From eccb9de72aa29da5a3fad87a4287b32438689c1f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 17 Jun 2005 12:59:34 +1000 Subject: - djm@cvs.openbsd.org 2005/06/17 02:44:33 [auth-rsa.c auth.c auth1.c auth2-chall.c auth2-gss.c authfd.c authfile.c] [bufaux.c canohost.c channels.c cipher.c clientloop.c dns.c gss-serv.c] [kex.c kex.h key.c mac.c match.c misc.c packet.c packet.h scp.c] [servconf.c session.c session.h sftp-client.c sftp-server.c sftp.c] [ssh-keyscan.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c sshd.c] make this -Wsign-compare clean; ok avsm@ markus@ NB. auth1.c changes not committed yet (conflicts with uncommitted sync) NB2. more work may be needed to make portable Wsign-compare clean --- gss-serv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gss-serv.c') diff --git a/gss-serv.c b/gss-serv.c index de32a3f2e..e1b843f01 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.5 2003/11/17 11:06:07 markus Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.6 2005/06/17 02:44:32 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -134,7 +134,7 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok, static OM_uint32 ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name) { - char *tok; + u_char *tok; OM_uint32 offset; OM_uint32 oidl; -- cgit v1.2.3 From 0dc1bef12d30162ba09bfcc0b1cd6a5535ebdaab Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 17 Jul 2005 17:22:45 +1000 Subject: - djm@cvs.openbsd.org 2005/07/17 07:17:55 [auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c] [cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c] [serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c] [sshconnect.c sshconnect2.c] knf says that a 2nd level indent is four (not three or five) spaces --- ChangeLog | 8 +++++++- auth-rh-rsa.c | 4 ++-- auth-rhosts.c | 4 ++-- auth2-chall.c | 4 ++-- auth2-gss.c | 7 +++---- channels.c | 10 +++++----- cipher-ctr.c | 4 ++-- gss-genr.c | 6 +++--- gss-serv.c | 6 +++--- kex.c | 4 ++-- moduli.c | 24 ++++++++++++------------ readconf.c | 4 ++-- serverloop.c | 4 ++-- session.c | 4 ++-- sftp-client.c | 4 ++-- sftp.c | 4 ++-- ssh-add.c | 4 ++-- ssh-keygen.c | 4 ++-- sshconnect.c | 8 ++++---- sshconnect2.c | 6 +++--- 20 files changed, 64 insertions(+), 59 deletions(-) (limited to 'gss-serv.c') diff --git a/ChangeLog b/ChangeLog index 84b82cccc..f1bf43095 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,12 @@ the one that made the single connection 3. Destroy X11 listeners when the session owning them goes away testing and ok dtucker@ + - djm@cvs.openbsd.org 2005/07/17 07:17:55 + [auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c] + [cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c] + [serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c] + [sshconnect.c sshconnect2.c] + knf says that a 2nd level indent is four (not three or five) spaces 20050716 - (dtucker) [auth-pam.c] Ensure that only one side of the authentication @@ -2849,4 +2855,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3850 2005/07/17 07:19:24 djm Exp $ +$Id: ChangeLog,v 1.3851 2005/07/17 07:22:45 djm Exp $ diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c index 29eb538ec..c31f2b97b 100644 --- a/auth-rh-rsa.c +++ b/auth-rh-rsa.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rh-rsa.c,v 1.37 2003/11/04 08:54:09 djm Exp $"); +RCSID("$OpenBSD: auth-rh-rsa.c,v 1.38 2005/07/17 07:17:54 djm Exp $"); #include "packet.h" #include "uidswap.h" @@ -86,7 +86,7 @@ auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key) */ verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.", - pw->pw_name, cuser, chost); + pw->pw_name, cuser, chost); packet_send_debug("Rhosts with RSA host authentication accepted."); return 1; } diff --git a/auth-rhosts.c b/auth-rhosts.c index 585246e82..aaba8557e 100644 --- a/auth-rhosts.c +++ b/auth-rhosts.c @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rhosts.c,v 1.32 2003/11/04 08:54:09 djm Exp $"); +RCSID("$OpenBSD: auth-rhosts.c,v 1.33 2005/07/17 07:17:54 djm Exp $"); #include "packet.h" #include "uidswap.h" @@ -133,7 +133,7 @@ check_rhosts_file(const char *filename, const char *hostname, /* If the entry was negated, deny access. */ if (negated) { auth_debug_add("Matched negative entry in %.100s.", - filename); + filename); return 0; } /* Accept authentication. */ diff --git a/auth2-chall.c b/auth2-chall.c index 1cea15378..b147cadf3 100644 --- a/auth2-chall.c +++ b/auth2-chall.c @@ -23,7 +23,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: auth2-chall.c,v 1.23 2005/06/17 02:44:32 djm Exp $"); +RCSID("$OpenBSD: auth2-chall.c,v 1.24 2005/07/17 07:17:54 djm Exp $"); #include "ssh2.h" #include "auth.h" @@ -167,7 +167,7 @@ kbdint_next_device(KbdintAuthctxt *kbdintctxt) kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; xfree(t); debug2("kbdint_next_device: devices %s", kbdintctxt->devices ? - kbdintctxt->devices : ""); + kbdintctxt->devices : ""); } while (kbdintctxt->devices && !kbdintctxt->device); return kbdintctxt->device ? 1 : 0; diff --git a/auth2-gss.c b/auth2-gss.c index 855b61b4e..4d468a0e8 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-gss.c,v 1.9 2005/06/17 02:44:32 djm Exp $ */ +/* $OpenBSD: auth2-gss.c,v 1.10 2005/07/17 07:17:54 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -82,9 +82,8 @@ userauth_gssapi(Authctxt *authctxt) present = 0; doid = packet_get_string(&len); - if (len > 2 && - doid[0] == SSH_GSS_OIDTYPE && - doid[1] == len - 2) { + if (len > 2 && doid[0] == SSH_GSS_OIDTYPE && + doid[1] == len - 2) { goid.elements = doid + 2; goid.length = len - 2; gss_test_oid_set_member(&ms, &goid, supported, diff --git a/channels.c b/channels.c index 8da399b69..8c7b2b369 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.222 2005/07/17 06:49:04 djm Exp $"); +RCSID("$OpenBSD: channels.c,v 1.223 2005/07/17 07:17:54 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -730,8 +730,8 @@ channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset) FD_SET(c->wfd, writeset); } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) - debug2("channel %d: obuf_empty delayed efd %d/(%d)", - c->self, c->efd, buffer_len(&c->extended)); + debug2("channel %d: obuf_empty delayed efd %d/(%d)", + c->self, c->efd, buffer_len(&c->extended)); else chan_obuf_empty(c); } @@ -1813,8 +1813,8 @@ channel_output_poll(void) * hack for extended data: delay EOF if EFD still in use. */ if (CHANNEL_EFD_INPUT_ACTIVE(c)) - debug2("channel %d: ibuf_empty delayed efd %d/(%d)", - c->self, c->efd, buffer_len(&c->extended)); + debug2("channel %d: ibuf_empty delayed efd %d/(%d)", + c->self, c->efd, buffer_len(&c->extended)); else chan_ibuf_empty(c); } diff --git a/cipher-ctr.c b/cipher-ctr.c index 43f1ede57..856177349 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "includes.h" -RCSID("$OpenBSD: cipher-ctr.c,v 1.5 2004/12/22 02:13:19 djm Exp $"); +RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $"); #include @@ -95,7 +95,7 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, } if (key != NULL) AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, - &c->aes_ctx); + &c->aes_ctx); if (iv != NULL) memcpy(c->aes_counter, iv, AES_BLOCK_SIZE); return (1); diff --git a/gss-genr.c b/gss-genr.c index 3f5727b3e..9bc31aa2a 100644 --- a/gss-genr.c +++ b/gss-genr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-genr.c,v 1.3 2003/11/21 11:57:03 djm Exp $ */ +/* $OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -78,8 +78,8 @@ ssh_gssapi_error(Gssctxt *ctxt) } char * -ssh_gssapi_last_error(Gssctxt *ctxt, - OM_uint32 *major_status, OM_uint32 *minor_status) +ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status, + OM_uint32 *minor_status) { OM_uint32 lmin; gss_buffer_desc msg = GSS_C_EMPTY_BUFFER; diff --git a/gss-serv.c b/gss-serv.c index e1b843f01..e191eb5a0 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.6 2005/06/17 02:44:32 djm Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.7 2005/07/17 07:17:55 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -164,7 +164,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name) */ if (tok[4] != 0x06 || tok[5] != oidl || ename->length < oidl+6 || - !ssh_gssapi_check_oid(ctx,tok+6,oidl)) + !ssh_gssapi_check_oid(ctx,tok+6,oidl)) return GSS_S_FAILURE; offset = oidl+6; @@ -267,7 +267,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) debug("Setting %s to %s", gssapi_client.store.envvar, gssapi_client.store.envval); child_set_env(envp, envsizep, gssapi_client.store.envvar, - gssapi_client.store.envval); + gssapi_client.store.envval); } } diff --git a/kex.c b/kex.c index 32c6d03ea..06a3ad4cc 100644 --- a/kex.c +++ b/kex.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.62 2005/07/16 01:35:24 djm Exp $"); +RCSID("$OpenBSD: kex.c,v 1.63 2005/07/17 07:17:55 djm Exp $"); #include @@ -392,7 +392,7 @@ kex_choose_conf(Kex *kex) /* ignore the next message if the proposals do not match */ if (first_kex_follows && !proposals_match(my, peer) && - !(datafellows & SSH_BUG_FIRSTKEX)) { + !(datafellows & SSH_BUG_FIRSTKEX)) { type = packet_read(); debug2("skipping next packet (type %u)", type); } diff --git a/moduli.c b/moduli.c index c13c535d6..d53806ea6 100644 --- a/moduli.c +++ b/moduli.c @@ -1,4 +1,4 @@ -/* $OpenBSD: moduli.c,v 1.11 2005/05/23 22:44:01 avsm Exp $ */ +/* $OpenBSD: moduli.c,v 1.12 2005/07/17 07:17:55 djm Exp $ */ /* * Copyright 1994 Phil Karn * Copyright 1996-1998, 2003 William Allen Simpson @@ -112,22 +112,22 @@ #define TINY_NUMBER (1UL<<16) /* Ensure enough bit space for testing 2*q. */ -#define TEST_MAXIMUM (1UL<<16) -#define TEST_MINIMUM (QSIZE_MINIMUM + 1) -/* real TEST_MINIMUM (1UL << (SHIFT_WORD - TEST_POWER)) */ -#define TEST_POWER (3) /* 2**n, n < SHIFT_WORD */ +#define TEST_MAXIMUM (1UL<<16) +#define TEST_MINIMUM (QSIZE_MINIMUM + 1) +/* real TEST_MINIMUM (1UL << (SHIFT_WORD - TEST_POWER)) */ +#define TEST_POWER (3) /* 2**n, n < SHIFT_WORD */ /* bit operations on 32-bit words */ -#define BIT_CLEAR(a,n) ((a)[(n)>>SHIFT_WORD] &= ~(1L << ((n) & 31))) -#define BIT_SET(a,n) ((a)[(n)>>SHIFT_WORD] |= (1L << ((n) & 31))) -#define BIT_TEST(a,n) ((a)[(n)>>SHIFT_WORD] & (1L << ((n) & 31))) +#define BIT_CLEAR(a,n) ((a)[(n)>>SHIFT_WORD] &= ~(1L << ((n) & 31))) +#define BIT_SET(a,n) ((a)[(n)>>SHIFT_WORD] |= (1L << ((n) & 31))) +#define BIT_TEST(a,n) ((a)[(n)>>SHIFT_WORD] & (1L << ((n) & 31))) /* * Prime testing defines */ /* Minimum number of primality tests to perform */ -#define TRIAL_MINIMUM (4) +#define TRIAL_MINIMUM (4) /* * Sieving data (XXX - move to struct) @@ -254,7 +254,7 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start) largememory = memory; if (memory != 0 && - (memory < LARGE_MINIMUM || memory > LARGE_MAXIMUM)) { + (memory < LARGE_MINIMUM || memory > LARGE_MAXIMUM)) { error("Invalid memory amount (min %ld, max %ld)", LARGE_MINIMUM, LARGE_MAXIMUM); return (-1); @@ -372,8 +372,8 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start) * fencepost errors, the last pass is skipped. */ for (smallbase = TINY_NUMBER + 3; - smallbase < (SMALL_MAXIMUM - TINY_NUMBER); - smallbase += TINY_NUMBER) { + smallbase < (SMALL_MAXIMUM - TINY_NUMBER); + smallbase += TINY_NUMBER) { for (i = 0; i < tinybits; i++) { if (BIT_TEST(TinySieve, i)) continue; /* 2*i+3 is composite */ diff --git a/readconf.c b/readconf.c index 5ec89e2f0..1e3c13239 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.141 2005/06/08 11:25:09 djm Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.142 2005/07/17 07:17:55 djm Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -839,7 +839,7 @@ parse_int: /* Check that there is no garbage at end of line. */ if ((arg = strdelim(&s)) != NULL && *arg != '\0') { fatal("%.200s line %d: garbage at end of line; \"%.200s\".", - filename, linenum, arg); + filename, linenum, arg); } return 0; } diff --git a/serverloop.c b/serverloop.c index eee1e7959..b0c4aafa0 100644 --- a/serverloop.c +++ b/serverloop.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.117 2004/08/11 21:43:05 avsm Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.118 2005/07/17 07:17:55 djm Exp $"); #include "xmalloc.h" #include "packet.h" @@ -865,7 +865,7 @@ server_request_direct_tcpip(void) packet_check_eom(); debug("server_request_direct_tcpip: originator %s port %d, target %s port %d", - originator, originator_port, target, target_port); + originator, originator_port, target, target_port); /* XXX check permission */ sock = channel_connect_to(target, target_port); diff --git a/session.c b/session.c index 81d7d53e8..171c239e2 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.184 2005/07/17 06:49:04 djm Exp $"); +RCSID("$OpenBSD: session.c,v 1.185 2005/07/17 07:17:55 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -1530,7 +1530,7 @@ do_child(Session *s, const char *command) */ if (options.kerberos_get_afs_token && k_hasafs() && - (s->authctxt->krb5_ctx != NULL)) { + (s->authctxt->krb5_ctx != NULL)) { char cell[64]; debug("Getting AFS token"); diff --git a/sftp-client.c b/sftp-client.c index ce15fc0a3..e4f95b0e5 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -20,7 +20,7 @@ /* XXX: copy between two remote sites */ #include "includes.h" -RCSID("$OpenBSD: sftp-client.c,v 1.55 2005/06/17 02:44:33 djm Exp $"); +RCSID("$OpenBSD: sftp-client.c,v 1.56 2005/07/17 07:17:55 djm Exp $"); #include "openbsd-compat/sys-queue.h" @@ -1126,7 +1126,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, goto done; } debug3("In write loop, ack for %u %u bytes at %llu", - ack->id, ack->len, (unsigned long long)ack->offset); + ack->id, ack->len, (unsigned long long)ack->offset); ++ackid; xfree(ack); } diff --git a/sftp.c b/sftp.c index 6dff39ede..9d2360743 100644 --- a/sftp.c +++ b/sftp.c @@ -16,7 +16,7 @@ #include "includes.h" -RCSID("$OpenBSD: sftp.c,v 1.64 2005/06/17 02:44:33 djm Exp $"); +RCSID("$OpenBSD: sftp.c,v 1.65 2005/07/17 07:17:55 djm Exp $"); #ifdef USE_LIBEDIT #include @@ -1476,7 +1476,7 @@ main(int argc, char **argv) /* Allow "-" as stdin */ if (strcmp(optarg, "-") != 0 && - (infile = fopen(optarg, "r")) == NULL) + (infile = fopen(optarg, "r")) == NULL) fatal("%s (%s).", strerror(errno), optarg); showprogress = 0; batchmode = 1; diff --git a/ssh-add.c b/ssh-add.c index a796647a7..a3428769c 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-add.c,v 1.71 2005/03/10 22:01:06 deraadt Exp $"); +RCSID("$OpenBSD: ssh-add.c,v 1.72 2005/07/17 07:17:55 djm Exp $"); #include @@ -145,7 +145,7 @@ add_file(AuthenticationConnection *ac, const char *filename) /* clear passphrase since it did not work */ clear_pass(); snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ", - comment); + comment); for (;;) { pass = read_passphrase(msg, RP_ALLOW_STDIN); if (strcmp(pass, "") == 0) { diff --git a/ssh-keygen.c b/ssh-keygen.c index 828d2be79..b17851946 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.127 2005/06/08 03:50:00 djm Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.128 2005/07/17 07:17:55 djm Exp $"); #include #include @@ -738,7 +738,7 @@ do_known_hosts(struct passwd *pw, const char *name) fprintf(stderr, "WARNING: %s contains unhashed " "entries\n", old); fprintf(stderr, "Delete this file to ensure privacy " - "of hostnames\n"); + "of hostnames\n"); } } diff --git a/sshconnect.c b/sshconnect.c index 84f287145..ba7b9b71e 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.167 2005/07/16 01:35:24 djm Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.168 2005/07/17 07:17:55 djm Exp $"); #include @@ -547,7 +547,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, switch (hostaddr->sa_family) { case AF_INET: local = (ntohl(((struct sockaddr_in *)hostaddr)-> - sin_addr.s_addr) >> 24) == IN_LOOPBACKNET; + sin_addr.s_addr) >> 24) == IN_LOOPBACKNET; salen = sizeof(struct sockaddr_in); break; case AF_INET6: @@ -680,8 +680,8 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, if (show_other_keys(host, host_key)) snprintf(msg1, sizeof(msg1), - "\nbut keys of different type are already" - " known for this host."); + "\nbut keys of different type are already" + " known for this host."); else snprintf(msg1, sizeof(msg1), "."); /* The default */ diff --git a/sshconnect2.c b/sshconnect2.c index 60afd6d3d..012ce2b42 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.139 2005/06/17 02:44:33 djm Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.140 2005/07/17 07:17:55 djm Exp $"); #include "openbsd-compat/sys-queue.h" @@ -352,7 +352,7 @@ void input_userauth_error(int type, u_int32_t seq, void *ctxt) { fatal("input_userauth_error: bad message during authentication: " - "type %d", type); + "type %d", type); } void @@ -679,7 +679,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) /* Stick it into GSSAPI and see what it says */ status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, - &recv_tok, &send_tok, NULL); + &recv_tok, &send_tok, NULL); xfree(recv_tok.value); gss_release_buffer(&ms, &send_tok); -- cgit v1.2.3 From da9984fc3aafc194485556ae2c7dc6c52cbd56c2 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 31 Aug 2005 19:46:26 +1000 Subject: - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2005/08/30 22:08:05 [gss-serv.c sshconnect2.c] destroy credentials if krb5_kuserok() call fails. Stops credentials being delegated to users who are not authorised for GSSAPIAuthentication when GSSAPIDeletegateCredentials=yes and another authentication mechanism succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@ --- ChangeLog | 12 +++++++++++- gss-serv.c | 15 +++++++++++++-- sshconnect2.c | 5 +++-- 3 files changed, 27 insertions(+), 5 deletions(-) (limited to 'gss-serv.c') diff --git a/ChangeLog b/ChangeLog index e88efdbfa..5d48e8f5f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +20050830 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2005/08/30 22:08:05 + [gss-serv.c sshconnect2.c] + destroy credentials if krb5_kuserok() call fails. Stops credentials being + delegated to users who are not authorised for GSSAPIAuthentication when + GSSAPIDeletegateCredentials=yes and another authentication mechanism + succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by + simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@ + 20050830 - (tim) [configure.ac] Back out last change. It needs to be done differently. @@ -2968,4 +2978,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3882 2005/08/31 09:42:20 djm Exp $ +$Id: ChangeLog,v 1.3883 2005/08/31 09:46:26 djm Exp $ diff --git a/gss-serv.c b/gss-serv.c index e191eb5a0..117130459 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.7 2005/07/17 07:17:55 djm Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -275,13 +275,24 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) int ssh_gssapi_userok(char *user) { + OM_uint32 lmin; + if (gssapi_client.exportedname.length == 0 || gssapi_client.exportedname.value == NULL) { debug("No suitable client data"); return 0; } if (gssapi_client.mech && gssapi_client.mech->userok) - return ((*gssapi_client.mech->userok)(&gssapi_client, user)); + if ((*gssapi_client.mech->userok)(&gssapi_client, user)) + return 1; + else { + /* Destroy delegated credentials if userok fails */ + gss_release_buffer(&lmin, &gssapi_client.displayname); + gss_release_buffer(&lmin, &gssapi_client.exportedname); + gss_release_cred(&lmin, &gssapi_client.creds); + memset(&gssapi_client, 0, sizeof(ssh_gssapi_client)); + return 0; + } else debug("ssh_gssapi_userok: Unknown GSSAPI mechanism"); return (0); diff --git a/sshconnect2.c b/sshconnect2.c index baee664ea..ee7932d68 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.141 2005/07/25 11:59:40 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $"); #include "openbsd-compat/sys-queue.h" @@ -545,7 +545,8 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok) Authctxt *authctxt = ctxt; Gssctxt *gssctxt = authctxt->methoddata; gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; - gss_buffer_desc gssbuf, mic; + gss_buffer_desc mic = GSS_C_EMPTY_BUFFER; + gss_buffer_desc gssbuf; OM_uint32 status, ms, flags; Buffer b; -- cgit v1.2.3