* Copyright (c) 1992, 1993
* The Regents of the University of California. All rights reserved.
* %sccs.include.redist.c%
static char sccsid
[] = "@(#)rsaencpwd.c 8.1 (Berkeley) %G%";
* COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
* "Digital Equipment Corporation authorizes the reproduction,
* distribution and modification of this software subject to the following
* 1. Any partial or whole copy of this software, or any modification
* thereof, must include this copyright notice in its entirety.
* 2. This software is supplied "as is" with no warranty of any kind,
* expressed or implied, for any purpose, including any warranty of fitness
* or merchantibility. DIGITAL assumes no responsibility for the use or
* reliability of this software, nor promises to provide any form of
* support for it on any basis.
* 3. Distribution of this software is authorized only if no profit or
* remuneration of any kind is received in exchange for such distribution.
* 4. This software produces public key authentication certificates
* bearing an expiration date established by DIGITAL and RSA Data
* Security, Inc. It may cease to generate certificates after the expiration
* date. Any modification of this software that changes or defeats
* the expiration date or its effect is unauthorized.
* 5. Software that will renew or extend the expiration date of
* authentication certificates produced by this software may be obtained
* from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
* 94065, (415)595-8782, or from DIGITAL"
static unsigned char str_data
[1024] = { IAC
, SB
, TELOPT_AUTHENTICATION
, 0,
static unsigned char str_name
[1024] = { IAC
, SB
, TELOPT_AUTHENTICATION
,
#define RSA_ENCPWD_AUTH 0 /* Authentication data follows */
#define RSA_ENCPWD_REJECT 1 /* Rejected (reason might follow) */
#define RSA_ENCPWD_ACCEPT 2 /* Accepted */
#define RSA_ENCPWD_CHALLENGEKEY 3 /* Challenge and public key */
static char name
[NAME_SZ
];
static char user_passwd
[PWD_SZ
];
static char key_file
[2*NAME_SZ
];
static char lhostname
[NAME_SZ
];
static char challenge
[CHAL_SZ
];
static int challenge_len
;
unsigned char *p
= str_data
+ 4;
unsigned char *cd
= (unsigned char *)d
;
printf("%s:%d: [%d] (%d)",
str_data
[3] == TELQUAL_IS
? ">>>IS" : ">>>REPLY",
if (type
!= NULL
) *p
++ = type
;
if ((*p
++ = *cd
++) == IAC
)
if (str_data
[3] == TELQUAL_IS
)
printsub('>', &str_data
[2], p
- (&str_data
[2]));
return(net_write(str_data
, p
- str_data
));
rsaencpwd_init(ap
, server
)
str_data
[3] = TELQUAL_REPLY
;
bzero(key_file
, sizeof(key_file
));
gethostname(lhostname
, sizeof(lhostname
));
if ((cp
= index(lhostname
, '.')) != 0) *cp
= '\0';
strcpy(key_file
, "/etc/.");
strcat(key_file
, lhostname
);
strcat(key_file
, "_privkey");
if ((fp
=fopen(key_file
, "r"))==NULL
) return(0);
str_data
[3] = TELQUAL_IS
;
printf("[ Trying RSAENCPWD ... ]\n");
if (!UserNameRequested
) {
if (!auth_sendname(UserNameRequested
, strlen(UserNameRequested
))) {
if (!Data(ap
, NULL
, (void *)NULL
, 0)) {
rsaencpwd_is(ap
, data
, cnt
)
char r_passwd
[PWD_SZ
], r_user
[NAME_SZ
];
int r
, i
, j
, chalkey_len
, len
;
bcopy((void *)data
, (void *)auth
.dat
, auth
.length
= cnt
);
if ((fp
=fopen(key_file
, "r"))==NULL
) {
Data(ap
, RSA_ENCPWD_REJECT
, (void *)"Auth failed", -1);
auth_finished(ap
, AUTH_REJECT
);
r
= accept_rsa_encpwd(&auth
, key
, challenge
,
challenge_len
, r_passwd
);
Data(ap
, RSA_ENCPWD_REJECT
, (void *)"Auth failed", -1);
auth_finished(ap
, AUTH_REJECT
);
auth_encrypt_userpwd(r_passwd
);
if (rsaencpwd_passwdok(UserNameRequested
, UserPassword
) == 0) {
* illegal username and password
Data(ap
, RSA_ENCPWD_REJECT
, (void *)"Illegal password", -1);
auth_finished(ap
, AUTH_REJECT
);
Data(ap
, RSA_ENCPWD_ACCEPT
, (void *)0, 0);
auth_finished(ap
, AUTH_USER
);
* If we are doing mutual authentication, get set up to send
* the challange, and verify it when the response comes back.
if ((ap
->way
& AUTH_HOW_MASK
) == AUTH_HOW_ONE_WAY
) {
sprintf(challenge
, "%x", now
);
challenge_len
= strlen(challenge
);
strcpy(challenge
, "randchal");
if ((fp
=fopen(key_file
, "r"))==NULL
) {
Data(ap
, RSA_ENCPWD_REJECT
, (void *)"Auth failed", -1);
auth_finished(ap
, AUTH_REJECT
);
ptr
= (char *) &chalkey
[1];
chalkey_len
= 1+NumEncodeLengthOctets(i
)+i
+1+NumEncodeLengthOctets(challenge_len
)+challenge_len
;
EncodeLength(ptr
, chalkey_len
);
ptr
+=NumEncodeLengthOctets(chalkey_len
);
*ptr
++ = 0x04; /* OCTET STRING */
bcopy(challenge
, ptr
, challenge_len
);
*ptr
++ = 0x04; /* OCTET STRING */
ptr
+= NumEncodeLengthOctets(i
);
chalkey_len
= 1+NumEncodeLengthOctets(chalkey_len
)+chalkey_len
;
Data(ap
, RSA_ENCPWD_CHALLENGEKEY
, (void *)chalkey
, chalkey_len
);
Data(ap
, RSA_ENCPWD_REJECT
, 0, 0);
rsaencpwd_reply(ap
, data
, cnt
)
char randchal
[CHAL_SZ
], *cp
;
char chalkey
[160], pubkey
[128], *ptr
;
printf("[ RSA_ENCPWD refuses authentication because %.*s ]\r\n",
printf("[ RSA_ENCPWD refuses authentication ]\r\n");
printf("[ RSA_ENCPWD accepts you ]\n");
auth_finished(ap
, AUTH_USER
);
case RSA_ENCPWD_CHALLENGEKEY
:
* Verify that the response to the challenge is correct.
bcopy((void *)data
, (void *)chalkey
, cnt
);
ptr
= (char *) &chalkey
[0];
ptr
+= DecodeHeaderLength(chalkey
);
challenge_len
= DecodeValueLength(ptr
);
ptr
+= NumEncodeLengthOctets(challenge_len
);
bcopy(ptr
, challenge
, challenge_len
);
pubkey_len
= DecodeValueLength(ptr
);
ptr
+= NumEncodeLengthOctets(pubkey_len
);
bcopy(ptr
, pubkey
, pubkey_len
);
bzero(user_passwd
, sizeof(user_passwd
));
local_des_read_pw_string(user_passwd
, sizeof(user_passwd
)-1, "Password: ", 0);
UserPassword
= user_passwd
;
r
= init_rsa_encpwd(&token
, user_passwd
, challenge
, challenge_len
, pubkey
);
if (!Data(ap
, RSA_ENCPWD_AUTH
, (void *)token
.dat
, token
.length
)) {
rsaencpwd_status(ap
, name
, level
)
if (UserNameRequested
&& rsaencpwd_passwdok(UserNameRequested
, UserPassword
)) {
strcpy(name
, UserNameRequested
);
#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
rsaencpwd_printsub(data
, cnt
, buf
, buflen
)
unsigned char *data
, *buf
;
buf
[buflen
-1] = '\0'; /* make sure its NULL terminated */
case RSA_ENCPWD_REJECT
: /* Rejected (reason might follow) */
strncpy((char *)buf
, " REJECT ", buflen
);
case RSA_ENCPWD_ACCEPT
: /* Accepted (name might follow) */
strncpy((char *)buf
, " ACCEPT ", buflen
);
for (i
= 4; i
< cnt
; i
++)
ADDC(buf
, buflen
, data
[i
]);
case RSA_ENCPWD_AUTH
: /* Authentication data follows */
strncpy((char *)buf
, " AUTH", buflen
);
case RSA_ENCPWD_CHALLENGEKEY
:
strncpy((char *)buf
, " CHALLENGEKEY", buflen
);
sprintf(lbuf
, " %d (unknown)", data
[3]);
strncpy((char *)buf
, lbuf
, buflen
);
for (i
= 4; i
< cnt
; i
++) {
sprintf(lbuf
, " %d", data
[i
]);
strncpy((char *)buf
, lbuf
, buflen
);
int rsaencpwd_passwdok(name
, passwd
)
if (pwd
= getpwnam(name
))
if (pwd
&& !strcmp(p
, pwd
->pw_passwd
)) {
} else passwdok_status
= 0;