search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / crypto / dist / heimdal / appl / telnet / libtelnet / auth.c
blobf3ffcb1f204de62263142b87e8ba243d93cb2e46
1 /*-
2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /*
35 * Copyright (C) 1990 by the Massachusetts Institute of Technology
36 *
37 * Export of this software from the United States of America is assumed
38 * to require a specific license from the United States Government.
39 * It is the responsibility of any person or organization contemplating
40 * export to obtain such a license before exporting.
41 *
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of M.I.T. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission. M.I.T. makes no representations about the suitability of
50 * this software for any purpose. It is provided "as is" without express
51 * or implied warranty.
52 */
53
54 #include <config.h>
55
56 __RCSID("$Heimdal: auth.c 10809 2002-01-18 12:58:49Z joda $"
57 "$NetBSD$");
58
59 #if defined(AUTHENTICATION)
60 #include <stdio.h>
61 #ifdef HAVE_SYS_TYPES_H
62 #include <sys/types.h>
63 #endif
64 #include <signal.h>
65 #define AUTH_NAMES
66 #ifdef HAVE_ARPA_TELNET_H
67 #include <arpa/telnet.h>
68 #endif
69 #include <stdlib.h>
70 #include <string.h>
71
72 #include <roken.h>
73
74 #ifdef SOCKS
75 #include <socks.h>
76 #endif
77
78 #include "encrypt.h"
79 #include "auth.h"
80 #include "misc-proto.h"
81 #include "auth-proto.h"
82
83 #define typemask(x) (1<<((x)-1))
84
85 #ifdef KRB4_ENCPWD
86 extern krb4encpwd_init();
87 extern krb4encpwd_send();
88 extern krb4encpwd_is();
89 extern krb4encpwd_reply();
90 extern krb4encpwd_status();
91 extern krb4encpwd_printsub();
92 #endif
93
94 #ifdef RSA_ENCPWD
95 extern rsaencpwd_init();
96 extern rsaencpwd_send();
97 extern rsaencpwd_is();
98 extern rsaencpwd_reply();
99 extern rsaencpwd_status();
100 extern rsaencpwd_printsub();
101 #endif
102
103 int auth_debug_mode = 0;
104 int auth_has_failed = 0;
105 int auth_enable_encrypt = 0;
106 static const char *Name = "Noname";
107 static int Server = 0;
108 static Authenticator *authenticated = 0;
109 static int authenticating = 0;
110 static int validuser = 0;
111 static unsigned char _auth_send_data[256];
112 static unsigned char *auth_send_data;
113 static int auth_send_cnt = 0;
114
115 /*
116 * Authentication types supported. Plese note that these are stored
117 * in priority order, i.e. try the first one first.
118 */
119 Authenticator authenticators[] = {
120 #ifdef UNSAFE
121 { AUTHTYPE_UNSAFE, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
122 unsafe_init,
123 unsafe_send,
124 unsafe_is,
125 unsafe_reply,
126 unsafe_status,
127 unsafe_printsub },
128 #endif
129 #ifdef SRA
130 { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
131 sra_init,
132 sra_send,
133 sra_is,
134 sra_reply,
135 sra_status,
136 sra_printsub },
137 #endif
138 #ifdef SPX
139 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
140 spx_init,
141 spx_send,
142 spx_is,
143 spx_reply,
144 spx_status,
145 spx_printsub },
146 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
147 spx_init,
148 spx_send,
149 spx_is,
150 spx_reply,
151 spx_status,
152 spx_printsub },
153 #endif
154 #ifdef KRB5
155 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
156 kerberos5_init,
157 kerberos5_send_mutual,
158 kerberos5_is,
159 kerberos5_reply,
160 kerberos5_status,
161 kerberos5_printsub },
162 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
163 kerberos5_init,
164 kerberos5_send_oneway,
165 kerberos5_is,
166 kerberos5_reply,
167 kerberos5_status,
168 kerberos5_printsub },
169 #endif
170 #ifdef KRB4
171 { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
172 kerberos4_init,
173 kerberos4_send_mutual,
174 kerberos4_is,
175 kerberos4_reply,
176 kerberos4_status,
177 kerberos4_printsub },
178 { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
179 kerberos4_init,
180 kerberos4_send_oneway,
181 kerberos4_is,
182 kerberos4_reply,
183 kerberos4_status,
184 kerberos4_printsub },
185 #endif
186 #ifdef KRB4_ENCPWD
187 { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
188 krb4encpwd_init,
189 krb4encpwd_send,
190 krb4encpwd_is,
191 krb4encpwd_reply,
192 krb4encpwd_status,
193 krb4encpwd_printsub },
194 #endif
195 #ifdef RSA_ENCPWD
196 { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
197 rsaencpwd_init,
198 rsaencpwd_send,
199 rsaencpwd_is,
200 rsaencpwd_reply,
201 rsaencpwd_status,
202 rsaencpwd_printsub },
203 #endif
204 { 0, },
205 };
206
207 static Authenticator NoAuth = { 0 };
208
209 static int i_support = 0;
210 static int i_wont_support = 0;
211
212 Authenticator *
213 findauthenticator(int type, int way)
214 {
215 Authenticator *ap = authenticators;
216
217 while (ap->type && (ap->type != type || ap->way != way))
218 ++ap;
219 return(ap->type ? ap : 0);
220 }
221
222 void
223 auth_init(const char *name, int server)
224 {
225 Authenticator *ap = authenticators;
226
227 Server = server;
228 Name = name;
229
230 i_support = 0;
231 authenticated = 0;
232 authenticating = 0;
233 while (ap->type) {
234 if (!ap->init || (*ap->init)(ap, server)) {
235 i_support |= typemask(ap->type);
236 if (auth_debug_mode)
237 printf(">>>%s: I support auth type %d %d\r\n",
238 Name,
239 ap->type, ap->way);
240 }
241 else if (auth_debug_mode)
242 printf(">>>%s: Init failed: auth type %d %d\r\n",
243 Name, ap->type, ap->way);
244 ++ap;
245 }
246 }
247
248 void
249 auth_disable_name(char *name)
250 {
251 int x;
252 for (x = 0; x < AUTHTYPE_CNT; ++x) {
253 if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
254 i_wont_support |= typemask(x);
255 break;
256 }
257 }
258 }
259
260 int
261 getauthmask(char *type, int *maskp)
262 {
263 int x;
264
265 if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
266 *maskp = -1;
267 return(1);
268 }
269
270 for (x = 1; x < AUTHTYPE_CNT; ++x) {
271 if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
272 *maskp = typemask(x);
273 return(1);
274 }
275 }
276 return(0);
277 }
278
279 int
280 auth_enable(char *type)
281 {
282 return(auth_onoff(type, 1));
283 }
284
285 int
286 auth_disable(char *type)
287 {
288 return(auth_onoff(type, 0));
289 }
290
291 int
292 auth_onoff(char *type, int on)
293 {
294 int i, mask = -1;
295 Authenticator *ap;
296
297 if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
298 printf("auth %s 'type'\n", on ? "enable" : "disable");
299 printf("Where 'type' is one of:\n");
300 printf("\t%s\n", AUTHTYPE_NAME(0));
301 mask = 0;
302 for (ap = authenticators; ap->type; ap++) {
303 if ((mask & (i = typemask(ap->type))) != 0)
304 continue;
305 mask |= i;
306 printf("\t%s\n", AUTHTYPE_NAME(ap->type));
307 }
308 return(0);
309 }
310
311 if (!getauthmask(type, &mask)) {
312 printf("%s: invalid authentication type\n", type);
313 return(0);
314 }
315 if (on)
316 i_wont_support &= ~mask;
317 else
318 i_wont_support |= mask;
319 return(1);
320 }
321
322 int
323 auth_togdebug(int on)
324 {
325 if (on < 0)
326 auth_debug_mode ^= 1;
327 else
328 auth_debug_mode = on;
329 printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
330 return(1);
331 }
332
333 int
334 auth_status(void)
335 {
336 Authenticator *ap;
337 int i, mask;
338
339 if (i_wont_support == -1)
340 printf("Authentication disabled\n");
341 else
342 printf("Authentication enabled\n");
343
344 mask = 0;
345 for (ap = authenticators; ap->type; ap++) {
346 if ((mask & (i = typemask(ap->type))) != 0)
347 continue;
348 mask |= i;
349 printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
350 (i_wont_support & typemask(ap->type)) ?
351 "disabled" : "enabled");
352 }
353 return(1);
354 }
355
356 /*
357 * This routine is called by the server to start authentication
358 * negotiation.
359 */
360 void
361 auth_request(void)
362 {
363 static unsigned char str_request[64] = { IAC, SB,
364 TELOPT_AUTHENTICATION,
365 TELQUAL_SEND, };
366 Authenticator *ap = authenticators;
367 unsigned char *e = str_request + 4;
368
369 if (!authenticating) {
370 authenticating = 1;
371 while (ap->type) {
372 if (i_support & ~i_wont_support & typemask(ap->type)) {
373 if (auth_debug_mode) {
374 printf(">>>%s: Sending type %d %d\r\n",
375 Name, ap->type, ap->way);
376 }
377 *e++ = ap->type;
378 *e++ = ap->way;
379 }
380 ++ap;
381 }
382 *e++ = IAC;
383 *e++ = SE;
384 telnet_net_write(str_request, e - str_request);
385 printsub('>', &str_request[2], e - str_request - 2);
386 }
387 }
388
389 /*
390 * This is called when an AUTH SEND is received.
391 * It should never arrive on the server side (as only the server can
392 * send an AUTH SEND).
393 * You should probably respond to it if you can...
394 *
395 * If you want to respond to the types out of order (i.e. even
396 * if he sends LOGIN KERBEROS and you support both, you respond
397 * with KERBEROS instead of LOGIN (which is against what the
398 * protocol says)) you will have to hack this code...
399 */
400 void
401 auth_send(unsigned char *data, int cnt)
402 {
403 Authenticator *ap;
404 static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
405 TELQUAL_IS, AUTHTYPE_NULL, 0,
406 IAC, SE };
407 if (Server) {
408 if (auth_debug_mode) {
409 printf(">>>%s: auth_send called!\r\n", Name);
410 }
411 return;
412 }
413
414 if (auth_debug_mode) {
415 printf(">>>%s: auth_send got:", Name);
416 printd(data, cnt); printf("\r\n");
417 }
418
419 /*
420 * Save the data, if it is new, so that we can continue looking
421 * at it if the authorization we try doesn't work
422 */
423 if (data < _auth_send_data ||
424 data > _auth_send_data + sizeof(_auth_send_data)) {
425 auth_send_cnt = cnt > sizeof(_auth_send_data)
426 ? sizeof(_auth_send_data)
427 : cnt;
428 memmove(_auth_send_data, data, auth_send_cnt);
429 auth_send_data = _auth_send_data;
430 } else {
431 /*
432 * This is probably a no-op, but we just make sure
433 */
434 auth_send_data = data;
435 auth_send_cnt = cnt;
436 }
437 while ((auth_send_cnt -= 2) >= 0) {
438 if (auth_debug_mode)
439 printf(">>>%s: He supports %d\r\n",
440 Name, *auth_send_data);
441 if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
442 ap = findauthenticator(auth_send_data[0],
443 auth_send_data[1]);
444 if (ap && ap->send) {
445 if (auth_debug_mode)
446 printf(">>>%s: Trying %d %d\r\n",
447 Name, auth_send_data[0],
448 auth_send_data[1]);
449 if ((*ap->send)(ap)) {
450 /*
451 * Okay, we found one we like
452 * and did it.
453 * we can go home now.
454 */
455 if (auth_debug_mode)
456 printf(">>>%s: Using type %d\r\n",
457 Name, *auth_send_data);
458 auth_send_data += 2;
459 return;
460 }
461 }
462 /* else
463 * just continue on and look for the
464 * next one if we didn't do anything.
465 */
466 }
467 auth_send_data += 2;
468 }
469 telnet_net_write(str_none, sizeof(str_none));
470 printsub('>', &str_none[2], sizeof(str_none) - 2);
471 if (auth_debug_mode)
472 printf(">>>%s: Sent failure message\r\n", Name);
473 auth_finished(0, AUTH_REJECT);
474 auth_has_failed = 1;
475 #ifdef KANNAN
476 /*
477 * We requested strong authentication, however no mechanisms worked.
478 * Therefore, exit on client end.
479 */
480 printf("Unable to securely authenticate user ... exit\n");
481 exit(0);
482 #endif /* KANNAN */
483 }
484
485 void
486 auth_send_retry(void)
487 {
488 /*
489 * if auth_send_cnt <= 0 then auth_send will end up rejecting
490 * the authentication and informing the other side of this.
491 */
492 auth_send(auth_send_data, auth_send_cnt);
493 }
494
495 void
496 auth_is(unsigned char *data, int cnt)
497 {
498 Authenticator *ap;
499
500 if (cnt < 2)
501 return;
502
503 if (data[0] == AUTHTYPE_NULL) {
504 auth_finished(0, AUTH_REJECT);
505 return;
506 }
507
508 if ((ap = findauthenticator(data[0], data[1]))) {
509 if (ap->is)
510 (*ap->is)(ap, data+2, cnt-2);
511 } else if (auth_debug_mode)
512 printf(">>>%s: Invalid authentication in IS: %d\r\n",
513 Name, *data);
514 }
515
516 void
517 auth_reply(unsigned char *data, int cnt)
518 {
519 Authenticator *ap;
520
521 if (cnt < 2)
522 return;
523
524 if ((ap = findauthenticator(data[0], data[1]))) {
525 if (ap->reply)
526 (*ap->reply)(ap, data+2, cnt-2);
527 } else if (auth_debug_mode)
528 printf(">>>%s: Invalid authentication in SEND: %d\r\n",
529 Name, *data);
530 }
531
532 void
533 auth_name(unsigned char *data, int cnt)
534 {
535 char savename[256];
536
537 if (cnt < 1) {
538 if (auth_debug_mode)
539 printf(">>>%s: Empty name in NAME\r\n", Name);
540 return;
541 }
542 if (cnt > sizeof(savename) - 1) {
543 if (auth_debug_mode)
544 printf(">>>%s: Name in NAME (%d) exceeds %lu length\r\n",
545 Name, cnt, (unsigned long)(sizeof(savename)-1));
546 return;
547 }
548 memmove(savename, data, cnt);
549 savename[cnt] = '\0'; /* Null terminate */
550 if (auth_debug_mode)
551 printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
552 auth_encrypt_user(savename);
553 }
554
555 int
556 auth_sendname(unsigned char *cp, int len)
557 {
558 static unsigned char str_request[256+6]
559 = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
560 unsigned char *e = str_request + 4;
561 unsigned char *ee = &str_request[sizeof(str_request)-2];
562
563 while (--len >= 0) {
564 if ((*e++ = *cp++) == IAC)
565 *e++ = IAC;
566 if (e >= ee)
567 return(0);
568 }
569 *e++ = IAC;
570 *e++ = SE;
571 telnet_net_write(str_request, e - str_request);
572 printsub('>', &str_request[2], e - &str_request[2]);
573 return(1);
574 }
575
576 void
577 auth_finished(Authenticator *ap, int result)
578 {
579 if (!(authenticated = ap))
580 authenticated = &NoAuth;
581 validuser = result;
582 }
583
584 /* ARGSUSED */
585 static void
586 auth_intr(int sig)
587 {
588 auth_finished(0, AUTH_REJECT);
589 }
590
591 int
592 auth_wait(char *name, size_t name_sz)
593 {
594 if (auth_debug_mode)
595 printf(">>>%s: in auth_wait.\r\n", Name);
596
597 if (Server && !authenticating)
598 return(0);
599
600 signal(SIGALRM, auth_intr);
601 alarm(30);
602 while (!authenticated)
603 if (telnet_spin())
604 break;
605 alarm(0);
606 signal(SIGALRM, SIG_DFL);
607
608 /*
609 * Now check to see if the user is valid or not
610 */
611 if (!authenticated || authenticated == &NoAuth)
612 return(AUTH_REJECT);
613
614 if (validuser == AUTH_VALID)
615 validuser = AUTH_USER;
616
617 if (authenticated->status)
618 validuser = (*authenticated->status)(authenticated,
619 name, name_sz,
620 validuser);
621 return(validuser);
622 }
623
624 void
625 auth_debug(int mode)
626 {
627 auth_debug_mode = mode;
628 }
629
630 void
631 auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
632 {
633 Authenticator *ap;
634
635 if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
636 (*ap->printsub)(data, cnt, buf, buflen);
637 else
638 auth_gen_printsub(data, cnt, buf, buflen);
639 }
640
641 void
642 auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
643 {
644 unsigned char *cp;
645 unsigned char tbuf[16];
646
647 cnt -= 3;
648 data += 3;
649 buf[buflen-1] = '\0';
650 buf[buflen-2] = '*';
651 buflen -= 2;
652 for (; cnt > 0; cnt--, data++) {
653 snprintf((char*)tbuf, sizeof(tbuf), " %d", *data);
654 for (cp = tbuf; *cp && buflen > 0; --buflen)
655 *buf++ = *cp++;
656 if (buflen <= 0)
657 return;
658 }
659 *buf = '\0';
660 }
661 #endif
NetBSD on the FriendlyARM MINI2440