
+ const char **reply) |
104 |
+{ |
105 |
+ unsigned int numrows; |
106 |
+ MYSQL mysql,*sock; |
107 |
+ MYSQL_RES *result; |
108 |
+ char qbuf[300]; |
109 |
+ char *db_user="", |
110 |
+ *db_passwd="", |
111 |
+ *db_host="", |
112 |
+ *db_uidcol="", |
113 |
+ *db_pwcol="", |
114 |
+ *db_database="", |
115 |
+ *db_table=""; |
116 |
+ sasl_getopt_t *getopt; |
117 |
+ void *context; |
118 |
+ |
119 |
+ if (!userid || !password) { |
120 |
+ return SASL_BADPARAM; |
121 |
+ } |
122 |
+ if (reply) { *reply = NULL; } |
123 |
+ |
124 |
+ /* check to see if the user configured a mysqluser/passwd/host/etc */ |
125 |
+ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) { |
126 |
+ getopt(context, NULL, "mysql_user", (const char **) &db_user, NULL); |
127 |
+ if (!db_user) db_user = ""; |
128 |
+ getopt(context, NULL, "mysql_passwd", (const char **) &db_passwd, NULL); |
129 |
+ if (!db_passwd) db_passwd = ""; |
130 |
+ getopt(context, NULL, "mysql_host", (const char **) &db_host, NULL); |
131 |
+ if (!db_host) db_host = ""; |
132 |
+ getopt(context, NULL, "mysql_database", (const char **) &db_database, NULL); |
133 |
+ if (!db_database) db_database = ""; |
134 |
+ getopt(context, NULL, "mysql_table", (const char **) &db_table, NULL); |
135 |
+ if (!db_table) db_table = ""; |
136 |
+ getopt(context, NULL, "mysql_uidcol", (const char **) &db_uidcol, NULL); |
137 |
+ if (!db_uidcol) db_uidcol = ""; |
138 |
+ getopt(context, NULL, "mysql_pwdcol", (const char **) &db_pwcol, NULL); |
139 |
+ if (!db_pwcol) db_pwcol = ""; |
140 |
+ } |
141 |
+ |
142 |
+ if (!(sock = mysql_connect(&mysql,db_host,db_user,db_passwd))) |
143 |
+ { |
144 |
+ if (reply) { *reply = "cannot connect to MySQL server"; } |
145 |
+ return SASL_FAIL; |
146 |
+ } |
147 |
+ |
148 |
+ if (mysql_select_db(sock,db_database) < 0) |
149 |
+ { |
150 |
+ mysql_close(sock); |
151 |
+ if (reply) { *reply = "cannot select MySQL database"; } |
152 |
+ return SASL_FAIL; |
153 |
+ } |
154 |
+ /* select DB_UIDCOL from DB_TABLE where DB_UIDCOL = 'userid' AND DB_PWCOL = password('password') */ |
155 |
+ sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password); |
156 |
+ if (mysql_query(sock,qbuf) < 0 || !(result=mysql_store_result(sock))) |
157 |
+ { |
158 |
+ mysql_close(sock); |
159 |
+ return SASL_FAIL; |
160 |
+ } |
161 |
+ |
162 |
+ if (result) //There were some rows found |
163 |
+ { |
164 |
+ if ((numrows = mysql_affected_rows(&mysql)) != 1) |
165 |
+ { |
166 |
+ mysql_free_result(result); |
167 |
+ mysql_close(sock); |
168 |
+ if ((numrows > 1) && (reply)) { *reply = "Detected duplicate entries for user"; } |
169 |
+ return SASL_BADAUTH; |
170 |
+ } else { |
171 |
+ mysql_free_result(result); |
172 |
+ mysql_close(sock); |
173 |
+ return SASL_OK; |
174 |
+ } |
175 |
+ } |
176 |
+ mysql_free_result(result); |
177 |
+ mysql_close(sock); |
178 |
+ return SASL_BADAUTH; |
179 |
+} |
180 |
+#endif /* HAVE_MYSQL */ |
181 |
+ |
182 |
+#ifdef HAVE_LDAP |
183 |
+/* simon@surf.org.uk LDAP auth 07/11/2000 |
184 |
+ * Updated to 1.5.24 by SWH 09/12/2000 |
185 |
+ */ |
186 |
+ |
187 |
+#define LDAP_SERVER "localhost" |
188 |
+#define LDAP_BASEDN "o=JOFA, c=UK" |
189 |
+#define LDAP_UIDATTR "uid" |
190 |
+ |
191 |
+#ifndef TRUE |
192 |
+# define TRUE 1 |
193 |
+# define FALSE 0 |
194 |
+#endif |
195 |
+ |
196 |
+static int ldap_isdigits(char *value) |
197 |
+{ |
198 |
+ char *ptr; |
199 |
+ int num = TRUE; |
200 |
+ |
201 |
+ for (ptr = value; *ptr != '\0' && num != FALSE; ptr++) { |
202 |
+ if (!isdigit(*ptr)) |
203 |
+ num = FALSE; |
204 |
+ } |
205 |
+ |
206 |
+ return num; |
207 |
+} |
208 |
+ |
209 |
+static int ldap_verify_password(sasl_conn_t *conn, |
210 |
+ const char *userid, |
211 |
+ const char *password, |
212 |
+ const char *service __attribute__((unused)), |
213 |
+ const char *user_realm __attribute__((unused)), |
214 |
+ const char **reply) |
215 |
+{ |
216 |
+ |
217 |
+ LDAP *ld; |
218 |
+ LDAPMessage *result; |
219 |
+ LDAPMessage *entry; |
220 |
+ char *attrs[2]; |
221 |
+ char filter[200]; |
222 |
+ char *dn, |
223 |
+ *ldap_server="", |
224 |
+ *ldap_basedn="", |
225 |
+ *ldap_uidattr="", |
226 |
+ *port_num=""; |
227 |
+ int ldap_port = LDAP_PORT; |
228 |
+ int count; |
229 |
+ sasl_getopt_t *getopt; |
230 |
+ void *context; |
231 |
+ |
232 |
+ /* If the password is NULL, reject the login... |
233 |
+ * Otherwise the bind will succed as a reference bind. Not good... |
234 |
+ */ |
235 |
+ if (strcmp(password,"") == 0) |
236 |
+ { |
237 |
+ return SASL_BADPARAM; |
238 |
+ } |
239 |
+ |
240 |
+ if (reply) { *reply = NULL; } |
241 |
+ |
242 |
+ /* check to see if the user configured a mysqluser/passwd/host/etc */ |
243 |
+ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) { |
244 |
+ getopt(context, NULL, "ldap_server", (const char **) &ldap_server, NULL); |
245 |
+ if (!ldap_server) ldap_server = LDAP_SERVER; |
246 |
+ getopt(context, NULL, "ldap_basedn", (const char **) &ldap_basedn, NULL); |
247 |
+ if (!ldap_basedn) { |
248 |
+ if (reply) { *reply = "ldap_basedn not defined"; } |
249 |
+ return SASL_BADPARAM; |
250 |
+ } |
251 |
+ getopt(context, NULL, "ldap_uidattr", (const char **) &ldap_uidattr, NULL); |
252 |
+ if (!ldap_uidattr) ldap_uidattr = LDAP_UIDATTR; |
253 |
+ getopt(context, NULL, "ldap_port", (const char **) &port_num, NULL); |
254 |
+ if (!port_num) { |
255 |
+ ldap_port = LDAP_PORT; |
256 |
+ } else if (!ldap_isdigits(port_num)) { |
257 |
+ if (reply) { *reply = "ldap_port - invalid value"; } |
258 |
+ return SASL_BADPARAM; |
259 |
+ } else { |
260 |
+ ldap_port = atoi(port_num); |
261 |
+ } |
262 |
+ } |
263 |
+ |
264 |
+ /* Open the LDAP connection. */ |
265 |
+ if ((ld = ldap_open(ldap_server, ldap_port)) == NULL) |
266 |
+ { |
267 |
+ if (reply) { *reply = "cannot connect to LDAP server"; } |
268 |
+ return SASL_FAIL; |
269 |
+ } |
270 |
+ |
271 |
+ /* Bind anonymously so that you can find the DN of the appropriate user. */ |
272 |
+ if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS) |
273 |
+ { |
274 |
+ ldap_unbind(ld); |
275 |
+ if (reply) { *reply = "cannot bind to LDAP server"; } |
276 |
+ return SASL_FAIL; |
277 |
+ } |
278 |
+ |
279 |
+ /* Generate a filter that will return the entry with a matching UID */ |
280 |
+ sprintf(filter,"(%s=%s)", ldap_uidattr,userid); |
281 |
+ |
282 |
+ /* Just return country...This doesn't actually matter, since we will |
283 |
+ * not read the attributes and values, only the DN |
284 |
+ */ |
285 |
+ attrs[0] = "c"; |
286 |
+ attrs[1] = NULL; |
287 |
+ |
288 |
+ /* Perform the search... */ |
289 |
+ if (ldap_search_s(ld,ldap_basedn,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS ) |
290 |
+ { |
291 |
+ ldap_unbind(ld); |
292 |
+ return SASL_BADAUTH; |
293 |
+ } |
294 |
+ |
295 |
+ /* If the entry count is not equal to one, either the UID was not unique or |
296 |
+ * there was no match |
297 |
+ */ |
298 |
+ if ((count = ldap_count_entries(ld,result)) != 1) |
299 |
+ { |
300 |
+ ldap_msgfree(result); |
301 |
+ ldap_unbind(ld); |
302 |
+ if ((count > 1) && (reply)) { *reply = "Detected duplicate entries for user"; } |
303 |
+ return SASL_BADAUTH; |
304 |
+ } |
305 |
+ |
306 |
+ /* Get the first entry */ |
307 |
+ if ((entry = ldap_first_entry(ld,result)) == NULL) |
308 |
+ { |
309 |
+ ldap_msgfree(result); |
310 |
+ ldap_unbind(ld); |
311 |
+ return SASL_BADAUTH; |
312 |
+ } |
313 |
+ |
314 |
+ /* Get the DN of the entry */ |
315 |
+ if ((dn = ldap_get_dn(ld,entry)) == NULL) |
316 |
+ { |
317 |
+ ldap_msgfree(entry); |
318 |
+ ldap_unbind(ld); |
319 |
+ return SASL_BADAUTH; |
320 |
+ } |
321 |
+ |
322 |
+ /* Now bind as the DN with the password supplied earlier... |
323 |
+ * Successful bind means the password was correct, otherwise the |
324 |
+ * password is invalid. |
325 |
+ */ |
326 |
+ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) |
327 |
+ { |
328 |
+ free(dn); |
329 |
+ ldap_msgfree(entry); |
330 |
+ ldap_unbind(ld); |
331 |
+ return SASL_BADAUTH; |
332 |
+ } |
333 |
+ |
334 |
+ free(dn); |
335 |
+ ldap_msgfree(entry); |
336 |
+ ldap_unbind(ld); |
337 |
+ return SASL_OK; |
338 |
+} |
339 |
+ |
340 |
+#endif /* HAVE_LDAP */ |
341 |
+ |
342 |
struct sasl_verify_password_s _sasl_verify_password[] = { |
343 |
{ "sasldb", &sasldb_verify_password }, |
344 |
#ifdef HAVE_KRB |
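Review bot: `sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password)` interpolates the client-supplied userid and password into the SQL text without any escaping, so a userid such as `x' or '1'='1` rewrites the WHERE clause, and because `qbuf` is only 300 bytes and no input is length-checked a long userid or password also overwrites the stack. The same pattern recurs at `sprintf(filter,"(%s=%s)", ldap_uidattr,userid)`, where a userid containing `*` or `)(` changes the LDAP filter and can overflow the 200-byte `filter`; that path needs RFC 2254 escaping of `* ( ) \` and NUL plus a bounded `snprintf` with a truncation check as well. The LDAP path also evaluates `strcmp(password,"")` before any NULL check, whereas the MySQL path rejects `!userid || !password` — the same `SASL_BADPARAM` guard should precede the strcmp. `mysql_query(sock,qbuf) < 0` and `mysql_select_db(sock,db_database) < 0` assume a negative error value, but the documented contract is only non-zero, so `!= 0` is the safe test. The MySQL fix below bounds the inputs, escapes them with `mysql_escape_string()` (which belongs to the same client-API generation as the `mysql_connect()` already used here — confirm against the installed headers), and checks the snprintf result before issuing the query.
```c
    char esc_user[2 * 255 + 1], esc_pass[2 * 255 + 1]; /* escaping at most doubles the length */
    int qlen;
    /* … unchanged: remaining mysql_verify_password() locals … */

    if (!userid || !password) {
        return SASL_BADPARAM;
    }
    /* Both strings come straight from the client: refuse over-long ones
     * rather than truncating them into the query text. */
    if (strlen(userid) > 255 || strlen(password) > 255) {
        return SASL_BADPARAM;
    }
    /* … unchanged: getopt lookups, mysql_connect(), mysql_select_db() … */

    mysql_escape_string(esc_user, userid, strlen(userid));
    mysql_escape_string(esc_pass, password, strlen(password));
    qlen = snprintf(qbuf, sizeof qbuf, QUERY_STRING,
                    db_uidcol, db_table, db_uidcol, esc_user, db_pwcol, esc_pass);
    if (qlen < 0 || (size_t)qlen >= sizeof qbuf) {
        mysql_close(sock);
        if (reply) { *reply = "query too long"; }
        return SASL_FAIL;
    }
    if (mysql_query(sock, qbuf) != 0 || !(result = mysql_store_result(sock)))
    /* … unchanged: error exit, row-count check and cleanup … */
```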
345 |
@@ -921,6 +1201,12 @@ |
346 |
#endif |
347 |
#ifdef HAVE_PWCHECK |
348 |
{ "pwcheck", &pwcheck_verify_password }, |
349 |
+#endif |
350 |
+#ifdef HAVE_MYSQL |
351 |
+ { "mysql", &mysql_verify_password }, |
352 |
+#endif |
353 |
+#ifdef HAVE_LDAP |
354 |
+ { "ldap", &ldap_verify_password }, |
355 |
#endif |
356 |
{ NULL, NULL } |
357 |
}; |