summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
authorTodd C. Miller <millert@cvs.openbsd.org>2008-01-21 19:44:30 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2008-01-21 19:44:30 +0000
commitb1383a9947d14d043f1f3b1f7488d3f69e2bb7ec (patch)
tree3ebd0e46c757c0d9e50f5300d0db4519c091d8c4 /usr.bin
parent7d3cf5f78e38308b6c5f95dd944b94c03a55f29e (diff)
update to sudo 1.6.9p12
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/sudo/CHANGES16
-rw-r--r--usr.bin/sudo/Makefile.in4
-rw-r--r--usr.bin/sudo/README.LDAP2
-rw-r--r--usr.bin/sudo/auth/kerb5.c143
-rw-r--r--usr.bin/sudo/config.h.in9
-rw-r--r--usr.bin/sudo/configure154
-rw-r--r--usr.bin/sudo/configure.in16
-rw-r--r--usr.bin/sudo/ldap.c24
-rw-r--r--usr.bin/sudo/parse.yacc16
-rw-r--r--usr.bin/sudo/tgetpass.c8
-rw-r--r--usr.bin/sudo/version.h4
11 files changed, 282 insertions, 114 deletions
diff --git a/usr.bin/sudo/CHANGES b/usr.bin/sudo/CHANGES
index 08be41123a6..fcb8d5596b7 100644
--- a/usr.bin/sudo/CHANGES
+++ b/usr.bin/sudo/CHANGES
@@ -2029,3 +2029,19 @@ Sudo 1.6.9p10 released.
640) New %p prompt escape that expands to the user whose password
is being prompted, as specified by the rootpw, targetpw and
runaspw sudoers flags. Based on a diff from Patrick Schoenfeld.
+
+Sudo 1.6.9p11 released.
+
+641) Added a configure check for the ber_set_option() function.
+
+642) Fixed a compilation problem with the HP-UX K&R C compiler.
+
+643) Revamped the Kerberos 5 ticket verification code.
+
+644) Added support for the checkpeer ldap.conf variable for
+ netscape-based LDAP SDKs.
+
+645) Fixed a problem where an incomplete password could be echoed
+ to the screen if there was a read timeout.
+
+Sudo 1.6.9p12 released.
diff --git a/usr.bin/sudo/Makefile.in b/usr.bin/sudo/Makefile.in
index c0472bd7ea0..1ed0b8b4931 100644
--- a/usr.bin/sudo/Makefile.in
+++ b/usr.bin/sudo/Makefile.in
@@ -20,7 +20,7 @@
#
# @configure_input@
#
-# $Sudo: Makefile.in,v 1.246.2.22 2008/01/05 23:31:51 millert Exp $
+# $Sudo: Makefile.in,v 1.246.2.23 2008/01/14 12:22:57 millert Exp $
#
#### Start of system configuration section. ####
@@ -131,7 +131,7 @@ TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS)
LIBOBJS = @LIBOBJS@ @ALLOCA@
-VERSION = 1.6.9p11
+VERSION = 1.6.9p12
DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
LICENSE Makefile.in PORTING README README.LDAP \
diff --git a/usr.bin/sudo/README.LDAP b/usr.bin/sudo/README.LDAP
index 501471d6803..df4ad2107ec 100644
--- a/usr.bin/sudo/README.LDAP
+++ b/usr.bin/sudo/README.LDAP
@@ -256,7 +256,7 @@ when you imported the sudoers. Below is an example /etc/ldap.conf
#ssl start_tls
#
# Additional TLS options follow that allow tweaking of the
- # SSL/TLS connection. Only supported when using OpenLDAP.
+ # SSL/TLS connection.
#
#tls_checkpeer yes # verify server SSL certificate
#tls_checkpeer no # ignore server SSL certificate
diff --git a/usr.bin/sudo/auth/kerb5.c b/usr.bin/sudo/auth/kerb5.c
index 57f183e4e54..763ce851b0d 100644
--- a/usr.bin/sudo/auth/kerb5.c
+++ b/usr.bin/sudo/auth/kerb5.c
@@ -54,7 +54,7 @@
#include "sudo_auth.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.4 2007/06/12 01:28:42 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.7 2008/01/13 14:54:40 millert Exp $";
#endif /* lint */
#ifdef HAVE_HEIMDAL
@@ -65,7 +65,7 @@ __unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.4 2007/06/12 01:28
#endif
#ifndef HAVE_KRB5_VERIFY_USER
-static int verify_krb_v5_tgt __P((krb5_context, krb5_ccache, char *));
+static int verify_krb_v5_tgt __P((krb5_context, krb5_creds *, char *));
#endif
static struct _sudo_krb5_data {
krb5_context sudo_context;
@@ -74,8 +74,6 @@ static struct _sudo_krb5_data {
} sudo_krb5_data = { NULL, NULL, NULL };
typedef struct _sudo_krb5_data *sudo_krb5_datap;
-extern const krb5_cc_ops krb5_mcc_ops;
-
int
kerb5_init(pw, promptp, auth)
struct passwd *pw;
@@ -128,16 +126,6 @@ kerb5_init(pw, promptp, auth)
free(pname);
#endif
- /* For CNS compatibility */
- if ((error = krb5_cc_register(sudo_context, &krb5_mcc_ops, FALSE))) {
- if (error != KRB5_CC_TYPE_EXISTS) {
- log_error(NO_EXIT|NO_MAIL,
- "%s: unable to use Memory ccache: %s", auth->name,
- error_message(error));
- return(AUTH_FAILURE);
- }
- }
-
(void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
(long) getpid());
if ((error = krb5_cc_resolve(sudo_context, cache_name,
@@ -149,13 +137,6 @@ kerb5_init(pw, promptp, auth)
}
ccache = sudo_krb5_data.ccache;
- if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
- log_error(NO_EXIT|NO_MAIL,
- "%s: unable to initialize ccache: %s", auth->name,
- error_message(error));
- return(AUTH_FAILURE);
- }
-
return(AUTH_SUCCESS);
}
@@ -187,41 +168,59 @@ kerb5_verify(pw, pass, auth)
{
krb5_context sudo_context;
krb5_principal princ;
+ krb5_creds credbuf, *creds = NULL;
krb5_ccache ccache;
- krb5_creds creds;
krb5_error_code error;
- krb5_get_init_creds_opt opts;
+ krb5_get_init_creds_opt *opts = NULL;
sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
princ = ((sudo_krb5_datap) auth->data)->princ;
ccache = ((sudo_krb5_datap) auth->data)->ccache;
- /* Initialize options to defaults */
- krb5_get_init_creds_opt_init(&opts);
+ /* Set default flags based on the local config file. */
+ error = krb5_get_init_creds_opt_alloc(sudo_context, &opts);
+ if (error) {
+ log_error(NO_EXIT|NO_MAIL,
+ "%s: unable to allocate options: %s", auth->name,
+ error_message(error));
+ goto done;
+ }
+ krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL,
+ krb5_principal_get_realm(sudo_context, princ), opts);
/* Note that we always obtain a new TGT to verify the user */
- if ((error = krb5_get_init_creds_password(sudo_context, &creds, princ,
+ if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ,
pass, krb5_prompter_posix,
- NULL, 0, NULL, &opts))) {
- if (error == KRB5KRB_AP_ERR_BAD_INTEGRITY) /* Bad password */
- return(AUTH_FAILURE);
- /* Some other error */
- log_error(NO_EXIT|NO_MAIL,
- "%s: unable to get credentials: %s", auth->name,
- error_message(error));
- return(AUTH_FAILURE);
+ NULL, 0, NULL, opts))) {
+ /* Don't print error if just a bad password */
+ if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY)
+ log_error(NO_EXIT|NO_MAIL,
+ "%s: unable to get credentials: %s", auth->name,
+ error_message(error));
+ goto done;
}
+ creds = &credbuf;
+
+ /* Verify the TGT to prevent spoof attacks. */
+ if ((error = verify_krb_v5_tgt(sudo_context, creds, auth->name)))
+ goto done;
- /* Stash the TGT so we can verify it. */
- if ((error = krb5_cc_store_cred(sudo_context, ccache, &creds))) {
+ /* Store cred in cred cache. */
+ if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
+ log_error(NO_EXIT|NO_MAIL,
+ "%s: unable to initialize ccache: %s", auth->name,
+ error_message(error));
+ } else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) {
log_error(NO_EXIT|NO_MAIL,
- "%s: unable to store credentials: %s", auth->name,
+ "%s: unable to store cred in ccache: %s", auth->name,
error_message(error));
- } else {
- error = verify_krb_v5_tgt(sudo_context, ccache, auth->name);
}
- krb5_free_cred_contents(sudo_context, &creds);
+done:
+ if (opts)
+ krb5_get_init_creds_opt_free(opts);
+ if (creds)
+ krb5_free_cred_contents(sudo_context, creds);
return (error ? AUTH_FAILURE : AUTH_SUCCESS);
}
#endif
@@ -252,81 +251,43 @@ kerb5_cleanup(pw, auth)
#ifndef HAVE_KRB5_VERIFY_USER
/*
- * This routine with some modification is from the MIT V5B6 appl/bsd/login.c
- *
* Verify the Kerberos ticket-granting ticket just retrieved for the
* user. If the Kerberos server doesn't respond, assume the user is
* trying to fake us out (since we DID just get a TGT from what is
- * supposedly our KDC). If the host/<host> service is unknown (i.e.,
- * the local keytab doesn't have it), return success but log the error.
- *
- * This needs to run as root (to read the host service ticket).
+ * supposedly our KDC).
*
* Returns 0 for successful authentication, non-zero for failure.
*/
static int
-verify_krb_v5_tgt(sudo_context, ccache, auth_name)
+verify_krb_v5_tgt(sudo_context, cred, auth_name)
krb5_context sudo_context;
- krb5_ccache ccache;
+ krb5_creds *cred;
char *auth_name; /* For error reporting */
{
- char phost[BUFSIZ];
krb5_error_code error;
- krb5_principal princ;
- krb5_data packet;
- krb5_keyblock *keyblock = 0;
- krb5_auth_context auth_context = NULL;
-
- packet.data = 0;
+ krb5_principal server;
+ krb5_verify_init_creds_opt vopt;
/*
* Get the server principal for the local host.
* (Use defaults of "host" and canonicalized local name.)
*/
if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
- KRB5_NT_SRV_HST, &princ))) {
+ KRB5_NT_SRV_HST, &server))) {
log_error(NO_EXIT|NO_MAIL,
"%s: unable to get host principal: %s", auth_name,
error_message(error));
return(-1);
}
- /* Extract the name directly. Yow. */
- strlcpy(phost, extract_name(sudo_context, princ), sizeof(phost));
-
- /*
- * Do we have host/<host> keys?
- * (use default keytab, kvno IGNORE_VNO to get the first match,
- * and enctype is currently ignored anyhow.)
- */
- if ((error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0,
- 0, &keyblock))) {
- /* Keytab or service key does not exist. */
- log_error(NO_EXIT,
- "%s: host service key not found: %s", auth_name,
- error_message(error));
- goto cleanup;
- }
- if (keyblock)
- krb5_free_keyblock(sudo_context, keyblock);
-
- /* Talk to the kdc and construct the ticket. */
- error = krb5_mk_req(sudo_context, &auth_context, 0, "host", phost,
- NULL, ccache, &packet);
- if (auth_context) {
- krb5_auth_con_free(sudo_context, auth_context);
- auth_context = NULL; /* setup for rd_req */
- }
-
- /* Try to use the ticket. */
- if (!error)
- error = krb5_rd_req(sudo_context, &auth_context, &packet, princ,
- NULL, NULL, NULL);
-cleanup:
- if (packet.data)
- krb5_free_data_contents(sudo_context, &packet);
- krb5_free_principal(sudo_context, princ);
+ /* Initialize verify opts and set secure mode */
+ krb5_verify_init_creds_opt_init(&vopt);
+ krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
+ /* verify the Kerberos ticket-granting ticket we just retrieved */
+ error = krb5_verify_init_creds(sudo_context, cred, server, NULL,
+ NULL, &vopt);
+ krb5_free_principal(sudo_context, server);
if (error)
log_error(NO_EXIT|NO_MAIL,
"%s: Cannot verify TGT! Possible attack!: %s", auth_name,
diff --git a/usr.bin/sudo/config.h.in b/usr.bin/sudo/config.h.in
index 822ff6b2358..2ce67d7af9d 100644
--- a/usr.bin/sudo/config.h.in
+++ b/usr.bin/sudo/config.h.in
@@ -221,12 +221,18 @@
/* Define to 1 if you have the `ldap_initialize' function. */
#undef HAVE_LDAP_INITIALIZE
+/* Define to 1 if you have the <ldap_ssl.h> header file. */
+#undef HAVE_LDAP_SSL_H
+
/* Define to 1 if you have the `ldap_start_tls_s' function. */
#undef HAVE_LDAP_START_TLS_S
/* Define to 1 if you have the `ldapssl_init' function. */
#undef HAVE_LDAPSSL_INIT
+/* Define to 1 if you have the `ldapssl_set_strength' function. */
+#undef HAVE_LDAPSSL_SET_STRENGTH
+
/* Define to 1 if you have the `lockf' function. */
#undef HAVE_LOCKF
@@ -263,6 +269,9 @@
/* Define to 1 if you have the `mkstemp' function. */
#undef HAVE_MKSTEMP
+/* Define to 1 if you have the <mps/ldap_ssl.h> header file. */
+#undef HAVE_MPS_LDAP_SSL_H
+
/* Define to 1 if you have the <ndir.h> header file, and it defines `DIR'. */
#undef HAVE_NDIR_H
diff --git a/usr.bin/sudo/configure b/usr.bin/sudo/configure
index b36ee338f82..38fe5c15e28 100644
--- a/usr.bin/sudo/configure
+++ b/usr.bin/sudo/configure
@@ -22473,13 +22473,103 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
done
if test "$found" = "no"; then
- LDAP_LIBS=" -lldap"
+ LIBS="${_LIBS} -lldap"
+ LDAP_LIBS="-lldap"
{ echo "$as_me:$LINENO: result: not found, using -lldap" >&5
echo "${ECHO_T}not found, using -lldap" >&6; }
else
{ echo "$as_me:$LINENO: result: $LDAP_LIBS" >&5
echo "${ECHO_T}$LDAP_LIBS" >&6; }
fi
+ OLIBS="$LIBS"
+ { echo "$as_me:$LINENO: checking for library containing ber_set_option" >&5
+echo $ECHO_N "checking for library containing ber_set_option... $ECHO_C" >&6; }
+if test "${ac_cv_search_ber_set_option+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_func_search_save_LIBS=$LIBS
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ber_set_option ();
+int
+main ()
+{
+return ber_set_option ();
+ ;
+ return 0;
+}
+_ACEOF
+for ac_lib in '' lber; do
+ if test -z "$ac_lib"; then
+ ac_res="none required"
+ else
+ ac_res=-l$ac_lib
+ LIBS="-l$ac_lib $ac_func_search_save_LIBS"
+ fi
+ rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_search_ber_set_option=$ac_res
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext
+ if test "${ac_cv_search_ber_set_option+set}" = set; then
+ break
+fi
+done
+if test "${ac_cv_search_ber_set_option+set}" = set; then
+ :
+else
+ ac_cv_search_ber_set_option=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_search_ber_set_option" >&5
+echo "${ECHO_T}$ac_cv_search_ber_set_option" >&6; }
+ac_res=$ac_cv_search_ber_set_option
+if test "$ac_res" != no; then
+ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+ found=yes
+else
+ found=no
+fi
+
+ if test X"$found" = X"yes" -a X"$LIBS" != X"$OLIBS"; then
+ LDAP_LIBS="$LDAP_LIBS -llber"
+ fi
{ echo "$as_me:$LINENO: checking whether lber.h is needed" >&5
echo $ECHO_N "checking whether lber.h is needed... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
@@ -22537,7 +22627,8 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init
+
+for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
{ echo "$as_me:$LINENO: checking for $ac_func" >&5
@@ -22631,6 +22722,65 @@ fi
done
+
+for ac_header in ldap_ssl.h mps/ldap_ssl.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ldap.h>
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ eval "$as_ac_Header=yes"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ break
+fi
+
+done
+
+
SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
LIBS="$_LIBS"
LDFLAGS="$_LDFLAGS"
diff --git a/usr.bin/sudo/configure.in b/usr.bin/sudo/configure.in
index a766f923cc2..32994e9a7b2 100644
--- a/usr.bin/sudo/configure.in
+++ b/usr.bin/sudo/configure.in
@@ -1,6 +1,6 @@
dnl
dnl Process this file with GNU autoconf to produce a configure script.
-dnl $Sudo: configure.in,v 1.413.2.36 2008/01/03 16:05:42 millert Exp $
+dnl $Sudo: configure.in,v 1.413.2.43 2008/01/21 16:46:50 millert Exp $
dnl
dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller <Todd.Miller@courtesan.com>
dnl
@@ -2274,19 +2274,27 @@ if test ${with_ldap-'no'} != "no"; then
done
dnl if nothing linked just try with -lldap
if test "$found" = "no"; then
- LDAP_LIBS=" -lldap"
+ LIBS="${_LIBS} -lldap"
+ LDAP_LIBS="-lldap"
AC_MSG_RESULT([not found, using -lldap])
else
AC_MSG_RESULT([$LDAP_LIBS])
fi
- dnl try again w/o explicitly including lber.h
+ dnl check if we need to link with -llber for ber_set_option
+ OLIBS="$LIBS"
+ AC_SEARCH_LIBS([ber_set_option], [lber], [found=yes], [found=no])
+ if test X"$found" = X"yes" -a X"$LIBS" != X"$OLIBS"; then
+ LDAP_LIBS="$LDAP_LIBS -llber"
+ fi
+ dnl check if ldap.h includes lber.h for us
AC_MSG_CHECKING([whether lber.h is needed])
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
#include <ldap.h>]], [[(void)ldap_init(0, 0)]])], [AC_MSG_RESULT([no])], [
AC_MSG_RESULT([yes])
AC_DEFINE(HAVE_LBER_H)])
- AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init)
+ AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength)
+ AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
LIBS="$_LIBS"
diff --git a/usr.bin/sudo/ldap.c b/usr.bin/sudo/ldap.c
index c4fbfbf6008..9097310cbf9 100644
--- a/usr.bin/sudo/ldap.c
+++ b/usr.bin/sudo/ldap.c
@@ -61,12 +61,17 @@
# include <lber.h>
#endif
#include <ldap.h>
+#if defined(HAVE_LDAP_SSL_H)
+# include <ldap_ssl.h>
+#elif defined(HAVE_MPS_LDAP_SSL_H)
+# include <mps/ldap_ssl.h>
+#endif
#include "sudo.h"
#include "parse.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.32 2008/01/05 23:27:10 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.36 2008/01/21 16:08:26 millert Exp $";
#endif /* lint */
#ifndef LINE_MAX
@@ -136,6 +141,8 @@ struct ldap_config_table ldap_conf_table[] = {
#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
{ "tls_checkpeer", CONF_BOOL, FALSE, LDAP_OPT_X_TLS_REQUIRE_CERT,
&ldap_conf.tls_checkpeer },
+#else
+ { "tls_checkpeer", CONF_BOOL, FALSE, -1, &ldap_conf.tls_checkpeer },
#endif
#ifdef LDAP_OPT_X_TLS_CACERTFILE
{ "tls_cacertfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE,
@@ -810,12 +817,19 @@ sudo_ldap_read_config()
* Interpret SSL option
*/
if (ldap_conf.ssl != NULL) {
- if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
- ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
- else if (_atobool(ldap_conf.ssl))
- ldap_conf.ssl_mode = SUDO_LDAP_SSL;
+ if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
+ ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
+ else if (_atobool(ldap_conf.ssl))
+ ldap_conf.ssl_mode = SUDO_LDAP_SSL;
}
+#if defined(HAVE_LDAPSSL_SET_STRENGTH) && !defined(LDAP_OPT_X_TLS_REQUIRE_CERT)
+ if (ldap_conf.tls_checkpeer != -1) {
+ ldapssl_set_strength(NULL,
+ ldap_conf.tls_checkpeer ? LDAPSSL_AUTH_CERT : LDAPSSL_AUTH_WEAK);
+ }
+#endif
+
#ifndef HAVE_LDAP_INITIALIZE
/* Convert uri list to host list if no ldap_initialize(). */
if (ldap_conf.uri) {
diff --git a/usr.bin/sudo/parse.yacc b/usr.bin/sudo/parse.yacc
index 4137d8197be..5b1c856bb16 100644
--- a/usr.bin/sudo/parse.yacc
+++ b/usr.bin/sudo/parse.yacc
@@ -60,6 +60,7 @@
#ifdef HAVE_LSEARCH
# include <search.h>
#endif /* HAVE_LSEARCH */
+#include <limits.h>
#include "sudo.h"
#include "parse.h"
@@ -69,10 +70,23 @@
#endif /* HAVE_LSEARCH */
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.9 2007/11/21 18:15:49 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.10 2008/01/16 23:20:53 millert Exp $";
#endif /* lint */
/*
+ * We must define SIZE_MAX for yacc's skeleton.c.
+ * If there is no SIZE_MAX or SIZE_T_MAX we have to assume that size_t
+ * could be signed (as it is on SunOS 4.x).
+ */
+#ifndef SIZE_MAX
+# ifdef SIZE_T_MAX
+# define SIZE_MAX SIZE_T_MAX
+# else
+# define SIZE_MAX INT_MAX
+# endif /* SIZE_T_MAX */
+#endif /* SIZE_MAX */
+
+/*
* Globals
*/
extern int sudolineno, parse_error;
diff --git a/usr.bin/sudo/tgetpass.c b/usr.bin/sudo/tgetpass.c
index c008c156cdd..9e22b5d64c2 100644
--- a/usr.bin/sudo/tgetpass.c
+++ b/usr.bin/sudo/tgetpass.c
@@ -70,7 +70,7 @@
#include "sudo.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.5 2007/10/17 15:39:43 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.6 2008/01/16 18:03:24 millert Exp $";
#endif /* lint */
#ifndef TCSASOFT
@@ -107,8 +107,6 @@ __unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.5 2007/10/17 1
# define tcsetattr(f, a, t) ioctl(f, a, t)
# undef TCSAFLUSH
# define TCSAFLUSH TCSETAF
-# undef TCSANOW
-# define TCSANOW TCSETA
# else
# undef termios
# define termios sgttyb
@@ -117,8 +115,6 @@ __unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.5 2007/10/17 1
# define tcsetattr(f, a, t) ioctl(f, a, t)
# undef TCSAFLUSH
# define TCSAFLUSH TIOCSETP
-# undef TCSANOW
-# define TCSANOW TIOCSETN
# endif /* HAVE_TERMIO_H */
#endif /* HAVE_TERMIOS_H */
@@ -202,7 +198,7 @@ restart:
/* Restore old tty settings and signals. */
if (memcmp(&term, &oterm, sizeof(term)) != 0) {
- while (tcsetattr(input, TCSANOW|TCSASOFT, &oterm) == -1 &&
+ while (tcsetattr(input, TCSAFLUSH|TCSASOFT, &oterm) == -1 &&
errno == EINTR)
continue;
}
diff --git a/usr.bin/sudo/version.h b/usr.bin/sudo/version.h
index 4394ff199a9..a51e62a4f0d 100644
--- a/usr.bin/sudo/version.h
+++ b/usr.bin/sudo/version.h
@@ -17,12 +17,12 @@
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*
- * $Sudo: version.h,v 1.66.2.14 2008/01/05 23:31:52 millert Exp $
+ * $Sudo: version.h,v 1.66.2.15 2008/01/14 12:22:57 millert Exp $
*/
#ifndef _SUDO_VERSION_H
#define _SUDO_VERSION_H
-static const char version[] = "1.6.9p11";
+static const char version[] = "1.6.9p12";
#endif /* _SUDO_VERSION_H */