
cl-PAM-noprompts.patch

      d3579e40
      Update Cryptlib to 3.4.5 · d3579e40
      deuce authored
      This version has a lot more assumptions that the whole world runs Linux
      in it, and just a small number of previously reported bugs actually fixed.
      
      I think the patch count has actually gone up rather than down for this.
      
      As it turns out, the thing I was trying to fix (https://pskreporter.info not
      working with HTTP.js) is not fixed in the new version and was just yet
      another arbitrary undocumented limit being hit.
      
      This *may* break anything crypto-related, though it seems to work on FreeBSD
      fine.  Win32 build not tested since Digital Man provides precompiled libs
      for that, and mingw32 builds not yet tested.
      
      Please report any *NEW* crypto-related issues after getting this to work.
      
      Oh yeah, it also looks like the cryptlib dependency for Synchronet got
      broken somewhere, so the easiest way to rebuild with the new cryptlib is
      to build SyncTERM first.  I'll try to get this one fixed soonish.
    cl-PAM-noprompts.patch 4.01 KiB
    --- ../tmp2/session/ssh2_authc.c	2018-12-14 17:31:34.000000000 -0500
    +++ session/ssh2_authc.c	2019-06-03 16:41:49.956986000 -0400
    @@ -868,7 +868,7 @@
     		if( !cryptStatusError( status ) )
     			{
     			status = CRYPT_OK;	/* readUint32() returns a count value */
    -			if( noPrompts <= 0 || noPrompts > 4 )
    +			if( noPrompts < 0 || noPrompts > 4 )
     				{
     				/* Requesting zero or more than a small number of prompts is 
     				   suspicious */
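Review bot: The context comment under the relaxed check still reads "Requesting zero or more than a small number of prompts is suspicious", which no longer matches `noPrompts < 0 || noPrompts > 4` now that a zero count is accepted. Because this value comes from the server's authentication request, the comment should state the policy the code actually enforces, e.g. `/* A negative count or more than a small number of prompts is suspicious; a zero count is accepted */`. The body of this branch and the rest of the function lie outside the hunk, so the status assigned to a rejected count cannot be confirmed from here.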
    @@ -876,49 +876,52 @@
     				}
     			}
     		}
    -	if( cryptStatusOK( status ) )
    +	if( noPrompts > 0 )
     		{
    -		status = readString32( &stream, promptBuffer, 
    +		if( cryptStatusOK( status ) )
    + 			{
    +			status = readString32( &stream, promptBuffer, 
     							   CRYPT_MAX_TEXTSIZE, &promptLength );
    -		if( cryptStatusOK( status ) && promptLength <= 0 )
    +			if( cryptStatusOK( status ) && promptLength <= 0 )
    +				{
    +				/* We must have at least some sort of prompt given that we 
    +				   require num_prompts to be nonzero */
    +				status = CRYPT_ERROR_BADDATA;
    +				}
    +			}
    +		sMemDisconnect( &stream );
    +		if( cryptStatusError( status ) )
     			{
    -			/* We must have at least some sort of prompt given that we 
    -			   require num_prompts to be nonzero */
    -			status = CRYPT_ERROR_BADDATA;
    +			retExt( status,
    +					( status, SESSION_ERRINFO, 
    +					  "Invalid PAM authentication request packet" ) );
     			}
    -		}
    -	sMemDisconnect( &stream );
    -	if( cryptStatusError( status ) )
    -		{
    -		retExt( status,
    -				( status, SESSION_ERRINFO, 
    -				  "Invalid PAM authentication request packet" ) );
    -		}
    -	REQUIRES( nameLength >= 0 && nameLength <= CRYPT_MAX_TEXTSIZE );
    -	REQUIRES( promptLength >= 1 && promptLength <= CRYPT_MAX_TEXTSIZE );
    +		REQUIRES( nameLength >= 0 && nameLength <= CRYPT_MAX_TEXTSIZE );
    +		REQUIRES( promptLength >= 1 && promptLength <= CRYPT_MAX_TEXTSIZE );
     
    -	/* Make sure that we're being asked for some form of password 
    -	   authentication.  This assumes that the prompt string begins with the 
    -	   word "password" (which always seems to be the case), if it isn't then 
    -	   it may be necessary to do a substring search */
    -	if( promptLength < 8 || \
    -		!strIsPrintable( promptBuffer, promptLength ) || \
    -		strCompare( promptBuffer, "Password", 8 ) )
    -		{
    -		/* The following may produce somewhat inconsistent results in terms
    -		   of what it reports because it's unclear what 'name' actually is, 
    -		   on the off chance that something fills this in it could produce
    -		   a less appropriate error message than the prompt, but we 
    -		   opportunistically try it in case it contains something useful */
    -		retExt( CRYPT_ERROR_BADDATA,
    -				( CRYPT_ERROR_BADDATA, SESSION_ERRINFO, 
    -				  "Server requested unknown PAM authentication type '%s'", 
    -				  ( nameLength > 0 ) ? \
    -				  sanitiseString( nameBuffer, CRYPT_MAX_TEXTSIZE, \
    -								  nameLength ) : \
    -				  sanitiseString( promptBuffer, CRYPT_MAX_TEXTSIZE, \
    -								  promptLength ) ) );
    -		}
    +		/* Make sure that we're being asked for some form of password 
    +		   authentication.  This assumes that the prompt string begins with the 
    +		   word "password" (which always seems to be the case), if it isn't then 
    +		   it may be necessary to do a substring search */
    +		if( promptLength < 8 || \
    +			!strIsPrintable( promptBuffer, promptLength ) || \
    +			strCompare( promptBuffer, "Password", 8 ) )
    +			{
    +			/* The following may produce somewhat inconsistent results in terms
    +			   of what it reports because it's unclear what 'name' actually is, 
    +			   on the off chance that something fills this in it could produce
    +			   a less appropriate error message than the prompt, but we 
    +			   opportunistically try it in case it contains something useful */
    +			retExt( CRYPT_ERROR_BADDATA,
    +					( CRYPT_ERROR_BADDATA, SESSION_ERRINFO, 
    +					  "Server requested unknown PAM authentication type '%s'", 
    +					  ( nameLength > 0 ) ? \
    +					  sanitiseString( nameBuffer, CRYPT_MAX_TEXTSIZE, \
    +									  nameLength ) : \
    +					  sanitiseString( promptBuffer, CRYPT_MAX_TEXTSIZE, \
    +									  promptLength ) ) );
    +			}
    +	}
     
     	REQUIRES( passwordPtr != NULL && \
     			  passwordPtr->valueLength > 0 && \
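Review bot: Wrapping the whole tail in `if( noPrompts > 0 )` also moves `sMemDisconnect( &stream )` and the `cryptStatusError( status )` return inside the guard, so on a zero-prompt request the stream is never disconnected, and any error status left by the earlier field reads is dropped whenever noPrompts is not positive (how it is set on those paths is outside the hunk). The function then carries on to the `passwordPtr` checks as if the packet had parsed cleanly, which should not happen for server-controlled input in an authentication exchange; it is also worth confirming that the code after this hunk does not send the password in reply to a request that asked for no prompts. Guard only the prompt read and the "Password" comparison, and keep the disconnect, the error return and the `nameLength` REQUIRES unconditional, as sketched below. The closing brace that ends the new block sits one tab to the left of its opening brace, unlike the surrounding code.

```c
	if( cryptStatusOK( status ) && noPrompts > 0 )
		{
		status = readString32( &stream, promptBuffer, 
							   CRYPT_MAX_TEXTSIZE, &promptLength );
		/* … unchanged: promptLength <= 0 -> CRYPT_ERROR_BADDATA … */
		}
	sMemDisconnect( &stream );
	if( cryptStatusError( status ) )
		{
		/* … unchanged: retExt "Invalid PAM authentication request packet" … */
		}
	REQUIRES( nameLength >= 0 && nameLength <= CRYPT_MAX_TEXTSIZE );
	if( noPrompts > 0 )
		{
		REQUIRES( promptLength >= 1 && promptLength <= CRYPT_MAX_TEXTSIZE );
		/* … unchanged: printable / "Password" prefix check and its retExt … */
		}
```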