diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2015-07-01 02:26:31 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-07-01 12:29:43 +1000 |
| commit | 1bf477d3cdf1a864646d59820878783d42357a1d (patch) | |
| tree | 51d4c6538c262177bf76316eba414a6202964b36 | |
| parent | 47aa7a0f8551b471fcae0447c1d78464f6dba869 (diff) | |
upstream commit
better refuse ForwardX11Trusted=no connections attempted
after ForwardX11Timeout expires; reported by Jann Horn
Upstream-ID: bf0fddadc1b46a0334e26c080038313b4b6dea21
| -rw-r--r-- | channels.c | 18 | ||||
| -rw-r--r-- | channels.h | 3 | ||||
| -rw-r--r-- | clientloop.c | 29 |
3 files changed, 40 insertions, 10 deletions
diff --git a/channels.c b/channels.c index 3fe836aad..a84b487e5 100644 --- a/channels.c +++ b/channels.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: channels.c,v 1.346 2015/06/30 05:25:07 djm Exp $ */ | 1 | /* $OpenBSD: channels.c,v 1.347 2015/07/01 02:26:31 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -161,6 +161,9 @@ static char *x11_saved_proto = NULL; | |||
| 161 | static char *x11_saved_data = NULL; | 161 | static char *x11_saved_data = NULL; |
| 162 | static u_int x11_saved_data_len = 0; | 162 | static u_int x11_saved_data_len = 0; |
| 163 | 163 | ||
| 164 | /* Deadline after which all X11 connections are refused */ | ||
| 165 | static u_int x11_refuse_time; | ||
| 166 | |||
| 164 | /* | 167 | /* |
| 165 | * Fake X11 authentication data. This is what the server will be sending us; | 168 | * Fake X11 authentication data. This is what the server will be sending us; |
| 166 | * we should replace any occurrences of this by the real data. | 169 | * we should replace any occurrences of this by the real data. |
| @@ -912,6 +915,13 @@ x11_open_helper(Buffer *b) | |||
| 912 | u_char *ucp; | 915 | u_char *ucp; |
| 913 | u_int proto_len, data_len; | 916 | u_int proto_len, data_len; |
| 914 | 917 | ||
| 918 | /* Is this being called after the refusal deadline? */ | ||
| 919 | if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) { | ||
| 920 | verbose("Rejected X11 connection after ForwardX11Timeout " | ||
| 921 | "expired"); | ||
| 922 | return -1; | ||
| 923 | } | ||
| 924 | |||
| 915 | /* Check if the fixed size part of the packet is in buffer. */ | 925 | /* Check if the fixed size part of the packet is in buffer. */ |
| 916 | if (buffer_len(b) < 12) | 926 | if (buffer_len(b) < 12) |
| 917 | return 0; | 927 | return 0; |
| @@ -1483,6 +1493,12 @@ channel_set_reuseaddr(int fd) | |||
| 1483 | error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); | 1493 | error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); |
| 1484 | } | 1494 | } |
| 1485 | 1495 | ||
| 1496 | void | ||
| 1497 | channel_set_x11_refuse_time(u_int refuse_time) | ||
| 1498 | { | ||
| 1499 | x11_refuse_time = refuse_time; | ||
| 1500 | } | ||
| 1501 | |||
| 1486 | /* | 1502 | /* |
| 1487 | * This socket is listening for connections to a forwarded TCP/IP port. | 1503 | * This socket is listening for connections to a forwarded TCP/IP port. |
| 1488 | */ | 1504 | */ |
diff --git a/channels.h b/channels.h index b9b486027..9d76c9d2a 100644 --- a/channels.h +++ b/channels.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: channels.h,v 1.117 2015/05/08 06:45:13 djm Exp $ */ | 1 | /* $OpenBSD: channels.h,v 1.118 2015/07/01 02:26:31 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| @@ -284,6 +284,7 @@ int permitopen_port(const char *); | |||
| 284 | 284 | ||
| 285 | /* x11 forwarding */ | 285 | /* x11 forwarding */ |
| 286 | 286 | ||
| 287 | void channel_set_x11_refuse_time(u_int); | ||
| 287 | int x11_connect_display(void); | 288 | int x11_connect_display(void); |
| 288 | int x11_create_display_inet(int, int, int, u_int *, int **); | 289 | int x11_create_display_inet(int, int, int, u_int *, int **); |
| 289 | int x11_input_open(int, u_int32_t, void *); | 290 | int x11_input_open(int, u_int32_t, void *); |
diff --git a/clientloop.c b/clientloop.c index 040deb992..dc0e557ad 100644 --- a/clientloop.c +++ b/clientloop.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: clientloop.c,v 1.273 2015/05/04 06:10:48 djm Exp $ */ | 1 | /* $OpenBSD: clientloop.c,v 1.274 2015/07/01 02:26:31 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -163,7 +163,7 @@ static int connection_in; /* Connection to server (input). */ | |||
| 163 | static int connection_out; /* Connection to server (output). */ | 163 | static int connection_out; /* Connection to server (output). */ |
| 164 | static int need_rekeying; /* Set to non-zero if rekeying is requested. */ | 164 | static int need_rekeying; /* Set to non-zero if rekeying is requested. */ |
| 165 | static int session_closed; /* In SSH2: login session closed. */ | 165 | static int session_closed; /* In SSH2: login session closed. */ |
| 166 | static int x11_refuse_time; /* If >0, refuse x11 opens after this time. */ | 166 | static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time. */ |
| 167 | 167 | ||
| 168 | static void client_init_dispatch(void); | 168 | static void client_init_dispatch(void); |
| 169 | int session_ident = -1; | 169 | int session_ident = -1; |
| @@ -298,7 +298,8 @@ client_x11_display_valid(const char *display) | |||
| 298 | return 1; | 298 | return 1; |
| 299 | } | 299 | } |
| 300 | 300 | ||
| 301 | #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" | 301 | #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" |
| 302 | #define X11_TIMEOUT_SLACK 60 | ||
| 302 | void | 303 | void |
| 303 | client_x11_get_proto(const char *display, const char *xauth_path, | 304 | client_x11_get_proto(const char *display, const char *xauth_path, |
| 304 | u_int trusted, u_int timeout, char **_proto, char **_data) | 305 | u_int trusted, u_int timeout, char **_proto, char **_data) |
| @@ -311,7 +312,7 @@ client_x11_get_proto(const char *display, const char *xauth_path, | |||
| 311 | int got_data = 0, generated = 0, do_unlink = 0, i; | 312 | int got_data = 0, generated = 0, do_unlink = 0, i; |
| 312 | char *xauthdir, *xauthfile; | 313 | char *xauthdir, *xauthfile; |
| 313 | struct stat st; | 314 | struct stat st; |
| 314 | u_int now; | 315 | u_int now, x11_timeout_real; |
| 315 | 316 | ||
| 316 | xauthdir = xauthfile = NULL; | 317 | xauthdir = xauthfile = NULL; |
| 317 | *_proto = proto; | 318 | *_proto = proto; |
| @@ -344,6 +345,15 @@ client_x11_get_proto(const char *display, const char *xauth_path, | |||
| 344 | xauthdir = xmalloc(PATH_MAX); | 345 | xauthdir = xmalloc(PATH_MAX); |
| 345 | xauthfile = xmalloc(PATH_MAX); | 346 | xauthfile = xmalloc(PATH_MAX); |
| 346 | mktemp_proto(xauthdir, PATH_MAX); | 347 | mktemp_proto(xauthdir, PATH_MAX); |
| 348 | /* | ||
| 349 | * The authentication cookie should briefly outlive | ||
| 350 | * ssh's willingness to forward X11 connections to | ||
| 351 | * avoid nasty fail-open behaviour in the X server. | ||
| 352 | */ | ||
| 353 | if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK) | ||
| 354 | x11_timeout_real = UINT_MAX; | ||
| 355 | else | ||
| 356 | x11_timeout_real = timeout + X11_TIMEOUT_SLACK; | ||
| 347 | if (mkdtemp(xauthdir) != NULL) { | 357 | if (mkdtemp(xauthdir) != NULL) { |
| 348 | do_unlink = 1; | 358 | do_unlink = 1; |
| 349 | snprintf(xauthfile, PATH_MAX, "%s/xauthfile", | 359 | snprintf(xauthfile, PATH_MAX, "%s/xauthfile", |
| @@ -351,17 +361,20 @@ client_x11_get_proto(const char *display, const char *xauth_path, | |||
| 351 | snprintf(cmd, sizeof(cmd), | 361 | snprintf(cmd, sizeof(cmd), |
| 352 | "%s -f %s generate %s " SSH_X11_PROTO | 362 | "%s -f %s generate %s " SSH_X11_PROTO |
| 353 | " untrusted timeout %u 2>" _PATH_DEVNULL, | 363 | " untrusted timeout %u 2>" _PATH_DEVNULL, |
| 354 | xauth_path, xauthfile, display, timeout); | 364 | xauth_path, xauthfile, display, |
| 365 | x11_timeout_real); | ||
| 355 | debug2("x11_get_proto: %s", cmd); | 366 | debug2("x11_get_proto: %s", cmd); |
| 356 | if (system(cmd) == 0) | ||
| 357 | generated = 1; | ||
| 358 | if (x11_refuse_time == 0) { | 367 | if (x11_refuse_time == 0) { |
| 359 | now = monotime() + 1; | 368 | now = monotime() + 1; |
| 360 | if (UINT_MAX - timeout < now) | 369 | if (UINT_MAX - timeout < now) |
| 361 | x11_refuse_time = UINT_MAX; | 370 | x11_refuse_time = UINT_MAX; |
| 362 | else | 371 | else |
| 363 | x11_refuse_time = now + timeout; | 372 | x11_refuse_time = now + timeout; |
| 373 | channel_set_x11_refuse_time( | ||
| 374 | x11_refuse_time); | ||
| 364 | } | 375 | } |
| 376 | if (system(cmd) == 0) | ||
| 377 | generated = 1; | ||
| 365 | } | 378 | } |
| 366 | } | 379 | } |
| 367 | 380 | ||
| @@ -1889,7 +1902,7 @@ client_request_x11(const char *request_type, int rchan) | |||
| 1889 | "malicious server."); | 1902 | "malicious server."); |
| 1890 | return NULL; | 1903 | return NULL; |
| 1891 | } | 1904 | } |
| 1892 | if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) { | 1905 | if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) { |
| 1893 | verbose("Rejected X11 connection after ForwardX11Timeout " | 1906 | verbose("Rejected X11 connection after ForwardX11Timeout " |
| 1894 | "expired"); | 1907 | "expired"); |
| 1895 | return NULL; | 1908 | return NULL; |