diff --git a/appl/popper/Makefile.am b/appl/popper/Makefile.am index 45af1ec47..10075a2bd 100644 --- a/appl/popper/Makefile.am +++ b/appl/popper/Makefile.am @@ -2,8 +2,6 @@ include $(top_srcdir)/Makefile.am.common -AM_CPPFLAGS += $(INCLUDE_krb4) - noinst_PROGRAMS = pop_debug libexec_PROGRAMS = popper @@ -33,7 +31,6 @@ popper_SOURCES = \ popper.c \ maildir.c \ auth_gssapi.c \ - auth_krb4.c \ popper.h \ version.h @@ -41,7 +38,6 @@ LDADD = \ $(LIB_otp) \ $(top_builddir)/lib/gssapi/libgssapi.la \ $(LIB_krb5) \ - $(LIB_krb4) \ $(LIB_hcrypto) \ $(LIB_roken) \ $(DBLIB) @@ -49,5 +45,5 @@ LDADD = \ man_MANS = popper.8 EXTRA_DIST = pop3.rfc1081 pop3e.rfc1082 \ - popper.README.release README-FIRST README-KRB4 \ + popper.README.release README-FIRST \ $(man_MANS) diff --git a/appl/popper/README-KRB4 b/appl/popper/README-KRB4 deleted file mode 100644 index f029cf97c..000000000 --- a/appl/popper/README-KRB4 +++ /dev/null @@ -1,3 +0,0 @@ -Define KERBEROS if you want support for Kerberos V4 style -authentification, then you will be able to start a kerberise pop with -the `-k' flag. diff --git a/appl/popper/auth_krb4.c b/appl/popper/auth_krb4.c deleted file mode 100644 index bbc8cb5c1..000000000 --- a/appl/popper/auth_krb4.c +++ /dev/null 
@@ -1,203 +0,0 @@
-/*
- * Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-#include
-#include
-RCSID("$Id$");
-
-
-#if defined(SASL) && defined(KRB4)
-#include
-#include
-
-struct krb4_state {
- int stage;
- uint32_t nonce;
-};
-
-static int
-krb4_loop(POP *p, void *state,
- /* const */ void *input, size_t input_length,
- void **output, size_t *output_length)
-{
- struct krb4_state *ks = state;
-
- int ret;
- des_cblock key;
- unsigned char *data;
- char instance[INST_SZ];
- des_key_schedule schedule;
-
- if(ks->stage == 0) {
- if(input_length > 0)
- return POP_AUTH_FAILURE;
- /* S -> C: 32 bit nonce in MSB base64 */
-#ifdef HAVE_OPENSSL
-#define des_new_random_key des_random_key
-#endif
- des_new_random_key(key);
- ks->nonce = (key[0] | (key[1] << 8) | (key[2] << 16) | (key[3] << 24)
- | key[4] | (key[5] << 8) | (key[6] << 16) | (key[7] << 24));
- *output = malloc(4);
- if(*output == NULL) {
- pop_auth_set_error("out of memory");
- return POP_AUTH_FAILURE;
- }
- krb_put_int(ks->nonce, *output, 4, 4);
- *output_length = 4;
- ks->stage++;
- return POP_AUTH_CONTINUE;
- }
-
- if(ks->stage == 1) {
- KTEXT_ST authent;
- /* C -> S: ticket and authenticator */
-
- if (input_length > sizeof(authent.dat)) {
- pop_auth_set_error("data packet too long");
- return POP_AUTH_FAILURE;
- }
- memcpy(authent.dat, input, input_length);
- authent.length = input_length;
-
- k_getsockinst (0, instance, sizeof(instance));
- ret = krb_rd_req(&authent, "pop", instance,
- 0 /* XXX p->in_addr.sin_addr.s_addr */,
- &p->kdata, NULL);
- if (ret != 0) {
- pop_auth_set_error(krb_get_err_text(ret));
- return POP_AUTH_FAILURE;
- }
- if (p->kdata.checksum != ks->nonce) {
- pop_auth_set_error("data stream modified");
- return POP_AUTH_FAILURE;
- }
- /* S -> C: nonce + 1 | bit | max segment */
-
- *output = malloc(8);
- if(*output == NULL) {
- pop_auth_set_error("out of memory");
- return POP_AUTH_FAILURE;
- }
- data = *output;
- krb_put_int(ks->nonce + 1, data, 8, 4);
- data[4] = 1;
- data[5] = 0;
- data[6] = 0;
- data[7] = 0;
- des_key_sched(&p->kdata.session, schedule);
- des_pcbc_encrypt((des_cblock*)data,
- (des_cblock*)data, 8,
- schedule,
- &p->kdata.session,
- DES_ENCRYPT);
- *output_length = 8;
- ks->stage++;
- return POP_AUTH_CONTINUE;
- }
-
- if(ks->stage == 2) {
- uint32_t nonce_reply;
- /* C -> S: nonce | bit | max segment | username */
-
- if (input_length % 8 != 0) {
- pop_auth_set_error("reply is not a multiple of 8 bytes");
- return POP_AUTH_FAILURE;
- }
-
- des_key_sched(&p->kdata.session, schedule);
- des_pcbc_encrypt((des_cblock*)input,
- (des_cblock*)input,
- input_length,
- schedule,
- &p->kdata.session,
- DES_DECRYPT);
-
- data = input;
- krb_get_int(data, &nonce_reply, 4, 0);
- if (nonce_reply != ks->nonce) {
- pop_auth_set_error("data stream modified");
- return POP_AUTH_FAILURE;
- }
- if(data[4] != 1) {
-
- }
- if(data[input_length - 1] != '\0') {
- pop_auth_set_error("bad format of username");
- return POP_AUTH_FAILURE;
- }
- strlcpy(p->user, data + 8, sizeof(p->user));
- if (kuserok(&p->kdata, p->user)) {
- pop_log(p, POP_PRIORITY,
- "%s: (%s.%s@%s) tried to retrieve mail for %s.",
- p->client, p->kdata.pname, p->kdata.pinst,
- p->kdata.prealm, p->user);
- pop_auth_set_error("Permission denied");
- return POP_AUTH_FAILURE;
- }
- pop_log(p, POP_INFO, "%s: %s.%s@%s -> %s",
- p->ipaddr,
- p->kdata.pname, p->kdata.pinst, p->kdata.prealm,
- p->user);
- return POP_AUTH_COMPLETE;
- }
- return POP_AUTH_FAILURE;
-}
-
-
-static int
-krb4_init(POP *p, void **state)
-{
- struct krb4_state *ks = malloc(sizeof(*ks));
- if(ks == NULL) {
- pop_auth_set_error("out of memory");
- return POP_AUTH_FAILURE;
- }
- ks->stage = 0;
- *state = ks;
- return POP_AUTH_CONTINUE;
-}
-
-static int
-krb4_cleanup(POP *p, void *state)
-{
- free(state);
- return POP_AUTH_CONTINUE;
-}
-
-struct auth_mech krb4_mech = {
- "KERBEROS_V4", krb4_init, krb4_loop, krb4_cleanup
-};
-
-#endif /* KRB5 */
diff --git a/appl/popper/pop_auth.c b/appl/popper/pop_auth.c
index 84484c4be..2c352b1a9 100644
--- a/appl/popper/pop_auth.c +++ b/appl/popper/pop_auth.c @@ -80,9 +80,6 @@ pop_auth_set_error(const char *message) static struct auth_mech *methods[] = { #ifdef KRB5 &gssapi_mech, -#endif -#ifdef KRB4 - &krb4_mech, #endif NULL }; diff --git a/appl/popper/pop_debug.c b/appl/popper/pop_debug.c index a5c472cf5..bca03e66e 100644 --- a/appl/popper/pop_debug.c +++ b/appl/popper/pop_debug.c @@ -94,39 +94,6 @@ get_socket (const char *hostname, int port) err (1, "failed to connect to %s", hostname); } -#ifdef KRB4 -static int -doit_v4 (char *host, int port) -{ - KTEXT_ST ticket; - MSG_DAT msg_data; - CREDENTIALS cred; - des_key_schedule sched; - int ret; - int s = get_socket (host, port); - - ret = krb_sendauth(0, - s, - &ticket, - "pop", - host, - krb_realmofhost(host), - getpid(), - &msg_data, - &cred, - sched, - NULL, - NULL, - "KPOPV0.1"); - if(ret) { - warnx("krb_sendauth: %s", krb_get_err_text(ret)); - return 1; - } - loop(s); - return 0; -} -#endif - #ifdef KRB5 static int doit_v5 (char *host, int port) @@ -175,9 +142,6 @@ doit_v5 (char *host, int port) #endif -#ifdef KRB4 -static int use_v4 = -1; -#endif #ifdef KRB5 static int use_v5 = -1; #endif @@ -186,10 +150,6 @@ static int do_version; static int do_help; struct getargs args[] = { -#ifdef KRB4 - { "krb4", '4', arg_flag, &use_v4, "Use Kerberos V4", - NULL }, -#endif #ifdef KRB5 { "krb5", '5', arg_flag, &use_v5, "Use Kerberos V5", NULL }, @@ -256,29 +216,15 @@ main(int argc, char **argv) if (port == 0) { #ifdef KRB5 port = krb5_getportbyname (NULL, "kpop", "tcp", 1109); -#elif defined(KRB4) - port = k_getportbyname ("kpop", "tcp", 1109); #else -#error must define KRB4 or KRB5 +#error must define KRB5 #endif } -#if defined(KRB4) && defined(KRB5) - if(use_v4 == -1 && use_v5 == 1) - use_v4 = 0; - if(use_v5 == -1 && use_v4 == 1) - use_v5 = 0; -#endif - #ifdef KRB5 if (ret && use_v5) { ret = doit_v5 (argv[0], port); } -#endif -#ifdef KRB4 - if (ret && use_v4) { - ret = doit_v4 (argv[0], port); - } #endif return ret; } 
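Review bot: In pop_debug.c's `main` (hunk `@@ -256,29 +216,15 @@`), the new `#error must define KRB5` means the file cannot be built without KRB5, so the `#ifdef KRB5` guard kept around `if (ret && use_v5)` can no longer be false and only adds noise; the same holds for the guards around `doit_v5`, `use_v5` and the `krb5` option in the earlier hunks. `use_v5` is still initialised to -1 and the removed v4/v5 arbitration block was the only visible code that reset it, so any non-zero value, including the initial -1, takes the branch. A comment such as `/* -1 = not given on the command line, treated as enabled */` next to the declaration would record that intent. `main` begins outside the hunk.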
diff --git a/appl/popper/pop_init.c b/appl/popper/pop_init.c index 2e21a9d69..a2924877d 100644 --- a/appl/popper/pop_init.c +++ b/appl/popper/pop_init.c @@ -8,15 +8,15 @@ RCSID("$Id$"); -#if defined(KRB4) || defined(KRB5) +#if defined(KRB5) static int pop_net_read(POP *p, int fd, void *buf, size_t len) { #ifdef KRB5 return krb5_net_read(p->context, &fd, buf, len); -#elif defined(KRB4) - return krb_net_read(fd, buf, len); +#else +#error must define KRB5 #endif } #endif @@ -49,54 +49,6 @@ pop_write_addr(POP *p, struct sockaddr *addr) fclose(f); } -#ifdef KRB4 -static int -krb4_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr) -{ - Key_schedule schedule; - KTEXT_ST ticket; - char instance[INST_SZ]; - char version[9]; - int auth; - - if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0) - return -1; - if (pop_net_read (p, s, buf + 4, - KRB_SENDAUTH_VLEN - 4) != KRB_SENDAUTH_VLEN - 4) - return -1; - if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0) - return -1; - - k_getsockinst (0, instance, sizeof(instance)); - auth = krb_recvauth(KOPT_IGNORE_PROTOCOL, - s, - &ticket, - "pop", - instance, - (struct sockaddr_in *)addr, - (struct sockaddr_in *) NULL, - &p->kdata, - "", - schedule, - version); - - if (auth != KSUCCESS) { - pop_msg(p, POP_FAILURE, "Kerberos authentication failure: %s", - krb_get_err_text(auth)); - pop_log(p, POP_PRIORITY, "%s: (%s.%s@%s) %s", p->client, - p->kdata.pname, p->kdata.pinst, p->kdata.prealm, - krb_get_err_text(auth)); - return -1; - } - -#ifdef DEBUG - pop_log(p, POP_DEBUG, "%s.%s@%s (%s): ok", p->kdata.pname, - p->kdata.pinst, p->kdata.prealm, p->ipaddr); -#endif /* DEBUG */ - return 0; -} -#endif /* KRB4 */ - #ifdef KRB5 static int krb5_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr) 
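Review bot: In `pop_net_read` (hunk `@@ -8,15 +8,15 @@`), the added `#else` / `#error must define KRB5` pair sits inside the outer `#if defined(KRB5)` that the same hunk introduces, so the `#error` can never be reached. Either drop the inner conditional and keep only `return krb5_net_read(p->context, &fd, buf, len);`, or, if a build without KRB5 is meant to be rejected, move the `#error` outside the outer guard where it can actually fire.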
@@ -161,7 +113,7 @@ krb5_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr) static int krb_authenticate(POP *p, struct sockaddr *addr) { -#if defined(KRB4) || defined(KRB5) +#if defined(KRB5) u_char buf[BUFSIZ]; if (pop_net_read (p, 0, buf, 4) != 4) { @@ -169,14 +121,6 @@ krb_authenticate(POP *p, struct sockaddr *addr) strerror(errno)); exit (1); } -#ifdef KRB4 - if (krb4_authenticate (p, 0, buf, addr) == 0){ - pop_write_addr(p, addr); - p->version = 4; - return POP_SUCCESS; - } -#endif -#ifdef KRB5 if (krb5_authenticate (p, 0, buf, addr) == 0){ pop_write_addr(p, addr); p->version = 5; @@ -184,8 +128,6 @@ krb_authenticate(POP *p, struct sockaddr *addr) } #endif exit (1); - -#endif /* defined(KRB4) || defined(KRB5) */ return(POP_SUCCESS); } @@ -207,7 +149,7 @@ static int help_flag; static int version_flag; static struct getargs args[] = { -#if defined(KRB4) || defined(KRB5) +#if defined(KRB5) { "kerberos", 'k', arg_flag, &kerberos_flag, "use kerberos" }, #endif { "auth-mode", 'a', arg_string, &auth_str, "required authentication", @@ -241,8 +183,6 @@ pop_getportbyname(POP *p, const char *service, { #ifdef KRB5 return krb5_getportbyname(p->context, service, proto, def); -#elif defined(KRB4) - return k_getportbyname(service, proto, htons(def)); #else return htons(default); #endif @@ -348,7 +288,7 @@ pop_init(POP *p,int argcount,char **argmessage) trace_file_name = trace_file; } -#if defined(KRB4) || defined(KRB5) +#if defined(KRB5) p->kerberosp = kerberos_flag; #endif diff --git a/appl/popper/pop_pass.c b/appl/popper/pop_pass.c index 55bed8bec..3993170c2 100644 --- a/appl/popper/pop_pass.c +++ b/appl/popper/pop_pass.c 
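Review bot: In `krb_authenticate`, removing the inner `#ifdef KRB5` line (hunk `@@ -169,14 +121,6 @@`) and the old closing `#endif /* defined(KRB4) || defined(KRB5) */` (hunk `@@ -184,8 +128,6 @@`) leaves the surviving `#endif` closing the outer `#if defined(KRB5)`, which puts `exit (1);` outside the conditional. A build without KRB5 therefore terminates the process here where it previously fell through to `return(POP_SUCCESS);`, and that return is now unreachable in every configuration. Failing closed is the safer outcome for an authentication routine, but it should be deliberate. Either keep `exit (1);` inside the guard to preserve the old behaviour, or delete the dead return and add a comment such as `/* no Kerberos support compiled in: refuse rather than report success */`.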
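Review bot: With the `#elif defined(KRB4)` branch removed from `pop_getportbyname` (hunk `@@ -241,8 +183,6 @@`), every build without KRB5 now compiles the fallback `return htons(default);`, and `default` is a C keyword, so that line cannot compile. The KRB5 branch passes `def`, which suggests the parameter is named `def`, although the rest of the signature lies outside the hunk. The fallback should read `return htons(def);`.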
@@ -11,31 +11,6 @@ RCSID("$Id$"); -#ifdef KRB4 -static int -krb4_verify_password (POP *p) -{ - int status; - char lrealm[REALM_SZ]; - char tkt[MaxPathLen]; - - status = krb_get_lrealm(lrealm,1); - if (status == KFAILURE) { - pop_log(p, POP_PRIORITY, "%s: (%s.%s@%s) %s", p->client, - p->kdata.pname, p->kdata.pinst, p->kdata.prealm, - krb_get_err_text(status)); - return 1; - } - snprintf(tkt, sizeof(tkt), "%s_popper.%u", TKT_ROOT, (unsigned)getpid()); - krb_set_tkt_string (tkt); - - status = krb_verify_user(p->user, "", lrealm, - p->pop_parm[1], KRB_VERIFY_SECURE, "pop"); - dest_tkt(); /* no point in keeping the tickets */ - return status; -} -#endif /* KRB4 */ - #ifdef KRB5 static int krb5_verify_password (POP *p) @@ -164,22 +139,6 @@ pop_pass (POP *p) p->user)); if (p->kerberosp) { -#ifdef KRB4 - if (p->version == 4) { - if(kuserok (&p->kdata, p->user)) { - pop_log(p, POP_PRIORITY, - "%s: (%s.%s@%s) tried to retrieve mail for %s.", - p->client, p->kdata.pname, p->kdata.pinst, - p->kdata.prealm, p->user); - return(pop_msg(p,POP_FAILURE, - "Popping not authorized")); - } - pop_log(p, POP_INFO, "%s: %s.%s@%s -> %s", - p->ipaddr, - p->kdata.pname, p->kdata.pinst, p->kdata.prealm, - p->user); - } else -#endif /* KRB4 */ #ifdef KRB5 if (p->version == 5) { char *name; @@ -224,9 +183,6 @@ pop_pass (POP *p) /* pass OK */; else { int ret = -1; -#ifdef KRB4 - ret = krb4_verify_password (p); -#endif #ifdef KRB5 if(ret) ret = krb5_verify_password (p); diff --git a/appl/popper/popper.h b/appl/popper/popper.h index 6fe7ffb41..d792ab1fa 100644 --- a/appl/popper/popper.h +++ b/appl/popper/popper.h @@ -110,10 +110,6 @@ struct ether_addr; #include #include -#ifdef KRB4 -#include -#include -#endif #ifdef KRB5 #include #endif @@ -144,9 +140,7 @@ struct ether_addr; #include #endif -#if defined(KRB4_MAILDIR) -#define POP_MAILDIR KRB4_MAILDIR -#elif defined(_PATH_MAILDIR) +#if defined(_PATH_MAILDIR) #define POP_MAILDIR _PATH_MAILDIR #elif defined(MAILDIR) #define POP_MAILDIR MAILDIR 
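Review bot: In the password branch of `pop_pass` (hunk `@@ -224,9 +183,6 @@`), `ret` starts at -1 and the removed `krb4_verify_password` call was the only thing that could change it before the KRB5 block, so the remaining `if(ret)` is always true. Calling the verifier directly, `ret = krb5_verify_password (p);`, expresses the same thing. If the initialiser is kept, a comment like `/* stays non-zero (presumably reject) when no verifier is compiled in */` would record why it starts at -1. How `ret` is consumed afterwards lies outside the hunk, so confirm that a non-zero value still denies the login.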
@@ -261,9 +255,6 @@ typedef struct { /* POP parameter block */ int parm_count; /* Number of parameters in parsed list */ int kerberosp; /* Using KPOP? */ -#ifdef KRB4 - AUTH_DAT kdata; -#endif #ifdef KRB5 krb5_context context; krb5_principal principal; /* principal auth as */