nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 17:38:00 +00:00
Code Issues Projects Releases Wiki Activity

Uppity: option to always send PK_OK / RSA1 challenge.

Browse Source 
This allows me to deliberately provoke the conditions for the
stale-pointer bug in the agent key list parsing.
This commit is contained in:
Simon Tatham 2020-02-05 21:14:26 +00:00
parent 45287b627d
commit 555aabebde
4 changed files with 44 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
ssh1login-server.c
View File

@ -292,18 +292,34 @@ static void ssh1_login_server_process_queue(PacketProtocolLayer *ppl)
mp_int *modulus = get_mp_ssh1(pktin);
s->authkey = auth_publickey_ssh1(
s->authpolicy, s->username, modulus);
if (!s->authkey &&
s->ssc->stunt_pretend_to_accept_any_pubkey) {
mp_int *zero = mp_from_integer(0);
mp_int *fake_challenge = mp_random_in_range(zero, modulus);
pktout = ssh_bpp_new_pktout(
s->ppl.bpp, SSH1_SMSG_AUTH_RSA_CHALLENGE);
put_mp_ssh1(pktout, fake_challenge);
pq_push(s->ppl.out_pq, pktout);
mp_free(zero);
mp_free(fake_challenge);
}
mp_free(modulus);
}
if (!s->authkey)
if (!s->authkey &&
!s->ssc->stunt_pretend_to_accept_any_pubkey)
continue;
if (s->authkey->bytes < 32) {
if (s->authkey && s->authkey->bytes < 32) {
ppl_logevent("Auth key far too small");
continue;
}
{
if (s->authkey) {
unsigned char *rsabuf =
snewn(s->authkey->bytes, unsigned char);
@ -343,6 +359,9 @@ static void ssh1_login_server_process_queue(PacketProtocolLayer *ppl)
return;
}
if (!s->authkey)
continue;
{
ptrlen response = get_data(pktin, 16);
ptrlen expected = make_ptrlen(

30
ssh2userauth-server.c
View File

@ -203,7 +203,7 @@ static void ssh2_userauth_server_process_queue(PacketProtocolLayer *ppl)
goto failure;
}
} else if (ptrlen_eq_string(s->method, "publickey")) {
bool has_signature, success;
bool has_signature, success, send_pk_ok, key_really_ok;
ptrlen algorithm, blob, signature;
const ssh_keyalg *keyalg;
ssh_key *key;
@ -217,7 +217,23 @@ static void ssh2_userauth_server_process_queue(PacketProtocolLayer *ppl)
algorithm = get_string(pktin);
blob = get_string(pktin);
if (!auth_publickey(s->authpolicy, s->username, blob))
key_really_ok = auth_publickey(s->authpolicy, s->username, blob);
send_pk_ok = key_really_ok ||
s->ssc->stunt_pretend_to_accept_any_pubkey;
if (!has_signature) {
if (!send_pk_ok)
goto failure;
pktout = ssh_bpp_new_pktout(
s->ppl.bpp, SSH2_MSG_USERAUTH_PK_OK);
put_stringpl(pktout, algorithm);
put_stringpl(pktout, blob);
pq_push(s->ppl.out_pq, pktout);
continue; /* skip USERAUTH_{SUCCESS,FAILURE} epilogue */
}
if (!key_really_ok)
goto failure;
keyalg = find_pubkey_alg_len(algorithm);
@ -227,16 +243,6 @@ static void ssh2_userauth_server_process_queue(PacketProtocolLayer *ppl)
if (!key)
goto failure;
if (!has_signature) {
ssh_key_free(key);
pktout = ssh_bpp_new_pktout(
s->ppl.bpp, SSH2_MSG_USERAUTH_PK_OK);
put_stringpl(pktout, algorithm);
put_stringpl(pktout, blob);
pq_push(s->ppl.out_pq, pktout);
continue; /* skip USERAUTH_{SUCCESS,FAILURE} epilogue */
}
sigdata = strbuf_new();
ssh2_userauth_server_add_session_id(s, sigdata);
put_byte(sigdata, SSH2_MSG_USERAUTH_REQUEST);

2
sshserver.h
View File

@ -16,6 +16,8 @@ struct SshServerConfig {
unsigned long ssh1_cipher_mask;
bool ssh1_allow_compression;
bool stunt_pretend_to_accept_any_pubkey;
};
Plug *ssh_server_plug(

2
unix/uxserver.c
View File

@ -782,6 +782,8 @@ int main(int argc, char **argv)
filename_free(logfile);
conf_set_int(conf, CONF_logtype, LGTYP_SSHRAW);
conf_set_int(conf, CONF_logxfovr, LGXF_OVR);
} else if (!strcmp(arg, "--pretend-to-accept-any-pubkey")) {
ssc.stunt_pretend_to_accept_any_pubkey = true;
} else {
fprintf(stderr, "%s: unrecognised option '%s'\n", appname, arg);
exit(1);