Context Navigation

← Previous Revision
Next Revision →
Normal
Revision Log

context.c

Last change on this file was 8, checked in by Paul Smedley, 9 years ago
Remove unneccessary patch
File size: 37.7 KB

Rev	Line
[1]	1	/*
	2	* Copyright (c) 1997 - 2010 Kungliga Tekniska HÃ¶gskolan
	3	* (Royal Institute of Technology, Stockholm, Sweden).
	4	* All rights reserved.
	5	*
	6	* Portions Copyright (c) 2009 Apple Inc. All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	*
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in the
	17	* documentation and/or other materials provided with the distribution.
	18	*
	19	* 3. Neither the name of the Institute nor the names of its contributors
	20	* may be used to endorse or promote products derived from this software
	21	* without specific prior written permission.
	22	*
	23	* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
	24	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	25	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	26	* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
	27	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	28	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	29	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	30	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	31	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	32	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	33	* SUCH DAMAGE.
	34	*/
	35
	36	#include "krb5_locl.h"
	37	#include <assert.h>
	38	#include <com_err.h>
	39
	40	#define INIT_FIELD(C, T, E, D, F) \
	41	(C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
	42	"libdefaults", F, NULL)
	43
	44	#define INIT_FLAG(C, O, V, D, F) \
	45	do { \
	46	if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
	47	(C)->O \|= V; \
	48	} \
	49	} while(0)
	50
	51	/*
	52	* Set the list of etypes `ret_etypes' from the configuration variable
	53	* `name'
	54	*/
	55
	56	static krb5_error_code
	57	set_etypes (krb5_context context,
	58	const char *name,
	59	krb5_enctype **ret_enctypes)
	60	{
	61	char **etypes_str;
	62	krb5_enctype *etypes = NULL;
	63
	64	etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
	65	name, NULL);
	66	if(etypes_str){
	67	int i, j, k;
	68	for(i = 0; etypes_str[i]; i++);
	69	etypes = malloc((i+1) * sizeof(*etypes));
	70	if (etypes == NULL) {
	71	krb5_config_free_strings (etypes_str);
	72	krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
	73	return ENOMEM;
	74	}
	75	for(j = 0, k = 0; j < i; j++) {
	76	krb5_enctype e;
	77	if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
	78	continue;
	79	if (krb5_enctype_valid(context, e) != 0)
	80	continue;
	81	etypes[k++] = e;
	82	}
	83	etypes[k] = ETYPE_NULL;
	84	krb5_config_free_strings(etypes_str);
	85	}
	86	*ret_enctypes = etypes;
	87	return 0;
	88	}
	89
	90	/*
	91	* read variables from the configuration file and set in `context'
	92	*/
	93
	94	static krb5_error_code
	95	init_context_from_config_file(krb5_context context)
	96	{
	97	krb5_error_code ret;
	98	const char * tmp;
	99	char **s;
	100	krb5_enctype *tmptypes;
	101
	102	INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
	103	INIT_FIELD(context, time, kdc_timeout, 3, "kdc_timeout");
	104	INIT_FIELD(context, int, max_retries, 3, "max_retries");
	105
	106	INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
	107
	108	ret = krb5_config_get_bool_default(context, NULL, FALSE,
	109	"libdefaults",
	110	"allow_weak_crypto", NULL);
	111	if (ret) {
	112	krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
	113	krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
	114	krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
	115	krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
	116	krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
	117	krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
	118	}
	119
	120	ret = set_etypes (context, "default_etypes", &tmptypes);
	121	if(ret)
	122	return ret;
	123	free(context->etypes);
	124	context->etypes = tmptypes;
	125
	126	ret = set_etypes (context, "default_etypes_des", &tmptypes);
	127	if(ret)
	128	return ret;
	129	free(context->etypes_des);
	130	context->etypes_des = tmptypes;
	131
	132	ret = set_etypes (context, "default_as_etypes", &tmptypes);
	133	if(ret)
	134	return ret;
	135	free(context->as_etypes);
	136	context->as_etypes = tmptypes;
	137
	138	ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
	139	if(ret)
	140	return ret;
	141	free(context->tgs_etypes);
	142	context->tgs_etypes = tmptypes;
	143
	144	ret = set_etypes (context, "permitted_enctypes", &tmptypes);
	145	if(ret)
	146	return ret;
	147	free(context->permitted_enctypes);
	148	context->permitted_enctypes = tmptypes;
	149
	150	/* default keytab name */
	151	tmp = NULL;
	152	if(!issuid())
	153	tmp = getenv("KRB5_KTNAME");
	154	if(tmp != NULL)
	155	context->default_keytab = tmp;
	156	else
	157	INIT_FIELD(context, string, default_keytab,
	158	KEYTAB_DEFAULT, "default_keytab_name");
	159
	160	INIT_FIELD(context, string, default_keytab_modify,
	161	NULL, "default_keytab_modify_name");
	162
	163	INIT_FIELD(context, string, time_fmt,
	164	"%Y-%m-%dT%H:%M:%S", "time_format");
	165
	166	INIT_FIELD(context, string, date_fmt,
	167	"%Y-%m-%d", "date_format");
	168
	169	INIT_FIELD(context, bool, log_utc,
	170	FALSE, "log_utc");
	171
	172
	173
	174	/* init dns-proxy slime */
	175	tmp = krb5_config_get_string(context, NULL, "libdefaults",
	176	"dns_proxy", NULL);
	177	if(tmp)
	178	roken_gethostby_setup(context->http_proxy, tmp);
	179	krb5_free_host_realm (context, context->default_realms);
	180	context->default_realms = NULL;
	181
	182	{
	183	krb5_addresses addresses;
	184	char adr, a;
	185
	186	krb5_set_extra_addresses(context, NULL);
	187	adr = krb5_config_get_strings(context, NULL,
	188	"libdefaults",
	189	"extra_addresses",
	190	NULL);
	191	memset(&addresses, 0, sizeof(addresses));
	192	for(a = adr; a && *a; a++) {
	193	ret = krb5_parse_address(context, *a, &addresses);
	194	if (ret == 0) {
	195	krb5_add_extra_addresses(context, &addresses);
	196	krb5_free_addresses(context, &addresses);
	197	}
	198	}
	199	krb5_config_free_strings(adr);
	200
	201	krb5_set_ignore_addresses(context, NULL);
	202	adr = krb5_config_get_strings(context, NULL,
	203	"libdefaults",
	204	"ignore_addresses",
	205	NULL);
	206	memset(&addresses, 0, sizeof(addresses));
	207	for(a = adr; a && *a; a++) {
	208	ret = krb5_parse_address(context, *a, &addresses);
	209	if (ret == 0) {
	210	krb5_add_ignore_addresses(context, &addresses);
	211	krb5_free_addresses(context, &addresses);
	212	}
	213	}
	214	krb5_config_free_strings(adr);
	215	}
	216
	217	INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
	218	INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
	219	/* prefer dns_lookup_kdc over srv_lookup. */
	220	INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
	221	INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
	222	INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
	223	INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
	224	INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
	225	context->default_cc_name = NULL;
	226	context->default_cc_name_set = 0;
	227
	228	s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
	229	if(s) {
	230	char **p;
	231	krb5_initlog(context, "libkrb5", &context->debug_dest);
	232	for(p = s; *p; p++)
	233	krb5_addlog_dest(context, context->debug_dest, *p);
	234	krb5_config_free_strings(s);
	235	}
	236
	237	tmp = krb5_config_get_string(context, NULL, "libdefaults",
	238	"check-rd-req-server", NULL);
	239	if (tmp == NULL && !issuid())
	240	tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
	241	if(tmp) {
	242	if (strcasecmp(tmp, "ignore") == 0)
	243	context->flags \|= KRB5_CTX_F_RD_REQ_IGNORE;
	244	}
	245
	246	return 0;
	247	}
	248
	249	static krb5_error_code
	250	cc_ops_register(krb5_context context)
	251	{
	252	context->cc_ops = NULL;
	253	context->num_cc_ops = 0;
	254
	255	#ifndef KCM_IS_API_CACHE
	256	krb5_cc_register(context, &krb5_acc_ops, TRUE);
	257	#endif
	258	krb5_cc_register(context, &krb5_fcc_ops, TRUE);
	259	krb5_cc_register(context, &krb5_mcc_ops, TRUE);
	260	#ifdef HAVE_SCC
	261	krb5_cc_register(context, &krb5_scc_ops, TRUE);
	262	#endif
	263	#ifdef HAVE_KCM
	264	#ifdef KCM_IS_API_CACHE
	265	krb5_cc_register(context, &krb5_akcm_ops, TRUE);
	266	#endif
	267	krb5_cc_register(context, &krb5_kcm_ops, TRUE);
	268	#endif
	269	_krb5_load_ccache_plugins(context);
	270	return 0;
	271	}
	272
	273	static krb5_error_code
	274	cc_ops_copy(krb5_context context, const krb5_context src_context)
	275	{
	276	const krb5_cc_ops **cc_ops;
	277
	278	context->cc_ops = NULL;
	279	context->num_cc_ops = 0;
	280
	281	if (src_context->num_cc_ops == 0)
	282	return 0;
	283
	284	cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
	285	if (cc_ops == NULL) {
	286	krb5_set_error_message(context, KRB5_CC_NOMEM,
	287	N_("malloc: out of memory", ""));
	288	return KRB5_CC_NOMEM;
	289	}
	290
	291	memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
	292	sizeof(cc_ops[0]) * src_context->num_cc_ops);
	293	context->cc_ops = cc_ops;
	294	context->num_cc_ops = src_context->num_cc_ops;
	295
	296	return 0;
	297	}
	298
	299	static krb5_error_code
	300	kt_ops_register(krb5_context context)
	301	{
	302	context->num_kt_types = 0;
	303	context->kt_types = NULL;
	304
	305	krb5_kt_register (context, &krb5_fkt_ops);
	306	krb5_kt_register (context, &krb5_wrfkt_ops);
	307	krb5_kt_register (context, &krb5_javakt_ops);
	308	krb5_kt_register (context, &krb5_mkt_ops);
	309	#ifndef HEIMDAL_SMALLER
	310	krb5_kt_register (context, &krb5_akf_ops);
	311	#endif
	312	krb5_kt_register (context, &krb5_any_ops);
	313	return 0;
	314	}
	315
	316	static krb5_error_code
	317	kt_ops_copy(krb5_context context, const krb5_context src_context)
	318	{
	319	context->num_kt_types = 0;
	320	context->kt_types = NULL;
	321
	322	if (src_context->num_kt_types == 0)
	323	return 0;
	324
	325	context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
	326	if (context->kt_types == NULL) {
	327	krb5_set_error_message(context, ENOMEM,
	328	N_("malloc: out of memory", ""));
	329	return ENOMEM;
	330	}
	331
	332	context->num_kt_types = src_context->num_kt_types;
	333	memcpy(context->kt_types, src_context->kt_types,
	334	sizeof(context->kt_types[0]) * src_context->num_kt_types);
	335
	336	return 0;
	337	}
	338
	339	static const char *sysplugin_dirs[] = {
	340	LIBDIR "/plugin/krb5",
	341	#ifdef __APPLE__
	342	"/Library/KerberosPlugins/KerberosFrameworkPlugins",
	343	"/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
	344	#endif
	345	NULL
	346	};
	347
	348	static void
	349	init_context_once(void *ctx)
	350	{
	351	krb5_context context = ctx;
	352
	353	_krb5_load_plugins(context, "krb5", sysplugin_dirs);
	354
	355	bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
	356	}
	357
	358
	359	/**
	360	* Initializes the context structure and reads the configuration file
	361	* /etc/krb5.conf. The structure should be freed by calling
	362	* krb5_free_context() when it is no longer being used.
	363	*
	364	* @param context pointer to returned context
	365	*
	366	* @return Returns 0 to indicate success. Otherwise an errno code is
	367	* returned. Failure means either that something bad happened during
	368	* initialization (typically ENOMEM) or that Kerberos should not be
	369	* used ENXIO.
	370	*
	371	* @ingroup krb5
	372	*/
	373
	374	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	375	krb5_init_context(krb5_context *context)
	376	{
	377	static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
	378	krb5_context p;
	379	krb5_error_code ret;
	380	char **files;
	381
	382	*context = NULL;
	383
	384	p = calloc(1, sizeof(*p));
	385	if(!p)
	386	return ENOMEM;
	387
	388	p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
	389	if (p->mutex == NULL) {
	390	free(p);
	391	return ENOMEM;
	392	}
	393	HEIMDAL_MUTEX_init(p->mutex);
	394
	395	p->flags \|= KRB5_CTX_F_HOMEDIR_ACCESS;
	396
	397	ret = krb5_get_default_config_files(&files);
	398	if(ret)
	399	goto out;
	400	ret = krb5_set_config_files(p, files);
	401	krb5_free_config_files(files);
	402	if(ret)
	403	goto out;
	404
	405	/* init error tables */
	406	krb5_init_ets(p);
	407	cc_ops_register(p);
	408	kt_ops_register(p);
	409
	410	#ifdef PKINIT
	411	ret = hx509_context_init(&p->hx509ctx);
	412	if (ret)
	413	goto out;
	414	#endif
	415	if (rk_SOCK_INIT())
	416	p->flags \|= KRB5_CTX_F_SOCKETS_INITIALIZED;
	417
	418	out:
	419	if(ret) {
	420	krb5_free_context(p);
	421	p = NULL;
	422	} else {
	423	heim_base_once_f(&init_context, p, init_context_once);
	424	}
	425	*context = p;
	426	return ret;
	427	}
	428
	429	#ifndef HEIMDAL_SMALLER
	430
	431	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	432	krb5_get_permitted_enctypes(krb5_context context,
	433	krb5_enctype **etypes)
	434	{
	435	return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
	436	}
	437
	438	/*
	439	*
	440	*/
	441
	442	static krb5_error_code
	443	copy_etypes (krb5_context context,
	444	krb5_enctype *enctypes,
	445	krb5_enctype **ret_enctypes)
	446	{
	447	unsigned int i;
	448
	449	for (i = 0; enctypes[i]; i++)
	450	;
	451	i++;
	452
	453	ret_enctypes = malloc(sizeof(ret_enctypes[0]) i);
	454	if (*ret_enctypes == NULL) {
	455	krb5_set_error_message(context, ENOMEM,
	456	N_("malloc: out of memory", ""));
	457	return ENOMEM;
	458	}
	459	memcpy(ret_enctypes, enctypes, sizeof(ret_enctypes[0]) i);
	460	return 0;
	461	}
	462
	463	/**
	464	* Make a copy for the Kerberos 5 context, the new krb5_context shoud
	465	* be freed with krb5_free_context().
	466	*
	467	* @param context the Kerberos context to copy
	468	* @param out the copy of the Kerberos, set to NULL error.
	469	*
	470	* @return Returns 0 to indicate success. Otherwise an kerberos et
	471	* error code is returned, see krb5_get_error_message().
	472	*
	473	* @ingroup krb5
	474	*/
	475
	476	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	477	krb5_copy_context(krb5_context context, krb5_context *out)
	478	{
	479	krb5_error_code ret;
	480	krb5_context p;
	481
	482	*out = NULL;
	483
	484	p = calloc(1, sizeof(*p));
	485	if (p == NULL) {
	486	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
	487	return ENOMEM;
	488	}
	489
	490	p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
	491	if (p->mutex == NULL) {
	492	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
	493	free(p);
	494	return ENOMEM;
	495	}
	496	HEIMDAL_MUTEX_init(p->mutex);
	497
	498
	499	if (context->default_cc_name)
	500	p->default_cc_name = strdup(context->default_cc_name);
	501	if (context->default_cc_name_env)
	502	p->default_cc_name_env = strdup(context->default_cc_name_env);
	503
	504	if (context->etypes) {
	505	ret = copy_etypes(context, context->etypes, &p->etypes);
	506	if (ret)
	507	goto out;
	508	}
	509	if (context->etypes_des) {
	510	ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
	511	if (ret)
	512	goto out;
	513	}
	514
	515	if (context->default_realms) {
	516	ret = krb5_copy_host_realm(context,
	517	context->default_realms, &p->default_realms);
	518	if (ret)
	519	goto out;
	520	}
	521
	522	ret = _krb5_config_copy(context, context->cf, &p->cf);
	523	if (ret)
	524	goto out;
	525
	526	/* XXX should copy */
	527	krb5_init_ets(p);
	528
	529	cc_ops_copy(p, context);
	530	kt_ops_copy(p, context);
	531
	532	#if 0 /* XXX */
	533	if(context->warn_dest != NULL)
	534	;
	535	if(context->debug_dest != NULL)
	536	;
	537	#endif
	538
	539	ret = krb5_set_extra_addresses(p, context->extra_addresses);
	540	if (ret)
	541	goto out;
	542	ret = krb5_set_extra_addresses(p, context->ignore_addresses);
	543	if (ret)
	544	goto out;
	545
	546	ret = _krb5_copy_send_to_kdc_func(p, context);
	547	if (ret)
	548	goto out;
	549
	550	*out = p;
	551
	552	return 0;
	553
	554	out:
	555	krb5_free_context(p);
	556	return ret;
	557	}
	558
	559	#endif
	560
	561	/**
	562	* Frees the krb5_context allocated by krb5_init_context().
	563	*
	564	* @param context context to be freed.
	565	*
	566	* @ingroup krb5
	567	*/
	568
	569	KRB5_LIB_FUNCTION void KRB5_LIB_CALL
	570	krb5_free_context(krb5_context context)
	571	{
	572	if (context->default_cc_name)
	573	free(context->default_cc_name);
	574	if (context->default_cc_name_env)
	575	free(context->default_cc_name_env);
	576	free(context->etypes);
	577	free(context->etypes_des);
	578	krb5_free_host_realm (context, context->default_realms);
	579	krb5_config_file_free (context, context->cf);
	580	free_error_table (context->et_list);
	581	free(rk_UNCONST(context->cc_ops));
	582	free(context->kt_types);
	583	krb5_clear_error_message(context);
	584	if(context->warn_dest != NULL)
	585	krb5_closelog(context, context->warn_dest);
	586	if(context->debug_dest != NULL)
	587	krb5_closelog(context, context->debug_dest);
	588	krb5_set_extra_addresses(context, NULL);
	589	krb5_set_ignore_addresses(context, NULL);
	590	krb5_set_send_to_kdc_func(context, NULL, NULL);
	591
	592	#ifdef PKINIT
	593	if (context->hx509ctx)
	594	hx509_context_free(&context->hx509ctx);
	595	#endif
	596
	597	HEIMDAL_MUTEX_destroy(context->mutex);
	598	free(context->mutex);
	599	if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
	600	rk_SOCK_EXIT();
	601	}
	602
	603	memset(context, 0, sizeof(*context));
	604	free(context);
	605	}
	606
	607	/**
	608	* Reinit the context from a new set of filenames.
	609	*
	610	* @param context context to add configuration too.
	611	* @param filenames array of filenames, end of list is indicated with a NULL filename.
	612	*
	613	* @return Returns 0 to indicate success. Otherwise an kerberos et
	614	* error code is returned, see krb5_get_error_message().
	615	*
	616	* @ingroup krb5
	617	*/
	618
	619	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	620	krb5_set_config_files(krb5_context context, char **filenames)
	621	{
	622	krb5_error_code ret;
	623	krb5_config_binding *tmp = NULL;
	624	while(filenames != NULL && filenames != NULL && *filenames != '\0') {
	625	ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
	626	if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) {
	627	krb5_config_file_free(context, tmp);
	628	return ret;
	629	}
	630	filenames++;
	631	}
	632	#if 0
	633	/* with this enabled and if there are no config files, Kerberos is
	634	considererd disabled */
	635	if(tmp == NULL)
	636	return ENXIO;
	637	#endif
	638
	639	#ifdef _WIN32
	640	_krb5_load_config_from_registry(context, &tmp);
	641	#endif
	642
	643	krb5_config_file_free(context, context->cf);
	644	context->cf = tmp;
	645	ret = init_context_from_config_file(context);
	646	return ret;
	647	}
	648
	649	static krb5_error_code
	650	add_file(char **pfilenames, int len, char *file)
	651	{
	652	char *pp = pfilenames;
	653	int i;
	654
	655	for(i = 0; i < *len; i++) {
	656	if(strcmp(pp[i], file) == 0) {
	657	free(file);
	658	return 0;
	659	}
	660	}
	661
	662	pp = realloc(pfilenames, (len + 2) * sizeof(*pp));
	663	if (pp == NULL) {
	664	free(file);
	665	return ENOMEM;
	666	}
	667
	668	pp[*len] = file;
	669	pp[*len + 1] = NULL;
	670	*pfilenames = pp;
	671	*len += 1;
	672	return 0;
	673	}
	674
	675	/*
	676	* `pq' isn't free, it's up the the caller
	677	*/
	678
	679	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	680	krb5_prepend_config_files(const char filelist, char pq, char **ret_pp)
	681	{
	682	krb5_error_code ret;
	683	const char p, q;
	684	char **pp;
	685	int len;
	686	char *fn;
	687
	688	pp = NULL;
	689
	690	len = 0;
	691	p = filelist;
	692	while(1) {
	693	ssize_t l;
	694	q = p;
	695	l = strsep_copy(&q, PATH_SEP, NULL, 0);
	696	if(l == -1)
	697	break;
	698	fn = malloc(l + 1);
	699	if(fn == NULL) {
	700	krb5_free_config_files(pp);
	701	return ENOMEM;
	702	}
	703	(void)strsep_copy(&p, PATH_SEP, fn, l + 1);
	704	ret = add_file(&pp, &len, fn);
	705	if (ret) {
	706	krb5_free_config_files(pp);
	707	return ret;
	708	}
	709	}
	710
	711	if (pq != NULL) {
	712	int i;
	713
	714	for (i = 0; pq[i] != NULL; i++) {
	715	fn = strdup(pq[i]);
	716	if (fn == NULL) {
	717	krb5_free_config_files(pp);
	718	return ENOMEM;
	719	}
	720	ret = add_file(&pp, &len, fn);
	721	if (ret) {
	722	krb5_free_config_files(pp);
	723	return ret;
	724	}
	725	}
	726	}
	727
	728	*ret_pp = pp;
	729	return 0;
	730	}
	731
	732	/**
	733	* Prepend the filename to the global configuration list.
	734	*
	735	* @param filelist a filename to add to the default list of filename
	736	* @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
	737	*
	738	* @return Returns 0 to indicate success. Otherwise an kerberos et
	739	* error code is returned, see krb5_get_error_message().
	740	*
	741	* @ingroup krb5
	742	*/
	743
	744	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	745	krb5_prepend_config_files_default(const char filelist, char **pfilenames)
	746	{
	747	krb5_error_code ret;
	748	char defpp, pp = NULL;
	749
	750	ret = krb5_get_default_config_files(&defpp);
	751	if (ret)
	752	return ret;
	753
	754	ret = krb5_prepend_config_files(filelist, defpp, &pp);
	755	krb5_free_config_files(defpp);
	756	if (ret) {
	757	return ret;
	758	}
	759	*pfilenames = pp;
	760	return 0;
	761	}
	762
	763	#ifdef _WIN32
	764
	765	/**
	766	* Checks the registry for configuration file location
	767	*
	768	* Kerberos for Windows and other legacy Kerberos applications expect
	769	* to find the configuration file location in the
	770	* SOFTWARE\MIT\Kerberos registry key under the value "config".
	771	*/
	772	char *
	773	_krb5_get_default_config_config_files_from_registry()
	774	{
	775	static const char * KeyName = "Software\\MIT\\Kerberos";
	776	char *config_file = NULL;
	777	LONG rcode;
	778	HKEY key;
	779
	780	rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key);
	781	if (rcode == ERROR_SUCCESS) {
	782	config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
	783	REG_NONE, 0, PATH_SEP);
	784	RegCloseKey(key);
	785	}
	786
	787	if (config_file)
	788	return config_file;
	789
	790	rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key);
	791	if (rcode == ERROR_SUCCESS) {
	792	config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
	793	REG_NONE, 0, PATH_SEP);
	794	RegCloseKey(key);
	795	}
	796
	797	return config_file;
	798	}
	799
	800	#endif
	801
	802	/**
	803	* Get the global configuration list.
	804	*
	805	* @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
	806	*
	807	* @return Returns 0 to indicate success. Otherwise an kerberos et
	808	* error code is returned, see krb5_get_error_message().
	809	*
	810	* @ingroup krb5
	811	*/
	812
	813	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	814	krb5_get_default_config_files(char ***pfilenames)
	815	{
	816	const char *files = NULL;
	817
	818	if (pfilenames == NULL)
	819	return EINVAL;
	820	if(!issuid())
	821	files = getenv("KRB5_CONFIG");
	822
	823	#ifdef _WIN32
	824	if (files == NULL) {
	825	char * reg_files;
	826	reg_files = _krb5_get_default_config_config_files_from_registry();
	827	if (reg_files != NULL) {
	828	krb5_error_code code;
	829
	830	code = krb5_prepend_config_files(reg_files, NULL, pfilenames);
	831	free(reg_files);
	832
	833	return code;
	834	}
	835	}
	836	#endif
	837
	838	if (files == NULL)
	839	files = krb5_config_file;
	840
	841	return krb5_prepend_config_files(files, NULL, pfilenames);
	842	}
	843
	844	/**
	845	* Free a list of configuration files.
	846	*
	847	* @param filenames list, terminated with a NULL pointer, to be
	848	* freed. NULL is an valid argument.
	849	*
	850	* @return Returns 0 to indicate success. Otherwise an kerberos et
	851	* error code is returned, see krb5_get_error_message().
	852	*
	853	* @ingroup krb5
	854	*/
	855
	856	KRB5_LIB_FUNCTION void KRB5_LIB_CALL
	857	krb5_free_config_files(char **filenames)
	858	{
	859	char **p;
	860	for(p = filenames; p && *p != NULL; p++)
	861	free(*p);
	862	free(filenames);
	863	}
	864
	865	/**
	866	* Returns the list of Kerberos encryption types sorted in order of
	867	* most preferred to least preferred encryption type. Note that some
	868	* encryption types might be disabled, so you need to check with
	869	* krb5_enctype_valid() before using the encryption type.
	870	*
	871	* @return list of enctypes, terminated with ETYPE_NULL. Its a static
	872	* array completed into the Kerberos library so the content doesn't
	873	* need to be freed.
	874	*
	875	* @ingroup krb5
	876	*/
	877
	878	KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
	879	krb5_kerberos_enctypes(krb5_context context)
	880	{
	881	static const krb5_enctype p[] = {
	882	ETYPE_AES256_CTS_HMAC_SHA1_96,
	883	ETYPE_AES128_CTS_HMAC_SHA1_96,
	884	ETYPE_DES3_CBC_SHA1,
	885	ETYPE_DES3_CBC_MD5,
	886	ETYPE_ARCFOUR_HMAC_MD5,
	887	ETYPE_DES_CBC_MD5,
	888	ETYPE_DES_CBC_MD4,
	889	ETYPE_DES_CBC_CRC,
	890	ETYPE_NULL
	891	};
	892	return p;
	893	}
	894
	895	/*
	896	*
	897	*/
	898
	899	static krb5_error_code
	900	copy_enctypes(krb5_context context,
	901	const krb5_enctype *in,
	902	krb5_enctype **out)
	903	{
	904	krb5_enctype *p = NULL;
	905	size_t m, n;
	906
	907	for (n = 0; in[n]; n++)
	908	;
	909	n++;
	910	ALLOC(p, n);
	911	if(p == NULL)
	912	return krb5_enomem(context);
	913	for (n = 0, m = 0; in[n]; n++) {
	914	if (krb5_enctype_valid(context, in[n]) != 0)
	915	continue;
	916	p[m++] = in[n];
	917	}
	918	p[m] = KRB5_ENCTYPE_NULL;
	919	if (m == 0) {
	920	free(p);
	921	krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
	922	N_("no valid enctype set", ""));
	923	return KRB5_PROG_ETYPE_NOSUPP;
	924	}
	925	*out = p;
	926	return 0;
	927	}
	928
	929
	930	/*
	931	* set `etype' to a malloced list of the default enctypes
	932	*/
	933
	934	static krb5_error_code
	935	default_etypes(krb5_context context, krb5_enctype **etype)
	936	{
	937	const krb5_enctype *p = krb5_kerberos_enctypes(context);
	938	return copy_enctypes(context, p, etype);
	939	}
	940
	941	/**
	942	* Set the default encryption types that will be use in communcation
	943	* with the KDC, clients and servers.
	944	*
	945	* @param context Kerberos 5 context.
	946	* @param etypes Encryption types, array terminated with ETYPE_NULL (0).
	947	*
	948	* @return Returns 0 to indicate success. Otherwise an kerberos et
	949	* error code is returned, see krb5_get_error_message().
	950	*
	951	* @ingroup krb5
	952	*/
	953
	954	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	955	krb5_set_default_in_tkt_etypes(krb5_context context,
	956	const krb5_enctype *etypes)
	957	{
	958	krb5_error_code ret;
	959	krb5_enctype *p = NULL;
	960
	961	if(etypes) {
	962	ret = copy_enctypes(context, etypes, &p);
	963	if (ret)
	964	return ret;
	965	}
	966	if(context->etypes)
	967	free(context->etypes);
	968	context->etypes = p;
	969	return 0;
	970	}
	971
	972	/**
	973	* Get the default encryption types that will be use in communcation
	974	* with the KDC, clients and servers.
	975	*
	976	* @param context Kerberos 5 context.
	977	* @param etypes Encryption types, array terminated with
	978	* ETYPE_NULL(0), caller should free array with krb5_xfree():
	979	*
	980	* @return Returns 0 to indicate success. Otherwise an kerberos et
	981	* error code is returned, see krb5_get_error_message().
	982	*
	983	* @ingroup krb5
	984	*/
	985
	986	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	987	krb5_get_default_in_tkt_etypes(krb5_context context,
	988	krb5_pdu pdu_type,
	989	krb5_enctype **etypes)
	990	{
	991	krb5_enctype *enctypes = NULL;
	992	krb5_error_code ret;
	993	krb5_enctype *p;
	994
	995	heim_assert(pdu_type == KRB5_PDU_AS_REQUEST \|\|
	996	pdu_type == KRB5_PDU_TGS_REQUEST \|\|
	997	pdu_type == KRB5_PDU_NONE, "pdu contant not as expected");
	998
	999	if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
	1000	enctypes = context->as_etypes;
	1001	else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
	1002	enctypes = context->tgs_etypes;
	1003	else if (context->etypes != NULL)
	1004	enctypes = context->etypes;
	1005
	1006	if (enctypes != NULL) {
	1007	ret = copy_enctypes(context, enctypes, &p);
	1008	if (ret)
	1009	return ret;
	1010	} else {
	1011	ret = default_etypes(context, &p);
	1012	if (ret)
	1013	return ret;
	1014	}
	1015	*etypes = p;
	1016	return 0;
	1017	}
	1018
	1019	/**
	1020	* Init the built-in ets in the Kerberos library.
	1021	*
	1022	* @param context kerberos context to add the ets too
	1023	*
	1024	* @ingroup krb5
	1025	*/
	1026
	1027	KRB5_LIB_FUNCTION void KRB5_LIB_CALL
	1028	krb5_init_ets(krb5_context context)
	1029	{
	1030	if(context->et_list == NULL){
	1031	krb5_add_et_list(context, initialize_krb5_error_table_r);
	1032	krb5_add_et_list(context, initialize_asn1_error_table_r);
	1033	krb5_add_et_list(context, initialize_heim_error_table_r);
	1034
	1035	krb5_add_et_list(context, initialize_k524_error_table_r);
	1036
	1037	#ifdef COM_ERR_BINDDOMAIN_krb5
	1038	bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
	1039	bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
	1040	bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
	1041	bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
	1042	#endif
	1043
	1044	#ifdef PKINIT
	1045	krb5_add_et_list(context, initialize_hx_error_table_r);
	1046	#ifdef COM_ERR_BINDDOMAIN_hx
	1047	bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
	1048	#endif
	1049	#endif
	1050	}
	1051	}
	1052
	1053	/**
	1054	* Make the kerberos library default to the admin KDC.
	1055	*
	1056	* @param context Kerberos 5 context.
	1057	* @param flag boolean flag to select if the use the admin KDC or not.
	1058	*
	1059	* @ingroup krb5
	1060	*/
	1061
	1062	KRB5_LIB_FUNCTION void KRB5_LIB_CALL
	1063	krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
	1064	{
	1065	context->use_admin_kdc = flag;
	1066	}
	1067
	1068	/**
	1069	* Make the kerberos library default to the admin KDC.
	1070	*
	1071	* @param context Kerberos 5 context.
	1072	*
	1073	* @return boolean flag to telling the context will use admin KDC as the default KDC.
	1074	*
	1075	* @ingroup krb5
	1076	*/
	1077
	1078	KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
	1079	krb5_get_use_admin_kdc (krb5_context context)
	1080	{
	1081	return context->use_admin_kdc;
	1082	}
	1083
	1084	/**
	1085	* Add extra address to the address list that the library will add to
	1086	* the client's address list when communicating with the KDC.
	1087	*
	1088	* @param context Kerberos 5 context.
	1089	* @param addresses addreses to add
	1090	*
	1091	* @return Returns 0 to indicate success. Otherwise an kerberos et
	1092	* error code is returned, see krb5_get_error_message().
	1093	*
	1094	* @ingroup krb5
	1095	*/
	1096
	1097	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	1098	krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
	1099	{
	1100
	1101	if(context->extra_addresses)
	1102	return krb5_append_addresses(context,
	1103	context->extra_addresses, addresses);
	1104	else
	1105	return krb5_set_extra_addresses(context, addresses);
	1106	}
	1107
	1108	/**
	1109	* Set extra address to the address list that the library will add to
	1110	* the client's address list when communicating with the KDC.
	1111	*
	1112	* @param context Kerberos 5 context.
	1113	* @param addresses addreses to set
	1114	*
	1115	* @return Returns 0 to indicate success. Otherwise an kerberos et
	1116	* error code is returned, see krb5_get_error_message().
	1117	*
	1118	* @ingroup krb5
	1119	*/
	1120
	1121	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	1122	krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
	1123	{
	1124	if(context->extra_addresses)
	1125	krb5_free_addresses(context, context->extra_addresses);
	1126
	1127	if(addresses == NULL) {
	1128	if(context->extra_addresses != NULL) {
	1129	free(context->extra_addresses);
	1130	context->extra_addresses = NULL;
	1131	}
	1132	return 0;
	1133	}
	1134	if(context->extra_addresses == NULL) {
	1135	context->extra_addresses = malloc(sizeof(*context->extra_addresses));
	1136	if(context->extra_addresses == NULL) {
	1137	krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
	1138	return ENOMEM;
	1139	}
	1140	}
	1141	return krb5_copy_addresses(context, addresses, context->extra_addresses);
	1142	}
	1143
	1144	/**
	1145	* Get extra address to the address list that the library will add to
	1146	* the client's address list when communicating with the KDC.
	1147	*
	1148	* @param context Kerberos 5 context.
	1149	* @param addresses addreses to set
	1150	*
	1151	* @return Returns 0 to indicate success. Otherwise an kerberos et
	1152	* error code is returned, see krb5_get_error_message().
	1153	*
	1154	* @ingroup krb5
	1155	*/
	1156
	1157	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	1158	krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
	1159	{
	1160	if(context->extra_addresses == NULL) {
	1161	memset(addresses, 0, sizeof(*addresses));
	1162	return 0;
	1163	}
	1164	return krb5_copy_addresses(context,context->extra_addresses, addresses);
	1165	}
	1166
	1167	/**
	1168	* Add extra addresses to ignore when fetching addresses from the
	1169	* underlaying operating system.
	1170	*
	1171	* @param context Kerberos 5 context.
	1172	* @param addresses addreses to ignore
	1173	*
	1174	* @return Returns 0 to indicate success. Otherwise an kerberos et
	1175	* error code is returned, see krb5_get_error_message().
	1176	*
	1177	* @ingroup krb5
	1178	*/
	1179
	1180	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	1181	krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
	1182	{
	1183
	1184	if(context->ignore_addresses)
	1185	return krb5_append_addresses(context,
	1186	context->ignore_addresses, addresses);
	1187	else
	1188	return krb5_set_ignore_addresses(context, addresses);
	1189	}
	1190
	1191	/**
	1192	* Set extra addresses to ignore when fetching addresses from the
	1193	* underlaying operating system.
	1194	*
	1195	* @param context Kerberos 5 context.
	1196	* @param addresses addreses to ignore
	1197	*
	1198	* @return Returns 0 to indicate success. Otherwise an kerberos et
	1199	* error code is returned, see krb5_get_error_message().
	1200	*
	1201	* @ingroup krb5
	1202	*/
	1203
	1204	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	1205	krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
	1206	{
	1207	if(context->ignore_addresses)
	1208	krb5_free_addresses(context, context->ignore_addresses);
	1209	if(addresses == NULL) {
	1210	if(context->ignore_addresses != NULL) {
	1211	free(context->ignore_addresses);
	1212	context->ignore_addresses = NULL;
	1213	}
	1214	return 0;
	1215	}
	1216	if(context->ignore_addresses == NULL) {
	1217	context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
	1218	if(context->ignore_addresses == NULL) {
	1219	krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
	1220	return ENOMEM;
	1221	}
	1222	}
	1223	return krb5_copy_addresses(context, addresses, context->ignore_addresses);
	1224	}
	1225
	1226	/**
	1227	* Get extra addresses to ignore when fetching addresses from the
	1228	* underlaying operating system.
	1229	*
	1230	* @param context Kerberos 5 context.
	1231	* @param addresses list addreses ignored
	1232	*
	1233	* @return Returns 0 to indicate success. Otherwise an kerberos et
	1234	* error code is returned, see krb5_get_error_message().
	1235	*
	1236	* @ingroup krb5
	1237	*/
	1238
	1239	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	1240	krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
	1241	{
	1242	if(context->ignore_addresses == NULL) {
	1243	memset(addresses, 0, sizeof(*addresses));
	1244	return 0;
	1245	}
	1246	return krb5_copy_addresses(context, context->ignore_addresses, addresses);
	1247	}
	1248
	1249	/**
	1250	* Set version of fcache that the library should use.
	1251	*
	1252	* @param context Kerberos 5 context.
	1253	* @param version version number.
	1254	*
	1255	* @return Returns 0 to indicate success. Otherwise an kerberos et
	1256	* error code is returned, see krb5_get_error_message().
	1257	*
	1258	* @ingroup krb5
	1259	*/
	1260
	1261	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	1262	krb5_set_fcache_version(krb5_context context, int version)
	1263	{
	1264	context->fcache_vno = version;
	1265	return 0;
	1266	}
	1267
	1268	/**
	1269	* Get version of fcache that the library should use.
	1270	*
	1271	* @param context Kerberos 5 context.
	1272	* @param version version number.
	1273	*
	1274	* @return Returns 0 to indicate success. Otherwise an kerberos et
	1275	* error code is returned, see krb5_get_error_message().
	1276	*
	1277	* @ingroup krb5
	1278	*/
	1279
	1280	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	1281	krb5_get_fcache_version(krb5_context context, int *version)
	1282	{
	1283	*version = context->fcache_vno;
	1284	return 0;
	1285	}
	1286
	1287	/**
	1288	* Runtime check if the Kerberos library was complied with thread support.
	1289	*
	1290	* @return TRUE if the library was compiled with thread support, FALSE if not.
	1291	*
	1292	* @ingroup krb5
	1293	*/
	1294
	1295
	1296	KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
	1297	krb5_is_thread_safe(void)
	1298	{
	1299	#ifdef ENABLE_PTHREAD_SUPPORT
	1300	return TRUE;
	1301	#else
	1302	return FALSE;
	1303	#endif
	1304	}
	1305
	1306	/**
	1307	* Set if the library should use DNS to canonicalize hostnames.
	1308	*
	1309	* @param context Kerberos 5 context.
	1310	* @param flag if its dns canonicalizion is used or not.
	1311	*
	1312	* @ingroup krb5
	1313	*/
	1314
	1315	KRB5_LIB_FUNCTION void KRB5_LIB_CALL
	1316	krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
	1317	{
	1318	if (flag)
	1319	context->flags \|= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
	1320	else
	1321	context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
	1322	}
	1323
	1324	/**
	1325	* Get if the library uses DNS to canonicalize hostnames.
	1326	*
	1327	* @param context Kerberos 5 context.
	1328	*
	1329	* @return return non zero if the library uses DNS to canonicalize hostnames.
	1330	*
	1331	* @ingroup krb5
	1332	*/
	1333
	1334	KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
	1335	krb5_get_dns_canonicalize_hostname (krb5_context context)
	1336	{
	1337	return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
	1338	}
	1339
	1340	/**
	1341	* Get current offset in time to the KDC.
	1342	*
	1343	* @param context Kerberos 5 context.
	1344	* @param sec seconds part of offset.
	1345	* @param usec micro seconds part of offset.
	1346	*
	1347	* @return returns zero
	1348	*
	1349	* @ingroup krb5
	1350	*/
	1351
	1352	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	1353	krb5_get_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
	1354	{
	1355	if (sec)
	1356	*sec = context->kdc_sec_offset;
	1357	if (usec)
	1358	*usec = context->kdc_usec_offset;
	1359	return 0;
	1360	}
	1361
	1362	/**
	1363	* Set current offset in time to the KDC.
	1364	*
	1365	* @param context Kerberos 5 context.
	1366	* @param sec seconds part of offset.
	1367	* @param usec micro seconds part of offset.
	1368	*
	1369	* @return returns zero
	1370	*
	1371	* @ingroup krb5
	1372	*/
	1373
	1374	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	1375	krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
	1376	{
	1377	context->kdc_sec_offset = sec;
	1378	if (usec >= 0)
	1379	context->kdc_usec_offset = usec;
	1380	return 0;
	1381	}
	1382
	1383	/**
	1384	* Get max time skew allowed.
	1385	*
	1386	* @param context Kerberos 5 context.
	1387	*
	1388	* @return timeskew in seconds.
	1389	*
	1390	* @ingroup krb5
	1391	*/
	1392
	1393	KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
	1394	krb5_get_max_time_skew (krb5_context context)
	1395	{
	1396	return context->max_skew;
	1397	}
	1398
	1399	/**
	1400	* Set max time skew allowed.
	1401	*
	1402	* @param context Kerberos 5 context.
	1403	* @param t timeskew in seconds.
	1404	*
	1405	* @ingroup krb5
	1406	*/
	1407
	1408	KRB5_LIB_FUNCTION void KRB5_LIB_CALL
	1409	krb5_set_max_time_skew (krb5_context context, time_t t)
	1410	{
	1411	context->max_skew = t;
	1412	}
	1413
	1414	/*
	1415	* Init encryption types in len, val with etypes.
	1416	*
	1417	* @param context Kerberos 5 context.
	1418	* @param pdu_type type of pdu
	1419	* @param len output length of val.
	1420	* @param val output array of enctypes.
	1421	* @param etypes etypes to set val and len to, if NULL, use default enctypes.
	1422
	1423	* @return Returns 0 to indicate success. Otherwise an kerberos et
	1424	* error code is returned, see krb5_get_error_message().
	1425	*
	1426	* @ingroup krb5
	1427	*/
	1428
	1429	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
	1430	_krb5_init_etype(krb5_context context,
	1431	krb5_pdu pdu_type,
	1432	unsigned *len,
	1433	krb5_enctype **val,
	1434	const krb5_enctype *etypes)
	1435	{
	1436	krb5_error_code ret;
	1437
	1438	if (etypes == NULL)
	1439	ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
	1440	else
	1441	ret = copy_enctypes(context, etypes, val);
	1442	if (ret)
	1443	return ret;
	1444
	1445	if (len) {
	1446	*len = 0;
	1447	while ((val)[len] != KRB5_ENCTYPE_NULL)
	1448	(*len)++;
	1449	}
	1450	return 0;
	1451	}
	1452
	1453	/*
	1454	* Allow homedir accces
	1455	*/
	1456
	1457	static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
	1458	static krb5_boolean allow_homedir = TRUE;
	1459
	1460	krb5_boolean
	1461	_krb5_homedir_access(krb5_context context)
	1462	{
	1463	krb5_boolean allow;
	1464
	1465	#ifdef HAVE_GETEUID
	1466	/* is never allowed for root */
	1467	if (geteuid() == 0)
	1468	return FALSE;
	1469	#endif
	1470
	1471	if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
	1472	return FALSE;
	1473
	1474	HEIMDAL_MUTEX_lock(&homedir_mutex);
	1475	allow = allow_homedir;
	1476	HEIMDAL_MUTEX_unlock(&homedir_mutex);
	1477	return allow;
	1478	}
	1479
	1480	/**
	1481	* Enable and disable home directory access on either the global state
	1482	* or the krb5_context state. By calling krb5_set_home_dir_access()
	1483	* with context set to NULL, the global state is configured otherwise
	1484	* the state for the krb5_context is modified.
	1485	*
	1486	* For home directory access to be allowed, both the global state and
	1487	* the krb5_context state have to be allowed.
	1488	*
	1489	* Administrator (root user), never uses the home directory.
	1490	*
	1491	* @param context a Kerberos 5 context or NULL
	1492	* @param allow allow if TRUE home directory
	1493	* @return the old value
	1494	*
	1495	* @ingroup krb5
	1496	*/
	1497
	1498	KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
	1499	krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
	1500	{
	1501	krb5_boolean old;
	1502	if (context) {
	1503	old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
	1504	if (allow)
	1505	context->flags \|= KRB5_CTX_F_HOMEDIR_ACCESS;
	1506	else
	1507	context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
	1508	} else {
	1509	HEIMDAL_MUTEX_lock(&homedir_mutex);
	1510	old = allow_homedir;
	1511	allow_homedir = allow;
	1512	HEIMDAL_MUTEX_unlock(&homedir_mutex);
	1513	}
	1514
	1515	return old;
	1516	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: heimdal/trunk/lib/krb5/context.c

Download in other formats: