
====== Поддержка Proxy-Negotiate авторизации ====== Прекрасная утилита [[http://proxychains.sourceforge.net/ | ProxyChains]] для проксирования программ, даже если те не поддерживают настройки прокси-сервера. Для работы внутри организации мне показалось целесообразным добавить в неё авторизацию Negotiate через GSS API. Версии: **Ubuntu 9.10 Karmic Koala**, **proxychains 3.1**. ===== Использование ===== После наложения патча на исходные тексты, появляется возможность использовать специальные имена пользователей: * **auth:negotiate** - без пароля, будет использована Negotiate авторизация; * **auth:basic** //<basic64_encoded_string>// - вместо пароля готовая закодированная в base64 строка вида '<имя_пользователя>:<пароль>', которую можно получить следующим образом: <code console> echo -n 'myuser:mypass' | base64 </code> ===== Патч ===== <code diff> #! /bin/sh /usr/share/dpatch/dpatch-run ## auth-negotiate.dpatch by <blake-r@it03.dm.itot.ru> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: No description. @DPATCH@ diff -urNad proxychains-3.1~/proxychains/Makefile.am proxychains-3.1/proxychains/Makefile.am --- proxychains-3.1~/proxychains/Makefile.am 2009-05-15 13:07:55.000000000 +0400 +++ proxychains-3.1/proxychains/Makefile.am 2009-11-05 18:03:31.689779317 +0300 @@ -1,6 +1,6 @@ SUBDIRS = docs -EXTRA_DIST = proxychains.conf core.c core.h libproxychains.c +EXTRA_DIST = proxychains.conf core.c core.h libproxychains.c additions.c additions.h negotiate.c negotiate.h sysconf_DATA=$(srcdir)/proxychains.conf 
@@ -22,10 +22,10 @@ #proxychains_LDFLAGS = $(all_libraries) lib_LTLIBRARIES = libproxychains.la -libproxychains_la_LDFLAGS = -version-info 3:0:0 $(all_libraries) +libproxychains_la_LDFLAGS = -version-info 3:0:0 $(all_libraries) -lgssapi_krb5 libproxychains_la_LIBADD= -ldl noinst_HEADERS = core.h -libproxychains_la_SOURCES= libproxychains.c core.c +libproxychains_la_SOURCES= libproxychains.c core.c additions.c negotiate.c libproxychains_la_METASOURCES = USE_AUTOMOC diff -urNad proxychains-3.1~/proxychains/Makefile.in proxychains-3.1/proxychains/Makefile.in --- proxychains-3.1~/proxychains/Makefile.in 2009-05-15 13:07:55.000000000 +0400 +++ proxychains-3.1/proxychains/Makefile.in 2009-11-05 18:01:57.917780706 +0300 @@ -91,7 +91,7 @@ SUBDIRS = docs -EXTRA_DIST = proxychains.conf core.c core.h libproxychains.c +EXTRA_DIST = proxychains.conf core.c core.h libproxychains.c additions.c additions.h negotiate.c negotiate.h sysconf_DATA = $(srcdir)/proxychains.conf @@ -104,10 +104,10 @@ #proxychains_LDFLAGS = $(all_libraries) lib_LTLIBRARIES = libproxychains.la -libproxychains_la_LDFLAGS = -version-info 3:0:0 $(all_libraries) +libproxychains_la_LDFLAGS = -version-info 3:0:0 $(all_libraries) -lgssapi_krb5 libproxychains_la_LIBADD = -ldl noinst_HEADERS = core.h -libproxychains_la_SOURCES = libproxychains.c core.c +libproxychains_la_SOURCES = libproxychains.c core.c additions.c negotiate.c libproxychains_la_METASOURCES = USE_AUTOMOC mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = ../config.h @@ -120,7 +120,7 @@ LDFLAGS = @LDFLAGS@ LIBS = @LIBS@ libproxychains_la_DEPENDENCIES = -libproxychains_la_OBJECTS = libproxychains.lo core.lo +libproxychains_la_OBJECTS = libproxychains.lo core.lo additions.lo negotiate.lo CFLAGS = @CFLAGS@ COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) 
@@ -137,7 +137,7 @@ TAR = tar GZIP_ENV = --best -DEP_FILES = .deps/core.P .deps/libproxychains.P +DEP_FILES = .deps/core.P .deps/libproxychains.P .deps/additions.P .deps/negotiate.P SOURCES = $(libproxychains_la_SOURCES) OBJECTS = $(libproxychains_la_OBJECTS) diff -urNad proxychains-3.1~/proxychains/additions.c proxychains-3.1/proxychains/additions.c --- proxychains-3.1~/proxychains/additions.c 1970-01-01 03:00:00.000000000 +0300 +++ proxychains-3.1/proxychains/additions.c 2009-11-05 17:41:51.409780806 +0300 
@@ -0,0 +1,55 @@ +/*************************************************************************** + additions.c - description + ------------------- + begin : Fri Mar 13 2009 + copyright : Blake-R (C) 2009 + email : blake-r@mail.ru + ***************************************************************************/ +/* GPL */ +/*************************************************************************** + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + * * + ***************************************************************************/ +#include <memory.h> +#include <stdio.h> +#include <sys/socket.h> +#include <netdb.h> +#include <arpa/inet.h> +#include "additions.h" + +unsigned int getAddress(const char *host) +{ + unsigned int ip=0; + int errcode; + struct addrinfo hints,*res=NULL; + memset(&hints,0,sizeof(hints)); + hints.ai_family=AF_INET; + hints.ai_socktype=SOCK_STREAM; + hints.ai_protocol=IPPROTO_TCP; + + errcode=getaddrinfo(host,NULL,&hints,&res); + if(errcode) + { + fprintf(stderr,"getaddrinfo(\"%s\") error: %s (%#x)\n",host,gai_strerror(errcode),errcode); + } + else + { + struct addrinfo *cur=res; + while(cur&&!ip) + { + ip=((struct sockaddr_in *)cur->ai_addr)->sin_addr.s_addr; + cur=cur->ai_next; + } + freeaddrinfo(res); + } + + if(!ip) + { + ip=inet_addr(host); + } + return ip; +} diff -urNad proxychains-3.1~/proxychains/additions.h proxychains-3.1/proxychains/additions.h --- proxychains-3.1~/proxychains/additions.h 1970-01-01 03:00:00.000000000 +0300 +++ proxychains-3.1/proxychains/additions.h 2009-11-05 17:41:51.409780806 +0300 
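Review bot: getAddress() in additions.c has no usable failure value: when getaddrinfo() fails, the fallback `ip=inet_addr(host);` returns INADDR_NONE (0xffffffff) for any string that is not a dotted quad, and that non-zero value is returned as if it were a resolved address. The caller visible in the libproxychains.c hunk assigns the result straight to `pd[count].ip`, so a mistyped proxy host name would end up as a chain entry instead of a configuration error. getaddrinfo() already accepts numeric IPv4 strings, so the fallback can be dropped and a single documented failure value (for example `return 0;` after the error message) checked by the config parser. A short header comment stating that the result is an IPv4 address in network byte order, and what is returned on failure, would also help.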
@@ -0,0 +1,22 @@ +/*************************************************************************** + additions.h - description + ------------------- + begin : Fri Mar 13 2009 + copyright : Blake-R (C) 2009 + email : blake-r@mail.ru + ***************************************************************************/ +/* GPL */ +/*************************************************************************** + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + * * + ***************************************************************************/ +#ifndef __ADDITIONS_H__ +#define __ADDITIONS_H__ + +unsigned int getAddress(const char *host); + +#endif//__ADDITIONS_H__ diff -urNad proxychains-3.1~/proxychains/core.c proxychains-3.1/proxychains/core.c --- proxychains-3.1~/proxychains/core.c 2009-05-15 13:07:55.000000000 +0400 +++ proxychains-3.1/proxychains/core.c 2009-11-05 18:04:14.253779926 +0300 @@ -36,6 +36,7 @@ #include <time.h> #include <stdarg.h> #include "core.h" +#include "negotiate.h" extern int tcp_read_time_out; extern int tcp_connect_time_out; 
@@ -203,14 +204,41 @@ ntohs(port)); if (user[0]) { - char src[256]; - char dst[512]; - strcpy(src,user); - strcat(src,":"); - strcat(src,pass); - encode_base_64(src,dst,512); - strcat(buff,"Proxy-Authorization: Basic "); - strcat(buff,dst); + if(user) + { + if(!strcasecmp("auth:negotiate",user)) + { + char *negotiateToken; + strcat(buff,"Proxy-Authorization: Negotiate "); + negotiateToken=getNegotiateToken("HTTP",pass); + if(negotiateToken) + { + strcat(buff,negotiateToken); + free(negotiateToken); + } + } + else + { + strcat(buff,"Proxy-Authorization: Basic "); + if (!strcasecmp("auth:basic",user)) + { + strcat(buff,pass); + } + else + { + char src[256]; + char dst[512]; + if(pass) + { + strcpy(src,user); + strcat(src,":"); + strcat(src,pass); + encode_base_64(src,dst,512); + strcat(buff,dst); + } + } + } + } strcat(buff,"\r\n\r\n"); } else diff -urNad proxychains-3.1~/proxychains/libproxychains.c proxychains-3.1/proxychains/libproxychains.c --- proxychains-3.1~/proxychains/libproxychains.c 2009-05-15 13:07:55.000000000 +0400 +++ proxychains-3.1/proxychains/libproxychains.c 2009-11-05 17:52:02.877779803 +0300 @@ -34,6 +34,7 @@ #include "core.h" +#include "additions.h" #define satosin(x) ((struct sockaddr_in *) &(x)) #define SOCKADDR(x) (satosin(x)->sin_addr.s_addr) 
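Review bot: The new Negotiate and auth:basic branches append variable-length data to `buff` with unbounded `strcat`: `strcat(buff,negotiateToken)` adds a base64 GSS token whose size depends on the ticket, and `strcat(buff,pass)` adds the configured string verbatim. The declaration of buff is outside the hunk, so its capacity needs confirming; each append should be guarded, e.g. `if(strlen(buff)+strlen(negotiateToken)+5>sizeof(buff))` followed by freeing the token and returning the function's error code (this assumes buff is an array, and the function body starts and ends outside the hunk). When getNegotiateToken() returns NULL the request is still sent with an empty `Proxy-Authorization: Negotiate ` header; failing the step at that point would make the cause visible. The inner `if(user)` test comes after `user[0]` has already been dereferenced and guards nothing. The retained `strcpy(src,user); strcat(src,":"); strcat(src,pass);` sequence into `char src[256]` is equally unbounded and would benefit from `snprintf(src,sizeof(src),"%s:%s",user,pass);`.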
@@ -174,10 +175,16 @@ port_n=0; sscanf(buff,"%s %s %d %s %s", type,host,&port_n, pd[count].user,pd[count].pass); - pd[count].ip=inet_addr(host); + proxychains_got_chain_data=1; // Temporary set got_chain_data flag to 1, otherwise getAddress() give infinity loop. + pd[count].ip=getAddress(host); + proxychains_got_chain_data=0; // Data not got yet, revert got_chain_data flag. pd[count].port=htons((unsigned short)port_n); if(!strcmp(type,"http")) { pd[count].pt=HTTP_TYPE; + if(!strcasecmp("auth:negotiate",pd[count].user)){ + // Copy host to pass for negotiate host name parameter. + strcpy(pd[count].pass,host); + } }else if(!strcmp(type,"socks4")) { pd[count].pt=SOCKS4_TYPE; }else if(!strcmp(type,"socks5")) { diff -urNad proxychains-3.1~/proxychains/negotiate.c proxychains-3.1/proxychains/negotiate.c --- proxychains-3.1~/proxychains/negotiate.c 1970-01-01 03:00:00.000000000 +0300 +++ proxychains-3.1/proxychains/negotiate.c 2009-11-05 17:41:45.553781550 +0300 
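Review bot: `strcpy(pd[count].pass,host);` copies the host field into the password slot without a length check, and both buffers were filled by the unbounded `%s` conversions in the sscanf above, so an over-long host in proxychains.conf may overrun pass. The buffer declarations are outside the hunk; if pass is an array member, `snprintf(pd[count].pass,sizeof(pd[count].pass),"%s",host);` bounds the copy. Reusing pass to carry the service host name deserves a comment on the struct, because core.c treats the same field as a credential for every other user name. Toggling the global `proxychains_got_chain_data` around getAddress() is also fragile if another thread enters the hooked functions while the config is being parsed; calling the real resolver directly would avoid the flag.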
@@ -0,0 +1,165 @@ +/*************************************************************************** + negotiate.c - description + ------------------- + begin : Fri Mar 13 2009 + copyright : Blake-R (C) 2009 + email : blake-r@mail.ru + ***************************************************************************/ +/* GPL */ +/*************************************************************************** + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + * * + ***************************************************************************/ +#include <stdio.h> +#include <malloc.h> +#include <string.h> +#include <gssapi/gssapi.h> +#include "negotiate.h" + +/* ---- Base64 Encoding/Decoding Table --- */ +static const char table64[]= + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; + +size_t base64_encode(const char *inp, size_t insize, char **outptr) +{ + unsigned char ibuf[3]; + unsigned char obuf[4]; + int i; + int inputparts; + char *output; + char *base64data; + + char *indata = (char *)inp; + + *outptr = NULL; /* set to NULL in case of failure before we reach the end */ + + if(0 == insize) + insize = strlen(indata); + + base64data = output = (char*)malloc(insize*4/3+4); + if(NULL == output) + return 0; + + while(insize > 0) { + for (i = inputparts = 0; i < 3; i++) { + if(insize > 0) { + inputparts++; + ibuf[i] = *indata; + indata++; + insize--; + } + else + ibuf[i] = 0; + } + + obuf[0] = (unsigned char) ((ibuf[0] & 0xFC) >> 2); + obuf[1] = (unsigned char) (((ibuf[0] & 0x03) << 4) | \ + ((ibuf[1] & 0xF0) >> 4)); + obuf[2] = (unsigned char) (((ibuf[1] & 0x0F) << 2) | \ + ((ibuf[2] & 0xC0) >> 6)); + obuf[3] = (unsigned char) (ibuf[2] & 0x3F); + + switch(inputparts) { + case 1: /* only one byte read */ + snprintf(output, 5, "%c%c==", + 
table64[obuf[0]], + table64[obuf[1]]); + break; + case 2: /* two bytes read */ + snprintf(output, 5, "%c%c%c=", + table64[obuf[0]], + table64[obuf[1]], + table64[obuf[2]]); + break; + default: + snprintf(output, 5, "%c%c%c%c", + table64[obuf[0]], + table64[obuf[1]], + table64[obuf[2]], + table64[obuf[3]] ); + break; + } + output += 4; + } + *output=0; + *outptr = base64data; /* make it return the actual data memory */ + + return strlen(base64data); /* return the length of the new data */ +} +/* ---- End of Base64 Encoding ---- */ + +char * getNegotiateToken(const char *service,const char *server) +{ + char *token=NULL; + OM_uint32 major,minor; + gss_buffer_desc gss_buffer; + gss_name_t gss_name; + gss_ctx_id_t gss_context=GSS_C_NO_CONTEXT; + gss_buffer_desc gss_input_token=GSS_C_EMPTY_BUFFER; + gss_buffer_desc gss_output_token=GSS_C_EMPTY_BUFFER; + + if(!service||!server) + { + fprintf(stderr,"Service and server values cannot be NULL!\n"); + return NULL; + } + + gss_buffer.length=strlen(service)+strlen(server)+2; + gss_buffer.value=malloc(gss_buffer.length); + if(!gss_buffer.value) + { + fprintf(stderr,"malloc() failed\n"); + } + else + { + sprintf(gss_buffer.value,"%s@%s",service,server); + + major=gss_import_name(&minor,&gss_buffer,GSS_C_NT_HOSTBASED_SERVICE,&gss_name); + if(major!=GSS_S_COMPLETE) + { + fprintf(stderr,"gss_import_name() error: %#x\n",major); + } + else + { + major=gss_init_sec_context(&minor, + GSS_C_NO_CREDENTIAL,&gss_context,gss_name,GSS_C_NO_OID, + GSS_C_DELEG_FLAG,0,GSS_C_NO_CHANNEL_BINDINGS, + &gss_input_token,NULL,&gss_output_token,NULL,NULL); + if(major!=GSS_S_COMPLETE) + { + fprintf(stderr,"gss_init_sec_context() error: %#x\n",major); + } + else + { + if(gss_output_token.length==0) + { + fprintf(stderr,"Token don't need to be send."); + } + else + { + // TODO: Need to make SPNEGO token (spnegohelp) + base64_encode(gss_output_token.value,gss_output_token.length,&token); + } + + 
major=gss_delete_sec_context(&minor,&gss_context,GSS_C_NO_BUFFER); + if(major!=GSS_S_COMPLETE) + { + fprintf(stderr,"gss_delete_sec_context() error: %#x\n",major); + } + } + + major=gss_release_name(&minor,&gss_name); + if(major!=GSS_S_COMPLETE) + { + fprintf(stderr,"gss_release_name() error: %#x\n",major); + } + } + + free(gss_buffer.value); + } + return token; +} diff -urNad proxychains-3.1~/proxychains/negotiate.h proxychains-3.1/proxychains/negotiate.h --- proxychains-3.1~/proxychains/negotiate.h 1970-01-01 03:00:00.000000000 +0300 +++ proxychains-3.1/proxychains/negotiate.h 2009-11-05 17:41:45.553781550 +0300 @@ -0,0 +1,22 @@ +/*************************************************************************** + negotiate.h - description + ------------------- + begin : Fri Mar 13 2009 + copyright : Blake-R (C) 2009 + email : blake-r@mail.ru + ***************************************************************************/ +/* GPL */ +/*************************************************************************** + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + * * + ***************************************************************************/ +#ifndef NEGOTIATE_H +#define NEGOTIATE_H + +char * getNegotiateToken(const char *service,const char *server); + +#endif//NEGOTIATE_H diff -urNad proxychains-3.1~/proxychains/proxychains.conf proxychains-3.1/proxychains/proxychains.conf --- proxychains-3.1~/proxychains/proxychains.conf 2009-05-15 13:07:55.000000000 +0400 +++ proxychains-3.1/proxychains/proxychains.conf 2009-11-05 17:43:44.874784169 +0300 @@ -35,7 +35,7 @@ #quiet_mode # Proxy DNS requests - no leak for DNS data -proxy_dns +#proxy_dns # Some timeouts in milliseconds tcp_read_time_out 15000 
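Review bot: getNegotiateToken() passes `GSS_C_DELEG_FLAG` as the req_flags argument of gss_init_sec_context(), which requests delegation of the user's credentials to whichever host the config names as proxy; a proxy only needs to authenticate the client, so the argument should be `0` unless delegation is made an explicit opt-in. The output token is never released: add `gss_release_buffer(&minor,&gss_output_token);` after the base64_encode() call and on the error path. `gss_buffer.length` is set to strlen(service)+strlen(server)+2, which counts the terminating NUL as part of the name; setting `gss_buffer.length=strlen(gss_buffer.value);` after the sprintf is the conventional form. A GSS_S_CONTINUE_NEEDED result is reported as an error and its token discarded, which is worth a comment since a single round trip is assumed here.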
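Review bot: Commenting out `proxy_dns` in the packaged proxychains.conf turns off proxied name resolution for every user of the patched build, so host names requested by proxied programs go to the local resolver, which is the leak the comment directly above the option describes. If the option has to be off because getAddress() goes through the hooked getaddrinfo(), that reason should be stated next to it, e.g. `# disabled: proxy host name is resolved locally by getAddress()`. Otherwise keep `proxy_dns` enabled in the default file and leave the override to the site-local config.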
@@ -56,10 +56,12 @@ # # proxy types: http, socks4, socks5 # ( auth types supported: "basic"-http "user/pass"-socks ) +# ( for http there are new support of special user names: +# auth:basic <base64 string in form: username:password> - base64-encoded user name and password +# auth:negotiate - negotiated token authentication ) # [ProxyList] # add proxy here ... # meanwile # defaults set to "tor" -socks4 127.0.0.1 9050 - +http proxy 4080 auth:negotiate </code>
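Review bot: The default ProxyList entry changes from `socks4 127.0.0.1 9050` to the site-specific `http proxy 4080 auth:negotiate`, which belongs in a local config rather than in the packaged default. The new comment for `auth:basic` should also say that the base64 string is only an encoding of `username:password`, so the file needs the same restricted read permissions as one holding a plain-text password; suggested wording: `# note: base64 is not encryption; restrict read access to this file`.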

soft/proxychains/podderzhka_proxy-negotiate_avtorizacii.txt · Последние изменения: 16.11.2009 17:26 (внешнее изменение)
