xref: /netbsd-src/lib/libtelnet/auth.c (revision 23c8222edbfb0f0932d88a8351d3a0cf817dfb9e) 
1 /*	$NetBSD: auth.c,v 1.16 2003/08/07 16:44:54 agc Exp $	*/
2 
3 /*-
4  * Copyright (c) 1991, 1993
5  *	The Regents of the University of California.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. Neither the name of the University nor the names of its contributors
16  *    may be used to endorse or promote products derived from this software
17  *    without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  */
31 
32 #include <sys/cdefs.h>
33 #ifndef lint
34 #if 0
35 static char sccsid[] = "@(#)auth.c	8.3 (Berkeley) 5/30/95"
36 #else
37 __RCSID("$NetBSD: auth.c,v 1.16 2003/08/07 16:44:54 agc Exp $");
38 #endif
39 #endif /* not lint */
40 
41 /*
42  * Copyright (C) 1990 by the Massachusetts Institute of Technology
43  *
44  * Export of this software from the United States of America is assumed
45  * to require a specific license from the United States Government.
46  * It is the responsibility of any person or organization contemplating
47  * export to obtain such a license before exporting.
48  *
49  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
50  * distribute this software and its documentation for any purpose and
51  * without fee is hereby granted, provided that the above copyright
52  * notice appear in all copies and that both that copyright notice and
53  * this permission notice appear in supporting documentation, and that
54  * the name of M.I.T. not be used in advertising or publicity pertaining
55  * to distribution of the software without specific, written prior
56  * permission.  M.I.T. makes no representations about the suitability of
57  * this software for any purpose.  It is provided "as is" without express
58  * or implied warranty.
59  */
60 
61 
62 #ifdef AUTHENTICATION
63 #include <stdio.h>
64 #include <sys/types.h>
65 #include <signal.h>
66 #define	AUTH_NAMES
67 #include <arpa/telnet.h>
68 #include <stdlib.h>
69 #include <unistd.h>
70 #ifdef	NO_STRING_H
71 #include <strings.h>
72 #else
73 #include <string.h>
74 #endif
75 
76 #include "encrypt.h"
77 #include "auth.h"
78 #include "misc-proto.h"
79 #include "auth-proto.h"
80 
81 #define	typemask(x)		(1<<((x)-1))
82 
83 #ifdef	KRB4_ENCPWD
84 extern krb4encpwd_init();
85 extern krb4encpwd_send();
86 extern krb4encpwd_is();
87 extern krb4encpwd_reply();
88 extern krb4encpwd_status();
89 extern krb4encpwd_printsub();
90 #endif
91 
92 #ifdef	RSA_ENCPWD
93 extern rsaencpwd_init();
94 extern rsaencpwd_send();
95 extern rsaencpwd_is();
96 extern rsaencpwd_reply();
97 extern rsaencpwd_status();
98 extern rsaencpwd_printsub();
99 #endif
100 
101 int auth_debug_mode = 0;
102 static 	const char	*Name = "Noname";
103 static	int	Server = 0;
104 static	Authenticator	*authenticated = 0;
105 static	int	authenticating = 0;
106 static	int	validuser = 0;
107 static	unsigned char	_auth_send_data[256];
108 static	unsigned char	*auth_send_data;
109 static	int	auth_send_cnt = 0;
110 
111 static void auth_intr P((int));
112 
113 /*
114  * Authentication types supported.  Plese note that these are stored
115  * in priority order, i.e. try the first one first.
116  */
117 Authenticator authenticators[] = {
118 #ifdef	SPX
119 	{ AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
120 				spx_init,
121 				spx_send,
122 				spx_is,
123 				spx_reply,
124 				spx_status,
125 				spx_printsub },
126 	{ AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
127 				spx_init,
128 				spx_send,
129 				spx_is,
130 				spx_reply,
131 				spx_status,
132 				spx_printsub },
133 #endif
134 #ifdef	KRB5
135 # ifdef	ENCRYPTION
136 	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
137 				kerberos5_init,
138 				kerberos5_send,
139 				kerberos5_is,
140 				kerberos5_reply,
141 				kerberos5_status,
142 				kerberos5_printsub },
143 # endif	/* ENCRYPTION */
144 	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
145 				kerberos5_init,
146 				kerberos5_send,
147 				kerberos5_is,
148 				kerberos5_reply,
149 				kerberos5_status,
150 				kerberos5_printsub },
151 #endif
152 #ifdef	KRB4
153 # ifdef	ENCRYPTION
154 	{ AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
155 				kerberos4_init,
156 				kerberos4_send,
157 				kerberos4_is,
158 				kerberos4_reply,
159 				kerberos4_status,
160 				kerberos4_printsub },
161 # endif	/* ENCRYPTION */
162 	{ AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
163 				kerberos4_init,
164 				kerberos4_send,
165 				kerberos4_is,
166 				kerberos4_reply,
167 				kerberos4_status,
168 				kerberos4_printsub },
169 #endif
170 #ifdef	KRB4_ENCPWD
171 	{ AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
172 				krb4encpwd_init,
173 				krb4encpwd_send,
174 				krb4encpwd_is,
175 				krb4encpwd_reply,
176 				krb4encpwd_status,
177 				krb4encpwd_printsub },
178 #endif
179 #ifdef	RSA_ENCPWD
180 	{ AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
181 				rsaencpwd_init,
182 				rsaencpwd_send,
183 				rsaencpwd_is,
184 				rsaencpwd_reply,
185 				rsaencpwd_status,
186 				rsaencpwd_printsub },
187 #endif
188 	{ 0, },
189 };
190 
191 static Authenticator NoAuth = { 0 };
192 
193 static int	i_support = 0;
194 static int	i_wont_support = 0;
195 
196 	Authenticator *
197 findauthenticator(type, way)
198 	int type;
199 	int way;
200 {
201 	Authenticator *ap = authenticators;
202 
203 	while (ap->type && (ap->type != type || ap->way != way))
204 		++ap;
205 	return(ap->type ? ap : 0);
206 }
207 
208 	void
209 auth_init(name, server)
210 	const char *name;
211 	int server;
212 {
213 	Authenticator *ap = authenticators;
214 
215 	Server = server;
216 	Name = name;
217 
218 	i_support = 0;
219 	authenticated = 0;
220 	authenticating = 0;
221 	while (ap->type) {
222 		if (!ap->init || (*ap->init)(ap, server)) {
223 			i_support |= typemask(ap->type);
224 			if (auth_debug_mode)
225 				printf(">>>%s: I support auth type %d %d\r\n",
226 					Name,
227 					ap->type, ap->way);
228 		}
229 		else if (auth_debug_mode)
230 			printf(">>>%s: Init failed: auth type %d %d\r\n",
231 				Name, ap->type, ap->way);
232 		++ap;
233 	}
234 }
235 
236 	void
237 auth_disable_name(name)
238 	char *name;
239 {
240 	int x;
241 	for (x = 0; x < AUTHTYPE_CNT; ++x) {
242 		if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
243 			i_wont_support |= typemask(x);
244 			break;
245 		}
246 	}
247 }
248 
249 	int
250 getauthmask(type, maskp)
251 	char *type;
252 	int *maskp;
253 {
254 	register int x;
255 
256 	if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
257 		*maskp = -1;
258 		return(1);
259 	}
260 
261 	for (x = 1; x < AUTHTYPE_CNT; ++x) {
262 		if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
263 			*maskp = typemask(x);
264 			return(1);
265 		}
266 	}
267 	return(0);
268 }
269 
270 	int
271 auth_enable(type)
272 	char *type;
273 {
274 	return(auth_onoff(type, 1));
275 }
276 
277 	int
278 auth_disable(type)
279 	char *type;
280 {
281 	return(auth_onoff(type, 0));
282 }
283 
284 	int
285 auth_onoff(type, on)
286 	char *type;
287 	int on;
288 {
289 	int i, mask = -1;
290 	Authenticator *ap;
291 
292 	if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
293 		printf("auth %s 'type'\n", on ? "enable" : "disable");
294 		printf("Where 'type' is one of:\n");
295 		printf("\t%s\n", AUTHTYPE_NAME(0));
296 		mask = 0;
297 		for (ap = authenticators; ap->type; ap++) {
298 			if ((mask & (i = typemask(ap->type))) != 0)
299 				continue;
300 			mask |= i;
301 			printf("\t%s\n", AUTHTYPE_NAME(ap->type));
302 		}
303 		return(0);
304 	}
305 
306 	if (!getauthmask(type, &mask)) {
307 		printf("%s: invalid authentication type\n", type);
308 		return(0);
309 	}
310 	if (on)
311 		i_wont_support &= ~mask;
312 	else
313 		i_wont_support |= mask;
314 	return(1);
315 }
316 
317 	int
318 auth_togdebug(on)
319 	int on;
320 {
321 	if (on < 0)
322 		auth_debug_mode ^= 1;
323 	else
324 		auth_debug_mode = on;
325 	printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
326 	return(1);
327 }
328 
329 	int
330 auth_status(s)
331 	char *s;
332 {
333 	Authenticator *ap;
334 	int i, mask;
335 
336 	if (i_wont_support == -1)
337 		printf("Authentication disabled\n");
338 	else
339 		printf("Authentication enabled\n");
340 
341 	mask = 0;
342 	for (ap = authenticators; ap->type; ap++) {
343 		if ((mask & (i = typemask(ap->type))) != 0)
344 			continue;
345 		mask |= i;
346 		printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
347 			(i_wont_support & typemask(ap->type)) ?
348 					"disabled" : "enabled");
349 	}
350 	return(1);
351 }
352 
353 /*
354  * This routine is called by the server to start authentication
355  * negotiation.
356  */
357 	void
358 auth_request()
359 {
360 	static unsigned char str_request[64] = { IAC, SB,
361 						 TELOPT_AUTHENTICATION,
362 						 TELQUAL_SEND, };
363 	Authenticator *ap = authenticators;
364 	unsigned char *e = str_request + 4;
365 
366 	if (!authenticating) {
367 		authenticating = 1;
368 		while (ap->type) {
369 			if (i_support & ~i_wont_support & typemask(ap->type)) {
370 				if (auth_debug_mode) {
371 					printf(">>>%s: Sending type %d %d\r\n",
372 						Name, ap->type, ap->way);
373 				}
374 				*e++ = ap->type;
375 				*e++ = ap->way;
376 			}
377 			++ap;
378 		}
379 		*e++ = IAC;
380 		*e++ = SE;
381 		telnet_net_write(str_request, e - str_request);
382 		printsub('>', &str_request[2], e - str_request - 2);
383 	}
384 }
385 
386 /*
387  * This is called when an AUTH SEND is received.
388  * It should never arrive on the server side (as only the server can
389  * send an AUTH SEND).
390  * You should probably respond to it if you can...
391  *
392  * If you want to respond to the types out of order (i.e. even
393  * if he sends  LOGIN KERBEROS and you support both, you respond
394  * with KERBEROS instead of LOGIN (which is against what the
395  * protocol says)) you will have to hack this code...
396  */
397 	void
398 auth_send(data, cnt)
399 	unsigned char *data;
400 	int cnt;
401 {
402 	Authenticator *ap;
403 	static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
404 					    TELQUAL_IS, AUTHTYPE_NULL, 0,
405 					    IAC, SE };
406 	if (Server) {
407 		if (auth_debug_mode) {
408 			printf(">>>%s: auth_send called!\r\n", Name);
409 		}
410 		return;
411 	}
412 
413 	if (auth_debug_mode) {
414 		printf(">>>%s: auth_send got:", Name);
415 		printd(data, cnt); printf("\r\n");
416 	}
417 
418 	/*
419 	 * Save the data, if it is new, so that we can continue looking
420 	 * at it if the authorization we try doesn't work
421 	 */
422 	if (data < _auth_send_data ||
423 	    data > _auth_send_data + sizeof(_auth_send_data)) {
424 		auth_send_cnt = cnt > sizeof(_auth_send_data)
425 					? sizeof(_auth_send_data)
426 					: cnt;
427 		memmove((void *)_auth_send_data, (void *)data, auth_send_cnt);
428 		auth_send_data = _auth_send_data;
429 	} else {
430 		/*
431 		 * This is probably a no-op, but we just make sure
432 		 */
433 		auth_send_data = data;
434 		auth_send_cnt = cnt;
435 	}
436 	while ((auth_send_cnt -= 2) >= 0) {
437 		if (auth_debug_mode)
438 			printf(">>>%s: He supports %d\r\n",
439 				Name, *auth_send_data);
440 		if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
441 			ap = findauthenticator(auth_send_data[0],
442 					       auth_send_data[1]);
443 			if (ap && ap->send) {
444 				if (auth_debug_mode)
445 					printf(">>>%s: Trying %d %d\r\n",
446 						Name, auth_send_data[0],
447 							auth_send_data[1]);
448 				if ((*ap->send)(ap)) {
449 					/*
450 					 * Okay, we found one we like
451 					 * and did it.
452 					 * we can go home now.
453 					 */
454 					if (auth_debug_mode)
455 						printf(">>>%s: Using type %d\r\n",
456 							Name, *auth_send_data);
457 					auth_send_data += 2;
458 					return;
459 				}
460 			}
461 			/* else
462 			 *	just continue on and look for the
463 			 *	next one if we didn't do anything.
464 			 */
465 		}
466 		auth_send_data += 2;
467 	}
468 	telnet_net_write(str_none, sizeof(str_none));
469 	printsub('>', &str_none[2], sizeof(str_none) - 2);
470 	if (auth_debug_mode)
471 		printf(">>>%s: Sent failure message\r\n", Name);
472 	auth_finished(0, AUTH_REJECT);
473 #ifdef KANNAN
474 	/*
475 	 *  We requested strong authentication, however no mechanisms worked.
476 	 *  Therefore, exit on client end.
477 	 */
478 	printf("Unable to securely authenticate user ... exit\n");
479 	exit(0);
480 #endif /* KANNAN */
481 }
482 
483 	void
484 auth_send_retry()
485 {
486 	/*
487 	 * if auth_send_cnt <= 0 then auth_send will end up rejecting
488 	 * the authentication and informing the other side of this.
489 	 */
490 	auth_send(auth_send_data, auth_send_cnt);
491 }
492 
493 	void
494 auth_is(data, cnt)
495 	unsigned char *data;
496 	int cnt;
497 {
498 	Authenticator *ap;
499 
500 	if (cnt < 2)
501 		return;
502 
503 	if (data[0] == AUTHTYPE_NULL) {
504 		auth_finished(0, AUTH_REJECT);
505 		return;
506 	}
507 
508 	if ((ap = findauthenticator(data[0], data[1])) != NULL) {
509 		if (ap->is)
510 			(*ap->is)(ap, data+2, cnt-2);
511 	} else if (auth_debug_mode)
512 		printf(">>>%s: Invalid authentication in IS: %d\r\n",
513 			Name, *data);
514 }
515 
516 	void
517 auth_reply(data, cnt)
518 	unsigned char *data;
519 	int cnt;
520 {
521 	Authenticator *ap;
522 
523 	if (cnt < 2)
524 		return;
525 
526 	if ((ap = findauthenticator(data[0], data[1])) != NULL) {
527 		if (ap->reply)
528 			(*ap->reply)(ap, data+2, cnt-2);
529 	} else if (auth_debug_mode)
530 		printf(">>>%s: Invalid authentication in SEND: %d\r\n",
531 			Name, *data);
532 }
533 
534 	void
535 auth_name(data, cnt)
536 	unsigned char *data;
537 	int cnt;
538 {
539 	unsigned char savename[256];
540 
541 	if (cnt < 1) {
542 		if (auth_debug_mode)
543 			printf(">>>%s: Empty name in NAME\r\n", Name);
544 		return;
545 	}
546 	if (cnt > sizeof(savename) - 1) {
547 		if (auth_debug_mode)
548 			printf(">>>%s: Name in NAME (%d) exceeds %ld length\r\n",
549 					Name, cnt, (long)sizeof(savename)-1);
550 		return;
551 	}
552 	memmove((void *)savename, (void *)data, cnt);
553 	savename[cnt] = '\0';	/* Null terminate */
554 	if (auth_debug_mode)
555 		printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
556 	auth_encrypt_user(savename);
557 }
558 
559 	int
560 auth_sendname(cp, len)
561 	unsigned char *cp;
562 	int len;
563 {
564 	static unsigned char str_request[256+6]
565 			= { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
566 	register unsigned char *e = str_request + 4;
567 	register unsigned char *ee = &str_request[sizeof(str_request)-2];
568 
569 	while (--len >= 0) {
570 		if ((*e++ = *cp++) == IAC)
571 			*e++ = IAC;
572 		if (e >= ee)
573 			return(0);
574 	}
575 	*e++ = IAC;
576 	*e++ = SE;
577 	telnet_net_write(str_request, e - str_request);
578 	printsub('>', &str_request[2], e - &str_request[2]);
579 	return(1);
580 }
581 
582 	void
583 auth_finished(ap, result)
584 	Authenticator *ap;
585 	int result;
586 {
587 	if (!(authenticated = ap))
588 		authenticated = &NoAuth;
589 	validuser = result;
590 }
591 
592 	/* ARGSUSED */
593 	static void
594 auth_intr(sig)
595 	int sig;
596 {
597 	auth_finished(0, AUTH_REJECT);
598 }
599 
600 	int
601 auth_wait(name, l)
602 	char *name;
603 	size_t l;
604 {
605 	if (auth_debug_mode)
606 		printf(">>>%s: in auth_wait.\r\n", Name);
607 
608 	if (Server && !authenticating)
609 		return(0);
610 
611 	(void) signal(SIGALRM, auth_intr);
612 	alarm(30);
613 	while (!authenticated)
614 		if (telnet_spin())
615 			break;
616 	alarm(0);
617 	(void) signal(SIGALRM, SIG_DFL);
618 
619 	/*
620 	 * Now check to see if the user is valid or not
621 	 */
622 	if (!authenticated || authenticated == &NoAuth)
623 		return(AUTH_REJECT);
624 
625 	if (validuser == AUTH_VALID)
626 		validuser = AUTH_USER;
627 
628 	if (authenticated->status)
629 		validuser = (*authenticated->status)(authenticated,
630 						     name, l, validuser);
631 	return(validuser);
632 }
633 
634 	void
635 auth_debug(mode)
636 	int mode;
637 {
638 	auth_debug_mode = mode;
639 }
640 
641 	void
642 auth_printsub(data, cnt, buf, buflen)
643 	unsigned char *data, *buf;
644 	int cnt, buflen;
645 {
646 	Authenticator *ap;
647 
648 	if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
649 		(*ap->printsub)(data, cnt, buf, buflen);
650 	else
651 		auth_gen_printsub(data, cnt, buf, buflen);
652 }
653 
654 	void
655 auth_gen_printsub(data, cnt, buf, buflen)
656 	unsigned char *data, *buf;
657 	int cnt, buflen;
658 {
659 	register unsigned char *cp;
660 	unsigned char tbuf[16];
661 
662 	cnt -= 3;
663 	data += 3;
664 	buf[buflen-1] = '\0';
665 	buf[buflen-2] = '*';
666 	buflen -= 2;
667 	for (; cnt > 0; cnt--, data++) {
668 		snprintf((char *)tbuf, sizeof(tbuf), " %d", *data);
669 		for (cp = tbuf; *cp && buflen > 0; --buflen)
670 			*buf++ = *cp++;
671 		if (buflen <= 0)
672 			return;
673 	}
674 	*buf = '\0';
675 }
676 #endif
677