authormp153739 <none@none>2007-01-08 02:45:56 -0800
committermp153739 <none@none>2007-01-08 02:45:56 -0800
commit3dba6097f91d71408b4a7c824521f8f0687ab6ff (patch)
tree4f4c7655b6f61bb8ea0f1bff16059616d7423cd5 /usr/src
parentd51f1d338914fe15108ef3fb04d422a459cfdeda (diff)
downloadillumos-joyent-3dba6097f91d71408b4a7c824521f8f0687ab6ff.tar.gz
4854431 krb5_gss_acquire_cred() does not implement correct GSS_C_NO_NAME semantics
6290693 krb mech isn't doing the right thing in regards to gss_delete_sec_context and the output token
6491792 gss_unwrap() is causing duplicate token detection to fail for subsequent calls to gss_unwrap()
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/mech/accept_sec_context.c10
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred.c61
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/mech/inq_cred.c12
-rw-r--r--usr/src/lib/libgss/g_acquire_cred.c36
-rw-r--r--usr/src/uts/common/gssapi/mechs/krb5/mech/k5sealv3.c21
5 files changed, 70 insertions, 70 deletions
diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/accept_sec_context.c b/usr/src/lib/gss_mechs/mech_krb5/mech/accept_sec_context.c
index 2cc59a4892..0285fb9e13 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/mech/accept_sec_context.c
+++ b/usr/src/lib/gss_mechs/mech_krb5/mech/accept_sec_context.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -415,7 +415,13 @@ krb5_gss_accept_sec_context(ct, minor_status, context_handle,
}
/* handle default cred handle */
- if (verifier_cred_handle == GSS_C_NO_CREDENTIAL) {
+ /*
+ * Solaris Kerberos:
+ * If there is no princ associated with the cred then treat it the
+ * the same as GSS_C_NO_CREDENTIAL.
+ */
+ if (verifier_cred_handle == GSS_C_NO_CREDENTIAL ||
+ ((krb5_gss_cred_id_t)verifier_cred_handle)->princ == NULL) {
/* Note that we try to acquire a cred for the service principal
* named in the AP-REQ. This allows us to implement option (ii)
* of the recommended behaviour for GSS_Accept_sec_context() as
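Review bot: The right-hand side of the new `||` dereferences `verifier_cred_handle` through a `krb5_gss_cred_id_t` cast before anything in the hunk has validated the handle; if the `else` branch of this `if` (outside the hunk) is where a caller-supplied cred is validated, as it is upstream, the NULL-princ test now runs on an unchecked pointer. Consider keeping `if (verifier_cred_handle == GSS_C_NO_CREDENTIAL)` as written and testing `princ == NULL` in the else branch only after validation has succeeded, falling into the default-cred path from there. Any later cleanup that decides whether to release the acquired default cred by comparing `verifier_cred_handle` with `GSS_C_NO_CREDENTIAL`, rather than `cred_handle` with `verifier_cred_handle`, also needs checking, since the function now acquires a cred for a supplied non-NULL handle as well. krb5_gss_accept_sec_context starts and ends outside the hunk.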
diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred.c b/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred.c
index fe9f995d64..d19b98e99b 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred.c
+++ b/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -122,51 +122,33 @@ acquire_accept_cred(context, minor_status, desired_name, output_princ, cred)
return(GSS_S_NO_CRED);
}
- /* figure out what principal to use. If the default name is
- requested, use the default sn2princ output */
-
- if (desired_name == (gss_name_t) NULL) {
- if ((code = krb5_sname_to_principal(context, NULL, NULL, KRB5_NT_SRV_HST,
- &princ))) {
+ if (desired_name != GSS_C_NO_NAME) {
+ princ = (krb5_principal) desired_name;
+ if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
(void) krb5_kt_close(context, kt);
+ if (code == KRB5_KT_NOTFOUND)
+ *minor_status = KG_KEYTAB_NOMATCH;
+ else
+ *minor_status = code;
+ /* NOTE: GSS_S_CRED_UNAVAIL is not RFC 2743 compliant */
+ return(GSS_S_NO_CRED);
+ }
+ krb5_kt_free_entry(context, &entry);
+
+ /* Open the replay cache for this principal. */
+ if ((code = krb5_get_server_rcache(context,
+ krb5_princ_component(context, princ, 0),
+ &cred->rcache))) {
*minor_status = code;
return(GSS_S_FAILURE);
}
- *output_princ = princ;
- } else {
- princ = (krb5_principal) desired_name;
- }
- code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry);
- if (code) {
- (void) krb5_kt_close(context, kt);
- if (code == KRB5_KT_NOTFOUND)
- *minor_status = KG_KEYTAB_NOMATCH;
- else
- *minor_status = code;
-
- if (*output_princ != NULL) {
- krb5_free_principal(context, *output_princ);
- *output_princ = NULL;
- }
-
- return(GSS_S_FAILURE);
}
- krb5_kt_free_entry(context, &entry);
-
/* hooray. we made it */
cred->keytab = kt;
- /* Open the replay cache for this principal. */
- if ((code = krb5_get_server_rcache(context,
- krb5_princ_component(context, princ, 0),
- &cred->rcache))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
return(GSS_S_COMPLETE);
}
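Review bot: The `krb5_get_server_rcache()` failure path (`*minor_status = code; return(GSS_S_FAILURE);`) now runs before `cred->keytab = kt;`, so the keytab opened earlier in acquire_accept_cred is neither stored in the cred nor closed — a leak the old layout avoided because the rcache was opened only after `kt` had been handed to `cred`. Add `(void) krb5_kt_close(context, kt);` before `*minor_status = code;` on that path, mirroring the `krb5_kt_get_entry()` failure path a few lines above. The head of the function, where `kt` is opened, is outside the hunk.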
@@ -488,9 +470,12 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req,
return(ret);
}
- /* if the princ wasn't filled in already, fill it in now */
-
- if (!cred->princ)
+ /* Solaris Kerberos:
+ * if the princ wasn't filled in already, fill it in now unless
+ * a cred with no associated princ is requested (will invoke default
+ * behaviour when gss_accept_init_context() is called).
+ */
+ if (!cred->princ && (desired_name != GSS_C_NO_NAME))
if ((code = krb5_copy_principal(context, (krb5_principal) desired_name,
&(cred->princ)))) {
if (cred->ccache)
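Review bot: The new comment refers to `gss_accept_init_context()`, which is not a GSS-API entry point; the function meant is `gss_accept_sec_context()`, the accept path this commit teaches to treat a cred without a principal as the default cred. Suggest ` * behaviour when gss_accept_sec_context() is called).`. Stylistically, the outer `if (!cred->princ && (desired_name != GSS_C_NO_NAME))` is left unbraced while its body is itself a braced `if`; bracing the outer statement removes a dangling-else hazard should an `else` be added to either later. krb5_gss_acquire_cred_no_lock continues outside the hunk.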
diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/inq_cred.c b/usr/src/lib/gss_mechs/mech_krb5/mech/inq_cred.c
index 1fa879e0db..a4a54438e8 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/mech/inq_cred.c
+++ b/usr/src/lib/gss_mechs/mech_krb5/mech/inq_cred.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -170,7 +170,8 @@ krb5_gss_inquire_cred_no_lock(ctx, minor_status, cred_handle, name,
lifetime = GSS_C_INDEFINITE;
if (name) {
- if ((code = krb5_copy_principal(context, cred->princ, &ret_name))) {
+ if (cred->princ &&
+ (code = krb5_copy_principal(context, cred->princ, &ret_name))) {
*minor_status = code;
return(GSS_S_FAILURE);
}
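Review bot: Guarding only the copy leaves `ret_name` uninitialized when `cred->princ` is NULL, as the comment in this file's second hunk acknowledges; any error path between the two hunks that does `krb5_free_principal(context, ret_name)` (upstream, the `mechanisms` OID-set failure path does exactly that — it is outside the hunk, so this is inferred) would then free an indeterminate pointer. Initializing the local at its declaration, `krb5_principal ret_name = NULL;`, makes every free of it well-defined (upstream krb5_free_principal returns on NULL) and is a safer fix than tracking `cred->princ` at each use, including the `if (name && cred->princ)` guard in the second hunk. The declaration of `ret_name` is outside the hunk.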
@@ -193,7 +194,12 @@ krb5_gss_inquire_cred_no_lock(ctx, minor_status, cred_handle, name,
}
}
- if (name) {
+ /* Solaris Kerberos:
+ * Don't set name to ret_name if cred->princ is NULL.
+ * If cred->princ is NULL, ret_name is uninitialized and
+ * name already points to NULL.
+ */
+ if (name && cred->princ) {
if (! kg_save_name((gss_name_t) ret_name)) {
(void) gss_release_oid_set(minor_status, &mechs);
krb5_free_principal(context, ret_name);
diff --git a/usr/src/lib/libgss/g_acquire_cred.c b/usr/src/lib/libgss/g_acquire_cred.c
index 9fffa3c63d..b2a9451538 100644
--- a/usr/src/lib/libgss/g_acquire_cred.c
+++ b/usr/src/lib/libgss/g_acquire_cred.c
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -341,27 +340,18 @@ gss_add_cred(minor_status, input_cred_handle,
union_cred->auxinfo.time_rec = time_rec;
union_cred->auxinfo.cred_usage = cred_usage;
- /*
- * we must set the name; if name is not supplied
- * we must do inquire cred to get it
- */
- if (internal_name == GSS_C_NO_NAME) {
- if (mech->gss_inquire_cred == NULL ||
- ((status = mech->gss_inquire_cred(
- mech->context,
- &temp_minor_status, cred,
- &allocated_name, NULL, NULL,
- NULL)) != GSS_S_COMPLETE))
+ /*
+ * If internal_name is GSS_C_NO_NAME a cred with no associated
+ * name was requested: don't set auxinfo.name or auxinfo.name_type.
+ */
+ if (internal_name != GSS_C_NO_NAME) {
+ if ((status = mech->gss_display_name(mech->context,
+ &temp_minor_status, internal_name,
+ &union_cred->auxinfo.name,
+ &union_cred->auxinfo.name_type)) !=
+ GSS_S_COMPLETE)
goto errout;
- internal_name = allocated_name;
}
-
- if ((status = mech->gss_display_name(mech->context,
- &temp_minor_status, internal_name,
- &union_cred->auxinfo.name,
- &union_cred->auxinfo.name_type)) !=
- GSS_S_COMPLETE)
- goto errout;
}
/* now add the new credential elements */
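Review bot: With the `gss_inquire_cred` fallback removed, `union_cred->auxinfo.name` and `auxinfo.name_type` are left untouched when `internal_name` is `GSS_C_NO_NAME`; that is only safe if the union cred was allocated zeroed, or those fields were set to `GSS_C_EMPTY_BUFFER` and `GSS_C_NULL_OID` earlier, since the release path will later free whatever they hold — the allocation is outside the hunk, so please confirm and, if not, initialize them explicitly. The `allocated_name` local and any release of it at `errout` appear to have lost their only use in this path; if the compiler now reports it unused, drop it. The body of gss_add_cred continues outside the hunk.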
diff --git a/usr/src/uts/common/gssapi/mechs/krb5/mech/k5sealv3.c b/usr/src/uts/common/gssapi/mechs/krb5/mech/k5sealv3.c
index 0d29d158eb..36263e6a1f 100644
--- a/usr/src/uts/common/gssapi/mechs/krb5/mech/k5sealv3.c
+++ b/usr/src/uts/common/gssapi/mechs/krb5/mech/k5sealv3.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -313,9 +313,12 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
message2 = &empty_message;
goto wrap_with_checksum;
} else if (toktype == KG_TOK_DEL_CTX) {
- tok_id = 0x0405;
- message = message2 = &empty_message;
- goto wrap_with_checksum;
+ /*
+ * Solaris Kerberos:
+ * No token should be generated for context deletion. Just
+ * return.
+ */
+ return 0;
} else {
err = KRB5KRB_AP_ERR_BAD_INTEGRITY;
goto error;
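Review bot: The bare `return 0;` leaves the output token untouched, so callers of gss_krb5int_make_seal_token_v3 must have pre-set it to an empty buffer (length 0, value NULL) for delete_sec_context to emit "no token" rather than an indeterminate one; the callers are outside the hunk, so this is worth confirming. The rest of the function exits through `goto error` or the wrap path, and a mid-function `return` bypasses whatever that exit does — acceptable only because nothing visible in the hunk has been allocated at this point, which the comment could state: `* No token should be generated for context deletion; nothing has been allocated yet, so return directly.`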
@@ -512,6 +515,16 @@ gss_krb5int_unseal_token_v3(krb5_context context,
goto no_mem;
(void) memcpy(message_buffer->value,
plain.data, message_buffer->length);
+
+ /*
+ * Solaris Kerberos: Restore the original token.
+ * This allows the token to be detected as a duplicate if it
+ * is passed in to gss_unwrap() again.
+ */
+ if (!rotate_left(ptr, bodysize-ec, bodysize - ec - 16))
+ goto no_mem;
+ store_16_be(ec, ptr+4);
+ store_16_be(rrc, ptr+6);
}
err = g_order_check(&ctx->seqstate, seqnum);
*minor_status = 0;
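Review bot: The restore can itself fail with `goto no_mem` after `message_buffer->value` has already been allocated and filled with the decrypted plaintext on the preceding lines; unless the `no_mem` label (outside the hunk) releases `message_buffer`, that plaintext buffer leaks on this path. Release `message_buffer->value` with the same deallocator the function's other error paths use, and reset `message_buffer->length` to 0, before the `goto`. It would also help the reader to note in the comment that the restore writes back into the caller's input token (`ptr`), undoing the in-place rotation done earlier in the function, so callers can rely on the token being unmodified only on the success path. Minor style: `bodysize-ec` and `bodysize - ec - 16` on the same line use different spacing.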