alt_prof.c revision 159d09a20817016f09b3ea28d1bdada4a336bb91
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
*
* Openvision retains the copyright to derivative works of
* this source code. Do *NOT* create a derivative of this
* source code before consulting with your legal department.
* Do *NOT* integrate *ANY* of this source code into another
* product before consulting with your legal department.
*
* For further information, read the top-level Openvision
* copyright which is contained in the top-level MIT Kerberos
* copyright.
*
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
*
*/
/*
*
* Copyright 1995,2001 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
*/
/*
* alt_prof.c - Implement alternate profile file handling.
*/
#include "k5-int.h"
#include "adm_proto.h"
#include <stdio.h>
#include <ctype.h>
#include <os-proto.h>
#define DEFAULT_ENCTYPE_LIST \
"aes256-cts-hmac-sha1-96:normal " \
"aes128-cts-hmac-sha1-96:normal " \
"des3-cbc-hmac-sha1-kd:normal " \
"arcfour-hmac-md5:normal " \
"arcfour-hmac-md5-exp:normal " \
"des-cbc-md5:normal " \
"des-cbc-crc:normal"
{
if((knew = (krb5_key_salt_tuple *)
return knew;
}
return 0;
}
/*
* krb5_aprof_init() - Initialize alternate profile context.
*
* Parameters:
* fname - default file name of the profile.
* envname - environment variable name which can override fname.
* acontextp - Pointer to opaque context for alternate profile.
*
* Returns:
* error codes from profile_init()
*/
char *fname;
char *envname;
{
const char *kdc_config;
char *profile_path;
char **filenames;
int i;
if (kret)
return kret;
krb5_config_len = 0;
if (i > 0)
kdc_config = fname;
if (kdc_config == NULL)
kdc_config_len = 0;
else
if (profile_path == NULL) {
return errno;
}
if (kdc_config_len)
else
profile_path[0] = 0;
if (krb5_config_len)
if (kdc_config_len || i)
}
if (kret)
return kret;
return 0;
}
/*
* krb5_aprof_getvals() - Get values from alternate profile.
*
* Parameters:
* acontext - opaque context for alternate profile.
* hierarchy - hierarchy of value to retrieve.
* retdata - Returned data values.
*
* Returns:
* error codes from profile_get_values()
*/
const char **hierarchy;
char ***retdata;
{
retdata));
}
/*
* krb5_aprof_get_boolean()
*
* Parameters:
* acontext - opaque context for alternate profile
* hierarchy - hierarchy of value to retrieve
* retdata - Returned data value
* Returns:
* error codes
*/
static krb5_error_code
{
int i;
*out = 1;
return 0;
}
*out = 0;
return 0;
}
return PROF_BAD_BOOLEAN;
}
{
char **values;
char *valp;
int idx;
if (kret)
return kret;
idx = 0;
if (uselast) {
idx++;
idx--;
}
if (kret)
return kret;
return 0;
}
/*
* krb5_aprof_get_deltat() - Get a delta time value from the alternate
* profile.
*
* Parameters:
* acontext - opaque context for alternate profile.
* hierarchy - hierarchy of value to retrieve.
* uselast - if true, use last value, otherwise use
* first value found.
* deltatp - returned delta time value.
*
* Returns:
* error codes from profile_get_values()
* error codes from krb5_string_to_deltat()
*/
const char **hierarchy;
{
char **values;
char *valp;
int idx;
idx = 0;
if (uselast) {
idx--;
}
/* Free the string storage */
}
return(kret);
}
/*
* krb5_aprof_get_string() - Get a string value from the alternate
* profile.
*
* Parameters:
* acontext - opaque context for alternate profile.
* hierarchy - hierarchy of value to retrieve.
* uselast - if true, use last value, otherwise use
* first value found.
* stringp - returned string value.
*
* Returns:
* error codes from profile_get_values()
*/
const char **hierarchy;
char **stringp;
{
char **values;
int idx, i;
idx = 0;
if (uselast) {
idx--;
}
/* Free the string storage */
for (i=0; values[i]; i++)
if (i != idx)
krb5_xfree(values[i]);
}
return(kret);
}
/*
* krb5_aprof_get_int32() - Get a 32-bit integer value from the alternate
* profile.
*
* Parameters:
* acontext - opaque context for alternate profile.
* hierarchy - hierarchy of value to retrieve.
* uselast - if true, use last value, otherwise use
* first value found.
* intp - returned 32-bit integer value.
*
* Returns:
* error codes from profile_get_values()
* EINVAL - value is not an integer
*/
const char **hierarchy;
{
char **values;
int idx;
idx = 0;
if (uselast) {
idx--;
}
/* Free the string storage */
}
return(kret);
}
/*
* krb5_aprof_finish() - Finish alternate profile context.
*
* Parameter:
* acontext - opaque context for alternate profile.
*
* Returns:
* 0 on success, something else on failure.
*/
{
return(0);
}
/*
* Function: kadm5_get_config_params
*
* Purpose: Merge configuration parameters provided by the caller with
* values specified in configuration files and with default values.
*
* Arguments:
*
* context (r) krb5_context to use
* profile (r) profile file to use
* envname (r) envname that contains a profile name to
* override profile
* params_in (r) params structure containing user-supplied
* values, or NULL
* params_out (w) params structure to be filled in
*
* Effects:
*
* The fields and mask of params_out are filled in with values
* obtained from params_in, the specified profile, and default
* values. Only and all fields specified in params_out->mask are
* set. The context of params_out must be freed with
* kadm5_free_config_params.
*
* params_in and params_out may be the same pointer. However, all pointers
* in params_in for which the mask is set will be re-assigned to newly copied
* versions, overwriting the old pointer value.
*/
int use_kdc_config;
{
char *filename;
char *envname;
char *lrealm;
krb5_pointer aprofile = 0;
const char *hierarchy[4];
char *svalue;
krb5_error_code kret = 0;
#ifdef KRB5_DNS_LOOKUP
char dns_host[MAX_DNS_NAMELEN];
unsigned short dns_portno;
#endif /* KRB5_DNS_LOOKUP */
} else {
if (kret)
goto cleanup;
}
/*
* XXX These defaults should to work on both client and
* server. kadm5_get_config_params can be implemented as a
* wrapper function in each library that provides correct
* defaults for NULL values.
*/
if (use_kdc_config) {
} else {
envname = "KRB5_CONFIG";
}
if (kret)
goto cleanup;
/* Initialize realm parameters */
hierarchy[0] = "realms";
#ifdef KRB5_DNS_LOOKUP
/*
* Initialize realm info for (possible) DNS lookups.
*/
#endif /* KRB5_DNS_LOOKUP */
/* Get the value for the admin server */
if (params.admin_server)
} else if (aprofile &&
}
#ifdef KRB5_DNS_LOOKUP
/*
* Solaris Kerberos: only do DNS lookup for admin_server if this
* is a krb5.conf type of config file. Note, the filename may
* envname string will consistently indicate the type of config
* file.
*/
"_kerberos-adm", "_udp",
dns_host, &dns_portno);
if (dnsret == 0) {
if (params.admin_server)
}
}
#endif /* KRB5_DNS_LOOKUP */
char *p;
if (p) {
*p = '\0';
}
}
/* Get the value for the database */
} else if (aprofile &&
} else {
}
/*
* admin database name and lockfile are now always derived from dbname
*/
if (params.admin_dbname) {
}
}
+ 6);
if (params.admin_lockfile) {
}
}
/* Get the value for the admin (policy) database lock file*/
if (params.admin_keytab)
} else if (aprofile &&
if (params.admin_keytab)
} else {
if (params.admin_keytab)
}
/* Get the name of the acl file */
} else if (aprofile &&
} else {
}
/* Get the name of the dict file */
} else if (aprofile &&
}
/* Get the value for the kadmind port */
} else if (aprofile &&
&ivalue)) {
} else {
}
}
/* Get the value for the kpasswd port */
} else if (aprofile &&
&ivalue)) {
} else {
}
}
/* Get the value for the master key name */
} else if (aprofile &&
}
/* Get the value for the master key type */
} else if (aprofile &&
}
} else {
}
/* Get the value for mkey_from_kbd */
}
/* Get the value for the stashfile */
if (params.stash_file)
} else if (aprofile &&
}
/*
* Solaris Kerberos
* Get the value for maximum ticket lifetime.
* See SEAM documentation or the Bug ID 4184504
* We have changed the logic so that the entries are
* created in the database with the maximum duration
* for life and renew life KRB5_INT32_MAX
* However this wil get negotiated down when
* as or tgs request is processed by KDC.
*/
} else {
}
/* Get the value for maximum renewable ticket lifetime. */
} else {
}
/* Get the value for the default principal expiration */
} else if (aprofile &&
}
} else {
params.expiration = 0;
}
/* Get the value for the default principal flags */
} else if (aprofile &&
while (sp) {
/* Fill in trailing whitespace of sp */
*tp = '\0';
tp--;
}
*ep = '\0';
ep++;
/* Skip over trailing whitespace of ep */
}
/* Convert this flag */
if (krb5_string_to_flags(sp,
"+",
"-",
break;
}
if (!sp)
} else {
}
if (params_in->num_keysalts > 0) {
goto cleanup;
}
}
} else {
if (aprofile)
params.num_keysalts = 0;
", \t",/* Tuple separators */
0, /* No duplicates */
if (params.num_keysalts)
if (svalue)
}
} else {
if (aprofile)
#ifdef KRB5_DNS_LOOKUP
/*
* Solaris Kerberos: only do DNS lookup for
* kpasswd_server if this is a krb5.conf type of
* config file. Note, the filename may not be
* KRB5_CONFIG envname string will consistently
* indicate the type of config file.
*/
dns_host, &dns_portno);
if (dnsret == 0) {
if (params.kpasswd_server) {
}
}
}
#endif /* KRB5_DNS_LOOKUP */
/*
* If a unique 'kpasswd_server' is not specified,
* use the normal 'admin_server'.
*/
dnsret) {
}
} else {
char *p;
*p = '\0';
}
}
}
/* default to current RPCSEC_GSS protocol */
} else {
if (aprofile)
}
}
if (svalue)
}
/*
* If the kpasswd_port is not yet defined, define it now.
*/
/*
* If kpasswd_port is not explicitly defined,
* determine the port to use based on the protocol.
* The alternative protocol uses a different port
* than the standard admind port.
*/
} else {
/*
* password changing, the default port is 464
* (officially recognized by IANA).
*/
}
}
} else {
}
}
} else {
if (ivalue > MAX_ULOGENTRIES)
else if (ivalue <= 0)
else
}
}
if (params.iprop_polltime)
if (params.iprop_polltime)
if (params.iprop_polltime)
} else {
if (params.iprop_polltime)
}
}
*params_out = params;
if (aprofile)
if (kret) {
params_out->mask = 0;
}
#ifdef KRB5_DNS_LOOKUP
#endif /* KRB5_DNS_LOOKUP */
return(kret);
}
/*
* kadm5_free_config_params() - Free data allocated by above.
*/
/*ARGSUSED*/
{
if (params) {
}
}
if (params->stash_file) {
}
params->num_keysalts = 0;
}
if (params->admin_keytab) {
}
}
}
}
if (params->admin_dbname) {
}
if (params->admin_lockfile) {
}
if (params->admin_server) {
}
if (params->kpasswd_server) {
}
if (params->iprop_polltime) {
}
}
return (0);
}
char *realm_in,
char *admin_name,
{
if (ret)
return ret;
goto err_params;
}
goto err_params;
}
goto err_params;
}
return ret;
}
/***********************************************************************
* This is the old krb5_realm_read_params, which I mutated into
* kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
* still uses.
***********************************************************************/
/*
* krb5_read_realm_params() - Read per-realm parameters from KDC
* alternate profile.
*/
char *realm;
{
char *filename;
char *envname;
char *lrealm;
krb5_pointer aprofile = 0;
const char *hierarchy[4];
char *svalue;
char *kdcprofile = 0;
char *kdcenv = 0;
if (realm)
else {
if (kret)
goto cleanup;
}
if (kret)
goto cleanup;
if (rparams == 0) {
goto cleanup;
}
/* Initialize realm parameters */
/* Get the value for the database */
hierarchy[0] = "realms";
/* Get the value for the KDC port list */
/* Get the name of the acl file */
/* Get the value for the kadmind port */
}
/* Get the value for the master key name */
/* Get the value for the master key type */
}
/* Get the value for the stashfile */
/* Get the value for maximum ticket lifetime. */
}
/* Get the value for maximum renewable ticket lifetime. */
}
/* Get the value for the default principal expiration */
}
}
/* Get the value for the default principal flags */
rparams->realm_flags = 0;
while (sp) {
/* Fill in trailing whitespace of sp */
*tp = '\0';
tp--;
}
*ep = '\0';
ep++;
/* Skip over trailing whitespace of ep */
}
/* Convert this flag */
if (krb5_string_to_flags(sp,
"+",
"-",
&rparams->realm_flags))
break;
}
if (!sp)
}
/*
* SUNWresync121
* Solaris kerberos: updated this code to support default values for
* the supported_enctypes.
*/
/*
* Set the default value if supported_enctypes was not explicitly
* set in the kdc.conf.
*/
}
", \t", /* Tuple separators */
0, /* No duplicates */
}
if (aprofile)
if (lrealm)
if (kret) {
if (rparams)
rparams = 0;
}
return(kret);
}
/*
* krb5_free_realm_params() - Free data allocated by above.
*/
{
if (rparams) {
if (rparams->realm_profile)
if (rparams->realm_dbname)
if (rparams->realm_mkey_name)
if (rparams->realm_stash_file)
if (rparams->realm_keysalts)
if (rparams->realm_kdc_ports)
if (rparams->realm_kdc_tcp_ports)
if (rparams->realm_acl_file)
}
return(0);
}