2 * Copyright (c) 1991, 1993, 2003
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 4. Neither the name of the University nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 static char sccsid
[] = "@(#)auth.c 8.3 (Berkeley) 5/30/95";
35 * Copyright (C) 1990, 2000 by the Massachusetts Institute of Technology
37 * Export of this software from the United States of America is assumed
38 * to require a specific license from the United States Government.
39 * It is the responsibility of any person or organization contemplating
40 * export to obtain such a license before exporting.
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of M.I.T. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission. M.I.T. makes no representations about the suitability of
50 * this software for any purpose. It is provided "as is" without express
51 * or implied warranty.
58 #if defined(AUTHENTICATION)
60 #include <sys/types.h>
63 #include <arpa/telnet.h>
75 #include "misc-proto.h"
76 #include "auth-proto.h"
78 #define typemask(x) (1<<((x)-1))
81 extern krb4encpwd_init();
82 extern krb4encpwd_send();
83 extern krb4encpwd_is();
84 extern krb4encpwd_reply();
85 extern krb4encpwd_status();
86 extern krb4encpwd_printsub();
90 extern rsaencpwd_init();
91 extern rsaencpwd_send();
92 extern rsaencpwd_is();
93 extern rsaencpwd_reply();
94 extern rsaencpwd_status();
95 extern rsaencpwd_printsub();
98 int auth_debug_mode
= 0;
99 static char *Name
= "Noname";
100 static int Server
= 0;
101 static TN_Authenticator
*authenticated
= 0;
102 static int authenticating
= 0;
103 static int validuser
= 0;
104 static unsigned char _auth_send_data
[256];
105 static unsigned char *auth_send_data
;
106 static int auth_send_cnt
= 0;
109 * Authentication types supported. Plese note that these are stored
110 * in priority order, i.e. try the first one first.
112 TN_Authenticator authenticators
[] = {
114 { AUTHTYPE_SPX
, AUTH_WHO_CLIENT
|AUTH_HOW_MUTUAL
,
121 { AUTHTYPE_SPX
, AUTH_WHO_CLIENT
|AUTH_HOW_ONE_WAY
,
130 { AUTHTYPE_KERBEROS_V5
, AUTH_WHO_CLIENT
|AUTH_HOW_MUTUAL
,
137 krb5shishi_cleanup
},
138 { AUTHTYPE_KERBEROS_V5
, AUTH_WHO_CLIENT
|AUTH_HOW_ONE_WAY
,
145 krb5shishi_cleanup
},
149 { AUTHTYPE_KERBEROS_V5
, AUTH_WHO_CLIENT
|AUTH_HOW_MUTUAL
,
155 kerberos5_printsub
},
156 # endif /* ENCRYPTION */
157 { AUTHTYPE_KERBEROS_V5
, AUTH_WHO_CLIENT
|AUTH_HOW_ONE_WAY
,
163 kerberos5_printsub
},
167 { AUTHTYPE_KERBEROS_V4
, AUTH_WHO_CLIENT
|AUTH_HOW_MUTUAL
,
173 kerberos4_printsub
},
174 # endif /* ENCRYPTION */
175 { AUTHTYPE_KERBEROS_V4
, AUTH_WHO_CLIENT
|AUTH_HOW_ONE_WAY
,
181 kerberos4_printsub
},
184 { AUTHTYPE_KRB4_ENCPWD
, AUTH_WHO_CLIENT
|AUTH_HOW_MUTUAL
,
190 krb4encpwd_printsub
},
193 { AUTHTYPE_RSA_ENCPWD
, AUTH_WHO_CLIENT
|AUTH_HOW_ONE_WAY
,
199 rsaencpwd_printsub
},
204 static TN_Authenticator NoAuth
= { 0 };
206 static int i_support
= 0;
207 static int i_wont_support
= 0;
210 findauthenticator(type
, way
)
214 TN_Authenticator
*ap
= authenticators
;
216 while (ap
->type
&& (ap
->type
!= type
|| ap
->way
!= way
))
218 return(ap
->type
? ap
: 0);
222 auth_init(name
, server
)
226 TN_Authenticator
*ap
= authenticators
;
235 if (!ap
->init
|| (*ap
->init
)(ap
, server
)) {
236 i_support
|= typemask(ap
->type
);
238 printf(">>>%s: I support auth type %s (%d) %s (%d)\r\n",
240 AUTHTYPE_NAME_OK(ap
->type
) ?
241 AUTHTYPE_NAME(ap
->type
) :
251 else if (auth_debug_mode
)
252 printf(">>>%s: Init failed: auth type %d %d\r\n",
253 Name
, ap
->type
, ap
->way
);
259 auth_disable_name(name
)
263 for (x
= 0; x
< AUTHTYPE_CNT
; ++x
) {
264 if (!strcasecmp(name
, AUTHTYPE_NAME(x
))) {
265 i_wont_support
|= typemask(x
);
272 getauthmask(type
, maskp
)
278 if (!strcasecmp(type
, AUTHTYPE_NAME(0))) {
283 for (x
= 1; x
< AUTHTYPE_CNT
; ++x
) {
284 if (!strcasecmp(type
, AUTHTYPE_NAME(x
))) {
285 *maskp
= typemask(x
);
296 return(auth_onoff(type
, 1));
303 return(auth_onoff(type
, 0));
312 TN_Authenticator
*ap
;
314 if (!strcasecmp(type
, "?") || !strcasecmp(type
, "help")) {
315 printf("auth %s 'type'\n", on
? "enable" : "disable");
316 printf("Where 'type' is one of:\n");
317 printf("\t%s\n", AUTHTYPE_NAME(0));
319 for (ap
= authenticators
; ap
->type
; ap
++) {
320 if ((mask
& (i
= typemask(ap
->type
))) != 0)
323 printf("\t%s\n", AUTHTYPE_NAME(ap
->type
));
328 if (!getauthmask(type
, &mask
)) {
329 printf("%s: invalid authentication type\n", type
);
333 i_wont_support
&= ~mask
;
335 i_wont_support
|= mask
;
344 auth_debug_mode
^= 1;
346 auth_debug_mode
= on
;
347 printf("auth debugging %s\n", auth_debug_mode
? "enabled" : "disabled");
354 TN_Authenticator
*ap
;
357 if (i_wont_support
== -1)
358 printf("Authentication disabled\n");
360 printf("Authentication enabled\n");
363 for (ap
= authenticators
; ap
->type
; ap
++) {
364 if ((mask
& (i
= typemask(ap
->type
))) != 0)
367 printf("%s: %s\n", AUTHTYPE_NAME(ap
->type
),
368 (i_wont_support
& typemask(ap
->type
)) ?
369 "disabled" : "enabled");
375 * This routine is called by the server to start authentication
381 static unsigned char str_request
[64] = { IAC
, SB
,
382 TELOPT_AUTHENTICATION
,
384 TN_Authenticator
*ap
= authenticators
;
385 unsigned char *e
= str_request
+ 4;
387 if (!authenticating
) {
390 if (i_support
& ~i_wont_support
& typemask(ap
->type
)) {
391 if (auth_debug_mode
) {
392 printf(">>>%s: Sending type %d %d\r\n",
393 Name
, ap
->type
, ap
->way
);
402 net_write(str_request
, e
- str_request
);
403 printsub('>', &str_request
[2], e
- str_request
- 2);
408 * This is called when an AUTH SEND is received.
409 * It should never arrive on the server side (as only the server can
410 * send an AUTH SEND).
411 * You should probably respond to it if you can...
413 * If you want to respond to the types out of order (i.e. even
414 * if he sends LOGIN KERBEROS and you support both, you respond
415 * with KERBEROS instead of LOGIN (which is against what the
416 * protocol says)) you will have to hack this code...
423 TN_Authenticator
*ap
;
424 static unsigned char str_none
[] = { IAC
, SB
, TELOPT_AUTHENTICATION
,
425 TELQUAL_IS
, AUTHTYPE_NULL
, 0,
428 if (auth_debug_mode
) {
429 printf(">>>%s: auth_send called!\r\n", Name
);
434 if (auth_debug_mode
) {
435 printf(">>>%s: auth_send got:", Name
);
436 printd(data
, cnt
); printf("\r\n");
440 * Save the data, if it is new, so that we can continue looking
441 * at it if the authorization we try doesn't work
443 if (data
< _auth_send_data
||
444 data
> _auth_send_data
+ sizeof(_auth_send_data
)) {
445 auth_send_cnt
= cnt
> sizeof(_auth_send_data
)
446 ? sizeof(_auth_send_data
)
448 memmove((void *)_auth_send_data
, (void *)data
, auth_send_cnt
);
449 auth_send_data
= _auth_send_data
;
452 * This is probably a no-op, but we just make sure
454 auth_send_data
= data
;
457 while ((auth_send_cnt
-= 2) >= 0) {
459 printf(">>>%s: He supports %s (%d) %s (%d)\r\n",
460 Name
, AUTHTYPE_NAME_OK(auth_send_data
[0]) ?
461 AUTHTYPE_NAME(auth_send_data
[0]) :
470 if ((i_support
& ~i_wont_support
) & typemask(*auth_send_data
)) {
471 ap
= findauthenticator(auth_send_data
[0],
473 if (ap
&& ap
->send
) {
475 printf(">>>%s: Trying %s (%d) %s (%d)\r\n",
477 AUTHTYPE_NAME_OK(auth_send_data
[0]) ?
478 AUTHTYPE_NAME(auth_send_data
[0]) :
487 if ((*ap
->send
)(ap
)) {
489 * Okay, we found one we like
491 * we can go home now.
494 printf(">>>%s: Using type %s (%d)\r\n",
496 AUTHTYPE_NAME_OK(*auth_send_data
) ?
497 AUTHTYPE_NAME(*auth_send_data
) :
505 * just continue on and look for the
506 * next one if we didn't do anything.
511 net_write(str_none
, sizeof(str_none
));
512 printsub('>', &str_none
[2], sizeof(str_none
) - 2);
514 printf(">>>%s: Sent failure message\r\n", Name
);
515 auth_finished(0, AUTH_REJECT
);
518 * We requested strong authentication, however no mechanisms worked.
519 * Therefore, exit on client end.
521 printf("Unable to securely authenticate user ... exit\n");
530 * if auth_send_cnt <= 0 then auth_send will end up rejecting
531 * the authentication and informing the other side of this.
533 auth_send(auth_send_data
, auth_send_cnt
);
541 TN_Authenticator
*ap
;
546 if (data
[0] == AUTHTYPE_NULL
) {
547 auth_finished(0, AUTH_REJECT
);
551 if (ap
= findauthenticator(data
[0], data
[1])) {
553 (*ap
->is
)(ap
, data
+2, cnt
-2);
554 } else if (auth_debug_mode
)
555 printf(">>>%s: Invalid authentication in IS: %d\r\n",
560 auth_reply(data
, cnt
)
564 TN_Authenticator
*ap
;
569 if (ap
= findauthenticator(data
[0], data
[1])) {
571 (*ap
->reply
)(ap
, data
+2, cnt
-2);
572 } else if (auth_debug_mode
)
573 printf(">>>%s: Invalid authentication in SEND: %d\r\n",
582 TN_Authenticator
*ap
;
583 unsigned char savename
[256];
587 printf(">>>%s: Empty name in NAME\r\n", Name
);
590 if (cnt
> sizeof(savename
) - 1) {
592 printf(">>>%s: Name in NAME (%d) exceeds %d length\r\n",
593 Name
, cnt
, sizeof(savename
)-1);
596 memmove((void *)savename
, (void *)data
, cnt
);
597 savename
[cnt
] = '\0'; /* Null terminate */
599 printf(">>>%s: Got NAME [%s]\r\n", Name
, savename
);
600 auth_encrypt_user(savename
);
604 auth_sendname(cp
, len
)
608 static unsigned char str_request
[256+6]
609 = { IAC
, SB
, TELOPT_AUTHENTICATION
, TELQUAL_NAME
, };
610 register unsigned char *e
= str_request
+ 4;
611 register unsigned char *ee
= &str_request
[sizeof(str_request
)-2];
614 if ((*e
++ = *cp
++) == IAC
)
621 net_write(str_request
, e
- str_request
);
622 printsub('>', &str_request
[2], e
- &str_request
[2]);
627 auth_finished(ap
, result
)
628 TN_Authenticator
*ap
;
631 if (ap
&& ap
->cleanup
)
633 if (!(authenticated
= ap
))
634 authenticated
= &NoAuth
;
643 auth_finished(0, AUTH_REJECT
);
651 printf(">>>%s: in auth_wait.\r\n", Name
);
653 if (Server
&& !authenticating
)
656 (void) signal(SIGALRM
, auth_intr
);
658 while (!authenticated
)
662 (void) signal(SIGALRM
, SIG_DFL
);
665 * Now check to see if the user is valid or not
667 if (!authenticated
|| authenticated
== &NoAuth
)
670 if (validuser
== AUTH_VALID
)
671 validuser
= AUTH_USER
;
673 if (authenticated
->status
)
674 validuser
= (*authenticated
->status
)(authenticated
,
683 auth_debug_mode
= mode
;
687 auth_printsub(data
, cnt
, buf
, buflen
)
688 unsigned char *data
, *buf
;
691 TN_Authenticator
*ap
;
693 if ((ap
= findauthenticator(data
[1], data
[2])) && ap
->printsub
)
694 (*ap
->printsub
)(data
, cnt
, buf
, buflen
);
696 auth_gen_printsub(data
, cnt
, buf
, buflen
);
700 auth_gen_printsub(data
, cnt
, buf
, buflen
)
701 unsigned char *data
, *buf
;
704 register unsigned char *cp
;
705 unsigned char tbuf
[16];
709 buf
[buflen
-1] = '\0';
712 for (; cnt
> 0; cnt
--, data
++) {
713 sprintf((char *)tbuf
, " %d", *data
);
714 for (cp
= tbuf
; *cp
&& buflen
> 0; --buflen
)