3005. [port] Solaris: Work around the lack of

gsskrb5_register_acceptor_identity() by setting
			the KRB5_KTNAME environment variable to the
			contents of tkey-gssapi-keytab.  Also fixed
			test errors on MacOSX.  [RT #22853]

CHANGES

@@ -1,3 +1,9 @@
+3005.	[port]		Solaris: Work around the lack of
+			gsskrb5_register_acceptor_identity() by setting
+			the KRB5_KTNAME environment variable to the
+			contents of tkey-gssapi-keytab.  Also fixed
+			test errors on MacOSX.  [RT #22853]
+
 3004.	[func]		DNS64 reverse support. [RT #22769]
 
 3003.	[experimental]	Added update-policy match type "external",

bin/tests/system/tsiggss/tests.sh

@@ -9,7 +9,8 @@ status=0
 DIGOPTS="@10.53.0.1 -p 5300"
 
 # we don't want a KRB5_CONFIG setting breaking the tests
-unset KRB5_CONFIG
+KRB5_CONFIG=/dev/null
+export KRB5_CONFIG
 
 test_update() {
     host="$1"
@@ -28,7 +29,7 @@ EOF
 	return 1
     }
 
-    out=`$DIG $DIGOPTS -t $type -q $host | egrep ^$host`
+    out=`$DIG $DIGOPTS -t $type -q $host | egrep "^${host}"`
     lines=`echo "$out" | grep "$digout" | wc -l`
     [ $lines -eq 1 ] || {
 	echo "I:dig output incorrect for $host $type $cmd: $out"
@@ -38,7 +39,7 @@ EOF
 }
 
 echo "I:testing updates as administrator"
-KRB5CCNAME=`pwd`/ns1/administrator.ccache
+KRB5CCNAME="FILE:"`pwd`/ns1/administrator.ccache
 export KRB5CCNAME
 
 test_update testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || status=1
@@ -46,7 +47,7 @@ test_update testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || status=1
 test_update denied.example.nil. TXT "86400 TXT helloworld" "helloworld" && status=1
 
 echo "I:testing updates as a user"
-KRB5CCNAME=`pwd`/ns1/testdenied.ccache
+KRB5CCNAME="FILE:"`pwd`/ns1/testdenied.ccache
 export KRB5CCNAME
 
 test_update testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" && status=1
@@ -61,6 +62,6 @@ test_update testcname.example.nil. TXT "86400 A 10.53.0.13" "10.53.0.13" && stat
 
 [ $status -eq 0 ] && echo "I:tsiggss tests all OK"
 
-kill $(cat authsock.pid)
+kill `cat authsock.pid`
 
 exit $status

lib/dns/gssapictx.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gssapictx.c,v 1.23 2010/12/24 02:20:47 each Exp $ */
+/* $Id: gssapictx.c,v 1.24 2011/01/08 00:33:12 each Exp $ */
 
 #include <config.h>
 
@@ -542,7 +542,7 @@ gss_err_message(isc_mem_t *mctx, isc_uint32_t major, isc_uint32_t minor,
 isc_result_t
 dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
 		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
-		   dns_name_t *zone, isc_mem_t *mctx, char **err_message)
+		   isc_mem_t *mctx, char **err_message)
 {
 #ifdef GSSAPI
 	isc_region_t r;
@@ -629,7 +629,6 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
 	UNUSED(intoken);
 	UNUSED(outtoken);
 	UNUSED(gssctx);
-	UNUSED(zone);
 	UNUSED(mctx);
 	UNUSED(err_message);
 
@@ -654,6 +653,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
 	gss_name_t gname = NULL;
 	isc_result_t result;
 	char buf[1024];
+	char *kt = NULL;
 
 	REQUIRE(outtoken != NULL && *outtoken == NULL);
 
@@ -667,9 +667,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
 		context = *ctxout;
 
 	if (gssapi_keytab != NULL) {
-#ifndef ISC_PLATFORM_GSSAPI_KRB5_HEADER
+#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
-		return (ISC_R_NOTIMPLEMENTED);
-#else
 		gret = gsskrb5_register_acceptor_identity(gssapi_keytab);
 		if (gret != GSS_S_COMPLETE) {
 			gss_log(3, "failed "
@@ -679,6 +677,10 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
 						   buf, sizeof(buf)));
 			return (DNS_R_INVALIDTKEY);
 		}
+#else
+		kt = isc_mem_allocate(mctx, strlen(gssapi_keytab) + 13);
+		sprintf(kt, "KRB5_KTNAME=%s", gssapi_keytab);
+		putenv(kt);
 #endif
 	}
 
@@ -770,6 +772,9 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
 						   sizeof(buf)));
 	}
 
+	if (kt != NULL)
+		isc_mem_free(mctx, kt);
+
 	return (result);
 #else
 	UNUSED(cred);

lib/dns/include/dns/tkey.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkey.h,v 1.30 2010/12/20 23:47:21 tbox Exp $ */
+/* $Id: tkey.h,v 1.31 2011/01/08 00:33:12 each Exp $ */
 
 #ifndef DNS_TKEY_H
 #define DNS_TKEY_H 1
@@ -125,7 +125,7 @@ isc_result_t
 dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
 		       isc_buffer_t *intoken, isc_uint32_t lifetime,
 		       gss_ctx_id_t *context, isc_boolean_t win2k,
-		       dns_name_t *zone, isc_mem_t *mctx, char **err_message);
+		       isc_mem_t *mctx, char **err_message);
 /*%<
  *	Builds a query containing a TKEY that will generate a GSSAPI context.
  *	The key is requested to have the specified lifetime (in seconds).
@@ -218,8 +218,7 @@ isc_result_t
 dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
 		      dns_name_t *server, gss_ctx_id_t *context,
 		      dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
-		      isc_boolean_t win2k, dns_name_t *zone,
+		      isc_boolean_t win2k, char **err_message);
-		      char **err_message);
 
 /*
  *	Client side negotiation of GSS-TSIG.  Process the response

lib/dns/include/dst/gssapi.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gssapi.h,v 1.14 2010/12/20 23:47:21 tbox Exp $ */
+/* $Id: gssapi.h,v 1.15 2011/01/08 00:33:12 each Exp $ */
 
 #ifndef DST_GSSAPI_H
 #define DST_GSSAPI_H 1
@@ -95,7 +95,7 @@ dst_gssapi_releasecred(gss_cred_id_t *cred);
 isc_result_t
 dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
 		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
-		   dns_name_t *zone, isc_mem_t *mctx, char **err_message);
+		   isc_mem_t *mctx, char **err_message);
 /*
  *	Initiates a GSS context.
  *

lib/dns/tkey.c

@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tkey.c,v 1.98 2010/12/18 23:47:11 tbox Exp $
+ * $Id: tkey.c,v 1.99 2011/01/08 00:33:12 each Exp $
  */
 /*! \file */
 #include <config.h>
@@ -1003,7 +1003,7 @@ isc_result_t
 dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
 		       isc_buffer_t *intoken, isc_uint32_t lifetime,
 		       gss_ctx_id_t *context, isc_boolean_t win2k,
-		       dns_name_t *zone, isc_mem_t *mctx, char **err_message)
+		       isc_mem_t *mctx, char **err_message)
 {
 	dns_rdata_tkey_t tkey;
 	isc_result_t result;
@@ -1020,7 +1020,7 @@ dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
 	REQUIRE(mctx != NULL);
 
 	isc_buffer_init(&token, array, sizeof(array));
-	result = dst_gssapi_initctx(gname, NULL, &token, context, zone,
+	result = dst_gssapi_initctx(gname, NULL, &token, context,
 				    mctx, err_message);
 	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
 		return (result);
@@ -1290,7 +1290,7 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 	isc_buffer_init(outtoken, array, sizeof(array));
 	isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
 	RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context,
-				  NULL, ring->mctx, err_message));
+				  ring->mctx, err_message));
 
 	RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
 				  &dstkey, NULL));
@@ -1371,8 +1371,7 @@ isc_result_t
 dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
 		      dns_name_t *server, gss_ctx_id_t *context,
 		      dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
-		      isc_boolean_t win2k, dns_name_t *zone,
+		      isc_boolean_t win2k, char **err_message)
-		      char **err_message)
 {
 	dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
 	dns_name_t *tkeyname;
@@ -1417,7 +1416,7 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
 	isc_buffer_init(&outtoken, array, sizeof(array));
 
 	result = dst_gssapi_initctx(server, &intoken, &outtoken, context,
-				    zone, ring->mctx, err_message);
+				    ring->mctx, err_message);
 	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
 		return (result);