author | Todd C. Miller <millert@cvs.openbsd.org> | 2008-01-21 19:44:30 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2008-01-21 19:44:30 +0000 |
commit | b1383a9947d14d043f1f3b1f7488d3f69e2bb7ec (patch) | |
tree | 3ebd0e46c757c0d9e50f5300d0db4519c091d8c4 /usr.bin/sudo | |
parent | 7d3cf5f78e38308b6c5f95dd944b94c03a55f29e (diff) |
update to sudo 1.6.9p12
Diffstat (limited to 'usr.bin/sudo')
-rw-r--r-- | usr.bin/sudo/CHANGES | 16 | ||||
-rw-r--r-- | usr.bin/sudo/Makefile.in | 4 | ||||
-rw-r--r-- | usr.bin/sudo/README.LDAP | 2 | ||||
-rw-r--r-- | usr.bin/sudo/auth/kerb5.c | 143 | ||||
-rw-r--r-- | usr.bin/sudo/config.h.in | 9 | ||||
-rw-r--r-- | usr.bin/sudo/configure | 154 | ||||
-rw-r--r-- | usr.bin/sudo/configure.in | 16 | ||||
-rw-r--r-- | usr.bin/sudo/ldap.c | 24 | ||||
-rw-r--r-- | usr.bin/sudo/parse.yacc | 16 | ||||
-rw-r--r-- | usr.bin/sudo/tgetpass.c | 8 | ||||
-rw-r--r-- | usr.bin/sudo/version.h | 4 |
11 files changed, 282 insertions, 114 deletions
diff --git a/usr.bin/sudo/CHANGES b/usr.bin/sudo/CHANGES index 08be41123a6..fcb8d5596b7 100644 --- a/usr.bin/sudo/CHANGES +++ b/usr.bin/sudo/CHANGES @@ -2029,3 +2029,19 @@ Sudo 1.6.9p10 released. 640) New %p prompt escape that expands to the user whose password is being prompted, as specified by the rootpw, targetpw and runaspw sudoers flags. Based on a diff from Patrick Schoenfeld. + +Sudo 1.6.9p11 released. + +641) Added a configure check for the ber_set_option() function. + +642) Fixed a compilation problem with the HP-UX K&R C compiler. + +643) Revamped the Kerberos 5 ticket verification code. + +644) Added support for the checkpeer ldap.conf variable for + netscape-based LDAP SDKs. + +645) Fixed a problem where an incomplete password could be echoed + to the screen if there was a read timeout. + +Sudo 1.6.9p12 released. diff --git a/usr.bin/sudo/Makefile.in b/usr.bin/sudo/Makefile.in index c0472bd7ea0..1ed0b8b4931 100644 --- a/usr.bin/sudo/Makefile.in +++ b/usr.bin/sudo/Makefile.in @@ -20,7 +20,7 @@ # # @configure_input@ # -# $Sudo: Makefile.in,v 1.246.2.22 2008/01/05 23:31:51 millert Exp $ +# $Sudo: Makefile.in,v 1.246.2.23 2008/01/14 12:22:57 millert Exp $ # #### Start of system configuration section. #### @@ -131,7 +131,7 @@ TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS) LIBOBJS = @LIBOBJS@ @ALLOCA@ -VERSION = 1.6.9p11 +VERSION = 1.6.9p12 DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \ LICENSE Makefile.in PORTING README README.LDAP \ diff --git a/usr.bin/sudo/README.LDAP b/usr.bin/sudo/README.LDAP index 501471d6803..df4ad2107ec 100644 --- a/usr.bin/sudo/README.LDAP +++ b/usr.bin/sudo/README.LDAP 
@@ -256,7 +256,7 @@ when you imported the sudoers. Below is an example /etc/ldap.conf
 #ssl start_tls
 #
 # Additional TLS options follow that allow tweaking of the
- # SSL/TLS connection. Only supported when using OpenLDAP.
+ # SSL/TLS connection.
 #
 #tls_checkpeer yes # verify server SSL certificate
 #tls_checkpeer no # ignore server SSL certificate
diff --git a/usr.bin/sudo/auth/kerb5.c b/usr.bin/sudo/auth/kerb5.c
index 57f183e4e54..763ce851b0d 100644
--- a/usr.bin/sudo/auth/kerb5.c
+++ b/usr.bin/sudo/auth/kerb5.c
@@ -54,7 +54,7 @@
 #include "sudo_auth.h"
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.4 2007/06/12 01:28:42 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.7 2008/01/13 14:54:40 millert Exp $";
 #endif /* lint */
 
 #ifdef HAVE_HEIMDAL
@@ -65,7 +65,7 @@ __unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.4 2007/06/12 01:28
 #endif
 
 #ifndef HAVE_KRB5_VERIFY_USER
-static int verify_krb_v5_tgt __P((krb5_context, krb5_ccache, char *));
+static int verify_krb_v5_tgt __P((krb5_context, krb5_creds *, char *));
 #endif
 static struct _sudo_krb5_data {
 krb5_context sudo_context;
@@ -74,8 +74,6 @@ static struct _sudo_krb5_data {
 } sudo_krb5_data = { NULL, NULL, NULL };
 typedef struct _sudo_krb5_data *sudo_krb5_datap;
 
-extern const krb5_cc_ops krb5_mcc_ops;
-
 int
 kerb5_init(pw, promptp, auth)
 struct passwd *pw;
@@ -128,16 +126,6 @@ kerb5_init(pw, promptp, auth)
 free(pname);
 #endif
 
- /* For CNS compatibility */
- if ((error = krb5_cc_register(sudo_context, &krb5_mcc_ops, FALSE))) {
- if (error != KRB5_CC_TYPE_EXISTS) {
- log_error(NO_EXIT|NO_MAIL,
- "%s: unable to use Memory ccache: %s", auth->name,
- error_message(error));
- return(AUTH_FAILURE);
- }
- }
-
 (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
 (long) getpid());
 if ((error = krb5_cc_resolve(sudo_context, cache_name,
@@ -149,13 +137,6 @@ kerb5_init(pw, promptp, auth)
 }
 ccache = sudo_krb5_data.ccache;
 
- if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
- log_error(NO_EXIT|NO_MAIL,
- "%s: unable to initialize ccache: %s", auth->name,
- error_message(error));
- return(AUTH_FAILURE);
- }
-
 return(AUTH_SUCCESS);
 }
 
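Review bot: With the krb5_cc_initialize() call removed, `ccache = sudo_krb5_data.ccache;` is the last visible reference to `ccache` in kerb5_init, so the local now appears to be assigned and never read; the head of the function is above the hunk, so confirm there is no other use and then drop the assignment and its declaration. Deferring initialization of the cache is reasonable, but nothing at the resolve site says where it now happens, and a comment such as `/* The ccache is initialized in kerb5_verify() only after the TGT has been verified. */` would keep the two halves readable.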
@@ -187,41 +168,59 @@ kerb5_verify(pw, pass, auth)
 {
 krb5_context sudo_context;
 krb5_principal princ;
+ krb5_creds credbuf, *creds = NULL;
 krb5_ccache ccache;
- krb5_creds creds;
 krb5_error_code error;
- krb5_get_init_creds_opt opts;
+ krb5_get_init_creds_opt *opts = NULL;
 
 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
 princ = ((sudo_krb5_datap) auth->data)->princ;
 ccache = ((sudo_krb5_datap) auth->data)->ccache;
 
- /* Initialize options to defaults */
- krb5_get_init_creds_opt_init(&opts);
+ /* Set default flags based on the local config file. */
+ error = krb5_get_init_creds_opt_alloc(sudo_context, &opts);
+ if (error) {
+ log_error(NO_EXIT|NO_MAIL,
+ "%s: unable to allocate options: %s", auth->name,
+ error_message(error));
+ goto done;
+ }
+ krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL,
+ krb5_principal_get_realm(sudo_context, princ), opts);
 
 /* Note that we always obtain a new TGT to verify the user */
- if ((error = krb5_get_init_creds_password(sudo_context, &creds, princ,
+ if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ,
 pass, krb5_prompter_posix,
- NULL, 0, NULL, &opts))) {
- if (error == KRB5KRB_AP_ERR_BAD_INTEGRITY) /* Bad password */
- return(AUTH_FAILURE);
- /* Some other error */
- log_error(NO_EXIT|NO_MAIL,
- "%s: unable to get credentials: %s", auth->name,
- error_message(error));
- return(AUTH_FAILURE);
+ NULL, 0, NULL, opts))) {
+ /* Don't print error if just a bad password */
+ if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY)
+ log_error(NO_EXIT|NO_MAIL,
+ "%s: unable to get credentials: %s", auth->name,
+ error_message(error));
+ goto done;
 }
+ creds = &credbuf;
+
+ /* Verify the TGT to prevent spoof attacks. */
+ if ((error = verify_krb_v5_tgt(sudo_context, creds, auth->name)))
+ goto done;
 
- /* Stash the TGT so we can verify it. */
- if ((error = krb5_cc_store_cred(sudo_context, ccache, &creds))) {
+ /* Store cred in cred cache. */
+ if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
+ log_error(NO_EXIT|NO_MAIL,
+ "%s: unable to initialize ccache: %s", auth->name,
+ error_message(error));
+ } else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) {
 log_error(NO_EXIT|NO_MAIL,
- "%s: unable to store credentials: %s", auth->name,
+ "%s: unable to store cred in ccache: %s", auth->name,
 error_message(error));
- } else {
- error = verify_krb_v5_tgt(sudo_context, ccache, auth->name);
 }
 
- krb5_free_cred_contents(sudo_context, &creds);
+done:
+ if (opts)
+ krb5_get_init_creds_opt_free(opts);
+ if (creds)
+ krb5_free_cred_contents(sudo_context, creds);
 return (error ? AUTH_FAILURE : AUTH_SUCCESS);
 }
 #endif
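Review bot: The new option setup calls `krb5_get_init_creds_opt_set_default_flags()` and `krb5_principal_get_realm()` unconditionally, yet the file already separates Heimdal from other builds with `#ifdef HAVE_HEIMDAL`, and both names look like Heimdal-only entry points; an MIT build would presumably fail to link here, so the two-line call belongs inside `#ifdef HAVE_HEIMDAL` / `#endif` (or behind its own configure probe). The one-argument `krb5_get_init_creds_opt_free(opts)` in the cleanup block also depends on the library version — some take the context first — and deserves a comment naming the API it targets. The security ordering itself is sound: verify_krb_v5_tgt() now runs before krb5_cc_initialize()/krb5_cc_store_cred(), and every failure path jumps to `done` and returns AUTH_FAILURE, so an unverified TGT is never cached. The parameter declarations for kerb5_verify sit above the hunk.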
@@ -252,81 +251,43 @@ kerb5_cleanup(pw, auth)
 
 #ifndef HAVE_KRB5_VERIFY_USER
 /*
- * This routine with some modification is from the MIT V5B6 appl/bsd/login.c
- *
 * Verify the Kerberos ticket-granting ticket just retrieved for the
 * user. If the Kerberos server doesn't respond, assume the user is
 * trying to fake us out (since we DID just get a TGT from what is
- * supposedly our KDC). If the host/<host> service is unknown (i.e.,
- * the local keytab doesn't have it), return success but log the error.
- *
- * This needs to run as root (to read the host service ticket).
+ * supposedly our KDC).
 *
 * Returns 0 for successful authentication, non-zero for failure.
 */
 static int
-verify_krb_v5_tgt(sudo_context, ccache, auth_name)
+verify_krb_v5_tgt(sudo_context, cred, auth_name)
 krb5_context sudo_context;
- krb5_ccache ccache;
+ krb5_creds *cred;
 char *auth_name; /* For error reporting */
 {
- char phost[BUFSIZ];
 krb5_error_code error;
- krb5_principal princ;
- krb5_data packet;
- krb5_keyblock *keyblock = 0;
- krb5_auth_context auth_context = NULL;
-
- packet.data = 0;
+ krb5_principal server;
+ krb5_verify_init_creds_opt vopt;
 
 /*
 * Get the server principal for the local host.
 * (Use defaults of "host" and canonicalized local name.)
 */
 if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
- KRB5_NT_SRV_HST, &princ))) {
+ KRB5_NT_SRV_HST, &server))) {
 log_error(NO_EXIT|NO_MAIL,
 "%s: unable to get host principal: %s", auth_name,
 error_message(error));
 return(-1);
 }
 
- /* Extract the name directly. Yow. */
- strlcpy(phost, extract_name(sudo_context, princ), sizeof(phost));
-
- /*
- * Do we have host/<host> keys?
- * (use default keytab, kvno IGNORE_VNO to get the first match,
- * and enctype is currently ignored anyhow.)
- */
- if ((error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0,
- 0, &keyblock))) {
- /* Keytab or service key does not exist. */
- log_error(NO_EXIT,
- "%s: host service key not found: %s", auth_name,
- error_message(error));
- goto cleanup;
- }
- if (keyblock)
- krb5_free_keyblock(sudo_context, keyblock);
-
- /* Talk to the kdc and construct the ticket. */
- error = krb5_mk_req(sudo_context, &auth_context, 0, "host", phost,
- NULL, ccache, &packet);
- if (auth_context) {
- krb5_auth_con_free(sudo_context, auth_context);
- auth_context = NULL; /* setup for rd_req */
- }
-
- /* Try to use the ticket. */
- if (!error)
- error = krb5_rd_req(sudo_context, &auth_context, &packet, princ,
- NULL, NULL, NULL);
-cleanup:
- if (packet.data)
- krb5_free_data_contents(sudo_context, &packet);
- krb5_free_principal(sudo_context, princ);
+ /* Initialize verify opts and set secure mode */
+ krb5_verify_init_creds_opt_init(&vopt);
+ krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
+ /* verify the Kerberos ticket-granting ticket we just retrieved */
+ error = krb5_verify_init_creds(sudo_context, cred, server, NULL,
+ NULL, &vopt);
+ krb5_free_principal(sudo_context, server);
 
 if (error)
 log_error(NO_EXIT|NO_MAIL,
 "%s: Cannot verify TGT! Possible attack!: %s", auth_name,
diff --git a/usr.bin/sudo/config.h.in b/usr.bin/sudo/config.h.in
index 822ff6b2358..2ce67d7af9d 100644
--- a/usr.bin/sudo/config.h.in
+++ b/usr.bin/sudo/config.h.in
@@ -221,12 +221,18 @@
 /* Define to 1 if you have the `ldap_initialize' function. */
 #undef HAVE_LDAP_INITIALIZE
 
+/* Define to 1 if you have the <ldap_ssl.h> header file. */
+#undef HAVE_LDAP_SSL_H
+
 /* Define to 1 if you have the `ldap_start_tls_s' function. */
 #undef HAVE_LDAP_START_TLS_S
 
 /* Define to 1 if you have the `ldapssl_init' function. */
 #undef HAVE_LDAPSSL_INIT
 
+/* Define to 1 if you have the `ldapssl_set_strength' function. */
+#undef HAVE_LDAPSSL_SET_STRENGTH
+
 /* Define to 1 if you have the `lockf' function. */
 #undef HAVE_LOCKF
 
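Review bot: The rewrite drops the old header sentence "This needs to run as root (to read the host service ticket)", but the new `krb5_verify_init_creds(sudo_context, cred, server, NULL, NULL, &vopt)` still passes NULL for the keytab, so the default host keytab must remain readable at this point, and with `krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1)` a missing or unreadable host key is now a hard authentication failure instead of the old "return success but log the error". That is the right fail-closed choice, but it changes operational behaviour and the only diagnostic is the generic "Cannot verify TGT! Possible attack!" message, so the header comment should say so; suggested wording for the block comment: ` * Uses the default keytab, so the caller must still be able to read the host key; with ap_req_nofail set, a missing or unreadable key fails authentication rather than skipping the check.` The remainder of the log_error() call and the function's return continue past the hunk.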
@@ -263,6 +269,9 @@
 /* Define to 1 if you have the `mkstemp' function. */
 #undef HAVE_MKSTEMP
 
+/* Define to 1 if you have the <mps/ldap_ssl.h> header file. */
+#undef HAVE_MPS_LDAP_SSL_H
+
 /* Define to 1 if you have the <ndir.h> header file, and it defines `DIR'. */
 #undef HAVE_NDIR_H
 
diff --git a/usr.bin/sudo/configure b/usr.bin/sudo/configure
index b36ee338f82..38fe5c15e28 100644
--- a/usr.bin/sudo/configure
+++ b/usr.bin/sudo/configure
@@ -22473,13 +22473,103 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext done if test "$found" = "no"; then - LDAP_LIBS=" -lldap" + LIBS="${_LIBS} -lldap" + LDAP_LIBS="-lldap" { echo "$as_me:$LINENO: result: not found, using -lldap" >&5 echo "${ECHO_T}not found, using -lldap" >&6; } else { echo "$as_me:$LINENO: result: $LDAP_LIBS" >&5 echo "${ECHO_T}$LDAP_LIBS" >&6; } fi + OLIBS="$LIBS" + { echo "$as_me:$LINENO: checking for library containing ber_set_option" >&5 +echo $ECHO_N "checking for library containing ber_set_option... $ECHO_C" >&6; } +if test "${ac_cv_search_ber_set_option+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_func_search_save_LIBS=$LIBS +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char ber_set_option (); +int +main () +{ +return ber_set_option (); + ; + return 0; +} +_ACEOF +for ac_lib in '' lber; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + ac_cv_search_ber_set_option=$ac_res +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext + if test "${ac_cv_search_ber_set_option+set}" = set; then + break +fi +done +if test "${ac_cv_search_ber_set_option+set}" = set; then + : +else + ac_cv_search_ber_set_option=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ echo "$as_me:$LINENO: result: $ac_cv_search_ber_set_option" >&5 +echo "${ECHO_T}$ac_cv_search_ber_set_option" >&6; } +ac_res=$ac_cv_search_ber_set_option +if test "$ac_res" != no; then + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + found=yes +else + found=no +fi + + if test X"$found" = X"yes" -a X"$LIBS" != X"$OLIBS"; then + LDAP_LIBS="$LDAP_LIBS -llber" + fi { echo "$as_me:$LINENO: checking whether lber.h is needed" >&5 echo $ECHO_N "checking whether lber.h is needed... $ECHO_C" >&6; } cat >conftest.$ac_ext <<_ACEOF @@ -22537,7 +22627,8 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ -for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init + +for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` { echo "$as_me:$LINENO: checking for $ac_func" >&5 
@@ -22631,6 +22722,65 @@ fi done + +for ac_header in ldap_ssl.h mps/ldap_ssl.h +do +as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` +{ echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <ldap.h> + +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + eval "$as_ac_Header=yes" +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_Header=no" +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } +if test `eval echo '${'$as_ac_Header'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + break +fi + +done + + SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}" LIBS="$_LIBS" LDFLAGS="$_LDFLAGS" diff --git a/usr.bin/sudo/configure.in b/usr.bin/sudo/configure.in index a766f923cc2..32994e9a7b2 100644 --- a/usr.bin/sudo/configure.in +++ b/usr.bin/sudo/configure.in 
@@ -1,6 +1,6 @@ dnl dnl Process this file with GNU autoconf to produce a configure script. -dnl $Sudo: configure.in,v 1.413.2.36 2008/01/03 16:05:42 millert Exp $ +dnl $Sudo: configure.in,v 1.413.2.43 2008/01/21 16:46:50 millert Exp $ dnl dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller <Todd.Miller@courtesan.com> dnl @@ -2274,19 +2274,27 @@ if test ${with_ldap-'no'} != "no"; then done dnl if nothing linked just try with -lldap if test "$found" = "no"; then - LDAP_LIBS=" -lldap" + LIBS="${_LIBS} -lldap" + LDAP_LIBS="-lldap" AC_MSG_RESULT([not found, using -lldap]) else AC_MSG_RESULT([$LDAP_LIBS]) fi - dnl try again w/o explicitly including lber.h + dnl check if we need to link with -llber for ber_set_option + OLIBS="$LIBS" + AC_SEARCH_LIBS([ber_set_option], [lber], [found=yes], [found=no]) + if test X"$found" = X"yes" -a X"$LIBS" != X"$OLIBS"; then + LDAP_LIBS="$LDAP_LIBS -llber" + fi + dnl check if ldap.h includes lber.h for us AC_MSG_CHECKING([whether lber.h is needed]) AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h> #include <ldap.h>]], [[(void)ldap_init(0, 0)]])], [AC_MSG_RESULT([no])], [ AC_MSG_RESULT([yes]) AC_DEFINE(HAVE_LBER_H)]) - AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init) + AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength) + AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>]) SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}" LIBS="$_LIBS" diff --git a/usr.bin/sudo/ldap.c b/usr.bin/sudo/ldap.c index c4fbfbf6008..9097310cbf9 100644 --- a/usr.bin/sudo/ldap.c +++ b/usr.bin/sudo/ldap.c 
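Review bot: `if test X"$found" = X"yes" -a X"$LIBS" != X"$OLIBS"; then` uses the binary `-a` form of test, which autoconf's portability guidance steers away from because its parsing is ambiguous on some shells; the safer spelling is `if test X"$found" = X"yes" && test X"$LIBS" != X"$OLIBS"; then`. A short `dnl` note that `found` is deliberately reused here only after the preceding `if test "$found" = "no"` has consumed the ldap-library result would also help, since the reassignment by AC_SEARCH_LIBS otherwise reads as clobbering the earlier check.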
@@ -61,12 +61,17 @@
 # include <lber.h>
 #endif
 #include <ldap.h>
+#if defined(HAVE_LDAP_SSL_H)
+# include <ldap_ssl.h>
+#elif defined(HAVE_MPS_LDAP_SSL_H)
+# include <mps/ldap_ssl.h>
+#endif
 
 #include "sudo.h"
 #include "parse.h"
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.32 2008/01/05 23:27:10 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.36 2008/01/21 16:08:26 millert Exp $";
 #endif /* lint */
 
 #ifndef LINE_MAX
@@ -136,6 +141,8 @@ struct ldap_config_table ldap_conf_table[] = {
 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
 { "tls_checkpeer", CONF_BOOL, FALSE, LDAP_OPT_X_TLS_REQUIRE_CERT,
 &ldap_conf.tls_checkpeer },
+#else
+ { "tls_checkpeer", CONF_BOOL, FALSE, -1, &ldap_conf.tls_checkpeer },
 #endif
 #ifdef LDAP_OPT_X_TLS_CACERTFILE
 { "tls_cacertfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE,
@@ -810,12 +817,19 @@ sudo_ldap_read_config()
 * Interpret SSL option
 */
 if (ldap_conf.ssl != NULL) {
- if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
- ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
- else if (_atobool(ldap_conf.ssl))
- ldap_conf.ssl_mode = SUDO_LDAP_SSL;
+ if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
+ ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
+ else if (_atobool(ldap_conf.ssl))
+ ldap_conf.ssl_mode = SUDO_LDAP_SSL;
 }
 
+#if defined(HAVE_LDAPSSL_SET_STRENGTH) && !defined(LDAP_OPT_X_TLS_REQUIRE_CERT)
+ if (ldap_conf.tls_checkpeer != -1) {
+ ldapssl_set_strength(NULL,
+ ldap_conf.tls_checkpeer ? LDAPSSL_AUTH_CERT : LDAPSSL_AUTH_WEAK);
+ }
+#endif
+
 #ifndef HAVE_LDAP_INITIALIZE
 /* Convert uri list to host list if no ldap_initialize(). */
 if (ldap_conf.uri) {
diff --git a/usr.bin/sudo/parse.yacc b/usr.bin/sudo/parse.yacc
index 4137d8197be..5b1c856bb16 100644
--- a/usr.bin/sudo/parse.yacc
+++ b/usr.bin/sudo/parse.yacc
@@ -60,6 +60,7 @@
 #ifdef HAVE_LSEARCH
 # include <search.h>
 #endif /* HAVE_LSEARCH */
+#include <limits.h>
 #include "sudo.h"
 #include "parse.h"
 
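Review bot: When neither LDAP_OPT_X_TLS_REQUIRE_CERT nor ldapssl_set_strength() is available, the new `#else` table entry makes `tls_checkpeer` parse successfully with an opt of -1 but nothing ever acts on it, so an administrator who writes `tls_checkpeer yes` gets no certificate verification and no warning; the `#if defined(HAVE_LDAPSSL_SET_STRENGTH) && !defined(LDAP_OPT_X_TLS_REQUIRE_CERT)` block should gain an `#elif !defined(LDAP_OPT_X_TLS_REQUIRE_CERT)` branch that reports the option as unsupported when `ldap_conf.tls_checkpeer != -1`. In the supported case the return value of `ldapssl_set_strength()` is discarded, so a failure to raise the strength to LDAPSSL_AUTH_CERT silently leaves the SDK default in place; change it to `if (ldapssl_set_strength(NULL, ldap_conf.tls_checkpeer ? LDAPSSL_AUTH_CERT : LDAPSSL_AUTH_WEAK) != 0)` and report the failure through the file's usual warning routine, treating it as fatal when tls_checkpeer was set to yes. The -1 sentinel presumably means ldap_conf.tls_checkpeer defaults to -1 for "unset"; that initialization is not in the hunk, so confirm it. The enclosing sudo_ldap_read_config() starts and ends outside the hunk.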
@@ -69,10 +70,23 @@
 #endif /* HAVE_LSEARCH */
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.9 2007/11/21 18:15:49 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.10 2008/01/16 23:20:53 millert Exp $";
 #endif /* lint */
 
 /*
+ * We must define SIZE_MAX for yacc's skeleton.c.
+ * If there is no SIZE_MAX or SIZE_T_MAX we have to assume that size_t
+ * could be signed (as it is on SunOS 4.x).
+ */
+#ifndef SIZE_MAX
+# ifdef SIZE_T_MAX
+# define SIZE_MAX SIZE_T_MAX
+# else
+# define SIZE_MAX INT_MAX
+# endif /* SIZE_T_MAX */
+#endif /* SIZE_MAX */
+
+/*
 * Globals
 */
 extern int sudolineno, parse_error;
diff --git a/usr.bin/sudo/tgetpass.c b/usr.bin/sudo/tgetpass.c
index c008c156cdd..9e22b5d64c2 100644
--- a/usr.bin/sudo/tgetpass.c
+++ b/usr.bin/sudo/tgetpass.c
@@ -70,7 +70,7 @@
 #include "sudo.h"
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.5 2007/10/17 15:39:43 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.6 2008/01/16 18:03:24 millert Exp $";
 #endif /* lint */
 
 #ifndef TCSASOFT
@@ -107,8 +107,6 @@ __unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.5 2007/10/17 1
 # define tcsetattr(f, a, t) ioctl(f, a, t)
 # undef TCSAFLUSH
 # define TCSAFLUSH TCSETAF
-# undef TCSANOW
-# define TCSANOW TCSETA
 # else
 # undef termios
 # define termios sgttyb
@@ -117,8 +115,6 @@ __unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.5 2007/10/17 1
 # define tcsetattr(f, a, t) ioctl(f, a, t)
 # undef TCSAFLUSH
 # define TCSAFLUSH TIOCSETP
-# undef TCSANOW
-# define TCSANOW TIOCSETN
 # endif /* HAVE_TERMIO_H */
 #endif /* HAVE_TERMIOS_H */
 
@@ -202,7 +198,7 @@ restart:
 /* Restore old tty settings and signals. */
 if (memcmp(&term, &oterm, sizeof(term)) != 0) {
- while (tcsetattr(input, TCSANOW|TCSASOFT, &oterm) == -1 &&
+ while (tcsetattr(input, TCSAFLUSH|TCSASOFT, &oterm) == -1 &&
 errno == EINTR)
 continue;
 }
 
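Review bot: The new fallback block tests `#ifndef SIZE_MAX` but the hunk only adds `#include <limits.h>`, and SIZE_MAX is defined by <stdint.h>; unless sudo.h already pulls that header in (not visible here), the block will quietly substitute `INT_MAX` on hosts that do have a real SIZE_MAX, which is harmless for yacc's overflow guard but defeats the comment's intent. Either include <stdint.h> under the build's existing header probe, or say so in the comment: ` * (SIZE_MAX comes from <stdint.h>; on pre-C99 hosts fall back to SIZE_T_MAX, then INT_MAX.)`.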
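Review bot: The switch from TCSANOW to TCSAFLUSH in `tcsetattr(input, TCSAFLUSH|TCSASOFT, &oterm)` is the actual fix for CHANGES item 645 (the typed-ahead remainder of a password being echoed once ECHO is restored after a read timeout), but the code says nothing about why, and a future reader may well "optimize" it back; add `/* TCSAFLUSH discards any pending input so a partially typed password is not echoed once ECHO is restored. */` above the loop. Removing the fallback `# define TCSANOW ...` lines in the two ioctl-emulation branches is correct only if no other TCSANOW use remains in the file, which cannot be confirmed from these hunks. The enclosing function continues above and below the last hunk.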
diff --git a/usr.bin/sudo/version.h b/usr.bin/sudo/version.h
index 4394ff199a9..a51e62a4f0d 100644
--- a/usr.bin/sudo/version.h
+++ b/usr.bin/sudo/version.h
@@ -17,12 +17,12 @@
 * Agency (DARPA) and Air Force Research Laboratory, Air Force
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
 *
- * $Sudo: version.h,v 1.66.2.14 2008/01/05 23:31:52 millert Exp $
+ * $Sudo: version.h,v 1.66.2.15 2008/01/14 12:22:57 millert Exp $
 */
 
 #ifndef _SUDO_VERSION_H
 #define _SUDO_VERSION_H
 
-static const char version[] = "1.6.9p11";
+static const char version[] = "1.6.9p12";
 
 #endif /* _SUDO_VERSION_H */
|