1 /* $OpenBSD: auth2-chall.c,v 1.54 2020/10/18 11:32:01 djm Exp $ */
2 /*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2001 Per Allansson. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27 #include <sys/types.h>
28
29 #include <stdlib.h>
30 #include <stdio.h>
31 #include <string.h>
32 #include <stdarg.h>
33
34 #include "xmalloc.h"
35 #include "ssh2.h"
36 #include "sshkey.h"
37 #include "hostfile.h"
38 #include "auth.h"
39 #include "sshbuf.h"
40 #include "packet.h"
41 #include "dispatch.h"
42 #include "ssherr.h"
43 #include "log.h"
44
45 static int auth2_challenge_start(struct ssh *);
46 static int send_userauth_info_request(struct ssh *);
47 static int input_userauth_info_response(int, u_int32_t, struct ssh *);
48
49 extern KbdintDevice bsdauth_device;
50
51 KbdintDevice *devices[] = {
52 &bsdauth_device,
53 NULL
54 };
55
56 typedef struct KbdintAuthctxt KbdintAuthctxt;
57 struct KbdintAuthctxt
58 {
59 char *devices;
60 void *ctxt;
61 KbdintDevice *device;
62 u_int nreq;
63 u_int devices_done;
64 };
65
66 static KbdintAuthctxt *
kbdint_alloc(const char * devs)67 kbdint_alloc(const char *devs)
68 {
69 KbdintAuthctxt *kbdintctxt;
70 struct sshbuf *b;
71 int i, r;
72
73 kbdintctxt = xcalloc(1, sizeof(KbdintAuthctxt));
74 if (strcmp(devs, "") == 0) {
75 if ((b = sshbuf_new()) == NULL)
76 fatal_f("sshbuf_new failed");
77 for (i = 0; devices[i]; i++) {
78 if ((r = sshbuf_putf(b, "%s%s",
79 sshbuf_len(b) ? "," : "", devices[i]->name)) != 0)
80 fatal_fr(r, "buffer error");
81 }
82 if ((kbdintctxt->devices = sshbuf_dup_string(b)) == NULL)
83 fatal_f("sshbuf_dup_string failed");
84 sshbuf_free(b);
85 } else {
86 kbdintctxt->devices = xstrdup(devs);
87 }
88 debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
89 kbdintctxt->ctxt = NULL;
90 kbdintctxt->device = NULL;
91 kbdintctxt->nreq = 0;
92
93 return kbdintctxt;
94 }
95 static void
kbdint_reset_device(KbdintAuthctxt * kbdintctxt)96 kbdint_reset_device(KbdintAuthctxt *kbdintctxt)
97 {
98 if (kbdintctxt->ctxt) {
99 kbdintctxt->device->free_ctx(kbdintctxt->ctxt);
100 kbdintctxt->ctxt = NULL;
101 }
102 kbdintctxt->device = NULL;
103 }
104 static void
kbdint_free(KbdintAuthctxt * kbdintctxt)105 kbdint_free(KbdintAuthctxt *kbdintctxt)
106 {
107 if (kbdintctxt->device)
108 kbdint_reset_device(kbdintctxt);
109 free(kbdintctxt->devices);
110 freezero(kbdintctxt, sizeof(*kbdintctxt));
111 }
112 /* get next device */
113 static int
kbdint_next_device(Authctxt * authctxt,KbdintAuthctxt * kbdintctxt)114 kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
115 {
116 size_t len;
117 char *t;
118 int i;
119
120 if (kbdintctxt->device)
121 kbdint_reset_device(kbdintctxt);
122 do {
123 len = kbdintctxt->devices ?
124 strcspn(kbdintctxt->devices, ",") : 0;
125
126 if (len == 0)
127 break;
128 for (i = 0; devices[i]; i++) {
129 if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
130 !auth2_method_allowed(authctxt,
131 "keyboard-interactive", devices[i]->name))
132 continue;
133 if (strncmp(kbdintctxt->devices, devices[i]->name,
134 len) == 0) {
135 kbdintctxt->device = devices[i];
136 kbdintctxt->devices_done |= 1 << i;
137 }
138 }
139 t = kbdintctxt->devices;
140 kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
141 free(t);
142 debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
143 kbdintctxt->devices : "<empty>");
144 } while (kbdintctxt->devices && !kbdintctxt->device);
145
146 return kbdintctxt->device ? 1 : 0;
147 }
148
149 /*
150 * try challenge-response, set authctxt->postponed if we have to
151 * wait for the response.
152 */
153 int
auth2_challenge(struct ssh * ssh,char * devs)154 auth2_challenge(struct ssh *ssh, char *devs)
155 {
156 Authctxt *authctxt = ssh->authctxt;
157 debug("auth2_challenge: user=%s devs=%s",
158 authctxt->user ? authctxt->user : "<nouser>",
159 devs ? devs : "<no devs>");
160
161 if (authctxt->user == NULL || !devs)
162 return 0;
163 if (authctxt->kbdintctxt == NULL)
164 authctxt->kbdintctxt = kbdint_alloc(devs);
165 return auth2_challenge_start(ssh);
166 }
167
168 /* unregister kbd-int callbacks and context */
169 void
auth2_challenge_stop(struct ssh * ssh)170 auth2_challenge_stop(struct ssh *ssh)
171 {
172 Authctxt *authctxt = ssh->authctxt;
173 /* unregister callback */
174 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
175 if (authctxt->kbdintctxt != NULL) {
176 kbdint_free(authctxt->kbdintctxt);
177 authctxt->kbdintctxt = NULL;
178 }
179 }
180
181 /* side effect: sets authctxt->postponed if a reply was sent*/
182 static int
auth2_challenge_start(struct ssh * ssh)183 auth2_challenge_start(struct ssh *ssh)
184 {
185 Authctxt *authctxt = ssh->authctxt;
186 KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt;
187
188 debug2("auth2_challenge_start: devices %s",
189 kbdintctxt->devices ? kbdintctxt->devices : "<empty>");
190
191 if (kbdint_next_device(authctxt, kbdintctxt) == 0) {
192 auth2_challenge_stop(ssh);
193 return 0;
194 }
195 debug("auth2_challenge_start: trying authentication method '%s'",
196 kbdintctxt->device->name);
197
198 if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) {
199 auth2_challenge_stop(ssh);
200 return 0;
201 }
202 if (send_userauth_info_request(ssh) == 0) {
203 auth2_challenge_stop(ssh);
204 return 0;
205 }
206 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_INFO_RESPONSE,
207 &input_userauth_info_response);
208
209 authctxt->postponed = 1;
210 return 0;
211 }
212
213 static int
send_userauth_info_request(struct ssh * ssh)214 send_userauth_info_request(struct ssh *ssh)
215 {
216 Authctxt *authctxt = ssh->authctxt;
217 KbdintAuthctxt *kbdintctxt;
218 char *name, *instr, **prompts;
219 u_int r, i, *echo_on;
220
221 kbdintctxt = authctxt->kbdintctxt;
222 if (kbdintctxt->device->query(kbdintctxt->ctxt,
223 &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
224 return 0;
225
226 if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_INFO_REQUEST)) != 0 ||
227 (r = sshpkt_put_cstring(ssh, name)) != 0 ||
228 (r = sshpkt_put_cstring(ssh, instr)) != 0 ||
229 (r = sshpkt_put_cstring(ssh, "")) != 0 || /* language not used */
230 (r = sshpkt_put_u32(ssh, kbdintctxt->nreq)) != 0)
231 fatal_fr(r, "start packet");
232 for (i = 0; i < kbdintctxt->nreq; i++) {
233 if ((r = sshpkt_put_cstring(ssh, prompts[i])) != 0 ||
234 (r = sshpkt_put_u8(ssh, echo_on[i])) != 0)
235 fatal_fr(r, "assemble packet");
236 }
237 if ((r = sshpkt_send(ssh)) != 0 ||
238 (r = ssh_packet_write_wait(ssh)) != 0)
239 fatal_fr(r, "send packet");
240
241 for (i = 0; i < kbdintctxt->nreq; i++)
242 free(prompts[i]);
243 free(prompts);
244 free(echo_on);
245 free(name);
246 free(instr);
247 return 1;
248 }
249
250 static int
input_userauth_info_response(int type,u_int32_t seq,struct ssh * ssh)251 input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
252 {
253 Authctxt *authctxt = ssh->authctxt;
254 KbdintAuthctxt *kbdintctxt;
255 int authenticated = 0, res;
256 int r;
257 u_int i, nresp;
258 const char *devicename = NULL;
259 char **response = NULL;
260
261 if (authctxt == NULL)
262 fatal_f("no authctxt");
263 kbdintctxt = authctxt->kbdintctxt;
264 if (kbdintctxt == NULL || kbdintctxt->ctxt == NULL)
265 fatal_f("no kbdintctxt");
266 if (kbdintctxt->device == NULL)
267 fatal_f("no device");
268
269 authctxt->postponed = 0; /* reset */
270 if ((r = sshpkt_get_u32(ssh, &nresp)) != 0)
271 fatal_fr(r, "parse packet");
272 if (nresp != kbdintctxt->nreq)
273 fatal_f("wrong number of replies");
274 if (nresp > 100)
275 fatal_f("too many replies");
276 if (nresp > 0) {
277 response = xcalloc(nresp, sizeof(char *));
278 for (i = 0; i < nresp; i++) {
279 if ((r = sshpkt_get_cstring(ssh, &response[i], NULL)) != 0)
280 fatal_fr(r, "parse response");
281 }
282 }
283 if ((r = sshpkt_get_end(ssh)) != 0)
284 fatal_fr(r, "parse packet");
285
286 res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
287
288 for (i = 0; i < nresp; i++) {
289 explicit_bzero(response[i], strlen(response[i]));
290 free(response[i]);
291 }
292 free(response);
293
294 switch (res) {
295 case 0:
296 /* Success! */
297 authenticated = authctxt->valid ? 1 : 0;
298 break;
299 case 1:
300 /* Authentication needs further interaction */
301 if (send_userauth_info_request(ssh) == 1)
302 authctxt->postponed = 1;
303 break;
304 default:
305 /* Failure! */
306 break;
307 }
308 devicename = kbdintctxt->device->name;
309 if (!authctxt->postponed) {
310 if (authenticated) {
311 auth2_challenge_stop(ssh);
312 } else {
313 /* start next device */
314 /* may set authctxt->postponed */
315 auth2_challenge_start(ssh);
316 }
317 }
318 userauth_finish(ssh, authenticated, "keyboard-interactive",
319 devicename);
320 return 0;
321 }
322
323 void
privsep_challenge_enable(void)324 privsep_challenge_enable(void)
325 {
326 extern KbdintDevice mm_bsdauth_device;
327 devices[0] = &mm_bsdauth_device;
328 }
329