From 20981bf2296202e95d7919394d4610ae3a876cfa Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Wed, 19 Sep 2018 17:01:15 +0200
Subject: CVE-2018-10933: Introduce SSH_AUTH_STATE_AUTH_NONE_SENT

The introduced auth state allows to identify when a request without
authentication information was sent.

Fixes T101

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
 include/libssh/auth.h | 2 ++
 src/auth.c            | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/include/libssh/auth.h b/include/libssh/auth.h
index 899282c1..90b377d4 100644
--- a/include/libssh/auth.h
+++ b/include/libssh/auth.h
@@ -82,6 +82,8 @@ enum ssh_auth_state_e {
   SSH_AUTH_STATE_PUBKEY_AUTH_SENT,
   /** We have sent a password expecting to be authenticated */
   SSH_AUTH_STATE_PASSWORD_AUTH_SENT,
+  /** We have sent a request without auth information (method 'none') */
+  SSH_AUTH_STATE_AUTH_NONE_SENT,
 };
 
 /** @internal
diff --git a/src/auth.c b/src/auth.c
index 2b06d2e1..993e6dfe 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -88,6 +88,7 @@ static int ssh_auth_response_termination(void *user) {
         case SSH_AUTH_STATE_PUBKEY_AUTH_SENT:
         case SSH_AUTH_STATE_PUBKEY_OFFER_SENT:
         case SSH_AUTH_STATE_PASSWORD_AUTH_SENT:
+        case SSH_AUTH_STATE_AUTH_NONE_SENT:
             return 0;
         default:
             return 1;
@@ -173,6 +174,7 @@ static int ssh_userauth_get_response(ssh_session session) {
         case SSH_AUTH_STATE_PUBKEY_OFFER_SENT:
         case SSH_AUTH_STATE_PUBKEY_AUTH_SENT:
         case SSH_AUTH_STATE_PASSWORD_AUTH_SENT:
+        case SSH_AUTH_STATE_AUTH_NONE_SENT:
         case SSH_AUTH_STATE_NONE:
             /* not reached */
             rc = SSH_AUTH_ERROR;
@@ -428,7 +430,7 @@ int ssh_userauth_none(ssh_session session, const char *username) {
     }
 
     session->auth.current_method = SSH_AUTH_METHOD_NONE;
-    session->auth.state = SSH_AUTH_STATE_NONE;
+    session->auth.state = SSH_AUTH_STATE_AUTH_NONE_SENT;
     session->pending_call_state = SSH_PENDING_CALL_AUTH_NONE;
     rc = ssh_packet_send(session);
     if (rc == SSH_ERROR) {
-- 
cgit v1.2.3