2 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "krb5_locl.h"
40 #define INIT_FIELD(C, T, E, D, F) \
41 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
42 "libdefaults", F, NULL)
44 #define INIT_FLAG(C, O, V, D, F) \
46 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
52 * Set the list of etypes `ret_etypes' from the configuration variable
56 static krb5_error_code
57 set_etypes (krb5_context context
,
59 krb5_enctype
**ret_enctypes
)
62 krb5_enctype
*etypes
= NULL
;
64 etypes_str
= krb5_config_get_strings(context
, NULL
, "libdefaults",
68 for(i
= 0; etypes_str
[i
]; i
++);
69 etypes
= malloc((i
+1) * sizeof(*etypes
));
71 krb5_config_free_strings (etypes_str
);
72 return krb5_enomem(context
);
74 for(j
= 0, k
= 0; j
< i
; j
++) {
76 if(krb5_string_to_enctype(context
, etypes_str
[j
], &e
) != 0)
78 if (krb5_enctype_valid(context
, e
) != 0)
82 etypes
[k
] = ETYPE_NULL
;
83 krb5_config_free_strings(etypes_str
);
85 *ret_enctypes
= etypes
;
90 * read variables from the configuration file and set in `context'
93 static krb5_error_code
94 init_context_from_config_file(krb5_context context
)
99 krb5_enctype
*tmptypes
;
101 INIT_FIELD(context
, time
, max_skew
, 5 * 60, "clockskew");
102 INIT_FIELD(context
, time
, kdc_timeout
, 30, "kdc_timeout");
103 INIT_FIELD(context
, time
, host_timeout
, 3, "host_timeout");
104 INIT_FIELD(context
, int, max_retries
, 3, "max_retries");
106 INIT_FIELD(context
, string
, http_proxy
, NULL
, "http_proxy");
108 ret
= krb5_config_get_bool_default(context
, NULL
, FALSE
,
110 "allow_weak_crypto", NULL
);
112 krb5_enctype_enable(context
, ETYPE_DES_CBC_CRC
);
113 krb5_enctype_enable(context
, ETYPE_DES_CBC_MD4
);
114 krb5_enctype_enable(context
, ETYPE_DES_CBC_MD5
);
115 krb5_enctype_enable(context
, ETYPE_DES_CBC_NONE
);
116 krb5_enctype_enable(context
, ETYPE_DES_CFB64_NONE
);
117 krb5_enctype_enable(context
, ETYPE_DES_PCBC_NONE
);
120 ret
= set_etypes (context
, "default_etypes", &tmptypes
);
123 free(context
->etypes
);
124 context
->etypes
= tmptypes
;
126 ret
= set_etypes (context
, "default_etypes_des", &tmptypes
);
129 free(context
->etypes_des
);
130 context
->etypes_des
= tmptypes
;
132 ret
= set_etypes (context
, "default_as_etypes", &tmptypes
);
135 free(context
->as_etypes
);
136 context
->as_etypes
= tmptypes
;
138 ret
= set_etypes (context
, "default_tgs_etypes", &tmptypes
);
141 free(context
->tgs_etypes
);
142 context
->tgs_etypes
= tmptypes
;
144 ret
= set_etypes (context
, "permitted_enctypes", &tmptypes
);
147 free(context
->permitted_enctypes
);
148 context
->permitted_enctypes
= tmptypes
;
150 /* default keytab name */
153 tmp
= getenv("KRB5_KTNAME");
155 context
->default_keytab
= tmp
;
157 INIT_FIELD(context
, string
, default_keytab
,
158 KEYTAB_DEFAULT
, "default_keytab_name");
160 INIT_FIELD(context
, string
, default_keytab_modify
,
161 NULL
, "default_keytab_modify_name");
163 INIT_FIELD(context
, string
, time_fmt
,
164 "%Y-%m-%dT%H:%M:%S", "time_format");
166 INIT_FIELD(context
, string
, date_fmt
,
167 "%Y-%m-%d", "date_format");
169 INIT_FIELD(context
, bool, log_utc
,
174 /* init dns-proxy slime */
175 tmp
= krb5_config_get_string(context
, NULL
, "libdefaults",
178 roken_gethostby_setup(context
->http_proxy
, tmp
);
179 krb5_free_host_realm (context
, context
->default_realms
);
180 context
->default_realms
= NULL
;
183 krb5_addresses addresses
;
186 krb5_set_extra_addresses(context
, NULL
);
187 adr
= krb5_config_get_strings(context
, NULL
,
191 memset(&addresses
, 0, sizeof(addresses
));
192 for(a
= adr
; a
&& *a
; a
++) {
193 ret
= krb5_parse_address(context
, *a
, &addresses
);
195 krb5_add_extra_addresses(context
, &addresses
);
196 krb5_free_addresses(context
, &addresses
);
199 krb5_config_free_strings(adr
);
201 krb5_set_ignore_addresses(context
, NULL
);
202 adr
= krb5_config_get_strings(context
, NULL
,
206 memset(&addresses
, 0, sizeof(addresses
));
207 for(a
= adr
; a
&& *a
; a
++) {
208 ret
= krb5_parse_address(context
, *a
, &addresses
);
210 krb5_add_ignore_addresses(context
, &addresses
);
211 krb5_free_addresses(context
, &addresses
);
214 krb5_config_free_strings(adr
);
217 INIT_FIELD(context
, bool, scan_interfaces
, TRUE
, "scan_interfaces");
218 INIT_FIELD(context
, int, fcache_vno
, 0, "fcache_version");
219 /* prefer dns_lookup_kdc over srv_lookup. */
220 INIT_FIELD(context
, bool, srv_lookup
, TRUE
, "srv_lookup");
221 INIT_FIELD(context
, bool, srv_lookup
, context
->srv_lookup
, "dns_lookup_kdc");
222 INIT_FIELD(context
, int, large_msg_size
, 1400, "large_message_size");
223 INIT_FIELD(context
, int, max_msg_size
, 1000 * 1024, "maximum_message_size");
224 INIT_FLAG(context
, flags
, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME
, TRUE
, "dns_canonicalize_hostname");
225 INIT_FLAG(context
, flags
, KRB5_CTX_F_CHECK_PAC
, TRUE
, "check_pac");
227 if (context
->default_cc_name
)
228 free(context
->default_cc_name
);
229 context
->default_cc_name
= NULL
;
230 context
->default_cc_name_set
= 0;
232 s
= krb5_config_get_strings(context
, NULL
, "logging", "krb5", NULL
);
236 if (context
->debug_dest
)
237 krb5_closelog(context
, context
->debug_dest
);
239 krb5_initlog(context
, "libkrb5", &context
->debug_dest
);
241 krb5_addlog_dest(context
, context
->debug_dest
, *p
);
242 krb5_config_free_strings(s
);
245 tmp
= krb5_config_get_string(context
, NULL
, "libdefaults",
246 "check-rd-req-server", NULL
);
247 if (tmp
== NULL
&& !issuid())
248 tmp
= getenv("KRB5_CHECK_RD_REQ_SERVER");
250 if (strcasecmp(tmp
, "ignore") == 0)
251 context
->flags
|= KRB5_CTX_F_RD_REQ_IGNORE
;
253 ret
= krb5_config_get_bool_default(context
, NULL
, TRUE
,
255 "fcache_strict_checking", NULL
);
257 context
->flags
|= KRB5_CTX_F_FCACHE_STRICT_CHECKING
;
262 static krb5_error_code
263 cc_ops_register(krb5_context context
)
265 context
->cc_ops
= NULL
;
266 context
->num_cc_ops
= 0;
268 #ifndef KCM_IS_API_CACHE
269 krb5_cc_register(context
, &krb5_acc_ops
, TRUE
);
271 krb5_cc_register(context
, &krb5_fcc_ops
, TRUE
);
272 krb5_cc_register(context
, &krb5_dcc_ops
, TRUE
);
273 krb5_cc_register(context
, &krb5_mcc_ops
, TRUE
);
275 krb5_cc_register(context
, &krb5_scc_ops
, TRUE
);
278 #ifdef KCM_IS_API_CACHE
279 krb5_cc_register(context
, &krb5_akcm_ops
, TRUE
);
281 krb5_cc_register(context
, &krb5_kcm_ops
, TRUE
);
283 _krb5_load_ccache_plugins(context
);
287 static krb5_error_code
288 cc_ops_copy(krb5_context context
, const krb5_context src_context
)
290 const krb5_cc_ops
**cc_ops
;
292 context
->cc_ops
= NULL
;
293 context
->num_cc_ops
= 0;
295 if (src_context
->num_cc_ops
== 0)
298 cc_ops
= malloc(sizeof(cc_ops
[0]) * src_context
->num_cc_ops
);
299 if (cc_ops
== NULL
) {
300 krb5_set_error_message(context
, KRB5_CC_NOMEM
,
301 N_("malloc: out of memory", ""));
302 return KRB5_CC_NOMEM
;
305 memcpy(rk_UNCONST(cc_ops
), src_context
->cc_ops
,
306 sizeof(cc_ops
[0]) * src_context
->num_cc_ops
);
307 context
->cc_ops
= cc_ops
;
308 context
->num_cc_ops
= src_context
->num_cc_ops
;
313 static krb5_error_code
314 kt_ops_register(krb5_context context
)
316 context
->num_kt_types
= 0;
317 context
->kt_types
= NULL
;
319 krb5_kt_register (context
, &krb5_fkt_ops
);
320 krb5_kt_register (context
, &krb5_wrfkt_ops
);
321 krb5_kt_register (context
, &krb5_javakt_ops
);
322 krb5_kt_register (context
, &krb5_mkt_ops
);
323 #ifndef HEIMDAL_SMALLER
324 krb5_kt_register (context
, &krb5_akf_ops
);
326 krb5_kt_register (context
, &krb5_any_ops
);
330 static krb5_error_code
331 kt_ops_copy(krb5_context context
, const krb5_context src_context
)
333 context
->num_kt_types
= 0;
334 context
->kt_types
= NULL
;
336 if (src_context
->num_kt_types
== 0)
339 context
->kt_types
= malloc(sizeof(context
->kt_types
[0]) * src_context
->num_kt_types
);
340 if (context
->kt_types
== NULL
)
341 return krb5_enomem(context
);
343 context
->num_kt_types
= src_context
->num_kt_types
;
344 memcpy(context
->kt_types
, src_context
->kt_types
,
345 sizeof(context
->kt_types
[0]) * src_context
->num_kt_types
);
350 static const char *sysplugin_dirs
[] = {
354 "$ORIGIN/../lib/plugin/krb5",
357 LIBDIR
"/plugin/krb5",
358 "/Library/KerberosPlugins/KerberosFrameworkPlugins",
359 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
365 init_context_once(void *ctx
)
367 krb5_context context
= ctx
;
371 dirs
= rk_UNCONST(sysplugin_dirs
);
373 dirs
= krb5_config_get_strings(context
, NULL
, "libdefaults",
376 dirs
= rk_UNCONST(sysplugin_dirs
);
379 _krb5_load_plugins(context
, "krb5", (const char **)dirs
);
381 if (dirs
!= rk_UNCONST(sysplugin_dirs
))
382 krb5_config_free_strings(dirs
);
384 bindtextdomain(HEIMDAL_TEXTDOMAIN
, HEIMDAL_LOCALEDIR
);
389 * Initializes the context structure and reads the configuration file
390 * /etc/krb5.conf. The structure should be freed by calling
391 * krb5_free_context() when it is no longer being used.
393 * @param context pointer to returned context
395 * @return Returns 0 to indicate success. Otherwise an errno code is
396 * returned. Failure means either that something bad happened during
397 * initialization (typically ENOMEM) or that Kerberos should not be
398 * used ENXIO. If the function returns HEIM_ERR_RANDOM_OFFLINE, the
399 * random source is not available and later Kerberos calls might fail.
404 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
405 krb5_init_context(krb5_context
*context
)
407 static heim_base_once_t init_context
= HEIM_BASE_ONCE_INIT
;
416 * krb5_init_context() will get one random byte to make sure our
417 * random is alive. Assumption is that once the non blocking
418 * source allows us to pull bytes, its all seeded and allows us to
421 * Most Kerberos users calls krb5_init_context(), so this is
422 * useful point where we can do the checking.
424 ret
= krb5_generate_random(&rnd
, sizeof(rnd
));
428 p
= calloc(1, sizeof(*p
));
432 p
->mutex
= malloc(sizeof(HEIMDAL_MUTEX
));
433 if (p
->mutex
== NULL
) {
437 HEIMDAL_MUTEX_init(p
->mutex
);
439 p
->flags
|= KRB5_CTX_F_HOMEDIR_ACCESS
;
441 ret
= krb5_get_default_config_files(&files
);
444 ret
= krb5_set_config_files(p
, files
);
445 krb5_free_config_files(files
);
449 /* done enough to load plugins */
450 heim_base_once_f(&init_context
, p
, init_context_once
);
452 /* init error tables */
458 ret
= hx509_context_init(&p
->hx509ctx
);
463 p
->flags
|= KRB5_CTX_F_SOCKETS_INITIALIZED
;
467 krb5_free_context(p
);
474 #ifndef HEIMDAL_SMALLER
476 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
477 krb5_get_permitted_enctypes(krb5_context context
,
478 krb5_enctype
**etypes
)
480 return krb5_get_default_in_tkt_etypes(context
, KRB5_PDU_NONE
, etypes
);
487 static krb5_error_code
488 copy_etypes (krb5_context context
,
489 krb5_enctype
*enctypes
,
490 krb5_enctype
**ret_enctypes
)
494 for (i
= 0; enctypes
[i
]; i
++)
498 *ret_enctypes
= malloc(sizeof(enctypes
[0]) * i
);
499 if (*ret_enctypes
== NULL
)
500 return krb5_enomem(context
);
501 memcpy(*ret_enctypes
, enctypes
, sizeof(enctypes
[0]) * i
);
506 * Make a copy for the Kerberos 5 context, the new krb5_context shoud
507 * be freed with krb5_free_context().
509 * @param context the Kerberos context to copy
510 * @param out the copy of the Kerberos, set to NULL error.
512 * @return Returns 0 to indicate success. Otherwise an kerberos et
513 * error code is returned, see krb5_get_error_message().
518 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
519 krb5_copy_context(krb5_context context
, krb5_context
*out
)
526 p
= calloc(1, sizeof(*p
));
528 return krb5_enomem(context
);
530 p
->mutex
= malloc(sizeof(HEIMDAL_MUTEX
));
531 if (p
->mutex
== NULL
) {
533 return krb5_enomem(context
);
535 HEIMDAL_MUTEX_init(p
->mutex
);
538 if (context
->default_cc_name
)
539 p
->default_cc_name
= strdup(context
->default_cc_name
);
540 if (context
->default_cc_name_env
)
541 p
->default_cc_name_env
= strdup(context
->default_cc_name_env
);
543 if (context
->etypes
) {
544 ret
= copy_etypes(context
, context
->etypes
, &p
->etypes
);
548 if (context
->etypes_des
) {
549 ret
= copy_etypes(context
, context
->etypes_des
, &p
->etypes_des
);
554 if (context
->default_realms
) {
555 ret
= krb5_copy_host_realm(context
,
556 context
->default_realms
, &p
->default_realms
);
561 ret
= _krb5_config_copy(context
, context
->cf
, &p
->cf
);
565 /* XXX should copy */
568 cc_ops_copy(p
, context
);
569 kt_ops_copy(p
, context
);
572 if(context
->warn_dest
!= NULL
)
574 if(context
->debug_dest
!= NULL
)
578 ret
= krb5_set_extra_addresses(p
, context
->extra_addresses
);
581 ret
= krb5_set_extra_addresses(p
, context
->ignore_addresses
);
585 ret
= _krb5_copy_send_to_kdc_func(p
, context
);
594 krb5_free_context(p
);
601 * Frees the krb5_context allocated by krb5_init_context().
603 * @param context context to be freed.
608 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
609 krb5_free_context(krb5_context context
)
611 if (context
->default_cc_name
)
612 free(context
->default_cc_name
);
613 if (context
->default_cc_name_env
)
614 free(context
->default_cc_name_env
);
615 free(context
->etypes
);
616 free(context
->etypes_des
);
617 krb5_free_host_realm (context
, context
->default_realms
);
618 krb5_config_file_free (context
, context
->cf
);
619 free_error_table (context
->et_list
);
620 free(rk_UNCONST(context
->cc_ops
));
621 free(context
->kt_types
);
622 krb5_clear_error_message(context
);
623 if(context
->warn_dest
!= NULL
)
624 krb5_closelog(context
, context
->warn_dest
);
625 if(context
->debug_dest
!= NULL
)
626 krb5_closelog(context
, context
->debug_dest
);
627 krb5_set_extra_addresses(context
, NULL
);
628 krb5_set_ignore_addresses(context
, NULL
);
629 krb5_set_send_to_kdc_func(context
, NULL
, NULL
);
632 if (context
->hx509ctx
)
633 hx509_context_free(&context
->hx509ctx
);
636 HEIMDAL_MUTEX_destroy(context
->mutex
);
637 free(context
->mutex
);
638 if (context
->flags
& KRB5_CTX_F_SOCKETS_INITIALIZED
) {
642 memset(context
, 0, sizeof(*context
));
647 * Reinit the context from a new set of filenames.
649 * @param context context to add configuration too.
650 * @param filenames array of filenames, end of list is indicated with a NULL filename.
652 * @return Returns 0 to indicate success. Otherwise an kerberos et
653 * error code is returned, see krb5_get_error_message().
658 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
659 krb5_set_config_files(krb5_context context
, char **filenames
)
662 krb5_config_binding
*tmp
= NULL
;
663 while(filenames
!= NULL
&& *filenames
!= NULL
&& **filenames
!= '\0') {
664 ret
= krb5_config_parse_file_multi(context
, *filenames
, &tmp
);
665 if(ret
!= 0 && ret
!= ENOENT
&& ret
!= EACCES
&& ret
!= EPERM
) {
666 krb5_config_file_free(context
, tmp
);
672 /* with this enabled and if there are no config files, Kerberos is
673 considererd disabled */
679 _krb5_load_config_from_registry(context
, &tmp
);
682 krb5_config_file_free(context
, context
->cf
);
684 ret
= init_context_from_config_file(context
);
688 static krb5_error_code
689 add_file(char ***pfilenames
, int *len
, char *file
)
691 char **pp
= *pfilenames
;
694 for(i
= 0; i
< *len
; i
++) {
695 if(strcmp(pp
[i
], file
) == 0) {
701 pp
= realloc(*pfilenames
, (*len
+ 2) * sizeof(*pp
));
715 * `pq' isn't free, it's up the the caller
718 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
719 krb5_prepend_config_files(const char *filelist
, char **pq
, char ***ret_pp
)
734 l
= strsep_copy(&q
, PATH_SEP
, NULL
, 0);
739 krb5_free_config_files(pp
);
742 (void)strsep_copy(&p
, PATH_SEP
, fn
, l
+ 1);
743 ret
= add_file(&pp
, &len
, fn
);
745 krb5_free_config_files(pp
);
753 for (i
= 0; pq
[i
] != NULL
; i
++) {
756 krb5_free_config_files(pp
);
759 ret
= add_file(&pp
, &len
, fn
);
761 krb5_free_config_files(pp
);
772 * Prepend the filename to the global configuration list.
774 * @param filelist a filename to add to the default list of filename
775 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
777 * @return Returns 0 to indicate success. Otherwise an kerberos et
778 * error code is returned, see krb5_get_error_message().
783 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
784 krb5_prepend_config_files_default(const char *filelist
, char ***pfilenames
)
787 char **defpp
, **pp
= NULL
;
789 ret
= krb5_get_default_config_files(&defpp
);
793 ret
= krb5_prepend_config_files(filelist
, defpp
, &pp
);
794 krb5_free_config_files(defpp
);
805 * Checks the registry for configuration file location
807 * Kerberos for Windows and other legacy Kerberos applications expect
808 * to find the configuration file location in the
809 * SOFTWARE\MIT\Kerberos registry key under the value "config".
811 KRB5_LIB_FUNCTION
char * KRB5_LIB_CALL
812 _krb5_get_default_config_config_files_from_registry()
814 static const char * KeyName
= "Software\\MIT\\Kerberos";
815 char *config_file
= NULL
;
819 rcode
= RegOpenKeyEx(HKEY_CURRENT_USER
, KeyName
, 0, KEY_READ
, &key
);
820 if (rcode
== ERROR_SUCCESS
) {
821 config_file
= _krb5_parse_reg_value_as_multi_string(NULL
, key
, "config",
822 REG_NONE
, 0, PATH_SEP
);
829 rcode
= RegOpenKeyEx(HKEY_LOCAL_MACHINE
, KeyName
, 0, KEY_READ
, &key
);
830 if (rcode
== ERROR_SUCCESS
) {
831 config_file
= _krb5_parse_reg_value_as_multi_string(NULL
, key
, "config",
832 REG_NONE
, 0, PATH_SEP
);
842 * Get the global configuration list.
844 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
846 * @return Returns 0 to indicate success. Otherwise an kerberos et
847 * error code is returned, see krb5_get_error_message().
852 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
853 krb5_get_default_config_files(char ***pfilenames
)
855 const char *files
= NULL
;
857 if (pfilenames
== NULL
)
860 files
= getenv("KRB5_CONFIG");
865 reg_files
= _krb5_get_default_config_config_files_from_registry();
866 if (reg_files
!= NULL
) {
867 krb5_error_code code
;
869 code
= krb5_prepend_config_files(reg_files
, NULL
, pfilenames
);
878 files
= krb5_config_file
;
880 return krb5_prepend_config_files(files
, NULL
, pfilenames
);
884 * Free a list of configuration files.
886 * @param filenames list, terminated with a NULL pointer, to be
887 * freed. NULL is an valid argument.
889 * @return Returns 0 to indicate success. Otherwise an kerberos et
890 * error code is returned, see krb5_get_error_message().
895 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
896 krb5_free_config_files(char **filenames
)
899 for(p
= filenames
; p
&& *p
!= NULL
; p
++)
905 * Returns the list of Kerberos encryption types sorted in order of
906 * most preferred to least preferred encryption type. Note that some
907 * encryption types might be disabled, so you need to check with
908 * krb5_enctype_valid() before using the encryption type.
910 * @return list of enctypes, terminated with ETYPE_NULL. Its a static
911 * array completed into the Kerberos library so the content doesn't
917 KRB5_LIB_FUNCTION
const krb5_enctype
* KRB5_LIB_CALL
918 krb5_kerberos_enctypes(krb5_context context
)
920 static const krb5_enctype p
[] = {
921 ETYPE_AES256_CTS_HMAC_SHA1_96
,
922 ETYPE_AES128_CTS_HMAC_SHA1_96
,
924 ETYPE_ARCFOUR_HMAC_MD5
,
928 static const krb5_enctype weak
[] = {
929 ETYPE_AES256_CTS_HMAC_SHA1_96
,
930 ETYPE_AES128_CTS_HMAC_SHA1_96
,
933 ETYPE_ARCFOUR_HMAC_MD5
,
941 * if the list of enctypes enabled by "allow_weak_crypto"
942 * are valid, then return the former default enctype list
943 * that contained the weak entries.
945 if (krb5_enctype_valid(context
, ETYPE_DES_CBC_CRC
) == 0 &&
946 krb5_enctype_valid(context
, ETYPE_DES_CBC_MD4
) == 0 &&
947 krb5_enctype_valid(context
, ETYPE_DES_CBC_MD5
) == 0 &&
948 krb5_enctype_valid(context
, ETYPE_DES_CBC_NONE
) == 0 &&
949 krb5_enctype_valid(context
, ETYPE_DES_CFB64_NONE
) == 0 &&
950 krb5_enctype_valid(context
, ETYPE_DES_PCBC_NONE
) == 0)
960 static krb5_error_code
961 copy_enctypes(krb5_context context
,
962 const krb5_enctype
*in
,
965 krb5_enctype
*p
= NULL
;
968 for (n
= 0; in
[n
]; n
++)
973 return krb5_enomem(context
);
974 for (n
= 0, m
= 0; in
[n
]; n
++) {
975 if (krb5_enctype_valid(context
, in
[n
]) != 0)
979 p
[m
] = KRB5_ENCTYPE_NULL
;
982 krb5_set_error_message (context
, KRB5_PROG_ETYPE_NOSUPP
,
983 N_("no valid enctype set", ""));
984 return KRB5_PROG_ETYPE_NOSUPP
;
992 * set `etype' to a malloced list of the default enctypes
995 static krb5_error_code
996 default_etypes(krb5_context context
, krb5_enctype
**etype
)
998 const krb5_enctype
*p
= krb5_kerberos_enctypes(context
);
999 return copy_enctypes(context
, p
, etype
);
1003 * Set the default encryption types that will be use in communcation
1004 * with the KDC, clients and servers.
1006 * @param context Kerberos 5 context.
1007 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
1009 * @return Returns 0 to indicate success. Otherwise an kerberos et
1010 * error code is returned, see krb5_get_error_message().
1015 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1016 krb5_set_default_in_tkt_etypes(krb5_context context
,
1017 const krb5_enctype
*etypes
)
1019 krb5_error_code ret
;
1020 krb5_enctype
*p
= NULL
;
1023 ret
= copy_enctypes(context
, etypes
, &p
);
1028 free(context
->etypes
);
1029 context
->etypes
= p
;
1034 * Get the default encryption types that will be use in communcation
1035 * with the KDC, clients and servers.
1037 * @param context Kerberos 5 context.
1038 * @param etypes Encryption types, array terminated with
1039 * ETYPE_NULL(0), caller should free array with krb5_xfree():
1041 * @return Returns 0 to indicate success. Otherwise an kerberos et
1042 * error code is returned, see krb5_get_error_message().
1047 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1048 krb5_get_default_in_tkt_etypes(krb5_context context
,
1050 krb5_enctype
**etypes
)
1052 krb5_enctype
*enctypes
= NULL
;
1053 krb5_error_code ret
;
1056 heim_assert(pdu_type
== KRB5_PDU_AS_REQUEST
||
1057 pdu_type
== KRB5_PDU_TGS_REQUEST
||
1058 pdu_type
== KRB5_PDU_NONE
, "pdu contant not as expected");
1060 if (pdu_type
== KRB5_PDU_AS_REQUEST
&& context
->as_etypes
!= NULL
)
1061 enctypes
= context
->as_etypes
;
1062 else if (pdu_type
== KRB5_PDU_TGS_REQUEST
&& context
->tgs_etypes
!= NULL
)
1063 enctypes
= context
->tgs_etypes
;
1064 else if (context
->etypes
!= NULL
)
1065 enctypes
= context
->etypes
;
1067 if (enctypes
!= NULL
) {
1068 ret
= copy_enctypes(context
, enctypes
, &p
);
1072 ret
= default_etypes(context
, &p
);
1081 * Init the built-in ets in the Kerberos library.
1083 * @param context kerberos context to add the ets too
1088 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
1089 krb5_init_ets(krb5_context context
)
1091 if(context
->et_list
== NULL
){
1092 krb5_add_et_list(context
, initialize_krb5_error_table_r
);
1093 krb5_add_et_list(context
, initialize_asn1_error_table_r
);
1094 krb5_add_et_list(context
, initialize_heim_error_table_r
);
1096 krb5_add_et_list(context
, initialize_k524_error_table_r
);
1098 #ifdef COM_ERR_BINDDOMAIN_krb5
1099 bindtextdomain(COM_ERR_BINDDOMAIN_krb5
, HEIMDAL_LOCALEDIR
);
1100 bindtextdomain(COM_ERR_BINDDOMAIN_asn1
, HEIMDAL_LOCALEDIR
);
1101 bindtextdomain(COM_ERR_BINDDOMAIN_heim
, HEIMDAL_LOCALEDIR
);
1102 bindtextdomain(COM_ERR_BINDDOMAIN_k524
, HEIMDAL_LOCALEDIR
);
1106 krb5_add_et_list(context
, initialize_hx_error_table_r
);
1107 #ifdef COM_ERR_BINDDOMAIN_hx
1108 bindtextdomain(COM_ERR_BINDDOMAIN_hx
, HEIMDAL_LOCALEDIR
);
1115 * Make the kerberos library default to the admin KDC.
1117 * @param context Kerberos 5 context.
1118 * @param flag boolean flag to select if the use the admin KDC or not.
1123 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
1124 krb5_set_use_admin_kdc (krb5_context context
, krb5_boolean flag
)
1126 context
->use_admin_kdc
= flag
;
1130 * Make the kerberos library default to the admin KDC.
1132 * @param context Kerberos 5 context.
1134 * @return boolean flag to telling the context will use admin KDC as the default KDC.
1139 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1140 krb5_get_use_admin_kdc (krb5_context context
)
1142 return context
->use_admin_kdc
;
1146 * Add extra address to the address list that the library will add to
1147 * the client's address list when communicating with the KDC.
1149 * @param context Kerberos 5 context.
1150 * @param addresses addreses to add
1152 * @return Returns 0 to indicate success. Otherwise an kerberos et
1153 * error code is returned, see krb5_get_error_message().
1158 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1159 krb5_add_extra_addresses(krb5_context context
, krb5_addresses
*addresses
)
1162 if(context
->extra_addresses
)
1163 return krb5_append_addresses(context
,
1164 context
->extra_addresses
, addresses
);
1166 return krb5_set_extra_addresses(context
, addresses
);
1170 * Set extra address to the address list that the library will add to
1171 * the client's address list when communicating with the KDC.
1173 * @param context Kerberos 5 context.
1174 * @param addresses addreses to set
1176 * @return Returns 0 to indicate success. Otherwise an kerberos et
1177 * error code is returned, see krb5_get_error_message().
1182 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1183 krb5_set_extra_addresses(krb5_context context
, const krb5_addresses
*addresses
)
1185 if(context
->extra_addresses
)
1186 krb5_free_addresses(context
, context
->extra_addresses
);
1188 if(addresses
== NULL
) {
1189 if(context
->extra_addresses
!= NULL
) {
1190 free(context
->extra_addresses
);
1191 context
->extra_addresses
= NULL
;
1195 if(context
->extra_addresses
== NULL
) {
1196 context
->extra_addresses
= malloc(sizeof(*context
->extra_addresses
));
1197 if (context
->extra_addresses
== NULL
)
1198 return krb5_enomem(context
);
1200 return krb5_copy_addresses(context
, addresses
, context
->extra_addresses
);
1204 * Get extra address to the address list that the library will add to
1205 * the client's address list when communicating with the KDC.
1207 * @param context Kerberos 5 context.
1208 * @param addresses addreses to set
1210 * @return Returns 0 to indicate success. Otherwise an kerberos et
1211 * error code is returned, see krb5_get_error_message().
1216 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1217 krb5_get_extra_addresses(krb5_context context
, krb5_addresses
*addresses
)
1219 if(context
->extra_addresses
== NULL
) {
1220 memset(addresses
, 0, sizeof(*addresses
));
1223 return krb5_copy_addresses(context
,context
->extra_addresses
, addresses
);
1227 * Add extra addresses to ignore when fetching addresses from the
1228 * underlaying operating system.
1230 * @param context Kerberos 5 context.
1231 * @param addresses addreses to ignore
1233 * @return Returns 0 to indicate success. Otherwise an kerberos et
1234 * error code is returned, see krb5_get_error_message().
1239 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1240 krb5_add_ignore_addresses(krb5_context context
, krb5_addresses
*addresses
)
1243 if(context
->ignore_addresses
)
1244 return krb5_append_addresses(context
,
1245 context
->ignore_addresses
, addresses
);
1247 return krb5_set_ignore_addresses(context
, addresses
);
1251 * Set extra addresses to ignore when fetching addresses from the
1252 * underlaying operating system.
1254 * @param context Kerberos 5 context.
1255 * @param addresses addreses to ignore
1257 * @return Returns 0 to indicate success. Otherwise an kerberos et
1258 * error code is returned, see krb5_get_error_message().
1263 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1264 krb5_set_ignore_addresses(krb5_context context
, const krb5_addresses
*addresses
)
1266 if(context
->ignore_addresses
)
1267 krb5_free_addresses(context
, context
->ignore_addresses
);
1268 if(addresses
== NULL
) {
1269 if(context
->ignore_addresses
!= NULL
) {
1270 free(context
->ignore_addresses
);
1271 context
->ignore_addresses
= NULL
;
1275 if(context
->ignore_addresses
== NULL
) {
1276 context
->ignore_addresses
= malloc(sizeof(*context
->ignore_addresses
));
1277 if (context
->ignore_addresses
== NULL
)
1278 return krb5_enomem(context
);
1280 return krb5_copy_addresses(context
, addresses
, context
->ignore_addresses
);
1284 * Get extra addresses to ignore when fetching addresses from the
1285 * underlaying operating system.
1287 * @param context Kerberos 5 context.
1288 * @param addresses list addreses ignored
1290 * @return Returns 0 to indicate success. Otherwise an kerberos et
1291 * error code is returned, see krb5_get_error_message().
1296 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1297 krb5_get_ignore_addresses(krb5_context context
, krb5_addresses
*addresses
)
1299 if(context
->ignore_addresses
== NULL
) {
1300 memset(addresses
, 0, sizeof(*addresses
));
1303 return krb5_copy_addresses(context
, context
->ignore_addresses
, addresses
);
1307 * Set version of fcache that the library should use.
1309 * @param context Kerberos 5 context.
1310 * @param version version number.
1312 * @return Returns 0 to indicate success. Otherwise an kerberos et
1313 * error code is returned, see krb5_get_error_message().
1318 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1319 krb5_set_fcache_version(krb5_context context
, int version
)
1321 context
->fcache_vno
= version
;
1326 * Get version of fcache that the library should use.
1328 * @param context Kerberos 5 context.
1329 * @param version version number.
1331 * @return Returns 0 to indicate success. Otherwise an kerberos et
1332 * error code is returned, see krb5_get_error_message().
1337 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1338 krb5_get_fcache_version(krb5_context context
, int *version
)
1340 *version
= context
->fcache_vno
;
1345 * Runtime check if the Kerberos library was complied with thread support.
1347 * @return TRUE if the library was compiled with thread support, FALSE if not.
1353 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1354 krb5_is_thread_safe(void)
1356 #ifdef ENABLE_PTHREAD_SUPPORT
1364 * Set if the library should use DNS to canonicalize hostnames.
1366 * @param context Kerberos 5 context.
1367 * @param flag if its dns canonicalizion is used or not.
1372 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
1373 krb5_set_dns_canonicalize_hostname (krb5_context context
, krb5_boolean flag
)
1376 context
->flags
|= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME
;
1378 context
->flags
&= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME
;
1382 * Get if the library uses DNS to canonicalize hostnames.
1384 * @param context Kerberos 5 context.
1386 * @return return non zero if the library uses DNS to canonicalize hostnames.
1391 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1392 krb5_get_dns_canonicalize_hostname (krb5_context context
)
1394 return (context
->flags
& KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME
) ? 1 : 0;
1398 * Get current offset in time to the KDC.
1400 * @param context Kerberos 5 context.
1401 * @param sec seconds part of offset.
1402 * @param usec micro seconds part of offset.
1404 * @return returns zero
1409 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1410 krb5_get_kdc_sec_offset (krb5_context context
, int32_t *sec
, int32_t *usec
)
1413 *sec
= context
->kdc_sec_offset
;
1415 *usec
= context
->kdc_usec_offset
;
1420 * Set current offset in time to the KDC.
1422 * @param context Kerberos 5 context.
1423 * @param sec seconds part of offset.
1424 * @param usec micro seconds part of offset.
1426 * @return returns zero
1431 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1432 krb5_set_kdc_sec_offset (krb5_context context
, int32_t sec
, int32_t usec
)
1434 context
->kdc_sec_offset
= sec
;
1436 context
->kdc_usec_offset
= usec
;
1441 * Get max time skew allowed.
1443 * @param context Kerberos 5 context.
1445 * @return timeskew in seconds.
1450 KRB5_LIB_FUNCTION
time_t KRB5_LIB_CALL
1451 krb5_get_max_time_skew (krb5_context context
)
1453 return context
->max_skew
;
1457 * Set max time skew allowed.
1459 * @param context Kerberos 5 context.
1460 * @param t timeskew in seconds.
1465 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
1466 krb5_set_max_time_skew (krb5_context context
, time_t t
)
1468 context
->max_skew
= t
;
1472 * Init encryption types in len, val with etypes.
1474 * @param context Kerberos 5 context.
1475 * @param pdu_type type of pdu
1476 * @param len output length of val.
1477 * @param val output array of enctypes.
1478 * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1480 * @return Returns 0 to indicate success. Otherwise an kerberos et
1481 * error code is returned, see krb5_get_error_message().
1486 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1487 _krb5_init_etype(krb5_context context
,
1491 const krb5_enctype
*etypes
)
1493 krb5_error_code ret
;
1496 ret
= krb5_get_default_in_tkt_etypes(context
, pdu_type
, val
);
1498 ret
= copy_enctypes(context
, etypes
, val
);
1504 while ((*val
)[*len
] != KRB5_ENCTYPE_NULL
)
1511 * Allow homedir accces
1514 static HEIMDAL_MUTEX homedir_mutex
= HEIMDAL_MUTEX_INITIALIZER
;
1515 static krb5_boolean allow_homedir
= TRUE
;
1517 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1518 _krb5_homedir_access(krb5_context context
)
1522 if (context
&& (context
->flags
& KRB5_CTX_F_HOMEDIR_ACCESS
) == 0)
1525 HEIMDAL_MUTEX_lock(&homedir_mutex
);
1526 allow
= allow_homedir
;
1527 HEIMDAL_MUTEX_unlock(&homedir_mutex
);
1532 * Enable and disable home directory access on either the global state
1533 * or the krb5_context state. By calling krb5_set_home_dir_access()
1534 * with context set to NULL, the global state is configured otherwise
1535 * the state for the krb5_context is modified.
1537 * For home directory access to be allowed, both the global state and
1538 * the krb5_context state have to be allowed.
1540 * Administrator (root user), never uses the home directory.
1542 * @param context a Kerberos 5 context or NULL
1543 * @param allow allow if TRUE home directory
1544 * @return the old value
1549 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1550 krb5_set_home_dir_access(krb5_context context
, krb5_boolean allow
)
1554 old
= (context
->flags
& KRB5_CTX_F_HOMEDIR_ACCESS
) ? TRUE
: FALSE
;
1556 context
->flags
|= KRB5_CTX_F_HOMEDIR_ACCESS
;
1558 context
->flags
&= ~KRB5_CTX_F_HOMEDIR_ACCESS
;
1560 HEIMDAL_MUTEX_lock(&homedir_mutex
);
1561 old
= allow_homedir
;
1562 allow_homedir
= allow
;
1563 HEIMDAL_MUTEX_unlock(&homedir_mutex
);