upstream commit

Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations. ok markus@ OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138
author: djm@openbsd.org <djm@openbsd.org> 2018-01-23 05:27:21 +0000
committer: Damien Miller <djm@mindrot.org> 2018-01-23 16:40:29 +1100
commit: 14b5c635d1190633b23ac3372379517fb645b0c2 (patch)
tree: 8ef70b4660b04ba6add4c314d52f84375cb16788 /auth2-pubkey.c
parent: 7c77991f5de5d8475cbeb7cbb06d0c7d1611d7bb (diff)
1 files changed, 10 insertions, 37 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 0713a9de8..e64982283 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.74 2017/12/21 00:00:28 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.75 2018/01/23 05:27:21 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -100,26 +100,10 @@ userauth_pubkey(struct ssh *ssh)
                debug2("%s: disabled because of invalid user", __func__);
                return 0;
        }
-        if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0)
+        if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
-                fatal("%s: sshpkt_get_u8 failed: %s", __func__, ssh_err(r));
+            (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
-        if (ssh->compat & SSH_BUG_PKAUTH) {
+            (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
-                debug2("%s: SSH_BUG_PKAUTH", __func__);
+                fatal("%s: parse request failed: %s", __func__, ssh_err(r));
-                if ((b = sshbuf_new()) == NULL)
-                        fatal("%s: sshbuf_new failed", __func__);
-                /* no explicit pkalg given */
-                /* so we have to extract the pkalg from the pkblob */
-                /* XXX use sshbuf_from() */
-                if ((r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
-                    (r = sshbuf_put(b, pkblob, blen)) != 0 ||
-                    (r = sshbuf_get_cstring(b, &pkalg, NULL)) != 0)
-                        fatal("%s: failed: %s", __func__, ssh_err(r));
-                sshbuf_free(b);
-        } else {
-                if ((r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
-                    (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
-                        fatal("%s: sshpkt_get_cstring failed: %s",
-                            __func__, ssh_err(r));
-        }
        pktype = sshkey_type_from_name(pkalg);
        if (pktype == KEY_UNSPEC) {
                /* this is perfectly legal */
@@ -188,22 +172,11 @@ userauth_pubkey(struct ssh *ssh)
                    authctxt->style ? authctxt->style : "");
                if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
                    (r = sshbuf_put_cstring(b, userstyle)) != 0 ||
-                    (r = sshbuf_put_cstring(b, ssh->compat & SSH_BUG_PKSERVICE ?
+                    (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
-                    "ssh-userauth" : authctxt->service)) != 0)
+                    (r = sshbuf_put_cstring(b, "publickey")) != 0 ||
-                        fatal("%s: build packet failed: %s",
+                    (r = sshbuf_put_u8(b, have_sig)) != 0 ||
-                            __func__, ssh_err(r));
+                    (r = sshbuf_put_cstring(b, pkalg) != 0) ||
-                if (ssh->compat & SSH_BUG_PKAUTH) {
+                    (r = sshbuf_put_string(b, pkblob, blen)) != 0)
-                        if ((r = sshbuf_put_u8(b, have_sig)) != 0)
-                                fatal("%s: build packet failed: %s",
-                                    __func__, ssh_err(r));
-                } else {
-                        if ((r = sshbuf_put_cstring(b, "publickey")) != 0 ||
-                            (r = sshbuf_put_u8(b, have_sig)) != 0 ||
-                            (r = sshbuf_put_cstring(b, pkalg) != 0))
-                                fatal("%s: build packet failed: %s",
-                                    __func__, ssh_err(r));
-                }
-                if ((r = sshbuf_put_string(b, pkblob, blen)) != 0)
                        fatal("%s: build packet failed: %s",
                            __func__, ssh_err(r));
 #ifdef DEBUG_PK
author	djm@openbsd.org <djm@openbsd.org>	2018-01-23 05:27:21 +0000
committer	Damien Miller <djm@mindrot.org>	2018-01-23 16:40:29 +1100
commit	14b5c635d1190633b23ac3372379517fb645b0c2 (patch)
tree	8ef70b4660b04ba6add4c314d52f84375cb16788 /auth2-pubkey.c
parent	7c77991f5de5d8475cbeb7cbb06d0c7d1611d7bb (diff)

diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 0713a9de8..e64982283 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth2-pubkey.c,v 1.74 2017/12/21 00:00:28 djm Exp $ */	1	/* $OpenBSD: auth2-pubkey.c,v 1.75 2018/01/23 05:27:21 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -100,26 +100,10 @@ userauth_pubkey(struct ssh *ssh)
100	debug2("%s: disabled because of invalid user", __func__);	100	debug2("%s: disabled because of invalid user", __func__);
101	return 0;	101	return 0;
102	}	102	}
103	if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0)	103	if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 \|\|
104	fatal("%s: sshpkt_get_u8 failed: %s", __func__, ssh_err(r));	104	(r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 \|\|
105	if (ssh->compat & SSH_BUG_PKAUTH) {	105	(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
106	debug2("%s: SSH_BUG_PKAUTH", __func__);	106	fatal("%s: parse request failed: %s", __func__, ssh_err(r));
107	if ((b = sshbuf_new()) == NULL)
108	fatal("%s: sshbuf_new failed", __func__);
109	/* no explicit pkalg given */
110	/* so we have to extract the pkalg from the pkblob */
111	/* XXX use sshbuf_from() */
112	if ((r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 \|\|
113	(r = sshbuf_put(b, pkblob, blen)) != 0 \|\|
114	(r = sshbuf_get_cstring(b, &pkalg, NULL)) != 0)
115	fatal("%s: failed: %s", __func__, ssh_err(r));
116	sshbuf_free(b);
117	} else {
118	if ((r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 \|\|
119	(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
120	fatal("%s: sshpkt_get_cstring failed: %s",
121	__func__, ssh_err(r));
122	}
123	pktype = sshkey_type_from_name(pkalg);	107	pktype = sshkey_type_from_name(pkalg);
124	if (pktype == KEY_UNSPEC) {	108	if (pktype == KEY_UNSPEC) {
125	/* this is perfectly legal */	109	/* this is perfectly legal */
@@ -188,22 +172,11 @@ userauth_pubkey(struct ssh *ssh)
188	authctxt->style ? authctxt->style : "");	172	authctxt->style ? authctxt->style : "");
189	if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 \|\|	173	if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 \|\|
190	(r = sshbuf_put_cstring(b, userstyle)) != 0 \|\|	174	(r = sshbuf_put_cstring(b, userstyle)) != 0 \|\|
191	(r = sshbuf_put_cstring(b, ssh->compat & SSH_BUG_PKSERVICE ?	175	(r = sshbuf_put_cstring(b, authctxt->service)) != 0 \|\|
192	"ssh-userauth" : authctxt->service)) != 0)	176	(r = sshbuf_put_cstring(b, "publickey")) != 0 \|\|
193	fatal("%s: build packet failed: %s",	177	(r = sshbuf_put_u8(b, have_sig)) != 0 \|\|
194	__func__, ssh_err(r));	178	(r = sshbuf_put_cstring(b, pkalg) != 0) \|\|
195	if (ssh->compat & SSH_BUG_PKAUTH) {	179	(r = sshbuf_put_string(b, pkblob, blen)) != 0)
196	if ((r = sshbuf_put_u8(b, have_sig)) != 0)
197	fatal("%s: build packet failed: %s",
198	__func__, ssh_err(r));
199	} else {
200	if ((r = sshbuf_put_cstring(b, "publickey")) != 0 \|\|
201	(r = sshbuf_put_u8(b, have_sig)) != 0 \|\|
202	(r = sshbuf_put_cstring(b, pkalg) != 0))
203	fatal("%s: build packet failed: %s",
204	__func__, ssh_err(r));
205	}
206	if ((r = sshbuf_put_string(b, pkblob, blen)) != 0)
207	fatal("%s: build packet failed: %s",	180	fatal("%s: build packet failed: %s",
208	__func__, ssh_err(r));	181	__func__, ssh_err(r));
209	#ifdef DEBUG_PK	182	#ifdef DEBUG_PK