Module Name: src Committed By: elric Date: Sun Apr 24 18:48:05 UTC 2011
Modified Files: src/lib/libpam/modules/pam_krb5: pam_krb5.c Log Message: Remove use of functions marked as deprecated in Heimdal. To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 src/lib/libpam/modules/pam_krb5/pam_krb5.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/lib/libpam/modules/pam_krb5/pam_krb5.c diff -u src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.23 src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.24 --- src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.23 Sat Apr 2 10:22:09 2011 +++ src/lib/libpam/modules/pam_krb5/pam_krb5.c Sun Apr 24 18:48:04 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_krb5.c,v 1.23 2011/04/02 10:22:09 mbalmer Exp $ */ +/* $NetBSD: pam_krb5.c,v 1.24 2011/04/24 18:48:04 elric Exp $ */ /*- * This pam_krb5 module contains code that is: @@ -53,7 +53,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.22 2005/01/24 16:49:50 rwatson Exp $"); #else -__RCSID("$NetBSD: pam_krb5.c,v 1.23 2011/04/02 10:22:09 mbalmer Exp $"); +__RCSID("$NetBSD: pam_krb5.c,v 1.24 2011/04/24 18:48:04 elric Exp $"); #endif #include <sys/types.h> @@ -83,6 +83,7 @@ #define COMPAT_HEIMDAL /* #define COMPAT_MIT */ +static void log_krb5(krb5_context, const char *, krb5_error_code); static int verify_krb_v5_tgt(krb5_context, krb5_ccache, char *, int); static void cleanup_cache(pam_handle_t *, void *, int); static const char *compat_princ_component(krb5_context, krb5_principal, int); @@ -111,7 +112,7 @@ krb5_creds creds; krb5_principal princ; krb5_ccache ccache; - krb5_get_init_creds_opt opts; + krb5_get_init_creds_opt *opts = NULL; struct passwd *pwd, pwres; int retval; const void *ccache_data; @@ -150,10 +151,14 @@ PAM_LOG("Context initialised"); - krb5_get_init_creds_opt_init(&opts); + krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts); + if (krbret != 0) { + PAM_VERBOSE_ERROR("Kerberos 5 error"); + return (PAM_SERVICE_ERR); + } if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE)) - krb5_get_init_creds_opt_set_forwardable(&opts, 1); + krb5_get_init_creds_opt_set_forwardable(opts, 1); if ((rtime = openpam_get_option(pamh, PAM_OPT_RENEWABLE)) != NULL) { krb5_deltat renew; @@ -169,7 +174,7 @@ else rtime = "1 month"; renew = parse_time(rtime, "s"); - krb5_get_init_creds_opt_set_renew_life(&opts, renew); + krb5_get_init_creds_opt_set_renew_life(opts, renew); } @@ -196,8 +201,7 @@ krbret = krb5_parse_name(pam_context, principal, &princ); free(principal); if (krbret != 0) { - PAM_LOG("Error krb5_parse_name(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_parse_name(): %s", krbret); PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_SERVICE_ERR; goto cleanup3; @@ -208,8 +212,7 @@ /* Now convert the principal name into something human readable */ krbret = krb5_unparse_name(pam_context, princ, &princ_name); if (krbret != 0) { - PAM_LOG("Error krb5_unparse_name(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_unparse_name(): %s", krbret); PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_SERVICE_ERR; goto cleanup2; @@ -233,8 +236,8 @@ sizeof(luser), luser); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_aname_to_localname(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, + "Error krb5_aname_to_localname(): %s", krbret); retval = PAM_USER_UNKNOWN; goto cleanup2; } @@ -257,11 +260,11 @@ /* Get a TGT */ memset(&creds, 0, sizeof(krb5_creds)); krbret = krb5_get_init_creds_password(pam_context, &creds, princ, - pass, NULL, pamh, 0, NULL, &opts); + pass, NULL, pamh, 0, NULL, opts); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_get_init_creds_password(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, + "Error krb5_get_init_creds_password(): %s", krbret); retval = PAM_AUTH_ERR; goto cleanup2; } @@ -269,27 +272,24 @@ PAM_LOG("Got TGT"); /* Generate a temporary cache */ - krbret = krb5_cc_gen_new(pam_context, &krb5_mcc_ops, &ccache); + krbret = krb5_cc_new_unique(pam_context, "MEMORY", NULL, &ccache); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_cc_gen_new(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_cc_gen_new(): %s", krbret); retval = PAM_SERVICE_ERR; goto cleanup; } krbret = krb5_cc_initialize(pam_context, ccache, princ); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_cc_initialize(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_cc_initialize(): %s", krbret); retval = PAM_SERVICE_ERR; goto cleanup; } krbret = krb5_cc_store_cred(pam_context, ccache, &creds); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_cc_store_cred(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_cc_store_cred(): %s", krbret); krb5_cc_destroy(pam_context, ccache); retval = PAM_SERVICE_ERR; goto cleanup; @@ -351,6 +351,9 @@ if (princ_name) free(princ_name); + if (opts) + krb5_get_init_creds_opt_free(pam_context, opts); + krb5_free_context(pam_context); PAM_LOG("Done cleanup3"); @@ -379,6 +382,7 @@ const void *cache_data; char *cache_name_buf = NULL, *p, *cache_name_buf2 = NULL; char pwbuf[1024]; + const char *errtxt; uid_t euid; gid_t egid; @@ -423,8 +427,15 @@ } krbret = krb5_cc_resolve(pam_context, cache_data, &ccache_temp); if (krbret != 0) { - PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", (const char *)cache_data, - krb5_get_err_text(pam_context, krbret)); + errtxt = krb5_get_error_message(pam_context, krbret); + if (errtxt != NULL) { + PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", + (const char *)cache_data, errtxt); + krb5_free_error_message(pam_context, errtxt); + } else { + PAM_LOG("Error krb5_cc_resolve(\"%s\"): %d", + (const char *)cache_data, krbret); + } retval = PAM_SERVICE_ERR; goto cleanup3; } @@ -503,23 +514,21 @@ /* Initialize the new ccache */ krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ); if (krbret != 0) { - PAM_LOG("Error krb5_cc_get_principal(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_cc_get_principal(): %s", + krbret); retval = PAM_SERVICE_ERR; goto cleanup3; } krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm); if (krbret != 0) { - PAM_LOG("Error krb5_cc_resolve(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_cc_resolve(): %s", krbret); retval = PAM_SERVICE_ERR; goto cleanup2; } krbret = krb5_cc_initialize(pam_context, ccache_perm, princ); if (krbret != 0) { - PAM_LOG("Error krb5_cc_initialize(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_cc_initialize(): %s", krbret); retval = PAM_SERVICE_ERR; goto cleanup2; } @@ -529,8 +538,8 @@ /* Prepare for iteration over creds */ krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor); if (krbret != 0) { - PAM_LOG("Error krb5_cc_start_seq_get(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_cc_start_seq_get(): %s", + krbret); krb5_cc_destroy(pam_context, ccache_perm); retval = PAM_SERVICE_ERR; goto cleanup2; @@ -544,8 +553,8 @@ krbret = krb5_cc_store_cred(pam_context, ccache_perm, &creds); if (krbret != 0) { - PAM_LOG("Error krb5_cc_store_cred(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_cc_store_cred(): %s", + krbret); krb5_cc_destroy(pam_context, ccache_perm); krb5_free_cred_contents(pam_context, &creds); retval = PAM_SERVICE_ERR; @@ -627,6 +636,7 @@ int retval; const void *user; const void *ccache_name; + const char *errtxt; retval = pam_get_item(pamh, PAM_USER, &user); if (retval != PAM_SUCCESS) @@ -650,8 +660,15 @@ krbret = krb5_cc_resolve(pam_context, (const char *)ccache_name, &ccache); if (krbret != 0) { - PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", (const char *)ccache_name, - krb5_get_err_text(pam_context, krbret)); + errtxt = krb5_get_error_message(pam_context, krbret); + if (errtxt != NULL) { + PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", + (const char *)ccache_name, errtxt); + krb5_free_error_message(pam_context, errtxt); + } else { + PAM_LOG("Error krb5_cc_resolve(\"%s\"): %d", + (const char *)ccache_name, krbret); + } krb5_free_context(pam_context); return (PAM_PERM_DENIED); } @@ -661,8 +678,8 @@ krbret = krb5_cc_get_principal(pam_context, ccache, &princ); if (krbret != 0) { - PAM_LOG("Error krb5_cc_get_principal(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_cc_get_principal(): %s", + krbret); retval = PAM_PERM_DENIED;; goto cleanup; } @@ -696,13 +713,14 @@ krb5_context pam_context; krb5_creds creds; krb5_principal princ; - krb5_get_init_creds_opt opts; + krb5_get_init_creds_opt *opts; krb5_data result_code_string, result_string; int result_code, retval; const char *pass; const void *user; char *princ_name, *passdup; char password_prompt[80]; + const char *errtxt; princ_name = NULL; if (flags & PAM_PRELIM_CHECK) { @@ -729,19 +747,22 @@ PAM_LOG("Context initialised"); - krb5_get_init_creds_opt_init(&opts); + krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts); + if (krbret != 0) { + PAM_LOG("Error krb5_init_context() failed"); + return (PAM_SERVICE_ERR); + } - krb5_get_init_creds_opt_set_tkt_life(&opts, 300); - krb5_get_init_creds_opt_set_forwardable(&opts, FALSE); - krb5_get_init_creds_opt_set_proxiable(&opts, FALSE); + krb5_get_init_creds_opt_set_tkt_life(opts, 300); + krb5_get_init_creds_opt_set_forwardable(opts, FALSE); + krb5_get_init_creds_opt_set_proxiable(opts, FALSE); PAM_LOG("Credentials options initialised"); /* Get principal name */ krbret = krb5_parse_name(pam_context, (const char *)user, &princ); if (krbret != 0) { - PAM_LOG("Error krb5_parse_name(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_parse_name(): %s", krbret); retval = PAM_USER_UNKNOWN; goto cleanup3; } @@ -749,8 +770,7 @@ /* Now convert the principal name into something human readable */ krbret = krb5_unparse_name(pam_context, princ, &princ_name); if (krbret != 0) { - PAM_LOG("Error krb5_unparse_name(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, "Error krb5_unparse_name(): %s", krbret); retval = PAM_SERVICE_ERR; goto cleanup2; } @@ -768,10 +788,10 @@ memset(&creds, 0, sizeof(krb5_creds)); krbret = krb5_get_init_creds_password(pam_context, &creds, princ, - pass, NULL, pamh, 0, "kadmin/changepw", &opts); + pass, NULL, pamh, 0, "kadmin/changepw", opts); if (krbret != 0) { - PAM_LOG("Error krb5_get_init_creds_password(): %s", - krb5_get_err_text(pam_context, krbret)); + log_krb5(pam_context, + "Error krb5_get_init_creds_password(): %s", krbret); retval = PAM_AUTH_ERR; goto cleanup2; } @@ -800,12 +820,17 @@ krb5_data_zero(&result_code_string); krb5_data_zero(&result_string); - krbret = krb5_change_password(pam_context, &creds, passdup, + krbret = krb5_set_password(pam_context, &creds, passdup, princ, &result_code, &result_code_string, &result_string); free(passdup); if (krbret != 0) { - pam_error(pamh, "Unable to set password: %s", - krb5_get_err_text(pam_context, krbret)); + errtxt = krb5_get_error_message(pam_context, krbret); + if (errtxt != NULL) { + pam_error(pamh, "Unable to set password: %s", errtxt); + krb5_free_error_message(pam_context, errtxt); + } else { + pam_error(pamh, "Unable to set password: %d", krbret); + } retval = PAM_AUTHTOK_ERR; goto cleanup; } @@ -833,6 +858,9 @@ if (princ_name) free(princ_name); + if (opts) + krb5_get_init_creds_opt_free(pam_context, opts); + krb5_free_context(pam_context); PAM_LOG("Done cleanup3"); @@ -842,6 +870,20 @@ PAM_MODULE_ENTRY("pam_krb5"); +static void +log_krb5(krb5_context ctx, const char *fmt, krb5_error_code err) +{ + const char *errtxt; + + errtxt = krb5_get_error_message(ctx, err); + if (errtxt != NULL) { + PAM_LOG(fmt, errtxt); + krb5_free_error_message(ctx, errtxt); + } else { + PAM_LOG(fmt, "unknown"); + } +} + /* * This routine with some modification is from the MIT V5B6 appl/bsd/login.c * Modified by Sam Hartman <hartm...@mit.edu> to support PAM services @@ -869,6 +911,7 @@ char phost[BUFSIZ]; const char *services[3], **service; struct syslog_data data = SYSLOG_DATA_INIT; + const char *errtxt; packet.data = 0; @@ -892,14 +935,22 @@ for (service = &services[0]; *service != NULL; service++) { retval = krb5_sname_to_principal(context, NULL, *service, KRB5_NT_SRV_HST, &princ); - if (retval != 0) { - if (debug) + if (retval != 0 && debug) { + errtxt = krb5_get_error_message(context, + retval); + if (errtxt != NULL) { syslog_r(LOG_DEBUG, &data, "pam_krb5: verify_krb_v5_tgt(): %s: %s", - "krb5_sname_to_principal()", - krb5_get_err_text(context, retval)); - return -1; + "krb5_sname_to_principal()", errtxt); + krb5_free_error_message(context, errtxt); + } else { + syslog_r(LOG_DEBUG, &data, + "pam_krb5: verify_krb_v5_tgt(): %s: %d", + "krb5_sname_to_principal()", retval); + } } + if (retval != 0) + return -1; /* Extract the name directly. */ strncpy(phost, compat_princ_component(context, princ, 1), @@ -919,11 +970,19 @@ } if (retval != 0) { /* failed to find key */ /* Keytab or service key does not exist */ - if (debug) - syslog_r(LOG_DEBUG, &data, - "pam_krb5: verify_krb_v5_tgt(): %s: %s", - "krb5_kt_read_service_key()", - krb5_get_err_text(context, retval)); + if (debug) { + errtxt = krb5_get_error_message(context, retval); + if (errtxt != NULL) { + syslog_r(LOG_DEBUG, &data, + "pam_krb5: verify_krb_v5_tgt(): %s: %s", + "krb5_kt_read_service_key()", errtxt); + krb5_free_error_message(context, errtxt); + } else { + syslog_r(LOG_DEBUG, &data, + "pam_krb5: verify_krb_v5_tgt(): %s: %d", + "krb5_kt_read_service_key()", retval); + } + } retval = 0; goto cleanup; } @@ -939,11 +998,19 @@ auth_context = NULL; /* setup for rd_req */ } if (retval) { - if (debug) - syslog_r(LOG_DEBUG, &data, - "pam_krb5: verify_krb_v5_tgt(): %s: %s", - "krb5_mk_req()", - krb5_get_err_text(context, retval)); + if (debug) { + errtxt = krb5_get_error_message(context, retval); + if (errtxt != NULL) { + syslog_r(LOG_DEBUG, &data, + "pam_krb5: verify_krb_v5_tgt(): %s: %s", + "krb5_mk_req()", errtxt); + krb5_free_error_message(context, errtxt); + } else { + syslog_r(LOG_DEBUG, &data, + "pam_krb5: verify_krb_v5_tgt(): %s: %d", + "krb5_mk_req()", retval); + } + } retval = -1; goto cleanup; } @@ -952,11 +1019,19 @@ retval = krb5_rd_req(context, &auth_context, &packet, princ, NULL, NULL, NULL); if (retval) { - if (debug) - syslog_r(LOG_DEBUG, &data, - "pam_krb5: verify_krb_v5_tgt(): %s: %s", - "krb5_rd_req()", - krb5_get_err_text(context, retval)); + if (debug) { + errtxt = krb5_get_error_message(context, retval); + if (errtxt != NULL) { + syslog_r(LOG_DEBUG, &data, + "pam_krb5: verify_krb_v5_tgt(): %s: %s", + "krb5_rd_req()", errtxt); + krb5_free_error_message(context, errtxt); + } else { + syslog_r(LOG_DEBUG, &data, + "pam_krb5: verify_krb_v5_tgt(): %s: %d", + "krb5_rd_req()", retval); + } + } retval = -1; } else