[PATCH] Re: Kerberos support for portable

Vern Staats staatsvr at asc.hpc.mil
Tue Nov 27 07:45:06 EST 2001


On Sat, Nov 17, 2001 at 11:40:51AM +0000, Simon Wilkinson wrote:
> [...] 
> Thanks for these. Unfortunately, your vrs patches seem to be based on
> an earlier version of my patch than the one you're bundling. In particular,
> your patch adds back in the incorrect replay cache code (it uses the wrong
> cache name), and takes out the use_uid calls that are necessary to make
> verify_init_creds() work correctly. It also adds back in the xfree() calls
> in auth1.c that I removed - these have to be removed to make it work reliably.

I'm sorry not to have responded before now - I took last week off.

It looks like you're right.  I had intended to combine your later krb5
patch with your auth1.c patch, and then #ifdef out the parts that couldn't
be easily reconciled with krb5 1.0.6.
 
> I am right in thinking that the basic change that is required is to
> conditionally remove auth_krb5_password (or just make it a stub that
> does nothing useful) if built against old MIT Kerberoses?

Yes, because auth_krb5_password needs get_, verify_init_creds(), which
are missing in krb5 1.0.6.

> Finally there are a couple of patches to the rijndael code that don't seem
> related?

Some time back I had problems with the u8/u16/u32 unsigned typedefs
in openssl rijndael/rd_fst.h getting redefined.  I think this only
happened in the openssl applications (some subset of lynx, w3m, curl,
and stunnel)... and looking at my application patches all I see is
stunnel.  So why didn't I just patch stunnel instead of mucking with
the main code?  I'm not sure, but I think there was a reason.

I'm overdue to update the kssl patches.  I should probably revert to
the original rd_fst.h and revisit this.  

-- 
                "My company prefers to have that kind of decision made by
                 uninformed executives.  We call it "Empowerment".  --Dilbert
staatsvr at asc.hpc.mil
Vern Staats, ASC/HPTS, WPAFB OH 45433, 937-255-1616x449



