authordjm <djm@openbsd.org>2013-07-20 01:55:13 +0000
committerdjm <djm@openbsd.org>2013-07-20 01:55:13 +0000
commitc21abc57e047d3125addb78e779182a88455781e (patch)
tree94c67ae671f70cb0a94d612d0b5f9f0c64b90912
parentcall cleanup_handler on SIGINT when in debug mode to ensure sockets (diff)
fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@
-rw-r--r--usr.bin/ssh/auth-krb5.c19
-rw-r--r--usr.bin/ssh/gss-serv-krb5.c28
-rw-r--r--usr.bin/ssh/gss-serv.c4
-rw-r--r--usr.bin/ssh/ssh/Makefile5
-rw-r--r--usr.bin/ssh/sshd/Makefile7
5 files changed, 39 insertions, 24 deletions
diff --git a/usr.bin/ssh/auth-krb5.c b/usr.bin/ssh/auth-krb5.c
index 94dff9f87de..8305e0ce44d 100644
--- a/usr.bin/ssh/auth-krb5.c
+++ b/usr.bin/ssh/auth-krb5.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
/*
* Kerberos v5 authentication and ticket-passing routines.
*
@@ -69,6 +69,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
{
krb5_error_code problem;
krb5_ccache ccache = NULL;
+ const char *errmsg;
temporarily_use_uid(authctxt->pw);
@@ -81,7 +82,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
if (problem)
goto out;
- problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
+ problem = krb5_cc_new_unique(authctxt->krb5_ctx,
+ krb5_mcc_ops.prefix, NULL, &ccache);
if (problem)
goto out;
@@ -100,8 +102,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
if (problem)
goto out;
- problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
- &authctxt->krb5_fwd_ccache);
+ problem = krb5_cc_new_unique(authctxt->krb5_ctx,
+ krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
if (problem)
goto out;
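Review bot: The file cache created here for `authctxt->krb5_fwd_ccache` is now named entirely by the library, because the hint argument is `NULL`, and nothing beside the call says what the code expects about the file's location, mode or owner. `temporarily_use_uid(authctxt->pw)` appears earlier in the function, but whether that uid switch is still in effect at this call is not visible in the hunk. I would add a comment above the call such as `/* File ccache: name and mode are chosen by libkrb5; must be created while running as authctxt->pw so the ticket file is owned by the user. */`, adjusted to whatever the surrounding code actually guarantees. The body of auth_krb5_password continues outside the hunk.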
@@ -122,10 +124,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
if (ccache)
krb5_cc_destroy(authctxt->krb5_ctx, ccache);
- if (authctxt->krb5_ctx != NULL)
+ if (authctxt->krb5_ctx != NULL) {
+ errmsg = krb5_get_error_message(authctxt->krb5_ctx,
+ problem);
debug("Kerberos password authentication failed: %s",
- krb5_get_err_text(authctxt->krb5_ctx, problem));
- else
+ errmsg);
+ krb5_free_error_message(authctxt->krb5_ctx, errmsg);
+ } else
debug("Kerberos password authentication failed: %d",
problem);
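Review bot: `errmsg` goes straight into the `%s` of `debug()` with no NULL check, and as far as I recall Heimdal's `krb5_get_error_message()` can return NULL when it cannot allocate the message. A guarded argument keeps the failure path predictable: `errmsg != NULL ? errmsg : "unknown error"`. The same get/log/free sequence is added in gss-serv-krb5.c, once in ssh_gssapi_krb5_userok and three times in ssh_gssapi_krb5_storecreds, where it feeds `logit("...%.100s", errmsg)`. Separately, the new `} else` leaves a braced `if` paired with an unbraced `else`; bracing both arms would read more safely. The `out:` cleanup path this belongs to starts outside the hunk.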
diff --git a/usr.bin/ssh/gss-serv-krb5.c b/usr.bin/ssh/gss-serv-krb5.c
index 4cc6073381c..530216bf25f 100644
--- a/usr.bin/ssh/gss-serv-krb5.c
+++ b/usr.bin/ssh/gss-serv-krb5.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -39,6 +39,7 @@
#include "ssh-gss.h"
#include <krb5.h>
+#include <gssapi/gssapi_krb5.h>
static krb5_context krb_context = NULL;
@@ -72,14 +73,16 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
{
krb5_principal princ;
int retval;
+ const char *errmsg;
if (ssh_gssapi_krb5_init() == 0)
return 0;
if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
&princ))) {
- logit("krb5_parse_name(): %.100s",
- krb5_get_err_text(krb_context, retval));
+ errmsg = krb5_get_error_message(krb_context, retval);
+ logit("krb5_parse_name(): %.100s", errmsg);
+ krb5_free_error_message(krb_context, errmsg);
return 0;
}
if (krb5_kuserok(krb_context, princ, name)) {
@@ -104,6 +107,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
krb5_error_code problem;
krb5_principal princ;
OM_uint32 maj_status, min_status;
+ const char *errmsg;
if (client->creds == NULL) {
debug("No credentials stored");
@@ -113,23 +117,27 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
if (ssh_gssapi_krb5_init() == 0)
return;
- if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
- logit("krb5_cc_gen_new(): %.100s",
- krb5_get_err_text(krb_context, problem));
+ if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
+ NULL, &ccache)) != 0) {
+ errmsg = krb5_get_error_message(krb_context, problem);
+ logit("krb5_cc_new_unique(): %.100s", errmsg);
+ krb5_free_error_message(krb_context, errmsg);
return;
}
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
- logit("krb5_parse_name(): %.100s",
- krb5_get_err_text(krb_context, problem));
+ errmsg = krb5_get_error_message(krb_context, problem);
+ logit("krb5_parse_name(): %.100s", errmsg);
+ krb5_free_error_message(krb_context, errmsg);
krb5_cc_destroy(krb_context, ccache);
return;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
- logit("krb5_cc_initialize(): %.100s",
- krb5_get_err_text(krb_context, problem));
+ errmsg = krb5_get_error_message(krb_context, problem);
+ logit("krb5_cc_initialize(): %.100s", errmsg);
+ krb5_free_error_message(krb_context, errmsg);
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
return;
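Review bot: The three-line get/log/free sequence is written out three times in this hunk and once more in ssh_gssapi_krb5_userok, so a forgotten `krb5_free_error_message()` or a mismatched function name in the log string is easy to introduce the next time an error path is added. A small file-local helper taking the call name and the error code would keep the log text identical and give one place to handle a NULL message. The first check in the hunk also compares with `!= 0` while the two below it rely on the bare assignment; one form throughout would be tidier. ssh_gssapi_krb5_storecreds begins and ends outside the hunk.

```c
/* Log a Kerberos error for the named call and release the message. */
static void
ssh_gssapi_krb5_logerr(const char *what, krb5_error_code code)
{
	const char *errmsg = krb5_get_error_message(krb_context, code);

	logit("%s: %.100s", what, errmsg != NULL ? errmsg : "unknown error");
	if (errmsg != NULL)
		krb5_free_error_message(krb_context, errmsg);
}

/* … unchanged: credential check and ssh_gssapi_krb5_init() … */
	if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
	    NULL, &ccache)) != 0) {
		ssh_gssapi_krb5_logerr("krb5_cc_new_unique()", problem);
		return;
	}
/* … unchanged: krb5_parse_name and krb5_cc_initialize checks, each logging through the helper … */
```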
diff --git a/usr.bin/ssh/gss-serv.c b/usr.bin/ssh/gss-serv.c
index 1bbc988a69f..cc7e4260d5c 100644
--- a/usr.bin/ssh/gss-serv.c
+++ b/usr.bin/ssh/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -46,7 +46,7 @@
static ssh_gssapi_client gssapi_client =
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
+ GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
ssh_gssapi_mech gssapi_null_mech =
{ NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
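Review bot: The nested `{NULL, NULL, NULL, NULL}` is a positional initializer that has to be kept in step by hand with the member count of the credential-store struct, which is declared outside this commit (presumably in ssh-gss.h). Since every member is being set to NULL, a comment naming the struct it mirrors would make the next mismatch easier to spot, for example `/* store: one NULL per member of the ccache struct in ssh-gss.h */`. `gssapi_null_mech` just below uses the same positional style and would benefit from the same treatment.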
diff --git a/usr.bin/ssh/ssh/Makefile b/usr.bin/ssh/ssh/Makefile
index 828384d0115..530993d121c 100644
--- a/usr.bin/ssh/ssh/Makefile
+++ b/usr.bin/ssh/ssh/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.61 2013/07/02 13:32:38 markus Exp $
+# $OpenBSD: Makefile,v 1.62 2013/07/20 01:55:13 djm Exp $
.PATH: ${.CURDIR}/..
@@ -17,6 +17,7 @@ SRCS= ssh.c readconf.c clientloop.c sshtty.c \
roaming_common.c roaming_client.c
.include <bsd.own.mk>
+
KERBEROS5=no
.if (${KERBEROS5:L} == "yes")
@@ -27,7 +28,7 @@ CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV -DGSSAPI
.if (${KERBEROS5:L} == "yes")
DPADD+= ${LIBGSSAPI} ${LIBKRB5}
-LDADD+= -lgssapi -lkrb5 -lhx509 -lasn1 -lheimntlm
+LDADD+= -lgssapi -lkrb5 -lasn1
LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase
.endif # KERBEROS5
diff --git a/usr.bin/ssh/sshd/Makefile b/usr.bin/ssh/sshd/Makefile
index 72ef5da3a42..8d240c5d43c 100644
--- a/usr.bin/ssh/sshd/Makefile
+++ b/usr.bin/ssh/sshd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.77 2013/07/02 13:32:38 markus Exp $
+# $OpenBSD: Makefile,v 1.78 2013/07/20 01:55:13 djm Exp $
.PATH: ${.CURDIR}/..
@@ -19,6 +19,7 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
roaming_common.c roaming_serv.c sandbox-systrace.c
.include <bsd.own.mk> # for KERBEROS and AFS
+
KERBEROS5=no
.if (${KERBEROS5:L} == "yes")
@@ -29,8 +30,8 @@ SRCS+= auth-krb5.c auth2-gss.c gss-serv.c gss-serv-krb5.c
.include <bsd.prog.mk>
.if (${KERBEROS5:L} == "yes")
-LDADD+= -lgssapi -lkrb5 -lhx509 -lasn1 -lheimntlm
-LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase -lkafs
+LDADD+= -lgssapi -lkrb5 -lasn1
+LDADD+= -lwind -lroken -lcom_err -lpthread -lheimbase -lkafs5
DPADD+= ${LIBGSSAPI} ${LIBKRB5}
.endif