Remove the dependency on security/mhash by calling MD5Data directly.

No REVISION bump, as the port remained FORBIDDEN ever since the last
upgrade.

While here, clarify the FORBIDDEN message a little.

3 files changed, 101 insertions, 5 deletions

diff --git a/security/pam-pgsql/Makefile b/security/pam-pgsql/Makefile
index 09a5101fcca6..837c2add1a3c 100644
--- a/security/pam-pgsql/Makefile
+++ b/security/pam-pgsql/Makefile
@@ -14,10 +14,9 @@ DISTFILES=	${PORTNAME}_${PORTVERSION}${EXTRACT_SUFX}
 
 MAINTAINER=	mi@aldan.algebra.com
 
-LIB_DEPENDS=	mhash:${PORTSDIR}/security/mhash \
-		pq:${PORTSDIR}/databases/postgresql7
+LIB_DEPENDS=	pq:${PORTSDIR}/databases/postgresql7
 
-FORBIDDEN=	security
+FORBIDDEN=	can be broken by carefully crafted password string
 
 # When the family of Debian mirrors is added to bsd.port.mk,
 # this will suddenly start making sense:
diff --git a/security/pam-pgsql/files/Makefile.bsd b/security/pam-pgsql/files/Makefile.bsd
index 9d000dc4ef26..90e58ccb38f7 100644
--- a/security/pam-pgsql/files/Makefile.bsd
+++ b/security/pam-pgsql/files/Makefile.bsd
@@ -4,9 +4,9 @@ SRCS=	pam_pgsql.c pam_get_pass.c pam_std_option.c pam_get_service.c
 LIB=	pam_pgsql
 SHLIB_NAME=${LIB}.so
 
-LDADD=		-lpam -L${LOCALBASE}/lib -lpq -lmhash
+LDADD=		-lpam -L${LOCALBASE}/lib -lpq -lmd
 CFLAGS+=	-Wall -D_GNU_SOURCE \
-		-I${LOCALBASE}/include/pgsql -I${LOCALBASE}/include
+		-I${LOCALBASE}/include/pgsql
 
 INTERNALLIB=	we don't need no stinking static lib
 NOPROFILE=	we don't need no profiling either
diff --git a/security/pam-pgsql/files/patch-md5 b/security/pam-pgsql/files/patch-md5
new file mode 100644
index 000000000000..c68fa892c3ff
--- /dev/null
+++ b/security/pam-pgsql/files/patch-md5
@@ -0,0 +1,97 @@
+This patch replaces calls to mhash library with direct calls into -lmd,
+greatly simplifying things...
+
+--- pam_pgsql.c	Wed Apr 18 16:47:57 2001
++++ pam_pgsql.c	Wed Jan  9 14:46:01 2002
+@@ -14,5 +14,7 @@
+ #include <syslog.h>
+ #include <ctype.h>
+-#include <mhash.h>
++#include <sys/types.h>
++#include <unistd.h>
++#include <md5.h>
+ #include <time.h>
+ #include <libpq-fe.h>
+@@ -336,32 +336,7 @@
+             s = strdup(crypt(pass, crypt_make_salt()));
+             break;
+-        case PW_MD5: {
+-                char *buf;
+-                int buf_size;
+-                MHASH handle;
+-                unsigned char *hash;
+-
+-                handle = mhash_init(MHASH_MD5);
+-
+-                if(handle == MHASH_FAILED) {
+-                    SYSLOG("could not initialize mhash library!");
+-                } else {
+-                    int i; 
+-
+-                    mhash(handle, pass, strlen(pass));
+-                    hash = mhash_end(handle);
+-
+-                    buf_size = (mhash_get_block_size(MHASH_MD5) * 2)+1;
+-                    buf = (char *)malloc(buf_size);
+-                    bzero(buf, buf_size);
+-
+-                    for(i = 0; i < mhash_get_block_size(MHASH_MD5); i++) {
+-                        /* should be safe */
+-                        sprintf(&buf[i * 2], "%.2x", hash[i]);
+-                    }
+-                    s = buf;
+-                }
+-            }
+-            break;
++        case PW_MD5:
++	    s = MD5Data(pass, strlen(pass), NULL);
++	    break;
+         case PW_CLEAR:
+         default:
+@@ -416,35 +391,15 @@
+                 }
+                 break;
+-            case PW_MD5: {
+-                char *buf;
+-                int buf_size;
+-                MHASH handle;
+-                unsigned char *hash;
+-
+-                handle = mhash_init(MHASH_MD5);
+-
+-                if(handle == MHASH_FAILED) {
+-                    SYSLOG("could not initialize mhash library!");
+-                } else {
+-                    int i; 
+-
+-                    mhash(handle, passwd, strlen(passwd));
+-                    hash = mhash_end(handle);
+-
+-                    buf_size = (mhash_get_block_size(MHASH_MD5) * 2)+1;
+-                    buf = (char *)malloc(buf_size);
+-                    bzero(buf, buf_size);
+-
+-                    for(i = 0; i < mhash_get_block_size(MHASH_MD5); i++) {
+-                        sprintf(&buf[i * 2], "%.2x", hash[i]);
+-                    }
+-
+-                    if(strcmp(buf, stored_pw) == 0)
+-                        rc = PAM_SUCCESS;
+-
+-                    free(buf);
+-                }
+-            }
+-            break;
++            case PW_MD5:
++		if(strlen(stored_pw) != 32) {
++		    SYSLOG("stored password has invalid length.");
++		} else {
++                    char *hash;
++		    hash = MD5Data(passwd, strlen(passwd), NULL);
++                    if(strcmp(hash, stored_pw) == 0)
++			rc = PAM_SUCCESS;
++		    free(hash);
++		}
++		break;
+         }
+     }