Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<

3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi mechanism was removed due to a serious security hole, and since these versions of ssh-krb5 are no longer security-supported by Debian I don't think there's any point keeping client compatibility for them.
author: Colin Watson <cjwatson@debian.org> 2010-03-08 11:26:21 +0000
committer: Colin Watson <cjwatson@debian.org> 2010-03-08 11:26:21 +0000
commit: dd79498e0f4086a765cea7757ac023e925b75db2 (patch)
tree: aecf8e47f7abe06e86f961eb6fb198c1ca7b5de8
parent: dbf5ed52ce596dcf8c1f151d587f7f1f4c78b4eb (diff)
6 files changed, 16 insertions, 153 deletions
diff --git a/debian/changelog b/debian/changelog
index 2b75de5a1..8ce7bbae4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,11 @@ openssh (1:5.3p1-4) UNRELEASED; urgency=low
  * Include debian/ssh-askpass-gnome.png in the Debian tarball now that
    we're using a source format that permits this, rather than messing
    around with uudecode.
+  * Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<
+    3.8.1p1-1.  Simon Wilkinson refused this patch since the old gssapi
+    mechanism was removed due to a serious security hole, and since these
+    versions of ssh-krb5 are no longer security-supported by Debian I don't
+    think there's any point keeping client compatibility for them.
 -- Colin Watson <cjwatson@debian.org>  Mon, 01 Mar 2010 12:24:41 +0000
diff --git a/debian/patches/banner-noslash.patch b/debian/patches/banner-noslash.patch
index af5f4213c..fa7b08f23 100644
--- a/debian/patches/banner-noslash.patch
+++ b/debian/patches/banner-noslash.patch
@@ -11,7 +11,7 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -477,7 +477,7 @@
+@@ -472,7 +472,7 @@
                if (len > 65536)
                        len = 65536;
                msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch
deleted file mode 100644
index 1ef689331..000000000
--- a/debian/patches/old-gssapi.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-Description: Interoperate with old GSSAPI authentication method
- ssh-krb5 << 3.8.1p1-1 servers used a slightly different version.
- .
- Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch.
-Author: "Aaron M. Ucko" <ucko@debian.org>
-Bug-Debian: http://bugs.debian.org/328388
-Forwarded: yes
-Last-Updated: 2010-03-01
-Index: b/sshconnect2.c
-===================================================================
--- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -314,6 +314,11 @@
-                NULL,
-                &options.gss_authentication,
-                NULL},
-+       {"gssapi",
-+               userauth_gssapi,
-+               NULL,
-+               &options.gss_authentication,
-+               NULL},
- #endif
-        {"hostbased",
-                userauth_hostbased,
-@@ -601,6 +606,7 @@
-        OM_uint32 min;
-        int ok = 0;
-        const char *gss_host;
-+       int old_gssapi_method;
- 
-        if (options.gss_trust_dns)
-                gss_host = get_canonical_hostname(1);
-@@ -639,13 +645,25 @@
-        packet_put_cstring(authctxt->service);
-        packet_put_cstring(authctxt->method->name);
- 
-       packet_put_int(1);
-+       old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
-+
-+       /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
-+        * tagged OIDs.  As such we include both tagged and untagged oids
-+        * for the old gssapi method.
-+        * We only include tagged oids for the new gssapi-with-mic method.
-+        */
-+       packet_put_int(old_gssapi_method ? 2 : 1);
- 
-        packet_put_int((gss_supported->elements[mech].length) + 2);
-        packet_put_char(SSH_GSS_OIDTYPE);
-        packet_put_char(gss_supported->elements[mech].length);
-        packet_put_raw(gss_supported->elements[mech].elements,
-            gss_supported->elements[mech].length);
-+       if (old_gssapi_method) {
-+               packet_put_int(gss_supported->elements[mech].length);
-+               packet_put_raw(gss_supported->elements[mech].elements,
-+                              gss_supported->elements[mech].length);
-+       }
- 
-        packet_send();
- 
-@@ -685,8 +703,10 @@
-        }
- 
-        if (status == GSS_S_COMPLETE) {
-+               int old_gssapi_method = !strcmp(authctxt->method->name,
-+                                               "gssapi");
-                /* send either complete or MIC, depending on mechanism */
-               if (!(flags & GSS_C_INTEG_FLAG)) {
-+               if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
-                        packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
-                        packet_send();
-                } else {
-@@ -720,7 +740,7 @@
-        Authctxt *authctxt = ctxt;
-        Gssctxt *gssctxt;
-        u_int oidlen;
-       u_char *oidv;
-+       u_char *oidv, *oidv_free;
- 
-        if (authctxt == NULL)
-                fatal("input_gssapi_response: no authentication context");
-@@ -728,22 +748,28 @@
- 
-        /* Setup our OID */
-        oidv = packet_get_string(&oidlen);
-+       oidv_free = oidv;
- 
-        if (oidlen <= 2 ||
-            oidv[0] != SSH_GSS_OIDTYPE ||
-            oidv[1] != oidlen - 2) {
-               xfree(oidv);
-                debug("Badly encoded mechanism OID received");
-               userauth(authctxt, NULL);
-               return;
-+               if (oidlen < 2) {
-+                       xfree(oidv_free);
-+                       userauth(authctxt, NULL);
-+                       return;
-+               }
-+       } else {
-+               oidlen -= 2;
-+               oidv += 2;
-        }
- 
-       if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
-+       if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
-                fatal("Server returned different OID than expected");
- 
-        packet_check_eom();
- 
-       xfree(oidv);
-+       xfree(oidv_free);
- 
-        if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
-                /* Start again with next method on list */
diff --git a/debian/patches/series b/debian/patches/series
index fd6f569d0..7f410e363 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,7 +3,6 @@ gssapi.patch
 gssapi-autoconf.patch
 gssapi-compat.patch
 gssapi-dump.patch
-old-gssapi.patch
 # Autotools
 config-guess-sub.patch
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index c1df3b7f4..a0396a6eb 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -1315,7 +1315,7 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -1418,6 +1418,8 @@
+@@ -1392,6 +1392,8 @@
 
        /* list of keys stored in the filesystem */
        for (i = 0; i < options.num_identity_files; i++) {
@@ -1324,7 +1324,7 @@ Index: b/sshconnect2.c
                key = options.identity_keys[i];
                if (key && key->type == KEY_RSA1)
                        continue;
-@@ -1508,7 +1510,7 @@
+@@ -1482,7 +1484,7 @@
                if (id->key && id->key->type != KEY_RSA1) {
                        debug("Offering public key: %s", id->filename);
                        sent = send_pubkey_test(authctxt, id);
diff --git a/sshconnect2.c b/sshconnect2.c
index af322e81c..bc8d206ae 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -314,11 +314,6 @@ Authmethod authmethods[] = {
                NULL,
                &options.gss_authentication,
                NULL},
-        {"gssapi",
-                userauth_gssapi,
-                NULL,
-                &options.gss_authentication,
-                NULL},
 #endif
        {"hostbased",
                userauth_hostbased,
@@ -606,7 +601,6 @@ userauth_gssapi(Authctxt *authctxt)
        OM_uint32 min;
        int ok = 0;
        const char *gss_host;
-        int old_gssapi_method;
        if (options.gss_trust_dns)
                gss_host = get_canonical_hostname(1);
@@ -645,25 +639,13 @@ userauth_gssapi(Authctxt *authctxt)
        packet_put_cstring(authctxt->service);
        packet_put_cstring(authctxt->method->name);
-        old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
+        packet_put_int(1);
-        /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
-         * tagged OIDs.  As such we include both tagged and untagged oids
-         * for the old gssapi method.
-         * We only include tagged oids for the new gssapi-with-mic method.
-         */
-        packet_put_int(old_gssapi_method ? 2 : 1);
        packet_put_int((gss_supported->elements[mech].length) + 2);
        packet_put_char(SSH_GSS_OIDTYPE);
        packet_put_char(gss_supported->elements[mech].length);
        packet_put_raw(gss_supported->elements[mech].elements,
            gss_supported->elements[mech].length);
-        if (old_gssapi_method) {
-                packet_put_int(gss_supported->elements[mech].length);
-                packet_put_raw(gss_supported->elements[mech].elements,
-                               gss_supported->elements[mech].length);
-        }
        packet_send();
@@ -703,10 +685,8 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
        }
        if (status == GSS_S_COMPLETE) {
-                int old_gssapi_method = !strcmp(authctxt->method->name,
-                                                "gssapi");
                /* send either complete or MIC, depending on mechanism */
-                if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
+                if (!(flags & GSS_C_INTEG_FLAG)) {
                        packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
                        packet_send();
                } else {
@@ -740,7 +720,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
        Authctxt *authctxt = ctxt;
        Gssctxt *gssctxt;
        u_int oidlen;
-        u_char *oidv, *oidv_free;
+        u_char *oidv;
        if (authctxt == NULL)
                fatal("input_gssapi_response: no authentication context");
@@ -748,28 +728,22 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
        /* Setup our OID */
        oidv = packet_get_string(&oidlen);
-        oidv_free = oidv;
        if (oidlen <= 2 ||
            oidv[0] != SSH_GSS_OIDTYPE ||
            oidv[1] != oidlen - 2) {
+                xfree(oidv);
                debug("Badly encoded mechanism OID received");
-                if (oidlen < 2) {
+                userauth(authctxt, NULL);
-                        xfree(oidv_free);
+                return;
-                        userauth(authctxt, NULL);
-                        return;
-                }
-        } else {
-                oidlen -= 2;
-                oidv += 2;
        }
-        if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
+        if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
                fatal("Server returned different OID than expected");
        packet_check_eom();
-        xfree(oidv_free);
+        xfree(oidv);
        if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
                /* Start again with next method on list */
author	Colin Watson <cjwatson@debian.org>	2010-03-08 11:26:21 +0000
committer	Colin Watson <cjwatson@debian.org>	2010-03-08 11:26:21 +0000
commit	dd79498e0f4086a765cea7757ac023e925b75db2 (patch)
tree	aecf8e47f7abe06e86f961eb6fb198c1ca7b5de8
parent	dbf5ed52ce596dcf8c1f151d587f7f1f4c78b4eb (diff)

diff --git a/debian/changelog b/debian/changelog index 2b75de5a1..8ce7bbae4 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -5,6 +5,11 @@ openssh (1:5.3p1-4) UNRELEASED; urgency=low
5	* Include debian/ssh-askpass-gnome.png in the Debian tarball now that	5	* Include debian/ssh-askpass-gnome.png in the Debian tarball now that
6	we're using a source format that permits this, rather than messing	6	we're using a source format that permits this, rather than messing
7	around with uudecode.	7	around with uudecode.
		8	* Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<
		9	3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi
		10	mechanism was removed due to a serious security hole, and since these
		11	versions of ssh-krb5 are no longer security-supported by Debian I don't
		12	think there's any point keeping client compatibility for them.
8		13
9	-- Colin Watson <cjwatson@debian.org> Mon, 01 Mar 2010 12:24:41 +0000	14	-- Colin Watson <cjwatson@debian.org> Mon, 01 Mar 2010 12:24:41 +0000
10		15


diff --git a/debian/patches/banner-noslash.patch b/debian/patches/banner-noslash.patch index af5f4213c..fa7b08f23 100644 --- a/debian/patches/banner-noslash.patch +++ b/debian/patches/banner-noslash.patch
@@ -11,7 +11,7 @@ Index: b/sshconnect2.c
11	===================================================================	11	===================================================================
12	--- a/sshconnect2.c	12	--- a/sshconnect2.c
13	+++ b/sshconnect2.c	13	+++ b/sshconnect2.c
14	@@ -477,7 +477,7 @@	14	@@ -472,7 +472,7 @@
15	if (len > 65536)	15	if (len > 65536)
16	len = 65536;	16	len = 65536;
17	msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */	17	msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */


diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch deleted file mode 100644 index 1ef689331..000000000 --- a/debian/patches/old-gssapi.patch +++ /dev/null
@@ -1,115 +0,0 @@
1	Description: Interoperate with old GSSAPI authentication method
2	ssh-krb5 << 3.8.1p1-1 servers used a slightly different version.
3	.
4	Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch.
5	Author: "Aaron M. Ucko" <ucko@debian.org>
6	Bug-Debian: http://bugs.debian.org/328388
7	Forwarded: yes
8	Last-Updated: 2010-03-01
9
10	Index: b/sshconnect2.c
11	===================================================================
12	--- a/sshconnect2.c
13	+++ b/sshconnect2.c
14	@@ -314,6 +314,11 @@
15	NULL,
16	&options.gss_authentication,
17	NULL},
18	+ {"gssapi",
19	+ userauth_gssapi,
20	+ NULL,
21	+ &options.gss_authentication,
22	+ NULL},
23	#endif
24	{"hostbased",
25	userauth_hostbased,
26	@@ -601,6 +606,7 @@
27	OM_uint32 min;
28	int ok = 0;
29	const char *gss_host;
30	+ int old_gssapi_method;
31
32	if (options.gss_trust_dns)
33	gss_host = get_canonical_hostname(1);
34	@@ -639,13 +645,25 @@
35	packet_put_cstring(authctxt->service);
36	packet_put_cstring(authctxt->method->name);
37
38	- packet_put_int(1);
39	+ old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
40	+
41	+ /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
42	+ * tagged OIDs. As such we include both tagged and untagged oids
43	+ * for the old gssapi method.
44	+ * We only include tagged oids for the new gssapi-with-mic method.
45	+ */
46	+ packet_put_int(old_gssapi_method ? 2 : 1);
47
48	packet_put_int((gss_supported->elements[mech].length) + 2);
49	packet_put_char(SSH_GSS_OIDTYPE);
50	packet_put_char(gss_supported->elements[mech].length);
51	packet_put_raw(gss_supported->elements[mech].elements,
52	gss_supported->elements[mech].length);
53	+ if (old_gssapi_method) {
54	+ packet_put_int(gss_supported->elements[mech].length);
55	+ packet_put_raw(gss_supported->elements[mech].elements,
56	+ gss_supported->elements[mech].length);
57	+ }
58
59	packet_send();
60
61	@@ -685,8 +703,10 @@
62	}
63
64	if (status == GSS_S_COMPLETE) {
65	+ int old_gssapi_method = !strcmp(authctxt->method->name,
66	+ "gssapi");
67	/* send either complete or MIC, depending on mechanism */
68	- if (!(flags & GSS_C_INTEG_FLAG)) {
69	+ if (old_gssapi_method \|\| !(flags & GSS_C_INTEG_FLAG)) {
70	packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
71	packet_send();
72	} else {
73	@@ -720,7 +740,7 @@
74	Authctxt *authctxt = ctxt;
75	Gssctxt *gssctxt;
76	u_int oidlen;
77	- u_char *oidv;
78	+ u_char oidv, oidv_free;
79
80	if (authctxt == NULL)
81	fatal("input_gssapi_response: no authentication context");
82	@@ -728,22 +748,28 @@
83
84	/* Setup our OID */
85	oidv = packet_get_string(&oidlen);
86	+ oidv_free = oidv;
87
88	if (oidlen <= 2 \|\|
89	oidv[0] != SSH_GSS_OIDTYPE \|\|
90	oidv[1] != oidlen - 2) {
91	- xfree(oidv);
92	debug("Badly encoded mechanism OID received");
93	- userauth(authctxt, NULL);
94	- return;
95	+ if (oidlen < 2) {
96	+ xfree(oidv_free);
97	+ userauth(authctxt, NULL);
98	+ return;
99	+ }
100	+ } else {
101	+ oidlen -= 2;
102	+ oidv += 2;
103	}
104
105	- if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
106	+ if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
107	fatal("Server returned different OID than expected");
108
109	packet_check_eom();
110
111	- xfree(oidv);
112	+ xfree(oidv_free);
113
114	if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
115	/* Start again with next method on list */


diff --git a/debian/patches/series b/debian/patches/series index fd6f569d0..7f410e363 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -3,7 +3,6 @@ gssapi.patch
3	gssapi-autoconf.patch	3	gssapi-autoconf.patch
4	gssapi-compat.patch	4	gssapi-compat.patch
5	gssapi-dump.patch	5	gssapi-dump.patch
6	old-gssapi.patch
7		6
8	# Autotools	7	# Autotools
9	config-guess-sub.patch	8	config-guess-sub.patch


diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch index c1df3b7f4..a0396a6eb 100644 --- a/debian/patches/ssh-vulnkey.patch +++ b/debian/patches/ssh-vulnkey.patch
@@ -1315,7 +1315,7 @@ Index: b/sshconnect2.c
1315	===================================================================	1315	===================================================================
1316	--- a/sshconnect2.c	1316	--- a/sshconnect2.c
1317	+++ b/sshconnect2.c	1317	+++ b/sshconnect2.c
1318	@@ -1418,6 +1418,8 @@	1318	@@ -1392,6 +1392,8 @@
1319		1319
1320	/* list of keys stored in the filesystem */	1320	/* list of keys stored in the filesystem */
1321	for (i = 0; i < options.num_identity_files; i++) {	1321	for (i = 0; i < options.num_identity_files; i++) {
@@ -1324,7 +1324,7 @@ Index: b/sshconnect2.c
1324	key = options.identity_keys[i];	1324	key = options.identity_keys[i];
1325	if (key && key->type == KEY_RSA1)	1325	if (key && key->type == KEY_RSA1)
1326	continue;	1326	continue;
1327	@@ -1508,7 +1510,7 @@	1327	@@ -1482,7 +1484,7 @@
1328	if (id->key && id->key->type != KEY_RSA1) {	1328	if (id->key && id->key->type != KEY_RSA1) {
1329	debug("Offering public key: %s", id->filename);	1329	debug("Offering public key: %s", id->filename);
1330	sent = send_pubkey_test(authctxt, id);	1330	sent = send_pubkey_test(authctxt, id);


diff --git a/sshconnect2.c b/sshconnect2.c index af322e81c..bc8d206ae 100644 --- a/sshconnect2.c +++ b/sshconnect2.c
@@ -314,11 +314,6 @@ Authmethod authmethods[] = {
314	NULL,	314	NULL,
315	&options.gss_authentication,	315	&options.gss_authentication,
316	NULL},	316	NULL},
317	{"gssapi",
318	userauth_gssapi,
319	NULL,
320	&options.gss_authentication,
321	NULL},
322	#endif	317	#endif
323	{"hostbased",	318	{"hostbased",
324	userauth_hostbased,	319	userauth_hostbased,
@@ -606,7 +601,6 @@ userauth_gssapi(Authctxt *authctxt)
606	OM_uint32 min;	601	OM_uint32 min;
607	int ok = 0;	602	int ok = 0;
608	const char *gss_host;	603	const char *gss_host;
609	int old_gssapi_method;
610		604
611	if (options.gss_trust_dns)	605	if (options.gss_trust_dns)
612	gss_host = get_canonical_hostname(1);	606	gss_host = get_canonical_hostname(1);
@@ -645,25 +639,13 @@ userauth_gssapi(Authctxt *authctxt)
645	packet_put_cstring(authctxt->service);	639	packet_put_cstring(authctxt->service);
646	packet_put_cstring(authctxt->method->name);	640	packet_put_cstring(authctxt->method->name);
647		641
648	old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");	642	packet_put_int(1);
649
650	/* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
651	* tagged OIDs. As such we include both tagged and untagged oids
652	* for the old gssapi method.
653	* We only include tagged oids for the new gssapi-with-mic method.
654	*/
655	packet_put_int(old_gssapi_method ? 2 : 1);
656		643
657	packet_put_int((gss_supported->elements[mech].length) + 2);	644	packet_put_int((gss_supported->elements[mech].length) + 2);
658	packet_put_char(SSH_GSS_OIDTYPE);	645	packet_put_char(SSH_GSS_OIDTYPE);
659	packet_put_char(gss_supported->elements[mech].length);	646	packet_put_char(gss_supported->elements[mech].length);
660	packet_put_raw(gss_supported->elements[mech].elements,	647	packet_put_raw(gss_supported->elements[mech].elements,
661	gss_supported->elements[mech].length);	648	gss_supported->elements[mech].length);
662	if (old_gssapi_method) {
663	packet_put_int(gss_supported->elements[mech].length);
664	packet_put_raw(gss_supported->elements[mech].elements,
665	gss_supported->elements[mech].length);
666	}
667		649
668	packet_send();	650	packet_send();
669		651
@@ -703,10 +685,8 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
703	}	685	}
704		686
705	if (status == GSS_S_COMPLETE) {	687	if (status == GSS_S_COMPLETE) {
706	int old_gssapi_method = !strcmp(authctxt->method->name,
707	"gssapi");
708	/* send either complete or MIC, depending on mechanism */	688	/* send either complete or MIC, depending on mechanism */
709	if (old_gssapi_method \|\| !(flags & GSS_C_INTEG_FLAG)) {	689	if (!(flags & GSS_C_INTEG_FLAG)) {
710	packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);	690	packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
711	packet_send();	691	packet_send();
712	} else {	692	} else {
@@ -740,7 +720,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
740	Authctxt *authctxt = ctxt;	720	Authctxt *authctxt = ctxt;
741	Gssctxt *gssctxt;	721	Gssctxt *gssctxt;
742	u_int oidlen;	722	u_int oidlen;
743	u_char oidv, oidv_free;	723	u_char *oidv;
744		724
745	if (authctxt == NULL)	725	if (authctxt == NULL)
746	fatal("input_gssapi_response: no authentication context");	726	fatal("input_gssapi_response: no authentication context");
@@ -748,28 +728,22 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
748		728
749	/* Setup our OID */	729	/* Setup our OID */
750	oidv = packet_get_string(&oidlen);	730	oidv = packet_get_string(&oidlen);
751	oidv_free = oidv;
752		731
753	if (oidlen <= 2 \|\|	732	if (oidlen <= 2 \|\|
754	oidv[0] != SSH_GSS_OIDTYPE \|\|	733	oidv[0] != SSH_GSS_OIDTYPE \|\|
755	oidv[1] != oidlen - 2) {	734	oidv[1] != oidlen - 2) {
		735	xfree(oidv);
756	debug("Badly encoded mechanism OID received");	736	debug("Badly encoded mechanism OID received");
757	if (oidlen < 2) {	737	userauth(authctxt, NULL);
758	xfree(oidv_free);	738	return;
759	userauth(authctxt, NULL);
760	return;
761	}
762	} else {
763	oidlen -= 2;
764	oidv += 2;
765	}	739	}
766		740
767	if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))	741	if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
768	fatal("Server returned different OID than expected");	742	fatal("Server returned different OID than expected");
769		743
770	packet_check_eom();	744	packet_check_eom();
771		745
772	xfree(oidv_free);	746	xfree(oidv);
773		747
774	if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {	748	if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
775	/* Start again with next method on list */	749	/* Start again with next method on list */