From ece1a2f92b20fa59db7ea631b7ea97c9a53ba07c Mon Sep 17 00:00:00 2001
From: Marc Burns
Date: Tue, 28 May 2013 10:48:05 -0400
Subject: [PATCH] Work around bug in libgssapi 2.0.25 present in wheezy.
---
 debian/changelog | 8 +++++++-
 src/gss.c | 27 +++++++++++++++++++++++++--
 2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 7ede3e98f..e4ce4b984 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+ceo (0.5.20) testing; urgency=low
+
+ * Work around bug in libgssapi 2.0.25 present in wheezy.
+
+ -- Marc Burns Tue, 28 May 2013 10:45:09 -0400
+
 ceo (0.5.19ubuntu2) quantal; urgency=low
 * Packaging for quantal.
@@ -24,7 +30,7 @@ ceo (0.5.18ubuntu1) precise; urgency=low
 ceo (0.5.18) stable; urgency=low
- * Updated mailman host to be mail, not caffeine (following mail container migration)
+ * Updated mailman host to be mail, not caffeine (following mail container migration)
 -- Sarah Harvey Mon, 10 Sep 2012 19:06:16 -0400
diff --git a/src/gss.c b/src/gss.c
index 12e6ac420..888567edb 100644
--- a/src/gss.c
+++ b/src/gss.c
@@ -64,6 +64,7 @@ static void display_status(char *prefix, OM_uint32 code, int type) {
 maj_stat = gss_display_status(&min_stat, code, type, GSS_C_NULL_OID, &msg_ctx, &msg);
+ (void)maj_stat;
 msgstr = gssbuf2str(&msg);
 logmsg(LOG_ERR, "%s: %s", prefix, msgstr);
 gss_release_buffer(&min_stat, &msg);
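Review bot: The added `(void)maj_stat;` in display_status silences the unused-value warning, but the result of gss_display_status is still never checked, so `msg` is handed to gssbuf2str and logged whether or not the call filled it in. Because this function only runs while another GSS failure is being reported, a guard on `GSS_ERROR(maj_stat)` that logs the numeric status instead, for example `logmsg(LOG_ERR, "%s: status %u", prefix, (unsigned)code);`, would keep the error log meaningful on that path. How `msg` and `msg_ctx` are initialised, and whether this sits inside a message-context loop, is outside the hunk, so the exit from the guard (return or break) needs to be chosen against the full function body.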
@@ -135,8 +136,30 @@ void server_acquire_creds(const char *service) {
 if (maj_stat != GSS_S_COMPLETE)
 gss_fatal("gss_acquire_cred", maj_stat, min_stat);
- if (time_rec != GSS_C_INDEFINITE)
- fatal("credentials valid for %d seconds (oops)", time_rec);
+ /* Work around bug in libgssapi 2.0.25 / gssapi_krb5 2.2:
+ * The expiry time returned by gss_acquire_cred is always zero. */
+ {
+ int names_match = 0;
+ gss_name_t cred_service;
+ gss_cred_usage_t cred_usage;
+ maj_stat = gss_inquire_cred(&min_stat, my_creds, &cred_service, &time_rec, &cred_usage, NULL);
+ if (maj_stat != GSS_S_COMPLETE)
+ gss_fatal("gss_inquire_cred", maj_stat, min_stat);
+
+ if (time_rec != GSS_C_INDEFINITE)
+ fatal("credentials valid for %d seconds (oops)", time_rec);
+
+ maj_stat = gss_compare_name(&min_stat, imported_service, cred_service, &names_match);
+
+ if (maj_stat != GSS_S_COMPLETE)
+ gss_fatal("gss_compare_name", maj_stat, min_stat);
+
+ if (!names_match)
+ fatal("credentials granted for wrong service (oops)");
+
+ if (!(cred_usage & GSS_C_ACCEPT))
+ fatal("credentials lack usage GSS_C_ACCEPT (oops)");
+ }
 }
 void client_acquire_creds(const char *service, const char *hostname) {
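Review bot: The usage test `if (!(cred_usage & GSS_C_ACCEPT))` treats gss_cred_usage_t as a bitmask, but RFC 2744 defines it as an enumeration in which GSS_C_BOTH is 0, so a credential valid for both initiating and accepting would be rejected at startup; `if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_BOTH)` states the intended check. The name returned in `cred_service` by gss_inquire_cred is never released, and a `gss_release_name(&min_stat, &cred_service);` after the gss_compare_name result has been checked would cover that. The moved `fatal("credentials valid for %d seconds (oops)", time_rec)` still formats with `%d`, which presumably mismatches an OM_uint32 argument; the declaration of time_rec, like those of my_creds and imported_service, lies in the part of server_acquire_creds outside this hunk.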