Remove building with NOCRYPTO option
[minix3.git] / lib / libtelnet / auth.c
blob3db63333f9f29ccc0e53c9f737762620fa498edd
1 /* $NetBSD: auth.c,v 1.21 2012/03/21 05:33:27 matt Exp $ */
3 /*-
4 * Copyright (c) 1991, 1993
5 * The Regents of the University of California. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
32 #include <sys/cdefs.h>
33 #ifndef lint
34 #if 0
35 static char sccsid[] = "@(#)auth.c 8.3 (Berkeley) 5/30/95"
36 #else
37 __RCSID("$NetBSD: auth.c,v 1.21 2012/03/21 05:33:27 matt Exp $");
38 #endif
39 #endif /* not lint */
42 * Copyright (C) 1990 by the Massachusetts Institute of Technology
44 * Export of this software from the United States of America is assumed
45 * to require a specific license from the United States Government.
46 * It is the responsibility of any person or organization contemplating
47 * export to obtain such a license before exporting.
49 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
50 * distribute this software and its documentation for any purpose and
51 * without fee is hereby granted, provided that the above copyright
52 * notice appear in all copies and that both that copyright notice and
53 * this permission notice appear in supporting documentation, and that
54 * the name of M.I.T. not be used in advertising or publicity pertaining
55 * to distribution of the software without specific, written prior
56 * permission. M.I.T. makes no representations about the suitability of
57 * this software for any purpose. It is provided "as is" without express
58 * or implied warranty.
62 #ifdef AUTHENTICATION
63 #include <stdio.h>
64 #include <sys/types.h>
65 #include <signal.h>
66 #define AUTH_NAMES
67 #include <arpa/telnet.h>
68 #include <stdlib.h>
69 #include <unistd.h>
70 #ifdef NO_STRING_H
71 #include <strings.h>
72 #else
73 #include <string.h>
74 #endif
76 #include "encrypt.h"
77 #include "auth.h"
78 #include "misc-proto.h"
79 #include "auth-proto.h"
81 #define typemask(x) (1<<((x)-1))
83 #ifdef RSA_ENCPWD
84 extern rsaencpwd_init();
85 extern rsaencpwd_send();
86 extern rsaencpwd_is();
87 extern rsaencpwd_reply();
88 extern rsaencpwd_status();
89 extern rsaencpwd_printsub();
90 #endif
92 int auth_debug_mode = 0;
93 static const char *Name = "Noname";
94 static int Server = 0;
95 static Authenticator *authenticated = 0;
96 static int authenticating = 0;
97 static int validuser = 0;
98 static unsigned char _auth_send_data[256];
99 static unsigned char *auth_send_data;
100 static int auth_send_cnt = 0;
102 static void auth_intr(int);
105 * Authentication types supported. Plese note that these are stored
106 * in priority order, i.e. try the first one first.
108 Authenticator authenticators[] = {
109 #ifdef SPX
110 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
111 spx_init,
112 spx_send,
113 spx_is,
114 spx_reply,
115 spx_status,
116 spx_printsub },
117 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
118 spx_init,
119 spx_send,
120 spx_is,
121 spx_reply,
122 spx_status,
123 spx_printsub },
124 #endif
125 #ifdef KRB5
126 # ifdef ENCRYPTION
127 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
128 kerberos5_init,
129 kerberos5_send,
130 kerberos5_is,
131 kerberos5_reply,
132 kerberos5_status,
133 kerberos5_printsub },
134 # endif /* ENCRYPTION */
135 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
136 kerberos5_init,
137 kerberos5_send,
138 kerberos5_is,
139 kerberos5_reply,
140 kerberos5_status,
141 kerberos5_printsub },
142 #endif
143 #ifdef RSA_ENCPWD
144 { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
145 rsaencpwd_init,
146 rsaencpwd_send,
147 rsaencpwd_is,
148 rsaencpwd_reply,
149 rsaencpwd_status,
150 rsaencpwd_printsub },
151 #endif
152 #ifdef SRA
153 { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
154 sra_init,
155 sra_send,
156 sra_is,
157 sra_reply,
158 sra_status,
159 sra_printsub },
161 #endif
162 { 0, 0, 0, 0, 0, 0, 0, 0 },
165 static Authenticator NoAuth = { .type = 0 };
167 static int i_support = 0;
168 static int i_wont_support = 0;
170 Authenticator *
171 findauthenticator(int type, int way)
173 Authenticator *ap = authenticators;
175 while (ap->type && (ap->type != type || ap->way != way))
176 ++ap;
177 return(ap->type ? ap : 0);
180 void
181 auth_init(const char *name, int server)
183 Authenticator *ap = authenticators;
185 Server = server;
186 Name = name;
188 i_support = 0;
189 authenticated = 0;
190 authenticating = 0;
191 while (ap->type) {
192 if (!ap->init || (*ap->init)(ap, server)) {
193 i_support |= typemask(ap->type);
194 if (auth_debug_mode)
195 printf(">>>%s: I support auth type %d %d\r\n",
196 Name,
197 ap->type, ap->way);
199 else if (auth_debug_mode)
200 printf(">>>%s: Init failed: auth type %d %d\r\n",
201 Name, ap->type, ap->way);
202 ++ap;
206 void
207 auth_disable_name(char *name)
209 int x;
210 for (x = 0; x < AUTHTYPE_CNT; ++x) {
211 if (AUTHTYPE_NAME(x) && !strcasecmp(name, AUTHTYPE_NAME(x))) {
212 i_wont_support |= typemask(x);
213 break;
219 getauthmask(char *type, int *maskp)
221 register int x;
223 if (AUTHTYPE_NAME(0) && !strcasecmp(type, AUTHTYPE_NAME(0))) {
224 *maskp = -1;
225 return(1);
228 for (x = 1; x < AUTHTYPE_CNT; ++x) {
229 if (AUTHTYPE_NAME(x) && !strcasecmp(type, AUTHTYPE_NAME(x))) {
230 *maskp = typemask(x);
231 return(1);
234 return(0);
238 auth_enable(char *type)
240 return(auth_onoff(type, 1));
244 auth_disable(char *type)
246 return(auth_onoff(type, 0));
250 auth_onoff(char *type, int on)
252 int i, mask = -1;
253 Authenticator *ap;
255 if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
256 printf("auth %s 'type'\n", on ? "enable" : "disable");
257 printf("Where 'type' is one of:\n");
258 printf("\t%s\n", AUTHTYPE_NAME(0));
259 mask = 0;
260 for (ap = authenticators; ap->type; ap++) {
261 if ((mask & (i = typemask(ap->type))) != 0)
262 continue;
263 mask |= i;
264 printf("\t%s\n", AUTHTYPE_NAME(ap->type));
266 return(0);
269 if (!getauthmask(type, &mask)) {
270 printf("%s: invalid authentication type\n", type);
271 return(0);
273 if (on)
274 i_wont_support &= ~mask;
275 else
276 i_wont_support |= mask;
277 return(1);
281 auth_togdebug(int on)
283 if (on < 0)
284 auth_debug_mode ^= 1;
285 else
286 auth_debug_mode = on;
287 printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
288 return(1);
292 auth_status(char *s)
294 Authenticator *ap;
295 int i, mask;
297 if (i_wont_support == -1)
298 printf("Authentication disabled\n");
299 else
300 printf("Authentication enabled\n");
302 mask = 0;
303 for (ap = authenticators; ap->type; ap++) {
304 if ((mask & (i = typemask(ap->type))) != 0)
305 continue;
306 mask |= i;
307 printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
308 (i_wont_support & typemask(ap->type)) ?
309 "disabled" : "enabled");
311 return(1);
315 * This routine is called by the server to start authentication
316 * negotiation.
318 void
319 auth_request(void)
321 static unsigned char str_request[64] = { IAC, SB,
322 TELOPT_AUTHENTICATION,
323 TELQUAL_SEND, };
324 Authenticator *ap = authenticators;
325 unsigned char *e = str_request + 4;
327 if (!authenticating) {
328 authenticating = 1;
329 while (ap->type) {
330 if (i_support & ~i_wont_support & typemask(ap->type)) {
331 if (auth_debug_mode) {
332 printf(">>>%s: Sending type %d %d\r\n",
333 Name, ap->type, ap->way);
335 *e++ = ap->type;
336 *e++ = ap->way;
338 ++ap;
340 *e++ = IAC;
341 *e++ = SE;
342 telnet_net_write(str_request, e - str_request);
343 printsub('>', &str_request[2], e - str_request - 2);
348 * This is called when an AUTH SEND is received.
349 * It should never arrive on the server side (as only the server can
350 * send an AUTH SEND).
351 * You should probably respond to it if you can...
353 * If you want to respond to the types out of order (i.e. even
354 * if he sends LOGIN KERBEROS and you support both, you respond
355 * with KERBEROS instead of LOGIN (which is against what the
356 * protocol says)) you will have to hack this code...
358 void
359 auth_send(unsigned char *data, int cnt)
361 Authenticator *ap;
362 static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
363 TELQUAL_IS, AUTHTYPE_NULL, 0,
364 IAC, SE };
365 if (Server) {
366 if (auth_debug_mode) {
367 printf(">>>%s: auth_send called!\r\n", Name);
369 return;
372 if (auth_debug_mode) {
373 printf(">>>%s: auth_send got:", Name);
374 printd(data, cnt); printf("\r\n");
378 * Save the data, if it is new, so that we can continue looking
379 * at it if the authorization we try doesn't work
381 if (data < _auth_send_data ||
382 data > _auth_send_data + sizeof(_auth_send_data)) {
383 auth_send_cnt = (size_t)cnt > sizeof(_auth_send_data)
384 ? sizeof(_auth_send_data)
385 : (size_t)cnt;
386 memmove(_auth_send_data, data, auth_send_cnt);
387 auth_send_data = _auth_send_data;
388 } else {
390 * This is probably a no-op, but we just make sure
392 auth_send_data = data;
393 auth_send_cnt = cnt;
395 while ((auth_send_cnt -= 2) >= 0) {
396 if (auth_debug_mode)
397 printf(">>>%s: He supports %d\r\n",
398 Name, *auth_send_data);
399 if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
400 ap = findauthenticator(auth_send_data[0],
401 auth_send_data[1]);
402 if (ap && ap->send) {
403 if (auth_debug_mode)
404 printf(">>>%s: Trying %d %d\r\n",
405 Name, auth_send_data[0],
406 auth_send_data[1]);
407 if ((*ap->send)(ap)) {
409 * Okay, we found one we like
410 * and did it.
411 * we can go home now.
413 if (auth_debug_mode)
414 printf(">>>%s: Using type %d\r\n",
415 Name, *auth_send_data);
416 auth_send_data += 2;
417 return;
420 /* else
421 * just continue on and look for the
422 * next one if we didn't do anything.
425 auth_send_data += 2;
427 telnet_net_write(str_none, sizeof(str_none));
428 printsub('>', &str_none[2], sizeof(str_none) - 2);
429 if (auth_debug_mode)
430 printf(">>>%s: Sent failure message\r\n", Name);
431 auth_finished(0, AUTH_REJECT);
432 #ifdef KANNAN
434 * We requested strong authentication, however no mechanisms worked.
435 * Therefore, exit on client end.
437 printf("Unable to securely authenticate user ... exit\n");
438 exit(0);
439 #endif /* KANNAN */
442 void
443 auth_send_retry(void)
446 * if auth_send_cnt <= 0 then auth_send will end up rejecting
447 * the authentication and informing the other side of this.
449 auth_send(auth_send_data, auth_send_cnt);
452 void
453 auth_is(unsigned char *data, int cnt)
455 Authenticator *ap;
457 if (cnt < 2)
458 return;
460 if (data[0] == AUTHTYPE_NULL) {
461 auth_finished(0, AUTH_REJECT);
462 return;
465 if ((ap = findauthenticator(data[0], data[1])) != NULL) {
466 if (ap->is)
467 (*ap->is)(ap, data+2, cnt-2);
468 } else if (auth_debug_mode)
469 printf(">>>%s: Invalid authentication in IS: %d\r\n",
470 Name, *data);
473 void
474 auth_reply(unsigned char *data, int cnt)
476 Authenticator *ap;
478 if (cnt < 2)
479 return;
481 if ((ap = findauthenticator(data[0], data[1])) != NULL) {
482 if (ap->reply)
483 (*ap->reply)(ap, data+2, cnt-2);
484 } else if (auth_debug_mode)
485 printf(">>>%s: Invalid authentication in SEND: %d\r\n",
486 Name, *data);
489 void
490 auth_name(unsigned char *data, int cnt)
492 unsigned char savename[256];
494 if (cnt < 1) {
495 if (auth_debug_mode)
496 printf(">>>%s: Empty name in NAME\r\n", Name);
497 return;
499 if ((size_t)cnt > sizeof(savename) - 1) {
500 if (auth_debug_mode)
501 printf(">>>%s: Name in NAME (%d) exceeds %ld length\r\n",
502 Name, cnt, (long)sizeof(savename)-1);
503 return;
505 memmove((void *)savename, (void *)data, cnt);
506 savename[cnt] = '\0'; /* Null terminate */
507 if (auth_debug_mode)
508 printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
509 auth_encrypt_user(savename);
513 auth_sendname(unsigned char *cp, int len)
515 static unsigned char str_request[256+6]
516 = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
517 register unsigned char *e = str_request + 4;
518 register unsigned char *ee = &str_request[sizeof(str_request)-2];
520 while (--len >= 0) {
521 if ((*e++ = *cp++) == IAC)
522 *e++ = IAC;
523 if (e >= ee)
524 return(0);
526 *e++ = IAC;
527 *e++ = SE;
528 telnet_net_write(str_request, e - str_request);
529 printsub('>', &str_request[2], e - &str_request[2]);
530 return(1);
533 void
534 auth_finished(Authenticator *ap, int result)
536 if (!(authenticated = ap))
537 authenticated = &NoAuth;
538 validuser = result;
541 /* ARGSUSED */
542 static void
543 auth_intr(int sig)
545 auth_finished(0, AUTH_REJECT);
549 auth_wait(char *name, size_t l)
551 if (auth_debug_mode)
552 printf(">>>%s: in auth_wait.\r\n", Name);
554 if (Server && !authenticating)
555 return(0);
557 (void) signal(SIGALRM, auth_intr);
558 alarm(30);
559 while (!authenticated)
560 if (telnet_spin())
561 break;
562 alarm(0);
563 (void) signal(SIGALRM, SIG_DFL);
566 * Now check to see if the user is valid or not
568 if (!authenticated || authenticated == &NoAuth)
569 return(AUTH_REJECT);
571 if (validuser == AUTH_VALID)
572 validuser = AUTH_USER;
574 if (authenticated->status)
575 validuser = (*authenticated->status)(authenticated,
576 name, l, validuser);
577 return(validuser);
580 void
581 auth_debug(int mode)
583 auth_debug_mode = mode;
586 void
587 auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
589 Authenticator *ap;
591 if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
592 (*ap->printsub)(data, cnt, buf, buflen);
593 else
594 auth_gen_printsub(data, cnt, buf, buflen);
597 void
598 auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
600 register unsigned char *cp;
601 unsigned char tbuf[16];
603 cnt -= 3;
604 data += 3;
605 buf[buflen-1] = '\0';
606 buf[buflen-2] = '*';
607 buflen -= 2;
608 for (; cnt > 0; cnt--, data++) {
609 snprintf((char *)tbuf, sizeof(tbuf), " %d", *data);
610 for (cp = tbuf; *cp && buflen > 0; --buflen)
611 *buf++ = *cp++;
612 if (buflen <= 0)
613 return;
615 *buf = '\0';
617 #endif