Hello community,
here is the log from the commit of package krb5-plugin-preauth-pkinit-nss for openSUSE:Factory
checked in at Tue Jul 28 00:01:30 CEST 2009.
--------
--- krb5-plugin-preauth-pkinit-nss/krb5-plugin-preauth-pkinit-nss.changes 2009-07-16 14:50:37.000000000 +0200
+++ krb5-plugin-preauth-pkinit-nss/krb5-plugin-preauth-pkinit-nss.changes 2009-07-27 10:12:52.000000000 +0200
@@ -1,0 +2,7 @@
+Mon Jul 27 10:10:51 CEST 2009 - mc@novell.com
+
+- version 0.7.8
+ * upstream support for krb5 1.7 release.
+ * Refuse to participate when the client is using armoring.
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
fix-1.7.patch
pkinit-nss-0.7.7-1.tar.bz2
New:
----
pkinit-nss-0.7.8-1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ krb5-plugin-preauth-pkinit-nss.spec ++++++
--- /var/tmp/diff_new_pack.bDT6c2/_old 2009-07-28 00:01:01.000000000 +0200
+++ /var/tmp/diff_new_pack.bDT6c2/_new 2009-07-28 00:01:01.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package krb5-plugin-preauth-pkinit-nss (Version 0.7.7)
+# spec file for package krb5-plugin-preauth-pkinit-nss (Version 0.7.8)
#
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -19,8 +19,8 @@
Name: krb5-plugin-preauth-pkinit-nss
-Version: 0.7.7
-Release: 8
+Version: 0.7.8
+Release: 1
BuildRequires: keyutils-devel krb5-devel >= 1.6.1 mozilla-nss-devel >= 3.11.2 pkgconfig
Summary: MIT Kerberos5 Implementation--PKINIT preauth Plugin
License: LGPL v2.1 or later
@@ -31,7 +31,6 @@
Source: pkinit-nss-%{version}-1.tar.bz2
Patch0: pkinit-nss-0.6.1-match-default-realms.patch
Patch1: pkinit-nss-0.7.2-1-documentation.dif
-Patch2: fix-1.7.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -48,7 +47,6 @@
%setup -q -n pkinit-nss-%{version}-1
%patch0
%patch1
-%patch2 -p1
%build
#autoreconf -i -f
++++++ pkinit-nss-0.7.7-1.tar.bz2 -> pkinit-nss-0.7.8-1.tar.bz2 ++++++
++++ 59308 lines of diff (skipped)
++++ retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/Makefile.am new/pkinit-nss-0.7.8-1/Makefile.am
--- old/pkinit-nss-0.7.7-1/Makefile.am 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/Makefile.am 2009-07-20 10:01:54.000000000 +0200
@@ -7,7 +7,8 @@
$(top_srcdir)/backport/*.h \
$(top_srcdir)/backport-1.6/krb5/*.h \
$(top_srcdir)/backport-1.6.1/krb5/*.h \
- $(top_srcdir)/backport-1.6.3/krb5/*.h
+ $(top_srcdir)/backport-1.6.3/krb5/*.h \
+ $(top_srcdir)/backport-1.7/krb5/*.h
VERSION=$(shell rpm -q --specfile $(top_srcdir)/pkinit-nss.spec --define 'dist %{nil}' --qf '%{version}\n' | head -n1)
RELEASE=$(shell rpm -q --specfile $(top_srcdir)/pkinit-nss.spec --define 'dist %{nil}' --qf '%{release}\n' | head -n1)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/NEWS new/pkinit-nss-0.7.8-1/NEWS
--- old/pkinit-nss-0.7.7-1/NEWS 2008-09-04 10:24:53.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/NEWS 2009-07-20 10:01:54.000000000 +0200
@@ -1,3 +1,7 @@
+0.7.8
+* Learn about the 1.7 release.
+* Refuse to participate when the client is using armoring.
+
0.7.7
* Learn to match certificates on email addresses, and to handle references to
parts of the relevant principal name in matching rules.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/backport-1.7/krb5/preauth_plugin.h new/pkinit-nss-0.7.8-1/backport-1.7/krb5/preauth_plugin.h
--- old/pkinit-nss-0.7.7-1/backport-1.7/krb5/preauth_plugin.h 1970-01-01 01:00:00.000000000 +0100
+++ new/pkinit-nss-0.7.8-1/backport-1.7/krb5/preauth_plugin.h 2009-07-20 10:01:54.000000000 +0200
@@ -0,0 +1,526 @@
+/*
+ *
+ *
+ * Copyright (c) 2006 Red Hat, Inc.
+ * Portions copyright (c) 2006 Massachusetts Institute of Technology
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Red Hat, Inc., nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Preauthentication plugin definitions for Kerberos 5.
+ */
+
+#ifndef KRB5_PREAUTH_PLUGIN_H_INCLUDED
+#define KRB5_PREAUTH_PLUGIN_H_INCLUDED
+#include
+
+/*
+ * While arguments of these types are passed-in, for the most part a preauth
+ * module can treat them as opaque. If we need keying data, we can ask for
+ * it directly.
+ */
+struct _krb5_db_entry_new;
+struct _krb5_key_data;
+struct _krb5_preauth_client_rock;
+
+/*
+ * Preauth mechanism property flags, unified from previous definitions in the
+ * KDC and libkrb5 sources.
+ */
+
+/* Provides a real answer which we can send back to the KDC (client-only). The
+ * client assumes that one real answer will be enough. */
+#define PA_REAL 0x00000001
+
+/* Doesn't provide a real answer, but must be given a chance to run before any
+ * REAL mechanism callbacks (client-only). */
+#define PA_INFO 0x00000002
+
+/* Causes the KDC to include this mechanism in a list of supported preauth
+ * types if the user's DB entry flags the user as requiring hardware-based
+ * preauthentication (server-only). */
+#define PA_HARDWARE 0x00000004
+
+/* Causes the KDC to include this mechanism in a list of supported preauth
+ * types if the user's DB entry flags the user as requiring preauthentication,
+ * and to fail preauthentication if we can't verify the client data. The
+ * flipside of PA_SUFFICIENT (server-only). */
+#define PA_REQUIRED 0x00000008
+
+/* Causes the KDC to include this mechanism in a list of supported preauth
+ * types if the user's DB entry flags the user as requiring preauthentication,
+ * and to mark preauthentication as successful if we can verify the client
+ * data. The flipside of PA_REQUIRED (server-only). */
+#define PA_SUFFICIENT 0x00000010
+
+/* Marks this preauthentication mechanism as one which changes the key which is
+ * used for encrypting the response to the client. Modules which have this
+ * flag have their server_return_proc called before modules which do not, and
+ * are passed over if a previously-called module has modified the encrypting
+ * key (server-only). */
+#define PA_REPLACES_KEY 0x00000020
+
+/* Causes the KDC to check with this preauthentication module even if the
+ * client has no entry in the realm database. If the module returns a success
+ * code, continue processing and assume that its return_padata callback will
+ * supply us with a key for encrypting the AS reply (server-only). */
+/* #define PA_VIRTUAL (0x00000040 | PA_REPLACES_KEY) */
+
+/* Not really a padata type, so don't include it in any list of preauth types
+ * which gets sent over the wire. */
+#define PA_PSEUDO 0x00000080
+
+
+/***************************************************************************
+ *
+ * Client-side preauthentication plugin interface definition.
+ *
+ ***************************************************************************/
+
+/*
+ * A callback which will obtain the user's long-term AS key by prompting the
+ * user for the password, then salting it properly, and so on. For the moment,
+ * it's identical to the get_as_key callback used inside of libkrb5, but we
+ * define a new typedef here instead of making the existing one public to
+ * isolate ourselves from potential future changes.
+ */
+typedef krb5_error_code
+(*preauth_get_as_key_proc)(krb5_context,
+ krb5_principal,
+ krb5_enctype,
+ krb5_prompter_fct,
+ void *prompter_data,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_keyblock *as_key,
+ void *gak_data);
+
+/*
+ * A client module's callback functions are allowed to request various
+ * information to enable it to process a request.
+ */
+enum krb5plugin_preauth_client_request_type {
+ /* The returned krb5_data item holds the enctype expected to be used to encrypt the
+ * encrypted portion of the AS_REP packet. When handling a
+ * PREAUTH_REQUIRED error, this typically comes from etype-info2.
+ * When handling an AS reply, it is initialized from the AS reply itself.*/
+ krb5plugin_preauth_client_get_etype = 1,
+ /* Free the data returned from krb5plugin_preauth_client_req_get_etype */
+ krb5plugin_preauth_client_free_etype = 2,
+ /* The returned krb5_data contains the FAST armor key in a
+ * krb5_keyblock. Returns success with a NULL data item in the
+ * krb5_data if the client library supports FAST but is not using it.*/
+ krb5plugin_preauth_client_fast_armor = 3,
+ /* Frees return from KRB5PLUGIN_PREAUTH_CLIENT_FAST_ARMOR. It is
+ * acceptable to set data to NULL and free the keyblock using
+ * krb5_free_keyblock; in that case, this frees the krb5_data
+ * only.*/
+krb5plugin_preauth_client_free_fast_armor = 4,
+};
+typedef krb5_error_code
+(*preauth_get_client_data_proc)(krb5_context,
+ struct _krb5_preauth_client_rock *,
+ krb5_int32 request_type,
+ krb5_data **);
+
+/* Per-plugin initialization/cleanup. The init function is called
+ * by libkrb5 when the plugin is loaded, and the fini function is
+ * called before the plugin is unloaded. Both are optional and
+ * may be called multiple times in case the plugin is used in
+ * multiple contexts. The returned context lives the lifetime of
+ * the krb5_context */
+typedef krb5_error_code
+(*preauth_client_plugin_init_proc)(krb5_context context,
+ void **plugin_context);
+typedef void
+(*preauth_client_plugin_fini_proc)(krb5_context context,
+ void *plugin_context);
+
+/* A callback which returns flags indicating if the module is a "real" or
+ * an "info" mechanism, and so on. This function is called for each entry
+ * in the client_pa_type_list. */
+typedef int
+(*preauth_client_get_flags_proc)(krb5_context context,
+ krb5_preauthtype pa_type);
+
+/* Per-request initialization/cleanup. The request_init function is
+ * called when beginning to process a get_init_creds request and the
+ * request_fini function is called when processing of the request is
+ * complete. This is optional. It may be called multiple times in
+ * the lifetime of a krb5_context. */
+typedef void
+(*preauth_client_request_init_proc)(krb5_context context,
+ void *plugin_context,
+ void **request_context);
+typedef void
+(*preauth_client_request_fini_proc)(krb5_context context,
+ void *plugin_context,
+ void *request_context);
+
+/* Client function which processes server-supplied data in pa_data,
+ * returns created data in out_pa_data, storing any of its own state in
+ * client_context if data for the associated preauthentication type is
+ * needed. It is also called after the AS-REP is received if the AS-REP
+ * includes preauthentication data of the associated type.
+ * NOTE! the encoded_previous_request will be NULL the first time this
+ * function is called, because it is expected to only ever contain the data
+ * obtained from a previous call to this function. */
+typedef krb5_error_code
+(*preauth_client_process_proc)(krb5_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_get_init_creds_opt *opt,
+ preauth_get_client_data_proc get_data_proc,
+ struct _krb5_preauth_client_rock *rock,
+ krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request,
+ krb5_pa_data *pa_data,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ preauth_get_as_key_proc gak_fct,
+ void *gak_data,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_keyblock *as_key,
+ krb5_pa_data ***out_pa_data);
+
+/* Client function which can attempt to use e-data in the error response to
+ * try to recover from the given error. If this function is not NULL, and
+ * it stores data in out_pa_data which is different data from the contents
+ * of in_pa_data, then the client library will retransmit the request. */
+typedef krb5_error_code
+(*preauth_client_tryagain_proc)(krb5_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_get_init_creds_opt *opt,
+ preauth_get_client_data_proc get_data_proc,
+ struct _krb5_preauth_client_rock *rock,
+ krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request,
+ krb5_pa_data *in_pa_data,
+ krb5_error *error,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ preauth_get_as_key_proc gak_fct,
+ void *gak_data,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_keyblock *as_key,
+ krb5_pa_data ***out_pa_data);
+
+/*
+ * Client function which receives krb5_get_init_creds_opt information.
+ * The attr and value information supplied should be copied locally by
+ * the module if it wishes to reference it after returning from this call.
+ */
+typedef krb5_error_code
+(*preauth_client_supply_gic_opts_proc)(krb5_context context,
+ void *plugin_context,
+ krb5_get_init_creds_opt *opt,
+ const char *attr,
+ const char *value);
+
+/*
+ * The function table / structure which a preauth client module must export as
+ * "preauthentication_client_0". If the interfaces work correctly, future
+ * versions of the table will add either more callbacks or more arguments to
+ * callbacks, and in both cases we'll be able to wrap the v0 functions.
+ */
+typedef struct krb5plugin_preauth_client_ftable_v1 {
+ /* Not-usually-visible name. */
+ char *name;
+
+ /* Pointer to zero-terminated list of pa_types which this module can
+ * provide services for. */
+ krb5_preauthtype *pa_type_list;
+
+ /* Pointer to zero-terminated list of enc_types which this module claims
+ * to add support for. */
+ krb5_enctype *enctype_list;
+
+ /* Per-plugin initialization/cleanup. The init function is called
+ * by libkrb5 when the plugin is loaded, and the fini function is
+ * called before the plugin is unloaded. Both are optional and
+ * may be called multiple times in case the plugin is used in
+ * multiple contexts. The returned context lives the lifetime of
+ * the krb5_context */
+ preauth_client_plugin_init_proc init;
+ preauth_client_plugin_fini_proc fini;
+
+ /* A callback which returns flags indicating if the module is a "real" or
+ * an "info" mechanism, and so on. This function is called for each entry
+ * in the client_pa_type_list. */
+ preauth_client_get_flags_proc flags;
+
+ /* Per-request initialization/cleanup. The request_init function is
+ * called when beginning to process a get_init_creds request and the
+ * request_fini function is called when processing of the request is
+ * complete. This is optional. It may be called multiple times in
+ * the lifetime of a krb5_context. */
+ preauth_client_request_init_proc request_init;
+ preauth_client_request_fini_proc request_fini;
+
+ /* Client function which processes server-supplied data in pa_data,
+ * returns created data in out_pa_data, storing any of its own state in
+ * client_context if data for the associated preauthentication type is
+ * needed. It is also called after the AS-REP is received if the AS-REP
+ * includes preauthentication data of the associated type.
+ * NOTE! the encoded_previous_request will be NULL the first time this
+ * function is called, because it is expected to only ever contain the data
+ * obtained from a previous call to this function. */
+ preauth_client_process_proc process;
+
+ /* Client function which can attempt to use e-data in the error response to
+ * try to recover from the given error. If this function is not NULL, and
+ * it stores data in out_pa_data which is different data from the contents
+ * of in_pa_data, then the client library will retransmit the request. */
+ preauth_client_tryagain_proc tryagain;
+
+ /*
+ * Client function which receives krb5_get_init_creds_opt information.
+ * The attr and value information supplied should be copied locally by
+ * the module if it wishes to reference it after returning from this call.
+ */
+ preauth_client_supply_gic_opts_proc gic_opts;
+
+} krb5plugin_preauth_client_ftable_v1;
+
+
+/***************************************************************************
+ *
+ * Server-side preauthentication plugin interface definition.
+ *
+ ***************************************************************************/
+
+/*
+ * A server module's callback functions are allowed to request specific types
+ * of information about the given client or server record or request, even
+ * though the database records themselves are opaque to the module.
+ */
+enum krb5plugin_preauth_entry_request_type {
+ /* The returned krb5_data item holds a DER-encoded X.509 certificate. */
+ krb5plugin_preauth_entry_request_certificate = 1,
+ /* The returned krb5_data_item holds a krb5_deltat. */
+ krb5plugin_preauth_entry_max_time_skew = 2,
+ /* The returned krb5_data_item holds an array of krb5_keyblock structures,
+ * terminated by an entry with key type = 0.
+ * Each keyblock should have its contents freed in turn, and then the data
+ * item itself should be freed. */
+ krb5plugin_preauth_keys = 3,
+ /* The returned krb5_data_item holds the request structure, re-encoded
+ * using DER. Unless the client implementation is the same as the server
+ * implementation, there's a good chance that the result will not match
+ * what the client sent, so don't go creating any fatal errors if it
+ * doesn't match up. */
+ krb5plugin_preauth_request_body = 4,
+ /* The returned krb5_data contains a krb5_keyblock with the FAST
+ armor key. The data member is NULL if this method is not part
+ of a FAST tunnel */
+ krb5plugin_preauth_fast_armor = 5,
+ /* Frees a fast armor key; it is acceptable to set data to NULL
+ and free the keyblock using krb5_free_keyblock; in that case,
+ this function simply frees the data*/
+ krb5plugin_preauth_free_fast_armor = 6,
+ };
+
+typedef krb5_error_code
+(*preauth_get_entry_data_proc)(krb5_context,
+ krb5_kdc_req *,
+ struct _krb5_db_entry_new *,
+ krb5_int32 request_type,
+ krb5_data **);
+
+/* Preauth plugin initialization function */
+typedef krb5_error_code
+(*preauth_server_init_proc)(krb5_context context,
+ void **plugin_context,
+ const char** realmnames);
+
+/* Preauth plugin cleanup function */
+typedef void
+(*preauth_server_fini_proc)(krb5_context context, void *plugin_context);
+
+/* Return the flags which the KDC should use for this module. This is a
+ * callback instead of a static value because the module may or may not
+ * wish to count itself as a hardware preauthentication module (in other
+ * words, the flags may be affected by the configuration, for example if a
+ * site administrator can force a particular preauthentication type to be
+ * supported using only hardware). This function is called for each entry
+ * entry in the server_pa_type_list. */
+typedef int
+(*preauth_server_flags_proc)(krb5_context context, krb5_preauthtype patype);
+
+/* Get preauthentication data to send to the client as part of the "you
+ * need to use preauthentication" error. The module doesn't need to
+ * actually provide data if the protocol doesn't require it, but it should
+ * return either zero or non-zero to control whether its padata type is
+ * included in the list which is sent back to the client. Is not allowed
+ * to create a context because we have no guarantee that the client will
+ * ever call again (or that it will hit this server if it does), in which
+ * case a context might otherwise hang around forever. */
+typedef krb5_error_code
+(*preauth_server_edata_proc)(krb5_context,
+ krb5_kdc_req *request,
+ struct _krb5_db_entry_new *client,
+ struct _krb5_db_entry_new *server,
+ preauth_get_entry_data_proc,
+ void *pa_module_context,
+ krb5_pa_data *data);
+
+/* Verify preauthentication data sent by the client, setting the
+ * TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
+ * field as appropriate, and returning nonzero on failure. Can create
+ * context data for consumption by the return_proc or freepa_proc below. */
+typedef krb5_error_code
+(*preauth_server_verify_proc)(krb5_context context,
+ struct _krb5_db_entry_new *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *data,
+ preauth_get_entry_data_proc,
+ void *pa_module_context,
+ void **pa_request_context,
+ krb5_data **e_data,
+ krb5_authdata ***authz_data);
+
+/* Generate preauthentication response data to send to the client as part
+ * of the AS-REP. If it needs to override the key which is used to encrypt
+ * the response, it can do so. The module is expected (but not required,
+ * if a preauth_server_free_reqcontext_proc is also provided) to free any
+ * context data it saved in "pa_request_context". */
+typedef krb5_error_code
+(*preauth_server_return_proc)(krb5_context context,
+ krb5_pa_data * padata,
+ struct _krb5_db_entry_new *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_kdc_rep *reply,
+ struct _krb5_key_data *client_keys,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa,
+ preauth_get_entry_data_proc,
+ void *pa_module_context,
+ void **pa_request_context);
+
+/* Free up the server-side per-request context, in cases where
+ * server_return_proc() didn't or for whatever reason was not called.
+ * Can be NULL. */
+typedef krb5_error_code
+(*preauth_server_free_reqcontext_proc)(krb5_context,
+ void *pa_module_context,
+ void **request_pa_context);
+
+/*
+ * The function table / structure which a preauth server module must export as
+ * "preauthentication_server_0". NOTE: replace "0" with "1" for the type and
+ * variable names if this gets picked up by upstream. If the interfaces work
+ * correctly, future versions of the table will add either more callbacks or
+ * more arguments to callbacks, and in both cases we'll be able to wrap the v0
+ * functions.
+ */
+typedef struct krb5plugin_preauth_server_ftable_v1 {
+ /* Not-usually-visible name. */
+ char *name;
+
+ /* Pointer to zero-terminated list of pa_types which this module can
+ * provide services for. */
+ krb5_preauthtype *pa_type_list;
+
+ /* Per-plugin initialization/cleanup. The init function is called by the
+ * KDC when the plugin is loaded, and the fini function is called before
+ * the plugin is unloaded. Both are optional. */
+ preauth_server_init_proc init_proc;
+ preauth_server_fini_proc fini_proc;
+
+ /* Return the flags which the KDC should use for this module. This is a
+ * callback instead of a static value because the module may or may not
+ * wish to count itself as a hardware preauthentication module (in other
+ * words, the flags may be affected by the configuration, for example if a
+ * site administrator can force a particular preauthentication type to be
+ * supported using only hardware). This function is called for each entry
+ * entry in the server_pa_type_list. */
+ preauth_server_flags_proc flags_proc;
+
+ /* Get preauthentication data to send to the client as part of the "you
+ * need to use preauthentication" error. The module doesn't need to
+ * actually provide data if the protocol doesn't require it, but it should
+ * return either zero or non-zero to control whether its padata type is
+ * included in the list which is sent back to the client. Is not allowed
+ * to create a context because we have no guarantee that the client will
+ * ever call again (or that it will hit this server if it does), in which
+ * case a context might otherwise hang around forever. */
+ preauth_server_edata_proc edata_proc;
+
+ /* Verify preauthentication data sent by the client, setting the
+ * TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
+ * field as appropriate, and returning nonzero on failure. Can create
+ * context data for consumption by the return_proc or freepa_proc below. */
+ preauth_server_verify_proc verify_proc;
+
+ /* Generate preauthentication response data to send to the client as part
+ * of the AS-REP. If it needs to override the key which is used to encrypt
+ * the response, it can do so. The module is expected (but not required,
+ * if a freepa_proc is also provided) to free any context data it saved in
+ * "request_pa_context". */
+ preauth_server_return_proc return_proc;
+
+ /* Free up the server-side per-request context, in cases where
+ * server_return_proc() didn't or for whatever reason was not called.
+ * Can be NULL. */
+ preauth_server_free_reqcontext_proc freepa_reqcontext_proc;
+
+} krb5plugin_preauth_server_ftable_v1;
+
+
+/*
+ * This function allows a preauth plugin to obtain preauth
+ * options. The preauth_data returned from this function
+ * should be freed by calling krb5_get_init_creds_opt_free_pa().
+ *
+ * The 'opt' pointer supplied to this function must have been
+ * obtained using krb5_get_init_creds_opt_alloc()
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_get_pa
+ (krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ int *num_preauth_data,
+ krb5_gic_opt_pa_data **preauth_data);
+
+/*
+ * This function frees the preauth_data that was returned by
+ * krb5_get_init_creds_opt_get_pa().
+ */
+void KRB5_CALLCONV
+krb5_get_init_creds_opt_free_pa
+ (krb5_context context,
+ int num_preauth_data,
+ krb5_gic_opt_pa_data *preauth_data);
+
+#endif /* KRB5_PREAUTH_PLUGIN_H_INCLUDED */
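Review bot: The comments in `enum krb5plugin_preauth_client_request_type` name identifiers this header never declares: the one on `krb5plugin_preauth_client_free_etype` refers to `krb5plugin_preauth_client_req_get_etype`, and the one on `krb5plugin_preauth_client_free_fast_armor` refers to `KRB5PLUGIN_PREAUTH_CLIENT_FAST_ARMOR`. The declared enumerators are `krb5plugin_preauth_client_get_etype` and `krb5plugin_preauth_client_fast_armor`, so I would reword the first comment to `/* Free the data returned from krb5plugin_preauth_client_get_etype */` and change the second to start `/* Frees the data returned from krb5plugin_preauth_client_fast_armor.` The armor request hands a `krb5_keyblock` to the module, so its comment should also say that a failure return (presumably a library without FAST support) and success with a NULL data member (FAST supported but not in use) are different outcomes. A module deciding whether armoring is active has to tell those two apart. Separately, the client table comment still says the module exports `"preauthentication_client_0"` while the type is `krb5plugin_preauth_client_ftable_v1`; the server table's comment carries a note about the 0/1 naming, and the client one should get the same.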
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/config.h new/pkinit-nss-0.7.8-1/config.h
--- old/pkinit-nss-0.7.7-1/config.h 2008-09-05 11:26:43.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/config.h 2009-07-27 10:08:41.000000000 +0200
@@ -9,6 +9,10 @@
*/
#define BACKPORT_INTERFACE_1 1
+/* Define if the plugin interface includes information about whether or not
+ FAST is in use. */
+/* #undef BACKPORT_INTERFACE_1_HAS_FAST */
+
/* Define to the location of your NSS client databases */
#define DEFAULT_PKINIT_CLIENT_DBDIR "/etc/pki/nssdb"
@@ -88,6 +92,10 @@
/* Define to the location of your locale data. */
#define LOCALEDATADIR "NONE/share/locale"
+/* Define to the sub-directory in which libtool stores uninstalled libraries.
+ */
+#define LT_OBJDIR ".libs/"
+
/* Name of package */
#define PACKAGE "pkinit-nss"
@@ -98,13 +106,13 @@
#define PACKAGE_NAME "pkinit-nss"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "pkinit-nss 0.7.7"
+#define PACKAGE_STRING "pkinit-nss 0.7.8"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "pkinit-nss"
/* Define to the version of this package. */
-#define PACKAGE_VERSION "0.7.7"
+#define PACKAGE_VERSION "0.7.8"
/* Define if your PAL doesn't provide an option for a supply_gic_opts_proc
callback function. */
@@ -121,4 +129,4 @@
#define STDC_HEADERS 1
/* Version number of package */
-#define VERSION "0.7.7"
+#define VERSION "0.7.8"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/config.h.in new/pkinit-nss-0.7.8-1/config.h.in
--- old/pkinit-nss-0.7.7-1/config.h.in 2008-09-05 11:26:24.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/config.h.in 2009-07-27 10:08:36.000000000 +0200
@@ -8,6 +8,10 @@
*/
#undef BACKPORT_INTERFACE_1
+/* Define if the plugin interface includes information about whether or not
+ FAST is in use. */
+#undef BACKPORT_INTERFACE_1_HAS_FAST
+
/* Define to the location of your NSS client databases */
#undef DEFAULT_PKINIT_CLIENT_DBDIR
@@ -87,6 +91,10 @@
/* Define to the location of your locale data. */
#undef LOCALEDATADIR
+/* Define to the sub-directory in which libtool stores uninstalled libraries.
+ */
+#undef LT_OBJDIR
+
/* Name of package */
#undef PACKAGE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/configure.ac new/pkinit-nss-0.7.8-1/configure.ac
--- old/pkinit-nss-0.7.7-1/configure.ac 2008-09-04 10:24:53.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/configure.ac 2009-07-20 10:01:54.000000000 +0200
@@ -1,4 +1,4 @@
-AC_INIT(pkinit-nss,0.7.7)
+AC_INIT(pkinit-nss,0.7.8)
AM_INIT_AUTOMAKE(foreign)
AM_PROG_LIBTOOL
AM_GLIB_GNU_GETTEXT
@@ -63,7 +63,7 @@
AC_ARG_WITH(krb5-version,[AS_HELP_STRING([--with-krb5-version=AUTO],[Attempt to build for a specified version of MIT Kerberos.])],krb5_version=$withval,krb5_version=AUTO)
if test "x$krb5_version" = xAUTO ; then
AC_MSG_RESULT([Using backport preauth plugin header support.])
- AC_MSG_CHECKING([whether this is Kerberos 1.5, 1.6, 1.6.1/1.6.2, 1.6.3/1.6.4])
+ AC_MSG_CHECKING([whether this is Kerberos 1.5, 1.6, 1.6.1/1.6.2, 1.6.3/1.6.4, 1.7])
dnl if test x$ac_cv_have_decl_KRB5KDC_ERR_SVC_UNAVAILABLE = xyes ; then
dnl AC_MSG_RESULT([looks like 1.6.3.])
dnl krb5_version=1.6.3
@@ -85,6 +85,9 @@
elif test "$krb5_version" = 1.6.4 ; then
AC_MSG_RESULT([looks like 1.6.3 or 1.6.4.])
krb5_version=1.6.3
+ elif test "$krb5_version" = 1.7 ; then
+ AC_MSG_RESULT([looks like 1.7.])
+ krb5_version=1.7
else
AC_MSG_RESULT([looks like ${krb5_version}.])
fi
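Review bot: The added `elif test "$krb5_version" = 1.7` matches only the exact string `1.7`, and the `1.7)` arm added in the next hunk (@@ -96,6 +99,14 @@) has the same limitation. As far as the visible lines show, a detected or requested version such as 1.7.1 would take the generic `else` branch and then miss the `1.7)` arm, so `BACKPORT_INTERFACE_1_HAS_FAST` would stay undefined. If the "refuse to participate when the client is using armoring" check is compiled under that macro, which is inferred from the NEWS entry and not visible here, it would be silently left out of such a build. Widening the arm to `1.7|1.7.*)` would cover point releases, and the `elif` chain could normalise them the way 1.6.4 is mapped to 1.6.3. The `if` chain and the `case` statement both start and end outside these hunks, so a later catch-all may already handle this.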
@@ -96,6 +99,14 @@
AC_MSG_RESULT([Requested build for $krb5_version.])
fi
case "$krb5_version" in
+ 1.7)
+ AC_MSG_RESULT([Building for Kerberos 1.7.])
+ if test x$ac_cv_header_krb5_preauth_plugin_h = xno ; then
+ BACKPORT_CPPFLAGS='-I$(top_srcdir)/backport-1.7'
+ fi
+ AC_DEFINE(BACKPORT_INTERFACE_1,1,[Define if version 1 of the preauth plugin interface should be implemented.])
+ AC_DEFINE(BACKPORT_INTERFACE_1_HAS_FAST,1,[Define if the plugin interface includes information about whether or not FAST is in use.])
+ ;;
1.6.3)
AC_MSG_RESULT([Building for Kerberos 1.6.3/1.6.4.])
if test x$ac_cv_header_krb5_preauth_plugin_h = xno ; then
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/doc/CONFIGURATION new/pkinit-nss-0.7.8-1/doc/CONFIGURATION
--- old/pkinit-nss-0.7.7-1/doc/CONFIGURATION 2008-09-04 10:24:53.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/doc/CONFIGURATION 2009-07-20 10:01:54.000000000 +0200
@@ -44,8 +44,10 @@
<EMAIL> Regular expression.
<COMPONENTS> Number.
<EKU> List of zero or more values, possibly
- including "pkinit", "msScLogin",
- "clientAuth", and "emailProtection".
+ including "pkinit" (for clients),
+ "pkinitKDC" (for KDCs), "msScLogin",
+ "clientAuth", "serverAuth", and
+ "emailProtection".
<KU> List of zero or more values, possibly
including "digitalSignature" and
"keyEncipherment".
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/pkinit-nss.spec new/pkinit-nss-0.7.8-1/pkinit-nss.spec
--- old/pkinit-nss-0.7.7-1/pkinit-nss.spec 2008-09-05 11:26:43.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/pkinit-nss.spec 2009-07-27 10:08:40.000000000 +0200
@@ -1,5 +1,5 @@
Name: pkinit-nss
-Version: 0.7.7
+Version: 0.7.8
Release: 1%{?dist}
Source: http://people.redhat.com/~nalin/pkinit-nss/%{name}-%{version}-1.tar.gz
License: LGPL
@@ -44,6 +44,10 @@
%{_libdir}/krb5
%changelog
+* Fri Jul 17 2009 Nalin Dahyabhai 0.7.8-1
+- learn about the krb5-1.7 release
+- disable participation when FAST is in use
+
* Tue Sep 2 2008 Nalin Dahyabhai 0.7.7-1
- add the ability to restrict matching of certificates by the number of
components in the principal name to which it is being compared
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/pkinit-nss.spec.in new/pkinit-nss-0.7.8-1/pkinit-nss.spec.in
--- old/pkinit-nss-0.7.7-1/pkinit-nss.spec.in 2008-09-04 10:24:53.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/pkinit-nss.spec.in 2009-07-20 10:01:54.000000000 +0200
@@ -44,6 +44,10 @@
%{_libdir}/krb5
%changelog
+* Fri Jul 17 2009 Nalin Dahyabhai 0.7.8-1
+- learn about the krb5-1.7 release
+- disable participation when FAST is in use
+
* Tue Sep 2 2008 Nalin Dahyabhai 0.7.7-1
- add the ability to restrict matching of certificates by the number of
components in the principal name to which it is being compared
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/po/LINGUAS new/pkinit-nss-0.7.8-1/po/LINGUAS
--- old/pkinit-nss-0.7.7-1/po/LINGUAS 1970-01-01 01:00:00.000000000 +0100
+++ new/pkinit-nss-0.7.8-1/po/LINGUAS 2009-05-19 11:32:33.000000000 +0200
@@ -0,0 +1,13 @@
+bal
+bg
+ca
+cs
+de
+fr
+hu
+it
+nl
+pl
+pt_BR
+sr
+sr@latin
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/po/Makefile.in.in new/pkinit-nss-0.7.8-1/po/Makefile.in.in
--- old/pkinit-nss-0.7.7-1/po/Makefile.in.in 2008-06-16 14:24:29.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/po/Makefile.in.in 2009-04-22 13:14:38.000000000 +0200
@@ -55,7 +55,7 @@
SOURCES =
POFILES = @POFILES@
GMOFILES = @GMOFILES@
-DISTFILES = ChangeLog Makefile.in.in POTFILES.in $(GETTEXT_PACKAGE).pot \
+DISTFILES = LINGUAS ChangeLog Makefile.in.in POTFILES.in $(GETTEXT_PACKAGE).pot \
$(POFILES) $(GMOFILES) $(SOURCES)
POTFILES = \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/aabag.c new/pkinit-nss-0.7.8-1/src/aabag.c
--- old/pkinit-nss-0.7.7-1/src/aabag.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/aabag.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: aabag.c,v 1.8 2007/06/20 21:27:27 nalin Exp $"
-
#include "../config.h"
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/aabag.h new/pkinit-nss-0.7.8-1/src/aabag.h
--- old/pkinit-nss-0.7.7-1/src/aabag.h 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/aabag.h 2009-07-20 10:01:54.000000000 +0200
@@ -22,7 +22,6 @@
#ifndef aabag_h
#define aabag_h
-#ident "$Id: aabag.h,v 1.3 2007/05/30 12:28:57 nalin Exp $"
#include
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/aacat.c new/pkinit-nss-0.7.8-1/src/aacat.c
--- old/pkinit-nss-0.7.7-1/src/aacat.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/aacat.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: aacat.c,v 1.9 2007/06/20 21:27:27 nalin Exp $"
-
#include "../config.h"
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/bcmst.c new/pkinit-nss-0.7.8-1/src/bcmst.c
--- old/pkinit-nss-0.7.7-1/src/bcmst.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/bcmst.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: bcmst.c,v 1.30 2007/06/08 21:44:27 nalin Exp $"
-
#include "../config.h"
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/bcmst.h new/pkinit-nss-0.7.8-1/src/bcmst.h
--- old/pkinit-nss-0.7.7-1/src/bcmst.h 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/bcmst.h 2009-07-20 10:01:54.000000000 +0200
@@ -22,7 +22,6 @@
#ifndef bcmst_h
#define bcmst_h
-#ident "$Id: bcmst.h,v 1.11 2007/05/28 05:24:45 nalin Exp $"
#include
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/bcmsutil.c new/pkinit-nss-0.7.8-1/src/bcmsutil.c
--- old/pkinit-nss-0.7.7-1/src/bcmsutil.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/bcmsutil.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: bcmsutil.c,v 1.13 2007/06/20 21:27:27 nalin Exp $"
-
#include "../config.h"
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/bpk5.c new/pkinit-nss-0.7.8-1/src/bpk5.c
--- old/pkinit-nss-0.7.7-1/src/bpk5.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/bpk5.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: bpk5.c,v 1.2 2007/06/20 12:11:19 nalin Exp $"
-
#include "../config.h"
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/bpk5.h new/pkinit-nss-0.7.8-1/src/bpk5.h
--- old/pkinit-nss-0.7.7-1/src/bpk5.h 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/bpk5.h 2009-07-20 10:01:54.000000000 +0200
@@ -22,7 +22,6 @@
#ifndef bpk5_h
#define bpk5_h
-#ident "$Id: bpk5.h,v 1.1 2007/05/22 20:39:21 nalin Exp $"
#include
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/certhash.c new/pkinit-nss-0.7.8-1/src/certhash.c
--- old/pkinit-nss-0.7.7-1/src/certhash.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/certhash.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: certhash.c,v 1.1 2007/05/22 20:48:23 nalin Exp $"
-
#include "../config.h"
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/certs.c new/pkinit-nss-0.7.8-1/src/certs.c
--- old/pkinit-nss-0.7.7-1/src/certs.c 2008-09-04 10:24:53.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/certs.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: certs.c,v 1.37 2007/06/08 21:44:27 nalin Exp $"
-
#include "../config.h"
#include
@@ -50,6 +48,7 @@
#define APPDEFAULT_LIST_SEPARATORS " \t,"
#define RULE_LIST_SEPARATORS " \t"
#define REGEX_SPECIAL_CHARS "[]{}().+?*|\\-^$"
+#define MATCHING_EXTENSIONS
static unsigned char oid_ms_sc_login_data[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x02};
static const SECOidData
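Review bot: `MATCHING_EXTENSIONS` is defined unconditionally and without a comment, so the `#else` paths it guards later in this file are never built and a reader cannot tell what the switch is for. Judging from the other hunks in this file, it gates the `<COMPONENTS>` and `<EMAIL>` clauses, the "pkinitKDC" and "serverAuth" EKU names, and the full `cert_match_expand_rule`. I would add a comment above the define such as `/* Enables the <COMPONENTS>/<EMAIL> clauses, the pkinitKDC/serverAuth EKU names and rule expansion; remove to build the reduced matcher. */`. If both variants are meant to be supported, the choice belongs in configure instead.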
@@ -452,6 +451,7 @@
q = p + 1 + strcspn(p + 1, "<");
pkinit_debug(mcontext, 2, "Clause: \"%.*s\".\n",
q - p, p);
+#ifdef MATCHING_EXTENSIONS
/* Save the expected size of the principal name. */
if (strncasecmp(p, "<COMPONENTS>", 12) == 0) {
p += 12;
@@ -466,6 +466,7 @@
record->size);
}
}
+#endif
/* Compile the regular expression for the subject name.
* */
if (strncasecmp(p, "<SUBJECT>", 9) == 0) {
@@ -543,6 +544,7 @@
pkinit_debug(mcontext, 3, "<SAN> \"%s\"\n",
pattern);
}
+#ifdef MATCHING_EXTENSIONS
/* Compile the regular expression for the
* subjectAlternativeName (rfc822Name type). */
if (strncasecmp(p, "<EMAIL>", 7) == 0) {
@@ -568,6 +570,7 @@
pkinit_debug(mcontext, 3, "<EMAIL> \"%s\"\n",
pattern);
}
+#endif
/* Make a copy of the keyUsage. */
if (strncasecmp(p, "<KU>", 4) == 0) {
p += 4;
@@ -798,6 +801,7 @@
}
}
+#ifdef MATCHING_EXTENSIONS
static char *
cert_match_expand_rule(PLArenaPool *pool,
krb5_context kcontext, krb5_principal principal,
@@ -875,6 +879,20 @@
}
return ret;
}
+#else
+static char *
+cert_match_expand_rule(PLArenaPool *pool,
+ krb5_context kcontext, krb5_principal principal,
+ const char *pattern, int length)
+{
+ char *ret;
+ ret = PORT_ArenaZAlloc(pool, length + 1);
+ if (ret != NULL) {
+ memcpy(ret, pattern, length);
+ }
+ return ret;
+}
+#endif
/* Check if the certificate contains the desired OID as an EKU value. */
static SECStatus
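Review bot: The fallback `cert_match_expand_rule` in the `#else` arm passes `length`, a signed `int`, straight to `PORT_ArenaZAlloc(pool, length + 1)` and `memcpy(ret, pattern, length)`, so a negative value would become a very large size in the copy. Callers are not visible in this hunk, so this may be unreachable, but a guard is cheap: `if (length < 0) return NULL;` before the allocation. This arm is compiled only when `MATCHING_EXTENSIONS` is undefined, which this commit never does, so it is also untested as shipped. The unused `kcontext` and `principal` parameters deserve a one-line comment saying the fallback copies the pattern verbatim.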
@@ -979,6 +997,14 @@
name);
oid = &oid_pkinit_key_purpose_client;
} else
+#ifdef MATCHING_EXTENSIONS
+ if (strcasecmp(name, "pkinitKDC") == 0) {
+ pkinit_debug(mcontext, 3,
+ "Checking for \"%s\" EKU.\n",
+ name);
+ oid = &oid_pkinit_key_purpose_kdc;
+ } else
+#endif
if (strcasecmp(name, "msScLogin") == 0) {
pkinit_debug(mcontext, 3,
"Checking for \"%s\" EKU.\n",
@@ -992,6 +1018,15 @@
tag = SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH;
oid = SECOID_FindOIDByTag(tag);
} else
+#ifdef MATCHING_EXTENSIONS
+ if (strcasecmp(name, "serverAuth") == 0) {
+ pkinit_debug(mcontext, 3,
+ "Checking for \"%s\" EKU.\n",
+ name);
+ tag = SEC_OID_EXT_KEY_USAGE_SERVER_AUTH;
+ oid = SECOID_FindOIDByTag(tag);
+ } else
+#endif
if (strcasecmp(name, "emailProtection") == 0) {
pkinit_debug(mcontext, 3,
"Checking for \"%s\" EKU.\n",
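Review bot: The two new EKU names differ widely in scope and nothing in the code says so. "pkinitKDC" (hunk at -979) maps to the PKINIT-specific `oid_pkinit_key_purpose_kdc`, while "serverAuth" here maps to the generic `SEC_OID_EXT_KEY_USAGE_SERVER_AUTH`, which ordinary TLS server certificates also carry. A rule that lists "serverAuth" therefore depends on the issuer and name checks to tell a KDC certificate from any other server certificate under the same trust anchors. I would add a comment on this branch such as `/* Generic TLS server EKU, not PKINIT-specific; pair with issuer/SAN restrictions. */`. The enclosing function starts and ends outside the hunk, so how the EKU list is combined with other clauses is not visible here.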
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/certs.h new/pkinit-nss-0.7.8-1/src/certs.h
--- old/pkinit-nss-0.7.7-1/src/certs.h 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/certs.h 2009-07-20 10:01:54.000000000 +0200
@@ -23,7 +23,6 @@
#ifndef certs_h
#define certs_h
-#ident "$Id: certs.h,v 1.19 2007/06/08 21:44:27 nalin Exp $"
#include "aabag.h"
#include "bcmst.h"
#include "pkinit.h"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/commont.c new/pkinit-nss-0.7.8-1/src/commont.c
--- old/pkinit-nss-0.7.7-1/src/commont.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/commont.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: commont.c,v 1.19 2007/05/22 21:20:42 nalin Exp $"
-
#include "../config.h"
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/commont.h new/pkinit-nss-0.7.8-1/src/commont.h
--- old/pkinit-nss-0.7.7-1/src/commont.h 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/commont.h 2009-07-20 10:01:54.000000000 +0200
@@ -23,8 +23,6 @@
#ifndef commont_h
#define commont_h
-#ident "$Id: commont.h,v 1.15 2007/02/07 00:17:26 nalin Exp $"
-
#include
#include
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/deroid.c new/pkinit-nss-0.7.8-1/src/deroid.c
--- old/pkinit-nss-0.7.7-1/src/deroid.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/deroid.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: deroid.c,v 1.3 2006/10/10 20:13:10 nalin Exp $"
-
#include "../config.h"
/* You can only take figuring this stuff out manually so many times... */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/fragment/openp12.c new/pkinit-nss-0.7.8-1/src/fragment/openp12.c
--- old/pkinit-nss-0.7.7-1/src/fragment/openp12.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/fragment/openp12.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: openp12.c,v 1.2 2007/05/24 19:16:19 nalin Exp $"
-
#include "../../config.h"
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/get-pkinit-san.c new/pkinit-nss-0.7.8-1/src/get-pkinit-san.c
--- old/pkinit-nss-0.7.7-1/src/get-pkinit-san.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/get-pkinit-san.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: get-pkinit-san.c,v 1.2 2007/05/31 19:08:20 nalin Exp $"
-
#include "../config.h"
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/make-pkinit-san.c new/pkinit-nss-0.7.8-1/src/make-pkinit-san.c
--- old/pkinit-nss-0.7.7-1/src/make-pkinit-san.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/make-pkinit-san.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: make-pkinit-san.c,v 1.5 2007/01/25 21:32:03 nalin Exp $"
-
#include "../config.h"
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/map-file.c new/pkinit-nss-0.7.8-1/src/map-file.c
--- old/pkinit-nss-0.7.7-1/src/map-file.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/map-file.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: map-file.c,v 1.3 2007/05/22 21:19:02 nalin Exp $"
-
#include "../config.h"
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/map-file.h new/pkinit-nss-0.7.8-1/src/map-file.h
--- old/pkinit-nss-0.7.7-1/src/map-file.h 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/map-file.h 2009-07-20 10:01:54.000000000 +0200
@@ -23,8 +23,6 @@
#ifndef map_file_h
#define map_file_h
-#ident "$Id: map-file.h,v 1.2 2007/02/05 16:21:14 nalin Exp $"
-
#include "../config.h"
struct map_file;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/oakley.c new/pkinit-nss-0.7.8-1/src/oakley.c
--- old/pkinit-nss-0.7.7-1/src/oakley.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/oakley.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: oakley.c,v 1.7 2007/02/06 01:58:10 nalin Exp $"
-
#include "../config.h"
#include
#include "oakley.h"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/oakley.h new/pkinit-nss-0.7.8-1/src/oakley.h
--- old/pkinit-nss-0.7.7-1/src/oakley.h 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/oakley.h 2009-07-20 10:01:54.000000000 +0200
@@ -22,7 +22,6 @@
#ifndef oakley_h
#define oakley_h
-#ident "$Id: oakley.h,v 1.4 2007/02/05 16:23:16 nalin Exp $"
#include "../config.h"
#include "commont.h"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/pkinit.c new/pkinit-nss-0.7.8-1/src/pkinit.c
--- old/pkinit-nss-0.7.7-1/src/pkinit.c 2008-09-04 10:24:53.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/pkinit.c 2009-07-20 10:01:54.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006,2007 Red Hat, Inc.
+ * Copyright (C) 2006,2007,2009 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: pkinit.c,v 1.64 2007/10/23 20:48:47 nalin Exp $"
-
#include "../config.h"
#include
@@ -1669,14 +1667,79 @@
}
}
+#ifdef BACKPORT_INTERFACE_1_HAS_FAST
+/* Return non-zero if the client used FAST in this request. */
+static krb5_error_code
+server_get_req_uses_fast(krb5_context kcontext,
+ krb5_kdc_req *request,
+ struct _krb5_db_entry_new *client_db_entry,
+ preauth_get_entry_data_proc server_get_entry_data)
+{
+ krb5_error_code ret;
+ krb5_data *req_armor_key;
+ req_armor_key = NULL;
+ ret = (*server_get_entry_data)(kcontext, request, client_db_entry,
+ krb5plugin_preauth_fast_armor,
+ &req_armor_key);
+ /* Check if we actually got a keyblock. */
+ if ((ret == 0) && (req_armor_key != NULL)) {
+ if (req_armor_key->data != NULL) {
+ ret = EINVAL;
+ }
+ /* We don't actually need the keyblock, so free it. */
+ (*server_get_entry_data)(kcontext, request, client_db_entry,
+ krb5plugin_preauth_free_fast_armor,
+ &req_armor_key);
+ /* Bail if we found a keyblock. */
+ if (ret != 0) {
+ return ret;
+ }
+ }
+ return 0;
+}
+
+/* Return non-zero if the client is using FAST in this request. */
+static krb5_error_code
+client_get_req_uses_fast(krb5_context kcontext,
+ krb5_kdc_req *request,
+ preauth_get_client_data_proc get_data_proc,
+ struct _krb5_preauth_client_rock *rock)
+{
+ krb5_error_code ret;
+ krb5_data *client_armor_key;
+ /* If the client is using FAST in this request, bail now, because our
+ * behavior in the presence of armoring isn't specified yet. */
+ client_armor_key = NULL;
+ ret = (*get_data_proc)(kcontext, rock,
+ krb5plugin_preauth_client_fast_armor,
+ &client_armor_key);
+ if ((ret == 0) &&
+ (client_armor_key != NULL)) {
+ /* Check if we actually got a keyblock. */
+ if (client_armor_key->data != NULL) {
+ ret = EINVAL;
+ }
+ /* We don't actually need the keyblock, so free it. */
+ (*get_data_proc)(kcontext, rock,
+ krb5plugin_preauth_client_free_fast_armor,
+ &client_armor_key);
+ /* Bail if we found a keyblock. */
+ if (ret != 0) {
+ return ret;
+ }
+ }
+ return 0;
+}
+#endif
+
/* Obtain and return any preauthentication data (which is destined for the
* client) which matches type data->pa_type. */
static krb5_error_code
server_get_edata(krb5_context kcontext,
krb5_kdc_req *request,
- struct _krb5_db_entry_new *unused_client,
- struct _krb5_db_entry_new *unused_server,
- preauth_get_entry_data_proc unused_server_get_entry_data,
+ struct _krb5_db_entry_new *maybe_unused_client_db_entry,
+ struct _krb5_db_entry_new *unused_server_db_entry,
+ preauth_get_entry_data_proc maybe_unused_server_get_entry_data,
void *plugin_context,
krb5_pa_data *data)
{
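Review bot: Both `server_get_req_uses_fast` and `client_get_req_uses_fast` report "no FAST" whenever the callback itself fails. A non-zero `ret` from `(*server_get_entry_data)(...)` or `(*get_data_proc)(...)` skips the `if` and falls through to `return 0`, so an allocation or lookup error lets PKINIT proceed on a request that may be armored. If the callback uses a distinct code for "request type not known" (ENOENT is my assumption, to be confirmed against the krb5 1.7 callback), only that code should count as not armored: `if (ret != 0) return (ret == ENOENT) ? 0 : ret;`. The header comments should also state that the return is EINVAL when an armor key is present and 0 otherwise, since the type is `krb5_error_code` rather than a boolean. `server_get_edata`, whose parameters are renamed at the end of the hunk, continues outside it.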
@@ -1694,6 +1757,17 @@
return ret;
}
+#ifdef BACKPORT_INTERFACE_1_HAS_FAST
+ /* Since we don't know how to interact with FAST (yet), bail. */
+ if (server_get_req_uses_fast(kcontext, request,
+ maybe_unused_client_db_entry,
+ maybe_unused_server_get_entry_data) != 0) {
+ pkinit_debug(plugin_context, 2,
+ "Client wants to use FAST, skipping.\n");
+ return EINVAL;
+ }
+#endif
+
/* No data, but double-check that we do in fact support this type of
* preauthentication. */
if (data->pa_type != KRB5_PADATA_PK_AS_REQ) {
@@ -1848,6 +1922,16 @@
}
pkinit_debug(context, 2, "Called to handle a client request.\n");
+#ifdef BACKPORT_INTERFACE_1_HAS_FAST
+ /* Since we don't know how to interact with FAST (yet), bail. */
+ if (server_get_req_uses_fast(kcontext, request, client_db_entry,
+ server_get_entry_data) != 0) {
+ pkinit_debug(context, 2,
+ "Client wants to use FAST, skipping.\n");
+ return EINVAL;
+ }
+#endif
+
/* Load certificates and keys, if needed. */
load_certs(context);
@@ -2260,16 +2344,25 @@
krb5_error_code ret;
krb5_pa_data *tmp_pa_data;
+#ifdef BACKPORT_INTERFACE_1_HAS_FAST
+ /* Since we don't know how to interact with FAST (yet), bail. */
+ if (client_get_req_uses_fast(kcontext, request,
+ get_data_proc, rock) != 0) {
+ pkinit_debug(plugin_context, 2,
+ "Client wants to use FAST, skipping.\n");
+ return EINVAL;
+ }
+#endif
tmp_pa_data = NULL;
ret = client_process_0(kcontext, plugin_context, request_context,
- opt,
- get_data_proc, rock,
- request,
- encoded_request_body, encoded_previous_request,
- pa_data,
- prompter, prompter_data,
- gak_fct, gak_data, salt, s2kparams, as_key,
- &tmp_pa_data);
+ opt,
+ get_data_proc, rock,
+ request,
+ encoded_request_body, encoded_previous_request,
+ pa_data,
+ prompter, prompter_data,
+ gak_fct, gak_data, salt, s2kparams, as_key,
+ &tmp_pa_data);
if (tmp_pa_data != NULL) {
*out_pa_data = (krb5_pa_data **) make_pointer_list((void **) *out_pa_data, tmp_pa_data);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/pkinit.h new/pkinit-nss-0.7.8-1/src/pkinit.h
--- old/pkinit-nss-0.7.7-1/src/pkinit.h 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/pkinit.h 2009-07-20 10:01:54.000000000 +0200
@@ -22,7 +22,6 @@
#ifndef pkinit_h
#define pkinit_h
-#ident "$Id: pkinit.h,v 1.6 2007/06/20 21:27:51 nalin Exp $"
#include "../config.h"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/pkinitt.c new/pkinit-nss-0.7.8-1/src/pkinitt.c
--- old/pkinit-nss-0.7.7-1/src/pkinitt.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/pkinitt.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: pkinitt.c,v 1.42 2007/06/08 21:46:31 nalin Exp $"
-
#include "../config.h"
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/pkinitt.h new/pkinit-nss-0.7.8-1/src/pkinitt.h
--- old/pkinit-nss-0.7.7-1/src/pkinitt.h 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/pkinitt.h 2009-07-20 10:01:54.000000000 +0200
@@ -22,7 +22,6 @@
#ifndef pkinitt_h
#define pkinitt_h
-#ident "$Id: pkinitt.h,v 1.20 2007/05/28 05:26:24 nalin Exp $"
#include
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pkinit-nss-0.7.7-1/src/show-cert-guid.c new/pkinit-nss-0.7.8-1/src/show-cert-guid.c
--- old/pkinit-nss-0.7.7-1/src/show-cert-guid.c 2008-08-29 10:16:51.000000000 +0200
+++ new/pkinit-nss-0.7.8-1/src/show-cert-guid.c 2009-07-20 10:01:54.000000000 +0200
@@ -20,8 +20,6 @@
* USA.
*/
-#ident "$Id: show-cert-guid.c,v 1.4 2007/01/25 21:32:03 nalin Exp $"
-
#include "../config.h"
#include
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++