checkpw.c crypt patch

Rodolfo Gonzalez Gonzalez rgonzalez at gnt.cc
Wed Jul 22 17:35:37 EDT 2009


David van Geest escribió:
>>> Digging into this more, seems like using a salt isn't even possible.  


Use it if you dare, I found it somewhere back in 2004 ;-)


--- checkpw.c   2009-04-28 10:09:15.000000000 -0500
+++ checkpw.c   2009-05-15 15:48:50.000000000 -0500
@@ -52,6 +52,7 @@
  #include "saslutil.h"
  #include "saslplug.h"
  #include "saslint.h"
+#include <crypt.h>

  #include <assert.h>
  #ifdef HAVE_UNISTD_H
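Review bot: `<crypt.h>` is included unconditionally, while the system header directly below it is wrapped in `#ifdef HAVE_UNISTD_H`. Platforms that declare `crypt()` in `<unistd.h>` and ship no `<crypt.h>` would fail to compile this file. The include should sit behind a configure-time header check in the same style, and the build has to link the library that provides `crypt()` where it is separate from libc. Neither the header check nor the link flag is part of this patch.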
@@ -144,6 +145,10 @@
                                        NULL };
      struct propval auxprop_values[3];

+    /* added lopaka */
+    char salt[31];
+    char *crypt_passwd = NULL;
+
      if (!conn || !userstr)
         return SASL_BADPARAM;

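Review bot: `salt` is declared without an initialiser, and the `strncpy` calls added in the hunk at -180 copy 13 or 3 bytes without writing a terminator when the stored value is longer. `crypt()` is then handed a buffer that is not a valid string and may read on into uninitialised stack bytes, unless it happens to stop at a salt delimiter first. Declaring it as `char salt[31] = {0};` keeps the buffer terminated whatever is copied into it. The comment `/* added lopaka */` would be more useful if it said what the variables hold, for example `/* crypt(3) setting taken from the stored hash, and the hash of the supplied password */`. The enclosing function starts and ends outside this hunk.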
@@ -180,12 +185,28 @@
         goto done;
      }

+    /* 20041008 lopaka */
+    /* encrypt the passwd and then compare it with the encrypted passwd */
+    if(!strncmp(auxprop_values[0].values[0],"$1",2))
+    {
+        /* MD5 */
+        /* obtain salt = first 12 chars */
+        strncpy(salt,auxprop_values[0].values[0],13);
+    }
+    else
+    {
+        /* DES */
+        /* obtain salt = first 2 chars */
+        strncpy(salt,auxprop_values[0].values[0],3);
+    }
+    crypt_passwd = crypt(passwd,salt);
+
      /* At the point this has been called, the username has been canonified
       * and we've done the auxprop lookup.  This should be easy. */
      if(auxprop_values[0].name
         && auxprop_values[0].values
         && auxprop_values[0].values[0]
-       && !strcmp(auxprop_values[0].values[0], passwd)) {
+       && !strcmp(auxprop_values[0].values[0], crypt_passwd)) {
         /* We have a plaintext version and it matched! */
         return SASL_OK;
      } else if(auxprop_values[1].name
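Review bot: The added `strncmp(auxprop_values[0].values[0], "$1", 2)` dereferences `values` before the NULL checks on the unchanged lines that follow, so an account whose lookup returned no password value crashes the process instead of failing authentication. `crypt()` can also return NULL, and that result goes straight into `strcmp`. Any stored value that does not start with `$1` is treated as DES with a two-character salt, which covers other hash schemes and plaintext values too. Passing the stored value itself as the second argument to `crypt()` lets the library read the scheme and salt, removes the `salt` copy, and leaves one place to guard. The "plaintext version" comment no longer describes the comparison, and the function starts and ends outside this hunk.

```c
    /* … unchanged: auxprop lookup and its error handling … */

    /* Hash the supplied password using the stored value as the crypt(3)
     * setting string; scheme and salt are read from it, so no copy is made.
     * crypt_passwd stays NULL when there is no stored value or crypt() fails. */
    if (auxprop_values[0].name
        && auxprop_values[0].values
        && auxprop_values[0].values[0]) {
        crypt_passwd = crypt(passwd, auxprop_values[0].values[0]);
    }

    if (crypt_passwd
        && !strcmp(auxprop_values[0].values[0], crypt_passwd)) {
        /* The crypt(3) hash of the supplied password matches the stored hash */
        return SASL_OK;
    } else if(auxprop_values[1].name
```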