From 74287f5df9966a0648b4a68417451dd18f079ab8 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 31 Jul 2018 03:10:27 +0000 Subject: [PATCH] upstream: delay bailout for invalid authentic =?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?= =?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?= =?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d --- auth2-gss.c | 11 +++++++---- auth2-hostbased.c | 11 ++++++----- auth2-pubkey.c | 25 +++++++++++++++---------- 3 files changed, 28 insertions(+), 19 deletions(-) diff --git a/auth2-gss.c b/auth2-gss.c index 47308c5ce..9351e0428 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -70,9 +70,6 @@ userauth_gssapi(struct ssh *ssh) u_int len; u_char *doid = NULL; - if (!authctxt->valid || authctxt->user == NULL) - return (0); - mechs = packet_get_int(); if (mechs == 0) { debug("Mechanism negotiation is not supported"); @@ -106,6 +103,12 @@ userauth_gssapi(struct ssh *ssh) return (0); } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", __func__); + free(doid); + return (0); + } + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { if (ctxt != NULL) ssh_gssapi_delete_ctx(&ctxt); diff --git a/auth2-hostbased.c b/auth2-hostbased.c index 60159a56c..359393291 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh) int pktype; int authenticated = 0; - if (!authctxt->valid) { - debug2("userauth_hostbased: disabled because of invalid user"); - return 0; - } pkalg = packet_get_string(&alen); pkblob = packet_get_string(&blen); chost = packet_get_string(NULL); @@ -117,6 +113,11 @@ userauth_hostbased(struct ssh *ssh) goto done; } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", __func__); + goto done; + } + service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : authctxt->service; buffer_init(&b); diff --git a/auth2-pubkey.c b/auth2-pubkey.c index c4d0f7908..e1c150401 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -89,16 +89,12 @@ userauth_pubkey(struct ssh *ssh) { Buffer b; Key *key = NULL; - char *pkalg, *userstyle, *pubkey, *fp = NULL; - u_char *pkblob, *sig; + char *pkalg = NULL, *userstyle = NULL, *pubkey = NULL, *fp = NULL; + u_char *pkblob = NULL, *sig = NULL; u_int alen, blen, slen; int have_sig, pktype; int authenticated = 0; - if (!authctxt->valid) { - debug2("%s: disabled because of invalid user", __func__); - return 0; - } have_sig = packet_get_char(); if (datafellows & SSH_BUG_PKAUTH) { debug2("%s: SSH_BUG_PKAUTH", __func__); @@ -167,6 +163,12 @@ userauth_pubkey(struct ssh *ssh) } else { buffer_put_string(&b, session_id2, session_id2_len); } + if (!authctxt->valid || authctxt->user == NULL) { + buffer_free(&b); + debug2("%s: disabled because of invalid user", + __func__); + goto done; + } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user, @@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh) #endif pubkey = sshkey_format_oneline(key, options.fingerprint_hash); auth_info(authctxt, "%s", pubkey); - /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) && @@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh) free(pubkey); } buffer_free(&b); - free(sig); } else { debug("%s: test whether pkalg/pkblob are acceptable for %s %s", __func__, sshkey_type(key), fp); @@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh) __func__, sshkey_type(key), fp); packet_check_eom(); + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", + __func__); + goto done; + } /* XXX fake reply and always send PK_OK ? */ /* * XXX this allows testing whether a user is allowed @@ -238,6 +242,7 @@ userauth_pubkey(struct ssh *ssh) free(pkalg); free(pkblob); free(fp); + free(sig); return authenticated; }