From a6e055c42b34ec50f55606312b09ec2e14990416 Mon Sep 17 00:00:00 2001

From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

Date: Fri, 7 Dec 2018 18:19:33 +0100

Subject: [PATCH] packet: Allow SSH2_MSG_EXT_INFO when authenticated

When the server requests rekey, it can send the SSH2_MSG_EXT_INFO.  This

message was being filtered out by the packet filtering.  This includes a

test to enforce the filtering rules for this packet type.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

Reviewed-by: Andreas Schneider <asn@cryptomilk.org>

(cherry picked from commit fe309ba43fb904da4385fc40a338ecc7482f8388)

---

 src/packet.c                            |  6 ++++-

 tests/unittests/torture_packet_filter.c | 31 +++++++++++++++++++++++++

 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/src/packet.c b/src/packet.c

index 72e3c096..61a44237 100644

--- a/src/packet.c

+++ b/src/packet.c

@@ -263,13 +263,17 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se

         /*

          * States required:

          * - session_state == SSH_SESSION_STATE_AUTHENTICATING

+         *   or session->session_state == SSH_SESSION_STATE_AUTHENTICATED

+         *   (re-exchange)

          * - dh_handshake_state == DH_STATE_FINISHED

          *

          * Transitions:

          * - None

          * */

-        if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) {

+        if ((session->session_state != SSH_SESSION_STATE_AUTHENTICATING) &&

+            (session->session_state != SSH_SESSION_STATE_AUTHENTICATED))

+        {

             rc = SSH_PACKET_DENIED;

             break;

         }

diff --git a/tests/unittests/torture_packet_filter.c b/tests/unittests/torture_packet_filter.c

index 72cbc4cd..44ee3598 100644

--- a/tests/unittests/torture_packet_filter.c

+++ b/tests/unittests/torture_packet_filter.c

@@ -462,6 +462,36 @@ static void torture_packet_filter_check_auth_success(void **state)

     assert_int_equal(rc, 0);

 }

+static void torture_packet_filter_check_msg_ext_info(void **state)

+{

+    int rc;

+

+    global_state accepted[] = {

+        {

+            .flags = (COMPARE_SESSION_STATE |

+                    COMPARE_DH_STATE),

+            .session = SSH_SESSION_STATE_AUTHENTICATING,

+            .dh = DH_STATE_FINISHED,

+        },

+        {

+            .flags = (COMPARE_SESSION_STATE |

+                    COMPARE_DH_STATE),

+            .session = SSH_SESSION_STATE_AUTHENTICATED,

+            .dh = DH_STATE_FINISHED,

+        },

+    };

+

+    int accepted_count = 2;

+

+    /* Unused */

+    (void) state;

+

+    rc = check_message_in_all_states(accepted, accepted_count,

+            SSH2_MSG_EXT_INFO);

+

+    assert_int_equal(rc, 0);

+}

+

 static void torture_packet_filter_check_channel_open(void **state)

 {

     int rc;

@@ -492,6 +522,7 @@ int torture_run_tests(void)

         cmocka_unit_test(torture_packet_filter_check_auth_success),

         cmocka_unit_test(torture_packet_filter_check_channel_open),

         cmocka_unit_test(torture_packet_filter_check_unfiltered),

+        cmocka_unit_test(torture_packet_filter_check_msg_ext_info)

     };

     ssh_init();

-- 

2.19.1