* [rpms/myproxy] rawhide: Compile with OpenSSL 4
@ 2026-06-14 10:27 Mattias Ellert
From: Mattias Ellert @ 2026-06-14 10:27 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/myproxy
Branch : rawhide
Commit : d166cea057e373cceda9f0b294cf145dfacbf33c
Author : Mattias Ellert <mattias.ellert@physics.uu.se>
Date : 2026-06-14T12:27:00+02:00
Stats : +6188/-2 in 4 file(s)
URL : https://src.fedoraproject.org/rpms/myproxy/c/d166cea057e373cceda9f0b294cf145dfacbf33c?branch=rawhide
Log:
Compile with OpenSSL 4
Fix compiler warnings
---
diff --git a/0001-Untabify-and-remove-trailing-white-space.patch b/0001-Untabify-and-remove-trailing-white-space.patch
new file mode 100644
index 0000000..b59378c
--- /dev/null
+++ b/0001-Untabify-and-remove-trailing-white-space.patch
@@ -0,0 +1,5677 @@
+From 3ccdaa0236230bbcbcbf339e7dfdfaf23c10bd6f Mon Sep 17 00:00:00 2001
+From: Mattias Ellert <mattias.ellert@physics.uu.se>
+Date: Wed, 20 May 2026 00:15:37 +0200
+Subject: [PATCH 1/3] Untabify and remove trailing white-space
+
+---
+ myproxy/source/certauth_extensions.c | 380 ++--
+ myproxy/source/gssapi.c | 2280 +++++++++++------------
+ myproxy/source/myproxy.c | 24 +-
+ myproxy/source/myproxy_alcf.c | 514 ++---
+ myproxy/source/myproxy_get_credential.c | 264 +--
+ myproxy/source/myproxy_ocsp.c | 12 +-
+ myproxy/source/myproxy_ocsp_aia.c | 106 +-
+ myproxy/source/myproxy_store.c | 458 ++---
+ myproxy/source/vomsclient.c | 46 +-
+ 9 files changed, 2042 insertions(+), 2042 deletions(-)
+
+diff --git a/myproxy/source/certauth_extensions.c b/myproxy/source/certauth_extensions.c
+index 14af33e54..4ebf83b9c 100644
+--- a/myproxy/source/certauth_extensions.c
++++ b/myproxy/source/certauth_extensions.c
+@@ -43,10 +43,10 @@ RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
+
+ #endif
+
+-static int
++static int
+ read_cert_request(GSI_SOCKET *self,
+- unsigned char **buffer,
+- size_t *length) {
++ unsigned char **buffer,
++ size_t *length) {
+
+ int return_value = 1;
+ unsigned char * input_buffer = NULL;
+@@ -58,7 +58,7 @@ read_cert_request(GSI_SOCKET *self,
+ }
+
+ if (GSI_SOCKET_read_token(self, &input_buffer,
+- &input_buffer_length) == GSI_SOCKET_ERROR) {
++ &input_buffer_length) == GSI_SOCKET_ERROR) {
+ verror_put_string("read_cert_request(): Read from socket failed");
+ goto error;
+ }
+@@ -81,13 +81,13 @@ read_cert_request(GSI_SOCKET *self,
+
+ }
+
+-static int
++static int
+ send_certificate(GSI_SOCKET *self,
+- unsigned char *buffer,
+- size_t length) {
++ unsigned char *buffer,
++ size_t length) {
+
+- if (GSI_SOCKET_write_buffer(self, (const char *)buffer,
+- length) == GSI_SOCKET_ERROR) {
++ if (GSI_SOCKET_write_buffer(self, (const char *)buffer,
++ length) == GSI_SOCKET_ERROR) {
+ verror_put_string("Error writing certificate to client!");
+ return 1;
+ }
+@@ -96,7 +96,7 @@ send_certificate(GSI_SOCKET *self,
+
+ }
+
+-static void
++static void
+ add_key_value( char * key, char * value, char buffer[] ) {
+
+ strcat( buffer, key );
+@@ -110,11 +110,11 @@ add_key_value( char * key, char * value, char buffer[] ) {
+ }
+
+
+-static int
+-external_callout( X509_REQ *request,
+- X509 **cert,
+- myproxy_request_t *client_request,
+- myproxy_server_context_t *server_context) {
++static int
++external_callout( X509_REQ *request,
++ X509 **cert,
++ myproxy_request_t *client_request,
++ myproxy_server_context_t *server_context) {
+
+ int return_value = 1;
+
+@@ -131,12 +131,12 @@ external_callout( X509_REQ *request,
+ memset(buffer, '\0', BUF_SIZE);
+ memset(intbuf, '\0', 128);
+
+- myproxy_debug("callout using: %s",
+- server_context->certificate_issuer_program);
++ myproxy_debug("callout using: %s",
++ server_context->certificate_issuer_program);
+
+ if ((pid = myproxy_popen(fds,
+- server_context->certificate_issuer_program,
+- NULL)) < 0) {
++ server_context->certificate_issuer_program,
++ NULL)) < 0) {
+ return -1; /* myproxy_popen will set verror */
+ }
+
+@@ -162,7 +162,7 @@ external_callout( X509_REQ *request,
+ add_key_value( "authzcreds", client_request->authzcreds, buffer );
+ add_key_value( "keyretrieve", client_request->keyretrieve, buffer );
+ add_key_value( "trusted_retrievers", client_request->trusted_retrievers,
+- buffer );
++ buffer );
+
+ sprintf( intbuf, "%d", server_context->max_cert_lifetime );
+ add_key_value( "max_cert_lifetime", (char*)intbuf, buffer );
+@@ -253,10 +253,10 @@ lock_file(int fd)
+
+ while( fcntl( fd, F_SETLKW, &fl ) < 0 )
+ {
+- if ( errno != EINTR )
+- {
+- return -1;
+- }
++ if ( errno != EINTR )
++ {
++ return -1;
++ }
+ }
+ return 0;
+ }
+@@ -266,9 +266,9 @@ lock_file(int fd)
+ * of file locking
+ */
+
+-static int
+-assign_serial_number( X509 *cert,
+- myproxy_server_context_t *server_context ) {
++static int
++assign_serial_number( X509 *cert,
++ myproxy_server_context_t *server_context ) {
+
+ int retval = 1;
+ long serialset;
+@@ -301,7 +301,7 @@ assign_serial_number( X509 *cert,
+ const char *sdir;
+ sdir = myproxy_get_storage_dir();
+ if (sdir == NULL) {
+- goto error;
++ goto error;
+ }
+ serialfile = malloc(strlen(sdir)+strlen("/serial")+1);
+ sprintf(serialfile, "%s/serial", sdir);
+@@ -351,11 +351,11 @@ assign_serial_number( X509 *cert,
+
+ if (serialset) {
+ if (!a2i_ASN1_INTEGER(serialbio, current, buf, sizeof(buf))) {
+- verror_put_string("Asn1 int read/conversion error\n");
++ verror_put_string("Asn1 int read/conversion error\n");
+ ssl_error_to_verror();
+- goto error;
++ goto error;
+ } else {
+- myproxy_debug("Loaded serial number 0x%s from %s", buf, serialfile);
++ myproxy_debug("Loaded serial number 0x%s from %s", buf, serialfile);
+ }
+ } else {
+ ASN1_INTEGER_set(current, server_context->certificate_serial_skip);
+@@ -393,7 +393,7 @@ assign_serial_number( X509 *cert,
+ * the underlying file stream and close()ing the file descriptor,
+ * which will release the lock.
+ */
+-
++
+ BIO_free(serialbio);
+ serialbio = NULL;
+ serialstream = NULL;
+@@ -447,7 +447,7 @@ write_certificate(X509 *cert, const char serial[], const char dir[]) {
+ goto error;
+ }
+ close(fd);
+- if ((bp=BIO_new(BIO_s_file())) == NULL) {
++ if ((bp=BIO_new(BIO_s_file())) == NULL) {
+ myproxy_debug("BIO_new(BIO_s_file()) failed");
+ goto error;
+ }
+@@ -463,7 +463,7 @@ write_certificate(X509 *cert, const char serial[], const char dir[]) {
+
+ error:
+ free(path);
+- BIO_free_all(bp);
++ BIO_free_all(bp);
+
+ return rval;
+ }
+@@ -474,14 +474,14 @@ static ENGINE *engine=NULL;
+ static int engine_used=0;
+ #endif
+
+-static int
+-generate_certificate( X509_REQ *request,
+- X509 **certificate,
+- EVP_PKEY *pkey,
+- myproxy_request_t *client_request,
+- myproxy_server_context_t *server_context) {
++static int
++generate_certificate( X509_REQ *request,
++ X509 **certificate,
++ EVP_PKEY *pkey,
++ myproxy_request_t *client_request,
++ myproxy_server_context_t *server_context) {
+
+- int return_value = 1;
++ int return_value = 1;
+ int not_after;
+ int lockfd = -1;
+ int i;
+@@ -503,7 +503,7 @@ generate_certificate( X509_REQ *request,
+
+ cert = X509_new();
+
+- ctxp = &ctx; /* needed for X509V3 macros */
++ ctxp = &ctx; /* needed for X509V3 macros */
+ X509V3_set_ctx_nodb(ctxp);
+
+ if (cert == NULL) {
+@@ -517,7 +517,7 @@ generate_certificate( X509_REQ *request,
+ /* this has already been called successfully, but... */
+
+ if ( user_dn_lookup( client_request->username, &userdn,
+- server_context ) ) {
++ server_context ) ) {
+ verror_put_string("unknown username: %s", client_request->username);
+ goto error;
+ }
+@@ -561,16 +561,16 @@ generate_certificate( X509_REQ *request,
+ issuer_cert_file = fopen(server_context->certificate_issuer_cert, "r");
+ if (issuer_cert_file == NULL) {
+ verror_put_string("Error opening certificate file %s",
+- server_context->certificate_issuer_cert);
++ server_context->certificate_issuer_cert);
+ verror_put_errno(errno);
+ goto error;
+ }
+-
++
+ if ((issuer_cert = PEM_read_X509(issuer_cert_file,
+- NULL, NULL, NULL)) == NULL)
++ NULL, NULL, NULL)) == NULL)
+ {
+ verror_put_string("Error reading certificate %s",
+- server_context->certificate_issuer_cert);
++ server_context->certificate_issuer_cert);
+ ssl_error_to_verror();
+ fclose(issuer_cert_file);
+ goto error;
+@@ -595,10 +595,10 @@ generate_certificate( X509_REQ *request,
+
+ if (!server_context->max_cert_lifetime) {
+ not_after = MIN(client_request->proxy_lifetime,
+- SECONDS_PER_HOUR * MYPROXY_DEFAULT_DELEG_HOURS);
++ SECONDS_PER_HOUR * MYPROXY_DEFAULT_DELEG_HOURS);
+ } else {
+ not_after = MIN(client_request->proxy_lifetime,
+- server_context->max_cert_lifetime);
++ server_context->max_cert_lifetime);
+ }
+
+ myproxy_debug("cert lifetime: %d", not_after );
+@@ -606,7 +606,7 @@ generate_certificate( X509_REQ *request,
+ /* allow 5m clock skew */
+ X509_gmtime_adj(X509_get_notBefore(cert), -(MYPROXY_DEFAULT_CLOCK_SKEW));
+ X509_gmtime_adj(X509_get_notAfter(cert), (long)not_after);
+-
++
+ X509_set_pubkey(cert, pkey);
+
+ /* extensions */
+@@ -617,77 +617,77 @@ generate_certificate( X509_REQ *request,
+ long errorline = -1;
+ extconf = NCONF_new(NULL);
+ if (server_context->certificate_extfile) {
+- if (NCONF_load(extconf, server_context->certificate_extfile,
+- &errorline) <= 0) {
+- if (errorline <= 0) {
+- verror_put_string("OpenSSL error loading the certificate_extfile '%s'", server_context->certificate_extfile);
+- } else {
+- verror_put_string("OpenSSL error on line %ld of certificate_extfile '%s'\n", errorline, server_context->certificate_extfile);
+- }
+- goto error;
+- }
+- myproxy_debug("Successfully loaded extensions file %s.",
+- server_context->certificate_extfile);
++ if (NCONF_load(extconf, server_context->certificate_extfile,
++ &errorline) <= 0) {
++ if (errorline <= 0) {
++ verror_put_string("OpenSSL error loading the certificate_extfile '%s'", server_context->certificate_extfile);
++ } else {
++ verror_put_string("OpenSSL error on line %ld of certificate_extfile '%s'\n", errorline, server_context->certificate_extfile);
++ }
++ goto error;
++ }
++ myproxy_debug("Successfully loaded extensions file %s.",
++ server_context->certificate_extfile);
+ } else {
+- pid_t childpid;
+- int fds[3];
+- int exit_status;
+- FILE *nconf_stream = NULL;
+- myproxy_debug("calling %s", server_context->certificate_extapp);
+- if ((childpid = myproxy_popen(fds,
+- server_context->certificate_extapp,
+- client_request->username,
+- NULL)) < 0) {
+- return -1; /* myproxy_popen will set verror */
+- }
+- close(fds[0]);
+- if (waitpid(childpid, &exit_status, 0) == -1) {
+- verror_put_string("wait() failed for extapp child");
+- verror_put_errno(errno);
+- return -1;
+- }
+- if (exit_status != 0) {
+- FILE *fp = NULL;
+- char buf[100];
+- verror_put_string("Certificate extension call-out returned non-zero.");
+- fp = fdopen(fds[1], "r");
+- if (fp) {
+- while (fgets(buf, 100, fp) != NULL) {
+- verror_put_string("%s", buf);
+- }
+- fclose(fp);
+- }
+- fp = fdopen(fds[2], "r");
+- if (fp) {
+- while (fgets(buf, 100, fp) != NULL) {
+- verror_put_string("%s", buf);
+- }
+- fclose(fp);
+- }
+- goto error;
+- }
+- close(fds[2]);
+- nconf_stream = fdopen(fds[1], "r");
+- if (NCONF_load_fp(extconf, nconf_stream, &errorline) <= 0) {
+- if (errorline <= 0) {
+- verror_put_string("OpenSSL error parsing output of certificate_extapp call-out.");
+- } else {
+- verror_put_string("OpenSSL error parsing line %ld of of certificate_extapp call-out output.", errorline);
+- }
+- fclose(nconf_stream);
+- goto error;
+- }
+- fclose(nconf_stream);
++ pid_t childpid;
++ int fds[3];
++ int exit_status;
++ FILE *nconf_stream = NULL;
++ myproxy_debug("calling %s", server_context->certificate_extapp);
++ if ((childpid = myproxy_popen(fds,
++ server_context->certificate_extapp,
++ client_request->username,
++ NULL)) < 0) {
++ return -1; /* myproxy_popen will set verror */
++ }
++ close(fds[0]);
++ if (waitpid(childpid, &exit_status, 0) == -1) {
++ verror_put_string("wait() failed for extapp child");
++ verror_put_errno(errno);
++ return -1;
++ }
++ if (exit_status != 0) {
++ FILE *fp = NULL;
++ char buf[100];
++ verror_put_string("Certificate extension call-out returned non-zero.");
++ fp = fdopen(fds[1], "r");
++ if (fp) {
++ while (fgets(buf, 100, fp) != NULL) {
++ verror_put_string("%s", buf);
++ }
++ fclose(fp);
++ }
++ fp = fdopen(fds[2], "r");
++ if (fp) {
++ while (fgets(buf, 100, fp) != NULL) {
++ verror_put_string("%s", buf);
++ }
++ fclose(fp);
++ }
++ goto error;
++ }
++ close(fds[2]);
++ nconf_stream = fdopen(fds[1], "r");
++ if (NCONF_load_fp(extconf, nconf_stream, &errorline) <= 0) {
++ if (errorline <= 0) {
++ verror_put_string("OpenSSL error parsing output of certificate_extapp call-out.");
++ } else {
++ verror_put_string("OpenSSL error parsing line %ld of of certificate_extapp call-out output.", errorline);
++ }
++ fclose(nconf_stream);
++ goto error;
++ }
++ fclose(nconf_stream);
+ }
+ X509V3_set_nconf(&ctx, extconf);
+ if (!X509V3_EXT_add_nconf(extconf, &ctx, "default", cert))
+ {
+- verror_put_string("OpenSSL error adding extensions.");
++ verror_put_string("OpenSSL error adding extensions.");
+ ssl_error_to_verror();
+- goto error;
++ goto error;
+ }
+ myproxy_debug("Successfully added extensions.");
+- } else { /* add some defaults */
++ } else { /* add some defaults */
+ add_ext(ctxp, cert, NID_key_usage, "critical,Digital Signature, Key Encipherment, Data Encipherment");
+ add_ext(ctxp, cert, NID_ext_key_usage, "clientAuth");
+ add_ext(ctxp, cert, NID_basic_constraints, "critical,CA:FALSE");
+@@ -696,9 +696,9 @@ generate_certificate( X509_REQ *request,
+ if (server_context->certificate_issuer_email_domain) {
+ char *email;
+ email = malloc(strlen(client_request->username)+strlen("email:@")+1+
+- strlen(server_context->certificate_issuer_email_domain));
++ strlen(server_context->certificate_issuer_email_domain));
+ sprintf(email, "email:%s@%s", client_request->username,
+- server_context->certificate_issuer_email_domain);
++ server_context->certificate_issuer_email_domain);
+ add_ext(ctxp, cert, NID_subject_alt_name, email);
+ free(email);
+ }
+@@ -739,13 +739,13 @@ generate_certificate( X509_REQ *request,
+
+ if (!inkey) {
+ verror_put_string("Could not open cakey file handle: %s",
+- server_context->certificate_issuer_key);
++ server_context->certificate_issuer_key);
+ verror_put_errno(errno);
+ goto error;
+ }
+
+ cakey = PEM_read_PrivateKey( inkey, NULL, NULL,
+- (char *)server_context->certificate_issuer_key_passphrase );
++ (char *)server_context->certificate_issuer_key_passphrase );
+
+ fclose(inkey);
+ }
+@@ -774,7 +774,7 @@ generate_certificate( X509_REQ *request,
+ verror_put_string("Certificate/cakey sign failed.");
+ ssl_error_to_verror();
+ goto error;
+- }
++ }
+ serial = i2s_ASN1_OCTET_STRING(NULL, X509_get_serialNumber(cert));
+ #ifndef OPENSSL_NO_ENGINE
+ if (engine) {
+@@ -794,7 +794,7 @@ generate_certificate( X509_REQ *request,
+
+ myproxy_log("Issued certificate for user \"%s\", with DN \"%s\", "
+ "lifetime \"%d\", and serial number \"0x%s\"",
+- client_request->username, userdn,
++ client_request->username, userdn,
+ not_after,
+ serial
+ );
+@@ -824,7 +824,7 @@ generate_certificate( X509_REQ *request,
+ }
+
+
+-static int
++static int
+ arraylen(char **options) {
+ char **ptr;
+ int c = 0;
+@@ -850,30 +850,30 @@ void shutdown_openssl_engine(void) {
+
+ static int ui_read_fn(UI *ui, UI_STRING *ui_string) {
+ switch(UI_get_string_type(ui_string)) {
+- case UIT_PROMPT:
+- case UIT_VERIFY:
+- if(UI_get_input_flags(ui_string) & UI_INPUT_FLAG_ECHO) {
+- UI_set_result(ui, ui_string, (char *) UI_get0_user_data(ui));
+- return 1;
+- } else {
++ case UIT_PROMPT:
++ case UIT_VERIFY:
++ if(UI_get_input_flags(ui_string) & UI_INPUT_FLAG_ECHO) {
++ UI_set_result(ui, ui_string, (char *) UI_get0_user_data(ui));
++ return 1;
++ } else {
++ return 0; /* not supported! */
++ }
++ case UIT_BOOLEAN:
++ default:
+ return 0; /* not supported! */
+- }
+- case UIT_BOOLEAN:
+- default:
+- return 0; /* not supported! */
+ }
+ }
+
+ static int ui_write_fn(UI *ui, UI_STRING *ui_string) {
+ switch(UI_get_string_type(ui_string)) {
+- case UIT_ERROR:
+- verror_put_string("%s", UI_get0_output_string(ui_string));
+- break;
+- case UIT_INFO:
+- myproxy_log("%s", UI_get0_output_string(ui_string));
+- break;
+- default:
+- break;
++ case UIT_ERROR:
++ verror_put_string("%s", UI_get0_output_string(ui_string));
++ break;
++ case UIT_INFO:
++ myproxy_log("%s", UI_get0_output_string(ui_string));
++ break;
++ default:
++ break;
+ }
+ return 1;
+ }
+@@ -889,7 +889,7 @@ int initialise_openssl_engine(myproxy_server_context_t *server_context) {
+ UI_method_set_reader(ui_method, ui_read_fn);
+ UI_method_set_writer(ui_method, ui_write_fn);
+
+- SSL_load_error_strings();
++ SSL_load_error_strings();
+ ENGINE_load_builtin_engines();
+
+ myproxy_log("Initialising OpenSSL signing engine '%s'....", engine_id);
+@@ -900,12 +900,12 @@ int initialise_openssl_engine(myproxy_server_context_t *server_context) {
+ UI_destroy_method(ui_method);
+ return 0;
+ }
+- if(server_context->certificate_openssl_engine_pre) {
+- char **pre_cmds;
+- int pre_num;
++ if(server_context->certificate_openssl_engine_pre) {
++ char **pre_cmds;
++ int pre_num;
+ pre_cmds = server_context->certificate_openssl_engine_pre;
+- pre_num = arraylen(pre_cmds);
+- while(pre_num--) {
++ pre_num = arraylen(pre_cmds);
++ while(pre_num--) {
+ char *name, *value=NULL;
+ char *n = strchr(pre_cmds[0], ':');
+ if(n==NULL) {
+@@ -915,19 +915,19 @@ int initialise_openssl_engine(myproxy_server_context_t *server_context) {
+ name=pre_cmds[0];
+ value=n+1;
+ }
+- if(!ENGINE_ctrl_cmd_string(e, name, value, 0)) {
++ if(!ENGINE_ctrl_cmd_string(e, name, value, 0)) {
+ fprintf(stderr, "Failed pre command (%s - %s:%s)\n",
+ engine_id, name, value ? value : "(NULL)");
+ ENGINE_free(e);
+ ENGINE_cleanup();
+- UI_destroy_method(ui_method);
++ UI_destroy_method(ui_method);
+ return 0;
+- }
+- pre_cmds++;
+- }
++ }
++ pre_cmds++;
++ }
+ }
+ if(!ENGINE_init(e)) {
+- verror_put_string("Could not initialise engine '%s'.", engine_id);
++ verror_put_string("Could not initialise engine '%s'.", engine_id);
+ ssl_error_to_verror();
+ ENGINE_free(e);
+ ENGINE_cleanup();
+@@ -958,7 +958,7 @@ int initialise_openssl_engine(myproxy_server_context_t *server_context) {
+ engine_id, name, value ? value : "(NULL)");
+ ENGINE_free(e);
+ ENGINE_cleanup();
+- UI_destroy_method(ui_method);
++ UI_destroy_method(ui_method);
+ return 0;
+ }
+ post_cmds++;
+@@ -967,31 +967,31 @@ int initialise_openssl_engine(myproxy_server_context_t *server_context) {
+
+ cakey = ENGINE_load_private_key(e, server_context->certificate_issuer_key, ui_method, (char *)server_context->certificate_issuer_key_passphrase);
+
+- if (cakey == NULL) { /* may not be fatal... */
++ if (cakey == NULL) { /* may not be fatal... */
+ verror_put_string("WARNING: Could not load ENGINE cakey at %s.",
+ server_context->certificate_issuer_key);
+ ssl_error_to_verror();
+ myproxy_log_verror();
+ verror_clear();
+- }
++ }
+
+ if(atexit(&shutdown_openssl_engine)!=0) {
+ verror_put_string("Could not register shutdown handler for engine '%s'.", engine_id);
+- if (cakey) EVP_PKEY_free( cakey );
++ if (cakey) EVP_PKEY_free( cakey );
+ ENGINE_finish(e);
+ ENGINE_cleanup();
+ UI_destroy_method(ui_method);
+ return 0;
+- }
++ }
+
+ myproxy_log("Initialised engine '%s' (CAKey=%s)", engine_id, server_context->certificate_issuer_key);
+
+- /* Share with the other functions in this module. */
+- e_cakey = cakey;
+- engine = e;
++ /* Share with the other functions in this module. */
++ e_cakey = cakey;
++ engine = e;
+
+- UI_destroy_method(ui_method);
+- return 1;
++ UI_destroy_method(ui_method);
++ return 1;
+ }
+ #endif
+
+@@ -1067,13 +1067,13 @@ check_newcert(const char *callout, const X509 *cert)
+ return do_check(callout, NULL, cert);
+ }
+
+-static int
++static int
+ handle_certificate(unsigned char *input_buffer,
+- size_t input_buffer_length,
+- unsigned char **output_buffer,
+- int *output_buffer_length,
+- myproxy_request_t *client_request,
+- myproxy_server_context_t *server_context) {
++ size_t input_buffer_length,
++ unsigned char **output_buffer,
++ int *output_buffer_length,
++ myproxy_request_t *client_request,
++ myproxy_server_context_t *server_context) {
+
+ int return_value = 1;
+ int verify;
+@@ -1122,7 +1122,7 @@ handle_certificate(unsigned char *input_buffer,
+ verror_put_string("Could not extract public key from request.");
+ ssl_error_to_verror();
+ goto error;
+- }
++ }
+
+ if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA) {
+ verror_put_string("Public key in certificate request is not of type RSA.");
+@@ -1155,15 +1155,15 @@ handle_certificate(unsigned char *input_buffer,
+ verror_put_string("Req/key did not verify: %d", verify );
+ ssl_error_to_verror();
+ goto error;
+- }
++ }
+
+ /* convert pkey into string for output to log */
+ ASN1_digest((i2d_of_void*)i2d_PUBKEY, EVP_sha1(), (char*)pkey, md, &md_len);
+- sub_hash = md[0] + (md[1] + (md[2] + (md[3] >> 1) * 256) * 256) * 256;
++ sub_hash = md[0] + (md[1] + (md[2] + (md[3] >> 1) * 256) * 256) * 256;
+
+ myproxy_log("Got a cert request for user \"%s\", "
+ "with pubkey hash \"0x%lx\", and lifetime \"%d\"",
+- client_request->username,
++ client_request->username,
+ sub_hash,
+ client_request->proxy_lifetime
+ );
+@@ -1177,30 +1177,30 @@ handle_certificate(unsigned char *input_buffer,
+ * these checks are duplicated in check_config().
+ */
+
+- if ( ( server_context->certificate_issuer_program != NULL ) &&
++ if ( ( server_context->certificate_issuer_program != NULL ) &&
+ ( server_context->certificate_issuer_cert != NULL ) ) {
+ verror_put_string("CA config error: both issuer and program defined");
+ goto error;
+- }
++ }
+
+- if ( ( server_context->certificate_issuer_program == NULL ) &&
++ if ( ( server_context->certificate_issuer_program == NULL ) &&
+ ( server_context->certificate_issuer_cert == NULL ) ) {
+ verror_put_string("CA config error: neither issuer or program defined");
+ goto error;
+ }
+
+- if ( ( server_context->certificate_issuer_cert != NULL ) &&
++ if ( ( server_context->certificate_issuer_cert != NULL ) &&
+ ( server_context->certificate_issuer_key == NULL ) ) {
+ verror_put_string("CA config error: issuer defined but no key defined");
+ goto error;
+ }
+
+- if ( ( server_context->certificate_issuer_cert != NULL ) &&
++ if ( ( server_context->certificate_issuer_cert != NULL ) &&
+ ( server_context->certificate_issuer_key != NULL ) ) {
+ myproxy_debug("Using internal openssl/generate_certificate() code");
+
+- if ( generate_certificate( req, &cert, pkey,
+- client_request, server_context ) ) {
++ if ( generate_certificate( req, &cert, pkey,
++ client_request, server_context ) ) {
+ verror_put_string("Internal cert generation failed");
+ goto error;
+ }
+@@ -1283,16 +1283,16 @@ int is_certificate_authority_configured(myproxy_server_context_t
+ }
+
+
+-void get_certificate_authority(myproxy_socket_attrs_t *server_attrs,
+- myproxy_creds_t *creds,
+- myproxy_request_t *client_request,
+- myproxy_response_t *response,
+- myproxy_server_context_t *server_context) {
++void get_certificate_authority(myproxy_socket_attrs_t *server_attrs,
++ myproxy_creds_t *creds,
++ myproxy_request_t *client_request,
++ myproxy_response_t *response,
++ myproxy_server_context_t *server_context) {
+
+ unsigned char * input_buffer = NULL;
+- size_t input_buffer_length;
+- unsigned char * output_buffer = NULL;
+- int output_buffer_length;
++ size_t input_buffer_length;
++ unsigned char * output_buffer = NULL;
++ int output_buffer_length;
+
+ myproxy_debug("Calling CA Extensions");
+
+@@ -1300,8 +1300,8 @@ void get_certificate_authority(myproxy_socket_attrs_t *server_attrs,
+
+ verror_clear();
+
+- if ( read_cert_request( server_attrs->gsi_socket,
+- &input_buffer, &input_buffer_length) ) {
++ if ( read_cert_request( server_attrs->gsi_socket,
++ &input_buffer, &input_buffer_length) ) {
+ verror_put_string("Unable to read request from client");
+ myproxy_log_verror();
+ response->error_string = \
+@@ -1310,8 +1310,8 @@ void get_certificate_authority(myproxy_socket_attrs_t *server_attrs,
+ }
+
+ if ( handle_certificate( input_buffer, input_buffer_length,
+- &output_buffer, &output_buffer_length,
+- client_request, server_context ) ) {
++ &output_buffer, &output_buffer_length,
++ client_request, server_context ) ) {
+ verror_put_string("CA failed to generate certificate");
+ response->error_string = strdup("Certificate generation failure.\n");
+ myproxy_log_verror();
+@@ -1319,7 +1319,7 @@ void get_certificate_authority(myproxy_socket_attrs_t *server_attrs,
+ }
+
+ if ( send_certificate( server_attrs->gsi_socket,
+- output_buffer, output_buffer_length ) ) {
++ output_buffer, output_buffer_length ) ) {
+ myproxy_log_verror();
+ myproxy_debug("Failure to send response to client!");
+ goto error;
+diff --git a/myproxy/source/gssapi.c b/myproxy/source/gssapi.c
+index e176392e4..70a6d27e4 100644
+--- a/myproxy/source/gssapi.c
++++ b/myproxy/source/gssapi.c
+@@ -4,7 +4,7 @@
+ * Rob Siemborski (SASL v2 Conversion)
+ * $Id: gssapi.c,v 1.9 2007/09/27 15:40:54 basney Exp $
+ */
+-/*
++/*
+ * Copyright (c) 1998-2003 Carnegie Mellon University. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -12,7 +12,7 @@
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+- * notice, this list of conditions and the following disclaimer.
++ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+@@ -22,7 +22,7 @@
+ * 3. The name "Carnegie Mellon University" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For permission or any other legal
+- * details, please contact
++ * details, please contact
+ * Office of Technology Transfer
+ * Carnegie Mellon University
+ * 5000 Forbes Avenue
+@@ -96,25 +96,25 @@ extern gss_OID gss_nt_service_name;
+ #ifdef WANT_KERBEROS5_3DES
+ /* Check if CyberSafe flag is defined */
+ #ifdef CSF_GSS_C_DES3_FLAG
+-#define K5_MAX_SSF 112
++#define K5_MAX_SSF 112
+ #endif
+
+ /* Heimdal and MIT use the following */
+ #ifdef GSS_KRB5_CONF_C_QOP_DES3_KD
+-#define K5_MAX_SSF 112
++#define K5_MAX_SSF 112
+ #endif
+
+ #endif
+
+ #ifndef K5_MAX_SSF
+ /* All Kerberos implementations support DES */
+-#define K5_MAX_SSF 56
++#define K5_MAX_SSF 56
+ #endif
+
+ /* GSSAPI SASL Mechanism by Leif Johansson <leifj@matematik.su.se>
+ * inspired by the kerberos mechanism and the gssapi_server and
+ * gssapi_client from the heimdal distribution by Assar Westerlund
+- * <assar@sics.se> and Johan Danielsson <joda@pdc.kth.se>.
++ * <assar@sics.se> and Johan Danielsson <joda@pdc.kth.se>.
+ * See the configure.in file for details on dependencies.
+ *
+ * Important contributions from Sam Hartman <hartmans@fundsxpress.com>.
+@@ -126,18 +126,18 @@ extern gss_OID gss_nt_service_name;
+
+ typedef struct context {
+ int state;
+-
++
+ gss_ctx_id_t gss_ctx;
+ gss_name_t client_name;
+ gss_name_t server_name;
+ gss_cred_id_t server_creds;
+ sasl_ssf_t limitssf, requiressf; /* application defined bounds, for the
+- server */
++ server */
+ const sasl_utils_t *utils;
+-
++
+ /* layers buffering */
+ decode_context_t decode_context;
+-
++
+ char *encode_buf; /* For encoding/decoding mem management */
+ char *decode_buf;
+ char *decode_once_buf;
+@@ -145,10 +145,10 @@ typedef struct context {
+ unsigned decode_buf_len;
+ unsigned decode_once_buf_len;
+ buffer_info_t *enc_in_buf;
+-
++
+ char *out_buf; /* per-step mem management */
+- unsigned out_buf_len;
+-
++ unsigned out_buf_len;
++
+ char *authid; /* hold the authid between steps - server */
+ const char *user; /* hold the userid between steps - client */
+ } context_t;
+@@ -210,7 +210,7 @@ static OM_uint32 (*p_krb5_gss_wrap_size_limit)
+ (OM_uint32 *, gss_ctx_id_t, int, gss_qop_t, OM_uint32, OM_uint32 *);
+ static OM_uint32 (*p_krb5_gss_add_cred)
+ (OM_uint32 *, gss_cred_id_t, gss_name_t, gss_OID, gss_cred_usage_t,
+- OM_uint32, OM_uint32, gss_cred_id_t *, gss_OID_set *, OM_uint32 *,
++ OM_uint32, OM_uint32, gss_cred_id_t *, gss_OID_set *, OM_uint32 *,
+ OM_uint32 *);
+ static OM_uint32 (*p_krb5_gss_seal)
+ (OM_uint32 *, gss_ctx_id_t, int, int, gss_buffer_t, int *,
+@@ -226,15 +226,15 @@ sasl_gss_lib_init(const sasl_utils_t *utils)
+ if (h_krb5lib) return SASL_OK;
+
+ if ((h_krb5lib = dlopen(KRB5_LIB_NAME, RTLD_LAZY)) == NULL) {
+- errmsg = "Failed to open GSSAPI library";
+- goto error;
++ errmsg = "Failed to open GSSAPI library";
++ goto error;
+ }
+
+-#define SASL_GSS_DLSYM(x) \
+- p_krb5_ ## x = dlsym(h_krb5lib, #x); \
+- if (p_krb5_ ## x == NULL) { \
+- errmsg = "Failed to dlsym(" #x ")"; \
+- goto error; \
++#define SASL_GSS_DLSYM(x) \
++ p_krb5_ ## x = dlsym(h_krb5lib, #x); \
++ if (p_krb5_ ## x == NULL) { \
++ errmsg = "Failed to dlsym(" #x ")"; \
++ goto error; \
+ }
+
+ SASL_GSS_DLSYM(gss_accept_sec_context);
+@@ -261,24 +261,24 @@ sasl_gss_lib_init(const sasl_utils_t *utils)
+ error:
+ dlerr = dlerror();
+ if (dlerr) {
+- char *saslerr;
+- saslerr = malloc(strlen(errmsg)+strlen(dlerr)+3);
+- sprintf(saslerr, "%s: %s", errmsg, dlerr);
+- SETERROR(utils, saslerr);
+- free(saslerr);
++ char *saslerr;
++ saslerr = malloc(strlen(errmsg)+strlen(dlerr)+3);
++ sprintf(saslerr, "%s: %s", errmsg, dlerr);
++ SETERROR(utils, saslerr);
++ free(saslerr);
+ } else {
+- SETERROR(utils, errmsg);
++ SETERROR(utils, errmsg);
+ }
+ if (h_krb5lib) {
+- dlclose(h_krb5lib);
+- h_krb5lib = NULL;
++ dlclose(h_krb5lib);
++ h_krb5lib = NULL;
+ }
+ return SASL_FAIL;
+ }
+
+ static void
+ sasl_gss_seterror_(const sasl_utils_t *utils, OM_uint32 maj, OM_uint32 min,
+- int logonly)
++ int logonly)
+ {
+ OM_uint32 maj_stat, min_stat;
+ gss_buffer_desc msg;
+@@ -288,116 +288,116 @@ sasl_gss_seterror_(const sasl_utils_t *utils, OM_uint32 maj, OM_uint32 min,
+ size_t len;
+ unsigned int curlen = 0;
+ const char prefix[] = "GSSAPI Error: ";
+-
++
+ if(!utils) return;
+
+ if (sasl_gss_lib_init(utils) != SASL_OK) return;
+-
++
+ len = sizeof(prefix);
+ ret = _plug_buf_alloc(utils, &out, &curlen, 256);
+ if(ret != SASL_OK) return;
+-
++
+ strcpy(out, prefix);
+-
++
+ msg_ctx = 0;
+ while (1) {
+- maj_stat = (*p_krb5_gss_display_status)(&min_stat, maj,
+- GSS_C_GSS_CODE, GSS_C_NULL_OID,
+- &msg_ctx, &msg);
+- if(GSS_ERROR(maj_stat)) {
+- if (logonly) {
+- utils->log(utils->conn, SASL_LOG_FAIL,
+- "GSSAPI Failure: (could not get major error message)");
+- } else {
+- utils->seterror(utils->conn, 0,
+- "GSSAPI Failure "
+- "(could not get major error message)");
+- }
+- utils->free(out);
+- return;
+- }
+-
+- len += len + msg.length;
+- ret = _plug_buf_alloc(utils, &out, &curlen, len);
+-
+- if(ret != SASL_OK) {
+- utils->free(out);
+- return;
+- }
+-
+- strcat(out, msg.value);
+-
+- (*p_krb5_gss_release_buffer)(&min_stat, &msg);
+-
+- if (!msg_ctx)
+- break;
++ maj_stat = (*p_krb5_gss_display_status)(&min_stat, maj,
++ GSS_C_GSS_CODE, GSS_C_NULL_OID,
++ &msg_ctx, &msg);
++ if(GSS_ERROR(maj_stat)) {
++ if (logonly) {
++ utils->log(utils->conn, SASL_LOG_FAIL,
++ "GSSAPI Failure: (could not get major error message)");
++ } else {
++ utils->seterror(utils->conn, 0,
++ "GSSAPI Failure "
++ "(could not get major error message)");
++ }
++ utils->free(out);
++ return;
++ }
++
++ len += len + msg.length;
++ ret = _plug_buf_alloc(utils, &out, &curlen, len);
++
++ if(ret != SASL_OK) {
++ utils->free(out);
++ return;
++ }
++
++ strcat(out, msg.value);
++
++ (*p_krb5_gss_release_buffer)(&min_stat, &msg);
++
++ if (!msg_ctx)
++ break;
+ }
+-
++
+ /* Now get the minor status */
+-
++
+ len += 2;
+ ret = _plug_buf_alloc(utils, &out, &curlen, len);
+ if(ret != SASL_OK) {
+- utils->free(out);
+- return;
++ utils->free(out);
++ return;
+ }
+-
++
+ strcat(out, " (");
+-
++
+ msg_ctx = 0;
+ while (1) {
+- maj_stat = (*p_krb5_gss_display_status)(&min_stat, min,
+- GSS_C_MECH_CODE, GSS_C_NULL_OID,
+- &msg_ctx, &msg);
+- if(GSS_ERROR(maj_stat)) {
+- if (logonly) {
+- utils->log(utils->conn, SASL_LOG_FAIL,
+- "GSSAPI Failure: (could not get minor error message)");
+- } else {
+- utils->seterror(utils->conn, 0,
+- "GSSAPI Failure "
+- "(could not get minor error message)");
+- }
+- utils->free(out);
+- return;
+- }
+-
+- len += len + msg.length;
+- ret = _plug_buf_alloc(utils, &out, &curlen, len);
+-
+- if(ret != SASL_OK) {
+- utils->free(out);
+- return;
+- }
+-
+- strcat(out, msg.value);
+-
+- (*p_krb5_gss_release_buffer)(&min_stat, &msg);
+-
+- if (!msg_ctx)
+- break;
++ maj_stat = (*p_krb5_gss_display_status)(&min_stat, min,
++ GSS_C_MECH_CODE, GSS_C_NULL_OID,
++ &msg_ctx, &msg);
++ if(GSS_ERROR(maj_stat)) {
++ if (logonly) {
++ utils->log(utils->conn, SASL_LOG_FAIL,
++ "GSSAPI Failure: (could not get minor error message)");
++ } else {
++ utils->seterror(utils->conn, 0,
++ "GSSAPI Failure "
++ "(could not get minor error message)");
++ }
++ utils->free(out);
++ return;
++ }
++
++ len += len + msg.length;
++ ret = _plug_buf_alloc(utils, &out, &curlen, len);
++
++ if(ret != SASL_OK) {
++ utils->free(out);
++ return;
++ }
++
++ strcat(out, msg.value);
++
++ (*p_krb5_gss_release_buffer)(&min_stat, &msg);
++
++ if (!msg_ctx)
++ break;
+ }
+-
++
+ len += 1;
+ ret = _plug_buf_alloc(utils, &out, &curlen, len);
+ if(ret != SASL_OK) {
+- utils->free(out);
+- return;
++ utils->free(out);
++ return;
+ }
+-
++
+ strcat(out, ")");
+-
++
+ if (logonly) {
+- utils->log(utils->conn, SASL_LOG_FAIL, "%s", out);
++ utils->log(utils->conn, SASL_LOG_FAIL, "%s", out);
+ } else {
+- utils->seterror(utils->conn, 0, "%s", out);
++ utils->seterror(utils->conn, 0, "%s", out);
+ }
+ utils->free(out);
+ }
+
+-static int
++static int
+ sasl_gss_encode(void *context, const struct iovec *invec, unsigned numiov,
+- const char **output, unsigned *outputlen, int privacy)
++ const char **output, unsigned *outputlen, int privacy)
+ {
+ context_t *text = (context_t *)context;
+ OM_uint32 maj_stat, min_stat;
+@@ -405,244 +405,244 @@ sasl_gss_encode(void *context, const struct iovec *invec, unsigned numiov,
+ gss_buffer_desc real_input_token, real_output_token;
+ int ret;
+ struct buffer_info *inblob, bufinfo;
+-
++
+ if(!output) return SASL_BADPARAM;
+-
++
+ if (sasl_gss_lib_init(text->utils) != SASL_OK) return SASL_FAIL;
+-
++
+ if(numiov > 1) {
+- ret = _plug_iovec_to_buf(text->utils, invec, numiov, &text->enc_in_buf);
+- if(ret != SASL_OK) return ret;
+- inblob = text->enc_in_buf;
++ ret = _plug_iovec_to_buf(text->utils, invec, numiov, &text->enc_in_buf);
++ if(ret != SASL_OK) return ret;
++ inblob = text->enc_in_buf;
+ } else {
+- bufinfo.data = invec[0].iov_base;
+- bufinfo.curlen = invec[0].iov_len;
+- inblob = &bufinfo;
++ bufinfo.data = invec[0].iov_base;
++ bufinfo.curlen = invec[0].iov_len;
++ inblob = &bufinfo;
+ }
+-
++
+ if (text->state != SASL_GSSAPI_STATE_AUTHENTICATED) return SASL_NOTDONE;
+-
++
+ input_token = &real_input_token;
+-
++
+ real_input_token.value = inblob->data;
+ real_input_token.length = inblob->curlen;
+-
++
+ output_token = &real_output_token;
+ output_token->value = NULL;
+ output_token->length = 0;
+-
++
+ maj_stat = (*p_krb5_gss_wrap) (&min_stat,
+- text->gss_ctx,
+- privacy,
+- GSS_C_QOP_DEFAULT,
+- input_token,
+- NULL,
+- output_token);
+-
++ text->gss_ctx,
++ privacy,
++ GSS_C_QOP_DEFAULT,
++ input_token,
++ NULL,
++ output_token);
++
+ if (GSS_ERROR(maj_stat))
+- {
+- sasl_gss_seterror(text->utils, maj_stat, min_stat);
+- if (output_token->value)
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- return SASL_FAIL;
+- }
+-
++ {
++ sasl_gss_seterror(text->utils, maj_stat, min_stat);
++ if (output_token->value)
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ return SASL_FAIL;
++ }
++
+ if (output_token->value && output) {
+- int len;
+-
+- ret = _plug_buf_alloc(text->utils, &(text->encode_buf),
+- &(text->encode_buf_len), output_token->length + 4);
+-
+- if (ret != SASL_OK) {
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- return ret;
+- }
+-
+- len = htonl(output_token->length);
+- memcpy(text->encode_buf, &len, 4);
+- memcpy(text->encode_buf + 4, output_token->value, output_token->length);
++ int len;
++
++ ret = _plug_buf_alloc(text->utils, &(text->encode_buf),
++ &(text->encode_buf_len), output_token->length + 4);
++
++ if (ret != SASL_OK) {
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ return ret;
++ }
++
++ len = htonl(output_token->length);
++ memcpy(text->encode_buf, &len, 4);
++ memcpy(text->encode_buf + 4, output_token->value, output_token->length);
+ }
+-
++
+ if (outputlen) {
+- *outputlen = output_token->length + 4;
++ *outputlen = output_token->length + 4;
+ }
+-
++
+ *output = text->encode_buf;
+-
++
+ if (output_token->value)
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+-
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++
+ return SASL_OK;
+ }
+
+ static int gssapi_privacy_encode(void *context, const struct iovec *invec,
+- unsigned numiov, const char **output,
+- unsigned *outputlen)
++ unsigned numiov, const char **output,
++ unsigned *outputlen)
+ {
+ return sasl_gss_encode(context,invec,numiov,output,outputlen,1);
+ }
+
+ static int gssapi_integrity_encode(void *context, const struct iovec *invec,
+- unsigned numiov, const char **output,
+- unsigned *outputlen)
++ unsigned numiov, const char **output,
++ unsigned *outputlen)
+ {
+ return sasl_gss_encode(context,invec,numiov,output,outputlen,0);
+ }
+
+ static int gssapi_decode_packet(void *context,
+- const char *input, unsigned inputlen,
+- char **output, unsigned *outputlen)
++ const char *input, unsigned inputlen,
++ char **output, unsigned *outputlen)
+ {
+ context_t *text = (context_t *) context;
+ OM_uint32 maj_stat, min_stat;
+ gss_buffer_t input_token, output_token;
+ gss_buffer_desc real_input_token, real_output_token;
+ int result;
+-
++
+ if (sasl_gss_lib_init(text->utils) != SASL_OK) return SASL_FAIL;
+-
++
+ if (text->state != SASL_GSSAPI_STATE_AUTHENTICATED) {
+- SETERROR(text->utils, "GSSAPI Failure");
+- return SASL_NOTDONE;
++ SETERROR(text->utils, "GSSAPI Failure");
++ return SASL_NOTDONE;
+ }
+-
+- input_token = &real_input_token;
++
++ input_token = &real_input_token;
+ real_input_token.value = (char *) input;
+ real_input_token.length = inputlen;
+-
++
+ output_token = &real_output_token;
+ output_token->value = NULL;
+ output_token->length = 0;
+-
++
+ maj_stat = (*p_krb5_gss_unwrap) (&min_stat,
+- text->gss_ctx,
+- input_token,
+- output_token,
+- NULL,
+- NULL);
+-
++ text->gss_ctx,
++ input_token,
++ output_token,
++ NULL,
++ NULL);
++
+ if (GSS_ERROR(maj_stat))
+- {
+- sasl_gss_seterror(text->utils,maj_stat,min_stat);
+- if (output_token->value)
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- return SASL_FAIL;
+- }
+-
++ {
++ sasl_gss_seterror(text->utils,maj_stat,min_stat);
++ if (output_token->value)
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ return SASL_FAIL;
++ }
++
+ if (outputlen)
+- *outputlen = output_token->length;
+-
++ *outputlen = output_token->length;
++
+ if (output_token->value) {
+- if (output) {
+- result = _plug_buf_alloc(text->utils, &text->decode_once_buf,
+- &text->decode_once_buf_len,
+- *outputlen);
+- if(result != SASL_OK) {
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- return result;
+- }
+- *output = text->decode_once_buf;
+- memcpy(*output, output_token->value, *outputlen);
+- }
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ if (output) {
++ result = _plug_buf_alloc(text->utils, &text->decode_once_buf,
++ &text->decode_once_buf_len,
++ *outputlen);
++ if(result != SASL_OK) {
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ return result;
++ }
++ *output = text->decode_once_buf;
++ memcpy(*output, output_token->value, *outputlen);
++ }
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+ }
+-
++
+ return SASL_OK;
+ }
+
+ static int gssapi_decode(void *context,
+- const char *input, unsigned inputlen,
+- const char **output, unsigned *outputlen)
++ const char *input, unsigned inputlen,
++ const char **output, unsigned *outputlen)
+ {
+ context_t *text = (context_t *) context;
+ int ret;
+-
++
+ ret = _plug_decode(&text->decode_context, input, inputlen,
+- &text->decode_buf, &text->decode_buf_len, outputlen,
+- gssapi_decode_packet, text);
+-
++ &text->decode_buf, &text->decode_buf_len, outputlen,
++ gssapi_decode_packet, text);
++
+ *output = text->decode_buf;
+-
++
+ return ret;
+ }
+
+ static context_t *gss_new_context(const sasl_utils_t *utils)
+ {
+ context_t *ret;
+-
++
+ ret = utils->malloc(sizeof(context_t));
+ if(!ret) return NULL;
+-
++
+ memset(ret,0,sizeof(context_t));
+ ret->utils = utils;
+-
++
+ return ret;
+ }
+
+ static void sasl_gss_free_context_contents(context_t *text)
+ {
+ OM_uint32 maj_stat, min_stat;
+-
++
+ if (!text) return;
+-
++
+ if (sasl_gss_lib_init(text->utils) != SASL_OK) return;
+-
++
+ if (text->gss_ctx != GSS_C_NO_CONTEXT) {
+- maj_stat = (*p_krb5_gss_delete_sec_context)(&min_stat,&text->gss_ctx,GSS_C_NO_BUFFER);
+- text->gss_ctx = GSS_C_NO_CONTEXT;
++ maj_stat = (*p_krb5_gss_delete_sec_context)(&min_stat,&text->gss_ctx,GSS_C_NO_BUFFER);
++ text->gss_ctx = GSS_C_NO_CONTEXT;
+ }
+-
++
+ if (text->client_name != GSS_C_NO_NAME) {
+- maj_stat = (*p_krb5_gss_release_name)(&min_stat,&text->client_name);
+- text->client_name = GSS_C_NO_NAME;
++ maj_stat = (*p_krb5_gss_release_name)(&min_stat,&text->client_name);
++ text->client_name = GSS_C_NO_NAME;
+ }
+-
++
+ if (text->server_name != GSS_C_NO_NAME) {
+- maj_stat = (*p_krb5_gss_release_name)(&min_stat,&text->server_name);
+- text->server_name = GSS_C_NO_NAME;
++ maj_stat = (*p_krb5_gss_release_name)(&min_stat,&text->server_name);
++ text->server_name = GSS_C_NO_NAME;
+ }
+-
++
+ if ( text->server_creds != GSS_C_NO_CREDENTIAL) {
+- maj_stat = (*p_krb5_gss_release_cred)(&min_stat, &text->server_creds);
+- text->server_creds = GSS_C_NO_CREDENTIAL;
++ maj_stat = (*p_krb5_gss_release_cred)(&min_stat, &text->server_creds);
++ text->server_creds = GSS_C_NO_CREDENTIAL;
+ }
+
+ if (text->out_buf) {
+- text->utils->free(text->out_buf);
+- text->out_buf = NULL;
++ text->utils->free(text->out_buf);
++ text->out_buf = NULL;
+ }
+-
++
+ if (text->encode_buf) {
+- text->utils->free(text->encode_buf);
+- text->encode_buf = NULL;
++ text->utils->free(text->encode_buf);
++ text->encode_buf = NULL;
+ }
+-
++
+ if (text->decode_buf) {
+- text->utils->free(text->decode_buf);
+- text->decode_buf = NULL;
++ text->utils->free(text->decode_buf);
++ text->decode_buf = NULL;
+ }
+-
++
+ if (text->decode_once_buf) {
+- text->utils->free(text->decode_once_buf);
+- text->decode_once_buf = NULL;
++ text->utils->free(text->decode_once_buf);
++ text->decode_once_buf = NULL;
+ }
+-
++
+ if (text->enc_in_buf) {
+- if(text->enc_in_buf->data) text->utils->free(text->enc_in_buf->data);
+- text->utils->free(text->enc_in_buf);
+- text->enc_in_buf = NULL;
++ if(text->enc_in_buf->data) text->utils->free(text->enc_in_buf->data);
++ text->utils->free(text->enc_in_buf);
++ text->enc_in_buf = NULL;
+ }
+
+ _plug_decode_free(&text->decode_context);
+-
++
+ if (text->authid) { /* works for both client and server */
+- text->utils->free(text->authid);
+- text->authid = NULL;
++ text->utils->free(text->authid);
++ text->authid = NULL;
+ }
+ }
+
+ static void gssapi_common_mech_dispose(void *conn_context,
+- const sasl_utils_t *utils)
++ const sasl_utils_t *utils)
+ {
+ sasl_gss_free_context_contents((context_t *)(conn_context));
+ utils->free(conn_context);
+@@ -650,40 +650,40 @@ static void gssapi_common_mech_dispose(void *conn_context,
+
+ /***************************** Server Section *****************************/
+
+-static int
+-gssapi_server_mech_new(void *glob_context __attribute__((unused)),
+- sasl_server_params_t *params,
+- const char *challenge __attribute__((unused)),
+- unsigned challen __attribute__((unused)),
+- void **conn_context)
++static int
++gssapi_server_mech_new(void *glob_context __attribute__((unused)),
++ sasl_server_params_t *params,
++ const char *challenge __attribute__((unused)),
++ unsigned challen __attribute__((unused)),
++ void **conn_context)
+ {
+ context_t *text;
+-
++
+ text = gss_new_context(params->utils);
+ if (text == NULL) {
+- MEMERROR(params->utils);
+- return SASL_NOMEM;
++ MEMERROR(params->utils);
++ return SASL_NOMEM;
+ }
+-
++
+ text->gss_ctx = GSS_C_NO_CONTEXT;
+ text->client_name = GSS_C_NO_NAME;
+ text->server_name = GSS_C_NO_NAME;
+ text->server_creds = GSS_C_NO_CREDENTIAL;
+ text->state = SASL_GSSAPI_STATE_AUTHNEG;
+-
++
+ *conn_context = text;
+-
++
+ return SASL_OK;
+ }
+
+-static int
++static int
+ gssapi_server_mech_step(void *conn_context,
+- sasl_server_params_t *params,
+- const char *clientin,
+- unsigned clientinlen,
+- const char **serverout,
+- unsigned *serveroutlen,
+- sasl_out_params_t *oparams)
++ sasl_server_params_t *params,
++ const char *clientin,
++ unsigned clientinlen,
++ const char **serverout,
++ unsigned *serveroutlen,
++ sasl_out_params_t *oparams)
+ {
+ context_t *text = (context_t *)conn_context;
+ gss_buffer_t input_token, output_token;
+@@ -692,257 +692,257 @@ gssapi_server_mech_step(void *conn_context,
+ OM_uint32 max_input;
+ gss_buffer_desc name_token;
+ int ret;
+-
++
+ input_token = &real_input_token;
+ output_token = &real_output_token;
+ output_token->value = NULL; output_token->length = 0;
+ input_token->value = NULL; input_token->length = 0;
+-
++
+ if(!serverout) {
+- PARAMERROR(text->utils);
+- return SASL_BADPARAM;
++ PARAMERROR(text->utils);
++ return SASL_BADPARAM;
+ }
+-
++
+ *serverout = NULL;
+- *serveroutlen = 0;
+-
++ *serveroutlen = 0;
++
+ if (sasl_gss_lib_init(text->utils) != SASL_OK) return SASL_FAIL;
+-
++
+ switch (text->state) {
+
+ case SASL_GSSAPI_STATE_AUTHNEG:
+- if (text->server_name == GSS_C_NO_NAME) { /* only once */
+- name_token.length = strlen(params->service) + 1 + strlen(params->serverFQDN);
+- name_token.value = (char *)params->utils->malloc((name_token.length + 1) * sizeof(char));
+- if (name_token.value == NULL) {
+- MEMERROR(text->utils);
+- sasl_gss_free_context_contents(text);
+- return SASL_NOMEM;
+- }
+- sprintf(name_token.value,"%s@%s", params->service, params->serverFQDN);
+-
+- maj_stat = (*p_krb5_gss_import_name) (&min_stat,
+- &name_token,
+- GSS_C_NT_HOSTBASED_SERVICE,
+- &text->server_name);
+-
+- params->utils->free(name_token.value);
+- name_token.value = NULL;
+-
+- if (GSS_ERROR(maj_stat)) {
+- sasl_gss_seterror(text->utils, maj_stat, min_stat);
+- sasl_gss_free_context_contents(text);
+- return SASL_FAIL;
+- }
+-
+- if ( text->server_creds != GSS_C_NO_CREDENTIAL) {
+- maj_stat = (*p_krb5_gss_release_cred)(&min_stat, &text->server_creds);
+- text->server_creds = GSS_C_NO_CREDENTIAL;
+- }
+-
+- maj_stat = (*p_krb5_gss_acquire_cred)(&min_stat,
+- text->server_name,
+- GSS_C_INDEFINITE,
+- GSS_C_NO_OID_SET,
+- GSS_C_ACCEPT,
+- &text->server_creds,
+- NULL,
+- NULL);
+-
+- if (GSS_ERROR(maj_stat)) {
+- sasl_gss_seterror(text->utils, maj_stat, min_stat);
+- sasl_gss_free_context_contents(text);
+- return SASL_FAIL;
+- }
+- }
+-
+- if (clientinlen) {
+- real_input_token.value = (void *)clientin;
+- real_input_token.length = clientinlen;
+- }
+-
+-
+- maj_stat =
+- (*p_krb5_gss_accept_sec_context)(&min_stat,
+- &(text->gss_ctx),
+- text->server_creds,
+- input_token,
+- GSS_C_NO_CHANNEL_BINDINGS,
+- &text->client_name,
+- NULL,
+- output_token,
+- NULL,
+- NULL,
+- NULL);
+-
+- if (GSS_ERROR(maj_stat)) {
+- sasl_gss_log(text->utils, maj_stat, min_stat);
+- text->utils->seterror(text->utils->conn, SASL_NOLOG, "GSSAPI Failure: gss_accept_sec_context");
+- if (output_token->value) {
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- }
+- sasl_gss_free_context_contents(text);
+- return SASL_BADAUTH;
+- }
+-
+-
+- if (serveroutlen)
+- *serveroutlen = output_token->length;
+- if (output_token->value) {
+- if (serverout) {
+- ret = _plug_buf_alloc(text->utils, &(text->out_buf),
+- &(text->out_buf_len), *serveroutlen);
+- if(ret != SASL_OK) {
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- return ret;
+- }
+- memcpy(text->out_buf, output_token->value, *serveroutlen);
+- *serverout = text->out_buf;
+- }
+-
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- } else {
+- /* No output token, send an empty string */
+- *serverout = GSSAPI_BLANK_STRING;
+- serveroutlen = 0;
+- }
+-
+- if (maj_stat == GSS_S_COMPLETE) {
+- /* Switch to ssf negotiation */
+- text->state = SASL_GSSAPI_STATE_SSFCAP;
+- }
+-
+- return SASL_CONTINUE;
++ if (text->server_name == GSS_C_NO_NAME) { /* only once */
++ name_token.length = strlen(params->service) + 1 + strlen(params->serverFQDN);
++ name_token.value = (char *)params->utils->malloc((name_token.length + 1) * sizeof(char));
++ if (name_token.value == NULL) {
++ MEMERROR(text->utils);
++ sasl_gss_free_context_contents(text);
++ return SASL_NOMEM;
++ }
++ sprintf(name_token.value,"%s@%s", params->service, params->serverFQDN);
++
++ maj_stat = (*p_krb5_gss_import_name) (&min_stat,
++ &name_token,
++ GSS_C_NT_HOSTBASED_SERVICE,
++ &text->server_name);
++
++ params->utils->free(name_token.value);
++ name_token.value = NULL;
++
++ if (GSS_ERROR(maj_stat)) {
++ sasl_gss_seterror(text->utils, maj_stat, min_stat);
++ sasl_gss_free_context_contents(text);
++ return SASL_FAIL;
++ }
++
++ if ( text->server_creds != GSS_C_NO_CREDENTIAL) {
++ maj_stat = (*p_krb5_gss_release_cred)(&min_stat, &text->server_creds);
++ text->server_creds = GSS_C_NO_CREDENTIAL;
++ }
++
++ maj_stat = (*p_krb5_gss_acquire_cred)(&min_stat,
++ text->server_name,
++ GSS_C_INDEFINITE,
++ GSS_C_NO_OID_SET,
++ GSS_C_ACCEPT,
++ &text->server_creds,
++ NULL,
++ NULL);
++
++ if (GSS_ERROR(maj_stat)) {
++ sasl_gss_seterror(text->utils, maj_stat, min_stat);
++ sasl_gss_free_context_contents(text);
++ return SASL_FAIL;
++ }
++ }
++
++ if (clientinlen) {
++ real_input_token.value = (void *)clientin;
++ real_input_token.length = clientinlen;
++ }
++
++
++ maj_stat =
++ (*p_krb5_gss_accept_sec_context)(&min_stat,
++ &(text->gss_ctx),
++ text->server_creds,
++ input_token,
++ GSS_C_NO_CHANNEL_BINDINGS,
++ &text->client_name,
++ NULL,
++ output_token,
++ NULL,
++ NULL,
++ NULL);
++
++ if (GSS_ERROR(maj_stat)) {
++ sasl_gss_log(text->utils, maj_stat, min_stat);
++ text->utils->seterror(text->utils->conn, SASL_NOLOG, "GSSAPI Failure: gss_accept_sec_context");
++ if (output_token->value) {
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ }
++ sasl_gss_free_context_contents(text);
++ return SASL_BADAUTH;
++ }
++
++
++ if (serveroutlen)
++ *serveroutlen = output_token->length;
++ if (output_token->value) {
++ if (serverout) {
++ ret = _plug_buf_alloc(text->utils, &(text->out_buf),
++ &(text->out_buf_len), *serveroutlen);
++ if(ret != SASL_OK) {
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ return ret;
++ }
++ memcpy(text->out_buf, output_token->value, *serveroutlen);
++ *serverout = text->out_buf;
++ }
++
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ } else {
++ /* No output token, send an empty string */
++ *serverout = GSSAPI_BLANK_STRING;
++ serveroutlen = 0;
++ }
++
++ if (maj_stat == GSS_S_COMPLETE) {
++ /* Switch to ssf negotiation */
++ text->state = SASL_GSSAPI_STATE_SSFCAP;
++ }
++
++ return SASL_CONTINUE;
+
+ case SASL_GSSAPI_STATE_SSFCAP: {
+- unsigned char sasldata[4];
+- gss_buffer_desc name_token;
+- gss_buffer_desc name_without_realm;
+- gss_name_t without = NULL;
+- int equal;
+-
+- name_token.value = NULL;
+- name_without_realm.value = NULL;
+-
+- /* We ignore whatever the client sent us at this stage */
+-
+- maj_stat = (*p_krb5_gss_display_name) (&min_stat,
+- text->client_name,
+- &name_token,
+- NULL);
+-
+- if (GSS_ERROR(maj_stat)) {
+- if (name_without_realm.value)
+- params->utils->free(name_without_realm.value);
+-
+- if (name_token.value)
+- (*p_krb5_gss_release_buffer)(&min_stat, &name_token);
+- if (without)
+- (*p_krb5_gss_release_name)(&min_stat, &without);
+- SETERROR(text->utils, "GSSAPI Failure");
+- sasl_gss_free_context_contents(text);
+- return SASL_BADAUTH;
+- }
+-
+- /* If the id contains a realm get the identifier for the user
+- without the realm and see if it's the same id (i.e.
+- tmartin == tmartin@ANDREW.CMU.EDU. If this is the case we just want
+- to return the id (i.e. just "tmartin" */
+- if (strchr((char *) name_token.value, (int) '@') != NULL) {
+- /* NOTE: libc malloc, as it is freed below by a gssapi internal
+- * function! */
+- name_without_realm.value = malloc(strlen(name_token.value)+1);
+- if (name_without_realm.value == NULL) {
+- MEMERROR(text->utils);
+- return SASL_NOMEM;
+- }
+-
+- strcpy(name_without_realm.value, name_token.value);
+-
+- /* cut off string at '@' */
+- (strchr(name_without_realm.value,'@'))[0] = '\0';
+-
+- name_without_realm.length = strlen( (char *) name_without_realm.value );
+-
+- maj_stat = (*p_krb5_gss_import_name) (&min_stat,
+- &name_without_realm,
+- /* Solaris 8/9 gss_import_name doesn't accept GSS_C_NULL_OID here,
+- so use GSS_C_NT_USER_NAME instead if available. */
++ unsigned char sasldata[4];
++ gss_buffer_desc name_token;
++ gss_buffer_desc name_without_realm;
++ gss_name_t without = NULL;
++ int equal;
++
++ name_token.value = NULL;
++ name_without_realm.value = NULL;
++
++ /* We ignore whatever the client sent us at this stage */
++
++ maj_stat = (*p_krb5_gss_display_name) (&min_stat,
++ text->client_name,
++ &name_token,
++ NULL);
++
++ if (GSS_ERROR(maj_stat)) {
++ if (name_without_realm.value)
++ params->utils->free(name_without_realm.value);
++
++ if (name_token.value)
++ (*p_krb5_gss_release_buffer)(&min_stat, &name_token);
++ if (without)
++ (*p_krb5_gss_release_name)(&min_stat, &without);
++ SETERROR(text->utils, "GSSAPI Failure");
++ sasl_gss_free_context_contents(text);
++ return SASL_BADAUTH;
++ }
++
++ /* If the id contains a realm get the identifier for the user
++ without the realm and see if it's the same id (i.e.
++ tmartin == tmartin@ANDREW.CMU.EDU. If this is the case we just want
++ to return the id (i.e. just "tmartin" */
++ if (strchr((char *) name_token.value, (int) '@') != NULL) {
++ /* NOTE: libc malloc, as it is freed below by a gssapi internal
++ * function! */
++ name_without_realm.value = malloc(strlen(name_token.value)+1);
++ if (name_without_realm.value == NULL) {
++ MEMERROR(text->utils);
++ return SASL_NOMEM;
++ }
++
++ strcpy(name_without_realm.value, name_token.value);
++
++ /* cut off string at '@' */
++ (strchr(name_without_realm.value,'@'))[0] = '\0';
++
++ name_without_realm.length = strlen( (char *) name_without_realm.value );
++
++ maj_stat = (*p_krb5_gss_import_name) (&min_stat,
++ &name_without_realm,
++ /* Solaris 8/9 gss_import_name doesn't accept GSS_C_NULL_OID here,
++ so use GSS_C_NT_USER_NAME instead if available. */
+ #ifdef HAVE_GSS_C_NT_USER_NAME
+- GSS_C_NT_USER_NAME,
++ GSS_C_NT_USER_NAME,
+ #else
+- GSS_C_NULL_OID,
++ GSS_C_NULL_OID,
+ #endif
+- &without);
+-
+- if (GSS_ERROR(maj_stat)) {
+- params->utils->free(name_without_realm.value);
+- if (name_token.value)
+- (*p_krb5_gss_release_buffer)(&min_stat, &name_token);
+- if (without)
+- (*p_krb5_gss_release_name)(&min_stat, &without);
+- SETERROR(text->utils, "GSSAPI Failure");
+- sasl_gss_free_context_contents(text);
+- return SASL_BADAUTH;
+- }
+-
+- maj_stat = (*p_krb5_gss_compare_name)(&min_stat,
+- text->client_name,
+- without,
+- &equal);
+-
+- if (GSS_ERROR(maj_stat)) {
+- params->utils->free(name_without_realm.value);
+- if (name_token.value)
+- (*p_krb5_gss_release_buffer)(&min_stat, &name_token);
+- if (without)
+- (*p_krb5_gss_release_name)(&min_stat, &without);
+- SETERROR(text->utils, "GSSAPI Failure");
+- sasl_gss_free_context_contents(text);
+- return SASL_BADAUTH;
+- }
+-
+- (*p_krb5_gss_release_name)(&min_stat,&without);
+- } else {
+- equal = 0;
+- }
+-
+- if (equal) {
+- text->authid = strdup(name_without_realm.value);
+-
+- if (text->authid == NULL) {
+- MEMERROR(params->utils);
+- return SASL_NOMEM;
+- }
+- } else {
+- text->authid = strdup(name_token.value);
+-
+- if (text->authid == NULL) {
+- MEMERROR(params->utils);
+- return SASL_NOMEM;
+- }
+- }
+-
+- if (name_token.value)
+- (*p_krb5_gss_release_buffer)(&min_stat, &name_token);
+- if (name_without_realm.value)
+- params->utils->free(name_without_realm.value);
+-
+-
+- /* we have to decide what sort of encryption/integrity/etc.,
+- we support */
+- if (params->props.max_ssf < params->external_ssf) {
+- text->limitssf = 0;
+- } else {
+- text->limitssf = params->props.max_ssf - params->external_ssf;
+- }
+- if (params->props.min_ssf < params->external_ssf) {
+- text->requiressf = 0;
+- } else {
+- text->requiressf = params->props.min_ssf - params->external_ssf;
+- }
+-
+- /* build up our security properties token */
++ &without);
++
++ if (GSS_ERROR(maj_stat)) {
++ params->utils->free(name_without_realm.value);
++ if (name_token.value)
++ (*p_krb5_gss_release_buffer)(&min_stat, &name_token);
++ if (without)
++ (*p_krb5_gss_release_name)(&min_stat, &without);
++ SETERROR(text->utils, "GSSAPI Failure");
++ sasl_gss_free_context_contents(text);
++ return SASL_BADAUTH;
++ }
++
++ maj_stat = (*p_krb5_gss_compare_name)(&min_stat,
++ text->client_name,
++ without,
++ &equal);
++
++ if (GSS_ERROR(maj_stat)) {
++ params->utils->free(name_without_realm.value);
++ if (name_token.value)
++ (*p_krb5_gss_release_buffer)(&min_stat, &name_token);
++ if (without)
++ (*p_krb5_gss_release_name)(&min_stat, &without);
++ SETERROR(text->utils, "GSSAPI Failure");
++ sasl_gss_free_context_contents(text);
++ return SASL_BADAUTH;
++ }
++
++ (*p_krb5_gss_release_name)(&min_stat,&without);
++ } else {
++ equal = 0;
++ }
++
++ if (equal) {
++ text->authid = strdup(name_without_realm.value);
++
++ if (text->authid == NULL) {
++ MEMERROR(params->utils);
++ return SASL_NOMEM;
++ }
++ } else {
++ text->authid = strdup(name_token.value);
++
++ if (text->authid == NULL) {
++ MEMERROR(params->utils);
++ return SASL_NOMEM;
++ }
++ }
++
++ if (name_token.value)
++ (*p_krb5_gss_release_buffer)(&min_stat, &name_token);
++ if (name_without_realm.value)
++ params->utils->free(name_without_realm.value);
++
++
++ /* we have to decide what sort of encryption/integrity/etc.,
++ we support */
++ if (params->props.max_ssf < params->external_ssf) {
++ text->limitssf = 0;
++ } else {
++ text->limitssf = params->props.max_ssf - params->external_ssf;
++ }
++ if (params->props.min_ssf < params->external_ssf) {
++ text->requiressf = 0;
++ } else {
++ text->requiressf = params->props.min_ssf - params->external_ssf;
++ }
++
++ /* build up our security properties token */
+ if (params->props.maxbufsize > 0xFFFFFF) {
+ /* make sure maxbufsize isn't too large */
+ /* maxbufsize = 0xFFFFFF */
+@@ -952,226 +952,226 @@ gssapi_server_mech_step(void *conn_context,
+ sasldata[2] = (params->props.maxbufsize >> 8) & 0xFF;
+ sasldata[3] = (params->props.maxbufsize >> 0) & 0xFF;
+ }
+- sasldata[0] = 0;
+- if(text->requiressf != 0 && !params->props.maxbufsize) {
+- params->utils->seterror(params->utils->conn, 0,
+- "GSSAPI needs a security layer but one is forbidden");
+- return SASL_TOOWEAK;
+- }
+-
+- if (text->requiressf == 0) {
+- sasldata[0] |= 1; /* authentication */
+- }
+- if (text->requiressf <= 1 && text->limitssf >= 1
+- && params->props.maxbufsize) {
+- sasldata[0] |= 2;
+- }
+- if (text->requiressf <= K5_MAX_SSF && text->limitssf >= K5_MAX_SSF
+- && params->props.maxbufsize) {
+- sasldata[0] |= 4;
+- }
+-
+- real_input_token.value = (void *)sasldata;
+- real_input_token.length = 4;
+-
+- maj_stat = (*p_krb5_gss_wrap)(&min_stat,
+- text->gss_ctx,
+- 0, /* Just integrity checking here */
+- GSS_C_QOP_DEFAULT,
+- input_token,
+- NULL,
+- output_token);
+-
+- if (GSS_ERROR(maj_stat)) {
+- sasl_gss_seterror(text->utils, maj_stat, min_stat);
+- if (output_token->value)
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- sasl_gss_free_context_contents(text);
+- return SASL_FAIL;
+- }
+-
+-
+- if (serveroutlen)
+- *serveroutlen = output_token->length;
+- if (output_token->value) {
+- if (serverout) {
+- ret = _plug_buf_alloc(text->utils, &(text->out_buf),
+- &(text->out_buf_len), *serveroutlen);
+- if(ret != SASL_OK) {
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- return ret;
+- }
+- memcpy(text->out_buf, output_token->value, *serveroutlen);
+- *serverout = text->out_buf;
+- }
+-
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- }
+-
+- /* Wait for ssf request and authid */
+- text->state = SASL_GSSAPI_STATE_SSFREQ;
+-
+- return SASL_CONTINUE;
++ sasldata[0] = 0;
++ if(text->requiressf != 0 && !params->props.maxbufsize) {
++ params->utils->seterror(params->utils->conn, 0,
++ "GSSAPI needs a security layer but one is forbidden");
++ return SASL_TOOWEAK;
++ }
++
++ if (text->requiressf == 0) {
++ sasldata[0] |= 1; /* authentication */
++ }
++ if (text->requiressf <= 1 && text->limitssf >= 1
++ && params->props.maxbufsize) {
++ sasldata[0] |= 2;
++ }
++ if (text->requiressf <= K5_MAX_SSF && text->limitssf >= K5_MAX_SSF
++ && params->props.maxbufsize) {
++ sasldata[0] |= 4;
++ }
++
++ real_input_token.value = (void *)sasldata;
++ real_input_token.length = 4;
++
++ maj_stat = (*p_krb5_gss_wrap)(&min_stat,
++ text->gss_ctx,
++ 0, /* Just integrity checking here */
++ GSS_C_QOP_DEFAULT,
++ input_token,
++ NULL,
++ output_token);
++
++ if (GSS_ERROR(maj_stat)) {
++ sasl_gss_seterror(text->utils, maj_stat, min_stat);
++ if (output_token->value)
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ sasl_gss_free_context_contents(text);
++ return SASL_FAIL;
++ }
++
++
++ if (serveroutlen)
++ *serveroutlen = output_token->length;
++ if (output_token->value) {
++ if (serverout) {
++ ret = _plug_buf_alloc(text->utils, &(text->out_buf),
++ &(text->out_buf_len), *serveroutlen);
++ if(ret != SASL_OK) {
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ return ret;
++ }
++ memcpy(text->out_buf, output_token->value, *serveroutlen);
++ *serverout = text->out_buf;
++ }
++
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ }
++
++ /* Wait for ssf request and authid */
++ text->state = SASL_GSSAPI_STATE_SSFREQ;
++
++ return SASL_CONTINUE;
+ }
+
+ case SASL_GSSAPI_STATE_SSFREQ: {
+- int layerchoice;
+-
+- real_input_token.value = (void *)clientin;
+- real_input_token.length = clientinlen;
+-
+- maj_stat = (*p_krb5_gss_unwrap)(&min_stat,
+- text->gss_ctx,
+- input_token,
+- output_token,
+- NULL,
+- NULL);
+-
+- if (GSS_ERROR(maj_stat)) {
+- sasl_gss_seterror(text->utils, maj_stat, min_stat);
+- sasl_gss_free_context_contents(text);
+- return SASL_FAIL;
+- }
+-
+- layerchoice = (int)(((char *)(output_token->value))[0]);
+- if (layerchoice == 1 && text->requiressf == 0) { /* no encryption */
+- oparams->encode = NULL;
+- oparams->decode = NULL;
+- oparams->mech_ssf = 0;
+- } else if (layerchoice == 2 && text->requiressf <= 1 &&
+- text->limitssf >= 1) { /* integrity */
+- oparams->encode=&gssapi_integrity_encode;
+- oparams->decode=&gssapi_decode;
+- oparams->mech_ssf=1;
+- } else if (layerchoice == 4 && text->requiressf <= K5_MAX_SSF &&
+- text->limitssf >= K5_MAX_SSF) { /* privacy */
+- oparams->encode = &gssapi_privacy_encode;
+- oparams->decode = &gssapi_decode;
+- /* FIX ME: Need to extract the proper value here */
+- oparams->mech_ssf = K5_MAX_SSF;
+- } else {
+- /* not a supported encryption layer */
+- SETERROR(text->utils,
+- "protocol violation: client requested invalid layer");
+- /* Mark that we attempted negotiation */
+- oparams->mech_ssf = 2;
+- if (output_token->value)
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- sasl_gss_free_context_contents(text);
+- return SASL_FAIL;
+- }
+-
+- if (output_token->length > 4) {
+- int ret;
+-
+- ret = params->canon_user(params->utils->conn,
+- ((char *) output_token->value) + 4,
+- (output_token->length - 4) * sizeof(char),
+- SASL_CU_AUTHZID, oparams);
+-
+- if (ret != SASL_OK) {
+- sasl_gss_free_context_contents(text);
+- return ret;
+- }
+-
+- ret = params->canon_user(params->utils->conn,
+- text->authid,
+- 0, /* strlen(text->authid) */
+- SASL_CU_AUTHID, oparams);
+- if (ret != SASL_OK) {
+- sasl_gss_free_context_contents(text);
+- return ret;
+- }
+- } else if(output_token->length == 4) {
+- /* null authzid */
+- int ret;
+-
+- ret = params->canon_user(params->utils->conn,
+- text->authid,
+- 0, /* strlen(text->authid) */
+- SASL_CU_AUTHZID | SASL_CU_AUTHID,
+- oparams);
+-
+- if (ret != SASL_OK) {
+- sasl_gss_free_context_contents(text);
+- return ret;
+- }
+- } else {
+- SETERROR(text->utils,
+- "token too short");
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- sasl_gss_free_context_contents(text);
+- return SASL_FAIL;
+- }
+-
+- /* No matter what, set the rest of the oparams */
+-
++ int layerchoice;
++
++ real_input_token.value = (void *)clientin;
++ real_input_token.length = clientinlen;
++
++ maj_stat = (*p_krb5_gss_unwrap)(&min_stat,
++ text->gss_ctx,
++ input_token,
++ output_token,
++ NULL,
++ NULL);
++
++ if (GSS_ERROR(maj_stat)) {
++ sasl_gss_seterror(text->utils, maj_stat, min_stat);
++ sasl_gss_free_context_contents(text);
++ return SASL_FAIL;
++ }
++
++ layerchoice = (int)(((char *)(output_token->value))[0]);
++ if (layerchoice == 1 && text->requiressf == 0) { /* no encryption */
++ oparams->encode = NULL;
++ oparams->decode = NULL;
++ oparams->mech_ssf = 0;
++ } else if (layerchoice == 2 && text->requiressf <= 1 &&
++ text->limitssf >= 1) { /* integrity */
++ oparams->encode=&gssapi_integrity_encode;
++ oparams->decode=&gssapi_decode;
++ oparams->mech_ssf=1;
++ } else if (layerchoice == 4 && text->requiressf <= K5_MAX_SSF &&
++ text->limitssf >= K5_MAX_SSF) { /* privacy */
++ oparams->encode = &gssapi_privacy_encode;
++ oparams->decode = &gssapi_decode;
++ /* FIX ME: Need to extract the proper value here */
++ oparams->mech_ssf = K5_MAX_SSF;
++ } else {
++ /* not a supported encryption layer */
++ SETERROR(text->utils,
++ "protocol violation: client requested invalid layer");
++ /* Mark that we attempted negotiation */
++ oparams->mech_ssf = 2;
++ if (output_token->value)
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ sasl_gss_free_context_contents(text);
++ return SASL_FAIL;
++ }
++
++ if (output_token->length > 4) {
++ int ret;
++
++ ret = params->canon_user(params->utils->conn,
++ ((char *) output_token->value) + 4,
++ (output_token->length - 4) * sizeof(char),
++ SASL_CU_AUTHZID, oparams);
++
++ if (ret != SASL_OK) {
++ sasl_gss_free_context_contents(text);
++ return ret;
++ }
++
++ ret = params->canon_user(params->utils->conn,
++ text->authid,
++ 0, /* strlen(text->authid) */
++ SASL_CU_AUTHID, oparams);
++ if (ret != SASL_OK) {
++ sasl_gss_free_context_contents(text);
++ return ret;
++ }
++ } else if(output_token->length == 4) {
++ /* null authzid */
++ int ret;
++
++ ret = params->canon_user(params->utils->conn,
++ text->authid,
++ 0, /* strlen(text->authid) */
++ SASL_CU_AUTHZID | SASL_CU_AUTHID,
++ oparams);
++
++ if (ret != SASL_OK) {
++ sasl_gss_free_context_contents(text);
++ return ret;
++ }
++ } else {
++ SETERROR(text->utils,
++ "token too short");
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ sasl_gss_free_context_contents(text);
++ return SASL_FAIL;
++ }
++
++ /* No matter what, set the rest of the oparams */
++
+ oparams->maxoutbuf =
+- (((unsigned char *) output_token->value)[1] << 16) |
++ (((unsigned char *) output_token->value)[1] << 16) |
+ (((unsigned char *) output_token->value)[2] << 8) |
+ (((unsigned char *) output_token->value)[3] << 0);
+
+- if (oparams->mech_ssf) {
+- maj_stat = (*p_krb5_gss_wrap_size_limit)(&min_stat,
+- text->gss_ctx,
+- 1,
+- GSS_C_QOP_DEFAULT,
+- (OM_uint32) oparams->maxoutbuf,
+- &max_input);
+-
+- if(max_input > oparams->maxoutbuf) {
+- /* Heimdal appears to get this wrong */
+- oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
+- } else {
+- /* This code is actually correct */
+- oparams->maxoutbuf = max_input;
+- }
+- }
+-
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+-
+- text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+-
+- /* used by layers */
+- _plug_decode_init(&text->decode_context, text->utils,
+- (params->props.maxbufsize > 0xFFFFFF) ? 0xFFFFFF :
+- params->props.maxbufsize);
+-
+- oparams->doneflag = 1;
+-
+- return SASL_OK;
++ if (oparams->mech_ssf) {
++ maj_stat = (*p_krb5_gss_wrap_size_limit)(&min_stat,
++ text->gss_ctx,
++ 1,
++ GSS_C_QOP_DEFAULT,
++ (OM_uint32) oparams->maxoutbuf,
++ &max_input);
++
++ if(max_input > oparams->maxoutbuf) {
++ /* Heimdal appears to get this wrong */
++ oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
++ } else {
++ /* This code is actually correct */
++ oparams->maxoutbuf = max_input;
++ }
++ }
++
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++
++ text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
++
++ /* used by layers */
++ _plug_decode_init(&text->decode_context, text->utils,
++ (params->props.maxbufsize > 0xFFFFFF) ? 0xFFFFFF :
++ params->props.maxbufsize);
++
++ oparams->doneflag = 1;
++
++ return SASL_OK;
+ }
+-
++
+ default:
+- params->utils->log(NULL, SASL_LOG_ERR,
+- "Invalid GSSAPI server step %d\n", text->state);
+- return SASL_FAIL;
++ params->utils->log(NULL, SASL_LOG_ERR,
++ "Invalid GSSAPI server step %d\n", text->state);
++ return SASL_FAIL;
+ }
+-
++
+ return SASL_FAIL; /* should never get here */
+ }
+
+-static sasl_server_plug_t gssapi_server_plugins[] =
++static sasl_server_plug_t gssapi_server_plugins[] =
+ {
+ {
+- "GSSAPI", /* mech_name */
+- K5_MAX_SSF, /* max_ssf */
+- SASL_SEC_NOPLAINTEXT
+- | SASL_SEC_NOACTIVE
+- | SASL_SEC_NOANONYMOUS
+- | SASL_SEC_MUTUAL_AUTH, /* security_flags */
+- SASL_FEAT_WANT_CLIENT_FIRST
+- | SASL_FEAT_ALLOWS_PROXY, /* features */
+- NULL, /* glob_context */
+- &gssapi_server_mech_new, /* mech_new */
+- &gssapi_server_mech_step, /* mech_step */
+- &gssapi_common_mech_dispose, /* mech_dispose */
+- NULL, /* mech_free */
+- NULL, /* setpass */
+- NULL, /* user_query */
+- NULL, /* idle */
+- NULL, /* mech_avail */
+- NULL /* spare */
++ "GSSAPI", /* mech_name */
++ K5_MAX_SSF, /* max_ssf */
++ SASL_SEC_NOPLAINTEXT
++ | SASL_SEC_NOACTIVE
++ | SASL_SEC_NOANONYMOUS
++ | SASL_SEC_MUTUAL_AUTH, /* security_flags */
++ SASL_FEAT_WANT_CLIENT_FIRST
++ | SASL_FEAT_ALLOWS_PROXY, /* features */
++ NULL, /* glob_context */
++ &gssapi_server_mech_new, /* mech_new */
++ &gssapi_server_mech_step, /* mech_step */
++ &gssapi_common_mech_dispose, /* mech_dispose */
++ NULL, /* mech_free */
++ NULL, /* setpass */
++ NULL, /* user_query */
++ NULL, /* idle */
++ NULL, /* mech_avail */
++ NULL /* spare */
+ }
+ };
+
+@@ -1180,7 +1180,7 @@ int gssapiv2_server_plug_init(
+ const sasl_utils_t *utils __attribute__((unused)),
+ #else
+ const sasl_utils_t *utils,
+-#endif
++#endif
+ int maxversion,
+ int *out_version,
+ sasl_server_plug_t **pluglist,
+@@ -1191,78 +1191,78 @@ int gssapiv2_server_plug_init(
+ char keytab_path[1024];
+ unsigned int rl;
+ #endif
+-
++
+ if (maxversion < SASL_SERVER_PLUG_VERSION) {
+- return SASL_BADVERS;
++ return SASL_BADVERS;
+ }
+-
++
+ #ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
+ /* unfortunately, we don't check for readability of keytab if it's
+ the standard one, since we don't know where it is */
+-
++
+ /* FIXME: This code is broken */
+-
++
+ utils->getopt(utils->getopt_context, "GSSAPI", "keytab", &keytab, &rl);
+ if (keytab != NULL) {
+- if (access(keytab, R_OK) != 0) {
+- utils->log(NULL, SASL_LOG_ERR,
+- "Could not find keytab file: %s: %m",
+- keytab, errno);
+- return SASL_FAIL;
+- }
+-
+- if(strlen(keytab) > 1024) {
+- utils->log(NULL, SASL_LOG_ERR,
+- "path to keytab is > 1024 characters");
+- return SASL_BUFOVER;
+- }
+-
+- strncpy(keytab_path, keytab, 1024);
+-
+- gsskrb5_register_acceptor_identity(keytab_path);
++ if (access(keytab, R_OK) != 0) {
++ utils->log(NULL, SASL_LOG_ERR,
++ "Could not find keytab file: %s: %m",
++ keytab, errno);
++ return SASL_FAIL;
++ }
++
++ if(strlen(keytab) > 1024) {
++ utils->log(NULL, SASL_LOG_ERR,
++ "path to keytab is > 1024 characters");
++ return SASL_BUFOVER;
++ }
++
++ strncpy(keytab_path, keytab, 1024);
++
++ gsskrb5_register_acceptor_identity(keytab_path);
+ }
+ #endif
+-
++
+ *out_version = SASL_SERVER_PLUG_VERSION;
+ *pluglist = gssapi_server_plugins;
+- *plugcount = 1;
+-
++ *plugcount = 1;
++
+ return SASL_OK;
+ }
+
+ /***************************** Client Section *****************************/
+
+-static int gssapi_client_mech_new(void *glob_context __attribute__((unused)),
+- sasl_client_params_t *params,
+- void **conn_context)
++static int gssapi_client_mech_new(void *glob_context __attribute__((unused)),
++ sasl_client_params_t *params,
++ void **conn_context)
+ {
+ context_t *text;
+-
++
+ /* holds state are in */
+ text = gss_new_context(params->utils);
+ if (text == NULL) {
+- MEMERROR(params->utils);
+- return SASL_NOMEM;
++ MEMERROR(params->utils);
++ return SASL_NOMEM;
+ }
+-
++
+ text->state = SASL_GSSAPI_STATE_AUTHNEG;
+ text->gss_ctx = GSS_C_NO_CONTEXT;
+ text->client_name = GSS_C_NO_NAME;
+ text->server_creds = GSS_C_NO_CREDENTIAL;
+
+ *conn_context = text;
+-
++
+ return SASL_OK;
+ }
+
+ static int gssapi_client_mech_step(void *conn_context,
+- sasl_client_params_t *params,
+- const char *serverin,
+- unsigned serverinlen,
+- sasl_interact_t **prompt_need,
+- const char **clientout,
+- unsigned *clientoutlen,
+- sasl_out_params_t *oparams)
++ sasl_client_params_t *params,
++ const char *serverin,
++ unsigned serverinlen,
++ sasl_interact_t **prompt_need,
++ const char **clientout,
++ unsigned *clientoutlen,
++ sasl_out_params_t *oparams)
+ {
+ context_t *text = (context_t *)conn_context;
+ gss_buffer_t input_token, output_token;
+@@ -1275,286 +1275,286 @@ static int gssapi_client_mech_step(void *conn_context,
+ input_token = &real_input_token;
+ output_token = &real_output_token;
+ output_token->value = NULL;
+- input_token->value = NULL;
++ input_token->value = NULL;
+ input_token->length = 0;
+-
++
+ *clientout = NULL;
+ *clientoutlen = 0;
+-
++
+ if (sasl_gss_lib_init(text->utils) != SASL_OK) return SASL_FAIL;
+-
++
+ switch (text->state) {
+
+ case SASL_GSSAPI_STATE_AUTHNEG:
+- /* try to get the userid */
+- if (text->user == NULL) {
+- int user_result = SASL_OK;
+-
+- user_result = _plug_get_userid(params->utils, &text->user,
+- prompt_need);
+-
+- if ((user_result != SASL_OK) && (user_result != SASL_INTERACT)) {
+- sasl_gss_free_context_contents(text);
+- return user_result;
+- }
+-
+- /* free prompts we got */
+- if (prompt_need && *prompt_need) {
+- params->utils->free(*prompt_need);
+- *prompt_need = NULL;
+- }
+-
+- /* if there are prompts not filled in */
+- if (user_result == SASL_INTERACT) {
+- /* make the prompt list */
+- int result =
+- _plug_make_prompts(params->utils, prompt_need,
+- user_result == SASL_INTERACT ?
+- "Please enter your authorization name" : NULL, NULL,
+- NULL, NULL,
+- NULL, NULL,
+- NULL, NULL, NULL,
+- NULL, NULL, NULL);
+- if (result != SASL_OK) return result;
+-
+- return SASL_INTERACT;
+- }
+- }
+-
+- if (text->server_name == GSS_C_NO_NAME) { /* only once */
+- name_token.length = strlen(params->service) + 1 + strlen(params->serverFQDN);
+- name_token.value = (char *)params->utils->malloc((name_token.length + 1) * sizeof(char));
+- if (name_token.value == NULL) {
+- sasl_gss_free_context_contents(text);
+- return SASL_NOMEM;
+- }
+- if (params->serverFQDN == NULL
+- || strlen(params->serverFQDN) == 0) {
+- SETERROR(text->utils, "GSSAPI Failure: no serverFQDN");
+- return SASL_FAIL;
+- }
+-
+- sprintf(name_token.value,"%s@%s", params->service, params->serverFQDN);
+-
+- maj_stat = (*p_krb5_gss_import_name) (&min_stat,
+- &name_token,
+- GSS_C_NT_HOSTBASED_SERVICE,
+- &text->server_name);
+-
+- params->utils->free(name_token.value);
+- name_token.value = NULL;
+-
+- if (GSS_ERROR(maj_stat)) {
+- sasl_gss_seterror(text->utils, maj_stat, min_stat);
+- sasl_gss_free_context_contents(text);
+- return SASL_FAIL;
+- }
+- }
+-
+- if (serverinlen == 0)
+- input_token = GSS_C_NO_BUFFER;
+-
+- if (serverinlen) {
+- real_input_token.value = (void *)serverin;
+- real_input_token.length = serverinlen;
+- }
+- else if (text->gss_ctx != GSS_C_NO_CONTEXT ) {
+- /* This can't happen under GSSAPI: we have a non-null context
+- * and no input from the server. However, thanks to Imap,
+- * which discards our first output, this happens all the time.
+- * Throw away the context and try again. */
+- maj_stat = (*p_krb5_gss_delete_sec_context) (&min_stat,&text->gss_ctx,GSS_C_NO_BUFFER);
+- text->gss_ctx = GSS_C_NO_CONTEXT;
+- }
+-
+- /* Setup req_flags properly */
+- req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
+- if(params->props.max_ssf > params->external_ssf) {
+- /* We are requesting a security layer */
+- req_flags |= GSS_C_INTEG_FLAG;
+- /* Any SSF bigger than 1 is confidentiality. */
+- /* Let's check if the client of the API requires confidentiality,
+- and it wasn't already provided by an external layer */
+- if(params->props.max_ssf - params->external_ssf > 1) {
+- /* We want to try for privacy */
+- req_flags |= GSS_C_CONF_FLAG;
+- }
+- }
+-
+- maj_stat = (*p_krb5_gss_init_sec_context)(&min_stat,
+- GSS_C_NO_CREDENTIAL,
+- &text->gss_ctx,
+- text->server_name,
+- GSS_C_NO_OID,
+- req_flags,
+- 0,
+- GSS_C_NO_CHANNEL_BINDINGS,
+- input_token,
+- NULL,
+- output_token,
+- &out_req_flags,
+- NULL);
+-
+- if (GSS_ERROR(maj_stat)) {
+- sasl_gss_seterror(text->utils, maj_stat, min_stat);
+- if (output_token->value)
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- sasl_gss_free_context_contents(text);
+- return SASL_FAIL;
+- }
+-
+- *clientoutlen = output_token->length;
+-
+- if (output_token->value) {
+- if (clientout) {
+- ret = _plug_buf_alloc(text->utils, &(text->out_buf),
+- &(text->out_buf_len), *clientoutlen);
+- if(ret != SASL_OK) {
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- return ret;
+- }
+- memcpy(text->out_buf, output_token->value, *clientoutlen);
+- *clientout = text->out_buf;
+- }
+-
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- }
+-
+- if (maj_stat == GSS_S_COMPLETE) {
+- maj_stat = (*p_krb5_gss_inquire_context)(&min_stat,
+- text->gss_ctx,
+- &text->client_name,
+- NULL, /* targ_name */
+- NULL, /* lifetime */
+- NULL, /* mech */
+- /* FIX ME: Should check the resulting flags here */
+- NULL, /* flags */
+- NULL, /* local init */
+- NULL); /* open */
+-
+- if (GSS_ERROR(maj_stat)) {
+- sasl_gss_seterror(text->utils, maj_stat, min_stat);
+- sasl_gss_free_context_contents(text);
+- return SASL_FAIL;
+- }
+-
+- name_token.length = 0;
+- maj_stat = (*p_krb5_gss_display_name)(&min_stat,
+- text->client_name,
+- &name_token,
+- NULL);
+-
+- if (GSS_ERROR(maj_stat)) {
+- if (name_token.value)
+- (*p_krb5_gss_release_buffer)(&min_stat, &name_token);
+- SETERROR(text->utils, "GSSAPI Failure");
+- sasl_gss_free_context_contents(text);
+- return SASL_FAIL;
+- }
+-
+- if (text->user && text->user[0]) {
+- ret = params->canon_user(params->utils->conn,
+- text->user, 0,
+- SASL_CU_AUTHZID, oparams);
+- if (ret == SASL_OK)
+- ret = params->canon_user(params->utils->conn,
+- name_token.value, 0,
+- SASL_CU_AUTHID, oparams);
+- } else {
+- ret = params->canon_user(params->utils->conn,
+- name_token.value, 0,
+- SASL_CU_AUTHID | SASL_CU_AUTHZID,
+- oparams);
+- }
+- (*p_krb5_gss_release_buffer)(&min_stat, &name_token);
+-
+- if (ret != SASL_OK) return ret;
+-
+- /* Switch to ssf negotiation */
+- text->state = SASL_GSSAPI_STATE_SSFCAP;
+- }
+-
+- return SASL_CONTINUE;
++ /* try to get the userid */
++ if (text->user == NULL) {
++ int user_result = SASL_OK;
++
++ user_result = _plug_get_userid(params->utils, &text->user,
++ prompt_need);
++
++ if ((user_result != SASL_OK) && (user_result != SASL_INTERACT)) {
++ sasl_gss_free_context_contents(text);
++ return user_result;
++ }
++
++ /* free prompts we got */
++ if (prompt_need && *prompt_need) {
++ params->utils->free(*prompt_need);
++ *prompt_need = NULL;
++ }
++
++ /* if there are prompts not filled in */
++ if (user_result == SASL_INTERACT) {
++ /* make the prompt list */
++ int result =
++ _plug_make_prompts(params->utils, prompt_need,
++ user_result == SASL_INTERACT ?
++ "Please enter your authorization name" : NULL, NULL,
++ NULL, NULL,
++ NULL, NULL,
++ NULL, NULL, NULL,
++ NULL, NULL, NULL);
++ if (result != SASL_OK) return result;
++
++ return SASL_INTERACT;
++ }
++ }
++
++ if (text->server_name == GSS_C_NO_NAME) { /* only once */
++ name_token.length = strlen(params->service) + 1 + strlen(params->serverFQDN);
++ name_token.value = (char *)params->utils->malloc((name_token.length + 1) * sizeof(char));
++ if (name_token.value == NULL) {
++ sasl_gss_free_context_contents(text);
++ return SASL_NOMEM;
++ }
++ if (params->serverFQDN == NULL
++ || strlen(params->serverFQDN) == 0) {
++ SETERROR(text->utils, "GSSAPI Failure: no serverFQDN");
++ return SASL_FAIL;
++ }
++
++ sprintf(name_token.value,"%s@%s", params->service, params->serverFQDN);
++
++ maj_stat = (*p_krb5_gss_import_name) (&min_stat,
++ &name_token,
++ GSS_C_NT_HOSTBASED_SERVICE,
++ &text->server_name);
++
++ params->utils->free(name_token.value);
++ name_token.value = NULL;
++
++ if (GSS_ERROR(maj_stat)) {
++ sasl_gss_seterror(text->utils, maj_stat, min_stat);
++ sasl_gss_free_context_contents(text);
++ return SASL_FAIL;
++ }
++ }
++
++ if (serverinlen == 0)
++ input_token = GSS_C_NO_BUFFER;
++
++ if (serverinlen) {
++ real_input_token.value = (void *)serverin;
++ real_input_token.length = serverinlen;
++ }
++ else if (text->gss_ctx != GSS_C_NO_CONTEXT ) {
++ /* This can't happen under GSSAPI: we have a non-null context
++ * and no input from the server. However, thanks to Imap,
++ * which discards our first output, this happens all the time.
++ * Throw away the context and try again. */
++ maj_stat = (*p_krb5_gss_delete_sec_context) (&min_stat,&text->gss_ctx,GSS_C_NO_BUFFER);
++ text->gss_ctx = GSS_C_NO_CONTEXT;
++ }
++
++ /* Setup req_flags properly */
++ req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
++ if(params->props.max_ssf > params->external_ssf) {
++ /* We are requesting a security layer */
++ req_flags |= GSS_C_INTEG_FLAG;
++ /* Any SSF bigger than 1 is confidentiality. */
++ /* Let's check if the client of the API requires confidentiality,
++ and it wasn't already provided by an external layer */
++ if(params->props.max_ssf - params->external_ssf > 1) {
++ /* We want to try for privacy */
++ req_flags |= GSS_C_CONF_FLAG;
++ }
++ }
++
++ maj_stat = (*p_krb5_gss_init_sec_context)(&min_stat,
++ GSS_C_NO_CREDENTIAL,
++ &text->gss_ctx,
++ text->server_name,
++ GSS_C_NO_OID,
++ req_flags,
++ 0,
++ GSS_C_NO_CHANNEL_BINDINGS,
++ input_token,
++ NULL,
++ output_token,
++ &out_req_flags,
++ NULL);
++
++ if (GSS_ERROR(maj_stat)) {
++ sasl_gss_seterror(text->utils, maj_stat, min_stat);
++ if (output_token->value)
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ sasl_gss_free_context_contents(text);
++ return SASL_FAIL;
++ }
++
++ *clientoutlen = output_token->length;
++
++ if (output_token->value) {
++ if (clientout) {
++ ret = _plug_buf_alloc(text->utils, &(text->out_buf),
++ &(text->out_buf_len), *clientoutlen);
++ if(ret != SASL_OK) {
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ return ret;
++ }
++ memcpy(text->out_buf, output_token->value, *clientoutlen);
++ *clientout = text->out_buf;
++ }
++
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ }
++
++ if (maj_stat == GSS_S_COMPLETE) {
++ maj_stat = (*p_krb5_gss_inquire_context)(&min_stat,
++ text->gss_ctx,
++ &text->client_name,
++ NULL, /* targ_name */
++ NULL, /* lifetime */
++ NULL, /* mech */
++ /* FIX ME: Should check the resulting flags here */
++ NULL, /* flags */
++ NULL, /* local init */
++ NULL); /* open */
++
++ if (GSS_ERROR(maj_stat)) {
++ sasl_gss_seterror(text->utils, maj_stat, min_stat);
++ sasl_gss_free_context_contents(text);
++ return SASL_FAIL;
++ }
++
++ name_token.length = 0;
++ maj_stat = (*p_krb5_gss_display_name)(&min_stat,
++ text->client_name,
++ &name_token,
++ NULL);
++
++ if (GSS_ERROR(maj_stat)) {
++ if (name_token.value)
++ (*p_krb5_gss_release_buffer)(&min_stat, &name_token);
++ SETERROR(text->utils, "GSSAPI Failure");
++ sasl_gss_free_context_contents(text);
++ return SASL_FAIL;
++ }
++
++ if (text->user && text->user[0]) {
++ ret = params->canon_user(params->utils->conn,
++ text->user, 0,
++ SASL_CU_AUTHZID, oparams);
++ if (ret == SASL_OK)
++ ret = params->canon_user(params->utils->conn,
++ name_token.value, 0,
++ SASL_CU_AUTHID, oparams);
++ } else {
++ ret = params->canon_user(params->utils->conn,
++ name_token.value, 0,
++ SASL_CU_AUTHID | SASL_CU_AUTHZID,
++ oparams);
++ }
++ (*p_krb5_gss_release_buffer)(&min_stat, &name_token);
++
++ if (ret != SASL_OK) return ret;
++
++ /* Switch to ssf negotiation */
++ text->state = SASL_GSSAPI_STATE_SSFCAP;
++ }
++
++ return SASL_CONTINUE;
+
+ case SASL_GSSAPI_STATE_SSFCAP: {
+- sasl_security_properties_t *secprops = &(params->props);
+- unsigned int alen, external = params->external_ssf;
+- sasl_ssf_t need, allowed;
+- char serverhas, mychoice;
+-
+- real_input_token.value = (void *) serverin;
+- real_input_token.length = serverinlen;
+-
+- maj_stat = (*p_krb5_gss_unwrap)(&min_stat,
+- text->gss_ctx,
+- input_token,
+- output_token,
+- NULL,
+- NULL);
+-
+- if (GSS_ERROR(maj_stat)) {
+- sasl_gss_seterror(text->utils, maj_stat, min_stat);
+- sasl_gss_free_context_contents(text);
+- if (output_token->value)
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- return SASL_FAIL;
+- }
+-
+- /* taken from kerberos.c */
+- if (secprops->min_ssf > (K5_MAX_SSF + external)) {
+- return SASL_TOOWEAK;
+- } else if (secprops->min_ssf > secprops->max_ssf) {
+- return SASL_BADPARAM;
+- }
+-
+- /* need bits of layer -- sasl_ssf_t is unsigned so be careful */
+- if (secprops->max_ssf >= external) {
+- allowed = secprops->max_ssf - external;
+- } else {
+- allowed = 0;
+- }
+- if (secprops->min_ssf >= external) {
+- need = secprops->min_ssf - external;
+- } else {
+- /* good to go */
+- need = 0;
+- }
+-
+- /* bit mask of server support */
+- serverhas = ((char *)output_token->value)[0];
+-
+- /* if client didn't set use strongest layer available */
+- if (allowed >= K5_MAX_SSF && need <= K5_MAX_SSF && (serverhas & 4)) {
+- /* encryption */
+- oparams->encode = &gssapi_privacy_encode;
+- oparams->decode = &gssapi_decode;
+- /* FIX ME: Need to extract the proper value here */
+- oparams->mech_ssf = K5_MAX_SSF;
+- mychoice = 4;
+- } else if (allowed >= 1 && need <= 1 && (serverhas & 2)) {
+- /* integrity */
+- oparams->encode = &gssapi_integrity_encode;
+- oparams->decode = &gssapi_decode;
+- oparams->mech_ssf = 1;
+- mychoice = 2;
+- } else if (need <= 0 && (serverhas & 1)) {
+- /* no layer */
+- oparams->encode = NULL;
+- oparams->decode = NULL;
+- oparams->mech_ssf = 0;
+- mychoice = 1;
+- } else {
+- /* there's no appropriate layering for us! */
+- sasl_gss_free_context_contents(text);
+- return SASL_TOOWEAK;
+- }
+-
++ sasl_security_properties_t *secprops = &(params->props);
++ unsigned int alen, external = params->external_ssf;
++ sasl_ssf_t need, allowed;
++ char serverhas, mychoice;
++
++ real_input_token.value = (void *) serverin;
++ real_input_token.length = serverinlen;
++
++ maj_stat = (*p_krb5_gss_unwrap)(&min_stat,
++ text->gss_ctx,
++ input_token,
++ output_token,
++ NULL,
++ NULL);
++
++ if (GSS_ERROR(maj_stat)) {
++ sasl_gss_seterror(text->utils, maj_stat, min_stat);
++ sasl_gss_free_context_contents(text);
++ if (output_token->value)
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ return SASL_FAIL;
++ }
++
++ /* taken from kerberos.c */
++ if (secprops->min_ssf > (K5_MAX_SSF + external)) {
++ return SASL_TOOWEAK;
++ } else if (secprops->min_ssf > secprops->max_ssf) {
++ return SASL_BADPARAM;
++ }
++
++ /* need bits of layer -- sasl_ssf_t is unsigned so be careful */
++ if (secprops->max_ssf >= external) {
++ allowed = secprops->max_ssf - external;
++ } else {
++ allowed = 0;
++ }
++ if (secprops->min_ssf >= external) {
++ need = secprops->min_ssf - external;
++ } else {
++ /* good to go */
++ need = 0;
++ }
++
++ /* bit mask of server support */
++ serverhas = ((char *)output_token->value)[0];
++
++ /* if client didn't set use strongest layer available */
++ if (allowed >= K5_MAX_SSF && need <= K5_MAX_SSF && (serverhas & 4)) {
++ /* encryption */
++ oparams->encode = &gssapi_privacy_encode;
++ oparams->decode = &gssapi_decode;
++ /* FIX ME: Need to extract the proper value here */
++ oparams->mech_ssf = K5_MAX_SSF;
++ mychoice = 4;
++ } else if (allowed >= 1 && need <= 1 && (serverhas & 2)) {
++ /* integrity */
++ oparams->encode = &gssapi_integrity_encode;
++ oparams->decode = &gssapi_decode;
++ oparams->mech_ssf = 1;
++ mychoice = 2;
++ } else if (need <= 0 && (serverhas & 1)) {
++ /* no layer */
++ oparams->encode = NULL;
++ oparams->decode = NULL;
++ oparams->mech_ssf = 0;
++ mychoice = 1;
++ } else {
++ /* there's no appropriate layering for us! */
++ sasl_gss_free_context_contents(text);
++ return SASL_TOOWEAK;
++ }
++
+ oparams->maxoutbuf =
+- (((unsigned char *) output_token->value)[1] << 16) |
++ (((unsigned char *) output_token->value)[1] << 16) |
+ (((unsigned char *) output_token->value)[2] << 8) |
+ (((unsigned char *) output_token->value)[3] << 0);
+
+- if(oparams->mech_ssf) {
++ if(oparams->mech_ssf) {
+ maj_stat = (*p_krb5_gss_wrap_size_limit)(&min_stat,
+ text->gss_ctx,
+ 1,
+@@ -1562,38 +1562,38 @@ static int gssapi_client_mech_step(void *conn_context,
+ (OM_uint32) oparams->maxoutbuf,
+ &max_input);
+
+- if(max_input > oparams->maxoutbuf) {
+- /* Heimdal appears to get this wrong */
+- oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
+- } else {
+- /* This code is actually correct */
+- oparams->maxoutbuf = max_input;
+- }
+- }
+-
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+-
+- /* oparams->user is always set, due to canon_user requirements.
+- * Make sure the client actually requested it though, by checking
+- * if our context was set.
+- */
+- if (text->user && text->user[0])
+- alen = strlen(oparams->user);
+- else
+- alen = 0;
+-
+- input_token->length = 4 + alen;
+- input_token->value =
+- (char *)params->utils->malloc((input_token->length + 1)*sizeof(char));
+- if (input_token->value == NULL) {
+- sasl_gss_free_context_contents(text);
+- return SASL_NOMEM;
+- }
+-
+- if (alen)
+- memcpy((char *)input_token->value+4,oparams->user,alen);
+-
+- /* build up our security properties token */
++ if(max_input > oparams->maxoutbuf) {
++ /* Heimdal appears to get this wrong */
++ oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
++ } else {
++ /* This code is actually correct */
++ oparams->maxoutbuf = max_input;
++ }
++ }
++
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++
++ /* oparams->user is always set, due to canon_user requirements.
++ * Make sure the client actually requested it though, by checking
++ * if our context was set.
++ */
++ if (text->user && text->user[0])
++ alen = strlen(oparams->user);
++ else
++ alen = 0;
++
++ input_token->length = 4 + alen;
++ input_token->value =
++ (char *)params->utils->malloc((input_token->length + 1)*sizeof(char));
++ if (input_token->value == NULL) {
++ sasl_gss_free_context_contents(text);
++ return SASL_NOMEM;
++ }
++
++ if (alen)
++ memcpy((char *)input_token->value+4,oparams->user,alen);
++
++ /* build up our security properties token */
+ if (params->props.maxbufsize > 0xFFFFFF) {
+ /* make sure maxbufsize isn't too large */
+ /* maxbufsize = 0xFFFFFF */
+@@ -1601,115 +1601,115 @@ static int gssapi_client_mech_step(void *conn_context,
+ ((unsigned char *)input_token->value)[2] = 0xFF;
+ ((unsigned char *)input_token->value)[3] = 0xFF;
+ } else {
+- ((unsigned char *)input_token->value)[1] =
++ ((unsigned char *)input_token->value)[1] =
+ (params->props.maxbufsize >> 16) & 0xFF;
+- ((unsigned char *)input_token->value)[2] =
++ ((unsigned char *)input_token->value)[2] =
+ (params->props.maxbufsize >> 8) & 0xFF;
+- ((unsigned char *)input_token->value)[3] =
++ ((unsigned char *)input_token->value)[3] =
+ (params->props.maxbufsize >> 0) & 0xFF;
+ }
+- ((unsigned char *)input_token->value)[0] = mychoice;
+-
+- maj_stat = (*p_krb5_gss_wrap) (&min_stat,
+- text->gss_ctx,
+- 0, /* Just integrity checking here */
+- GSS_C_QOP_DEFAULT,
+- input_token,
+- NULL,
+- output_token);
+-
+- params->utils->free(input_token->value);
+- input_token->value = NULL;
+-
+- if (GSS_ERROR(maj_stat)) {
+- sasl_gss_seterror(text->utils, maj_stat, min_stat);
+- if (output_token->value)
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- sasl_gss_free_context_contents(text);
+- return SASL_FAIL;
+- }
+-
+- if (clientoutlen)
+- *clientoutlen = output_token->length;
+- if (output_token->value) {
+- if (clientout) {
+- ret = _plug_buf_alloc(text->utils, &(text->out_buf),
+- &(text->out_buf_len), *clientoutlen);
+- if (ret != SASL_OK) {
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- return ret;
+- }
+- memcpy(text->out_buf, output_token->value, *clientoutlen);
+- *clientout = text->out_buf;
+- }
+-
+- (*p_krb5_gss_release_buffer)(&min_stat, output_token);
+- }
+-
+- text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+-
+- oparams->doneflag = 1;
+-
+- /* used by layers */
+- _plug_decode_init(&text->decode_context, text->utils,
+- (params->props.maxbufsize > 0xFFFFFF) ? 0xFFFFFF :
+- params->props.maxbufsize);
+-
+- return SASL_OK;
++ ((unsigned char *)input_token->value)[0] = mychoice;
++
++ maj_stat = (*p_krb5_gss_wrap) (&min_stat,
++ text->gss_ctx,
++ 0, /* Just integrity checking here */
++ GSS_C_QOP_DEFAULT,
++ input_token,
++ NULL,
++ output_token);
++
++ params->utils->free(input_token->value);
++ input_token->value = NULL;
++
++ if (GSS_ERROR(maj_stat)) {
++ sasl_gss_seterror(text->utils, maj_stat, min_stat);
++ if (output_token->value)
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ sasl_gss_free_context_contents(text);
++ return SASL_FAIL;
++ }
++
++ if (clientoutlen)
++ *clientoutlen = output_token->length;
++ if (output_token->value) {
++ if (clientout) {
++ ret = _plug_buf_alloc(text->utils, &(text->out_buf),
++ &(text->out_buf_len), *clientoutlen);
++ if (ret != SASL_OK) {
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ return ret;
++ }
++ memcpy(text->out_buf, output_token->value, *clientoutlen);
++ *clientout = text->out_buf;
++ }
++
++ (*p_krb5_gss_release_buffer)(&min_stat, output_token);
++ }
++
++ text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
++
++ oparams->doneflag = 1;
++
++ /* used by layers */
++ _plug_decode_init(&text->decode_context, text->utils,
++ (params->props.maxbufsize > 0xFFFFFF) ? 0xFFFFFF :
++ params->props.maxbufsize);
++
++ return SASL_OK;
+ }
+-
++
+ default:
+- params->utils->log(NULL, SASL_LOG_ERR,
+- "Invalid GSSAPI client step %d\n", text->state);
+- return SASL_FAIL;
++ params->utils->log(NULL, SASL_LOG_ERR,
++ "Invalid GSSAPI client step %d\n", text->state);
++ return SASL_FAIL;
+ }
+-
++
+ return SASL_FAIL; /* should never get here */
+ }
+
+ static const unsigned long gssapi_required_prompts[] = {
+ SASL_CB_LIST_END
+-};
++};
+
+-static sasl_client_plug_t gssapi_client_plugins[] =
++static sasl_client_plug_t gssapi_client_plugins[] =
+ {
+ {
+- "GSSAPI", /* mech_name */
+- K5_MAX_SSF, /* max_ssf */
+- SASL_SEC_NOPLAINTEXT
+- | SASL_SEC_NOACTIVE
+- | SASL_SEC_NOANONYMOUS
+- | SASL_SEC_MUTUAL_AUTH, /* security_flags */
+- SASL_FEAT_NEEDSERVERFQDN
+- | SASL_FEAT_WANT_CLIENT_FIRST
+- | SASL_FEAT_ALLOWS_PROXY, /* features */
+- gssapi_required_prompts, /* required_prompts */
+- NULL, /* glob_context */
+- &gssapi_client_mech_new, /* mech_new */
+- &gssapi_client_mech_step, /* mech_step */
+- &gssapi_common_mech_dispose, /* mech_dispose */
+- NULL, /* mech_free */
+- NULL, /* idle */
+- NULL, /* spare */
+- NULL /* spare */
++ "GSSAPI", /* mech_name */
++ K5_MAX_SSF, /* max_ssf */
++ SASL_SEC_NOPLAINTEXT
++ | SASL_SEC_NOACTIVE
++ | SASL_SEC_NOANONYMOUS
++ | SASL_SEC_MUTUAL_AUTH, /* security_flags */
++ SASL_FEAT_NEEDSERVERFQDN
++ | SASL_FEAT_WANT_CLIENT_FIRST
++ | SASL_FEAT_ALLOWS_PROXY, /* features */
++ gssapi_required_prompts, /* required_prompts */
++ NULL, /* glob_context */
++ &gssapi_client_mech_new, /* mech_new */
++ &gssapi_client_mech_step, /* mech_step */
++ &gssapi_common_mech_dispose, /* mech_dispose */
++ NULL, /* mech_free */
++ NULL, /* idle */
++ NULL, /* spare */
++ NULL /* spare */
+ }
+ };
+
+-int gssapiv2_client_plug_init(const sasl_utils_t *utils __attribute__((unused)),
+- int maxversion,
+- int *out_version,
+- sasl_client_plug_t **pluglist,
+- int *plugcount)
++int gssapiv2_client_plug_init(const sasl_utils_t *utils __attribute__((unused)),
++ int maxversion,
++ int *out_version,
++ sasl_client_plug_t **pluglist,
++ int *plugcount)
+ {
+ if (maxversion < SASL_CLIENT_PLUG_VERSION) {
+- SETERROR(utils, "Version mismatch in GSSAPI");
+- return SASL_BADVERS;
++ SETERROR(utils, "Version mismatch in GSSAPI");
++ return SASL_BADVERS;
+ }
+-
++
+ *out_version = SASL_CLIENT_PLUG_VERSION;
+ *pluglist = gssapi_client_plugins;
+ *plugcount = 1;
+-
++
+ return SASL_OK;
+ }
+
+@@ -1728,17 +1728,17 @@ int gssapiv2_client_plug_init(const sasl_utils_t *utils __attribute__((unused)),
+
+ OM_uint32
+ gss_add_cred(
+- OM_uint32 *minor_status,
+- gss_cred_id_t input_cred_handle,
+- gss_name_t desired_name,
+- gss_OID desired_mech,
+- gss_cred_usage_t cred_usage,
+- OM_uint32 initiator_time_req,
+- OM_uint32 acceptor_time_req,
+- gss_cred_id_t *output_cred_handle,
+- gss_OID_set *actual_mechs,
+- OM_uint32 *initiator_time_rec,
+- OM_uint32 *acceptor_time_rec)
++ OM_uint32 *minor_status,
++ gss_cred_id_t input_cred_handle,
++ gss_name_t desired_name,
++ gss_OID desired_mech,
++ gss_cred_usage_t cred_usage,
++ OM_uint32 initiator_time_req,
++ OM_uint32 acceptor_time_req,
++ gss_cred_id_t *output_cred_handle,
++ gss_OID_set *actual_mechs,
++ OM_uint32 *initiator_time_rec,
++ OM_uint32 *acceptor_time_rec)
+ {
+ return((*p_krb5_gss_add_cred)(minor_status, input_cred_handle,
+ desired_name,
+@@ -1758,8 +1758,8 @@ gss_seal(OM_uint32 *minor_status,
+ gss_buffer_t output_message_buffer)
+ {
+ return((*p_krb5_gss_seal)(minor_status, context_handle,
+- conf_req_flag, qop_req, input_message_buffer,
+- conf_state, output_message_buffer));
++ conf_req_flag, qop_req, input_message_buffer,
++ conf_state, output_message_buffer));
+ }
+
+ OM_uint32
+@@ -1771,8 +1771,8 @@ gss_unseal(OM_uint32 *minor_status,
+ int *qop_state)
+ {
+ return((*p_krb5_gss_unseal)(minor_status, context_handle,
+- input_message_buffer, output_message_buffer,
+- conf_state, qop_state));
++ input_message_buffer, output_message_buffer,
++ conf_state, qop_state));
+ }
+
+ #endif
+diff --git a/myproxy/source/myproxy.c b/myproxy/source/myproxy.c
+index 963449d6a..89ab0a306 100644
+--- a/myproxy/source/myproxy.c
++++ b/myproxy/source/myproxy.c
+@@ -898,16 +898,16 @@ myproxy_authenticate_init(myproxy_socket_attrs_t *attrs,
+ int s;
+ OM_uint32 major_status, minor_status;
+
+- fqhn = GSI_SOCKET_get_peer_hostname(attrs->gsi_socket);
+- if (!fqhn) {
+- GSI_SOCKET_get_error_string(attrs->gsi_socket, error_string,
+- sizeof(error_string));
+- verror_put_string("Error getting name of remote party: %s\n",
+- error_string);
+- goto error;
+- }
+- for (s = 0; s < (sizeof services)/(sizeof *services); s++)
+- {
++ fqhn = GSI_SOCKET_get_peer_hostname(attrs->gsi_socket);
++ if (!fqhn) {
++ GSI_SOCKET_get_error_string(attrs->gsi_socket, error_string,
++ sizeof(error_string));
++ verror_put_string("Error getting name of remote party: %s\n",
++ error_string);
++ goto error;
++ }
++ for (s = 0; s < (sizeof services)/(sizeof *services); s++)
++ {
+ name_buf.value = globus_common_create_string("%s@%s",
+ services[s], fqhn);
+ name_buf.length = strlen(name_buf.value);
+@@ -917,9 +917,9 @@ myproxy_authenticate_init(myproxy_socket_attrs_t *attrs,
+ &name_buf,
+ GSS_C_NT_HOSTBASED_SERVICE,
+ &accepted_peer_names[s]);
+- }
++ }
+
+- free(fqhn);
++ free(fqhn);
+ }
+ }
+
+diff --git a/myproxy/source/myproxy_alcf.c b/myproxy/source/myproxy_alcf.c
+index 308fd3498..61c1cbeef 100644
+--- a/myproxy/source/myproxy_alcf.c
++++ b/myproxy/source/myproxy_alcf.c
+@@ -5,10 +5,10 @@
+ *
+ */
+
+-#include "myproxy_common.h" /* all needed headers included here */
++#include "myproxy_common.h" /* all needed headers included here */
+
+ #define MYPROXY_DEFAULT_PROXY "/tmp/myproxy-proxy"
+-#define SECONDS_PER_HOUR (60 * 60)
++#define SECONDS_PER_HOUR (60 * 60)
+ static int dn_as_username = 0;
+
+ static char usage[] = \
+@@ -26,7 +26,7 @@ static char usage[] = \
+ " -c | --certfile <filename> Certificate file name\n"
+ " -y | --keyfile <filename> Key file name\n"
+ " -l | --username <username> Username for the delegated proxy\n"
+-" -t | --proxy_lifetime <hours> Lifetime of proxies delegated by\n"
++" -t | --proxy_lifetime <hours> Lifetime of proxies delegated by\n"
+ " server (default 12 hours)\n"
+ " -a | --allow_anonymous_retrievers Allow credentials to be retrieved\n"
+ " with just username/passphrase\n"
+@@ -55,8 +55,8 @@ struct option long_options[] =
+ {
+ {"help", no_argument, NULL, 'h'},
+ {"usage", no_argument, NULL, 'u'},
+- {"certfile", required_argument, NULL, 'c'},
+- {"keyfile", required_argument, NULL, 'y'},
++ {"certfile", required_argument, NULL, 'c'},
++ {"keyfile", required_argument, NULL, 'y'},
+ {"proxy_lifetime", required_argument, NULL, 't'},
+ {"storage", required_argument, NULL, 's'},
+ {"username", required_argument, NULL, 'l'},
+@@ -68,9 +68,9 @@ struct option long_options[] =
+ {"retrievable_by", required_argument, NULL, 'r'},
+ {"renewable_by", required_argument, NULL, 'R'},
+ {"regex_dn_match", no_argument, NULL, 'x'},
+- {"match_cn_only", no_argument, NULL, 'X'},
+- {"credname", required_argument, NULL, 'k'},
+- {"creddesc", required_argument, NULL, 'K'},
++ {"match_cn_only", no_argument, NULL, 'X'},
++ {"credname", required_argument, NULL, 'k'},
++ {"creddesc", required_argument, NULL, 'K'},
+ {"retrievable_by_cert", required_argument, NULL, 'Z'},
+ {"retrieve_key", required_argument, NULL, 'E'},
+ {0, 0, 0, 0}
+@@ -90,7 +90,7 @@ static char version[] =
+
+ void init_arguments(int argc, char *argv[], myproxy_creds_t *my_creds);
+ int makeproxy(const char certfile[], const char keyfile[],
+- const char proxyfile[]);
++ const char proxyfile[]);
+ int get_storage_dir_owner(uid_t *owner);
+
+ int main(int argc, char *argv[])
+@@ -101,10 +101,10 @@ int main(int argc, char *argv[])
+
+ /* check library version */
+ if (myproxy_check_version()) {
+- fprintf(stderr, "MyProxy library version mismatch.\n"
+- "Expecting %s. Found %s.\n",
+- MYPROXY_VERSION_DATE, myproxy_version(0,0,0));
+- exit(1);
++ fprintf(stderr, "MyProxy library version mismatch.\n"
++ "Expecting %s. Found %s.\n",
++ MYPROXY_VERSION_DATE, myproxy_version(0,0,0));
++ exit(1);
+ }
+
+ myproxy_log_use_stream (stderr);
+@@ -112,61 +112,61 @@ int main(int argc, char *argv[])
+ init_arguments (argc, argv, &my_creds);
+
+ if (certfile == NULL) {
+- fprintf (stderr, "Specify certificate file with -c option\n");
+- fprintf(stderr, "%s", usage);
+- goto cleanup;
++ fprintf (stderr, "Specify certificate file with -c option\n");
++ fprintf(stderr, "%s", usage);
++ goto cleanup;
+ }
+
+ if (keyfile == NULL) {
+- fprintf (stderr, "Specify key file with -y option\n");
+- fprintf(stderr, "%s", usage);
+- goto cleanup;
++ fprintf (stderr, "Specify key file with -y option\n");
++ fprintf(stderr, "%s", usage);
++ goto cleanup;
+ }
+
+ sprintf(proxyfile, "%s.%u.%u", MYPROXY_DEFAULT_PROXY,
+- (unsigned)getuid(), (unsigned)getpid());
++ (unsigned)getuid(), (unsigned)getpid());
+ /* Remove proxyfile if it already exists. */
+ ssl_proxy_file_destroy(proxyfile);
+ verror_clear();
+
+ if (makeproxy(certfile, keyfile, proxyfile) < 0) {
+- fprintf(stderr, "Failed to create temporary credentials file.\n");
+- goto cleanup;
++ fprintf(stderr, "Failed to create temporary credentials file.\n");
++ goto cleanup;
+ }
+-
++
+ if (my_creds.username == NULL) { /* set default username */
+- if (dn_as_username) {
+- if (ssl_get_base_subject_file(proxyfile,
+- &my_creds.username)) {
+- fprintf(stderr,
+- "Cannot get subject name from your certificate\n");
+- goto cleanup;
+- }
+- } else {
+- char *username = NULL;
+- if (!(username = getenv("LOGNAME"))) {
+- fprintf(stderr, "Please specify a username.\n");
+- goto cleanup;
+- }
+- my_creds.username = strdup(username);
+- }
++ if (dn_as_username) {
++ if (ssl_get_base_subject_file(proxyfile,
++ &my_creds.username)) {
++ fprintf(stderr,
++ "Cannot get subject name from your certificate\n");
++ goto cleanup;
++ }
++ } else {
++ char *username = NULL;
++ if (!(username = getenv("LOGNAME"))) {
++ fprintf(stderr, "Please specify a username.\n");
++ goto cleanup;
++ }
++ my_creds.username = strdup(username);
++ }
+ }
+
+ if (ssl_get_base_subject_file(proxyfile,
+- &my_creds.owner_name)) {
+- fprintf(stderr,
+- "Cannot get subject name from certificate.\n");
+- goto cleanup;
++ &my_creds.owner_name)) {
++ fprintf(stderr,
++ "Cannot get subject name from certificate.\n");
++ goto cleanup;
+ }
+ my_creds.location = strdup(proxyfile);
+
+ if (myproxy_creds_store(&my_creds) < 0) {
+- myproxy_log_verror();
+- fprintf (stderr, "Unable to store credentials. %s\n",
+- verror_get_string());
++ myproxy_log_verror();
++ fprintf (stderr, "Unable to store credentials. %s\n",
++ verror_get_string());
+ goto cleanup;
+ } else {
+- fprintf (stdout, "Credential stored successfully\n");
++ fprintf (stdout, "Credential stored successfully\n");
+ }
+
+ rval = 0;
+@@ -176,9 +176,9 @@ int main(int argc, char *argv[])
+ }
+
+
+-void
+-init_arguments(int argc,
+- char *argv[], myproxy_creds_t *my_creds)
++void
++init_arguments(int argc,
++ char *argv[], myproxy_creds_t *my_creds)
+ {
+ extern char *optarg;
+ int arg;
+@@ -186,176 +186,176 @@ init_arguments(int argc,
+
+ my_creds->lifetime = SECONDS_PER_HOUR * MYPROXY_DEFAULT_DELEG_HOURS;
+
+- while((arg = getopt_long(argc, argv, short_options,
+- long_options, NULL)) != EOF)
++ while((arg = getopt_long(argc, argv, short_options,
++ long_options, NULL)) != EOF)
+ {
+- switch(arg)
+- {
++ switch(arg)
++ {
+ case 's': /* set the credential storage directory */
+- myproxy_set_storage_dir(optarg);
++ myproxy_set_storage_dir(optarg);
+ storage_dir = optarg;
+- break;
+-
+- case 'c': /* credential file name*/
+- certfile = strdup (optarg);
+- break;
+- case 'y': /* key file name */
+- keyfile = strdup (optarg);
+- break;
+- case 'u': /* print help and exit */
++ break;
++
++ case 'c': /* credential file name*/
++ certfile = strdup (optarg);
++ break;
++ case 'y': /* key file name */
++ keyfile = strdup (optarg);
++ break;
++ case 'u': /* print help and exit */
+ printf("%s", usage);
+ exit(0);
+- break;
+- case 't': /* Specify proxy lifetime in hours */
+- my_creds->lifetime = SECONDS_PER_HOUR * atoi(optarg);
+- break;
+- case 'h': /* print help and exit */
++ break;
++ case 't': /* Specify proxy lifetime in hours */
++ my_creds->lifetime = SECONDS_PER_HOUR * atoi(optarg);
++ break;
++ case 'h': /* print help and exit */
+ printf("%s", usage);
+ exit(0);
+ break;
+- case 'l': /* username */
+- my_creds->username = strdup (optarg);
+- break;
+- case 'v': /* verbose */
+- myproxy_debug_set_level(1);
+- break;
++ case 'l': /* username */
++ my_creds->username = strdup (optarg);
++ break;
++ case 'v': /* verbose */
++ myproxy_debug_set_level(1);
++ break;
+ case 'V': /* print version and exit */
+ printf("%s", version);
+ exit(0);
+ break;
+-
+-
+- case 'r': /* retrievers list */
+- if (my_creds->renewers) {
+- fprintf(stderr, "-r is incompatible with -A and -R. A credential may not be used for both\nretrieval and renewal. If both are desired, upload multiple credentials with\ndifferent names, using the -k option.\n");
+- exit(1);
+- }
+- if (my_creds->retrievers) {
+- fprintf(stderr, "Only one -a or -r option may be specified.\n");
+- exit(1);
+- }
+- if (expr_type == REGULAR_EXP) /*copy as is */
+- my_creds->retrievers = strdup (optarg);
+- else
+- {
+- my_creds->retrievers = (char *)malloc(strlen(optarg)+6);
+- strcpy (my_creds->retrievers, "*/CN=");
+- my_creds->retrievers = strcat(my_creds->retrievers,
+- optarg);
+- myproxy_debug("authorized retriever %s",
+- my_creds->retrievers);
+- }
+- break;
+- case 'Z': /* retrievers list */
+- if (my_creds->trusted_retrievers) {
+- fprintf(stderr, "Only one -Z option may be specified.\n");
+- exit(1);
+- }
+- if (expr_type == REGULAR_EXP) /*copy as is */
+- my_creds->trusted_retrievers = strdup (optarg);
+- else
+- {
+- my_creds->trusted_retrievers = (char *)malloc(strlen(optarg)+6);
+- strcpy (my_creds->trusted_retrievers, "*/CN=");
+- my_creds->trusted_retrievers = strcat(my_creds->trusted_retrievers,
+- optarg);
+- myproxy_debug("trusted retriever %s",
+- my_creds->trusted_retrievers);
+- }
+- break;
+- case 'R': /* renewers list */
+- if (my_creds->retrievers) {
+- fprintf(stderr, "-R is incompatible with -a and -r. A credential may not be used for both\nretrieval and renewal. If both are desired, upload multiple credentials with\ndifferent names, using the -k option.\n");
+- exit(1);
+- }
+- if (my_creds->renewers) {
+- fprintf(stderr, "Only one -A or -R option may be specified.\n");
+- exit(1);
+- }
+- if (expr_type == REGULAR_EXP) /*copy as is */
+- my_creds->renewers = strdup (optarg);
+- else
+- {
+- my_creds->renewers = (char *)malloc(strlen(optarg)+6);
+- strcpy (my_creds->renewers, "*/CN=");
+- my_creds->renewers = strcat (my_creds->renewers,optarg);
+- myproxy_debug("authorized renewer %s",
+- my_creds->renewers);
+- }
+- break;
+- case 'd': /* use the certificate subject (DN) as the default
+- username instead of LOGNAME */
+- dn_as_username = 1;
+- break;
+- case 'x': /*set expression type to regex*/
+- expr_type = REGULAR_EXP;
+- myproxy_debug("expr-type = regex");
+- break;
+- case 'X': /*set expression type to common name*/
+- expr_type = MATCH_CN_ONLY;
+- myproxy_debug("expr-type = CN");
+- break;
+- case 'a': /*allow anonymous retrievers*/
+- if (my_creds->renewers) {
+- fprintf(stderr, "-a is incompatible with -A and -R. A credential may not be used for both\nretrieval and renewal. If both are desired, upload multiple credentials with\ndifferent names, using the -k option.\n");
+- exit(1);
+- }
+- if (my_creds->retrievers) {
+- fprintf(stderr, "Only one -a or -r option may be specified.\n");
+- exit(1);
+- }
+- my_creds->retrievers = strdup ("*");
+- myproxy_debug("anonymous retrievers allowed");
+- break;
+- case 'A': /*allow anonymous renewers*/
+- if (my_creds->retrievers) {
+- fprintf(stderr, "-A is incompatible with -a and -r. A credential may not be used for both\nretrieval and renewal. If both are desired, upload multiple credentials with\ndifferent names, using the -k option.\n");
+- exit(1);
+- }
+- if (my_creds->renewers) {
+- fprintf(stderr, "Only one -A or -R option may be specified.\n");
+- exit(1);
+- }
+- my_creds->renewers = strdup ("*");
+- myproxy_debug("anonymous renewers allowed");
+- break;
+- case 'E' : /* key retriever list */
+- if (expr_type == REGULAR_EXP) {
+- /* Copy as is */
+- my_creds->keyretrieve = strdup(optarg);
+- } else {
+- my_creds->keyretrieve =
+- (char *) malloc(strlen(optarg) + 6);
+- strcpy(my_creds->keyretrieve, "*/CN=");
+- my_creds->keyretrieve =
+- strcat(my_creds->keyretrieve, optarg);
+- myproxy_debug("authorized key retriever %s",
+- my_creds->keyretrieve);
+- }
+- break;
+- case 'k': /*credential name*/
+- my_creds->credname = strdup (optarg);
+- break;
+- case 'K': /*credential description*/
+- my_creds->creddesc = strdup (optarg);
+- break;
+-
+- default: /* print usage and exit */
++
++
++ case 'r': /* retrievers list */
++ if (my_creds->renewers) {
++ fprintf(stderr, "-r is incompatible with -A and -R. A credential may not be used for both\nretrieval and renewal. If both are desired, upload multiple credentials with\ndifferent names, using the -k option.\n");
++ exit(1);
++ }
++ if (my_creds->retrievers) {
++ fprintf(stderr, "Only one -a or -r option may be specified.\n");
++ exit(1);
++ }
++ if (expr_type == REGULAR_EXP) /*copy as is */
++ my_creds->retrievers = strdup (optarg);
++ else
++ {
++ my_creds->retrievers = (char *)malloc(strlen(optarg)+6);
++ strcpy (my_creds->retrievers, "*/CN=");
++ my_creds->retrievers = strcat(my_creds->retrievers,
++ optarg);
++ myproxy_debug("authorized retriever %s",
++ my_creds->retrievers);
++ }
++ break;
++ case 'Z': /* retrievers list */
++ if (my_creds->trusted_retrievers) {
++ fprintf(stderr, "Only one -Z option may be specified.\n");
++ exit(1);
++ }
++ if (expr_type == REGULAR_EXP) /*copy as is */
++ my_creds->trusted_retrievers = strdup (optarg);
++ else
++ {
++ my_creds->trusted_retrievers = (char *)malloc(strlen(optarg)+6);
++ strcpy (my_creds->trusted_retrievers, "*/CN=");
++ my_creds->trusted_retrievers = strcat(my_creds->trusted_retrievers,
++ optarg);
++ myproxy_debug("trusted retriever %s",
++ my_creds->trusted_retrievers);
++ }
++ break;
++ case 'R': /* renewers list */
++ if (my_creds->retrievers) {
++ fprintf(stderr, "-R is incompatible with -a and -r. A credential may not be used for both\nretrieval and renewal. If both are desired, upload multiple credentials with\ndifferent names, using the -k option.\n");
++ exit(1);
++ }
++ if (my_creds->renewers) {
++ fprintf(stderr, "Only one -A or -R option may be specified.\n");
++ exit(1);
++ }
++ if (expr_type == REGULAR_EXP) /*copy as is */
++ my_creds->renewers = strdup (optarg);
++ else
++ {
++ my_creds->renewers = (char *)malloc(strlen(optarg)+6);
++ strcpy (my_creds->renewers, "*/CN=");
++ my_creds->renewers = strcat (my_creds->renewers,optarg);
++ myproxy_debug("authorized renewer %s",
++ my_creds->renewers);
++ }
++ break;
++ case 'd': /* use the certificate subject (DN) as the default
++ username instead of LOGNAME */
++ dn_as_username = 1;
++ break;
++ case 'x': /*set expression type to regex*/
++ expr_type = REGULAR_EXP;
++ myproxy_debug("expr-type = regex");
++ break;
++ case 'X': /*set expression type to common name*/
++ expr_type = MATCH_CN_ONLY;
++ myproxy_debug("expr-type = CN");
++ break;
++ case 'a': /*allow anonymous retrievers*/
++ if (my_creds->renewers) {
++ fprintf(stderr, "-a is incompatible with -A and -R. A credential may not be used for both\nretrieval and renewal. If both are desired, upload multiple credentials with\ndifferent names, using the -k option.\n");
++ exit(1);
++ }
++ if (my_creds->retrievers) {
++ fprintf(stderr, "Only one -a or -r option may be specified.\n");
++ exit(1);
++ }
++ my_creds->retrievers = strdup ("*");
++ myproxy_debug("anonymous retrievers allowed");
++ break;
++ case 'A': /*allow anonymous renewers*/
++ if (my_creds->retrievers) {
++ fprintf(stderr, "-A is incompatible with -a and -r. A credential may not be used for both\nretrieval and renewal. If both are desired, upload multiple credentials with\ndifferent names, using the -k option.\n");
++ exit(1);
++ }
++ if (my_creds->renewers) {
++ fprintf(stderr, "Only one -A or -R option may be specified.\n");
++ exit(1);
++ }
++ my_creds->renewers = strdup ("*");
++ myproxy_debug("anonymous renewers allowed");
++ break;
++ case 'E' : /* key retriever list */
++ if (expr_type == REGULAR_EXP) {
++ /* Copy as is */
++ my_creds->keyretrieve = strdup(optarg);
++ } else {
++ my_creds->keyretrieve =
++ (char *) malloc(strlen(optarg) + 6);
++ strcpy(my_creds->keyretrieve, "*/CN=");
++ my_creds->keyretrieve =
++ strcat(my_creds->keyretrieve, optarg);
++ myproxy_debug("authorized key retriever %s",
++ my_creds->keyretrieve);
++ }
++ break;
++ case 'k': /*credential name*/
++ my_creds->credname = strdup (optarg);
++ break;
++ case 'K': /*credential description*/
++ my_creds->creddesc = strdup (optarg);
++ break;
++
++ default: /* print usage and exit */
+ fprintf(stderr, "%s", usage);
+- exit(1);
+- break;
++ exit(1);
++ break;
+ }
+ }
+ if (optind != argc) {
+- fprintf(stderr, "%s: invalid option -- %s\n", argv[0],
+- argv[optind]);
+- fprintf(stderr, "%s", usage);
+- exit(1);
++ fprintf(stderr, "%s: invalid option -- %s\n", argv[0],
++ argv[optind]);
++ fprintf(stderr, "%s", usage);
++ exit(1);
+ }
+ }
+
+ int makeproxy(const char certfile[], const char keyfile[],
+- const char proxyfile[])
++ const char proxyfile[])
+ {
+ static char BEGINCERT[] = "-----BEGIN CERTIFICATE-----";
+ static char ENDCERT[] = "-----END CERTIFICATE-----";
+@@ -372,14 +372,14 @@ int makeproxy(const char certfile[], const char keyfile[],
+
+ /* Read the certificate(s) into a buffer. */
+ if (buffer_from_file(certfile, &certbuf, NULL) < 0) {
+- fprintf(stderr, "Failed to read %s\n", certfile);
+- goto cleanup;
++ fprintf(stderr, "Failed to read %s\n", certfile);
++ goto cleanup;
+ }
+
+ /* Read the key into a buffer. */
+ if (buffer_from_file(keyfile, &keybuf, NULL) < 0) {
+- fprintf(stderr, "Failed to read %s\n", keyfile);
+- goto cleanup;
++ fprintf(stderr, "Failed to read %s\n", keyfile);
++ goto cleanup;
+ }
+
+ /* special case: run as root w/ non-root storage dir */
+@@ -390,96 +390,96 @@ int makeproxy(const char certfile[], const char keyfile[],
+
+ /* Open the output file. */
+ if ((fd = open(proxyfile, O_CREAT | O_EXCL | O_WRONLY,
+- S_IRUSR | S_IWUSR)) < 0) {
+- fprintf(stderr, "open(%s) failed: %s\n", proxyfile, strerror(errno));
+- goto cleanup;
++ S_IRUSR | S_IWUSR)) < 0) {
++ fprintf(stderr, "open(%s) failed: %s\n", proxyfile, strerror(errno));
++ goto cleanup;
+ }
+
+ /* Write the first certificate. */
+ if ((certstart = strstr((const char *)certbuf, BEGINCERT)) == NULL) {
+- fprintf(stderr, "%s doesn't contain '%s'.\n", certfile, BEGINCERT);
+- goto cleanup;
++ fprintf(stderr, "%s doesn't contain '%s'.\n", certfile, BEGINCERT);
++ goto cleanup;
+ }
+
+ if ((certend = strstr((const char *)certstart, ENDCERT)) == NULL) {
+- fprintf(stderr, "%s doesn't contain '%s'.\n", certfile, ENDCERT);
+- goto cleanup;
++ fprintf(stderr, "%s doesn't contain '%s'.\n", certfile, ENDCERT);
++ goto cleanup;
+ }
+ certend += strlen(ENDCERT);
+ size = certend-certstart;
+
+ while (size) {
+- if ((rval = write(fd, certstart, size)) < 0) {
+- perror("write");
+- goto cleanup;
+- }
+- size -= rval;
+- certstart += rval;
++ if ((rval = write(fd, certstart, size)) < 0) {
++ perror("write");
++ goto cleanup;
++ }
++ size -= rval;
++ certstart += rval;
+ }
+ if (write(fd, "\n", 1) < 0) {
+- perror("write");
+- goto cleanup;
++ perror("write");
++ goto cleanup;
+ }
+
+ /* Write the key. */
+ if ((keystart = strstr((const char *)keybuf, BEGINKEY1)) == NULL
+- && (keystart = strstr((const char *)keybuf, BEGINKEY2)) == NULL
+- && (keystart = strstr((const char *)keybuf, BEGINKEY3)) == NULL) {
+- fprintf(stderr, "%s doesn't contain '%s' nor '%s' nor '%s'.\n", keyfile,
+- BEGINKEY1, BEGINKEY2, BEGINKEY3);
+- goto cleanup;
++ && (keystart = strstr((const char *)keybuf, BEGINKEY2)) == NULL
++ && (keystart = strstr((const char *)keybuf, BEGINKEY3)) == NULL) {
++ fprintf(stderr, "%s doesn't contain '%s' nor '%s' nor '%s'.\n", keyfile,
++ BEGINKEY1, BEGINKEY2, BEGINKEY3);
++ goto cleanup;
+ }
+
+ if ((keyend = strstr((const char *)keystart, ENDKEY1)) != NULL)
+- keyend += strlen(ENDKEY1);
++ keyend += strlen(ENDKEY1);
+ else if ((keyend = strstr((const char *)keystart, ENDKEY2)) != NULL)
+- keyend += strlen(ENDKEY2);
++ keyend += strlen(ENDKEY2);
+ else if ((keyend = strstr((const char *)keystart, ENDKEY3)) != NULL)
+- keyend += strlen(ENDKEY3);
++ keyend += strlen(ENDKEY3);
+ else {
+- fprintf(stderr, "%s doesn't contain '%s' nor '%s' nor '%s'.\n", keyfile,
+- ENDKEY1, ENDKEY2, ENDKEY3);
+- goto cleanup;
++ fprintf(stderr, "%s doesn't contain '%s' nor '%s' nor '%s'.\n", keyfile,
++ ENDKEY1, ENDKEY2, ENDKEY3);
++ goto cleanup;
+ }
+
+ size = keyend-keystart;
+
+ while (size) {
+- if ((rval = write(fd, keystart, size)) < 0) {
+- perror("write");
+- goto cleanup;
+- }
+- size -= rval;
+- keystart += rval;
++ if ((rval = write(fd, keystart, size)) < 0) {
++ perror("write");
++ goto cleanup;
++ }
++ size -= rval;
++ keystart += rval;
+ }
+ if (write(fd, "\n", 1) < 0) {
+- perror("write");
+- goto cleanup;
++ perror("write");
++ goto cleanup;
+ }
+
+ /* Write any remaining certificates. */
+ while ((certstart = strstr((const char *)certstart, BEGINCERT)) != NULL) {
+
+- if ((certend = strstr((const char *)certstart, ENDCERT)) == NULL) {
+- fprintf(stderr, "Can't find matching '%s' in %s.\n", ENDCERT,
+- certfile);
+- goto cleanup;
+- }
+- certend += strlen(ENDCERT);
+- size = certend-certstart;
+-
+- while (size) {
+- if ((rval = write(fd, certstart, size)) < 0) {
+- perror("write");
+- goto cleanup;
+- }
+- size -= rval;
+- certstart += rval;
+- }
+- if (write(fd, "\n", 1) < 0) {
+- perror("write");
+- goto cleanup;
+- }
++ if ((certend = strstr((const char *)certstart, ENDCERT)) == NULL) {
++ fprintf(stderr, "Can't find matching '%s' in %s.\n", ENDCERT,
++ certfile);
++ goto cleanup;
++ }
++ certend += strlen(ENDCERT);
++ size = certend-certstart;
++
++ while (size) {
++ if ((rval = write(fd, certstart, size)) < 0) {
++ perror("write");
++ goto cleanup;
++ }
++ size -= rval;
++ certstart += rval;
++ }
++ if (write(fd, "\n", 1) < 0) {
++ perror("write");
++ goto cleanup;
++ }
+ }
+
+ return_value = 0;
+diff --git a/myproxy/source/myproxy_get_credential.c b/myproxy/source/myproxy_get_credential.c
+index 298856dbf..d1d15f386 100644
+--- a/myproxy/source/myproxy_get_credential.c
++++ b/myproxy/source/myproxy_get_credential.c
+@@ -4,7 +4,7 @@
+ * Webserver program to retrieve a end-entity credential from a myproxy-server
+ */
+
+-#include "myproxy_common.h" /* all needed headers included here */
++#include "myproxy_common.h" /* all needed headers included here */
+
+ #ifndef MAXPATHLEN
+ #define MAXPATHLEN 4096
+@@ -48,7 +48,7 @@ struct option long_options[] =
+ {"version", no_argument, NULL, 'V'},
+ {"authorization", required_argument, NULL, 'r'},
+ {"dn_as_username", no_argument, NULL, 'd'},
+- {"credname", required_argument, NULL, 'k'},
++ {"credname", required_argument, NULL, 'k'},
+ {"stdin_pass", no_argument, NULL, 'S'},
+ {"no_passphrase", no_argument, NULL, 'n'},
+ {"certfile", required_argument, NULL, 'c'},
+@@ -62,11 +62,11 @@ static char short_options[] = "hus:p:l:t:c:y:vVa:dk:SnT";
+ static char version[] =
+ "myproxy-retrieve version " MYPROXY_VERSION " (" MYPROXY_VERSION_DATE ") " "\n";
+
+-void
+-init_arguments(int argc, char *argv[],
+- myproxy_socket_attrs_t *attrs,
+- myproxy_request_t *request);
+-
++void
++init_arguments(int argc, char *argv[],
++ myproxy_socket_attrs_t *attrs,
++ myproxy_request_t *request);
++
+ int
+ store_credential( char *delegfile,
+ char *certfile,
+@@ -92,7 +92,7 @@ mkpath( char *path );
+ * Use setvbuf() instead of setlinebuf() since cygwin doesn't support
+ * setlinebuf().
+ */
+-#define my_setlinebuf(stream) setvbuf((stream), (char *) NULL, _IOLBF, 0)
++#define my_setlinebuf(stream) setvbuf((stream), (char *) NULL, _IOLBF, 0)
+
+ /* location of delegated proxy */
+ static char *certfile = NULL; /* certificate file name */
+@@ -102,8 +102,8 @@ static int read_passwd_from_stdin = 0;
+ static int use_empty_passwd = 0;
+
+ int
+-main(int argc, char *argv[])
+-{
++main(int argc, char *argv[])
++{
+ myproxy_socket_attrs_t *socket_attrs;
+ myproxy_request_t *client_request;
+ myproxy_response_t *server_response;
+@@ -116,10 +116,10 @@ main(int argc, char *argv[])
+
+ /* check library version */
+ if (myproxy_check_version()) {
+- fprintf(stderr, "MyProxy library version mismatch.\n"
+- "Expecting %s. Found %s.\n",
+- MYPROXY_VERSION_DATE, myproxy_version(0,0,0));
+- exit(1);
++ fprintf(stderr, "MyProxy library version mismatch.\n"
++ "Expecting %s. Found %s.\n",
++ MYPROXY_VERSION_DATE, myproxy_version(0,0,0));
++ exit(1);
+ }
+
+ myproxy_log_use_stream (stderr);
+@@ -154,36 +154,36 @@ main(int argc, char *argv[])
+ }
+
+ if (getuid() == 0) {
+- get_host_credential_filenames( &certfile, &keyfile );
++ get_host_credential_filenames( &certfile, &keyfile );
+ } else {
+- get_user_credential_filenames( &certfile, &keyfile );
++ get_user_credential_filenames( &certfile, &keyfile );
+ }
+
+ /* Initialize client arguments and create client request object */
+ init_arguments(argc, argv, socket_attrs, client_request);
+
+ if (!certfile && !keyfile) {
+- fprintf(stderr, "Unable to determine credential output locations.\n"
+- "Use --certfile and --keyfile options.\n");
+- goto error;
++ fprintf(stderr, "Unable to determine credential output locations.\n"
++ "Use --certfile and --keyfile options.\n");
++ goto error;
+ } else if (!certfile) {
+- fprintf(stderr, "Unable to determine certificate output location.\n"
+- "Use --certfile option.\n");
+- goto error;
++ fprintf(stderr, "Unable to determine certificate output location.\n"
++ "Use --certfile option.\n");
++ goto error;
+ } else if (!keyfile) {
+- fprintf(stderr, "Unable to determine private key output location.\n"
+- "Use --keyfile option.\n");
+- goto error;
++ fprintf(stderr, "Unable to determine private key output location.\n"
++ "Use --keyfile option.\n");
++ goto error;
+ }
+
+ if (access(certfile, F_OK) == 0) {
+- fprintf(stderr, "%s exists.\n", certfile);
+- goto error;
++ fprintf(stderr, "%s exists.\n", certfile);
++ goto error;
+ }
+
+ if (access(keyfile, F_OK) == 0) {
+- fprintf(stderr, "%s exists.\n", keyfile);
+- goto error;
++ fprintf(stderr, "%s exists.\n", keyfile);
++ goto error;
+ }
+
+ /* Bootstrap trusted certificate directory if none exists. */
+@@ -205,7 +205,7 @@ main(int argc, char *argv[])
+ verror_print_error(stderr);
+ goto error;
+ }
+-
++
+ /* Attempt anonymous-mode credential retrieval if we don't have a
+ credential. */
+ GSI_SOCKET_allow_anonymous(socket_attrs->gsi_socket, 1);
+@@ -239,60 +239,60 @@ main(int argc, char *argv[])
+
+ if (!use_empty_passwd) {
+ /* Allow user to provide a passphrase */
+- int rval;
+- if (read_passwd_from_stdin) {
+- rval = myproxy_read_passphrase_stdin(
+- client_request->passphrase,
+- sizeof(client_request->passphrase),
+- NULL);
+- } else {
+- rval = myproxy_read_passphrase(client_request->passphrase,
+- sizeof(client_request->passphrase),
+- NULL);
+- }
+- if (rval == -1) {
+- verror_print_error(stderr);
++ int rval;
++ if (read_passwd_from_stdin) {
++ rval = myproxy_read_passphrase_stdin(
++ client_request->passphrase,
++ sizeof(client_request->passphrase),
++ NULL);
++ } else {
++ rval = myproxy_read_passphrase(client_request->passphrase,
++ sizeof(client_request->passphrase),
++ NULL);
++ }
++ if (rval == -1) {
++ verror_print_error(stderr);
+ goto error;
+- }
++ }
+ }
+
+ if (client_request->username == NULL) { /* set default username */
+- if (dn_as_username) {
+- if (client_request->authzcreds) {
+- if (ssl_get_base_subject_file(client_request->authzcreds,
+- &client_request->username)) {
+- fprintf(stderr, "Cannot get subject name from %s\n",
+- client_request->authzcreds);
++ if (dn_as_username) {
++ if (client_request->authzcreds) {
++ if (ssl_get_base_subject_file(client_request->authzcreds,
++ &client_request->username)) {
++ fprintf(stderr, "Cannot get subject name from %s\n",
++ client_request->authzcreds);
+ goto error;
+- }
+- } else {
+- if (ssl_get_base_subject_file(NULL,
+- &client_request->username)) {
+- fprintf(stderr,
+- "Cannot get subject name from your certificate\n");
++ }
++ } else {
++ if (ssl_get_base_subject_file(NULL,
++ &client_request->username)) {
++ fprintf(stderr,
++ "Cannot get subject name from your certificate\n");
+ goto error;
+- }
+- }
+- } else {
+- char *username = NULL;
+- if (!(username = getenv("LOGNAME"))) {
+- fprintf(stderr, "Please specify a username.\n");
++ }
++ }
++ } else {
++ char *username = NULL;
++ if (!(username = getenv("LOGNAME"))) {
++ fprintf(stderr, "Please specify a username.\n");
+ goto error;
+- }
+- client_request->username = strdup(username);
+- }
++ }
++ client_request->username = strdup(username);
++ }
+ }
+
+ /* Serialize client request object */
+ requestlen = myproxy_serialize_request_ex(client_request, &request_buffer);
+ if (requestlen < 0) {
+- verror_print_error(stderr);
++ verror_print_error(stderr);
+ goto error;
+ }
+
+ /* Send request to the myproxy-server */
+ if (myproxy_send(socket_attrs, request_buffer, requestlen) < 0) {
+- verror_print_error(stderr);
++ verror_print_error(stderr);
+ goto error;
+ }
+ free(request_buffer);
+@@ -308,8 +308,8 @@ main(int argc, char *argv[])
+ /* Accept delegated credentials from server */
+ deletefile = 1;
+ if (myproxy_accept_credentials(socket_attrs, delegfile,
+- sizeof(delegfile)) < 0) {
+- verror_print_error(stderr);
++ sizeof(delegfile)) < 0) {
++ verror_print_error(stderr);
+ goto error;
+ }
+
+@@ -338,22 +338,22 @@ main(int argc, char *argv[])
+ /* Store file in trusted directory if requested and returned */
+ if (client_request->want_trusted_certs) {
+ if (server_response->trusted_certs != NULL) {
+- if (myproxy_install_trusted_cert_files(server_response->trusted_certs) != 0) {
+- verror_print_error(stderr);
+- goto error;
++ if (myproxy_install_trusted_cert_files(server_response->trusted_certs) != 0) {
++ verror_print_error(stderr);
++ goto error;
+ } else {
+- char *path;
+- path = get_trusted_certs_path();
++ char *path;
++ path = get_trusted_certs_path();
+ if (path) {
+ printf("Trust roots have been installed in %s.\n", path);
+ free(path);
+ }
+- }
++ }
+ } else {
+ myproxy_debug("Requested trusted certs but didn't get any.\n");
+ }
+ }
+-
++
+ retval = 0;
+
+ error:
+@@ -372,89 +372,89 @@ error:
+ return retval;
+ }
+
+-void
+-init_arguments(int argc,
+- char *argv[],
+- myproxy_socket_attrs_t *attrs,
+- myproxy_request_t *request)
+-{
++void
++init_arguments(int argc,
++ char *argv[],
++ myproxy_socket_attrs_t *attrs,
++ myproxy_request_t *request)
++{
+ extern char *optarg;
+ int arg;
+
+- while((arg = getopt_long(argc, argv, short_options,
+- long_options, NULL)) != EOF)
++ while((arg = getopt_long(argc, argv, short_options,
++ long_options, NULL)) != EOF)
+ {
+- switch(arg)
++ switch(arg)
+ {
+- case 's': /* pshost name */
+- attrs->pshost = strdup(optarg);
++ case 's': /* pshost name */
++ attrs->pshost = strdup(optarg);
+ break;
+- case 'p': /* psport */
++ case 'p': /* psport */
+ attrs->psport = atoi(optarg);
+ break;
+- case 'h': /* print help and exit */
+- case 'u': /* print help and exit */
++ case 'h': /* print help and exit */
++ case 'u': /* print help and exit */
+ printf("%s", usage);
+ exit(0);
+ break;
+- case 'l': /* username */
++ case 'l': /* username */
+ request->username = strdup(optarg);
+ break;
+- case 'a': /* special authorization */
+- request->authzcreds = strdup(optarg);
+- use_empty_passwd = 1;
+- break;
+- case 'n': /* no passphrase */
+- use_empty_passwd = 1;
+- break;
+- case 'v':
+- myproxy_debug_set_level(1);
+- break;
++ case 'a': /* special authorization */
++ request->authzcreds = strdup(optarg);
++ use_empty_passwd = 1;
++ break;
++ case 'n': /* no passphrase */
++ use_empty_passwd = 1;
++ break;
++ case 'v':
++ myproxy_debug_set_level(1);
++ break;
+ case 'V': /* print version and exit */
+ printf("%s", version);
+ exit(0);
+ break;
+- case 'd': /* use the certificate subject (DN) as the default
+- username instead of LOGNAME */
+- dn_as_username = 1;
+- break;
+- case 'k': /* credential name */
+- request->credname = strdup (optarg);
+- break;
+- case 'S':
+- read_passwd_from_stdin = 1;
+- break;
+- case 'T':
+- request->want_trusted_certs = 1;
++ case 'd': /* use the certificate subject (DN) as the default
++ username instead of LOGNAME */
++ dn_as_username = 1;
++ break;
++ case 'k': /* credential name */
++ request->credname = strdup (optarg);
++ break;
++ case 'S':
++ read_passwd_from_stdin = 1;
++ break;
++ case 'T':
++ request->want_trusted_certs = 1;
+ myproxy_debug("Requesting trusted certificates.\n");
+- break;
++ break;
+ case 'c': /* credential file name */
+- if (certfile) free(certfile);
++ if (certfile) free(certfile);
+ certfile = strdup(optarg);
+ break;
+ case 'y': /* key file name */
+- if (keyfile) free(keyfile);
++ if (keyfile) free(keyfile);
+ keyfile = strdup(optarg);
+ break;
+- default: /* print usage and exit */
++ default: /* print usage and exit */
+ fprintf(stderr, "%s", usage);
+- exit(1);
+- break;
++ exit(1);
++ break;
+ }
+ }
+
+ /* Check to see if myproxy-server specified */
+ if (attrs->pshost == NULL) {
+- fprintf(stderr, "Unspecified myproxy-server. Set the MYPROXY_SERVER environment variable to\nthe hostname of the myproxy-server or run with '-s server-hostname'.\n");
+- exit(1);
++ fprintf(stderr, "Unspecified myproxy-server. Set the MYPROXY_SERVER environment variable to\nthe hostname of the myproxy-server or run with '-s server-hostname'.\n");
++ exit(1);
+ }
+
+ return;
+ }
+
+ int
+-store_credential( char *delegfile,
+- char *certfile,
++store_credential( char *delegfile,
++ char *certfile,
+ char *keyfile )
+ {
+ unsigned char *input_buffer = NULL;
+@@ -488,7 +488,7 @@ error:
+ }
+
+ int
+-write_cert( char *path,
++write_cert( char *path,
+ const char *buffer )
+ {
+ int fd = 0;
+@@ -570,7 +570,7 @@ error:
+ }
+
+ int
+-write_key( char *path,
++write_key( char *path,
+ const char *buffer )
+ {
+ int fd = 0;
+@@ -607,24 +607,24 @@ write_key( char *path,
+
+ /* Write the key. */
+ if ((keystart = strstr(buffer, BEGINKEY1)) == NULL
+- && (keystart = strstr(buffer, BEGINKEY2)) == NULL
+- && (keystart = strstr(buffer, BEGINKEY3)) == NULL)
++ && (keystart = strstr(buffer, BEGINKEY2)) == NULL
++ && (keystart = strstr(buffer, BEGINKEY3)) == NULL)
+ {
+ fprintf(stderr, "CREDKEY doesn't contain '%s' nor '%s' nor '%s'.\n",
+- BEGINKEY1, BEGINKEY2, BEGINKEY3);
++ BEGINKEY1, BEGINKEY2, BEGINKEY3);
+ goto error;
+ }
+
+ if ((keyend = strstr(keystart, ENDKEY1)) != NULL)
+- keyend += strlen(ENDKEY1);
++ keyend += strlen(ENDKEY1);
+ else if ((keyend = strstr(keystart, ENDKEY2)) != NULL)
+- keyend += strlen(ENDKEY2);
++ keyend += strlen(ENDKEY2);
+ else if ((keyend = strstr(keystart, ENDKEY3)) != NULL)
+- keyend += strlen(ENDKEY3);
++ keyend += strlen(ENDKEY3);
+ else
+ {
+ fprintf(stderr, "CREDKEY doesn't contain '%s' nor '%s' nor '%s'.\n",
+- ENDKEY1, ENDKEY2, ENDKEY3);
++ ENDKEY1, ENDKEY2, ENDKEY3);
+ goto error;
+ }
+
+diff --git a/myproxy/source/myproxy_ocsp.c b/myproxy/source/myproxy_ocsp.c
+index cd584a3f3..411819852 100644
+--- a/myproxy/source/myproxy_ocsp.c
++++ b/myproxy/source/myproxy_ocsp.c
+@@ -4,19 +4,19 @@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+- * met:
++ * met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+- *
++ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+- *
++ *
+ * 3. Neither the names of the authors nor the names of the
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+@@ -86,7 +86,7 @@ myproxy_ocsp_set_responder_cert(const char *path) {
+ int count;
+ int rval = -1;
+
+- sk_X509_pop_free(responder_cert, X509_free);
++ sk_X509_pop_free(responder_cert, X509_free);
+ responder_cert = NULL;
+
+ in = BIO_new(BIO_s_file());
+@@ -365,7 +365,7 @@ int myproxy_ocsp_verify(X509 *cert, X509 *issuer) {
+ if (!responder_cert ||
+ (rc = OCSP_basic_verify(basic, responder_cert, store,
+ OCSP_TRUSTOTHER)) <= 0)
+- if ((rc = OCSP_basic_verify(basic, NULL, store, 0)) <= 0)
++ if ((rc = OCSP_basic_verify(basic, NULL, store, 0)) <= 0)
+ goto end;
+
+ if (!OCSP_resp_find_status(basic, id, &status, &reason, &producedAt,
+diff --git a/myproxy/source/myproxy_ocsp_aia.c b/myproxy/source/myproxy_ocsp_aia.c
+index 91ee306b1..c01d85e4f 100644
+--- a/myproxy/source/myproxy_ocsp_aia.c
++++ b/myproxy/source/myproxy_ocsp_aia.c
+@@ -37,77 +37,77 @@
+
+ static AUTHORITY_INFO_ACCESS *
+ my_aia_get(X509_EXTENSION *ext) {
+- const X509V3_EXT_METHOD *method = NULL;
+- void *ext_str = NULL;
+- const unsigned char *p;
+- int len;
+-
+- if (ext == NULL) {
+- verror_put_string("my_aia_get: ext is NULL");
+- return(NULL);
+- }
+-
+- method = X509V3_EXT_get(ext);
+- if (method == NULL) {
+- myproxy_debug("my_aia_get: cannot get method");
+- return(NULL);
+- }
+-
+- p = X509_EXTENSION_get_data(ext)->data;
+- len = X509_EXTENSION_get_data(ext)->length;
+- if (method->it) {
+- ext_str = ASN1_item_d2i(NULL, &p, len, ASN1_ITEM_ptr(method->it));
+- } else {
+- ext_str = method->d2i(NULL, &p, len);
+- }
+- if (ext_str == NULL) {
+- myproxy_debug("my_aia_get: null ext_str!");
+- return(NULL);
+- }
+-
+- return((AUTHORITY_INFO_ACCESS*)ext_str);
++ const X509V3_EXT_METHOD *method = NULL;
++ void *ext_str = NULL;
++ const unsigned char *p;
++ int len;
++
++ if (ext == NULL) {
++ verror_put_string("my_aia_get: ext is NULL");
++ return(NULL);
++ }
++
++ method = X509V3_EXT_get(ext);
++ if (method == NULL) {
++ myproxy_debug("my_aia_get: cannot get method");
++ return(NULL);
++ }
++
++ p = X509_EXTENSION_get_data(ext)->data;
++ len = X509_EXTENSION_get_data(ext)->length;
++ if (method->it) {
++ ext_str = ASN1_item_d2i(NULL, &p, len, ASN1_ITEM_ptr(method->it));
++ } else {
++ ext_str = method->d2i(NULL, &p, len);
++ }
++ if (ext_str == NULL) {
++ myproxy_debug("my_aia_get: null ext_str!");
++ return(NULL);
++ }
++
++ return((AUTHORITY_INFO_ACCESS*)ext_str);
+ }
+
+ static void
+ my_aia_free(X509_EXTENSION *ext, AUTHORITY_INFO_ACCESS* aia) {
+- const X509V3_EXT_METHOD *method = NULL;
++ const X509V3_EXT_METHOD *method = NULL;
+
+- if (ext == NULL) {
+- verror_put_string("my_aia_free: ext is NULL");
+- return;
+- }
++ if (ext == NULL) {
++ verror_put_string("my_aia_free: ext is NULL");
++ return;
++ }
+
+- method = X509V3_EXT_get(ext);
+- if (method == NULL) return;
++ method = X509V3_EXT_get(ext);
++ if (method == NULL) return;
+
+- if (method->it) {
+- ASN1_item_free((void*)aia, ASN1_ITEM_ptr(method->it));
+- } else {
+- method->ext_free(aia);
+- }
++ if (method->it) {
++ ASN1_item_free((void*)aia, ASN1_ITEM_ptr(method->it));
++ } else {
++ method->ext_free(aia);
++ }
+ }
+
+ char *
+ myproxy_get_aia_ocsp_uri(X509 *cert)
+ {
+- int loc = -1;
++ int loc = -1;
+ char *uri = NULL;
+
+- if (cert == NULL) return(0);
++ if (cert == NULL) return(0);
+
+- for (loc = X509_get_ext_by_NID(cert, NID_info_access, loc);
++ for (loc = X509_get_ext_by_NID(cert, NID_info_access, loc);
+ loc >= 0;
+ loc = X509_get_ext_by_NID(cert, NID_info_access, loc)) {
+
+- X509_EXTENSION *xe;
+- AUTHORITY_INFO_ACCESS *aia;
++ X509_EXTENSION *xe;
++ AUTHORITY_INFO_ACCESS *aia;
+ int k;
+
+- xe = X509_get_ext(cert, loc);
+- if (xe == NULL) {
+- myproxy_debug("get_aia_ocsp_uri: cannot get x509 extension");
+- continue;
+- }
++ xe = X509_get_ext(cert, loc);
++ if (xe == NULL) {
++ myproxy_debug("get_aia_ocsp_uri: cannot get x509 extension");
++ continue;
++ }
+
+ aia = my_aia_get(xe);
+ if (aia == NULL) continue;
+@@ -129,8 +129,8 @@ myproxy_get_aia_ocsp_uri(X509 *cert)
+
+ my_aia_free(xe, aia);
+
+- if (uri) break;
+- }
++ if (uri) break;
++ }
+
+ return uri;
+ }
+diff --git a/myproxy/source/myproxy_store.c b/myproxy/source/myproxy_store.c
+index 19d02e2f5..bdc482bd1 100644
+--- a/myproxy/source/myproxy_store.c
++++ b/myproxy/source/myproxy_store.c
+@@ -4,7 +4,7 @@
+ * Client program to store a end-entity credential to a myproxy-server
+ */
+
+-#include "myproxy_common.h" /* all needed headers included here */
++#include "myproxy_common.h" /* all needed headers included here */
+
+ /* Location of default proxy */
+ #define MYPROXY_DEFAULT_USERCERT "usercert.pem"
+@@ -85,27 +85,27 @@ static char version[] =
+ "myproxy-store version " MYPROXY_VERSION " (" MYPROXY_VERSION_DATE ") "
+ "\n";
+
+-static char *certfile = NULL; /* certificate file name */
+-static char *keyfile = NULL; /* key file name */
++static char *certfile = NULL; /* certificate file name */
++static char *keyfile = NULL; /* key file name */
+ static int dn_as_username = 0;
+ static int verbose = 0;
+
+ /* Function declarations */
+-int
++int
+ init_arguments( int argc,
+- char *argv[],
+- myproxy_socket_attrs_t *attrs,
++ char *argv[],
++ myproxy_socket_attrs_t *attrs,
+ myproxy_request_t *request);
+
+-int
++int
+ makecertfile( const char certfile[],
+- const char keyfile[],
++ const char keyfile[],
+ char **credbuf);
+
+-#define SECONDS_PER_HOUR (60 * 60)
++#define SECONDS_PER_HOUR (60 * 60)
+
+-int
+-main(int argc,
++int
++main(int argc,
+ char *argv[])
+ {
+ char *pshost = NULL;
+@@ -120,10 +120,10 @@ main(int argc,
+
+ /* check library version */
+ if (myproxy_check_version()) {
+- fprintf(stderr, "MyProxy library version mismatch.\n"
+- "Expecting %s. Found %s.\n",
+- MYPROXY_VERSION_DATE, myproxy_version(0,0,0));
+- exit(1);
++ fprintf(stderr, "MyProxy library version mismatch.\n"
++ "Expecting %s. Found %s.\n",
++ MYPROXY_VERSION_DATE, myproxy_version(0,0,0));
++ exit(1);
+ }
+
+ myproxy_log_use_stream(stderr);
+@@ -145,18 +145,18 @@ main(int argc,
+ pshost = getenv("MYPROXY_SERVER");
+
+ if (pshost != NULL) {
+- socket_attrs->pshost = strdup(pshost);
++ socket_attrs->pshost = strdup(pshost);
+ }
+
+ if (getenv("MYPROXY_SERVER_PORT")) {
+- socket_attrs->psport = atoi(getenv("MYPROXY_SERVER_PORT"));
++ socket_attrs->psport = atoi(getenv("MYPROXY_SERVER_PORT"));
+ } else {
+- socket_attrs->psport = MYPROXY_SERVER_PORT;
++ socket_attrs->psport = MYPROXY_SERVER_PORT;
+ }
+
+ globus_module_activate(GLOBUS_GSI_SYSCONFIG_MODULE);
+ GLOBUS_GSI_SYSCONFIG_GET_USER_CERT_FILENAME( &certfile,
+- &keyfile );
++ &keyfile );
+
+ client_request->proxy_lifetime = SECONDS_PER_HOUR *
+ MYPROXY_DEFAULT_DELEG_HOURS;
+@@ -168,17 +168,17 @@ main(int argc,
+ }
+
+ if (!certfile && !keyfile) {
+- fprintf(stderr, "Credentials not found in default location.\n"
+- "Use --certfile and --keyfile options.\n");
+- goto cleanup;
++ fprintf(stderr, "Credentials not found in default location.\n"
++ "Use --certfile and --keyfile options.\n");
++ goto cleanup;
+ } else if (!certfile) {
+- fprintf(stderr, "Certificate not found in default location.\n"
+- "Use --certfile option.\n");
+- goto cleanup;
++ fprintf(stderr, "Certificate not found in default location.\n"
++ "Use --certfile option.\n");
++ goto cleanup;
+ } else if (!keyfile) {
+- fprintf(stderr, "Private key not found in default location.\n"
+- "Use --keyfile option.\n");
+- goto cleanup;
++ fprintf(stderr, "Private key not found in default location.\n"
++ "Use --keyfile option.\n");
++ goto cleanup;
+ }
+
+ /*
+@@ -192,7 +192,7 @@ main(int argc,
+
+ /* Set up client socket attributes */
+ if (myproxy_init_client(socket_attrs) < 0) {
+- verror_print_error(stderr);
++ verror_print_error(stderr);
+ goto cleanup;
+ }
+
+@@ -217,7 +217,7 @@ main(int argc,
+
+ /* Authenticate client to server */
+ if (myproxy_authenticate_init(socket_attrs, NULL) < 0) {
+- verror_print_error(stderr);
++ verror_print_error(stderr);
+ goto cleanup;
+ }
+
+@@ -239,14 +239,14 @@ main(int argc,
+
+ /* Continue unless the response is not OK */
+ if (myproxy_recv_response_ex(socket_attrs,
+- server_response, client_request) != 0) {
++ server_response, client_request) != 0) {
+ verror_print_error(stderr);
+ goto cleanup;
+ }
+
+ /* Send end-entity credentials to server. */
+ if (myproxy_init_credentials(socket_attrs,
+- credkeybuf) < 0) {
++ credkeybuf) < 0) {
+ verror_print_error(stderr);
+ goto cleanup;
+ }
+@@ -273,93 +273,93 @@ main(int argc,
+
+ int
+ init_arguments(int argc,
+- char *argv[],
+- myproxy_socket_attrs_t *attrs,
++ char *argv[],
++ myproxy_socket_attrs_t *attrs,
+ myproxy_request_t * request)
+ {
+ extern char *optarg;
+- int expr_type = MATCH_CN_ONLY; /*default */
++ int expr_type = MATCH_CN_ONLY; /*default */
+ int arg;
+
+ while ((arg = getopt_long(argc,
+- argv,
+- short_options,
+- long_options, NULL)) != EOF) {
+- switch (arg) {
+- case 's': /* pshost name */
+- attrs->pshost = strdup(optarg);
+- break;
+-
+- case 'p': /* psport */
+- attrs->psport = atoi(optarg);
+- break;
+-
+- case 'c': /* credential file name */
+- if (certfile) free(certfile);
+- certfile = strdup(optarg);
+- break;
+-
+- case 'y': /* key file name */
+- if (keyfile) free(keyfile);
+- keyfile = strdup(optarg);
+- break;
+-
+- case 'u': /* print help and exit */
+- printf("%s", usage);
+- exit(0);
+- break;
+-
+- case 't': /* Specify proxy lifetime in hours */
+- request->proxy_lifetime = SECONDS_PER_HOUR * atoi(optarg);
++ argv,
++ short_options,
++ long_options, NULL)) != EOF) {
++ switch (arg) {
++ case 's': /* pshost name */
++ attrs->pshost = strdup(optarg);
++ break;
++
++ case 'p': /* psport */
++ attrs->psport = atoi(optarg);
++ break;
++
++ case 'c': /* credential file name */
++ if (certfile) free(certfile);
++ certfile = strdup(optarg);
++ break;
++
++ case 'y': /* key file name */
++ if (keyfile) free(keyfile);
++ keyfile = strdup(optarg);
++ break;
++
++ case 'u': /* print help and exit */
++ printf("%s", usage);
++ exit(0);
++ break;
++
++ case 't': /* Specify proxy lifetime in hours */
++ request->proxy_lifetime = SECONDS_PER_HOUR * atoi(optarg);
+ if (request->proxy_lifetime < 0) {
+ fprintf(stderr, "Requested lifetime (-t option) out of bounds.\n");
+ exit(1);
+ }
+- break;
++ break;
++
++ case 'h': /* print help and exit */
++ printf("%s", usage);
++ exit(0);
++ break;
+
+- case 'h': /* print help and exit */
+- printf("%s", usage);
+- exit(0);
+- break;
++ case 'l': /* username */
++ request->username = strdup(optarg);
++ break;
+
+- case 'l': /* username */
+- request->username = strdup(optarg);
+- break;
++ case 'v': /* verbose */
++ myproxy_debug_set_level(1);
++ verbose = 1;
++ break;
+
+- case 'v': /* verbose */
+- myproxy_debug_set_level(1);
+- verbose = 1;
+- break;
++ case 'V': /* print version and exit */
++ printf("%s", version);
++ exit(0);
++ break;
+
+- case 'V': /* print version and exit */
+- printf("%s", version);
+- exit(0);
+- break;
+
++ case 'r': /* retrievers list */
++ if (request->retrievers) {
++ fprintf(stderr,
++ "Only one -a or -r option may be specified.\n");
++ exit(1);
++ }
+
+- case 'r': /* retrievers list */
+- if (request->retrievers) {
+- fprintf(stderr,
+- "Only one -a or -r option may be specified.\n");
+- exit(1);
+- }
++ if (expr_type == REGULAR_EXP) {
+
+- if (expr_type == REGULAR_EXP) {
+-
+ /* Copy as is */
+- request->retrievers = strdup(optarg);
+- } else {
+- request->retrievers =
+- (char *) malloc(strlen(optarg) + 6);
+- strcpy(request->retrievers, "*/CN=");
+- myproxy_debug("authorized retriever %s",
+- request->retrievers);
+- request->retrievers =
+- strcat(request->retrievers, optarg);
+- }
+- break;
+-
+- case 'R': /* renewers list */
++ request->retrievers = strdup(optarg);
++ } else {
++ request->retrievers =
++ (char *) malloc(strlen(optarg) + 6);
++ strcpy(request->retrievers, "*/CN=");
++ myproxy_debug("authorized retriever %s",
++ request->retrievers);
++ request->retrievers =
++ strcat(request->retrievers, optarg);
++ }
++ break;
++
++ case 'R': /* renewers list */
+ /*
+ ** This needs to be readdressed. Right now, the private key is
+ ** being stored encrypted. This is a problem if the user calls
+@@ -368,127 +368,127 @@ init_arguments(int argc,
+ ** So, do we want to add code to unencrypt the private key if
+ ** this option is used?
+ */
+- if (request->renewers) {
+- fprintf(stderr,
+- "Only one -A or -R option may be specified.\n");
+- exit(1);
+- }
+-
+- if (expr_type == REGULAR_EXP) {
+- /* Copy as is */
+- request->renewers = strdup(optarg);
+- } else {
+- request->renewers =
+- (char *) malloc(strlen(optarg) + 6);
+- strcpy(request->renewers, "*/CN=");
+- myproxy_debug("authorized renewer %s", request->renewers);
+- request->renewers = strcat(request->renewers, optarg);
+- }
+- break;
+-
+- case 'Z': /* retrievers list */
+- if (request->trusted_retrievers) {
+- fprintf(stderr,
+- "Only one -Z option may be specified.\n");
+- exit(1);
+- }
+-
+- if (expr_type == REGULAR_EXP) {
+-
++ if (request->renewers) {
++ fprintf(stderr,
++ "Only one -A or -R option may be specified.\n");
++ exit(1);
++ }
++
++ if (expr_type == REGULAR_EXP) {
+ /* Copy as is */
+- request->trusted_retrievers = strdup(optarg);
+- } else {
+- request->trusted_retrievers =
+- (char *) malloc(strlen(optarg) + 6);
+- strcpy(request->trusted_retrievers, "*/CN=");
+- myproxy_debug("trusted retriever %s",
+- request->trusted_retrievers);
+- request->trusted_retrievers =
+- strcat(request->trusted_retrievers, optarg);
+- }
+- break;
+-
+- case 'E' : /* key retriever list */
+- if (expr_type == REGULAR_EXP) {
+- /* Copy as is */
+- request->keyretrieve = strdup(optarg);
+- } else {
+- request->keyretrieve =
+- (char *) malloc(strlen(optarg) + 6);
+- strcpy(request->keyretrieve, "*/CN=");
+- myproxy_debug("authorized key retriever %s",
+- request->keyretrieve);
+- request->keyretrieve =
+- strcat(request->keyretrieve, optarg);
+- }
+- break;
+-
+- case 'd': /*
+- ** use the certificate subject (DN) as the
+- ** default username instead of LOGNAME
+- */
+- dn_as_username = 1;
+- break;
+-
+- case 'x': /*set expression type to regex */
+- expr_type = REGULAR_EXP;
+- myproxy_debug("expr-type = regex");
+- break;
+-
+- case 'X': /*set expression type to common name */
+- expr_type = MATCH_CN_ONLY;
+- myproxy_debug("expr-type = CN");
+- break;
+-
+- case 'a': /*allow anonymous retrievers */
+- if (request->retrievers) {
+- fprintf(stderr,
+- "Only one -a or -r option may be specified.\n");
+- exit(1);
+- }
+-
+- request->retrievers = strdup("*");
+- myproxy_debug("anonymous retrievers allowed");
+- break;
+-
+- case 'A': /*allow anonymous renewers */
+- if (request->renewers) {
+- fprintf(stderr,
+- "Only one -A or -R option may be specified.\n");
+- exit(1);
+- }
+-
+- request->renewers = strdup("*");
+- myproxy_debug("anonymous renewers allowed");
+- break;
+-
+- case 'k': /*credential name */
+- request->credname = strdup(optarg);
+- break;
+-
+- case 'K': /*credential description */
+- request->creddesc = strdup(optarg);
+- break;
+-
+- default: /* print usage and exit */
+- fprintf(stderr, "%s", usage);
+- exit(1);
+- break;
+- }
++ request->renewers = strdup(optarg);
++ } else {
++ request->renewers =
++ (char *) malloc(strlen(optarg) + 6);
++ strcpy(request->renewers, "*/CN=");
++ myproxy_debug("authorized renewer %s", request->renewers);
++ request->renewers = strcat(request->renewers, optarg);
++ }
++ break;
++
++ case 'Z': /* retrievers list */
++ if (request->trusted_retrievers) {
++ fprintf(stderr,
++ "Only one -Z option may be specified.\n");
++ exit(1);
++ }
++
++ if (expr_type == REGULAR_EXP) {
++
++ /* Copy as is */
++ request->trusted_retrievers = strdup(optarg);
++ } else {
++ request->trusted_retrievers =
++ (char *) malloc(strlen(optarg) + 6);
++ strcpy(request->trusted_retrievers, "*/CN=");
++ myproxy_debug("trusted retriever %s",
++ request->trusted_retrievers);
++ request->trusted_retrievers =
++ strcat(request->trusted_retrievers, optarg);
++ }
++ break;
++
++ case 'E' : /* key retriever list */
++ if (expr_type == REGULAR_EXP) {
++ /* Copy as is */
++ request->keyretrieve = strdup(optarg);
++ } else {
++ request->keyretrieve =
++ (char *) malloc(strlen(optarg) + 6);
++ strcpy(request->keyretrieve, "*/CN=");
++ myproxy_debug("authorized key retriever %s",
++ request->keyretrieve);
++ request->keyretrieve =
++ strcat(request->keyretrieve, optarg);
++ }
++ break;
++
++ case 'd': /*
++ ** use the certificate subject (DN) as the
++ ** default username instead of LOGNAME
++ */
++ dn_as_username = 1;
++ break;
++
++ case 'x': /*set expression type to regex */
++ expr_type = REGULAR_EXP;
++ myproxy_debug("expr-type = regex");
++ break;
++
++ case 'X': /*set expression type to common name */
++ expr_type = MATCH_CN_ONLY;
++ myproxy_debug("expr-type = CN");
++ break;
++
++ case 'a': /*allow anonymous retrievers */
++ if (request->retrievers) {
++ fprintf(stderr,
++ "Only one -a or -r option may be specified.\n");
++ exit(1);
++ }
++
++ request->retrievers = strdup("*");
++ myproxy_debug("anonymous retrievers allowed");
++ break;
++
++ case 'A': /*allow anonymous renewers */
++ if (request->renewers) {
++ fprintf(stderr,
++ "Only one -A or -R option may be specified.\n");
++ exit(1);
++ }
++
++ request->renewers = strdup("*");
++ myproxy_debug("anonymous renewers allowed");
++ break;
++
++ case 'k': /*credential name */
++ request->credname = strdup(optarg);
++ break;
++
++ case 'K': /*credential description */
++ request->creddesc = strdup(optarg);
++ break;
++
++ default: /* print usage and exit */
++ fprintf(stderr, "%s", usage);
++ exit(1);
++ break;
++ }
+ }
+
+ /* Check to see if myproxy-server specified */
+ if (attrs->pshost == NULL) {
+ fprintf(stderr, "%s", usage);
+- fprintf(stderr,
+- "Unspecified myproxy-server! Either set the MYPROXY_SERVER environment variable or explicitly set the myproxy-server via the -s flag\n");
+- return -1;
++ fprintf(stderr,
++ "Unspecified myproxy-server! Either set the MYPROXY_SERVER environment variable or explicitly set the myproxy-server via the -s flag\n");
++ return -1;
+ }
+
+ return 0;
+ }
+
+-int
++int
+ makecertfile(const char certfile[],
+ const char keyfile[],
+ char **credbuf)
+@@ -506,10 +506,10 @@ makecertfile(const char certfile[],
+ static char ENDKEY1[] = "-----END RSA PRIVATE KEY-----";
+ static char ENDKEY2[] = "-----END PRIVATE KEY-----";
+ static char ENDKEY3[] = "-----END ENCRYPTED PRIVATE KEY-----";
+- char *certstart;
++ char *certstart;
+ char *certend;
+ int size;
+- char *keystart;
++ char *keystart;
+ char *keyend;
+
+
+@@ -530,8 +530,8 @@ makecertfile(const char certfile[],
+
+ /* Read the certificate(s) into a buffer. */
+ if (buffer_from_file(certfile, &certbuf, NULL) < 0) {
+- fprintf(stderr, "Failed to read %s\n", certfile);
+- goto cleanup;
++ fprintf(stderr, "Failed to read %s\n", certfile);
++ goto cleanup;
+ }
+
+ /* Read the key into a buffer. */
+@@ -554,29 +554,29 @@ makecertfile(const char certfile[],
+ certend += strlen(ENDCERT);
+ size = certend-certstart;
+
+- strncat( *credbuf, certstart, size );
++ strncat( *credbuf, certstart, size );
+ strcat( *credbuf, "\n" );
+ certstart += size;
+
+ /* Write the key. */
+ if ((keystart = strstr((const char *)keybuf, BEGINKEY1)) == NULL
+- && (keystart = strstr((const char *)keybuf, BEGINKEY2)) == NULL
+- && (keystart = strstr((const char *)keybuf, BEGINKEY3)) == NULL) {
+- fprintf(stderr, "%s doesn't contain '%s' nor '%s' nor %s.\n", keyfile,
+- BEGINKEY1, BEGINKEY2, BEGINKEY3);
+- goto cleanup;
++ && (keystart = strstr((const char *)keybuf, BEGINKEY2)) == NULL
++ && (keystart = strstr((const char *)keybuf, BEGINKEY3)) == NULL) {
++ fprintf(stderr, "%s doesn't contain '%s' nor '%s' nor %s.\n", keyfile,
++ BEGINKEY1, BEGINKEY2, BEGINKEY3);
++ goto cleanup;
+ }
+
+ if ((keyend = strstr(keystart, ENDKEY1)) != NULL)
+- keyend += strlen(ENDKEY1);
++ keyend += strlen(ENDKEY1);
+ else if ((keyend = strstr(keystart, ENDKEY2)) != NULL)
+- keyend += strlen(ENDKEY2);
++ keyend += strlen(ENDKEY2);
+ else if ((keyend = strstr(keystart, ENDKEY3)) != NULL)
+- keyend += strlen(ENDKEY3);
++ keyend += strlen(ENDKEY3);
+ else {
+- fprintf(stderr, "%s doesn't contain '%s' nor '%s' nor %s.\n", keyfile, ENDKEY1,
+- ENDKEY2, ENDKEY3);
+- goto cleanup;
++ fprintf(stderr, "%s doesn't contain '%s' nor '%s' nor %s.\n", keyfile, ENDKEY1,
++ ENDKEY2, ENDKEY3);
++ goto cleanup;
+ }
+
+ size = keyend-keystart;
+@@ -595,8 +595,8 @@ makecertfile(const char certfile[],
+ certend += strlen(ENDCERT);
+ size = certend-certstart;
+
+- strncat( *credbuf, certstart, size );
+- strcat( *credbuf, "\n" );
++ strncat( *credbuf, certstart, size );
++ strcat( *credbuf, "\n" );
+ certstart += size;
+ }
+
+diff --git a/myproxy/source/vomsclient.c b/myproxy/source/vomsclient.c
+index b441f9880..67f5ee318 100644
+--- a/myproxy/source/vomsclient.c
++++ b/myproxy/source/vomsclient.c
+@@ -14,7 +14,7 @@ int voms_init_delegation(myproxy_socket_attrs_t *attrs,
+ char *voname, char *vomses, char *voms_userconf);
+
+
+-int voms_contact(SSL_CREDENTIALS *creds, int lifetime,
++int voms_contact(SSL_CREDENTIALS *creds, int lifetime,
+ char *voname, char *vomses, char *voms_userconf,
+ unsigned char **aclist, int *aclist_length);
+
+@@ -35,7 +35,7 @@ voms_put_error_message(struct vomsdata *vd, int err)
+ * get the user info for specified vo
+ */
+ static int
+-voms_get_user_info(struct vomsdata *vd,
++voms_get_user_info(struct vomsdata *vd,
+ voms_command_t *command,
+ char *vomses_path)
+ {
+@@ -60,7 +60,7 @@ voms_get_user_info(struct vomsdata *vd,
+ info->contact,
+ command->command,
+ vd,
+- &err);
++ &err);
+ if (result) {
+ /* if contact succeded jumps to other VOs */
+ return_code = 0;
+@@ -164,7 +164,7 @@ vomses_write_to_temporary(char *vomses, char *template)
+
+ done:
+
+- return return_status;
++ return return_status;
+ }
+
+ static int
+@@ -199,7 +199,7 @@ voms_get_role_command(const char *str)
+ {
+ char *buf = NULL;
+ char *p_role = NULL;
+- size_t buf_len, role_len;;
++ size_t buf_len, role_len;;
+ int i = 0;
+
+ if ((str == NULL) || (str[0] == '\0')) {
+@@ -280,7 +280,7 @@ static char *
+ voms_get_group_command(const char *str)
+ {
+ char *buf = NULL;
+- size_t buf_len = 0, str_len = 0;
++ size_t buf_len = 0, str_len = 0;
+ int i = 0;
+
+ if ((str == NULL) || (str[0] == '\0')) {
+@@ -341,7 +341,7 @@ voms_convert_command(const char *str)
+ return result;
+ }
+
+-static int
++static int
+ voms_parse_command(const char *voms, char **vo, char **command)
+ {
+ int result = 1;
+@@ -448,12 +448,12 @@ voms_command_list_add(voms_command_t **headRef, const char *vo, const char *cmd)
+ result = 0;
+ }
+ } else {
+- node = voms_command_list_find(current, vo);
++ node = voms_command_list_find(current, vo);
+ if (node != NULL) {
+ /* Append command to the node */
+ my_append(&(node->command), ",", cmd, NULL);
+ result = 0;
+- } else {
++ } else {
+ /* Create and Add a new node to last */
+ node = voms_command_new(vo, cmd);
+ if (node != NULL) {
+@@ -575,13 +575,13 @@ get_AC_SEQ(struct vomsdata *vd, unsigned char **aclist, int *aclist_length)
+
+ /*
+ * Get VOMS User info
+- *
++ *
+ * @param aclist DER-encoded AC-sequence
+ * @param aclist_length length of aclist
+ * Returns 0 on success or 1 on error.
+ */
+-int
+-voms_contact(SSL_CREDENTIALS *creds, int lifetime,
++int
++voms_contact(SSL_CREDENTIALS *creds, int lifetime,
+ char *voname, char *vomses, char *voms_userconf,
+ unsigned char **aclist, int *aclist_length)
+
+@@ -589,7 +589,7 @@ voms_contact(SSL_CREDENTIALS *creds, int lifetime,
+
+ int return_code = 1;
+ int verify_ac = 0;
+- struct vomsdata *vd = NULL;
++ struct vomsdata *vd = NULL;
+ int err;
+ int result = 1;
+ int is_write_temp_vomses = 0;
+@@ -642,7 +642,7 @@ voms_contact(SSL_CREDENTIALS *creds, int lifetime,
+ }
+ is_write_temp_vomses = 1;
+ } else {
+- if (voms_userconf == NULL) {
++ if (voms_userconf == NULL) {
+ verror_put_string("No VOMS Server Information");
+ goto error;
+ }
+@@ -661,8 +661,8 @@ voms_contact(SSL_CREDENTIALS *creds, int lifetime,
+ /* Set X509_USER_CERT, X509_USER_KEY */
+ old_ucert = getenv("X509_USER_CERT");
+ old_ukey = getenv("X509_USER_KEY");
+- /*
+- Save credential (cert & private key) to cred_path
++ /*
++ Save credential (cert & private key) to cred_path
+ cred_path is modified on success.
+ */
+ if ( credential_write_to_temporary(creds, cred_path) != SSL_SUCCESS ) {
+@@ -755,7 +755,7 @@ void get_voms_proxy(myproxy_socket_attrs_t *attrs,
+ lifetime,
+ request->passphrase,
+ request->voname,
+- request->vomses,
++ request->vomses,
+ config->voms_userconf) < 0) {
+ response->response_type = MYPROXY_ERROR_RESPONSE;
+ response->error_string = strdup( verror_get_string() );
+@@ -803,11 +803,11 @@ voms_create_AC_SEQ_X509_EXTENSION(unsigned char *acseq, int acseq_length)
+
+ static int
+ voms_contact_ext(const char *source_credentials, const int lifetime,
+- char *passphrase,
++ char *passphrase,
+ char *voname, char *vomses, char *voms_userconf)
+-{
++{
+ int result = 1;
+- SSL_CREDENTIALS *creds = NULL;
++ SSL_CREDENTIALS *creds = NULL;
+ unsigned char *acseq= NULL;
+ int acseq_length = 0;
+ X509_EXTENSION *ext = NULL;
+@@ -817,7 +817,7 @@ voms_contact_ext(const char *source_credentials, const int lifetime,
+ if (creds == NULL) {
+ goto done;
+ }
+- if (ssl_proxy_load_from_file(creds, source_credentials,
++ if (ssl_proxy_load_from_file(creds, source_credentials,
+ passphrase) == SSL_ERROR) {
+ goto done;
+ }
+@@ -862,7 +862,7 @@ voms_init_delegation(myproxy_socket_attrs_t *attrs,
+ const char *delegfile,
+ const int lifetime,
+ char *passphrase,
+- char *voname, char *vomses,
++ char *voname, char *vomses,
+ char *voms_userconf)
+ {
+
+@@ -874,7 +874,7 @@ voms_init_delegation(myproxy_socket_attrs_t *attrs,
+ return -1;
+
+
+- if (voms_contact_ext(delegfile, lifetime, passphrase,
++ if (voms_contact_ext(delegfile, lifetime, passphrase,
+ voname, vomses, voms_userconf))
+ {
+ verror_put_string("Couldn't get VOMS User Information.");
+--
+2.54.0
+
diff --git a/0002-Build-with-OpenSSL-4.patch b/0002-Build-with-OpenSSL-4.patch
new file mode 100644
index 0000000..e333143
--- /dev/null
+++ b/0002-Build-with-OpenSSL-4.patch
@@ -0,0 +1,233 @@
+From 24375b8503d2a4373600b14d03700b697415737b Mon Sep 17 00:00:00 2001
+From: Mattias Ellert <mattias.ellert@physics.uu.se>
+Date: Wed, 20 May 2026 00:15:37 +0200
+Subject: [PATCH 2/3] Build with OpenSSL 4
+
+---
+ myproxy/source/certauth_extensions.c | 23 ++++++++++++-----------
+ myproxy/source/myproxy_ocsp.c | 10 +++++++---
+ myproxy/source/myproxy_ocsp_aia.c | 26 +++++++++++++++++++++-----
+ myproxy/source/ssl_utils.c | 11 ++++++++++-
+ myproxy/source/vomsclient.c | 6 ++----
+ 5 files changed, 52 insertions(+), 24 deletions(-)
+
+diff --git a/myproxy/source/certauth_extensions.c b/myproxy/source/certauth_extensions.c
+index 4ebf83b9c..dd2f5d3af 100644
+--- a/myproxy/source/certauth_extensions.c
++++ b/myproxy/source/certauth_extensions.c
+@@ -361,7 +361,7 @@ assign_serial_number( X509 *cert,
+ ASN1_INTEGER_set(current, server_context->certificate_serial_skip);
+ }
+
+- serial = BN_bin2bn( current->data, current->length, serial );
++ serial = BN_bin2bn( ASN1_STRING_get0_data(current), ASN1_STRING_length(current), serial );
+ if ( serial == NULL ) {
+ verror_put_string("Error converting to bignum\n");
+ ssl_error_to_verror();
+@@ -522,7 +522,7 @@ generate_certificate( X509_REQ *request,
+ goto error;
+ }
+
+- subject = X509_get_subject_name(cert);
++ subject = X509_NAME_dup(X509_get_subject_name(cert));
+
+ globus_result =
+ globus_gsi_cert_utils_get_x509_name(userdn, strlen(userdn), subject);
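Review bot: The copy returned by `X509_NAME_dup(...)` on the changed line is handed to `globus_gsi_cert_utils_get_x509_name` without a NULL check, so an allocation failure reaches that call with a null `subject`. I would add `if (subject == NULL) { ssl_error_to_verror(); goto error; }` directly after the dup. The copy also has to be released on every `goto error` taken before the `X509_NAME_free(subject)` that the @@ -566 hunk adds. The `error:` label is outside the visible hunks, so confirm that it frees `subject` and that the normal path cannot free it twice.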
+@@ -536,23 +536,21 @@ generate_certificate( X509_REQ *request,
+ problems we find.*/
+ for (i = 0; i < X509_NAME_entry_count(subject); i++)
+ {
+- X509_NAME_ENTRY *ne = NULL;
+- ASN1_STRING *str = NULL;
+- ASN1_OBJECT *obj = NULL;
++ const X509_NAME_ENTRY *ne = NULL;
++ const ASN1_STRING *str = NULL;
++ const ASN1_OBJECT *obj = NULL;
+
+ ne = X509_NAME_get_entry(subject, i);
+ str = X509_NAME_ENTRY_get_data(ne);
+ obj = X509_NAME_ENTRY_get_object(ne);
+
+ if ((OBJ_obj2nid(obj) == NID_domainComponent) &&
+- (str->type == V_ASN1_PRINTABLESTRING)) {
+- myproxy_debug("Setting DC type to IA5String.");
+- str->type = V_ASN1_IA5STRING;
++ (ASN1_STRING_type(str) == V_ASN1_PRINTABLESTRING)) {
++ myproxy_debug("Can't set DC type to IA5String.");
+ }
+ if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
+- (str->type == V_ASN1_PRINTABLESTRING)) {
+- myproxy_debug("Setting emailAddress type to IA5String.");
+- str->type = V_ASN1_IA5STRING;
++ (ASN1_STRING_type(str) == V_ASN1_PRINTABLESTRING)) {
++ myproxy_debug("Can't set emailAddress type to IA5String.");
+ }
+ }
+
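Review bot: The two `Can't set … type to IA5String.` branches now only log, so a build with this patch keeps the PrintableString encoding for domainComponent and emailAddress that the removed lines used to rewrite to IA5String. That changes the subject name this function produces, it is reported only at debug level, and relying parties that compare encoded names may treat the new certificates differently from earlier ones (to be confirmed against the deployment). Because `subject` is a private copy since the @@ -522 hunk, the entry could instead be replaced in that copy, for example with `X509_NAME_delete_entry` followed by `X509_NAME_add_entry_by_NID(..., V_ASN1_IA5STRING, ...)`. If leaving the type alone is intended, a comment above the loop should say so, and the message should state that the entry is left as PrintableString.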
+@@ -566,6 +564,9 @@ generate_certificate( X509_REQ *request,
+ goto error;
+ }
+
++ X509_set_subject_name(cert, subject);
++ X509_NAME_free(subject);
++
+ if ((issuer_cert = PEM_read_X509(issuer_cert_file,
+ NULL, NULL, NULL)) == NULL)
+ {
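Review bot: The return value of the added `X509_set_subject_name(cert, subject);` is ignored, so if the copy fails the function carries on with whatever subject `cert` already had rather than the name built from `userdn`. In what is presumably the certificate-issuing path this should be a hard failure: `if (!X509_set_subject_name(cert, subject)) { ssl_error_to_verror(); X509_NAME_free(subject); goto error; }`. The rest of generate_certificate, including the `error:` label, is outside the hunk.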
+diff --git a/myproxy/source/myproxy_ocsp.c b/myproxy/source/myproxy_ocsp.c
+index 411819852..1cde641c7 100644
+--- a/myproxy/source/myproxy_ocsp.c
++++ b/myproxy/source/myproxy_ocsp.c
+@@ -164,11 +164,15 @@ static int
+ verify_cert_hostname(X509 *cert, char *hostname) {
+ int extcount, i, j, ok = 0;
+ char name[256];
+- X509_NAME *subj;
++ const X509_NAME *subj;
+ const char *extstr;
+ CONF_VALUE *nval;
+ const unsigned char *data;
++#if OPENSSL_VERSION_NUMBER < 0x40000000L
+ X509_EXTENSION *ext;
++#else
++ const X509_EXTENSION *ext;
++#endif
+ X509V3_EXT_METHOD *meth;
+ STACK_OF(CONF_VALUE) *val;
+
+@@ -178,9 +182,9 @@ verify_cert_hostname(X509 *cert, char *hostname) {
+ extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
+ if (!strcasecmp(extstr, "subjectAltName")) {
+ if (!(meth = (X509V3_EXT_METHOD *)X509V3_EXT_get(ext))) break;
+- data = X509_EXTENSION_get_data(ext)->data;
++ data = ASN1_STRING_get0_data(X509_EXTENSION_get_data(ext));
+
+- val = meth->i2v(meth, meth->d2i(0, &data, X509_EXTENSION_get_data(ext)->length), 0);
++ val = meth->i2v(meth, meth->d2i(0, &data, ASN1_STRING_length(X509_EXTENSION_get_data(ext))), 0);
+ for (j = 0; j < sk_CONF_VALUE_num(val); j++) {
+ nval = sk_CONF_VALUE_value(val, j);
+ if (!strcasecmp(nval->name, "DNS") && !strcasecmp(nval->value, hostname)) {
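Review bot: On the rewritten `val = meth->i2v(...)` line the result of `meth->d2i(...)` is passed straight into `i2v` without a NULL check and is never stored, so a subjectAltName that fails to decode is not rejected explicitly and the decoded structure cannot be freed afterwards. The extension bytes come from the certificate being checked, so the decode should be treated as fallible: keep the pointer, `break` when it is NULL, and release it (and `val`) once the loop over names is done. Since the visible code only matches DNS names against `hostname`, `X509_check_host(cert, hostname, 0, 0, NULL) == 1` could replace the hand-written walk where the minimum supported OpenSSL version allows it. verify_cert_hostname continues past the end of this hunk, so any existing cleanup is not visible here.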
+diff --git a/myproxy/source/myproxy_ocsp_aia.c b/myproxy/source/myproxy_ocsp_aia.c
+index c01d85e4f..4a62465f5 100644
+--- a/myproxy/source/myproxy_ocsp_aia.c
++++ b/myproxy/source/myproxy_ocsp_aia.c
+@@ -35,8 +35,14 @@
+ #include <openssl/ssl.h>
+ #include <openssl/x509v3.h>
+
++#if OPENSSL_VERSION_NUMBER < 0x40000000L
+ static AUTHORITY_INFO_ACCESS *
+-my_aia_get(X509_EXTENSION *ext) {
++my_aia_get(X509_EXTENSION *ext)
++#else
++static AUTHORITY_INFO_ACCESS *
++my_aia_get(const X509_EXTENSION *ext)
++#endif
++{
+ const X509V3_EXT_METHOD *method = NULL;
+ void *ext_str = NULL;
+ const unsigned char *p;
+@@ -53,8 +59,8 @@ my_aia_get(X509_EXTENSION *ext) {
+ return(NULL);
+ }
+
+- p = X509_EXTENSION_get_data(ext)->data;
+- len = X509_EXTENSION_get_data(ext)->length;
++ p = ASN1_STRING_get0_data(X509_EXTENSION_get_data(ext));
++ len = ASN1_STRING_length(X509_EXTENSION_get_data(ext));
+ if (method->it) {
+ ext_str = ASN1_item_d2i(NULL, &p, len, ASN1_ITEM_ptr(method->it));
+ } else {
+@@ -68,8 +74,14 @@ my_aia_get(X509_EXTENSION *ext) {
+ return((AUTHORITY_INFO_ACCESS*)ext_str);
+ }
+
++#if OPENSSL_VERSION_NUMBER < 0x40000000L
++static void
++my_aia_free(X509_EXTENSION *ext, AUTHORITY_INFO_ACCESS* aia)
++#else
+ static void
+-my_aia_free(X509_EXTENSION *ext, AUTHORITY_INFO_ACCESS* aia) {
++my_aia_free(const X509_EXTENSION *ext, AUTHORITY_INFO_ACCESS* aia)
++#endif
++{
+ const X509V3_EXT_METHOD *method = NULL;
+
+ if (ext == NULL) {
+@@ -99,7 +111,11 @@ myproxy_get_aia_ocsp_uri(X509 *cert)
+ loc >= 0;
+ loc = X509_get_ext_by_NID(cert, NID_info_access, loc)) {
+
++#if OPENSSL_VERSION_NUMBER < 0x40000000L
+ X509_EXTENSION *xe;
++#else
++ const X509_EXTENSION *xe;
++#endif
+ AUTHORITY_INFO_ACCESS *aia;
+ int k;
+
+@@ -123,7 +139,7 @@ myproxy_get_aia_ocsp_uri(X509 *cert)
+ if (gn->type != GEN_URI) continue;
+
+ asn1_uri = gn->d.uniformResourceIdentifier;
+- uri = strdup((const char*)asn1_uri->data);
++ uri = strdup((const char*)ASN1_STRING_get0_data(asn1_uri));
+ break;
+ }
+
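Review bot: `strdup((const char*)ASN1_STRING_get0_data(asn1_uri))` treats the URI as a C string, but ASN.1 string data is length-delimited: it may contain embedded NUL bytes, and NUL termination should not be relied on. The value is read from the certificate's Authority Information Access extension, so it should be handled as untrusted input. Copy by length and reject embedded NULs, e.g. `len = ASN1_STRING_length(asn1_uri); if (len <= 0 || memchr(p, 0, len) != NULL) continue; uri = strndup((const char *)p, len);` with `p` holding the `ASN1_STRING_get0_data` result. The enclosing loop in myproxy_get_aia_ocsp_uri starts above this hunk.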
+diff --git a/myproxy/source/ssl_utils.c b/myproxy/source/ssl_utils.c
+index e36134e2c..c83848784 100644
+--- a/myproxy/source/ssl_utils.c
++++ b/myproxy/source/ssl_utils.c
+@@ -79,18 +79,27 @@ void
+ ssl_error_to_verror()
+ {
+ unsigned long error;
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ ERR_STATE *error_state;
+- const char *error_data;
+ int error_number;
++#else
++ int flags;
++#endif
++ const char *error_data;
+
+ while ((error = ERR_peek_error()) != 0)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ /* Find data for last error */
+ error_state = ERR_get_state();
+
+ error_number = (error_state->bottom + 1) % ERR_NUM_ERRORS;
+
+ error_data = error_state->err_data[error_number];
++#else
++ ERR_peek_error_data(&error_data, &flags);
++ if (!(flags & ERR_TXT_STRING)) error_data = NULL;
++#endif
+
+ /* Now add to verror state */
+ verror_put_string("%s", ERR_error_string(error, NULL));
+diff --git a/myproxy/source/vomsclient.c b/myproxy/source/vomsclient.c
+index 67f5ee318..97879ea56 100644
+--- a/myproxy/source/vomsclient.c
++++ b/myproxy/source/vomsclient.c
+@@ -779,13 +779,11 @@ voms_create_AC_SEQ_X509_EXTENSION(unsigned char *acseq, int acseq_length)
+ goto error;
+ }
+
+- ac_DER_string->data = (unsigned char*)malloc(acseq_length);
+- if (ac_DER_string->data == NULL) {
++ if (ASN1_OCTET_STRING_set(ac_DER_string, acseq, acseq_length) == 0) {
+ verror_put_string("Couldn't allocate ASN1_OCTET");
+ goto error;
+ }
+- memcpy(ac_DER_string->data, acseq, acseq_length);
+- ac_DER_string->length = acseq_length;
++
+ ext = X509_EXTENSION_create_by_NID(NULL, OBJ_txt2nid("acseq"),
+ 0, ac_DER_string);
+ if (ext == NULL) {
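Review bot: `ASN1_OCTET_STRING_set(ac_DER_string, acseq, acseq_length)` changes what happens for a negative `acseq_length`: the removed `malloc(acseq_length)` would most likely have failed, whereas the ASN1_STRING setters document a length of -1 as "use strlen(data)", which on binary DER data stops at the first zero byte. Unless the length is validated before this point (the start of voms_create_AC_SEQ_X509_EXTENSION is outside the hunk), add a guard such as `if (acseq == NULL || acseq_length <= 0) { verror_put_string("Invalid AC sequence"); goto error; }` ahead of the call. The existing `Couldn't allocate ASN1_OCTET` message then remains accurate for the remaining failure case.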
+--
+2.54.0
+
diff --git a/0003-Fix-compiler-and-doxygen-warnings.patch b/0003-Fix-compiler-and-doxygen-warnings.patch
new file mode 100644
index 0000000..b61111b
--- /dev/null
+++ b/0003-Fix-compiler-and-doxygen-warnings.patch
@@ -0,0 +1,266 @@
+From 4ee08d13e2963309e2063dc45dedd067337d3b76 Mon Sep 17 00:00:00 2001
+From: Mattias Ellert <mattias.ellert@physics.uu.se>
+Date: Wed, 20 May 2026 00:15:37 +0200
+Subject: [PATCH 3/3] Fix compiler and doxygen warnings
+
+---
+ myproxy/source/certauth_extensions.c | 4 +---
+ myproxy/source/gssapi.c | 10 +++++-----
+ myproxy/source/myproxy.c | 8 ++++----
+ myproxy/source/myproxy_alcf.c | 2 +-
+ myproxy/source/myproxy_get_credential.c | 10 +++++-----
+ myproxy/source/myproxy_store.c | 8 ++++----
+ myproxy/source/plugin_common.c | 2 +-
+ myproxy/source/vomsclient.c | 8 ++++----
+ 8 files changed, 25 insertions(+), 27 deletions(-)
+
+diff --git a/myproxy/source/certauth_extensions.c b/myproxy/source/certauth_extensions.c
+index dd2f5d3af..47a12116a 100644
+--- a/myproxy/source/certauth_extensions.c
++++ b/myproxy/source/certauth_extensions.c
+@@ -825,6 +825,7 @@ generate_certificate( X509_REQ *request,
+ }
+
+
++#ifndef OPENSSL_NO_ENGINE
+ static int
+ arraylen(char **options) {
+ char **ptr;
+@@ -836,7 +837,6 @@ arraylen(char **options) {
+ return c;
+ }
+
+-#ifndef OPENSSL_NO_ENGINE
+ void shutdown_openssl_engine(void) {
+ if (e_cakey) EVP_PKEY_free( e_cakey );
+ if (engine) ENGINE_finish(engine);
+@@ -847,7 +847,6 @@ void shutdown_openssl_engine(void) {
+
+ if (engine_used) ENGINE_cleanup();
+ }
+-#endif
+
+ static int ui_read_fn(UI *ui, UI_STRING *ui_string) {
+ switch(UI_get_string_type(ui_string)) {
+@@ -879,7 +878,6 @@ static int ui_write_fn(UI *ui, UI_STRING *ui_string) {
+ return 1;
+ }
+
+-#ifndef OPENSSL_NO_ENGINE
+ int initialise_openssl_engine(myproxy_server_context_t *server_context) {
+ ENGINE *e;
+ EVP_PKEY *cakey;
+diff --git a/myproxy/source/gssapi.c b/myproxy/source/gssapi.c
+index 70a6d27e4..e78229f4e 100644
+--- a/myproxy/source/gssapi.c
++++ b/myproxy/source/gssapi.c
+@@ -581,29 +581,29 @@ static context_t *gss_new_context(const sasl_utils_t *utils)
+
+ static void sasl_gss_free_context_contents(context_t *text)
+ {
+- OM_uint32 maj_stat, min_stat;
++ OM_uint32 min_stat;
+
+ if (!text) return;
+
+ if (sasl_gss_lib_init(text->utils) != SASL_OK) return;
+
+ if (text->gss_ctx != GSS_C_NO_CONTEXT) {
+- maj_stat = (*p_krb5_gss_delete_sec_context)(&min_stat,&text->gss_ctx,GSS_C_NO_BUFFER);
++ (*p_krb5_gss_delete_sec_context)(&min_stat,&text->gss_ctx,GSS_C_NO_BUFFER);
+ text->gss_ctx = GSS_C_NO_CONTEXT;
+ }
+
+ if (text->client_name != GSS_C_NO_NAME) {
+- maj_stat = (*p_krb5_gss_release_name)(&min_stat,&text->client_name);
++ (*p_krb5_gss_release_name)(&min_stat,&text->client_name);
+ text->client_name = GSS_C_NO_NAME;
+ }
+
+ if (text->server_name != GSS_C_NO_NAME) {
+- maj_stat = (*p_krb5_gss_release_name)(&min_stat,&text->server_name);
++ (*p_krb5_gss_release_name)(&min_stat,&text->server_name);
+ text->server_name = GSS_C_NO_NAME;
+ }
+
+ if ( text->server_creds != GSS_C_NO_CREDENTIAL) {
+- maj_stat = (*p_krb5_gss_release_cred)(&min_stat, &text->server_creds);
++ (*p_krb5_gss_release_cred)(&min_stat, &text->server_creds);
+ text->server_creds = GSS_C_NO_CREDENTIAL;
+ }
+
+diff --git a/myproxy/source/myproxy.c b/myproxy/source/myproxy.c
+index 89ab0a306..34e804127 100644
+--- a/myproxy/source/myproxy.c
++++ b/myproxy/source/myproxy.c
+@@ -896,7 +896,7 @@ myproxy_authenticate_init(myproxy_socket_attrs_t *attrs,
+ gss_buffer_desc name_buf;
+ const char *services[] = { "myproxy", "host" };
+ int s;
+- OM_uint32 major_status, minor_status;
++ OM_uint32 minor_status;
+
+ fqhn = GSI_SOCKET_get_peer_hostname(attrs->gsi_socket);
+ if (!fqhn) {
+@@ -912,7 +912,7 @@ myproxy_authenticate_init(myproxy_socket_attrs_t *attrs,
+ services[s], fqhn);
+ name_buf.length = strlen(name_buf.value);
+
+- major_status = gss_import_name(
++ gss_import_name(
+ &minor_status,
+ &name_buf,
+ GSS_C_NT_HOSTBASED_SERVICE,
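Review bot: Dropping `major_status` silences the unused-variable warning but leaves the result of `gss_import_name(` unchecked, so a failed import is indistinguishable from success in the code that follows. This runs in myproxy_authenticate_init, apparently while building the service name for the peer host, so I would keep the variable (its declaration is removed in the @@ -896 hunk) and test it right after the call, e.g. `if (GSS_ERROR(major_status)) continue;` or the function's error path, whichever fits the loop over `services`. The call's remaining arguments and the loop body are outside the hunk, so how the imported name is used afterwards is not visible here.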
+@@ -2812,7 +2812,7 @@ convert_message(const char *buffer,
+ char **line)
+ {
+ int foundone = 0;
+- char *varname_start;
++ const char *varname_start;
+ int return_value = -1;
+ int line_index = 0;
+ const char *buffer_p;
+@@ -2836,7 +2836,7 @@ convert_message(const char *buffer,
+
+ while ((varname_start = strstr(buffer_p, varname)) != NULL)
+ {
+- char *value_start;
++ const char *value_start;
+ int value_length;
+
+ /* Have is this the first varname we've found? */
+diff --git a/myproxy/source/myproxy_alcf.c b/myproxy/source/myproxy_alcf.c
+index 61c1cbeef..e67ea464e 100644
+--- a/myproxy/source/myproxy_alcf.c
++++ b/myproxy/source/myproxy_alcf.c
+@@ -366,7 +366,7 @@ int makeproxy(const char certfile[], const char keyfile[],
+ static char ENDKEY2[] = "-----END PRIVATE KEY-----";
+ static char ENDKEY3[] = "-----END ENCRYPTED PRIVATE KEY-----";
+ unsigned char *certbuf=NULL, *keybuf=NULL;
+- char *certstart, *certend, *keystart, *keyend;
++ const char *certstart, *certend, *keystart, *keyend;
+ int return_value = -1, size, rval, fd=0;
+ uid_t owner;
+
+diff --git a/myproxy/source/myproxy_get_credential.c b/myproxy/source/myproxy_get_credential.c
+index d1d15f386..b60efaf38 100644
+--- a/myproxy/source/myproxy_get_credential.c
++++ b/myproxy/source/myproxy_get_credential.c
+@@ -73,7 +73,7 @@ store_credential( char *delegfile,
+ char *keyfile );
+
+ int
+-buffer2file( char *buffer,
++buffer2file( const char *buffer,
+ int size,
+ int fd );
+
+@@ -494,7 +494,7 @@ write_cert( char *path,
+ int fd = 0;
+ static char BEGINCERT[] = "-----BEGIN CERTIFICATE-----";
+ static char ENDCERT[] = "-----END CERTIFICATE-----";
+- char *certstart,
++ const char *certstart,
+ *certend;
+ int retval = -1;
+ int size;
+@@ -580,7 +580,7 @@ write_key( char *path,
+ static char ENDKEY1[] = "-----END RSA PRIVATE KEY-----";
+ static char ENDKEY2[] = "-----END PRIVATE KEY-----";
+ static char ENDKEY3[] = "-----END ENCRYPTED PRIVATE KEY-----";
+- char *keystart,
++ const char *keystart,
+ *keyend;
+ int retval = -1;
+ int size;
+@@ -648,12 +648,12 @@ error:
+ }
+
+ int
+-buffer2file( char *buffer,
++buffer2file( const char *buffer,
+ int size,
+ int fd )
+ {
+ int rval;
+- char *certstart;
++ const char *certstart;
+
+ certstart = buffer;
+
+diff --git a/myproxy/source/myproxy_store.c b/myproxy/source/myproxy_store.c
+index bdc482bd1..1efd8ce7c 100644
+--- a/myproxy/source/myproxy_store.c
++++ b/myproxy/source/myproxy_store.c
+@@ -506,11 +506,11 @@ makecertfile(const char certfile[],
+ static char ENDKEY1[] = "-----END RSA PRIVATE KEY-----";
+ static char ENDKEY2[] = "-----END PRIVATE KEY-----";
+ static char ENDKEY3[] = "-----END ENCRYPTED PRIVATE KEY-----";
+- char *certstart;
+- char *certend;
++ const char *certstart;
++ const char *certend;
+ int size;
+- char *keystart;
+- char *keyend;
++ const char *keystart;
++ const char *keyend;
+
+
+ /* Figure out how much memory we are going to need */
+diff --git a/myproxy/source/plugin_common.c b/myproxy/source/plugin_common.c
+index d744c0d46..8c0f96976 100644
+--- a/myproxy/source/plugin_common.c
++++ b/myproxy/source/plugin_common.c
+@@ -731,7 +731,7 @@ int _plug_parseuser(const sasl_utils_t *utils,
+ return SASL_BADPARAM;
+ }
+
+- r = strchr(input, '@');
++ r = (char *) strchr(input, '@');
+ if (!r) {
+ /* hmmm, the user didn't specify a realm */
+ if(user_realm && user_realm[0]) {
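Review bot: The added cast in `r = (char *) strchr(input, '@');` discards the const qualifier instead of carrying it through, unlike the other hunks of this patch, which change the receiving variable to `const char *`. If `r` is only read in the rest of _plug_parseuser (not visible here), declaring it `const char *r` is the safer fix. If the function does write through `r`, the cast hides a write into the caller's `input` buffer, and that deserves a comment at the cast. The declaration of `r` is outside the hunk.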
+diff --git a/myproxy/source/vomsclient.c b/myproxy/source/vomsclient.c
+index 97879ea56..7f41e4174 100644
+--- a/myproxy/source/vomsclient.c
++++ b/myproxy/source/vomsclient.c
+@@ -198,7 +198,7 @@ static char *
+ voms_get_role_command(const char *str)
+ {
+ char *buf = NULL;
+- char *p_role = NULL;
++ const char *p_role = NULL;
+ size_t buf_len, role_len;;
+ int i = 0;
+
+@@ -232,7 +232,7 @@ static char *
+ voms_get_mapping_command(const char *str)
+ {
+ char *buf = NULL;
+- char *p_role = NULL;
++ const char *p_role = NULL;
+ size_t buf_len = 0, group_len = 0, role_len = 0;
+ int i = 0;
+
+@@ -315,7 +315,7 @@ voms_get_group_command(const char *str)
+ static char *
+ voms_convert_command(const char *str)
+ {
+- char *p = NULL;
++ const char *p = NULL;
+ char *result = NULL;
+
+ if (str == NULL) {
+@@ -345,7 +345,7 @@ static int
+ voms_parse_command(const char *voms, char **vo, char **command)
+ {
+ int result = 1;
+- char *p_colon = NULL;
++ const char *p_colon = NULL;
+ p_colon = strchr(voms, ':');
+ if (p_colon == NULL) {
+ *vo = strdup(voms);
+--
+2.54.0
+
diff --git a/myproxy.spec b/myproxy.spec
index 53bc422..5dde14e 100644
--- a/myproxy.spec
+++ b/myproxy.spec
@@ -8,7 +8,7 @@
Name: myproxy
Version: 6.2.20
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Manage X.509 Public Key Infrastructure (PKI) security credentials
License: NCSA AND BSD-4-Clause AND BSD-2-Clause AND Apache-2.0
@@ -16,6 +16,9 @@ URL: http://grid.ncsa.illinois.edu/myproxy/
Source: https://repo.gridcf.org/gct6/sources/%{name}-%{version}.tar.gz
Source1: myproxy-server-systemd-sysusers.conf
Source8: README
+Patch0: 0001-Untabify-and-remove-trailing-white-space.patch
+Patch1: 0002-Build-with-OpenSSL-4.patch
+Patch2: 0003-Fix-compiler-and-doxygen-warnings.patch
BuildRequires: make
BuildRequires: gcc
@@ -30,7 +33,7 @@ BuildRequires: globus-gsi-callback-devel >= 4
BuildRequires: cyrus-sasl-devel
BuildRequires: krb5-devel
BuildRequires: openssl-devel
-%if %{?fedora}%{!?fedora:0} >= 41
+%if %{?fedora}%{!?fedora:0} >= 41 && %{?fedora}%{!?fedora:0} <= 44
BuildRequires: openssl-devel-engine
%endif
BuildRequires: openldap-devel >= 2.3
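Review bot: The new upper bound in `%if %{?fedora}%{!?fedora:0} >= 41 && %{?fedora}%{!?fedora:0} <= 44` has no comment saying why openssl-devel-engine stops being required after Fedora 44. Together with the `#ifndef OPENSSL_NO_ENGINE` region widened in 0003-Fix-compiler-and-doxygen-warnings.patch, this presumably means later releases build without the engine code path that loads the CA key. If so, that is a feature change for sites keeping the CA key behind an engine and belongs in a spec comment and the changelog entry. Something like `# ENGINE support is only built on Fedora 41-44` above the conditional would do, adjusted to the actual reason.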
@@ -156,6 +159,9 @@ Package %{name}-doc contains the MyProxy documentation.
%prep
%setup -q
+%patch -P0 -p3
+%patch -P1 -p3
+%patch -P2 -p3
%build
# Reduce overlinking
@@ -317,6 +323,10 @@ rm %{buildroot}%{_sbindir}/myproxy-server-setup
%license LICENSE*
%changelog
+* Sun Jun 14 2026 Mattias Ellert <mattias.ellert@physics.uu.se> - 6.2.20-4
+- Compile with OpenSSL 4
+- Fix compiler warnings
+
* Fri Jun 12 2026 Yaakov Selkowitz <yselkowi@redhat.com> - 6.2.20-3
- Rebuilt for openssl 4.0