xref: /netbsd-src/lib/libtelnet/auth.c (revision 53b02e147d4ed531c0d2a5ca9b3e8026ba3e99b5) 
1 /*	$NetBSD: auth.c,v 1.25 2021/09/19 20:52:47 andvar Exp $	*/
2 
3 /*-
4  * Copyright (c) 1991, 1993
5  *	The Regents of the University of California.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. Neither the name of the University nor the names of its contributors
16  *    may be used to endorse or promote products derived from this software
17  *    without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  */
31 
32 #include <sys/cdefs.h>
33 #ifndef lint
34 #if 0
35 static char sccsid[] = "@(#)auth.c	8.3 (Berkeley) 5/30/95"
36 #else
37 __RCSID("$NetBSD: auth.c,v 1.25 2021/09/19 20:52:47 andvar Exp $");
38 #endif
39 #endif /* not lint */
40 
41 /*
42  * Copyright (C) 1990 by the Massachusetts Institute of Technology
43  *
44  * Export of this software from the United States of America is assumed
45  * to require a specific license from the United States Government.
46  * It is the responsibility of any person or organization contemplating
47  * export to obtain such a license before exporting.
48  *
49  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
50  * distribute this software and its documentation for any purpose and
51  * without fee is hereby granted, provided that the above copyright
52  * notice appear in all copies and that both that copyright notice and
53  * this permission notice appear in supporting documentation, and that
54  * the name of M.I.T. not be used in advertising or publicity pertaining
55  * to distribution of the software without specific, written prior
56  * permission.  M.I.T. makes no representations about the suitability of
57  * this software for any purpose.  It is provided "as is" without express
58  * or implied warranty.
59  */
60 
61 
62 #ifdef AUTHENTICATION
63 #include <stdio.h>
64 #include <sys/types.h>
65 #include <signal.h>
66 #define	AUTH_NAMES
67 #include <arpa/telnet.h>
68 #include <stdlib.h>
69 #include <unistd.h>
70 #ifdef	NO_STRING_H
71 #include <strings.h>
72 #else
73 #include <string.h>
74 #endif
75 
76 #include "encrypt.h"
77 #include "auth.h"
78 #include "misc-proto.h"
79 #include "auth-proto.h"
80 
81 #define	typemask(x)		(1<<((x)-1))
82 
83 int auth_debug_mode = 0;
84 static 	const char	*Name = "Noname";
85 static	int	Server = 0;
86 static	Authenticator	*authenticated = 0;
87 static	int	authenticating = 0;
88 static	int	validuser = 0;
89 static	unsigned char	_auth_send_data[256];
90 static	unsigned char	*auth_send_data;
91 static	int	auth_send_cnt = 0;
92 
93 static void auth_intr(int);
94 
95 /*
96  * Authentication types supported.  Please note that these are stored
97  * in priority order, i.e. try the first one first.
98  */
99 Authenticator authenticators[] = {
100 #ifdef	KRB5
101 # ifdef	ENCRYPTION
102 	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
103 				kerberos5_init,
104 				kerberos5_send,
105 				kerberos5_is,
106 				kerberos5_reply,
107 				kerberos5_status,
108 				kerberos5_printsub },
109 # endif	/* ENCRYPTION */
110 	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
111 				kerberos5_init,
112 				kerberos5_send,
113 				kerberos5_is,
114 				kerberos5_reply,
115 				kerberos5_status,
116 				kerberos5_printsub },
117 #endif
118 #ifdef SRA
119 	{ AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
120 				sra_init,
121 				sra_send,
122 				sra_is,
123 				sra_reply,
124 				sra_status,
125 				sra_printsub },
126 
127 #endif
128 	{ 0, 0, 0, 0, 0, 0, 0, 0 },
129 };
130 
131 static Authenticator NoAuth = { .type = 0 };
132 
133 static int	i_support = 0;
134 static int	i_wont_support = 0;
135 
136 Authenticator *
137 findauthenticator(int type, int way)
138 {
139 	Authenticator *ap = authenticators;
140 
141 	while (ap->type && (ap->type != type || ap->way != way))
142 		++ap;
143 	return(ap->type ? ap : 0);
144 }
145 
146 void
147 auth_init(const char *name, int server)
148 {
149 	Authenticator *ap = authenticators;
150 
151 	Server = server;
152 	Name = name;
153 
154 	i_support = 0;
155 	authenticated = 0;
156 	authenticating = 0;
157 	while (ap->type) {
158 		if (!ap->init || (*ap->init)(ap, server)) {
159 			i_support |= typemask(ap->type);
160 			if (auth_debug_mode)
161 				printf(">>>%s: I support auth type %d %d\r\n",
162 					Name,
163 					ap->type, ap->way);
164 		}
165 		else if (auth_debug_mode)
166 			printf(">>>%s: Init failed: auth type %d %d\r\n",
167 				Name, ap->type, ap->way);
168 		++ap;
169 	}
170 }
171 
172 void
173 auth_disable_name(char *name)
174 {
175 	int x;
176 	for (x = 0; x < AUTHTYPE_CNT; ++x) {
177 		if (AUTHTYPE_NAME(x) && !strcasecmp(name, AUTHTYPE_NAME(x))) {
178 			i_wont_support |= typemask(x);
179 			break;
180 		}
181 	}
182 }
183 
184 int
185 getauthmask(const char *type, int *maskp)
186 {
187 	register int x;
188 
189 	if (AUTHTYPE_NAME(0) && !strcasecmp(type, AUTHTYPE_NAME(0))) {
190 		*maskp = -1;
191 		return(1);
192 	}
193 
194 	for (x = 1; x < AUTHTYPE_CNT; ++x) {
195 		if (AUTHTYPE_NAME(x) && !strcasecmp(type, AUTHTYPE_NAME(x))) {
196 			*maskp = typemask(x);
197 			return(1);
198 		}
199 	}
200 	return(0);
201 }
202 
203 int
204 auth_enable(const char *type)
205 {
206 	return(auth_onoff(type, 1));
207 }
208 
209 int
210 auth_disable(const char *type)
211 {
212 	return(auth_onoff(type, 0));
213 }
214 
215 int
216 auth_onoff(const char *type, int on)
217 {
218 	int i, mask = -1;
219 	Authenticator *ap;
220 
221 	if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
222 		printf("auth %s 'type'\n", on ? "enable" : "disable");
223 		printf("Where 'type' is one of:\n");
224 		printf("\t%s\n", AUTHTYPE_NAME(0));
225 		mask = 0;
226 		for (ap = authenticators; ap->type; ap++) {
227 			if ((mask & (i = typemask(ap->type))) != 0)
228 				continue;
229 			mask |= i;
230 			printf("\t%s\n", AUTHTYPE_NAME(ap->type));
231 		}
232 		return(0);
233 	}
234 
235 	if (!getauthmask(type, &mask)) {
236 		printf("%s: invalid authentication type\n", type);
237 		return(0);
238 	}
239 	if (on)
240 		i_wont_support &= ~mask;
241 	else
242 		i_wont_support |= mask;
243 	return(1);
244 }
245 
246 int
247 auth_togdebug(int on)
248 {
249 	if (on < 0)
250 		auth_debug_mode ^= 1;
251 	else
252 		auth_debug_mode = on;
253 	printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
254 	return(1);
255 }
256 
257 int
258 auth_status(const char *s)
259 {
260 	Authenticator *ap;
261 	int i, mask;
262 
263 	if (i_wont_support == -1)
264 		printf("Authentication disabled\n");
265 	else
266 		printf("Authentication enabled\n");
267 
268 	mask = 0;
269 	for (ap = authenticators; ap->type; ap++) {
270 		if ((mask & (i = typemask(ap->type))) != 0)
271 			continue;
272 		mask |= i;
273 		printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
274 			(i_wont_support & typemask(ap->type)) ?
275 					"disabled" : "enabled");
276 	}
277 	return(1);
278 }
279 
280 /*
281  * This routine is called by the server to start authentication
282  * negotiation.
283  */
284 void
285 auth_request(void)
286 {
287 	static unsigned char str_request[64] = { IAC, SB,
288 						 TELOPT_AUTHENTICATION,
289 						 TELQUAL_SEND, };
290 	Authenticator *ap = authenticators;
291 	unsigned char *e = str_request + 4;
292 
293 	if (!authenticating) {
294 		authenticating = 1;
295 		while (ap->type) {
296 			if (i_support & ~i_wont_support & typemask(ap->type)) {
297 				if (auth_debug_mode) {
298 					printf(">>>%s: Sending type %d %d\r\n",
299 						Name, ap->type, ap->way);
300 				}
301 				*e++ = ap->type;
302 				*e++ = ap->way;
303 			}
304 			++ap;
305 		}
306 		*e++ = IAC;
307 		*e++ = SE;
308 		telnet_net_write(str_request, e - str_request);
309 		printsub('>', &str_request[2], e - str_request - 2);
310 	}
311 }
312 
313 /*
314  * This is called when an AUTH SEND is received.
315  * It should never arrive on the server side (as only the server can
316  * send an AUTH SEND).
317  * You should probably respond to it if you can...
318  *
319  * If you want to respond to the types out of order (i.e. even
320  * if he sends  LOGIN KERBEROS and you support both, you respond
321  * with KERBEROS instead of LOGIN (which is against what the
322  * protocol says)) you will have to hack this code...
323  */
324 void
325 auth_send(unsigned char *data, int cnt)
326 {
327 	Authenticator *ap;
328 	static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
329 					    TELQUAL_IS, AUTHTYPE_NULL, 0,
330 					    IAC, SE };
331 	if (Server) {
332 		if (auth_debug_mode) {
333 			printf(">>>%s: auth_send called!\r\n", Name);
334 		}
335 		return;
336 	}
337 
338 	if (auth_debug_mode) {
339 		printf(">>>%s: auth_send got:", Name);
340 		printd(data, cnt); printf("\r\n");
341 	}
342 
343 	/*
344 	 * Save the data, if it is new, so that we can continue looking
345 	 * at it if the authorization we try doesn't work
346 	 */
347 	if (data < _auth_send_data ||
348 	    data > _auth_send_data + sizeof(_auth_send_data)) {
349 		auth_send_cnt = (size_t)cnt > sizeof(_auth_send_data)
350 					? sizeof(_auth_send_data)
351 					: (size_t)cnt;
352 		memmove(_auth_send_data, data, auth_send_cnt);
353 		auth_send_data = _auth_send_data;
354 	} else {
355 		/*
356 		 * This is probably a no-op, but we just make sure
357 		 */
358 		auth_send_data = data;
359 		auth_send_cnt = cnt;
360 	}
361 	while ((auth_send_cnt -= 2) >= 0) {
362 		if (auth_debug_mode)
363 			printf(">>>%s: He supports %d\r\n",
364 				Name, *auth_send_data);
365 		if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
366 			ap = findauthenticator(auth_send_data[0],
367 					       auth_send_data[1]);
368 			if (ap && ap->send) {
369 				if (auth_debug_mode)
370 					printf(">>>%s: Trying %d %d\r\n",
371 						Name, auth_send_data[0],
372 							auth_send_data[1]);
373 				if ((*ap->send)(ap)) {
374 					/*
375 					 * Okay, we found one we like
376 					 * and did it.
377 					 * we can go home now.
378 					 */
379 					if (auth_debug_mode)
380 						printf(">>>%s: Using type %d\r\n",
381 							Name, *auth_send_data);
382 					auth_send_data += 2;
383 					return;
384 				}
385 			}
386 			/* else
387 			 *	just continue on and look for the
388 			 *	next one if we didn't do anything.
389 			 */
390 		}
391 		auth_send_data += 2;
392 	}
393 	telnet_net_write(str_none, sizeof(str_none));
394 	printsub('>', &str_none[2], sizeof(str_none) - 2);
395 	if (auth_debug_mode)
396 		printf(">>>%s: Sent failure message\r\n", Name);
397 	auth_finished(0, AUTH_REJECT);
398 #ifdef KANNAN
399 	/*
400 	 *  We requested strong authentication, however no mechanisms worked.
401 	 *  Therefore, exit on client end.
402 	 */
403 	printf("Unable to securely authenticate user ... exit\n");
404 	exit(0);
405 #endif /* KANNAN */
406 }
407 
408 void
409 auth_send_retry(void)
410 {
411 	/*
412 	 * if auth_send_cnt <= 0 then auth_send will end up rejecting
413 	 * the authentication and informing the other side of this.
414 	 */
415 	auth_send(auth_send_data, auth_send_cnt);
416 }
417 
418 void
419 auth_is(unsigned char *data, int cnt)
420 {
421 	Authenticator *ap;
422 
423 	if (cnt < 2)
424 		return;
425 
426 	if (data[0] == AUTHTYPE_NULL) {
427 		auth_finished(0, AUTH_REJECT);
428 		return;
429 	}
430 
431 	if ((ap = findauthenticator(data[0], data[1])) != NULL) {
432 		if (ap->is)
433 			(*ap->is)(ap, data+2, cnt-2);
434 	} else if (auth_debug_mode)
435 		printf(">>>%s: Invalid authentication in IS: %d\r\n",
436 			Name, *data);
437 }
438 
439 void
440 auth_reply(unsigned char *data, int cnt)
441 {
442 	Authenticator *ap;
443 
444 	if (cnt < 2)
445 		return;
446 
447 	if ((ap = findauthenticator(data[0], data[1])) != NULL) {
448 		if (ap->reply)
449 			(*ap->reply)(ap, data+2, cnt-2);
450 	} else if (auth_debug_mode)
451 		printf(">>>%s: Invalid authentication in SEND: %d\r\n",
452 			Name, *data);
453 }
454 
455 void
456 auth_name(unsigned char *data, int cnt)
457 {
458 	unsigned char savename[256];
459 
460 	if (cnt < 1) {
461 		if (auth_debug_mode)
462 			printf(">>>%s: Empty name in NAME\r\n", Name);
463 		return;
464 	}
465 	if ((size_t)cnt > sizeof(savename) - 1) {
466 		if (auth_debug_mode)
467 			printf(">>>%s: Name in NAME (%d) exceeds %ld length\r\n",
468 					Name, cnt, (long)sizeof(savename)-1);
469 		return;
470 	}
471 	memmove((void *)savename, (void *)data, cnt);
472 	savename[cnt] = '\0';	/* Null terminate */
473 	if (auth_debug_mode)
474 		printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
475 	auth_encrypt_user(savename);
476 }
477 
478 int
479 auth_sendname(unsigned char *cp, int len)
480 {
481 	static unsigned char str_request[256+6]
482 			= { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
483 	register unsigned char *e = str_request + 4;
484 	register unsigned char *ee = &str_request[sizeof(str_request)-2];
485 
486 	while (--len >= 0) {
487 		if ((*e++ = *cp++) == IAC)
488 			*e++ = IAC;
489 		if (e >= ee)
490 			return(0);
491 	}
492 	*e++ = IAC;
493 	*e++ = SE;
494 	telnet_net_write(str_request, e - str_request);
495 	printsub('>', &str_request[2], e - &str_request[2]);
496 	return(1);
497 }
498 
499 void
500 auth_finished(Authenticator *ap, int result)
501 {
502 	if (!(authenticated = ap))
503 		authenticated = &NoAuth;
504 	validuser = result;
505 }
506 
507 	/* ARGSUSED */
508 static void
509 auth_intr(int sig)
510 {
511 	auth_finished(0, AUTH_REJECT);
512 }
513 
514 int
515 auth_wait(char *name, size_t l)
516 {
517 	if (auth_debug_mode)
518 		printf(">>>%s: in auth_wait.\r\n", Name);
519 
520 	if (Server && !authenticating)
521 		return(0);
522 
523 	(void) signal(SIGALRM, auth_intr);
524 	alarm(30);
525 	while (!authenticated)
526 		if (telnet_spin())
527 			break;
528 	alarm(0);
529 	(void) signal(SIGALRM, SIG_DFL);
530 
531 	/*
532 	 * Now check to see if the user is valid or not
533 	 */
534 	if (!authenticated || authenticated == &NoAuth)
535 		return(AUTH_REJECT);
536 
537 	if (validuser == AUTH_VALID)
538 		validuser = AUTH_USER;
539 
540 	if (authenticated->status)
541 		validuser = (*authenticated->status)(authenticated,
542 						     name, l, validuser);
543 	return(validuser);
544 }
545 
546 void
547 auth_debug(int mode)
548 {
549 	auth_debug_mode = mode;
550 }
551 
552 void
553 auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
554 {
555 	Authenticator *ap;
556 
557 	if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
558 		(*ap->printsub)(data, cnt, buf, buflen);
559 	else
560 		auth_gen_printsub(data, cnt, buf, buflen);
561 }
562 
563 void
564 auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
565 {
566 	register unsigned char *cp;
567 	unsigned char tbuf[16];
568 
569 	cnt -= 3;
570 	data += 3;
571 	buf[buflen-1] = '\0';
572 	buf[buflen-2] = '*';
573 	buflen -= 2;
574 	for (; cnt > 0; cnt--, data++) {
575 		snprintf((char *)tbuf, sizeof(tbuf), " %d", *data);
576 		for (cp = tbuf; *cp && buflen > 0; --buflen)
577 			*buf++ = *cp++;
578 		if (buflen <= 0)
579 			return;
580 	}
581 	*buf = '\0';
582 }
583 #endif
584