1 /*-
2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the University nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 * $FreeBSD: src/crypto/telnet/libtelnet/auth.c,v 1.3.2.5 2002/04/13 10:59:07 markm Exp $
30 *
31 * @(#)auth.c 8.3 (Berkeley) 5/30/95
32 * $FreeBSD: src/crypto/telnet/libtelnet/auth.c,v 1.3.2.5 2002/04/13 10:59:07 markm Exp $
33 */
34
35 /*
36 * Copyright (C) 1990 by the Massachusetts Institute of Technology
37 *
38 * Export of this software from the United States of America is assumed
39 * to require a specific license from the United States Government.
40 * It is the responsibility of any person or organization contemplating
41 * export to obtain such a license before exporting.
42 *
43 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
44 * distribute this software and its documentation for any purpose and
45 * without fee is hereby granted, provided that the above copyright
46 * notice appear in all copies and that both that copyright notice and
47 * this permission notice appear in supporting documentation, and that
48 * the name of M.I.T. not be used in advertising or publicity pertaining
49 * to distribution of the software without specific, written prior
50 * permission. M.I.T. makes no representations about the suitability of
51 * this software for any purpose. It is provided "as is" without express
52 * or implied warranty.
53 */
54
55
56 #ifdef AUTHENTICATION
57 #define AUTH_NAMES
58 #include <sys/types.h>
59 #include <signal.h>
60 #include <stdio.h>
61 #include <stdlib.h>
62 #include <string.h>
63 #include <unistd.h>
64 #include <arpa/telnet.h>
65
66 #include "encrypt.h"
67 #include "auth.h"
68 #include "misc-proto.h"
69 #include "auth-proto.h"
70
71 #define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0)
72
73 #ifdef KRB4_ENCPWD
74 extern krb4encpwd_init();
75 extern krb4encpwd_send();
76 extern krb4encpwd_is();
77 extern krb4encpwd_reply();
78 extern krb4encpwd_status();
79 extern krb4encpwd_printsub();
80 #endif
81
82 #ifdef RSA_ENCPWD
83 extern rsaencpwd_init();
84 extern rsaencpwd_send();
85 extern rsaencpwd_is();
86 extern rsaencpwd_reply();
87 extern rsaencpwd_status();
88 extern rsaencpwd_printsub();
89 #endif
90
91 int auth_debug_mode = 0;
92 static const char *Name = "Noname";
93 static int Server = 0;
94 static Authenticator *authenticated = NULL;
95 static int authenticating = 0;
96 static int validuser = 0;
97 static unsigned char _auth_send_data[256];
98 static unsigned char *auth_send_data;
99 static int auth_send_cnt = 0;
100
101 int auth_onoff(char *type, int on);
102 void auth_encrypt_user(char *name);
103
104 /*
105 * Authentication types supported. Plese note that these are stored
106 * in priority order, i.e. try the first one first.
107 */
108 Authenticator authenticators[] = {
109 #ifdef KRB5
110 # ifdef ENCRYPTION
111 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
112 kerberos5_init,
113 kerberos5_send_mutual,
114 kerberos5_is,
115 kerberos5_reply,
116 kerberos5_status,
117 kerberos5_printsub },
118 # endif /* ENCRYPTION */
119 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
120 kerberos5_init,
121 kerberos5_send_oneway,
122 kerberos5_is,
123 kerberos5_reply,
124 kerberos5_status,
125 kerberos5_printsub },
126 #endif
127 #ifdef KRB4
128 # ifdef ENCRYPTION
129 { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
130 kerberos4_init,
131 kerberos4_send,
132 kerberos4_is,
133 kerberos4_reply,
134 kerberos4_status,
135 kerberos4_printsub },
136 # endif /* ENCRYPTION */
137 { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
138 kerberos4_init,
139 kerberos4_send,
140 kerberos4_is,
141 kerberos4_reply,
142 kerberos4_status,
143 kerberos4_printsub },
144 #endif
145 #ifdef KRB4_ENCPWD
146 { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
147 krb4encpwd_init,
148 krb4encpwd_send,
149 krb4encpwd_is,
150 krb4encpwd_reply,
151 krb4encpwd_status,
152 krb4encpwd_printsub },
153 #endif
154 #ifdef RSA_ENCPWD
155 { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
156 rsaencpwd_init,
157 rsaencpwd_send,
158 rsaencpwd_is,
159 rsaencpwd_reply,
160 rsaencpwd_status,
161 rsaencpwd_printsub },
162 #endif
163 #ifdef SRA
164 { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
165 sra_init,
166 sra_send,
167 sra_is,
168 sra_reply,
169 sra_status,
170 sra_printsub },
171
172 #endif
173 { 0, 0, 0, 0, 0, 0, 0, 0 },
174 };
175
176 static Authenticator NoAuth = { 0, 0, 0, 0, 0, 0, 0, 0 };
177
178 static int i_support = 0;
179 static int i_wont_support = 0;
180
181 Authenticator *
findauthenticator(int type,int way)182 findauthenticator(int type, int way)
183 {
184 Authenticator *ap = authenticators;
185
186 while (ap->type && (ap->type != type || ap->way != way))
187 ++ap;
188 return(ap->type ? ap : 0);
189 }
190
191 void
auth_init(const char * name,int server)192 auth_init(const char *name, int server)
193 {
194 Authenticator *ap = authenticators;
195
196 Server = server;
197 Name = name;
198
199 i_support = 0;
200 authenticated = NULL;
201 authenticating = 0;
202 while (ap->type) {
203 if (!ap->init || (*ap->init)(ap, server)) {
204 i_support |= typemask(ap->type);
205 if (auth_debug_mode)
206 printf(">>>%s: I support auth type %d %d\r\n",
207 Name,
208 ap->type, ap->way);
209 }
210 else if (auth_debug_mode)
211 printf(">>>%s: Init failed: auth type %d %d\r\n",
212 Name, ap->type, ap->way);
213 ++ap;
214 }
215 }
216
217 void
auth_disable_name(char * name)218 auth_disable_name(char *name)
219 {
220 int x;
221 for (x = 0; x < AUTHTYPE_CNT; ++x) {
222 if (AUTHTYPE_NAME(x) && !strcasecmp(name, AUTHTYPE_NAME(x))) {
223 i_wont_support |= typemask(x);
224 break;
225 }
226 }
227 }
228
229 int
getauthmask(char * type,int * maskp)230 getauthmask(char *type, int *maskp)
231 {
232 int x;
233
234 if (AUTHTYPE_NAME(0) && !strcasecmp(type, AUTHTYPE_NAME(0))) {
235 *maskp = -1;
236 return(1);
237 }
238
239 for (x = 1; x < AUTHTYPE_CNT; ++x) {
240 if (AUTHTYPE_NAME(x) && !strcasecmp(type, AUTHTYPE_NAME(x))) {
241 *maskp = typemask(x);
242 return(1);
243 }
244 }
245 return(0);
246 }
247
248 int
auth_enable(char * type)249 auth_enable(char *type)
250 {
251 return(auth_onoff(type, 1));
252 }
253
254 int
auth_disable(char * type)255 auth_disable(char *type)
256 {
257 return(auth_onoff(type, 0));
258 }
259
260 int
auth_onoff(char * type,int on)261 auth_onoff(char *type, int on)
262 {
263 int i, mask = -1;
264 Authenticator *ap;
265
266 if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
267 printf("auth %s 'type'\n", on ? "enable" : "disable");
268 printf("Where 'type' is one of:\n");
269 printf("\t%s\n", AUTHTYPE_NAME(0));
270 mask = 0;
271 for (ap = authenticators; ap->type; ap++) {
272 if ((mask & (i = typemask(ap->type))) != 0)
273 continue;
274 mask |= i;
275 printf("\t%s\n", AUTHTYPE_NAME(ap->type));
276 }
277 return(0);
278 }
279
280 if (!getauthmask(type, &mask)) {
281 printf("%s: invalid authentication type\n", type);
282 return(0);
283 }
284 if (on)
285 i_wont_support &= ~mask;
286 else
287 i_wont_support |= mask;
288 return(1);
289 }
290
291 int
auth_togdebug(int on)292 auth_togdebug(int on)
293 {
294 if (on < 0)
295 auth_debug_mode ^= 1;
296 else
297 auth_debug_mode = on;
298 printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
299 return(1);
300 }
301
302 int
auth_status(void)303 auth_status(void)
304 {
305 Authenticator *ap;
306 int i, mask;
307
308 if (i_wont_support == -1)
309 printf("Authentication disabled\n");
310 else
311 printf("Authentication enabled\n");
312
313 mask = 0;
314 for (ap = authenticators; ap->type; ap++) {
315 if ((mask & (i = typemask(ap->type))) != 0)
316 continue;
317 mask |= i;
318 printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
319 (i_wont_support & typemask(ap->type)) ?
320 "disabled" : "enabled");
321 }
322 return(1);
323 }
324
325 /*
326 * This routine is called by the server to start authentication
327 * negotiation.
328 */
329 void
auth_request(void)330 auth_request(void)
331 {
332 static unsigned char str_request[64] = { IAC, SB,
333 TELOPT_AUTHENTICATION,
334 TELQUAL_SEND, };
335 Authenticator *ap = authenticators;
336 unsigned char *e = str_request + 4;
337
338 if (!authenticating) {
339 authenticating = 1;
340 while (ap->type) {
341 if (i_support & ~i_wont_support & typemask(ap->type)) {
342 if (auth_debug_mode) {
343 printf(">>>%s: Sending type %d %d\r\n",
344 Name, ap->type, ap->way);
345 }
346 *e++ = ap->type;
347 *e++ = ap->way;
348 }
349 ++ap;
350 }
351 *e++ = IAC;
352 *e++ = SE;
353 net_write(str_request, e - str_request);
354 printsub('>', &str_request[2], e - str_request - 2);
355 }
356 }
357
358 /*
359 * This is called when an AUTH SEND is received.
360 * It should never arrive on the server side (as only the server can
361 * send an AUTH SEND).
362 * You should probably respond to it if you can...
363 *
364 * If you want to respond to the types out of order (i.e. even
365 * if he sends LOGIN KERBEROS and you support both, you respond
366 * with KERBEROS instead of LOGIN (which is against what the
367 * protocol says)) you will have to hack this code...
368 */
369 void
auth_send(unsigned char * data,int cnt)370 auth_send(unsigned char *data, int cnt)
371 {
372 Authenticator *ap;
373 static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
374 TELQUAL_IS, AUTHTYPE_NULL, 0,
375 IAC, SE };
376 if (Server) {
377 if (auth_debug_mode) {
378 printf(">>>%s: auth_send called!\r\n", Name);
379 }
380 return;
381 }
382
383 if (auth_debug_mode) {
384 printf(">>>%s: auth_send got:", Name);
385 printd(data, cnt); printf("\r\n");
386 }
387
388 /*
389 * Save the data, if it is new, so that we can continue looking
390 * at it if the authorization we try doesn't work
391 */
392 if (data < _auth_send_data ||
393 data > _auth_send_data + sizeof(_auth_send_data)) {
394 auth_send_cnt = (size_t)cnt > sizeof(_auth_send_data)
395 ? sizeof(_auth_send_data)
396 : cnt;
397 memmove((void *)_auth_send_data, (void *)data, auth_send_cnt);
398 auth_send_data = _auth_send_data;
399 } else {
400 /*
401 * This is probably a no-op, but we just make sure
402 */
403 auth_send_data = data;
404 auth_send_cnt = cnt;
405 }
406 while ((auth_send_cnt -= 2) >= 0) {
407 if (auth_debug_mode)
408 printf(">>>%s: He supports %d\r\n",
409 Name, *auth_send_data);
410 if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
411 ap = findauthenticator(auth_send_data[0],
412 auth_send_data[1]);
413 if (ap && ap->send) {
414 if (auth_debug_mode)
415 printf(">>>%s: Trying %d %d\r\n",
416 Name, auth_send_data[0],
417 auth_send_data[1]);
418 if ((*ap->send)(ap)) {
419 /*
420 * Okay, we found one we like
421 * and did it.
422 * we can go home now.
423 */
424 if (auth_debug_mode)
425 printf(">>>%s: Using type %d\r\n",
426 Name, *auth_send_data);
427 auth_send_data += 2;
428 return;
429 }
430 }
431 /* else
432 * just continue on and look for the
433 * next one if we didn't do anything.
434 */
435 }
436 auth_send_data += 2;
437 }
438 net_write(str_none, sizeof(str_none));
439 printsub('>', &str_none[2], sizeof(str_none) - 2);
440 if (auth_debug_mode)
441 printf(">>>%s: Sent failure message\r\n", Name);
442 auth_finished(0, AUTH_REJECT);
443 }
444
445 void
auth_send_retry(void)446 auth_send_retry(void)
447 {
448 /*
449 * if auth_send_cnt <= 0 then auth_send will end up rejecting
450 * the authentication and informing the other side of this.
451 */
452 auth_send(auth_send_data, auth_send_cnt);
453 }
454
455 void
auth_is(unsigned char * data,int cnt)456 auth_is(unsigned char *data, int cnt)
457 {
458 Authenticator *ap;
459
460 if (cnt < 2)
461 return;
462
463 if (data[0] == AUTHTYPE_NULL) {
464 auth_finished(0, AUTH_REJECT);
465 return;
466 }
467
468 if ((ap = findauthenticator(data[0], data[1]))) {
469 if (ap->is)
470 (*ap->is)(ap, data+2, cnt-2);
471 } else if (auth_debug_mode)
472 printf(">>>%s: Invalid authentication in IS: %d\r\n",
473 Name, *data);
474 }
475
476 void
auth_reply(unsigned char * data,int cnt)477 auth_reply(unsigned char *data, int cnt)
478 {
479 Authenticator *ap;
480
481 if (cnt < 2)
482 return;
483
484 if ((ap = findauthenticator(data[0], data[1]))) {
485 if (ap->reply)
486 (*ap->reply)(ap, data+2, cnt-2);
487 } else if (auth_debug_mode)
488 printf(">>>%s: Invalid authentication in SEND: %d\r\n",
489 Name, *data);
490 }
491
492 void
auth_name(unsigned char * data,int cnt)493 auth_name(unsigned char *data, int cnt)
494 {
495 unsigned char savename[256];
496
497 if (cnt < 1) {
498 if (auth_debug_mode)
499 printf(">>>%s: Empty name in NAME\r\n", Name);
500 return;
501 }
502 if ((size_t)cnt > sizeof(savename) - 1) {
503 if (auth_debug_mode)
504 printf(">>>%s: Name in NAME (%d) exceeds %d length\r\n",
505 Name, cnt, (u_int)sizeof(savename)-1);
506 return;
507 }
508 memmove((void *)savename, (void *)data, cnt);
509 savename[cnt] = '\0'; /* Null terminate */
510 if (auth_debug_mode)
511 printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
512 auth_encrypt_user(savename);
513 }
514
515 int
auth_sendname(unsigned char * cp,int len)516 auth_sendname(unsigned char *cp, int len)
517 {
518 static unsigned char str_request[256+6]
519 = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
520 unsigned char *e = str_request + 4;
521 unsigned char *ee = &str_request[sizeof(str_request)-2];
522
523 while (--len >= 0) {
524 if ((*e++ = *cp++) == IAC)
525 *e++ = IAC;
526 if (e >= ee)
527 return(0);
528 }
529 *e++ = IAC;
530 *e++ = SE;
531 net_write(str_request, e - str_request);
532 printsub('>', &str_request[2], e - &str_request[2]);
533 return(1);
534 }
535
536 void
auth_finished(Authenticator * ap,int result)537 auth_finished(Authenticator *ap, int result)
538 {
539 if (!(authenticated = ap))
540 authenticated = &NoAuth;
541 validuser = result;
542 }
543
544 /* ARGSUSED */
545 static void
auth_intr(int sig __unused)546 auth_intr(int sig __unused)
547 {
548 auth_finished(0, AUTH_REJECT);
549 }
550
551 int
auth_wait(char * name)552 auth_wait(char *name)
553 {
554 if (auth_debug_mode)
555 printf(">>>%s: in auth_wait.\r\n", Name);
556
557 if (Server && !authenticating)
558 return(0);
559
560 (void) signal(SIGALRM, auth_intr);
561 alarm(30);
562 while (!authenticated)
563 if (telnet_spin())
564 break;
565 alarm(0);
566 (void) signal(SIGALRM, SIG_DFL);
567
568 /*
569 * Now check to see if the user is valid or not
570 */
571 if (!authenticated || authenticated == &NoAuth)
572 return(AUTH_REJECT);
573
574 if (validuser == AUTH_VALID)
575 validuser = AUTH_USER;
576
577 if (authenticated->status)
578 validuser = (*authenticated->status)(authenticated,
579 name, validuser);
580 return(validuser);
581 }
582
583 void
auth_printsub(unsigned char * data,int cnt,unsigned char * buf,int buflen)584 auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
585 {
586 Authenticator *ap;
587
588 if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
589 (*ap->printsub)(data, cnt, buf, buflen);
590 else
591 auth_gen_printsub(data, cnt, buf, buflen);
592 }
593
594 void
auth_gen_printsub(unsigned char * data,int cnt,unsigned char * buf,int buflen)595 auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
596 {
597 unsigned char *cp;
598 unsigned char tbuf[16];
599
600 cnt -= 3;
601 data += 3;
602 buf[buflen-1] = '\0';
603 buf[buflen-2] = '*';
604 buflen -= 2;
605 for (; cnt > 0; cnt--, data++) {
606 sprintf((char *)tbuf, " %d", *data);
607 for (cp = tbuf; *cp && buflen > 0; --buflen)
608 *buf++ = *cp++;
609 if (buflen <= 0)
610 return;
611 }
612 *buf = '\0';
613 }
614 #endif
615