1 /* $OpenBSD: auth2-chall.c,v 1.44 2016/05/02 08:49:03 djm Exp $ */
3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2001 Per Allansson. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 #include <sys/types.h>
48 extern ServerOptions options
;
50 static int auth2_challenge_start(Authctxt
*);
51 static int send_userauth_info_request(Authctxt
*);
52 static int input_userauth_info_response(int, u_int32_t
, void *);
55 extern KbdintDevice bsdauth_device
;
58 extern KbdintDevice sshpam_device
;
61 extern KbdintDevice skey_device
;
65 KbdintDevice
*devices
[] = {
79 typedef struct KbdintAuthctxt KbdintAuthctxt
;
91 remove_kbdint_device(const char *devname
)
95 for (i
= 0; devices
[i
] != NULL
; i
++)
96 if (strcmp(devices
[i
]->name
, devname
) == 0) {
97 for (j
= i
; devices
[j
] != NULL
; j
++)
98 devices
[j
] = devices
[j
+1];
104 static KbdintAuthctxt
*
105 kbdint_alloc(const char *devs
)
107 KbdintAuthctxt
*kbdintctxt
;
112 if (!options
.use_pam
)
113 remove_kbdint_device("pam");
116 kbdintctxt
= xcalloc(1, sizeof(KbdintAuthctxt
));
117 if (strcmp(devs
, "") == 0) {
119 for (i
= 0; devices
[i
]; i
++) {
120 if (buffer_len(&b
) > 0)
121 buffer_append(&b
, ",", 1);
122 buffer_append(&b
, devices
[i
]->name
,
123 strlen(devices
[i
]->name
));
125 if ((kbdintctxt
->devices
= sshbuf_dup_string(&b
)) == NULL
)
126 fatal("%s: sshbuf_dup_string failed", __func__
);
129 kbdintctxt
->devices
= xstrdup(devs
);
131 debug("kbdint_alloc: devices '%s'", kbdintctxt
->devices
);
132 kbdintctxt
->ctxt
= NULL
;
133 kbdintctxt
->device
= NULL
;
134 kbdintctxt
->nreq
= 0;
139 kbdint_reset_device(KbdintAuthctxt
*kbdintctxt
)
141 if (kbdintctxt
->ctxt
) {
142 kbdintctxt
->device
->free_ctx(kbdintctxt
->ctxt
);
143 kbdintctxt
->ctxt
= NULL
;
145 kbdintctxt
->device
= NULL
;
148 kbdint_free(KbdintAuthctxt
*kbdintctxt
)
150 if (kbdintctxt
->device
)
151 kbdint_reset_device(kbdintctxt
);
152 free(kbdintctxt
->devices
);
153 explicit_bzero(kbdintctxt
, sizeof(*kbdintctxt
));
156 /* get next device */
158 kbdint_next_device(Authctxt
*authctxt
, KbdintAuthctxt
*kbdintctxt
)
164 if (kbdintctxt
->device
)
165 kbdint_reset_device(kbdintctxt
);
167 len
= kbdintctxt
->devices
?
168 strcspn(kbdintctxt
->devices
, ",") : 0;
172 for (i
= 0; devices
[i
]; i
++) {
173 if ((kbdintctxt
->devices_done
& (1 << i
)) != 0 ||
174 !auth2_method_allowed(authctxt
,
175 "keyboard-interactive", devices
[i
]->name
))
177 if (strncmp(kbdintctxt
->devices
, devices
[i
]->name
,
179 kbdintctxt
->device
= devices
[i
];
180 kbdintctxt
->devices_done
|= 1 << i
;
183 t
= kbdintctxt
->devices
;
184 kbdintctxt
->devices
= t
[len
] ? xstrdup(t
+len
+1) : NULL
;
186 debug2("kbdint_next_device: devices %s", kbdintctxt
->devices
?
187 kbdintctxt
->devices
: "<empty>");
188 } while (kbdintctxt
->devices
&& !kbdintctxt
->device
);
190 return kbdintctxt
->device
? 1 : 0;
194 * try challenge-response, set authctxt->postponed if we have to
195 * wait for the response.
198 auth2_challenge(Authctxt
*authctxt
, char *devs
)
200 debug("auth2_challenge: user=%s devs=%s",
201 authctxt
->user
? authctxt
->user
: "<nouser>",
202 devs
? devs
: "<no devs>");
204 if (authctxt
->user
== NULL
|| !devs
)
206 if (authctxt
->kbdintctxt
== NULL
)
207 authctxt
->kbdintctxt
= kbdint_alloc(devs
);
208 return auth2_challenge_start(authctxt
);
211 /* unregister kbd-int callbacks and context */
213 auth2_challenge_stop(Authctxt
*authctxt
)
215 /* unregister callback */
216 dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE
, NULL
);
217 if (authctxt
->kbdintctxt
!= NULL
) {
218 kbdint_free(authctxt
->kbdintctxt
);
219 authctxt
->kbdintctxt
= NULL
;
223 /* side effect: sets authctxt->postponed if a reply was sent*/
225 auth2_challenge_start(Authctxt
*authctxt
)
227 KbdintAuthctxt
*kbdintctxt
= authctxt
->kbdintctxt
;
229 debug2("auth2_challenge_start: devices %s",
230 kbdintctxt
->devices
? kbdintctxt
->devices
: "<empty>");
232 if (kbdint_next_device(authctxt
, kbdintctxt
) == 0) {
233 auth2_challenge_stop(authctxt
);
236 debug("auth2_challenge_start: trying authentication method '%s'",
237 kbdintctxt
->device
->name
);
239 if ((kbdintctxt
->ctxt
= kbdintctxt
->device
->init_ctx(authctxt
)) == NULL
) {
240 auth2_challenge_stop(authctxt
);
243 if (send_userauth_info_request(authctxt
) == 0) {
244 auth2_challenge_stop(authctxt
);
247 dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE
,
248 &input_userauth_info_response
);
250 authctxt
->postponed
= 1;
255 send_userauth_info_request(Authctxt
*authctxt
)
257 KbdintAuthctxt
*kbdintctxt
;
258 char *name
, *instr
, **prompts
;
261 kbdintctxt
= authctxt
->kbdintctxt
;
262 if (kbdintctxt
->device
->query(kbdintctxt
->ctxt
,
263 &name
, &instr
, &kbdintctxt
->nreq
, &prompts
, &echo_on
))
266 packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST
);
267 packet_put_cstring(name
);
268 packet_put_cstring(instr
);
269 packet_put_cstring(""); /* language not used */
270 packet_put_int(kbdintctxt
->nreq
);
271 for (i
= 0; i
< kbdintctxt
->nreq
; i
++) {
272 packet_put_cstring(prompts
[i
]);
273 packet_put_char(echo_on
[i
]);
278 for (i
= 0; i
< kbdintctxt
->nreq
; i
++)
288 input_userauth_info_response(int type
, u_int32_t seq
, void *ctxt
)
290 Authctxt
*authctxt
= ctxt
;
291 KbdintAuthctxt
*kbdintctxt
;
292 int authenticated
= 0, res
;
294 const char *devicename
= NULL
;
295 char **response
= NULL
;
297 if (authctxt
== NULL
)
298 fatal("input_userauth_info_response: no authctxt");
299 kbdintctxt
= authctxt
->kbdintctxt
;
300 if (kbdintctxt
== NULL
|| kbdintctxt
->ctxt
== NULL
)
301 fatal("input_userauth_info_response: no kbdintctxt");
302 if (kbdintctxt
->device
== NULL
)
303 fatal("input_userauth_info_response: no device");
305 authctxt
->postponed
= 0; /* reset */
306 nresp
= packet_get_int();
307 if (nresp
!= kbdintctxt
->nreq
)
308 fatal("input_userauth_info_response: wrong number of replies");
310 fatal("input_userauth_info_response: too many replies");
312 response
= xcalloc(nresp
, sizeof(char *));
313 for (i
= 0; i
< nresp
; i
++)
314 response
[i
] = packet_get_string(NULL
);
318 res
= kbdintctxt
->device
->respond(kbdintctxt
->ctxt
, nresp
, response
);
320 for (i
= 0; i
< nresp
; i
++) {
321 explicit_bzero(response
[i
], strlen(response
[i
]));
329 authenticated
= authctxt
->valid
? 1 : 0;
332 /* Authentication needs further interaction */
333 if (send_userauth_info_request(authctxt
) == 1)
334 authctxt
->postponed
= 1;
340 devicename
= kbdintctxt
->device
->name
;
341 if (!authctxt
->postponed
) {
343 auth2_challenge_stop(authctxt
);
345 /* start next device */
346 /* may set authctxt->postponed */
347 auth2_challenge_start(authctxt
);
350 userauth_finish(authctxt
, authenticated
, "keyboard-interactive",
356 privsep_challenge_enable(void)
358 #if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
362 extern KbdintDevice mm_bsdauth_device
;
365 extern KbdintDevice mm_sshpam_device
;
368 extern KbdintDevice mm_skey_device
;
372 devices
[n
++] = &mm_bsdauth_device
;
375 devices
[n
++] = &mm_sshpam_device
;
378 devices
[n
++] = &mm_skey_device
;