search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix racy file ccache corruption in cred_delete()
[heimdal.git] / lib / krb5 / context.c
blobf35adc3240b95d2af59bce38d52eddc694351a48
1 /*
2 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37 #include <assert.h>
38 #include <com_err.h>
39
40 #define INIT_FIELD(C, T, E, D, F) \
41 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
42 "libdefaults", F, NULL)
43
44 #define INIT_FLAG(C, O, V, D, F) \
45 do { \
46 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
47 (C)->O |= V; \
48 } \
49 } while(0)
50
51 /*
52 * Set the list of etypes `ret_etypes' from the configuration variable
53 * `name'
54 */
55
56 static krb5_error_code
57 set_etypes (krb5_context context,
58 const char *name,
59 krb5_enctype **ret_enctypes)
60 {
61 char **etypes_str;
62 krb5_enctype *etypes = NULL;
63
64 etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
65 name, NULL);
66 if(etypes_str){
67 int i, j, k;
68 for(i = 0; etypes_str[i]; i++);
69 etypes = malloc((i+1) * sizeof(*etypes));
70 if (etypes == NULL) {
71 krb5_config_free_strings (etypes_str);
72 return krb5_enomem(context);
73 }
74 for(j = 0, k = 0; j < i; j++) {
75 krb5_enctype e;
76 if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
77 continue;
78 if (krb5_enctype_valid(context, e) != 0)
79 continue;
80 etypes[k++] = e;
81 }
82 etypes[k] = ETYPE_NULL;
83 krb5_config_free_strings(etypes_str);
84 }
85 *ret_enctypes = etypes;
86 return 0;
87 }
88
89 /*
90 * read variables from the configuration file and set in `context'
91 */
92
93 static krb5_error_code
94 init_context_from_config_file(krb5_context context)
95 {
96 krb5_error_code ret;
97 const char * tmp;
98 char **s;
99 krb5_enctype *tmptypes;
100
101 INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
102 INIT_FIELD(context, time, kdc_timeout, 30, "kdc_timeout");
103 INIT_FIELD(context, time, host_timeout, 3, "host_timeout");
104 INIT_FIELD(context, int, max_retries, 3, "max_retries");
105
106 INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
107
108 ret = krb5_config_get_bool_default(context, NULL, FALSE,
109 "libdefaults",
110 "allow_weak_crypto", NULL);
111 if (ret) {
112 krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
113 krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
114 krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
115 krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
116 krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
117 krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
118 }
119
120 ret = set_etypes (context, "default_etypes", &tmptypes);
121 if(ret)
122 return ret;
123 free(context->etypes);
124 context->etypes = tmptypes;
125
126 ret = set_etypes (context, "default_etypes_des", &tmptypes);
127 if(ret)
128 return ret;
129 free(context->etypes_des);
130 context->etypes_des = tmptypes;
131
132 ret = set_etypes (context, "default_as_etypes", &tmptypes);
133 if(ret)
134 return ret;
135 free(context->as_etypes);
136 context->as_etypes = tmptypes;
137
138 ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
139 if(ret)
140 return ret;
141 free(context->tgs_etypes);
142 context->tgs_etypes = tmptypes;
143
144 ret = set_etypes (context, "permitted_enctypes", &tmptypes);
145 if(ret)
146 return ret;
147 free(context->permitted_enctypes);
148 context->permitted_enctypes = tmptypes;
149
150 /* default keytab name */
151 tmp = NULL;
152 if(!issuid())
153 tmp = getenv("KRB5_KTNAME");
154 if(tmp != NULL)
155 context->default_keytab = tmp;
156 else
157 INIT_FIELD(context, string, default_keytab,
158 KEYTAB_DEFAULT, "default_keytab_name");
159
160 INIT_FIELD(context, string, default_keytab_modify,
161 NULL, "default_keytab_modify_name");
162
163 INIT_FIELD(context, string, time_fmt,
164 "%Y-%m-%dT%H:%M:%S", "time_format");
165
166 INIT_FIELD(context, string, date_fmt,
167 "%Y-%m-%d", "date_format");
168
169 INIT_FIELD(context, bool, log_utc,
170 FALSE, "log_utc");
171
172
173
174 /* init dns-proxy slime */
175 tmp = krb5_config_get_string(context, NULL, "libdefaults",
176 "dns_proxy", NULL);
177 if(tmp)
178 roken_gethostby_setup(context->http_proxy, tmp);
179 krb5_free_host_realm (context, context->default_realms);
180 context->default_realms = NULL;
181
182 {
183 krb5_addresses addresses;
184 char **adr, **a;
185
186 krb5_set_extra_addresses(context, NULL);
187 adr = krb5_config_get_strings(context, NULL,
188 "libdefaults",
189 "extra_addresses",
190 NULL);
191 memset(&addresses, 0, sizeof(addresses));
192 for(a = adr; a && *a; a++) {
193 ret = krb5_parse_address(context, *a, &addresses);
194 if (ret == 0) {
195 krb5_add_extra_addresses(context, &addresses);
196 krb5_free_addresses(context, &addresses);
197 }
198 }
199 krb5_config_free_strings(adr);
200
201 krb5_set_ignore_addresses(context, NULL);
202 adr = krb5_config_get_strings(context, NULL,
203 "libdefaults",
204 "ignore_addresses",
205 NULL);
206 memset(&addresses, 0, sizeof(addresses));
207 for(a = adr; a && *a; a++) {
208 ret = krb5_parse_address(context, *a, &addresses);
209 if (ret == 0) {
210 krb5_add_ignore_addresses(context, &addresses);
211 krb5_free_addresses(context, &addresses);
212 }
213 }
214 krb5_config_free_strings(adr);
215 }
216
217 INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
218 INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
219 /* prefer dns_lookup_kdc over srv_lookup. */
220 INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
221 INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
222 INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
223 INIT_FIELD(context, int, max_msg_size, 1000 * 1024, "maximum_message_size");
224 INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
225 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
226
227 if (context->default_cc_name)
228 free(context->default_cc_name);
229 context->default_cc_name = NULL;
230 context->default_cc_name_set = 0;
231
232 s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
233 if(s) {
234 char **p;
235
236 if (context->debug_dest)
237 krb5_closelog(context, context->debug_dest);
238
239 krb5_initlog(context, "libkrb5", &context->debug_dest);
240 for(p = s; *p; p++)
241 krb5_addlog_dest(context, context->debug_dest, *p);
242 krb5_config_free_strings(s);
243 }
244
245 tmp = krb5_config_get_string(context, NULL, "libdefaults",
246 "check-rd-req-server", NULL);
247 if (tmp == NULL && !issuid())
248 tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
249 if(tmp) {
250 if (strcasecmp(tmp, "ignore") == 0)
251 context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
252 }
253 ret = krb5_config_get_bool_default(context, NULL, TRUE,
254 "libdefaults",
255 "fcache_strict_checking", NULL);
256 if (ret)
257 context->flags |= KRB5_CTX_F_FCACHE_STRICT_CHECKING;
258
259 return 0;
260 }
261
262 static krb5_error_code
263 cc_ops_register(krb5_context context)
264 {
265 context->cc_ops = NULL;
266 context->num_cc_ops = 0;
267
268 #ifndef KCM_IS_API_CACHE
269 krb5_cc_register(context, &krb5_acc_ops, TRUE);
270 #endif
271 krb5_cc_register(context, &krb5_fcc_ops, TRUE);
272 krb5_cc_register(context, &krb5_dcc_ops, TRUE);
273 krb5_cc_register(context, &krb5_mcc_ops, TRUE);
274 #ifdef HAVE_SCC
275 krb5_cc_register(context, &krb5_scc_ops, TRUE);
276 #endif
277 #ifdef HAVE_KCM
278 #ifdef KCM_IS_API_CACHE
279 krb5_cc_register(context, &krb5_akcm_ops, TRUE);
280 #endif
281 krb5_cc_register(context, &krb5_kcm_ops, TRUE);
282 #endif
283 _krb5_load_ccache_plugins(context);
284 return 0;
285 }
286
287 static krb5_error_code
288 cc_ops_copy(krb5_context context, const krb5_context src_context)
289 {
290 const krb5_cc_ops **cc_ops;
291
292 context->cc_ops = NULL;
293 context->num_cc_ops = 0;
294
295 if (src_context->num_cc_ops == 0)
296 return 0;
297
298 cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
299 if (cc_ops == NULL) {
300 krb5_set_error_message(context, KRB5_CC_NOMEM,
301 N_("malloc: out of memory", ""));
302 return KRB5_CC_NOMEM;
303 }
304
305 memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
306 sizeof(cc_ops[0]) * src_context->num_cc_ops);
307 context->cc_ops = cc_ops;
308 context->num_cc_ops = src_context->num_cc_ops;
309
310 return 0;
311 }
312
313 static krb5_error_code
314 kt_ops_register(krb5_context context)
315 {
316 context->num_kt_types = 0;
317 context->kt_types = NULL;
318
319 krb5_kt_register (context, &krb5_fkt_ops);
320 krb5_kt_register (context, &krb5_wrfkt_ops);
321 krb5_kt_register (context, &krb5_javakt_ops);
322 krb5_kt_register (context, &krb5_mkt_ops);
323 #ifndef HEIMDAL_SMALLER
324 krb5_kt_register (context, &krb5_akf_ops);
325 #endif
326 krb5_kt_register (context, &krb5_any_ops);
327 return 0;
328 }
329
330 static krb5_error_code
331 kt_ops_copy(krb5_context context, const krb5_context src_context)
332 {
333 context->num_kt_types = 0;
334 context->kt_types = NULL;
335
336 if (src_context->num_kt_types == 0)
337 return 0;
338
339 context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
340 if (context->kt_types == NULL)
341 return krb5_enomem(context);
342
343 context->num_kt_types = src_context->num_kt_types;
344 memcpy(context->kt_types, src_context->kt_types,
345 sizeof(context->kt_types[0]) * src_context->num_kt_types);
346
347 return 0;
348 }
349
350 static const char *sysplugin_dirs[] = {
351 #ifdef _WIN32
352 "$ORIGIN",
353 #else
354 "$ORIGIN/../lib/plugin/krb5",
355 #endif
356 #ifdef __APPLE__
357 LIBDIR "/plugin/krb5",
358 "/Library/KerberosPlugins/KerberosFrameworkPlugins",
359 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
360 #endif
361 NULL
362 };
363
364 static void
365 init_context_once(void *ctx)
366 {
367 krb5_context context = ctx;
368 char **dirs;
369
370 #ifdef _WIN32
371 dirs = rk_UNCONST(sysplugin_dirs);
372 #else
373 dirs = krb5_config_get_strings(context, NULL, "libdefaults",
374 "plugin_dir", NULL);
375 if (dirs == NULL)
376 dirs = rk_UNCONST(sysplugin_dirs);
377 #endif
378
379 _krb5_load_plugins(context, "krb5", (const char **)dirs);
380
381 if (dirs != rk_UNCONST(sysplugin_dirs))
382 krb5_config_free_strings(dirs);
383
384 bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
385 }
386
387
388 /**
389 * Initializes the context structure and reads the configuration file
390 * /etc/krb5.conf. The structure should be freed by calling
391 * krb5_free_context() when it is no longer being used.
392 *
393 * @param context pointer to returned context
394 *
395 * @return Returns 0 to indicate success. Otherwise an errno code is
396 * returned. Failure means either that something bad happened during
397 * initialization (typically ENOMEM) or that Kerberos should not be
398 * used ENXIO.
399 *
400 * @ingroup krb5
401 */
402
403 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
404 krb5_init_context(krb5_context *context)
405 {
406 static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
407 krb5_context p;
408 krb5_error_code ret;
409 char **files;
410
411 *context = NULL;
412
413 p = calloc(1, sizeof(*p));
414 if(!p)
415 return ENOMEM;
416
417 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
418 if (p->mutex == NULL) {
419 free(p);
420 return ENOMEM;
421 }
422 HEIMDAL_MUTEX_init(p->mutex);
423
424 p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
425
426 ret = krb5_get_default_config_files(&files);
427 if(ret)
428 goto out;
429 ret = krb5_set_config_files(p, files);
430 krb5_free_config_files(files);
431 if(ret)
432 goto out;
433
434 /* done enough to load plugins */
435 heim_base_once_f(&init_context, p, init_context_once);
436
437 /* init error tables */
438 krb5_init_ets(p);
439 cc_ops_register(p);
440 kt_ops_register(p);
441
442 #ifdef PKINIT
443 ret = hx509_context_init(&p->hx509ctx);
444 if (ret)
445 goto out;
446 #endif
447 if (rk_SOCK_INIT())
448 p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
449
450 out:
451 if(ret) {
452 krb5_free_context(p);
453 p = NULL;
454 }
455 *context = p;
456 return ret;
457 }
458
459 #ifndef HEIMDAL_SMALLER
460
461 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
462 krb5_get_permitted_enctypes(krb5_context context,
463 krb5_enctype **etypes)
464 {
465 return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
466 }
467
468 /*
469 *
470 */
471
472 static krb5_error_code
473 copy_etypes (krb5_context context,
474 krb5_enctype *enctypes,
475 krb5_enctype **ret_enctypes)
476 {
477 unsigned int i;
478
479 for (i = 0; enctypes[i]; i++)
480 ;
481 i++;
482
483 *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i);
484 if (*ret_enctypes == NULL)
485 return krb5_enomem(context);
486 memcpy(*ret_enctypes, enctypes, sizeof(ret_enctypes[0]) * i);
487 return 0;
488 }
489
490 /**
491 * Make a copy for the Kerberos 5 context, the new krb5_context shoud
492 * be freed with krb5_free_context().
493 *
494 * @param context the Kerberos context to copy
495 * @param out the copy of the Kerberos, set to NULL error.
496 *
497 * @return Returns 0 to indicate success. Otherwise an kerberos et
498 * error code is returned, see krb5_get_error_message().
499 *
500 * @ingroup krb5
501 */
502
503 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
504 krb5_copy_context(krb5_context context, krb5_context *out)
505 {
506 krb5_error_code ret;
507 krb5_context p;
508
509 *out = NULL;
510
511 p = calloc(1, sizeof(*p));
512 if (p == NULL)
513 return krb5_enomem(context);
514
515 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
516 if (p->mutex == NULL) {
517 free(p);
518 return krb5_enomem(context);
519 }
520 HEIMDAL_MUTEX_init(p->mutex);
521
522
523 if (context->default_cc_name)
524 p->default_cc_name = strdup(context->default_cc_name);
525 if (context->default_cc_name_env)
526 p->default_cc_name_env = strdup(context->default_cc_name_env);
527
528 if (context->etypes) {
529 ret = copy_etypes(context, context->etypes, &p->etypes);
530 if (ret)
531 goto out;
532 }
533 if (context->etypes_des) {
534 ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
535 if (ret)
536 goto out;
537 }
538
539 if (context->default_realms) {
540 ret = krb5_copy_host_realm(context,
541 context->default_realms, &p->default_realms);
542 if (ret)
543 goto out;
544 }
545
546 ret = _krb5_config_copy(context, context->cf, &p->cf);
547 if (ret)
548 goto out;
549
550 /* XXX should copy */
551 krb5_init_ets(p);
552
553 cc_ops_copy(p, context);
554 kt_ops_copy(p, context);
555
556 #if 0 /* XXX */
557 if(context->warn_dest != NULL)
558 ;
559 if(context->debug_dest != NULL)
560 ;
561 #endif
562
563 ret = krb5_set_extra_addresses(p, context->extra_addresses);
564 if (ret)
565 goto out;
566 ret = krb5_set_extra_addresses(p, context->ignore_addresses);
567 if (ret)
568 goto out;
569
570 ret = _krb5_copy_send_to_kdc_func(p, context);
571 if (ret)
572 goto out;
573
574 *out = p;
575
576 return 0;
577
578 out:
579 krb5_free_context(p);
580 return ret;
581 }
582
583 #endif
584
585 /**
586 * Frees the krb5_context allocated by krb5_init_context().
587 *
588 * @param context context to be freed.
589 *
590 * @ingroup krb5
591 */
592
593 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
594 krb5_free_context(krb5_context context)
595 {
596 if (context->default_cc_name)
597 free(context->default_cc_name);
598 if (context->default_cc_name_env)
599 free(context->default_cc_name_env);
600 free(context->etypes);
601 free(context->etypes_des);
602 krb5_free_host_realm (context, context->default_realms);
603 krb5_config_file_free (context, context->cf);
604 free_error_table (context->et_list);
605 free(rk_UNCONST(context->cc_ops));
606 free(context->kt_types);
607 krb5_clear_error_message(context);
608 if(context->warn_dest != NULL)
609 krb5_closelog(context, context->warn_dest);
610 if(context->debug_dest != NULL)
611 krb5_closelog(context, context->debug_dest);
612 krb5_set_extra_addresses(context, NULL);
613 krb5_set_ignore_addresses(context, NULL);
614 krb5_set_send_to_kdc_func(context, NULL, NULL);
615
616 #ifdef PKINIT
617 if (context->hx509ctx)
618 hx509_context_free(&context->hx509ctx);
619 #endif
620
621 HEIMDAL_MUTEX_destroy(context->mutex);
622 free(context->mutex);
623 if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
624 rk_SOCK_EXIT();
625 }
626
627 memset(context, 0, sizeof(*context));
628 free(context);
629 }
630
631 /**
632 * Reinit the context from a new set of filenames.
633 *
634 * @param context context to add configuration too.
635 * @param filenames array of filenames, end of list is indicated with a NULL filename.
636 *
637 * @return Returns 0 to indicate success. Otherwise an kerberos et
638 * error code is returned, see krb5_get_error_message().
639 *
640 * @ingroup krb5
641 */
642
643 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
644 krb5_set_config_files(krb5_context context, char **filenames)
645 {
646 krb5_error_code ret;
647 krb5_config_binding *tmp = NULL;
648 while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
649 ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
650 if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) {
651 krb5_config_file_free(context, tmp);
652 return ret;
653 }
654 filenames++;
655 }
656 #if 0
657 /* with this enabled and if there are no config files, Kerberos is
658 considererd disabled */
659 if(tmp == NULL)
660 return ENXIO;
661 #endif
662
663 #ifdef _WIN32
664 _krb5_load_config_from_registry(context, &tmp);
665 #endif
666
667 krb5_config_file_free(context, context->cf);
668 context->cf = tmp;
669 ret = init_context_from_config_file(context);
670 return ret;
671 }
672
673 static krb5_error_code
674 add_file(char ***pfilenames, int *len, char *file)
675 {
676 char **pp = *pfilenames;
677 int i;
678
679 for(i = 0; i < *len; i++) {
680 if(strcmp(pp[i], file) == 0) {
681 free(file);
682 return 0;
683 }
684 }
685
686 pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp));
687 if (pp == NULL) {
688 free(file);
689 return ENOMEM;
690 }
691
692 pp[*len] = file;
693 pp[*len + 1] = NULL;
694 *pfilenames = pp;
695 *len += 1;
696 return 0;
697 }
698
699 /*
700 * `pq' isn't free, it's up the the caller
701 */
702
703 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
704 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
705 {
706 krb5_error_code ret;
707 const char *p, *q;
708 char **pp;
709 int len;
710 char *fn;
711
712 pp = NULL;
713
714 len = 0;
715 p = filelist;
716 while(1) {
717 ssize_t l;
718 q = p;
719 l = strsep_copy(&q, PATH_SEP, NULL, 0);
720 if(l == -1)
721 break;
722 fn = malloc(l + 1);
723 if(fn == NULL) {
724 krb5_free_config_files(pp);
725 return ENOMEM;
726 }
727 (void)strsep_copy(&p, PATH_SEP, fn, l + 1);
728 ret = add_file(&pp, &len, fn);
729 if (ret) {
730 krb5_free_config_files(pp);
731 return ret;
732 }
733 }
734
735 if (pq != NULL) {
736 int i;
737
738 for (i = 0; pq[i] != NULL; i++) {
739 fn = strdup(pq[i]);
740 if (fn == NULL) {
741 krb5_free_config_files(pp);
742 return ENOMEM;
743 }
744 ret = add_file(&pp, &len, fn);
745 if (ret) {
746 krb5_free_config_files(pp);
747 return ret;
748 }
749 }
750 }
751
752 *ret_pp = pp;
753 return 0;
754 }
755
756 /**
757 * Prepend the filename to the global configuration list.
758 *
759 * @param filelist a filename to add to the default list of filename
760 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
761 *
762 * @return Returns 0 to indicate success. Otherwise an kerberos et
763 * error code is returned, see krb5_get_error_message().
764 *
765 * @ingroup krb5
766 */
767
768 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
769 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
770 {
771 krb5_error_code ret;
772 char **defpp, **pp = NULL;
773
774 ret = krb5_get_default_config_files(&defpp);
775 if (ret)
776 return ret;
777
778 ret = krb5_prepend_config_files(filelist, defpp, &pp);
779 krb5_free_config_files(defpp);
780 if (ret) {
781 return ret;
782 }
783 *pfilenames = pp;
784 return 0;
785 }
786
787 #ifdef _WIN32
788
789 /**
790 * Checks the registry for configuration file location
791 *
792 * Kerberos for Windows and other legacy Kerberos applications expect
793 * to find the configuration file location in the
794 * SOFTWARE\MIT\Kerberos registry key under the value "config".
795 */
796 KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
797 _krb5_get_default_config_config_files_from_registry()
798 {
799 static const char * KeyName = "Software\\MIT\\Kerberos";
800 char *config_file = NULL;
801 LONG rcode;
802 HKEY key;
803
804 rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key);
805 if (rcode == ERROR_SUCCESS) {
806 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
807 REG_NONE, 0, PATH_SEP);
808 RegCloseKey(key);
809 }
810
811 if (config_file)
812 return config_file;
813
814 rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key);
815 if (rcode == ERROR_SUCCESS) {
816 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
817 REG_NONE, 0, PATH_SEP);
818 RegCloseKey(key);
819 }
820
821 return config_file;
822 }
823
824 #endif
825
826 /**
827 * Get the global configuration list.
828 *
829 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
830 *
831 * @return Returns 0 to indicate success. Otherwise an kerberos et
832 * error code is returned, see krb5_get_error_message().
833 *
834 * @ingroup krb5
835 */
836
837 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
838 krb5_get_default_config_files(char ***pfilenames)
839 {
840 const char *files = NULL;
841
842 if (pfilenames == NULL)
843 return EINVAL;
844 if(!issuid())
845 files = getenv("KRB5_CONFIG");
846
847 #ifdef _WIN32
848 if (files == NULL) {
849 char * reg_files;
850 reg_files = _krb5_get_default_config_config_files_from_registry();
851 if (reg_files != NULL) {
852 krb5_error_code code;
853
854 code = krb5_prepend_config_files(reg_files, NULL, pfilenames);
855 free(reg_files);
856
857 return code;
858 }
859 }
860 #endif
861
862 if (files == NULL)
863 files = krb5_config_file;
864
865 return krb5_prepend_config_files(files, NULL, pfilenames);
866 }
867
868 /**
869 * Free a list of configuration files.
870 *
871 * @param filenames list, terminated with a NULL pointer, to be
872 * freed. NULL is an valid argument.
873 *
874 * @return Returns 0 to indicate success. Otherwise an kerberos et
875 * error code is returned, see krb5_get_error_message().
876 *
877 * @ingroup krb5
878 */
879
880 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
881 krb5_free_config_files(char **filenames)
882 {
883 char **p;
884 for(p = filenames; p && *p != NULL; p++)
885 free(*p);
886 free(filenames);
887 }
888
889 /**
890 * Returns the list of Kerberos encryption types sorted in order of
891 * most preferred to least preferred encryption type. Note that some
892 * encryption types might be disabled, so you need to check with
893 * krb5_enctype_valid() before using the encryption type.
894 *
895 * @return list of enctypes, terminated with ETYPE_NULL. Its a static
896 * array completed into the Kerberos library so the content doesn't
897 * need to be freed.
898 *
899 * @ingroup krb5
900 */
901
902 KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
903 krb5_kerberos_enctypes(krb5_context context)
904 {
905 static const krb5_enctype p[] = {
906 ETYPE_AES256_CTS_HMAC_SHA1_96,
907 ETYPE_AES128_CTS_HMAC_SHA1_96,
908 ETYPE_DES3_CBC_SHA1,
909 ETYPE_ARCFOUR_HMAC_MD5,
910 ETYPE_NULL
911 };
912
913 static const krb5_enctype weak[] = {
914 ETYPE_AES256_CTS_HMAC_SHA1_96,
915 ETYPE_AES128_CTS_HMAC_SHA1_96,
916 ETYPE_DES3_CBC_SHA1,
917 ETYPE_DES3_CBC_MD5,
918 ETYPE_ARCFOUR_HMAC_MD5,
919 ETYPE_DES_CBC_MD5,
920 ETYPE_DES_CBC_MD4,
921 ETYPE_DES_CBC_CRC,
922 ETYPE_NULL
923 };
924
925 /*
926 * if the list of enctypes enabled by "allow_weak_crypto"
927 * are valid, then return the former default enctype list
928 * that contained the weak entries.
929 */
930 if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC) == 0 &&
931 krb5_enctype_valid(context, ETYPE_DES_CBC_MD4) == 0 &&
932 krb5_enctype_valid(context, ETYPE_DES_CBC_MD5) == 0 &&
933 krb5_enctype_valid(context, ETYPE_DES_CBC_NONE) == 0 &&
934 krb5_enctype_valid(context, ETYPE_DES_CFB64_NONE) == 0 &&
935 krb5_enctype_valid(context, ETYPE_DES_PCBC_NONE) == 0)
936 return weak;
937
938 return p;
939 }
940
941 /*
942 *
943 */
944
945 static krb5_error_code
946 copy_enctypes(krb5_context context,
947 const krb5_enctype *in,
948 krb5_enctype **out)
949 {
950 krb5_enctype *p = NULL;
951 size_t m, n;
952
953 for (n = 0; in[n]; n++)
954 ;
955 n++;
956 ALLOC(p, n);
957 if(p == NULL)
958 return krb5_enomem(context);
959 for (n = 0, m = 0; in[n]; n++) {
960 if (krb5_enctype_valid(context, in[n]) != 0)
961 continue;
962 p[m++] = in[n];
963 }
964 p[m] = KRB5_ENCTYPE_NULL;
965 if (m == 0) {
966 free(p);
967 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
968 N_("no valid enctype set", ""));
969 return KRB5_PROG_ETYPE_NOSUPP;
970 }
971 *out = p;
972 return 0;
973 }
974
975
976 /*
977 * set `etype' to a malloced list of the default enctypes
978 */
979
980 static krb5_error_code
981 default_etypes(krb5_context context, krb5_enctype **etype)
982 {
983 const krb5_enctype *p = krb5_kerberos_enctypes(context);
984 return copy_enctypes(context, p, etype);
985 }
986
987 /**
988 * Set the default encryption types that will be use in communcation
989 * with the KDC, clients and servers.
990 *
991 * @param context Kerberos 5 context.
992 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
993 *
994 * @return Returns 0 to indicate success. Otherwise an kerberos et
995 * error code is returned, see krb5_get_error_message().
996 *
997 * @ingroup krb5
998 */
999
1000 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1001 krb5_set_default_in_tkt_etypes(krb5_context context,
1002 const krb5_enctype *etypes)
1003 {
1004 krb5_error_code ret;
1005 krb5_enctype *p = NULL;
1006
1007 if(etypes) {
1008 ret = copy_enctypes(context, etypes, &p);
1009 if (ret)
1010 return ret;
1011 }
1012 if(context->etypes)
1013 free(context->etypes);
1014 context->etypes = p;
1015 return 0;
1016 }
1017
1018 /**
1019 * Get the default encryption types that will be use in communcation
1020 * with the KDC, clients and servers.
1021 *
1022 * @param context Kerberos 5 context.
1023 * @param etypes Encryption types, array terminated with
1024 * ETYPE_NULL(0), caller should free array with krb5_xfree():
1025 *
1026 * @return Returns 0 to indicate success. Otherwise an kerberos et
1027 * error code is returned, see krb5_get_error_message().
1028 *
1029 * @ingroup krb5
1030 */
1031
1032 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1033 krb5_get_default_in_tkt_etypes(krb5_context context,
1034 krb5_pdu pdu_type,
1035 krb5_enctype **etypes)
1036 {
1037 krb5_enctype *enctypes = NULL;
1038 krb5_error_code ret;
1039 krb5_enctype *p;
1040
1041 heim_assert(pdu_type == KRB5_PDU_AS_REQUEST ||
1042 pdu_type == KRB5_PDU_TGS_REQUEST ||
1043 pdu_type == KRB5_PDU_NONE, "pdu contant not as expected");
1044
1045 if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
1046 enctypes = context->as_etypes;
1047 else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
1048 enctypes = context->tgs_etypes;
1049 else if (context->etypes != NULL)
1050 enctypes = context->etypes;
1051
1052 if (enctypes != NULL) {
1053 ret = copy_enctypes(context, enctypes, &p);
1054 if (ret)
1055 return ret;
1056 } else {
1057 ret = default_etypes(context, &p);
1058 if (ret)
1059 return ret;
1060 }
1061 *etypes = p;
1062 return 0;
1063 }
1064
1065 /**
1066 * Init the built-in ets in the Kerberos library.
1067 *
1068 * @param context kerberos context to add the ets too
1069 *
1070 * @ingroup krb5
1071 */
1072
1073 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1074 krb5_init_ets(krb5_context context)
1075 {
1076 if(context->et_list == NULL){
1077 krb5_add_et_list(context, initialize_krb5_error_table_r);
1078 krb5_add_et_list(context, initialize_asn1_error_table_r);
1079 krb5_add_et_list(context, initialize_heim_error_table_r);
1080
1081 krb5_add_et_list(context, initialize_k524_error_table_r);
1082
1083 #ifdef COM_ERR_BINDDOMAIN_krb5
1084 bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
1085 bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
1086 bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
1087 bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
1088 #endif
1089
1090 #ifdef PKINIT
1091 krb5_add_et_list(context, initialize_hx_error_table_r);
1092 #ifdef COM_ERR_BINDDOMAIN_hx
1093 bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
1094 #endif
1095 #endif
1096 }
1097 }
1098
1099 /**
1100 * Make the kerberos library default to the admin KDC.
1101 *
1102 * @param context Kerberos 5 context.
1103 * @param flag boolean flag to select if the use the admin KDC or not.
1104 *
1105 * @ingroup krb5
1106 */
1107
1108 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1109 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
1110 {
1111 context->use_admin_kdc = flag;
1112 }
1113
1114 /**
1115 * Make the kerberos library default to the admin KDC.
1116 *
1117 * @param context Kerberos 5 context.
1118 *
1119 * @return boolean flag to telling the context will use admin KDC as the default KDC.
1120 *
1121 * @ingroup krb5
1122 */
1123
1124 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1125 krb5_get_use_admin_kdc (krb5_context context)
1126 {
1127 return context->use_admin_kdc;
1128 }
1129
1130 /**
1131 * Add extra address to the address list that the library will add to
1132 * the client's address list when communicating with the KDC.
1133 *
1134 * @param context Kerberos 5 context.
1135 * @param addresses addreses to add
1136 *
1137 * @return Returns 0 to indicate success. Otherwise an kerberos et
1138 * error code is returned, see krb5_get_error_message().
1139 *
1140 * @ingroup krb5
1141 */
1142
1143 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1144 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
1145 {
1146
1147 if(context->extra_addresses)
1148 return krb5_append_addresses(context,
1149 context->extra_addresses, addresses);
1150 else
1151 return krb5_set_extra_addresses(context, addresses);
1152 }
1153
1154 /**
1155 * Set extra address to the address list that the library will add to
1156 * the client's address list when communicating with the KDC.
1157 *
1158 * @param context Kerberos 5 context.
1159 * @param addresses addreses to set
1160 *
1161 * @return Returns 0 to indicate success. Otherwise an kerberos et
1162 * error code is returned, see krb5_get_error_message().
1163 *
1164 * @ingroup krb5
1165 */
1166
1167 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1168 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
1169 {
1170 if(context->extra_addresses)
1171 krb5_free_addresses(context, context->extra_addresses);
1172
1173 if(addresses == NULL) {
1174 if(context->extra_addresses != NULL) {
1175 free(context->extra_addresses);
1176 context->extra_addresses = NULL;
1177 }
1178 return 0;
1179 }
1180 if(context->extra_addresses == NULL) {
1181 context->extra_addresses = malloc(sizeof(*context->extra_addresses));
1182 if (context->extra_addresses == NULL)
1183 return krb5_enomem(context);
1184 }
1185 return krb5_copy_addresses(context, addresses, context->extra_addresses);
1186 }
1187
1188 /**
1189 * Get extra address to the address list that the library will add to
1190 * the client's address list when communicating with the KDC.
1191 *
1192 * @param context Kerberos 5 context.
1193 * @param addresses addreses to set
1194 *
1195 * @return Returns 0 to indicate success. Otherwise an kerberos et
1196 * error code is returned, see krb5_get_error_message().
1197 *
1198 * @ingroup krb5
1199 */
1200
1201 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1202 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
1203 {
1204 if(context->extra_addresses == NULL) {
1205 memset(addresses, 0, sizeof(*addresses));
1206 return 0;
1207 }
1208 return krb5_copy_addresses(context,context->extra_addresses, addresses);
1209 }
1210
1211 /**
1212 * Add extra addresses to ignore when fetching addresses from the
1213 * underlaying operating system.
1214 *
1215 * @param context Kerberos 5 context.
1216 * @param addresses addreses to ignore
1217 *
1218 * @return Returns 0 to indicate success. Otherwise an kerberos et
1219 * error code is returned, see krb5_get_error_message().
1220 *
1221 * @ingroup krb5
1222 */
1223
1224 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1225 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1226 {
1227
1228 if(context->ignore_addresses)
1229 return krb5_append_addresses(context,
1230 context->ignore_addresses, addresses);
1231 else
1232 return krb5_set_ignore_addresses(context, addresses);
1233 }
1234
1235 /**
1236 * Set extra addresses to ignore when fetching addresses from the
1237 * underlaying operating system.
1238 *
1239 * @param context Kerberos 5 context.
1240 * @param addresses addreses to ignore
1241 *
1242 * @return Returns 0 to indicate success. Otherwise an kerberos et
1243 * error code is returned, see krb5_get_error_message().
1244 *
1245 * @ingroup krb5
1246 */
1247
1248 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1249 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
1250 {
1251 if(context->ignore_addresses)
1252 krb5_free_addresses(context, context->ignore_addresses);
1253 if(addresses == NULL) {
1254 if(context->ignore_addresses != NULL) {
1255 free(context->ignore_addresses);
1256 context->ignore_addresses = NULL;
1257 }
1258 return 0;
1259 }
1260 if(context->ignore_addresses == NULL) {
1261 context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
1262 if (context->ignore_addresses == NULL)
1263 return krb5_enomem(context);
1264 }
1265 return krb5_copy_addresses(context, addresses, context->ignore_addresses);
1266 }
1267
1268 /**
1269 * Get extra addresses to ignore when fetching addresses from the
1270 * underlaying operating system.
1271 *
1272 * @param context Kerberos 5 context.
1273 * @param addresses list addreses ignored
1274 *
1275 * @return Returns 0 to indicate success. Otherwise an kerberos et
1276 * error code is returned, see krb5_get_error_message().
1277 *
1278 * @ingroup krb5
1279 */
1280
1281 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1282 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1283 {
1284 if(context->ignore_addresses == NULL) {
1285 memset(addresses, 0, sizeof(*addresses));
1286 return 0;
1287 }
1288 return krb5_copy_addresses(context, context->ignore_addresses, addresses);
1289 }
1290
1291 /**
1292 * Set version of fcache that the library should use.
1293 *
1294 * @param context Kerberos 5 context.
1295 * @param version version number.
1296 *
1297 * @return Returns 0 to indicate success. Otherwise an kerberos et
1298 * error code is returned, see krb5_get_error_message().
1299 *
1300 * @ingroup krb5
1301 */
1302
1303 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1304 krb5_set_fcache_version(krb5_context context, int version)
1305 {
1306 context->fcache_vno = version;
1307 return 0;
1308 }
1309
1310 /**
1311 * Get version of fcache that the library should use.
1312 *
1313 * @param context Kerberos 5 context.
1314 * @param version version number.
1315 *
1316 * @return Returns 0 to indicate success. Otherwise an kerberos et
1317 * error code is returned, see krb5_get_error_message().
1318 *
1319 * @ingroup krb5
1320 */
1321
1322 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1323 krb5_get_fcache_version(krb5_context context, int *version)
1324 {
1325 *version = context->fcache_vno;
1326 return 0;
1327 }
1328
1329 /**
1330 * Runtime check if the Kerberos library was complied with thread support.
1331 *
1332 * @return TRUE if the library was compiled with thread support, FALSE if not.
1333 *
1334 * @ingroup krb5
1335 */
1336
1337
1338 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1339 krb5_is_thread_safe(void)
1340 {
1341 #ifdef ENABLE_PTHREAD_SUPPORT
1342 return TRUE;
1343 #else
1344 return FALSE;
1345 #endif
1346 }
1347
1348 /**
1349 * Set if the library should use DNS to canonicalize hostnames.
1350 *
1351 * @param context Kerberos 5 context.
1352 * @param flag if its dns canonicalizion is used or not.
1353 *
1354 * @ingroup krb5
1355 */
1356
1357 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1358 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
1359 {
1360 if (flag)
1361 context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1362 else
1363 context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1364 }
1365
1366 /**
1367 * Get if the library uses DNS to canonicalize hostnames.
1368 *
1369 * @param context Kerberos 5 context.
1370 *
1371 * @return return non zero if the library uses DNS to canonicalize hostnames.
1372 *
1373 * @ingroup krb5
1374 */
1375
1376 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1377 krb5_get_dns_canonicalize_hostname (krb5_context context)
1378 {
1379 return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
1380 }
1381
1382 /**
1383 * Get current offset in time to the KDC.
1384 *
1385 * @param context Kerberos 5 context.
1386 * @param sec seconds part of offset.
1387 * @param usec micro seconds part of offset.
1388 *
1389 * @return returns zero
1390 *
1391 * @ingroup krb5
1392 */
1393
1394 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1395 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
1396 {
1397 if (sec)
1398 *sec = context->kdc_sec_offset;
1399 if (usec)
1400 *usec = context->kdc_usec_offset;
1401 return 0;
1402 }
1403
1404 /**
1405 * Set current offset in time to the KDC.
1406 *
1407 * @param context Kerberos 5 context.
1408 * @param sec seconds part of offset.
1409 * @param usec micro seconds part of offset.
1410 *
1411 * @return returns zero
1412 *
1413 * @ingroup krb5
1414 */
1415
1416 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1417 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1418 {
1419 context->kdc_sec_offset = sec;
1420 if (usec >= 0)
1421 context->kdc_usec_offset = usec;
1422 return 0;
1423 }
1424
1425 /**
1426 * Get max time skew allowed.
1427 *
1428 * @param context Kerberos 5 context.
1429 *
1430 * @return timeskew in seconds.
1431 *
1432 * @ingroup krb5
1433 */
1434
1435 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
1436 krb5_get_max_time_skew (krb5_context context)
1437 {
1438 return context->max_skew;
1439 }
1440
1441 /**
1442 * Set max time skew allowed.
1443 *
1444 * @param context Kerberos 5 context.
1445 * @param t timeskew in seconds.
1446 *
1447 * @ingroup krb5
1448 */
1449
1450 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1451 krb5_set_max_time_skew (krb5_context context, time_t t)
1452 {
1453 context->max_skew = t;
1454 }
1455
1456 /*
1457 * Init encryption types in len, val with etypes.
1458 *
1459 * @param context Kerberos 5 context.
1460 * @param pdu_type type of pdu
1461 * @param len output length of val.
1462 * @param val output array of enctypes.
1463 * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1464
1465 * @return Returns 0 to indicate success. Otherwise an kerberos et
1466 * error code is returned, see krb5_get_error_message().
1467 *
1468 * @ingroup krb5
1469 */
1470
1471 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1472 _krb5_init_etype(krb5_context context,
1473 krb5_pdu pdu_type,
1474 unsigned *len,
1475 krb5_enctype **val,
1476 const krb5_enctype *etypes)
1477 {
1478 krb5_error_code ret;
1479
1480 if (etypes == NULL)
1481 ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
1482 else
1483 ret = copy_enctypes(context, etypes, val);
1484 if (ret)
1485 return ret;
1486
1487 if (len) {
1488 *len = 0;
1489 while ((*val)[*len] != KRB5_ENCTYPE_NULL)
1490 (*len)++;
1491 }
1492 return 0;
1493 }
1494
1495 /*
1496 * Allow homedir accces
1497 */
1498
1499 static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
1500 static krb5_boolean allow_homedir = TRUE;
1501
1502 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1503 _krb5_homedir_access(krb5_context context)
1504 {
1505 krb5_boolean allow;
1506
1507 if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
1508 return FALSE;
1509
1510 HEIMDAL_MUTEX_lock(&homedir_mutex);
1511 allow = allow_homedir;
1512 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1513 return allow;
1514 }
1515
1516 /**
1517 * Enable and disable home directory access on either the global state
1518 * or the krb5_context state. By calling krb5_set_home_dir_access()
1519 * with context set to NULL, the global state is configured otherwise
1520 * the state for the krb5_context is modified.
1521 *
1522 * For home directory access to be allowed, both the global state and
1523 * the krb5_context state have to be allowed.
1524 *
1525 * Administrator (root user), never uses the home directory.
1526 *
1527 * @param context a Kerberos 5 context or NULL
1528 * @param allow allow if TRUE home directory
1529 * @return the old value
1530 *
1531 * @ingroup krb5
1532 */
1533
1534 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1535 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
1536 {
1537 krb5_boolean old;
1538 if (context) {
1539 old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
1540 if (allow)
1541 context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
1542 else
1543 context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
1544 } else {
1545 HEIMDAL_MUTEX_lock(&homedir_mutex);
1546 old = allow_homedir;
1547 allow_homedir = allow;
1548 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1549 }
1550
1551 return old;
1552 }
Heimdal