diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index fefe1a420..4e2ca40f4 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -151,7 +151,7 @@ mingw-cross-build: script: - .gitlab-ci/meson-build.sh --run-install variables: - MESON_ARGS: --cross-file=.gitlab-ci/cross-i686-w64-mingw32.txt -Dglx=false -Dsecure-rpc=false -Dlisten_tcp=true + MESON_ARGS: --cross-file=.gitlab-ci/cross-i686-w64-mingw32.txt -Dglx=false -Dlisten_tcp=true meson-dist: extends: .common-build-and-test diff --git a/meson_options.txt b/meson_options.txt index e831d1dc9..94698f218 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -33,8 +33,6 @@ option('serverconfigdir', type: 'string', option('glx', type: 'boolean', value: true) option('xdmcp', type: 'boolean', value: true) option('xdm-auth-1', type: 'boolean', value: true) -option('secure-rpc', type: 'combo', choices: ['true', 'false', 'auto'], value: 'auto', - description: 'Enable Secure-RPC (DES) authentication') option('ipv6', type: 'combo', choices: ['true', 'false', 'auto'], value: 'auto') option('input_thread', type: 'combo', choices: ['true', 'false', 'auto'], value: 'auto') diff --git a/os/access.c b/os/access.c index c7a2ab8c5..30399c905 100644 --- a/os/access.c +++ b/os/access.c @@ -193,7 +193,6 @@ SOFTWARE. #include "osdep.h" #include "xace.h" -#include "rpcauth.h" #include "xdmcp.h" Bool defeatAccessControl = FALSE; @@ -1002,12 +1001,6 @@ ResetHosts(const char *display) hostname = ohostname + 6; } #endif -#endif -#ifdef SECURE_RPC - else if (!strncmp("nis:", lhostname, 4)) { - family = FamilyNetname; - hostname = ohostname + 4; - } #endif else if (!strncmp("si:", lhostname, 3)) { family = FamilyServerInterpreted; 
@@ -1022,14 +1015,6 @@ ResetHosts(const char *display) } } else -#ifdef SECURE_RPC - if ((family == FamilyNetname) || (strchr(hostname, '@'))) { - SecureRPCInit(); - (void) NewHost(FamilyNetname, hostname, strlen(hostname), - FALSE); - } - else -#endif /* SECURE_RPC */ #if defined(TCPCONN) { #if defined(IPv6) && defined(AF_INET6) @@ -1342,12 +1327,6 @@ AddHost(ClientPtr client, int family, unsigned length, /* of bytes in pAddr */ len = length; LocalHostEnabled = TRUE; break; -#ifdef SECURE_RPC - case FamilyNetname: - len = length; - SecureRPCInit(); - break; -#endif case FamilyInternet: #if defined(IPv6) && defined(AF_INET6) case FamilyInternet6: @@ -1431,11 +1410,6 @@ RemoveHost(ClientPtr client, int family, unsigned length, /* of bytes in p len = length; LocalHostEnabled = FALSE; break; -#ifdef SECURE_RPC - case FamilyNetname: - len = length; - break; -#endif case FamilyInternet: #if defined(IPv6) && defined(AF_INET6) case FamilyInternet6: diff --git a/os/auth.c b/os/auth.c index 20752eeb5..e768060fe 100644 --- a/os/auth.c +++ b/os/auth.c @@ -50,7 +50,6 @@ from The Open Group. #include "os/auth.h" -#include "rpcauth.h" #include "xdmcp.h" #include "xdmauth.h" #include "mitauth.h" @@ -85,15 +84,6 @@ static struct protocol protocols[] = { #endif }, #endif -#ifdef SECURE_RPC - {(unsigned short) 9, "SUN-DES-1", - SecureRPCAdd, SecureRPCCheck, SecureRPCReset, - SecureRPCFromID, SecureRPCRemove, -#ifdef XCSECURITY - NULL -#endif - }, -#endif }; #define NUM_AUTHORIZATION ARRAY_SIZE(protocols) diff --git a/os/meson.build b/os/meson.build index 25a00af90..38d3d2fae 100644 --- a/os/meson.build +++ b/os/meson.build 
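Review bot: In ResetHosts (os/access.c, the hunks at -1002 and -1022), a hosts-file entry that starts with `nis:` or contains `@` no longer matches any branch and now drops into the `#if defined(TCPCONN)` block as if it were an ordinary host name. What that block does with such a string is outside the hunk; it presumably fails the lookup and drops the entry, which fails closed but gives the administrator no sign that an entry honoured by SECURE_RPC builds is now ignored. Consider rejecting these entries explicitly in place of the removed branch and logging it, e.g. `if (!strncmp("nis:", lhostname, 4) || strchr(hostname, '@')) { ErrorF("ignoring Secure RPC netname entry \"%s\"\n", ohostname); } else`. ResetHosts starts and ends outside both hunks.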
@@ -59,41 +59,6 @@ endif os_dep = [] os_c_args = [] -rpc_dep = [] -opt_secure_rpc = get_option('secure-rpc') -if opt_secure_rpc != 'false' - build_secure_rpc = true - - # prefer libtirpc (if available), otherwise ensure RPC functions are - # provided by libc. - rpc_dep = dependency('libtirpc', required: false, include_type: 'system') - if not (rpc_dep.found() or cc.has_header('rpc/rpc.h')) - if opt_secure_rpc == 'true' - error('secure-rpc requested, but neither libtirpc or libc RPC support were found') - else - message('secure-rpc disabled since neither libtirpc or libc RPC support were found') - build_secure_rpc = false - endif - endif - # XXX: also check if RPC library provides xdr_opaque_auth, authdes_(sec)create ??? - - if not (cc.has_member('struct authdes_cred', 'adc_fullname', - prefix : '#include ', - dependencies: rpc_dep)) - if opt_secure_rpc == 'true' - error('secure-rpc requested, but RPC implementation lacking struct authdes_cred') - else - message('secure-rpc disable since RPC implementation lacking struct authdes_cred') - build_secure_rpc = false - endif - endif - - if build_secure_rpc - os_c_args += '-DSECURE_RPC' - srcs_os += 'rpcauth.c' - endif -endif - if get_option('xres') # Only the XRes extension cares about the client ID. os_c_args += '-DCLIENTIDS' @@ -125,7 +90,6 @@ libxserver_os = static_library('libxserver_os', common_dep, dl_dep, sha1_dep, - rpc_dep, os_dep, dependency('xau') ], diff --git a/os/rpcauth.c b/os/rpcauth.c deleted file mode 100644 index d3d4e4bd8..000000000 --- a/os/rpcauth.c +++ /dev/null 
@@ -1,193 +0,0 @@
-/*
-
-Copyright 1991, 1998 The Open Group
-
-Permission to use, copy, modify, distribute, and sell this software and its
-documentation for any purpose is hereby granted without fee, provided that
-the above copyright notice appear in all copies and that both that
-copyright notice and this permission notice appear in supporting
-documentation.
-
-The above copyright notice and this permission notice shall be included
-in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR
-OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
-ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
-OTHER DEALINGS IN THE SOFTWARE.
-
-Except as contained in this notice, the name of The Open Group shall
-not be used in advertising or otherwise to promote the sale, use or
-other dealings in this Software without prior written authorization
-from The Open Group.
-
-*/
-
-/*
- * SUN-DES-1 authentication mechanism
- * Author: Mayank Choudhary, Sun Microsystems
- */
-
-#ifdef HAVE_DIX_CONFIG_H
-#include
-#endif
-
-#ifdef SECURE_RPC
-
-#include
-#include
-
-#include "os/auth.h"
-
-#include "misc.h"
-#include "os.h"
-#include "osdep.h"
-#include "dixstruct.h"
-#include "rpcauth.h"
-
-#include
-
-#ifdef __sun
-/* only includes this if _KERNEL is #defined...
*/
-extern bool_t xdr_opaque_auth(XDR *, struct opaque_auth *);
-#endif
-
-static enum auth_stat why;
-
-static char *
-authdes_ezdecode(const char *inmsg, int len)
-{
- struct rpc_msg msg;
- char cred_area[MAX_AUTH_BYTES];
- char verf_area[MAX_AUTH_BYTES];
- char *temp_inmsg;
- struct svc_req r;
- bool_t res0, res1;
- XDR xdr;
- SVCXPRT xprt;
-
- temp_inmsg = malloc(len);
- if (temp_inmsg == NULL) {
- why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
- return NULL;
- }
- memcpy(temp_inmsg, inmsg, len);
-
- memset((char *) &msg, 0, sizeof(msg));
- memset((char *) &r, 0, sizeof(r));
- memset(cred_area, 0, sizeof(cred_area));
- memset(verf_area, 0, sizeof(verf_area));
-
- msg.rm_call.cb_cred.oa_base = cred_area;
- msg.rm_call.cb_verf.oa_base = verf_area;
- why = AUTH_FAILED;
- xdrmem_create(&xdr, temp_inmsg, len, XDR_DECODE);
-
- if ((r.rq_clntcred = malloc(MAX_AUTH_BYTES)) == NULL)
- goto bad1;
- r.rq_xprt = &xprt;
-
- /* decode into msg */
- res0 = xdr_opaque_auth(&xdr, &(msg.rm_call.cb_cred));
- res1 = xdr_opaque_auth(&xdr, &(msg.rm_call.cb_verf));
- if (!(res0 && res1))
- goto bad2;
-
- /* do the authentication */
-
- r.rq_cred = msg.rm_call.cb_cred; /* read by opaque stuff */
- if (r.rq_cred.oa_flavor != AUTH_DES) {
- why = AUTH_TOOWEAK;
- goto bad2;
- }
-#ifdef SVR4
- if ((why = __authenticate(&r, &msg)) != AUTH_OK) {
-#else
- if ((why = _authenticate(&r, &msg)) != AUTH_OK) {
-#endif
- goto bad2;
- }
- return (((struct authdes_cred *) r.rq_clntcred)->adc_fullname.name);
-
- bad2:
- free(r.rq_clntcred);
- bad1:
- return ((char *) 0); /* ((struct authdes_cred *) NULL); */
-}
-
-static XID rpc_id = (XID) ~0L;
-
-static Bool
-CheckNetName(unsigned char *addr, short len, void *closure)
-{
- return (len == strlen((char *) closure) &&
- strncmp((char *) addr, (char *) closure, len) == 0);
-}
-
-static char rpc_error[MAXNETNAMELEN + 50];
-
-_X_HIDDEN XID
-SecureRPCCheck(unsigned short data_length, const char *data,
- ClientPtr client, const char 
**reason)
-{
- char *fullname;
-
- if (rpc_id == (XID) ~0L) {
- *reason = "Secure RPC authorization not initialized";
- }
- else {
- fullname = authdes_ezdecode(data, data_length);
- if (fullname == (char *) 0) {
- snprintf(rpc_error, sizeof(rpc_error),
- "Unable to authenticate secure RPC client (why=%d)", why);
- *reason = rpc_error;
- }
- else {
- if (ForEachHostInFamily(FamilyNetname, CheckNetName, fullname))
- return rpc_id;
- snprintf(rpc_error, sizeof(rpc_error),
- "Principal \"%s\" is not authorized to connect", fullname);
- *reason = rpc_error;
- }
- }
- return (XID) ~0L;
-}
-
-_X_HIDDEN void
-SecureRPCInit(void)
-{
- if (rpc_id == (XID) ~0L)
- AddAuthorization(9, "SUN-DES-1", 0, (char *) 0);
-}
-
-_X_HIDDEN int
-SecureRPCAdd(unsigned short data_length, const char *data, XID id)
-{
- if (data_length)
- AddHost((void *) 0, FamilyNetname, data_length, data);
- rpc_id = id;
- return 1;
-}
-
-_X_HIDDEN int
-SecureRPCReset(void)
-{
- rpc_id = (XID) ~0L;
- return 1;
-}
-
-_X_HIDDEN int
-SecureRPCFromID(XID id, unsigned short *data_lenp, char **datap)
-{
- return 0;
-}
-
-_X_HIDDEN int
-SecureRPCRemove(unsigned short data_length, const char *data)
-{
- return 0;
-}
-#endif /* SECURE_RPC */
diff --git a/os/rpcauth.h b/os/rpcauth.h
deleted file mode 100644
index 255eafcea..000000000
--- a/os/rpcauth.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef _XSERVER_OS_RPCAUTH_H
-#define _XSERVER_OS_RPCAUTH_H
-
-#include "auth.h"
-
-void SecureRPCInit(AuthInitArgs);
-XID SecureRPCCheck(AuthCheckArgs);
-int SecureRPCAdd(AuthAddCArgs);
-int SecureRPCFromID(AuthFromIDArgs);
-int SecureRPCRemove(AuthRemCArgs);
-int SecureRPCReset(AuthRstCArgs);
-
-#endif /* _XSERVER_OS_RPCAUTH_H */
diff --git a/test/scripts/build-travis-osx.sh b/test/scripts/build-travis-osx.sh
index d9632490d..e0ec8e2cf 100755
--- a/test/scripts/build-travis-osx.sh
+++ b/test/scripts/build-travis-osx.sh
@@ -45,6 +45,6 @@ fi popd # build -meson _build/ -Dprefix=/opt/X11 -Dsecure-rpc=false +meson _build/ -Dprefix=/opt/X11 DESTDIR=$(pwd)/staging ninja -C _build/ install ninja -C _build/ test