2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * Copyright (C) 1990 by the Massachusetts Institute of Technology
37 * Export of this software from the United States of America is assumed
38 * to require a specific license from the United States Government.
39 * It is the responsibility of any person or organization contemplating
40 * export to obtain such a license before exporting.
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of M.I.T. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission. M.I.T. makes no representations about the suitability of
50 * this software for any purpose. It is provided "as is" without express
51 * or implied warranty.
56 RCSID("$Id: auth.c,v 1.22 1999/03/11 13:48:52 joda Exp $");
58 #if defined(AUTHENTICATION)
60 #ifdef HAVE_SYS_TYPES_H
61 #include <sys/types.h>
65 #ifdef HAVE_ARPA_TELNET_H
66 #include <arpa/telnet.h>
79 #include "misc-proto.h"
80 #include "auth-proto.h"
82 #define typemask(x) (1<<((x)-1))
85 extern krb4encpwd_init();
86 extern krb4encpwd_send();
87 extern krb4encpwd_is();
88 extern krb4encpwd_reply();
89 extern krb4encpwd_status();
90 extern krb4encpwd_printsub();
94 extern rsaencpwd_init();
95 extern rsaencpwd_send();
96 extern rsaencpwd_is();
97 extern rsaencpwd_reply();
98 extern rsaencpwd_status();
99 extern rsaencpwd_printsub();
102 int auth_debug_mode = 0;
103 static char *Name = "Noname";
104 static int Server = 0;
105 static Authenticator *authenticated = 0;
106 static int authenticating = 0;
107 static int validuser = 0;
108 static unsigned char _auth_send_data[256];
109 static unsigned char *auth_send_data;
110 static int auth_send_cnt = 0;
113 * Authentication types supported. Plese note that these are stored
114 * in priority order, i.e. try the first one first.
116 Authenticator authenticators[] = {
118 { AUTHTYPE_UNSAFE, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
127 { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
136 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
143 { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
152 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
154 kerberos5_send_mutual,
158 kerberos5_printsub },
159 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
161 kerberos5_send_oneway,
165 kerberos5_printsub },
168 { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
170 kerberos4_send_mutual,
174 kerberos4_printsub },
175 { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
177 kerberos4_send_oneway,
181 kerberos4_printsub },
184 { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
190 krb4encpwd_printsub },
193 { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
199 rsaencpwd_printsub },
204 static Authenticator NoAuth = { 0 };
206 static int i_support = 0;
207 static int i_wont_support = 0;
210 findauthenticator(int type, int way)
212 Authenticator *ap = authenticators;
214 while (ap->type && (ap->type != type || ap->way != way))
216 return(ap->type ? ap : 0);
220 auth_init(char *name, int server)
222 Authenticator *ap = authenticators;
231 if (!ap->init || (*ap->init)(ap, server)) {
232 i_support |= typemask(ap->type);
234 printf(">>>%s: I support auth type %d %d\r\n",
238 else if (auth_debug_mode)
239 printf(">>>%s: Init failed: auth type %d %d\r\n",
240 Name, ap->type, ap->way);
246 auth_disable_name(char *name)
249 for (x = 0; x < AUTHTYPE_CNT; ++x) {
250 if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
251 i_wont_support |= typemask(x);
258 getauthmask(char *type, int *maskp)
262 if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
267 for (x = 1; x < AUTHTYPE_CNT; ++x) {
268 if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
269 *maskp = typemask(x);
277 auth_enable(char *type)
279 return(auth_onoff(type, 1));
283 auth_disable(char *type)
285 return(auth_onoff(type, 0));
289 auth_onoff(char *type, int on)
294 if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
295 printf("auth %s 'type'\n", on ? "enable" : "disable");
296 printf("Where 'type' is one of:\n");
297 printf("\t%s\n", AUTHTYPE_NAME(0));
299 for (ap = authenticators; ap->type; ap++) {
300 if ((mask & (i = typemask(ap->type))) != 0)
303 printf("\t%s\n", AUTHTYPE_NAME(ap->type));
308 if (!getauthmask(type, &mask)) {
309 printf("%s: invalid authentication type\n", type);
313 i_wont_support &= ~mask;
315 i_wont_support |= mask;
320 auth_togdebug(int on)
323 auth_debug_mode ^= 1;
325 auth_debug_mode = on;
326 printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
336 if (i_wont_support == -1)
337 printf("Authentication disabled\n");
339 printf("Authentication enabled\n");
342 for (ap = authenticators; ap->type; ap++) {
343 if ((mask & (i = typemask(ap->type))) != 0)
346 printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
347 (i_wont_support & typemask(ap->type)) ?
348 "disabled" : "enabled");
354 * This routine is called by the server to start authentication
360 static unsigned char str_request[64] = { IAC, SB,
361 TELOPT_AUTHENTICATION,
363 Authenticator *ap = authenticators;
364 unsigned char *e = str_request + 4;
366 if (!authenticating) {
369 if (i_support & ~i_wont_support & typemask(ap->type)) {
370 if (auth_debug_mode) {
371 printf(">>>%s: Sending type %d %d\r\n",
372 Name, ap->type, ap->way);
381 telnet_net_write(str_request, e - str_request);
382 printsub('>', &str_request[2], e - str_request - 2);
387 * This is called when an AUTH SEND is received.
388 * It should never arrive on the server side (as only the server can
389 * send an AUTH SEND).
390 * You should probably respond to it if you can...
392 * If you want to respond to the types out of order (i.e. even
393 * if he sends LOGIN KERBEROS and you support both, you respond
394 * with KERBEROS instead of LOGIN (which is against what the
395 * protocol says)) you will have to hack this code...
398 auth_send(unsigned char *data, int cnt)
401 static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
402 TELQUAL_IS, AUTHTYPE_NULL, 0,
405 if (auth_debug_mode) {
406 printf(">>>%s: auth_send called!\r\n", Name);
411 if (auth_debug_mode) {
412 printf(">>>%s: auth_send got:", Name);
413 printd(data, cnt); printf("\r\n");
417 * Save the data, if it is new, so that we can continue looking
418 * at it if the authorization we try doesn't work
420 if (data < _auth_send_data ||
421 data > _auth_send_data + sizeof(_auth_send_data)) {
422 auth_send_cnt = cnt > sizeof(_auth_send_data)
423 ? sizeof(_auth_send_data)
425 memmove(_auth_send_data, data, auth_send_cnt);
426 auth_send_data = _auth_send_data;
429 * This is probably a no-op, but we just make sure
431 auth_send_data = data;
434 while ((auth_send_cnt -= 2) >= 0) {
436 printf(">>>%s: He supports %d\r\n",
437 Name, *auth_send_data);
438 if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
439 ap = findauthenticator(auth_send_data[0],
441 if (ap && ap->send) {
443 printf(">>>%s: Trying %d %d\r\n",
444 Name, auth_send_data[0],
446 if ((*ap->send)(ap)) {
448 * Okay, we found one we like
450 * we can go home now.
453 printf(">>>%s: Using type %d\r\n",
454 Name, *auth_send_data);
460 * just continue on and look for the
461 * next one if we didn't do anything.
466 telnet_net_write(str_none, sizeof(str_none));
467 printsub('>', &str_none[2], sizeof(str_none) - 2);
469 printf(">>>%s: Sent failure message\r\n", Name);
470 auth_finished(0, AUTH_REJECT);
473 * We requested strong authentication, however no mechanisms worked.
474 * Therefore, exit on client end.
476 printf("Unable to securely authenticate user ... exit\n");
482 auth_send_retry(void)
485 * if auth_send_cnt <= 0 then auth_send will end up rejecting
486 * the authentication and informing the other side of this.
488 auth_send(auth_send_data, auth_send_cnt);
492 auth_is(unsigned char *data, int cnt)
499 if (data[0] == AUTHTYPE_NULL) {
500 auth_finished(0, AUTH_REJECT);
504 if ((ap = findauthenticator(data[0], data[1]))) {
506 (*ap->is)(ap, data+2, cnt-2);
507 } else if (auth_debug_mode)
508 printf(">>>%s: Invalid authentication in IS: %d\r\n",
513 auth_reply(unsigned char *data, int cnt)
520 if ((ap = findauthenticator(data[0], data[1]))) {
522 (*ap->reply)(ap, data+2, cnt-2);
523 } else if (auth_debug_mode)
524 printf(">>>%s: Invalid authentication in SEND: %d\r\n",
529 auth_name(unsigned char *data, int cnt)
535 printf(">>>%s: Empty name in NAME\r\n", Name);
538 if (cnt > sizeof(savename) - 1) {
540 printf(">>>%s: Name in NAME (%d) exceeds %lu length\r\n",
541 Name, cnt, (unsigned long)(sizeof(savename)-1));
544 memmove(savename, data, cnt);
545 savename[cnt] = '\0'; /* Null terminate */
547 printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
548 auth_encrypt_user(savename);
552 auth_sendname(unsigned char *cp, int len)
554 static unsigned char str_request[256+6]
555 = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
556 unsigned char *e = str_request + 4;
557 unsigned char *ee = &str_request[sizeof(str_request)-2];
560 if ((*e++ = *cp++) == IAC)
567 telnet_net_write(str_request, e - str_request);
568 printsub('>', &str_request[2], e - &str_request[2]);
573 auth_finished(Authenticator *ap, int result)
575 if (!(authenticated = ap))
576 authenticated = &NoAuth;
584 auth_finished(0, AUTH_REJECT);
588 auth_wait(char *name, size_t name_sz)
591 printf(">>>%s: in auth_wait.\r\n", Name);
593 if (Server && !authenticating)
596 signal(SIGALRM, auth_intr);
598 while (!authenticated)
602 signal(SIGALRM, SIG_DFL);
605 * Now check to see if the user is valid or not
607 if (!authenticated || authenticated == &NoAuth)
610 if (validuser == AUTH_VALID)
611 validuser = AUTH_USER;
613 if (authenticated->status)
614 validuser = (*authenticated->status)(authenticated,
623 auth_debug_mode = mode;
627 auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
631 if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
632 (*ap->printsub)(data, cnt, buf, buflen);
634 auth_gen_printsub(data, cnt, buf, buflen);
638 auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
641 unsigned char tbuf[16];
645 buf[buflen-1] = '\0';
648 for (; cnt > 0; cnt--, data++) {
649 snprintf(tbuf, sizeof(tbuf), " %d", *data);
650 for (cp = tbuf; *cp && buflen > 0; --buflen)