search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libtommath: Fix possible integer overflow CVE-2023-36328
[heimdal.git] / lib / krb5 / context.c
blob0b9c967fb62add855c363de4b154ed1e1edc8cd7
1 /*
2 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #undef KRB5_DEPRECATED_FUNCTION
37 #define KRB5_DEPRECATED_FUNCTION(x)
38
39 #include "krb5_locl.h"
40 #include <assert.h>
41 #include <com_err.h>
42
43 static void _krb5_init_ets(krb5_context);
44
45 #define INIT_FIELD(C, T, E, D, F) \
46 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
47 "libdefaults", F, NULL)
48
49 #define INIT_FLAG(C, O, V, D, F) \
50 do { \
51 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
52 (C)->O |= V; \
53 } \
54 } while(0)
55
56 static krb5_error_code
57 copy_enctypes(krb5_context context,
58 const krb5_enctype *in,
59 krb5_enctype **out);
60
61 /*
62 * Set the list of etypes `ret_etypes' from the configuration variable
63 * `name'
64 */
65
66 static krb5_error_code
67 set_etypes (krb5_context context,
68 const char *name,
69 krb5_enctype **ret_enctypes)
70 {
71 char **etypes_str;
72 krb5_enctype *etypes = NULL;
73
74 etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
75 name, NULL);
76 if(etypes_str){
77 int i, j, k;
78 for(i = 0; etypes_str[i]; i++);
79 etypes = malloc((i+1) * sizeof(*etypes));
80 if (etypes == NULL) {
81 krb5_config_free_strings (etypes_str);
82 return krb5_enomem(context);
83 }
84 for(j = 0, k = 0; j < i; j++) {
85 krb5_enctype e;
86 if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
87 continue;
88 if (krb5_enctype_valid(context, e) != 0)
89 continue;
90 etypes[k++] = e;
91 }
92 etypes[k] = ETYPE_NULL;
93 krb5_config_free_strings(etypes_str);
94 }
95 *ret_enctypes = etypes;
96 return 0;
97 }
98
99 /*
100 * read variables from the configuration file and set in `context'
101 */
102
103 static krb5_error_code
104 init_context_from_config_file(krb5_context context)
105 {
106 krb5_error_code ret;
107 const char * tmp;
108 char **s;
109 krb5_enctype *tmptypes = NULL;
110
111 INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
112 INIT_FIELD(context, time, kdc_timeout, 30, "kdc_timeout");
113 INIT_FIELD(context, time, host_timeout, 3, "host_timeout");
114 INIT_FIELD(context, int, max_retries, 3, "max_retries");
115
116 INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
117
118 ret = krb5_config_get_bool_default(context, NULL, FALSE,
119 "libdefaults",
120 "allow_weak_crypto", NULL);
121 if (ret) {
122 krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
123 krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
124 krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
125 krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
126 krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
127 krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
128 }
129
130 ret = set_etypes (context, "default_etypes", &tmptypes);
131 if(ret)
132 return ret;
133 free(context->etypes);
134 context->etypes = tmptypes;
135
136 /* The etypes member may change during the lifetime
137 * of the context. To be able to reset it to
138 * config value, we keep another copy.
139 */
140 free(context->cfg_etypes);
141 context->cfg_etypes = NULL;
142 if (tmptypes) {
143 ret = copy_enctypes(context, tmptypes, &context->cfg_etypes);
144 if (ret)
145 return ret;
146 }
147
148 ret = set_etypes (context, "default_etypes_des", &tmptypes);
149 if(ret)
150 return ret;
151 free(context->etypes_des);
152 context->etypes_des = tmptypes;
153
154 ret = set_etypes (context, "default_as_etypes", &tmptypes);
155 if(ret)
156 return ret;
157 free(context->as_etypes);
158 context->as_etypes = tmptypes;
159
160 ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
161 if(ret)
162 return ret;
163 free(context->tgs_etypes);
164 context->tgs_etypes = tmptypes;
165
166 ret = set_etypes (context, "permitted_enctypes", &tmptypes);
167 if(ret)
168 return ret;
169 free(context->permitted_enctypes);
170 context->permitted_enctypes = tmptypes;
171
172 INIT_FIELD(context, string, default_keytab,
173 KEYTAB_DEFAULT, "default_keytab_name");
174
175 INIT_FIELD(context, string, default_keytab_modify,
176 NULL, "default_keytab_modify_name");
177
178 INIT_FIELD(context, string, time_fmt,
179 "%Y-%m-%dT%H:%M:%S", "time_format");
180
181 INIT_FIELD(context, string, date_fmt,
182 "%Y-%m-%d", "date_format");
183
184 INIT_FIELD(context, bool, log_utc,
185 FALSE, "log_utc");
186
187 context->no_ticket_store =
188 getenv("KRB5_NO_TICKET_STORE") != NULL;
189
190 /* init dns-proxy slime */
191 tmp = krb5_config_get_string(context, NULL, "libdefaults",
192 "dns_proxy", NULL);
193 if(tmp)
194 roken_gethostby_setup(context->http_proxy, tmp);
195 krb5_free_host_realm (context, context->default_realms);
196 context->default_realms = NULL;
197
198 {
199 krb5_addresses addresses;
200 char **adr, **a;
201
202 krb5_set_extra_addresses(context, NULL);
203 adr = krb5_config_get_strings(context, NULL,
204 "libdefaults",
205 "extra_addresses",
206 NULL);
207 memset(&addresses, 0, sizeof(addresses));
208 for(a = adr; a && *a; a++) {
209 ret = krb5_parse_address(context, *a, &addresses);
210 if (ret == 0) {
211 krb5_add_extra_addresses(context, &addresses);
212 krb5_free_addresses(context, &addresses);
213 }
214 }
215 krb5_config_free_strings(adr);
216
217 krb5_set_ignore_addresses(context, NULL);
218 adr = krb5_config_get_strings(context, NULL,
219 "libdefaults",
220 "ignore_addresses",
221 NULL);
222 memset(&addresses, 0, sizeof(addresses));
223 for(a = adr; a && *a; a++) {
224 ret = krb5_parse_address(context, *a, &addresses);
225 if (ret == 0) {
226 krb5_add_ignore_addresses(context, &addresses);
227 krb5_free_addresses(context, &addresses);
228 }
229 }
230 krb5_config_free_strings(adr);
231 }
232
233 INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
234 INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
235 /* prefer dns_lookup_kdc over srv_lookup. */
236 INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
237 INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
238 INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
239 INIT_FIELD(context, int, max_msg_size, 1000 * 1024, "maximum_message_size");
240 INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
241 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
242 INIT_FLAG(context, flags, KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE, FALSE, "enforce_ok_as_delegate");
243 INIT_FLAG(context, flags, KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME, FALSE, "report_canonical_client_name");
244
245 /* report_canonical_client_name implies check_pac */
246 if (context->flags & KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME)
247 context->flags |= KRB5_CTX_F_CHECK_PAC;
248
249 free(context->default_cc_name);
250 context->default_cc_name = NULL;
251 context->default_cc_name_set = 0;
252 free(context->configured_default_cc_name);
253 context->configured_default_cc_name = NULL;
254
255 tmp = secure_getenv("KRB5_TRACE");
256 if (tmp)
257 heim_add_debug_dest(context->hcontext, "libkrb5", tmp);
258 s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
259 if (s) {
260 char **p;
261
262 for (p = s; *p; p++)
263 heim_add_debug_dest(context->hcontext, "libkrb5", *p);
264 krb5_config_free_strings(s);
265 }
266
267 tmp = krb5_config_get_string(context, NULL, "libdefaults",
268 "check-rd-req-server", NULL);
269 if (tmp == NULL)
270 tmp = secure_getenv("KRB5_CHECK_RD_REQ_SERVER");
271 if(tmp) {
272 if (strcasecmp(tmp, "ignore") == 0)
273 context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
274 }
275 ret = krb5_config_get_bool_default(context, NULL, TRUE,
276 "libdefaults",
277 "fcache_strict_checking", NULL);
278 if (ret)
279 context->flags |= KRB5_CTX_F_FCACHE_STRICT_CHECKING;
280
281 return 0;
282 }
283
284 static krb5_error_code
285 cc_ops_register(krb5_context context)
286 {
287 krb5_error_code ret;
288
289 context->cc_ops = NULL;
290 context->num_cc_ops = 0;
291
292 #ifndef KCM_IS_API_CACHE
293 ret = krb5_cc_register(context, &krb5_acc_ops, TRUE);
294 if (ret)
295 return ret;
296 #endif
297 ret = krb5_cc_register(context, &krb5_fcc_ops, TRUE);
298 if (ret)
299 return ret;
300 ret = krb5_cc_register(context, &krb5_dcc_ops, TRUE);
301 if (ret)
302 return ret;
303 ret = krb5_cc_register(context, &krb5_mcc_ops, TRUE);
304 if (ret)
305 return ret;
306 #ifdef HAVE_SCC
307 ret = krb5_cc_register(context, &krb5_scc_ops, TRUE);
308 if (ret)
309 return ret;
310 #endif
311 #ifdef HAVE_KCM
312 #ifdef KCM_IS_API_CACHE
313 ret = krb5_cc_register(context, &krb5_akcm_ops, TRUE);
314 if (ret)
315 return ret;
316 #endif
317 ret = krb5_cc_register(context, &krb5_kcm_ops, TRUE);
318 if (ret)
319 return ret;
320 #endif
321 #if defined(HAVE_KEYUTILS_H)
322 ret = krb5_cc_register(context, &krb5_krcc_ops, TRUE);
323 if (ret)
324 return ret;
325 #endif
326 ret = _krb5_load_ccache_plugins(context);
327 return ret;
328 }
329
330 static krb5_error_code
331 cc_ops_copy(krb5_context context, const krb5_context src_context)
332 {
333 const krb5_cc_ops **cc_ops;
334
335 context->cc_ops = NULL;
336 context->num_cc_ops = 0;
337
338 if (src_context->num_cc_ops == 0)
339 return 0;
340
341 cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
342 if (cc_ops == NULL) {
343 krb5_set_error_message(context, KRB5_CC_NOMEM,
344 N_("malloc: out of memory", ""));
345 return KRB5_CC_NOMEM;
346 }
347
348 memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
349 sizeof(cc_ops[0]) * src_context->num_cc_ops);
350 context->cc_ops = cc_ops;
351 context->num_cc_ops = src_context->num_cc_ops;
352
353 return 0;
354 }
355
356 static krb5_error_code
357 kt_ops_register(krb5_context context)
358 {
359 krb5_error_code ret;
360
361 context->num_kt_types = 0;
362 context->kt_types = NULL;
363
364 ret = krb5_kt_register (context, &krb5_fkt_ops);
365 if (ret)
366 return ret;
367 ret = krb5_kt_register (context, &krb5_wrfkt_ops);
368 if (ret)
369 return ret;
370 ret = krb5_kt_register (context, &krb5_javakt_ops);
371 if (ret)
372 return ret;
373 ret = krb5_kt_register (context, &krb5_mkt_ops);
374 if (ret)
375 return ret;
376 #ifndef HEIMDAL_SMALLER
377 ret = krb5_kt_register (context, &krb5_akf_ops);
378 if (ret)
379 return ret;
380 #endif
381 ret = krb5_kt_register (context, &krb5_any_ops);
382 return ret;
383 }
384
385 static krb5_error_code
386 kt_ops_copy(krb5_context context, const krb5_context src_context)
387 {
388 context->num_kt_types = 0;
389 context->kt_types = NULL;
390
391 if (src_context->num_kt_types == 0)
392 return 0;
393
394 context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
395 if (context->kt_types == NULL)
396 return krb5_enomem(context);
397
398 context->num_kt_types = src_context->num_kt_types;
399 memcpy(context->kt_types, src_context->kt_types,
400 sizeof(context->kt_types[0]) * src_context->num_kt_types);
401
402 return 0;
403 }
404
405 static const char *const sysplugin_dirs[] = {
406 #ifdef _WIN32
407 "$ORIGIN",
408 #else
409 "$ORIGIN/../lib/plugin/krb5",
410 #endif
411 #ifdef __APPLE__
412 LIBDIR "/plugin/krb5",
413 #ifdef HEIM_PLUGINS_SEARCH_SYSTEM
414 "/Library/KerberosPlugins/KerberosFrameworkPlugins",
415 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
416 #endif
417 #endif
418 NULL
419 };
420
421 static void
422 init_context_once(void *ctx)
423 {
424 krb5_context context = ctx;
425 char **dirs;
426
427 #ifdef _WIN32
428 dirs = rk_UNCONST(sysplugin_dirs);
429 #else
430 dirs = krb5_config_get_strings(context, NULL, "libdefaults",
431 "plugin_dir", NULL);
432 if (dirs == NULL)
433 dirs = rk_UNCONST(sysplugin_dirs);
434 #endif
435
436 _krb5_load_plugins(context, "krb5", (const char **)dirs);
437
438 if (dirs != rk_UNCONST(sysplugin_dirs))
439 krb5_config_free_strings(dirs);
440
441 bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
442 }
443
444 /**
445 * Initializes the context structure and reads the configuration file
446 * /etc/krb5.conf. The structure should be freed by calling
447 * krb5_free_context() when it is no longer being used.
448 *
449 * @param context pointer to returned context
450 *
451 * @return Returns 0 to indicate success. Otherwise an errno code is
452 * returned. Failure means either that something bad happened during
453 * initialization (typically ENOMEM) or that Kerberos should not be
454 * used ENXIO. If the function returns HEIM_ERR_RANDOM_OFFLINE, the
455 * random source is not available and later Kerberos calls might fail.
456 *
457 * @ingroup krb5
458 */
459
460 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
461 krb5_init_context(krb5_context *context)
462 {
463 static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
464 krb5_context p;
465 krb5_error_code ret;
466 char **files;
467 uint8_t rnd;
468
469 *context = NULL;
470
471 /**
472 * krb5_init_context() will get one random byte to make sure our
473 * random is alive. Assumption is that once the non blocking
474 * source allows us to pull bytes, its all seeded and allows us to
475 * pull more bytes.
476 *
477 * Most Kerberos users calls krb5_init_context(), so this is
478 * useful point where we can do the checking.
479 */
480 ret = krb5_generate_random(&rnd, sizeof(rnd));
481 if (ret)
482 return ret;
483
484 p = calloc(1, sizeof(*p));
485 if(!p)
486 return ENOMEM;
487
488 if ((p->hcontext = heim_context_init()) == NULL) {
489 ret = ENOMEM;
490 goto out;
491 }
492
493 if (!issuid())
494 p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
495
496 ret = krb5_get_default_config_files(&files);
497 if(ret)
498 goto out;
499 ret = krb5_set_config_files(p, files);
500 krb5_free_config_files(files);
501 if(ret)
502 goto out;
503
504 /* done enough to load plugins */
505 heim_base_once_f(&init_context, p, init_context_once);
506
507 /* init error tables */
508 _krb5_init_ets(p);
509 ret = cc_ops_register(p);
510 if (ret)
511 goto out;
512 ret = kt_ops_register(p);
513 if (ret)
514 goto out;
515
516 #ifdef PKINIT
517 ret = hx509_context_init(&p->hx509ctx);
518 if (ret)
519 goto out;
520 #endif
521 if (rk_SOCK_INIT())
522 p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
523
524 out:
525 if (ret) {
526 krb5_free_context(p);
527 p = NULL;
528 } else {
529 heim_context_set_log_utc(p->hcontext, p->log_utc);
530 }
531 *context = p;
532 return ret;
533 }
534
535 #ifndef HEIMDAL_SMALLER
536
537 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
538 krb5_get_permitted_enctypes(krb5_context context,
539 krb5_enctype **etypes)
540 {
541 return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
542 }
543
544 /*
545 *
546 */
547
548 static krb5_error_code
549 copy_etypes (krb5_context context,
550 krb5_enctype *enctypes,
551 krb5_enctype **ret_enctypes)
552 {
553 unsigned int i;
554
555 for (i = 0; enctypes[i]; i++)
556 ;
557 i++;
558
559 *ret_enctypes = malloc(sizeof(enctypes[0]) * i);
560 if (*ret_enctypes == NULL)
561 return krb5_enomem(context);
562 memcpy(*ret_enctypes, enctypes, sizeof(enctypes[0]) * i);
563 return 0;
564 }
565
566 /**
567 * Make a copy for the Kerberos 5 context, the new krb5_context shoud
568 * be freed with krb5_free_context().
569 *
570 * @param context the Kerberos context to copy
571 * @param out the copy of the Kerberos, set to NULL error.
572 *
573 * @return Returns 0 to indicate success. Otherwise an kerberos et
574 * error code is returned, see krb5_get_error_message().
575 *
576 * @ingroup krb5
577 */
578
579 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
580 krb5_copy_context(krb5_context context, krb5_context *out)
581 {
582 krb5_error_code ret = 0;
583 krb5_context p;
584
585 *out = NULL;
586
587 p = calloc(1, sizeof(*p));
588 if (p == NULL)
589 return krb5_enomem(context);
590
591 p->cc_ops = NULL;
592 p->etypes = NULL;
593 p->kt_types = NULL;
594 p->cfg_etypes = NULL;
595 p->etypes_des = NULL;
596 p->default_realms = NULL;
597 p->extra_addresses = NULL;
598 p->ignore_addresses = NULL;
599
600 if ((p->hcontext = heim_context_init()) == NULL)
601 ret = ENOMEM;
602
603 if (ret == 0) {
604 heim_context_set_log_utc(p->hcontext, context->log_utc);
605 ret = _krb5_config_copy(context, context->cf, &p->cf);
606 }
607 if (ret == 0)
608 ret = init_context_from_config_file(p);
609 if (ret == 0 && context->default_cc_name) {
610 free(p->default_cc_name);
611 if ((p->default_cc_name = strdup(context->default_cc_name)) == NULL)
612 ret = ENOMEM;
613 }
614 if (ret == 0 && context->default_cc_name_env) {
615 free(p->default_cc_name_env);
616 if ((p->default_cc_name_env =
617 strdup(context->default_cc_name_env)) == NULL)
618 ret = ENOMEM;
619 }
620 if (ret == 0 && context->configured_default_cc_name) {
621 free(p->configured_default_cc_name);
622 if ((p->configured_default_cc_name =
623 strdup(context->configured_default_cc_name)) == NULL)
624 ret = ENOMEM;
625 }
626
627 if (ret == 0 && context->etypes) {
628 free(p->etypes);
629 ret = copy_etypes(context, context->etypes, &p->etypes);
630 }
631 if (ret == 0 && context->cfg_etypes) {
632 free(p->cfg_etypes);
633 ret = copy_etypes(context, context->cfg_etypes, &p->cfg_etypes);
634 }
635 if (ret == 0 && context->etypes_des) {
636 free(p->etypes_des);
637 ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
638 }
639
640 if (ret == 0 && context->default_realms) {
641 krb5_free_host_realm(context, p->default_realms);
642 ret = krb5_copy_host_realm(context,
643 context->default_realms, &p->default_realms);
644 }
645
646 /* XXX should copy */
647 if (ret == 0)
648 _krb5_init_ets(p);
649
650 if (ret == 0)
651 ret = cc_ops_copy(p, context);
652 if (ret == 0)
653 ret = kt_ops_copy(p, context);
654 if (ret == 0)
655 ret = krb5_set_extra_addresses(p, context->extra_addresses);
656 if (ret == 0)
657 ret = krb5_set_extra_addresses(p, context->ignore_addresses);
658 if (ret == 0)
659 ret = _krb5_copy_send_to_kdc_func(p, context);
660
661 if (ret == 0)
662 *out = p;
663 else
664 krb5_free_context(p);
665 return ret;
666 }
667
668 #endif
669
670 /**
671 * Frees the krb5_context allocated by krb5_init_context().
672 *
673 * @param context context to be freed.
674 *
675 * @ingroup krb5
676 */
677
678 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
679 krb5_free_context(krb5_context context)
680 {
681 _krb5_free_name_canon_rules(context, context->name_canon_rules);
682 free(context->default_cc_name);
683 free(context->default_cc_name_env);
684 free(context->configured_default_cc_name);
685 free(context->etypes);
686 free(context->cfg_etypes);
687 free(context->etypes_des);
688 free(context->permitted_enctypes);
689 free(context->tgs_etypes);
690 free(context->as_etypes);
691 krb5_free_host_realm (context, context->default_realms);
692 krb5_config_file_free (context, context->cf);
693 free(rk_UNCONST(context->cc_ops));
694 free(context->kt_types);
695 krb5_clear_error_message(context);
696 krb5_set_extra_addresses(context, NULL);
697 krb5_set_ignore_addresses(context, NULL);
698 krb5_set_send_to_kdc_func(context, NULL, NULL);
699
700 #ifdef PKINIT
701 hx509_context_free(&context->hx509ctx);
702 #endif
703
704 if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
705 rk_SOCK_EXIT();
706 }
707
708 heim_context_free(&context->hcontext);
709 memset(context, 0, sizeof(*context));
710 free(context);
711 }
712
713 /**
714 * Reinit the context from a new set of filenames.
715 *
716 * @param context context to add configuration too.
717 * @param filenames array of filenames, end of list is indicated with a NULL filename.
718 *
719 * @return Returns 0 to indicate success. Otherwise an kerberos et
720 * error code is returned, see krb5_get_error_message().
721 *
722 * @ingroup krb5
723 */
724
725 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
726 krb5_set_config_files(krb5_context context, char **filenames)
727 {
728 krb5_error_code ret;
729 heim_config_binding *tmp = NULL;
730
731 if ((ret = heim_set_config_files(context->hcontext, filenames,
732 &tmp)))
733 return ret;
734 krb5_config_file_free(context, context->cf);
735 context->cf = (krb5_config_binding *)tmp;
736 return init_context_from_config_file(context);
737 }
738
739 #ifndef HEIMDAL_SMALLER
740 /**
741 * Reinit the context from configuration file contents in a C string.
742 * This should only be used in tests.
743 *
744 * @param context context to add configuration too.
745 * @param config configuration.
746 *
747 * @return Returns 0 to indicate success. Otherwise an kerberos et
748 * error code is returned, see krb5_get_error_message().
749 *
750 * @ingroup krb5
751 */
752
753 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
754 krb5_set_config(krb5_context context, const char *config)
755 {
756 krb5_error_code ret;
757 krb5_config_binding *tmp = NULL;
758
759 if ((ret = krb5_config_parse_string_multi(context, config, &tmp)))
760 return ret;
761 #if 0
762 /* with this enabled and if there are no config files, Kerberos is
763 considererd disabled */
764 if (tmp == NULL)
765 return ENXIO;
766 #endif
767
768 krb5_config_file_free(context, context->cf);
769 context->cf = tmp;
770 ret = init_context_from_config_file(context);
771 return ret;
772 }
773 #endif
774
775 /*
776 * `pq' isn't free, it's up the the caller
777 */
778
779 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
780 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
781 {
782 return heim_prepend_config_files(filelist, pq, ret_pp);
783 }
784
785 /**
786 * Prepend the filename to the global configuration list.
787 *
788 * @param filelist a filename to add to the default list of filename
789 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
790 *
791 * @return Returns 0 to indicate success. Otherwise an kerberos et
792 * error code is returned, see krb5_get_error_message().
793 *
794 * @ingroup krb5
795 */
796
797 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
798 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
799 {
800 return heim_prepend_config_files_default(filelist, krb5_config_file,
801 "KRB5_CONFIG", pfilenames);
802 }
803
804 /**
805 * Get the global configuration list.
806 *
807 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
808 *
809 * @return Returns 0 to indicate success. Otherwise an kerberos et
810 * error code is returned, see krb5_get_error_message().
811 *
812 * @ingroup krb5
813 */
814
815 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
816 krb5_get_default_config_files(char ***pfilenames)
817 {
818 if (pfilenames == NULL)
819 return EINVAL;
820 return heim_get_default_config_files(krb5_config_file, "KRB5_CONFIG",
821 pfilenames);
822 }
823
824 /**
825 * Free a list of configuration files.
826 *
827 * @param filenames list, terminated with a NULL pointer, to be
828 * freed. NULL is an valid argument.
829 *
830 * @return Returns 0 to indicate success. Otherwise an kerberos et
831 * error code is returned, see krb5_get_error_message().
832 *
833 * @ingroup krb5
834 */
835
836 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
837 krb5_free_config_files(char **filenames)
838 {
839 heim_free_config_files(filenames);
840 }
841
842 /**
843 * Returns the list of Kerberos encryption types sorted in order of
844 * most preferred to least preferred encryption type. Note that some
845 * encryption types might be disabled, so you need to check with
846 * krb5_enctype_valid() before using the encryption type.
847 *
848 * @return list of enctypes, terminated with ETYPE_NULL. Its a static
849 * array completed into the Kerberos library so the content doesn't
850 * need to be freed.
851 *
852 * @ingroup krb5
853 */
854
855 KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
856 krb5_kerberos_enctypes(krb5_context context)
857 {
858 static const krb5_enctype p[] = {
859 ETYPE_AES256_CTS_HMAC_SHA1_96,
860 ETYPE_AES128_CTS_HMAC_SHA1_96,
861 ETYPE_AES256_CTS_HMAC_SHA384_192,
862 ETYPE_AES128_CTS_HMAC_SHA256_128,
863 ETYPE_DES3_CBC_SHA1,
864 ETYPE_ARCFOUR_HMAC_MD5,
865 ETYPE_NULL
866 };
867
868 static const krb5_enctype weak[] = {
869 ETYPE_AES256_CTS_HMAC_SHA1_96,
870 ETYPE_AES128_CTS_HMAC_SHA1_96,
871 ETYPE_AES256_CTS_HMAC_SHA384_192,
872 ETYPE_AES128_CTS_HMAC_SHA256_128,
873 ETYPE_DES3_CBC_SHA1,
874 ETYPE_DES3_CBC_MD5,
875 ETYPE_ARCFOUR_HMAC_MD5,
876 ETYPE_DES_CBC_MD5,
877 ETYPE_DES_CBC_MD4,
878 ETYPE_DES_CBC_CRC,
879 ETYPE_NULL
880 };
881
882 /*
883 * if the list of enctypes enabled by "allow_weak_crypto"
884 * are valid, then return the former default enctype list
885 * that contained the weak entries.
886 */
887 if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC) == 0 &&
888 krb5_enctype_valid(context, ETYPE_DES_CBC_MD4) == 0 &&
889 krb5_enctype_valid(context, ETYPE_DES_CBC_MD5) == 0 &&
890 krb5_enctype_valid(context, ETYPE_DES_CBC_NONE) == 0 &&
891 krb5_enctype_valid(context, ETYPE_DES_CFB64_NONE) == 0 &&
892 krb5_enctype_valid(context, ETYPE_DES_PCBC_NONE) == 0)
893 return weak;
894
895 return p;
896 }
897
898 /*
899 *
900 */
901
902 static krb5_error_code
903 copy_enctypes(krb5_context context,
904 const krb5_enctype *in,
905 krb5_enctype **out)
906 {
907 krb5_enctype *p = NULL;
908 size_t m, n;
909
910 for (n = 0; in[n]; n++)
911 ;
912 n++;
913 ALLOC(p, n);
914 if(p == NULL)
915 return krb5_enomem(context);
916 for (n = 0, m = 0; in[n]; n++) {
917 if (krb5_enctype_valid(context, in[n]) != 0)
918 continue;
919 p[m++] = in[n];
920 }
921 p[m] = KRB5_ENCTYPE_NULL;
922 if (m == 0) {
923 free(p);
924 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
925 N_("no valid enctype set", ""));
926 return KRB5_PROG_ETYPE_NOSUPP;
927 }
928 *out = p;
929 return 0;
930 }
931
932
933 /*
934 * set `etype' to a malloced list of the default enctypes
935 */
936
937 static krb5_error_code
938 default_etypes(krb5_context context, krb5_enctype **etype)
939 {
940 const krb5_enctype *p = krb5_kerberos_enctypes(context);
941 return copy_enctypes(context, p, etype);
942 }
943
944 /**
945 * Set the default encryption types that will be use in communcation
946 * with the KDC, clients and servers.
947 *
948 * @param context Kerberos 5 context.
949 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
950 * A value of NULL resets the encryption types to the defaults set in the
951 * configuration file.
952 *
953 * @return Returns 0 to indicate success. Otherwise an kerberos et
954 * error code is returned, see krb5_get_error_message().
955 *
956 * @ingroup krb5
957 */
958
959 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
960 krb5_set_default_in_tkt_etypes(krb5_context context,
961 const krb5_enctype *etypes)
962 {
963 krb5_error_code ret;
964 krb5_enctype *p = NULL;
965
966 if(!etypes) {
967 etypes = context->cfg_etypes;
968 }
969
970 if(etypes) {
971 ret = copy_enctypes(context, etypes, &p);
972 if (ret)
973 return ret;
974 }
975 if(context->etypes)
976 free(context->etypes);
977 context->etypes = p;
978 return 0;
979 }
980
981 /**
982 * Get the default encryption types that will be use in communcation
983 * with the KDC, clients and servers.
984 *
985 * @param context Kerberos 5 context.
986 * @param pdu_type request type (AS, TGS or none)
987 * @param etypes Encryption types, array terminated with
988 * ETYPE_NULL(0), caller should free array with krb5_xfree():
989 *
990 * @return Returns 0 to indicate success. Otherwise an kerberos et
991 * error code is returned, see krb5_get_error_message().
992 *
993 * @ingroup krb5
994 */
995
996 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
997 krb5_get_default_in_tkt_etypes(krb5_context context,
998 krb5_pdu pdu_type,
999 krb5_enctype **etypes)
1000 {
1001 krb5_enctype *enctypes = NULL;
1002 krb5_error_code ret;
1003 krb5_enctype *p;
1004
1005 heim_assert(pdu_type == KRB5_PDU_AS_REQUEST ||
1006 pdu_type == KRB5_PDU_TGS_REQUEST ||
1007 pdu_type == KRB5_PDU_NONE, "unexpected pdu type");
1008
1009 if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
1010 enctypes = context->as_etypes;
1011 else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
1012 enctypes = context->tgs_etypes;
1013 else if (context->etypes != NULL)
1014 enctypes = context->etypes;
1015
1016 if (enctypes != NULL) {
1017 ret = copy_enctypes(context, enctypes, &p);
1018 if (ret)
1019 return ret;
1020 } else {
1021 ret = default_etypes(context, &p);
1022 if (ret)
1023 return ret;
1024 }
1025 *etypes = p;
1026 return 0;
1027 }
1028
1029 /**
1030 * Init the built-in ets in the Kerberos library.
1031 *
1032 * @param context kerberos context to add the ets too
1033 *
1034 * @ingroup krb5
1035 */
1036
1037 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1038 krb5_init_ets(krb5_context context)
1039 {
1040 }
1041
1042 static void
1043 _krb5_init_ets(krb5_context context)
1044 {
1045 heim_add_et_list(context->hcontext, initialize_krb5_error_table_r);
1046 heim_add_et_list(context->hcontext, initialize_asn1_error_table_r);
1047 heim_add_et_list(context->hcontext, initialize_heim_error_table_r);
1048
1049 heim_add_et_list(context->hcontext, initialize_k524_error_table_r);
1050 heim_add_et_list(context->hcontext, initialize_k5e1_error_table_r);
1051
1052 #ifdef COM_ERR_BINDDOMAIN_krb5
1053 bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
1054 bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
1055 bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
1056 bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
1057 #endif
1058
1059 #ifdef PKINIT
1060 heim_add_et_list(context->hcontext, initialize_hx_error_table_r);
1061 #ifdef COM_ERR_BINDDOMAIN_hx
1062 bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
1063 #endif
1064 #endif
1065 }
1066
1067 /**
1068 * Make the kerberos library default to the admin KDC.
1069 *
1070 * @param context Kerberos 5 context.
1071 * @param flag boolean flag to select if the use the admin KDC or not.
1072 *
1073 * @ingroup krb5
1074 */
1075
1076 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1077 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
1078 {
1079 context->use_admin_kdc = flag;
1080 }
1081
1082 /**
1083 * Make the kerberos library default to the admin KDC.
1084 *
1085 * @param context Kerberos 5 context.
1086 *
1087 * @return boolean flag to telling the context will use admin KDC as the default KDC.
1088 *
1089 * @ingroup krb5
1090 */
1091
1092 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1093 krb5_get_use_admin_kdc (krb5_context context)
1094 {
1095 return context->use_admin_kdc;
1096 }
1097
1098 /**
1099 * Add extra address to the address list that the library will add to
1100 * the client's address list when communicating with the KDC.
1101 *
1102 * @param context Kerberos 5 context.
1103 * @param addresses addresses to add
1104 *
1105 * @return Returns 0 to indicate success. Otherwise an kerberos et
1106 * error code is returned, see krb5_get_error_message().
1107 *
1108 * @ingroup krb5
1109 */
1110
1111 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1112 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
1113 {
1114
1115 if(context->extra_addresses)
1116 return krb5_append_addresses(context,
1117 context->extra_addresses, addresses);
1118 else
1119 return krb5_set_extra_addresses(context, addresses);
1120 }
1121
1122 /**
1123 * Set extra address to the address list that the library will add to
1124 * the client's address list when communicating with the KDC.
1125 *
1126 * @param context Kerberos 5 context.
1127 * @param addresses addresses to set
1128 *
1129 * @return Returns 0 to indicate success. Otherwise an kerberos et
1130 * error code is returned, see krb5_get_error_message().
1131 *
1132 * @ingroup krb5
1133 */
1134
1135 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1136 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
1137 {
1138 if(context->extra_addresses)
1139 krb5_free_addresses(context, context->extra_addresses);
1140
1141 if(addresses == NULL) {
1142 if(context->extra_addresses != NULL) {
1143 free(context->extra_addresses);
1144 context->extra_addresses = NULL;
1145 }
1146 return 0;
1147 }
1148 if(context->extra_addresses == NULL) {
1149 context->extra_addresses = malloc(sizeof(*context->extra_addresses));
1150 if (context->extra_addresses == NULL)
1151 return krb5_enomem(context);
1152 }
1153 return krb5_copy_addresses(context, addresses, context->extra_addresses);
1154 }
1155
1156 /**
1157 * Get extra address to the address list that the library will add to
1158 * the client's address list when communicating with the KDC.
1159 *
1160 * @param context Kerberos 5 context.
1161 * @param addresses addresses to set
1162 *
1163 * @return Returns 0 to indicate success. Otherwise an kerberos et
1164 * error code is returned, see krb5_get_error_message().
1165 *
1166 * @ingroup krb5
1167 */
1168
1169 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1170 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
1171 {
1172 if(context->extra_addresses == NULL) {
1173 memset(addresses, 0, sizeof(*addresses));
1174 return 0;
1175 }
1176 return krb5_copy_addresses(context,context->extra_addresses, addresses);
1177 }
1178
1179 /**
1180 * Add extra addresses to ignore when fetching addresses from the
1181 * underlaying operating system.
1182 *
1183 * @param context Kerberos 5 context.
1184 * @param addresses addresses to ignore
1185 *
1186 * @return Returns 0 to indicate success. Otherwise an kerberos et
1187 * error code is returned, see krb5_get_error_message().
1188 *
1189 * @ingroup krb5
1190 */
1191
1192 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1193 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1194 {
1195
1196 if(context->ignore_addresses)
1197 return krb5_append_addresses(context,
1198 context->ignore_addresses, addresses);
1199 else
1200 return krb5_set_ignore_addresses(context, addresses);
1201 }
1202
1203 /**
1204 * Set extra addresses to ignore when fetching addresses from the
1205 * underlaying operating system.
1206 *
1207 * @param context Kerberos 5 context.
1208 * @param addresses addresses to ignore
1209 *
1210 * @return Returns 0 to indicate success. Otherwise an kerberos et
1211 * error code is returned, see krb5_get_error_message().
1212 *
1213 * @ingroup krb5
1214 */
1215
1216 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1217 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
1218 {
1219 if(context->ignore_addresses)
1220 krb5_free_addresses(context, context->ignore_addresses);
1221 if(addresses == NULL) {
1222 if(context->ignore_addresses != NULL) {
1223 free(context->ignore_addresses);
1224 context->ignore_addresses = NULL;
1225 }
1226 return 0;
1227 }
1228 if(context->ignore_addresses == NULL) {
1229 context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
1230 if (context->ignore_addresses == NULL)
1231 return krb5_enomem(context);
1232 }
1233 return krb5_copy_addresses(context, addresses, context->ignore_addresses);
1234 }
1235
1236 /**
1237 * Get extra addresses to ignore when fetching addresses from the
1238 * underlaying operating system.
1239 *
1240 * @param context Kerberos 5 context.
1241 * @param addresses list addresses ignored
1242 *
1243 * @return Returns 0 to indicate success. Otherwise an kerberos et
1244 * error code is returned, see krb5_get_error_message().
1245 *
1246 * @ingroup krb5
1247 */
1248
1249 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1250 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1251 {
1252 if(context->ignore_addresses == NULL) {
1253 memset(addresses, 0, sizeof(*addresses));
1254 return 0;
1255 }
1256 return krb5_copy_addresses(context, context->ignore_addresses, addresses);
1257 }
1258
1259 /**
1260 * Set version of fcache that the library should use.
1261 *
1262 * @param context Kerberos 5 context.
1263 * @param version version number.
1264 *
1265 * @return Returns 0 to indicate success. Otherwise an kerberos et
1266 * error code is returned, see krb5_get_error_message().
1267 *
1268 * @ingroup krb5
1269 */
1270
1271 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1272 krb5_set_fcache_version(krb5_context context, int version)
1273 {
1274 context->fcache_vno = version;
1275 return 0;
1276 }
1277
1278 /**
1279 * Get version of fcache that the library should use.
1280 *
1281 * @param context Kerberos 5 context.
1282 * @param version version number.
1283 *
1284 * @return Returns 0 to indicate success. Otherwise an kerberos et
1285 * error code is returned, see krb5_get_error_message().
1286 *
1287 * @ingroup krb5
1288 */
1289
1290 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1291 krb5_get_fcache_version(krb5_context context, int *version)
1292 {
1293 *version = context->fcache_vno;
1294 return 0;
1295 }
1296
1297 /**
1298 * Runtime check if the Kerberos library was complied with thread support.
1299 *
1300 * @return TRUE if the library was compiled with thread support, FALSE if not.
1301 *
1302 * @ingroup krb5
1303 */
1304
1305
1306 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1307 krb5_is_thread_safe(void)
1308 {
1309 #ifdef ENABLE_PTHREAD_SUPPORT
1310 return TRUE;
1311 #else
1312 return FALSE;
1313 #endif
1314 }
1315
1316 /**
1317 * Set if the library should use DNS to canonicalize hostnames.
1318 *
1319 * @param context Kerberos 5 context.
1320 * @param flag if its dns canonicalizion is used or not.
1321 *
1322 * @ingroup krb5
1323 */
1324
1325 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1326 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
1327 {
1328 if (flag)
1329 context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1330 else
1331 context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1332 }
1333
1334 /**
1335 * Get if the library uses DNS to canonicalize hostnames.
1336 *
1337 * @param context Kerberos 5 context.
1338 *
1339 * @return return non zero if the library uses DNS to canonicalize hostnames.
1340 *
1341 * @ingroup krb5
1342 */
1343
1344 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1345 krb5_get_dns_canonicalize_hostname (krb5_context context)
1346 {
1347 return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
1348 }
1349
1350 /**
1351 * Get current offset in time to the KDC.
1352 *
1353 * @param context Kerberos 5 context.
1354 * @param sec seconds part of offset.
1355 * @param usec micro seconds part of offset.
1356 *
1357 * @return returns zero
1358 *
1359 * @ingroup krb5
1360 */
1361
1362 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1363 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
1364 {
1365 if (sec)
1366 *sec = context->kdc_sec_offset;
1367 if (usec)
1368 *usec = context->kdc_usec_offset;
1369 return 0;
1370 }
1371
1372 /**
1373 * Set current offset in time to the KDC.
1374 *
1375 * @param context Kerberos 5 context.
1376 * @param sec seconds part of offset.
1377 * @param usec micro seconds part of offset.
1378 *
1379 * @return returns zero
1380 *
1381 * @ingroup krb5
1382 */
1383
1384 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1385 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1386 {
1387 context->kdc_sec_offset = sec;
1388 if (usec >= 0)
1389 context->kdc_usec_offset = usec;
1390 return 0;
1391 }
1392
1393 /**
1394 * Get max time skew allowed.
1395 *
1396 * @param context Kerberos 5 context.
1397 *
1398 * @return timeskew in seconds.
1399 *
1400 * @ingroup krb5
1401 */
1402
1403 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
1404 krb5_get_max_time_skew (krb5_context context)
1405 {
1406 return context->max_skew;
1407 }
1408
1409 /**
1410 * Set max time skew allowed.
1411 *
1412 * @param context Kerberos 5 context.
1413 * @param t timeskew in seconds.
1414 *
1415 * @ingroup krb5
1416 */
1417
1418 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1419 krb5_set_max_time_skew (krb5_context context, time_t t)
1420 {
1421 context->max_skew = t;
1422 }
1423
1424 /*
1425 * Init encryption types in len, val with etypes.
1426 *
1427 * @param context Kerberos 5 context.
1428 * @param pdu_type type of pdu
1429 * @param len output length of val.
1430 * @param val output array of enctypes.
1431 * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1432
1433 * @return Returns 0 to indicate success. Otherwise an kerberos et
1434 * error code is returned, see krb5_get_error_message().
1435 *
1436 * @ingroup krb5
1437 */
1438
1439 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1440 _krb5_init_etype(krb5_context context,
1441 krb5_pdu pdu_type,
1442 unsigned *len,
1443 krb5_enctype **val,
1444 const krb5_enctype *etypes)
1445 {
1446 krb5_error_code ret;
1447
1448 if (etypes == NULL)
1449 ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
1450 else
1451 ret = copy_enctypes(context, etypes, val);
1452 if (ret)
1453 return ret;
1454
1455 if (len) {
1456 *len = 0;
1457 while ((*val)[*len] != KRB5_ENCTYPE_NULL)
1458 (*len)++;
1459 }
1460 return 0;
1461 }
1462
1463 /*
1464 * Allow homedir access
1465 */
1466
1467 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1468 _krb5_homedir_access(krb5_context context)
1469 {
1470 if (context)
1471 return !!(context->flags & KRB5_CTX_F_HOMEDIR_ACCESS);
1472 return !issuid();
1473 }
1474
1475 /**
1476 * Enable and disable home directory access on either the global state
1477 * or the krb5_context state. By calling krb5_set_home_dir_access()
1478 * with context set to NULL, the global state is configured otherwise
1479 * the state for the krb5_context is modified.
1480 *
1481 * For home directory access to be allowed, both the global state and
1482 * the krb5_context state have to be allowed.
1483 *
1484 * @param context a Kerberos 5 context or NULL
1485 * @param allow allow if TRUE home directory
1486 * @return the old value
1487 *
1488 * @ingroup krb5
1489 */
1490
1491 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1492 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
1493 {
1494 krb5_boolean old = _krb5_homedir_access(context);
1495
1496 if (context) {
1497 if (allow)
1498 context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
1499 else
1500 context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
1501 heim_context_set_homedir_access(context->hcontext, allow ? 1 : 0);
1502 }
1503
1504 return old;
1505 }
1506
Heimdal