From bd86dea69d96583f2a73a8519cfaca61fb61289c Mon Sep 17 00:00:00 2001
From: Geoffrey King <gjking@mit.edu>
Date: Wed, 19 Aug 1998 11:06:25 +0000
Subject: [PATCH] Add optional support for the CCC (Clear Command Channel)
 command. This command is dangerous, since it allows commands to be
 transmitted without integrity checking, so the default behavior without the
 -c option is still for the server to refuse to accept unprotected commands.

    * ftpd.c: Add a new command line option, -c, which tells the
    server to accept the CCC command.

    * ftpcmd.y: If the -c option was given, check to make sure the CCC
    command itself was integrity protected, and then set ccc_ok to
    allow future commands to be transmitted as cleartext.
    (getline): Now that CCC is potentially allowed, we must check to
    see if we are parsing an unprotected command even if a security
    context is established (i.e. auth_type is set).

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10846 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/appl/gssftp/ftpd/ChangeLog | 12 ++++++++
 src/appl/gssftp/ftpd/ftpcmd.y  | 51 ++++++++++++++++++++++++----------
 src/appl/gssftp/ftpd/ftpd.c    |  6 ++++
 3 files changed, 55 insertions(+), 14 deletions(-)

diff --git a/src/appl/gssftp/ftpd/ChangeLog b/src/appl/gssftp/ftpd/ChangeLog
index 508b3111c..21703b132 100644
--- a/src/appl/gssftp/ftpd/ChangeLog
+++ b/src/appl/gssftp/ftpd/ChangeLog
@@ -1,3 +1,15 @@
+Wed Aug 19 06:47:46 1998  Geoffrey King  <gjking@mit.edu>
+
+	* ftpd.c: Add a new command line option, -c, which tells the
+	server to accept the CCC command.
+
+	* ftpcmd.y: If the -c option was given, check to make sure the CCC
+	command itself was integrity protected, and then set ccc_ok to
+	allow future commands to be transmitted as cleartext.
+	(getline): Now that CCC is potentially allowed, we must check to
+	see if we are parsing an unprotected command even if a security
+	context is established (i.e. auth_type is set).
+
 Wed Aug 12 02:57:07 1998  Geoffrey King  <gjking@mit.edu>
 
 	* ftpcmd.y, ftpd.c: Replace global variable level with clevel and
diff --git a/src/appl/gssftp/ftpd/ftpcmd.y b/src/appl/gssftp/ftpd/ftpcmd.y
index de064bb00..f237bb7c0 100644
--- a/src/appl/gssftp/ftpd/ftpcmd.y
+++ b/src/appl/gssftp/ftpd/ftpcmd.y
@@ -116,6 +116,10 @@ extern	int type;
 extern	int form;
 extern	int clevel;
 extern	int debug;
+
+
+extern	int allow_ccc;
+extern	int ccc_ok;
 extern	int timeout;
 extern	int maxtimeout;
 extern  int pdata;
@@ -234,7 +238,17 @@ cmd:		USER SP username CRLF
 		}
 	|	CCC CRLF
 		= {
-			reply(534, "CCC not supported");
+			if (!allow_ccc) {
+			    reply(534, "CCC not supported");
+			}
+			else {
+			    if(clevel == PROT_C && !ccc_ok) {
+			        reply(533, "CCC command must be integrity protected");
+			    } else {
+			        reply(200, "CCC command successful.");
+				ccc_ok = 1;
+			    }
+			}
 		}
 	|	PBSZ SP STRING CRLF
 		= {
@@ -979,9 +993,29 @@ getline(s, n, iop)
 	    char out[sizeof(cbuf)], *cp;
 	    int len, mic;
 
-	    if ((cs = strpbrk(s, " \r\n")))
-	    	*cs++ = '\0';
+
+	    /* Check to see if we have a protected command. */
+	    if (!((mic = strncmp(s, "ENC", 3)) && strncmp(s, "MIC", 3)
+#ifndef NOCONFIDENTIAL
+	        && strncmp(s, "CONF", 4)
+#endif
+	        ) && (cs = strpbrk(s, " \r\n"))) {
+	    	    *cs++ = '\0'; /* If so, split it into s and cs. */
+	    } else { /* If not, check if unprotected commands are allowed. */
+		if(ccc_ok) {
+		    clevel = PROT_C;
+		    upper(s);
+		    return(s);
+		} else {
+		    reply(533, "All commands must be protected.");
+		    syslog(LOG_ERR, "Unprotected command received");
+		    *s = '\0';
+		    return(s);
+		}
+	    }
 	    upper(s);
+	    if (debug)
+	        syslog(LOG_INFO, "command %s received (mic=%d)", s, mic);
 #ifdef NOCONFIDENTIAL
 	    if (!strcmp(s, "CONF")) {
 		reply(537, "CONF protected commands not supported.");
@@ -989,17 +1023,6 @@ getline(s, n, iop)
 		return(s);
 	    }
 #endif
-	    if ((mic = strcmp(s, "ENC")) && strcmp(s, "MIC")
-#ifndef NOCONFIDENTIAL
-		&& strcmp(s, "CONF")
-#endif
-					) {
-		reply(533, "All commands must be protected.");
-		syslog(LOG_ERR, "Unprotected command received");
-		*s = '\0';
-		return(s);
-	    } else if (debug)
-		syslog(LOG_INFO, "command %s received (mic=%d)", s, mic);
 /* Some paranoid sites may want to require that commands be encrypted. */
 #ifdef PARANOID
 	    if (mic) {
diff --git a/src/appl/gssftp/ftpd/ftpd.c b/src/appl/gssftp/ftpd/ftpd.c
index e897bd472..19d72fa53 100644
--- a/src/appl/gssftp/ftpd/ftpd.c
+++ b/src/appl/gssftp/ftpd/ftpd.c
@@ -172,6 +172,8 @@ sigjmp_buf urgcatch;
 int	logged_in;
 struct	passwd *pw;
 int	debug;
+int	allow_ccc = 0;    /* whether or not the CCC command is allowed */
+int	ccc_ok = 0;       /* whether or not to accept cleartext commands */
 int	timeout = 900;    /* timeout after 15 minutes of inactivity */
 int	maxtimeout = 7200;/* don't allow idle time to be set beyond 2 hours */
 int	logging;
@@ -283,6 +285,10 @@ main(argc, argv, envp)
 			authenticate = 1;
 			break;
 
+		case 'c':
+			allow_ccc = 1;
+			break;
+
 		case 'p':
 			if (*++cp != '\0')
 				port = atoi(cp);
-- 
2.26.2