ckuath.c

KERMIT工具 这在办公室下载不了,很多人都没有载不到.

            break;
        case 6:
            s = "FORWARD_ACCEPT";
            break;
        case 7:
            s = "FORWARD_REJECT";
            break;
        case 8:
            s = "EXP";
            break;
        case 9:
            s = "PARAMS";
            break;
        }

        ckmakxmsg(tn_msg,TN_MSG_LEN,
                  "TELNET SENT SB ",
                 TELOPT(TELOPT_AUTHENTICATION)," ",
                 str_data[3] == TELQUAL_REPLY ? "REPLY" :
                 str_data[3] == TELQUAL_IS ? "IS" : "???"," ",
                 AUTHTYPE_NAME(authentication_version)," ",
                 AUTHMODE_NAME(mode)," ",
                 s," ",NULL);
        tn_hex((CHAR *)tn_msg,TN_MSG_LEN,&str_data[7],deblen-7);
        ckstrncat(tn_msg,"IAC SE",TN_MSG_LEN);
        debug(F100,tn_msg,"",0);
        if (tn_deb || debses) tn_debug(tn_msg);
    }

    /* Send data */
#ifdef OS2
    RequestTelnetMutex( SEM_INDEFINITE_WAIT );
#endif
    rc = ttol((CHAR *)str_data, p - str_data);
#ifdef OS2
    ReleaseTelnetMutex();
#endif
    return(rc);
}

#ifdef CK_ENCRYPTION
/*
 * Function: Enable or disable the encryption process.
 *
 * Parameters:
 *      enable - TRUE to enable, FALSE to disable.
 */
static VOID
#ifdef CK_ANSIC
auth_encrypt_enable(BOOL enable)
#else
auth_encrypt_enable(enable) BOOL enable;
#endif
{
  encrypt_flag = enable;
}
#endif

/*
 * Function: Abort the authentication process
 *
 * Parameters:
 */
static VOID
#ifdef CK_ANSIC
auth_abort(char *errmsg, long r)
#else
auth_abort(errmsg,r) char *errmsg; long r;
#endif
{
    char buf[9];
    extern int sstelnet;

#ifdef CK_SSL
    if (TELOPT_SB(TELOPT_START_TLS).start_tls.me_follows) {
        return;
    }
#endif /* CK_SSL */
    debug(F111,"auth_abort",errmsg,r);

    /* Construct Telnet Debugging messages */
    if (deblog || tn_deb || debses) {
        ckmakxmsg(tn_msg,TN_MSG_LEN,
                  "TELNET SENT SB ",TELOPT(TELOPT_AUTHENTICATION),
                  " IS ",AUTHTYPE_NAME(AUTHTYPE_NULL)," ",
                   AUTHTYPE_NAME(AUTHTYPE_NULL)," IAC SE",
                   NULL,NULL,NULL,NULL,NULL
                 );
        debug(F100,tn_msg,"",0);
        if (tn_deb || debses) tn_debug(tn_msg);
    }

    /* Construct the Abort message to send to the host   */
    /* Basicly we change the authentication type to NULL */
    sprintf(buf, "%c%c%c%c%c%c%c%c", IAC, SB, TELOPT_AUTHENTICATION,
             sstelnet ? TELQUAL_REPLY : TELQUAL_IS, AUTHTYPE_NULL,
             AUTHTYPE_NULL, IAC, SE);   /* safe */
#ifdef OS2
    RequestTelnetMutex( SEM_INDEFINITE_WAIT );
#endif
    ttol((CHAR *)buf, 8);
#ifdef OS2
    ReleaseTelnetMutex();
#endif

    /* If there is an error message, and error number construct */
    /* an explanation to display to the user                    */
    if (errmsg != NULL) {
        ckstrncpy(strTmp, errmsg, AUTHTMPBL);
    } else
        strTmp[0] = '\0';


    if (r != AUTH_SUCCESS) {
        ckstrncat(strTmp, "\r\n",AUTHTMPBL);
#ifdef KRB4
        if ( authentication_version == AUTHTYPE_KERBEROS_V4 ) {
            ckstrncat(strTmp, (char *)krb_get_err_text_entry(r),
                       AUTHTMPBL);
            debug(F111,"auth_abort",(char *)krb_get_err_text_entry(r),r);
        }
#endif
#ifdef KRB5
        if ( authentication_version == AUTHTYPE_KERBEROS_V5 ) {
            ckstrncat(strTmp, error_message(r),AUTHTMPBL);
            debug(F111,"auth_abort",error_message(r),r);
        }
#endif
    }
    printf("Authentication failed: %s\r\n",strTmp);
#ifdef CKSYSLOG
    if (ckxsyslog >= SYSLG_LI && ckxlogging) {
        cksyslog(SYSLG_LI, 0, "Telnet authentication failure",
                  (char *) szUserNameRequested,
                  strTmp);
    }
#endif /* CKSYSLOG */
    authentication_version = AUTHTYPE_NULL;
}


/*
 * Function: Copy data to buffer, doubling IAC character if present.
 *
 */
int
#ifdef CK_ANSIC
copy_for_net(unsigned char *to, unsigned char *from, int c)
#else
copy_for_net(to,from,c) unsigned char *to; unsigned char *from; int c;
#endif
{
    int n;

    n = c;
    debug(F111,"copy_for_net","before",n);
    while (c-- > 0) {
        if ((*to++ = *from++) == IAC) {
            n++;
            *to++ = IAC;
        }
    }
    debug(F111,"copy_for_net","after",n);
    return n;
}

#ifdef CK_SSL
/*  S E N D S S L A U T H S B
 *  Send a SSL Authentication Subnegotiation to host and
 *  output appropriate Telnet Debug messages
 *
 *  type - Sub Negotiation type
 *  data - ptr to buffer containing data
 *  len  - len of buffer if not NUL terminated
 *
 *  returns number of characters sent or error value
 */

int
#ifdef CK_ANSIC
SendSSLAuthSB(int type, void *data, int len)
#else
SendSSLAuthSB(type,data,len) int type; void *data; int len;
#endif
{
    int rc;
    unsigned char *p = str_data + 3;
    unsigned char *cd = (unsigned char *)data;
    extern int sstelnet;

    /* Check for invalid values */
    if ( type != SSL_START && type != SSL_ACCEPT &&
         type != SSL_REJECT)
        return(0);

    if (TELOPT_SB(TELOPT_START_TLS).start_tls.me_follows) {
        if (ttchk() < 0)
          return(0);
        else
          return(1);
    }

    if (len == -1)                        /* Use strlen() for len */
        len = strlen((char *)cd);

    /* Construct Message */
    *p++ = sstelnet ? TELQUAL_REPLY : TELQUAL_IS;
    *p++ = AUTHTYPE_SSL;
    *p = AUTH_CLIENT_TO_SERVER;
    *p |= auth_how;
#ifdef CK_ENCRYPTION
    *p |= auth_crypt;
#endif
    p++;
    *p++ = type;
    while (len-- > 0) {
        if ((*p++ = *cd++) == IAC)
            *p++ = IAC;
        }
    *p++ = IAC;
    *p++ = SE;

    /* Handle Telnet Debugging Messages */
    if (deblog || tn_deb || debses) {
        int i;
        int deblen=p-str_data-2;
        char *s=NULL;
        int mode = AUTH_CLIENT_TO_SERVER | (auth_how & AUTH_HOW_MASK) |
            (auth_crypt?AUTH_ENCRYPT_USING_TELOPT:AUTH_ENCRYPT_OFF);

        switch (type) {
        case SSL_START:
            s = "START";
            break;
        case SSL_ACCEPT:
            s = "ACCEPT";
            break;
        case SSL_REJECT:
            s = "REJECT";
            break;
        }

        ckmakxmsg(tn_msg,TN_MSG_LEN,
                  "TELNET SENT SB ",
                 TELOPT(TELOPT_AUTHENTICATION)," ",
                 str_data[3] == TELQUAL_REPLY ? "REPLY" :
                 str_data[3] == TELQUAL_IS ? "IS" : "???"," ",
                 AUTHTYPE_NAME(authentication_version)," ",
                 AUTHMODE_NAME(mode)," ",
                 s," ",NULL);
        tn_hex((CHAR *)tn_msg,TN_MSG_LEN,&str_data[7],deblen-7);
        ckstrncat(tn_msg,"IAC SE",TN_MSG_LEN);
        debug(F100,tn_msg,"",0);
        if (tn_deb || debses) tn_debug(tn_msg);
    }

    /* Send data */
#ifdef OS2
    RequestTelnetMutex( SEM_INDEFINITE_WAIT );
#endif
    rc = ttol((CHAR *)str_data, p - str_data);
#ifdef OS2
    ReleaseTelnetMutex();
#endif
    return(rc);
}
#endif  /* CK_SSL */

int
tn_how_ok(int how)
{
    switch ( tn_auth_how ) {
    case TN_AUTH_HOW_ANY:
        return(1);
    case TN_AUTH_HOW_ONE_WAY:
        return((how & AUTH_HOW_MASK) == AUTH_HOW_ONE_WAY);
    case TN_AUTH_HOW_MUTUAL:
        return((how & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL);
    default:
        return(0);
    }
}

int
tn_enc_ok(int enc)
{
    switch ( tn_auth_enc ) {
    case TN_AUTH_ENC_ANY:
        if ((enc & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_START_TLS &&
            (!ck_ssleay_is_installed()
#ifdef CK_SSL
             || !ssl_finished_messages ||
             !(tls_active_flag || ssl_active_flag)
#endif /* CK_SSL */
             )) {
#ifdef CK_SSL
            if (!ssl_finished_messages)
                debug(F100,"tn_enc_ok !ssl_finished_messages","",0);
#endif /* CK_SSL */
            return(0);
        }
        return(1);
    case TN_AUTH_ENC_NONE:
        return((enc & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_OFF);
    case TN_AUTH_ENC_TELOPT:
        return((enc & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_USING_TELOPT);
    case TN_AUTH_ENC_EXCH:
        return((enc & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_AFTER_EXCHANGE);
    case TN_AUTH_ENC_TLS:
        return(((enc & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_START_TLS) &&
               ck_ssleay_is_installed()
#ifdef CK_SSL
               && ssl_finished_messages &&
               (tls_active_flag || ssl_active_flag)
#endif /* CK_SSL */
           );
    default:
        return(0);
    }
}

static int
atok(int at) {
    int i;
    if ( auth_type_user[0] == AUTHTYPE_AUTO )
        return(1);
    if ( auth_type_user[0] == AUTHTYPE_NULL )
        return(0);

    for ( i=0;
          i<AUTHTYPLSTSZ && auth_type_user[i] != AUTHTYPE_NULL;
          i++ ) {
        if ( auth_type_user[i] == at )
            return(1);
    }

    return(0);
}


/*
 * Function: Parse authentication send command
 *
 * Parameters:
 *  parsedat - the sub-command data.
 *
 *      end_sub - index of the character in the 'parsedat' array which
 *              is the last byte in a sub-negotiation
 *
 * Returns: Kerberos error code.
 */

static unsigned char send_list[512];
static int  send_len = 0;

_PROTOTYP(static int auth_send, (unsigned char *parsedat, int end_sub));

static int
#ifdef CK_ANSIC
auth_resend(int type)
#else
auth_resend(type) int type;
#endif /* CK_ANSIC */
{
    int i=2;
    while (i+1 <= send_len) {
        if (send_list[i] == type) {
            int j;
            send_len -= 2;
            for (j = i; j < send_len; j++)
                send_list[j] = send_list[j+2];
        } else {
            i += 2;
        }
    }
    return(auth_send(send_list,send_len));
}

static int
#ifdef CK_ANSIC
auth_send(unsigned char *parsedat, int end_sub)
#else
auth_send(parsedat,end_sub) unsigned char *parsedat; int end_sub;
#endif
{
    static unsigned char buf[4096];
    unsigned char *pname;
    int plen;
    int r;
    int i;
    int mode;
#ifdef MIT_CURRENT
#ifdef CK_ENCRYPTION
    krb5_data data;
    krb5_enc_data encdata;
    krb5_error_code code;
    krb5_keyblock random_key;
#endif /* ENCRYPTION */
#endif /* MIT_CURRENT */
#ifdef KRB5
    int krb5_msg = 0;
#endif /* KRB5 */
#ifdef KRB4
    int krb4_msg = 0;
#endif /* KRB4 */
#ifdef GSSAPI_KRB5
    int gssk5_msg = 0;
#endif /* GSSAPI_KRB5 */
    int iaccnt=0;

#ifdef CK_SSL
    if (TELOPT_SB(TELOPT_START_TLS).start_tls.me_follows)
        return(AUTH_SUCCESS);
#endif /* CK_SSL */

    auth_how = -1;              /* We have not found an auth method  */
    auth_crypt = 0;             /* We are not using encryption (yet) */
    send_len = end_sub > 512 ? 512 : end_sub;
    memcpy(send_list,parsedat,send_len);

    /* Search the list of acceptable Authentication types sent from */
    /* the host and find one that we support                        */

    /* For Kerberos authentications, try to determine if we have a  */
    /* valid TGT, if not skip over the authentication type because  */
    /* we wouldn't be able to successfully login anyway.  Perhaps   */
    /* there is another supported authentication which we could use */

#ifdef NO_FTP_AUTH
    /* If the userid is "ftp" or "anonymous" refuse to perform AUTH */
    /* for Kerberos or SRP.                                         */
#endif /* NO_FTP_AUTH */

    if ( auth_type_user[0] == AUTHTYPE_AUTO ) {
    for (i = 2; i+1 <= end_sub; i += 2) {
#ifdef NTLM
        if (parsedat[i] == AUTHTYPE_NTLM &&
             ck_ntlm_is_valid(1) &&
             ntlm_auth_send() == 0) {
            if ((parsedat[i+1] & AUTH_WHO_MASK) == AUTH_CLIENT_TO_SERVER &&
                 tn_how_ok(parsedat[i+1]) && tn_enc_ok(parsedat[i+1])) {
#ifdef CK_ENCRYPTION
                /* NTLM does not support Telnet Encryption */
                if ((parsedat[i+1] & AUTH_ENCRYPT_MASK))
                    continue;
                auth_crypt = parsedat[i+1] & AUTH_ENCRYPT_MASK;
#endif /* CK_ENCRYPTION */
                TELOPT_ME_MODE(TELOPT_ENCRYPTION) = TN_NG_RF;
                TELOPT_U_MODE(TELOPT_ENCRYPTION) = TN_NG_RF;
                authentication_version = AUTHTYPE_NTLM;
                auth_how = parsedat[i+1] & AUTH_HOW_MASK;
                break;
            }
        }
#endif /* NTLM */
#ifdef CK_SSL
        if ( parsedat[i] == AUTHTYPE_SSL && ssl_initialized &&
#ifdef SSLDLL
             ck_ssleay_is_installed() &&
#endif /* SSLDLL */
             !tls_active_flag && !ssl_active_flag
#ifndef USE_CERT_CB
             && tls_load_certs(ssl_ctx,ssl_con,0)
#endif /* USE_CERT_CB */
             ) {

            if ((parsedat[i+1] & AUTH_WHO_MASK) == AUTH_CLIENT_TO_SERVER &&
                 tn_how_ok(parsedat[i+1]) && tn_enc_ok(parsedat[i+1])) {
#ifdef CK_ENCRYPTION
                /* SSL does not support Telnet Encryption */
                if ((parsedat[i+1] & AUTH_ENCRYPT_MASK))
                    continue;
                auth_crypt = parsedat[i+1] & AUTH_ENCRYPT_MASK;
#endif /* CK_ENCRYPTION */
                TELOPT_ME_MODE(TELOPT_ENCRYPTION) = TN_NG_RF;
                TELOPT_U_MODE(TELOPT_ENCRYPTION) = TN_NG_RF;
                authentication_version = AUTHTYPE_SSL;
                auth_how = parsedat[i+1] & AUTH_HOW_MASK;