search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Plugin symbols can't have '-' in them... Also add example to krb5-plugin.7
[heimdal.git] / lib / krb5 / context.c
blobd126f77000e5a6b91d91a458ea71c531cbbbb085
1 /*
2 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37 #include <assert.h>
38 #include <com_err.h>
39
40 #define INIT_FIELD(C, T, E, D, F) \
41 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
42 "libdefaults", F, NULL)
43
44 #define INIT_FLAG(C, O, V, D, F) \
45 do { \
46 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
47 (C)->O |= V; \
48 } \
49 } while(0)
50
51 /*
52 * Set the list of etypes `ret_etypes' from the configuration variable
53 * `name'
54 */
55
56 static krb5_error_code
57 set_etypes (krb5_context context,
58 const char *name,
59 krb5_enctype **ret_enctypes)
60 {
61 char **etypes_str;
62 krb5_enctype *etypes = NULL;
63
64 etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
65 name, NULL);
66 if(etypes_str){
67 int i, j, k;
68 for(i = 0; etypes_str[i]; i++);
69 etypes = malloc((i+1) * sizeof(*etypes));
70 if (etypes == NULL) {
71 krb5_config_free_strings (etypes_str);
72 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
73 return ENOMEM;
74 }
75 for(j = 0, k = 0; j < i; j++) {
76 krb5_enctype e;
77 if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
78 continue;
79 if (krb5_enctype_valid(context, e) != 0)
80 continue;
81 etypes[k++] = e;
82 }
83 etypes[k] = ETYPE_NULL;
84 krb5_config_free_strings(etypes_str);
85 }
86 *ret_enctypes = etypes;
87 return 0;
88 }
89
90 /*
91 * read variables from the configuration file and set in `context'
92 */
93
94 static krb5_error_code
95 init_context_from_config_file(krb5_context context)
96 {
97 krb5_error_code ret;
98 const char * tmp;
99 char **s;
100 krb5_enctype *tmptypes;
101
102 INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
103 INIT_FIELD(context, time, kdc_timeout, 3, "kdc_timeout");
104 INIT_FIELD(context, int, max_retries, 3, "max_retries");
105
106 INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
107
108 ret = krb5_config_get_bool_default(context, NULL, FALSE,
109 "libdefaults",
110 "allow_weak_crypto", NULL);
111 if (ret) {
112 krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
113 krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
114 krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
115 krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
116 krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
117 krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
118 }
119
120 ret = set_etypes (context, "default_etypes", &tmptypes);
121 if(ret)
122 return ret;
123 free(context->etypes);
124 context->etypes = tmptypes;
125
126 ret = set_etypes (context, "default_etypes_des", &tmptypes);
127 if(ret)
128 return ret;
129 free(context->etypes_des);
130 context->etypes_des = tmptypes;
131
132 ret = set_etypes (context, "default_as_etypes", &tmptypes);
133 if(ret)
134 return ret;
135 free(context->as_etypes);
136 context->as_etypes = tmptypes;
137
138 ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
139 if(ret)
140 return ret;
141 free(context->tgs_etypes);
142 context->tgs_etypes = tmptypes;
143
144 ret = set_etypes (context, "permitted_enctypes", &tmptypes);
145 if(ret)
146 return ret;
147 free(context->permitted_enctypes);
148 context->permitted_enctypes = tmptypes;
149
150 /* default keytab name */
151 tmp = NULL;
152 if(!issuid())
153 tmp = getenv("KRB5_KTNAME");
154 if(tmp != NULL)
155 context->default_keytab = tmp;
156 else
157 INIT_FIELD(context, string, default_keytab,
158 KEYTAB_DEFAULT, "default_keytab_name");
159
160 INIT_FIELD(context, string, default_keytab_modify,
161 NULL, "default_keytab_modify_name");
162
163 INIT_FIELD(context, string, time_fmt,
164 "%Y-%m-%dT%H:%M:%S", "time_format");
165
166 INIT_FIELD(context, string, date_fmt,
167 "%Y-%m-%d", "date_format");
168
169 INIT_FIELD(context, bool, log_utc,
170 FALSE, "log_utc");
171
172
173
174 /* init dns-proxy slime */
175 tmp = krb5_config_get_string(context, NULL, "libdefaults",
176 "dns_proxy", NULL);
177 if(tmp)
178 roken_gethostby_setup(context->http_proxy, tmp);
179 krb5_free_host_realm (context, context->default_realms);
180 context->default_realms = NULL;
181
182 {
183 krb5_addresses addresses;
184 char **adr, **a;
185
186 krb5_set_extra_addresses(context, NULL);
187 adr = krb5_config_get_strings(context, NULL,
188 "libdefaults",
189 "extra_addresses",
190 NULL);
191 memset(&addresses, 0, sizeof(addresses));
192 for(a = adr; a && *a; a++) {
193 ret = krb5_parse_address(context, *a, &addresses);
194 if (ret == 0) {
195 krb5_add_extra_addresses(context, &addresses);
196 krb5_free_addresses(context, &addresses);
197 }
198 }
199 krb5_config_free_strings(adr);
200
201 krb5_set_ignore_addresses(context, NULL);
202 adr = krb5_config_get_strings(context, NULL,
203 "libdefaults",
204 "ignore_addresses",
205 NULL);
206 memset(&addresses, 0, sizeof(addresses));
207 for(a = adr; a && *a; a++) {
208 ret = krb5_parse_address(context, *a, &addresses);
209 if (ret == 0) {
210 krb5_add_ignore_addresses(context, &addresses);
211 krb5_free_addresses(context, &addresses);
212 }
213 }
214 krb5_config_free_strings(adr);
215 }
216
217 INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
218 INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
219 /* prefer dns_lookup_kdc over srv_lookup. */
220 INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
221 INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
222 INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
223 INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
224 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
225 context->default_cc_name = NULL;
226 context->default_cc_name_set = 0;
227
228 s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
229 if(s) {
230 char **p;
231 krb5_initlog(context, "libkrb5", &context->debug_dest);
232 for(p = s; *p; p++)
233 krb5_addlog_dest(context, context->debug_dest, *p);
234 krb5_config_free_strings(s);
235 }
236
237 tmp = krb5_config_get_string(context, NULL, "libdefaults",
238 "check-rd-req-server", NULL);
239 if (tmp == NULL && !issuid())
240 tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
241 if(tmp) {
242 if (strcasecmp(tmp, "ignore") == 0)
243 context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
244 }
245
246 return 0;
247 }
248
249 static krb5_error_code
250 cc_ops_register(krb5_context context)
251 {
252 context->cc_ops = NULL;
253 context->num_cc_ops = 0;
254
255 #ifndef KCM_IS_API_CACHE
256 krb5_cc_register(context, &krb5_acc_ops, TRUE);
257 #endif
258 krb5_cc_register(context, &krb5_fcc_ops, TRUE);
259 krb5_cc_register(context, &krb5_mcc_ops, TRUE);
260 #ifdef HAVE_SCC
261 krb5_cc_register(context, &krb5_scc_ops, TRUE);
262 #endif
263 #ifdef HAVE_KCM
264 #ifdef KCM_IS_API_CACHE
265 krb5_cc_register(context, &krb5_akcm_ops, TRUE);
266 #endif
267 krb5_cc_register(context, &krb5_kcm_ops, TRUE);
268 #endif
269 _krb5_load_ccache_plugins(context);
270 return 0;
271 }
272
273 static krb5_error_code
274 cc_ops_copy(krb5_context context, const krb5_context src_context)
275 {
276 const krb5_cc_ops **cc_ops;
277
278 context->cc_ops = NULL;
279 context->num_cc_ops = 0;
280
281 if (src_context->num_cc_ops == 0)
282 return 0;
283
284 cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
285 if (cc_ops == NULL) {
286 krb5_set_error_message(context, KRB5_CC_NOMEM,
287 N_("malloc: out of memory", ""));
288 return KRB5_CC_NOMEM;
289 }
290
291 memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
292 sizeof(cc_ops[0]) * src_context->num_cc_ops);
293 context->cc_ops = cc_ops;
294 context->num_cc_ops = src_context->num_cc_ops;
295
296 return 0;
297 }
298
299 static krb5_error_code
300 kt_ops_register(krb5_context context)
301 {
302 context->num_kt_types = 0;
303 context->kt_types = NULL;
304
305 krb5_kt_register (context, &krb5_fkt_ops);
306 krb5_kt_register (context, &krb5_wrfkt_ops);
307 krb5_kt_register (context, &krb5_javakt_ops);
308 krb5_kt_register (context, &krb5_mkt_ops);
309 #ifndef HEIMDAL_SMALLER
310 krb5_kt_register (context, &krb5_akf_ops);
311 #endif
312 krb5_kt_register (context, &krb5_any_ops);
313 return 0;
314 }
315
316 static krb5_error_code
317 kt_ops_copy(krb5_context context, const krb5_context src_context)
318 {
319 context->num_kt_types = 0;
320 context->kt_types = NULL;
321
322 if (src_context->num_kt_types == 0)
323 return 0;
324
325 context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
326 if (context->kt_types == NULL) {
327 krb5_set_error_message(context, ENOMEM,
328 N_("malloc: out of memory", ""));
329 return ENOMEM;
330 }
331
332 context->num_kt_types = src_context->num_kt_types;
333 memcpy(context->kt_types, src_context->kt_types,
334 sizeof(context->kt_types[0]) * src_context->num_kt_types);
335
336 return 0;
337 }
338
339 static const char *sysplugin_dirs[] = {
340 LIBDIR "/plugin/krb5",
341 #ifdef __APPLE__
342 "/Library/KerberosPlugins/KerberosFrameworkPlugins",
343 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
344 #endif
345 NULL
346 };
347
348 static void
349 init_context_once(void *ctx)
350 {
351 krb5_context context = ctx;
352
353 _krb5_load_plugins(context, "krb5", sysplugin_dirs);
354
355 bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
356 }
357
358
359 /**
360 * Initializes the context structure and reads the configuration file
361 * /etc/krb5.conf. The structure should be freed by calling
362 * krb5_free_context() when it is no longer being used.
363 *
364 * @param context pointer to returned context
365 *
366 * @return Returns 0 to indicate success. Otherwise an errno code is
367 * returned. Failure means either that something bad happened during
368 * initialization (typically ENOMEM) or that Kerberos should not be
369 * used ENXIO.
370 *
371 * @ingroup krb5
372 */
373
374 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
375 krb5_init_context(krb5_context *context)
376 {
377 static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
378 krb5_context p;
379 krb5_error_code ret;
380 char **files;
381
382 *context = NULL;
383
384 p = calloc(1, sizeof(*p));
385 if(!p)
386 return ENOMEM;
387
388 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
389 if (p->mutex == NULL) {
390 free(p);
391 return ENOMEM;
392 }
393 HEIMDAL_MUTEX_init(p->mutex);
394
395 p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
396
397 ret = krb5_get_default_config_files(&files);
398 if(ret)
399 goto out;
400 ret = krb5_set_config_files(p, files);
401 krb5_free_config_files(files);
402 if(ret)
403 goto out;
404
405 /* init error tables */
406 krb5_init_ets(p);
407 cc_ops_register(p);
408 kt_ops_register(p);
409
410 #ifdef PKINIT
411 ret = hx509_context_init(&p->hx509ctx);
412 if (ret)
413 goto out;
414 #endif
415 if (rk_SOCK_INIT())
416 p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
417
418 out:
419 if(ret) {
420 krb5_free_context(p);
421 p = NULL;
422 } else {
423 heim_base_once_f(&init_context, p, init_context_once);
424 }
425 *context = p;
426 return ret;
427 }
428
429 #ifndef HEIMDAL_SMALLER
430
431 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
432 krb5_get_permitted_enctypes(krb5_context context,
433 krb5_enctype **etypes)
434 {
435 return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
436 }
437
438 /*
439 *
440 */
441
442 static krb5_error_code
443 copy_etypes (krb5_context context,
444 krb5_enctype *enctypes,
445 krb5_enctype **ret_enctypes)
446 {
447 unsigned int i;
448
449 for (i = 0; enctypes[i]; i++)
450 ;
451 i++;
452
453 *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i);
454 if (*ret_enctypes == NULL) {
455 krb5_set_error_message(context, ENOMEM,
456 N_("malloc: out of memory", ""));
457 return ENOMEM;
458 }
459 memcpy(*ret_enctypes, enctypes, sizeof(ret_enctypes[0]) * i);
460 return 0;
461 }
462
463 /**
464 * Make a copy for the Kerberos 5 context, the new krb5_context shoud
465 * be freed with krb5_free_context().
466 *
467 * @param context the Kerberos context to copy
468 * @param out the copy of the Kerberos, set to NULL error.
469 *
470 * @return Returns 0 to indicate success. Otherwise an kerberos et
471 * error code is returned, see krb5_get_error_message().
472 *
473 * @ingroup krb5
474 */
475
476 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
477 krb5_copy_context(krb5_context context, krb5_context *out)
478 {
479 krb5_error_code ret;
480 krb5_context p;
481
482 *out = NULL;
483
484 p = calloc(1, sizeof(*p));
485 if (p == NULL) {
486 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
487 return ENOMEM;
488 }
489
490 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
491 if (p->mutex == NULL) {
492 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
493 free(p);
494 return ENOMEM;
495 }
496 HEIMDAL_MUTEX_init(p->mutex);
497
498
499 if (context->default_cc_name)
500 p->default_cc_name = strdup(context->default_cc_name);
501 if (context->default_cc_name_env)
502 p->default_cc_name_env = strdup(context->default_cc_name_env);
503
504 if (context->etypes) {
505 ret = copy_etypes(context, context->etypes, &p->etypes);
506 if (ret)
507 goto out;
508 }
509 if (context->etypes_des) {
510 ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
511 if (ret)
512 goto out;
513 }
514
515 if (context->default_realms) {
516 ret = krb5_copy_host_realm(context,
517 context->default_realms, &p->default_realms);
518 if (ret)
519 goto out;
520 }
521
522 ret = _krb5_config_copy(context, context->cf, &p->cf);
523 if (ret)
524 goto out;
525
526 /* XXX should copy */
527 krb5_init_ets(p);
528
529 cc_ops_copy(p, context);
530 kt_ops_copy(p, context);
531
532 #if 0 /* XXX */
533 if(context->warn_dest != NULL)
534 ;
535 if(context->debug_dest != NULL)
536 ;
537 #endif
538
539 ret = krb5_set_extra_addresses(p, context->extra_addresses);
540 if (ret)
541 goto out;
542 ret = krb5_set_extra_addresses(p, context->ignore_addresses);
543 if (ret)
544 goto out;
545
546 ret = _krb5_copy_send_to_kdc_func(p, context);
547 if (ret)
548 goto out;
549
550 *out = p;
551
552 return 0;
553
554 out:
555 krb5_free_context(p);
556 return ret;
557 }
558
559 #endif
560
561 /**
562 * Frees the krb5_context allocated by krb5_init_context().
563 *
564 * @param context context to be freed.
565 *
566 * @ingroup krb5
567 */
568
569 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
570 krb5_free_context(krb5_context context)
571 {
572 if (context->default_cc_name)
573 free(context->default_cc_name);
574 if (context->default_cc_name_env)
575 free(context->default_cc_name_env);
576 free(context->etypes);
577 free(context->etypes_des);
578 krb5_free_host_realm (context, context->default_realms);
579 krb5_config_file_free (context, context->cf);
580 free_error_table (context->et_list);
581 free(rk_UNCONST(context->cc_ops));
582 free(context->kt_types);
583 krb5_clear_error_message(context);
584 if(context->warn_dest != NULL)
585 krb5_closelog(context, context->warn_dest);
586 if(context->debug_dest != NULL)
587 krb5_closelog(context, context->debug_dest);
588 krb5_set_extra_addresses(context, NULL);
589 krb5_set_ignore_addresses(context, NULL);
590 krb5_set_send_to_kdc_func(context, NULL, NULL);
591
592 #ifdef PKINIT
593 if (context->hx509ctx)
594 hx509_context_free(&context->hx509ctx);
595 #endif
596
597 HEIMDAL_MUTEX_destroy(context->mutex);
598 free(context->mutex);
599 if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
600 rk_SOCK_EXIT();
601 }
602
603 memset(context, 0, sizeof(*context));
604 free(context);
605 }
606
607 /**
608 * Reinit the context from a new set of filenames.
609 *
610 * @param context context to add configuration too.
611 * @param filenames array of filenames, end of list is indicated with a NULL filename.
612 *
613 * @return Returns 0 to indicate success. Otherwise an kerberos et
614 * error code is returned, see krb5_get_error_message().
615 *
616 * @ingroup krb5
617 */
618
619 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
620 krb5_set_config_files(krb5_context context, char **filenames)
621 {
622 krb5_error_code ret;
623 krb5_config_binding *tmp = NULL;
624 while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
625 ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
626 if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) {
627 krb5_config_file_free(context, tmp);
628 return ret;
629 }
630 filenames++;
631 }
632 #if 0
633 /* with this enabled and if there are no config files, Kerberos is
634 considererd disabled */
635 if(tmp == NULL)
636 return ENXIO;
637 #endif
638
639 #ifdef _WIN32
640 _krb5_load_config_from_registry(context, &tmp);
641 #endif
642
643 krb5_config_file_free(context, context->cf);
644 context->cf = tmp;
645 ret = init_context_from_config_file(context);
646 return ret;
647 }
648
649 static krb5_error_code
650 add_file(char ***pfilenames, int *len, char *file)
651 {
652 char **pp = *pfilenames;
653 int i;
654
655 for(i = 0; i < *len; i++) {
656 if(strcmp(pp[i], file) == 0) {
657 free(file);
658 return 0;
659 }
660 }
661
662 pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp));
663 if (pp == NULL) {
664 free(file);
665 return ENOMEM;
666 }
667
668 pp[*len] = file;
669 pp[*len + 1] = NULL;
670 *pfilenames = pp;
671 *len += 1;
672 return 0;
673 }
674
675 /*
676 * `pq' isn't free, it's up the the caller
677 */
678
679 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
680 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
681 {
682 krb5_error_code ret;
683 const char *p, *q;
684 char **pp;
685 int len;
686 char *fn;
687
688 pp = NULL;
689
690 len = 0;
691 p = filelist;
692 while(1) {
693 ssize_t l;
694 q = p;
695 l = strsep_copy(&q, PATH_SEP, NULL, 0);
696 if(l == -1)
697 break;
698 fn = malloc(l + 1);
699 if(fn == NULL) {
700 krb5_free_config_files(pp);
701 return ENOMEM;
702 }
703 (void)strsep_copy(&p, PATH_SEP, fn, l + 1);
704 ret = add_file(&pp, &len, fn);
705 if (ret) {
706 krb5_free_config_files(pp);
707 return ret;
708 }
709 }
710
711 if (pq != NULL) {
712 int i;
713
714 for (i = 0; pq[i] != NULL; i++) {
715 fn = strdup(pq[i]);
716 if (fn == NULL) {
717 krb5_free_config_files(pp);
718 return ENOMEM;
719 }
720 ret = add_file(&pp, &len, fn);
721 if (ret) {
722 krb5_free_config_files(pp);
723 return ret;
724 }
725 }
726 }
727
728 *ret_pp = pp;
729 return 0;
730 }
731
732 /**
733 * Prepend the filename to the global configuration list.
734 *
735 * @param filelist a filename to add to the default list of filename
736 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
737 *
738 * @return Returns 0 to indicate success. Otherwise an kerberos et
739 * error code is returned, see krb5_get_error_message().
740 *
741 * @ingroup krb5
742 */
743
744 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
745 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
746 {
747 krb5_error_code ret;
748 char **defpp, **pp = NULL;
749
750 ret = krb5_get_default_config_files(&defpp);
751 if (ret)
752 return ret;
753
754 ret = krb5_prepend_config_files(filelist, defpp, &pp);
755 krb5_free_config_files(defpp);
756 if (ret) {
757 return ret;
758 }
759 *pfilenames = pp;
760 return 0;
761 }
762
763 #ifdef _WIN32
764
765 /**
766 * Checks the registry for configuration file location
767 *
768 * Kerberos for Windows and other legacy Kerberos applications expect
769 * to find the configuration file location in the
770 * SOFTWARE\MIT\Kerberos registry key under the value "config".
771 */
772 char *
773 _krb5_get_default_config_config_files_from_registry()
774 {
775 static const char * KeyName = "Software\\MIT\\Kerberos";
776 char *config_file = NULL;
777 LONG rcode;
778 HKEY key;
779
780 rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key);
781 if (rcode == ERROR_SUCCESS) {
782 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
783 REG_NONE, 0, PATH_SEP);
784 RegCloseKey(key);
785 }
786
787 if (config_file)
788 return config_file;
789
790 rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key);
791 if (rcode == ERROR_SUCCESS) {
792 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
793 REG_NONE, 0, PATH_SEP);
794 RegCloseKey(key);
795 }
796
797 return config_file;
798 }
799
800 #endif
801
802 /**
803 * Get the global configuration list.
804 *
805 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
806 *
807 * @return Returns 0 to indicate success. Otherwise an kerberos et
808 * error code is returned, see krb5_get_error_message().
809 *
810 * @ingroup krb5
811 */
812
813 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
814 krb5_get_default_config_files(char ***pfilenames)
815 {
816 const char *files = NULL;
817
818 if (pfilenames == NULL)
819 return EINVAL;
820 if(!issuid())
821 files = getenv("KRB5_CONFIG");
822
823 #ifdef _WIN32
824 if (files == NULL) {
825 char * reg_files;
826 reg_files = _krb5_get_default_config_config_files_from_registry();
827 if (reg_files != NULL) {
828 krb5_error_code code;
829
830 code = krb5_prepend_config_files(reg_files, NULL, pfilenames);
831 free(reg_files);
832
833 return code;
834 }
835 }
836 #endif
837
838 if (files == NULL)
839 files = krb5_config_file;
840
841 return krb5_prepend_config_files(files, NULL, pfilenames);
842 }
843
844 /**
845 * Free a list of configuration files.
846 *
847 * @param filenames list, terminated with a NULL pointer, to be
848 * freed. NULL is an valid argument.
849 *
850 * @return Returns 0 to indicate success. Otherwise an kerberos et
851 * error code is returned, see krb5_get_error_message().
852 *
853 * @ingroup krb5
854 */
855
856 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
857 krb5_free_config_files(char **filenames)
858 {
859 char **p;
860 for(p = filenames; p && *p != NULL; p++)
861 free(*p);
862 free(filenames);
863 }
864
865 /**
866 * Returns the list of Kerberos encryption types sorted in order of
867 * most preferred to least preferred encryption type. Note that some
868 * encryption types might be disabled, so you need to check with
869 * krb5_enctype_valid() before using the encryption type.
870 *
871 * @return list of enctypes, terminated with ETYPE_NULL. Its a static
872 * array completed into the Kerberos library so the content doesn't
873 * need to be freed.
874 *
875 * @ingroup krb5
876 */
877
878 KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
879 krb5_kerberos_enctypes(krb5_context context)
880 {
881 static const krb5_enctype p[] = {
882 ETYPE_AES256_CTS_HMAC_SHA1_96,
883 ETYPE_AES128_CTS_HMAC_SHA1_96,
884 ETYPE_DES3_CBC_SHA1,
885 ETYPE_ARCFOUR_HMAC_MD5,
886 ETYPE_NULL
887 };
888
889 static const krb5_enctype weak[] = {
890 ETYPE_AES256_CTS_HMAC_SHA1_96,
891 ETYPE_AES128_CTS_HMAC_SHA1_96,
892 ETYPE_DES3_CBC_SHA1,
893 ETYPE_DES3_CBC_MD5,
894 ETYPE_ARCFOUR_HMAC_MD5,
895 ETYPE_DES_CBC_MD5,
896 ETYPE_DES_CBC_MD4,
897 ETYPE_DES_CBC_CRC,
898 ETYPE_NULL
899 };
900
901 /*
902 * if the list of enctypes enabled by "allow_weak_crypto"
903 * are valid, then return the former default enctype list
904 * that contained the weak entries.
905 */
906 if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC) == 0 &&
907 krb5_enctype_valid(context, ETYPE_DES_CBC_MD4) == 0 &&
908 krb5_enctype_valid(context, ETYPE_DES_CBC_MD5) == 0 &&
909 krb5_enctype_valid(context, ETYPE_DES_CBC_NONE) == 0 &&
910 krb5_enctype_valid(context, ETYPE_DES_CFB64_NONE) == 0 &&
911 krb5_enctype_valid(context, ETYPE_DES_PCBC_NONE) == 0)
912 return weak;
913
914 return p;
915 }
916
917 /*
918 *
919 */
920
921 static krb5_error_code
922 copy_enctypes(krb5_context context,
923 const krb5_enctype *in,
924 krb5_enctype **out)
925 {
926 krb5_enctype *p = NULL;
927 size_t m, n;
928
929 for (n = 0; in[n]; n++)
930 ;
931 n++;
932 ALLOC(p, n);
933 if(p == NULL)
934 return krb5_enomem(context);
935 for (n = 0, m = 0; in[n]; n++) {
936 if (krb5_enctype_valid(context, in[n]) != 0)
937 continue;
938 p[m++] = in[n];
939 }
940 p[m] = KRB5_ENCTYPE_NULL;
941 if (m == 0) {
942 free(p);
943 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
944 N_("no valid enctype set", ""));
945 return KRB5_PROG_ETYPE_NOSUPP;
946 }
947 *out = p;
948 return 0;
949 }
950
951
952 /*
953 * set `etype' to a malloced list of the default enctypes
954 */
955
956 static krb5_error_code
957 default_etypes(krb5_context context, krb5_enctype **etype)
958 {
959 const krb5_enctype *p = krb5_kerberos_enctypes(context);
960 return copy_enctypes(context, p, etype);
961 }
962
963 /**
964 * Set the default encryption types that will be use in communcation
965 * with the KDC, clients and servers.
966 *
967 * @param context Kerberos 5 context.
968 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
969 *
970 * @return Returns 0 to indicate success. Otherwise an kerberos et
971 * error code is returned, see krb5_get_error_message().
972 *
973 * @ingroup krb5
974 */
975
976 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
977 krb5_set_default_in_tkt_etypes(krb5_context context,
978 const krb5_enctype *etypes)
979 {
980 krb5_error_code ret;
981 krb5_enctype *p = NULL;
982
983 if(etypes) {
984 ret = copy_enctypes(context, etypes, &p);
985 if (ret)
986 return ret;
987 }
988 if(context->etypes)
989 free(context->etypes);
990 context->etypes = p;
991 return 0;
992 }
993
994 /**
995 * Get the default encryption types that will be use in communcation
996 * with the KDC, clients and servers.
997 *
998 * @param context Kerberos 5 context.
999 * @param etypes Encryption types, array terminated with
1000 * ETYPE_NULL(0), caller should free array with krb5_xfree():
1001 *
1002 * @return Returns 0 to indicate success. Otherwise an kerberos et
1003 * error code is returned, see krb5_get_error_message().
1004 *
1005 * @ingroup krb5
1006 */
1007
1008 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1009 krb5_get_default_in_tkt_etypes(krb5_context context,
1010 krb5_pdu pdu_type,
1011 krb5_enctype **etypes)
1012 {
1013 krb5_enctype *enctypes = NULL;
1014 krb5_error_code ret;
1015 krb5_enctype *p;
1016
1017 heim_assert(pdu_type == KRB5_PDU_AS_REQUEST ||
1018 pdu_type == KRB5_PDU_TGS_REQUEST ||
1019 pdu_type == KRB5_PDU_NONE, "pdu contant not as expected");
1020
1021 if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
1022 enctypes = context->as_etypes;
1023 else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
1024 enctypes = context->tgs_etypes;
1025 else if (context->etypes != NULL)
1026 enctypes = context->etypes;
1027
1028 if (enctypes != NULL) {
1029 ret = copy_enctypes(context, enctypes, &p);
1030 if (ret)
1031 return ret;
1032 } else {
1033 ret = default_etypes(context, &p);
1034 if (ret)
1035 return ret;
1036 }
1037 *etypes = p;
1038 return 0;
1039 }
1040
1041 /**
1042 * Init the built-in ets in the Kerberos library.
1043 *
1044 * @param context kerberos context to add the ets too
1045 *
1046 * @ingroup krb5
1047 */
1048
1049 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1050 krb5_init_ets(krb5_context context)
1051 {
1052 if(context->et_list == NULL){
1053 krb5_add_et_list(context, initialize_krb5_error_table_r);
1054 krb5_add_et_list(context, initialize_asn1_error_table_r);
1055 krb5_add_et_list(context, initialize_heim_error_table_r);
1056
1057 krb5_add_et_list(context, initialize_k524_error_table_r);
1058
1059 #ifdef COM_ERR_BINDDOMAIN_krb5
1060 bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
1061 bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
1062 bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
1063 bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
1064 #endif
1065
1066 #ifdef PKINIT
1067 krb5_add_et_list(context, initialize_hx_error_table_r);
1068 #ifdef COM_ERR_BINDDOMAIN_hx
1069 bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
1070 #endif
1071 #endif
1072 }
1073 }
1074
1075 /**
1076 * Make the kerberos library default to the admin KDC.
1077 *
1078 * @param context Kerberos 5 context.
1079 * @param flag boolean flag to select if the use the admin KDC or not.
1080 *
1081 * @ingroup krb5
1082 */
1083
1084 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1085 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
1086 {
1087 context->use_admin_kdc = flag;
1088 }
1089
1090 /**
1091 * Make the kerberos library default to the admin KDC.
1092 *
1093 * @param context Kerberos 5 context.
1094 *
1095 * @return boolean flag to telling the context will use admin KDC as the default KDC.
1096 *
1097 * @ingroup krb5
1098 */
1099
1100 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1101 krb5_get_use_admin_kdc (krb5_context context)
1102 {
1103 return context->use_admin_kdc;
1104 }
1105
1106 /**
1107 * Add extra address to the address list that the library will add to
1108 * the client's address list when communicating with the KDC.
1109 *
1110 * @param context Kerberos 5 context.
1111 * @param addresses addreses to add
1112 *
1113 * @return Returns 0 to indicate success. Otherwise an kerberos et
1114 * error code is returned, see krb5_get_error_message().
1115 *
1116 * @ingroup krb5
1117 */
1118
1119 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1120 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
1121 {
1122
1123 if(context->extra_addresses)
1124 return krb5_append_addresses(context,
1125 context->extra_addresses, addresses);
1126 else
1127 return krb5_set_extra_addresses(context, addresses);
1128 }
1129
1130 /**
1131 * Set extra address to the address list that the library will add to
1132 * the client's address list when communicating with the KDC.
1133 *
1134 * @param context Kerberos 5 context.
1135 * @param addresses addreses to set
1136 *
1137 * @return Returns 0 to indicate success. Otherwise an kerberos et
1138 * error code is returned, see krb5_get_error_message().
1139 *
1140 * @ingroup krb5
1141 */
1142
1143 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1144 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
1145 {
1146 if(context->extra_addresses)
1147 krb5_free_addresses(context, context->extra_addresses);
1148
1149 if(addresses == NULL) {
1150 if(context->extra_addresses != NULL) {
1151 free(context->extra_addresses);
1152 context->extra_addresses = NULL;
1153 }
1154 return 0;
1155 }
1156 if(context->extra_addresses == NULL) {
1157 context->extra_addresses = malloc(sizeof(*context->extra_addresses));
1158 if(context->extra_addresses == NULL) {
1159 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
1160 return ENOMEM;
1161 }
1162 }
1163 return krb5_copy_addresses(context, addresses, context->extra_addresses);
1164 }
1165
1166 /**
1167 * Get extra address to the address list that the library will add to
1168 * the client's address list when communicating with the KDC.
1169 *
1170 * @param context Kerberos 5 context.
1171 * @param addresses addreses to set
1172 *
1173 * @return Returns 0 to indicate success. Otherwise an kerberos et
1174 * error code is returned, see krb5_get_error_message().
1175 *
1176 * @ingroup krb5
1177 */
1178
1179 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1180 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
1181 {
1182 if(context->extra_addresses == NULL) {
1183 memset(addresses, 0, sizeof(*addresses));
1184 return 0;
1185 }
1186 return krb5_copy_addresses(context,context->extra_addresses, addresses);
1187 }
1188
1189 /**
1190 * Add extra addresses to ignore when fetching addresses from the
1191 * underlaying operating system.
1192 *
1193 * @param context Kerberos 5 context.
1194 * @param addresses addreses to ignore
1195 *
1196 * @return Returns 0 to indicate success. Otherwise an kerberos et
1197 * error code is returned, see krb5_get_error_message().
1198 *
1199 * @ingroup krb5
1200 */
1201
1202 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1203 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1204 {
1205
1206 if(context->ignore_addresses)
1207 return krb5_append_addresses(context,
1208 context->ignore_addresses, addresses);
1209 else
1210 return krb5_set_ignore_addresses(context, addresses);
1211 }
1212
1213 /**
1214 * Set extra addresses to ignore when fetching addresses from the
1215 * underlaying operating system.
1216 *
1217 * @param context Kerberos 5 context.
1218 * @param addresses addreses to ignore
1219 *
1220 * @return Returns 0 to indicate success. Otherwise an kerberos et
1221 * error code is returned, see krb5_get_error_message().
1222 *
1223 * @ingroup krb5
1224 */
1225
1226 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1227 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
1228 {
1229 if(context->ignore_addresses)
1230 krb5_free_addresses(context, context->ignore_addresses);
1231 if(addresses == NULL) {
1232 if(context->ignore_addresses != NULL) {
1233 free(context->ignore_addresses);
1234 context->ignore_addresses = NULL;
1235 }
1236 return 0;
1237 }
1238 if(context->ignore_addresses == NULL) {
1239 context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
1240 if(context->ignore_addresses == NULL) {
1241 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
1242 return ENOMEM;
1243 }
1244 }
1245 return krb5_copy_addresses(context, addresses, context->ignore_addresses);
1246 }
1247
1248 /**
1249 * Get extra addresses to ignore when fetching addresses from the
1250 * underlaying operating system.
1251 *
1252 * @param context Kerberos 5 context.
1253 * @param addresses list addreses ignored
1254 *
1255 * @return Returns 0 to indicate success. Otherwise an kerberos et
1256 * error code is returned, see krb5_get_error_message().
1257 *
1258 * @ingroup krb5
1259 */
1260
1261 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1262 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1263 {
1264 if(context->ignore_addresses == NULL) {
1265 memset(addresses, 0, sizeof(*addresses));
1266 return 0;
1267 }
1268 return krb5_copy_addresses(context, context->ignore_addresses, addresses);
1269 }
1270
1271 /**
1272 * Set version of fcache that the library should use.
1273 *
1274 * @param context Kerberos 5 context.
1275 * @param version version number.
1276 *
1277 * @return Returns 0 to indicate success. Otherwise an kerberos et
1278 * error code is returned, see krb5_get_error_message().
1279 *
1280 * @ingroup krb5
1281 */
1282
1283 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1284 krb5_set_fcache_version(krb5_context context, int version)
1285 {
1286 context->fcache_vno = version;
1287 return 0;
1288 }
1289
1290 /**
1291 * Get version of fcache that the library should use.
1292 *
1293 * @param context Kerberos 5 context.
1294 * @param version version number.
1295 *
1296 * @return Returns 0 to indicate success. Otherwise an kerberos et
1297 * error code is returned, see krb5_get_error_message().
1298 *
1299 * @ingroup krb5
1300 */
1301
1302 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1303 krb5_get_fcache_version(krb5_context context, int *version)
1304 {
1305 *version = context->fcache_vno;
1306 return 0;
1307 }
1308
1309 /**
1310 * Runtime check if the Kerberos library was complied with thread support.
1311 *
1312 * @return TRUE if the library was compiled with thread support, FALSE if not.
1313 *
1314 * @ingroup krb5
1315 */
1316
1317
1318 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1319 krb5_is_thread_safe(void)
1320 {
1321 #ifdef ENABLE_PTHREAD_SUPPORT
1322 return TRUE;
1323 #else
1324 return FALSE;
1325 #endif
1326 }
1327
1328 /**
1329 * Set if the library should use DNS to canonicalize hostnames.
1330 *
1331 * @param context Kerberos 5 context.
1332 * @param flag if its dns canonicalizion is used or not.
1333 *
1334 * @ingroup krb5
1335 */
1336
1337 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1338 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
1339 {
1340 if (flag)
1341 context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1342 else
1343 context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1344 }
1345
1346 /**
1347 * Get if the library uses DNS to canonicalize hostnames.
1348 *
1349 * @param context Kerberos 5 context.
1350 *
1351 * @return return non zero if the library uses DNS to canonicalize hostnames.
1352 *
1353 * @ingroup krb5
1354 */
1355
1356 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1357 krb5_get_dns_canonicalize_hostname (krb5_context context)
1358 {
1359 return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
1360 }
1361
1362 /**
1363 * Get current offset in time to the KDC.
1364 *
1365 * @param context Kerberos 5 context.
1366 * @param sec seconds part of offset.
1367 * @param usec micro seconds part of offset.
1368 *
1369 * @return returns zero
1370 *
1371 * @ingroup krb5
1372 */
1373
1374 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1375 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
1376 {
1377 if (sec)
1378 *sec = context->kdc_sec_offset;
1379 if (usec)
1380 *usec = context->kdc_usec_offset;
1381 return 0;
1382 }
1383
1384 /**
1385 * Set current offset in time to the KDC.
1386 *
1387 * @param context Kerberos 5 context.
1388 * @param sec seconds part of offset.
1389 * @param usec micro seconds part of offset.
1390 *
1391 * @return returns zero
1392 *
1393 * @ingroup krb5
1394 */
1395
1396 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1397 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1398 {
1399 context->kdc_sec_offset = sec;
1400 if (usec >= 0)
1401 context->kdc_usec_offset = usec;
1402 return 0;
1403 }
1404
1405 /**
1406 * Get max time skew allowed.
1407 *
1408 * @param context Kerberos 5 context.
1409 *
1410 * @return timeskew in seconds.
1411 *
1412 * @ingroup krb5
1413 */
1414
1415 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
1416 krb5_get_max_time_skew (krb5_context context)
1417 {
1418 return context->max_skew;
1419 }
1420
1421 /**
1422 * Set max time skew allowed.
1423 *
1424 * @param context Kerberos 5 context.
1425 * @param t timeskew in seconds.
1426 *
1427 * @ingroup krb5
1428 */
1429
1430 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1431 krb5_set_max_time_skew (krb5_context context, time_t t)
1432 {
1433 context->max_skew = t;
1434 }
1435
1436 /*
1437 * Init encryption types in len, val with etypes.
1438 *
1439 * @param context Kerberos 5 context.
1440 * @param pdu_type type of pdu
1441 * @param len output length of val.
1442 * @param val output array of enctypes.
1443 * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1444
1445 * @return Returns 0 to indicate success. Otherwise an kerberos et
1446 * error code is returned, see krb5_get_error_message().
1447 *
1448 * @ingroup krb5
1449 */
1450
1451 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1452 _krb5_init_etype(krb5_context context,
1453 krb5_pdu pdu_type,
1454 unsigned *len,
1455 krb5_enctype **val,
1456 const krb5_enctype *etypes)
1457 {
1458 krb5_error_code ret;
1459
1460 if (etypes == NULL)
1461 ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
1462 else
1463 ret = copy_enctypes(context, etypes, val);
1464 if (ret)
1465 return ret;
1466
1467 if (len) {
1468 *len = 0;
1469 while ((*val)[*len] != KRB5_ENCTYPE_NULL)
1470 (*len)++;
1471 }
1472 return 0;
1473 }
1474
1475 /*
1476 * Allow homedir accces
1477 */
1478
1479 static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
1480 static krb5_boolean allow_homedir = TRUE;
1481
1482 krb5_boolean
1483 _krb5_homedir_access(krb5_context context)
1484 {
1485 krb5_boolean allow;
1486
1487 #ifdef HAVE_GETEUID
1488 /* is never allowed for root */
1489 if (geteuid() == 0)
1490 return FALSE;
1491 #endif
1492
1493 if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
1494 return FALSE;
1495
1496 HEIMDAL_MUTEX_lock(&homedir_mutex);
1497 allow = allow_homedir;
1498 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1499 return allow;
1500 }
1501
1502 /**
1503 * Enable and disable home directory access on either the global state
1504 * or the krb5_context state. By calling krb5_set_home_dir_access()
1505 * with context set to NULL, the global state is configured otherwise
1506 * the state for the krb5_context is modified.
1507 *
1508 * For home directory access to be allowed, both the global state and
1509 * the krb5_context state have to be allowed.
1510 *
1511 * Administrator (root user), never uses the home directory.
1512 *
1513 * @param context a Kerberos 5 context or NULL
1514 * @param allow allow if TRUE home directory
1515 * @return the old value
1516 *
1517 * @ingroup krb5
1518 */
1519
1520 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1521 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
1522 {
1523 krb5_boolean old;
1524 if (context) {
1525 old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
1526 if (allow)
1527 context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
1528 else
1529 context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
1530 } else {
1531 HEIMDAL_MUTEX_lock(&homedir_mutex);
1532 old = allow_homedir;
1533 allow_homedir = allow;
1534 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1535 }
1536
1537 return old;
1538 }
Heimdal