Diffstat (limited to 'security')
-rw-r--r--security/pam-pgsql/Makefile5
-rw-r--r--security/pam-pgsql/files/Makefile.bsd4
-rw-r--r--security/pam-pgsql/files/patch-md597
3 files changed, 101 insertions, 5 deletions
diff --git a/security/pam-pgsql/Makefile b/security/pam-pgsql/Makefile
index 09a5101fcca6..837c2add1a3c 100644
--- a/security/pam-pgsql/Makefile
+++ b/security/pam-pgsql/Makefile
@@ -14,10 +14,9 @@ DISTFILES= ${PORTNAME}_${PORTVERSION}${EXTRACT_SUFX}
MAINTAINER= mi@aldan.algebra.com
-LIB_DEPENDS= mhash:${PORTSDIR}/security/mhash \
- pq:${PORTSDIR}/databases/postgresql7
+LIB_DEPENDS= pq:${PORTSDIR}/databases/postgresql7
-FORBIDDEN= security
+FORBIDDEN= can be broken by carefully crafted password string
# When the family of Debian mirrors is added to bsd.port.mk,
# this will suddenly start making sense:
diff --git a/security/pam-pgsql/files/Makefile.bsd b/security/pam-pgsql/files/Makefile.bsd
index 9d000dc4ef26..90e58ccb38f7 100644
--- a/security/pam-pgsql/files/Makefile.bsd
+++ b/security/pam-pgsql/files/Makefile.bsd
@@ -4,9 +4,9 @@ SRCS= pam_pgsql.c pam_get_pass.c pam_std_option.c pam_get_service.c
LIB= pam_pgsql
SHLIB_NAME=${LIB}.so
-LDADD= -lpam -L${LOCALBASE}/lib -lpq -lmhash
+LDADD= -lpam -L${LOCALBASE}/lib -lpq -lmd
CFLAGS+= -Wall -D_GNU_SOURCE \
- -I${LOCALBASE}/include/pgsql -I${LOCALBASE}/include
+ -I${LOCALBASE}/include/pgsql
INTERNALLIB= we don't need no stinking static lib
NOPROFILE= we don't need no profiling either
diff --git a/security/pam-pgsql/files/patch-md5 b/security/pam-pgsql/files/patch-md5
new file mode 100644
index 000000000000..c68fa892c3ff
--- /dev/null
+++ b/security/pam-pgsql/files/patch-md5
@@ -0,0 +1,97 @@
+This patch replaces calls to mhash library with direct calls into -lmd,
+greatly simplifying things...
+
+--- pam_pgsql.c Wed Apr 18 16:47:57 2001
++++ pam_pgsql.c Wed Jan 9 14:46:01 2002
+@@ -14,5 +14,7 @@
+ #include <syslog.h>
+ #include <ctype.h>
+-#include <mhash.h>
++#include <sys/types.h>
++#include <unistd.h>
++#include <md5.h>
+ #include <time.h>
+ #include <libpq-fe.h>
+@@ -336,32 +336,7 @@
+ s = strdup(crypt(pass, crypt_make_salt()));
+ break;
+- case PW_MD5: {
+- char *buf;
+- int buf_size;
+- MHASH handle;
+- unsigned char *hash;
+-
+- handle = mhash_init(MHASH_MD5);
+-
+- if(handle == MHASH_FAILED) {
+- SYSLOG("could not initialize mhash library!");
+- } else {
+- int i;
+-
+- mhash(handle, pass, strlen(pass));
+- hash = mhash_end(handle);
+-
+- buf_size = (mhash_get_block_size(MHASH_MD5) * 2)+1;
+- buf = (char *)malloc(buf_size);
+- bzero(buf, buf_size);
+-
+- for(i = 0; i < mhash_get_block_size(MHASH_MD5); i++) {
+- /* should be safe */
+- sprintf(&buf[i * 2], "%.2x", hash[i]);
+- }
+- s = buf;
+- }
+- }
+- break;
++ case PW_MD5:
++ s = MD5Data(pass, strlen(pass), NULL);
++ break;
+ case PW_CLEAR:
+ default:
+@@ -416,35 +391,15 @@
+ }
+ break;
+- case PW_MD5: {
+- char *buf;
+- int buf_size;
+- MHASH handle;
+- unsigned char *hash;
+-
+- handle = mhash_init(MHASH_MD5);
+-
+- if(handle == MHASH_FAILED) {
+- SYSLOG("could not initialize mhash library!");
+- } else {
+- int i;
+-
+- mhash(handle, passwd, strlen(passwd));
+- hash = mhash_end(handle);
+-
+- buf_size = (mhash_get_block_size(MHASH_MD5) * 2)+1;
+- buf = (char *)malloc(buf_size);
+- bzero(buf, buf_size);
+-
+- for(i = 0; i < mhash_get_block_size(MHASH_MD5); i++) {
+- sprintf(&buf[i * 2], "%.2x", hash[i]);
+- }
+-
+- if(strcmp(buf, stored_pw) == 0)
+- rc = PAM_SUCCESS;
+-
+- free(buf);
+- }
+- }
+- break;
++ case PW_MD5:
++ if(strlen(stored_pw) != 32) {
++ SYSLOG("stored password has invalid length.");
++ } else {
++ char *hash;
++ hash = MD5Data(passwd, strlen(passwd), NULL);
++ if(strcmp(hash, stored_pw) == 0)
++ rc = PAM_SUCCESS;
++ free(hash);
++ }
++ break;
+ }
+ }
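Review bot: In the verification branch, the result of `MD5Data(passwd, strlen(passwd), NULL)` goes straight into `strcmp` with no NULL check. With a NULL buffer argument libmd allocates the 33-byte hex string itself and returns NULL if that allocation fails, so memory pressure would crash the PAM module inside the authenticating process instead of denying the login. Guarding the comparison with `if(hash != NULL && strcmp(hash, stored_pw) == 0)` keeps the failure on the deny path, assuming rc defaults to a non-success value, which is set outside the hunk. The earlier encrypt case has the same gap: `s = MD5Data(pass, strlen(pass), NULL);` can leave `s` NULL, and whether the code after the switch tolerates that is not visible here, since both enclosing functions start and end outside the patch context. A short comment next to the `strlen(stored_pw) != 32` check would also help, for example `/* MD5Data() yields 32 lowercase hex digits; stored hashes must use the same form */`, because an uppercase stored hash will never match.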