1 /*-
2  * Copyright (c) 1992, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *	This product includes software developed by the University of
16  *	California, Berkeley and its contributors.
17  * 4. Neither the name of the University nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include <sys/cdefs.h>
35 __FBSDID("$FreeBSD$");
36 
37 #ifndef lint
38 static char sccsid[] = "@(#)krb4encpwd.c	8.3 (Berkeley) 5/30/95";
39 #endif /* not lint */
40 
41 
42 #ifdef	KRB4_ENCPWD
43 /*
44  * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
45  * ALL RIGHTS RESERVED
46  *
47  * "Digital Equipment Corporation authorizes the reproduction,
48  * distribution and modification of this software subject to the following
49  * restrictions:
50  *
51  * 1.  Any partial or whole copy of this software, or any modification
52  * thereof, must include this copyright notice in its entirety.
53  *
54  * 2.  This software is supplied "as is" with no warranty of any kind,
55  * expressed or implied, for any purpose, including any warranty of fitness
56  * or merchantibility.  DIGITAL assumes no responsibility for the use or
57  * reliability of this software, nor promises to provide any form of
58  * support for it on any basis.
59  *
60  * 3.  Distribution of this software is authorized only if no profit or
61  * remuneration of any kind is received in exchange for such distribution.
62  *
63  * 4.  This software produces public key authentication certificates
64  * bearing an expiration date established by DIGITAL and RSA Data
65  * Security, Inc.  It may cease to generate certificates after the expiration
66  * date.  Any modification of this software that changes or defeats
67  * the expiration date or its effect is unauthorized.
68  *
69  * 5.  Software that will renew or extend the expiration date of
70  * authentication certificates produced by this software may be obtained
71  * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
72  * 94065, (415)595-8782, or from DIGITAL"
73  *
74  */
75 
76 #include <sys/types.h>
77 #include <arpa/telnet.h>
78 #include <pwd.h>
79 #include <stdio.h>
80 
81 #include <openssl/des.h>
82 #include <krb.h>
83 #ifdef	__STDC__
84 #include <stdlib.h>
85 #endif
86 #ifdef	NO_STRING_H
87 #include <strings.h>
88 #else
89 #include <string.h>
90 #endif
91 
92 #include "encrypt.h"
93 #include "auth.h"
94 #include "misc.h"
95 
96 int krb_mk_encpwd_req P((KTEXT, char *, char *, char *, char *, char *, char *));
97 int krb_rd_encpwd_req P((KTEXT, char *, char *, u_long, AUTH_DAT *, char *, char *, char *, char *));
98 
99 extern auth_debug_mode;
100 
101 static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
102 			  		AUTHTYPE_KRB4_ENCPWD, };
103 static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
104 					TELQUAL_NAME, };
105 
106 #define	KRB4_ENCPWD_AUTH	0	/* Authentication data follows */
107 #define	KRB4_ENCPWD_REJECT	1	/* Rejected (reason might follow) */
108 #define KRB4_ENCPWD_ACCEPT	2	/* Accepted */
109 #define	KRB4_ENCPWD_CHALLENGE	3	/* Challenge for mutual auth. */
110 #define	KRB4_ENCPWD_ACK		4	/* Acknowledge */
111 
112 #define KRB_SERVICE_NAME    "rcmd"
113 
114 static	KTEXT_ST auth;
115 static	char name[ANAME_SZ];
116 static	char user_passwd[ANAME_SZ];
117 static	AUTH_DAT adat = { 0 };
118 #ifdef	ENCRYPTION
119 static Block	session_key	= { 0 };
120 #endif	/* ENCRYPTION */
121 static char  challenge[REALM_SZ];
122 
123 	static int
124 Data(ap, type, d, c)
125 	Authenticator *ap;
126 	int type;
127 	void *d;
128 	int c;
129 {
130 	unsigned char *p = str_data + 4;
131 	unsigned char *cd = (unsigned char *)d;
132 
133 	if (c == -1)
134 		c = strlen((char *)cd);
135 
136 	if (0) {
137 		printf("%s:%d: [%d] (%d)",
138 			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
139 			str_data[3],
140 			type, c);
141 		printd(d, c);
142 		printf("\r\n");
143 	}
144 	*p++ = ap->type;
145 	*p++ = ap->way;
146 	*p++ = type;
147 	while (c-- > 0) {
148 		if ((*p++ = *cd++) == IAC)
149 			*p++ = IAC;
150 	}
151 	*p++ = IAC;
152 	*p++ = SE;
153 	if (str_data[3] == TELQUAL_IS)
154 		printsub('>', &str_data[2], p - (&str_data[2]));
155 	return(net_write(str_data, p - str_data));
156 }
157 
158 	int
159 krb4encpwd_init(ap, server)
160 	Authenticator *ap;
161 	int server;
162 {
163 	char hostname[80], *cp, *realm;
164 	C_Block skey;
165 
166 	if (server) {
167 		str_data[3] = TELQUAL_REPLY;
168 	} else {
169 		str_data[3] = TELQUAL_IS;
170 		gethostname(hostname, sizeof(hostname));
171 		realm = krb_realmofhost(hostname);
172 		cp = strchr(hostname, '.');
173 		if (*cp != NULL) *cp = NULL;
174 		if (read_service_key(KRB_SERVICE_NAME, hostname, realm, 0,
175 					KEYFILE, (char *)skey)) {
176 		  return(0);
177 		}
178 	}
179 	return(1);
180 }
181 
182 	int
183 krb4encpwd_send(ap)
184 	Authenticator *ap;
185 {
186 
187 	printf("[ Trying KRB4ENCPWD ... ]\n");
188 	if (!UserNameRequested) {
189 		return(0);
190 	}
191 	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
192 		return(0);
193 	}
194 
195 	if (!Data(ap, KRB4_ENCPWD_ACK, (void *)NULL, 0)) {
196 		return(0);
197 	}
198 
199 	return(1);
200 }
201 
202 	void
203 krb4encpwd_is(ap, data, cnt)
204 	Authenticator *ap;
205 	unsigned char *data;
206 	int cnt;
207 {
208 	Session_Key skey;
209 	Block datablock;
210 	char  r_passwd[ANAME_SZ], r_user[ANAME_SZ];
211 	char  lhostname[ANAME_SZ], *cp;
212 	int r;
213 	time_t now;
214 
215 	if (cnt-- < 1)
216 		return;
217 	switch (*data++) {
218 	case KRB4_ENCPWD_AUTH:
219 		memmove((void *)auth.dat, (void *)data, auth.length = cnt);
220 
221 		gethostname(lhostname, sizeof(lhostname));
222 		if ((cp = strchr(lhostname, '.')) != 0)  *cp = '\0';
223 
224 		if (r = krb_rd_encpwd_req(&auth, KRB_SERVICE_NAME, lhostname, 0, &adat, NULL, challenge, r_user, r_passwd)) {
225 			Data(ap, KRB4_ENCPWD_REJECT, (void *)"Auth failed", -1);
226 			auth_finished(ap, AUTH_REJECT);
227 			return;
228 		}
229 		auth_encrypt_userpwd(r_passwd);
230 		if (passwdok(UserNameRequested, UserPassword) == 0) {
231 		  /*
232 		   *  illegal username and password
233 		   */
234 		  Data(ap, KRB4_ENCPWD_REJECT, (void *)"Illegal password", -1);
235 		  auth_finished(ap, AUTH_REJECT);
236 		  return;
237 		}
238 
239 		memmove((void *)session_key, (void *)adat.session, sizeof(Block));
240 		Data(ap, KRB4_ENCPWD_ACCEPT, (void *)0, 0);
241 		auth_finished(ap, AUTH_USER);
242 		break;
243 
244 	case KRB4_ENCPWD_CHALLENGE:
245 		/*
246 		 *  Take the received random challenge text and save
247 		 *  for future authentication.
248 		 */
249 		memmove((void *)challenge, (void *)data, sizeof(Block));
250 		break;
251 
252 
253 	case KRB4_ENCPWD_ACK:
254 		/*
255 		 *  Receive ack, if mutual then send random challenge
256 		 */
257 
258 		/*
259 		 * If we are doing mutual authentication, get set up to send
260 		 * the challenge, and verify it when the response comes back.
261 		 */
262 
263 		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
264 		  register int i;
265 
266 		  time(&now);
267 		  sprintf(challenge, "%x", now);
268 		  Data(ap, KRB4_ENCPWD_CHALLENGE, (void *)challenge, strlen(challenge));
269 		}
270 		break;
271 
272 	default:
273 		Data(ap, KRB4_ENCPWD_REJECT, 0, 0);
274 		break;
275 	}
276 }
277 
278 
279 	void
280 krb4encpwd_reply(ap, data, cnt)
281 	Authenticator *ap;
282 	unsigned char *data;
283 	int cnt;
284 {
285 	Session_Key skey;
286 	KTEXT_ST krb_token;
287 	Block enckey;
288 	CREDENTIALS cred;
289 	int r;
290 	char	randchal[REALM_SZ], instance[ANAME_SZ], *cp;
291 	char	hostname[80], *realm;
292 
293 	if (cnt-- < 1)
294 		return;
295 	switch (*data++) {
296 	case KRB4_ENCPWD_REJECT:
297 		if (cnt > 0) {
298 			printf("[ KRB4_ENCPWD refuses authentication because %.*s ]\r\n",
299 				cnt, data);
300 		} else
301 			printf("[ KRB4_ENCPWD refuses authentication ]\r\n");
302 		auth_send_retry();
303 		return;
304 	case KRB4_ENCPWD_ACCEPT:
305 		printf("[ KRB4_ENCPWD accepts you ]\n");
306 		auth_finished(ap, AUTH_USER);
307 		return;
308 	case KRB4_ENCPWD_CHALLENGE:
309 		/*
310 		 * Verify that the response to the challenge is correct.
311 		 */
312 
313 		gethostname(hostname, sizeof(hostname));
314 		realm = krb_realmofhost(hostname);
315 		memmove((void *)challenge, (void *)data, cnt);
316 		memset(user_passwd, 0, sizeof(user_passwd));
317 		local_des_read_pw_string(user_passwd, sizeof(user_passwd)-1, "Password: ", 0);
318 		UserPassword = user_passwd;
319 		Challenge = challenge;
320 		strcpy(instance, RemoteHostName);
321 		if ((cp = strchr(instance, '.')) != 0)  *cp = '\0';
322 
323 		if (r = krb_mk_encpwd_req(&krb_token, KRB_SERVICE_NAME, instance, realm, Challenge, UserNameRequested, user_passwd)) {
324 		  krb_token.length = 0;
325 		}
326 
327 		if (!Data(ap, KRB4_ENCPWD_AUTH, (void *)krb_token.dat, krb_token.length)) {
328 		  return;
329 		}
330 
331 		break;
332 
333 	default:
334 		return;
335 	}
336 }
337 
338 	int
339 krb4encpwd_status(ap, name, level)
340 	Authenticator *ap;
341 	char *name;
342 	int level;
343 {
344 
345 	if (level < AUTH_USER)
346 		return(level);
347 
348 	if (UserNameRequested && passwdok(UserNameRequested, UserPassword)) {
349 		strcpy(name, UserNameRequested);
350 		return(AUTH_VALID);
351 	} else {
352 		return(AUTH_USER);
353 	}
354 }
355 
356 #define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
357 #define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
358 
359 	void
360 krb4encpwd_printsub(data, cnt, buf, buflen)
361 	unsigned char *data, *buf;
362 	int cnt, buflen;
363 {
364 	char lbuf[32];
365 	register int i;
366 
367 	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
368 	buflen -= 1;
369 
370 	switch(data[3]) {
371 	case KRB4_ENCPWD_REJECT:	/* Rejected (reason might follow) */
372 		strncpy((char *)buf, " REJECT ", buflen);
373 		goto common;
374 
375 	case KRB4_ENCPWD_ACCEPT:	/* Accepted (name might follow) */
376 		strncpy((char *)buf, " ACCEPT ", buflen);
377 	common:
378 		BUMP(buf, buflen);
379 		if (cnt <= 4)
380 			break;
381 		ADDC(buf, buflen, '"');
382 		for (i = 4; i < cnt; i++)
383 			ADDC(buf, buflen, data[i]);
384 		ADDC(buf, buflen, '"');
385 		ADDC(buf, buflen, '\0');
386 		break;
387 
388 	case KRB4_ENCPWD_AUTH:		/* Authentication data follows */
389 		strncpy((char *)buf, " AUTH", buflen);
390 		goto common2;
391 
392 	case KRB4_ENCPWD_CHALLENGE:
393 		strncpy((char *)buf, " CHALLENGE", buflen);
394 		goto common2;
395 
396 	case KRB4_ENCPWD_ACK:
397 		strncpy((char *)buf, " ACK", buflen);
398 		goto common2;
399 
400 	default:
401 		sprintf(lbuf, " %d (unknown)", data[3]);
402 		strncpy((char *)buf, lbuf, buflen);
403 	common2:
404 		BUMP(buf, buflen);
405 		for (i = 4; i < cnt; i++) {
406 			sprintf(lbuf, " %d", data[i]);
407 			strncpy((char *)buf, lbuf, buflen);
408 			BUMP(buf, buflen);
409 		}
410 		break;
411 	}
412 }
413 
414 int passwdok(name, passwd)
415 char *name, *passwd;
416 {
417   char *crypt();
418   char *salt, *p;
419   struct passwd *pwd;
420   int   passwdok_status = 0;
421 
422   if (pwd = getpwnam(name))
423     salt = pwd->pw_passwd;
424   else salt = "xx";
425 
426   p = crypt(passwd, salt);
427 
428   if (pwd && !strcmp(p, pwd->pw_passwd)) {
429     passwdok_status = 1;
430   } else passwdok_status = 0;
431   return(passwdok_status);
432 }
433 
434 #endif
435 
436 #ifdef notdef
437 
438 prkey(msg, key)
439 	char *msg;
440 	unsigned char *key;
441 {
442 	register int i;
443 	printf("%s:", msg);
444 	for (i = 0; i < 8; i++)
445 		printf(" %3d", key[i]);
446 	printf("\r\n");
447 }
448 #endif
449