From 766d43105fd4f15fdc7be9c236f14f237cf7f6a6 Mon Sep 17 00:00:00 2001 From: Zhanna Tsitkov Date: Fri, 3 Feb 2012 19:22:44 +0000 Subject: [PATCH] Added a new trace logging message TRACE_PROFILE_ERR to improve the diagnostics of the potential misconfiguration. Added profile_get_(string/integer/boolean)_nodef functions to the profile library to get the typed values from the configuration files (without setting these values to the defaults). Used TRACE_PROFILE_ERR for the configuration diagnostics in krb5_init_context_profile API. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25669 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/k5-trace.h | 3 + src/lib/krb5/krb/init_ctx.c | 222 +++++++++++++++++++--------- src/lib/krb5/libkrb5.exports | 5 +- src/util/profile/libprofile.exports | 5 +- src/util/profile/prof_get.c | 59 +++++++- src/util/profile/profile.hin | 9 ++ 6 files changed, 233 insertions(+), 70 deletions(-) diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h index 926c523bc..8c5f52109 100644 --- a/src/include/k5-trace.h +++ b/src/include/k5-trace.h @@ -371,5 +371,8 @@ TRACE(c, (c, "Requesting TGT {princ} using TGT {princ}", next, cur)) #define TRACE_TKT_CREDS_WRONG_ENCTYPE(c) \ TRACE(c, (c, "Retrying TGS request with desired service ticket enctypes")) +#define TRACE_PROFILE_ERR(c,subsection, section, retval) \ + TRACE(c, (c, "Bad value of {str} from [{str}] in conf file: {kerr}", \ + subsection, section, retval)) #endif /* K5_TRACE_H */ diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index aa916b20f..1dc1e715d 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -1,7 +1,7 @@ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* lib/krb5/krb/init_ctx.c */ /* - * Copyright 1994,1999,2000, 2002, 2003, 2007, 2008, 2009 by the Massachusetts Institute of Technology. + * Copyright 1994,1999,2000, 2002, 2003, 2007, 2008, 2009,2012 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -103,9 +103,32 @@ krb5int_init_context_kdc(krb5_context *context) return krb5_init_context_profile(NULL, KRB5_INIT_CONTEXT_KDC, context); } +#define DEFAULT_KDC_TIMESYNC 1 +#define DEFAULT_CCACHE_TYPE 4 +#define DEFAULT_CLOCKSKEW 5*60 + +static krb5_error_code +init_context(profile_t profile, krb5_context *context, krb5_flags flags); +static krb5_error_code +process_config(krb5_context *context); + krb5_error_code KRB5_CALLCONV krb5_init_context_profile(profile_t profile, krb5_flags flags, krb5_context *context_out) +{ + krb5_error_code retval = 0; + + /* Init context with defaults */ + retval = init_context(profile, context_out, flags); + + if (!retval && (*context_out)->profile != NULL) + retval = process_config(context_out); + + return retval; +} + +static krb5_error_code +init_context(profile_t profile, krb5_context *context, krb5_flags flags) { krb5_context ctx = 0; krb5_error_code retval; @@ -114,7 +137,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, long pid; } seed_data; krb5_data seed; - int tmp; /* Verify some assumptions. If the assumptions hold and the compiler is optimizing, this should result in no code being @@ -153,7 +175,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, return retval; #endif - *context_out = NULL; + *context = NULL; ctx = calloc(1, sizeof(struct _krb5_context)); if (!ctx) @@ -165,21 +187,8 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, if ((retval = krb5_os_init_context(ctx, profile, flags)) != 0) goto cleanup; - retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 0, &tmp); - if (retval) - goto cleanup; - ctx->allow_weak_crypto = tmp; - - retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, NULL, 0, - &tmp); - if (retval) - goto cleanup; - ctx->ignore_acceptor_hostname = tmp; - /* initialize the prng (not well, but passable) */ - if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) !=0) + if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) != 0) goto cleanup; if ((retval = krb5_crypto_us_timeofday(&seed_data.now, &seed_data.now_usec))) goto cleanup; @@ -189,11 +198,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, if ((retval = krb5_c_random_add_entropy(ctx, KRB5_C_RANDSOURCE_TIMING, &seed))) goto cleanup; - ctx->default_realm = 0; - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CLOCKSKEW, - 0, 5 * 60, &tmp); - ctx->clockskew = tmp; - #if 0 /* Default ticket lifetime is currently not supported */ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, "tkt_lifetime", @@ -201,40 +205,130 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, ctx->tkt_lifetime = tmp; #endif + ctx->prompt_types = 0; + ctx->use_conf_ktypes = 0; + ctx->udp_pref_limit = -1; + ctx->trace_callback = NULL; + ctx->ignore_acceptor_hostname = FALSE; + ctx->allow_weak_crypto = FALSE; + ctx->kdc_req_sumtype = CKSUMTYPE_RSA_MD5; + ctx->default_ap_req_sumtype = 0; + ctx->default_safe_sumtype = CKSUMTYPE_RSA_MD5_DES; + ctx->kdc_default_options = KDC_OPT_RENEWABLE_OK; + ctx->library_options = DEFAULT_KDC_TIMESYNC; + ctx->fcc_default_format = DEFAULT_CCACHE_TYPE + 0x0500; + ctx->clockskew = DEFAULT_CLOCKSKEW; + + ctx->plugin_base_dir = strdup(DEFAULT_PLUGIN_BASE_DIR); + if (ctx->plugin_base_dir == NULL) { + retval = ENOMEM; + goto cleanup; + } + +#ifndef DISABLE_TRACING + if (!ctx->profile_secure) + krb5int_init_trace(ctx); +#endif + + *context = ctx; + return 0; + +cleanup: + krb5_free_context(ctx); + return retval; +} + +static krb5_error_code +process_config(krb5_context *context) +{ + krb5_error_code retval = 0; + const char *names[4]; + int tmp; + char * s_tmp = NULL; + krb5_context ctx = *context; + + names[0] = KRB5_CONF_LIBDEFAULTS; + names[2] = names[3] = 0; + + /* allow_weak_crypto */ + names[1] = KRB5_CONF_ALLOW_WEAK_CRYPTO; + retval = profile_get_boolean_nodef(ctx->profile, names, &tmp); + if (!retval) + ctx->allow_weak_crypto = tmp; + else if (retval != PROF_NO_SECTION && retval != PROF_NO_RELATION) + goto cleanup; + + /* ignore_acceptor_hostname */ + names[1] = KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME; + retval = profile_get_boolean_nodef(ctx->profile, names, &tmp); + if (!retval) + ctx->ignore_acceptor_hostname = tmp; + else if (retval != PROF_NO_SECTION && retval != PROF_NO_RELATION) + goto cleanup; + + /* clockskew */ + names[1] = KRB5_CONF_CLOCKSKEW; + retval = profile_get_integer_nodef(ctx->profile, names, &tmp); + if (!retval) + ctx->clockskew = tmp; + else if (retval != PROF_NO_SECTION && retval != PROF_NO_RELATION) + goto cleanup; + /* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */ /* DCE add kdc_req_checksum_type = 2 to krb5.conf */ - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5, - &tmp); - ctx->kdc_req_sumtype = tmp; - - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0, - &tmp); - ctx->default_ap_req_sumtype = tmp; - - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_SAFE_CHECKSUM_TYPE, 0, - CKSUMTYPE_RSA_MD5_DES, &tmp); - ctx->default_safe_sumtype = tmp; - - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_KDC_DEFAULT_OPTIONS, 0, - KDC_OPT_RENEWABLE_OK, &tmp); - ctx->kdc_default_options = tmp; -#define DEFAULT_KDC_TIMESYNC 1 - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_KDC_TIMESYNC, 0, DEFAULT_KDC_TIMESYNC, - &tmp); - ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0; - - retval = profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_PLUGIN_BASE_DIR, 0, - DEFAULT_PLUGIN_BASE_DIR, - &ctx->plugin_base_dir); - if (retval) + /* kdc_req_sumtype */ + names[1] = KRB5_CONF_KDC_REQ_CHECKSUM_TYPE; + retval = profile_get_integer_nodef(ctx->profile, names, &tmp); + if (!retval) + ctx->kdc_req_sumtype = tmp; + else if (retval != PROF_NO_SECTION && retval != PROF_NO_RELATION) + goto cleanup; + + /* default_ap_req_sumtype */ + names[1] = KRB5_CONF_AP_REQ_CHECKSUM_TYPE; + retval = profile_get_integer_nodef(ctx->profile, names, &tmp); + if (!retval) + ctx->default_ap_req_sumtype = tmp; + else if (retval != PROF_NO_SECTION && retval != PROF_NO_RELATION) + goto cleanup; + + /* default_safe_sumtype */ + names[1] = KRB5_CONF_SAFE_CHECKSUM_TYPE; + retval = profile_get_integer_nodef(ctx->profile, names, &tmp); + if (!retval) + ctx->default_safe_sumtype = tmp; + else if (retval != PROF_NO_SECTION && retval != PROF_NO_RELATION) goto cleanup; + /* kdc_default_options */ + names[1] = KRB5_CONF_KDC_DEFAULT_OPTIONS; + retval = profile_get_integer_nodef(ctx->profile, names, &tmp); + if (!retval) + ctx->kdc_default_options = tmp; + else if (retval != PROF_NO_SECTION && retval != PROF_NO_RELATION) + goto cleanup; + + /* library_options */ + names[1] = KRB5_CONF_KDC_TIMESYNC; + retval = profile_get_integer_nodef(ctx->profile, names, &tmp); + if (!retval) + ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0; + else if (retval != PROF_NO_SECTION && retval != PROF_NO_RELATION) + goto cleanup; + + /* plugin_base_dir */ + names[1] = KRB5_CONF_PLUGIN_BASE_DIR; + retval = profile_get_string_nodef(ctx->profile, names, &s_tmp); + if (!retval) { + if (ctx->plugin_base_dir) + free(ctx->plugin_base_dir); + ctx->plugin_base_dir = strdup(s_tmp); + free(s_tmp); + s_tmp = NULL; + } else if (retval != PROF_NO_SECTION && retval != PROF_NO_RELATION) + goto cleanup; + + /* fcc_default_format */ /* * We use a default file credentials cache of 3. See * lib/krb5/krb/ccache/file/fcc.h for a description of the @@ -243,23 +337,18 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, * Note: DCE 1.0.3a only supports a cache type of 1 * DCE 1.1 supports a cache type of 2. */ -#define DEFAULT_CCACHE_TYPE 4 - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CCACHE_TYPE, - 0, DEFAULT_CCACHE_TYPE, &tmp); - ctx->fcc_default_format = tmp + 0x0500; - ctx->prompt_types = 0; - ctx->use_conf_ktypes = 0; - ctx->udp_pref_limit = -1; - ctx->trace_callback = NULL; -#ifndef DISABLE_TRACING - if (!ctx->profile_secure) - krb5int_init_trace(ctx); -#endif - *context_out = ctx; + names[1] = KRB5_CONF_CCACHE_TYPE; + retval = profile_get_integer_nodef(ctx->profile, names, &tmp); + if (!retval) + ctx->fcc_default_format = tmp + 0x0500; + else if (retval != PROF_NO_SECTION && retval != PROF_NO_RELATION) + goto cleanup; + return 0; cleanup: - krb5_free_context(ctx); + TRACE_PROFILE_ERR(ctx, names[1], names[0], retval); + krb5_free_context(*context); return retval; } @@ -565,7 +654,6 @@ krb5_is_permitted_enctype(krb5_context context, krb5_enctype etype) if (krb5_get_permitted_enctypes(context, &list)) return(0); - ret = 0; for (ptr = list; *ptr; ptr++) diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports index 04a09eb45..8c9cab854 100644 --- a/src/lib/krb5/libkrb5.exports +++ b/src/lib/krb5/libkrb5.exports @@ -594,8 +594,11 @@ profile_flush profile_free_list profile_get_boolean profile_get_integer -profile_get_relation_names profile_get_string +profile_get_boolean_nodef +profile_get_integer_nodef +profile_get_string_nodef +profile_get_relation_names profile_get_subsection_names profile_get_values profile_init diff --git a/src/util/profile/libprofile.exports b/src/util/profile/libprofile.exports index 3f02b4f4f..743bc4901 100644 --- a/src/util/profile/libprofile.exports +++ b/src/util/profile/libprofile.exports @@ -7,8 +7,11 @@ profile_flush profile_free_list profile_get_boolean profile_get_integer -profile_get_relation_names profile_get_string +profile_get_boolean_nodef +profile_get_integer_nodef +profile_get_string_nodef +profile_get_relation_names profile_get_subsection_names profile_get_values profile_init diff --git a/src/util/profile/prof_get.c b/src/util/profile/prof_get.c index 3eba78722..b4f6ee82b 100644 --- a/src/util/profile/prof_get.c +++ b/src/util/profile/prof_get.c @@ -280,6 +280,23 @@ profile_get_string(profile_t profile, const char *name, const char *subname, return 0; } +errcode_t KRB5_CALLCONV +profile_get_string_nodef(profile_t profile, const char **names, char **ret_string) +{ + char *value = NULL; + errcode_t retval = 0; + + if (profile == 0) + return 0; + + retval = profile_get_value(profile, names, &value); + if (retval == 0) { + *ret_string = value; + return 0; + } else if (retval != PROF_NO_SECTION && retval != PROF_NO_RELATION) + return retval; +} + static errcode_t parse_int(const char *value, int *ret_int) { @@ -334,11 +351,30 @@ profile_get_integer(profile_t profile, const char *name, const char *subname, return retval; } +errcode_t KRB5_CALLCONV +profile_get_integer_nodef(profile_t profile, const char **names, int *ret_int) +{ + char *value = NULL; + errcode_t retval = 0; + + if (profile == 0) + return 0; + + retval = profile_get_value(profile, names, &value); + if (retval == PROF_NO_SECTION || retval == PROF_NO_RELATION) { + return retval; + } else if (retval) + return retval; + + retval = parse_int(value, ret_int); + free(value); + return retval; +} + static const char *const conf_yes[] = { "y", "yes", "true", "t", "1", "on", 0, }; - static const char *const conf_no[] = { "n", "no", "false", "nil", "0", "off", 0, @@ -398,6 +434,27 @@ profile_get_boolean(profile_t profile, const char *name, const char *subname, return retval; } +errcode_t KRB5_CALLCONV +profile_get_boolean_nodef(profile_t profile, const char **names, + int *ret_boolean) +{ + char *value = NULL; + errcode_t retval = 0; + + if (profile == 0) + return 0; + + retval = profile_get_value(profile, names, &value); + if (retval == PROF_NO_SECTION || retval == PROF_NO_RELATION) { + return retval; + } else if (retval) + return retval; + + retval = profile_parse_boolean(value, ret_boolean); + free(value); + return retval; +} + /* * This function will return the list of the names of subections in the * under the specified section name. diff --git a/src/util/profile/profile.hin b/src/util/profile/profile.hin index 45ad55430..db437d6aa 100644 --- a/src/util/profile/profile.hin +++ b/src/util/profile/profile.hin @@ -91,6 +91,15 @@ long KRB5_CALLCONV profile_get_boolean const char *subsubname, int def_val, int *ret_default); +long KRB5_CALLCONV profile_get_string_nodef + (profile_t profile, const char **names, char **ret_string); + +long KRB5_CALLCONV profile_get_integer_nodef + (profile_t profile, const char **names, int *ret_default); + +long KRB5_CALLCONV profile_get_boolean_nodef + (profile_t profile, const char **names, int *ret_default); + long KRB5_CALLCONV profile_get_relation_names (profile_t profile, const char **names, char ***ret_names); -- 2.26.2