From 06cefe1d67491bc2217bd574fd1aa09384d15e6e Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 14 Aug 2025 13:47:59 +0200
Subject: [PATCH] packet: Implement packet filter for non-implemented GSSAPI messages

Signed-off-by: Jakub Jelen
Reviewed-by: Andreas Schneider
---
 src/packet.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 46 insertions(+), 3 deletions(-)

diff --git a/src/packet.c b/src/packet.c
index 99a35b74..7647892c 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -749,15 +749,58 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
 rc = SSH_PACKET_ALLOWED;
 break;
 case SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE: // 63
- /* TODO Not filtered */
+ /* Server only. Ignored */
+ /*
+ * States required:
+ * - session_state == SSH_SESSION_STATE_AUTHENTICATING
+ * - session->gssapi->state == SSH_GSSAPI_STATE_RCV_MIC (TODO)
+ *
+ * Transitions:
+ * - None
+ */
+ if (session->client) {
+ rc = SSH_PACKET_DENIED;
+ break;
+ }
+ if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) {
+ rc = SSH_PACKET_DENIED;
+ break;
+ }
 rc = SSH_PACKET_ALLOWED;
 break;
 case SSH2_MSG_USERAUTH_GSSAPI_ERROR: // 64
- /* TODO Not filtered */
+ /* Client only. Ignored */
+ /*
+ * States required:
+ * - session_state == SSH_SESSION_STATE_AUTHENTICATING
+ *
+ * Transitions:
+ * - None
+ */
+ if (session->server) {
+ rc = SSH_PACKET_DENIED;
+ break;
+ }
+ if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) {
+ rc = SSH_PACKET_DENIED;
+ break;
+ }
+
 rc = SSH_PACKET_ALLOWED;
 break;
 case SSH2_MSG_USERAUTH_GSSAPI_ERRTOK: // 65
- /* TODO Not filtered */
+ /*
+ * States required:
+ * - session_state == SSH_SESSION_STATE_AUTHENTICATING
+ *
+ * Transitions:
+ * - None
+ */
+ if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) {
+ rc = SSH_PACKET_DENIED;
+ break;
+ }
+
 rc = SSH_PACKET_ALLOWED;
 break;
 case SSH2_MSG_USERAUTH_GSSAPI_MIC: // 66
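Review bot: The `SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE` case lists `session->gssapi->state == SSH_GSSAPI_STATE_RCV_MIC` as a required state but leaves it as a TODO, so the filter accepts message 63 from any peer that is in `SSH_SESSION_STATE_AUTHENTICATING`, whether or not a GSSAPI exchange was ever started. The 64 and 65 cases likewise check only `session_state`, so none of the three ties the message to an in-progress GSSAPI authentication. If the GSSAPI context and its state enum are visible from packet.c in this build, a guard such as `if (session->gssapi == NULL || session->gssapi->state != SSH_GSSAPI_STATE_RCV_MIC) { rc = SSH_PACKET_DENIED; break; }` would enforce the documented precondition for 63; the NULL test matters because the pointer is presumably unset before a GSSAPI request. If it cannot be enforced here, the comment should say so plainly, e.g. `/* gssapi state is NOT checked by this filter; handlers must validate it */`, and the ERRTOK case deserves a one-line role comment like its siblings, since it alone has no client/server check (which looks intentional). The enclosing `ssh_packet_incoming_filter` starts and ends outside the hunk.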