/*
 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
#include "kdc_locl.h"
#include <getarg.h>
#include <parse_bytes.h>
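/*
 * Compiled-in defaults, applied before any configuration file is consulted.
 *
 * The object is calloc()ed by the caller, so the NULL/0 stores are
 * redundant but kept so that every policy knob has a visible default.
 * Several of these are security policy: pre-authentication is required,
 * ticket addresses are checked, anonymous requests are refused and the
 * PKINIT win2k binding is required unless the administrator says otherwise.
 */
static void
kdc_config_set_defaults(krb5_kdc_configuration *c)
{
    c->require_preauth = TRUE;
    c->kdc_warn_pwexpire = 0;
    c->encode_as_rep_as_tgs_rep = FALSE;
    c->tgt_use_strongest_session_key = FALSE;
    c->preauth_use_strongest_session_key = FALSE;
    c->svc_use_strongest_session_key = FALSE;
    c->use_strongest_server_key = TRUE;
    c->check_ticket_addresses = TRUE;
    c->allow_null_ticket_addresses = TRUE;
    c->allow_anonymous = FALSE;
    c->trpolicy = TRPOLICY_ALWAYS_CHECK;
    c->enable_pkinit = FALSE;
    c->pkinit_princ_in_cert = TRUE;
    c->pkinit_require_binding = TRUE;
    c->db = NULL;
    c->num_db = 0;
    c->logf = NULL;
}

/*
 * Map [kdc] transited-policy onto c->trpolicy.
 *
 * Must run after kdc_config_set_defaults(): an unrecognised value is only
 * logged, so the default already stored in c->trpolicy (always-check)
 * stays in effect.  The string lookup supplies "DEFAULT" when the key is
 * absent, so trpolicy_str is never NULL here.
 */
static void
kdc_config_read_transited_policy(krb5_context context,
                                 krb5_kdc_configuration *c)
{
    const char *trpolicy_str =
        krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
                                       "transited-policy", NULL);

    if (strcasecmp(trpolicy_str, "always-check") == 0) {
        c->trpolicy = TRPOLICY_ALWAYS_CHECK;
    } else if (strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
        c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
    } else if (strcasecmp(trpolicy_str, "always-honour-request") == 0) {
        c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
    } else if (strcasecmp(trpolicy_str, "DEFAULT") == 0) {
        /* default */
    } else {
        kdc_log(context, c, 0,
                "unknown transited-policy: %s, "
                "reverting to default (always-check)",
                trpolicy_str);
    }
}

/*
 * Read the PKINIT related [kdc] keys into c.
 *
 * Only the configuration values are collected here; validation of the
 * identity/anchors and the actual PKINIT initialisation happen later in
 * krb5_kdc_pkinit_config().
 */
static void
kdc_config_read_pkinit(krb5_context context, krb5_kdc_configuration *c)
{
    c->enable_pkinit =
        krb5_config_get_bool_default(context, NULL, c->enable_pkinit,
                                     "kdc", "enable-pkinit", NULL);

    c->pkinit_kdc_identity =
        krb5_config_get_string(context, NULL,
                               "kdc", "pkinit_identity", NULL);
    c->pkinit_kdc_anchors =
        krb5_config_get_string(context, NULL,
                               "kdc", "pkinit_anchors", NULL);
    c->pkinit_kdc_cert_pool =
        krb5_config_get_strings(context, NULL,
                                "kdc", "pkinit_pool", NULL);
    c->pkinit_kdc_revoke =
        krb5_config_get_strings(context, NULL,
                                "kdc", "pkinit_revoke", NULL);
    c->pkinit_kdc_ocsp_file =
        krb5_config_get_string(context, NULL,
                               "kdc", "pkinit_kdc_ocsp", NULL);
    c->pkinit_kdc_friendly_name =
        krb5_config_get_string(context, NULL,
                               "kdc", "pkinit_kdc_friendly_name", NULL);
    c->pkinit_princ_in_cert =
        krb5_config_get_bool_default(context, NULL, c->pkinit_princ_in_cert,
                                     "kdc", "pkinit_principal_in_certificate",
                                     NULL);
    c->pkinit_require_binding =
        krb5_config_get_bool_default(context, NULL, c->pkinit_require_binding,
                                     "kdc", "pkinit_win2k_require_binding",
                                     NULL);
    /*
     * NOTE(review): the compiled-in default is 0; presumably that means no
     * minimum DH group size is imposed by this setting unless the
     * administrator sets pkinit_dh_min_bits explicitly -- verify against
     * the PKINIT code path that consumes it.
     */
    c->pkinit_dh_min_bits =
        krb5_config_get_int_default(context, NULL, 0,
                                    "kdc", "pkinit_dh_min_bits", NULL);
}

/**
 * Build the KDC configuration object.
 *
 * Allocates a zeroed krb5_kdc_configuration, stores the compiled-in
 * defaults and then overrides them from the [kdc] section of the krb5
 * configuration.  Optional subsystems (DIGEST, KX509) are only read when
 * compiled in, and are switched off again if their configuration is
 * unusable.
 *
 * @param context  krb5 context used for configuration lookup and errors.
 * @param config   receives the new object on success; the caller owns it.
 *
 * @return 0 on success, ENOMEM (with an error message set on context)
 *         if the configuration object cannot be allocated.
 */
krb5_error_code
krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
{
    krb5_kdc_configuration *c;

    c = calloc(1, sizeof(*c));
    if (c == NULL) {
        krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
        return ENOMEM;
    }

    kdc_config_set_defaults(c);

    c->require_preauth =
        krb5_config_get_bool_default(context, NULL, c->require_preauth,
                                     "kdc", "require-preauth", NULL);
#ifdef DIGEST
    c->enable_digest =
        krb5_config_get_bool_default(context, NULL, FALSE,
                                     "kdc", "enable-digest", NULL);

    {
        const char *digests;

        digests = krb5_config_get_string(context, NULL,
                                         "kdc", "digests_allowed", NULL);
        if (digests == NULL)
            digests = "ntlm-v2";
        c->digests_allowed = parse_flags(digests, _kdc_digestunits, 0);
        /*
         * kdc_log() is invoked on the partially built object here
         * (c->logf is still NULL); presumably it tolerates that -- verify.
         */
        if (c->digests_allowed == -1) {
            kdc_log(context, c, 0,
                    "unparsable digest units (%s), turning off digest",
                    digests);
            c->enable_digest = 0;
        } else if (c->digests_allowed == 0) {
            /* The format previously lacked a conversion for `digests`. */
            kdc_log(context, c, 0,
                    "no digest enable (%s), turning digest off",
                    digests);
            c->enable_digest = 0;
        }
    }
#endif

#ifdef KX509
    c->enable_kx509 =
        krb5_config_get_bool_default(context, NULL, FALSE,
                                     "kdc", "enable-kx509", NULL);

    if (c->enable_kx509) {
        c->kx509_template =
            krb5_config_get_string(context, NULL,
                                   "kdc", "kx509_template", NULL);
        c->kx509_ca =
            krb5_config_get_string(context, NULL,
                                   "kdc", "kx509_ca", NULL);
        /* Both the template and the CA are needed; otherwise disable. */
        if (c->kx509_ca == NULL || c->kx509_template == NULL) {
            kdc_log(context, c, 0,
                    "missing kx509 configuration, turning off");
            c->enable_kx509 = FALSE;
        }
    }
#endif

    /* Session-key / server-key selection policy. */
    c->tgt_use_strongest_session_key =
        krb5_config_get_bool_default(context, NULL,
                                     c->tgt_use_strongest_session_key,
                                     "kdc",
                                     "tgt-use-strongest-session-key", NULL);
    c->preauth_use_strongest_session_key =
        krb5_config_get_bool_default(context, NULL,
                                     c->preauth_use_strongest_session_key,
                                     "kdc",
                                     "preauth-use-strongest-session-key", NULL);
    c->svc_use_strongest_session_key =
        krb5_config_get_bool_default(context, NULL,
                                     c->svc_use_strongest_session_key,
                                     "kdc",
                                     "svc-use-strongest-session-key", NULL);
    c->use_strongest_server_key =
        krb5_config_get_bool_default(context, NULL,
                                     c->use_strongest_server_key,
                                     "kdc",
                                     "use-strongest-server-key", NULL);

    /* Ticket address checking policy. */
    c->check_ticket_addresses =
        krb5_config_get_bool_default(context, NULL,
                                     c->check_ticket_addresses,
                                     "kdc",
                                     "check-ticket-addresses", NULL);
    c->allow_null_ticket_addresses =
        krb5_config_get_bool_default(context, NULL,
                                     c->allow_null_ticket_addresses,
                                     "kdc",
                                     "allow-null-ticket-addresses", NULL);

    c->allow_anonymous =
        krb5_config_get_bool_default(context, NULL,
                                     c->allow_anonymous,
                                     "kdc",
                                     "allow-anonymous", NULL);

    c->max_datagram_reply_length =
        krb5_config_get_int_default(context, NULL, 1400,
                                    "kdc",
                                    "max-kdc-datagram-reply-length",
                                    NULL);

    kdc_config_read_transited_policy(context, c);

    c->encode_as_rep_as_tgs_rep =
        krb5_config_get_bool_default(context, NULL,
                                     c->encode_as_rep_as_tgs_rep,
                                     "kdc",
                                     "encode_as_rep_as_tgs_rep", NULL);

    c->kdc_warn_pwexpire =
        krb5_config_get_time_default(context, NULL,
                                     c->kdc_warn_pwexpire,
                                     "kdc", "kdc_warn_pwexpire", NULL);

    kdc_config_read_pkinit(context, c);

    *config = c;

    return 0;
}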
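/**
 * Apply PKINIT fix-ups to an already built configuration and initialise
 * the PKINIT subsystem when it is enabled.
 *
 * On Apple builds PKINIT is forced on and the identity, anchors and
 * friendly name default to the system keychain.  If PKINIT is enabled
 * without an identity or without X509 anchors the KDC exits through
 * krb5_errx() rather than running without them.
 *
 * @param context  krb5 context used for error reporting.
 * @param config   configuration produced by krb5_kdc_get_config().
 *
 * @return 0.  The return statement sits outside the PKINIT guard so the
 *         function also returns a defined value when PKINIT is not
 *         compiled in (previously the !PKINIT build fell off the end of
 *         a non-void function).
 */
krb5_error_code
krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
{
#ifdef PKINIT
#ifdef __APPLE__
    config->enable_pkinit = 1;

    if (config->pkinit_kdc_identity == NULL) {
        if (config->pkinit_kdc_friendly_name == NULL) {
            config->pkinit_kdc_friendly_name =
                strdup("O=System Identity,CN=com.apple.kerberos.kdc");
        }
        config->pkinit_kdc_identity = strdup("KEYCHAIN:");
    }
    if (config->pkinit_kdc_anchors == NULL) {
        config->pkinit_kdc_anchors = strdup("KEYCHAIN:");
    }

#endif /* __APPLE__ */

    if (config->enable_pkinit) {
        /* A NULL here also covers a failed strdup() in the Apple branch. */
        if (config->pkinit_kdc_identity == NULL) {
            krb5_errx(context, 1, "pkinit enabled but no identity");
        }

        if (config->pkinit_kdc_anchors == NULL) {
            krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
        }

        krb5_kdc_pk_initialize(context, config,
                               config->pkinit_kdc_identity,
                               config->pkinit_kdc_anchors,
                               config->pkinit_kdc_cert_pool,
                               config->pkinit_kdc_revoke);
    }
#else
    /* Nothing to do without PKINIT; silence unused-parameter warnings. */
    (void)context;
    (void)config;
#endif /* PKINIT */

    return 0;
}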