1255767Sdes/* $OpenBSD: auth-chall.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */ 276259Sgreen/* 376259Sgreen * Copyright (c) 2001 Markus Friedl. All rights reserved. 476259Sgreen * 576259Sgreen * Redistribution and use in source and binary forms, with or without 676259Sgreen * modification, are permitted provided that the following conditions 776259Sgreen * are met: 876259Sgreen * 1. Redistributions of source code must retain the above copyright 976259Sgreen * notice, this list of conditions and the following disclaimer. 1076259Sgreen * 2. Redistributions in binary form must reproduce the above copyright 1176259Sgreen * notice, this list of conditions and the following disclaimer in the 1276259Sgreen * documentation and/or other materials provided with the distribution. 1376259Sgreen * 1476259Sgreen * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 1576259Sgreen * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 1676259Sgreen * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 1776259Sgreen * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 1876259Sgreen * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 1976259Sgreen * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 2076259Sgreen * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 2176259Sgreen * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 2276259Sgreen * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 2376259Sgreen * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 2476259Sgreen */ 2576259Sgreen 2676259Sgreen#include "includes.h" 2776259Sgreen 28162856Sdes#include <sys/types.h> 29162856Sdes 30162856Sdes#include <stdarg.h> 31162856Sdes 32162856Sdes#include "xmalloc.h" 33162856Sdes#include "key.h" 34162856Sdes#include "hostfile.h" 3576259Sgreen#include "auth.h" 3676259Sgreen#include "log.h" 37147005Sdes#include "servconf.h" 3876259Sgreen 3992559Sdes/* limited protocol v1 interface to kbd-interactive authentication */ 4092559Sdes 4192559Sdesextern KbdintDevice *devices[]; 4292559Sdesstatic KbdintDevice *device; 43147005Sdesextern ServerOptions options; 4492559Sdes 4576259Sgreenchar * 4692559Sdesget_challenge(Authctxt *authctxt) 4776259Sgreen{ 4892559Sdes char *challenge, *name, *info, **prompts; 4992559Sdes u_int i, numprompts; 5092559Sdes u_int *echo_on; 5176259Sgreen 52147005Sdes#ifdef USE_PAM 53147005Sdes if (!options.use_pam) 54147005Sdes remove_kbdint_device("pam"); 55147005Sdes#endif 56147005Sdes 5792559Sdes device = devices[0]; /* we always use the 1st device for protocol 1 */ 5892559Sdes if (device == NULL) 5992559Sdes return NULL; 6092559Sdes if ((authctxt->kbdintctxt = device->init_ctx(authctxt)) == NULL) 6192559Sdes return NULL; 6292559Sdes if (device->query(authctxt->kbdintctxt, &name, &info, 6392559Sdes &numprompts, &prompts, &echo_on)) { 6492559Sdes device->free_ctx(authctxt->kbdintctxt); 6592559Sdes authctxt->kbdintctxt = NULL; 6692559Sdes return NULL; 6776259Sgreen } 6892559Sdes if (numprompts < 1) 6992559Sdes fatal("get_challenge: numprompts < 1"); 7092559Sdes challenge = xstrdup(prompts[0]); 7192559Sdes for (i = 0; i < numprompts; i++) 72255767Sdes free(prompts[i]); 73255767Sdes free(prompts); 74255767Sdes free(name); 75255767Sdes free(echo_on); 76255767Sdes free(info); 7792559Sdes 7892559Sdes return (challenge); 7976259Sgreen} 8076259Sgreenint 8192559Sdesverify_response(Authctxt *authctxt, const char *response) 8276259Sgreen{ 83126277Sdes char *resp[1], *name, *info, **prompts; 84126277Sdes u_int i, numprompts, *echo_on; 85126277Sdes int authenticated = 0; 8676259Sgreen 8792559Sdes if (device == NULL) 8892559Sdes return 0; 8992559Sdes if (authctxt->kbdintctxt == NULL) 9092559Sdes return 0; 9192559Sdes resp[0] = (char *)response; 92126277Sdes switch (device->respond(authctxt->kbdintctxt, 1, resp)) { 93126277Sdes case 0: /* Success */ 94126277Sdes authenticated = 1; 95126277Sdes break; 96126277Sdes case 1: /* Postponed - retry with empty query for PAM */ 97126277Sdes if ((device->query(authctxt->kbdintctxt, &name, &info, 98126277Sdes &numprompts, &prompts, &echo_on)) != 0) 99126277Sdes break; 100126277Sdes if (numprompts == 0 && 101126277Sdes device->respond(authctxt->kbdintctxt, 0, resp) == 0) 102126277Sdes authenticated = 1; 103110138Sdes 104126277Sdes for (i = 0; i < numprompts; i++) 105255767Sdes free(prompts[i]); 106255767Sdes free(prompts); 107255767Sdes free(name); 108255767Sdes free(echo_on); 109255767Sdes free(info); 110126277Sdes break; 111110138Sdes } 11292559Sdes device->free_ctx(authctxt->kbdintctxt); 11392559Sdes authctxt->kbdintctxt = NULL; 114126277Sdes return authenticated; 11576259Sgreen} 116112870Sdesvoid 117112870Sdesabandon_challenge_response(Authctxt *authctxt) 118112870Sdes{ 119112870Sdes if (authctxt->kbdintctxt != NULL) { 120112870Sdes device->free_ctx(authctxt->kbdintctxt); 121112870Sdes authctxt->kbdintctxt = NULL; 122112870Sdes } 123112870Sdes} 124