[Dovecot] Patch Adding BASE64-PLAIN Password Scheme (was: APOP Clear Text)

Timo Sirainen tss at iki.fi
Sat May 12 21:58:30 EEST 2007


On Sun, 2007-05-13 at 00:34 +0800, imacat wrote:
>     Hi.  Here is a simple patch that adds the BASE64-PLAIN password
> scheme.  It may not be very clean.
> 
>      1. I do not know if adding base64_decode() in
> passwd_file_save_results() in src/auth/passdb-passwd-file.c is
> appropriate.

This isn't needed. The generic scheme handling code should have made it
work everywhere.

> @@ -98,7 +100,8 @@
>  						  scheme);
>  	if (strcasecmp(scheme, wanted_scheme) != 0) {
>  		if (strcasecmp(scheme, "PLAIN") != 0 &&
> - -		    strcasecmp(scheme, "CLEARTEXT") != 0) {
> +		    strcasecmp(scheme, "CLEARTEXT") != 0 &&
> +		    strcasecmp(scheme, "BASE64-PLAIN") != 0) {

This is ok, although it makes me think if there should be some kind of a
password_scheme_is_plaintext() function.

> +static bool base64_plain_verify(const char *plaintext, const char *password,
> +			 const char *user __attr_unused__)
> +{
> +	string_t *str;
> +
> +	str = t_str_new(MAX_BASE64_ENCODED_SIZE(strlen(password)+1));
> +	base64_encode(password, strlen(password), str);
> +	return strcmp(plaintext, str_c(str)) == 0;
> +}

This is a bit wrong. plaintext is in the user-given password in
plaintext, and password is the base64 encoded password. Here you're
base64ing a password that's already base64d. That's probably why you
added the code to passdb-passwd-file.c, the code in there is working
right.

> +	{ "BASE64-PLAIN", base64_plain_verify, base64_plain_generate },

I'm going to use PLAIN.B64 and PLAIN.BASE64 in Dovecot v1.1, so if you
might want to use that name already for your passwords so one day you
don't have to patch Dovecot anymore. :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20070512/9d013c84/attachment-0001.pgp 


More information about the dovecot mailing list