2
/***********************************************************************
3
* Copyright (c) 2009, Secure Endpoints Inc.
6
* Redistribution and use in source and binary forms, with or without
7
* modification, are permitted provided that the following conditions
10
* - Redistributions of source code must retain the above copyright
11
* notice, this list of conditions and the following disclaimer.
13
* - Redistributions in binary form must reproduce the above copyright
14
* notice, this list of conditions and the following disclaimer in
15
* the documentation and/or other materials provided with the
18
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
23
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
24
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
27
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
29
* OF THE POSSIBILITY OF SUCH DAMAGE.
31
**********************************************************************/
33
#include "krb5_locl.h"
42
* Expand a %{TEMP} token
44
* The %{TEMP} token expands to the temporary path for the current
45
* user as returned by GetTempPath().
47
* @note: Since the GetTempPath() function relies on the TMP or TEMP
48
* environment variables, this function will failover to the system
49
* temporary directory until the user profile is loaded. In addition,
50
* the returned path may or may not exist.
53
_expand_temp_folder(krb5_context context, PTYPE param, const char *postfix, char **ret)
55
TCHAR tpath[MAX_PATH];
58
if (!GetTempPath(sizeof(tpath)/sizeof(tpath[0]), tpath)) {
60
krb5_set_error_message(context, EINVAL,
61
"Failed to get temporary path (GLE=%d)",
68
if (len > 0 && tpath[len - 1] == '\\')
69
tpath[len - 1] = '\0';
75
krb5_set_error_message(context, ENOMEM, "strdup - Out of memory");
82
extern HINSTANCE _krb5_hInstance;
85
* Expand a %{BINDIR} token
87
* This is also used to expand a few other tokens on Windows, since
88
* most of the executable binaries end up in the same directory. The
89
* "bin" directory is considered to be the directory in which the
90
* krb5.dll is located.
93
_expand_bin_dir(krb5_context context, PTYPE param, const char *postfix, char **ret)
99
nc = GetModuleFileName(_krb5_hInstance, path, sizeof(path)/sizeof(path[0]));
101
nc == sizeof(path)/sizeof(path[0])) {
105
lastSlash = strrchr(path, '\\');
106
if (lastSlash != NULL) {
107
TCHAR *fslash = strrchr(lastSlash, '/');
116
if (strlcat(path, postfix, sizeof(path)/sizeof(path[0])) >= sizeof(path)/sizeof(path[0]))
128
* Expand a %{USERID} token
130
* The %{USERID} token expands to the string representation of the
131
* user's SID. The user account that will be used is the account
132
* corresponding to the current thread's security token. This means
135
* - If the current thread token has the anonymous impersonation
136
* level, the call will fail.
138
* - If the current thread is impersonating a token at
139
* SecurityIdentification level the call will fail.
143
_expand_userid(krb5_context context, PTYPE param, const char *postfix, char **ret)
146
HANDLE hThread = NULL;
147
HANDLE hToken = NULL;
148
PTOKEN_OWNER pOwner = NULL;
150
LPTSTR strSid = NULL;
152
hThread = GetCurrentThread();
154
if (!OpenThreadToken(hThread, TOKEN_QUERY,
155
FALSE, /* Open the thread token as the
156
current thread user. */
159
DWORD le = GetLastError();
161
if (le == ERROR_NO_TOKEN) {
162
HANDLE hProcess = GetCurrentProcess();
165
if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken))
171
krb5_set_error_message(context, rv,
172
"Can't open thread token (GLE=%d)", le);
177
if (!GetTokenInformation(hToken, TokenOwner, NULL, 0, &len)) {
178
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
180
krb5_set_error_message(context, rv,
181
"Unexpected error reading token information (GLE=%d)",
188
krb5_set_error_message(context, rv,
189
"GetTokenInformation() returned truncated buffer");
193
pOwner = malloc(len);
194
if (pOwner == NULL) {
196
krb5_set_error_message(context, rv, "Out of memory");
201
krb5_set_error_message(context, rv, "GetTokenInformation() returned truncated buffer");
205
if (!GetTokenInformation(hToken, TokenOwner, pOwner, len, &len)) {
207
krb5_set_error_message(context, rv, "GetTokenInformation() failed. GLE=%d", GetLastError());
211
if (!ConvertSidToStringSid(pOwner->Owner, &strSid)) {
213
krb5_set_error_message(context, rv, "Can't convert SID to string. GLE=%d", GetLastError());
217
*ret = strdup(strSid);
218
if (*ret == NULL && context)
219
krb5_set_error_message(context, rv, "Out of memory");
237
* Expand a folder identified by a CSIDL
241
_expand_csidl(krb5_context context, PTYPE folder, const char *postfix, char **ret)
243
TCHAR path[MAX_PATH];
246
if (SHGetFolderPath(NULL, folder, NULL, SHGFP_TYPE_CURRENT, path) != S_OK) {
248
krb5_set_error_message(context, EINVAL, "Unable to determine folder path");
254
if (len > 0 && path[len - 1] == '\\')
255
path[len - 1] = '\0';
258
strlcat(path, postfix, sizeof(path)/sizeof(path[0])) >= sizeof(path)/sizeof(path[0])) {
265
krb5_set_error_message(context, ENOMEM, "Out of memory");
274
_expand_path(krb5_context context, PTYPE param, const char *postfix, char **ret)
276
*ret = strdup(postfix);
278
krb5_set_error_message(context, ENOMEM, "malloc - out of memory");
285
_expand_temp_folder(krb5_context context, PTYPE param, const char *postfix, char **ret)
287
const char *p = NULL;
294
*ret = strdup("/tmp");
301
_expand_userid(krb5_context context, PTYPE param, const char *postfix, char **str)
303
int ret = asprintf(str, "%ld", (unsigned long)getuid());
304
if (ret < 0 || *str == NULL)
313
* Expand a %{null} token
315
* The expansion of a %{null} token is always the empty string.
319
_expand_null(krb5_context context, PTYPE param, const char *postfix, char **ret)
324
krb5_set_error_message(context, ENOMEM, "Out of memory");
331
static const struct token {
334
#define FTYPE_CSIDL 0
335
#define FTYPE_SPECIAL 1
338
const char * postfix;
340
int (*exp_func)(krb5_context, PTYPE, const char *, char **);
342
#define SPECIALP(f, P) FTYPE_SPECIAL, 0, P, f
343
#define SPECIAL(f) SPECIALP(f, NULL)
347
#define CSIDLP(C,P) FTYPE_CSIDL, C, P, _expand_csidl
348
#define CSIDL(C) CSIDLP(C, NULL)
350
{"APPDATA", CSIDL(CSIDL_APPDATA)}, /* Roaming application data (for current user) */
351
{"COMMON_APPDATA", CSIDL(CSIDL_COMMON_APPDATA)}, /* Application data (all users) */
352
{"LOCAL_APPDATA", CSIDL(CSIDL_LOCAL_APPDATA)}, /* Local application data (for current user) */
353
{"SYSTEM", CSIDL(CSIDL_SYSTEM)}, /* Windows System folder (e.g. %WINDIR%\System32) */
354
{"WINDOWS", CSIDL(CSIDL_WINDOWS)}, /* Windows folder */
355
{"USERCONFIG", CSIDLP(CSIDL_APPDATA, "\\" PACKAGE)}, /* Per user Heimdal configuration file path */
356
{"COMMONCONFIG", CSIDLP(CSIDL_COMMON_APPDATA, "\\" PACKAGE)}, /* Common Heimdal configuration file path */
357
{"LIBDIR", SPECIAL(_expand_bin_dir)},
358
{"BINDIR", SPECIAL(_expand_bin_dir)},
359
{"LIBEXEC", SPECIAL(_expand_bin_dir)},
360
{"SBINDIR", SPECIAL(_expand_bin_dir)},
362
{"LIBDIR", FTYPE_SPECIAL, 0, LIBDIR, _expand_path},
363
{"BINDIR", FTYPE_SPECIAL, 0, BINDIR, _expand_path},
364
{"LIBEXEC", FTYPE_SPECIAL, 0, LIBEXECDIR, _expand_path},
365
{"SBINDIR", FTYPE_SPECIAL, 0, SBINDIR, _expand_path},
367
{"TEMP", SPECIAL(_expand_temp_folder)},
368
{"USERID", SPECIAL(_expand_userid)},
369
{"uid", SPECIAL(_expand_userid)},
370
{"null", SPECIAL(_expand_null)}
374
_expand_token(krb5_context context,
376
const char *token_end,
383
if (token[0] != '%' || token[1] != '{' || token_end[0] != '}' ||
384
token_end - token <= 2) {
386
krb5_set_error_message(context, EINVAL,"Invalid token.");
390
for (i = 0; i < sizeof(tokens)/sizeof(tokens[0]); i++) {
391
if (!strncmp(token+2, tokens[i].tok, (token_end - token) - 2))
392
return tokens[i].exp_func(context, tokens[i].param,
393
tokens[i].postfix, ret);
397
krb5_set_error_message(context, EINVAL, "Invalid token.");
401
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
402
_krb5_expand_path_tokens(krb5_context context,
406
char *tok_begin, *tok_end, *append;
407
const char *path_left;
410
if (path_in == NULL || *path_in == '\0') {
411
*ppath_out = strdup("");
417
for (path_left = path_in; path_left && *path_left; ) {
419
tok_begin = strstr(path_left, "%{");
421
if (tok_begin && tok_begin != path_left) {
423
append = malloc((tok_begin - path_left) + 1);
425
memcpy(append, path_left, tok_begin - path_left);
426
append[tok_begin - path_left] = '\0';
428
path_left = tok_begin;
430
} else if (tok_begin) {
432
tok_end = strchr(tok_begin, '}');
433
if (tok_end == NULL) {
438
krb5_set_error_message(context, EINVAL, "variable missing }");
442
if (_expand_token(context, tok_begin, tok_end, &append)) {
449
path_left = tok_end + 1;
452
append = strdup(path_left);
457
if (append == NULL) {
463
krb5_set_error_message(context, ENOMEM, "malloc - out of memory");
469
size_t append_len = strlen(append);
470
char * new_str = realloc(*ppath_out, len + append_len + 1);
472
if (new_str == NULL) {
478
krb5_set_error_message(context, ENOMEM, "malloc - out of memory");
482
*ppath_out = new_str;
483
memcpy(*ppath_out + len, append, append_len + 1);
484
len = len + append_len;
490
/* Also deal with slashes */
493
for (c = *ppath_out; *c; c++)