void
auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
{
Authenticator *ap;
if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
(*ap->printsub)(data, cnt, buf, buflen);
else
auth_gen_printsub(data, cnt, buf, buflen);
}
void
auth_reply(unsigned char *data, int cnt)
{
Authenticator *ap;
if (cnt < 2)
return;
if ((ap = findauthenticator(data[0], data[1]))) {
if (ap->reply)
(*ap->reply)(ap, data+2, cnt-2);
} else if (auth_debug_mode)
printf(">>>%s: Invalid authentication in SEND: %d\r\n",
Name, *data);
}
void
auth_is(unsigned char *data, int cnt)
{
Authenticator *ap;
if (cnt < 2)
return;
if (data[0] == AUTHTYPE_NULL) {
auth_finished(0, AUTH_REJECT);
return;
}
if ((ap = findauthenticator(data[0], data[1]))) {
if (ap->is)
(*ap->is)(ap, data+2, cnt-2);
} else if (auth_debug_mode)
printf(">>>%s: Invalid authentication in IS: %d\r\n",
Name, *data);
}
/*
* This is called when an AUTH SEND is received.
* It should never arrive on the server side (as only the server can
* send an AUTH SEND).
* You should probably respond to it if you can...
*
* If you want to respond to the types out of order (i.e. even
* if he sends LOGIN KERBEROS and you support both, you respond
* with KERBEROS instead of LOGIN (which is against what the
* protocol says)) you will have to hack this code...
*/
void
auth_send(unsigned char *data, int cnt)
{
Authenticator *ap;
static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
TELQUAL_IS, AUTHTYPE_NULL, 0,
IAC, SE };
if (Server) {
if (auth_debug_mode) {
printf(">>>%s: auth_send called!\r\n", Name);
}
return;
}
if (auth_debug_mode) {
printf(">>>%s: auth_send got:", Name);
printd(data, cnt); printf("\r\n");
}
/*
* Save the data, if it is new, so that we can continue looking
* at it if the authorization we try doesn't work
*/
if (data < _auth_send_data ||
data > _auth_send_data + sizeof(_auth_send_data)) {
auth_send_cnt = (size_t)cnt > sizeof(_auth_send_data)
? sizeof(_auth_send_data)
: cnt;
memmove((void *)_auth_send_data, (void *)data, auth_send_cnt);
auth_send_data = _auth_send_data;
} else {
/*
* This is probably a no-op, but we just make sure
*/
auth_send_data = data;
auth_send_cnt = cnt;
}
while ((auth_send_cnt -= 2) >= 0) {
if (auth_debug_mode)
printf(">>>%s: He supports %d\r\n",
Name, *auth_send_data);
if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
ap = findauthenticator(auth_send_data[0],
auth_send_data[1]);
if (ap && ap->send) {
if (auth_debug_mode)
printf(">>>%s: Trying %d %d\r\n",
Name, auth_send_data[0],
auth_send_data[1]);
if ((*ap->send)(ap)) {
/*
* Okay, we found one we like
* and did it.
* we can go home now.
*/
if (auth_debug_mode)
printf(">>>%s: Using type %d\r\n",
Name, *auth_send_data);
auth_send_data += 2;
return;
}
}
/* else
* just continue on and look for the
* next one if we didn't do anything.
*/
}
auth_send_data += 2;
}
net_write(str_none, sizeof(str_none));
printsub('>', &str_none[2], sizeof(str_none) - 2);
if (auth_debug_mode)
printf(">>>%s: Sent failure message\r\n", Name);
auth_finished(0, AUTH_REJECT);
}
/*
* This is called when an AUTH SEND is received.
* It should never arrive on the server side (as only the server can
* send an AUTH SEND).
* You should probably respond to it if you can...
*
* If you want to respond to the types out of order (i.e. even
* if he sends LOGIN KERBEROS and you support both, you respond
* with KERBEROS instead of LOGIN (which is against what the
* protocol says)) you will have to hack this code...
*/
void
auth_send (unsigned char *data, int cnt)
{
TN_Authenticator *ap;
static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
TELQUAL_IS, AUTHTYPE_NULL, 0,
IAC, SE
};
if (Server)
{
if (auth_debug_mode)
{
printf (">>>%s: auth_send called!\r\n", Name);
}
return;
}
if (auth_debug_mode)
{
printf (">>>%s: auth_send got:", Name);
printd (data, cnt);
printf ("\r\n");
}
/*
* Save the data, if it is new, so that we can continue looking
* at it if the authorization we try doesn't work
*/
if (data < _auth_send_data ||
data > _auth_send_data + sizeof (_auth_send_data))
{
auth_send_cnt = cnt > sizeof (_auth_send_data)
? sizeof (_auth_send_data) : cnt;
memmove ((void *) _auth_send_data, (void *) data, auth_send_cnt);
auth_send_data = _auth_send_data;
}
else
{
/*
* This is probably a no-op, but we just make sure
*/
auth_send_data = data;
auth_send_cnt = cnt;
}
while ((auth_send_cnt -= 2) >= 0)
{
if (auth_debug_mode)
printf (">>>%s: He supports %s (%d) %s (%d)\r\n",
Name, AUTHTYPE_NAME_OK (auth_send_data[0]) ?
AUTHTYPE_NAME (auth_send_data[0]) :
"unknown",
auth_send_data[0],
auth_send_data[1] &
AUTH_HOW_MASK &
AUTH_HOW_MUTUAL ? "MUTUAL" : "ONEWAY", auth_send_data[1]);
if ((i_support & ~i_wont_support) & typemask (*auth_send_data))
{
ap = findauthenticator (auth_send_data[0], auth_send_data[1]);
if (ap && ap->send)
{
if (auth_debug_mode)
printf (">>>%s: Trying %s (%d) %s (%d)\r\n",
Name,
AUTHTYPE_NAME_OK (auth_send_data[0]) ?
AUTHTYPE_NAME (auth_send_data[0]) :
"unknown",
auth_send_data[0],
auth_send_data[1] &
AUTH_HOW_MASK &
AUTH_HOW_MUTUAL ?
"MUTUAL" : "ONEWAY", auth_send_data[1]);
if ((*ap->send) (ap))
{
/*
* Okay, we found one we like
* and did it.
* we can go home now.
*/
if (auth_debug_mode)
printf (">>>%s: Using type %s (%d)\r\n",
Name,
AUTHTYPE_NAME_OK (*auth_send_data) ?
AUTHTYPE_NAME (*auth_send_data) :
"unknown", *auth_send_data);
auth_send_data += 2;
return;
}
}
/* else
* just continue on and look for the
* next one if we didn't do anything.
*/
}
auth_send_data += 2;
}
net_write (str_none, sizeof (str_none));
printsub ('>', &str_none[2], sizeof (str_none) - 2);
if (auth_debug_mode)
printf (">>>%s: Sent failure message\r\n", Name);
auth_finished (0, AUTH_REJECT);
# ifdef KANNAN
/*
* We requested strong authentication, however no mechanisms worked.
* Therefore, exit on client end.
*/
printf ("Unable to securely authenticate user ... exit\n");
exit (EXIT_SUCCESS);
# endif /* KANNAN */
}
