From 8dcc7c5ef45cf5032dca7a308ffe17d3935e62d5 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Sat, 27 Feb 2010 14:05:10 +0000
Subject: Convert to source format 3.0 (quilt).
---
debian/patches/old-gssapi.patch | 141 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 141 insertions(+)
create mode 100644 debian/patches/old-gssapi.patch
(limited to 'debian/patches/old-gssapi.patch')
diff --git a/debian/patches/old-gssapi.patch b/debian/patches/old-gssapi.patch
new file mode 100644
index 000000000..272654fd8
--- /dev/null
+++ b/debian/patches/old-gssapi.patch
@@ -0,0 +1,141 @@
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
++++ b/servconf.c
+@@ -375,16 +375,20 @@
+ #ifdef GSSAPI
+ { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+ { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
++ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+ #else
+ { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
++ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+ #endif
++ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
++ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
+ { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+ { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
+ { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
+@@ -1620,7 +1624,9 @@
+ #endif
+ #ifdef GSSAPI
+ dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
++ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+ dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
++ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ #endif
+ #ifdef JPAKE
+ dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
+Index: b/sshconnect2.c
+===================================================================
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -314,6 +314,11 @@
+ NULL,
+ &options.gss_authentication,
+ NULL},
++ {"gssapi",
++ userauth_gssapi,
++ NULL,
++ &options.gss_authentication,
++ NULL},
+ #endif
+ {"hostbased",
+ userauth_hostbased,
+@@ -601,6 +606,7 @@
+ OM_uint32 min;
+ int ok = 0;
+ const char *gss_host;
++ int old_gssapi_method;
+
+ if (options.gss_trust_dns)
+ gss_host = get_canonical_hostname(1);
+@@ -639,13 +645,25 @@
+ packet_put_cstring(authctxt->service);
+ packet_put_cstring(authctxt->method->name);
+
+- packet_put_int(1);
++ old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
++
++ /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
++ * tagged OIDs. As such we include both tagged and untagged oids
++ * for the old gssapi method.
++ * We only include tagged oids for the new gssapi-with-mic method.
++ */
++ packet_put_int(old_gssapi_method ? 2 : 1);
+
+ packet_put_int((gss_supported->elements[mech].length) + 2);
+ packet_put_char(SSH_GSS_OIDTYPE);
+ packet_put_char(gss_supported->elements[mech].length);
+ packet_put_raw(gss_supported->elements[mech].elements,
+ gss_supported->elements[mech].length);
++ if (old_gssapi_method) {
++ packet_put_int(gss_supported->elements[mech].length);
++ packet_put_raw(gss_supported->elements[mech].elements,
++ gss_supported->elements[mech].length);
++ }
+
+ packet_send();
+
+@@ -685,8 +703,10 @@
+ }
+
+ if (status == GSS_S_COMPLETE) {
++ int old_gssapi_method = !strcmp(authctxt->method->name,
++ "gssapi");
+ /* send either complete or MIC, depending on mechanism */
+- if (!(flags & GSS_C_INTEG_FLAG)) {
++ if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
+ packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
+ packet_send();
+ } else {
+@@ -720,7 +740,7 @@
+ Authctxt *authctxt = ctxt;
+ Gssctxt *gssctxt;
+ u_int oidlen;
+- u_char *oidv;
++ u_char *oidv, *oidv_free;
+
+ if (authctxt == NULL)
+ fatal("input_gssapi_response: no authentication context");
+@@ -728,22 +748,28 @@
+
+ /* Setup our OID */
+ oidv = packet_get_string(&oidlen);
++ oidv_free = oidv;
+
+ if (oidlen <= 2 ||
+ oidv[0] != SSH_GSS_OIDTYPE ||
+ oidv[1] != oidlen - 2) {
+- xfree(oidv);
+ debug("Badly encoded mechanism OID received");
+- userauth(authctxt, NULL);
+- return;
++ if (oidlen < 2) {
++ xfree(oidv_free);
++ userauth(authctxt, NULL);
++ return;
++ }
++ } else {
++ oidlen -= 2;
++ oidv += 2;
+ }
+
+- if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
++ if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
+ fatal("Server returned different OID than expected");
+
+ packet_check_eom();
+
+- xfree(oidv);
++ xfree(oidv_free);
+
+ if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
+ /* Start again with next method on list */
-- cgit v1.2.3
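Review bot: The legacy `{"gssapi", userauth_gssapi, ...}` entry added to the client method table in sshconnect2.c is switched on by the same `&options.gss_authentication` flag as gssapi-with-mic, and for that method the new `if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG))` branch sends EXCHANGE_COMPLETE without a MIC even when the mechanism offers integrity. As far as I recall, the MIC is what ties the GSSAPI exchange to the SSH session, so every client with GSSAPI authentication enabled would now fall back to the weaker method whenever a server advertises it. That trade-off deserves its own opt-in, or at minimum a comment on the table entry such as `/* legacy pre-"gssapi-with-mic" method: no MIC is sent, so the exchange is not bound to the session */`. Separately, the relaxed parse in input_gssapi_response lets an untagged OID through for either method; `if (oidlen < 2 || strcmp(authctxt->method->name, "gssapi") != 0) {` would keep gssapi-with-mic as strict as before. The enclosing functions begin and end outside the embedded hunks, so this is based only on the lines shown.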