17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate * lib/krb5/os/def_realm.c
37c478bd9Sstevel@tonic-gate *
47c478bd9Sstevel@tonic-gate * Copyright 1990,1991 by the Massachusetts Institute of Technology.
57c478bd9Sstevel@tonic-gate * All Rights Reserved.
67c478bd9Sstevel@tonic-gate *
77c478bd9Sstevel@tonic-gate * Export of this software from the United States of America may
87c478bd9Sstevel@tonic-gate * require a specific license from the United States Government.
97c478bd9Sstevel@tonic-gate * It is the responsibility of any person or organization contemplating
107c478bd9Sstevel@tonic-gate * export to obtain such a license before exporting.
11*48bbca81SDaniel Hoffman *
127c478bd9Sstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
137c478bd9Sstevel@tonic-gate * distribute this software and its documentation for any purpose and
147c478bd9Sstevel@tonic-gate * without fee is hereby granted, provided that the above copyright
157c478bd9Sstevel@tonic-gate * notice appear in all copies and that both that copyright notice and
167c478bd9Sstevel@tonic-gate * this permission notice appear in supporting documentation, and that
177c478bd9Sstevel@tonic-gate * the name of M.I.T. not be used in advertising or publicity pertaining
187c478bd9Sstevel@tonic-gate * to distribution of the software without specific, written prior
197c478bd9Sstevel@tonic-gate * permission. Furthermore if you modify this software you must label
207c478bd9Sstevel@tonic-gate * your software as modified software and not distribute it in such a
217c478bd9Sstevel@tonic-gate * fashion that it might be confused with the original M.I.T. software.
227c478bd9Sstevel@tonic-gate * M.I.T. makes no representations about the suitability of
237c478bd9Sstevel@tonic-gate * this software for any purpose. It is provided "as is" without express
247c478bd9Sstevel@tonic-gate * or implied warranty.
25*48bbca81SDaniel Hoffman *
267c478bd9Sstevel@tonic-gate *
277c478bd9Sstevel@tonic-gate * krb5_get_default_realm(), krb5_set_default_realm(),
287c478bd9Sstevel@tonic-gate * krb5_free_default_realm() functions.
297c478bd9Sstevel@tonic-gate */
307c478bd9Sstevel@tonic-gate
31fe598cdcSmp /*
32159d09a2SMark Phalan * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
33fe598cdcSmp * Use is subject to license terms.
34b3700b07SGordon Ross *
35b3700b07SGordon Ross * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
36*48bbca81SDaniel Hoffman * Copyright (c) 2016 by Delphix. All rights reserved.
37fe598cdcSmp */
38fe598cdcSmp
39159d09a2SMark Phalan #include "k5-int.h"
407c478bd9Sstevel@tonic-gate #include "os-proto.h"
417c478bd9Sstevel@tonic-gate #include <stdio.h>
427c478bd9Sstevel@tonic-gate
43*48bbca81SDaniel Hoffman /*
44fe598cdcSmp * Solaris Kerberos:
45fe598cdcSmp * For krb5int_foreach_localaddr()
46fe598cdcSmp */
47fe598cdcSmp #include "foreachaddr.h"
48fe598cdcSmp
49*48bbca81SDaniel Hoffman #ifdef KRB5_DNS_LOOKUP
507c478bd9Sstevel@tonic-gate #ifdef WSHELPER
517c478bd9Sstevel@tonic-gate #include <wshelper.h>
527c478bd9Sstevel@tonic-gate #else /* WSHELPER */
537c478bd9Sstevel@tonic-gate #ifdef HAVE_NETINET_IN_H
547c478bd9Sstevel@tonic-gate #include <netinet/in.h>
557c478bd9Sstevel@tonic-gate #endif
567c478bd9Sstevel@tonic-gate #include <arpa/inet.h>
577c478bd9Sstevel@tonic-gate #include <arpa/nameser.h>
587c478bd9Sstevel@tonic-gate #include <resolv.h>
597c478bd9Sstevel@tonic-gate #include <netdb.h>
607c478bd9Sstevel@tonic-gate #endif /* WSHELPER */
617c478bd9Sstevel@tonic-gate
627c478bd9Sstevel@tonic-gate /* for old Unixes and friends ... */
637c478bd9Sstevel@tonic-gate #ifndef MAXHOSTNAMELEN
647c478bd9Sstevel@tonic-gate #define MAXHOSTNAMELEN 64
657c478bd9Sstevel@tonic-gate #endif
667c478bd9Sstevel@tonic-gate
677c478bd9Sstevel@tonic-gate #define MAX_DNS_NAMELEN (15*(MAXHOSTNAMELEN + 1)+1)
687c478bd9Sstevel@tonic-gate
697c478bd9Sstevel@tonic-gate #endif /* KRB5_DNS_LOOKUP */
707c478bd9Sstevel@tonic-gate
71fe598cdcSmp /*
72fe598cdcSmp * Solaris Kerberos:
73fe598cdcSmp * The following prototype is needed because it is a
74fe598cdcSmp * private interface that does not have a prototype in any .h
75fe598cdcSmp */
76fe598cdcSmp extern struct hostent *res_gethostbyaddr(const char *addr, int len, int type);
77fe598cdcSmp
78fe598cdcSmp /*
79fe598cdcSmp * Solaris Kerberos:
80fe598cdcSmp * krb5int_address_get_realm() given an address (either IPv4 or IPv6) tries to
81fe598cdcSmp * find a realm based on the DNS name of that address. Assumes that its being
82fe598cdcSmp * used as a callback for krb5int_foreach_localaddr().
83fe598cdcSmp */
krb5int_address_get_realm(void * data,struct sockaddr * addr)84fe598cdcSmp static int krb5int_address_get_realm(void *data, struct sockaddr *addr) {
85*48bbca81SDaniel Hoffman
86fe598cdcSmp krb5_context context = data;
87fe598cdcSmp struct hostent *he = NULL;
88fe598cdcSmp
89fe598cdcSmp switch (addr->sa_family) {
90fe598cdcSmp case AF_INET:
91fe598cdcSmp he = res_gethostbyaddr((char*)(&sa2sin(addr)->sin_addr),
92fe598cdcSmp sizeof(sa2sin(addr)->sin_addr), AF_INET);
93fe598cdcSmp break;
94fe598cdcSmp case AF_INET6:
95fe598cdcSmp he = res_gethostbyaddr(
96fe598cdcSmp (char*)(&sa2sin6(addr)->sin6_addr),
97fe598cdcSmp sizeof(sa2sin6(addr)->sin6_addr), AF_INET6);
98fe598cdcSmp break;
99fe598cdcSmp }
100fe598cdcSmp
101fe598cdcSmp if (he) {
102fe598cdcSmp /* Try to find realm using returned DNS name */
103fe598cdcSmp krb5int_fqdn_get_realm(context, he->h_name,
104fe598cdcSmp &context->default_realm);
105fe598cdcSmp
106fe598cdcSmp /* If a realm was found return 1 to immediately halt
107fe598cdcSmp * krb5int_foreach_localaddr()
108*48bbca81SDaniel Hoffman */
109fe598cdcSmp if (context->default_realm != 0) {
110fe598cdcSmp return (1);
111fe598cdcSmp }
112fe598cdcSmp }
113fe598cdcSmp return (0);
114fe598cdcSmp }
115fe598cdcSmp
116fe598cdcSmp
1177c478bd9Sstevel@tonic-gate /*
1187c478bd9Sstevel@tonic-gate * Retrieves the default realm to be used if no user-specified realm is
1197c478bd9Sstevel@tonic-gate * available. [e.g. to interpret a user-typed principal name with the
1207c478bd9Sstevel@tonic-gate * realm omitted for convenience]
121*48bbca81SDaniel Hoffman *
1227c478bd9Sstevel@tonic-gate * returns system errors, NOT_ENOUGH_SPACE, KV5M_CONTEXT
1237c478bd9Sstevel@tonic-gate */
1247c478bd9Sstevel@tonic-gate
1257c478bd9Sstevel@tonic-gate /*
1267c478bd9Sstevel@tonic-gate * Implementation: the default realm is stored in a configuration file,
1277c478bd9Sstevel@tonic-gate * named by krb5_config_file; the first token in this file is taken as
1287c478bd9Sstevel@tonic-gate * the default local realm name.
1297c478bd9Sstevel@tonic-gate */
1307c478bd9Sstevel@tonic-gate
1317c478bd9Sstevel@tonic-gate krb5_error_code KRB5_CALLCONV
krb5_get_default_realm(krb5_context context,char ** lrealm)1327c478bd9Sstevel@tonic-gate krb5_get_default_realm(krb5_context context, char **lrealm)
1337c478bd9Sstevel@tonic-gate {
1347c478bd9Sstevel@tonic-gate char *realm = 0;
1357c478bd9Sstevel@tonic-gate char *cp;
136fe598cdcSmp char localhost[MAX_DNS_NAMELEN+1];
1377c478bd9Sstevel@tonic-gate krb5_error_code retval;
1387c478bd9Sstevel@tonic-gate
139fe598cdcSmp (void) memset(localhost, 0, sizeof(localhost));
140fe598cdcSmp
141*48bbca81SDaniel Hoffman if (!context || (context->magic != KV5M_CONTEXT))
1427c478bd9Sstevel@tonic-gate return KV5M_CONTEXT;
1437c478bd9Sstevel@tonic-gate
144b3700b07SGordon Ross /*
145b3700b07SGordon Ross * Solaris Kerberos: (illumos)
146b3700b07SGordon Ross * Another way to provide the default realm.
147b3700b07SGordon Ross */
148b3700b07SGordon Ross if (!context->default_realm) {
149b3700b07SGordon Ross if ((realm = getenv("KRB5_DEFAULT_REALM")) != NULL) {
150b3700b07SGordon Ross context->default_realm = strdup(realm);
151b3700b07SGordon Ross if (context->default_realm == NULL)
152b3700b07SGordon Ross return ENOMEM;
153b3700b07SGordon Ross }
154b3700b07SGordon Ross }
155b3700b07SGordon Ross
1567c478bd9Sstevel@tonic-gate if (!context->default_realm) {
1577c478bd9Sstevel@tonic-gate context->default_realm = 0;
1587c478bd9Sstevel@tonic-gate if (context->profile != 0) {
1597c478bd9Sstevel@tonic-gate retval = profile_get_string(context->profile, "libdefaults",
1607c478bd9Sstevel@tonic-gate "default_realm", 0, 0,
1617c478bd9Sstevel@tonic-gate &realm);
1627c478bd9Sstevel@tonic-gate
1637c478bd9Sstevel@tonic-gate if (!retval && realm) {
1647c478bd9Sstevel@tonic-gate context->default_realm = malloc(strlen(realm) + 1);
1657c478bd9Sstevel@tonic-gate if (!context->default_realm) {
1667c478bd9Sstevel@tonic-gate profile_release_string(realm);
1677c478bd9Sstevel@tonic-gate return ENOMEM;
1687c478bd9Sstevel@tonic-gate }
1697c478bd9Sstevel@tonic-gate strcpy(context->default_realm, realm);
1707c478bd9Sstevel@tonic-gate profile_release_string(realm);
1717c478bd9Sstevel@tonic-gate }
1727c478bd9Sstevel@tonic-gate }
1737c478bd9Sstevel@tonic-gate if (context->default_realm == 0) {
174fe598cdcSmp #ifdef KRB5_DNS_LOOKUP
175fe598cdcSmp if (_krb5_use_dns_realm(context)) {
1767c478bd9Sstevel@tonic-gate /*
1777c478bd9Sstevel@tonic-gate * Since this didn't appear in our config file, try looking
1787c478bd9Sstevel@tonic-gate * it up via DNS. Look for a TXT records of the form:
1797c478bd9Sstevel@tonic-gate *
1807c478bd9Sstevel@tonic-gate * _kerberos.<localhost>
1817c478bd9Sstevel@tonic-gate * _kerberos.<domainname>
1827c478bd9Sstevel@tonic-gate * _kerberos.<searchlist>
1837c478bd9Sstevel@tonic-gate *
1847c478bd9Sstevel@tonic-gate */
1857c478bd9Sstevel@tonic-gate char * p;
1867c478bd9Sstevel@tonic-gate krb5int_get_fq_local_hostname (localhost, sizeof(localhost));
1877c478bd9Sstevel@tonic-gate
1887c478bd9Sstevel@tonic-gate if ( localhost[0] ) {
1897c478bd9Sstevel@tonic-gate p = localhost;
1907c478bd9Sstevel@tonic-gate do {
191*48bbca81SDaniel Hoffman retval = krb5_try_realm_txt_rr("_kerberos", p,
1927c478bd9Sstevel@tonic-gate &context->default_realm);
1937c478bd9Sstevel@tonic-gate p = strchr(p,'.');
1947c478bd9Sstevel@tonic-gate if (p)
1957c478bd9Sstevel@tonic-gate p++;
1967c478bd9Sstevel@tonic-gate } while (retval && p && p[0]);
1977c478bd9Sstevel@tonic-gate
1987c478bd9Sstevel@tonic-gate if (retval)
199*48bbca81SDaniel Hoffman retval = krb5_try_realm_txt_rr("_kerberos", "",
2007c478bd9Sstevel@tonic-gate &context->default_realm);
2017c478bd9Sstevel@tonic-gate } else {
202*48bbca81SDaniel Hoffman retval = krb5_try_realm_txt_rr("_kerberos", "",
2037c478bd9Sstevel@tonic-gate &context->default_realm);
2047c478bd9Sstevel@tonic-gate }
2057c478bd9Sstevel@tonic-gate if (retval) {
2067c478bd9Sstevel@tonic-gate return(KRB5_CONFIG_NODEFREALM);
2077c478bd9Sstevel@tonic-gate }
208fe598cdcSmp } else
2097c478bd9Sstevel@tonic-gate #endif /* KRB5_DNS_LOOKUP */
210b3700b07SGordon Ross if (getenv("MS_INTEROP") == NULL) {
211fe598cdcSmp
212fe598cdcSmp /*
213fe598cdcSmp * Solaris Kerberos:
214b3700b07SGordon Ross * Try to find a realm based on one of the local IP addresses.
215b3700b07SGordon Ross * Don't do this for AD, which often does _not_ support any
216b3700b07SGordon Ross * DNS reverse lookup, making these queries take forever.
217fe598cdcSmp */
218fe598cdcSmp (void) krb5int_foreach_localaddr(context,
219fe598cdcSmp krb5int_address_get_realm, 0, 0);
220fe598cdcSmp
221fe598cdcSmp /*
222fe598cdcSmp * Solaris Kerberos:
223fe598cdcSmp * As a final fallback try to find a realm based on the resolver search
224fe598cdcSmp * list
225fe598cdcSmp */
226fe598cdcSmp if (context->default_realm == 0) {
227fe598cdcSmp struct __res_state res;
228fe598cdcSmp int i;
229fe598cdcSmp
230fe598cdcSmp (void) memset(&res, 0, sizeof (res));
231fe598cdcSmp
232fe598cdcSmp if (res_ninit(&res) == 0) {
233fe598cdcSmp for (i = 0; res.dnsrch[i]; i++) {
234fe598cdcSmp krb5int_domain_get_realm(context,
235*48bbca81SDaniel Hoffman res.dnsrch[i], &context->default_realm);
236fe598cdcSmp
237fe598cdcSmp if (context->default_realm != 0)
238fe598cdcSmp break;
239fe598cdcSmp }
240fe598cdcSmp res_ndestroy(&res);
241fe598cdcSmp }
242fe598cdcSmp }
243fe598cdcSmp
244fe598cdcSmp }
245fe598cdcSmp }
246fe598cdcSmp }
2477c478bd9Sstevel@tonic-gate
2487c478bd9Sstevel@tonic-gate if (context->default_realm == 0)
2497c478bd9Sstevel@tonic-gate return(KRB5_CONFIG_NODEFREALM);
2507c478bd9Sstevel@tonic-gate if (context->default_realm[0] == 0) {
2517c478bd9Sstevel@tonic-gate free (context->default_realm);
2527c478bd9Sstevel@tonic-gate context->default_realm = 0;
2537c478bd9Sstevel@tonic-gate return KRB5_CONFIG_NODEFREALM;
2547c478bd9Sstevel@tonic-gate }
2557c478bd9Sstevel@tonic-gate
2567c478bd9Sstevel@tonic-gate realm = context->default_realm;
257*48bbca81SDaniel Hoffman
2587c478bd9Sstevel@tonic-gate /*LINTED*/
2597c478bd9Sstevel@tonic-gate if (!(*lrealm = cp = malloc((unsigned int) strlen(realm) + 1)))
2607c478bd9Sstevel@tonic-gate return ENOMEM;
2617c478bd9Sstevel@tonic-gate strcpy(cp, realm);
2627c478bd9Sstevel@tonic-gate return(0);
2637c478bd9Sstevel@tonic-gate }
2647c478bd9Sstevel@tonic-gate
2657c478bd9Sstevel@tonic-gate krb5_error_code KRB5_CALLCONV
krb5_set_default_realm(krb5_context context,const char * lrealm)2667c478bd9Sstevel@tonic-gate krb5_set_default_realm(krb5_context context, const char *lrealm)
2677c478bd9Sstevel@tonic-gate {
268*48bbca81SDaniel Hoffman if (!context || (context->magic != KV5M_CONTEXT))
2697c478bd9Sstevel@tonic-gate return KV5M_CONTEXT;
2707c478bd9Sstevel@tonic-gate
2717c478bd9Sstevel@tonic-gate if (context->default_realm) {
2727c478bd9Sstevel@tonic-gate free(context->default_realm);
2737c478bd9Sstevel@tonic-gate context->default_realm = 0;
2747c478bd9Sstevel@tonic-gate }
2757c478bd9Sstevel@tonic-gate
276*48bbca81SDaniel Hoffman /* Allow the user to clear the default realm setting by passing in
2777c478bd9Sstevel@tonic-gate NULL */
2787c478bd9Sstevel@tonic-gate if (!lrealm) return 0;
2797c478bd9Sstevel@tonic-gate
2807c478bd9Sstevel@tonic-gate context->default_realm = malloc(strlen (lrealm) + 1);
2817c478bd9Sstevel@tonic-gate
2827c478bd9Sstevel@tonic-gate if (!context->default_realm)
2837c478bd9Sstevel@tonic-gate return ENOMEM;
2847c478bd9Sstevel@tonic-gate
2857c478bd9Sstevel@tonic-gate strcpy(context->default_realm, lrealm);
2867c478bd9Sstevel@tonic-gate return(0);
2877c478bd9Sstevel@tonic-gate
2887c478bd9Sstevel@tonic-gate }
2897c478bd9Sstevel@tonic-gate
2907c478bd9Sstevel@tonic-gate /*ARGSUSED*/
2917c478bd9Sstevel@tonic-gate void KRB5_CALLCONV
krb5_free_default_realm(krb5_context context,char * lrealm)2927c478bd9Sstevel@tonic-gate krb5_free_default_realm(krb5_context context, char *lrealm)
2937c478bd9Sstevel@tonic-gate {
2947c478bd9Sstevel@tonic-gate free (lrealm);
2957c478bd9Sstevel@tonic-gate }
296