[unix-history] / lib / libtelnet / auth.c

/*-
 * Copyright (c) 1991 The Regents of the University of California.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef lint
static char sccsid[] = "@(#)auth.c	5.2 (Berkeley) 3/22/91";
#endif /* not lint */

/*
 * Copyright (C) 1990 by the Massachusetts Institute of Technology
 *
 * Export of this software from the United States of America is assumed
 * to require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  M.I.T. makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 */


#if	defined(AUTHENTICATE)
#include <stdio.h>
#include <sys/types.h>
#include <signal.h>
#define	AUTH_NAMES
#include <arpa/telnet.h>
#ifdef	__STDC__
#include <stdlib.h>
#endif
#ifdef	NO_STRING_H
#include <strings.h>
#else
#include <string.h>
#endif

#include "encrypt.h"
#include "auth.h"
#include "misc-proto.h"
#include "auth-proto.h"

#define	typemask(x)		(1<<((x)-1))

int auth_debug_mode = 0;
static 	char	*Name = "Noname";
static	int	Server = 0;
static	Authenticator	*authenticated = 0;
static	int	authenticating = 0;
static	int	validuser = 0;
static	unsigned char	_auth_send_data[256];
static	unsigned char	*auth_send_data;
static	int	auth_send_cnt = 0;

/*
 * Authentication types supported.  Plese note that these are stored
 * in priority order, i.e. try the first one first.
 */
Authenticator authenticators[] = {
#ifdef	KRB5
	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
				kerberos5_init,
				kerberos5_send,
				kerberos5_is,
				kerberos5_reply,
				kerberos5_status,
				kerberos5_printsub },
	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
				kerberos5_init,
				kerberos5_send,
				kerberos5_is,
				kerberos5_reply,
				kerberos5_status,
				kerberos5_printsub },
#endif
#ifdef	KRB4
	{ AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
				kerberos4_init,
				kerberos4_send,
				kerberos4_is,
				kerberos4_reply,
				kerberos4_status,
				kerberos4_printsub },
	{ AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
				kerberos4_init,
				kerberos4_send,
				kerberos4_is,
				kerberos4_reply,
				kerberos4_status,
				kerberos4_printsub },
#endif
	{ 0, },
};

static Authenticator NoAuth = { 0 };

static int	i_support = 0;
static int	i_wont_support = 0;

	Authenticator *
findauthenticator(type, way)
	int type;
	int way;
{
	Authenticator *ap = authenticators;

	while (ap->type && (ap->type != type || ap->way != way))
		++ap;
	return(ap->type ? ap : 0);
}

	void
auth_init(name, server)
	char *name;
	int server;
{
	Authenticator *ap = authenticators;

	Server = server;
	Name = name;

	i_support = 0;
	authenticated = 0;
	authenticating = 0;
	while (ap->type) {
		if (!ap->init || (*ap->init)(ap, server)) {
			i_support |= typemask(ap->type);
			if (auth_debug_mode)
				printf(">>>%s: I support auth type %d %d\r\n",
					Name,
					ap->type, ap->way);
		}
		++ap;
	}
}

	void
auth_disable_name(name)
	char *name;
{
	int x;
	for (x = 0; x < AUTHTYPE_CNT; ++x) {
		if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
			i_wont_support |= typemask(x);
			break;
		}
	}
}

	int
getauthmask(type, maskp)
	char *type;
	int *maskp;
{
	register int x;

	if (strcasecmp(type, AUTHTYPE_NAME(0))) {
		*maskp = -1;
		return(1);
	}

	for (x = 1; x < AUTHTYPE_CNT; ++x) {
		if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
			*maskp = typemask(x);
			return(1);
		}
	}
	return(0);
}

	int
auth_enable(type)
	int type;
{
	return(auth_onoff(type, 1));
}

	int
auth_disable(type)
	int type;
{
	return(auth_onoff(type, 0));
}

	int
auth_onoff(type, on)
	char *type;
	int on;
{
	int mask = -1;
	Authenticator *ap;

	if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
                printf("auth %s 'type'\n", on ? "enable" : "disable");
		printf("Where 'type' is one of:\n");
		printf("\t%s\n", AUTHTYPE_NAME(0));
		for (ap = authenticators; ap->type; ap++)
			printf("\t%s\n", AUTHTYPE_NAME(ap->type));
		return(0);
	}

	if (!getauthmask(type, &mask)) {
		printf("%s: invalid authentication type\n", type);
		return(0);
	}
	mask = getauthmask(type, &mask);
	if (on)
		i_wont_support &= ~mask;
	else
		i_wont_support |= mask;
	return(1);
}

	int
auth_togdebug(on)
	int on;
{
	if (on < 0)
		auth_debug_mode ^= 1;
	else
		auth_debug_mode = on;
	printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
	return(1);
}

	int
auth_status()
{
	Authenticator *ap;

	if (i_wont_support == -1)
		printf("Authentication disabled\n");
	else
		printf("Authentication enabled\n");

	for (ap = authenticators; ap->type; ap++)
		printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
			(i_wont_support & typemask(ap->type)) ?
					"disabled" : "enabled");
	return(1);
}

/*
 * This routine is called by the server to start authentication
 * negotiation.
 */
	void
auth_request()
{
	static unsigned char str_request[64] = { IAC, SB,
						 TELOPT_AUTHENTICATION,
						 TELQUAL_SEND, };
	Authenticator *ap = authenticators;
	unsigned char *e = str_request + 4;

	if (!authenticating) {
		authenticating = 1;
		while (ap->type) {
			if (i_support & ~i_wont_support & typemask(ap->type)) {
				if (auth_debug_mode) {
					printf(">>>%s: Sending type %d %d\r\n",
						Name, ap->type, ap->way);
				}
				*e++ = ap->type;
				*e++ = ap->way;
			}
			++ap;
		}
		*e++ = IAC;
		*e++ = SE;
		net_write(str_request, e - str_request);
		printsub('>', &str_request[2], e - str_request - 2);
	}
}

/*
 * This is called when an AUTH SEND is received.
 * It should never arrive on the server side (as only the server can
 * send an AUTH SEND).
 * You should probably respond to it if you can...
 *
 * If you want to respond to the types out of order (i.e. even
 * if he sends  LOGIN KERBEROS and you support both, you respond
 * with KERBEROS instead of LOGIN (which is against what the
 * protocol says)) you will have to hack this code...
 */
	void
auth_send(data, cnt)
	unsigned char *data;
	int cnt;
{
	Authenticator *ap;
	static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
					    TELQUAL_IS, AUTHTYPE_NULL, 0,
					    IAC, SE };
	if (Server) {
		if (auth_debug_mode) {
			printf(">>>%s: auth_send called!\r\n", Name);
		}
		return;
	}

	if (auth_debug_mode) {
		printf(">>>%s: auth_send got:", Name);
		printd(data, cnt); printf("\r\n");
	}

	/*
	 * Save the data, if it is new, so that we can continue looking
	 * at it if the authorization we try doesn't work
	 */
	if (data < _auth_send_data ||
	    data > _auth_send_data + sizeof(_auth_send_data)) {
		auth_send_cnt = cnt > sizeof(_auth_send_data)
					? sizeof(_auth_send_data)
					: cnt;
		bcopy((void *)data, (void *)_auth_send_data, auth_send_cnt);
		auth_send_data = _auth_send_data;
	} else {
		/*
		 * This is probably a no-op, but we just make sure
		 */
		auth_send_data = data;
		auth_send_cnt = cnt;
	}
	while ((auth_send_cnt -= 2) >= 0) {
		if (auth_debug_mode)
			printf(">>>%s: He supports %d\r\n",
				Name, *auth_send_data);
		if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
			ap = findauthenticator(auth_send_data[0],
					       auth_send_data[1]);
			if (!ap) {
				printf("Internal state error: cannot find authentication type %d a second time\r\n", *auth_send_data);
			} else if (ap->send) {
				if (auth_debug_mode)
					printf(">>>%s: Trying %d %d\r\n",
						Name, auth_send_data[0],
							auth_send_data[1]);
				if ((*ap->send)(ap)) {
					/*
					 * Okay, we found one we like
					 * and did it.
					 * we can go home now.
					 */
					if (auth_debug_mode)
						printf(">>>%s: Using type %d\r\n",
							Name, *auth_send_data);
					auth_send_data += 2;
					return;
				}
			}
			/* else
			 *	just continue on and look for the
			 *	next one if we didn't do anything.
			 */
		}
		auth_send_data += 2;
	}
	net_write(str_none, sizeof(str_none));
	printsub('>', &str_none[2], sizeof(str_none) - 2);
	if (auth_debug_mode)
		printf(">>>%s: Sent failure message\r\n", Name);
	auth_finished(0, AUTH_REJECT);
}

	void
auth_send_retry()
{
	/*
	 * if auth_send_cnt <= 0 then auth_send will end up rejecting
	 * the authentication and informing the other side of this.
	 */
	auth_send(auth_send_data, auth_send_cnt);
}

	void
auth_is(data, cnt)
	unsigned char *data;
	int cnt;
{
	Authenticator *ap;

	if (cnt < 2)
		return;

	if (data[0] == AUTHTYPE_NULL) {
		auth_finished(0, AUTH_REJECT);
		return;
	}

	if (ap = findauthenticator(data[0], data[1])) {
		if (ap->is)
			(*ap->is)(ap, data+2, cnt-2);
	} else if (auth_debug_mode)
		printf(">>>%s: Invalid authentication in IS: %d\r\n",
			Name, *data);
}

	void
auth_reply(data, cnt)
	unsigned char *data;
	int cnt;
{
	Authenticator *ap;

	if (cnt < 2)
		return;

	if (ap = findauthenticator(data[0], data[1])) {
		if (ap->reply)
			(*ap->reply)(ap, data+2, cnt-2);
	} else if (auth_debug_mode)
		printf(">>>%s: Invalid authentication in SEND: %d\r\n",
			Name, *data);
}

	void
auth_name(data, cnt)
	unsigned char *data;
	int cnt;
{
	Authenticator *ap;
	unsigned char savename[256];

	if (cnt < 1) {
		if (auth_debug_mode)
			printf(">>>%s: Empty name in NAME\r\n", Name);
		return;
	}
	if (cnt > sizeof(savename) - 1) {
		if (auth_debug_mode)
			printf(">>>%s: Name in NAME (%d) exceeds %d length\r\n",
					Name, cnt, sizeof(savename)-1);
		return;
	}
	bcopy((void *)data, (void *)savename, cnt);
	savename[cnt] = '\0';	/* Null terminate */
	if (auth_debug_mode)
		printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
	auth_encrypt_user(savename);
}

	int
auth_sendname(cp, len)
	unsigned char *cp;
	int len;
{
	static unsigned char str_request[256+6]
			= { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
	register unsigned char *e = str_request + 4;
	register unsigned char *ee = &str_request[sizeof(str_request)-2];

	while (--len >= 0) {
		if ((*e++ = *cp++) == IAC)
			*e++ = IAC;
		if (e >= ee)
			return(0);
	}
	*e++ = IAC;
	*e++ = SE;
	net_write(str_request, e - str_request);
	printsub('>', &str_request[2], e - &str_request[2]);
	return(1);
}

	void
auth_finished(ap, result)
	Authenticator *ap;
	int result;
{
	if (!(authenticated = ap))
		authenticated = &NoAuth;
	validuser = result;
}

	/* ARGSUSED */
	static void
auth_intr(sig)
	int sig;
{
	auth_finished(0, AUTH_REJECT);
}

	int
auth_wait(name)
	char *name;
{
	if (auth_debug_mode)
		printf(">>>%s: in auth_wait.\r\n", Name);

	if (Server && !authenticating)
		return(0);

	(void) signal(SIGALRM, auth_intr);
	alarm(30);
	while (!authenticated)
		if (telnet_spin())
			break;
	alarm(0);
	(void) signal(SIGALRM, SIG_DFL);

	/*
	 * Now check to see if the user is valid or not
	 */
	if (!authenticated || authenticated == &NoAuth)
		return(AUTH_REJECT);

	if (validuser == AUTH_VALID)
		validuser = AUTH_USER;

	if (authenticated->status)
		validuser = (*authenticated->status)(authenticated,
						     name, validuser);
	return(validuser);
}

	void
auth_debug(mode)
	int mode;
{
	auth_debug_mode = mode;
}

	void
auth_printsub(data, cnt, buf, buflen)
	unsigned char *data, *buf;
	int cnt, buflen;
{
	Authenticator *ap;

	if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
		(*ap->printsub)(data, cnt, buf, buflen);
	else
		auth_gen_printsub(data, cnt, buf, buflen);
}

	void
auth_gen_printsub(data, cnt, buf, buflen)
	unsigned char *data, *buf;
	int cnt, buflen;
{
	register unsigned char *cp;
	unsigned char tbuf[16];

	cnt -= 3;
	data += 3;
	buf[buflen-1] = '\0';
	buf[buflen-2] = '*';
	buflen -= 2;
	for (; cnt > 0; cnt--, data++) {
		sprintf((char *)tbuf, " %d", *data);
		for (cp = tbuf; *cp && buflen > 0; --buflen)
			*buf++ = *cp++;
		if (buflen <= 0)
			return;
	}
	*buf = '\0';
}
#endif
Commit	Line	Data
15637ed4 RG	1	/*-
	2	* Copyright (c) 1991 The Regents of the University of California.
	3	* All rights reserved.
	4	*
	5	* Redistribution and use in source and binary forms, with or without
	6	* modification, are permitted provided that the following conditions
	7	* are met:
	8	* 1. Redistributions of source code must retain the above copyright
	9	* notice, this list of conditions and the following disclaimer.
	10	* 2. Redistributions in binary form must reproduce the above copyright
	11	* notice, this list of conditions and the following disclaimer in the
	12	* documentation and/or other materials provided with the distribution.
	13	* 3. All advertising materials mentioning features or use of this software
	14	* must display the following acknowledgement:
	15	* This product includes software developed by the University of
	16	* California, Berkeley and its contributors.
	17	* 4. Neither the name of the University nor the names of its contributors
	18	* may be used to endorse or promote products derived from this software
	19	* without specific prior written permission.
	20	*
	21	* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
	22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	24	* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
	25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	31	* SUCH DAMAGE.
	32	*/
	33
	34	#ifndef lint
	35	static char sccsid[] = "@(#)auth.c 5.2 (Berkeley) 3/22/91";
	36	#endif /* not lint */
	37
	38	/*
	39	* Copyright (C) 1990 by the Massachusetts Institute of Technology
	40	*
	41	* Export of this software from the United States of America is assumed
	42	* to require a specific license from the United States Government.
	43	* It is the responsibility of any person or organization contemplating
	44	* export to obtain such a license before exporting.
	45	*
	46	* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
	47	* distribute this software and its documentation for any purpose and
	48	* without fee is hereby granted, provided that the above copyright
	49	* notice appear in all copies and that both that copyright notice and
	50	* this permission notice appear in supporting documentation, and that
	51	* the name of M.I.T. not be used in advertising or publicity pertaining
	52	* to distribution of the software without specific, written prior
	53	* permission. M.I.T. makes no representations about the suitability of
	54	* this software for any purpose. It is provided "as is" without express
	55	* or implied warranty.
	56	*/
	57
	58
	59	#if defined(AUTHENTICATE)
	60	#include <stdio.h>
	61	#include <sys/types.h>
	62	#include <signal.h>
	63	#define AUTH_NAMES
	64	#include <arpa/telnet.h>
65	#ifdef __STDC__
66	#include <stdlib.h>
67	#endif
68	#ifdef NO_STRING_H
69	#include <strings.h>
70	#else
71	#include <string.h>
72	#endif
73
74	#include "encrypt.h"
75	#include "auth.h"
76	#include "misc-proto.h"
77	#include "auth-proto.h"
78
79	#define typemask(x) (1<<((x)-1))
80
81	int auth_debug_mode = 0;
82	static char *Name = "Noname";
83	static int Server = 0;
84	static Authenticator *authenticated = 0;
85	static int authenticating = 0;
86	static int validuser = 0;
87	static unsigned char _auth_send_data[256];
88	static unsigned char *auth_send_data;
89	static int auth_send_cnt = 0;
90
91	/*
92	* Authentication types supported. Plese note that these are stored
93	* in priority order, i.e. try the first one first.
94	*/
95	Authenticator authenticators[] = {
96	#ifdef KRB5
97	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT\|AUTH_HOW_MUTUAL,
98	kerberos5_init,
99	kerberos5_send,
100	kerberos5_is,
101	kerberos5_reply,
102	kerberos5_status,
103	kerberos5_printsub },
104	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT\|AUTH_HOW_ONE_WAY,
105	kerberos5_init,
106	kerberos5_send,
107	kerberos5_is,
108	kerberos5_reply,
109	kerberos5_status,
110	kerberos5_printsub },
111	#endif
112	#ifdef KRB4
113	{ AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT\|AUTH_HOW_MUTUAL,
114	kerberos4_init,
115	kerberos4_send,
116	kerberos4_is,
117	kerberos4_reply,
118	kerberos4_status,
119	kerberos4_printsub },
120	{ AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT\|AUTH_HOW_ONE_WAY,
121	kerberos4_init,
122	kerberos4_send,
123	kerberos4_is,
124	kerberos4_reply,
125	kerberos4_status,
126	kerberos4_printsub },
127	#endif
128	{ 0, },
129	};
130
131	static Authenticator NoAuth = { 0 };
132
133	static int i_support = 0;
134	static int i_wont_support = 0;
135
136	Authenticator *
137	findauthenticator(type, way)
138	int type;
139	int way;
140	{
141	Authenticator *ap = authenticators;
142
143	while (ap->type && (ap->type != type \|\| ap->way != way))
144	++ap;
145	return(ap->type ? ap : 0);
146	}
147
148	void
149	auth_init(name, server)
150	char *name;
151	int server;
152	{
153	Authenticator *ap = authenticators;
154
155	Server = server;
156	Name = name;
157
158	i_support = 0;
159	authenticated = 0;
160	authenticating = 0;
161	while (ap->type) {
162	if (!ap->init \|\| (*ap->init)(ap, server)) {
163	i_support \|= typemask(ap->type);
164	if (auth_debug_mode)
165	printf(">>>%s: I support auth type %d %d\r\n",
166	Name,
167	ap->type, ap->way);
168	}
169	++ap;
170	}
171	}
172
173	void
174	auth_disable_name(name)
175	char *name;
176	{
177	int x;
178	for (x = 0; x < AUTHTYPE_CNT; ++x) {
179	if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
180	i_wont_support \|= typemask(x);
181	break;
182	}
183	}
184	}
185
186	int
187	getauthmask(type, maskp)
188	char *type;
189	int *maskp;
190	{
191	register int x;
192
193	if (strcasecmp(type, AUTHTYPE_NAME(0))) {
194	*maskp = -1;
195	return(1);
196	}
197
198	for (x = 1; x < AUTHTYPE_CNT; ++x) {
199	if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
200	*maskp = typemask(x);
201	return(1);
202	}
203	}
204	return(0);
205	}
206
207	int
208	auth_enable(type)
209	int type;
210	{
211	return(auth_onoff(type, 1));
212	}
213
214	int
215	auth_disable(type)
216	int type;
217	{
218	return(auth_onoff(type, 0));
219	}
220
221	int
222	auth_onoff(type, on)
223	char *type;
224	int on;
225	{
226	int mask = -1;
227	Authenticator *ap;
228
229	if (!strcasecmp(type, "?") \|\| !strcasecmp(type, "help")) {
230	printf("auth %s 'type'\n", on ? "enable" : "disable");
231	printf("Where 'type' is one of:\n");
232	printf("\t%s\n", AUTHTYPE_NAME(0));
233	for (ap = authenticators; ap->type; ap++)
234	printf("\t%s\n", AUTHTYPE_NAME(ap->type));
235	return(0);
236	}
237
238	if (!getauthmask(type, &mask)) {
239	printf("%s: invalid authentication type\n", type);
240	return(0);
241	}
242	mask = getauthmask(type, &mask);
243	if (on)
244	i_wont_support &= ~mask;
245	else
246	i_wont_support \|= mask;
247	return(1);
248	}
249
250	int
251	auth_togdebug(on)
252	int on;
253	{
254	if (on < 0)
255	auth_debug_mode ^= 1;
256	else
257	auth_debug_mode = on;
258	printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
259	return(1);
260	}
261
262	int
263	auth_status()
264	{
265	Authenticator *ap;
266
267	if (i_wont_support == -1)
268	printf("Authentication disabled\n");
269	else
270	printf("Authentication enabled\n");
271
272	for (ap = authenticators; ap->type; ap++)
273	printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
274	(i_wont_support & typemask(ap->type)) ?
275	"disabled" : "enabled");
276	return(1);
277	}
278
279	/*
280	* This routine is called by the server to start authentication
281	* negotiation.
282	*/
283	void
284	auth_request()
285	{
286	static unsigned char str_request[64] = { IAC, SB,
287	TELOPT_AUTHENTICATION,
288	TELQUAL_SEND, };
289	Authenticator *ap = authenticators;
290	unsigned char *e = str_request + 4;
291
292	if (!authenticating) {
293	authenticating = 1;
294	while (ap->type) {
295	if (i_support & ~i_wont_support & typemask(ap->type)) {
296	if (auth_debug_mode) {
297	printf(">>>%s: Sending type %d %d\r\n",
298	Name, ap->type, ap->way);
299	}
300	*e++ = ap->type;
301	*e++ = ap->way;
302	}
303	++ap;
304	}
305	*e++ = IAC;
306	*e++ = SE;
307	net_write(str_request, e - str_request);
308	printsub('>', &str_request[2], e - str_request - 2);
309	}
310	}
311
312	/*
313	* This is called when an AUTH SEND is received.
314	* It should never arrive on the server side (as only the server can
315	* send an AUTH SEND).
316	* You should probably respond to it if you can...
317	*
318	* If you want to respond to the types out of order (i.e. even
319	* if he sends LOGIN KERBEROS and you support both, you respond
320	* with KERBEROS instead of LOGIN (which is against what the
321	* protocol says)) you will have to hack this code...
322	*/
323	void
324	auth_send(data, cnt)
325	unsigned char *data;
326	int cnt;
327	{
328	Authenticator *ap;
329	static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
330	TELQUAL_IS, AUTHTYPE_NULL, 0,
331	IAC, SE };
332	if (Server) {
333	if (auth_debug_mode) {
334	printf(">>>%s: auth_send called!\r\n", Name);
335	}
336	return;
337	}
338
339	if (auth_debug_mode) {
340	printf(">>>%s: auth_send got:", Name);
341	printd(data, cnt); printf("\r\n");
342	}
343
344	/*
345	* Save the data, if it is new, so that we can continue looking
346	* at it if the authorization we try doesn't work
347	*/
348	if (data < _auth_send_data \|\|
349	data > _auth_send_data + sizeof(_auth_send_data)) {
350	auth_send_cnt = cnt > sizeof(_auth_send_data)
351	? sizeof(_auth_send_data)
352	: cnt;
353	bcopy((void )data, (void )_auth_send_data, auth_send_cnt);
354	auth_send_data = _auth_send_data;
355	} else {
356	/*
357	* This is probably a no-op, but we just make sure
358	*/
359	auth_send_data = data;
360	auth_send_cnt = cnt;
361	}
362	while ((auth_send_cnt -= 2) >= 0) {
363	if (auth_debug_mode)
364	printf(">>>%s: He supports %d\r\n",
365	Name, *auth_send_data);
366	if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
367	ap = findauthenticator(auth_send_data[0],
368	auth_send_data[1]);
369	if (!ap) {
370	printf("Internal state error: cannot find authentication type %d a second time\r\n", *auth_send_data);
371	} else if (ap->send) {
372	if (auth_debug_mode)
373	printf(">>>%s: Trying %d %d\r\n",
374	Name, auth_send_data[0],
375	auth_send_data[1]);
376	if ((*ap->send)(ap)) {
377	/*
378	* Okay, we found one we like
379	* and did it.
380	* we can go home now.
381	*/
382	if (auth_debug_mode)
383	printf(">>>%s: Using type %d\r\n",
384	Name, *auth_send_data);
385	auth_send_data += 2;
386	return;
387	}
388	}
389	/* else
390	* just continue on and look for the
391	* next one if we didn't do anything.
392	*/
393	}
394	auth_send_data += 2;
395	}
396	net_write(str_none, sizeof(str_none));
397	printsub('>', &str_none[2], sizeof(str_none) - 2);
398	if (auth_debug_mode)
399	printf(">>>%s: Sent failure message\r\n", Name);
400	auth_finished(0, AUTH_REJECT);
401	}
402
403	void
404	auth_send_retry()
405	{
406	/*
407	* if auth_send_cnt <= 0 then auth_send will end up rejecting
408	* the authentication and informing the other side of this.
409	*/
410	auth_send(auth_send_data, auth_send_cnt);
411	}
412
413	void
414	auth_is(data, cnt)
415	unsigned char *data;
416	int cnt;
417	{
418	Authenticator *ap;
419
420	if (cnt < 2)
421	return;
422
423	if (data[0] == AUTHTYPE_NULL) {
424	auth_finished(0, AUTH_REJECT);
425	return;
426	}
427
428	if (ap = findauthenticator(data[0], data[1])) {
429	if (ap->is)
430	(*ap->is)(ap, data+2, cnt-2);
431	} else if (auth_debug_mode)
432	printf(">>>%s: Invalid authentication in IS: %d\r\n",
433	Name, *data);
434	}
435
436	void
437	auth_reply(data, cnt)
438	unsigned char *data;
439	int cnt;
440	{
441	Authenticator *ap;
442
443	if (cnt < 2)
444	return;
445
446	if (ap = findauthenticator(data[0], data[1])) {
447	if (ap->reply)
448	(*ap->reply)(ap, data+2, cnt-2);
449	} else if (auth_debug_mode)
450	printf(">>>%s: Invalid authentication in SEND: %d\r\n",
451	Name, *data);
452	}
453
454	void
455	auth_name(data, cnt)
456	unsigned char *data;
457	int cnt;
458	{
459	Authenticator *ap;
460	unsigned char savename[256];
461
462	if (cnt < 1) {
463	if (auth_debug_mode)
464	printf(">>>%s: Empty name in NAME\r\n", Name);
465	return;
466	}
467	if (cnt > sizeof(savename) - 1) {
468	if (auth_debug_mode)
469	printf(">>>%s: Name in NAME (%d) exceeds %d length\r\n",
470	Name, cnt, sizeof(savename)-1);
471	return;
472	}
473	bcopy((void )data, (void )savename, cnt);
474	savename[cnt] = '\0'; /* Null terminate */
475	if (auth_debug_mode)
476	printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
477	auth_encrypt_user(savename);
478	}
479
480	int
481	auth_sendname(cp, len)
482	unsigned char *cp;
483	int len;
484	{
485	static unsigned char str_request[256+6]
486	= { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
487	register unsigned char *e = str_request + 4;
488	register unsigned char *ee = &str_request[sizeof(str_request)-2];
489
490	while (--len >= 0) {
491	if ((e++ = cp++) == IAC)
492	*e++ = IAC;
493	if (e >= ee)
494	return(0);
495	}
496	*e++ = IAC;
497	*e++ = SE;
498	net_write(str_request, e - str_request);
499	printsub('>', &str_request[2], e - &str_request[2]);
500	return(1);
501	}
502
503	void
504	auth_finished(ap, result)
505	Authenticator *ap;
506	int result;
507	{
508	if (!(authenticated = ap))
509	authenticated = &NoAuth;
510	validuser = result;
511	}
512
513	/* ARGSUSED */
514	static void
515	auth_intr(sig)
516	int sig;
517	{
518	auth_finished(0, AUTH_REJECT);
519	}
520
521	int
522	auth_wait(name)
523	char *name;
524	{
525	if (auth_debug_mode)
526	printf(">>>%s: in auth_wait.\r\n", Name);
527
528	if (Server && !authenticating)
529	return(0);
530
531	(void) signal(SIGALRM, auth_intr);
532	alarm(30);
533	while (!authenticated)
534	if (telnet_spin())
535	break;
536	alarm(0);
537	(void) signal(SIGALRM, SIG_DFL);
538
539	/*
540	* Now check to see if the user is valid or not
541	*/
542	if (!authenticated \|\| authenticated == &NoAuth)
543	return(AUTH_REJECT);
544
545	if (validuser == AUTH_VALID)
546	validuser = AUTH_USER;
547
548	if (authenticated->status)
549	validuser = (*authenticated->status)(authenticated,
550	name, validuser);
551	return(validuser);
552	}
553
554	void
555	auth_debug(mode)
556	int mode;
557	{
558	auth_debug_mode = mode;
559	}
560
561	void
562	auth_printsub(data, cnt, buf, buflen)
563	unsigned char data, buf;
564	int cnt, buflen;
565	{
566	Authenticator *ap;
567
568	if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
569	(*ap->printsub)(data, cnt, buf, buflen);
570	else
571	auth_gen_printsub(data, cnt, buf, buflen);
572	}
573
574	void
575	auth_gen_printsub(data, cnt, buf, buflen)
576	unsigned char data, buf;
577	int cnt, buflen;
578	{
579	register unsigned char *cp;
580	unsigned char tbuf[16];
581
582	cnt -= 3;
583	data += 3;
584	buf[buflen-1] = '\0';
585	buf[buflen-2] = '*';
586	buflen -= 2;
587	for (; cnt > 0; cnt--, data++) {
588	sprintf((char )tbuf, " %d", data);
589	for (cp = tbuf; *cp && buflen > 0; --buflen)
590	buf++ = cp++;
591	if (buflen <= 0)
592	return;
593	}
594	*buf = '\0';
595	}
596	#endif