author | ade <ade@FreeBSD.org> | 2000-09-19 10:59:29 +0800 |
---|---|---|
committer | ade <ade@FreeBSD.org> | 2000-09-19 10:59:29 +0800 |
commit | 4ab75079f09fe7eca9a35834f23b51c59cb275f8 (patch) | |
tree | fc770b9326b636307e91e472e776dd10f67d9fd4 /security/cyrus-sasl | |
parent | 12d9c087141a76967c82637f2e19b2c6eb49e73b (diff) | |
Cyrus-SASL 1.5.24 sources changed on Aug 15th
-- changed a hard coded value to a variable.
Kerberos IV detection fails due to double check on krb_mk_priv
(with/without com_err), used cached value from first check for krb_mk_priv.
Added additional pwcheck methods (MySQL & LDAP authentication).
PR: 21383
Submitted by: maintainer
Diffstat (limited to 'security/cyrus-sasl')
-rw-r--r-- | security/cyrus-sasl/Makefile | 34 | ||||
-rw-r--r-- | security/cyrus-sasl/distinfo | 2 | ||||
-rw-r--r-- | security/cyrus-sasl/files/Sendmail.README | 25 | ||||
-rw-r--r-- | security/cyrus-sasl/files/patch-ab | 113 | ||||
-rw-r--r-- | security/cyrus-sasl/files/patch-ag | 15 | ||||
-rw-r--r-- | security/cyrus-sasl/files/patch-ah | 9 | ||||
-rw-r--r-- | security/cyrus-sasl/files/patch-ai | 357 | ||||
-rw-r--r-- | security/cyrus-sasl/files/patch-aj | 46 | ||||
-rw-r--r-- | security/cyrus-sasl/files/patch-ak | 30 | ||||
-rw-r--r-- | security/cyrus-sasl/pkg-install | 30 | ||||
-rw-r--r-- | security/cyrus-sasl/pkg-message | 17 | ||||
-rw-r--r-- | security/cyrus-sasl/pkg-plist | 13 | ||||
-rw-r--r-- | security/cyrus-sasl/scripts/configure.sasl | 59 |
13 files changed, 728 insertions, 22 deletions
diff --git a/security/cyrus-sasl/Makefile b/security/cyrus-sasl/Makefile index f3005bb5f4e9..ae2a1b27b0db 100644 --- a/security/cyrus-sasl/Makefile +++ b/security/cyrus-sasl/Makefile @@ -7,6 +7,7 @@ PORTNAME= cyrus-sasl PORTVERSION= 1.5.24 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ \ ${MASTER_SITE_LOCAL} \ @@ -19,8 +20,6 @@ USE_OPENSSL= RSA INSTALLS_SHLIB= yes -.include <bsd.port.pre.mk> - Y2K= http://asg.web.cmu.edu/cyrus/imapd/y2k.html MAN3= sasl.3 sasl_authorize_t.3 sasl_callbacks.3 sasl_checkpass.3 \ @@ -32,8 +31,11 @@ MAN3= sasl.3 sasl_authorize_t.3 sasl_callbacks.3 sasl_checkpass.3 \ sasl_setprop.3 sasl_usererr.3 MAN8= sasldblistusers.8 saslpasswd.8 -USE_AUTOCONF= YES +USE_AUTOMAKE= YES USE_LIBTOOL= YES +AUTOHEADER= autoheader +AUTOMAKE= automake --add-missing --include-deps + CONFIGURE_ARGS= --sysconfdir=${PREFIX}/etc \ --with-plugindir=${PREFIX}/lib/sasl \ --with-dbpath=${PREFIX}/etc/sasldb \ @@ -43,7 +45,12 @@ CONFIGURE_ARGS= --sysconfdir=${PREFIX}/etc \ --with-pwcheck=/var/pwcheck \ --with-rc4=openssl -# JavaSASL is currently Broken +SCRIPTS_ENV= WRKDIRPREFIX="${WRKDIRPREFIX}" \ + PREFIX="${PREFIX}" \ + TOUCH="${TOUCH}" \ + MKDIR="${MKDIR}" + +# JavaSASL needs someone to look at to get it to build #JAVADIR= jdk1.1.8 #JAVALIBDIR= ${PREFIX}/${JAVADIR}/lib/i386/green_threads/ @@ -93,12 +100,18 @@ PLIST_SUB= PREFIX=${PREFIX} \ EBONES=${EBONES} \ NOPORTDOCS=${NODOCS} +pre-fetch: + @${SETENV} ${SCRIPTS_ENV} ${SH} ${SCRIPTDIR}/configure.sasl + +pre-configure: + @(cd ${WRKSRC} && ${AUTOHEADER}) + # Create Cyrus user and group pre-install: @${SH} ${PKGDIR}/INSTALL ${PKGNAME} PRE-INSTALL post-install: - @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \ + @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \ > ${PREFIX}/etc/rc.d/pwcheck.sh @${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh ${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck 
@@ -110,20 +123,19 @@ post-install: .for file in ${DOC2} @${INSTALL_DATA} ${WRKSRC}/doc/${file} ${PREFIX}/share/doc/SASL .endfor + @${INSTALL_DATA} ${FILESDIR}/Sendmail.README ${PREFIX}/share/doc .for file in ${HTDOCS} @${INSTALL_DATA} ${WRKSRC}/doc/${file}.html ${PREFIX}/share/doc/SASL/html .endfor .endif + @PKG_PREFIX=${PREFIX} BATCH=${BATCH} ${SH} ${PKGDIR}/INSTALL ${PKGNAME} POST-INSTALL + @${CAT} ${PKGMESSAGE} -.if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc) post-clean: @${RM} -f ${WRKDIRPREFIX}${.CURDIR}/Makefile.inc +.if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc) .include "${WRKDIRPREFIX}${.CURDIR}/Makefile.inc" -.elif ${PREFIX} != ${LOCALBASE} -# Save PREFIX so that it can be used during make install -.BEGIN: - @echo "PREFIX= ${PREFIX}" > ${WRKDIRPREFIX}${.CURDIR}/Makefile.inc .endif -.include <bsd.port.post.mk> +.include <bsd.port.mk> diff --git a/security/cyrus-sasl/distinfo b/security/cyrus-sasl/distinfo index 6981d65ce1b0..c21d945c6267 100644 --- a/security/cyrus-sasl/distinfo +++ b/security/cyrus-sasl/distinfo @@ -1 +1 @@ -MD5 (cyrus-sasl-1.5.24.tar.gz) = aedc0f8b594e2a13503b375ed78f62b7 +MD5 (cyrus-sasl-1.5.24.tar.gz) = ac3837c071c258b80021325936db2583 diff --git a/security/cyrus-sasl/files/Sendmail.README b/security/cyrus-sasl/files/Sendmail.README new file mode 100644 index 000000000000..7063c93e90e8 --- /dev/null +++ b/security/cyrus-sasl/files/Sendmail.README 
@@ -0,0 +1,25 @@
+How to enable SMTP AUTH with FreeBSD default Sendmail 8.11
+
+1. Edit /usr/src/usr.sbin/sendmail/Makefile, and change the line:
+
+ LDADD= -lutil -lwrap
+into
+ LDADD+= -lutil -lwrap
+
+ NOTE: This change is in 5.0-CURRENT and will be MFC'd to
+ 4.1-STABLE later.
+
+2) Add the following to /etc/make.conf:
+
+# Add SMTP AUTH support to Sendmail
+.if ${.CURDIR} == "/usr/src/usr.sbin/sendmail"
+CFLAGS+=-DSASL -I/usr/local/include/sasl -L/usr/local/lib
+LDADD+=-lsasl
+.endif
+
+3) Rebuild FreeBSD (make buildworld, ...)
+
+4) Create /usr/local/lib/sasl/Sendmail.conf with the following.
+
+ pwcheck_method: pwcheck
+
diff --git a/security/cyrus-sasl/files/patch-ab b/security/cyrus-sasl/files/patch-ab
index 797e5ef3a899..1acd48d34144 100644
--- a/security/cyrus-sasl/files/patch-ab
+++ b/security/cyrus-sasl/files/patch-ab
@@ -1,5 +1,5 @@
---- configure.in.orig Thu Aug 3 14:34:08 2000
-+++ configure.in Thu Aug 3 14:39:24 2000
+--- configure.in.orig Thu Jul 20 21:35:01 2000
++++ configure.in Sat Sep 16 13:58:02 2000
 @@ -66,8 +66,9 @@
 dnl check for -R, etc. switch
 CMU_GUESS_RUNPATH_SWITCH
@@ -12,3 +12,112 @@ AM_DISABLE_STATIC +@@ -310,6 +311,88 @@ + fi + AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no) + ++dnl MySQL ++AC_ARG_WITH(mysql, [ --with-mysql=PATH enable authentication from MySQL database [no] ], ++ with_mysql=$withval, ++ with_mysql=no) ++ ++if test -z "$with_mysql"; then ++ for mysqlloc in lib/mysql lib ++ do ++ if test -f ${prefix}/${mysqlloc}/libmysqlclient.a; then ++ with_mysql="${prefix}" ++ break ++ elif test -f /usr/local/${mysqlloc}/libmysqlclient.a; then ++ with_mysql="/usr/local" ++ break ++ elif test -f /usr/${mysqlloc}/libmysqlclient.a; then ++ with_mysql="/usr" ++ break ++ fi ++ done ++fi ++ ++LIB_MYSQL="" ++case "$with_mysql" in ++ no) true;; ++ ""|yes) AC_CHECK_LIB(mysqlclient, mysql_select_db, ++ AC_DEFINE(HAVE_MYSQL) ++ LIB_MYSQL="-lmysqlclient", ++ with_mysql=no);; ++ *) if test -d ${with_mysql}/include/mysql; then ++ CPPFLAGS="$CPPFLAGS -I${with_mysql}/include/mysql" ++ else ++ CPPFLAGS="$CPPFLAGS -I${with_mysql}/include" ++ fi ++ if test -d ${with_mysql}/lib/mysql; then ++ LDFLAGS="$LDFLAGS -L${with_mysql}/lib/mysql" ++ fi ++ AC_DEFINE(HAVE_MYSQL) ++ LIB_MYSQL="-lmysqlclient";; ++esac ++AC_SUBST(LIB_MYSQL) ++ ++dnl LDAP ++AC_ARG_WITH(ldap, [ --with-ldap=PATH enable authentication from LDAP [no] ], ++ with_ldap=$withval, ++ with_ldap=no) ++ ++if test -z "$with_ldap"; then ++ for ldaploc in lib/ldap lib ++ do ++ if test -f ${prefix}/${ldaploc}/libldap.a; then ++ with_ldap="${prefix}" ++ break ++ elif test -f /usr/local/${ldaploc}/libldap.a; then ++ with_ldap="/usr/local" ++ break ++ elif test -f /usr/${ldaploc}/libldap.a; then ++ with_ldap="/usr" ++ break ++ fi ++ done ++fi ++ ++LIB_LDAP="" ++case "$with_ldap" in ++ no) true;; ++ ""|yes) AC_CHECK_LIB(ldap, ldap_open, ++ AC_DEFINE(HAVE_LDAP) ++ LIB_LDAP="-lldap -llber", ++ with_ldap=no);; ++ *) if test -d ${with_ldap}/include/ldap; then ++ CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include/ldap" ++ else ++ CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include" ++ fi ++ if test -d 
${with_ldap}/lib/ldap; then ++ LDFLAGS="$LDFLAGS -L${with_ldap}/lib/ldap" ++ fi ++ AC_DEFINE(HAVE_LDAP) ++ LIB_LDAP="-lldap -llber";; ++esac ++AC_SUBST(LIB_LDAP) ++ + dnl CRAM-MD5 + AC_ARG_ENABLE(cram, [ --enable-cram enable CRAM-MD5 authentication [yes] ], + cram=$enableval, +@@ -434,11 +517,15 @@ + fi + + if test "$with_des" != no; then ++ case "$host_os" in ++ freebsd*) ++ COM_ERR="-lcom_err" ++ ;; ++ esac + AC_CHECK_HEADER(krb.h, +- AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="", +- AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="-lcom_err", +- AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err), +- -ldes), ++ AC_CHECK_LIB(krb, krb_mk_priv,:, ++ AC_WARN(No Kerberos V4 found); krb4=no, ++ -ldes $COM_ERR), + AC_WARN(No Kerberos V4 found); krb4=no) + else + AC_WARN(No DES library found for Kerberos V4 support) diff --git a/security/cyrus-sasl/files/patch-ag b/security/cyrus-sasl/files/patch-ag new file mode 100644 index 000000000000..591a08e66ab5 --- /dev/null +++ b/security/cyrus-sasl/files/patch-ag @@ -0,0 +1,15 @@ +--- acconfig.h.orig Wed Jul 5 11:59:25 2000 ++++ acconfig.h Fri Sep 15 20:56:28 2000 +@@ -84,6 +84,12 @@ + /* do we have PAM for plaintext password checking? */ + #undef HAVE_PAM + ++/* do we have MySQL for plaintext password checking? */ ++#undef HAVE_MYSQL ++ ++/* do we have LDAP for plaintext password checking? */ ++#undef HAVE_LDAP ++ + /* what flavor of GSSAPI are we using? */ + #undef HAVE_GSS_C_NT_HOSTBASED_SERVICE + diff --git a/security/cyrus-sasl/files/patch-ah b/security/cyrus-sasl/files/patch-ah new file mode 100644 index 000000000000..deb47e550737 --- /dev/null +++ b/security/cyrus-sasl/files/patch-ah 
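Review bot: In the `*)` branches of the new `case "$with_mysql"` and `case "$with_ldap"` blocks — the path the port actually takes, since configure.sasl passes `--with-mysql=${PREFIX}` and `--with-ldap=${PREFIX}` — `AC_DEFINE(HAVE_MYSQL)` / `AC_DEFINE(HAVE_LDAP)` and the `-l` flags are set without any `AC_CHECK_LIB`, so a missing or mismatched client library is only noticed when libsasl fails to link instead of at configure time. After the CPPFLAGS/LDFLAGS adjustments, probe the library and fail early, e.g. `AC_CHECK_LIB(mysqlclient, mysql_select_db, AC_DEFINE(HAVE_MYSQL) LIB_MYSQL="-lmysqlclient", AC_MSG_ERROR([libmysqlclient not found under ${with_mysql}]))`, and the same for `ldap`/`ldap_open` with `-llber` as the extra library. The `if test -z "$with_mysql"` and `if test -z "$with_ldap"` autodetection loops are dead as written, because the `AC_ARG_WITH` default leaves the variable at `no`; either drop them or run them from the `""|yes)` arm.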
@@ -0,0 +1,9 @@
+--- lib/Makefile.am.orig Thu Jul 20 21:35:02 2000
++++ lib/Makefile.am Fri Sep 15 20:56:28 2000
+@@ -53,5 +53,5 @@
+ EXTRA_libsasl_la_SOURCES = db_none.c db_ndbm.c db_gdbm.c db_berkeley.c db_testw32.c
+ libsasl_la_LDFLAGS = -version-info $(sasl_version)
+ libsasl_la_DEPENDENCIES = $(SASL_DB_BACKEND) @LTLIBOBJS@
+-libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS)
++libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) ${LIB_LDAP} ${LIB_MYSQL}
+ # PLAIN_LIBS are linked in for sasl_checkpass
diff --git a/security/cyrus-sasl/files/patch-ai b/security/cyrus-sasl/files/patch-ai
new file mode 100644
index 000000000000..a630c2ca8d67
--- /dev/null
+++ b/security/cyrus-sasl/files/patch-ai
@@ -0,0 +1,357 @@ +--- lib/checkpw.c.orig Wed Jul 19 20:24:13 2000 ++++ lib/checkpw.c Sat Sep 16 21:07:33 2000 +@@ -95,10 +95,19 @@ + #include <sys/un.h> + #ifdef HAVE_UNISTD_H + #include <unistd.h> +-#endif ++#endif /* HAVE_UNISTD_H */ + + extern int errno; +-#endif ++#endif /* HAVE_PWCHECK */ ++ ++#ifdef HAVE_MYSQL ++#include <mysql.h> ++#endif /* HAVE_MYSQL */ ++ ++#ifdef HAVE_LDAP ++#include <lber.h> ++#include <ldap.h> ++#endif /* HAVE_LDAP */ + + #ifdef HAVE_KRB + +@@ -170,12 +179,20 @@ + memcpy (&temp_key, "kerberos", 8); + des_fixup_key_parity (&temp_key); + des_key_sched (&temp_key, schedule); ++#ifdef __FreeBSD__ ++ des_cbc_cksum ((const unsigned char *)password, &ivec, passlen, schedule, &ivec); ++#else + des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec); ++#endif + + memcpy (&temp_key, &ivec, sizeof temp_key); + des_fixup_key_parity (&temp_key); + des_key_sched (&temp_key, schedule); ++#ifdef __FreeBSD__ ++ des_cbc_cksum ((const unsigned char *)password, key, passlen, schedule, &ivec); ++#else + des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec); ++#endif + + des_fixup_key_parity (key); + +@@ -210,10 +227,17 @@ + return (str); + } + ++#ifdef __FreeBSD__ ++static int use_key(const char *user __attribute__((unused)), ++ char *instance __attribute__((unused)), ++ const char *realm __attribute__((unused)), ++ const void *key, des_cblock *returned_key) ++#else + static int use_key(char *user __attribute__((unused)), + char *instance __attribute__((unused)), + char *realm __attribute__((unused)), + void *key, des_cblock *returned_key) ++#endif + { + memcpy (returned_key, key, sizeof(des_cblock)); + return 0; +@@ -838,7 +862,7 @@ + + + /* pwcheck daemon-authenticated login */ +-static int pwcheck_verify_password(sasl_conn_t *conn, ++static int pwcheck_verify_password(sasl_conn_t *conn __attribute__((unused)), + const char *userid, + const char *passwd, + const char *service __attribute__((unused)), +@@ -853,8 +877,10 @@ 
+ static char response[1024]; + int start, n; + char pwpath[1024]; ++#if 0 /* Not used */ + sasl_getopt_t *getopt; + void *context; ++#endif + + if (reply) { *reply = NULL; } + +@@ -902,6 +928,260 @@ + + #endif + ++#ifdef HAVE_MYSQL ++/* DMZ mysql auth 12/29/1999 ++ * Updated to 1.5.24 by SWH 09/12/2000 ++ */ ++#ifdef USE_CRYPT_PASSWORD ++#define QUERY_STRING "select %s from %s where %s = '%s' and %s = password('%s')" ++#else ++#define QUERY_STRING "select %s from %s where %s = '%s' and %s = '%s'" ++#endif ++ ++static int mysql_verify_password(sasl_conn_t *conn, ++ const char *userid, ++ const char *password, ++ const char *service __attribute__((unused)), ++ const char *user_realm __attribute__((unused)), ++ const char **reply) ++{ ++ unsigned int numrows; ++ MYSQL mysql,*sock; ++ MYSQL_RES *result; ++ char qbuf[300]; ++ char *db_user="", ++ *db_passwd="", ++ *db_host="", ++ *db_uidcol="", ++ *db_pwcol="", ++ *db_database="", ++ *db_table=""; ++ sasl_getopt_t *getopt; ++ void *context; ++ ++ if (!userid || !password) { ++ return SASL_BADPARAM; ++ } ++ if (reply) { *reply = NULL; } ++ ++ /* check to see if the user configured a mysqluser/passwd/host/etc */ ++ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) { ++ getopt(context, NULL, "mysql_user", (const char **) &db_user, NULL); ++ if (!db_user) db_user = ""; ++ getopt(context, NULL, "mysql_passwd", (const char **) &db_passwd, NULL); ++ if (!db_passwd) db_passwd = ""; ++ getopt(context, NULL, "mysql_host", (const char **) &db_host, NULL); ++ if (!db_host) db_host = ""; ++ getopt(context, NULL, "mysql_database", (const char **) &db_database, NULL); ++ if (!db_database) db_database = ""; ++ getopt(context, NULL, "mysql_table", (const char **) &db_table, NULL); ++ if (!db_table) db_table = ""; ++ getopt(context, NULL, "mysql_uidcol", (const char **) &db_uidcol, NULL); ++ if (!db_uidcol) db_uidcol = ""; ++ getopt(context, NULL, "mysql_pwdcol", (const char **) &db_pwcol, NULL); ++ if 
(!db_pwcol) db_pwcol = ""; ++ } ++ ++ if (!(sock = mysql_connect(&mysql,db_host,db_user,db_passwd))) ++ { ++ if (reply) { *reply = "cannot connect to MySQL server"; } ++ return SASL_FAIL; ++ } ++ ++ if (mysql_select_db(sock,db_database) < 0) ++ { ++ mysql_close(sock); ++ if (reply) { *reply = "cannot select MySQL database"; } ++ return SASL_FAIL; ++ } ++ /* select DB_UIDCOL from DB_TABLE where DB_UIDCOL = 'userid' AND DB_PWCOL = password('password') */ ++ sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password); ++ if (mysql_query(sock,qbuf) < 0 || !(result=mysql_store_result(sock))) ++ { ++ mysql_close(sock); ++ return SASL_FAIL; ++ } ++ ++ if (result) //There were some rows found ++ { ++ if ((numrows = mysql_affected_rows(&mysql)) != 1) ++ { ++ mysql_free_result(result); ++ mysql_close(sock); ++ if ((numrows > 1) && (reply)) { *reply = "Detected duplicate entries for user"; } ++ return SASL_BADAUTH; ++ } else { ++ mysql_free_result(result); ++ mysql_close(sock); ++ return SASL_OK; ++ } ++ } ++ mysql_free_result(result); ++ mysql_close(sock); ++ return SASL_BADAUTH; ++} ++#endif /* HAVE_MYSQL */ ++ ++#ifdef HAVE_LDAP ++/* simon@surf.org.uk LDAP auth 07/11/2000 ++ * Updated to 1.5.24 by SWH 09/12/2000 ++ */ ++ ++#define LDAP_SERVER "localhost" ++#define LDAP_BASEDN "o=JOFA, c=UK" ++#define LDAP_UIDATTR "uid" ++ ++#ifndef TRUE ++# define TRUE 1 ++# define FALSE 0 ++#endif ++ ++static int ldap_isdigits(char *value) ++{ ++ char *ptr; ++ int num = TRUE; ++ ++ for (ptr = value; *ptr != '\0' && num != FALSE; ptr++) { ++ if (!isdigit(*ptr)) ++ num = FALSE; ++ } ++ ++ return num; ++} ++ ++static int ldap_verify_password(sasl_conn_t *conn, ++ const char *userid, ++ const char *password, ++ const char *service __attribute__((unused)), ++ const char *user_realm __attribute__((unused)), ++ const char **reply) ++{ ++ ++ LDAP *ld; ++ LDAPMessage *result; ++ LDAPMessage *entry; ++ char *attrs[2]; ++ char filter[200]; ++ char *dn, ++ *ldap_server="", ++ 
*ldap_basedn="", ++ *ldap_uidattr="", ++ *port_num=""; ++ int ldap_port = LDAP_PORT; ++ int count; ++ sasl_getopt_t *getopt; ++ void *context; ++ ++ /* If the password is NULL, reject the login... ++ * Otherwise the bind will succed as a reference bind. Not good... ++ */ ++ if (strcmp(password,"") == 0) ++ { ++ return SASL_BADPARAM; ++ } ++ ++ if (reply) { *reply = NULL; } ++ ++ /* check to see if the user configured a mysqluser/passwd/host/etc */ ++ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) { ++ getopt(context, NULL, "ldap_server", (const char **) &ldap_server, NULL); ++ if (!ldap_server) ldap_server = LDAP_SERVER; ++ getopt(context, NULL, "ldap_basedn", (const char **) &ldap_basedn, NULL); ++ if (!ldap_basedn) { ++ if (reply) { *reply = "ldap_basedn not defined"; } ++ return SASL_BADPARAM; ++ } ++ getopt(context, NULL, "ldap_uidattr", (const char **) &ldap_uidattr, NULL); ++ if (!ldap_uidattr) ldap_uidattr = LDAP_UIDATTR; ++ getopt(context, NULL, "ldap_port", (const char **) &port_num, NULL); ++ if (!port_num) { ++ ldap_port = LDAP_PORT; ++ } else if (!ldap_isdigits(port_num)) { ++ if (reply) { *reply = "ldap_port - invalid value"; } ++ return SASL_BADPARAM; ++ } else { ++ ldap_port = atoi(port_num); ++ } ++ } ++ ++ /* Open the LDAP connection. */ ++ if ((ld = ldap_open(ldap_server, ldap_port)) == NULL) ++ { ++ if (reply) { *reply = "cannot connect to LDAP server"; } ++ return SASL_FAIL; ++ } ++ ++ /* Bind anonymously so that you can find the DN of the appropriate user. 
*/ ++ if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS) ++ { ++ ldap_unbind(ld); ++ if (reply) { *reply = "cannot bind to LDAP server"; } ++ return SASL_FAIL; ++ } ++ ++ /* Generate a filter that will return the entry with a matching UID */ ++ sprintf(filter,"(%s=%s)", ldap_uidattr,userid); ++ ++ /* Just return country...This doesn't actually matter, since we will ++ * not read the attributes and values, only the DN ++ */ ++ attrs[0] = "c"; ++ attrs[1] = NULL; ++ ++ /* Perform the search... */ ++ if (ldap_search_s(ld,ldap_basedn,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS ) ++ { ++ ldap_unbind(ld); ++ return SASL_BADAUTH; ++ } ++ ++ /* If the entry count is not equal to one, either the UID was not unique or ++ * there was no match ++ */ ++ if ((count = ldap_count_entries(ld,result)) != 1) ++ { ++ ldap_msgfree(result); ++ ldap_unbind(ld); ++ if ((count > 1) && (reply)) { *reply = "Detected duplicate entries for user"; } ++ return SASL_BADAUTH; ++ } ++ ++ /* Get the first entry */ ++ if ((entry = ldap_first_entry(ld,result)) == NULL) ++ { ++ ldap_msgfree(result); ++ ldap_unbind(ld); ++ return SASL_BADAUTH; ++ } ++ ++ /* Get the DN of the entry */ ++ if ((dn = ldap_get_dn(ld,entry)) == NULL) ++ { ++ ldap_msgfree(entry); ++ ldap_unbind(ld); ++ return SASL_BADAUTH; ++ } ++ ++ /* Now bind as the DN with the password supplied earlier... ++ * Successful bind means the password was correct, otherwise the ++ * password is invalid. 
++ */ ++ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) ++ { ++ free(dn); ++ ldap_msgfree(entry); ++ ldap_unbind(ld); ++ return SASL_BADAUTH; ++ } ++ ++ free(dn); ++ ldap_msgfree(entry); ++ ldap_unbind(ld); ++ return SASL_OK; ++} ++ ++#endif /* HAVE_LDAP */ ++ + struct sasl_verify_password_s _sasl_verify_password[] = { + { "sasldb", &sasldb_verify_password }, + #ifdef HAVE_KRB +@@ -921,6 +1201,12 @@ + #endif + #ifdef HAVE_PWCHECK + { "pwcheck", &pwcheck_verify_password }, ++#endif ++#ifdef HAVE_MYSQL ++ { "mysql", &mysql_verify_password }, ++#endif ++#ifdef HAVE_LDAP ++ { "ldap", &ldap_verify_password }, + #endif + { NULL, NULL } + }; diff --git a/security/cyrus-sasl/files/patch-aj b/security/cyrus-sasl/files/patch-aj new file mode 100644 index 000000000000..569384a100d4 --- /dev/null +++ b/security/cyrus-sasl/files/patch-aj 
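Review bot: `mysql_verify_password` splices the client-supplied userid and password straight into the SQL text with `sprintf(qbuf, QUERY_STRING, ...)` — no escaping and no bound on the 300-byte stack buffer — so a PLAIN login whose userid is of the form `x' OR '1'='1` rewrites the WHERE clause (the "exactly one row" check does not help, as an injected predicate can be written to match one row) and an oversized credential overruns `qbuf`; `ldap_verify_password` has the same shape with `sprintf(filter, "(%s=%s)", ...)` into `filter[200]`. Escape and bound both values before formatting, as below, and for the LDAP side reject filter metacharacters (or RFC 2254-escape them) with `if (strlen(userid) > 64 || strpbrk(userid, "*()\\") != NULL) return SASL_BADAUTH;` followed by `snprintf(filter, sizeof(filter), "(%s=%s)", ldap_uidattr, userid);`. Note also that `mysql_query()` and `mysql_select_db()` report failure with a non-zero, not negative, return, so the `< 0` tests never fire, and that the LDAP entry point passes `password` to `strcmp` before checking it for NULL, unlike the MySQL one. Both backends appear to hand the user's cleartext password to the backend server over a plain `ldap_open`/`mysql_connect` session (and into MySQL's query log via the statement text), which deserves a sentence in sysadmin.html.
```c
#define MAX_CRED_LEN 64		/* longest userid/password accepted here */

    /* … unchanged: existing declarations … */
    unsigned int ulen, plen;
    char esc_user[2 * MAX_CRED_LEN + 1], esc_pass[2 * MAX_CRED_LEN + 1];

    /* … unchanged: option lookup, mysql_connect(), mysql_select_db() … */

    /* userid and password arrive straight from the SASL exchange: bound
     * them, neutralise quote/backslash characters, and never let the
     * formatted statement exceed qbuf. */
    ulen = strlen(userid);
    plen = strlen(password);
    if (ulen > MAX_CRED_LEN || plen > MAX_CRED_LEN) {
	mysql_close(sock);
	if (reply) { *reply = "userid or password too long"; }
	return SASL_BADAUTH;
    }
    mysql_escape_string(esc_user, userid, ulen);
    mysql_escape_string(esc_pass, password, plen);
    if (snprintf(qbuf, sizeof(qbuf), QUERY_STRING,
		 db_uidcol, db_table, db_uidcol, esc_user,
		 db_pwcol, esc_pass) >= (int) sizeof(qbuf)) {
	mysql_close(sock);
	if (reply) { *reply = "MySQL query too long"; }
	return SASL_FAIL;
    }
    /* mysql_query() returns non-zero, not negative, on error */
    if (mysql_query(sock, qbuf) != 0 || !(result = mysql_store_result(sock)))
    /* … unchanged: row-count check and cleanup … */
```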
@@ -0,0 +1,46 @@ +--- doc/sysadmin.html.orig Wed Jul 12 21:59:51 2000 ++++ doc/sysadmin.html Fri Sep 15 20:56:28 2000 +@@ -171,6 +171,43 @@ + <dt><i>pwcheck</i><dd> checks passwords with the use of a seperate, + helper daemon. <b>needs to be documented.</b><p> + ++<dt><i>mysql</i><dd> A MySQL database can be used for plaintext ++ password checking by setting "pwcheck_method" to "mysql".<p> ++ ++ <p>The following SASL options are used for MySQL Authentication:<p> ++ ++ <dl> ++ <dd>mysql_user: <user></dd> ++ <dd>mysql_passwd: <cleartext pw></dd> ++ <dd>mysql_host: <host></dd> ++ <dd>mysql_database: <database></dd> ++ <dd>mysql_table: <table></dd> ++ <dd>mysql_uidcol: <username col></dd> ++ <dd>mysql_pwdcol: <password col></dd> ++ </dl> ++ ++ <p>MySQL pwcheck_method created by <a href="mailto:dmz@dmzs.com">David Matthew Zendzian</a> ++ the original patch may be found at <a href="http://www.dmzs.com/~dmz/projects/cyrus/">http://www.dmzs.com/~dmz/projects/cyrus/</a>.<p> ++ ++<dt><i>ldap</i><dd> A LDAP server can be used for plaintext password ++ checking by setting "pwcheck_method" to "ldap".<p> ++ ++ <p>The following SASL options are used for LDAP Authentication:<p> ++ ++ <dl> ++ <dd>ldap_server: <LDAP Server [localhost]> ++ <dd>ldap_basedn: <LDAP base dn> ++ <dd>ldap_uidattr: <LDAP uid attribute [uid]> ++ <dd>ldap_port: <LDAP port [389]> ++ </dl> ++ ++ <p>It is a requirement that "ldap_basedn" be set to the appropriate ++ value for your site<br> ++ (ex. ldap_basedn: o=surf, c=UK)<p> ++ ++ <p>LDAP pwcheck_method created by <a href="mailto:simon@surf.org.uk">Simon@surf.org.uk</a> ++ the original patch may be found at <a href="http://www.surf.org.uk/">http://www.surf.org.uk/</a>.<p> ++ + <dt><i>write your own</i><dd> Last, but not least, the most flexible + method of authentication for PLAIN is to write your own. If you do + so, any application that calls the "<tt>sasl_checkpass()</tt>" 
diff --git a/security/cyrus-sasl/files/patch-ak b/security/cyrus-sasl/files/patch-ak new file mode 100644 index 000000000000..ecbd20ca3239 --- /dev/null +++ b/security/cyrus-sasl/files/patch-ak @@ -0,0 +1,30 @@ +--- plugins/kerberos4.c.orig Wed Apr 19 11:18:48 2000 ++++ plugins/kerberos4.c Sat Sep 16 18:49:20 2000 +@@ -696,8 +696,13 @@ + + /* decrypt; verify checksum */ + ++#ifdef __FreeBSD__ ++ des_pcbc_encrypt((const unsigned char *)in, ++ (unsigned char *)in, ++#else + des_pcbc_encrypt((des_cblock *)in, + (des_cblock *)in, ++#endif + clientinlen, + text->init_keysched, + &text->session, +@@ -1192,8 +1197,13 @@ + } + sout[len]=0; + ++#ifdef __FreeBSD__ ++ des_pcbc_encrypt((const unsigned char *)sout, ++ (unsigned char *)sout, ++#else + des_pcbc_encrypt((des_cblock *)sout, + (des_cblock *)sout, ++#endif + len, + text->init_keysched, + (des_cblock *)text->session, diff --git a/security/cyrus-sasl/pkg-install b/security/cyrus-sasl/pkg-install index d008d0c8ac5a..b3b0fa2cdd31 100644 --- a/security/cyrus-sasl/pkg-install +++ b/security/cyrus-sasl/pkg-install @@ -7,11 +7,15 @@ #set -vx +PKG_BATCH=${BATCH:=NO} + +PKG_PREFIX=${PKG_PREFIX:=/usr/local} + # # create 'cyrus' user and group before installing # -create() { +create_user() { if [ ! -x /usr/sbin/pw ]; then echo "*** Please add a user and a group named \`cyrus' before installing this package." exit 69 @@ -65,9 +69,31 @@ create() { fi } +create_sasldb() { + if [ ! -f ${PGK_PREFIX}/etc/sasldb.db ]; then + touch ${PGK_PREFIX}/etc/sasldb.db + chown cyrus:mail ${PGK_PREFIX}/etc/sasldb.db + chmod 640 ${PGK_PREFIX}/etc/sasldb.db + fi +} + +# This should really be installed by Sendmail + +sendmail_conf() { + if [ ! -f ${PKG_PREFIX}/lib/sasl/Sendmail.conf ]; then + echo "pwcheck_method: pwcheck" > ${PKG_PREFIX}/lib/sasl/Sendmail.conf + fi +} + case $2 in PRE-INSTALL) - create + create_user + ;; + POST-INSTALL) + if [ "${PKG_BATCH}" = "NO" ]; then + create_sasldb + sendmail_conf + fi ;; esac 
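Review bot: `create_sasldb` spells the variable `PGK_PREFIX` in all three places, and since only `PKG_PREFIX` is defined the paths collapse to `/etc/sasldb.db`, so the file is created (cyrus:mail, 0640) in the base system's /etc rather than under `${PKG_PREFIX}/etc`, which is where the port's `--with-dbpath=${PREFIX}/etc/sasldb` and the pkg-plist `@unexec` cleanup look for it. Change the three occurrences to `${PKG_PREFIX}/etc/sasldb.db`. The script also runs as root without `set -e`, so a failed `chown` or `chmod` leaves the file with the wrong owner or mode and still reports success; `chown cyrus:mail "$db" && chmod 640 "$db"` with an exit on failure is safer. The group `mail` here, against `cyrus:cyrus` for /var/pwcheck in the same commit, looks deliberate (presumably so Sendmail can read the database) but is undocumented — a one-line comment stating why would help the next maintainer.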
diff --git a/security/cyrus-sasl/pkg-message b/security/cyrus-sasl/pkg-message index 6f87cd3c393b..1016d9655c5a 100644 --- a/security/cyrus-sasl/pkg-message +++ b/security/cyrus-sasl/pkg-message @@ -1,4 +1,15 @@ -Start the pwcheck program to have clients use the SASL libraries -as a non-root user: +PREFIX/etc/cyrusdb.db now needs to be created +before applications that depend on SASL are used. - /usr/local/etc/rc.d/pwcheck.sh [start|stop] + su cyrus + PREFIX/sbin/saslpasswd -c userid + +You will also need to start the pwcheck daemon: + + PREFIX/etc/rc.d/pwcheck.sh start + +Read the documentation in PREFIX/share/doc/SASL + +How to enable SMTP AUTH with system Sendmail 8.11 - Sendmail.README + +How to use LDAP or MySQL for passwords - see html/sysadmin.html diff --git a/security/cyrus-sasl/pkg-plist b/security/cyrus-sasl/pkg-plist index 8d412ca78221..dbb7a8d31995 100644 --- a/security/cyrus-sasl/pkg-plist +++ b/security/cyrus-sasl/pkg-plist @@ -1,5 +1,7 @@ @unexec %D/etc/rc.d/pwcheck.sh stop ; echo "pwcheck stopped." etc/rc.d/pwcheck.sh +@comment remove ../etc/sasldb.db only if it exists and has a zero size. +@unexec [ -f %D/etc/sasldb.db -a ! -s %D/etc/sasldb.db ] && rm %D/etc/sasldb.db include/sasl/hmac-md5.h include/sasl/md5.h include/sasl/md5global.h @@ -31,7 +33,10 @@ lib/sasl/liblogin.so.0 lib/sasl/libplain.a lib/sasl/libplain.so lib/sasl/libplain.so.1 -@dirrm lib/sasl +@comment Sendmail.conf should be installed/uninstalled by Sendmail 8.11. +@comment We install it here because Sendmail 8.11 is in the base system. +@unexec echo "pwcheck_method: pwcheck" > %B/Sendmail.conf.tmp +@unexec if cmp -s %B/Sendmail.conf %B/Sendmail.conf.tmp; then rm -f %B/Sendmail.conf %B/Sendmail.conf.tmp; else rm -f %B/Sendmail.conf.tmp fi sbin/sasldblistusers sbin/saslpasswd sbin/pwcheck 
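Review bot: The new sasldb.db cleanup `@unexec [ -f %D/etc/sasldb.db -a ! -s %D/etc/sasldb.db ] && rm %D/etc/sasldb.db` exits non-zero whenever the file is absent or non-empty, which is the common case, and pkg_delete is likely to report that as a failed @unexec. Write it so the command succeeds either way: `@unexec if [ -f %D/etc/sasldb.db -a ! -s %D/etc/sasldb.db ]; then rm -f %D/etc/sasldb.db; fi`.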
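Review bot: The Sendmail.conf `@unexec` line is not valid sh: `else rm -f %B/Sendmail.conf.tmp fi` has no `;` before `fi`, so the shell passes `fi` to rm as a filename and then fails on the unterminated `if`, leaving Sendmail.conf.tmp behind and never removing Sendmail.conf on deinstall. It should read `@unexec if cmp -s %B/Sendmail.conf %B/Sendmail.conf.tmp; then rm -f %B/Sendmail.conf %B/Sendmail.conf.tmp; else rm -f %B/Sendmail.conf.tmp; fi`. Writing the comparison file into the live `lib/sasl` directory is also avoidable — `cmp -s` against a here-string from `echo` would not need a temporary file at all.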
@@ -41,6 +46,7 @@ sbin/pwcheck %%NOPORTDOCS%%share/doc/SASL/INSTALL %%NOPORTDOCS%%share/doc/SASL/NEWS %%NOPORTDOCS%%share/doc/SASL/README +%%NOPORTDOCS%%share/doc/SASL/Sendmail.README %%NOPORTDOCS%%share/doc/SASL/TODO %%NOPORTDOCS%%share/doc/SASL/draft-leach-digest-sasl-05.txt %%NOPORTDOCS%%share/doc/SASL/draft-newman-auth-scram-03.txt @@ -55,12 +61,13 @@ sbin/pwcheck %%NOPORTDOCS%%share/doc/SASL/html/sysadmin.html %%NOPORTDOCS%%@dirrm share/doc/SASL/html %%NOPORTDOCS%%@dirrm share/doc/SASL +@dirrm lib/sasl @mode u=rwx,go= @cwd /var @exec mkdir pwcheck @exec chown cyrus:cyrus pwcheck @exec chmod go= pwcheck -@comment This file gets create by the pwcheck program -@unexec rm -f pwcheck/pwcheck +@comment This file gets created by the pwcheck program +@unexec rm -f /var/pwcheck/pwcheck @dirrm pwcheck @cwd %%PREFIX%% diff --git a/security/cyrus-sasl/scripts/configure.sasl b/security/cyrus-sasl/scripts/configure.sasl new file mode 100644 index 000000000000..75c4258fa056 --- /dev/null +++ b/security/cyrus-sasl/scripts/configure.sasl 
@@ -0,0 +1,59 @@
+#!/bin/sh
+# $FreeBSD$
+
+if [ -f ${WRKDIRPREFIX}${CURDIR}/Makefile.inc ]; then
+ exit
+fi
+
+if [ "${BATCH}" ]; then
+ exit
+else
+ /usr/bin/dialog --title "Additional pwcheck methods" --clear \
+ --checklist "\n\
+Please select desired options:" -1 -1 16 \
+MySQL "MySQL password Authentication" OFF \
+OpenLDAP "OpenLDAP password Authentication" OFF \
+2> /tmp/checklist.tmp.$$
+
+ retval=$?
+
+ if [ -s /tmp/checklist.tmp.$$ ]; then
+ set `cat /tmp/checklist.tmp.$$`
+ fi
+ rm -f /tmp/checklist.tmp.$$
+
+ case $retval in
+ 0) if [ -z "$*" ]; then
+ echo "Nothing selected"
+ fi
+ ;;
+ 1) echo "Cancel pressed."
+ exit 1
+ ;;
+ esac
+fi
+
+${MKDIR} ${WRKDIRPREFIX}${CURDIR}
+exec > ${WRKDIRPREFIX}${CURDIR}/Makefile.inc
+
+echo "PREFIX= ${PREFIX}"
+
+while [ "$1" ]; do
+ case $1 in
+ \"MySQL\")
+ echo "LIB_DEPENDS+= mysqlclient.6:\${PORTSDIR}/databases/mysql322-client"
+ echo "CONFIGURE_ARGS+=--with-mysql=\${PREFIX}"
+ ;;
+ \"OpenLDAP\")
+ echo "LIB_DEPENDS+= ldap.1:\${PORTSDIR}/net/openldap"
+ echo "LIB_DEPENDS+= lber.1:\${PORTSDIR}/net/openldap"
+ echo "CONFIGURE_ARGS+=--with-ldap=\${PREFIX}"
+ ;;
+ *)
+ echo "Invalid option(s): $*" > /dev/stderr
+ rm -f ${WRKDIRPREFIX}${CURDIR}/Makefile.inc
+ exit 1
+ ;;
+ esac
+ shift
+done |
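Review bot: The dialog output goes to the predictable, world-writable path `/tmp/checklist.tmp.$$` through a plain `2>` redirect and is then read back with `set` over `cat` of that file; since this runs as whoever builds the port (normally root), a local user who pre-creates that name as a symlink gets an arbitrary file truncated and overwritten, and the `$$` suffix is easy to guess or race. Create the file with mktemp(1) instead — `tmp=$(/usr/bin/mktemp -t checklist) || exit 1` followed by `trap 'rm -f "$tmp"' 0` — and use `"$tmp"` in the redirect, the `-s` test, the `cat` and the `rm -f` line. The later `case $1 in` accepts only the two quoted option names, so content planted in the file cannot reach Makefile.inc, which limits the impact to the clobber. Separately, when BATCH is set the script exits before writing `PREFIX= ${PREFIX}` into Makefile.inc, and the Makefile's old `.BEGIN:` fallback that recorded a non-default PREFIX is gone in this commit, so a batch build with PREFIX != LOCALBASE is no longer recorded for a later separate `make install`; a comment here, or writing the PREFIX line before the BATCH exit, would make that explicit.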