summaryrefslogtreecommitdiff
path: root/debian/patches/old-gssapi.patch
blob: e2c4baa49b563505447cfdb4e06cb30ccca1e120 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
Description: Interoperate with old GSSAPI authentication method
 ssh-krb5 << 3.8.1p1-1 servers used a slightly different version.
Author: "Aaron M. Ucko" <ucko@debian.org>
Bug-Debian: http://bugs.debian.org/328388
Last-Updated: 2010-02-27

Index: b/sshconnect2.c
===================================================================
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -314,6 +314,11 @@
 		NULL,
 		&options.gss_authentication,
 		NULL},
+	{"gssapi",
+		userauth_gssapi,
+		NULL,
+		&options.gss_authentication,
+		NULL},
 #endif
 	{"hostbased",
 		userauth_hostbased,
@@ -601,6 +606,7 @@
 	OM_uint32 min;
 	int ok = 0;
 	const char *gss_host;
+	int old_gssapi_method;
 
 	if (options.gss_trust_dns)
 		gss_host = get_canonical_hostname(1);
@@ -639,13 +645,25 @@
 	packet_put_cstring(authctxt->service);
 	packet_put_cstring(authctxt->method->name);
 
-	packet_put_int(1);
+	old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
+
+	/* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
+	 * tagged OIDs.  As such we include both tagged and untagged oids
+	 * for the old gssapi method.
+	 * We only include tagged oids for the new gssapi-with-mic method.
+	 */
+	packet_put_int(old_gssapi_method ? 2 : 1);
 
 	packet_put_int((gss_supported->elements[mech].length) + 2);
 	packet_put_char(SSH_GSS_OIDTYPE);
 	packet_put_char(gss_supported->elements[mech].length);
 	packet_put_raw(gss_supported->elements[mech].elements,
 	    gss_supported->elements[mech].length);
+	if (old_gssapi_method) {
+		packet_put_int(gss_supported->elements[mech].length);
+		packet_put_raw(gss_supported->elements[mech].elements,
+			       gss_supported->elements[mech].length);
+	}
 
 	packet_send();
 
@@ -685,8 +703,10 @@
 	}
 
 	if (status == GSS_S_COMPLETE) {
+		int old_gssapi_method = !strcmp(authctxt->method->name,
+						"gssapi");
 		/* send either complete or MIC, depending on mechanism */
-		if (!(flags & GSS_C_INTEG_FLAG)) {
+		if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
 			packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
 			packet_send();
 		} else {
@@ -720,7 +740,7 @@
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
 	u_int oidlen;
-	u_char *oidv;
+	u_char *oidv, *oidv_free;
 
 	if (authctxt == NULL)
 		fatal("input_gssapi_response: no authentication context");
@@ -728,22 +748,28 @@
 
 	/* Setup our OID */
 	oidv = packet_get_string(&oidlen);
+	oidv_free = oidv;
 
 	if (oidlen <= 2 ||
 	    oidv[0] != SSH_GSS_OIDTYPE ||
 	    oidv[1] != oidlen - 2) {
-		xfree(oidv);
 		debug("Badly encoded mechanism OID received");
-		userauth(authctxt, NULL);
-		return;
+		if (oidlen < 2) {
+			xfree(oidv_free);
+			userauth(authctxt, NULL);
+			return;
+		}
+	} else {
+		oidlen -= 2;
+		oidv += 2;
 	}
 
-	if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
+	if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
 		fatal("Server returned different OID than expected");
 
 	packet_check_eom();
 
-	xfree(oidv);
+	xfree(oidv_free);
 
 	if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
 		/* Start again with next method on list */