1 /*-
2  * Copyright (c) 1991, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *	This product includes software developed by the University of
16  *	California, Berkeley and its contributors.
17  * 4. Neither the name of the University nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 /*
35  * Copyright (C) 1990 by the Massachusetts Institute of Technology
36  *
37  * Export of this software from the United States of America is assumed
38  * to require a specific license from the United States Government.
39  * It is the responsibility of any person or organization contemplating
40  * export to obtain such a license before exporting.
41  *
42  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43  * distribute this software and its documentation for any purpose and
44  * without fee is hereby granted, provided that the above copyright
45  * notice appear in all copies and that both that copyright notice and
46  * this permission notice appear in supporting documentation, and that
47  * the name of M.I.T. not be used in advertising or publicity pertaining
48  * to distribution of the software without specific, written prior
49  * permission.  M.I.T. makes no representations about the suitability of
50  * this software for any purpose.  It is provided "as is" without express
51  * or implied warranty.
52  */
53 
54 #include <config.h>
55 
56 RCSID("$Id: auth.c,v 1.25 2002/01/18 12:58:48 joda Exp $");
57 
58 #if	defined(AUTHENTICATION)
59 #include <stdio.h>
60 #ifdef HAVE_SYS_TYPES_H
61 #include <sys/types.h>
62 #endif
63 #include <signal.h>
64 #define	AUTH_NAMES
65 #ifdef HAVE_ARPA_TELNET_H
66 #include <arpa/telnet.h>
67 #endif
68 #include <stdlib.h>
69 #include <string.h>
70 
71 #include <roken.h>
72 
73 #ifdef SOCKS
74 #include <socks.h>
75 #endif
76 
77 #include "encrypt.h"
78 #include "auth.h"
79 #include "misc-proto.h"
80 #include "auth-proto.h"
81 
82 #define	typemask(x)		(1<<((x)-1))
83 
84 #ifdef	KRB4_ENCPWD
85 extern krb4encpwd_init();
86 extern krb4encpwd_send();
87 extern krb4encpwd_is();
88 extern krb4encpwd_reply();
89 extern krb4encpwd_status();
90 extern krb4encpwd_printsub();
91 #endif
92 
93 #ifdef	RSA_ENCPWD
94 extern rsaencpwd_init();
95 extern rsaencpwd_send();
96 extern rsaencpwd_is();
97 extern rsaencpwd_reply();
98 extern rsaencpwd_status();
99 extern rsaencpwd_printsub();
100 #endif
101 
102 int auth_debug_mode = 0;
103 int auth_has_failed  = 0;
104 int auth_enable_encrypt = 0;
105 static 	const	char	*Name = "Noname";
106 static	int	Server = 0;
107 static	Authenticator	*authenticated = 0;
108 static	int	authenticating = 0;
109 static	int	validuser = 0;
110 static	unsigned char	_auth_send_data[256];
111 static	unsigned char	*auth_send_data;
112 static	int	auth_send_cnt = 0;
113 
114 /*
115  * Authentication types supported.  Plese note that these are stored
116  * in priority order, i.e. try the first one first.
117  */
118 Authenticator authenticators[] = {
119 #ifdef UNSAFE
120     { AUTHTYPE_UNSAFE, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
121       unsafe_init,
122       unsafe_send,
123       unsafe_is,
124       unsafe_reply,
125       unsafe_status,
126       unsafe_printsub },
127 #endif
128 #ifdef SRA
129     { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
130       sra_init,
131       sra_send,
132       sra_is,
133       sra_reply,
134       sra_status,
135       sra_printsub },
136 #endif
137 #ifdef	SPX
138     { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
139       spx_init,
140       spx_send,
141       spx_is,
142       spx_reply,
143       spx_status,
144       spx_printsub },
145     { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
146       spx_init,
147       spx_send,
148       spx_is,
149       spx_reply,
150       spx_status,
151       spx_printsub },
152 #endif
153 #ifdef	KRB5
154     { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
155       kerberos5_init,
156       kerberos5_send_mutual,
157       kerberos5_is,
158       kerberos5_reply,
159       kerberos5_status,
160       kerberos5_printsub },
161     { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
162       kerberos5_init,
163       kerberos5_send_oneway,
164       kerberos5_is,
165       kerberos5_reply,
166       kerberos5_status,
167       kerberos5_printsub },
168 #endif
169 #ifdef	KRB4
170     { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
171       kerberos4_init,
172       kerberos4_send_mutual,
173       kerberos4_is,
174       kerberos4_reply,
175       kerberos4_status,
176       kerberos4_printsub },
177     { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
178       kerberos4_init,
179       kerberos4_send_oneway,
180       kerberos4_is,
181       kerberos4_reply,
182       kerberos4_status,
183       kerberos4_printsub },
184 #endif
185 #ifdef	KRB4_ENCPWD
186     { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
187       krb4encpwd_init,
188       krb4encpwd_send,
189       krb4encpwd_is,
190       krb4encpwd_reply,
191       krb4encpwd_status,
192       krb4encpwd_printsub },
193 #endif
194 #ifdef	RSA_ENCPWD
195     { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
196       rsaencpwd_init,
197       rsaencpwd_send,
198       rsaencpwd_is,
199       rsaencpwd_reply,
200       rsaencpwd_status,
201       rsaencpwd_printsub },
202 #endif
203     { 0, },
204 };
205 
206 static Authenticator NoAuth = { 0 };
207 
208 static int	i_support = 0;
209 static int	i_wont_support = 0;
210 
211 Authenticator *
212 findauthenticator(int type, int way)
213 {
214     Authenticator *ap = authenticators;
215 
216     while (ap->type && (ap->type != type || ap->way != way))
217 	++ap;
218     return(ap->type ? ap : 0);
219 }
220 
221 void
222 auth_init(const char *name, int server)
223 {
224     Authenticator *ap = authenticators;
225 
226     Server = server;
227     Name = name;
228 
229     i_support = 0;
230     authenticated = 0;
231     authenticating = 0;
232     while (ap->type) {
233 	if (!ap->init || (*ap->init)(ap, server)) {
234 	    i_support |= typemask(ap->type);
235 	    if (auth_debug_mode)
236 		printf(">>>%s: I support auth type %d %d\r\n",
237 		       Name,
238 		       ap->type, ap->way);
239 	}
240 	else if (auth_debug_mode)
241 	    printf(">>>%s: Init failed: auth type %d %d\r\n",
242 		   Name, ap->type, ap->way);
243 	++ap;
244     }
245 }
246 
247 void
248 auth_disable_name(char *name)
249 {
250     int x;
251     for (x = 0; x < AUTHTYPE_CNT; ++x) {
252 	if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
253 	    i_wont_support |= typemask(x);
254 	    break;
255 	}
256     }
257 }
258 
259 int
260 getauthmask(char *type, int *maskp)
261 {
262     int x;
263 
264     if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
265 	*maskp = -1;
266 	return(1);
267     }
268 
269     for (x = 1; x < AUTHTYPE_CNT; ++x) {
270 	if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
271 	    *maskp = typemask(x);
272 	    return(1);
273 	}
274     }
275     return(0);
276 }
277 
278 int
279 auth_enable(char *type)
280 {
281     return(auth_onoff(type, 1));
282 }
283 
284 int
285 auth_disable(char *type)
286 {
287     return(auth_onoff(type, 0));
288 }
289 
290 int
291 auth_onoff(char *type, int on)
292 {
293     int i, mask = -1;
294     Authenticator *ap;
295 
296     if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
297 	printf("auth %s 'type'\n", on ? "enable" : "disable");
298 	printf("Where 'type' is one of:\n");
299 	printf("\t%s\n", AUTHTYPE_NAME(0));
300 	mask = 0;
301 	for (ap = authenticators; ap->type; ap++) {
302 	    if ((mask & (i = typemask(ap->type))) != 0)
303 		continue;
304 	    mask |= i;
305 	    printf("\t%s\n", AUTHTYPE_NAME(ap->type));
306 	}
307 	return(0);
308     }
309 
310     if (!getauthmask(type, &mask)) {
311 	printf("%s: invalid authentication type\n", type);
312 	return(0);
313     }
314     if (on)
315 	i_wont_support &= ~mask;
316     else
317 	i_wont_support |= mask;
318     return(1);
319 }
320 
321 int
322 auth_togdebug(int on)
323 {
324     if (on < 0)
325 	auth_debug_mode ^= 1;
326     else
327 	auth_debug_mode = on;
328     printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
329     return(1);
330 }
331 
332 int
333 auth_status(void)
334 {
335     Authenticator *ap;
336     int i, mask;
337 
338     if (i_wont_support == -1)
339 	printf("Authentication disabled\n");
340     else
341 	printf("Authentication enabled\n");
342 
343     mask = 0;
344     for (ap = authenticators; ap->type; ap++) {
345 	if ((mask & (i = typemask(ap->type))) != 0)
346 	    continue;
347 	mask |= i;
348 	printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
349 	       (i_wont_support & typemask(ap->type)) ?
350 	       "disabled" : "enabled");
351     }
352     return(1);
353 }
354 
355 /*
356  * This routine is called by the server to start authentication
357  * negotiation.
358  */
359 void
360 auth_request(void)
361 {
362     static unsigned char str_request[64] = { IAC, SB,
363 					     TELOPT_AUTHENTICATION,
364 					     TELQUAL_SEND, };
365     Authenticator *ap = authenticators;
366     unsigned char *e = str_request + 4;
367 
368     if (!authenticating) {
369 	authenticating = 1;
370 	while (ap->type) {
371 	    if (i_support & ~i_wont_support & typemask(ap->type)) {
372 		if (auth_debug_mode) {
373 		    printf(">>>%s: Sending type %d %d\r\n",
374 			   Name, ap->type, ap->way);
375 		}
376 		*e++ = ap->type;
377 		*e++ = ap->way;
378 	    }
379 	    ++ap;
380 	}
381 	*e++ = IAC;
382 	*e++ = SE;
383 	telnet_net_write(str_request, e - str_request);
384 	printsub('>', &str_request[2], e - str_request - 2);
385     }
386 }
387 
388 /*
389  * This is called when an AUTH SEND is received.
390  * It should never arrive on the server side (as only the server can
391  * send an AUTH SEND).
392  * You should probably respond to it if you can...
393  *
394  * If you want to respond to the types out of order (i.e. even
395  * if he sends  LOGIN KERBEROS and you support both, you respond
396  * with KERBEROS instead of LOGIN (which is against what the
397  * protocol says)) you will have to hack this code...
398  */
399 void
400 auth_send(unsigned char *data, int cnt)
401 {
402     Authenticator *ap;
403     static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
404 					TELQUAL_IS, AUTHTYPE_NULL, 0,
405 					IAC, SE };
406     if (Server) {
407 	if (auth_debug_mode) {
408 	    printf(">>>%s: auth_send called!\r\n", Name);
409 	}
410 	return;
411     }
412 
413     if (auth_debug_mode) {
414 	printf(">>>%s: auth_send got:", Name);
415 	printd(data, cnt); printf("\r\n");
416     }
417 
418     /*
419      * Save the data, if it is new, so that we can continue looking
420      * at it if the authorization we try doesn't work
421      */
422     if (data < _auth_send_data ||
423 	data > _auth_send_data + sizeof(_auth_send_data)) {
424 	auth_send_cnt = cnt > sizeof(_auth_send_data)
425 	    ? sizeof(_auth_send_data)
426 	    : cnt;
427 	memmove(_auth_send_data, data, auth_send_cnt);
428 	auth_send_data = _auth_send_data;
429     } else {
430 	/*
431 	 * This is probably a no-op, but we just make sure
432 	 */
433 	auth_send_data = data;
434 	auth_send_cnt = cnt;
435     }
436     while ((auth_send_cnt -= 2) >= 0) {
437 	if (auth_debug_mode)
438 	    printf(">>>%s: He supports %d\r\n",
439 		   Name, *auth_send_data);
440 	if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
441 	    ap = findauthenticator(auth_send_data[0],
442 				   auth_send_data[1]);
443 	    if (ap && ap->send) {
444 		if (auth_debug_mode)
445 		    printf(">>>%s: Trying %d %d\r\n",
446 			   Name, auth_send_data[0],
447 			   auth_send_data[1]);
448 		if ((*ap->send)(ap)) {
449 		    /*
450 		     * Okay, we found one we like
451 		     * and did it.
452 		     * we can go home now.
453 		     */
454 		    if (auth_debug_mode)
455 			printf(">>>%s: Using type %d\r\n",
456 			       Name, *auth_send_data);
457 		    auth_send_data += 2;
458 		    return;
459 		}
460 	    }
461 	    /* else
462 	     *	just continue on and look for the
463 	     *	next one if we didn't do anything.
464 	     */
465 	}
466 	auth_send_data += 2;
467     }
468     telnet_net_write(str_none, sizeof(str_none));
469     printsub('>', &str_none[2], sizeof(str_none) - 2);
470     if (auth_debug_mode)
471 	printf(">>>%s: Sent failure message\r\n", Name);
472     auth_finished(0, AUTH_REJECT);
473     auth_has_failed = 1;
474 #ifdef KANNAN
475     /*
476      *  We requested strong authentication, however no mechanisms worked.
477      *  Therefore, exit on client end.
478      */
479     printf("Unable to securely authenticate user ... exit\n");
480     exit(0);
481 #endif /* KANNAN */
482 }
483 
484 void
485 auth_send_retry(void)
486 {
487     /*
488      * if auth_send_cnt <= 0 then auth_send will end up rejecting
489      * the authentication and informing the other side of this.
490 	 */
491     auth_send(auth_send_data, auth_send_cnt);
492 }
493 
494 void
495 auth_is(unsigned char *data, int cnt)
496 {
497     Authenticator *ap;
498 
499     if (cnt < 2)
500 	return;
501 
502     if (data[0] == AUTHTYPE_NULL) {
503 	auth_finished(0, AUTH_REJECT);
504 	return;
505     }
506 
507     if ((ap = findauthenticator(data[0], data[1]))) {
508 	if (ap->is)
509 	    (*ap->is)(ap, data+2, cnt-2);
510     } else if (auth_debug_mode)
511 	printf(">>>%s: Invalid authentication in IS: %d\r\n",
512 	       Name, *data);
513 }
514 
515 void
516 auth_reply(unsigned char *data, int cnt)
517 {
518     Authenticator *ap;
519 
520     if (cnt < 2)
521 	return;
522 
523     if ((ap = findauthenticator(data[0], data[1]))) {
524 	if (ap->reply)
525 	    (*ap->reply)(ap, data+2, cnt-2);
526     } else if (auth_debug_mode)
527 	printf(">>>%s: Invalid authentication in SEND: %d\r\n",
528 	       Name, *data);
529 }
530 
531 void
532 auth_name(unsigned char *data, int cnt)
533 {
534     char savename[256];
535 
536     if (cnt < 1) {
537 	if (auth_debug_mode)
538 	    printf(">>>%s: Empty name in NAME\r\n", Name);
539 	return;
540     }
541     if (cnt > sizeof(savename) - 1) {
542 	if (auth_debug_mode)
543 	    printf(">>>%s: Name in NAME (%d) exceeds %lu length\r\n",
544 		   Name, cnt, (unsigned long)(sizeof(savename)-1));
545 	return;
546     }
547     memmove(savename, data, cnt);
548     savename[cnt] = '\0';	/* Null terminate */
549     if (auth_debug_mode)
550 	printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
551     auth_encrypt_user(savename);
552 }
553 
554 int
555 auth_sendname(unsigned char *cp, int len)
556 {
557     static unsigned char str_request[256+6]
558 	= { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
559     unsigned char *e = str_request + 4;
560     unsigned char *ee = &str_request[sizeof(str_request)-2];
561 
562     while (--len >= 0) {
563 	if ((*e++ = *cp++) == IAC)
564 	    *e++ = IAC;
565 	if (e >= ee)
566 	    return(0);
567     }
568     *e++ = IAC;
569     *e++ = SE;
570     telnet_net_write(str_request, e - str_request);
571     printsub('>', &str_request[2], e - &str_request[2]);
572     return(1);
573 }
574 
575 void
576 auth_finished(Authenticator *ap, int result)
577 {
578     if (!(authenticated = ap))
579 	authenticated = &NoAuth;
580     validuser = result;
581 }
582 
583 /* ARGSUSED */
584 static void
585 auth_intr(int sig)
586 {
587     auth_finished(0, AUTH_REJECT);
588 }
589 
590 int
591 auth_wait(char *name, size_t name_sz)
592 {
593     if (auth_debug_mode)
594 	printf(">>>%s: in auth_wait.\r\n", Name);
595 
596     if (Server && !authenticating)
597 	return(0);
598 
599     signal(SIGALRM, auth_intr);
600     alarm(30);
601     while (!authenticated)
602 	if (telnet_spin())
603 	    break;
604     alarm(0);
605     signal(SIGALRM, SIG_DFL);
606 
607     /*
608      * Now check to see if the user is valid or not
609      */
610     if (!authenticated || authenticated == &NoAuth)
611 	return(AUTH_REJECT);
612 
613     if (validuser == AUTH_VALID)
614 	validuser = AUTH_USER;
615 
616     if (authenticated->status)
617 	validuser = (*authenticated->status)(authenticated,
618 					     name, name_sz,
619 					     validuser);
620     return(validuser);
621 }
622 
623 void
624 auth_debug(int mode)
625 {
626     auth_debug_mode = mode;
627 }
628 
629 void
630 auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
631 {
632     Authenticator *ap;
633 
634     if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
635 	(*ap->printsub)(data, cnt, buf, buflen);
636     else
637 	auth_gen_printsub(data, cnt, buf, buflen);
638 }
639 
640 void
641 auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
642 {
643     unsigned char *cp;
644     unsigned char tbuf[16];
645 
646     cnt -= 3;
647     data += 3;
648     buf[buflen-1] = '\0';
649     buf[buflen-2] = '*';
650     buflen -= 2;
651     for (; cnt > 0; cnt--, data++) {
652 	snprintf((char*)tbuf, sizeof(tbuf), " %d", *data);
653 	for (cp = tbuf; *cp && buflen > 0; --buflen)
654 	    *buf++ = *cp++;
655 	if (buflen <= 0)
656 	    return;
657     }
658     *buf = '\0';
659 }
660 #endif
661