search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Upstream update.
[shishi.git] / extra / inetutils / libtelnet / auth.c
blobb32fd58f8fc8a76950ff33c9bfccb55a32ea11af
1 /*-
2 * Copyright (c) 1991, 1993, 2003
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 4. Neither the name of the University nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30 #ifndef lint
31 static char sccsid[] = "@(#)auth.c 8.3 (Berkeley) 5/30/95";
32 #endif /* not lint */
33
34 /*
35 * Copyright (C) 1990, 2000 by the Massachusetts Institute of Technology
36 *
37 * Export of this software from the United States of America is assumed
38 * to require a specific license from the United States Government.
39 * It is the responsibility of any person or organization contemplating
40 * export to obtain such a license before exporting.
41 *
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of M.I.T. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission. M.I.T. makes no representations about the suitability of
50 * this software for any purpose. It is provided "as is" without express
51 * or implied warranty.
52 */
53
54 #ifdef HAVE_CONFIG_H
55 #include <config.h>
56 #endif
57
58 #if defined(AUTHENTICATION)
59 #include <stdio.h>
60 #include <sys/types.h>
61 #include <signal.h>
62 #define AUTH_NAMES
63 #include <arpa/telnet.h>
64 #ifdef HAVE_STDLIB_H
65 #include <stdlib.h>
66 #endif
67 #ifdef NO_STRING_H
68 #include <strings.h>
69 #else
70 #include <string.h>
71 #endif
72
73 #include "encrypt.h"
74 #include "auth.h"
75 #include "misc-proto.h"
76 #include "auth-proto.h"
77
78 #define typemask(x) (1<<((x)-1))
79
80 #ifdef KRB4_ENCPWD
81 extern krb4encpwd_init();
82 extern krb4encpwd_send();
83 extern krb4encpwd_is();
84 extern krb4encpwd_reply();
85 extern krb4encpwd_status();
86 extern krb4encpwd_printsub();
87 #endif
88
89 #ifdef RSA_ENCPWD
90 extern rsaencpwd_init();
91 extern rsaencpwd_send();
92 extern rsaencpwd_is();
93 extern rsaencpwd_reply();
94 extern rsaencpwd_status();
95 extern rsaencpwd_printsub();
96 #endif
97
98 int auth_debug_mode = 0;
99 static char *Name = "Noname";
100 static int Server = 0;
101 static TN_Authenticator *authenticated = 0;
102 static int authenticating = 0;
103 static int validuser = 0;
104 static unsigned char _auth_send_data[256];
105 static unsigned char *auth_send_data;
106 static int auth_send_cnt = 0;
107
108 /*
109 * Authentication types supported. Plese note that these are stored
110 * in priority order, i.e. try the first one first.
111 */
112 TN_Authenticator authenticators[] = {
113 #ifdef SPX
114 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
115 spx_init,
116 spx_send,
117 spx_is,
118 spx_reply,
119 spx_status,
120 spx_printsub },
121 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
122 spx_init,
123 spx_send,
124 spx_is,
125 spx_reply,
126 spx_status,
127 spx_printsub },
128 #endif
129 #ifdef SHISHI
130 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
131 krb5shishi_init,
132 krb5shishi_send,
133 krb5shishi_is,
134 krb5shishi_reply,
135 krb5shishi_status,
136 krb5shishi_printsub,
137 krb5shishi_cleanup },
138 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
139 krb5shishi_init,
140 krb5shishi_send,
141 krb5shishi_is,
142 krb5shishi_reply,
143 krb5shishi_status,
144 krb5shishi_printsub,
145 krb5shishi_cleanup },
146 #endif
147 #ifdef KRB5
148 # ifdef ENCRYPTION
149 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
150 kerberos5_init,
151 kerberos5_send,
152 kerberos5_is,
153 kerberos5_reply,
154 kerberos5_status,
155 kerberos5_printsub },
156 # endif /* ENCRYPTION */
157 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
158 kerberos5_init,
159 kerberos5_send,
160 kerberos5_is,
161 kerberos5_reply,
162 kerberos5_status,
163 kerberos5_printsub },
164 #endif
165 #ifdef KRB4
166 # ifdef ENCRYPTION
167 { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
168 kerberos4_init,
169 kerberos4_send,
170 kerberos4_is,
171 kerberos4_reply,
172 kerberos4_status,
173 kerberos4_printsub },
174 # endif /* ENCRYPTION */
175 { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
176 kerberos4_init,
177 kerberos4_send,
178 kerberos4_is,
179 kerberos4_reply,
180 kerberos4_status,
181 kerberos4_printsub },
182 #endif
183 #ifdef KRB4_ENCPWD
184 { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
185 krb4encpwd_init,
186 krb4encpwd_send,
187 krb4encpwd_is,
188 krb4encpwd_reply,
189 krb4encpwd_status,
190 krb4encpwd_printsub },
191 #endif
192 #ifdef RSA_ENCPWD
193 { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
194 rsaencpwd_init,
195 rsaencpwd_send,
196 rsaencpwd_is,
197 rsaencpwd_reply,
198 rsaencpwd_status,
199 rsaencpwd_printsub },
200 #endif
201 { 0, },
202 };
203
204 static TN_Authenticator NoAuth = { 0 };
205
206 static int i_support = 0;
207 static int i_wont_support = 0;
208
209 TN_Authenticator *
210 findauthenticator(type, way)
211 int type;
212 int way;
213 {
214 TN_Authenticator *ap = authenticators;
215
216 while (ap->type && (ap->type != type || ap->way != way))
217 ++ap;
218 return(ap->type ? ap : 0);
219 }
220
221 void
222 auth_init(name, server)
223 char *name;
224 int server;
225 {
226 TN_Authenticator *ap = authenticators;
227
228 Server = server;
229 Name = name;
230
231 i_support = 0;
232 authenticated = 0;
233 authenticating = 0;
234 while (ap->type) {
235 if (!ap->init || (*ap->init)(ap, server)) {
236 i_support |= typemask(ap->type);
237 if (auth_debug_mode)
238 printf(">>>%s: I support auth type %s (%d) %s (%d)\r\n",
239 Name,
240 AUTHTYPE_NAME_OK(ap->type) ?
241 AUTHTYPE_NAME(ap->type) :
242 "unknown",
243 ap->type,
244 ap->way &
245 AUTH_HOW_MASK &
246 AUTH_HOW_MUTUAL ?
247 "MUTUAL" :
248 "ONEWAY",
249 ap->way);
250 }
251 else if (auth_debug_mode)
252 printf(">>>%s: Init failed: auth type %d %d\r\n",
253 Name, ap->type, ap->way);
254 ++ap;
255 }
256 }
257
258 void
259 auth_disable_name(name)
260 char *name;
261 {
262 int x;
263 for (x = 0; x < AUTHTYPE_CNT; ++x) {
264 if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
265 i_wont_support |= typemask(x);
266 break;
267 }
268 }
269 }
270
271 int
272 getauthmask(type, maskp)
273 char *type;
274 int *maskp;
275 {
276 register int x;
277
278 if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
279 *maskp = -1;
280 return(1);
281 }
282
283 for (x = 1; x < AUTHTYPE_CNT; ++x) {
284 if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
285 *maskp = typemask(x);
286 return(1);
287 }
288 }
289 return(0);
290 }
291
292 int
293 auth_enable(type)
294 char *type;
295 {
296 return(auth_onoff(type, 1));
297 }
298
299 int
300 auth_disable(type)
301 char *type;
302 {
303 return(auth_onoff(type, 0));
304 }
305
306 int
307 auth_onoff(type, on)
308 char *type;
309 int on;
310 {
311 int i, mask = -1;
312 TN_Authenticator *ap;
313
314 if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
315 printf("auth %s 'type'\n", on ? "enable" : "disable");
316 printf("Where 'type' is one of:\n");
317 printf("\t%s\n", AUTHTYPE_NAME(0));
318 mask = 0;
319 for (ap = authenticators; ap->type; ap++) {
320 if ((mask & (i = typemask(ap->type))) != 0)
321 continue;
322 mask |= i;
323 printf("\t%s\n", AUTHTYPE_NAME(ap->type));
324 }
325 return(0);
326 }
327
328 if (!getauthmask(type, &mask)) {
329 printf("%s: invalid authentication type\n", type);
330 return(0);
331 }
332 if (on)
333 i_wont_support &= ~mask;
334 else
335 i_wont_support |= mask;
336 return(1);
337 }
338
339 int
340 auth_togdebug(on)
341 int on;
342 {
343 if (on < 0)
344 auth_debug_mode ^= 1;
345 else
346 auth_debug_mode = on;
347 printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
348 return(1);
349 }
350
351 int
352 auth_status()
353 {
354 TN_Authenticator *ap;
355 int i, mask;
356
357 if (i_wont_support == -1)
358 printf("Authentication disabled\n");
359 else
360 printf("Authentication enabled\n");
361
362 mask = 0;
363 for (ap = authenticators; ap->type; ap++) {
364 if ((mask & (i = typemask(ap->type))) != 0)
365 continue;
366 mask |= i;
367 printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
368 (i_wont_support & typemask(ap->type)) ?
369 "disabled" : "enabled");
370 }
371 return(1);
372 }
373
374 /*
375 * This routine is called by the server to start authentication
376 * negotiation.
377 */
378 void
379 auth_request()
380 {
381 static unsigned char str_request[64] = { IAC, SB,
382 TELOPT_AUTHENTICATION,
383 TELQUAL_SEND, };
384 TN_Authenticator *ap = authenticators;
385 unsigned char *e = str_request + 4;
386
387 if (!authenticating) {
388 authenticating = 1;
389 while (ap->type) {
390 if (i_support & ~i_wont_support & typemask(ap->type)) {
391 if (auth_debug_mode) {
392 printf(">>>%s: Sending type %d %d\r\n",
393 Name, ap->type, ap->way);
394 }
395 *e++ = ap->type;
396 *e++ = ap->way;
397 }
398 ++ap;
399 }
400 *e++ = IAC;
401 *e++ = SE;
402 net_write(str_request, e - str_request);
403 printsub('>', &str_request[2], e - str_request - 2);
404 }
405 }
406
407 /*
408 * This is called when an AUTH SEND is received.
409 * It should never arrive on the server side (as only the server can
410 * send an AUTH SEND).
411 * You should probably respond to it if you can...
412 *
413 * If you want to respond to the types out of order (i.e. even
414 * if he sends LOGIN KERBEROS and you support both, you respond
415 * with KERBEROS instead of LOGIN (which is against what the
416 * protocol says)) you will have to hack this code...
417 */
418 void
419 auth_send(data, cnt)
420 unsigned char *data;
421 int cnt;
422 {
423 TN_Authenticator *ap;
424 static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
425 TELQUAL_IS, AUTHTYPE_NULL, 0,
426 IAC, SE };
427 if (Server) {
428 if (auth_debug_mode) {
429 printf(">>>%s: auth_send called!\r\n", Name);
430 }
431 return;
432 }
433
434 if (auth_debug_mode) {
435 printf(">>>%s: auth_send got:", Name);
436 printd(data, cnt); printf("\r\n");
437 }
438
439 /*
440 * Save the data, if it is new, so that we can continue looking
441 * at it if the authorization we try doesn't work
442 */
443 if (data < _auth_send_data ||
444 data > _auth_send_data + sizeof(_auth_send_data)) {
445 auth_send_cnt = cnt > sizeof(_auth_send_data)
446 ? sizeof(_auth_send_data)
447 : cnt;
448 memmove((void *)_auth_send_data, (void *)data, auth_send_cnt);
449 auth_send_data = _auth_send_data;
450 } else {
451 /*
452 * This is probably a no-op, but we just make sure
453 */
454 auth_send_data = data;
455 auth_send_cnt = cnt;
456 }
457 while ((auth_send_cnt -= 2) >= 0) {
458 if (auth_debug_mode)
459 printf(">>>%s: He supports %s (%d) %s (%d)\r\n",
460 Name, AUTHTYPE_NAME_OK(auth_send_data[0]) ?
461 AUTHTYPE_NAME(auth_send_data[0]) :
462 "unknown",
463 auth_send_data[0],
464 auth_send_data[1] &
465 AUTH_HOW_MASK &
466 AUTH_HOW_MUTUAL ?
467 "MUTUAL" :
468 "ONEWAY",
469 auth_send_data[1]);
470 if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
471 ap = findauthenticator(auth_send_data[0],
472 auth_send_data[1]);
473 if (ap && ap->send) {
474 if (auth_debug_mode)
475 printf(">>>%s: Trying %s (%d) %s (%d)\r\n",
476 Name,
477 AUTHTYPE_NAME_OK(auth_send_data[0]) ?
478 AUTHTYPE_NAME(auth_send_data[0]) :
479 "unknown",
480 auth_send_data[0],
481 auth_send_data[1] &
482 AUTH_HOW_MASK &
483 AUTH_HOW_MUTUAL ?
484 "MUTUAL" :
485 "ONEWAY",
486 auth_send_data[1]);
487 if ((*ap->send)(ap)) {
488 /*
489 * Okay, we found one we like
490 * and did it.
491 * we can go home now.
492 */
493 if (auth_debug_mode)
494 printf(">>>%s: Using type %s (%d)\r\n",
495 Name,
496 AUTHTYPE_NAME_OK(*auth_send_data) ?
497 AUTHTYPE_NAME(*auth_send_data) :
498 "unknown",
499 *auth_send_data);
500 auth_send_data += 2;
501 return;
502 }
503 }
504 /* else
505 * just continue on and look for the
506 * next one if we didn't do anything.
507 */
508 }
509 auth_send_data += 2;
510 }
511 net_write(str_none, sizeof(str_none));
512 printsub('>', &str_none[2], sizeof(str_none) - 2);
513 if (auth_debug_mode)
514 printf(">>>%s: Sent failure message\r\n", Name);
515 auth_finished(0, AUTH_REJECT);
516 #ifdef KANNAN
517 /*
518 * We requested strong authentication, however no mechanisms worked.
519 * Therefore, exit on client end.
520 */
521 printf("Unable to securely authenticate user ... exit\n");
522 exit(0);
523 #endif /* KANNAN */
524 }
525
526 void
527 auth_send_retry()
528 {
529 /*
530 * if auth_send_cnt <= 0 then auth_send will end up rejecting
531 * the authentication and informing the other side of this.
532 */
533 auth_send(auth_send_data, auth_send_cnt);
534 }
535
536 void
537 auth_is(data, cnt)
538 unsigned char *data;
539 int cnt;
540 {
541 TN_Authenticator *ap;
542
543 if (cnt < 2)
544 return;
545
546 if (data[0] == AUTHTYPE_NULL) {
547 auth_finished(0, AUTH_REJECT);
548 return;
549 }
550
551 if (ap = findauthenticator(data[0], data[1])) {
552 if (ap->is)
553 (*ap->is)(ap, data+2, cnt-2);
554 } else if (auth_debug_mode)
555 printf(">>>%s: Invalid authentication in IS: %d\r\n",
556 Name, *data);
557 }
558
559 void
560 auth_reply(data, cnt)
561 unsigned char *data;
562 int cnt;
563 {
564 TN_Authenticator *ap;
565
566 if (cnt < 2)
567 return;
568
569 if (ap = findauthenticator(data[0], data[1])) {
570 if (ap->reply)
571 (*ap->reply)(ap, data+2, cnt-2);
572 } else if (auth_debug_mode)
573 printf(">>>%s: Invalid authentication in SEND: %d\r\n",
574 Name, *data);
575 }
576
577 void
578 auth_name(data, cnt)
579 unsigned char *data;
580 int cnt;
581 {
582 TN_Authenticator *ap;
583 unsigned char savename[256];
584
585 if (cnt < 1) {
586 if (auth_debug_mode)
587 printf(">>>%s: Empty name in NAME\r\n", Name);
588 return;
589 }
590 if (cnt > sizeof(savename) - 1) {
591 if (auth_debug_mode)
592 printf(">>>%s: Name in NAME (%d) exceeds %d length\r\n",
593 Name, cnt, sizeof(savename)-1);
594 return;
595 }
596 memmove((void *)savename, (void *)data, cnt);
597 savename[cnt] = '\0'; /* Null terminate */
598 if (auth_debug_mode)
599 printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
600 auth_encrypt_user(savename);
601 }
602
603 int
604 auth_sendname(cp, len)
605 unsigned char *cp;
606 int len;
607 {
608 static unsigned char str_request[256+6]
609 = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
610 register unsigned char *e = str_request + 4;
611 register unsigned char *ee = &str_request[sizeof(str_request)-2];
612
613 while (--len >= 0) {
614 if ((*e++ = *cp++) == IAC)
615 *e++ = IAC;
616 if (e >= ee)
617 return(0);
618 }
619 *e++ = IAC;
620 *e++ = SE;
621 net_write(str_request, e - str_request);
622 printsub('>', &str_request[2], e - &str_request[2]);
623 return(1);
624 }
625
626 void
627 auth_finished(ap, result)
628 TN_Authenticator *ap;
629 int result;
630 {
631 if (ap && ap->cleanup)
632 (*ap->cleanup) (ap);
633 if (!(authenticated = ap))
634 authenticated = &NoAuth;
635 validuser = result;
636 }
637
638 /* ARGSUSED */
639 static void
640 auth_intr(sig)
641 int sig;
642 {
643 auth_finished(0, AUTH_REJECT);
644 }
645
646 int
647 auth_wait(name)
648 char *name;
649 {
650 if (auth_debug_mode)
651 printf(">>>%s: in auth_wait.\r\n", Name);
652
653 if (Server && !authenticating)
654 return(0);
655
656 (void) signal(SIGALRM, auth_intr);
657 alarm(30);
658 while (!authenticated)
659 if (telnet_spin())
660 break;
661 alarm(0);
662 (void) signal(SIGALRM, SIG_DFL);
663
664 /*
665 * Now check to see if the user is valid or not
666 */
667 if (!authenticated || authenticated == &NoAuth)
668 return(AUTH_REJECT);
669
670 if (validuser == AUTH_VALID)
671 validuser = AUTH_USER;
672
673 if (authenticated->status)
674 validuser = (*authenticated->status)(authenticated,
675 name, validuser);
676 return(validuser);
677 }
678
679 void
680 auth_debug(mode)
681 int mode;
682 {
683 auth_debug_mode = mode;
684 }
685
686 void
687 auth_printsub(data, cnt, buf, buflen)
688 unsigned char *data, *buf;
689 int cnt, buflen;
690 {
691 TN_Authenticator *ap;
692
693 if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
694 (*ap->printsub)(data, cnt, buf, buflen);
695 else
696 auth_gen_printsub(data, cnt, buf, buflen);
697 }
698
699 void
700 auth_gen_printsub(data, cnt, buf, buflen)
701 unsigned char *data, *buf;
702 int cnt, buflen;
703 {
704 register unsigned char *cp;
705 unsigned char tbuf[16];
706
707 cnt -= 3;
708 data += 3;
709 buf[buflen-1] = '\0';
710 buf[buflen-2] = '*';
711 buflen -= 2;
712 for (; cnt > 0; cnt--, data++) {
713 sprintf((char *)tbuf, " %d", *data);
714 for (cp = tbuf; *cp && buflen > 0; --buflen)
715 *buf++ = *cp++;
716 if (buflen <= 0)
717 return;
718 }
719 *buf = '\0';
720 }
721 #endif
Free Kerberos V5 implementation