/contrib/cvs/src/login.c

https://bitbucket.org/freebsd/freebsd-head/ · C · 686 lines · 377 code · 83 blank · 226 comment · 118 complexity · d9352766999ef6a2dee9250f1688efd4 MD5 · raw file

  1. /*
  2. * Copyright (C) 1986-2005 The Free Software Foundation, Inc.
  3. *
  4. * Portions Copyright (C) 1998-2005 Derek Price, Ximbiot <http://ximbiot.com>,
  5. * and others.
  6. *
  7. * Portions Copyright (c) 1995, Cyclic Software, Bloomington, IN, USA
  8. *
  9. * You may distribute under the terms of the GNU General Public License as
  10. * specified in the README file that comes with CVS.
  11. *
  12. * Allow user to log in for an authenticating server.
  13. */
  14. #include "cvs.h"
  15. #include "getline.h"
  16. #ifdef AUTH_CLIENT_SUPPORT /* This covers the rest of the file. */
  17. /* There seems to be very little agreement on which system header
  18. getpass is declared in. With a lot of fancy autoconfiscation,
  19. we could perhaps detect this, but for now we'll just rely on
  20. _CRAY, since Cray is perhaps the only system on which our own
  21. declaration won't work (some Crays declare the 2#$@% thing as
  22. varadic, believe it or not). On Cray, getpass will be declared
  23. in either stdlib.h or unistd.h. */
  24. #ifndef CVS_PASSWORD_FILE
  25. #define CVS_PASSWORD_FILE ".cvspass"
  26. #endif
  27. /* If non-NULL, get_cvs_password() will just return this. */
  28. static char *cvs_password = NULL;
  29. static char *construct_cvspass_filename PROTO ((void));
  30. /* The return value will need to be freed. */
  31. static char *
  32. construct_cvspass_filename ()
  33. {
  34. char *homedir;
  35. char *passfile;
  36. /* Environment should override file. */
  37. if ((passfile = getenv ("CVS_PASSFILE")) != NULL)
  38. return xstrdup (passfile);
  39. /* Construct absolute pathname to user's password file. */
  40. /* todo: does this work under OS/2 ? */
  41. homedir = get_homedir ();
  42. if (! homedir)
  43. {
  44. /* FIXME? This message confuses a lot of users, at least
  45. on Win95 (which doesn't set HOMEDRIVE and HOMEPATH like
  46. NT does). I suppose the answer for Win95 is to store the
  47. passwords in the registry or something (??). And .cvsrc
  48. and such too? Wonder what WinCVS does (about .cvsrc, the
  49. right thing for a GUI is to just store the password in
  50. memory only)... */
  51. error (1, 0, "could not find out home directory");
  52. return (char *) NULL;
  53. }
  54. passfile = strcat_filename_onto_homedir (homedir, CVS_PASSWORD_FILE);
  55. /* Safety first and last, Scouts. */
  56. if (isfile (passfile))
  57. /* xchmod() is too polite. */
  58. chmod (passfile, 0600);
  59. return passfile;
  60. }
  61. /*
  62. * static char *
  63. * password_entry_parseline (
  64. * const char *cvsroot_canonical,
  65. * const unsigned char warn,
  66. * const int linenumber,
  67. * char *linebuf
  68. * );
  69. *
  70. * Internal function used by password_entry_operation. Parse a single line
  71. * from a ~/.cvsroot password file and return a pointer to the password if the
  72. * line refers to the same cvsroot as cvsroot_canonical
  73. *
  74. * INPUTS
  75. * cvsroot_canonical the root we are looking for
  76. * warn Boolean: print warnings for invalid lines?
  77. * linenumber the line number for error messages
  78. * linebuf the current line
  79. *
  80. * RETURNS
  81. * NULL if the line doesn't match
  82. * char *password as a pointer into linebuf
  83. *
  84. * NOTES
  85. * This function temporarily alters linebuf, so it isn't thread safe when
  86. * called on the same linebuf
  87. */
  88. static char *
  89. password_entry_parseline (cvsroot_canonical, warn, linenumber, linebuf)
  90. const char *cvsroot_canonical;
  91. const unsigned char warn;
  92. const int linenumber;
  93. char *linebuf;
  94. {
  95. char *password = NULL;
  96. char *p;
  97. /* look for '^/' */
  98. if (*linebuf == '/')
  99. {
  100. /* Yes: slurp '^/\d+\D' and parse the rest of the line according to version number */
  101. char *q;
  102. unsigned long int entry_version = 0;
  103. if (isspace(*(linebuf + 1)))
  104. {
  105. /* special case since strtoul ignores leading white space */
  106. q = linebuf + 1;
  107. }
  108. else
  109. {
  110. entry_version = strtoul (linebuf + 1, &q, 10);
  111. if (q != linebuf + 1)
  112. /* assume a delimiting seperator */
  113. q++;
  114. }
  115. switch (entry_version)
  116. {
  117. case 1:
  118. /* this means the same normalize_cvsroot we are using was
  119. * used to create this entry. strcmp is good enough for
  120. * us.
  121. */
  122. p = strchr (q, ' ');
  123. if (p == NULL)
  124. {
  125. if (warn && !really_quiet)
  126. error (0, 0, "warning: skipping invalid entry in password file at line %d",
  127. linenumber);
  128. }
  129. else
  130. {
  131. *p = '\0';
  132. if (strcmp (cvsroot_canonical, q) == 0)
  133. password = p + 1;
  134. *p = ' ';
  135. }
  136. break;
  137. case ULONG_MAX:
  138. if (warn && !really_quiet)
  139. {
  140. error (0, errno, "warning: unable to convert version number in password file at line %d",
  141. linenumber);
  142. error (0, 0, "skipping entry");
  143. }
  144. break;
  145. case 0:
  146. if (warn && !really_quiet)
  147. error (0, 0, "warning: skipping entry with invalid version string in password file at line %d",
  148. linenumber);
  149. break;
  150. default:
  151. if (warn && !really_quiet)
  152. error (0, 0, "warning: skipping entry with unknown version (%lu) in password file at line %d",
  153. entry_version, linenumber);
  154. break;
  155. }
  156. }
  157. else
  158. {
  159. /* No: assume:
  160. *
  161. * ^cvsroot Aencoded_password$
  162. *
  163. * as header comment specifies and parse accordingly
  164. */
  165. cvsroot_t *tmp_root;
  166. char *tmp_root_canonical;
  167. p = strchr (linebuf, ' ');
  168. if (p == NULL)
  169. {
  170. if (warn && !really_quiet)
  171. error (0, 0, "warning: skipping invalid entry in password file at line %d", linenumber);
  172. return NULL;;
  173. }
  174. *p = '\0';
  175. if ((tmp_root = parse_cvsroot (linebuf)) == NULL)
  176. {
  177. if (warn && !really_quiet)
  178. error (0, 0, "warning: skipping invalid entry in password file at line %d", linenumber);
  179. *p = ' ';
  180. return NULL;
  181. }
  182. *p = ' ';
  183. tmp_root_canonical = normalize_cvsroot (tmp_root);
  184. if (strcmp (cvsroot_canonical, tmp_root_canonical) == 0)
  185. password = p + 1;
  186. free (tmp_root_canonical);
  187. free_cvsroot_t (tmp_root);
  188. }
  189. return password;
  190. }
  191. /*
  192. * static char *
  193. * password_entry_operation (
  194. * password_entry_operation_t operation,
  195. * cvsroot_t *root,
  196. * char *newpassword
  197. * );
  198. *
  199. * Search the password file and depending on the value of operation:
  200. *
  201. * Mode Action
  202. * password_entry_lookup Return the password
  203. * password_entry_delete Delete the entry from the file, if it
  204. * exists.
  205. * password_entry_add Replace the line with the new one, else
  206. * append it.
  207. *
  208. * Because the user might be accessing multiple repositories, with
  209. * different passwords for each one, the format of ~/.cvspass is:
  210. *
  211. * [user@]host:[port]/path Aencoded_password
  212. * [user@]host:[port]/path Aencoded_password
  213. * ...
  214. *
  215. * New entries are always of the form:
  216. *
  217. * /1 user@host:port/path Aencoded_password
  218. *
  219. * but the old format is supported for backwards compatibility.
  220. * The entry version string wasn't strictly necessary, but it avoids the
  221. * overhead of parsing some entries since we know it is already in canonical
  222. * form and allows room for expansion later, say, if we want to allow spaces
  223. * and/or other characters to be escaped in the string. Also, the new entries
  224. * would have been ignored by old versions of CVS anyhow since those versions
  225. * didn't know how to parse a port number.
  226. *
  227. * The "A" before "encoded_password" is a literal capital A. It's a
  228. * version number indicating which form of scrambling we're doing on
  229. * the password -- someday we might provide something more secure than
  230. * the trivial encoding we do now, and when that day comes, it would
  231. * be nice to remain backward-compatible.
  232. *
  233. * Like .netrc, the file's permissions are the only thing preventing
  234. * it from being read by others. Unlike .netrc, we will not be
  235. * fascist about it, at most issuing a warning, and never refusing to
  236. * work.
  237. *
  238. * INPUTS
  239. * operation operation to perform
  240. * root cvsroot_t to look up
  241. * newpassword prescrambled new password, for password_entry_add_mode
  242. *
  243. * RETURNS
  244. * -1 if password_entry_lookup_mode not specified
  245. * NULL on failed lookup
  246. * pointer to a copy of the password string otherwise, which the caller is
  247. * responsible for disposing of
  248. */
  249. typedef enum password_entry_operation_e {
  250. password_entry_lookup,
  251. password_entry_delete,
  252. password_entry_add
  253. } password_entry_operation_t;
  254. static char *
  255. password_entry_operation (operation, root, newpassword)
  256. password_entry_operation_t operation;
  257. cvsroot_t *root;
  258. char *newpassword;
  259. {
  260. char *passfile;
  261. FILE *fp;
  262. char *cvsroot_canonical = NULL;
  263. char *password = NULL;
  264. int line_length;
  265. long line = -1;
  266. char *linebuf = NULL;
  267. size_t linebuf_len;
  268. char *p;
  269. int save_errno = 0;
  270. if (root->method != pserver_method)
  271. {
  272. error (0, 0, "\
  273. internal error: can only call password_entry_operation with pserver method");
  274. error (1, 0, "CVSROOT: %s", root->original);
  275. }
  276. cvsroot_canonical = normalize_cvsroot (root);
  277. /* Yes, the method below reads the user's password file twice when we have
  278. * to delete an entry. It's inefficient, but we're not talking about a gig of
  279. * data here.
  280. */
  281. passfile = construct_cvspass_filename ();
  282. fp = CVS_FOPEN (passfile, "r");
  283. if (fp == NULL)
  284. {
  285. error (0, errno, "warning: failed to open %s for reading", passfile);
  286. goto process;
  287. }
  288. /* Check each line to see if we have this entry already. */
  289. line = 0;
  290. while ((line_length = getline (&linebuf, &linebuf_len, fp)) >= 0)
  291. {
  292. line++;
  293. password = password_entry_parseline (cvsroot_canonical, 1, line,
  294. linebuf);
  295. if (password != NULL)
  296. /* this is it! break out and deal with linebuf */
  297. break;
  298. }
  299. if (line_length < 0 && !feof (fp))
  300. {
  301. error (0, errno, "cannot read %s", passfile);
  302. goto error_exit;
  303. }
  304. if (fclose (fp) < 0)
  305. /* not fatal, unless it cascades */
  306. error (0, errno, "cannot close %s", passfile);
  307. fp = NULL;
  308. /* Utter, total, raving paranoia, I know. */
  309. chmod (passfile, 0600);
  310. /* a copy to return or keep around so we can reuse linebuf */
  311. if (password != NULL)
  312. {
  313. /* chomp the EOL */
  314. p = strchr (password, '\n');
  315. if (p != NULL)
  316. *p = '\0';
  317. password = xstrdup (password);
  318. }
  319. process:
  320. /* might as well return now */
  321. if (operation == password_entry_lookup)
  322. goto out;
  323. /* same here */
  324. if (operation == password_entry_delete && password == NULL)
  325. {
  326. error (0, 0, "Entry not found.");
  327. goto out;
  328. }
  329. /* okay, file errors can simply be fatal from now on since we don't do
  330. * anything else if we're in lookup mode
  331. */
  332. /* copy the file with the entry deleted unless we're in add
  333. * mode and the line we found contains the same password we're supposed to
  334. * add
  335. */
  336. if (!noexec && password != NULL && (operation == password_entry_delete
  337. || (operation == password_entry_add
  338. && strcmp (password, newpassword))))
  339. {
  340. long found_at = line;
  341. char *tmp_name;
  342. FILE *tmp_fp;
  343. /* open the original file again */
  344. fp = CVS_FOPEN (passfile, "r");
  345. if (fp == NULL)
  346. error (1, errno, "failed to open %s for reading", passfile);
  347. /* create and open a temp file */
  348. if ((tmp_fp = cvs_temp_file (&tmp_name)) == NULL)
  349. error (1, errno, "unable to open temp file %s",
  350. tmp_name ? tmp_name : "(null)");
  351. line = 0;
  352. while ((line_length = getline (&linebuf, &linebuf_len, fp)) >= 0)
  353. {
  354. line++;
  355. if (line < found_at
  356. || (line != found_at
  357. && !password_entry_parseline (cvsroot_canonical, 0, line,
  358. linebuf)))
  359. {
  360. if (fprintf (tmp_fp, "%s", linebuf) == EOF)
  361. {
  362. /* try and clean up anyhow */
  363. error (0, errno, "fatal error: cannot write %s", tmp_name);
  364. if (fclose (tmp_fp) == EOF)
  365. error (0, errno, "cannot close %s", tmp_name);
  366. /* call CVS_UNLINK instead of unlink_file since the file
  367. * got created in noexec mode
  368. */
  369. if (CVS_UNLINK (tmp_name) < 0)
  370. error (0, errno, "cannot remove %s", tmp_name);
  371. /* but quit so we don't remove all the entries from a
  372. * user's password file accidentally
  373. */
  374. error (1, 0, "exiting");
  375. }
  376. }
  377. }
  378. if (line_length < 0 && !feof (fp))
  379. {
  380. error (0, errno, "cannot read %s", passfile);
  381. goto error_exit;
  382. }
  383. if (fclose (fp) < 0)
  384. /* not fatal, unless it cascades */
  385. error (0, errno, "cannot close %s", passfile);
  386. if (fclose (tmp_fp) < 0)
  387. /* not fatal, unless it cascades */
  388. /* FIXME - does copy_file return correct results if the file wasn't
  389. * closed? should this be fatal?
  390. */
  391. error (0, errno, "cannot close %s", tmp_name);
  392. /* FIXME: rename_file would make more sense (e.g. almost
  393. * always faster).
  394. *
  395. * I don't think so, unless we change the way rename_file works to
  396. * attempt a cp/rm sequence when rename fails since rename doesn't
  397. * work across file systems and it isn't uncommon to have /tmp
  398. * on its own partition.
  399. *
  400. * For that matter, it's probably not uncommon to have a home
  401. * directory on an NFS mount.
  402. */
  403. copy_file (tmp_name, passfile);
  404. if (CVS_UNLINK (tmp_name) < 0)
  405. error (0, errno, "cannot remove %s", tmp_name);
  406. free (tmp_name);
  407. }
  408. /* in add mode, if we didn't find an entry or found an entry with a
  409. * different password, append the new line
  410. */
  411. if (!noexec && operation == password_entry_add
  412. && (password == NULL || strcmp (password, newpassword)))
  413. {
  414. if ((fp = CVS_FOPEN (passfile, "a")) == NULL)
  415. error (1, errno, "could not open %s for writing", passfile);
  416. if (fprintf (fp, "/1 %s %s\n", cvsroot_canonical, newpassword) == EOF)
  417. error (1, errno, "cannot write %s", passfile);
  418. if (fclose (fp) < 0)
  419. error (1, errno, "cannot close %s", passfile);
  420. }
  421. /* Utter, total, raving paranoia, I know. */
  422. chmod (passfile, 0600);
  423. if (password)
  424. {
  425. free (password);
  426. password = NULL;
  427. }
  428. if (linebuf)
  429. free (linebuf);
  430. out:
  431. free (cvsroot_canonical);
  432. free (passfile);
  433. return password;
  434. error_exit:
  435. /* just exit when we're not in lookup mode */
  436. if (operation != password_entry_lookup)
  437. error (1, 0, "fatal error: exiting");
  438. /* clean up and exit in lookup mode so we can try a login with a NULL
  439. * password anyhow in case that's what we would have found
  440. */
  441. save_errno = errno;
  442. if (fp != NULL)
  443. {
  444. /* Utter, total, raving paranoia, I know. */
  445. chmod (passfile, 0600);
  446. if(fclose (fp) < 0)
  447. error (0, errno, "cannot close %s", passfile);
  448. }
  449. if (linebuf)
  450. free (linebuf);
  451. if (cvsroot_canonical)
  452. free (cvsroot_canonical);
  453. free (passfile);
  454. errno = save_errno;
  455. return NULL;
  456. }
  457. /* Prompt for a password, and store it in the file "CVS/.cvspass".
  458. */
  459. static const char *const login_usage[] =
  460. {
  461. "Usage: %s %s\n",
  462. "(Specify the --help global option for a list of other help options)\n",
  463. NULL
  464. };
  465. int
  466. login (argc, argv)
  467. int argc;
  468. char **argv;
  469. {
  470. char *typed_password;
  471. char *cvsroot_canonical;
  472. if (argc < 0)
  473. usage (login_usage);
  474. if (current_parsed_root->method != pserver_method)
  475. {
  476. error (0, 0, "can only use `login' command with the 'pserver' method");
  477. error (1, 0, "CVSROOT: %s", current_parsed_root->original);
  478. }
  479. cvsroot_canonical = normalize_cvsroot(current_parsed_root);
  480. printf ("Logging in to %s\n", cvsroot_canonical);
  481. fflush (stdout);
  482. if (current_parsed_root->password)
  483. {
  484. typed_password = scramble (current_parsed_root->password);
  485. }
  486. else
  487. {
  488. char *tmp;
  489. tmp = getpass ("CVS password: ");
  490. /* Must deal with a NULL return value here. I haven't managed to
  491. * disconnect the CVS process from the tty and force a NULL return
  492. * in sanity.sh, but the Linux version of getpass is documented
  493. * to return NULL when it can't open /dev/tty...
  494. */
  495. if (!tmp) error (1, errno, "login: Failed to read password.");
  496. typed_password = scramble (tmp);
  497. memset (tmp, 0, strlen (tmp));
  498. }
  499. /* Force get_cvs_password() to use this one (when the client
  500. * confirms the new password with the server), instead of
  501. * consulting the file. We make a new copy because cvs_password
  502. * will get zeroed by connect_to_server(). */
  503. cvs_password = xstrdup (typed_password);
  504. connect_to_pserver (current_parsed_root, NULL, NULL, 1, 0);
  505. password_entry_operation (password_entry_add, current_parsed_root,
  506. typed_password);
  507. free_cvs_password (typed_password);
  508. free (cvsroot_canonical);
  509. return 0;
  510. }
  511. /* Free the password returned by get_cvs_password() and also free the
  512. * saved cvs_password if they are different pointers. Be paranoid
  513. * about the in-memory copy of the password and overwrite it with zero
  514. * bytes before doing the free().
  515. */
  516. void
  517. free_cvs_password (char *password)
  518. {
  519. if (password && password != cvs_password)
  520. {
  521. memset (password, 0, strlen (password));
  522. free (password);
  523. }
  524. if (cvs_password)
  525. {
  526. memset (cvs_password, 0, strlen (cvs_password));
  527. free (cvs_password);
  528. cvs_password = NULL;
  529. }
  530. }
  531. /* Returns the _scrambled_ password in freshly allocated memory. The server
  532. * must descramble before hashing and comparing. If password file not found,
  533. * or password not found in the file, just return NULL.
  534. */
  535. char *
  536. get_cvs_password ()
  537. {
  538. if (current_parsed_root->password)
  539. return scramble (current_parsed_root->password);
  540. /* If someone (i.e., login()) is calling connect_to_pserver() out of
  541. context, then assume they have supplied the correct, scrambled
  542. password. */
  543. if (cvs_password)
  544. return xstrdup (cvs_password);
  545. if (getenv ("CVS_PASSWORD") != NULL)
  546. {
  547. /* In previous versions of CVS one could specify a password in
  548. * CVS_PASSWORD. This is a bad idea, because in BSD variants
  549. * of unix anyone can see the environment variable with 'ps'.
  550. * But for users who were using that feature we want to at
  551. * least let them know what is going on. After printing this
  552. * warning, we should fall through to the regular error where
  553. * we tell them to run "cvs login" (unless they already ran
  554. * it, of course).
  555. */
  556. error (0, 0, "CVS_PASSWORD is no longer supported; ignored");
  557. }
  558. if (current_parsed_root->method != pserver_method)
  559. {
  560. error (0, 0, "can only call get_cvs_password with pserver method");
  561. error (1, 0, "CVSROOT: %s", current_parsed_root->original);
  562. }
  563. return password_entry_operation (password_entry_lookup,
  564. current_parsed_root, NULL);
  565. }
  566. static const char *const logout_usage[] =
  567. {
  568. "Usage: %s %s\n",
  569. "(Specify the --help global option for a list of other help options)\n",
  570. NULL
  571. };
  572. /* Remove any entry for the CVSRoot repository found in .cvspass. */
  573. int
  574. logout (argc, argv)
  575. int argc;
  576. char **argv;
  577. {
  578. char *cvsroot_canonical;
  579. if (argc < 0)
  580. usage (logout_usage);
  581. if (current_parsed_root->method != pserver_method)
  582. {
  583. error (0, 0, "can only use pserver method with `logout' command");
  584. error (1, 0, "CVSROOT: %s", current_parsed_root->original);
  585. }
  586. /* Hmm. Do we want a variant of this command which deletes _all_
  587. the entries from the current .cvspass? Might be easier to
  588. remember than "rm ~/.cvspass" but then again if people are
  589. mucking with HOME (common in Win95 as the system doesn't set
  590. it), then this variant of "cvs logout" might give a false sense
  591. of security, in that it wouldn't delete entries from any
  592. .cvspass files but the current one. */
  593. if (!quiet)
  594. {
  595. cvsroot_canonical = normalize_cvsroot(current_parsed_root);
  596. printf ("Logging out of %s\n", cvsroot_canonical);
  597. fflush (stdout);
  598. free (cvsroot_canonical);
  599. }
  600. password_entry_operation (password_entry_delete, current_parsed_root, NULL);
  601. return 0;
  602. }
  603. #endif /* AUTH_CLIENT_SUPPORT from beginning of file. */