1/* $OpenBSD: auth2-chall.c,v 1.36 2012/12/03 00:14:06 djm Exp $ */
2/*
3 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
4 * Copyright (c) 2001 Per Allansson.  All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include "includes.h"
28
29#include <sys/types.h>
30
31#include <stdarg.h>
32#include <stdio.h>
33#include <string.h>
34
35#include "xmalloc.h"
36#include "ssh2.h"
37#include "key.h"
38#include "hostfile.h"
39#include "auth.h"
40#include "buffer.h"
41#include "packet.h"
42#include "dispatch.h"
43#include "log.h"
44#include "servconf.h"
45
46/* import */
47extern ServerOptions options;
48
49static int auth2_challenge_start(Authctxt *);
50static int send_userauth_info_request(Authctxt *);
51static void input_userauth_info_response(int, u_int32_t, void *);
52
53#ifdef BSD_AUTH
54extern KbdintDevice bsdauth_device;
55#else
56#ifdef USE_PAM
57extern KbdintDevice sshpam_device;
58#endif
59#ifdef SKEY
60extern KbdintDevice skey_device;
61#endif
62#endif
63
64KbdintDevice *devices[] = {
65#ifdef BSD_AUTH
66	&bsdauth_device,
67#else
68#ifdef USE_PAM
69	&sshpam_device,
70#endif
71#ifdef SKEY
72	&skey_device,
73#endif
74#endif
75	NULL
76};
77
78typedef struct KbdintAuthctxt KbdintAuthctxt;
79struct KbdintAuthctxt
80{
81	char *devices;
82	void *ctxt;
83	KbdintDevice *device;
84	u_int nreq;
85};
86
87#ifdef USE_PAM
88void
89remove_kbdint_device(const char *devname)
90{
91	int i, j;
92
93	for (i = 0; devices[i] != NULL; i++)
94		if (strcmp(devices[i]->name, devname) == 0) {
95			for (j = i; devices[j] != NULL; j++)
96				devices[j] = devices[j+1];
97			i--;
98		}
99}
100#endif
101
102static KbdintAuthctxt *
103kbdint_alloc(const char *devs)
104{
105	KbdintAuthctxt *kbdintctxt;
106	Buffer b;
107	int i;
108
109#ifdef USE_PAM
110	if (!options.use_pam)
111		remove_kbdint_device("pam");
112#endif
113
114	kbdintctxt = xmalloc(sizeof(KbdintAuthctxt));
115	if (strcmp(devs, "") == 0) {
116		buffer_init(&b);
117		for (i = 0; devices[i]; i++) {
118			if (buffer_len(&b) > 0)
119				buffer_append(&b, ",", 1);
120			buffer_append(&b, devices[i]->name,
121			    strlen(devices[i]->name));
122		}
123		buffer_append(&b, "\0", 1);
124		kbdintctxt->devices = xstrdup(buffer_ptr(&b));
125		buffer_free(&b);
126	} else {
127		kbdintctxt->devices = xstrdup(devs);
128	}
129	debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
130	kbdintctxt->ctxt = NULL;
131	kbdintctxt->device = NULL;
132	kbdintctxt->nreq = 0;
133
134	return kbdintctxt;
135}
136static void
137kbdint_reset_device(KbdintAuthctxt *kbdintctxt)
138{
139	if (kbdintctxt->ctxt) {
140		kbdintctxt->device->free_ctx(kbdintctxt->ctxt);
141		kbdintctxt->ctxt = NULL;
142	}
143	kbdintctxt->device = NULL;
144}
145static void
146kbdint_free(KbdintAuthctxt *kbdintctxt)
147{
148	if (kbdintctxt->device)
149		kbdint_reset_device(kbdintctxt);
150	if (kbdintctxt->devices) {
151		xfree(kbdintctxt->devices);
152		kbdintctxt->devices = NULL;
153	}
154	xfree(kbdintctxt);
155}
156/* get next device */
157static int
158kbdint_next_device(KbdintAuthctxt *kbdintctxt)
159{
160	size_t len;
161	char *t;
162	int i;
163
164	if (kbdintctxt->device)
165		kbdint_reset_device(kbdintctxt);
166	do {
167		len = kbdintctxt->devices ?
168		    strcspn(kbdintctxt->devices, ",") : 0;
169
170		if (len == 0)
171			break;
172		for (i = 0; devices[i]; i++)
173			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
174				kbdintctxt->device = devices[i];
175		t = kbdintctxt->devices;
176		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
177		xfree(t);
178		debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
179		    kbdintctxt->devices : "<empty>");
180	} while (kbdintctxt->devices && !kbdintctxt->device);
181
182	return kbdintctxt->device ? 1 : 0;
183}
184
185/*
186 * try challenge-response, set authctxt->postponed if we have to
187 * wait for the response.
188 */
189int
190auth2_challenge(Authctxt *authctxt, char *devs)
191{
192	debug("auth2_challenge: user=%s devs=%s",
193	    authctxt->user ? authctxt->user : "<nouser>",
194	    devs ? devs : "<no devs>");
195
196	if (authctxt->user == NULL || !devs)
197		return 0;
198	if (authctxt->kbdintctxt == NULL)
199		authctxt->kbdintctxt = kbdint_alloc(devs);
200	return auth2_challenge_start(authctxt);
201}
202
203/* unregister kbd-int callbacks and context */
204void
205auth2_challenge_stop(Authctxt *authctxt)
206{
207	/* unregister callback */
208	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
209	if (authctxt->kbdintctxt != NULL) {
210		kbdint_free(authctxt->kbdintctxt);
211		authctxt->kbdintctxt = NULL;
212	}
213}
214
215/* side effect: sets authctxt->postponed if a reply was sent*/
216static int
217auth2_challenge_start(Authctxt *authctxt)
218{
219	KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt;
220
221	debug2("auth2_challenge_start: devices %s",
222	    kbdintctxt->devices ?  kbdintctxt->devices : "<empty>");
223
224	if (kbdint_next_device(kbdintctxt) == 0) {
225		auth2_challenge_stop(authctxt);
226		return 0;
227	}
228	debug("auth2_challenge_start: trying authentication method '%s'",
229	    kbdintctxt->device->name);
230
231	if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) {
232		auth2_challenge_stop(authctxt);
233		return 0;
234	}
235	if (send_userauth_info_request(authctxt) == 0) {
236		auth2_challenge_stop(authctxt);
237		return 0;
238	}
239	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
240	    &input_userauth_info_response);
241
242	authctxt->postponed = 1;
243	return 0;
244}
245
246static int
247send_userauth_info_request(Authctxt *authctxt)
248{
249	KbdintAuthctxt *kbdintctxt;
250	char *name, *instr, **prompts;
251	u_int i, *echo_on;
252
253	kbdintctxt = authctxt->kbdintctxt;
254	if (kbdintctxt->device->query(kbdintctxt->ctxt,
255	    &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
256		return 0;
257
258	packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
259	packet_put_cstring(name);
260	packet_put_cstring(instr);
261	packet_put_cstring("");		/* language not used */
262	packet_put_int(kbdintctxt->nreq);
263	for (i = 0; i < kbdintctxt->nreq; i++) {
264		packet_put_cstring(prompts[i]);
265		packet_put_char(echo_on[i]);
266	}
267	packet_send();
268	packet_write_wait();
269
270	for (i = 0; i < kbdintctxt->nreq; i++)
271		xfree(prompts[i]);
272	xfree(prompts);
273	xfree(echo_on);
274	xfree(name);
275	xfree(instr);
276	return 1;
277}
278
279static void
280input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
281{
282	Authctxt *authctxt = ctxt;
283	KbdintAuthctxt *kbdintctxt;
284	int authenticated = 0, res;
285	u_int i, nresp;
286	const char *devicename = NULL;
287	char **response = NULL;
288
289	if (authctxt == NULL)
290		fatal("input_userauth_info_response: no authctxt");
291	kbdintctxt = authctxt->kbdintctxt;
292	if (kbdintctxt == NULL || kbdintctxt->ctxt == NULL)
293		fatal("input_userauth_info_response: no kbdintctxt");
294	if (kbdintctxt->device == NULL)
295		fatal("input_userauth_info_response: no device");
296
297	authctxt->postponed = 0;	/* reset */
298	nresp = packet_get_int();
299	if (nresp != kbdintctxt->nreq)
300		fatal("input_userauth_info_response: wrong number of replies");
301	if (nresp > 100)
302		fatal("input_userauth_info_response: too many replies");
303	if (nresp > 0) {
304		response = xcalloc(nresp, sizeof(char *));
305		for (i = 0; i < nresp; i++)
306			response[i] = packet_get_string(NULL);
307	}
308	packet_check_eom();
309
310	res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
311
312	for (i = 0; i < nresp; i++) {
313		memset(response[i], 'r', strlen(response[i]));
314		xfree(response[i]);
315	}
316	if (response)
317		xfree(response);
318
319	switch (res) {
320	case 0:
321		/* Success! */
322		authenticated = authctxt->valid ? 1 : 0;
323		break;
324	case 1:
325		/* Authentication needs further interaction */
326		if (send_userauth_info_request(authctxt) == 1)
327			authctxt->postponed = 1;
328		break;
329	default:
330		/* Failure! */
331		break;
332	}
333	devicename = kbdintctxt->device->name;
334	if (!authctxt->postponed) {
335		if (authenticated) {
336			auth2_challenge_stop(authctxt);
337		} else {
338			/* start next device */
339			/* may set authctxt->postponed */
340			auth2_challenge_start(authctxt);
341		}
342	}
343	userauth_finish(authctxt, authenticated, "keyboard-interactive",
344	    devicename);
345}
346
347void
348privsep_challenge_enable(void)
349{
350#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
351	int n = 0;
352#endif
353#ifdef BSD_AUTH
354	extern KbdintDevice mm_bsdauth_device;
355#endif
356#ifdef USE_PAM
357	extern KbdintDevice mm_sshpam_device;
358#endif
359#ifdef SKEY
360	extern KbdintDevice mm_skey_device;
361#endif
362
363#ifdef BSD_AUTH
364	devices[n++] = &mm_bsdauth_device;
365#else
366#ifdef USE_PAM
367	devices[n++] = &mm_sshpam_device;
368#endif
369#ifdef SKEY
370	devices[n++] = &mm_skey_device;
371#endif
372#endif
373}
374