pam_ksu: Proactively address MIT KRB5 build failure

MIT KRB5 does not provide a krb5_make_principal() function. We need to
provide this ourselves for now. We provide the function for now while
MIT and Heimdal are both in the tree. When Heimdal is removed we can
inline the calls to krb5_get_default_realm() and
krb5_build_principal_va(). krb5_build_principal_va() is
deprecated in MIT KRB5. Its replacement, krb5_build_principal_alloc_va()
will be used instead at that time.

Sponsored by:		The FreeBSD Foundation
Differential revision:	https://reviews.freebsd.org/D50808

lib/libpam/modules/pam_ksu/Makefile

@@ -25,10 +25,21 @@
 
 PACKAGE=	kerberos
 
+.include <src.opts.mk>
+
 LIB=	pam_ksu
 SRCS=	pam_ksu.c
 MAN=	pam_ksu.8
+WARNS?=	3
 
 LIBADD+=	krb5
 
+.if ${MK_MITKRB5} != "no"
+WARNS=	2
+CFLAGS+=	-I${SRCTOP}/crypto/krb5/src/include
+CFLAGS+=	-I${SRCTOP}/krb5/include
+CFLAGS+=	-include ${SRCTOP}/crypto/krb5/src/include/k5-int.h
+CFLAGS+=	-DMK_MITKRB5=yes
+.endif
+
 .include <bsd.lib.mk>

lib/libpam/modules/pam_ksu/pam_ksu.c

@@ -48,6 +48,61 @@ static long	get_su_principal(krb5_context, const char *, const char *,
 static int	auth_krb5(pam_handle_t *, krb5_context, const char *,
 		    krb5_principal);
 
+#ifdef MK_MITKRB5
+/* For MIT KRB5 only. */
+
+/*
+ * XXX This entire module will need to be rewritten when heimdal
+ * XXX compatidibility is no longer needed.
+ */
+#define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_"
+#define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT
+
+/*
+ * XXX We will replace krb5_build_principal_va() with
+ * XXX krb5_build_principal_alloc_va() when Heimdal is finally
+ * XXX removed.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_build_principal_va(krb5_context context,
+			krb5_principal princ,
+			unsigned int rlen,
+			const char *realm,
+			va_list ap);
+typedef char *heim_general_string;
+typedef heim_general_string Realm;
+typedef Realm krb5_realm;
+typedef const char *krb5_const_realm;
+
+static krb5_error_code
+krb5_make_principal(krb5_context context, krb5_principal principal,
+	krb5_const_realm realm, ...)
+{
+	krb5_error_code rc;
+	va_list ap;
+	if (realm == NULL) {
+		krb5_realm temp_realm = NULL;
+		if ((rc = krb5_get_default_realm(context, &temp_realm)))
+			return (rc);
+		realm=temp_realm;
+		if (temp_realm)
+			free(temp_realm);
+	}
+	va_start(ap, realm);
+	/*
+	 * XXX Ideally we should be using krb5_build_principal_alloc_va()
+	 * XXX here because krb5_build_principal_va() is deprecated. But,
+	 * XXX this would require changes elsewhere in the calling code
+	 * XXX to call krb5_free_principal() elsewhere to free the
+	 * XXX principal. We can do that after Heimdal is removed from
+	 * XXX our tree.
+	 */
+	rc = krb5_build_principal_va(context, principal, strlen(realm), realm, ap);
+	va_end(ap);
+	return (rc);
+}
+#endif
+
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
     int argc __unused, const char *argv[] __unused)
@@ -217,7 +272,13 @@ get_su_principal(krb5_context context, const char *target_user, const char *curr
 	if (rv != 0)
 		return (errno);
 	if (default_principal == NULL) {
+#ifdef MK_MITKRB5
+		/* For MIT KRB5. */
+		rv = krb5_make_principal(context, default_principal, NULL, current_user, NULL);
+#else
+		/* For Heimdal. */
 		rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL);
+#endif
 		if (rv != 0) {
 			PAM_LOG("Could not determine default principal name.");
 			return (rv);