s4:auth/gensec: remove unused and untested cyrus_sasl module

There's not a high chance that this module worked at all.

Requesting SASL_SSF in order to get the max input length
is completely broken.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

source4/auth/gensec/cyrus_sasl.c

@@ -1,454 +0,0 @@
-/* 
-   Unix SMB/CIFS implementation.
- 
-   Connect GENSEC to an external SASL lib
-
-   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
-   
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "lib/tsocket/tsocket.h"
-#include "auth/credentials/credentials.h"
-#include "auth/gensec/gensec.h"
-#include "auth/gensec/gensec_internal.h"
-#include "auth/gensec/gensec_proto.h"
-#include "auth/gensec/gensec_toplevel_proto.h"
-#include <sasl/sasl.h>
-
-NTSTATUS gensec_sasl_init(void);
-
-struct gensec_sasl_state {
-	sasl_conn_t *conn;
-	int step;
-	bool wrap;
-};
-
-static NTSTATUS sasl_nt_status(int sasl_ret) 
-{
-	switch (sasl_ret) {
-	case SASL_CONTINUE:
-		return NT_STATUS_MORE_PROCESSING_REQUIRED;
-	case SASL_NOMEM:
-		return NT_STATUS_NO_MEMORY;
-	case SASL_BADPARAM:
-	case SASL_NOMECH:
-		return NT_STATUS_INVALID_PARAMETER;
-	case SASL_BADMAC:
-		return NT_STATUS_ACCESS_DENIED;
-	case SASL_OK:
-		return NT_STATUS_OK;
-	default:
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-}
-
-static int gensec_sasl_get_user(void *context, int id,
-				const char **result, unsigned *len)
-{
-	struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
-	const char *username = cli_credentials_get_username(gensec_get_credentials(gensec_security));
-	if (id != SASL_CB_USER && id != SASL_CB_AUTHNAME) {
-		return SASL_FAIL;
-	}
-	
-	*result = username;
-	return SASL_OK;
-}
-
-static int gensec_sasl_get_realm(void *context, int id,
-				 const char **availrealms,
-				 const char **result)
-{
-	struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
-	const char *realm = cli_credentials_get_realm(gensec_get_credentials(gensec_security));
-	int i;
-	if (id != SASL_CB_GETREALM) {
-		return SASL_FAIL;
-	}
-
-	for (i=0; availrealms && availrealms[i]; i++) {
-		if (strcasecmp_m(realm, availrealms[i]) == 0) {
-			result[i] = availrealms[i];
-			return SASL_OK;
-		}
-	}
-	/* None of the realms match, so lets not specify one */
-	*result = "";
-	return SASL_OK;
-}
-
-static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
-			     sasl_secret_t **psecret)
-{
-	struct gensec_security *gensec_security = talloc_get_type(context, struct gensec_security);
-	const char *password = cli_credentials_get_password(gensec_get_credentials(gensec_security));
-	
-	sasl_secret_t *secret;
-	if (!password) {
-		*psecret = NULL;
-		return SASL_OK;
-	}
-	secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password)+1);
-	if (!secret) {
-		return SASL_NOMEM;
-	}
-	secret->len = strlen(password);
-	strlcpy((char*)secret->data, password, secret->len+1);
-	*psecret = secret;
-	return SASL_OK;
-}
-
-static int gensec_sasl_dispose(struct gensec_sasl_state *gensec_sasl_state)
-{
-	sasl_dispose(&gensec_sasl_state->conn);
-	return SASL_OK;
-}
-
-typedef int (*__gensec_sasl_callback_t)(void);
-
-static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security)
-{
-	struct gensec_sasl_state *gensec_sasl_state;
-	const char *service = gensec_get_target_service(gensec_security);
-	const char *target_name = gensec_get_target_hostname(gensec_security);
-	const struct tsocket_address *tlocal_addr = gensec_get_local_address(gensec_security);
-	const struct tsocket_address *tremote_addr = gensec_get_remote_address(gensec_security);
-	char *local_addr = NULL;
-	char *remote_addr = NULL;
-	int sasl_ret;
-
-	sasl_callback_t *callbacks;
-
-	gensec_sasl_state = talloc_zero(gensec_security, struct gensec_sasl_state);
-	if (!gensec_sasl_state) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	callbacks = talloc_array(gensec_sasl_state, sasl_callback_t, 5);
-	callbacks[0].id = SASL_CB_USER;
-	callbacks[0].proc = (__gensec_sasl_callback_t)gensec_sasl_get_user;
-	callbacks[0].context = gensec_security;
-
-	callbacks[1].id = SASL_CB_AUTHNAME;
-	callbacks[1].proc = (__gensec_sasl_callback_t)gensec_sasl_get_user;
-	callbacks[1].context = gensec_security;
-
-	callbacks[2].id = SASL_CB_GETREALM;
-	callbacks[2].proc = (__gensec_sasl_callback_t)gensec_sasl_get_realm;
-	callbacks[2].context = gensec_security;
-
-	callbacks[3].id = SASL_CB_PASS;
-	callbacks[3].proc = (__gensec_sasl_callback_t)gensec_sasl_get_password;
-	callbacks[3].context = gensec_security;
-
-	callbacks[4].id = SASL_CB_LIST_END;
-	callbacks[4].proc = NULL;
-	callbacks[4].context = NULL;
-
-	gensec_security->private_data = gensec_sasl_state;
-
-	if (tlocal_addr) {
-		local_addr = talloc_asprintf(gensec_sasl_state,
-				"%s;%d",
-				tsocket_address_inet_addr_string(tlocal_addr, gensec_sasl_state),
-				tsocket_address_inet_port(tlocal_addr));
-	}
-
-	if (tremote_addr) {
-		remote_addr = talloc_asprintf(gensec_sasl_state,
-				"%s;%d",
-				tsocket_address_inet_addr_string(tremote_addr, gensec_sasl_state),
-				tsocket_address_inet_port(tremote_addr));
-	}
-	gensec_sasl_state->step = 0;
-
-	sasl_ret = sasl_client_new(service,
-				   target_name,
-				   local_addr, remote_addr, callbacks, 0,
-				   &gensec_sasl_state->conn);
-	
-	if (sasl_ret == SASL_OK) {
-		sasl_security_properties_t props;
-		talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
-		
-		ZERO_STRUCT(props);
-		if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
-			props.min_ssf = 1;
-			props.max_ssf = 1;
-			props.maxbufsize = 65536;
-			gensec_sasl_state->wrap = true;
-		}
-		if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
-			props.min_ssf = 40;
-			props.max_ssf = UINT_MAX;
-			props.maxbufsize = 65536;
-			gensec_sasl_state->wrap = true;
-		}
-
-		sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
-	}
-	if (sasl_ret != SASL_OK) {
-		DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
-	}
-	return sasl_nt_status(sasl_ret);
-}
-
-static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security, 
-				   TALLOC_CTX *out_mem_ctx, 
-				   struct tevent_context *ev,
-				   const DATA_BLOB in, DATA_BLOB *out) 
-{
-	struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
-								      struct gensec_sasl_state);
-	int sasl_ret;
-	const char *out_data;
-	unsigned int out_len;
-
-	if (gensec_sasl_state->step == 0) {
-		const char *mech;
-		sasl_ret = sasl_client_start(gensec_sasl_state->conn, gensec_security->ops->sasl_name, 
-					     NULL, &out_data, &out_len, &mech);
-	} else {
-		sasl_ret = sasl_client_step(gensec_sasl_state->conn,
-					    (char*)in.data, in.length, NULL,
-					    &out_data, &out_len);
-	}
-	if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
-		*out = data_blob_talloc(out_mem_ctx, out_data, out_len);
-	} else {
-		DEBUG(1, ("GENSEC SASL: step %d update failed: %s\n", gensec_sasl_state->step, 
-			  sasl_errdetail(gensec_sasl_state->conn)));
-	}
-	gensec_sasl_state->step++;
-	return sasl_nt_status(sasl_ret);
-}
-
-static NTSTATUS gensec_sasl_unwrap_packets(struct gensec_security *gensec_security, 
-					TALLOC_CTX *out_mem_ctx, 
-					const DATA_BLOB *in, 
-					DATA_BLOB *out,
-					size_t *len_processed) 
-{
-	struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
-								      struct gensec_sasl_state);
-	const char *out_data;
-	unsigned int out_len;
-
-	int sasl_ret = sasl_decode(gensec_sasl_state->conn,
-				   (char*)in->data, in->length, &out_data,
-				   &out_len);
-	if (sasl_ret == SASL_OK) {
-		*out = data_blob_talloc(out_mem_ctx, out_data, out_len);
-		*len_processed = in->length;
-	} else {
-		DEBUG(1, ("GENSEC SASL: unwrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
-	}
-	return sasl_nt_status(sasl_ret);
-
-}
-
-static NTSTATUS gensec_sasl_wrap_packets(struct gensec_security *gensec_security, 
-					TALLOC_CTX *out_mem_ctx, 
-					const DATA_BLOB *in, 
-					DATA_BLOB *out,
-					size_t *len_processed) 
-{
-	struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
-								      struct gensec_sasl_state);
-	const char *out_data;
-	unsigned int out_len;
-	unsigned len_permitted;
-	int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
-			(const void**)&len_permitted);
-	if (sasl_ret != SASL_OK) {
-		return sasl_nt_status(sasl_ret);
-	}
-	len_permitted = MIN(len_permitted, in->length);
-
-	sasl_ret = sasl_encode(gensec_sasl_state->conn,
-			       (char*)in->data, len_permitted, &out_data,
-			       &out_len);
-	if (sasl_ret == SASL_OK) {
-		*out = data_blob_talloc(out_mem_ctx, out_data, out_len);
-		*len_processed = in->length;
-	} else {
-		DEBUG(1, ("GENSEC SASL: wrap failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
-	}
-	return sasl_nt_status(sasl_ret);
-}
-
-/* Try to figure out what features we actually got on the connection */
-static bool gensec_sasl_have_feature(struct gensec_security *gensec_security, 
-				     uint32_t feature) 
-{
-	struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
-								      struct gensec_sasl_state);
-	sasl_ssf_t ssf;
-	int sasl_ret;
-
-	/* If we did not elect to wrap, then we have neither sign nor seal, no matter what the SSF claims */
-	if (!gensec_sasl_state->wrap) {
-		return false;
-	}
-	
-	sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
-			(const void**)&ssf);
-	if (sasl_ret != SASL_OK) {
-		return false;
-	}
-	if (feature & GENSEC_FEATURE_SIGN) {
-		if (ssf == 0) {
-			return false;
-		}
-		if (ssf >= 1) {
-			return true;
-		}
-	}
-	if (feature & GENSEC_FEATURE_SEAL) {
-		if (ssf <= 1) {
-			return false;
-		}
-		if (ssf > 1) {
-			return true;
-		}
-	}
-	return false;
-}
-
-/* This could in theory work with any SASL mech */
-static const struct gensec_security_ops gensec_sasl_security_ops = {
-	.name             = "sasl-DIGEST-MD5",
-	.sasl_name        = "DIGEST-MD5",
-	.client_start     = gensec_sasl_client_start,
-	.update 	  = gensec_sasl_update,
-	.wrap_packets     = gensec_sasl_wrap_packets,
-	.unwrap_packets   = gensec_sasl_unwrap_packets,
-	.have_feature     = gensec_sasl_have_feature,
-	.enabled          = true,
-	.priority         = GENSEC_SASL
-};
-
-static int gensec_sasl_log(void *context, 
-		    int sasl_log_level,
-		    const char *message) 
-{
-	int dl;
-	switch (sasl_log_level) {
-	case SASL_LOG_NONE:
-		dl = 0;
-		break;
-	case SASL_LOG_ERR:
-		dl = 1;
-		break;
-	case SASL_LOG_FAIL:
-		dl = 2;
-		break;
-	case SASL_LOG_WARN:
-		dl = 3;
-		break;
-	case SASL_LOG_NOTE:
-		dl = 5;
-		break;
-	case SASL_LOG_DEBUG:
-		dl = 10;
-		break;
-	case SASL_LOG_TRACE:
-		dl = 11;
-		break;
-#if DEBUG_PASSWORD
-	case SASL_LOG_PASS:
-		dl = 100;
-		break;
-#endif
-	default:
-		dl = 0;
-		break;
-	}
-	DEBUG(dl, ("gensec_sasl: %s\n", message));
-
-	return SASL_OK;
-}
-
-NTSTATUS gensec_sasl_init(void)
-{
-	NTSTATUS ret;
-	int sasl_ret;
-#if 0
-	int i;
-	const char **sasl_mechs;
-#endif
-	
-	static const sasl_callback_t callbacks[] = {
-		{ 
-			.id = SASL_CB_LOG,
-			.proc = (__gensec_sasl_callback_t)gensec_sasl_log,
-			.context = NULL,
-		},
-		{
-			.id = SASL_CB_LIST_END,
-			.proc = NULL,
-			.context = NULL,
-		}
-	};
-	sasl_ret = sasl_client_init(callbacks);
-	
-	if (sasl_ret == SASL_NOMECH) {
-		/* Nothing to do here */
-		return NT_STATUS_OK;
-	}
-
-	if (sasl_ret != SASL_OK) {
-		return sasl_nt_status(sasl_ret);
-	}
-
-	/* For now, we just register DIGEST-MD5 */
-#if 1
-	ret = gensec_register(&gensec_sasl_security_ops);
-	if (!NT_STATUS_IS_OK(ret)) {
-		DEBUG(0,("Failed to register '%s' gensec backend!\n",
-			 gensec_sasl_security_ops.name));
-		return ret;
-	}
-#else
-	sasl_mechs = sasl_global_listmech();
-	for (i = 0; sasl_mechs && sasl_mechs[i]; i++) {
-		const struct gensec_security_ops *oldmech;
-		struct gensec_security_ops *newmech;
-		oldmech = gensec_security_by_sasl_name(NULL, sasl_mechs[i]);
-		if (oldmech) {
-			continue;
-		}
-		newmech = talloc(talloc_autofree_context(), struct gensec_security_ops);
-		if (!newmech) {
-			return NT_STATUS_NO_MEMORY;
-		}
-		*newmech = gensec_sasl_security_ops;
-		newmech->sasl_name = talloc_strdup(newmech, sasl_mechs[i]);
-		newmech->name = talloc_asprintf(newmech, "sasl-%s", sasl_mechs[i]);
-		if (!newmech->sasl_name || !newmech->name) {
-			return NT_STATUS_NO_MEMORY;
-		}
-
-		ret = gensec_register(newmech);
-		if (!NT_STATUS_IS_OK(ret)) {
-			DEBUG(0,("Failed to register '%s' gensec backend!\n",
-				 gensec_sasl_security_ops.name));
-			return ret;
-		}
-	}
-#endif
-	return NT_STATUS_OK;
-}

source4/auth/gensec/wscript_build

@@ -22,16 +22,6 @@ bld.SAMBA_MODULE('gensec_gssapi',
 	deps='gssapi samba-credentials authkrb5 com_err gensec_util'
 	)
 
-
-bld.SAMBA_MODULE('cyrus_sasl',
-	source='cyrus_sasl.c',
-	subsystem='gensec',
-	init_function='gensec_sasl_init',
-	deps='samba-credentials sasl2',
-	enabled=bld.CONFIG_SET('HAVE_SASL')
-	)
-
-
 bld.SAMBA_PYTHON('pygensec',
 	source='pygensec.c',
 	deps='gensec pytalloc-util pyparam_util',

source4/auth/wscript_configure

@@ -2,7 +2,3 @@
 
 conf.CHECK_HEADERS('security/pam_appl.h')
 conf.CHECK_FUNCS_IN('pam_start', 'pam', checklibc=True)
-
-if (conf.CHECK_HEADERS('sasl/sasl.h') and
-    conf.CHECK_FUNCS_IN('sasl_client_init', 'sasl2')):
-    conf.DEFINE('HAVE_SASL', 1)