1 /*
2  * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * 3. Neither the name of the Institute nor the names of its contributors
20  *    may be used to endorse or promote products derived from this software
21  *    without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35
36 #include "kdc_locl.h"
37 #include <getarg.h>
38 #include <parse_bytes.h>
39
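/*
 * Allocate a krb5_kdc_configuration, fill it with the built-in defaults
 * and then override those defaults from the [kdc] section of the krb5
 * configuration carried by `context'.
 *
 * On success *config points at the new configuration, owned by the
 * caller, and 0 is returned.  If memory cannot be allocated, ENOMEM is
 * returned with an error message set on `context' and *config is left
 * untouched.  A pkinit configuration that is enabled but lacks an
 * identity or X509 anchors is fatal: krb5_errx() terminates the process
 * (unchanged from the original behaviour).
 *
 * Ownership of string members is mixed: v4_realm is strdup()ed here,
 * while the pkinit_* and kx509_* strings are whatever
 * krb5_config_get_string()/krb5_config_get_strings() hand back (on
 * __APPLE__ the built-in fallbacks are strdup()ed instead).
 */
krb5_error_code
krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
{
    krb5_kdc_configuration *c;

    c = calloc(1, sizeof(*c));
    if (c == NULL) {
        krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
        return ENOMEM;
    }

    /*
     * Built-in defaults.  The security-relevant ones are conservative:
     * pre-authentication is required, ticket addresses are checked,
     * anonymous requests are refused, transited realms are always checked
     * and the legacy v4/524/kaserver protocols stay off unless the
     * configuration turns them on.
     */
    c->require_preauth = TRUE;
    c->kdc_warn_pwexpire = 0;
    c->encode_as_rep_as_tgs_rep = FALSE;
    c->check_ticket_addresses = TRUE;
    c->allow_null_ticket_addresses = TRUE;
    c->allow_anonymous = FALSE;
    c->trpolicy = TRPOLICY_ALWAYS_CHECK;
    c->enable_v4 = FALSE;
    c->enable_kaserver = FALSE;
    c->enable_524 = FALSE;
    c->enable_v4_cross_realm = FALSE;
    c->enable_pkinit = FALSE;
    c->pkinit_princ_in_cert = TRUE;
    c->pkinit_require_binding = TRUE;
    c->db = NULL;
    c->num_db = 0;
    /*
     * NOTE(review): kdc_log() is called further down while logf is still
     * NULL -- confirm that kdc_log() tolerates an unset log facility.
     */
    c->logf = NULL;

    c->require_preauth =
        krb5_config_get_bool_default(context, NULL,
                                     c->require_preauth,
                                     "kdc", "require-preauth", NULL);
    c->enable_v4 =
        krb5_config_get_bool_default(context, NULL,
                                     c->enable_v4,
                                     "kdc", "enable-kerberos4", NULL);
    c->enable_v4_cross_realm =
        krb5_config_get_bool_default(context, NULL,
                                     c->enable_v4_cross_realm,
                                     "kdc",
                                     "enable-kerberos4-cross-realm", NULL);
    /*
     * The 524 service defaults to the (already resolved) v4 setting rather
     * than to c->enable_524, so enabling Kerberos 4 enables 524 unless
     * "enable-524" says otherwise.
     */
    c->enable_524 =
        krb5_config_get_bool_default(context, NULL,
                                     c->enable_v4,
                                     "kdc", "enable-524", NULL);
#ifdef DIGEST
    c->enable_digest =
        krb5_config_get_bool_default(context, NULL,
                                     FALSE,
                                     "kdc", "enable-digest", NULL);

    {
        const char *digests;

        digests = krb5_config_get_string(context, NULL,
                                         "kdc",
                                         "digests_allowed", NULL);
        if (digests == NULL)
            digests = "ntlm-v2";
        /* parse_flags() yields -1 when the list cannot be parsed. */
        c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
        if (c->digests_allowed == -1) {
            kdc_log(context, c, 0,
                    "unparsable digest units (%s), turning off digest",
                    digests);
            c->enable_digest = 0;
        } else if (c->digests_allowed == 0) {
            /*
             * This message has no conversion specifier, so no argument is
             * passed (the original passed a stray `digests').
             */
            kdc_log(context, c, 0,
                    "no digest enable, turning digest off");
            c->enable_digest = 0;
        }
    }
#endif

#ifdef KX509
    c->enable_kx509 =
        krb5_config_get_bool_default(context, NULL,
                                     FALSE,
                                     "kdc", "enable-kx509", NULL);

    /* kx509 needs both a template and a CA; fall back to off otherwise. */
    if (c->enable_kx509) {
        c->kx509_template =
            krb5_config_get_string(context, NULL,
                                   "kdc", "kx509_template", NULL);
        c->kx509_ca =
            krb5_config_get_string(context, NULL,
                                   "kdc", "kx509_ca", NULL);
        if (c->kx509_ca == NULL || c->kx509_template == NULL) {
            kdc_log(context, c, 0,
                    "missing kx509 configuration, turning off");
            c->enable_kx509 = FALSE;
        }
    }
#endif

    c->check_ticket_addresses =
        krb5_config_get_bool_default(context, NULL,
                                     c->check_ticket_addresses,
                                     "kdc",
                                     "check-ticket-addresses", NULL);
    c->allow_null_ticket_addresses =
        krb5_config_get_bool_default(context, NULL,
                                     c->allow_null_ticket_addresses,
                                     "kdc",
                                     "allow-null-ticket-addresses", NULL);

    c->allow_anonymous =
        krb5_config_get_bool_default(context, NULL,
                                     c->allow_anonymous,
                                     "kdc",
                                     "allow-anonymous", NULL);

    c->max_datagram_reply_length =
        krb5_config_get_int_default(context,
                                    NULL,
                                    1400,
                                    "kdc",
                                    "max-kdc-datagram-reply-length",
                                    NULL);

    {
        const char *trpolicy_str;

        /*
         * "DEFAULT" is the fallback, so trpolicy_str is never NULL here.
         * An unrecognised value is logged and leaves the always-check
         * default in place.
         */
        trpolicy_str =
            krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
                                           "transited-policy", NULL);
        if(strcasecmp(trpolicy_str, "always-check") == 0) {
            c->trpolicy = TRPOLICY_ALWAYS_CHECK;
        } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
            c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
        } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
            c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
        } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
            /* default */
        } else {
            kdc_log(context, c, 0,
                    "unknown transited-policy: %s, "
                    "reverting to default (always-check)",
                    trpolicy_str);
        }
    }

    {
        const char *p;
        p = krb5_config_get_string (context, NULL,
                                    "kdc",
                                    "v4-realm",
                                    NULL);
        if(p != NULL) {
            c->v4_realm = strdup(p);
            if (c->v4_realm == NULL) {
                /*
                 * Same failure mode as the calloc() above: report ENOMEM
                 * instead of terminating the process.  v4_realm is the
                 * only strdup()ed member so far, so free(c) is enough.
                 */
                free(c);
                krb5_set_error_message(context, ENOMEM,
                                       "malloc: out of memory");
                return ENOMEM;
            }
        } else {
            c->v4_realm = NULL;
        }
    }

    c->enable_kaserver =
        krb5_config_get_bool_default(context,
                                     NULL,
                                     c->enable_kaserver,
                                     "kdc", "enable-kaserver", NULL);


    c->encode_as_rep_as_tgs_rep =
        krb5_config_get_bool_default(context, NULL,
                                     c->encode_as_rep_as_tgs_rep,
                                     "kdc",
                                     "encode_as_rep_as_tgs_rep", NULL);

    c->kdc_warn_pwexpire =
        krb5_config_get_time_default (context, NULL,
                                      c->kdc_warn_pwexpire,
                                      "kdc", "kdc_warn_pwexpire", NULL);


    c->enable_pkinit =
        krb5_config_get_bool_default(context,
                                     NULL,
                                     c->enable_pkinit,
                                     "kdc",
                                     "enable-pkinit",
                                     NULL);


    c->pkinit_kdc_identity =
        krb5_config_get_string(context, NULL,
                               "kdc", "pkinit_identity", NULL);
    c->pkinit_kdc_anchors =
        krb5_config_get_string(context, NULL,
                               "kdc", "pkinit_anchors", NULL);
    c->pkinit_kdc_cert_pool =
        krb5_config_get_strings(context, NULL,
                                "kdc", "pkinit_pool", NULL);
    c->pkinit_kdc_revoke =
        krb5_config_get_strings(context, NULL,
                                "kdc", "pkinit_revoke", NULL);
    c->pkinit_kdc_ocsp_file =
        krb5_config_get_string(context, NULL,
                               "kdc", "pkinit_kdc_ocsp", NULL);
    c->pkinit_kdc_friendly_name =
        krb5_config_get_string(context, NULL,
                               "kdc", "pkinit_kdc_friendly_name", NULL);
    c->pkinit_princ_in_cert =
        krb5_config_get_bool_default(context, NULL,
                                     c->pkinit_princ_in_cert,
                                     "kdc",
                                     "pkinit_principal_in_certificate",
                                     NULL);
    c->pkinit_require_binding =
        krb5_config_get_bool_default(context, NULL,
                                     c->pkinit_require_binding,
                                     "kdc",
                                     "pkinit_win2k_require_binding",
                                     NULL);
    /*
     * NOTE(review): the default of 0 means this file imposes no lower
     * bound on pkinit DH key size; how the pkinit code treats 0 is not
     * visible here -- confirm before relying on it as a policy floor.
     */
    c->pkinit_dh_min_bits =
        krb5_config_get_int_default(context, NULL,
                                    0,
                                    "kdc", "pkinit_dh_min_bits", NULL);


#ifdef __APPLE__
    /*
     * On Apple platforms pkinit is forced on regardless of "enable-pkinit",
     * with keychain-backed identity and anchors as fallbacks.  A failed
     * strdup() of identity/anchors is caught by the NULL checks below; a
     * failed strdup() of the friendly name is not.
     */
    c->enable_pkinit = 1;

    if (c->pkinit_kdc_identity == NULL) {
        if (c->pkinit_kdc_friendly_name == NULL)
            c->pkinit_kdc_friendly_name =
                strdup("O=System Identity,CN=com.apple.kerberos.kdc");
        c->pkinit_kdc_identity = strdup("KEYCHAIN:");
    }
    if (c->pkinit_kdc_anchors == NULL)
        c->pkinit_kdc_anchors = strdup("KEYCHAIN:");

#endif

    /* An enabled pkinit without identity or anchors is a fatal misconfiguration. */
    if (c->enable_pkinit) {
        if (c->pkinit_kdc_identity == NULL)
            krb5_errx(context, 1, "pkinit enabled but no identity");

        if (c->pkinit_kdc_anchors == NULL)
            krb5_errx(context, 1, "pkinit enabled but no X509 anchors");

        krb5_kdc_pk_initialize(context, c,
                               c->pkinit_kdc_identity,
                               c->pkinit_kdc_anchors,
                               c->pkinit_kdc_cert_pool,
                               c->pkinit_kdc_revoke);

    }

    *config = c;

    return 0;
}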