crypto/dist/heimdal/kdc/default_config.c

   1 /*
   2  * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  *
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted provided that the following conditions
   9  * are met:
  10  *
  11  * 1. Redistributions of source code must retain the above copyright
  12  *    notice, this list of conditions and the following disclaimer.
  13  *
  14  * 2. Redistributions in binary form must reproduce the above copyright
  15  *    notice, this list of conditions and the following disclaimer in the
  16  *    documentation and/or other materials provided with the distribution.
  17  *
  18  * 3. Neither the name of the Institute nor the names of its contributors
  19  *    may be used to endorse or promote products derived from this software
  20  *    without specific prior written permission.
  21  *
  22  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  32  * SUCH DAMAGE.
  33  */
  34
  35 #include "kdc_locl.h"
  36 #include <getarg.h>
  37 #include <parse_bytes.h>
  38
  39 __RCSID("$Heimdal: default_config.c 21405 2007-07-04 10:35:45Z lha $"
  40         "$NetBSD$");
  41
  42 krb5_error_code
  43 krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
  44 {
  45     krb5_kdc_configuration *c;
  46
  47     c = calloc(1, sizeof(*c));
  48     if (c == NULL) {
  49         krb5_set_error_string(context, "malloc: out of memory");
  50         return ENOMEM;
  51     }
  52
  53     c->require_preauth = TRUE;
  54     c->kdc_warn_pwexpire = 0;
  55     c->encode_as_rep_as_tgs_rep = FALSE;
  56     c->check_ticket_addresses = TRUE;
  57     c->allow_null_ticket_addresses = TRUE;
  58     c->allow_anonymous = FALSE;
  59     c->trpolicy = TRPOLICY_ALWAYS_CHECK;
  60     c->enable_v4 = FALSE;
  61     c->enable_kaserver = FALSE;
  62     c->enable_524 = FALSE;
  63     c->enable_v4_cross_realm = FALSE;
  64     c->enable_pkinit = FALSE;
  65     c->pkinit_princ_in_cert = TRUE;
  66     c->pkinit_require_binding = TRUE;
  67     c->db = NULL;
  68     c->num_db = 0;
  69     c->logf = NULL;
  70
  71     c->require_preauth =
  72         krb5_config_get_bool_default(context, NULL,
  73                                      c->require_preauth,
  74                                      "kdc", "require-preauth", NULL);
  75     c->enable_v4 =
  76         krb5_config_get_bool_default(context, NULL,
  77                                      c->enable_v4,
  78                                      "kdc", "enable-kerberos4", NULL);
  79     c->enable_v4_cross_realm =
  80         krb5_config_get_bool_default(context, NULL,
  81                                      c->enable_v4_cross_realm,
  82                                      "kdc",
  83                                      "enable-kerberos4-cross-realm", NULL);
  84     c->enable_524 =
  85         krb5_config_get_bool_default(context, NULL,
  86                                      c->enable_v4,
  87                                      "kdc", "enable-524", NULL);
  88     c->enable_digest =
  89         krb5_config_get_bool_default(context, NULL,
  90                                      FALSE,
  91                                      "kdc", "enable-digest", NULL);
  92
  93     {
  94         const char *digests;
  95
  96         digests = krb5_config_get_string(context, NULL,
  97                                          "kdc",
  98                                          "digests_allowed", NULL);
  99         if (digests == NULL)
 100             digests = "ntlm-v2";
 101         c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
 102         if (c->digests_allowed == -1) {
 103             kdc_log(context, c, 0,
 104                     "unparsable digest units (%s), turning off digest",
 105                     digests);
 106             c->enable_digest = 0;
 107         } else if (c->digests_allowed == 0) {
 108             kdc_log(context, c, 0,
 109                     "no digest enable, turning digest off",
 110                     digests);
 111             c->enable_digest = 0;
 112         }
 113     }
 114
 115     c->enable_kx509 =
 116         krb5_config_get_bool_default(context, NULL,
 117                                      FALSE,
 118                                      "kdc", "enable-kx509", NULL);
 119
 120     if (c->enable_kx509) {
 121         c->kx509_template =
 122             krb5_config_get_string(context, NULL,
 123                                    "kdc", "kx509_template", NULL);
 124         c->kx509_ca =
 125             krb5_config_get_string(context, NULL,
 126                                    "kdc", "kx509_ca", NULL);
 127         if (c->kx509_ca == NULL || c->kx509_template == NULL) {
 128             kdc_log(context, c, 0,
 129                     "missing kx509 configuration, turning off");
 130             c->enable_kx509 = FALSE;
 131         }
 132     }
 133
 134     c->check_ticket_addresses =
 135         krb5_config_get_bool_default(context, NULL,
 136                                      c->check_ticket_addresses,
 137                                      "kdc",
 138                                      "check-ticket-addresses", NULL);
 139     c->allow_null_ticket_addresses =
 140         krb5_config_get_bool_default(context, NULL,
 141                                      c->allow_null_ticket_addresses,
 142                                      "kdc",
 143                                      "allow-null-ticket-addresses", NULL);
 144
 145     c->allow_anonymous =
 146         krb5_config_get_bool_default(context, NULL,
 147                                      c->allow_anonymous,
 148                                      "kdc",
 149                                      "allow-anonymous", NULL);
 150
 151     c->max_datagram_reply_length =
 152         krb5_config_get_int_default(context,
 153                                     NULL,
 154                                     1400,
 155                                     "kdc",
 156                                     "max-kdc-datagram-reply-length",
 157                                     NULL);
 158
 159     {
 160         const char *trpolicy_str;
 161
 162         trpolicy_str =
 163             krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
 164                                            "transited-policy", NULL);
 165         if(strcasecmp(trpolicy_str, "always-check") == 0) {
 166             c->trpolicy = TRPOLICY_ALWAYS_CHECK;
 167         } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
 168             c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
 169         } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
 170             c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
 171         } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
 172             /* default */
 173         } else {
 174             kdc_log(context, c, 0,
 175                     "unknown transited-policy: %s, "
 176                     "reverting to default (always-check)",
 177                     trpolicy_str);
 178         }
 179     }
 180
 181     {
 182         const char *p;
 183         p = krb5_config_get_string (context, NULL,
 184                                     "kdc",
 185                                     "v4-realm",
 186                                     NULL);
 187         if(p != NULL) {
 188             c->v4_realm = strdup(p);
 189             if (c->v4_realm == NULL)
 190                 krb5_errx(context, 1, "out of memory");
 191         } else {
 192             c->v4_realm = NULL;
 193         }
 194     }
 195
 196     c->enable_kaserver =
 197         krb5_config_get_bool_default(context,
 198                                      NULL,
 199                                      c->enable_kaserver,
 200                                      "kdc", "enable-kaserver", NULL);
 201
 202
 203     c->encode_as_rep_as_tgs_rep =
 204         krb5_config_get_bool_default(context, NULL,
 205                                      c->encode_as_rep_as_tgs_rep,
 206                                      "kdc",
 207                                      "encode_as_rep_as_tgs_rep", NULL);
 208
 209     c->kdc_warn_pwexpire =
 210         krb5_config_get_time_default (context, NULL,
 211                                       c->kdc_warn_pwexpire,
 212                                       "kdc", "kdc_warn_pwexpire", NULL);
 213
 214
 215 #ifdef PKINIT
 216     c->enable_pkinit =
 217         krb5_config_get_bool_default(context,
 218                                      NULL,
 219                                      c->enable_pkinit,
 220                                      "kdc",
 221                                      "enable-pkinit",
 222                                      NULL);
 223     if (c->enable_pkinit) {
 224         const char *user_id, *anchors, *ocsp_file;
 225         char **pool_list, **revoke_list;
 226
 227         user_id =
 228             krb5_config_get_string(context, NULL,
 229                                    "kdc", "pkinit_identity", NULL);
 230         if (user_id == NULL)
 231             krb5_errx(context, 1, "pkinit enabled but no identity");
 232
 233         anchors = krb5_config_get_string(context, NULL,
 234                                          "kdc", "pkinit_anchors", NULL);
 235         if (anchors == NULL)
 236             krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
 237
 238         pool_list =
 239             krb5_config_get_strings(context, NULL,
 240                                     "kdc", "pkinit_pool", NULL);
 241
 242         revoke_list =
 243             krb5_config_get_strings(context, NULL,
 244                                     "kdc", "pkinit_revoke", NULL);
 245
 246         ocsp_file =
 247             krb5_config_get_string(context, NULL,
 248                                    "kdc", "pkinit_kdc_ocsp", NULL);
 249         if (ocsp_file) {
 250             c->pkinit_kdc_ocsp_file = strdup(ocsp_file);
 251             if (c->pkinit_kdc_ocsp_file == NULL)
 252                 krb5_errx(context, 1, "out of memory");
 253         }
 254
 255         _kdc_pk_initialize(context, c, user_id, anchors,
 256                            pool_list, revoke_list);
 257
 258         krb5_config_free_strings(pool_list);
 259         krb5_config_free_strings(revoke_list);
 260
 261         c->pkinit_princ_in_cert =
 262             krb5_config_get_bool_default(context, NULL,
 263                                          c->pkinit_princ_in_cert,
 264                                          "kdc",
 265                                          "pkinit_principal_in_certificate",
 266                                          NULL);
 267
 268         c->pkinit_require_binding =
 269             krb5_config_get_bool_default(context, NULL,
 270                                          c->pkinit_require_binding,
 271                                          "kdc",
 272                                          "pkinit_win2k_require_binding",
 273                                          NULL);
 274     }
 275
 276     c->pkinit_dh_min_bits =
 277         krb5_config_get_int_default(context, NULL,
 278                                     0,
 279                                     "kdc", "pkinit_dh_min_bits", NULL);
 280
 281 #endif
 282
 283     *config = c;
 284
 285     return 0;
 286 }