1 /*- 2 * Copyright (c) 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by the University of 16 * California, Berkeley and its contributors. 17 * 4. Neither the name of the University nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 
32 */ 33 34 /* 35 * Copyright (C) 1990 by the Massachusetts Institute of Technology 36 * 37 * Export of this software from the United States of America is assumed 38 * to require a specific license from the United States Government. 39 * It is the responsibility of any person or organization contemplating 40 * export to obtain such a license before exporting. 41 * 42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 43 * distribute this software and its documentation for any purpose and 44 * without fee is hereby granted, provided that the above copyright 45 * notice appear in all copies and that both that copyright notice and 46 * this permission notice appear in supporting documentation, and that 47 * the name of M.I.T. not be used in advertising or publicity pertaining 48 * to distribution of the software without specific, written prior 49 * permission. M.I.T. makes no representations about the suitability of 50 * this software for any purpose. It is provided "as is" without express 51 * or implied warranty. 
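*/

#include <config.h>

RCSID("$Id: auth.c,v 1.23 2000/01/18 03:09:34 assar Exp $");

#if defined(AUTHENTICATION)
#include <stdio.h>
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <limits.h>
#include <signal.h>
#define AUTH_NAMES
#ifdef HAVE_ARPA_TELNET_H
#include <arpa/telnet.h>
#endif
#include <stdlib.h>
#include <string.h>

#include <roken.h>

#ifdef SOCKS
#include <socks.h>
#endif

#include "encrypt.h"
#include "auth.h"
#include "misc-proto.h"
#include "auth-proto.h"

/*
 * Bit that stands for authentication type x in the i_support /
 * i_wont_support masks.  Only defined for 1 <= x <= TYPEMASK_MAX: x == 0
 * shifts by -1 and x >= 32 shifts by the word width, both undefined
 * behaviour.  Values that come off the wire must go through
 * authtype_mask() below instead of using this macro directly.
 */
#define typemask(x) (1<<((x)-1))

/* Highest type number that still has a bit in an int-sized mask. */
#define TYPEMASK_MAX ((int)(sizeof(int) * CHAR_BIT) - 1)

/*
 * Range-checked typemask().  Returns 0 (no bit set) for AUTHTYPE_NULL and
 * for any type number too large for the mask, so that a type byte chosen
 * by the peer can never turn into an out-of-range shift.
 */
static int
authtype_mask(int type)
{
    if (type < 1 || type > TYPEMASK_MAX)
        return 0;
    return typemask(type);
}

#ifdef KRB4_ENCPWD
extern int krb4encpwd_init();
extern int krb4encpwd_send();
extern int krb4encpwd_is();
extern int krb4encpwd_reply();
extern int krb4encpwd_status();
extern int krb4encpwd_printsub();
#endif

#ifdef RSA_ENCPWD
extern int rsaencpwd_init();
extern int rsaencpwd_send();
extern int rsaencpwd_is();
extern int rsaencpwd_reply();
extern int rsaencpwd_status();
extern int rsaencpwd_printsub();
#endif

int auth_debug_mode = 0;
/* Label used as a prefix in debug output; set by auth_init(). */
static const char *Name = "Noname";
/* Non-zero when this side is the telnet server. */
static int Server = 0;
/* Authenticator that completed, or &NoAuth once the exchange is over. */
static Authenticator *authenticated = 0;
static int authenticating = 0;
/* Result code passed to auth_finished() (AUTH_REJECT / AUTH_VALID / ...). */
static int validuser = 0;
/*
 * Copy of the last AUTH SEND list received from the server, so that
 * auth_send_retry() can resume scanning it after a failed attempt.
 * auth_send_data walks through _auth_send_data; auth_send_cnt is the
 * number of bytes not yet consumed.
 */
static unsigned char _auth_send_data[256];
static unsigned char *auth_send_data;
static int auth_send_cnt = 0;

/*
 * Authentication types supported.  Please note that these are stored
 * in priority order, i.e. try the first one first.
 */
Authenticator authenticators[] = {
#ifdef UNSAFE
    { AUTHTYPE_UNSAFE, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
      unsafe_init,
      unsafe_send,
      unsafe_is,
      unsafe_reply,
      unsafe_status,
      unsafe_printsub },
#endif
#ifdef SRA
    { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
      sra_init,
      sra_send,
      sra_is,
      sra_reply,
      sra_status,
      sra_printsub },
#endif
#ifdef SPX
    { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
      spx_init,
      spx_send,
      spx_is,
      spx_reply,
      spx_status,
      spx_printsub },
    { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
      spx_init,
      spx_send,
      spx_is,
      spx_reply,
      spx_status,
      spx_printsub },
#endif
#ifdef KRB5
    { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
      kerberos5_init,
      kerberos5_send_mutual,
      kerberos5_is,
      kerberos5_reply,
      kerberos5_status,
      kerberos5_printsub },
    { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
      kerberos5_init,
      kerberos5_send_oneway,
      kerberos5_is,
      kerberos5_reply,
      kerberos5_status,
      kerberos5_printsub },
#endif
#ifdef KRB4
    { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
      kerberos4_init,
      kerberos4_send_mutual,
      kerberos4_is,
      kerberos4_reply,
      kerberos4_status,
      kerberos4_printsub },
    { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
      kerberos4_init,
      kerberos4_send_oneway,
      kerberos4_is,
      kerberos4_reply,
      kerberos4_status,
      kerberos4_printsub },
#endif
#ifdef KRB4_ENCPWD
    { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
      krb4encpwd_init,
      krb4encpwd_send,
      krb4encpwd_is,
      krb4encpwd_reply,
      krb4encpwd_status,
      krb4encpwd_printsub },
#endif
#ifdef RSA_ENCPWD
    { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
      rsaencpwd_init,
      rsaencpwd_send,
      rsaencpwd_is,
      rsaencpwd_reply,
      rsaencpwd_status,
      rsaencpwd_printsub },
#endif
    { 0, },
};

/* Sentinel stored in `authenticated' when the exchange ended without success. */
static Authenticator NoAuth = { 0 };

/* Types whose init() succeeded, as a typemask() bit set. */
static int i_support = 0;
/* Types the user switched off with auth_disable()/auth_disable_name(). */
static int i_wont_support = 0;

/*
 * Look up the table entry for a (type, way) pair.  Returns 0 if no
 * entry matches; a type is only accepted together with the exact
 * "way" (mutual / one-way, client / server) it was registered with.
 */
Authenticator *
findauthenticator(int type, int way)
{
    Authenticator *ap;

    for (ap = authenticators; ap->type; ++ap) {
        if (ap->type == type && ap->way == way)
            return ap;
    }
    return 0;
}

/*
 * Reset the negotiation state and run every authenticator's init hook.
 * name is the label used in debug output; server is non-zero on the
 * server side.  An entry with no init hook, or whose init hook returns
 * non-zero, is recorded in i_support.
 */
void
auth_init(const char *name, int server)
{
    Authenticator *ap = authenticators;

    Server = server;
    Name = name;

    i_support = 0;
    authenticated = 0;
    authenticating = 0;
    while (ap->type) {
        if (!ap->init || (*ap->init)(ap, server)) {
            i_support |= authtype_mask(ap->type);
            if (auth_debug_mode)
                printf(">>>%s: I support auth type %d %d\r\n",
                       Name,
                       ap->type, ap->way);
        }
        else if (auth_debug_mode)
            printf(">>>%s: Init failed: auth type %d %d\r\n",
                   Name, ap->type, ap->way);
        ++ap;
    }
}

/*
 * Translate an authentication type name (case-insensitive) into its
 * typemask() bit.  The name of AUTHTYPE_NULL maps to -1, i.e. "all
 * types", which is how auth_onoff() and auth_status() treat it.
 * Returns 1 and stores the mask in *maskp on success, 0 if the name
 * is not known.
 */
int
getauthmask(char *type, int *maskp)
{
    int x;

    if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
        *maskp = -1;
        return(1);
    }

    for (x = 1; x < AUTHTYPE_CNT; ++x) {
        if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
            *maskp = authtype_mask(x);
            return(1);
        }
    }
    return(0);
}

/*
 * Mark the named type as one we will not offer or accept.  Unknown
 * names are ignored.  Goes through getauthmask() so that the NULL
 * name means "everything", exactly as it does for auth_disable();
 * the old loop started at type 0 and evaluated typemask(0), an
 * undefined shift, for that name.
 */
void
auth_disable_name(char *name)
{
    int mask;

    if (getauthmask(name, &mask))
        i_wont_support |= mask;
}

int
auth_enable(char *type)
{
    return(auth_onoff(type, 1));
}

int
auth_disable(char *type)
{
    return(auth_onoff(type, 0));
}

/*
 * Enable (on != 0) or disable a type by name.  "?" or "help" prints the
 * list of known names instead and returns 0; an unknown name prints a
 * diagnostic and returns 0; otherwise i_wont_support is updated and 1
 * is returned.
 */
int
auth_onoff(char *type, int on)
{
    int i, mask = -1;
    Authenticator *ap;

    if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
        printf("auth %s 'type'\n", on ? "enable" : "disable");
        printf("Where 'type' is one of:\n");
        printf("\t%s\n", AUTHTYPE_NAME(0));
        mask = 0;
        for (ap = authenticators; ap->type; ap++) {
            /* a type with several "ways" is listed only once */
            if ((mask & (i = authtype_mask(ap->type))) != 0)
                continue;
            mask |= i;
            printf("\t%s\n", AUTHTYPE_NAME(ap->type));
        }
        return(0);
    }

    if (!getauthmask(type, &mask)) {
        printf("%s: invalid authentication type\n", type);
        return(0);
    }
    if (on)
        i_wont_support &= ~mask;
    else
        i_wont_support |= mask;
    return(1);
}

/*
 * Set (on >= 0) or toggle (on < 0) debug output and report the new state.
 */
int
auth_togdebug(int on)
{
    if (on < 0)
        auth_debug_mode ^= 1;
    else
        auth_debug_mode = on;
    printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
    return(1);
}

/*
 * Print whether authentication is enabled at all and, per type, whether
 * the user has disabled it.  Always returns 1.
 */
int
auth_status(void)
{
    Authenticator *ap;
    int i, mask;

    if (i_wont_support == -1)
        printf("Authentication disabled\n");
    else
        printf("Authentication enabled\n");

    mask = 0;
    for (ap = authenticators; ap->type; ap++) {
        if ((mask & (i = authtype_mask(ap->type))) != 0)
            continue;
        mask |= i;
        printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
               (i_wont_support & authtype_mask(ap->type)) ?
               "disabled" : "enabled");
    }
    return(1);
}

/*
 * This routine is called by the server to start authentication
 * negotiation: it sends IAC SB AUTHENTICATION SEND followed by one
 * (type, way) pair for every supported and enabled table entry, then
 * IAC SE.  A second call while a negotiation is in progress does
 * nothing.
 *
 * str_request is a fixed 64-byte buffer; pairs that would not leave
 * room for the closing IAC SE are dropped (with a debug message) rather
 * than written past the end.
 */
void
auth_request(void)
{
    static unsigned char str_request[64] = { IAC, SB,
                                             TELOPT_AUTHENTICATION,
                                             TELQUAL_SEND, };
    Authenticator *ap;
    unsigned char *e = str_request + 4;
    /* last position a pair may start at and still leave room for IAC SE */
    unsigned char *ee = str_request + sizeof(str_request) - 2;

    if (authenticating)
        return;
    authenticating = 1;

    for (ap = authenticators; ap->type; ++ap) {
        if (!(i_support & ~i_wont_support & authtype_mask(ap->type)))
            continue;
        if (e + 2 > ee) {
            if (auth_debug_mode)
                printf(">>>%s: No room for type %d %d in SEND\r\n",
                       Name, ap->type, ap->way);
            break;
        }
        if (auth_debug_mode) {
            printf(">>>%s: Sending type %d %d\r\n",
                   Name, ap->type, ap->way);
        }
        *e++ = ap->type;
        *e++ = ap->way;
    }
    *e++ = IAC;
    *e++ = SE;
    telnet_net_write(str_request, e - str_request);
    printsub('>', &str_request[2], e - str_request - 2);
}

/*
 * This is called when an AUTH SEND is received.
 * It should never arrive on the server side (as only the server can
 * send an AUTH SEND).
 * You should probably respond to it if you can...
 *
 * If you want to respond to the types out of order (i.e. even
 * if he sends LOGIN KERBEROS and you support both, you respond
 * with KERBEROS instead of LOGIN (which is against what the
 * protocol says)) you will have to hack this code...
 *
 * data holds cnt bytes of (type, way) pairs supplied by the server.
 * The list is copied into _auth_send_data (truncated to its size) unless
 * data already points into that buffer, which is how auth_send_retry()
 * resumes after a failed attempt.  The first enabled pair whose send
 * hook succeeds wins; if none does, AUTHTYPE_NULL is sent back and the
 * exchange is finished with AUTH_REJECT.
 */
void
auth_send(unsigned char *data, int cnt)
{
    Authenticator *ap;
    static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
                                        TELQUAL_IS, AUTHTYPE_NULL, 0,
                                        IAC, SE };
    if (Server) {
        if (auth_debug_mode) {
            printf(">>>%s: auth_send called!\r\n", Name);
        }
        return;
    }

    if (auth_debug_mode) {
        printf(">>>%s: auth_send got:", Name);
        printd(data, cnt); printf("\r\n");
    }

    /*
     * Save the data, if it is new, so that we can continue looking
     * at it if the authorization we try doesn't work
     */
    if (data < _auth_send_data ||
        data > _auth_send_data + sizeof(_auth_send_data)) {
        /*
         * A negative count must not be compared against sizeof() as an
         * unsigned value, or it would turn into a full-buffer memmove
         * from a short source.
         */
        if (cnt < 0)
            cnt = 0;
        auth_send_cnt = (size_t)cnt > sizeof(_auth_send_data)
            ? (int)sizeof(_auth_send_data)
            : cnt;
        memmove(_auth_send_data, data, auth_send_cnt);
        auth_send_data = _auth_send_data;
    } else {
        /*
         * This is probably a no-op, but we just make sure
         */
        auth_send_data = data;
        auth_send_cnt = cnt;
    }
    /* each iteration consumes one (type, way) pair; a trailing odd byte is ignored */
    while ((auth_send_cnt -= 2) >= 0) {
        int type = auth_send_data[0];
        int way = auth_send_data[1];

        if (auth_debug_mode)
            printf(">>>%s: He supports %d\r\n",
                   Name, type);
        /* authtype_mask() yields 0 for type 0 or an out-of-range type byte */
        if ((i_support & ~i_wont_support) & authtype_mask(type)) {
            ap = findauthenticator(type, way);
            if (ap && ap->send) {
                if (auth_debug_mode)
                    printf(">>>%s: Trying %d %d\r\n",
                           Name, type, way);
                if ((*ap->send)(ap)) {
                    /*
                     * Okay, we found one we like
                     * and did it.
                     * we can go home now.
                     */
                    if (auth_debug_mode)
                        printf(">>>%s: Using type %d\r\n",
                               Name, type);
                    auth_send_data += 2;
                    return;
                }
            }
            /* else
             * just continue on and look for the
             * next one if we didn't do anything.
             */
        }
        auth_send_data += 2;
    }
    telnet_net_write(str_none, sizeof(str_none));
    printsub('>', &str_none[2], sizeof(str_none) - 2);
    if (auth_debug_mode)
        printf(">>>%s: Sent failure message\r\n", Name);
    auth_finished(0, AUTH_REJECT);
#ifdef KANNAN
    /*
     * We requested strong authentication, however no mechanisms worked.
     * Therefore, exit on client end.
     */
    printf("Unable to securely authenticate user ... exit\n");
    exit(0);
#endif /* KANNAN */
}

/*
 * Resume scanning the saved SEND list from where auth_send() stopped.
 */
void
auth_send_retry(void)
{
    /*
     * if auth_send_cnt <= 0 then auth_send will end up rejecting
     * the authentication and informing the other side of this.
     */
    auth_send(auth_send_data, auth_send_cnt);
}

/*
 * Handle an AUTH IS subnegotiation: data[0] is the type, data[1] the
 * way, the rest is passed to the matching authenticator's is hook.
 * Fewer than 2 bytes is ignored; AUTHTYPE_NULL finishes with AUTH_REJECT.
 */
void
auth_is(unsigned char *data, int cnt)
{
    Authenticator *ap;

    if (cnt < 2)
        return;

    if (data[0] == AUTHTYPE_NULL) {
        auth_finished(0, AUTH_REJECT);
        return;
    }

    if ((ap = findauthenticator(data[0], data[1]))) {
        if (ap->is)
            (*ap->is)(ap, data+2, cnt-2);
    } else if (auth_debug_mode)
        printf(">>>%s: Invalid authentication in IS: %d\r\n",
               Name, *data);
}

/*
 * Handle an AUTH REPLY subnegotiation; same layout as auth_is(), passed
 * to the matching authenticator's reply hook.
 */
void
auth_reply(unsigned char *data, int cnt)
{
    Authenticator *ap;

    if (cnt < 2)
        return;

    if ((ap = findauthenticator(data[0], data[1]))) {
        if (ap->reply)
            (*ap->reply)(ap, data+2, cnt-2);
    } else if (auth_debug_mode)
        printf(">>>%s: Invalid authentication in SEND: %d\r\n",
               Name, *data);
}

/*
 * Handle an AUTH NAME subnegotiation: copy the cnt-byte name into a
 * NUL-terminated local buffer and hand it to auth_encrypt_user().
 * Empty names and names longer than 255 bytes are dropped.
 */
void
auth_name(unsigned char *data, int cnt)
{
    char savename[256];

    if (cnt < 1) {
        if (auth_debug_mode)
            printf(">>>%s: Empty name in NAME\r\n", Name);
        return;
    }
    if ((size_t)cnt > sizeof(savename) - 1) {
        if (auth_debug_mode)
            printf(">>>%s: Name in NAME (%d) exceeds %lu length\r\n",
                   Name, cnt, (unsigned long)(sizeof(savename)-1));
        return;
    }
    memmove(savename, data, cnt);
    savename[cnt] = '\0';    /* Null terminate */
    if (auth_debug_mode)
        printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
    auth_encrypt_user(savename);
}

/*
 * Send IAC SB AUTHENTICATION NAME <name> IAC SE, doubling any IAC byte
 * in the name as telnet requires.  Returns 1 on success, 0 without
 * sending anything if the escaped name does not fit in the buffer.
 */
int
auth_sendname(unsigned char *cp, int len)
{
    static unsigned char str_request[256+6]
        = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
    unsigned char *e = str_request + 4;
    /*
     * Two bytes are reserved for IAC SE.  An IAC in the name may write
     * one byte past ee, which is still inside the array; the check
     * below then rejects the name before the trailer is appended.
     */
    unsigned char *ee = &str_request[sizeof(str_request)-2];

    while (--len >= 0) {
        if ((*e++ = *cp++) == IAC)
            *e++ = IAC;
        if (e >= ee)
            return(0);
    }
    *e++ = IAC;
    *e++ = SE;
    telnet_net_write(str_request, e - str_request);
    printsub('>', &str_request[2], e - &str_request[2]);
    return(1);
}

/*
 * Record the outcome of the exchange: ap is the authenticator that
 * finished (NoAuth is substituted for 0) and result the status code
 * that auth_wait() will report.
 */
void
auth_finished(Authenticator *ap, int result)
{
    if (!(authenticated = ap))
        authenticated = &NoAuth;
    validuser = result;
}

/* SIGALRM handler for auth_wait(): give up on the exchange. */
/* ARGSUSED */
static void
auth_intr(int sig)
{
    auth_finished(0, AUTH_REJECT);
}

/*
 * Drive the telnet loop until an authenticator finishes, the peer
 * disconnects (telnet_spin() returns non-zero) or 30 seconds pass.
 * On the server, returns 0 immediately if no negotiation was started.
 * Returns AUTH_REJECT if nothing authenticated; otherwise the status
 * code, with AUTH_VALID downgraded to AUTH_USER and then passed through
 * the authenticator's status hook, which may fill in name.
 */
int
auth_wait(char *name, size_t name_sz)
{
    if (auth_debug_mode)
        printf(">>>%s: in auth_wait.\r\n", Name);

    if (Server && !authenticating)
        return(0);

    signal(SIGALRM, auth_intr);
    alarm(30);
    while (!authenticated)
        if (telnet_spin())
            break;
    alarm(0);
    signal(SIGALRM, SIG_DFL);

    /*
     * Now check to see if the user is valid or not
     */
    if (!authenticated || authenticated == &NoAuth)
        return(AUTH_REJECT);

    if (validuser == AUTH_VALID)
        validuser = AUTH_USER;

    if (authenticated->status)
        validuser = (*authenticated->status)(authenticated,
                                             name, name_sz,
                                             validuser);
    return(validuser);
}

void
auth_debug(int mode)
{
    auth_debug_mode = mode;
}

/*
 * Pretty-print an AUTHENTICATION subnegotiation for the trace output.
 * data[0] is the TELQUAL code, data[1] the type and data[2] the way;
 * cnt must cover all three before a type-specific printsub is looked
 * up, otherwise the generic dump is used.
 */
void
auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
{
    Authenticator *ap;

    if (cnt >= 3 && (ap = findauthenticator(data[1], data[2])) && ap->printsub)
        (*ap->printsub)(data, cnt, buf, buflen);
    else
        auth_gen_printsub(data, cnt, buf, buflen);
}

/*
 * Generic dump: the payload after the first three bytes as decimal
 * numbers, each preceded by a space, NUL-terminated.  If the output is
 * truncated, buf ends with "*" instead.  A buffer shorter than two
 * bytes cannot hold that marker and is left NUL-terminated if possible.
 */
void
auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
{
    char *cp;
    char tbuf[16];

    if (buflen < 2) {
        if (buflen == 1)
            buf[0] = '\0';
        return;
    }

    cnt -= 3;
    data += 3;
    buf[buflen-1] = '\0';
    buf[buflen-2] = '*';
    buflen -= 2;
    for (; cnt > 0; cnt--, data++) {
        snprintf(tbuf, sizeof(tbuf), " %d", *data);
        for (cp = tbuf; *cp && buflen > 0; --buflen)
            *buf++ = *cp++;
        if (buflen <= 0)
            return;
    }
    *buf = '\0';
}
#endif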