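/*
 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "kdc_locl.h"
#include <getarg.h>
#include <parse_bytes.h>

RCSID("$Id: default_config.c,v 1.1.1.1 2011/06/10 09:34:43 andrew Exp $");

/*
 * Built-in defaults that apply before krb5.conf is consulted.  Fields
 * not listed here keep the zero value calloc() gave them.
 *
 * The security-relevant ones: pre-authentication is required, ticket
 * addresses are checked (tickets carrying no addresses are accepted),
 * anonymous requests are refused, the transited policy is always-check,
 * and the legacy v4 / kaserver / 524 services are off.
 */
static void
set_builtin_defaults(krb5_kdc_configuration *c)
{
    c->require_preauth = TRUE;
    c->kdc_warn_pwexpire = 0;
    c->encode_as_rep_as_tgs_rep = FALSE;
    c->check_ticket_addresses = TRUE;
    c->allow_null_ticket_addresses = TRUE;
    c->allow_anonymous = FALSE;
    c->trpolicy = TRPOLICY_ALWAYS_CHECK;
    c->enable_v4 = FALSE;
    c->enable_kaserver = FALSE;
    c->enable_524 = FALSE;
    c->enable_v4_cross_realm = FALSE;
    c->enable_pkinit = FALSE;
    c->pkinit_princ_in_cert = TRUE;
    c->pkinit_require_binding = TRUE;
    c->db = NULL;
    c->num_db = 0;
    c->logf = NULL;
}

#ifdef DIGEST
/*
 * Digest settings: [kdc]enable-digest and [kdc]digests_allowed.
 *
 * digests_allowed defaults to "ntlm-v2" when unset.  It is parsed even
 * when enable-digest is off so the flag word is always populated; an
 * unparsable or empty set forces digest off and says so in the log.
 */
static void
get_digest_config(krb5_context context, krb5_kdc_configuration *c)
{
    const char *digests;

    c->enable_digest =
	krb5_config_get_bool_default(context, NULL, FALSE,
				     "kdc", "enable-digest", NULL);

    digests = krb5_config_get_string(context, NULL,
				     "kdc", "digests_allowed", NULL);
    if (digests == NULL)
	digests = "ntlm-v2";

    c->digests_allowed = parse_flags(digests, _kdc_digestunits, 0);
    if (c->digests_allowed == -1) {
	kdc_log(context, c, 0,
		"unparsable digest units (%s), turning off digest",
		digests);
	c->enable_digest = FALSE;
    } else if (c->digests_allowed == 0) {
	/* The configured string is part of the message so the operator
	 * can see what parsed to an empty set. */
	kdc_log(context, c, 0,
		"no digest enabled (%s), turning digest off",
		digests);
	c->enable_digest = FALSE;
    }
}
#endif

#ifdef KX509
/*
 * kx509 settings: [kdc]enable-kx509, and when enabled, kx509_template
 * and kx509_ca.  Both must be present or the service is turned off.
 *
 * The two strings are not copied; they point at the configuration
 * store (unlike v4_realm and the pkinit file names, which are strdup'd).
 */
static void
get_kx509_config(krb5_context context, krb5_kdc_configuration *c)
{
    c->enable_kx509 =
	krb5_config_get_bool_default(context, NULL, FALSE,
				     "kdc", "enable-kx509", NULL);
    if (!c->enable_kx509)
	return;

    c->kx509_template =
	krb5_config_get_string(context, NULL,
			       "kdc", "kx509_template", NULL);
    c->kx509_ca =
	krb5_config_get_string(context, NULL,
			       "kdc", "kx509_ca", NULL);
    if (c->kx509_ca == NULL || c->kx509_template == NULL) {
	kdc_log(context, c, 0,
		"missing kx509 configuration, turning off");
	c->enable_kx509 = FALSE;
    }
}
#endif

/*
 * [kdc]transited-policy, compared case-insensitively.  An unknown value
 * is logged and the policy is set to always-check, the strictest option,
 * so a typo in the configuration cannot relax transit checking.
 */
static void
get_transited_policy(krb5_context context, krb5_kdc_configuration *c)
{
    const char *trpolicy_str;

    trpolicy_str =
	krb5_config_get_string_default(context, NULL, "DEFAULT",
				       "kdc", "transited-policy", NULL);

    if (strcasecmp(trpolicy_str, "always-check") == 0) {
	c->trpolicy = TRPOLICY_ALWAYS_CHECK;
    } else if (strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
	c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
    } else if (strcasecmp(trpolicy_str, "always-honour-request") == 0) {
	c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
    } else if (strcasecmp(trpolicy_str, "DEFAULT") == 0) {
	/* keep the built-in default (TRPOLICY_ALWAYS_CHECK) */
    } else {
	kdc_log(context, c, 0,
		"unknown transited-policy: %s, "
		"reverting to default (always-check)",
		trpolicy_str);
	c->trpolicy = TRPOLICY_ALWAYS_CHECK;
    }
}

/*
 * [kdc]v4-realm.  The value is copied with strdup() and owned by the
 * configuration; allocation failure is fatal (krb5_errx exits).
 */
static void
get_v4_realm_config(krb5_context context, krb5_kdc_configuration *c)
{
    const char *p;

    p = krb5_config_get_string(context, NULL,
			       "kdc", "v4-realm", NULL);
    if (p != NULL) {
	c->v4_realm = strdup(p);
	if (c->v4_realm == NULL)
	    krb5_errx(context, 1, "out of memory");
    } else {
	c->v4_realm = NULL;
    }
}

#ifdef PKINIT
/*
 * PKINIT settings.  When [kdc]enable-pkinit is on, pkinit_identity and
 * pkinit_anchors are mandatory (missing either is fatal via krb5_errx);
 * pkinit_pool and pkinit_revoke are optional lists handed to
 * _kdc_pk_initialize() and freed afterwards; the OCSP file and friendly
 * name are strdup'd into the configuration.
 *
 * pkinit_dh_min_bits is read whether or not pkinit is enabled and
 * defaults to 0; how a zero minimum is treated is up to the pkinit code,
 * not decided here.
 */
static void
get_pkinit_config(krb5_context context, krb5_kdc_configuration *c)
{
    c->enable_pkinit =
	krb5_config_get_bool_default(context, NULL, c->enable_pkinit,
				     "kdc", "enable-pkinit", NULL);

    if (c->enable_pkinit) {
	const char *user_id, *anchors, *file;
	char **pool_list, **revoke_list;

	user_id = krb5_config_get_string(context, NULL,
					 "kdc", "pkinit_identity", NULL);
	if (user_id == NULL)
	    krb5_errx(context, 1, "pkinit enabled but no identity");

	anchors = krb5_config_get_string(context, NULL,
					 "kdc", "pkinit_anchors", NULL);
	if (anchors == NULL)
	    krb5_errx(context, 1, "pkinit enabled but no X509 anchors");

	pool_list = krb5_config_get_strings(context, NULL,
					    "kdc", "pkinit_pool", NULL);
	revoke_list = krb5_config_get_strings(context, NULL,
					      "kdc", "pkinit_revoke", NULL);

	file = krb5_config_get_string(context, NULL,
				      "kdc", "pkinit_kdc_ocsp", NULL);
	if (file) {
	    c->pkinit_kdc_ocsp_file = strdup(file);
	    if (c->pkinit_kdc_ocsp_file == NULL)
		krb5_errx(context, 1, "out of memory");
	}

	file = krb5_config_get_string(context, NULL,
				      "kdc", "pkinit_kdc_friendly_name", NULL);
	if (file) {
	    c->pkinit_kdc_friendly_name = strdup(file);
	    if (c->pkinit_kdc_friendly_name == NULL)
		krb5_errx(context, 1, "out of memory");
	}

	/* NOTE(review): the return value, if any, is not inspected here;
	 * failures are expected to be reported by the callee -- confirm. */
	_kdc_pk_initialize(context, c, user_id, anchors,
			   pool_list, revoke_list);

	krb5_config_free_strings(pool_list);
	krb5_config_free_strings(revoke_list);

	c->pkinit_princ_in_cert =
	    krb5_config_get_bool_default(context, NULL,
					 c->pkinit_princ_in_cert,
					 "kdc",
					 "pkinit_principal_in_certificate",
					 NULL);

	c->pkinit_require_binding =
	    krb5_config_get_bool_default(context, NULL,
					 c->pkinit_require_binding,
					 "kdc",
					 "pkinit_win2k_require_binding",
					 NULL);
    }

    c->pkinit_dh_min_bits =
	krb5_config_get_int_default(context, NULL, 0,
				    "kdc", "pkinit_dh_min_bits", NULL);
}
#endif

/**
 * Allocate a KDC configuration and populate it from the [kdc] section
 * of the krb5 configuration, using the built-in defaults for any key
 * that is not set.
 *
 * @param context  krb5 context used for configuration lookup and logging.
 * @param config   Receives the new configuration on success; the caller
 *                 owns it.
 *
 * @return 0 on success, or ENOMEM (with an error message set on the
 *         context) if the configuration block could not be allocated.
 *
 * Fatal misconfiguration in the pkinit section and strdup() failures
 * are reported with krb5_errx(), which terminates the process instead
 * of returning an error.  c->logf is still NULL while this runs, so any
 * kdc_log() output during loading depends on how the log facility
 * handles a missing facility -- TODO confirm.
 */
krb5_error_code
krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
{
    krb5_kdc_configuration *c;

    c = calloc(1, sizeof(*c));
    if (c == NULL) {
	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
	return ENOMEM;
    }

    set_builtin_defaults(c);

    c->require_preauth =
	krb5_config_get_bool_default(context, NULL,
				     c->require_preauth,
				     "kdc", "require-preauth", NULL);
    c->enable_v4 =
	krb5_config_get_bool_default(context, NULL,
				     c->enable_v4,
				     "kdc", "enable-kerberos4", NULL);
    c->enable_v4_cross_realm =
	krb5_config_get_bool_default(context, NULL,
				     c->enable_v4_cross_realm,
				     "kdc",
				     "enable-kerberos4-cross-realm", NULL);
    /* enable-524 follows the already-resolved enable-kerberos4 value
     * unless it is set explicitly. */
    c->enable_524 =
	krb5_config_get_bool_default(context, NULL,
				     c->enable_v4,
				     "kdc", "enable-524", NULL);

#ifdef DIGEST
    get_digest_config(context, c);
#endif

#ifdef KX509
    get_kx509_config(context, c);
#endif

    c->check_ticket_addresses =
	krb5_config_get_bool_default(context, NULL,
				     c->check_ticket_addresses,
				     "kdc",
				     "check-ticket-addresses", NULL);
    c->allow_null_ticket_addresses =
	krb5_config_get_bool_default(context, NULL,
				     c->allow_null_ticket_addresses,
				     "kdc",
				     "allow-null-ticket-addresses", NULL);

    c->allow_anonymous =
	krb5_config_get_bool_default(context, NULL,
				     c->allow_anonymous,
				     "kdc",
				     "allow-anonymous", NULL);

    /* Default reply size bound for datagram transport. */
    c->max_datagram_reply_length =
	krb5_config_get_int_default(context, NULL,
				    1400,
				    "kdc",
				    "max-kdc-datagram-reply-length",
				    NULL);

    get_transited_policy(context, c);

    get_v4_realm_config(context, c);

    c->enable_kaserver =
	krb5_config_get_bool_default(context, NULL,
				     c->enable_kaserver,
				     "kdc", "enable-kaserver", NULL);

    c->encode_as_rep_as_tgs_rep =
	krb5_config_get_bool_default(context, NULL,
				     c->encode_as_rep_as_tgs_rep,
				     "kdc",
				     "encode_as_rep_as_tgs_rep", NULL);

    c->kdc_warn_pwexpire =
	krb5_config_get_time_default(context, NULL,
				     c->kdc_warn_pwexpire,
				     "kdc", "kdc_warn_pwexpire", NULL);

#ifdef PKINIT
    get_pkinit_config(context, c);
#endif

    *config = c;

    return 0;
}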