Convert to source format 3.0 (quilt).

author: Colin Watson <cjwatson@debian.org> 2010-02-27 14:05:10 +0000
committer: Colin Watson <cjwatson@debian.org> 2010-02-27 14:05:10 +0000
commit: 8dcc7c5ef45cf5032dca7a308ffe17d3935e62d5 (patch)
tree: 2e0d8058bdfc24a60a20c5bcbfd1075ef1048ff3 /debian/patches/old-gssapi.patch
parent: e44a1fb6e8e59e67e5c8b6e83c0d8566d146aad9 (diff)
1 files changed, 141 insertions, 0 deletions
diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch
new file mode 100644
index 000000000..272654fd8
--- /dev/null
+++ b/debian/patches/old-gssapi.patch
@@ -0,0 +1,141 @@
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
+++ b/servconf.c
+@@ -375,16 +375,20 @@
+ #ifdef GSSAPI
+        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+       { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
+        { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+        { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+        { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+ #else
+        { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+       { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+ #endif
+       { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+       { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
+        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
+        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
+@@ -1620,7 +1624,9 @@
+ #endif
+ #ifdef GSSAPI
+        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+       dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+        dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+       dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ #endif
+ #ifdef JPAKE
+        dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
+Index: b/sshconnect2.c
+===================================================================
+--- a/sshconnect2.c
+++ b/sshconnect2.c
+@@ -314,6 +314,11 @@
+                NULL,
+                &options.gss_authentication,
+                NULL},
+       {"gssapi",
+               userauth_gssapi,
+               NULL,
+               &options.gss_authentication,
+               NULL},
+ #endif
+        {"hostbased",
+                userauth_hostbased,
+@@ -601,6 +606,7 @@
+        OM_uint32 min;
+        int ok = 0;
+        const char *gss_host;
+       int old_gssapi_method;
+ 
+        if (options.gss_trust_dns)
+                gss_host = get_canonical_hostname(1);
+@@ -639,13 +645,25 @@
+        packet_put_cstring(authctxt->service);
+        packet_put_cstring(authctxt->method->name);
+ 
+-       packet_put_int(1);
+       old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
+
+       /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
+        * tagged OIDs.  As such we include both tagged and untagged oids
+        * for the old gssapi method.
+        * We only include tagged oids for the new gssapi-with-mic method.
+        */
+       packet_put_int(old_gssapi_method ? 2 : 1);
+ 
+        packet_put_int((gss_supported->elements[mech].length) + 2);
+        packet_put_char(SSH_GSS_OIDTYPE);
+        packet_put_char(gss_supported->elements[mech].length);
+        packet_put_raw(gss_supported->elements[mech].elements,
+            gss_supported->elements[mech].length);
+       if (old_gssapi_method) {
+               packet_put_int(gss_supported->elements[mech].length);
+               packet_put_raw(gss_supported->elements[mech].elements,
+                              gss_supported->elements[mech].length);
+       }
+ 
+        packet_send();
+ 
+@@ -685,8 +703,10 @@
+        }
+ 
+        if (status == GSS_S_COMPLETE) {
+               int old_gssapi_method = !strcmp(authctxt->method->name,
+                                               "gssapi");
+                /* send either complete or MIC, depending on mechanism */
+-               if (!(flags & GSS_C_INTEG_FLAG)) {
+               if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
+                        packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
+                        packet_send();
+                } else {
+@@ -720,7 +740,7 @@
+        Authctxt *authctxt = ctxt;
+        Gssctxt *gssctxt;
+        u_int oidlen;
+-       u_char *oidv;
+       u_char *oidv, *oidv_free;
+ 
+        if (authctxt == NULL)
+                fatal("input_gssapi_response: no authentication context");
+@@ -728,22 +748,28 @@
+ 
+        /* Setup our OID */
+        oidv = packet_get_string(&oidlen);
+       oidv_free = oidv;
+ 
+        if (oidlen <= 2 ||
+            oidv[0] != SSH_GSS_OIDTYPE ||
+            oidv[1] != oidlen - 2) {
+-               xfree(oidv);
+                debug("Badly encoded mechanism OID received");
+-               userauth(authctxt, NULL);
+-               return;
+               if (oidlen < 2) {
+                       xfree(oidv_free);
+                       userauth(authctxt, NULL);
+                       return;
+               }
+       } else {
+               oidlen -= 2;
+               oidv += 2;
+        }
+ 
+-       if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
+       if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
+                fatal("Server returned different OID than expected");
+ 
+        packet_check_eom();
+ 
+-       xfree(oidv);
+       xfree(oidv_free);
+ 
+        if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
+                /* Start again with next method on list */
author	Colin Watson <cjwatson@debian.org>	2010-02-27 14:05:10 +0000
committer	Colin Watson <cjwatson@debian.org>	2010-02-27 14:05:10 +0000
commit	8dcc7c5ef45cf5032dca7a308ffe17d3935e62d5 (patch)
tree	2e0d8058bdfc24a60a20c5bcbfd1075ef1048ff3 /debian/patches/old-gssapi.patch
parent	e44a1fb6e8e59e67e5c8b6e83c0d8566d146aad9 (diff)

diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch new file mode 100644 index 000000000..272654fd8 --- /dev/null +++ b/debian/patches/old-gssapi.patch
@@ -0,0 +1,141 @@
	1	Index: b/servconf.c
	2	===================================================================
	3	--- a/servconf.c
	4	+++ b/servconf.c
	5	@@ -375,16 +375,20 @@
	6	#ifdef GSSAPI
	7	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
	8	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
	9	+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
	10	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
	11	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
	12	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
	13	#else
	14	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
	15	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
	16	+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
	17	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
	18	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
	19	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
	20	#endif
	21	+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
	22	+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
	23	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
	24	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
	25	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
	26	@@ -1620,7 +1624,9 @@
	27	#endif
	28	#ifdef GSSAPI
	29	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
	30	+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
	31	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
	32	+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
	33	#endif
	34	#ifdef JPAKE
	35	dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
	36	Index: b/sshconnect2.c
	37	===================================================================
	38	--- a/sshconnect2.c
	39	+++ b/sshconnect2.c
	40	@@ -314,6 +314,11 @@
	41	NULL,
	42	&options.gss_authentication,
	43	NULL},
	44	+ {"gssapi",
	45	+ userauth_gssapi,
	46	+ NULL,
	47	+ &options.gss_authentication,
	48	+ NULL},
	49	#endif
	50	{"hostbased",
	51	userauth_hostbased,
	52	@@ -601,6 +606,7 @@
	53	OM_uint32 min;
	54	int ok = 0;
	55	const char *gss_host;
	56	+ int old_gssapi_method;
	57
	58	if (options.gss_trust_dns)
	59	gss_host = get_canonical_hostname(1);
	60	@@ -639,13 +645,25 @@
	61	packet_put_cstring(authctxt->service);
	62	packet_put_cstring(authctxt->method->name);
	63
	64	- packet_put_int(1);
	65	+ old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
	66	+
	67	+ /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
	68	+ * tagged OIDs. As such we include both tagged and untagged oids
	69	+ * for the old gssapi method.
	70	+ * We only include tagged oids for the new gssapi-with-mic method.
	71	+ */
	72	+ packet_put_int(old_gssapi_method ? 2 : 1);
	73
	74	packet_put_int((gss_supported->elements[mech].length) + 2);
	75	packet_put_char(SSH_GSS_OIDTYPE);
	76	packet_put_char(gss_supported->elements[mech].length);
	77	packet_put_raw(gss_supported->elements[mech].elements,
	78	gss_supported->elements[mech].length);
	79	+ if (old_gssapi_method) {
	80	+ packet_put_int(gss_supported->elements[mech].length);
	81	+ packet_put_raw(gss_supported->elements[mech].elements,
	82	+ gss_supported->elements[mech].length);
	83	+ }
	84
	85	packet_send();
	86
	87	@@ -685,8 +703,10 @@
	88	}
	89
	90	if (status == GSS_S_COMPLETE) {
	91	+ int old_gssapi_method = !strcmp(authctxt->method->name,
	92	+ "gssapi");
	93	/* send either complete or MIC, depending on mechanism */
	94	- if (!(flags & GSS_C_INTEG_FLAG)) {
	95	+ if (old_gssapi_method \|\| !(flags & GSS_C_INTEG_FLAG)) {
	96	packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
	97	packet_send();
	98	} else {
	99	@@ -720,7 +740,7 @@
	100	Authctxt *authctxt = ctxt;
	101	Gssctxt *gssctxt;
	102	u_int oidlen;
	103	- u_char *oidv;
	104	+ u_char oidv, oidv_free;
	105
	106	if (authctxt == NULL)
	107	fatal("input_gssapi_response: no authentication context");
	108	@@ -728,22 +748,28 @@
	109
	110	/* Setup our OID */
	111	oidv = packet_get_string(&oidlen);
	112	+ oidv_free = oidv;
	113
	114	if (oidlen <= 2 \|\|
	115	oidv[0] != SSH_GSS_OIDTYPE \|\|
	116	oidv[1] != oidlen - 2) {
	117	- xfree(oidv);
	118	debug("Badly encoded mechanism OID received");
	119	- userauth(authctxt, NULL);
	120	- return;
	121	+ if (oidlen < 2) {
	122	+ xfree(oidv_free);
	123	+ userauth(authctxt, NULL);
	124	+ return;
	125	+ }
	126	+ } else {
	127	+ oidlen -= 2;
	128	+ oidv += 2;
	129	}
	130
	131	- if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
	132	+ if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
	133	fatal("Server returned different OID than expected");
	134
	135	packet_check_eom();
	136
	137	- xfree(oidv);
	138	+ xfree(oidv_free);
	139
	140	if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
	141	/* Start again with next method on list */