|
|
b58e57 |
From 74287f5df9966a0648b4a68417451dd18f079ab8 Mon Sep 17 00:00:00 2001
|
|
|
b58e57 |
From: "djm@openbsd.org" <djm@openbsd.org>
|
|
|
b58e57 |
Date: Tue, 31 Jul 2018 03:10:27 +0000
|
|
|
b58e57 |
Subject: [PATCH] upstream: delay bailout for invalid authentic
|
|
|
b58e57 |
|
|
|
b58e57 |
=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
|
|
|
b58e57 |
=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
|
|
|
b58e57 |
=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
|
|
|
b58e57 |
MIME-Version: 1.0
|
|
|
b58e57 |
Content-Type: text/plain; charset=UTF-8
|
|
|
b58e57 |
Content-Transfer-Encoding: 8bit
|
|
|
b58e57 |
|
|
|
b58e57 |
OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
|
|
|
b58e57 |
---
|
|
|
b58e57 |
auth2-gss.c | 11 +++++++----
|
|
|
b58e57 |
auth2-hostbased.c | 11 ++++++-----
|
|
|
b58e57 |
auth2-pubkey.c | 25 +++++++++++++++----------
|
|
|
b58e57 |
3 files changed, 28 insertions(+), 19 deletions(-)
|
|
|
b58e57 |
|
|
|
b58e57 |
diff --git a/auth2-gss.c b/auth2-gss.c
|
|
|
b58e57 |
index 47308c5ce..9351e0428 100644
|
|
|
b58e57 |
--- a/auth2-gss.c
|
|
|
b58e57 |
+++ b/auth2-gss.c
|
|
|
b58e57 |
@@ -70,9 +70,6 @@ userauth_gssapi(struct ssh *ssh)
|
|
|
b58e57 |
u_int len;
|
|
|
b58e57 |
u_char *doid = NULL;
|
|
|
b58e57 |
|
|
|
b58e57 |
- if (!authctxt->valid || authctxt->user == NULL)
|
|
|
b58e57 |
- return (0);
|
|
|
b58e57 |
-
|
|
|
b58e57 |
mechs = packet_get_int();
|
|
|
b58e57 |
if (mechs == 0) {
|
|
|
b58e57 |
debug("Mechanism negotiation is not supported");
|
|
|
b58e57 |
@@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh)
|
|
|
b58e57 |
return (0);
|
|
|
b58e57 |
}
|
|
|
b58e57 |
|
|
|
b58e57 |
+ if (!authctxt->valid || authctxt->user == NULL) {
|
|
|
b58e57 |
+ debug2("%s: disabled because of invalid user", __func__);
|
|
|
b58e57 |
+ free(doid);
|
|
|
b58e57 |
+ return (0);
|
|
|
b58e57 |
+ }
|
|
|
b58e57 |
+
|
|
|
b58e57 |
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
|
|
|
b58e57 |
if (ctxt != NULL)
|
|
|
b58e57 |
ssh_gssapi_delete_ctx(&ctxt);
|
|
|
b58e57 |
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
|
|
|
b58e57 |
index 60159a56c..359393291 100644
|
|
|
b58e57 |
--- a/auth2-hostbased.c
|
|
|
b58e57 |
+++ b/auth2-hostbased.c
|
|
|
b58e57 |
@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh)
|
|
|
b58e57 |
int pktype;
|
|
|
b58e57 |
int authenticated = 0;
|
|
|
b58e57 |
|
|
|
b58e57 |
- if (!authctxt->valid) {
|
|
|
b58e57 |
- debug2("userauth_hostbased: disabled because of invalid user");
|
|
|
b58e57 |
- return 0;
|
|
|
b58e57 |
- }
|
|
|
b58e57 |
pkalg = packet_get_string(&alen;;
|
|
|
b58e57 |
pkblob = packet_get_string(&blen);
|
|
|
b58e57 |
chost = packet_get_string(NULL);
|
|
|
b58e57 |
@@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh)
|
|
|
b58e57 |
goto done;
|
|
|
b58e57 |
}
|
|
|
b58e57 |
|
|
|
b58e57 |
+ if (!authctxt->valid || authctxt->user == NULL) {
|
|
|
b58e57 |
+ debug2("%s: disabled because of invalid user", __func__);
|
|
|
b58e57 |
+ goto done;
|
|
|
b58e57 |
+ }
|
|
|
b58e57 |
+
|
|
|
b58e57 |
service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
|
|
|
b58e57 |
authctxt->service;
|
|
|
b58e57 |
buffer_init(&b);
|
|
|
b58e57 |
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
|
|
b58e57 |
index c4d0f7908..e1c150401 100644
|
|
|
b58e57 |
--- a/auth2-pubkey.c
|
|
|
b58e57 |
+++ b/auth2-pubkey.c
|
|
|
b58e57 |
@@ -89,16 +89,12 @@ userauth_pubkey(struct ssh *ssh)
|
|
|
b58e57 |
{
|
|
|
b58e57 |
Buffer b;
|
|
|
b58e57 |
Key *key = NULL;
|
|
|
b58e57 |
- char *pkalg, *userstyle, *pubkey, *fp = NULL;
|
|
|
b58e57 |
- u_char *pkblob, *sig;
|
|
|
b58e57 |
+ char *pkalg = NULL, *userstyle = NULL, *pubkey = NULL, *fp = NULL;
|
|
|
b58e57 |
+ u_char *pkblob = NULL, *sig = NULL;
|
|
|
b58e57 |
u_int alen, blen, slen;
|
|
|
b58e57 |
int have_sig, pktype;
|
|
|
b58e57 |
int authenticated = 0;
|
|
|
b58e57 |
|
|
|
b58e57 |
- if (!authctxt->valid) {
|
|
|
b58e57 |
- debug2("%s: disabled because of invalid user", __func__);
|
|
|
b58e57 |
- return 0;
|
|
|
b58e57 |
- }
|
|
|
b58e57 |
have_sig = packet_get_char();
|
|
|
b58e57 |
if (datafellows & SSH_BUG_PKAUTH) {
|
|
|
b58e57 |
debug2("%s: SSH_BUG_PKAUTH", __func__);
|
|
|
b58e57 |
@@ -167,6 +163,12 @@ userauth_pubkey(struct ssh *ssh)
|
|
|
b58e57 |
} else {
|
|
|
b58e57 |
buffer_put_string(&b, session_id2, session_id2_len);
|
|
|
b58e57 |
}
|
|
|
b58e57 |
+ if (!authctxt->valid || authctxt->user == NULL) {
|
|
|
b58e57 |
+ buffer_free(&b);
|
|
|
b58e57 |
+ debug2("%s: disabled because of invalid user",
|
|
|
b58e57 |
+ __func__);
|
|
|
b58e57 |
+ goto done;
|
|
|
b58e57 |
+ }
|
|
|
b58e57 |
/* reconstruct packet */
|
|
|
b58e57 |
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
|
|
b58e57 |
xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
|
|
|
b58e57 |
@@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh)
|
|
|
b58e57 |
#endif
|
|
|
b58e57 |
pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
|
|
|
b58e57 |
auth_info(authctxt, "%s", pubkey);
|
|
|
b58e57 |
-
|
|
|
b58e57 |
/* test for correct signature */
|
|
|
b58e57 |
authenticated = 0;
|
|
|
b58e57 |
if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
|
|
|
b58e57 |
@@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh)
|
|
|
b58e57 |
free(pubkey);
|
|
|
b58e57 |
}
|
|
|
b58e57 |
buffer_free(&b);
|
|
|
b58e57 |
- free(sig);
|
|
|
b58e57 |
} else {
|
|
|
b58e57 |
debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
|
|
|
b58e57 |
__func__, sshkey_type(key), fp);
|
|
|
b58e57 |
@@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh)
|
|
|
b58e57 |
__func__, sshkey_type(key), fp);
|
|
|
b58e57 |
packet_check_eom();
|
|
|
b58e57 |
|
|
|
b58e57 |
+ if (!authctxt->valid || authctxt->user == NULL) {
|
|
|
b58e57 |
+ debug2("%s: disabled because of invalid user",
|
|
|
b58e57 |
+ __func__);
|
|
|
b58e57 |
+ goto done;
|
|
|
b58e57 |
+ }
|
|
|
b58e57 |
/* XXX fake reply and always send PK_OK ? */
|
|
|
b58e57 |
/*
|
|
|
b58e57 |
* XXX this allows testing whether a user is allowed
|
|
|
b58e57 |
@@ -238,6 +242,7 @@ userauth_pubkey(struct ssh *ssh)
|
|
|
b58e57 |
free(pkalg);
|
|
|
b58e57 |
free(pkblob);
|
|
|
b58e57 |
free(fp);
|
|
|
b58e57 |
+ free(sig);
|
|
|
b58e57 |
return authenticated;
|
|
|
b58e57 |
}
|
|
|
b58e57 |
|