From e10dec82930863e487b22978d3df107274f366b2 Mon Sep 17 00:00:00 2001
From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
Date: Thu, 19 Aug 2021 17:37:14 +0200
Subject: [PATCH] added option to disable trivial auth methods (#128)

* added option to disable trivial auth methods

* rename argument to match with other ssh clients

* fixed trivial auth detection for pubkeys

[https://github.com/mkj/dropbear/pull/128]
Upstream-Status: Backport
CVE: CVE-2021-36369
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>

---
 cli-auth.c         | 3 +++
 cli-authinteract.c | 1 +
 cli-authpasswd.c   | 2 +-
 cli-authpubkey.c   | 1 +
 cli-runopts.c      | 7 +++++++
 cli-session.c      | 1 +
 runopts.h          | 1 +
 session.h          | 1 +
 8 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/cli-auth.c b/cli-auth.c
index 2e509e5..6f04495 100644
--- a/cli-auth.c
+++ b/cli-auth.c
@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
 	if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
 
 	TRACE(("received msg_userauth_success"))
+	if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
+		dropbear_exit("trivial authentication not allowed");
+	}
 	/* Note: in delayed-zlib mode, setting authdone here 
 	 * will enable compression in the transport layer */
 	ses.authstate.authdone = 1;
diff --git a/cli-authinteract.c b/cli-authinteract.c
index e1cc9a1..f7128ee 100644
--- a/cli-authinteract.c
+++ b/cli-authinteract.c
@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
 	m_free(instruction);
 
 	for (i = 0; i < num_prompts; i++) {
+		cli_ses.is_trivial_auth = 0;
 		unsigned int response_len = 0;
 		prompt = buf_getstring(ses.payload, NULL);
 		cleantext(prompt);
diff --git a/cli-authpasswd.c b/cli-authpasswd.c
index 00fdd8b..a24d43e 100644
--- a/cli-authpasswd.c
+++ b/cli-authpasswd.c
@@ -155,7 +155,7 @@ void cli_auth_password() {
 
 	encrypt_packet();
 	m_burn(password, strlen(password));
-
+	cli_ses.is_trivial_auth = 0;
 	TRACE(("leave cli_auth_password"))
 }
 #endif	/* DROPBEAR_CLI_PASSWORD_AUTH */
diff --git a/cli-authpubkey.c b/cli-authpubkey.c
index 7cee164..7da1a04 100644
--- a/cli-authpubkey.c
+++ b/cli-authpubkey.c
@@ -174,6 +174,7 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) {
 		buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
 		cli_buf_put_sign(ses.writepayload, key, type, sigbuf);
 		buf_free(sigbuf); /* Nothing confidential in the buffer */
+		cli_ses.is_trivial_auth = 0;
 	}
 
 	encrypt_packet();
diff --git a/cli-runopts.c b/cli-runopts.c
index 7d1fffe..6bf8b8e 100644
--- a/cli-runopts.c
+++ b/cli-runopts.c
@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
 #if DROPBEAR_CLI_ANYTCPFWD
 	cli_opts.exit_on_fwd_failure = 0;
 #endif
+	cli_opts.disable_trivial_auth = 0;
 #if DROPBEAR_CLI_LOCALTCPFWD
 	cli_opts.localfwds = list_new();
 	opts.listen_fwd_all = 0;
@@ -888,6 +889,7 @@ static void add_extendedopt(const char* origstr) {
 #if DROPBEAR_CLI_ANYTCPFWD
 			"\tExitOnForwardFailure\n"
 #endif
+			"\tDisableTrivialAuth\n"
 #ifndef DISABLE_SYSLOG
 			"\tUseSyslog\n"
 #endif
@@ -915,5 +917,10 @@ static void add_extendedopt(const char* origstr) {
 		return;
 	}
 
+	if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
+		cli_opts.disable_trivial_auth = parse_flag_value(optstr);
+		return;
+	}
+
 	dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
 }
diff --git a/cli-session.c b/cli-session.c
index 56dd4af..73ef0db 100644
--- a/cli-session.c
+++ b/cli-session.c
@@ -164,6 +164,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
 	/* Auth */
 	cli_ses.lastprivkey = NULL;
 	cli_ses.lastauthtype = 0;
+	cli_ses.is_trivial_auth = 1;
 
 	/* For printing "remote host closed" for the user */
 	ses.remoteclosed = cli_remoteclosed;
diff --git a/runopts.h b/runopts.h
index 31eae1f..8519626 100644
--- a/runopts.h
+++ b/runopts.h
@@ -154,6 +154,7 @@ typedef struct cli_runopts {
 #if DROPBEAR_CLI_ANYTCPFWD
 	int exit_on_fwd_failure;
 #endif
+	int disable_trivial_auth;
 #if DROPBEAR_CLI_REMOTETCPFWD
 	m_list * remotefwds;
 #endif
diff --git a/session.h b/session.h
index 0f77055..8676054 100644
--- a/session.h
+++ b/session.h
@@ -287,6 +287,7 @@ struct clientsession {
 
 	int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
 						 for the last type of auth we tried */
+	int is_trivial_auth;
 	int ignore_next_auth_response;
 #if DROPBEAR_CLI_INTERACT_AUTH
 	int auth_interact_failed; /* flag whether interactive auth can still