krb5/krb5-1.8-opte.patch

Fall back to the library default for whether or not to prompt for a password-
change during authentication, if we weren't passed any options.  RT#6681

diff -up krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte krb5-1.8/src/lib/krb5/krb/gic_pwd.c
--- krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte	2009-12-23 11:00:05.000000000 -0500
+++ krb5-1.8/src/lib/krb5/krb/gic_pwd.c	2010-03-05 11:03:42.000000000 -0500
@@ -123,6 +123,7 @@ krb5_get_init_creds_password(krb5_contex
     int tries;
     krb5_creds chpw_creds;
     krb5_get_init_creds_opt *chpw_opts = NULL;
+    krb5_gic_opt_ext *opte = NULL;
     krb5_data pw0, pw1;
     char banner[1024], pw0array[1024], pw1array[1024];
     krb5_prompt prompt[2];
@@ -218,7 +219,8 @@ krb5_get_init_creds_password(krb5_contex
      * to prompt.  Prompting is only disabled if the option has been set
      * and the value has been set to false.
      */
-    if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
+    krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL);
+    if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
         goto cleanup;
 
     /* ok, we have an expired password.  Give the user a few chances
@@ -332,6 +334,8 @@ krb5_get_init_creds_password(krb5_contex
                                  &use_master, &as_reply);
 
 cleanup:
+    if (opte != options)
+        krb5_get_init_creds_opt_free(context, opte);
     krb5int_set_prompt_types(context, 0);
     /* if getting the password was successful, then check to see if the
        password is about to expire, and warn if so */
- update to 1.8 - temporarily bundling the krb5-appl package (split upstream as of 1.8) until its package review is complete - profile.d scriptlets are now only needed by -workstation-clients - adjust paths in init scripts - drop upstreamed fix for KDC denial of service (CVE-2010-0283) - drop patch to check the user's password correctly using crypt(), which isn't a code path we hit when we're using PAM 2010-03-05 22:19:38 +00:00			`Fall back to the library default for whether or not to prompt for a password-`
- add the RT entry number 2010-03-12 22:13:15 +00:00			`change during authentication, if we weren't passed any options. RT#6681`
- update to 1.8 - temporarily bundling the krb5-appl package (split upstream as of 1.8) until its package review is complete - profile.d scriptlets are now only needed by -workstation-clients - adjust paths in init scripts - drop upstreamed fix for KDC denial of service (CVE-2010-0283) - drop patch to check the user's password correctly using crypt(), which isn't a code path we hit when we're using PAM 2010-03-05 22:19:38 +00:00
			`diff -up krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte krb5-1.8/src/lib/krb5/krb/gic_pwd.c`
			`--- krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte 2009-12-23 11:00:05.000000000 -0500`
			`+++ krb5-1.8/src/lib/krb5/krb/gic_pwd.c 2010-03-05 11:03:42.000000000 -0500`
			`@@ -123,6 +123,7 @@ krb5_get_init_creds_password(krb5_contex`
			`int tries;`
			`krb5_creds chpw_creds;`
			`krb5_get_init_creds_opt *chpw_opts = NULL;`
			`+ krb5_gic_opt_ext *opte = NULL;`
			`krb5_data pw0, pw1;`
			`char banner[1024], pw0array[1024], pw1array[1024];`
			`krb5_prompt prompt[2];`
			`@@ -218,7 +219,8 @@ krb5_get_init_creds_password(krb5_contex`
			`* to prompt. Prompting is only disabled if the option has been set`
			`* and the value has been set to false.`
			`*/`
			`- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))`
			`+ krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL);`
			`+ if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))`
			`goto cleanup;`

			`/* ok, we have an expired password. Give the user a few chances`
			`@@ -332,6 +334,8 @@ krb5_get_init_creds_password(krb5_contex`
			`&use_master, &as_reply);`

			`cleanup:`
			`+ if (opte != options)`
			`+ krb5_get_init_creds_opt_free(context, opte);`
			`krb5int_set_prompt_types(context, 0);`
			`/* if getting the password was successful, then check to see if the`
			`password is about to expire, and warn if so */`