search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
intruduce krb5_generate_random() that can fail and return an error, check for it...
[heimdal.git] / lib / krb5 / context.c
blob179c4e8a19422ccfdaa462785dff2f87caf7a45b
1 /*
2 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37 #include <assert.h>
38 #include <com_err.h>
39
40 #define INIT_FIELD(C, T, E, D, F) \
41 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
42 "libdefaults", F, NULL)
43
44 #define INIT_FLAG(C, O, V, D, F) \
45 do { \
46 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
47 (C)->O |= V; \
48 } \
49 } while(0)
50
51 /*
52 * Set the list of etypes `ret_etypes' from the configuration variable
53 * `name'
54 */
55
56 static krb5_error_code
57 set_etypes (krb5_context context,
58 const char *name,
59 krb5_enctype **ret_enctypes)
60 {
61 char **etypes_str;
62 krb5_enctype *etypes = NULL;
63
64 etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
65 name, NULL);
66 if(etypes_str){
67 int i, j, k;
68 for(i = 0; etypes_str[i]; i++);
69 etypes = malloc((i+1) * sizeof(*etypes));
70 if (etypes == NULL) {
71 krb5_config_free_strings (etypes_str);
72 return krb5_enomem(context);
73 }
74 for(j = 0, k = 0; j < i; j++) {
75 krb5_enctype e;
76 if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
77 continue;
78 if (krb5_enctype_valid(context, e) != 0)
79 continue;
80 etypes[k++] = e;
81 }
82 etypes[k] = ETYPE_NULL;
83 krb5_config_free_strings(etypes_str);
84 }
85 *ret_enctypes = etypes;
86 return 0;
87 }
88
89 /*
90 * read variables from the configuration file and set in `context'
91 */
92
93 static krb5_error_code
94 init_context_from_config_file(krb5_context context)
95 {
96 krb5_error_code ret;
97 const char * tmp;
98 char **s;
99 krb5_enctype *tmptypes;
100 uint8_t rnd;
101
102 /*
103 * Pick one random character to make sure our random-ness source
104 * is alive.
105 */
106 ret = krb5_generate_random(&rnd, sizeof(rnd));
107 if (ret)
108 return ret;
109
110 INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
111 INIT_FIELD(context, time, kdc_timeout, 30, "kdc_timeout");
112 INIT_FIELD(context, time, host_timeout, 3, "host_timeout");
113 INIT_FIELD(context, int, max_retries, 3, "max_retries");
114
115 INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
116
117 ret = krb5_config_get_bool_default(context, NULL, FALSE,
118 "libdefaults",
119 "allow_weak_crypto", NULL);
120 if (ret) {
121 krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
122 krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
123 krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
124 krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
125 krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
126 krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
127 }
128
129 ret = set_etypes (context, "default_etypes", &tmptypes);
130 if(ret)
131 return ret;
132 free(context->etypes);
133 context->etypes = tmptypes;
134
135 ret = set_etypes (context, "default_etypes_des", &tmptypes);
136 if(ret)
137 return ret;
138 free(context->etypes_des);
139 context->etypes_des = tmptypes;
140
141 ret = set_etypes (context, "default_as_etypes", &tmptypes);
142 if(ret)
143 return ret;
144 free(context->as_etypes);
145 context->as_etypes = tmptypes;
146
147 ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
148 if(ret)
149 return ret;
150 free(context->tgs_etypes);
151 context->tgs_etypes = tmptypes;
152
153 ret = set_etypes (context, "permitted_enctypes", &tmptypes);
154 if(ret)
155 return ret;
156 free(context->permitted_enctypes);
157 context->permitted_enctypes = tmptypes;
158
159 /* default keytab name */
160 tmp = NULL;
161 if(!issuid())
162 tmp = getenv("KRB5_KTNAME");
163 if(tmp != NULL)
164 context->default_keytab = tmp;
165 else
166 INIT_FIELD(context, string, default_keytab,
167 KEYTAB_DEFAULT, "default_keytab_name");
168
169 INIT_FIELD(context, string, default_keytab_modify,
170 NULL, "default_keytab_modify_name");
171
172 INIT_FIELD(context, string, time_fmt,
173 "%Y-%m-%dT%H:%M:%S", "time_format");
174
175 INIT_FIELD(context, string, date_fmt,
176 "%Y-%m-%d", "date_format");
177
178 INIT_FIELD(context, bool, log_utc,
179 FALSE, "log_utc");
180
181
182
183 /* init dns-proxy slime */
184 tmp = krb5_config_get_string(context, NULL, "libdefaults",
185 "dns_proxy", NULL);
186 if(tmp)
187 roken_gethostby_setup(context->http_proxy, tmp);
188 krb5_free_host_realm (context, context->default_realms);
189 context->default_realms = NULL;
190
191 {
192 krb5_addresses addresses;
193 char **adr, **a;
194
195 krb5_set_extra_addresses(context, NULL);
196 adr = krb5_config_get_strings(context, NULL,
197 "libdefaults",
198 "extra_addresses",
199 NULL);
200 memset(&addresses, 0, sizeof(addresses));
201 for(a = adr; a && *a; a++) {
202 ret = krb5_parse_address(context, *a, &addresses);
203 if (ret == 0) {
204 krb5_add_extra_addresses(context, &addresses);
205 krb5_free_addresses(context, &addresses);
206 }
207 }
208 krb5_config_free_strings(adr);
209
210 krb5_set_ignore_addresses(context, NULL);
211 adr = krb5_config_get_strings(context, NULL,
212 "libdefaults",
213 "ignore_addresses",
214 NULL);
215 memset(&addresses, 0, sizeof(addresses));
216 for(a = adr; a && *a; a++) {
217 ret = krb5_parse_address(context, *a, &addresses);
218 if (ret == 0) {
219 krb5_add_ignore_addresses(context, &addresses);
220 krb5_free_addresses(context, &addresses);
221 }
222 }
223 krb5_config_free_strings(adr);
224 }
225
226 INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
227 INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
228 /* prefer dns_lookup_kdc over srv_lookup. */
229 INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
230 INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
231 INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
232 INIT_FIELD(context, int, max_msg_size, 1000 * 1024, "maximum_message_size");
233 INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
234 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
235
236 if (context->default_cc_name)
237 free(context->default_cc_name);
238 context->default_cc_name = NULL;
239 context->default_cc_name_set = 0;
240
241 s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
242 if(s) {
243 char **p;
244
245 if (context->debug_dest)
246 krb5_closelog(context, context->debug_dest);
247
248 krb5_initlog(context, "libkrb5", &context->debug_dest);
249 for(p = s; *p; p++)
250 krb5_addlog_dest(context, context->debug_dest, *p);
251 krb5_config_free_strings(s);
252 }
253
254 tmp = krb5_config_get_string(context, NULL, "libdefaults",
255 "check-rd-req-server", NULL);
256 if (tmp == NULL && !issuid())
257 tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
258 if(tmp) {
259 if (strcasecmp(tmp, "ignore") == 0)
260 context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
261 }
262 ret = krb5_config_get_bool_default(context, NULL, TRUE,
263 "libdefaults",
264 "fcache_strict_checking", NULL);
265 if (ret)
266 context->flags |= KRB5_CTX_F_FCACHE_STRICT_CHECKING;
267
268 return 0;
269 }
270
271 static krb5_error_code
272 cc_ops_register(krb5_context context)
273 {
274 context->cc_ops = NULL;
275 context->num_cc_ops = 0;
276
277 #ifndef KCM_IS_API_CACHE
278 krb5_cc_register(context, &krb5_acc_ops, TRUE);
279 #endif
280 krb5_cc_register(context, &krb5_fcc_ops, TRUE);
281 krb5_cc_register(context, &krb5_dcc_ops, TRUE);
282 krb5_cc_register(context, &krb5_mcc_ops, TRUE);
283 #ifdef HAVE_SCC
284 krb5_cc_register(context, &krb5_scc_ops, TRUE);
285 #endif
286 #ifdef HAVE_KCM
287 #ifdef KCM_IS_API_CACHE
288 krb5_cc_register(context, &krb5_akcm_ops, TRUE);
289 #endif
290 krb5_cc_register(context, &krb5_kcm_ops, TRUE);
291 #endif
292 _krb5_load_ccache_plugins(context);
293 return 0;
294 }
295
296 static krb5_error_code
297 cc_ops_copy(krb5_context context, const krb5_context src_context)
298 {
299 const krb5_cc_ops **cc_ops;
300
301 context->cc_ops = NULL;
302 context->num_cc_ops = 0;
303
304 if (src_context->num_cc_ops == 0)
305 return 0;
306
307 cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
308 if (cc_ops == NULL) {
309 krb5_set_error_message(context, KRB5_CC_NOMEM,
310 N_("malloc: out of memory", ""));
311 return KRB5_CC_NOMEM;
312 }
313
314 memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
315 sizeof(cc_ops[0]) * src_context->num_cc_ops);
316 context->cc_ops = cc_ops;
317 context->num_cc_ops = src_context->num_cc_ops;
318
319 return 0;
320 }
321
322 static krb5_error_code
323 kt_ops_register(krb5_context context)
324 {
325 context->num_kt_types = 0;
326 context->kt_types = NULL;
327
328 krb5_kt_register (context, &krb5_fkt_ops);
329 krb5_kt_register (context, &krb5_wrfkt_ops);
330 krb5_kt_register (context, &krb5_javakt_ops);
331 krb5_kt_register (context, &krb5_mkt_ops);
332 #ifndef HEIMDAL_SMALLER
333 krb5_kt_register (context, &krb5_akf_ops);
334 #endif
335 krb5_kt_register (context, &krb5_any_ops);
336 return 0;
337 }
338
339 static krb5_error_code
340 kt_ops_copy(krb5_context context, const krb5_context src_context)
341 {
342 context->num_kt_types = 0;
343 context->kt_types = NULL;
344
345 if (src_context->num_kt_types == 0)
346 return 0;
347
348 context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
349 if (context->kt_types == NULL)
350 return krb5_enomem(context);
351
352 context->num_kt_types = src_context->num_kt_types;
353 memcpy(context->kt_types, src_context->kt_types,
354 sizeof(context->kt_types[0]) * src_context->num_kt_types);
355
356 return 0;
357 }
358
359 static const char *sysplugin_dirs[] = {
360 #ifdef _WIN32
361 "$ORIGIN",
362 #else
363 "$ORIGIN/../lib/plugin/krb5",
364 #endif
365 #ifdef __APPLE__
366 LIBDIR "/plugin/krb5",
367 "/Library/KerberosPlugins/KerberosFrameworkPlugins",
368 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
369 #endif
370 NULL
371 };
372
373 static void
374 init_context_once(void *ctx)
375 {
376 krb5_context context = ctx;
377 char **dirs;
378
379 #ifdef _WIN32
380 dirs = rk_UNCONST(sysplugin_dirs);
381 #else
382 dirs = krb5_config_get_strings(context, NULL, "libdefaults",
383 "plugin_dir", NULL);
384 if (dirs == NULL)
385 dirs = rk_UNCONST(sysplugin_dirs);
386 #endif
387
388 _krb5_load_plugins(context, "krb5", (const char **)dirs);
389
390 if (dirs != rk_UNCONST(sysplugin_dirs))
391 krb5_config_free_strings(dirs);
392
393 bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
394 }
395
396
397 /**
398 * Initializes the context structure and reads the configuration file
399 * /etc/krb5.conf. The structure should be freed by calling
400 * krb5_free_context() when it is no longer being used.
401 *
402 * @param context pointer to returned context
403 *
404 * @return Returns 0 to indicate success. Otherwise an errno code is
405 * returned. Failure means either that something bad happened during
406 * initialization (typically ENOMEM) or that Kerberos should not be
407 * used ENXIO.
408 *
409 * @ingroup krb5
410 */
411
412 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
413 krb5_init_context(krb5_context *context)
414 {
415 static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
416 krb5_context p;
417 krb5_error_code ret;
418 char **files;
419
420 *context = NULL;
421
422 p = calloc(1, sizeof(*p));
423 if(!p)
424 return ENOMEM;
425
426 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
427 if (p->mutex == NULL) {
428 free(p);
429 return ENOMEM;
430 }
431 HEIMDAL_MUTEX_init(p->mutex);
432
433 p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
434
435 ret = krb5_get_default_config_files(&files);
436 if(ret)
437 goto out;
438 ret = krb5_set_config_files(p, files);
439 krb5_free_config_files(files);
440 if(ret)
441 goto out;
442
443 /* done enough to load plugins */
444 heim_base_once_f(&init_context, p, init_context_once);
445
446 /* init error tables */
447 krb5_init_ets(p);
448 cc_ops_register(p);
449 kt_ops_register(p);
450
451 #ifdef PKINIT
452 ret = hx509_context_init(&p->hx509ctx);
453 if (ret)
454 goto out;
455 #endif
456 if (rk_SOCK_INIT())
457 p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
458
459 out:
460 if(ret) {
461 krb5_free_context(p);
462 p = NULL;
463 }
464 *context = p;
465 return ret;
466 }
467
468 #ifndef HEIMDAL_SMALLER
469
470 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
471 krb5_get_permitted_enctypes(krb5_context context,
472 krb5_enctype **etypes)
473 {
474 return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
475 }
476
477 /*
478 *
479 */
480
481 static krb5_error_code
482 copy_etypes (krb5_context context,
483 krb5_enctype *enctypes,
484 krb5_enctype **ret_enctypes)
485 {
486 unsigned int i;
487
488 for (i = 0; enctypes[i]; i++)
489 ;
490 i++;
491
492 *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i);
493 if (*ret_enctypes == NULL)
494 return krb5_enomem(context);
495 memcpy(*ret_enctypes, enctypes, sizeof(ret_enctypes[0]) * i);
496 return 0;
497 }
498
499 /**
500 * Make a copy for the Kerberos 5 context, the new krb5_context shoud
501 * be freed with krb5_free_context().
502 *
503 * @param context the Kerberos context to copy
504 * @param out the copy of the Kerberos, set to NULL error.
505 *
506 * @return Returns 0 to indicate success. Otherwise an kerberos et
507 * error code is returned, see krb5_get_error_message().
508 *
509 * @ingroup krb5
510 */
511
512 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
513 krb5_copy_context(krb5_context context, krb5_context *out)
514 {
515 krb5_error_code ret;
516 krb5_context p;
517
518 *out = NULL;
519
520 p = calloc(1, sizeof(*p));
521 if (p == NULL)
522 return krb5_enomem(context);
523
524 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
525 if (p->mutex == NULL) {
526 free(p);
527 return krb5_enomem(context);
528 }
529 HEIMDAL_MUTEX_init(p->mutex);
530
531
532 if (context->default_cc_name)
533 p->default_cc_name = strdup(context->default_cc_name);
534 if (context->default_cc_name_env)
535 p->default_cc_name_env = strdup(context->default_cc_name_env);
536
537 if (context->etypes) {
538 ret = copy_etypes(context, context->etypes, &p->etypes);
539 if (ret)
540 goto out;
541 }
542 if (context->etypes_des) {
543 ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
544 if (ret)
545 goto out;
546 }
547
548 if (context->default_realms) {
549 ret = krb5_copy_host_realm(context,
550 context->default_realms, &p->default_realms);
551 if (ret)
552 goto out;
553 }
554
555 ret = _krb5_config_copy(context, context->cf, &p->cf);
556 if (ret)
557 goto out;
558
559 /* XXX should copy */
560 krb5_init_ets(p);
561
562 cc_ops_copy(p, context);
563 kt_ops_copy(p, context);
564
565 #if 0 /* XXX */
566 if(context->warn_dest != NULL)
567 ;
568 if(context->debug_dest != NULL)
569 ;
570 #endif
571
572 ret = krb5_set_extra_addresses(p, context->extra_addresses);
573 if (ret)
574 goto out;
575 ret = krb5_set_extra_addresses(p, context->ignore_addresses);
576 if (ret)
577 goto out;
578
579 ret = _krb5_copy_send_to_kdc_func(p, context);
580 if (ret)
581 goto out;
582
583 *out = p;
584
585 return 0;
586
587 out:
588 krb5_free_context(p);
589 return ret;
590 }
591
592 #endif
593
594 /**
595 * Frees the krb5_context allocated by krb5_init_context().
596 *
597 * @param context context to be freed.
598 *
599 * @ingroup krb5
600 */
601
602 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
603 krb5_free_context(krb5_context context)
604 {
605 if (context->default_cc_name)
606 free(context->default_cc_name);
607 if (context->default_cc_name_env)
608 free(context->default_cc_name_env);
609 free(context->etypes);
610 free(context->etypes_des);
611 krb5_free_host_realm (context, context->default_realms);
612 krb5_config_file_free (context, context->cf);
613 free_error_table (context->et_list);
614 free(rk_UNCONST(context->cc_ops));
615 free(context->kt_types);
616 krb5_clear_error_message(context);
617 if(context->warn_dest != NULL)
618 krb5_closelog(context, context->warn_dest);
619 if(context->debug_dest != NULL)
620 krb5_closelog(context, context->debug_dest);
621 krb5_set_extra_addresses(context, NULL);
622 krb5_set_ignore_addresses(context, NULL);
623 krb5_set_send_to_kdc_func(context, NULL, NULL);
624
625 #ifdef PKINIT
626 if (context->hx509ctx)
627 hx509_context_free(&context->hx509ctx);
628 #endif
629
630 HEIMDAL_MUTEX_destroy(context->mutex);
631 free(context->mutex);
632 if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
633 rk_SOCK_EXIT();
634 }
635
636 memset(context, 0, sizeof(*context));
637 free(context);
638 }
639
640 /**
641 * Reinit the context from a new set of filenames.
642 *
643 * @param context context to add configuration too.
644 * @param filenames array of filenames, end of list is indicated with a NULL filename.
645 *
646 * @return Returns 0 to indicate success. Otherwise an kerberos et
647 * error code is returned, see krb5_get_error_message().
648 *
649 * @ingroup krb5
650 */
651
652 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
653 krb5_set_config_files(krb5_context context, char **filenames)
654 {
655 krb5_error_code ret;
656 krb5_config_binding *tmp = NULL;
657 while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
658 ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
659 if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) {
660 krb5_config_file_free(context, tmp);
661 return ret;
662 }
663 filenames++;
664 }
665 #if 0
666 /* with this enabled and if there are no config files, Kerberos is
667 considererd disabled */
668 if(tmp == NULL)
669 return ENXIO;
670 #endif
671
672 #ifdef _WIN32
673 _krb5_load_config_from_registry(context, &tmp);
674 #endif
675
676 krb5_config_file_free(context, context->cf);
677 context->cf = tmp;
678 ret = init_context_from_config_file(context);
679 return ret;
680 }
681
682 static krb5_error_code
683 add_file(char ***pfilenames, int *len, char *file)
684 {
685 char **pp = *pfilenames;
686 int i;
687
688 for(i = 0; i < *len; i++) {
689 if(strcmp(pp[i], file) == 0) {
690 free(file);
691 return 0;
692 }
693 }
694
695 pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp));
696 if (pp == NULL) {
697 free(file);
698 return ENOMEM;
699 }
700
701 pp[*len] = file;
702 pp[*len + 1] = NULL;
703 *pfilenames = pp;
704 *len += 1;
705 return 0;
706 }
707
708 /*
709 * `pq' isn't free, it's up the the caller
710 */
711
712 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
713 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
714 {
715 krb5_error_code ret;
716 const char *p, *q;
717 char **pp;
718 int len;
719 char *fn;
720
721 pp = NULL;
722
723 len = 0;
724 p = filelist;
725 while(1) {
726 ssize_t l;
727 q = p;
728 l = strsep_copy(&q, PATH_SEP, NULL, 0);
729 if(l == -1)
730 break;
731 fn = malloc(l + 1);
732 if(fn == NULL) {
733 krb5_free_config_files(pp);
734 return ENOMEM;
735 }
736 (void)strsep_copy(&p, PATH_SEP, fn, l + 1);
737 ret = add_file(&pp, &len, fn);
738 if (ret) {
739 krb5_free_config_files(pp);
740 return ret;
741 }
742 }
743
744 if (pq != NULL) {
745 int i;
746
747 for (i = 0; pq[i] != NULL; i++) {
748 fn = strdup(pq[i]);
749 if (fn == NULL) {
750 krb5_free_config_files(pp);
751 return ENOMEM;
752 }
753 ret = add_file(&pp, &len, fn);
754 if (ret) {
755 krb5_free_config_files(pp);
756 return ret;
757 }
758 }
759 }
760
761 *ret_pp = pp;
762 return 0;
763 }
764
765 /**
766 * Prepend the filename to the global configuration list.
767 *
768 * @param filelist a filename to add to the default list of filename
769 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
770 *
771 * @return Returns 0 to indicate success. Otherwise an kerberos et
772 * error code is returned, see krb5_get_error_message().
773 *
774 * @ingroup krb5
775 */
776
777 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
778 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
779 {
780 krb5_error_code ret;
781 char **defpp, **pp = NULL;
782
783 ret = krb5_get_default_config_files(&defpp);
784 if (ret)
785 return ret;
786
787 ret = krb5_prepend_config_files(filelist, defpp, &pp);
788 krb5_free_config_files(defpp);
789 if (ret) {
790 return ret;
791 }
792 *pfilenames = pp;
793 return 0;
794 }
795
796 #ifdef _WIN32
797
798 /**
799 * Checks the registry for configuration file location
800 *
801 * Kerberos for Windows and other legacy Kerberos applications expect
802 * to find the configuration file location in the
803 * SOFTWARE\MIT\Kerberos registry key under the value "config".
804 */
805 KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
806 _krb5_get_default_config_config_files_from_registry()
807 {
808 static const char * KeyName = "Software\\MIT\\Kerberos";
809 char *config_file = NULL;
810 LONG rcode;
811 HKEY key;
812
813 rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key);
814 if (rcode == ERROR_SUCCESS) {
815 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
816 REG_NONE, 0, PATH_SEP);
817 RegCloseKey(key);
818 }
819
820 if (config_file)
821 return config_file;
822
823 rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key);
824 if (rcode == ERROR_SUCCESS) {
825 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
826 REG_NONE, 0, PATH_SEP);
827 RegCloseKey(key);
828 }
829
830 return config_file;
831 }
832
833 #endif
834
835 /**
836 * Get the global configuration list.
837 *
838 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
839 *
840 * @return Returns 0 to indicate success. Otherwise an kerberos et
841 * error code is returned, see krb5_get_error_message().
842 *
843 * @ingroup krb5
844 */
845
846 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
847 krb5_get_default_config_files(char ***pfilenames)
848 {
849 const char *files = NULL;
850
851 if (pfilenames == NULL)
852 return EINVAL;
853 if(!issuid())
854 files = getenv("KRB5_CONFIG");
855
856 #ifdef _WIN32
857 if (files == NULL) {
858 char * reg_files;
859 reg_files = _krb5_get_default_config_config_files_from_registry();
860 if (reg_files != NULL) {
861 krb5_error_code code;
862
863 code = krb5_prepend_config_files(reg_files, NULL, pfilenames);
864 free(reg_files);
865
866 return code;
867 }
868 }
869 #endif
870
871 if (files == NULL)
872 files = krb5_config_file;
873
874 return krb5_prepend_config_files(files, NULL, pfilenames);
875 }
876
877 /**
878 * Free a list of configuration files.
879 *
880 * @param filenames list, terminated with a NULL pointer, to be
881 * freed. NULL is an valid argument.
882 *
883 * @return Returns 0 to indicate success. Otherwise an kerberos et
884 * error code is returned, see krb5_get_error_message().
885 *
886 * @ingroup krb5
887 */
888
889 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
890 krb5_free_config_files(char **filenames)
891 {
892 char **p;
893 for(p = filenames; p && *p != NULL; p++)
894 free(*p);
895 free(filenames);
896 }
897
898 /**
899 * Returns the list of Kerberos encryption types sorted in order of
900 * most preferred to least preferred encryption type. Note that some
901 * encryption types might be disabled, so you need to check with
902 * krb5_enctype_valid() before using the encryption type.
903 *
904 * @return list of enctypes, terminated with ETYPE_NULL. Its a static
905 * array completed into the Kerberos library so the content doesn't
906 * need to be freed.
907 *
908 * @ingroup krb5
909 */
910
911 KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
912 krb5_kerberos_enctypes(krb5_context context)
913 {
914 static const krb5_enctype p[] = {
915 ETYPE_AES256_CTS_HMAC_SHA1_96,
916 ETYPE_AES128_CTS_HMAC_SHA1_96,
917 ETYPE_DES3_CBC_SHA1,
918 ETYPE_ARCFOUR_HMAC_MD5,
919 ETYPE_NULL
920 };
921
922 static const krb5_enctype weak[] = {
923 ETYPE_AES256_CTS_HMAC_SHA1_96,
924 ETYPE_AES128_CTS_HMAC_SHA1_96,
925 ETYPE_DES3_CBC_SHA1,
926 ETYPE_DES3_CBC_MD5,
927 ETYPE_ARCFOUR_HMAC_MD5,
928 ETYPE_DES_CBC_MD5,
929 ETYPE_DES_CBC_MD4,
930 ETYPE_DES_CBC_CRC,
931 ETYPE_NULL
932 };
933
934 /*
935 * if the list of enctypes enabled by "allow_weak_crypto"
936 * are valid, then return the former default enctype list
937 * that contained the weak entries.
938 */
939 if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC) == 0 &&
940 krb5_enctype_valid(context, ETYPE_DES_CBC_MD4) == 0 &&
941 krb5_enctype_valid(context, ETYPE_DES_CBC_MD5) == 0 &&
942 krb5_enctype_valid(context, ETYPE_DES_CBC_NONE) == 0 &&
943 krb5_enctype_valid(context, ETYPE_DES_CFB64_NONE) == 0 &&
944 krb5_enctype_valid(context, ETYPE_DES_PCBC_NONE) == 0)
945 return weak;
946
947 return p;
948 }
949
950 /*
951 *
952 */
953
954 static krb5_error_code
955 copy_enctypes(krb5_context context,
956 const krb5_enctype *in,
957 krb5_enctype **out)
958 {
959 krb5_enctype *p = NULL;
960 size_t m, n;
961
962 for (n = 0; in[n]; n++)
963 ;
964 n++;
965 ALLOC(p, n);
966 if(p == NULL)
967 return krb5_enomem(context);
968 for (n = 0, m = 0; in[n]; n++) {
969 if (krb5_enctype_valid(context, in[n]) != 0)
970 continue;
971 p[m++] = in[n];
972 }
973 p[m] = KRB5_ENCTYPE_NULL;
974 if (m == 0) {
975 free(p);
976 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
977 N_("no valid enctype set", ""));
978 return KRB5_PROG_ETYPE_NOSUPP;
979 }
980 *out = p;
981 return 0;
982 }
983
984
985 /*
986 * set `etype' to a malloced list of the default enctypes
987 */
988
989 static krb5_error_code
990 default_etypes(krb5_context context, krb5_enctype **etype)
991 {
992 const krb5_enctype *p = krb5_kerberos_enctypes(context);
993 return copy_enctypes(context, p, etype);
994 }
995
996 /**
997 * Set the default encryption types that will be use in communcation
998 * with the KDC, clients and servers.
999 *
1000 * @param context Kerberos 5 context.
1001 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
1002 *
1003 * @return Returns 0 to indicate success. Otherwise an kerberos et
1004 * error code is returned, see krb5_get_error_message().
1005 *
1006 * @ingroup krb5
1007 */
1008
1009 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1010 krb5_set_default_in_tkt_etypes(krb5_context context,
1011 const krb5_enctype *etypes)
1012 {
1013 krb5_error_code ret;
1014 krb5_enctype *p = NULL;
1015
1016 if(etypes) {
1017 ret = copy_enctypes(context, etypes, &p);
1018 if (ret)
1019 return ret;
1020 }
1021 if(context->etypes)
1022 free(context->etypes);
1023 context->etypes = p;
1024 return 0;
1025 }
1026
1027 /**
1028 * Get the default encryption types that will be use in communcation
1029 * with the KDC, clients and servers.
1030 *
1031 * @param context Kerberos 5 context.
1032 * @param etypes Encryption types, array terminated with
1033 * ETYPE_NULL(0), caller should free array with krb5_xfree():
1034 *
1035 * @return Returns 0 to indicate success. Otherwise an kerberos et
1036 * error code is returned, see krb5_get_error_message().
1037 *
1038 * @ingroup krb5
1039 */
1040
1041 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1042 krb5_get_default_in_tkt_etypes(krb5_context context,
1043 krb5_pdu pdu_type,
1044 krb5_enctype **etypes)
1045 {
1046 krb5_enctype *enctypes = NULL;
1047 krb5_error_code ret;
1048 krb5_enctype *p;
1049
1050 heim_assert(pdu_type == KRB5_PDU_AS_REQUEST ||
1051 pdu_type == KRB5_PDU_TGS_REQUEST ||
1052 pdu_type == KRB5_PDU_NONE, "pdu contant not as expected");
1053
1054 if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
1055 enctypes = context->as_etypes;
1056 else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
1057 enctypes = context->tgs_etypes;
1058 else if (context->etypes != NULL)
1059 enctypes = context->etypes;
1060
1061 if (enctypes != NULL) {
1062 ret = copy_enctypes(context, enctypes, &p);
1063 if (ret)
1064 return ret;
1065 } else {
1066 ret = default_etypes(context, &p);
1067 if (ret)
1068 return ret;
1069 }
1070 *etypes = p;
1071 return 0;
1072 }
1073
1074 /**
1075 * Init the built-in ets in the Kerberos library.
1076 *
1077 * @param context kerberos context to add the ets too
1078 *
1079 * @ingroup krb5
1080 */
1081
1082 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1083 krb5_init_ets(krb5_context context)
1084 {
1085 if(context->et_list == NULL){
1086 krb5_add_et_list(context, initialize_krb5_error_table_r);
1087 krb5_add_et_list(context, initialize_asn1_error_table_r);
1088 krb5_add_et_list(context, initialize_heim_error_table_r);
1089
1090 krb5_add_et_list(context, initialize_k524_error_table_r);
1091
1092 #ifdef COM_ERR_BINDDOMAIN_krb5
1093 bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
1094 bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
1095 bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
1096 bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
1097 #endif
1098
1099 #ifdef PKINIT
1100 krb5_add_et_list(context, initialize_hx_error_table_r);
1101 #ifdef COM_ERR_BINDDOMAIN_hx
1102 bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
1103 #endif
1104 #endif
1105 }
1106 }
1107
1108 /**
1109 * Make the kerberos library default to the admin KDC.
1110 *
1111 * @param context Kerberos 5 context.
1112 * @param flag boolean flag to select if the use the admin KDC or not.
1113 *
1114 * @ingroup krb5
1115 */
1116
1117 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1118 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
1119 {
1120 context->use_admin_kdc = flag;
1121 }
1122
1123 /**
1124 * Make the kerberos library default to the admin KDC.
1125 *
1126 * @param context Kerberos 5 context.
1127 *
1128 * @return boolean flag to telling the context will use admin KDC as the default KDC.
1129 *
1130 * @ingroup krb5
1131 */
1132
1133 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1134 krb5_get_use_admin_kdc (krb5_context context)
1135 {
1136 return context->use_admin_kdc;
1137 }
1138
1139 /**
1140 * Add extra address to the address list that the library will add to
1141 * the client's address list when communicating with the KDC.
1142 *
1143 * @param context Kerberos 5 context.
1144 * @param addresses addreses to add
1145 *
1146 * @return Returns 0 to indicate success. Otherwise an kerberos et
1147 * error code is returned, see krb5_get_error_message().
1148 *
1149 * @ingroup krb5
1150 */
1151
1152 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1153 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
1154 {
1155
1156 if(context->extra_addresses)
1157 return krb5_append_addresses(context,
1158 context->extra_addresses, addresses);
1159 else
1160 return krb5_set_extra_addresses(context, addresses);
1161 }
1162
1163 /**
1164 * Set extra address to the address list that the library will add to
1165 * the client's address list when communicating with the KDC.
1166 *
1167 * @param context Kerberos 5 context.
1168 * @param addresses addreses to set
1169 *
1170 * @return Returns 0 to indicate success. Otherwise an kerberos et
1171 * error code is returned, see krb5_get_error_message().
1172 *
1173 * @ingroup krb5
1174 */
1175
1176 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1177 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
1178 {
1179 if(context->extra_addresses)
1180 krb5_free_addresses(context, context->extra_addresses);
1181
1182 if(addresses == NULL) {
1183 if(context->extra_addresses != NULL) {
1184 free(context->extra_addresses);
1185 context->extra_addresses = NULL;
1186 }
1187 return 0;
1188 }
1189 if(context->extra_addresses == NULL) {
1190 context->extra_addresses = malloc(sizeof(*context->extra_addresses));
1191 if (context->extra_addresses == NULL)
1192 return krb5_enomem(context);
1193 }
1194 return krb5_copy_addresses(context, addresses, context->extra_addresses);
1195 }
1196
1197 /**
1198 * Get extra address to the address list that the library will add to
1199 * the client's address list when communicating with the KDC.
1200 *
1201 * @param context Kerberos 5 context.
1202 * @param addresses addreses to set
1203 *
1204 * @return Returns 0 to indicate success. Otherwise an kerberos et
1205 * error code is returned, see krb5_get_error_message().
1206 *
1207 * @ingroup krb5
1208 */
1209
1210 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1211 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
1212 {
1213 if(context->extra_addresses == NULL) {
1214 memset(addresses, 0, sizeof(*addresses));
1215 return 0;
1216 }
1217 return krb5_copy_addresses(context,context->extra_addresses, addresses);
1218 }
1219
1220 /**
1221 * Add extra addresses to ignore when fetching addresses from the
1222 * underlaying operating system.
1223 *
1224 * @param context Kerberos 5 context.
1225 * @param addresses addreses to ignore
1226 *
1227 * @return Returns 0 to indicate success. Otherwise an kerberos et
1228 * error code is returned, see krb5_get_error_message().
1229 *
1230 * @ingroup krb5
1231 */
1232
1233 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1234 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1235 {
1236
1237 if(context->ignore_addresses)
1238 return krb5_append_addresses(context,
1239 context->ignore_addresses, addresses);
1240 else
1241 return krb5_set_ignore_addresses(context, addresses);
1242 }
1243
1244 /**
1245 * Set extra addresses to ignore when fetching addresses from the
1246 * underlaying operating system.
1247 *
1248 * @param context Kerberos 5 context.
1249 * @param addresses addreses to ignore
1250 *
1251 * @return Returns 0 to indicate success. Otherwise an kerberos et
1252 * error code is returned, see krb5_get_error_message().
1253 *
1254 * @ingroup krb5
1255 */
1256
1257 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1258 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
1259 {
1260 if(context->ignore_addresses)
1261 krb5_free_addresses(context, context->ignore_addresses);
1262 if(addresses == NULL) {
1263 if(context->ignore_addresses != NULL) {
1264 free(context->ignore_addresses);
1265 context->ignore_addresses = NULL;
1266 }
1267 return 0;
1268 }
1269 if(context->ignore_addresses == NULL) {
1270 context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
1271 if (context->ignore_addresses == NULL)
1272 return krb5_enomem(context);
1273 }
1274 return krb5_copy_addresses(context, addresses, context->ignore_addresses);
1275 }
1276
1277 /**
1278 * Get extra addresses to ignore when fetching addresses from the
1279 * underlaying operating system.
1280 *
1281 * @param context Kerberos 5 context.
1282 * @param addresses list addreses ignored
1283 *
1284 * @return Returns 0 to indicate success. Otherwise an kerberos et
1285 * error code is returned, see krb5_get_error_message().
1286 *
1287 * @ingroup krb5
1288 */
1289
1290 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1291 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1292 {
1293 if(context->ignore_addresses == NULL) {
1294 memset(addresses, 0, sizeof(*addresses));
1295 return 0;
1296 }
1297 return krb5_copy_addresses(context, context->ignore_addresses, addresses);
1298 }
1299
1300 /**
1301 * Set version of fcache that the library should use.
1302 *
1303 * @param context Kerberos 5 context.
1304 * @param version version number.
1305 *
1306 * @return Returns 0 to indicate success. Otherwise an kerberos et
1307 * error code is returned, see krb5_get_error_message().
1308 *
1309 * @ingroup krb5
1310 */
1311
1312 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1313 krb5_set_fcache_version(krb5_context context, int version)
1314 {
1315 context->fcache_vno = version;
1316 return 0;
1317 }
1318
1319 /**
1320 * Get version of fcache that the library should use.
1321 *
1322 * @param context Kerberos 5 context.
1323 * @param version version number.
1324 *
1325 * @return Returns 0 to indicate success. Otherwise an kerberos et
1326 * error code is returned, see krb5_get_error_message().
1327 *
1328 * @ingroup krb5
1329 */
1330
1331 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1332 krb5_get_fcache_version(krb5_context context, int *version)
1333 {
1334 *version = context->fcache_vno;
1335 return 0;
1336 }
1337
1338 /**
1339 * Runtime check if the Kerberos library was complied with thread support.
1340 *
1341 * @return TRUE if the library was compiled with thread support, FALSE if not.
1342 *
1343 * @ingroup krb5
1344 */
1345
1346
1347 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1348 krb5_is_thread_safe(void)
1349 {
1350 #ifdef ENABLE_PTHREAD_SUPPORT
1351 return TRUE;
1352 #else
1353 return FALSE;
1354 #endif
1355 }
1356
1357 /**
1358 * Set if the library should use DNS to canonicalize hostnames.
1359 *
1360 * @param context Kerberos 5 context.
1361 * @param flag if its dns canonicalizion is used or not.
1362 *
1363 * @ingroup krb5
1364 */
1365
1366 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1367 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
1368 {
1369 if (flag)
1370 context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1371 else
1372 context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1373 }
1374
1375 /**
1376 * Get if the library uses DNS to canonicalize hostnames.
1377 *
1378 * @param context Kerberos 5 context.
1379 *
1380 * @return return non zero if the library uses DNS to canonicalize hostnames.
1381 *
1382 * @ingroup krb5
1383 */
1384
1385 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1386 krb5_get_dns_canonicalize_hostname (krb5_context context)
1387 {
1388 return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
1389 }
1390
1391 /**
1392 * Get current offset in time to the KDC.
1393 *
1394 * @param context Kerberos 5 context.
1395 * @param sec seconds part of offset.
1396 * @param usec micro seconds part of offset.
1397 *
1398 * @return returns zero
1399 *
1400 * @ingroup krb5
1401 */
1402
1403 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1404 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
1405 {
1406 if (sec)
1407 *sec = context->kdc_sec_offset;
1408 if (usec)
1409 *usec = context->kdc_usec_offset;
1410 return 0;
1411 }
1412
1413 /**
1414 * Set current offset in time to the KDC.
1415 *
1416 * @param context Kerberos 5 context.
1417 * @param sec seconds part of offset.
1418 * @param usec micro seconds part of offset.
1419 *
1420 * @return returns zero
1421 *
1422 * @ingroup krb5
1423 */
1424
1425 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1426 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1427 {
1428 context->kdc_sec_offset = sec;
1429 if (usec >= 0)
1430 context->kdc_usec_offset = usec;
1431 return 0;
1432 }
1433
1434 /**
1435 * Get max time skew allowed.
1436 *
1437 * @param context Kerberos 5 context.
1438 *
1439 * @return timeskew in seconds.
1440 *
1441 * @ingroup krb5
1442 */
1443
1444 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
1445 krb5_get_max_time_skew (krb5_context context)
1446 {
1447 return context->max_skew;
1448 }
1449
1450 /**
1451 * Set max time skew allowed.
1452 *
1453 * @param context Kerberos 5 context.
1454 * @param t timeskew in seconds.
1455 *
1456 * @ingroup krb5
1457 */
1458
1459 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1460 krb5_set_max_time_skew (krb5_context context, time_t t)
1461 {
1462 context->max_skew = t;
1463 }
1464
1465 /*
1466 * Init encryption types in len, val with etypes.
1467 *
1468 * @param context Kerberos 5 context.
1469 * @param pdu_type type of pdu
1470 * @param len output length of val.
1471 * @param val output array of enctypes.
1472 * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1473
1474 * @return Returns 0 to indicate success. Otherwise an kerberos et
1475 * error code is returned, see krb5_get_error_message().
1476 *
1477 * @ingroup krb5
1478 */
1479
1480 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1481 _krb5_init_etype(krb5_context context,
1482 krb5_pdu pdu_type,
1483 unsigned *len,
1484 krb5_enctype **val,
1485 const krb5_enctype *etypes)
1486 {
1487 krb5_error_code ret;
1488
1489 if (etypes == NULL)
1490 ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
1491 else
1492 ret = copy_enctypes(context, etypes, val);
1493 if (ret)
1494 return ret;
1495
1496 if (len) {
1497 *len = 0;
1498 while ((*val)[*len] != KRB5_ENCTYPE_NULL)
1499 (*len)++;
1500 }
1501 return 0;
1502 }
1503
1504 /*
1505 * Allow homedir accces
1506 */
1507
1508 static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
1509 static krb5_boolean allow_homedir = TRUE;
1510
1511 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1512 _krb5_homedir_access(krb5_context context)
1513 {
1514 krb5_boolean allow;
1515
1516 if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
1517 return FALSE;
1518
1519 HEIMDAL_MUTEX_lock(&homedir_mutex);
1520 allow = allow_homedir;
1521 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1522 return allow;
1523 }
1524
1525 /**
1526 * Enable and disable home directory access on either the global state
1527 * or the krb5_context state. By calling krb5_set_home_dir_access()
1528 * with context set to NULL, the global state is configured otherwise
1529 * the state for the krb5_context is modified.
1530 *
1531 * For home directory access to be allowed, both the global state and
1532 * the krb5_context state have to be allowed.
1533 *
1534 * Administrator (root user), never uses the home directory.
1535 *
1536 * @param context a Kerberos 5 context or NULL
1537 * @param allow allow if TRUE home directory
1538 * @return the old value
1539 *
1540 * @ingroup krb5
1541 */
1542
1543 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1544 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
1545 {
1546 krb5_boolean old;
1547 if (context) {
1548 old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
1549 if (allow)
1550 context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
1551 else
1552 context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
1553 } else {
1554 HEIMDAL_MUTEX_lock(&homedir_mutex);
1555 old = allow_homedir;
1556 allow_homedir = allow;
1557 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1558 }
1559
1560 return old;
1561 }
Heimdal