tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream: delay bailout for invalid authentic 

=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
This commit is contained in:
djm@openbsd.org 2018-07-31 03:10:27 +00:00 committed by Damien Miller
parent 1a66079c06
commit 74287f5df9
3 changed files with 28 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
auth2-gss.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-gss.c,v 1.28 2018/07/10 09:13:30 djm Exp $ */ /* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
/* /*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -70,9 +70,6 @@ userauth_gssapi(struct ssh *ssh)
size_t len; size_t len;
u_char *doid = NULL; u_char *doid = NULL;
if (!authctxt->valid || authctxt->user == NULL)
return (0);
if ((r = sshpkt_get_u32(ssh, &mechs)) != 0) if ((r = sshpkt_get_u32(ssh, &mechs)) != 0)
fatal("%s: %s", __func__, ssh_err(r)); fatal("%s: %s", __func__, ssh_err(r));
@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh)
return (0); return (0);
} }
if (!authctxt->valid || authctxt->user == NULL) {
debug2("%s: disabled because of invalid user", __func__);
free(doid);
return (0);
}
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
if (ctxt != NULL) if (ctxt != NULL)
ssh_gssapi_delete_ctx(&ctxt); ssh_gssapi_delete_ctx(&ctxt);

11
auth2-hostbased.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-hostbased.c,v 1.35 2018/07/09 21:35:50 markus Exp $ */ /* $OpenBSD: auth2-hostbased.c,v 1.36 2018/07/31 03:10:27 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
* *
@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh)
size_t alen, blen, slen; size_t alen, blen, slen;
int r, pktype, authenticated = 0; int r, pktype, authenticated = 0;
if (!authctxt->valid) {
debug2("%s: disabled because of invalid user", __func__);
return 0;
}
/* XXX use sshkey_froms() */ /* XXX use sshkey_froms() */
if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 || if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 || (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh)
goto done; goto done;
} }
if (!authctxt->valid || authctxt->user == NULL) {
debug2("%s: disabled because of invalid user", __func__);
goto done;
}
if ((b = sshbuf_new()) == NULL) if ((b = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__); fatal("%s: sshbuf_new failed", __func__);
/* reconstruct packet */ /* reconstruct packet */

25
auth2-pubkey.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-pubkey.c,v 1.82 2018/07/11 18:55:11 markus Exp $ */ /* $OpenBSD: auth2-pubkey.c,v 1.83 2018/07/31 03:10:27 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
* *
@ -89,19 +89,15 @@ userauth_pubkey(struct ssh *ssh)
{ {
Authctxt *authctxt = ssh->authctxt; Authctxt *authctxt = ssh->authctxt;
struct passwd *pw = authctxt->pw; struct passwd *pw = authctxt->pw;
struct sshbuf *b; struct sshbuf *b = NULL;
struct sshkey *key = NULL; struct sshkey *key = NULL;
char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
u_char *pkblob, *sig, have_sig; u_char *pkblob = NULL, *sig = NULL, have_sig;
size_t blen, slen; size_t blen, slen;
int r, pktype; int r, pktype;
int authenticated = 0; int authenticated = 0;
struct sshauthopt *authopts = NULL; struct sshauthopt *authopts = NULL;
if (!authctxt->valid) {
debug2("%s: disabled because of invalid user", __func__);
return 0;
}
if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
(r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
@ -167,6 +163,11 @@ userauth_pubkey(struct ssh *ssh)
fatal("%s: sshbuf_put_string session id: %s", fatal("%s: sshbuf_put_string session id: %s",
__func__, ssh_err(r)); __func__, ssh_err(r));
} }
if (!authctxt->valid || authctxt->user == NULL) {
debug2("%s: disabled because of invalid user",
__func__);
goto done;
}
/* reconstruct packet */ /* reconstruct packet */
xasprintf(&userstyle, "%s%s%s", authctxt->user, xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "", authctxt->style ? ":" : "",
@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh)
#ifdef DEBUG_PK #ifdef DEBUG_PK
sshbuf_dump(b, stderr); sshbuf_dump(b, stderr);
#endif #endif
/* test for correct signature */ /* test for correct signature */
authenticated = 0; authenticated = 0;
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh)
authenticated = 1; authenticated = 1;
} }
sshbuf_free(b); sshbuf_free(b);
free(sig);
auth2_record_key(authctxt, authenticated, key); auth2_record_key(authctxt, authenticated, key);
} else { } else {
debug("%s: test pkalg %s pkblob %s%s%s", debug("%s: test pkalg %s pkblob %s%s%s",
@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh)
if ((r = sshpkt_get_end(ssh)) != 0) if ((r = sshpkt_get_end(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r)); fatal("%s: %s", __func__, ssh_err(r));
if (!authctxt->valid || authctxt->user == NULL) {
debug2("%s: disabled because of invalid user",
__func__);
goto done;
}
/* XXX fake reply and always send PK_OK ? */ /* XXX fake reply and always send PK_OK ? */
/* /*
* XXX this allows testing whether a user is allowed * XXX this allows testing whether a user is allowed
@ -238,6 +242,7 @@ done:
free(pkblob); free(pkblob);
free(key_s); free(key_s);
free(ca_s); free(ca_s);
free(sig);
return authenticated; return authenticated;
} }