1 /* $NetBSD: context.c,v 1.4 2014/04/24 13:45:34 pettai Exp $ */ 2 3 /* 4 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 21 * 3. Neither the name of the Institute nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 */ 37 38 #include "krb5_locl.h" 39 #include <assert.h> 40 #include <krb5/com_err.h> 41 42 #define INIT_FIELD(C, T, E, D, F) \ 43 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \ 44 "libdefaults", F, NULL) 45 46 #define INIT_FLAG(C, O, V, D, F) \ 47 do { \ 48 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \ 49 (C)->O |= V; \ 50 } \ 51 } while(0) 52 53 /* 54 * Set the list of etypes `ret_etypes' from the configuration variable 55 * `name' 56 */ 57 58 static krb5_error_code 59 set_etypes (krb5_context context, 60 const char *name, 61 krb5_enctype **ret_enctypes) 62 { 63 char **etypes_str; 64 krb5_enctype *etypes = NULL; 65 66 etypes_str = krb5_config_get_strings(context, NULL, "libdefaults", 67 name, NULL); 68 if(etypes_str){ 69 int i, j, k; 70 for(i = 0; etypes_str[i]; i++); 71 etypes = malloc((i+1) * sizeof(*etypes)); 72 if (etypes == NULL) { 73 krb5_config_free_strings (etypes_str); 74 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", "")); 75 return ENOMEM; 76 } 77 for(j = 0, k = 0; j < i; j++) { 78 krb5_enctype e; 79 if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0) 80 continue; 81 if (krb5_enctype_valid(context, e) != 0) 82 continue; 83 etypes[k++] = e; 84 } 85 etypes[k] = ETYPE_NULL; 86 krb5_config_free_strings(etypes_str); 87 } 88 *ret_enctypes = etypes; 89 return 0; 90 } 91 92 /* 93 * read variables from the configuration file and set in `context' 94 */ 95 96 static krb5_error_code 97 init_context_from_config_file(krb5_context context) 98 { 99 krb5_error_code ret; 100 const char * tmp; 101 char **s; 102 krb5_enctype *tmptypes; 103 104 INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew"); 105 INIT_FIELD(context, time, kdc_timeout, 3, "kdc_timeout"); 106 INIT_FIELD(context, int, max_retries, 3, "max_retries"); 107 108 INIT_FIELD(context, string, http_proxy, NULL, "http_proxy"); 109 110 ret = krb5_config_get_bool_default(context, NULL, FALSE, 111 "libdefaults", 112 "allow_weak_crypto", NULL); 113 if (ret) { 114 krb5_enctype_enable(context, ETYPE_DES_CBC_CRC); 115 krb5_enctype_enable(context, ETYPE_DES_CBC_MD4); 116 krb5_enctype_enable(context, ETYPE_DES_CBC_MD5); 117 krb5_enctype_enable(context, ETYPE_DES_CBC_NONE); 118 krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE); 119 krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE); 120 } 121 122 ret = set_etypes (context, "default_etypes", &tmptypes); 123 if(ret) 124 return ret; 125 free(context->etypes); 126 context->etypes = tmptypes; 127 128 ret = set_etypes (context, "default_etypes_des", &tmptypes); 129 if(ret) 130 return ret; 131 free(context->etypes_des); 132 context->etypes_des = tmptypes; 133 134 ret = set_etypes (context, "default_as_etypes", &tmptypes); 135 if(ret) 136 return ret; 137 free(context->as_etypes); 138 context->as_etypes = tmptypes; 139 140 ret = set_etypes (context, "default_tgs_etypes", &tmptypes); 141 if(ret) 142 return ret; 143 free(context->tgs_etypes); 144 context->tgs_etypes = tmptypes; 145 146 ret = set_etypes (context, "permitted_enctypes", &tmptypes); 147 if(ret) 148 return ret; 149 free(context->permitted_enctypes); 150 context->permitted_enctypes = tmptypes; 151 152 /* default keytab name */ 153 tmp = NULL; 154 if(!issuid()) 155 tmp = getenv("KRB5_KTNAME"); 156 if(tmp != NULL) 157 context->default_keytab = tmp; 158 else 159 INIT_FIELD(context, string, default_keytab, 160 KEYTAB_DEFAULT, "default_keytab_name"); 161 162 INIT_FIELD(context, string, default_keytab_modify, 163 NULL, "default_keytab_modify_name"); 164 165 INIT_FIELD(context, string, time_fmt, 166 "%Y-%m-%dT%H:%M:%S", "time_format"); 167 168 INIT_FIELD(context, string, date_fmt, 169 "%Y-%m-%d", "date_format"); 170 171 INIT_FIELD(context, bool, log_utc, 172 FALSE, "log_utc"); 173 174 175 176 /* init dns-proxy slime */ 177 tmp = krb5_config_get_string(context, NULL, "libdefaults", 178 "dns_proxy", NULL); 179 if(tmp) 180 roken_gethostby_setup(context->http_proxy, tmp); 181 krb5_free_host_realm (context, context->default_realms); 182 context->default_realms = NULL; 183 184 { 185 krb5_addresses addresses; 186 char **adr, **a; 187 188 krb5_set_extra_addresses(context, NULL); 189 adr = krb5_config_get_strings(context, NULL, 190 "libdefaults", 191 "extra_addresses", 192 NULL); 193 memset(&addresses, 0, sizeof(addresses)); 194 for(a = adr; a && *a; a++) { 195 ret = krb5_parse_address(context, *a, &addresses); 196 if (ret == 0) { 197 krb5_add_extra_addresses(context, &addresses); 198 krb5_free_addresses(context, &addresses); 199 } 200 } 201 krb5_config_free_strings(adr); 202 203 krb5_set_ignore_addresses(context, NULL); 204 adr = krb5_config_get_strings(context, NULL, 205 "libdefaults", 206 "ignore_addresses", 207 NULL); 208 memset(&addresses, 0, sizeof(addresses)); 209 for(a = adr; a && *a; a++) { 210 ret = krb5_parse_address(context, *a, &addresses); 211 if (ret == 0) { 212 krb5_add_ignore_addresses(context, &addresses); 213 krb5_free_addresses(context, &addresses); 214 } 215 } 216 krb5_config_free_strings(adr); 217 } 218 219 INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces"); 220 INIT_FIELD(context, int, fcache_vno, 0, "fcache_version"); 221 /* prefer dns_lookup_kdc over srv_lookup. */ 222 INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup"); 223 INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc"); 224 INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size"); 225 INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname"); 226 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac"); 227 context->default_cc_name = NULL; 228 context->default_cc_name_set = 0; 229 230 s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL); 231 if(s) { 232 char **p; 233 krb5_initlog(context, "libkrb5", &context->debug_dest); 234 for(p = s; *p; p++) 235 krb5_addlog_dest(context, context->debug_dest, *p); 236 krb5_config_free_strings(s); 237 } 238 239 tmp = krb5_config_get_string(context, NULL, "libdefaults", 240 "check-rd-req-server", NULL); 241 if (tmp == NULL && !issuid()) 242 tmp = getenv("KRB5_CHECK_RD_REQ_SERVER"); 243 if(tmp) { 244 if (strcasecmp(tmp, "ignore") == 0) 245 context->flags |= KRB5_CTX_F_RD_REQ_IGNORE; 246 } 247 248 return 0; 249 } 250 251 static krb5_error_code 252 cc_ops_register(krb5_context context) 253 { 254 context->cc_ops = NULL; 255 context->num_cc_ops = 0; 256 257 #ifndef KCM_IS_API_CACHE 258 krb5_cc_register(context, &krb5_acc_ops, TRUE); 259 #endif 260 krb5_cc_register(context, &krb5_fcc_ops, TRUE); 261 krb5_cc_register(context, &krb5_mcc_ops, TRUE); 262 #ifdef HAVE_SCC 263 krb5_cc_register(context, &krb5_scc_ops, TRUE); 264 #endif 265 #ifdef HAVE_KCM 266 #ifdef KCM_IS_API_CACHE 267 krb5_cc_register(context, &krb5_akcm_ops, TRUE); 268 #endif 269 krb5_cc_register(context, &krb5_kcm_ops, TRUE); 270 #endif 271 _krb5_load_ccache_plugins(context); 272 return 0; 273 } 274 275 static krb5_error_code 276 cc_ops_copy(krb5_context context, const krb5_context src_context) 277 { 278 const krb5_cc_ops **cc_ops; 279 280 context->cc_ops = NULL; 281 context->num_cc_ops = 0; 282 283 if (src_context->num_cc_ops == 0) 284 return 0; 285 286 cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops); 287 if (cc_ops == NULL) { 288 krb5_set_error_message(context, KRB5_CC_NOMEM, 289 N_("malloc: out of memory", "")); 290 return KRB5_CC_NOMEM; 291 } 292 293 memcpy(rk_UNCONST(cc_ops), src_context->cc_ops, 294 sizeof(cc_ops[0]) * src_context->num_cc_ops); 295 context->cc_ops = cc_ops; 296 context->num_cc_ops = src_context->num_cc_ops; 297 298 return 0; 299 } 300 301 static krb5_error_code 302 kt_ops_register(krb5_context context) 303 { 304 context->num_kt_types = 0; 305 context->kt_types = NULL; 306 307 krb5_kt_register (context, &krb5_fkt_ops); 308 krb5_kt_register (context, &krb5_wrfkt_ops); 309 krb5_kt_register (context, &krb5_javakt_ops); 310 krb5_kt_register (context, &krb5_mkt_ops); 311 #ifndef HEIMDAL_SMALLER 312 krb5_kt_register (context, &krb5_akf_ops); 313 #endif 314 krb5_kt_register (context, &krb5_any_ops); 315 return 0; 316 } 317 318 static krb5_error_code 319 kt_ops_copy(krb5_context context, const krb5_context src_context) 320 { 321 context->num_kt_types = 0; 322 context->kt_types = NULL; 323 324 if (src_context->num_kt_types == 0) 325 return 0; 326 327 context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types); 328 if (context->kt_types == NULL) { 329 krb5_set_error_message(context, ENOMEM, 330 N_("malloc: out of memory", "")); 331 return ENOMEM; 332 } 333 334 context->num_kt_types = src_context->num_kt_types; 335 memcpy(context->kt_types, src_context->kt_types, 336 sizeof(context->kt_types[0]) * src_context->num_kt_types); 337 338 return 0; 339 } 340 341 static const char *sysplugin_dirs[] = { 342 LIBDIR "/plugin/krb5", 343 #ifdef __APPLE__ 344 "/Library/KerberosPlugins/KerberosFrameworkPlugins", 345 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins", 346 #endif 347 NULL 348 }; 349 350 static void 351 init_context_once(void *ctx) 352 { 353 krb5_context context = ctx; 354 355 _krb5_load_plugins(context, "krb5", sysplugin_dirs); 356 357 bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR); 358 } 359 360 361 /** 362 * Initializes the context structure and reads the configuration file 363 * /etc/krb5.conf. The structure should be freed by calling 364 * krb5_free_context() when it is no longer being used. 365 * 366 * @param context pointer to returned context 367 * 368 * @return Returns 0 to indicate success. Otherwise an errno code is 369 * returned. Failure means either that something bad happened during 370 * initialization (typically ENOMEM) or that Kerberos should not be 371 * used ENXIO. 372 * 373 * @ingroup krb5 374 */ 375 376 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 377 krb5_init_context(krb5_context *context) 378 { 379 static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT; 380 krb5_context p; 381 krb5_error_code ret; 382 char **files; 383 384 *context = NULL; 385 386 p = calloc(1, sizeof(*p)); 387 if(!p) 388 return ENOMEM; 389 390 p->mutex = malloc(sizeof(HEIMDAL_MUTEX)); 391 if (p->mutex == NULL) { 392 free(p); 393 return ENOMEM; 394 } 395 HEIMDAL_MUTEX_init(p->mutex); 396 397 p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS; 398 399 ret = krb5_get_default_config_files(&files); 400 if(ret) 401 goto out; 402 ret = krb5_set_config_files(p, files); 403 krb5_free_config_files(files); 404 if(ret) 405 goto out; 406 407 /* init error tables */ 408 krb5_init_ets(p); 409 cc_ops_register(p); 410 kt_ops_register(p); 411 412 #ifdef PKINIT 413 ret = hx509_context_init(&p->hx509ctx); 414 if (ret) 415 goto out; 416 #endif 417 if (rk_SOCK_INIT()) 418 p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED; 419 420 out: 421 if(ret) { 422 krb5_free_context(p); 423 p = NULL; 424 } else { 425 heim_base_once_f(&init_context, p, init_context_once); 426 } 427 *context = p; 428 return ret; 429 } 430 431 #ifndef HEIMDAL_SMALLER 432 433 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 434 krb5_get_permitted_enctypes(krb5_context context, 435 krb5_enctype **etypes) 436 { 437 return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes); 438 } 439 440 /* 441 * 442 */ 443 444 static krb5_error_code 445 copy_etypes (krb5_context context, 446 krb5_enctype *enctypes, 447 krb5_enctype **ret_enctypes) 448 { 449 unsigned int i; 450 451 for (i = 0; enctypes[i]; i++) 452 ; 453 i++; 454 455 *ret_enctypes = malloc(sizeof(**ret_enctypes) * i); 456 if (*ret_enctypes == NULL) { 457 krb5_set_error_message(context, ENOMEM, 458 N_("malloc: out of memory", "")); 459 return ENOMEM; 460 } 461 memcpy(*ret_enctypes, enctypes, sizeof(**ret_enctypes) * i); 462 return 0; 463 } 464 465 /** 466 * Make a copy for the Kerberos 5 context, the new krb5_context shoud 467 * be freed with krb5_free_context(). 468 * 469 * @param context the Kerberos context to copy 470 * @param out the copy of the Kerberos, set to NULL error. 471 * 472 * @return Returns 0 to indicate success. Otherwise an kerberos et 473 * error code is returned, see krb5_get_error_message(). 474 * 475 * @ingroup krb5 476 */ 477 478 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 479 krb5_copy_context(krb5_context context, krb5_context *out) 480 { 481 krb5_error_code ret; 482 krb5_context p; 483 484 *out = NULL; 485 486 p = calloc(1, sizeof(*p)); 487 if (p == NULL) { 488 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 489 return ENOMEM; 490 } 491 492 p->mutex = malloc(sizeof(HEIMDAL_MUTEX)); 493 if (p->mutex == NULL) { 494 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 495 free(p); 496 return ENOMEM; 497 } 498 HEIMDAL_MUTEX_init(p->mutex); 499 500 501 if (context->default_cc_name) 502 p->default_cc_name = strdup(context->default_cc_name); 503 if (context->default_cc_name_env) 504 p->default_cc_name_env = strdup(context->default_cc_name_env); 505 506 if (context->etypes) { 507 ret = copy_etypes(context, context->etypes, &p->etypes); 508 if (ret) 509 goto out; 510 } 511 if (context->etypes_des) { 512 ret = copy_etypes(context, context->etypes_des, &p->etypes_des); 513 if (ret) 514 goto out; 515 } 516 517 if (context->default_realms) { 518 ret = krb5_copy_host_realm(context, 519 context->default_realms, &p->default_realms); 520 if (ret) 521 goto out; 522 } 523 524 ret = _krb5_config_copy(context, context->cf, &p->cf); 525 if (ret) 526 goto out; 527 528 /* XXX should copy */ 529 krb5_init_ets(p); 530 531 cc_ops_copy(p, context); 532 kt_ops_copy(p, context); 533 534 #if 0 /* XXX */ 535 if(context->warn_dest != NULL) 536 ; 537 if(context->debug_dest != NULL) 538 ; 539 #endif 540 541 ret = krb5_set_extra_addresses(p, context->extra_addresses); 542 if (ret) 543 goto out; 544 ret = krb5_set_extra_addresses(p, context->ignore_addresses); 545 if (ret) 546 goto out; 547 548 ret = _krb5_copy_send_to_kdc_func(p, context); 549 if (ret) 550 goto out; 551 552 *out = p; 553 554 return 0; 555 556 out: 557 krb5_free_context(p); 558 return ret; 559 } 560 561 #endif 562 563 /** 564 * Frees the krb5_context allocated by krb5_init_context(). 565 * 566 * @param context context to be freed. 567 * 568 * @ingroup krb5 569 */ 570 571 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 572 krb5_free_context(krb5_context context) 573 { 574 if (context->default_cc_name) 575 free(context->default_cc_name); 576 if (context->default_cc_name_env) 577 free(context->default_cc_name_env); 578 free(context->etypes); 579 free(context->etypes_des); 580 krb5_free_host_realm (context, context->default_realms); 581 krb5_config_file_free (context, context->cf); 582 free_error_table (context->et_list); 583 free(rk_UNCONST(context->cc_ops)); 584 free(context->kt_types); 585 krb5_clear_error_message(context); 586 if(context->warn_dest != NULL) 587 krb5_closelog(context, context->warn_dest); 588 if(context->debug_dest != NULL) 589 krb5_closelog(context, context->debug_dest); 590 krb5_set_extra_addresses(context, NULL); 591 krb5_set_ignore_addresses(context, NULL); 592 krb5_set_send_to_kdc_func(context, NULL, NULL); 593 594 #ifdef PKINIT 595 if (context->hx509ctx) 596 hx509_context_free(&context->hx509ctx); 597 #endif 598 599 HEIMDAL_MUTEX_destroy(context->mutex); 600 free(context->mutex); 601 if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) { 602 rk_SOCK_EXIT(); 603 } 604 605 memset(context, 0, sizeof(*context)); 606 free(context); 607 } 608 609 /** 610 * Reinit the context from a new set of filenames. 611 * 612 * @param context context to add configuration too. 613 * @param filenames array of filenames, end of list is indicated with a NULL filename. 614 * 615 * @return Returns 0 to indicate success. Otherwise an kerberos et 616 * error code is returned, see krb5_get_error_message(). 617 * 618 * @ingroup krb5 619 */ 620 621 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 622 krb5_set_config_files(krb5_context context, char **filenames) 623 { 624 krb5_error_code ret; 625 krb5_config_binding *tmp = NULL; 626 while(filenames != NULL && *filenames != NULL && **filenames != '\0') { 627 ret = krb5_config_parse_file_multi(context, *filenames, &tmp); 628 if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) { 629 krb5_config_file_free(context, tmp); 630 return ret; 631 } 632 filenames++; 633 } 634 #if 1 635 /* with this enabled and if there are no config files, Kerberos is 636 considererd disabled */ 637 if(tmp == NULL) 638 return ENXIO; 639 #endif 640 641 #ifdef _WIN32 642 _krb5_load_config_from_registry(context, &tmp); 643 #endif 644 645 krb5_config_file_free(context, context->cf); 646 context->cf = tmp; 647 ret = init_context_from_config_file(context); 648 return ret; 649 } 650 651 static krb5_error_code 652 add_file(char ***pfilenames, int *len, char *file) 653 { 654 char **pp = *pfilenames; 655 int i; 656 657 for(i = 0; i < *len; i++) { 658 if(strcmp(pp[i], file) == 0) { 659 free(file); 660 return 0; 661 } 662 } 663 664 pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp)); 665 if (pp == NULL) { 666 free(file); 667 return ENOMEM; 668 } 669 670 pp[*len] = file; 671 pp[*len + 1] = NULL; 672 *pfilenames = pp; 673 *len += 1; 674 return 0; 675 } 676 677 /* 678 * `pq' isn't free, it's up the the caller 679 */ 680 681 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 682 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp) 683 { 684 krb5_error_code ret; 685 const char *p, *q; 686 char **pp; 687 int len; 688 char *fn; 689 690 pp = NULL; 691 692 len = 0; 693 p = filelist; 694 while(1) { 695 ssize_t l; 696 q = p; 697 l = strsep_copy(&q, PATH_SEP, NULL, 0); 698 if(l == -1) 699 break; 700 fn = malloc(l + 1); 701 if(fn == NULL) { 702 krb5_free_config_files(pp); 703 return ENOMEM; 704 } 705 (void)strsep_copy(&p, PATH_SEP, fn, l + 1); 706 ret = add_file(&pp, &len, fn); 707 if (ret) { 708 krb5_free_config_files(pp); 709 return ret; 710 } 711 } 712 713 if (pq != NULL) { 714 int i; 715 716 for (i = 0; pq[i] != NULL; i++) { 717 fn = strdup(pq[i]); 718 if (fn == NULL) { 719 krb5_free_config_files(pp); 720 return ENOMEM; 721 } 722 ret = add_file(&pp, &len, fn); 723 if (ret) { 724 krb5_free_config_files(pp); 725 return ret; 726 } 727 } 728 } 729 730 *ret_pp = pp; 731 return 0; 732 } 733 734 /** 735 * Prepend the filename to the global configuration list. 736 * 737 * @param filelist a filename to add to the default list of filename 738 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files(). 739 * 740 * @return Returns 0 to indicate success. Otherwise an kerberos et 741 * error code is returned, see krb5_get_error_message(). 742 * 743 * @ingroup krb5 744 */ 745 746 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 747 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames) 748 { 749 krb5_error_code ret; 750 char **defpp, **pp = NULL; 751 752 ret = krb5_get_default_config_files(&defpp); 753 if (ret) 754 return ret; 755 756 ret = krb5_prepend_config_files(filelist, defpp, &pp); 757 krb5_free_config_files(defpp); 758 if (ret) { 759 return ret; 760 } 761 *pfilenames = pp; 762 return 0; 763 } 764 765 #ifdef _WIN32 766 767 /** 768 * Checks the registry for configuration file location 769 * 770 * Kerberos for Windows and other legacy Kerberos applications expect 771 * to find the configuration file location in the 772 * SOFTWARE\MIT\Kerberos registry key under the value "config". 773 */ 774 char * 775 _krb5_get_default_config_config_files_from_registry() 776 { 777 static const char * KeyName = "Software\\MIT\\Kerberos"; 778 char *config_file = NULL; 779 LONG rcode; 780 HKEY key; 781 782 rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key); 783 if (rcode == ERROR_SUCCESS) { 784 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config", 785 REG_NONE, 0, PATH_SEP); 786 RegCloseKey(key); 787 } 788 789 if (config_file) 790 return config_file; 791 792 rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key); 793 if (rcode == ERROR_SUCCESS) { 794 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config", 795 REG_NONE, 0, PATH_SEP); 796 RegCloseKey(key); 797 } 798 799 return config_file; 800 } 801 802 #endif 803 804 /** 805 * Get the global configuration list. 806 * 807 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files(). 808 * 809 * @return Returns 0 to indicate success. Otherwise an kerberos et 810 * error code is returned, see krb5_get_error_message(). 811 * 812 * @ingroup krb5 813 */ 814 815 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 816 krb5_get_default_config_files(char ***pfilenames) 817 { 818 const char *files = NULL; 819 820 if (pfilenames == NULL) 821 return EINVAL; 822 if(!issuid()) 823 files = getenv("KRB5_CONFIG"); 824 825 #ifdef _WIN32 826 if (files == NULL) { 827 char * reg_files; 828 reg_files = _krb5_get_default_config_config_files_from_registry(); 829 if (reg_files != NULL) { 830 krb5_error_code code; 831 832 code = krb5_prepend_config_files(reg_files, NULL, pfilenames); 833 free(reg_files); 834 835 return code; 836 } 837 } 838 #endif 839 840 if (files == NULL) 841 files = krb5_config_file; 842 843 return krb5_prepend_config_files(files, NULL, pfilenames); 844 } 845 846 /** 847 * Free a list of configuration files. 848 * 849 * @param filenames list, terminated with a NULL pointer, to be 850 * freed. NULL is an valid argument. 851 * 852 * @return Returns 0 to indicate success. Otherwise an kerberos et 853 * error code is returned, see krb5_get_error_message(). 854 * 855 * @ingroup krb5 856 */ 857 858 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 859 krb5_free_config_files(char **filenames) 860 { 861 char **p; 862 for(p = filenames; p && *p != NULL; p++) 863 free(*p); 864 free(filenames); 865 } 866 867 /** 868 * Returns the list of Kerberos encryption types sorted in order of 869 * most preferred to least preferred encryption type. Note that some 870 * encryption types might be disabled, so you need to check with 871 * krb5_enctype_valid() before using the encryption type. 872 * 873 * @return list of enctypes, terminated with ETYPE_NULL. Its a static 874 * array completed into the Kerberos library so the content doesn't 875 * need to be freed. 876 * 877 * @ingroup krb5 878 */ 879 880 KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL 881 krb5_kerberos_enctypes(krb5_context context) 882 { 883 static const krb5_enctype p[] = { 884 ETYPE_AES256_CTS_HMAC_SHA1_96, 885 ETYPE_AES128_CTS_HMAC_SHA1_96, 886 ETYPE_DES3_CBC_SHA1, 887 ETYPE_DES3_CBC_MD5, 888 ETYPE_ARCFOUR_HMAC_MD5, 889 ETYPE_DES_CBC_MD5, 890 ETYPE_DES_CBC_MD4, 891 ETYPE_DES_CBC_CRC, 892 ETYPE_NULL 893 }; 894 return p; 895 } 896 897 /* 898 * 899 */ 900 901 static krb5_error_code 902 copy_enctypes(krb5_context context, 903 const krb5_enctype *in, 904 krb5_enctype **out) 905 { 906 krb5_enctype *p = NULL; 907 size_t m, n; 908 909 for (n = 0; in[n]; n++) 910 ; 911 n++; 912 ALLOC(p, n); 913 if(p == NULL) 914 return krb5_enomem(context); 915 for (n = 0, m = 0; in[n]; n++) { 916 if (krb5_enctype_valid(context, in[n]) != 0) 917 continue; 918 p[m++] = in[n]; 919 } 920 p[m] = KRB5_ENCTYPE_NULL; 921 if (m == 0) { 922 free(p); 923 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP, 924 N_("no valid enctype set", "")); 925 return KRB5_PROG_ETYPE_NOSUPP; 926 } 927 *out = p; 928 return 0; 929 } 930 931 932 /* 933 * set `etype' to a malloced list of the default enctypes 934 */ 935 936 static krb5_error_code 937 default_etypes(krb5_context context, krb5_enctype **etype) 938 { 939 const krb5_enctype *p = krb5_kerberos_enctypes(context); 940 return copy_enctypes(context, p, etype); 941 } 942 943 /** 944 * Set the default encryption types that will be use in communcation 945 * with the KDC, clients and servers. 946 * 947 * @param context Kerberos 5 context. 948 * @param etypes Encryption types, array terminated with ETYPE_NULL (0). 949 * 950 * @return Returns 0 to indicate success. Otherwise an kerberos et 951 * error code is returned, see krb5_get_error_message(). 952 * 953 * @ingroup krb5 954 */ 955 956 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 957 krb5_set_default_in_tkt_etypes(krb5_context context, 958 const krb5_enctype *etypes) 959 { 960 krb5_error_code ret; 961 krb5_enctype *p = NULL; 962 963 if(etypes) { 964 ret = copy_enctypes(context, etypes, &p); 965 if (ret) 966 return ret; 967 } 968 if(context->etypes) 969 free(context->etypes); 970 context->etypes = p; 971 return 0; 972 } 973 974 /** 975 * Get the default encryption types that will be use in communcation 976 * with the KDC, clients and servers. 977 * 978 * @param context Kerberos 5 context. 979 * @param etypes Encryption types, array terminated with 980 * ETYPE_NULL(0), caller should free array with krb5_xfree(): 981 * 982 * @return Returns 0 to indicate success. Otherwise an kerberos et 983 * error code is returned, see krb5_get_error_message(). 984 * 985 * @ingroup krb5 986 */ 987 988 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 989 krb5_get_default_in_tkt_etypes(krb5_context context, 990 krb5_pdu pdu_type, 991 krb5_enctype **etypes) 992 { 993 krb5_enctype *enctypes = NULL; 994 krb5_error_code ret; 995 krb5_enctype *p; 996 997 heim_assert(pdu_type == KRB5_PDU_AS_REQUEST || 998 pdu_type == KRB5_PDU_TGS_REQUEST || 999 pdu_type == KRB5_PDU_NONE, "pdu contant not as expected"); 1000 1001 if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL) 1002 enctypes = context->as_etypes; 1003 else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL) 1004 enctypes = context->tgs_etypes; 1005 else if (context->etypes != NULL) 1006 enctypes = context->etypes; 1007 1008 if (enctypes != NULL) { 1009 ret = copy_enctypes(context, enctypes, &p); 1010 if (ret) 1011 return ret; 1012 } else { 1013 ret = default_etypes(context, &p); 1014 if (ret) 1015 return ret; 1016 } 1017 *etypes = p; 1018 return 0; 1019 } 1020 1021 /** 1022 * Init the built-in ets in the Kerberos library. 1023 * 1024 * @param context kerberos context to add the ets too 1025 * 1026 * @ingroup krb5 1027 */ 1028 1029 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 1030 krb5_init_ets(krb5_context context) 1031 { 1032 if(context->et_list == NULL){ 1033 krb5_add_et_list(context, initialize_krb5_error_table_r); 1034 krb5_add_et_list(context, initialize_asn1_error_table_r); 1035 krb5_add_et_list(context, initialize_heim_error_table_r); 1036 1037 krb5_add_et_list(context, initialize_k524_error_table_r); 1038 1039 #ifdef COM_ERR_BINDDOMAIN_krb5 1040 bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR); 1041 bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR); 1042 bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR); 1043 bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR); 1044 #endif 1045 1046 #ifdef PKINIT 1047 krb5_add_et_list(context, initialize_hx_error_table_r); 1048 #ifdef COM_ERR_BINDDOMAIN_hx 1049 bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR); 1050 #endif 1051 #endif 1052 } 1053 } 1054 1055 /** 1056 * Make the kerberos library default to the admin KDC. 1057 * 1058 * @param context Kerberos 5 context. 1059 * @param flag boolean flag to select if the use the admin KDC or not. 1060 * 1061 * @ingroup krb5 1062 */ 1063 1064 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 1065 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag) 1066 { 1067 context->use_admin_kdc = flag; 1068 } 1069 1070 /** 1071 * Make the kerberos library default to the admin KDC. 1072 * 1073 * @param context Kerberos 5 context. 1074 * 1075 * @return boolean flag to telling the context will use admin KDC as the default KDC. 1076 * 1077 * @ingroup krb5 1078 */ 1079 1080 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL 1081 krb5_get_use_admin_kdc (krb5_context context) 1082 { 1083 return context->use_admin_kdc; 1084 } 1085 1086 /** 1087 * Add extra address to the address list that the library will add to 1088 * the client's address list when communicating with the KDC. 1089 * 1090 * @param context Kerberos 5 context. 1091 * @param addresses addreses to add 1092 * 1093 * @return Returns 0 to indicate success. Otherwise an kerberos et 1094 * error code is returned, see krb5_get_error_message(). 1095 * 1096 * @ingroup krb5 1097 */ 1098 1099 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1100 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses) 1101 { 1102 1103 if(context->extra_addresses) 1104 return krb5_append_addresses(context, 1105 context->extra_addresses, addresses); 1106 else 1107 return krb5_set_extra_addresses(context, addresses); 1108 } 1109 1110 /** 1111 * Set extra address to the address list that the library will add to 1112 * the client's address list when communicating with the KDC. 1113 * 1114 * @param context Kerberos 5 context. 1115 * @param addresses addreses to set 1116 * 1117 * @return Returns 0 to indicate success. Otherwise an kerberos et 1118 * error code is returned, see krb5_get_error_message(). 1119 * 1120 * @ingroup krb5 1121 */ 1122 1123 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1124 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses) 1125 { 1126 if(context->extra_addresses) 1127 krb5_free_addresses(context, context->extra_addresses); 1128 1129 if(addresses == NULL) { 1130 if(context->extra_addresses != NULL) { 1131 free(context->extra_addresses); 1132 context->extra_addresses = NULL; 1133 } 1134 return 0; 1135 } 1136 if(context->extra_addresses == NULL) { 1137 context->extra_addresses = malloc(sizeof(*context->extra_addresses)); 1138 if(context->extra_addresses == NULL) { 1139 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", "")); 1140 return ENOMEM; 1141 } 1142 } 1143 return krb5_copy_addresses(context, addresses, context->extra_addresses); 1144 } 1145 1146 /** 1147 * Get extra address to the address list that the library will add to 1148 * the client's address list when communicating with the KDC. 1149 * 1150 * @param context Kerberos 5 context. 1151 * @param addresses addreses to set 1152 * 1153 * @return Returns 0 to indicate success. Otherwise an kerberos et 1154 * error code is returned, see krb5_get_error_message(). 1155 * 1156 * @ingroup krb5 1157 */ 1158 1159 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1160 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses) 1161 { 1162 if(context->extra_addresses == NULL) { 1163 memset(addresses, 0, sizeof(*addresses)); 1164 return 0; 1165 } 1166 return krb5_copy_addresses(context,context->extra_addresses, addresses); 1167 } 1168 1169 /** 1170 * Add extra addresses to ignore when fetching addresses from the 1171 * underlaying operating system. 1172 * 1173 * @param context Kerberos 5 context. 1174 * @param addresses addreses to ignore 1175 * 1176 * @return Returns 0 to indicate success. Otherwise an kerberos et 1177 * error code is returned, see krb5_get_error_message(). 1178 * 1179 * @ingroup krb5 1180 */ 1181 1182 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1183 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses) 1184 { 1185 1186 if(context->ignore_addresses) 1187 return krb5_append_addresses(context, 1188 context->ignore_addresses, addresses); 1189 else 1190 return krb5_set_ignore_addresses(context, addresses); 1191 } 1192 1193 /** 1194 * Set extra addresses to ignore when fetching addresses from the 1195 * underlaying operating system. 1196 * 1197 * @param context Kerberos 5 context. 1198 * @param addresses addreses to ignore 1199 * 1200 * @return Returns 0 to indicate success. Otherwise an kerberos et 1201 * error code is returned, see krb5_get_error_message(). 1202 * 1203 * @ingroup krb5 1204 */ 1205 1206 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1207 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses) 1208 { 1209 if(context->ignore_addresses) 1210 krb5_free_addresses(context, context->ignore_addresses); 1211 if(addresses == NULL) { 1212 if(context->ignore_addresses != NULL) { 1213 free(context->ignore_addresses); 1214 context->ignore_addresses = NULL; 1215 } 1216 return 0; 1217 } 1218 if(context->ignore_addresses == NULL) { 1219 context->ignore_addresses = malloc(sizeof(*context->ignore_addresses)); 1220 if(context->ignore_addresses == NULL) { 1221 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", "")); 1222 return ENOMEM; 1223 } 1224 } 1225 return krb5_copy_addresses(context, addresses, context->ignore_addresses); 1226 } 1227 1228 /** 1229 * Get extra addresses to ignore when fetching addresses from the 1230 * underlaying operating system. 1231 * 1232 * @param context Kerberos 5 context. 1233 * @param addresses list addreses ignored 1234 * 1235 * @return Returns 0 to indicate success. Otherwise an kerberos et 1236 * error code is returned, see krb5_get_error_message(). 1237 * 1238 * @ingroup krb5 1239 */ 1240 1241 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1242 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses) 1243 { 1244 if(context->ignore_addresses == NULL) { 1245 memset(addresses, 0, sizeof(*addresses)); 1246 return 0; 1247 } 1248 return krb5_copy_addresses(context, context->ignore_addresses, addresses); 1249 } 1250 1251 /** 1252 * Set version of fcache that the library should use. 1253 * 1254 * @param context Kerberos 5 context. 1255 * @param version version number. 1256 * 1257 * @return Returns 0 to indicate success. Otherwise an kerberos et 1258 * error code is returned, see krb5_get_error_message(). 1259 * 1260 * @ingroup krb5 1261 */ 1262 1263 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1264 krb5_set_fcache_version(krb5_context context, int version) 1265 { 1266 context->fcache_vno = version; 1267 return 0; 1268 } 1269 1270 /** 1271 * Get version of fcache that the library should use. 1272 * 1273 * @param context Kerberos 5 context. 1274 * @param version version number. 1275 * 1276 * @return Returns 0 to indicate success. Otherwise an kerberos et 1277 * error code is returned, see krb5_get_error_message(). 1278 * 1279 * @ingroup krb5 1280 */ 1281 1282 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1283 krb5_get_fcache_version(krb5_context context, int *version) 1284 { 1285 *version = context->fcache_vno; 1286 return 0; 1287 } 1288 1289 /** 1290 * Runtime check if the Kerberos library was complied with thread support. 1291 * 1292 * @return TRUE if the library was compiled with thread support, FALSE if not. 1293 * 1294 * @ingroup krb5 1295 */ 1296 1297 1298 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL 1299 krb5_is_thread_safe(void) 1300 { 1301 #ifdef ENABLE_PTHREAD_SUPPORT 1302 return TRUE; 1303 #else 1304 return FALSE; 1305 #endif 1306 } 1307 1308 /** 1309 * Set if the library should use DNS to canonicalize hostnames. 1310 * 1311 * @param context Kerberos 5 context. 1312 * @param flag if its dns canonicalizion is used or not. 1313 * 1314 * @ingroup krb5 1315 */ 1316 1317 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 1318 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag) 1319 { 1320 if (flag) 1321 context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME; 1322 else 1323 context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME; 1324 } 1325 1326 /** 1327 * Get if the library uses DNS to canonicalize hostnames. 1328 * 1329 * @param context Kerberos 5 context. 1330 * 1331 * @return return non zero if the library uses DNS to canonicalize hostnames. 1332 * 1333 * @ingroup krb5 1334 */ 1335 1336 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL 1337 krb5_get_dns_canonicalize_hostname (krb5_context context) 1338 { 1339 return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0; 1340 } 1341 1342 /** 1343 * Get current offset in time to the KDC. 1344 * 1345 * @param context Kerberos 5 context. 1346 * @param sec seconds part of offset. 1347 * @param usec micro seconds part of offset. 1348 * 1349 * @return returns zero 1350 * 1351 * @ingroup krb5 1352 */ 1353 1354 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1355 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec) 1356 { 1357 if (sec) 1358 *sec = context->kdc_sec_offset; 1359 if (usec) 1360 *usec = context->kdc_usec_offset; 1361 return 0; 1362 } 1363 1364 /** 1365 * Set current offset in time to the KDC. 1366 * 1367 * @param context Kerberos 5 context. 1368 * @param sec seconds part of offset. 1369 * @param usec micro seconds part of offset. 1370 * 1371 * @return returns zero 1372 * 1373 * @ingroup krb5 1374 */ 1375 1376 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1377 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec) 1378 { 1379 context->kdc_sec_offset = sec; 1380 if (usec >= 0) 1381 context->kdc_usec_offset = usec; 1382 return 0; 1383 } 1384 1385 /** 1386 * Get max time skew allowed. 1387 * 1388 * @param context Kerberos 5 context. 1389 * 1390 * @return timeskew in seconds. 1391 * 1392 * @ingroup krb5 1393 */ 1394 1395 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL 1396 krb5_get_max_time_skew (krb5_context context) 1397 { 1398 return context->max_skew; 1399 } 1400 1401 /** 1402 * Set max time skew allowed. 1403 * 1404 * @param context Kerberos 5 context. 1405 * @param t timeskew in seconds. 1406 * 1407 * @ingroup krb5 1408 */ 1409 1410 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 1411 krb5_set_max_time_skew (krb5_context context, time_t t) 1412 { 1413 context->max_skew = t; 1414 } 1415 1416 /* 1417 * Init encryption types in len, val with etypes. 1418 * 1419 * @param context Kerberos 5 context. 1420 * @param pdu_type type of pdu 1421 * @param len output length of val. 1422 * @param val output array of enctypes. 1423 * @param etypes etypes to set val and len to, if NULL, use default enctypes. 1424 1425 * @return Returns 0 to indicate success. Otherwise an kerberos et 1426 * error code is returned, see krb5_get_error_message(). 1427 * 1428 * @ingroup krb5 1429 */ 1430 1431 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1432 _krb5_init_etype(krb5_context context, 1433 krb5_pdu pdu_type, 1434 unsigned *len, 1435 krb5_enctype **val, 1436 const krb5_enctype *etypes) 1437 { 1438 krb5_error_code ret; 1439 1440 if (etypes == NULL) 1441 ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val); 1442 else 1443 ret = copy_enctypes(context, etypes, val); 1444 if (ret) 1445 return ret; 1446 1447 if (len) { 1448 *len = 0; 1449 while ((*val)[*len] != KRB5_ENCTYPE_NULL) 1450 (*len)++; 1451 } 1452 return 0; 1453 } 1454 1455 /* 1456 * Allow homedir accces 1457 */ 1458 1459 static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER; 1460 static krb5_boolean allow_homedir = TRUE; 1461 1462 krb5_boolean 1463 _krb5_homedir_access(krb5_context context) 1464 { 1465 krb5_boolean allow; 1466 1467 #ifdef HAVE_GETEUID 1468 /* is never allowed for root */ 1469 if (geteuid() == 0) 1470 return FALSE; 1471 #endif 1472 1473 if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0) 1474 return FALSE; 1475 1476 HEIMDAL_MUTEX_lock(&homedir_mutex); 1477 allow = allow_homedir; 1478 HEIMDAL_MUTEX_unlock(&homedir_mutex); 1479 return allow; 1480 } 1481 1482 /** 1483 * Enable and disable home directory access on either the global state 1484 * or the krb5_context state. By calling krb5_set_home_dir_access() 1485 * with context set to NULL, the global state is configured otherwise 1486 * the state for the krb5_context is modified. 1487 * 1488 * For home directory access to be allowed, both the global state and 1489 * the krb5_context state have to be allowed. 1490 * 1491 * Administrator (root user), never uses the home directory. 1492 * 1493 * @param context a Kerberos 5 context or NULL 1494 * @param allow allow if TRUE home directory 1495 * @return the old value 1496 * 1497 * @ingroup krb5 1498 */ 1499 1500 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL 1501 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow) 1502 { 1503 krb5_boolean old; 1504 if (context) { 1505 old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE; 1506 if (allow) 1507 context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS; 1508 else 1509 context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS; 1510 } else { 1511 HEIMDAL_MUTEX_lock(&homedir_mutex); 1512 old = allow_homedir; 1513 allow_homedir = allow; 1514 HEIMDAL_MUTEX_unlock(&homedir_mutex); 1515 } 1516 1517 return old; 1518 } 1519