1 /*- 2 * Copyright (c) 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the University nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 */ 30 31 #if 0 32 #ifndef lint 33 static const char sccsid[] = "@(#)auth.c 8.3 (Berkeley) 5/30/95"; 34 #endif /* not lint */ 35 #endif 36 #include <sys/cdefs.h> 37 __FBSDID("$FreeBSD$"); 38 39 40 /* 41 * Copyright (C) 1990 by the Massachusetts Institute of Technology 42 * 43 * Export of this software from the United States of America is assumed 44 * to require a specific license from the United States Government. 45 * It is the responsibility of any person or organization contemplating 46 * export to obtain such a license before exporting. 47 * 48 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 49 * distribute this software and its documentation for any purpose and 50 * without fee is hereby granted, provided that the above copyright 51 * notice appear in all copies and that both that copyright notice and 52 * this permission notice appear in supporting documentation, and that 53 * the name of M.I.T. not be used in advertising or publicity pertaining 54 * to distribution of the software without specific, written prior 55 * permission. M.I.T. makes no representations about the suitability of 56 * this software for any purpose. It is provided "as is" without express 57 * or implied warranty. 58 */ 59 60 61 #ifdef AUTHENTICATION 62 #define AUTH_NAMES 63 #include <sys/types.h> 64 #include <signal.h> 65 #include <stdio.h> 66 #include <stdlib.h> 67 #include <string.h> 68 #include <unistd.h> 69 #include <arpa/telnet.h> 70 71 #include "encrypt.h" 72 #include "auth.h" 73 #include "misc-proto.h" 74 #include "auth-proto.h" 75 76 #define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0) 77 78 #ifdef KRB4_ENCPWD 79 extern krb4encpwd_init(); 80 extern krb4encpwd_send(); 81 extern krb4encpwd_is(); 82 extern krb4encpwd_reply(); 83 extern krb4encpwd_status(); 84 extern krb4encpwd_printsub(); 85 #endif 86 87 #ifdef RSA_ENCPWD 88 extern rsaencpwd_init(); 89 extern rsaencpwd_send(); 90 extern rsaencpwd_is(); 91 extern rsaencpwd_reply(); 92 extern rsaencpwd_status(); 93 extern rsaencpwd_printsub(); 94 #endif 95 96 int auth_debug_mode = 0; 97 static const char *Name = "Noname"; 98 static int Server = 0; 99 static Authenticator *authenticated = 0; 100 static int authenticating = 0; 101 static int validuser = 0; 102 static unsigned char _auth_send_data[256]; 103 static unsigned char *auth_send_data; 104 static int auth_send_cnt = 0; 105 106 int auth_onoff(char *type, int on); 107 void auth_encrypt_user(char *name); 108 109 /* 110 * Authentication types supported. Plese note that these are stored 111 * in priority order, i.e. try the first one first. 112 */ 113 Authenticator authenticators[] = { 114 #ifdef KRB5 115 # ifdef ENCRYPTION 116 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, 117 kerberos5_init, 118 kerberos5_send_mutual, 119 kerberos5_is, 120 kerberos5_reply, 121 kerberos5_status, 122 kerberos5_printsub }, 123 # endif /* ENCRYPTION */ 124 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, 125 kerberos5_init, 126 kerberos5_send_oneway, 127 kerberos5_is, 128 kerberos5_reply, 129 kerberos5_status, 130 kerberos5_printsub }, 131 #endif 132 #ifdef KRB4 133 # ifdef ENCRYPTION 134 { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, 135 kerberos4_init, 136 kerberos4_send, 137 kerberos4_is, 138 kerberos4_reply, 139 kerberos4_status, 140 kerberos4_printsub }, 141 # endif /* ENCRYPTION */ 142 { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, 143 kerberos4_init, 144 kerberos4_send, 145 kerberos4_is, 146 kerberos4_reply, 147 kerberos4_status, 148 kerberos4_printsub }, 149 #endif 150 #ifdef KRB4_ENCPWD 151 { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, 152 krb4encpwd_init, 153 krb4encpwd_send, 154 krb4encpwd_is, 155 krb4encpwd_reply, 156 krb4encpwd_status, 157 krb4encpwd_printsub }, 158 #endif 159 #ifdef RSA_ENCPWD 160 { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, 161 rsaencpwd_init, 162 rsaencpwd_send, 163 rsaencpwd_is, 164 rsaencpwd_reply, 165 rsaencpwd_status, 166 rsaencpwd_printsub }, 167 #endif 168 #ifdef SRA 169 { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, 170 sra_init, 171 sra_send, 172 sra_is, 173 sra_reply, 174 sra_status, 175 sra_printsub }, 176 177 #endif 178 { 0, 0, 0, 0, 0, 0, 0, 0 }, 179 }; 180 181 static Authenticator NoAuth = { 0, 0, 0, 0, 0, 0, 0, 0 }; 182 183 static int i_support = 0; 184 static int i_wont_support = 0; 185 186 Authenticator * 187 findauthenticator(int type, int way) 188 { 189 Authenticator *ap = authenticators; 190 191 while (ap->type && (ap->type != type || ap->way != way)) 192 ++ap; 193 return(ap->type ? ap : 0); 194 } 195 196 void 197 auth_init(const char *name, int server) 198 { 199 Authenticator *ap = authenticators; 200 201 Server = server; 202 Name = name; 203 204 i_support = 0; 205 authenticated = 0; 206 authenticating = 0; 207 while (ap->type) { 208 if (!ap->init || (*ap->init)(ap, server)) { 209 i_support |= typemask(ap->type); 210 if (auth_debug_mode) 211 printf(">>>%s: I support auth type %d %d\r\n", 212 Name, 213 ap->type, ap->way); 214 } 215 else if (auth_debug_mode) 216 printf(">>>%s: Init failed: auth type %d %d\r\n", 217 Name, ap->type, ap->way); 218 ++ap; 219 } 220 } 221 222 void 223 auth_disable_name(char *name) 224 { 225 int x; 226 for (x = 0; x < AUTHTYPE_CNT; ++x) { 227 if (AUTHTYPE_NAME(x) && !strcasecmp(name, AUTHTYPE_NAME(x))) { 228 i_wont_support |= typemask(x); 229 break; 230 } 231 } 232 } 233 234 int 235 getauthmask(char *type, int *maskp) 236 { 237 int x; 238 239 if (AUTHTYPE_NAME(0) && !strcasecmp(type, AUTHTYPE_NAME(0))) { 240 *maskp = -1; 241 return(1); 242 } 243 244 for (x = 1; x < AUTHTYPE_CNT; ++x) { 245 if (AUTHTYPE_NAME(x) && !strcasecmp(type, AUTHTYPE_NAME(x))) { 246 *maskp = typemask(x); 247 return(1); 248 } 249 } 250 return(0); 251 } 252 253 int 254 auth_enable(char *type) 255 { 256 return(auth_onoff(type, 1)); 257 } 258 259 int 260 auth_disable(char *type) 261 { 262 return(auth_onoff(type, 0)); 263 } 264 265 int 266 auth_onoff(char *type, int on) 267 { 268 int i, mask = -1; 269 Authenticator *ap; 270 271 if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) { 272 printf("auth %s 'type'\n", on ? "enable" : "disable"); 273 printf("Where 'type' is one of:\n"); 274 printf("\t%s\n", AUTHTYPE_NAME(0)); 275 mask = 0; 276 for (ap = authenticators; ap->type; ap++) { 277 if ((mask & (i = typemask(ap->type))) != 0) 278 continue; 279 mask |= i; 280 printf("\t%s\n", AUTHTYPE_NAME(ap->type)); 281 } 282 return(0); 283 } 284 285 if (!getauthmask(type, &mask)) { 286 printf("%s: invalid authentication type\n", type); 287 return(0); 288 } 289 if (on) 290 i_wont_support &= ~mask; 291 else 292 i_wont_support |= mask; 293 return(1); 294 } 295 296 int 297 auth_togdebug(int on) 298 { 299 if (on < 0) 300 auth_debug_mode ^= 1; 301 else 302 auth_debug_mode = on; 303 printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled"); 304 return(1); 305 } 306 307 int 308 auth_status(void) 309 { 310 Authenticator *ap; 311 int i, mask; 312 313 if (i_wont_support == -1) 314 printf("Authentication disabled\n"); 315 else 316 printf("Authentication enabled\n"); 317 318 mask = 0; 319 for (ap = authenticators; ap->type; ap++) { 320 if ((mask & (i = typemask(ap->type))) != 0) 321 continue; 322 mask |= i; 323 printf("%s: %s\n", AUTHTYPE_NAME(ap->type), 324 (i_wont_support & typemask(ap->type)) ? 325 "disabled" : "enabled"); 326 } 327 return(1); 328 } 329 330 /* 331 * This routine is called by the server to start authentication 332 * negotiation. 333 */ 334 void 335 auth_request(void) 336 { 337 static unsigned char str_request[64] = { IAC, SB, 338 TELOPT_AUTHENTICATION, 339 TELQUAL_SEND, }; 340 Authenticator *ap = authenticators; 341 unsigned char *e = str_request + 4; 342 343 if (!authenticating) { 344 authenticating = 1; 345 while (ap->type) { 346 if (i_support & ~i_wont_support & typemask(ap->type)) { 347 if (auth_debug_mode) { 348 printf(">>>%s: Sending type %d %d\r\n", 349 Name, ap->type, ap->way); 350 } 351 *e++ = ap->type; 352 *e++ = ap->way; 353 } 354 ++ap; 355 } 356 *e++ = IAC; 357 *e++ = SE; 358 net_write(str_request, e - str_request); 359 printsub('>', &str_request[2], e - str_request - 2); 360 } 361 } 362 363 /* 364 * This is called when an AUTH SEND is received. 365 * It should never arrive on the server side (as only the server can 366 * send an AUTH SEND). 367 * You should probably respond to it if you can... 368 * 369 * If you want to respond to the types out of order (i.e. even 370 * if he sends LOGIN KERBEROS and you support both, you respond 371 * with KERBEROS instead of LOGIN (which is against what the 372 * protocol says)) you will have to hack this code... 373 */ 374 void 375 auth_send(unsigned char *data, int cnt) 376 { 377 Authenticator *ap; 378 static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION, 379 TELQUAL_IS, AUTHTYPE_NULL, 0, 380 IAC, SE }; 381 if (Server) { 382 if (auth_debug_mode) { 383 printf(">>>%s: auth_send called!\r\n", Name); 384 } 385 return; 386 } 387 388 if (auth_debug_mode) { 389 printf(">>>%s: auth_send got:", Name); 390 printd(data, cnt); printf("\r\n"); 391 } 392 393 /* 394 * Save the data, if it is new, so that we can continue looking 395 * at it if the authorization we try doesn't work 396 */ 397 if (data < _auth_send_data || 398 data > _auth_send_data + sizeof(_auth_send_data)) { 399 auth_send_cnt = (size_t)cnt > sizeof(_auth_send_data) 400 ? sizeof(_auth_send_data) 401 : cnt; 402 memmove((void *)_auth_send_data, (void *)data, auth_send_cnt); 403 auth_send_data = _auth_send_data; 404 } else { 405 /* 406 * This is probably a no-op, but we just make sure 407 */ 408 auth_send_data = data; 409 auth_send_cnt = cnt; 410 } 411 while ((auth_send_cnt -= 2) >= 0) { 412 if (auth_debug_mode) 413 printf(">>>%s: He supports %d\r\n", 414 Name, *auth_send_data); 415 if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) { 416 ap = findauthenticator(auth_send_data[0], 417 auth_send_data[1]); 418 if (ap && ap->send) { 419 if (auth_debug_mode) 420 printf(">>>%s: Trying %d %d\r\n", 421 Name, auth_send_data[0], 422 auth_send_data[1]); 423 if ((*ap->send)(ap)) { 424 /* 425 * Okay, we found one we like 426 * and did it. 427 * we can go home now. 428 */ 429 if (auth_debug_mode) 430 printf(">>>%s: Using type %d\r\n", 431 Name, *auth_send_data); 432 auth_send_data += 2; 433 return; 434 } 435 } 436 /* else 437 * just continue on and look for the 438 * next one if we didn't do anything. 439 */ 440 } 441 auth_send_data += 2; 442 } 443 net_write(str_none, sizeof(str_none)); 444 printsub('>', &str_none[2], sizeof(str_none) - 2); 445 if (auth_debug_mode) 446 printf(">>>%s: Sent failure message\r\n", Name); 447 auth_finished(0, AUTH_REJECT); 448 } 449 450 void 451 auth_send_retry(void) 452 { 453 /* 454 * if auth_send_cnt <= 0 then auth_send will end up rejecting 455 * the authentication and informing the other side of this. 456 */ 457 auth_send(auth_send_data, auth_send_cnt); 458 } 459 460 void 461 auth_is(unsigned char *data, int cnt) 462 { 463 Authenticator *ap; 464 465 if (cnt < 2) 466 return; 467 468 if (data[0] == AUTHTYPE_NULL) { 469 auth_finished(0, AUTH_REJECT); 470 return; 471 } 472 473 if ((ap = findauthenticator(data[0], data[1]))) { 474 if (ap->is) 475 (*ap->is)(ap, data+2, cnt-2); 476 } else if (auth_debug_mode) 477 printf(">>>%s: Invalid authentication in IS: %d\r\n", 478 Name, *data); 479 } 480 481 void 482 auth_reply(unsigned char *data, int cnt) 483 { 484 Authenticator *ap; 485 486 if (cnt < 2) 487 return; 488 489 if ((ap = findauthenticator(data[0], data[1]))) { 490 if (ap->reply) 491 (*ap->reply)(ap, data+2, cnt-2); 492 } else if (auth_debug_mode) 493 printf(">>>%s: Invalid authentication in SEND: %d\r\n", 494 Name, *data); 495 } 496 497 void 498 auth_name(unsigned char *data, int cnt) 499 { 500 unsigned char savename[256]; 501 502 if (cnt < 1) { 503 if (auth_debug_mode) 504 printf(">>>%s: Empty name in NAME\r\n", Name); 505 return; 506 } 507 if ((size_t)cnt > sizeof(savename) - 1) { 508 if (auth_debug_mode) 509 printf(">>>%s: Name in NAME (%d) exceeds %d length\r\n", 510 Name, cnt, (u_int)sizeof(savename)-1); 511 return; 512 } 513 memmove((void *)savename, (void *)data, cnt); 514 savename[cnt] = '\0'; /* Null terminate */ 515 if (auth_debug_mode) 516 printf(">>>%s: Got NAME [%s]\r\n", Name, savename); 517 auth_encrypt_user(savename); 518 } 519 520 int 521 auth_sendname(unsigned char *cp, int len) 522 { 523 static unsigned char str_request[256+6] 524 = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, }; 525 unsigned char *e = str_request + 4; 526 unsigned char *ee = &str_request[sizeof(str_request)-2]; 527 528 while (--len >= 0) { 529 if ((*e++ = *cp++) == IAC) 530 *e++ = IAC; 531 if (e >= ee) 532 return(0); 533 } 534 *e++ = IAC; 535 *e++ = SE; 536 net_write(str_request, e - str_request); 537 printsub('>', &str_request[2], e - &str_request[2]); 538 return(1); 539 } 540 541 void 542 auth_finished(Authenticator *ap, int result) 543 { 544 if (!(authenticated = ap)) 545 authenticated = &NoAuth; 546 validuser = result; 547 } 548 549 /* ARGSUSED */ 550 static void 551 auth_intr(int sig __unused) 552 { 553 auth_finished(0, AUTH_REJECT); 554 } 555 556 int 557 auth_wait(char *name) 558 { 559 if (auth_debug_mode) 560 printf(">>>%s: in auth_wait.\r\n", Name); 561 562 if (Server && !authenticating) 563 return(0); 564 565 (void) signal(SIGALRM, auth_intr); 566 alarm(30); 567 while (!authenticated) 568 if (telnet_spin()) 569 break; 570 alarm(0); 571 (void) signal(SIGALRM, SIG_DFL); 572 573 /* 574 * Now check to see if the user is valid or not 575 */ 576 if (!authenticated || authenticated == &NoAuth) 577 return(AUTH_REJECT); 578 579 if (validuser == AUTH_VALID) 580 validuser = AUTH_USER; 581 582 if (authenticated->status) 583 validuser = (*authenticated->status)(authenticated, 584 name, validuser); 585 return(validuser); 586 } 587 588 void 589 auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) 590 { 591 Authenticator *ap; 592 593 if ((ap = findauthenticator(data[1], data[2])) && ap->printsub) 594 (*ap->printsub)(data, cnt, buf, buflen); 595 else 596 auth_gen_printsub(data, cnt, buf, buflen); 597 } 598 599 void 600 auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) 601 { 602 unsigned char *cp; 603 unsigned char tbuf[16]; 604 605 cnt -= 3; 606 data += 3; 607 buf[buflen-1] = '\0'; 608 buf[buflen-2] = '*'; 609 buflen -= 2; 610 for (; cnt > 0; cnt--, data++) { 611 sprintf((char *)tbuf, " %d", *data); 612 for (cp = tbuf; *cp && buflen > 0; --buflen) 613 *buf++ = *cp++; 614 if (buflen <= 0) 615 return; 616 } 617 *buf = '\0'; 618 } 619 #endif 620