auth: Remove S/Key mechanism & password scheme
authorJosef 'Jeff' Sipek <jeff.sipek@open-xchange.com>
Fri, 16 Oct 2020 13:01:19 +0000 (09:01 -0400)
committertimo.sirainen <timo.sirainen@open-xchange.com>
Wed, 11 Nov 2020 09:24:30 +0000 (09:24 +0000)
doc/example-config/conf.d/10-auth.conf
src/auth/Makefile.am
src/auth/main.c
src/auth/mech-otp-common.c [moved from src/auth/mech-otp-skey-common.c with 89% similarity]
src/auth/mech-otp-common.h [moved from src/auth/mech-otp-skey-common.h with 74% similarity]
src/auth/mech-otp.c
src/auth/mech-skey.c [deleted file]
src/auth/mech.c
src/auth/password-scheme.c
src/auth/test-libpassword.c
src/auth/test-mech.c

index 1c59eb449de719a5beb3625652ec525e89e39a19..1b139d8c0d5c8f5782ba024e95f3e5d476263918 100644 (file)
@@ -94,7 +94,7 @@
 #auth_ssl_username_from_cert = no
 
 # Space separated list of wanted authentication mechanisms:
-#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
+#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
 #   gss-spnego
 # NOTE: See also disable_plaintext_auth setting.
 auth_mechanisms = plain
index 50e451b25cbe89f88e9867707fb60d0846393af3..159435d40e5e1844db66faa5105953a1d4383d53 100644 (file)
@@ -92,7 +92,7 @@ libauth_la_SOURCES = \
        auth-client-connection.c \
        auth-master-connection.c \
        auth-policy.c \
-       mech-otp-skey-common.c \
+       mech-otp-common.c \
        mech-plain-common.c \
        auth-penalty.c \
        auth-request.c \
@@ -122,7 +122,6 @@ libauth_la_SOURCES = \
        mech-ntlm.c \
        mech-otp.c \
        mech-scram.c \
-       mech-skey.c \
        mech-apop.c \
        mech-winbind.c \
        mech-dovecot-token.c \
@@ -162,7 +161,7 @@ headers = \
        auth-client-connection.h \
        auth-common.h \
        auth-master-connection.h \
-       mech-otp-skey-common.h \
+       mech-otp-common.h \
        mech-plain-common.h \
        mech-digest-md5-private.h \
        mech-scram.h \
index 85b83befea0064ad027429d0dfc68372cadfb8df..7fa6bb0cee5e198be9cfa697e3201fda7964e762 100644 (file)
@@ -20,7 +20,7 @@
 #include "passdb-cache.h"
 #include "mech.h"
 #include "otp.h"
-#include "mech-otp-skey-common.h"
+#include "mech-otp-common.h"
 #include "auth.h"
 #include "auth-penalty.h"
 #include "auth-token.h"
similarity index 89%
rename from src/auth/mech-otp-skey-common.c
rename to src/auth/mech-otp-common.c
index ab00a411c0083e086d5242b67b1f5cc8d8b63322..753fcbbbed79a497a60ee286441c8b272577dd3d 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Common code for OTP and SKEY authentication mechanisms.
+ * Common code for OTP authentication mechanisms.
  *
  * Copyright (c) 2006 Andrey Panin <pazke@donpac.ru>
  *
@@ -11,7 +11,7 @@
 #include "mech.h"
 
 #include "otp.h"
-#include "mech-otp-skey-common.h"
+#include "mech-otp-common.h"
 
 static HASH_TABLE(char *, struct auth_request *) otp_lock_table;
 
@@ -58,7 +58,7 @@ void otp_set_credentials_callback(bool success,
        otp_unlock(auth_request);
 }
 
-void mech_otp_skey_auth_free(struct auth_request *auth_request)
+void mech_otp_auth_free(struct auth_request *auth_request)
 {
        otp_unlock(auth_request);
 
similarity index 74%
rename from src/auth/mech-otp-skey-common.h
rename to src/auth/mech-otp-common.h
index ca64c810b9433267f573f7efbf3a8abd101e14e8..37a6551a158a472a3a552976c733b4ca5af7e72a 100644 (file)
@@ -1,5 +1,5 @@
-#ifndef MECH_OTP_SKEY_COMMON_H
-#define MECH_OTP_SKEY_COMMON_H
+#ifndef MECH_OTP_COMMON_H
+#define MECH_OTP_COMMON_H
 
 struct otp_auth_request {
        struct auth_request auth_request;
@@ -17,7 +17,7 @@ void otp_unlock(struct auth_request *auth_request);
 
 void otp_set_credentials_callback(bool success,
                                  struct auth_request *auth_request);
-void mech_otp_skey_auth_free(struct auth_request *auth_request);
+void mech_otp_auth_free(struct auth_request *auth_request);
 void mech_otp_deinit(void);
 
 #endif
index 2df2b94e764f4b9aa88736bdf03db5d9c38d5b5d..58f3db15e09c374d359c7ee32896d0d2d0d1b590 100644 (file)
@@ -13,7 +13,7 @@
 #include "passdb.h"
 #include "hex-binary.h"
 #include "otp.h"
-#include "mech-otp-skey-common.h"
+#include "mech-otp-common.h"
 
 static void 
 otp_send_challenge(struct auth_request *auth_request,
@@ -54,24 +54,6 @@ otp_send_challenge(struct auth_request *auth_request,
                                            strlen(answer));
 }
 
-static void
-skey_credentials_callback(enum passdb_result result,
-                         const unsigned char *credentials, size_t size,
-                         struct auth_request *auth_request)
-{
-       switch (result) {
-       case PASSDB_RESULT_OK:
-               otp_send_challenge(auth_request, credentials, size);
-               break;
-       case PASSDB_RESULT_INTERNAL_FAILURE:
-               auth_request_internal_failure(auth_request);
-               break;
-       default:
-               auth_request_fail(auth_request);
-               break;
-       }
-}
-
 static void
 otp_credentials_callback(enum passdb_result result,
                         const unsigned char *credentials, size_t size,
@@ -85,9 +67,7 @@ otp_credentials_callback(enum passdb_result result,
                auth_request_internal_failure(auth_request);
                break;
        default:
-               /* OTP credentials not found, try S/KEY */
-               auth_request_lookup_credentials(auth_request, "OTP",
-                                               skey_credentials_callback);
+               auth_request_fail(auth_request);
                break;
        }
 }
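Review bot: The `default:` arm of otp_credentials_callback now fails every passdb result other than OK and INTERNAL_FAILURE, but the only comment that explained this branch was removed together with the S/Key fallback, so a reader no longer sees why a missing-credentials result ends the exchange here. Add a short rationale above the call, e.g. `/* no OTP credentials for this user (or any other non-OK result): fail outright, there is no second scheme to fall back to */`. Collapsing the two-stage lookup into a single uniform failure path is the right end state; the note just needs to say that this is deliberate rather than leftover. otp_credentials_callback starts outside the hunk, so the OK branch is not visible; presumably it still calls otp_send_challenge as in the deleted sibling callback.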
@@ -256,5 +236,5 @@ const struct mech_module mech_otp = {
        mech_otp_auth_new,
        mech_generic_auth_initial,
        mech_otp_auth_continue,
-       mech_otp_skey_auth_free
+       mech_otp_auth_free
 };
diff --git a/src/auth/mech-skey.c b/src/auth/mech-skey.c
deleted file mode 100644 (file)
index 6f26324..0000000
+++ /dev/null
@@ -1,199 +0,0 @@
-/*
- * S/Key (RFC 1731) authentication mechanism.
- *
- * Copyright (c) 2006 Andrey Panin <pazke@donpac.ru>
- *
- * This software is released under the MIT license.
- */
-
-#include "auth-common.h"
-#include "safe-memset.h"
-#include "hash.h"
-#include "mech.h"
-#include "passdb.h"
-#include "hex-binary.h"
-#include "otp.h"
-#include "mech-otp-skey-common.h"
-
-static void 
-skey_send_challenge(struct auth_request *auth_request,
-                   const unsigned char *credentials, size_t size)
-{
-       struct otp_auth_request *request =
-               (struct otp_auth_request *)auth_request;
-       const char *answer;
-
-       if (otp_parse_dbentry(t_strndup(credentials, size),
-                             &request->state) != 0) {
-               e_error(request->auth_request.mech_event,
-                       "invalid OTP data in passdb");
-               auth_request_fail(auth_request);
-               return;
-       }
-
-       if (request->state.algo != OTP_HASH_MD4) {
-               e_error(request->auth_request.mech_event,
-                       "md4 hash is needed");
-               auth_request_fail(auth_request);
-               return;
-       }
-
-       if (--request->state.seq < 1) {
-               e_error(request->auth_request.mech_event,
-                       "sequence number < 1");
-               auth_request_fail(auth_request);
-               return;
-       }
-
-       request->lock = otp_try_lock(auth_request);
-       if (!request->lock) {
-               e_error(request->auth_request.mech_event,
-                       "user is locked, race attack?");
-               auth_request_fail(auth_request);
-               return;
-       }
-
-       answer = p_strdup_printf(request->pool, "%u %s",
-                                request->state.seq, request->state.seed);
-
-       auth_request_handler_reply_continue(auth_request, answer,
-                                           strlen(answer));
-}
-
-static void
-otp_credentials_callback(enum passdb_result result,
-                        const unsigned char *credentials, size_t size,
-                        struct auth_request *auth_request)
-{
-       switch (result) {
-       case PASSDB_RESULT_OK:
-               skey_send_challenge(auth_request, credentials, size);
-               break;
-       case PASSDB_RESULT_INTERNAL_FAILURE:
-               auth_request_internal_failure(auth_request);
-               break;
-       default:
-               auth_request_fail(auth_request);
-               break;
-       }
-}
-
-static void
-skey_credentials_callback(enum passdb_result result,
-                         const unsigned char *credentials, size_t size,
-                         struct auth_request *auth_request)
-{
-       switch (result) {
-       case PASSDB_RESULT_OK:
-               skey_send_challenge(auth_request, credentials, size);
-               break;
-       case PASSDB_RESULT_INTERNAL_FAILURE:
-               auth_request_internal_failure(auth_request);
-               break;
-       default:
-               /* S/KEY credentials not found, try OTP */
-               auth_request_lookup_credentials(auth_request, "OTP",
-                                               otp_credentials_callback);
-               break;
-       }
-}
-
-static void
-mech_skey_auth_phase1(struct auth_request *auth_request,
-                     const unsigned char *data, size_t data_size)
-{
-       const char *username, *error;
-
-       username = t_strndup(data, data_size);
-
-       if (!auth_request_set_username(auth_request, username, &error)) {
-               e_info(auth_request->mech_event,
-                      "%s", error);
-               auth_request_fail(auth_request);
-               return;
-       }
-
-       auth_request_lookup_credentials(auth_request, "SKEY",
-                                       skey_credentials_callback);
-}
-
-static void
-mech_skey_auth_phase2(struct auth_request *auth_request,
-                     const unsigned char *data, size_t data_size)
-{
-       struct otp_auth_request *request =
-               (struct otp_auth_request *)auth_request;
-       struct otp_state *state = &request->state;
-       unsigned char hash[OTP_HASH_SIZE], cur_hash[OTP_HASH_SIZE];
-       int ret;
-
-       if (data_size == 8) {
-               memcpy(hash, data, 8);
-       } else {
-               const char *words = t_strndup(data, data_size);
-
-               ret = otp_parse_response(words, hash, FALSE);
-               if (ret < 0) {
-                       e_error(request->auth_request.mech_event,
-                               "invalid response");
-                       auth_request_fail(auth_request);
-                       otp_unlock(auth_request);
-                       return;
-               }
-       }
-
-       otp_next_hash(state->algo, hash, cur_hash);
-
-       ret = memcmp(cur_hash, state->hash, OTP_HASH_SIZE);
-       if (ret != 0) {
-               auth_request_fail(auth_request);
-               otp_unlock(auth_request);
-               return;
-       }
-
-       memcpy(state->hash, hash, sizeof(state->hash));
-
-       auth_request_set_credentials(auth_request, "OTP",
-                                    otp_print_dbentry(state),
-                                    otp_set_credentials_callback);
-}
-
-static void
-mech_skey_auth_continue(struct auth_request *auth_request,
-                      const unsigned char *data, size_t data_size)
-{
-       if (auth_request->fields.user == NULL) {
-               mech_skey_auth_phase1(auth_request, data, data_size);
-       } else {
-               mech_skey_auth_phase2(auth_request, data, data_size);
-       }
-}
-
-static struct auth_request *mech_skey_auth_new(void)
-{
-       struct otp_auth_request *request;
-       pool_t pool;
-
-       otp_lock_init();
-
-       pool = pool_alloconly_create(MEMPOOL_GROWING"skey_auth_request", 2048);
-       request = p_new(pool, struct otp_auth_request, 1);
-       request->pool = pool;
-       request->lock = FALSE;
-
-       request->auth_request.refcount = 1;
-       request->auth_request.pool = pool;
-       return &request->auth_request;
-}
-
-const struct mech_module mech_skey = {
-       "SKEY",
-
-       .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
-       .passdb_need = MECH_PASSDB_NEED_SET_CREDENTIALS,
-
-       mech_skey_auth_new,
-       mech_generic_auth_initial,
-       mech_skey_auth_continue,
-       mech_otp_skey_auth_free
-};
index 956243f599b5f52aa337eb5e002ec0ec22a04099..b0ddfb713cfd207475d3852111c6a4f4d48e1f50 100644 (file)
@@ -75,7 +75,6 @@ extern const struct mech_module mech_ntlm;
 extern const struct mech_module mech_otp;
 extern const struct mech_module mech_scram_sha1;
 extern const struct mech_module mech_scram_sha256;
-extern const struct mech_module mech_skey;
 extern const struct mech_module mech_anonymous;
 #ifdef HAVE_GSSAPI
 extern const struct mech_module mech_gssapi;
@@ -212,7 +211,6 @@ void mech_init(const struct auth_settings *set)
        mech_register_module(&mech_otp);
        mech_register_module(&mech_scram_sha1);
        mech_register_module(&mech_scram_sha256);
-       mech_register_module(&mech_skey);
        mech_register_module(&mech_anonymous);
 #ifdef BUILTIN_GSSAPI
        mech_register_module(&mech_gssapi);
@@ -241,7 +239,6 @@ void mech_deinit(const struct auth_settings *set)
        mech_unregister_module(&mech_otp);
        mech_unregister_module(&mech_scram_sha1);
        mech_unregister_module(&mech_scram_sha256);
-       mech_unregister_module(&mech_skey);
        mech_unregister_module(&mech_anonymous);
 #ifdef BUILTIN_GSSAPI
        mech_unregister_module(&mech_gssapi);
index cae4463b6643a79c0226b7491469dda85d4b1744..3d94c4a8030f5b6f47a24dd9583be09fb500b432 100644 (file)
@@ -763,18 +763,6 @@ otp_generate(const char *plaintext, const struct password_generate_params *param
        *size_r = strlen(password);
 }
 
-static void
-skey_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
-             const unsigned char **raw_password_r, size_t *size_r)
-{
-       const char *password;
-
-       if (password_generate_otp(plaintext, NULL, OTP_HASH_MD4, &password) < 0)
-               i_unreached();
-       *raw_password_r = (const unsigned char *)password;
-       *size_r = strlen(password);
-}
-
 static const struct password_scheme builtin_schemes[] = {
        { "MD5", PW_ENCODING_NONE, 0, md5_verify, md5_crypt_generate },
        { "MD5-CRYPT", PW_ENCODING_NONE, 0,
@@ -812,7 +800,6 @@ static const struct password_scheme builtin_schemes[] = {
        { "LANMAN", PW_ENCODING_HEX, LM_HASH_SIZE, NULL, lm_generate },
        { "NTLM", PW_ENCODING_HEX, NTLMSSP_HASH_SIZE, NULL, ntlm_generate },
        { "OTP", PW_ENCODING_NONE, 0, otp_verify, otp_generate },
-       { "SKEY", PW_ENCODING_NONE, 0, otp_verify, skey_generate },
         { "PBKDF2", PW_ENCODING_NONE, 0, pbkdf2_verify, pbkdf2_generate },
 };
 
index 66f529f4748c99708f43ff42a48532b08d6b20f2..21cffae9646680816870b7a98faa45a4fa8066f3 100644 (file)
@@ -13,7 +13,6 @@ static struct {
 } known_non_aliases[] = {
        { "MD5", "DES-CRYPT" },
        { "MD5-CRYPT", "DES-CRYPT" },
-       { "SKEY", "OTP" },
        { "ARGON2ID", "ARGON2I" },
 };
 
@@ -111,7 +110,6 @@ static void test_password_schemes(void)
        test_password_scheme("MD5-CRYPT", "{MD5-CRYPT}$1$GgvxyNz8$OjZhLh4P.gF1lxYEbLZ3e/", "test");
        test_password_scheme("OTP", "{OTP}sha1 1024 ae6b49aa481f7233 f69fc7f98b8fbf54", "test");
        test_password_scheme("PBKDF2", "{PBKDF2}$1$bUnT4Pl7yFtYX0KU$5000$50a83cafdc517b9f46519415e53c6a858908680a", "test");
-       test_password_scheme("SKEY", "{SKEY}md4 1024 ce20d20fae368ff2 689aea1b24ed6438", "test");
        test_password_scheme("CRAM-MD5", "{CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6", "test");
        test_password_scheme("DIGEST-MD5", "{DIGEST-MD5}77c1a8c437c9b08ba2f460fe5d58db5d", "test");
        test_password_scheme("SCRAM-SHA-1", "{SCRAM-SHA-1}4096,GetyLXdBuHzf1FWf8SLz2Q==,NA/OqmF4hhrsrB9KR7po+dliTGM=,QBiURvQaE6H6qYTmeghDHLANBFQ=", "test");
index f30c1db074fe8bc4ef3dcde88ce2312bb6e7fe68..8d0d680f855ba474014aae0462f92eab9c53f3da 100644 (file)
@@ -9,7 +9,7 @@
 #include "auth-settings.h"
 #include "mech-digest-md5-private.h"
 #include "otp.h"
-#include "mech-otp-skey-common.h"
+#include "mech-otp-common.h"
 #include "settings-parser.h"
 #include "password-scheme.h"
 #include "auth-token.h"