search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
add [libdefaults]fcache_strict_checking to gate the strict checking, defaults to on
[heimdal.git] / lib / krb5 / context.c
blobd69738bb598d35b7f24b7f3e4da0f2c56fce7c39
1 /*
2 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37 #include <assert.h>
38 #include <com_err.h>
39
40 #define INIT_FIELD(C, T, E, D, F) \
41 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
42 "libdefaults", F, NULL)
43
44 #define INIT_FLAG(C, O, V, D, F) \
45 do { \
46 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
47 (C)->O |= V; \
48 } \
49 } while(0)
50
51 /*
52 * Set the list of etypes `ret_etypes' from the configuration variable
53 * `name'
54 */
55
56 static krb5_error_code
57 set_etypes (krb5_context context,
58 const char *name,
59 krb5_enctype **ret_enctypes)
60 {
61 char **etypes_str;
62 krb5_enctype *etypes = NULL;
63
64 etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
65 name, NULL);
66 if(etypes_str){
67 int i, j, k;
68 for(i = 0; etypes_str[i]; i++);
69 etypes = malloc((i+1) * sizeof(*etypes));
70 if (etypes == NULL) {
71 krb5_config_free_strings (etypes_str);
72 return krb5_enomem(context);
73 }
74 for(j = 0, k = 0; j < i; j++) {
75 krb5_enctype e;
76 if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
77 continue;
78 if (krb5_enctype_valid(context, e) != 0)
79 continue;
80 etypes[k++] = e;
81 }
82 etypes[k] = ETYPE_NULL;
83 krb5_config_free_strings(etypes_str);
84 }
85 *ret_enctypes = etypes;
86 return 0;
87 }
88
89 /*
90 * read variables from the configuration file and set in `context'
91 */
92
93 static krb5_error_code
94 init_context_from_config_file(krb5_context context)
95 {
96 krb5_error_code ret;
97 const char * tmp;
98 char **s;
99 krb5_enctype *tmptypes;
100
101 INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
102 INIT_FIELD(context, time, kdc_timeout, 30, "kdc_timeout");
103 INIT_FIELD(context, time, host_timeout, 3, "host_timeout");
104 INIT_FIELD(context, int, max_retries, 3, "max_retries");
105
106 INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
107
108 ret = krb5_config_get_bool_default(context, NULL, FALSE,
109 "libdefaults",
110 "allow_weak_crypto", NULL);
111 if (ret) {
112 krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
113 krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
114 krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
115 krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
116 krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
117 krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
118 }
119
120 ret = set_etypes (context, "default_etypes", &tmptypes);
121 if(ret)
122 return ret;
123 free(context->etypes);
124 context->etypes = tmptypes;
125
126 ret = set_etypes (context, "default_etypes_des", &tmptypes);
127 if(ret)
128 return ret;
129 free(context->etypes_des);
130 context->etypes_des = tmptypes;
131
132 ret = set_etypes (context, "default_as_etypes", &tmptypes);
133 if(ret)
134 return ret;
135 free(context->as_etypes);
136 context->as_etypes = tmptypes;
137
138 ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
139 if(ret)
140 return ret;
141 free(context->tgs_etypes);
142 context->tgs_etypes = tmptypes;
143
144 ret = set_etypes (context, "permitted_enctypes", &tmptypes);
145 if(ret)
146 return ret;
147 free(context->permitted_enctypes);
148 context->permitted_enctypes = tmptypes;
149
150 /* default keytab name */
151 tmp = NULL;
152 if(!issuid())
153 tmp = getenv("KRB5_KTNAME");
154 if(tmp != NULL)
155 context->default_keytab = tmp;
156 else
157 INIT_FIELD(context, string, default_keytab,
158 KEYTAB_DEFAULT, "default_keytab_name");
159
160 INIT_FIELD(context, string, default_keytab_modify,
161 NULL, "default_keytab_modify_name");
162
163 INIT_FIELD(context, string, time_fmt,
164 "%Y-%m-%dT%H:%M:%S", "time_format");
165
166 INIT_FIELD(context, string, date_fmt,
167 "%Y-%m-%d", "date_format");
168
169 INIT_FIELD(context, bool, log_utc,
170 FALSE, "log_utc");
171
172
173
174 /* init dns-proxy slime */
175 tmp = krb5_config_get_string(context, NULL, "libdefaults",
176 "dns_proxy", NULL);
177 if(tmp)
178 roken_gethostby_setup(context->http_proxy, tmp);
179 krb5_free_host_realm (context, context->default_realms);
180 context->default_realms = NULL;
181
182 {
183 krb5_addresses addresses;
184 char **adr, **a;
185
186 krb5_set_extra_addresses(context, NULL);
187 adr = krb5_config_get_strings(context, NULL,
188 "libdefaults",
189 "extra_addresses",
190 NULL);
191 memset(&addresses, 0, sizeof(addresses));
192 for(a = adr; a && *a; a++) {
193 ret = krb5_parse_address(context, *a, &addresses);
194 if (ret == 0) {
195 krb5_add_extra_addresses(context, &addresses);
196 krb5_free_addresses(context, &addresses);
197 }
198 }
199 krb5_config_free_strings(adr);
200
201 krb5_set_ignore_addresses(context, NULL);
202 adr = krb5_config_get_strings(context, NULL,
203 "libdefaults",
204 "ignore_addresses",
205 NULL);
206 memset(&addresses, 0, sizeof(addresses));
207 for(a = adr; a && *a; a++) {
208 ret = krb5_parse_address(context, *a, &addresses);
209 if (ret == 0) {
210 krb5_add_ignore_addresses(context, &addresses);
211 krb5_free_addresses(context, &addresses);
212 }
213 }
214 krb5_config_free_strings(adr);
215 }
216
217 INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
218 INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
219 /* prefer dns_lookup_kdc over srv_lookup. */
220 INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
221 INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
222 INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
223 INIT_FIELD(context, int, max_msg_size, 1000 * 1024, "maximum_message_size");
224 INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
225 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
226
227 if (context->default_cc_name)
228 free(context->default_cc_name);
229 context->default_cc_name = NULL;
230 context->default_cc_name_set = 0;
231
232 s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
233 if(s) {
234 char **p;
235
236 if (context->debug_dest)
237 krb5_closelog(context, context->debug_dest);
238
239 krb5_initlog(context, "libkrb5", &context->debug_dest);
240 for(p = s; *p; p++)
241 krb5_addlog_dest(context, context->debug_dest, *p);
242 krb5_config_free_strings(s);
243 }
244
245 tmp = krb5_config_get_string(context, NULL, "libdefaults",
246 "check-rd-req-server", NULL);
247 if (tmp == NULL && !issuid())
248 tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
249 if(tmp) {
250 if (strcasecmp(tmp, "ignore") == 0)
251 context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
252 }
253 ret = krb5_config_get_bool_default(context, NULL, TRUE,
254 "libdefaults",
255 "fcache_strict_checking", NULL);
256 if (ret)
257 context->flags |= KRB5_CTX_F_FCACHE_STRICT_CHECKING;
258
259 return 0;
260 }
261
262 static krb5_error_code
263 cc_ops_register(krb5_context context)
264 {
265 context->cc_ops = NULL;
266 context->num_cc_ops = 0;
267
268 #ifndef KCM_IS_API_CACHE
269 krb5_cc_register(context, &krb5_acc_ops, TRUE);
270 #endif
271 krb5_cc_register(context, &krb5_fcc_ops, TRUE);
272 krb5_cc_register(context, &krb5_dcc_ops, TRUE);
273 krb5_cc_register(context, &krb5_mcc_ops, TRUE);
274 #ifdef HAVE_SCC
275 krb5_cc_register(context, &krb5_scc_ops, TRUE);
276 #endif
277 #ifdef HAVE_KCM
278 #ifdef KCM_IS_API_CACHE
279 krb5_cc_register(context, &krb5_akcm_ops, TRUE);
280 #endif
281 krb5_cc_register(context, &krb5_kcm_ops, TRUE);
282 #endif
283 _krb5_load_ccache_plugins(context);
284 return 0;
285 }
286
287 static krb5_error_code
288 cc_ops_copy(krb5_context context, const krb5_context src_context)
289 {
290 const krb5_cc_ops **cc_ops;
291
292 context->cc_ops = NULL;
293 context->num_cc_ops = 0;
294
295 if (src_context->num_cc_ops == 0)
296 return 0;
297
298 cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
299 if (cc_ops == NULL) {
300 krb5_set_error_message(context, KRB5_CC_NOMEM,
301 N_("malloc: out of memory", ""));
302 return KRB5_CC_NOMEM;
303 }
304
305 memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
306 sizeof(cc_ops[0]) * src_context->num_cc_ops);
307 context->cc_ops = cc_ops;
308 context->num_cc_ops = src_context->num_cc_ops;
309
310 return 0;
311 }
312
313 static krb5_error_code
314 kt_ops_register(krb5_context context)
315 {
316 context->num_kt_types = 0;
317 context->kt_types = NULL;
318
319 krb5_kt_register (context, &krb5_fkt_ops);
320 krb5_kt_register (context, &krb5_wrfkt_ops);
321 krb5_kt_register (context, &krb5_javakt_ops);
322 krb5_kt_register (context, &krb5_mkt_ops);
323 #ifndef HEIMDAL_SMALLER
324 krb5_kt_register (context, &krb5_akf_ops);
325 #endif
326 krb5_kt_register (context, &krb5_any_ops);
327 return 0;
328 }
329
330 static krb5_error_code
331 kt_ops_copy(krb5_context context, const krb5_context src_context)
332 {
333 context->num_kt_types = 0;
334 context->kt_types = NULL;
335
336 if (src_context->num_kt_types == 0)
337 return 0;
338
339 context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
340 if (context->kt_types == NULL)
341 return krb5_enomem(context);
342
343 context->num_kt_types = src_context->num_kt_types;
344 memcpy(context->kt_types, src_context->kt_types,
345 sizeof(context->kt_types[0]) * src_context->num_kt_types);
346
347 return 0;
348 }
349
350 static const char *sysplugin_dirs[] = {
351 LIBDIR "/plugin/krb5",
352 #ifdef __APPLE__
353 "/Library/KerberosPlugins/KerberosFrameworkPlugins",
354 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
355 #endif
356 NULL
357 };
358
359 static void
360 init_context_once(void *ctx)
361 {
362 krb5_context context = ctx;
363 char **dirs;
364
365 dirs = krb5_config_get_strings(context, NULL, "libdefaults",
366 "plugin_dir", NULL);
367 if (dirs == NULL)
368 dirs = rk_UNCONST(sysplugin_dirs);
369
370 _krb5_load_plugins(context, "krb5", (const char **)dirs);
371
372 if (dirs != rk_UNCONST(sysplugin_dirs))
373 krb5_config_free_strings(dirs);
374
375 bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
376 }
377
378
379 /**
380 * Initializes the context structure and reads the configuration file
381 * /etc/krb5.conf. The structure should be freed by calling
382 * krb5_free_context() when it is no longer being used.
383 *
384 * @param context pointer to returned context
385 *
386 * @return Returns 0 to indicate success. Otherwise an errno code is
387 * returned. Failure means either that something bad happened during
388 * initialization (typically ENOMEM) or that Kerberos should not be
389 * used ENXIO.
390 *
391 * @ingroup krb5
392 */
393
394 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
395 krb5_init_context(krb5_context *context)
396 {
397 static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
398 krb5_context p;
399 krb5_error_code ret;
400 char **files;
401
402 *context = NULL;
403
404 p = calloc(1, sizeof(*p));
405 if(!p)
406 return ENOMEM;
407
408 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
409 if (p->mutex == NULL) {
410 free(p);
411 return ENOMEM;
412 }
413 HEIMDAL_MUTEX_init(p->mutex);
414
415 p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
416
417 ret = krb5_get_default_config_files(&files);
418 if(ret)
419 goto out;
420 ret = krb5_set_config_files(p, files);
421 krb5_free_config_files(files);
422 if(ret)
423 goto out;
424
425 /* done enough to load plugins */
426 heim_base_once_f(&init_context, p, init_context_once);
427
428 /* init error tables */
429 krb5_init_ets(p);
430 cc_ops_register(p);
431 kt_ops_register(p);
432
433 #ifdef PKINIT
434 ret = hx509_context_init(&p->hx509ctx);
435 if (ret)
436 goto out;
437 #endif
438 if (rk_SOCK_INIT())
439 p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
440
441 out:
442 if(ret) {
443 krb5_free_context(p);
444 p = NULL;
445 }
446 *context = p;
447 return ret;
448 }
449
450 #ifndef HEIMDAL_SMALLER
451
452 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
453 krb5_get_permitted_enctypes(krb5_context context,
454 krb5_enctype **etypes)
455 {
456 return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
457 }
458
459 /*
460 *
461 */
462
463 static krb5_error_code
464 copy_etypes (krb5_context context,
465 krb5_enctype *enctypes,
466 krb5_enctype **ret_enctypes)
467 {
468 unsigned int i;
469
470 for (i = 0; enctypes[i]; i++)
471 ;
472 i++;
473
474 *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i);
475 if (*ret_enctypes == NULL)
476 return krb5_enomem(context);
477 memcpy(*ret_enctypes, enctypes, sizeof(ret_enctypes[0]) * i);
478 return 0;
479 }
480
481 /**
482 * Make a copy for the Kerberos 5 context, the new krb5_context shoud
483 * be freed with krb5_free_context().
484 *
485 * @param context the Kerberos context to copy
486 * @param out the copy of the Kerberos, set to NULL error.
487 *
488 * @return Returns 0 to indicate success. Otherwise an kerberos et
489 * error code is returned, see krb5_get_error_message().
490 *
491 * @ingroup krb5
492 */
493
494 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
495 krb5_copy_context(krb5_context context, krb5_context *out)
496 {
497 krb5_error_code ret;
498 krb5_context p;
499
500 *out = NULL;
501
502 p = calloc(1, sizeof(*p));
503 if (p == NULL)
504 return krb5_enomem(context);
505
506 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
507 if (p->mutex == NULL) {
508 free(p);
509 return krb5_enomem(context);
510 }
511 HEIMDAL_MUTEX_init(p->mutex);
512
513
514 if (context->default_cc_name)
515 p->default_cc_name = strdup(context->default_cc_name);
516 if (context->default_cc_name_env)
517 p->default_cc_name_env = strdup(context->default_cc_name_env);
518
519 if (context->etypes) {
520 ret = copy_etypes(context, context->etypes, &p->etypes);
521 if (ret)
522 goto out;
523 }
524 if (context->etypes_des) {
525 ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
526 if (ret)
527 goto out;
528 }
529
530 if (context->default_realms) {
531 ret = krb5_copy_host_realm(context,
532 context->default_realms, &p->default_realms);
533 if (ret)
534 goto out;
535 }
536
537 ret = _krb5_config_copy(context, context->cf, &p->cf);
538 if (ret)
539 goto out;
540
541 /* XXX should copy */
542 krb5_init_ets(p);
543
544 cc_ops_copy(p, context);
545 kt_ops_copy(p, context);
546
547 #if 0 /* XXX */
548 if(context->warn_dest != NULL)
549 ;
550 if(context->debug_dest != NULL)
551 ;
552 #endif
553
554 ret = krb5_set_extra_addresses(p, context->extra_addresses);
555 if (ret)
556 goto out;
557 ret = krb5_set_extra_addresses(p, context->ignore_addresses);
558 if (ret)
559 goto out;
560
561 ret = _krb5_copy_send_to_kdc_func(p, context);
562 if (ret)
563 goto out;
564
565 *out = p;
566
567 return 0;
568
569 out:
570 krb5_free_context(p);
571 return ret;
572 }
573
574 #endif
575
576 /**
577 * Frees the krb5_context allocated by krb5_init_context().
578 *
579 * @param context context to be freed.
580 *
581 * @ingroup krb5
582 */
583
584 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
585 krb5_free_context(krb5_context context)
586 {
587 if (context->default_cc_name)
588 free(context->default_cc_name);
589 if (context->default_cc_name_env)
590 free(context->default_cc_name_env);
591 free(context->etypes);
592 free(context->etypes_des);
593 krb5_free_host_realm (context, context->default_realms);
594 krb5_config_file_free (context, context->cf);
595 free_error_table (context->et_list);
596 free(rk_UNCONST(context->cc_ops));
597 free(context->kt_types);
598 krb5_clear_error_message(context);
599 if(context->warn_dest != NULL)
600 krb5_closelog(context, context->warn_dest);
601 if(context->debug_dest != NULL)
602 krb5_closelog(context, context->debug_dest);
603 krb5_set_extra_addresses(context, NULL);
604 krb5_set_ignore_addresses(context, NULL);
605 krb5_set_send_to_kdc_func(context, NULL, NULL);
606
607 #ifdef PKINIT
608 if (context->hx509ctx)
609 hx509_context_free(&context->hx509ctx);
610 #endif
611
612 HEIMDAL_MUTEX_destroy(context->mutex);
613 free(context->mutex);
614 if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
615 rk_SOCK_EXIT();
616 }
617
618 memset(context, 0, sizeof(*context));
619 free(context);
620 }
621
622 /**
623 * Reinit the context from a new set of filenames.
624 *
625 * @param context context to add configuration too.
626 * @param filenames array of filenames, end of list is indicated with a NULL filename.
627 *
628 * @return Returns 0 to indicate success. Otherwise an kerberos et
629 * error code is returned, see krb5_get_error_message().
630 *
631 * @ingroup krb5
632 */
633
634 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
635 krb5_set_config_files(krb5_context context, char **filenames)
636 {
637 krb5_error_code ret;
638 krb5_config_binding *tmp = NULL;
639 while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
640 ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
641 if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) {
642 krb5_config_file_free(context, tmp);
643 return ret;
644 }
645 filenames++;
646 }
647 #if 0
648 /* with this enabled and if there are no config files, Kerberos is
649 considererd disabled */
650 if(tmp == NULL)
651 return ENXIO;
652 #endif
653
654 #ifdef _WIN32
655 _krb5_load_config_from_registry(context, &tmp);
656 #endif
657
658 krb5_config_file_free(context, context->cf);
659 context->cf = tmp;
660 ret = init_context_from_config_file(context);
661 return ret;
662 }
663
664 static krb5_error_code
665 add_file(char ***pfilenames, int *len, char *file)
666 {
667 char **pp = *pfilenames;
668 int i;
669
670 for(i = 0; i < *len; i++) {
671 if(strcmp(pp[i], file) == 0) {
672 free(file);
673 return 0;
674 }
675 }
676
677 pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp));
678 if (pp == NULL) {
679 free(file);
680 return ENOMEM;
681 }
682
683 pp[*len] = file;
684 pp[*len + 1] = NULL;
685 *pfilenames = pp;
686 *len += 1;
687 return 0;
688 }
689
690 /*
691 * `pq' isn't free, it's up the the caller
692 */
693
694 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
695 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
696 {
697 krb5_error_code ret;
698 const char *p, *q;
699 char **pp;
700 int len;
701 char *fn;
702
703 pp = NULL;
704
705 len = 0;
706 p = filelist;
707 while(1) {
708 ssize_t l;
709 q = p;
710 l = strsep_copy(&q, PATH_SEP, NULL, 0);
711 if(l == -1)
712 break;
713 fn = malloc(l + 1);
714 if(fn == NULL) {
715 krb5_free_config_files(pp);
716 return ENOMEM;
717 }
718 (void)strsep_copy(&p, PATH_SEP, fn, l + 1);
719 ret = add_file(&pp, &len, fn);
720 if (ret) {
721 krb5_free_config_files(pp);
722 return ret;
723 }
724 }
725
726 if (pq != NULL) {
727 int i;
728
729 for (i = 0; pq[i] != NULL; i++) {
730 fn = strdup(pq[i]);
731 if (fn == NULL) {
732 krb5_free_config_files(pp);
733 return ENOMEM;
734 }
735 ret = add_file(&pp, &len, fn);
736 if (ret) {
737 krb5_free_config_files(pp);
738 return ret;
739 }
740 }
741 }
742
743 *ret_pp = pp;
744 return 0;
745 }
746
747 /**
748 * Prepend the filename to the global configuration list.
749 *
750 * @param filelist a filename to add to the default list of filename
751 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
752 *
753 * @return Returns 0 to indicate success. Otherwise an kerberos et
754 * error code is returned, see krb5_get_error_message().
755 *
756 * @ingroup krb5
757 */
758
759 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
760 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
761 {
762 krb5_error_code ret;
763 char **defpp, **pp = NULL;
764
765 ret = krb5_get_default_config_files(&defpp);
766 if (ret)
767 return ret;
768
769 ret = krb5_prepend_config_files(filelist, defpp, &pp);
770 krb5_free_config_files(defpp);
771 if (ret) {
772 return ret;
773 }
774 *pfilenames = pp;
775 return 0;
776 }
777
778 #ifdef _WIN32
779
780 /**
781 * Checks the registry for configuration file location
782 *
783 * Kerberos for Windows and other legacy Kerberos applications expect
784 * to find the configuration file location in the
785 * SOFTWARE\MIT\Kerberos registry key under the value "config".
786 */
787 KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
788 _krb5_get_default_config_config_files_from_registry()
789 {
790 static const char * KeyName = "Software\\MIT\\Kerberos";
791 char *config_file = NULL;
792 LONG rcode;
793 HKEY key;
794
795 rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key);
796 if (rcode == ERROR_SUCCESS) {
797 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
798 REG_NONE, 0, PATH_SEP);
799 RegCloseKey(key);
800 }
801
802 if (config_file)
803 return config_file;
804
805 rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key);
806 if (rcode == ERROR_SUCCESS) {
807 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
808 REG_NONE, 0, PATH_SEP);
809 RegCloseKey(key);
810 }
811
812 return config_file;
813 }
814
815 #endif
816
817 /**
818 * Get the global configuration list.
819 *
820 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
821 *
822 * @return Returns 0 to indicate success. Otherwise an kerberos et
823 * error code is returned, see krb5_get_error_message().
824 *
825 * @ingroup krb5
826 */
827
828 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
829 krb5_get_default_config_files(char ***pfilenames)
830 {
831 const char *files = NULL;
832
833 if (pfilenames == NULL)
834 return EINVAL;
835 if(!issuid())
836 files = getenv("KRB5_CONFIG");
837
838 #ifdef _WIN32
839 if (files == NULL) {
840 char * reg_files;
841 reg_files = _krb5_get_default_config_config_files_from_registry();
842 if (reg_files != NULL) {
843 krb5_error_code code;
844
845 code = krb5_prepend_config_files(reg_files, NULL, pfilenames);
846 free(reg_files);
847
848 return code;
849 }
850 }
851 #endif
852
853 if (files == NULL)
854 files = krb5_config_file;
855
856 return krb5_prepend_config_files(files, NULL, pfilenames);
857 }
858
859 /**
860 * Free a list of configuration files.
861 *
862 * @param filenames list, terminated with a NULL pointer, to be
863 * freed. NULL is an valid argument.
864 *
865 * @return Returns 0 to indicate success. Otherwise an kerberos et
866 * error code is returned, see krb5_get_error_message().
867 *
868 * @ingroup krb5
869 */
870
871 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
872 krb5_free_config_files(char **filenames)
873 {
874 char **p;
875 for(p = filenames; p && *p != NULL; p++)
876 free(*p);
877 free(filenames);
878 }
879
880 /**
881 * Returns the list of Kerberos encryption types sorted in order of
882 * most preferred to least preferred encryption type. Note that some
883 * encryption types might be disabled, so you need to check with
884 * krb5_enctype_valid() before using the encryption type.
885 *
886 * @return list of enctypes, terminated with ETYPE_NULL. Its a static
887 * array completed into the Kerberos library so the content doesn't
888 * need to be freed.
889 *
890 * @ingroup krb5
891 */
892
893 KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
894 krb5_kerberos_enctypes(krb5_context context)
895 {
896 static const krb5_enctype p[] = {
897 ETYPE_AES256_CTS_HMAC_SHA1_96,
898 ETYPE_AES128_CTS_HMAC_SHA1_96,
899 ETYPE_DES3_CBC_SHA1,
900 ETYPE_ARCFOUR_HMAC_MD5,
901 ETYPE_NULL
902 };
903
904 static const krb5_enctype weak[] = {
905 ETYPE_AES256_CTS_HMAC_SHA1_96,
906 ETYPE_AES128_CTS_HMAC_SHA1_96,
907 ETYPE_DES3_CBC_SHA1,
908 ETYPE_DES3_CBC_MD5,
909 ETYPE_ARCFOUR_HMAC_MD5,
910 ETYPE_DES_CBC_MD5,
911 ETYPE_DES_CBC_MD4,
912 ETYPE_DES_CBC_CRC,
913 ETYPE_NULL
914 };
915
916 /*
917 * if the list of enctypes enabled by "allow_weak_crypto"
918 * are valid, then return the former default enctype list
919 * that contained the weak entries.
920 */
921 if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC) == 0 &&
922 krb5_enctype_valid(context, ETYPE_DES_CBC_MD4) == 0 &&
923 krb5_enctype_valid(context, ETYPE_DES_CBC_MD5) == 0 &&
924 krb5_enctype_valid(context, ETYPE_DES_CBC_NONE) == 0 &&
925 krb5_enctype_valid(context, ETYPE_DES_CFB64_NONE) == 0 &&
926 krb5_enctype_valid(context, ETYPE_DES_PCBC_NONE) == 0)
927 return weak;
928
929 return p;
930 }
931
932 /*
933 *
934 */
935
936 static krb5_error_code
937 copy_enctypes(krb5_context context,
938 const krb5_enctype *in,
939 krb5_enctype **out)
940 {
941 krb5_enctype *p = NULL;
942 size_t m, n;
943
944 for (n = 0; in[n]; n++)
945 ;
946 n++;
947 ALLOC(p, n);
948 if(p == NULL)
949 return krb5_enomem(context);
950 for (n = 0, m = 0; in[n]; n++) {
951 if (krb5_enctype_valid(context, in[n]) != 0)
952 continue;
953 p[m++] = in[n];
954 }
955 p[m] = KRB5_ENCTYPE_NULL;
956 if (m == 0) {
957 free(p);
958 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
959 N_("no valid enctype set", ""));
960 return KRB5_PROG_ETYPE_NOSUPP;
961 }
962 *out = p;
963 return 0;
964 }
965
966
967 /*
968 * set `etype' to a malloced list of the default enctypes
969 */
970
971 static krb5_error_code
972 default_etypes(krb5_context context, krb5_enctype **etype)
973 {
974 const krb5_enctype *p = krb5_kerberos_enctypes(context);
975 return copy_enctypes(context, p, etype);
976 }
977
978 /**
979 * Set the default encryption types that will be use in communcation
980 * with the KDC, clients and servers.
981 *
982 * @param context Kerberos 5 context.
983 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
984 *
985 * @return Returns 0 to indicate success. Otherwise an kerberos et
986 * error code is returned, see krb5_get_error_message().
987 *
988 * @ingroup krb5
989 */
990
991 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
992 krb5_set_default_in_tkt_etypes(krb5_context context,
993 const krb5_enctype *etypes)
994 {
995 krb5_error_code ret;
996 krb5_enctype *p = NULL;
997
998 if(etypes) {
999 ret = copy_enctypes(context, etypes, &p);
1000 if (ret)
1001 return ret;
1002 }
1003 if(context->etypes)
1004 free(context->etypes);
1005 context->etypes = p;
1006 return 0;
1007 }
1008
1009 /**
1010 * Get the default encryption types that will be use in communcation
1011 * with the KDC, clients and servers.
1012 *
1013 * @param context Kerberos 5 context.
1014 * @param etypes Encryption types, array terminated with
1015 * ETYPE_NULL(0), caller should free array with krb5_xfree():
1016 *
1017 * @return Returns 0 to indicate success. Otherwise an kerberos et
1018 * error code is returned, see krb5_get_error_message().
1019 *
1020 * @ingroup krb5
1021 */
1022
1023 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1024 krb5_get_default_in_tkt_etypes(krb5_context context,
1025 krb5_pdu pdu_type,
1026 krb5_enctype **etypes)
1027 {
1028 krb5_enctype *enctypes = NULL;
1029 krb5_error_code ret;
1030 krb5_enctype *p;
1031
1032 heim_assert(pdu_type == KRB5_PDU_AS_REQUEST ||
1033 pdu_type == KRB5_PDU_TGS_REQUEST ||
1034 pdu_type == KRB5_PDU_NONE, "pdu contant not as expected");
1035
1036 if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
1037 enctypes = context->as_etypes;
1038 else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
1039 enctypes = context->tgs_etypes;
1040 else if (context->etypes != NULL)
1041 enctypes = context->etypes;
1042
1043 if (enctypes != NULL) {
1044 ret = copy_enctypes(context, enctypes, &p);
1045 if (ret)
1046 return ret;
1047 } else {
1048 ret = default_etypes(context, &p);
1049 if (ret)
1050 return ret;
1051 }
1052 *etypes = p;
1053 return 0;
1054 }
1055
1056 /**
1057 * Init the built-in ets in the Kerberos library.
1058 *
1059 * @param context kerberos context to add the ets too
1060 *
1061 * @ingroup krb5
1062 */
1063
1064 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1065 krb5_init_ets(krb5_context context)
1066 {
1067 if(context->et_list == NULL){
1068 krb5_add_et_list(context, initialize_krb5_error_table_r);
1069 krb5_add_et_list(context, initialize_asn1_error_table_r);
1070 krb5_add_et_list(context, initialize_heim_error_table_r);
1071
1072 krb5_add_et_list(context, initialize_k524_error_table_r);
1073
1074 #ifdef COM_ERR_BINDDOMAIN_krb5
1075 bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
1076 bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
1077 bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
1078 bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
1079 #endif
1080
1081 #ifdef PKINIT
1082 krb5_add_et_list(context, initialize_hx_error_table_r);
1083 #ifdef COM_ERR_BINDDOMAIN_hx
1084 bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
1085 #endif
1086 #endif
1087 }
1088 }
1089
1090 /**
1091 * Make the kerberos library default to the admin KDC.
1092 *
1093 * @param context Kerberos 5 context.
1094 * @param flag boolean flag to select if the use the admin KDC or not.
1095 *
1096 * @ingroup krb5
1097 */
1098
1099 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1100 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
1101 {
1102 context->use_admin_kdc = flag;
1103 }
1104
1105 /**
1106 * Make the kerberos library default to the admin KDC.
1107 *
1108 * @param context Kerberos 5 context.
1109 *
1110 * @return boolean flag to telling the context will use admin KDC as the default KDC.
1111 *
1112 * @ingroup krb5
1113 */
1114
1115 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1116 krb5_get_use_admin_kdc (krb5_context context)
1117 {
1118 return context->use_admin_kdc;
1119 }
1120
1121 /**
1122 * Add extra address to the address list that the library will add to
1123 * the client's address list when communicating with the KDC.
1124 *
1125 * @param context Kerberos 5 context.
1126 * @param addresses addreses to add
1127 *
1128 * @return Returns 0 to indicate success. Otherwise an kerberos et
1129 * error code is returned, see krb5_get_error_message().
1130 *
1131 * @ingroup krb5
1132 */
1133
1134 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1135 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
1136 {
1137
1138 if(context->extra_addresses)
1139 return krb5_append_addresses(context,
1140 context->extra_addresses, addresses);
1141 else
1142 return krb5_set_extra_addresses(context, addresses);
1143 }
1144
1145 /**
1146 * Set extra address to the address list that the library will add to
1147 * the client's address list when communicating with the KDC.
1148 *
1149 * @param context Kerberos 5 context.
1150 * @param addresses addreses to set
1151 *
1152 * @return Returns 0 to indicate success. Otherwise an kerberos et
1153 * error code is returned, see krb5_get_error_message().
1154 *
1155 * @ingroup krb5
1156 */
1157
1158 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1159 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
1160 {
1161 if(context->extra_addresses)
1162 krb5_free_addresses(context, context->extra_addresses);
1163
1164 if(addresses == NULL) {
1165 if(context->extra_addresses != NULL) {
1166 free(context->extra_addresses);
1167 context->extra_addresses = NULL;
1168 }
1169 return 0;
1170 }
1171 if(context->extra_addresses == NULL) {
1172 context->extra_addresses = malloc(sizeof(*context->extra_addresses));
1173 if (context->extra_addresses == NULL)
1174 return krb5_enomem(context);
1175 }
1176 return krb5_copy_addresses(context, addresses, context->extra_addresses);
1177 }
1178
1179 /**
1180 * Get extra address to the address list that the library will add to
1181 * the client's address list when communicating with the KDC.
1182 *
1183 * @param context Kerberos 5 context.
1184 * @param addresses addreses to set
1185 *
1186 * @return Returns 0 to indicate success. Otherwise an kerberos et
1187 * error code is returned, see krb5_get_error_message().
1188 *
1189 * @ingroup krb5
1190 */
1191
1192 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1193 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
1194 {
1195 if(context->extra_addresses == NULL) {
1196 memset(addresses, 0, sizeof(*addresses));
1197 return 0;
1198 }
1199 return krb5_copy_addresses(context,context->extra_addresses, addresses);
1200 }
1201
1202 /**
1203 * Add extra addresses to ignore when fetching addresses from the
1204 * underlaying operating system.
1205 *
1206 * @param context Kerberos 5 context.
1207 * @param addresses addreses to ignore
1208 *
1209 * @return Returns 0 to indicate success. Otherwise an kerberos et
1210 * error code is returned, see krb5_get_error_message().
1211 *
1212 * @ingroup krb5
1213 */
1214
1215 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1216 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1217 {
1218
1219 if(context->ignore_addresses)
1220 return krb5_append_addresses(context,
1221 context->ignore_addresses, addresses);
1222 else
1223 return krb5_set_ignore_addresses(context, addresses);
1224 }
1225
1226 /**
1227 * Set extra addresses to ignore when fetching addresses from the
1228 * underlaying operating system.
1229 *
1230 * @param context Kerberos 5 context.
1231 * @param addresses addreses to ignore
1232 *
1233 * @return Returns 0 to indicate success. Otherwise an kerberos et
1234 * error code is returned, see krb5_get_error_message().
1235 *
1236 * @ingroup krb5
1237 */
1238
1239 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1240 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
1241 {
1242 if(context->ignore_addresses)
1243 krb5_free_addresses(context, context->ignore_addresses);
1244 if(addresses == NULL) {
1245 if(context->ignore_addresses != NULL) {
1246 free(context->ignore_addresses);
1247 context->ignore_addresses = NULL;
1248 }
1249 return 0;
1250 }
1251 if(context->ignore_addresses == NULL) {
1252 context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
1253 if (context->ignore_addresses == NULL)
1254 return krb5_enomem(context);
1255 }
1256 return krb5_copy_addresses(context, addresses, context->ignore_addresses);
1257 }
1258
1259 /**
1260 * Get extra addresses to ignore when fetching addresses from the
1261 * underlaying operating system.
1262 *
1263 * @param context Kerberos 5 context.
1264 * @param addresses list addreses ignored
1265 *
1266 * @return Returns 0 to indicate success. Otherwise an kerberos et
1267 * error code is returned, see krb5_get_error_message().
1268 *
1269 * @ingroup krb5
1270 */
1271
1272 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1273 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1274 {
1275 if(context->ignore_addresses == NULL) {
1276 memset(addresses, 0, sizeof(*addresses));
1277 return 0;
1278 }
1279 return krb5_copy_addresses(context, context->ignore_addresses, addresses);
1280 }
1281
1282 /**
1283 * Set version of fcache that the library should use.
1284 *
1285 * @param context Kerberos 5 context.
1286 * @param version version number.
1287 *
1288 * @return Returns 0 to indicate success. Otherwise an kerberos et
1289 * error code is returned, see krb5_get_error_message().
1290 *
1291 * @ingroup krb5
1292 */
1293
1294 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1295 krb5_set_fcache_version(krb5_context context, int version)
1296 {
1297 context->fcache_vno = version;
1298 return 0;
1299 }
1300
1301 /**
1302 * Get version of fcache that the library should use.
1303 *
1304 * @param context Kerberos 5 context.
1305 * @param version version number.
1306 *
1307 * @return Returns 0 to indicate success. Otherwise an kerberos et
1308 * error code is returned, see krb5_get_error_message().
1309 *
1310 * @ingroup krb5
1311 */
1312
1313 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1314 krb5_get_fcache_version(krb5_context context, int *version)
1315 {
1316 *version = context->fcache_vno;
1317 return 0;
1318 }
1319
1320 /**
1321 * Runtime check if the Kerberos library was complied with thread support.
1322 *
1323 * @return TRUE if the library was compiled with thread support, FALSE if not.
1324 *
1325 * @ingroup krb5
1326 */
1327
1328
1329 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1330 krb5_is_thread_safe(void)
1331 {
1332 #ifdef ENABLE_PTHREAD_SUPPORT
1333 return TRUE;
1334 #else
1335 return FALSE;
1336 #endif
1337 }
1338
1339 /**
1340 * Set if the library should use DNS to canonicalize hostnames.
1341 *
1342 * @param context Kerberos 5 context.
1343 * @param flag if its dns canonicalizion is used or not.
1344 *
1345 * @ingroup krb5
1346 */
1347
1348 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1349 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
1350 {
1351 if (flag)
1352 context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1353 else
1354 context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1355 }
1356
1357 /**
1358 * Get if the library uses DNS to canonicalize hostnames.
1359 *
1360 * @param context Kerberos 5 context.
1361 *
1362 * @return return non zero if the library uses DNS to canonicalize hostnames.
1363 *
1364 * @ingroup krb5
1365 */
1366
1367 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1368 krb5_get_dns_canonicalize_hostname (krb5_context context)
1369 {
1370 return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
1371 }
1372
1373 /**
1374 * Get current offset in time to the KDC.
1375 *
1376 * @param context Kerberos 5 context.
1377 * @param sec seconds part of offset.
1378 * @param usec micro seconds part of offset.
1379 *
1380 * @return returns zero
1381 *
1382 * @ingroup krb5
1383 */
1384
1385 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1386 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
1387 {
1388 if (sec)
1389 *sec = context->kdc_sec_offset;
1390 if (usec)
1391 *usec = context->kdc_usec_offset;
1392 return 0;
1393 }
1394
1395 /**
1396 * Set current offset in time to the KDC.
1397 *
1398 * @param context Kerberos 5 context.
1399 * @param sec seconds part of offset.
1400 * @param usec micro seconds part of offset.
1401 *
1402 * @return returns zero
1403 *
1404 * @ingroup krb5
1405 */
1406
1407 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1408 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1409 {
1410 context->kdc_sec_offset = sec;
1411 if (usec >= 0)
1412 context->kdc_usec_offset = usec;
1413 return 0;
1414 }
1415
1416 /**
1417 * Get max time skew allowed.
1418 *
1419 * @param context Kerberos 5 context.
1420 *
1421 * @return timeskew in seconds.
1422 *
1423 * @ingroup krb5
1424 */
1425
1426 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
1427 krb5_get_max_time_skew (krb5_context context)
1428 {
1429 return context->max_skew;
1430 }
1431
1432 /**
1433 * Set max time skew allowed.
1434 *
1435 * @param context Kerberos 5 context.
1436 * @param t timeskew in seconds.
1437 *
1438 * @ingroup krb5
1439 */
1440
1441 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1442 krb5_set_max_time_skew (krb5_context context, time_t t)
1443 {
1444 context->max_skew = t;
1445 }
1446
1447 /*
1448 * Init encryption types in len, val with etypes.
1449 *
1450 * @param context Kerberos 5 context.
1451 * @param pdu_type type of pdu
1452 * @param len output length of val.
1453 * @param val output array of enctypes.
1454 * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1455
1456 * @return Returns 0 to indicate success. Otherwise an kerberos et
1457 * error code is returned, see krb5_get_error_message().
1458 *
1459 * @ingroup krb5
1460 */
1461
1462 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1463 _krb5_init_etype(krb5_context context,
1464 krb5_pdu pdu_type,
1465 unsigned *len,
1466 krb5_enctype **val,
1467 const krb5_enctype *etypes)
1468 {
1469 krb5_error_code ret;
1470
1471 if (etypes == NULL)
1472 ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
1473 else
1474 ret = copy_enctypes(context, etypes, val);
1475 if (ret)
1476 return ret;
1477
1478 if (len) {
1479 *len = 0;
1480 while ((*val)[*len] != KRB5_ENCTYPE_NULL)
1481 (*len)++;
1482 }
1483 return 0;
1484 }
1485
1486 /*
1487 * Allow homedir accces
1488 */
1489
1490 static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
1491 static krb5_boolean allow_homedir = TRUE;
1492
1493 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1494 _krb5_homedir_access(krb5_context context)
1495 {
1496 krb5_boolean allow;
1497
1498 if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
1499 return FALSE;
1500
1501 HEIMDAL_MUTEX_lock(&homedir_mutex);
1502 allow = allow_homedir;
1503 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1504 return allow;
1505 }
1506
1507 /**
1508 * Enable and disable home directory access on either the global state
1509 * or the krb5_context state. By calling krb5_set_home_dir_access()
1510 * with context set to NULL, the global state is configured otherwise
1511 * the state for the krb5_context is modified.
1512 *
1513 * For home directory access to be allowed, both the global state and
1514 * the krb5_context state have to be allowed.
1515 *
1516 * Administrator (root user), never uses the home directory.
1517 *
1518 * @param context a Kerberos 5 context or NULL
1519 * @param allow allow if TRUE home directory
1520 * @return the old value
1521 *
1522 * @ingroup krb5
1523 */
1524
1525 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1526 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
1527 {
1528 krb5_boolean old;
1529 if (context) {
1530 old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
1531 if (allow)
1532 context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
1533 else
1534 context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
1535 } else {
1536 HEIMDAL_MUTEX_lock(&homedir_mutex);
1537 old = allow_homedir;
1538 allow_homedir = allow;
1539 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1540 }
1541
1542 return old;
1543 }
Heimdal