- markus@cvs.openbsd.org 2003/11/02 11:01:03
[auth2-gss.c compat.c compat.h sshconnect2.c]
remove support for SSH_BUG_GSSAPI_BER; simon@sxw.org.uk
diff --git a/ChangeLog b/ChangeLog
index 78e0492..67a7475 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,9 @@
- markus@cvs.openbsd.org 2003/10/28 09:08:06
[misc.c]
error->debug for getsockopt+TCP_NODELAY; several requests
+ - markus@cvs.openbsd.org 2003/11/02 11:01:03
+ [auth2-gss.c compat.c compat.h sshconnect2.c]
+ remove support for SSH_BUG_GSSAPI_BER; simon@sxw.org.uk
20031021
- (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords
@@ -1390,4 +1393,4 @@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.3090 2003/11/03 09:07:14 dtucker Exp $
+$Id: ChangeLog,v 1.3091 2003/11/03 09:09:03 dtucker Exp $
diff --git a/auth2-gss.c b/auth2-gss.c
index a82b87f..84fb384 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.4 2003/10/21 09:50:06 markus Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.5 2003/11/02 11:01:03 markus Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -78,19 +78,19 @@
if (doid)
xfree(doid);
+ present = 0;
doid = packet_get_string(&len);
- if (len <= 2)
- packet_disconnect("Short OID received");
- if (doid[0] != SSH_GSS_OIDTYPE || doid[1] != len-2) {
- logit("Mechanism OID received using the old encoding form");
- oid.elements = doid;
- oid.length = len;
+ if (len > 2 &&
+ doid[0] == SSH_GSS_OIDTYPE &&
+ doid[1] == len - 2) {
+ oid.elements = doid + 2;
+ oid.length = len - 2;
+ gss_test_oid_set_member(&ms, &oid, supported,
+ &present);
} else {
- oid.elements = doid + 2;
- oid.length = len - 2;
+ logit("Badly formed OID received");
}
- gss_test_oid_set_member(&ms, &oid, supported, &present);
} while (mechs > 0 && !present);
gss_release_oid_set(&ms, &supported);
@@ -109,7 +109,7 @@
packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
- /* Return OID in same format as we received it*/
+ /* Return the OID that we received */
packet_put_string(doid, len);
packet_send();
diff --git a/compat.c b/compat.c
index af1d143..2fdebe7 100644
--- a/compat.c
+++ b/compat.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: compat.c,v 1.69 2003/08/29 10:03:15 markus Exp $");
+RCSID("$OpenBSD: compat.c,v 1.70 2003/11/02 11:01:03 markus Exp $");
#include "buffer.h"
#include "packet.h"
@@ -79,11 +79,7 @@
{ "OpenSSH_2.5.3*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
{ "OpenSSH_2.*,"
"OpenSSH_3.0*,"
- "OpenSSH_3.1*", SSH_BUG_EXTEOF|SSH_BUG_GSSAPI_BER},
- { "OpenSSH_3.2*,"
- "OpenSSH_3.3*,"
- "OpenSSH_3.4*,"
- "OpenSSH_3.5*", SSH_BUG_GSSAPI_BER},
+ "OpenSSH_3.1*", SSH_BUG_EXTEOF},
{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
{ "OpenSSH*", 0 },
{ "*MindTerm*", 0 },
diff --git a/compat.h b/compat.h
index 7a50044..efa0f08 100644
--- a/compat.h
+++ b/compat.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.h,v 1.36 2003/08/29 10:03:15 markus Exp $ */
+/* $OpenBSD: compat.h,v 1.37 2003/11/02 11:01:03 markus Exp $ */
/*
* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
@@ -55,7 +55,6 @@
#define SSH_BUG_EXTEOF 0x00200000
#define SSH_BUG_PROBE 0x00400000
#define SSH_BUG_FIRSTKEX 0x00800000
-#define SSH_BUG_GSSAPI_BER 0x01000000
void enable_compat13(void);
void enable_compat20(void);
diff --git a/sshconnect2.c b/sshconnect2.c
index 6e61a35..f991f81 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.128 2003/10/26 16:57:43 avsm Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.129 2003/11/02 11:01:03 markus Exp $");
#include "openbsd-compat/sys-queue.h"
@@ -519,17 +519,11 @@
packet_put_int(1);
- /* Some servers encode the OID incorrectly (as we used to) */
- if (datafellows & SSH_BUG_GSSAPI_BER) {
- packet_put_string(gss_supported->elements[mech].elements,
- gss_supported->elements[mech].length);
- } else {
- packet_put_int((gss_supported->elements[mech].length)+2);
- packet_put_char(SSH_GSS_OIDTYPE);
- packet_put_char(gss_supported->elements[mech].length);
- packet_put_raw(gss_supported->elements[mech].elements,
- gss_supported->elements[mech].length);
- }
+ packet_put_int((gss_supported->elements[mech].length) + 2);
+ packet_put_char(SSH_GSS_OIDTYPE);
+ packet_put_char(gss_supported->elements[mech].length);
+ packet_put_raw(gss_supported->elements[mech].elements,
+ gss_supported->elements[mech].length);
packet_send();
@@ -560,20 +554,18 @@
/* Setup our OID */
oidv = packet_get_string(&oidlen);
- if (datafellows & SSH_BUG_GSSAPI_BER) {
- if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
- fatal("Server returned different OID than expected");
- } else {
- if(oidv[0] != SSH_GSS_OIDTYPE || oidv[1] != oidlen-2) {
- debug("Badly encoded mechanism OID received");
- userauth(authctxt, NULL);
- xfree(oidv);
- return;
- }
- if (!ssh_gssapi_check_oid(gssctxt, oidv+2, oidlen-2))
- fatal("Server returned different OID than expected");
+ if (oidlen <= 2 ||
+ oidv[0] != SSH_GSS_OIDTYPE ||
+ oidv[1] != oidlen - 2) {
+ debug("Badly encoded mechanism OID received");
+ userauth(authctxt, NULL);
+ xfree(oidv);
+ return;
}
+ if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
+ fatal("Server returned different OID than expected");
+
packet_check_eom();
xfree(oidv);