- djm@cvs.openbsd.org 2013/07/20 01:55:13

     [auth-krb5.c gss-serv-krb5.c gss-serv.c]
     fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@

4 files changed, 43 insertions, 29 deletions

diff --git a/ChangeLog b/ChangeLog
index dc6ea90ef..dc2f73bd9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,9 @@
      [ssh-agent.c]
      call cleanup_handler on SIGINT when in debug mode to ensure sockets
      are cleaned up on manual exit; bz#2120
+   - djm@cvs.openbsd.org 2013/07/20 01:55:13
+     [auth-krb5.c gss-serv-krb5.c gss-serv.c]
+     fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@
 
 20130718
  - (djm) OpenBSD CVS Sync
diff --git a/auth-krb5.c b/auth-krb5.c
index ff1462ad1..43ee9272f 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
 /*
  *    Kerberos v5 authentication and ticket-passing routines.
  *
@@ -79,6 +79,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
         krb5_ccache ccache = NULL;
         int len;
         char *client, *platform_client;
+        const char *errmsg;
 
         /* get platform-specific kerberos client principal name (if it exists) */
         platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
@@ -96,7 +97,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
                 goto out;
 
 #ifdef HEIMDAL
-        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
+        problem = krb5_cc_new_unique(authctxt->krb5_ctx,
+             krb5_mcc_ops.prefix, NULL, &ccache);
         if (problem)
                 goto out;
 
@@ -115,8 +117,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
         if (problem)
                 goto out;
 
-        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
-            &authctxt->krb5_fwd_ccache);
+        problem = krb5_cc_new_unique(authctxt->krb5_ctx,
+             krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
         if (problem)
                 goto out;
 
@@ -187,10 +189,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
                 if (ccache)
                         krb5_cc_destroy(authctxt->krb5_ctx, ccache);
 
-                if (authctxt->krb5_ctx != NULL && problem!=-1)
-                        debug("Kerberos password authentication failed: %s",
-                            krb5_get_err_text(authctxt->krb5_ctx, problem));
-                else
+                if (authctxt->krb5_ctx != NULL && problem!=-1) {
+                        errmsg = krb5_get_error_message(authctxt->krb5_ctx,
+                            problem);
+                        debug("Kerberos password authentication failed: %s",
+                            errmsg);
+                        krb5_free_error_message(authctxt->krb5_ctx, errmsg);
+                } else
                         debug("Kerberos password authentication failed: %d",
                             problem);
 
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 5a625acb8..87f26831a 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -48,12 +48,11 @@ extern ServerOptions options;
 
 #ifdef HEIMDAL
 # include <krb5.h>
-#else
-# ifdef HAVE_GSSAPI_KRB5_H
-#  include <gssapi_krb5.h>
-# elif HAVE_GSSAPI_GSSAPI_KRB5_H
-#  include <gssapi/gssapi_krb5.h>
-# endif
+#endif
+#ifdef HAVE_GSSAPI_KRB5_H
+# include <gssapi_krb5.h>
+#elif HAVE_GSSAPI_GSSAPI_KRB5_H
+# include <gssapi/gssapi_krb5.h>
 #endif
 
 static krb5_context krb_context = NULL;
@@ -87,14 +86,16 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
 {
         krb5_principal princ;
         int retval;
+        const char *errmsg;
 
         if (ssh_gssapi_krb5_init() == 0)
                 return 0;
 
         if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
             &princ))) {
-                logit("krb5_parse_name(): %.100s",
-                    krb5_get_err_text(krb_context, retval));
+                errmsg = krb5_get_error_message(krb_context, retval);
+                logit("krb5_parse_name(): %.100s", errmsg);
+                krb5_free_error_message(krb_context, errmsg);
                 return 0;
         }
         if (krb5_kuserok(krb_context, princ, name)) {
@@ -120,6 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
         krb5_principal princ;
         OM_uint32 maj_status, min_status;
         int len;
+        const char *errmsg;
 
         if (client->creds == NULL) {
                 debug("No credentials stored");
@@ -130,30 +132,34 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
                 return;
 
 #ifdef HEIMDAL
-        if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
-                logit("krb5_cc_gen_new(): %.100s",
-                    krb5_get_err_text(krb_context, problem));
+        if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
+            NULL, &ccache)) != 0) {
+                errmsg = krb5_get_error_message(krb_context, problem);
+                logit("krb5_cc_new_unique(): %.100s", errmsg);
+                krb5_free_error_message(krb_context, errmsg);
                 return;
         }
 #else
         if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
-                logit("ssh_krb5_cc_gen(): %.100s",
-                    krb5_get_err_text(krb_context, problem));
+                errmsg = krb5_get_error_message(krb_context, problem);
+                logit("ssh_krb5_cc_gen(): %.100s", errmsg);
+                krb5_free_error_message(krb_context, errmsg);
                 return;
         }
 #endif  /* #ifdef HEIMDAL */
 
         if ((problem = krb5_parse_name(krb_context,
             client->exportedname.value, &princ))) {
-                logit("krb5_parse_name(): %.100s",
-                    krb5_get_err_text(krb_context, problem));
-                krb5_cc_destroy(krb_context, ccache);
+                errmsg = krb5_get_error_message(krb_context, problem);
+                logit("krb5_parse_name(): %.100s", errmsg);
+                krb5_free_error_message(krb_context, errmsg);
                 return;
         }
 
         if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
-                logit("krb5_cc_initialize(): %.100s",
-                    krb5_get_err_text(krb_context, problem));
+                errmsg = krb5_get_error_message(krb_context, problem);
+                logit("krb5_cc_initialize(): %.100s", errmsg);
+                krb5_free_error_message(krb_context, errmsg);
                 krb5_free_principal(krb_context, princ);
                 krb5_cc_destroy(krb_context, ccache);
                 return;
diff --git a/gss-serv.c b/gss-serv.c
index c719c1306..95348e251 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -50,7 +50,7 @@
 
 static ssh_gssapi_client gssapi_client =
     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
-    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
+    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
 
 ssh_gssapi_mech gssapi_null_mech =
     { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};