telnet/libtelnet/auth.c

13e3f4d6SMark Murray/*-
13e3f4d6SMark Murray * Copyright (c) 1991, 1993
13e3f4d6SMark Murray *	The Regents of the University of California.  All rights reserved.
13e3f4d6SMark Murray *
13e3f4d6SMark Murray * Redistribution and use in source and binary forms, with or without
13e3f4d6SMark Murray * modification, are permitted provided that the following conditions
13e3f4d6SMark Murray * are met:
13e3f4d6SMark Murray * 1. Redistributions of source code must retain the above copyright
13e3f4d6SMark Murray *    notice, this list of conditions and the following disclaimer.
13e3f4d6SMark Murray * 2. Redistributions in binary form must reproduce the above copyright
13e3f4d6SMark Murray *    notice, this list of conditions and the following disclaimer in the
13e3f4d6SMark Murray *    documentation and/or other materials provided with the distribution.
13e3f4d6SMark Murray * 3. All advertising materials mentioning features or use of this software
13e3f4d6SMark Murray *    must display the following acknowledgement:
13e3f4d6SMark Murray *	This product includes software developed by the University of
13e3f4d6SMark Murray *	California, Berkeley and its contributors.
13e3f4d6SMark Murray * 4. Neither the name of the University nor the names of its contributors
13e3f4d6SMark Murray *    may be used to endorse or promote products derived from this software
13e3f4d6SMark Murray *    without specific prior written permission.
13e3f4d6SMark Murray *
13e3f4d6SMark Murray * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
13e3f4d6SMark Murray * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
13e3f4d6SMark Murray * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
13e3f4d6SMark Murray * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
13e3f4d6SMark Murray * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
13e3f4d6SMark Murray * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
13e3f4d6SMark Murray * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
13e3f4d6SMark Murray * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
13e3f4d6SMark Murray * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
13e3f4d6SMark Murray * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
13e3f4d6SMark Murray * SUCH DAMAGE.
13e3f4d6SMark Murray */
13e3f4d6SMark Murray
13e3f4d6SMark Murray/*
13e3f4d6SMark Murray * Copyright (C) 1990 by the Massachusetts Institute of Technology
13e3f4d6SMark Murray *
13e3f4d6SMark Murray * Export of this software from the United States of America is assumed
13e3f4d6SMark Murray * to require a specific license from the United States Government.
13e3f4d6SMark Murray * It is the responsibility of any person or organization contemplating
13e3f4d6SMark Murray * export to obtain such a license before exporting.
13e3f4d6SMark Murray *
13e3f4d6SMark Murray * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13e3f4d6SMark Murray * distribute this software and its documentation for any purpose and
13e3f4d6SMark Murray * without fee is hereby granted, provided that the above copyright
13e3f4d6SMark Murray * notice appear in all copies and that both that copyright notice and
13e3f4d6SMark Murray * this permission notice appear in supporting documentation, and that
13e3f4d6SMark Murray * the name of M.I.T. not be used in advertising or publicity pertaining
13e3f4d6SMark Murray * to distribution of the software without specific, written prior
13e3f4d6SMark Murray * permission.  M.I.T. makes no representations about the suitability of
13e3f4d6SMark Murray * this software for any purpose.  It is provided "as is" without express
13e3f4d6SMark Murray * or implied warranty.
13e3f4d6SMark Murray */
13e3f4d6SMark Murray
13e3f4d6SMark Murray#include <config.h>
13e3f4d6SMark Murray
*ae771770SStanislav SedovRCSID("$Id$");
13e3f4d6SMark Murray
13e3f4d6SMark Murray#if	defined(AUTHENTICATION)
13e3f4d6SMark Murray#include <stdio.h>
13e3f4d6SMark Murray#ifdef HAVE_SYS_TYPES_H
13e3f4d6SMark Murray#include <sys/types.h>
13e3f4d6SMark Murray#endif
13e3f4d6SMark Murray#include <signal.h>
13e3f4d6SMark Murray#define	AUTH_NAMES
13e3f4d6SMark Murray#ifdef HAVE_ARPA_TELNET_H
13e3f4d6SMark Murray#include <arpa/telnet.h>
13e3f4d6SMark Murray#endif
13e3f4d6SMark Murray#include <stdlib.h>
13e3f4d6SMark Murray#include <string.h>
13e3f4d6SMark Murray
13e3f4d6SMark Murray#include <roken.h>
13e3f4d6SMark Murray
13e3f4d6SMark Murray#ifdef SOCKS
13e3f4d6SMark Murray#include <socks.h>
13e3f4d6SMark Murray#endif
13e3f4d6SMark Murray
13e3f4d6SMark Murray#include "encrypt.h"
13e3f4d6SMark Murray#include "auth.h"
13e3f4d6SMark Murray#include "misc-proto.h"
13e3f4d6SMark Murray#include "auth-proto.h"
13e3f4d6SMark Murray
13e3f4d6SMark Murray#define	typemask(x)		(1<<((x)-1))
13e3f4d6SMark Murray
13e3f4d6SMark Murray#ifdef	RSA_ENCPWD
13e3f4d6SMark Murrayextern rsaencpwd_init();
13e3f4d6SMark Murrayextern rsaencpwd_send();
13e3f4d6SMark Murrayextern rsaencpwd_is();
13e3f4d6SMark Murrayextern rsaencpwd_reply();
13e3f4d6SMark Murrayextern rsaencpwd_status();
13e3f4d6SMark Murrayextern rsaencpwd_printsub();
13e3f4d6SMark Murray#endif
13e3f4d6SMark Murray
13e3f4d6SMark Murrayint auth_debug_mode = 0;
4137ff4cSJacques Vidrineint auth_has_failed  = 0;
4137ff4cSJacques Vidrineint auth_enable_encrypt = 0;
13e3f4d6SMark Murraystatic 	const	char	*Name = "Noname";
13e3f4d6SMark Murraystatic	int	Server = 0;
13e3f4d6SMark Murraystatic	Authenticator	*authenticated = 0;
13e3f4d6SMark Murraystatic	int	authenticating = 0;
13e3f4d6SMark Murraystatic	int	validuser = 0;
13e3f4d6SMark Murraystatic	unsigned char	_auth_send_data[256];
13e3f4d6SMark Murraystatic	unsigned char	*auth_send_data;
13e3f4d6SMark Murraystatic	int	auth_send_cnt = 0;
13e3f4d6SMark Murray
13e3f4d6SMark Murray/*
13e3f4d6SMark Murray * Authentication types supported.  Plese note that these are stored
13e3f4d6SMark Murray * in priority order, i.e. try the first one first.
13e3f4d6SMark Murray */
13e3f4d6SMark MurrayAuthenticator authenticators[] = {
13e3f4d6SMark Murray#ifdef UNSAFE
13e3f4d6SMark Murray    { AUTHTYPE_UNSAFE, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
13e3f4d6SMark Murray      unsafe_init,
13e3f4d6SMark Murray      unsafe_send,
13e3f4d6SMark Murray      unsafe_is,
13e3f4d6SMark Murray      unsafe_reply,
13e3f4d6SMark Murray      unsafe_status,
13e3f4d6SMark Murray      unsafe_printsub },
13e3f4d6SMark Murray#endif
13e3f4d6SMark Murray#ifdef SRA
13e3f4d6SMark Murray    { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
13e3f4d6SMark Murray      sra_init,
13e3f4d6SMark Murray      sra_send,
13e3f4d6SMark Murray      sra_is,
13e3f4d6SMark Murray      sra_reply,
13e3f4d6SMark Murray      sra_status,
13e3f4d6SMark Murray      sra_printsub },
13e3f4d6SMark Murray#endif
13e3f4d6SMark Murray#ifdef	SPX
13e3f4d6SMark Murray    { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
13e3f4d6SMark Murray      spx_init,
13e3f4d6SMark Murray      spx_send,
13e3f4d6SMark Murray      spx_is,
13e3f4d6SMark Murray      spx_reply,
13e3f4d6SMark Murray      spx_status,
13e3f4d6SMark Murray      spx_printsub },
13e3f4d6SMark Murray    { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
13e3f4d6SMark Murray      spx_init,
13e3f4d6SMark Murray      spx_send,
13e3f4d6SMark Murray      spx_is,
13e3f4d6SMark Murray      spx_reply,
13e3f4d6SMark Murray      spx_status,
13e3f4d6SMark Murray      spx_printsub },
13e3f4d6SMark Murray#endif
13e3f4d6SMark Murray#ifdef	KRB5
13e3f4d6SMark Murray    { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
13e3f4d6SMark Murray      kerberos5_init,
13e3f4d6SMark Murray      kerberos5_send_mutual,
13e3f4d6SMark Murray      kerberos5_is,
13e3f4d6SMark Murray      kerberos5_reply,
13e3f4d6SMark Murray      kerberos5_status,
13e3f4d6SMark Murray      kerberos5_printsub },
13e3f4d6SMark Murray    { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
13e3f4d6SMark Murray      kerberos5_init,
13e3f4d6SMark Murray      kerberos5_send_oneway,
13e3f4d6SMark Murray      kerberos5_is,
13e3f4d6SMark Murray      kerberos5_reply,
13e3f4d6SMark Murray      kerberos5_status,
13e3f4d6SMark Murray      kerberos5_printsub },
13e3f4d6SMark Murray#endif
13e3f4d6SMark Murray#ifdef	RSA_ENCPWD
13e3f4d6SMark Murray    { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
13e3f4d6SMark Murray      rsaencpwd_init,
13e3f4d6SMark Murray      rsaencpwd_send,
13e3f4d6SMark Murray      rsaencpwd_is,
13e3f4d6SMark Murray      rsaencpwd_reply,
13e3f4d6SMark Murray      rsaencpwd_status,
13e3f4d6SMark Murray      rsaencpwd_printsub },
13e3f4d6SMark Murray#endif
13e3f4d6SMark Murray    { 0, },
13e3f4d6SMark Murray};
13e3f4d6SMark Murray
13e3f4d6SMark Murraystatic Authenticator NoAuth = { 0 };
13e3f4d6SMark Murray
13e3f4d6SMark Murraystatic int	i_support = 0;
13e3f4d6SMark Murraystatic int	i_wont_support = 0;
13e3f4d6SMark Murray
13e3f4d6SMark MurrayAuthenticator *
13e3f4d6SMark Murrayfindauthenticator(int type, int way)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    Authenticator *ap = authenticators;
13e3f4d6SMark Murray
13e3f4d6SMark Murray    while (ap->type && (ap->type != type || ap->way != way))
13e3f4d6SMark Murray	++ap;
13e3f4d6SMark Murray    return(ap->type ? ap : 0);
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayvoid
13e3f4d6SMark Murrayauth_init(const char *name, int server)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    Authenticator *ap = authenticators;
13e3f4d6SMark Murray
13e3f4d6SMark Murray    Server = server;
13e3f4d6SMark Murray    Name = name;
13e3f4d6SMark Murray
13e3f4d6SMark Murray    i_support = 0;
13e3f4d6SMark Murray    authenticated = 0;
13e3f4d6SMark Murray    authenticating = 0;
13e3f4d6SMark Murray    while (ap->type) {
13e3f4d6SMark Murray	if (!ap->init || (*ap->init)(ap, server)) {
13e3f4d6SMark Murray	    i_support |= typemask(ap->type);
13e3f4d6SMark Murray	    if (auth_debug_mode)
13e3f4d6SMark Murray		printf(">>>%s: I support auth type %d %d\r\n",
13e3f4d6SMark Murray		       Name,
13e3f4d6SMark Murray		       ap->type, ap->way);
13e3f4d6SMark Murray	}
13e3f4d6SMark Murray	else if (auth_debug_mode)
13e3f4d6SMark Murray	    printf(">>>%s: Init failed: auth type %d %d\r\n",
13e3f4d6SMark Murray		   Name, ap->type, ap->way);
13e3f4d6SMark Murray	++ap;
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayvoid
13e3f4d6SMark Murrayauth_disable_name(char *name)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    int x;
13e3f4d6SMark Murray    for (x = 0; x < AUTHTYPE_CNT; ++x) {
13e3f4d6SMark Murray	if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
13e3f4d6SMark Murray	    i_wont_support |= typemask(x);
13e3f4d6SMark Murray	    break;
13e3f4d6SMark Murray	}
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayint
13e3f4d6SMark Murraygetauthmask(char *type, int *maskp)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    int x;
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
13e3f4d6SMark Murray	*maskp = -1;
13e3f4d6SMark Murray	return(1);
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray
13e3f4d6SMark Murray    for (x = 1; x < AUTHTYPE_CNT; ++x) {
13e3f4d6SMark Murray	if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
13e3f4d6SMark Murray	    *maskp = typemask(x);
13e3f4d6SMark Murray	    return(1);
13e3f4d6SMark Murray	}
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray    return(0);
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayint
13e3f4d6SMark Murrayauth_enable(char *type)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    return(auth_onoff(type, 1));
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayint
13e3f4d6SMark Murrayauth_disable(char *type)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    return(auth_onoff(type, 0));
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayint
13e3f4d6SMark Murrayauth_onoff(char *type, int on)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    int i, mask = -1;
13e3f4d6SMark Murray    Authenticator *ap;
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
13e3f4d6SMark Murray	printf("auth %s 'type'\n", on ? "enable" : "disable");
13e3f4d6SMark Murray	printf("Where 'type' is one of:\n");
13e3f4d6SMark Murray	printf("\t%s\n", AUTHTYPE_NAME(0));
13e3f4d6SMark Murray	mask = 0;
13e3f4d6SMark Murray	for (ap = authenticators; ap->type; ap++) {
13e3f4d6SMark Murray	    if ((mask & (i = typemask(ap->type))) != 0)
13e3f4d6SMark Murray		continue;
13e3f4d6SMark Murray	    mask |= i;
13e3f4d6SMark Murray	    printf("\t%s\n", AUTHTYPE_NAME(ap->type));
13e3f4d6SMark Murray	}
13e3f4d6SMark Murray	return(0);
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if (!getauthmask(type, &mask)) {
13e3f4d6SMark Murray	printf("%s: invalid authentication type\n", type);
13e3f4d6SMark Murray	return(0);
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray    if (on)
13e3f4d6SMark Murray	i_wont_support &= ~mask;
13e3f4d6SMark Murray    else
13e3f4d6SMark Murray	i_wont_support |= mask;
13e3f4d6SMark Murray    return(1);
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayint
13e3f4d6SMark Murrayauth_togdebug(int on)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    if (on < 0)
13e3f4d6SMark Murray	auth_debug_mode ^= 1;
13e3f4d6SMark Murray    else
13e3f4d6SMark Murray	auth_debug_mode = on;
13e3f4d6SMark Murray    printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
13e3f4d6SMark Murray    return(1);
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayint
13e3f4d6SMark Murrayauth_status(void)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    Authenticator *ap;
13e3f4d6SMark Murray    int i, mask;
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if (i_wont_support == -1)
13e3f4d6SMark Murray	printf("Authentication disabled\n");
13e3f4d6SMark Murray    else
13e3f4d6SMark Murray	printf("Authentication enabled\n");
13e3f4d6SMark Murray
13e3f4d6SMark Murray    mask = 0;
13e3f4d6SMark Murray    for (ap = authenticators; ap->type; ap++) {
13e3f4d6SMark Murray	if ((mask & (i = typemask(ap->type))) != 0)
13e3f4d6SMark Murray	    continue;
13e3f4d6SMark Murray	mask |= i;
13e3f4d6SMark Murray	printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
13e3f4d6SMark Murray	       (i_wont_support & typemask(ap->type)) ?
13e3f4d6SMark Murray	       "disabled" : "enabled");
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray    return(1);
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murray/*
13e3f4d6SMark Murray * This routine is called by the server to start authentication
13e3f4d6SMark Murray * negotiation.
13e3f4d6SMark Murray */
13e3f4d6SMark Murrayvoid
13e3f4d6SMark Murrayauth_request(void)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    static unsigned char str_request[64] = { IAC, SB,
13e3f4d6SMark Murray					     TELOPT_AUTHENTICATION,
13e3f4d6SMark Murray					     TELQUAL_SEND, };
13e3f4d6SMark Murray    Authenticator *ap = authenticators;
13e3f4d6SMark Murray    unsigned char *e = str_request + 4;
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if (!authenticating) {
13e3f4d6SMark Murray	authenticating = 1;
13e3f4d6SMark Murray	while (ap->type) {
13e3f4d6SMark Murray	    if (i_support & ~i_wont_support & typemask(ap->type)) {
13e3f4d6SMark Murray		if (auth_debug_mode) {
13e3f4d6SMark Murray		    printf(">>>%s: Sending type %d %d\r\n",
13e3f4d6SMark Murray			   Name, ap->type, ap->way);
13e3f4d6SMark Murray		}
13e3f4d6SMark Murray		*e++ = ap->type;
13e3f4d6SMark Murray		*e++ = ap->way;
13e3f4d6SMark Murray	    }
13e3f4d6SMark Murray	    ++ap;
13e3f4d6SMark Murray	}
13e3f4d6SMark Murray	*e++ = IAC;
13e3f4d6SMark Murray	*e++ = SE;
13e3f4d6SMark Murray	telnet_net_write(str_request, e - str_request);
13e3f4d6SMark Murray	printsub('>', &str_request[2], e - str_request - 2);
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murray/*
13e3f4d6SMark Murray * This is called when an AUTH SEND is received.
13e3f4d6SMark Murray * It should never arrive on the server side (as only the server can
13e3f4d6SMark Murray * send an AUTH SEND).
13e3f4d6SMark Murray * You should probably respond to it if you can...
13e3f4d6SMark Murray *
13e3f4d6SMark Murray * If you want to respond to the types out of order (i.e. even
13e3f4d6SMark Murray * if he sends  LOGIN KERBEROS and you support both, you respond
13e3f4d6SMark Murray * with KERBEROS instead of LOGIN (which is against what the
13e3f4d6SMark Murray * protocol says)) you will have to hack this code...
13e3f4d6SMark Murray */
13e3f4d6SMark Murrayvoid
13e3f4d6SMark Murrayauth_send(unsigned char *data, int cnt)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    Authenticator *ap;
13e3f4d6SMark Murray    static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
13e3f4d6SMark Murray					TELQUAL_IS, AUTHTYPE_NULL, 0,
13e3f4d6SMark Murray					IAC, SE };
13e3f4d6SMark Murray    if (Server) {
13e3f4d6SMark Murray	if (auth_debug_mode) {
13e3f4d6SMark Murray	    printf(">>>%s: auth_send called!\r\n", Name);
13e3f4d6SMark Murray	}
13e3f4d6SMark Murray	return;
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if (auth_debug_mode) {
13e3f4d6SMark Murray	printf(">>>%s: auth_send got:", Name);
13e3f4d6SMark Murray	printd(data, cnt); printf("\r\n");
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray
13e3f4d6SMark Murray    /*
13e3f4d6SMark Murray     * Save the data, if it is new, so that we can continue looking
13e3f4d6SMark Murray     * at it if the authorization we try doesn't work
13e3f4d6SMark Murray     */
13e3f4d6SMark Murray    if (data < _auth_send_data ||
13e3f4d6SMark Murray	data > _auth_send_data + sizeof(_auth_send_data)) {
13e3f4d6SMark Murray	auth_send_cnt = cnt > sizeof(_auth_send_data)
13e3f4d6SMark Murray	    ? sizeof(_auth_send_data)
13e3f4d6SMark Murray	    : cnt;
13e3f4d6SMark Murray	memmove(_auth_send_data, data, auth_send_cnt);
13e3f4d6SMark Murray	auth_send_data = _auth_send_data;
13e3f4d6SMark Murray    } else {
13e3f4d6SMark Murray	/*
13e3f4d6SMark Murray	 * This is probably a no-op, but we just make sure
13e3f4d6SMark Murray	 */
13e3f4d6SMark Murray	auth_send_data = data;
13e3f4d6SMark Murray	auth_send_cnt = cnt;
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray    while ((auth_send_cnt -= 2) >= 0) {
13e3f4d6SMark Murray	if (auth_debug_mode)
13e3f4d6SMark Murray	    printf(">>>%s: He supports %d\r\n",
13e3f4d6SMark Murray		   Name, *auth_send_data);
13e3f4d6SMark Murray	if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
13e3f4d6SMark Murray	    ap = findauthenticator(auth_send_data[0],
13e3f4d6SMark Murray				   auth_send_data[1]);
13e3f4d6SMark Murray	    if (ap && ap->send) {
13e3f4d6SMark Murray		if (auth_debug_mode)
13e3f4d6SMark Murray		    printf(">>>%s: Trying %d %d\r\n",
13e3f4d6SMark Murray			   Name, auth_send_data[0],
13e3f4d6SMark Murray			   auth_send_data[1]);
13e3f4d6SMark Murray		if ((*ap->send)(ap)) {
13e3f4d6SMark Murray		    /*
13e3f4d6SMark Murray		     * Okay, we found one we like
13e3f4d6SMark Murray		     * and did it.
13e3f4d6SMark Murray		     * we can go home now.
13e3f4d6SMark Murray		     */
13e3f4d6SMark Murray		    if (auth_debug_mode)
13e3f4d6SMark Murray			printf(">>>%s: Using type %d\r\n",
13e3f4d6SMark Murray			       Name, *auth_send_data);
13e3f4d6SMark Murray		    auth_send_data += 2;
13e3f4d6SMark Murray		    return;
13e3f4d6SMark Murray		}
13e3f4d6SMark Murray	    }
13e3f4d6SMark Murray	    /* else
13e3f4d6SMark Murray	     *	just continue on and look for the
13e3f4d6SMark Murray	     *	next one if we didn't do anything.
13e3f4d6SMark Murray	     */
13e3f4d6SMark Murray	}
13e3f4d6SMark Murray	auth_send_data += 2;
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray    telnet_net_write(str_none, sizeof(str_none));
13e3f4d6SMark Murray    printsub('>', &str_none[2], sizeof(str_none) - 2);
13e3f4d6SMark Murray    if (auth_debug_mode)
13e3f4d6SMark Murray	printf(">>>%s: Sent failure message\r\n", Name);
13e3f4d6SMark Murray    auth_finished(0, AUTH_REJECT);
4137ff4cSJacques Vidrine    auth_has_failed = 1;
13e3f4d6SMark Murray#ifdef KANNAN
13e3f4d6SMark Murray    /*
13e3f4d6SMark Murray     *  We requested strong authentication, however no mechanisms worked.
13e3f4d6SMark Murray     *  Therefore, exit on client end.
13e3f4d6SMark Murray     */
13e3f4d6SMark Murray    printf("Unable to securely authenticate user ... exit\n");
13e3f4d6SMark Murray    exit(0);
13e3f4d6SMark Murray#endif /* KANNAN */
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayvoid
13e3f4d6SMark Murrayauth_send_retry(void)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    /*
13e3f4d6SMark Murray     * if auth_send_cnt <= 0 then auth_send will end up rejecting
13e3f4d6SMark Murray     * the authentication and informing the other side of this.
13e3f4d6SMark Murray	 */
13e3f4d6SMark Murray    auth_send(auth_send_data, auth_send_cnt);
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayvoid
13e3f4d6SMark Murrayauth_is(unsigned char *data, int cnt)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    Authenticator *ap;
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if (cnt < 2)
13e3f4d6SMark Murray	return;
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if (data[0] == AUTHTYPE_NULL) {
13e3f4d6SMark Murray	auth_finished(0, AUTH_REJECT);
13e3f4d6SMark Murray	return;
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if ((ap = findauthenticator(data[0], data[1]))) {
13e3f4d6SMark Murray	if (ap->is)
13e3f4d6SMark Murray	    (*ap->is)(ap, data+2, cnt-2);
13e3f4d6SMark Murray    } else if (auth_debug_mode)
13e3f4d6SMark Murray	printf(">>>%s: Invalid authentication in IS: %d\r\n",
13e3f4d6SMark Murray	       Name, *data);
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayvoid
13e3f4d6SMark Murrayauth_reply(unsigned char *data, int cnt)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    Authenticator *ap;
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if (cnt < 2)
13e3f4d6SMark Murray	return;
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if ((ap = findauthenticator(data[0], data[1]))) {
13e3f4d6SMark Murray	if (ap->reply)
13e3f4d6SMark Murray	    (*ap->reply)(ap, data+2, cnt-2);
13e3f4d6SMark Murray    } else if (auth_debug_mode)
13e3f4d6SMark Murray	printf(">>>%s: Invalid authentication in SEND: %d\r\n",
13e3f4d6SMark Murray	       Name, *data);
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayvoid
13e3f4d6SMark Murrayauth_name(unsigned char *data, int cnt)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    char savename[256];
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if (cnt < 1) {
13e3f4d6SMark Murray	if (auth_debug_mode)
13e3f4d6SMark Murray	    printf(">>>%s: Empty name in NAME\r\n", Name);
13e3f4d6SMark Murray	return;
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray    if (cnt > sizeof(savename) - 1) {
13e3f4d6SMark Murray	if (auth_debug_mode)
13e3f4d6SMark Murray	    printf(">>>%s: Name in NAME (%d) exceeds %lu length\r\n",
13e3f4d6SMark Murray		   Name, cnt, (unsigned long)(sizeof(savename)-1));
13e3f4d6SMark Murray	return;
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray    memmove(savename, data, cnt);
13e3f4d6SMark Murray    savename[cnt] = '\0';	/* Null terminate */
13e3f4d6SMark Murray    if (auth_debug_mode)
13e3f4d6SMark Murray	printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
13e3f4d6SMark Murray    auth_encrypt_user(savename);
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayint
13e3f4d6SMark Murrayauth_sendname(unsigned char *cp, int len)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    static unsigned char str_request[256+6]
13e3f4d6SMark Murray	= { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
13e3f4d6SMark Murray    unsigned char *e = str_request + 4;
13e3f4d6SMark Murray    unsigned char *ee = &str_request[sizeof(str_request)-2];
13e3f4d6SMark Murray
13e3f4d6SMark Murray    while (--len >= 0) {
13e3f4d6SMark Murray	if ((*e++ = *cp++) == IAC)
13e3f4d6SMark Murray	    *e++ = IAC;
13e3f4d6SMark Murray	if (e >= ee)
13e3f4d6SMark Murray	    return(0);
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray    *e++ = IAC;
13e3f4d6SMark Murray    *e++ = SE;
13e3f4d6SMark Murray    telnet_net_write(str_request, e - str_request);
13e3f4d6SMark Murray    printsub('>', &str_request[2], e - &str_request[2]);
13e3f4d6SMark Murray    return(1);
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayvoid
13e3f4d6SMark Murrayauth_finished(Authenticator *ap, int result)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    if (!(authenticated = ap))
13e3f4d6SMark Murray	authenticated = &NoAuth;
13e3f4d6SMark Murray    validuser = result;
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murray/* ARGSUSED */
13e3f4d6SMark Murraystatic void
13e3f4d6SMark Murrayauth_intr(int sig)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    auth_finished(0, AUTH_REJECT);
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayint
13e3f4d6SMark Murrayauth_wait(char *name, size_t name_sz)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    if (auth_debug_mode)
13e3f4d6SMark Murray	printf(">>>%s: in auth_wait.\r\n", Name);
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if (Server && !authenticating)
13e3f4d6SMark Murray	return(0);
13e3f4d6SMark Murray
13e3f4d6SMark Murray    signal(SIGALRM, auth_intr);
13e3f4d6SMark Murray    alarm(30);
13e3f4d6SMark Murray    while (!authenticated)
13e3f4d6SMark Murray	if (telnet_spin())
13e3f4d6SMark Murray	    break;
13e3f4d6SMark Murray    alarm(0);
13e3f4d6SMark Murray    signal(SIGALRM, SIG_DFL);
13e3f4d6SMark Murray
13e3f4d6SMark Murray    /*
13e3f4d6SMark Murray     * Now check to see if the user is valid or not
13e3f4d6SMark Murray     */
13e3f4d6SMark Murray    if (!authenticated || authenticated == &NoAuth)
13e3f4d6SMark Murray	return(AUTH_REJECT);
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if (validuser == AUTH_VALID)
13e3f4d6SMark Murray	validuser = AUTH_USER;
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if (authenticated->status)
13e3f4d6SMark Murray	validuser = (*authenticated->status)(authenticated,
13e3f4d6SMark Murray					     name, name_sz,
13e3f4d6SMark Murray					     validuser);
13e3f4d6SMark Murray    return(validuser);
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayvoid
13e3f4d6SMark Murrayauth_debug(int mode)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    auth_debug_mode = mode;
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayvoid
*ae771770SStanislav Sedovauth_printsub(unsigned char *data, size_t cnt,
*ae771770SStanislav Sedov	      unsigned char *buf, size_t buflen)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    Authenticator *ap;
13e3f4d6SMark Murray
13e3f4d6SMark Murray    if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
13e3f4d6SMark Murray	(*ap->printsub)(data, cnt, buf, buflen);
13e3f4d6SMark Murray    else
13e3f4d6SMark Murray	auth_gen_printsub(data, cnt, buf, buflen);
13e3f4d6SMark Murray}
13e3f4d6SMark Murray
13e3f4d6SMark Murrayvoid
*ae771770SStanislav Sedovauth_gen_printsub(unsigned char *data, size_t cnt,
*ae771770SStanislav Sedov		  unsigned char *buf, size_t buflen)
13e3f4d6SMark Murray{
13e3f4d6SMark Murray    unsigned char *cp;
13e3f4d6SMark Murray    unsigned char tbuf[16];
13e3f4d6SMark Murray
13e3f4d6SMark Murray    cnt -= 3;
13e3f4d6SMark Murray    data += 3;
13e3f4d6SMark Murray    buf[buflen-1] = '\0';
13e3f4d6SMark Murray    buf[buflen-2] = '*';
13e3f4d6SMark Murray    buflen -= 2;
13e3f4d6SMark Murray    for (; cnt > 0; cnt--, data++) {
4137ff4cSJacques Vidrine	snprintf((char*)tbuf, sizeof(tbuf), " %d", *data);
13e3f4d6SMark Murray	for (cp = tbuf; *cp && buflen > 0; --buflen)
13e3f4d6SMark Murray	    *buf++ = *cp++;
13e3f4d6SMark Murray	if (buflen <= 0)
13e3f4d6SMark Murray	    return;
13e3f4d6SMark Murray    }
13e3f4d6SMark Murray    *buf = '\0';
13e3f4d6SMark Murray}
13e3f4d6SMark Murray#endif