xref: /freebsd/crypto/heimdal/lib/krb5/context.c (revision 87c1627502a5dde91e5284118eec8682b60f27a2)
1 /*
2  * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * 3. Neither the name of the Institute nor the names of its contributors
20  *    may be used to endorse or promote products derived from this software
21  *    without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35 
36 #include "krb5_locl.h"
37 #include <assert.h>
38 #include <com_err.h>
39 
40 #define INIT_FIELD(C, T, E, D, F)					\
41     (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), 	\
42 						"libdefaults", F, NULL)
43 
44 #define INIT_FLAG(C, O, V, D, F)					\
45     do {								\
46 	if (krb5_config_get_bool_default((C), NULL, (D),"libdefaults", F, NULL)) { \
47 	    (C)->O |= V;						\
48         }								\
49     } while(0)
50 
51 /*
52  * Set the list of etypes `ret_etypes' from the configuration variable
53  * `name'
54  */
55 
56 static krb5_error_code
57 set_etypes (krb5_context context,
58 	    const char *name,
59 	    krb5_enctype **ret_enctypes)
60 {
61     char **etypes_str;
62     krb5_enctype *etypes = NULL;
63 
64     etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
65 					 name, NULL);
66     if(etypes_str){
67 	int i, j, k;
68 	for(i = 0; etypes_str[i]; i++);
69 	etypes = malloc((i+1) * sizeof(*etypes));
70 	if (etypes == NULL) {
71 	    krb5_config_free_strings (etypes_str);
72 	    krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
73 	    return ENOMEM;
74 	}
75 	for(j = 0, k = 0; j < i; j++) {
76 	    krb5_enctype e;
77 	    if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
78 		continue;
79 	    if (krb5_enctype_valid(context, e) != 0)
80 		continue;
81 	    etypes[k++] = e;
82 	}
83 	etypes[k] = ETYPE_NULL;
84 	krb5_config_free_strings(etypes_str);
85     }
86     *ret_enctypes = etypes;
87     return 0;
88 }
89 
90 /*
91  * read variables from the configuration file and set in `context'
92  */
93 
94 static krb5_error_code
95 init_context_from_config_file(krb5_context context)
96 {
97     krb5_error_code ret;
98     const char * tmp;
99     char **s;
100     krb5_enctype *tmptypes;
101 
102     INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
103     INIT_FIELD(context, time, kdc_timeout, 3, "kdc_timeout");
104     INIT_FIELD(context, int, max_retries, 3, "max_retries");
105 
106     INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
107 
108     ret = krb5_config_get_bool_default(context, NULL, FALSE,
109 				       "libdefaults",
110 				       "allow_weak_crypto", NULL);
111     if (ret) {
112 	krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
113 	krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
114 	krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
115 	krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
116 	krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
117 	krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
118     }
119 
120     ret = set_etypes (context, "default_etypes", &tmptypes);
121     if(ret)
122 	return ret;
123     free(context->etypes);
124     context->etypes = tmptypes;
125 
126     ret = set_etypes (context, "default_etypes_des", &tmptypes);
127     if(ret)
128 	return ret;
129     free(context->etypes_des);
130     context->etypes_des = tmptypes;
131 
132     ret = set_etypes (context, "default_as_etypes", &tmptypes);
133     if(ret)
134 	return ret;
135     free(context->as_etypes);
136     context->as_etypes = tmptypes;
137 
138     ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
139     if(ret)
140 	return ret;
141     free(context->tgs_etypes);
142     context->tgs_etypes = tmptypes;
143 
144     ret = set_etypes (context, "permitted_enctypes", &tmptypes);
145     if(ret)
146 	return ret;
147     free(context->permitted_enctypes);
148     context->permitted_enctypes = tmptypes;
149 
150     /* default keytab name */
151     tmp = NULL;
152     if(!issuid())
153 	tmp = getenv("KRB5_KTNAME");
154     if(tmp != NULL)
155 	context->default_keytab = tmp;
156     else
157 	INIT_FIELD(context, string, default_keytab,
158 		   KEYTAB_DEFAULT, "default_keytab_name");
159 
160     INIT_FIELD(context, string, default_keytab_modify,
161 	       NULL, "default_keytab_modify_name");
162 
163     INIT_FIELD(context, string, time_fmt,
164 	       "%Y-%m-%dT%H:%M:%S", "time_format");
165 
166     INIT_FIELD(context, string, date_fmt,
167 	       "%Y-%m-%d", "date_format");
168 
169     INIT_FIELD(context, bool, log_utc,
170 	       FALSE, "log_utc");
171 
172 
173 
174     /* init dns-proxy slime */
175     tmp = krb5_config_get_string(context, NULL, "libdefaults",
176 				 "dns_proxy", NULL);
177     if(tmp)
178 	roken_gethostby_setup(context->http_proxy, tmp);
179     krb5_free_host_realm (context, context->default_realms);
180     context->default_realms = NULL;
181 
182     {
183 	krb5_addresses addresses;
184 	char **adr, **a;
185 
186 	krb5_set_extra_addresses(context, NULL);
187 	adr = krb5_config_get_strings(context, NULL,
188 				      "libdefaults",
189 				      "extra_addresses",
190 				      NULL);
191 	memset(&addresses, 0, sizeof(addresses));
192 	for(a = adr; a && *a; a++) {
193 	    ret = krb5_parse_address(context, *a, &addresses);
194 	    if (ret == 0) {
195 		krb5_add_extra_addresses(context, &addresses);
196 		krb5_free_addresses(context, &addresses);
197 	    }
198 	}
199 	krb5_config_free_strings(adr);
200 
201 	krb5_set_ignore_addresses(context, NULL);
202 	adr = krb5_config_get_strings(context, NULL,
203 				      "libdefaults",
204 				      "ignore_addresses",
205 				      NULL);
206 	memset(&addresses, 0, sizeof(addresses));
207 	for(a = adr; a && *a; a++) {
208 	    ret = krb5_parse_address(context, *a, &addresses);
209 	    if (ret == 0) {
210 		krb5_add_ignore_addresses(context, &addresses);
211 		krb5_free_addresses(context, &addresses);
212 	    }
213 	}
214 	krb5_config_free_strings(adr);
215     }
216 
217     INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
218     INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
219     /* prefer dns_lookup_kdc over srv_lookup. */
220     INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
221     INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
222     INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
223     INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
224     INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
225     context->default_cc_name = NULL;
226     context->default_cc_name_set = 0;
227 
228     s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
229     if(s) {
230 	char **p;
231 	krb5_initlog(context, "libkrb5", &context->debug_dest);
232 	for(p = s; *p; p++)
233 	    krb5_addlog_dest(context, context->debug_dest, *p);
234 	krb5_config_free_strings(s);
235     }
236 
237     tmp = krb5_config_get_string(context, NULL, "libdefaults",
238 				 "check-rd-req-server", NULL);
239     if (tmp == NULL && !issuid())
240 	tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
241     if(tmp) {
242 	if (strcasecmp(tmp, "ignore") == 0)
243 	    context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
244     }
245 
246     return 0;
247 }
248 
249 static krb5_error_code
250 cc_ops_register(krb5_context context)
251 {
252     context->cc_ops = NULL;
253     context->num_cc_ops = 0;
254 
255 #ifndef KCM_IS_API_CACHE
256     krb5_cc_register(context, &krb5_acc_ops, TRUE);
257 #endif
258     krb5_cc_register(context, &krb5_fcc_ops, TRUE);
259     krb5_cc_register(context, &krb5_mcc_ops, TRUE);
260 #ifdef HAVE_SCC
261     krb5_cc_register(context, &krb5_scc_ops, TRUE);
262 #endif
263 #ifdef HAVE_KCM
264 #ifdef KCM_IS_API_CACHE
265     krb5_cc_register(context, &krb5_akcm_ops, TRUE);
266 #endif
267     krb5_cc_register(context, &krb5_kcm_ops, TRUE);
268 #endif
269     _krb5_load_ccache_plugins(context);
270     return 0;
271 }
272 
273 static krb5_error_code
274 cc_ops_copy(krb5_context context, const krb5_context src_context)
275 {
276     const krb5_cc_ops **cc_ops;
277 
278     context->cc_ops = NULL;
279     context->num_cc_ops = 0;
280 
281     if (src_context->num_cc_ops == 0)
282 	return 0;
283 
284     cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
285     if (cc_ops == NULL) {
286 	krb5_set_error_message(context, KRB5_CC_NOMEM,
287 			       N_("malloc: out of memory", ""));
288 	return KRB5_CC_NOMEM;
289     }
290 
291     memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
292 	   sizeof(cc_ops[0]) * src_context->num_cc_ops);
293     context->cc_ops = cc_ops;
294     context->num_cc_ops = src_context->num_cc_ops;
295 
296     return 0;
297 }
298 
299 static krb5_error_code
300 kt_ops_register(krb5_context context)
301 {
302     context->num_kt_types = 0;
303     context->kt_types     = NULL;
304 
305     krb5_kt_register (context, &krb5_fkt_ops);
306     krb5_kt_register (context, &krb5_wrfkt_ops);
307     krb5_kt_register (context, &krb5_javakt_ops);
308     krb5_kt_register (context, &krb5_mkt_ops);
309 #ifndef HEIMDAL_SMALLER
310     krb5_kt_register (context, &krb5_akf_ops);
311 #endif
312     krb5_kt_register (context, &krb5_any_ops);
313     return 0;
314 }
315 
316 static krb5_error_code
317 kt_ops_copy(krb5_context context, const krb5_context src_context)
318 {
319     context->num_kt_types = 0;
320     context->kt_types     = NULL;
321 
322     if (src_context->num_kt_types == 0)
323 	return 0;
324 
325     context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
326     if (context->kt_types == NULL) {
327 	krb5_set_error_message(context, ENOMEM,
328 			       N_("malloc: out of memory", ""));
329 	return ENOMEM;
330     }
331 
332     context->num_kt_types = src_context->num_kt_types;
333     memcpy(context->kt_types, src_context->kt_types,
334 	   sizeof(context->kt_types[0]) * src_context->num_kt_types);
335 
336     return 0;
337 }
338 
339 static const char *sysplugin_dirs[] =  {
340     LIBDIR "/plugin/krb5",
341 #ifdef __APPLE__
342     "/Library/KerberosPlugins/KerberosFrameworkPlugins",
343     "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
344 #endif
345     NULL
346 };
347 
348 static void
349 init_context_once(void *ctx)
350 {
351     krb5_context context = ctx;
352 
353     _krb5_load_plugins(context, "krb5", sysplugin_dirs);
354 
355     bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
356 }
357 
358 
359 /**
360  * Initializes the context structure and reads the configuration file
361  * /etc/krb5.conf. The structure should be freed by calling
362  * krb5_free_context() when it is no longer being used.
363  *
364  * @param context pointer to returned context
365  *
366  * @return Returns 0 to indicate success.  Otherwise an errno code is
367  * returned.  Failure means either that something bad happened during
368  * initialization (typically ENOMEM) or that Kerberos should not be
369  * used ENXIO.
370  *
371  * @ingroup krb5
372  */
373 
374 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
375 krb5_init_context(krb5_context *context)
376 {
377     static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
378     krb5_context p;
379     krb5_error_code ret;
380     char **files;
381 
382     *context = NULL;
383 
384     p = calloc(1, sizeof(*p));
385     if(!p)
386 	return ENOMEM;
387 
388     p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
389     if (p->mutex == NULL) {
390 	free(p);
391 	return ENOMEM;
392     }
393     HEIMDAL_MUTEX_init(p->mutex);
394 
395     p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
396 
397     ret = krb5_get_default_config_files(&files);
398     if(ret)
399 	goto out;
400     ret = krb5_set_config_files(p, files);
401     krb5_free_config_files(files);
402     if(ret)
403 	goto out;
404 
405     /* init error tables */
406     krb5_init_ets(p);
407     cc_ops_register(p);
408     kt_ops_register(p);
409 
410 #ifdef PKINIT
411     ret = hx509_context_init(&p->hx509ctx);
412     if (ret)
413 	goto out;
414 #endif
415     if (rk_SOCK_INIT())
416 	p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
417 
418 out:
419     if(ret) {
420 	krb5_free_context(p);
421 	p = NULL;
422     } else {
423 	heim_base_once_f(&init_context, p, init_context_once);
424     }
425     *context = p;
426     return ret;
427 }
428 
429 #ifndef HEIMDAL_SMALLER
430 
431 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
432 krb5_get_permitted_enctypes(krb5_context context,
433 			    krb5_enctype **etypes)
434 {
435     return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
436 }
437 
438 /*
439  *
440  */
441 
442 static krb5_error_code
443 copy_etypes (krb5_context context,
444 	     krb5_enctype *enctypes,
445 	     krb5_enctype **ret_enctypes)
446 {
447     unsigned int i;
448 
449     for (i = 0; enctypes[i]; i++)
450 	;
451     i++;
452 
453     *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i);
454     if (*ret_enctypes == NULL) {
455 	krb5_set_error_message(context, ENOMEM,
456 			       N_("malloc: out of memory", ""));
457 	return ENOMEM;
458     }
459     memcpy(*ret_enctypes, enctypes, sizeof(ret_enctypes[0]) * i);
460     return 0;
461 }
462 
463 /**
464  * Make a copy for the Kerberos 5 context, the new krb5_context shoud
465  * be freed with krb5_free_context().
466  *
467  * @param context the Kerberos context to copy
468  * @param out the copy of the Kerberos, set to NULL error.
469  *
470  * @return Returns 0 to indicate success.  Otherwise an kerberos et
471  * error code is returned, see krb5_get_error_message().
472  *
473  * @ingroup krb5
474  */
475 
476 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
477 krb5_copy_context(krb5_context context, krb5_context *out)
478 {
479     krb5_error_code ret;
480     krb5_context p;
481 
482     *out = NULL;
483 
484     p = calloc(1, sizeof(*p));
485     if (p == NULL) {
486 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
487 	return ENOMEM;
488     }
489 
490     p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
491     if (p->mutex == NULL) {
492 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
493 	free(p);
494 	return ENOMEM;
495     }
496     HEIMDAL_MUTEX_init(p->mutex);
497 
498 
499     if (context->default_cc_name)
500 	p->default_cc_name = strdup(context->default_cc_name);
501     if (context->default_cc_name_env)
502 	p->default_cc_name_env = strdup(context->default_cc_name_env);
503 
504     if (context->etypes) {
505 	ret = copy_etypes(context, context->etypes, &p->etypes);
506 	if (ret)
507 	    goto out;
508     }
509     if (context->etypes_des) {
510 	ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
511 	if (ret)
512 	    goto out;
513     }
514 
515     if (context->default_realms) {
516 	ret = krb5_copy_host_realm(context,
517 				   context->default_realms, &p->default_realms);
518 	if (ret)
519 	    goto out;
520     }
521 
522     ret = _krb5_config_copy(context, context->cf, &p->cf);
523     if (ret)
524 	goto out;
525 
526     /* XXX should copy */
527     krb5_init_ets(p);
528 
529     cc_ops_copy(p, context);
530     kt_ops_copy(p, context);
531 
532 #if 0 /* XXX */
533     if(context->warn_dest != NULL)
534 	;
535     if(context->debug_dest != NULL)
536 	;
537 #endif
538 
539     ret = krb5_set_extra_addresses(p, context->extra_addresses);
540     if (ret)
541 	goto out;
542     ret = krb5_set_extra_addresses(p, context->ignore_addresses);
543     if (ret)
544 	goto out;
545 
546     ret = _krb5_copy_send_to_kdc_func(p, context);
547     if (ret)
548 	goto out;
549 
550     *out = p;
551 
552     return 0;
553 
554  out:
555     krb5_free_context(p);
556     return ret;
557 }
558 
559 #endif
560 
561 /**
562  * Frees the krb5_context allocated by krb5_init_context().
563  *
564  * @param context context to be freed.
565  *
566  * @ingroup krb5
567  */
568 
569 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
570 krb5_free_context(krb5_context context)
571 {
572     if (context->default_cc_name)
573 	free(context->default_cc_name);
574     if (context->default_cc_name_env)
575 	free(context->default_cc_name_env);
576     free(context->etypes);
577     free(context->etypes_des);
578     krb5_free_host_realm (context, context->default_realms);
579     krb5_config_file_free (context, context->cf);
580     free_error_table (context->et_list);
581     free(rk_UNCONST(context->cc_ops));
582     free(context->kt_types);
583     krb5_clear_error_message(context);
584     if(context->warn_dest != NULL)
585 	krb5_closelog(context, context->warn_dest);
586     if(context->debug_dest != NULL)
587 	krb5_closelog(context, context->debug_dest);
588     krb5_set_extra_addresses(context, NULL);
589     krb5_set_ignore_addresses(context, NULL);
590     krb5_set_send_to_kdc_func(context, NULL, NULL);
591 
592 #ifdef PKINIT
593     if (context->hx509ctx)
594 	hx509_context_free(&context->hx509ctx);
595 #endif
596 
597     HEIMDAL_MUTEX_destroy(context->mutex);
598     free(context->mutex);
599     if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
600  	rk_SOCK_EXIT();
601     }
602 
603     memset(context, 0, sizeof(*context));
604     free(context);
605 }
606 
607 /**
608  * Reinit the context from a new set of filenames.
609  *
610  * @param context context to add configuration too.
611  * @param filenames array of filenames, end of list is indicated with a NULL filename.
612  *
613  * @return Returns 0 to indicate success.  Otherwise an kerberos et
614  * error code is returned, see krb5_get_error_message().
615  *
616  * @ingroup krb5
617  */
618 
619 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
620 krb5_set_config_files(krb5_context context, char **filenames)
621 {
622     krb5_error_code ret;
623     krb5_config_binding *tmp = NULL;
624     while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
625 	ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
626 	if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) {
627 	    krb5_config_file_free(context, tmp);
628 	    return ret;
629 	}
630 	filenames++;
631     }
632 #if 0
633     /* with this enabled and if there are no config files, Kerberos is
634        considererd disabled */
635     if(tmp == NULL)
636 	return ENXIO;
637 #endif
638 
639 #ifdef _WIN32
640     _krb5_load_config_from_registry(context, &tmp);
641 #endif
642 
643     krb5_config_file_free(context, context->cf);
644     context->cf = tmp;
645     ret = init_context_from_config_file(context);
646     return ret;
647 }
648 
649 static krb5_error_code
650 add_file(char ***pfilenames, int *len, char *file)
651 {
652     char **pp = *pfilenames;
653     int i;
654 
655     for(i = 0; i < *len; i++) {
656 	if(strcmp(pp[i], file) == 0) {
657 	    free(file);
658 	    return 0;
659 	}
660     }
661 
662     pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp));
663     if (pp == NULL) {
664 	free(file);
665 	return ENOMEM;
666     }
667 
668     pp[*len] = file;
669     pp[*len + 1] = NULL;
670     *pfilenames = pp;
671     *len += 1;
672     return 0;
673 }
674 
675 /*
676  *  `pq' isn't free, it's up the the caller
677  */
678 
679 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
680 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
681 {
682     krb5_error_code ret;
683     const char *p, *q;
684     char **pp;
685     int len;
686     char *fn;
687 
688     pp = NULL;
689 
690     len = 0;
691     p = filelist;
692     while(1) {
693 	ssize_t l;
694 	q = p;
695 	l = strsep_copy(&q, PATH_SEP, NULL, 0);
696 	if(l == -1)
697 	    break;
698 	fn = malloc(l + 1);
699 	if(fn == NULL) {
700 	    krb5_free_config_files(pp);
701 	    return ENOMEM;
702 	}
703 	(void)strsep_copy(&p, PATH_SEP, fn, l + 1);
704 	ret = add_file(&pp, &len, fn);
705 	if (ret) {
706 	    krb5_free_config_files(pp);
707 	    return ret;
708 	}
709     }
710 
711     if (pq != NULL) {
712 	int i;
713 
714 	for (i = 0; pq[i] != NULL; i++) {
715 	    fn = strdup(pq[i]);
716 	    if (fn == NULL) {
717 		krb5_free_config_files(pp);
718 		return ENOMEM;
719 	    }
720 	    ret = add_file(&pp, &len, fn);
721 	    if (ret) {
722 		krb5_free_config_files(pp);
723 		return ret;
724 	    }
725 	}
726     }
727 
728     *ret_pp = pp;
729     return 0;
730 }
731 
732 /**
733  * Prepend the filename to the global configuration list.
734  *
735  * @param filelist a filename to add to the default list of filename
736  * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
737  *
738  * @return Returns 0 to indicate success.  Otherwise an kerberos et
739  * error code is returned, see krb5_get_error_message().
740  *
741  * @ingroup krb5
742  */
743 
744 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
745 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
746 {
747     krb5_error_code ret;
748     char **defpp, **pp = NULL;
749 
750     ret = krb5_get_default_config_files(&defpp);
751     if (ret)
752 	return ret;
753 
754     ret = krb5_prepend_config_files(filelist, defpp, &pp);
755     krb5_free_config_files(defpp);
756     if (ret) {
757 	return ret;
758     }
759     *pfilenames = pp;
760     return 0;
761 }
762 
763 #ifdef _WIN32
764 
765 /**
766  * Checks the registry for configuration file location
767  *
768  * Kerberos for Windows and other legacy Kerberos applications expect
769  * to find the configuration file location in the
770  * SOFTWARE\MIT\Kerberos registry key under the value "config".
771  */
772 char *
773 _krb5_get_default_config_config_files_from_registry()
774 {
775     static const char * KeyName = "Software\\MIT\\Kerberos";
776     char *config_file = NULL;
777     LONG rcode;
778     HKEY key;
779 
780     rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key);
781     if (rcode == ERROR_SUCCESS) {
782         config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
783                                                             REG_NONE, 0, PATH_SEP);
784         RegCloseKey(key);
785     }
786 
787     if (config_file)
788         return config_file;
789 
790     rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key);
791     if (rcode == ERROR_SUCCESS) {
792         config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
793                                                             REG_NONE, 0, PATH_SEP);
794         RegCloseKey(key);
795     }
796 
797     return config_file;
798 }
799 
800 #endif
801 
802 /**
803  * Get the global configuration list.
804  *
805  * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
806  *
807  * @return Returns 0 to indicate success.  Otherwise an kerberos et
808  * error code is returned, see krb5_get_error_message().
809  *
810  * @ingroup krb5
811  */
812 
813 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
814 krb5_get_default_config_files(char ***pfilenames)
815 {
816     const char *files = NULL;
817 
818     if (pfilenames == NULL)
819         return EINVAL;
820     if(!issuid())
821 	files = getenv("KRB5_CONFIG");
822 
823 #ifdef _WIN32
824     if (files == NULL) {
825         char * reg_files;
826         reg_files = _krb5_get_default_config_config_files_from_registry();
827         if (reg_files != NULL) {
828             krb5_error_code code;
829 
830             code = krb5_prepend_config_files(reg_files, NULL, pfilenames);
831             free(reg_files);
832 
833             return code;
834         }
835     }
836 #endif
837 
838     if (files == NULL)
839 	files = krb5_config_file;
840 
841     return krb5_prepend_config_files(files, NULL, pfilenames);
842 }
843 
844 /**
845  * Free a list of configuration files.
846  *
847  * @param filenames list, terminated with a NULL pointer, to be
848  * freed. NULL is an valid argument.
849  *
850  * @return Returns 0 to indicate success. Otherwise an kerberos et
851  * error code is returned, see krb5_get_error_message().
852  *
853  * @ingroup krb5
854  */
855 
856 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
857 krb5_free_config_files(char **filenames)
858 {
859     char **p;
860     for(p = filenames; p && *p != NULL; p++)
861 	free(*p);
862     free(filenames);
863 }
864 
865 /**
866  * Returns the list of Kerberos encryption types sorted in order of
867  * most preferred to least preferred encryption type.  Note that some
868  * encryption types might be disabled, so you need to check with
869  * krb5_enctype_valid() before using the encryption type.
870  *
871  * @return list of enctypes, terminated with ETYPE_NULL. Its a static
872  * array completed into the Kerberos library so the content doesn't
873  * need to be freed.
874  *
875  * @ingroup krb5
876  */
877 
878 KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
879 krb5_kerberos_enctypes(krb5_context context)
880 {
881     static const krb5_enctype p[] = {
882 	ETYPE_AES256_CTS_HMAC_SHA1_96,
883 	ETYPE_AES128_CTS_HMAC_SHA1_96,
884 	ETYPE_DES3_CBC_SHA1,
885 	ETYPE_DES3_CBC_MD5,
886 	ETYPE_ARCFOUR_HMAC_MD5,
887 	ETYPE_DES_CBC_MD5,
888 	ETYPE_DES_CBC_MD4,
889 	ETYPE_DES_CBC_CRC,
890 	ETYPE_NULL
891     };
892     return p;
893 }
894 
895 /*
896  *
897  */
898 
899 static krb5_error_code
900 copy_enctypes(krb5_context context,
901 	      const krb5_enctype *in,
902 	      krb5_enctype **out)
903 {
904     krb5_enctype *p = NULL;
905     size_t m, n;
906 
907     for (n = 0; in[n]; n++)
908 	;
909     n++;
910     ALLOC(p, n);
911     if(p == NULL)
912 	return krb5_enomem(context);
913     for (n = 0, m = 0; in[n]; n++) {
914 	if (krb5_enctype_valid(context, in[n]) != 0)
915 	    continue;
916 	p[m++] = in[n];
917     }
918     p[m] = KRB5_ENCTYPE_NULL;
919     if (m == 0) {
920 	free(p);
921 	krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
922 				N_("no valid enctype set", ""));
923 	return KRB5_PROG_ETYPE_NOSUPP;
924     }
925     *out = p;
926     return 0;
927 }
928 
929 
930 /*
931  * set `etype' to a malloced list of the default enctypes
932  */
933 
934 static krb5_error_code
935 default_etypes(krb5_context context, krb5_enctype **etype)
936 {
937     const krb5_enctype *p = krb5_kerberos_enctypes(context);
938     return copy_enctypes(context, p, etype);
939 }
940 
941 /**
942  * Set the default encryption types that will be use in communcation
943  * with the KDC, clients and servers.
944  *
945  * @param context Kerberos 5 context.
946  * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
947  *
948  * @return Returns 0 to indicate success. Otherwise an kerberos et
949  * error code is returned, see krb5_get_error_message().
950  *
951  * @ingroup krb5
952  */
953 
954 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
955 krb5_set_default_in_tkt_etypes(krb5_context context,
956 			       const krb5_enctype *etypes)
957 {
958     krb5_error_code ret;
959     krb5_enctype *p = NULL;
960 
961     if(etypes) {
962 	ret = copy_enctypes(context, etypes, &p);
963 	if (ret)
964 	    return ret;
965     }
966     if(context->etypes)
967 	free(context->etypes);
968     context->etypes = p;
969     return 0;
970 }
971 
972 /**
973  * Get the default encryption types that will be use in communcation
974  * with the KDC, clients and servers.
975  *
976  * @param context Kerberos 5 context.
977  * @param etypes Encryption types, array terminated with
978  * ETYPE_NULL(0), caller should free array with krb5_xfree():
979  *
980  * @return Returns 0 to indicate success. Otherwise an kerberos et
981  * error code is returned, see krb5_get_error_message().
982  *
983  * @ingroup krb5
984  */
985 
986 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
987 krb5_get_default_in_tkt_etypes(krb5_context context,
988 			       krb5_pdu pdu_type,
989 			       krb5_enctype **etypes)
990 {
991     krb5_enctype *enctypes = NULL;
992     krb5_error_code ret;
993     krb5_enctype *p;
994 
995     heim_assert(pdu_type == KRB5_PDU_AS_REQUEST ||
996 		pdu_type == KRB5_PDU_TGS_REQUEST ||
997 		pdu_type == KRB5_PDU_NONE, "pdu contant not as expected");
998 
999     if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
1000 	enctypes = context->as_etypes;
1001     else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
1002 	enctypes = context->tgs_etypes;
1003     else if (context->etypes != NULL)
1004 	enctypes = context->etypes;
1005 
1006     if (enctypes != NULL) {
1007 	ret = copy_enctypes(context, enctypes, &p);
1008 	if (ret)
1009 	    return ret;
1010     } else {
1011 	ret = default_etypes(context, &p);
1012 	if (ret)
1013 	    return ret;
1014     }
1015     *etypes = p;
1016     return 0;
1017 }
1018 
1019 /**
1020  * Init the built-in ets in the Kerberos library.
1021  *
1022  * @param context kerberos context to add the ets too
1023  *
1024  * @ingroup krb5
1025  */
1026 
1027 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1028 krb5_init_ets(krb5_context context)
1029 {
1030     if(context->et_list == NULL){
1031 	krb5_add_et_list(context, initialize_krb5_error_table_r);
1032 	krb5_add_et_list(context, initialize_asn1_error_table_r);
1033 	krb5_add_et_list(context, initialize_heim_error_table_r);
1034 
1035 	krb5_add_et_list(context, initialize_k524_error_table_r);
1036 
1037 #ifdef COM_ERR_BINDDOMAIN_krb5
1038 	bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
1039 	bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
1040 	bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
1041 	bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
1042 #endif
1043 
1044 #ifdef PKINIT
1045 	krb5_add_et_list(context, initialize_hx_error_table_r);
1046 #ifdef COM_ERR_BINDDOMAIN_hx
1047 	bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
1048 #endif
1049 #endif
1050     }
1051 }
1052 
1053 /**
1054  * Make the kerberos library default to the admin KDC.
1055  *
1056  * @param context Kerberos 5 context.
1057  * @param flag boolean flag to select if the use the admin KDC or not.
1058  *
1059  * @ingroup krb5
1060  */
1061 
1062 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1063 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
1064 {
1065     context->use_admin_kdc = flag;
1066 }
1067 
1068 /**
1069  * Make the kerberos library default to the admin KDC.
1070  *
1071  * @param context Kerberos 5 context.
1072  *
1073  * @return boolean flag to telling the context will use admin KDC as the default KDC.
1074  *
1075  * @ingroup krb5
1076  */
1077 
1078 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1079 krb5_get_use_admin_kdc (krb5_context context)
1080 {
1081     return context->use_admin_kdc;
1082 }
1083 
1084 /**
1085  * Add extra address to the address list that the library will add to
1086  * the client's address list when communicating with the KDC.
1087  *
1088  * @param context Kerberos 5 context.
1089  * @param addresses addreses to add
1090  *
1091  * @return Returns 0 to indicate success. Otherwise an kerberos et
1092  * error code is returned, see krb5_get_error_message().
1093  *
1094  * @ingroup krb5
1095  */
1096 
1097 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1098 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
1099 {
1100 
1101     if(context->extra_addresses)
1102 	return krb5_append_addresses(context,
1103 				     context->extra_addresses, addresses);
1104     else
1105 	return krb5_set_extra_addresses(context, addresses);
1106 }
1107 
1108 /**
1109  * Set extra address to the address list that the library will add to
1110  * the client's address list when communicating with the KDC.
1111  *
1112  * @param context Kerberos 5 context.
1113  * @param addresses addreses to set
1114  *
1115  * @return Returns 0 to indicate success. Otherwise an kerberos et
1116  * error code is returned, see krb5_get_error_message().
1117  *
1118  * @ingroup krb5
1119  */
1120 
1121 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1122 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
1123 {
1124     if(context->extra_addresses)
1125 	krb5_free_addresses(context, context->extra_addresses);
1126 
1127     if(addresses == NULL) {
1128 	if(context->extra_addresses != NULL) {
1129 	    free(context->extra_addresses);
1130 	    context->extra_addresses = NULL;
1131 	}
1132 	return 0;
1133     }
1134     if(context->extra_addresses == NULL) {
1135 	context->extra_addresses = malloc(sizeof(*context->extra_addresses));
1136 	if(context->extra_addresses == NULL) {
1137 	    krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
1138 	    return ENOMEM;
1139 	}
1140     }
1141     return krb5_copy_addresses(context, addresses, context->extra_addresses);
1142 }
1143 
1144 /**
1145  * Get extra address to the address list that the library will add to
1146  * the client's address list when communicating with the KDC.
1147  *
1148  * @param context Kerberos 5 context.
1149  * @param addresses addreses to set
1150  *
1151  * @return Returns 0 to indicate success. Otherwise an kerberos et
1152  * error code is returned, see krb5_get_error_message().
1153  *
1154  * @ingroup krb5
1155  */
1156 
1157 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1158 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
1159 {
1160     if(context->extra_addresses == NULL) {
1161 	memset(addresses, 0, sizeof(*addresses));
1162 	return 0;
1163     }
1164     return krb5_copy_addresses(context,context->extra_addresses, addresses);
1165 }
1166 
1167 /**
1168  * Add extra addresses to ignore when fetching addresses from the
1169  * underlaying operating system.
1170  *
1171  * @param context Kerberos 5 context.
1172  * @param addresses addreses to ignore
1173  *
1174  * @return Returns 0 to indicate success. Otherwise an kerberos et
1175  * error code is returned, see krb5_get_error_message().
1176  *
1177  * @ingroup krb5
1178  */
1179 
1180 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1181 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1182 {
1183 
1184     if(context->ignore_addresses)
1185 	return krb5_append_addresses(context,
1186 				     context->ignore_addresses, addresses);
1187     else
1188 	return krb5_set_ignore_addresses(context, addresses);
1189 }
1190 
1191 /**
1192  * Set extra addresses to ignore when fetching addresses from the
1193  * underlaying operating system.
1194  *
1195  * @param context Kerberos 5 context.
1196  * @param addresses addreses to ignore
1197  *
1198  * @return Returns 0 to indicate success. Otherwise an kerberos et
1199  * error code is returned, see krb5_get_error_message().
1200  *
1201  * @ingroup krb5
1202  */
1203 
1204 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1205 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
1206 {
1207     if(context->ignore_addresses)
1208 	krb5_free_addresses(context, context->ignore_addresses);
1209     if(addresses == NULL) {
1210 	if(context->ignore_addresses != NULL) {
1211 	    free(context->ignore_addresses);
1212 	    context->ignore_addresses = NULL;
1213 	}
1214 	return 0;
1215     }
1216     if(context->ignore_addresses == NULL) {
1217 	context->ignore_addresses = malloc(sizeof(*context->ignore_addresses));
1218 	if(context->ignore_addresses == NULL) {
1219 	    krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
1220 	    return ENOMEM;
1221 	}
1222     }
1223     return krb5_copy_addresses(context, addresses, context->ignore_addresses);
1224 }
1225 
1226 /**
1227  * Get extra addresses to ignore when fetching addresses from the
1228  * underlaying operating system.
1229  *
1230  * @param context Kerberos 5 context.
1231  * @param addresses list addreses ignored
1232  *
1233  * @return Returns 0 to indicate success. Otherwise an kerberos et
1234  * error code is returned, see krb5_get_error_message().
1235  *
1236  * @ingroup krb5
1237  */
1238 
1239 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1240 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
1241 {
1242     if(context->ignore_addresses == NULL) {
1243 	memset(addresses, 0, sizeof(*addresses));
1244 	return 0;
1245     }
1246     return krb5_copy_addresses(context, context->ignore_addresses, addresses);
1247 }
1248 
1249 /**
1250  * Set version of fcache that the library should use.
1251  *
1252  * @param context Kerberos 5 context.
1253  * @param version version number.
1254  *
1255  * @return Returns 0 to indicate success. Otherwise an kerberos et
1256  * error code is returned, see krb5_get_error_message().
1257  *
1258  * @ingroup krb5
1259  */
1260 
1261 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1262 krb5_set_fcache_version(krb5_context context, int version)
1263 {
1264     context->fcache_vno = version;
1265     return 0;
1266 }
1267 
1268 /**
1269  * Get version of fcache that the library should use.
1270  *
1271  * @param context Kerberos 5 context.
1272  * @param version version number.
1273  *
1274  * @return Returns 0 to indicate success. Otherwise an kerberos et
1275  * error code is returned, see krb5_get_error_message().
1276  *
1277  * @ingroup krb5
1278  */
1279 
1280 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1281 krb5_get_fcache_version(krb5_context context, int *version)
1282 {
1283     *version = context->fcache_vno;
1284     return 0;
1285 }
1286 
1287 /**
1288  * Runtime check if the Kerberos library was complied with thread support.
1289  *
1290  * @return TRUE if the library was compiled with thread support, FALSE if not.
1291  *
1292  * @ingroup krb5
1293  */
1294 
1295 
1296 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1297 krb5_is_thread_safe(void)
1298 {
1299 #ifdef ENABLE_PTHREAD_SUPPORT
1300     return TRUE;
1301 #else
1302     return FALSE;
1303 #endif
1304 }
1305 
1306 /**
1307  * Set if the library should use DNS to canonicalize hostnames.
1308  *
1309  * @param context Kerberos 5 context.
1310  * @param flag if its dns canonicalizion is used or not.
1311  *
1312  * @ingroup krb5
1313  */
1314 
1315 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1316 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
1317 {
1318     if (flag)
1319 	context->flags |= KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1320     else
1321 	context->flags &= ~KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME;
1322 }
1323 
1324 /**
1325  * Get if the library uses DNS to canonicalize hostnames.
1326  *
1327  * @param context Kerberos 5 context.
1328  *
1329  * @return return non zero if the library uses DNS to canonicalize hostnames.
1330  *
1331  * @ingroup krb5
1332  */
1333 
1334 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1335 krb5_get_dns_canonicalize_hostname (krb5_context context)
1336 {
1337     return (context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) ? 1 : 0;
1338 }
1339 
1340 /**
1341  * Get current offset in time to the KDC.
1342  *
1343  * @param context Kerberos 5 context.
1344  * @param sec seconds part of offset.
1345  * @param usec micro seconds part of offset.
1346  *
1347  * @return returns zero
1348  *
1349  * @ingroup krb5
1350  */
1351 
1352 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1353 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
1354 {
1355     if (sec)
1356 	*sec = context->kdc_sec_offset;
1357     if (usec)
1358 	*usec = context->kdc_usec_offset;
1359     return 0;
1360 }
1361 
1362 /**
1363  * Set current offset in time to the KDC.
1364  *
1365  * @param context Kerberos 5 context.
1366  * @param sec seconds part of offset.
1367  * @param usec micro seconds part of offset.
1368  *
1369  * @return returns zero
1370  *
1371  * @ingroup krb5
1372  */
1373 
1374 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1375 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
1376 {
1377     context->kdc_sec_offset = sec;
1378     if (usec >= 0)
1379 	context->kdc_usec_offset = usec;
1380     return 0;
1381 }
1382 
1383 /**
1384  * Get max time skew allowed.
1385  *
1386  * @param context Kerberos 5 context.
1387  *
1388  * @return timeskew in seconds.
1389  *
1390  * @ingroup krb5
1391  */
1392 
1393 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
1394 krb5_get_max_time_skew (krb5_context context)
1395 {
1396     return context->max_skew;
1397 }
1398 
1399 /**
1400  * Set max time skew allowed.
1401  *
1402  * @param context Kerberos 5 context.
1403  * @param t timeskew in seconds.
1404  *
1405  * @ingroup krb5
1406  */
1407 
1408 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
1409 krb5_set_max_time_skew (krb5_context context, time_t t)
1410 {
1411     context->max_skew = t;
1412 }
1413 
1414 /*
1415  * Init encryption types in len, val with etypes.
1416  *
1417  * @param context Kerberos 5 context.
1418  * @param pdu_type type of pdu
1419  * @param len output length of val.
1420  * @param val output array of enctypes.
1421  * @param etypes etypes to set val and len to, if NULL, use default enctypes.
1422 
1423  * @return Returns 0 to indicate success. Otherwise an kerberos et
1424  * error code is returned, see krb5_get_error_message().
1425  *
1426  * @ingroup krb5
1427  */
1428 
1429 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1430 _krb5_init_etype(krb5_context context,
1431 		 krb5_pdu pdu_type,
1432 		 unsigned *len,
1433 		 krb5_enctype **val,
1434 		 const krb5_enctype *etypes)
1435 {
1436     krb5_error_code ret;
1437 
1438     if (etypes == NULL)
1439 	ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
1440     else
1441 	ret = copy_enctypes(context, etypes, val);
1442     if (ret)
1443 	return ret;
1444 
1445     if (len) {
1446 	*len = 0;
1447 	while ((*val)[*len] != KRB5_ENCTYPE_NULL)
1448 	    (*len)++;
1449     }
1450     return 0;
1451 }
1452 
1453 /*
1454  * Allow homedir accces
1455  */
1456 
1457 static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
1458 static krb5_boolean allow_homedir = TRUE;
1459 
1460 krb5_boolean
1461 _krb5_homedir_access(krb5_context context)
1462 {
1463     krb5_boolean allow;
1464 
1465 #ifdef HAVE_GETEUID
1466     /* is never allowed for root */
1467     if (geteuid() == 0)
1468 	return FALSE;
1469 #endif
1470 
1471     if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
1472 	return FALSE;
1473 
1474     HEIMDAL_MUTEX_lock(&homedir_mutex);
1475     allow = allow_homedir;
1476     HEIMDAL_MUTEX_unlock(&homedir_mutex);
1477     return allow;
1478 }
1479 
1480 /**
1481  * Enable and disable home directory access on either the global state
1482  * or the krb5_context state. By calling krb5_set_home_dir_access()
1483  * with context set to NULL, the global state is configured otherwise
1484  * the state for the krb5_context is modified.
1485  *
1486  * For home directory access to be allowed, both the global state and
1487  * the krb5_context state have to be allowed.
1488  *
1489  * Administrator (root user), never uses the home directory.
1490  *
1491  * @param context a Kerberos 5 context or NULL
1492  * @param allow allow if TRUE home directory
1493  * @return the old value
1494  *
1495  * @ingroup krb5
1496  */
1497 
1498 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
1499 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
1500 {
1501     krb5_boolean old;
1502     if (context) {
1503 	old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
1504 	if (allow)
1505 	    context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
1506 	else
1507 	    context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
1508     } else {
1509 	HEIMDAL_MUTEX_lock(&homedir_mutex);
1510 	old = allow_homedir;
1511 	allow_homedir = allow;
1512 	HEIMDAL_MUTEX_unlock(&homedir_mutex);
1513     }
1514 
1515     return old;
1516 }
1517