From 85fc9764cee4ba48bb6cac71efc400415508e0d0 Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Mon, 29 Aug 2016 13:07:57 +0200 Subject: ssh: fix Codenomicon/Defensics auth problem with incomplete pdu Trailing pdu values being 0 or empty strings are just excluded from the pdu by Codenomicon/Defensics. This is wrong but some kind of habit "out there". This commit makes Erlang SSH accept such pdu in one place because Defensics is king of security tests ... --- lib/ssh/src/ssh_auth.erl | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) (limited to 'lib/ssh/src') diff --git a/lib/ssh/src/ssh_auth.erl b/lib/ssh/src/ssh_auth.erl index fb5e086656..1dcf5d0708 100644 --- a/lib/ssh/src/ssh_auth.erl +++ b/lib/ssh/src/ssh_auth.erl @@ -264,12 +264,23 @@ handle_userauth_request(#ssh_msg_userauth_request{user = User, SessionId, #ssh{opts = Opts, userauth_supported_methods = Methods} = Ssh) -> - <> = Data, - Alg = binary_to_list(BAlg), + + <> = Data, + + {KeyBlob, SigWLen} = + case Rest of + <> -> + {KeyBlob0, SigWLen0}; + <<>> -> + {<<>>, <<>>} + end, + case HaveSig of ?TRUE -> - case verify_sig(SessionId, User, "ssh-connection", Alg, + case verify_sig(SessionId, User, "ssh-connection", + binary_to_list(BAlg), KeyBlob, SigWLen, Opts) of true -> {authorized, User, @@ -284,7 +295,7 @@ handle_userauth_request(#ssh_msg_userauth_request{user = User, ?FALSE -> {not_authorized, {User, undefined}, ssh_transport:ssh_packet( - #ssh_msg_userauth_pk_ok{algorithm_name = Alg, + #ssh_msg_userauth_pk_ok{algorithm_name = binary_to_list(BAlg), key_blob = KeyBlob}, Ssh)} end; -- cgit v1.2.3
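Review bot: The `<<>> ->` clause of `case Rest of` binds `KeyBlob` and `SigWLen` to `<<>>` and lets the request continue as if a key had been sent. With `?FALSE` the second hunk then answers `#ssh_msg_userauth_pk_ok{... key_blob = KeyBlob}` for an empty blob, and with `?TRUE` an empty key and signature are handed to `verify_sig`. Tolerating the truncated pdu should mean parsing it without a badmatch, not acknowledging a key: I would add a clause `?FALSE when KeyBlob =:= <<>> ->` ahead of `?FALSE ->` that returns the function's normal failure reply, and put `%% Non-conforming peer: trailing key blob and signature omitted` on the `<<>>` clause. Whether `verify_sig` returns `false` rather than raising on an empty blob cannot be seen here, since it is defined outside the hunk, and `handle_userauth_request` itself starts and ends outside it. The binary patterns are stripped to `<>` on this page, so this reading rests on the variable names bound in the clause bodies.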