search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Use anon realm for anonymous PKINIT
[heimdal.git] / lib / krb5 / context.c
blobe738916d04a66add1370ee9499a77126704d6ff0
1 /*
2 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37 #include <assert.h>
38 #include <com_err.h>
39
40 #define INIT_FIELD(C, T, E, D, F) \
41 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
42 "libdefaults", F, NULL)
43
44 #define INIT_FLAG(C, O, V, D, F) \
45 do { \
46 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
47 (C)->O |= V; \
48 } \
49 } while(0)
50
51 /*
52 * Set the list of etypes `ret_etypes' from the configuration variable
53 * `name'
54 */
55
56 static krb5_error_code
57 set_etypes (krb5_context context,
58 const char *name,
59 krb5_enctype **ret_enctypes)
60 {
61 char **etypes_str;
62 krb5_enctype *etypes = NULL;
63
64 etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
65 name, NULL);
66 if(etypes_str){
67 int i, j, k;
68 for(i = 0; etypes_str[i]; i++);
69 etypes = malloc((i+1) * sizeof(*etypes));
70 if (etypes == NULL) {
71 krb5_config_free_strings (etypes_str);
72 return krb5_enomem(context);
73 }
74 for(j = 0, k = 0; j < i; j++) {
75 krb5_enctype e;
76 if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
77 continue;
78 if (krb5_enctype_valid(context, e) != 0)
79 continue;
80 etypes[k++] = e;
81 }
82 etypes[k] = ETYPE_NULL;
83 krb5_config_free_strings(etypes_str);
84 }
85 *ret_enctypes = etypes;
86 return 0;
87 }
88
89 /*
90 * read variables from the configuration file and set in `context'
91 */
92
93 static krb5_error_code
94 init_context_from_config_file(krb5_context context)
95 {
96 krb5_error_code ret;
97 const char * tmp;
98 char **s;
99 krb5_enctype *tmptypes;
100
101 INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
102 INIT_FIELD(context, time, kdc_timeout, 30, "kdc_timeout");
103 INIT_FIELD(context, time, host_timeout, 3, "host_timeout");
104 INIT_FIELD(context, int, max_retries, 3, "max_retries");
105
106 INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
107
108 ret = krb5_config_get_bool_default(context, NULL, FALSE,
109 "libdefaults",
110 "allow_weak_crypto", NULL);
111 if (ret) {
112 krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
113 krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
114 krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
115 krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
116 krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
117 krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
118 }
119
120 ret = set_etypes (context, "default_etypes", &tmptypes);
121 if(ret)
122 return ret;
123 free(context->etypes);
124 context->etypes = tmptypes;
125
126 ret = set_etypes (context, "default_etypes_des", &tmptypes);
127 if(ret)
128 return ret;
129 free(context->etypes_des);
130 context->etypes_des = tmptypes;
131
132 ret = set_etypes (context, "default_as_etypes", &tmptypes);
133 if(ret)
134 return ret;
135 free(context->as_etypes);
136 context->as_etypes = tmptypes;
137
138 ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
139 if(ret)
140 return ret;
141 free(context->tgs_etypes);
142 context->tgs_etypes = tmptypes;
143
144 ret = set_etypes (context, "permitted_enctypes", &tmptypes);
145 if(ret)
146 return ret;
147 free(context->permitted_enctypes);
148 context->permitted_enctypes = tmptypes;
149
150 /* default keytab name */
151 tmp = NULL;
152 if(!issuid())
153 tmp = getenv("KRB5_KTNAME");
154 if(tmp != NULL)
155 context->default_keytab = tmp;
156 else
157 INIT_FIELD(context, string, default_keytab,
158 KEYTAB_DEFAULT, "default_keytab_name");
159
160 INIT_FIELD(context, string, default_keytab_modify,
161 NULL, "default_keytab_modify_name");
162
163 INIT_FIELD(context, string, time_fmt,
164 "%Y-%m-%dT%H:%M:%S", "time_format");
165
166 INIT_FIELD(context, string, date_fmt,
167 "%Y-%m-%d", "date_format");
168
169 INIT_FIELD(context, bool, log_utc,
170 FALSE, "log_utc");
171
172
173
174 /* init dns-proxy slime */
175 tmp = krb5_config_get_string(context, NULL, "libdefaults",
176 "dns_proxy", NULL);
177 if(tmp)
178 roken_gethostby_setup(context->http_proxy, tmp);
179 krb5_free_host_realm (context, context->default_realms);
180 context->default_realms = NULL;
181
182 {
183 krb5_addresses addresses;
184 char **adr, **a;
185
186 krb5_set_extra_addresses(context, NULL);
187 adr = krb5_config_get_strings(context, NULL,
188 "libdefaults",
189 "extra_addresses",
190 NULL);
191 memset(&addresses, 0, sizeof(addresses));
192 for(a = adr; a && *a; a++) {
193 ret = krb5_parse_address(context, *a, &addresses);
194 if (ret == 0) {
195 krb5_add_extra_addresses(context, &addresses);
196 krb5_free_addresses(context, &addresses);
197 }
198 }
199 krb5_config_free_strings(adr);
200
201 krb5_set_ignore_addresses(context, NULL);
202 adr = krb5_config_get_strings(context, NULL,
203 "libdefaults",
204 "ignore_addresses",
205 NULL);
206 memset(&addresses, 0, sizeof(addresses));
207 for(a = adr; a && *a; a++) {
208 ret = krb5_parse_address(context, *a, &addresses);
209 if (ret == 0) {
210 krb5_add_ignore_addresses(context, &addresses);
211 krb5_free_addresses(context, &addresses);
212 }
213 }
214 krb5_config_free_strings(adr);
215 }
216
217 INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
218 INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
219 /* prefer dns_lookup_kdc over srv_lookup. */
220 INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
221 INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
222 INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
223 INIT_FIELD(context, int, max_msg_size, 1000 * 1024, "maximum_message_size");
224 INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
225 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
226
227 if (context->default_cc_name)
228 free(context->default_cc_name);
229 context->default_cc_name = NULL;
230 context->default_cc_name_set = 0;
231
232 s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
233 if(s) {
234 char **p;
235
236 if (context->debug_dest)
237 krb5_closelog(context, context->debug_dest);
238
239 krb5_initlog(context, "libkrb5", &context->debug_dest);
240 for(p = s; *p; p++)
241 krb5_addlog_dest(context, context->debug_dest, *p);
242 krb5_config_free_strings(s);
243 }
244
245 tmp = krb5_config_get_string(context, NULL, "libdefaults",
246 "check-rd-req-server", NULL);
247 if (tmp == NULL && !issuid())
248 tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
249 if(tmp) {
250 if (strcasecmp(tmp, "ignore") == 0)
251 context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
252 }
253 ret = krb5_config_get_bool_default(context, NULL, TRUE,
254 "libdefaults",
255 "fcache_strict_checking", NULL);
256 if (ret)
257 context->flags |= KRB5_CTX_F_FCACHE_STRICT_CHECKING;
258
259 return 0;
260 }
261
262 static krb5_error_code
263 cc_ops_register(krb5_context context)
264 {
265 context->cc_ops = NULL;
266 context->num_cc_ops = 0;
267
268 #ifndef KCM_IS_API_CACHE
269 krb5_cc_register(context, &krb5_acc_ops, TRUE);
270 #endif
271 krb5_cc_register(context, &krb5_fcc_ops, TRUE);
272 krb5_cc_register(context, &krb5_dcc_ops, TRUE);
273 krb5_cc_register(context, &krb5_mcc_ops, TRUE);
274 #ifdef HAVE_SCC
275 krb5_cc_register(context, &krb5_scc_ops, TRUE);
276 #endif
277 #ifdef HAVE_KCM
278 #ifdef KCM_IS_API_CACHE
279 krb5_cc_register(context, &krb5_akcm_ops, TRUE);
280 #endif
281 krb5_cc_register(context, &krb5_kcm_ops, TRUE);
282 #endif
283 _krb5_load_ccache_plugins(context);
284 return 0;
285 }
286
287 static krb5_error_code
288 cc_ops_copy(krb5_context context, const krb5_context src_context)
289 {
290 const krb5_cc_ops **cc_ops;
291
292 context->cc_ops = NULL;
293 context->num_cc_ops = 0;
294
295 if (src_context->num_cc_ops == 0)
296 return 0;
297
298 cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
299 if (cc_ops == NULL) {
300 krb5_set_error_message(context, KRB5_CC_NOMEM,
301 N_("malloc: out of memory", ""));
302 return KRB5_CC_NOMEM;
303 }
304
305 memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
306 sizeof(cc_ops[0]) * src_context->num_cc_ops);
307 context->cc_ops = cc_ops;
308 context->num_cc_ops = src_context->num_cc_ops;
309
310 return 0;
311 }
312
313 static krb5_error_code
314 kt_ops_register(krb5_context context)
315 {
316 context->num_kt_types = 0;
317 context->kt_types = NULL;
318
319 krb5_kt_register (context, &krb5_fkt_ops);
320 krb5_kt_register (context, &krb5_wrfkt_ops);
321 krb5_kt_register (context, &krb5_javakt_ops);
322 krb5_kt_register (context, &krb5_mkt_ops);
323 #ifndef HEIMDAL_SMALLER
324 krb5_kt_register (context, &krb5_akf_ops);
325 #endif
326 krb5_kt_register (context, &krb5_any_ops);
327 return 0;
328 }
329
330 static krb5_error_code
331 kt_ops_copy(krb5_context context, const krb5_context src_context)
332 {
333 context->num_kt_types = 0;
334 context->kt_types = NULL;
335
336 if (src_context->num_kt_types == 0)
337 return 0;
338
339 context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
340 if (context->kt_types == NULL)
341 return krb5_enomem(context);
342
343 context->num_kt_types = src_context->num_kt_types;
344 memcpy(context->kt_types, src_context->kt_types,
345 sizeof(context->kt_types[0]) * src_context->num_kt_types);
346
347 return 0;
348 }
349
350 static const char *sysplugin_dirs[] = {
351 #ifdef _WIN32
352 "$ORIGIN",
353 #else
354 "$ORIGIN/../lib/plugin/krb5",
355 #endif
356 #ifdef __APPLE__
357 LIBDIR "/plugin/krb5",
358 "/Library/KerberosPlugins/KerberosFrameworkPlugins",
359 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
360 #endif
361 NULL
362 };
363
364 static void
365 init_context_once(void *ctx)
366 {
367 krb5_context context = ctx;
368 char **dirs;
369
370 #ifdef _WIN32
371 dirs = rk_UNCONST(sysplugin_dirs);
372 #else
373 dirs = krb5_config_get_strings(context, NULL, "libdefaults",
374 "plugin_dir", NULL);
375 if (dirs == NULL)
376 dirs = rk_UNCONST(sysplugin_dirs);
377 #endif
378
379 _krb5_load_plugins(context, "krb5", (const char **)dirs);
380
381 if (dirs != rk_UNCONST(sysplugin_dirs))
382 krb5_config_free_strings(dirs);
383
384 bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
385 }
386
387
388 /**
389 * Initializes the context structure and reads the configuration file
390 * /etc/krb5.conf. The structure should be freed by calling
391 * krb5_free_context() when it is no longer being used.
392 *
393 * @param context pointer to returned context
394 *
395 * @return Returns 0 to indicate success. Otherwise an errno code is
396 * returned. Failure means either that something bad happened during
397 * initialization (typically ENOMEM) or that Kerberos should not be
398 * used ENXIO. If the function returns HEIM_ERR_RANDOM_OFFLINE, the
399 * random source is not available and later Kerberos calls might fail.
400 *
401 * @ingroup krb5
402 */
403
404 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
405 krb5_init_context(krb5_context *context)
406 {
407 static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
408 krb5_context p;
409 krb5_error_code ret;
410 char **files;
411 uint8_t rnd;
412
413 *context = NULL;
414
415 /**
416 * krb5_init_context() will get one random byte to make sure our
417 * random is alive. Assumption is that once the non blocking
418 * source allows us to pull bytes, its all seeded and allows us to
419 * pull more bytes.
420 *
421 * Most Kerberos users calls krb5_init_context(), so this is
422 * useful point where we can do the checking.
423 */
424 ret = krb5_generate_random(&rnd, sizeof(rnd));
425 if (ret)
426 return ret;
427
428 p = calloc(1, sizeof(*p));
429 if(!p)
430 return ENOMEM;
431
432 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
433 if (p->mutex == NULL) {
434 free(p);
435 return ENOMEM;
436 }
437 HEIMDAL_MUTEX_init(p->mutex);
438
439 p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
440
441 ret = krb5_get_default_config_files(&files);
442 if(ret)
443 goto out;
444 ret = krb5_set_config_files(p, files);
445 krb5_free_config_files(files);
446 if(ret)
447 goto out;
448
449 /* done enough to load plugins */
450 heim_base_once_f(&init_context, p, init_context_once);
451
452 /* init error tables */
453 krb5_init_ets(p);
454 cc_ops_register(p);
455 kt_ops_register(p);
456
457 #ifdef PKINIT
458 ret = hx509_context_init(&p->hx509ctx);
459 if (ret)
460 goto out;
461 #endif
462 if (rk_SOCK_INIT())
463 p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
464
465 out:
466 if(ret) {
467 krb5_free_context(p);
468 p = NULL;
469 }
470 *context = p;
471 return ret;
472 }
473
474 #ifndef HEIMDAL_SMALLER
475
476 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
477 krb5_get_permitted_enctypes(krb5_context context,
478 krb5_enctype **etypes)
479 {
480 return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
481 }
482
483 /*
484 *
485 */
486
487 static krb5_error_code
488 copy_etypes (krb5_context context,
489 krb5_enctype *enctypes,
490 krb5_enctype **ret_enctypes)
491 {
492 unsigned int i;
493
494 for (i = 0; enctypes[i]; i++)
495 ;
496 i++;
497
498 *ret_enctypes = malloc(sizeof(enctypes[0]) * i);
499 if (*ret_enctypes == NULL)
500 return krb5_enomem(context);
501 memcpy(*ret_enctypes, enctypes, sizeof(enctypes[0]) * i);
502 return 0;
503 }
504
505 /**
506 * Make a copy for the Kerberos 5 context, the new krb5_context shoud
507 * be freed with krb5_free_context().
508 *
509 * @param context the Kerberos context to copy
510 * @param out the copy of the Kerberos, set to NULL error.
511 *
512 * @return Returns 0 to indicate success. Otherwise an kerberos et
513 * error code is returned, see krb5_get_error_message().
514 *
515 * @ingroup krb5
516 */
517
518 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
519 krb5_copy_context(krb5_context context, krb5_context *out)
520 {
521 krb5_error_code ret;
522 krb5_context p;
523
524 *out = NULL;
525
526 p = calloc(1, sizeof(*p));
527 if (p == NULL)
528 return krb5_enomem(context);
529
530 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
531 if (p->mutex == NULL) {
532 free(p);
533 return krb5_enomem(context);
534 }
535 HEIMDAL_MUTEX_init(p->mutex);
536
537
538 if (context->default_cc_name)
539 p->default_cc_name = strdup(context->default_cc_name);
540 if (context->default_cc_name_env)
541 p->default_cc_name_env = strdup(context->default_cc_name_env);
542
543 if (context->etypes) {
544 ret = copy_etypes(context, context->etypes, &p->etypes);
545 if (ret)
546 goto out;
547 }
548 if (context->etypes_des) {
549 ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
550 if (ret)
551 goto out;
552 }
553
554 if (context->default_realms) {
555 ret = krb5_copy_host_realm(context,
556 context->default_realms, &p->default_realms);
557 if (ret)
558 goto out;
559 }
560
561 ret = _krb5_config_copy(context, context->cf, &p->cf);
562 if (ret)
563 goto out;
564
565 /* XXX should copy */
566 krb5_init_ets(p);
567
568 cc_ops_copy(p, context);
569 kt_ops_copy(p, context);
570
571 #if 0 /* XXX */
572 if(context->warn_dest != NULL)
573 ;
574 if(context->debug_dest != NULL)
575 ;
576 #endif
577
578 ret = krb5_set_extra_addresses(p, context->extra_addresses);
579 if (ret)
580 goto out;
581 ret = krb5_set_extra_addresses(p, context->ignore_addresses);
582 if (ret)
583 goto out;
584
585 ret = _krb5_copy_send_to_kdc_func(p, context);
586 if (ret)
587 goto out;
588
589 *out = p;
590
591 return 0;
592
593 out:
594 krb5_free_context(p);
595 return ret;
596 }
597
598 #endif
599
600 /**
601 * Frees the krb5_context allocated by krb5_init_context().
602 *
603 * @param context context to be freed.
604 *
605 * @ingroup krb5
606 */
607
608 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
609 krb5_free_context(krb5_context context)
610 {
611 if (context->default_cc_name)
612 free(context->default_cc_name);
613 if (context->default_cc_name_env)
614 free(context->default_cc_name_env);
615 free(context->etypes);
616 free(context->etypes_des);
617 krb5_free_host_realm (context, context->default_realms);
618 krb5_config_file_free (context, context->cf);
619 free_error_table (context->et_list);
620 free(rk_UNCONST(context->cc_ops));
621 free(context->kt_types);
622 krb5_clear_error_message(context);
623 if(context->warn_dest != NULL)
624 krb5_closelog(context, context->warn_dest);
625 if(context->debug_dest != NULL)
626 krb5_closelog(context, context->debug_dest);
627 krb5_set_extra_addresses(context, NULL);
628 krb5_set_ignore_addresses(context, NULL);
629 krb5_set_send_to_kdc_func(context, NULL, NULL);
630
631 #ifdef PKINIT
632 if (context->hx509ctx)
633 hx509_context_free(&context->hx509ctx);
634 #endif
635
636 HEIMDAL_MUTEX_destroy(context->mutex);
637 free(context->mutex);
638 if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
639 rk_SOCK_EXIT();
640 }
641
642 memset(context, 0, sizeof(*context));
643 free(context);
644 }
645
646 /**
647 * Reinit the context from a new set of filenames.
648 *
649 * @param context context to add configuration too.
650 * @param filenames array of filenames, end of list is indicated with a NULL filename.
651 *
652 * @return Returns 0 to indicate success. Otherwise an kerberos et
653 * error code is returned, see krb5_get_error_message().
654 *
655 * @ingroup krb5
656 */
657
658 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
659 krb5_set_config_files(krb5_context context, char **filenames)
660 {
661 krb5_error_code ret;
662 krb5_config_binding *tmp = NULL;
663 while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
664 ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
665 if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) {
666 krb5_config_file_free(context, tmp);
667 return ret;
668 }
669 filenames++;
670 }
671 #if 0
672 /* with this enabled and if there are no config files, Kerberos is
673 considererd disabled */
674 if(tmp == NULL)
675 return ENXIO;
676 #endif
677
678 #ifdef _WIN32
679 _krb5_load_config_from_registry(context, &tmp);
680 #endif
681
682 krb5_config_file_free(context, context->cf);
683 context->cf = tmp;
684 ret = init_context_from_config_file(context);
685 return ret;
686 }
687
688 static krb5_error_code
689 add_file(char ***pfilenames, int *len, char *file)
690 {
691 char **pp = *pfilenames;
692 int i;
693
694 for(i = 0; i < *len; i++) {
695 if(strcmp(pp[i], file) == 0) {
696 free(file);
697 return 0;
698 }
699 }
700
701 pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp));
702 if (pp == NULL) {
703 free(file);
704 return ENOMEM;
705 }
706
707 pp[*len] = file;
708 pp[*len + 1] = NULL;
709 *pfilenames = pp;
710 *len += 1;
711 return 0;
712 }
713
714 /*
715 * `pq' isn't free, it's up the the caller
716 */
717
718 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
719 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
720 {
721 krb5_error_code ret;
722 const char *p, *q;
723 char **pp;
724 int len;
725 char *fn;
726
727 pp = NULL;
728
729 len = 0;
730 p = filelist;
731 while(1) {
732 ssize_t l;
733 q = p;
734 l = strsep_copy(&q, PATH_SEP, NULL, 0);
735 if(l == -1)
736 break;
737 fn = malloc(l + 1);
738 if(fn == NULL) {
739 krb5_free_config_files(pp);
740 return ENOMEM;
741 }
742 (void)strsep_copy(&p, PATH_SEP, fn, l + 1);
743 ret = add_file(&pp, &len, fn);
744 if (ret) {
745 krb5_free_config_files(pp);
746 return ret;
747 }
748 }
749
750 if (pq != NULL) {
751 int i;
752
753 for (i = 0; pq[i] != NULL; i++) {
754 fn = strdup(pq[i]);
755 if (fn == NULL) {
756 krb5_free_config_files(pp);
757 return ENOMEM;
758 }
759 ret = add_file(&pp, &len, fn);
760 if (ret) {
761 krb5_free_config_files(pp);
762 return ret;
763 }
764 }
765 }
766
767 *ret_pp = pp;
768 return 0;
769 }
770
771 /**
772 * Prepend the filename to the global configuration list.
773 *
774 * @param filelist a filename to add to the default list of filename
775 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
776 *
777 * @return Returns 0 to indicate success. Otherwise an kerberos et
778 * error code is returned, see krb5_get_error_message().
779 *
780 * @ingroup krb5
781 */
782
783 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
784 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
785 {
786 krb5_error_code ret;
787 char **defpp, **pp = NULL;
788
789 ret = krb5_get_default_config_files(&defpp);
790 if (ret)
791 return ret;
792
793 ret = krb5_prepend_config_files(filelist, defpp, &pp);
794 krb5_free_config_files(defpp);
795 if (ret) {
796 return ret;
797 }
798 *pfilenames = pp;
799 return 0;
800 }
801
802 #ifdef _WIN32
803
804 /**
805 * Checks the registry for configuration file location
806 *
807 * Kerberos for Windows and other legacy Kerberos applications expect
808 * to find the configuration file location in the
809 * SOFTWARE\MIT\Kerberos registry key under the value "config".
810 */
811 KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
812 _krb5_get_default_config_config_files_from_registry()
813 {
814 static const char * KeyName = "Software\\MIT\\Kerberos";
815 char *config_file = NULL;
816 LONG rcode;
817 HKEY key;
818
819 rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key);
820 if (rcode == ERROR_SUCCESS) {
821 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
822 REG_NONE, 0, PATH_SEP);
823 RegCloseKey(key);
824 }
825
826 if (config_file)
827 return config_file;
828
829 rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key);
830 if (rcode == ERROR_SUCCESS) {
831 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
832 REG_NONE, 0, PATH_SEP);
833 RegCloseKey(key);
834 }
835
836 return config_file;
837 }
838
839 #endif
840
841 /**
842 * Get the global configuration list.
843 *
844 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
845 *
846 * @return Returns 0 to indicate success. Otherwise an kerberos et
847 * error code is returned, see krb5_get_error_message().
848 *
849 * @ingroup krb5
850 */
851
852 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
853 krb5_get_default_config_files(char ***pfilenames)
854 {
855 const char *files = NULL;
856
857 if (pfilenames == NULL)
858 return EINVAL;
859 if(!issuid())
860 files = getenv("KRB5_CONFIG");
861
862 #ifdef _WIN32
863 if (files == NULL) {
864 char * reg_files;
865 reg_files = _krb5_get_default_config_config_files_from_registry();
866 if (reg_files != NULL) {
867 krb5_error_code code;
868
869 code = krb5_prepend_config_files(reg_files, NULL, pfilenames);
870 free(reg_files);
871
872 return code;
873 }
874 }
875 #endif
876
877 if (files == NULL)
878 files = krb5_config_file;
879
880 return krb5_prepend_config_files(files, NULL, pfilenames);
881 }
882
883 /**
884 * Free a list of configuration files.
885 *
886 * @param filenames list, terminated with a NULL pointer, to be
887 * freed. NULL is an valid argument.
888 *
889 * @return Returns 0 to indicate success. Otherwise an kerberos et
890 * error code is returned, see krb5_get_error_message().
891 *
892 * @ingroup krb5
893 */
894
895 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
896 krb5_free_config_files(char **filenames)
897 {
898 char **p;
899 for(p = filenames; p && *p != NULL; p++)
900 free(*p);
901 free(filenames);
902 }
903
904 /**
905 * Returns the list of Kerberos encryption types sorted in order of
906 * most preferred to least preferred encryption type. Note that some
907 * encryption types might be disabled, so you need to check with
908 * krb5_enctype_valid() before using the encryption type.
909 *
910 * @return list of enctypes, terminated with ETYPE_NULL. Its a static
911 * array completed into the Kerberos library so the content doesn't
912 * need to be freed.
913 *
914 * @ingroup krb5
915 */
916
917 KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
918 krb5_kerberos_enctypes(krb5_context context)
919 {
920 static const krb5_enctype p[] = {
921 ETYPE_AES256_CTS_HMAC_SHA1_96,
922 ETYPE_AES128_CTS_HMAC_SHA1_96,
923 ETYPE_DES3_CBC_SHA1,
924 ETYPE_ARCFOUR_HMAC_MD5,
925 ETYPE_NULL
926 };
927
928 static const krb5_enctype weak[] = {
929 ETYPE_AES256_CTS_HMAC_SHA1_96,
930 ETYPE_AES128_CTS_HMAC_SHA1_96,
931 ETYPE_DES3_CBC_SHA1,
932 ETYPE_DES3_CBC_MD5,
933 ETYPE_ARCFOUR_HMAC_MD5,
934 ETYPE_DES_CBC_MD5,
935 ETYPE_DES_CBC_MD4,
936 ETYPE_DES_CBC_CRC,
937 ETYPE_NULL
938 };
939
940 /*
941 * if the list of enctypes enabled by "allow_weak_crypto"
942 * are valid, then return the former default enctype list
943 * that contained the weak entries.
944 */
945 if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC) == 0 &&
946 krb5_enctype_valid(context, ETYPE_DES_CBC_MD4) == 0 &&
947 krb5_enctype_valid(context, ETYPE_DES_CBC_MD5) == 0 &&
948 krb5_enctype_valid(context, ETYPE_DES_CBC_NONE) == 0 &&
949 krb5_enctype_valid(context, ETYPE_DES_CFB64_NONE) == 0 &&
950 krb5_enctype_valid(context, ETYPE_DES_PCBC_NONE) == 0)
951 return weak;
952
953 return p;
954 }
955
956 /*
957 *
958 */
959
960 static krb5_error_code
961 copy_enctypes(krb5_context context,
962 const krb5_enctype *in,
963 krb5_enctype **out)
964 {
965 krb5_enctype *p = NULL;
966 size_t m, n;
967
968 for (n = 0; in[n]; n++)
969 ;
970 n++;
971 ALLOC(p, n);
972 if(p == NULL)
973 return krb5_enomem(context);
974 for (n = 0, m = 0; in[n]; n++) {
975 if (krb5_enctype_valid(context, in[n]) != 0)
976 continue;
977 p[m++] = in[n];
978 }
979 p[m] = KRB5_ENCTYPE_NULL;
980 if (m == 0) {
981 free(p);
982 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
983 N_("no valid enctype set", ""));
984 return KRB5_PROG_ETYPE_NOSUPP;
985 }
986 *out = p;
987 return 0;
988 }
989
990
991 /*
992 * set `etype' to a malloced list of the default enctypes
993 */
994
995 static krb5_error_code
996 default_etypes(krb5_context context, krb5_enctype **etype)
997 {
998 const krb5_enctype *p = krb5_kerberos_enctypes(context);
999 return copy_enctypes(context, p, etype);
1000 }
1001
1002 /**
1003 * Set the default encryption types that will be use in communcation
1004 * with the KDC, clients and servers.
1005 *
1006 * @param context Kerberos 5 context.
1007 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
1008 *
1009 * @return Returns 0 to indicate success. Otherwise an kerberos et
1010 * error code is returned, see krb5_get_error_message().
1011 *
1012 * @ingroup krb5
1013 */
1014
1015 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1016 krb5_set_default_in_tkt_etypes(krb5_context context,
1017 const krb5_enctype *etypes)
1018 {
1019 krb5_error_code ret;
1020 krb5_enctype *p = NULL;
1021
1022 if(etypes) {
1023 ret = copy_enctypes(context, etypes, &p);
1024 if (ret)
1025 return ret;
1026 }
1027 if(context->etypes)
1028 free(context->etypes);
1029 context->etypes = p;
1030 return 0;
1031 }
1032
1033 /**
1034 * Get the default encryption types that will be use in communcation
1035 * with the KDC, clients and servers.
1036 *
1037 * @param context Kerberos 5 context.
1038 * @param etypes Encryption types, array terminated with
1039 * ETYPE_NULL(0), caller should free array with krb5_xfree():
1040 *
1041 * @return Returns 0 to indicate success. Otherwise an kerberos et
1042 * error code is returned, see krb5_get_error_message().
1043 *
1044 * @ingroup krb5
1045 */
1046
1047 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1048 krb5_get_default_in_tkt_etypes(krb5_context context,
1049 krb5_pdu pdu_type,
1050 krb5_enctype **etypes)
1051 {
1052 krb5_enctype *enctypes = NULL;
1053 krb5_error_code ret;
1054 krb5_enctype *p;
1055
1056 heim_assert(pdu_type == KRB5_PDU_AS_REQUEST ||
1057 pdu_type == KRB5_PDU_TGS_REQUEST ||
1058 pdu_type == KRB5_PDU_NONE, "pdu contant not as expected");
1059
1060 if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
1061 enctypes = context->as_etypes;
1062 else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
1063 enctypes = context->tgs_etypes;
1064 else if (context->etypes != NULL)
1065 enctypes = context->etypes;
1066
1067 if (enctypes != NULL) {
1068 ret = copy_enctypes(context, enctypes, &p);
1069 if (ret)
1070 return ret;
1071 } else {
1072 ret = default_etypes(context, &p);
1073 if (ret)
1074 return ret;
1075 }
1076 *etypes = p;
1077 return 0;
1078 }
1079
1080 /**
1081 * Init the built-in ets in the Kerberos library.
1082 *
1083 * @param context kerberos context to add the ets too
1084 *
1085 * @ingroup krb5
1086 */
1087
1088 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1089 krb5_init_ets(krb5_context context)
1090 {
1091 if(context->et_list == NULL){
1092 krb5_add_et_list(context, initialize_krb5_error_table_r);
1093 krb5_add_et_list(context, initialize_asn1_error_table_r);
1094 krb5_add_et_list(context, initialize_heim_error_table_r);
1095
1096 krb5_add_et_list(context, initialize_k524_error_table_r);
1097
1098 #ifdef COM_ERR_BINDDOMAIN_krb5
1099 bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
1100 bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
1101 bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
1102 bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
1103 #endif
1104
1105 #ifdef PKINIT
1106 krb5_add_et_list(context, initialize_hx_error_table_r);
1107 #ifdef COM_ERR_BINDDOMAIN_hx
1108 bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
1109 #endif
1110 #endif
1111 }
1112 }
1113
1114 /**
1115 * Make the kerberos library default to the admin KDC.
1116 *
1117 * @param context Kerberos 5 context.
1118 * @param flag boolean flag to select if the use the admin KDC or not.
1119 *
1120 * @ingroup krb5
1121 */
1122
1123 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1124 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
1125 {
1126 context->use_admin_kdc = flag;
1127 }
1128
1129 /**
1130 * Make the kerberos library default to the admin KDC.
1131 *
1132 * @param context Kerberos 5 context.
1133 *
1134 * @return boolean flag to telling the context will use admin KDC as the default KDC.
1135 *
1136 * @ingroup krb5
1137 */
1138
1139 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1140 krb5_get_use_admin_kdc (krb5_context context)
1141 {
1142 return context->use_admin_kdc;
1143 }
1144
1145 /**
1146 * Add extra address to the address list that the library will add to
1147 * the client's address list when communicating with the KDC.
1148 *
1149 * @param context Kerberos 5 context.
1150 * @param addresses addreses to add
1151 *
1152 * @return Returns 0 to indicate success. Otherwise an kerberos et
1153 * error code is returned, see krb5_get_error_message().
1154 *
1155 * @ingroup krb5
1156 */
1157
1158 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1159 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
1160 {
1161
1162 if(context->extra_addresses)
1163 return krb5_append_addresses(context,
1164 context->extra_addresses, addresses);
1165 else
1166 return krb5_set_extra_addresses(context, addresses);
1167 }
1168
1169 /**
1170 * Set extra address to the address list that the library will add to
1171 * the client's address list when communicating with the KDC.
1172 *
1173 * @param context Kerberos 5 context.
1174 * @param addresses addreses to set
1175 *
1176 * @return Returns 0 to indicate success. Otherwise an kerberos et
1177 * error code is returned, see krb5_get_error_message().
1178 *
1179 * @ingroup krb5
1180 */
1181
1182 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1183 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
1184 {
1185 if(context->extra_addresses)
1186 krb5_free_addresses(context, context->extra_addresses);
1187
1188 if(addresses == NULL) {
1189 if(context->extra_addresses != NULL) {
1190 free(context->extra_addresses);
1191 context->extra_addresses = NULL;
1192 }
1193 return 0;
1194 }
1195 if(context->extra_addresses == NULL) {
1196 context->extra_addresses = malloc(sizeof(*context->extra_addresses));
1197 if (context->extra_addresses == NULL)
1198 return krb5_enomem(context);
1199 }
1200 return krb5_copy_addresses(context, addresses, context->extra_addresses);
1201 }
1202
1203 /**
1204 * Get extra address to the address list that the library will add to
1205 * the client's address list when communicating with the KDC.
1206 *
1207 * @param context Kerberos 5 context.
1208 * @param addresses addreses to set
1209 *
1210 * @return Returns 0 to indicate success. Otherwise an kerberos et
1211 * error code is returned, see krb5_get_error_message().
1212 *
1213 * @ingroup krb5
1214 */
1215
1216 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1217 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
1218 {
1219 if(context->extra_addresses == NULL) {
1220 memset(addresses, 0, sizeof(*addresses));
1221 return 0;
1222 }
1223 return krb5_copy_addresses(context,context->extra_addresses, addresses);
1224 }
1225
1226 /**
1227 * Add extra addresses to ignore when fetching addresses from the
1228 * underlaying operating system.
1229 *
1230 * @param context Kerberos 5 context.
1231 * @param addresses addreses to ignore
1232 *
1233 * @return Returns 0 to indicate success. Otherwise an kerberos et
1234 * error code is returned, see krb5_get_error_message().
1235 *
1236 * @ingroup krb5
1237 */
1238
1239 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1240 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1241 {
1242
1243 if(context->ignore_addresses)
1244 return krb5_append_addresses(context,
1245 context->ignore_addresses, addresses);
1246 else
1247 return krb5_set_ignore_addresses(context, addresses);
1248 }
1249
1250 /**
1251 * Set extra addresses to ignore when fetching addresses from the
1252 * underlaying operating system.
1253 *
1254 * @param context Kerberos 5 context.
1255 * @param addresses addreses to ignore
1256 *
1257 * @return Returns 0 to indicate success. Otherwise an kerberos et
1258 * error code is returned, see krb5_get_error_message().
1259 *
1260 * @ingroup krb5
1261 */
1262
1263 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1264 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
1265 {
1266 if(context->ignore_addresses)
1267 krb5_free_addresses(context, context->ignore_addresses);
1268 if(addresses == NULL) {
1269 if(context->ignore_addresses != NULL) {
1270 free(context->ignore_addresses);
1271 context->ignore_addresses = NULL;
1272 }
1273 return 0;
1274 }
1275 if(context->ignore_addresses == NULL) {
1276 context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
1277 if (context->ignore_addresses == NULL)
1278 return krb5_enomem(context);
1279 }
1280 return krb5_copy_addresses(context, addresses, context->ignore_addresses);
1281 }
1282
1283 /**
1284 * Get extra addresses to ignore when fetching addresses from the
1285 * underlaying operating system.
1286 *
1287 * @param context Kerberos 5 context.
1288 * @param addresses list addreses ignored
1289 *
1290 * @return Returns 0 to indicate success. Otherwise an kerberos et
1291 * error code is returned, see krb5_get_error_message().
1292 *
1293 * @ingroup krb5
1294 */
1295
1296 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1297 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1298 {
1299 if(context->ignore_addresses == NULL) {
1300 memset(addresses, 0, sizeof(*addresses));
1301 return 0;
1302 }
1303 return krb5_copy_addresses(context, context->ignore_addresses, addresses);
1304 }
1305
1306 /**
1307 * Set version of fcache that the library should use.
1308 *
1309 * @param context Kerberos 5 context.
1310 * @param version version number.
1311 *
1312 * @return Returns 0 to indicate success. Otherwise an kerberos et
1313 * error code is returned, see krb5_get_error_message().
1314 *
1315 * @ingroup krb5
1316 */
1317
1318 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1319 krb5_set_fcache_version(krb5_context context, int version)
1320 {
1321 context->fcache_vno = version;
1322 return 0;
1323 }
1324
1325 /**
1326 * Get version of fcache that the library should use.
1327 *
1328 * @param context Kerberos 5 context.
1329 * @param version version number.
1330 *
1331 * @return Returns 0 to indicate success. Otherwise an kerberos et
1332 * error code is returned, see krb5_get_error_message().
1333 *
1334 * @ingroup krb5
1335 */
1336
1337 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1338 krb5_get_fcache_version(krb5_context context, int *version)
1339 {
1340 *version = context->fcache_vno;
1341 return 0;
1342 }
1343
1344 /**
1345 * Runtime check if the Kerberos library was complied with thread support.
1346 *
1347 * @return TRUE if the library was compiled with thread support, FALSE if not.
1348 *
1349 * @ingroup krb5
1350 */
1351
1352
1353 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1354 krb5_is_thread_safe(void)
1355 {
1356 #ifdef ENABLE_PTHREAD_SUPPORT
1357 return TRUE;
1358 #else
1359 return FALSE;
1360 #endif
1361 }
1362
1363 /**
1364 * Set if the library should use DNS to canonicalize hostnames.
1365 *
1366 * @param context Kerberos 5 context.
1367 * @param flag if its dns canonicalizion is used or not.
1368 *
1369 * @ingroup krb5
1370 */
1371
1372 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1373 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
1374 {
1375 if (flag)
1376 context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1377 else
1378 context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1379 }
1380
1381 /**
1382 * Get if the library uses DNS to canonicalize hostnames.
1383 *
1384 * @param context Kerberos 5 context.
1385 *
1386 * @return return non zero if the library uses DNS to canonicalize hostnames.
1387 *
1388 * @ingroup krb5
1389 */
1390
1391 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1392 krb5_get_dns_canonicalize_hostname (krb5_context context)
1393 {
1394 return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
1395 }
1396
1397 /**
1398 * Get current offset in time to the KDC.
1399 *
1400 * @param context Kerberos 5 context.
1401 * @param sec seconds part of offset.
1402 * @param usec micro seconds part of offset.
1403 *
1404 * @return returns zero
1405 *
1406 * @ingroup krb5
1407 */
1408
1409 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1410 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
1411 {
1412 if (sec)
1413 *sec = context->kdc_sec_offset;
1414 if (usec)
1415 *usec = context->kdc_usec_offset;
1416 return 0;
1417 }
1418
1419 /**
1420 * Set current offset in time to the KDC.
1421 *
1422 * @param context Kerberos 5 context.
1423 * @param sec seconds part of offset.
1424 * @param usec micro seconds part of offset.
1425 *
1426 * @return returns zero
1427 *
1428 * @ingroup krb5
1429 */
1430
1431 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1432 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1433 {
1434 context->kdc_sec_offset = sec;
1435 if (usec >= 0)
1436 context->kdc_usec_offset = usec;
1437 return 0;
1438 }
1439
1440 /**
1441 * Get max time skew allowed.
1442 *
1443 * @param context Kerberos 5 context.
1444 *
1445 * @return timeskew in seconds.
1446 *
1447 * @ingroup krb5
1448 */
1449
1450 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
1451 krb5_get_max_time_skew (krb5_context context)
1452 {
1453 return context->max_skew;
1454 }
1455
1456 /**
1457 * Set max time skew allowed.
1458 *
1459 * @param context Kerberos 5 context.
1460 * @param t timeskew in seconds.
1461 *
1462 * @ingroup krb5
1463 */
1464
1465 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1466 krb5_set_max_time_skew (krb5_context context, time_t t)
1467 {
1468 context->max_skew = t;
1469 }
1470
1471 /*
1472 * Init encryption types in len, val with etypes.
1473 *
1474 * @param context Kerberos 5 context.
1475 * @param pdu_type type of pdu
1476 * @param len output length of val.
1477 * @param val output array of enctypes.
1478 * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1479
1480 * @return Returns 0 to indicate success. Otherwise an kerberos et
1481 * error code is returned, see krb5_get_error_message().
1482 *
1483 * @ingroup krb5
1484 */
1485
1486 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1487 _krb5_init_etype(krb5_context context,
1488 krb5_pdu pdu_type,
1489 unsigned *len,
1490 krb5_enctype **val,
1491 const krb5_enctype *etypes)
1492 {
1493 krb5_error_code ret;
1494
1495 if (etypes == NULL)
1496 ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
1497 else
1498 ret = copy_enctypes(context, etypes, val);
1499 if (ret)
1500 return ret;
1501
1502 if (len) {
1503 *len = 0;
1504 while ((*val)[*len] != KRB5_ENCTYPE_NULL)
1505 (*len)++;
1506 }
1507 return 0;
1508 }
1509
1510 /*
1511 * Allow homedir accces
1512 */
1513
1514 static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
1515 static krb5_boolean allow_homedir = TRUE;
1516
1517 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1518 _krb5_homedir_access(krb5_context context)
1519 {
1520 krb5_boolean allow;
1521
1522 if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
1523 return FALSE;
1524
1525 HEIMDAL_MUTEX_lock(&homedir_mutex);
1526 allow = allow_homedir;
1527 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1528 return allow;
1529 }
1530
1531 /**
1532 * Enable and disable home directory access on either the global state
1533 * or the krb5_context state. By calling krb5_set_home_dir_access()
1534 * with context set to NULL, the global state is configured otherwise
1535 * the state for the krb5_context is modified.
1536 *
1537 * For home directory access to be allowed, both the global state and
1538 * the krb5_context state have to be allowed.
1539 *
1540 * Administrator (root user), never uses the home directory.
1541 *
1542 * @param context a Kerberos 5 context or NULL
1543 * @param allow allow if TRUE home directory
1544 * @return the old value
1545 *
1546 * @ingroup krb5
1547 */
1548
1549 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1550 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
1551 {
1552 krb5_boolean old;
1553 if (context) {
1554 old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
1555 if (allow)
1556 context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
1557 else
1558 context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
1559 } else {
1560 HEIMDAL_MUTEX_lock(&homedir_mutex);
1561 old = allow_homedir;
1562 allow_homedir = allow;
1563 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1564 }
1565
1566 return old;
1567 }
Heimdal