• Home
  • History
  • Annotate
  • Line#
  • Navigate
  • Raw
  • Download
  • only in /asuswrt-rt-n18u-9.0.0.4.380.2695/release/src/router/samba-3.5.8/source4/heimdal/kdc/
1/*
2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 *
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 *    notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in the
16 *    documentation and/or other materials provided with the distribution.
17 *
18 * 3. Neither the name of the Institute nor the names of its contributors
19 *    may be used to endorse or promote products derived from this software
20 *    without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35#include "kdc_locl.h"
36#include <getarg.h>
37#include <parse_bytes.h>
38
39RCSID("$Id: default_config.c,v 1.1.1.1 2011/06/10 09:34:43 andrew Exp $");
40
41krb5_error_code
42krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
43{
44    krb5_kdc_configuration *c;
45
46    c = calloc(1, sizeof(*c));
47    if (c == NULL) {
48	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
49	return ENOMEM;
50    }
51
52    c->require_preauth = TRUE;
53    c->kdc_warn_pwexpire = 0;
54    c->encode_as_rep_as_tgs_rep = FALSE;
55    c->check_ticket_addresses = TRUE;
56    c->allow_null_ticket_addresses = TRUE;
57    c->allow_anonymous = FALSE;
58    c->trpolicy = TRPOLICY_ALWAYS_CHECK;
59    c->enable_v4 = FALSE;
60    c->enable_kaserver = FALSE;
61    c->enable_524 = FALSE;
62    c->enable_v4_cross_realm = FALSE;
63    c->enable_pkinit = FALSE;
64    c->pkinit_princ_in_cert = TRUE;
65    c->pkinit_require_binding = TRUE;
66    c->db = NULL;
67    c->num_db = 0;
68    c->logf = NULL;
69
70    c->require_preauth =
71	krb5_config_get_bool_default(context, NULL,
72				     c->require_preauth,
73				     "kdc", "require-preauth", NULL);
74    c->enable_v4 =
75	krb5_config_get_bool_default(context, NULL,
76				     c->enable_v4,
77				     "kdc", "enable-kerberos4", NULL);
78    c->enable_v4_cross_realm =
79	krb5_config_get_bool_default(context, NULL,
80				     c->enable_v4_cross_realm,
81				     "kdc",
82				     "enable-kerberos4-cross-realm", NULL);
83    c->enable_524 =
84	krb5_config_get_bool_default(context, NULL,
85				     c->enable_v4,
86				     "kdc", "enable-524", NULL);
87#ifdef DIGEST
88    c->enable_digest =
89	krb5_config_get_bool_default(context, NULL,
90				     FALSE,
91				     "kdc", "enable-digest", NULL);
92
93    {
94	const char *digests;
95
96	digests = krb5_config_get_string(context, NULL,
97					 "kdc",
98					 "digests_allowed", NULL);
99	if (digests == NULL)
100	    digests = "ntlm-v2";
101	c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
102	if (c->digests_allowed == -1) {
103	    kdc_log(context, c, 0,
104		    "unparsable digest units (%s), turning off digest",
105		    digests);
106	    c->enable_digest = 0;
107	} else if (c->digests_allowed == 0) {
108	    kdc_log(context, c, 0,
109		    "no digest enable, turning digest off",
110		    digests);
111	    c->enable_digest = 0;
112	}
113    }
114#endif
115
116#ifdef KX509
117    c->enable_kx509 =
118	krb5_config_get_bool_default(context, NULL,
119				     FALSE,
120				     "kdc", "enable-kx509", NULL);
121
122    if (c->enable_kx509) {
123	c->kx509_template =
124	    krb5_config_get_string(context, NULL,
125				   "kdc", "kx509_template", NULL);
126	c->kx509_ca =
127	    krb5_config_get_string(context, NULL,
128				   "kdc", "kx509_ca", NULL);
129	if (c->kx509_ca == NULL || c->kx509_template == NULL) {
130	    kdc_log(context, c, 0,
131		    "missing kx509 configuration, turning off");
132	    c->enable_kx509 = FALSE;
133	}
134    }
135#endif
136
137    c->check_ticket_addresses =
138	krb5_config_get_bool_default(context, NULL,
139				     c->check_ticket_addresses,
140				     "kdc",
141				     "check-ticket-addresses", NULL);
142    c->allow_null_ticket_addresses =
143	krb5_config_get_bool_default(context, NULL,
144				     c->allow_null_ticket_addresses,
145				     "kdc",
146				     "allow-null-ticket-addresses", NULL);
147
148    c->allow_anonymous =
149	krb5_config_get_bool_default(context, NULL,
150				     c->allow_anonymous,
151				     "kdc",
152				     "allow-anonymous", NULL);
153
154    c->max_datagram_reply_length =
155	krb5_config_get_int_default(context,
156				    NULL,
157				    1400,
158				    "kdc",
159				    "max-kdc-datagram-reply-length",
160				    NULL);
161
162    {
163	const char *trpolicy_str;
164
165	trpolicy_str =
166	    krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
167					   "transited-policy", NULL);
168	if(strcasecmp(trpolicy_str, "always-check") == 0) {
169	    c->trpolicy = TRPOLICY_ALWAYS_CHECK;
170	} else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
171	    c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
172	} else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
173	    c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
174	} else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
175	    /* default */
176	} else {
177	    kdc_log(context, c, 0,
178		    "unknown transited-policy: %s, "
179		    "reverting to default (always-check)",
180		    trpolicy_str);
181	}
182    }
183
184    {
185	const char *p;
186	p = krb5_config_get_string (context, NULL,
187				    "kdc",
188				    "v4-realm",
189				    NULL);
190	if(p != NULL) {
191	    c->v4_realm = strdup(p);
192	    if (c->v4_realm == NULL)
193		krb5_errx(context, 1, "out of memory");
194	} else {
195	    c->v4_realm = NULL;
196	}
197    }
198
199    c->enable_kaserver =
200	krb5_config_get_bool_default(context,
201				     NULL,
202				     c->enable_kaserver,
203				     "kdc", "enable-kaserver", NULL);
204
205
206    c->encode_as_rep_as_tgs_rep =
207	krb5_config_get_bool_default(context, NULL,
208				     c->encode_as_rep_as_tgs_rep,
209				     "kdc",
210				     "encode_as_rep_as_tgs_rep", NULL);
211
212    c->kdc_warn_pwexpire =
213	krb5_config_get_time_default (context, NULL,
214				      c->kdc_warn_pwexpire,
215				      "kdc", "kdc_warn_pwexpire", NULL);
216
217
218#ifdef PKINIT
219    c->enable_pkinit =
220	krb5_config_get_bool_default(context,
221				     NULL,
222				     c->enable_pkinit,
223				     "kdc",
224				     "enable-pkinit",
225				     NULL);
226    if (c->enable_pkinit) {
227	const char *user_id, *anchors, *file;
228	char **pool_list, **revoke_list;
229
230	user_id =
231	    krb5_config_get_string(context, NULL,
232				   "kdc", "pkinit_identity", NULL);
233	if (user_id == NULL)
234	    krb5_errx(context, 1, "pkinit enabled but no identity");
235
236	anchors = krb5_config_get_string(context, NULL,
237					 "kdc", "pkinit_anchors", NULL);
238	if (anchors == NULL)
239	    krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
240
241	pool_list =
242	    krb5_config_get_strings(context, NULL,
243				    "kdc", "pkinit_pool", NULL);
244
245	revoke_list =
246	    krb5_config_get_strings(context, NULL,
247				    "kdc", "pkinit_revoke", NULL);
248
249	file = krb5_config_get_string(context, NULL,
250				      "kdc", "pkinit_kdc_ocsp", NULL);
251	if (file) {
252	    c->pkinit_kdc_ocsp_file = strdup(file);
253	    if (c->pkinit_kdc_ocsp_file == NULL)
254		krb5_errx(context, 1, "out of memory");
255	}
256
257	file = krb5_config_get_string(context, NULL,
258				      "kdc", "pkinit_kdc_friendly_name", NULL);
259	if (file) {
260	    c->pkinit_kdc_friendly_name = strdup(file);
261	    if (c->pkinit_kdc_friendly_name == NULL)
262		krb5_errx(context, 1, "out of memory");
263	}
264
265
266	_kdc_pk_initialize(context, c, user_id, anchors,
267			   pool_list, revoke_list);
268
269	krb5_config_free_strings(pool_list);
270	krb5_config_free_strings(revoke_list);
271
272	c->pkinit_princ_in_cert =
273	    krb5_config_get_bool_default(context, NULL,
274					 c->pkinit_princ_in_cert,
275					 "kdc",
276					 "pkinit_principal_in_certificate",
277					 NULL);
278
279	c->pkinit_require_binding =
280	    krb5_config_get_bool_default(context, NULL,
281					 c->pkinit_require_binding,
282					 "kdc",
283					 "pkinit_win2k_require_binding",
284					 NULL);
285    }
286
287    c->pkinit_dh_min_bits =
288	krb5_config_get_int_default(context, NULL,
289				    0,
290				    "kdc", "pkinit_dh_min_bits", NULL);
291
292#endif
293
294    *config = c;
295
296    return 0;
297}
298