1 /*- 2 * Copyright (c) 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by the University of 16 * California, Berkeley and its contributors. 17 * 4. Neither the name of the University nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 /* 35 * Copyright (C) 1990 by the Massachusetts Institute of Technology 36 * 37 * Export of this software from the United States of America is assumed 38 * to require a specific license from the United States Government. 39 * It is the responsibility of any person or organization contemplating 40 * export to obtain such a license before exporting. 41 * 42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 43 * distribute this software and its documentation for any purpose and 44 * without fee is hereby granted, provided that the above copyright 45 * notice appear in all copies and that both that copyright notice and 46 * this permission notice appear in supporting documentation, and that 47 * the name of M.I.T. not be used in advertising or publicity pertaining 48 * to distribution of the software without specific, written prior 49 * permission. M.I.T. makes no representations about the suitability of 50 * this software for any purpose. It is provided "as is" without express 51 * or implied warranty. 52 */ 53 54 #include <config.h> 55 56 RCSID("$Id: auth.c,v 1.25 2002/01/18 12:58:48 joda Exp $"); 57 58 #if defined(AUTHENTICATION) 59 #include <stdio.h> 60 #ifdef HAVE_SYS_TYPES_H 61 #include <sys/types.h> 62 #endif 63 #include <signal.h> 64 #define AUTH_NAMES 65 #ifdef HAVE_ARPA_TELNET_H 66 #include <arpa/telnet.h> 67 #endif 68 #include <stdlib.h> 69 #include <string.h> 70 71 #include <roken.h> 72 73 #ifdef SOCKS 74 #include <socks.h> 75 #endif 76 77 #include "encrypt.h" 78 #include "auth.h" 79 #include "misc-proto.h" 80 #include "auth-proto.h" 81 82 #define typemask(x) (1<<((x)-1)) 83 84 #ifdef KRB4_ENCPWD 85 extern krb4encpwd_init(); 86 extern krb4encpwd_send(); 87 extern krb4encpwd_is(); 88 extern krb4encpwd_reply(); 89 extern krb4encpwd_status(); 90 extern krb4encpwd_printsub(); 91 #endif 92 93 #ifdef RSA_ENCPWD 94 extern rsaencpwd_init(); 95 extern rsaencpwd_send(); 96 extern rsaencpwd_is(); 97 extern rsaencpwd_reply(); 98 extern rsaencpwd_status(); 99 extern rsaencpwd_printsub(); 100 #endif 101 102 int auth_debug_mode = 0; 103 int auth_has_failed = 0; 104 int auth_enable_encrypt = 0; 105 static const char *Name = "Noname"; 106 static int Server = 0; 107 static Authenticator *authenticated = 0; 108 static int authenticating = 0; 109 static int validuser = 0; 110 static unsigned char _auth_send_data[256]; 111 static unsigned char *auth_send_data; 112 static int auth_send_cnt = 0; 113 114 /* 115 * Authentication types supported. Plese note that these are stored 116 * in priority order, i.e. try the first one first. 117 */ 118 Authenticator authenticators[] = { 119 #ifdef UNSAFE 120 { AUTHTYPE_UNSAFE, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, 121 unsafe_init, 122 unsafe_send, 123 unsafe_is, 124 unsafe_reply, 125 unsafe_status, 126 unsafe_printsub }, 127 #endif 128 #ifdef SRA 129 { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, 130 sra_init, 131 sra_send, 132 sra_is, 133 sra_reply, 134 sra_status, 135 sra_printsub }, 136 #endif 137 #ifdef SPX 138 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, 139 spx_init, 140 spx_send, 141 spx_is, 142 spx_reply, 143 spx_status, 144 spx_printsub }, 145 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, 146 spx_init, 147 spx_send, 148 spx_is, 149 spx_reply, 150 spx_status, 151 spx_printsub }, 152 #endif 153 #ifdef KRB5 154 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, 155 kerberos5_init, 156 kerberos5_send_mutual, 157 kerberos5_is, 158 kerberos5_reply, 159 kerberos5_status, 160 kerberos5_printsub }, 161 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, 162 kerberos5_init, 163 kerberos5_send_oneway, 164 kerberos5_is, 165 kerberos5_reply, 166 kerberos5_status, 167 kerberos5_printsub }, 168 #endif 169 #ifdef KRB4 170 { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, 171 kerberos4_init, 172 kerberos4_send_mutual, 173 kerberos4_is, 174 kerberos4_reply, 175 kerberos4_status, 176 kerberos4_printsub }, 177 { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, 178 kerberos4_init, 179 kerberos4_send_oneway, 180 kerberos4_is, 181 kerberos4_reply, 182 kerberos4_status, 183 kerberos4_printsub }, 184 #endif 185 #ifdef KRB4_ENCPWD 186 { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, 187 krb4encpwd_init, 188 krb4encpwd_send, 189 krb4encpwd_is, 190 krb4encpwd_reply, 191 krb4encpwd_status, 192 krb4encpwd_printsub }, 193 #endif 194 #ifdef RSA_ENCPWD 195 { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, 196 rsaencpwd_init, 197 rsaencpwd_send, 198 rsaencpwd_is, 199 rsaencpwd_reply, 200 rsaencpwd_status, 201 rsaencpwd_printsub }, 202 #endif 203 { 0, }, 204 }; 205 206 static Authenticator NoAuth = { 0 }; 207 208 static int i_support = 0; 209 static int i_wont_support = 0; 210 211 Authenticator * 212 findauthenticator(int type, int way) 213 { 214 Authenticator *ap = authenticators; 215 216 while (ap->type && (ap->type != type || ap->way != way)) 217 ++ap; 218 return(ap->type ? ap : 0); 219 } 220 221 void 222 auth_init(const char *name, int server) 223 { 224 Authenticator *ap = authenticators; 225 226 Server = server; 227 Name = name; 228 229 i_support = 0; 230 authenticated = 0; 231 authenticating = 0; 232 while (ap->type) { 233 if (!ap->init || (*ap->init)(ap, server)) { 234 i_support |= typemask(ap->type); 235 if (auth_debug_mode) 236 printf(">>>%s: I support auth type %d %d\r\n", 237 Name, 238 ap->type, ap->way); 239 } 240 else if (auth_debug_mode) 241 printf(">>>%s: Init failed: auth type %d %d\r\n", 242 Name, ap->type, ap->way); 243 ++ap; 244 } 245 } 246 247 void 248 auth_disable_name(char *name) 249 { 250 int x; 251 for (x = 0; x < AUTHTYPE_CNT; ++x) { 252 if (!strcasecmp(name, AUTHTYPE_NAME(x))) { 253 i_wont_support |= typemask(x); 254 break; 255 } 256 } 257 } 258 259 int 260 getauthmask(char *type, int *maskp) 261 { 262 int x; 263 264 if (!strcasecmp(type, AUTHTYPE_NAME(0))) { 265 *maskp = -1; 266 return(1); 267 } 268 269 for (x = 1; x < AUTHTYPE_CNT; ++x) { 270 if (!strcasecmp(type, AUTHTYPE_NAME(x))) { 271 *maskp = typemask(x); 272 return(1); 273 } 274 } 275 return(0); 276 } 277 278 int 279 auth_enable(char *type) 280 { 281 return(auth_onoff(type, 1)); 282 } 283 284 int 285 auth_disable(char *type) 286 { 287 return(auth_onoff(type, 0)); 288 } 289 290 int 291 auth_onoff(char *type, int on) 292 { 293 int i, mask = -1; 294 Authenticator *ap; 295 296 if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) { 297 printf("auth %s 'type'\n", on ? "enable" : "disable"); 298 printf("Where 'type' is one of:\n"); 299 printf("\t%s\n", AUTHTYPE_NAME(0)); 300 mask = 0; 301 for (ap = authenticators; ap->type; ap++) { 302 if ((mask & (i = typemask(ap->type))) != 0) 303 continue; 304 mask |= i; 305 printf("\t%s\n", AUTHTYPE_NAME(ap->type)); 306 } 307 return(0); 308 } 309 310 if (!getauthmask(type, &mask)) { 311 printf("%s: invalid authentication type\n", type); 312 return(0); 313 } 314 if (on) 315 i_wont_support &= ~mask; 316 else 317 i_wont_support |= mask; 318 return(1); 319 } 320 321 int 322 auth_togdebug(int on) 323 { 324 if (on < 0) 325 auth_debug_mode ^= 1; 326 else 327 auth_debug_mode = on; 328 printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled"); 329 return(1); 330 } 331 332 int 333 auth_status(void) 334 { 335 Authenticator *ap; 336 int i, mask; 337 338 if (i_wont_support == -1) 339 printf("Authentication disabled\n"); 340 else 341 printf("Authentication enabled\n"); 342 343 mask = 0; 344 for (ap = authenticators; ap->type; ap++) { 345 if ((mask & (i = typemask(ap->type))) != 0) 346 continue; 347 mask |= i; 348 printf("%s: %s\n", AUTHTYPE_NAME(ap->type), 349 (i_wont_support & typemask(ap->type)) ? 350 "disabled" : "enabled"); 351 } 352 return(1); 353 } 354 355 /* 356 * This routine is called by the server to start authentication 357 * negotiation. 358 */ 359 void 360 auth_request(void) 361 { 362 static unsigned char str_request[64] = { IAC, SB, 363 TELOPT_AUTHENTICATION, 364 TELQUAL_SEND, }; 365 Authenticator *ap = authenticators; 366 unsigned char *e = str_request + 4; 367 368 if (!authenticating) { 369 authenticating = 1; 370 while (ap->type) { 371 if (i_support & ~i_wont_support & typemask(ap->type)) { 372 if (auth_debug_mode) { 373 printf(">>>%s: Sending type %d %d\r\n", 374 Name, ap->type, ap->way); 375 } 376 *e++ = ap->type; 377 *e++ = ap->way; 378 } 379 ++ap; 380 } 381 *e++ = IAC; 382 *e++ = SE; 383 telnet_net_write(str_request, e - str_request); 384 printsub('>', &str_request[2], e - str_request - 2); 385 } 386 } 387 388 /* 389 * This is called when an AUTH SEND is received. 390 * It should never arrive on the server side (as only the server can 391 * send an AUTH SEND). 392 * You should probably respond to it if you can... 393 * 394 * If you want to respond to the types out of order (i.e. even 395 * if he sends LOGIN KERBEROS and you support both, you respond 396 * with KERBEROS instead of LOGIN (which is against what the 397 * protocol says)) you will have to hack this code... 398 */ 399 void 400 auth_send(unsigned char *data, int cnt) 401 { 402 Authenticator *ap; 403 static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION, 404 TELQUAL_IS, AUTHTYPE_NULL, 0, 405 IAC, SE }; 406 if (Server) { 407 if (auth_debug_mode) { 408 printf(">>>%s: auth_send called!\r\n", Name); 409 } 410 return; 411 } 412 413 if (auth_debug_mode) { 414 printf(">>>%s: auth_send got:", Name); 415 printd(data, cnt); printf("\r\n"); 416 } 417 418 /* 419 * Save the data, if it is new, so that we can continue looking 420 * at it if the authorization we try doesn't work 421 */ 422 if (data < _auth_send_data || 423 data > _auth_send_data + sizeof(_auth_send_data)) { 424 auth_send_cnt = cnt > sizeof(_auth_send_data) 425 ? sizeof(_auth_send_data) 426 : cnt; 427 memmove(_auth_send_data, data, auth_send_cnt); 428 auth_send_data = _auth_send_data; 429 } else { 430 /* 431 * This is probably a no-op, but we just make sure 432 */ 433 auth_send_data = data; 434 auth_send_cnt = cnt; 435 } 436 while ((auth_send_cnt -= 2) >= 0) { 437 if (auth_debug_mode) 438 printf(">>>%s: He supports %d\r\n", 439 Name, *auth_send_data); 440 if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) { 441 ap = findauthenticator(auth_send_data[0], 442 auth_send_data[1]); 443 if (ap && ap->send) { 444 if (auth_debug_mode) 445 printf(">>>%s: Trying %d %d\r\n", 446 Name, auth_send_data[0], 447 auth_send_data[1]); 448 if ((*ap->send)(ap)) { 449 /* 450 * Okay, we found one we like 451 * and did it. 452 * we can go home now. 453 */ 454 if (auth_debug_mode) 455 printf(">>>%s: Using type %d\r\n", 456 Name, *auth_send_data); 457 auth_send_data += 2; 458 return; 459 } 460 } 461 /* else 462 * just continue on and look for the 463 * next one if we didn't do anything. 464 */ 465 } 466 auth_send_data += 2; 467 } 468 telnet_net_write(str_none, sizeof(str_none)); 469 printsub('>', &str_none[2], sizeof(str_none) - 2); 470 if (auth_debug_mode) 471 printf(">>>%s: Sent failure message\r\n", Name); 472 auth_finished(0, AUTH_REJECT); 473 auth_has_failed = 1; 474 #ifdef KANNAN 475 /* 476 * We requested strong authentication, however no mechanisms worked. 477 * Therefore, exit on client end. 478 */ 479 printf("Unable to securely authenticate user ... exit\n"); 480 exit(0); 481 #endif /* KANNAN */ 482 } 483 484 void 485 auth_send_retry(void) 486 { 487 /* 488 * if auth_send_cnt <= 0 then auth_send will end up rejecting 489 * the authentication and informing the other side of this. 490 */ 491 auth_send(auth_send_data, auth_send_cnt); 492 } 493 494 void 495 auth_is(unsigned char *data, int cnt) 496 { 497 Authenticator *ap; 498 499 if (cnt < 2) 500 return; 501 502 if (data[0] == AUTHTYPE_NULL) { 503 auth_finished(0, AUTH_REJECT); 504 return; 505 } 506 507 if ((ap = findauthenticator(data[0], data[1]))) { 508 if (ap->is) 509 (*ap->is)(ap, data+2, cnt-2); 510 } else if (auth_debug_mode) 511 printf(">>>%s: Invalid authentication in IS: %d\r\n", 512 Name, *data); 513 } 514 515 void 516 auth_reply(unsigned char *data, int cnt) 517 { 518 Authenticator *ap; 519 520 if (cnt < 2) 521 return; 522 523 if ((ap = findauthenticator(data[0], data[1]))) { 524 if (ap->reply) 525 (*ap->reply)(ap, data+2, cnt-2); 526 } else if (auth_debug_mode) 527 printf(">>>%s: Invalid authentication in SEND: %d\r\n", 528 Name, *data); 529 } 530 531 void 532 auth_name(unsigned char *data, int cnt) 533 { 534 char savename[256]; 535 536 if (cnt < 1) { 537 if (auth_debug_mode) 538 printf(">>>%s: Empty name in NAME\r\n", Name); 539 return; 540 } 541 if (cnt > sizeof(savename) - 1) { 542 if (auth_debug_mode) 543 printf(">>>%s: Name in NAME (%d) exceeds %lu length\r\n", 544 Name, cnt, (unsigned long)(sizeof(savename)-1)); 545 return; 546 } 547 memmove(savename, data, cnt); 548 savename[cnt] = '\0'; /* Null terminate */ 549 if (auth_debug_mode) 550 printf(">>>%s: Got NAME [%s]\r\n", Name, savename); 551 auth_encrypt_user(savename); 552 } 553 554 int 555 auth_sendname(unsigned char *cp, int len) 556 { 557 static unsigned char str_request[256+6] 558 = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, }; 559 unsigned char *e = str_request + 4; 560 unsigned char *ee = &str_request[sizeof(str_request)-2]; 561 562 while (--len >= 0) { 563 if ((*e++ = *cp++) == IAC) 564 *e++ = IAC; 565 if (e >= ee) 566 return(0); 567 } 568 *e++ = IAC; 569 *e++ = SE; 570 telnet_net_write(str_request, e - str_request); 571 printsub('>', &str_request[2], e - &str_request[2]); 572 return(1); 573 } 574 575 void 576 auth_finished(Authenticator *ap, int result) 577 { 578 if (!(authenticated = ap)) 579 authenticated = &NoAuth; 580 validuser = result; 581 } 582 583 /* ARGSUSED */ 584 static void 585 auth_intr(int sig) 586 { 587 auth_finished(0, AUTH_REJECT); 588 } 589 590 int 591 auth_wait(char *name, size_t name_sz) 592 { 593 if (auth_debug_mode) 594 printf(">>>%s: in auth_wait.\r\n", Name); 595 596 if (Server && !authenticating) 597 return(0); 598 599 signal(SIGALRM, auth_intr); 600 alarm(30); 601 while (!authenticated) 602 if (telnet_spin()) 603 break; 604 alarm(0); 605 signal(SIGALRM, SIG_DFL); 606 607 /* 608 * Now check to see if the user is valid or not 609 */ 610 if (!authenticated || authenticated == &NoAuth) 611 return(AUTH_REJECT); 612 613 if (validuser == AUTH_VALID) 614 validuser = AUTH_USER; 615 616 if (authenticated->status) 617 validuser = (*authenticated->status)(authenticated, 618 name, name_sz, 619 validuser); 620 return(validuser); 621 } 622 623 void 624 auth_debug(int mode) 625 { 626 auth_debug_mode = mode; 627 } 628 629 void 630 auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) 631 { 632 Authenticator *ap; 633 634 if ((ap = findauthenticator(data[1], data[2])) && ap->printsub) 635 (*ap->printsub)(data, cnt, buf, buflen); 636 else 637 auth_gen_printsub(data, cnt, buf, buflen); 638 } 639 640 void 641 auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) 642 { 643 unsigned char *cp; 644 unsigned char tbuf[16]; 645 646 cnt -= 3; 647 data += 3; 648 buf[buflen-1] = '\0'; 649 buf[buflen-2] = '*'; 650 buflen -= 2; 651 for (; cnt > 0; cnt--, data++) { 652 snprintf((char*)tbuf, sizeof(tbuf), " %d", *data); 653 for (cp = tbuf; *cp && buflen > 0; --buflen) 654 *buf++ = *cp++; 655 if (buflen <= 0) 656 return; 657 } 658 *buf = '\0'; 659 } 660 #endif 661