xref: /freebsd/contrib/telnet/libtelnet/auth.c (revision ce6a89e27cd190313be39bb479880aeda4778436)
1 /*-
2  * Copyright (c) 1991, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. Neither the name of the University nor the names of its contributors
14  *    may be used to endorse or promote products derived from this software
15  *    without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  *
29  */
30 
31 #if 0
32 #ifndef lint
33 static const char sccsid[] = "@(#)auth.c	8.3 (Berkeley) 5/30/95";
34 #endif /* not lint */
35 #endif
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
38 
39 
40 /*
41  * Copyright (C) 1990 by the Massachusetts Institute of Technology
42  *
43  * Export of this software from the United States of America is assumed
44  * to require a specific license from the United States Government.
45  * It is the responsibility of any person or organization contemplating
46  * export to obtain such a license before exporting.
47  *
48  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
49  * distribute this software and its documentation for any purpose and
50  * without fee is hereby granted, provided that the above copyright
51  * notice appear in all copies and that both that copyright notice and
52  * this permission notice appear in supporting documentation, and that
53  * the name of M.I.T. not be used in advertising or publicity pertaining
54  * to distribution of the software without specific, written prior
55  * permission.  M.I.T. makes no representations about the suitability of
56  * this software for any purpose.  It is provided "as is" without express
57  * or implied warranty.
58  */
59 
60 
61 #ifdef	AUTHENTICATION
62 #define	AUTH_NAMES
63 #include <sys/types.h>
64 #include <signal.h>
65 #include <stdio.h>
66 #include <stdlib.h>
67 #include <string.h>
68 #include <unistd.h>
69 #include <arpa/telnet.h>
70 
71 #include "encrypt.h"
72 #include "auth.h"
73 #include "misc-proto.h"
74 #include "auth-proto.h"
75 
76 #define	typemask(x)	((x) > 0 ? 1 << ((x)-1) : 0)
77 
78 #ifdef	KRB4_ENCPWD
79 extern krb4encpwd_init();
80 extern krb4encpwd_send();
81 extern krb4encpwd_is();
82 extern krb4encpwd_reply();
83 extern krb4encpwd_status();
84 extern krb4encpwd_printsub();
85 #endif
86 
87 #ifdef	RSA_ENCPWD
88 extern rsaencpwd_init();
89 extern rsaencpwd_send();
90 extern rsaencpwd_is();
91 extern rsaencpwd_reply();
92 extern rsaencpwd_status();
93 extern rsaencpwd_printsub();
94 #endif
95 
96 int auth_debug_mode = 0;
97 static 	const char	*Name = "Noname";
98 static	int	Server = 0;
99 static	Authenticator	*authenticated = 0;
100 static	int	authenticating = 0;
101 static	int	validuser = 0;
102 static	unsigned char	_auth_send_data[256];
103 static	unsigned char	*auth_send_data;
104 static	int	auth_send_cnt = 0;
105 
106 int auth_onoff(char *type, int on);
107 void auth_encrypt_user(char *name);
108 
109 /*
110  * Authentication types supported.  Plese note that these are stored
111  * in priority order, i.e. try the first one first.
112  */
113 Authenticator authenticators[] = {
114 #ifdef	KRB5
115 # ifdef	ENCRYPTION
116 	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
117 				kerberos5_init,
118 				kerberos5_send_mutual,
119 				kerberos5_is,
120 				kerberos5_reply,
121 				kerberos5_status,
122 				kerberos5_printsub },
123 # endif	/* ENCRYPTION */
124 	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
125 				kerberos5_init,
126 				kerberos5_send_oneway,
127 				kerberos5_is,
128 				kerberos5_reply,
129 				kerberos5_status,
130 				kerberos5_printsub },
131 #endif
132 #ifdef	KRB4
133 # ifdef ENCRYPTION
134 	{ AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
135 				kerberos4_init,
136 				kerberos4_send,
137 				kerberos4_is,
138 				kerberos4_reply,
139 				kerberos4_status,
140 				kerberos4_printsub },
141 # endif	/* ENCRYPTION */
142 	{ AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
143 				kerberos4_init,
144 				kerberos4_send,
145 				kerberos4_is,
146 				kerberos4_reply,
147 				kerberos4_status,
148 				kerberos4_printsub },
149 #endif
150 #ifdef	KRB4_ENCPWD
151 	{ AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
152 				krb4encpwd_init,
153 				krb4encpwd_send,
154 				krb4encpwd_is,
155 				krb4encpwd_reply,
156 				krb4encpwd_status,
157 				krb4encpwd_printsub },
158 #endif
159 #ifdef	RSA_ENCPWD
160 	{ AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
161 				rsaencpwd_init,
162 				rsaencpwd_send,
163 				rsaencpwd_is,
164 				rsaencpwd_reply,
165 				rsaencpwd_status,
166 				rsaencpwd_printsub },
167 #endif
168 #ifdef SRA
169 	{ AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
170 				sra_init,
171 				sra_send,
172 				sra_is,
173 				sra_reply,
174 				sra_status,
175 				sra_printsub },
176 
177 #endif
178 	{ 0, 0, 0, 0, 0, 0, 0, 0 },
179 };
180 
181 static Authenticator NoAuth = { 0, 0, 0, 0, 0, 0, 0, 0 };
182 
183 static int	i_support = 0;
184 static int	i_wont_support = 0;
185 
186 Authenticator *
187 findauthenticator(int type, int way)
188 {
189 	Authenticator *ap = authenticators;
190 
191 	while (ap->type && (ap->type != type || ap->way != way))
192 		++ap;
193 	return(ap->type ? ap : 0);
194 }
195 
196 void
197 auth_init(const char *name, int server)
198 {
199 	Authenticator *ap = authenticators;
200 
201 	Server = server;
202 	Name = name;
203 
204 	i_support = 0;
205 	authenticated = 0;
206 	authenticating = 0;
207 	while (ap->type) {
208 		if (!ap->init || (*ap->init)(ap, server)) {
209 			i_support |= typemask(ap->type);
210 			if (auth_debug_mode)
211 				printf(">>>%s: I support auth type %d %d\r\n",
212 					Name,
213 					ap->type, ap->way);
214 		}
215 		else if (auth_debug_mode)
216 			printf(">>>%s: Init failed: auth type %d %d\r\n",
217 				Name, ap->type, ap->way);
218 		++ap;
219 	}
220 }
221 
222 void
223 auth_disable_name(char *name)
224 {
225 	int x;
226 	for (x = 0; x < AUTHTYPE_CNT; ++x) {
227 		if (AUTHTYPE_NAME(x) && !strcasecmp(name, AUTHTYPE_NAME(x))) {
228 			i_wont_support |= typemask(x);
229 			break;
230 		}
231 	}
232 }
233 
234 int
235 getauthmask(char *type, int *maskp)
236 {
237 	int x;
238 
239 	if (AUTHTYPE_NAME(0) && !strcasecmp(type, AUTHTYPE_NAME(0))) {
240 		*maskp = -1;
241 		return(1);
242 	}
243 
244 	for (x = 1; x < AUTHTYPE_CNT; ++x) {
245 		if (AUTHTYPE_NAME(x) && !strcasecmp(type, AUTHTYPE_NAME(x))) {
246 			*maskp = typemask(x);
247 			return(1);
248 		}
249 	}
250 	return(0);
251 }
252 
253 int
254 auth_enable(char *type)
255 {
256 	return(auth_onoff(type, 1));
257 }
258 
259 int
260 auth_disable(char *type)
261 {
262 	return(auth_onoff(type, 0));
263 }
264 
265 int
266 auth_onoff(char *type, int on)
267 {
268 	int i, mask = -1;
269 	Authenticator *ap;
270 
271 	if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
272 		printf("auth %s 'type'\n", on ? "enable" : "disable");
273 		printf("Where 'type' is one of:\n");
274 		printf("\t%s\n", AUTHTYPE_NAME(0));
275 		mask = 0;
276 		for (ap = authenticators; ap->type; ap++) {
277 			if ((mask & (i = typemask(ap->type))) != 0)
278 				continue;
279 			mask |= i;
280 			printf("\t%s\n", AUTHTYPE_NAME(ap->type));
281 		}
282 		return(0);
283 	}
284 
285 	if (!getauthmask(type, &mask)) {
286 		printf("%s: invalid authentication type\n", type);
287 		return(0);
288 	}
289 	if (on)
290 		i_wont_support &= ~mask;
291 	else
292 		i_wont_support |= mask;
293 	return(1);
294 }
295 
296 int
297 auth_togdebug(int on)
298 {
299 	if (on < 0)
300 		auth_debug_mode ^= 1;
301 	else
302 		auth_debug_mode = on;
303 	printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
304 	return(1);
305 }
306 
307 int
308 auth_status(void)
309 {
310 	Authenticator *ap;
311 	int i, mask;
312 
313 	if (i_wont_support == -1)
314 		printf("Authentication disabled\n");
315 	else
316 		printf("Authentication enabled\n");
317 
318 	mask = 0;
319 	for (ap = authenticators; ap->type; ap++) {
320 		if ((mask & (i = typemask(ap->type))) != 0)
321 			continue;
322 		mask |= i;
323 		printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
324 			(i_wont_support & typemask(ap->type)) ?
325 					"disabled" : "enabled");
326 	}
327 	return(1);
328 }
329 
330 /*
331  * This routine is called by the server to start authentication
332  * negotiation.
333  */
334 void
335 auth_request(void)
336 {
337 	static unsigned char str_request[64] = { IAC, SB,
338 						 TELOPT_AUTHENTICATION,
339 						 TELQUAL_SEND, };
340 	Authenticator *ap = authenticators;
341 	unsigned char *e = str_request + 4;
342 
343 	if (!authenticating) {
344 		authenticating = 1;
345 		while (ap->type) {
346 			if (i_support & ~i_wont_support & typemask(ap->type)) {
347 				if (auth_debug_mode) {
348 					printf(">>>%s: Sending type %d %d\r\n",
349 						Name, ap->type, ap->way);
350 				}
351 				*e++ = ap->type;
352 				*e++ = ap->way;
353 			}
354 			++ap;
355 		}
356 		*e++ = IAC;
357 		*e++ = SE;
358 		net_write(str_request, e - str_request);
359 		printsub('>', &str_request[2], e - str_request - 2);
360 	}
361 }
362 
363 /*
364  * This is called when an AUTH SEND is received.
365  * It should never arrive on the server side (as only the server can
366  * send an AUTH SEND).
367  * You should probably respond to it if you can...
368  *
369  * If you want to respond to the types out of order (i.e. even
370  * if he sends  LOGIN KERBEROS and you support both, you respond
371  * with KERBEROS instead of LOGIN (which is against what the
372  * protocol says)) you will have to hack this code...
373  */
374 void
375 auth_send(unsigned char *data, int cnt)
376 {
377 	Authenticator *ap;
378 	static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
379 					    TELQUAL_IS, AUTHTYPE_NULL, 0,
380 					    IAC, SE };
381 	if (Server) {
382 		if (auth_debug_mode) {
383 			printf(">>>%s: auth_send called!\r\n", Name);
384 		}
385 		return;
386 	}
387 
388 	if (auth_debug_mode) {
389 		printf(">>>%s: auth_send got:", Name);
390 		printd(data, cnt); printf("\r\n");
391 	}
392 
393 	/*
394 	 * Save the data, if it is new, so that we can continue looking
395 	 * at it if the authorization we try doesn't work
396 	 */
397 	if (data < _auth_send_data ||
398 	    data > _auth_send_data + sizeof(_auth_send_data)) {
399 		auth_send_cnt = (size_t)cnt > sizeof(_auth_send_data)
400 					? sizeof(_auth_send_data)
401 					: cnt;
402 		memmove((void *)_auth_send_data, (void *)data, auth_send_cnt);
403 		auth_send_data = _auth_send_data;
404 	} else {
405 		/*
406 		 * This is probably a no-op, but we just make sure
407 		 */
408 		auth_send_data = data;
409 		auth_send_cnt = cnt;
410 	}
411 	while ((auth_send_cnt -= 2) >= 0) {
412 		if (auth_debug_mode)
413 			printf(">>>%s: He supports %d\r\n",
414 				Name, *auth_send_data);
415 		if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
416 			ap = findauthenticator(auth_send_data[0],
417 					       auth_send_data[1]);
418 			if (ap && ap->send) {
419 				if (auth_debug_mode)
420 					printf(">>>%s: Trying %d %d\r\n",
421 						Name, auth_send_data[0],
422 							auth_send_data[1]);
423 				if ((*ap->send)(ap)) {
424 					/*
425 					 * Okay, we found one we like
426 					 * and did it.
427 					 * we can go home now.
428 					 */
429 					if (auth_debug_mode)
430 						printf(">>>%s: Using type %d\r\n",
431 							Name, *auth_send_data);
432 					auth_send_data += 2;
433 					return;
434 				}
435 			}
436 			/* else
437 			 *	just continue on and look for the
438 			 *	next one if we didn't do anything.
439 			 */
440 		}
441 		auth_send_data += 2;
442 	}
443 	net_write(str_none, sizeof(str_none));
444 	printsub('>', &str_none[2], sizeof(str_none) - 2);
445 	if (auth_debug_mode)
446 		printf(">>>%s: Sent failure message\r\n", Name);
447 	auth_finished(0, AUTH_REJECT);
448 }
449 
450 void
451 auth_send_retry(void)
452 {
453 	/*
454 	 * if auth_send_cnt <= 0 then auth_send will end up rejecting
455 	 * the authentication and informing the other side of this.
456 	 */
457 	auth_send(auth_send_data, auth_send_cnt);
458 }
459 
460 void
461 auth_is(unsigned char *data, int cnt)
462 {
463 	Authenticator *ap;
464 
465 	if (cnt < 2)
466 		return;
467 
468 	if (data[0] == AUTHTYPE_NULL) {
469 		auth_finished(0, AUTH_REJECT);
470 		return;
471 	}
472 
473 	if ((ap = findauthenticator(data[0], data[1]))) {
474 		if (ap->is)
475 			(*ap->is)(ap, data+2, cnt-2);
476 	} else if (auth_debug_mode)
477 		printf(">>>%s: Invalid authentication in IS: %d\r\n",
478 			Name, *data);
479 }
480 
481 void
482 auth_reply(unsigned char *data, int cnt)
483 {
484 	Authenticator *ap;
485 
486 	if (cnt < 2)
487 		return;
488 
489 	if ((ap = findauthenticator(data[0], data[1]))) {
490 		if (ap->reply)
491 			(*ap->reply)(ap, data+2, cnt-2);
492 	} else if (auth_debug_mode)
493 		printf(">>>%s: Invalid authentication in SEND: %d\r\n",
494 			Name, *data);
495 }
496 
497 void
498 auth_name(unsigned char *data, int cnt)
499 {
500 	unsigned char savename[256];
501 
502 	if (cnt < 1) {
503 		if (auth_debug_mode)
504 			printf(">>>%s: Empty name in NAME\r\n", Name);
505 		return;
506 	}
507 	if ((size_t)cnt > sizeof(savename) - 1) {
508 		if (auth_debug_mode)
509 			printf(">>>%s: Name in NAME (%d) exceeds %d length\r\n",
510 					Name, cnt, (u_int)sizeof(savename)-1);
511 		return;
512 	}
513 	memmove((void *)savename, (void *)data, cnt);
514 	savename[cnt] = '\0';	/* Null terminate */
515 	if (auth_debug_mode)
516 		printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
517 	auth_encrypt_user(savename);
518 }
519 
520 int
521 auth_sendname(unsigned char *cp, int len)
522 {
523 	static unsigned char str_request[256+6]
524 			= { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
525 	unsigned char *e = str_request + 4;
526 	unsigned char *ee = &str_request[sizeof(str_request)-2];
527 
528 	while (--len >= 0) {
529 		if ((*e++ = *cp++) == IAC)
530 			*e++ = IAC;
531 		if (e >= ee)
532 			return(0);
533 	}
534 	*e++ = IAC;
535 	*e++ = SE;
536 	net_write(str_request, e - str_request);
537 	printsub('>', &str_request[2], e - &str_request[2]);
538 	return(1);
539 }
540 
541 void
542 auth_finished(Authenticator *ap, int result)
543 {
544 	if (!(authenticated = ap))
545 		authenticated = &NoAuth;
546 	validuser = result;
547 }
548 
549 /* ARGSUSED */
550 static void
551 auth_intr(int sig __unused)
552 {
553 	auth_finished(0, AUTH_REJECT);
554 }
555 
556 int
557 auth_wait(char *name)
558 {
559 	if (auth_debug_mode)
560 		printf(">>>%s: in auth_wait.\r\n", Name);
561 
562 	if (Server && !authenticating)
563 		return(0);
564 
565 	(void) signal(SIGALRM, auth_intr);
566 	alarm(30);
567 	while (!authenticated)
568 		if (telnet_spin())
569 			break;
570 	alarm(0);
571 	(void) signal(SIGALRM, SIG_DFL);
572 
573 	/*
574 	 * Now check to see if the user is valid or not
575 	 */
576 	if (!authenticated || authenticated == &NoAuth)
577 		return(AUTH_REJECT);
578 
579 	if (validuser == AUTH_VALID)
580 		validuser = AUTH_USER;
581 
582 	if (authenticated->status)
583 		validuser = (*authenticated->status)(authenticated,
584 						     name, validuser);
585 	return(validuser);
586 }
587 
588 void
589 auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
590 {
591 	Authenticator *ap;
592 
593 	if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
594 		(*ap->printsub)(data, cnt, buf, buflen);
595 	else
596 		auth_gen_printsub(data, cnt, buf, buflen);
597 }
598 
599 void
600 auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
601 {
602 	unsigned char *cp;
603 	unsigned char tbuf[16];
604 
605 	cnt -= 3;
606 	data += 3;
607 	buf[buflen-1] = '\0';
608 	buf[buflen-2] = '*';
609 	buflen -= 2;
610 	for (; cnt > 0; cnt--, data++) {
611 		sprintf((char *)tbuf, " %d", *data);
612 		for (cp = tbuf; *cp && buflen > 0; --buflen)
613 			*buf++ = *cp++;
614 		if (buflen <= 0)
615 			return;
616 	}
617 	*buf = '\0';
618 }
619 #endif
620