17c478bd9Sstevel@tonic-gate /*
27c64d375Smp * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
37c478bd9Sstevel@tonic-gate * Use is subject to license terms.
47c478bd9Sstevel@tonic-gate */
57c478bd9Sstevel@tonic-gate
67c478bd9Sstevel@tonic-gate
77c478bd9Sstevel@tonic-gate /*
87c478bd9Sstevel@tonic-gate * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
97c478bd9Sstevel@tonic-gate *
107c478bd9Sstevel@tonic-gate * Openvision retains the copyright to derivative works of
117c478bd9Sstevel@tonic-gate * this source code. Do *NOT* create a derivative of this
127c478bd9Sstevel@tonic-gate * source code before consulting with your legal department.
137c478bd9Sstevel@tonic-gate * Do *NOT* integrate *ANY* of this source code into another
147c478bd9Sstevel@tonic-gate * product before consulting with your legal department.
157c478bd9Sstevel@tonic-gate *
167c478bd9Sstevel@tonic-gate * For further information, read the top-level Openvision
177c478bd9Sstevel@tonic-gate * copyright which is contained in the top-level MIT Kerberos
187c478bd9Sstevel@tonic-gate * copyright.
197c478bd9Sstevel@tonic-gate *
207c478bd9Sstevel@tonic-gate * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
217c478bd9Sstevel@tonic-gate *
227c478bd9Sstevel@tonic-gate */
237c478bd9Sstevel@tonic-gate
247c478bd9Sstevel@tonic-gate
257c478bd9Sstevel@tonic-gate /*
267c478bd9Sstevel@tonic-gate * lib/kadm/alt_prof.c
277c478bd9Sstevel@tonic-gate *
2856a424ccSmp * Copyright 1995,2001 by the Massachusetts Institute of Technology.
297c478bd9Sstevel@tonic-gate * All Rights Reserved.
307c478bd9Sstevel@tonic-gate *
317c478bd9Sstevel@tonic-gate * Export of this software from the United States of America may
327c478bd9Sstevel@tonic-gate * require a specific license from the United States Government.
337c478bd9Sstevel@tonic-gate * It is the responsibility of any person or organization contemplating
347c478bd9Sstevel@tonic-gate * export to obtain such a license before exporting.
357c478bd9Sstevel@tonic-gate *
367c478bd9Sstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
377c478bd9Sstevel@tonic-gate * distribute this software and its documentation for any purpose and
387c478bd9Sstevel@tonic-gate * without fee is hereby granted, provided that the above copyright
397c478bd9Sstevel@tonic-gate * notice appear in all copies and that both that copyright notice and
407c478bd9Sstevel@tonic-gate * this permission notice appear in supporting documentation, and that
417c478bd9Sstevel@tonic-gate * the name of M.I.T. not be used in advertising or publicity pertaining
427c478bd9Sstevel@tonic-gate * to distribution of the software without specific, written prior
4356a424ccSmp * permission. Furthermore if you modify this software you must label
4456a424ccSmp * your software as modified software and not distribute it in such a
4556a424ccSmp * fashion that it might be confused with the original M.I.T. software.
4656a424ccSmp * M.I.T. makes no representations about the suitability of
477c478bd9Sstevel@tonic-gate * this software for any purpose. It is provided "as is" without express
487c478bd9Sstevel@tonic-gate * or implied warranty.
497c478bd9Sstevel@tonic-gate *
507c478bd9Sstevel@tonic-gate */
517c478bd9Sstevel@tonic-gate
527c478bd9Sstevel@tonic-gate /*
537c478bd9Sstevel@tonic-gate * alt_prof.c - Implement alternate profile file handling.
547c478bd9Sstevel@tonic-gate */
55159d09a2SMark Phalan #include "k5-int.h"
567c478bd9Sstevel@tonic-gate #include <kadm5/admin.h>
57159d09a2SMark Phalan #include "adm_proto.h"
587c478bd9Sstevel@tonic-gate #include <stdio.h>
597c478bd9Sstevel@tonic-gate #include <ctype.h>
607c478bd9Sstevel@tonic-gate #include <os-proto.h>
617c478bd9Sstevel@tonic-gate #include <kdb/kdb_log.h>
627c478bd9Sstevel@tonic-gate
/*
 * Legacy K&R-style declaration with no parameter list; the full prototype
 * presumably comes from <kadm5/admin.h> (included above), so this line only
 * restates the symbol and gives the compiler no argument checking here.
 */
krb5_error_code kadm5_free_config_params();

/*
 * Fallback supported_enctypes list (not referenced in the visible part of
 * this file).  NOTE(review): the single-DES and export-grade arcfour entries
 * are weak legacy enctypes retained for interoperability only; a deployment's
 * profile should normally narrow this list.
 */
#define DEFAULT_ENCTYPE_LIST \
"aes256-cts-hmac-sha1-96:normal " \
"aes128-cts-hmac-sha1-96:normal " \
"des3-cbc-hmac-sha1-kd:normal " \
"arcfour-hmac-md5:normal " \
"arcfour-hmac-md5-exp:normal " \
"des-cbc-md5:normal " \
"des-cbc-crc:normal"
737c478bd9Sstevel@tonic-gate
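/*
 * copy_key_salt_tuple() - Return a heap copy of an array of key/salt tuples.
 *
 * Parameters:
 *	ksalt	- array of `len` tuples to duplicate.
 *	len	- number of elements in ksalt.
 *
 * Returns:
 *	newly allocated copy (ownership passes to the caller, free() it), or
 *	NULL when len is negative, the byte count would not fit in size_t, or
 *	the allocation fails.
 */
static krb5_key_salt_tuple *copy_key_salt_tuple(ksalt, len)
    krb5_key_salt_tuple *ksalt;
    krb5_int32 len;
{
    krb5_key_salt_tuple *knew;
    size_t nbytes;

    /*
     * A negative count converts to a huge size_t, and on 32-bit targets a
     * large count can wrap the multiplication to a small allocation that
     * the memcpy below would then overrun; reject both before allocating.
     */
    if (len < 0 || (size_t) len > ((size_t) -1) / sizeof(*knew))
        return NULL;
    nbytes = (size_t) len * sizeof(*knew);

    knew = malloc(nbytes);
    if (knew == NULL)
        return NULL;
    memcpy(knew, ksalt, nbytes);
    return knew;
}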
8756a424ccSmp
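/*
 * krb5_aprof_init() - Initialize alternate profile context.
 *
 * The profile search path is the alternate file -- the value of the
 * environment variable named by `envname` when set, else `fname` -- followed
 * by the default krb5 configuration files, joined with ':'.  Callers that
 * must not honor environment overrides pass envname as NULL.
 *
 * Parameters:
 *	fname		- default file name of the profile (may be NULL).
 *	envname		- environment variable name which can override fname;
 *			  NULL disables the override.
 *	acontextp	- receives the opaque profile context on success.
 *
 * Returns:
 *	0 on success; error codes from krb5_get_default_config_files() or
 *	profile_init_path(); errno (ENOMEM if errno was not set) when the
 *	search path cannot be allocated.
 */
krb5_error_code
krb5_aprof_init(fname, envname, acontextp)
    char *fname;
    char *envname;
    krb5_pointer *acontextp;
{
    krb5_error_code kret;
    profile_t profile;
    const char *kdc_config;
    size_t krb5_config_len, kdc_config_len, pos;
    char *profile_path;
    char **filenames;
    int i;

    kret = krb5_get_default_config_files(&filenames);
    if (kret)
        return kret;

    /* Length of the default files joined with ':', without terminator. */
    krb5_config_len = 0;
    for (i = 0; filenames[i] != NULL; i++)
        krb5_config_len += strlen(filenames[i]) + 1;
    if (i > 0)
        krb5_config_len--;

    /* The environment is consulted only when an override name was given. */
    kdc_config = NULL;
    if (envname != NULL)
        kdc_config = getenv(envname);
    if (kdc_config == NULL)
        kdc_config = fname;
    kdc_config_len = (kdc_config != NULL) ? strlen(kdc_config) : 0;

    /* +2: the ':' between the alternate file and the defaults, plus NUL. */
    profile_path = malloc(2 + krb5_config_len + kdc_config_len);
    if (profile_path == NULL) {
        /* Capture errno before the cleanup call can clobber it. */
        kret = errno;
        krb5_free_config_files(filenames);
        /* malloc() is not required to set errno; never report success. */
        return kret ? kret : ENOMEM;
    }

    pos = 0;
    if (kdc_config_len) {
        memcpy(profile_path, kdc_config, kdc_config_len);
        pos = kdc_config_len;
    }
    if (krb5_config_len) {
        for (i = 0; filenames[i] != NULL; i++) {
            size_t flen = strlen(filenames[i]);

            if (kdc_config_len || i)
                profile_path[pos++] = ':';
            memcpy(profile_path + pos, filenames[i], flen);
            pos += flen;
        }
    }
    profile_path[pos] = '\0';
    krb5_free_config_files(filenames);

    profile = (profile_t) NULL;
    kret = profile_init_path(profile_path, &profile);
    free(profile_path);
    if (kret)
        return kret;
    *acontextp = profile;
    return 0;
}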
1527c478bd9Sstevel@tonic-gate
/*
 * krb5_aprof_getvals() - Get values from alternate profile.
 *
 * Parameters:
 *	acontext	- opaque context for alternate profile.
 *	hierarchy	- NULL-terminated hierarchy of the value to retrieve.
 *	retdata		- receives the NULL-terminated list of values;
 *			  the caller owns and frees it.
 *
 * Returns:
 *	error codes from profile_get_values()
 */
krb5_error_code
krb5_aprof_getvals(acontext, hierarchy, retdata)
    krb5_pointer acontext;
    const char **hierarchy;
    char ***retdata;
{
    profile_t profile = (profile_t) acontext;

    /* Thin wrapper: the profile library performs the lookup and allocation. */
    return profile_get_values(profile, hierarchy, retdata);
}
17456a424ccSmp
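/*
 * string_to_boolean() - Parse a profile boolean token.
 *
 * The token is matched case-insensitively against the accepted spellings
 * in the `yes` and `no` tables below.
 *
 * Parameters:
 *	string	- token to parse; NULL is rejected instead of dereferenced.
 *	out	- receives 1 for a "yes" spelling, 0 for a "no" spelling;
 *		  left untouched on error.
 *
 * Returns:
 *	0 on success, PROF_BAD_BOOLEAN if the token is not recognized.
 */
static krb5_error_code
string_to_boolean (const char *string, krb5_boolean *out)
{
    static const char *const yes[] = { "y", "yes", "true", "t", "1", "on" };
    static const char *const no[] = { "n", "no", "false", "f", "nil", "0", "off" };
    size_t i;

    if (string == NULL)
        return PROF_BAD_BOOLEAN;

    /* size_t index: avoids the signed/unsigned comparison against sizeof. */
    for (i = 0; i < sizeof(yes)/sizeof(yes[0]); i++)
        if (strcasecmp(string, yes[i]) == 0) {
            *out = 1;
            return 0;
        }
    for (i = 0; i < sizeof(no)/sizeof(no[0]); i++)
        if (strcasecmp(string, no[i]) == 0) {
            *out = 0;
            return 0;
        }
    return PROF_BAD_BOOLEAN;
}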
20556a424ccSmp
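/*
 * krb5_aprof_get_boolean() - Get a boolean value from the alternate profile.
 *
 * Parameters:
 *	acontext	- opaque context for alternate profile.
 *	hierarchy	- hierarchy of value to retrieve.
 *	uselast		- if true, use last value, otherwise use the first.
 *	retdata		- returned boolean value (unchanged on error).
 *
 * Returns:
 *	error codes from profile_get_values()
 *	PROF_NO_RELATION if the value list is empty
 *	PROF_BAD_BOOLEAN if the value is not a recognized boolean spelling
 */
krb5_error_code
krb5_aprof_get_boolean(krb5_pointer acontext, const char **hierarchy,
		       int uselast, krb5_boolean *retdata)
{
    krb5_error_code kret;
    char **values;
    char *valp;
    int idx;
    krb5_boolean val = 0;

    kret = krb5_aprof_getvals (acontext, hierarchy, &values);
    if (kret)
        return kret;

    /* Select first or last entry; an empty list must not index values[-1]. */
    idx = 0;
    if (uselast) {
        while (values[idx])
            idx++;
        if (idx > 0)
            idx--;
    }
    valp = values[idx];
    if (valp == NULL)
        kret = PROF_NO_RELATION;
    else
        kret = string_to_boolean (valp, &val);

    /* Free the string storage, as the other getters in this file do. */
    for (idx = 0; values[idx]; idx++)
        krb5_xfree(values[idx]);
    krb5_xfree(values);

    if (kret)
        return kret;
    *retdata = val;
    return 0;
}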
2327c478bd9Sstevel@tonic-gate
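/*
 * krb5_aprof_get_deltat() - Get a delta time value from the alternate
 *			     profile.
 *
 * Parameters:
 *	acontext	- opaque context for alternate profile.
 *	hierarchy	- hierarchy of value to retrieve.
 *	uselast		- if true, use last value, otherwise use
 *			  first value found.
 *	deltatp		- returned delta time value.
 *
 * Returns:
 *	error codes from profile_get_values()
 *	PROF_NO_RELATION if the value list is empty
 *	error codes from krb5_string_to_deltat()
 */
krb5_error_code
krb5_aprof_get_deltat(acontext, hierarchy, uselast, deltatp)
    krb5_pointer acontext;
    const char **hierarchy;
    krb5_boolean uselast;
    krb5_deltat *deltatp;
{
    krb5_error_code kret;
    char **values;
    char *valp;
    int idx;

    kret = krb5_aprof_getvals(acontext, hierarchy, &values);
    if (kret)
        return kret;

    /* Select first or last entry; an empty list must not index values[-1]. */
    idx = 0;
    if (uselast) {
        for (idx = 0; values[idx]; idx++)
            ;
        if (idx > 0)
            idx--;
    }
    valp = values[idx];
    if (valp == NULL)
        kret = PROF_NO_RELATION;
    else
        kret = krb5_string_to_deltat(valp, deltatp);

    /* Free the string storage */
    for (idx = 0; values[idx]; idx++)
        krb5_xfree(values[idx]);
    krb5_xfree(values);
    return kret;
}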
2767c478bd9Sstevel@tonic-gate
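/*
 * krb5_aprof_get_string() - Get a string value from the alternate
 *			     profile.
 *
 * Parameters:
 *	acontext	- opaque context for alternate profile.
 *	hierarchy	- hierarchy of value to retrieve.
 *	uselast		- if true, use last value, otherwise use
 *			  first value found.
 *	stringp		- returned string value; the caller owns it and
 *			  releases it with krb5_xfree().  Unchanged on error.
 *
 * Returns:
 *	error codes from profile_get_values()
 *	PROF_NO_RELATION if the value list is empty
 */
krb5_error_code
krb5_aprof_get_string(acontext, hierarchy, uselast, stringp)
    krb5_pointer acontext;
    const char **hierarchy;
    krb5_boolean uselast;
    char **stringp;
{
    krb5_error_code kret;
    char **values;
    int idx, i;

    kret = krb5_aprof_getvals(acontext, hierarchy, &values);
    if (kret)
        return kret;

    /* Select first or last entry; an empty list must not index values[-1]. */
    idx = 0;
    if (uselast) {
        for (idx = 0; values[idx]; idx++)
            ;
        if (idx > 0)
            idx--;
    }

    if (values[idx] == NULL)
        kret = PROF_NO_RELATION;
    else
        *stringp = values[idx];	/* ownership of this one entry moves out */

    /* Free the string storage except the entry handed to the caller. */
    for (i = 0; values[i]; i++)
        if (i != idx)
            krb5_xfree(values[i]);
    krb5_xfree(values);
    return kret;
}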
3197c478bd9Sstevel@tonic-gate
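/*
 * krb5_aprof_get_int32() - Get a 32-bit integer value from the alternate
 *			    profile.
 *
 * The value must be a decimal integer that fits in krb5_int32; leading
 * whitespace and a sign are accepted, trailing whitespace is ignored, and
 * any other trailing text or an out-of-range value is rejected (the previous
 * sscanf("%d") accepted trailing junk and had undefined behavior on overflow).
 *
 * Parameters:
 *	acontext	- opaque context for alternate profile.
 *	hierarchy	- hierarchy of value to retrieve.
 *	uselast		- if true, use last value, otherwise use
 *			  first value found.
 *	intp		- returned 32-bit integer value (unchanged on error).
 *
 * Returns:
 *	error codes from profile_get_values()
 *	PROF_NO_RELATION if the value list is empty
 *	EINVAL - value is not an integer in range
 */
krb5_error_code
krb5_aprof_get_int32(acontext, hierarchy, uselast, intp)
    krb5_pointer acontext;
    const char **hierarchy;
    krb5_boolean uselast;
    krb5_int32 *intp;
{
    krb5_error_code kret;
    char **values;
    char *valp;
    int idx;

    kret = krb5_aprof_getvals(acontext, hierarchy, &values);
    if (kret)
        return kret;

    /* Select first or last entry; an empty list must not index values[-1]. */
    idx = 0;
    if (uselast) {
        for (idx = 0; values[idx]; idx++)
            ;
        if (idx > 0)
            idx--;
    }

    valp = values[idx];
    if (valp == NULL) {
        kret = PROF_NO_RELATION;
    } else {
        char *end;
        long v;

        errno = 0;
        v = strtol(valp, &end, 10);
        /* Tolerate trailing blanks only; anything else is not an integer. */
        while (*end != '\0' && isspace((unsigned char) *end))
            end++;
        if (end == valp || *end != '\0' || errno == ERANGE
            || v < KRB5_INT32_MIN || v > KRB5_INT32_MAX)
            kret = EINVAL;
        else
            *intp = (krb5_int32) v;
    }

    /* Free the string storage */
    for (idx = 0; values[idx]; idx++)
        krb5_xfree(values[idx]);
    krb5_xfree(values);
    return kret;
}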
3637c478bd9Sstevel@tonic-gate
/*
 * krb5_aprof_finish() - Finish alternate profile context.
 *
 * Parameter:
 *	acontext	- opaque context for alternate profile, as returned
 *			  by krb5_aprof_init(); invalid after this call.
 *
 * Returns:
 *	0 (the underlying release does not report failure).
 */
krb5_error_code
krb5_aprof_finish(acontext)
    krb5_pointer acontext;
{
    profile_t profile = (profile_t) acontext;

    profile_release(profile);
    return 0;
}
3807c478bd9Sstevel@tonic-gate
3817c478bd9Sstevel@tonic-gate /*
3827c478bd9Sstevel@tonic-gate * Function: kadm5_get_config_params
3837c478bd9Sstevel@tonic-gate *
3847c478bd9Sstevel@tonic-gate * Purpose: Merge configuration parameters provided by the caller with
3857c478bd9Sstevel@tonic-gate * values specified in configuration files and with default values.
3867c478bd9Sstevel@tonic-gate *
3877c478bd9Sstevel@tonic-gate * Arguments:
3887c478bd9Sstevel@tonic-gate *
38956a424ccSmp * context (r) krb5_context to use
 * use_kdc_config (r) non-zero to read the KDC profile (DEFAULT_KDC_PROFILE,
 *                    overridable via KDC_PROFILE_ENV), zero to read the
 *                    client profile (DEFAULT_PROFILE_PATH, overridable via
 *                    KRB5_CONFIG); the environment override is disabled
 *                    when context->profile_secure is TRUE
39356a424ccSmp * params_in (r) params structure containing user-supplied
3947c478bd9Sstevel@tonic-gate * values, or NULL
39556a424ccSmp * params_out (w) params structure to be filled in
3967c478bd9Sstevel@tonic-gate *
3977c478bd9Sstevel@tonic-gate * Effects:
3987c478bd9Sstevel@tonic-gate *
3997c478bd9Sstevel@tonic-gate * The fields and mask of params_out are filled in with values
4007c478bd9Sstevel@tonic-gate * obtained from params_in, the specified profile, and default
4017c478bd9Sstevel@tonic-gate * values. Only and all fields specified in params_out->mask are
4027c478bd9Sstevel@tonic-gate * set. The context of params_out must be freed with
4037c478bd9Sstevel@tonic-gate * kadm5_free_config_params.
4047c478bd9Sstevel@tonic-gate *
4057c478bd9Sstevel@tonic-gate * params_in and params_out may be the same pointer. However, all pointers
4067c478bd9Sstevel@tonic-gate * in params_in for which the mask is set will be re-assigned to newly copied
4077c478bd9Sstevel@tonic-gate * versions, overwriting the old pointer value.
4087c478bd9Sstevel@tonic-gate */
kadm5_get_config_params(context,use_kdc_config,params_in,params_out)409159d09a2SMark Phalan krb5_error_code kadm5_get_config_params(context, use_kdc_config,
4107c478bd9Sstevel@tonic-gate params_in, params_out)
41156a424ccSmp krb5_context context;
412159d09a2SMark Phalan int use_kdc_config;
41356a424ccSmp kadm5_config_params *params_in, *params_out;
4147c478bd9Sstevel@tonic-gate {
41556a424ccSmp char *filename;
41656a424ccSmp char *envname;
41756a424ccSmp char *lrealm;
41856a424ccSmp krb5_pointer aprofile = 0;
41956a424ccSmp const char *hierarchy[4];
42056a424ccSmp char *svalue;
42156a424ccSmp krb5_int32 ivalue;
42256a424ccSmp kadm5_config_params params, empty_params;
42356a424ccSmp
42456a424ccSmp krb5_error_code kret = 0;
425159d09a2SMark Phalan krb5_error_code dnsret = 1;
4267c478bd9Sstevel@tonic-gate
4277c478bd9Sstevel@tonic-gate #ifdef KRB5_DNS_LOOKUP
4287c478bd9Sstevel@tonic-gate char dns_host[MAX_DNS_NAMELEN];
4297c478bd9Sstevel@tonic-gate unsigned short dns_portno;
4307c478bd9Sstevel@tonic-gate krb5_data dns_realm;
431eda50310Smp memset((char *)&dns_realm, 0, sizeof (dns_realm));
4327c478bd9Sstevel@tonic-gate #endif /* KRB5_DNS_LOOKUP */
4337c478bd9Sstevel@tonic-gate
43456a424ccSmp memset((char *) ¶ms, 0, sizeof(params));
43556a424ccSmp memset((char *) &empty_params, 0, sizeof(empty_params));
43656a424ccSmp
43756a424ccSmp if (params_in == NULL) params_in = &empty_params;
43856a424ccSmp
43956a424ccSmp if (params_in->mask & KADM5_CONFIG_REALM) {
44056a424ccSmp lrealm = params.realm = strdup(params_in->realm);
44156a424ccSmp if (params.realm)
44256a424ccSmp params.mask |= KADM5_CONFIG_REALM;
44356a424ccSmp } else {
44456a424ccSmp kret = krb5_get_default_realm(context, &lrealm);
44556a424ccSmp if (kret)
44656a424ccSmp goto cleanup;
44756a424ccSmp params.realm = lrealm;
44856a424ccSmp params.mask |= KADM5_CONFIG_REALM;
44956a424ccSmp }
450159d09a2SMark Phalan /*
451159d09a2SMark Phalan * XXX These defaults should to work on both client and
452159d09a2SMark Phalan * server. kadm5_get_config_params can be implemented as a
453159d09a2SMark Phalan * wrapper function in each library that provides correct
454159d09a2SMark Phalan * defaults for NULL values.
455159d09a2SMark Phalan */
456159d09a2SMark Phalan if (use_kdc_config) {
457159d09a2SMark Phalan filename = DEFAULT_KDC_PROFILE;
458159d09a2SMark Phalan envname = KDC_PROFILE_ENV;
45956a424ccSmp } else {
460159d09a2SMark Phalan filename = DEFAULT_PROFILE_PATH;
461159d09a2SMark Phalan envname = "KRB5_CONFIG";
46256a424ccSmp }
463159d09a2SMark Phalan if (context->profile_secure == TRUE) envname = 0;
46456a424ccSmp
46556a424ccSmp kret = krb5_aprof_init(filename, envname, &aprofile);
46656a424ccSmp if (kret)
46756a424ccSmp goto cleanup;
468*55fea89dSDan Cross
46956a424ccSmp /* Initialize realm parameters */
47056a424ccSmp hierarchy[0] = "realms";
47156a424ccSmp hierarchy[1] = lrealm;
47256a424ccSmp hierarchy[3] = (char *) NULL;
4737c478bd9Sstevel@tonic-gate
4747c478bd9Sstevel@tonic-gate #ifdef KRB5_DNS_LOOKUP
4757c478bd9Sstevel@tonic-gate /*
4767c478bd9Sstevel@tonic-gate * Initialize realm info for (possible) DNS lookups.
4777c478bd9Sstevel@tonic-gate */
4787c478bd9Sstevel@tonic-gate dns_realm.data = strdup(lrealm);
4797c478bd9Sstevel@tonic-gate dns_realm.length = strlen(lrealm);
4807c478bd9Sstevel@tonic-gate dns_realm.magic = 0;
4817c478bd9Sstevel@tonic-gate #endif /* KRB5_DNS_LOOKUP */
4827c478bd9Sstevel@tonic-gate
48356a424ccSmp /* Get the value for the admin server */
48456a424ccSmp hierarchy[2] = "admin_server";
48556a424ccSmp if (params_in->mask & KADM5_CONFIG_ADMIN_SERVER) {
48656a424ccSmp params.admin_server = strdup(params_in->admin_server);
48756a424ccSmp if (params.admin_server)
48856a424ccSmp params.mask |= KADM5_CONFIG_ADMIN_SERVER;
48956a424ccSmp } else if (aprofile &&
49056a424ccSmp !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
49156a424ccSmp params.admin_server = svalue;
49256a424ccSmp params.mask |= KADM5_CONFIG_ADMIN_SERVER;
49356a424ccSmp }
4947c478bd9Sstevel@tonic-gate #ifdef KRB5_DNS_LOOKUP
4957c478bd9Sstevel@tonic-gate else if (strcmp(envname, "KRB5_CONFIG") == 0) {
4967c478bd9Sstevel@tonic-gate /*
4977c478bd9Sstevel@tonic-gate * Solaris Kerberos: only do DNS lookup for admin_server if this
4987c478bd9Sstevel@tonic-gate * is a krb5.conf type of config file. Note, the filename may
4997c478bd9Sstevel@tonic-gate * not be /etc/krb5/krb5.conf so we assume that the KRB5_CONFIG
5007c478bd9Sstevel@tonic-gate * envname string will consistently indicate the type of config
5017c478bd9Sstevel@tonic-gate * file.
5027c478bd9Sstevel@tonic-gate */
5037c478bd9Sstevel@tonic-gate dnsret = krb5_get_servername(context, &dns_realm,
5047c478bd9Sstevel@tonic-gate "_kerberos-adm", "_udp",
5057c478bd9Sstevel@tonic-gate dns_host, &dns_portno);
5067c478bd9Sstevel@tonic-gate if (dnsret == 0) {
5077c478bd9Sstevel@tonic-gate params.admin_server = strdup(dns_host);
5087c478bd9Sstevel@tonic-gate if (params.admin_server)
5097c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_ADMIN_SERVER;
5107c478bd9Sstevel@tonic-gate params.kadmind_port = dns_portno;
5117c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_KADMIND_PORT;
5127c478bd9Sstevel@tonic-gate }
5137c478bd9Sstevel@tonic-gate }
5147c478bd9Sstevel@tonic-gate #endif /* KRB5_DNS_LOOKUP */
5157c478bd9Sstevel@tonic-gate
51656a424ccSmp if ((params.mask & KADM5_CONFIG_ADMIN_SERVER) && dnsret) {
51756a424ccSmp char *p;
51856a424ccSmp p = strchr(params.admin_server, ':');
51956a424ccSmp if (p) {
52056a424ccSmp params.kadmind_port = atoi(p+1);
52156a424ccSmp params.mask |= KADM5_CONFIG_KADMIND_PORT;
52256a424ccSmp *p = '\0';
52356a424ccSmp }
52456a424ccSmp }
52556a424ccSmp
52656a424ccSmp /* Get the value for the database */
52756a424ccSmp hierarchy[2] = "database_name";
52856a424ccSmp if (params_in->mask & KADM5_CONFIG_DBNAME) {
52956a424ccSmp params.dbname = strdup(params_in->dbname);
53056a424ccSmp if (params.dbname)
53156a424ccSmp params.mask |= KADM5_CONFIG_DBNAME;
53256a424ccSmp } else if (aprofile &&
53356a424ccSmp !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
53456a424ccSmp params.dbname = svalue;
53556a424ccSmp params.mask |= KADM5_CONFIG_DBNAME;
53656a424ccSmp } else {
53756a424ccSmp params.dbname = strdup(DEFAULT_KDB_FILE);
538*55fea89dSDan Cross if (params.dbname)
53956a424ccSmp params.mask |= KADM5_CONFIG_DBNAME;
54056a424ccSmp }
54156a424ccSmp
54256a424ccSmp /*
54356a424ccSmp * admin database name and lockfile are now always derived from dbname
54456a424ccSmp */
54556a424ccSmp if (params.mask & KADM5_CONFIG_DBNAME) {
54656a424ccSmp params.admin_dbname = (char *) malloc(strlen(params.dbname) + 7);
54756a424ccSmp if (params.admin_dbname) {
54856a424ccSmp sprintf(params.admin_dbname, "%s.kadm5", params.dbname);
54956a424ccSmp params.mask |= KADM5_CONFIG_ADBNAME;
55056a424ccSmp }
55156a424ccSmp }
55256a424ccSmp
55356a424ccSmp if (params.mask & KADM5_CONFIG_ADBNAME) {
55456a424ccSmp params.admin_lockfile = (char *) malloc(strlen(params.admin_dbname)
55556a424ccSmp + 6);
55656a424ccSmp if (params.admin_lockfile) {
55756a424ccSmp sprintf(params.admin_lockfile, "%s.lock", params.admin_dbname);
55856a424ccSmp params.mask |= KADM5_CONFIG_ADB_LOCKFILE;
55956a424ccSmp }
56056a424ccSmp }
561*55fea89dSDan Cross
56256a424ccSmp /* Get the value for the admin (policy) database lock file*/
56356a424ccSmp hierarchy[2] = "admin_keytab";
56456a424ccSmp if (params_in->mask & KADM5_CONFIG_ADMIN_KEYTAB) {
56556a424ccSmp params.admin_keytab = strdup(params_in->admin_keytab);
56656a424ccSmp if (params.admin_keytab)
56756a424ccSmp params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
56856a424ccSmp } else if (aprofile &&
56956a424ccSmp !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
57056a424ccSmp params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
57156a424ccSmp params.admin_keytab = svalue;
57256a424ccSmp } else if ((params.admin_keytab = (char *) getenv("KRB5_KTNAME"))) {
57356a424ccSmp params.admin_keytab = strdup(params.admin_keytab);
57456a424ccSmp if (params.admin_keytab)
57556a424ccSmp params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
57656a424ccSmp } else {
57756a424ccSmp params.admin_keytab = strdup(DEFAULT_KADM5_KEYTAB);
57856a424ccSmp if (params.admin_keytab)
57956a424ccSmp params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
58056a424ccSmp }
581*55fea89dSDan Cross
58256a424ccSmp /* Get the name of the acl file */
58356a424ccSmp hierarchy[2] = "acl_file";
58456a424ccSmp if (params_in->mask & KADM5_CONFIG_ACL_FILE) {
58556a424ccSmp params.acl_file = strdup(params_in->acl_file);
58656a424ccSmp if (params.acl_file)
58756a424ccSmp params.mask |= KADM5_CONFIG_ACL_FILE;
58856a424ccSmp } else if (aprofile &&
58956a424ccSmp !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
59056a424ccSmp params.mask |= KADM5_CONFIG_ACL_FILE;
59156a424ccSmp params.acl_file = svalue;
59256a424ccSmp } else {
59356a424ccSmp params.acl_file = strdup(DEFAULT_KADM5_ACL_FILE);
59456a424ccSmp if (params.acl_file)
59556a424ccSmp params.mask |= KADM5_CONFIG_ACL_FILE;
59656a424ccSmp }
597*55fea89dSDan Cross
59856a424ccSmp /* Get the name of the dict file */
59956a424ccSmp hierarchy[2] = "dict_file";
60056a424ccSmp if (params_in->mask & KADM5_CONFIG_DICT_FILE) {
60156a424ccSmp params.dict_file = strdup(params_in->dict_file);
60256a424ccSmp if (params.dict_file)
60356a424ccSmp params.mask |= KADM5_CONFIG_DICT_FILE;
60456a424ccSmp } else if (aprofile &&
60556a424ccSmp !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
60656a424ccSmp params.mask |= KADM5_CONFIG_DICT_FILE;
60756a424ccSmp params.dict_file = svalue;
60856a424ccSmp }
609*55fea89dSDan Cross
61056a424ccSmp /* Get the value for the kadmind port */
61156a424ccSmp if (! (params.mask & KADM5_CONFIG_KADMIND_PORT)) {
61256a424ccSmp hierarchy[2] = "kadmind_port";
61356a424ccSmp if (params_in->mask & KADM5_CONFIG_KADMIND_PORT) {
61456a424ccSmp params.mask |= KADM5_CONFIG_KADMIND_PORT;
61556a424ccSmp params.kadmind_port = params_in->kadmind_port;
61656a424ccSmp } else if (aprofile &&
61756a424ccSmp !krb5_aprof_get_int32(aprofile, hierarchy, TRUE,
618*55fea89dSDan Cross &ivalue)) {
61956a424ccSmp params.kadmind_port = ivalue;
62056a424ccSmp params.mask |= KADM5_CONFIG_KADMIND_PORT;
62156a424ccSmp } else {
62256a424ccSmp params.kadmind_port = DEFAULT_KADM5_PORT;
62356a424ccSmp params.mask |= KADM5_CONFIG_KADMIND_PORT;
62456a424ccSmp }
62556a424ccSmp }
626*55fea89dSDan Cross
62756a424ccSmp /* Get the value for the kpasswd port */
62856a424ccSmp if (! (params.mask & KADM5_CONFIG_KPASSWD_PORT)) {
62956a424ccSmp hierarchy[2] = "kpasswd_port";
63056a424ccSmp if (params_in->mask & KADM5_CONFIG_KPASSWD_PORT) {
63156a424ccSmp params.mask |= KADM5_CONFIG_KPASSWD_PORT;
63256a424ccSmp params.kpasswd_port = params_in->kpasswd_port;
6337c478bd9Sstevel@tonic-gate } else if (aprofile &&
63456a424ccSmp !krb5_aprof_get_int32(aprofile, hierarchy, TRUE,
635*55fea89dSDan Cross &ivalue)) {
63656a424ccSmp params.kpasswd_port = ivalue;
63756a424ccSmp params.mask |= KADM5_CONFIG_KPASSWD_PORT;
6387c478bd9Sstevel@tonic-gate } else {
63956a424ccSmp params.kpasswd_port = DEFAULT_KPASSWD_PORT;
64056a424ccSmp params.mask |= KADM5_CONFIG_KPASSWD_PORT;
6417c478bd9Sstevel@tonic-gate }
64256a424ccSmp }
643*55fea89dSDan Cross
64456a424ccSmp /* Get the value for the master key name */
64556a424ccSmp hierarchy[2] = "master_key_name";
64656a424ccSmp if (params_in->mask & KADM5_CONFIG_MKEY_NAME) {
64756a424ccSmp params.mkey_name = strdup(params_in->mkey_name);
64856a424ccSmp if (params.mkey_name)
64956a424ccSmp params.mask |= KADM5_CONFIG_MKEY_NAME;
65056a424ccSmp } else if (aprofile &&
65156a424ccSmp !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
65256a424ccSmp params.mask |= KADM5_CONFIG_MKEY_NAME;
65356a424ccSmp params.mkey_name = svalue;
65456a424ccSmp }
655*55fea89dSDan Cross
65656a424ccSmp /* Get the value for the master key type */
65756a424ccSmp hierarchy[2] = "master_key_type";
65856a424ccSmp if (params_in->mask & KADM5_CONFIG_ENCTYPE) {
65956a424ccSmp params.mask |= KADM5_CONFIG_ENCTYPE;
66056a424ccSmp params.enctype = params_in->enctype;
66156a424ccSmp } else if (aprofile &&
66256a424ccSmp !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
66356a424ccSmp if (!krb5_string_to_enctype(svalue, ¶ms.enctype)) {
66456a424ccSmp params.mask |= KADM5_CONFIG_ENCTYPE;
66556a424ccSmp krb5_xfree(svalue);
66656a424ccSmp }
66756a424ccSmp } else {
66856a424ccSmp params.mask |= KADM5_CONFIG_ENCTYPE;
66956a424ccSmp params.enctype = DEFAULT_KDC_ENCTYPE;
67056a424ccSmp }
671*55fea89dSDan Cross
67256a424ccSmp /* Get the value for mkey_from_kbd */
67356a424ccSmp if (params_in->mask & KADM5_CONFIG_MKEY_FROM_KBD) {
67456a424ccSmp params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
67556a424ccSmp params.mkey_from_kbd = params_in->mkey_from_kbd;
67656a424ccSmp }
677*55fea89dSDan Cross
67856a424ccSmp /* Get the value for the stashfile */
67956a424ccSmp hierarchy[2] = "key_stash_file";
68056a424ccSmp if (params_in->mask & KADM5_CONFIG_STASH_FILE) {
68156a424ccSmp params.stash_file = strdup(params_in->stash_file);
68256a424ccSmp if (params.stash_file)
68356a424ccSmp params.mask |= KADM5_CONFIG_STASH_FILE;
68456a424ccSmp } else if (aprofile &&
68556a424ccSmp !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
68656a424ccSmp params.mask |= KADM5_CONFIG_STASH_FILE;
68756a424ccSmp params.stash_file = svalue;
68856a424ccSmp }
689*55fea89dSDan Cross
690159d09a2SMark Phalan /*
691159d09a2SMark Phalan * Solaris Kerberos
692*55fea89dSDan Cross * Get the value for maximum ticket lifetime.
6937c478bd9Sstevel@tonic-gate * See SEAM documentation or the Bug ID 4184504
6947c478bd9Sstevel@tonic-gate * We have changed the logic so that the entries are
6957c478bd9Sstevel@tonic-gate * created in the database with the maximum duration
6967c478bd9Sstevel@tonic-gate * for life and renew life KRB5_INT32_MAX
6977c478bd9Sstevel@tonic-gate * However this wil get negotiated down when
6987c478bd9Sstevel@tonic-gate * as or tgs request is processed by KDC.
6997c478bd9Sstevel@tonic-gate */
70056a424ccSmp hierarchy[2] = "max_life";
70156a424ccSmp if (params_in->mask & KADM5_CONFIG_MAX_LIFE) {
70256a424ccSmp params.mask |= KADM5_CONFIG_MAX_LIFE;
70356a424ccSmp params.max_life = params_in->max_life;
70456a424ccSmp } else {
70556a424ccSmp params.max_life = KRB5_INT32_MAX;
70656a424ccSmp params.mask |= KADM5_CONFIG_MAX_LIFE;
707*55fea89dSDan Cross }
708*55fea89dSDan Cross
70956a424ccSmp /* Get the value for maximum renewable ticket lifetime. */
71056a424ccSmp hierarchy[2] = "max_renewable_life";
71156a424ccSmp if (params_in->mask & KADM5_CONFIG_MAX_RLIFE) {
71256a424ccSmp params.mask |= KADM5_CONFIG_MAX_RLIFE;
71356a424ccSmp params.max_rlife = params_in->max_rlife;
71456a424ccSmp } else {
71556a424ccSmp params.max_rlife = KRB5_INT32_MAX;
71656a424ccSmp params.mask |= KADM5_CONFIG_MAX_RLIFE;
71756a424ccSmp }
718*55fea89dSDan Cross
71956a424ccSmp /* Get the value for the default principal expiration */
72056a424ccSmp hierarchy[2] = "default_principal_expiration";
72156a424ccSmp if (params_in->mask & KADM5_CONFIG_EXPIRATION) {
72256a424ccSmp params.mask |= KADM5_CONFIG_EXPIRATION;
72356a424ccSmp params.expiration = params_in->expiration;
72456a424ccSmp } else if (aprofile &&
72556a424ccSmp !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
72656a424ccSmp if (!krb5_string_to_timestamp(svalue, ¶ms.expiration)) {
72756a424ccSmp params.mask |= KADM5_CONFIG_EXPIRATION;
72856a424ccSmp krb5_xfree(svalue);
72956a424ccSmp }
73056a424ccSmp } else {
73156a424ccSmp params.mask |= KADM5_CONFIG_EXPIRATION;
73256a424ccSmp params.expiration = 0;
73356a424ccSmp }
734*55fea89dSDan Cross
73556a424ccSmp /* Get the value for the default principal flags */
73656a424ccSmp hierarchy[2] = "default_principal_flags";
73756a424ccSmp if (params_in->mask & KADM5_CONFIG_FLAGS) {
73856a424ccSmp params.mask |= KADM5_CONFIG_FLAGS;
73956a424ccSmp params.flags = params_in->flags;
74056a424ccSmp } else if (aprofile &&
74156a424ccSmp !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
74256a424ccSmp char *sp, *ep, *tp;
743*55fea89dSDan Cross
74456a424ccSmp sp = svalue;
74556a424ccSmp params.flags = 0;
74656a424ccSmp while (sp) {
74756a424ccSmp if ((ep = strchr(sp, (int) ',')) ||
74856a424ccSmp (ep = strchr(sp, (int) ' ')) ||
74956a424ccSmp (ep = strchr(sp, (int) '\t'))) {
75056a424ccSmp /* Fill in trailing whitespace of sp */
75156a424ccSmp tp = ep - 1;
75256a424ccSmp while (isspace((int) *tp) && (tp > sp)) {
75356a424ccSmp *tp = '\0';
75456a424ccSmp tp--;
75556a424ccSmp }
75656a424ccSmp *ep = '\0';
75756a424ccSmp ep++;
75856a424ccSmp /* Skip over trailing whitespace of ep */
75956a424ccSmp while (isspace((int) *ep) && (*ep)) ep++;
76056a424ccSmp }
76156a424ccSmp /* Convert this flag */
76256a424ccSmp if (krb5_string_to_flags(sp,
76356a424ccSmp "+",
76456a424ccSmp "-",
76556a424ccSmp ¶ms.flags))
76656a424ccSmp break;
76756a424ccSmp sp = ep;
76856a424ccSmp }
76956a424ccSmp if (!sp)
77056a424ccSmp params.mask |= KADM5_CONFIG_FLAGS;
77156a424ccSmp krb5_xfree(svalue);
77256a424ccSmp } else {
77356a424ccSmp params.mask |= KADM5_CONFIG_FLAGS;
77456a424ccSmp params.flags = KRB5_KDB_DEF_FLAGS;
77556a424ccSmp }
77656a424ccSmp
77756a424ccSmp /* Get the value for the supported enctype/salttype matrix */
77856a424ccSmp hierarchy[2] = "supported_enctypes";
77956a424ccSmp if (params_in->mask & KADM5_CONFIG_ENCTYPES) {
7807c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_ENCTYPES;
7817c478bd9Sstevel@tonic-gate if (params_in->num_keysalts > 0) {
7827c478bd9Sstevel@tonic-gate params.keysalts = malloc(params_in->num_keysalts *
7837c478bd9Sstevel@tonic-gate sizeof (*params.keysalts));
7847c478bd9Sstevel@tonic-gate if (params.keysalts == NULL) {
7857c478bd9Sstevel@tonic-gate kret = ENOMEM;
7867c478bd9Sstevel@tonic-gate goto cleanup;
7877c478bd9Sstevel@tonic-gate }
7887c478bd9Sstevel@tonic-gate (void) memcpy(params.keysalts, params_in->keysalts,
7897c478bd9Sstevel@tonic-gate (params_in->num_keysalts *
7907c478bd9Sstevel@tonic-gate sizeof (*params.keysalts)));
79156a424ccSmp params.num_keysalts = params_in->num_keysalts;
79256a424ccSmp }
79356a424ccSmp } else {
79456a424ccSmp svalue = NULL;
79556a424ccSmp if (aprofile)
79656a424ccSmp krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
79756a424ccSmp if (svalue == NULL)
79856a424ccSmp svalue = strdup(DEFAULT_ENCTYPE_LIST);
79956a424ccSmp
80056a424ccSmp params.keysalts = NULL;
80156a424ccSmp params.num_keysalts = 0;
80256a424ccSmp krb5_string_to_keysalts(svalue,
80356a424ccSmp ", \t",/* Tuple separators */
80456a424ccSmp ":.-", /* Key/salt separators */
80556a424ccSmp 0, /* No duplicates */
80656a424ccSmp ¶ms.keysalts,
80756a424ccSmp ¶ms.num_keysalts);
80856a424ccSmp if (params.num_keysalts)
80956a424ccSmp params.mask |= KADM5_CONFIG_ENCTYPES;
81056a424ccSmp
81156a424ccSmp if (svalue)
81256a424ccSmp krb5_xfree(svalue);
81356a424ccSmp }
8147c478bd9Sstevel@tonic-gate
8157c478bd9Sstevel@tonic-gate hierarchy[2] = "kpasswd_server";
8167c478bd9Sstevel@tonic-gate if (params_in->mask & KADM5_CONFIG_KPASSWD_SERVER) {
8177c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_KPASSWD_SERVER;
8187c478bd9Sstevel@tonic-gate params.kpasswd_server = strdup(params_in->kpasswd_server);
8197c478bd9Sstevel@tonic-gate } else {
8207c478bd9Sstevel@tonic-gate svalue = NULL;
8217c478bd9Sstevel@tonic-gate
8227c478bd9Sstevel@tonic-gate if (aprofile)
8237c478bd9Sstevel@tonic-gate krb5_aprof_get_string(aprofile, hierarchy,
8247c478bd9Sstevel@tonic-gate TRUE, &svalue);
8257c478bd9Sstevel@tonic-gate if (svalue == NULL) {
8267c478bd9Sstevel@tonic-gate #ifdef KRB5_DNS_LOOKUP
8277c478bd9Sstevel@tonic-gate if (strcmp(envname, "KRB5_CONFIG") == 0) {
8287c478bd9Sstevel@tonic-gate /*
8297c478bd9Sstevel@tonic-gate * Solaris Kerberos: only do DNS lookup for
8307c478bd9Sstevel@tonic-gate * kpasswd_server if this is a krb5.conf type of
8317c478bd9Sstevel@tonic-gate * config file. Note, the filename may not be
8327c478bd9Sstevel@tonic-gate * /etc/krb5/krb5.conf so we assume that the
8337c478bd9Sstevel@tonic-gate * KRB5_CONFIG envname string will consistently
8347c478bd9Sstevel@tonic-gate * indicate the type of config file.
8357c478bd9Sstevel@tonic-gate */
8367c478bd9Sstevel@tonic-gate dnsret = krb5_get_servername(context,
8377c478bd9Sstevel@tonic-gate &dns_realm, "_kpasswd", "_udp",
8387c478bd9Sstevel@tonic-gate dns_host, &dns_portno);
8397c478bd9Sstevel@tonic-gate
8407c478bd9Sstevel@tonic-gate if (dnsret == 0) {
8417c478bd9Sstevel@tonic-gate params.kpasswd_server =
8427c478bd9Sstevel@tonic-gate strdup(dns_host);
8437c478bd9Sstevel@tonic-gate if (params.kpasswd_server) {
8447c478bd9Sstevel@tonic-gate params.mask |=
8457c478bd9Sstevel@tonic-gate KADM5_CONFIG_KPASSWD_SERVER;
8467c478bd9Sstevel@tonic-gate }
8477c478bd9Sstevel@tonic-gate params.kpasswd_port = dns_portno;
8487c478bd9Sstevel@tonic-gate params.mask |=
8497c478bd9Sstevel@tonic-gate KADM5_CONFIG_KPASSWD_PORT;
8507c478bd9Sstevel@tonic-gate }
8517c478bd9Sstevel@tonic-gate }
8527c478bd9Sstevel@tonic-gate #endif /* KRB5_DNS_LOOKUP */
8537c478bd9Sstevel@tonic-gate
8547c478bd9Sstevel@tonic-gate /*
8557c478bd9Sstevel@tonic-gate * If a unique 'kpasswd_server' is not specified,
8567c478bd9Sstevel@tonic-gate * use the normal 'admin_server'.
8577c478bd9Sstevel@tonic-gate */
8587c478bd9Sstevel@tonic-gate if ((params.mask & KADM5_CONFIG_ADMIN_SERVER) &&
8597c478bd9Sstevel@tonic-gate dnsret) {
8607c478bd9Sstevel@tonic-gate params.kpasswd_server =
8617c478bd9Sstevel@tonic-gate strdup(params.admin_server);
8627c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_KPASSWD_SERVER;
8637c478bd9Sstevel@tonic-gate }
8647c478bd9Sstevel@tonic-gate } else {
8657c478bd9Sstevel@tonic-gate char *p;
8667c478bd9Sstevel@tonic-gate params.kpasswd_server = svalue;
8677c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_KPASSWD_SERVER;
8687c478bd9Sstevel@tonic-gate
8697c478bd9Sstevel@tonic-gate if ((p = strchr(params.kpasswd_server, ':'))) {
8707c478bd9Sstevel@tonic-gate params.kpasswd_port = atoi(p+1);
8717c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_KPASSWD_PORT;
8727c478bd9Sstevel@tonic-gate *p = '\0';
8737c478bd9Sstevel@tonic-gate }
8747c478bd9Sstevel@tonic-gate }
8757c478bd9Sstevel@tonic-gate }
8767c478bd9Sstevel@tonic-gate
8777c478bd9Sstevel@tonic-gate hierarchy[2] = "kpasswd_protocol";
8787c478bd9Sstevel@tonic-gate
8797c478bd9Sstevel@tonic-gate /* default to current RPCSEC_GSS protocol */
8807c478bd9Sstevel@tonic-gate params.kpasswd_protocol = KRB5_CHGPWD_RPCSEC;
8817c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_KPASSWD_PROTOCOL;
8827c478bd9Sstevel@tonic-gate
8837c478bd9Sstevel@tonic-gate if (params_in->mask & KADM5_CONFIG_KPASSWD_PROTOCOL) {
8847c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_KPASSWD_PROTOCOL;
8857c478bd9Sstevel@tonic-gate params.kpasswd_protocol = params_in->kpasswd_protocol;
8867c478bd9Sstevel@tonic-gate } else {
8877c478bd9Sstevel@tonic-gate svalue = NULL;
8887c478bd9Sstevel@tonic-gate
8897c478bd9Sstevel@tonic-gate if (aprofile)
8907c478bd9Sstevel@tonic-gate krb5_aprof_get_string(aprofile, hierarchy,
8917c478bd9Sstevel@tonic-gate TRUE, &svalue);
8927c478bd9Sstevel@tonic-gate if (svalue != NULL) {
8937c478bd9Sstevel@tonic-gate if (strcasecmp(svalue, "RPCSEC_GSS") == 0) {
8947c478bd9Sstevel@tonic-gate params.kpasswd_protocol = KRB5_CHGPWD_RPCSEC;
8957c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_KPASSWD_PROTOCOL;
8967c478bd9Sstevel@tonic-gate } else if (strcasecmp(svalue, "SET_CHANGE") == 0) {
8977c478bd9Sstevel@tonic-gate params.kpasswd_protocol =
8987c478bd9Sstevel@tonic-gate KRB5_CHGPWD_CHANGEPW_V2;
8997c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_KPASSWD_PROTOCOL;
9007c478bd9Sstevel@tonic-gate }
9017c478bd9Sstevel@tonic-gate }
9027c478bd9Sstevel@tonic-gate if (svalue)
9037c478bd9Sstevel@tonic-gate krb5_xfree(svalue);
9047c478bd9Sstevel@tonic-gate }
9057c478bd9Sstevel@tonic-gate
9067c478bd9Sstevel@tonic-gate /*
9077c478bd9Sstevel@tonic-gate * If the kpasswd_port is not yet defined, define it now.
9087c478bd9Sstevel@tonic-gate */
9097c478bd9Sstevel@tonic-gate if (! (params.mask & KADM5_CONFIG_KPASSWD_PORT)) {
9107c478bd9Sstevel@tonic-gate if (params_in->mask & KADM5_CONFIG_KPASSWD_PORT)
9117c478bd9Sstevel@tonic-gate params.kpasswd_port = params_in->kpasswd_port;
9127c478bd9Sstevel@tonic-gate /*
9137c478bd9Sstevel@tonic-gate * If kpasswd_port is not explicitly defined,
9147c478bd9Sstevel@tonic-gate * determine the port to use based on the protocol.
9157c478bd9Sstevel@tonic-gate * The alternative protocol uses a different port
9167c478bd9Sstevel@tonic-gate * than the standard admind port.
9177c478bd9Sstevel@tonic-gate */
9187c478bd9Sstevel@tonic-gate else if (params.kpasswd_protocol == KRB5_CHGPWD_RPCSEC) {
9197c478bd9Sstevel@tonic-gate params.kpasswd_port = DEFAULT_KADM5_PORT;
9207c478bd9Sstevel@tonic-gate } else {
9217c478bd9Sstevel@tonic-gate /*
9227c478bd9Sstevel@tonic-gate * When using the Horowitz/IETF protocol for
9237c478bd9Sstevel@tonic-gate * password changing, the default port is 464
9247c478bd9Sstevel@tonic-gate * (officially recognized by IANA).
9257c478bd9Sstevel@tonic-gate */
9267c478bd9Sstevel@tonic-gate params.kpasswd_port = DEFAULT_KPASSWD_PORT;
9277c478bd9Sstevel@tonic-gate }
9287c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_KPASSWD_PORT;
9297c478bd9Sstevel@tonic-gate }
9307c478bd9Sstevel@tonic-gate
9317c478bd9Sstevel@tonic-gate hierarchy[2] = "sunw_dbprop_enable";
9327c478bd9Sstevel@tonic-gate
9337c478bd9Sstevel@tonic-gate params.iprop_enabled = FALSE;
9347c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_IPROP_ENABLED;
9357c478bd9Sstevel@tonic-gate
9367c478bd9Sstevel@tonic-gate if (params_in->mask & KADM5_CONFIG_IPROP_ENABLED) {
9377c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_IPROP_ENABLED;
9387c478bd9Sstevel@tonic-gate params.iprop_enabled = params_in->iprop_enabled;
9397c478bd9Sstevel@tonic-gate } else {
9407c478bd9Sstevel@tonic-gate if (aprofile && !krb5_aprof_get_string(aprofile, hierarchy,
9417c478bd9Sstevel@tonic-gate TRUE, &svalue)) {
9427c478bd9Sstevel@tonic-gate if (strncasecmp(svalue, "Y", 1) == 0)
9437c478bd9Sstevel@tonic-gate params.iprop_enabled = TRUE;
9447c478bd9Sstevel@tonic-gate if (strncasecmp(svalue, "true", 4) == 0)
9457c478bd9Sstevel@tonic-gate params.iprop_enabled = TRUE;
9467c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_IPROP_ENABLED;
9477c478bd9Sstevel@tonic-gate krb5_xfree(svalue);
9487c478bd9Sstevel@tonic-gate }
9497c478bd9Sstevel@tonic-gate }
9507c478bd9Sstevel@tonic-gate
9517c478bd9Sstevel@tonic-gate hierarchy[2] = "sunw_dbprop_master_ulogsize";
9527c478bd9Sstevel@tonic-gate
9537c478bd9Sstevel@tonic-gate params.iprop_ulogsize = DEF_ULOGENTRIES;
9547c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_ULOG_SIZE;
9557c478bd9Sstevel@tonic-gate
9567c478bd9Sstevel@tonic-gate if (params_in->mask & KADM5_CONFIG_ULOG_SIZE) {
9577c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_ULOG_SIZE;
9587c478bd9Sstevel@tonic-gate params.iprop_ulogsize = params_in->iprop_ulogsize;
9597c478bd9Sstevel@tonic-gate } else {
9607c478bd9Sstevel@tonic-gate if (aprofile && !krb5_aprof_get_int32(aprofile, hierarchy,
9617c478bd9Sstevel@tonic-gate TRUE, &ivalue)) {
9627c478bd9Sstevel@tonic-gate if (ivalue > MAX_ULOGENTRIES)
9637c478bd9Sstevel@tonic-gate params.iprop_ulogsize = MAX_ULOGENTRIES;
9647c478bd9Sstevel@tonic-gate else if (ivalue <= 0)
9657c478bd9Sstevel@tonic-gate params.iprop_ulogsize = DEF_ULOGENTRIES;
9667c478bd9Sstevel@tonic-gate else
9677c478bd9Sstevel@tonic-gate params.iprop_ulogsize = ivalue;
9687c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_ULOG_SIZE;
9697c478bd9Sstevel@tonic-gate }
9707c478bd9Sstevel@tonic-gate }
9717c478bd9Sstevel@tonic-gate
9727c478bd9Sstevel@tonic-gate hierarchy[2] = "sunw_dbprop_slave_poll";
9737c478bd9Sstevel@tonic-gate
9747c64d375Smp params.iprop_polltime = strdup("2m");
9757c64d375Smp if (params.iprop_polltime)
9767c64d375Smp params.mask |= KADM5_CONFIG_POLL_TIME;
9777c478bd9Sstevel@tonic-gate
9787c478bd9Sstevel@tonic-gate if (params_in->mask & KADM5_CONFIG_POLL_TIME) {
9797c64d375Smp if (params.iprop_polltime)
9807c64d375Smp free(params.iprop_polltime);
9817c478bd9Sstevel@tonic-gate params.iprop_polltime = strdup(params_in->iprop_polltime);
9827c478bd9Sstevel@tonic-gate if (params.iprop_polltime)
9837c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_POLL_TIME;
9847c478bd9Sstevel@tonic-gate } else {
9857c478bd9Sstevel@tonic-gate if (aprofile && !krb5_aprof_get_string(aprofile, hierarchy,
9867c478bd9Sstevel@tonic-gate TRUE, &svalue)) {
9877c64d375Smp if (params.iprop_polltime)
9887c64d375Smp free(params.iprop_polltime);
9897c478bd9Sstevel@tonic-gate params.iprop_polltime = strdup(svalue);
9907c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_POLL_TIME;
9917c478bd9Sstevel@tonic-gate krb5_xfree(svalue);
9927c478bd9Sstevel@tonic-gate }
9937c478bd9Sstevel@tonic-gate }
9947c478bd9Sstevel@tonic-gate
9957c478bd9Sstevel@tonic-gate *params_out = params;
9967c478bd9Sstevel@tonic-gate
9977c478bd9Sstevel@tonic-gate cleanup:
99856a424ccSmp if (aprofile)
99956a424ccSmp krb5_aprof_finish(aprofile);
100056a424ccSmp if (kret) {
100156a424ccSmp kadm5_free_config_params(context, ¶ms);
100256a424ccSmp params_out->mask = 0;
100356a424ccSmp }
10047c478bd9Sstevel@tonic-gate #ifdef KRB5_DNS_LOOKUP
10057c478bd9Sstevel@tonic-gate if (dns_realm.data)
10067c478bd9Sstevel@tonic-gate free(dns_realm.data);
10077c478bd9Sstevel@tonic-gate #endif /* KRB5_DNS_LOOKUP */
10087c478bd9Sstevel@tonic-gate
100956a424ccSmp return(kret);
10107c478bd9Sstevel@tonic-gate }
/*
 * free_owned_string() - Release a string slot that kadm5_get_config_params()
 * filled with strdup()/malloc() storage and clear it, so that freeing the
 * same kadm5_config_params twice is harmless.
 */
static void
free_owned_string(char **slot)
{
	if (*slot != NULL) {
		free(*slot);
		*slot = NULL;
	}
}

/*
 * kadm5_free_config_params() - Free data allocated by above.
 *
 * Releases every string and the key/salt array owned by *params and
 * NULLs the corresponding pointers (keysalts also resets num_keysalts).
 * params itself is not freed and params->mask is left untouched, so
 * callers that care clear the mask themselves.  A NULL params is a
 * no-op.  Always returns 0.
 */
/*ARGSUSED*/
krb5_error_code
kadm5_free_config_params(krb5_context context, kadm5_config_params *params)
{
	if (params == NULL)
		return (0);

	/* Fields released through krb5_xfree(), as the rest of the file does. */
	if (params->dbname != NULL) {
		krb5_xfree(params->dbname);
		params->dbname = NULL;
	}
	if (params->mkey_name != NULL) {
		krb5_xfree(params->mkey_name);
		params->mkey_name = NULL;
	}
	if (params->stash_file != NULL) {
		krb5_xfree(params->stash_file);
		params->stash_file = NULL;
	}
	if (params->keysalts != NULL) {
		krb5_xfree(params->keysalts);
		params->keysalts = NULL;
		params->num_keysalts = 0;
	}

	/* Fields released with plain free(). */
	free_owned_string(&params->admin_keytab);
	free_owned_string(&params->dict_file);
	free_owned_string(&params->acl_file);
	free_owned_string(&params->realm);
	free_owned_string(&params->admin_dbname);
	free_owned_string(&params->admin_lockfile);
	free_owned_string(&params->admin_server);
	free_owned_string(&params->kpasswd_server);
	free_owned_string(&params->iprop_polltime);

	return (0);
}
10777c478bd9Sstevel@tonic-gate
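/*
 * kadm5_get_admin_service_name() - Build the kadmin service principal
 * name, "kadmin/<canonical admin_server host>", for a realm.
 *
 * ctx         Library context passed through to kadm5_get_config_params().
 * realm_in    Realm whose admin_server is looked up; NULL lets
 *             kadm5_get_config_params() pick the default realm.
 * admin_name  Caller-supplied buffer of maxlen bytes.  It is written only
 *             on success and is left untouched on every failure path.
 * maxlen      Size of admin_name in bytes, including the NUL terminator.
 *
 * Returns 0 on success, KADM5_MISSING_KRB5_CONF_PARAMS when no
 * admin_server is configured for the realm, ENOMEM when admin_name is
 * too small, or another non-zero code when the host lookup fails.
 *
 * The host component comes from the resolver's canonical name for the
 * configured admin_server, so the resulting principal is only as
 * trustworthy as that name lookup.
 */
krb5_error_code
kadm5_get_admin_service_name(krb5_context ctx,
			     char *realm_in,
			     char *admin_name,
			     size_t maxlen)
{
	krb5_error_code ret;
	kadm5_config_params params_in, params_out;
	struct hostent *hp;
	size_t needed;
	int n;

	memset(&params_in, 0, sizeof (params_in));
	memset(&params_out, 0, sizeof (params_out));

	params_in.mask |= KADM5_CONFIG_REALM;
	params_in.realm = realm_in;	/* borrowed: params_in is never freed */
	ret = kadm5_get_config_params(ctx, 0, &params_in, &params_out);
	if (ret)
		return (ret);

	if (!(params_out.mask & KADM5_CONFIG_ADMIN_SERVER)) {
		ret = KADM5_MISSING_KRB5_CONF_PARAMS;
		goto err_params;
	}

	/*
	 * gethostbyname() reports failures through h_errno, not errno, so
	 * errno is frequently still 0 after a lookup failure.  The previous
	 * code returned errno unconditionally and could therefore report
	 * success while leaving admin_name unset; make sure a failed lookup
	 * always yields a non-zero code.
	 */
	errno = 0;
	hp = gethostbyname(params_out.admin_server);
	if (hp == NULL) {
		ret = (errno != 0) ? errno : ENOENT;
		goto err_params;
	}

	/* "kadmin/" + host name + NUL; sizeof ("kadmin/") already counts the NUL. */
	needed = strlen(hp->h_name) + sizeof ("kadmin/");
	if (needed > maxlen) {
		ret = ENOMEM;
		goto err_params;
	}
	n = snprintf(admin_name, maxlen, "kadmin/%s", hp->h_name);
	if (n < 0 || (size_t)n >= maxlen) {
		/* Unreachable after the size check above; kept so the bound is explicit. */
		ret = ENOMEM;
		goto err_params;
	}
	ret = 0;

err_params:
	kadm5_free_config_params(ctx, &params_out);
	return (ret);
}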
111756a424ccSmp
111856a424ccSmp /***********************************************************************
11197c478bd9Sstevel@tonic-gate * This is the old krb5_realm_read_params, which I mutated into
112056a424ccSmp * kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
11217c478bd9Sstevel@tonic-gate * still uses.
112256a424ccSmp ***********************************************************************/
11237c478bd9Sstevel@tonic-gate
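/* Characters that separate entries in a default_principal_flags value. */
#define	REALM_FLAG_SEPARATORS	", \t"

/*
 * read_realm_flags() - Parse a default_principal_flags string such as
 * "+preauth -forwardable" into rparams->realm_flags.
 *
 * Entries may be separated by any mix of commas, blanks and tabs, and
 * empty entries are skipped.  realm_flags_valid is set only when every
 * entry was accepted by krb5_string_to_flags(); a rejected entry stops
 * parsing and leaves the flag clear.  flagstr is modified in place and
 * is NOT freed here.
 *
 * This replaces the hand-rolled tokenizer, whose trailing-whitespace
 * loop compared its cursor against the token start in the wrong
 * direction (the sibling copy in kadm5_get_config_params() has it the
 * other way round) and which looked at the byte before the buffer when
 * the value began with a separator.
 */
static void
read_realm_flags(char *flagstr, krb5_realm_params *rparams)
{
	char *sp = flagstr;

	rparams->realm_flags = 0;
	rparams->realm_flags_valid = 0;
	for (;;) {
		char *ep;

		/* Skip leading separators; nothing left means we are done. */
		sp += strspn(sp, REALM_FLAG_SEPARATORS);
		if (*sp == '\0') {
			rparams->realm_flags_valid = 1;
			return;
		}
		/* Terminate this entry at the next separator, if there is one. */
		ep = strpbrk(sp, REALM_FLAG_SEPARATORS);
		if (ep != NULL)
			*ep++ = '\0';
		if (krb5_string_to_flags(sp, "+", "-", &rparams->realm_flags))
			return;	/* bad entry: realm_flags_valid stays 0 */
		if (ep == NULL) {
			rparams->realm_flags_valid = 1;
			return;
		}
		sp = ep;
	}
}

/*
 * krb5_read_realm_params() - Read per-realm parameters from KDC
 * alternate profile.
 *
 * kcontext  Library context.  When kcontext->profile_secure is TRUE the
 *           KDC_PROFILE_ENV environment override is ignored and only
 *           DEFAULT_KDC_PROFILE is consulted.
 * realm     Realm whose [realms] section is read, or NULL for the default
 *           realm from krb5_get_default_realm().
 * rparamp   On success receives a newly allocated krb5_realm_params that
 *           the caller releases with krb5_free_realm_params(); it is set
 *           to NULL on failure.
 *
 * Returns 0 on success, ENOMEM when memory runs out, or the error from
 * krb5_get_default_realm() / krb5_aprof_init().  A profile entry that is
 * missing or unparsable is not an error: its *_valid flag stays 0 and its
 * pointer stays NULL.  supported_enctypes falls back to
 * DEFAULT_ENCTYPE_LIST when the profile does not set it.
 */
krb5_error_code
krb5_read_realm_params(krb5_context kcontext, char *realm,
    krb5_realm_params **rparamp)
{
	char *filename = DEFAULT_KDC_PROFILE;
	char *envname = KDC_PROFILE_ENV;
	char *lrealm = NULL;
	krb5_pointer aprofile = 0;
	krb5_realm_params *rparams = NULL;
	const char *hierarchy[4];
	char *svalue;
	krb5_int32 ivalue;
	krb5_boolean bvalue;
	krb5_deltat dtvalue;
	krb5_error_code kret = 0;

	/*
	 * A "secure" context must not let the environment redirect which
	 * profile is read.
	 */
	if (kcontext->profile_secure == TRUE)
		envname = 0;

	if (realm) {
		lrealm = strdup(realm);
		if (lrealm == NULL) {
			/* Previously continued with a NULL realm in the lookup path. */
			kret = ENOMEM;
			goto cleanup;
		}
	} else {
		kret = krb5_get_default_realm(kcontext, &lrealm);
		if (kret)
			goto cleanup;
	}

	kret = krb5_aprof_init(filename, envname, &aprofile);
	if (kret)
		goto cleanup;

	/* calloc() leaves every *_valid flag 0 and every pointer NULL. */
	rparams = calloc(1, sizeof (*rparams));
	if (rparams == NULL) {
		kret = ENOMEM;
		goto cleanup;
	}

	hierarchy[0] = "realms";
	hierarchy[1] = lrealm;
	hierarchy[3] = NULL;

	/* Database name: the string returned by the profile is kept as is. */
	hierarchy[2] = "database_name";
	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
		rparams->realm_dbname = svalue;

	/* KDC UDP and TCP port lists. */
	hierarchy[2] = "kdc_ports";
	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
		rparams->realm_kdc_ports = svalue;
	hierarchy[2] = "kdc_tcp_ports";
	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
		rparams->realm_kdc_tcp_ports = svalue;

	/* ACL file name. */
	hierarchy[2] = "acl_file";
	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
		rparams->realm_acl_file = svalue;

	/* kadmind port. */
	hierarchy[2] = "kadmind_port";
	if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) {
		rparams->realm_kadmind_port = ivalue;
		rparams->realm_kadmind_port_valid = 1;
	}

	/* Master key name. */
	hierarchy[2] = "master_key_name";
	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
		rparams->realm_mkey_name = svalue;

	/* Master key type: an unknown enctype name is ignored. */
	hierarchy[2] = "master_key_type";
	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
		if (!krb5_string_to_enctype(svalue, &rparams->realm_enctype))
			rparams->realm_enctype_valid = 1;
		krb5_xfree(svalue);
	}

	/* Stash file. */
	hierarchy[2] = "key_stash_file";
	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
		rparams->realm_stash_file = svalue;

	/* Maximum ticket lifetime. */
	hierarchy[2] = "max_life";
	if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) {
		rparams->realm_max_life = dtvalue;
		rparams->realm_max_life_valid = 1;
	}

	/* Maximum renewable ticket lifetime. */
	hierarchy[2] = "max_renewable_life";
	if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) {
		rparams->realm_max_rlife = dtvalue;
		rparams->realm_max_rlife_valid = 1;
	}

	/* Default principal expiration: an unparsable timestamp is ignored. */
	hierarchy[2] = "default_principal_expiration";
	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
		if (!krb5_string_to_timestamp(svalue,
		    &rparams->realm_expiration))
			rparams->realm_expiration_valid = 1;
		krb5_xfree(svalue);
	}

	hierarchy[2] = "reject_bad_transit";
	if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) {
		rparams->realm_reject_bad_transit = bvalue;
		rparams->realm_reject_bad_transit_valid = 1;
	}

	/* Default principal flags. */
	hierarchy[2] = "default_principal_flags";
	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
		read_realm_flags(svalue, rparams);
		krb5_xfree(svalue);
	}

	/*
	 * Supported enctype/salttype matrix.
	 *
	 * SUNWresync121
	 * Solaris kerberos: updated this code to support default values for
	 * the supported_enctypes.
	 */
	hierarchy[2] = "supported_enctypes";
	svalue = NULL;
	if (krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
		svalue = NULL;
	/*
	 * Fall back to the built-in default when kdc.conf does not set it.
	 * This stays best-effort: if the strdup() fails the realm is left
	 * with no key/salt tuples rather than failing the whole read.
	 */
	if (svalue == NULL)
		svalue = strdup(DEFAULT_ENCTYPE_LIST);
	if (svalue != NULL) {
		krb5_string_to_keysalts(svalue,
		    ", \t",	/* Tuple separators */
		    ":.-",	/* Key/salt separators */
		    0,		/* No duplicates */
		    &rparams->realm_keysalts,
		    &rparams->realm_num_keysalts);
		krb5_xfree(svalue);
		svalue = NULL;
	}

cleanup:
	if (aprofile)
		krb5_aprof_finish(aprofile);
	free(lrealm);
	if (kret) {
		/* krb5_free_realm_params() accepts NULL. */
		krb5_free_realm_params(kcontext, rparams);
		rparams = NULL;
	}
	*rparamp = rparams;
	return (kret);
}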
13277c478bd9Sstevel@tonic-gate
/*
 * xfree_if_set() - krb5_xfree() a pointer that may be NULL.
 */
static void
xfree_if_set(void *p)
{
	if (p != NULL)
		krb5_xfree(p);
}

/*
 * krb5_free_realm_params() - Free data allocated by above.
 *
 * Releases the strings and the key/salt array held by *rparams, then
 * rparams itself.  NULL is accepted.  kcontext is unused.  Always
 * returns 0.
 */
krb5_error_code
krb5_free_realm_params(krb5_context kcontext, krb5_realm_params *rparams)
{
	if (rparams == NULL)
		return (0);

	xfree_if_set(rparams->realm_profile);
	xfree_if_set(rparams->realm_dbname);
	xfree_if_set(rparams->realm_mkey_name);
	xfree_if_set(rparams->realm_stash_file);
	xfree_if_set(rparams->realm_keysalts);
	xfree_if_set(rparams->realm_kdc_ports);
	xfree_if_set(rparams->realm_kdc_tcp_ports);
	xfree_if_set(rparams->realm_acl_file);
	krb5_xfree(rparams);

	return (0);
}
135756a424ccSmp
1358