From 4189cebf7a591e740fccb77c318ab7d589b8d858 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 2 Jan 2017 14:42:38 +0100
Subject: [PATCH] Cache supported OIDS for GSSAPI kex (#1395288)
---
 openssh-7.0p1-gssKexAlgorithms.patch | 13 +++++++------
 openssh-7.2p1-gsskex.patch | 20 ++++++++++++++------
 2 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/openssh-7.0p1-gssKexAlgorithms.patch b/openssh-7.0p1-gssKexAlgorithms.patch
index 6988f2f..4e989dc 100644
--- a/openssh-7.0p1-gssKexAlgorithms.patch
+++ b/openssh-7.0p1-gssKexAlgorithms.patch
@@ -82,12 +82,13 @@ diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
 diff -up openssh-7.0p1/gss-serv.c.gsskexalg openssh-7.0p1/gss-serv.c
 --- openssh-7.0p1/gss-serv.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
 +++ openssh-7.0p1/gss-serv.c 2015-08-19 12:28:38.078518839 +0200
-@@ -150,7 +150,7 @@ ssh_gssapi_server_mechanisms() {
- 
- ssh_gssapi_supported_oids(&supported);
- return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
-- NULL, NULL));
-+ NULL, NULL, options.gss_kex_algorithms));
+@@ -149,7 +149,8 @@ ssh_gssapi_server_mechanisms() {
+ if (supported_oids == NULL)
+ ssh_gssapi_prepare_supported_oids();
+ return (ssh_gssapi_kex_mechs(supported_oids,
+- &ssh_gssapi_server_check_mech, NULL, NULL));
++ &ssh_gssapi_server_check_mech, NULL, NULL,
++ options.gss_kex_algorithms));
 }
 
 /* Unprivileged */
diff --git a/openssh-7.2p1-gsskex.patch b/openssh-7.2p1-gsskex.patch
index deb6637..8ffea3c 100644
--- a/openssh-7.2p1-gsskex.patch
+++ b/openssh-7.2p1-gsskex.patch
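Review bot: In the inner gss-serv.c hunk, `supported_oids` is passed to `ssh_gssapi_kex_mechs()` without being re-checked after the fallback call to `ssh_gssapi_prepare_supported_oids()`. The function is marked `/* Unprivileged */`, so if the cache was not filled earlier, the fallback presumably runs with reduced privileges and may not be able to enumerate mechanisms. Neither the prepare function nor `ssh_gssapi_kex_mechs()` is visible here, so whether a NULL set is tolerated cannot be confirmed. Provided callers treat a NULL return as "no GSSAPI kex mechanisms", I would add `if (supported_oids == NULL) return (NULL);` after the fallback, plus a `debug()` line so a missed cache shows up in the logs. The same function body is rewritten in the `openssh-7.2p1-gsskex.patch` hunk at `@@ -546,17 +546,16 @@`, and the same applies there.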
@@ -546,17 +546,16 @@ diff -up openssh-7.2p1/gss-serv.c.gsskex openssh-7.2p1/gss-serv.c #ifdef KRB5 extern ssh_gssapi_mech gssapi_kerberos_mech; -@@ -142,6 +144,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss +@@ -142,6 +144,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss } /* Unprivileged */ +char * +ssh_gssapi_server_mechanisms() { -+ gss_OID_set supported; -+ -+ ssh_gssapi_supported_oids(&supported); -+ return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech, -+ NULL, NULL)); ++ if (supported_oids == NULL) ++ ssh_gssapi_prepare_supported_oids(); ++ return (ssh_gssapi_kex_mechs(supported_oids, ++ &ssh_gssapi_server_check_mech, NULL, NULL)); +} + +/* Unprivileged */ @@ -2489,6 +2488,15 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c diff -up openssh-7.2p1/sshd.c.gsskex openssh-7.2p1/sshd.c --- openssh-7.2p1/sshd.c.gsskex 2016-02-19 10:01:04.860969328 +0100 +++ openssh-7.2p1/sshd.c 2016-02-19 10:01:04.872969321 +0100 +@@ -547,7 +547,7 @@ privsep_preauth_child(void) + + #ifdef GSSAPI + /* Cache supported mechanism OIDs for later use */ +- if (options.gss_authentication) ++ if (options.gss_authentication || options.gss_keyex) + ssh_gssapi_prepare_supported_oids(); + #endif + @@ -974,8 +974,9 @@ notify_hostkeys(struct ssh *ssh) } debug3("%s: sent %d hostkeys", __func__, nkeys);
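Review bot: In the sshd.c hunk for `privsep_preauth_child()`, the comment above the widened condition does not say why the OID set must be cached at this point, which makes the ordering easy to break later. The hunk only shows that the call now also runs when `options.gss_keyex` is set. Presumably it has to happen before the child is confined, because the key-exchange path later reads the cache from code marked unprivileged; that should be confirmed against the rest of the function, which starts and ends outside the hunk. I would expand the comment to something like `/* Cache supported mechanism OIDs now; GSSAPI auth and key exchange read them later from the unprivileged child */`. If `ssh_gssapi_prepare_supported_oids()` can report failure, logging it here would surface an empty mechanism list before key exchange rather than during it.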