📄 auth.c
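} /* closes a definition that begins above this excerpt */

/*
 * Print whether authentication is globally enabled and, for each distinct
 * authentication type in the authenticators table, whether that type is
 * currently enabled or disabled.
 *
 * Always returns 1.
 */
int
auth_status(void)
{
    Authenticator *ap;
    int i, mask;

    if (i_wont_support == -1)
        printf("Authentication disabled\n");
    else
        printf("Authentication enabled\n");

    /*
     * mask accumulates the types already reported, so a type that
     * appears in several table entries is printed only once.
     */
    mask = 0;
    for (ap = authenticators; ap->type; ap++) {
        if ((mask & (i = typemask(ap->type))) != 0)
            continue;
        mask |= i;
        printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
            (i_wont_support & typemask(ap->type)) ?
                "disabled" : "enabled");
    }
    return(1);
}

/*
 * This routine is called by the server to start authentication
 * negotiation.
 *
 * It builds a single IAC SB AUTHENTICATION SEND ... IAC SE message that
 * lists the (type, way) pair of every authenticator that is supported and
 * not disabled, then writes it to the network.  It does nothing if
 * negotiation has already been started.
 */
void
auth_request(void)
{
    static unsigned char str_request[64] = { IAC, SB,
                                             TELOPT_AUTHENTICATION,
                                             TELQUAL_SEND, };
    Authenticator *ap = authenticators;
    unsigned char *e = str_request + 4;
    /*
     * Last position at which a two-byte pair may start while still
     * leaving room for the trailing IAC SE.
     */
    unsigned char *limit = str_request + sizeof(str_request) - 4;

    if (!authenticating) {
        authenticating = 1;
        while (ap->type) {
            if (i_support & ~i_wont_support & typemask(ap->type)) {
                /*
                 * The request buffer is a fixed 64 bytes; stop
                 * appending rather than write past its end if the
                 * authenticator table ever grows beyond what fits.
                 */
                if (e > limit) {
                    if (auth_debug_mode) {
                        printf(">>>%s: Request buffer full, type %d %d not offered\r\n",
                            Name, ap->type, ap->way);
                    }
                    break;
                }
                if (auth_debug_mode) {
                    printf(">>>%s: Sending type %d %d\r\n",
                        Name, ap->type, ap->way);
                }
                *e++ = ap->type;
                *e++ = ap->way;
            }
            ++ap;
        }
        *e++ = IAC;
        *e++ = SE;
        telnet_net_write(str_request, e - str_request);
        printsub('>', &str_request[2], e - str_request - 2);
    }
}

/*
 * This is called when an AUTH SEND is received.
 * It should never arrive on the server side (as only the server can
 * send an AUTH SEND).
 * You should probably respond to it if you can...
 *
 * If you want to respond to the types out of order (i.e. even
 * if he sends LOGIN KERBEROS and you support both, you respond
 * with KERBEROS instead of LOGIN (which is against what the
 * protocol says)) you will have to hack this code...
 *
 * data points at the offered (type, way) pairs and cnt is their length
 * in bytes.  The pairs are tried in the order given; the first one whose
 * send handler succeeds ends the search.  If none succeeds, an
 * AUTHTYPE_NULL reply is written and authentication is marked rejected.
 */
void
auth_send(unsigned char *data, int cnt)
{
    Authenticator *ap;
    static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
                                        TELQUAL_IS, AUTHTYPE_NULL, 0,
                                        IAC, SE };

    if (Server) {
        if (auth_debug_mode) {
            printf(">>>%s: auth_send called!\r\n", Name);
        }
        return;
    }

    if (auth_debug_mode) {
        printf(">>>%s: auth_send got:", Name);
        printd(data, cnt);
        printf("\r\n");
    }

    /*
     * Save the data, if it is new, so that we can continue looking
     * at it if the authorization we try doesn't work
     */
    if (data < _auth_send_data ||
        data > _auth_send_data + sizeof(_auth_send_data)) {
        /*
         * Clamp the length to [0, sizeof(_auth_send_data)].  Comparing
         * a negative int against sizeof() converts it to a huge unsigned
         * value, which would select the full buffer size and make
         * memmove() read that many bytes from data; treat a negative
         * count as empty instead.
         */
        if (cnt < 0)
            auth_send_cnt = 0;
        else if ((size_t)cnt > sizeof(_auth_send_data))
            auth_send_cnt = sizeof(_auth_send_data);
        else
            auth_send_cnt = cnt;
        memmove(_auth_send_data, data, auth_send_cnt);
        auth_send_data = _auth_send_data;
    } else {
        /*
         * This is probably a no-op, but we just make sure
         */
        auth_send_data = data;
        auth_send_cnt = cnt;
    }

    /* Each offer is two bytes (type, way); a trailing odd byte is ignored. */
    while ((auth_send_cnt -= 2) >= 0) {
        if (auth_debug_mode)
            printf(">>>%s: He supports %d\r\n",
                Name, *auth_send_data);
        /*
         * NOTE(review): the type byte comes straight from the received
         * message and is passed to typemask(), which is defined outside
         * this excerpt -- confirm it is well defined for every byte
         * value, including 0 and values above the known types.
         */
        if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
            ap = findauthenticator(auth_send_data[0],
                                   auth_send_data[1]);
            if (ap && ap->send) {
                if (auth_debug_mode)
                    printf(">>>%s: Trying %d %d\r\n",
                        Name, auth_send_data[0],
                        auth_send_data[1]);
                if ((*ap->send)(ap)) {
                    /*
                     * Okay, we found one we like
                     * and did it.
                     * we can go home now.
                     */
                    if (auth_debug_mode)
                        printf(">>>%s: Using type %d\r\n",
                            Name, *auth_send_data);
                    /* Step past this pair so a retry resumes with the next offer. */
                    auth_send_data += 2;
                    return;
                }
            }
            /* else
             * just continue on and look for the
             * next one if we didn't do anything.
             */
        }
        auth_send_data += 2;
    }

    /* Nothing usable was offered: answer with the NULL type and reject. */
    telnet_net_write(str_none, sizeof(str_none));
    printsub('>', &str_none[2], sizeof(str_none) - 2);
    if (auth_debug_mode)
        printf(">>>%s: Sent failure message\r\n", Name);
    auth_finished(0, AUTH_REJECT);
    auth_has_failed = 1;
#ifdef KANNAN
    /*
     * We requested strong authentication, however no mechanisms worked.
     * Therefore, exit on client end.
     */
    printf("Unable to securely authenticate user ... exit\n");
    exit(0);
#endif /* KANNAN */
}

/*
 * Resume auth_send() from the saved position in the last offer list.
 */
void
auth_send_retry(void)
{
    /*
     * if auth_send_cnt <= 0 then auth_send will end up rejecting
     * the authentication and informing the other side of this.
     */
    auth_send(auth_send_data, auth_send_cnt);
}

/*
 * Dispatch a received message (an IS message, going by the debug text) to
 * the is handler of the authenticator named by its first two bytes.
 *
 * data[0] is the type and data[1] the way; the remaining cnt-2 bytes are
 * handed to the handler.  Messages shorter than two bytes are ignored and
 * a type of AUTHTYPE_NULL marks authentication as rejected.
 */
void
auth_is(unsigned char *data, int cnt)
{
    Authenticator *ap;

    if (cnt < 2)
        return;

    if (data[0] == AUTHTYPE_NULL) {
        auth_finished(0, AUTH_REJECT);
        return;
    }

    if ((ap = findauthenticator(data[0], data[1]))) {
        if (ap->is)
            (*ap->is)(ap, data+2, cnt-2);
    } else if (auth_debug_mode)
        printf(">>>%s: Invalid authentication in IS: %d\r\n",
            Name, *data);
}

/*
 * Dispatch a received message to the reply handler of the authenticator
 * named by its first two bytes (type, way); the remaining cnt-2 bytes are
 * handed to the handler.  Messages shorter than two bytes are ignored.
 */
void
auth_reply(unsigned char *data, int cnt)
{
    Authenticator *ap;

    if (cnt < 2)
        return;

    if ((ap = findauthenticator(data[0], data[1]))) {
        if (ap->reply)
            (*ap->reply)(ap, data+2, cnt-2);
    } else if (auth_debug_mode)
        /*
         * NOTE(review): the text says "SEND" although this is the
         * reply path -- looks like a copy of the message used
         * elsewhere; confirm before relying on it in logs.
         */
        printf(">>>%s: Invalid authentication in SEND: %d\r\n",
            Name, *data);
}

/*
 * Accept a name of cnt bytes (not NUL-terminated) and pass it, as a C
 * string, to auth_encrypt_user().
 *
 * Empty names and names that do not fit in the 255-byte local buffer are
 * dropped; the length is checked before anything is copied.
 */
void
auth_name(unsigned char *data, int cnt)
{
    char savename[256];

    if (cnt < 1) {
        if (auth_debug_mode)
            printf(">>>%s: Empty name in NAME\r\n", Name);
        return;
    }
    /* cnt is known to be positive here, so the unsigned comparison is safe. */
    if ((size_t)cnt > sizeof(savename) - 1) {
        if (auth_debug_mode)
            printf(">>>%s: Name in NAME (%d) exceeds %lu length\r\n",
                Name, cnt, (unsigned long)(sizeof(savename)-1));
        return;
    }
    memmove(savename, data, cnt);
    savename[cnt] = '\0';    /* Null terminate */
    if (auth_debug_mode)
        printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
    auth_encrypt_user(savename);
}

/*
 * Send the len bytes at cp as an IAC SB AUTHENTICATION NAME ... IAC SE
 * message, doubling every IAC byte inside the name.
 *
 * Returns 1 after the message has been written, or 0 (nothing sent) if
 * the escaped name does not fit in the request buffer.
 */
int
auth_sendname(unsigned char *cp, int len)
{
    static unsigned char str_request[256+6]
            = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
    unsigned char *e = str_request + 4;
    /* ee keeps the last two bytes free for the closing IAC SE. */
    unsigned char *ee = &str_request[sizeof(str_request)-2];

    while (--len >= 0) {
        if ((*e++ = *cp++) == IAC)
            *e++ = IAC;
        if (e >= ee)
            return(0);
    }
    *e++ = IAC;
    *e++ = SE;
    telnet_net_write(str_request, e - str_request);
    printsub('>', &str_request[2], e - &str_request[2]);
    return(1);
}

/*
 * Record the outcome of authentication: ap becomes the active
 * authenticator (NoAuth when ap is null) and result is stored in
 * validuser.
 */
void
auth_finished(Authenticator *ap, int result)
{
    if (!(authenticated = ap))
        authenticated = &NoAuth;
    validuser = result;
}

/*
 * SIGALRM handler installed by auth_wait(): gives up on authentication by
 * recording a rejection.
 */
/* ARGSUSED */
static void
auth_intr(int sig)
{
    auth_finished(0, AUTH_REJECT);
}

/*
 * Wait, for at most 30 seconds, until authentication has finished, then
 * report the result.
 *
 * Returns 0 on the server when no negotiation was started, AUTH_REJECT
 * when no authenticator (or only NoAuth) ended up selected, and otherwise
 * validuser, after the selected authenticator's status handler, if any,
 * has been given name/name_sz and the chance to adjust it.
 */
int
auth_wait(char *name, size_t name_sz)
{
    if (auth_debug_mode)
        printf(">>>%s: in auth_wait.\r\n", Name);

    if (Server && !authenticating)
        return(0);

    /* On timeout auth_intr() sets authenticated, which ends the loop below. */
    signal(SIGALRM, auth_intr);
    alarm(30);
    while (!authenticated)
        if (telnet_spin())
            break;
    alarm(0);
    signal(SIGALRM, SIG_DFL);

    /*
     * Now check to see if the user is valid or not
     */
    if (!authenticated || authenticated == &NoAuth)
        return(AUTH_REJECT);

    if (validuser == AUTH_VALID)
        validuser = AUTH_USER;

    if (authenticated->status)
        validuser = (*authenticated->status)(authenticated,
                                             name, name_sz,
                                             validuser);
    return(validuser);
}

/*
 * Set the debug flag that gates the ">>>" trace output in this file.
 */
void
auth_debug(int mode)
{
    auth_debug_mode = mode;
}

/*
 * Render an authentication sub-option into buf for display.
 *
 * data[1] and data[2] select the authenticator; if it provides a printsub
 * handler that handler is used, otherwise the generic printer is.
 */
void
auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
{
    Authenticator *ap;

    /*
     * Only index data[1] and data[2] when the message is long enough to
     * contain them; cnt is taken to be the number of valid bytes in data,
     * consistent with auth_gen_printsub() skipping a three-byte header.
     * Shorter input goes to the generic printer, which reads nothing.
     */
    if (cnt >= 3 &&
        (ap = findauthenticator(data[1], data[2])) && ap->printsub)
        (*ap->printsub)(data, cnt, buf, buflen);
    else
        auth_gen_printsub(data, cnt, buf, buflen);
}

/*
 * Generic printer: write the bytes that follow the three-byte header of
 * data into buf as space-separated decimal numbers.
 *
 * The last two bytes of buf are preset to "*" and NUL, so output that is
 * cut off for lack of space ends in '*'.
 */
void
auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
{
    unsigned char *cp;
    unsigned char tbuf[16];

    /*
     * The marker below writes buf[buflen-2] and buf[buflen-1]; with
     * fewer than two bytes available that would land outside buf.
     */
    if (buflen < 2) {
        if (buflen == 1)
            buf[0] = '\0';
        return;
    }

    cnt -= 3;
    data += 3;
    buf[buflen-1] = '\0';
    buf[buflen-2] = '*';
    buflen -= 2;
    for (; cnt > 0; cnt--, data++) {
        snprintf((char *)tbuf, sizeof(tbuf), " %d", *data);
        for (cp = tbuf; *cp && buflen > 0; --buflen)
            *buf++ = *cp++;
        if (buflen <= 0)
            return;
    }
    *buf = '\0';
}

#endif /* closes a conditional opened above this excerpt */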