config.c revision 127808 
1254219Scy/*
2254219Scy * Copyright (c) 1997-2003 Kungliga Tekniska H�gskolan
3254219Scy * (Royal Institute of Technology, Stockholm, Sweden).
4254219Scy * All rights reserved.
5254219Scy *
6254219Scy * Redistribution and use in source and binary forms, with or without
7254219Scy * modification, are permitted provided that the following conditions
8254219Scy * are met:
9254219Scy *
10254219Scy * 1. Redistributions of source code must retain the above copyright
11254219Scy *    notice, this list of conditions and the following disclaimer.
12254219Scy *
13254219Scy * 2. Redistributions in binary form must reproduce the above copyright
14254219Scy *    notice, this list of conditions and the following disclaimer in the
15254219Scy *    documentation and/or other materials provided with the distribution.
16254219Scy *
17254219Scy * 3. Neither the name of the Institute nor the names of its contributors
18254219Scy *    may be used to endorse or promote products derived from this software
19254219Scy *    without specific prior written permission.
20254219Scy *
21254219Scy * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22254219Scy * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23254219Scy * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24254219Scy * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25254219Scy * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26254219Scy * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27254219Scy * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28254219Scy * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29254219Scy * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30254219Scy * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31254219Scy * SUCH DAMAGE.
32254219Scy */
33254219Scy
34254219Scy#include "kdc_locl.h"
35254219Scy#include <getarg.h>
36254219Scy#include <parse_bytes.h>
37254219Scy
38254219ScyRCSID("$Id: config.c,v 1.46.2.2 2003/10/27 11:06:52 joda Exp $");
39254219Scy
40254219Scystatic const char *config_file;	/* location of kdc config file */
41254219Scy
42254219Scyint require_preauth = -1;	/* 1 == require preauth for all principals */
43254219Scy
44254219Scysize_t max_request;		/* maximal size of a request */
45254219Scy
46254219Scystatic char *max_request_str;	/* `max_request' as a string */
47254219Scy
48254219Scytime_t kdc_warn_pwexpire;	/* time before expiration to print a warning */
49254219Scy
50254219Scystruct dbinfo *databases;
51254219ScyHDB **db;
52254219Scyint num_db;
53254219Scy
54254219Scyconst char *port_str;
55254219Scy
56254219Scy#ifdef HAVE_DAEMON
57254219Scyint detach_from_console = -1;
58254219Scy#define DETACH_IS_DEFAULT FALSE
59254219Scy#endif
60254219Scy
61254219Scyint enable_http = -1;
62254219Scykrb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
63254219Scy
64254219Scykrb5_boolean check_ticket_addresses;
65254219Scykrb5_boolean allow_null_ticket_addresses;
66254219Scykrb5_boolean allow_anonymous;
67254219Scyint trpolicy;
68254219Scystatic const char *trpolicy_str;
69
70static struct getarg_strings addresses_str;	/* addresses to listen on */
71krb5_addresses explicit_addresses;
72
73#ifdef KRB4
74char *v4_realm;
75int enable_v4 = -1;
76int enable_kaserver = -1;
77#endif
78
79int enable_524 = -1;
80int enable_v4_cross_realm = -1;
81
82static int help_flag;
83static int version_flag;
84
85static struct getargs args[] = {
86    {
87	"config-file",	'c',	arg_string,	&config_file,
88	"location of config file",	"file"
89    },
90    {
91	"require-preauth",	'p',	arg_negative_flag, &require_preauth,
92	"don't require pa-data in as-reqs"
93    },
94    {
95	"max-request",	0,	arg_string, &max_request,
96	"max size for a kdc-request", "size"
97    },
98#if 0
99    {
100	"database",	'd', 	arg_string, &databases,
101	"location of database", "database"
102    },
103#endif
104    { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" },
105    {	"524",		0, 	arg_negative_flag, &enable_524,
106	"don't respond to 524 requests"
107    },
108#ifdef KRB4
109    {
110	"kaserver", 'K', arg_flag,   &enable_kaserver,
111	"enable kaserver support"
112    },
113    {	"kerberos4",	0, 	arg_flag, &enable_v4,
114	"respond to kerberos 4 requests"
115    },
116    {
117	"v4-realm",	'r',	arg_string, &v4_realm,
118	"realm to serve v4-requests for"
119    },
120#endif
121    {	"kerberos4-cross-realm",	0, 	arg_flag,
122	&enable_v4_cross_realm,
123	"respond to kerberos 4 requests from foreign realms"
124    },
125    {	"ports",	'P', 	arg_string, &port_str,
126	"ports to listen to", "portspec"
127    },
128#ifdef HAVE_DAEMON
129#if DETACH_IS_DEFAULT
130    {
131	"detach",       'D',      arg_negative_flag, &detach_from_console,
132	"don't detach from console"
133    },
134#else
135    {
136	"detach",       0 ,      arg_flag, &detach_from_console,
137	"detach from console"
138    },
139#endif
140#endif
141    {	"addresses",	0,	arg_strings, &addresses_str,
142	"addresses to listen on", "list of addresses" },
143    {	"help",		'h',	arg_flag,   &help_flag },
144    {	"version",	'v',	arg_flag,   &version_flag }
145};
146
147static int num_args = sizeof(args) / sizeof(args[0]);
148
149static void
150usage(int ret)
151{
152    arg_printusage (args, num_args, NULL, "");
153    exit (ret);
154}
155
156static void
157get_dbinfo(void)
158{
159    const krb5_config_binding *top_binding = NULL;
160    const krb5_config_binding *db_binding;
161    const krb5_config_binding *default_binding = NULL;
162    struct dbinfo *di, **dt;
163    const char *default_dbname = HDB_DEFAULT_DB;
164    const char *default_mkey = HDB_DB_DIR "/m-key";
165    const char *p;
166
167    databases = NULL;
168    dt = &databases;
169    while((db_binding = (const krb5_config_binding *)
170	   krb5_config_get_next(context, NULL, &top_binding,
171				krb5_config_list,
172				"kdc",
173				"database",
174				NULL))) {
175	p = krb5_config_get_string(context, db_binding, "realm", NULL);
176	if(p == NULL) {
177	    if(default_binding) {
178		krb5_warnx(context, "WARNING: more than one realm-less "
179			   "database specification");
180		krb5_warnx(context, "WARNING: using the first encountered");
181	    } else
182		default_binding = db_binding;
183	    continue;
184	}
185	di = calloc(1, sizeof(*di));
186	di->realm = strdup(p);
187	p = krb5_config_get_string(context, db_binding, "dbname", NULL);
188	if(p)
189	    di->dbname = strdup(p);
190	p = krb5_config_get_string(context, db_binding, "mkey_file", NULL);
191	if(p)
192	    di->mkey_file = strdup(p);
193	*dt = di;
194	dt = &di->next;
195    }
196    if(default_binding) {
197	di = calloc(1, sizeof(*di));
198	p = krb5_config_get_string(context, default_binding, "dbname", NULL);
199	if(p) {
200	    di->dbname = strdup(p);
201	    default_dbname = p;
202	}
203	p = krb5_config_get_string(context, default_binding, "mkey_file", NULL);
204	if(p) {
205	    di->mkey_file = strdup(p);
206	    default_mkey = p;
207	}
208	*dt = di;
209	dt = &di->next;
210    } else if(databases == NULL) {
211	/* if there are none specified, use some default */
212	di = calloc(1, sizeof(*di));
213	di->dbname = strdup(default_dbname);
214	di->mkey_file = strdup(default_mkey);
215	*dt = di;
216	dt = &di->next;
217    }
218    for(di = databases; di; di = di->next) {
219	if(di->dbname == NULL)
220	    di->dbname = strdup(default_dbname);
221	if(di->mkey_file == NULL) {
222	    p = strrchr(di->dbname, '.');
223	    if(p == NULL || strchr(p, '/') != NULL)
224		/* final pathname component does not contain a . */
225		asprintf(&di->mkey_file, "%s.mkey", di->dbname);
226	    else
227		/* the filename is something.else, replace .else with
228                   .mkey */
229		asprintf(&di->mkey_file, "%.*s.mkey",
230			 (int)(p - di->dbname), di->dbname);
231	}
232    }
233}
234
235static void
236add_one_address (const char *str, int first)
237{
238    krb5_error_code ret;
239    krb5_addresses tmp;
240
241    ret = krb5_parse_address (context, str, &tmp);
242    if (ret)
243	krb5_err (context, 1, ret, "parse_address `%s'", str);
244    if (first)
245	krb5_copy_addresses(context, &tmp, &explicit_addresses);
246    else
247	krb5_append_addresses(context, &explicit_addresses, &tmp);
248    krb5_free_addresses (context, &tmp);
249}
250
251void
252configure(int argc, char **argv)
253{
254    int optind = 0;
255    int e;
256    const char *p;
257
258    while((e = getarg(args, num_args, argc, argv, &optind)))
259	warnx("error at argument `%s'", argv[optind]);
260
261    if(help_flag)
262	usage (0);
263
264    if (version_flag) {
265	print_version(NULL);
266	exit(0);
267    }
268
269    argc -= optind;
270    argv += optind;
271
272    if (argc != 0)
273	usage(1);
274
275    {
276	krb5_error_code ret;
277	char **files;
278	char *tmp;
279	if(config_file == NULL)
280	    config_file = _PATH_KDC_CONF;
281	asprintf(&tmp, "%s:%s", config_file, krb5_config_file);
282	if(tmp == NULL)
283	    krb5_errx(context, 1, "out of memory");
284
285	krb5_config_file = tmp;
286
287	ret = krb5_get_default_config_files(&files);
288	if(ret)
289	    krb5_err(context, 1, ret, "reading configuration files");
290	ret = krb5_set_config_files(context, files);
291	krb5_free_config_files(files);
292	if(ret)
293	    krb5_err(context, 1, ret, "reading configuration files");
294    }
295
296    get_dbinfo();
297
298    if(max_request_str)
299	max_request = parse_bytes(max_request_str, NULL);
300
301    if(max_request == 0){
302	p = krb5_config_get_string (context,
303				    NULL,
304				    "kdc",
305				    "max-request",
306				    NULL);
307	if(p)
308	    max_request = parse_bytes(p, NULL);
309    }
310
311    if(require_preauth == -1)
312	require_preauth = krb5_config_get_bool(context, NULL, "kdc",
313					       "require-preauth", NULL);
314
315    if(port_str == NULL){
316	p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL);
317	if (p != NULL)
318	    port_str = strdup(p);
319    }
320
321    explicit_addresses.len = 0;
322
323    if (addresses_str.num_strings) {
324	int i;
325
326	for (i = 0; i < addresses_str.num_strings; ++i)
327	    add_one_address (addresses_str.strings[i], i == 0);
328	free_getarg_strings (&addresses_str);
329    } else {
330	char **foo = krb5_config_get_strings (context, NULL,
331					      "kdc", "addresses", NULL);
332
333	if (foo != NULL) {
334	    add_one_address (*foo++, TRUE);
335	    while (*foo)
336		add_one_address (*foo++, FALSE);
337	}
338    }
339
340#ifdef KRB4
341    if(enable_v4 == -1)
342	enable_v4 = krb5_config_get_bool_default(context, NULL, FALSE, "kdc",
343					 "enable-kerberos4", NULL);
344#else
345#define enable_v4 0
346#endif
347    if(enable_v4_cross_realm == -1)
348	enable_v4_cross_realm =
349	    krb5_config_get_bool_default(context, NULL,
350					 FALSE, "kdc",
351					 "enable-kerberos4-cross-realm",
352					 NULL);
353    if(enable_524 == -1)
354	enable_524 = krb5_config_get_bool_default(context, NULL, enable_v4,
355						  "kdc", "enable-524", NULL);
356
357    if(enable_http == -1)
358	enable_http = krb5_config_get_bool(context, NULL, "kdc",
359					   "enable-http", NULL);
360    check_ticket_addresses =
361	krb5_config_get_bool_default(context, NULL, TRUE, "kdc",
362				     "check-ticket-addresses", NULL);
363    allow_null_ticket_addresses =
364	krb5_config_get_bool_default(context, NULL, TRUE, "kdc",
365				     "allow-null-ticket-addresses", NULL);
366
367    allow_anonymous =
368	krb5_config_get_bool(context, NULL, "kdc",
369			     "allow-anonymous", NULL);
370    trpolicy_str =
371	krb5_config_get_string_default(context, NULL, "always-check", "kdc",
372				       "transited-policy", NULL);
373    if(strcasecmp(trpolicy_str, "always-check") == 0)
374	trpolicy = TRPOLICY_ALWAYS_CHECK;
375    else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0)
376	trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
377    else if(strcasecmp(trpolicy_str, "always-honour-request") == 0)
378	trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
379    else {
380	kdc_log(0, "unknown transited-policy: %s, reverting to always-check",
381		trpolicy_str);
382	trpolicy = TRPOLICY_ALWAYS_CHECK;
383    }
384
385	krb5_config_get_bool_default(context, NULL, TRUE, "kdc",
386				     "enforce-transited-policy", NULL);
387#ifdef KRB4
388    if(v4_realm == NULL){
389	p = krb5_config_get_string (context, NULL,
390				    "kdc",
391				    "v4-realm",
392				    NULL);
393	if(p != NULL) {
394	    v4_realm = strdup(p);
395	    if (v4_realm == NULL)
396		krb5_errx(context, 1, "out of memory");
397	}
398    }
399    if (enable_kaserver == -1)
400	enable_kaserver = krb5_config_get_bool_default(context, NULL, FALSE,
401						       "kdc",
402						       "enable-kaserver",
403						       NULL);
404#endif
405
406    encode_as_rep_as_tgs_rep = krb5_config_get_bool(context, NULL, "kdc",
407						    "encode_as_rep_as_tgs_rep",
408						    NULL);
409
410    kdc_warn_pwexpire = krb5_config_get_time (context, NULL,
411					      "kdc",
412					      "kdc_warn_pwexpire",
413					      NULL);
414
415#ifdef HAVE_DAEMON
416    if(detach_from_console == -1)
417	detach_from_console = krb5_config_get_bool_default(context, NULL,
418							   DETACH_IS_DEFAULT,
419							   "kdc",
420							   "detach", NULL);
421#endif
422    kdc_openlog();
423    if(max_request == 0)
424	max_request = 64 * 1024;
425    if(require_preauth == -1)
426	require_preauth = 1;
427    if (port_str == NULL)
428	port_str = "+";
429#ifdef KRB4
430    if(v4_realm == NULL){
431	v4_realm = malloc(40); /* REALM_SZ */
432	if (v4_realm == NULL)
433	    krb5_errx(context, 1, "out of memory");
434	krb_get_lrealm(v4_realm, 1);
435    }
436#endif
437}
438