From fc38e7c21ef236032e617f0d1d382bcd809b74cc Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Sat, 9 Jun 2007 11:24:49 +0000
Subject: [PATCH] o use krb5_verify_user() if available instead of doing it by hand o use krb5_init_secure_context() if we have it o pass an encryption type of 0 to krb5_kt_read_service_key() instead of ENCTYPE_DES_CBC_MD5 to let kerberos choose.
---
 auth/kerb5.c | 38 +++++++++++++++++++++++++++++++++++---
 config.h.in | 6 ++++++
 configure.in | 9 ++++++++-
 3 files changed, 49 insertions(+), 4 deletions(-)

diff --git a/auth/kerb5.c b/auth/kerb5.c
index b0a0ebde9..0824b2747 100644
--- a/auth/kerb5.c
+++ b/auth/kerb5.c
@@ -46,6 +46,9 @@
 #endif /* HAVE_UNISTD_H */
 #include
 #include
+#ifdef HAVE_HEIMDAL
+#include
+#endif
 #include "sudo.h"
 #include "sudo_auth.h"
@@ -57,12 +60,13 @@ __unused static const char rcsid[] = "$Sudo$";
 #ifdef HAVE_HEIMDAL
 # define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1)
 # define krb5_free_data_contents(c, d) krb5_data_free(d)
-# define ENCTYPE_DES_CBC_MD5 ETYPE_DES_CBC_MD5 /* XXX */
 #else
 # define extract_name(c, p) (krb5_princ_component(c, p, 1)->data)
 #endif
+#ifndef HAVE_KRB5_VERIFY_USER
 static int verify_krb_v5_tgt __P((krb5_context, krb5_ccache, char *));
+#endif
 static struct _sudo_krb5_data {
 krb5_context sudo_context;
 krb5_principal princ;
@@ -87,7 +91,12 @@ kerb5_init(pw, promptp, auth)
 auth->data = (VOID *) &sudo_krb5_data; /* Stash all our data here */
- if ((error = krb5_init_context(&(sudo_krb5_data.sudo_context))))
+#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
+ error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
+#else
+ error = krb5_init_context(&(sudo_krb5_data.sudo_context));
+#endif
+ if (error)
 return(AUTH_FAILURE);
 sudo_context = sudo_krb5_data.sudo_context;
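Review bot: The new HAVE_KRB5_INIT_SECURE_CONTEXT branch in kerb5_init() prefers krb5_init_secure_context() over krb5_init_context() without saying why, and the reason is a security property worth recording on the #ifdef: `/* A secure context ignores KRB5_CONFIG and similar environment variables, which a setuid program must not trust; fall back to the plain context where the library lacks it. */`. Since both calls now share the trailing `if (error)`, a failing secure context is indistinguishable from any other init failure; logging error_message(error) before `return(AUTH_FAILURE);`, as verify_krb_v5_tgt() does with log_error(NO_EXIT, ...), would help diagnose a misconfigured host, though the silent return is pre-existing for the plain path. kerb5_init() starts and ends outside this hunk.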
@@ -150,6 +159,26 @@ kerb5_init(pw, promptp, auth)
 return(AUTH_SUCCESS);
 }
+#ifdef HAVE_KRB5_VERIFY_USER
+int
+kerb5_verify(pw, pass, auth)
+ struct passwd *pw;
+ char *pass;
+ sudo_auth *auth;
+{
+ krb5_context sudo_context;
+ krb5_principal princ;
+ krb5_ccache ccache;
+ krb5_error_code error;
+
+ sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
+ princ = ((sudo_krb5_datap) auth->data)->princ;
+ ccache = ((sudo_krb5_datap) auth->data)->ccache;
+
+ error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
+ return (error ? AUTH_FAILURE : AUTH_SUCCESS);
+}
+#else
 int
 kerb5_verify(pw, pass, auth)
 struct passwd *pw;
@@ -195,6 +224,7 @@ kerb5_verify(pw, pass, auth)
 krb5_free_cred_contents(sudo_context, &creds);
 return (error ? AUTH_FAILURE : AUTH_SUCCESS);
 }
+#endif
 int
 kerb5_cleanup(pw, auth)
@@ -220,6 +250,7 @@ kerb5_cleanup(pw, auth)
 return(AUTH_SUCCESS);
 }
+#ifndef HAVE_KRB5_VERIFY_USER
 /*
 * This routine with some modification is from the MIT V5B6 appl/bsd/login.c
 *
@@ -269,7 +300,7 @@ verify_krb_v5_tgt(sudo_context, ccache, auth_name)
 * and enctype is currently ignored anyhow.)
 */
 if ((error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0,
- ENCTYPE_DES_CBC_MD5, &keyblock))) {
+ 0, &keyblock))) {
 /* Keytab or service key does not exist. */
 log_error(NO_EXIT, "%s: host service key not found: %s", auth_name,
@@ -302,3 +333,4 @@ cleanup:
 error_message(error));
 return(error);
 }
+#endif
diff --git a/config.h.in b/config.h.in
index 5502a8491..ffe79a1ce 100644
--- a/config.h.in
+++ b/config.h.in
@@ -191,6 +191,12 @@
 /* Define to 1 if you use Kerberos V. */
 #undef HAVE_KERB5
+/* Define to 1 if you have the `krb5_init_secure_context' function. */
+#undef HAVE_KRB5_INIT_SECURE_CONTEXT
+
+/* Define to 1 if you have the `krb5_verify_user' function. */
+#undef HAVE_KRB5_VERIFY_USER
+
 /* Define to 1 if your LDAP needs . (OpenLDAP does not) */
 #undef HAVE_LBER_H
diff --git a/configure.in b/configure.in
index 579cf83e6..716ececbc 100644
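Review bot: The `1` and `NULL` arguments to krb5_verify_user() in the new kerb5_verify() carry the security-relevant decisions and deserve a comment, e.g. `/* secure=1: also check the obtained TGT against the local keytab so a spoofed KDC cannot satisfy the password check; service NULL presumably selects the library's default host service. */`. The failure path discards the Kerberos error code, whereas verify_krb_v5_tgt() on the #else side reports its failures through log_error(NO_EXIT, ..., error_message(error)); adding `if (error) log_error(NO_EXIT, "krb5_verify_user: %s", error_message(error));` before the return would make a missing or unreadable keytab distinguishable from a bad password in the logs, possibly restricted to non-password errors so ordinary failures are not logged twice. The removed krb5_free_cred_contents()/ccache handling of the hand-rolled path is not needed here because krb5_verify_user() is given the ccache directly, which is worth stating in the same comment so the asymmetry between the two branches does not look accidental.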
--- a/configure.in
+++ b/configure.in
@@ -1897,6 +1897,8 @@ if test "$with_kerb5" = "yes"; then
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include ]], [[const char *tmp = heimdal_version;]])], [
 AC_MSG_RESULT(yes)
 AC_DEFINE(HAVE_HEIMDAL)
+ ], [
+ AC_MSG_RESULT(no)
 ]
 )
 fi
@@ -1930,7 +1932,8 @@ if test -n "$with_kerb5" -a -z "$KRB5CONFIG"; then
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include ]], [[const char *tmp = heimdal_version;]])], [
 AC_MSG_RESULT(yes)
 AC_DEFINE(HAVE_HEIMDAL)
- SUDO_LIBS="${SUDO_LIBS} -lkrb5 -ldes -lcom_err -lasn1"
+ # XXX - need to check whether -lcrypo is needed!
+ SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lcrypto -ldes -lcom_err -lasn1"
 AC_CHECK_LIB(roken, main, [SUDO_LIBS="${SUDO_LIBS} -lroken"])
 ], [
 AC_MSG_RESULT(no)
@@ -1942,6 +1945,10 @@ if test -n "$with_kerb5" -a -z "$KRB5CONFIG"; then
 else
 AUTH_OBJS="${AUTH_OBJS} kerb5.o"
 fi
+ _LIBS="$LIBS"
+ LIBS="${LIBS} ${SUDO_LIBS}"
+ AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context)
+ LIBS="$_LIBS"
 fi
 dnl
--
2.50.1
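Review bot: The AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context) probe in the -1942 hunk sits under the context line `if test -n "$with_kerb5" -a -z "$KRB5CONFIG"; then`; if the `fi` that follows the added lines closes that test, which the hunk does not show, then builds that located Kerberos through krb5-config would never define HAVE_KRB5_VERIFY_USER or HAVE_KRB5_INIT_SECURE_CONTEXT and would silently keep the hand-rolled TGT check and the environment-trusting krb5_init_context(), so the probe should run after both library-discovery paths. Because the probe links against ${SUDO_LIBS}, any link failure in that list (for instance an unavailable -lcrypto) makes both functions appear absent rather than breaking the build, which is another reason to resolve the XXX added in the -1930 hunk. That comment also misspells the library and should read `# XXX - need to check whether -lcrypto is needed!`.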