2 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "krb5_locl.h"
40 #define INIT_FIELD(C, T, E, D, F) \
41 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
42 "libdefaults", F, NULL)
44 #define INIT_FLAG(C, O, V, D, F) \
46 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
52 * Set the list of etypes `ret_etypes' from the configuration variable
56 static krb5_error_code
57 set_etypes (krb5_context context
,
59 krb5_enctype
**ret_enctypes
)
62 krb5_enctype
*etypes
= NULL
;
64 etypes_str
= krb5_config_get_strings(context
, NULL
, "libdefaults",
68 for(i
= 0; etypes_str
[i
]; i
++);
69 etypes
= malloc((i
+1) * sizeof(*etypes
));
71 krb5_config_free_strings (etypes_str
);
72 return krb5_enomem(context
);
74 for(j
= 0, k
= 0; j
< i
; j
++) {
76 if(krb5_string_to_enctype(context
, etypes_str
[j
], &e
) != 0)
78 if (krb5_enctype_valid(context
, e
) != 0)
82 etypes
[k
] = ETYPE_NULL
;
83 krb5_config_free_strings(etypes_str
);
85 *ret_enctypes
= etypes
;
90 * read variables from the configuration file and set in `context'
93 static krb5_error_code
94 init_context_from_config_file(krb5_context context
)
99 krb5_enctype
*tmptypes
;
103 * Pick one random character to make sure our random-ness source
106 ret
= krb5_generate_random(&rnd
, sizeof(rnd
));
110 INIT_FIELD(context
, time
, max_skew
, 5 * 60, "clockskew");
111 INIT_FIELD(context
, time
, kdc_timeout
, 30, "kdc_timeout");
112 INIT_FIELD(context
, time
, host_timeout
, 3, "host_timeout");
113 INIT_FIELD(context
, int, max_retries
, 3, "max_retries");
115 INIT_FIELD(context
, string
, http_proxy
, NULL
, "http_proxy");
117 ret
= krb5_config_get_bool_default(context
, NULL
, FALSE
,
119 "allow_weak_crypto", NULL
);
121 krb5_enctype_enable(context
, ETYPE_DES_CBC_CRC
);
122 krb5_enctype_enable(context
, ETYPE_DES_CBC_MD4
);
123 krb5_enctype_enable(context
, ETYPE_DES_CBC_MD5
);
124 krb5_enctype_enable(context
, ETYPE_DES_CBC_NONE
);
125 krb5_enctype_enable(context
, ETYPE_DES_CFB64_NONE
);
126 krb5_enctype_enable(context
, ETYPE_DES_PCBC_NONE
);
129 ret
= set_etypes (context
, "default_etypes", &tmptypes
);
132 free(context
->etypes
);
133 context
->etypes
= tmptypes
;
135 ret
= set_etypes (context
, "default_etypes_des", &tmptypes
);
138 free(context
->etypes_des
);
139 context
->etypes_des
= tmptypes
;
141 ret
= set_etypes (context
, "default_as_etypes", &tmptypes
);
144 free(context
->as_etypes
);
145 context
->as_etypes
= tmptypes
;
147 ret
= set_etypes (context
, "default_tgs_etypes", &tmptypes
);
150 free(context
->tgs_etypes
);
151 context
->tgs_etypes
= tmptypes
;
153 ret
= set_etypes (context
, "permitted_enctypes", &tmptypes
);
156 free(context
->permitted_enctypes
);
157 context
->permitted_enctypes
= tmptypes
;
159 /* default keytab name */
162 tmp
= getenv("KRB5_KTNAME");
164 context
->default_keytab
= tmp
;
166 INIT_FIELD(context
, string
, default_keytab
,
167 KEYTAB_DEFAULT
, "default_keytab_name");
169 INIT_FIELD(context
, string
, default_keytab_modify
,
170 NULL
, "default_keytab_modify_name");
172 INIT_FIELD(context
, string
, time_fmt
,
173 "%Y-%m-%dT%H:%M:%S", "time_format");
175 INIT_FIELD(context
, string
, date_fmt
,
176 "%Y-%m-%d", "date_format");
178 INIT_FIELD(context
, bool, log_utc
,
183 /* init dns-proxy slime */
184 tmp
= krb5_config_get_string(context
, NULL
, "libdefaults",
187 roken_gethostby_setup(context
->http_proxy
, tmp
);
188 krb5_free_host_realm (context
, context
->default_realms
);
189 context
->default_realms
= NULL
;
192 krb5_addresses addresses
;
195 krb5_set_extra_addresses(context
, NULL
);
196 adr
= krb5_config_get_strings(context
, NULL
,
200 memset(&addresses
, 0, sizeof(addresses
));
201 for(a
= adr
; a
&& *a
; a
++) {
202 ret
= krb5_parse_address(context
, *a
, &addresses
);
204 krb5_add_extra_addresses(context
, &addresses
);
205 krb5_free_addresses(context
, &addresses
);
208 krb5_config_free_strings(adr
);
210 krb5_set_ignore_addresses(context
, NULL
);
211 adr
= krb5_config_get_strings(context
, NULL
,
215 memset(&addresses
, 0, sizeof(addresses
));
216 for(a
= adr
; a
&& *a
; a
++) {
217 ret
= krb5_parse_address(context
, *a
, &addresses
);
219 krb5_add_ignore_addresses(context
, &addresses
);
220 krb5_free_addresses(context
, &addresses
);
223 krb5_config_free_strings(adr
);
226 INIT_FIELD(context
, bool, scan_interfaces
, TRUE
, "scan_interfaces");
227 INIT_FIELD(context
, int, fcache_vno
, 0, "fcache_version");
228 /* prefer dns_lookup_kdc over srv_lookup. */
229 INIT_FIELD(context
, bool, srv_lookup
, TRUE
, "srv_lookup");
230 INIT_FIELD(context
, bool, srv_lookup
, context
->srv_lookup
, "dns_lookup_kdc");
231 INIT_FIELD(context
, int, large_msg_size
, 1400, "large_message_size");
232 INIT_FIELD(context
, int, max_msg_size
, 1000 * 1024, "maximum_message_size");
233 INIT_FLAG(context
, flags
, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME
, TRUE
, "dns_canonicalize_hostname");
234 INIT_FLAG(context
, flags
, KRB5_CTX_F_CHECK_PAC
, TRUE
, "check_pac");
236 if (context
->default_cc_name
)
237 free(context
->default_cc_name
);
238 context
->default_cc_name
= NULL
;
239 context
->default_cc_name_set
= 0;
241 s
= krb5_config_get_strings(context
, NULL
, "logging", "krb5", NULL
);
245 if (context
->debug_dest
)
246 krb5_closelog(context
, context
->debug_dest
);
248 krb5_initlog(context
, "libkrb5", &context
->debug_dest
);
250 krb5_addlog_dest(context
, context
->debug_dest
, *p
);
251 krb5_config_free_strings(s
);
254 tmp
= krb5_config_get_string(context
, NULL
, "libdefaults",
255 "check-rd-req-server", NULL
);
256 if (tmp
== NULL
&& !issuid())
257 tmp
= getenv("KRB5_CHECK_RD_REQ_SERVER");
259 if (strcasecmp(tmp
, "ignore") == 0)
260 context
->flags
|= KRB5_CTX_F_RD_REQ_IGNORE
;
262 ret
= krb5_config_get_bool_default(context
, NULL
, TRUE
,
264 "fcache_strict_checking", NULL
);
266 context
->flags
|= KRB5_CTX_F_FCACHE_STRICT_CHECKING
;
271 static krb5_error_code
272 cc_ops_register(krb5_context context
)
274 context
->cc_ops
= NULL
;
275 context
->num_cc_ops
= 0;
277 #ifndef KCM_IS_API_CACHE
278 krb5_cc_register(context
, &krb5_acc_ops
, TRUE
);
280 krb5_cc_register(context
, &krb5_fcc_ops
, TRUE
);
281 krb5_cc_register(context
, &krb5_dcc_ops
, TRUE
);
282 krb5_cc_register(context
, &krb5_mcc_ops
, TRUE
);
284 krb5_cc_register(context
, &krb5_scc_ops
, TRUE
);
287 #ifdef KCM_IS_API_CACHE
288 krb5_cc_register(context
, &krb5_akcm_ops
, TRUE
);
290 krb5_cc_register(context
, &krb5_kcm_ops
, TRUE
);
292 _krb5_load_ccache_plugins(context
);
296 static krb5_error_code
297 cc_ops_copy(krb5_context context
, const krb5_context src_context
)
299 const krb5_cc_ops
**cc_ops
;
301 context
->cc_ops
= NULL
;
302 context
->num_cc_ops
= 0;
304 if (src_context
->num_cc_ops
== 0)
307 cc_ops
= malloc(sizeof(cc_ops
[0]) * src_context
->num_cc_ops
);
308 if (cc_ops
== NULL
) {
309 krb5_set_error_message(context
, KRB5_CC_NOMEM
,
310 N_("malloc: out of memory", ""));
311 return KRB5_CC_NOMEM
;
314 memcpy(rk_UNCONST(cc_ops
), src_context
->cc_ops
,
315 sizeof(cc_ops
[0]) * src_context
->num_cc_ops
);
316 context
->cc_ops
= cc_ops
;
317 context
->num_cc_ops
= src_context
->num_cc_ops
;
322 static krb5_error_code
323 kt_ops_register(krb5_context context
)
325 context
->num_kt_types
= 0;
326 context
->kt_types
= NULL
;
328 krb5_kt_register (context
, &krb5_fkt_ops
);
329 krb5_kt_register (context
, &krb5_wrfkt_ops
);
330 krb5_kt_register (context
, &krb5_javakt_ops
);
331 krb5_kt_register (context
, &krb5_mkt_ops
);
332 #ifndef HEIMDAL_SMALLER
333 krb5_kt_register (context
, &krb5_akf_ops
);
335 krb5_kt_register (context
, &krb5_any_ops
);
339 static krb5_error_code
340 kt_ops_copy(krb5_context context
, const krb5_context src_context
)
342 context
->num_kt_types
= 0;
343 context
->kt_types
= NULL
;
345 if (src_context
->num_kt_types
== 0)
348 context
->kt_types
= malloc(sizeof(context
->kt_types
[0]) * src_context
->num_kt_types
);
349 if (context
->kt_types
== NULL
)
350 return krb5_enomem(context
);
352 context
->num_kt_types
= src_context
->num_kt_types
;
353 memcpy(context
->kt_types
, src_context
->kt_types
,
354 sizeof(context
->kt_types
[0]) * src_context
->num_kt_types
);
359 static const char *sysplugin_dirs
[] = {
363 "$ORIGIN/../lib/plugin/krb5",
366 LIBDIR
"/plugin/krb5",
367 "/Library/KerberosPlugins/KerberosFrameworkPlugins",
368 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
374 init_context_once(void *ctx
)
376 krb5_context context
= ctx
;
380 dirs
= rk_UNCONST(sysplugin_dirs
);
382 dirs
= krb5_config_get_strings(context
, NULL
, "libdefaults",
385 dirs
= rk_UNCONST(sysplugin_dirs
);
388 _krb5_load_plugins(context
, "krb5", (const char **)dirs
);
390 if (dirs
!= rk_UNCONST(sysplugin_dirs
))
391 krb5_config_free_strings(dirs
);
393 bindtextdomain(HEIMDAL_TEXTDOMAIN
, HEIMDAL_LOCALEDIR
);
398 * Initializes the context structure and reads the configuration file
399 * /etc/krb5.conf. The structure should be freed by calling
400 * krb5_free_context() when it is no longer being used.
402 * @param context pointer to returned context
404 * @return Returns 0 to indicate success. Otherwise an errno code is
405 * returned. Failure means either that something bad happened during
406 * initialization (typically ENOMEM) or that Kerberos should not be
412 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
413 krb5_init_context(krb5_context
*context
)
415 static heim_base_once_t init_context
= HEIM_BASE_ONCE_INIT
;
422 p
= calloc(1, sizeof(*p
));
426 p
->mutex
= malloc(sizeof(HEIMDAL_MUTEX
));
427 if (p
->mutex
== NULL
) {
431 HEIMDAL_MUTEX_init(p
->mutex
);
433 p
->flags
|= KRB5_CTX_F_HOMEDIR_ACCESS
;
435 ret
= krb5_get_default_config_files(&files
);
438 ret
= krb5_set_config_files(p
, files
);
439 krb5_free_config_files(files
);
443 /* done enough to load plugins */
444 heim_base_once_f(&init_context
, p
, init_context_once
);
446 /* init error tables */
452 ret
= hx509_context_init(&p
->hx509ctx
);
457 p
->flags
|= KRB5_CTX_F_SOCKETS_INITIALIZED
;
461 krb5_free_context(p
);
468 #ifndef HEIMDAL_SMALLER
470 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
471 krb5_get_permitted_enctypes(krb5_context context
,
472 krb5_enctype
**etypes
)
474 return krb5_get_default_in_tkt_etypes(context
, KRB5_PDU_NONE
, etypes
);
481 static krb5_error_code
482 copy_etypes (krb5_context context
,
483 krb5_enctype
*enctypes
,
484 krb5_enctype
**ret_enctypes
)
488 for (i
= 0; enctypes
[i
]; i
++)
492 *ret_enctypes
= malloc(sizeof(ret_enctypes
[0]) * i
);
493 if (*ret_enctypes
== NULL
)
494 return krb5_enomem(context
);
495 memcpy(*ret_enctypes
, enctypes
, sizeof(ret_enctypes
[0]) * i
);
500 * Make a copy for the Kerberos 5 context, the new krb5_context shoud
501 * be freed with krb5_free_context().
503 * @param context the Kerberos context to copy
504 * @param out the copy of the Kerberos, set to NULL error.
506 * @return Returns 0 to indicate success. Otherwise an kerberos et
507 * error code is returned, see krb5_get_error_message().
512 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
513 krb5_copy_context(krb5_context context
, krb5_context
*out
)
520 p
= calloc(1, sizeof(*p
));
522 return krb5_enomem(context
);
524 p
->mutex
= malloc(sizeof(HEIMDAL_MUTEX
));
525 if (p
->mutex
== NULL
) {
527 return krb5_enomem(context
);
529 HEIMDAL_MUTEX_init(p
->mutex
);
532 if (context
->default_cc_name
)
533 p
->default_cc_name
= strdup(context
->default_cc_name
);
534 if (context
->default_cc_name_env
)
535 p
->default_cc_name_env
= strdup(context
->default_cc_name_env
);
537 if (context
->etypes
) {
538 ret
= copy_etypes(context
, context
->etypes
, &p
->etypes
);
542 if (context
->etypes_des
) {
543 ret
= copy_etypes(context
, context
->etypes_des
, &p
->etypes_des
);
548 if (context
->default_realms
) {
549 ret
= krb5_copy_host_realm(context
,
550 context
->default_realms
, &p
->default_realms
);
555 ret
= _krb5_config_copy(context
, context
->cf
, &p
->cf
);
559 /* XXX should copy */
562 cc_ops_copy(p
, context
);
563 kt_ops_copy(p
, context
);
566 if(context
->warn_dest
!= NULL
)
568 if(context
->debug_dest
!= NULL
)
572 ret
= krb5_set_extra_addresses(p
, context
->extra_addresses
);
575 ret
= krb5_set_extra_addresses(p
, context
->ignore_addresses
);
579 ret
= _krb5_copy_send_to_kdc_func(p
, context
);
588 krb5_free_context(p
);
595 * Frees the krb5_context allocated by krb5_init_context().
597 * @param context context to be freed.
602 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
603 krb5_free_context(krb5_context context
)
605 if (context
->default_cc_name
)
606 free(context
->default_cc_name
);
607 if (context
->default_cc_name_env
)
608 free(context
->default_cc_name_env
);
609 free(context
->etypes
);
610 free(context
->etypes_des
);
611 krb5_free_host_realm (context
, context
->default_realms
);
612 krb5_config_file_free (context
, context
->cf
);
613 free_error_table (context
->et_list
);
614 free(rk_UNCONST(context
->cc_ops
));
615 free(context
->kt_types
);
616 krb5_clear_error_message(context
);
617 if(context
->warn_dest
!= NULL
)
618 krb5_closelog(context
, context
->warn_dest
);
619 if(context
->debug_dest
!= NULL
)
620 krb5_closelog(context
, context
->debug_dest
);
621 krb5_set_extra_addresses(context
, NULL
);
622 krb5_set_ignore_addresses(context
, NULL
);
623 krb5_set_send_to_kdc_func(context
, NULL
, NULL
);
626 if (context
->hx509ctx
)
627 hx509_context_free(&context
->hx509ctx
);
630 HEIMDAL_MUTEX_destroy(context
->mutex
);
631 free(context
->mutex
);
632 if (context
->flags
& KRB5_CTX_F_SOCKETS_INITIALIZED
) {
636 memset(context
, 0, sizeof(*context
));
641 * Reinit the context from a new set of filenames.
643 * @param context context to add configuration too.
644 * @param filenames array of filenames, end of list is indicated with a NULL filename.
646 * @return Returns 0 to indicate success. Otherwise an kerberos et
647 * error code is returned, see krb5_get_error_message().
652 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
653 krb5_set_config_files(krb5_context context
, char **filenames
)
656 krb5_config_binding
*tmp
= NULL
;
657 while(filenames
!= NULL
&& *filenames
!= NULL
&& **filenames
!= '\0') {
658 ret
= krb5_config_parse_file_multi(context
, *filenames
, &tmp
);
659 if(ret
!= 0 && ret
!= ENOENT
&& ret
!= EACCES
&& ret
!= EPERM
) {
660 krb5_config_file_free(context
, tmp
);
666 /* with this enabled and if there are no config files, Kerberos is
667 considererd disabled */
673 _krb5_load_config_from_registry(context
, &tmp
);
676 krb5_config_file_free(context
, context
->cf
);
678 ret
= init_context_from_config_file(context
);
682 static krb5_error_code
683 add_file(char ***pfilenames
, int *len
, char *file
)
685 char **pp
= *pfilenames
;
688 for(i
= 0; i
< *len
; i
++) {
689 if(strcmp(pp
[i
], file
) == 0) {
695 pp
= realloc(*pfilenames
, (*len
+ 2) * sizeof(*pp
));
709 * `pq' isn't free, it's up the the caller
712 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
713 krb5_prepend_config_files(const char *filelist
, char **pq
, char ***ret_pp
)
728 l
= strsep_copy(&q
, PATH_SEP
, NULL
, 0);
733 krb5_free_config_files(pp
);
736 (void)strsep_copy(&p
, PATH_SEP
, fn
, l
+ 1);
737 ret
= add_file(&pp
, &len
, fn
);
739 krb5_free_config_files(pp
);
747 for (i
= 0; pq
[i
] != NULL
; i
++) {
750 krb5_free_config_files(pp
);
753 ret
= add_file(&pp
, &len
, fn
);
755 krb5_free_config_files(pp
);
766 * Prepend the filename to the global configuration list.
768 * @param filelist a filename to add to the default list of filename
769 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
771 * @return Returns 0 to indicate success. Otherwise an kerberos et
772 * error code is returned, see krb5_get_error_message().
777 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
778 krb5_prepend_config_files_default(const char *filelist
, char ***pfilenames
)
781 char **defpp
, **pp
= NULL
;
783 ret
= krb5_get_default_config_files(&defpp
);
787 ret
= krb5_prepend_config_files(filelist
, defpp
, &pp
);
788 krb5_free_config_files(defpp
);
799 * Checks the registry for configuration file location
801 * Kerberos for Windows and other legacy Kerberos applications expect
802 * to find the configuration file location in the
803 * SOFTWARE\MIT\Kerberos registry key under the value "config".
805 KRB5_LIB_FUNCTION
char * KRB5_LIB_CALL
806 _krb5_get_default_config_config_files_from_registry()
808 static const char * KeyName
= "Software\\MIT\\Kerberos";
809 char *config_file
= NULL
;
813 rcode
= RegOpenKeyEx(HKEY_CURRENT_USER
, KeyName
, 0, KEY_READ
, &key
);
814 if (rcode
== ERROR_SUCCESS
) {
815 config_file
= _krb5_parse_reg_value_as_multi_string(NULL
, key
, "config",
816 REG_NONE
, 0, PATH_SEP
);
823 rcode
= RegOpenKeyEx(HKEY_LOCAL_MACHINE
, KeyName
, 0, KEY_READ
, &key
);
824 if (rcode
== ERROR_SUCCESS
) {
825 config_file
= _krb5_parse_reg_value_as_multi_string(NULL
, key
, "config",
826 REG_NONE
, 0, PATH_SEP
);
836 * Get the global configuration list.
838 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
840 * @return Returns 0 to indicate success. Otherwise an kerberos et
841 * error code is returned, see krb5_get_error_message().
846 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
847 krb5_get_default_config_files(char ***pfilenames
)
849 const char *files
= NULL
;
851 if (pfilenames
== NULL
)
854 files
= getenv("KRB5_CONFIG");
859 reg_files
= _krb5_get_default_config_config_files_from_registry();
860 if (reg_files
!= NULL
) {
861 krb5_error_code code
;
863 code
= krb5_prepend_config_files(reg_files
, NULL
, pfilenames
);
872 files
= krb5_config_file
;
874 return krb5_prepend_config_files(files
, NULL
, pfilenames
);
878 * Free a list of configuration files.
880 * @param filenames list, terminated with a NULL pointer, to be
881 * freed. NULL is an valid argument.
883 * @return Returns 0 to indicate success. Otherwise an kerberos et
884 * error code is returned, see krb5_get_error_message().
889 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
890 krb5_free_config_files(char **filenames
)
893 for(p
= filenames
; p
&& *p
!= NULL
; p
++)
899 * Returns the list of Kerberos encryption types sorted in order of
900 * most preferred to least preferred encryption type. Note that some
901 * encryption types might be disabled, so you need to check with
902 * krb5_enctype_valid() before using the encryption type.
904 * @return list of enctypes, terminated with ETYPE_NULL. Its a static
905 * array completed into the Kerberos library so the content doesn't
911 KRB5_LIB_FUNCTION
const krb5_enctype
* KRB5_LIB_CALL
912 krb5_kerberos_enctypes(krb5_context context
)
914 static const krb5_enctype p
[] = {
915 ETYPE_AES256_CTS_HMAC_SHA1_96
,
916 ETYPE_AES128_CTS_HMAC_SHA1_96
,
918 ETYPE_ARCFOUR_HMAC_MD5
,
922 static const krb5_enctype weak
[] = {
923 ETYPE_AES256_CTS_HMAC_SHA1_96
,
924 ETYPE_AES128_CTS_HMAC_SHA1_96
,
927 ETYPE_ARCFOUR_HMAC_MD5
,
935 * if the list of enctypes enabled by "allow_weak_crypto"
936 * are valid, then return the former default enctype list
937 * that contained the weak entries.
939 if (krb5_enctype_valid(context
, ETYPE_DES_CBC_CRC
) == 0 &&
940 krb5_enctype_valid(context
, ETYPE_DES_CBC_MD4
) == 0 &&
941 krb5_enctype_valid(context
, ETYPE_DES_CBC_MD5
) == 0 &&
942 krb5_enctype_valid(context
, ETYPE_DES_CBC_NONE
) == 0 &&
943 krb5_enctype_valid(context
, ETYPE_DES_CFB64_NONE
) == 0 &&
944 krb5_enctype_valid(context
, ETYPE_DES_PCBC_NONE
) == 0)
954 static krb5_error_code
955 copy_enctypes(krb5_context context
,
956 const krb5_enctype
*in
,
959 krb5_enctype
*p
= NULL
;
962 for (n
= 0; in
[n
]; n
++)
967 return krb5_enomem(context
);
968 for (n
= 0, m
= 0; in
[n
]; n
++) {
969 if (krb5_enctype_valid(context
, in
[n
]) != 0)
973 p
[m
] = KRB5_ENCTYPE_NULL
;
976 krb5_set_error_message (context
, KRB5_PROG_ETYPE_NOSUPP
,
977 N_("no valid enctype set", ""));
978 return KRB5_PROG_ETYPE_NOSUPP
;
986 * set `etype' to a malloced list of the default enctypes
989 static krb5_error_code
990 default_etypes(krb5_context context
, krb5_enctype
**etype
)
992 const krb5_enctype
*p
= krb5_kerberos_enctypes(context
);
993 return copy_enctypes(context
, p
, etype
);
997 * Set the default encryption types that will be use in communcation
998 * with the KDC, clients and servers.
1000 * @param context Kerberos 5 context.
1001 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
1003 * @return Returns 0 to indicate success. Otherwise an kerberos et
1004 * error code is returned, see krb5_get_error_message().
1009 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1010 krb5_set_default_in_tkt_etypes(krb5_context context
,
1011 const krb5_enctype
*etypes
)
1013 krb5_error_code ret
;
1014 krb5_enctype
*p
= NULL
;
1017 ret
= copy_enctypes(context
, etypes
, &p
);
1022 free(context
->etypes
);
1023 context
->etypes
= p
;
1028 * Get the default encryption types that will be use in communcation
1029 * with the KDC, clients and servers.
1031 * @param context Kerberos 5 context.
1032 * @param etypes Encryption types, array terminated with
1033 * ETYPE_NULL(0), caller should free array with krb5_xfree():
1035 * @return Returns 0 to indicate success. Otherwise an kerberos et
1036 * error code is returned, see krb5_get_error_message().
1041 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1042 krb5_get_default_in_tkt_etypes(krb5_context context
,
1044 krb5_enctype
**etypes
)
1046 krb5_enctype
*enctypes
= NULL
;
1047 krb5_error_code ret
;
1050 heim_assert(pdu_type
== KRB5_PDU_AS_REQUEST
||
1051 pdu_type
== KRB5_PDU_TGS_REQUEST
||
1052 pdu_type
== KRB5_PDU_NONE
, "pdu contant not as expected");
1054 if (pdu_type
== KRB5_PDU_AS_REQUEST
&& context
->as_etypes
!= NULL
)
1055 enctypes
= context
->as_etypes
;
1056 else if (pdu_type
== KRB5_PDU_TGS_REQUEST
&& context
->tgs_etypes
!= NULL
)
1057 enctypes
= context
->tgs_etypes
;
1058 else if (context
->etypes
!= NULL
)
1059 enctypes
= context
->etypes
;
1061 if (enctypes
!= NULL
) {
1062 ret
= copy_enctypes(context
, enctypes
, &p
);
1066 ret
= default_etypes(context
, &p
);
1075 * Init the built-in ets in the Kerberos library.
1077 * @param context kerberos context to add the ets too
1082 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
1083 krb5_init_ets(krb5_context context
)
1085 if(context
->et_list
== NULL
){
1086 krb5_add_et_list(context
, initialize_krb5_error_table_r
);
1087 krb5_add_et_list(context
, initialize_asn1_error_table_r
);
1088 krb5_add_et_list(context
, initialize_heim_error_table_r
);
1090 krb5_add_et_list(context
, initialize_k524_error_table_r
);
1092 #ifdef COM_ERR_BINDDOMAIN_krb5
1093 bindtextdomain(COM_ERR_BINDDOMAIN_krb5
, HEIMDAL_LOCALEDIR
);
1094 bindtextdomain(COM_ERR_BINDDOMAIN_asn1
, HEIMDAL_LOCALEDIR
);
1095 bindtextdomain(COM_ERR_BINDDOMAIN_heim
, HEIMDAL_LOCALEDIR
);
1096 bindtextdomain(COM_ERR_BINDDOMAIN_k524
, HEIMDAL_LOCALEDIR
);
1100 krb5_add_et_list(context
, initialize_hx_error_table_r
);
1101 #ifdef COM_ERR_BINDDOMAIN_hx
1102 bindtextdomain(COM_ERR_BINDDOMAIN_hx
, HEIMDAL_LOCALEDIR
);
1109 * Make the kerberos library default to the admin KDC.
1111 * @param context Kerberos 5 context.
1112 * @param flag boolean flag to select if the use the admin KDC or not.
1117 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
1118 krb5_set_use_admin_kdc (krb5_context context
, krb5_boolean flag
)
1120 context
->use_admin_kdc
= flag
;
1124 * Make the kerberos library default to the admin KDC.
1126 * @param context Kerberos 5 context.
1128 * @return boolean flag to telling the context will use admin KDC as the default KDC.
1133 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1134 krb5_get_use_admin_kdc (krb5_context context
)
1136 return context
->use_admin_kdc
;
1140 * Add extra address to the address list that the library will add to
1141 * the client's address list when communicating with the KDC.
1143 * @param context Kerberos 5 context.
1144 * @param addresses addreses to add
1146 * @return Returns 0 to indicate success. Otherwise an kerberos et
1147 * error code is returned, see krb5_get_error_message().
1152 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1153 krb5_add_extra_addresses(krb5_context context
, krb5_addresses
*addresses
)
1156 if(context
->extra_addresses
)
1157 return krb5_append_addresses(context
,
1158 context
->extra_addresses
, addresses
);
1160 return krb5_set_extra_addresses(context
, addresses
);
1164 * Set extra address to the address list that the library will add to
1165 * the client's address list when communicating with the KDC.
1167 * @param context Kerberos 5 context.
1168 * @param addresses addreses to set
1170 * @return Returns 0 to indicate success. Otherwise an kerberos et
1171 * error code is returned, see krb5_get_error_message().
1176 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1177 krb5_set_extra_addresses(krb5_context context
, const krb5_addresses
*addresses
)
1179 if(context
->extra_addresses
)
1180 krb5_free_addresses(context
, context
->extra_addresses
);
1182 if(addresses
== NULL
) {
1183 if(context
->extra_addresses
!= NULL
) {
1184 free(context
->extra_addresses
);
1185 context
->extra_addresses
= NULL
;
1189 if(context
->extra_addresses
== NULL
) {
1190 context
->extra_addresses
= malloc(sizeof(*context
->extra_addresses
));
1191 if (context
->extra_addresses
== NULL
)
1192 return krb5_enomem(context
);
1194 return krb5_copy_addresses(context
, addresses
, context
->extra_addresses
);
1198 * Get extra address to the address list that the library will add to
1199 * the client's address list when communicating with the KDC.
1201 * @param context Kerberos 5 context.
1202 * @param addresses addreses to set
1204 * @return Returns 0 to indicate success. Otherwise an kerberos et
1205 * error code is returned, see krb5_get_error_message().
1210 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1211 krb5_get_extra_addresses(krb5_context context
, krb5_addresses
*addresses
)
1213 if(context
->extra_addresses
== NULL
) {
1214 memset(addresses
, 0, sizeof(*addresses
));
1217 return krb5_copy_addresses(context
,context
->extra_addresses
, addresses
);
1221 * Add extra addresses to ignore when fetching addresses from the
1222 * underlaying operating system.
1224 * @param context Kerberos 5 context.
1225 * @param addresses addreses to ignore
1227 * @return Returns 0 to indicate success. Otherwise an kerberos et
1228 * error code is returned, see krb5_get_error_message().
1233 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1234 krb5_add_ignore_addresses(krb5_context context
, krb5_addresses
*addresses
)
1237 if(context
->ignore_addresses
)
1238 return krb5_append_addresses(context
,
1239 context
->ignore_addresses
, addresses
);
1241 return krb5_set_ignore_addresses(context
, addresses
);
1245 * Set extra addresses to ignore when fetching addresses from the
1246 * underlaying operating system.
1248 * @param context Kerberos 5 context.
1249 * @param addresses addreses to ignore
1251 * @return Returns 0 to indicate success. Otherwise an kerberos et
1252 * error code is returned, see krb5_get_error_message().
1257 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1258 krb5_set_ignore_addresses(krb5_context context
, const krb5_addresses
*addresses
)
1260 if(context
->ignore_addresses
)
1261 krb5_free_addresses(context
, context
->ignore_addresses
);
1262 if(addresses
== NULL
) {
1263 if(context
->ignore_addresses
!= NULL
) {
1264 free(context
->ignore_addresses
);
1265 context
->ignore_addresses
= NULL
;
1269 if(context
->ignore_addresses
== NULL
) {
1270 context
->ignore_addresses
= malloc(sizeof(*context
->ignore_addresses
));
1271 if (context
->ignore_addresses
== NULL
)
1272 return krb5_enomem(context
);
1274 return krb5_copy_addresses(context
, addresses
, context
->ignore_addresses
);
1278 * Get extra addresses to ignore when fetching addresses from the
1279 * underlaying operating system.
1281 * @param context Kerberos 5 context.
1282 * @param addresses list addreses ignored
1284 * @return Returns 0 to indicate success. Otherwise an kerberos et
1285 * error code is returned, see krb5_get_error_message().
1290 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1291 krb5_get_ignore_addresses(krb5_context context
, krb5_addresses
*addresses
)
1293 if(context
->ignore_addresses
== NULL
) {
1294 memset(addresses
, 0, sizeof(*addresses
));
1297 return krb5_copy_addresses(context
, context
->ignore_addresses
, addresses
);
1301 * Set version of fcache that the library should use.
1303 * @param context Kerberos 5 context.
1304 * @param version version number.
1306 * @return Returns 0 to indicate success. Otherwise an kerberos et
1307 * error code is returned, see krb5_get_error_message().
1312 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1313 krb5_set_fcache_version(krb5_context context
, int version
)
1315 context
->fcache_vno
= version
;
1320 * Get version of fcache that the library should use.
1322 * @param context Kerberos 5 context.
1323 * @param version version number.
1325 * @return Returns 0 to indicate success. Otherwise an kerberos et
1326 * error code is returned, see krb5_get_error_message().
1331 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1332 krb5_get_fcache_version(krb5_context context
, int *version
)
1334 *version
= context
->fcache_vno
;
1339 * Runtime check if the Kerberos library was complied with thread support.
1341 * @return TRUE if the library was compiled with thread support, FALSE if not.
1347 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1348 krb5_is_thread_safe(void)
1350 #ifdef ENABLE_PTHREAD_SUPPORT
1358 * Set if the library should use DNS to canonicalize hostnames.
1360 * @param context Kerberos 5 context.
1361 * @param flag if its dns canonicalizion is used or not.
1366 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
1367 krb5_set_dns_canonicalize_hostname (krb5_context context
, krb5_boolean flag
)
1370 context
->flags
|= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME
;
1372 context
->flags
&= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME
;
1376 * Get if the library uses DNS to canonicalize hostnames.
1378 * @param context Kerberos 5 context.
1380 * @return return non zero if the library uses DNS to canonicalize hostnames.
1385 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1386 krb5_get_dns_canonicalize_hostname (krb5_context context
)
1388 return (context
->flags
& KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME
) ? 1 : 0;
1392 * Get current offset in time to the KDC.
1394 * @param context Kerberos 5 context.
1395 * @param sec seconds part of offset.
1396 * @param usec micro seconds part of offset.
1398 * @return returns zero
1403 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1404 krb5_get_kdc_sec_offset (krb5_context context
, int32_t *sec
, int32_t *usec
)
1407 *sec
= context
->kdc_sec_offset
;
1409 *usec
= context
->kdc_usec_offset
;
1414 * Set current offset in time to the KDC.
1416 * @param context Kerberos 5 context.
1417 * @param sec seconds part of offset.
1418 * @param usec micro seconds part of offset.
1420 * @return returns zero
1425 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1426 krb5_set_kdc_sec_offset (krb5_context context
, int32_t sec
, int32_t usec
)
1428 context
->kdc_sec_offset
= sec
;
1430 context
->kdc_usec_offset
= usec
;
1435 * Get max time skew allowed.
1437 * @param context Kerberos 5 context.
1439 * @return timeskew in seconds.
1444 KRB5_LIB_FUNCTION
time_t KRB5_LIB_CALL
1445 krb5_get_max_time_skew (krb5_context context
)
1447 return context
->max_skew
;
1451 * Set max time skew allowed.
1453 * @param context Kerberos 5 context.
1454 * @param t timeskew in seconds.
1459 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
1460 krb5_set_max_time_skew (krb5_context context
, time_t t
)
1462 context
->max_skew
= t
;
1466 * Init encryption types in len, val with etypes.
1468 * @param context Kerberos 5 context.
1469 * @param pdu_type type of pdu
1470 * @param len output length of val.
1471 * @param val output array of enctypes.
1472 * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1474 * @return Returns 0 to indicate success. Otherwise an kerberos et
1475 * error code is returned, see krb5_get_error_message().
1480 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1481 _krb5_init_etype(krb5_context context
,
1485 const krb5_enctype
*etypes
)
1487 krb5_error_code ret
;
1490 ret
= krb5_get_default_in_tkt_etypes(context
, pdu_type
, val
);
1492 ret
= copy_enctypes(context
, etypes
, val
);
1498 while ((*val
)[*len
] != KRB5_ENCTYPE_NULL
)
1505 * Allow homedir accces
1508 static HEIMDAL_MUTEX homedir_mutex
= HEIMDAL_MUTEX_INITIALIZER
;
1509 static krb5_boolean allow_homedir
= TRUE
;
1511 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1512 _krb5_homedir_access(krb5_context context
)
1516 if (context
&& (context
->flags
& KRB5_CTX_F_HOMEDIR_ACCESS
) == 0)
1519 HEIMDAL_MUTEX_lock(&homedir_mutex
);
1520 allow
= allow_homedir
;
1521 HEIMDAL_MUTEX_unlock(&homedir_mutex
);
1526 * Enable and disable home directory access on either the global state
1527 * or the krb5_context state. By calling krb5_set_home_dir_access()
1528 * with context set to NULL, the global state is configured otherwise
1529 * the state for the krb5_context is modified.
1531 * For home directory access to be allowed, both the global state and
1532 * the krb5_context state have to be allowed.
1534 * Administrator (root user), never uses the home directory.
1536 * @param context a Kerberos 5 context or NULL
1537 * @param allow allow if TRUE home directory
1538 * @return the old value
1543 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1544 krb5_set_home_dir_access(krb5_context context
, krb5_boolean allow
)
1548 old
= (context
->flags
& KRB5_CTX_F_HOMEDIR_ACCESS
) ? TRUE
: FALSE
;
1550 context
->flags
|= KRB5_CTX_F_HOMEDIR_ACCESS
;
1552 context
->flags
&= ~KRB5_CTX_F_HOMEDIR_ACCESS
;
1554 HEIMDAL_MUTEX_lock(&homedir_mutex
);
1555 old
= allow_homedir
;
1556 allow_homedir
= allow
;
1557 HEIMDAL_MUTEX_unlock(&homedir_mutex
);