Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 24 Mar 2012 01:02:03 +0000 (UTC)
From:      Stanislav Sedov <stas@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r233406 - head/lib/libpam/modules/pam_krb5
Message-ID:  <201203240102.q2O123x3002760@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: stas
Date: Sat Mar 24 01:02:03 2012
New Revision: 233406
URL: http://svn.freebsd.org/changeset/base/233406

Log:
  - Avoid using deprecated heimdal functions in pam_krb5.

Modified:
  head/lib/libpam/modules/pam_krb5/Makefile
  head/lib/libpam/modules/pam_krb5/pam_krb5.c

Modified: head/lib/libpam/modules/pam_krb5/Makefile
==============================================================================
--- head/lib/libpam/modules/pam_krb5/Makefile	Sat Mar 24 00:42:38 2012	(r233405)
+++ head/lib/libpam/modules/pam_krb5/Makefile	Sat Mar 24 01:02:03 2012	(r233406)
@@ -32,8 +32,6 @@ CFLAGS+=-D_FREEFALL_CONFIG
 WARNS?=	3
 .endif
 
-NO_WERROR=	yes
-
 DPADD=	${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBROKEN} ${LIBCOM_ERR} ${LIBCRYPT} ${LIBCRYPTO}
 LDADD=	-lkrb5 -lhx509 -lasn1 -lroken -lcom_err -lcrypt -lcrypto
 

Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.c
==============================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.c	Sat Mar 24 00:42:38 2012	(r233405)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.c	Sat Mar 24 01:02:03 2012	(r233406)
@@ -92,6 +92,13 @@ static void	compat_free_data_contents(kr
 #define PAM_OPT_NO_USER_CHECK	"no_user_check"
 #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"
 
+#define	PAM_LOG_KRB5_ERR(ctx, rv, fmt, ...)				\
+	do {								\
+		const char *krb5msg = krb5_get_error_message(ctx, rv);	\
+		PAM_LOG(fmt ": %s", ##__VA_ARGS__, krb5msg);		\
+		krb5_free_error_message(ctx, krb5msg);			\
+	} while (0)
+
 /*
  * authentication management
  */
@@ -104,7 +111,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	krb5_creds creds;
 	krb5_principal princ;
 	krb5_ccache ccache;
-	krb5_get_init_creds_opt opts;
+	krb5_get_init_creds_opt *opts;
 	struct passwd *pwd;
 	int retval;
 	const void *ccache_data;
@@ -139,13 +146,6 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 
 	PAM_LOG("Context initialised");
 
-	krb5_get_init_creds_opt_init(&opts);
-
-	if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
-		krb5_get_init_creds_opt_set_forwardable(&opts, 1);
-
-	PAM_LOG("Credentials initialised");
-
 	krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE);
 	if (krbret != 0 && krbret != KRB5_CC_TYPE_EXISTS) {
 		PAM_VERBOSE_ERROR("Kerberos 5 error");
@@ -166,8 +166,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	krbret = krb5_parse_name(pam_context, principal, &princ);
 	free(principal);
 	if (krbret != 0) {
-		PAM_LOG("Error krb5_parse_name(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret, "Error krb5_parse_name()");
 		PAM_VERBOSE_ERROR("Kerberos 5 error");
 		retval = PAM_SERVICE_ERR;
 		goto cleanup3;
@@ -179,8 +178,8 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	princ_name = NULL;
 	krbret = krb5_unparse_name(pam_context, princ, &princ_name);
 	if (krbret != 0) {
-		PAM_LOG("Error krb5_unparse_name(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_unparse_name()");
 		PAM_VERBOSE_ERROR("Kerberos 5 error");
 		retval = PAM_SERVICE_ERR;
 		goto cleanup2;
@@ -206,8 +205,8 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 			    sizeof(luser), luser);
 			if (krbret != 0) {
 				PAM_VERBOSE_ERROR("Kerberos 5 error");
-				PAM_LOG("Error krb5_aname_to_localname(): %s",
-				    krb5_get_err_text(pam_context, krbret));
+				PAM_LOG_KRB5_ERR(pam_context, krbret,
+				    "Error krb5_aname_to_localname()");
 				retval = PAM_USER_UNKNOWN;
 				goto cleanup2;
 			}
@@ -228,14 +227,30 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 		PAM_LOG("Done getpwnam()");
 	}
 
+	/* Initialize credentials request options. */
+	krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts);
+	if (krbret != 0) {
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_get_init_creds_opt_alloc()");
+		PAM_VERBOSE_ERROR("Kerberos 5 error");
+		retval = PAM_SERVICE_ERR;
+		goto cleanup2;
+	}
+
+	if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
+		krb5_get_init_creds_opt_set_forwardable(opts, 1);
+
+	PAM_LOG("Credential options initialised");
+
 	/* Get a TGT */
 	memset(&creds, 0, sizeof(krb5_creds));
 	krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
-	    pass, NULL, pamh, 0, NULL, &opts);
+	    pass, NULL, pamh, 0, NULL, opts);
+	krb5_get_init_creds_opt_free(pam_context, opts);
 	if (krbret != 0) {
 		PAM_VERBOSE_ERROR("Kerberos 5 error");
-		PAM_LOG("Error krb5_get_init_creds_password(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_get_init_creds_password()");
 		retval = PAM_AUTH_ERR;
 		goto cleanup2;
 	}
@@ -243,27 +258,27 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	PAM_LOG("Got TGT");
 
 	/* Generate a temporary cache */
-	krbret = krb5_cc_gen_new(pam_context, &krb5_mcc_ops, &ccache);
+	krbret = krb5_cc_new_unique(pam_context, krb5_cc_type_memory, NULL, &ccache);
 	if (krbret != 0) {
 		PAM_VERBOSE_ERROR("Kerberos 5 error");
-		PAM_LOG("Error krb5_cc_gen_new(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_cc_new_unique()");
 		retval = PAM_SERVICE_ERR;
 		goto cleanup;
 	}
 	krbret = krb5_cc_initialize(pam_context, ccache, princ);
 	if (krbret != 0) {
 		PAM_VERBOSE_ERROR("Kerberos 5 error");
-		PAM_LOG("Error krb5_cc_initialize(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_cc_initialize()");
 		retval = PAM_SERVICE_ERR;
 		goto cleanup;
 	}
 	krbret = krb5_cc_store_cred(pam_context, ccache, &creds);
 	if (krbret != 0) {
 		PAM_VERBOSE_ERROR("Kerberos 5 error");
-		PAM_LOG("Error krb5_cc_store_cred(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_cc_store_cred()");
 		krb5_cc_destroy(pam_context, ccache);
 		retval = PAM_SERVICE_ERR;
 		goto cleanup;
@@ -406,8 +421,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 	}
 	krbret = krb5_cc_resolve(pam_context, cache_data, &ccache_temp);
 	if (krbret != 0) {
-		PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", (const char *)cache_data,
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_cc_resolve(\"%s\")", (const char *)cache_data);
 		retval = PAM_SERVICE_ERR;
 		goto cleanup3;
 	}
@@ -479,22 +494,21 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 	/* Initialize the new ccache */
 	krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ);
 	if (krbret != 0) {
-		PAM_LOG("Error krb5_cc_get_principal(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_cc_get_principal()");
 		retval = PAM_SERVICE_ERR;
 		goto cleanup3;
 	}
 	krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm);
 	if (krbret != 0) {
-		PAM_LOG("Error krb5_cc_resolve(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret, "Error krb5_cc_resolve()");
 		retval = PAM_SERVICE_ERR;
 		goto cleanup2;
 	}
 	krbret = krb5_cc_initialize(pam_context, ccache_perm, princ);
 	if (krbret != 0) {
-		PAM_LOG("Error krb5_cc_initialize(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_cc_initialize()");
 		retval = PAM_SERVICE_ERR;
 		goto cleanup2;
 	}
@@ -504,8 +518,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 	/* Prepare for iteration over creds */
 	krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor);
 	if (krbret != 0) {
-		PAM_LOG("Error krb5_cc_start_seq_get(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_cc_start_seq_get()");
 		krb5_cc_destroy(pam_context, ccache_perm);
 		retval = PAM_SERVICE_ERR;
 		goto cleanup2;
@@ -518,8 +532,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 				&cursor, &creds) == 0)) {
 		krbret = krb5_cc_store_cred(pam_context, ccache_perm, &creds);
 		if (krbret != 0) {
-			PAM_LOG("Error krb5_cc_store_cred(): %s",
-			    krb5_get_err_text(pam_context, krbret));
+			PAM_LOG_KRB5_ERR(pam_context, krbret,
+			    "Error krb5_cc_store_cred()");
 			krb5_cc_destroy(pam_context, ccache_perm);
 			krb5_free_cred_contents(pam_context, &creds);
 			retval = PAM_SERVICE_ERR;
@@ -620,8 +634,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
 
 	krbret = krb5_cc_resolve(pam_context, (const char *)ccache_name, &ccache);
 	if (krbret != 0) {
-		PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", (const char *)ccache_name,
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_cc_resolve(\"%s\")", (const char *)ccache_name);
 		krb5_free_context(pam_context);
 		return (PAM_PERM_DENIED);
 	}
@@ -631,8 +645,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
 
 	krbret = krb5_cc_get_principal(pam_context, ccache, &princ);
 	if (krbret != 0) {
-		PAM_LOG("Error krb5_cc_get_principal(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_cc_get_principal()");
 		retval = PAM_PERM_DENIED;;
 		goto cleanup;
 	}
@@ -666,7 +680,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
 	krb5_context pam_context;
 	krb5_creds creds;
 	krb5_principal princ;
-	krb5_get_init_creds_opt opts;
+	krb5_get_init_creds_opt *opts;
 	krb5_data result_code_string, result_string;
 	int result_code, retval;
 	const char *pass;
@@ -690,15 +704,11 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
 
 	PAM_LOG("Context initialised");
 
-	krb5_get_init_creds_opt_init(&opts);
-
-	PAM_LOG("Credentials options initialised");
-
 	/* Get principal name */
 	krbret = krb5_parse_name(pam_context, (const char *)user, &princ);
 	if (krbret != 0) {
-		PAM_LOG("Error krb5_parse_name(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_parse_name()");
 		retval = PAM_USER_UNKNOWN;
 		goto cleanup3;
 	}
@@ -707,8 +717,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
 	princ_name = NULL;
 	krbret = krb5_unparse_name(pam_context, princ, &princ_name);
 	if (krbret != 0) {
-		PAM_LOG("Error krb5_unparse_name(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_unparse_name()");
 		retval = PAM_SERVICE_ERR;
 		goto cleanup2;
 	}
@@ -722,12 +732,25 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
 
 	PAM_LOG("Got password");
 
+	/* Initialize credentials request options. */
+	krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts);
+	if (krbret != 0) {
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_get_init_creds_opt_alloc()");
+		PAM_VERBOSE_ERROR("Kerberos 5 error");
+		retval = PAM_SERVICE_ERR;
+		goto cleanup2;
+	}
+
+	PAM_LOG("Credentials options initialised");
+
 	memset(&creds, 0, sizeof(krb5_creds));
 	krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
-	    pass, NULL, pamh, 0, "kadmin/changepw", &opts);
+	    pass, NULL, pamh, 0, "kadmin/changepw", opts);
+	krb5_get_init_creds_opt_free(pam_context, opts);
 	if (krbret != 0) {
-		PAM_LOG("Error krb5_get_init_creds_password(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_get_init_creds_password()");
 		retval = PAM_AUTH_ERR;
 		goto cleanup2;
 	}
@@ -752,12 +775,12 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
 		retval = PAM_BUF_ERR;
 		goto cleanup;
 	}
-	krbret = krb5_change_password(pam_context, &creds, passdup,
+	krbret = krb5_set_password(pam_context, &creds, passdup, NULL,
 	    &result_code, &result_code_string, &result_string);
 	free(passdup);
 	if (krbret != 0) {
-		PAM_LOG("Error krb5_change_password(): %s",
-		    krb5_get_err_text(pam_context, krbret));
+		PAM_LOG_KRB5_ERR(pam_context, krbret,
+		    "Error krb5_change_password()");
 		retval = PAM_AUTHTOK_ERR;
 		goto cleanup;
 	}
@@ -840,11 +863,14 @@ verify_krb_v5_tgt(krb5_context context, 
 		retval = krb5_sname_to_principal(context, NULL, *service,
 		    KRB5_NT_SRV_HST, &princ);
 		if (retval != 0) {
-			if (debug)
+			if (debug) {
+				const char *msg = krb5_get_error_message(
+				    context, retval);
 				syslog(LOG_DEBUG,
 				    "pam_krb5: verify_krb_v5_tgt(): %s: %s",
-				    "krb5_sname_to_principal()",
-				    krb5_get_err_text(context, retval));
+				    "krb5_sname_to_principal()", msg);
+				krb5_free_error_message(context, msg);
+			}
 			return -1;
 		}
 
@@ -866,11 +892,14 @@ verify_krb_v5_tgt(krb5_context context, 
 	}
 	if (retval != 0) {	/* failed to find key */
 		/* Keytab or service key does not exist */
-		if (debug)
+		if (debug) {
+			const char *msg = krb5_get_error_message(context,
+			    retval);
 			syslog(LOG_DEBUG,
 			    "pam_krb5: verify_krb_v5_tgt(): %s: %s",
-			    "krb5_kt_read_service_key()",
-			    krb5_get_err_text(context, retval));
+			    "krb5_kt_read_service_key()", msg);
+			krb5_free_error_message(context, msg);
+		}
 		retval = 0;
 		goto cleanup;
 	}
@@ -886,11 +915,14 @@ verify_krb_v5_tgt(krb5_context context, 
 		auth_context = NULL;	/* setup for rd_req */
 	}
 	if (retval) {
-		if (debug)
+		if (debug) {
+			const char *msg = krb5_get_error_message(context,
+			    retval);
 			syslog(LOG_DEBUG,
 			    "pam_krb5: verify_krb_v5_tgt(): %s: %s",
-			    "krb5_mk_req()",
-			    krb5_get_err_text(context, retval));
+			    "krb5_mk_req()", msg);
+			krb5_free_error_message(context, msg);
+		}
 		retval = -1;
 		goto cleanup;
 	}
@@ -899,11 +931,14 @@ verify_krb_v5_tgt(krb5_context context, 
 	retval = krb5_rd_req(context, &auth_context, &packet, princ, NULL,
 	    NULL, NULL);
 	if (retval) {
-		if (debug)
+		if (debug) {
+			const char *msg = krb5_get_error_message(context,
+			    retval);
 			syslog(LOG_DEBUG,
 			    "pam_krb5: verify_krb_v5_tgt(): %s: %s",
-			    "krb5_rd_req()",
-			    krb5_get_err_text(context, retval));
+			    "krb5_rd_req()", msg);
+			krb5_free_error_message(context, msg);
+		}
 		retval = -1;
 	}
 	else



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201203240102.q2O123x3002760>