[tpop3d-discuss]SHA1 hashes in MySQL and more verbose debug

Chris Lightfoot chris at ex-parrot.com
Wed, 29 Sep 2004 21:46:07 +0100


On Wed, Sep 29, 2004 at 11:36:49AM -0500, estoy@ver.megared.net.mx wrote:
> Hi,
> 
> I'm new to this list (and tpop3d), so excuse me if this is something 
> obvious.
> 
> I'm trying to set up Exim+MySQL+tpop3d auth but it is not working, I 
> have 2 questions:
> 
> 1.- How do I set the auth-mysql-pass-query in order to use SHA1 hashes 
> in my MySQL???
> 
> I saw in the documentation that only these are supported:
> ~~~~~~~~~~~~~~~~~~~
> {crypt}
> {crypt_md5}
> {plaintext}
> {mysql}
> {md5} or no prefix
> ~~~~~~~~~~~~~~~~~~~
> 
> But no prefix seems to work with SHA1 hashes 

SHA1 is indeed not yet supported. It'd be pretty easy to
add, though:

diff -u -r1.6 password.c
--- password.c  9 Sep 2003 22:52:30 -0000       1.6
+++ password.c  29 Sep 2004 20:43:07 -0000
@@ -31,6 +31,8 @@
 #define _XOPEN_SRC      /* crypt(3), on some systems */
 #include <unistd.h>
 
+#include <openssl/sha.h>
+
 #include "md5.h"
 #include "util.h"
 
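Review bot: the unconditional `#include <openssl/sha.h>` ties password.c to libcrypto for every build, which the note after the patch acknowledges will break configurations that are not already linking -lcrypto for TLS. Either guard the include and the new `{sha1}` branch with the same preprocessor symbol the TLS build uses, or add -lcrypto to the link line unconditionally, so the SHA1 scheme does not depend on a side effect of another option.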
@@ -272,6 +274,24 @@
                 log_print(LOG_ERR, _("password: %s has password type mysql, but hash is of incorrect length %d (expecting 8 or 16)"), who, n);
                 return 0;
         }
+    } else if (IS_SCHEME(pwhash, "{sha1}", default_crypt_scheme)) {
+        unsigned char h[20], hh[41];
+        SHA_CTX c;
+        int i;
+
+        if (strlen(realhash) != 40) {
+            log_print(LOG_ERR, _("password: %s has password type sha1, but has is of incorrect length"), who);
+            return 0;
+        }
+        
+        SHA1_Init(&c);
+        SHA1_Update(&c, pass, strlen(pass));
+        SHA1_Final(h, &c);
+
+        for (i = 0; i < 20; ++i)
+            sprintf(hh + 2 * i, "%02x", (unsigned int)h[i]);
+
+        return strcasecmp(realhash, hh) == 0;
     } else if (IS_SCHEME(pwhash, "{md5}", default_crypt_scheme)) {
         /* Straight MD5 password. But this might be either in hex or base64
          * encoding. */
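Review bot: `hh` is declared `unsigned char hh[41]` but is passed to `sprintf` and `strcasecmp`, both of which take `char *`; declare it `char hh[41]` to avoid the pointer-sign warnings (or errors under strict flags). The length-check log message also has a typo, `but has is of incorrect length` should read `hash is`, and unlike the mysql message just above it does not report the actual length. Two points worth a comment in the code rather than a change: the branch hashes the bare password with no salt, which is what MySQL's SHA1() column values require but means the stored hashes are cheap to attack offline if the table leaks, and `strcasecmp` stops at the first differing byte, so the comparison is not constant-time; a fixed-length comparison over all 40 characters would avoid that.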

-- note that this won't compile unless tpop3d is being
linked against OpenSSL's -lcrypto for some other reason
(e.g. TLS support). You can fix that manually.

> my conf file:
> ~~~~~~~~</usr/local/etc/tpop3d.conf>~~~~~~~~~~~
> auth-mysql-pass-query: SELECT CONCAT(emp_home,'/Maildir'), \
>         CONCAT('{crypt}',pwd_hash), \
>         'mailnull','maildir' \
>         FROM emp \
>         WHERE login='$(local_part)'
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

That looks OK.

> 2.- How do I get more useful information from the logs???
> I've tried the "log-bad-passwords:" and the server is getting the
> correct username and password, so it's not username/password the 
> problem... but in the logs appears "authentication failures":

Are you running with the -v option?

-- 
``Decommissioning is the perpetual rock
  upon which we have come adrift'' (Peter Mandelson)