xref: /netbsd-src/lib/libtelnet/auth.c (revision 2a399c6883d870daece976daec6ffa7bb7f934ce)
1 /*-
2  * Copyright (c) 1991, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *	This product includes software developed by the University of
16  *	California, Berkeley and its contributors.
17  * 4. Neither the name of the University nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include <sys/cdefs.h>
35 #ifndef lint
36 #if 0
37 static char sccsid[] = "@(#)auth.c	8.3 (Berkeley) 5/30/95"
38 #else
39 __RCSID("$NetBSD: auth.c,v 1.6 1997/10/09 13:52:40 lukem Exp $");
40 #endif
41 #endif /* not lint */
42 
43 /*
44  * Copyright (C) 1990 by the Massachusetts Institute of Technology
45  *
46  * Export of this software from the United States of America is assumed
47  * to require a specific license from the United States Government.
48  * It is the responsibility of any person or organization contemplating
49  * export to obtain such a license before exporting.
50  *
51  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
52  * distribute this software and its documentation for any purpose and
53  * without fee is hereby granted, provided that the above copyright
54  * notice appear in all copies and that both that copyright notice and
55  * this permission notice appear in supporting documentation, and that
56  * the name of M.I.T. not be used in advertising or publicity pertaining
57  * to distribution of the software without specific, written prior
58  * permission.  M.I.T. makes no representations about the suitability of
59  * this software for any purpose.  It is provided "as is" without express
60  * or implied warranty.
61  */
62 
63 
64 #if	defined(AUTHENTICATION)
65 #include <stdio.h>
66 #include <sys/types.h>
67 #include <signal.h>
68 #define	AUTH_NAMES
69 #include <arpa/telnet.h>
70 #ifdef	__STDC__
71 #include <stdlib.h>
72 #endif
73 #ifdef	NO_STRING_H
74 #include <strings.h>
75 #else
76 #include <string.h>
77 #endif
78 
79 #include "encrypt.h"
80 #include "auth.h"
81 #include "misc-proto.h"
82 #include "auth-proto.h"
83 
84 #define	typemask(x)		(1<<((x)-1))
85 
86 #ifdef	KRB4_ENCPWD
87 extern krb4encpwd_init();
88 extern krb4encpwd_send();
89 extern krb4encpwd_is();
90 extern krb4encpwd_reply();
91 extern krb4encpwd_status();
92 extern krb4encpwd_printsub();
93 #endif
94 
95 #ifdef	RSA_ENCPWD
96 extern rsaencpwd_init();
97 extern rsaencpwd_send();
98 extern rsaencpwd_is();
99 extern rsaencpwd_reply();
100 extern rsaencpwd_status();
101 extern rsaencpwd_printsub();
102 #endif
103 
104 int auth_debug_mode = 0;
105 static 	char	*Name = "Noname";
106 static	int	Server = 0;
107 static	Authenticator	*authenticated = 0;
108 static	int	authenticating = 0;
109 static	int	validuser = 0;
110 static	unsigned char	_auth_send_data[256];
111 static	unsigned char	*auth_send_data;
112 static	int	auth_send_cnt = 0;
113 
114 /*
115  * Authentication types supported.  Plese note that these are stored
116  * in priority order, i.e. try the first one first.
117  */
118 Authenticator authenticators[] = {
119 #ifdef	SPX
120 	{ AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
121 				spx_init,
122 				spx_send,
123 				spx_is,
124 				spx_reply,
125 				spx_status,
126 				spx_printsub },
127 	{ AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
128 				spx_init,
129 				spx_send,
130 				spx_is,
131 				spx_reply,
132 				spx_status,
133 				spx_printsub },
134 #endif
135 #ifdef	KRB5
136 	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
137 				kerberos5_init,
138 				kerberos5_send,
139 				kerberos5_is,
140 				kerberos5_reply,
141 				kerberos5_status,
142 				kerberos5_printsub },
143 #endif
144 #ifdef	KRB4
145 	{ AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
146 				kerberos4_init,
147 				kerberos4_send,
148 				kerberos4_is,
149 				kerberos4_reply,
150 				kerberos4_status,
151 				kerberos4_printsub },
152 #endif
153 #ifdef	KRB4_ENCPWD
154 	{ AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
155 				krb4encpwd_init,
156 				krb4encpwd_send,
157 				krb4encpwd_is,
158 				krb4encpwd_reply,
159 				krb4encpwd_status,
160 				krb4encpwd_printsub },
161 #endif
162 #ifdef	RSA_ENCPWD
163 	{ AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
164 				rsaencpwd_init,
165 				rsaencpwd_send,
166 				rsaencpwd_is,
167 				rsaencpwd_reply,
168 				rsaencpwd_status,
169 				rsaencpwd_printsub },
170 #endif
171 	{ 0, },
172 };
173 
174 static Authenticator NoAuth = { 0 };
175 
176 static int	i_support = 0;
177 static int	i_wont_support = 0;
178 
179 	Authenticator *
180 findauthenticator(type, way)
181 	int type;
182 	int way;
183 {
184 	Authenticator *ap = authenticators;
185 
186 	while (ap->type && (ap->type != type || ap->way != way))
187 		++ap;
188 	return(ap->type ? ap : 0);
189 }
190 
191 	void
192 auth_init(name, server)
193 	char *name;
194 	int server;
195 {
196 	Authenticator *ap = authenticators;
197 
198 	Server = server;
199 	Name = name;
200 
201 	i_support = 0;
202 	authenticated = 0;
203 	authenticating = 0;
204 	while (ap->type) {
205 		if (!ap->init || (*ap->init)(ap, server)) {
206 			i_support |= typemask(ap->type);
207 			if (auth_debug_mode)
208 				printf(">>>%s: I support auth type %d %d\r\n",
209 					Name,
210 					ap->type, ap->way);
211 		}
212 		else if (auth_debug_mode)
213 			printf(">>>%s: Init failed: auth type %d %d\r\n",
214 				Name, ap->type, ap->way);
215 		++ap;
216 	}
217 }
218 
219 	void
220 auth_disable_name(name)
221 	char *name;
222 {
223 	int x;
224 	for (x = 0; x < AUTHTYPE_CNT; ++x) {
225 		if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
226 			i_wont_support |= typemask(x);
227 			break;
228 		}
229 	}
230 }
231 
232 	int
233 getauthmask(type, maskp)
234 	char *type;
235 	int *maskp;
236 {
237 	register int x;
238 
239 	if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
240 		*maskp = -1;
241 		return(1);
242 	}
243 
244 	for (x = 1; x < AUTHTYPE_CNT; ++x) {
245 		if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
246 			*maskp = typemask(x);
247 			return(1);
248 		}
249 	}
250 	return(0);
251 }
252 
253 	int
254 auth_enable(type)
255 	char *type;
256 {
257 	return(auth_onoff(type, 1));
258 }
259 
260 	int
261 auth_disable(type)
262 	char *type;
263 {
264 	return(auth_onoff(type, 0));
265 }
266 
267 	int
268 auth_onoff(type, on)
269 	char *type;
270 	int on;
271 {
272 	int i, mask = -1;
273 	Authenticator *ap;
274 
275 	if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
276 		printf("auth %s 'type'\n", on ? "enable" : "disable");
277 		printf("Where 'type' is one of:\n");
278 		printf("\t%s\n", AUTHTYPE_NAME(0));
279 		mask = 0;
280 		for (ap = authenticators; ap->type; ap++) {
281 			if ((mask & (i = typemask(ap->type))) != 0)
282 				continue;
283 			mask |= i;
284 			printf("\t%s\n", AUTHTYPE_NAME(ap->type));
285 		}
286 		return(0);
287 	}
288 
289 	if (!getauthmask(type, &mask)) {
290 		printf("%s: invalid authentication type\n", type);
291 		return(0);
292 	}
293 	if (on)
294 		i_wont_support &= ~mask;
295 	else
296 		i_wont_support |= mask;
297 	return(1);
298 }
299 
300 	int
301 auth_togdebug(on)
302 	int on;
303 {
304 	if (on < 0)
305 		auth_debug_mode ^= 1;
306 	else
307 		auth_debug_mode = on;
308 	printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
309 	return(1);
310 }
311 
312 	int
313 auth_status()
314 {
315 	Authenticator *ap;
316 	int i, mask;
317 
318 	if (i_wont_support == -1)
319 		printf("Authentication disabled\n");
320 	else
321 		printf("Authentication enabled\n");
322 
323 	mask = 0;
324 	for (ap = authenticators; ap->type; ap++) {
325 		if ((mask & (i = typemask(ap->type))) != 0)
326 			continue;
327 		mask |= i;
328 		printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
329 			(i_wont_support & typemask(ap->type)) ?
330 					"disabled" : "enabled");
331 	}
332 	return(1);
333 }
334 
335 /*
336  * This routine is called by the server to start authentication
337  * negotiation.
338  */
339 	void
340 auth_request()
341 {
342 	static unsigned char str_request[64] = { IAC, SB,
343 						 TELOPT_AUTHENTICATION,
344 						 TELQUAL_SEND, };
345 	Authenticator *ap = authenticators;
346 	unsigned char *e = str_request + 4;
347 
348 	if (!authenticating) {
349 		authenticating = 1;
350 		while (ap->type) {
351 			if (i_support & ~i_wont_support & typemask(ap->type)) {
352 				if (auth_debug_mode) {
353 					printf(">>>%s: Sending type %d %d\r\n",
354 						Name, ap->type, ap->way);
355 				}
356 				*e++ = ap->type;
357 				*e++ = ap->way;
358 			}
359 			++ap;
360 		}
361 		*e++ = IAC;
362 		*e++ = SE;
363 		net_write(str_request, e - str_request);
364 		printsub('>', &str_request[2], e - str_request - 2);
365 	}
366 }
367 
368 /*
369  * This is called when an AUTH SEND is received.
370  * It should never arrive on the server side (as only the server can
371  * send an AUTH SEND).
372  * You should probably respond to it if you can...
373  *
374  * If you want to respond to the types out of order (i.e. even
375  * if he sends  LOGIN KERBEROS and you support both, you respond
376  * with KERBEROS instead of LOGIN (which is against what the
377  * protocol says)) you will have to hack this code...
378  */
379 	void
380 auth_send(data, cnt)
381 	unsigned char *data;
382 	int cnt;
383 {
384 	Authenticator *ap;
385 	static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
386 					    TELQUAL_IS, AUTHTYPE_NULL, 0,
387 					    IAC, SE };
388 	if (Server) {
389 		if (auth_debug_mode) {
390 			printf(">>>%s: auth_send called!\r\n", Name);
391 		}
392 		return;
393 	}
394 
395 	if (auth_debug_mode) {
396 		printf(">>>%s: auth_send got:", Name);
397 		printd(data, cnt); printf("\r\n");
398 	}
399 
400 	/*
401 	 * Save the data, if it is new, so that we can continue looking
402 	 * at it if the authorization we try doesn't work
403 	 */
404 	if (data < _auth_send_data ||
405 	    data > _auth_send_data + sizeof(_auth_send_data)) {
406 		auth_send_cnt = cnt > sizeof(_auth_send_data)
407 					? sizeof(_auth_send_data)
408 					: cnt;
409 		memmove((void *)_auth_send_data, (void *)data, auth_send_cnt);
410 		auth_send_data = _auth_send_data;
411 	} else {
412 		/*
413 		 * This is probably a no-op, but we just make sure
414 		 */
415 		auth_send_data = data;
416 		auth_send_cnt = cnt;
417 	}
418 	while ((auth_send_cnt -= 2) >= 0) {
419 		if (auth_debug_mode)
420 			printf(">>>%s: He supports %d\r\n",
421 				Name, *auth_send_data);
422 		if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
423 			ap = findauthenticator(auth_send_data[0],
424 					       auth_send_data[1]);
425 			if (ap && ap->send) {
426 				if (auth_debug_mode)
427 					printf(">>>%s: Trying %d %d\r\n",
428 						Name, auth_send_data[0],
429 							auth_send_data[1]);
430 				if ((*ap->send)(ap)) {
431 					/*
432 					 * Okay, we found one we like
433 					 * and did it.
434 					 * we can go home now.
435 					 */
436 					if (auth_debug_mode)
437 						printf(">>>%s: Using type %d\r\n",
438 							Name, *auth_send_data);
439 					auth_send_data += 2;
440 					return;
441 				}
442 			}
443 			/* else
444 			 *	just continue on and look for the
445 			 *	next one if we didn't do anything.
446 			 */
447 		}
448 		auth_send_data += 2;
449 	}
450 	net_write(str_none, sizeof(str_none));
451 	printsub('>', &str_none[2], sizeof(str_none) - 2);
452 	if (auth_debug_mode)
453 		printf(">>>%s: Sent failure message\r\n", Name);
454 	auth_finished(0, AUTH_REJECT);
455 #ifdef KANNAN
456 	/*
457 	 *  We requested strong authentication, however no mechanisms worked.
458 	 *  Therefore, exit on client end.
459 	 */
460 	printf("Unable to securely authenticate user ... exit\n");
461 	exit(0);
462 #endif /* KANNAN */
463 }
464 
465 	void
466 auth_send_retry()
467 {
468 	/*
469 	 * if auth_send_cnt <= 0 then auth_send will end up rejecting
470 	 * the authentication and informing the other side of this.
471 	 */
472 	auth_send(auth_send_data, auth_send_cnt);
473 }
474 
475 	void
476 auth_is(data, cnt)
477 	unsigned char *data;
478 	int cnt;
479 {
480 	Authenticator *ap;
481 
482 	if (cnt < 2)
483 		return;
484 
485 	if (data[0] == AUTHTYPE_NULL) {
486 		auth_finished(0, AUTH_REJECT);
487 		return;
488 	}
489 
490 	if (ap = findauthenticator(data[0], data[1])) {
491 		if (ap->is)
492 			(*ap->is)(ap, data+2, cnt-2);
493 	} else if (auth_debug_mode)
494 		printf(">>>%s: Invalid authentication in IS: %d\r\n",
495 			Name, *data);
496 }
497 
498 	void
499 auth_reply(data, cnt)
500 	unsigned char *data;
501 	int cnt;
502 {
503 	Authenticator *ap;
504 
505 	if (cnt < 2)
506 		return;
507 
508 	if (ap = findauthenticator(data[0], data[1])) {
509 		if (ap->reply)
510 			(*ap->reply)(ap, data+2, cnt-2);
511 	} else if (auth_debug_mode)
512 		printf(">>>%s: Invalid authentication in SEND: %d\r\n",
513 			Name, *data);
514 }
515 
516 	void
517 auth_name(data, cnt)
518 	unsigned char *data;
519 	int cnt;
520 {
521 	Authenticator *ap;
522 	unsigned char savename[256];
523 
524 	if (cnt < 1) {
525 		if (auth_debug_mode)
526 			printf(">>>%s: Empty name in NAME\r\n", Name);
527 		return;
528 	}
529 	if (cnt > sizeof(savename) - 1) {
530 		if (auth_debug_mode)
531 			printf(">>>%s: Name in NAME (%d) exceeds %d length\r\n",
532 					Name, cnt, sizeof(savename)-1);
533 		return;
534 	}
535 	memmove((void *)savename, (void *)data, cnt);
536 	savename[cnt] = '\0';	/* Null terminate */
537 	if (auth_debug_mode)
538 		printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
539 	auth_encrypt_user(savename);
540 }
541 
542 	int
543 auth_sendname(cp, len)
544 	unsigned char *cp;
545 	int len;
546 {
547 	static unsigned char str_request[256+6]
548 			= { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
549 	register unsigned char *e = str_request + 4;
550 	register unsigned char *ee = &str_request[sizeof(str_request)-2];
551 
552 	while (--len >= 0) {
553 		if ((*e++ = *cp++) == IAC)
554 			*e++ = IAC;
555 		if (e >= ee)
556 			return(0);
557 	}
558 	*e++ = IAC;
559 	*e++ = SE;
560 	net_write(str_request, e - str_request);
561 	printsub('>', &str_request[2], e - &str_request[2]);
562 	return(1);
563 }
564 
565 	void
566 auth_finished(ap, result)
567 	Authenticator *ap;
568 	int result;
569 {
570 	if (!(authenticated = ap))
571 		authenticated = &NoAuth;
572 	validuser = result;
573 }
574 
575 	/* ARGSUSED */
576 	static void
577 auth_intr(sig)
578 	int sig;
579 {
580 	auth_finished(0, AUTH_REJECT);
581 }
582 
583 	int
584 auth_wait(name)
585 	char *name;
586 {
587 	if (auth_debug_mode)
588 		printf(">>>%s: in auth_wait.\r\n", Name);
589 
590 	if (Server && !authenticating)
591 		return(0);
592 
593 	(void) signal(SIGALRM, auth_intr);
594 	alarm(30);
595 	while (!authenticated)
596 		if (telnet_spin())
597 			break;
598 	alarm(0);
599 	(void) signal(SIGALRM, SIG_DFL);
600 
601 	/*
602 	 * Now check to see if the user is valid or not
603 	 */
604 	if (!authenticated || authenticated == &NoAuth)
605 		return(AUTH_REJECT);
606 
607 	if (validuser == AUTH_VALID)
608 		validuser = AUTH_USER;
609 
610 	if (authenticated->status)
611 		validuser = (*authenticated->status)(authenticated,
612 						     name, validuser);
613 	return(validuser);
614 }
615 
616 	void
617 auth_debug(mode)
618 	int mode;
619 {
620 	auth_debug_mode = mode;
621 }
622 
623 	void
624 auth_printsub(data, cnt, buf, buflen)
625 	unsigned char *data, *buf;
626 	int cnt, buflen;
627 {
628 	Authenticator *ap;
629 
630 	if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
631 		(*ap->printsub)(data, cnt, buf, buflen);
632 	else
633 		auth_gen_printsub(data, cnt, buf, buflen);
634 }
635 
636 	void
637 auth_gen_printsub(data, cnt, buf, buflen)
638 	unsigned char *data, *buf;
639 	int cnt, buflen;
640 {
641 	register unsigned char *cp;
642 	unsigned char tbuf[16];
643 
644 	cnt -= 3;
645 	data += 3;
646 	buf[buflen-1] = '\0';
647 	buf[buflen-2] = '*';
648 	buflen -= 2;
649 	for (; cnt > 0; cnt--, data++) {
650 		sprintf((char *)tbuf, " %d", *data);
651 		for (cp = tbuf; *cp && buflen > 0; --buflen)
652 			*buf++ = *cp++;
653 		if (buflen <= 0)
654 			return;
655 	}
656 	*buf = '\0';
657 }
658 #endif
659