From 396ebf2f43b8853648b22d557bc0566bf663355a Mon Sep 17 00:00:00 2001 From: Mikhail Teterin Date: Wed, 9 Jan 2002 19:55:47 +0000 Subject: Remove the dependency on security/mhash by calling MD5Data directly. No REVISION bump, as the port remained FORBIDDEN ever since the last upgrade. While here, clarify the FORBIDDEN message a little. --- security/pam-pgsql/Makefile | 5 +- security/pam-pgsql/files/Makefile.bsd | 4 +- security/pam-pgsql/files/patch-md5 | 97 +++++++++++++++++++++++++++++++++++ 3 files changed, 101 insertions(+), 5 deletions(-) create mode 100644 security/pam-pgsql/files/patch-md5 (limited to 'security') diff --git a/security/pam-pgsql/Makefile b/security/pam-pgsql/Makefile index 09a5101fcca6..837c2add1a3c 100644 --- a/security/pam-pgsql/Makefile +++ b/security/pam-pgsql/Makefile @@ -14,10 +14,9 @@ DISTFILES= ${PORTNAME}_${PORTVERSION}${EXTRACT_SUFX} MAINTAINER= mi@aldan.algebra.com -LIB_DEPENDS= mhash:${PORTSDIR}/security/mhash \ - pq:${PORTSDIR}/databases/postgresql7 +LIB_DEPENDS= pq:${PORTSDIR}/databases/postgresql7 -FORBIDDEN= security +FORBIDDEN= can be broken by carefully crafted password string # When the family of Debian mirrors is added to bsd.port.mk, # this will suddenly start making sense: diff --git a/security/pam-pgsql/files/Makefile.bsd b/security/pam-pgsql/files/Makefile.bsd index 9d000dc4ef26..90e58ccb38f7 100644 --- a/security/pam-pgsql/files/Makefile.bsd +++ b/security/pam-pgsql/files/Makefile.bsd @@ -4,9 +4,9 @@ SRCS= pam_pgsql.c pam_get_pass.c pam_std_option.c pam_get_service.c LIB= pam_pgsql SHLIB_NAME=${LIB}.so -LDADD= -lpam -L${LOCALBASE}/lib -lpq -lmhash +LDADD= -lpam -L${LOCALBASE}/lib -lpq -lmd CFLAGS+= -Wall -D_GNU_SOURCE \ - -I${LOCALBASE}/include/pgsql -I${LOCALBASE}/include + -I${LOCALBASE}/include/pgsql INTERNALLIB= we don't need no stinking static lib NOPROFILE= we don't need no profiling either 
diff --git a/security/pam-pgsql/files/patch-md5 b/security/pam-pgsql/files/patch-md5
new file mode 100644
index 000000000000..c68fa892c3ff
--- /dev/null
+++ b/security/pam-pgsql/files/patch-md5
@@ -0,0 +1,97 @@ +This patch replaces calls to mhash library with direct calls into -lmd, +greatly simplifying things... + +--- pam_pgsql.c Wed Apr 18 16:47:57 2001 ++++ pam_pgsql.c Wed Jan 9 14:46:01 2002 +@@ -14,5 +14,7 @@ + #include + #include +-#include ++#include ++#include ++#include + #include + #include +@@ -336,32 +336,7 @@ + s = strdup(crypt(pass, crypt_make_salt())); + break; +- case PW_MD5: { +- char *buf; +- int buf_size; +- MHASH handle; +- unsigned char *hash; +- +- handle = mhash_init(MHASH_MD5); +- +- if(handle == MHASH_FAILED) { +- SYSLOG("could not initialize mhash library!"); +- } else { +- int i; +- +- mhash(handle, pass, strlen(pass)); +- hash = mhash_end(handle); +- +- buf_size = (mhash_get_block_size(MHASH_MD5) * 2)+1; +- buf = (char *)malloc(buf_size); +- bzero(buf, buf_size); +- +- for(i = 0; i < mhash_get_block_size(MHASH_MD5); i++) { +- /* should be safe */ +- sprintf(&buf[i * 2], "%.2x", hash[i]); +- } +- s = buf; +- } +- } +- break; ++ case PW_MD5: ++ s = MD5Data(pass, strlen(pass), NULL); ++ break; + case PW_CLEAR: + default: +@@ -416,35 +391,15 @@ + } + break; +- case PW_MD5: { +- char *buf; +- int buf_size; +- MHASH handle; +- unsigned char *hash; +- +- handle = mhash_init(MHASH_MD5); +- +- if(handle == MHASH_FAILED) { +- SYSLOG("could not initialize mhash library!"); +- } else { +- int i; +- +- mhash(handle, passwd, strlen(passwd)); +- hash = mhash_end(handle); +- +- buf_size = (mhash_get_block_size(MHASH_MD5) * 2)+1; +- buf = (char *)malloc(buf_size); +- bzero(buf, buf_size); +- +- for(i = 0; i < mhash_get_block_size(MHASH_MD5); i++) { +- sprintf(&buf[i * 2], "%.2x", hash[i]); +- } +- +- if(strcmp(buf, stored_pw) == 0) +- rc = PAM_SUCCESS; +- +- free(buf); +- } +- } +- break; ++ case PW_MD5: ++ if(strlen(stored_pw) != 32) { ++ SYSLOG("stored password has invalid length."); ++ } else { ++ char *hash; ++ hash = MD5Data(passwd, strlen(passwd), NULL); ++ if(strcmp(hash, stored_pw) == 0) ++ rc = PAM_SUCCESS; ++ free(hash); ++ } ++ 
break; + } + } -- cgit v1.2.3
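Review bot: In the verification branch of the embedded pam_pgsql.c patch, the result of `MD5Data(passwd, strlen(passwd), NULL)` goes straight into `strcmp` without a NULL check. With a NULL buffer argument MD5Data allocates the result string itself and returns NULL if that allocation fails, so under memory pressure the authenticating process would crash instead of denying the login. Guard the comparison with `if(hash != NULL && strcmp(hash, stored_pw) == 0)` and log the allocation failure through SYSLOG. The same unchecked return appears at `s = MD5Data(pass, strlen(pass), NULL);` in the earlier inner hunk; `s` is consumed outside the visible lines, so confirm that the caller tolerates NULL there. Both enclosing functions start and end outside the hunks shown.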