1 /* $OpenBSD: auth2-chall.c,v 1.50 2018/07/11 18:55:11 markus Exp $ */ 2 /* 3 * Copyright (c) 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2001 Per Allansson. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include "includes.h" 28 29 #include <sys/types.h> 30 31 #include <stdarg.h> 32 #include <stdio.h> 33 #include <string.h> 34 35 #include "xmalloc.h" 36 #include "ssh2.h" 37 #include "sshkey.h" 38 #include "hostfile.h" 39 #include "auth.h" 40 #include "sshbuf.h" 41 #include "packet.h" 42 #include "dispatch.h" 43 #include "ssherr.h" 44 #include "log.h" 45 #include "misc.h" 46 #include "servconf.h" 47 48 /* import */ 49 extern ServerOptions options; 50 51 static int auth2_challenge_start(struct ssh *); 52 static int send_userauth_info_request(struct ssh *); 53 static int input_userauth_info_response(int, u_int32_t, struct ssh *); 54 55 #ifdef BSD_AUTH 56 extern KbdintDevice bsdauth_device; 57 #else 58 #ifdef USE_PAM 59 extern KbdintDevice sshpam_device; 60 #endif 61 #endif 62 63 KbdintDevice *devices[] = { 64 #ifdef BSD_AUTH 65 &bsdauth_device, 66 #else 67 #ifdef USE_PAM 68 &sshpam_device, 69 #endif 70 #endif 71 NULL 72 }; 73 74 typedef struct KbdintAuthctxt KbdintAuthctxt; 75 struct KbdintAuthctxt 76 { 77 char *devices; 78 void *ctxt; 79 KbdintDevice *device; 80 u_int nreq; 81 u_int devices_done; 82 }; 83 84 #ifdef USE_PAM 85 void 86 remove_kbdint_device(const char *devname) 87 { 88 int i, j; 89 90 for (i = 0; devices[i] != NULL; i++) 91 if (strcmp(devices[i]->name, devname) == 0) { 92 for (j = i; devices[j] != NULL; j++) 93 devices[j] = devices[j+1]; 94 i--; 95 } 96 } 97 #endif 98 99 static KbdintAuthctxt * 100 kbdint_alloc(const char *devs) 101 { 102 KbdintAuthctxt *kbdintctxt; 103 struct sshbuf *b; 104 int i, r; 105 106 #ifdef USE_PAM 107 if (!options.use_pam) 108 remove_kbdint_device("pam"); 109 #endif 110 111 kbdintctxt = xcalloc(1, sizeof(KbdintAuthctxt)); 112 if (strcmp(devs, "") == 0) { 113 if ((b = sshbuf_new()) == NULL) 114 fatal("%s: sshbuf_new failed", __func__); 115 for (i = 0; devices[i]; i++) { 116 if ((r = sshbuf_putf(b, "%s%s", 117 sshbuf_len(b) ? "," : "", devices[i]->name)) != 0) 118 fatal("%s: buffer error: %s", 119 __func__, ssh_err(r)); 120 } 121 if ((kbdintctxt->devices = sshbuf_dup_string(b)) == NULL) 122 fatal("%s: sshbuf_dup_string failed", __func__); 123 sshbuf_free(b); 124 } else { 125 kbdintctxt->devices = xstrdup(devs); 126 } 127 debug("kbdint_alloc: devices '%s'", kbdintctxt->devices); 128 kbdintctxt->ctxt = NULL; 129 kbdintctxt->device = NULL; 130 kbdintctxt->nreq = 0; 131 132 return kbdintctxt; 133 } 134 static void 135 kbdint_reset_device(KbdintAuthctxt *kbdintctxt) 136 { 137 if (kbdintctxt->ctxt) { 138 kbdintctxt->device->free_ctx(kbdintctxt->ctxt); 139 kbdintctxt->ctxt = NULL; 140 } 141 kbdintctxt->device = NULL; 142 } 143 static void 144 kbdint_free(KbdintAuthctxt *kbdintctxt) 145 { 146 if (kbdintctxt->device) 147 kbdint_reset_device(kbdintctxt); 148 free(kbdintctxt->devices); 149 explicit_bzero(kbdintctxt, sizeof(*kbdintctxt)); 150 free(kbdintctxt); 151 } 152 /* get next device */ 153 static int 154 kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) 155 { 156 size_t len; 157 char *t; 158 int i; 159 160 if (kbdintctxt->device) 161 kbdint_reset_device(kbdintctxt); 162 do { 163 len = kbdintctxt->devices ? 164 strcspn(kbdintctxt->devices, ",") : 0; 165 166 if (len == 0) 167 break; 168 for (i = 0; devices[i]; i++) { 169 if ((kbdintctxt->devices_done & (1 << i)) != 0 || 170 !auth2_method_allowed(authctxt, 171 "keyboard-interactive", devices[i]->name)) 172 continue; 173 if (strncmp(kbdintctxt->devices, devices[i]->name, 174 len) == 0) { 175 kbdintctxt->device = devices[i]; 176 kbdintctxt->devices_done |= 1 << i; 177 } 178 } 179 t = kbdintctxt->devices; 180 kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; 181 free(t); 182 debug2("kbdint_next_device: devices %s", kbdintctxt->devices ? 183 kbdintctxt->devices : "<empty>"); 184 } while (kbdintctxt->devices && !kbdintctxt->device); 185 186 return kbdintctxt->device ? 1 : 0; 187 } 188 189 /* 190 * try challenge-response, set authctxt->postponed if we have to 191 * wait for the response. 192 */ 193 int 194 auth2_challenge(struct ssh *ssh, char *devs) 195 { 196 Authctxt *authctxt = ssh->authctxt; 197 debug("auth2_challenge: user=%s devs=%s", 198 authctxt->user ? authctxt->user : "<nouser>", 199 devs ? devs : "<no devs>"); 200 201 if (authctxt->user == NULL || !devs) 202 return 0; 203 if (authctxt->kbdintctxt == NULL) 204 authctxt->kbdintctxt = kbdint_alloc(devs); 205 return auth2_challenge_start(ssh); 206 } 207 208 /* unregister kbd-int callbacks and context */ 209 void 210 auth2_challenge_stop(struct ssh *ssh) 211 { 212 Authctxt *authctxt = ssh->authctxt; 213 /* unregister callback */ 214 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL); 215 if (authctxt->kbdintctxt != NULL) { 216 kbdint_free(authctxt->kbdintctxt); 217 authctxt->kbdintctxt = NULL; 218 } 219 } 220 221 /* side effect: sets authctxt->postponed if a reply was sent*/ 222 static int 223 auth2_challenge_start(struct ssh *ssh) 224 { 225 Authctxt *authctxt = ssh->authctxt; 226 KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt; 227 228 debug2("auth2_challenge_start: devices %s", 229 kbdintctxt->devices ? kbdintctxt->devices : "<empty>"); 230 231 if (kbdint_next_device(authctxt, kbdintctxt) == 0) { 232 auth2_challenge_stop(ssh); 233 return 0; 234 } 235 debug("auth2_challenge_start: trying authentication method '%s'", 236 kbdintctxt->device->name); 237 238 if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) { 239 auth2_challenge_stop(ssh); 240 return 0; 241 } 242 if (send_userauth_info_request(ssh) == 0) { 243 auth2_challenge_stop(ssh); 244 return 0; 245 } 246 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_INFO_RESPONSE, 247 &input_userauth_info_response); 248 249 authctxt->postponed = 1; 250 return 0; 251 } 252 253 static int 254 send_userauth_info_request(struct ssh *ssh) 255 { 256 Authctxt *authctxt = ssh->authctxt; 257 KbdintAuthctxt *kbdintctxt; 258 char *name, *instr, **prompts; 259 u_int r, i, *echo_on; 260 261 kbdintctxt = authctxt->kbdintctxt; 262 if (kbdintctxt->device->query(kbdintctxt->ctxt, 263 &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on)) 264 return 0; 265 266 if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_INFO_REQUEST)) != 0 || 267 (r = sshpkt_put_cstring(ssh, name)) != 0 || 268 (r = sshpkt_put_cstring(ssh, instr)) != 0 || 269 (r = sshpkt_put_cstring(ssh, "")) != 0 || /* language not used */ 270 (r = sshpkt_put_u32(ssh, kbdintctxt->nreq)) != 0) 271 fatal("%s: %s", __func__, ssh_err(r)); 272 for (i = 0; i < kbdintctxt->nreq; i++) { 273 if ((r = sshpkt_put_cstring(ssh, prompts[i])) != 0 || 274 (r = sshpkt_put_u8(ssh, echo_on[i])) != 0) 275 fatal("%s: %s", __func__, ssh_err(r)); 276 } 277 if ((r = sshpkt_send(ssh)) != 0 || 278 (r = ssh_packet_write_wait(ssh)) != 0) 279 fatal("%s: %s", __func__, ssh_err(r)); 280 281 for (i = 0; i < kbdintctxt->nreq; i++) 282 free(prompts[i]); 283 free(prompts); 284 free(echo_on); 285 free(name); 286 free(instr); 287 return 1; 288 } 289 290 static int 291 input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh) 292 { 293 Authctxt *authctxt = ssh->authctxt; 294 KbdintAuthctxt *kbdintctxt; 295 int authenticated = 0, res; 296 int r; 297 u_int i, nresp; 298 const char *devicename = NULL; 299 char **response = NULL; 300 301 if (authctxt == NULL) 302 fatal("input_userauth_info_response: no authctxt"); 303 kbdintctxt = authctxt->kbdintctxt; 304 if (kbdintctxt == NULL || kbdintctxt->ctxt == NULL) 305 fatal("input_userauth_info_response: no kbdintctxt"); 306 if (kbdintctxt->device == NULL) 307 fatal("input_userauth_info_response: no device"); 308 309 authctxt->postponed = 0; /* reset */ 310 if ((r = sshpkt_get_u32(ssh, &nresp)) != 0) 311 fatal("%s: %s", __func__, ssh_err(r)); 312 if (nresp != kbdintctxt->nreq) 313 fatal("input_userauth_info_response: wrong number of replies"); 314 if (nresp > 100) 315 fatal("input_userauth_info_response: too many replies"); 316 if (nresp > 0) { 317 response = xcalloc(nresp, sizeof(char *)); 318 for (i = 0; i < nresp; i++) 319 if ((r = sshpkt_get_cstring(ssh, &response[i], 320 NULL)) != 0) 321 fatal("%s: %s", __func__, ssh_err(r)); 322 } 323 if ((r = sshpkt_get_end(ssh)) != 0) 324 fatal("%s: %s", __func__, ssh_err(r)); 325 326 res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response); 327 328 for (i = 0; i < nresp; i++) { 329 explicit_bzero(response[i], strlen(response[i])); 330 free(response[i]); 331 } 332 free(response); 333 334 switch (res) { 335 case 0: 336 /* Success! */ 337 authenticated = authctxt->valid ? 1 : 0; 338 break; 339 case 1: 340 /* Authentication needs further interaction */ 341 if (send_userauth_info_request(ssh) == 1) 342 authctxt->postponed = 1; 343 break; 344 default: 345 /* Failure! */ 346 break; 347 } 348 devicename = kbdintctxt->device->name; 349 if (!authctxt->postponed) { 350 if (authenticated) { 351 auth2_challenge_stop(ssh); 352 } else { 353 /* start next device */ 354 /* may set authctxt->postponed */ 355 auth2_challenge_start(ssh); 356 } 357 } 358 userauth_finish(ssh, authenticated, "keyboard-interactive", 359 devicename); 360 return 0; 361 } 362 363 void 364 privsep_challenge_enable(void) 365 { 366 #if defined(BSD_AUTH) || defined(USE_PAM) 367 int n = 0; 368 #endif 369 #ifdef BSD_AUTH 370 extern KbdintDevice mm_bsdauth_device; 371 #endif 372 #ifdef USE_PAM 373 extern KbdintDevice mm_sshpam_device; 374 #endif 375 376 #ifdef BSD_AUTH 377 devices[n++] = &mm_bsdauth_device; 378 #else 379 #ifdef USE_PAM 380 devices[n++] = &mm_sshpam_device; 381 #endif 382 #endif 383 } 384