From 3e8f41e6ac9b4c39c667067e4bad8160095743f9 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Nov 2003 21:09:50 +1100 Subject: [PATCH] - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2003/11/03 09:03:37 [auth-chall.c] make this a little more idiot-proof; ok markus@ (includes portable-specific changes) --- ChangeLog | 10 +++++++++- auth-chall.c | 44 +++++++++++++++++++++++--------------------- 2 files changed, 32 insertions(+), 22 deletions(-) diff --git a/ChangeLog b/ChangeLog index ae096d4a9..ad94d39ff 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +20031117 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/11/03 09:03:37 + [auth-chall.c] + make this a little more idiot-proof; ok markus@ + (includes portable-specific changes) + + 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and HP-UX, skip test on AIX. @@ -1417,4 +1425,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3097 2003/11/15 01:13:16 dtucker Exp $ +$Id: ChangeLog,v 1.3098 2003/11/17 10:09:50 djm Exp $ diff --git a/auth-chall.c b/auth-chall.c index 00d6e0ec5..dd55d6eb0 100644 --- a/auth-chall.c +++ b/auth-chall.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-chall.c,v 1.8 2001/05/18 14:13:28 markus Exp $"); +RCSID("$OpenBSD: auth-chall.c,v 1.9 2003/11/03 09:03:37 djm Exp $"); #include "auth.h" #include "log.h" @@ -67,36 +67,38 @@ get_challenge(Authctxt *authctxt) int verify_response(Authctxt *authctxt, const char *response) { - char *resp[1]; - int res; + char *resp[1], *name, *info, **prompts; + u_int i, numprompts, *echo_on; + int authenticated = 0; if (device == NULL) return 0; if (authctxt->kbdintctxt == NULL) return 0; resp[0] = (char *)response; - res = device->respond(authctxt->kbdintctxt, 1, resp); - if (res == 1) { - /* postponed - send a null query just in case */ - char *name, *info, **prompts; - u_int i, numprompts, *echo_on; + switch (device->respond(authctxt->kbdintctxt, 1, resp)) { + case 0: /* Success */ + authenticated = 1; + break; + case 1: /* Postponed - retry with empty query for PAM */ + if ((device->query(authctxt->kbdintctxt, &name, &info, + &numprompts, &prompts, &echo_on)) != 0) + break; + if (numprompts == 0 && + device->respond(authctxt->kbdintctxt, 0, resp) == 0) + authenticated = 1; - res = device->query(authctxt->kbdintctxt, &name, &info, - &numprompts, &prompts, &echo_on); - if (res == 0) { - for (i = 0; i < numprompts; i++) - xfree(prompts[i]); - xfree(prompts); - xfree(name); - xfree(echo_on); - xfree(info); - } - /* if we received more prompts, we're screwed */ - res = (res == 0 && numprompts == 0) ? 0 : -1; + for (i = 0; i < numprompts; i++) + xfree(prompts[i]); + xfree(prompts); + xfree(name); + xfree(echo_on); + xfree(info); + break; } device->free_ctx(authctxt->kbdintctxt); authctxt->kbdintctxt = NULL; - return res ? 0 : 1; + return authenticated; } void abandon_challenge_response(Authctxt *authctxt)