
Поддержка Proxy-Negotiate авторизации

Прекрасная утилита ProxyChains для проксирования программ, даже если те не поддерживают настройки прокси-сервера. Для работы внутри организации мне показалось целесообразным добавить в неё авторизацию Negotiate через GSS API.

Версии: Ubuntu 9.10 Karmic Koala, proxychains 3.1.

Использование

После наложения патча на исходные тексты появляется возможность указывать в поле имени пользователя в proxychains.conf специальные значения (патч обрабатывает их только для прокси типа http):

  • auth:negotiate - без пароля, будет использована Negotiate авторизация через GSSAPI с учётными данными по умолчанию, то есть нужен действующий билет Kerberos в кэше (например, полученный через kinit). Имя хоста прокси из строки конфигурации используется как хост сервис-принципала HTTP@&lt;host&gt;, поэтому оно должно совпадать с именем, на которое выписан принципал прокси (IP-адрес здесь не подойдёт);
  • auth:basic <base64_encoded_string> - вместо пароля готовая закодированная в base64 строка вида '<имя_пользователя>:<пароль>', которую можно получить следующим образом (обратите внимание: base64 — это кодирование, а не шифрование, пароль из такой строки восстанавливается тривиально, поэтому файл конфигурации должен быть доступен на чтение только владельцу):
    echo -n 'myuser:mypass' | base64

Патч

#! /bin/sh /usr/share/dpatch/dpatch-run
## auth-negotiate.dpatch by  <blake-r@it03.dm.itot.ru>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.

@DPATCH@
diff -urNad proxychains-3.1~/proxychains/Makefile.am proxychains-3.1/proxychains/Makefile.am
--- proxychains-3.1~/proxychains/Makefile.am    2009-05-15 13:07:55.000000000 +0400
+++ proxychains-3.1/proxychains/Makefile.am    2009-11-05 18:03:31.689779317 +0300
@@ -1,6 +1,6 @@
 SUBDIRS = docs

-EXTRA_DIST = proxychains.conf core.c core.h libproxychains.c
+EXTRA_DIST = proxychains.conf core.c core.h libproxychains.c additions.c additions.h negotiate.c negotiate.h

 sysconf_DATA=$(srcdir)/proxychains.conf

@@ -22,10 +22,10 @@

 #proxychains_LDFLAGS = $(all_libraries)
 lib_LTLIBRARIES = libproxychains.la
-libproxychains_la_LDFLAGS = -version-info 3:0:0 $(all_libraries)
+libproxychains_la_LDFLAGS = -version-info 3:0:0 $(all_libraries) -lgssapi_krb5
 libproxychains_la_LIBADD= -ldl
 noinst_HEADERS = core.h
-libproxychains_la_SOURCES= libproxychains.c core.c
+libproxychains_la_SOURCES= libproxychains.c core.c additions.c negotiate.c
 libproxychains_la_METASOURCES = USE_AUTOMOC


diff -urNad proxychains-3.1~/proxychains/Makefile.in proxychains-3.1/proxychains/Makefile.in
--- proxychains-3.1~/proxychains/Makefile.in    2009-05-15 13:07:55.000000000 +0400
+++ proxychains-3.1/proxychains/Makefile.in    2009-11-05 18:01:57.917780706 +0300
@@ -91,7 +91,7 @@

 SUBDIRS = docs

-EXTRA_DIST = proxychains.conf core.c core.h libproxychains.c
+EXTRA_DIST = proxychains.conf core.c core.h libproxychains.c additions.c additions.h negotiate.c negotiate.h

 sysconf_DATA = $(srcdir)/proxychains.conf

@@ -104,10 +104,10 @@

 #proxychains_LDFLAGS = $(all_libraries)
 lib_LTLIBRARIES = libproxychains.la
-libproxychains_la_LDFLAGS = -version-info 3:0:0 $(all_libraries)
+libproxychains_la_LDFLAGS = -version-info 3:0:0 $(all_libraries) -lgssapi_krb5
 libproxychains_la_LIBADD = -ldl
 noinst_HEADERS = core.h
-libproxychains_la_SOURCES = libproxychains.c core.c
+libproxychains_la_SOURCES = libproxychains.c core.c additions.c negotiate.c
 libproxychains_la_METASOURCES = USE_AUTOMOC
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = ../config.h
@@ -120,7 +120,7 @@
 LDFLAGS = @LDFLAGS@
 LIBS = @LIBS@
 libproxychains_la_DEPENDENCIES =
-libproxychains_la_OBJECTS =  libproxychains.lo core.lo
+libproxychains_la_OBJECTS =  libproxychains.lo core.lo additions.lo negotiate.lo
 CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -137,7 +137,7 @@

 TAR = tar
 GZIP_ENV = --best
-DEP_FILES =  .deps/core.P .deps/libproxychains.P
+DEP_FILES =  .deps/core.P .deps/libproxychains.P .deps/additions.P .deps/negotiate.P
 SOURCES = $(libproxychains_la_SOURCES)
 OBJECTS = $(libproxychains_la_OBJECTS)

diff -urNad proxychains-3.1~/proxychains/additions.c proxychains-3.1/proxychains/additions.c
--- proxychains-3.1~/proxychains/additions.c    1970-01-01 03:00:00.000000000 +0300
+++ proxychains-3.1/proxychains/additions.c    2009-11-05 17:41:51.409780806 +0300
@@ -0,0 +1,55 @@
+/***************************************************************************
+              additions.c  -  description
+                 -------------------
+    begin        : Fri Mar 13 2009
+    copyright      :  Blake-R (C) 2009
+    email         : blake-r@mail.ru
+ ***************************************************************************/
+/*     GPL */
+/***************************************************************************
+ *                                     *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                   *
+ *                                     *
+ ***************************************************************************/
+#include <memory.h>
+#include <stdio.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <arpa/inet.h>
+#include "additions.h"
+
+unsigned int getAddress(const char *host)
+{
+    unsigned int ip=0;
+    int errcode;
+    struct addrinfo hints,*res=NULL;
+    memset(&hints,0,sizeof(hints));
+    hints.ai_family=AF_INET;
+    hints.ai_socktype=SOCK_STREAM;
+    hints.ai_protocol=IPPROTO_TCP;
+
+    errcode=getaddrinfo(host,NULL,&hints,&res);
+    if(errcode)
+    {
+        fprintf(stderr,"getaddrinfo(\"%s\") error: %s (%#x)\n",host,gai_strerror(errcode),errcode);
+    }
+    else
+    {
+        struct addrinfo *cur=res;
+        while(cur&&!ip)
+        {
+            ip=((struct sockaddr_in *)cur->ai_addr)->sin_addr.s_addr;
+            cur=cur->ai_next;
+        }
+        freeaddrinfo(res);
+    }
+
+    if(!ip)
+    {
+        ip=inet_addr(host);
+    }
+    return ip;
+}
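Review bot: `getAddress()` has no way to report failure: when `getaddrinfo()` fails or yields only `0.0.0.0`, it falls through to `inet_addr(host)`, whose `INADDR_NONE` result is returned as if it were an address, so the caller stores a bogus proxy IP and only finds out at connect time. Document that contract on the definition, e.g. `/* Resolve host (IPv4 only) to a network-order address; returns INADDR_NONE when neither getaddrinfo() nor inet_addr() succeeds. Diagnostics are printed to stderr unconditionally. */`, or better return a status and pass the address out through a parameter. The cast of `cur->ai_addr` to `struct sockaddr_in` is only safe because `hints.ai_family` is `AF_INET`; a one-line comment saying so would stop someone from relaxing the hint later without adjusting the loop.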
diff -urNad proxychains-3.1~/proxychains/additions.h proxychains-3.1/proxychains/additions.h
--- proxychains-3.1~/proxychains/additions.h    1970-01-01 03:00:00.000000000 +0300
+++ proxychains-3.1/proxychains/additions.h    2009-11-05 17:41:51.409780806 +0300
@@ -0,0 +1,22 @@
+/***************************************************************************
+              additions.h  -  description
+                 -------------------
+    begin        : Fri Mar 13 2009
+    copyright      :  Blake-R (C) 2009
+    email         : blake-r@mail.ru
+ ***************************************************************************/
+/*     GPL */
+/***************************************************************************
+ *                                     *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                   *
+ *                                     *
+ ***************************************************************************/
+#ifndef __ADDITIONS_H__
+#define __ADDITIONS_H__
+
+unsigned int getAddress(const char *host);
+
+#endif//__ADDITIONS_H__
diff -urNad proxychains-3.1~/proxychains/core.c proxychains-3.1/proxychains/core.c
--- proxychains-3.1~/proxychains/core.c    2009-05-15 13:07:55.000000000 +0400
+++ proxychains-3.1/proxychains/core.c    2009-11-05 18:04:14.253779926 +0300
@@ -36,6 +36,7 @@
 #include <time.h>
 #include <stdarg.h>
 #include "core.h"
+#include "negotiate.h"

 extern int tcp_read_time_out;
 extern int tcp_connect_time_out;
@@ -203,14 +204,41 @@
                     ntohs(port));
                        if (user[0])
                         {
-                    char src[256];
-                         char dst[512];
-                    strcpy(src,user);
-                    strcat(src,":");
-                    strcat(src,pass);
-                    encode_base_64(src,dst,512);
-                    strcat(buff,"Proxy-Authorization: Basic ");
-                    strcat(buff,dst);
+                    if(user)
+                    {
+                        if(!strcasecmp("auth:negotiate",user))
+                        {
+                            char *negotiateToken;
+                            strcat(buff,"Proxy-Authorization: Negotiate ");
+                            negotiateToken=getNegotiateToken("HTTP",pass);
+                            if(negotiateToken)
+                            {
+                                strcat(buff,negotiateToken);
+                                free(negotiateToken);
+                            }
+                        }
+                        else
+                        {
+                            strcat(buff,"Proxy-Authorization: Basic ");
+                            if (!strcasecmp("auth:basic",user))
+                            {
+                                strcat(buff,pass);
+                            }
+                            else
+                            {
+                                char src[256];
+                                char dst[512];
+                                if(pass)
+                                {
+                                    strcpy(src,user);
+                                    strcat(src,":");
+                                    strcat(src,pass);
+                                    encode_base_64(src,dst,512);
+                                    strcat(buff,dst);
+                                }
+                            }
+                        }
+                    }
                     strcat(buff,"\r\n\r\n");
                 }
                     else
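Review bot: When `getNegotiateToken("HTTP",pass)` returns NULL, the `Proxy-Authorization: Negotiate ` prefix has already been appended to `buff`, so the request goes out with an empty credential instead of failing or falling back; append the header only inside `if(negotiateToken)` (`strcat(buff,"Proxy-Authorization: Negotiate "); strcat(buff,negotiateToken);`), and the `auth:basic` branch has the same shape when `pass` is empty. The `if(user)` guard is dead code: `user[0]` was already dereferenced in the enclosing `if (user[0])`, so a NULL would have crashed before reaching it. `buff`, `user` and `pass` are declared outside the hunk; the unbounded `strcat` into `buff` and into the 256-byte `src` is inherited from the original, but `auth:basic` now appends a config-supplied base64 string of unknown length, so a bounded `snprintf` against `sizeof` of the buffer is worth adding here. The enclosing function starts and ends outside the hunk.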
diff -urNad proxychains-3.1~/proxychains/libproxychains.c proxychains-3.1/proxychains/libproxychains.c
--- proxychains-3.1~/proxychains/libproxychains.c    2009-05-15 13:07:55.000000000 +0400
+++ proxychains-3.1/proxychains/libproxychains.c    2009-11-05 17:52:02.877779803 +0300
@@ -34,6 +34,7 @@


 #include "core.h"
+#include "additions.h"

 #define     satosin(x)      ((struct sockaddr_in *) &(x))
 #define     SOCKADDR(x)     (satosin(x)->sin_addr.s_addr)
@@ -174,10 +175,16 @@
                 port_n=0;
                 sscanf(buff,"%s %s %d %s %s", type,host,&port_n,
                     pd[count].user,pd[count].pass);
-                pd[count].ip=inet_addr(host);
+                proxychains_got_chain_data=1; // Temporary set got_chain_data flag to 1, otherwise getAddress() give infinity loop.
+                pd[count].ip=getAddress(host);
+                proxychains_got_chain_data=0; // Data not got yet, revert got_chain_data flag.
                 pd[count].port=htons((unsigned short)port_n);
                 if(!strcmp(type,"http")) {
                     pd[count].pt=HTTP_TYPE;
+                    if(!strcasecmp("auth:negotiate",pd[count].user)){
+                        // Copy host to pass for negotiate host name parameter.
+                        strcpy(pd[count].pass,host);
+                    }
                 }else if(!strcmp(type,"socks4")) {
                     pd[count].pt=SOCKS4_TYPE;
                 }else if(!strcmp(type,"socks5")) {
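Review bot: `strcpy(pd[count].pass,host)` copies a token that `sscanf` read with an unbounded `%s` into the fixed-size `pass` member; `host` and `pd[count].pass` are declared outside the hunk, and if `host` is the larger buffer a long hostname in proxychains.conf overruns `pass` — use `snprintf(pd[count].pass,sizeof pd[count].pass,"%s",host);` (the pre-existing `%s` conversions into `user`/`pass` deserve the same width limits). Flipping `proxychains_got_chain_data` around `getAddress()` is a workaround for the library's own resolver hooks, as the comment says; it should also state the consequence, that the proxy hostname of every entry is presumably resolved through the system resolver at load time, outside the chain, so the proxy's name must be resolvable locally. The enclosing function starts and ends outside the hunk.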
diff -urNad proxychains-3.1~/proxychains/negotiate.c proxychains-3.1/proxychains/negotiate.c
--- proxychains-3.1~/proxychains/negotiate.c    1970-01-01 03:00:00.000000000 +0300
+++ proxychains-3.1/proxychains/negotiate.c    2009-11-05 17:41:45.553781550 +0300
@@ -0,0 +1,165 @@
+/***************************************************************************
+              negotiate.c  -  description
+                 -------------------
+    begin        : Fri Mar 13 2009
+    copyright      :  Blake-R (C) 2009
+    email         : blake-r@mail.ru
+ ***************************************************************************/
+/*     GPL */
+/***************************************************************************
+ *                                     *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                   *
+ *                                     *
+ ***************************************************************************/
+#include <stdio.h>
+#include <malloc.h>
+#include <string.h>
+#include <gssapi/gssapi.h>
+#include "negotiate.h"
+
+/* ---- Base64 Encoding/Decoding Table --- */
+static const char table64[]=
+  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+size_t base64_encode(const char *inp, size_t insize, char **outptr)
+{
+  unsigned char ibuf[3];
+  unsigned char obuf[4];
+  int i;
+  int inputparts;
+  char *output;
+  char *base64data;
+
+  char *indata = (char *)inp;
+
+  *outptr = NULL; /* set to NULL in case of failure before we reach the end */
+
+  if(0 == insize)
+    insize = strlen(indata);
+
+  base64data = output = (char*)malloc(insize*4/3+4);
+  if(NULL == output)
+    return 0;
+
+  while(insize > 0) {
+    for (i = inputparts = 0; i < 3; i++) {
+      if(insize > 0) {
+        inputparts++;
+        ibuf[i] = *indata;
+        indata++;
+        insize--;
+      }
+      else
+        ibuf[i] = 0;
+    }
+
+    obuf[0] = (unsigned char)  ((ibuf[0] & 0xFC) >> 2);
+    obuf[1] = (unsigned char) (((ibuf[0] & 0x03) << 4) | \
+                               ((ibuf[1] & 0xF0) >> 4));
+    obuf[2] = (unsigned char) (((ibuf[1] & 0x0F) << 2) | \
+                               ((ibuf[2] & 0xC0) >> 6));
+    obuf[3] = (unsigned char)   (ibuf[2] & 0x3F);
+
+    switch(inputparts) {
+    case 1: /* only one byte read */
+      snprintf(output, 5, "%c%c==",
+               table64[obuf[0]],
+               table64[obuf[1]]);
+      break;
+    case 2: /* two bytes read */
+      snprintf(output, 5, "%c%c%c=",
+               table64[obuf[0]],
+               table64[obuf[1]],
+               table64[obuf[2]]);
+      break;
+    default:
+      snprintf(output, 5, "%c%c%c%c",
+               table64[obuf[0]],
+               table64[obuf[1]],
+               table64[obuf[2]],
+               table64[obuf[3]] );
+      break;
+    }
+    output += 4;
+  }
+  *output=0;
+  *outptr = base64data; /* make it return the actual data memory */
+
+  return strlen(base64data); /* return the length of the new data */
+}
+/* ---- End of Base64 Encoding ---- */
+
+char * getNegotiateToken(const char *service,const char *server)
+{
+    char *token=NULL;
+    OM_uint32 major,minor;
+    gss_buffer_desc gss_buffer;
+    gss_name_t gss_name;
+    gss_ctx_id_t gss_context=GSS_C_NO_CONTEXT;
+    gss_buffer_desc gss_input_token=GSS_C_EMPTY_BUFFER;
+    gss_buffer_desc gss_output_token=GSS_C_EMPTY_BUFFER;
+
+    if(!service||!server)
+    {
+        fprintf(stderr,"Service and server values cannot be NULL!\n");
+        return NULL;
+    }
+
+    gss_buffer.length=strlen(service)+strlen(server)+2;
+    gss_buffer.value=malloc(gss_buffer.length);
+    if(!gss_buffer.value)
+    {
+        fprintf(stderr,"malloc() failed\n");
+    }
+    else
+    {
+        sprintf(gss_buffer.value,"%s@%s",service,server);
+
+        major=gss_import_name(&minor,&gss_buffer,GSS_C_NT_HOSTBASED_SERVICE,&gss_name);
+        if(major!=GSS_S_COMPLETE)
+        {
+            fprintf(stderr,"gss_import_name() error: %#x\n",major);
+        }
+        else
+        {
+            major=gss_init_sec_context(&minor,
+                GSS_C_NO_CREDENTIAL,&gss_context,gss_name,GSS_C_NO_OID,
+                GSS_C_DELEG_FLAG,0,GSS_C_NO_CHANNEL_BINDINGS,
+                &gss_input_token,NULL,&gss_output_token,NULL,NULL);
+            if(major!=GSS_S_COMPLETE)
+            {
+                fprintf(stderr,"gss_init_sec_context() error: %#x\n",major);
+            }
+            else
+            {
+                if(gss_output_token.length==0)
+                {
+                    fprintf(stderr,"Token don't need to be send.");
+                }
+                else
+                {
+                    // TODO: Need to make SPNEGO token (spnegohelp)
+                    base64_encode(gss_output_token.value,gss_output_token.length,&token);
+                }
+
+                major=gss_delete_sec_context(&minor,&gss_context,GSS_C_NO_BUFFER);
+                if(major!=GSS_S_COMPLETE)
+                {
+                    fprintf(stderr,"gss_delete_sec_context() error: %#x\n",major);
+                }
+            }
+
+            major=gss_release_name(&minor,&gss_name);
+            if(major!=GSS_S_COMPLETE)
+            {
+                fprintf(stderr,"gss_release_name() error: %#x\n",major);
+            }
+        }
+
+        free(gss_buffer.value);
+    }
+    return token;
+}
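Review bot: `GSS_C_DELEG_FLAG` in the `gss_init_sec_context()` call asks for the user's Kerberos credentials to be delegated to the proxy, which hands an HTTP proxy that only needs to authenticate the client a forwardable TGT it could use to impersonate the user against other services; nothing in the patch uses delegation, so the flag should be 0. The result check then rejects `GSS_S_CONTINUE_NEEDED`, which is the expected first-leg status once a real SPNEGO token is produced (the `TODO` admits the current token is a raw Kerberos one; passing the SPNEGO mechanism OID instead of `GSS_C_NO_OID` would let libgssapi_krb5 wrap it, if the installed MIT krb5 ships SPNEGO — verify), so the token must still be sent in that case. `gss_output_token` is never released with `gss_release_buffer()`, leaking one token per connection, and every error message drops `minor`, which is where the Kerberos reason (no ticket, clock skew, unknown SPN) is reported. The rewritten middle of `getNegotiateToken()` is below.
```c
            major=gss_init_sec_context(&minor,
                GSS_C_NO_CREDENTIAL,&gss_context,gss_name,GSS_C_NO_OID,
                0, /* no GSS_C_DELEG_FLAG: the proxy must not receive a forwardable TGT */
                0,GSS_C_NO_CHANNEL_BINDINGS,
                &gss_input_token,NULL,&gss_output_token,NULL,NULL);
            if(major!=GSS_S_COMPLETE&&major!=GSS_S_CONTINUE_NEEDED)
            {
                fprintf(stderr,"gss_init_sec_context() error: major %#x minor %#x\n",major,minor);
            }
            else
            {
                if(gss_output_token.length==0)
                {
                    fprintf(stderr,"Token don't need to be send.");
                }
                else
                {
                    base64_encode(gss_output_token.value,gss_output_token.length,&token);
                }
                gss_release_buffer(&minor,&gss_output_token);
                /* ... unchanged: gss_delete_sec_context() and its error report ... */
            }
```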
diff -urNad proxychains-3.1~/proxychains/negotiate.h proxychains-3.1/proxychains/negotiate.h
--- proxychains-3.1~/proxychains/negotiate.h    1970-01-01 03:00:00.000000000 +0300
+++ proxychains-3.1/proxychains/negotiate.h    2009-11-05 17:41:45.553781550 +0300
@@ -0,0 +1,22 @@
+/***************************************************************************
+              negotiate.h  -  description
+                 -------------------
+    begin        : Fri Mar 13 2009
+    copyright      :  Blake-R (C) 2009
+    email         : blake-r@mail.ru
+ ***************************************************************************/
+/*     GPL */
+/***************************************************************************
+ *                                     *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                   *
+ *                                     *
+ ***************************************************************************/
+#ifndef NEGOTIATE_H
+#define NEGOTIATE_H
+
+char * getNegotiateToken(const char *service,const char *server);
+
+#endif//NEGOTIATE_H
diff -urNad proxychains-3.1~/proxychains/proxychains.conf proxychains-3.1/proxychains/proxychains.conf
--- proxychains-3.1~/proxychains/proxychains.conf    2009-05-15 13:07:55.000000000 +0400
+++ proxychains-3.1/proxychains/proxychains.conf    2009-11-05 17:43:44.874784169 +0300
@@ -35,7 +35,7 @@
 #quiet_mode

 # Proxy DNS requests - no leak for DNS data
-proxy_dns
+#proxy_dns

 # Some timeouts in milliseconds
 tcp_read_time_out 15000
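Review bot: Commenting out `proxy_dns` changes the shipped default from proxying DNS to resolving target names locally, which the comment directly above describes as the DNS-leak protection; every user of the patched package silently loses that protection, not only those using Negotiate. If the change is needed because the proxy's own hostname cannot be resolved through the chain while `proxy_dns` is on (the loader already toggles `proxychains_got_chain_data` around that lookup), that is a loader limitation to fix or to document next to the option, e.g. `# proxy_dns is disabled here because the proxy hostname of an auth:negotiate entry is resolved locally at startup`, rather than a reason to turn it off for everyone.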
@@ -56,10 +56,12 @@
 #
 #       proxy types: http, socks4, socks5
 #        ( auth types supported: "basic"-http  "user/pass"-socks )
+#        ( for http there are new support of special user names:
+#            auth:basic <base64 string in form: username:password>    - base64-encoded user name and password
+#            auth:negotiate                        - negotiated token authentication )
 #
 [ProxyList]
 # add proxy here ...
 # meanwile
 # defaults set to "tor"
-socks4     127.0.0.1 9050
-
+http    proxy    4080    auth:negotiate
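Review bot: The `auth:negotiate` description should say that the hostname on the proxy line is also what the Kerberos service principal is built from (the loader copies it into `pass`, and negotiate.c imports `HTTP@<host>`), so it must be the name the proxy's `HTTP/` principal is registered under — an IP address, and possibly an alias, will yield a token the proxy cannot accept. Suggest `#            auth:negotiate   - Kerberos/GSSAPI token; host must be the proxy's principal name (HTTP/host); obtain a ticket with kinit first`. The `auth:basic` value is reversible base64, not a hash, so the config file needs the same protection as a plaintext password; a sentence saying so belongs next to it.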
