authorMatt Johnston <matt@ucc.asn.au>2018-08-23 23:43:45 +0800
committerMatt Johnston <matt@ucc.asn.au>2018-08-23 23:43:45 +0800
commitad3eacf3d65dcd2010b58790f63e4d74c4346c7c (patch)
tree953a3beeb41c85a06d10f08f9fd6cbb2e5e6b609 /svr-authpubkey.c
parent195934be96aa2aabd0bec0adf14f242155008e50 (diff)
parent52adbb34c32d3e2e1bcdb941e20a6f81138b8248 (diff)
Merge bugfix delay invalid users
Diffstat (limited to 'svr-authpubkey.c')
-rw-r--r--svr-authpubkey.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/svr-authpubkey.c b/svr-authpubkey.c
index ec14ec0..ae1402d 100644
--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
@@ -79,7 +79,7 @@ static int checkfileperm(char * filename);
/* process a pubkey auth request, sending success or failure message as
* appropriate */
-void svr_auth_pubkey() {
+void svr_auth_pubkey(int valid_user) {
unsigned char testkey; /* whether we're just checking if a key is usable */
char* algo = NULL; /* pubkey algo */
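Review bot: The comment above `svr_auth_pubkey` still describes only the old no-argument behaviour and says nothing about the new `valid_user` parameter, which changes how the request is answered. I would extend it with something like `/* valid_user is 0 when the requested username could not be resolved; the packet is still parsed and a failure is sent */`. The function body continues outside this hunk, and the matching prototype and call sites are not visible here (the diffstat is limited to this file), so they should be checked for the same signature.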
@@ -102,6 +102,15 @@ void svr_auth_pubkey() {
keybloblen = buf_getint(ses.payload);
keyblob = buf_getptr(ses.payload, keybloblen);
+ if (!valid_user) {
+ /* Return failure once we have read the contents of the packet
+ required to validate a public key.
+ Avoids blind user enumeration though it isn't possible to prevent
+ testing for user existence if the public key is known */
+ send_msg_userauth_failure(0, 0);
+ goto out;
+ }
+
/* check if the key is valid */
if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) {
send_msg_userauth_failure(0, 0);
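Review bot: The `if (!valid_user)` branch returns before `checkpubkey()` runs, so an unknown user is answered without the work done for a known user whose key does not match. If `checkpubkey()` reads files or checks permissions (its body is not in this hunk), the two cases could still be told apart by response time even though the failure message is the same. I would either confirm that the caller applies a uniform delay on this path or record the residual exposure in the new comment next to the known-key caveat, e.g. `Response timing may still differ from the valid-user path.` The `out` label is outside the hunk, so it is also worth confirming that `goto out` from here releases `algo` the same way the later failure branches do.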