1 /* $NetBSD: context.c,v 1.4 2014/04/24 13:45:34 pettai Exp $ */
2
3 /*
4 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 *
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 *
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 *
21 * 3. Neither the name of the Institute nor the names of its contributors
22 * may be used to endorse or promote products derived from this software
23 * without specific prior written permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 */
37
38 #include "krb5_locl.h"
39 #include <assert.h>
40 #include <krb5/com_err.h>
41
42 #define INIT_FIELD(C, T, E, D, F) \
43 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
44 "libdefaults", F, NULL)
45
46 #define INIT_FLAG(C, O, V, D, F) \
47 do { \
48 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
49 (C)->O |= V; \
50 } \
51 } while(0)
52
53 /*
54 * Set the list of etypes `ret_etypes' from the configuration variable
55 * `name'
56 */
57
58 static krb5_error_code
set_etypes(krb5_context context,const char * name,krb5_enctype ** ret_enctypes)59 set_etypes (krb5_context context,
60 const char *name,
61 krb5_enctype **ret_enctypes)
62 {
63 char **etypes_str;
64 krb5_enctype *etypes = NULL;
65
66 etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
67 name, NULL);
68 if(etypes_str){
69 int i, j, k;
70 for(i = 0; etypes_str[i]; i++);
71 etypes = malloc((i+1) * sizeof(*etypes));
72 if (etypes == NULL) {
73 krb5_config_free_strings (etypes_str);
74 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
75 return ENOMEM;
76 }
77 for(j = 0, k = 0; j < i; j++) {
78 krb5_enctype e;
79 if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
80 continue;
81 if (krb5_enctype_valid(context, e) != 0)
82 continue;
83 etypes[k++] = e;
84 }
85 etypes[k] = ETYPE_NULL;
86 krb5_config_free_strings(etypes_str);
87 }
88 *ret_enctypes = etypes;
89 return 0;
90 }
91
92 /*
93 * read variables from the configuration file and set in `context'
94 */
95
96 static krb5_error_code
init_context_from_config_file(krb5_context context)97 init_context_from_config_file(krb5_context context)
98 {
99 krb5_error_code ret;
100 const char * tmp;
101 char **s;
102 krb5_enctype *tmptypes;
103
104 INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
105 INIT_FIELD(context, time, kdc_timeout, 3, "kdc_timeout");
106 INIT_FIELD(context, int, max_retries, 3, "max_retries");
107
108 INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
109
110 ret = krb5_config_get_bool_default(context, NULL, FALSE,
111 "libdefaults",
112 "allow_weak_crypto", NULL);
113 if (ret) {
114 krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
115 krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
116 krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
117 krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
118 krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
119 krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
120 }
121
122 ret = set_etypes (context, "default_etypes", &tmptypes);
123 if(ret)
124 return ret;
125 free(context->etypes);
126 context->etypes = tmptypes;
127
128 ret = set_etypes (context, "default_etypes_des", &tmptypes);
129 if(ret)
130 return ret;
131 free(context->etypes_des);
132 context->etypes_des = tmptypes;
133
134 ret = set_etypes (context, "default_as_etypes", &tmptypes);
135 if(ret)
136 return ret;
137 free(context->as_etypes);
138 context->as_etypes = tmptypes;
139
140 ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
141 if(ret)
142 return ret;
143 free(context->tgs_etypes);
144 context->tgs_etypes = tmptypes;
145
146 ret = set_etypes (context, "permitted_enctypes", &tmptypes);
147 if(ret)
148 return ret;
149 free(context->permitted_enctypes);
150 context->permitted_enctypes = tmptypes;
151
152 /* default keytab name */
153 tmp = NULL;
154 if(!issuid())
155 tmp = getenv("KRB5_KTNAME");
156 if(tmp != NULL)
157 context->default_keytab = tmp;
158 else
159 INIT_FIELD(context, string, default_keytab,
160 KEYTAB_DEFAULT, "default_keytab_name");
161
162 INIT_FIELD(context, string, default_keytab_modify,
163 NULL, "default_keytab_modify_name");
164
165 INIT_FIELD(context, string, time_fmt,
166 "%Y-%m-%dT%H:%M:%S", "time_format");
167
168 INIT_FIELD(context, string, date_fmt,
169 "%Y-%m-%d", "date_format");
170
171 INIT_FIELD(context, bool, log_utc,
172 FALSE, "log_utc");
173
174
175
176 /* init dns-proxy slime */
177 tmp = krb5_config_get_string(context, NULL, "libdefaults",
178 "dns_proxy", NULL);
179 if(tmp)
180 roken_gethostby_setup(context->http_proxy, tmp);
181 krb5_free_host_realm (context, context->default_realms);
182 context->default_realms = NULL;
183
184 {
185 krb5_addresses addresses;
186 char **adr, **a;
187
188 krb5_set_extra_addresses(context, NULL);
189 adr = krb5_config_get_strings(context, NULL,
190 "libdefaults",
191 "extra_addresses",
192 NULL);
193 memset(&addresses, 0, sizeof(addresses));
194 for(a = adr; a && *a; a++) {
195 ret = krb5_parse_address(context, *a, &addresses);
196 if (ret == 0) {
197 krb5_add_extra_addresses(context, &addresses);
198 krb5_free_addresses(context, &addresses);
199 }
200 }
201 krb5_config_free_strings(adr);
202
203 krb5_set_ignore_addresses(context, NULL);
204 adr = krb5_config_get_strings(context, NULL,
205 "libdefaults",
206 "ignore_addresses",
207 NULL);
208 memset(&addresses, 0, sizeof(addresses));
209 for(a = adr; a && *a; a++) {
210 ret = krb5_parse_address(context, *a, &addresses);
211 if (ret == 0) {
212 krb5_add_ignore_addresses(context, &addresses);
213 krb5_free_addresses(context, &addresses);
214 }
215 }
216 krb5_config_free_strings(adr);
217 }
218
219 INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
220 INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
221 /* prefer dns_lookup_kdc over srv_lookup. */
222 INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
223 INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
224 INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
225 INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
226 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
227 context->default_cc_name = NULL;
228 context->default_cc_name_set = 0;
229
230 s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
231 if(s) {
232 char **p;
233 krb5_initlog(context, "libkrb5", &context->debug_dest);
234 for(p = s; *p; p++)
235 krb5_addlog_dest(context, context->debug_dest, *p);
236 krb5_config_free_strings(s);
237 }
238
239 tmp = krb5_config_get_string(context, NULL, "libdefaults",
240 "check-rd-req-server", NULL);
241 if (tmp == NULL && !issuid())
242 tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
243 if(tmp) {
244 if (strcasecmp(tmp, "ignore") == 0)
245 context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
246 }
247
248 return 0;
249 }
250
251 static krb5_error_code
cc_ops_register(krb5_context context)252 cc_ops_register(krb5_context context)
253 {
254 context->cc_ops = NULL;
255 context->num_cc_ops = 0;
256
257 #ifndef KCM_IS_API_CACHE
258 krb5_cc_register(context, &krb5_acc_ops, TRUE);
259 #endif
260 krb5_cc_register(context, &krb5_fcc_ops, TRUE);
261 krb5_cc_register(context, &krb5_mcc_ops, TRUE);
262 #ifdef HAVE_SCC
263 krb5_cc_register(context, &krb5_scc_ops, TRUE);
264 #endif
265 #ifdef HAVE_KCM
266 #ifdef KCM_IS_API_CACHE
267 krb5_cc_register(context, &krb5_akcm_ops, TRUE);
268 #endif
269 krb5_cc_register(context, &krb5_kcm_ops, TRUE);
270 #endif
271 _krb5_load_ccache_plugins(context);
272 return 0;
273 }
274
275 static krb5_error_code
cc_ops_copy(krb5_context context,const krb5_context src_context)276 cc_ops_copy(krb5_context context, const krb5_context src_context)
277 {
278 const krb5_cc_ops **cc_ops;
279
280 context->cc_ops = NULL;
281 context->num_cc_ops = 0;
282
283 if (src_context->num_cc_ops == 0)
284 return 0;
285
286 cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
287 if (cc_ops == NULL) {
288 krb5_set_error_message(context, KRB5_CC_NOMEM,
289 N_("malloc: out of memory", ""));
290 return KRB5_CC_NOMEM;
291 }
292
293 memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
294 sizeof(cc_ops[0]) * src_context->num_cc_ops);
295 context->cc_ops = cc_ops;
296 context->num_cc_ops = src_context->num_cc_ops;
297
298 return 0;
299 }
300
301 static krb5_error_code
kt_ops_register(krb5_context context)302 kt_ops_register(krb5_context context)
303 {
304 context->num_kt_types = 0;
305 context->kt_types = NULL;
306
307 krb5_kt_register (context, &krb5_fkt_ops);
308 krb5_kt_register (context, &krb5_wrfkt_ops);
309 krb5_kt_register (context, &krb5_javakt_ops);
310 krb5_kt_register (context, &krb5_mkt_ops);
311 #ifndef HEIMDAL_SMALLER
312 krb5_kt_register (context, &krb5_akf_ops);
313 #endif
314 krb5_kt_register (context, &krb5_any_ops);
315 return 0;
316 }
317
318 static krb5_error_code
kt_ops_copy(krb5_context context,const krb5_context src_context)319 kt_ops_copy(krb5_context context, const krb5_context src_context)
320 {
321 context->num_kt_types = 0;
322 context->kt_types = NULL;
323
324 if (src_context->num_kt_types == 0)
325 return 0;
326
327 context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
328 if (context->kt_types == NULL) {
329 krb5_set_error_message(context, ENOMEM,
330 N_("malloc: out of memory", ""));
331 return ENOMEM;
332 }
333
334 context->num_kt_types = src_context->num_kt_types;
335 memcpy(context->kt_types, src_context->kt_types,
336 sizeof(context->kt_types[0]) * src_context->num_kt_types);
337
338 return 0;
339 }
340
341 static const char *sysplugin_dirs[] = {
342 LIBDIR "/plugin/krb5",
343 #ifdef __APPLE__
344 "/Library/KerberosPlugins/KerberosFrameworkPlugins",
345 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
346 #endif
347 NULL
348 };
349
350 static void
init_context_once(void * ctx)351 init_context_once(void *ctx)
352 {
353 krb5_context context = ctx;
354
355 _krb5_load_plugins(context, "krb5", sysplugin_dirs);
356
357 bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
358 }
359
360
361 /**
362 * Initializes the context structure and reads the configuration file
363 * /etc/krb5.conf. The structure should be freed by calling
364 * krb5_free_context() when it is no longer being used.
365 *
366 * @param context pointer to returned context
367 *
368 * @return Returns 0 to indicate success. Otherwise an errno code is
369 * returned. Failure means either that something bad happened during
370 * initialization (typically ENOMEM) or that Kerberos should not be
371 * used ENXIO.
372 *
373 * @ingroup krb5
374 */
375
376 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_init_context(krb5_context * context)377 krb5_init_context(krb5_context *context)
378 {
379 static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
380 krb5_context p;
381 krb5_error_code ret;
382 char **files;
383
384 *context = NULL;
385
386 p = calloc(1, sizeof(*p));
387 if(!p)
388 return ENOMEM;
389
390 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
391 if (p->mutex == NULL) {
392 free(p);
393 return ENOMEM;
394 }
395 HEIMDAL_MUTEX_init(p->mutex);
396
397 p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
398
399 ret = krb5_get_default_config_files(&files);
400 if(ret)
401 goto out;
402 ret = krb5_set_config_files(p, files);
403 krb5_free_config_files(files);
404 if(ret)
405 goto out;
406
407 /* init error tables */
408 krb5_init_ets(p);
409 cc_ops_register(p);
410 kt_ops_register(p);
411
412 #ifdef PKINIT
413 ret = hx509_context_init(&p->hx509ctx);
414 if (ret)
415 goto out;
416 #endif
417 if (rk_SOCK_INIT())
418 p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
419
420 out:
421 if(ret) {
422 krb5_free_context(p);
423 p = NULL;
424 } else {
425 heim_base_once_f(&init_context, p, init_context_once);
426 }
427 *context = p;
428 return ret;
429 }
430
431 #ifndef HEIMDAL_SMALLER
432
433 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_permitted_enctypes(krb5_context context,krb5_enctype ** etypes)434 krb5_get_permitted_enctypes(krb5_context context,
435 krb5_enctype **etypes)
436 {
437 return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
438 }
439
440 /*
441 *
442 */
443
444 static krb5_error_code
copy_etypes(krb5_context context,krb5_enctype * enctypes,krb5_enctype ** ret_enctypes)445 copy_etypes (krb5_context context,
446 krb5_enctype *enctypes,
447 krb5_enctype **ret_enctypes)
448 {
449 unsigned int i;
450
451 for (i = 0; enctypes[i]; i++)
452 ;
453 i++;
454
455 *ret_enctypes = malloc(sizeof(**ret_enctypes) * i);
456 if (*ret_enctypes == NULL) {
457 krb5_set_error_message(context, ENOMEM,
458 N_("malloc: out of memory", ""));
459 return ENOMEM;
460 }
461 memcpy(*ret_enctypes, enctypes, sizeof(**ret_enctypes) * i);
462 return 0;
463 }
464
465 /**
466 * Make a copy for the Kerberos 5 context, the new krb5_context shoud
467 * be freed with krb5_free_context().
468 *
469 * @param context the Kerberos context to copy
470 * @param out the copy of the Kerberos, set to NULL error.
471 *
472 * @return Returns 0 to indicate success. Otherwise an kerberos et
473 * error code is returned, see krb5_get_error_message().
474 *
475 * @ingroup krb5
476 */
477
478 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_context(krb5_context context,krb5_context * out)479 krb5_copy_context(krb5_context context, krb5_context *out)
480 {
481 krb5_error_code ret;
482 krb5_context p;
483
484 *out = NULL;
485
486 p = calloc(1, sizeof(*p));
487 if (p == NULL) {
488 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
489 return ENOMEM;
490 }
491
492 p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
493 if (p->mutex == NULL) {
494 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
495 free(p);
496 return ENOMEM;
497 }
498 HEIMDAL_MUTEX_init(p->mutex);
499
500
501 if (context->default_cc_name)
502 p->default_cc_name = strdup(context->default_cc_name);
503 if (context->default_cc_name_env)
504 p->default_cc_name_env = strdup(context->default_cc_name_env);
505
506 if (context->etypes) {
507 ret = copy_etypes(context, context->etypes, &p->etypes);
508 if (ret)
509 goto out;
510 }
511 if (context->etypes_des) {
512 ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
513 if (ret)
514 goto out;
515 }
516
517 if (context->default_realms) {
518 ret = krb5_copy_host_realm(context,
519 context->default_realms, &p->default_realms);
520 if (ret)
521 goto out;
522 }
523
524 ret = _krb5_config_copy(context, context->cf, &p->cf);
525 if (ret)
526 goto out;
527
528 /* XXX should copy */
529 krb5_init_ets(p);
530
531 cc_ops_copy(p, context);
532 kt_ops_copy(p, context);
533
534 #if 0 /* XXX */
535 if(context->warn_dest != NULL)
536 ;
537 if(context->debug_dest != NULL)
538 ;
539 #endif
540
541 ret = krb5_set_extra_addresses(p, context->extra_addresses);
542 if (ret)
543 goto out;
544 ret = krb5_set_extra_addresses(p, context->ignore_addresses);
545 if (ret)
546 goto out;
547
548 ret = _krb5_copy_send_to_kdc_func(p, context);
549 if (ret)
550 goto out;
551
552 *out = p;
553
554 return 0;
555
556 out:
557 krb5_free_context(p);
558 return ret;
559 }
560
561 #endif
562
563 /**
564 * Frees the krb5_context allocated by krb5_init_context().
565 *
566 * @param context context to be freed.
567 *
568 * @ingroup krb5
569 */
570
571 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_context(krb5_context context)572 krb5_free_context(krb5_context context)
573 {
574 if (context->default_cc_name)
575 free(context->default_cc_name);
576 if (context->default_cc_name_env)
577 free(context->default_cc_name_env);
578 free(context->etypes);
579 free(context->etypes_des);
580 krb5_free_host_realm (context, context->default_realms);
581 krb5_config_file_free (context, context->cf);
582 free_error_table (context->et_list);
583 free(rk_UNCONST(context->cc_ops));
584 free(context->kt_types);
585 krb5_clear_error_message(context);
586 if(context->warn_dest != NULL)
587 krb5_closelog(context, context->warn_dest);
588 if(context->debug_dest != NULL)
589 krb5_closelog(context, context->debug_dest);
590 krb5_set_extra_addresses(context, NULL);
591 krb5_set_ignore_addresses(context, NULL);
592 krb5_set_send_to_kdc_func(context, NULL, NULL);
593
594 #ifdef PKINIT
595 if (context->hx509ctx)
596 hx509_context_free(&context->hx509ctx);
597 #endif
598
599 HEIMDAL_MUTEX_destroy(context->mutex);
600 free(context->mutex);
601 if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
602 rk_SOCK_EXIT();
603 }
604
605 memset(context, 0, sizeof(*context));
606 free(context);
607 }
608
609 /**
610 * Reinit the context from a new set of filenames.
611 *
612 * @param context context to add configuration too.
613 * @param filenames array of filenames, end of list is indicated with a NULL filename.
614 *
615 * @return Returns 0 to indicate success. Otherwise an kerberos et
616 * error code is returned, see krb5_get_error_message().
617 *
618 * @ingroup krb5
619 */
620
621 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_config_files(krb5_context context,char ** filenames)622 krb5_set_config_files(krb5_context context, char **filenames)
623 {
624 krb5_error_code ret;
625 krb5_config_binding *tmp = NULL;
626 while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
627 ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
628 if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) {
629 krb5_config_file_free(context, tmp);
630 return ret;
631 }
632 filenames++;
633 }
634 #if 1
635 /* with this enabled and if there are no config files, Kerberos is
636 considererd disabled */
637 if(tmp == NULL)
638 return ENXIO;
639 #endif
640
641 #ifdef _WIN32
642 _krb5_load_config_from_registry(context, &tmp);
643 #endif
644
645 krb5_config_file_free(context, context->cf);
646 context->cf = tmp;
647 ret = init_context_from_config_file(context);
648 return ret;
649 }
650
651 static krb5_error_code
add_file(char *** pfilenames,int * len,char * file)652 add_file(char ***pfilenames, int *len, char *file)
653 {
654 char **pp = *pfilenames;
655 int i;
656
657 for(i = 0; i < *len; i++) {
658 if(strcmp(pp[i], file) == 0) {
659 free(file);
660 return 0;
661 }
662 }
663
664 pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp));
665 if (pp == NULL) {
666 free(file);
667 return ENOMEM;
668 }
669
670 pp[*len] = file;
671 pp[*len + 1] = NULL;
672 *pfilenames = pp;
673 *len += 1;
674 return 0;
675 }
676
677 /*
678 * `pq' isn't free, it's up the the caller
679 */
680
681 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_prepend_config_files(const char * filelist,char ** pq,char *** ret_pp)682 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
683 {
684 krb5_error_code ret;
685 const char *p, *q;
686 char **pp;
687 int len;
688 char *fn;
689
690 pp = NULL;
691
692 len = 0;
693 p = filelist;
694 while(1) {
695 ssize_t l;
696 q = p;
697 l = strsep_copy(&q, PATH_SEP, NULL, 0);
698 if(l == -1)
699 break;
700 fn = malloc(l + 1);
701 if(fn == NULL) {
702 krb5_free_config_files(pp);
703 return ENOMEM;
704 }
705 (void)strsep_copy(&p, PATH_SEP, fn, l + 1);
706 ret = add_file(&pp, &len, fn);
707 if (ret) {
708 krb5_free_config_files(pp);
709 return ret;
710 }
711 }
712
713 if (pq != NULL) {
714 int i;
715
716 for (i = 0; pq[i] != NULL; i++) {
717 fn = strdup(pq[i]);
718 if (fn == NULL) {
719 krb5_free_config_files(pp);
720 return ENOMEM;
721 }
722 ret = add_file(&pp, &len, fn);
723 if (ret) {
724 krb5_free_config_files(pp);
725 return ret;
726 }
727 }
728 }
729
730 *ret_pp = pp;
731 return 0;
732 }
733
734 /**
735 * Prepend the filename to the global configuration list.
736 *
737 * @param filelist a filename to add to the default list of filename
738 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
739 *
740 * @return Returns 0 to indicate success. Otherwise an kerberos et
741 * error code is returned, see krb5_get_error_message().
742 *
743 * @ingroup krb5
744 */
745
746 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_prepend_config_files_default(const char * filelist,char *** pfilenames)747 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
748 {
749 krb5_error_code ret;
750 char **defpp, **pp = NULL;
751
752 ret = krb5_get_default_config_files(&defpp);
753 if (ret)
754 return ret;
755
756 ret = krb5_prepend_config_files(filelist, defpp, &pp);
757 krb5_free_config_files(defpp);
758 if (ret) {
759 return ret;
760 }
761 *pfilenames = pp;
762 return 0;
763 }
764
765 #ifdef _WIN32
766
767 /**
768 * Checks the registry for configuration file location
769 *
770 * Kerberos for Windows and other legacy Kerberos applications expect
771 * to find the configuration file location in the
772 * SOFTWARE\MIT\Kerberos registry key under the value "config".
773 */
774 char *
_krb5_get_default_config_config_files_from_registry()775 _krb5_get_default_config_config_files_from_registry()
776 {
777 static const char * KeyName = "Software\\MIT\\Kerberos";
778 char *config_file = NULL;
779 LONG rcode;
780 HKEY key;
781
782 rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key);
783 if (rcode == ERROR_SUCCESS) {
784 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
785 REG_NONE, 0, PATH_SEP);
786 RegCloseKey(key);
787 }
788
789 if (config_file)
790 return config_file;
791
792 rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key);
793 if (rcode == ERROR_SUCCESS) {
794 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
795 REG_NONE, 0, PATH_SEP);
796 RegCloseKey(key);
797 }
798
799 return config_file;
800 }
801
802 #endif
803
804 /**
805 * Get the global configuration list.
806 *
807 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
808 *
809 * @return Returns 0 to indicate success. Otherwise an kerberos et
810 * error code is returned, see krb5_get_error_message().
811 *
812 * @ingroup krb5
813 */
814
815 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_config_files(char *** pfilenames)816 krb5_get_default_config_files(char ***pfilenames)
817 {
818 const char *files = NULL;
819
820 if (pfilenames == NULL)
821 return EINVAL;
822 if(!issuid())
823 files = getenv("KRB5_CONFIG");
824
825 #ifdef _WIN32
826 if (files == NULL) {
827 char * reg_files;
828 reg_files = _krb5_get_default_config_config_files_from_registry();
829 if (reg_files != NULL) {
830 krb5_error_code code;
831
832 code = krb5_prepend_config_files(reg_files, NULL, pfilenames);
833 free(reg_files);
834
835 return code;
836 }
837 }
838 #endif
839
840 if (files == NULL)
841 files = krb5_config_file;
842
843 return krb5_prepend_config_files(files, NULL, pfilenames);
844 }
845
846 /**
847 * Free a list of configuration files.
848 *
849 * @param filenames list, terminated with a NULL pointer, to be
850 * freed. NULL is an valid argument.
851 *
852 * @return Returns 0 to indicate success. Otherwise an kerberos et
853 * error code is returned, see krb5_get_error_message().
854 *
855 * @ingroup krb5
856 */
857
858 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_config_files(char ** filenames)859 krb5_free_config_files(char **filenames)
860 {
861 char **p;
862 for(p = filenames; p && *p != NULL; p++)
863 free(*p);
864 free(filenames);
865 }
866
867 /**
868 * Returns the list of Kerberos encryption types sorted in order of
869 * most preferred to least preferred encryption type. Note that some
870 * encryption types might be disabled, so you need to check with
871 * krb5_enctype_valid() before using the encryption type.
872 *
873 * @return list of enctypes, terminated with ETYPE_NULL. Its a static
874 * array completed into the Kerberos library so the content doesn't
875 * need to be freed.
876 *
877 * @ingroup krb5
878 */
879
880 KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
krb5_kerberos_enctypes(krb5_context context)881 krb5_kerberos_enctypes(krb5_context context)
882 {
883 static const krb5_enctype p[] = {
884 ETYPE_AES256_CTS_HMAC_SHA1_96,
885 ETYPE_AES128_CTS_HMAC_SHA1_96,
886 ETYPE_DES3_CBC_SHA1,
887 ETYPE_DES3_CBC_MD5,
888 ETYPE_ARCFOUR_HMAC_MD5,
889 ETYPE_DES_CBC_MD5,
890 ETYPE_DES_CBC_MD4,
891 ETYPE_DES_CBC_CRC,
892 ETYPE_NULL
893 };
894 return p;
895 }
896
897 /*
898 *
899 */
900
901 static krb5_error_code
copy_enctypes(krb5_context context,const krb5_enctype * in,krb5_enctype ** out)902 copy_enctypes(krb5_context context,
903 const krb5_enctype *in,
904 krb5_enctype **out)
905 {
906 krb5_enctype *p = NULL;
907 size_t m, n;
908
909 for (n = 0; in[n]; n++)
910 ;
911 n++;
912 ALLOC(p, n);
913 if(p == NULL)
914 return krb5_enomem(context);
915 for (n = 0, m = 0; in[n]; n++) {
916 if (krb5_enctype_valid(context, in[n]) != 0)
917 continue;
918 p[m++] = in[n];
919 }
920 p[m] = KRB5_ENCTYPE_NULL;
921 if (m == 0) {
922 free(p);
923 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
924 N_("no valid enctype set", ""));
925 return KRB5_PROG_ETYPE_NOSUPP;
926 }
927 *out = p;
928 return 0;
929 }
930
931
932 /*
933 * set `etype' to a malloced list of the default enctypes
934 */
935
936 static krb5_error_code
default_etypes(krb5_context context,krb5_enctype ** etype)937 default_etypes(krb5_context context, krb5_enctype **etype)
938 {
939 const krb5_enctype *p = krb5_kerberos_enctypes(context);
940 return copy_enctypes(context, p, etype);
941 }
942
943 /**
944 * Set the default encryption types that will be use in communcation
945 * with the KDC, clients and servers.
946 *
947 * @param context Kerberos 5 context.
948 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
949 *
950 * @return Returns 0 to indicate success. Otherwise an kerberos et
951 * error code is returned, see krb5_get_error_message().
952 *
953 * @ingroup krb5
954 */
955
956 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_default_in_tkt_etypes(krb5_context context,const krb5_enctype * etypes)957 krb5_set_default_in_tkt_etypes(krb5_context context,
958 const krb5_enctype *etypes)
959 {
960 krb5_error_code ret;
961 krb5_enctype *p = NULL;
962
963 if(etypes) {
964 ret = copy_enctypes(context, etypes, &p);
965 if (ret)
966 return ret;
967 }
968 if(context->etypes)
969 free(context->etypes);
970 context->etypes = p;
971 return 0;
972 }
973
974 /**
975 * Get the default encryption types that will be use in communcation
976 * with the KDC, clients and servers.
977 *
978 * @param context Kerberos 5 context.
979 * @param etypes Encryption types, array terminated with
980 * ETYPE_NULL(0), caller should free array with krb5_xfree():
981 *
982 * @return Returns 0 to indicate success. Otherwise an kerberos et
983 * error code is returned, see krb5_get_error_message().
984 *
985 * @ingroup krb5
986 */
987
988 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_in_tkt_etypes(krb5_context context,krb5_pdu pdu_type,krb5_enctype ** etypes)989 krb5_get_default_in_tkt_etypes(krb5_context context,
990 krb5_pdu pdu_type,
991 krb5_enctype **etypes)
992 {
993 krb5_enctype *enctypes = NULL;
994 krb5_error_code ret;
995 krb5_enctype *p;
996
997 heim_assert(pdu_type == KRB5_PDU_AS_REQUEST ||
998 pdu_type == KRB5_PDU_TGS_REQUEST ||
999 pdu_type == KRB5_PDU_NONE, "pdu contant not as expected");
1000
1001 if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
1002 enctypes = context->as_etypes;
1003 else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
1004 enctypes = context->tgs_etypes;
1005 else if (context->etypes != NULL)
1006 enctypes = context->etypes;
1007
1008 if (enctypes != NULL) {
1009 ret = copy_enctypes(context, enctypes, &p);
1010 if (ret)
1011 return ret;
1012 } else {
1013 ret = default_etypes(context, &p);
1014 if (ret)
1015 return ret;
1016 }
1017 *etypes = p;
1018 return 0;
1019 }
1020
1021 /**
1022 * Init the built-in ets in the Kerberos library.
1023 *
1024 * @param context kerberos context to add the ets too
1025 *
1026 * @ingroup krb5
1027 */
1028
1029 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_init_ets(krb5_context context)1030 krb5_init_ets(krb5_context context)
1031 {
1032 if(context->et_list == NULL){
1033 krb5_add_et_list(context, initialize_krb5_error_table_r);
1034 krb5_add_et_list(context, initialize_asn1_error_table_r);
1035 krb5_add_et_list(context, initialize_heim_error_table_r);
1036
1037 krb5_add_et_list(context, initialize_k524_error_table_r);
1038
1039 #ifdef COM_ERR_BINDDOMAIN_krb5
1040 bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
1041 bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
1042 bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
1043 bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
1044 #endif
1045
1046 #ifdef PKINIT
1047 krb5_add_et_list(context, initialize_hx_error_table_r);
1048 #ifdef COM_ERR_BINDDOMAIN_hx
1049 bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
1050 #endif
1051 #endif
1052 }
1053 }
1054
1055 /**
1056 * Make the kerberos library default to the admin KDC.
1057 *
1058 * @param context Kerberos 5 context.
1059 * @param flag boolean flag to select if the use the admin KDC or not.
1060 *
1061 * @ingroup krb5
1062 */
1063
1064 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_set_use_admin_kdc(krb5_context context,krb5_boolean flag)1065 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
1066 {
1067 context->use_admin_kdc = flag;
1068 }
1069
1070 /**
1071 * Make the kerberos library default to the admin KDC.
1072 *
1073 * @param context Kerberos 5 context.
1074 *
1075 * @return boolean flag to telling the context will use admin KDC as the default KDC.
1076 *
1077 * @ingroup krb5
1078 */
1079
1080 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_get_use_admin_kdc(krb5_context context)1081 krb5_get_use_admin_kdc (krb5_context context)
1082 {
1083 return context->use_admin_kdc;
1084 }
1085
1086 /**
1087 * Add extra address to the address list that the library will add to
1088 * the client's address list when communicating with the KDC.
1089 *
1090 * @param context Kerberos 5 context.
1091 * @param addresses addreses to add
1092 *
1093 * @return Returns 0 to indicate success. Otherwise an kerberos et
1094 * error code is returned, see krb5_get_error_message().
1095 *
1096 * @ingroup krb5
1097 */
1098
1099 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_add_extra_addresses(krb5_context context,krb5_addresses * addresses)1100 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
1101 {
1102
1103 if(context->extra_addresses)
1104 return krb5_append_addresses(context,
1105 context->extra_addresses, addresses);
1106 else
1107 return krb5_set_extra_addresses(context, addresses);
1108 }
1109
1110 /**
1111 * Set extra address to the address list that the library will add to
1112 * the client's address list when communicating with the KDC.
1113 *
1114 * @param context Kerberos 5 context.
1115 * @param addresses addreses to set
1116 *
1117 * @return Returns 0 to indicate success. Otherwise an kerberos et
1118 * error code is returned, see krb5_get_error_message().
1119 *
1120 * @ingroup krb5
1121 */
1122
1123 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_extra_addresses(krb5_context context,const krb5_addresses * addresses)1124 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
1125 {
1126 if(context->extra_addresses)
1127 krb5_free_addresses(context, context->extra_addresses);
1128
1129 if(addresses == NULL) {
1130 if(context->extra_addresses != NULL) {
1131 free(context->extra_addresses);
1132 context->extra_addresses = NULL;
1133 }
1134 return 0;
1135 }
1136 if(context->extra_addresses == NULL) {
1137 context->extra_addresses = malloc(sizeof(*context->extra_addresses));
1138 if(context->extra_addresses == NULL) {
1139 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
1140 return ENOMEM;
1141 }
1142 }
1143 return krb5_copy_addresses(context, addresses, context->extra_addresses);
1144 }
1145
1146 /**
1147 * Get extra address to the address list that the library will add to
1148 * the client's address list when communicating with the KDC.
1149 *
1150 * @param context Kerberos 5 context.
1151 * @param addresses addreses to set
1152 *
1153 * @return Returns 0 to indicate success. Otherwise an kerberos et
1154 * error code is returned, see krb5_get_error_message().
1155 *
1156 * @ingroup krb5
1157 */
1158
1159 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_extra_addresses(krb5_context context,krb5_addresses * addresses)1160 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
1161 {
1162 if(context->extra_addresses == NULL) {
1163 memset(addresses, 0, sizeof(*addresses));
1164 return 0;
1165 }
1166 return krb5_copy_addresses(context,context->extra_addresses, addresses);
1167 }
1168
1169 /**
1170 * Add extra addresses to ignore when fetching addresses from the
1171 * underlaying operating system.
1172 *
1173 * @param context Kerberos 5 context.
1174 * @param addresses addreses to ignore
1175 *
1176 * @return Returns 0 to indicate success. Otherwise an kerberos et
1177 * error code is returned, see krb5_get_error_message().
1178 *
1179 * @ingroup krb5
1180 */
1181
1182 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_add_ignore_addresses(krb5_context context,krb5_addresses * addresses)1183 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1184 {
1185
1186 if(context->ignore_addresses)
1187 return krb5_append_addresses(context,
1188 context->ignore_addresses, addresses);
1189 else
1190 return krb5_set_ignore_addresses(context, addresses);
1191 }
1192
1193 /**
1194 * Set extra addresses to ignore when fetching addresses from the
1195 * underlaying operating system.
1196 *
1197 * @param context Kerberos 5 context.
1198 * @param addresses addreses to ignore
1199 *
1200 * @return Returns 0 to indicate success. Otherwise an kerberos et
1201 * error code is returned, see krb5_get_error_message().
1202 *
1203 * @ingroup krb5
1204 */
1205
1206 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_ignore_addresses(krb5_context context,const krb5_addresses * addresses)1207 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
1208 {
1209 if(context->ignore_addresses)
1210 krb5_free_addresses(context, context->ignore_addresses);
1211 if(addresses == NULL) {
1212 if(context->ignore_addresses != NULL) {
1213 free(context->ignore_addresses);
1214 context->ignore_addresses = NULL;
1215 }
1216 return 0;
1217 }
1218 if(context->ignore_addresses == NULL) {
1219 context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
1220 if(context->ignore_addresses == NULL) {
1221 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
1222 return ENOMEM;
1223 }
1224 }
1225 return krb5_copy_addresses(context, addresses, context->ignore_addresses);
1226 }
1227
1228 /**
1229 * Get extra addresses to ignore when fetching addresses from the
1230 * underlaying operating system.
1231 *
1232 * @param context Kerberos 5 context.
1233 * @param addresses list addreses ignored
1234 *
1235 * @return Returns 0 to indicate success. Otherwise an kerberos et
1236 * error code is returned, see krb5_get_error_message().
1237 *
1238 * @ingroup krb5
1239 */
1240
1241 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_ignore_addresses(krb5_context context,krb5_addresses * addresses)1242 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1243 {
1244 if(context->ignore_addresses == NULL) {
1245 memset(addresses, 0, sizeof(*addresses));
1246 return 0;
1247 }
1248 return krb5_copy_addresses(context, context->ignore_addresses, addresses);
1249 }
1250
1251 /**
1252 * Set version of fcache that the library should use.
1253 *
1254 * @param context Kerberos 5 context.
1255 * @param version version number.
1256 *
1257 * @return Returns 0 to indicate success. Otherwise an kerberos et
1258 * error code is returned, see krb5_get_error_message().
1259 *
1260 * @ingroup krb5
1261 */
1262
1263 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_fcache_version(krb5_context context,int version)1264 krb5_set_fcache_version(krb5_context context, int version)
1265 {
1266 context->fcache_vno = version;
1267 return 0;
1268 }
1269
1270 /**
1271 * Get version of fcache that the library should use.
1272 *
1273 * @param context Kerberos 5 context.
1274 * @param version version number.
1275 *
1276 * @return Returns 0 to indicate success. Otherwise an kerberos et
1277 * error code is returned, see krb5_get_error_message().
1278 *
1279 * @ingroup krb5
1280 */
1281
1282 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_fcache_version(krb5_context context,int * version)1283 krb5_get_fcache_version(krb5_context context, int *version)
1284 {
1285 *version = context->fcache_vno;
1286 return 0;
1287 }
1288
1289 /**
1290 * Runtime check if the Kerberos library was complied with thread support.
1291 *
1292 * @return TRUE if the library was compiled with thread support, FALSE if not.
1293 *
1294 * @ingroup krb5
1295 */
1296
1297
1298 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_is_thread_safe(void)1299 krb5_is_thread_safe(void)
1300 {
1301 #ifdef ENABLE_PTHREAD_SUPPORT
1302 return TRUE;
1303 #else
1304 return FALSE;
1305 #endif
1306 }
1307
1308 /**
1309 * Set if the library should use DNS to canonicalize hostnames.
1310 *
1311 * @param context Kerberos 5 context.
1312 * @param flag if its dns canonicalizion is used or not.
1313 *
1314 * @ingroup krb5
1315 */
1316
1317 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_set_dns_canonicalize_hostname(krb5_context context,krb5_boolean flag)1318 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
1319 {
1320 if (flag)
1321 context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1322 else
1323 context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1324 }
1325
1326 /**
1327 * Get if the library uses DNS to canonicalize hostnames.
1328 *
1329 * @param context Kerberos 5 context.
1330 *
1331 * @return return non zero if the library uses DNS to canonicalize hostnames.
1332 *
1333 * @ingroup krb5
1334 */
1335
1336 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_get_dns_canonicalize_hostname(krb5_context context)1337 krb5_get_dns_canonicalize_hostname (krb5_context context)
1338 {
1339 return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
1340 }
1341
1342 /**
1343 * Get current offset in time to the KDC.
1344 *
1345 * @param context Kerberos 5 context.
1346 * @param sec seconds part of offset.
1347 * @param usec micro seconds part of offset.
1348 *
1349 * @return returns zero
1350 *
1351 * @ingroup krb5
1352 */
1353
1354 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_kdc_sec_offset(krb5_context context,int32_t * sec,int32_t * usec)1355 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
1356 {
1357 if (sec)
1358 *sec = context->kdc_sec_offset;
1359 if (usec)
1360 *usec = context->kdc_usec_offset;
1361 return 0;
1362 }
1363
1364 /**
1365 * Set current offset in time to the KDC.
1366 *
1367 * @param context Kerberos 5 context.
1368 * @param sec seconds part of offset.
1369 * @param usec micro seconds part of offset.
1370 *
1371 * @return returns zero
1372 *
1373 * @ingroup krb5
1374 */
1375
1376 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_kdc_sec_offset(krb5_context context,int32_t sec,int32_t usec)1377 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1378 {
1379 context->kdc_sec_offset = sec;
1380 if (usec >= 0)
1381 context->kdc_usec_offset = usec;
1382 return 0;
1383 }
1384
1385 /**
1386 * Get max time skew allowed.
1387 *
1388 * @param context Kerberos 5 context.
1389 *
1390 * @return timeskew in seconds.
1391 *
1392 * @ingroup krb5
1393 */
1394
1395 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
krb5_get_max_time_skew(krb5_context context)1396 krb5_get_max_time_skew (krb5_context context)
1397 {
1398 return context->max_skew;
1399 }
1400
1401 /**
1402 * Set max time skew allowed.
1403 *
1404 * @param context Kerberos 5 context.
1405 * @param t timeskew in seconds.
1406 *
1407 * @ingroup krb5
1408 */
1409
1410 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_set_max_time_skew(krb5_context context,time_t t)1411 krb5_set_max_time_skew (krb5_context context, time_t t)
1412 {
1413 context->max_skew = t;
1414 }
1415
1416 /*
1417 * Init encryption types in len, val with etypes.
1418 *
1419 * @param context Kerberos 5 context.
1420 * @param pdu_type type of pdu
1421 * @param len output length of val.
1422 * @param val output array of enctypes.
1423 * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1424
1425 * @return Returns 0 to indicate success. Otherwise an kerberos et
1426 * error code is returned, see krb5_get_error_message().
1427 *
1428 * @ingroup krb5
1429 */
1430
1431 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_init_etype(krb5_context context,krb5_pdu pdu_type,unsigned * len,krb5_enctype ** val,const krb5_enctype * etypes)1432 _krb5_init_etype(krb5_context context,
1433 krb5_pdu pdu_type,
1434 unsigned *len,
1435 krb5_enctype **val,
1436 const krb5_enctype *etypes)
1437 {
1438 krb5_error_code ret;
1439
1440 if (etypes == NULL)
1441 ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
1442 else
1443 ret = copy_enctypes(context, etypes, val);
1444 if (ret)
1445 return ret;
1446
1447 if (len) {
1448 *len = 0;
1449 while ((*val)[*len] != KRB5_ENCTYPE_NULL)
1450 (*len)++;
1451 }
1452 return 0;
1453 }
1454
1455 /*
1456 * Allow homedir accces
1457 */
1458
1459 static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
1460 static krb5_boolean allow_homedir = TRUE;
1461
1462 krb5_boolean
_krb5_homedir_access(krb5_context context)1463 _krb5_homedir_access(krb5_context context)
1464 {
1465 krb5_boolean allow;
1466
1467 #ifdef HAVE_GETEUID
1468 /* is never allowed for root */
1469 if (geteuid() == 0)
1470 return FALSE;
1471 #endif
1472
1473 if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
1474 return FALSE;
1475
1476 HEIMDAL_MUTEX_lock(&homedir_mutex);
1477 allow = allow_homedir;
1478 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1479 return allow;
1480 }
1481
1482 /**
1483 * Enable and disable home directory access on either the global state
1484 * or the krb5_context state. By calling krb5_set_home_dir_access()
1485 * with context set to NULL, the global state is configured otherwise
1486 * the state for the krb5_context is modified.
1487 *
1488 * For home directory access to be allowed, both the global state and
1489 * the krb5_context state have to be allowed.
1490 *
1491 * Administrator (root user), never uses the home directory.
1492 *
1493 * @param context a Kerberos 5 context or NULL
1494 * @param allow allow if TRUE home directory
1495 * @return the old value
1496 *
1497 * @ingroup krb5
1498 */
1499
1500 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_set_home_dir_access(krb5_context context,krb5_boolean allow)1501 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
1502 {
1503 krb5_boolean old;
1504 if (context) {
1505 old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
1506 if (allow)
1507 context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
1508 else
1509 context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
1510 } else {
1511 HEIMDAL_MUTEX_lock(&homedir_mutex);
1512 old = allow_homedir;
1513 allow_homedir = allow;
1514 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1515 }
1516
1517 return old;
1518 }
1519