From: Mark Andrews
Date: Thu, 9 Jul 2020 05:30:59 +0000 (+1000)
Subject: Only call gsskrb5_register_acceptor_identity if we have gssapi_krb5.h.
X-Git-Tag: v9.17.4~49^2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=488eef63ca82f41dd28155077d0a792411aff108;p=thirdparty%2Fbind9.git
Only call gsskrb5_register_acceptor_identity if we have gssapi_krb5.h.
---
diff --git a/CHANGES b/CHANGES
index ade4b3ca76d..f7a45582821 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5470. [port] illumos: only call gsskrb5_register_acceptor_identity
+ if we have gssapi_krb5.h. [GL #1995]
+
 5469. [port] illumos: SEC is defined in which conflicted with our use of SEC. [GL #1993]
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index 5852b5e35dd..a95d5d81166 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -678,6 +678,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
 }
 if (gssapi_keytab != NULL) {
+#if HAVE_GSSAPI_GSSAPI_KRB5_H || HAVE_GSSAPI_KRB5_H || defined(WIN32)
 gret = gsskrb5_register_acceptor_identity(gssapi_keytab);
 if (gret != GSS_S_COMPLETE) {
 gss_log(3,
@@ -687,6 +688,27 @@ dst_gssapi_acceptctx(gss_cred_id_t cred, const char *gssapi_keytab,
 gss_error_tostring(gret, 0, buf, sizeof(buf)));
 return (DNS_R_INVALIDTKEY);
 }
+#else
+ /*
+ * Minimize memory leakage by only setting KRB5_KTNAME
+ * if it needs to change.
+ */
+ const char *old = getenv("KRB5_KTNAME");
+ if (old == NULL || strcmp(old, gssapi_keytab) != 0) {
+ size_t size;
+ char *kt;
+
+ size = strlen(gssapi_keytab) + 13;
+ kt = malloc(size);
+ if (kt == NULL) {
+ return (ISC_R_NOMEMORY);
+ }
+ snprintf(kt, size, "KRB5_KTNAME=%s", gssapi_keytab);
+ if (putenv(kt) != 0) {
+ return (ISC_R_NOMEMORY);
+ }
+ }
+#endif
 }
 log_cred(cred);
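Review bot: In the `#else` fallback of the second gssapictx.c hunk, `kt` is leaked when `putenv(kt)` fails, because the error return has no `free(kt)`; the branch should read `if (putenv(kt) != 0) { free(kt); return (ISC_R_NOMEMORY); }`. The `getenv`/`putenv` pair also changes `KRB5_KTNAME` for the whole process and is not safe against concurrent environment access, so if dst_gssapi_acceptctx can be reached from more than one thread (not visible in this hunk) the update needs a lock or should be done once when the keytab is configured. The literal `13` would be clearer as `sizeof("KRB5_KTNAME=")`, which also covers the terminating NUL. The function body starts and ends outside the hunk.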