summaryrefslogtreecommitdiff
path: root/auth2-pubkey.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2018-07-31 03:10:27 +0000
committerDamien Miller <djm@mindrot.org>2018-07-31 13:13:26 +1000
commit74287f5df9966a0648b4a68417451dd18f079ab8 (patch)
treed65deaf7d3ef15405cf8bdbffc9d96b88341a314 /auth2-pubkey.c
parent1a66079c0669813306cc69e5776a4acd9fb49015 (diff)
upstream: delay bailout for invalid authentic
=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?= =?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?= =?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c25
1 files changed, 15 insertions, 10 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index c4d0f7908..e1c150401 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-pubkey.c,v 1.82 2018/07/11 18:55:11 markus Exp $ */ 1/* $OpenBSD: auth2-pubkey.c,v 1.83 2018/07/31 03:10:27 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -89,19 +89,15 @@ userauth_pubkey(struct ssh *ssh)
89{ 89{
90 Authctxt *authctxt = ssh->authctxt; 90 Authctxt *authctxt = ssh->authctxt;
91 struct passwd *pw = authctxt->pw; 91 struct passwd *pw = authctxt->pw;
92 struct sshbuf *b; 92 struct sshbuf *b = NULL;
93 struct sshkey *key = NULL; 93 struct sshkey *key = NULL;
94 char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; 94 char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
95 u_char *pkblob, *sig, have_sig; 95 u_char *pkblob = NULL, *sig = NULL, have_sig;
96 size_t blen, slen; 96 size_t blen, slen;
97 int r, pktype; 97 int r, pktype;
98 int authenticated = 0; 98 int authenticated = 0;
99 struct sshauthopt *authopts = NULL; 99 struct sshauthopt *authopts = NULL;
100 100
101 if (!authctxt->valid) {
102 debug2("%s: disabled because of invalid user", __func__);
103 return 0;
104 }
105 if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || 101 if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
106 (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || 102 (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
107 (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) 103 (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
@@ -167,6 +163,11 @@ userauth_pubkey(struct ssh *ssh)
167 fatal("%s: sshbuf_put_string session id: %s", 163 fatal("%s: sshbuf_put_string session id: %s",
168 __func__, ssh_err(r)); 164 __func__, ssh_err(r));
169 } 165 }
166 if (!authctxt->valid || authctxt->user == NULL) {
167 debug2("%s: disabled because of invalid user",
168 __func__);
169 goto done;
170 }
170 /* reconstruct packet */ 171 /* reconstruct packet */
171 xasprintf(&userstyle, "%s%s%s", authctxt->user, 172 xasprintf(&userstyle, "%s%s%s", authctxt->user,
172 authctxt->style ? ":" : "", 173 authctxt->style ? ":" : "",
@@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh)
183#ifdef DEBUG_PK 184#ifdef DEBUG_PK
184 sshbuf_dump(b, stderr); 185 sshbuf_dump(b, stderr);
185#endif 186#endif
186
187 /* test for correct signature */ 187 /* test for correct signature */
188 authenticated = 0; 188 authenticated = 0;
189 if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && 189 if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh)
194 authenticated = 1; 194 authenticated = 1;
195 } 195 }
196 sshbuf_free(b); 196 sshbuf_free(b);
197 free(sig);
198 auth2_record_key(authctxt, authenticated, key); 197 auth2_record_key(authctxt, authenticated, key);
199 } else { 198 } else {
200 debug("%s: test pkalg %s pkblob %s%s%s", 199 debug("%s: test pkalg %s pkblob %s%s%s",
@@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh)
205 if ((r = sshpkt_get_end(ssh)) != 0) 204 if ((r = sshpkt_get_end(ssh)) != 0)
206 fatal("%s: %s", __func__, ssh_err(r)); 205 fatal("%s: %s", __func__, ssh_err(r));
207 206
207 if (!authctxt->valid || authctxt->user == NULL) {
208 debug2("%s: disabled because of invalid user",
209 __func__);
210 goto done;
211 }
208 /* XXX fake reply and always send PK_OK ? */ 212 /* XXX fake reply and always send PK_OK ? */
209 /* 213 /*
210 * XXX this allows testing whether a user is allowed 214 * XXX this allows testing whether a user is allowed
@@ -238,6 +242,7 @@ done:
238 free(pkblob); 242 free(pkblob);
239 free(key_s); 243 free(key_s);
240 free(ca_s); 244 free(ca_s);
245 free(sig);
241 return authenticated; 246 return authenticated;
242} 247}
243 248