From 74a432c0606a6068342ece4d5f51cf90f7b4e339 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Thu, 15 Sep 2005 08:11:55 +0000
Subject: * Interoperate with ssh-krb5 << 3.8.1p1-1 servers, which used a
 slightly   different version of the gssapi authentication method (thanks,
 Aaron M.   Ucko; closes: #328388).

---
 sshconnect2.c | 41 +++++++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 8 deletions(-)

(limited to 'sshconnect2.c')

diff --git a/sshconnect2.c b/sshconnect2.c
index e40786f87..601a49429 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -266,6 +266,10 @@ Authmethod authmethods[] = {
 		userauth_gssapi,
 		&options.gss_authentication,
 		NULL},
+	{"gssapi",
+		userauth_gssapi,
+		&options.gss_authentication,
+		NULL},
 #endif
 	{"hostbased",
 		userauth_hostbased,
@@ -524,6 +528,7 @@ userauth_gssapi(Authctxt *authctxt)
 	static u_int mech = 0;
 	OM_uint32 min;
 	int ok = 0;
+	int old_gssapi_method;
 
 	/* Try one GSSAPI method at a time, rather than sending them all at
 	 * once. */
@@ -558,13 +563,25 @@ userauth_gssapi(Authctxt *authctxt)
 	packet_put_cstring(authctxt->service);
 	packet_put_cstring(authctxt->method->name);
 
-	packet_put_int(1);
+	old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
+
+	/* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
+	 * tagged OIDs.  As such we include both tagged and untagged oids
+	 * for the old gssapi method.
+	 * We only include tagged oids for the new gssapi-with-mic method.
+	 */
+	packet_put_int(old_gssapi_method?2:1);
 
 	packet_put_int((gss_supported->elements[mech].length) + 2);
 	packet_put_char(SSH_GSS_OIDTYPE);
 	packet_put_char(gss_supported->elements[mech].length);
 	packet_put_raw(gss_supported->elements[mech].elements,
 	    gss_supported->elements[mech].length);
+	if (old_gssapi_method) {
+		packet_put_int((gss_supported->elements[mech].length));
+		packet_put_raw(gss_supported->elements[mech].elements,
+			       gss_supported->elements[mech].length);
+	}
 
 	packet_send();
 
@@ -604,8 +621,10 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
 	}
 
 	if (status == GSS_S_COMPLETE) {
+		int old_gssapi_method = !strcmp(authctxt->method->name,
+						"gssapi");
 		/* send either complete or MIC, depending on mechanism */
-		if (!(flags & GSS_C_INTEG_FLAG)) {
+		if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
 			packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
 			packet_send();
 		} else {
@@ -638,7 +657,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
 	int oidlen;
-	char *oidv;
+	char *oidv, *oidv_free;
 
 	if (authctxt == NULL)
 		fatal("input_gssapi_response: no authentication context");
@@ -646,22 +665,28 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 
 	/* Setup our OID */
 	oidv = packet_get_string(&oidlen);
+	oidv_free = oidv;
 
 	if (oidlen <= 2 ||
 	    oidv[0] != SSH_GSS_OIDTYPE ||
 	    oidv[1] != oidlen - 2) {
-		xfree(oidv);
 		debug("Badly encoded mechanism OID received");
-		userauth(authctxt, NULL);
-		return;
+		if (oidlen < 2) {
+			xfree(oidv_free);
+			userauth(authctxt, NULL);
+			return;
+		}
+	} else {
+		oidlen -= 2;
+		oidv += 2;
 	}
 
-	if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
+	if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
 		fatal("Server returned different OID than expected");
 
 	packet_check_eom();
 
-	xfree(oidv);
+	xfree(oidv_free);
 
 	if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
 		/* Start again with next method on list */
-- 
cgit v1.2.3