search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge new lorikeet heimdal, revision 85ed7247f515770c73b1f1ced1739f6ce19d75d2
[Samba.git] / source4 / heimdal / lib / krb5 / context.c
blobb6c6870938465990535241d0ee5643c1c3ffabeb
1 /*
2 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37 #include <com_err.h>
38
39 #define INIT_FIELD(C, T, E, D, F) \
40 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
41 "libdefaults", F, NULL)
42
43 #define INIT_FLAG(C, O, V, D, F) \
44 do { \
45 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
46 (C)->O |= V; \
47 } \
48 } while(0)
49
50 /*
51 * Set the list of etypes `ret_etypes' from the configuration variable
52 * `name'
53 */
54
55 static krb5_error_code
56 set_etypes (krb5_context context,
57 const char *name,
58 krb5_enctype **ret_enctypes)
59 {
60 char **etypes_str;
61 krb5_enctype *etypes = NULL;
62
63 etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
64 name, NULL);
65 if(etypes_str){
66 int i, j, k;
67 for(i = 0; etypes_str[i]; i++);
68 etypes = malloc((i+1) * sizeof(*etypes));
69 if (etypes == NULL) {
70 krb5_config_free_strings (etypes_str);
71 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
72 return ENOMEM;
73 }
74 for(j = 0, k = 0; j < i; j++) {
75 krb5_enctype e;
76 if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
77 continue;
78 if (krb5_enctype_valid(context, e) != 0)
79 continue;
80 etypes[k++] = e;
81 }
82 etypes[k] = ETYPE_NULL;
83 krb5_config_free_strings(etypes_str);
84 }
85 *ret_enctypes = etypes;
86 return 0;
87 }
88
89 /*
90 * read variables from the configuration file and set in `context'
91 */
92
93 static krb5_error_code
94 init_context_from_config_file(krb5_context context)
95 {
96 krb5_error_code ret;
97 const char * tmp;
98 char **s;
99 krb5_enctype *tmptypes;
100
101 INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
102 INIT_FIELD(context, time, kdc_timeout, 3, "kdc_timeout");
103 INIT_FIELD(context, int, max_retries, 3, "max_retries");
104
105 INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
106
107 ret = krb5_config_get_bool_default(context, NULL, FALSE,
108 "libdefaults",
109 "allow_weak_crypto", NULL);
110 if (ret) {
111 krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
112 krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
113 krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
114 krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
115 krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
116 krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
117 }
118
119 ret = set_etypes (context, "default_etypes", &tmptypes);
120 if(ret)
121 return ret;
122 free(context->etypes);
123 context->etypes = tmptypes;
124
125 ret = set_etypes (context, "default_etypes_des", &tmptypes);
126 if(ret)
127 return ret;
128 free(context->etypes_des);
129 context->etypes_des = tmptypes;
130
131 /* default keytab name */
132 tmp = NULL;
133 if(!issuid())
134 tmp = getenv("KRB5_KTNAME");
135 if(tmp != NULL)
136 context->default_keytab = tmp;
137 else
138 INIT_FIELD(context, string, default_keytab,
139 KEYTAB_DEFAULT, "default_keytab_name");
140
141 INIT_FIELD(context, string, default_keytab_modify,
142 NULL, "default_keytab_modify_name");
143
144 INIT_FIELD(context, string, time_fmt,
145 "%Y-%m-%dT%H:%M:%S", "time_format");
146
147 INIT_FIELD(context, string, date_fmt,
148 "%Y-%m-%d", "date_format");
149
150 INIT_FIELD(context, bool, log_utc,
151 FALSE, "log_utc");
152
153
154
155 /* init dns-proxy slime */
156 tmp = krb5_config_get_string(context, NULL, "libdefaults",
157 "dns_proxy", NULL);
158 if(tmp)
159 roken_gethostby_setup(context->http_proxy, tmp);
160 krb5_free_host_realm (context, context->default_realms);
161 context->default_realms = NULL;
162
163 {
164 krb5_addresses addresses;
165 char **adr, **a;
166
167 krb5_set_extra_addresses(context, NULL);
168 adr = krb5_config_get_strings(context, NULL,
169 "libdefaults",
170 "extra_addresses",
171 NULL);
172 memset(&addresses, 0, sizeof(addresses));
173 for(a = adr; a && *a; a++) {
174 ret = krb5_parse_address(context, *a, &addresses);
175 if (ret == 0) {
176 krb5_add_extra_addresses(context, &addresses);
177 krb5_free_addresses(context, &addresses);
178 }
179 }
180 krb5_config_free_strings(adr);
181
182 krb5_set_ignore_addresses(context, NULL);
183 adr = krb5_config_get_strings(context, NULL,
184 "libdefaults",
185 "ignore_addresses",
186 NULL);
187 memset(&addresses, 0, sizeof(addresses));
188 for(a = adr; a && *a; a++) {
189 ret = krb5_parse_address(context, *a, &addresses);
190 if (ret == 0) {
191 krb5_add_ignore_addresses(context, &addresses);
192 krb5_free_addresses(context, &addresses);
193 }
194 }
195 krb5_config_free_strings(adr);
196 }
197
198 INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
199 INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
200 /* prefer dns_lookup_kdc over srv_lookup. */
201 INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
202 INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
203 INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
204 INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
205 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
206 context->default_cc_name = NULL;
207 context->default_cc_name_set = 0;
208
209 s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
210 if(s) {
211 char **p;
212 krb5_initlog(context, "libkrb5", &context->debug_dest);
213 for(p = s; *p; p++)
214 krb5_addlog_dest(context, context->debug_dest, *p);
215 krb5_config_free_strings(s);
216 }
217
218 tmp = krb5_config_get_string(context, NULL, "libdefaults",
219 "check-rd-req-server", NULL);
220 if (tmp == NULL && !issuid())
221 tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
222 if(tmp) {
223 if (strcasecmp(tmp, "ignore") == 0)
224 context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
225 }
226
227 return 0;
228 }
229
230 static krb5_error_code
231 cc_ops_register(krb5_context context)
232 {
233 context->cc_ops = NULL;
234 context->num_cc_ops = 0;
235
236 #ifndef KCM_IS_API_CACHE
237 krb5_cc_register(context, &krb5_acc_ops, TRUE);
238 #endif
239 krb5_cc_register(context, &krb5_fcc_ops, TRUE);
240 krb5_cc_register(context, &krb5_mcc_ops, TRUE);
241 #ifdef HAVE_SCC
242 krb5_cc_register(context, &krb5_scc_ops, TRUE);
243 #endif
244 #ifdef HAVE_KCM
245 #ifdef KCM_IS_API_CACHE
246 krb5_cc_register(context, &krb5_akcm_ops, TRUE);
247 #endif
248 krb5_cc_register(context, &krb5_kcm_ops, TRUE);
249 #endif
250 _krb5_load_ccache_plugins(context);
251 return 0;
252 }
253
254 static krb5_error_code
255 cc_ops_copy(krb5_context context, const krb5_context src_context)
256 {
257 const krb5_cc_ops **cc_ops;
258
259 context->cc_ops = NULL;
260 context->num_cc_ops = 0;
261
262 if (src_context->num_cc_ops == 0)
263 return 0;
264
265 cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
266 if (cc_ops == NULL) {
267 krb5_set_error_message(context, KRB5_CC_NOMEM,
268 N_("malloc: out of memory", ""));
269 return KRB5_CC_NOMEM;
270 }
271
272 memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
273 sizeof(cc_ops[0]) * src_context->num_cc_ops);
274 context->cc_ops = cc_ops;
275 context->num_cc_ops = src_context->num_cc_ops;
276
277 return 0;
278 }
279
280 static krb5_error_code
281 kt_ops_register(krb5_context context)
282 {
283 context->num_kt_types = 0;
284 context->kt_types = NULL;
285
286 krb5_kt_register (context, &krb5_fkt_ops);
287 krb5_kt_register (context, &krb5_wrfkt_ops);
288 krb5_kt_register (context, &krb5_javakt_ops);
289 krb5_kt_register (context, &krb5_mkt_ops);
290 #ifndef HEIMDAL_SMALLER
291 krb5_kt_register (context, &krb5_akf_ops);
292 #endif
293 krb5_kt_register (context, &krb5_any_ops);
294 return 0;
295 }
296
297 static krb5_error_code
298 kt_ops_copy(krb5_context context, const krb5_context src_context)
299 {
300 context->num_kt_types = 0;
301 context->kt_types = NULL;
302
303 if (src_context->num_kt_types == 0)
304 return 0;
305
306 context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
307 if (context->kt_types == NULL) {
308 krb5_set_error_message(context, ENOMEM,
309 N_("malloc: out of memory", ""));
310 return ENOMEM;
311 }
312
313 context->num_kt_types = src_context->num_kt_types;
314 memcpy(context->kt_types, src_context->kt_types,
315 sizeof(context->kt_types[0]) * src_context->num_kt_types);
316
317 return 0;
318 }
319
320 static const char *sysplugin_dirs[] = {
321 LIBDIR "/plugin/krb5",
322 #ifdef __APPLE__
323 "/Library/KerberosPlugins/KerberosFrameworkPlugins",
324 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
325 #endif
326 NULL
327 };
328
329 static void
330 init_context_once(void *ctx)
331 {
332 krb5_context context = ctx;
333
334 _krb5_load_plugins(context, "krb5", sysplugin_dirs);
335
336 bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
337 }
338
339
340 /**
341 * Initializes the context structure and reads the configuration file
342 * /etc/krb5.conf. The structure should be freed by calling
343 * krb5_free_context() when it is no longer being used.
344 *
345 * @param context pointer to returned context
346 *
347 * @return Returns 0 to indicate success. Otherwise an errno code is
348 * returned. Failure means either that something bad happened during
349 * initialization (typically ENOMEM) or that Kerberos should not be
350 * used ENXIO.
351 *
352 * @ingroup krb5
353 */
354
355 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
356 krb5_init_context(krb5_context *context)
357 {
358 static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
359 krb5_context p;
360 krb5_error_code ret;
361 char **files;
362
363 *context = NULL;
364
365 p = calloc(1, sizeof(*p));
366 if(!p)
367 return ENOMEM;
368
369 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
370 if (p->mutex == NULL) {
371 free(p);
372 return ENOMEM;
373 }
374 HEIMDAL_MUTEX_init(p->mutex);
375
376 p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
377
378 ret = krb5_get_default_config_files(&files);
379 if(ret)
380 goto out;
381 ret = krb5_set_config_files(p, files);
382 krb5_free_config_files(files);
383 if(ret)
384 goto out;
385
386 /* init error tables */
387 krb5_init_ets(p);
388 cc_ops_register(p);
389 kt_ops_register(p);
390
391 #ifdef PKINIT
392 ret = hx509_context_init(&p->hx509ctx);
393 if (ret)
394 goto out;
395 #endif
396 if (rk_SOCK_INIT())
397 p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
398
399 out:
400 if(ret) {
401 krb5_free_context(p);
402 p = NULL;
403 } else {
404 heim_base_once_f(&init_context, p, init_context_once);
405 }
406 *context = p;
407 return ret;
408 }
409
410 #ifndef HEIMDAL_SMALLER
411
412 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
413 krb5_get_permitted_enctypes(krb5_context context,
414 krb5_enctype **etypes)
415 {
416 return krb5_get_default_in_tkt_etypes(context, etypes);
417 }
418
419 /*
420 *
421 */
422
423 static krb5_error_code
424 copy_etypes (krb5_context context,
425 krb5_enctype *enctypes,
426 krb5_enctype **ret_enctypes)
427 {
428 unsigned int i;
429
430 for (i = 0; enctypes[i]; i++)
431 ;
432 i++;
433
434 *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i);
435 if (*ret_enctypes == NULL) {
436 krb5_set_error_message(context, ENOMEM,
437 N_("malloc: out of memory", ""));
438 return ENOMEM;
439 }
440 memcpy(*ret_enctypes, enctypes, sizeof(ret_enctypes[0]) * i);
441 return 0;
442 }
443
444 /**
445 * Make a copy for the Kerberos 5 context, the new krb5_context shoud
446 * be freed with krb5_free_context().
447 *
448 * @param context the Kerberos context to copy
449 * @param out the copy of the Kerberos, set to NULL error.
450 *
451 * @return Returns 0 to indicate success. Otherwise an kerberos et
452 * error code is returned, see krb5_get_error_message().
453 *
454 * @ingroup krb5
455 */
456
457 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
458 krb5_copy_context(krb5_context context, krb5_context *out)
459 {
460 krb5_error_code ret;
461 krb5_context p;
462
463 *out = NULL;
464
465 p = calloc(1, sizeof(*p));
466 if (p == NULL) {
467 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
468 return ENOMEM;
469 }
470
471 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
472 if (p->mutex == NULL) {
473 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
474 free(p);
475 return ENOMEM;
476 }
477 HEIMDAL_MUTEX_init(p->mutex);
478
479
480 if (context->default_cc_name)
481 p->default_cc_name = strdup(context->default_cc_name);
482 if (context->default_cc_name_env)
483 p->default_cc_name_env = strdup(context->default_cc_name_env);
484
485 if (context->etypes) {
486 ret = copy_etypes(context, context->etypes, &p->etypes);
487 if (ret)
488 goto out;
489 }
490 if (context->etypes_des) {
491 ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
492 if (ret)
493 goto out;
494 }
495
496 if (context->default_realms) {
497 ret = krb5_copy_host_realm(context,
498 context->default_realms, &p->default_realms);
499 if (ret)
500 goto out;
501 }
502
503 ret = _krb5_config_copy(context, context->cf, &p->cf);
504 if (ret)
505 goto out;
506
507 /* XXX should copy */
508 krb5_init_ets(p);
509
510 cc_ops_copy(p, context);
511 kt_ops_copy(p, context);
512
513 #if 0 /* XXX */
514 if(context->warn_dest != NULL)
515 ;
516 if(context->debug_dest != NULL)
517 ;
518 #endif
519
520 ret = krb5_set_extra_addresses(p, context->extra_addresses);
521 if (ret)
522 goto out;
523 ret = krb5_set_extra_addresses(p, context->ignore_addresses);
524 if (ret)
525 goto out;
526
527 ret = _krb5_copy_send_to_kdc_func(p, context);
528 if (ret)
529 goto out;
530
531 *out = p;
532
533 return 0;
534
535 out:
536 krb5_free_context(p);
537 return ret;
538 }
539
540 #endif
541
542 /**
543 * Frees the krb5_context allocated by krb5_init_context().
544 *
545 * @param context context to be freed.
546 *
547 * @ingroup krb5
548 */
549
550 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
551 krb5_free_context(krb5_context context)
552 {
553 if (context->default_cc_name)
554 free(context->default_cc_name);
555 if (context->default_cc_name_env)
556 free(context->default_cc_name_env);
557 free(context->etypes);
558 free(context->etypes_des);
559 krb5_free_host_realm (context, context->default_realms);
560 krb5_config_file_free (context, context->cf);
561 free_error_table (context->et_list);
562 free(rk_UNCONST(context->cc_ops));
563 free(context->kt_types);
564 krb5_clear_error_message(context);
565 if(context->warn_dest != NULL)
566 krb5_closelog(context, context->warn_dest);
567 if(context->debug_dest != NULL)
568 krb5_closelog(context, context->debug_dest);
569 krb5_set_extra_addresses(context, NULL);
570 krb5_set_ignore_addresses(context, NULL);
571 krb5_set_send_to_kdc_func(context, NULL, NULL);
572
573 #ifdef PKINIT
574 if (context->hx509ctx)
575 hx509_context_free(&context->hx509ctx);
576 #endif
577
578 HEIMDAL_MUTEX_destroy(context->mutex);
579 free(context->mutex);
580 if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
581 rk_SOCK_EXIT();
582 }
583
584 memset(context, 0, sizeof(*context));
585 free(context);
586 }
587
588 /**
589 * Reinit the context from a new set of filenames.
590 *
591 * @param context context to add configuration too.
592 * @param filenames array of filenames, end of list is indicated with a NULL filename.
593 *
594 * @return Returns 0 to indicate success. Otherwise an kerberos et
595 * error code is returned, see krb5_get_error_message().
596 *
597 * @ingroup krb5
598 */
599
600 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
601 krb5_set_config_files(krb5_context context, char **filenames)
602 {
603 krb5_error_code ret;
604 krb5_config_binding *tmp = NULL;
605 while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
606 ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
607 if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) {
608 krb5_config_file_free(context, tmp);
609 return ret;
610 }
611 filenames++;
612 }
613 #if 0
614 /* with this enabled and if there are no config files, Kerberos is
615 considererd disabled */
616 if(tmp == NULL)
617 return ENXIO;
618 #endif
619
620 #ifdef _WIN32
621 _krb5_load_config_from_registry(context, &tmp);
622 #endif
623
624 krb5_config_file_free(context, context->cf);
625 context->cf = tmp;
626 ret = init_context_from_config_file(context);
627 return ret;
628 }
629
630 static krb5_error_code
631 add_file(char ***pfilenames, int *len, char *file)
632 {
633 char **pp = *pfilenames;
634 int i;
635
636 for(i = 0; i < *len; i++) {
637 if(strcmp(pp[i], file) == 0) {
638 free(file);
639 return 0;
640 }
641 }
642
643 pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp));
644 if (pp == NULL) {
645 free(file);
646 return ENOMEM;
647 }
648
649 pp[*len] = file;
650 pp[*len + 1] = NULL;
651 *pfilenames = pp;
652 *len += 1;
653 return 0;
654 }
655
656 /*
657 * `pq' isn't free, it's up the the caller
658 */
659
660 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
661 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
662 {
663 krb5_error_code ret;
664 const char *p, *q;
665 char **pp;
666 int len;
667 char *fn;
668
669 pp = NULL;
670
671 len = 0;
672 p = filelist;
673 while(1) {
674 ssize_t l;
675 q = p;
676 l = strsep_copy(&q, PATH_SEP, NULL, 0);
677 if(l == -1)
678 break;
679 fn = malloc(l + 1);
680 if(fn == NULL) {
681 krb5_free_config_files(pp);
682 return ENOMEM;
683 }
684 (void)strsep_copy(&p, PATH_SEP, fn, l + 1);
685 ret = add_file(&pp, &len, fn);
686 if (ret) {
687 krb5_free_config_files(pp);
688 return ret;
689 }
690 }
691
692 if (pq != NULL) {
693 int i;
694
695 for (i = 0; pq[i] != NULL; i++) {
696 fn = strdup(pq[i]);
697 if (fn == NULL) {
698 krb5_free_config_files(pp);
699 return ENOMEM;
700 }
701 ret = add_file(&pp, &len, fn);
702 if (ret) {
703 krb5_free_config_files(pp);
704 return ret;
705 }
706 }
707 }
708
709 *ret_pp = pp;
710 return 0;
711 }
712
713 /**
714 * Prepend the filename to the global configuration list.
715 *
716 * @param filelist a filename to add to the default list of filename
717 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
718 *
719 * @return Returns 0 to indicate success. Otherwise an kerberos et
720 * error code is returned, see krb5_get_error_message().
721 *
722 * @ingroup krb5
723 */
724
725 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
726 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
727 {
728 krb5_error_code ret;
729 char **defpp, **pp = NULL;
730
731 ret = krb5_get_default_config_files(&defpp);
732 if (ret)
733 return ret;
734
735 ret = krb5_prepend_config_files(filelist, defpp, &pp);
736 krb5_free_config_files(defpp);
737 if (ret) {
738 return ret;
739 }
740 *pfilenames = pp;
741 return 0;
742 }
743
744 #ifdef _WIN32
745
746 /**
747 * Checks the registry for configuration file location
748 *
749 * Kerberos for Windows and other legacy Kerberos applications expect
750 * to find the configuration file location in the
751 * SOFTWARE\MIT\Kerberos registry key under the value "config".
752 */
753 char *
754 _krb5_get_default_config_config_files_from_registry()
755 {
756 static const char * KeyName = "Software\\MIT\\Kerberos";
757 char *config_file = NULL;
758 LONG rcode;
759 HKEY key;
760
761 rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key);
762 if (rcode == ERROR_SUCCESS) {
763 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
764 REG_NONE, 0, PATH_SEP);
765 RegCloseKey(key);
766 }
767
768 if (config_file)
769 return config_file;
770
771 rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key);
772 if (rcode == ERROR_SUCCESS) {
773 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
774 REG_NONE, 0, PATH_SEP);
775 RegCloseKey(key);
776 }
777
778 return config_file;
779 }
780
781 #endif
782
783 /**
784 * Get the global configuration list.
785 *
786 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
787 *
788 * @return Returns 0 to indicate success. Otherwise an kerberos et
789 * error code is returned, see krb5_get_error_message().
790 *
791 * @ingroup krb5
792 */
793
794 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
795 krb5_get_default_config_files(char ***pfilenames)
796 {
797 const char *files = NULL;
798
799 if (pfilenames == NULL)
800 return EINVAL;
801 if(!issuid())
802 files = getenv("KRB5_CONFIG");
803
804 #ifdef _WIN32
805 if (files == NULL) {
806 char * reg_files;
807 reg_files = _krb5_get_default_config_config_files_from_registry();
808 if (reg_files != NULL) {
809 krb5_error_code code;
810
811 code = krb5_prepend_config_files(reg_files, NULL, pfilenames);
812 free(reg_files);
813
814 return code;
815 }
816 }
817 #endif
818
819 if (files == NULL)
820 files = krb5_config_file;
821
822 return krb5_prepend_config_files(files, NULL, pfilenames);
823 }
824
825 /**
826 * Free a list of configuration files.
827 *
828 * @param filenames list, terminated with a NULL pointer, to be
829 * freed. NULL is an valid argument.
830 *
831 * @return Returns 0 to indicate success. Otherwise an kerberos et
832 * error code is returned, see krb5_get_error_message().
833 *
834 * @ingroup krb5
835 */
836
837 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
838 krb5_free_config_files(char **filenames)
839 {
840 char **p;
841 for(p = filenames; p && *p != NULL; p++)
842 free(*p);
843 free(filenames);
844 }
845
846 /**
847 * Returns the list of Kerberos encryption types sorted in order of
848 * most preferred to least preferred encryption type. Note that some
849 * encryption types might be disabled, so you need to check with
850 * krb5_enctype_valid() before using the encryption type.
851 *
852 * @return list of enctypes, terminated with ETYPE_NULL. Its a static
853 * array completed into the Kerberos library so the content doesn't
854 * need to be freed.
855 *
856 * @ingroup krb5
857 */
858
859 KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
860 krb5_kerberos_enctypes(krb5_context context)
861 {
862 static const krb5_enctype p[] = {
863 ETYPE_AES256_CTS_HMAC_SHA1_96,
864 ETYPE_AES128_CTS_HMAC_SHA1_96,
865 ETYPE_DES3_CBC_SHA1,
866 ETYPE_DES3_CBC_MD5,
867 ETYPE_ARCFOUR_HMAC_MD5,
868 ETYPE_DES_CBC_MD5,
869 ETYPE_DES_CBC_MD4,
870 ETYPE_DES_CBC_CRC,
871 ETYPE_NULL
872 };
873 return p;
874 }
875
876 /*
877 * set `etype' to a malloced list of the default enctypes
878 */
879
880 static krb5_error_code
881 default_etypes(krb5_context context, krb5_enctype **etype)
882 {
883 const krb5_enctype *p;
884 krb5_enctype *e = NULL, *ep;
885 int i, n = 0;
886
887 p = krb5_kerberos_enctypes(context);
888
889 for (i = 0; p[i] != ETYPE_NULL; i++) {
890 if (krb5_enctype_valid(context, p[i]) != 0)
891 continue;
892 ep = realloc(e, (n + 2) * sizeof(*e));
893 if (ep == NULL) {
894 free(e);
895 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
896 return ENOMEM;
897 }
898 e = ep;
899 e[n] = p[i];
900 e[n + 1] = ETYPE_NULL;
901 n++;
902 }
903 *etype = e;
904 return 0;
905 }
906
907 /**
908 * Set the default encryption types that will be use in communcation
909 * with the KDC, clients and servers.
910 *
911 * @param context Kerberos 5 context.
912 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
913 *
914 * @return Returns 0 to indicate success. Otherwise an kerberos et
915 * error code is returned, see krb5_get_error_message().
916 *
917 * @ingroup krb5
918 */
919
920 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
921 krb5_set_default_in_tkt_etypes(krb5_context context,
922 const krb5_enctype *etypes)
923 {
924 krb5_error_code ret;
925 krb5_enctype *p = NULL;
926 unsigned int n, m;
927
928 if(etypes) {
929 for (n = 0; etypes[n]; n++)
930 ;
931 n++;
932 ALLOC(p, n);
933 if(!p) {
934 krb5_set_error_message (context, ENOMEM,
935 N_("malloc: out of memory", ""));
936 return ENOMEM;
937 }
938 for (n = 0, m = 0; etypes[n]; n++) {
939 ret = krb5_enctype_valid(context, etypes[n]);
940 if (ret)
941 continue;
942 p[m++] = etypes[n];
943 }
944 p[m] = ETYPE_NULL;
945 if (m == 0) {
946 free(p);
947 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
948 N_("no valid enctype set", ""));
949 return KRB5_PROG_ETYPE_NOSUPP;
950 }
951 }
952 if(context->etypes)
953 free(context->etypes);
954 context->etypes = p;
955 return 0;
956 }
957
958 /**
959 * Get the default encryption types that will be use in communcation
960 * with the KDC, clients and servers.
961 *
962 * @param context Kerberos 5 context.
963 * @param etypes Encryption types, array terminated with
964 * ETYPE_NULL(0), caller should free array with krb5_xfree():
965 *
966 * @return Returns 0 to indicate success. Otherwise an kerberos et
967 * error code is returned, see krb5_get_error_message().
968 *
969 * @ingroup krb5
970 */
971
972 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
973 krb5_get_default_in_tkt_etypes(krb5_context context,
974 krb5_enctype **etypes)
975 {
976 krb5_enctype *p;
977 int i;
978 krb5_error_code ret;
979
980 if(context->etypes) {
981 for(i = 0; context->etypes[i]; i++);
982 ++i;
983 ALLOC(p, i);
984 if(!p) {
985 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
986 return ENOMEM;
987 }
988 memmove(p, context->etypes, i * sizeof(krb5_enctype));
989 } else {
990 ret = default_etypes(context, &p);
991 if (ret)
992 return ret;
993 }
994 *etypes = p;
995 return 0;
996 }
997
998 /**
999 * Init the built-in ets in the Kerberos library.
1000 *
1001 * @param context kerberos context to add the ets too
1002 *
1003 * @ingroup krb5
1004 */
1005
1006 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1007 krb5_init_ets(krb5_context context)
1008 {
1009 if(context->et_list == NULL){
1010 krb5_add_et_list(context, initialize_krb5_error_table_r);
1011 krb5_add_et_list(context, initialize_asn1_error_table_r);
1012 krb5_add_et_list(context, initialize_heim_error_table_r);
1013
1014 krb5_add_et_list(context, initialize_k524_error_table_r);
1015
1016 #ifdef COM_ERR_BINDDOMAIN_krb5
1017 bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
1018 bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
1019 bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
1020 bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
1021 #endif
1022
1023 #ifdef PKINIT
1024 krb5_add_et_list(context, initialize_hx_error_table_r);
1025 #ifdef COM_ERR_BINDDOMAIN_hx
1026 bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
1027 #endif
1028 #endif
1029 }
1030 }
1031
1032 /**
1033 * Make the kerberos library default to the admin KDC.
1034 *
1035 * @param context Kerberos 5 context.
1036 * @param flag boolean flag to select if the use the admin KDC or not.
1037 *
1038 * @ingroup krb5
1039 */
1040
1041 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1042 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
1043 {
1044 context->use_admin_kdc = flag;
1045 }
1046
1047 /**
1048 * Make the kerberos library default to the admin KDC.
1049 *
1050 * @param context Kerberos 5 context.
1051 *
1052 * @return boolean flag to telling the context will use admin KDC as the default KDC.
1053 *
1054 * @ingroup krb5
1055 */
1056
1057 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1058 krb5_get_use_admin_kdc (krb5_context context)
1059 {
1060 return context->use_admin_kdc;
1061 }
1062
1063 /**
1064 * Add extra address to the address list that the library will add to
1065 * the client's address list when communicating with the KDC.
1066 *
1067 * @param context Kerberos 5 context.
1068 * @param addresses addreses to add
1069 *
1070 * @return Returns 0 to indicate success. Otherwise an kerberos et
1071 * error code is returned, see krb5_get_error_message().
1072 *
1073 * @ingroup krb5
1074 */
1075
1076 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1077 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
1078 {
1079
1080 if(context->extra_addresses)
1081 return krb5_append_addresses(context,
1082 context->extra_addresses, addresses);
1083 else
1084 return krb5_set_extra_addresses(context, addresses);
1085 }
1086
1087 /**
1088 * Set extra address to the address list that the library will add to
1089 * the client's address list when communicating with the KDC.
1090 *
1091 * @param context Kerberos 5 context.
1092 * @param addresses addreses to set
1093 *
1094 * @return Returns 0 to indicate success. Otherwise an kerberos et
1095 * error code is returned, see krb5_get_error_message().
1096 *
1097 * @ingroup krb5
1098 */
1099
1100 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1101 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
1102 {
1103 if(context->extra_addresses)
1104 krb5_free_addresses(context, context->extra_addresses);
1105
1106 if(addresses == NULL) {
1107 if(context->extra_addresses != NULL) {
1108 free(context->extra_addresses);
1109 context->extra_addresses = NULL;
1110 }
1111 return 0;
1112 }
1113 if(context->extra_addresses == NULL) {
1114 context->extra_addresses = malloc(sizeof(*context->extra_addresses));
1115 if(context->extra_addresses == NULL) {
1116 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
1117 return ENOMEM;
1118 }
1119 }
1120 return krb5_copy_addresses(context, addresses, context->extra_addresses);
1121 }
1122
1123 /**
1124 * Get extra address to the address list that the library will add to
1125 * the client's address list when communicating with the KDC.
1126 *
1127 * @param context Kerberos 5 context.
1128 * @param addresses addreses to set
1129 *
1130 * @return Returns 0 to indicate success. Otherwise an kerberos et
1131 * error code is returned, see krb5_get_error_message().
1132 *
1133 * @ingroup krb5
1134 */
1135
1136 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1137 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
1138 {
1139 if(context->extra_addresses == NULL) {
1140 memset(addresses, 0, sizeof(*addresses));
1141 return 0;
1142 }
1143 return krb5_copy_addresses(context,context->extra_addresses, addresses);
1144 }
1145
1146 /**
1147 * Add extra addresses to ignore when fetching addresses from the
1148 * underlaying operating system.
1149 *
1150 * @param context Kerberos 5 context.
1151 * @param addresses addreses to ignore
1152 *
1153 * @return Returns 0 to indicate success. Otherwise an kerberos et
1154 * error code is returned, see krb5_get_error_message().
1155 *
1156 * @ingroup krb5
1157 */
1158
1159 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1160 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1161 {
1162
1163 if(context->ignore_addresses)
1164 return krb5_append_addresses(context,
1165 context->ignore_addresses, addresses);
1166 else
1167 return krb5_set_ignore_addresses(context, addresses);
1168 }
1169
1170 /**
1171 * Set extra addresses to ignore when fetching addresses from the
1172 * underlaying operating system.
1173 *
1174 * @param context Kerberos 5 context.
1175 * @param addresses addreses to ignore
1176 *
1177 * @return Returns 0 to indicate success. Otherwise an kerberos et
1178 * error code is returned, see krb5_get_error_message().
1179 *
1180 * @ingroup krb5
1181 */
1182
1183 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1184 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
1185 {
1186 if(context->ignore_addresses)
1187 krb5_free_addresses(context, context->ignore_addresses);
1188 if(addresses == NULL) {
1189 if(context->ignore_addresses != NULL) {
1190 free(context->ignore_addresses);
1191 context->ignore_addresses = NULL;
1192 }
1193 return 0;
1194 }
1195 if(context->ignore_addresses == NULL) {
1196 context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
1197 if(context->ignore_addresses == NULL) {
1198 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
1199 return ENOMEM;
1200 }
1201 }
1202 return krb5_copy_addresses(context, addresses, context->ignore_addresses);
1203 }
1204
1205 /**
1206 * Get extra addresses to ignore when fetching addresses from the
1207 * underlaying operating system.
1208 *
1209 * @param context Kerberos 5 context.
1210 * @param addresses list addreses ignored
1211 *
1212 * @return Returns 0 to indicate success. Otherwise an kerberos et
1213 * error code is returned, see krb5_get_error_message().
1214 *
1215 * @ingroup krb5
1216 */
1217
1218 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1219 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1220 {
1221 if(context->ignore_addresses == NULL) {
1222 memset(addresses, 0, sizeof(*addresses));
1223 return 0;
1224 }
1225 return krb5_copy_addresses(context, context->ignore_addresses, addresses);
1226 }
1227
1228 /**
1229 * Set version of fcache that the library should use.
1230 *
1231 * @param context Kerberos 5 context.
1232 * @param version version number.
1233 *
1234 * @return Returns 0 to indicate success. Otherwise an kerberos et
1235 * error code is returned, see krb5_get_error_message().
1236 *
1237 * @ingroup krb5
1238 */
1239
1240 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1241 krb5_set_fcache_version(krb5_context context, int version)
1242 {
1243 context->fcache_vno = version;
1244 return 0;
1245 }
1246
1247 /**
1248 * Get version of fcache that the library should use.
1249 *
1250 * @param context Kerberos 5 context.
1251 * @param version version number.
1252 *
1253 * @return Returns 0 to indicate success. Otherwise an kerberos et
1254 * error code is returned, see krb5_get_error_message().
1255 *
1256 * @ingroup krb5
1257 */
1258
1259 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1260 krb5_get_fcache_version(krb5_context context, int *version)
1261 {
1262 *version = context->fcache_vno;
1263 return 0;
1264 }
1265
1266 /**
1267 * Runtime check if the Kerberos library was complied with thread support.
1268 *
1269 * @return TRUE if the library was compiled with thread support, FALSE if not.
1270 *
1271 * @ingroup krb5
1272 */
1273
1274
1275 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1276 krb5_is_thread_safe(void)
1277 {
1278 #ifdef ENABLE_PTHREAD_SUPPORT
1279 return TRUE;
1280 #else
1281 return FALSE;
1282 #endif
1283 }
1284
1285 /**
1286 * Set if the library should use DNS to canonicalize hostnames.
1287 *
1288 * @param context Kerberos 5 context.
1289 * @param flag if its dns canonicalizion is used or not.
1290 *
1291 * @ingroup krb5
1292 */
1293
1294 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1295 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
1296 {
1297 if (flag)
1298 context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1299 else
1300 context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1301 }
1302
1303 /**
1304 * Get if the library uses DNS to canonicalize hostnames.
1305 *
1306 * @param context Kerberos 5 context.
1307 *
1308 * @return return non zero if the library uses DNS to canonicalize hostnames.
1309 *
1310 * @ingroup krb5
1311 */
1312
1313 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1314 krb5_get_dns_canonicalize_hostname (krb5_context context)
1315 {
1316 return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
1317 }
1318
1319 /**
1320 * Get current offset in time to the KDC.
1321 *
1322 * @param context Kerberos 5 context.
1323 * @param sec seconds part of offset.
1324 * @param usec micro seconds part of offset.
1325 *
1326 * @return returns zero
1327 *
1328 * @ingroup krb5
1329 */
1330
1331 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1332 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
1333 {
1334 if (sec)
1335 *sec = context->kdc_sec_offset;
1336 if (usec)
1337 *usec = context->kdc_usec_offset;
1338 return 0;
1339 }
1340
1341 /**
1342 * Set current offset in time to the KDC.
1343 *
1344 * @param context Kerberos 5 context.
1345 * @param sec seconds part of offset.
1346 * @param usec micro seconds part of offset.
1347 *
1348 * @return returns zero
1349 *
1350 * @ingroup krb5
1351 */
1352
1353 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1354 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1355 {
1356 context->kdc_sec_offset = sec;
1357 if (usec >= 0)
1358 context->kdc_usec_offset = usec;
1359 return 0;
1360 }
1361
1362 /**
1363 * Get max time skew allowed.
1364 *
1365 * @param context Kerberos 5 context.
1366 *
1367 * @return timeskew in seconds.
1368 *
1369 * @ingroup krb5
1370 */
1371
1372 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
1373 krb5_get_max_time_skew (krb5_context context)
1374 {
1375 return context->max_skew;
1376 }
1377
1378 /**
1379 * Set max time skew allowed.
1380 *
1381 * @param context Kerberos 5 context.
1382 * @param t timeskew in seconds.
1383 *
1384 * @ingroup krb5
1385 */
1386
1387 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1388 krb5_set_max_time_skew (krb5_context context, time_t t)
1389 {
1390 context->max_skew = t;
1391 }
1392
1393 /**
1394 * Init encryption types in len, val with etypes.
1395 *
1396 * @param context Kerberos 5 context.
1397 * @param len output length of val.
1398 * @param val output array of enctypes.
1399 * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1400
1401 * @return Returns 0 to indicate success. Otherwise an kerberos et
1402 * error code is returned, see krb5_get_error_message().
1403 *
1404 * @ingroup krb5
1405 */
1406
1407 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1408 krb5_init_etype (krb5_context context,
1409 unsigned *len,
1410 krb5_enctype **val,
1411 const krb5_enctype *etypes)
1412 {
1413 unsigned int i;
1414 krb5_error_code ret;
1415 krb5_enctype *tmp = NULL;
1416
1417 ret = 0;
1418 if (etypes == NULL) {
1419 ret = krb5_get_default_in_tkt_etypes(context, &tmp);
1420 if (ret)
1421 return ret;
1422 etypes = tmp;
1423 }
1424
1425 for (i = 0; etypes[i]; ++i)
1426 ;
1427 *len = i;
1428 *val = malloc(i * sizeof(**val));
1429 if (i != 0 && *val == NULL) {
1430 ret = ENOMEM;
1431 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1432 goto cleanup;
1433 }
1434 memmove (*val,
1435 etypes,
1436 i * sizeof(*tmp));
1437 cleanup:
1438 if (tmp != NULL)
1439 free (tmp);
1440 return ret;
1441 }
1442
1443 /*
1444 * Allow homedir accces
1445 */
1446
1447 static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
1448 static krb5_boolean allow_homedir = TRUE;
1449
1450 krb5_boolean
1451 _krb5_homedir_access(krb5_context context)
1452 {
1453 krb5_boolean allow;
1454
1455 #ifdef HAVE_GETEUID
1456 /* is never allowed for root */
1457 if (geteuid() == 0)
1458 return FALSE;
1459 #endif
1460
1461 if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
1462 return FALSE;
1463
1464 HEIMDAL_MUTEX_lock(&homedir_mutex);
1465 allow = allow_homedir;
1466 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1467 return allow;
1468 }
1469
1470 /**
1471 * Enable and disable home directory access on either the global state
1472 * or the krb5_context state. By calling krb5_set_home_dir_access()
1473 * with context set to NULL, the global state is configured otherwise
1474 * the state for the krb5_context is modified.
1475 *
1476 * For home directory access to be allowed, both the global state and
1477 * the krb5_context state have to be allowed.
1478 *
1479 * Administrator (root user), never uses the home directory.
1480 *
1481 * @param context a Kerberos 5 context or NULL
1482 * @param allow allow if TRUE home directory
1483 * @return the old value
1484 *
1485 * @ingroup krb5
1486 */
1487
1488 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1489 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
1490 {
1491 krb5_boolean old;
1492 if (context) {
1493 old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
1494 if (allow)
1495 context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
1496 else
1497 context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
1498 } else {
1499 HEIMDAL_MUTEX_lock(&homedir_mutex);
1500 old = allow_homedir;
1501 allow_homedir = allow;
1502 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1503 }
1504
1505 return old;
1506 }
Samba GIT mirror