
[PATCH] gssapi: Set correct state after sending GSSAPI_RESPONSE


Hello,


Here's a patch related to changes from CVE-2018-10933:

Kerberos Authentication (GSSAPI) as server always fails (on new packet filtering) because SSH_AUTH_STATE_GSSAPI_TOKEN is not correctly set on sending SSH_MSG_USERAUTH_GSSAPI_RESPONSE (containing selected mechanism OID).
After this response, the client will send a SSH_MSG_USERAUTH_GSSAPI_TOKEN packet (see rfc4462 3.3-3.4)
so the packet filter will check the SSH_AUTH_STATE_GSSAPI_TOKEN auth state.


This patch sets the correct state on sending the GSSAPI response (selected mechanism OID).


Regards,


Meng

From eb6f2efe8c8995a8d687b108d0a9478b7e9991f1 Mon Sep 17 00:00:00 2001
From: Meng Tan <mtan@xxxxxxxxxx>
Date: Thu, 25 Oct 2018 17:06:06 +0200
Subject: [PATCH] gssapi: Set correct state after sending GSSAPI_RESPONSE
 (select mechanism OID)

Signed-off-by: Meng Tan <mtan@xxxxxxxxxx>
---
 src/gssapi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/gssapi.c b/src/gssapi.c
index 77df0b59..e1b37c76 100644
--- a/src/gssapi.c
+++ b/src/gssapi.c
@@ -120,6 +120,7 @@ static int ssh_gssapi_send_response(ssh_session session, ssh_string oid){
         ssh_set_error_oom(session);
         return SSH_ERROR;
     }
+    session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN;

     ssh_packet_send(session);
     SSH_LOG(SSH_LOG_PACKET,
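Review bot: the added assignment sets session->auth.state to SSH_AUTH_STATE_GSSAPI_TOKEN before ssh_packet_send(session) is called, and the return value of that call is not used in the visible context. If the send fails, the session is left expecting a SSH_MSG_USERAUTH_GSSAPI_TOKEN for a response that never went out. Consider checking the result of ssh_packet_send() and making the state change only when it succeeds, or resetting the state on the error path. A one-line comment above the assignment citing RFC 4462 sections 3.3-3.4 would also document why the server has to expect a token at this point, and a blank line between the closing brace of the error block and the assignment would match the spacing of the surrounding code.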
--
2.11.0
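The interaction described in the message above, as an added example that is not libssh code and not part of the original post: a simplified model of a state-based incoming packet filter, showing why a server that never enters the token-expecting state rejects the client's token. The struct, enum and function names are hypothetical; only the message numbers (60 and 61) come from RFC 4462.

```c
#include <stdio.h>

/* Message numbers assigned by RFC 4462. */
#define MSG_USERAUTH_GSSAPI_RESPONSE 60
#define MSG_USERAUTH_GSSAPI_TOKEN    61

/* Hypothetical model types; AUTH_GSSAPI_TOKEN plays the role of
 * SSH_AUTH_STATE_GSSAPI_TOKEN from the patch. */
enum auth_state { AUTH_NONE, AUTH_GSSAPI_TOKEN };
enum verdict { PACKET_DENIED, PACKET_ALLOWED };

struct model_session {
    enum auth_state auth_state;
    int last_sent;              /* last message type put on the wire */
};

/* Incoming filter: a token is accepted only while the session expects one. */
static enum verdict filter_incoming(const struct model_session *s, int type)
{
    if (type == MSG_USERAUTH_GSSAPI_TOKEN && s->auth_state == AUTH_GSSAPI_TOKEN)
        return PACKET_ALLOWED;
    return PACKET_DENIED;       /* default deny for everything else */
}

/* Server sends the selected mechanism OID. set_state == 0 models the
 * behaviour before the patch, set_state == 1 the behaviour after it. */
static void send_response(struct model_session *s, int set_state)
{
    s->last_sent = MSG_USERAUTH_GSSAPI_RESPONSE;
    if (set_state)
        s->auth_state = AUTH_GSSAPI_TOKEN;
}

/* Full exchange: server responds, then the client's token arrives. */
static enum verdict run_exchange(int set_state)
{
    struct model_session s = { AUTH_NONE, 0 };
    send_response(&s, set_state);
    return filter_incoming(&s, MSG_USERAUTH_GSSAPI_TOKEN);
}

/* Out-of-order case the filter exists for: a token with no prior response. */
static enum verdict token_before_response(void)
{
    struct model_session s = { AUTH_NONE, 0 };
    return filter_incoming(&s, MSG_USERAUTH_GSSAPI_TOKEN);
}

int main(void)
{
    printf("without state change: %s\n", run_exchange(0) ? "allowed" : "denied");
    printf("with state change:    %s\n", run_exchange(1) ? "allowed" : "denied");
    printf("unsolicited token:    %s\n", token_before_response() ? "allowed" : "denied");
    return 0;
}
```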
