1 /* 2 * Copyright 2002 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 /* 7 * usr/src/cmd/cmd-inet/usr.bin/telnet/auth.c 8 */ 9 10 /* 11 * Copyright (c) 1991, 1993 12 * The Regents of the University of California. All rights reserved. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 1. Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * 2. Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * 3. All advertising materials mentioning features or use of this software 23 * must display the following acknowledgement: 24 * This product includes software developed by the University of 25 * California, Berkeley and its contributors. 26 * 4. Neither the name of the University nor the names of its contributors 27 * may be used to endorse or promote products derived from this software 28 * without specific prior written permission. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 31 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 32 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 33 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 34 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 35 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 36 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 37 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 38 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 39 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 40 * SUCH DAMAGE. 41 */ 42 43 /* based on @(#)auth.c 8.1 (Berkeley) 6/4/93 */ 44 45 /* 46 * Copyright (C) 1990 by the Massachusetts Institute of Technology 47 * 48 * Export of this software from the United States of America may 49 * require a specific license from the United States Government. 50 * It is the responsibility of any person or organization contemplating 51 * export to obtain such a license before exporting. 52 * 53 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 54 * distribute this software and its documentation for any purpose and 55 * without fee is hereby granted, provided that the above copyright 56 * notice appear in all copies and that both that copyright notice and 57 * this permission notice appear in supporting documentation, and that 58 * the name of M.I.T. not be used in advertising or publicity pertaining 59 * to distribution of the software without specific, written prior 60 * permission. Furthermore if you modify this software you must label 61 * your software as modified software and not distribute it in such a 62 * fashion that it might be confused with the original M.I.T. software. 63 * M.I.T. makes no representations about the suitability of 64 * this software for any purpose. It is provided "as is" without express 65 * or implied warranty. 66 */ 67 68 69 #include <stdio.h> 70 #include <sys/types.h> 71 #include <signal.h> 72 73 #define AUTHTYPE_NAMES /* this is needed for arpa/telnet.h */ 74 #include <arpa/telnet.h> 75 76 #ifdef __STDC__ 77 #include <stdlib.h> 78 #endif 79 80 #include <string.h> 81 82 #include "externs.h" 83 #include "encrypt.h" 84 #include "auth.h" 85 86 #define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0) 87 88 static int auth_onoff(const char *type, boolean_t on); 89 static void auth_gen_printsub(uchar_t *, uint_t, uchar_t *, uint_t); 90 91 boolean_t auth_debug_mode = B_FALSE; 92 boolean_t auth_has_failed = B_FALSE; 93 boolean_t auth_enable_encrypt = B_FALSE; 94 95 static char *Name = "Noname"; 96 static Authenticator *authenticated = NULL; 97 static uchar_t _auth_send_data[BUFSIZ]; 98 static uchar_t *auth_send_data; 99 static int auth_send_cnt = 0; 100 101 /* 102 * Authentication types supported. Note that these are stored 103 * in priority order, i.e. try the first one first. 104 */ 105 static Authenticator authenticators[] = { 106 { AUTHTYPE_KERBEROS_V5, 107 AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL|AUTH_ENCRYPT_ON, 108 kerberos5_init, 109 kerberos5_send, 110 kerberos5_reply, 111 kerberos5_status, 112 kerberos5_printsub }, 113 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, 114 kerberos5_init, 115 kerberos5_send, 116 kerberos5_reply, 117 kerberos5_status, 118 kerberos5_printsub }, 119 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY, 120 kerberos5_init, 121 kerberos5_send, 122 kerberos5_reply, 123 kerberos5_status, 124 kerberos5_printsub }, 125 { 0, }, 126 }; 127 128 static Authenticator NoAuth = { 0 }; 129 130 static uint_t i_support = 0; 131 static uint_t i_wont_support = 0; 132 133 /* 134 * Traverse the Authenticator array until we find the authentication type 135 * and matching direction we are looking for. Return a pointer into the 136 * Authenticator type array. 137 * 138 * Returns: 0 - type not found (error) 139 * nonzero - pointer to authenticator 140 */ 141 static Authenticator * 142 findauthenticator(int type, int way) 143 { 144 Authenticator *ap = authenticators; 145 146 while (ap->type && (ap->type != type || ap->way != way)) 147 ++ap; 148 return (ap->type ? ap : NULL); 149 } 150 151 /* 152 * For each authentication type in the Authenticator array, 153 * call the associated init routine, and update the i_support bitfield. 154 */ 155 void 156 auth_init(const char *name) 157 { 158 Authenticator *ap = authenticators; 159 160 Name = name ? strdup(name) : "Noname"; 161 162 i_support = 0; 163 authenticated = NULL; 164 while (ap->type) { 165 if (!ap->init || (*ap->init)(ap)) { 166 i_support |= typemask(ap->type); 167 if (auth_debug_mode) 168 (void) printf(gettext 169 (">>>%s: I support auth type %d %d\r\n"), 170 Name, ap->type, ap->way); 171 } 172 ++ap; 173 } 174 } 175 176 /* 177 * Search the Authenticator array for the authentication type 'name', 178 * and disable this type by updating the i_wont_support bitfield. 179 */ 180 void 181 auth_disable_name(const char *name) 182 { 183 uint_t x; 184 for (x = 0; x < AUTHTYPE_CNT; ++x) { 185 if (!strcasecmp(name, AUTHTYPE_NAME(x))) { 186 i_wont_support |= typemask(x); 187 break; 188 } 189 } 190 191 if (!i_wont_support) 192 (void) printf( 193 gettext("%s : invalid authentication type\n"), 194 name); 195 } 196 197 /* 198 * Search the Authenticator array for the authentication type given 199 * by the character string 'type', and return its integer bitmask 200 * in maskp. 201 * 202 * Returns: 1 - no error 203 * 0 - type not found (error) 204 */ 205 static int 206 getauthmask(const char *type, uint_t *maskp) 207 { 208 uint_t x; 209 210 if (!strcasecmp(type, AUTHTYPE_NAME(0))) { 211 *maskp = (uint_t)-1; 212 return (1); 213 } 214 215 for (x = 1; x < AUTHTYPE_CNT; ++x) { 216 if (!strcasecmp(type, AUTHTYPE_NAME(x))) { 217 *maskp = typemask(x); 218 return (1); 219 } 220 } 221 return (0); 222 } 223 224 int 225 auth_enable(char *type) 226 { 227 return (auth_onoff(type, B_TRUE)); 228 } 229 230 int 231 auth_disable(char *type) 232 { 233 return (auth_onoff(type, B_FALSE)); 234 } 235 236 /* 237 * Responds to the 'auth enable <option>' and 'auth disable <option>' commands. 238 * 239 * If <option> is: 240 * - a valid authentication type, turns support on / off 241 * - "?" or "help", print a usage message 242 * - not recognized, print an error message. 243 * 244 * Returns: 1 - no error, authentication is enabled or disabled 245 * 0 - error, or help requested 246 */ 247 static int 248 auth_onoff(const char *type, boolean_t on) 249 { 250 uint_t i, mask = 0; 251 Authenticator *ap; 252 253 if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) { 254 (void) printf(on ? 255 gettext("auth enable 'type'\n") : 256 gettext("auth disable 'type'\n")); 257 (void) printf( 258 gettext("Where 'type' is one of:\n")); 259 (void) printf("\t%s\n", AUTHTYPE_NAME(0)); 260 for (ap = authenticators; ap->type; ap++) { 261 if ((mask & (i = typemask(ap->type))) != 0) 262 continue; 263 mask |= i; 264 (void) printf("\t%s\n", AUTHTYPE_NAME(ap->type)); 265 } 266 return (0); 267 } 268 269 if (!getauthmask(type, &mask)) { 270 (void) printf( 271 gettext("%s: invalid authentication type\n"), type); 272 return (0); 273 } 274 if (on) 275 i_wont_support &= ~mask; 276 else 277 i_wont_support |= mask; 278 return (1); 279 } 280 281 /* 282 * Responds to the 'toggle authdebug' command. 283 * 284 * Returns: 1 - always 285 */ 286 int 287 auth_togdebug(int on) 288 { 289 if (on < 0) 290 auth_debug_mode = !auth_debug_mode; 291 else 292 auth_debug_mode = on > 0 ? B_TRUE : B_FALSE; 293 (void) printf(auth_debug_mode ? 294 gettext("auth debugging enabled\n") : 295 gettext("auth debugging disabled\n")); 296 return (1); 297 } 298 299 /* 300 * Responds to the 'auth status' command. 301 * Traverses the authenticator array and prints enabled or disabled for 302 * each authentication type, depencing on the i_wont_support bitfield. 303 * 304 * Returns: 1 - always 305 */ 306 int 307 auth_status(void) 308 { 309 Authenticator *ap; 310 uint_t i, mask; 311 312 if (i_wont_support == (uint_t)-1) 313 (void) printf(gettext("Authentication disabled\n")); 314 else 315 (void) printf(gettext("Authentication enabled\n")); 316 317 mask = 0; 318 for (ap = authenticators; ap->type; ap++) { 319 if ((mask & (i = typemask(ap->type))) != 0) 320 continue; 321 mask |= i; 322 (void) printf("%s: %s\n", AUTHTYPE_NAME(ap->type), 323 (i_wont_support & typemask(ap->type)) ? 324 gettext("disabled") : gettext("enabled")); 325 } 326 return (1); 327 } 328 329 /* 330 * This is called when an AUTH SEND is received. 331 * data is a list of authentication mechanisms we support 332 */ 333 void 334 auth_send(uchar_t *data, int cnt) 335 { 336 337 if (auth_debug_mode) { 338 (void) printf(gettext(">>>%s: auth_send got:"), Name); 339 printd(data, cnt); 340 (void) printf("\r\n"); 341 } 342 343 /* 344 * Save the list of authentication mechanisms 345 */ 346 auth_send_cnt = cnt; 347 if (auth_send_cnt > sizeof (_auth_send_data)) 348 auth_send_cnt = sizeof (_auth_send_data); 349 (void) memcpy((void *)_auth_send_data, (void *)data, auth_send_cnt); 350 auth_send_data = _auth_send_data; 351 352 auth_send_retry(); 353 } 354 355 /* 356 * Try the next authentication mechanism on the list, and see if it 357 * works. 358 */ 359 void 360 auth_send_retry(void) 361 { 362 Authenticator *ap; 363 static uchar_t str_none[] = { IAC, SB, TELOPT_AUTHENTICATION, 364 TELQUAL_IS, AUTHTYPE_NULL, 0, IAC, SE }; 365 366 for (; (auth_send_cnt -= 2) >= 0; auth_send_data += 2) { 367 if (auth_debug_mode) 368 (void) printf( 369 gettext(">>>%s: Remote host supports %d\r\n"), 370 Name, *auth_send_data); 371 if (!(i_support & typemask(*auth_send_data))) 372 continue; 373 if (i_wont_support & typemask(*auth_send_data)) 374 continue; 375 ap = findauthenticator(auth_send_data[0], auth_send_data[1]); 376 if (!ap || !ap->send) 377 continue; 378 if ((ap->way & AUTH_ENCRYPT_MASK) && !auth_enable_encrypt) 379 continue; 380 381 if (auth_debug_mode) 382 (void) printf( 383 gettext(">>>%s: Trying %d %d\r\n"), Name, 384 auth_send_data[0], auth_send_data[1]); 385 if ((*ap->send)(ap)) { 386 /* 387 * Okay, we found one we like and did it. we can go 388 * home now. 389 */ 390 if (auth_debug_mode) 391 (void) printf(gettext(">>>%s: Using type %d\r\n"), 392 Name, *auth_send_data); 393 auth_send_data += 2; 394 return; 395 } 396 } 397 (void) net_write(str_none, sizeof (str_none)); 398 printsub('>', &str_none[2], sizeof (str_none) - 2); 399 if (auth_debug_mode) 400 (void) printf( 401 gettext(">>>%s: Sent failure message\r\n"), Name); 402 auth_finished(0, AUTH_REJECT); 403 auth_has_failed = B_TRUE; 404 } 405 406 void 407 auth_reply(uchar_t *data, int cnt) 408 { 409 Authenticator *ap; 410 411 if (cnt < 2) 412 return; 413 414 if (ap = findauthenticator(data[0], data[1])) { 415 if (ap->reply) 416 (*ap->reply)(ap, data+2, cnt-2); 417 } else if (auth_debug_mode) 418 (void) printf(gettext 419 (">>>%s: Invalid authentication in SEND: %d\r\n"), 420 Name, *data); 421 } 422 423 int 424 auth_sendname(uchar_t *cp, int len) 425 { 426 static uchar_t str_request[AUTH_NAME_BUFSIZ + 6] = { IAC, SB, 427 TELOPT_AUTHENTICATION, TELQUAL_NAME, }; 428 register uchar_t *e = str_request + 4; 429 register uchar_t *ee = &str_request[sizeof (str_request) - 2]; 430 431 while (--len >= 0) { 432 if ((*e++ = *cp++) == IAC) 433 *e++ = IAC; 434 if (e >= ee) 435 return (0); 436 } 437 *e++ = IAC; 438 *e++ = SE; 439 (void) net_write(str_request, e - str_request); 440 printsub('>', &str_request[2], e - &str_request[2]); 441 return (1); 442 } 443 444 /* ARGSUSED */ 445 void 446 auth_finished(Authenticator *ap, int result) 447 { 448 authenticated = ap; 449 if (authenticated == NULL) 450 authenticated = &NoAuth; 451 } 452 453 void 454 auth_printsub(uchar_t *data, uint_t cnt, uchar_t *buf, uint_t buflen) 455 { 456 Authenticator *ap; 457 458 ap = findauthenticator(data[1], data[2]); 459 if (ap && ap->printsub) 460 (*ap->printsub)(data, cnt, buf, buflen); 461 else 462 auth_gen_printsub(data, cnt, buf, buflen); 463 } 464 465 static void 466 auth_gen_printsub(uchar_t *data, uint_t cnt, uchar_t *buf, uint_t buflen) 467 { 468 register uchar_t *cp; 469 uchar_t lbuf[AUTH_LBUF_BUFSIZ]; 470 471 if (buflen < 2) 472 return; 473 cnt = (cnt > 3) ? cnt - 3 : 0; 474 data += 3; 475 buf[buflen - 1] = '\0'; 476 buf[buflen - 2] = '*'; 477 buflen -= 2; 478 for (; cnt > 0; cnt--, data++) { 479 (void) snprintf((char *)lbuf, AUTH_LBUF_BUFSIZ, " %d", *data); 480 for (cp = lbuf; (*cp != '\0') && (buflen > 0); --buflen) 481 *buf++ = *cp++; 482 if (buflen == 0) 483 return; 484 } 485 *buf = '\0'; 486 } 487