From beb84d0c26305b80c8c56711782d62212e7abf86 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 19 Jun 2015 13:30:54 +0200 Subject: [PATCH] s4:auth/gensec: remove unused and untested cyrus_sasl module There's not a high chance that this module worked at all. Requesting SASL_SSF in order to get the max input length is completely broken. Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison
--- source4/auth/gensec/cyrus_sasl.c | 454 -------------------------------------- source4/auth/gensec/wscript_build | 10 - source4/auth/wscript_configure | 4 - 3 files changed, 468 deletions(-) delete mode 100644 source4/auth/gensec/cyrus_sasl.c
diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
deleted file mode 100644
index 72acc528fd8..00000000000
--- a/source4/auth/gensec/cyrus_sasl.c
+++ /dev/null
@@ -1,454 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- Connect GENSEC to an external SASL lib
-
- Copyright (C) Andrew Bartlett 2006
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see .
-*/
-
-#include "includes.h"
-#include "lib/tsocket/tsocket.h"
-#include "auth/credentials/credentials.h"
-#include "auth/gensec/gensec.h"
-#include "auth/gensec/gensec_internal.h"
-#include "auth/gensec/gensec_proto.h"
-#include "auth/gensec/gensec_toplevel_proto.h"
-#include
-
-NTSTATUS gensec_sasl_init(void);
-
-struct gensec_sasl_state {
- sasl_conn_t *conn;
- int step;
- bool wrap;
-};
-
-static NTSTATUS sasl_nt_status(int sasl_ret)
-{
- switch (sasl_ret) {
- case SASL_CONTINUE:
- return NT_STATUS_MORE_PROCESSING_REQUIRED;
- case SASL_NOMEM:
- return NT_STATUS_NO_MEMORY;
- case SASL_BADPARAM:
- case SASL_NOMECH:
- return NT_STATUS_INVALID_PARAMETER;
- case SASL_BADMAC:
- return NT_STATUS_ACCESS_DENIED;
- case SASL_OK:
- return NT_STATUS_OK;
- default:
- return NT_STATUS_UNSUCCESSFUL;
- }
-}
-
-static int gensec_sasl_get_user(void *context, int id,
- const char **result, unsigned *len)
-{
- struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
- const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
- if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
- return SASL_FAIL;
- }
-
- *result = username;
- return SASL_OK;
-}
-
-static int gensec_sasl_get_realm(void *context, int id,
- const char **availrealms,
- const char **result)
-{
- struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
- const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
- int i;
- if (id != SASL_CB_GETREALM) {
- return SASL_FAIL;
- }
-
- for (i=0; availrealms && availrealms[i]; i++) {
- if (strcasecmp_m(realm, availrealms[i]) == 0) {
- result[i] = availrealms[i];
- return SASL_OK;
- }
- }
- /* None of the realms match, so lets not specify one */
- *result = "";
- return SASL_OK;
-}
-
-static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
- sasl_secret_t **psecret)
-{
- struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
- const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
-
- sasl_secret_t *secret;
- if (!password) {
- *psecret = NULL;
- return SASL_OK;
- }
- secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password)+1);
- if (!secret) {
- return SASL_NOMEM;
- }
- secret->len = strlen(password);
- strlcpy((char*)secret->data, password, secret->len+1);
- *psecret = secret;
- return SASL_OK;
-}
-
-static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
-{
- sasl_dispose(&gensec_sasl_state->conn);
- return SASL_OK;
-}
-
-typedef int (*__gensec_sasl_callback_t)(void);
-
-static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
-{
- struct gensec_sasl_state *gensec_sasl_state;
- const char *service = gensec_get_target_service(gensec_security);
- const char *target_name = gensec_get_target_hostname(gensec_security);
- const struct tsocket_address *tlocal_addr = gensec_get_local_address(gensec_security);
- const struct tsocket_address *tremote_addr = gensec_get_remote_address(gensec_security);
- char *local_addr = NULL;
- char *remote_addr = NULL;
- int sasl_ret;
-
- sasl_callback_t *callbacks;
-
- gensec_sasl_state = talloc_zero(gensec_security, struct gensec_sasl_state);
- if (!gensec_sasl_state) {
- return NT_STATUS_NO_MEMORY;
- }
-
- callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
- callbacks[0].id = SASL_CB_USER;
- callbacks[0].proc = (__gensec_sasl_callback_t)gensec_sasl_get_user;
- callbacks[0].context = gensec_security;
-
- callbacks[1].id = SASL_CB_AUTHNAME;
- callbacks[1].proc = (__gensec_sasl_callback_t)gensec_sasl_get_user;
- callbacks[1].context = gensec_security;
-
- callbacks[2].id = SASL_CB_GETREALM;
- callbacks[2].proc = (__gensec_sasl_callback_t)gensec_sasl_get_realm;
- callbacks[2].context = gensec_security;
-
- callbacks[3].id = SASL_CB_PASS;
- callbacks[3].proc = (__gensec_sasl_callback_t)gensec_sasl_get_password;
- callbacks[3].context = gensec_security;
-
- callbacks[4].id = SASL_CB_LIST_END;
- callbacks[4].proc = NULL;
- callbacks[4].context = NULL;
-
- gensec_security->private_data = gensec_sasl_state;
-
- if (tlocal_addr) {
- local_addr = talloc_asprintf(gensec_sasl_state,
- "%s;%d",
- tsocket_address_inet_addr_string(tlocal_addr, gensec_sasl_state),
- tsocket_address_inet_port(tlocal_addr));
- }
-
- if (tremote_addr) {
- remote_addr = talloc_asprintf(gensec_sasl_state,
- "%s;%d",
- tsocket_address_inet_addr_string(tremote_addr, gensec_sasl_state),
- tsocket_address_inet_port(tremote_addr));
- }
- gensec_sasl_state->step = 0;
-
- sasl_ret = sasl_client_new(service,
- target_name,
- local_addr, remote_addr, callbacks, 0,
- &gensec_sasl_state->conn);
-
- if (sasl_ret == SASL_OK) {
- sasl_security_properties_t props;
- talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
-
- ZERO_STRUCT(props);
- if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
- props.min_ssf = 1;
- props.max_ssf = 1;
- props.maxbufsize = 65536;
- gensec_sasl_state->wrap = true;
- }
- if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
- props.min_ssf = 40;
- props.max_ssf = UINT_MAX;
- props.maxbufsize = 65536;
- gensec_sasl_state->wrap = true;
- }
-
- sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
- }
- if (sasl_ret != SASL_OK) {
- DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
- }
- return sasl_nt_status(sasl_ret);
-}
-
-static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security,
- TALLOC_CTX *out_mem_ctx,
- struct tevent_context *ev,
- const DATA_BLOB in, DATA_BLOB *out)
-{
- struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
- struct gensec_sasl_state);
- int sasl_ret;
- const char *out_data;
- unsigned int out_len;
-
- if (gensec_sasl_state->step == 0) {
- const char *mech;
- sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name,
- NULL, &out_data, &out_len, &mech);
- } else {
- sasl_ret = sasl_client_step(gensec_sasl_state->conn,
- (char*)in.data, in.length, NULL,
- &out_data, &out_len);
- }
- if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
- *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
- } else {
- DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step,
- sasl_errdetail(gensec_sasl_state->conn)));
- }
- gensec_sasl_state->step++;
- return sasl_nt_status(sasl_ret);
-}
-
-static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security,
- TALLOC_CTX *out_mem_ctx,
- const DATA_BLOB *in,
- DATA_BLOB *out,
- size_t *len_processed)
-{
- struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
- struct gensec_sasl_state);
- const char *out_data;
- unsigned int out_len;
-
- int sasl_ret = sasl_decode(gensec_sasl_state->conn,
- (char*)in->data, in->length, &out_data,
- &out_len);
- if (sasl_ret == SASL_OK) {
- *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
- *len_processed = in->length;
- } else {
- DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
- }
- return sasl_nt_status(sasl_ret);
-
-}
-
-static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security,
- TALLOC_CTX *out_mem_ctx,
- const DATA_BLOB *in,
- DATA_BLOB *out,
- size_t *len_processed)
-{
- struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
- struct gensec_sasl_state);
- const char *out_data;
- unsigned int out_len;
- unsigned len_permitted;
- int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
- (const void**)&len_permitted);
- if (sasl_ret != SASL_OK) {
- return sasl_nt_status(sasl_ret);
- }
- len_permitted = MIN(len_permitted, in->length);
-
- sasl_ret = sasl_encode(gensec_sasl_state->conn,
- (char*)in->data, len_permitted, &out_data,
- &out_len);
- if (sasl_ret == SASL_OK) {
- *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
- *len_processed = in->length;
- } else {
- DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
- }
- return sasl_nt_status(sasl_ret);
-}
-
-/* Try to figure out what features we actually got on the connection */
-static bool gensec_sasl_have_feature(struct gensec_security *gensec_security,
- uint32_t feature)
-{
- struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
- struct gensec_sasl_state);
- sasl_ssf_t ssf;
- int sasl_ret;
-
- /* If we did not elect to wrap, then we have neither sign nor seal, no matter what the SSF claims */
- if (!gensec_sasl_state->wrap) {
- return false;
- }
-
- sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
- (const void**)&ssf);
- if (sasl_ret != SASL_OK) {
- return false;
- }
- if (feature & GENSEC_FEATURE_SIGN) {
- if (ssf == 0) {
- return false;
- }
- if (ssf >= 1) {
- return true;
- }
- }
- if (feature & GENSEC_FEATURE_SEAL) {
- if (ssf <= 1) {
- return false;
- }
- if (ssf > 1) {
- return true;
- }
- }
- return false;
-}
-
-/* This could in theory work with any SASL mech */
-static const struct gensec_security_ops gensec_sasl_security_ops = {
- .name = "sasl-DIGEST-MD5",
- .sasl_name = "DIGEST-MD5",
- .client_start = gensec_sasl_client_start,
- .update = gensec_sasl_update,
- .wrap_packets = gensec_sasl_wrap_packets,
- .unwrap_packets = gensec_sasl_unwrap_packets,
- .have_feature = gensec_sasl_have_feature,
- .enabled = true,
- .priority = GENSEC_SASL
-};
-
-static int gensec_sasl_log(void *context,
- int sasl_log_level,
- const char *message)
-{
- int dl;
- switch (sasl_log_level) {
- case SASL_LOG_NONE:
- dl = 0;
- break;
- case SASL_LOG_ERR:
- dl = 1;
- break;
- case SASL_LOG_FAIL:
- dl = 2;
- break;
- case SASL_LOG_WARN:
- dl = 3;
- break;
- case SASL_LOG_NOTE:
- dl = 5;
- break;
- case SASL_LOG_DEBUG:
- dl = 10;
- break;
- case SASL_LOG_TRACE:
- dl = 11;
- break;
-#if DEBUG_PASSWORD
- case SASL_LOG_PASS:
- dl = 100;
- break;
-#endif
- default:
- dl = 0;
- break;
- }
- DEBUG(dl, ("gensec_sasl: %s\n", message));
-
- return SASL_OK;
-}
-
-NTSTATUS gensec_sasl_init(void)
-{
- NTSTATUS ret;
- int sasl_ret;
-#if 0
- int i;
- const char **sasl_mechs;
-#endif
-
- static const sasl_callback_t callbacks[] = {
- {
- .id = SASL_CB_LOG,
- .proc = (__gensec_sasl_callback_t)gensec_sasl_log,
- .context = NULL,
- },
- {
- .id = SASL_CB_LIST_END,
- .proc = NULL,
- .context = NULL,
- }
- };
- sasl_ret = sasl_client_init(callbacks);
-
- if (sasl_ret == SASL_NOMECH) {
- /* Nothing to do here */
- return NT_STATUS_OK;
- }
-
- if (sasl_ret != SASL_OK) {
- return sasl_nt_status(sasl_ret);
- }
-
- /* For now, we just register DIGEST-MD5 */
-#if 1
- ret = gensec_register(&gensec_sasl_security_ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register '%s' gensec backend!\n",
- gensec_sasl_security_ops.name));
- return ret;
- }
-#else
- sasl_mechs = sasl_global_listmech();
- for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
- const struct gensec_security_ops *oldmech;
- struct gensec_security_ops *newmech;
- oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
- if (oldmech) {
- continue;
- }
- newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
- if (!newmech) {
- return NT_STATUS_NO_MEMORY;
- }
- *newmech = gensec_sasl_security_ops;
- newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
- newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
- if (!newmech->sasl_name || !newmech->name) {
- return NT_STATUS_NO_MEMORY;
- }
-
- ret = gensec_register(newmech);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register '%s' gensec backend!\n",
- gensec_sasl_security_ops.name));
- return ret;
- }
- }
-#endif
- return NT_STATUS_OK;
-}
diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build
index 097a7409362..46915f0aeb6 100755
--- a/source4/auth/gensec/wscript_build
+++ b/source4/auth/gensec/wscript_build
@@ -22,16 +22,6 @@ bld.SAMBA_MODULE('gensec_gssapi', deps='gssapi samba-credentials authkrb5 com_err gensec_util' ) - -bld.SAMBA_MODULE('cyrus_sasl', - source='cyrus_sasl.c', - subsystem='gensec', - init_function='gensec_sasl_init', - deps='samba-credentials sasl2', - enabled=bld.CONFIG_SET('HAVE_SASL') - ) - - bld.SAMBA_PYTHON('pygensec', source='pygensec.c', deps='gensec pytalloc-util pyparam_util',
diff --git a/source4/auth/wscript_configure b/source4/auth/wscript_configure
index 1d26cde1398..d25cc0b359d 100644
--- a/source4/auth/wscript_configure
+++ b/source4/auth/wscript_configure
@@ -2,7 +2,3 @@ conf.CHECK_HEADERS('security/pam_appl.h') conf.CHECK_FUNCS_IN('pam_start', 'pam', checklibc=True)
-
-if (conf.CHECK_HEADERS('sasl/sasl.h') and
- conf.CHECK_FUNCS_IN('sasl_client_init', 'sasl2')):
- conf.DEFINE('HAVE_SASL', 1)
-- 2.11.4.GIT