hasl/hasl

Fix some issues with the PLAIN mechanism

11 months ago, Gary Kramlich
001018017f56
Parents d3cd2785f913
Children 71b8d5666b25
Fix some issues with the PLAIN mechanism

Testing Done:
Ran the unit tests and verified the docs.

Reviewed at https://reviews.imfreedom.org/r/2506/
--- a/hasl/haslmechanismplain.c Fri Jul 14 01:55:52 2023 -0500
+++ b/hasl/haslmechanismplain.c Fri Jul 14 02:03:50 2023 -0500
@@ -39,24 +39,24 @@
value = hasl_context_get_username(context);
if(value == NULL || value[0] == '\0') {
- g_set_error(error, HASL_MECHANISM_PLAIN_DOMAIN, 0,
- _("missing username"));
+ g_set_error_literal(error, HASL_MECHANISM_PLAIN_DOMAIN, 0,
+ _("missing username"));
return FALSE;
}
value = hasl_context_get_password(context);
if(value == NULL || value[0] == '\0') {
- g_set_error(error, HASL_MECHANISM_PLAIN_DOMAIN, 0,
- _("missing password"));
+ g_set_error_literal(error, HASL_MECHANISM_PLAIN_DOMAIN, 0,
+ _("missing password"));
return FALSE;
}
if(!hasl_context_get_allow_clear_text(context)) {
if(!hasl_context_get_tls(context)) {
- g_set_error(error, HASL_MECHANISM_PLAIN_DOMAIN, 0,
- _("plain text is not allowed without TLS"));
+ g_set_error_literal(error, HASL_MECHANISM_PLAIN_DOMAIN, 0,
+ _("plain text is not allowed without TLS"));
return FALSE;
}
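Review bot: All three failures in this hunk are reported with error code `0`, so a caller cannot tell the clear-text policy refusal ("plain text is not allowed without TLS") apart from a missing credential without comparing translated message text. An application that needs to handle the refusal specifically, for instance by requiring TLS before it retries rather than prompting for the password again, needs a stable code for it. Consider a small error-code enum for `HASL_MECHANISM_PLAIN_DOMAIN` (names are the project's to choose) and pass the matching value instead of `0` in the third `g_set_error_literal` call. The `possible` tests in test-mechanism-plain.c could then assert which check rejected the context. The enclosing function starts and ends outside this hunk.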
@@ -83,14 +83,16 @@
username = hasl_context_get_username(ctx);
if(username == NULL || username[0] == '\0') {
- g_set_error(error, HASL_DOMAIN, 0, _("no username provided"));
+ g_set_error_literal(error, HASL_MECHANISM_PLAIN_DOMAIN, 0,
+ _("no username provided"));
return HASL_MECHANISM_RESULT_ERROR;
}
password = hasl_context_get_password(ctx);
if(password == NULL || password[0] == '\0') {
- g_set_error(error, HASL_DOMAIN, 0, _("no password provided"));
+ g_set_error_literal(error, HASL_MECHANISM_PLAIN_DOMAIN, 0,
+ _("no password provided"));
return HASL_MECHANISM_RESULT_ERROR;
}
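Review bot: The checks visible in this step path reject an empty username or password, but nothing in the hunk re-checks the clear-text policy before the password is used, and the rest of the function lies outside the hunk. If the response is built without that check, a caller that runs the step without first consulting the possible check would send the password over a connection without TLS. Unless it already exists further down, repeat the guard here, `if(!hasl_context_get_allow_clear_text(ctx) && !hasl_context_get_tls(ctx))`, and return `HASL_MECHANISM_RESULT_ERROR` with the same message the possible check uses. A step test with TLS off and allow-clear-text unset would pin the behaviour.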
--- a/hasl/haslmechanismplain.h Fri Jul 14 01:55:52 2023 -0500
+++ b/hasl/haslmechanismplain.h Fri Jul 14 02:03:50 2023 -0500
@@ -28,6 +28,22 @@
#define HASL_MECHANISM_PLAIN_DOMAIN (g_quark_from_static_string("hasl-mechanism-plain"))
+/**
+ * HaslMechanismPlain:
+ *
+ * Implements the SASL PLAIN mechanism per
+ * [RFC 4616](https://www.rfc-editor.org/rfc/rfc4616).
+ *
+ * It requires that [property@Context:username] and [property@Context:password]
+ * are set. If [property@Context:authzid] is set it will be used.
+ *
+ * This mechanism is not secure, so you must set
+ * [property@Context:allow-clear-text] to %TRUE if [property@Context:tls] is
+ * %FALSE.
+ *
+ * Since: 0.1.0
+ */
+
#define HASL_TYPE_MECHANISM_PLAIN (hasl_mechanism_plain_get_type())
G_DECLARE_FINAL_TYPE(HaslMechanismPlain, hasl_mechanism_plain, HASL,
MECHANISM_PLAIN, HaslMechanism)
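Review bot: The new doc comment says only that the mechanism is "not secure", which does not tell an integrator what is exposed when they set allow-clear-text. I would spell it out, for example `PLAIN sends the password to the server unprotected, so it relies on TLS for confidentiality; setting [property@Context:allow-clear-text] to %TRUE without TLS exposes the password to anyone who can observe the connection.` It would also help to state that errors from this mechanism are reported in `HASL_MECHANISM_PLAIN_DOMAIN`, since this commit moves the step errors into that domain.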
--- a/hasl/tests/test-mechanism-plain.c Fri Jul 14 01:55:52 2023 -0500
+++ b/hasl/tests/test-mechanism-plain.c Fri Jul 14 02:03:50 2023 -0500
@@ -35,7 +35,7 @@
result = hasl_mechanism_step(mechanism, context, NULL, 0, &client_out,
&client_out_length, &error);
- g_assert_error(error, HASL_DOMAIN, 0);
+ g_assert_error(error, HASL_MECHANISM_PLAIN_DOMAIN, 0);
g_clear_error(&error);
g_assert_cmpint(result, ==, HASL_MECHANISM_RESULT_ERROR);
@@ -89,6 +89,7 @@
HaslContext *context = NULL;
context = hasl_context_new();
+ hasl_context_set_tls(context, TRUE);
hasl_context_set_password(context, "hunter2");
test_hasl_mechanism_plain_error_test(context);
@@ -101,6 +102,7 @@
HaslContext *context = NULL;
context = hasl_context_new();
+ hasl_context_set_tls(context, TRUE);
hasl_context_set_username(context, "");
hasl_context_set_password(context, "hunter2");
@@ -114,6 +116,7 @@
HaslContext *context = NULL;
context = hasl_context_new();
+ hasl_context_set_tls(context, TRUE);
hasl_context_set_username(context, "alice");
test_hasl_mechanism_plain_error_test(context);
@@ -126,6 +129,7 @@
HaslContext *context = NULL;
context = hasl_context_new();
+ hasl_context_set_tls(context, TRUE);
hasl_context_set_username(context, "alice");
hasl_context_set_password(context, "");
@@ -136,8 +140,9 @@
static void
test_hasl_mechanism_plain_possible_empty_context(void) {
- HaslContext *context = hasl_context_new();
+ HaslContext *context = NULL;
+ context = hasl_context_new();
test_hasl_mechanism_plain_possible(context, FALSE, TRUE);
g_clear_object(&context);
@@ -145,8 +150,10 @@
static void
test_hasl_mechanism_plain_possible_username_only(void) {
- HaslContext *context = hasl_context_new();
+ HaslContext *context = NULL;
+ context = hasl_context_new();
+ hasl_context_set_tls(context, TRUE);
hasl_context_set_username(context, "alice");
test_hasl_mechanism_plain_possible(context, FALSE, TRUE);
@@ -156,8 +163,10 @@
static void
test_hasl_mechanism_plain_possible_password_only(void) {
- HaslContext *context = hasl_context_new();
+ HaslContext *context = NULL;
+ context = hasl_context_new();
+ hasl_context_set_tls(context, TRUE);
hasl_context_set_password(context, "hunter2");
test_hasl_mechanism_plain_possible(context, FALSE, TRUE);
@@ -167,11 +176,12 @@
static void
test_hasl_mechanism_plain_possible_username_password(void) {
- HaslContext *context = hasl_context_new();
+ HaslContext *context = NULL;
+ context = hasl_context_new();
+ hasl_context_set_tls(context, TRUE);
hasl_context_set_username(context, "alice");
hasl_context_set_password(context, "hunter2");
- hasl_context_set_tls(context, TRUE);
test_hasl_mechanism_plain_possible(context, TRUE, FALSE);
@@ -180,12 +190,13 @@
static void
test_hasl_mechanism_plain_possible_authzid_username_password(void) {
- HaslContext *context = hasl_context_new();
+ HaslContext *context = NULL;
+ context = hasl_context_new();
+ hasl_context_set_tls(context, TRUE);
hasl_context_set_authzid(context, "pointy haired boss");
hasl_context_set_username(context, "alice");
hasl_context_set_password(context, "hunter2");
- hasl_context_set_tls(context, TRUE);
test_hasl_mechanism_plain_possible(context, TRUE, FALSE);
@@ -194,8 +205,10 @@
static void
test_hasl_mechanism_plain_possible_allow_plain_in_clear_without_tls(void) {
- HaslContext *context = hasl_context_new();
+ HaslContext *context = NULL;
+ context = hasl_context_new();
+ hasl_context_set_tls(context, FALSE);
hasl_context_set_username(context, "alice");
hasl_context_set_password(context, "hunter2");
hasl_context_set_allow_clear_text(context, TRUE);
@@ -207,12 +220,13 @@
static void
test_hasl_mechanism_plain_possible_allow_plain_in_clear_with_tls(void) {
- HaslContext *context = hasl_context_new();
+ HaslContext *context = NULL;
+ context = hasl_context_new();
+ hasl_context_set_tls(context, TRUE);
hasl_context_set_username(context, "alice");
hasl_context_set_password(context, "hunter2");
hasl_context_set_allow_clear_text(context, TRUE);
- hasl_context_set_tls(context, TRUE);
test_hasl_mechanism_plain_possible(context, TRUE, FALSE);
@@ -221,11 +235,12 @@
static void
test_hasl_mechanism_plain_possible_allow_plain_in_clear_required(void) {
- HaslContext *context = hasl_context_new();
+ HaslContext *context = NULL;
+ context = hasl_context_new();
+ hasl_context_set_tls(context, FALSE);
hasl_context_set_username(context, "alice");
hasl_context_set_password(context, "hunter2");
- hasl_context_set_tls(context, FALSE);
test_hasl_mechanism_plain_possible(context, FALSE, TRUE);