2 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "krb5_locl.h"
40 static void _krb5_init_ets(krb5_context);
42 #define INIT_FIELD(C, T, E, D, F) \
43 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
44 "libdefaults", F, NULL)
46 #define INIT_FLAG(C, O, V, D, F) \
48 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
53 static krb5_error_code
54 copy_enctypes(krb5_context context,
55 const krb5_enctype *in,
59 * Set the list of etypes `ret_etypes' from the configuration variable
63 static krb5_error_code
64 set_etypes (krb5_context context,
66 krb5_enctype **ret_enctypes)
69 krb5_enctype *etypes = NULL;
71 etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
75 for(i = 0; etypes_str[i]; i++);
76 etypes = malloc((i+1) * sizeof(*etypes));
78 krb5_config_free_strings (etypes_str);
79 return krb5_enomem(context);
81 for(j = 0, k = 0; j < i; j++) {
83 if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
85 if (krb5_enctype_valid(context, e) != 0)
89 etypes[k] = ETYPE_NULL;
90 krb5_config_free_strings(etypes_str);
92 *ret_enctypes = etypes;
97 * read variables from the configuration file and set in `context'
100 static krb5_error_code
101 init_context_from_config_file(krb5_context context)
106 krb5_enctype *tmptypes;
108 INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
109 INIT_FIELD(context, time, kdc_timeout, 30, "kdc_timeout");
110 INIT_FIELD(context, time, host_timeout, 3, "host_timeout");
111 INIT_FIELD(context, int, max_retries, 3, "max_retries");
113 INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
115 ret = krb5_config_get_bool_default(context, NULL, FALSE,
117 "allow_weak_crypto", NULL);
119 krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
120 krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
121 krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
122 krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
123 krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
124 krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
127 ret = set_etypes (context, "default_etypes", &tmptypes);
130 free(context->etypes);
131 context->etypes = tmptypes;
133 /* The etypes member may change during the lifetime
134 * of the context. To be able to reset it to
135 * config value, we keep another copy.
137 free(context->cfg_etypes);
138 context->cfg_etypes = NULL;
140 ret = copy_enctypes(context, tmptypes, &context->cfg_etypes);
145 ret = set_etypes (context, "default_etypes_des", &tmptypes);
148 free(context->etypes_des);
149 context->etypes_des = tmptypes;
151 ret = set_etypes (context, "default_as_etypes", &tmptypes);
154 free(context->as_etypes);
155 context->as_etypes = tmptypes;
157 ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
160 free(context->tgs_etypes);
161 context->tgs_etypes = tmptypes;
163 ret = set_etypes (context, "permitted_enctypes", &tmptypes);
166 free(context->permitted_enctypes);
167 context->permitted_enctypes = tmptypes;
169 INIT_FIELD(context, string, default_keytab,
170 KEYTAB_DEFAULT, "default_keytab_name");
172 INIT_FIELD(context, string, default_keytab_modify,
173 NULL, "default_keytab_modify_name");
175 INIT_FIELD(context, string, time_fmt,
176 "%Y-%m-%dT%H:%M:%S", "time_format");
178 INIT_FIELD(context, string, date_fmt,
179 "%Y-%m-%d", "date_format");
181 INIT_FIELD(context, bool, log_utc,
184 context->no_ticket_store =
185 getenv("KRB5_NO_TICKET_STORE") != NULL;
187 /* init dns-proxy slime */
188 tmp = krb5_config_get_string(context, NULL, "libdefaults",
191 roken_gethostby_setup(context->http_proxy, tmp);
192 krb5_free_host_realm (context, context->default_realms);
193 context->default_realms = NULL;
196 krb5_addresses addresses;
199 krb5_set_extra_addresses(context, NULL);
200 adr = krb5_config_get_strings(context, NULL,
204 memset(&addresses, 0, sizeof(addresses));
205 for(a = adr; a && *a; a++) {
206 ret = krb5_parse_address(context, *a, &addresses);
208 krb5_add_extra_addresses(context, &addresses);
209 krb5_free_addresses(context, &addresses);
212 krb5_config_free_strings(adr);
214 krb5_set_ignore_addresses(context, NULL);
215 adr = krb5_config_get_strings(context, NULL,
219 memset(&addresses, 0, sizeof(addresses));
220 for(a = adr; a && *a; a++) {
221 ret = krb5_parse_address(context, *a, &addresses);
223 krb5_add_ignore_addresses(context, &addresses);
224 krb5_free_addresses(context, &addresses);
227 krb5_config_free_strings(adr);
230 INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
231 INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
232 /* prefer dns_lookup_kdc over srv_lookup. */
233 INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
234 INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
235 INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
236 INIT_FIELD(context, int, max_msg_size, 1000 * 1024, "maximum_message_size");
237 INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
238 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
239 INIT_FLAG(context, flags, KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE, FALSE, "enforce_ok_as_delegate");
241 if (context->default_cc_name)
242 free(context->default_cc_name);
243 context->default_cc_name = NULL;
244 context->default_cc_name_set = 0;
245 context->configured_default_cc_name = NULL;
247 tmp = secure_getenv("KRB5_TRACE");
249 heim_add_debug_dest(context->hcontext, "libkrb5", tmp);
250 s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
255 heim_add_debug_dest(context->hcontext, "libkrb5", *p);
256 krb5_config_free_strings(s);
259 tmp = krb5_config_get_string(context, NULL, "libdefaults",
260 "check-rd-req-server", NULL);
262 tmp = secure_getenv("KRB5_CHECK_RD_REQ_SERVER");
264 if (strcasecmp(tmp, "ignore") == 0)
265 context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
267 ret = krb5_config_get_bool_default(context, NULL, TRUE,
269 "fcache_strict_checking", NULL);
271 context->flags |= KRB5_CTX_F_FCACHE_STRICT_CHECKING;
276 static krb5_error_code
277 cc_ops_register(krb5_context context)
279 context->cc_ops = NULL;
280 context->num_cc_ops = 0;
282 #ifndef KCM_IS_API_CACHE
283 krb5_cc_register(context, &krb5_acc_ops, TRUE);
285 krb5_cc_register(context, &krb5_fcc_ops, TRUE);
286 krb5_cc_register(context, &krb5_dcc_ops, TRUE);
287 krb5_cc_register(context, &krb5_mcc_ops, TRUE);
289 krb5_cc_register(context, &krb5_scc_ops, TRUE);
292 #ifdef KCM_IS_API_CACHE
293 krb5_cc_register(context, &krb5_akcm_ops, TRUE);
295 krb5_cc_register(context, &krb5_kcm_ops, TRUE);
297 #if defined(HAVE_KEYUTILS_H)
298 krb5_cc_register(context, &krb5_krcc_ops, TRUE);
300 _krb5_load_ccache_plugins(context);
304 static krb5_error_code
305 cc_ops_copy(krb5_context context, const krb5_context src_context)
307 const krb5_cc_ops **cc_ops;
309 context->cc_ops = NULL;
310 context->num_cc_ops = 0;
312 if (src_context->num_cc_ops == 0)
315 cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
316 if (cc_ops == NULL) {
317 krb5_set_error_message(context, KRB5_CC_NOMEM,
318 N_("malloc: out of memory", ""));
319 return KRB5_CC_NOMEM;
322 memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
323 sizeof(cc_ops[0]) * src_context->num_cc_ops);
324 context->cc_ops = cc_ops;
325 context->num_cc_ops = src_context->num_cc_ops;
330 static krb5_error_code
331 kt_ops_register(krb5_context context)
333 context->num_kt_types = 0;
334 context->kt_types = NULL;
336 krb5_kt_register (context, &krb5_fkt_ops);
337 krb5_kt_register (context, &krb5_wrfkt_ops);
338 krb5_kt_register (context, &krb5_javakt_ops);
339 krb5_kt_register (context, &krb5_mkt_ops);
340 #ifndef HEIMDAL_SMALLER
341 krb5_kt_register (context, &krb5_akf_ops);
343 krb5_kt_register (context, &krb5_any_ops);
347 static krb5_error_code
348 kt_ops_copy(krb5_context context, const krb5_context src_context)
350 context->num_kt_types = 0;
351 context->kt_types = NULL;
353 if (src_context->num_kt_types == 0)
356 context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
357 if (context->kt_types == NULL)
358 return krb5_enomem(context);
360 context->num_kt_types = src_context->num_kt_types;
361 memcpy(context->kt_types, src_context->kt_types,
362 sizeof(context->kt_types[0]) * src_context->num_kt_types);
367 static const char *sysplugin_dirs[] = {
371 "$ORIGIN/../lib/plugin/krb5",
374 LIBDIR "/plugin/krb5",
375 #ifdef HEIM_PLUGINS_SEARCH_SYSTEM
376 "/Library/KerberosPlugins/KerberosFrameworkPlugins",
377 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
384 init_context_once(void *ctx)
386 krb5_context context = ctx;
390 dirs = rk_UNCONST(sysplugin_dirs);
392 dirs = krb5_config_get_strings(context, NULL, "libdefaults",
395 dirs = rk_UNCONST(sysplugin_dirs);
398 _krb5_load_plugins(context, "krb5", (const char **)dirs);
400 if (dirs != rk_UNCONST(sysplugin_dirs))
401 krb5_config_free_strings(dirs);
403 bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
407 * Initializes the context structure and reads the configuration file
408 * /etc/krb5.conf. The structure should be freed by calling
409 * krb5_free_context() when it is no longer being used.
411 * @param context pointer to returned context
413 * @return Returns 0 to indicate success. Otherwise an errno code is
414 * returned. Failure means either that something bad happened during
415 * initialization (typically ENOMEM) or that Kerberos should not be
416 * used ENXIO. If the function returns HEIM_ERR_RANDOM_OFFLINE, the
417 * random source is not available and later Kerberos calls might fail.
422 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
423 krb5_init_context(krb5_context *context)
425 static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
434 * krb5_init_context() will get one random byte to make sure our
435 * random is alive. Assumption is that once the non blocking
436 * source allows us to pull bytes, its all seeded and allows us to
439 * Most Kerberos users calls krb5_init_context(), so this is
440 * useful point where we can do the checking.
442 ret = krb5_generate_random(&rnd, sizeof(rnd));
446 p = calloc(1, sizeof(*p));
450 if ((p->hcontext = heim_context_init()) == NULL) {
455 p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
457 ret = krb5_get_default_config_files(&files);
460 ret = krb5_set_config_files(p, files);
461 krb5_free_config_files(files);
465 /* done enough to load plugins */
466 heim_base_once_f(&init_context, p, init_context_once);
468 /* init error tables */
474 ret = hx509_context_init(&p->hx509ctx);
479 p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
483 krb5_free_context(p);
486 heim_context_set_log_utc(p->hcontext, p->log_utc);
492 #ifndef HEIMDAL_SMALLER
494 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
495 krb5_get_permitted_enctypes(krb5_context context,
496 krb5_enctype **etypes)
498 return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
505 static krb5_error_code
506 copy_etypes (krb5_context context,
507 krb5_enctype *enctypes,
508 krb5_enctype **ret_enctypes)
512 for (i = 0; enctypes[i]; i++)
516 *ret_enctypes = malloc(sizeof(enctypes[0]) * i);
517 if (*ret_enctypes == NULL)
518 return krb5_enomem(context);
519 memcpy(*ret_enctypes, enctypes, sizeof(enctypes[0]) * i);
524 * Make a copy for the Kerberos 5 context, the new krb5_context shoud
525 * be freed with krb5_free_context().
527 * @param context the Kerberos context to copy
528 * @param out the copy of the Kerberos, set to NULL error.
530 * @return Returns 0 to indicate success. Otherwise an kerberos et
531 * error code is returned, see krb5_get_error_message().
536 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
537 krb5_copy_context(krb5_context context, krb5_context *out)
544 p = calloc(1, sizeof(*p));
546 return krb5_enomem(context);
548 if ((p->hcontext = heim_context_init()) == NULL) {
553 heim_context_set_log_utc(p->hcontext, context->log_utc);
555 if (context->default_cc_name &&
556 (p->default_cc_name = strdup(context->default_cc_name)) == NULL) {
560 if (context->default_cc_name_env &&
561 (p->default_cc_name_env =
562 strdup(context->default_cc_name_env)) == NULL) {
566 if (context->configured_default_cc_name &&
567 (p->configured_default_cc_name =
568 strdup(context->configured_default_cc_name)) == NULL) {
573 if (context->etypes) {
574 ret = copy_etypes(context, context->etypes, &p->etypes);
578 if (context->cfg_etypes) {
579 ret = copy_etypes(context, context->cfg_etypes, &p->cfg_etypes);
583 if (context->etypes_des) {
584 ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
589 if (context->default_realms) {
590 ret = krb5_copy_host_realm(context,
591 context->default_realms, &p->default_realms);
596 ret = _krb5_config_copy(context, context->cf, &p->cf);
600 /* XXX should copy */
603 cc_ops_copy(p, context);
604 kt_ops_copy(p, context);
606 ret = krb5_set_extra_addresses(p, context->extra_addresses);
609 ret = krb5_set_extra_addresses(p, context->ignore_addresses);
613 ret = _krb5_copy_send_to_kdc_func(p, context);
622 krb5_free_context(p);
629 * Frees the krb5_context allocated by krb5_init_context().
631 * @param context context to be freed.
636 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
637 krb5_free_context(krb5_context context)
639 _krb5_free_name_canon_rules(context, context->name_canon_rules);
640 if (context->default_cc_name)
641 free(context->default_cc_name);
642 if (context->default_cc_name_env)
643 free(context->default_cc_name_env);
644 if (context->configured_default_cc_name)
645 free(context->configured_default_cc_name);
646 free(context->etypes);
647 free(context->cfg_etypes);
648 free(context->etypes_des);
649 free(context->permitted_enctypes);
650 free(context->tgs_etypes);
651 free(context->as_etypes);
652 krb5_free_host_realm (context, context->default_realms);
653 krb5_config_file_free (context, context->cf);
654 free(rk_UNCONST(context->cc_ops));
655 free(context->kt_types);
656 krb5_clear_error_message(context);
657 krb5_set_extra_addresses(context, NULL);
658 krb5_set_ignore_addresses(context, NULL);
659 krb5_set_send_to_kdc_func(context, NULL, NULL);
662 if (context->hx509ctx)
663 hx509_context_free(&context->hx509ctx);
666 if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
670 heim_context_free(&context->hcontext);
671 memset(context, 0, sizeof(*context));
676 * Reinit the context from a new set of filenames.
678 * @param context context to add configuration too.
679 * @param filenames array of filenames, end of list is indicated with a NULL filename.
681 * @return Returns 0 to indicate success. Otherwise an kerberos et
682 * error code is returned, see krb5_get_error_message().
687 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
688 krb5_set_config_files(krb5_context context, char **filenames)
691 heim_config_binding *tmp = NULL;
693 if ((ret = heim_set_config_files(context->hcontext, filenames,
696 krb5_config_file_free(context, context->cf);
698 return init_context_from_config_file(context);
701 #ifndef HEIMDAL_SMALLER
703 * Reinit the context from configuration file contents in a C string.
704 * This should only be used in tests.
706 * @param context context to add configuration too.
707 * @param config configuration.
709 * @return Returns 0 to indicate success. Otherwise an kerberos et
710 * error code is returned, see krb5_get_error_message().
715 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
716 krb5_set_config(krb5_context context, const char *config)
719 krb5_config_binding *tmp = NULL;
721 if ((ret = krb5_config_parse_string_multi(context, config, &tmp)))
724 /* with this enabled and if there are no config files, Kerberos is
725 considererd disabled */
730 krb5_config_file_free(context, context->cf);
732 ret = init_context_from_config_file(context);
738 * `pq' isn't free, it's up the the caller
741 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
742 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
744 return heim_prepend_config_files(filelist, pq, ret_pp);
748 * Prepend the filename to the global configuration list.
750 * @param filelist a filename to add to the default list of filename
751 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
753 * @return Returns 0 to indicate success. Otherwise an kerberos et
754 * error code is returned, see krb5_get_error_message().
759 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
760 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
762 return heim_prepend_config_files_default(filelist, krb5_config_file,
763 "KRB5_CONFIG", pfilenames);
767 * Get the global configuration list.
769 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
771 * @return Returns 0 to indicate success. Otherwise an kerberos et
772 * error code is returned, see krb5_get_error_message().
777 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
778 krb5_get_default_config_files(char ***pfilenames)
780 if (pfilenames == NULL)
782 return heim_get_default_config_files(krb5_config_file, "KRB5_CONFIG",
787 * Free a list of configuration files.
789 * @param filenames list, terminated with a NULL pointer, to be
790 * freed. NULL is an valid argument.
792 * @return Returns 0 to indicate success. Otherwise an kerberos et
793 * error code is returned, see krb5_get_error_message().
798 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
799 krb5_free_config_files(char **filenames)
801 heim_free_config_files(filenames);
805 * Returns the list of Kerberos encryption types sorted in order of
806 * most preferred to least preferred encryption type. Note that some
807 * encryption types might be disabled, so you need to check with
808 * krb5_enctype_valid() before using the encryption type.
810 * @return list of enctypes, terminated with ETYPE_NULL. Its a static
811 * array completed into the Kerberos library so the content doesn't
817 KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
818 krb5_kerberos_enctypes(krb5_context context)
820 static const krb5_enctype p[] = {
821 ETYPE_AES256_CTS_HMAC_SHA1_96,
822 ETYPE_AES128_CTS_HMAC_SHA1_96,
823 ETYPE_AES256_CTS_HMAC_SHA384_192,
824 ETYPE_AES128_CTS_HMAC_SHA256_128,
826 ETYPE_ARCFOUR_HMAC_MD5,
830 static const krb5_enctype weak[] = {
831 ETYPE_AES256_CTS_HMAC_SHA1_96,
832 ETYPE_AES128_CTS_HMAC_SHA1_96,
833 ETYPE_AES256_CTS_HMAC_SHA384_192,
834 ETYPE_AES128_CTS_HMAC_SHA256_128,
837 ETYPE_ARCFOUR_HMAC_MD5,
845 * if the list of enctypes enabled by "allow_weak_crypto"
846 * are valid, then return the former default enctype list
847 * that contained the weak entries.
849 if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC) == 0 &&
850 krb5_enctype_valid(context, ETYPE_DES_CBC_MD4) == 0 &&
851 krb5_enctype_valid(context, ETYPE_DES_CBC_MD5) == 0 &&
852 krb5_enctype_valid(context, ETYPE_DES_CBC_NONE) == 0 &&
853 krb5_enctype_valid(context, ETYPE_DES_CFB64_NONE) == 0 &&
854 krb5_enctype_valid(context, ETYPE_DES_PCBC_NONE) == 0)
864 static krb5_error_code
865 copy_enctypes(krb5_context context,
866 const krb5_enctype *in,
869 krb5_enctype *p = NULL;
872 for (n = 0; in[n]; n++)
877 return krb5_enomem(context);
878 for (n = 0, m = 0; in[n]; n++) {
879 if (krb5_enctype_valid(context, in[n]) != 0)
883 p[m] = KRB5_ENCTYPE_NULL;
886 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
887 N_("no valid enctype set", ""));
888 return KRB5_PROG_ETYPE_NOSUPP;
896 * set `etype' to a malloced list of the default enctypes
899 static krb5_error_code
900 default_etypes(krb5_context context, krb5_enctype **etype)
902 const krb5_enctype *p = krb5_kerberos_enctypes(context);
903 return copy_enctypes(context, p, etype);
907 * Set the default encryption types that will be use in communcation
908 * with the KDC, clients and servers.
910 * @param context Kerberos 5 context.
911 * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
912 * A value of NULL resets the encryption types to the defaults set in the
913 * configuration file.
915 * @return Returns 0 to indicate success. Otherwise an kerberos et
916 * error code is returned, see krb5_get_error_message().
921 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
922 krb5_set_default_in_tkt_etypes(krb5_context context,
923 const krb5_enctype *etypes)
926 krb5_enctype *p = NULL;
929 etypes = context->cfg_etypes;
933 ret = copy_enctypes(context, etypes, &p);
938 free(context->etypes);
944 * Get the default encryption types that will be use in communcation
945 * with the KDC, clients and servers.
947 * @param context Kerberos 5 context.
948 * @param pdu_type request type (AS, TGS or none)
949 * @param etypes Encryption types, array terminated with
950 * ETYPE_NULL(0), caller should free array with krb5_xfree():
952 * @return Returns 0 to indicate success. Otherwise an kerberos et
953 * error code is returned, see krb5_get_error_message().
958 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
959 krb5_get_default_in_tkt_etypes(krb5_context context,
961 krb5_enctype **etypes)
963 krb5_enctype *enctypes = NULL;
967 heim_assert(pdu_type == KRB5_PDU_AS_REQUEST ||
968 pdu_type == KRB5_PDU_TGS_REQUEST ||
969 pdu_type == KRB5_PDU_NONE, "unexpected pdu type");
971 if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
972 enctypes = context->as_etypes;
973 else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
974 enctypes = context->tgs_etypes;
975 else if (context->etypes != NULL)
976 enctypes = context->etypes;
978 if (enctypes != NULL) {
979 ret = copy_enctypes(context, enctypes, &p);
983 ret = default_etypes(context, &p);
992 * Init the built-in ets in the Kerberos library.
994 * @param context kerberos context to add the ets too
999 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1000 krb5_init_ets(krb5_context context)
1005 _krb5_init_ets(krb5_context context)
1007 heim_add_et_list(context->hcontext, initialize_krb5_error_table_r);
1008 heim_add_et_list(context->hcontext, initialize_asn1_error_table_r);
1009 heim_add_et_list(context->hcontext, initialize_heim_error_table_r);
1011 heim_add_et_list(context->hcontext, initialize_k524_error_table_r);
1012 heim_add_et_list(context->hcontext, initialize_k5e1_error_table_r);
1014 #ifdef COM_ERR_BINDDOMAIN_krb5
1015 bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
1016 bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
1017 bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
1018 bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
1022 heim_add_et_list(context->hcontext, initialize_hx_error_table_r);
1023 #ifdef COM_ERR_BINDDOMAIN_hx
1024 bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
1030 * Make the kerberos library default to the admin KDC.
1032 * @param context Kerberos 5 context.
1033 * @param flag boolean flag to select if the use the admin KDC or not.
1038 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1039 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
1041 context->use_admin_kdc = flag;
1045 * Make the kerberos library default to the admin KDC.
1047 * @param context Kerberos 5 context.
1049 * @return boolean flag to telling the context will use admin KDC as the default KDC.
1054 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1055 krb5_get_use_admin_kdc (krb5_context context)
1057 return context->use_admin_kdc;
1061 * Add extra address to the address list that the library will add to
1062 * the client's address list when communicating with the KDC.
1064 * @param context Kerberos 5 context.
1065 * @param addresses addreses to add
1067 * @return Returns 0 to indicate success. Otherwise an kerberos et
1068 * error code is returned, see krb5_get_error_message().
1073 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1074 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
1077 if(context->extra_addresses)
1078 return krb5_append_addresses(context,
1079 context->extra_addresses, addresses);
1081 return krb5_set_extra_addresses(context, addresses);
1085 * Set extra address to the address list that the library will add to
1086 * the client's address list when communicating with the KDC.
1088 * @param context Kerberos 5 context.
1089 * @param addresses addreses to set
1091 * @return Returns 0 to indicate success. Otherwise an kerberos et
1092 * error code is returned, see krb5_get_error_message().
1097 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1098 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
1100 if(context->extra_addresses)
1101 krb5_free_addresses(context, context->extra_addresses);
1103 if(addresses == NULL) {
1104 if(context->extra_addresses != NULL) {
1105 free(context->extra_addresses);
1106 context->extra_addresses = NULL;
1110 if(context->extra_addresses == NULL) {
1111 context->extra_addresses = malloc(sizeof(*context->extra_addresses));
1112 if (context->extra_addresses == NULL)
1113 return krb5_enomem(context);
1115 return krb5_copy_addresses(context, addresses, context->extra_addresses);
1119 * Get extra address to the address list that the library will add to
1120 * the client's address list when communicating with the KDC.
1122 * @param context Kerberos 5 context.
1123 * @param addresses addreses to set
1125 * @return Returns 0 to indicate success. Otherwise an kerberos et
1126 * error code is returned, see krb5_get_error_message().
1131 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1132 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
1134 if(context->extra_addresses == NULL) {
1135 memset(addresses, 0, sizeof(*addresses));
1138 return krb5_copy_addresses(context,context->extra_addresses, addresses);
1142 * Add extra addresses to ignore when fetching addresses from the
1143 * underlaying operating system.
1145 * @param context Kerberos 5 context.
1146 * @param addresses addreses to ignore
1148 * @return Returns 0 to indicate success. Otherwise an kerberos et
1149 * error code is returned, see krb5_get_error_message().
1154 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1155 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1158 if(context->ignore_addresses)
1159 return krb5_append_addresses(context,
1160 context->ignore_addresses, addresses);
1162 return krb5_set_ignore_addresses(context, addresses);
1166 * Set extra addresses to ignore when fetching addresses from the
1167 * underlaying operating system.
1169 * @param context Kerberos 5 context.
1170 * @param addresses addreses to ignore
1172 * @return Returns 0 to indicate success. Otherwise an kerberos et
1173 * error code is returned, see krb5_get_error_message().
1178 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1179 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
1181 if(context->ignore_addresses)
1182 krb5_free_addresses(context, context->ignore_addresses);
1183 if(addresses == NULL) {
1184 if(context->ignore_addresses != NULL) {
1185 free(context->ignore_addresses);
1186 context->ignore_addresses = NULL;
1190 if(context->ignore_addresses == NULL) {
1191 context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
1192 if (context->ignore_addresses == NULL)
1193 return krb5_enomem(context);
1195 return krb5_copy_addresses(context, addresses, context->ignore_addresses);
1199 * Get extra addresses to ignore when fetching addresses from the
1200 * underlaying operating system.
1202 * @param context Kerberos 5 context.
1203 * @param addresses list addreses ignored
1205 * @return Returns 0 to indicate success. Otherwise an kerberos et
1206 * error code is returned, see krb5_get_error_message().
1211 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1212 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1214 if(context->ignore_addresses == NULL) {
1215 memset(addresses, 0, sizeof(*addresses));
1218 return krb5_copy_addresses(context, context->ignore_addresses, addresses);
1222 * Set version of fcache that the library should use.
1224 * @param context Kerberos 5 context.
1225 * @param version version number.
1227 * @return Returns 0 to indicate success. Otherwise an kerberos et
1228 * error code is returned, see krb5_get_error_message().
1233 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1234 krb5_set_fcache_version(krb5_context context, int version)
1236 context->fcache_vno = version;
1241 * Get version of fcache that the library should use.
1243 * @param context Kerberos 5 context.
1244 * @param version version number.
1246 * @return Returns 0 to indicate success. Otherwise an kerberos et
1247 * error code is returned, see krb5_get_error_message().
1252 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1253 krb5_get_fcache_version(krb5_context context, int *version)
1255 *version = context->fcache_vno;
1260 * Runtime check if the Kerberos library was complied with thread support.
1262 * @return TRUE if the library was compiled with thread support, FALSE if not.
1268 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1269 krb5_is_thread_safe(void)
1271 #ifdef ENABLE_PTHREAD_SUPPORT
1279 * Set if the library should use DNS to canonicalize hostnames.
1281 * @param context Kerberos 5 context.
1282 * @param flag if its dns canonicalizion is used or not.
1287 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1288 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
1291 context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1293 context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1297 * Get if the library uses DNS to canonicalize hostnames.
1299 * @param context Kerberos 5 context.
1301 * @return return non zero if the library uses DNS to canonicalize hostnames.
1306 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1307 krb5_get_dns_canonicalize_hostname (krb5_context context)
1309 return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
1313 * Get current offset in time to the KDC.
1315 * @param context Kerberos 5 context.
1316 * @param sec seconds part of offset.
1317 * @param usec micro seconds part of offset.
1319 * @return returns zero
1324 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1325 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
1328 *sec = context->kdc_sec_offset;
1330 *usec = context->kdc_usec_offset;
1335 * Set current offset in time to the KDC.
1337 * @param context Kerberos 5 context.
1338 * @param sec seconds part of offset.
1339 * @param usec micro seconds part of offset.
1341 * @return returns zero
1346 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1347 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1349 context->kdc_sec_offset = sec;
1351 context->kdc_usec_offset = usec;
1356 * Get max time skew allowed.
1358 * @param context Kerberos 5 context.
1360 * @return timeskew in seconds.
1365 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
1366 krb5_get_max_time_skew (krb5_context context)
1368 return context->max_skew;
1372 * Set max time skew allowed.
1374 * @param context Kerberos 5 context.
1375 * @param t timeskew in seconds.
1380 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1381 krb5_set_max_time_skew (krb5_context context, time_t t)
1383 context->max_skew = t;
1387 * Init encryption types in len, val with etypes.
1389 * @param context Kerberos 5 context.
1390 * @param pdu_type type of pdu
1391 * @param len output length of val.
1392 * @param val output array of enctypes.
1393 * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1395 * @return Returns 0 to indicate success. Otherwise an kerberos et
1396 * error code is returned, see krb5_get_error_message().
1401 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1402 _krb5_init_etype(krb5_context context,
1406 const krb5_enctype *etypes)
1408 krb5_error_code ret;
1411 ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
1413 ret = copy_enctypes(context, etypes, val);
1419 while ((*val)[*len] != KRB5_ENCTYPE_NULL)
1426 * Allow homedir access
1429 static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
1430 static krb5_boolean allow_homedir = TRUE;
1432 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1433 _krb5_homedir_access(krb5_context context)
1437 if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
1440 HEIMDAL_MUTEX_lock(&homedir_mutex);
1441 allow = allow_homedir;
1442 HEIMDAL_MUTEX_unlock(&homedir_mutex);
1447 * Enable and disable home directory access on either the global state
1448 * or the krb5_context state. By calling krb5_set_home_dir_access()
1449 * with context set to NULL, the global state is configured otherwise
1450 * the state for the krb5_context is modified.
1452 * For home directory access to be allowed, both the global state and
1453 * the krb5_context state have to be allowed.
1455 * @param context a Kerberos 5 context or NULL
1456 * @param allow allow if TRUE home directory
1457 * @return the old value
1462 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1463 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
1468 old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
1470 context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
1472 context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
1473 heim_context_set_homedir_access(context->hcontext, allow ? 1 : 0);
1475 HEIMDAL_MUTEX_lock(&homedir_mutex);
1476 old = allow_homedir;
1477 allow_homedir = allow;
1478 HEIMDAL_MUTEX_unlock(&homedir_mutex);
git.samba.org / metze / heimdal / wip.git / blob