--- pykerberos-1.0+svn2447.orig/debian/changelog +++ pykerberos-1.0+svn2447/debian/changelog @@ -0,0 +1,111 @@ +pykerberos (1.0+svn2447-1) unstable; urgency=low + + * upload to unstable + * [39186bf] new upsteram SVN snapshot @2447 that has out password changing + support (Trac: #256) merged + * [b54f64b] Pick our wrap/unwrap patches from the more-kerberos branch of + upstream's svn (Trac: #213, #214) + * [5d197f5] reenable quilt + + -- Guido Guenther Fri, 23 May 2008 10:09:01 +0200 + +pykerberos (1.0+mk080218-1) experimental; urgency=low + + * new version based on upstream's more-kerberos branch that basically + consists ouf our patches: + http://trac.macosforge.org/projects/calendarserver/ticket/213 + http://trac.macosforge.org/projects/calendarserver/ticket/214 + plus the so far unapplied: + http://trac.macosforge.org/projects/calendarserver/ticket/256 + * Python should be uppercase according to lintian, thanks! + * bump standards version + * drop python-includes.diff - fixed upstream + + -- Guido Guenther Mon, 18 Feb 2008 10:41:19 +0100 + +pykerberos (1.0-1) unstable; urgency=low + + * "New" upstream version + * Upstream finally tagged a 1.0 version (which is identical to 0.0.svn1541) + + -- Guido Guenther Fri, 26 Oct 2007 13:14:57 +0200 + +pykerberos (0.0.svn1541-1) unstable; urgency=low + + * Forward to upstream svn revision 1541 + * new patch: python_includes.diff, upstream broke the python.h include again + + -- Guido Guenther Sat, 04 Aug 2007 23:27:24 +0200 + +pykerberos (0.0.svn271-2) unstable; urgency=low + + * build depend on python-all-dev, thanks to Cyril Brulebois + (Closes: #432353) + * allow the package into testing (Closes: #392540) + + -- Guido Guenther Mon, 16 Jul 2007 13:37:53 -0400 + +pykerberos (0.0.svn271-1) unstable; urgency=low + + * New Upstream Version. This fixes the bad error reporting, so after the API + is approved stable upstream we can move this package back to testing. + * dropped patches: + fix-setup: fixed upstream + + -- Guido Guenther Fri, 3 Nov 2006 18:01:08 +0100 + +pykerberos (0.0.svn202-1) unstable; urgency=low + + * New Upstream Version + * dropped patches: + kerberos-includes: applied upstream + python-includes: not needed anymore since upstream uses standard include + paths now + * modified patches: + fix-setup: most of it applied upstream, oneliner now + + -- Guido Guenther Wed, 27 Sep 2006 10:06:54 +0200 + +pykerberos (0.0.svn124-2) unstable; urgency=low + + * use MIT kerberos instead of heimdal kerberos. This makes it easier for us + to keep close to upstream. + * dropped patches: + declare-nt-service - not needed with MIT kerberos + * modified patches: + kerberos-includes + setup.py + pass the include dirs via setup.py instead of #ifdef'ing them in the + header files + + -- Guido Guenther Fri, 15 Sep 2006 13:57:13 +0200 + +pykerberos (0.0.svn124-1) unstable; urgency=low + + * new upstream SVN version + * drop patches: + - printf-cleanups + - include-stdlib + applied upstream + * remove superflous debian/dirs + + -- Guido Guenther Wed, 13 Sep 2006 18:59:24 +0200 + +pykerberos (0.0.svn96-1) unstable; urgency=low + + * new upstream SVN version + + -- Guido Guenther Fri, 8 Sep 2006 19:28:27 +0200 + +pykerberos (0.0.svn55-2) unstable; urgency=low + + * rename to python-kerberos + + -- Guido Guenther Thu, 7 Sep 2006 19:00:54 +0200 + +pykerberos (0.0.svn55-1) unstable; urgency=low + + * Initial release (Closes: #384589) + + -- Guido Guenther Thu, 24 Aug 2006 14:38:08 +0200 + --- pykerberos-1.0+svn2447.orig/debian/compat +++ pykerberos-1.0+svn2447/debian/compat @@ -0,0 +1 @@ +5 --- pykerberos-1.0+svn2447.orig/debian/control +++ pykerberos-1.0+svn2447/debian/control @@ -0,0 +1,25 @@ +Source: pykerberos +Section: python +Priority: optional +Maintainer: Guido Guenther +Build-Depends: cdbs, debhelper (>= 5), quilt, libkrb5-dev, python-all-dev, python-support (>= 0.3) +Standards-Version: 3.7.3 +Vcs-Git: git://git.debian.org/git/calendarserver/pykerberos.git +Vcs-Browser: http://git.debian.org/?p=calendarserver/pykerberos.git + +Package: python-kerberos +Architecture: any +Depends: ${python:Depends}, ${shlibs:Depends}, ${misc:Depends} +Replaces: python2.4-kerberos (<= 0.0.svn55-1) +Conflicts: python2.4-kerberos (<= 0.0.svn55-1) +Provides: ${python:Provides} +XB-Python-Version: ${python:Versions} +Description: A GSSAPI interface module for Python + This Python package is a high-level wrapper for Kerberos (GSSAPI) operations. + The goal is to avoid having to build a module that wraps the entire + Kerberos.framework, and instead offer a limited set of functions that do what + is needed for client/server Kerberos authentication based on + . + . + Much of the C-code here is adapted from Appache's mod_auth_kerb-5.0rc7. + --- pykerberos-1.0+svn2447.orig/debian/copyright +++ pykerberos-1.0+svn2447/debian/copyright @@ -0,0 +1,211 @@ +This package was debianized by Guido Guenther on +Thu, 24 Aug 2006 14:38:08 +0200. + +It was downloaded from http://trac.macosforge.org/projects/collaboration/browser/PyKerberos/trunk/ + +Upstream Author: Cyrus Daboo + +Copyright: 2006 Apple Computer, Inc. All rights reserved. + +License: + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. --- pykerberos-1.0+svn2447.orig/debian/docs +++ pykerberos-1.0+svn2447/debian/docs @@ -0,0 +1,2 @@ +README.txt +README.txt --- pykerberos-1.0+svn2447.orig/debian/pycompat +++ pykerberos-1.0+svn2447/debian/pycompat @@ -0,0 +1 @@ +2 --- pykerberos-1.0+svn2447.orig/debian/pyversions +++ pykerberos-1.0+svn2447/debian/pyversions @@ -0,0 +1 @@ +2.4- --- pykerberos-1.0+svn2447.orig/debian/rules +++ pykerberos-1.0+svn2447/debian/rules @@ -0,0 +1,12 @@ +#!/usr/bin/make -f + +DEB_TAR_SRCDIR := pykerberos-0.0.svn55 +DEB_AUTO_CLEANUP_RCS := yes + +DEB_PYTHON_SYSTEM = pysupport +DEB_PYTHON_CLEAN_ARGS = --all + +# Add here any variable or target overrides you need +include /usr/share/cdbs/1/rules/debhelper.mk +include /usr/share/cdbs/1/class/python-distutils.mk +include /usr/share/cdbs/1/rules/patchsys-quilt.mk --- pykerberos-1.0+svn2447.orig/debian/patches/0002-Wrap-Unwrap.patch +++ pykerberos-1.0+svn2447/debian/patches/0002-Wrap-Unwrap.patch @@ -0,0 +1,330 @@ +From 6ab1953a5a6a05bc11444017801ac50ac9428d0a Mon Sep 17 00:00:00 2001 +From: Guido Guenther +Date: Fri, 23 May 2008 09:11:10 +0200 +Subject: [PATCH] Wrap/Unwrap patch from ticket #214. Plus some minor code clean-up. + +git-svn-id: http://svn.macosforge.org/repository/calendarserver/PyKerberos/branches/more-kerberos@2146 e27351fd-9f3e-4f54-a53b-843176b1656c + +Conflicts: + + src/kerberos.c + src/kerberosgss.c + src/kerberosgss.h +--- + pysrc/kerberos.py | 17 +++++++ + src/kerberos.c | 50 +++++++++++++++++++- + src/kerberosgss.c | 136 +++++++++++++++++++++++++++++++++++++++++++++++++++- + src/kerberosgss.h | 10 +++- + 4 files changed, 206 insertions(+), 7 deletions(-) + +diff --git a/pysrc/kerberos.py b/pysrc/kerberos.py +index 0f593df..88a0e4b 100644 +--- a/pysrc/kerberos.py ++++ b/pysrc/kerberos.py +@@ -139,6 +139,23 @@ def authGSSClientUserName(context): + @return: a string containing the user name. + """ + ++def authGSSClientUnwrap(context, challenge): ++ """ ++ Perform the client side GSSAPI unwrap step ++ ++ @param challenge: a string containing the base64-encoded server data. ++ @return: a result code (see above) ++ """ ++ ++def authGSSClientWrap(context, data, user): ++ """ ++ Perform the client side GSSAPI wrap step. ++ ++ @param data:the result of the authGSSClientResponse after the authGSSClientUnwrap ++ @param user: the user to authorize ++ @return: a result code (see above) ++ """ ++ + def authGSSServerInit(service): + """ + Initializes a context for GSSAPI server-side authentication with the given service principal. +diff --git a/src/kerberos.c b/src/kerberos.c +index f015ee9..590bfb5 100644 +--- a/src/kerberos.c ++++ b/src/kerberos.c +@@ -84,7 +84,7 @@ static PyObject *getServerPrincipalDetails(PyObject *self, PyObject *args) + return NULL; + } + +-static PyObject *authGSSClientInit(PyObject *self, PyObject *args) ++static PyObject* authGSSClientInit(PyObject* self, PyObject* args) + { + const char *service; + gss_client_state *state; +@@ -176,6 +176,48 @@ static PyObject *authGSSClientUserName(PyObject *self, PyObject *args) + return Py_BuildValue("s", state->username); + } + ++static PyObject *authGSSClientUnwrap(PyObject *self, PyObject *args) ++{ ++ gss_client_state *state; ++ PyObject *pystate; ++ char *challenge; ++ int result = 0; ++ ++ if (!PyArg_ParseTuple(args, "Os", &pystate, &challenge) || !PyCObject_Check(pystate)) ++ return NULL; ++ ++ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate); ++ if (state == NULL) ++ return NULL; ++ ++ result = authenticate_gss_client_unwrap(state, challenge); ++ if (result == AUTH_GSS_ERROR) ++ return NULL; ++ ++ return Py_BuildValue("i", result); ++} ++ ++static PyObject *authGSSClientWrap(PyObject *self, PyObject *args) ++{ ++ gss_client_state *state; ++ PyObject *pystate; ++ char *challenge, *user; ++ int result = 0; ++ ++ if (!PyArg_ParseTuple(args, "Oss", &pystate, &challenge, &user) || !PyCObject_Check(pystate)) ++ return NULL; ++ ++ state = (gss_client_state *)PyCObject_AsVoidPtr(pystate); ++ if (state == NULL) ++ return NULL; ++ ++ result = authenticate_gss_client_wrap(state, challenge, user); ++ if (result == AUTH_GSS_ERROR) ++ return NULL; ++ ++ return Py_BuildValue("i", result); ++} ++ + static PyObject *authGSSServerInit(PyObject *self, PyObject *args) + { + const char *service; +@@ -287,6 +329,10 @@ static PyMethodDef KerberosMethods[] = { + "Get the user name from the last client-side GSSAPI step."}, + {"authGSSServerInit", authGSSServerInit, METH_VARARGS, + "Initialize server-side GSSAPI operations."}, ++ {"authGSSClientWrap", authGSSClientWrap, METH_VARARGS, ++ "Do a GSSAPI wrap."}, ++ {"authGSSClientUnwrap", authGSSClientUnwrap, METH_VARARGS, ++ "Do a GSSAPI unwrap."}, + {"authGSSServerClean", authGSSServerClean, METH_VARARGS, + "Terminate server-side GSSAPI operations."}, + {"authGSSServerStep", authGSSServerStep, METH_VARARGS, +@@ -329,7 +375,7 @@ PyMODINIT_FUNC initkerberos(void) + PyDict_SetItemString(d, "GSSError", GssException_class); + + PyDict_SetItemString(d, "AUTH_GSS_COMPLETE", PyInt_FromLong(AUTH_GSS_COMPLETE)); +- PyDict_SetItemString(d, "AUTH_GSS_CONTINUE", PyInt_FromLong(AUTH_GSS_CONTINUE)); ++ PyDict_SetItemString(d, "AUTH_GSS_CONTINUE", PyInt_FromLong(AUTH_GSS_CONTINUE)); + + error: + if (PyErr_Occurred()) +diff --git a/src/kerberosgss.c b/src/kerberosgss.c +index 7a54751..e0b15b5 100644 +--- a/src/kerberosgss.c ++++ b/src/kerberosgss.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + static void set_gss_error(OM_uint32 err_maj, OM_uint32 err_min); + +@@ -106,7 +107,7 @@ end: + return result; + } + +-int authenticate_gss_client_init(const char* service, gss_client_state *state) ++int authenticate_gss_client_init(const char* service, gss_client_state* state) + { + OM_uint32 maj_stat; + OM_uint32 min_stat; +@@ -159,7 +160,7 @@ int authenticate_gss_client_clean(gss_client_state *state) + return ret; + } + +-int authenticate_gss_client_step(gss_client_state *state, const char* challenge) ++int authenticate_gss_client_step(gss_client_state* state, const char* challenge) + { + OM_uint32 maj_stat; + OM_uint32 min_stat; +@@ -254,7 +255,136 @@ end: + return ret; + } + +-int authenticate_gss_server_init(const char* service, gss_server_state *state) ++int authenticate_gss_client_unwrap(gss_client_state *state, const char *challenge) ++{ ++ OM_uint32 maj_stat; ++ OM_uint32 min_stat; ++ gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; ++ int ret = AUTH_GSS_CONTINUE; ++ ++ // Always clear out the old response ++ if (state->response != NULL) ++ { ++ free(state->response); ++ state->response = NULL; ++ } ++ ++ // If there is a challenge (data from the server) we need to give it to GSS ++ if (challenge && *challenge) ++ { ++ int len; ++ input_token.value = base64_decode(challenge, &len); ++ input_token.length = len; ++ } ++ ++ // Do GSSAPI step ++ maj_stat = gss_unwrap(&min_stat, ++ state->context, ++ &input_token, ++ &output_token, ++ NULL, ++ NULL); ++ ++ if (maj_stat != GSS_S_COMPLETE) ++ { ++ set_gss_error(maj_stat, min_stat); ++ ret = AUTH_GSS_ERROR; ++ goto end; ++ } ++ else ++ ret = AUTH_GSS_COMPLETE; ++ ++ // Grab the client response ++ if (output_token.length) ++ { ++ state->response = base64_encode((const unsigned char *)output_token.value, output_token.length); ++ maj_stat = gss_release_buffer(&min_stat, &output_token); ++ } ++end: ++ if (output_token.value) ++ gss_release_buffer(&min_stat, &output_token); ++ if (input_token.value) ++ free(input_token.value); ++ return ret; ++} ++ ++int authenticate_gss_client_wrap(gss_client_state* state, const char* challenge, const char* user) ++{ ++ OM_uint32 maj_stat; ++ OM_uint32 min_stat; ++ gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; ++ int ret = AUTH_GSS_CONTINUE; ++ char buf[4096], server_conf_flags; ++ unsigned long buf_size; ++ ++ // Always clear out the old response ++ if (state->response != NULL) ++ { ++ free(state->response); ++ state->response = NULL; ++ } ++ ++ if (challenge && *challenge) ++ { ++ int len; ++ input_token.value = base64_decode(challenge, &len); ++ input_token.length = len; ++ } ++ ++ // get bufsize ++ server_conf_flags = ((char*) input_token.value)[0]; ++ ((char*) input_token.value)[0] = 0; ++ buf_size = ntohl(*((long *) input_token.value)); ++ free(input_token.value); ++#ifdef PRINTFS ++ printf("User: %s, %c%c%c\n", user, ++ server_conf_flags & GSS_AUTH_P_NONE ? 'N' : '-', ++ server_conf_flags & GSS_AUTH_P_INTEGRITY ? 'I' : '-', ++ server_conf_flags & GSS_AUTH_P_PRIVACY ? 'P' : '-'); ++ printf("Maximum GSS token size is %ld\n", buf_size); ++#endif ++ ++ // agree to terms (hack!) ++ buf_size = htonl(buf_size); // not relevant without integrity/privacy ++ memcpy(buf, &buf_size, 4); ++ buf[0] = GSS_AUTH_P_NONE; ++ // server decides if principal can log in as user ++ strncpy(buf + 4, user, sizeof(buf) - 4); ++ input_token.value = buf; ++ input_token.length = 4 + strlen(user) + 1; ++ ++ // Do GSSAPI wrap ++ maj_stat = gss_wrap(&min_stat, ++ state->context, ++ 0, ++ GSS_C_QOP_DEFAULT, ++ &input_token, ++ NULL, ++ &output_token); ++ ++ if (maj_stat != GSS_S_COMPLETE) ++ { ++ set_gss_error(maj_stat, min_stat); ++ ret = AUTH_GSS_ERROR; ++ goto end; ++ } ++ else ++ ret = AUTH_GSS_COMPLETE; ++ // Grab the client response to send back to the server ++ if (output_token.length) ++ { ++ state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);; ++ maj_stat = gss_release_buffer(&min_stat, &output_token); ++ } ++end: ++ if (output_token.value) ++ gss_release_buffer(&min_stat, &output_token); ++ return ret; ++} ++ ++int authenticate_gss_server_init(const char *service, gss_server_state *state) + { + OM_uint32 maj_stat; + OM_uint32 min_stat; +diff --git a/src/kerberosgss.h b/src/kerberosgss.h +index 2604716..90cb919 100644 +--- a/src/kerberosgss.h ++++ b/src/kerberosgss.h +@@ -26,6 +26,10 @@ + #define AUTH_GSS_COMPLETE 1 + #define AUTH_GSS_CONTINUE 0 + ++#define GSS_AUTH_P_NONE 1 ++#define GSS_AUTH_P_INTEGRITY 2 ++#define GSS_AUTH_P_PRIVACY 4 ++ + typedef struct { + gss_ctx_id_t context; + gss_name_t server_name; +@@ -45,10 +49,12 @@ typedef struct { + + char* server_principal_details(const char* service, const char* hostname); + +-int authenticate_gss_client_init(const char* service, gss_client_state *state); ++int authenticate_gss_client_init(const char* service, gss_client_state* state); + int authenticate_gss_client_clean(gss_client_state *state); + int authenticate_gss_client_step(gss_client_state *state, const char *challenge); ++int authenticate_gss_client_unwrap(gss_client_state* state, const char* challenge); ++int authenticate_gss_client_wrap(gss_client_state* state, const char* challenge, const char* user); + +-int authenticate_gss_server_init(const char* service, gss_server_state *state); ++int authenticate_gss_server_init(const char* service, gss_server_state* state); + int authenticate_gss_server_clean(gss_server_state *state); + int authenticate_gss_server_step(gss_server_state *state, const char *challenge); +-- +1.5.5.1 + --- pykerberos-1.0+svn2447.orig/debian/patches/series +++ pykerberos-1.0+svn2447/debian/patches/series @@ -0,0 +1,3 @@ +0001-Some-useful-constants.patch +0002-Wrap-Unwrap.patch +0003-Remove-some-OS-X-specific-descriptions.patch --- pykerberos-1.0+svn2447.orig/debian/patches/0003-Remove-some-OS-X-specific-descriptions.patch +++ pykerberos-1.0+svn2447/debian/patches/0003-Remove-some-OS-X-specific-descriptions.patch @@ -0,0 +1,45 @@ +From b7d44a0cd44dccecbd9efa3f8818ed10ca25de9c Mon Sep 17 00:00:00 2001 +From: cdaboo@apple.com +Date: Mon, 18 Feb 2008 16:23:48 +0000 +Subject: [PATCH] Remove some OS X specific descriptions. + +git-svn-id: http://svn.macosforge.org/repository/calendarserver/PyKerberos/branches/more-kerberos@2147 e27351fd-9f3e-4f54-a53b-843176b1656c +--- + README.txt | 4 ++-- + pysrc/kerberos.py | 3 +-- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/README.txt b/README.txt +index 5fad7aa..3e62985 100644 +--- a/README.txt ++++ b/README.txt +@@ -48,10 +48,10 @@ TESTING + ======= + + You must have a valid Kerberos setup on the test machine and you should ensure that you have valid +-Kerberos tickets for any client authentication being done (run /System/Library/CoreServices/Kerberos.app). ++Kerberos tickets for any client authentication being done (run 'klist' on the command line). + Additionally, for the server: it must have been configured as a valid Kerberos service with the Kerbersos server + for its realm - this usually requires running kadmin on the server machine to add the principal and generate a keytab +-entry for it. ++entry for it (run 'sudo klist -k' to see the currently available keytab entries). + + Make sure that PYTHONPATH includes the appropriate build/lib.xxxx directory. + Then run test.py with suitable command line arguments: +diff --git a/pysrc/kerberos.py b/pysrc/kerberos.py +index 88a0e4b..6fb8a2c 100644 +--- a/pysrc/kerberos.py ++++ b/pysrc/kerberos.py +@@ -38,8 +38,7 @@ def checkPassword(user, pswd, service, default_realm): + + NB For this to work properly the Kerberos must be configured properly on this machine. + That will likely mean ensuring that the edu.mit.Kerberos preference file has the correct +- realms and KDCs listed. This can be done via the /System/Library/CoreServices/Kerberos.app +- tool's 'Edit Realms' command. ++ realms and KDCs listed. + + @param user: a string containing the Kerberos user name. A realm may be + included by appending an '@' followed by the realm string to the actual user id. +-- +1.5.5.1 + --- pykerberos-1.0+svn2447.orig/debian/patches/0001-Some-useful-constants.patch +++ pykerberos-1.0+svn2447/debian/patches/0001-Some-useful-constants.patch @@ -0,0 +1,43 @@ +From 14627ea0a7b1d9fe90cb8033995cda429b9dc004 Mon Sep 17 00:00:00 2001 +From: cdaboo@apple.com +Date: Fri, 15 Feb 2008 15:11:14 +0000 +Subject: [PATCH] Some useful constants (contributed patch from ticket #213). + +git-svn-id: http://svn.macosforge.org/repository/calendarserver/PyKerberos/branches/more-kerberos@2145 e27351fd-9f3e-4f54-a53b-843176b1656c +--- + pysrc/kerberos.py | 4 ++++ + src/kerberos.c | 3 +++ + 2 files changed, 7 insertions(+), 0 deletions(-) + +diff --git a/pysrc/kerberos.py b/pysrc/kerberos.py +index 9218e41..0f593df 100644 +--- a/pysrc/kerberos.py ++++ b/pysrc/kerberos.py +@@ -87,6 +87,10 @@ GSSAPI Function Result Codes: + + """ + ++# Some useful result codes ++AUTH_GSS_CONTINUE=0 ++AUTH_GSS_COMPLETE=1 ++ + def authGSSClientInit(service): + """ + Initializes a context for GSSAPI client-side authentication with the given service principal. +diff --git a/src/kerberos.c b/src/kerberos.c +index 34c2141..f015ee9 100644 +--- a/src/kerberos.c ++++ b/src/kerberos.c +@@ -328,6 +328,9 @@ PyMODINIT_FUNC initkerberos(void) + Py_INCREF(GssException_class); + PyDict_SetItemString(d, "GSSError", GssException_class); + ++ PyDict_SetItemString(d, "AUTH_GSS_COMPLETE", PyInt_FromLong(AUTH_GSS_COMPLETE)); ++ PyDict_SetItemString(d, "AUTH_GSS_CONTINUE", PyInt_FromLong(AUTH_GSS_CONTINUE)); ++ + error: + if (PyErr_Occurred()) + PyErr_SetString(PyExc_ImportError, "kerberos: init failed"); +-- +1.5.5.1 +