
  1. /* $OpenBSD: auth2-chall.c,v 1.53 2020/02/26 13:40:09 jsg Exp $ */
  2. /*
  3. * Copyright (c) 2001 Markus Friedl. All rights reserved.
  4. * Copyright (c) 2001 Per Allansson. All rights reserved.
  5. *
  6. * Redistribution and use in source and binary forms, with or without
  7. * modification, are permitted provided that the following conditions
  8. * are met:
  9. * 1. Redistributions of source code must retain the above copyright
  10. * notice, this list of conditions and the following disclaimer.
  11. * 2. Redistributions in binary form must reproduce the above copyright
  12. * notice, this list of conditions and the following disclaimer in the
  13. * documentation and/or other materials provided with the distribution.
  14. *
  15. * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  16. * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  17. * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  18. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  19. * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  20. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  21. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  22. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  23. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  24. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  25. */
  26. #include "includes.h"
  27. #include <sys/types.h>
  28. #include <stdlib.h>
  29. #include <stdio.h>
  30. #include <string.h>
  31. #include <stdarg.h>
  32. #include "xmalloc.h"
  33. #include "ssh2.h"
  34. #include "sshkey.h"
  35. #include "hostfile.h"
  36. #include "auth.h"
  37. #include "sshbuf.h"
  38. #include "packet.h"
  39. #include "dispatch.h"
  40. #include "ssherr.h"
  41. #include "log.h"
  42. #include "misc.h"
  43. #include "servconf.h"
/* import: server configuration; only options.use_pam is consulted here (kbdint_alloc) */
extern ServerOptions options;

/* forward declarations for the kbd-int state machine below */
static int auth2_challenge_start(struct ssh *);
static int send_userauth_info_request(struct ssh *);
static int input_userauth_info_response(int, u_int32_t, struct ssh *);

/* backend devices: BSD auth wins when both BSD_AUTH and USE_PAM are built */
#ifdef BSD_AUTH
extern KbdintDevice bsdauth_device;
#else
#ifdef USE_PAM
extern KbdintDevice sshpam_device;
#endif
#endif
/*
 * NULL-terminated table of kbd-int backends, walked in order by
 * kbdint_next_device().  Deliberately mutable: remove_kbdint_device()
 * drops entries and privsep_challenge_enable() overwrites the front of the
 * table with the mm_* variants.
 */
KbdintDevice *devices[] = {
#ifdef BSD_AUTH
	&bsdauth_device,
#else
#ifdef USE_PAM
	&sshpam_device,
#endif
#endif
	NULL
};
typedef struct KbdintAuthctxt KbdintAuthctxt;
/* per-authentication keyboard-interactive state, hung off Authctxt->kbdintctxt */
struct KbdintAuthctxt
{
	char *devices;		/* comma-separated devices still to try; NULL once exhausted */
	void *ctxt;		/* device-private state from device->init_ctx(); NULL when none */
	KbdintDevice *device;	/* backend currently in use; NULL between devices */
	u_int nreq;		/* number of prompts in the outstanding INFO_REQUEST */
	u_int devices_done;	/* bitmask: bit i set once devices[i] has been tried */
};
#ifdef USE_PAM
/*
 * Remove every entry whose name equals `devname' from the NULL-terminated
 * devices[] table, compacting the survivors so the list stays contiguous
 * and NULL-terminated.
 */
void
remove_kbdint_device(const char *devname)
{
	int rd, wr = 0;

	for (rd = 0; devices[rd] != NULL; rd++) {
		if (strcmp(devices[rd]->name, devname) == 0)
			continue;	/* drop this entry */
		devices[wr++] = devices[rd];
	}
	devices[wr] = NULL;
}
#endif
/*
 * Allocate a kbd-int context for the comma-separated device list `devs'.
 * An empty `devs' selects every device in devices[], spelled out by joining
 * their names with commas.  The context is owned by the caller and released
 * with kbdint_free(); allocation and buffer failures are fatal.
 */
static KbdintAuthctxt *
kbdint_alloc(const char *devs)
{
	KbdintAuthctxt *ctx;
	struct sshbuf *joined;
	int i, r;

#ifdef USE_PAM
	/* PAM disabled in the configuration: never offer the "pam" device. */
	if (!options.use_pam)
		remove_kbdint_device("pam");
#endif
	ctx = xcalloc(1, sizeof(*ctx));
	if (*devs != '\0') {
		ctx->devices = xstrdup(devs);
	} else {
		if ((joined = sshbuf_new()) == NULL)
			fatal("%s: sshbuf_new failed", __func__);
		for (i = 0; devices[i] != NULL; i++) {
			/* separator only once the buffer already holds a name */
			r = sshbuf_putf(joined, "%s%s",
			    sshbuf_len(joined) ? "," : "", devices[i]->name);
			if (r != 0)
				fatal("%s: buffer error: %s",
				    __func__, ssh_err(r));
		}
		if ((ctx->devices = sshbuf_dup_string(joined)) == NULL)
			fatal("%s: sshbuf_dup_string failed", __func__);
		sshbuf_free(joined);
	}
	debug("kbdint_alloc: devices '%s'", ctx->devices);
	/* xcalloc already zeroed these; restated to make the start state explicit */
	ctx->ctxt = NULL;
	ctx->device = NULL;
	ctx->nreq = 0;
	return ctx;
}
/*
 * Forget the current device: release its private context through the
 * device's own free_ctx() (only if one was created) and clear the device
 * pointer so the next device can be selected.
 */
static void
kbdint_reset_device(KbdintAuthctxt *kbdintctxt)
{
	void *devctx = kbdintctxt->ctxt;

	if (devctx != NULL) {
		/* the device that created the context is the one that frees it */
		kbdintctxt->device->free_ctx(devctx);
		kbdintctxt->ctxt = NULL;
	}
	kbdintctxt->device = NULL;
}
/*
 * Release a context from kbdint_alloc(): device-private state first, then
 * the remaining device list, then the struct itself (zeroed before free).
 */
static void
kbdint_free(KbdintAuthctxt *kbdintctxt)
{
	if (kbdintctxt->device != NULL)
		kbdint_reset_device(kbdintctxt);
	free(kbdintctxt->devices);
	freezero(kbdintctxt, sizeof(*kbdintctxt));
}
/*
 * Select the next usable device from kbdintctxt->devices.
 *
 * Each pass consumes one comma-separated token from the list and points
 * kbdintctxt->device at the matching entry of devices[], skipping entries
 * already tried (devices_done) or not permitted by auth2_method_allowed()
 * for "keyboard-interactive".  The consumed token is discarded whether or
 * not it matched.  Returns 1 when a device was selected, 0 when the list
 * is exhausted; any previously selected device is reset first.
 */
static int
kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
{
	size_t len;
	char *t;
	int i;

	if (kbdintctxt->device)
		kbdint_reset_device(kbdintctxt);
	do {
		/* length of the next token; an empty token or list ends the search */
		len = kbdintctxt->devices ?
		    strcspn(kbdintctxt->devices, ",") : 0;
		if (len == 0)
			break;
		for (i = 0; devices[i]; i++) {
			/* bit i of devices_done tracks devices[i]; fine while the table stays far below 32 entries */
			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
			    !auth2_method_allowed(authctxt,
			    "keyboard-interactive", devices[i]->name))
				continue;
			/*
			 * NOTE(review): only the first `len' bytes are compared, so a
			 * token that is a proper prefix of a device name (e.g. "pa"
			 * for "pam") also matches, and with no break the last match
			 * in devices[] wins.
			 */
			if (strncmp(kbdintctxt->devices, devices[i]->name,
			    len) == 0) {
				kbdintctxt->device = devices[i];
				kbdintctxt->devices_done |= 1 << i;
			}
		}
		/* drop the consumed token; keep whatever follows the comma */
		t = kbdintctxt->devices;
		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
		free(t);
		debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
		    kbdintctxt->devices : "<empty>");
	} while (kbdintctxt->devices && !kbdintctxt->device);
	return kbdintctxt->device ? 1 : 0;
}
/*
 * Entry point of the keyboard-interactive method.  `devs' is the
 * comma-separated device list requested for this attempt (may be NULL).
 * Returns 0 in every case; when a challenge was sent,
 * auth2_challenge_start() has set authctxt->postponed so the caller waits
 * for the client's SSH2_MSG_USERAUTH_INFO_RESPONSE.
 */
int
auth2_challenge(struct ssh *ssh, char *devs)
{
	Authctxt *authctxt = ssh->authctxt;
	const char *who = authctxt->user != NULL ? authctxt->user : "<nouser>";
	const char *what = devs != NULL ? devs : "<no devs>";

	debug("auth2_challenge: user=%s devs=%s", who, what);
	if (authctxt->user == NULL || devs == NULL)
		return 0;
	/* keep an existing context: it remembers which devices were tried */
	if (authctxt->kbdintctxt == NULL)
		authctxt->kbdintctxt = kbdint_alloc(devs);
	return auth2_challenge_start(ssh);
}
/*
 * Tear down keyboard-interactive for this attempt: stop accepting
 * INFO_RESPONSE packets and free the kbd-int context, if any.
 */
void
auth2_challenge_stop(struct ssh *ssh)
{
	Authctxt *authctxt = ssh->authctxt;
	KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt;

	/* no more SSH2_MSG_USERAUTH_INFO_RESPONSE handling until re-armed */
	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
	if (kbdintctxt == NULL)
		return;
	kbdint_free(kbdintctxt);
	authctxt->kbdintctxt = NULL;
}
/*
 * Pick the next device and send its first challenge.
 * Side effect: sets authctxt->postponed when an INFO_REQUEST went out and
 * arms input_userauth_info_response() for the reply.  If no device is left,
 * the device refuses to initialise, or its query fails, the kbd-int state is
 * torn down via auth2_challenge_stop().  Always returns 0.
 */
static int
auth2_challenge_start(struct ssh *ssh)
{
	Authctxt *authctxt = ssh->authctxt;
	KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt;

	debug2("auth2_challenge_start: devices %s",
	    kbdintctxt->devices ? kbdintctxt->devices : "<empty>");

	if (kbdint_next_device(authctxt, kbdintctxt) == 0)
		goto stop;
	debug("auth2_challenge_start: trying authentication method '%s'",
	    kbdintctxt->device->name);
	kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt);
	if (kbdintctxt->ctxt == NULL)
		goto stop;
	if (send_userauth_info_request(ssh) == 0)
		goto stop;
	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_INFO_RESPONSE,
	    &input_userauth_info_response);
	authctxt->postponed = 1;
	return 0;

stop:
	/* nothing (more) to try for this attempt */
	auth2_challenge_stop(ssh);
	return 0;
}
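/*
 * Ask the current device for its prompts and send them to the client as
 * SSH2_MSG_USERAUTH_INFO_REQUEST.
 *
 * Returns 1 when a request was sent (kbdintctxt->nreq then holds the number
 * of prompts the client has to answer), 0 when the device's query() refused.
 * Packet-layer errors are fatal.  The strings handed out by query() are
 * owned here and freed before returning.
 */
static int
send_userauth_info_request(struct ssh *ssh)
{
	Authctxt *authctxt = ssh->authctxt;
	KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt;
	char *name, *instr, **prompts;
	u_int i, *echo_on;
	int r;	/* sshpkt_* report errors as negative codes: keep r signed for ssh_err() */

	if (kbdintctxt->device->query(kbdintctxt->ctxt,
	    &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
		return 0;

	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_INFO_REQUEST)) != 0 ||
	    (r = sshpkt_put_cstring(ssh, name)) != 0 ||
	    (r = sshpkt_put_cstring(ssh, instr)) != 0 ||
	    (r = sshpkt_put_cstring(ssh, "")) != 0 || /* language not used */
	    (r = sshpkt_put_u32(ssh, kbdintctxt->nreq)) != 0)
		fatal("%s: %s", __func__, ssh_err(r));
	for (i = 0; i < kbdintctxt->nreq; i++) {
		/* one (prompt, echo flag) pair per requested answer */
		if ((r = sshpkt_put_cstring(ssh, prompts[i])) != 0 ||
		    (r = sshpkt_put_u8(ssh, echo_on[i])) != 0)
			fatal("%s: %s", __func__, ssh_err(r));
	}
	if ((r = sshpkt_send(ssh)) != 0 ||
	    (r = ssh_packet_write_wait(ssh)) != 0)
		fatal("%s: %s", __func__, ssh_err(r));

	for (i = 0; i < kbdintctxt->nreq; i++)
		free(prompts[i]);
	free(prompts);
	free(echo_on);
	free(name);
	free(instr);
	return 1;
}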
/*
 * Dispatch handler for SSH2_MSG_USERAUTH_INFO_RESPONSE.
 *
 * Reads the client's answers to the outstanding INFO_REQUEST, hands them to
 * the current device's respond(), and then either finishes the method
 * (success), re-arms a further exchange (respond() == 1), or moves on to the
 * next device.  The reply count must equal kbdintctxt->nreq and is capped at
 * 100; any violation or packet error is fatal.  Always returns 0.
 */
static int
input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
{
	Authctxt *authctxt = ssh->authctxt;
	KbdintAuthctxt *kbdintctxt;
	int authenticated = 0, res;
	int r;
	u_int i, nresp;
	const char *devicename = NULL;
	char **response = NULL;

	/* this handler is only armed while a challenge is outstanding */
	if (authctxt == NULL)
		fatal("input_userauth_info_response: no authctxt");
	kbdintctxt = authctxt->kbdintctxt;
	if (kbdintctxt == NULL || kbdintctxt->ctxt == NULL)
		fatal("input_userauth_info_response: no kbdintctxt");
	if (kbdintctxt->device == NULL)
		fatal("input_userauth_info_response: no device");
	authctxt->postponed = 0; /* reset; set again below only if another exchange is pending */

	/* the count comes from the peer: pin it to what we asked for and bound it before allocating */
	if ((r = sshpkt_get_u32(ssh, &nresp)) != 0)
		fatal("%s: %s", __func__, ssh_err(r));
	if (nresp != kbdintctxt->nreq)
		fatal("input_userauth_info_response: wrong number of replies");
	if (nresp > 100)
		fatal("input_userauth_info_response: too many replies");
	if (nresp > 0) {
		response = xcalloc(nresp, sizeof(char *));
		for (i = 0; i < nresp; i++)
			if ((r = sshpkt_get_cstring(ssh, &response[i],
			    NULL)) != 0)
				fatal("%s: %s", __func__, ssh_err(r));
	}
	if ((r = sshpkt_get_end(ssh)) != 0)
		fatal("%s: %s", __func__, ssh_err(r));

	res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
	/* answers are typically secrets: wipe them as soon as the device has seen them */
	for (i = 0; i < nresp; i++) {
		explicit_bzero(response[i], strlen(response[i]));
		free(response[i]);
	}
	free(response);

	switch (res) {
	case 0:
		/* Success! -- but only if the user itself is valid */
		authenticated = authctxt->valid ? 1 : 0;
		break;
	case 1:
		/* Authentication needs further interaction */
		if (send_userauth_info_request(ssh) == 1)
			authctxt->postponed = 1;
		break;
	default:
		/* Failure! */
		break;
	}

	/* take the name now: auth2_challenge_stop() below frees kbdintctxt */
	devicename = kbdintctxt->device->name;
	if (!authctxt->postponed) {
		if (authenticated) {
			auth2_challenge_stop(ssh);
		} else {
			/* start next device */
			/* may set authctxt->postponed */
			auth2_challenge_start(ssh);
		}
	}
	userauth_finish(ssh, authenticated, "keyboard-interactive",
	    devicename);
	return 0;
}
/*
 * Swap the front of devices[] for the mm_* variants (judging by the prefix,
 * the proxies used under privilege separation -- confirm against the
 * monitor code).  Entries are written from index 0 and the table keeps the
 * NULL terminator placed by its static initializer; the caller is expected
 * to invoke this before any kbd-int context is allocated.
 */
void
privsep_challenge_enable(void)
{
#if defined(BSD_AUTH) || defined(USE_PAM)
	int n = 0;
#endif
#ifdef BSD_AUTH
	extern KbdintDevice mm_bsdauth_device;
#endif
#ifdef USE_PAM
	extern KbdintDevice mm_sshpam_device;
#endif

	/* same precedence as the static table: BSD auth over PAM */
#ifdef BSD_AUTH
	devices[n++] = &mm_bsdauth_device;
#else
#ifdef USE_PAM
	devices[n++] = &mm_sshpam_device;
#endif
#endif
}