1 /* $NetBSD: auth.c,v 1.21 2012/03/21 05:33:27 matt Exp $ */
2
3 /*-
4 * Copyright (c) 1991, 1993
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include <sys/cdefs.h>
33 #ifndef lint
34 #if 0
35 static char sccsid[] = "@(#)auth.c 8.3 (Berkeley) 5/30/95"
36 #else
37 __RCSID("$NetBSD: auth.c,v 1.21 2012/03/21 05:33:27 matt Exp $");
38 #endif
39 #endif /* not lint */
40
41 /*
42 * Copyright (C) 1990 by the Massachusetts Institute of Technology
43 *
44 * Export of this software from the United States of America is assumed
45 * to require a specific license from the United States Government.
46 * It is the responsibility of any person or organization contemplating
47 * export to obtain such a license before exporting.
48 *
49 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
50 * distribute this software and its documentation for any purpose and
51 * without fee is hereby granted, provided that the above copyright
52 * notice appear in all copies and that both that copyright notice and
53 * this permission notice appear in supporting documentation, and that
54 * the name of M.I.T. not be used in advertising or publicity pertaining
55 * to distribution of the software without specific, written prior
56 * permission. M.I.T. makes no representations about the suitability of
57 * this software for any purpose. It is provided "as is" without express
58 * or implied warranty.
59 */
60
61
62 #ifdef AUTHENTICATION
63 #include <stdio.h>
64 #include <sys/types.h>
65 #include <signal.h>
66 #define AUTH_NAMES
67 #include <arpa/telnet.h>
68 #include <stdlib.h>
69 #include <unistd.h>
70 #ifdef NO_STRING_H
71 #include <strings.h>
72 #else
73 #include <string.h>
74 #endif
75
76 #include "encrypt.h"
77 #include "auth.h"
78 #include "misc-proto.h"
79 #include "auth-proto.h"
80
81 #define typemask(x) (1<<((x)-1))
82
83 #ifdef RSA_ENCPWD
84 extern rsaencpwd_init();
85 extern rsaencpwd_send();
86 extern rsaencpwd_is();
87 extern rsaencpwd_reply();
88 extern rsaencpwd_status();
89 extern rsaencpwd_printsub();
90 #endif
91
92 int auth_debug_mode = 0;
93 static const char *Name = "Noname";
94 static int Server = 0;
95 static Authenticator *authenticated = 0;
96 static int authenticating = 0;
97 static int validuser = 0;
98 static unsigned char _auth_send_data[256];
99 static unsigned char *auth_send_data;
100 static int auth_send_cnt = 0;
101
102 static void auth_intr(int);
103
104 /*
105 * Authentication types supported. Plese note that these are stored
106 * in priority order, i.e. try the first one first.
107 */
108 Authenticator authenticators[] = {
109 #ifdef SPX
110 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
111 spx_init,
112 spx_send,
113 spx_is,
114 spx_reply,
115 spx_status,
116 spx_printsub },
117 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
118 spx_init,
119 spx_send,
120 spx_is,
121 spx_reply,
122 spx_status,
123 spx_printsub },
124 #endif
125 #ifdef KRB5
126 # ifdef ENCRYPTION
127 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
128 kerberos5_init,
129 kerberos5_send,
130 kerberos5_is,
131 kerberos5_reply,
132 kerberos5_status,
133 kerberos5_printsub },
134 # endif /* ENCRYPTION */
135 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
136 kerberos5_init,
137 kerberos5_send,
138 kerberos5_is,
139 kerberos5_reply,
140 kerberos5_status,
141 kerberos5_printsub },
142 #endif
143 #ifdef RSA_ENCPWD
144 { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
145 rsaencpwd_init,
146 rsaencpwd_send,
147 rsaencpwd_is,
148 rsaencpwd_reply,
149 rsaencpwd_status,
150 rsaencpwd_printsub },
151 #endif
152 #ifdef SRA
153 { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
154 sra_init,
155 sra_send,
156 sra_is,
157 sra_reply,
158 sra_status,
159 sra_printsub },
160
161 #endif
162 { 0, 0, 0, 0, 0, 0, 0, 0 },
163 };
164
165 static Authenticator NoAuth = { .type = 0 };
166
167 static int i_support = 0;
168 static int i_wont_support = 0;
169
170 Authenticator *
findauthenticator(int type,int way)171 findauthenticator(int type, int way)
172 {
173 Authenticator *ap = authenticators;
174
175 while (ap->type && (ap->type != type || ap->way != way))
176 ++ap;
177 return(ap->type ? ap : 0);
178 }
179
180 void
auth_init(const char * name,int server)181 auth_init(const char *name, int server)
182 {
183 Authenticator *ap = authenticators;
184
185 Server = server;
186 Name = name;
187
188 i_support = 0;
189 authenticated = 0;
190 authenticating = 0;
191 while (ap->type) {
192 if (!ap->init || (*ap->init)(ap, server)) {
193 i_support |= typemask(ap->type);
194 if (auth_debug_mode)
195 printf(">>>%s: I support auth type %d %d\r\n",
196 Name,
197 ap->type, ap->way);
198 }
199 else if (auth_debug_mode)
200 printf(">>>%s: Init failed: auth type %d %d\r\n",
201 Name, ap->type, ap->way);
202 ++ap;
203 }
204 }
205
206 void
auth_disable_name(char * name)207 auth_disable_name(char *name)
208 {
209 int x;
210 for (x = 0; x < AUTHTYPE_CNT; ++x) {
211 if (AUTHTYPE_NAME(x) && !strcasecmp(name, AUTHTYPE_NAME(x))) {
212 i_wont_support |= typemask(x);
213 break;
214 }
215 }
216 }
217
218 int
getauthmask(char * type,int * maskp)219 getauthmask(char *type, int *maskp)
220 {
221 register int x;
222
223 if (AUTHTYPE_NAME(0) && !strcasecmp(type, AUTHTYPE_NAME(0))) {
224 *maskp = -1;
225 return(1);
226 }
227
228 for (x = 1; x < AUTHTYPE_CNT; ++x) {
229 if (AUTHTYPE_NAME(x) && !strcasecmp(type, AUTHTYPE_NAME(x))) {
230 *maskp = typemask(x);
231 return(1);
232 }
233 }
234 return(0);
235 }
236
237 int
auth_enable(char * type)238 auth_enable(char *type)
239 {
240 return(auth_onoff(type, 1));
241 }
242
243 int
auth_disable(char * type)244 auth_disable(char *type)
245 {
246 return(auth_onoff(type, 0));
247 }
248
249 int
auth_onoff(char * type,int on)250 auth_onoff(char *type, int on)
251 {
252 int i, mask = -1;
253 Authenticator *ap;
254
255 if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
256 printf("auth %s 'type'\n", on ? "enable" : "disable");
257 printf("Where 'type' is one of:\n");
258 printf("\t%s\n", AUTHTYPE_NAME(0));
259 mask = 0;
260 for (ap = authenticators; ap->type; ap++) {
261 if ((mask & (i = typemask(ap->type))) != 0)
262 continue;
263 mask |= i;
264 printf("\t%s\n", AUTHTYPE_NAME(ap->type));
265 }
266 return(0);
267 }
268
269 if (!getauthmask(type, &mask)) {
270 printf("%s: invalid authentication type\n", type);
271 return(0);
272 }
273 if (on)
274 i_wont_support &= ~mask;
275 else
276 i_wont_support |= mask;
277 return(1);
278 }
279
280 int
auth_togdebug(int on)281 auth_togdebug(int on)
282 {
283 if (on < 0)
284 auth_debug_mode ^= 1;
285 else
286 auth_debug_mode = on;
287 printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
288 return(1);
289 }
290
291 int
auth_status(char * s)292 auth_status(char *s)
293 {
294 Authenticator *ap;
295 int i, mask;
296
297 if (i_wont_support == -1)
298 printf("Authentication disabled\n");
299 else
300 printf("Authentication enabled\n");
301
302 mask = 0;
303 for (ap = authenticators; ap->type; ap++) {
304 if ((mask & (i = typemask(ap->type))) != 0)
305 continue;
306 mask |= i;
307 printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
308 (i_wont_support & typemask(ap->type)) ?
309 "disabled" : "enabled");
310 }
311 return(1);
312 }
313
314 /*
315 * This routine is called by the server to start authentication
316 * negotiation.
317 */
318 void
auth_request(void)319 auth_request(void)
320 {
321 static unsigned char str_request[64] = { IAC, SB,
322 TELOPT_AUTHENTICATION,
323 TELQUAL_SEND, };
324 Authenticator *ap = authenticators;
325 unsigned char *e = str_request + 4;
326
327 if (!authenticating) {
328 authenticating = 1;
329 while (ap->type) {
330 if (i_support & ~i_wont_support & typemask(ap->type)) {
331 if (auth_debug_mode) {
332 printf(">>>%s: Sending type %d %d\r\n",
333 Name, ap->type, ap->way);
334 }
335 *e++ = ap->type;
336 *e++ = ap->way;
337 }
338 ++ap;
339 }
340 *e++ = IAC;
341 *e++ = SE;
342 telnet_net_write(str_request, e - str_request);
343 printsub('>', &str_request[2], e - str_request - 2);
344 }
345 }
346
347 /*
348 * This is called when an AUTH SEND is received.
349 * It should never arrive on the server side (as only the server can
350 * send an AUTH SEND).
351 * You should probably respond to it if you can...
352 *
353 * If you want to respond to the types out of order (i.e. even
354 * if he sends LOGIN KERBEROS and you support both, you respond
355 * with KERBEROS instead of LOGIN (which is against what the
356 * protocol says)) you will have to hack this code...
357 */
358 void
auth_send(unsigned char * data,int cnt)359 auth_send(unsigned char *data, int cnt)
360 {
361 Authenticator *ap;
362 static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
363 TELQUAL_IS, AUTHTYPE_NULL, 0,
364 IAC, SE };
365 if (Server) {
366 if (auth_debug_mode) {
367 printf(">>>%s: auth_send called!\r\n", Name);
368 }
369 return;
370 }
371
372 if (auth_debug_mode) {
373 printf(">>>%s: auth_send got:", Name);
374 printd(data, cnt); printf("\r\n");
375 }
376
377 /*
378 * Save the data, if it is new, so that we can continue looking
379 * at it if the authorization we try doesn't work
380 */
381 if (data < _auth_send_data ||
382 data > _auth_send_data + sizeof(_auth_send_data)) {
383 auth_send_cnt = (size_t)cnt > sizeof(_auth_send_data)
384 ? sizeof(_auth_send_data)
385 : (size_t)cnt;
386 memmove(_auth_send_data, data, auth_send_cnt);
387 auth_send_data = _auth_send_data;
388 } else {
389 /*
390 * This is probably a no-op, but we just make sure
391 */
392 auth_send_data = data;
393 auth_send_cnt = cnt;
394 }
395 while ((auth_send_cnt -= 2) >= 0) {
396 if (auth_debug_mode)
397 printf(">>>%s: He supports %d\r\n",
398 Name, *auth_send_data);
399 if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
400 ap = findauthenticator(auth_send_data[0],
401 auth_send_data[1]);
402 if (ap && ap->send) {
403 if (auth_debug_mode)
404 printf(">>>%s: Trying %d %d\r\n",
405 Name, auth_send_data[0],
406 auth_send_data[1]);
407 if ((*ap->send)(ap)) {
408 /*
409 * Okay, we found one we like
410 * and did it.
411 * we can go home now.
412 */
413 if (auth_debug_mode)
414 printf(">>>%s: Using type %d\r\n",
415 Name, *auth_send_data);
416 auth_send_data += 2;
417 return;
418 }
419 }
420 /* else
421 * just continue on and look for the
422 * next one if we didn't do anything.
423 */
424 }
425 auth_send_data += 2;
426 }
427 telnet_net_write(str_none, sizeof(str_none));
428 printsub('>', &str_none[2], sizeof(str_none) - 2);
429 if (auth_debug_mode)
430 printf(">>>%s: Sent failure message\r\n", Name);
431 auth_finished(0, AUTH_REJECT);
432 #ifdef KANNAN
433 /*
434 * We requested strong authentication, however no mechanisms worked.
435 * Therefore, exit on client end.
436 */
437 printf("Unable to securely authenticate user ... exit\n");
438 exit(0);
439 #endif /* KANNAN */
440 }
441
442 void
auth_send_retry(void)443 auth_send_retry(void)
444 {
445 /*
446 * if auth_send_cnt <= 0 then auth_send will end up rejecting
447 * the authentication and informing the other side of this.
448 */
449 auth_send(auth_send_data, auth_send_cnt);
450 }
451
452 void
auth_is(unsigned char * data,int cnt)453 auth_is(unsigned char *data, int cnt)
454 {
455 Authenticator *ap;
456
457 if (cnt < 2)
458 return;
459
460 if (data[0] == AUTHTYPE_NULL) {
461 auth_finished(0, AUTH_REJECT);
462 return;
463 }
464
465 if ((ap = findauthenticator(data[0], data[1])) != NULL) {
466 if (ap->is)
467 (*ap->is)(ap, data+2, cnt-2);
468 } else if (auth_debug_mode)
469 printf(">>>%s: Invalid authentication in IS: %d\r\n",
470 Name, *data);
471 }
472
473 void
auth_reply(unsigned char * data,int cnt)474 auth_reply(unsigned char *data, int cnt)
475 {
476 Authenticator *ap;
477
478 if (cnt < 2)
479 return;
480
481 if ((ap = findauthenticator(data[0], data[1])) != NULL) {
482 if (ap->reply)
483 (*ap->reply)(ap, data+2, cnt-2);
484 } else if (auth_debug_mode)
485 printf(">>>%s: Invalid authentication in SEND: %d\r\n",
486 Name, *data);
487 }
488
489 void
auth_name(unsigned char * data,int cnt)490 auth_name(unsigned char *data, int cnt)
491 {
492 unsigned char savename[256];
493
494 if (cnt < 1) {
495 if (auth_debug_mode)
496 printf(">>>%s: Empty name in NAME\r\n", Name);
497 return;
498 }
499 if ((size_t)cnt > sizeof(savename) - 1) {
500 if (auth_debug_mode)
501 printf(">>>%s: Name in NAME (%d) exceeds %ld length\r\n",
502 Name, cnt, (long)sizeof(savename)-1);
503 return;
504 }
505 memmove((void *)savename, (void *)data, cnt);
506 savename[cnt] = '\0'; /* Null terminate */
507 if (auth_debug_mode)
508 printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
509 auth_encrypt_user(savename);
510 }
511
512 int
auth_sendname(unsigned char * cp,int len)513 auth_sendname(unsigned char *cp, int len)
514 {
515 static unsigned char str_request[256+6]
516 = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
517 register unsigned char *e = str_request + 4;
518 register unsigned char *ee = &str_request[sizeof(str_request)-2];
519
520 while (--len >= 0) {
521 if ((*e++ = *cp++) == IAC)
522 *e++ = IAC;
523 if (e >= ee)
524 return(0);
525 }
526 *e++ = IAC;
527 *e++ = SE;
528 telnet_net_write(str_request, e - str_request);
529 printsub('>', &str_request[2], e - &str_request[2]);
530 return(1);
531 }
532
533 void
auth_finished(Authenticator * ap,int result)534 auth_finished(Authenticator *ap, int result)
535 {
536 if (!(authenticated = ap))
537 authenticated = &NoAuth;
538 validuser = result;
539 }
540
541 /* ARGSUSED */
542 static void
auth_intr(int sig)543 auth_intr(int sig)
544 {
545 auth_finished(0, AUTH_REJECT);
546 }
547
548 int
auth_wait(char * name,size_t l)549 auth_wait(char *name, size_t l)
550 {
551 if (auth_debug_mode)
552 printf(">>>%s: in auth_wait.\r\n", Name);
553
554 if (Server && !authenticating)
555 return(0);
556
557 (void) signal(SIGALRM, auth_intr);
558 alarm(30);
559 while (!authenticated)
560 if (telnet_spin())
561 break;
562 alarm(0);
563 (void) signal(SIGALRM, SIG_DFL);
564
565 /*
566 * Now check to see if the user is valid or not
567 */
568 if (!authenticated || authenticated == &NoAuth)
569 return(AUTH_REJECT);
570
571 if (validuser == AUTH_VALID)
572 validuser = AUTH_USER;
573
574 if (authenticated->status)
575 validuser = (*authenticated->status)(authenticated,
576 name, l, validuser);
577 return(validuser);
578 }
579
580 void
auth_debug(int mode)581 auth_debug(int mode)
582 {
583 auth_debug_mode = mode;
584 }
585
586 void
auth_printsub(unsigned char * data,int cnt,unsigned char * buf,int buflen)587 auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
588 {
589 Authenticator *ap;
590
591 if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
592 (*ap->printsub)(data, cnt, buf, buflen);
593 else
594 auth_gen_printsub(data, cnt, buf, buflen);
595 }
596
597 void
auth_gen_printsub(unsigned char * data,int cnt,unsigned char * buf,int buflen)598 auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
599 {
600 register unsigned char *cp;
601 unsigned char tbuf[16];
602
603 cnt -= 3;
604 data += 3;
605 buf[buflen-1] = '\0';
606 buf[buflen-2] = '*';
607 buflen -= 2;
608 for (; cnt > 0; cnt--, data++) {
609 snprintf((char *)tbuf, sizeof(tbuf), " %d", *data);
610 for (cp = tbuf; *cp && buflen > 0; --buflen)
611 *buf++ = *cp++;
612 if (buflen <= 0)
613 return;
614 }
615 *buf = '\0';
616 }
617 #endif
618