cl-PAM-noprompts.patch
Stephen Hurd authoredStephen Hurd authored
cl-PAM-noprompts.patch 4.01 KiB
--- ../tmp2/session/ssh2_authc.c 2018-12-14 17:31:34.000000000 -0500
+++ session/ssh2_authc.c 2019-06-03 16:41:49.956986000 -0400
@@ -868,7 +868,7 @@
if( !cryptStatusError( status ) )
{
status = CRYPT_OK; /* readUint32() returns a count value */
- if( noPrompts <= 0 || noPrompts > 4 )
+ if( noPrompts < 0 || noPrompts > 4 )
{
/* Requesting zero or more than a small number of prompts is
suspicious */
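Review bot: The comment under the relaxed range check still says that requesting zero prompts is suspicious, but the new condition `noPrompts < 0 || noPrompts > 4` now accepts zero. The comment should be updated to match, for example `/* Requesting a negative or more than a small number of prompts is suspicious */`, and it should say why a zero-prompt request is accepted. The body of this `if` continues outside the hunk, so the status it sets on rejection is not visible here.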
@@ -876,49 +876,52 @@
}
}
}
- if( cryptStatusOK( status ) )
+ if( noPrompts > 0 )
{
- status = readString32( &stream, promptBuffer,
+ if( cryptStatusOK( status ) )
+ {
+ status = readString32( &stream, promptBuffer,
CRYPT_MAX_TEXTSIZE, &promptLength );
- if( cryptStatusOK( status ) && promptLength <= 0 )
+ if( cryptStatusOK( status ) && promptLength <= 0 )
+ {
+ /* We must have at least some sort of prompt given that we
+ require num_prompts to be nonzero */
+ status = CRYPT_ERROR_BADDATA;
+ }
+ }
+ sMemDisconnect( &stream );
+ if( cryptStatusError( status ) )
{
- /* We must have at least some sort of prompt given that we
- require num_prompts to be nonzero */
- status = CRYPT_ERROR_BADDATA;
+ retExt( status,
+ ( status, SESSION_ERRINFO,
+ "Invalid PAM authentication request packet" ) );
}
- }
- sMemDisconnect( &stream );
- if( cryptStatusError( status ) )
- {
- retExt( status,
- ( status, SESSION_ERRINFO,
- "Invalid PAM authentication request packet" ) );
- }
- REQUIRES( nameLength >= 0 && nameLength <= CRYPT_MAX_TEXTSIZE );
- REQUIRES( promptLength >= 1 && promptLength <= CRYPT_MAX_TEXTSIZE );
+ REQUIRES( nameLength >= 0 && nameLength <= CRYPT_MAX_TEXTSIZE );
+ REQUIRES( promptLength >= 1 && promptLength <= CRYPT_MAX_TEXTSIZE );
- /* Make sure that we're being asked for some form of password
- authentication. This assumes that the prompt string begins with the
- word "password" (which always seems to be the case), if it isn't then
- it may be necessary to do a substring search */
- if( promptLength < 8 || \
- !strIsPrintable( promptBuffer, promptLength ) || \
- strCompare( promptBuffer, "Password", 8 ) )
- {
- /* The following may produce somewhat inconsistent results in terms
- of what it reports because it's unclear what 'name' actually is,
- on the off chance that something fills this in it could produce
- a less appropriate error message than the prompt, but we
- opportunistically try it in case it contains something useful */
- retExt( CRYPT_ERROR_BADDATA,
- ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
- "Server requested unknown PAM authentication type '%s'",
- ( nameLength > 0 ) ? \
- sanitiseString( nameBuffer, CRYPT_MAX_TEXTSIZE, \
- nameLength ) : \
- sanitiseString( promptBuffer, CRYPT_MAX_TEXTSIZE, \
- promptLength ) ) );
- }
+ /* Make sure that we're being asked for some form of password
+ authentication. This assumes that the prompt string begins with the
+ word "password" (which always seems to be the case), if it isn't then
+ it may be necessary to do a substring search */
+ if( promptLength < 8 || \
+ !strIsPrintable( promptBuffer, promptLength ) || \
+ strCompare( promptBuffer, "Password", 8 ) )
+ {
+ /* The following may produce somewhat inconsistent results in terms
+ of what it reports because it's unclear what 'name' actually is,
+ on the off chance that something fills this in it could produce
+ a less appropriate error message than the prompt, but we
+ opportunistically try it in case it contains something useful */
+ retExt( CRYPT_ERROR_BADDATA,
+ ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
+ "Server requested unknown PAM authentication type '%s'",
+ ( nameLength > 0 ) ? \
+ sanitiseString( nameBuffer, CRYPT_MAX_TEXTSIZE, \
+ nameLength ) : \
+ sanitiseString( promptBuffer, CRYPT_MAX_TEXTSIZE, \
+ promptLength ) ) );
+ }
+ }
REQUIRES( passwordPtr != NULL && \
passwordPtr->valueLength > 0 && \
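Review bot: Moving `sMemDisconnect( &stream );` and the `cryptStatusError( status )` return inside `if( noPrompts > 0 )` means a request whose earlier fields failed to parse is no longer rejected when noPrompts is not positive, and the memory stream is never disconnected on that path. The assignment of noPrompts is outside the hunk, but if it holds the readUint32() result, a read error leaves it negative and execution falls through to the `REQUIRES( passwordPtr != NULL ...` code with status still an error. I would gate only the prompt handling: use `if( cryptStatusOK( status ) && noPrompts > 0 )` around the readString32() call, keep the disconnect and the `retExt()` error return unconditional, and wrap the "Password" prompt check in a second `if( noPrompts > 0 )`. The code after the hunk is cut off here; if it sends the password regardless of noPrompts, a zero-prompt request would receive the password without the prompt check having run, so that path should return an empty response instead.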