search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Spelling
[heimdal.git] / lib / krb5 / context.c
blob79e1000fd0982a02b537419982ef71cf8abce427
1 /*
2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "krb5_locl.h"
35 #include <com_err.h>
36
37 #define INIT_FIELD(C, T, E, D, F) \
38 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
39 "libdefaults", F, NULL)
40
41 #define INIT_FLAG(C, O, V, D, F) \
42 do { \
43 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
44 (C)->O |= V; \
45 } \
46 } while(0)
47
48 /*
49 * Set the list of etypes `ret_etypes' from the configuration variable
50 * `name'
51 */
52
53 static krb5_error_code
54 set_etypes (krb5_context context,
55 const char *name,
56 krb5_enctype **ret_enctypes)
57 {
58 char **etypes_str;
59 krb5_enctype *etypes = NULL;
60
61 etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
62 name, NULL);
63 if(etypes_str){
64 int i, j, k;
65 for(i = 0; etypes_str[i]; i++);
66 etypes = malloc((i+1) * sizeof(*etypes));
67 if (etypes == NULL) {
68 krb5_config_free_strings (etypes_str);
69 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
70 return ENOMEM;
71 }
72 for(j = 0, k = 0; j < i; j++) {
73 krb5_enctype e;
74 if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
75 continue;
76 if (krb5_enctype_valid(context, e) != 0)
77 continue;
78 etypes[k++] = e;
79 }
80 etypes[k] = ETYPE_NULL;
81 krb5_config_free_strings(etypes_str);
82 }
83 *ret_enctypes = etypes;
84 return 0;
85 }
86
87 /*
88 * read variables from the configuration file and set in `context'
89 */
90
91 static krb5_error_code
92 init_context_from_config_file(krb5_context context)
93 {
94 krb5_error_code ret;
95 const char * tmp;
96 char **s;
97 krb5_enctype *tmptypes;
98
99 INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
100 INIT_FIELD(context, time, kdc_timeout, 3, "kdc_timeout");
101 INIT_FIELD(context, int, max_retries, 3, "max_retries");
102
103 INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
104
105 ret = set_etypes (context, "default_etypes", &tmptypes);
106 if(ret)
107 return ret;
108 free(context->etypes);
109 context->etypes = tmptypes;
110
111 ret = set_etypes (context, "default_etypes_des", &tmptypes);
112 if(ret)
113 return ret;
114 free(context->etypes_des);
115 context->etypes_des = tmptypes;
116
117 /* default keytab name */
118 tmp = NULL;
119 if(!issuid())
120 tmp = getenv("KRB5_KTNAME");
121 if(tmp != NULL)
122 context->default_keytab = tmp;
123 else
124 INIT_FIELD(context, string, default_keytab,
125 KEYTAB_DEFAULT, "default_keytab_name");
126
127 INIT_FIELD(context, string, default_keytab_modify,
128 NULL, "default_keytab_modify_name");
129
130 INIT_FIELD(context, string, time_fmt,
131 "%Y-%m-%dT%H:%M:%S", "time_format");
132
133 INIT_FIELD(context, string, date_fmt,
134 "%Y-%m-%d", "date_format");
135
136 INIT_FIELD(context, bool, log_utc,
137 FALSE, "log_utc");
138
139
140
141 /* init dns-proxy slime */
142 tmp = krb5_config_get_string(context, NULL, "libdefaults",
143 "dns_proxy", NULL);
144 if(tmp)
145 roken_gethostby_setup(context->http_proxy, tmp);
146 krb5_free_host_realm (context, context->default_realms);
147 context->default_realms = NULL;
148
149 {
150 krb5_addresses addresses;
151 char **adr, **a;
152
153 krb5_set_extra_addresses(context, NULL);
154 adr = krb5_config_get_strings(context, NULL,
155 "libdefaults",
156 "extra_addresses",
157 NULL);
158 memset(&addresses, 0, sizeof(addresses));
159 for(a = adr; a && *a; a++) {
160 ret = krb5_parse_address(context, *a, &addresses);
161 if (ret == 0) {
162 krb5_add_extra_addresses(context, &addresses);
163 krb5_free_addresses(context, &addresses);
164 }
165 }
166 krb5_config_free_strings(adr);
167
168 krb5_set_ignore_addresses(context, NULL);
169 adr = krb5_config_get_strings(context, NULL,
170 "libdefaults",
171 "ignore_addresses",
172 NULL);
173 memset(&addresses, 0, sizeof(addresses));
174 for(a = adr; a && *a; a++) {
175 ret = krb5_parse_address(context, *a, &addresses);
176 if (ret == 0) {
177 krb5_add_ignore_addresses(context, &addresses);
178 krb5_free_addresses(context, &addresses);
179 }
180 }
181 krb5_config_free_strings(adr);
182 }
183
184 INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
185 INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
186 /* prefer dns_lookup_kdc over srv_lookup. */
187 INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
188 INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
189 INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
190 INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
191 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
192 context->default_cc_name = NULL;
193 context->default_cc_name_set = 0;
194
195 ret = krb5_config_get_bool_default(context, NULL, FALSE,
196 "libdefaults",
197 "allow_weak_crypto", NULL);
198 if (ret) {
199 krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
200 krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
201 krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
202 krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
203 krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
204 krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
205 }
206
207 s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
208 if(s) {
209 char **p;
210 krb5_initlog(context, "libkrb5", &context->debug_dest);
211 for(p = s; *p; p++)
212 krb5_addlog_dest(context, context->debug_dest, *p);
213 krb5_config_free_strings(s);
214 }
215
216
217 return 0;
218 }
219
220 static krb5_error_code
221 cc_ops_register(krb5_context context)
222 {
223 context->cc_ops = NULL;
224 context->num_cc_ops = 0;
225
226 krb5_cc_register(context, &krb5_acc_ops, TRUE);
227 krb5_cc_register(context, &krb5_fcc_ops, TRUE);
228 krb5_cc_register(context, &krb5_mcc_ops, TRUE);
229 krb5_cc_register(context, &krb5_scc_ops, TRUE);
230 #ifdef HAVE_KCM
231 krb5_cc_register(context, &krb5_kcm_ops, TRUE);
232 #endif
233 return 0;
234 }
235
236 static krb5_error_code
237 kt_ops_register(krb5_context context)
238 {
239 context->num_kt_types = 0;
240 context->kt_types = NULL;
241
242 krb5_kt_register (context, &krb5_fkt_ops);
243 krb5_kt_register (context, &krb5_wrfkt_ops);
244 krb5_kt_register (context, &krb5_javakt_ops);
245 krb5_kt_register (context, &krb5_mkt_ops);
246 #ifndef HEIMDAL_SMALLER
247 krb5_kt_register (context, &krb5_akf_ops);
248 #endif
249 krb5_kt_register (context, &krb5_any_ops);
250 return 0;
251 }
252
253
254 /**
255 * Initializes the context structure and reads the configuration file
256 * /etc/krb5.conf. The structure should be freed by calling
257 * krb5_free_context() when it is no longer being used.
258 *
259 * @param context pointer to returned context
260 *
261 * @return Returns 0 to indicate success. Otherwise an errno code is
262 * returned. Failure means either that something bad happened during
263 * initialization (typically ENOMEM) or that Kerberos should not be
264 * used ENXIO.
265 *
266 * @ingroup krb5
267 */
268
269 krb5_error_code KRB5_LIB_FUNCTION
270 krb5_init_context(krb5_context *context)
271 {
272 krb5_context p;
273 krb5_error_code ret;
274 char **files;
275
276 *context = NULL;
277
278 /* should have a run_once */
279 bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
280
281 p = calloc(1, sizeof(*p));
282 if(!p)
283 return ENOMEM;
284
285 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
286 if (p->mutex == NULL) {
287 free(p);
288 return ENOMEM;
289 }
290 HEIMDAL_MUTEX_init(p->mutex);
291
292 p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
293
294 ret = krb5_get_default_config_files(&files);
295 if(ret)
296 goto out;
297 ret = krb5_set_config_files(p, files);
298 krb5_free_config_files(files);
299 if(ret)
300 goto out;
301
302 /* init error tables */
303 krb5_init_ets(p);
304 cc_ops_register(p);
305 kt_ops_register(p);
306
307 #ifdef PKINIT
308 ret = hx509_context_init(&p->hx509ctx);
309 if (ret)
310 goto out;
311 #endif
312
313 out:
314 if(ret) {
315 krb5_free_context(p);
316 p = NULL;
317 }
318 *context = p;
319 return ret;
320 }
321
322 #ifndef HEIMDAL_SMALLER
323
324 /*
325 *
326 */
327
328 static krb5_error_code
329 copy_etypes (krb5_context context,
330 krb5_enctype *enctypes,
331 krb5_enctype **ret_enctypes)
332 {
333 unsigned int i;
334
335 for (i = 0; enctypes[i]; i++)
336 ;
337 i++;
338
339 *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i);
340 if (*ret_enctypes == NULL) {
341 krb5_set_error_message(context, ENOMEM,
342 N_("malloc: out of memory", ""));
343 return ENOMEM;
344 }
345 memcpy(*ret_enctypes, enctypes, sizeof(ret_enctypes[0]) * i);
346 return 0;
347 }
348
349 /**
350 * Make a copy for the Kerberos 5 context, the new krb5_context shoud
351 * be freed with krb5_free_context().
352 *
353 * @param context the Kerberos context to copy
354 * @param out the copy of the Kerberos, set to NULL error.
355 *
356 * @return Returns 0 to indicate success. Otherwise an kerberos et
357 * error code is returned, see krb5_get_error_message().
358 *
359 * @ingroup krb5
360 */
361
362 krb5_error_code KRB5_LIB_FUNCTION
363 krb5_copy_context(krb5_context context, krb5_context *out)
364 {
365 krb5_error_code ret;
366 krb5_context p;
367
368 *out = NULL;
369
370 p = calloc(1, sizeof(*p));
371 if (p == NULL) {
372 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
373 return ENOMEM;
374 }
375
376 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
377 if (p->mutex == NULL) {
378 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
379 free(p);
380 return ENOMEM;
381 }
382 HEIMDAL_MUTEX_init(p->mutex);
383
384
385 if (context->default_cc_name)
386 p->default_cc_name = strdup(context->default_cc_name);
387 if (context->default_cc_name_env)
388 p->default_cc_name_env = strdup(context->default_cc_name_env);
389
390 if (context->etypes) {
391 ret = copy_etypes(context, context->etypes, &p->etypes);
392 if (ret)
393 goto out;
394 }
395 if (context->etypes_des) {
396 ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
397 if (ret)
398 goto out;
399 }
400
401 if (context->default_realms) {
402 ret = krb5_copy_host_realm(context,
403 context->default_realms, &p->default_realms);
404 if (ret)
405 goto out;
406 }
407
408 ret = _krb5_config_copy(context, context->cf, &p->cf);
409 if (ret)
410 goto out;
411
412 /* XXX should copy */
413 krb5_init_ets(p);
414 cc_ops_register(p);
415 kt_ops_register(p);
416
417 #if 0 /* XXX */
418 if(context->warn_dest != NULL)
419 ;
420 if(context->debug_dest != NULL)
421 ;
422 #endif
423
424 ret = krb5_set_extra_addresses(p, context->extra_addresses);
425 if (ret)
426 goto out;
427 ret = krb5_set_extra_addresses(p, context->ignore_addresses);
428 if (ret)
429 goto out;
430
431 ret = _krb5_copy_send_to_kdc_func(p, context);
432 if (ret)
433 goto out;
434
435 *out = p;
436
437 return 0;
438
439 out:
440 krb5_free_context(p);
441 return ret;
442 }
443
444 #endif
445
446 /**
447 * Frees the krb5_context allocated by krb5_init_context().
448 *
449 * @param context context to be freed.
450 *
451 * @ingroup krb5
452 */
453
454 void KRB5_LIB_FUNCTION
455 krb5_free_context(krb5_context context)
456 {
457 if (context->default_cc_name)
458 free(context->default_cc_name);
459 if (context->default_cc_name_env)
460 free(context->default_cc_name_env);
461 free(context->etypes);
462 free(context->etypes_des);
463 krb5_free_host_realm (context, context->default_realms);
464 krb5_config_file_free (context, context->cf);
465 free_error_table (context->et_list);
466 free(context->cc_ops);
467 free(context->kt_types);
468 krb5_clear_error_message(context);
469 if(context->warn_dest != NULL)
470 krb5_closelog(context, context->warn_dest);
471 if(context->debug_dest != NULL)
472 krb5_closelog(context, context->debug_dest);
473 krb5_set_extra_addresses(context, NULL);
474 krb5_set_ignore_addresses(context, NULL);
475 krb5_set_send_to_kdc_func(context, NULL, NULL);
476
477 HEIMDAL_MUTEX_destroy(context->mutex);
478 free(context->mutex);
479
480 memset(context, 0, sizeof(*context));
481 free(context);
482 }
483
484 /**
485 * Reinit the context from a new set of filenames.
486 *
487 * @param context context to add configuration too.
488 * @param filenames array of filenames, end of list is indicated with a NULL filename.
489 *
490 * @return Returns 0 to indicate success. Otherwise an kerberos et
491 * error code is returned, see krb5_get_error_message().
492 *
493 * @ingroup krb5
494 */
495
496 krb5_error_code KRB5_LIB_FUNCTION
497 krb5_set_config_files(krb5_context context, char **filenames)
498 {
499 krb5_error_code ret;
500 krb5_config_binding *tmp = NULL;
501 while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
502 ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
503 if(ret != 0 && ret != ENOENT && ret != EACCES) {
504 krb5_config_file_free(context, tmp);
505 return ret;
506 }
507 filenames++;
508 }
509 #if 0
510 /* with this enabled and if there are no config files, Kerberos is
511 considererd disabled */
512 if(tmp == NULL)
513 return ENXIO;
514 #endif
515 krb5_config_file_free(context, context->cf);
516 context->cf = tmp;
517 ret = init_context_from_config_file(context);
518 return ret;
519 }
520
521 static krb5_error_code
522 add_file(char ***pfilenames, int *len, char *file)
523 {
524 char **pp = *pfilenames;
525 int i;
526
527 for(i = 0; i < *len; i++) {
528 if(strcmp(pp[i], file) == 0) {
529 free(file);
530 return 0;
531 }
532 }
533
534 pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp));
535 if (pp == NULL) {
536 free(file);
537 return ENOMEM;
538 }
539
540 pp[*len] = file;
541 pp[*len + 1] = NULL;
542 *pfilenames = pp;
543 *len += 1;
544 return 0;
545 }
546
547 /*
548 * `pq' isn't free, it's up the the caller
549 */
550
551 krb5_error_code KRB5_LIB_FUNCTION
552 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
553 {
554 krb5_error_code ret;
555 const char *p, *q;
556 char **pp;
557 int len;
558 char *fn;
559
560 pp = NULL;
561
562 len = 0;
563 p = filelist;
564 while(1) {
565 ssize_t l;
566 q = p;
567 l = strsep_copy(&q, ":", NULL, 0);
568 if(l == -1)
569 break;
570 fn = malloc(l + 1);
571 if(fn == NULL) {
572 krb5_free_config_files(pp);
573 return ENOMEM;
574 }
575 (void)strsep_copy(&p, ":", fn, l + 1);
576 ret = add_file(&pp, &len, fn);
577 if (ret) {
578 krb5_free_config_files(pp);
579 return ret;
580 }
581 }
582
583 if (pq != NULL) {
584 int i;
585
586 for (i = 0; pq[i] != NULL; i++) {
587 fn = strdup(pq[i]);
588 if (fn == NULL) {
589 krb5_free_config_files(pp);
590 return ENOMEM;
591 }
592 ret = add_file(&pp, &len, fn);
593 if (ret) {
594 krb5_free_config_files(pp);
595 return ret;
596 }
597 }
598 }
599
600 *ret_pp = pp;
601 return 0;
602 }
603
604 /**
605 * Prepend the filename to the global configuration list.
606 *
607 * @param filelist a filename to add to the default list of filename
608 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
609 *
610 * @return Returns 0 to indicate success. Otherwise an kerberos et
611 * error code is returned, see krb5_get_error_message().
612 *
613 * @ingroup krb5
614 */
615
616 krb5_error_code KRB5_LIB_FUNCTION
617 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
618 {
619 krb5_error_code ret;
620 char **defpp, **pp = NULL;
621
622 ret = krb5_get_default_config_files(&defpp);
623 if (ret)
624 return ret;
625
626 ret = krb5_prepend_config_files(filelist, defpp, &pp);
627 krb5_free_config_files(defpp);
628 if (ret) {
629 return ret;
630 }
631 *pfilenames = pp;
632 return 0;
633 }
634
635 /**
636 * Get the global configuration list.
637 *
638 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
639 *
640 * @return Returns 0 to indicate success. Otherwise an kerberos et
641 * error code is returned, see krb5_get_error_message().
642 *
643 * @ingroup krb5
644 */
645
646 krb5_error_code KRB5_LIB_FUNCTION
647 krb5_get_default_config_files(char ***pfilenames)
648 {
649 const char *files = NULL;
650
651 if (pfilenames == NULL)
652 return EINVAL;
653 if(!issuid())
654 files = getenv("KRB5_CONFIG");
655 if (files == NULL)
656 files = krb5_config_file;
657
658 return krb5_prepend_config_files(files, NULL, pfilenames);
659 }
660
661 /**
662 * Free a list of configuration files.
663 *
664 * @param filenames list, terminated with a NULL pointer, to be
665 * freed. NULL is an valid argument.
666 *
667 * @return Returns 0 to indicate success. Otherwise an kerberos et
668 * error code is returned, see krb5_get_error_message().
669 *
670 * @ingroup krb5
671 */
672
673 void KRB5_LIB_FUNCTION
674 krb5_free_config_files(char **filenames)
675 {
676 char **p;
677 for(p = filenames; p && *p != NULL; p++)
678 free(*p);
679 free(filenames);
680 }
681
682 /**
683 * Returns the list of Kerberos encryption types sorted in order of
684 * most preferred to least preferred encryption type. Note that some
685 * encryption types might be disabled, so you need to check with
686 * krb5_enctype_valid() before using the encryption type.
687 *
688 * @return list of enctypes, terminated with ETYPE_NULL. Its a static
689 * array completed into the Kerberos library so the content doesn't
690 * need to be freed.
691 *
692 * @ingroup krb5
693 */
694
695 const krb5_enctype * KRB5_LIB_FUNCTION
696 krb5_kerberos_enctypes(krb5_context context)
697 {
698 static const krb5_enctype p[] = {
699 ETYPE_AES256_CTS_HMAC_SHA1_96,
700 ETYPE_AES128_CTS_HMAC_SHA1_96,
701 ETYPE_DES3_CBC_SHA1,
702 ETYPE_DES3_CBC_MD5,
703 ETYPE_ARCFOUR_HMAC_MD5,
704 ETYPE_DES_CBC_MD5,
705 ETYPE_DES_CBC_MD4,
706 ETYPE_DES_CBC_CRC,
707 ETYPE_NULL
708 };
709 return p;
710 }
711
712 /*
713 * set `etype' to a malloced list of the default enctypes
714 */
715
716 static krb5_error_code
717 default_etypes(krb5_context context, krb5_enctype **etype)
718 {
719 const krb5_enctype *p;
720 krb5_enctype *e = NULL, *ep;
721 int i, n = 0;
722
723 p = krb5_kerberos_enctypes(context);
724
725 for (i = 0; p[i] != ETYPE_NULL; i++) {
726 if (krb5_enctype_valid(context, p[i]) != 0)
727 continue;
728 ep = realloc(e, (n + 2) * sizeof(*e));
729 if (ep == NULL) {
730 free(e);
731 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
732 return ENOMEM;
733 }
734 e = ep;
735 e[n] = p[i];
736 e[n + 1] = ETYPE_NULL;
737 n++;
738 }
739 *etype = e;
740 return 0;
741 }
742
743 /**
744 * Set the default encryption types that will be use in communcation
745 * with the KDC, clients and servers.
746 *
747 * @param context Kerberos 5 context.
748 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
749 *
750 * @return Returns 0 to indicate success. Otherwise an kerberos et
751 * error code is returned, see krb5_get_error_message().
752 *
753 * @ingroup krb5
754 */
755
756 krb5_error_code KRB5_LIB_FUNCTION
757 krb5_set_default_in_tkt_etypes(krb5_context context,
758 const krb5_enctype *etypes)
759 {
760 krb5_enctype *p = NULL;
761 int i;
762
763 if(etypes) {
764 for (i = 0; etypes[i]; ++i) {
765 krb5_error_code ret;
766 ret = krb5_enctype_valid(context, etypes[i]);
767 if (ret)
768 return ret;
769 }
770 ++i;
771 ALLOC(p, i);
772 if(!p) {
773 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
774 return ENOMEM;
775 }
776 memmove(p, etypes, i * sizeof(krb5_enctype));
777 }
778 if(context->etypes)
779 free(context->etypes);
780 context->etypes = p;
781 return 0;
782 }
783
784 /**
785 * Get the default encryption types that will be use in communcation
786 * with the KDC, clients and servers.
787 *
788 * @param context Kerberos 5 context.
789 * @param etypes Encryption types, array terminated with
790 * ETYPE_NULL(0), caller should free array with krb5_xfree():
791 *
792 * @return Returns 0 to indicate success. Otherwise an kerberos et
793 * error code is returned, see krb5_get_error_message().
794 *
795 * @ingroup krb5
796 */
797
798 krb5_error_code KRB5_LIB_FUNCTION
799 krb5_get_default_in_tkt_etypes(krb5_context context,
800 krb5_enctype **etypes)
801 {
802 krb5_enctype *p;
803 int i;
804 krb5_error_code ret;
805
806 if(context->etypes) {
807 for(i = 0; context->etypes[i]; i++);
808 ++i;
809 ALLOC(p, i);
810 if(!p) {
811 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
812 return ENOMEM;
813 }
814 memmove(p, context->etypes, i * sizeof(krb5_enctype));
815 } else {
816 ret = default_etypes(context, &p);
817 if (ret)
818 return ret;
819 }
820 *etypes = p;
821 return 0;
822 }
823
824 /**
825 * Init the built-in ets in the Kerberos library.
826 *
827 * @param context kerberos context to add the ets too
828 *
829 * @ingroup krb5
830 */
831
832 void KRB5_LIB_FUNCTION
833 krb5_init_ets(krb5_context context)
834 {
835 if(context->et_list == NULL){
836 krb5_add_et_list(context, initialize_krb5_error_table_r);
837 krb5_add_et_list(context, initialize_asn1_error_table_r);
838 krb5_add_et_list(context, initialize_heim_error_table_r);
839
840 krb5_add_et_list(context, initialize_k524_error_table_r);
841
842 #ifdef COM_ERR_BINDDOMAIN_krb5
843 bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
844 bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
845 bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
846 bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
847 #endif
848
849 #ifdef PKINIT
850 krb5_add_et_list(context, initialize_hx_error_table_r);
851 #ifdef COM_ERR_BINDDOMAIN_hx
852 bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
853 #endif
854 #endif
855 }
856 }
857
858 /**
859 * Make the kerberos library default to the admin KDC.
860 *
861 * @param context Kerberos 5 context.
862 * @param flag boolean flag to select if the use the admin KDC or not.
863 *
864 * @ingroup krb5
865 */
866
867 void KRB5_LIB_FUNCTION
868 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
869 {
870 context->use_admin_kdc = flag;
871 }
872
873 /**
874 * Make the kerberos library default to the admin KDC.
875 *
876 * @param context Kerberos 5 context.
877 *
878 * @return boolean flag to telling the context will use admin KDC as the default KDC.
879 *
880 * @ingroup krb5
881 */
882
883 krb5_boolean KRB5_LIB_FUNCTION
884 krb5_get_use_admin_kdc (krb5_context context)
885 {
886 return context->use_admin_kdc;
887 }
888
889 /**
890 * Add extra address to the address list that the library will add to
891 * the client's address list when communicating with the KDC.
892 *
893 * @param context Kerberos 5 context.
894 * @param addresses addreses to add
895 *
896 * @return Returns 0 to indicate success. Otherwise an kerberos et
897 * error code is returned, see krb5_get_error_message().
898 *
899 * @ingroup krb5
900 */
901
902 krb5_error_code KRB5_LIB_FUNCTION
903 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
904 {
905
906 if(context->extra_addresses)
907 return krb5_append_addresses(context,
908 context->extra_addresses, addresses);
909 else
910 return krb5_set_extra_addresses(context, addresses);
911 }
912
913 /**
914 * Set extra address to the address list that the library will add to
915 * the client's address list when communicating with the KDC.
916 *
917 * @param context Kerberos 5 context.
918 * @param addresses addreses to set
919 *
920 * @return Returns 0 to indicate success. Otherwise an kerberos et
921 * error code is returned, see krb5_get_error_message().
922 *
923 * @ingroup krb5
924 */
925
926 krb5_error_code KRB5_LIB_FUNCTION
927 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
928 {
929 if(context->extra_addresses)
930 krb5_free_addresses(context, context->extra_addresses);
931
932 if(addresses == NULL) {
933 if(context->extra_addresses != NULL) {
934 free(context->extra_addresses);
935 context->extra_addresses = NULL;
936 }
937 return 0;
938 }
939 if(context->extra_addresses == NULL) {
940 context->extra_addresses = malloc(sizeof(*context->extra_addresses));
941 if(context->extra_addresses == NULL) {
942 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
943 return ENOMEM;
944 }
945 }
946 return krb5_copy_addresses(context, addresses, context->extra_addresses);
947 }
948
949 /**
950 * Get extra address to the address list that the library will add to
951 * the client's address list when communicating with the KDC.
952 *
953 * @param context Kerberos 5 context.
954 * @param addresses addreses to set
955 *
956 * @return Returns 0 to indicate success. Otherwise an kerberos et
957 * error code is returned, see krb5_get_error_message().
958 *
959 * @ingroup krb5
960 */
961
962 krb5_error_code KRB5_LIB_FUNCTION
963 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
964 {
965 if(context->extra_addresses == NULL) {
966 memset(addresses, 0, sizeof(*addresses));
967 return 0;
968 }
969 return krb5_copy_addresses(context,context->extra_addresses, addresses);
970 }
971
972 /**
973 * Add extra addresses to ignore when fetching addresses from the
974 * underlaying operating system.
975 *
976 * @param context Kerberos 5 context.
977 * @param addresses addreses to ignore
978 *
979 * @return Returns 0 to indicate success. Otherwise an kerberos et
980 * error code is returned, see krb5_get_error_message().
981 *
982 * @ingroup krb5
983 */
984
985 krb5_error_code KRB5_LIB_FUNCTION
986 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
987 {
988
989 if(context->ignore_addresses)
990 return krb5_append_addresses(context,
991 context->ignore_addresses, addresses);
992 else
993 return krb5_set_ignore_addresses(context, addresses);
994 }
995
996 /**
997 * Set extra addresses to ignore when fetching addresses from the
998 * underlaying operating system.
999 *
1000 * @param context Kerberos 5 context.
1001 * @param addresses addreses to ignore
1002 *
1003 * @return Returns 0 to indicate success. Otherwise an kerberos et
1004 * error code is returned, see krb5_get_error_message().
1005 *
1006 * @ingroup krb5
1007 */
1008
1009 krb5_error_code KRB5_LIB_FUNCTION
1010 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
1011 {
1012 if(context->ignore_addresses)
1013 krb5_free_addresses(context, context->ignore_addresses);
1014 if(addresses == NULL) {
1015 if(context->ignore_addresses != NULL) {
1016 free(context->ignore_addresses);
1017 context->ignore_addresses = NULL;
1018 }
1019 return 0;
1020 }
1021 if(context->ignore_addresses == NULL) {
1022 context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
1023 if(context->ignore_addresses == NULL) {
1024 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
1025 return ENOMEM;
1026 }
1027 }
1028 return krb5_copy_addresses(context, addresses, context->ignore_addresses);
1029 }
1030
1031 /**
1032 * Get extra addresses to ignore when fetching addresses from the
1033 * underlaying operating system.
1034 *
1035 * @param context Kerberos 5 context.
1036 * @param addresses list addreses ignored
1037 *
1038 * @return Returns 0 to indicate success. Otherwise an kerberos et
1039 * error code is returned, see krb5_get_error_message().
1040 *
1041 * @ingroup krb5
1042 */
1043
1044 krb5_error_code KRB5_LIB_FUNCTION
1045 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1046 {
1047 if(context->ignore_addresses == NULL) {
1048 memset(addresses, 0, sizeof(*addresses));
1049 return 0;
1050 }
1051 return krb5_copy_addresses(context, context->ignore_addresses, addresses);
1052 }
1053
1054 /**
1055 * Set version of fcache that the library should use.
1056 *
1057 * @param context Kerberos 5 context.
1058 * @param version version number.
1059 *
1060 * @return Returns 0 to indicate success. Otherwise an kerberos et
1061 * error code is returned, see krb5_get_error_message().
1062 *
1063 * @ingroup krb5
1064 */
1065
1066 krb5_error_code KRB5_LIB_FUNCTION
1067 krb5_set_fcache_version(krb5_context context, int version)
1068 {
1069 context->fcache_vno = version;
1070 return 0;
1071 }
1072
1073 /**
1074 * Get version of fcache that the library should use.
1075 *
1076 * @param context Kerberos 5 context.
1077 * @param version version number.
1078 *
1079 * @return Returns 0 to indicate success. Otherwise an kerberos et
1080 * error code is returned, see krb5_get_error_message().
1081 *
1082 * @ingroup krb5
1083 */
1084
1085 krb5_error_code KRB5_LIB_FUNCTION
1086 krb5_get_fcache_version(krb5_context context, int *version)
1087 {
1088 *version = context->fcache_vno;
1089 return 0;
1090 }
1091
1092 /**
1093 * Runtime check if the Kerberos library was complied with thread support.
1094 *
1095 * @return TRUE if the library was compiled with thread support, FALSE if not.
1096 *
1097 * @ingroup krb5
1098 */
1099
1100
1101 krb5_boolean KRB5_LIB_FUNCTION
1102 krb5_is_thread_safe(void)
1103 {
1104 #ifdef ENABLE_PTHREAD_SUPPORT
1105 return TRUE;
1106 #else
1107 return FALSE;
1108 #endif
1109 }
1110
1111 /**
1112 * Set if the library should use DNS to canonicalize hostnames.
1113 *
1114 * @param context Kerberos 5 context.
1115 * @param flag if its dns canonicalizion is used or not.
1116 *
1117 * @ingroup krb5
1118 */
1119
1120 void KRB5_LIB_FUNCTION
1121 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
1122 {
1123 if (flag)
1124 context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1125 else
1126 context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1127 }
1128
1129 /**
1130 * Get if the library uses DNS to canonicalize hostnames.
1131 *
1132 * @param context Kerberos 5 context.
1133 *
1134 * @return return non zero if the library uses DNS to canonicalize hostnames.
1135 *
1136 * @ingroup krb5
1137 */
1138
1139 krb5_boolean KRB5_LIB_FUNCTION
1140 krb5_get_dns_canonicalize_hostname (krb5_context context)
1141 {
1142 return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
1143 }
1144
1145 /**
1146 * Get current offset in time to the KDC.
1147 *
1148 * @param context Kerberos 5 context.
1149 * @param sec seconds part of offset.
1150 * @param usec micro seconds part of offset.
1151 *
1152 * @return returns zero
1153 *
1154 * @ingroup krb5
1155 */
1156
1157 krb5_error_code KRB5_LIB_FUNCTION
1158 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
1159 {
1160 if (sec)
1161 *sec = context->kdc_sec_offset;
1162 if (usec)
1163 *usec = context->kdc_usec_offset;
1164 return 0;
1165 }
1166
1167 /**
1168 * Set current offset in time to the KDC.
1169 *
1170 * @param context Kerberos 5 context.
1171 * @param sec seconds part of offset.
1172 * @param usec micro seconds part of offset.
1173 *
1174 * @return returns zero
1175 *
1176 * @ingroup krb5
1177 */
1178
1179 krb5_error_code KRB5_LIB_FUNCTION
1180 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1181 {
1182 context->kdc_sec_offset = sec;
1183 if (usec >= 0)
1184 context->kdc_usec_offset = usec;
1185 return 0;
1186 }
1187
1188 /**
1189 * Get max time skew allowed.
1190 *
1191 * @param context Kerberos 5 context.
1192 *
1193 * @return timeskew in seconds.
1194 *
1195 * @ingroup krb5
1196 */
1197
1198 time_t KRB5_LIB_FUNCTION
1199 krb5_get_max_time_skew (krb5_context context)
1200 {
1201 return context->max_skew;
1202 }
1203
1204 /**
1205 * Set max time skew allowed.
1206 *
1207 * @param context Kerberos 5 context.
1208 * @param t timeskew in seconds.
1209 *
1210 * @ingroup krb5
1211 */
1212
1213 void KRB5_LIB_FUNCTION
1214 krb5_set_max_time_skew (krb5_context context, time_t t)
1215 {
1216 context->max_skew = t;
1217 }
1218
1219 /**
1220 * Init encryption types in len, val with etypes.
1221 *
1222 * @param context Kerberos 5 context.
1223 * @param len output length of val.
1224 * @param val output array of enctypes.
1225 * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1226
1227 * @return Returns 0 to indicate success. Otherwise an kerberos et
1228 * error code is returned, see krb5_get_error_message().
1229 *
1230 * @ingroup krb5
1231 */
1232
1233 krb5_error_code KRB5_LIB_FUNCTION
1234 krb5_init_etype (krb5_context context,
1235 unsigned *len,
1236 krb5_enctype **val,
1237 const krb5_enctype *etypes)
1238 {
1239 unsigned int i;
1240 krb5_error_code ret;
1241 krb5_enctype *tmp = NULL;
1242
1243 ret = 0;
1244 if (etypes == NULL) {
1245 ret = krb5_get_default_in_tkt_etypes(context, &tmp);
1246 if (ret)
1247 return ret;
1248 etypes = tmp;
1249 }
1250
1251 for (i = 0; etypes[i]; ++i)
1252 ;
1253 *len = i;
1254 *val = malloc(i * sizeof(**val));
1255 if (i != 0 && *val == NULL) {
1256 ret = ENOMEM;
1257 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1258 goto cleanup;
1259 }
1260 memmove (*val,
1261 etypes,
1262 i * sizeof(*tmp));
1263 cleanup:
1264 if (tmp != NULL)
1265 free (tmp);
1266 return ret;
1267 }
1268
1269 /*
1270 * Allow homedir accces
1271 */
1272
1273 static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
1274 static krb5_boolean allow_homedir = TRUE;
1275
1276 krb5_boolean
1277 _krb5_homedir_access(krb5_context context)
1278 {
1279 krb5_boolean allow;
1280
1281 /* is never allowed for root */
1282 if (geteuid() == 0)
1283 return FALSE;
1284
1285 if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
1286 return FALSE;
1287
1288 HEIMDAL_MUTEX_lock(&homedir_mutex);
1289 allow = allow_homedir;
1290 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1291 return allow;
1292 }
1293
1294 /**
1295 * Enable and disable home directory access on either the global state
1296 * or the krb5_context state. By calling krb5_set_home_dir_access()
1297 * with context set to NULL, the global state is configured otherwise
1298 * the state for the krb5_context is modified.
1299 *
1300 * For home directory access to be allowed, both the global state and
1301 * the krb5_context state have to be allowed.
1302 *
1303 * Administrator (root user), never uses the home directory.
1304 *
1305 * @param context a Kerberos 5 context or NULL
1306 * @param allow allow if TRUE home directory
1307 * @return the old value
1308 *
1309 */
1310
1311 krb5_boolean
1312 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
1313 {
1314 krb5_boolean old;
1315 if (context) {
1316 old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
1317 if (allow)
1318 context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
1319 else
1320 context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
1321 } else {
1322 HEIMDAL_MUTEX_lock(&homedir_mutex);
1323 old = allow_homedir;
1324 allow_homedir = allow;
1325 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1326 }
1327
1328 return old;
1329 }
Heimdal