1/* 2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36#include "kdc_locl.h" 37#include <getarg.h> 38#include <parse_bytes.h> 39 40krb5_error_code 41krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) 42{ 43 krb5_kdc_configuration *c; 44 const char *s; 45 46 c = calloc(1, sizeof(*c)); 47 if (c == NULL) { 48 krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); 49 return ENOMEM; 50 } 51 52 c->require_preauth = TRUE; 53 c->kdc_warn_pwexpire = 0; 54 c->encode_as_rep_as_tgs_rep = FALSE; 55 c->as_use_strongest_session_key = FALSE; 56 c->preauth_use_strongest_session_key = FALSE; 57 c->tgs_use_strongest_session_key = FALSE; 58 c->use_strongest_server_key = TRUE; 59 c->check_ticket_addresses = TRUE; 60 c->allow_null_ticket_addresses = TRUE; 61 c->allow_anonymous = FALSE; 62 c->trpolicy = TRPOLICY_ALWAYS_CHECK; 63 c->enable_pkinit = FALSE; 64 c->pkinit_princ_in_cert = FALSE; 65 c->pkinit_require_binding = TRUE; 66 c->db = NULL; 67 c->num_db = 0; 68 c->logf = NULL; 69 70 c->require_preauth = 71 krb5_config_get_bool_default(context, NULL, 72 c->require_preauth, 73 "kdc", "require-preauth", NULL); 74#ifdef DIGEST 75 c->enable_digest = 76 krb5_config_get_bool_default(context, NULL, 77 FALSE, 78 "kdc", "enable-digest", NULL); 79 80 { 81 const char *digests; 82 83 digests = krb5_config_get_string(context, NULL, 84 "kdc", 85 "digests_allowed", NULL); 86 if (digests == NULL) 87 digests = "ntlm-v2"; 88 c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0); 89 if (c->digests_allowed == -1) { 90 kdc_log(context, c, 0, 91 "unparsable digest units (%s), turning off digest", 92 digests); 93 c->enable_digest = 0; 94 } else if (c->digests_allowed == 0) { 95 kdc_log(context, c, 0, 96 "no digest enable, turning digest off", 97 digests); 98 c->enable_digest = 0; 99 } 100 } 101#endif 102 103#ifdef KX509 104 c->enable_kx509 = 105 krb5_config_get_bool_default(context, NULL, 106 FALSE, 107 "kdc", "enable-kx509", NULL); 108 109 if (c->enable_kx509) { 110 c->kx509_template = 111 krb5_config_get_string(context, NULL, 112 "kdc", "kx509_template", NULL); 113 c->kx509_ca = 114 krb5_config_get_string(context, NULL, 115 "kdc", "kx509_ca", NULL); 116 if (c->kx509_ca == NULL || c->kx509_template == NULL) { 117 kdc_log(context, c, 0, 118 "missing kx509 configuration, turning off"); 119 c->enable_kx509 = FALSE; 120 } 121 } 122#endif 123 124 c->as_use_strongest_session_key = 125 krb5_config_get_bool_default(context, NULL, 126 c->as_use_strongest_session_key, 127 "kdc", 128 "as-use-strongest-session-key", NULL); 129 c->preauth_use_strongest_session_key = 130 krb5_config_get_bool_default(context, NULL, 131 c->preauth_use_strongest_session_key, 132 "kdc", 133 "preauth-use-strongest-session-key", NULL); 134 c->tgs_use_strongest_session_key = 135 krb5_config_get_bool_default(context, NULL, 136 c->tgs_use_strongest_session_key, 137 "kdc", 138 "tgs-use-strongest-session-key", NULL); 139 c->use_strongest_server_key = 140 krb5_config_get_bool_default(context, NULL, 141 c->use_strongest_server_key, 142 "kdc", 143 "use-strongest-server-key", NULL); 144 145 c->check_ticket_addresses = 146 krb5_config_get_bool_default(context, NULL, 147 c->check_ticket_addresses, 148 "kdc", 149 "check-ticket-addresses", NULL); 150 c->allow_null_ticket_addresses = 151 krb5_config_get_bool_default(context, NULL, 152 c->allow_null_ticket_addresses, 153 "kdc", 154 "allow-null-ticket-addresses", NULL); 155 156 c->allow_anonymous = 157 krb5_config_get_bool_default(context, NULL, 158 c->allow_anonymous, 159 "kdc", 160 "allow-anonymous", NULL); 161 162 c->max_datagram_reply_length = 163 krb5_config_get_int_default(context, 164 NULL, 165 1400, 166 "kdc", 167 "max-kdc-datagram-reply-length", 168 NULL); 169 170 { 171 const char *trpolicy_str; 172 173 trpolicy_str = 174 krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc", 175 "transited-policy", NULL); 176 if(strcasecmp(trpolicy_str, "always-check") == 0) { 177 c->trpolicy = TRPOLICY_ALWAYS_CHECK; 178 } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) { 179 c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL; 180 } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) { 181 c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST; 182 } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) { 183 /* default */ 184 } else { 185 kdc_log(context, c, 0, 186 "unknown transited-policy: %s, " 187 "reverting to default (always-check)", 188 trpolicy_str); 189 } 190 } 191 192 c->encode_as_rep_as_tgs_rep = 193 krb5_config_get_bool_default(context, NULL, 194 c->encode_as_rep_as_tgs_rep, 195 "kdc", 196 "encode_as_rep_as_tgs_rep", NULL); 197 198 c->kdc_warn_pwexpire = 199 krb5_config_get_time_default (context, NULL, 200 c->kdc_warn_pwexpire, 201 "kdc", "kdc_warn_pwexpire", NULL); 202 203 204 c->enable_pkinit = 205 krb5_config_get_bool_default(context, 206 NULL, 207 c->enable_pkinit, 208 "kdc", 209 "enable-pkinit", 210 NULL); 211 212 213 c->pkinit_kdc_identity = 214 krb5_config_get_string(context, NULL, 215 "kdc", "pkinit_identity", NULL); 216 c->pkinit_kdc_anchors = 217 krb5_config_get_string(context, NULL, 218 "kdc", "pkinit_anchors", NULL); 219 c->pkinit_kdc_cert_pool = 220 krb5_config_get_strings(context, NULL, 221 "kdc", "pkinit_pool", NULL); 222 c->pkinit_kdc_revoke = 223 krb5_config_get_strings(context, NULL, 224 "kdc", "pkinit_revoke", NULL); 225 c->pkinit_kdc_ocsp_file = 226 krb5_config_get_string(context, NULL, 227 "kdc", "pkinit_kdc_ocsp", NULL); 228 c->pkinit_kdc_friendly_name = 229 krb5_config_get_string(context, NULL, 230 "kdc", "pkinit_kdc_friendly_name", NULL); 231 c->pkinit_princ_in_cert = 232 krb5_config_get_bool_default(context, NULL, 233 c->pkinit_princ_in_cert, 234 "kdc", 235 "pkinit_principal_in_certificate", 236 NULL); 237 c->pkinit_require_binding = 238 krb5_config_get_bool_default(context, NULL, 239 c->pkinit_require_binding, 240 "kdc", 241 "pkinit_win2k_require_binding", 242 NULL); 243 c->pkinit_dh_min_bits = 244 krb5_config_get_int_default(context, NULL, 245 0, 246 "kdc", "pkinit_dh_min_bits", NULL); 247 248 249 s = krb5_config_get_string(context, NULL, 250 "kdc", "lkdc_realm", NULL); 251 if (s) 252 c->lkdc_realm = strdup(s); 253 254 *config = c; 255 256 return 0; 257} 258 259krb5_error_code 260krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config) 261{ 262#ifdef PKINIT 263#ifdef __APPLE__ 264 config->enable_pkinit = 1; 265 266 if (config->pkinit_kdc_identity == NULL) { 267 if (config->pkinit_kdc_friendly_name == NULL) 268 config->pkinit_kdc_friendly_name = 269 strdup("O=System Identity,CN=com.apple.kerberos.kdc"); 270 config->pkinit_kdc_identity = strdup("KEYCHAIN:"); 271 } 272 if (config->pkinit_kdc_anchors == NULL) 273 config->pkinit_kdc_anchors = strdup("KEYCHAIN:"); 274 275#endif /* __APPLE__ */ 276 277 if (config->enable_pkinit) { 278 if (config->pkinit_kdc_identity == NULL) 279 krb5_errx(context, 1, "pkinit enabled but no identity"); 280 281 if (config->pkinit_kdc_anchors == NULL) 282 krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); 283 284 krb5_kdc_pk_initialize(context, config, 285 config->pkinit_kdc_identity, 286 config->pkinit_kdc_anchors, 287 config->pkinit_kdc_cert_pool, 288 config->pkinit_kdc_revoke); 289 290 } 291 292#endif /* PKINIT */ 293 return 0; 294} 295