search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
third_party/heimdal: Import lorikeet-heimdal-202307040259 (commit 33d117b8a9c11714ef7...
[Samba.git] / third_party / heimdal / lib / krb5 / context.c
blob19548d4130db88166ae55ff8ec6395a815239c1b
1 /*
2 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #undef KRB5_DEPRECATED_FUNCTION
37 #define KRB5_DEPRECATED_FUNCTION(x)
38
39 #include "krb5_locl.h"
40 #include <assert.h>
41 #include <com_err.h>
42
43 static void _krb5_init_ets(krb5_context);
44
45 #define INIT_FIELD(C, T, E, D, F) \
46 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
47 "libdefaults", F, NULL)
48
49 #define INIT_FLAG(C, O, V, D, F) \
50 do { \
51 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
52 (C)->O |= V; \
53 } \
54 } while(0)
55
56 static krb5_error_code
57 copy_enctypes(krb5_context context,
58 const krb5_enctype *in,
59 krb5_enctype **out);
60
61 /*
62 * Set the list of etypes `ret_etypes' from the configuration variable
63 * `name'
64 */
65
66 static krb5_error_code
67 set_etypes (krb5_context context,
68 const char *name,
69 krb5_enctype **ret_enctypes)
70 {
71 char **etypes_str;
72 krb5_enctype *etypes = NULL;
73
74 etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
75 name, NULL);
76 if(etypes_str){
77 int i, j, k;
78 for(i = 0; etypes_str[i]; i++);
79 etypes = malloc((i+1) * sizeof(*etypes));
80 if (etypes == NULL) {
81 krb5_config_free_strings (etypes_str);
82 return krb5_enomem(context);
83 }
84 for(j = 0, k = 0; j < i; j++) {
85 krb5_enctype e;
86 if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
87 continue;
88 if (krb5_enctype_valid(context, e) != 0)
89 continue;
90 etypes[k++] = e;
91 }
92 etypes[k] = ETYPE_NULL;
93 krb5_config_free_strings(etypes_str);
94 }
95 *ret_enctypes = etypes;
96 return 0;
97 }
98
99 /*
100 * read variables from the configuration file and set in `context'
101 */
102
103 static krb5_error_code
104 init_context_from_config_file(krb5_context context)
105 {
106 krb5_error_code ret;
107 const char * tmp;
108 char **s;
109 krb5_enctype *tmptypes = NULL;
110
111 INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
112 INIT_FIELD(context, time, kdc_timeout, 30, "kdc_timeout");
113 INIT_FIELD(context, time, host_timeout, 3, "host_timeout");
114 INIT_FIELD(context, int, max_retries, 3, "max_retries");
115
116 INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
117
118 ret = krb5_config_get_bool_default(context, NULL, FALSE,
119 "libdefaults",
120 "allow_weak_crypto", NULL);
121 if (ret) {
122 krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
123 krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
124 krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
125 krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
126 krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
127 krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
128 }
129
130 ret = set_etypes (context, "default_etypes", &tmptypes);
131 if(ret)
132 return ret;
133 free(context->etypes);
134 context->etypes = tmptypes;
135
136 /* The etypes member may change during the lifetime
137 * of the context. To be able to reset it to
138 * config value, we keep another copy.
139 */
140 free(context->cfg_etypes);
141 context->cfg_etypes = NULL;
142 if (tmptypes) {
143 ret = copy_enctypes(context, tmptypes, &context->cfg_etypes);
144 if (ret)
145 return ret;
146 }
147
148 ret = set_etypes (context, "default_etypes_des", &tmptypes);
149 if(ret)
150 return ret;
151 free(context->etypes_des);
152 context->etypes_des = tmptypes;
153
154 ret = set_etypes (context, "default_as_etypes", &tmptypes);
155 if(ret)
156 return ret;
157 free(context->as_etypes);
158 context->as_etypes = tmptypes;
159
160 ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
161 if(ret)
162 return ret;
163 free(context->tgs_etypes);
164 context->tgs_etypes = tmptypes;
165
166 ret = set_etypes (context, "permitted_enctypes", &tmptypes);
167 if(ret)
168 return ret;
169 free(context->permitted_enctypes);
170 context->permitted_enctypes = tmptypes;
171
172 INIT_FIELD(context, string, default_keytab,
173 KEYTAB_DEFAULT, "default_keytab_name");
174
175 INIT_FIELD(context, string, default_keytab_modify,
176 NULL, "default_keytab_modify_name");
177
178 INIT_FIELD(context, string, time_fmt,
179 "%Y-%m-%dT%H:%M:%S", "time_format");
180
181 INIT_FIELD(context, string, date_fmt,
182 "%Y-%m-%d", "date_format");
183
184 INIT_FIELD(context, bool, log_utc,
185 FALSE, "log_utc");
186
187 context->no_ticket_store =
188 getenv("KRB5_NO_TICKET_STORE") != NULL;
189
190 /* init dns-proxy slime */
191 tmp = krb5_config_get_string(context, NULL, "libdefaults",
192 "dns_proxy", NULL);
193 if(tmp)
194 roken_gethostby_setup(context->http_proxy, tmp);
195 krb5_free_host_realm (context, context->default_realms);
196 context->default_realms = NULL;
197
198 {
199 krb5_addresses addresses;
200 char **adr, **a;
201
202 krb5_set_extra_addresses(context, NULL);
203 adr = krb5_config_get_strings(context, NULL,
204 "libdefaults",
205 "extra_addresses",
206 NULL);
207 memset(&addresses, 0, sizeof(addresses));
208 for(a = adr; a && *a; a++) {
209 ret = krb5_parse_address(context, *a, &addresses);
210 if (ret == 0) {
211 krb5_add_extra_addresses(context, &addresses);
212 krb5_free_addresses(context, &addresses);
213 }
214 }
215 krb5_config_free_strings(adr);
216
217 krb5_set_ignore_addresses(context, NULL);
218 adr = krb5_config_get_strings(context, NULL,
219 "libdefaults",
220 "ignore_addresses",
221 NULL);
222 memset(&addresses, 0, sizeof(addresses));
223 for(a = adr; a && *a; a++) {
224 ret = krb5_parse_address(context, *a, &addresses);
225 if (ret == 0) {
226 krb5_add_ignore_addresses(context, &addresses);
227 krb5_free_addresses(context, &addresses);
228 }
229 }
230 krb5_config_free_strings(adr);
231 }
232
233 INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
234 INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
235 /* prefer dns_lookup_kdc over srv_lookup. */
236 INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
237 INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
238 INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
239 INIT_FIELD(context, int, max_msg_size, 1000 * 1024, "maximum_message_size");
240 INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
241 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
242 INIT_FLAG(context, flags, KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE, FALSE, "enforce_ok_as_delegate");
243 INIT_FLAG(context, flags, KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME, FALSE, "report_canonical_client_name");
244
245 /* report_canonical_client_name implies check_pac */
246 if (context->flags & KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME)
247 context->flags |= KRB5_CTX_F_CHECK_PAC;
248
249 free(context->default_cc_name);
250 context->default_cc_name = NULL;
251 context->default_cc_name_set = 0;
252 free(context->configured_default_cc_name);
253 context->configured_default_cc_name = NULL;
254
255 tmp = secure_getenv("KRB5_TRACE");
256 if (tmp)
257 heim_add_debug_dest(context->hcontext, "libkrb5", tmp);
258 s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
259 if (s) {
260 char **p;
261
262 for (p = s; *p; p++)
263 heim_add_debug_dest(context->hcontext, "libkrb5", *p);
264 krb5_config_free_strings(s);
265 }
266
267 tmp = krb5_config_get_string(context, NULL, "libdefaults",
268 "check-rd-req-server", NULL);
269 if (tmp == NULL)
270 tmp = secure_getenv("KRB5_CHECK_RD_REQ_SERVER");
271 if(tmp) {
272 if (strcasecmp(tmp, "ignore") == 0)
273 context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
274 }
275 ret = krb5_config_get_bool_default(context, NULL, TRUE,
276 "libdefaults",
277 "fcache_strict_checking", NULL);
278 if (ret)
279 context->flags |= KRB5_CTX_F_FCACHE_STRICT_CHECKING;
280
281 return 0;
282 }
283
284 static krb5_error_code
285 cc_ops_register(krb5_context context)
286 {
287 context->cc_ops = NULL;
288 context->num_cc_ops = 0;
289
290 #ifndef KCM_IS_API_CACHE
291 krb5_cc_register(context, &krb5_acc_ops, TRUE);
292 #endif
293 krb5_cc_register(context, &krb5_fcc_ops, TRUE);
294 krb5_cc_register(context, &krb5_dcc_ops, TRUE);
295 krb5_cc_register(context, &krb5_mcc_ops, TRUE);
296 #ifdef HAVE_SCC
297 krb5_cc_register(context, &krb5_scc_ops, TRUE);
298 #endif
299 #ifdef HAVE_KCM
300 #ifdef KCM_IS_API_CACHE
301 krb5_cc_register(context, &krb5_akcm_ops, TRUE);
302 #endif
303 krb5_cc_register(context, &krb5_kcm_ops, TRUE);
304 #endif
305 #if defined(HAVE_KEYUTILS_H)
306 krb5_cc_register(context, &krb5_krcc_ops, TRUE);
307 #endif
308 _krb5_load_ccache_plugins(context);
309 return 0;
310 }
311
312 static krb5_error_code
313 cc_ops_copy(krb5_context context, const krb5_context src_context)
314 {
315 const krb5_cc_ops **cc_ops;
316
317 context->cc_ops = NULL;
318 context->num_cc_ops = 0;
319
320 if (src_context->num_cc_ops == 0)
321 return 0;
322
323 cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
324 if (cc_ops == NULL) {
325 krb5_set_error_message(context, KRB5_CC_NOMEM,
326 N_("malloc: out of memory", ""));
327 return KRB5_CC_NOMEM;
328 }
329
330 memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
331 sizeof(cc_ops[0]) * src_context->num_cc_ops);
332 context->cc_ops = cc_ops;
333 context->num_cc_ops = src_context->num_cc_ops;
334
335 return 0;
336 }
337
338 static krb5_error_code
339 kt_ops_register(krb5_context context)
340 {
341 context->num_kt_types = 0;
342 context->kt_types = NULL;
343
344 krb5_kt_register (context, &krb5_fkt_ops);
345 krb5_kt_register (context, &krb5_wrfkt_ops);
346 krb5_kt_register (context, &krb5_javakt_ops);
347 krb5_kt_register (context, &krb5_mkt_ops);
348 #ifndef HEIMDAL_SMALLER
349 krb5_kt_register (context, &krb5_akf_ops);
350 #endif
351 krb5_kt_register (context, &krb5_any_ops);
352 return 0;
353 }
354
355 static krb5_error_code
356 kt_ops_copy(krb5_context context, const krb5_context src_context)
357 {
358 context->num_kt_types = 0;
359 context->kt_types = NULL;
360
361 if (src_context->num_kt_types == 0)
362 return 0;
363
364 context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
365 if (context->kt_types == NULL)
366 return krb5_enomem(context);
367
368 context->num_kt_types = src_context->num_kt_types;
369 memcpy(context->kt_types, src_context->kt_types,
370 sizeof(context->kt_types[0]) * src_context->num_kt_types);
371
372 return 0;
373 }
374
375 static const char *const sysplugin_dirs[] = {
376 #ifdef _WIN32
377 "$ORIGIN",
378 #else
379 "$ORIGIN/../lib/plugin/krb5",
380 #endif
381 #ifdef __APPLE__
382 LIBDIR "/plugin/krb5",
383 #ifdef HEIM_PLUGINS_SEARCH_SYSTEM
384 "/Library/KerberosPlugins/KerberosFrameworkPlugins",
385 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
386 #endif
387 #endif
388 NULL
389 };
390
391 static void
392 init_context_once(void *ctx)
393 {
394 krb5_context context = ctx;
395 char **dirs;
396
397 #ifdef _WIN32
398 dirs = rk_UNCONST(sysplugin_dirs);
399 #else
400 dirs = krb5_config_get_strings(context, NULL, "libdefaults",
401 "plugin_dir", NULL);
402 if (dirs == NULL)
403 dirs = rk_UNCONST(sysplugin_dirs);
404 #endif
405
406 _krb5_load_plugins(context, "krb5", (const char **)dirs);
407
408 if (dirs != rk_UNCONST(sysplugin_dirs))
409 krb5_config_free_strings(dirs);
410
411 bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
412 }
413
414 /**
415 * Initializes the context structure and reads the configuration file
416 * /etc/krb5.conf. The structure should be freed by calling
417 * krb5_free_context() when it is no longer being used.
418 *
419 * @param context pointer to returned context
420 *
421 * @return Returns 0 to indicate success. Otherwise an errno code is
422 * returned. Failure means either that something bad happened during
423 * initialization (typically ENOMEM) or that Kerberos should not be
424 * used ENXIO. If the function returns HEIM_ERR_RANDOM_OFFLINE, the
425 * random source is not available and later Kerberos calls might fail.
426 *
427 * @ingroup krb5
428 */
429
430 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
431 krb5_init_context(krb5_context *context)
432 {
433 static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
434 krb5_context p;
435 krb5_error_code ret;
436 char **files;
437 uint8_t rnd;
438
439 *context = NULL;
440
441 /**
442 * krb5_init_context() will get one random byte to make sure our
443 * random is alive. Assumption is that once the non blocking
444 * source allows us to pull bytes, its all seeded and allows us to
445 * pull more bytes.
446 *
447 * Most Kerberos users calls krb5_init_context(), so this is
448 * useful point where we can do the checking.
449 */
450 ret = krb5_generate_random(&rnd, sizeof(rnd));
451 if (ret)
452 return ret;
453
454 p = calloc(1, sizeof(*p));
455 if(!p)
456 return ENOMEM;
457
458 if ((p->hcontext = heim_context_init()) == NULL) {
459 ret = ENOMEM;
460 goto out;
461 }
462
463 if (!issuid())
464 p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
465
466 ret = krb5_get_default_config_files(&files);
467 if(ret)
468 goto out;
469 ret = krb5_set_config_files(p, files);
470 krb5_free_config_files(files);
471 if(ret)
472 goto out;
473
474 /* done enough to load plugins */
475 heim_base_once_f(&init_context, p, init_context_once);
476
477 /* init error tables */
478 _krb5_init_ets(p);
479 cc_ops_register(p);
480 kt_ops_register(p);
481
482 #ifdef PKINIT
483 ret = hx509_context_init(&p->hx509ctx);
484 if (ret)
485 goto out;
486 #endif
487 if (rk_SOCK_INIT())
488 p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
489
490 out:
491 if (ret) {
492 krb5_free_context(p);
493 p = NULL;
494 } else {
495 heim_context_set_log_utc(p->hcontext, p->log_utc);
496 }
497 *context = p;
498 return ret;
499 }
500
501 #ifndef HEIMDAL_SMALLER
502
503 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
504 krb5_get_permitted_enctypes(krb5_context context,
505 krb5_enctype **etypes)
506 {
507 return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
508 }
509
510 /*
511 *
512 */
513
514 static krb5_error_code
515 copy_etypes (krb5_context context,
516 krb5_enctype *enctypes,
517 krb5_enctype **ret_enctypes)
518 {
519 unsigned int i;
520
521 for (i = 0; enctypes[i]; i++)
522 ;
523 i++;
524
525 *ret_enctypes = malloc(sizeof(enctypes[0]) * i);
526 if (*ret_enctypes == NULL)
527 return krb5_enomem(context);
528 memcpy(*ret_enctypes, enctypes, sizeof(enctypes[0]) * i);
529 return 0;
530 }
531
532 /**
533 * Make a copy for the Kerberos 5 context, the new krb5_context shoud
534 * be freed with krb5_free_context().
535 *
536 * @param context the Kerberos context to copy
537 * @param out the copy of the Kerberos, set to NULL error.
538 *
539 * @return Returns 0 to indicate success. Otherwise an kerberos et
540 * error code is returned, see krb5_get_error_message().
541 *
542 * @ingroup krb5
543 */
544
545 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
546 krb5_copy_context(krb5_context context, krb5_context *out)
547 {
548 krb5_error_code ret = 0;
549 krb5_context p;
550
551 *out = NULL;
552
553 p = calloc(1, sizeof(*p));
554 if (p == NULL)
555 return krb5_enomem(context);
556
557 p->cc_ops = NULL;
558 p->etypes = NULL;
559 p->kt_types = NULL;
560 p->cfg_etypes = NULL;
561 p->etypes_des = NULL;
562 p->default_realms = NULL;
563 p->extra_addresses = NULL;
564 p->ignore_addresses = NULL;
565
566 if ((p->hcontext = heim_context_init()) == NULL)
567 ret = ENOMEM;
568
569 if (ret == 0) {
570 heim_context_set_log_utc(p->hcontext, context->log_utc);
571 ret = _krb5_config_copy(context, context->cf, &p->cf);
572 }
573 if (ret == 0)
574 ret = init_context_from_config_file(p);
575 if (ret == 0 && context->default_cc_name) {
576 free(p->default_cc_name);
577 if ((p->default_cc_name = strdup(context->default_cc_name)) == NULL)
578 ret = ENOMEM;
579 }
580 if (ret == 0 && context->default_cc_name_env) {
581 free(p->default_cc_name_env);
582 if ((p->default_cc_name_env =
583 strdup(context->default_cc_name_env)) == NULL)
584 ret = ENOMEM;
585 }
586 if (ret == 0 && context->configured_default_cc_name) {
587 free(p->configured_default_cc_name);
588 if ((p->configured_default_cc_name =
589 strdup(context->configured_default_cc_name)) == NULL)
590 ret = ENOMEM;
591 }
592
593 if (ret == 0 && context->etypes) {
594 free(p->etypes);
595 ret = copy_etypes(context, context->etypes, &p->etypes);
596 }
597 if (ret == 0 && context->cfg_etypes) {
598 free(p->cfg_etypes);
599 ret = copy_etypes(context, context->cfg_etypes, &p->cfg_etypes);
600 }
601 if (ret == 0 && context->etypes_des) {
602 free(p->etypes_des);
603 ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
604 }
605
606 if (ret == 0 && context->default_realms) {
607 krb5_free_host_realm(context, p->default_realms);
608 ret = krb5_copy_host_realm(context,
609 context->default_realms, &p->default_realms);
610 }
611
612 /* XXX should copy */
613 if (ret == 0)
614 _krb5_init_ets(p);
615
616 if (ret == 0)
617 ret = cc_ops_copy(p, context);
618 if (ret == 0)
619 ret = kt_ops_copy(p, context);
620 if (ret == 0)
621 ret = krb5_set_extra_addresses(p, context->extra_addresses);
622 if (ret == 0)
623 ret = krb5_set_extra_addresses(p, context->ignore_addresses);
624 if (ret == 0)
625 ret = _krb5_copy_send_to_kdc_func(p, context);
626
627 if (ret == 0)
628 *out = p;
629 else
630 krb5_free_context(p);
631 return ret;
632 }
633
634 #endif
635
636 /**
637 * Frees the krb5_context allocated by krb5_init_context().
638 *
639 * @param context context to be freed.
640 *
641 * @ingroup krb5
642 */
643
644 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
645 krb5_free_context(krb5_context context)
646 {
647 _krb5_free_name_canon_rules(context, context->name_canon_rules);
648 free(context->default_cc_name);
649 free(context->default_cc_name_env);
650 free(context->configured_default_cc_name);
651 free(context->etypes);
652 free(context->cfg_etypes);
653 free(context->etypes_des);
654 free(context->permitted_enctypes);
655 free(context->tgs_etypes);
656 free(context->as_etypes);
657 krb5_free_host_realm (context, context->default_realms);
658 krb5_config_file_free (context, context->cf);
659 free(rk_UNCONST(context->cc_ops));
660 free(context->kt_types);
661 krb5_clear_error_message(context);
662 krb5_set_extra_addresses(context, NULL);
663 krb5_set_ignore_addresses(context, NULL);
664 krb5_set_send_to_kdc_func(context, NULL, NULL);
665
666 #ifdef PKINIT
667 hx509_context_free(&context->hx509ctx);
668 #endif
669
670 if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
671 rk_SOCK_EXIT();
672 }
673
674 heim_context_free(&context->hcontext);
675 memset(context, 0, sizeof(*context));
676 free(context);
677 }
678
679 /**
680 * Reinit the context from a new set of filenames.
681 *
682 * @param context context to add configuration too.
683 * @param filenames array of filenames, end of list is indicated with a NULL filename.
684 *
685 * @return Returns 0 to indicate success. Otherwise an kerberos et
686 * error code is returned, see krb5_get_error_message().
687 *
688 * @ingroup krb5
689 */
690
691 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
692 krb5_set_config_files(krb5_context context, char **filenames)
693 {
694 krb5_error_code ret;
695 heim_config_binding *tmp = NULL;
696
697 if ((ret = heim_set_config_files(context->hcontext, filenames,
698 &tmp)))
699 return ret;
700 krb5_config_file_free(context, context->cf);
701 context->cf = (krb5_config_binding *)tmp;
702 return init_context_from_config_file(context);
703 }
704
705 #ifndef HEIMDAL_SMALLER
706 /**
707 * Reinit the context from configuration file contents in a C string.
708 * This should only be used in tests.
709 *
710 * @param context context to add configuration too.
711 * @param config configuration.
712 *
713 * @return Returns 0 to indicate success. Otherwise an kerberos et
714 * error code is returned, see krb5_get_error_message().
715 *
716 * @ingroup krb5
717 */
718
719 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
720 krb5_set_config(krb5_context context, const char *config)
721 {
722 krb5_error_code ret;
723 krb5_config_binding *tmp = NULL;
724
725 if ((ret = krb5_config_parse_string_multi(context, config, &tmp)))
726 return ret;
727 #if 0
728 /* with this enabled and if there are no config files, Kerberos is
729 considererd disabled */
730 if (tmp == NULL)
731 return ENXIO;
732 #endif
733
734 krb5_config_file_free(context, context->cf);
735 context->cf = tmp;
736 ret = init_context_from_config_file(context);
737 return ret;
738 }
739 #endif
740
741 /*
742 * `pq' isn't free, it's up the the caller
743 */
744
745 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
746 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
747 {
748 return heim_prepend_config_files(filelist, pq, ret_pp);
749 }
750
751 /**
752 * Prepend the filename to the global configuration list.
753 *
754 * @param filelist a filename to add to the default list of filename
755 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
756 *
757 * @return Returns 0 to indicate success. Otherwise an kerberos et
758 * error code is returned, see krb5_get_error_message().
759 *
760 * @ingroup krb5
761 */
762
763 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
764 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
765 {
766 return heim_prepend_config_files_default(filelist, krb5_config_file,
767 "KRB5_CONFIG", pfilenames);
768 }
769
770 /**
771 * Get the global configuration list.
772 *
773 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
774 *
775 * @return Returns 0 to indicate success. Otherwise an kerberos et
776 * error code is returned, see krb5_get_error_message().
777 *
778 * @ingroup krb5
779 */
780
781 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
782 krb5_get_default_config_files(char ***pfilenames)
783 {
784 if (pfilenames == NULL)
785 return EINVAL;
786 return heim_get_default_config_files(krb5_config_file, "KRB5_CONFIG",
787 pfilenames);
788 }
789
790 /**
791 * Free a list of configuration files.
792 *
793 * @param filenames list, terminated with a NULL pointer, to be
794 * freed. NULL is an valid argument.
795 *
796 * @return Returns 0 to indicate success. Otherwise an kerberos et
797 * error code is returned, see krb5_get_error_message().
798 *
799 * @ingroup krb5
800 */
801
802 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
803 krb5_free_config_files(char **filenames)
804 {
805 heim_free_config_files(filenames);
806 }
807
808 /**
809 * Returns the list of Kerberos encryption types sorted in order of
810 * most preferred to least preferred encryption type. Note that some
811 * encryption types might be disabled, so you need to check with
812 * krb5_enctype_valid() before using the encryption type.
813 *
814 * @return list of enctypes, terminated with ETYPE_NULL. Its a static
815 * array completed into the Kerberos library so the content doesn't
816 * need to be freed.
817 *
818 * @ingroup krb5
819 */
820
821 KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
822 krb5_kerberos_enctypes(krb5_context context)
823 {
824 static const krb5_enctype p[] = {
825 ETYPE_AES256_CTS_HMAC_SHA1_96,
826 ETYPE_AES128_CTS_HMAC_SHA1_96,
827 ETYPE_AES256_CTS_HMAC_SHA384_192,
828 ETYPE_AES128_CTS_HMAC_SHA256_128,
829 ETYPE_DES3_CBC_SHA1,
830 ETYPE_ARCFOUR_HMAC_MD5,
831 ETYPE_NULL
832 };
833
834 static const krb5_enctype weak[] = {
835 ETYPE_AES256_CTS_HMAC_SHA1_96,
836 ETYPE_AES128_CTS_HMAC_SHA1_96,
837 ETYPE_AES256_CTS_HMAC_SHA384_192,
838 ETYPE_AES128_CTS_HMAC_SHA256_128,
839 ETYPE_DES3_CBC_SHA1,
840 ETYPE_DES3_CBC_MD5,
841 ETYPE_ARCFOUR_HMAC_MD5,
842 ETYPE_DES_CBC_MD5,
843 ETYPE_DES_CBC_MD4,
844 ETYPE_DES_CBC_CRC,
845 ETYPE_NULL
846 };
847
848 /*
849 * if the list of enctypes enabled by "allow_weak_crypto"
850 * are valid, then return the former default enctype list
851 * that contained the weak entries.
852 */
853 if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC) == 0 &&
854 krb5_enctype_valid(context, ETYPE_DES_CBC_MD4) == 0 &&
855 krb5_enctype_valid(context, ETYPE_DES_CBC_MD5) == 0 &&
856 krb5_enctype_valid(context, ETYPE_DES_CBC_NONE) == 0 &&
857 krb5_enctype_valid(context, ETYPE_DES_CFB64_NONE) == 0 &&
858 krb5_enctype_valid(context, ETYPE_DES_PCBC_NONE) == 0)
859 return weak;
860
861 return p;
862 }
863
864 /*
865 *
866 */
867
868 static krb5_error_code
869 copy_enctypes(krb5_context context,
870 const krb5_enctype *in,
871 krb5_enctype **out)
872 {
873 krb5_enctype *p = NULL;
874 size_t m, n;
875
876 for (n = 0; in[n]; n++)
877 ;
878 n++;
879 ALLOC(p, n);
880 if(p == NULL)
881 return krb5_enomem(context);
882 for (n = 0, m = 0; in[n]; n++) {
883 if (krb5_enctype_valid(context, in[n]) != 0)
884 continue;
885 p[m++] = in[n];
886 }
887 p[m] = KRB5_ENCTYPE_NULL;
888 if (m == 0) {
889 free(p);
890 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
891 N_("no valid enctype set", ""));
892 return KRB5_PROG_ETYPE_NOSUPP;
893 }
894 *out = p;
895 return 0;
896 }
897
898
899 /*
900 * set `etype' to a malloced list of the default enctypes
901 */
902
903 static krb5_error_code
904 default_etypes(krb5_context context, krb5_enctype **etype)
905 {
906 const krb5_enctype *p = krb5_kerberos_enctypes(context);
907 return copy_enctypes(context, p, etype);
908 }
909
910 /**
911 * Set the default encryption types that will be use in communcation
912 * with the KDC, clients and servers.
913 *
914 * @param context Kerberos 5 context.
915 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
916 * A value of NULL resets the encryption types to the defaults set in the
917 * configuration file.
918 *
919 * @return Returns 0 to indicate success. Otherwise an kerberos et
920 * error code is returned, see krb5_get_error_message().
921 *
922 * @ingroup krb5
923 */
924
925 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
926 krb5_set_default_in_tkt_etypes(krb5_context context,
927 const krb5_enctype *etypes)
928 {
929 krb5_error_code ret;
930 krb5_enctype *p = NULL;
931
932 if(!etypes) {
933 etypes = context->cfg_etypes;
934 }
935
936 if(etypes) {
937 ret = copy_enctypes(context, etypes, &p);
938 if (ret)
939 return ret;
940 }
941 if(context->etypes)
942 free(context->etypes);
943 context->etypes = p;
944 return 0;
945 }
946
947 /**
948 * Get the default encryption types that will be use in communcation
949 * with the KDC, clients and servers.
950 *
951 * @param context Kerberos 5 context.
952 * @param pdu_type request type (AS, TGS or none)
953 * @param etypes Encryption types, array terminated with
954 * ETYPE_NULL(0), caller should free array with krb5_xfree():
955 *
956 * @return Returns 0 to indicate success. Otherwise an kerberos et
957 * error code is returned, see krb5_get_error_message().
958 *
959 * @ingroup krb5
960 */
961
962 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
963 krb5_get_default_in_tkt_etypes(krb5_context context,
964 krb5_pdu pdu_type,
965 krb5_enctype **etypes)
966 {
967 krb5_enctype *enctypes = NULL;
968 krb5_error_code ret;
969 krb5_enctype *p;
970
971 heim_assert(pdu_type == KRB5_PDU_AS_REQUEST ||
972 pdu_type == KRB5_PDU_TGS_REQUEST ||
973 pdu_type == KRB5_PDU_NONE, "unexpected pdu type");
974
975 if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
976 enctypes = context->as_etypes;
977 else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
978 enctypes = context->tgs_etypes;
979 else if (context->etypes != NULL)
980 enctypes = context->etypes;
981
982 if (enctypes != NULL) {
983 ret = copy_enctypes(context, enctypes, &p);
984 if (ret)
985 return ret;
986 } else {
987 ret = default_etypes(context, &p);
988 if (ret)
989 return ret;
990 }
991 *etypes = p;
992 return 0;
993 }
994
995 /**
996 * Init the built-in ets in the Kerberos library.
997 *
998 * @param context kerberos context to add the ets too
999 *
1000 * @ingroup krb5
1001 */
1002
1003 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1004 krb5_init_ets(krb5_context context)
1005 {
1006 }
1007
1008 static void
1009 _krb5_init_ets(krb5_context context)
1010 {
1011 heim_add_et_list(context->hcontext, initialize_krb5_error_table_r);
1012 heim_add_et_list(context->hcontext, initialize_asn1_error_table_r);
1013 heim_add_et_list(context->hcontext, initialize_heim_error_table_r);
1014
1015 heim_add_et_list(context->hcontext, initialize_k524_error_table_r);
1016 heim_add_et_list(context->hcontext, initialize_k5e1_error_table_r);
1017
1018 #ifdef COM_ERR_BINDDOMAIN_krb5
1019 bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
1020 bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
1021 bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
1022 bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
1023 #endif
1024
1025 #ifdef PKINIT
1026 heim_add_et_list(context->hcontext, initialize_hx_error_table_r);
1027 #ifdef COM_ERR_BINDDOMAIN_hx
1028 bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
1029 #endif
1030 #endif
1031 }
1032
1033 /**
1034 * Make the kerberos library default to the admin KDC.
1035 *
1036 * @param context Kerberos 5 context.
1037 * @param flag boolean flag to select if the use the admin KDC or not.
1038 *
1039 * @ingroup krb5
1040 */
1041
1042 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1043 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
1044 {
1045 context->use_admin_kdc = flag;
1046 }
1047
1048 /**
1049 * Make the kerberos library default to the admin KDC.
1050 *
1051 * @param context Kerberos 5 context.
1052 *
1053 * @return boolean flag to telling the context will use admin KDC as the default KDC.
1054 *
1055 * @ingroup krb5
1056 */
1057
1058 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1059 krb5_get_use_admin_kdc (krb5_context context)
1060 {
1061 return context->use_admin_kdc;
1062 }
1063
1064 /**
1065 * Add extra address to the address list that the library will add to
1066 * the client's address list when communicating with the KDC.
1067 *
1068 * @param context Kerberos 5 context.
1069 * @param addresses addreses to add
1070 *
1071 * @return Returns 0 to indicate success. Otherwise an kerberos et
1072 * error code is returned, see krb5_get_error_message().
1073 *
1074 * @ingroup krb5
1075 */
1076
1077 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1078 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
1079 {
1080
1081 if(context->extra_addresses)
1082 return krb5_append_addresses(context,
1083 context->extra_addresses, addresses);
1084 else
1085 return krb5_set_extra_addresses(context, addresses);
1086 }
1087
1088 /**
1089 * Set extra address to the address list that the library will add to
1090 * the client's address list when communicating with the KDC.
1091 *
1092 * @param context Kerberos 5 context.
1093 * @param addresses addreses to set
1094 *
1095 * @return Returns 0 to indicate success. Otherwise an kerberos et
1096 * error code is returned, see krb5_get_error_message().
1097 *
1098 * @ingroup krb5
1099 */
1100
1101 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1102 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
1103 {
1104 if(context->extra_addresses)
1105 krb5_free_addresses(context, context->extra_addresses);
1106
1107 if(addresses == NULL) {
1108 if(context->extra_addresses != NULL) {
1109 free(context->extra_addresses);
1110 context->extra_addresses = NULL;
1111 }
1112 return 0;
1113 }
1114 if(context->extra_addresses == NULL) {
1115 context->extra_addresses = malloc(sizeof(*context->extra_addresses));
1116 if (context->extra_addresses == NULL)
1117 return krb5_enomem(context);
1118 }
1119 return krb5_copy_addresses(context, addresses, context->extra_addresses);
1120 }
1121
1122 /**
1123 * Get extra address to the address list that the library will add to
1124 * the client's address list when communicating with the KDC.
1125 *
1126 * @param context Kerberos 5 context.
1127 * @param addresses addreses to set
1128 *
1129 * @return Returns 0 to indicate success. Otherwise an kerberos et
1130 * error code is returned, see krb5_get_error_message().
1131 *
1132 * @ingroup krb5
1133 */
1134
1135 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1136 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
1137 {
1138 if(context->extra_addresses == NULL) {
1139 memset(addresses, 0, sizeof(*addresses));
1140 return 0;
1141 }
1142 return krb5_copy_addresses(context,context->extra_addresses, addresses);
1143 }
1144
1145 /**
1146 * Add extra addresses to ignore when fetching addresses from the
1147 * underlaying operating system.
1148 *
1149 * @param context Kerberos 5 context.
1150 * @param addresses addreses to ignore
1151 *
1152 * @return Returns 0 to indicate success. Otherwise an kerberos et
1153 * error code is returned, see krb5_get_error_message().
1154 *
1155 * @ingroup krb5
1156 */
1157
1158 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1159 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1160 {
1161
1162 if(context->ignore_addresses)
1163 return krb5_append_addresses(context,
1164 context->ignore_addresses, addresses);
1165 else
1166 return krb5_set_ignore_addresses(context, addresses);
1167 }
1168
1169 /**
1170 * Set extra addresses to ignore when fetching addresses from the
1171 * underlaying operating system.
1172 *
1173 * @param context Kerberos 5 context.
1174 * @param addresses addreses to ignore
1175 *
1176 * @return Returns 0 to indicate success. Otherwise an kerberos et
1177 * error code is returned, see krb5_get_error_message().
1178 *
1179 * @ingroup krb5
1180 */
1181
1182 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1183 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
1184 {
1185 if(context->ignore_addresses)
1186 krb5_free_addresses(context, context->ignore_addresses);
1187 if(addresses == NULL) {
1188 if(context->ignore_addresses != NULL) {
1189 free(context->ignore_addresses);
1190 context->ignore_addresses = NULL;
1191 }
1192 return 0;
1193 }
1194 if(context->ignore_addresses == NULL) {
1195 context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
1196 if (context->ignore_addresses == NULL)
1197 return krb5_enomem(context);
1198 }
1199 return krb5_copy_addresses(context, addresses, context->ignore_addresses);
1200 }
1201
1202 /**
1203 * Get extra addresses to ignore when fetching addresses from the
1204 * underlaying operating system.
1205 *
1206 * @param context Kerberos 5 context.
1207 * @param addresses list addreses ignored
1208 *
1209 * @return Returns 0 to indicate success. Otherwise an kerberos et
1210 * error code is returned, see krb5_get_error_message().
1211 *
1212 * @ingroup krb5
1213 */
1214
1215 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1216 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1217 {
1218 if(context->ignore_addresses == NULL) {
1219 memset(addresses, 0, sizeof(*addresses));
1220 return 0;
1221 }
1222 return krb5_copy_addresses(context, context->ignore_addresses, addresses);
1223 }
1224
1225 /**
1226 * Set version of fcache that the library should use.
1227 *
1228 * @param context Kerberos 5 context.
1229 * @param version version number.
1230 *
1231 * @return Returns 0 to indicate success. Otherwise an kerberos et
1232 * error code is returned, see krb5_get_error_message().
1233 *
1234 * @ingroup krb5
1235 */
1236
1237 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1238 krb5_set_fcache_version(krb5_context context, int version)
1239 {
1240 context->fcache_vno = version;
1241 return 0;
1242 }
1243
1244 /**
1245 * Get version of fcache that the library should use.
1246 *
1247 * @param context Kerberos 5 context.
1248 * @param version version number.
1249 *
1250 * @return Returns 0 to indicate success. Otherwise an kerberos et
1251 * error code is returned, see krb5_get_error_message().
1252 *
1253 * @ingroup krb5
1254 */
1255
1256 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1257 krb5_get_fcache_version(krb5_context context, int *version)
1258 {
1259 *version = context->fcache_vno;
1260 return 0;
1261 }
1262
1263 /**
1264 * Runtime check if the Kerberos library was complied with thread support.
1265 *
1266 * @return TRUE if the library was compiled with thread support, FALSE if not.
1267 *
1268 * @ingroup krb5
1269 */
1270
1271
1272 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1273 krb5_is_thread_safe(void)
1274 {
1275 #ifdef ENABLE_PTHREAD_SUPPORT
1276 return TRUE;
1277 #else
1278 return FALSE;
1279 #endif
1280 }
1281
1282 /**
1283 * Set if the library should use DNS to canonicalize hostnames.
1284 *
1285 * @param context Kerberos 5 context.
1286 * @param flag if its dns canonicalizion is used or not.
1287 *
1288 * @ingroup krb5
1289 */
1290
1291 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1292 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
1293 {
1294 if (flag)
1295 context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1296 else
1297 context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1298 }
1299
1300 /**
1301 * Get if the library uses DNS to canonicalize hostnames.
1302 *
1303 * @param context Kerberos 5 context.
1304 *
1305 * @return return non zero if the library uses DNS to canonicalize hostnames.
1306 *
1307 * @ingroup krb5
1308 */
1309
1310 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1311 krb5_get_dns_canonicalize_hostname (krb5_context context)
1312 {
1313 return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
1314 }
1315
1316 /**
1317 * Get current offset in time to the KDC.
1318 *
1319 * @param context Kerberos 5 context.
1320 * @param sec seconds part of offset.
1321 * @param usec micro seconds part of offset.
1322 *
1323 * @return returns zero
1324 *
1325 * @ingroup krb5
1326 */
1327
1328 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1329 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
1330 {
1331 if (sec)
1332 *sec = context->kdc_sec_offset;
1333 if (usec)
1334 *usec = context->kdc_usec_offset;
1335 return 0;
1336 }
1337
1338 /**
1339 * Set current offset in time to the KDC.
1340 *
1341 * @param context Kerberos 5 context.
1342 * @param sec seconds part of offset.
1343 * @param usec micro seconds part of offset.
1344 *
1345 * @return returns zero
1346 *
1347 * @ingroup krb5
1348 */
1349
1350 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1351 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1352 {
1353 context->kdc_sec_offset = sec;
1354 if (usec >= 0)
1355 context->kdc_usec_offset = usec;
1356 return 0;
1357 }
1358
1359 /**
1360 * Get max time skew allowed.
1361 *
1362 * @param context Kerberos 5 context.
1363 *
1364 * @return timeskew in seconds.
1365 *
1366 * @ingroup krb5
1367 */
1368
1369 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
1370 krb5_get_max_time_skew (krb5_context context)
1371 {
1372 return context->max_skew;
1373 }
1374
1375 /**
1376 * Set max time skew allowed.
1377 *
1378 * @param context Kerberos 5 context.
1379 * @param t timeskew in seconds.
1380 *
1381 * @ingroup krb5
1382 */
1383
1384 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1385 krb5_set_max_time_skew (krb5_context context, time_t t)
1386 {
1387 context->max_skew = t;
1388 }
1389
1390 /*
1391 * Init encryption types in len, val with etypes.
1392 *
1393 * @param context Kerberos 5 context.
1394 * @param pdu_type type of pdu
1395 * @param len output length of val.
1396 * @param val output array of enctypes.
1397 * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1398
1399 * @return Returns 0 to indicate success. Otherwise an kerberos et
1400 * error code is returned, see krb5_get_error_message().
1401 *
1402 * @ingroup krb5
1403 */
1404
1405 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1406 _krb5_init_etype(krb5_context context,
1407 krb5_pdu pdu_type,
1408 unsigned *len,
1409 krb5_enctype **val,
1410 const krb5_enctype *etypes)
1411 {
1412 krb5_error_code ret;
1413
1414 if (etypes == NULL)
1415 ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
1416 else
1417 ret = copy_enctypes(context, etypes, val);
1418 if (ret)
1419 return ret;
1420
1421 if (len) {
1422 *len = 0;
1423 while ((*val)[*len] != KRB5_ENCTYPE_NULL)
1424 (*len)++;
1425 }
1426 return 0;
1427 }
1428
1429 /*
1430 * Allow homedir access
1431 */
1432
1433 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1434 _krb5_homedir_access(krb5_context context)
1435 {
1436 if (context)
1437 return !!(context->flags & KRB5_CTX_F_HOMEDIR_ACCESS);
1438 return !issuid();
1439 }
1440
1441 /**
1442 * Enable and disable home directory access on either the global state
1443 * or the krb5_context state. By calling krb5_set_home_dir_access()
1444 * with context set to NULL, the global state is configured otherwise
1445 * the state for the krb5_context is modified.
1446 *
1447 * For home directory access to be allowed, both the global state and
1448 * the krb5_context state have to be allowed.
1449 *
1450 * @param context a Kerberos 5 context or NULL
1451 * @param allow allow if TRUE home directory
1452 * @return the old value
1453 *
1454 * @ingroup krb5
1455 */
1456
1457 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1458 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
1459 {
1460 krb5_boolean old = _krb5_homedir_access(context);
1461
1462 if (context) {
1463 if (allow)
1464 context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
1465 else
1466 context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
1467 heim_context_set_homedir_access(context->hcontext, allow ? 1 : 0);
1468 }
1469
1470 return old;
1471 }
1472
Samba GIT mirror