From f67e07711f16a64f75c476e3f5873e76170a81ba Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Thu, 6 Jun 2002 20:58:19 +0000 Subject: [PATCH] - markus@cvs.openbsd.org 2002/06/04 19:53:40 [monitor.c] save the session id (hash) for ssh2 (it will be passed with the initial sign request) and verify that this value is used during authentication; ok provos@ --- ChangeLog | 7 ++++++- monitor.c | 38 +++++++++++++++++++++++++++++++------- 2 files changed, 37 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6836a24cf..515d12474 100644 --- a/ChangeLog +++ b/ChangeLog @@ -87,6 +87,11 @@ - markus@cvs.openbsd.org 2002/06/04 19:42:35 [monitor.c] only allow enabled authentication methods; ok provos@ + - markus@cvs.openbsd.org 2002/06/04 19:53:40 + [monitor.c] + save the session id (hash) for ssh2 (it will be passed with the + initial sign request) and verify that this value is used during + authentication; ok provos@ 20020604 - (stevesk) [channels.c] bug #164 patch from YOSHIFUJI Hideaki (changed @@ -771,4 +776,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2167 2002/06/06 20:57:17 mouring Exp $ +$Id: ChangeLog,v 1.2168 2002/06/06 20:58:19 mouring Exp $ diff --git a/monitor.c b/monitor.c index 6fe0afd7e..a96ca04d5 100644 --- a/monitor.c +++ b/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.12 2002/06/04 19:42:35 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.13 2002/06/04 19:53:40 markus Exp $"); #include @@ -128,6 +128,8 @@ static int key_blobtype = MM_NOKEY; static u_char *hostbased_cuser = NULL; static u_char *hostbased_chost = NULL; static char *auth_method = "unknown"; +static int session_id2_len = 0; +static u_char *session_id2 = NULL; struct mon_table { enum monitor_reqtype type; @@ -454,6 +456,13 @@ mm_answer_sign(int socket, Buffer *m) if (datlen != 20) fatal("%s: data length incorrect: %d", __FUNCTION__, datlen); + /* save session id, it will be passed on the first call */ + if (session_id2_len == 0) { + session_id2_len = datlen; + session_id2 = xmalloc(session_id2_len); + memcpy(session_id2, p, session_id2_len); + } + if ((key = get_hostkey_by_index(keyid)) == NULL) fatal("%s: no hostkey from index %d", __FUNCTION__, keyid); if (key_sign(key, &signature, &siglen, p, datlen) < 0) @@ -819,17 +828,25 @@ monitor_valid_userblob(u_char *data, u_int datalen) u_char *p; u_int len; int fail = 0; - int session_id2_len = 20 /*XXX should get from [net] */; buffer_init(&b); buffer_append(&b, data, datalen); if (datafellows & SSH_OLD_SESSIONID) { + p = buffer_ptr(&b); + len = buffer_len(&b); + if ((session_id2 == NULL) || + (len < session_id2_len) || + (memcmp(p, session_id2, session_id2_len) != 0)) + fail++; buffer_consume(&b, session_id2_len); } else { - xfree(buffer_get_string(&b, &len)); - if (len != session_id2_len) + p = buffer_get_string(&b, &len); + if ((session_id2 == NULL) || + (len != session_id2_len) || + (memcmp(p, session_id2, session_id2_len) != 0)) fail++; + xfree(p); } if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; @@ -868,14 +885,17 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, u_char *cuser, u_char *p; u_int len; int fail = 0; - int session_id2_len = 20 /*XXX should get from [net] */; buffer_init(&b); buffer_append(&b, data, datalen); - xfree(buffer_get_string(&b, &len)); - if (len != session_id2_len) + p = buffer_get_string(&b, &len); + if ((session_id2 == NULL) || + (len != session_id2_len) || + (memcmp(p, session_id2, session_id2_len) != 0)) fail++; + xfree(p); + if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; p = buffer_get_string(&b, NULL); @@ -1334,6 +1354,10 @@ mm_get_kex(Buffer *m) kex = xmalloc(sizeof(*kex)); memset(kex, 0, sizeof(*kex)); kex->session_id = buffer_get_string(m, &kex->session_id_len); + if ((session_id2 == NULL) || + (kex->session_id_len != session_id2_len) || + (memcmp(kex->session_id, session_id2, session_id2_len) != 0)) + fatal("mm_get_get: internal error: bad session id"); kex->we_need = buffer_get_int(m); kex->server = 1; kex->hostkey_type = buffer_get_int(m);