From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001
From: djm <djm@openbsd.org>
Date: Tue, 31 Jul 2018 03:10:27 +0000
Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?=
 =?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?=
 =?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?=
 =?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 auth2-gss.c       | 11 +++++++----
 auth2-hostbased.c | 11 ++++++-----
 auth2-pubkey.c    | 25 +++++++++++++++----------
 3 files changed, 28 insertions(+), 19 deletions(-)

diff --git a/auth2-gss.c b/auth2-gss.c
index 1ca8357..250e93d 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -68,9 +68,6 @@ userauth_gssapi(Authctxt *authctxt)
 	u_int len;
 	u_char *doid = NULL;
 
-	if (!authctxt->valid || authctxt->user == NULL)
-		return (0);
-
 	mechs = packet_get_int();
 	if (mechs == 0) {
 		debug("Mechanism negotiation is not supported");
@@ -101,6 +98,12 @@ userauth_gssapi(Authctxt *authctxt)
 		return (0);
 	}
 
+       if (!authctxt->valid || authctxt->user == NULL) {
+               debug2("%s: disabled because of invalid user", __func__);
+               free(doid);
+               return (0);
+       }
+
 	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
 		if (ctxt != NULL)
 			ssh_gssapi_delete_ctx(&ctxt);
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 1b3c3b2..0076a34 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.26 2016/03/07 19:02:43 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.36 2018/07/31 03:10:27 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -66,10 +66,6 @@ userauth_hostbased(Authctxt *authctxt)
 	int pktype;
 	int authenticated = 0;
 
-	if (!authctxt->valid) {
-		debug2("userauth_hostbased: disabled because of invalid user");
-		return 0;
-	}
 	pkalg = packet_get_string(&alen);
 	pkblob = packet_get_string(&blen);
 	chost = packet_get_string(NULL);
@@ -115,6 +111,11 @@ userauth_hostbased(Authctxt *authctxt)
 		goto done;
 	}
 
+       if (!authctxt->valid || authctxt->user == NULL) {
+               debug2("%s: disabled because of invalid user", __func__);
+               goto done;
+       }
+
 	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
 	    authctxt->service;
 	buffer_init(&b);
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 3e5706f..301b17f 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.62 2017/01/30 01:03:00 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.83 2018/07/31 03:10:27 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -79,16 +79,12 @@ userauth_pubkey(Authctxt *authctxt)
 {
 	Buffer b;
 	Key *key = NULL;
-	char *pkalg, *userstyle, *fp = NULL;
-	u_char *pkblob, *sig;
+	char *pkalg = NULL, *userstyle = NULL, *fp = NULL;
+	u_char *pkblob = NULL, *sig = NULL;
 	u_int alen, blen, slen;
 	int have_sig, pktype;
 	int authenticated = 0;
 
-	if (!authctxt->valid) {
-		debug2("%s: disabled because of invalid user", __func__);
-		return 0;
-	}
 	have_sig = packet_get_char();
 	if (datafellows & SSH_BUG_PKAUTH) {
 		debug2("%s: SSH_BUG_PKAUTH", __func__);
@@ -149,6 +145,11 @@ userauth_pubkey(Authctxt *authctxt)
 		} else {
 			buffer_put_string(&b, session_id2, session_id2_len);
 		}
+                if (!authctxt->valid || authctxt->user == NULL) {
+                        debug2("%s: disabled because of invalid user",
+                            __func__);
+                        goto done;
+                }
 		/* reconstruct packet */
 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
 		xasprintf(&userstyle, "%s%s%s", authctxt->user,
@@ -184,12 +185,17 @@ userauth_pubkey(Authctxt *authctxt)
 			key = NULL; /* Don't free below */
 		}
 		buffer_free(&b);
-		free(sig);
 	} else {
 		debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
 		    __func__, sshkey_type(key), fp);
 		packet_check_eom();
 
+                if (!authctxt->valid || authctxt->user == NULL) {
+                        debug2("%s: disabled because of invalid user",
+                            __func__);
+                        goto done;
+                }
+
 		/* XXX fake reply and always send PK_OK ? */
 		/*
 		 * XXX this allows testing whether a user is allowed
@@ -216,6 +222,7 @@ done:
 	free(pkalg);
 	free(pkblob);
 	free(fp);
+        free(sig);
 	return authenticated;
 }