From c4148424b71a25ec79005361dc2363b800b10ada Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Thu, 1 Apr 2010 04:24:00 +0200 Subject: [PATCH] Kill Kerberos IV and RPOP. --- Makefile.am | 3 - NEWS | 9 +- README | 2 +- conf.c | 7 +- configure.ac | 162 +------------------------ daemon.c | 16 --- driver.c | 113 +---------------- env.c | 1 - fetchmail-features.html | 4 +- fetchmail.c | 27 +---- fetchmail.h | 11 +- fetchmail.man | 44 ++----- fm_md5.h | 15 +-- idlist.c | 15 --- imap.c | 27 ----- interface.c | 18 --- kerberos.c | 260 ---------------------------------------- kerberos.h | 25 +--- options.c | 12 +- po/POTFILES.in | 1 - pop3.c | 85 +------------ rcfile_l.l | 4 +- rcfile_y.y | 9 +- sink.c | 23 +--- smbencrypt.c | 40 ------- socket.c | 48 -------- socket.h | 2 +- transact.c | 18 --- 28 files changed, 49 insertions(+), 952 deletions(-) delete mode 100644 kerberos.c diff --git a/Makefile.am b/Makefile.am index 31fcc7bc..796ad00b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -77,9 +77,6 @@ endif if ODMR_ENABLE fetchmail_SOURCES += odmr.c endif -if KERBEROS_V4_ENABLE -fetchmail_SOURCES += kerberos.c -endif if RPA_ENABLE fetchmail_SOURCES += rpa.c endif diff --git a/NEWS b/NEWS index 328074ed..07e72114 100644 --- a/NEWS +++ b/NEWS @@ -15,7 +15,6 @@ removed from a 6.4.0 or newer release.) version as they are not reasonably portable across operating systems. * IMAP2 and IMAP4 (not IMAP4r1) are obsolete, support may be removed from a future fetchmail version. -* RPOP is obsolete, support will be removed from a future fetchmail release. * --sslcertck will become a default setting in a future fetchmail version. * The multidrop To/Cc guessing code along with the fragile duplicate suppressor is deprecated and may be removed from a future release. 
@@ -30,7 +29,6 @@ removed from a 6.4.0 or newer release.) inconsistent and confusing. * The "protocol auto" default inside fetchmail may be removed from a future fetchmail release. Explicit configuration of the protocol is recommended. -* Kerberos IV support may be removed from a future fetchmail release. * Kerberos 5 support may be removed from a future fetchmail release. * The --principal option may be removed from a future fetchmail release. * SIGHUP wakeup support may be removed from a future fetchmail release and @@ -49,15 +47,16 @@ fetchmail-6.4.0 (not yet released): NOTE THIS IS AN ALPHA RELEASE THAT HAS NOT BEEN THOROUGHLY TESTED! # REMOVED FEATURES -* POP2 was long obsolete and removed -* BeOS and EMX support was removed +* POP2 and RPOP were long obsolete and removed * Trio was removed -* Support for systems that do not conform to C89 and POSIX 2001 was removed. +* Support for systems that do not conform to C89 and POSIX 2001 was removed, this includes + BeOS, EMX, NeXTSTEP. * The MX and host alias DNS lookups that fetchmail performs in multidrop mode have been removed. They were based on the mistaken assumption that the IMAP/POP3 server was also the MX server, which is rarely the case. They have never supported IPv6 (including IPv6-mapped IPv4) either. Non-DNS based alias keywords such as "aka" remain. +* Kerberos IV support was removed. -------------------------------------------------------------------------------- diff --git a/README b/README index 8bda0b87..f64c7ab1 100644 --- a/README +++ b/README 
@@ -12,7 +12,7 @@ can then be be read by normal mail user agents such as mutt(1), elm(1) or Mail(1). Fetchmail supports all standard mail-retrieval protocols in use on the -Internet: POP3 (including some variants such as RPOP, APOP, KPOP), IMAP4rev1 +Internet: POP3 (including some variants such as APOP, KPOP), IMAP4rev1 (also IMAP4, IMAP2bis), IMAP4, ETRN, and ODMR. On the output side, fetchmail supports ESMTP/SMTP, LMTP, and invocation of a local delivery agent. diff --git a/conf.c b/conf.c index d21dec1c..1cab1e42 100644 --- a/conf.c +++ b/conf.c @@ -156,9 +156,6 @@ void dump_config(struct runctl *runp, struct query *querylist) #ifdef GSSAPI "'gssapi'," #endif /* GSSAPI */ -#if defined(KERBEROS_V4) - "'kerberos'," -#endif /* defined(IMAP4) */ #ifdef RPA_ENABLE "'rpa'," #endif /* RPA_ENABLE */ @@ -241,7 +238,7 @@ void dump_config(struct runctl *runp, struct query *querylist) using_kpop = (ctl->server.protocol == P_POP3 && ctl->server.service && !strcmp(ctl->server.service, KPOP_PORT ) && - ctl->server.authenticate == A_KERBEROS_V4); + ctl->server.authenticate == A_KERBEROS_V5); stringdump("pollname", ctl->server.pollname); booldump("active", !ctl->server.skip); @@ -273,8 +270,6 @@ void dump_config(struct runctl *runp, struct query *querylist) stringdump("auth", "cram-md5"); else if (ctl->server.authenticate == A_GSSAPI) stringdump("auth", "gssapi"); - else if (ctl->server.authenticate == A_KERBEROS_V4) - stringdump("auth", "kerberos_v4"); else if (ctl->server.authenticate == A_KERBEROS_V5) stringdump("auth", "kerberos_v5"); else if (ctl->server.authenticate == A_SSH) diff --git a/configure.ac b/configure.ac index 2e61aed4..f83b4169 100644 --- a/configure.ac +++ b/configure.ac @@ -60,15 +60,11 @@ if test "x$SHELL" = "x" ; then fi -AC_TYPE_SIZE_T -AC_TYPE_PID_T AC_CHECK_HEADERS([arpa/nameser.h md5.h]) AC_CHECK_HEADERS([resolv.h],,,[ #include -#ifdef HAVE_NETINET_IN_H #include -#endif #ifdef HAVE_ARPA_NAMESER_H #include #endif 
@@ -76,9 +72,7 @@ AC_CHECK_HEADERS([resolv.h],,,[ AC_CHECK_DECLS([h_errno],,,[ AC_INCLUDES_DEFAULT - #ifdef HAVE_NETDB_H #include - #endif ]) AC_C_CONST dnl getopt needs this. @@ -141,12 +135,8 @@ dnl INET6 is used by KAME/getnameinfo AC_CACHE_CHECK(for AF_INET6/PF_INET6,ac_cv_inet6, AC_COMPILE_IFELSE([ AC_LANG_PROGRAM([[ - #ifdef HAVE_SYS_TYPES_H #include - #endif - #ifdef HAVE_SYS_SOCKET_H #include - #endif ]],[[ int foo = AF_INET6; int bar = PF_INET6; @@ -172,9 +162,7 @@ for lib in '' -lresolv; do LIBS="$old_LIBS $lib" AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include -#ifdef HAVE_NETINET_IN_H #include -#endif #ifdef HAVE_ARPA_NAMESER_H #include #endif 
@@ -193,49 +181,16 @@ done dnl Check for libcrypt -- it may live in libc or libcrypt, as on IRIX AC_CHECK_FUNC(crypt, , AC_CHECK_LIB(crypt,crypt)) -dnl Check for usable void pointer type -AC_MSG_CHECKING(use of void pointer type) -AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[char *p; - void *xmalloc(); - p = (char *) xmalloc(1); - ]])],[AC_DEFINE(HAVE_VOIDPOINTER,1,[Define if your C compiler allows void * as a function result]) AC_MSG_RESULT(yes)],[AC_MSG_RESULT(no)]) - dnl Check for ANSI volatile AC_C_VOLATILE -dnl Check out the wait reality. We have to assume sys/wait.h is present. -AC_CHECK_FUNCS(waitpid wait3) -AC_MSG_CHECKING(for union wait); -AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include -#include ]], [[union wait status; int pid; pid = wait (&status); -#ifdef WEXITSTATUS -/* Some POSIXoid systems have both the new-style macros and the old - union wait type, and they do not work together. If union wait - conflicts with WEXITSTATUS et al, we do not want to use it at all. */ -if (WEXITSTATUS (status) != 0) pid = -1; -#endif -#ifdef HAVE_WAITPID -/* Make sure union wait works with waitpid. */ -pid = waitpid (-1, &status, 0); -#endif -]])],[AC_DEFINE(HAVE_UNION_WAIT,1,Define if 'union wait' is the type of the first arg to wait functions.) AC_MSG_RESULT(yes)],[AC_MSG_RESULT(no)]) - AC_MSG_CHECKING(sys_siglist declaration in signal.h or unistd.h) AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include /* NetBSD declares sys_siglist in . 
*/ #include ]], [[char *msg = *(sys_siglist + 1);]])],[AC_DEFINE(SYS_SIGLIST_DECLARED,1,[Define if 'sys_siglist' is declared by .]) AC_MSG_RESULT(yes)],[AC_MSG_RESULT(no)]) -# Find the right directory to put the root-mode PID file in -for dir in "/var/run" "/etc" -do - if test -d $dir - then - break; - fi -done -AC_MSG_RESULT(root-mode pid file will go in $dir) -AC_DEFINE_UNQUOTED(PID_DIR, "$dir", directory for PID lock files) +AC_DEFINE_UNQUOTED(PID_DIR, "/var/run", directory for PID lock files) # We may have a fallback MDA available in case the socket open to the # local SMTP listener fails. Best to use procmail for this, as we know @@ -326,10 +281,6 @@ case "$enable_fallback" in ;; esac -AC_CHECK_SIZEOF(short) -AC_CHECK_SIZEOF(int) -AC_CHECK_SIZEOF(long) - ### use option --disable-POP3 to omit the POP3 support AC_ARG_ENABLE(POP3, [ --disable-POP3 don't compile in POP3 protocol support], @@ -411,12 +362,8 @@ AC_SEARCH_LIBS(getaddrinfo, [nsl socket]) AC_CACHE_CHECK([for getaddrinfo],[fm_cv_getaddrinfo],[ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include -#ifdef HAVE_SYS_SOCKET_H #include -#endif -#ifdef HAVE_NETDB_H #include -#endif ]], [[getaddrinfo(0, 0, 0, 0);]])],[ fm_cv_getaddrinfo=yes],[ fm_cv_getaddrinfo=no ]) ]) @@ -428,12 +375,8 @@ fi AC_CACHE_CHECK([for getnameinfo],[fm_cv_getnameinfo],[ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include -#ifdef HAVE_SYS_SOCKET_H #include -#endif -#ifdef HAVE_NETDB_H #include -#endif #ifndef NULL #define NULL 0 #endif 
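Review bot: `PID_DIR` is now fixed to "/var/run" with no probe and no override (hunk `@@ -193,49 +181,16 @@`, which also drops the union-wait checks), so a system without that directory gets a root-mode lock-file path that cannot be created, where the removed loop at least fell back to /etc. Since nothing is left for the shell to expand, `AC_DEFINE(PID_DIR, "/var/run", [directory for PID lock files])` says the same thing more plainly. A comment above it such as `# root-mode PID file goes in /var/run; the directory is assumed to exist and to be writable by root only` would record the assumption the old probe made visible. This change is also unrelated to the Kerberos IV/RPOP removal named in the subject, which makes it easy to miss in review.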
@@ -464,20 +407,10 @@ if test "$fm_cv_getaddrinfo" = yes ; then fi fi -# This version of the Kerberos 4 and 5 options addresses the follwing issues: +# This version of the Kerberos 5 options addresses the follwing issues: # # * Build correctly under Heimdal kerberos if it is compiled with db2 and # OpenSSL support (Debian's is) -# * Build the kerberos.c stuff (KPOP) only for kerberosIV, to avoid breakage. -# I don't know if this is 100% correct, but now at least IMAP and POP3 -# behave the same way regarding kerberosV. -# * Build without any fuss for both kerberosIV and V at the same time. -# * Move all the kerberos header mess to kerberos.h, and #include that -# in driver.c and kerberos.c. -# -# Tested using the Heimdal Kerberos V libs, Kungliga Tekniska Högskolan (the -# Royal Institute of Technology in Stockholm, Sweden)'s kerberos IV libs, and -# the MIT reference implementation of KerberosV (all as packaged in Debian). ### use option --with-kerberos5=DIR to point at a Kerberos 5 directory ### make sure --with-ssl is run before --with-kerberos* ! 
@@ -567,97 +500,6 @@ fi fi ]) dnl --with-kerberos5=DIR -### use option --with-kerberos=DIR to point at a Kerberos 4 directory -KERBEROS_V4=0 -AC_ARG_WITH(kerberos, - [ --with-kerberos=DIR point fetchmail compilation at a Kerberos 4 directory], -[ -if test "$with_kerberos" != "no" -then - AC_MSG_WARN([Kerberos IV support is obsolete. Use --with-kerberos5 if possible.]) -# Check for a NetBSD/OpenBSD special case -if test "$with_kerberos" = "yes" && ( test `uname` = "NetBSD" || test `uname` = "OpenBSD" ) -then - AS_MESSAGE(checking kerberosIV for `uname`...) - KERBEROS_V4=1 - CFLAGS="$CFLAGS -I/usr/include/kerberosIV" - case `uname` in - NetBSD) LIBS="$LIBS -lkrb -ldes -lroken -lcom_err" ;; - OpenBSD) LIBS="$LIBS -lkrb -ldes" ;; - esac -elif krb4-config 2> /dev/null >/dev/null ; then - krb4_prefix=`krb4-config --prefix` - AC_MSG_RESULT([krb4-config points to kerberosIV under $krb4_prefix]) - unset krb4_prefix - CFLAGS="$CFLAGS `krb4-config --cflags`" - LIBS="$LIBS `krb4-config --libs`" - KERBEROS_V4=1 -elif krb5-config 2> /dev/null >/dev/null ; then - krb4_prefix=`krb5-config --prefix krb4` - AC_MSG_RESULT([krb5-config points to kerberosIV under $krb4_prefix]) - if test -f ${krb4_prefix}/include/kerberosIV/krb.h ; then - AC_DEFINE(KERBEROS_V4_V5,1,Define if you have Kerberos V4 headers under a kerberosIV directory) - fi - unset krb4_prefix - CFLAGS="$CFLAGS `krb5-config --cflags krb4`" - LIBS="$LIBS `krb5-config --libs krb4`" - KERBEROS_V4=1 -else - #we need to detect when we're building under a kerberosV compatibility - #layer, btw... 
- if test "$with_kerberos" != "yes" ; then - searchdirs="$with_kerberos" - else - searchdirs="$with_kerberos5 /usr/kerberos /usr/kerberosIV /usr/athena /usr" - fi - with_kerberos= - ac_saveLDFLAGS="$LDFLAGS" - for dir in $searchdirs - do - AC_MSG_CHECKING([for Kerberos IV in $dir]) - if test -f "$dir/include/krb.h" || test -f "$dir/include/krb4.h" \ - || test -f "$dir/include/kerberosIV/krb.h" - then - AC_MSG_RESULT([found]) - else - AC_MSG_RESULT([not found]) - continue - fi - #Find libs - if test -f "$with_kerberos5/roken.h" ; then - AC_CHECK_LIB(45, krb_mk_req) - fi - LDFLAGS="-L$dir/lib $ac_saveLDFLAGS" - if test `uname` = "FreeBSD"; then - AC_SEARCH_LIBS(_ossl_old_des_string_to_key, [des425 des crypto], [], continue) - else - AC_SEARCH_LIBS(des_string_to_key, [crypto], [], continue) - fi - AC_SEARCH_LIBS(krb_realmofhost, [krb4 krb], [], continue) - with_kerberos="$dir" - if test -f "$dir/include/kerberosIV/krb.h" ; then - dir="$dir/include/kerberosIV" - else - dir="$dir/include" - fi - KERBEROS_V4=1 - test -f "$with_kerberos5/roken.h" && AC_DEFINE(HEIMDAL) - test "$dir" != "/usr/include" && CFLAGS="$CFLAGS -I$dir" - LDFLAGS="$LDFLAGS -L$with_kerberos/lib" - break - done - if test -z "$with_kerberos" ; then - AC_MSG_ERROR([Kerberos 4 libraries not found]) - fi - LDFLAGS="$ac_saveLDFLAGS" -fi -fi -]) dnl --with-kerberos=DIR -if test "$KERBEROS_V4" = 1 ; then - AC_DEFINE(KERBEROS_V4,1,Define if you have Kerberos V4) -fi -AM_CONDITIONAL(KERBEROS_V4_ENABLE, test "$KERBEROS_V4" = 1) - ### use option --with-ssl to compile in the SSL support AC_ARG_WITH(ssl, [ --with-ssl=[DIR] enable SSL support using libraries in DIR], diff --git a/daemon.c b/daemon.c index 65e01772..8f39e86c 100644 --- a/daemon.c +++ b/daemon.c 
@@ -33,26 +33,10 @@ static void sigchld_handler (int sig) /* process SIGCHLD to obtain the exit code of the terminating process */ { -#if defined(HAVE_WAITPID) /* the POSIX way */ int status; while (waitpid(-1, &status, WNOHANG) > 0) continue; /* swallow 'em up. */ -#elif defined(HAVE_WAIT3) /* the BSD way */ - pid_t pid; -#if defined(HAVE_UNION_WAIT) && !defined(__FreeBSD__) - union wait status; -#else - int status; -#endif - - while ((pid = wait3(&status, WNOHANG, 0)) > 0) - continue; /* swallow 'em up. */ -#else /* Zooks! Nothing to do but wait(), and hope we don't block... */ - int status; - - wait(&status); -#endif lastsig = SIGCHLD; (void)sig; } diff --git a/driver.c b/driver.c index 19777ccd..e4c2638a 100644 --- a/driver.c +++ b/driver.c @@ -32,9 +32,6 @@ extern "C" { #include #include "kerberos.h" -#ifdef KERBEROS_V4 -#include -#endif /* KERBEROS_V4 */ #include "i18n.h" #include "socket.h" 
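Review bot: sigchld_handler now always runs the `waitpid(-1, &status, WNOHANG)` loop, and when no children remain that call returns -1 and sets errno, so the handler can overwrite `errno` in whatever code it interrupted. Save and restore it around the loop: `int saved_errno = errno;` as the first statement and `errno = saved_errno;` just before `lastsig = SIGCHLD;`. Whether `lastsig` is declared `volatile sig_atomic_t` is not visible in this hunk and is worth confirming, since it is written from signal context.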
@@ -122,74 +119,9 @@ static int cleanupSockClose (int fd) return (scerror); } -#ifdef KERBEROS_V4 -static int kerberos_auth(socket, canonical, principal) -/* authenticate to the server host using Kerberos V4 */ -int socket; /* socket to server host */ -char *canonical; /* server name */ -char *principal; -{ - KTEXT ticket; - MSG_DAT msg_data; - CREDENTIALS cred; - Key_schedule schedule; - int rem; - char * prin_copy = (char *) NULL; - char * prin = (char *) NULL; - char * inst = (char *) NULL; - char * realm = (char *) NULL; - - if (principal != (char *)NULL && *principal) - { - char *cp; - prin = prin_copy = xstrdup(principal); - for (cp = prin_copy; *cp && *cp != '.'; ++cp) - ; - if (*cp) - { - *cp++ = '\0'; - inst = cp; - while (*cp && *cp != '@') - ++cp; - if (*cp) - { - *cp++ = '\0'; - realm = cp; - } - } - } - - ticket = xmalloc(sizeof (KTEXT_ST)); - rem = (krb_sendauth (0L, socket, ticket, - prin ? prin : "pop", - inst ? inst : canonical, - realm ? realm : ((char *) (krb_realmofhost (canonical))), - ((unsigned long) 0), - (&msg_data), - (&cred), - (schedule), - ((struct sockaddr_in *) 0), - ((struct sockaddr_in *) 0), - "KPOPV0.1")); - free(ticket); - if (prin_copy) - { - free(prin_copy); - } - if (rem != KSUCCESS) - { - report(stderr, GT_("kerberos error %s\n"), (krb_get_err_text (rem))); - return (PS_AUTHFAIL); - } - return (0); -} -#endif /* KERBEROS_V4 */ - #ifdef KERBEROS_V5 -static int kerberos5_auth(socket, canonical) -/* authenticate to the server host using Kerberos V5 */ -int socket; /* socket to server host */ -const char *canonical; /* server name */ +/** authenticate to the server host using Kerberos V5 */ +static int kerberos5_auth(int socket /** socket to server host */, const char *canonical /** server name */) { krb5_error_code retval; krb5_context context; 
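Review bot: The inline parameter comments added to `kerberos5_auth` use `/** … */` after the parameter, which Doxygen attaches to the item that follows rather than the one before; trailing documentation needs the `/**<` form, e.g. `int socket /**< socket to server host */, const char *canonical /**< server name */`. The parameter name `socket` also shadows the socket() library function inside the body, so `sock`, as in `imap_getauth(int sock, …)` elsewhere in this patch, would be more consistent. The body of kerberos5_auth continues past the end of the hunk.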
@@ -436,7 +368,7 @@ static int fetch_messages(int mailserver_socket, struct query *ctl, * could be "auto". */ switch (ctl->server.protocol) { - case P_POP3: case P_APOP: case P_RPOP: + case P_POP3: case P_APOP: fetchsizelimit = 1; } @@ -1064,26 +996,6 @@ static int do_session( ctl->server.base_protocol->name, ctl->server.pollname); strlcpy(errbuf, strerror(err_no), sizeof(errbuf)); report_complete(stderr, ": %s\n", errbuf); - -#ifdef __UNUSED__ - /* - * Don't use this. It was an attempt to address Debian bug - * #47143 (Notify user by mail when pop server nonexistent). - * Trouble is, that doesn't work; you trip over the case - * where your SLIP or PPP link is down... - */ - /* warn the system administrator */ - if (open_warning_by_mail(ctl) == 0) - { - stuff_warning(iana_charset, ctl, - GT_("Subject: Fetchmail unreachable-server warning.")); - stuff_warning(NULL, ctl, ""); - stuff_warning(NULL, ctl, GT_("Fetchmail could not reach the mail server %s:"), - ctl->server.pollname); - stuff_warning(NULL, ctl, errbuf, ctl->server.pollname); - close_warning_by_mail(ctl, (struct msgblk *)NULL); - } -#endif } err = PS_SOCKET; set_timeout(0); @@ -1123,17 +1035,6 @@ static int do_session( */ set_timeout(0); phase = oldphase; -#ifdef KERBEROS_V4 - if (ctl->server.authenticate == A_KERBEROS_V4 && (strcasecmp(proto->name,"IMAP") != 0)) - { - set_timeout(mytimeout); - err = kerberos_auth(mailserver_socket, ctl->server.truename, - ctl->server.principal); - set_timeout(0); - if (err != 0) - goto cleanUp; - } -#endif /* KERBEROS_V4 */ #ifdef KERBEROS_V5 if (ctl->server.authenticate == A_KERBEROS_V5) @@ -1598,14 +1499,6 @@ int do_protocol(struct query *ctl /** parsed options with merged-in defaults */, { int err; -#ifndef KERBEROS_V4 - if (ctl->server.authenticate == A_KERBEROS_V4) - { - report(stderr, GT_("Kerberos V4 support not linked.\n")); - return(PS_ERROR); - } -#endif /* KERBEROS_V4 */ - #ifndef KERBEROS_V5 if (ctl->server.authenticate == A_KERBEROS_V5) { 
diff --git a/env.c b/env.c
index e9dfad90..cc8c9cd9 100644
--- a/env.c
+++ b/env.c
@@ -244,7 +244,6 @@ const char *showproto(int proto)
 #ifdef POP3_ENABLE
 case P_POP3: return("POP3");
 case P_APOP: return("APOP");
- case P_RPOP: return("RPOP");
 #endif /* POP3_ENABLE */
 #ifdef IMAP_ENABLE
 case P_IMAP: return("IMAP");
diff --git a/fetchmail-features.html b/fetchmail-features.html
index cbf6cbe0..804cf779 100644
--- a/fetchmail-features.html
+++ b/fetchmail-features.html
@@ -26,7 +26,7 @@

Version 6.4:

    -
  • Removes support for obsolete POP2.
  • +
  • Removes support for obsolete POP2, RPOP, Kerberos IV.

Since 5.0:

@@ -204,7 +204,7 @@ syslog. only when a point-to-point link to a particular IP address is up. -
  • RPOP support (restored; had been removed in 1.8).
  • +
  • RPOP support (restored; had been removed in 1.8, later removed again).
  • 2.0 and earlier versions:

    diff --git a/fetchmail.c b/fetchmail.c index b2f3487b..8a0b64a4 100644 --- a/fetchmail.c +++ b/fetchmail.c @@ -262,9 +262,6 @@ int main(int argc, char **argv) #ifdef ENABLE_NLS "+NLS" #endif /* ENABLE_NLS */ -#ifdef KERBEROS_V4 - "+KRB4" -#endif /* KERBEROS_V4 */ #ifdef KERBEROS_V5 "+KRB5" #endif /* KERBEROS_V5 */ @@ -1142,7 +1139,6 @@ static int load_params(int argc, char **argv, int optind) for (ctl = querylist; ctl; ctl = ctl->next) if (ctl->active && (ctl->server.protocol==P_ETRN || ctl->server.protocol==P_ODMR - || ctl->server.authenticate == A_KERBEROS_V4 || ctl->server.authenticate == A_KERBEROS_V5)) { fetchmailhost = host_fqdn(1); @@ -1218,12 +1214,6 @@ static int load_params(int argc, char **argv, int optind) } #endif /* SSL_ENABLE */ #undef DEFAULT -#ifndef KERBEROS_V4 - if (ctl->server.authenticate == A_KERBEROS_V4) { - report(stderr, GT_("KERBEROS v4 support is configured, but not compiled in.\n")); - exit(PS_SYNTAX); - } -#endif #ifndef KERBEROS_V5 if (ctl->server.authenticate == A_KERBEROS_V5) { report(stderr, GT_("KERBEROS v5 support is configured, but not compiled in.\n")); @@ -1286,13 +1276,6 @@ static int load_params(int argc, char **argv, int optind) ctl->server.pollname); exit(PS_SYNTAX); } - if (ctl->server.protocol == P_RPOP && port >= 1024) - { - (void) fprintf(stderr, - GT_("fetchmail: %s configuration invalid, RPOP requires a privileged port\n"), - ctl->server.pollname); - exit(PS_SYNTAX); - } } if (ctl->listener == LMTP_MODE) { @@ -1435,7 +1418,6 @@ static int query_host(struct query *ctl) break; case P_POP3: case P_APOP: - case P_RPOP: #ifdef POP3_ENABLE do { st = doPOP3(ctl); @@ -1554,9 +1536,6 @@ static void dump_params (struct runctl *runp, if (ctl->server.protocol == P_APOP) printf(GT_(" APOP secret = \"%s\".\n"), visbuf(ctl->password)); - else if (ctl->server.protocol == P_RPOP) - printf(GT_(" RPOP id = \"%s\".\n"), - visbuf(ctl->password)); else printf(GT_(" Password = \"%s\".\n"), visbuf(ctl->password)); 
@@ -1565,8 +1544,7 @@ static void dump_params (struct runctl *runp, if (ctl->server.protocol == P_POP3 && ctl->server.service && !strcmp(ctl->server.service, KPOP_PORT) - && (ctl->server.authenticate == A_KERBEROS_V4 || - ctl->server.authenticate == A_KERBEROS_V5)) + && (ctl->server.authenticate == A_KERBEROS_V5)) printf(GT_(" Protocol is KPOP with Kerberos %s authentication"), ctl->server.authenticate == A_KERBEROS_V5 ? "V" : "IV"); else @@ -1602,9 +1580,6 @@ static void dump_params (struct runctl *runp, case A_GSSAPI: printf(GT_(" GSSAPI authentication will be forced.\n")); break; - case A_KERBEROS_V4: - printf(GT_(" Kerberos V4 authentication will be forced.\n")); - break; case A_KERBEROS_V5: printf(GT_(" Kerberos V5 authentication will be forced.\n")); break; diff --git a/fetchmail.h b/fetchmail.h index 14ad4eec..eb4f47b1 100644 --- a/fetchmail.h +++ b/fetchmail.h @@ -25,7 +25,6 @@ struct addrinfo; #define P_AUTO 1 #define P_POP3 3 #define P_APOP 4 -#define P_RPOP 5 #define P_IMAP 6 #define P_ETRN 7 #define P_ODMR 8 @@ -52,7 +51,6 @@ struct addrinfo; #define A_NTLM 2 /* Microsoft NTLM protocol */ #define A_CRAM_MD5 3 /* CRAM-MD5 shrouding (RFC2195) */ #define A_OTP 4 /* One-time password (RFC1508) */ -#define A_KERBEROS_V4 5 /* authenticate w/ Kerberos V4 */ #define A_KERBEROS_V5 6 /* authenticate w/ Kerberos V5 */ #define A_GSSAPI 7 /* authenticate with GSSAPI */ #define A_SSH 8 /* authentication at session level */ @@ -63,7 +61,6 @@ struct addrinfo; * require a password */ #define NO_PASSWORD(ctl) \ ((ctl)->server.authenticate == A_OTP \ - || (ctl)->server.authenticate == A_KERBEROS_V4 \ || (ctl)->server.authenticate == A_KERBEROS_V5 \ || (ctl)->server.authenticate == A_GSSAPI \ || (ctl)->server.authenticate == A_SSH \ 
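Review bot: With `A_KERBEROS_V4` gone from the condition, the argument `ctl->server.authenticate == A_KERBEROS_V5 ? "V" : "IV"` in the KPOP branch of dump_params is always "V", so the "IV" arm is dead code that still suggests Kerberos IV can be selected. Pass the constant instead, `printf(GT_(" Protocol is KPOP with Kerberos %s authentication"), "V");`, which keeps the translated msgid unchanged, and drop the now redundant parentheses around the single comparison. dump_params starts and ends outside this hunk.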
@@ -456,7 +453,7 @@ extern const char *iana_charset; /* IANA assigned charset name */ /* prototypes for globally callable functions */ /* from /usr/include/sys/cdefs.h */ -#if !defined __GNUC__ || __GNUC__ < 2 +#if !defined __GNUC__ # define __attribute__(xyz) /* Ignore. */ #endif @@ -656,12 +653,6 @@ int yylex(void); #define STRING_DISABLED (char *)-1 #define STRING_DUMMY "" -#ifdef NeXT -#ifndef S_IXGRP -#define S_IXGRP 0000010 -#endif -#endif - #ifndef HAVE_STPCPY char *stpcpy(char *, const char*); #endif diff --git a/fetchmail.man b/fetchmail.man index 3686a186..0c801632 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -272,10 +272,8 @@ Post Office Protocol 3 .IP APOP Use POP3 with old-fashioned MD5-challenge authentication. Considered not resistant to man-in-the-middle attacks. -.IP RPOP -Use POP3 with RPOP authentication. .IP KPOP -Use POP3 with Kerberos V4 authentication on port 1109. +Use POP3 with Kerberos V5 authentication on port 1109. .IP SDPS Use POP3 with Demon Internet's SDPS extensions. .IP IMAP @@ -908,12 +906,11 @@ Note that this option may be removed from a future fetchmail version. .br This option permits you to specify an authentication type (see USER AUTHENTICATION below for details). The possible values are \fBany\fP, -\&\fBpassword\fP, \fBkerberos_v5\fP, \fBkerberos\fP (or, for -excruciating exactness, \fBkerberos_v4\fP), \fBgssapi\fP, +\&\fBpassword\fP, \fBkerberos_v5\fP, \fBgssapi\fP, \fBcram\-md5\fP, \fBotp\fP, \fBntlm\fP, \fBmsn\fP (only for POP3), \fBexternal\fP (only IMAP) and \fBssh\fP. When \fBany\fP (the default) is specified, fetchmail tries -first methods that don't require a password (EXTERNAL, GSSAPI, KERBEROS\ IV, +first methods that don't require a password (EXTERNAL, GSSAPI, KERBEROS\ 5); then it looks for methods that mask your password (CRAM-MD5, NTLM, X\-OTP - note that MSN is only supported for POP3, but not autoprobed); and only if the server doesn't 
@@ -925,11 +922,10 @@ Any value other than \fBpassword\fP, \fBcram\-md5\fP, \fBntlm\fP, \&\fBmsn\fP or \fBotp\fP suppresses fetchmail's normal inquiry for a password. Specify \fBssh\fP when you are using an end-to-end secure connection such as an ssh tunnel; specify \fBexternal\fP when you use -TLS with client authentication and specify \fBgssapi\fP or -\&\fBkerberos_v4\fP if you are using a protocol variant that employs -GSSAPI or K4. Choosing KPOP protocol automatically selects Kerberos -authentication. This option does not work with ETRN. GSSAPI service names are -in line with RFC-2743 and IANA registrations, see +TLS with client authentication and specify \fBgssapi\fP if you are using a +protocol variant that employs GSSAPI. Choosing KPOP protocol automatically +selects Kerberos authentication. This option does not work with ETRN. +GSSAPI service names are in line with RFC-2743 and IANA registrations, see .URL http://www.iana.org/assignments/gssapi-service-names/ "Generic Security Service Application Program Interface (GSSAPI)/Kerberos/Simple Authentication and Security Layer (SASL) Service Names" . .SS Miscellaneous Options .TP 
@@ -1101,17 +1097,6 @@ a mailbox on the server. Contact your server administrator if you don't know the correct user-id and password for your mailbox account. .SH POP3 VARIANTS .PP -Early versions of POP3 (RFC1081, RFC1225) supported a crude form of -independent authentication using the \fI.rhosts\fP file on the -mailserver side. Under this RPOP variant, a fixed per-user ID -equivalent to a password was sent in clear over a link to a reserved -port, with the command RPOP rather than PASS to alert the server that it -should do special checking. RPOP is supported by \fBfetchmail\fP -(you can specify 'protocol RPOP' to have the program send 'RPOP' -rather than 'PASS') but its use is strongly discouraged, and support -will be removed from a future fetchmail version. This -facility was vulnerable to spoofing and was withdrawn in RFC1460. -.PP RFC1460 introduced APOP authentication. In this variant of POP3, you register an APOP password on your server host (on some servers, the program to do this is called \fBpopauth\fP(8)). You put the same @@ -1150,7 +1135,7 @@ command causes much grief on some servers and is only optional. .PP If your \fBfetchmail\fP was built with Kerberos support and you specify Kerberos authentication (either with \-\-auth or the \fI.fetchmailrc\fP -option \fBauthenticate kerberos_v4\fP) it will try to get a Kerberos +option \fBauthenticate kerberos_v5\fP) it will try to get a Kerberos ticket from the mailserver at the start of each query. Note: if either the pollname or via name is 'hesiod', fetchmail will try to use Hesiod to look up the mailserver. 
@@ -2197,18 +2182,18 @@ Legal protocol identifiers for use with the 'protocol' keyword are: .fi .sp .PP -Legal authentication types are 'any', 'password', 'kerberos', -\&'kerberos_v4', 'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn' +Legal authentication types are 'any', 'password', +\&'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn' (only for POP3), 'ntlm', 'ssh', 'external' (only IMAP). The 'password' type specifies authentication by normal transmission of a password (the password may be plain text or subject to protocol-specific encryption as in CRAM-MD5); -\&'kerberos' tells \fBfetchmail\fP to try to get a Kerberos ticket at the +\&'kerberos_v5' tells \fBfetchmail\fP to try to get a Kerberos ticket at the start of each query instead, and send an arbitrary string as the password; and 'gssapi' tells fetchmail to use GSSAPI authentication. See the description of the 'auth' keyword for more. .PP -Specifying 'kpop' sets POP3 protocol over port 1109 with Kerberos V4 +Specifying 'kpop' sets POP3 protocol over port 1109 with Kerberos V5 authentication. These defaults may be overridden by later options. .PP There are some global option statements: 'set logfile' @@ -2869,7 +2854,7 @@ buggy terminal ioctl code in the kernel. The \-f\~\- option (reading a configuration from stdin) is incompatible with the plugin option. .PP -The 'principal' option only handles Kerberos IV, not V. +The 'principal' option does not work for Kerberos V. .PP Interactively entered passwords are truncated after 63 characters. If you really need to use a longer password, you will have to use a @@ -2950,9 +2935,6 @@ RFC 2195, RFC 2449. APOP: RFC 1939. .TP 5 -RPOP: -RFC 1081, RFC 1225. -.TP 5 IMAP2/IMAP2BIS: RFC 1176, RFC 1732. .TP 5 diff --git a/fm_md5.h b/fm_md5.h index 5243c51b..a92a3988 100644 --- a/fm_md5.h +++ b/fm_md5.h @@ -3,7 +3,7 @@ #include "config.h" -#include +#include #ifdef HAVE_MD5_H #include 
@@ -14,23 +14,16 @@ #define HEADER_MD5_H #endif - -#if SIZEOF_INT == 4 -typedef unsigned int uint32; -#else -typedef unsigned long int uint32; -#endif - struct MD5Context { - uint32 buf[4]; - uint32 bits[2]; + uint32_t buf[4]; + uint32_t bits[2]; unsigned char in[64]; }; void MD5Init(struct MD5Context *context); void MD5Update(struct MD5Context *context, const void *buf, unsigned len); void MD5Final(void *digest, struct MD5Context *context); -void MD5Transform(uint32 buf[], uint32 const in[]); +void MD5Transform(uint32_t buf[], uint32_t const in[]); /* * This is needed to make RSAREF happy on some MS-DOS compilers. diff --git a/idlist.c b/idlist.c index d886de6b..a2dfe3a6 100644 --- a/idlist.c +++ b/idlist.c @@ -82,21 +82,6 @@ void save_str_pair(struct idlist **idl, const char *str1, const char *str2) (*end)->next = (struct idlist *)NULL; } -#ifdef __UNUSED__ -void free_str_pair_list(struct idlist **idl) -/* free the given ID pair list */ -{ - if (*idl == (struct idlist *)NULL) - return; - - free_idpair_list(&(*idl)->next); - free ((*idl)->id); - free ((*idl)->val.id2); - free(*idl); - *idl = (struct idlist *)NULL; -} -#endif - /** Check if ID \a str is in idlist \a idl. \return idlist entry if found, * NULL if not found. */ struct idlist *str_in_list(struct idlist **idl, const char *str, diff --git a/imap.c b/imap.c index 39411e85..786f9de4 100644 --- a/imap.c +++ b/imap.c 
@@ -528,24 +528,6 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting) } #endif /* GSSAPI */ -#ifdef KERBEROS_V4 - if ((ctl->server.authenticate == A_ANY - || ctl->server.authenticate == A_KERBEROS_V4 - || ctl->server.authenticate == A_KERBEROS_V5) - && strstr(capabilities, "AUTH=KERBEROS_V4")) - { - if ((ok = do_rfc1731(sock, "AUTHENTICATE", ctl->server.truename))) - { - /* SASL cancellation of authentication */ - gen_send(sock, "*"); - if(ctl->server.authenticate != A_ANY) - return ok; - } - else - return ok; - } -#endif /* KERBEROS_V4 */ - /* * No such luck. OK, now try the variants that mask your password * in a challenge-response. @@ -605,15 +587,6 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting) } #endif /* NTLM_ENABLE */ -#ifdef __UNUSED__ /* The Cyrus IMAP4rev1 server chokes on this */ - /* this handles either AUTH=LOGIN or AUTH-LOGIN */ - if ((imap_version >= IMAP4rev1) && (!strstr(capabilities, "LOGIN"))) - { - report(stderr, - GT_("Required LOGIN capability not supported by server\n")); - } -#endif /* __UNUSED__ */ - /* * We're stuck with sending the password en clair. * The reason for this odd-looking logic is that some diff --git a/interface.c b/interface.c index f2e70969..833bc33e 100644 --- a/interface.c +++ b/interface.c @@ -225,10 +225,8 @@ get_ifinfo(const char *ifname, ifinfo_t *ifinfo) char iname[16]; struct ifnet ifnet; unsigned long ifnet_addr = ifnet_savedaddr; -#if __FreeBSD_version >= 300001 struct ifnethead ifnethead; struct ifaddrhead ifaddrhead; -#endif struct ifaddr ifaddr; unsigned long ifaddr_addr; struct sockaddr sa; @@ -254,12 +252,8 @@ get_ifinfo(const char *ifname, ifinfo_t *ifinfo) } } -#if __FreeBSD_version >= 300001 kvm_read(kvmfd, ifnet_savedaddr, (char *) &ifnethead, sizeof ifnethead); ifnet_addr = (u_long) ifnethead.tqh_first; -#else - ifnet_addr = ifnet_savedaddr; -#endif while (ifnet_addr) { 
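Review bot: The now-unconditional `kvm_read(kvmfd, ifnet_savedaddr, (char *) &ifnethead, sizeof ifnethead);` in get_ifinfo (hunk `@@ -254,12 +252,8 @@`) discards its return value, so a failed or short read leaves the local `ifnethead` uninitialised and the next line takes a kernel address from it via `ifnethead.tqh_first`. Check the result before using the structure, e.g. `if (kvm_read(kvmfd, ifnet_savedaddr, (char *) &ifnethead, sizeof ifnethead) != (ssize_t) sizeof ifnethead)` and take the function's failure path in that case. The kvm_read calls inside the loop are outside this hunk and would need the same check if they are also unchecked.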
@@ -279,11 +273,7 @@ get_ifinfo(const char *ifname, ifinfo_t *ifinfo) ifinfo->rx_packets = ifnet.if_ipackets; ifinfo->tx_packets = ifnet.if_opackets; -#if __FreeBSD_version >= 300001 ifaddr_addr = (u_long) ifnet.if_addrhead.tqh_first; -#else - ifaddr_addr = (u_long) ifnet.if_addrlist; -#endif while(ifaddr_addr) { @@ -292,11 +282,7 @@ get_ifinfo(const char *ifname, ifinfo_t *ifinfo) if (sa.sa_family != AF_INET) { -#if __FreeBSD_version >= 300001 ifaddr_addr = (u_long) ifaddr.ifa_link.tqe_next; -#else - ifaddr_addr = (u_long) ifaddr.ifa_next; -#endif continue; } @@ -318,11 +304,7 @@ get_ifinfo(const char *ifname, ifinfo_t *ifinfo) return 0; } -#if __FreeBSD_version >= 300001 ifnet_addr = (u_long) ifnet.if_link.tqe_next; -#else - ifnet_addr = (unsigned long) ifnet.if_next; -#endif } if (if_egid) diff --git a/kerberos.c b/kerberos.c deleted file mode 100644 index 1125ec9c..00000000 --- a/kerberos.c +++ /dev/null 
@@ -1,260 +0,0 @@ -/* - * kerberos.c -- Kerberos authentication (see RFC 1731). - * - * For license terms, see the file COPYING in this directory. - */ -#include "config.h" - -#ifdef KERBEROS_V4 - -#include -#include -#include -#include -#include "fetchmail.h" -#include "socket.h" -#include "kerberos.h" - -#include -#include /* for htonl/ntohl */ - -#include "i18n.h" - -#if SIZEOF_INT == 4 -typedef int int32; -#elif SIZEOF_SHORT == 4 -typedef short int32; -#elif SIZEOF_LONG == 4 -typedef long int32; -#else -#error Cannot deduce a 32-bit-type -#endif - -int do_rfc1731(int sock, char *command, char *truename) -/* authenticate as per RFC1731 -- note 32-bit integer requirement here */ -{ - int result = 0, len; - char buf1[4096], buf2[4096]; - union { - int32 cint; - char cstr[4]; - } challenge1, challenge2; - char srvinst[INST_SZ]; - char *p; - char srvrealm[REALM_SZ]; - KTEXT_ST authenticator; - CREDENTIALS credentials; - char tktuser[MAX_K_NAME_SZ+1+INST_SZ+1+REALM_SZ+1]; - char tktinst[INST_SZ]; - char tktrealm[REALM_SZ]; - des_cblock session; - des_key_schedule schedule; - - gen_send(sock, "%s KERBEROS_V4", command); - - /* The data encoded in the first ready response contains a random - * 32-bit number in network byte order. The client should respond - * with a Kerberos ticket and an authenticator for the principal - * "imap.hostname@realm", where "hostname" is the first component - * of the host name of the server with all letters in lower case - * and where "realm" is the Kerberos realm of the server. The - * encrypted checksum field included within the Kerberos - * authenticator should contain the server provided 32-bit number - * in network byte order. 
- */ - - if ((result = gen_recv(sock, buf1, sizeof buf1)) != 0) { - return result; - } - - len = from64tobits(challenge1.cstr, buf1, sizeof(challenge1.cstr)); - if (len < 0) { - report(stderr, GT_("could not decode initial BASE64 challenge\n")); - return PS_AUTHFAIL; - } - - /* this patch by Dan Root solves an endianess - * problem. */ - { - char tmp[4]; - - *(int *)tmp = ntohl(*(int *) challenge1.cstr); - memcpy(challenge1.cstr, tmp, sizeof(tmp)); - } - - /* Client responds with a Kerberos ticket and an authenticator for - * the principal "imap.hostname@realm" where "hostname" is the - * first component of the host name of the server with all letters - * in lower case and where "realm" is the Kerberos realm of the - * server. The encrypted checksum field included within the - * Kerberos authenticator should contain the server-provided - * 32-bit number in network byte order. - */ - - strncpy(srvinst, truename, (sizeof srvinst)-1); - srvinst[(sizeof srvinst)-1] = '\0'; - for (p = srvinst; *p; p++) { - if (isupper((unsigned char)*p)) { - *p = tolower((unsigned char)*p); - } - } - - strncpy(srvrealm, (char *)krb_realmofhost(srvinst), (sizeof srvrealm)-1); - srvrealm[(sizeof srvrealm)-1] = '\0'; - if ((p = strchr(srvinst, '.')) != NULL) { - *p = '\0'; - } - - result = krb_mk_req(&authenticator, "imap", srvinst, srvrealm, 0); - if (result) { - report(stderr, "krb_mq_req: %s\n", krb_get_err_text(result)); - return PS_AUTHFAIL; - } - - result = krb_get_cred("imap", srvinst, srvrealm, &credentials); - if (result) { - report(stderr, "krb_get_cred: %s\n", krb_get_err_text(result)); - return PS_AUTHFAIL; - } - - memcpy(session, credentials.session, sizeof session); - memset(&credentials, 0, sizeof credentials); - des_key_sched(&session, schedule); - - result = krb_get_tf_fullname(TKT_FILE, tktuser, tktinst, tktrealm); - if (result) { - report(stderr, "krb_get_tf_fullname: %s\n", krb_get_err_text(result)); - return PS_AUTHFAIL; - } - -#ifdef __UNUSED__ - /* - * Andrew H. 
Chatham alleges that this check - * is not necessary and has consistently been messing him up. - */ - if (strcmp(tktuser, user) != 0) { - report(stderr, - GT_("principal %s in ticket does not match -u %s\n"), tktuser, - user); - return PS_AUTHFAIL; - } -#endif /* __UNUSED__ */ - - if (tktinst[0]) { - report(stderr, - GT_("non-null instance (%s) might cause strange behavior\n"), - tktinst); - strlcat(tktuser, ".", sizeof(tktuser)); - strlcat(tktuser, tktinst, sizeof(tktuser)); - } - - if (strcmp(tktrealm, srvrealm) != 0) { - strlcat(tktuser, "@", sizeof(tktuser)); - strlcat(tktuser, tktrealm, sizeof(tktuser)); - } - - result = krb_mk_req(&authenticator, "imap", srvinst, srvrealm, - challenge1.cint); - if (result) { - report(stderr, "krb_mq_req: %s\n", krb_get_err_text(result)); - return PS_AUTHFAIL; - } - - to64frombits(buf1, authenticator.dat, authenticator.length); - if (outlevel >= O_MONITOR) { - report(stdout, "IMAP> %s\n", buf1); - } - strcat(buf1, "\r\n"); - SockWrite(sock, buf1, strlen(buf1)); - - /* Upon decrypting and verifying the ticket and authenticator, the - * server should verify that the contained checksum field equals - * the original server provided random 32-bit number. Should the - * verification be successful, the server must add one to the - * checksum and construct 8 octets of data, with the first four - * octets containing the incremented checksum in network byte - * order, the fifth octet containing a bit-mask specifying the - * protection mechanisms supported by the server, and the sixth - * through eighth octets containing, in network byte order, the - * maximum cipher-text buffer size the server is able to receive. - * The server must encrypt the 8 octets of data in the session key - * and issue that encrypted data in a second ready response. The - * client should consider the server authenticated if the first - * four octets the un-encrypted data is equal to one plus the - * checksum it previously sent. 
- */ - - if ((result = gen_recv(sock, buf1, sizeof buf1)) != 0) - return result; - - /* The client must construct data with the first four octets - * containing the original server-issued checksum in network byte - * order, the fifth octet containing the bit-mask specifying the - * selected protection mechanism, the sixth through eighth octets - * containing in network byte order the maximum cipher-text buffer - * size the client is able to receive, and the following octets - * containing a user name string. The client must then append - * from one to eight octets so that the length of the data is a - * multiple of eight octets. The client must then PCBC encrypt the - * data with the session key and respond to the second ready - * response with the encrypted data. The server decrypts the data - * and verifies the contained checksum. The username field - * identifies the user for whom subsequent IMAP operations are to - * be performed; the server must verify that the principal - * identified in the Kerberos ticket is authorized to connect as - * that user. After these verifications, the authentication - * process is complete. 
- */ - - len = from64tobits(buf2, buf1, sizeof(buf2)); - if (len < 0) { - report(stderr, GT_("could not decode BASE64 ready response\n")); - return PS_AUTHFAIL; - } - - des_ecb_encrypt((des_cblock *)buf2, (des_cblock *)buf2, schedule, 0); - memcpy(challenge2.cstr, buf2, 4); - if ((int32)ntohl(challenge2.cint) != challenge1.cint + 1) { - report(stderr, GT_("challenge mismatch\n")); - return PS_AUTHFAIL; - } - - memset(authenticator.dat, 0, sizeof authenticator.dat); - - result = htonl(challenge1.cint); - memcpy(authenticator.dat, &result, sizeof result); - - /* The protection mechanisms and their corresponding bit-masks are as - * follows: - * - * 1 No protection mechanism - * 2 Integrity (krb_mk_safe) protection - * 4 Privacy (krb_mk_priv) protection - */ - authenticator.dat[4] = 1; - - len = strlen(tktuser); - strncpy((char *)authenticator.dat+8, tktuser, len); - authenticator.length = len + 8 + 1; - while (authenticator.length & 7) { - authenticator.length++; - } - des_pcbc_encrypt((const unsigned char *)authenticator.dat, - (unsigned char *)authenticator.dat, authenticator.length, schedule, - &session, 1); - - to64frombits(buf1, authenticator.dat, authenticator.length); - - /* ship down the response, accept the server's error/ok indication */ - suppress_tags = TRUE; - result = gen_transact(sock, buf1, strlen(buf1)); - suppress_tags = FALSE; - if (result) - return(result); - else - return(PS_SUCCESS); -} -#endif /* KERBEROS_V4 */ - -/* kerberos.c ends here */ - diff --git a/kerberos.h b/kerberos.h index fc0689da..ae3d3db5 100644 --- a/kerberos.h +++ b/kerberos.h 
@@ -6,33 +6,12 @@ #ifndef H_KERBEROS__ #define H_KERBEROS__ + #include "config.h" -#if defined(KERBEROS_V4) || defined(KERBEROS_V5) #ifdef KERBEROS_V5 #include /* #include */ -#endif - -#ifdef KERBEROS_V4 -# ifdef KERBEROS_V4_V5 -# include -# include -# else -# if defined (__bsdi__) -# include /* order of includes matters */ -# define krb_get_err_text(e) (krb_err_txt[e]) -# endif -# include -# if defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) -# define krb_get_err_text(e) (krb_err_txt[e]) -# include -# endif -# endif -#endif - -/* des.h might define _ for no good reason. */ -#undef _ +#endif /* KERBEROS_V5 */ -#endif /* KERBEROS_V4 || KERBEROS_V5 */ #endif /* H_KERBEROS__ */ diff --git a/options.c b/options.c index 6d7e87a2..3661a71f 100644 --- a/options.c +++ b/options.c @@ -300,16 +300,12 @@ int parsecmdline (int argc /** argument count */, ctl->server.protocol = P_POP3; else if (strcasecmp(optarg,"apop") == 0) ctl->server.protocol = P_APOP; - else if (strcasecmp(optarg,"rpop") == 0) - ctl->server.protocol = P_RPOP; else if (strcasecmp(optarg,"kpop") == 0) { ctl->server.protocol = P_POP3; ctl->server.service = KPOP_PORT; #ifdef KERBEROS_V5 ctl->server.authenticate = A_KERBEROS_V5; -#else - ctl->server.authenticate = A_KERBEROS_V4; #endif /* KERBEROS_V5 */ } else if (strcasecmp(optarg,"imap") == 0) 
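Review bot: In a build without `KERBEROS_V5`, `--protocol kpop` is still accepted by the options.c hunk: it sets `P_POP3` and `KPOP_PORT` but now leaves `ctl->server.authenticate` untouched, where the old `#else` branch at least forced a Kerberos method. The rcfile path in this same commit rejects that configuration with `yyerror(GT_("Kerberos not enabled."))`, so the command line should fail the same way, with an `#else` branch that reports the error through whatever parsecmdline() uses for invalid option arguments (not visible in the hunk). Without it, whether a password can be sent to the KPOP port depends entirely on the later guard in pop3_getauth(). parsecmdline() starts and ends outside the hunk.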
@@ -335,16 +331,12 @@ int parsecmdline (int argc /** argument count */, case LA_AUTH: if (strcmp(optarg, "password") == 0) ctl->server.authenticate = A_PASSWORD; - else if (strcmp(optarg, "kerberos") == 0) #ifdef KERBEROS_V5 + else if (strcmp(optarg, "kerberos") == 0) ctl->server.authenticate = A_KERBEROS_V5; -#else - ctl->server.authenticate = A_KERBEROS_V4; -#endif /* KERBEROS_V5 */ else if (strcmp(optarg, "kerberos_v5") == 0) ctl->server.authenticate = A_KERBEROS_V5; - else if (strcmp(optarg, "kerberos_v4") == 0) - ctl->server.authenticate = A_KERBEROS_V4; +#endif /* KERBEROS_V5 */ else if (strcmp(optarg, "ssh") == 0) ctl->server.authenticate = A_SSH; else if (strcasecmp(optarg, "external") == 0) diff --git a/po/POTFILES.in b/po/POTFILES.in index 39e43347..32835c57 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -10,7 +10,6 @@ gssapi.c idle.c imap.c interface.c -kerberos.c lock.c netrc.c odmr.c diff --git a/pop3.c b/pop3.c index be7315bb..0374a1ba 100644 --- a/pop3.c +++ b/pop3.c @@ -41,9 +41,9 @@ flag done_capa = FALSE; #if defined(GSSAPI) flag has_gssapi = FALSE; #endif /* defined(GSSAPI) */ -#if defined(KERBEROS_V4) || defined(KERBEROS_V5) +#if defined(KERBEROS_V5) flag has_kerberos = FALSE; -#endif /* defined(KERBEROS_V4) || defined(KERBEROS_V5) */ +#endif /* defined(KERBEROS_V5) */ static flag has_cram = FALSE; #ifdef OPIE_ENABLE flag has_otp = FALSE; @@ -201,9 +201,9 @@ static int capa_probe(int sock) #if defined(GSSAPI) has_gssapi = FALSE; #endif /* defined(GSSAPI) */ -#if defined(KERBEROS_V4) || defined(KERBEROS_V5) +#if defined(KERBEROS_V5) has_kerberos = FALSE; -#endif /* defined(KERBEROS_V4) || defined(KERBEROS_V5) */ +#endif /* defined(KERBEROS_V5) */ has_cram = FALSE; #ifdef OPIE_ENABLE has_otp = FALSE; 
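Review bot: `has_kerberos` in pop3.c looks like a dead flag after this commit. The declaration and the resets in capa_probe() and pop3_getauth() are kept under `#if defined(KERBEROS_V5)`, but the only assignment of `TRUE` visible in the patch (the `strstr(buffer, "KERBEROS_V4")` test) and the only reader (the `do_rfc1731` block) are both removed. If nothing else sets or reads it (it is a non-static global, so check other files), drop the variable and the three guarded blocks instead of renaming the guard; a flag that is reset but never set invites a later reader to assume Kerberos capability detection still exists.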
@@ -233,11 +233,6 @@ static int capa_probe(int sock) has_gssapi = TRUE; #endif /* defined(GSSAPI) */ -#if defined(KERBEROS_V4) - if (strstr(buffer, "KERBEROS_V4")) - has_kerberos = TRUE; -#endif /* defined(KERBEROS_V4) */ - #ifdef OPIE_ENABLE if (strstr(buffer, "X-OTP")) has_otp = TRUE; @@ -283,9 +278,9 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) #if defined(GSSAPI) has_gssapi = FALSE; #endif /* defined(GSSAPI) */ -#if defined(KERBEROS_V4) || defined(KERBEROS_V5) +#if defined(KERBEROS_V5) has_kerberos = FALSE; -#endif /* defined(KERBEROS_V4) || defined(KERBEROS_V5) */ +#endif /* defined(KERBEROS_V5) */ has_cram = FALSE; #ifdef OPIE_ENABLE has_otp = FALSE; @@ -385,7 +380,6 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) */ if ((ctl->server.authenticate == A_ANY) || (ctl->server.authenticate == A_GSSAPI) || - (ctl->server.authenticate == A_KERBEROS_V4) || (ctl->server.authenticate == A_KERBEROS_V5) || (ctl->server.authenticate == A_OTP) || (ctl->server.authenticate == A_CRAM_MD5) || @@ -494,22 +488,6 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) /* * OK, we have an authentication type now. */ -#if defined(KERBEROS_V4) - /* - * Servers doing KPOP have to go through a dummy login sequence - * rather than doing SASL. - */ - if (has_kerberos && - ctl->server.service && (strcmp(ctl->server.service, KPOP_PORT)!=0) - && (ctl->server.authenticate == A_KERBEROS_V4 - || ctl->server.authenticate == A_KERBEROS_V5 - || ctl->server.authenticate == A_ANY)) - { - ok = do_rfc1731(sock, "AUTH", ctl->server.truename); - if (ok == PS_SUCCESS || ctl->server.authenticate != A_ANY) - break; - } -#endif /* defined(KERBEROS_V4) || defined(KERBEROS_V5) */ #if defined(GSSAPI) if (has_gssapi && 
@@ -596,7 +574,6 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) * users switching *to* KPOP accidentally revealing their * password */ if ((ctl->server.authenticate == A_ANY - || ctl->server.authenticate == A_KERBEROS_V4 || ctl->server.authenticate == A_KERBEROS_V5) && (ctl->server.service != NULL && strcmp(ctl->server.service, KPOP_PORT) == 0)) @@ -664,15 +641,6 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) ok = gen_transact(sock, "APOP %s %s", ctl->remotename, (char *)ctl->digest); break; - case P_RPOP: - if ((ok = gen_transact(sock,"USER %s", ctl->remotename)) == 0) { - strlcpy(shroud, ctl->password, sizeof(shroud)); - ok = gen_transact(sock, "RPOP %s", ctl->password); - memset(shroud, 0x55, sizeof(shroud)); - shroud[0] = '\0'; - } - break; - default: report(stderr, GT_("Undefined protocol request in POP3_auth\n")); ok = PS_ERROR; @@ -1078,29 +1046,6 @@ static int pop3_is_old(int sock, struct query *ctl, int num) newl->val.status.mark != UID_UNSEEN); } -#ifdef UNUSED -/* - * We could use this to fetch headers only as we do for IMAP. The trouble - * is that there's no way to fetch the body only. So the following RETR - * would have to re-fetch the header. Enough messages have longer headers - * than bodies to make this a net loss. - */ -static int pop_fetch_headers(int sock, struct query *ctl,int number,int *lenp) -/* request headers of nth message */ -{ - int ok; - char buf[POPBUFSIZE+1]; - - gen_send(sock, "TOP %d 0", number); - if ((ok = pop3_ok(sock, buf)) != 0) - return(ok); - - *lenp = -1; /* we got sizes from the LIST response */ - - return(PS_SUCCESS); -} -#endif /* UNUSED */ - static int pop3_fetch(int sock, struct query *ctl, int number, int *lenp) /* request nth message */ { 
@@ -1232,24 +1177,6 @@ static int pop3_logout(int sock, struct query *ctl) { int ok; -#ifdef __UNUSED__ - /* - * We used to do this in case the server marks messages deleted when seen. - * (Yes, this has been reported, in the MercuryP/NLM server. - * It's even legal under RFC 1939 (section 8) as a site policy.) - * It interacted badly with UIDL, though. Thomas Zajic wrote: - * "Running 'fetchmail -F -v' and checking the logs, I found out - * that fetchmail did in fact flush my mailbox properly, but sent - * a RSET just before sending QUIT to log off. This caused the - * POP3 server to undo/forget about the previous DELEs, resetting - * my mailbox to its original (ie. unflushed) state. The - * ~/.fetchids file did get flushed though, so the next time - * fetchmail was run it saw all the old messages as new ones ..." - */ - if (ctl->keep) - gen_transact(sock, "RSET"); -#endif /* __UNUSED__ */ - ok = gen_transact(sock, "QUIT"); if (!ok) expunge_uids(ctl); diff --git a/rcfile_l.l b/rcfile_l.l index bb86da1e..f792c45a 100644 --- a/rcfile_l.l +++ b/rcfile_l.l @@ -79,9 +79,8 @@ preauth(enticate)? { SETSTATE(AUTH); return AUTHENTICATE; } auth(enticate)? { SETSTATE(AUTH); return AUTHENTICATE; } any { SETSTATE(0); yylval.proto = A_ANY; return AUTHTYPE;} gssapi { SETSTATE(0); yylval.proto = A_GSSAPI; return AUTHTYPE;} -kerberos(_v)?4 { SETSTATE(0); yylval.proto = A_KERBEROS_V4; return AUTHTYPE;} kerberos(_v)?5 { SETSTATE(0); yylval.proto = A_KERBEROS_V5; return AUTHTYPE;} -kerberos { SETSTATE(0); yylval.proto = A_KERBEROS_V4; return AUTHTYPE;} +kerberos { SETSTATE(0); yylval.proto = A_KERBEROS_V5; return AUTHTYPE;} ssh { SETSTATE(0); yylval.proto = A_SSH; return AUTHTYPE;} external { SETSTATE(0); yylval.proto = A_EXTERNAL; return AUTHTYPE;} (otp|opie) { SETSTATE(0); yylval.proto = A_OTP; return AUTHTYPE;} 
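Review bot: The bare `kerberos` keyword silently changes meaning in rcfile_l.l, from `A_KERBEROS_V4` to `A_KERBEROS_V5`, and unlike the matching `--auth kerberos` branch in options.c it is not conditional on `KERBEROS_V5`. An existing rcfile with `auth kerberos` keeps parsing, and in a build without Kerberos 5 the lexer returns an auth type the binary presumably cannot perform; how that is handled later is not visible here. I would either reject it at parse time in such builds or call the change out in NEWS next to "Kerberos IV support was removed". The two remaining rules can also be folded into one pattern, `kerberos((_v)?5)?`.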
@@ -192,7 +191,6 @@ options {/* EMPTY */} (pop3)|(POP3) { yylval.proto = P_POP3; return PROTO; } (imap)|(IMAP) { yylval.proto = P_IMAP; return PROTO; } (apop)|(APOP) { yylval.proto = P_APOP; return PROTO; } -(rpop)|(RPOP) { yylval.proto = P_RPOP; return PROTO; } (etrn)|(ETRN) { yylval.proto = P_ETRN; return PROTO; } (odmr)|(ODMR) { yylval.proto = P_ODMR; return PROTO; } (kpop)|(KPOP) { return KPOP; } diff --git a/rcfile_y.y b/rcfile_y.y index a024fd65..83ffc1b3 100644 --- a/rcfile_y.y +++ b/rcfile_y.y @@ -148,14 +148,13 @@ serv_option : AKA alias_list | PROTOCOL PROTO {current.server.protocol = $2;} | PROTOCOL KPOP { current.server.protocol = P_POP3; - - if (current.server.authenticate == A_PASSWORD) #ifdef KERBEROS_V5 + if (current.server.authenticate == A_PASSWORD) current.server.authenticate = A_KERBEROS_V5; -#else - current.server.authenticate = A_KERBEROS_V4; -#endif /* KERBEROS_V5 */ current.server.service = KPOP_PORT; +#else + yyerror(GT_("Kerberos not enabled.")); +#endif } | PRINCIPAL STRING {current.server.principal = $2;} | ESMTPNAME STRING {current.server.esmtp_name = $2;} diff --git a/sink.c b/sink.c index 124ccbfe..e93d741a 100644 --- a/sink.c +++ b/sink.c @@ -433,18 +433,6 @@ static int handle_smtp_report(struct query *ctl, struct msgblk *msg) responses[0] = xstrdup(smtp_response); -#ifdef __UNUSED__ - /* - * Don't do this! It can really mess you up if, for example, you're - * reporting an error with a single RCPT TO address among several; - * RSET discards the message body and it doesn't get sent to the - * valid recipients. - */ - smtp_rset(ctl); /* stay on the safe side */ - if (outlevel >= O_DEBUG) - report(stdout, GT_("Saved error is still %d\n"), smtperr); -#endif /* __UNUSED */ - /* * Note: send_bouncemail message strings are not made subject * to gettext translation because (a) they're going to be 
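Review bot: In the new `#else` branch of the `PROTOCOL KPOP` action, `yyerror()` called from an action only reports the message; it does not by itself stop the parse, and `current.server.protocol = P_POP3;` has already run above the `#ifdef`. Unless the project's yyerror() records a failure that aborts the run (not visible here), `protocol kpop` in a non-Kerberos build would degrade to plain POP3 with whatever authentication is configured. Moving the protocol assignment inside the `#ifdef KERBEROS_V5` block and following the message with `YYERROR;` makes the rejection explicit. The new `#endif` also lost its `/* KERBEROS_V5 */` comment.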
@@ -521,12 +509,6 @@ static int handle_smtp_report(struct query *ctl, struct msgblk *msg) * (b) we wouldn't want spammers to get confirmation that * this address is live, anyway. */ -#ifdef __DONT_FEED_THE_SPAMMERS__ - if (run.bouncemail) - send_bouncemail(ctl, msg, XMIT_ACCEPT, - "Invalid address in MAIL FROM (SMTP error 553).\r\n", - 1, responses); -#endif /* __DONT_FEED_THE_SPAMMERS__ */ free(responses[0]); return(PS_REFUSED); @@ -605,10 +587,7 @@ static int handle_smtp_report_without_bounce(struct query *ctl, struct msgblk *m return(PS_REFUSED); case 553: /* invalid sending domain */ -#ifdef __DONT_FEED_THE_SPAMMERS__ - if (run.bouncemail) - return(PS_SUCCESS); -#endif /* __DONT_FEED_THE_SPAMMERS__ */ + /* do not send bounce mail - it would feed spammers */ return(PS_REFUSED); default: diff --git a/smbencrypt.c b/smbencrypt.c index 0656863c..1749bf07 100644 --- a/smbencrypt.c +++ b/smbencrypt.c @@ -197,43 +197,3 @@ void SMBNTencrypt(unsigned char *passwd, unsigned char *c8, unsigned char *p24) dump_data(100, (char *)p24, 24); #endif } - -#if 0 - -BOOL make_oem_passwd_hash(char data[516], const char *passwd, unsigned char old_pw_hash[16], BOOL unicode) -{ - int new_pw_len = strlen(passwd) * (unicode ? 2 : 1); - - if (new_pw_len > 512) - { - DEBUG(0,("make_oem_passwd_hash: new password is too long.\n")); - return False; - } - - /* - * Now setup the data area. - * We need to generate a random fill - * for this area to make it harder to - * decrypt. JRA. - */ - generate_random_buffer((unsigned char *)data, 516, False); - if (unicode) - { - struni2( &data[512 - new_pw_len], passwd); - } - else - { - fstrcpy( &data[512 - new_pw_len], passwd); - } - SIVAL(data, 512, new_pw_len); - -#ifdef DEBUG_PASSWORD - DEBUG(100,("make_oem_passwd_hash\n")); - dump_data(100, data, 516); -#endif - SamOEMhash( (unsigned char *)data, (unsigned char *)old_pw_hash, True); - - return True; -} - -#endif diff --git a/socket.c b/socket.c index 5ac2edcf..5384ba82 100644 --- a/socket.c 
+++ b/socket.c @@ -166,30 +166,6 @@ static int handle_plugin(const char *host, return fds[1]; } -#ifdef __UNUSED__ - -int SockCheckOpen(int fd) -/* poll given socket; is it selectable? */ -{ - fd_set r, w, e; - int rt; - struct timeval tv; - - for (;;) - { - FD_ZERO(&r); FD_ZERO(&w); FD_ZERO(&e); - FD_SET(fd, &e); - - tv.tv_sec = 0; tv.tv_usec = 0; - rt = select(fd+1, &r, &w, &e, &tv); - if (rt == -1 && (errno != EAGAIN && errno != EINTR)) - return 0; - if (rt != -1) - return 1; - } -} -#endif /* __UNUSED__ */ - int UnixOpen(const char *path) { int sock = -1; @@ -963,30 +939,6 @@ int SockClose(int sock) } #endif -#ifdef __UNUSED__ - /* - * This hangs in RedHat 6.2 after fetchmail runs for a while a - * FIN_WAIT2 comes up in netstat and fetchmail never returns from - * the recv system call. (Reported from jtnews - * , Wed, 24 May 2000 21:26:02.) - * - * Half-close the connection first so the other end gets notified. - * - * This stops sends but allows receives (effectively, it sends a - * TCP ). */ - if (shutdown(sock, 1) == 0) { - char ch; - /* If there is any data still waiting in the queue, discard it. - * Call recv() until either it returns 0 (meaning we received a FIN) - * or any error occurs. This makes sure all data sent by the other - * side is acknowledged at the TCP level. - */ - if (fm_peek(sock, &ch, 1) > 0) - while (fm_read(sock, &ch, 1) > 0) - continue; - } -#endif /* __UNUSED__ */ - /* if there's an error closing at this point, not much we can do */ return(fm_close(sock)); /* this is guarded */ } diff --git a/socket.h b/socket.h index 07aca530..bda70d29 100644 --- a/socket.h +++ b/socket.h @@ -43,7 +43,7 @@ Returns number of bytes successfully written. int SockWrite(int sock, const char *buf, int size); /* from /usr/include/sys/cdefs.h */ -#if !defined __GNUC__ || __GNUC__ < 2 +#if !defined __GNUC__ # define __attribute__(xyz) /* Ignore. */ #endif diff --git a/transact.c b/transact.c index 046b9fb0..0bae20a4 100644 --- a/transact.c +++ b/transact.c 
@@ -854,24 +854,6 @@ eoh: else if (!strncasecmp("Resent-Sender:", line, 14) && (strchr(line, '@') || strchr(line, '!'))) resent_sender_offs = (line - msgblk.headers); -#ifdef __UNUSED__ - else if (!strncasecmp("Message-Id:", line, 11)) - { - if (ctl->server.uidl) - { - char id[IDLEN+1]; - - line[IDLEN+12] = 0; /* prevent stack overflow */ - sscanf(line+12, "%s", id); - if (!str_find( &ctl->newsaved, num)) - { - struct idlist *newl = save_str(&ctl->newsaved,id,UID_SEEN); - newl->val.status.num = num; - } - } - } -#endif /* __UNUSED__ */ - /* if multidrop is on, gather addressee headers */ if (MULTIDROP(ctl)) { -- 2.43.2