xref: /freebsd/crypto/heimdal/kdc/config.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*
2  * Copyright (c) 1997-2003 Kungliga Tekniska H�gskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "kdc_locl.h"
35 #include <getarg.h>
36 #include <parse_bytes.h>
37 
38 RCSID("$Id: config.c,v 1.46.2.2 2003/10/27 11:06:52 joda Exp $");
39 
40 static const char *config_file;	/* location of kdc config file */
41 
42 int require_preauth = -1;	/* 1 == require preauth for all principals */
43 
44 size_t max_request;		/* maximal size of a request */
45 
46 static char *max_request_str;	/* `max_request' as a string */
47 
48 time_t kdc_warn_pwexpire;	/* time before expiration to print a warning */
49 
50 struct dbinfo *databases;
51 HDB **db;
52 int num_db;
53 
54 const char *port_str;
55 
56 #ifdef HAVE_DAEMON
57 int detach_from_console = -1;
58 #define DETACH_IS_DEFAULT FALSE
59 #endif
60 
61 int enable_http = -1;
62 krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
63 
64 krb5_boolean check_ticket_addresses;
65 krb5_boolean allow_null_ticket_addresses;
66 krb5_boolean allow_anonymous;
67 int trpolicy;
68 static const char *trpolicy_str;
69 
70 static struct getarg_strings addresses_str;	/* addresses to listen on */
71 krb5_addresses explicit_addresses;
72 
73 #ifdef KRB4
74 char *v4_realm;
75 int enable_v4 = -1;
76 int enable_kaserver = -1;
77 #endif
78 
79 int enable_524 = -1;
80 int enable_v4_cross_realm = -1;
81 
82 static int help_flag;
83 static int version_flag;
84 
85 static struct getargs args[] = {
86     {
87 	"config-file",	'c',	arg_string,	&config_file,
88 	"location of config file",	"file"
89     },
90     {
91 	"require-preauth",	'p',	arg_negative_flag, &require_preauth,
92 	"don't require pa-data in as-reqs"
93     },
94     {
95 	"max-request",	0,	arg_string, &max_request,
96 	"max size for a kdc-request", "size"
97     },
98 #if 0
99     {
100 	"database",	'd', 	arg_string, &databases,
101 	"location of database", "database"
102     },
103 #endif
104     { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" },
105     {	"524",		0, 	arg_negative_flag, &enable_524,
106 	"don't respond to 524 requests"
107     },
108 #ifdef KRB4
109     {
110 	"kaserver", 'K', arg_flag,   &enable_kaserver,
111 	"enable kaserver support"
112     },
113     {	"kerberos4",	0, 	arg_flag, &enable_v4,
114 	"respond to kerberos 4 requests"
115     },
116     {
117 	"v4-realm",	'r',	arg_string, &v4_realm,
118 	"realm to serve v4-requests for"
119     },
120 #endif
121     {	"kerberos4-cross-realm",	0, 	arg_flag,
122 	&enable_v4_cross_realm,
123 	"respond to kerberos 4 requests from foreign realms"
124     },
125     {	"ports",	'P', 	arg_string, &port_str,
126 	"ports to listen to", "portspec"
127     },
128 #ifdef HAVE_DAEMON
129 #if DETACH_IS_DEFAULT
130     {
131 	"detach",       'D',      arg_negative_flag, &detach_from_console,
132 	"don't detach from console"
133     },
134 #else
135     {
136 	"detach",       0 ,      arg_flag, &detach_from_console,
137 	"detach from console"
138     },
139 #endif
140 #endif
141     {	"addresses",	0,	arg_strings, &addresses_str,
142 	"addresses to listen on", "list of addresses" },
143     {	"help",		'h',	arg_flag,   &help_flag },
144     {	"version",	'v',	arg_flag,   &version_flag }
145 };
146 
147 static int num_args = sizeof(args) / sizeof(args[0]);
148 
149 static void
150 usage(int ret)
151 {
152     arg_printusage (args, num_args, NULL, "");
153     exit (ret);
154 }
155 
156 static void
157 get_dbinfo(void)
158 {
159     const krb5_config_binding *top_binding = NULL;
160     const krb5_config_binding *db_binding;
161     const krb5_config_binding *default_binding = NULL;
162     struct dbinfo *di, **dt;
163     const char *default_dbname = HDB_DEFAULT_DB;
164     const char *default_mkey = HDB_DB_DIR "/m-key";
165     const char *p;
166 
167     databases = NULL;
168     dt = &databases;
169     while((db_binding = (const krb5_config_binding *)
170 	   krb5_config_get_next(context, NULL, &top_binding,
171 				krb5_config_list,
172 				"kdc",
173 				"database",
174 				NULL))) {
175 	p = krb5_config_get_string(context, db_binding, "realm", NULL);
176 	if(p == NULL) {
177 	    if(default_binding) {
178 		krb5_warnx(context, "WARNING: more than one realm-less "
179 			   "database specification");
180 		krb5_warnx(context, "WARNING: using the first encountered");
181 	    } else
182 		default_binding = db_binding;
183 	    continue;
184 	}
185 	di = calloc(1, sizeof(*di));
186 	di->realm = strdup(p);
187 	p = krb5_config_get_string(context, db_binding, "dbname", NULL);
188 	if(p)
189 	    di->dbname = strdup(p);
190 	p = krb5_config_get_string(context, db_binding, "mkey_file", NULL);
191 	if(p)
192 	    di->mkey_file = strdup(p);
193 	*dt = di;
194 	dt = &di->next;
195     }
196     if(default_binding) {
197 	di = calloc(1, sizeof(*di));
198 	p = krb5_config_get_string(context, default_binding, "dbname", NULL);
199 	if(p) {
200 	    di->dbname = strdup(p);
201 	    default_dbname = p;
202 	}
203 	p = krb5_config_get_string(context, default_binding, "mkey_file", NULL);
204 	if(p) {
205 	    di->mkey_file = strdup(p);
206 	    default_mkey = p;
207 	}
208 	*dt = di;
209 	dt = &di->next;
210     } else if(databases == NULL) {
211 	/* if there are none specified, use some default */
212 	di = calloc(1, sizeof(*di));
213 	di->dbname = strdup(default_dbname);
214 	di->mkey_file = strdup(default_mkey);
215 	*dt = di;
216 	dt = &di->next;
217     }
218     for(di = databases; di; di = di->next) {
219 	if(di->dbname == NULL)
220 	    di->dbname = strdup(default_dbname);
221 	if(di->mkey_file == NULL) {
222 	    p = strrchr(di->dbname, '.');
223 	    if(p == NULL || strchr(p, '/') != NULL)
224 		/* final pathname component does not contain a . */
225 		asprintf(&di->mkey_file, "%s.mkey", di->dbname);
226 	    else
227 		/* the filename is something.else, replace .else with
228                    .mkey */
229 		asprintf(&di->mkey_file, "%.*s.mkey",
230 			 (int)(p - di->dbname), di->dbname);
231 	}
232     }
233 }
234 
235 static void
236 add_one_address (const char *str, int first)
237 {
238     krb5_error_code ret;
239     krb5_addresses tmp;
240 
241     ret = krb5_parse_address (context, str, &tmp);
242     if (ret)
243 	krb5_err (context, 1, ret, "parse_address `%s'", str);
244     if (first)
245 	krb5_copy_addresses(context, &tmp, &explicit_addresses);
246     else
247 	krb5_append_addresses(context, &explicit_addresses, &tmp);
248     krb5_free_addresses (context, &tmp);
249 }
250 
251 void
252 configure(int argc, char **argv)
253 {
254     int optind = 0;
255     int e;
256     const char *p;
257 
258     while((e = getarg(args, num_args, argc, argv, &optind)))
259 	warnx("error at argument `%s'", argv[optind]);
260 
261     if(help_flag)
262 	usage (0);
263 
264     if (version_flag) {
265 	print_version(NULL);
266 	exit(0);
267     }
268 
269     argc -= optind;
270     argv += optind;
271 
272     if (argc != 0)
273 	usage(1);
274 
275     {
276 	krb5_error_code ret;
277 	char **files;
278 	char *tmp;
279 	if(config_file == NULL)
280 	    config_file = _PATH_KDC_CONF;
281 	asprintf(&tmp, "%s:%s", config_file, krb5_config_file);
282 	if(tmp == NULL)
283 	    krb5_errx(context, 1, "out of memory");
284 
285 	krb5_config_file = tmp;
286 
287 	ret = krb5_get_default_config_files(&files);
288 	if(ret)
289 	    krb5_err(context, 1, ret, "reading configuration files");
290 	ret = krb5_set_config_files(context, files);
291 	krb5_free_config_files(files);
292 	if(ret)
293 	    krb5_err(context, 1, ret, "reading configuration files");
294     }
295 
296     get_dbinfo();
297 
298     if(max_request_str)
299 	max_request = parse_bytes(max_request_str, NULL);
300 
301     if(max_request == 0){
302 	p = krb5_config_get_string (context,
303 				    NULL,
304 				    "kdc",
305 				    "max-request",
306 				    NULL);
307 	if(p)
308 	    max_request = parse_bytes(p, NULL);
309     }
310 
311     if(require_preauth == -1)
312 	require_preauth = krb5_config_get_bool(context, NULL, "kdc",
313 					       "require-preauth", NULL);
314 
315     if(port_str == NULL){
316 	p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL);
317 	if (p != NULL)
318 	    port_str = strdup(p);
319     }
320 
321     explicit_addresses.len = 0;
322 
323     if (addresses_str.num_strings) {
324 	int i;
325 
326 	for (i = 0; i < addresses_str.num_strings; ++i)
327 	    add_one_address (addresses_str.strings[i], i == 0);
328 	free_getarg_strings (&addresses_str);
329     } else {
330 	char **foo = krb5_config_get_strings (context, NULL,
331 					      "kdc", "addresses", NULL);
332 
333 	if (foo != NULL) {
334 	    add_one_address (*foo++, TRUE);
335 	    while (*foo)
336 		add_one_address (*foo++, FALSE);
337 	}
338     }
339 
340 #ifdef KRB4
341     if(enable_v4 == -1)
342 	enable_v4 = krb5_config_get_bool_default(context, NULL, FALSE, "kdc",
343 					 "enable-kerberos4", NULL);
344 #else
345 #define enable_v4 0
346 #endif
347     if(enable_v4_cross_realm == -1)
348 	enable_v4_cross_realm =
349 	    krb5_config_get_bool_default(context, NULL,
350 					 FALSE, "kdc",
351 					 "enable-kerberos4-cross-realm",
352 					 NULL);
353     if(enable_524 == -1)
354 	enable_524 = krb5_config_get_bool_default(context, NULL, enable_v4,
355 						  "kdc", "enable-524", NULL);
356 
357     if(enable_http == -1)
358 	enable_http = krb5_config_get_bool(context, NULL, "kdc",
359 					   "enable-http", NULL);
360     check_ticket_addresses =
361 	krb5_config_get_bool_default(context, NULL, TRUE, "kdc",
362 				     "check-ticket-addresses", NULL);
363     allow_null_ticket_addresses =
364 	krb5_config_get_bool_default(context, NULL, TRUE, "kdc",
365 				     "allow-null-ticket-addresses", NULL);
366 
367     allow_anonymous =
368 	krb5_config_get_bool(context, NULL, "kdc",
369 			     "allow-anonymous", NULL);
370     trpolicy_str =
371 	krb5_config_get_string_default(context, NULL, "always-check", "kdc",
372 				       "transited-policy", NULL);
373     if(strcasecmp(trpolicy_str, "always-check") == 0)
374 	trpolicy = TRPOLICY_ALWAYS_CHECK;
375     else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0)
376 	trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
377     else if(strcasecmp(trpolicy_str, "always-honour-request") == 0)
378 	trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
379     else {
380 	kdc_log(0, "unknown transited-policy: %s, reverting to always-check",
381 		trpolicy_str);
382 	trpolicy = TRPOLICY_ALWAYS_CHECK;
383     }
384 
385 	krb5_config_get_bool_default(context, NULL, TRUE, "kdc",
386 				     "enforce-transited-policy", NULL);
387 #ifdef KRB4
388     if(v4_realm == NULL){
389 	p = krb5_config_get_string (context, NULL,
390 				    "kdc",
391 				    "v4-realm",
392 				    NULL);
393 	if(p != NULL) {
394 	    v4_realm = strdup(p);
395 	    if (v4_realm == NULL)
396 		krb5_errx(context, 1, "out of memory");
397 	}
398     }
399     if (enable_kaserver == -1)
400 	enable_kaserver = krb5_config_get_bool_default(context, NULL, FALSE,
401 						       "kdc",
402 						       "enable-kaserver",
403 						       NULL);
404 #endif
405 
406     encode_as_rep_as_tgs_rep = krb5_config_get_bool(context, NULL, "kdc",
407 						    "encode_as_rep_as_tgs_rep",
408 						    NULL);
409 
410     kdc_warn_pwexpire = krb5_config_get_time (context, NULL,
411 					      "kdc",
412 					      "kdc_warn_pwexpire",
413 					      NULL);
414 
415 #ifdef HAVE_DAEMON
416     if(detach_from_console == -1)
417 	detach_from_console = krb5_config_get_bool_default(context, NULL,
418 							   DETACH_IS_DEFAULT,
419 							   "kdc",
420 							   "detach", NULL);
421 #endif
422     kdc_openlog();
423     if(max_request == 0)
424 	max_request = 64 * 1024;
425     if(require_preauth == -1)
426 	require_preauth = 1;
427     if (port_str == NULL)
428 	port_str = "+";
429 #ifdef KRB4
430     if(v4_realm == NULL){
431 	v4_realm = malloc(40); /* REALM_SZ */
432 	if (v4_realm == NULL)
433 	    krb5_errx(context, 1, "out of memory");
434 	krb_get_lrealm(v4_realm, 1);
435     }
436 #endif
437 }
438