CDRIVER-5511 disable loading Cyrus plugins on Windows by default (#1561)

* CDRIVER-5511 disable loading Cyrus plugins on Windows by default

adds the CMake option `CYRUS_PLUGIN_PATH_PREFIX` to opt-in to loading plug-ins

---------

Co-authored-by: Ezra Chung <[email protected]>

Author: kevinAlbs

CMakeLists.txt

@@ -150,6 +150,11 @@ mongo_setting(
    ]]
 )
 
+mongo_setting(CYRUS_PLUGIN_PATH_PREFIX "An absolute path prefix to enable loading Cyrus SASL plugins on Windows"
+   TYPE STRING
+   VISIBLE_IF [[ENABLE_SASL STREQUAL "CYRUS" AND WIN32]]
+)
+
 mongo_setting(ENABLE_CLIENT_SIDE_ENCRYPTION "Enable In-Use Encryption support. Requires additional support libraries."
               OPTIONS ON OFF AUTO
               DEFAULT VALUE AUTO)

NEWS

@@ -1,3 +1,10 @@
+libmongoc 1.26.2 (unreleased)
+=============================
+
+Cyrus SASL:
+
+  * Disable plugin loading with Cyrus SASL on Windows by default. To re-enable, set the CMake option `CYRUS_PLUGIN_PATH_PREFIX` to the absolute path prefix of the Cyrus SASL plugins.
+
 libmongoc 1.26.1
 ================
 

src/libmongoc/CMakeLists.txt

@@ -814,6 +814,12 @@ if (MONGOC_ENABLE_STATIC_BUILD)
    set_target_properties (mcd_rpc PROPERTIES OUTPUT_NAME "mcd-rpc")
 endif ()
 
+set_property(
+   SOURCE ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cyrus.c
+   APPEND PROPERTY COMPILE_DEFINITIONS
+   "MONGOC_CYRUS_PLUGIN_PATH_PREFIX=$<IF:$<STREQUAL:${CYRUS_PLUGIN_PATH_PREFIX},>,NULL,\"${CYRUS_PLUGIN_PATH_PREFIX}\">"
+)
+
 if (ENABLE_SHARED)
    add_library (mongoc_shared SHARED ${SOURCES} ${HEADERS} ${HEADERS_FORWARDING})
    if(WIN32)

src/libmongoc/doc/authentication.rst

@@ -79,9 +79,10 @@ GSSAPI (Kerberos) Authentication
 
 .. note::
 
-  On UNIX-like environments, Kerberos support requires compiling the driver against ``cyrus-sasl``.
+  On UNIX-like environments, Kerberos support requires compiling the driver against `Cyrus SASL <https://www.cyrusimap.org/sasl/>`_.
 
-  On Windows, Kerberos support requires compiling the driver against Windows Native SSPI or ``cyrus-sasl``. The default configuration of the driver will use Windows Native SSPI.
+  On Windows, Kerberos support requires compiling the driver against Windows Native SSPI or Cyrus SASL. The default configuration of the driver will use Windows Native SSPI.
+  Using Cyrus SASL on Windows requires configuring the CMake option ``CYRUS_PLUGIN_PATH_PREFIX`` to the absolute path prefix of the ``GSSAPI`` plugin to enable loading the plugin.
 
   To modify the default configuration, use the cmake option ``ENABLE_SASL``.
 

src/libmongoc/src/mongoc/mongoc-cyrus-private.h

@@ -46,6 +46,8 @@ struct _mongoc_cyrus_t {
 #define SASL_CALLBACK_FN(_f) ((int (*) (void)) ((void (*) (void)) (_f)))
 #endif
 
+int
+_mongoc_cyrus_verifyfile_cb (void *context, const char *file, sasl_verify_type_t type);
 void
 _mongoc_cyrus_init (mongoc_cyrus_t *sasl);
 bool

src/libmongoc/src/mongoc/mongoc-cyrus.c

@@ -126,6 +126,49 @@ _mongoc_cyrus_get_user (mongoc_cyrus_t *sasl, int param_id, const char **result,
    return (sasl->credentials.user != NULL) ? SASL_OK : SASL_FAIL;
 }
 
+static const char *
+sasl_verify_type_to_str (sasl_verify_type_t type)
+{
+   switch (type) {
+   case SASL_VRFY_PLUGIN:
+      return "SASL_VRFY_PLUGIN";
+   case SASL_VRFY_CONF:
+      return "SASL_VRFY_CONF";
+   case SASL_VRFY_PASSWD:
+      return "SASL_VRFY_PASSWD";
+   case SASL_VRFY_OTHER:
+      return "SASL_VRFY_OTHER";
+   default:
+      return "Unknown";
+   }
+}
+
+int
+_mongoc_cyrus_verifyfile_cb (void *context, const char *file, sasl_verify_type_t type)
+{
+   TRACE ("Attempting to load file: `%s`. Type is %s\n", file, sasl_verify_type_to_str (type));
+
+#ifdef _WIN32
+   // On Windows, Cyrus SASL hard-codes the plugin path.
+   // Only permit loading plugin from user configured path to prevent unintentional library loading.
+   if (type == SASL_VRFY_PLUGIN) {
+      const char *path_prefix = MONGOC_CYRUS_PLUGIN_PATH_PREFIX;
+      bool has_valid_prefix = (path_prefix && file == strstr (file, path_prefix));
+      // Check if `file` has necessary prefix.
+      if (has_valid_prefix) {
+         return SASL_OK;
+      }
+      MONGOC_WARNING ("Refusing to load Cyrus SASL plugin at: '%s'. If needed, set CYRUS_PLUGIN_PATH_PREFIX (currently "
+                      "'%s') to the absolute path prefix of the plugin during build configuration of the C Driver.",
+                      file,
+                      path_prefix ? path_prefix : "(unset)");
+      return SASL_CONTINUE;
+   }
+#endif
+
+   return SASL_OK;
+}
+
 
 void
 _mongoc_cyrus_init (mongoc_cyrus_t *sasl)
@@ -134,6 +177,7 @@ _mongoc_cyrus_init (mongoc_cyrus_t *sasl)
                                   {SASL_CB_USER, SASL_CALLBACK_FN (_mongoc_cyrus_get_user), sasl},
                                   {SASL_CB_PASS, SASL_CALLBACK_FN (_mongoc_cyrus_get_pass), sasl},
                                   {SASL_CB_CANON_USER, SASL_CALLBACK_FN (_mongoc_cyrus_canon_user), sasl},
+                                  {SASL_CB_VERIFYFILE, SASL_CALLBACK_FN (_mongoc_cyrus_verifyfile_cb), NULL},
                                   {SASL_CB_LIST_END}};
 
    BSON_ASSERT (sasl);

src/libmongoc/src/mongoc/mongoc-init.c

@@ -52,6 +52,7 @@
 
 #ifdef MONGOC_ENABLE_SASL_CYRUS
 #include <sasl/sasl.h>
+#include <mongoc-cyrus-private.h> // _mongoc_cyrus_verifyfile_cb
 
 static void *
 mongoc_cyrus_mutex_alloc (void)
@@ -110,7 +111,11 @@ static BSON_ONCE_FUN (_mongoc_do_init)
    sasl_set_mutex (
       mongoc_cyrus_mutex_alloc, mongoc_cyrus_mutex_lock, mongoc_cyrus_mutex_unlock, mongoc_cyrus_mutex_free);
 
-   status = sasl_client_init (NULL);
+   sasl_callback_t callbacks[] = {// Include callback to disable loading plugins.
+                                  {SASL_CB_VERIFYFILE, SASL_CALLBACK_FN (_mongoc_cyrus_verifyfile_cb), NULL},
+                                  {SASL_CB_LIST_END}};
+
+   status = sasl_client_init (callbacks);
    BSON_ASSERT (status == SASL_OK);
 #endif