Uppity: option to always send PK_OK / RSA1 challenge.

This allows me to deliberately provoke the conditions for the stale-pointer bug in the agent key list parsing.
2025-07-02 20:12:48 -05:00 · 2020-02-05 21:14:26 +00:00
parent 45287b627d
commit 555aabebde
4 changed files with 44 additions and 15 deletions
--- a/ssh2userauth-server.c
+++ b/ssh2userauth-server.c
@ -203,7 +203,7 @@ static void ssh2_userauth_server_process_queue(PacketProtocolLayer *ppl)
                goto failure;
            }
        } else if (ptrlen_eq_string(s->method, "publickey")) {
-            bool has_signature, success;
+            bool has_signature, success, send_pk_ok, key_really_ok;
            ptrlen algorithm, blob, signature;
            const ssh_keyalg *keyalg;
            ssh_key *key;
@ -217,7 +217,23 @@ static void ssh2_userauth_server_process_queue(PacketProtocolLayer *ppl)
            algorithm = get_string(pktin);
            blob = get_string(pktin);

-            if (!auth_publickey(s->authpolicy, s->username, blob))
+            key_really_ok = auth_publickey(s->authpolicy, s->username, blob);
+            send_pk_ok = key_really_ok ||
+                s->ssc->stunt_pretend_to_accept_any_pubkey;
+
+            if (!has_signature) {
+                if (!send_pk_ok)
+                    goto failure;
+
+                pktout = ssh_bpp_new_pktout(
+                    s->ppl.bpp, SSH2_MSG_USERAUTH_PK_OK);
+                put_stringpl(pktout, algorithm);
+                put_stringpl(pktout, blob);
+                pq_push(s->ppl.out_pq, pktout);
+                continue; /* skip USERAUTH_{SUCCESS,FAILURE} epilogue */
+            }
+
+            if (!key_really_ok)
                goto failure;

            keyalg = find_pubkey_alg_len(algorithm);
@ -227,16 +243,6 @@ static void ssh2_userauth_server_process_queue(PacketProtocolLayer *ppl)
            if (!key)
                goto failure;

-            if (!has_signature) {
-                ssh_key_free(key);
-                pktout = ssh_bpp_new_pktout(
-                    s->ppl.bpp, SSH2_MSG_USERAUTH_PK_OK);
-                put_stringpl(pktout, algorithm);
-                put_stringpl(pktout, blob);
-                pq_push(s->ppl.out_pq, pktout);
-                continue; /* skip USERAUTH_{SUCCESS,FAILURE} epilogue */
-            }
-
            sigdata = strbuf_new();
            ssh2_userauth_server_add_session_id(s, sigdata);
            put_byte(sigdata, SSH2_MSG_USERAUTH_REQUEST);