(CC'ing ports as a heads-up and in case it helps anyone else
who has been bitten!)

The fix for 'doveadm pw -s CRYPT' segfaults does bad things to
auth - it totally removes CRYPT as a supported scheme:

5.8$ doveadm pw -l
CRYPT MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN 
CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 
PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA BLF-CRYPT 

current$ doveadm pw -l
MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR 
CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 
PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA BLF-CRYPT 

This isn't just used for encrypting passwords with 'doveadm pw', but
also for verifying them; it looks up the scheme from {FOO} at the start
of a stored password and if it doesn't match a registered scheme then it
won't try to verify it:

dovecot: auth: Error: [...]: Unknown scheme CRYPT

Commonly as far as LDAP goes, CRYPT means "pass it to the OS to
deal with".

It's fairly nasty for LDAP because using the {CRYPT} prefix with
bcrypt is the best option that works with both OpenLDAP's internal
authentication and Dovecot.

I'm currently running this; it isn't perfect but seems the least
bad option for now.


Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/dovecot/Makefile,v
retrieving revision 1.234
diff -u -p -r1.234 Makefile
--- Makefile    12 Dec 2015 16:43:09 -0000      1.234
+++ Makefile    8 Jan 2016 01:41:06 -0000
@@ -9,6 +9,7 @@ COMMENT-postgresql= PostgreSQL authentic
 
 V_MAJOR=       2.2
 V_DOVECOT=     2.2.21
+REVISION-server=0
 
 DISTNAME=      dovecot-${V_DOVECOT}
 PKGNAME=       dovecot-${V_DOVECOT}
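Review bot: `+REVISION-server=0` should follow the alignment of the neighbouring assignments (`V_MAJOR=       2.2`, `V_DOVECOT=     2.2.21`) rather than being written with no separator after `=`; the bump itself is appropriate since the new patch file changes the behaviour of an installed binary, not only the build.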
Index: patches/patch-src_auth_password-scheme-crypt_c
===================================================================
RCS file: patches/patch-src_auth_password-scheme-crypt_c
diff -N patches/patch-src_auth_password-scheme-crypt_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_auth_password-scheme-crypt_c      8 Jan 2016 01:41:06 
-0000
@@ -0,0 +1,60 @@
+$OpenBSD$
+
+Dovecot supports various password schemes, e.g. {MD5}, {SHA1},
+{SSHA512}, {CRYPT}, etc.  This is is used in two cases:
+
+1. Identifying schemes available for 'doveadm pw -s <scheme>' to
+generate a hashed password from user input.
+
+2. Deciding which schemes to allow in a password database.
+Entries are stored as {SCHEME}passwordhash; the string from within
+brackets is checked against the list of supported schemes.
+
+One common scheme is {CRYPT} which passes to the OS crypt() function and
+is often used with LDAP password databases as it's also supported by
+OpenLDAP for its own authentication.
+
+After DES was removed from crypt(), 'doveadm pw -s CRYPT' started
+segfaulting on OpenBSD. To avoid this Dovecot was changed to
+test-encrypt a password and check that it can be verified,
+if not then that scheme is knocked out. But as well as stopping
+the segfault in case 1, it also prevents it from being used for
+case 2 i.e. verifying passwords.
+
+Result:
+
+dovecot: auth: Error: ldap(xyz,11.22.33.44,<asdafasfasdasfsa>): Unknown scheme 
CRYPT
+
+This patch re-allows CRYPT as a supported scheme. On OpenBSD it will
+encrypt as blowfish, on other OS it will encrypt as DES. Verification
+will work with whichever password formats are supported by the OS.
+
+--- src/auth/password-scheme-crypt.c.orig      Fri Jan  8 01:04:13 2016
++++ src/auth/password-scheme-crypt.c   Fri Jan  8 01:23:35 2016
+@@ -111,7 +111,12 @@ static const struct {
+       const char *salt;
+       const char *expected;
+ } sample[] = {
++#ifdef __OpenBSD__
++      { "08/15!test~4711", "$2a$04$0123456789abcdefABCDEF",
++        "$2a$04$0123456789abcdefABCDE.N.drYX5yIAL1LkTaaZotW3yI0hQhZru" },
++#else
+       { "08/15!test~4711", "JB", "JBOZ0DgmtucwE" },
++#endif
+       { "08/15!test~4711", "$2a$04$0123456789abcdefABCDEF",
+         "$2a$04$0123456789abcdefABCDE.N.drYX5yIAL1LkTaaZotW3yI0hQhZru" },
+       { "08/15!test~4711", "$5$rounds=1000$0123456789abcdef",
+@@ -124,8 +129,13 @@ static const struct {
+ 
+ /* keep in sync with the sample struct above */
+ static const struct password_scheme crypt_schemes[] = {
++#ifdef __OpenBSD__
+       { "CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
++        crypt_generate_blowfisch },
++#else
++      { "CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
+         crypt_generate_des },
++#endif
+       { "BLF-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
+         crypt_generate_blowfisch },
+       { "SHA256-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
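Review bot: in the first nested hunk, the `#ifdef __OpenBSD__` branch adds a bcrypt entry to sample[] that is byte-for-byte the same as the BLF-CRYPT entry two lines below it; this is required because, per `/* keep in sync with the sample struct above */`, sample[] and crypt_schemes[] are matched by index, but without a comment on the duplicated entry it reads as a copy-paste slip, so add a one-line comment saying it is the CRYPT scheme's self-test vector. Second, the patch header says that on other OSes CRYPT "will encrypt as DES", yet the `#else` branch keeps the `{ "08/15!test~4711", "JB", "JBOZ0DgmtucwE" }` DES vector, so on any non-OpenBSD platform whose crypt() has also dropped DES the self-test described in the header will knock CRYPT out again, which is exactly the failure this patch addresses; either state that limitation in the header or select the sample vector by a build-time check for DES support instead of by `__OpenBSD__`.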

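The scheme self-test and the {SCHEME} lookup described above, as a constructed model that is not Dovecot's code: `os_crypt` is a toy stand-in for crypt(3) (hashlib, not real DES or bcrypt) whose supported formats are a parameter, so the same sample vectors can be run against an "OpenBSD without DES" build with and without the CRYPT sample swap from the patch.

```python
import hashlib

ALL_FORMATS = {"des", "blowfish", "sha256"}
SAMPLE_PW = "08/15!test~4711"  # the password Dovecot's sample[] vectors use


def os_crypt(password, salt, supported):
    """Constructed stand-in for crypt(3): the salt prefix selects the algorithm
    and None is returned for a format this OS build lacks (OpenBSD dropped DES).
    Output is '<setting>$<digest>' so the setting can be recovered from a hash."""
    fmt = "blowfish" if salt.startswith("$2a$") else "sha256" if salt.startswith("$5$") else "des"
    if fmt not in supported:
        return None
    setting = salt if salt.startswith("$") else salt[:2]  # DES salt is two characters
    return setting + "$" + hashlib.sha256((setting + password).encode()).hexdigest()[:22]


def scheme_table(openbsd_patch):
    """Scheme -> sample salt; with the patch applied, CRYPT's sample on OpenBSD
    is the bcrypt vector instead of the DES one (BLF-CRYPT keeps its own copy)."""
    crypt_salt = "$2a$04$0123456789abcdefABCDEF" if openbsd_patch else "JB"
    return {"CRYPT": crypt_salt,
            "BLF-CRYPT": "$2a$04$0123456789abcdefABCDEF",
            "SHA256-CRYPT": "$5$rounds=1000$0123456789abcdef"}


def register_schemes(supported, openbsd_patch=False):
    """Dovecot's startup self-test: generate the sample and keep the scheme only
    if the result matches the expected hash; a failing scheme is knocked out."""
    registered = set()
    for name, salt in scheme_table(openbsd_patch).items():
        expected = os_crypt(SAMPLE_PW, salt, ALL_FORMATS)  # vector from a full-featured build
        if os_crypt(SAMPLE_PW, salt, supported) == expected:
            registered.add(name)
    return registered


def verify(stored, password, registered, supported):
    """Check '{SCHEME}hash' the way auth does: the scheme must be registered
    before the hash is even handed to crypt()."""
    if not stored.startswith("{") or "}" not in stored:
        return "no scheme prefix"
    scheme, _, digest = stored[1:].partition("}")
    if scheme not in registered:
        return "Unknown scheme " + scheme   # the error seen in the auth log
    setting = digest.rsplit("$", 1)[0]      # crypt() re-derives the hash from its setting
    return "ok" if os_crypt(password, setting, supported) == digest else "mismatch"
```

On the "OpenBSD without DES" build, `register_schemes` drops CRYPT until the sample swap is applied, after which a stored `{CRYPT}$2a$...` entry verifies again.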