search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Allow KDC to always return the salt in the PA-ETYPE-INFO[2]
[heimdal.git] / lib / krb5 / context.c
blob071b2a8c1054b9f5a37a81504d62518b87803a2f
1 /*
2 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #undef KRB5_DEPRECATED_FUNCTION
37 #define KRB5_DEPRECATED_FUNCTION(x)
38
39 #include "krb5_locl.h"
40 #include <assert.h>
41 #include <com_err.h>
42
43 static void _krb5_init_ets(krb5_context);
44
45 #define INIT_FIELD(C, T, E, D, F) \
46 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
47 "libdefaults", F, NULL)
48
49 #define INIT_FLAG(C, O, V, D, F) \
50 do { \
51 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
52 (C)->O |= V; \
53 } \
54 } while(0)
55
56 static krb5_error_code
57 copy_enctypes(krb5_context context,
58 const krb5_enctype *in,
59 krb5_enctype **out);
60
61 /*
62 * Set the list of etypes `ret_etypes' from the configuration variable
63 * `name'
64 */
65
66 static krb5_error_code
67 set_etypes (krb5_context context,
68 const char *name,
69 krb5_enctype **ret_enctypes)
70 {
71 char **etypes_str;
72 krb5_enctype *etypes = NULL;
73
74 etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
75 name, NULL);
76 if(etypes_str){
77 int i, j, k;
78 for(i = 0; etypes_str[i]; i++);
79 etypes = malloc((i+1) * sizeof(*etypes));
80 if (etypes == NULL) {
81 krb5_config_free_strings (etypes_str);
82 return krb5_enomem(context);
83 }
84 for(j = 0, k = 0; j < i; j++) {
85 krb5_enctype e;
86 if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
87 continue;
88 if (krb5_enctype_valid(context, e) != 0)
89 continue;
90 etypes[k++] = e;
91 }
92 etypes[k] = ETYPE_NULL;
93 krb5_config_free_strings(etypes_str);
94 }
95 *ret_enctypes = etypes;
96 return 0;
97 }
98
99 /*
100 * read variables from the configuration file and set in `context'
101 */
102
103 static krb5_error_code
104 init_context_from_config_file(krb5_context context)
105 {
106 krb5_error_code ret;
107 const char * tmp;
108 char **s;
109 krb5_enctype *tmptypes;
110
111 INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
112 INIT_FIELD(context, time, kdc_timeout, 30, "kdc_timeout");
113 INIT_FIELD(context, time, host_timeout, 3, "host_timeout");
114 INIT_FIELD(context, int, max_retries, 3, "max_retries");
115
116 INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
117
118 ret = krb5_config_get_bool_default(context, NULL, FALSE,
119 "libdefaults",
120 "allow_weak_crypto", NULL);
121 if (ret) {
122 krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
123 krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
124 krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
125 krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
126 krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
127 krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
128 }
129
130 ret = set_etypes (context, "default_etypes", &tmptypes);
131 if(ret)
132 return ret;
133 free(context->etypes);
134 context->etypes = tmptypes;
135
136 /* The etypes member may change during the lifetime
137 * of the context. To be able to reset it to
138 * config value, we keep another copy.
139 */
140 free(context->cfg_etypes);
141 context->cfg_etypes = NULL;
142 if (tmptypes) {
143 ret = copy_enctypes(context, tmptypes, &context->cfg_etypes);
144 if (ret)
145 return ret;
146 }
147
148 ret = set_etypes (context, "default_etypes_des", &tmptypes);
149 if(ret)
150 return ret;
151 free(context->etypes_des);
152 context->etypes_des = tmptypes;
153
154 ret = set_etypes (context, "default_as_etypes", &tmptypes);
155 if(ret)
156 return ret;
157 free(context->as_etypes);
158 context->as_etypes = tmptypes;
159
160 ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
161 if(ret)
162 return ret;
163 free(context->tgs_etypes);
164 context->tgs_etypes = tmptypes;
165
166 ret = set_etypes (context, "permitted_enctypes", &tmptypes);
167 if(ret)
168 return ret;
169 free(context->permitted_enctypes);
170 context->permitted_enctypes = tmptypes;
171
172 INIT_FIELD(context, string, default_keytab,
173 KEYTAB_DEFAULT, "default_keytab_name");
174
175 INIT_FIELD(context, string, default_keytab_modify,
176 NULL, "default_keytab_modify_name");
177
178 INIT_FIELD(context, string, time_fmt,
179 "%Y-%m-%dT%H:%M:%S", "time_format");
180
181 INIT_FIELD(context, string, date_fmt,
182 "%Y-%m-%d", "date_format");
183
184 INIT_FIELD(context, bool, log_utc,
185 FALSE, "log_utc");
186
187 context->no_ticket_store =
188 getenv("KRB5_NO_TICKET_STORE") != NULL;
189
190 /* init dns-proxy slime */
191 tmp = krb5_config_get_string(context, NULL, "libdefaults",
192 "dns_proxy", NULL);
193 if(tmp)
194 roken_gethostby_setup(context->http_proxy, tmp);
195 krb5_free_host_realm (context, context->default_realms);
196 context->default_realms = NULL;
197
198 {
199 krb5_addresses addresses;
200 char **adr, **a;
201
202 krb5_set_extra_addresses(context, NULL);
203 adr = krb5_config_get_strings(context, NULL,
204 "libdefaults",
205 "extra_addresses",
206 NULL);
207 memset(&addresses, 0, sizeof(addresses));
208 for(a = adr; a && *a; a++) {
209 ret = krb5_parse_address(context, *a, &addresses);
210 if (ret == 0) {
211 krb5_add_extra_addresses(context, &addresses);
212 krb5_free_addresses(context, &addresses);
213 }
214 }
215 krb5_config_free_strings(adr);
216
217 krb5_set_ignore_addresses(context, NULL);
218 adr = krb5_config_get_strings(context, NULL,
219 "libdefaults",
220 "ignore_addresses",
221 NULL);
222 memset(&addresses, 0, sizeof(addresses));
223 for(a = adr; a && *a; a++) {
224 ret = krb5_parse_address(context, *a, &addresses);
225 if (ret == 0) {
226 krb5_add_ignore_addresses(context, &addresses);
227 krb5_free_addresses(context, &addresses);
228 }
229 }
230 krb5_config_free_strings(adr);
231 }
232
233 INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
234 INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
235 /* prefer dns_lookup_kdc over srv_lookup. */
236 INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
237 INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
238 INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
239 INIT_FIELD(context, int, max_msg_size, 1000 * 1024, "maximum_message_size");
240 INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
241 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
242 INIT_FLAG(context, flags, KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE, FALSE, "enforce_ok_as_delegate");
243
244 if (context->default_cc_name)
245 free(context->default_cc_name);
246 context->default_cc_name = NULL;
247 context->default_cc_name_set = 0;
248 context->configured_default_cc_name = NULL;
249
250 tmp = secure_getenv("KRB5_TRACE");
251 if (tmp)
252 heim_add_debug_dest(context->hcontext, "libkrb5", tmp);
253 s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
254 if (s) {
255 char **p;
256
257 for (p = s; *p; p++)
258 heim_add_debug_dest(context->hcontext, "libkrb5", *p);
259 krb5_config_free_strings(s);
260 }
261
262 tmp = krb5_config_get_string(context, NULL, "libdefaults",
263 "check-rd-req-server", NULL);
264 if (tmp == NULL)
265 tmp = secure_getenv("KRB5_CHECK_RD_REQ_SERVER");
266 if(tmp) {
267 if (strcasecmp(tmp, "ignore") == 0)
268 context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
269 }
270 ret = krb5_config_get_bool_default(context, NULL, TRUE,
271 "libdefaults",
272 "fcache_strict_checking", NULL);
273 if (ret)
274 context->flags |= KRB5_CTX_F_FCACHE_STRICT_CHECKING;
275
276 return 0;
277 }
278
279 static krb5_error_code
280 cc_ops_register(krb5_context context)
281 {
282 context->cc_ops = NULL;
283 context->num_cc_ops = 0;
284
285 #ifndef KCM_IS_API_CACHE
286 krb5_cc_register(context, &krb5_acc_ops, TRUE);
287 #endif
288 krb5_cc_register(context, &krb5_fcc_ops, TRUE);
289 krb5_cc_register(context, &krb5_dcc_ops, TRUE);
290 krb5_cc_register(context, &krb5_mcc_ops, TRUE);
291 #ifdef HAVE_SCC
292 krb5_cc_register(context, &krb5_scc_ops, TRUE);
293 #endif
294 #ifdef HAVE_KCM
295 #ifdef KCM_IS_API_CACHE
296 krb5_cc_register(context, &krb5_akcm_ops, TRUE);
297 #endif
298 krb5_cc_register(context, &krb5_kcm_ops, TRUE);
299 #endif
300 #if defined(HAVE_KEYUTILS_H)
301 krb5_cc_register(context, &krb5_krcc_ops, TRUE);
302 #endif
303 _krb5_load_ccache_plugins(context);
304 return 0;
305 }
306
307 static krb5_error_code
308 cc_ops_copy(krb5_context context, const krb5_context src_context)
309 {
310 const krb5_cc_ops **cc_ops;
311
312 context->cc_ops = NULL;
313 context->num_cc_ops = 0;
314
315 if (src_context->num_cc_ops == 0)
316 return 0;
317
318 cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
319 if (cc_ops == NULL) {
320 krb5_set_error_message(context, KRB5_CC_NOMEM,
321 N_("malloc: out of memory", ""));
322 return KRB5_CC_NOMEM;
323 }
324
325 memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
326 sizeof(cc_ops[0]) * src_context->num_cc_ops);
327 context->cc_ops = cc_ops;
328 context->num_cc_ops = src_context->num_cc_ops;
329
330 return 0;
331 }
332
333 static krb5_error_code
334 kt_ops_register(krb5_context context)
335 {
336 context->num_kt_types = 0;
337 context->kt_types = NULL;
338
339 krb5_kt_register (context, &krb5_fkt_ops);
340 krb5_kt_register (context, &krb5_wrfkt_ops);
341 krb5_kt_register (context, &krb5_javakt_ops);
342 krb5_kt_register (context, &krb5_mkt_ops);
343 #ifndef HEIMDAL_SMALLER
344 krb5_kt_register (context, &krb5_akf_ops);
345 #endif
346 krb5_kt_register (context, &krb5_any_ops);
347 return 0;
348 }
349
350 static krb5_error_code
351 kt_ops_copy(krb5_context context, const krb5_context src_context)
352 {
353 context->num_kt_types = 0;
354 context->kt_types = NULL;
355
356 if (src_context->num_kt_types == 0)
357 return 0;
358
359 context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
360 if (context->kt_types == NULL)
361 return krb5_enomem(context);
362
363 context->num_kt_types = src_context->num_kt_types;
364 memcpy(context->kt_types, src_context->kt_types,
365 sizeof(context->kt_types[0]) * src_context->num_kt_types);
366
367 return 0;
368 }
369
370 static const char *sysplugin_dirs[] = {
371 #ifdef _WIN32
372 "$ORIGIN",
373 #else
374 "$ORIGIN/../lib/plugin/krb5",
375 #endif
376 #ifdef __APPLE__
377 LIBDIR "/plugin/krb5",
378 #ifdef HEIM_PLUGINS_SEARCH_SYSTEM
379 "/Library/KerberosPlugins/KerberosFrameworkPlugins",
380 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
381 #endif
382 #endif
383 NULL
384 };
385
386 static void
387 init_context_once(void *ctx)
388 {
389 krb5_context context = ctx;
390 char **dirs;
391
392 #ifdef _WIN32
393 dirs = rk_UNCONST(sysplugin_dirs);
394 #else
395 dirs = krb5_config_get_strings(context, NULL, "libdefaults",
396 "plugin_dir", NULL);
397 if (dirs == NULL)
398 dirs = rk_UNCONST(sysplugin_dirs);
399 #endif
400
401 _krb5_load_plugins(context, "krb5", (const char **)dirs);
402
403 if (dirs != rk_UNCONST(sysplugin_dirs))
404 krb5_config_free_strings(dirs);
405
406 bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
407 }
408
409 /**
410 * Initializes the context structure and reads the configuration file
411 * /etc/krb5.conf. The structure should be freed by calling
412 * krb5_free_context() when it is no longer being used.
413 *
414 * @param context pointer to returned context
415 *
416 * @return Returns 0 to indicate success. Otherwise an errno code is
417 * returned. Failure means either that something bad happened during
418 * initialization (typically ENOMEM) or that Kerberos should not be
419 * used ENXIO. If the function returns HEIM_ERR_RANDOM_OFFLINE, the
420 * random source is not available and later Kerberos calls might fail.
421 *
422 * @ingroup krb5
423 */
424
425 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
426 krb5_init_context(krb5_context *context)
427 {
428 static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
429 krb5_context p;
430 krb5_error_code ret;
431 char **files;
432 uint8_t rnd;
433
434 *context = NULL;
435
436 /**
437 * krb5_init_context() will get one random byte to make sure our
438 * random is alive. Assumption is that once the non blocking
439 * source allows us to pull bytes, its all seeded and allows us to
440 * pull more bytes.
441 *
442 * Most Kerberos users calls krb5_init_context(), so this is
443 * useful point where we can do the checking.
444 */
445 ret = krb5_generate_random(&rnd, sizeof(rnd));
446 if (ret)
447 return ret;
448
449 p = calloc(1, sizeof(*p));
450 if(!p)
451 return ENOMEM;
452
453 if ((p->hcontext = heim_context_init()) == NULL) {
454 ret = ENOMEM;
455 goto out;
456 }
457
458 if (!issuid())
459 p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
460
461 ret = krb5_get_default_config_files(&files);
462 if(ret)
463 goto out;
464 ret = krb5_set_config_files(p, files);
465 krb5_free_config_files(files);
466 if(ret)
467 goto out;
468
469 /* done enough to load plugins */
470 heim_base_once_f(&init_context, p, init_context_once);
471
472 /* init error tables */
473 _krb5_init_ets(p);
474 cc_ops_register(p);
475 kt_ops_register(p);
476
477 #ifdef PKINIT
478 ret = hx509_context_init(&p->hx509ctx);
479 if (ret)
480 goto out;
481 #endif
482 if (rk_SOCK_INIT())
483 p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
484
485 out:
486 if (ret) {
487 krb5_free_context(p);
488 p = NULL;
489 } else {
490 heim_context_set_log_utc(p->hcontext, p->log_utc);
491 }
492 *context = p;
493 return ret;
494 }
495
496 #ifndef HEIMDAL_SMALLER
497
498 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
499 krb5_get_permitted_enctypes(krb5_context context,
500 krb5_enctype **etypes)
501 {
502 return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
503 }
504
505 /*
506 *
507 */
508
509 static krb5_error_code
510 copy_etypes (krb5_context context,
511 krb5_enctype *enctypes,
512 krb5_enctype **ret_enctypes)
513 {
514 unsigned int i;
515
516 for (i = 0; enctypes[i]; i++)
517 ;
518 i++;
519
520 *ret_enctypes = malloc(sizeof(enctypes[0]) * i);
521 if (*ret_enctypes == NULL)
522 return krb5_enomem(context);
523 memcpy(*ret_enctypes, enctypes, sizeof(enctypes[0]) * i);
524 return 0;
525 }
526
527 /**
528 * Make a copy for the Kerberos 5 context, the new krb5_context shoud
529 * be freed with krb5_free_context().
530 *
531 * @param context the Kerberos context to copy
532 * @param out the copy of the Kerberos, set to NULL error.
533 *
534 * @return Returns 0 to indicate success. Otherwise an kerberos et
535 * error code is returned, see krb5_get_error_message().
536 *
537 * @ingroup krb5
538 */
539
540 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
541 krb5_copy_context(krb5_context context, krb5_context *out)
542 {
543 krb5_error_code ret;
544 krb5_context p;
545
546 *out = NULL;
547
548 p = calloc(1, sizeof(*p));
549 if (p == NULL)
550 return krb5_enomem(context);
551
552 if ((p->hcontext = heim_context_init()) == NULL) {
553 ret = ENOMEM;
554 goto out;
555 }
556
557 heim_context_set_log_utc(p->hcontext, context->log_utc);
558
559 if (context->default_cc_name &&
560 (p->default_cc_name = strdup(context->default_cc_name)) == NULL) {
561 ret = ENOMEM;
562 goto out;
563 }
564 if (context->default_cc_name_env &&
565 (p->default_cc_name_env =
566 strdup(context->default_cc_name_env)) == NULL) {
567 ret = ENOMEM;
568 goto out;
569 }
570 if (context->configured_default_cc_name &&
571 (p->configured_default_cc_name =
572 strdup(context->configured_default_cc_name)) == NULL) {
573 ret = ENOMEM;
574 goto out;
575 }
576
577 if (context->etypes) {
578 ret = copy_etypes(context, context->etypes, &p->etypes);
579 if (ret)
580 goto out;
581 }
582 if (context->cfg_etypes) {
583 ret = copy_etypes(context, context->cfg_etypes, &p->cfg_etypes);
584 if (ret)
585 goto out;
586 }
587 if (context->etypes_des) {
588 ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
589 if (ret)
590 goto out;
591 }
592
593 if (context->default_realms) {
594 ret = krb5_copy_host_realm(context,
595 context->default_realms, &p->default_realms);
596 if (ret)
597 goto out;
598 }
599
600 ret = _krb5_config_copy(context, context->cf, &p->cf);
601 if (ret)
602 goto out;
603
604 /* XXX should copy */
605 _krb5_init_ets(p);
606
607 cc_ops_copy(p, context);
608 kt_ops_copy(p, context);
609
610 ret = krb5_set_extra_addresses(p, context->extra_addresses);
611 if (ret)
612 goto out;
613 ret = krb5_set_extra_addresses(p, context->ignore_addresses);
614 if (ret)
615 goto out;
616
617 ret = _krb5_copy_send_to_kdc_func(p, context);
618 if (ret)
619 goto out;
620
621 *out = p;
622
623 return 0;
624
625 out:
626 krb5_free_context(p);
627 return ret;
628 }
629
630 #endif
631
632 /**
633 * Frees the krb5_context allocated by krb5_init_context().
634 *
635 * @param context context to be freed.
636 *
637 * @ingroup krb5
638 */
639
640 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
641 krb5_free_context(krb5_context context)
642 {
643 _krb5_free_name_canon_rules(context, context->name_canon_rules);
644 if (context->default_cc_name)
645 free(context->default_cc_name);
646 if (context->default_cc_name_env)
647 free(context->default_cc_name_env);
648 if (context->configured_default_cc_name)
649 free(context->configured_default_cc_name);
650 free(context->etypes);
651 free(context->cfg_etypes);
652 free(context->etypes_des);
653 free(context->permitted_enctypes);
654 free(context->tgs_etypes);
655 free(context->as_etypes);
656 krb5_free_host_realm (context, context->default_realms);
657 krb5_config_file_free (context, context->cf);
658 free(rk_UNCONST(context->cc_ops));
659 free(context->kt_types);
660 krb5_clear_error_message(context);
661 krb5_set_extra_addresses(context, NULL);
662 krb5_set_ignore_addresses(context, NULL);
663 krb5_set_send_to_kdc_func(context, NULL, NULL);
664
665 #ifdef PKINIT
666 hx509_context_free(&context->hx509ctx);
667 #endif
668
669 if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
670 rk_SOCK_EXIT();
671 }
672
673 heim_context_free(&context->hcontext);
674 memset(context, 0, sizeof(*context));
675 free(context);
676 }
677
678 /**
679 * Reinit the context from a new set of filenames.
680 *
681 * @param context context to add configuration too.
682 * @param filenames array of filenames, end of list is indicated with a NULL filename.
683 *
684 * @return Returns 0 to indicate success. Otherwise an kerberos et
685 * error code is returned, see krb5_get_error_message().
686 *
687 * @ingroup krb5
688 */
689
690 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
691 krb5_set_config_files(krb5_context context, char **filenames)
692 {
693 krb5_error_code ret;
694 heim_config_binding *tmp = NULL;
695
696 if ((ret = heim_set_config_files(context->hcontext, filenames,
697 &tmp)))
698 return ret;
699 krb5_config_file_free(context, context->cf);
700 context->cf = (krb5_config_binding *)tmp;
701 return init_context_from_config_file(context);
702 }
703
704 #ifndef HEIMDAL_SMALLER
705 /**
706 * Reinit the context from configuration file contents in a C string.
707 * This should only be used in tests.
708 *
709 * @param context context to add configuration too.
710 * @param config configuration.
711 *
712 * @return Returns 0 to indicate success. Otherwise an kerberos et
713 * error code is returned, see krb5_get_error_message().
714 *
715 * @ingroup krb5
716 */
717
718 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
719 krb5_set_config(krb5_context context, const char *config)
720 {
721 krb5_error_code ret;
722 krb5_config_binding *tmp = NULL;
723
724 if ((ret = krb5_config_parse_string_multi(context, config, &tmp)))
725 return ret;
726 #if 0
727 /* with this enabled and if there are no config files, Kerberos is
728 considererd disabled */
729 if (tmp == NULL)
730 return ENXIO;
731 #endif
732
733 krb5_config_file_free(context, context->cf);
734 context->cf = tmp;
735 ret = init_context_from_config_file(context);
736 return ret;
737 }
738 #endif
739
740 /*
741 * `pq' isn't free, it's up the the caller
742 */
743
744 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
745 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
746 {
747 return heim_prepend_config_files(filelist, pq, ret_pp);
748 }
749
750 /**
751 * Prepend the filename to the global configuration list.
752 *
753 * @param filelist a filename to add to the default list of filename
754 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
755 *
756 * @return Returns 0 to indicate success. Otherwise an kerberos et
757 * error code is returned, see krb5_get_error_message().
758 *
759 * @ingroup krb5
760 */
761
762 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
763 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
764 {
765 return heim_prepend_config_files_default(filelist, krb5_config_file,
766 "KRB5_CONFIG", pfilenames);
767 }
768
769 /**
770 * Get the global configuration list.
771 *
772 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
773 *
774 * @return Returns 0 to indicate success. Otherwise an kerberos et
775 * error code is returned, see krb5_get_error_message().
776 *
777 * @ingroup krb5
778 */
779
780 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
781 krb5_get_default_config_files(char ***pfilenames)
782 {
783 if (pfilenames == NULL)
784 return EINVAL;
785 return heim_get_default_config_files(krb5_config_file, "KRB5_CONFIG",
786 pfilenames);
787 }
788
789 /**
790 * Free a list of configuration files.
791 *
792 * @param filenames list, terminated with a NULL pointer, to be
793 * freed. NULL is an valid argument.
794 *
795 * @return Returns 0 to indicate success. Otherwise an kerberos et
796 * error code is returned, see krb5_get_error_message().
797 *
798 * @ingroup krb5
799 */
800
801 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
802 krb5_free_config_files(char **filenames)
803 {
804 heim_free_config_files(filenames);
805 }
806
807 /**
808 * Returns the list of Kerberos encryption types sorted in order of
809 * most preferred to least preferred encryption type. Note that some
810 * encryption types might be disabled, so you need to check with
811 * krb5_enctype_valid() before using the encryption type.
812 *
813 * @return list of enctypes, terminated with ETYPE_NULL. Its a static
814 * array completed into the Kerberos library so the content doesn't
815 * need to be freed.
816 *
817 * @ingroup krb5
818 */
819
820 KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
821 krb5_kerberos_enctypes(krb5_context context)
822 {
823 static const krb5_enctype p[] = {
824 ETYPE_AES256_CTS_HMAC_SHA1_96,
825 ETYPE_AES128_CTS_HMAC_SHA1_96,
826 ETYPE_AES256_CTS_HMAC_SHA384_192,
827 ETYPE_AES128_CTS_HMAC_SHA256_128,
828 ETYPE_DES3_CBC_SHA1,
829 ETYPE_ARCFOUR_HMAC_MD5,
830 ETYPE_NULL
831 };
832
833 static const krb5_enctype weak[] = {
834 ETYPE_AES256_CTS_HMAC_SHA1_96,
835 ETYPE_AES128_CTS_HMAC_SHA1_96,
836 ETYPE_AES256_CTS_HMAC_SHA384_192,
837 ETYPE_AES128_CTS_HMAC_SHA256_128,
838 ETYPE_DES3_CBC_SHA1,
839 ETYPE_DES3_CBC_MD5,
840 ETYPE_ARCFOUR_HMAC_MD5,
841 ETYPE_DES_CBC_MD5,
842 ETYPE_DES_CBC_MD4,
843 ETYPE_DES_CBC_CRC,
844 ETYPE_NULL
845 };
846
847 /*
848 * if the list of enctypes enabled by "allow_weak_crypto"
849 * are valid, then return the former default enctype list
850 * that contained the weak entries.
851 */
852 if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC) == 0 &&
853 krb5_enctype_valid(context, ETYPE_DES_CBC_MD4) == 0 &&
854 krb5_enctype_valid(context, ETYPE_DES_CBC_MD5) == 0 &&
855 krb5_enctype_valid(context, ETYPE_DES_CBC_NONE) == 0 &&
856 krb5_enctype_valid(context, ETYPE_DES_CFB64_NONE) == 0 &&
857 krb5_enctype_valid(context, ETYPE_DES_PCBC_NONE) == 0)
858 return weak;
859
860 return p;
861 }
862
863 /*
864 *
865 */
866
867 static krb5_error_code
868 copy_enctypes(krb5_context context,
869 const krb5_enctype *in,
870 krb5_enctype **out)
871 {
872 krb5_enctype *p = NULL;
873 size_t m, n;
874
875 for (n = 0; in[n]; n++)
876 ;
877 n++;
878 ALLOC(p, n);
879 if(p == NULL)
880 return krb5_enomem(context);
881 for (n = 0, m = 0; in[n]; n++) {
882 if (krb5_enctype_valid(context, in[n]) != 0)
883 continue;
884 p[m++] = in[n];
885 }
886 p[m] = KRB5_ENCTYPE_NULL;
887 if (m == 0) {
888 free(p);
889 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
890 N_("no valid enctype set", ""));
891 return KRB5_PROG_ETYPE_NOSUPP;
892 }
893 *out = p;
894 return 0;
895 }
896
897
898 /*
899 * set `etype' to a malloced list of the default enctypes
900 */
901
902 static krb5_error_code
903 default_etypes(krb5_context context, krb5_enctype **etype)
904 {
905 const krb5_enctype *p = krb5_kerberos_enctypes(context);
906 return copy_enctypes(context, p, etype);
907 }
908
909 /**
910 * Set the default encryption types that will be use in communcation
911 * with the KDC, clients and servers.
912 *
913 * @param context Kerberos 5 context.
914 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
915 * A value of NULL resets the encryption types to the defaults set in the
916 * configuration file.
917 *
918 * @return Returns 0 to indicate success. Otherwise an kerberos et
919 * error code is returned, see krb5_get_error_message().
920 *
921 * @ingroup krb5
922 */
923
924 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
925 krb5_set_default_in_tkt_etypes(krb5_context context,
926 const krb5_enctype *etypes)
927 {
928 krb5_error_code ret;
929 krb5_enctype *p = NULL;
930
931 if(!etypes) {
932 etypes = context->cfg_etypes;
933 }
934
935 if(etypes) {
936 ret = copy_enctypes(context, etypes, &p);
937 if (ret)
938 return ret;
939 }
940 if(context->etypes)
941 free(context->etypes);
942 context->etypes = p;
943 return 0;
944 }
945
946 /**
947 * Get the default encryption types that will be use in communcation
948 * with the KDC, clients and servers.
949 *
950 * @param context Kerberos 5 context.
951 * @param pdu_type request type (AS, TGS or none)
952 * @param etypes Encryption types, array terminated with
953 * ETYPE_NULL(0), caller should free array with krb5_xfree():
954 *
955 * @return Returns 0 to indicate success. Otherwise an kerberos et
956 * error code is returned, see krb5_get_error_message().
957 *
958 * @ingroup krb5
959 */
960
961 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
962 krb5_get_default_in_tkt_etypes(krb5_context context,
963 krb5_pdu pdu_type,
964 krb5_enctype **etypes)
965 {
966 krb5_enctype *enctypes = NULL;
967 krb5_error_code ret;
968 krb5_enctype *p;
969
970 heim_assert(pdu_type == KRB5_PDU_AS_REQUEST ||
971 pdu_type == KRB5_PDU_TGS_REQUEST ||
972 pdu_type == KRB5_PDU_NONE, "unexpected pdu type");
973
974 if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
975 enctypes = context->as_etypes;
976 else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
977 enctypes = context->tgs_etypes;
978 else if (context->etypes != NULL)
979 enctypes = context->etypes;
980
981 if (enctypes != NULL) {
982 ret = copy_enctypes(context, enctypes, &p);
983 if (ret)
984 return ret;
985 } else {
986 ret = default_etypes(context, &p);
987 if (ret)
988 return ret;
989 }
990 *etypes = p;
991 return 0;
992 }
993
994 /**
995 * Init the built-in ets in the Kerberos library.
996 *
997 * @param context kerberos context to add the ets too
998 *
999 * @ingroup krb5
1000 */
1001
1002 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1003 krb5_init_ets(krb5_context context)
1004 {
1005 }
1006
1007 static void
1008 _krb5_init_ets(krb5_context context)
1009 {
1010 heim_add_et_list(context->hcontext, initialize_krb5_error_table_r);
1011 heim_add_et_list(context->hcontext, initialize_asn1_error_table_r);
1012 heim_add_et_list(context->hcontext, initialize_heim_error_table_r);
1013
1014 heim_add_et_list(context->hcontext, initialize_k524_error_table_r);
1015 heim_add_et_list(context->hcontext, initialize_k5e1_error_table_r);
1016
1017 #ifdef COM_ERR_BINDDOMAIN_krb5
1018 bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
1019 bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
1020 bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
1021 bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
1022 #endif
1023
1024 #ifdef PKINIT
1025 heim_add_et_list(context->hcontext, initialize_hx_error_table_r);
1026 #ifdef COM_ERR_BINDDOMAIN_hx
1027 bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
1028 #endif
1029 #endif
1030 }
1031
1032 /**
1033 * Make the kerberos library default to the admin KDC.
1034 *
1035 * @param context Kerberos 5 context.
1036 * @param flag boolean flag to select if the use the admin KDC or not.
1037 *
1038 * @ingroup krb5
1039 */
1040
1041 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1042 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
1043 {
1044 context->use_admin_kdc = flag;
1045 }
1046
1047 /**
1048 * Make the kerberos library default to the admin KDC.
1049 *
1050 * @param context Kerberos 5 context.
1051 *
1052 * @return boolean flag to telling the context will use admin KDC as the default KDC.
1053 *
1054 * @ingroup krb5
1055 */
1056
1057 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1058 krb5_get_use_admin_kdc (krb5_context context)
1059 {
1060 return context->use_admin_kdc;
1061 }
1062
1063 /**
1064 * Add extra address to the address list that the library will add to
1065 * the client's address list when communicating with the KDC.
1066 *
1067 * @param context Kerberos 5 context.
1068 * @param addresses addreses to add
1069 *
1070 * @return Returns 0 to indicate success. Otherwise an kerberos et
1071 * error code is returned, see krb5_get_error_message().
1072 *
1073 * @ingroup krb5
1074 */
1075
1076 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1077 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
1078 {
1079
1080 if(context->extra_addresses)
1081 return krb5_append_addresses(context,
1082 context->extra_addresses, addresses);
1083 else
1084 return krb5_set_extra_addresses(context, addresses);
1085 }
1086
1087 /**
1088 * Set extra address to the address list that the library will add to
1089 * the client's address list when communicating with the KDC.
1090 *
1091 * @param context Kerberos 5 context.
1092 * @param addresses addreses to set
1093 *
1094 * @return Returns 0 to indicate success. Otherwise an kerberos et
1095 * error code is returned, see krb5_get_error_message().
1096 *
1097 * @ingroup krb5
1098 */
1099
1100 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1101 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
1102 {
1103 if(context->extra_addresses)
1104 krb5_free_addresses(context, context->extra_addresses);
1105
1106 if(addresses == NULL) {
1107 if(context->extra_addresses != NULL) {
1108 free(context->extra_addresses);
1109 context->extra_addresses = NULL;
1110 }
1111 return 0;
1112 }
1113 if(context->extra_addresses == NULL) {
1114 context->extra_addresses = malloc(sizeof(*context->extra_addresses));
1115 if (context->extra_addresses == NULL)
1116 return krb5_enomem(context);
1117 }
1118 return krb5_copy_addresses(context, addresses, context->extra_addresses);
1119 }
1120
1121 /**
1122 * Get extra address to the address list that the library will add to
1123 * the client's address list when communicating with the KDC.
1124 *
1125 * @param context Kerberos 5 context.
1126 * @param addresses addreses to set
1127 *
1128 * @return Returns 0 to indicate success. Otherwise an kerberos et
1129 * error code is returned, see krb5_get_error_message().
1130 *
1131 * @ingroup krb5
1132 */
1133
1134 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1135 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
1136 {
1137 if(context->extra_addresses == NULL) {
1138 memset(addresses, 0, sizeof(*addresses));
1139 return 0;
1140 }
1141 return krb5_copy_addresses(context,context->extra_addresses, addresses);
1142 }
1143
1144 /**
1145 * Add extra addresses to ignore when fetching addresses from the
1146 * underlaying operating system.
1147 *
1148 * @param context Kerberos 5 context.
1149 * @param addresses addreses to ignore
1150 *
1151 * @return Returns 0 to indicate success. Otherwise an kerberos et
1152 * error code is returned, see krb5_get_error_message().
1153 *
1154 * @ingroup krb5
1155 */
1156
1157 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1158 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1159 {
1160
1161 if(context->ignore_addresses)
1162 return krb5_append_addresses(context,
1163 context->ignore_addresses, addresses);
1164 else
1165 return krb5_set_ignore_addresses(context, addresses);
1166 }
1167
1168 /**
1169 * Set extra addresses to ignore when fetching addresses from the
1170 * underlaying operating system.
1171 *
1172 * @param context Kerberos 5 context.
1173 * @param addresses addreses to ignore
1174 *
1175 * @return Returns 0 to indicate success. Otherwise an kerberos et
1176 * error code is returned, see krb5_get_error_message().
1177 *
1178 * @ingroup krb5
1179 */
1180
1181 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1182 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
1183 {
1184 if(context->ignore_addresses)
1185 krb5_free_addresses(context, context->ignore_addresses);
1186 if(addresses == NULL) {
1187 if(context->ignore_addresses != NULL) {
1188 free(context->ignore_addresses);
1189 context->ignore_addresses = NULL;
1190 }
1191 return 0;
1192 }
1193 if(context->ignore_addresses == NULL) {
1194 context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
1195 if (context->ignore_addresses == NULL)
1196 return krb5_enomem(context);
1197 }
1198 return krb5_copy_addresses(context, addresses, context->ignore_addresses);
1199 }
1200
1201 /**
1202 * Get extra addresses to ignore when fetching addresses from the
1203 * underlaying operating system.
1204 *
1205 * @param context Kerberos 5 context.
1206 * @param addresses list addreses ignored
1207 *
1208 * @return Returns 0 to indicate success. Otherwise an kerberos et
1209 * error code is returned, see krb5_get_error_message().
1210 *
1211 * @ingroup krb5
1212 */
1213
1214 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1215 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1216 {
1217 if(context->ignore_addresses == NULL) {
1218 memset(addresses, 0, sizeof(*addresses));
1219 return 0;
1220 }
1221 return krb5_copy_addresses(context, context->ignore_addresses, addresses);
1222 }
1223
1224 /**
1225 * Set version of fcache that the library should use.
1226 *
1227 * @param context Kerberos 5 context.
1228 * @param version version number.
1229 *
1230 * @return Returns 0 to indicate success. Otherwise an kerberos et
1231 * error code is returned, see krb5_get_error_message().
1232 *
1233 * @ingroup krb5
1234 */
1235
1236 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1237 krb5_set_fcache_version(krb5_context context, int version)
1238 {
1239 context->fcache_vno = version;
1240 return 0;
1241 }
1242
1243 /**
1244 * Get version of fcache that the library should use.
1245 *
1246 * @param context Kerberos 5 context.
1247 * @param version version number.
1248 *
1249 * @return Returns 0 to indicate success. Otherwise an kerberos et
1250 * error code is returned, see krb5_get_error_message().
1251 *
1252 * @ingroup krb5
1253 */
1254
1255 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1256 krb5_get_fcache_version(krb5_context context, int *version)
1257 {
1258 *version = context->fcache_vno;
1259 return 0;
1260 }
1261
1262 /**
1263 * Runtime check if the Kerberos library was complied with thread support.
1264 *
1265 * @return TRUE if the library was compiled with thread support, FALSE if not.
1266 *
1267 * @ingroup krb5
1268 */
1269
1270
1271 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1272 krb5_is_thread_safe(void)
1273 {
1274 #ifdef ENABLE_PTHREAD_SUPPORT
1275 return TRUE;
1276 #else
1277 return FALSE;
1278 #endif
1279 }
1280
1281 /**
1282 * Set if the library should use DNS to canonicalize hostnames.
1283 *
1284 * @param context Kerberos 5 context.
1285 * @param flag if its dns canonicalizion is used or not.
1286 *
1287 * @ingroup krb5
1288 */
1289
1290 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1291 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
1292 {
1293 if (flag)
1294 context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1295 else
1296 context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1297 }
1298
1299 /**
1300 * Get if the library uses DNS to canonicalize hostnames.
1301 *
1302 * @param context Kerberos 5 context.
1303 *
1304 * @return return non zero if the library uses DNS to canonicalize hostnames.
1305 *
1306 * @ingroup krb5
1307 */
1308
1309 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1310 krb5_get_dns_canonicalize_hostname (krb5_context context)
1311 {
1312 return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
1313 }
1314
1315 /**
1316 * Get current offset in time to the KDC.
1317 *
1318 * @param context Kerberos 5 context.
1319 * @param sec seconds part of offset.
1320 * @param usec micro seconds part of offset.
1321 *
1322 * @return returns zero
1323 *
1324 * @ingroup krb5
1325 */
1326
1327 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1328 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
1329 {
1330 if (sec)
1331 *sec = context->kdc_sec_offset;
1332 if (usec)
1333 *usec = context->kdc_usec_offset;
1334 return 0;
1335 }
1336
1337 /**
1338 * Set current offset in time to the KDC.
1339 *
1340 * @param context Kerberos 5 context.
1341 * @param sec seconds part of offset.
1342 * @param usec micro seconds part of offset.
1343 *
1344 * @return returns zero
1345 *
1346 * @ingroup krb5
1347 */
1348
1349 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1350 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1351 {
1352 context->kdc_sec_offset = sec;
1353 if (usec >= 0)
1354 context->kdc_usec_offset = usec;
1355 return 0;
1356 }
1357
1358 /**
1359 * Get max time skew allowed.
1360 *
1361 * @param context Kerberos 5 context.
1362 *
1363 * @return timeskew in seconds.
1364 *
1365 * @ingroup krb5
1366 */
1367
1368 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
1369 krb5_get_max_time_skew (krb5_context context)
1370 {
1371 return context->max_skew;
1372 }
1373
1374 /**
1375 * Set max time skew allowed.
1376 *
1377 * @param context Kerberos 5 context.
1378 * @param t timeskew in seconds.
1379 *
1380 * @ingroup krb5
1381 */
1382
1383 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1384 krb5_set_max_time_skew (krb5_context context, time_t t)
1385 {
1386 context->max_skew = t;
1387 }
1388
1389 /*
1390 * Init encryption types in len, val with etypes.
1391 *
1392 * @param context Kerberos 5 context.
1393 * @param pdu_type type of pdu
1394 * @param len output length of val.
1395 * @param val output array of enctypes.
1396 * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1397
1398 * @return Returns 0 to indicate success. Otherwise an kerberos et
1399 * error code is returned, see krb5_get_error_message().
1400 *
1401 * @ingroup krb5
1402 */
1403
1404 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1405 _krb5_init_etype(krb5_context context,
1406 krb5_pdu pdu_type,
1407 unsigned *len,
1408 krb5_enctype **val,
1409 const krb5_enctype *etypes)
1410 {
1411 krb5_error_code ret;
1412
1413 if (etypes == NULL)
1414 ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
1415 else
1416 ret = copy_enctypes(context, etypes, val);
1417 if (ret)
1418 return ret;
1419
1420 if (len) {
1421 *len = 0;
1422 while ((*val)[*len] != KRB5_ENCTYPE_NULL)
1423 (*len)++;
1424 }
1425 return 0;
1426 }
1427
1428 /*
1429 * Allow homedir access
1430 */
1431
1432 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1433 _krb5_homedir_access(krb5_context context)
1434 {
1435 if (context)
1436 return !!(context->flags & KRB5_CTX_F_HOMEDIR_ACCESS);
1437 return !issuid();
1438 }
1439
1440 /**
1441 * Enable and disable home directory access on either the global state
1442 * or the krb5_context state. By calling krb5_set_home_dir_access()
1443 * with context set to NULL, the global state is configured otherwise
1444 * the state for the krb5_context is modified.
1445 *
1446 * For home directory access to be allowed, both the global state and
1447 * the krb5_context state have to be allowed.
1448 *
1449 * @param context a Kerberos 5 context or NULL
1450 * @param allow allow if TRUE home directory
1451 * @return the old value
1452 *
1453 * @ingroup krb5
1454 */
1455
1456 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1457 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
1458 {
1459 krb5_boolean old = _krb5_homedir_access(context);
1460
1461 if (context) {
1462 if (allow)
1463 context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
1464 else
1465 context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
1466 heim_context_set_homedir_access(context->hcontext, allow ? 1 : 0);
1467 }
1468
1469 return old;
1470 }
1471
Heimdal