kdc/default_config.c

   1 /*
   2  * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  *
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted provided that the following conditions
   9  * are met:
  10  *
  11  * 1. Redistributions of source code must retain the above copyright
  12  *    notice, this list of conditions and the following disclaimer.
  13  *
  14  * 2. Redistributions in binary form must reproduce the above copyright
  15  *    notice, this list of conditions and the following disclaimer in the
  16  *    documentation and/or other materials provided with the distribution.
  17  *
  18  * 3. Neither the name of the Institute nor the names of its contributors
  19  *    may be used to endorse or promote products derived from this software
  20  *    without specific prior written permission.
  21  *
  22  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  32  * SUCH DAMAGE.
  33  */
  34
  35 #include "kdc_locl.h"
  36 #include <getarg.h>
  37 #include <parse_bytes.h>
  38
  39 RCSID("$Id$");
  40
  41 krb5_error_code
  42 krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
  43 {
  44     krb5_kdc_configuration *c;
  45
  46     c = calloc(1, sizeof(*c));
  47     if (c == NULL) {
  48         krb5_set_error_string(context, "malloc: out of memory");
  49         return ENOMEM;
  50     }
  51
  52     c->require_preauth = TRUE;
  53     c->kdc_warn_pwexpire = 0;
  54     c->encode_as_rep_as_tgs_rep = FALSE;
  55     c->check_ticket_addresses = TRUE;
  56     c->allow_null_ticket_addresses = TRUE;
  57     c->allow_anonymous = FALSE;
  58     c->trpolicy = TRPOLICY_ALWAYS_CHECK;
  59     c->enable_v4 = FALSE;
  60     c->enable_kaserver = FALSE;
  61     c->enable_524 = FALSE;
  62     c->enable_v4_cross_realm = FALSE;
  63     c->enable_pkinit = FALSE;
  64     c->pkinit_princ_in_cert = TRUE;
  65     c->pkinit_require_binding = TRUE;
  66     c->db = NULL;
  67     c->num_db = 0;
  68     c->logf = NULL;
  69
  70     c->require_preauth =
  71         krb5_config_get_bool_default(context, NULL,
  72                                      c->require_preauth,
  73                                      "kdc", "require-preauth", NULL);
  74     c->enable_v4 =
  75         krb5_config_get_bool_default(context, NULL,
  76                                      c->enable_v4,
  77                                      "kdc", "enable-kerberos4", NULL);
  78     c->enable_v4_cross_realm =
  79         krb5_config_get_bool_default(context, NULL,
  80                                      c->enable_v4_cross_realm,
  81                                      "kdc",
  82                                      "enable-kerberos4-cross-realm", NULL);
  83     c->enable_524 =
  84         krb5_config_get_bool_default(context, NULL,
  85                                      c->enable_v4,
  86                                      "kdc", "enable-524", NULL);
  87     c->enable_digest =
  88         krb5_config_get_bool_default(context, NULL,
  89                                      FALSE,
  90                                      "kdc", "enable-digest", NULL);
  91
  92     {
  93         const char *digests;
  94
  95         digests = krb5_config_get_string(context, NULL,
  96                                          "kdc",
  97                                          "digests_allowed", NULL);
  98         if (digests == NULL)
  99             digests = "ntlm-v2";
 100         c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
 101         if (c->digests_allowed == -1) {
 102             kdc_log(context, c, 0,
 103                     "unparsable digest units (%s), turning off digest",
 104                     digests);
 105             c->enable_digest = 0;
 106         } else if (c->digests_allowed == 0) {
 107             kdc_log(context, c, 0,
 108                     "no digest enable, turning digest off",
 109                     digests);
 110             c->enable_digest = 0;
 111         }
 112     }
 113
 114     c->enable_kx509 =
 115         krb5_config_get_bool_default(context, NULL,
 116                                      FALSE,
 117                                      "kdc", "enable-kx509", NULL);
 118
 119     if (c->enable_kx509) {
 120         c->kx509_template =
 121             krb5_config_get_string(context, NULL,
 122                                    "kdc", "kx509_template", NULL);
 123         c->kx509_ca =
 124             krb5_config_get_string(context, NULL,
 125                                    "kdc", "kx509_ca", NULL);
 126         if (c->kx509_ca == NULL || c->kx509_template == NULL) {
 127             kdc_log(context, c, 0,
 128                     "missing kx509 configuration, turning off");
 129             c->enable_kx509 = FALSE;
 130         }
 131     }
 132
 133     c->check_ticket_addresses =
 134         krb5_config_get_bool_default(context, NULL,
 135                                      c->check_ticket_addresses,
 136                                      "kdc",
 137                                      "check-ticket-addresses", NULL);
 138     c->allow_null_ticket_addresses =
 139         krb5_config_get_bool_default(context, NULL,
 140                                      c->allow_null_ticket_addresses,
 141                                      "kdc",
 142                                      "allow-null-ticket-addresses", NULL);
 143
 144     c->allow_anonymous =
 145         krb5_config_get_bool_default(context, NULL,
 146                                      c->allow_anonymous,
 147                                      "kdc",
 148                                      "allow-anonymous", NULL);
 149
 150     c->max_datagram_reply_length =
 151         krb5_config_get_int_default(context,
 152                                     NULL,
 153                                     1400,
 154                                     "kdc",
 155                                     "max-kdc-datagram-reply-length",
 156                                     NULL);
 157
 158     {
 159         const char *trpolicy_str;
 160
 161         trpolicy_str =
 162             krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
 163                                            "transited-policy", NULL);
 164         if(strcasecmp(trpolicy_str, "always-check") == 0) {
 165             c->trpolicy = TRPOLICY_ALWAYS_CHECK;
 166         } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
 167             c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
 168         } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
 169             c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
 170         } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
 171             /* default */
 172         } else {
 173             kdc_log(context, c, 0,
 174                     "unknown transited-policy: %s, "
 175                     "reverting to default (always-check)",
 176                     trpolicy_str);
 177         }
 178     }
 179
 180     {
 181         const char *p;
 182         p = krb5_config_get_string (context, NULL,
 183                                     "kdc",
 184                                     "v4-realm",
 185                                     NULL);
 186         if(p != NULL) {
 187             c->v4_realm = strdup(p);
 188             if (c->v4_realm == NULL)
 189                 krb5_errx(context, 1, "out of memory");
 190         } else {
 191             c->v4_realm = NULL;
 192         }
 193     }
 194
 195     c->enable_kaserver =
 196         krb5_config_get_bool_default(context,
 197                                      NULL,
 198                                      c->enable_kaserver,
 199                                      "kdc", "enable-kaserver", NULL);
 200
 201
 202     c->encode_as_rep_as_tgs_rep =
 203         krb5_config_get_bool_default(context, NULL,
 204                                      c->encode_as_rep_as_tgs_rep,
 205                                      "kdc",
 206                                      "encode_as_rep_as_tgs_rep", NULL);
 207
 208     c->kdc_warn_pwexpire =
 209         krb5_config_get_time_default (context, NULL,
 210                                       c->kdc_warn_pwexpire,
 211                                       "kdc", "kdc_warn_pwexpire", NULL);
 212
 213
 214 #ifdef PKINIT
 215     c->enable_pkinit =
 216         krb5_config_get_bool_default(context,
 217                                      NULL,
 218                                      c->enable_pkinit,
 219                                      "kdc",
 220                                      "enable-pkinit",
 221                                      NULL);
 222     if (c->enable_pkinit) {
 223         const char *user_id, *anchors, *ocsp_file;
 224         char **pool_list, **revoke_list;
 225
 226         user_id =
 227             krb5_config_get_string(context, NULL,
 228                                    "kdc", "pkinit_identity", NULL);
 229         if (user_id == NULL)
 230             krb5_errx(context, 1, "pkinit enabled but no identity");
 231
 232         anchors = krb5_config_get_string(context, NULL,
 233                                          "kdc", "pkinit_anchors", NULL);
 234         if (anchors == NULL)
 235             krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
 236
 237         pool_list =
 238             krb5_config_get_strings(context, NULL,
 239                                     "kdc", "pkinit_pool", NULL);
 240
 241         revoke_list =
 242             krb5_config_get_strings(context, NULL,
 243                                     "kdc", "pkinit_revoke", NULL);
 244
 245         ocsp_file =
 246             krb5_config_get_string(context, NULL,
 247                                    "kdc", "pkinit_kdc_ocsp", NULL);
 248         if (ocsp_file) {
 249             c->pkinit_kdc_ocsp_file = strdup(ocsp_file);
 250             if (c->pkinit_kdc_ocsp_file == NULL)
 251                 krb5_errx(context, 1, "out of memory");
 252         }
 253
 254         _kdc_pk_initialize(context, c, user_id, anchors,
 255                            pool_list, revoke_list);
 256
 257         krb5_config_free_strings(pool_list);
 258         krb5_config_free_strings(revoke_list);
 259
 260         c->pkinit_princ_in_cert =
 261             krb5_config_get_bool_default(context, NULL,
 262                                          c->pkinit_princ_in_cert,
 263                                          "kdc",
 264                                          "pkinit_principal_in_certificate",
 265                                          NULL);
 266
 267         c->pkinit_require_binding =
 268             krb5_config_get_bool_default(context, NULL,
 269                                          c->pkinit_require_binding,
 270                                          "kdc",
 271                                          "pkinit_win2k_require_binding",
 272                                          NULL);
 273     }
 274
 275     c->pkinit_dh_min_bits =
 276         krb5_config_get_int_default(context, NULL,
 277                                     0,
 278                                     "kdc", "pkinit_dh_min_bits", NULL);
 279
 280 #endif
 281
 282     *config = c;
 283
 284     return 0;
 285 }