1/*
2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 *    notice, this list of conditions and the following disclaimer in the
17 *    documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 *    may be used to endorse or promote products derived from this software
21 *    without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36#include "kdc_locl.h"
37#include <getarg.h>
38#include <parse_bytes.h>
39
40krb5_error_code
41krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
42{
43    krb5_kdc_configuration *c;
44    const char *s;
45
46    c = calloc(1, sizeof(*c));
47    if (c == NULL) {
48	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
49	return ENOMEM;
50    }
51
52    c->require_preauth = TRUE;
53    c->kdc_warn_pwexpire = 0;
54    c->encode_as_rep_as_tgs_rep = FALSE;
55    c->as_use_strongest_session_key = FALSE;
56    c->preauth_use_strongest_session_key = FALSE;
57    c->tgs_use_strongest_session_key = FALSE;
58    c->use_strongest_server_key = TRUE;
59    c->check_ticket_addresses = TRUE;
60    c->allow_null_ticket_addresses = TRUE;
61    c->allow_anonymous = FALSE;
62    c->trpolicy = TRPOLICY_ALWAYS_CHECK;
63    c->enable_pkinit = FALSE;
64    c->pkinit_princ_in_cert = FALSE;
65    c->pkinit_require_binding = TRUE;
66    c->db = NULL;
67    c->num_db = 0;
68    c->logf = NULL;
69
70    c->require_preauth =
71	krb5_config_get_bool_default(context, NULL,
72				     c->require_preauth,
73				     "kdc", "require-preauth", NULL);
74#ifdef DIGEST
75    c->enable_digest =
76	krb5_config_get_bool_default(context, NULL,
77				     FALSE,
78				     "kdc", "enable-digest", NULL);
79
80    {
81	const char *digests;
82
83	digests = krb5_config_get_string(context, NULL,
84					 "kdc",
85					 "digests_allowed", NULL);
86	if (digests == NULL)
87	    digests = "ntlm-v2";
88	c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
89	if (c->digests_allowed == -1) {
90	    kdc_log(context, c, 0,
91		    "unparsable digest units (%s), turning off digest",
92		    digests);
93	    c->enable_digest = 0;
94	} else if (c->digests_allowed == 0) {
95	    kdc_log(context, c, 0,
96		    "no digest enable, turning digest off",
97		    digests);
98	    c->enable_digest = 0;
99	}
100    }
101#endif
102
103#ifdef KX509
104    c->enable_kx509 =
105	krb5_config_get_bool_default(context, NULL,
106				     FALSE,
107				     "kdc", "enable-kx509", NULL);
108
109    if (c->enable_kx509) {
110	c->kx509_template =
111	    krb5_config_get_string(context, NULL,
112				   "kdc", "kx509_template", NULL);
113	c->kx509_ca =
114	    krb5_config_get_string(context, NULL,
115				   "kdc", "kx509_ca", NULL);
116	if (c->kx509_ca == NULL || c->kx509_template == NULL) {
117	    kdc_log(context, c, 0,
118		    "missing kx509 configuration, turning off");
119	    c->enable_kx509 = FALSE;
120	}
121    }
122#endif
123
124    c->as_use_strongest_session_key =
125	krb5_config_get_bool_default(context, NULL,
126				     c->as_use_strongest_session_key,
127				     "kdc",
128				     "as-use-strongest-session-key", NULL);
129    c->preauth_use_strongest_session_key =
130	krb5_config_get_bool_default(context, NULL,
131				     c->preauth_use_strongest_session_key,
132				     "kdc",
133				     "preauth-use-strongest-session-key", NULL);
134    c->tgs_use_strongest_session_key =
135	krb5_config_get_bool_default(context, NULL,
136				     c->tgs_use_strongest_session_key,
137				     "kdc",
138				     "tgs-use-strongest-session-key", NULL);
139    c->use_strongest_server_key =
140	krb5_config_get_bool_default(context, NULL,
141				     c->use_strongest_server_key,
142				     "kdc",
143				     "use-strongest-server-key", NULL);
144
145    c->check_ticket_addresses =
146	krb5_config_get_bool_default(context, NULL,
147				     c->check_ticket_addresses,
148				     "kdc",
149				     "check-ticket-addresses", NULL);
150    c->allow_null_ticket_addresses =
151	krb5_config_get_bool_default(context, NULL,
152				     c->allow_null_ticket_addresses,
153				     "kdc",
154				     "allow-null-ticket-addresses", NULL);
155
156    c->allow_anonymous =
157	krb5_config_get_bool_default(context, NULL,
158				     c->allow_anonymous,
159				     "kdc",
160				     "allow-anonymous", NULL);
161
162    c->max_datagram_reply_length =
163	krb5_config_get_int_default(context,
164				    NULL,
165				    1400,
166				    "kdc",
167				    "max-kdc-datagram-reply-length",
168				    NULL);
169
170    {
171	const char *trpolicy_str;
172
173	trpolicy_str =
174	    krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
175					   "transited-policy", NULL);
176	if(strcasecmp(trpolicy_str, "always-check") == 0) {
177	    c->trpolicy = TRPOLICY_ALWAYS_CHECK;
178	} else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
179	    c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
180	} else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
181	    c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
182	} else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
183	    /* default */
184	} else {
185	    kdc_log(context, c, 0,
186		    "unknown transited-policy: %s, "
187		    "reverting to default (always-check)",
188		    trpolicy_str);
189	}
190    }
191
192    c->encode_as_rep_as_tgs_rep =
193	krb5_config_get_bool_default(context, NULL,
194				     c->encode_as_rep_as_tgs_rep,
195				     "kdc",
196				     "encode_as_rep_as_tgs_rep", NULL);
197
198    c->kdc_warn_pwexpire =
199	krb5_config_get_time_default (context, NULL,
200				      c->kdc_warn_pwexpire,
201				      "kdc", "kdc_warn_pwexpire", NULL);
202
203
204    c->enable_pkinit =
205	krb5_config_get_bool_default(context,
206				     NULL,
207				     c->enable_pkinit,
208				     "kdc",
209				     "enable-pkinit",
210				     NULL);
211
212
213    c->pkinit_kdc_identity =
214	krb5_config_get_string(context, NULL,
215			       "kdc", "pkinit_identity", NULL);
216    c->pkinit_kdc_anchors =
217	krb5_config_get_string(context, NULL,
218			       "kdc", "pkinit_anchors", NULL);
219    c->pkinit_kdc_cert_pool =
220	krb5_config_get_strings(context, NULL,
221				"kdc", "pkinit_pool", NULL);
222    c->pkinit_kdc_revoke =
223	krb5_config_get_strings(context, NULL,
224				"kdc", "pkinit_revoke", NULL);
225    c->pkinit_kdc_ocsp_file =
226	krb5_config_get_string(context, NULL,
227			       "kdc", "pkinit_kdc_ocsp", NULL);
228    c->pkinit_kdc_friendly_name =
229	krb5_config_get_string(context, NULL,
230			       "kdc", "pkinit_kdc_friendly_name", NULL);
231    c->pkinit_princ_in_cert =
232	krb5_config_get_bool_default(context, NULL,
233				     c->pkinit_princ_in_cert,
234				     "kdc",
235				     "pkinit_principal_in_certificate",
236				     NULL);
237    c->pkinit_require_binding =
238	krb5_config_get_bool_default(context, NULL,
239				     c->pkinit_require_binding,
240				     "kdc",
241				     "pkinit_win2k_require_binding",
242				     NULL);
243    c->pkinit_dh_min_bits =
244	krb5_config_get_int_default(context, NULL,
245				    0,
246				    "kdc", "pkinit_dh_min_bits", NULL);
247
248
249    s = krb5_config_get_string(context, NULL,
250			       "kdc", "lkdc_realm", NULL);
251    if (s)
252	c->lkdc_realm = strdup(s);
253
254    *config = c;
255
256    return 0;
257}
258
259krb5_error_code
260krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
261{
262#ifdef PKINIT
263#ifdef __APPLE__
264    config->enable_pkinit = 1;
265
266    if (config->pkinit_kdc_identity == NULL) {
267	if (config->pkinit_kdc_friendly_name == NULL)
268	    config->pkinit_kdc_friendly_name =
269		strdup("O=System Identity,CN=com.apple.kerberos.kdc");
270	config->pkinit_kdc_identity = strdup("KEYCHAIN:");
271    }
272    if (config->pkinit_kdc_anchors == NULL)
273	config->pkinit_kdc_anchors = strdup("KEYCHAIN:");
274
275#endif /* __APPLE__ */
276
277    if (config->enable_pkinit) {
278	if (config->pkinit_kdc_identity == NULL)
279	    krb5_errx(context, 1, "pkinit enabled but no identity");
280
281	if (config->pkinit_kdc_anchors == NULL)
282	    krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
283
284	krb5_kdc_pk_initialize(context, config,
285			       config->pkinit_kdc_identity,
286			       config->pkinit_kdc_anchors,
287			       config->pkinit_kdc_cert_pool,
288			       config->pkinit_kdc_revoke);
289
290    }
291
292#endif /* PKINIT */
293    return 0;
294}
295