Timing bug patch and x509 question.

Marquess, Steve Mr JMLFDC Steve.Marquess at DET.AMEDD.ARMY.MIL
Thu Jun 22 21:57:03 EST 2000


First the bug:

I've found a timing problem in 2.1.1p1 at the point where the client version string is read: a core dump with a "Did not receive ident string..." error. This problem does not appear to have been mentioned yet in the list archive.

This bug was noted on HP-UX 11.0 but could be a problem on other Unices as well. My Q&D fix (patch below) was to spin on EWOULDBLOCK (the BSDism seen on HP-UX) or EAGAIN. In testing I see from 2 to 4 iterations before the first byte arrives.

Now the question:

Does anyone know of any plans to add an X.509 certificate capability to OpenSSH? For political reasons only X.509-based crypto will be usable in my environment. We have used ssh heavily for some time and I'm thinking that adapting ssh for X.509 might be easier than switching the whole enterprise to another product. The commercial ssh now has an "X.509 toolkit", whatever that is, and OpenSSH already references OpenSSL.

The patch:

*** sshd.c	Mon May 29 23:44:54 2000
--- /tmp/sshd.c	Wed Jun 21 15:08:54 2000
***************
*** 297,302 ****
--- 297,307 ----
  		/* Read other side\'s version identification. */
  		for (i = 0; i < sizeof(buf) - 1; i++) {
  			if (read(sock_in, &buf[i], 1) != 1) {
+ 				debug("version id %.100s, %d",
strerror(errno), i);
+ 				if ((errno == EWOULDBLOCK) || (errno ==
EAGAIN)) {
+ 					i--;
+ 					continue;
+ 				}
  				log("Did not receive ident string from %s.",
get_remote_ipaddr());
  				fatal_cleanup();
  			}
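Review bot: the new EWOULDBLOCK/EAGAIN branch inside `if (read(sock_in, &buf[i], 1) != 1)` busy-waits: `i--; continue;` re-issues read() immediately, with no select()/poll() on sock_in, no sleep and no cap on retries, so a client that connects and sends nothing keeps this sshd spinning at full CPU until a byte arrives or read() fails with some other errno. It also does not distinguish read() returning 0 (peer closed; errno is not set) from -1: whatever errno happens to hold is tested, and if it is a stale EAGAIN a disconnect mid-ident becomes an endless loop instead of reaching the `log("Did not receive ident string ...")` / `fatal_cleanup()` path below. Suggest keeping the return value and only retrying on a genuine -1/EAGAIN after waiting for readability, e.g. `n = read(sock_in, &buf[i], 1); if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) { /* select() on sock_in with a timeout */ i--; continue; }` with `n == 0` falling through to the existing fatal path; alternatively clear O_NONBLOCK on sock_in before this loop so the original blocking read is restored. The added `debug("version id %.100s, %d", ...)` also fires on every retry and belongs after the EAGAIN test, not before it.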


--------------------------------------------------------------------------------
Steve Marquess          301-663-1770 x238 / 301-619-3933 voice
DMLSS Technical Manager	DSN 343-3933
JMLFDC			301-663-6788 / 301-619-7831 fax
623 Porter Street		steve.marquess at amedd.army.mil
Ft. Detrick, MD  21702-5018
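The patch in the message above retries read() in a tight loop whenever the non-blocking socket reports EAGAIN. As an added example, not OpenSSH code and not the poster's patch, the block below reads the ident line from a non-blocking descriptor without spinning: every EAGAIN/EWOULDBLOCK becomes a poll() for the remaining time budget, and read() returning 0 (peer gone, errno untouched) is handled before errno is looked at. The function names, return codes and the sample ident strings ("SSH-1.99-OpenSSH_2.1.1") are this example's own inventions; a socketpair plus a forked child stands in for the real client connection so the three cases (slow client, client disconnecting mid-line, client that never speaks) run offline.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not OpenSSH code and not the poster's patch: read the peer's
 * version identification line from a non-blocking socket without spinning on
 * EAGAIN/EWOULDBLOCK.  Assumed: the line ends in "\n" (optionally "\r\n") and
 * a total wait budget applies.  All names below are this example's own. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum { IDENT_OK = 0, IDENT_EOF = -1, IDENT_TIMEOUT = -2, IDENT_ERROR = -3, IDENT_TOOLONG = -4 };

static long mono_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Reads one line into buf (NUL-terminated, CR/LF stripped).  An EAGAIN becomes
 * a poll() for the remaining budget instead of an immediate retry, and
 * read()==0 (EOF, errno untouched) is tested before errno is consulted, so a
 * stale EAGAIN cannot turn a client disconnect into an endless loop. */
int read_ident_line(int fd, char *buf, size_t buflen, int timeout_ms)
{
    long deadline = mono_ms() + timeout_ms;
    size_t i = 0;
    while (i < buflen - 1) {
        ssize_t n = read(fd, &buf[i], 1);
        if (n == 1) {
            if (buf[i] != '\n') { i++; continue; }
            buf[i] = '\0';
            if (i > 0 && buf[i - 1] == '\r') buf[i - 1] = '\0';
            return IDENT_OK;
        }
        buf[i] = '\0';
        if (n == 0) return IDENT_EOF;                   /* peer closed mid-line */
        if (errno == EINTR) continue;
        if (errno != EAGAIN && errno != EWOULDBLOCK) return IDENT_ERROR;
        long remaining = deadline - mono_ms();          /* nothing yet: wait, bounded */
        if (remaining <= 0) return IDENT_TIMEOUT;
        struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
        int r = poll(&pfd, 1, (int)remaining);
        if (r == 0) return IDENT_TIMEOUT;
        if (r < 0 && errno != EINTR) return IDENT_ERROR;
        /* readable or hung up: loop and let read() say which */
    }
    buf[buflen - 1] = '\0';
    return IDENT_TOOLONG;
}

/* Demo plumbing: a socketpair stands in for the accepted connection, with the
 * server end set O_NONBLOCK so read() really does return EAGAIN. */
static int nonblocking_pair(int sv[2])
{
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    return fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL, 0) | O_NONBLOCK);
}

/* A child process plays the client: it sends `first` at once, waits delay_ms,
 * sends `second` (either may be NULL), then exits, which closes its end.
 * Returns read_ident_line()'s code for the server side. */
int run_client_demo(const char *first, int delay_ms, const char *second,
                    int timeout_ms, char *out, size_t outlen)
{
    int sv[2];
    if (nonblocking_pair(sv) < 0) return IDENT_ERROR;
    pid_t pid = fork();
    if (pid < 0) return IDENT_ERROR;
    if (pid == 0) {
        struct timespec pause = { delay_ms / 1000, (delay_ms % 1000) * 1000000L };
        close(sv[0]);
        if (first) write(sv[1], first, strlen(first));
        nanosleep(&pause, NULL);
        if (second) write(sv[1], second, strlen(second));
        _exit(0);
    }
    close(sv[1]);
    int rc = read_ident_line(sv[0], out, outlen, timeout_ms);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return rc;
}

int main(void)
{
    char line[256];
    /* slow client (the poster's "2 to 4 iterations" case): ident arrives in two fragments */
    int rc = run_client_demo("SSH-1.99-", 50, "OpenSSH_2.1.1\r\n", 2000, line, sizeof line);
    printf("slow client: rc=%d line=\"%s\"\n", rc, line);
    /* client sends part of a line and goes away: must report EOF, never spin */
    rc = run_client_demo("SSH-", 0, NULL, 2000, line, sizeof line);
    printf("disconnect:  rc=%d line=\"%s\"\n", rc, line);
    /* client connects and never speaks: the budget runs out, not the CPU */
    rc = run_client_demo(NULL, 1000, NULL, 50, line, sizeof line);
    printf("silent:      rc=%d\n", rc);
    return 0;
}
```

The equivalent in sshd.c would be a select()/poll() on sock_in with a timeout in place of the bare `i--; continue;`, plus an explicit `n == 0` check ahead of the errno test; the third demo is the case the spinning patch never terminates on its own.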





More information about the openssh-unix-dev mailing list