|
|
d1a70f |
From a6e055c42b34ec50f55606312b09ec2e14990416 Mon Sep 17 00:00:00 2001
|
|
|
d1a70f |
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
|
|
d1a70f |
Date: Fri, 7 Dec 2018 18:19:33 +0100
|
|
|
d1a70f |
Subject: [PATCH] packet: Allow SSH2_MSG_EXT_INFO when authenticated
|
|
|
d1a70f |
|
|
|
d1a70f |
When the server requests rekey, it can send the SSH2_MSG_EXT_INFO. This
|
|
|
d1a70f |
message was being filtered out by the packet filtering. This includes a
|
|
|
d1a70f |
test to enforce the filtering rules for this packet type.
|
|
|
d1a70f |
|
|
|
d1a70f |
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
|
|
d1a70f |
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
|
|
d1a70f |
(cherry picked from commit fe309ba43fb904da4385fc40a338ecc7482f8388)
|
|
|
d1a70f |
---
|
|
|
d1a70f |
src/packet.c | 6 ++++-
|
|
|
d1a70f |
tests/unittests/torture_packet_filter.c | 31 +++++++++++++++++++++++++
|
|
|
d1a70f |
2 files changed, 36 insertions(+), 1 deletion(-)
|
|
|
d1a70f |
|
|
|
d1a70f |
diff --git a/src/packet.c b/src/packet.c
|
|
|
d1a70f |
index 72e3c096..61a44237 100644
|
|
|
d1a70f |
--- a/src/packet.c
|
|
|
d1a70f |
+++ b/src/packet.c
|
|
|
d1a70f |
@@ -263,13 +263,17 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
|
|
|
d1a70f |
/*
|
|
|
d1a70f |
* States required:
|
|
|
d1a70f |
* - session_state == SSH_SESSION_STATE_AUTHENTICATING
|
|
|
d1a70f |
+ * or session->session_state == SSH_SESSION_STATE_AUTHENTICATED
|
|
|
d1a70f |
+ * (re-exchange)
|
|
|
d1a70f |
* - dh_handshake_state == DH_STATE_FINISHED
|
|
|
d1a70f |
*
|
|
|
d1a70f |
* Transitions:
|
|
|
d1a70f |
* - None
|
|
|
d1a70f |
* */
|
|
|
d1a70f |
|
|
|
d1a70f |
- if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) {
|
|
|
d1a70f |
+ if ((session->session_state != SSH_SESSION_STATE_AUTHENTICATING) &&
|
|
|
d1a70f |
+ (session->session_state != SSH_SESSION_STATE_AUTHENTICATED))
|
|
|
d1a70f |
+ {
|
|
|
d1a70f |
rc = SSH_PACKET_DENIED;
|
|
|
d1a70f |
break;
|
|
|
d1a70f |
}
|
|
|
d1a70f |
diff --git a/tests/unittests/torture_packet_filter.c b/tests/unittests/torture_packet_filter.c
|
|
|
d1a70f |
index 72cbc4cd..44ee3598 100644
|
|
|
d1a70f |
--- a/tests/unittests/torture_packet_filter.c
|
|
|
d1a70f |
+++ b/tests/unittests/torture_packet_filter.c
|
|
|
d1a70f |
@@ -462,6 +462,36 @@ static void torture_packet_filter_check_auth_success(void **state)
|
|
|
d1a70f |
assert_int_equal(rc, 0);
|
|
|
d1a70f |
}
|
|
|
d1a70f |
|
|
|
d1a70f |
+static void torture_packet_filter_check_msg_ext_info(void **state)
|
|
|
d1a70f |
+{
|
|
|
d1a70f |
+ int rc;
|
|
|
d1a70f |
+
|
|
|
d1a70f |
+ global_state accepted[] = {
|
|
|
d1a70f |
+ {
|
|
|
d1a70f |
+ .flags = (COMPARE_SESSION_STATE |
|
|
|
d1a70f |
+ COMPARE_DH_STATE),
|
|
|
d1a70f |
+ .session = SSH_SESSION_STATE_AUTHENTICATING,
|
|
|
d1a70f |
+ .dh = DH_STATE_FINISHED,
|
|
|
d1a70f |
+ },
|
|
|
d1a70f |
+ {
|
|
|
d1a70f |
+ .flags = (COMPARE_SESSION_STATE |
|
|
|
d1a70f |
+ COMPARE_DH_STATE),
|
|
|
d1a70f |
+ .session = SSH_SESSION_STATE_AUTHENTICATED,
|
|
|
d1a70f |
+ .dh = DH_STATE_FINISHED,
|
|
|
d1a70f |
+ },
|
|
|
d1a70f |
+ };
|
|
|
d1a70f |
+
|
|
|
d1a70f |
+ int accepted_count = 2;
|
|
|
d1a70f |
+
|
|
|
d1a70f |
+ /* Unused */
|
|
|
d1a70f |
+ (void) state;
|
|
|
d1a70f |
+
|
|
|
d1a70f |
+ rc = check_message_in_all_states(accepted, accepted_count,
|
|
|
d1a70f |
+ SSH2_MSG_EXT_INFO);
|
|
|
d1a70f |
+
|
|
|
d1a70f |
+ assert_int_equal(rc, 0);
|
|
|
d1a70f |
+}
|
|
|
d1a70f |
+
|
|
|
d1a70f |
static void torture_packet_filter_check_channel_open(void **state)
|
|
|
d1a70f |
{
|
|
|
d1a70f |
int rc;
|
|
|
d1a70f |
@@ -492,6 +522,7 @@ int torture_run_tests(void)
|
|
|
d1a70f |
cmocka_unit_test(torture_packet_filter_check_auth_success),
|
|
|
d1a70f |
cmocka_unit_test(torture_packet_filter_check_channel_open),
|
|
|
d1a70f |
cmocka_unit_test(torture_packet_filter_check_unfiltered),
|
|
|
d1a70f |
+ cmocka_unit_test(torture_packet_filter_check_msg_ext_info)
|
|
|
d1a70f |
};
|
|
|
d1a70f |
|
|
|
d1a70f |
ssh_init();
|
|
|
d1a70f |
--
|
|
|
d1a70f |
2.19.1
|
|
|
d1a70f |
|