openssh/auth2-chall.c

332 lines
8.2 KiB
C
Raw Normal View History

/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2001 Per Allansson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$OpenBSD: auth2-chall.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $");
#include "ssh2.h"
#include "auth.h"
#include "buffer.h"
#include "packet.h"
#include "xmalloc.h"
#include "dispatch.h"
#include "auth.h"
Hopefully things did not get mixed around too much. It compiles under Linux and works. So that is at least a good sign. =) 20010122 - (bal) OpenBSD Resync - markus@cvs.openbsd.org 2001/01/19 12:45:26 GMT 2001 by markus [servconf.c ssh.h sshd.c] only auth-chall.c needs #ifdef SKEY - markus@cvs.openbsd.org 2001/01/19 15:55:10 GMT 2001 by markus [auth-krb4.c auth-options.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth1.c auth2.c channels.c clientloop.c dh.c dispatch.c nchan.c packet.c pathname.h readconf.c scp.c servconf.c serverloop.c session.c ssh-add.c ssh-keygen.c ssh-keyscan.c ssh.c ssh.h ssh1.h sshconnect1.c sshd.c ttymodes.c] move ssh1 definitions to ssh1.h, pathnames to pathnames.h - markus@cvs.openbsd.org 2001/01/19 16:48:14 [sshd.8] fix typo; from stevesk@ - markus@cvs.openbsd.org 2001/01/19 16:50:58 [ssh-dss.c] clear and free digest, make consistent with other code (use dlen); from stevesk@ - markus@cvs.openbsd.org 2001/01/20 15:55:20 GMT 2001 by markus [auth-options.c auth-options.h auth-rsa.c auth2.c] pass the filename to auth_parse_options() - markus@cvs.openbsd.org 2001/01/20 17:59:40 GMT 2001 [readconf.c] fix SIGSEGV from -o ""; problem noted by jehsom@togetherweb.com - stevesk@cvs.openbsd.org 2001/01/20 18:20:29 [sshconnect2.c] dh_new_group() does not return NULL. ok markus@ - markus@cvs.openbsd.org 2001/01/20 21:33:42 [ssh-add.c] do not loop forever if askpass does not exist; from andrew@pimlott.ne.mediaone.net - djm@cvs.openbsd.org 2001/01/20 23:00:56 [servconf.c] Check for NULL return from strdelim; ok markus - djm@cvs.openbsd.org 2001/01/20 23:02:07 [readconf.c] KNF; ok markus - jakob@cvs.openbsd.org 2001/01/21 9:00:33 [ssh-keygen.1] remove -R flag; ok markus@ - markus@cvs.openbsd.org 2001/01/21 19:05:40 [atomicio.c automicio.h auth-chall.c auth-krb4.c auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c auth2-chall.c auth2.c authfd.c authfile.c bufaux.c bufaux.h buffer.c canahost.c canahost.h channels.c cipher.c cli.c clientloop.c clientloop.h compat.c compress.c deattack.c dh.c dispatch.c groupaccess.c hmac.c hostfile.c kex.c key.c key.h log-client.c log-server.c log.c log.h login.c login.h match.c misc.c misc.h nchan.c packet.c pty.c radix.h readconf.c readpass.c readpass.h rsa.c scp.c servconf.c serverloop.c serverloop.h session.c sftp-server.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-rsa.c ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c sshd.c tildexpand.c tildexpand.h ttysmodes.c uidswap.c xmalloc.c] split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch] - (bal) renamed 'PIDDIR' to '_PATH_SSH_PIDDIR' to match OpenBSD tree - (bal) Moved #ifdef KRB4 in auth-krb4.c above the #include to resolve conflict when compiling for non-kerb install - (bal) removed the #ifdef SKEY in auth1.c to match Markus' changes on 1/19.
2001-01-22 05:34:40 +00:00
#include "log.h"
static int auth2_challenge_start(Authctxt *);
static int send_userauth_info_request(Authctxt *);
static void input_userauth_info_response(int, u_int32_t, void *);
#ifdef BSD_AUTH
extern KbdintDevice bsdauth_device;
#else
#ifdef SKEY
extern KbdintDevice skey_device;
#endif
#endif
KbdintDevice *devices[] = {
#ifdef BSD_AUTH
&bsdauth_device,
#else
#ifdef SKEY
&skey_device,
#endif
#endif
NULL
};
typedef struct KbdintAuthctxt KbdintAuthctxt;
struct KbdintAuthctxt
{
char *devices;
void *ctxt;
KbdintDevice *device;
};
static KbdintAuthctxt *
kbdint_alloc(const char *devs)
{
KbdintAuthctxt *kbdintctxt;
Buffer b;
int i;
kbdintctxt = xmalloc(sizeof(KbdintAuthctxt));
if (strcmp(devs, "") == 0) {
buffer_init(&b);
for (i = 0; devices[i]; i++) {
if (buffer_len(&b) > 0)
buffer_append(&b, ",", 1);
buffer_append(&b, devices[i]->name,
strlen(devices[i]->name));
}
buffer_append(&b, "\0", 1);
kbdintctxt->devices = xstrdup(buffer_ptr(&b));
buffer_free(&b);
} else {
kbdintctxt->devices = xstrdup(devs);
}
debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
kbdintctxt->ctxt = NULL;
kbdintctxt->device = NULL;
return kbdintctxt;
}
static void
kbdint_reset_device(KbdintAuthctxt *kbdintctxt)
{
if (kbdintctxt->ctxt) {
kbdintctxt->device->free_ctx(kbdintctxt->ctxt);
kbdintctxt->ctxt = NULL;
}
kbdintctxt->device = NULL;
}
static void
kbdint_free(KbdintAuthctxt *kbdintctxt)
{
if (kbdintctxt->device)
kbdint_reset_device(kbdintctxt);
if (kbdintctxt->devices) {
xfree(kbdintctxt->devices);
kbdintctxt->devices = NULL;
}
xfree(kbdintctxt);
}
/* get next device */
static int
kbdint_next_device(KbdintAuthctxt *kbdintctxt)
{
size_t len;
char *t;
int i;
if (kbdintctxt->device)
kbdint_reset_device(kbdintctxt);
do {
len = kbdintctxt->devices ?
strcspn(kbdintctxt->devices, ",") : 0;
if (len == 0)
break;
for (i = 0; devices[i]; i++)
if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
kbdintctxt->device = devices[i];
t = kbdintctxt->devices;
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
xfree(t);
debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
kbdintctxt->devices : "<empty>");
} while (kbdintctxt->devices && !kbdintctxt->device);
return kbdintctxt->device ? 1 : 0;
}
/*
* try challenge-response, set authctxt->postponed if we have to
* wait for the response.
*/
int
auth2_challenge(Authctxt *authctxt, char *devs)
{
debug("auth2_challenge: user=%s devs=%s",
authctxt->user ? authctxt->user : "<nouser>",
devs ? devs : "<no devs>");
if (authctxt->user == NULL || !devs)
return 0;
if (authctxt->kbdintctxt == NULL)
authctxt->kbdintctxt = kbdint_alloc(devs);
return auth2_challenge_start(authctxt);
}
/* unregister kbd-int callbacks and context */
void
auth2_challenge_stop(Authctxt *authctxt)
{
/* unregister callback */
dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
if (authctxt->kbdintctxt != NULL) {
kbdint_free(authctxt->kbdintctxt);
authctxt->kbdintctxt = NULL;
}
}
/* side effect: sets authctxt->postponed if a reply was sent*/
static int
auth2_challenge_start(Authctxt *authctxt)
{
KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt;
debug2("auth2_challenge_start: devices %s",
kbdintctxt->devices ? kbdintctxt->devices : "<empty>");
if (kbdint_next_device(kbdintctxt) == 0) {
auth2_challenge_stop(authctxt);
return 0;
}
debug("auth2_challenge_start: trying authentication method '%s'",
kbdintctxt->device->name);
if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) {
auth2_challenge_stop(authctxt);
return 0;
}
if (send_userauth_info_request(authctxt) == 0) {
auth2_challenge_stop(authctxt);
return 0;
}
dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
&input_userauth_info_response);
authctxt->postponed = 1;
return 0;
}
static int
send_userauth_info_request(Authctxt *authctxt)
{
KbdintAuthctxt *kbdintctxt;
char *name, *instr, **prompts;
int i;
u_int numprompts, *echo_on;
kbdintctxt = authctxt->kbdintctxt;
if (kbdintctxt->device->query(kbdintctxt->ctxt,
&name, &instr, &numprompts, &prompts, &echo_on))
return 0;
packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
packet_put_cstring(name);
packet_put_cstring(instr);
packet_put_cstring(""); /* language not used */
packet_put_int(numprompts);
for (i = 0; i < numprompts; i++) {
packet_put_cstring(prompts[i]);
packet_put_char(echo_on[i]);
}
packet_send();
packet_write_wait();
for (i = 0; i < numprompts; i++)
xfree(prompts[i]);
xfree(prompts);
xfree(echo_on);
xfree(name);
xfree(instr);
return 1;
}
static void
input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
{
Authctxt *authctxt = ctxt;
KbdintAuthctxt *kbdintctxt;
int i, authenticated = 0, res, len;
u_int nresp;
char **response = NULL, *method;
if (authctxt == NULL)
fatal("input_userauth_info_response: no authctxt");
kbdintctxt = authctxt->kbdintctxt;
if (kbdintctxt == NULL || kbdintctxt->ctxt == NULL)
fatal("input_userauth_info_response: no kbdintctxt");
if (kbdintctxt->device == NULL)
fatal("input_userauth_info_response: no device");
authctxt->postponed = 0; /* reset */
nresp = packet_get_int();
if (nresp > 0) {
response = xmalloc(nresp * sizeof(char*));
for (i = 0; i < nresp; i++)
response[i] = packet_get_string(NULL);
}
packet_check_eom();
if (authctxt->valid) {
res = kbdintctxt->device->respond(kbdintctxt->ctxt,
nresp, response);
} else {
res = -1;
}
for (i = 0; i < nresp; i++) {
memset(response[i], 'r', strlen(response[i]));
xfree(response[i]);
}
if (response)
xfree(response);
switch (res) {
case 0:
/* Success! */
authenticated = 1;
break;
case 1:
/* Authentication needs further interaction */
if (send_userauth_info_request(authctxt) == 1)
authctxt->postponed = 1;
break;
default:
/* Failure! */
break;
}
len = strlen("keyboard-interactive") + 2 +
strlen(kbdintctxt->device->name);
method = xmalloc(len);
snprintf(method, len, "keyboard-interactive/%s",
kbdintctxt->device->name);
if (!authctxt->postponed) {
if (authenticated) {
auth2_challenge_stop(authctxt);
} else {
/* start next device */
/* may set authctxt->postponed */
auth2_challenge_start(authctxt);
}
}
userauth_finish(authctxt, authenticated, method);
xfree(method);
}
void
privsep_challenge_enable(void)
{
#ifdef BSD_AUTH
extern KbdintDevice mm_bsdauth_device;
#endif
#ifdef SKEY
extern KbdintDevice mm_skey_device;
#endif
/* As long as SSHv1 has devices[0] hard coded this is fine */
#ifdef BSD_AUTH
devices[0] = &mm_bsdauth_device;
#else
#ifdef SKEY
devices[0] = &mm_skey_device;
#endif
#endif
}