Kerberos support:

* Copy keyblock from credentials as fallback in the case if krb5_auth_con_getkey returns success but keyblock is null.
* Add compile time definition KRB5_HAS_krb5_creds_keyblock.
* Use krb5_data_copy instead of krb5_data_alloc() and memcpy() in KrbClient::Request().
* Include terminal null character when copying principal name to ensure that is always a null terminated string.
* Remove unused include file.
* Fix comments in meta server authentication configuration.

Author: mikeov

src/cc/krb/KfsKrb5.h

@@ -110,11 +110,11 @@ class KfsKrb5
             return EINVAL;
         }
         krb5_data theData = {0};
-        krb5_error_code theRet = krb5_data_alloc(&theData, strlen(theStr));
+        krb5_error_code theRet = krb5_data_copy(
+            &theData, theStr, strlen(theStr) + 1);
         if (theRet) {
             return theRet;
         }
-        memcpy(theData.data, theStr, theData.length);
         theRet = krb5_get_server_rcache(inCtx, &theData, inRCache);
         krb5_data_free(&theData);
         return theRet;

src/cc/krb/KrbClient.cc

@@ -161,17 +161,31 @@ class KrbClient::Impl
         if (theCredsPtr) {
             mLastCredEndTime = theCredsPtr->times.endtime;
         }
+        if (0 == mErrCode) {
+            mErrCode = krb5_auth_con_getkey(mCtx, mAuthCtx, &mKeyBlockPtr);
+        }
+#ifdef KRB5_HAS_krb5_creds_keyblock
+        if (0 == mErrCode && ! mKeyBlockPtr) {
+            mErrCode = krb5_copy_keyblock(
+                mCtx, &theCredsPtr->keyblock, &mKeyBlockPtr);
+        }
+#endif
         krb5_free_creds(mCtx, theCredsPtr);
-        if (mErrCode != 0) {
+        if (0 != mErrCode) {
             return ErrStr();
         }
-        if ((mErrCode = krb5_auth_con_getkey(mCtx, mAuthCtx, &mKeyBlockPtr))) {
-            return ErrStr();
+        if (0 == mErrCode && ! mKeyBlockPtr) {
+            mErrCode = EINVAL;
+            return "no session key";
         }
-        outDataPtr       = (const char*)mOutBuf.data;
-        outDataLen       = (int)mOutBuf.length;
         outSessionKeyPtr = KfsKrb5::get_key_block_contents(mKeyBlockPtr);
         outSessionKeyLen = KfsKrb5::get_key_block_length(mKeyBlockPtr);
+        if (! outSessionKeyPtr || outSessionKeyLen <= 0) {
+            mErrCode = EINVAL;
+            return "invalid empty session key";
+        }
+        outDataPtr = (const char*)mOutBuf.data;
+        outDataLen = (int)mOutBuf.length;
         return 0;
     }
     const char* Reply(

src/cc/krb/krbtest_main.cc

@@ -34,7 +34,6 @@
 
 #include <time.h>
 #include <iostream>
-#include <vector>
 #include <string>
 
 namespace

src/cc/meta/AuthContext.cc

@@ -520,8 +520,8 @@ class AuthContext::Impl
                 // No replay detection is needed, as either AP_REP or TLS-PSK
                 // are used. Both these mechanisms are sufficient to protect
                 // against replay attack as both provide mutual authentication.
-                // With no TLS once assume that party other than QFS protects
-                // against replay, man-in-the-middle attacks etc.
+                // With no TLS one assumes that the party other than QFS
+                // protects against replay, man-in-the-middle attacks etc.
                 theKrbServicePtr.reset(new KrbService());
                 const char* theErrMsgPtr = theKrbServicePtr->Init(
                     inParameters.getValue(