mirror of https://git.tartarus.org/simon/putty.git synced 2025-07-01 11:32:48 -05:00

Promote ssh2_userauth_antispoof_msg into utils.

It doesn't actually do anything specific to the userauth layer; it's
just a helper function that deals with the mechanics of printing an
unspoofable message on various kinds of front end, and the only
parameters it needs are a Seat and a message.

Currently, it's used for 'here is the start/end of the server banner'
only. But it's also got all the right functionality to be used for the
(still missing) messages about which proxy SSH server the next set of
login prompts are going to refer to.
Simon Tatham
2021-09-16 11:43:02 +01:00
parent adf6b698e4
commit fb663d4761
4 changed files with 43 additions and 37 deletions


@ -114,8 +114,6 @@ static void ssh2_userauth_add_session_id(
static PktOut *ssh2_userauth_gss_packet(
struct ssh2_userauth_state *s, const char *authtype);
#endif
static void ssh2_userauth_antispoof_msg(
struct ssh2_userauth_state *s, const char *msg);
static const PacketProtocolLayerVtable ssh2_userauth_vtable = {
.free = ssh2_userauth_free,
@ -522,8 +520,9 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl)
if (bufchain_size(&s->banner) &&
(seat_verbose(s->ppl.seat) || seat_interactive(s->ppl.seat))) {
if (s->banner_scc) {
ssh2_userauth_antispoof_msg(
s, "Pre-authentication banner message from server:");
seat_antispoof_msg(
s->ppl.seat,
"Pre-authentication banner message from server:");
seat_set_trust_status(s->ppl.seat, false);
}
@ -542,8 +541,8 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl)
if (s->banner_scc) {
seat_set_trust_status(s->ppl.seat, true);
ssh2_userauth_antispoof_msg(
s, "End of banner message from server");
seat_antispoof_msg(s->ppl.seat,
"End of banner message from server");
}
}
@ -1343,8 +1342,8 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl)
*/
if (!s->ki_printed_header && s->ki_scc &&
(s->num_prompts || name.len || inst.len)) {
ssh2_userauth_antispoof_msg(
s, "Keyboard-interactive authentication "
seat_antispoof_msg(
s->ppl.seat, "Keyboard-interactive authentication "
"prompts from server:");
s->ki_printed_header = true;
seat_set_trust_status(s->ppl.seat, false);
@ -1446,8 +1445,9 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl)
*/
if (s->ki_printed_header) {
seat_set_trust_status(s->ppl.seat, true);
ssh2_userauth_antispoof_msg(
s, "End of keyboard-interactive prompts from server");
seat_antispoof_msg(
s->ppl.seat,
"End of keyboard-interactive prompts from server");
}
/*
@ -1895,30 +1895,3 @@ static void ssh2_userauth_reconfigure(PacketProtocolLayer *ppl, Conf *conf)
container_of(ppl, struct ssh2_userauth_state, ppl);
ssh_ppl_reconfigure(s->successor_layer, conf);
}
static void ssh2_userauth_antispoof_msg(
struct ssh2_userauth_state *s, const char *msg)
{
strbuf *sb = strbuf_new();
seat_set_trust_status(s->ppl.seat, true);
if (seat_can_set_trust_status(s->ppl.seat)) {
/*
* If the seat can directly indicate that this message is
* generated by the client, then we can just use the message
* unmodified as an unspoofable header.
*/
put_datapl(sb, ptrlen_from_asciz(msg));
} else {
/*
* Otherwise, add enough padding around it that the server
* wouldn't be able to mimic it within our line-length
* constraint.
*/
strbuf_catf(sb, "-- %s ", msg);
while (sb->len < 78)
put_byte(sb, '-');
}
put_datapl(sb, PTRLEN_LITERAL("\r\n"));
seat_banner_pl(s->ppl.seat, ptrlen_from_strbuf(sb));
strbuf_free(sb);
}
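Review bot: The trust-status ordering around the new `seat_antispoof_msg` calls in ssh2_userauth_process_queue is security-relevant but undocumented at the call sites. The removed ssh2_userauth_antispoof_msg called `seat_set_trust_status(s->ppl.seat, true)` before emitting anything, and the banner and keyboard-interactive header sites rely on that because they only drop trust afterwards; the replacement's definition is not in this file section, so it should be confirmed that it still raises trust itself. I would add a comment at the banner site, for example `/* seat_antispoof_msg prints as trusted client output; drop trust before any server-supplied text follows */`, and state the same contract in the doc comment on the promoted function. The body of ssh2_userauth_process_queue starts and ends outside these hunks, so other paths that change the trust status are not visible here.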