Harden native auth and SDK datagram handling
This commit is contained in:
+42
-4
@@ -433,6 +433,7 @@ struct PendingStreamOpen {
|
||||
attempts: u32,
|
||||
}
|
||||
|
||||
#[derive(Clone)]
|
||||
struct PendingNativeAuth {
|
||||
client: dosh::native::NativeClientHello,
|
||||
server: NativeServerHello,
|
||||
@@ -992,8 +993,8 @@ async fn handle_native_user_auth(
|
||||
packet: &protocol::Packet,
|
||||
) -> Result<()> {
|
||||
let pending = {
|
||||
let mut locked = state.lock().expect("server state poisoned");
|
||||
locked.pending_native.remove(&packet.header.conn_id)
|
||||
let locked = state.lock().expect("server state poisoned");
|
||||
locked.pending_native.get(&packet.header.conn_id).cloned()
|
||||
};
|
||||
let Some(pending) = pending else {
|
||||
return send_reject_to_client(socket, peer, packet.header.conn_id, "unknown native auth")
|
||||
@@ -1009,11 +1010,38 @@ async fn handle_native_user_auth(
|
||||
.await;
|
||||
}
|
||||
if pending.created_at.elapsed() > Duration::from_secs(30) {
|
||||
state
|
||||
.lock()
|
||||
.expect("server state poisoned")
|
||||
.pending_native
|
||||
.remove(&packet.header.conn_id);
|
||||
return send_reject_to_client(socket, peer, packet.header.conn_id, "native auth expired")
|
||||
.await;
|
||||
}
|
||||
let body = protocol::decrypt_body(packet, &pending.session_key, CLIENT_TO_SERVER)?;
|
||||
let req: NativeUserAuthBody = protocol::from_body(&body)?;
|
||||
let body = match protocol::decrypt_body(packet, &pending.session_key, CLIENT_TO_SERVER) {
|
||||
Ok(body) => body,
|
||||
Err(_) => {
|
||||
return send_reject_to_client(
|
||||
socket,
|
||||
peer,
|
||||
packet.header.conn_id,
|
||||
"native auth decrypt failed",
|
||||
)
|
||||
.await;
|
||||
}
|
||||
};
|
||||
let req: NativeUserAuthBody = match protocol::from_body(&body) {
|
||||
Ok(req) => req,
|
||||
Err(_) => {
|
||||
return send_reject_to_client(
|
||||
socket,
|
||||
peer,
|
||||
packet.header.conn_id,
|
||||
"invalid native auth body",
|
||||
)
|
||||
.await;
|
||||
}
|
||||
};
|
||||
if pending.client.requested_mode == "doctor" {
|
||||
let check_result = {
|
||||
let locked = state.lock().expect("server state poisoned");
|
||||
@@ -1049,6 +1077,11 @@ async fn handle_native_user_auth(
|
||||
.await;
|
||||
}
|
||||
};
|
||||
state
|
||||
.lock()
|
||||
.expect("server state poisoned")
|
||||
.pending_native
|
||||
.remove(&packet.header.conn_id);
|
||||
let body = protocol::to_body(&check)?;
|
||||
let out = protocol::encode_encrypted(
|
||||
PacketKind::NativeAuthCheckOk,
|
||||
@@ -1229,6 +1262,11 @@ async fn handle_native_user_auth(
|
||||
if let Some((listener, path)) = agent_listener {
|
||||
spawn_agent_forward(state, socket, client_id, listener, path);
|
||||
}
|
||||
state
|
||||
.lock()
|
||||
.expect("server state poisoned")
|
||||
.pending_native
|
||||
.remove(&packet.header.conn_id);
|
||||
|
||||
let ok = NativeAuthOk {
|
||||
client_id,
|
||||
|
||||
Reference in New Issue
Block a user