search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix mdoc(7)/man(7) mix up.
[netbsd-mini2440.git] / lib / libtelnet / auth.c
blob7322262104aac503832fc1e788d877a96d000f8b
1 /* $NetBSD: auth.c,v 1.18 2005/02/19 21:55:52 christos Exp $ */
2
3 /*-
4 * Copyright (c) 1991, 1993
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include <sys/cdefs.h>
33 #ifndef lint
34 #if 0
35 static char sccsid[] = "@(#)auth.c 8.3 (Berkeley) 5/30/95"
36 #else
37 __RCSID("$NetBSD: auth.c,v 1.18 2005/02/19 21:55:52 christos Exp $");
38 #endif
39 #endif /* not lint */
40
41 /*
42 * Copyright (C) 1990 by the Massachusetts Institute of Technology
43 *
44 * Export of this software from the United States of America is assumed
45 * to require a specific license from the United States Government.
46 * It is the responsibility of any person or organization contemplating
47 * export to obtain such a license before exporting.
48 *
49 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
50 * distribute this software and its documentation for any purpose and
51 * without fee is hereby granted, provided that the above copyright
52 * notice appear in all copies and that both that copyright notice and
53 * this permission notice appear in supporting documentation, and that
54 * the name of M.I.T. not be used in advertising or publicity pertaining
55 * to distribution of the software without specific, written prior
56 * permission. M.I.T. makes no representations about the suitability of
57 * this software for any purpose. It is provided "as is" without express
58 * or implied warranty.
59 */
60
61
62 #ifdef AUTHENTICATION
63 #include <stdio.h>
64 #include <sys/types.h>
65 #include <signal.h>
66 #define AUTH_NAMES
67 #include <arpa/telnet.h>
68 #include <stdlib.h>
69 #include <unistd.h>
70 #ifdef NO_STRING_H
71 #include <strings.h>
72 #else
73 #include <string.h>
74 #endif
75
76 #include "encrypt.h"
77 #include "auth.h"
78 #include "misc-proto.h"
79 #include "auth-proto.h"
80
81 #define typemask(x) (1<<((x)-1))
82
83 #ifdef RSA_ENCPWD
84 extern rsaencpwd_init();
85 extern rsaencpwd_send();
86 extern rsaencpwd_is();
87 extern rsaencpwd_reply();
88 extern rsaencpwd_status();
89 extern rsaencpwd_printsub();
90 #endif
91
92 int auth_debug_mode = 0;
93 static const char *Name = "Noname";
94 static int Server = 0;
95 static Authenticator *authenticated = 0;
96 static int authenticating = 0;
97 static int validuser = 0;
98 static unsigned char _auth_send_data[256];
99 static unsigned char *auth_send_data;
100 static int auth_send_cnt = 0;
101
102 static void auth_intr(int);
103
104 /*
105 * Authentication types supported. Plese note that these are stored
106 * in priority order, i.e. try the first one first.
107 */
108 Authenticator authenticators[] = {
109 #ifdef SPX
110 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
111 spx_init,
112 spx_send,
113 spx_is,
114 spx_reply,
115 spx_status,
116 spx_printsub },
117 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
118 spx_init,
119 spx_send,
120 spx_is,
121 spx_reply,
122 spx_status,
123 spx_printsub },
124 #endif
125 #ifdef KRB5
126 # ifdef ENCRYPTION
127 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
128 kerberos5_init,
129 kerberos5_send,
130 kerberos5_is,
131 kerberos5_reply,
132 kerberos5_status,
133 kerberos5_printsub },
134 # endif /* ENCRYPTION */
135 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
136 kerberos5_init,
137 kerberos5_send,
138 kerberos5_is,
139 kerberos5_reply,
140 kerberos5_status,
141 kerberos5_printsub },
142 #endif
143 #ifdef RSA_ENCPWD
144 { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
145 rsaencpwd_init,
146 rsaencpwd_send,
147 rsaencpwd_is,
148 rsaencpwd_reply,
149 rsaencpwd_status,
150 rsaencpwd_printsub },
151 #endif
152 #ifdef SRA
153 { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
154 sra_init,
155 sra_send,
156 sra_is,
157 sra_reply,
158 sra_status,
159 sra_printsub },
160
161 #endif
162 { 0, 0, 0, 0, 0, 0, 0, 0 },
163 };
164
165 static Authenticator NoAuth = { 0 };
166
167 static int i_support = 0;
168 static int i_wont_support = 0;
169
170 Authenticator *
171 findauthenticator(type, way)
172 int type;
173 int way;
174 {
175 Authenticator *ap = authenticators;
176
177 while (ap->type && (ap->type != type || ap->way != way))
178 ++ap;
179 return(ap->type ? ap : 0);
180 }
181
182 void
183 auth_init(name, server)
184 const char *name;
185 int server;
186 {
187 Authenticator *ap = authenticators;
188
189 Server = server;
190 Name = name;
191
192 i_support = 0;
193 authenticated = 0;
194 authenticating = 0;
195 while (ap->type) {
196 if (!ap->init || (*ap->init)(ap, server)) {
197 i_support |= typemask(ap->type);
198 if (auth_debug_mode)
199 printf(">>>%s: I support auth type %d %d\r\n",
200 Name,
201 ap->type, ap->way);
202 }
203 else if (auth_debug_mode)
204 printf(">>>%s: Init failed: auth type %d %d\r\n",
205 Name, ap->type, ap->way);
206 ++ap;
207 }
208 }
209
210 void
211 auth_disable_name(name)
212 char *name;
213 {
214 int x;
215 for (x = 0; x < AUTHTYPE_CNT; ++x) {
216 if (AUTHTYPE_NAME(x) && !strcasecmp(name, AUTHTYPE_NAME(x))) {
217 i_wont_support |= typemask(x);
218 break;
219 }
220 }
221 }
222
223 int
224 getauthmask(type, maskp)
225 char *type;
226 int *maskp;
227 {
228 register int x;
229
230 if (AUTHTYPE_NAME(0) && !strcasecmp(type, AUTHTYPE_NAME(0))) {
231 *maskp = -1;
232 return(1);
233 }
234
235 for (x = 1; x < AUTHTYPE_CNT; ++x) {
236 if (AUTHTYPE_NAME(x) && !strcasecmp(type, AUTHTYPE_NAME(x))) {
237 *maskp = typemask(x);
238 return(1);
239 }
240 }
241 return(0);
242 }
243
244 int
245 auth_enable(type)
246 char *type;
247 {
248 return(auth_onoff(type, 1));
249 }
250
251 int
252 auth_disable(type)
253 char *type;
254 {
255 return(auth_onoff(type, 0));
256 }
257
258 int
259 auth_onoff(type, on)
260 char *type;
261 int on;
262 {
263 int i, mask = -1;
264 Authenticator *ap;
265
266 if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
267 printf("auth %s 'type'\n", on ? "enable" : "disable");
268 printf("Where 'type' is one of:\n");
269 printf("\t%s\n", AUTHTYPE_NAME(0));
270 mask = 0;
271 for (ap = authenticators; ap->type; ap++) {
272 if ((mask & (i = typemask(ap->type))) != 0)
273 continue;
274 mask |= i;
275 printf("\t%s\n", AUTHTYPE_NAME(ap->type));
276 }
277 return(0);
278 }
279
280 if (!getauthmask(type, &mask)) {
281 printf("%s: invalid authentication type\n", type);
282 return(0);
283 }
284 if (on)
285 i_wont_support &= ~mask;
286 else
287 i_wont_support |= mask;
288 return(1);
289 }
290
291 int
292 auth_togdebug(on)
293 int on;
294 {
295 if (on < 0)
296 auth_debug_mode ^= 1;
297 else
298 auth_debug_mode = on;
299 printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
300 return(1);
301 }
302
303 int
304 auth_status(s)
305 char *s;
306 {
307 Authenticator *ap;
308 int i, mask;
309
310 if (i_wont_support == -1)
311 printf("Authentication disabled\n");
312 else
313 printf("Authentication enabled\n");
314
315 mask = 0;
316 for (ap = authenticators; ap->type; ap++) {
317 if ((mask & (i = typemask(ap->type))) != 0)
318 continue;
319 mask |= i;
320 printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
321 (i_wont_support & typemask(ap->type)) ?
322 "disabled" : "enabled");
323 }
324 return(1);
325 }
326
327 /*
328 * This routine is called by the server to start authentication
329 * negotiation.
330 */
331 void
332 auth_request()
333 {
334 static unsigned char str_request[64] = { IAC, SB,
335 TELOPT_AUTHENTICATION,
336 TELQUAL_SEND, };
337 Authenticator *ap = authenticators;
338 unsigned char *e = str_request + 4;
339
340 if (!authenticating) {
341 authenticating = 1;
342 while (ap->type) {
343 if (i_support & ~i_wont_support & typemask(ap->type)) {
344 if (auth_debug_mode) {
345 printf(">>>%s: Sending type %d %d\r\n",
346 Name, ap->type, ap->way);
347 }
348 *e++ = ap->type;
349 *e++ = ap->way;
350 }
351 ++ap;
352 }
353 *e++ = IAC;
354 *e++ = SE;
355 telnet_net_write(str_request, e - str_request);
356 printsub('>', &str_request[2], e - str_request - 2);
357 }
358 }
359
360 /*
361 * This is called when an AUTH SEND is received.
362 * It should never arrive on the server side (as only the server can
363 * send an AUTH SEND).
364 * You should probably respond to it if you can...
365 *
366 * If you want to respond to the types out of order (i.e. even
367 * if he sends LOGIN KERBEROS and you support both, you respond
368 * with KERBEROS instead of LOGIN (which is against what the
369 * protocol says)) you will have to hack this code...
370 */
371 void
372 auth_send(data, cnt)
373 unsigned char *data;
374 int cnt;
375 {
376 Authenticator *ap;
377 static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
378 TELQUAL_IS, AUTHTYPE_NULL, 0,
379 IAC, SE };
380 if (Server) {
381 if (auth_debug_mode) {
382 printf(">>>%s: auth_send called!\r\n", Name);
383 }
384 return;
385 }
386
387 if (auth_debug_mode) {
388 printf(">>>%s: auth_send got:", Name);
389 printd(data, cnt); printf("\r\n");
390 }
391
392 /*
393 * Save the data, if it is new, so that we can continue looking
394 * at it if the authorization we try doesn't work
395 */
396 if (data < _auth_send_data ||
397 data > _auth_send_data + sizeof(_auth_send_data)) {
398 auth_send_cnt = cnt > sizeof(_auth_send_data)
399 ? sizeof(_auth_send_data)
400 : cnt;
401 memmove((void *)_auth_send_data, (void *)data, auth_send_cnt);
402 auth_send_data = _auth_send_data;
403 } else {
404 /*
405 * This is probably a no-op, but we just make sure
406 */
407 auth_send_data = data;
408 auth_send_cnt = cnt;
409 }
410 while ((auth_send_cnt -= 2) >= 0) {
411 if (auth_debug_mode)
412 printf(">>>%s: He supports %d\r\n",
413 Name, *auth_send_data);
414 if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
415 ap = findauthenticator(auth_send_data[0],
416 auth_send_data[1]);
417 if (ap && ap->send) {
418 if (auth_debug_mode)
419 printf(">>>%s: Trying %d %d\r\n",
420 Name, auth_send_data[0],
421 auth_send_data[1]);
422 if ((*ap->send)(ap)) {
423 /*
424 * Okay, we found one we like
425 * and did it.
426 * we can go home now.
427 */
428 if (auth_debug_mode)
429 printf(">>>%s: Using type %d\r\n",
430 Name, *auth_send_data);
431 auth_send_data += 2;
432 return;
433 }
434 }
435 /* else
436 * just continue on and look for the
437 * next one if we didn't do anything.
438 */
439 }
440 auth_send_data += 2;
441 }
442 telnet_net_write(str_none, sizeof(str_none));
443 printsub('>', &str_none[2], sizeof(str_none) - 2);
444 if (auth_debug_mode)
445 printf(">>>%s: Sent failure message\r\n", Name);
446 auth_finished(0, AUTH_REJECT);
447 #ifdef KANNAN
448 /*
449 * We requested strong authentication, however no mechanisms worked.
450 * Therefore, exit on client end.
451 */
452 printf("Unable to securely authenticate user ... exit\n");
453 exit(0);
454 #endif /* KANNAN */
455 }
456
457 void
458 auth_send_retry()
459 {
460 /*
461 * if auth_send_cnt <= 0 then auth_send will end up rejecting
462 * the authentication and informing the other side of this.
463 */
464 auth_send(auth_send_data, auth_send_cnt);
465 }
466
467 void
468 auth_is(data, cnt)
469 unsigned char *data;
470 int cnt;
471 {
472 Authenticator *ap;
473
474 if (cnt < 2)
475 return;
476
477 if (data[0] == AUTHTYPE_NULL) {
478 auth_finished(0, AUTH_REJECT);
479 return;
480 }
481
482 if ((ap = findauthenticator(data[0], data[1])) != NULL) {
483 if (ap->is)
484 (*ap->is)(ap, data+2, cnt-2);
485 } else if (auth_debug_mode)
486 printf(">>>%s: Invalid authentication in IS: %d\r\n",
487 Name, *data);
488 }
489
490 void
491 auth_reply(data, cnt)
492 unsigned char *data;
493 int cnt;
494 {
495 Authenticator *ap;
496
497 if (cnt < 2)
498 return;
499
500 if ((ap = findauthenticator(data[0], data[1])) != NULL) {
501 if (ap->reply)
502 (*ap->reply)(ap, data+2, cnt-2);
503 } else if (auth_debug_mode)
504 printf(">>>%s: Invalid authentication in SEND: %d\r\n",
505 Name, *data);
506 }
507
508 void
509 auth_name(data, cnt)
510 unsigned char *data;
511 int cnt;
512 {
513 unsigned char savename[256];
514
515 if (cnt < 1) {
516 if (auth_debug_mode)
517 printf(">>>%s: Empty name in NAME\r\n", Name);
518 return;
519 }
520 if (cnt > sizeof(savename) - 1) {
521 if (auth_debug_mode)
522 printf(">>>%s: Name in NAME (%d) exceeds %ld length\r\n",
523 Name, cnt, (long)sizeof(savename)-1);
524 return;
525 }
526 memmove((void *)savename, (void *)data, cnt);
527 savename[cnt] = '\0'; /* Null terminate */
528 if (auth_debug_mode)
529 printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
530 auth_encrypt_user(savename);
531 }
532
533 int
534 auth_sendname(cp, len)
535 unsigned char *cp;
536 int len;
537 {
538 static unsigned char str_request[256+6]
539 = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
540 register unsigned char *e = str_request + 4;
541 register unsigned char *ee = &str_request[sizeof(str_request)-2];
542
543 while (--len >= 0) {
544 if ((*e++ = *cp++) == IAC)
545 *e++ = IAC;
546 if (e >= ee)
547 return(0);
548 }
549 *e++ = IAC;
550 *e++ = SE;
551 telnet_net_write(str_request, e - str_request);
552 printsub('>', &str_request[2], e - &str_request[2]);
553 return(1);
554 }
555
556 void
557 auth_finished(ap, result)
558 Authenticator *ap;
559 int result;
560 {
561 if (!(authenticated = ap))
562 authenticated = &NoAuth;
563 validuser = result;
564 }
565
566 /* ARGSUSED */
567 static void
568 auth_intr(sig)
569 int sig;
570 {
571 auth_finished(0, AUTH_REJECT);
572 }
573
574 int
575 auth_wait(name, l)
576 char *name;
577 size_t l;
578 {
579 if (auth_debug_mode)
580 printf(">>>%s: in auth_wait.\r\n", Name);
581
582 if (Server && !authenticating)
583 return(0);
584
585 (void) signal(SIGALRM, auth_intr);
586 alarm(30);
587 while (!authenticated)
588 if (telnet_spin())
589 break;
590 alarm(0);
591 (void) signal(SIGALRM, SIG_DFL);
592
593 /*
594 * Now check to see if the user is valid or not
595 */
596 if (!authenticated || authenticated == &NoAuth)
597 return(AUTH_REJECT);
598
599 if (validuser == AUTH_VALID)
600 validuser = AUTH_USER;
601
602 if (authenticated->status)
603 validuser = (*authenticated->status)(authenticated,
604 name, l, validuser);
605 return(validuser);
606 }
607
608 void
609 auth_debug(mode)
610 int mode;
611 {
612 auth_debug_mode = mode;
613 }
614
615 void
616 auth_printsub(data, cnt, buf, buflen)
617 unsigned char *data, *buf;
618 int cnt, buflen;
619 {
620 Authenticator *ap;
621
622 if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
623 (*ap->printsub)(data, cnt, buf, buflen);
624 else
625 auth_gen_printsub(data, cnt, buf, buflen);
626 }
627
628 void
629 auth_gen_printsub(data, cnt, buf, buflen)
630 unsigned char *data, *buf;
631 int cnt, buflen;
632 {
633 register unsigned char *cp;
634 unsigned char tbuf[16];
635
636 cnt -= 3;
637 data += 3;
638 buf[buflen-1] = '\0';
639 buf[buflen-2] = '*';
640 buflen -= 2;
641 for (; cnt > 0; cnt--, data++) {
642 snprintf((char *)tbuf, sizeof(tbuf), " %d", *data);
643 for (cp = tbuf; *cp && buflen > 0; --buflen)
644 *buf++ = *cp++;
645 if (buflen <= 0)
646 return;
647 }
648 *buf = '\0';
649 }
650 #endif
NetBSD on the FriendlyARM MINI2440