static char *
kdb_get_conf_section(krb5_context kcontext)
{
krb5_error_code status = 0;
char *result = NULL;
char *value = NULL;
if (kcontext->default_realm == NULL)
return NULL;
/* The profile has to have been initialized. If the profile was
not initialized, expect nothing less than a crash. */
status = profile_get_string(kcontext->profile,
/* realms */
KDB_REALM_SECTION,
kcontext->default_realm,
/* under the realm name, database_module */
KDB_MODULE_POINTER,
/* default value is the realm name itself */
kcontext->default_realm,
&value);
if (status) {
/* some problem */
result = strdup(kcontext->default_realm);
/* let NULL be handled by the caller */
} else {
result = strdup(value);
/* free profile string */
profile_release_string(value);
}
return result;
}
const char * KRB5_CALLCONV
krb5_cc_default_name(krb5_context context)
{
krb5_os_context os_ctx;
char *profstr, *envstr;
if (!context || context->magic != KV5M_CONTEXT)
return NULL;
os_ctx = &context->os_context;
if (os_ctx->default_ccname != NULL)
return os_ctx->default_ccname;
/* Try the environment variable first. */
envstr = getenv(KRB5_ENV_CCNAME);
if (envstr != NULL) {
os_ctx->default_ccname = strdup(envstr);
return os_ctx->default_ccname;
}
if (profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
KRB5_CONF_DEFAULT_CCACHE_NAME, NULL, NULL,
&profstr) == 0 && profstr != NULL) {
(void)k5_expand_path_tokens(context, profstr, &os_ctx->default_ccname);
profile_release_string(profstr);
return os_ctx->default_ccname;
}
/* Fall back on the default ccache name for the OS. */
get_from_os(context);
return os_ctx->default_ccname;
}
/*
* Find the k5login filename for luser, either in the user's homedir or in a
* configured directory under the username.
*/
static krb5_error_code
get_k5login_filename(krb5_context context, const char *luser,
const char *homedir, char **filename_out)
{
krb5_error_code ret;
char *dir, *filename;
*filename_out = NULL;
ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
KRB5_CONF_K5LOGIN_DIRECTORY, NULL, NULL, &dir);
if (ret != 0)
return ret;
if (dir == NULL) {
/* Look in the user's homedir. */
if (asprintf(&filename, "%s/.k5login", homedir) < 0)
return ENOMEM;
} else {
/* Look in the configured directory. */
if (asprintf(&filename, "%s/%s", dir, luser) < 0)
ret = ENOMEM;
profile_release_string(dir);
if (ret)
return ret;
}
*filename_out = filename;
return 0;
}
static char *
kdb_get_library_name(krb5_context kcontext)
{
krb5_error_code status = 0;
char *result = NULL;
char *value = NULL;
char *lib = NULL;
status = profile_get_string(kcontext->profile,
/* realms */
KDB_REALM_SECTION,
kcontext->default_realm,
/* under the realm name, database_module */
KDB_MODULE_POINTER,
/* default value is the realm name itself */
kcontext->default_realm,
&value);
if (status) {
goto clean_n_exit;
}
#define DB2_NAME "db2"
/* we got the module section. Get the library name from the module */
status = profile_get_string(kcontext->profile, KDB_MODULE_SECTION, value,
KDB_LIB_POINTER,
/* default to db2 */
DB2_NAME,
&lib);
if (status) {
goto clean_n_exit;
}
result = strdup(lib);
clean_n_exit:
if (value) {
/* free profile string */
profile_release_string(value);
}
if (lib) {
/* free profile string */
profile_release_string(lib);
}
return result;
}
static int
maybe_use_reverse_dns (krb5_context context, int defalt)
{
krb5_error_code code;
char * value = NULL;
int use_rdns = 0;
code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
KRB5_CONF_RDNS, 0, 0, &value);
if (code)
return defalt;
if (value == 0)
return defalt;
use_rdns = _krb5_conf_boolean(value);
profile_release_string(value);
return use_rdns;
}
static int
maybe_use_dns (krb5_context context, const char *name, int defalt)
{
krb5_error_code code;
char * value = NULL;
int use_dns = 0;
code = profile_get_string(context->profile, "libdefaults",
name, 0, 0, &value);
if (value == 0 && code == 0)
code = profile_get_string(context->profile, "libdefaults",
"dns_fallback", 0, 0, &value);
if (code)
return defalt;
if (value == 0)
return defalt;
use_dns = _krb5_conf_boolean(value);
profile_release_string(value);
return use_dns;
}
static int
maybe_use_dns (krb5_context context, const char *name, int defalt)
{
krb5_error_code code;
char * value = NULL;
int use_dns = 0;
code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
name, 0, 0, &value);
if (value == 0 && code == 0) {
code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
KRB5_CONF_DNS_FALLBACK, 0, 0, &value);
}
if (code)
return defalt;
if (value == 0)
return defalt;
use_dns = _krb5_conf_boolean(value);
profile_release_string(value);
return use_dns;
}
/*
* Set *etypes_ptr to a zero-terminated list of enctypes. ctx_list
* (containing application-specified enctypes) is used if non-NULL;
* otherwise the libdefaults profile string specified by profkey is
* used. default_list is the default enctype list to be used while
* parsing profile strings, and is also used if the profile string is
* not set.
*/
static krb5_error_code
get_profile_etype_list(krb5_context context, krb5_enctype **etypes_ptr,
char *profkey, krb5_enctype *ctx_list,
krb5_enctype *default_list)
{
krb5_enctype *etypes;
krb5_error_code code;
char *profstr;
*etypes_ptr = NULL;
if (ctx_list) {
/* Use application defaults. */
code = k5_copy_etypes(ctx_list, &etypes);
if (code)
return code;
} else {
/* Parse profile setting, or "DEFAULT" if not specified. */
code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
profkey, NULL, "DEFAULT", &profstr);
if (code)
return code;
code = krb5int_parse_enctype_list(context, profkey, profstr,
default_list, &etypes);
profile_release_string(profstr);
if (code)
return code;
}
if (etypes[0] == 0) {
free(etypes);
return KRB5_CONFIG_ETYPE_NOSUPP;
}
*etypes_ptr = etypes;
return 0;
}
/*
* This function reads the parameters from the krb5.conf file. The
* parameters read here are DAL-LDAP specific attributes. Some of
* these are ldap_server ....
*/
krb5_error_code
krb5_ldap_read_server_params(krb5_context context, char *conf_section,
int srv_type)
{
char *servers, *save_ptr, *item;
const char *delims = "\t\n\f\v\r ,", *name;
krb5_error_code ret = 0;
kdb5_dal_handle *dal_handle = context->dal_handle;
krb5_ldap_context *ldap_context = dal_handle->db_context;
/* copy the conf_section into ldap_context for later use */
if (conf_section != NULL) {
ldap_context->conf_section = strdup(conf_section);
if (ldap_context->conf_section == NULL)
return ENOMEM;
}
/* This mutex is used in the LDAP connection pool. */
if (k5_mutex_init(&(ldap_context->hndl_lock)) != 0)
return KRB5_KDB_SERVER_INTERNAL_ERR;
/* Read the maximum number of LDAP connections per server. */
if (ldap_context->max_server_conns == 0) {
ret = prof_get_integer_def(context, conf_section,
KRB5_CONF_LDAP_CONNS_PER_SERVER,
DEFAULT_CONNS_PER_SERVER,
&ldap_context->max_server_conns);
if (ret)
return ret;
}
if (ldap_context->max_server_conns < 2) {
k5_setmsg(context, EINVAL,
_("Minimum connections required per server is 2"));
return EINVAL;
}
/* Read the DN used to connect to the LDAP server. */
if (ldap_context->bind_dn == NULL) {
name = choose_var(srv_type, KRB5_CONF_LDAP_KDC_DN,
KRB5_CONF_LDAP_KADMIND_DN);
ret = prof_get_string_def(context, conf_section, name,
&ldap_context->bind_dn);
if (ret)
return ret;
}
/* Read the filename containing stashed DN passwords. */
if (ldap_context->service_password_file == NULL) {
ret = prof_get_string_def(context, conf_section,
KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE,
&ldap_context->service_password_file);
if (ret)
return ret;
}
if (ldap_context->sasl_mech == NULL) {
name = choose_var(srv_type, KRB5_CONF_LDAP_KDC_SASL_MECH,
KRB5_CONF_LDAP_KADMIND_SASL_MECH);
ret = prof_get_string_def(context, conf_section, name,
&ldap_context->sasl_mech);
if (ret)
return ret;
}
if (ldap_context->sasl_authcid == NULL) {
name = choose_var(srv_type, KRB5_CONF_LDAP_KDC_SASL_AUTHCID,
KRB5_CONF_LDAP_KADMIND_SASL_AUTHCID);
ret = prof_get_string_def(context, conf_section, name,
&ldap_context->sasl_authcid);
if (ret)
return ret;
}
if (ldap_context->sasl_authzid == NULL) {
name = choose_var(srv_type, KRB5_CONF_LDAP_KDC_SASL_AUTHZID,
KRB5_CONF_LDAP_KADMIND_SASL_AUTHZID);
ret = prof_get_string_def(context, conf_section, name,
&ldap_context->sasl_authzid);
if (ret)
return ret;
}
if (ldap_context->sasl_realm == NULL) {
name = choose_var(srv_type, KRB5_CONF_LDAP_KDC_SASL_REALM,
KRB5_CONF_LDAP_KADMIND_SASL_REALM);
ret = prof_get_string_def(context, conf_section, name,
&ldap_context->sasl_realm);
if (ret)
return ret;
}
/* Read the LDAP server URL list. */
if (ldap_context->server_info_list == NULL) {
ret = profile_get_string(context->profile, KDB_MODULE_SECTION,
conf_section, KRB5_CONF_LDAP_SERVERS, NULL,
&servers);
if (ret)
return attr_read_error(context, ret, KRB5_CONF_LDAP_SERVERS);
if (servers == NULL) {
ret = add_server_entry(context, "ldapi://");
if (ret)
return ret;
} else {
item = strtok_r(servers, delims, &save_ptr);
while (item != NULL) {
ret = add_server_entry(context, item);
if (ret) {
profile_release_string(servers);
return ret;
}
item = strtok_r(NULL, delims, &save_ptr);
}
profile_release_string(servers);
}
}
ret = prof_get_boolean_def(context, conf_section,
KRB5_CONF_DISABLE_LAST_SUCCESS, FALSE,
&ldap_context->disable_last_success);
if (ret)
return ret;
return prof_get_boolean_def(context, conf_section,
KRB5_CONF_DISABLE_LOCKOUT, FALSE,
&ldap_context->disable_lockout);
}
/* Using db_args and the profile, initialize the configurable parameters of the
* DB context inside context. */
static krb5_error_code
configure_context(krb5_context context, char *conf_section, char **db_args)
{
krb5_error_code status;
krb5_db2_context *db_ctx;
char **t_ptr, *opt = NULL, *val = NULL, *pval = NULL;
profile_t profile = KRB5_DB_GET_PROFILE(context);
int bval;
status = k5db2_init_context(context);
if (status != 0)
return status;
db_ctx = context->dal_handle->db_context;
for (t_ptr = db_args; t_ptr && *t_ptr; t_ptr++) {
free(opt);
free(val);
status = krb5_db2_get_db_opt(*t_ptr, &opt, &val);
if (opt && !strcmp(opt, "dbname")) {
db_ctx->db_name = strdup(val);
if (db_ctx->db_name == NULL) {
status = ENOMEM;
goto cleanup;
}
}
else if (!opt && !strcmp(val, "temporary")) {
db_ctx->tempdb = 1;
} else if (!opt && !strcmp(val, "merge_nra")) {
;
} else if (opt && !strcmp(opt, "hash")) {
db_ctx->hashfirst = TRUE;
} else {
status = EINVAL;
krb5_set_error_message(context, status,
"Unsupported argument \"%s\" for db2",
opt ? opt : val);
goto cleanup;
}
}
if (db_ctx->db_name == NULL) {
/* Check for database_name in the db_module section. */
status = profile_get_string(profile, KDB_MODULE_SECTION, conf_section,
KDB_DB2_DATABASE_NAME, NULL, &pval);
if (status == 0 && pval == NULL) {
/* For compatibility, check for database_name in the realm. */
status = profile_get_string(profile, KDB_REALM_SECTION,
KRB5_DB_GET_REALM(context),
KDB_DB2_DATABASE_NAME,
DEFAULT_KDB_FILE, &pval);
}
if (status != 0)
goto cleanup;
db_ctx->db_name = strdup(pval);
}
status = profile_get_boolean(profile, KDB_MODULE_SECTION, conf_section,
KRB5_CONF_DISABLE_LAST_SUCCESS, FALSE, &bval);
if (status != 0)
goto cleanup;
db_ctx->disable_last_success = bval;
status = profile_get_boolean(profile, KDB_MODULE_SECTION, conf_section,
KRB5_CONF_DISABLE_LOCKOUT, FALSE, &bval);
if (status != 0)
goto cleanup;
db_ctx->disable_lockout = bval;
cleanup:
free(opt);
free(val);
profile_release_string(pval);
return status;
}
krb5_error_code KRB5_CALLCONV
krb5_425_conv_principal(krb5_context context, const char *name,
const char *instance, const char *realm,
krb5_principal *princ)
{
const struct krb_convert *p;
char buf[256]; /* V4 instances are limited to 40 characters */
krb5_error_code retval;
char *domain, *cp;
char **full_name = 0;
const char *names[5], *names2[2];
void* iterator = NULL;
char** v4realms = NULL;
char* realm_name = NULL;
char* dummy_value = NULL;
/* First, convert the realm, since the v4 realm is not necessarily the same as the v5 realm
To do that, iterate over all the realms in the config file, looking for a matching
v4_realm line */
names2 [0] = "realms";
names2 [1] = NULL;
retval = profile_iterator_create (context -> profile, names2, PROFILE_ITER_LIST_SECTION | PROFILE_ITER_SECTIONS_ONLY, &iterator);
while (retval == 0) {
retval = profile_iterator (&iterator, &realm_name, &dummy_value);
if ((retval == 0) && (realm_name != NULL)) {
names [0] = "realms";
names [1] = realm_name;
names [2] = "v4_realm";
names [3] = NULL;
retval = profile_get_values (context -> profile, names, &v4realms);
if ((retval == 0) && (v4realms != NULL) && (v4realms [0] != NULL) && (strcmp (v4realms [0], realm) == 0)) {
realm = realm_name;
break;
} else if (retval == PROF_NO_RELATION) {
/* If it's not found, just keep going */
retval = 0;
}
} else if ((retval == 0) && (realm_name == NULL)) {
break;
}
if (v4realms != NULL) {
profile_free_list(v4realms);
v4realms = NULL;
}
if (realm_name != NULL) {
profile_release_string (realm_name);
realm_name = NULL;
}
if (dummy_value != NULL) {
profile_release_string (dummy_value);
dummy_value = NULL;
}
}
if (instance) {
if (instance[0] == '\0') {
instance = 0;
goto not_service;
}
p = sconv_list;
while (1) {
if (!p->v4_str)
goto not_service;
if (!strcmp(p->v4_str, name))
break;
p++;
}
name = p->v5_str;
if ((p->flags & DO_REALM_CONVERSION) && !strchr(instance, '.')) {
names[0] = "realms";
names[1] = realm;
names[2] = "v4_instance_convert";
names[3] = instance;
names[4] = 0;
retval = profile_get_values(context->profile, names, &full_name);
if (retval == 0 && full_name && full_name[0]) {
instance = full_name[0];
} else {
strncpy(buf, instance, sizeof(buf));
buf[sizeof(buf) - 1] = '\0';
retval = krb5_get_realm_domain(context, realm, &domain);
if (retval)
return retval;
if (domain) {
for (cp = domain; *cp; cp++)
if (isupper((unsigned char) (*cp)))
*cp = tolower((unsigned char) *cp);
strncat(buf, ".", sizeof(buf) - 1 - strlen(buf));
strncat(buf, domain, sizeof(buf) - 1 - strlen(buf));
krb5_xfree(domain);
}
instance = buf;
}
}
}
not_service:
retval = krb5_build_principal(context, princ, strlen(realm), realm, name,
instance, NULL);
if (iterator) profile_iterator_free (&iterator);
if (full_name) profile_free_list(full_name);
if (v4realms) profile_free_list(v4realms);
if (realm_name) profile_release_string (realm_name);
if (dummy_value) profile_release_string (dummy_value);
return retval;
}
static krb5_error_code
get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr,
unsigned int ctx_count, krb5_enctype *ctx_list)
{
krb5_enctype *old_ktypes = NULL;
if (ctx_count) {
/* application-set defaults */
if ((old_ktypes =
(krb5_enctype *)malloc(sizeof(krb5_enctype) *
(ctx_count + 1)))) {
(void) memcpy(old_ktypes, ctx_list,
sizeof(krb5_enctype) * ctx_count);
old_ktypes[ctx_count] = 0;
} else {
return ENOMEM;
}
} else {
/*
XXX - For now, we only support libdefaults
Perhaps this should be extended to allow for per-host / per-realm
session key types.
*/
char *retval = NULL;
char *sp, *ep;
int j, checked_enctypes, count;
krb5_error_code code;
code = profile_get_string(context->profile, "libdefaults", profstr,
NULL, DEFAULT_ETYPE_LIST, &retval);
if (code)
return code;
if (!retval) /* SUNW14resync - just in case */
return PROF_EINVAL; /* XXX */
count = 0;
sp = retval;
while (*sp) {
for (ep = sp; *ep && (*ep != ',') && !isspace((int) (*ep)); ep++)
;
if (*ep) {
*ep++ = '\0';
while (isspace((int) (*ep)) || *ep == ',')
*ep++ = '\0';
}
count++;
sp = ep;
}
if ((old_ktypes =
(krb5_enctype *)malloc(sizeof(krb5_enctype) * (count + 1))) ==
(krb5_enctype *) NULL)
return ENOMEM;
sp = retval;
j = checked_enctypes = 0;
/*CONSTCOND*/
while (TRUE) {
checked_enctypes++;
if (krb5_string_to_enctype(sp, &old_ktypes[j]))
old_ktypes[j] = (unsigned int)ENCTYPE_UNKNOWN;
/*
* If 'null' has been specified as a tkt_enctype in
* krb5.conf, we need to assign an ENCTYPE_UNKNOWN
* value to the corresponding old_ktypes[j] entry.
*/
if (old_ktypes[j] == (unsigned int)ENCTYPE_NULL)
old_ktypes[j] = (unsigned int)ENCTYPE_UNKNOWN;
/* Only include known/valid enctypes in the final list */
if (old_ktypes[j] != ENCTYPE_UNKNOWN) {
j++;
}
/* If we checked all the enctypes, we are done */
if (checked_enctypes == count) {
break;
}
/* skip to next token */
while (*sp) sp++;
while (! *sp) sp++;
}
old_ktypes[j] = (krb5_enctype) 0;
profile_release_string(retval);
}
if (old_ktypes[0] == 0) {
free (old_ktypes);
*ktypes = 0;
return KRB5_CONFIG_ETYPE_NOSUPP;
}
*ktypes = old_ktypes;
return 0;
}
static krb5_error_code
get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr,
unsigned int ctx_count, krb5_enctype *ctx_list)
{
krb5_enctype *old_ktypes;
if (ctx_count) {
/* application-set defaults */
if ((old_ktypes =
(krb5_enctype *)malloc(sizeof(krb5_enctype) *
(ctx_count + 1)))) {
memcpy(old_ktypes, ctx_list, sizeof(krb5_enctype) * ctx_count);
old_ktypes[ctx_count] = 0;
} else {
return ENOMEM;
}
} else {
/*
XXX - For now, we only support libdefaults
Perhaps this should be extended to allow for per-host / per-realm
session key types.
*/
char *retval;
char *sp, *ep;
int i, j, count;
krb5_error_code code;
code = profile_get_string(context->profile, "libdefaults", profstr,
NULL, DEFAULT_ETYPE_LIST, &retval);
if (code)
return code;
count = 0;
sp = retval;
while (*sp) {
for (ep = sp; *ep && (*ep != ',') && !isspace((int) (*ep)); ep++)
;
if (*ep) {
*ep++ = '\0';
while (isspace((int) (*ep)) || *ep == ',')
*ep++ = '\0';
}
count++;
sp = ep;
}
if ((old_ktypes =
(krb5_enctype *)malloc(sizeof(krb5_enctype) * (count + 1))) ==
(krb5_enctype *) NULL) {
profile_release_string(retval);
return ENOMEM;
}
sp = retval;
j = 0;
i = 1;
while (1) {
if (! krb5_string_to_enctype(sp, &old_ktypes[j]))
j++;
if (i++ >= count)
break;
/* skip to next token */
while (*sp) sp++;
while (! *sp) sp++;
}
old_ktypes[j] = (krb5_enctype) 0;
profile_release_string(retval);
}
if (old_ktypes[0] == 0) {
free (old_ktypes);
*ktypes = 0;
return KRB5_CONFIG_ETYPE_NOSUPP;
}
*ktypes = old_ktypes;
return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp)
{
char **retrealms;
char *realm, *cp, *temp_realm;
krb5_error_code retval;
char local_host[MAXDNAME+1];
#ifdef DEBUG_REFERRALS
printf("get_host_realm(host:%s) called\n",host);
#endif
retval = krb5int_clean_hostname(context, host, local_host, sizeof local_host);
if (retval)
return retval;
/*
Search for the best match for the host or domain.
Example: Given a host a.b.c.d, try to match on:
1) A.B.C.D
2) .B.C.D
3) B.C.D
4) .C.D
5) C.D
6) .D
7) D
*/
cp = local_host;
#ifdef DEBUG_REFERRALS
printf(" local_host: %s\n",local_host);
#endif
realm = (char *)NULL;
temp_realm = 0;
while (cp) {
#ifdef DEBUG_REFERRALS
printf(" trying to look up %s in the domain_realm map\n",cp);
#endif
retval = profile_get_string(context->profile, KRB5_CONF_DOMAIN_REALM, cp,
0, (char *)NULL, &temp_realm);
if (retval)
return retval;
if (temp_realm != (char *)NULL)
break; /* Match found */
/* Setup for another test */
if (*cp == '.') {
cp++;
} else {
cp = strchr(cp, '.');
}
}
#ifdef DEBUG_REFERRALS
printf(" done searching the domain_realm map\n");
#endif
if (temp_realm) {
#ifdef DEBUG_REFERRALS
printf(" temp_realm is %s\n",temp_realm);
#endif
realm = strdup(temp_realm);
if (!realm) {
profile_release_string(temp_realm);
return ENOMEM;
}
profile_release_string(temp_realm);
}
if (realm == (char *)NULL) {
if (!(cp = strdup(KRB5_REFERRAL_REALM)))
return ENOMEM;
realm = cp;
}
if (!(retrealms = (char **)calloc(2, sizeof(*retrealms)))) {
if (realm != (char *)NULL)
free(realm);
return ENOMEM;
}
retrealms[0] = realm;
retrealms[1] = 0;
*realmsp = retrealms;
return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_get_default_realm(krb5_context context, char **lrealm)
{
char *realm = 0;
char *cp;
char localhost[MAX_DNS_NAMELEN+1];
krb5_error_code retval;
(void) memset(localhost, 0, sizeof(localhost));
if (!context || (context->magic != KV5M_CONTEXT))
return KV5M_CONTEXT;
/*
* Solaris Kerberos: (illumos)
* Another way to provide the default realm.
*/
if (!context->default_realm) {
if ((realm = getenv("KRB5_DEFAULT_REALM")) != NULL) {
context->default_realm = strdup(realm);
if (context->default_realm == NULL)
return ENOMEM;
}
}
if (!context->default_realm) {
context->default_realm = 0;
if (context->profile != 0) {
retval = profile_get_string(context->profile, "libdefaults",
"default_realm", 0, 0,
&realm);
if (!retval && realm) {
context->default_realm = malloc(strlen(realm) + 1);
if (!context->default_realm) {
profile_release_string(realm);
return ENOMEM;
}
strcpy(context->default_realm, realm);
profile_release_string(realm);
}
}
if (context->default_realm == 0) {
#ifdef KRB5_DNS_LOOKUP
if (_krb5_use_dns_realm(context)) {
/*
* Since this didn't appear in our config file, try looking
* it up via DNS. Look for a TXT records of the form:
*
* _kerberos.<localhost>
* _kerberos.<domainname>
* _kerberos.<searchlist>
*
*/
char * p;
krb5int_get_fq_local_hostname (localhost, sizeof(localhost));
if ( localhost[0] ) {
p = localhost;
do {
retval = krb5_try_realm_txt_rr("_kerberos", p,
&context->default_realm);
p = strchr(p,'.');
if (p)
p++;
} while (retval && p && p[0]);
if (retval)
retval = krb5_try_realm_txt_rr("_kerberos", "",
&context->default_realm);
} else {
retval = krb5_try_realm_txt_rr("_kerberos", "",
&context->default_realm);
}
if (retval) {
return(KRB5_CONFIG_NODEFREALM);
}
} else
#endif /* KRB5_DNS_LOOKUP */
if (getenv("MS_INTEROP") == NULL) {
/*
* Solaris Kerberos:
* Try to find a realm based on one of the local IP addresses.
* Don't do this for AD, which often does _not_ support any
* DNS reverse lookup, making these queries take forever.
*/
(void) krb5int_foreach_localaddr(context,
krb5int_address_get_realm, 0, 0);
/*
* Solaris Kerberos:
* As a final fallback try to find a realm based on the resolver search
* list
*/
if (context->default_realm == 0) {
struct __res_state res;
int i;
(void) memset(&res, 0, sizeof (res));
if (res_ninit(&res) == 0) {
for (i = 0; res.dnsrch[i]; i++) {
krb5int_domain_get_realm(context,
res.dnsrch[i], &context->default_realm);
if (context->default_realm != 0)
break;
}
res_ndestroy(&res);
}
}
}
}
}
if (context->default_realm == 0)
return(KRB5_CONFIG_NODEFREALM);
if (context->default_realm[0] == 0) {
free (context->default_realm);
context->default_realm = 0;
return KRB5_CONFIG_NODEFREALM;
}
realm = context->default_realm;
/*LINTED*/
if (!(*lrealm = cp = malloc((unsigned int) strlen(realm) + 1)))
return ENOMEM;
strcpy(cp, realm);
return(0);
}
krb5_error_code KRB5_CALLCONV
krb5_init_context_profile(profile_t profile, krb5_flags flags,
krb5_context *context_out)
{
krb5_context ctx = 0;
krb5_error_code retval;
struct {
krb5_timestamp now;
krb5_int32 now_usec;
long pid;
} seed_data;
krb5_data seed;
int tmp;
char *plugin_dir = NULL;
/* Verify some assumptions. If the assumptions hold and the
compiler is optimizing, this should result in no code being
executed. If we're guessing "unsigned long long" instead
of using uint64_t, the possibility does exist that we're
wrong. */
{
uint64_t i64;
assert(sizeof(i64) == 8);
i64 = 0, i64--, i64 >>= 62;
assert(i64 == 3);
i64 = 1, i64 <<= 31, i64 <<= 31, i64 <<= 1;
assert(i64 != 0);
i64 <<= 1;
assert(i64 == 0);
}
retval = krb5int_initialize_library();
if (retval)
return retval;
#if (defined(_WIN32))
/*
* Load the krbcc32.dll if necessary. We do this here so that
* we know to use API: later on during initialization.
* The context being NULL is ok.
*/
krb5_win_ccdll_load(ctx);
/*
* krb5_vercheck() is defined in win_glue.c, and this is
* where we handle the timebomb and version server checks.
*/
retval = krb5_vercheck();
if (retval)
return retval;
#endif
*context_out = NULL;
ctx = calloc(1, sizeof(struct _krb5_context));
if (!ctx)
return ENOMEM;
ctx->magic = KV5M_CONTEXT;
ctx->profile_secure = (flags & KRB5_INIT_CONTEXT_SECURE) != 0;
retval = k5_os_init_context(ctx, profile, flags);
if (retval)
goto cleanup;
ctx->trace_callback = NULL;
#ifndef DISABLE_TRACING
if (!ctx->profile_secure)
k5_init_trace(ctx);
#endif
retval = get_boolean(ctx, KRB5_CONF_ALLOW_WEAK_CRYPTO, 0, &tmp);
if (retval)
goto cleanup;
ctx->allow_weak_crypto = tmp;
retval = get_boolean(ctx, KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, 0, &tmp);
if (retval)
goto cleanup;
ctx->ignore_acceptor_hostname = tmp;
retval = get_tristate(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, "fallback",
CANONHOST_FALLBACK, 1, &tmp);
if (retval)
goto cleanup;
ctx->dns_canonicalize_hostname = tmp;
/* initialize the prng (not well, but passable) */
if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) !=0)
goto cleanup;
if ((retval = krb5_crypto_us_timeofday(&seed_data.now, &seed_data.now_usec)))
goto cleanup;
seed_data.pid = getpid ();
seed.length = sizeof(seed_data);
seed.data = (char *) &seed_data;
if ((retval = krb5_c_random_add_entropy(ctx, KRB5_C_RANDSOURCE_TIMING, &seed)))
goto cleanup;
ctx->default_realm = 0;
get_integer(ctx, KRB5_CONF_CLOCKSKEW, DEFAULT_CLOCKSKEW, &tmp);
ctx->clockskew = tmp;
/* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */
/* DCE add kdc_req_checksum_type = 2 to krb5.conf */
get_integer(ctx, KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, CKSUMTYPE_RSA_MD5,
&tmp);
ctx->kdc_req_sumtype = tmp;
get_integer(ctx, KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, &tmp);
ctx->default_ap_req_sumtype = tmp;
get_integer(ctx, KRB5_CONF_SAFE_CHECKSUM_TYPE, CKSUMTYPE_RSA_MD5_DES,
&tmp);
ctx->default_safe_sumtype = tmp;
get_integer(ctx, KRB5_CONF_KDC_DEFAULT_OPTIONS, KDC_OPT_RENEWABLE_OK,
&tmp);
ctx->kdc_default_options = tmp;
#define DEFAULT_KDC_TIMESYNC 1
get_integer(ctx, KRB5_CONF_KDC_TIMESYNC, DEFAULT_KDC_TIMESYNC, &tmp);
ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0;
retval = profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS,
KRB5_CONF_PLUGIN_BASE_DIR, 0,
DEFAULT_PLUGIN_BASE_DIR, &plugin_dir);
if (!retval)
retval = k5_expand_path_tokens(ctx, plugin_dir, &ctx->plugin_base_dir);
if (retval) {
TRACE_PROFILE_ERR(ctx, KRB5_CONF_PLUGIN_BASE_DIR,
KRB5_CONF_LIBDEFAULTS, retval);
goto cleanup;
}
/*
* We use a default file credentials cache of 3. See
* lib/krb5/krb/ccache/file/fcc.h for a description of the
* credentials cache types.
*
* Note: DCE 1.0.3a only supports a cache type of 1
* DCE 1.1 supports a cache type of 2.
*/
#define DEFAULT_CCACHE_TYPE 4
get_integer(ctx, KRB5_CONF_CCACHE_TYPE, DEFAULT_CCACHE_TYPE, &tmp);
ctx->fcc_default_format = tmp + 0x0500;
ctx->prompt_types = 0;
ctx->use_conf_ktypes = 0;
ctx->udp_pref_limit = -1;
/* It's OK if this fails */
(void)profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS,
KRB5_CONF_ERR_FMT, NULL, NULL, &ctx->err_fmt);
*context_out = ctx;
ctx = NULL;
cleanup:
profile_release_string(plugin_dir);
krb5_free_context(ctx);
return retval;
}
krb5_error_code KRB5_CALLCONV
krb5_524_conv_principal(krb5_context context, krb5_const_principal princ,
char *name, char *inst, char *realm)
{
const struct krb_convert *p;
const krb5_data *compo;
char *c, *tmp_realm, *tmp_prealm;
unsigned int tmp_realm_len;
int retval;
*name = *inst = '\0';
switch (krb5_princ_size(context, princ)) {
case 2:
/* Check if this principal is listed in the table */
compo = krb5_princ_component(context, princ, 0);
p = sconv_list;
while (p->v4_str) {
if (p->len == compo->length
&& memcmp(p->v5_str, compo->data, compo->length) == 0) {
/*
* It is, so set the new name now, and chop off
* instance's domain name if requested.
*/
if (strlcpy(name, p->v4_str, ANAME_SZ) >= ANAME_SZ)
return KRB5_INVALID_PRINCIPAL;
if (p->flags & DO_REALM_CONVERSION) {
compo = krb5_princ_component(context, princ, 1);
c = strnchr(compo->data, '.', compo->length);
if (!c || (c - compo->data) >= INST_SZ - 1)
return KRB5_INVALID_PRINCIPAL;
memcpy(inst, compo->data, (size_t) (c - compo->data));
inst[c - compo->data] = '\0';
}
break;
}
p++;
}
/* If inst isn't set, the service isn't listed in the table, */
/* so just copy it. */
if (*inst == '\0') {
compo = krb5_princ_component(context, princ, 1);
if (compo->length >= INST_SZ - 1)
return KRB5_INVALID_PRINCIPAL;
memcpy(inst, compo->data, compo->length);
inst[compo->length] = '\0';
}
/* fall through */
case 1:
/* name may have been set above; otherwise, just copy it */
if (*name == '\0') {
compo = krb5_princ_component(context, princ, 0);
if (compo->length >= ANAME_SZ)
return KRB5_INVALID_PRINCIPAL;
memcpy(name, compo->data, compo->length);
name[compo->length] = '\0';
}
break;
default:
return KRB5_INVALID_PRINCIPAL;
}
compo = krb5_princ_realm(context, princ);
tmp_prealm = malloc(compo->length + 1);
if (tmp_prealm == NULL)
return ENOMEM;
strncpy(tmp_prealm, compo->data, compo->length);
tmp_prealm[compo->length] = '\0';
/* Ask for v4_realm corresponding to
krb5 principal realm from krb5.conf realms stanza */
if (context->profile == 0)
return KRB5_CONFIG_CANTOPEN;
retval = profile_get_string(context->profile, "realms",
tmp_prealm, "v4_realm", 0,
&tmp_realm);
free(tmp_prealm);
if (retval) {
return retval;
} else {
if (tmp_realm == 0) {
if (compo->length > REALM_SZ - 1)
return KRB5_INVALID_PRINCIPAL;
strncpy(realm, compo->data, compo->length);
realm[compo->length] = '\0';
} else {
tmp_realm_len = strlen(tmp_realm);
if (tmp_realm_len > REALM_SZ - 1)
return KRB5_INVALID_PRINCIPAL;
strncpy(realm, tmp_realm, tmp_realm_len);
realm[tmp_realm_len] = '\0';
profile_release_string(tmp_realm);
}
}
return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_get_default_realm(krb5_context context, char **lrealm)
{
char *realm = 0;
krb5_error_code retval;
if (!context || (context->magic != KV5M_CONTEXT))
return KV5M_CONTEXT;
if (!context->default_realm) {
/*
* XXX should try to figure out a reasonable default based
* on the host's DNS domain.
*/
context->default_realm = 0;
if (context->profile != 0) {
retval = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
KRB5_CONF_DEFAULT_REALM, 0, 0,
&realm);
if (!retval && realm) {
context->default_realm = strdup(realm);
if (!context->default_realm) {
profile_release_string(realm);
return ENOMEM;
}
profile_release_string(realm);
}
}
#ifndef KRB5_DNS_LOOKUP
else
return KRB5_CONFIG_CANTOPEN;
#else /* KRB5_DNS_LOOKUP */
if (context->default_realm == 0) {
int use_dns = _krb5_use_dns_realm(context);
if ( use_dns ) {
/*
* Since this didn't appear in our config file, try looking
* it up via DNS. Look for a TXT records of the form:
*
* _kerberos.<localhost>
* _kerberos.<domainname>
* _kerberos.<searchlist>
*
*/
char localhost[MAX_DNS_NAMELEN+1];
char * p;
krb5int_get_fq_local_hostname (localhost, sizeof(localhost));
if ( localhost[0] ) {
p = localhost;
do {
retval = krb5_try_realm_txt_rr("_kerberos", p,
&context->default_realm);
p = strchr(p,'.');
if (p)
p++;
} while (retval && p && p[0]);
if (retval)
retval = krb5_try_realm_txt_rr("_kerberos", "",
&context->default_realm);
} else {
retval = krb5_try_realm_txt_rr("_kerberos", "",
&context->default_realm);
}
if (retval) {
return(KRB5_CONFIG_NODEFREALM);
}
}
}
#endif /* KRB5_DNS_LOOKUP */
}
if (context->default_realm == 0)
return(KRB5_CONFIG_NODEFREALM);
if (context->default_realm[0] == 0) {
free (context->default_realm);
context->default_realm = 0;
return KRB5_CONFIG_NODEFREALM;
}
realm = context->default_realm;
if (!(*lrealm = strdup(realm)))
return ENOMEM;
return(0);
}
