1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
|
--- lib/checkpw.c.orig Wed Jul 19 20:24:13 2000
+++ lib/checkpw.c Sat Sep 16 21:07:33 2000
@@ -95,10 +95,19 @@
#include <sys/un.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
-#endif
+#endif /* HAVE_UNISTD_H */
extern int errno;
-#endif
+#endif /* HAVE_PWCHECK */
+
+#ifdef HAVE_MYSQL
+#include <mysql.h>
+#endif /* HAVE_MYSQL */
+
+#ifdef HAVE_LDAP
+#include <lber.h>
+#include <ldap.h>
+#endif /* HAVE_LDAP */
#ifdef HAVE_KRB
@@ -170,12 +179,20 @@
memcpy (&temp_key, "kerberos", 8);
des_fixup_key_parity (&temp_key);
des_key_sched (&temp_key, schedule);
+#ifdef __FreeBSD__
+ des_cbc_cksum ((const unsigned char *)password, &ivec, passlen, schedule, &ivec);
+#else
des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec);
+#endif
memcpy (&temp_key, &ivec, sizeof temp_key);
des_fixup_key_parity (&temp_key);
des_key_sched (&temp_key, schedule);
+#ifdef __FreeBSD__
+ des_cbc_cksum ((const unsigned char *)password, key, passlen, schedule, &ivec);
+#else
des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec);
+#endif
des_fixup_key_parity (key);
@@ -210,10 +227,17 @@
return (str);
}
+#ifdef __FreeBSD__
+static int use_key(const char *user __attribute__((unused)),
+ char *instance __attribute__((unused)),
+ const char *realm __attribute__((unused)),
+ const void *key, des_cblock *returned_key)
+#else
static int use_key(char *user __attribute__((unused)),
char *instance __attribute__((unused)),
char *realm __attribute__((unused)),
void *key, des_cblock *returned_key)
+#endif
{
memcpy (returned_key, key, sizeof(des_cblock));
return 0;
@@ -838,7 +862,7 @@
/* pwcheck daemon-authenticated login */
-static int pwcheck_verify_password(sasl_conn_t *conn,
+static int pwcheck_verify_password(sasl_conn_t *conn __attribute__((unused)),
const char *userid,
const char *passwd,
const char *service __attribute__((unused)),
@@ -853,8 +877,10 @@
static char response[1024];
int start, n;
char pwpath[1024];
+#if 0 /* Not used */
sasl_getopt_t *getopt;
void *context;
+#endif
if (reply) { *reply = NULL; }
@@ -902,6 +928,260 @@
#endif
+#ifdef HAVE_MYSQL
+/* DMZ mysql auth 12/29/1999
+ * Updated to 1.5.24 by SWH 09/12/2000
+ */
+#ifdef USE_CRYPT_PASSWORD
+#define QUERY_STRING "select %s from %s where %s = '%s' and %s = password('%s')"
+#else
+#define QUERY_STRING "select %s from %s where %s = '%s' and %s = '%s'"
+#endif
+
+static int mysql_verify_password(sasl_conn_t *conn,
+ const char *userid,
+ const char *password,
+ const char *service __attribute__((unused)),
+ const char *user_realm __attribute__((unused)),
+ const char **reply)
+{
+ unsigned int numrows;
+ MYSQL mysql,*sock;
+ MYSQL_RES *result;
+ char qbuf[300];
+ char *db_user="",
+ *db_passwd="",
+ *db_host="",
+ *db_uidcol="",
+ *db_pwcol="",
+ *db_database="",
+ *db_table="";
+ sasl_getopt_t *getopt;
+ void *context;
+
+ if (!userid || !password) {
+ return SASL_BADPARAM;
+ }
+ if (reply) { *reply = NULL; }
+
+ /* check to see if the user configured a mysqluser/passwd/host/etc */
+ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
+ getopt(context, NULL, "mysql_user", (const char **) &db_user, NULL);
+ if (!db_user) db_user = "";
+ getopt(context, NULL, "mysql_passwd", (const char **) &db_passwd, NULL);
+ if (!db_passwd) db_passwd = "";
+ getopt(context, NULL, "mysql_host", (const char **) &db_host, NULL);
+ if (!db_host) db_host = "";
+ getopt(context, NULL, "mysql_database", (const char **) &db_database, NULL);
+ if (!db_database) db_database = "";
+ getopt(context, NULL, "mysql_table", (const char **) &db_table, NULL);
+ if (!db_table) db_table = "";
+ getopt(context, NULL, "mysql_uidcol", (const char **) &db_uidcol, NULL);
+ if (!db_uidcol) db_uidcol = "";
+ getopt(context, NULL, "mysql_pwdcol", (const char **) &db_pwcol, NULL);
+ if (!db_pwcol) db_pwcol = "";
+ }
+
+ if (!(sock = mysql_connect(&mysql,db_host,db_user,db_passwd)))
+ {
+ if (reply) { *reply = "cannot connect to MySQL server"; }
+ return SASL_FAIL;
+ }
+
+ if (mysql_select_db(sock,db_database) < 0)
+ {
+ mysql_close(sock);
+ if (reply) { *reply = "cannot select MySQL database"; }
+ return SASL_FAIL;
+ }
+ /* select DB_UIDCOL from DB_TABLE where DB_UIDCOL = 'userid' AND DB_PWCOL = password('password') */
+ sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password);
+ if (mysql_query(sock,qbuf) < 0 || !(result=mysql_store_result(sock)))
+ {
+ mysql_close(sock);
+ return SASL_FAIL;
+ }
+
+ if (result) //There were some rows found
+ {
+ if ((numrows = mysql_affected_rows(&mysql)) != 1)
+ {
+ mysql_free_result(result);
+ mysql_close(sock);
+ if ((numrows > 1) && (reply)) { *reply = "Detected duplicate entries for user"; }
+ return SASL_BADAUTH;
+ } else {
+ mysql_free_result(result);
+ mysql_close(sock);
+ return SASL_OK;
+ }
+ }
+ mysql_free_result(result);
+ mysql_close(sock);
+ return SASL_BADAUTH;
+}
+#endif /* HAVE_MYSQL */
+
+#ifdef HAVE_LDAP
+/* simon@surf.org.uk LDAP auth 07/11/2000
+ * Updated to 1.5.24 by SWH 09/12/2000
+ */
+
+#define LDAP_SERVER "localhost"
+#define LDAP_BASEDN "o=JOFA, c=UK"
+#define LDAP_UIDATTR "uid"
+
+#ifndef TRUE
+# define TRUE 1
+# define FALSE 0
+#endif
+
+static int ldap_isdigits(char *value)
+{
+ char *ptr;
+ int num = TRUE;
+
+ for (ptr = value; *ptr != '\0' && num != FALSE; ptr++) {
+ if (!isdigit(*ptr))
+ num = FALSE;
+ }
+
+ return num;
+}
+
+static int ldap_verify_password(sasl_conn_t *conn,
+ const char *userid,
+ const char *password,
+ const char *service __attribute__((unused)),
+ const char *user_realm __attribute__((unused)),
+ const char **reply)
+{
+
+ LDAP *ld;
+ LDAPMessage *result;
+ LDAPMessage *entry;
+ char *attrs[2];
+ char filter[200];
+ char *dn,
+ *ldap_server="",
+ *ldap_basedn="",
+ *ldap_uidattr="",
+ *port_num="";
+ int ldap_port = LDAP_PORT;
+ int count;
+ sasl_getopt_t *getopt;
+ void *context;
+
+ /* If the password is NULL, reject the login...
+ * Otherwise the bind will succed as a reference bind. Not good...
+ */
+ if (strcmp(password,"") == 0)
+ {
+ return SASL_BADPARAM;
+ }
+
+ if (reply) { *reply = NULL; }
+
+ /* check to see if the user configured a mysqluser/passwd/host/etc */
+ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
+ getopt(context, NULL, "ldap_server", (const char **) &ldap_server, NULL);
+ if (!ldap_server) ldap_server = LDAP_SERVER;
+ getopt(context, NULL, "ldap_basedn", (const char **) &ldap_basedn, NULL);
+ if (!ldap_basedn) {
+ if (reply) { *reply = "ldap_basedn not defined"; }
+ return SASL_BADPARAM;
+ }
+ getopt(context, NULL, "ldap_uidattr", (const char **) &ldap_uidattr, NULL);
+ if (!ldap_uidattr) ldap_uidattr = LDAP_UIDATTR;
+ getopt(context, NULL, "ldap_port", (const char **) &port_num, NULL);
+ if (!port_num) {
+ ldap_port = LDAP_PORT;
+ } else if (!ldap_isdigits(port_num)) {
+ if (reply) { *reply = "ldap_port - invalid value"; }
+ return SASL_BADPARAM;
+ } else {
+ ldap_port = atoi(port_num);
+ }
+ }
+
+ /* Open the LDAP connection. */
+ if ((ld = ldap_open(ldap_server, ldap_port)) == NULL)
+ {
+ if (reply) { *reply = "cannot connect to LDAP server"; }
+ return SASL_FAIL;
+ }
+
+ /* Bind anonymously so that you can find the DN of the appropriate user. */
+ if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS)
+ {
+ ldap_unbind(ld);
+ if (reply) { *reply = "cannot bind to LDAP server"; }
+ return SASL_FAIL;
+ }
+
+ /* Generate a filter that will return the entry with a matching UID */
+ sprintf(filter,"(%s=%s)", ldap_uidattr,userid);
+
+ /* Just return country...This doesn't actually matter, since we will
+ * not read the attributes and values, only the DN
+ */
+ attrs[0] = "c";
+ attrs[1] = NULL;
+
+ /* Perform the search... */
+ if (ldap_search_s(ld,ldap_basedn,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS )
+ {
+ ldap_unbind(ld);
+ return SASL_BADAUTH;
+ }
+
+ /* If the entry count is not equal to one, either the UID was not unique or
+ * there was no match
+ */
+ if ((count = ldap_count_entries(ld,result)) != 1)
+ {
+ ldap_msgfree(result);
+ ldap_unbind(ld);
+ if ((count > 1) && (reply)) { *reply = "Detected duplicate entries for user"; }
+ return SASL_BADAUTH;
+ }
+
+ /* Get the first entry */
+ if ((entry = ldap_first_entry(ld,result)) == NULL)
+ {
+ ldap_msgfree(result);
+ ldap_unbind(ld);
+ return SASL_BADAUTH;
+ }
+
+ /* Get the DN of the entry */
+ if ((dn = ldap_get_dn(ld,entry)) == NULL)
+ {
+ ldap_msgfree(entry);
+ ldap_unbind(ld);
+ return SASL_BADAUTH;
+ }
+
+ /* Now bind as the DN with the password supplied earlier...
+ * Successful bind means the password was correct, otherwise the
+ * password is invalid.
+ */
+ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS)
+ {
+ free(dn);
+ ldap_msgfree(entry);
+ ldap_unbind(ld);
+ return SASL_BADAUTH;
+ }
+
+ free(dn);
+ ldap_msgfree(entry);
+ ldap_unbind(ld);
+ return SASL_OK;
+}
+
+#endif /* HAVE_LDAP */
+
struct sasl_verify_password_s _sasl_verify_password[] = {
{ "sasldb", &sasldb_verify_password },
#ifdef HAVE_KRB
@@ -921,6 +1201,12 @@
#endif
#ifdef HAVE_PWCHECK
{ "pwcheck", &pwcheck_verify_password },
+#endif
+#ifdef HAVE_MYSQL
+ { "mysql", &mysql_verify_password },
+#endif
+#ifdef HAVE_LDAP
+ { "ldap", &ldap_verify_password },
#endif
{ NULL, NULL }
};
|
