2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the University nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * $FreeBSD: src/crypto/telnet/libtelnet/auth.c,v 1.3.2.5 2002/04/13 10:59:07 markm Exp $
31 * @(#)auth.c 8.3 (Berkeley) 5/30/95
32 * $FreeBSD: src/crypto/telnet/libtelnet/auth.c,v 1.3.2.5 2002/04/13 10:59:07 markm Exp $
36 * Copyright (C) 1990 by the Massachusetts Institute of Technology
38 * Export of this software from the United States of America is assumed
39 * to require a specific license from the United States Government.
40 * It is the responsibility of any person or organization contemplating
41 * export to obtain such a license before exporting.
43 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
44 * distribute this software and its documentation for any purpose and
45 * without fee is hereby granted, provided that the above copyright
46 * notice appear in all copies and that both that copyright notice and
47 * this permission notice appear in supporting documentation, and that
48 * the name of M.I.T. not be used in advertising or publicity pertaining
49 * to distribution of the software without specific, written prior
50 * permission. M.I.T. makes no representations about the suitability of
51 * this software for any purpose. It is provided "as is" without express
52 * or implied warranty.
58 #include <sys/types.h>
64 #include <arpa/telnet.h>
68 #include "misc-proto.h"
69 #include "auth-proto.h"
71 #define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0)
74 extern krb4encpwd_init();
75 extern krb4encpwd_send();
76 extern krb4encpwd_is();
77 extern krb4encpwd_reply();
78 extern krb4encpwd_status();
79 extern krb4encpwd_printsub();
83 extern rsaencpwd_init();
84 extern rsaencpwd_send();
85 extern rsaencpwd_is();
86 extern rsaencpwd_reply();
87 extern rsaencpwd_status();
88 extern rsaencpwd_printsub();
91 int auth_debug_mode = 0;
92 static const char *Name = "Noname";
93 static int Server = 0;
94 static Authenticator *authenticated = NULL;
95 static int authenticating = 0;
96 static int validuser = 0;
97 static unsigned char _auth_send_data[256];
98 static unsigned char *auth_send_data;
99 static int auth_send_cnt = 0;
101 int auth_onoff(char *type, int on);
102 void auth_encrypt_user(char *name);
105 * Authentication types supported. Plese note that these are stored
106 * in priority order, i.e. try the first one first.
108 Authenticator authenticators[] = {
111 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
113 kerberos5_send_mutual,
117 kerberos5_printsub },
118 # endif /* ENCRYPTION */
119 { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
121 kerberos5_send_oneway,
125 kerberos5_printsub },
129 { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
135 kerberos4_printsub },
136 # endif /* ENCRYPTION */
137 { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
143 kerberos4_printsub },
146 { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
152 krb4encpwd_printsub },
155 { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
161 rsaencpwd_printsub },
164 { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
173 { 0, 0, 0, 0, 0, 0, 0, 0 },
176 static Authenticator NoAuth = { 0, 0, 0, 0, 0, 0, 0, 0 };
178 static int i_support = 0;
179 static int i_wont_support = 0;
182 findauthenticator(int type, int way)
184 Authenticator *ap = authenticators;
186 while (ap->type && (ap->type != type || ap->way != way))
188 return(ap->type ? ap : 0);
192 auth_init(const char *name, int server)
194 Authenticator *ap = authenticators;
200 authenticated = NULL;
203 if (!ap->init || (*ap->init)(ap, server)) {
204 i_support |= typemask(ap->type);
206 printf(">>>%s: I support auth type %d %d\r\n",
210 else if (auth_debug_mode)
211 printf(">>>%s: Init failed: auth type %d %d\r\n",
212 Name, ap->type, ap->way);
218 auth_disable_name(char *name)
221 for (x = 0; x < AUTHTYPE_CNT; ++x) {
222 if (AUTHTYPE_NAME(x) && !strcasecmp(name, AUTHTYPE_NAME(x))) {
223 i_wont_support |= typemask(x);
230 getauthmask(char *type, int *maskp)
234 if (AUTHTYPE_NAME(0) && !strcasecmp(type, AUTHTYPE_NAME(0))) {
239 for (x = 1; x < AUTHTYPE_CNT; ++x) {
240 if (AUTHTYPE_NAME(x) && !strcasecmp(type, AUTHTYPE_NAME(x))) {
241 *maskp = typemask(x);
249 auth_enable(char *type)
251 return(auth_onoff(type, 1));
255 auth_disable(char *type)
257 return(auth_onoff(type, 0));
261 auth_onoff(char *type, int on)
266 if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
267 printf("auth %s 'type'\n", on ? "enable" : "disable");
268 printf("Where 'type' is one of:\n");
269 printf("\t%s\n", AUTHTYPE_NAME(0));
271 for (ap = authenticators; ap->type; ap++) {
272 if ((mask & (i = typemask(ap->type))) != 0)
275 printf("\t%s\n", AUTHTYPE_NAME(ap->type));
280 if (!getauthmask(type, &mask)) {
281 printf("%s: invalid authentication type\n", type);
285 i_wont_support &= ~mask;
287 i_wont_support |= mask;
292 auth_togdebug(int on)
295 auth_debug_mode ^= 1;
297 auth_debug_mode = on;
298 printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
308 if (i_wont_support == -1)
309 printf("Authentication disabled\n");
311 printf("Authentication enabled\n");
314 for (ap = authenticators; ap->type; ap++) {
315 if ((mask & (i = typemask(ap->type))) != 0)
318 printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
319 (i_wont_support & typemask(ap->type)) ?
320 "disabled" : "enabled");
326 * This routine is called by the server to start authentication
332 static unsigned char str_request[64] = { IAC, SB,
333 TELOPT_AUTHENTICATION,
335 Authenticator *ap = authenticators;
336 unsigned char *e = str_request + 4;
338 if (!authenticating) {
341 if (i_support & ~i_wont_support & typemask(ap->type)) {
342 if (auth_debug_mode) {
343 printf(">>>%s: Sending type %d %d\r\n",
344 Name, ap->type, ap->way);
353 net_write(str_request, e - str_request);
354 printsub('>', &str_request[2], e - str_request - 2);
359 * This is called when an AUTH SEND is received.
360 * It should never arrive on the server side (as only the server can
361 * send an AUTH SEND).
362 * You should probably respond to it if you can...
364 * If you want to respond to the types out of order (i.e. even
365 * if he sends LOGIN KERBEROS and you support both, you respond
366 * with KERBEROS instead of LOGIN (which is against what the
367 * protocol says)) you will have to hack this code...
370 auth_send(unsigned char *data, int cnt)
373 static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
374 TELQUAL_IS, AUTHTYPE_NULL, 0,
377 if (auth_debug_mode) {
378 printf(">>>%s: auth_send called!\r\n", Name);
383 if (auth_debug_mode) {
384 printf(">>>%s: auth_send got:", Name);
385 printd(data, cnt); printf("\r\n");
389 * Save the data, if it is new, so that we can continue looking
390 * at it if the authorization we try doesn't work
392 if (data < _auth_send_data ||
393 data > _auth_send_data + sizeof(_auth_send_data)) {
394 auth_send_cnt = (size_t)cnt > sizeof(_auth_send_data)
395 ? sizeof(_auth_send_data)
397 memmove((void *)_auth_send_data, (void *)data, auth_send_cnt);
398 auth_send_data = _auth_send_data;
401 * This is probably a no-op, but we just make sure
403 auth_send_data = data;
406 while ((auth_send_cnt -= 2) >= 0) {
408 printf(">>>%s: He supports %d\r\n",
409 Name, *auth_send_data);
410 if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
411 ap = findauthenticator(auth_send_data[0],
413 if (ap && ap->send) {
415 printf(">>>%s: Trying %d %d\r\n",
416 Name, auth_send_data[0],
418 if ((*ap->send)(ap)) {
420 * Okay, we found one we like
422 * we can go home now.
425 printf(">>>%s: Using type %d\r\n",
426 Name, *auth_send_data);
432 * just continue on and look for the
433 * next one if we didn't do anything.
438 net_write(str_none, sizeof(str_none));
439 printsub('>', &str_none[2], sizeof(str_none) - 2);
441 printf(">>>%s: Sent failure message\r\n", Name);
442 auth_finished(0, AUTH_REJECT);
446 auth_send_retry(void)
449 * if auth_send_cnt <= 0 then auth_send will end up rejecting
450 * the authentication and informing the other side of this.
452 auth_send(auth_send_data, auth_send_cnt);
456 auth_is(unsigned char *data, int cnt)
463 if (data[0] == AUTHTYPE_NULL) {
464 auth_finished(0, AUTH_REJECT);
468 if ((ap = findauthenticator(data[0], data[1]))) {
470 (*ap->is)(ap, data+2, cnt-2);
471 } else if (auth_debug_mode)
472 printf(">>>%s: Invalid authentication in IS: %d\r\n",
477 auth_reply(unsigned char *data, int cnt)
484 if ((ap = findauthenticator(data[0], data[1]))) {
486 (*ap->reply)(ap, data+2, cnt-2);
487 } else if (auth_debug_mode)
488 printf(">>>%s: Invalid authentication in SEND: %d\r\n",
493 auth_name(unsigned char *data, int cnt)
495 unsigned char savename[256];
499 printf(">>>%s: Empty name in NAME\r\n", Name);
502 if ((size_t)cnt > sizeof(savename) - 1) {
504 printf(">>>%s: Name in NAME (%d) exceeds %d length\r\n",
505 Name, cnt, (u_int)sizeof(savename)-1);
508 memmove((void *)savename, (void *)data, cnt);
509 savename[cnt] = '\0'; /* Null terminate */
511 printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
512 auth_encrypt_user(savename);
516 auth_sendname(unsigned char *cp, int len)
518 static unsigned char str_request[256+6]
519 = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
520 unsigned char *e = str_request + 4;
521 unsigned char *ee = &str_request[sizeof(str_request)-2];
524 if ((*e++ = *cp++) == IAC)
531 net_write(str_request, e - str_request);
532 printsub('>', &str_request[2], e - &str_request[2]);
537 auth_finished(Authenticator *ap, int result)
539 if (!(authenticated = ap))
540 authenticated = &NoAuth;
546 auth_intr(int sig __unused)
548 auth_finished(0, AUTH_REJECT);
552 auth_wait(char *name)
555 printf(">>>%s: in auth_wait.\r\n", Name);
557 if (Server && !authenticating)
560 (void) signal(SIGALRM, auth_intr);
562 while (!authenticated)
566 (void) signal(SIGALRM, SIG_DFL);
569 * Now check to see if the user is valid or not
571 if (!authenticated || authenticated == &NoAuth)
574 if (validuser == AUTH_VALID)
575 validuser = AUTH_USER;
577 if (authenticated->status)
578 validuser = (*authenticated->status)(authenticated,
584 auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
588 if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
589 (*ap->printsub)(data, cnt, buf, buflen);
591 auth_gen_printsub(data, cnt, buf, buflen);
595 auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
598 unsigned char tbuf[16];
602 buf[buflen-1] = '\0';
605 for (; cnt > 0; cnt--, data++) {
606 sprintf((char *)tbuf, " %d", *data);
607 for (cp = tbuf; *cp && buflen > 0; --buflen)