1 /* $NetBSD: auth2-chall.c,v 1.19 2021/03/05 17:47:15 christos Exp $ */
2 /* $OpenBSD: auth2-chall.c,v 1.54 2020/10/18 11:32:01 djm Exp $ */
3
4 /*
5 * Copyright (c) 2001 Markus Friedl. All rights reserved.
6 * Copyright (c) 2001 Per Allansson. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 #include "includes.h"
30 __RCSID("$NetBSD: auth2-chall.c,v 1.19 2021/03/05 17:47:15 christos Exp $");
31 #include <sys/types.h>
32
33 #include <stdlib.h>
34 #include <stdio.h>
35 #include <string.h>
36 #include <stdarg.h>
37
38 #include "xmalloc.h"
39 #include "ssh2.h"
40 #include "sshkey.h"
41 #include "hostfile.h"
42 #include "auth.h"
43 #include "sshbuf.h"
44 #include "packet.h"
45 #include "dispatch.h"
46 #include "ssherr.h"
47 #include "log.h"
48 #include "misc.h"
49 #include "servconf.h"
50
51 /* import */
52 extern ServerOptions options;
53
54 static int auth2_challenge_start(struct ssh *);
55 static int send_userauth_info_request(struct ssh *);
56 static int input_userauth_info_response(int, u_int32_t, struct ssh *);
57
58 #ifdef BSD_AUTH
59 extern KbdintDevice bsdauth_device;
60 #else
61 #ifdef USE_PAM
62 extern KbdintDevice sshpam_device;
63 #endif
64 #ifdef SKEY
65 extern KbdintDevice skey_device;
66 #endif
67 #endif
68
69 KbdintDevice *devices[] = {
70 #ifdef BSD_AUTH
71 &bsdauth_device,
72 #else
73 #ifdef USE_PAM
74 &sshpam_device,
75 #endif
76 #ifdef SKEY
77 &skey_device,
78 #endif
79 #endif
80 NULL
81 };
82
83 typedef struct KbdintAuthctxt KbdintAuthctxt;
84 struct KbdintAuthctxt
85 {
86 char *devices;
87 void *ctxt;
88 KbdintDevice *device;
89 u_int nreq;
90 u_int devices_done;
91 };
92
93 #ifdef USE_PAM
94 void remove_kbdint_device(const char *);
95 void
remove_kbdint_device(const char * xdevname)96 remove_kbdint_device(const char *xdevname)
97 {
98 int i, j;
99
100 for (i = 0; devices[i] != NULL; i++)
101 if (strcmp(devices[i]->name, xdevname) == 0) {
102 for (j = i; devices[j] != NULL; j++)
103 devices[j] = devices[j+1];
104 i--;
105 }
106 }
107 #endif
108
109 static KbdintAuthctxt *
kbdint_alloc(const char * devs)110 kbdint_alloc(const char *devs)
111 {
112 KbdintAuthctxt *kbdintctxt;
113 struct sshbuf *b;
114 int i, r;
115
116 #ifdef USE_PAM
117 if (!options.use_pam)
118 remove_kbdint_device("pam");
119 #endif
120
121 kbdintctxt = xcalloc(1, sizeof(KbdintAuthctxt));
122 if (strcmp(devs, "") == 0) {
123 if ((b = sshbuf_new()) == NULL)
124 fatal_f("sshbuf_new failed");
125 for (i = 0; devices[i]; i++) {
126 if ((r = sshbuf_putf(b, "%s%s",
127 sshbuf_len(b) ? "," : "", devices[i]->name)) != 0)
128 fatal_fr(r, "buffer error");
129 }
130 if ((kbdintctxt->devices = sshbuf_dup_string(b)) == NULL)
131 fatal_f("sshbuf_dup_string failed");
132 sshbuf_free(b);
133 } else {
134 kbdintctxt->devices = xstrdup(devs);
135 }
136 debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
137 kbdintctxt->ctxt = NULL;
138 kbdintctxt->device = NULL;
139 kbdintctxt->nreq = 0;
140
141 return kbdintctxt;
142 }
143 static void
kbdint_reset_device(KbdintAuthctxt * kbdintctxt)144 kbdint_reset_device(KbdintAuthctxt *kbdintctxt)
145 {
146 if (kbdintctxt->ctxt) {
147 kbdintctxt->device->free_ctx(kbdintctxt->ctxt);
148 kbdintctxt->ctxt = NULL;
149 }
150 kbdintctxt->device = NULL;
151 }
152 static void
kbdint_free(KbdintAuthctxt * kbdintctxt)153 kbdint_free(KbdintAuthctxt *kbdintctxt)
154 {
155 if (kbdintctxt->device)
156 kbdint_reset_device(kbdintctxt);
157 free(kbdintctxt->devices);
158 freezero(kbdintctxt, sizeof(*kbdintctxt));
159 }
160 /* get next device */
161 static int
kbdint_next_device(Authctxt * authctxt,KbdintAuthctxt * kbdintctxt)162 kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
163 {
164 size_t len;
165 char *t;
166 int i;
167
168 if (kbdintctxt->device)
169 kbdint_reset_device(kbdintctxt);
170 do {
171 len = kbdintctxt->devices ?
172 strcspn(kbdintctxt->devices, ",") : 0;
173
174 if (len == 0)
175 break;
176 for (i = 0; devices[i]; i++) {
177 if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
178 !auth2_method_allowed(authctxt,
179 "keyboard-interactive", devices[i]->name))
180 continue;
181 if (strncmp(kbdintctxt->devices, devices[i]->name,
182 len) == 0) {
183 kbdintctxt->device = devices[i];
184 kbdintctxt->devices_done |= 1 << i;
185 }
186 }
187 t = kbdintctxt->devices;
188 kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
189 free(t);
190 debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
191 kbdintctxt->devices : "<empty>");
192 } while (kbdintctxt->devices && !kbdintctxt->device);
193
194 return kbdintctxt->device ? 1 : 0;
195 }
196
197 /*
198 * try challenge-response, set authctxt->postponed if we have to
199 * wait for the response.
200 */
201 int
auth2_challenge(struct ssh * ssh,char * devs)202 auth2_challenge(struct ssh *ssh, char *devs)
203 {
204 Authctxt *authctxt = ssh->authctxt;
205 debug("auth2_challenge: user=%s devs=%s",
206 authctxt->user ? authctxt->user : "<nouser>",
207 devs ? devs : "<no devs>");
208
209 if (authctxt->user == NULL || !devs)
210 return 0;
211 if (authctxt->kbdintctxt == NULL)
212 authctxt->kbdintctxt = kbdint_alloc(devs);
213 return auth2_challenge_start(ssh);
214 }
215
216 /* unregister kbd-int callbacks and context */
217 void
auth2_challenge_stop(struct ssh * ssh)218 auth2_challenge_stop(struct ssh *ssh)
219 {
220 Authctxt *authctxt = ssh->authctxt;
221 /* unregister callback */
222 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
223 if (authctxt->kbdintctxt != NULL) {
224 kbdint_free(authctxt->kbdintctxt);
225 authctxt->kbdintctxt = NULL;
226 }
227 }
228
229 /* side effect: sets authctxt->postponed if a reply was sent*/
230 static int
auth2_challenge_start(struct ssh * ssh)231 auth2_challenge_start(struct ssh *ssh)
232 {
233 Authctxt *authctxt = ssh->authctxt;
234 KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt;
235
236 debug2("auth2_challenge_start: devices %s",
237 kbdintctxt->devices ? kbdintctxt->devices : "<empty>");
238
239 if (kbdint_next_device(authctxt, kbdintctxt) == 0) {
240 auth2_challenge_stop(ssh);
241 return 0;
242 }
243 debug("auth2_challenge_start: trying authentication method '%s'",
244 kbdintctxt->device->name);
245
246 if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) {
247 auth2_challenge_stop(ssh);
248 return 0;
249 }
250 if (send_userauth_info_request(ssh) == 0) {
251 auth2_challenge_stop(ssh);
252 return 0;
253 }
254 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_INFO_RESPONSE,
255 &input_userauth_info_response);
256
257 authctxt->postponed = 1;
258 return 0;
259 }
260
261 static int
send_userauth_info_request(struct ssh * ssh)262 send_userauth_info_request(struct ssh *ssh)
263 {
264 Authctxt *authctxt = ssh->authctxt;
265 KbdintAuthctxt *kbdintctxt;
266 char *name, *instr, **prompts;
267 int r;
268 u_int i, *echo_on;
269
270 kbdintctxt = authctxt->kbdintctxt;
271 if (kbdintctxt->device->query(kbdintctxt->ctxt,
272 &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
273 return 0;
274
275 if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_INFO_REQUEST)) != 0 ||
276 (r = sshpkt_put_cstring(ssh, name)) != 0 ||
277 (r = sshpkt_put_cstring(ssh, instr)) != 0 ||
278 (r = sshpkt_put_cstring(ssh, "")) != 0 || /* language not used */
279 (r = sshpkt_put_u32(ssh, kbdintctxt->nreq)) != 0)
280 fatal_fr(r, "start packet");
281 for (i = 0; i < kbdintctxt->nreq; i++) {
282 if ((r = sshpkt_put_cstring(ssh, prompts[i])) != 0 ||
283 (r = sshpkt_put_u8(ssh, echo_on[i])) != 0)
284 fatal_fr(r, "assemble packet");
285 }
286 if ((r = sshpkt_send(ssh)) != 0 ||
287 (r = ssh_packet_write_wait(ssh)) < 0)
288 fatal_fr(r, "send packet");
289
290 for (i = 0; i < kbdintctxt->nreq; i++)
291 free(prompts[i]);
292 free(prompts);
293 free(echo_on);
294 free(name);
295 free(instr);
296 return 1;
297 }
298
299 static int
input_userauth_info_response(int type,u_int32_t seq,struct ssh * ssh)300 input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
301 {
302 Authctxt *authctxt = ssh->authctxt;
303 KbdintAuthctxt *kbdintctxt;
304 int authenticated = 0, res;
305 int r;
306 u_int i, nresp;
307 const char *devicename = NULL;
308 char **response = NULL;
309
310 if (authctxt == NULL)
311 fatal_f("no authctxt");
312 kbdintctxt = authctxt->kbdintctxt;
313 if (kbdintctxt == NULL || kbdintctxt->ctxt == NULL)
314 fatal_f("no kbdintctxt");
315 if (kbdintctxt->device == NULL)
316 fatal_f("no device");
317
318 authctxt->postponed = 0; /* reset */
319 if ((r = sshpkt_get_u32(ssh, &nresp)) != 0)
320 fatal_fr(r, "parse packet");
321 if (nresp != kbdintctxt->nreq)
322 fatal_f("wrong number of replies");
323 if (nresp > 100)
324 fatal_f("too many replies");
325 if (nresp > 0) {
326 response = xcalloc(nresp, sizeof(char *));
327 for (i = 0; i < nresp; i++) {
328 if ((r = sshpkt_get_cstring(ssh, &response[i], NULL)) != 0)
329 fatal_fr(r, "parse response");
330 }
331 }
332 if ((r = sshpkt_get_end(ssh)) != 0)
333 fatal_fr(r, "parse packet");
334
335 res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
336
337 for (i = 0; i < nresp; i++) {
338 explicit_bzero(response[i], strlen(response[i]));
339 free(response[i]);
340 }
341 free(response);
342
343 switch (res) {
344 case 0:
345 /* Success! */
346 authenticated = authctxt->valid ? 1 : 0;
347 break;
348 case 1:
349 /* Authentication needs further interaction */
350 if (send_userauth_info_request(ssh) == 1)
351 authctxt->postponed = 1;
352 break;
353 default:
354 /* Failure! */
355 break;
356 }
357 devicename = kbdintctxt->device->name;
358 if (!authctxt->postponed) {
359 if (authenticated) {
360 auth2_challenge_stop(ssh);
361 } else {
362 /* start next device */
363 /* may set authctxt->postponed */
364 auth2_challenge_start(ssh);
365 }
366 }
367 userauth_finish(ssh, authenticated, "keyboard-interactive",
368 devicename);
369 return 0;
370 }
371
372 void
privsep_challenge_enable(void)373 privsep_challenge_enable(void)
374 {
375 #if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
376 int n = 0;
377 #endif
378 #ifdef BSD_AUTH
379 extern KbdintDevice mm_bsdauth_device;
380 #endif
381 #ifdef USE_PAM
382 extern KbdintDevice mm_sshpam_device;
383 #endif
384 #ifdef SKEY
385 extern KbdintDevice mm_skey_device;
386 #endif
387 /* As long as SSHv1 has devices[0] hard coded this is fine */
388 #ifdef BSD_AUTH
389 devices[n++] = &mm_bsdauth_device;
390 #endif
391 #ifdef USE_PAM
392 devices[n++] = &mm_sshpam_device;
393 #endif
394 #ifdef SKEY
395 devices[n++] = &mm_skey_device;
396 #endif
397 }
398