ports/mail/dovecot/patches/patch-src_auth_password-scheme-crypt_c

Dovecot supports various password schemes, e.g. {MD5}, {SHA1},
{SSHA512}, {CRYPT}, etc.  This is used in two cases:

1. Identifying schemes available for 'doveadm pw -s <scheme>' to
generate a hashed password from user input.

2. Deciding which schemes to allow in a password database.
Entries are stored as {SCHEME}passwordhash; the string from within
brackets is checked against the list of supported schemes.

One common scheme is {CRYPT} which passes to the OS crypt() function and
is often used with LDAP password databases as it's also supported by
OpenLDAP for its own authentication.

After DES was removed from crypt(), 'doveadm pw -s CRYPT' started
segfaulting on OpenBSD. To avoid this Dovecot was changed to
test-encrypt a password and check that it can be verified,
if not then that scheme is knocked out. But as well as stopping
the segfault in case 1, it also prevents it from being used for
case 2 i.e. verifying passwords.

Result:

dovecot: auth: Error: ldap(xyz,11.22.33.44,<asdafasfasdasfsa>): Unknown scheme CRYPT

This patch re-allows CRYPT as a supported scheme. On OpenBSD it will
encrypt as blowfish, on other OS it will encrypt as DES. Verification
will work with whichever password formats are supported by the OS.

Index: src/auth/password-scheme-crypt.c
--- src/auth/password-scheme-crypt.c.orig
+++ src/auth/password-scheme-crypt.c
@@ -149,7 +149,12 @@ static const struct {
 	const char *salt;
 	const char *expected;
 } sample[] = {
+#ifdef __OpenBSD__
+       { "08/15!test~4711", "$2a$04$0123456789abcdefABCDEF",                                                        
+         "$2a$04$0123456789abcdefABCDE.N.drYX5yIAL1LkTaaZotW3yI0hQhZru" },                                          
+#else
 	{ "08/15!test~4711", "JB", "JBOZ0DgmtucwE" },
+#endif
 	{ "08/15!test~4711", "$5$rounds=1000$0123456789abcdef",
 	  "$5$rounds=1000$0123456789abcdef$K/DksR0DT01hGc8g/kt"
 	  "9McEgrbFMKi9qrb1jehe7hn4" },
@@ -160,8 +165,13 @@ static const struct {
 
 /* keep in sync with the sample struct above */
 static const struct password_scheme crypt_schemes[] = {
+#ifdef __OpenBSD__
 	{ "DES-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
+	  crypt_generate_blowfish },
+#else
+	{ "DES-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
 	  crypt_generate_des },
+#endif
 	{ "SHA256-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
 	  crypt_generate_sha256 },
 	{ "SHA512-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
SecBSD's official ports repository 2023-08-16 22:26:55 +00:00			`Dovecot supports various password schemes, e.g. {MD5}, {SHA1},`
			`{SSHA512}, {CRYPT}, etc. This is used in two cases:`

			`1. Identifying schemes available for 'doveadm pw -s <scheme>' to`
			`generate a hashed password from user input.`

			`2. Deciding which schemes to allow in a password database.`
			`Entries are stored as {SCHEME}passwordhash; the string from within`
			`brackets is checked against the list of supported schemes.`

			`One common scheme is {CRYPT} which passes to the OS crypt() function and`
			`is often used with LDAP password databases as it's also supported by`
			`OpenLDAP for its own authentication.`

			`After DES was removed from crypt(), 'doveadm pw -s CRYPT' started`
			`segfaulting on OpenBSD. To avoid this Dovecot was changed to`
			`test-encrypt a password and check that it can be verified,`
			`if not then that scheme is knocked out. But as well as stopping`
			`the segfault in case 1, it also prevents it from being used for`
			`case 2 i.e. verifying passwords.`

			`Result:`

			`dovecot: auth: Error: ldap(xyz,11.22.33.44,<asdafasfasdasfsa>): Unknown scheme CRYPT`

			`This patch re-allows CRYPT as a supported scheme. On OpenBSD it will`
			`encrypt as blowfish, on other OS it will encrypt as DES. Verification`
			`will work with whichever password formats are supported by the OS.`

			`Index: src/auth/password-scheme-crypt.c`
			`--- src/auth/password-scheme-crypt.c.orig`
			`+++ src/auth/password-scheme-crypt.c`
			`@@ -149,7 +149,12 @@ static const struct {`
			`const char *salt;`
			`const char *expected;`
			`} sample[] = {`
			`+#ifdef __OpenBSD__`
			`+ { "08/15!test~4711", "$2a$04$0123456789abcdefABCDEF",`
			`+ "$2a$04$0123456789abcdefABCDE.N.drYX5yIAL1LkTaaZotW3yI0hQhZru" },`
			`+#else`
			`{ "08/15!test~4711", "JB", "JBOZ0DgmtucwE" },`
			`+#endif`
			`{ "08/15!test~4711", "$5$rounds=1000$0123456789abcdef",`
			`"$5$rounds=1000$0123456789abcdef$K/DksR0DT01hGc8g/kt"`
			`"9McEgrbFMKi9qrb1jehe7hn4" },`
			`@@ -160,8 +165,13 @@ static const struct {`

			`/* keep in sync with the sample struct above */`
			`static const struct password_scheme crypt_schemes[] = {`
			`+#ifdef __OpenBSD__`
			`{ "DES-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,`
			`+ crypt_generate_blowfish },`
			`+#else`
			`+ { "DES-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,`
			`crypt_generate_des },`
			`+#endif`
			`{ "SHA256-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,`
			`crypt_generate_sha256 },`
			`{ "SHA512-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,`