From ea474025770717aa31a3a3fc8aef00f758dde18d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Mon, 23 Apr 2007 07:47:56 +0000 Subject: [PATCH] Use krb5_kdc_get_config and just fill in what the users wanted differently. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20533 ec53bebd-3082-4978-b11e-865c3cabbd6b --- kdc/config.c | 370 ++------------------------------------------------- 1 file changed, 13 insertions(+), 357 deletions(-) diff --git a/kdc/config.c b/kdc/config.c index f117a700e..24ae67514 100644 --- a/kdc/config.c +++ b/kdc/config.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * * All rights reserved. @@ -50,8 +50,6 @@ static const char *config_file; /* location of kdc config file */ static int require_preauth = -1; /* 1 == require preauth for all principals */ static char *max_request_str; /* `max_request' as a string */ -static const char *trpolicy_str; - static int disable_des = -1; static int enable_v4 = -1; static int enable_kaserver = -1; @@ -131,113 +129,6 @@ usage(int ret) exit (ret); } -static void -get_dbinfo(krb5_context context, krb5_kdc_configuration *config) -{ - const krb5_config_binding *top_binding = NULL; - const krb5_config_binding *db_binding; - const krb5_config_binding *default_binding = NULL; - struct dbinfo *di, **dt; - const char *default_dbname = HDB_DEFAULT_DB; - const char *default_mkey = HDB_DB_DIR "/m-key"; - const char *p; - krb5_error_code ret; - - struct dbinfo *databases = NULL; - - dt = &databases; - while((db_binding = (const krb5_config_binding *) - krb5_config_get_next(context, NULL, &top_binding, - krb5_config_list, - "kdc", - "database", - NULL))) { - p = krb5_config_get_string(context, db_binding, "realm", NULL); - if(p == NULL) { - if(default_binding) { - krb5_warnx(context, "WARNING: more than one realm-less " - "database specification"); - krb5_warnx(context, "WARNING: using the first encountered"); - } else - default_binding = db_binding; - continue; - } - di = calloc(1, sizeof(*di)); - di->realm = strdup(p); - p = krb5_config_get_string(context, db_binding, "dbname", NULL); - if(p) - di->dbname = strdup(p); - p = krb5_config_get_string(context, db_binding, "mkey_file", NULL); - if(p) - di->mkey_file = strdup(p); - *dt = di; - dt = &di->next; - } - if(default_binding) { - di = calloc(1, sizeof(*di)); - p = krb5_config_get_string(context, default_binding, "dbname", NULL); - if(p) { - di->dbname = strdup(p); - default_dbname = p; - } - p = krb5_config_get_string(context, default_binding, "mkey_file", NULL); - if(p) { - di->mkey_file = strdup(p); - default_mkey = p; - } - *dt = di; - dt = &di->next; - } else if(databases == NULL) { - /* if there are none specified, use some default */ - di = calloc(1, sizeof(*di)); - di->dbname = strdup(default_dbname); - di->mkey_file = strdup(default_mkey); - *dt = di; - dt = &di->next; - } - for(di = databases; di; di = di->next) { - if(di->dbname == NULL) - di->dbname = strdup(default_dbname); - if(di->mkey_file == NULL) { - p = strrchr(di->dbname, '.'); - if(p == NULL || strchr(p, '/') != NULL) - /* final pathname component does not contain a . */ - asprintf(&di->mkey_file, "%s.mkey", di->dbname); - else - /* the filename is something.else, replace .else with - .mkey */ - asprintf(&di->mkey_file, "%.*s.mkey", - (int)(p - di->dbname), di->dbname); - } - } - - if (databases == NULL) { - config->db = malloc(sizeof(*config->db)); - config->num_db = 1; - ret = hdb_create(context, &config->db[0], NULL); - if(ret) - krb5_err(context, 1, ret, "hdb_create %s", HDB_DEFAULT_DB); - ret = hdb_set_master_keyfile(context, config->db[0], NULL); - if (ret) - krb5_err(context, 1, ret, "hdb_set_master_keyfile"); - } else { - struct dbinfo *d; - int i; - /* count databases */ - for(d = databases, i = 0; d; d = d->next, i++); - config->db = malloc(i * sizeof(*config->db)); - for(d = databases, config->num_db = 0; d; d = d->next, config->num_db++) { - ret = hdb_create(context, &config->db[config->num_db], d->dbname); - if(ret) - krb5_err(context, 1, ret, "hdb_create %s", d->dbname); - ret = hdb_set_master_keyfile(context, config->db[config->num_db], d->mkey_file); - if (ret) - krb5_err(context, 1, ret, "hdb_set_master_keyfile"); - } - } - -} - static void add_one_address (krb5_context context, const char *str, int first) { @@ -257,17 +148,11 @@ add_one_address (krb5_context context, const char *str, int first) krb5_kdc_configuration * configure(krb5_context context, int argc, char **argv) { - krb5_kdc_configuration *config = malloc(sizeof(*config)); + krb5_kdc_configuration *config; krb5_error_code ret; int optidx = 0; const char *p; - if (!config) { - return NULL; - } - - krb5_kdc_default_config(config); - while(getarg(args, num_args, argc, argv, &optidx)) warnx("error at argument `%s'", argv[optidx]); @@ -311,10 +196,12 @@ configure(krb5_context context, int argc, char **argv) krb5_err(context, 1, ret, "reading configuration files"); } + ret = krb5_kdc_get_config(context, &config); + if (ret) + krb5_err(context, 1, ret, "krb5_kdc_default_config"); + kdc_openlog(context, config); - get_dbinfo(context, config); - if(max_request_str) max_request = parse_bytes(max_request_str, NULL); @@ -328,14 +215,8 @@ configure(krb5_context context, int argc, char **argv) max_request = parse_bytes(p, NULL); } - if(require_preauth == -1) { - config->require_preauth = krb5_config_get_bool_default(context, NULL, - config->require_preauth, - "kdc", - "require-preauth", NULL); - } else { + if(require_preauth != -1) config->require_preauth = require_preauth; - } if(port_str == NULL){ p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL); @@ -362,180 +243,26 @@ configure(krb5_context context, int argc, char **argv) } } - if(enable_v4 == -1) { - config->enable_v4 = krb5_config_get_bool_default(context, NULL, - config->enable_v4, - "kdc", - "enable-kerberos4", - NULL); - } else { + if(enable_v4 != -1) config->enable_v4 = enable_v4; - } - if(enable_v4_cross_realm == -1) { - config->enable_v4_cross_realm = - krb5_config_get_bool_default(context, NULL, - config->enable_v4_cross_realm, - "kdc", - "enable-kerberos4-cross-realm", - NULL); - } else { + if(enable_v4_cross_realm != -1) config->enable_v4_cross_realm = enable_v4_cross_realm; - } - if(enable_524 == -1) { - config->enable_524 = krb5_config_get_bool_default(context, NULL, - config->enable_v4, - "kdc", "enable-524", - NULL); - } else { + if(enable_524 != -1) config->enable_524 = enable_524; - } if(enable_http == -1) enable_http = krb5_config_get_bool(context, NULL, "kdc", "enable-http", NULL); - config->enable_digest = - krb5_config_get_bool_default(context, NULL, - FALSE, - "kdc", - "enable-digest", NULL); - - { - const char *digests; - - digests = krb5_config_get_string(context, NULL, - "kdc", - "digests_allowed", NULL); - if (digests == NULL) - digests = "ntlm-v2"; - config->digests_allowed = parse_flags(digests, - _kdc_digestunits, - 0); - if (config->digests_allowed == -1) { - kdc_log(context, config, 0, - "unparsable digest units (%s), turning off digest", - digests); - config->enable_digest = 0; - } else if (config->digests_allowed == 0) { - kdc_log(context, config, 0, - "no digest enable, turning digest off", - digests); - config->enable_digest = 0; - } - } - - config->enable_kx509 = - krb5_config_get_bool_default(context, NULL, - FALSE, - "kdc", - "enable-kx509", NULL); - - if (config->enable_kx509) { - config->kx509_template = krb5_config_get_string(context, NULL, - "kdc", - "kx509_template", - NULL); - config->kx509_ca = krb5_config_get_string(context, NULL, - "kdc", - "kx509_ca", - NULL); - if (config->kx509_ca == NULL || config->kx509_template == NULL) { - kdc_log(context, config, 0, - "missing kx509 configuration, turning off"); - config->enable_kx509 = FALSE; - } - } - - config->check_ticket_addresses = - krb5_config_get_bool_default(context, NULL, - config->check_ticket_addresses, - "kdc", - "check-ticket-addresses", NULL); - config->allow_null_ticket_addresses = - krb5_config_get_bool_default(context, NULL, - config->allow_null_ticket_addresses, - "kdc", - "allow-null-ticket-addresses", NULL); - - config->allow_anonymous = - krb5_config_get_bool_default(context, NULL, - config->allow_anonymous, - "kdc", - "allow-anonymous", NULL); - - config->max_datagram_reply_length = - krb5_config_get_int_default(context, - NULL, - 1400, - "kdc", - "max-kdc-datagram-reply-length", - NULL); - - trpolicy_str = - krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc", - "transited-policy", NULL); - if(strcasecmp(trpolicy_str, "always-check") == 0) { - config->trpolicy = TRPOLICY_ALWAYS_CHECK; - } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) { - config->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL; - } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) { - config->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST; - } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) { - /* default */ - } else { - kdc_log(context, config, - 0, "unknown transited-policy: %s, reverting to default (always-check)", - trpolicy_str); - } - if (krb5_config_get_string(context, NULL, "kdc", "enforce-transited-policy", NULL)) krb5_errx(context, 1, "enforce-transited-policy deprecated, " "use [kdc]transited-policy instead"); - if(v4_realm == NULL){ - p = krb5_config_get_string (context, NULL, - "kdc", - "v4-realm", - NULL); - if(p != NULL) { - config->v4_realm = strdup(p); - if (config->v4_realm == NULL) - krb5_errx(context, 1, "out of memory"); - } else { - config->v4_realm = NULL; - } - } else { - config->v4_realm = v4_realm; - } - - if (enable_kaserver == -1) { - config->enable_kaserver = - krb5_config_get_bool_default(context, - NULL, - config->enable_kaserver, - "kdc", - "enable-kaserver", - NULL); - } else { + if (enable_kaserver != -1) config->enable_kaserver = enable_kaserver; - } - - config->encode_as_rep_as_tgs_rep = - krb5_config_get_bool_default(context, NULL, - config->encode_as_rep_as_tgs_rep, - "kdc", - "encode_as_rep_as_tgs_rep", - NULL); - - config->kdc_warn_pwexpire = - krb5_config_get_time_default (context, NULL, - config->kdc_warn_pwexpire, - "kdc", - "kdc_warn_pwexpire", - NULL); if(detach_from_console == -1) detach_from_console = krb5_config_get_bool_default(context, NULL, @@ -546,82 +273,11 @@ configure(krb5_context context, int argc, char **argv) if(max_request == 0) max_request = 64 * 1024; - if(require_preauth != -1) { - config->require_preauth = require_preauth; - } if (port_str == NULL) port_str = "+"; -#ifdef PKINIT - config->enable_pkinit = - krb5_config_get_bool_default(context, - NULL, - config->enable_pkinit, - "kdc", - "enable-pkinit", - NULL); - if (config->enable_pkinit) { - const char *user_id, *anchors, *ocsp_file; - char **pool_list, **revoke_list; - - user_id = krb5_config_get_string(context, NULL, - "kdc", - "pkinit_identity", - NULL); - if (user_id == NULL) - krb5_errx(context, 1, "pkinit enabled but no identity"); - - anchors = krb5_config_get_string(context, NULL, - "kdc", - "pkinit_anchors", - NULL); - if (anchors == NULL) - krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); - - pool_list = krb5_config_get_strings(context, NULL, - "kdc", - "pkinit_pool", - NULL); - - revoke_list = krb5_config_get_strings(context, NULL, - "kdc", - "pkinit_revoke", - NULL); - - ocsp_file = - krb5_config_get_string(context, NULL, - "kdc", - "pkinit_kdc_ocsp", - NULL); - if (ocsp_file) { - config->pkinit_kdc_ocsp_file = strdup(ocsp_file); - if (config->pkinit_kdc_ocsp_file == NULL) - krb5_errx(context, 1, "out of memory"); - } - _kdc_pk_initialize(context, config, user_id, anchors, - pool_list, revoke_list); - - krb5_config_free_strings(pool_list); - krb5_config_free_strings(revoke_list); - - config->enable_pkinit_princ_in_cert = - krb5_config_get_bool_default(context, - NULL, - config->enable_pkinit_princ_in_cert, - "kdc", - "pkinit_principal_in_certificate", - NULL); - } - - config->pkinit_dh_min_bits = - krb5_config_get_int_default(context, - NULL, - 0, - "kdc", - "pkinit_dh_min_bits", - NULL); - -#endif + if (v4_realm) + config->v4_realm = v4_realm; if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4)) krb5_errx(context, 1, "Kerberos 4 enabled but no realm configured");