void
auth_send_retry(void)
{
/*
* if auth_send_cnt <= 0 then auth_send will end up rejecting
* the authentication and informing the other side of this.
*/
auth_send(auth_send_data, auth_send_cnt);
}
/*
* Function: Parse the athorization sub-options and reply.
*
* Parameters:
* ks - kstream to send abort message to.
*
* parsedat - sub-option string to parse.
*
* end_sub - last charcter position in parsedat.
*/
void
auth_parse(kstream ks, unsigned char *parsedat, int end_sub)
{
if (parsedat[1] == TELQUAL_SEND)
auth_send(ks, parsedat, end_sub);
if (parsedat[1] == TELQUAL_REPLY)
auth_reply(ks, parsedat, end_sub);
}
static void
suboption(void)
{
unsigned char subchar;
printsub('<', subbuffer, SB_LEN()+2);
switch (subchar = SB_GET()) {
case TELOPT_TTYPE:
if (my_want_state_is_wont(TELOPT_TTYPE))
return;
if (SB_EOF() || SB_GET() != TELQUAL_SEND) {
return;
} else {
const char *name;
unsigned char temp[50];
int len;
name = gettermname();
len = strlen(name) + 4 + 2;
if (len < NETROOM()) {
sprintf(temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
TELQUAL_IS, name, IAC, SE);
ring_supply_data(&netoring, temp, len);
printsub('>', &temp[2], len-2);
} else {
ExitString("No room in buffer for terminal type.\n", 1);
/*NOTREACHED*/
}
}
break;
case TELOPT_TSPEED:
if (my_want_state_is_wont(TELOPT_TSPEED))
return;
if (SB_EOF())
return;
if (SB_GET() == TELQUAL_SEND) {
long ospeed, ispeed;
unsigned char temp[50];
int len;
TerminalSpeeds(&ispeed, &ospeed);
sprintf((char *)temp, "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED,
TELQUAL_IS, ospeed, ispeed, IAC, SE);
len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */
if (len < NETROOM()) {
ring_supply_data(&netoring, temp, len);
printsub('>', temp+2, len - 2);
}
/*@*/ else printf("lm_will: not enough room in buffer\n");
}
break;
case TELOPT_LFLOW:
if (my_want_state_is_wont(TELOPT_LFLOW))
return;
if (SB_EOF())
return;
switch(SB_GET()) {
case LFLOW_RESTART_ANY:
restartany = 1;
break;
case LFLOW_RESTART_XON:
restartany = 0;
break;
case LFLOW_ON:
localflow = 1;
break;
case LFLOW_OFF:
localflow = 0;
break;
default:
return;
}
setcommandmode();
setconnmode(0);
break;
case TELOPT_LINEMODE:
if (my_want_state_is_wont(TELOPT_LINEMODE))
return;
if (SB_EOF())
return;
switch (SB_GET()) {
case WILL:
lm_will(subpointer, SB_LEN());
break;
case WONT:
lm_wont(subpointer, SB_LEN());
break;
case DO:
lm_do(subpointer, SB_LEN());
break;
case DONT:
lm_dont(subpointer, SB_LEN());
break;
case LM_SLC:
slc(subpointer, SB_LEN());
break;
case LM_MODE:
lm_mode(subpointer, SB_LEN(), 0);
break;
default:
break;
}
break;
#ifdef OLD_ENVIRON
case TELOPT_OLD_ENVIRON:
#endif
case TELOPT_NEW_ENVIRON:
if (SB_EOF())
return;
switch(SB_PEEK()) {
case TELQUAL_IS:
case TELQUAL_INFO:
if (my_want_state_is_dont(subchar))
return;
break;
case TELQUAL_SEND:
if (my_want_state_is_wont(subchar)) {
return;
}
break;
default:
return;
}
env_opt(subpointer, SB_LEN());
break;
case TELOPT_XDISPLOC:
if (my_want_state_is_wont(TELOPT_XDISPLOC))
return;
if (SB_EOF())
return;
if (SB_GET() == TELQUAL_SEND) {
unsigned char temp[50], *dp;
int len;
if ((dp = env_getvalue("DISPLAY")) == NULL ||
strlen(dp) > sizeof(temp) - 7) {
/*
* Something happened, we no longer have a DISPLAY
* variable. Or it is too long. So, turn off the option.
*/
send_wont(TELOPT_XDISPLOC, 1);
break;
}
snprintf(temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB,
TELOPT_XDISPLOC, TELQUAL_IS, dp, IAC, SE);
len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */
if (len < NETROOM()) {
ring_supply_data(&netoring, temp, len);
printsub('>', temp+2, len - 2);
}
/*@*/ else printf("lm_will: not enough room in buffer\n");
}
break;
#ifdef AUTHENTICATION
case TELOPT_AUTHENTICATION: {
if (!autologin)
break;
if (SB_EOF())
return;
switch(SB_GET()) {
case TELQUAL_IS:
if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
return;
auth_is(subpointer, SB_LEN());
break;
case TELQUAL_SEND:
if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
return;
auth_send(subpointer, SB_LEN());
break;
case TELQUAL_REPLY:
if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
return;
auth_reply(subpointer, SB_LEN());
break;
case TELQUAL_NAME:
if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
return;
auth_name(subpointer, SB_LEN());
break;
}
}
break;
#endif
#ifdef ENCRYPTION
case TELOPT_ENCRYPT:
if (SB_EOF())
return;
switch(SB_GET()) {
case ENCRYPT_START:
if (my_want_state_is_dont(TELOPT_ENCRYPT))
return;
encrypt_start(subpointer, SB_LEN());
break;
case ENCRYPT_END:
if (my_want_state_is_dont(TELOPT_ENCRYPT))
return;
encrypt_end();
break;
case ENCRYPT_SUPPORT:
if (my_want_state_is_wont(TELOPT_ENCRYPT))
return;
encrypt_support(subpointer, SB_LEN());
break;
case ENCRYPT_REQSTART:
if (my_want_state_is_wont(TELOPT_ENCRYPT))
return;
encrypt_request_start(subpointer, SB_LEN());
break;
case ENCRYPT_REQEND:
if (my_want_state_is_wont(TELOPT_ENCRYPT))
return;
/*
* We can always send an REQEND so that we cannot
* get stuck encrypting. We should only get this
* if we have been able to get in the correct mode
* anyhow.
*/
encrypt_request_end();
break;
case ENCRYPT_IS:
if (my_want_state_is_dont(TELOPT_ENCRYPT))
return;
encrypt_is(subpointer, SB_LEN());
break;
case ENCRYPT_REPLY:
if (my_want_state_is_wont(TELOPT_ENCRYPT))
return;
encrypt_reply(subpointer, SB_LEN());
break;
case ENCRYPT_ENC_KEYID:
if (my_want_state_is_dont(TELOPT_ENCRYPT))
return;
encrypt_enc_keyid(subpointer, SB_LEN());
break;
case ENCRYPT_DEC_KEYID:
if (my_want_state_is_wont(TELOPT_ENCRYPT))
return;
encrypt_dec_keyid(subpointer, SB_LEN());
break;
default:
break;
}
break;
#endif /* ENCRYPTION */
default:
break;
}
}
munge_err_t
m_msg_client_xfer (m_msg_t *pm, m_msg_type_t mreq_type, munge_ctx_t ctx)
{
char *socket;
int i;
munge_err_t e;
m_msg_t mreq, mrsp;
m_msg_type_t mrsp_type;
if (!pm || !*pm) {
return (EMUNGE_SNAFU);
}
if (!ctx || !(socket = ctx->socket_str)) {
socket = MUNGE_SOCKET_NAME;
}
mreq = *pm;
mrsp = NULL;
if (mreq_type == MUNGE_MSG_ENC_REQ) {
mrsp_type = MUNGE_MSG_ENC_RSP;
}
else if (mreq_type == MUNGE_MSG_DEC_REQ) {
mrsp_type = MUNGE_MSG_DEC_RSP;
}
else {
return (EMUNGE_SNAFU);
}
i = 1;
while (1) {
if ((e = _m_msg_client_connect (mreq, socket)) != EMUNGE_SUCCESS) {
break;
}
else if ((e = m_msg_send (mreq, mreq_type, MUNGE_MAXIMUM_REQ_LEN))
!= EMUNGE_SUCCESS) {
; /* empty */
}
else if (auth_send (mreq) < 0) {
e = EMUNGE_SOCKET;
}
else if ((e = m_msg_create (&mrsp)) != EMUNGE_SUCCESS) {
break;
}
else if ((e = m_msg_bind (mrsp, mreq->sd)) != EMUNGE_SUCCESS) {
break;
}
else if ((e = m_msg_recv (mrsp, mrsp_type, 0)) != EMUNGE_SUCCESS) {
; /* empty */
}
else if ((e = _m_msg_client_disconnect (mrsp)) != EMUNGE_SUCCESS) {
break;
}
else if (e == EMUNGE_SUCCESS) {
break;
}
if (i >= MUNGE_SOCKET_RETRY_ATTEMPTS) {
break;
}
if (e == EMUNGE_BAD_LENGTH) {
break;
}
if (mrsp != NULL) {
mrsp->sd = -1; /* prevent socket close by destroy() */
m_msg_destroy (mrsp);
mrsp = NULL;
}
if (mreq->sd >= 0) {
(void) close (mreq->sd);
mreq->sd = -1;
}
mreq->retry = i;
e = _m_msg_client_millisleep (mreq, i * MUNGE_SOCKET_RETRY_MSECS);
if (e != EMUNGE_SUCCESS) {
break;
}
i++;
}
if (mrsp) {
*pm = mrsp;
mreq->sd = -1; /* prevent socket close by destroy() */
m_msg_destroy (mreq);
}
return (e);
}
int
fwtk_verify(struct passwd *pw, char *prompt, sudo_auth *auth)
{
char *pass; /* Password from the user */
char buf[SUDO_PASS_MAX + 12]; /* General prupose buffer */
char resp[128]; /* Response from the server */
int error;
/* Send username to authentication server. */
(void) snprintf(buf, sizeof(buf), "authorize %s 'sudo'", pw->pw_name);
restart:
if (auth_send(buf) || auth_recv(resp, sizeof(resp))) {
warningx(_("lost connection to authentication server"));
return AUTH_FATAL;
}
/* Get the password/response from the user. */
if (strncmp(resp, "challenge ", 10) == 0) {
(void) snprintf(buf, sizeof(buf), "%s\nResponse: ", &resp[10]);
pass = auth_getpass(buf, def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);
if (pass && *pass == '\0') {
pass = auth_getpass("Response [echo on]: ",
def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_ON);
}
} else if (strncmp(resp, "chalnecho ", 10) == 0) {
pass = auth_getpass(&resp[10], def_passwd_timeout * 60,
SUDO_CONV_PROMPT_ECHO_OFF);
} else if (strncmp(resp, "password", 8) == 0) {
pass = auth_getpass(prompt, def_passwd_timeout * 60,
SUDO_CONV_PROMPT_ECHO_OFF);
} else if (strncmp(resp, "display ", 8) == 0) {
fprintf(stderr, "%s\n", &resp[8]);
strlcpy(buf, "response dummy", sizeof(buf));
goto restart;
} else {
warningx("%s", resp);
return AUTH_FATAL;
}
if (!pass) { /* ^C or error */
return AUTH_INTR;
}
/* Send the user's response to the server */
(void) snprintf(buf, sizeof(buf), "response '%s'", pass);
if (auth_send(buf) || auth_recv(resp, sizeof(resp))) {
warningx(_("lost connection to authentication server"));
error = AUTH_FATAL;
goto done;
}
if (strncmp(resp, "ok", 2) == 0) {
error = AUTH_SUCCESS;
goto done;
}
/* Main loop prints "Permission Denied" or insult. */
if (strcmp(resp, "Permission Denied.") != 0)
warningx("%s", resp);
error = AUTH_FAILURE;
done:
zero_bytes(pass, strlen(pass));
zero_bytes(buf, strlen(buf));
return error;
}
