[Git][debian-proftpd-team/proftpd][master] Add patch for #965077.

Hilmar Preuße gitlab at salsa.debian.org
Thu Aug 6 20:24:39 BST 2020



Hilmar Preuße pushed to branch master at Debian ProFTPD Team / proftpd


Commits:
99f53909 by Hilmar Preusse at 2020-08-06T21:24:08+02:00
Add patch for #965077.

- - - - -


1 changed file:

- + debian/patches/proftpd-mysql-password-backend.diff


Changes:

=====================================
debian/patches/proftpd-mysql-password-backend.diff
=====================================
@@ -0,0 +1,78 @@
+Index: proftpd-dfsg-1.3.7rc4/contrib/mod_sql_mysql.c
+===================================================================
+--- proftpd-dfsg-1.3.7rc4.orig/contrib/mod_sql_mysql.c	2020-07-18 12:31:23.243328191 +0200
++++ proftpd-dfsg-1.3.7rc4/contrib/mod_sql_mysql.c	2020-07-18 12:31:23.243328191 +0200
+@@ -23,7 +23,7 @@
+  * the source distribution.
+  *
+  * -----DO NOT EDIT-----
+- * $Libraries: -lm -lmysqlclient -lz$
++ * $Libraries: -lm -lmd -lmysqlclient -lz$
+  */
+ 
+ /* INTRO:
+@@ -134,6 +134,8 @@
+ #include <mysql/mysql.h>
+ #include <stdbool.h>
+ 
++#include <sha1.h>
++
+ /* The my_make_scrambled_password{,_323} functions are not part of the public
+  * MySQL API and are not declared in any of the MySQL header files. But the
+  * use of these functions are required for implementing the "Backend"
+@@ -1627,6 +1629,27 @@
+   return MYSQL_PASSWD_FMT_UNKNOWN;
+ }
+ 
++char *hexify(char * const result, const unsigned char *digest,
++	    const size_t size_result, size_t size_digest)
++{
++   static const char * const hexchars = "0123456789ABCDEF";
++   char *result_pnt = result;
++
++   if (size_digest <= (size_t) 0 ||
++       size_result <= (size_digest * (size_t) 2U)) {
++       return NULL;
++   }
++   do {
++       *result_pnt++ = hexchars[(*digest >> 4) & 0xf];
++       *result_pnt++ = hexchars[*digest & 0xf];
++       digest++;
++       size_digest--;
++   } while (size_digest > (size_t) 0U);
++   *result_pnt = 0;
++
++   return result;
++}
++
+ static int match_mysql_passwds(const char *hashed, size_t hashed_len,
+     const char *scrambled, size_t scrambled_len, const char *scramble_func) {
+   int hashed_fmt = 0, scrambled_fmt = 0, matched = FALSE;
+@@ -1810,6 +1833,27 @@
+ #endif /* HAVE_MYSQL_MAKE_SCRAMBLED_PASSWORD_323 */
+ 
+   if (success == FALSE) {
++    SHA1_CTX      ctx;
++    unsigned char h0[20], h1[20];
++    SHA1Init(&ctx);
++    SHA1Update(&ctx, plaintext, strlen(plaintext));
++    SHA1Final(h0, &ctx);
++    SHA1Init(&ctx);
++    SHA1Update(&ctx, h0, sizeof h0);
++    memset(h0, '\0', sizeof h0);
++    SHA1Final(h1, &ctx);
++
++    hexify(scrambled + 1U, h1, (sizeof scrambled) - 1U, sizeof h1);
++    *scrambled = '*';
++    sql_log(DEBUG_FUNC, "comparing scrambled password %s to %s", scrambled, ciphertext);
++
++    scrambled_len = strlen(scrambled);
++   
++    success = match_mysql_passwds(ciphertext, ciphertext_len, scrambled, scrambled_len,
++      "selfmade_sha1");
++  }
++
++  if (success == FALSE) {
+     sql_log(DEBUG_FUNC, "%s", "password mismatch");
+   }
+ 
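Review bot: The added `sql_log(DEBUG_FUNC, "comparing scrambled password %s to %s", scrambled, ciphertext);` in the new `success == FALSE` block writes both the hash derived from the submitted password and the stored hash to the SQL log, and since the value is an unsalted double SHA-1, anyone who can read that log gets material suited to offline guessing. I would log only the method, e.g. `sql_log(DEBUG_FUNC, "%s", "trying selfmade_sha1 password comparison");`. The return value of `hexify()` is ignored, so if its size check fails (for instance if `scrambled` is a pointer rather than an array here, which the hunk does not show) the comparison runs on whatever `scrambled` held from an earlier attempt; test for `NULL` and skip the `match_mysql_passwds()` call in that case. `memset(h0, '\0', sizeof h0)` is a dead store the compiler may drop, and `h1` and `ctx` are never cleared; ProFTPD's `pr_memscrub()` on all three after `SHA1Final(h1, &ctx)` would be more reliable. `hexify` is also defined with external linkage in a module source file and should be `static`; the function that contains the password block begins and ends outside the hunk.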



View it on GitLab: https://salsa.debian.org/debian-proftpd-team/proftpd/-/commit/99f53909df83942f1393518e661ae6eab3974e28




