File support-1-8.dif of Package krb5-plugin-preauth-pkinit-nss

Index: pkinit-nss-0.7.8-1/backport-1.8/krb5/preauth_plugin.h
===================================================================
--- /dev/null
+++ pkinit-nss-0.7.8-1/backport-1.8/krb5/preauth_plugin.h
@@ -0,0 +1,525 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * <krb5/preauth_plugin.h>
+ *
+ * Copyright (c) 2006 Red Hat, Inc.
+ * Portions copyright (c) 2006 Massachusetts Institute of Technology
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *  * Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *  * Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *  * Neither the name of Red Hat, Inc., nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Preauthentication plugin definitions for Kerberos 5.
+ */
+
+#ifndef KRB5_PREAUTH_PLUGIN_H_INCLUDED
+#define KRB5_PREAUTH_PLUGIN_H_INCLUDED
+#include <krb5/krb5.h>
+
+/*
+ * While arguments of these types are passed-in, for the most part a preauth
+ * module can treat them as opaque.  If we need keying data, we can ask for
+ * it directly.
+ */
+struct _krb5_db_entry_new;
+struct _krb5_key_data;
+struct _krb5_preauth_client_rock;
+
+/*
+ * Preauth mechanism property flags, unified from previous definitions in the
+ * KDC and libkrb5 sources.
+ */
+
+/* Provides a real answer which we can send back to the KDC (client-only).  The
+ * client assumes that one real answer will be enough. */
+#define PA_REAL         0x00000001
+
+/* Doesn't provide a real answer, but must be given a chance to run before any
+ * REAL mechanism callbacks (client-only). */
+#define PA_INFO         0x00000002
+
+/* Causes the KDC to include this mechanism in a list of supported preauth
+ * types if the user's DB entry flags the user as requiring hardware-based
+ * preauthentication (server-only). */
+#define PA_HARDWARE     0x00000004
+
+/* Causes the KDC to include this mechanism in a list of supported preauth
+ * types if the user's DB entry flags the user as requiring preauthentication,
+ * and to fail preauthentication if we can't verify the client data.  The
+ * flipside of PA_SUFFICIENT (server-only). */
+#define PA_REQUIRED     0x00000008
+
+/* Causes the KDC to include this mechanism in a list of supported preauth
+ * types if the user's DB entry flags the user as requiring preauthentication,
+ * and to mark preauthentication as successful if we can verify the client
+ * data.  The flipside of PA_REQUIRED (server-only). */
+#define PA_SUFFICIENT   0x00000010
+
+/* Marks this preauthentication mechanism as one which changes the key which is
+ * used for encrypting the response to the client.  Modules which have this
+ * flag have their server_return_proc called before modules which do not, and
+ * are passed over if a previously-called module has modified the encrypting
+ * key (server-only). */
+#define PA_REPLACES_KEY 0x00000020
+
+/* Causes the KDC to check with this preauthentication module even if the
+ * client has no entry in the realm database.  If the module returns a success
+ * code, continue processing and assume that its return_padata callback will
+ * supply us with a key for encrypting the AS reply (server-only). */
+/* #define PA_VIRTUAL   (0x00000040 | PA_REPLACES_KEY) */
+
+/* Not really a padata type, so don't include it in any list of preauth types
+ * which gets sent over the wire. */
+#define PA_PSEUDO       0x00000080
+
+
+/***************************************************************************
+ *
+ * Client-side preauthentication plugin interface definition.
+ *
+ ***************************************************************************/
+
+/*
+ * A callback which will obtain the user's long-term AS key by prompting the
+ * user for the password, then salting it properly, and so on.  For the moment,
+ * it's identical to the get_as_key callback used inside of libkrb5, but we
+ * define a new typedef here instead of making the existing one public to
+ * isolate ourselves from potential future changes.
+ */
+typedef krb5_error_code
+(*preauth_get_as_key_proc)(krb5_context,
+                           krb5_principal,
+                           krb5_enctype,
+                           krb5_prompter_fct,
+                           void *prompter_data,
+                           krb5_data *salt,
+                           krb5_data *s2kparams,
+                           krb5_keyblock *as_key,
+                           void *gak_data);
+
+/*
+ * A client module's callback functions are allowed to request various
+ * information to enable it to process a request.
+ */
+enum krb5plugin_preauth_client_request_type {
+    /* The returned krb5_data item holds the enctype expected to be  used to encrypt the
+     * encrypted portion of the AS_REP packet. When handling a
+     * PREAUTH_REQUIRED error, this typically comes from etype-info2.
+     * When handling an AS reply, it is initialized from the AS reply itself.*/
+    krb5plugin_preauth_client_get_etype = 1,
+    /* Free the data returned from krb5plugin_preauth_client_req_get_etype */
+    krb5plugin_preauth_client_free_etype = 2,
+    /* The returned krb5_data contains the FAST armor key in a
+     * krb5_keyblock.  Returns success with a NULL data item in the
+     * krb5_data if the client library supports FAST but is not using it.*/
+    krb5plugin_preauth_client_fast_armor = 3,
+    /* Frees return from KRB5PLUGIN_PREAUTH_CLIENT_FAST_ARMOR.  It is
+     * acceptable to set data to NULL and free the keyblock using
+     * krb5_free_keyblock; in that case, this frees the krb5_data
+     * only.*/
+    krb5plugin_preauth_client_free_fast_armor = 4
+};
+typedef krb5_error_code
+(*preauth_get_client_data_proc)(krb5_context,
+                                struct _krb5_preauth_client_rock *,
+                                krb5_int32 request_type,
+                                krb5_data **);
+
+/* Per-plugin initialization/cleanup.  The init function is called
+ * by libkrb5 when the plugin is loaded, and the fini function is
+ * called before the plugin is unloaded.  Both are optional and
+ * may be called multiple times in case the plugin is used in
+ * multiple contexts.  The returned context lives the lifetime of
+ * the krb5_context */
+typedef krb5_error_code
+(*preauth_client_plugin_init_proc)(krb5_context context,
+                                   void **plugin_context);
+typedef void
+(*preauth_client_plugin_fini_proc)(krb5_context context,
+                                   void *plugin_context);
+
+/* A callback which returns flags indicating if the module is a "real" or
+ * an "info" mechanism, and so on.  This function is called for each entry
+ * in the client_pa_type_list. */
+typedef int
+(*preauth_client_get_flags_proc)(krb5_context context,
+                                 krb5_preauthtype pa_type);
+
+/* Per-request initialization/cleanup.  The request_init function is
+ * called when beginning to process a get_init_creds request and the
+ * request_fini function is called when processing of the request is
+ * complete.  This is optional.  It may be called multiple times in
+ * the lifetime of a krb5_context. */
+typedef void
+(*preauth_client_request_init_proc)(krb5_context context,
+                                    void *plugin_context,
+                                    void **request_context);
+typedef void
+(*preauth_client_request_fini_proc)(krb5_context context,
+                                    void *plugin_context,
+                                    void *request_context);
+
+/* Client function which processes server-supplied data in pa_data,
+ * returns created data in out_pa_data, storing any of its own state in
+ * client_context if data for the associated preauthentication type is
+ * needed.  It is also called after the AS-REP is received if the AS-REP
+ * includes preauthentication data of the associated type.
+ * NOTE! the encoded_previous_request will be NULL the first time this
+ * function is called, because it is expected to only ever contain the data
+ * obtained from a previous call to this function. */
+typedef krb5_error_code
+(*preauth_client_process_proc)(krb5_context context,
+                               void *plugin_context,
+                               void *request_context,
+                               krb5_get_init_creds_opt *opt,
+                               preauth_get_client_data_proc get_data_proc,
+                               struct _krb5_preauth_client_rock *rock,
+                               krb5_kdc_req *request,
+                               krb5_data *encoded_request_body,
+                               krb5_data *encoded_previous_request,
+                               krb5_pa_data *pa_data,
+                               krb5_prompter_fct prompter,
+                               void *prompter_data,
+                               preauth_get_as_key_proc gak_fct,
+                               void *gak_data,
+                               krb5_data *salt,
+                               krb5_data *s2kparams,
+                               krb5_keyblock *as_key,
+                               krb5_pa_data ***out_pa_data);
+
+/* Client function which can attempt to use e-data in the error response to
+ * try to recover from the given error.  If this function is not NULL, and
+ * it stores data in out_pa_data which is different data from the contents
+ * of in_pa_data, then the client library will retransmit the request. */
+typedef krb5_error_code
+(*preauth_client_tryagain_proc)(krb5_context context,
+                                void *plugin_context,
+                                void *request_context,
+                                krb5_get_init_creds_opt *opt,
+                                preauth_get_client_data_proc get_data_proc,
+                                struct _krb5_preauth_client_rock *rock,
+                                krb5_kdc_req *request,
+                                krb5_data *encoded_request_body,
+                                krb5_data *encoded_previous_request,
+                                krb5_pa_data *in_pa_data,
+                                krb5_error *error,
+                                krb5_prompter_fct prompter,
+                                void *prompter_data,
+                                preauth_get_as_key_proc gak_fct,
+                                void *gak_data,
+                                krb5_data *salt,
+                                krb5_data *s2kparams,
+                                krb5_keyblock *as_key,
+                                krb5_pa_data ***out_pa_data);
+
+/*
+ * Client function which receives krb5_get_init_creds_opt information.
+ * The attr and value information supplied should be copied locally by
+ * the module if it wishes to reference it after returning from this call.
+ */
+typedef krb5_error_code
+(*preauth_client_supply_gic_opts_proc)(krb5_context context,
+                                       void *plugin_context,
+                                       krb5_get_init_creds_opt *opt,
+                                       const char *attr,
+                                       const char *value);
+
+/*
+ * The function table / structure which a preauth client module must export as
+ * "preauthentication_client_0".  If the interfaces work correctly, future
+ * versions of the table will add either more callbacks or more arguments to
+ * callbacks, and in both cases we'll be able to wrap the v0 functions.
+ */
+typedef struct krb5plugin_preauth_client_ftable_v1 {
+    /* Not-usually-visible name. */
+    char *name;
+
+    /* Pointer to zero-terminated list of pa_types which this module can
+     * provide services for. */
+    krb5_preauthtype *pa_type_list;
+
+    /* Pointer to zero-terminated list of enc_types which this module claims
+     * to add support for. */
+    krb5_enctype *enctype_list;
+
+    /* Per-plugin initialization/cleanup.  The init function is called
+     * by libkrb5 when the plugin is loaded, and the fini function is
+     * called before the plugin is unloaded.  Both are optional and
+     * may be called multiple times in case the plugin is used in
+     * multiple contexts.  The returned context lives the lifetime of
+     * the krb5_context */
+    preauth_client_plugin_init_proc init;
+    preauth_client_plugin_fini_proc fini;
+
+    /* A callback which returns flags indicating if the module is a "real" or
+     * an "info" mechanism, and so on.  This function is called for each entry
+     * in the client_pa_type_list. */
+    preauth_client_get_flags_proc flags;
+
+    /* Per-request initialization/cleanup.  The request_init function is
+     * called when beginning to process a get_init_creds request and the
+     * request_fini function is called when processing of the request is
+     * complete.  This is optional.  It may be called multiple times in
+     * the lifetime of a krb5_context. */
+    preauth_client_request_init_proc request_init;
+    preauth_client_request_fini_proc request_fini;
+
+    /* Client function which processes server-supplied data in pa_data,
+     * returns created data in out_pa_data, storing any of its own state in
+     * client_context if data for the associated preauthentication type is
+     * needed.  It is also called after the AS-REP is received if the AS-REP
+     * includes preauthentication data of the associated type.
+     * NOTE! the encoded_previous_request will be NULL the first time this
+     * function is called, because it is expected to only ever contain the data
+     * obtained from a previous call to this function. */
+    preauth_client_process_proc process;
+
+    /* Client function which can attempt to use e-data in the error response to
+     * try to recover from the given error.  If this function is not NULL, and
+     * it stores data in out_pa_data which is different data from the contents
+     * of in_pa_data, then the client library will retransmit the request. */
+    preauth_client_tryagain_proc tryagain;
+
+    /*
+     * Client function which receives krb5_get_init_creds_opt information.
+     * The attr and value information supplied should be copied locally by
+     * the module if it wishes to reference it after returning from this call.
+     */
+    preauth_client_supply_gic_opts_proc gic_opts;
+
+} krb5plugin_preauth_client_ftable_v1;
+
+
+/***************************************************************************
+ *
+ * Server-side preauthentication plugin interface definition.
+ *
+ ***************************************************************************/
+
+/*
+ * A server module's callback functions are allowed to request specific types
+ * of information about the given client or server record or request, even
+ * though the database records themselves are opaque to the module.
+ */
+enum krb5plugin_preauth_entry_request_type {
+    /* The returned krb5_data item holds a DER-encoded X.509 certificate. */
+    krb5plugin_preauth_entry_request_certificate = 1,
+    /* The returned krb5_data_item holds a krb5_deltat. */
+    krb5plugin_preauth_entry_max_time_skew = 2,
+    /* The returned krb5_data_item holds an array of krb5_keyblock structures,
+     * terminated by an entry with key type = 0.
+     * Each keyblock should have its contents freed in turn, and then the data
+     * item itself should be freed. */
+    krb5plugin_preauth_keys = 3,
+    /* The returned krb5_data_item holds the request structure, re-encoded
+     * using DER.  Unless the client implementation is the same as the server
+     * implementation, there's a good chance that the result will not match
+     * what the client sent, so don't go creating any fatal errors if it
+     * doesn't match up. */
+    krb5plugin_preauth_request_body = 4,
+    /* The returned krb5_data contains a krb5_keyblock with the FAST
+       armor key.  The data member is NULL if this method is not part
+       of a FAST tunnel */
+    krb5plugin_preauth_fast_armor = 5,
+    /* Frees a fast armor key; it is acceptable to set data to NULL
+       and free the keyblock using krb5_free_keyblock; in that  case,
+       this function simply frees the data*/
+    krb5plugin_preauth_free_fast_armor = 6
+};
+
+typedef krb5_error_code
+(*preauth_get_entry_data_proc)(krb5_context,
+                               krb5_kdc_req *,
+                               struct _krb5_db_entry_new *,
+                               krb5_int32 request_type,
+                               krb5_data **);
+
+/* Preauth plugin initialization function */
+typedef krb5_error_code
+(*preauth_server_init_proc)(krb5_context context,
+                            void **plugin_context,
+                            const char** realmnames);
+
+/* Preauth plugin cleanup function */
+typedef void
+(*preauth_server_fini_proc)(krb5_context context, void *plugin_context);
+
+/* Return the flags which the KDC should use for this module.  This is a
+ * callback instead of a static value because the module may or may not
+ * wish to count itself as a hardware preauthentication module (in other
+ * words, the flags may be affected by the configuration, for example if a
+ * site administrator can force a particular preauthentication type to be
+ * supported using only hardware).  This function is called for each entry
+ * entry in the server_pa_type_list. */
+typedef int
+(*preauth_server_flags_proc)(krb5_context context, krb5_preauthtype patype);
+
+/* Get preauthentication data to send to the client as part of the "you
+ * need to use preauthentication" error.  The module doesn't need to
+ * actually provide data if the protocol doesn't require it, but it should
+ * return either zero or non-zero to control whether its padata type is
+ * included in the list which is sent back to the client.  Is not allowed
+ * to create a context because we have no guarantee that the client will
+ * ever call again (or that it will hit this server if it does), in which
+ * case a context might otherwise hang around forever. */
+typedef krb5_error_code
+(*preauth_server_edata_proc)(krb5_context,
+                             krb5_kdc_req *request,
+                             struct _krb5_db_entry_new *client,
+                             struct _krb5_db_entry_new *server,
+                             preauth_get_entry_data_proc,
+                             void *pa_module_context,
+                             krb5_pa_data *data);
+
+/* Verify preauthentication data sent by the client, setting the
+ * TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
+ * field as appropriate, and returning nonzero on failure.  Can create
+ * context data for consumption by the return_proc or freepa_proc below. */
+typedef krb5_error_code
+(*preauth_server_verify_proc)(krb5_context context,
+                              struct _krb5_db_entry_new *client,
+                              krb5_data *req_pkt,
+                              krb5_kdc_req *request,
+                              krb5_enc_tkt_part *enc_tkt_reply,
+                              krb5_pa_data *data,
+                              preauth_get_entry_data_proc,
+                              void *pa_module_context,
+                              void **pa_request_context,
+                              krb5_data **e_data,
+                              krb5_authdata ***authz_data);
+
+/* Generate preauthentication response data to send to the client as part
+ * of the AS-REP.  If it needs to override the key which is used to encrypt
+ * the response, it can do so.  The module is expected (but not required,
+ * if a preauth_server_free_reqcontext_proc is also provided) to free any
+ * context data it saved in "pa_request_context". */
+typedef krb5_error_code
+(*preauth_server_return_proc)(krb5_context context,
+                              krb5_pa_data * padata,
+                              struct _krb5_db_entry_new *client,
+                              krb5_data *req_pkt,
+                              krb5_kdc_req *request,
+                              krb5_kdc_rep *reply,
+                              struct _krb5_key_data *client_keys,
+                              krb5_keyblock *encrypting_key,
+                              krb5_pa_data **send_pa,
+                              preauth_get_entry_data_proc,
+                              void *pa_module_context,
+                              void **pa_request_context);
+
+/* Free up the server-side per-request context, in cases where
+ * server_return_proc() didn't or for whatever reason was not called.
+ * Can be NULL. */
+typedef krb5_error_code
+(*preauth_server_free_reqcontext_proc)(krb5_context,
+                                       void *pa_module_context,
+                                       void **request_pa_context);
+
+/*
+ * The function table / structure which a preauth server module must export as
+ * "preauthentication_server_0".  NOTE: replace "0" with "1" for the type and
+ * variable names if this gets picked up by upstream.  If the interfaces work
+ * correctly, future versions of the table will add either more callbacks or
+ * more arguments to callbacks, and in both cases we'll be able to wrap the v0
+ * functions.
+ */
+typedef struct krb5plugin_preauth_server_ftable_v1 {
+    /* Not-usually-visible name. */
+    char *name;
+
+    /* Pointer to zero-terminated list of pa_types which this module can
+     * provide services for. */
+    krb5_preauthtype *pa_type_list;
+
+    /* Per-plugin initialization/cleanup.  The init function is called by the
+     * KDC when the plugin is loaded, and the fini function is called before
+     * the plugin is unloaded.  Both are optional. */
+    preauth_server_init_proc init_proc;
+    preauth_server_fini_proc fini_proc;
+
+    /* Return the flags which the KDC should use for this module.  This is a
+     * callback instead of a static value because the module may or may not
+     * wish to count itself as a hardware preauthentication module (in other
+     * words, the flags may be affected by the configuration, for example if a
+     * site administrator can force a particular preauthentication type to be
+     * supported using only hardware).  This function is called for each entry
+     * entry in the server_pa_type_list. */
+    preauth_server_flags_proc flags_proc;
+
+    /* Get preauthentication data to send to the client as part of the "you
+     * need to use preauthentication" error.  The module doesn't need to
+     * actually provide data if the protocol doesn't require it, but it should
+     * return either zero or non-zero to control whether its padata type is
+     * included in the list which is sent back to the client.  Is not allowed
+     * to create a context because we have no guarantee that the client will
+     * ever call again (or that it will hit this server if it does), in which
+     * case a context might otherwise hang around forever. */
+    preauth_server_edata_proc edata_proc;
+
+    /* Verify preauthentication data sent by the client, setting the
+     * TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
+     * field as appropriate, and returning nonzero on failure.  Can create
+     * context data for consumption by the return_proc or freepa_proc below. */
+    preauth_server_verify_proc verify_proc;
+
+    /* Generate preauthentication response data to send to the client as part
+     * of the AS-REP.  If it needs to override the key which is used to encrypt
+     * the response, it can do so.  The module is expected (but not required,
+     * if a freepa_proc is also provided) to free any context data it saved in
+     * "request_pa_context". */
+    preauth_server_return_proc return_proc;
+
+    /* Free up the server-side per-request context, in cases where
+     * server_return_proc() didn't or for whatever reason was not called.
+     * Can be NULL. */
+    preauth_server_free_reqcontext_proc freepa_reqcontext_proc;
+
+} krb5plugin_preauth_server_ftable_v1;
+
+
+/*
+ * This function allows a preauth plugin to obtain preauth
+ * options.  The preauth_data returned from this function
+ * should be freed by calling krb5_get_init_creds_opt_free_pa().
+ *
+ * The 'opt' pointer supplied to this function must have been
+ * obtained using krb5_get_init_creds_opt_alloc()
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_get_pa(krb5_context context,
+                               krb5_get_init_creds_opt *opt,
+                               int *num_preauth_data,
+                               krb5_gic_opt_pa_data **preauth_data);
+
+/*
+ * This function frees the preauth_data that was returned by
+ * krb5_get_init_creds_opt_get_pa().
+ */
+void KRB5_CALLCONV
+krb5_get_init_creds_opt_free_pa(krb5_context context,
+                                int num_preauth_data,
+                                krb5_gic_opt_pa_data *preauth_data);
+
+#endif /* KRB5_PREAUTH_PLUGIN_H_INCLUDED */
Index: pkinit-nss-0.7.8-1/configure.ac
===================================================================
--- pkinit-nss-0.7.8-1.orig/configure.ac
+++ pkinit-nss-0.7.8-1/configure.ac
@@ -63,7 +63,7 @@ AC_CHECK_DECLS(KRB5KDC_ERR_SVC_UNAVAILAB
 AC_ARG_WITH(krb5-version,[AS_HELP_STRING([--with-krb5-version=AUTO],[Attempt to build for a specified version of MIT Kerberos.])],krb5_version=$withval,krb5_version=AUTO)
 if test "x$krb5_version" = xAUTO ; then
 	AC_MSG_RESULT([Using backport preauth plugin header support.])
-	AC_MSG_CHECKING([whether this is Kerberos 1.5, 1.6, 1.6.1/1.6.2, 1.6.3/1.6.4, 1.7])
+	AC_MSG_CHECKING([whether this is Kerberos 1.5, 1.6, 1.6.1/1.6.2, 1.6.3/1.6.4, 1.7, 1.8/1.8.1/1.8.2/1.8.3])
 dnl	if test x$ac_cv_have_decl_KRB5KDC_ERR_SVC_UNAVAILABLE = xyes ; then
 dnl		AC_MSG_RESULT([looks like 1.6.3.])
 dnl		krb5_version=1.6.3
@@ -88,7 +88,18 @@ dnl		krb5_version=1.6
 		elif test "$krb5_version" = 1.7 ; then
 			AC_MSG_RESULT([looks like 1.7.])
 			krb5_version=1.7
-		else
+		elif test "$krb5_version" = 1.8 ; then
+			AC_MSG_RESULT([looks like 1.8 or 1.8.1.])
+		elif test "$krb5_version" = 1.8.1 ; then
+			AC_MSG_RESULT([looks like 1.8 or 1.8.1.])
+			krb5_version=1.8
+		elif test "$krb5_version" = 1.8.2 ; then
+			AC_MSG_RESULT([looks like 1.8.2.])
+			krb5_version=1.8
+		elif test "$krb5_version" = 1.8.3 ; then
+			AC_MSG_RESULT([looks like 1.8.3.])
+			krb5_version=1.8
+	else
 			AC_MSG_RESULT([looks like ${krb5_version}.])
 		fi
 	else
@@ -99,6 +110,14 @@ else
 	AC_MSG_RESULT([Requested build for $krb5_version.])
 fi
 case "$krb5_version" in
+	1.8)
+		AC_MSG_RESULT([Building for Kerberos 1.8.])
+		if test x$ac_cv_header_krb5_preauth_plugin_h = xno ; then
+			BACKPORT_CPPFLAGS='-I$(top_srcdir)/backport-1.8'
+		fi
+		AC_DEFINE(BACKPORT_INTERFACE_1,1,[Define if version 1 of the preauth plugin interface should be implemented.])
+		AC_DEFINE(BACKPORT_INTERFACE_1_HAS_FAST,1,[Define if the plugin interface includes information about whether or not FAST is in use.])
+		;;
 	1.7)
 		AC_MSG_RESULT([Building for Kerberos 1.7.])
 		if test x$ac_cv_header_krb5_preauth_plugin_h = xno ; then
openSUSE Build Service is sponsored by