From owner-svn-src-head@FreeBSD.ORG Sat Mar 24 01:02:04 2012 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 05110106566B; Sat, 24 Mar 2012 01:02:04 +0000 (UTC) (envelope-from stas@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id D96608FC18; Sat, 24 Mar 2012 01:02:03 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q2O123b8002763; Sat, 24 Mar 2012 01:02:03 GMT (envelope-from stas@svn.freebsd.org) Received: (from stas@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q2O123x3002760; Sat, 24 Mar 2012 01:02:03 GMT (envelope-from stas@svn.freebsd.org) Message-Id: <201203240102.q2O123x3002760@svn.freebsd.org> From: Stanislav Sedov Date: Sat, 24 Mar 2012 01:02:03 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r233406 - head/lib/libpam/modules/pam_krb5 X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 Mar 2012 01:02:04 -0000 Author: stas Date: Sat Mar 24 01:02:03 2012 New Revision: 233406 URL: http://svn.freebsd.org/changeset/base/233406 Log: - Avoid using deprecated heimdal functions in pam_krb5. Modified: head/lib/libpam/modules/pam_krb5/Makefile head/lib/libpam/modules/pam_krb5/pam_krb5.c Modified: head/lib/libpam/modules/pam_krb5/Makefile ============================================================================== --- head/lib/libpam/modules/pam_krb5/Makefile Sat Mar 24 00:42:38 2012 (r233405) +++ head/lib/libpam/modules/pam_krb5/Makefile Sat Mar 24 01:02:03 2012 (r233406) @@ -32,8 +32,6 @@ CFLAGS+=-D_FREEFALL_CONFIG WARNS?= 3 .endif -NO_WERROR= yes - DPADD= ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBROKEN} ${LIBCOM_ERR} ${LIBCRYPT} ${LIBCRYPTO} LDADD= -lkrb5 -lhx509 -lasn1 -lroken -lcom_err -lcrypt -lcrypto Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.c ============================================================================== --- head/lib/libpam/modules/pam_krb5/pam_krb5.c Sat Mar 24 00:42:38 2012 (r233405) +++ head/lib/libpam/modules/pam_krb5/pam_krb5.c Sat Mar 24 01:02:03 2012 (r233406) @@ -92,6 +92,13 @@ static void compat_free_data_contents(kr #define PAM_OPT_NO_USER_CHECK "no_user_check" #define PAM_OPT_REUSE_CCACHE "reuse_ccache" +#define PAM_LOG_KRB5_ERR(ctx, rv, fmt, ...) \ + do { \ + const char *krb5msg = krb5_get_error_message(ctx, rv); \ + PAM_LOG(fmt ": %s", ##__VA_ARGS__, krb5msg); \ + krb5_free_error_message(ctx, krb5msg); \ + } while (0) + /* * authentication management */ @@ -104,7 +111,7 @@ pam_sm_authenticate(pam_handle_t *pamh, krb5_creds creds; krb5_principal princ; krb5_ccache ccache; - krb5_get_init_creds_opt opts; + krb5_get_init_creds_opt *opts; struct passwd *pwd; int retval; const void *ccache_data; @@ -139,13 +146,6 @@ pam_sm_authenticate(pam_handle_t *pamh, PAM_LOG("Context initialised"); - krb5_get_init_creds_opt_init(&opts); - - if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE)) - krb5_get_init_creds_opt_set_forwardable(&opts, 1); - - PAM_LOG("Credentials initialised"); - krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE); if (krbret != 0 && krbret != KRB5_CC_TYPE_EXISTS) { PAM_VERBOSE_ERROR("Kerberos 5 error"); @@ -166,8 +166,7 @@ pam_sm_authenticate(pam_handle_t *pamh, krbret = krb5_parse_name(pam_context, principal, &princ); free(principal); if (krbret != 0) { - PAM_LOG("Error krb5_parse_name(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, "Error krb5_parse_name()"); PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_SERVICE_ERR; goto cleanup3; @@ -179,8 +178,8 @@ pam_sm_authenticate(pam_handle_t *pamh, princ_name = NULL; krbret = krb5_unparse_name(pam_context, princ, &princ_name); if (krbret != 0) { - PAM_LOG("Error krb5_unparse_name(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_unparse_name()"); PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_SERVICE_ERR; goto cleanup2; @@ -206,8 +205,8 @@ pam_sm_authenticate(pam_handle_t *pamh, sizeof(luser), luser); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_aname_to_localname(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_aname_to_localname()"); retval = PAM_USER_UNKNOWN; goto cleanup2; } @@ -228,14 +227,30 @@ pam_sm_authenticate(pam_handle_t *pamh, PAM_LOG("Done getpwnam()"); } + /* Initialize credentials request options. */ + krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts); + if (krbret != 0) { + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_get_init_creds_opt_alloc()"); + PAM_VERBOSE_ERROR("Kerberos 5 error"); + retval = PAM_SERVICE_ERR; + goto cleanup2; + } + + if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE)) + krb5_get_init_creds_opt_set_forwardable(opts, 1); + + PAM_LOG("Credential options initialised"); + /* Get a TGT */ memset(&creds, 0, sizeof(krb5_creds)); krbret = krb5_get_init_creds_password(pam_context, &creds, princ, - pass, NULL, pamh, 0, NULL, &opts); + pass, NULL, pamh, 0, NULL, opts); + krb5_get_init_creds_opt_free(pam_context, opts); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_get_init_creds_password(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_get_init_creds_password()"); retval = PAM_AUTH_ERR; goto cleanup2; } @@ -243,27 +258,27 @@ pam_sm_authenticate(pam_handle_t *pamh, PAM_LOG("Got TGT"); /* Generate a temporary cache */ - krbret = krb5_cc_gen_new(pam_context, &krb5_mcc_ops, &ccache); + krbret = krb5_cc_new_unique(pam_context, krb5_cc_type_memory, NULL, &ccache); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_cc_gen_new(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_cc_new_unique()"); retval = PAM_SERVICE_ERR; goto cleanup; } krbret = krb5_cc_initialize(pam_context, ccache, princ); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_cc_initialize(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_cc_initialize()"); retval = PAM_SERVICE_ERR; goto cleanup; } krbret = krb5_cc_store_cred(pam_context, ccache, &creds); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_cc_store_cred(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_cc_store_cred()"); krb5_cc_destroy(pam_context, ccache); retval = PAM_SERVICE_ERR; goto cleanup; @@ -406,8 +421,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f } krbret = krb5_cc_resolve(pam_context, cache_data, &ccache_temp); if (krbret != 0) { - PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", (const char *)cache_data, - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_cc_resolve(\"%s\")", (const char *)cache_data); retval = PAM_SERVICE_ERR; goto cleanup3; } @@ -479,22 +494,21 @@ pam_sm_setcred(pam_handle_t *pamh, int f /* Initialize the new ccache */ krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ); if (krbret != 0) { - PAM_LOG("Error krb5_cc_get_principal(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_cc_get_principal()"); retval = PAM_SERVICE_ERR; goto cleanup3; } krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm); if (krbret != 0) { - PAM_LOG("Error krb5_cc_resolve(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, "Error krb5_cc_resolve()"); retval = PAM_SERVICE_ERR; goto cleanup2; } krbret = krb5_cc_initialize(pam_context, ccache_perm, princ); if (krbret != 0) { - PAM_LOG("Error krb5_cc_initialize(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_cc_initialize()"); retval = PAM_SERVICE_ERR; goto cleanup2; } @@ -504,8 +518,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f /* Prepare for iteration over creds */ krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor); if (krbret != 0) { - PAM_LOG("Error krb5_cc_start_seq_get(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_cc_start_seq_get()"); krb5_cc_destroy(pam_context, ccache_perm); retval = PAM_SERVICE_ERR; goto cleanup2; @@ -518,8 +532,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f &cursor, &creds) == 0)) { krbret = krb5_cc_store_cred(pam_context, ccache_perm, &creds); if (krbret != 0) { - PAM_LOG("Error krb5_cc_store_cred(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_cc_store_cred()"); krb5_cc_destroy(pam_context, ccache_perm); krb5_free_cred_contents(pam_context, &creds); retval = PAM_SERVICE_ERR; @@ -620,8 +634,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int krbret = krb5_cc_resolve(pam_context, (const char *)ccache_name, &ccache); if (krbret != 0) { - PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", (const char *)ccache_name, - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_cc_resolve(\"%s\")", (const char *)ccache_name); krb5_free_context(pam_context); return (PAM_PERM_DENIED); } @@ -631,8 +645,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int krbret = krb5_cc_get_principal(pam_context, ccache, &princ); if (krbret != 0) { - PAM_LOG("Error krb5_cc_get_principal(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_cc_get_principal()"); retval = PAM_PERM_DENIED;; goto cleanup; } @@ -666,7 +680,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int krb5_context pam_context; krb5_creds creds; krb5_principal princ; - krb5_get_init_creds_opt opts; + krb5_get_init_creds_opt *opts; krb5_data result_code_string, result_string; int result_code, retval; const char *pass; @@ -690,15 +704,11 @@ pam_sm_chauthtok(pam_handle_t *pamh, int PAM_LOG("Context initialised"); - krb5_get_init_creds_opt_init(&opts); - - PAM_LOG("Credentials options initialised"); - /* Get principal name */ krbret = krb5_parse_name(pam_context, (const char *)user, &princ); if (krbret != 0) { - PAM_LOG("Error krb5_parse_name(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_parse_name()"); retval = PAM_USER_UNKNOWN; goto cleanup3; } @@ -707,8 +717,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int princ_name = NULL; krbret = krb5_unparse_name(pam_context, princ, &princ_name); if (krbret != 0) { - PAM_LOG("Error krb5_unparse_name(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_unparse_name()"); retval = PAM_SERVICE_ERR; goto cleanup2; } @@ -722,12 +732,25 @@ pam_sm_chauthtok(pam_handle_t *pamh, int PAM_LOG("Got password"); + /* Initialize credentials request options. */ + krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts); + if (krbret != 0) { + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_get_init_creds_opt_alloc()"); + PAM_VERBOSE_ERROR("Kerberos 5 error"); + retval = PAM_SERVICE_ERR; + goto cleanup2; + } + + PAM_LOG("Credentials options initialised"); + memset(&creds, 0, sizeof(krb5_creds)); krbret = krb5_get_init_creds_password(pam_context, &creds, princ, - pass, NULL, pamh, 0, "kadmin/changepw", &opts); + pass, NULL, pamh, 0, "kadmin/changepw", opts); + krb5_get_init_creds_opt_free(pam_context, opts); if (krbret != 0) { - PAM_LOG("Error krb5_get_init_creds_password(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_get_init_creds_password()"); retval = PAM_AUTH_ERR; goto cleanup2; } @@ -752,12 +775,12 @@ pam_sm_chauthtok(pam_handle_t *pamh, int retval = PAM_BUF_ERR; goto cleanup; } - krbret = krb5_change_password(pam_context, &creds, passdup, + krbret = krb5_set_password(pam_context, &creds, passdup, NULL, &result_code, &result_code_string, &result_string); free(passdup); if (krbret != 0) { - PAM_LOG("Error krb5_change_password(): %s", - krb5_get_err_text(pam_context, krbret)); + PAM_LOG_KRB5_ERR(pam_context, krbret, + "Error krb5_change_password()"); retval = PAM_AUTHTOK_ERR; goto cleanup; } @@ -840,11 +863,14 @@ verify_krb_v5_tgt(krb5_context context, retval = krb5_sname_to_principal(context, NULL, *service, KRB5_NT_SRV_HST, &princ); if (retval != 0) { - if (debug) + if (debug) { + const char *msg = krb5_get_error_message( + context, retval); syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", - "krb5_sname_to_principal()", - krb5_get_err_text(context, retval)); + "krb5_sname_to_principal()", msg); + krb5_free_error_message(context, msg); + } return -1; } @@ -866,11 +892,14 @@ verify_krb_v5_tgt(krb5_context context, } if (retval != 0) { /* failed to find key */ /* Keytab or service key does not exist */ - if (debug) + if (debug) { + const char *msg = krb5_get_error_message(context, + retval); syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", - "krb5_kt_read_service_key()", - krb5_get_err_text(context, retval)); + "krb5_kt_read_service_key()", msg); + krb5_free_error_message(context, msg); + } retval = 0; goto cleanup; } @@ -886,11 +915,14 @@ verify_krb_v5_tgt(krb5_context context, auth_context = NULL; /* setup for rd_req */ } if (retval) { - if (debug) + if (debug) { + const char *msg = krb5_get_error_message(context, + retval); syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", - "krb5_mk_req()", - krb5_get_err_text(context, retval)); + "krb5_mk_req()", msg); + krb5_free_error_message(context, msg); + } retval = -1; goto cleanup; } @@ -899,11 +931,14 @@ verify_krb_v5_tgt(krb5_context context, retval = krb5_rd_req(context, &auth_context, &packet, princ, NULL, NULL, NULL); if (retval) { - if (debug) + if (debug) { + const char *msg = krb5_get_error_message(context, + retval); syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", - "krb5_rd_req()", - krb5_get_err_text(context, retval)); + "krb5_rd_req()", msg); + krb5_free_error_message(context, msg); + } retval = -1; } else