oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

remove krb4 support

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24501 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2009-01-26 01:10:33 +00:00
parent 580ba0e781
commit 00c521c6e2
8 changed files with 9 additions and 389 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
appl/popper/Makefile.am
View File

@@ -2,8 +2,6 @@
include $(top_srcdir)/Makefile.am.common include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += $(INCLUDE_krb4)
noinst_PROGRAMS = pop_debug noinst_PROGRAMS = pop_debug
libexec_PROGRAMS = popper libexec_PROGRAMS = popper
@@ -33,7 +31,6 @@ popper_SOURCES = \
popper.c \ popper.c \
maildir.c \ maildir.c \
auth_gssapi.c \ auth_gssapi.c \
auth_krb4.c \
popper.h \ popper.h \
version.h version.h
@@ -41,7 +38,6 @@ LDADD = \
$(LIB_otp) \ $(LIB_otp) \
$(top_builddir)/lib/gssapi/libgssapi.la \ $(top_builddir)/lib/gssapi/libgssapi.la \
$(LIB_krb5) \ $(LIB_krb5) \
$(LIB_krb4) \
$(LIB_hcrypto) \ $(LIB_hcrypto) \
$(LIB_roken) \ $(LIB_roken) \
$(DBLIB) $(DBLIB)
@@ -49,5 +45,5 @@ LDADD = \
man_MANS = popper.8 man_MANS = popper.8
EXTRA_DIST = pop3.rfc1081 pop3e.rfc1082 \ EXTRA_DIST = pop3.rfc1081 pop3e.rfc1082 \
popper.README.release README-FIRST README-KRB4 \ popper.README.release README-FIRST \
$(man_MANS) $(man_MANS)

3
appl/popper/README-KRB4
View File

@@ -1,3 +0,0 @@
Define KERBEROS if you want support for Kerberos V4 style
authentification, then you will be able to start a kerberise pop with
the `-k' flag.

203
appl/popper/auth_krb4.c
View File

@@ -1,203 +0,0 @@
/*
* Copyright (c) 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <popper.h>
#include <base64.h>
#include <pop_auth.h>
RCSID("$Id$");
#if defined(SASL) && defined(KRB4)
#include <krb.h>
#include <des.h>
struct krb4_state {
int stage;
uint32_t nonce;
};
static int
krb4_loop(POP *p, void *state,
/* const */ void *input, size_t input_length,
void **output, size_t *output_length)
{
struct krb4_state *ks = state;
int ret;
des_cblock key;
unsigned char *data;
char instance[INST_SZ];
des_key_schedule schedule;
if(ks->stage == 0) {
if(input_length > 0)
return POP_AUTH_FAILURE;
/* S -> C: 32 bit nonce in MSB base64 */
#ifdef HAVE_OPENSSL
#define des_new_random_key des_random_key
#endif
des_new_random_key(key);
ks->nonce = (key[0] | (key[1] << 8) | (key[2] << 16) | (key[3] << 24)
| key[4] | (key[5] << 8) | (key[6] << 16) | (key[7] << 24));
*output = malloc(4);
if(*output == NULL) {
pop_auth_set_error("out of memory");
return POP_AUTH_FAILURE;
}
krb_put_int(ks->nonce, *output, 4, 4);
*output_length = 4;
ks->stage++;
return POP_AUTH_CONTINUE;
}
if(ks->stage == 1) {
KTEXT_ST authent;
/* C -> S: ticket and authenticator */
if (input_length > sizeof(authent.dat)) {
pop_auth_set_error("data packet too long");
return POP_AUTH_FAILURE;
}
memcpy(authent.dat, input, input_length);
authent.length = input_length;
k_getsockinst (0, instance, sizeof(instance));
ret = krb_rd_req(&authent, "pop", instance,
0 /* XXX p->in_addr.sin_addr.s_addr */,
&p->kdata, NULL);
if (ret != 0) {
pop_auth_set_error(krb_get_err_text(ret));
return POP_AUTH_FAILURE;
}
if (p->kdata.checksum != ks->nonce) {
pop_auth_set_error("data stream modified");
return POP_AUTH_FAILURE;
}
/* S -> C: nonce + 1 | bit | max segment */
*output = malloc(8);
if(*output == NULL) {
pop_auth_set_error("out of memory");
return POP_AUTH_FAILURE;
}
data = *output;
krb_put_int(ks->nonce + 1, data, 8, 4);
data[4] = 1;
data[5] = 0;
data[6] = 0;
data[7] = 0;
des_key_sched(&p->kdata.session, schedule);
des_pcbc_encrypt((des_cblock*)data,
(des_cblock*)data, 8,
schedule,
&p->kdata.session,
DES_ENCRYPT);
*output_length = 8;
ks->stage++;
return POP_AUTH_CONTINUE;
}
if(ks->stage == 2) {
uint32_t nonce_reply;
/* C -> S: nonce | bit | max segment | username */
if (input_length % 8 != 0) {
pop_auth_set_error("reply is not a multiple of 8 bytes");
return POP_AUTH_FAILURE;
}
des_key_sched(&p->kdata.session, schedule);
des_pcbc_encrypt((des_cblock*)input,
(des_cblock*)input,
input_length,
schedule,
&p->kdata.session,
DES_DECRYPT);
data = input;
krb_get_int(data, &nonce_reply, 4, 0);
if (nonce_reply != ks->nonce) {
pop_auth_set_error("data stream modified");
return POP_AUTH_FAILURE;
}
if(data[4] != 1) {
}
if(data[input_length - 1] != '\0') {
pop_auth_set_error("bad format of username");
return POP_AUTH_FAILURE;
}
strlcpy(p->user, data + 8, sizeof(p->user));
if (kuserok(&p->kdata, p->user)) {
pop_log(p, POP_PRIORITY,
"%s: (%s.%s@%s) tried to retrieve mail for %s.",
p->client, p->kdata.pname, p->kdata.pinst,
p->kdata.prealm, p->user);
pop_auth_set_error("Permission denied");
return POP_AUTH_FAILURE;
}
pop_log(p, POP_INFO, "%s: %s.%s@%s -> %s",
p->ipaddr,
p->kdata.pname, p->kdata.pinst, p->kdata.prealm,
p->user);
return POP_AUTH_COMPLETE;
}
return POP_AUTH_FAILURE;
}
static int
krb4_init(POP *p, void **state)
{
struct krb4_state *ks = malloc(sizeof(*ks));
if(ks == NULL) {
pop_auth_set_error("out of memory");
return POP_AUTH_FAILURE;
}
ks->stage = 0;
*state = ks;
return POP_AUTH_CONTINUE;
}
static int
krb4_cleanup(POP *p, void *state)
{
free(state);
return POP_AUTH_CONTINUE;
}
struct auth_mech krb4_mech = {
"KERBEROS_V4", krb4_init, krb4_loop, krb4_cleanup
};
#endif /* KRB5 */

3
appl/popper/pop_auth.c
View File

@@ -80,9 +80,6 @@ pop_auth_set_error(const char *message)
static struct auth_mech *methods[] = { static struct auth_mech *methods[] = {
#ifdef KRB5 #ifdef KRB5
&gssapi_mech, &gssapi_mech,
#endif
#ifdef KRB4
&krb4_mech,
#endif #endif
NULL NULL
}; };

56
appl/popper/pop_debug.c
View File

@@ -94,39 +94,6 @@ get_socket (const char *hostname, int port)
err (1, "failed to connect to %s", hostname); err (1, "failed to connect to %s", hostname);
} }
#ifdef KRB4
static int
doit_v4 (char *host, int port)
{
KTEXT_ST ticket;
MSG_DAT msg_data;
CREDENTIALS cred;
des_key_schedule sched;
int ret;
int s = get_socket (host, port);
ret = krb_sendauth(0,
s,
&ticket,
"pop",
host,
krb_realmofhost(host),
getpid(),
&msg_data,
&cred,
sched,
NULL,
NULL,
"KPOPV0.1");
if(ret) {
warnx("krb_sendauth: %s", krb_get_err_text(ret));
return 1;
}
loop(s);
return 0;
}
#endif
#ifdef KRB5 #ifdef KRB5
static int static int
doit_v5 (char *host, int port) doit_v5 (char *host, int port)
@@ -175,9 +142,6 @@ doit_v5 (char *host, int port)
#endif #endif
#ifdef KRB4
static int use_v4 = -1;
#endif
#ifdef KRB5 #ifdef KRB5
static int use_v5 = -1; static int use_v5 = -1;
#endif #endif
@@ -186,10 +150,6 @@ static int do_version;
static int do_help; static int do_help;
struct getargs args[] = { struct getargs args[] = {
#ifdef KRB4
{ "krb4", '4', arg_flag, &use_v4, "Use Kerberos V4",
NULL },
#endif
#ifdef KRB5 #ifdef KRB5
{ "krb5", '5', arg_flag, &use_v5, "Use Kerberos V5", { "krb5", '5', arg_flag, &use_v5, "Use Kerberos V5",
NULL }, NULL },
@@ -256,29 +216,15 @@ main(int argc, char **argv)
if (port == 0) { if (port == 0) {
#ifdef KRB5 #ifdef KRB5
port = krb5_getportbyname (NULL, "kpop", "tcp", 1109); port = krb5_getportbyname (NULL, "kpop", "tcp", 1109);
#elif defined(KRB4)
port = k_getportbyname ("kpop", "tcp", 1109);
#else #else
#error must define KRB4 or KRB5 #error must define KRB5
#endif #endif
} }
#if defined(KRB4) && defined(KRB5)
if(use_v4 == -1 && use_v5 == 1)
use_v4 = 0;
if(use_v5 == -1 && use_v4 == 1)
use_v5 = 0;
#endif
#ifdef KRB5 #ifdef KRB5
if (ret && use_v5) { if (ret && use_v5) {
ret = doit_v5 (argv[0], port); ret = doit_v5 (argv[0], port);
} }
#endif
#ifdef KRB4
if (ret && use_v4) {
ret = doit_v4 (argv[0], port);
}
#endif #endif
return ret; return ret;
} }

72
appl/popper/pop_init.c
View File

@@ -8,15 +8,15 @@
RCSID("$Id$"); RCSID("$Id$");
#if defined(KRB4) || defined(KRB5) #if defined(KRB5)
static int static int
pop_net_read(POP *p, int fd, void *buf, size_t len) pop_net_read(POP *p, int fd, void *buf, size_t len)
{ {
#ifdef KRB5 #ifdef KRB5
return krb5_net_read(p->context, &fd, buf, len); return krb5_net_read(p->context, &fd, buf, len);
#elif defined(KRB4) #else
return krb_net_read(fd, buf, len); #error must define KRB5
#endif #endif
} }
#endif #endif
@@ -49,54 +49,6 @@ pop_write_addr(POP *p, struct sockaddr *addr)
fclose(f); fclose(f);
} }
#ifdef KRB4
static int
krb4_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr)
{
Key_schedule schedule;
KTEXT_ST ticket;
char instance[INST_SZ];
char version[9];
int auth;
if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0)
return -1;
if (pop_net_read (p, s, buf + 4,
KRB_SENDAUTH_VLEN - 4) != KRB_SENDAUTH_VLEN - 4)
return -1;
if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0)
return -1;
k_getsockinst (0, instance, sizeof(instance));
auth = krb_recvauth(KOPT_IGNORE_PROTOCOL,
s,
&ticket,
"pop",
instance,
(struct sockaddr_in *)addr,
(struct sockaddr_in *) NULL,
&p->kdata,
"",
schedule,
version);
if (auth != KSUCCESS) {
pop_msg(p, POP_FAILURE, "Kerberos authentication failure: %s",
krb_get_err_text(auth));
pop_log(p, POP_PRIORITY, "%s: (%s.%s@%s) %s", p->client,
p->kdata.pname, p->kdata.pinst, p->kdata.prealm,
krb_get_err_text(auth));
return -1;
}
#ifdef DEBUG
pop_log(p, POP_DEBUG, "%s.%s@%s (%s): ok", p->kdata.pname,
p->kdata.pinst, p->kdata.prealm, p->ipaddr);
#endif /* DEBUG */
return 0;
}
#endif /* KRB4 */
#ifdef KRB5 #ifdef KRB5
static int static int
krb5_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr) krb5_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr)
@@ -161,7 +113,7 @@ krb5_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr)
static int static int
krb_authenticate(POP *p, struct sockaddr *addr) krb_authenticate(POP *p, struct sockaddr *addr)
{ {
#if defined(KRB4) || defined(KRB5) #if defined(KRB5)
u_char buf[BUFSIZ]; u_char buf[BUFSIZ];
if (pop_net_read (p, 0, buf, 4) != 4) { if (pop_net_read (p, 0, buf, 4) != 4) {
@@ -169,14 +121,6 @@ krb_authenticate(POP *p, struct sockaddr *addr)
strerror(errno)); strerror(errno));
exit (1); exit (1);
} }
#ifdef KRB4
if (krb4_authenticate (p, 0, buf, addr) == 0){
pop_write_addr(p, addr);
p->version = 4;
return POP_SUCCESS;
}
#endif
#ifdef KRB5
if (krb5_authenticate (p, 0, buf, addr) == 0){ if (krb5_authenticate (p, 0, buf, addr) == 0){
pop_write_addr(p, addr); pop_write_addr(p, addr);
p->version = 5; p->version = 5;
@@ -184,8 +128,6 @@ krb_authenticate(POP *p, struct sockaddr *addr)
} }
#endif #endif
exit (1); exit (1);
#endif /* defined(KRB4) || defined(KRB5) */
return(POP_SUCCESS); return(POP_SUCCESS);
} }
@@ -207,7 +149,7 @@ static int help_flag;
static int version_flag; static int version_flag;
static struct getargs args[] = { static struct getargs args[] = {
#if defined(KRB4) || defined(KRB5) #if defined(KRB5)
{ "kerberos", 'k', arg_flag, &kerberos_flag, "use kerberos" }, { "kerberos", 'k', arg_flag, &kerberos_flag, "use kerberos" },
#endif #endif
{ "auth-mode", 'a', arg_string, &auth_str, "required authentication", { "auth-mode", 'a', arg_string, &auth_str, "required authentication",
@@ -241,8 +183,6 @@ pop_getportbyname(POP *p, const char *service,
{ {
#ifdef KRB5 #ifdef KRB5
return krb5_getportbyname(p->context, service, proto, def); return krb5_getportbyname(p->context, service, proto, def);
#elif defined(KRB4)
return k_getportbyname(service, proto, htons(def));
#else #else
return htons(default); return htons(default);
#endif #endif
@@ -348,7 +288,7 @@ pop_init(POP *p,int argcount,char **argmessage)
trace_file_name = trace_file; trace_file_name = trace_file;
} }
#if defined(KRB4) || defined(KRB5) #if defined(KRB5)
p->kerberosp = kerberos_flag; p->kerberosp = kerberos_flag;
#endif #endif

44
appl/popper/pop_pass.c
View File

@@ -11,31 +11,6 @@
RCSID("$Id$"); RCSID("$Id$");
#ifdef KRB4
static int
krb4_verify_password (POP *p)
{
int status;
char lrealm[REALM_SZ];
char tkt[MaxPathLen];
status = krb_get_lrealm(lrealm,1);
if (status == KFAILURE) {
pop_log(p, POP_PRIORITY, "%s: (%s.%s@%s) %s", p->client,
p->kdata.pname, p->kdata.pinst, p->kdata.prealm,
krb_get_err_text(status));
return 1;
}
snprintf(tkt, sizeof(tkt), "%s_popper.%u", TKT_ROOT, (unsigned)getpid());
krb_set_tkt_string (tkt);
status = krb_verify_user(p->user, "", lrealm,
p->pop_parm[1], KRB_VERIFY_SECURE, "pop");
dest_tkt(); /* no point in keeping the tickets */
return status;
}
#endif /* KRB4 */
#ifdef KRB5 #ifdef KRB5
static int static int
krb5_verify_password (POP *p) krb5_verify_password (POP *p)
@@ -164,22 +139,6 @@ pop_pass (POP *p)
p->user)); p->user));
if (p->kerberosp) { if (p->kerberosp) {
#ifdef KRB4
if (p->version == 4) {
if(kuserok (&p->kdata, p->user)) {
pop_log(p, POP_PRIORITY,
"%s: (%s.%s@%s) tried to retrieve mail for %s.",
p->client, p->kdata.pname, p->kdata.pinst,
p->kdata.prealm, p->user);
return(pop_msg(p,POP_FAILURE,
"Popping not authorized"));
}
pop_log(p, POP_INFO, "%s: %s.%s@%s -> %s",
p->ipaddr,
p->kdata.pname, p->kdata.pinst, p->kdata.prealm,
p->user);
} else
#endif /* KRB4 */
#ifdef KRB5 #ifdef KRB5
if (p->version == 5) { if (p->version == 5) {
char *name; char *name;
@@ -224,9 +183,6 @@ pop_pass (POP *p)
/* pass OK */; /* pass OK */;
else { else {
int ret = -1; int ret = -1;
#ifdef KRB4
ret = krb4_verify_password (p);
#endif
#ifdef KRB5 #ifdef KRB5
if(ret) if(ret)
ret = krb5_verify_password (p); ret = krb5_verify_password (p);

11
appl/popper/popper.h
View File

@@ -110,10 +110,6 @@ struct ether_addr;
#include <roken.h> #include <roken.h>
#include <getarg.h> #include <getarg.h>
#ifdef KRB4
#include <krb.h>
#include <prot.h>
#endif
#ifdef KRB5 #ifdef KRB5
#include <krb5.h> #include <krb5.h>
#endif #endif
@@ -144,9 +140,7 @@ struct ether_addr;
#include <otp.h> #include <otp.h>
#endif #endif
#if defined(KRB4_MAILDIR) #if defined(_PATH_MAILDIR)
#define POP_MAILDIR KRB4_MAILDIR
#elif defined(_PATH_MAILDIR)
#define POP_MAILDIR _PATH_MAILDIR #define POP_MAILDIR _PATH_MAILDIR
#elif defined(MAILDIR) #elif defined(MAILDIR)
#define POP_MAILDIR MAILDIR #define POP_MAILDIR MAILDIR
@@ -261,9 +255,6 @@ typedef struct { /* POP parameter block */
int parm_count; /* Number of parameters in int parm_count; /* Number of parameters in
parsed list */ parsed list */
int kerberosp; /* Using KPOP? */ int kerberosp; /* Using KPOP? */
#ifdef KRB4
AUTH_DAT kdata;
#endif
#ifdef KRB5 #ifdef KRB5
krb5_context context; krb5_context context;
krb5_principal principal; /* principal auth as */ krb5_principal principal; /* principal auth as */