diff options
author | djm@openbsd.org <djm@openbsd.org> | 2018-07-31 03:10:27 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-07-31 13:13:26 +1000 |
commit | 74287f5df9966a0648b4a68417451dd18f079ab8 (patch) | |
tree | d65deaf7d3ef15405cf8bdbffc9d96b88341a314 /auth2-pubkey.c | |
parent | 1a66079c0669813306cc69e5776a4acd9fb49015 (diff) |
upstream: delay bailout for invalid authentic
=?UTF-8?q?ating=20user=20until=20after=20the=20packet=20containing=20the?=
=?UTF-8?q?=20request=20has=20been=20fully=20parsed.=20Reported=20by=20Dar?=
=?UTF-8?q?iusz=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index c4d0f790..e1c15040 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.82 2018/07/11 18:55:11 markus Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.83 2018/07/31 03:10:27 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -89,19 +89,15 @@ userauth_pubkey(struct ssh *ssh) { Authctxt *authctxt = ssh->authctxt; struct passwd *pw = authctxt->pw; - struct sshbuf *b; + struct sshbuf *b = NULL; struct sshkey *key = NULL; - char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; - u_char *pkblob, *sig, have_sig; + char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; + u_char *pkblob = NULL, *sig = NULL, have_sig; size_t blen, slen; int r, pktype; int authenticated = 0; struct sshauthopt *authopts = NULL; - if (!authctxt->valid) { - debug2("%s: disabled because of invalid user", __func__); - return 0; - } if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) @@ -167,6 +163,11 @@ userauth_pubkey(struct ssh *ssh) fatal("%s: sshbuf_put_string session id: %s", __func__, ssh_err(r)); } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", + __func__); + goto done; + } /* reconstruct packet */ xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", @@ -183,7 +184,6 @@ userauth_pubkey(struct ssh *ssh) #ifdef DEBUG_PK sshbuf_dump(b, stderr); #endif - /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && @@ -194,7 +194,6 @@ userauth_pubkey(struct ssh *ssh) authenticated = 1; } sshbuf_free(b); - free(sig); auth2_record_key(authctxt, authenticated, key); } else { debug("%s: test pkalg %s pkblob %s%s%s", @@ -205,6 +204,11 @@ userauth_pubkey(struct ssh *ssh) if ((r = sshpkt_get_end(ssh)) != 0) fatal("%s: %s", __func__, ssh_err(r)); + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", + __func__); + goto done; + } /* XXX fake reply and always send PK_OK ? */ /* * XXX this allows testing whether a user is allowed @@ -238,6 +242,7 @@ done: free(pkblob); free(key_s); free(ca_s); + free(sig); return authenticated; } |