1 /*-
2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /* based on @(#)auth.c 8.1 (Berkeley) 6/4/93 */
35
36 /*
37 * Copyright (C) 1990 by the Massachusetts Institute of Technology
38 *
39 * Export of this software from the United States of America may
40 * require a specific license from the United States Government.
41 * It is the responsibility of any person or organization contemplating
42 * export to obtain such a license before exporting.
43 *
44 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
45 * distribute this software and its documentation for any purpose and
46 * without fee is hereby granted, provided that the above copyright
47 * notice appear in all copies and that both that copyright notice and
48 * this permission notice appear in supporting documentation, and that
49 * the name of M.I.T. not be used in advertising or publicity pertaining
50 * to distribution of the software without specific, written prior
51 * permission. Furthermore if you modify this software you must label
52 * your software as modified software and not distribute it in such a
53 * fashion that it might be confused with the original M.I.T. software.
54 * M.I.T. makes no representations about the suitability of
55 * this software for any purpose. It is provided "as is" without express
56 * or implied warranty.
57 */
58
59 #include <autoconf.h>
60
61 #if defined(AUTHENTICATION)
62 #include <stdio.h>
63 #include <sys/types.h>
64 #include <signal.h>
65 #define AUTH_NAMES
66 #include <arpa/telnet.h>
67 #ifdef __STDC__
68 #include <stdlib.h>
69 #include <unistd.h>
70 #endif
71 #ifdef HAVE_STRING_H
72 #include <string.h>
73 #else
74 #include <strings.h>
75 #endif
76
77 #include "encrypt.h"
78 #include "auth.h"
79 #include "misc-proto.h"
80 #include "auth-proto.h"
81
82 #define typemask(x) (1<<((x)-1))
83
84
85
86 int auth_debug_mode = 0;
87 int auth_has_failed = 0;
88 int auth_enable_encrypt = 0;
89 int auth_client_non_unix = 0;
90 static char *Name = "Noname";
91 static int Server = 0;
92 static Authenticator *authenticated = 0;
93 static int authenticating = 0;
94 static int validuser = 0;
95 static unsigned char _auth_send_data[256];
96 static unsigned char *auth_send_data;
97 static int auth_send_cnt = 0;
98
99 /*
100 * Authentication types supported. Plese note that these are stored
101 * in priority order, i.e. try the first one first.
102 */
103 Authenticator authenticators[] = {
104 #ifdef SPX
105 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
106 spx_init,
107 spx_send,
108 spx_is,
109 spx_reply,
110 spx_status,
111 spx_printsub },
112 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
113 spx_init,
114 spx_send,
115 spx_is,
116 spx_reply,
117 spx_status,
118 spx_printsub },
119 #endif
120 #ifdef KRB5
121 #ifdef ENCRYPTION
122 { AUTHTYPE_KERBEROS_V5,
123 AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL|AUTH_ENCRYPT_ON,
124 kerberos5_init,
125 kerberos5_send,
126 kerberos5_is,
127 kerberos5_reply,
128 kerberos5_status,
129 kerberos5_printsub },
130 #endif
131 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
132 kerberos5_init,
133 kerberos5_send,
134 kerberos5_is,
135 kerberos5_reply,
136 kerberos5_status,
137 kerberos5_printsub },
138 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
139 kerberos5_init,
140 kerberos5_send,
141 kerberos5_is,
142 kerberos5_reply,
143 kerberos5_status,
144 kerberos5_printsub },
145 #endif
146 { 0, },
147 };
148
149 static Authenticator NoAuth = { 0 };
150
151 static int i_support = 0;
152 static int i_wont_support = 0;
153
154 Authenticator *
findauthenticator(type,way)155 findauthenticator(type, way)
156 int type;
157 int way;
158 {
159 Authenticator *ap = authenticators;
160
161 while (ap->type && (ap->type != type || ap->way != way))
162 ++ap;
163 return(ap->type ? ap : 0);
164 }
165
166 void
auth_init(name,server)167 auth_init(name, server)
168 char *name;
169 int server;
170 {
171 Authenticator *ap = authenticators;
172
173 Server = server;
174 Name = name;
175
176 i_support = 0;
177 authenticated = 0;
178 authenticating = 0;
179 while (ap->type) {
180 if (!ap->init || (*ap->init)(ap, server)) {
181 i_support |= typemask(ap->type);
182 if (auth_debug_mode)
183 printf(">>>%s: I support auth type %d %d\r\n",
184 Name,
185 ap->type, ap->way);
186 }
187 ++ap;
188 }
189 }
190
191 void
auth_disable_name(name)192 auth_disable_name(name)
193 char *name;
194 {
195 int x;
196 for (x = 0; x < AUTHTYPE_CNT; ++x) {
197 if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
198 i_wont_support |= typemask(x);
199 break;
200 }
201 }
202 }
203
204 int
getauthmask(type,maskp)205 getauthmask(type, maskp)
206 char *type;
207 int *maskp;
208 {
209 register int x;
210
211 if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
212 *maskp = -1;
213 return(1);
214 }
215
216 for (x = 1; x < AUTHTYPE_CNT; ++x) {
217 if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
218 *maskp = typemask(x);
219 return(1);
220 }
221 }
222 return(0);
223 }
224
225 int
auth_enable(type)226 auth_enable(type)
227 char * type;
228 {
229 return(auth_onoff(type, 1));
230 }
231
232 int
auth_disable(type)233 auth_disable(type)
234 char * type;
235 {
236 return(auth_onoff(type, 0));
237 }
238
239 int
auth_onoff(type,on)240 auth_onoff(type, on)
241 char *type;
242 int on;
243 {
244 int i, mask = -1;
245 Authenticator *ap;
246
247 if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
248 printf("auth %s 'type'\n", on ? "enable" : "disable");
249 printf("Where 'type' is one of:\n");
250 printf("\t%s\n", AUTHTYPE_NAME(0));
251 mask = 0;
252 for (ap = authenticators; ap->type; ap++) {
253 if ((mask & (i = typemask(ap->type))) != 0)
254 continue;
255 mask |= i;
256 printf("\t%s\n", AUTHTYPE_NAME(ap->type));
257 }
258 return(0);
259 }
260
261 if (!getauthmask(type, &mask)) {
262 printf("%s: invalid authentication type\n", type);
263 return(0);
264 }
265 if (on)
266 i_wont_support &= ~mask;
267 else
268 i_wont_support |= mask;
269 return(1);
270 }
271
272 int
auth_togdebug(on)273 auth_togdebug(on)
274 int on;
275 {
276 if (on < 0)
277 auth_debug_mode ^= 1;
278 else
279 auth_debug_mode = on;
280 printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
281 return(1);
282 }
283
284 int
auth_status()285 auth_status()
286 {
287 Authenticator *ap;
288 int i, mask;
289
290 if (i_wont_support == -1)
291 printf("Authentication disabled\n");
292 else
293 printf("Authentication enabled\n");
294
295 mask = 0;
296 for (ap = authenticators; ap->type; ap++) {
297 if ((mask & (i = typemask(ap->type))) != 0)
298 continue;
299 mask |= i;
300 printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
301 (i_wont_support & typemask(ap->type)) ?
302 "disabled" : "enabled");
303 }
304 return(1);
305 }
306
307 /*
308 * This routine is called by the server to start authentication
309 * negotiation.
310 */
311 void
auth_request()312 auth_request()
313 {
314 static unsigned char str_request[64] = { IAC, SB,
315 TELOPT_AUTHENTICATION,
316 TELQUAL_SEND, };
317 Authenticator *ap = authenticators;
318 unsigned char *e = str_request + 4;
319
320 if (!authenticating) {
321 authenticating = 1;
322 while (ap->type) {
323 if (i_support & ~i_wont_support & typemask(ap->type)) {
324 if (ap->type == AUTHTYPE_KERBEROS_V4 ||
325 !auth_client_non_unix) {
326 if (auth_debug_mode) {
327 printf(">>>%s: Sending type %d %d\r\n",
328 Name, ap->type, ap->way);
329 }
330 *e++ = ap->type;
331 *e++ = ap->way;
332 }
333 }
334 ++ap;
335 }
336 if (auth_client_non_unix) {
337 ap = authenticators;
338 while (ap->type) {
339 if (i_support & ~i_wont_support & typemask(ap->type)) {
340 *e++ = ap->type;
341 *e++ = ap->way;
342 }
343 ++ap;
344 }
345 }
346 *e++ = IAC;
347 *e++ = SE;
348 net_write(str_request, e - str_request);
349 printsub('>', &str_request[2], e - str_request - 2);
350 }
351 }
352
353 /*
354 * This is called when an AUTH SEND is received.
355 * It should never arrive on the server side (as only the server can
356 * send an AUTH SEND).
357 * You should probably respond to it if you can...
358 *
359 * If you want to respond to the types out of order (i.e. even
360 * if he sends LOGIN KERBEROS and you support both, you respond
361 * with KERBEROS instead of LOGIN (which is against what the
362 * protocol says)) you will have to hack this code...
363 */
364 void
auth_send(data,cnt)365 auth_send(data, cnt)
366 unsigned char *data;
367 int cnt;
368 {
369 if (Server) {
370 if (auth_debug_mode) {
371 printf(">>>%s: auth_send called!\r\n", Name);
372 }
373 return;
374 }
375
376 if (auth_debug_mode) {
377 printf(">>>%s: auth_send got:", Name);
378 printd(data, cnt); printf("\r\n");
379 }
380
381 /*
382 * Save the list of authentication mechanisms
383 */
384 auth_send_cnt = cnt;
385 if ((size_t) auth_send_cnt > sizeof(_auth_send_data))
386 auth_send_cnt = sizeof(_auth_send_data);
387 memcpy(_auth_send_data, data, (unsigned) auth_send_cnt);
388 auth_send_data = _auth_send_data;
389
390 auth_send_retry();
391 }
392
393 /*
394 * Try the next authentication mechanism on the list, and see if it
395 * works.
396 */
auth_send_retry()397 void auth_send_retry()
398 {
399 Authenticator *ap;
400 static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
401 TELQUAL_IS, AUTHTYPE_NULL, 0,
402 IAC, SE };
403
404 if (Server) {
405 if (auth_debug_mode) {
406 printf(">>>%s: auth_send_retry called!\r\n", Name);
407 }
408 return;
409 }
410
411 for (;(auth_send_cnt -= 2) >= 0; auth_send_data += 2) {
412 if (auth_debug_mode)
413 printf(">>>%s: He supports %d\r\n", Name, *auth_send_data);
414 if (!(i_support & typemask(*auth_send_data)))
415 continue;
416 if (i_wont_support & typemask(*auth_send_data))
417 continue;
418 ap = findauthenticator(auth_send_data[0], auth_send_data[1]);
419 if (!ap || !ap->send)
420 continue;
421 if ((ap->way & AUTH_ENCRYPT_MASK) && !auth_enable_encrypt)
422 continue;
423
424 if (auth_debug_mode)
425 printf(">>>%s: Trying %d %d\r\n", Name, auth_send_data[0],
426 auth_send_data[1]);
427 if ((*ap->send)(ap)) {
428 /*
429 * Okay, we found one we like and did it. we can go
430 * home now.
431 */
432 if (auth_debug_mode)
433 printf(">>>%s: Using type %d\r\n", Name, *auth_send_data);
434 auth_send_data += 2;
435 return;
436 }
437 }
438 net_write(str_none, sizeof(str_none));
439 printsub('>', &str_none[2], sizeof(str_none) - 2);
440 if (auth_debug_mode)
441 printf(">>>%s: Sent failure message\r\n", Name);
442 auth_finished(0, AUTH_REJECT);
443 auth_has_failed = 1;
444 #ifdef KANNAN
445 /*
446 * We requested strong authentication, however no mechanisms worked.
447 * Therefore, exit on client end.
448 */
449 printf("Unable to securely authenticate user ... exit\n");
450 exit(0);
451 #endif /* KANNAN */
452 }
453
454 void
auth_is(data,cnt)455 auth_is(data, cnt)
456 unsigned char *data;
457 int cnt;
458 {
459 Authenticator *ap;
460
461 if (cnt < 2)
462 return;
463
464 if (data[0] == AUTHTYPE_NULL) {
465 auth_finished(0, AUTH_REJECT);
466 return;
467 }
468
469 if ((ap = findauthenticator(data[0], data[1]))) {
470 if (ap->is)
471 (*ap->is)(ap, data+2, cnt-2);
472 } else if (auth_debug_mode)
473 printf(">>>%s: Invalid authentication in IS: %d\r\n",
474 Name, *data);
475 }
476
477 void
auth_reply(data,cnt)478 auth_reply(data, cnt)
479 unsigned char *data;
480 int cnt;
481 {
482 Authenticator *ap;
483
484 if (cnt < 2)
485 return;
486
487 if ((ap = findauthenticator(data[0], data[1]))) {
488 if (ap->reply)
489 (*ap->reply)(ap, data+2, cnt-2);
490 } else if (auth_debug_mode)
491 printf(">>>%s: Invalid authentication in SEND: %d\r\n",
492 Name, *data);
493 }
494
495 void
auth_name(data,cnt)496 auth_name(data, cnt)
497 unsigned char *data;
498 int cnt;
499 {
500 unsigned char savename[256];
501
502 if (cnt < 1) {
503 if (auth_debug_mode)
504 printf(">>>%s: Empty name in NAME\r\n", Name);
505 return;
506 }
507 if ((size_t) cnt > sizeof(savename) - 1) {
508 if (auth_debug_mode)
509 printf(">>>%s: Name in NAME (%d) exceeds %d length\r\n",
510 Name, cnt, (int) sizeof(savename)-1);
511 return;
512 }
513 memcpy(savename, data, (unsigned) cnt);
514 savename[cnt] = '\0'; /* Null terminate */
515 if (auth_debug_mode)
516 printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
517 auth_encrypt_user((const char *)savename);
518 }
519
520 int
auth_sendname(cp,len)521 auth_sendname(cp, len)
522 unsigned char *cp;
523 int len;
524 {
525 static unsigned char str_request[256+6]
526 = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
527 register unsigned char *e = str_request + 4;
528 register unsigned char *ee = &str_request[sizeof(str_request)-2];
529
530 while (--len >= 0) {
531 if ((*e++ = *cp++) == IAC)
532 *e++ = IAC;
533 if (e >= ee)
534 return(0);
535 }
536 *e++ = IAC;
537 *e++ = SE;
538 net_write(str_request, e - str_request);
539 printsub('>', &str_request[2], e - &str_request[2]);
540 return(1);
541 }
542
543 void
auth_finished(ap,result)544 auth_finished(ap, result)
545 Authenticator *ap;
546 int result;
547 {
548 if (!(authenticated = ap))
549 authenticated = &NoAuth;
550 validuser = result;
551 }
552
553 /* ARGSUSED */
554 static void
auth_intr(sig)555 auth_intr(sig)
556 int sig;
557 {
558 auth_finished(0, AUTH_REJECT);
559 }
560
561 void
auth_wait(name)562 auth_wait(name)
563 char *name;
564 {
565 if (auth_debug_mode)
566 printf(">>>%s: in auth_wait.\r\n", Name);
567
568 if (Server && !authenticating)
569 return;
570
571 (void) signal(SIGALRM, auth_intr);
572 alarm(30);
573 while (!authenticated)
574 if (telnet_spin())
575 break;
576 alarm(0);
577 (void) signal(SIGALRM, SIG_DFL);
578 }
579
580 int
auth_check(name)581 auth_check(name)
582 char *name;
583 {
584 /*
585 * Now check to see if the user is valid or not
586 */
587 if (!authenticated || authenticated == &NoAuth)
588 return(AUTH_REJECT);
589
590 if (validuser == AUTH_VALID)
591 validuser = AUTH_USER;
592
593 if (authenticated->status)
594 validuser = (*authenticated->status)(authenticated,
595 name, validuser);
596 return(validuser);
597 }
598
auth_must_encrypt()599 int auth_must_encrypt()
600 {
601 if (authenticated &&
602 ((authenticated->way & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON))
603 return 1;
604 return 0;
605 }
606
607 void
auth_debug(mode)608 auth_debug(mode)
609 int mode;
610 {
611 auth_debug_mode = mode;
612 }
613
614 void
auth_printsub(data,cnt,buf,buflen)615 auth_printsub(data, cnt, buf, buflen)
616 unsigned char *data, *buf;
617 int cnt;
618 unsigned int buflen;
619 {
620 Authenticator *ap;
621
622 if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
623 (*ap->printsub)(data, cnt, buf, buflen);
624 else
625 auth_gen_printsub(data, cnt, buf, buflen);
626 }
627
628 void
auth_gen_printsub(data,cnt,buf,buflen)629 auth_gen_printsub(data, cnt, buf, buflen)
630 unsigned char *data, *buf;
631 int cnt;
632 unsigned int buflen;
633 {
634 register unsigned char *cp;
635 unsigned char tbuf[16];
636
637 cnt -= 3;
638 data += 3;
639 buf[buflen-1] = '\0';
640 buf[buflen-2] = '*';
641 buflen -= 2;
642 for (; cnt > 0; cnt--, data++) {
643 snprintf((char *)tbuf, sizeof(tbuf), " %d", *data);
644 for (cp = tbuf; *cp && buflen > 0; --buflen)
645 *buf++ = *cp++;
646 if (buflen <= 0)
647 return;
648 }
649 *buf = '\0';
650 }
651 #endif
652