authormp153739 <none@none>2007-08-06 15:02:44 -0700
committermp153739 <none@none>2007-08-06 15:02:44 -0700
commitfe598cdcd847f8359013532d5c691bb6190378c0 (patch)
treeb00ec16531c0afbb070116ea5bdfb70703ce3e76 /usr/src/uts/common
parentf48068addb8865f9338d23ffbe1043e369df37a1 (diff)
PSARC/2006/690 Kerberos client configuration improvements
6496710 enable dns_lookup_kdc by default
6499339 krb zero conf needs better realm lookup logic
6523887 krb should support client side referrals
6528391 krb5.conf should not be delivered in a misconfigured state
Diffstat (limited to 'usr/src/uts/common')
-rw-r--r--usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h94
-rw-r--r--usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h26
-rw-r--r--usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_princ.c26
-rw-r--r--usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/parse.c8
4 files changed, 105 insertions, 49 deletions
diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h b/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h
index 8fa321886f..970c5a2ac6 100644
--- a/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h
+++ b/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h
@@ -4,41 +4,46 @@
*/
/*
- * Copyright (C) 1989-1995 by the Massachusetts Institute of Technology,
+ * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006 by the Massachusetts Institute of Technology,
* Cambridge, MA, USA. All Rights Reserved.
- *
- * This software is being provided to you, the LICENSEE, by the
- * Massachusetts Institute of Technology (M.I.T.) under the following
- * license. By obtaining, using and/or copying this software, you agree
- * that you have read, understood, and will comply with these terms and
- * conditions:
- *
+ *
+ * This software is being provided to you, the LICENSEE, by the
+ * Massachusetts Institute of Technology (M.I.T.) under the following
+ * license. By obtaining, using and/or copying this software, you agree
+ * that you have read, understood, and will comply with these terms and
+ * conditions:
+ *
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
- * this software and its documentation for any purpose and without fee or
- * royalty is hereby granted, provided that you agree to comply with the
- * following copyright notice and statements, including the disclaimer, and
- * that the same appear on ALL copies of the software and documentation,
- * including modifications that you make for internal use or for
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
+ * this software and its documentation for any purpose and without fee or
+ * royalty is hereby granted, provided that you agree to comply with the
+ * following copyright notice and statements, including the disclaimer, and
+ * that the same appear on ALL copies of the software and documentation,
+ * including modifications that you make for internal use or for
* distribution:
- *
- * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
- * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
- * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
- * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
- * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
- * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
- *
- * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
- * be used in advertising or publicity pertaining to distribution of the
- * software. Title to copyright in this software and any associated
- * documentation shall at all times remain with M.I.T., and USER agrees to
+ *
+ * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
+ * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
+ * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
+ * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
+ * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
+ *
+ * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
+ * be used in advertising or publicity pertaining to distribution of the
+ * software. Title to copyright in this software and any associated
+ * documentation shall at all times remain with M.I.T., and USER agrees to
* preserve same.
+ *
+ * Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
*/
+
/*
* Copyright (C) 1998 by the FundsXpress, INC.
*
@@ -257,6 +262,13 @@ struct sockaddr;
/* Get mutex support; currently used only for the replay cache. */
#include "k5-thread.h"
+/*
+ * Solaris Kerberos:
+ * Define whether or not to do a reverse lookup when looking up a host in DNS.
+ */
+#define REV_LOOKUP 1
+#define NO_REV_LOOKUP 0
+
/* krb5/krb5.h includes many other .h files in the krb5 subdirectory.
The ones that it doesn't include, we include below. */
@@ -648,6 +660,18 @@ krb5_error_code krb5_write_message
krb5_error_code krb5int_get_fq_local_hostname (char *, size_t);
+/*
+ * Solaris Kerberos
+ * The following two functions are needed for better realm
+ * determination based on the DNS domain name.
+ */
+krb5_error_code krb5int_lookup_host(int , const char *, char **);
+
+krb5_error_code krb5int_domain_get_realm(krb5_context, const char *,
+ char **);
+krb5_error_code krb5int_fqdn_get_realm(krb5_context, const char *,
+ char **);
+
krb5_error_code krb5_os_init_context
(krb5_context);
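Review bot: The three new prototypes (krb5int_lookup_host and the two *_get_realm declarations) leave every parameter unnamed, so the header says nothing about what the leading `int` of krb5int_lookup_host selects — presumably the REV_LOOKUP/NO_REV_LOOKUP pair added earlier in this file — or who owns the string returned through `char **`. Naming the parameters and stating ownership makes these usable without reading the definitions, e.g. `krb5_error_code krb5int_lookup_host(int reverse_lookup, const char *host, char **result);` preceded by `/* *result is allocated for the caller to free — confirm against the definition */`, since the implementation is not in this diff. The stray space in `(int ,` should go at the same time.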
@@ -2230,5 +2254,21 @@ krb5_boolean KRB5_CALLCONV is_in_keytype
* Use krb5_getuid() to select the mechanism to obtain the uid.
*/
extern uid_t krb5_getuid();
+/*
+ * Referral definitions, debugging hooks, and subfunctions.
+ */
+#define KRB5_REFERRAL_MAXHOPS 5
+/* #define DEBUG_REFERRALS */
+
+#ifdef DEBUG_REFERRALS
+void krb5int_dbgref_dump_principal(char *, krb5_principal);
+#endif
+
+/* Common hostname-parsing code. */
+krb5_error_code KRB5_CALLCONV krb5int_clean_hostname
+ (krb5_context,
+ const char *,
+ char *,
+ size_t);
#endif /* _KRB5_INT_H */
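Review bot: `#define KRB5_REFERRAL_MAXHOPS 5` carries no comment on what it bounds, yet by its name it is the limit on how many KDC referrals one request will follow, which is what stops a misconfigured or misbehaving KDC from sending a client around a referral loop indefinitely. A sentence above it such as `/* Maximum KDC referrals followed for a single request; bounds referral loops. */` would record that intent, to be confirmed against the code that consumes it, which is outside this diff. The commented-out `/* #define DEBUG_REFERRALS */` toggle should likewise note that krb5int_dbgref_dump_principal exists only when it is defined, so nobody calls it from non-debug code.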
diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h b/usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h
index a49e204c12..31255ca355 100644
--- a/usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h
+++ b/usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -25,14 +25,14 @@
/*
* include/krb5.h
*
- * Copyright 1989,1990,1995 by the Massachusetts Institute of Technology.
+ * Copyright 1989,1990,1995,2001, 2003 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -326,6 +326,16 @@ typedef const krb5_principal_data *krb5_const_principal;
: NULL)
/*
+ * Constants for realm referrals.
+ */
+#define KRB5_REFERRAL_REALM ""
+
+/*
+ * Referral-specific functions.
+ */
+krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *);
+
+/*
* end "base-defs.h"
*/
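Review bot: `#define KRB5_REFERRAL_REALM ""` turns the empty string into a magic value without saying what it means or how to test for it. The comment should state that a principal with a zero-length realm is presumably one whose realm the KDC is asked to resolve, and that krb5_is_referral_realm() is the intended test, e.g. `/* The referral realm: a zero-length realm defers realm resolution to the KDC. Use krb5_is_referral_realm(), not a length check. */`. Because this change also makes the empty realm parse successfully, any code that compares realms purely by content would treat two empty realms as equal; that is inferred, as such callers are not in this diff.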
@@ -636,6 +646,9 @@ krb5_error_code KRB5_CALLCONV
#define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID 26
#define KRB5_KEYUSAGE_PA_SAM_RESPONSE 27
+/* Defined in KDC referrals draft */
+#define KRB5_KEYUSAGE_PA_REFERRAL 26 /* XXX note conflict with above */
+
krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype
(krb5_enctype ktype);
krb5_boolean KRB5_CALLCONV krb5_c_valid_cksumtype
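Review bot: `#define KRB5_KEYUSAGE_PA_REFERRAL 26` reuses the value that KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID already holds on the line above, and the `XXX` comment records the clash without resolving it. Key usage numbers exist so that each use of a long-term key derives a distinct key; two uses sharing 26 lose that separation, so ciphertext produced for one context is valid in the other. If the referral draft really assigns 26, the comment should say so and cite the draft, and the collision should be tracked under a bug number rather than left as a bare XXX, e.g. `/* Draft KDC referrals value; collides with PA_SAM_CHALLENGE_TRACKID (tracked in <BUG-ID placeholder>) */`.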
@@ -707,7 +720,7 @@ size_t KRB5_CALLCONV krb5_checksum_size
/* #define KDC_OPT_RESERVED 0x00080000 */
/* #define KDC_OPT_RESERVED 0x00040000 */
#define KDC_OPT_REQUEST_ANONYMOUS 0x00020000
-/* #define KDC_OPT_RESERVED 0x00010000 */
+#define KDC_OPT_CANONICALIZE 0x00010000
/* #define KDC_OPT_RESERVED 0x00008000 */
/* #define KDC_OPT_RESERVED 0x00004000 */
/* #define KDC_OPT_RESERVED 0x00002000 */
@@ -892,6 +905,7 @@ size_t KRB5_CALLCONV krb5_checksum_size
#define KRB5_PADATA_PK_AS_REQ 14 /* PKINIT */
#define KRB5_PADATA_PK_AS_REP 15 /* PKINIT */
#define KRB5_PADATA_ETYPE_INFO2 19
+#define KRB5_PADATA_REFERRAL 25 /* draft referral system */
#define KRB5_PADATA_SAM_CHALLENGE_2 30 /* draft challenge system, updated */
#define KRB5_PADATA_SAM_RESPONSE_2 31 /* draft challenge system, updated */
@@ -2320,6 +2334,10 @@ krb5_error_code KRB5_CALLCONV krb5_get_host_realm
(krb5_context,
const char *,
char *** );
+krb5_error_code KRB5_CALLCONV krb5_get_fallback_host_realm
+ (krb5_context,
+ krb5_data *,
+ char *** );
krb5_error_code KRB5_CALLCONV krb5_free_host_realm
(krb5_context,
char * const * );
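Review bot: krb5_get_fallback_host_realm takes its host name as a non-const `krb5_data *` while krb5_get_host_realm directly above takes `const char *`; unless the implementation, which is not in this diff, writes into the data, `const krb5_data *` would document that the input is untouched and let callers pass principal components without a cast. The declaration should also say how the returned `char ***` list is released; the adjacent krb5_free_host_realm is presumably the counterpart, and a one-line comment naming it would settle that for callers.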
diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_princ.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_princ.c
index 8792a03e38..c71dea8cbc 100644
--- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_princ.c
+++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_princ.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -95,20 +95,18 @@ krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_pri
* realm and principle component strings alway leave a null byte after
* 'length' bytes that needs to be malloc/freed.
*/
- if (tempprinc->realm.length) {
- tempprinc->realm.data = MALLOC(tempprinc->realm.length + 1);
- if (!tempprinc->realm.data) {
- for (i = 0; i < nelems; i++)
- FREE(krb5_princ_component(context, tempprinc, i)->data,
- krb5_princ_component(context, inprinc, i)->length + 1);
- FREE(tempprinc->data, nelems * sizeof(krb5_data));
- FREE(tempprinc, sizeof(krb5_principal_data));
- return ENOMEM;
+ tempprinc->realm.data = MALLOC(tempprinc->realm.length + 1);
+ if (!tempprinc->realm.data) {
+ for (i = 0; i < nelems; i++)
+ FREE(krb5_princ_component(context, tempprinc, i)->data,
+ krb5_princ_component(context, inprinc, i)->length + 1);
+ FREE(tempprinc->data, nelems * sizeof(krb5_data));
+ FREE(tempprinc, sizeof(krb5_principal_data));
+ return ENOMEM;
}
- memcpy(tempprinc->realm.data, inprinc->realm.data,
- inprinc->realm.length);
- } else
- tempprinc->realm.data = 0;
+ memcpy(tempprinc->realm.data, inprinc->realm.data,
+ inprinc->realm.length);
+ tempprinc->realm.data[tempprinc->realm.length] = 0;
*outprinc = tempprinc;
return 0;
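Review bot: The memcpy on the new side is now reached for zero-length realms as well, so an input principal with realm.length == 0 and realm.data == NULL — exactly the case the removed `if (tempprinc->realm.length)` branch used to skip — produces memcpy(dst, NULL, 0), which the C standard does not permit even for a zero count and which sanitizers flag. Guarding only the copy keeps the intended new behaviour (an allocated, NUL-terminated buffer even for the empty realm): `if (inprinc->realm.length) memcpy(tempprinc->realm.data, inprinc->realm.data, inprinc->realm.length);`. Note that callers which previously received realm.data == NULL for an empty realm now receive an allocated "" and must free it; whether krb5_free_principal already does so unconditionally cannot be seen here. krb5_copy_principal begins before this hunk.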
diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/parse.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/parse.c
index 79e72cd5f2..ff7e3c72df 100644
--- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/parse.c
+++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/parse.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -125,10 +125,10 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip
size = 0;
i++;
} else if (c == REALM_SEP) {
- if (parsed_realm || !*(cp + 1))
+ if (parsed_realm)
/*
- * Multiple realm separaters or null
- * realm names are not allowed!
+ * Multiple realm separaters
+ * not allowed; zero-length realms are.
*/
return (KRB5_PARSE_MALFORMED);
parsed_realm = cp + 1;
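Review bot: Dropping `|| !*(cp + 1)` means a name ending in '@' now parses successfully with a zero-length realm instead of returning KRB5_PARSE_MALFORMED, but the new comment only says zero-length realms "are" allowed, not why. Readers need the link to the referral realm that krb5.h in this same change defines as `""`, e.g. `/* Multiple realm separators are not allowed; a zero-length realm is, and denotes the referral realm (KRB5_REFERRAL_REALM). */`, which also fixes the misspelling "separaters" carried over from the old text. Any consumer that relied on the parser rejecting an empty realm (realm comparisons, ACL or keytab matching elsewhere) now has to cope with one; that is inferred, as those callers are outside this diff. krb5_parse_name starts and ends outside the hunk.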