jcs.org
jcs's openbsd hax
openbsd
1/* $OpenBSD: auth2-chall.c,v 1.59 2026/02/06 22:59:18 dtucker Exp $ */
2/*
3 * Copyright (c) 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2001 Per Allansson. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include <sys/types.h>
28
29#include <stdlib.h>
30#include <stdio.h>
31#include <string.h>
32#include <stdarg.h>
33
34#include "xmalloc.h"
35#include "ssh2.h"
36#include "sshkey.h"
37#include "hostfile.h"
38#include "auth.h"
39#include "sshbuf.h"
40#include "packet.h"
41#include "dispatch.h"
42#include "ssherr.h"
43#include "log.h"
44
45static int auth2_challenge_start(struct ssh *);
46static int send_userauth_info_request(struct ssh *);
47static int input_userauth_info_response(int, u_int32_t, struct ssh *);
48
49extern KbdintDevice mm_bsdauth_device;
50
51KbdintDevice *devices[] = {
52 &mm_bsdauth_device,
53 NULL
54};
55
56typedef struct KbdintAuthctxt KbdintAuthctxt;
57struct KbdintAuthctxt
58{
59 char *devices;
60 void *ctxt;
61 KbdintDevice *device;
62 u_int nreq;
63 u_int devices_done;
64};
65
66static KbdintAuthctxt *
67kbdint_alloc(const char *devs)
68{
69 KbdintAuthctxt *kbdintctxt;
70 struct sshbuf *b;
71 int i, r;
72
73 kbdintctxt = xcalloc(1, sizeof(KbdintAuthctxt));
74 if (strcmp(devs, "") == 0) {
75 if ((b = sshbuf_new()) == NULL)
76 fatal_f("sshbuf_new failed");
77 for (i = 0; devices[i]; i++) {
78 if ((r = sshbuf_putf(b, "%s%s",
79 sshbuf_len(b) ? "," : "", devices[i]->name)) != 0)
80 fatal_fr(r, "buffer error");
81 }
82 if ((kbdintctxt->devices = sshbuf_dup_string(b)) == NULL)
83 fatal_f("sshbuf_dup_string failed");
84 sshbuf_free(b);
85 } else {
86 kbdintctxt->devices = xstrdup(devs);
87 }
88 debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
89 kbdintctxt->ctxt = NULL;
90 kbdintctxt->device = NULL;
91 kbdintctxt->nreq = 0;
92
93 return kbdintctxt;
94}
95static void
96kbdint_reset_device(KbdintAuthctxt *kbdintctxt)
97{
98 if (kbdintctxt->ctxt) {
99 kbdintctxt->device->free_ctx(kbdintctxt->ctxt);
100 kbdintctxt->ctxt = NULL;
101 }
102 kbdintctxt->device = NULL;
103}
104static void
105kbdint_free(KbdintAuthctxt *kbdintctxt)
106{
107 if (kbdintctxt->device)
108 kbdint_reset_device(kbdintctxt);
109 free(kbdintctxt->devices);
110 freezero(kbdintctxt, sizeof(*kbdintctxt));
111}
112/* get next device */
113static int
114kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
115{
116 size_t len;
117 char *t;
118 size_t i;
119
120 if (kbdintctxt->device)
121 kbdint_reset_device(kbdintctxt);
122 do {
123 len = kbdintctxt->devices ?
124 strcspn(kbdintctxt->devices, ",") : 0;
125
126 if (len == 0)
127 break;
128 for (i = 0; devices[i]; i++) {
129 if (i >= sizeof(kbdintctxt->devices_done) * 8 ||
130 i >= sizeof(devices) / sizeof(devices[0]))
131 fatal_f("internal error: too many devices");
132 if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
133 !auth2_method_allowed(authctxt,
134 "keyboard-interactive", devices[i]->name))
135 continue;
136 if (strlen(devices[i]->name) == len &&
137 memcmp(kbdintctxt->devices, devices[i]->name,
138 len) == 0) {
139 kbdintctxt->device = devices[i];
140 kbdintctxt->devices_done |= 1 << i;
141 }
142 }
143 t = kbdintctxt->devices;
144 kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
145 free(t);
146 debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
147 kbdintctxt->devices : "<empty>");
148 } while (kbdintctxt->devices && !kbdintctxt->device);
149
150 return kbdintctxt->device ? 1 : 0;
151}
152
153/*
154 * try challenge-response, set authctxt->postponed if we have to
155 * wait for the response.
156 */
157int
158auth2_challenge(struct ssh *ssh, char *devs)
159{
160 Authctxt *authctxt = ssh->authctxt;
161 debug("auth2_challenge: user=%s devs=%s",
162 authctxt->user ? authctxt->user : "<nouser>",
163 devs ? devs : "<no devs>");
164
165 if (authctxt->user == NULL || !devs)
166 return 0;
167 if (authctxt->kbdintctxt == NULL)
168 authctxt->kbdintctxt = kbdint_alloc(devs);
169 return auth2_challenge_start(ssh);
170}
171
172/* unregister kbd-int callbacks and context */
173void
174auth2_challenge_stop(struct ssh *ssh)
175{
176 Authctxt *authctxt = ssh->authctxt;
177 /* unregister callback */
178 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
179 if (authctxt->kbdintctxt != NULL) {
180 kbdint_free(authctxt->kbdintctxt);
181 authctxt->kbdintctxt = NULL;
182 }
183}
184
185/* side effect: sets authctxt->postponed if a reply was sent*/
186static int
187auth2_challenge_start(struct ssh *ssh)
188{
189 Authctxt *authctxt = ssh->authctxt;
190 KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt;
191
192 debug2("auth2_challenge_start: devices %s",
193 kbdintctxt->devices ? kbdintctxt->devices : "<empty>");
194
195 if (kbdint_next_device(authctxt, kbdintctxt) == 0) {
196 auth2_challenge_stop(ssh);
197 return 0;
198 }
199 debug("auth2_challenge_start: trying authentication method '%s'",
200 kbdintctxt->device->name);
201
202 if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) {
203 auth2_challenge_stop(ssh);
204 return 0;
205 }
206 if (send_userauth_info_request(ssh) == 0) {
207 auth2_challenge_stop(ssh);
208 return 0;
209 }
210 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_INFO_RESPONSE,
211 &input_userauth_info_response);
212
213 authctxt->postponed = 1;
214 return 0;
215}
216
217static int
218send_userauth_info_request(struct ssh *ssh)
219{
220 Authctxt *authctxt = ssh->authctxt;
221 KbdintAuthctxt *kbdintctxt;
222 char *name, *instr, **prompts;
223 u_int r, i, *echo_on;
224
225 kbdintctxt = authctxt->kbdintctxt;
226 if (kbdintctxt->device->query(kbdintctxt->ctxt,
227 &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
228 return 0;
229
230 if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_INFO_REQUEST)) != 0 ||
231 (r = sshpkt_put_cstring(ssh, name)) != 0 ||
232 (r = sshpkt_put_cstring(ssh, instr)) != 0 ||
233 (r = sshpkt_put_cstring(ssh, "")) != 0 || /* language not used */
234 (r = sshpkt_put_u32(ssh, kbdintctxt->nreq)) != 0)
235 fatal_fr(r, "start packet");
236 for (i = 0; i < kbdintctxt->nreq; i++) {
237 if ((r = sshpkt_put_cstring(ssh, prompts[i])) != 0 ||
238 (r = sshpkt_put_u8(ssh, echo_on[i])) != 0)
239 fatal_fr(r, "assemble packet");
240 }
241 if ((r = sshpkt_send(ssh)) != 0 ||
242 (r = ssh_packet_write_wait(ssh)) != 0)
243 fatal_fr(r, "send packet");
244
245 for (i = 0; i < kbdintctxt->nreq; i++)
246 free(prompts[i]);
247 free(prompts);
248 free(echo_on);
249 free(name);
250 free(instr);
251 return 1;
252}
253
254static int
255input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
256{
257 Authctxt *authctxt = ssh->authctxt;
258 KbdintAuthctxt *kbdintctxt;
259 int authenticated = 0, res;
260 int r;
261 u_int i, nresp;
262 const char *devicename = NULL;
263 char **response = NULL;
264
265 if (authctxt == NULL)
266 fatal_f("no authctxt");
267 kbdintctxt = authctxt->kbdintctxt;
268 if (kbdintctxt == NULL || kbdintctxt->ctxt == NULL)
269 fatal_f("no kbdintctxt");
270 if (kbdintctxt->device == NULL)
271 fatal_f("no device");
272
273 authctxt->postponed = 0; /* reset */
274 if ((r = sshpkt_get_u32(ssh, &nresp)) != 0)
275 fatal_fr(r, "parse packet");
276 if (nresp != kbdintctxt->nreq)
277 fatal_f("wrong number of replies");
278 if (nresp > 100)
279 fatal_f("too many replies");
280 if (nresp > 0) {
281 response = xcalloc(nresp, sizeof(char *));
282 for (i = 0; i < nresp; i++) {
283 if ((r = sshpkt_get_cstring(ssh, &response[i], NULL)) != 0)
284 fatal_fr(r, "parse response");
285 }
286 }
287 if ((r = sshpkt_get_end(ssh)) != 0)
288 fatal_fr(r, "parse packet");
289
290 res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
291
292 for (i = 0; i < nresp; i++) {
293 explicit_bzero(response[i], strlen(response[i]));
294 free(response[i]);
295 }
296 free(response);
297
298 switch (res) {
299 case 0:
300 /* Success! */
301 authenticated = authctxt->valid ? 1 : 0;
302 break;
303 case 1:
304 /* Authentication needs further interaction */
305 if (send_userauth_info_request(ssh) == 1)
306 authctxt->postponed = 1;
307 break;
308 default:
309 /* Failure! */
310 break;
311 }
312 devicename = kbdintctxt->device->name;
313 if (!authctxt->postponed) {
314 if (authenticated) {
315 auth2_challenge_stop(ssh);
316 } else {
317 /* start next device */
318 /* may set authctxt->postponed */
319 auth2_challenge_start(ssh);
320 }
321 }
322 userauth_finish(ssh, authenticated, "keyboard-interactive",
323 devicename);
324 return 0;
325}