int EncryptDisable(char *type, char *mode) { Encryptions *ep; int ret = 0; if (isprefix(type, "help") || isprefix(type, "?")) { printf("Usage: encrypt disable <type> [input|output]\n"); encrypt_list_types(); } else if ((ep = (Encryptions *)genget(type, (char **)encryptions, sizeof(Encryptions))) == 0) { printf("%s: invalid encryption type\n", type); } else if (Ambiguous((char **)ep)) { printf("Ambiguous type '%s'\n", type); } else { if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) { if (decrypt_mode == ep->type) EncryptStopInput(); i_wont_support_decrypt |= typemask(ep->type); ret = 1; } if ((mode == 0) || (isprefix(mode, "output"))) { if (encrypt_mode == ep->type) EncryptStopOutput(); i_wont_support_encrypt |= typemask(ep->type); ret = 1; } if (ret == 0) printf("%s: invalid encryption mode\n", mode); } return(ret); }
void encrypt_init(const char *name, int server) { Encryptions *ep = encryptions; Name = name; Server = server; i_support_encrypt = i_support_decrypt = 0; remote_supports_encrypt = remote_supports_decrypt = 0; encrypt_mode = 0; decrypt_mode = 0; encrypt_output = 0; decrypt_input = 0; str_suplen = 4; while (ep->type) { if (encrypt_debug_mode) printf(">>>%s: I will support %s\r\n", Name, ENCTYPE_NAME(ep->type)); i_support_encrypt |= typemask(ep->type); i_support_decrypt |= typemask(ep->type); if ((i_wont_support_decrypt & typemask(ep->type)) == 0) if ((str_send[str_suplen++] = ep->type) == IAC) str_send[str_suplen++] = IAC; if (ep->init) (*ep->init)(Server); ++ep; } str_send[str_suplen++] = IAC; str_send[str_suplen++] = SE; }
/* * This routine is called by the server to start authentication * negotiation. */ void auth_request(void) { static unsigned char str_request[64] = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_SEND, }; Authenticator *ap = authenticators; unsigned char *e = str_request + 4; if (!authenticating) { authenticating = 1; while (ap->type) { if (i_support & ~i_wont_support & typemask(ap->type)) { if (auth_debug_mode) { printf(">>>%s: Sending type %d %d\r\n", Name, ap->type, ap->way); } *e++ = ap->type; *e++ = ap->way; } ++ap; } *e++ = IAC; *e++ = SE; net_write(str_request, e - str_request); printsub('>', &str_request[2], e - str_request - 2); } }
int auth_onoff(char *type, int on) { int i, mask = -1; Authenticator *ap; if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) { printf("auth %s 'type'\n", on ? "enable" : "disable"); printf("Where 'type' is one of:\n"); printf("\t%s\n", AUTHTYPE_NAME(0)); mask = 0; for (ap = authenticators; ap->type; ap++) { if ((mask & (i = typemask(ap->type))) != 0) continue; mask |= i; printf("\t%s\n", AUTHTYPE_NAME(ap->type)); } return(0); } if (!getauthmask(type, &mask)) { printf("%s: invalid authentication type\n", type); return(0); } if (on) i_wont_support &= ~mask; else i_wont_support |= mask; return(1); }
void auth_init(const char *name, int server) { Authenticator *ap = authenticators; Server = server; Name = name; i_support = 0; authenticated = 0; authenticating = 0; while (ap->type) { if (!ap->init || (*ap->init)(ap, server)) { i_support |= typemask(ap->type); if (auth_debug_mode) printf(">>>%s: I support auth type %d %d\r\n", Name, ap->type, ap->way); } else if (auth_debug_mode) printf(">>>%s: Init failed: auth type %d %d\r\n", Name, ap->type, ap->way); ++ap; } }
void auth_init (char *name, int server) { TN_Authenticator *ap = authenticators; Server = server; Name = name; i_support = 0; authenticated = 0; authenticating = 0; while (ap->type) { if (!ap->init || (*ap->init) (ap, server)) { i_support |= typemask (ap->type); if (auth_debug_mode) printf (">>>%s: I support auth type %s (%d) %s (%d)\r\n", Name, AUTHTYPE_NAME_OK (ap->type) ? AUTHTYPE_NAME (ap->type) : "unknown", ap->type, ap->way & AUTH_HOW_MASK & AUTH_HOW_MUTUAL ? "MUTUAL" : "ONEWAY", ap->way); } else if (auth_debug_mode) printf (">>>%s: Init failed: auth type %d %d\r\n", Name, ap->type, ap->way); ++ap; } }
void auth_disable_name(char *name) { int x; for (x = 0; x < AUTHTYPE_CNT; ++x) { if (AUTHTYPE_NAME(x) && !strcasecmp(name, AUTHTYPE_NAME(x))) { i_wont_support |= typemask(x); break; } } }
static Encryptions * finddecryption(int type) { Encryptions *ep = encryptions; if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & (unsigned)typemask(type))) return(0); while (ep->type && ep->type != type) ++ep; return(ep->type ? ep : 0); }
int auth_status(void) { Authenticator *ap; int i, mask; if (i_wont_support == -1) printf("Authentication disabled\n"); else printf("Authentication enabled\n"); mask = 0; for (ap = authenticators; ap->type; ap++) { if ((mask & (i = typemask(ap->type))) != 0) continue; mask |= i; printf("%s: %s\n", AUTHTYPE_NAME(ap->type), (i_wont_support & typemask(ap->type)) ? "disabled" : "enabled"); } return(1); }
/* * Called when ENCRYPT SUPPORT is received. */ void encrypt_support(unsigned char *typelist, int cnt) { int type, use_type = 0; Encryptions *ep; /* * Forget anything the other side has previously told us. */ remote_supports_decrypt = 0; while (cnt-- > 0) { type = *typelist++; if (encrypt_debug_mode) printf(">>>%s: He is supporting %s (%d)\r\n", Name, ENCTYPE_NAME(type), type); if ((type < ENCTYPE_CNT) && (I_SUPPORT_ENCRYPT & typemask(type))) { remote_supports_decrypt |= typemask(type); if (use_type == 0) use_type = type; } } if (use_type) { ep = findencryption(use_type); if (!ep) return; type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0; if (encrypt_debug_mode) printf(">>>%s: (*ep->start)() returned %d\r\n", Name, type); if (type < 0) return; encrypt_mode = use_type; if (type == 0) encrypt_start_output(use_type); } }
int getauthmask(char *type, int *maskp) { int x; if (AUTHTYPE_NAME(0) && !strcasecmp(type, AUTHTYPE_NAME(0))) { *maskp = -1; return(1); } for (x = 1; x < AUTHTYPE_CNT; ++x) { if (AUTHTYPE_NAME(x) && !strcasecmp(type, AUTHTYPE_NAME(x))) { *maskp = typemask(x); return(1); } } return(0); }
void encrypt_is(unsigned char *data, int cnt) { Encryptions *ep; int type, ret; if (--cnt < 0) return; type = *data++; if (type < ENCTYPE_CNT) remote_supports_encrypt |= typemask(type); if (!(ep = finddecryption(type))) { if (encrypt_debug_mode) printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n", Name, ENCTYPE_NAME_OK(type) ? ENCTYPE_NAME(type) : "(unknown)", type); return; } if (!ep->is) { if (encrypt_debug_mode) printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n", Name, ENCTYPE_NAME_OK(type) ? ENCTYPE_NAME(type) : "(unknown)", type); ret = 0; } else { ret = (*ep->is)(data, cnt); if (encrypt_debug_mode) printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt, (ret < 0) ? "FAIL " : (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret); } if (ret < 0) { autodecrypt = 0; } else { decrypt_mode = type; if (ret == 0 && autodecrypt) encrypt_send_request_start(); } }
void (*encrypt_output) P((unsigned char *, int)); int (*decrypt_input) P((int)); int encrypt_debug_mode = 0; static int decrypt_mode = 0; static int encrypt_mode = 0; static int encrypt_verbose = 0; static int autoencrypt = 0; static int autodecrypt = 0; static int havesessionkey = 0; static int Server = 0; static char *Name = "Noname"; #define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0) static long i_support_encrypt = typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64); static long i_support_decrypt = typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64); static long i_wont_support_encrypt = 0; static long i_wont_support_decrypt = 0; #define I_SUPPORT_ENCRYPT (i_support_encrypt & ~i_wont_support_encrypt) #define I_SUPPORT_DECRYPT (i_support_decrypt & ~i_wont_support_decrypt) static long remote_supports_encrypt = 0; static long remote_supports_decrypt = 0; static Encryptions encryptions[] = { #ifdef DES_ENCRYPTION { "DES_CFB64", ENCTYPE_DES_CFB64, cfb64_encrypt,
/* * This is called when an AUTH SEND is received. * It should never arrive on the server side (as only the server can * send an AUTH SEND). * You should probably respond to it if you can... * * If you want to respond to the types out of order (i.e. even * if he sends LOGIN KERBEROS and you support both, you respond * with KERBEROS instead of LOGIN (which is against what the * protocol says)) you will have to hack this code... */ void auth_send(unsigned char *data, int cnt) { Authenticator *ap; static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_IS, AUTHTYPE_NULL, 0, IAC, SE }; if (Server) { if (auth_debug_mode) { printf(">>>%s: auth_send called!\r\n", Name); } return; } if (auth_debug_mode) { printf(">>>%s: auth_send got:", Name); printd(data, cnt); printf("\r\n"); } /* * Save the data, if it is new, so that we can continue looking * at it if the authorization we try doesn't work */ if (data < _auth_send_data || data > _auth_send_data + sizeof(_auth_send_data)) { auth_send_cnt = (size_t)cnt > sizeof(_auth_send_data) ? sizeof(_auth_send_data) : cnt; memmove((void *)_auth_send_data, (void *)data, auth_send_cnt); auth_send_data = _auth_send_data; } else { /* * This is probably a no-op, but we just make sure */ auth_send_data = data; auth_send_cnt = cnt; } while ((auth_send_cnt -= 2) >= 0) { if (auth_debug_mode) printf(">>>%s: He supports %d\r\n", Name, *auth_send_data); if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) { ap = findauthenticator(auth_send_data[0], auth_send_data[1]); if (ap && ap->send) { if (auth_debug_mode) printf(">>>%s: Trying %d %d\r\n", Name, auth_send_data[0], auth_send_data[1]); if ((*ap->send)(ap)) { /* * Okay, we found one we like * and did it. * we can go home now. */ if (auth_debug_mode) printf(">>>%s: Using type %d\r\n", Name, *auth_send_data); auth_send_data += 2; return; } } /* else * just continue on and look for the * next one if we didn't do anything. */ } auth_send_data += 2; } net_write(str_none, sizeof(str_none)); printsub('>', &str_none[2], sizeof(str_none) - 2); if (auth_debug_mode) printf(">>>%s: Sent failure message\r\n", Name); auth_finished(0, AUTH_REJECT); }
/* * This is called when an AUTH SEND is received. * It should never arrive on the server side (as only the server can * send an AUTH SEND). * You should probably respond to it if you can... * * If you want to respond to the types out of order (i.e. even * if he sends LOGIN KERBEROS and you support both, you respond * with KERBEROS instead of LOGIN (which is against what the * protocol says)) you will have to hack this code... */ void auth_send (unsigned char *data, int cnt) { TN_Authenticator *ap; static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_IS, AUTHTYPE_NULL, 0, IAC, SE }; if (Server) { if (auth_debug_mode) { printf (">>>%s: auth_send called!\r\n", Name); } return; } if (auth_debug_mode) { printf (">>>%s: auth_send got:", Name); printd (data, cnt); printf ("\r\n"); } /* * Save the data, if it is new, so that we can continue looking * at it if the authorization we try doesn't work */ if (data < _auth_send_data || data > _auth_send_data + sizeof (_auth_send_data)) { auth_send_cnt = cnt > sizeof (_auth_send_data) ? sizeof (_auth_send_data) : cnt; memmove ((void *) _auth_send_data, (void *) data, auth_send_cnt); auth_send_data = _auth_send_data; } else { /* * This is probably a no-op, but we just make sure */ auth_send_data = data; auth_send_cnt = cnt; } while ((auth_send_cnt -= 2) >= 0) { if (auth_debug_mode) printf (">>>%s: He supports %s (%d) %s (%d)\r\n", Name, AUTHTYPE_NAME_OK (auth_send_data[0]) ? AUTHTYPE_NAME (auth_send_data[0]) : "unknown", auth_send_data[0], auth_send_data[1] & AUTH_HOW_MASK & AUTH_HOW_MUTUAL ? "MUTUAL" : "ONEWAY", auth_send_data[1]); if ((i_support & ~i_wont_support) & typemask (*auth_send_data)) { ap = findauthenticator (auth_send_data[0], auth_send_data[1]); if (ap && ap->send) { if (auth_debug_mode) printf (">>>%s: Trying %s (%d) %s (%d)\r\n", Name, AUTHTYPE_NAME_OK (auth_send_data[0]) ? AUTHTYPE_NAME (auth_send_data[0]) : "unknown", auth_send_data[0], auth_send_data[1] & AUTH_HOW_MASK & AUTH_HOW_MUTUAL ? "MUTUAL" : "ONEWAY", auth_send_data[1]); if ((*ap->send) (ap)) { /* * Okay, we found one we like * and did it. * we can go home now. */ if (auth_debug_mode) printf (">>>%s: Using type %s (%d)\r\n", Name, AUTHTYPE_NAME_OK (*auth_send_data) ? AUTHTYPE_NAME (*auth_send_data) : "unknown", *auth_send_data); auth_send_data += 2; return; } } /* else * just continue on and look for the * next one if we didn't do anything. */ } auth_send_data += 2; } net_write (str_none, sizeof (str_none)); printsub ('>', &str_none[2], sizeof (str_none) - 2); if (auth_debug_mode) printf (">>>%s: Sent failure message\r\n", Name); auth_finished (0, AUTH_REJECT); # ifdef KANNAN /* * We requested strong authentication, however no mechanisms worked. * Therefore, exit on client end. */ printf ("Unable to securely authenticate user ... exit\n"); exit (EXIT_SUCCESS); # endif /* KANNAN */ }
int EncryptStopOutput(void); int encrypt_debug_mode = 0; static int decrypt_mode = 0; static int encrypt_mode = 0; static int encrypt_verbose = 0; static int autoencrypt = 0; static int autodecrypt = 0; static int havesessionkey = 0; static int Server = 0; static const char *Name = "Noname"; #define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0) static u_long i_support_encrypt = 0 | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64) |0; static u_long i_support_decrypt = 0 | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64) |0; static u_long i_wont_support_encrypt = 0; static u_long i_wont_support_decrypt = 0; #define I_SUPPORT_ENCRYPT (i_support_encrypt & ~i_wont_support_encrypt) #define I_SUPPORT_DECRYPT (i_support_decrypt & ~i_wont_support_decrypt) static u_long remote_supports_encrypt = 0; static u_long remote_supports_decrypt = 0; static Encryptions encryptions[] = { { "DES_CFB64", ENCTYPE_DES_CFB64,