From ef7201572ef8765eae7926ff72562d30a1a2bfab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Mon, 23 Apr 2007 07:46:57 +0000 Subject: [PATCH] Make the default configuration fetch info from the krb5.conf. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20532 ec53bebd-3082-4978-b11e-865c3cabbd6b --- kdc/default_config.c | 327 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 295 insertions(+), 32 deletions(-) diff --git a/kdc/default_config.c b/kdc/default_config.c index c4d9f51fd..9f3495286 100644 --- a/kdc/default_config.c +++ b/kdc/default_config.c @@ -1,6 +1,7 @@ /* - * Copyright (c) 2005 Andrew Bartlett - * + * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -14,10 +15,14 @@ * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) @@ -28,35 +33,293 @@ */ #include "kdc_locl.h" +#include +#include -/* - * Setup some of the defaults for the KDC configuration. - * - * Note: Caller must also fill in: - * - db - * - num_db - * - logf - * -*/ +RCSID("$Id$"); -void -krb5_kdc_default_config(krb5_kdc_configuration *config) +static void +get_dbinfo(krb5_context context, struct krb5_kdc_configuration *c) { - memset(config, 0, sizeof(*config)); - config->require_preauth = TRUE; - config->kdc_warn_pwexpire = 0; - config->encode_as_rep_as_tgs_rep = FALSE; /* bug compatibility */ - config->check_ticket_addresses = TRUE; - config->allow_null_ticket_addresses = TRUE; - config->allow_anonymous = FALSE; - config->trpolicy = TRPOLICY_ALWAYS_CHECK; - config->enable_v4 = FALSE; - config->enable_kaserver = FALSE; - config->enable_524 = FALSE; /* overriden by enable_v4 in configure()) */ - config->enable_v4_cross_realm = FALSE; - config->enable_pkinit = FALSE; - config->enable_pkinit_princ_in_cert = TRUE; - config->db = NULL; - config->num_db = 0; - config->logf = NULL; + struct hdb_dbinfo *info, *d; + krb5_error_code ret; + + /* fetch the databases */ + ret = hdb_get_dbinfo(context, &info); + if (ret) + krb5_err(context, 1, ret, "hdb_get_dbinfo"); + + d = NULL; + while ((d = hdb_dbinfo_get_next(info, d)) != NULL) { + void *ptr; + + ptr = realloc(c->db, (c->num_db + 1) * sizeof(*c->db)); + if (ptr == NULL) + krb5_err(context, 1, ret, "out of memory"); + c->db = ptr; + + ret = hdb_create(context, &c->db[c->num_db], + hdb_dbinfo_get_dbname(context, d)); + if(ret) + krb5_err(context, 1, ret, "hdb_create %s", + hdb_dbinfo_get_dbname(context, d)); + + ret = hdb_set_master_keyfile(context, c->db[c->num_db], + hdb_dbinfo_get_mkey_file(context, d)); + if (ret) + krb5_err(context, 1, ret, "hdb_set_master_keyfile"); + + c->num_db++; + + kdc_log(context, c, 0, "label: %s\n", + hdb_dbinfo_get_label(context, d)); + kdc_log(context, c, 0, "\trealm: %s\n", + hdb_dbinfo_get_realm(context, d)); + kdc_log(context, c, 0, "\tdbname: %s\n", + hdb_dbinfo_get_dbname(context, d)); + kdc_log(context, c, 0, "\tmkey_file: %s\n", + hdb_dbinfo_get_mkey_file(context, d)); + } + hdb_free_dbinfo(context, &info); +} + + +int +krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) +{ + krb5_kdc_configuration *c; + + c = calloc(1, sizeof(*c)); + if (c == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + c->require_preauth = TRUE; + c->kdc_warn_pwexpire = 0; + c->encode_as_rep_as_tgs_rep = FALSE; + c->check_ticket_addresses = TRUE; + c->allow_null_ticket_addresses = TRUE; + c->allow_anonymous = FALSE; + c->trpolicy = TRPOLICY_ALWAYS_CHECK; + c->enable_v4 = FALSE; + c->enable_kaserver = FALSE; + c->enable_524 = FALSE; + c->enable_v4_cross_realm = FALSE; + c->enable_pkinit = FALSE; + c->enable_pkinit_princ_in_cert = TRUE; + c->db = NULL; + c->num_db = 0; + c->logf = NULL; + + get_dbinfo(context, c); + + c->require_preauth = + krb5_config_get_bool_default(context, NULL, + c->require_preauth, + "kdc", "require-preauth", NULL); + c->enable_v4 = + krb5_config_get_bool_default(context, NULL, + c->enable_v4, + "kdc", "enable-kerberos4", NULL); + c->enable_v4_cross_realm = + krb5_config_get_bool_default(context, NULL, + c->enable_v4_cross_realm, + "kdc", + "enable-kerberos4-cross-realm", NULL); + c->enable_524 = + krb5_config_get_bool_default(context, NULL, + c->enable_v4, + "kdc", "enable-524", NULL); + c->enable_digest = + krb5_config_get_bool_default(context, NULL, + FALSE, + "kdc", "enable-digest", NULL); + + { + const char *digests; + + digests = krb5_config_get_string(context, NULL, + "kdc", + "digests_allowed", NULL); + if (digests == NULL) + digests = "ntlm-v2"; + c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0); + if (c->digests_allowed == -1) { + kdc_log(context, c, 0, + "unparsable digest units (%s), turning off digest", + digests); + c->enable_digest = 0; + } else if (c->digests_allowed == 0) { + kdc_log(context, c, 0, + "no digest enable, turning digest off", + digests); + c->enable_digest = 0; + } + } + + c->enable_kx509 = + krb5_config_get_bool_default(context, NULL, + FALSE, + "kdc", "enable-kx509", NULL); + + if (c->enable_kx509) { + c->kx509_template = + krb5_config_get_string(context, NULL, + "kdc", "kx509_template", NULL); + c->kx509_ca = + krb5_config_get_string(context, NULL, + "kdc", "kx509_ca", NULL); + if (c->kx509_ca == NULL || c->kx509_template == NULL) { + kdc_log(context, c, 0, + "missing kx509 configuration, turning off"); + c->enable_kx509 = FALSE; + } + } + + c->check_ticket_addresses = + krb5_config_get_bool_default(context, NULL, + c->check_ticket_addresses, + "kdc", + "check-ticket-addresses", NULL); + c->allow_null_ticket_addresses = + krb5_config_get_bool_default(context, NULL, + c->allow_null_ticket_addresses, + "kdc", + "allow-null-ticket-addresses", NULL); + + c->allow_anonymous = + krb5_config_get_bool_default(context, NULL, + c->allow_anonymous, + "kdc", + "allow-anonymous", NULL); + + c->max_datagram_reply_length = + krb5_config_get_int_default(context, + NULL, + 1400, + "kdc", + "max-kdc-datagram-reply-length", + NULL); + + { + const char *trpolicy_str; + + trpolicy_str = + krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc", + "transited-policy", NULL); + if(strcasecmp(trpolicy_str, "always-check") == 0) { + c->trpolicy = TRPOLICY_ALWAYS_CHECK; + } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) { + c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL; + } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) { + c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST; + } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) { + /* default */ + } else { + kdc_log(context, c, 0, + "unknown transited-policy: %s, " + "reverting to default (always-check)", + trpolicy_str); + } + } + + { + const char *p; + p = krb5_config_get_string (context, NULL, + "kdc", + "v4-realm", + NULL); + if(p != NULL) { + c->v4_realm = strdup(p); + if (c->v4_realm == NULL) + krb5_errx(context, 1, "out of memory"); + } else { + c->v4_realm = NULL; + } + } + + c->enable_kaserver = + krb5_config_get_bool_default(context, + NULL, + c->enable_kaserver, + "kdc", "enable-kaserver", NULL); + + + c->encode_as_rep_as_tgs_rep = + krb5_config_get_bool_default(context, NULL, + c->encode_as_rep_as_tgs_rep, + "kdc", + "encode_as_rep_as_tgs_rep", NULL); + + c->kdc_warn_pwexpire = + krb5_config_get_time_default (context, NULL, + c->kdc_warn_pwexpire, + "kdc", "kdc_warn_pwexpire", NULL); + + +#ifdef PKINIT + c->enable_pkinit = + krb5_config_get_bool_default(context, + NULL, + c->enable_pkinit, + "kdc", + "enable-pkinit", + NULL); + if (c->enable_pkinit) { + const char *user_id, *anchors, *ocsp_file; + char **pool_list, **revoke_list; + + user_id = + krb5_config_get_string(context, NULL, + "kdc", "pkinit_identity", NULL); + if (user_id == NULL) + krb5_errx(context, 1, "pkinit enabled but no identity"); + + anchors = krb5_config_get_string(context, NULL, + "kdc", "pkinit_anchors", NULL); + if (anchors == NULL) + krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); + + pool_list = + krb5_config_get_strings(context, NULL, + "kdc", "pkinit_pool", NULL); + + revoke_list = + krb5_config_get_strings(context, NULL, + "kdc", "pkinit_revoke", NULL); + + ocsp_file = + krb5_config_get_string(context, NULL, + "kdc", "pkinit_kdc_ocsp", NULL); + if (ocsp_file) { + c->pkinit_kdc_ocsp_file = strdup(ocsp_file); + if (c->pkinit_kdc_ocsp_file == NULL) + krb5_errx(context, 1, "out of memory"); + } + + _kdc_pk_initialize(context, c, user_id, anchors, + pool_list, revoke_list); + + krb5_config_free_strings(pool_list); + krb5_config_free_strings(revoke_list); + + c->enable_pkinit_princ_in_cert = + krb5_config_get_bool_default(context, NULL, + c->enable_pkinit_princ_in_cert, + "kdc", + "pkinit_principal_in_certificate", + NULL); + } + + c->pkinit_dh_min_bits = + krb5_config_get_int_default(context, NULL, + 0, + "kdc", "pkinit_dh_min_bits", NULL); + +#endif + + *config = c; + + return 0; }