Hello community,
here is the log from the commit of package krb5-plugin-preauth-pkinit-nss for openSUSE:Factory
checked in at Fri Mar 5 12:03:16 CET 2010.
--------
--- krb5-plugin-preauth-pkinit-nss/krb5-plugin-preauth-pkinit-nss.changes 2009-07-27 10:12:52.000000000 +0200
+++ /mounts/work_src_done/STABLE/krb5-plugin-preauth-pkinit-nss/krb5-plugin-preauth-pkinit-nss.changes 2010-03-04 11:15:56.000000000 +0100
@@ -1,0 +2,5 @@
+Thu Mar 4 11:15:39 CET 2010 - mc@suse.de
+
+- add support for krb5 1.8
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
New:
----
support-1-8.dif
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ krb5-plugin-preauth-pkinit-nss.spec ++++++
--- /var/tmp/diff_new_pack.E3D73u/_old 2010-03-05 12:02:23.000000000 +0100
+++ /var/tmp/diff_new_pack.E3D73u/_new 2010-03-05 12:02:23.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package krb5-plugin-preauth-pkinit-nss (Version 0.7.8)
#
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -20,10 +20,10 @@
Name: krb5-plugin-preauth-pkinit-nss
Version: 0.7.8
-Release: 1
+Release: 2
BuildRequires: keyutils-devel krb5-devel >= 1.6.1 mozilla-nss-devel >= 3.11.2 pkgconfig
Summary: MIT Kerberos5 Implementation--PKINIT preauth Plugin
-License: LGPL v2.1 or later
+License: LGPLv2.1+
Group: Productivity/Networking/Security
Provides: pkinit-nss
Obsoletes: pkinit-nss
@@ -31,6 +31,7 @@
Source: pkinit-nss-%{version}-1.tar.bz2
Patch0: pkinit-nss-0.6.1-match-default-realms.patch
Patch1: pkinit-nss-0.7.2-1-documentation.dif
+Patch2: support-1-8.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -47,6 +48,7 @@
%setup -q -n pkinit-nss-%{version}-1
%patch0
%patch1
+%patch2 -p1
%build
#autoreconf -i -f
++++++ pkinit-nss-0.6.1-match-default-realms.patch ++++++
--- /var/tmp/diff_new_pack.E3D73u/_old 2010-03-05 12:02:23.000000000 +0100
+++ /var/tmp/diff_new_pack.E3D73u/_new 2010-03-05 12:02:23.000000000 +0100
@@ -2,7 +2,7 @@
===================================================================
--- src/certs.c.orig
+++ src/certs.c
-@@ -1334,6 +1334,92 @@ cert_eku_matches_eku_for_realm(struct mo
+@@ -1369,6 +1369,92 @@ cert_eku_matches_eku_for_realm(struct mo
return status;
}
@@ -95,7 +95,7 @@
/* Check if the certificate subjectAltName UPN value matches the principal. */
static SECStatus
cert_san_matches_upn(struct module_context *mcontext, CERTCertificate *cert,
-@@ -1342,7 +1428,7 @@ cert_san_matches_upn(struct module_conte
+@@ -1377,7 +1463,7 @@ cert_san_matches_upn(struct module_conte
{
struct subject_alt_name **names;
SECItem san_value, unparsed_name, ms_upn_name;
@@ -104,7 +104,7 @@
int i;
i = 0;
-@@ -1376,6 +1462,11 @@ cert_san_matches_upn(struct module_conte
+@@ -1411,6 +1497,11 @@ cert_san_matches_upn(struct module_conte
unparsed_name.data = (unsigned char *) unparsed;
unparsed_name.len = strlen(unparsed);
@@ -116,7 +116,7 @@
/* Iterate over all of the values. */
*matches = PR_FALSE;
for (i = 0; (names != NULL) && (names[i] != NULL) && !(*matches); i++) {
-@@ -1392,12 +1483,11 @@ cert_san_matches_upn(struct module_conte
+@@ -1427,12 +1518,11 @@ cert_san_matches_upn(struct module_conte
ms_upn_name_template,
&names[i]->subject_alt_name_value.other_name.data) == SECSuccess) {
/* And it matches, then we're okay. */
++++++ support-1-8.dif ++++++
Index: pkinit-nss-0.7.8-1/backport-1.8/krb5/preauth_plugin.h
===================================================================
--- /dev/null
+++ pkinit-nss-0.7.8-1/backport-1.8/krb5/preauth_plugin.h
@@ -0,0 +1,525 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ *
+ *
+ * Copyright (c) 2006 Red Hat, Inc.
+ * Portions copyright (c) 2006 Massachusetts Institute of Technology
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Preauthentication plugin definitions for Kerberos 5.
+ */
+
+#ifndef KRB5_PREAUTH_PLUGIN_H_INCLUDED
+#define KRB5_PREAUTH_PLUGIN_H_INCLUDED
+#include
+
+/*
+ * While arguments of these types are passed-in, for the most part a preauth
+ * module can treat them as opaque. If we need keying data, we can ask for
+ * it directly.
+ */
+struct _krb5_db_entry_new;
+struct _krb5_key_data;
+struct _krb5_preauth_client_rock;
+
+/*
+ * Preauth mechanism property flags, unified from previous definitions in the
+ * KDC and libkrb5 sources.
+ */
+
+/* Provides a real answer which we can send back to the KDC (client-only). The
+ * client assumes that one real answer will be enough. */
+#define PA_REAL 0x00000001
+
+/* Doesn't provide a real answer, but must be given a chance to run before any
+ * REAL mechanism callbacks (client-only). */
+#define PA_INFO 0x00000002
+
+/* Causes the KDC to include this mechanism in a list of supported preauth
+ * types if the user's DB entry flags the user as requiring hardware-based
+ * preauthentication (server-only). */
+#define PA_HARDWARE 0x00000004
+
+/* Causes the KDC to include this mechanism in a list of supported preauth
+ * types if the user's DB entry flags the user as requiring preauthentication,
+ * and to fail preauthentication if we can't verify the client data. The
+ * flipside of PA_SUFFICIENT (server-only). */
+#define PA_REQUIRED 0x00000008
+
+/* Causes the KDC to include this mechanism in a list of supported preauth
+ * types if the user's DB entry flags the user as requiring preauthentication,
+ * and to mark preauthentication as successful if we can verify the client
+ * data. The flipside of PA_REQUIRED (server-only). */
+#define PA_SUFFICIENT 0x00000010
+
+/* Marks this preauthentication mechanism as one which changes the key which is
+ * used for encrypting the response to the client. Modules which have this
+ * flag have their server_return_proc called before modules which do not, and
+ * are passed over if a previously-called module has modified the encrypting
+ * key (server-only). */
+#define PA_REPLACES_KEY 0x00000020
+
+/* Causes the KDC to check with this preauthentication module even if the
+ * client has no entry in the realm database. If the module returns a success
+ * code, continue processing and assume that its return_padata callback will
+ * supply us with a key for encrypting the AS reply (server-only). */
+/* #define PA_VIRTUAL (0x00000040 | PA_REPLACES_KEY) */
+
+/* Not really a padata type, so don't include it in any list of preauth types
+ * which gets sent over the wire. */
+#define PA_PSEUDO 0x00000080
+
+
+/***************************************************************************
+ *
+ * Client-side preauthentication plugin interface definition.
+ *
+ ***************************************************************************/
+
+/*
+ * A callback which will obtain the user's long-term AS key by prompting the
+ * user for the password, then salting it properly, and so on. For the moment,
+ * it's identical to the get_as_key callback used inside of libkrb5, but we
+ * define a new typedef here instead of making the existing one public to
+ * isolate ourselves from potential future changes.
+ */
+typedef krb5_error_code
+(*preauth_get_as_key_proc)(krb5_context,
+ krb5_principal,
+ krb5_enctype,
+ krb5_prompter_fct,
+ void *prompter_data,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_keyblock *as_key,
+ void *gak_data);
+
+/*
+ * A client module's callback functions are allowed to request various
+ * information to enable it to process a request.
+ */
+enum krb5plugin_preauth_client_request_type {
+ /* The returned krb5_data item holds the enctype expected to be used to encrypt the
+ * encrypted portion of the AS_REP packet. When handling a
+ * PREAUTH_REQUIRED error, this typically comes from etype-info2.
+ * When handling an AS reply, it is initialized from the AS reply itself.*/
+ krb5plugin_preauth_client_get_etype = 1,
+ /* Free the data returned from krb5plugin_preauth_client_req_get_etype */
+ krb5plugin_preauth_client_free_etype = 2,
+ /* The returned krb5_data contains the FAST armor key in a
+ * krb5_keyblock. Returns success with a NULL data item in the
+ * krb5_data if the client library supports FAST but is not using it.*/
+ krb5plugin_preauth_client_fast_armor = 3,
+ /* Frees return from KRB5PLUGIN_PREAUTH_CLIENT_FAST_ARMOR. It is
+ * acceptable to set data to NULL and free the keyblock using
+ * krb5_free_keyblock; in that case, this frees the krb5_data
+ * only.*/
+ krb5plugin_preauth_client_free_fast_armor = 4
+};
+typedef krb5_error_code
+(*preauth_get_client_data_proc)(krb5_context,
+ struct _krb5_preauth_client_rock *,
+ krb5_int32 request_type,
+ krb5_data **);
+
+/* Per-plugin initialization/cleanup. The init function is called
+ * by libkrb5 when the plugin is loaded, and the fini function is
+ * called before the plugin is unloaded. Both are optional and
+ * may be called multiple times in case the plugin is used in
+ * multiple contexts. The returned context lives the lifetime of
+ * the krb5_context */
+typedef krb5_error_code
+(*preauth_client_plugin_init_proc)(krb5_context context,
+ void **plugin_context);
+typedef void
+(*preauth_client_plugin_fini_proc)(krb5_context context,
+ void *plugin_context);
+
+/* A callback which returns flags indicating if the module is a "real" or
+ * an "info" mechanism, and so on. This function is called for each entry
+ * in the client_pa_type_list. */
+typedef int
+(*preauth_client_get_flags_proc)(krb5_context context,
+ krb5_preauthtype pa_type);
+
+/* Per-request initialization/cleanup. The request_init function is
+ * called when beginning to process a get_init_creds request and the
+ * request_fini function is called when processing of the request is
+ * complete. This is optional. It may be called multiple times in
+ * the lifetime of a krb5_context. */
+typedef void
+(*preauth_client_request_init_proc)(krb5_context context,
+ void *plugin_context,
+ void **request_context);
+typedef void
+(*preauth_client_request_fini_proc)(krb5_context context,
+ void *plugin_context,
+ void *request_context);
+
+/* Client function which processes server-supplied data in pa_data,
+ * returns created data in out_pa_data, storing any of its own state in
+ * client_context if data for the associated preauthentication type is
+ * needed. It is also called after the AS-REP is received if the AS-REP
+ * includes preauthentication data of the associated type.
+ * NOTE! the encoded_previous_request will be NULL the first time this
+ * function is called, because it is expected to only ever contain the data
+ * obtained from a previous call to this function. */
+typedef krb5_error_code
+(*preauth_client_process_proc)(krb5_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_get_init_creds_opt *opt,
+ preauth_get_client_data_proc get_data_proc,
+ struct _krb5_preauth_client_rock *rock,
+ krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request,
+ krb5_pa_data *pa_data,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ preauth_get_as_key_proc gak_fct,
+ void *gak_data,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_keyblock *as_key,
+ krb5_pa_data ***out_pa_data);
+
+/* Client function which can attempt to use e-data in the error response to
+ * try to recover from the given error. If this function is not NULL, and
+ * it stores data in out_pa_data which is different data from the contents
+ * of in_pa_data, then the client library will retransmit the request. */
+typedef krb5_error_code
+(*preauth_client_tryagain_proc)(krb5_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_get_init_creds_opt *opt,
+ preauth_get_client_data_proc get_data_proc,
+ struct _krb5_preauth_client_rock *rock,
+ krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request,
+ krb5_pa_data *in_pa_data,
+ krb5_error *error,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ preauth_get_as_key_proc gak_fct,
+ void *gak_data,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_keyblock *as_key,
+ krb5_pa_data ***out_pa_data);
+
+/*
+ * Client function which receives krb5_get_init_creds_opt information.
+ * The attr and value information supplied should be copied locally by
+ * the module if it wishes to reference it after returning from this call.
+ */
+typedef krb5_error_code
+(*preauth_client_supply_gic_opts_proc)(krb5_context context,
+ void *plugin_context,
+ krb5_get_init_creds_opt *opt,
+ const char *attr,
+ const char *value);
+
+/*
+ * The function table / structure which a preauth client module must export as
+ * "preauthentication_client_0". If the interfaces work correctly, future
+ * versions of the table will add either more callbacks or more arguments to
+ * callbacks, and in both cases we'll be able to wrap the v0 functions.
+ */
+typedef struct krb5plugin_preauth_client_ftable_v1 {
+ /* Not-usually-visible name. */
+ char *name;
+
+ /* Pointer to zero-terminated list of pa_types which this module can
+ * provide services for. */
+ krb5_preauthtype *pa_type_list;
+
+ /* Pointer to zero-terminated list of enc_types which this module claims
+ * to add support for. */
+ krb5_enctype *enctype_list;
+
+ /* Per-plugin initialization/cleanup. The init function is called
+ * by libkrb5 when the plugin is loaded, and the fini function is
+ * called before the plugin is unloaded. Both are optional and
+ * may be called multiple times in case the plugin is used in
+ * multiple contexts. The returned context lives the lifetime of
+ * the krb5_context */
+ preauth_client_plugin_init_proc init;
+ preauth_client_plugin_fini_proc fini;
+
+ /* A callback which returns flags indicating if the module is a "real" or
+ * an "info" mechanism, and so on. This function is called for each entry
+ * in the client_pa_type_list. */
+ preauth_client_get_flags_proc flags;
+
+ /* Per-request initialization/cleanup. The request_init function is
+ * called when beginning to process a get_init_creds request and the
+ * request_fini function is called when processing of the request is
+ * complete. This is optional. It may be called multiple times in
+ * the lifetime of a krb5_context. */
+ preauth_client_request_init_proc request_init;
+ preauth_client_request_fini_proc request_fini;
+
+ /* Client function which processes server-supplied data in pa_data,
+ * returns created data in out_pa_data, storing any of its own state in
+ * client_context if data for the associated preauthentication type is
+ * needed. It is also called after the AS-REP is received if the AS-REP
+ * includes preauthentication data of the associated type.
+ * NOTE! the encoded_previous_request will be NULL the first time this
+ * function is called, because it is expected to only ever contain the data
+ * obtained from a previous call to this function. */
+ preauth_client_process_proc process;
+
+ /* Client function which can attempt to use e-data in the error response to
+ * try to recover from the given error. If this function is not NULL, and
+ * it stores data in out_pa_data which is different data from the contents
+ * of in_pa_data, then the client library will retransmit the request. */
+ preauth_client_tryagain_proc tryagain;
+
+ /*
+ * Client function which receives krb5_get_init_creds_opt information.
+ * The attr and value information supplied should be copied locally by
+ * the module if it wishes to reference it after returning from this call.
+ */
+ preauth_client_supply_gic_opts_proc gic_opts;
+
+} krb5plugin_preauth_client_ftable_v1;
+
+
+/***************************************************************************
+ *
+ * Server-side preauthentication plugin interface definition.
+ *
+ ***************************************************************************/
+
+/*
+ * A server module's callback functions are allowed to request specific types
+ * of information about the given client or server record or request, even
+ * though the database records themselves are opaque to the module.
+ */
+enum krb5plugin_preauth_entry_request_type {
+ /* The returned krb5_data item holds a DER-encoded X.509 certificate. */
+ krb5plugin_preauth_entry_request_certificate = 1,
+ /* The returned krb5_data_item holds a krb5_deltat. */
+ krb5plugin_preauth_entry_max_time_skew = 2,
+ /* The returned krb5_data_item holds an array of krb5_keyblock structures,
+ * terminated by an entry with key type = 0.
+ * Each keyblock should have its contents freed in turn, and then the data
+ * item itself should be freed. */
+ krb5plugin_preauth_keys = 3,
+ /* The returned krb5_data_item holds the request structure, re-encoded
+ * using DER. Unless the client implementation is the same as the server
+ * implementation, there's a good chance that the result will not match
+ * what the client sent, so don't go creating any fatal errors if it
+ * doesn't match up. */
+ krb5plugin_preauth_request_body = 4,
+ /* The returned krb5_data contains a krb5_keyblock with the FAST
+ armor key. The data member is NULL if this method is not part
+ of a FAST tunnel */
+ krb5plugin_preauth_fast_armor = 5,
+ /* Frees a fast armor key; it is acceptable to set data to NULL
+ and free the keyblock using krb5_free_keyblock; in that case,
+ this function simply frees the data*/
+ krb5plugin_preauth_free_fast_armor = 6
+};
+
+typedef krb5_error_code
+(*preauth_get_entry_data_proc)(krb5_context,
+ krb5_kdc_req *,
+ struct _krb5_db_entry_new *,
+ krb5_int32 request_type,
+ krb5_data **);
+
+/* Preauth plugin initialization function */
+typedef krb5_error_code
+(*preauth_server_init_proc)(krb5_context context,
+ void **plugin_context,
+ const char** realmnames);
+
+/* Preauth plugin cleanup function */
+typedef void
+(*preauth_server_fini_proc)(krb5_context context, void *plugin_context);
+
+/* Return the flags which the KDC should use for this module. This is a
+ * callback instead of a static value because the module may or may not
+ * wish to count itself as a hardware preauthentication module (in other
+ * words, the flags may be affected by the configuration, for example if a
+ * site administrator can force a particular preauthentication type to be
+ * supported using only hardware). This function is called for each entry
+ * entry in the server_pa_type_list. */
+typedef int
+(*preauth_server_flags_proc)(krb5_context context, krb5_preauthtype patype);
+
+/* Get preauthentication data to send to the client as part of the "you
+ * need to use preauthentication" error. The module doesn't need to
+ * actually provide data if the protocol doesn't require it, but it should
+ * return either zero or non-zero to control whether its padata type is
+ * included in the list which is sent back to the client. Is not allowed
+ * to create a context because we have no guarantee that the client will
+ * ever call again (or that it will hit this server if it does), in which
+ * case a context might otherwise hang around forever. */
+typedef krb5_error_code
+(*preauth_server_edata_proc)(krb5_context,
+ krb5_kdc_req *request,
+ struct _krb5_db_entry_new *client,
+ struct _krb5_db_entry_new *server,
+ preauth_get_entry_data_proc,
+ void *pa_module_context,
+ krb5_pa_data *data);
+
+/* Verify preauthentication data sent by the client, setting the
+ * TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
+ * field as appropriate, and returning nonzero on failure. Can create
+ * context data for consumption by the return_proc or freepa_proc below. */
+typedef krb5_error_code
+(*preauth_server_verify_proc)(krb5_context context,
+ struct _krb5_db_entry_new *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *data,
+ preauth_get_entry_data_proc,
+ void *pa_module_context,
+ void **pa_request_context,
+ krb5_data **e_data,
+ krb5_authdata ***authz_data);
+
+/* Generate preauthentication response data to send to the client as part
+ * of the AS-REP. If it needs to override the key which is used to encrypt
+ * the response, it can do so. The module is expected (but not required,
+ * if a preauth_server_free_reqcontext_proc is also provided) to free any
+ * context data it saved in "pa_request_context". */
+typedef krb5_error_code
+(*preauth_server_return_proc)(krb5_context context,
+ krb5_pa_data * padata,
+ struct _krb5_db_entry_new *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_kdc_rep *reply,
+ struct _krb5_key_data *client_keys,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa,
+ preauth_get_entry_data_proc,
+ void *pa_module_context,
+ void **pa_request_context);
+
+/* Free up the server-side per-request context, in cases where
+ * server_return_proc() didn't or for whatever reason was not called.
+ * Can be NULL. */
+typedef krb5_error_code
+(*preauth_server_free_reqcontext_proc)(krb5_context,
+ void *pa_module_context,
+ void **request_pa_context);
+
+/*
+ * The function table / structure which a preauth server module must export as
+ * "preauthentication_server_0". NOTE: replace "0" with "1" for the type and
+ * variable names if this gets picked up by upstream. If the interfaces work
+ * correctly, future versions of the table will add either more callbacks or
+ * more arguments to callbacks, and in both cases we'll be able to wrap the v0
+ * functions.
+ */
+typedef struct krb5plugin_preauth_server_ftable_v1 {
+ /* Not-usually-visible name. */
+ char *name;
+
+ /* Pointer to zero-terminated list of pa_types which this module can
+ * provide services for. */
+ krb5_preauthtype *pa_type_list;
+
+ /* Per-plugin initialization/cleanup. The init function is called by the
+ * KDC when the plugin is loaded, and the fini function is called before
+ * the plugin is unloaded. Both are optional. */
+ preauth_server_init_proc init_proc;
+ preauth_server_fini_proc fini_proc;
+
+ /* Return the flags which the KDC should use for this module. This is a
+ * callback instead of a static value because the module may or may not
+ * wish to count itself as a hardware preauthentication module (in other
+ * words, the flags may be affected by the configuration, for example if a
+ * site administrator can force a particular preauthentication type to be
+ * supported using only hardware). This function is called for each entry
+ * entry in the server_pa_type_list. */
+ preauth_server_flags_proc flags_proc;
+
+ /* Get preauthentication data to send to the client as part of the "you
+ * need to use preauthentication" error. The module doesn't need to
+ * actually provide data if the protocol doesn't require it, but it should
+ * return either zero or non-zero to control whether its padata type is
+ * included in the list which is sent back to the client. Is not allowed
+ * to create a context because we have no guarantee that the client will
+ * ever call again (or that it will hit this server if it does), in which
+ * case a context might otherwise hang around forever. */
+ preauth_server_edata_proc edata_proc;
+
+ /* Verify preauthentication data sent by the client, setting the
+ * TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
+ * field as appropriate, and returning nonzero on failure. Can create
+ * context data for consumption by the return_proc or freepa_proc below. */
+ preauth_server_verify_proc verify_proc;
+
+ /* Generate preauthentication response data to send to the client as part
+ * of the AS-REP. If it needs to override the key which is used to encrypt
+ * the response, it can do so. The module is expected (but not required,
+ * if a freepa_proc is also provided) to free any context data it saved in
+ * "request_pa_context". */
+ preauth_server_return_proc return_proc;
+
+ /* Free up the server-side per-request context, in cases where
+ * server_return_proc() didn't or for whatever reason was not called.
+ * Can be NULL. */
+ preauth_server_free_reqcontext_proc freepa_reqcontext_proc;
+
+} krb5plugin_preauth_server_ftable_v1;
+
+
+/*
+ * This function allows a preauth plugin to obtain preauth
+ * options. The preauth_data returned from this function
+ * should be freed by calling krb5_get_init_creds_opt_free_pa().
+ *
+ * The 'opt' pointer supplied to this function must have been
+ * obtained using krb5_get_init_creds_opt_alloc()
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_get_pa(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ int *num_preauth_data,
+ krb5_gic_opt_pa_data **preauth_data);
+
+/*
+ * This function frees the preauth_data that was returned by
+ * krb5_get_init_creds_opt_get_pa().
+ */
+void KRB5_CALLCONV
+krb5_get_init_creds_opt_free_pa(krb5_context context,
+ int num_preauth_data,
+ krb5_gic_opt_pa_data *preauth_data);
+
+#endif /* KRB5_PREAUTH_PLUGIN_H_INCLUDED */
Index: pkinit-nss-0.7.8-1/configure.ac
===================================================================
--- pkinit-nss-0.7.8-1.orig/configure.ac
+++ pkinit-nss-0.7.8-1/configure.ac
@@ -63,7 +63,7 @@ AC_CHECK_DECLS(KRB5KDC_ERR_SVC_UNAVAILAB
AC_ARG_WITH(krb5-version,[AS_HELP_STRING([--with-krb5-version=AUTO],[Attempt to build for a specified version of MIT Kerberos.])],krb5_version=$withval,krb5_version=AUTO)
if test "x$krb5_version" = xAUTO ; then
AC_MSG_RESULT([Using backport preauth plugin header support.])
- AC_MSG_CHECKING([whether this is Kerberos 1.5, 1.6, 1.6.1/1.6.2, 1.6.3/1.6.4, 1.7])
+ AC_MSG_CHECKING([whether this is Kerberos 1.5, 1.6, 1.6.1/1.6.2, 1.6.3/1.6.4, 1.7, 1.8])
dnl if test x$ac_cv_have_decl_KRB5KDC_ERR_SVC_UNAVAILABLE = xyes ; then
dnl AC_MSG_RESULT([looks like 1.6.3.])
dnl krb5_version=1.6.3
@@ -88,6 +88,9 @@ dnl krb5_version=1.6
elif test "$krb5_version" = 1.7 ; then
AC_MSG_RESULT([looks like 1.7.])
krb5_version=1.7
+ elif test "$krb5_version" = 1.8 ; then
+ AC_MSG_RESULT([looks like 1.8.])
+ krb5_version=1.8
else
AC_MSG_RESULT([looks like ${krb5_version}.])
fi
@@ -99,6 +102,14 @@ else
AC_MSG_RESULT([Requested build for $krb5_version.])
fi
case "$krb5_version" in
+ 1.8)
+ AC_MSG_RESULT([Building for Kerberos 1.8.])
+ if test x$ac_cv_header_krb5_preauth_plugin_h = xno ; then
+ BACKPORT_CPPFLAGS='-I$(top_srcdir)/backport-1.8'
+ fi
+ AC_DEFINE(BACKPORT_INTERFACE_1,1,[Define if version 1 of the preauth plugin interface should be implemented.])
+ AC_DEFINE(BACKPORT_INTERFACE_1_HAS_FAST,1,[Define if the plugin interface includes information about whether or not FAST is in use.])
+ ;;
1.7)
AC_MSG_RESULT([Building for Kerberos 1.7.])
if test x$ac_cv_header_krb5_preauth_plugin_h = xno ; then
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org