This repository has been archived by the owner on Apr 19, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 95
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Malcolm Smith's patch to support CHAP (digest-based) authentication
when talking to SOCKS 5 proxies. Configures itself transparently (if the proxy offers CHAP it will use it, otherwise it falls back to ordinary cleartext passwords). git-svn-id: svn://svn.tartarus.org/sgt/putty@4517 cda61777-01e9-0310-a592-d414129be87e
- Loading branch information
simon
committed
Aug 30, 2004
1 parent
ae0500e
commit f33ba69
Showing
8 changed files
with
336 additions
and
48 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,190 @@ | ||
/* | ||
* Routines to do cryptographic interaction with proxies in PuTTY. | ||
* This is in a separate module from proxy.c, so that it can be | ||
* conveniently removed in PuTTYtel by replacing this module with | ||
* the stub version nocproxy.c. | ||
*/ | ||
|
||
#include <assert.h> | ||
#include <ctype.h> | ||
#include <string.h> | ||
|
||
#define DEFINE_PLUG_METHOD_MACROS | ||
#include "putty.h" | ||
#include "ssh.h" /* For MD5 support */ | ||
#include "network.h" | ||
#include "proxy.h" | ||
|
||
static void hmacmd5_chap(const unsigned char *challenge, int challen, | ||
const char *passwd, unsigned char *response) | ||
{ | ||
void *hmacmd5_ctx; | ||
int pwlen; | ||
|
||
hmacmd5_ctx = hmacmd5_make_context(); | ||
|
||
pwlen = strlen(passwd); | ||
if (pwlen>64) { | ||
unsigned char md5buf[16]; | ||
MD5Simple(passwd, pwlen, md5buf); | ||
hmacmd5_key(hmacmd5_ctx, md5buf, 16); | ||
} else { | ||
hmacmd5_key(hmacmd5_ctx, passwd, pwlen); | ||
} | ||
|
||
hmacmd5_do_hmac(hmacmd5_ctx, challenge, challen, response); | ||
hmacmd5_free_context(hmacmd5_ctx); | ||
} | ||
|
||
void proxy_socks5_offerencryptedauth(char *command, int *len) | ||
{ | ||
command[*len] = 0x03; /* CHAP */ | ||
(*len)++; | ||
} | ||
|
||
int proxy_socks5_handlechap (Proxy_Socket p) | ||
{ | ||
|
||
/* CHAP authentication reply format: | ||
* version number (1 bytes) = 1 | ||
* number of commands (1 byte) | ||
* | ||
* For each command: | ||
* command identifier (1 byte) | ||
* data length (1 byte) | ||
*/ | ||
unsigned char data[260]; | ||
unsigned char outbuf[20]; | ||
|
||
while(p->chap_num_attributes == 0 || | ||
p->chap_num_attributes_processed < p->chap_num_attributes) { | ||
if (p->chap_num_attributes == 0 || | ||
p->chap_current_attribute == -1) { | ||
/* CHAP normally reads in two bytes, either at the | ||
* beginning or for each attribute/value pair. But if | ||
* we're waiting for the value's data, we might not want | ||
* to read 2 bytes. | ||
*/ | ||
|
||
if (bufchain_size(&p->pending_input_data) < 2) | ||
return 1; /* not got anything yet */ | ||
|
||
/* get the response */ | ||
bufchain_fetch(&p->pending_input_data, data, 2); | ||
bufchain_consume(&p->pending_input_data, 2); | ||
} | ||
|
||
if (p->chap_num_attributes == 0) { | ||
/* If there are no attributes, this is our first msg | ||
* with the server, where we negotiate version and | ||
* number of attributes | ||
*/ | ||
if (data[0] != 0x01) { | ||
plug_closing(p->plug, "Proxy error: SOCKS proxy wants" | ||
" a different CHAP version", | ||
PROXY_ERROR_GENERAL, 0); | ||
return 1; | ||
} | ||
if (data[1] == 0x00) { | ||
plug_closing(p->plug, "Proxy error: SOCKS proxy won't" | ||
" negotiate CHAP with us", | ||
PROXY_ERROR_GENERAL, 0); | ||
return 1; | ||
} | ||
p->chap_num_attributes = data[1]; | ||
} else { | ||
if (p->chap_current_attribute == -1) { | ||
/* We have to read in each attribute/value pair - | ||
* those we don't understand can be ignored, but | ||
* there are a few we'll need to handle. | ||
*/ | ||
p->chap_current_attribute = data[0]; | ||
p->chap_current_datalen = data[1]; | ||
} | ||
if (bufchain_size(&p->pending_input_data) < | ||
p->chap_current_datalen) | ||
return 1; /* not got everything yet */ | ||
|
||
/* get the response */ | ||
bufchain_fetch(&p->pending_input_data, data, | ||
p->chap_current_datalen); | ||
|
||
bufchain_consume(&p->pending_input_data, | ||
p->chap_current_datalen); | ||
|
||
switch (p->chap_current_attribute) { | ||
case 0x00: | ||
/* Successful authentication */ | ||
if (data[0] == 0x00) | ||
p->state = 2; | ||
else { | ||
plug_closing(p->plug, "Proxy error: SOCKS proxy" | ||
" refused CHAP authentication", | ||
PROXY_ERROR_GENERAL, 0); | ||
return 1; | ||
} | ||
break; | ||
case 0x03: | ||
outbuf[0] = 0x01; /* Version */ | ||
outbuf[1] = 0x01; /* One attribute */ | ||
outbuf[2] = 0x04; /* Response */ | ||
outbuf[3] = 0x10; /* Length */ | ||
hmacmd5_chap(data, p->chap_current_datalen, | ||
p->cfg.proxy_password, &outbuf[4]); | ||
sk_write(p->sub_socket, outbuf, 20); | ||
break; | ||
case 0x11: | ||
/* Chose a protocol */ | ||
if (data[0] != 0x85) { | ||
plug_closing(p->plug, "Proxy error: Server chose " | ||
"CHAP of other than HMAC-MD5 but we " | ||
"didn't offer it!", | ||
PROXY_ERROR_GENERAL, 0); | ||
return 1; | ||
} | ||
break; | ||
} | ||
p->chap_current_attribute = -1; | ||
p->chap_num_attributes_processed++; | ||
} | ||
if (p->state == 8 && | ||
p->chap_num_attributes_processed >= p->chap_num_attributes) { | ||
p->chap_num_attributes = 0; | ||
p->chap_num_attributes_processed = 0; | ||
p->chap_current_datalen = 0; | ||
} | ||
} | ||
return 0; | ||
} | ||
|
||
int proxy_socks5_selectchap(Proxy_Socket p) | ||
{ | ||
if (p->cfg.proxy_username[0] || p->cfg.proxy_password[0]) { | ||
char chapbuf[514]; | ||
int ulen; | ||
chapbuf[0] = '\x01'; /* Version */ | ||
chapbuf[1] = '\x02'; /* Number of attributes sent */ | ||
chapbuf[2] = '\x11'; /* First attribute - algorithms list */ | ||
chapbuf[3] = '\x01'; /* Only one CHAP algorithm */ | ||
chapbuf[4] = '\x85'; /* ...and it's HMAC-MD5, the core one */ | ||
chapbuf[5] = '\x02'; /* Second attribute - username */ | ||
|
||
ulen = strlen(p->cfg.proxy_username); | ||
if (ulen > 255) ulen = 255; if (ulen < 1) ulen = 1; | ||
|
||
chapbuf[6] = ulen; | ||
memcpy(chapbuf+7, p->cfg.proxy_username, ulen); | ||
|
||
sk_write(p->sub_socket, chapbuf, ulen + 7); | ||
p->chap_num_attributes = 0; | ||
p->chap_num_attributes_processed = 0; | ||
p->chap_current_attribute = -1; | ||
p->chap_current_datalen = 0; | ||
|
||
p->state = 8; | ||
} else | ||
plug_closing(p->plug, "Proxy error: Server chose " | ||
"CHAP authentication but we didn't offer it!", | ||
PROXY_ERROR_GENERAL, 0); | ||
return 1; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
/* | ||
* Routines to refuse to do cryptographic interaction with proxies | ||
* in PuTTY. This is a stub implementation of the same interfaces | ||
* provided by cproxy.c, for use in PuTTYtel. | ||
*/ | ||
|
||
#include <assert.h> | ||
#include <ctype.h> | ||
#include <string.h> | ||
|
||
#define DEFINE_PLUG_METHOD_MACROS | ||
#include "putty.h" | ||
#include "network.h" | ||
#include "proxy.h" | ||
|
||
void proxy_socks5_offerencryptedauth(char * command, int * len) | ||
{ | ||
/* For telnet, don't add any new encrypted authentication routines */ | ||
} | ||
|
||
int proxy_socks5_handlechap (Proxy_Socket p) | ||
{ | ||
|
||
plug_closing(p->plug, "Proxy error: Trying to handle a SOCKS5 CHAP request" | ||
" in telnet-only build", | ||
PROXY_ERROR_GENERAL, 0); | ||
return 1; | ||
} | ||
|
||
int proxy_socks5_selectchap(Proxy_Socket p) | ||
{ | ||
plug_closing(p->plug, "Proxy error: Trying to handle a SOCKS5 CHAP request" | ||
" in telnet-only build", | ||
PROXY_ERROR_GENERAL, 0); | ||
return 1; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.