xref: /illumos-gate/usr/src/cmd/cmd-inet/usr.bin/telnet/auth.c (revision 2a8bcb4efb45d99ac41c94a75c396b362c414f7f)
1 /*
2  * Copyright 2002 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 /*
7  * usr/src/cmd/cmd-inet/usr.bin/telnet/auth.c
8  */
9 
10 /*
11  * Copyright (c) 1991, 1993
12  *	The Regents of the University of California.  All rights reserved.
13  *
14  * Redistribution and use in source and binary forms, with or without
15  * modification, are permitted provided that the following conditions
16  * are met:
17  * 1. Redistributions of source code must retain the above copyright
18  *    notice, this list of conditions and the following disclaimer.
19  * 2. Redistributions in binary form must reproduce the above copyright
20  *    notice, this list of conditions and the following disclaimer in the
21  *    documentation and/or other materials provided with the distribution.
22  * 3. All advertising materials mentioning features or use of this software
23  *    must display the following acknowledgement:
24  *	This product includes software developed by the University of
25  *	California, Berkeley and its contributors.
26  * 4. Neither the name of the University nor the names of its contributors
27  *    may be used to endorse or promote products derived from this software
28  *    without specific prior written permission.
29  *
30  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
31  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
32  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
34  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
35  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
36  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
37  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
38  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
39  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40  * SUCH DAMAGE.
41  */
42 
43 /* based on @(#)auth.c	8.1 (Berkeley) 6/4/93 */
44 
45 /*
46  * Copyright (C) 1990 by the Massachusetts Institute of Technology
47  *
48  * Export of this software from the United States of America may
49  * require a specific license from the United States Government.
50  * It is the responsibility of any person or organization contemplating
51  * export to obtain such a license before exporting.
52  *
53  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
54  * distribute this software and its documentation for any purpose and
55  * without fee is hereby granted, provided that the above copyright
56  * notice appear in all copies and that both that copyright notice and
57  * this permission notice appear in supporting documentation, and that
58  * the name of M.I.T. not be used in advertising or publicity pertaining
59  * to distribution of the software without specific, written prior
60  * permission.  Furthermore if you modify this software you must label
61  * your software as modified software and not distribute it in such a
62  * fashion that it might be confused with the original M.I.T. software.
63  * M.I.T. makes no representations about the suitability of
64  * this software for any purpose.  It is provided "as is" without express
65  * or implied warranty.
66  */
67 
68 
69 #include <stdio.h>
70 #include <sys/types.h>
71 #include <signal.h>
72 
73 #define	AUTHTYPE_NAMES		/* this is needed for arpa/telnet.h */
74 #include <arpa/telnet.h>
75 
76 #ifdef	__STDC__
77 #include <stdlib.h>
78 #endif
79 
80 #include <string.h>
81 
82 #include "externs.h"
83 #include "encrypt.h"
84 #include "auth.h"
85 
86 #define	typemask(x)	((x) > 0 ? 1 << ((x)-1) : 0)
87 
88 static int auth_onoff(const char *type, boolean_t on);
89 static void auth_gen_printsub(uchar_t *, uint_t, uchar_t *, uint_t);
90 
91 boolean_t	auth_debug_mode = B_FALSE;
92 boolean_t	auth_has_failed = B_FALSE;
93 boolean_t	auth_enable_encrypt = B_FALSE;
94 
95 static 	char		*Name = "Noname";
96 static	Authenticator	*authenticated = NULL;
97 static	uchar_t		_auth_send_data[BUFSIZ];
98 static	uchar_t		*auth_send_data;
99 static	int		auth_send_cnt = 0;
100 
101 /*
102  * Authentication types supported.  Note that these are stored
103  * in priority order, i.e. try the first one first.
104  */
105 static	Authenticator authenticators[] = {
106 	{ AUTHTYPE_KERBEROS_V5,
107 		AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL|AUTH_ENCRYPT_ON,
108 				kerberos5_init,
109 				kerberos5_send,
110 				kerberos5_reply,
111 				kerberos5_status,
112 				kerberos5_printsub },
113 	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
114 				kerberos5_init,
115 				kerberos5_send,
116 				kerberos5_reply,
117 				kerberos5_status,
118 				kerberos5_printsub },
119 	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
120 				kerberos5_init,
121 				kerberos5_send,
122 				kerberos5_reply,
123 				kerberos5_status,
124 				kerberos5_printsub },
125 	{ 0, },
126 };
127 
128 static Authenticator NoAuth = { 0 };
129 
130 static uint_t	i_support = 0;
131 static uint_t	i_wont_support = 0;
132 
133 /*
134  * Traverse the Authenticator array until we find the authentication type
135  * and matching direction we are looking for.  Return a pointer into the
136  * Authenticator type array.
137  *
138  * Returns:	0 - type not found (error)
139  * 		nonzero - pointer to authenticator
140  */
141 static Authenticator *
findauthenticator(int type,int way)142 findauthenticator(int type, int way)
143 {
144 	Authenticator *ap = authenticators;
145 
146 	while (ap->type && (ap->type != type || ap->way != way))
147 		++ap;
148 	return (ap->type ? ap : NULL);
149 }
150 
151 /*
152  * For each authentication type in the Authenticator array,
153  * call the associated init routine, and update the i_support bitfield.
154  */
155 void
auth_init(const char * name)156 auth_init(const char *name)
157 {
158 	Authenticator *ap = authenticators;
159 
160 	Name = name ? strdup(name) : "Noname";
161 
162 	i_support = 0;
163 	authenticated = NULL;
164 	while (ap->type) {
165 		if (!ap->init || (*ap->init)(ap)) {
166 			i_support |= typemask(ap->type);
167 			if (auth_debug_mode)
168 			    (void) printf(gettext
169 				(">>>%s: I support auth type %d %d\r\n"),
170 				Name, ap->type, ap->way);
171 		}
172 		++ap;
173 	}
174 }
175 
176 /*
177  * Search the Authenticator array for the authentication type 'name',
178  * and disable this type by updating the i_wont_support bitfield.
179  */
180 void
auth_disable_name(const char * name)181 auth_disable_name(const char *name)
182 {
183 	uint_t x;
184 	for (x = 0; x < AUTHTYPE_CNT; ++x) {
185 		if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
186 			i_wont_support |= typemask(x);
187 			break;
188 		}
189 	}
190 
191 	if (!i_wont_support)
192 		(void) printf(
193 			gettext("%s : invalid authentication type\n"),
194 			name);
195 }
196 
197 /*
198  * Search the Authenticator array for the authentication type given
199  * by the character string 'type', and return its integer bitmask
200  * in maskp.
201  *
202  * Returns:	1 - no error
203  *		0 - type not found (error)
204  */
205 static int
getauthmask(const char * type,uint_t * maskp)206 getauthmask(const char *type, uint_t *maskp)
207 {
208 	uint_t x;
209 
210 	if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
211 		*maskp = (uint_t)-1;
212 		return (1);
213 	}
214 
215 	for (x = 1; x < AUTHTYPE_CNT; ++x) {
216 		if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
217 			*maskp = typemask(x);
218 			return (1);
219 		}
220 	}
221 	return (0);
222 }
223 
224 int
auth_enable(char * type)225 auth_enable(char *type)
226 {
227 	return (auth_onoff(type, B_TRUE));
228 }
229 
230 int
auth_disable(char * type)231 auth_disable(char *type)
232 {
233 	return (auth_onoff(type, B_FALSE));
234 }
235 
236 /*
237  * Responds to the 'auth enable <option>' and 'auth disable <option>' commands.
238  *
239  * If <option> is:
240  *	- a valid authentication type, turns support on / off
241  *	- "?" or "help", print a usage message
242  *	- not recognized, print an error message.
243  *
244  * Returns:	1 - no error, authentication is enabled or disabled
245  *		0 - error, or help requested
246  */
247 static int
auth_onoff(const char * type,boolean_t on)248 auth_onoff(const char *type, boolean_t on)
249 {
250 	uint_t i, mask = 0;
251 	Authenticator *ap;
252 
253 	if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
254 		(void) printf(on ?
255 			gettext("auth enable 'type'\n") :
256 			gettext("auth disable 'type'\n"));
257 		(void) printf(
258 			gettext("Where 'type' is one of:\n"));
259 		(void) printf("\t%s\n", AUTHTYPE_NAME(0));
260 		for (ap = authenticators; ap->type; ap++) {
261 			if ((mask & (i = typemask(ap->type))) != 0)
262 				continue;
263 			mask |= i;
264 			(void) printf("\t%s\n", AUTHTYPE_NAME(ap->type));
265 		}
266 		return (0);
267 	}
268 
269 	if (!getauthmask(type, &mask)) {
270 		(void) printf(
271 			gettext("%s: invalid authentication type\n"), type);
272 		return (0);
273 	}
274 	if (on)
275 		i_wont_support &= ~mask;
276 	else
277 		i_wont_support |= mask;
278 	return (1);
279 }
280 
281 /*
282  * Responds to the 'toggle authdebug' command.
283  *
284  * Returns:	1 - always
285  */
286 int
auth_togdebug(int on)287 auth_togdebug(int on)
288 {
289 	if (on < 0)
290 		auth_debug_mode = !auth_debug_mode;
291 	else
292 		auth_debug_mode = on > 0 ? B_TRUE : B_FALSE;
293 	(void) printf(auth_debug_mode ?
294 		gettext("auth debugging enabled\n") :
295 		gettext("auth debugging disabled\n"));
296 	return (1);
297 }
298 
299 /*
300  * Responds to the 'auth status' command.
301  * Traverses the authenticator array and prints enabled or disabled for
302  * each authentication type, depencing on the i_wont_support bitfield.
303  *
304  * Returns:	1 - always
305  */
306 int
auth_status(void)307 auth_status(void)
308 {
309 	Authenticator *ap;
310 	uint_t i, mask;
311 
312 	if (i_wont_support == (uint_t)-1)
313 		(void) printf(gettext("Authentication disabled\n"));
314 	else
315 		(void) printf(gettext("Authentication enabled\n"));
316 
317 	mask = 0;
318 	for (ap = authenticators; ap->type; ap++) {
319 		if ((mask & (i = typemask(ap->type))) != 0)
320 			continue;
321 		mask |= i;
322 		(void) printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
323 			(i_wont_support & typemask(ap->type)) ?
324 			gettext("disabled") : gettext("enabled"));
325 	}
326 	return (1);
327 }
328 
329 /*
330  * This is called when an AUTH SEND is received.
331  * data is a list of authentication mechanisms we support
332  */
333 void
auth_send(uchar_t * data,int cnt)334 auth_send(uchar_t *data, int cnt)
335 {
336 
337 	if (auth_debug_mode) {
338 		(void) printf(gettext(">>>%s: auth_send got:"), Name);
339 		printd(data, cnt);
340 		(void) printf("\r\n");
341 	}
342 
343 	/*
344 	 * Save the list of authentication mechanisms
345 	 */
346 	auth_send_cnt = cnt;
347 	if (auth_send_cnt > sizeof (_auth_send_data))
348 	    auth_send_cnt = sizeof (_auth_send_data);
349 	(void) memcpy((void *)_auth_send_data, (void *)data, auth_send_cnt);
350 	auth_send_data = _auth_send_data;
351 
352 	auth_send_retry();
353 }
354 
355 /*
356  * Try the next authentication mechanism on the list, and see if it
357  * works.
358  */
359 void
auth_send_retry(void)360 auth_send_retry(void)
361 {
362 	Authenticator *ap;
363 	static uchar_t str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
364 		TELQUAL_IS, AUTHTYPE_NULL, 0, IAC, SE };
365 
366 	for (; (auth_send_cnt -= 2) >= 0; auth_send_data += 2) {
367 	    if (auth_debug_mode)
368 		(void) printf(
369 			gettext(">>>%s: Remote host supports %d\r\n"),
370 			Name, *auth_send_data);
371 	    if (!(i_support & typemask(*auth_send_data)))
372 		continue;
373 	    if (i_wont_support & typemask(*auth_send_data))
374 		continue;
375 	    ap = findauthenticator(auth_send_data[0], auth_send_data[1]);
376 	    if (!ap || !ap->send)
377 		continue;
378 	    if ((ap->way & AUTH_ENCRYPT_MASK) && !auth_enable_encrypt)
379 		continue;
380 
381 	    if (auth_debug_mode)
382 		(void) printf(
383 			gettext(">>>%s: Trying %d %d\r\n"), Name,
384 			auth_send_data[0], auth_send_data[1]);
385 	    if ((*ap->send)(ap)) {
386 		/*
387 		 * Okay, we found one we like and did it.  we can go
388 		 * home now.
389 		 */
390 		if (auth_debug_mode)
391 		    (void) printf(gettext(">>>%s: Using type %d\r\n"),
392 			Name, *auth_send_data);
393 		auth_send_data += 2;
394 		return;
395 	    }
396 	}
397 	(void) net_write(str_none, sizeof (str_none));
398 	printsub('>', &str_none[2], sizeof (str_none) - 2);
399 	if (auth_debug_mode)
400 		(void) printf(
401 			gettext(">>>%s: Sent failure message\r\n"), Name);
402 	auth_finished(0, AUTH_REJECT);
403 	auth_has_failed = B_TRUE;
404 }
405 
406 void
auth_reply(uchar_t * data,int cnt)407 auth_reply(uchar_t *data, int cnt)
408 {
409 	Authenticator *ap;
410 
411 	if (cnt < 2)
412 		return;
413 
414 	if (ap = findauthenticator(data[0], data[1])) {
415 		if (ap->reply)
416 			(*ap->reply)(ap, data+2, cnt-2);
417 	} else if (auth_debug_mode)
418 		(void) printf(gettext
419 			(">>>%s: Invalid authentication in SEND: %d\r\n"),
420 			Name, *data);
421 }
422 
423 int
auth_sendname(uchar_t * cp,int len)424 auth_sendname(uchar_t *cp, int len)
425 {
426 	static uchar_t str_request[AUTH_NAME_BUFSIZ + 6] = { IAC, SB,
427 		TELOPT_AUTHENTICATION, TELQUAL_NAME, };
428 	register uchar_t *e = str_request + 4;
429 	register uchar_t *ee = &str_request[sizeof (str_request) - 2];
430 
431 	while (--len >= 0) {
432 		if ((*e++ = *cp++) == IAC)
433 			*e++ = IAC;
434 		if (e >= ee)
435 			return (0);
436 	}
437 	*e++ = IAC;
438 	*e++ = SE;
439 	(void) net_write(str_request, e - str_request);
440 	printsub('>', &str_request[2], e - &str_request[2]);
441 	return (1);
442 }
443 
444 /* ARGSUSED */
445 void
auth_finished(Authenticator * ap,int result)446 auth_finished(Authenticator *ap, int result)
447 {
448 	authenticated = ap;
449 	if (authenticated == NULL)
450 		authenticated = &NoAuth;
451 }
452 
453 void
auth_printsub(uchar_t * data,uint_t cnt,uchar_t * buf,uint_t buflen)454 auth_printsub(uchar_t *data, uint_t cnt, uchar_t *buf, uint_t buflen)
455 {
456 	Authenticator *ap;
457 
458 	ap = findauthenticator(data[1], data[2]);
459 	if (ap && ap->printsub)
460 		(*ap->printsub)(data, cnt, buf, buflen);
461 	else
462 		auth_gen_printsub(data, cnt, buf, buflen);
463 }
464 
465 static void
auth_gen_printsub(uchar_t * data,uint_t cnt,uchar_t * buf,uint_t buflen)466 auth_gen_printsub(uchar_t *data, uint_t cnt, uchar_t *buf, uint_t buflen)
467 {
468 	register uchar_t *cp;
469 	uchar_t lbuf[AUTH_LBUF_BUFSIZ];
470 
471 	if (buflen < 2)
472 		return;
473 	cnt = (cnt > 3) ? cnt - 3 : 0;
474 	data += 3;
475 	buf[buflen - 1] = '\0';
476 	buf[buflen - 2] = '*';
477 	buflen -= 2;
478 	for (; cnt > 0; cnt--, data++) {
479 		(void) snprintf((char *)lbuf, AUTH_LBUF_BUFSIZ, " %d", *data);
480 		for (cp = lbuf; (*cp != '\0') && (buflen > 0); --buflen)
481 			*buf++ = *cp++;
482 		if (buflen == 0)
483 			return;
484 	}
485 	*buf = '\0';
486 }
487