authorAnderson Toshiyuki Sasaki <ansasaki@redhat.com>2018-09-19 14:08:28 +0200
committerAndreas Schneider <asn@cryptomilk.org>2018-10-09 11:45:58 +0200
commite5f0e711b05c2ec4c2d016a6abaedae2959ddba2 (patch)
treeba7d4fade51cb2db3295d3ab43379e4053f57756
parente765c1400a724cc5009fd03395ef54b28de9c296 (diff)
CVE-2018-10933: Introduced new auth states
Introduced the states SSH_AUTH_STATE_PUBKEY_OFFER_SENT and SSH_AUTH_STATE_PUBKEY_AUTH_SENT to know when SSH2_MSG_USERAUTH_PK_OK and SSH2_MSG_USERAUTH_SUCCESS should be expected.

Fixes T101

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-rw-r--r--include/libssh/auth.h4
-rwxr-xr-xsrc/auth.c32
2 files changed, 25 insertions, 11 deletions
diff --git a/include/libssh/auth.h b/include/libssh/auth.h
index 2c0012b0..05754460 100644
--- a/include/libssh/auth.h
+++ b/include/libssh/auth.h
@@ -90,6 +90,10 @@ enum ssh_auth_state_e {
SSH_AUTH_STATE_GSSAPI_TOKEN,
/** We have sent the MIC and expecting to be authenticated */
SSH_AUTH_STATE_GSSAPI_MIC_SENT,
+ /** We have offered a pubkey to check if it is supported */
+ SSH_AUTH_STATE_PUBKEY_OFFER_SENT,
+ /** We have sent pubkey and signature expecting to be authenticated */
+ SSH_AUTH_STATE_PUBKEY_AUTH_SENT,
};
/** @internal
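Review bot: The two new doc comments record what was sent but not which reply each state is meant to admit, which per the commit message is the reason the states exist. I would spell that out, e.g. `/** We have offered a pubkey to check if it is supported; SSH2_MSG_USERAUTH_PK_OK may be accepted in this state */` and `/** We have sent pubkey and signature; SSH2_MSG_USERAUTH_SUCCESS may be accepted in this state */`. The enum opens above the hunk, so its other members and their comments are not visible here.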
diff --git a/src/auth.c b/src/auth.c
index b411f226..964e82a6 100755
--- a/src/auth.c
+++ b/src/auth.c
@@ -85,6 +85,8 @@ static int ssh_auth_response_termination(void *user){
case SSH_AUTH_STATE_GSSAPI_REQUEST_SENT:
case SSH_AUTH_STATE_GSSAPI_TOKEN:
case SSH_AUTH_STATE_GSSAPI_MIC_SENT:
+ case SSH_AUTH_STATE_PUBKEY_AUTH_SENT:
+ case SSH_AUTH_STATE_PUBKEY_OFFER_SENT:
return 0;
default:
return 1;
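Review bot: The new labels are listed as AUTH_SENT then OFFER_SENT here, but as OFFER_SENT then AUTH_SENT in the ssh_userauth_get_response hunk and in the enum. Behaviour is identical, but keeping enum order in both switches makes it easier to confirm by eye that every in-flight state is covered in each place: `case SSH_AUTH_STATE_PUBKEY_OFFER_SENT:` followed by `case SSH_AUTH_STATE_PUBKEY_AUTH_SENT:`. The switch begins above the hunk.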
@@ -137,6 +139,8 @@ static int ssh_userauth_get_response(ssh_session session) {
case SSH_AUTH_STATE_GSSAPI_REQUEST_SENT:
case SSH_AUTH_STATE_GSSAPI_TOKEN:
case SSH_AUTH_STATE_GSSAPI_MIC_SENT:
+ case SSH_AUTH_STATE_PUBKEY_OFFER_SENT:
+ case SSH_AUTH_STATE_PUBKEY_AUTH_SENT:
case SSH_AUTH_STATE_NONE:
/* not reached */
rc = SSH_AUTH_ERROR;
@@ -275,21 +279,27 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_success){
SSH_PACKET_CALLBACK(ssh_packet_userauth_pk_ok){
int rc;
- SSH_LOG(SSH_LOG_TRACE, "Received SSH_USERAUTH_PK_OK/INFO_REQUEST/GSSAPI_RESPONSE");
+ SSH_LOG(SSH_LOG_TRACE,
+ "Received SSH_USERAUTH_PK_OK/INFO_REQUEST/GSSAPI_RESPONSE");
- if(session->auth_state==SSH_AUTH_STATE_KBDINT_SENT){
+ if (session->auth_state == SSH_AUTH_STATE_KBDINT_SENT) {
/* Assuming we are in keyboard-interactive context */
SSH_LOG(SSH_LOG_TRACE,
- "keyboard-interactive context, assuming SSH_USERAUTH_INFO_REQUEST");
- rc=ssh_packet_userauth_info_request(session,type,packet,user);
+ "keyboard-interactive context, "
+ "assuming SSH_USERAUTH_INFO_REQUEST");
+ rc = ssh_packet_userauth_info_request(session, type, packet, user);
#ifdef WITH_GSSAPI
- } else if (session->auth_state == SSH_AUTH_STATE_GSSAPI_REQUEST_SENT){
+ } else if (session->auth_state == SSH_AUTH_STATE_GSSAPI_REQUEST_SENT) {
rc = ssh_packet_userauth_gssapi_response(session, type, packet, user);
#endif
+ } else if (session->auth_state == SSH_AUTH_STATE_PUBKEY_OFFER_SENT) {
+ session->auth_state = SSH_AUTH_STATE_PK_OK;
+ SSH_LOG(SSH_LOG_TRACE, "Assuming SSH_USERAUTH_PK_OK");
+ rc = SSH_PACKET_USED;
} else {
- session->auth_state=SSH_AUTH_STATE_PK_OK;
- SSH_LOG(SSH_LOG_TRACE, "Assuming SSH_USERAUTH_PK_OK");
- rc=SSH_PACKET_USED;
+ session->auth_state = SSH_AUTH_STATE_ERROR;
+ SSH_LOG(SSH_LOG_TRACE, "SSH_USERAUTH_PK_OK received in wrong state");
+ rc = SSH_PACKET_USED;
}
return rc;
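Review bot: The new `else` branch reports an out-of-state SSH_USERAUTH_PK_OK only at SSH_LOG_TRACE and sets no session error. A peer sending this message when no key was offered is a protocol violation that operators would want to see at default verbosity. Since only `auth_state` is changed, the caller may later read a stale or empty string from ssh_get_error(). I would raise the log level and record the reason, e.g. `ssh_set_error(session, SSH_FATAL, "SSH_USERAUTH_PK_OK received in wrong state (%d)", session->auth_state);` placed before the assignment to SSH_AUTH_STATE_ERROR. The callback's closing brace is outside the hunk.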
@@ -501,7 +511,7 @@ int ssh_userauth_try_publickey(ssh_session session,
ssh_string_free(pubkey_s);
- session->auth_state = SSH_AUTH_STATE_NONE;
+ session->auth_state = SSH_AUTH_STATE_PUBKEY_OFFER_SENT;
session->pending_call_state = SSH_PENDING_CALL_AUTH_OFFER_PUBKEY;
rc = packet_send(session);
if (rc == SSH_ERROR) {
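Review bot: `auth_state` moves to SSH_AUTH_STATE_PUBKEY_OFFER_SENT before `packet_send()` is known to have succeeded, so a failed send may leave the session in a state in which a later PK_OK is accepted. With the old pre-send value SSH_AUTH_STATE_NONE that ordering was harmless. The body of `if (rc == SSH_ERROR)` lies outside the hunk; if it does not already do so, it should reset the state, e.g. `session->auth_state = SSH_AUTH_STATE_ERROR;`, before returning. The same ordering appears in the ssh_userauth_publickey and ssh_userauth_agent_publickey hunks with SSH_AUTH_STATE_PUBKEY_AUTH_SENT.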
@@ -622,7 +632,7 @@ int ssh_userauth_publickey(ssh_session session,
goto fail;
}
- session->auth_state = SSH_AUTH_STATE_NONE;
+ session->auth_state = SSH_AUTH_STATE_PUBKEY_AUTH_SENT;
session->pending_call_state = SSH_PENDING_CALL_AUTH_PUBKEY;
rc = packet_send(session);
if (rc == SSH_ERROR) {
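Review bot: SSH_AUTH_STATE_PUBKEY_AUTH_SENT is assigned here, but no hunk in this commit checks it when SSH2_MSG_USERAUTH_SUCCESS arrives. ssh_packet_userauth_success appears only as hunk context and is not modified. On its own, this commit therefore seems to restrict only the PK_OK path, and the SUCCESS-side check presumably lands in a separate commit of the series. Because the title carries the CVE id, the commit message should say that this change is a prerequisite and not the complete fix, so that nobody backports it in isolation. The surrounding function starts and ends outside the hunk.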
@@ -706,7 +716,7 @@ static int ssh_userauth_agent_publickey(ssh_session session,
goto fail;
}
- session->auth_state = SSH_AUTH_STATE_NONE;
+ session->auth_state = SSH_AUTH_STATE_PUBKEY_AUTH_SENT;
session->pending_call_state = SSH_PENDING_CALL_AUTH_AGENT;
rc = packet_send(session);
if (rc == SSH_ERROR) {