diff options
author | djm@openbsd.org <djm@openbsd.org> | 2018-07-31 03:10:27 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2018-08-17 12:29:54 +0100 |
commit | c4ca1497658e0508e8595ad74978c07bc92a18e3 (patch) | |
tree | 5fa70ab6ec0dab7dbda6f686afa8e3321f0114df /auth2-pubkey.c | |
parent | 60256f28189c3d0650a78e737eb0ca4753478a4b (diff) |
upstream: delay bailout for invalid authenticating user
... until after the packet containing the request has been fully parsed.
Reported by Dariusz Tytko and MichaĆ Sajdak; ok deraadt
OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
Origin: backport, http://anongit.mindrot.org/openssh.git/commit/?id=74287f5df9966a0648b4a68417451dd18f079ab8
Bug-Debian: https://bugs.debian.org/906236
Last-Update: 2018-08-17
Patch-Name: upstream-delay-bailout-for-invalid-authenticating-user.patch
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 8024b1d6a..a9272b97f 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
@@ -89,19 +89,15 @@ userauth_pubkey(struct ssh *ssh) | |||
89 | { | 89 | { |
90 | Authctxt *authctxt = ssh->authctxt; | 90 | Authctxt *authctxt = ssh->authctxt; |
91 | struct passwd *pw = authctxt->pw; | 91 | struct passwd *pw = authctxt->pw; |
92 | struct sshbuf *b; | 92 | struct sshbuf *b = NULL; |
93 | struct sshkey *key = NULL; | 93 | struct sshkey *key = NULL; |
94 | char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; | 94 | char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; |
95 | u_char *pkblob, *sig, have_sig; | 95 | u_char *pkblob = NULL, *sig = NULL, have_sig; |
96 | size_t blen, slen; | 96 | size_t blen, slen; |
97 | int r, pktype; | 97 | int r, pktype; |
98 | int authenticated = 0; | 98 | int authenticated = 0; |
99 | struct sshauthopt *authopts = NULL; | 99 | struct sshauthopt *authopts = NULL; |
100 | 100 | ||
101 | if (!authctxt->valid) { | ||
102 | debug2("%s: disabled because of invalid user", __func__); | ||
103 | return 0; | ||
104 | } | ||
105 | if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || | 101 | if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || |
106 | (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || | 102 | (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || |
107 | (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) | 103 | (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) |
@@ -168,6 +164,11 @@ userauth_pubkey(struct ssh *ssh) | |||
168 | fatal("%s: sshbuf_put_string session id: %s", | 164 | fatal("%s: sshbuf_put_string session id: %s", |
169 | __func__, ssh_err(r)); | 165 | __func__, ssh_err(r)); |
170 | } | 166 | } |
167 | if (!authctxt->valid || authctxt->user == NULL) { | ||
168 | debug2("%s: disabled because of invalid user", | ||
169 | __func__); | ||
170 | goto done; | ||
171 | } | ||
171 | /* reconstruct packet */ | 172 | /* reconstruct packet */ |
172 | xasprintf(&userstyle, "%s%s%s", authctxt->user, | 173 | xasprintf(&userstyle, "%s%s%s", authctxt->user, |
173 | authctxt->style ? ":" : "", | 174 | authctxt->style ? ":" : "", |
@@ -184,7 +185,6 @@ userauth_pubkey(struct ssh *ssh) | |||
184 | #ifdef DEBUG_PK | 185 | #ifdef DEBUG_PK |
185 | sshbuf_dump(b, stderr); | 186 | sshbuf_dump(b, stderr); |
186 | #endif | 187 | #endif |
187 | |||
188 | /* test for correct signature */ | 188 | /* test for correct signature */ |
189 | authenticated = 0; | 189 | authenticated = 0; |
190 | if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && | 190 | if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && |
@@ -193,7 +193,6 @@ userauth_pubkey(struct ssh *ssh) | |||
193 | authenticated = 1; | 193 | authenticated = 1; |
194 | } | 194 | } |
195 | sshbuf_free(b); | 195 | sshbuf_free(b); |
196 | free(sig); | ||
197 | auth2_record_key(authctxt, authenticated, key); | 196 | auth2_record_key(authctxt, authenticated, key); |
198 | } else { | 197 | } else { |
199 | debug("%s: test pkalg %s pkblob %s%s%s", | 198 | debug("%s: test pkalg %s pkblob %s%s%s", |
@@ -204,6 +203,11 @@ userauth_pubkey(struct ssh *ssh) | |||
204 | if ((r = sshpkt_get_end(ssh)) != 0) | 203 | if ((r = sshpkt_get_end(ssh)) != 0) |
205 | fatal("%s: %s", __func__, ssh_err(r)); | 204 | fatal("%s: %s", __func__, ssh_err(r)); |
206 | 205 | ||
206 | if (!authctxt->valid || authctxt->user == NULL) { | ||
207 | debug2("%s: disabled because of invalid user", | ||
208 | __func__); | ||
209 | goto done; | ||
210 | } | ||
207 | /* XXX fake reply and always send PK_OK ? */ | 211 | /* XXX fake reply and always send PK_OK ? */ |
208 | /* | 212 | /* |
209 | * XXX this allows testing whether a user is allowed | 213 | * XXX this allows testing whether a user is allowed |
@@ -237,6 +241,7 @@ done: | |||
237 | free(pkblob); | 241 | free(pkblob); |
238 | free(key_s); | 242 | free(key_s); |
239 | free(ca_s); | 243 | free(ca_s); |
244 | free(sig); | ||
240 | return authenticated; | 245 | return authenticated; |
241 | } | 246 | } |
242 | 247 | ||