📄 ckuath.c
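auth_encrypt_enable(enable) BOOL enable;
#endif
{
    encrypt_flag = enable;
}
#endif

/*
 * Function: Abort the authentication process
 *
 * Sends an AUTHENTICATION subnegotiation whose type pair is
 * AUTHTYPE_NULL/AUTHTYPE_NULL, reports the failure to the user (and to
 * syslog when CKSYSLOG logging is active) and resets
 * authentication_version to AUTHTYPE_NULL.
 *
 * Parameters:
 *  errmsg - optional text describing the failure; may be NULL.
 *  r      - error code; when it is not AUTH_SUCCESS the Kerberos error
 *           text for it is appended to the message (KRB4/KRB5 builds).
 *
 * Does nothing when the START_TLS me_follows flag is set (CK_SSL builds).
 */
static VOID
#ifdef CK_ANSIC
auth_abort(char *errmsg, long r)
#else
auth_abort(errmsg,r) char *errmsg; long r;
#endif
{
    char buf[9];                        /* 8 message bytes + NUL from sprintf */
    extern int sstelnet;

#ifdef CK_SSL
    if (TELOPT_SB(TELOPT_START_TLS).start_tls.me_follows) {
        return;
    }
#endif /* CK_SSL */
    debug(F111,"auth_abort",errmsg,r);

    /* Construct Telnet Debugging messages */
    if (deblog || tn_deb || debses) {
        sprintf(tn_msg,"TELNET SENT SB %s IS %s %s IAC SE",
                TELOPT(TELOPT_AUTHENTICATION),
                authtype_names[AUTHTYPE_NULL],
                authtype_names[AUTHTYPE_NULL]);
        debug(F100,tn_msg,"",0);
        if (tn_deb || debses) tn_debug(tn_msg);
    }

    /* Construct the Abort message to send to the host    */
    /* Basically we change the authentication type to NULL */
    sprintf(buf, "%c%c%c%c%c%c%c%c", IAC, SB, TELOPT_AUTHENTICATION,
            sstelnet ? TELQUAL_REPLY : TELQUAL_IS, AUTHTYPE_NULL,
            AUTHTYPE_NULL, IAC, SE);
    ttol((CHAR *)buf, 8);

    /* If there is an error message, and error number construct */
    /* an explanation to display to the user                    */
    if (errmsg != NULL) {
        ckstrncpy(strTmp, errmsg, AUTHTMPBL);
    } else {
        strTmp[0] = '\0';
    }
    if (r != AUTH_SUCCESS) {
        /*
         * Every append is limited to the space left under AUTHTMPBL, the
         * same limit the copy above uses.  An unbounded strcat() here would
         * write past strTmp when errmsg already fills it or when the
         * library error text is long.
         * NOTE(review): assumes strTmp holds at least AUTHTMPBL bytes and
         * that ckstrncpy() leaves it NUL-terminated - confirm.
         */
        int room;                       /* Characters still free in strTmp */

        room = AUTHTMPBL - 1 - (int)strlen(strTmp);
        if (room > 0)
            strncat(strTmp, "\r\n", room);
#ifdef KRB4
        if ( authentication_version == AUTHTYPE_KERBEROS_V4 ) {
            room = AUTHTMPBL - 1 - (int)strlen(strTmp);
            if (room > 0)
                strncat(strTmp, (char *)krb_get_err_text_entry(r), room);
            debug(F111,"auth_abort",(char *)krb_get_err_text_entry(r),r);
        }
#endif
#ifdef KRB5
        if ( authentication_version == AUTHTYPE_KERBEROS_V5 ) {
            room = AUTHTMPBL - 1 - (int)strlen(strTmp);
            if (room > 0)
                strncat(strTmp, error_message(r), room);
            debug(F111,"auth_abort",error_message(r),r);
        }
#endif
    }
    printf("Authentication failed: %s\r\n",strTmp);
#ifdef CKSYSLOG
    if (ckxsyslog >= SYSLG_LI && ckxlogging) {
        cksyslog(SYSLG_LI, 0, "Telnet authentication failure",
                 (char *) szUserNameRequested,
                 strTmp);
    }
#endif /* CKSYSLOG */
    authentication_version = AUTHTYPE_NULL;
}

/*
 * Function: Copy data to buffer, doubling IAC character if present.
 *
 * Parameters:
 *  to   - destination buffer.  Each IAC byte in the input is written
 *         twice, so up to 2 * c bytes are stored; the caller must supply
 *         a buffer that large because no bound is checked here.
 *  from - source bytes.
 *  c    - number of source bytes to copy.
 *
 * Returns: the number of bytes written to 'to'.
 */
static int
#ifdef CK_ANSIC
copy_for_net(unsigned char *to, unsigned char *from, int c)
#else
copy_for_net(to,from,c) unsigned char *to; unsigned char *from; int c;
#endif
{
    int n;

    n = c;
    debug(F111,"copy_for_net","before",n);
    while (c-- > 0) {
        if ((*to++ = *from++) == IAC) {
            n++;                        /* One extra output byte per IAC */
            *to++ = IAC;
        }
    }
    debug(F111,"copy_for_net","after",n);
    return n;
}

#ifdef CK_SSL
/*  S E N D   S S L   A U T H   S B
 *  Send a SSL Authentication Subnegotiation to host and
 *  output appropriate Telnet Debug messages
 *
 *  type - Sub Negotiation type (SSL_START, SSL_ACCEPT or SSL_REJECT)
 *  data - ptr to buffer containing data
 *  len  - len of buffer if not NUL terminated; -1 means use strlen(data)
 *
 *  returns number of characters sent or error value (the ttol() result).
 *  Returns 0 for any other 'type'.  When the START_TLS me_follows flag is
 *  set nothing is sent and the result is 0 if ttchk() < 0, else 1.
 *
 *  The message is assembled in str_data starting at offset 3 and takes up
 *  to 2 * len + 9 bytes of str_data in total (IAC bytes in the data are
 *  doubled).  Nothing here checks that against the size of str_data.
 *  NOTE(review): str_data's size and the content of its first three bytes
 *  are not visible in this function - confirm every caller keeps 'len'
 *  within the buffer, and that data is non-NULL when len is -1.
 */
int
#ifdef CK_ANSIC
SendSSLAuthSB(int type, void *data, int len)
#else
SendSSLAuthSB(type,data,len) int type; void *data; int len;
#endif
{
    int rc;
    unsigned char *p = str_data + 3;
    unsigned char *cd = (unsigned char *)data;
    extern int sstelnet;

    /* Check for invalid values */
    if ( type != SSL_START && type != SSL_ACCEPT &&
         type != SSL_REJECT)
        return(0);

    if (TELOPT_SB(TELOPT_START_TLS).start_tls.me_follows) {
        if (ttchk() < 0)
            return(0);
        else
            return(1);
    }

    if (len == -1)                      /* Use strlen() for len */
        len = strlen((char *)cd);

    /* Construct Message */
    *p++ = sstelnet ? TELQUAL_REPLY : TELQUAL_IS;
    *p++ = AUTHTYPE_SSL;
    *p = AUTH_CLIENT_TO_SERVER;
    *p |= auth_how;
#ifdef CK_ENCRYPTION
    *p |= auth_crypt;
#endif
    p++;
    *p++ = type;
    while (len-- > 0) {
        if ((*p++ = *cd++) == IAC)      /* Double any IAC in the data */
            *p++ = IAC;
    }
    *p++ = IAC;
    *p++ = SE;

    /* Handle Telnet Debugging Messages */
    if (deblog || tn_deb || debses) {
        int i;
        int deblen=p-str_data-2;        /* Length without the final IAC SE */
        char *s=NULL;
        int mode = AUTH_CLIENT_TO_SERVER | (auth_how & AUTH_HOW_MASK) |
            (auth_crypt?AUTH_ENCRYPT_USING_TELOPT:AUTH_ENCRYPT_OFF);

        switch (type) {
        case SSL_START:
            s = "START";
            break;
        case SSL_ACCEPT:
            s = "ACCEPT";
            break;
        case SSL_REJECT:
            s = "REJECT";
            break;
        }

        sprintf(tn_msg,"TELNET SENT SB %s %s %s %s %s ",
                TELOPT(TELOPT_AUTHENTICATION),
                str_data[3] == TELQUAL_REPLY ? "REPLY" :
                str_data[3] == TELQUAL_IS ? "IS" : "???",
                authtype_names[authentication_version],
                authmode_names[mode],
                s);
        /*
         * NOTE(review): the payload dump below appends to tn_msg with
         * strcat() (up to 5 characters per payload byte under HEXDISP) and,
         * without HEXDISP, copies deblen-7 bytes into hexbuf.  Neither
         * length is checked against the sizes of tn_msg or hexbuf, which
         * are not visible here - confirm they cover the largest payload.
         */
#ifdef HEXDISP
        {
            int was_hex = 1;
            for ( i=7;i<deblen;i++ ) {
                if ( str_data[i] < 32 || str_data[i] >= 127) {
                    sprintf(hexbuf,"%s%02X ",was_hex?"":"\" ",str_data[i]);
                    was_hex = 1;
                } else {
                    sprintf(hexbuf,"%s%c",was_hex?"\"":"",str_data[i]);
                    was_hex = 0;
                }
                strcat(tn_msg,hexbuf);
            }
            if ( !was_hex )
                strcat(tn_msg,"\" ");
        }
#else /* HEXDISP */
        memcpy(hexbuf,&str_data[7],deblen-7);
        hexbuf[deblen-7] = ' ';
        hexbuf[deblen-6] = '\0';
        strcat(tn_msg,hexbuf);
#endif /* HEXDISP */
        strcat(tn_msg,"IAC SE");
        debug(F100,tn_msg,"",0);
        if (tn_deb || debses) tn_debug(tn_msg);
    }

    /* Send data */
    rc = ttol((CHAR *)str_data, p - str_data);
    return(rc);
}
#endif /* CK_SSL */

/*
 * Function: Test an offered authentication mode against tn_auth_how.
 *
 * Parameters:
 *  how - mode byte; only its AUTH_HOW_MASK bits are examined.
 *
 * Returns: 1 when tn_auth_how is TN_AUTH_HOW_ANY, or when the masked bits
 * equal the one-way / mutual value that tn_auth_how requires; 0 otherwise,
 * including for any unrecognized tn_auth_how value.
 */
int
tn_how_ok(int how)
{
    switch ( tn_auth_how ) {
    case TN_AUTH_HOW_ANY:
        return(1);
    case TN_AUTH_HOW_ONE_WAY:
        return((how & AUTH_HOW_MASK) == AUTH_HOW_ONE_WAY);
    case TN_AUTH_HOW_MUTUAL:
        return((how & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL);
    default:
        return(0);
    }
}

/*
 * Function: Test an offered encryption mode against tn_auth_enc.
 *
 * Parameters:
 *  enc - mode byte; only its AUTH_ENCRYPT_MASK bits are examined.
 *
 * Returns: 1 when tn_auth_enc is TN_AUTH_ENC_ANY, or when the masked bits
 * equal the encryption value that tn_auth_enc requires; 0 otherwise,
 * including for any unrecognized tn_auth_enc value.
 */
int
tn_enc_ok(int enc)
{
    switch ( tn_auth_enc ) {
    case TN_AUTH_ENC_ANY:
        return(1);
    case TN_AUTH_ENC_NONE:
        return((enc & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_OFF);
    case TN_AUTH_ENC_TELOPT:
        return((enc & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_USING_TELOPT);
    case TN_AUTH_ENC_EXCH:
        return((enc & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_AFTER_EXCHANGE);
    default:
        return(0);
    }
}

/*
 * Function: Test whether an authentication type is in auth_type_user.
 *
 * Parameters:
 *  at - authentication type to look for.
 *
 * Returns: 1 when the first entry of auth_type_user is AUTHTYPE_AUTO or
 * when 'at' appears in the list before the AUTHTYPE_NULL terminator (at
 * most AUTHTYPLSTSZ entries are examined); 0 when the first entry is
 * AUTHTYPE_NULL or 'at' is not found.
 */
static int
atok(int at) {
    int i;

    if ( auth_type_user[0] == AUTHTYPE_AUTO )
        return(1);
    if ( auth_type_user[0] == AUTHTYPE_NULL )
        return(0);

    for ( i=0;
          i<AUTHTYPLSTSZ && auth_type_user[i] != AUTHTYPE_NULL;
          i++ ) {
        if ( auth_type_user[i] == at )
            return(1);
    }

    return(0);
}

/*
 * Function: Parse authentication send command
 *
 * Parameters:
 *  parsedat - the sub-command data.
 *
 *  end_sub - index of the character in the 'parsedat' array which
 *            is the last byte in a sub-negotiation
 *
 * Returns: Kerberos error code.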
*/static int#ifdef CK_ANSICauth_send(unsigned char *parsedat, int end_sub)#elseauth_send(parsedat,end_sub) unsigned char *parsedat; int end_sub;#endif{ unsigned char buf[1024]; unsigned char *pname; int plen; int r; int i; int mode;#ifdef MIT_CURRENT#ifdef CK_ENCRYPTION krb5_data data; krb5_enc_data encdata; krb5_error_code code; krb5_keyblock random_key;#endif /* ENCRYPTION */#endif /* MIT_CURRENT */#ifdef KRB5 int krb5_msg = 0;#endif /* KRB5 */#ifdef KRB4 int krb4_msg = 0; #endif /* KRB4 */#ifdef CK_SSL if (TELOPT_SB(TELOPT_START_TLS).start_tls.me_follows) return(AUTH_SUCCESS);#endif /* CK_SSL */ auth_how = -1; /* We have not found an auth method */ auth_crypt = 0; /* We are not using encryption (yet) */ /* Search the list of acceptable Authentication types sent from */ /* the host and find one that we support */ /* For Kerberos authentications, try to determine if we have a */ /* valid TGT, if not skip over the authentication type because */ /* we wouldn't be able to successfully login anyway. Perhaps */ /* there is another supported authentication which we could use */#ifdef NO_FTP_AUTH /* If the userid is "ftp" or "anonymous" refuse to perform AUTH */ /* for Kerberos or SRP. 
*/#endif /* NO_FTP_AUTH */ if ( auth_type_user[0] == AUTHTYPE_AUTO ) { for (i = 2; i+1 <= end_sub; i += 2) {#ifdef NTLM if (parsedat[i] == AUTHTYPE_NTLM && ck_ntlm_is_valid() && ntlm_auth_send() == 0) { if ((parsedat[i+1] & AUTH_WHO_MASK) == AUTH_CLIENT_TO_SERVER && tn_how_ok(parsedat[i+1]) && tn_enc_ok(parsedat[i+1])) {#ifdef CK_ENCRYPTION /* NTLM does not support Telnet Encryption */ if ((parsedat[i+1] & AUTH_ENCRYPT_MASK)) continue; auth_crypt = parsedat[i+1] & AUTH_ENCRYPT_MASK;#endif /* CK_ENCRYPTION */ TELOPT_ME_MODE(TELOPT_ENCRYPTION) = TN_NG_RF; TELOPT_U_MODE(TELOPT_ENCRYPTION) = TN_NG_RF; authentication_version = AUTHTYPE_NTLM; auth_how = parsedat[i+1] & AUTH_HOW_MASK; break; } }#endif /* NTLM */#ifdef CK_SSL if ( parsedat[i] == AUTHTYPE_SSL && ssl_initialized &&#ifdef SSLDLL ck_ssleay_is_installed() &&#endif /* SSLDLL */ !tls_active_flag && !ssl_active_flag && ssl_load_certs() ) { if ((parsedat[i+1] & AUTH_WHO_MASK) == AUTH_CLIENT_TO_SERVER && tn_how_ok(parsedat[i+1]) && tn_enc_ok(parsedat[i+1])) {#ifdef CK_ENCRYPTION /* SSL does not support Telnet Encryption */ if ((parsedat[i+1] & AUTH_ENCRYPT_MASK)) continue; auth_crypt = parsedat[i+1] & AUTH_ENCRYPT_MASK;#endif /* CK_ENCRYPTION */ TELOPT_ME_MODE(TELOPT_ENCRYPTION) = TN_NG_RF; TELOPT_U_MODE(TELOPT_ENCRYPTION) = TN_NG_RF; authentication_version = AUTHTYPE_SSL; auth_how = parsedat[i+1] & AUTH_HOW_MASK; break; } }#endif /* SSL */#ifdef CK_SRP if ( parsedat[i] == AUTHTYPE_SRP#ifdef SRPDLL && hSRP#endif /* SRPDLL */#ifdef NO_FTP_AUTH && strcmp("ftp",szUserName) && strcmp("anonymous",szUserName)#endif /* NO_FTP_AUTH */ ) { if ((parsedat[i+1] & AUTH_WHO_MASK) == AUTH_CLIENT_TO_SERVER && tn_how_ok(parsedat[i+1]) && tn_enc_ok(parsedat[i+1])) {#ifdef CK_ENCRYPTION if ((parsedat[i+1] & AUTH_ENCRYPT_MASK)#ifndef PRE_SRP_1_4_5 /* Do not support ENCRYPT_USING_TELOPT yet. 
*/ && (TELOPT_ME_MODE(TELOPT_ENCRYPTION) == TN_NG_RF || TELOPT_U_MODE(TELOPT_ENCRYPTION) == TN_NG_RF)#endif /* PRE_SRP_1_4_5 */ ) continue; auth_crypt = parsedat[i+1] & AUTH_ENCRYPT_MASK; if ( auth_crypt == AUTH_ENCRYPT_USING_TELOPT ) { TELOPT_ME_MODE(TELOPT_ENCRYPTION) = TN_NG_MU; TELOPT_U_MODE(TELOPT_ENCRYPTION) = TN_NG_MU; }#endif /* CK_ENCRYPTION */ authentication_version = AUTHTYPE_SRP; auth_how = parsedat[i+1] & AUTH_HOW_MASK; break; } }#endif /* SRP */#ifdef KRB5 if (parsedat[i] == AUTHTYPE_KERBEROS_V5 &&#ifdef OS2 hKRB5_32 &&#endif /* OS2 */#ifdef NO_FTP_AUTH strcmp("ftp",szUserName) && strcmp("anonymous",szUserName) &&#endif /* NO_FTP_AUTH */ ck_krb5_is_installed() && !krb5_msg) { /* Without encryption we can't perform mutual authentication */ if ( (parsedat[i+1] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL && !ck_crypt_is_installed()) continue; /* Skip over entries that request credential forwarding */ /* if we are not forwarding. */ if ((!forward_flag && (parsedat[i+1] & INI_CRED_FWD_MASK)) || (forward_flag && ((parsedat[i+1] & AUTH_HOW_MASK) == AUTH_HOW_ONE_WAY))) continue; if ( !k5_auth_send(parsedat[i+1] & AUTH_HOW_MASK, parsedat[i+1] & AUTH_ENCRYPT_MASK, parsedat[i+1] & INI_CRED_FWD_MASK) ) { /* If we are auto-getting TGTs, try */ if ( !ck_krb5_is_tgt_valid() ) { printf("Kerberos 5: Ticket Getting Ticket not valid.\r\n");