← Back to branch summary

~ubuntu-branches/ubuntu/saucy/dovecot/saucy-updates

« back to all changes in this revision

Viewing changes to src/auth/password-scheme.c

  • Committer: Package Import Robot
  • Author(s): James Page
  • Date: 2012-04-04 14:56:38 UTC
  • mfrom: (1.15.1) (4.1.26 sid)
  • Revision ID: package-import@ubuntu.com-20120404145638-qmvdul6vwpcqparv
Tags: 1:2.0.19-0ubuntu1
https://launchpad.net/bugs/970782
* New upstream release (LP: #970782).
* Merge from Debian testing, remaining changes:
  + Add mail-stack-delivery package:
    - Update d/rules
    - d/control: convert existing dovecot-postfix package to a dummy
      package and add new mail-stack-delivery package.
    - Update maintainer scripts.
    - Rename d/dovecot-postfix.* to debian/mail-stack-delivery.*
    - d/mail-stack-delivery.preinst: Move previously installed backups and
      config files to a new package namespace.
    - d/mail-stack-delivery.prerm: Added to handle downgrades.
  + Use Snakeoil SSL certificates by default:
    - d/control: Depend on ssl-cert.
    - d/dovecot-core.postinst: Relax grep for SSL_* a bit.
  + Add autopkgtest to debian/tests/*.
  + Add ufw integration:
    - d/dovecot-core.ufw.profile: new ufw profile.
    - d/rules: install profile in dovecot-core.
    - d/control: dovecot-core - suggest ufw.
  + d/{control,rules}: enable PIE hardening.
  + d/dovecot-core.dirs: Added usr/share/doc/dovecot-core
  + Add apport hook:
    - d/rules, d/source_dovecot.py
  + Add upstart job:
    - d/rules, d/dovecot-core.dovecot.upstart, d/control,
      d/dovecot-core.dirs, dovecot-imapd.{postrm, postinst, prerm},
      d/dovecot-pop3d.{postinst, postrm, prerm}.
      d/mail-stack-deliver.postinst:
      Convert init script to upstart.
  + d/patches/fix-racey-restart.patch: Backported patch from current
    development release which ensures all child processes terminate prior
    to the main dovecot process.
  + debian/patches/CVE-2011-4318.patch: Dropped - applied upstream
  + d/control: Added Pre-Depends: dpkg (>= 1.15.6) to dovecot-dbg to support
    xz compression in Ubuntu.
  + d/control: Demote dovecot-common Recommends: to Suggests: to prevent
    install of extra packages on upgrade.
* d/patches/dovecot-drac.patch: Updated with version for dovecot >= 2.0.0.

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/auth/password-scheme.c
127
127
}
128
128
 
129
129
int password_decode(const char *password, const char *scheme,
130
 
                    const unsigned char **raw_password_r, size_t *size_r)
 
130
                    const unsigned char **raw_password_r, size_t *size_r,
 
131
                    const char **error_r)
131
132
{
132
133
        const struct password_scheme *s;
133
134
        enum password_encoding encoding;
134
135
        buffer_t *buf;
135
136
        unsigned int len;
 
137
        bool guessed_encoding;
 
138
 
 
139
        *error_r = NULL;
136
140
 
137
141
        s = password_scheme_lookup(scheme, &encoding);
138
 
        if (s == NULL)
 
142
        if (s == NULL) {
 
143
                *error_r = "Unknown scheme";
139
144
                return 0;
 
145
        }
140
146
 
141
147
        len = strlen(password);
142
148
        if (encoding != PW_ENCODING_NONE && s->raw_password_len != 0 &&
145
151
                   base64 and hex encodings. the only problem is distinguishing
146
152
                   2 character strings, but there shouldn't be any that short
147
153
                   raw_password_lens. */
148
 
                encoding = len == s->raw_password_len * 2 ? PW_ENCODING_HEX :
149
 
                        PW_ENCODING_BASE64;
 
154
                encoding = len == s->raw_password_len * 2 ?
 
155
                        PW_ENCODING_HEX : PW_ENCODING_BASE64;
 
156
                guessed_encoding = TRUE;
 
157
        } else {
 
158
                guessed_encoding = FALSE;
150
159
        }
151
160
 
152
161
        switch (encoding) {
162
171
                        *size_r = buf->used;
163
172
                        break;
164
173
                }
 
174
                if (!guessed_encoding) {
 
175
                        *error_r = "Input isn't valid HEX encoded data";
 
176
                        return -1;
 
177
                }
165
178
                /* fall through, just in case it was base64-encoded after
166
179
                   all. some input lengths produce matching hex and base64
167
180
                   encoded lengths. */
168
181
        case PW_ENCODING_BASE64:
169
182
                buf = buffer_create_dynamic(pool_datastack_create(),
170
183
                                            MAX_BASE64_DECODED_SIZE(len));
171
 
                if (base64_decode(password, len, NULL, buf) < 0)
 
184
                if (base64_decode(password, len, NULL, buf) < 0) {
 
185
                        *error_r = "Input isn't valid base64 encoded data";
172
186
                        return -1;
 
187
                }
173
188
 
174
189
                *raw_password_r = buf->data;
175
190
                *size_r = buf->used;
177
192
        }
178
193
        if (s->raw_password_len != *size_r && s->raw_password_len != 0) {
179
194
                /* password has invalid length */
 
195
                *error_r = t_strdup_printf(
 
196
                        "Input length isn't valid (%u instead of %u)",
 
197
                        (unsigned int)*size_r, s->raw_password_len);
180
198
                return -1;
181
199
        }
182
200
        return 1;
272
290
        unsigned int i, count;
273
291
        const unsigned char *raw_password;
274
292
        size_t raw_password_size;
 
293
        const char *error;
275
294
 
276
295
        schemes = array_get(&password_schemes, &count);
277
296
        for (i = 0; i < count; i++) {
278
297
                if (password_decode(crypted_password, schemes[i]->name,
279
 
                                    &raw_password, &raw_password_size) <= 0)
 
298
                                    &raw_password, &raw_password_size,
 
299
                                    &error) <= 0)
280
300
                        continue;
281
301
 
282
302
                if (password_verify(plain_password, user, schemes[i]->name,
324
344
md5_verify(const char *plaintext, const char *user,
325
345
           const unsigned char *raw_password, size_t size)
326
346
{
327
 
        const char *password, *str;
 
347
        const char *password, *str, *error;
328
348
        const unsigned char *md5_password;
329
349
        size_t md5_size;
330
350
 
334
354
                str = password_generate_md5_crypt(plaintext, password);
335
355
                return strcmp(str, password) == 0;
336
356
        } else if (password_decode(password, "PLAIN-MD5",
337
 
                                   &md5_password, &md5_size) < 0) {
 
357
                                   &md5_password, &md5_size, &error) < 0) {
338
358
                i_error("md5_verify(%s): Not a valid MD5-CRYPT or "
339
359
                        "PLAIN-MD5 password", user);
340
360
                return FALSE;