Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.5.x/source4/heimdal/lib/krb5/context.c

Visit:

Last change on this file was 414, checked in by Herwig Bauernfeind, 15 years ago
Samba 3.5.0: Initial import
File size: 32.3 KB

Line
1	/*
2	* Copyright (c) 1997 - 2005 Kungliga Tekniska HÃ¶gskolan
3	* (Royal Institute of Technology, Stockholm, Sweden).
4	* All rights reserved.
5	*
6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions
8	* are met:
9	*
10	* 1. Redistributions of source code must retain the above copyright
11	* notice, this list of conditions and the following disclaimer.
12	*
13	* 2. Redistributions in binary form must reproduce the above copyright
14	* notice, this list of conditions and the following disclaimer in the
15	* documentation and/or other materials provided with the distribution.
16	*
17	* 3. Neither the name of the Institute nor the names of its contributors
18	* may be used to endorse or promote products derived from this software
19	* without specific prior written permission.
20	*
21	* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24	* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31	* SUCH DAMAGE.
32	*/
33
34	#include "krb5_locl.h"
35	#include <com_err.h>
36
37	#define INIT_FIELD(C, T, E, D, F) \
38	(C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
39	"libdefaults", F, NULL)
40
41	#define INIT_FLAG(C, O, V, D, F) \
42	do { \
43	if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
44	(C)->O \|= V; \
45	} \
46	} while(0)
47
48	/*
49	* Set the list of etypes `ret_etypes' from the configuration variable
50	* `name'
51	*/
52
53	static krb5_error_code
54	set_etypes (krb5_context context,
55	const char *name,
56	krb5_enctype **ret_enctypes)
57	{
58	char **etypes_str;
59	krb5_enctype *etypes = NULL;
60
61	etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
62	name, NULL);
63	if(etypes_str){
64	int i, j, k;
65	for(i = 0; etypes_str[i]; i++);
66	etypes = malloc((i+1) * sizeof(*etypes));
67	if (etypes == NULL) {
68	krb5_config_free_strings (etypes_str);
69	krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
70	return ENOMEM;
71	}
72	for(j = 0, k = 0; j < i; j++) {
73	krb5_enctype e;
74	if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
75	continue;
76	if (krb5_enctype_valid(context, e) != 0)
77	continue;
78	etypes[k++] = e;
79	}
80	etypes[k] = ETYPE_NULL;
81	krb5_config_free_strings(etypes_str);
82	}
83	*ret_enctypes = etypes;
84	return 0;
85	}
86
87	/*
88	*
89	*/
90
91	static krb5_error_code
92	copy_etypes (krb5_context context,
93	krb5_enctype *enctypes,
94	krb5_enctype **ret_enctypes)
95	{
96	unsigned int i;
97
98	for (i = 0; enctypes[i]; i++)
99	;
100	i++;
101
102	ret_enctypes = malloc(sizeof(ret_enctypes[0]) i);
103	if (*ret_enctypes == NULL) {
104	krb5_set_error_message(context, ENOMEM,
105	N_("malloc: out of memory", ""));
106	return ENOMEM;
107	}
108	memcpy(ret_enctypes, enctypes, sizeof(ret_enctypes[0]) i);
109	return 0;
110	}
111
112
113	/*
114	* read variables from the configuration file and set in `context'
115	*/
116
117	static krb5_error_code
118	init_context_from_config_file(krb5_context context)
119	{
120	krb5_error_code ret;
121	const char * tmp;
122	krb5_enctype *tmptypes;
123
124	INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
125	INIT_FIELD(context, time, kdc_timeout, 3, "kdc_timeout");
126	INIT_FIELD(context, int, max_retries, 3, "max_retries");
127
128	INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
129
130	ret = set_etypes (context, "default_etypes", &tmptypes);
131	if(ret)
132	return ret;
133	free(context->etypes);
134	context->etypes = tmptypes;
135
136	ret = set_etypes (context, "default_etypes_des", &tmptypes);
137	if(ret)
138	return ret;
139	free(context->etypes_des);
140	context->etypes_des = tmptypes;
141
142	/* default keytab name */
143	tmp = NULL;
144	if(!issuid())
145	tmp = getenv("KRB5_KTNAME");
146	if(tmp != NULL)
147	context->default_keytab = tmp;
148	else
149	INIT_FIELD(context, string, default_keytab,
150	KEYTAB_DEFAULT, "default_keytab_name");
151
152	INIT_FIELD(context, string, default_keytab_modify,
153	NULL, "default_keytab_modify_name");
154
155	INIT_FIELD(context, string, time_fmt,
156	"%Y-%m-%dT%H:%M:%S", "time_format");
157
158	INIT_FIELD(context, string, date_fmt,
159	"%Y-%m-%d", "date_format");
160
161	INIT_FIELD(context, bool, log_utc,
162	FALSE, "log_utc");
163
164
165
166	/* init dns-proxy slime */
167	tmp = krb5_config_get_string(context, NULL, "libdefaults",
168	"dns_proxy", NULL);
169	if(tmp)
170	roken_gethostby_setup(context->http_proxy, tmp);
171	krb5_free_host_realm (context, context->default_realms);
172	context->default_realms = NULL;
173
174	{
175	krb5_addresses addresses;
176	char adr, a;
177
178	krb5_set_extra_addresses(context, NULL);
179	adr = krb5_config_get_strings(context, NULL,
180	"libdefaults",
181	"extra_addresses",
182	NULL);
183	memset(&addresses, 0, sizeof(addresses));
184	for(a = adr; a && *a; a++) {
185	ret = krb5_parse_address(context, *a, &addresses);
186	if (ret == 0) {
187	krb5_add_extra_addresses(context, &addresses);
188	krb5_free_addresses(context, &addresses);
189	}
190	}
191	krb5_config_free_strings(adr);
192
193	krb5_set_ignore_addresses(context, NULL);
194	adr = krb5_config_get_strings(context, NULL,
195	"libdefaults",
196	"ignore_addresses",
197	NULL);
198	memset(&addresses, 0, sizeof(addresses));
199	for(a = adr; a && *a; a++) {
200	ret = krb5_parse_address(context, *a, &addresses);
201	if (ret == 0) {
202	krb5_add_ignore_addresses(context, &addresses);
203	krb5_free_addresses(context, &addresses);
204	}
205	}
206	krb5_config_free_strings(adr);
207	}
208
209	INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
210	INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
211	/* prefer dns_lookup_kdc over srv_lookup. */
212	INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
213	INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
214	INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
215	INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
216	INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
217	context->default_cc_name = NULL;
218	context->default_cc_name_set = 0;
219
220	ret = krb5_config_get_bool_default(context, NULL, FALSE,
221	"libdefaults",
222	"allow_weak_crypto", NULL);
223	if (ret) {
224	krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
225	krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
226	krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
227	krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
228	krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
229	krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
230	}
231
232	return 0;
233	}
234
235	static krb5_error_code
236	cc_ops_register(krb5_context context)
237	{
238	context->cc_ops = NULL;
239	context->num_cc_ops = 0;
240
241	krb5_cc_register(context, &krb5_acc_ops, TRUE);
242	krb5_cc_register(context, &krb5_fcc_ops, TRUE);
243	krb5_cc_register(context, &krb5_mcc_ops, TRUE);
244	krb5_cc_register(context, &krb5_scc_ops, TRUE);
245	#ifdef HAVE_KCM
246	krb5_cc_register(context, &krb5_kcm_ops, TRUE);
247	#endif
248	return 0;
249	}
250
251	static krb5_error_code
252	kt_ops_register(krb5_context context)
253	{
254	context->num_kt_types = 0;
255	context->kt_types = NULL;
256
257	krb5_kt_register (context, &krb5_fkt_ops);
258	krb5_kt_register (context, &krb5_wrfkt_ops);
259	krb5_kt_register (context, &krb5_javakt_ops);
260	krb5_kt_register (context, &krb5_mkt_ops);
261	#ifndef HEIMDAL_SMALLER
262	krb5_kt_register (context, &krb5_akf_ops);
263	#endif
264	krb5_kt_register (context, &krb5_any_ops);
265	return 0;
266	}
267
268
269	/**
270	* Initializes the context structure and reads the configuration file
271	* /etc/krb5.conf. The structure should be freed by calling
272	* krb5_free_context() when it is no longer being used.
273	*
274	* @param context pointer to returned context
275	*
276	* @return Returns 0 to indicate success. Otherwise an errno code is
277	* returned. Failure means either that something bad happened during
278	* initialization (typically ENOMEM) or that Kerberos should not be
279	* used ENXIO.
280	*
281	* @ingroup krb5
282	*/
283
284	krb5_error_code KRB5_LIB_FUNCTION
285	krb5_init_context(krb5_context *context)
286	{
287	krb5_context p;
288	krb5_error_code ret;
289	char **files;
290
291	*context = NULL;
292
293	/* should have a run_once */
294	bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
295
296	p = calloc(1, sizeof(*p));
297	if(!p)
298	return ENOMEM;
299
300	p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
301	if (p->mutex == NULL) {
302	free(p);
303	return ENOMEM;
304	}
305	HEIMDAL_MUTEX_init(p->mutex);
306
307	p->flags \|= KRB5_CTX_F_HOMEDIR_ACCESS;
308
309	ret = krb5_get_default_config_files(&files);
310	if(ret)
311	goto out;
312	ret = krb5_set_config_files(p, files);
313	krb5_free_config_files(files);
314	if(ret)
315	goto out;
316
317	/* init error tables */
318	krb5_init_ets(p);
319	cc_ops_register(p);
320	kt_ops_register(p);
321
322	out:
323	if(ret) {
324	krb5_free_context(p);
325	p = NULL;
326	}
327	*context = p;
328	return ret;
329	}
330
331	/**
332	* Make a copy for the Kerberos 5 context, allocated krb5_contex shoud
333	* be freed with krb5_free_context().
334	*
335	* @param context the Kerberos context to copy
336	* @param out the copy of the Kerberos, set to NULL error.
337	*
338	* @return Returns 0 to indicate success. Otherwise an kerberos et
339	* error code is returned, see krb5_get_error_message().
340	*
341	* @ingroup krb5
342	*/
343
344	krb5_error_code KRB5_LIB_FUNCTION
345	krb5_copy_context(krb5_context context, krb5_context *out)
346	{
347	krb5_error_code ret;
348	krb5_context p;
349
350	*out = NULL;
351
352	p = calloc(1, sizeof(*p));
353	if (p == NULL) {
354	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
355	return ENOMEM;
356	}
357
358	p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
359	if (p->mutex == NULL) {
360	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
361	free(p);
362	return ENOMEM;
363	}
364	HEIMDAL_MUTEX_init(p->mutex);
365
366
367	if (context->default_cc_name)
368	p->default_cc_name = strdup(context->default_cc_name);
369	if (context->default_cc_name_env)
370	p->default_cc_name_env = strdup(context->default_cc_name_env);
371
372	if (context->etypes) {
373	ret = copy_etypes(context, context->etypes, &p->etypes);
374	if (ret)
375	goto out;
376	}
377	if (context->etypes_des) {
378	ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
379	if (ret)
380	goto out;
381	}
382
383	if (context->default_realms) {
384	ret = krb5_copy_host_realm(context,
385	context->default_realms, &p->default_realms);
386	if (ret)
387	goto out;
388	}
389
390	ret = _krb5_config_copy(context, context->cf, &p->cf);
391	if (ret)
392	goto out;
393
394	/* XXX should copy */
395	krb5_init_ets(p);
396	cc_ops_register(p);
397	kt_ops_register(p);
398
399	#if 0 /* XXX */
400	if(context->warn_dest != NULL)
401	;
402	#endif
403
404	ret = krb5_set_extra_addresses(p, context->extra_addresses);
405	if (ret)
406	goto out;
407	ret = krb5_set_extra_addresses(p, context->ignore_addresses);
408	if (ret)
409	goto out;
410
411	ret = _krb5_copy_send_to_kdc_func(p, context);
412	if (ret)
413	goto out;
414
415	*out = p;
416
417	return 0;
418
419	out:
420	krb5_free_context(p);
421	return ret;
422	}
423
424	/**
425	* Frees the krb5_context allocated by krb5_init_context().
426	*
427	* @param context context to be freed.
428	*
429	* @ingroup krb5
430	*/
431
432	void KRB5_LIB_FUNCTION
433	krb5_free_context(krb5_context context)
434	{
435	if (context->default_cc_name)
436	free(context->default_cc_name);
437	if (context->default_cc_name_env)
438	free(context->default_cc_name_env);
439	free(context->etypes);
440	free(context->etypes_des);
441	krb5_free_host_realm (context, context->default_realms);
442	krb5_config_file_free (context, context->cf);
443	free_error_table (context->et_list);
444	free(context->cc_ops);
445	free(context->kt_types);
446	krb5_clear_error_message(context);
447	if(context->warn_dest != NULL)
448	krb5_closelog(context, context->warn_dest);
449	krb5_set_extra_addresses(context, NULL);
450	krb5_set_ignore_addresses(context, NULL);
451	krb5_set_send_to_kdc_func(context, NULL, NULL);
452
453	HEIMDAL_MUTEX_destroy(context->mutex);
454	free(context->mutex);
455
456	memset(context, 0, sizeof(*context));
457	free(context);
458	}
459
460	/**
461	* Reinit the context from a new set of filenames.
462	*
463	* @param context context to add configuration too.
464	* @param filenames array of filenames, end of list is indicated with a NULL filename.
465	*
466	* @return Returns 0 to indicate success. Otherwise an kerberos et
467	* error code is returned, see krb5_get_error_message().
468	*
469	* @ingroup krb5
470	*/
471
472	krb5_error_code KRB5_LIB_FUNCTION
473	krb5_set_config_files(krb5_context context, char **filenames)
474	{
475	krb5_error_code ret;
476	krb5_config_binding *tmp = NULL;
477	while(filenames != NULL && filenames != NULL && *filenames != '\0') {
478	ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
479	if(ret != 0 && ret != ENOENT && ret != EACCES) {
480	krb5_config_file_free(context, tmp);
481	return ret;
482	}
483	filenames++;
484	}
485	#if 0
486	/* with this enabled and if there are no config files, Kerberos is
487	considererd disabled */
488	if(tmp == NULL)
489	return ENXIO;
490	#endif
491	krb5_config_file_free(context, context->cf);
492	context->cf = tmp;
493	ret = init_context_from_config_file(context);
494	return ret;
495	}
496
497	static krb5_error_code
498	add_file(char **pfilenames, int len, char *file)
499	{
500	char *pp = pfilenames;
501	int i;
502
503	for(i = 0; i < *len; i++) {
504	if(strcmp(pp[i], file) == 0) {
505	free(file);
506	return 0;
507	}
508	}
509
510	pp = realloc(pfilenames, (len + 2) * sizeof(*pp));
511	if (pp == NULL) {
512	free(file);
513	return ENOMEM;
514	}
515
516	pp[*len] = file;
517	pp[*len + 1] = NULL;
518	*pfilenames = pp;
519	*len += 1;
520	return 0;
521	}
522
523	/*
524	* `pq' isn't free, it's up the the caller
525	*/
526
527	krb5_error_code KRB5_LIB_FUNCTION
528	krb5_prepend_config_files(const char filelist, char pq, char **ret_pp)
529	{
530	krb5_error_code ret;
531	const char p, q;
532	char **pp;
533	int len;
534	char *fn;
535
536	pp = NULL;
537
538	len = 0;
539	p = filelist;
540	while(1) {
541	ssize_t l;
542	q = p;
543	l = strsep_copy(&q, ":", NULL, 0);
544	if(l == -1)
545	break;
546	fn = malloc(l + 1);
547	if(fn == NULL) {
548	krb5_free_config_files(pp);
549	return ENOMEM;
550	}
551	(void)strsep_copy(&p, ":", fn, l + 1);
552	ret = add_file(&pp, &len, fn);
553	if (ret) {
554	krb5_free_config_files(pp);
555	return ret;
556	}
557	}
558
559	if (pq != NULL) {
560	int i;
561
562	for (i = 0; pq[i] != NULL; i++) {
563	fn = strdup(pq[i]);
564	if (fn == NULL) {
565	krb5_free_config_files(pp);
566	return ENOMEM;
567	}
568	ret = add_file(&pp, &len, fn);
569	if (ret) {
570	krb5_free_config_files(pp);
571	return ret;
572	}
573	}
574	}
575
576	*ret_pp = pp;
577	return 0;
578	}
579
580	/**
581	* Prepend the filename to the global configuration list.
582	*
583	* @param filelist a filename to add to the default list of filename
584	* @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
585	*
586	* @return Returns 0 to indicate success. Otherwise an kerberos et
587	* error code is returned, see krb5_get_error_message().
588	*
589	* @ingroup krb5
590	*/
591
592	krb5_error_code KRB5_LIB_FUNCTION
593	krb5_prepend_config_files_default(const char filelist, char **pfilenames)
594	{
595	krb5_error_code ret;
596	char defpp, pp = NULL;
597
598	ret = krb5_get_default_config_files(&defpp);
599	if (ret)
600	return ret;
601
602	ret = krb5_prepend_config_files(filelist, defpp, &pp);
603	krb5_free_config_files(defpp);
604	if (ret) {
605	return ret;
606	}
607	*pfilenames = pp;
608	return 0;
609	}
610
611	/**
612	* Get the global configuration list.
613	*
614	* @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
615	*
616	* @return Returns 0 to indicate success. Otherwise an kerberos et
617	* error code is returned, see krb5_get_error_message().
618	*
619	* @ingroup krb5
620	*/
621
622	krb5_error_code KRB5_LIB_FUNCTION
623	krb5_get_default_config_files(char ***pfilenames)
624	{
625	const char *files = NULL;
626
627	if (pfilenames == NULL)
628	return EINVAL;
629	if(!issuid())
630	files = getenv("KRB5_CONFIG");
631	if (files == NULL)
632	files = krb5_config_file;
633
634	return krb5_prepend_config_files(files, NULL, pfilenames);
635	}
636
637	/**
638	* Free a list of configuration files.
639	*
640	* @param filenames list, terminated with a NULL pointer, to be
641	* freed. NULL is an valid argument.
642	*
643	* @return Returns 0 to indicate success. Otherwise an kerberos et
644	* error code is returned, see krb5_get_error_message().
645	*
646	* @ingroup krb5
647	*/
648
649	void KRB5_LIB_FUNCTION
650	krb5_free_config_files(char **filenames)
651	{
652	char **p;
653	for(p = filenames; p && *p != NULL; p++)
654	free(*p);
655	free(filenames);
656	}
657
658	/**
659	* Returns the list of Kerberos encryption types sorted in order of
660	* most preferred to least preferred encryption type. Note that some
661	* encryption types might be disabled, so you need to check with
662	* krb5_enctype_valid() before using the encryption type.
663	*
664	* @return list of enctypes, terminated with ETYPE_NULL. Its a static
665	* array completed into the Kerberos library so the content doesn't
666	* need to be freed.
667	*
668	* @ingroup krb5
669	*/
670
671	const krb5_enctype * KRB5_LIB_FUNCTION
672	krb5_kerberos_enctypes(krb5_context context)
673	{
674	static const krb5_enctype p[] = {
675	ETYPE_AES256_CTS_HMAC_SHA1_96,
676	ETYPE_AES128_CTS_HMAC_SHA1_96,
677	ETYPE_DES3_CBC_SHA1,
678	ETYPE_DES3_CBC_MD5,
679	ETYPE_ARCFOUR_HMAC_MD5,
680	ETYPE_DES_CBC_MD5,
681	ETYPE_DES_CBC_MD4,
682	ETYPE_DES_CBC_CRC,
683	ETYPE_NULL
684	};
685	return p;
686	}
687
688	/*
689	* set `etype' to a malloced list of the default enctypes
690	*/
691
692	static krb5_error_code
693	default_etypes(krb5_context context, krb5_enctype **etype)
694	{
695	const krb5_enctype *p;
696	krb5_enctype e = NULL, ep;
697	int i, n = 0;
698
699	p = krb5_kerberos_enctypes(context);
700
701	for (i = 0; p[i] != ETYPE_NULL; i++) {
702	if (krb5_enctype_valid(context, p[i]) != 0)
703	continue;
704	ep = realloc(e, (n + 2) * sizeof(*e));
705	if (ep == NULL) {
706	free(e);
707	krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
708	return ENOMEM;
709	}
710	e = ep;
711	e[n] = p[i];
712	e[n + 1] = ETYPE_NULL;
713	n++;
714	}
715	*etype = e;
716	return 0;
717	}
718
719	/**
720	* Set the default encryption types that will be use in communcation
721	* with the KDC, clients and servers.
722	*
723	* @param context Kerberos 5 context.
724	* @param etypes Encryption types, array terminated with ETYPE_NULL (0).
725	*
726	* @return Returns 0 to indicate success. Otherwise an kerberos et
727	* error code is returned, see krb5_get_error_message().
728	*
729	* @ingroup krb5
730	*/
731
732	krb5_error_code KRB5_LIB_FUNCTION
733	krb5_set_default_in_tkt_etypes(krb5_context context,
734	const krb5_enctype *etypes)
735	{
736	krb5_enctype *p = NULL;
737	int i;
738
739	if(etypes) {
740	for (i = 0; etypes[i]; ++i) {
741	krb5_error_code ret;
742	ret = krb5_enctype_valid(context, etypes[i]);
743	if (ret)
744	return ret;
745	}
746	++i;
747	ALLOC(p, i);
748	if(!p) {
749	krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
750	return ENOMEM;
751	}
752	memmove(p, etypes, i * sizeof(krb5_enctype));
753	}
754	if(context->etypes)
755	free(context->etypes);
756	context->etypes = p;
757	return 0;
758	}
759
760	/**
761	* Get the default encryption types that will be use in communcation
762	* with the KDC, clients and servers.
763	*
764	* @param context Kerberos 5 context.
765	* @param etypes Encryption types, array terminated with
766	* ETYPE_NULL(0), caller should free array with krb5_xfree():
767	*
768	* @return Returns 0 to indicate success. Otherwise an kerberos et
769	* error code is returned, see krb5_get_error_message().
770	*
771	* @ingroup krb5
772	*/
773
774	krb5_error_code KRB5_LIB_FUNCTION
775	krb5_get_default_in_tkt_etypes(krb5_context context,
776	krb5_enctype **etypes)
777	{
778	krb5_enctype *p;
779	int i;
780	krb5_error_code ret;
781
782	if(context->etypes) {
783	for(i = 0; context->etypes[i]; i++);
784	++i;
785	ALLOC(p, i);
786	if(!p) {
787	krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
788	return ENOMEM;
789	}
790	memmove(p, context->etypes, i * sizeof(krb5_enctype));
791	} else {
792	ret = default_etypes(context, &p);
793	if (ret)
794	return ret;
795	}
796	*etypes = p;
797	return 0;
798	}
799
800	/**
801	* Return the error string for the error code. The caller must not
802	* free the string.
803	*
804	* @param context Kerberos 5 context.
805	* @param code Kerberos error code.
806	*
807	* @return the error message matching code
808	*
809	* @ingroup krb5
810	*/
811
812	const char* KRB5_LIB_FUNCTION
813	krb5_get_err_text(krb5_context context, krb5_error_code code)
814	{
815	const char *p = NULL;
816	if(context != NULL)
817	p = com_right(context->et_list, code);
818	if(p == NULL)
819	p = strerror(code);
820	if (p == NULL)
821	p = "Unknown error";
822	return p;
823	}
824
825	/**
826	* Init the built-in ets in the Kerberos library.
827	*
828	* @param context kerberos context to add the ets too
829	*
830	* @ingroup krb5
831	*/
832
833	void KRB5_LIB_FUNCTION
834	krb5_init_ets(krb5_context context)
835	{
836	if(context->et_list == NULL){
837	krb5_add_et_list(context, initialize_krb5_error_table_r);
838	bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
839
840	krb5_add_et_list(context, initialize_asn1_error_table_r);
841	bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
842
843	krb5_add_et_list(context, initialize_heim_error_table_r);
844	bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
845
846	krb5_add_et_list(context, initialize_k524_error_table_r);
847	bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
848
849	#ifdef PKINIT
850	krb5_add_et_list(context, initialize_hx_error_table_r);
851	bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
852	#endif
853	}
854	}
855
856	/**
857	* Make the kerberos library default to the admin KDC.
858	*
859	* @param context Kerberos 5 context.
860	* @param flag boolean flag to select if the use the admin KDC or not.
861	*
862	* @ingroup krb5
863	*/
864
865	void KRB5_LIB_FUNCTION
866	krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
867	{
868	context->use_admin_kdc = flag;
869	}
870
871	/**
872	* Make the kerberos library default to the admin KDC.
873	*
874	* @param context Kerberos 5 context.
875	*
876	* @return boolean flag to telling the context will use admin KDC as the default KDC.
877	*
878	* @ingroup krb5
879	*/
880
881	krb5_boolean KRB5_LIB_FUNCTION
882	krb5_get_use_admin_kdc (krb5_context context)
883	{
884	return context->use_admin_kdc;
885	}
886
887	/**
888	* Add extra address to the address list that the library will add to
889	* the client's address list when communicating with the KDC.
890	*
891	* @param context Kerberos 5 context.
892	* @param addresses addreses to add
893	*
894	* @return Returns 0 to indicate success. Otherwise an kerberos et
895	* error code is returned, see krb5_get_error_message().
896	*
897	* @ingroup krb5
898	*/
899
900	krb5_error_code KRB5_LIB_FUNCTION
901	krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
902	{
903
904	if(context->extra_addresses)
905	return krb5_append_addresses(context,
906	context->extra_addresses, addresses);
907	else
908	return krb5_set_extra_addresses(context, addresses);
909	}
910
911	/**
912	* Set extra address to the address list that the library will add to
913	* the client's address list when communicating with the KDC.
914	*
915	* @param context Kerberos 5 context.
916	* @param addresses addreses to set
917	*
918	* @return Returns 0 to indicate success. Otherwise an kerberos et
919	* error code is returned, see krb5_get_error_message().
920	*
921	* @ingroup krb5
922	*/
923
924	krb5_error_code KRB5_LIB_FUNCTION
925	krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
926	{
927	if(context->extra_addresses)
928	krb5_free_addresses(context, context->extra_addresses);
929
930	if(addresses == NULL) {
931	if(context->extra_addresses != NULL) {
932	free(context->extra_addresses);
933	context->extra_addresses = NULL;
934	}
935	return 0;
936	}
937	if(context->extra_addresses == NULL) {
938	context->extra_addresses = malloc(sizeof(*context->extra_addresses));
939	if(context->extra_addresses == NULL) {
940	krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
941	return ENOMEM;
942	}
943	}
944	return krb5_copy_addresses(context, addresses, context->extra_addresses);
945	}
946
947	/**
948	* Get extra address to the address list that the library will add to
949	* the client's address list when communicating with the KDC.
950	*
951	* @param context Kerberos 5 context.
952	* @param addresses addreses to set
953	*
954	* @return Returns 0 to indicate success. Otherwise an kerberos et
955	* error code is returned, see krb5_get_error_message().
956	*
957	* @ingroup krb5
958	*/
959
960	krb5_error_code KRB5_LIB_FUNCTION
961	krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
962	{
963	if(context->extra_addresses == NULL) {
964	memset(addresses, 0, sizeof(*addresses));
965	return 0;
966	}
967	return krb5_copy_addresses(context,context->extra_addresses, addresses);
968	}
969
970	/**
971	* Add extra addresses to ignore when fetching addresses from the
972	* underlaying operating system.
973	*
974	* @param context Kerberos 5 context.
975	* @param addresses addreses to ignore
976	*
977	* @return Returns 0 to indicate success. Otherwise an kerberos et
978	* error code is returned, see krb5_get_error_message().
979	*
980	* @ingroup krb5
981	*/
982
983	krb5_error_code KRB5_LIB_FUNCTION
984	krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
985	{
986
987	if(context->ignore_addresses)
988	return krb5_append_addresses(context,
989	context->ignore_addresses, addresses);
990	else
991	return krb5_set_ignore_addresses(context, addresses);
992	}
993
994	/**
995	* Set extra addresses to ignore when fetching addresses from the
996	* underlaying operating system.
997	*
998	* @param context Kerberos 5 context.
999	* @param addresses addreses to ignore
1000	*
1001	* @return Returns 0 to indicate success. Otherwise an kerberos et
1002	* error code is returned, see krb5_get_error_message().
1003	*
1004	* @ingroup krb5
1005	*/
1006
1007	krb5_error_code KRB5_LIB_FUNCTION
1008	krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
1009	{
1010	if(context->ignore_addresses)
1011	krb5_free_addresses(context, context->ignore_addresses);
1012	if(addresses == NULL) {
1013	if(context->ignore_addresses != NULL) {
1014	free(context->ignore_addresses);
1015	context->ignore_addresses = NULL;
1016	}
1017	return 0;
1018	}
1019	if(context->ignore_addresses == NULL) {
1020	context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
1021	if(context->ignore_addresses == NULL) {
1022	krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
1023	return ENOMEM;
1024	}
1025	}
1026	return krb5_copy_addresses(context, addresses, context->ignore_addresses);
1027	}
1028
1029	/**
1030	* Get extra addresses to ignore when fetching addresses from the
1031	* underlaying operating system.
1032	*
1033	* @param context Kerberos 5 context.
1034	* @param addresses list addreses ignored
1035	*
1036	* @return Returns 0 to indicate success. Otherwise an kerberos et
1037	* error code is returned, see krb5_get_error_message().
1038	*
1039	* @ingroup krb5
1040	*/
1041
1042	krb5_error_code KRB5_LIB_FUNCTION
1043	krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1044	{
1045	if(context->ignore_addresses == NULL) {
1046	memset(addresses, 0, sizeof(*addresses));
1047	return 0;
1048	}
1049	return krb5_copy_addresses(context, context->ignore_addresses, addresses);
1050	}
1051
1052	/**
1053	* Set version of fcache that the library should use.
1054	*
1055	* @param context Kerberos 5 context.
1056	* @param version version number.
1057	*
1058	* @return Returns 0 to indicate success. Otherwise an kerberos et
1059	* error code is returned, see krb5_get_error_message().
1060	*
1061	* @ingroup krb5
1062	*/
1063
1064	krb5_error_code KRB5_LIB_FUNCTION
1065	krb5_set_fcache_version(krb5_context context, int version)
1066	{
1067	context->fcache_vno = version;
1068	return 0;
1069	}
1070
1071	/**
1072	* Get version of fcache that the library should use.
1073	*
1074	* @param context Kerberos 5 context.
1075	* @param version version number.
1076	*
1077	* @return Returns 0 to indicate success. Otherwise an kerberos et
1078	* error code is returned, see krb5_get_error_message().
1079	*
1080	* @ingroup krb5
1081	*/
1082
1083	krb5_error_code KRB5_LIB_FUNCTION
1084	krb5_get_fcache_version(krb5_context context, int *version)
1085	{
1086	*version = context->fcache_vno;
1087	return 0;
1088	}
1089
1090	/**
1091	* Runtime check if the Kerberos library was complied with thread support.
1092	*
1093	* @return TRUE if the library was compiled with thread support, FALSE if not.
1094	*
1095	* @ingroup krb5
1096	*/
1097
1098
1099	krb5_boolean KRB5_LIB_FUNCTION
1100	krb5_is_thread_safe(void)
1101	{
1102	#ifdef ENABLE_PTHREAD_SUPPORT
1103	return TRUE;
1104	#else
1105	return FALSE;
1106	#endif
1107	}
1108
1109	/**
1110	* Set if the library should use DNS to canonicalize hostnames.
1111	*
1112	* @param context Kerberos 5 context.
1113	* @param flag if its dns canonicalizion is used or not.
1114	*
1115	* @ingroup krb5
1116	*/
1117
1118	void KRB5_LIB_FUNCTION
1119	krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
1120	{
1121	if (flag)
1122	context->flags \|= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1123	else
1124	context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1125	}
1126
1127	/**
1128	* Get if the library uses DNS to canonicalize hostnames.
1129	*
1130	* @param context Kerberos 5 context.
1131	*
1132	* @return return non zero if the library uses DNS to canonicalize hostnames.
1133	*
1134	* @ingroup krb5
1135	*/
1136
1137	krb5_boolean KRB5_LIB_FUNCTION
1138	krb5_get_dns_canonicalize_hostname (krb5_context context)
1139	{
1140	return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
1141	}
1142
1143	/**
1144	* Get current offset in time to the KDC.
1145	*
1146	* @param context Kerberos 5 context.
1147	* @param sec seconds part of offset.
1148	* @param usec micro seconds part of offset.
1149	*
1150	* @return returns zero
1151	*
1152	* @ingroup krb5
1153	*/
1154
1155	krb5_error_code KRB5_LIB_FUNCTION
1156	krb5_get_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1157	{
1158	if (sec)
1159	*sec = context->kdc_sec_offset;
1160	if (usec)
1161	*usec = context->kdc_usec_offset;
1162	return 0;
1163	}
1164
1165	/**
1166	* Set current offset in time to the KDC.
1167	*
1168	* @param context Kerberos 5 context.
1169	* @param sec seconds part of offset.
1170	* @param usec micro seconds part of offset.
1171	*
1172	* @return returns zero
1173	*
1174	* @ingroup krb5
1175	*/
1176
1177	krb5_error_code KRB5_LIB_FUNCTION
1178	krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1179	{
1180	context->kdc_sec_offset = sec;
1181	if (usec >= 0)
1182	context->kdc_usec_offset = usec;
1183	return 0;
1184	}
1185
1186	/**
1187	* Get max time skew allowed.
1188	*
1189	* @param context Kerberos 5 context.
1190	*
1191	* @return timeskew in seconds.
1192	*
1193	* @ingroup krb5
1194	*/
1195
1196	time_t KRB5_LIB_FUNCTION
1197	krb5_get_max_time_skew (krb5_context context)
1198	{
1199	return context->max_skew;
1200	}
1201
1202	/**
1203	* Set max time skew allowed.
1204	*
1205	* @param context Kerberos 5 context.
1206	* @param t timeskew in seconds.
1207	*
1208	* @ingroup krb5
1209	*/
1210
1211	void KRB5_LIB_FUNCTION
1212	krb5_set_max_time_skew (krb5_context context, time_t t)
1213	{
1214	context->max_skew = t;
1215	}
1216
1217	/**
1218	* Init encryption types in len, val with etypes.
1219	*
1220	* @param context Kerberos 5 context.
1221	* @param len output length of val.
1222	* @param val output array of enctypes.
1223	* @param etypes etypes to set val and len to, if NULL, use default enctypes.
1224
1225	* @return Returns 0 to indicate success. Otherwise an kerberos et
1226	* error code is returned, see krb5_get_error_message().
1227	*
1228	* @ingroup krb5
1229	*/
1230
1231	krb5_error_code KRB5_LIB_FUNCTION
1232	krb5_init_etype (krb5_context context,
1233	unsigned *len,
1234	krb5_enctype **val,
1235	const krb5_enctype *etypes)
1236	{
1237	unsigned int i;
1238	krb5_error_code ret;
1239	krb5_enctype *tmp = NULL;
1240
1241	ret = 0;
1242	if (etypes == NULL) {
1243	ret = krb5_get_default_in_tkt_etypes(context, &tmp);
1244	if (ret)
1245	return ret;
1246	etypes = tmp;
1247	}
1248
1249	for (i = 0; etypes[i]; ++i)
1250	;
1251	*len = i;
1252	val = malloc(i sizeof(**val));
1253	if (i != 0 && *val == NULL) {
1254	ret = ENOMEM;
1255	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1256	goto cleanup;
1257	}
1258	memmove (*val,
1259	etypes,
1260	i * sizeof(*tmp));
1261	cleanup:
1262	if (tmp != NULL)
1263	free (tmp);
1264	return ret;
1265	}
1266
1267	/*
1268	* Allow homedir accces
1269	*/
1270
1271	static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
1272	static krb5_boolean allow_homedir = TRUE;
1273
1274	krb5_boolean
1275	_krb5_homedir_access(krb5_context context)
1276	{
1277	krb5_boolean allow;
1278
1279	/* is never allowed for root */
1280	if (geteuid() == 0)
1281	return FALSE;
1282
1283	if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
1284	return FALSE;
1285
1286	HEIMDAL_MUTEX_lock(&homedir_mutex);
1287	allow = allow_homedir;
1288	HEIMDAL_MUTEX_unlock(&homedir_mutex);
1289	return allow;
1290	}
1291
1292	/**
1293	* Enable and disable home directory access on either the global state
1294	* or the krb5_context state. By calling krb5_set_home_dir_access()
1295	* with context set to NULL, the global state is configured otherwise
1296	* the state for the krb5_context is modified.
1297	*
1298	* For home directory access to be allowed, both the global state and
1299	* the krb5_context state have to be allowed.
1300	*
1301	* Administrator (root user), never uses the home directory.
1302	*
1303	* @param context a Kerberos 5 context or NULL
1304	* @param allow allow if TRUE home directory
1305	* @return the old value
1306	*
1307	*/
1308
1309	krb5_boolean
1310	krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
1311	{
1312	krb5_boolean old;
1313	if (context) {
1314	old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
1315	if (allow)
1316	context->flags \|= KRB5_CTX_F_HOMEDIR_ACCESS;
1317	else
1318	context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
1319	} else {
1320	HEIMDAL_MUTEX_lock(&homedir_mutex);
1321	old = allow_homedir;
1322	allow_homedir = allow;
1323	HEIMDAL_MUTEX_unlock(&homedir_mutex);
1324	}
1325
1326	return old;
1327	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: