[Bug 2198] New: GSSAPIKeyExchange gssapi-keyex bug in kex.c choose_kex()

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Jan 25 09:26:21 EST 2014


            Bug ID: 2198
           Summary: GSSAPIKeyExchange gssapi-keyex bug in kex.c
           Product: Portable OpenSSH
           Version: 6.4p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Kerberos support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: staatsvr at afrl.hpc.mil

Created attachment 2400
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2400&action=edit
Possible fix for kex.c GSSAPIKeyExchange strcmp problem

Reported problem: Attempted connections from new 6.4p1 client to old
6.0p1 server fails when using "GSSAPIKeyExchange yes".

Client error message:
  unsupported kex alg gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
Server error message: (nothing much useful, even with -ddd)

In kex.c :: choose_kex() prior to 6.3p1 the search for Kex k->name was
performed using a mix of strcmp() and strncmp().  The strncmp() name
comparisons on just the leading part of the name were necessary for
  Starting with 6.3.p1 and continuing in 6.4p1 and
openssh-SNAP-20140125.tar.gz kex.c moved to a kexalgs table with a
kex_alg_by_name() lookup.  Since kex_alg_by_name() only uses strcmp,
the above kex algorith names fail to make an exact match.  For example,
KEX_GSS_GEX_SHA1_ID = gss-gex-sha1- vs 
k->name = gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==

Proposed fix: Add strncmp() special cases for the KEX_GSS_* algorithms.
See example patch in attachments.  Not elegant, but I think safe.
Note:  Why not just use strncmp() in kex_alg_by_name(const char *name)
for all cases?  But what if someday there's an algorithm name which is
a substring of another name?

You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list