From 84d8535ff01c5bc3128bd341eda22765a154ce51 Mon Sep 17 00:00:00 2001 From: Josef 'Jeff' Sipek Date: Fri, 16 Oct 2020 09:01:19 -0400 Subject: [PATCH] auth: Remove S/Key mechanism & password scheme --- doc/example-config/conf.d/10-auth.conf | 2 +- src/auth/Makefile.am | 5 +- src/auth/main.c | 2 +- ...ch-otp-skey-common.c => mech-otp-common.c} | 6 +- ...ch-otp-skey-common.h => mech-otp-common.h} | 6 +- src/auth/mech-otp.c | 26 +-- src/auth/mech-skey.c | 199 ------------------ src/auth/mech.c | 3 - src/auth/password-scheme.c | 13 -- src/auth/test-libpassword.c | 2 - src/auth/test-mech.c | 2 +- 11 files changed, 14 insertions(+), 252 deletions(-) rename src/auth/{mech-otp-skey-common.c => mech-otp-common.c} (89%) rename src/auth/{mech-otp-skey-common.h => mech-otp-common.h} (74%) delete mode 100644 src/auth/mech-skey.c diff --git a/doc/example-config/conf.d/10-auth.conf b/doc/example-config/conf.d/10-auth.conf index 1c59eb449d..1b139d8c0d 100644 --- a/doc/example-config/conf.d/10-auth.conf +++ b/doc/example-config/conf.d/10-auth.conf @@ -94,7 +94,7 @@ #auth_ssl_username_from_cert = no # Space separated list of wanted authentication mechanisms: -# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey +# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp # gss-spnego # NOTE: See also disable_plaintext_auth setting. auth_mechanisms = plain diff --git a/src/auth/Makefile.am b/src/auth/Makefile.am index 50e451b25c..159435d40e 100644 --- a/src/auth/Makefile.am +++ b/src/auth/Makefile.am @@ -92,7 +92,7 @@ libauth_la_SOURCES = \ auth-client-connection.c \ auth-master-connection.c \ auth-policy.c \ - mech-otp-skey-common.c \ + mech-otp-common.c \ mech-plain-common.c \ auth-penalty.c \ auth-request.c \ @@ -122,7 +122,6 @@ libauth_la_SOURCES = \ mech-ntlm.c \ mech-otp.c \ mech-scram.c \ - mech-skey.c \ mech-apop.c \ mech-winbind.c \ mech-dovecot-token.c \ @@ -162,7 +161,7 @@ headers = \ auth-client-connection.h \ auth-common.h \ auth-master-connection.h \ - mech-otp-skey-common.h \ + mech-otp-common.h \ mech-plain-common.h \ mech-digest-md5-private.h \ mech-scram.h \ diff --git a/src/auth/main.c b/src/auth/main.c index 85b83befea..7fa6bb0cee 100644 --- a/src/auth/main.c +++ b/src/auth/main.c @@ -20,7 +20,7 @@ #include "passdb-cache.h" #include "mech.h" #include "otp.h" -#include "mech-otp-skey-common.h" +#include "mech-otp-common.h" #include "auth.h" #include "auth-penalty.h" #include "auth-token.h" diff --git a/src/auth/mech-otp-skey-common.c b/src/auth/mech-otp-common.c similarity index 89% rename from src/auth/mech-otp-skey-common.c rename to src/auth/mech-otp-common.c index ab00a411c0..753fcbbbed 100644 --- a/src/auth/mech-otp-skey-common.c +++ b/src/auth/mech-otp-common.c @@ -1,5 +1,5 @@ /* - * Common code for OTP and SKEY authentication mechanisms. + * Common code for OTP authentication mechanisms. * * Copyright (c) 2006 Andrey Panin * @@ -11,7 +11,7 @@ #include "mech.h" #include "otp.h" -#include "mech-otp-skey-common.h" +#include "mech-otp-common.h" static HASH_TABLE(char *, struct auth_request *) otp_lock_table; @@ -58,7 +58,7 @@ void otp_set_credentials_callback(bool success, otp_unlock(auth_request); } -void mech_otp_skey_auth_free(struct auth_request *auth_request) +void mech_otp_auth_free(struct auth_request *auth_request) { otp_unlock(auth_request); diff --git a/src/auth/mech-otp-skey-common.h b/src/auth/mech-otp-common.h similarity index 74% rename from src/auth/mech-otp-skey-common.h rename to src/auth/mech-otp-common.h index ca64c810b9..37a6551a15 100644 --- a/src/auth/mech-otp-skey-common.h +++ b/src/auth/mech-otp-common.h @@ -1,5 +1,5 @@ -#ifndef MECH_OTP_SKEY_COMMON_H -#define MECH_OTP_SKEY_COMMON_H +#ifndef MECH_OTP_COMMON_H +#define MECH_OTP_COMMON_H struct otp_auth_request { struct auth_request auth_request; @@ -17,7 +17,7 @@ void otp_unlock(struct auth_request *auth_request); void otp_set_credentials_callback(bool success, struct auth_request *auth_request); -void mech_otp_skey_auth_free(struct auth_request *auth_request); +void mech_otp_auth_free(struct auth_request *auth_request); void mech_otp_deinit(void); #endif diff --git a/src/auth/mech-otp.c b/src/auth/mech-otp.c index 2df2b94e76..58f3db15e0 100644 --- a/src/auth/mech-otp.c +++ b/src/auth/mech-otp.c @@ -13,7 +13,7 @@ #include "passdb.h" #include "hex-binary.h" #include "otp.h" -#include "mech-otp-skey-common.h" +#include "mech-otp-common.h" static void otp_send_challenge(struct auth_request *auth_request, @@ -54,24 +54,6 @@ otp_send_challenge(struct auth_request *auth_request, strlen(answer)); } -static void -skey_credentials_callback(enum passdb_result result, - const unsigned char *credentials, size_t size, - struct auth_request *auth_request) -{ - switch (result) { - case PASSDB_RESULT_OK: - otp_send_challenge(auth_request, credentials, size); - break; - case PASSDB_RESULT_INTERNAL_FAILURE: - auth_request_internal_failure(auth_request); - break; - default: - auth_request_fail(auth_request); - break; - } -} - static void otp_credentials_callback(enum passdb_result result, const unsigned char *credentials, size_t size, @@ -85,9 +67,7 @@ otp_credentials_callback(enum passdb_result result, auth_request_internal_failure(auth_request); break; default: - /* OTP credentials not found, try S/KEY */ - auth_request_lookup_credentials(auth_request, "OTP", - skey_credentials_callback); + auth_request_fail(auth_request); break; } } @@ -256,5 +236,5 @@ const struct mech_module mech_otp = { mech_otp_auth_new, mech_generic_auth_initial, mech_otp_auth_continue, - mech_otp_skey_auth_free + mech_otp_auth_free }; diff --git a/src/auth/mech-skey.c b/src/auth/mech-skey.c deleted file mode 100644 index 6f26324f5a..0000000000 --- a/src/auth/mech-skey.c +++ /dev/null @@ -1,199 +0,0 @@ -/* - * S/Key (RFC 1731) authentication mechanism. - * - * Copyright (c) 2006 Andrey Panin - * - * This software is released under the MIT license. - */ - -#include "auth-common.h" -#include "safe-memset.h" -#include "hash.h" -#include "mech.h" -#include "passdb.h" -#include "hex-binary.h" -#include "otp.h" -#include "mech-otp-skey-common.h" - -static void -skey_send_challenge(struct auth_request *auth_request, - const unsigned char *credentials, size_t size) -{ - struct otp_auth_request *request = - (struct otp_auth_request *)auth_request; - const char *answer; - - if (otp_parse_dbentry(t_strndup(credentials, size), - &request->state) != 0) { - e_error(request->auth_request.mech_event, - "invalid OTP data in passdb"); - auth_request_fail(auth_request); - return; - } - - if (request->state.algo != OTP_HASH_MD4) { - e_error(request->auth_request.mech_event, - "md4 hash is needed"); - auth_request_fail(auth_request); - return; - } - - if (--request->state.seq < 1) { - e_error(request->auth_request.mech_event, - "sequence number < 1"); - auth_request_fail(auth_request); - return; - } - - request->lock = otp_try_lock(auth_request); - if (!request->lock) { - e_error(request->auth_request.mech_event, - "user is locked, race attack?"); - auth_request_fail(auth_request); - return; - } - - answer = p_strdup_printf(request->pool, "%u %s", - request->state.seq, request->state.seed); - - auth_request_handler_reply_continue(auth_request, answer, - strlen(answer)); -} - -static void -otp_credentials_callback(enum passdb_result result, - const unsigned char *credentials, size_t size, - struct auth_request *auth_request) -{ - switch (result) { - case PASSDB_RESULT_OK: - skey_send_challenge(auth_request, credentials, size); - break; - case PASSDB_RESULT_INTERNAL_FAILURE: - auth_request_internal_failure(auth_request); - break; - default: - auth_request_fail(auth_request); - break; - } -} - -static void -skey_credentials_callback(enum passdb_result result, - const unsigned char *credentials, size_t size, - struct auth_request *auth_request) -{ - switch (result) { - case PASSDB_RESULT_OK: - skey_send_challenge(auth_request, credentials, size); - break; - case PASSDB_RESULT_INTERNAL_FAILURE: - auth_request_internal_failure(auth_request); - break; - default: - /* S/KEY credentials not found, try OTP */ - auth_request_lookup_credentials(auth_request, "OTP", - otp_credentials_callback); - break; - } -} - -static void -mech_skey_auth_phase1(struct auth_request *auth_request, - const unsigned char *data, size_t data_size) -{ - const char *username, *error; - - username = t_strndup(data, data_size); - - if (!auth_request_set_username(auth_request, username, &error)) { - e_info(auth_request->mech_event, - "%s", error); - auth_request_fail(auth_request); - return; - } - - auth_request_lookup_credentials(auth_request, "SKEY", - skey_credentials_callback); -} - -static void -mech_skey_auth_phase2(struct auth_request *auth_request, - const unsigned char *data, size_t data_size) -{ - struct otp_auth_request *request = - (struct otp_auth_request *)auth_request; - struct otp_state *state = &request->state; - unsigned char hash[OTP_HASH_SIZE], cur_hash[OTP_HASH_SIZE]; - int ret; - - if (data_size == 8) { - memcpy(hash, data, 8); - } else { - const char *words = t_strndup(data, data_size); - - ret = otp_parse_response(words, hash, FALSE); - if (ret < 0) { - e_error(request->auth_request.mech_event, - "invalid response"); - auth_request_fail(auth_request); - otp_unlock(auth_request); - return; - } - } - - otp_next_hash(state->algo, hash, cur_hash); - - ret = memcmp(cur_hash, state->hash, OTP_HASH_SIZE); - if (ret != 0) { - auth_request_fail(auth_request); - otp_unlock(auth_request); - return; - } - - memcpy(state->hash, hash, sizeof(state->hash)); - - auth_request_set_credentials(auth_request, "OTP", - otp_print_dbentry(state), - otp_set_credentials_callback); -} - -static void -mech_skey_auth_continue(struct auth_request *auth_request, - const unsigned char *data, size_t data_size) -{ - if (auth_request->fields.user == NULL) { - mech_skey_auth_phase1(auth_request, data, data_size); - } else { - mech_skey_auth_phase2(auth_request, data, data_size); - } -} - -static struct auth_request *mech_skey_auth_new(void) -{ - struct otp_auth_request *request; - pool_t pool; - - otp_lock_init(); - - pool = pool_alloconly_create(MEMPOOL_GROWING"skey_auth_request", 2048); - request = p_new(pool, struct otp_auth_request, 1); - request->pool = pool; - request->lock = FALSE; - - request->auth_request.refcount = 1; - request->auth_request.pool = pool; - return &request->auth_request; -} - -const struct mech_module mech_skey = { - "SKEY", - - .flags = MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE, - .passdb_need = MECH_PASSDB_NEED_SET_CREDENTIALS, - - mech_skey_auth_new, - mech_generic_auth_initial, - mech_skey_auth_continue, - mech_otp_skey_auth_free -}; diff --git a/src/auth/mech.c b/src/auth/mech.c index 956243f599..b0ddfb713c 100644 --- a/src/auth/mech.c +++ b/src/auth/mech.c @@ -75,7 +75,6 @@ extern const struct mech_module mech_ntlm; extern const struct mech_module mech_otp; extern const struct mech_module mech_scram_sha1; extern const struct mech_module mech_scram_sha256; -extern const struct mech_module mech_skey; extern const struct mech_module mech_anonymous; #ifdef HAVE_GSSAPI extern const struct mech_module mech_gssapi; @@ -212,7 +211,6 @@ void mech_init(const struct auth_settings *set) mech_register_module(&mech_otp); mech_register_module(&mech_scram_sha1); mech_register_module(&mech_scram_sha256); - mech_register_module(&mech_skey); mech_register_module(&mech_anonymous); #ifdef BUILTIN_GSSAPI mech_register_module(&mech_gssapi); @@ -241,7 +239,6 @@ void mech_deinit(const struct auth_settings *set) mech_unregister_module(&mech_otp); mech_unregister_module(&mech_scram_sha1); mech_unregister_module(&mech_scram_sha256); - mech_unregister_module(&mech_skey); mech_unregister_module(&mech_anonymous); #ifdef BUILTIN_GSSAPI mech_unregister_module(&mech_gssapi); diff --git a/src/auth/password-scheme.c b/src/auth/password-scheme.c index cae4463b66..3d94c4a803 100644 --- a/src/auth/password-scheme.c +++ b/src/auth/password-scheme.c @@ -763,18 +763,6 @@ otp_generate(const char *plaintext, const struct password_generate_params *param *size_r = strlen(password); } -static void -skey_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, - const unsigned char **raw_password_r, size_t *size_r) -{ - const char *password; - - if (password_generate_otp(plaintext, NULL, OTP_HASH_MD4, &password) < 0) - i_unreached(); - *raw_password_r = (const unsigned char *)password; - *size_r = strlen(password); -} - static const struct password_scheme builtin_schemes[] = { { "MD5", PW_ENCODING_NONE, 0, md5_verify, md5_crypt_generate }, { "MD5-CRYPT", PW_ENCODING_NONE, 0, @@ -812,7 +800,6 @@ static const struct password_scheme builtin_schemes[] = { { "LANMAN", PW_ENCODING_HEX, LM_HASH_SIZE, NULL, lm_generate }, { "NTLM", PW_ENCODING_HEX, NTLMSSP_HASH_SIZE, NULL, ntlm_generate }, { "OTP", PW_ENCODING_NONE, 0, otp_verify, otp_generate }, - { "SKEY", PW_ENCODING_NONE, 0, otp_verify, skey_generate }, { "PBKDF2", PW_ENCODING_NONE, 0, pbkdf2_verify, pbkdf2_generate }, }; diff --git a/src/auth/test-libpassword.c b/src/auth/test-libpassword.c index 66f529f474..21cffae964 100644 --- a/src/auth/test-libpassword.c +++ b/src/auth/test-libpassword.c @@ -13,7 +13,6 @@ static struct { } known_non_aliases[] = { { "MD5", "DES-CRYPT" }, { "MD5-CRYPT", "DES-CRYPT" }, - { "SKEY", "OTP" }, { "ARGON2ID", "ARGON2I" }, }; @@ -111,7 +110,6 @@ static void test_password_schemes(void) test_password_scheme("MD5-CRYPT", "{MD5-CRYPT}$1$GgvxyNz8$OjZhLh4P.gF1lxYEbLZ3e/", "test"); test_password_scheme("OTP", "{OTP}sha1 1024 ae6b49aa481f7233 f69fc7f98b8fbf54", "test"); test_password_scheme("PBKDF2", "{PBKDF2}$1$bUnT4Pl7yFtYX0KU$5000$50a83cafdc517b9f46519415e53c6a858908680a", "test"); - test_password_scheme("SKEY", "{SKEY}md4 1024 ce20d20fae368ff2 689aea1b24ed6438", "test"); test_password_scheme("CRAM-MD5", "{CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6", "test"); test_password_scheme("DIGEST-MD5", "{DIGEST-MD5}77c1a8c437c9b08ba2f460fe5d58db5d", "test"); test_password_scheme("SCRAM-SHA-1", "{SCRAM-SHA-1}4096,GetyLXdBuHzf1FWf8SLz2Q==,NA/OqmF4hhrsrB9KR7po+dliTGM=,QBiURvQaE6H6qYTmeghDHLANBFQ=", "test"); diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c index f30c1db074..8d0d680f85 100644 --- a/src/auth/test-mech.c +++ b/src/auth/test-mech.c @@ -9,7 +9,7 @@ #include "auth-settings.h" #include "mech-digest-md5-private.h" #include "otp.h" -#include "mech-otp-skey-common.h" +#include "mech-otp-common.h" #include "settings-parser.h" #include "password-scheme.h" #include "auth-token.h" -- 2.47.3