cl-PAM-noprompts.patch
deuce authored
This version has a lot more assumptions in it that the whole world runs Linux, and just a small number of previously reported bugs actually fixed. I think the patch count has actually gone up rather than down for this. As it turns out, the thing I was trying to fix (https://pskreporter.info not working with HTTP.js) is not fixed in the new version and was just yet another arbitrary undocumented limit being hit. This *may* break anything crypto-related, though it seems to work on FreeBSD fine. Win32 build not tested since Digital Man provides precompiled libs for that, and mingw32 builds not yet tested. Please report any *NEW* crypto-related issues after getting this to work. Oh yeah, it also looks like the cryptlib dependency for Synchronet got broken somewhere, so the easiest way to rebuild with the new cryptlib is to build SyncTERM first. I'll try to get this one fixed soonish.
cl-PAM-noprompts.patch 4.01 KiB
--- ../tmp2/session/ssh2_authc.c 2018-12-14 17:31:34.000000000 -0500
+++ session/ssh2_authc.c 2019-06-03 16:41:49.956986000 -0400
@@ -868,7 +868,7 @@
if( !cryptStatusError( status ) )
{
status = CRYPT_OK; /* readUint32() returns a count value */
- if( noPrompts <= 0 || noPrompts > 4 )
+ if( noPrompts < 0 || noPrompts > 4 )
{
/* Requesting zero or more than a small number of prompts is
suspicious */
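Review bot: The comment under the relaxed check still reads `Requesting zero or more than a small number of prompts is suspicious`, but with `noPrompts < 0` a zero-prompt request is now accepted, so the comment contradicts the condition it explains. I would reword it to `/* Requesting more than a small number of prompts is suspicious, a request with zero prompts is allowed */` and add a clause saying why zero is tolerated here. The body of this `if` continues outside the hunk.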
@@ -876,49 +876,52 @@
}
}
}
- if( cryptStatusOK( status ) )
+ if( noPrompts > 0 )
{
- status = readString32( &stream, promptBuffer,
+ if( cryptStatusOK( status ) )
+ {
+ status = readString32( &stream, promptBuffer,
CRYPT_MAX_TEXTSIZE, &promptLength );
- if( cryptStatusOK( status ) && promptLength <= 0 )
+ if( cryptStatusOK( status ) && promptLength <= 0 )
+ {
+ /* We must have at least some sort of prompt given that we
+ require num_prompts to be nonzero */
+ status = CRYPT_ERROR_BADDATA;
+ }
+ }
+ sMemDisconnect( &stream );
+ if( cryptStatusError( status ) )
{
- /* We must have at least some sort of prompt given that we
- require num_prompts to be nonzero */
- status = CRYPT_ERROR_BADDATA;
+ retExt( status,
+ ( status, SESSION_ERRINFO,
+ "Invalid PAM authentication request packet" ) );
}
- }
- sMemDisconnect( &stream );
- if( cryptStatusError( status ) )
- {
- retExt( status,
- ( status, SESSION_ERRINFO,
- "Invalid PAM authentication request packet" ) );
- }
- REQUIRES( nameLength >= 0 && nameLength <= CRYPT_MAX_TEXTSIZE );
- REQUIRES( promptLength >= 1 && promptLength <= CRYPT_MAX_TEXTSIZE );
+ REQUIRES( nameLength >= 0 && nameLength <= CRYPT_MAX_TEXTSIZE );
+ REQUIRES( promptLength >= 1 && promptLength <= CRYPT_MAX_TEXTSIZE );
- /* Make sure that we're being asked for some form of password
- authentication. This assumes that the prompt string begins with the
- word "password" (which always seems to be the case), if it isn't then
- it may be necessary to do a substring search */
- if( promptLength < 8 || \
- !strIsPrintable( promptBuffer, promptLength ) || \
- strCompare( promptBuffer, "Password", 8 ) )
- {
- /* The following may produce somewhat inconsistent results in terms
- of what it reports because it's unclear what 'name' actually is,
- on the off chance that something fills this in it could produce
- a less appropriate error message than the prompt, but we
- opportunistically try it in case it contains something useful */
- retExt( CRYPT_ERROR_BADDATA,
- ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
- "Server requested unknown PAM authentication type '%s'",
- ( nameLength > 0 ) ? \
- sanitiseString( nameBuffer, CRYPT_MAX_TEXTSIZE, \
- nameLength ) : \
- sanitiseString( promptBuffer, CRYPT_MAX_TEXTSIZE, \
- promptLength ) ) );
- }
+ /* Make sure that we're being asked for some form of password
+ authentication. This assumes that the prompt string begins with the
+ word "password" (which always seems to be the case), if it isn't then
+ it may be necessary to do a substring search */
+ if( promptLength < 8 || \
+ !strIsPrintable( promptBuffer, promptLength ) || \
+ strCompare( promptBuffer, "Password", 8 ) )
+ {
+ /* The following may produce somewhat inconsistent results in terms
+ of what it reports because it's unclear what 'name' actually is,
+ on the off chance that something fills this in it could produce
+ a less appropriate error message than the prompt, but we
+ opportunistically try it in case it contains something useful */
+ retExt( CRYPT_ERROR_BADDATA,
+ ( CRYPT_ERROR_BADDATA, SESSION_ERRINFO,
+ "Server requested unknown PAM authentication type '%s'",
+ ( nameLength > 0 ) ? \
+ sanitiseString( nameBuffer, CRYPT_MAX_TEXTSIZE, \
+ nameLength ) : \
+ sanitiseString( promptBuffer, CRYPT_MAX_TEXTSIZE, \
+ promptLength ) ) );
+ }
+ }
REQUIRES( passwordPtr != NULL && \
passwordPtr->valueLength > 0 && \
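Review bot: Moving `sMemDisconnect( &stream );` and the `cryptStatusError( status )` return inside `if( noPrompts > 0 )` means neither runs when noPrompts is zero or negative, so a failure status from the earlier reads or from the range check in the previous hunk appears able to fall through to the password code with the stream still connected. I would gate only the prompt handling: make the read `if( cryptStatusOK( status ) && noPrompts > 0 )`, leave the disconnect and the error return unconditional as they were, and wrap just the `REQUIRES( promptLength >= 1 ... )` line and the "Password" prompt check in a second `if( noPrompts > 0 )`. Separately, a zero-prompt request now skips the check that the server is asking for a password at all; the code after `REQUIRES( passwordPtr != NULL ...` is outside the hunk, but if it goes on to send the password, the client hands the credential to a server that never prompted for it, where RFC 4256 expects a response with zero entries. The enclosing function starts and ends outside the hunk.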