1
1

server: fix pubkey reply for key probes

Per RFC 4252, it is required to send back only one of either
SSH_MSG_USERAUTH_PK_OK or SSH_MSG_USERAUTH_FAILURE for public
key probes.

Update the handling of 'auth_pubkey_function' to send back PK_OK
instead of SSH_MSG_USERAUTH_SUCCESS for the case that the state
of the message at hand is SSH_PUBLICKEY_STATE_NONE.

With this change, it is now possible to process an initial key probe
and then subsequent signature validation using the server callbacks.

Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Этот коммит содержится в:
Jon Simons 2013-11-02 01:34:46 -07:00 коммит произвёл Andreas Schneider
родитель ce1d73e0f0
Коммит d4f5a0e6ab

Просмотреть файл

@ -120,10 +120,18 @@ static int ssh_execute_server_request(ssh_session session, ssh_message msg)
msg->auth_request.username, msg->auth_request.pubkey, msg->auth_request.username, msg->auth_request.pubkey,
msg->auth_request.signature_state, msg->auth_request.signature_state,
session->server_callbacks->userdata); session->server_callbacks->userdata);
if (rc == SSH_AUTH_SUCCESS || rc == SSH_AUTH_PARTIAL){ if (msg->auth_request.signature_state != SSH_PUBLICKEY_STATE_NONE) {
if (rc == SSH_AUTH_SUCCESS || rc == SSH_AUTH_PARTIAL) {
ssh_message_auth_reply_success(msg, rc == SSH_AUTH_PARTIAL); ssh_message_auth_reply_success(msg, rc == SSH_AUTH_PARTIAL);
} else { } else {
ssh_message_reply_default(msg); ssh_message_reply_default(msg);
}
} else {
if (rc == SSH_AUTH_SUCCESS) {
ssh_message_auth_reply_pk_ok_simple(msg);
} else {
ssh_message_reply_default(msg);
}
} }
return SSH_OK; return SSH_OK;