1 /* 2 * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include "krb5_locl.h" 37 #include <assert.h> 38 #include <com_err.h> 39 40 #define INIT_FIELD(C, T, E, D, F) \ 41 (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \ 42 "libdefaults", F, NULL) 43 44 #define INIT_FLAG(C, O, V, D, F) \ 45 do { \ 46 if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \ 47 (C)->O |= V; \ 48 } \ 49 } while(0) 50 51 /* 52 * Set the list of etypes `ret_etypes' from the configuration variable 53 * `name' 54 */ 55 56 static krb5_error_code 57 set_etypes (krb5_context context, 58 const char *name, 59 krb5_enctype **ret_enctypes) 60 { 61 char **etypes_str; 62 krb5_enctype *etypes = NULL; 63 64 etypes_str = krb5_config_get_strings(context, NULL, "libdefaults", 65 name, NULL); 66 if(etypes_str){ 67 int i, j, k; 68 for(i = 0; etypes_str[i]; i++); 69 etypes = malloc((i+1) * sizeof(*etypes)); 70 if (etypes == NULL) { 71 krb5_config_free_strings (etypes_str); 72 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", "")); 73 return ENOMEM; 74 } 75 for(j = 0, k = 0; j < i; j++) { 76 krb5_enctype e; 77 if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0) 78 continue; 79 if (krb5_enctype_valid(context, e) != 0) 80 continue; 81 etypes[k++] = e; 82 } 83 etypes[k] = ETYPE_NULL; 84 krb5_config_free_strings(etypes_str); 85 } 86 *ret_enctypes = etypes; 87 return 0; 88 } 89 90 /* 91 * read variables from the configuration file and set in `context' 92 */ 93 94 static krb5_error_code 95 init_context_from_config_file(krb5_context context) 96 { 97 krb5_error_code ret; 98 const char * tmp; 99 char **s; 100 krb5_enctype *tmptypes = NULL; 101 102 INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew"); 103 INIT_FIELD(context, time, kdc_timeout, 3, "kdc_timeout"); 104 INIT_FIELD(context, int, max_retries, 3, "max_retries"); 105 106 INIT_FIELD(context, string, http_proxy, NULL, "http_proxy"); 107 108 ret = krb5_config_get_bool_default(context, NULL, FALSE, 109 "libdefaults", 110 "allow_weak_crypto", NULL); 111 if (ret) { 112 krb5_enctype_enable(context, ETYPE_DES_CBC_CRC); 113 krb5_enctype_enable(context, ETYPE_DES_CBC_MD4); 114 krb5_enctype_enable(context, ETYPE_DES_CBC_MD5); 115 krb5_enctype_enable(context, ETYPE_DES_CBC_NONE); 116 krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE); 117 krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE); 118 } 119 120 ret = set_etypes (context, "default_etypes", &tmptypes); 121 if(ret) 122 return ret; 123 free(context->etypes); 124 context->etypes = tmptypes; 125 126 ret = set_etypes (context, "default_etypes_des", &tmptypes); 127 if(ret) 128 return ret; 129 free(context->etypes_des); 130 context->etypes_des = tmptypes; 131 132 ret = set_etypes (context, "default_as_etypes", &tmptypes); 133 if(ret) 134 return ret; 135 free(context->as_etypes); 136 context->as_etypes = tmptypes; 137 138 ret = set_etypes (context, "default_tgs_etypes", &tmptypes); 139 if(ret) 140 return ret; 141 free(context->tgs_etypes); 142 context->tgs_etypes = tmptypes; 143 144 ret = set_etypes (context, "permitted_enctypes", &tmptypes); 145 if(ret) 146 return ret; 147 free(context->permitted_enctypes); 148 context->permitted_enctypes = tmptypes; 149 150 /* default keytab name */ 151 tmp = NULL; 152 if(!issuid()) 153 tmp = getenv("KRB5_KTNAME"); 154 if(tmp != NULL) 155 context->default_keytab = tmp; 156 else 157 INIT_FIELD(context, string, default_keytab, 158 KEYTAB_DEFAULT, "default_keytab_name"); 159 160 INIT_FIELD(context, string, default_keytab_modify, 161 NULL, "default_keytab_modify_name"); 162 163 INIT_FIELD(context, string, time_fmt, 164 "%Y-%m-%dT%H:%M:%S", "time_format"); 165 166 INIT_FIELD(context, string, date_fmt, 167 "%Y-%m-%d", "date_format"); 168 169 INIT_FIELD(context, bool, log_utc, 170 FALSE, "log_utc"); 171 172 173 174 /* init dns-proxy slime */ 175 tmp = krb5_config_get_string(context, NULL, "libdefaults", 176 "dns_proxy", NULL); 177 if(tmp) 178 roken_gethostby_setup(context->http_proxy, tmp); 179 krb5_free_host_realm (context, context->default_realms); 180 context->default_realms = NULL; 181 182 { 183 krb5_addresses addresses; 184 char **adr, **a; 185 186 krb5_set_extra_addresses(context, NULL); 187 adr = krb5_config_get_strings(context, NULL, 188 "libdefaults", 189 "extra_addresses", 190 NULL); 191 memset(&addresses, 0, sizeof(addresses)); 192 for(a = adr; a && *a; a++) { 193 ret = krb5_parse_address(context, *a, &addresses); 194 if (ret == 0) { 195 krb5_add_extra_addresses(context, &addresses); 196 krb5_free_addresses(context, &addresses); 197 } 198 } 199 krb5_config_free_strings(adr); 200 201 krb5_set_ignore_addresses(context, NULL); 202 adr = krb5_config_get_strings(context, NULL, 203 "libdefaults", 204 "ignore_addresses", 205 NULL); 206 memset(&addresses, 0, sizeof(addresses)); 207 for(a = adr; a && *a; a++) { 208 ret = krb5_parse_address(context, *a, &addresses); 209 if (ret == 0) { 210 krb5_add_ignore_addresses(context, &addresses); 211 krb5_free_addresses(context, &addresses); 212 } 213 } 214 krb5_config_free_strings(adr); 215 } 216 217 INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces"); 218 INIT_FIELD(context, int, fcache_vno, 0, "fcache_version"); 219 /* prefer dns_lookup_kdc over srv_lookup. */ 220 INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup"); 221 INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc"); 222 INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size"); 223 INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname"); 224 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac"); 225 context->default_cc_name = NULL; 226 context->default_cc_name_set = 0; 227 228 s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL); 229 if(s) { 230 char **p; 231 krb5_initlog(context, "libkrb5", &context->debug_dest); 232 for(p = s; *p; p++) 233 krb5_addlog_dest(context, context->debug_dest, *p); 234 krb5_config_free_strings(s); 235 } 236 237 tmp = krb5_config_get_string(context, NULL, "libdefaults", 238 "check-rd-req-server", NULL); 239 if (tmp == NULL && !issuid()) 240 tmp = getenv("KRB5_CHECK_RD_REQ_SERVER"); 241 if(tmp) { 242 if (strcasecmp(tmp, "ignore") == 0) 243 context->flags |= KRB5_CTX_F_RD_REQ_IGNORE; 244 } 245 246 return 0; 247 } 248 249 static krb5_error_code 250 cc_ops_register(krb5_context context) 251 { 252 context->cc_ops = NULL; 253 context->num_cc_ops = 0; 254 255 #ifndef KCM_IS_API_CACHE 256 krb5_cc_register(context, &krb5_acc_ops, TRUE); 257 #endif 258 krb5_cc_register(context, &krb5_fcc_ops, TRUE); 259 krb5_cc_register(context, &krb5_mcc_ops, TRUE); 260 #ifdef HAVE_SCC 261 krb5_cc_register(context, &krb5_scc_ops, TRUE); 262 #endif 263 #ifdef HAVE_KCM 264 #ifdef KCM_IS_API_CACHE 265 krb5_cc_register(context, &krb5_akcm_ops, TRUE); 266 #endif 267 krb5_cc_register(context, &krb5_kcm_ops, TRUE); 268 #endif 269 _krb5_load_ccache_plugins(context); 270 return 0; 271 } 272 273 static krb5_error_code 274 cc_ops_copy(krb5_context context, const krb5_context src_context) 275 { 276 const krb5_cc_ops **cc_ops; 277 278 context->cc_ops = NULL; 279 context->num_cc_ops = 0; 280 281 if (src_context->num_cc_ops == 0) 282 return 0; 283 284 cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops); 285 if (cc_ops == NULL) { 286 krb5_set_error_message(context, KRB5_CC_NOMEM, 287 N_("malloc: out of memory", "")); 288 return KRB5_CC_NOMEM; 289 } 290 291 memcpy(rk_UNCONST(cc_ops), src_context->cc_ops, 292 sizeof(cc_ops[0]) * src_context->num_cc_ops); 293 context->cc_ops = cc_ops; 294 context->num_cc_ops = src_context->num_cc_ops; 295 296 return 0; 297 } 298 299 static krb5_error_code 300 kt_ops_register(krb5_context context) 301 { 302 context->num_kt_types = 0; 303 context->kt_types = NULL; 304 305 krb5_kt_register (context, &krb5_fkt_ops); 306 krb5_kt_register (context, &krb5_wrfkt_ops); 307 krb5_kt_register (context, &krb5_javakt_ops); 308 krb5_kt_register (context, &krb5_mkt_ops); 309 #ifndef HEIMDAL_SMALLER 310 krb5_kt_register (context, &krb5_akf_ops); 311 #endif 312 krb5_kt_register (context, &krb5_any_ops); 313 return 0; 314 } 315 316 static krb5_error_code 317 kt_ops_copy(krb5_context context, const krb5_context src_context) 318 { 319 context->num_kt_types = 0; 320 context->kt_types = NULL; 321 322 if (src_context->num_kt_types == 0) 323 return 0; 324 325 context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types); 326 if (context->kt_types == NULL) { 327 krb5_set_error_message(context, ENOMEM, 328 N_("malloc: out of memory", "")); 329 return ENOMEM; 330 } 331 332 context->num_kt_types = src_context->num_kt_types; 333 memcpy(context->kt_types, src_context->kt_types, 334 sizeof(context->kt_types[0]) * src_context->num_kt_types); 335 336 return 0; 337 } 338 339 static const char *sysplugin_dirs[] = { 340 LIBDIR "/plugin/krb5", 341 #ifdef __APPLE__ 342 "/Library/KerberosPlugins/KerberosFrameworkPlugins", 343 "/System/Library/KerberosPlugins/KerberosFrameworkPlugins", 344 #endif 345 NULL 346 }; 347 348 static void 349 init_context_once(void *ctx) 350 { 351 krb5_context context = ctx; 352 353 _krb5_load_plugins(context, "krb5", sysplugin_dirs); 354 355 bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR); 356 } 357 358 359 /** 360 * Initializes the context structure and reads the configuration file 361 * /etc/krb5.conf. The structure should be freed by calling 362 * krb5_free_context() when it is no longer being used. 363 * 364 * @param context pointer to returned context 365 * 366 * @return Returns 0 to indicate success. Otherwise an errno code is 367 * returned. Failure means either that something bad happened during 368 * initialization (typically ENOMEM) or that Kerberos should not be 369 * used ENXIO. 370 * 371 * @ingroup krb5 372 */ 373 374 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 375 krb5_init_context(krb5_context *context) 376 { 377 static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT; 378 krb5_context p; 379 krb5_error_code ret; 380 char **files; 381 382 *context = NULL; 383 384 p = calloc(1, sizeof(*p)); 385 if(!p) 386 return ENOMEM; 387 388 p->mutex = malloc(sizeof(HEIMDAL_MUTEX)); 389 if (p->mutex == NULL) { 390 free(p); 391 return ENOMEM; 392 } 393 HEIMDAL_MUTEX_init(p->mutex); 394 395 p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS; 396 397 ret = krb5_get_default_config_files(&files); 398 if(ret) 399 goto out; 400 ret = krb5_set_config_files(p, files); 401 krb5_free_config_files(files); 402 if(ret) 403 goto out; 404 405 /* init error tables */ 406 krb5_init_ets(p); 407 cc_ops_register(p); 408 kt_ops_register(p); 409 410 #ifdef PKINIT 411 ret = hx509_context_init(&p->hx509ctx); 412 if (ret) 413 goto out; 414 #endif 415 if (rk_SOCK_INIT()) 416 p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED; 417 418 out: 419 if(ret) { 420 krb5_free_context(p); 421 p = NULL; 422 } else { 423 heim_base_once_f(&init_context, p, init_context_once); 424 } 425 *context = p; 426 return ret; 427 } 428 429 #ifndef HEIMDAL_SMALLER 430 431 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 432 krb5_get_permitted_enctypes(krb5_context context, 433 krb5_enctype **etypes) 434 { 435 return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes); 436 } 437 438 /* 439 * 440 */ 441 442 static krb5_error_code 443 copy_etypes (krb5_context context, 444 krb5_enctype *enctypes, 445 krb5_enctype **ret_enctypes) 446 { 447 unsigned int i; 448 449 for (i = 0; enctypes[i]; i++) 450 ; 451 i++; 452 453 *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i); 454 if (*ret_enctypes == NULL) { 455 krb5_set_error_message(context, ENOMEM, 456 N_("malloc: out of memory", "")); 457 return ENOMEM; 458 } 459 memcpy(*ret_enctypes, enctypes, sizeof(ret_enctypes[0]) * i); 460 return 0; 461 } 462 463 /** 464 * Make a copy for the Kerberos 5 context, the new krb5_context shoud 465 * be freed with krb5_free_context(). 466 * 467 * @param context the Kerberos context to copy 468 * @param out the copy of the Kerberos, set to NULL error. 469 * 470 * @return Returns 0 to indicate success. Otherwise an kerberos et 471 * error code is returned, see krb5_get_error_message(). 472 * 473 * @ingroup krb5 474 */ 475 476 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 477 krb5_copy_context(krb5_context context, krb5_context *out) 478 { 479 krb5_error_code ret; 480 krb5_context p; 481 482 *out = NULL; 483 484 p = calloc(1, sizeof(*p)); 485 if (p == NULL) { 486 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 487 return ENOMEM; 488 } 489 490 p->mutex = malloc(sizeof(HEIMDAL_MUTEX)); 491 if (p->mutex == NULL) { 492 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); 493 free(p); 494 return ENOMEM; 495 } 496 HEIMDAL_MUTEX_init(p->mutex); 497 498 499 if (context->default_cc_name) 500 p->default_cc_name = strdup(context->default_cc_name); 501 if (context->default_cc_name_env) 502 p->default_cc_name_env = strdup(context->default_cc_name_env); 503 504 if (context->etypes) { 505 ret = copy_etypes(context, context->etypes, &p->etypes); 506 if (ret) 507 goto out; 508 } 509 if (context->etypes_des) { 510 ret = copy_etypes(context, context->etypes_des, &p->etypes_des); 511 if (ret) 512 goto out; 513 } 514 515 if (context->default_realms) { 516 ret = krb5_copy_host_realm(context, 517 context->default_realms, &p->default_realms); 518 if (ret) 519 goto out; 520 } 521 522 ret = _krb5_config_copy(context, context->cf, &p->cf); 523 if (ret) 524 goto out; 525 526 /* XXX should copy */ 527 krb5_init_ets(p); 528 529 cc_ops_copy(p, context); 530 kt_ops_copy(p, context); 531 532 #if 0 /* XXX */ 533 if(context->warn_dest != NULL) 534 ; 535 if(context->debug_dest != NULL) 536 ; 537 #endif 538 539 ret = krb5_set_extra_addresses(p, context->extra_addresses); 540 if (ret) 541 goto out; 542 ret = krb5_set_extra_addresses(p, context->ignore_addresses); 543 if (ret) 544 goto out; 545 546 ret = _krb5_copy_send_to_kdc_func(p, context); 547 if (ret) 548 goto out; 549 550 *out = p; 551 552 return 0; 553 554 out: 555 krb5_free_context(p); 556 return ret; 557 } 558 559 #endif 560 561 /** 562 * Frees the krb5_context allocated by krb5_init_context(). 563 * 564 * @param context context to be freed. 565 * 566 * @ingroup krb5 567 */ 568 569 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 570 krb5_free_context(krb5_context context) 571 { 572 if (context->default_cc_name) 573 free(context->default_cc_name); 574 if (context->default_cc_name_env) 575 free(context->default_cc_name_env); 576 free(context->etypes); 577 free(context->etypes_des); 578 krb5_free_host_realm (context, context->default_realms); 579 krb5_config_file_free (context, context->cf); 580 free_error_table (context->et_list); 581 free(rk_UNCONST(context->cc_ops)); 582 free(context->kt_types); 583 krb5_clear_error_message(context); 584 if(context->warn_dest != NULL) 585 krb5_closelog(context, context->warn_dest); 586 if(context->debug_dest != NULL) 587 krb5_closelog(context, context->debug_dest); 588 krb5_set_extra_addresses(context, NULL); 589 krb5_set_ignore_addresses(context, NULL); 590 krb5_set_send_to_kdc_func(context, NULL, NULL); 591 592 #ifdef PKINIT 593 if (context->hx509ctx) 594 hx509_context_free(&context->hx509ctx); 595 #endif 596 597 HEIMDAL_MUTEX_destroy(context->mutex); 598 free(context->mutex); 599 if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) { 600 rk_SOCK_EXIT(); 601 } 602 603 memset(context, 0, sizeof(*context)); 604 free(context); 605 } 606 607 /** 608 * Reinit the context from a new set of filenames. 609 * 610 * @param context context to add configuration too. 611 * @param filenames array of filenames, end of list is indicated with a NULL filename. 612 * 613 * @return Returns 0 to indicate success. Otherwise an kerberos et 614 * error code is returned, see krb5_get_error_message(). 615 * 616 * @ingroup krb5 617 */ 618 619 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 620 krb5_set_config_files(krb5_context context, char **filenames) 621 { 622 krb5_error_code ret; 623 krb5_config_binding *tmp = NULL; 624 while(filenames != NULL && *filenames != NULL && **filenames != '\0') { 625 ret = krb5_config_parse_file_multi(context, *filenames, &tmp); 626 if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) { 627 krb5_config_file_free(context, tmp); 628 return ret; 629 } 630 filenames++; 631 } 632 #if 0 633 /* with this enabled and if there are no config files, Kerberos is 634 considererd disabled */ 635 if(tmp == NULL) 636 return ENXIO; 637 #endif 638 639 #ifdef _WIN32 640 _krb5_load_config_from_registry(context, &tmp); 641 #endif 642 643 krb5_config_file_free(context, context->cf); 644 context->cf = tmp; 645 ret = init_context_from_config_file(context); 646 return ret; 647 } 648 649 static krb5_error_code 650 add_file(char ***pfilenames, int *len, char *file) 651 { 652 char **pp = *pfilenames; 653 int i; 654 655 for(i = 0; i < *len; i++) { 656 if(strcmp(pp[i], file) == 0) { 657 free(file); 658 return 0; 659 } 660 } 661 662 pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp)); 663 if (pp == NULL) { 664 free(file); 665 return ENOMEM; 666 } 667 668 pp[*len] = file; 669 pp[*len + 1] = NULL; 670 *pfilenames = pp; 671 *len += 1; 672 return 0; 673 } 674 675 /* 676 * `pq' isn't free, it's up the the caller 677 */ 678 679 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 680 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp) 681 { 682 krb5_error_code ret; 683 const char *p, *q; 684 char **pp; 685 int len; 686 char *fn; 687 688 pp = NULL; 689 690 len = 0; 691 p = filelist; 692 while(1) { 693 ssize_t l; 694 q = p; 695 l = strsep_copy(&q, PATH_SEP, NULL, 0); 696 if(l == -1) 697 break; 698 fn = malloc(l + 1); 699 if(fn == NULL) { 700 krb5_free_config_files(pp); 701 return ENOMEM; 702 } 703 (void)strsep_copy(&p, PATH_SEP, fn, l + 1); 704 ret = add_file(&pp, &len, fn); 705 if (ret) { 706 krb5_free_config_files(pp); 707 return ret; 708 } 709 } 710 711 if (pq != NULL) { 712 int i; 713 714 for (i = 0; pq[i] != NULL; i++) { 715 fn = strdup(pq[i]); 716 if (fn == NULL) { 717 krb5_free_config_files(pp); 718 return ENOMEM; 719 } 720 ret = add_file(&pp, &len, fn); 721 if (ret) { 722 krb5_free_config_files(pp); 723 return ret; 724 } 725 } 726 } 727 728 *ret_pp = pp; 729 return 0; 730 } 731 732 /** 733 * Prepend the filename to the global configuration list. 734 * 735 * @param filelist a filename to add to the default list of filename 736 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files(). 737 * 738 * @return Returns 0 to indicate success. Otherwise an kerberos et 739 * error code is returned, see krb5_get_error_message(). 740 * 741 * @ingroup krb5 742 */ 743 744 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 745 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames) 746 { 747 krb5_error_code ret; 748 char **defpp, **pp = NULL; 749 750 ret = krb5_get_default_config_files(&defpp); 751 if (ret) 752 return ret; 753 754 ret = krb5_prepend_config_files(filelist, defpp, &pp); 755 krb5_free_config_files(defpp); 756 if (ret) { 757 return ret; 758 } 759 *pfilenames = pp; 760 return 0; 761 } 762 763 #ifdef _WIN32 764 765 /** 766 * Checks the registry for configuration file location 767 * 768 * Kerberos for Windows and other legacy Kerberos applications expect 769 * to find the configuration file location in the 770 * SOFTWARE\MIT\Kerberos registry key under the value "config". 771 */ 772 char * 773 _krb5_get_default_config_config_files_from_registry() 774 { 775 static const char * KeyName = "Software\\MIT\\Kerberos"; 776 char *config_file = NULL; 777 LONG rcode; 778 HKEY key; 779 780 rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key); 781 if (rcode == ERROR_SUCCESS) { 782 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config", 783 REG_NONE, 0, PATH_SEP); 784 RegCloseKey(key); 785 } 786 787 if (config_file) 788 return config_file; 789 790 rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key); 791 if (rcode == ERROR_SUCCESS) { 792 config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config", 793 REG_NONE, 0, PATH_SEP); 794 RegCloseKey(key); 795 } 796 797 return config_file; 798 } 799 800 #endif 801 802 /** 803 * Get the global configuration list. 804 * 805 * @param pfilenames return array of filenames, should be freed with krb5_free_config_files(). 806 * 807 * @return Returns 0 to indicate success. Otherwise an kerberos et 808 * error code is returned, see krb5_get_error_message(). 809 * 810 * @ingroup krb5 811 */ 812 813 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 814 krb5_get_default_config_files(char ***pfilenames) 815 { 816 const char *files = NULL; 817 818 if (pfilenames == NULL) 819 return EINVAL; 820 if(!issuid()) 821 files = getenv("KRB5_CONFIG"); 822 823 #ifdef _WIN32 824 if (files == NULL) { 825 char * reg_files; 826 reg_files = _krb5_get_default_config_config_files_from_registry(); 827 if (reg_files != NULL) { 828 krb5_error_code code; 829 830 code = krb5_prepend_config_files(reg_files, NULL, pfilenames); 831 free(reg_files); 832 833 return code; 834 } 835 } 836 #endif 837 838 if (files == NULL) 839 files = krb5_config_file; 840 841 return krb5_prepend_config_files(files, NULL, pfilenames); 842 } 843 844 /** 845 * Free a list of configuration files. 846 * 847 * @param filenames list, terminated with a NULL pointer, to be 848 * freed. NULL is an valid argument. 849 * 850 * @return Returns 0 to indicate success. Otherwise an kerberos et 851 * error code is returned, see krb5_get_error_message(). 852 * 853 * @ingroup krb5 854 */ 855 856 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 857 krb5_free_config_files(char **filenames) 858 { 859 char **p; 860 for(p = filenames; p && *p != NULL; p++) 861 free(*p); 862 free(filenames); 863 } 864 865 /** 866 * Returns the list of Kerberos encryption types sorted in order of 867 * most preferred to least preferred encryption type. Note that some 868 * encryption types might be disabled, so you need to check with 869 * krb5_enctype_valid() before using the encryption type. 870 * 871 * @return list of enctypes, terminated with ETYPE_NULL. Its a static 872 * array completed into the Kerberos library so the content doesn't 873 * need to be freed. 874 * 875 * @ingroup krb5 876 */ 877 878 KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL 879 krb5_kerberos_enctypes(krb5_context context) 880 { 881 static const krb5_enctype p[] = { 882 ETYPE_AES256_CTS_HMAC_SHA1_96, 883 ETYPE_AES128_CTS_HMAC_SHA1_96, 884 ETYPE_DES3_CBC_SHA1, 885 ETYPE_DES3_CBC_MD5, 886 ETYPE_ARCFOUR_HMAC_MD5, 887 ETYPE_DES_CBC_MD5, 888 ETYPE_DES_CBC_MD4, 889 ETYPE_DES_CBC_CRC, 890 ETYPE_NULL 891 }; 892 return p; 893 } 894 895 /* 896 * 897 */ 898 899 static krb5_error_code 900 copy_enctypes(krb5_context context, 901 const krb5_enctype *in, 902 krb5_enctype **out) 903 { 904 krb5_enctype *p = NULL; 905 size_t m, n; 906 907 for (n = 0; in[n]; n++) 908 ; 909 n++; 910 ALLOC(p, n); 911 if(p == NULL) 912 return krb5_enomem(context); 913 for (n = 0, m = 0; in[n]; n++) { 914 if (krb5_enctype_valid(context, in[n]) != 0) 915 continue; 916 p[m++] = in[n]; 917 } 918 p[m] = KRB5_ENCTYPE_NULL; 919 if (m == 0) { 920 free(p); 921 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP, 922 N_("no valid enctype set", "")); 923 return KRB5_PROG_ETYPE_NOSUPP; 924 } 925 *out = p; 926 return 0; 927 } 928 929 930 /* 931 * set `etype' to a malloced list of the default enctypes 932 */ 933 934 static krb5_error_code 935 default_etypes(krb5_context context, krb5_enctype **etype) 936 { 937 const krb5_enctype *p = krb5_kerberos_enctypes(context); 938 return copy_enctypes(context, p, etype); 939 } 940 941 /** 942 * Set the default encryption types that will be use in communcation 943 * with the KDC, clients and servers. 944 * 945 * @param context Kerberos 5 context. 946 * @param etypes Encryption types, array terminated with ETYPE_NULL (0). 947 * 948 * @return Returns 0 to indicate success. Otherwise an kerberos et 949 * error code is returned, see krb5_get_error_message(). 950 * 951 * @ingroup krb5 952 */ 953 954 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 955 krb5_set_default_in_tkt_etypes(krb5_context context, 956 const krb5_enctype *etypes) 957 { 958 krb5_error_code ret; 959 krb5_enctype *p = NULL; 960 961 if(etypes) { 962 ret = copy_enctypes(context, etypes, &p); 963 if (ret) 964 return ret; 965 } 966 if(context->etypes) 967 free(context->etypes); 968 context->etypes = p; 969 return 0; 970 } 971 972 /** 973 * Get the default encryption types that will be use in communcation 974 * with the KDC, clients and servers. 975 * 976 * @param context Kerberos 5 context. 977 * @param etypes Encryption types, array terminated with 978 * ETYPE_NULL(0), caller should free array with krb5_xfree(): 979 * 980 * @return Returns 0 to indicate success. Otherwise an kerberos et 981 * error code is returned, see krb5_get_error_message(). 982 * 983 * @ingroup krb5 984 */ 985 986 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 987 krb5_get_default_in_tkt_etypes(krb5_context context, 988 krb5_pdu pdu_type, 989 krb5_enctype **etypes) 990 { 991 krb5_enctype *enctypes = NULL; 992 krb5_error_code ret; 993 krb5_enctype *p; 994 995 heim_assert(pdu_type == KRB5_PDU_AS_REQUEST || 996 pdu_type == KRB5_PDU_TGS_REQUEST || 997 pdu_type == KRB5_PDU_NONE, "pdu contant not as expected"); 998 999 if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL) 1000 enctypes = context->as_etypes; 1001 else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL) 1002 enctypes = context->tgs_etypes; 1003 else if (context->etypes != NULL) 1004 enctypes = context->etypes; 1005 1006 if (enctypes != NULL) { 1007 ret = copy_enctypes(context, enctypes, &p); 1008 if (ret) 1009 return ret; 1010 } else { 1011 ret = default_etypes(context, &p); 1012 if (ret) 1013 return ret; 1014 } 1015 *etypes = p; 1016 return 0; 1017 } 1018 1019 /** 1020 * Init the built-in ets in the Kerberos library. 1021 * 1022 * @param context kerberos context to add the ets too 1023 * 1024 * @ingroup krb5 1025 */ 1026 1027 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 1028 krb5_init_ets(krb5_context context) 1029 { 1030 if(context->et_list == NULL){ 1031 krb5_add_et_list(context, initialize_krb5_error_table_r); 1032 krb5_add_et_list(context, initialize_asn1_error_table_r); 1033 krb5_add_et_list(context, initialize_heim_error_table_r); 1034 1035 krb5_add_et_list(context, initialize_k524_error_table_r); 1036 1037 #ifdef COM_ERR_BINDDOMAIN_krb5 1038 bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR); 1039 bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR); 1040 bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR); 1041 bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR); 1042 #endif 1043 1044 #ifdef PKINIT 1045 krb5_add_et_list(context, initialize_hx_error_table_r); 1046 #ifdef COM_ERR_BINDDOMAIN_hx 1047 bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR); 1048 #endif 1049 #endif 1050 } 1051 } 1052 1053 /** 1054 * Make the kerberos library default to the admin KDC. 1055 * 1056 * @param context Kerberos 5 context. 1057 * @param flag boolean flag to select if the use the admin KDC or not. 1058 * 1059 * @ingroup krb5 1060 */ 1061 1062 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 1063 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag) 1064 { 1065 context->use_admin_kdc = flag; 1066 } 1067 1068 /** 1069 * Make the kerberos library default to the admin KDC. 1070 * 1071 * @param context Kerberos 5 context. 1072 * 1073 * @return boolean flag to telling the context will use admin KDC as the default KDC. 1074 * 1075 * @ingroup krb5 1076 */ 1077 1078 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL 1079 krb5_get_use_admin_kdc (krb5_context context) 1080 { 1081 return context->use_admin_kdc; 1082 } 1083 1084 /** 1085 * Add extra address to the address list that the library will add to 1086 * the client's address list when communicating with the KDC. 1087 * 1088 * @param context Kerberos 5 context. 1089 * @param addresses addreses to add 1090 * 1091 * @return Returns 0 to indicate success. Otherwise an kerberos et 1092 * error code is returned, see krb5_get_error_message(). 1093 * 1094 * @ingroup krb5 1095 */ 1096 1097 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1098 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses) 1099 { 1100 1101 if(context->extra_addresses) 1102 return krb5_append_addresses(context, 1103 context->extra_addresses, addresses); 1104 else 1105 return krb5_set_extra_addresses(context, addresses); 1106 } 1107 1108 /** 1109 * Set extra address to the address list that the library will add to 1110 * the client's address list when communicating with the KDC. 1111 * 1112 * @param context Kerberos 5 context. 1113 * @param addresses addreses to set 1114 * 1115 * @return Returns 0 to indicate success. Otherwise an kerberos et 1116 * error code is returned, see krb5_get_error_message(). 1117 * 1118 * @ingroup krb5 1119 */ 1120 1121 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1122 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses) 1123 { 1124 if(context->extra_addresses) 1125 krb5_free_addresses(context, context->extra_addresses); 1126 1127 if(addresses == NULL) { 1128 if(context->extra_addresses != NULL) { 1129 free(context->extra_addresses); 1130 context->extra_addresses = NULL; 1131 } 1132 return 0; 1133 } 1134 if(context->extra_addresses == NULL) { 1135 context->extra_addresses = malloc(sizeof(*context->extra_addresses)); 1136 if(context->extra_addresses == NULL) { 1137 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", "")); 1138 return ENOMEM; 1139 } 1140 } 1141 return krb5_copy_addresses(context, addresses, context->extra_addresses); 1142 } 1143 1144 /** 1145 * Get extra address to the address list that the library will add to 1146 * the client's address list when communicating with the KDC. 1147 * 1148 * @param context Kerberos 5 context. 1149 * @param addresses addreses to set 1150 * 1151 * @return Returns 0 to indicate success. Otherwise an kerberos et 1152 * error code is returned, see krb5_get_error_message(). 1153 * 1154 * @ingroup krb5 1155 */ 1156 1157 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1158 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses) 1159 { 1160 if(context->extra_addresses == NULL) { 1161 memset(addresses, 0, sizeof(*addresses)); 1162 return 0; 1163 } 1164 return krb5_copy_addresses(context,context->extra_addresses, addresses); 1165 } 1166 1167 /** 1168 * Add extra addresses to ignore when fetching addresses from the 1169 * underlaying operating system. 1170 * 1171 * @param context Kerberos 5 context. 1172 * @param addresses addreses to ignore 1173 * 1174 * @return Returns 0 to indicate success. Otherwise an kerberos et 1175 * error code is returned, see krb5_get_error_message(). 1176 * 1177 * @ingroup krb5 1178 */ 1179 1180 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1181 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses) 1182 { 1183 1184 if(context->ignore_addresses) 1185 return krb5_append_addresses(context, 1186 context->ignore_addresses, addresses); 1187 else 1188 return krb5_set_ignore_addresses(context, addresses); 1189 } 1190 1191 /** 1192 * Set extra addresses to ignore when fetching addresses from the 1193 * underlaying operating system. 1194 * 1195 * @param context Kerberos 5 context. 1196 * @param addresses addreses to ignore 1197 * 1198 * @return Returns 0 to indicate success. Otherwise an kerberos et 1199 * error code is returned, see krb5_get_error_message(). 1200 * 1201 * @ingroup krb5 1202 */ 1203 1204 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1205 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses) 1206 { 1207 if(context->ignore_addresses) 1208 krb5_free_addresses(context, context->ignore_addresses); 1209 if(addresses == NULL) { 1210 if(context->ignore_addresses != NULL) { 1211 free(context->ignore_addresses); 1212 context->ignore_addresses = NULL; 1213 } 1214 return 0; 1215 } 1216 if(context->ignore_addresses == NULL) { 1217 context->ignore_addresses = malloc(sizeof(*context->ignore_addresses)); 1218 if(context->ignore_addresses == NULL) { 1219 krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", "")); 1220 return ENOMEM; 1221 } 1222 } 1223 return krb5_copy_addresses(context, addresses, context->ignore_addresses); 1224 } 1225 1226 /** 1227 * Get extra addresses to ignore when fetching addresses from the 1228 * underlaying operating system. 1229 * 1230 * @param context Kerberos 5 context. 1231 * @param addresses list addreses ignored 1232 * 1233 * @return Returns 0 to indicate success. Otherwise an kerberos et 1234 * error code is returned, see krb5_get_error_message(). 1235 * 1236 * @ingroup krb5 1237 */ 1238 1239 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1240 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses) 1241 { 1242 if(context->ignore_addresses == NULL) { 1243 memset(addresses, 0, sizeof(*addresses)); 1244 return 0; 1245 } 1246 return krb5_copy_addresses(context, context->ignore_addresses, addresses); 1247 } 1248 1249 /** 1250 * Set version of fcache that the library should use. 1251 * 1252 * @param context Kerberos 5 context. 1253 * @param version version number. 1254 * 1255 * @return Returns 0 to indicate success. Otherwise an kerberos et 1256 * error code is returned, see krb5_get_error_message(). 1257 * 1258 * @ingroup krb5 1259 */ 1260 1261 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1262 krb5_set_fcache_version(krb5_context context, int version) 1263 { 1264 context->fcache_vno = version; 1265 return 0; 1266 } 1267 1268 /** 1269 * Get version of fcache that the library should use. 1270 * 1271 * @param context Kerberos 5 context. 1272 * @param version version number. 1273 * 1274 * @return Returns 0 to indicate success. Otherwise an kerberos et 1275 * error code is returned, see krb5_get_error_message(). 1276 * 1277 * @ingroup krb5 1278 */ 1279 1280 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1281 krb5_get_fcache_version(krb5_context context, int *version) 1282 { 1283 *version = context->fcache_vno; 1284 return 0; 1285 } 1286 1287 /** 1288 * Runtime check if the Kerberos library was complied with thread support. 1289 * 1290 * @return TRUE if the library was compiled with thread support, FALSE if not. 1291 * 1292 * @ingroup krb5 1293 */ 1294 1295 1296 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL 1297 krb5_is_thread_safe(void) 1298 { 1299 #ifdef ENABLE_PTHREAD_SUPPORT 1300 return TRUE; 1301 #else 1302 return FALSE; 1303 #endif 1304 } 1305 1306 /** 1307 * Set if the library should use DNS to canonicalize hostnames. 1308 * 1309 * @param context Kerberos 5 context. 1310 * @param flag if its dns canonicalizion is used or not. 1311 * 1312 * @ingroup krb5 1313 */ 1314 1315 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 1316 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag) 1317 { 1318 if (flag) 1319 context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME; 1320 else 1321 context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME; 1322 } 1323 1324 /** 1325 * Get if the library uses DNS to canonicalize hostnames. 1326 * 1327 * @param context Kerberos 5 context. 1328 * 1329 * @return return non zero if the library uses DNS to canonicalize hostnames. 1330 * 1331 * @ingroup krb5 1332 */ 1333 1334 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL 1335 krb5_get_dns_canonicalize_hostname (krb5_context context) 1336 { 1337 return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0; 1338 } 1339 1340 /** 1341 * Get current offset in time to the KDC. 1342 * 1343 * @param context Kerberos 5 context. 1344 * @param sec seconds part of offset. 1345 * @param usec micro seconds part of offset. 1346 * 1347 * @return returns zero 1348 * 1349 * @ingroup krb5 1350 */ 1351 1352 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1353 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec) 1354 { 1355 if (sec) 1356 *sec = context->kdc_sec_offset; 1357 if (usec) 1358 *usec = context->kdc_usec_offset; 1359 return 0; 1360 } 1361 1362 /** 1363 * Set current offset in time to the KDC. 1364 * 1365 * @param context Kerberos 5 context. 1366 * @param sec seconds part of offset. 1367 * @param usec micro seconds part of offset. 1368 * 1369 * @return returns zero 1370 * 1371 * @ingroup krb5 1372 */ 1373 1374 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1375 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec) 1376 { 1377 context->kdc_sec_offset = sec; 1378 if (usec >= 0) 1379 context->kdc_usec_offset = usec; 1380 return 0; 1381 } 1382 1383 /** 1384 * Get max time skew allowed. 1385 * 1386 * @param context Kerberos 5 context. 1387 * 1388 * @return timeskew in seconds. 1389 * 1390 * @ingroup krb5 1391 */ 1392 1393 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL 1394 krb5_get_max_time_skew (krb5_context context) 1395 { 1396 return context->max_skew; 1397 } 1398 1399 /** 1400 * Set max time skew allowed. 1401 * 1402 * @param context Kerberos 5 context. 1403 * @param t timeskew in seconds. 1404 * 1405 * @ingroup krb5 1406 */ 1407 1408 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 1409 krb5_set_max_time_skew (krb5_context context, time_t t) 1410 { 1411 context->max_skew = t; 1412 } 1413 1414 /* 1415 * Init encryption types in len, val with etypes. 1416 * 1417 * @param context Kerberos 5 context. 1418 * @param pdu_type type of pdu 1419 * @param len output length of val. 1420 * @param val output array of enctypes. 1421 * @param etypes etypes to set val and len to, if NULL, use default enctypes. 1422 1423 * @return Returns 0 to indicate success. Otherwise an kerberos et 1424 * error code is returned, see krb5_get_error_message(). 1425 * 1426 * @ingroup krb5 1427 */ 1428 1429 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 1430 _krb5_init_etype(krb5_context context, 1431 krb5_pdu pdu_type, 1432 unsigned *len, 1433 krb5_enctype **val, 1434 const krb5_enctype *etypes) 1435 { 1436 krb5_error_code ret; 1437 1438 if (etypes == NULL) 1439 ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val); 1440 else 1441 ret = copy_enctypes(context, etypes, val); 1442 if (ret) 1443 return ret; 1444 1445 if (len) { 1446 *len = 0; 1447 while ((*val)[*len] != KRB5_ENCTYPE_NULL) 1448 (*len)++; 1449 } 1450 return 0; 1451 } 1452 1453 /* 1454 * Allow homedir accces 1455 */ 1456 1457 static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER; 1458 static krb5_boolean allow_homedir = TRUE; 1459 1460 krb5_boolean 1461 _krb5_homedir_access(krb5_context context) 1462 { 1463 krb5_boolean allow; 1464 1465 #ifdef HAVE_GETEUID 1466 /* is never allowed for root */ 1467 if (geteuid() == 0) 1468 return FALSE; 1469 #endif 1470 1471 if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0) 1472 return FALSE; 1473 1474 HEIMDAL_MUTEX_lock(&homedir_mutex); 1475 allow = allow_homedir; 1476 HEIMDAL_MUTEX_unlock(&homedir_mutex); 1477 return allow; 1478 } 1479 1480 /** 1481 * Enable and disable home directory access on either the global state 1482 * or the krb5_context state. By calling krb5_set_home_dir_access() 1483 * with context set to NULL, the global state is configured otherwise 1484 * the state for the krb5_context is modified. 1485 * 1486 * For home directory access to be allowed, both the global state and 1487 * the krb5_context state have to be allowed. 1488 * 1489 * Administrator (root user), never uses the home directory. 1490 * 1491 * @param context a Kerberos 5 context or NULL 1492 * @param allow allow if TRUE home directory 1493 * @return the old value 1494 * 1495 * @ingroup krb5 1496 */ 1497 1498 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL 1499 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow) 1500 { 1501 krb5_boolean old; 1502 if (context) { 1503 old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE; 1504 if (allow) 1505 context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS; 1506 else 1507 context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS; 1508 } else { 1509 HEIMDAL_MUTEX_lock(&homedir_mutex); 1510 old = allow_homedir; 1511 allow_homedir = allow; 1512 HEIMDAL_MUTEX_unlock(&homedir_mutex); 1513 } 1514 1515 return old; 1516 } 1517