xref: /freebsd/crypto/heimdal/kdc/default_config.c (revision b00ab754) 
1 /*
2  * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * 3. Neither the name of the Institute nor the names of its contributors
20  *    may be used to endorse or promote products derived from this software
21  *    without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35 
36 #include "kdc_locl.h"
37 #include <getarg.h>
38 #include <parse_bytes.h>
39 
40 krb5_error_code
41 krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
42 {
43     krb5_kdc_configuration *c;
44 
45     c = calloc(1, sizeof(*c));
46     if (c == NULL) {
47 	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
48 	return ENOMEM;
49     }
50 
51     c->require_preauth = TRUE;
52     c->kdc_warn_pwexpire = 0;
53     c->encode_as_rep_as_tgs_rep = FALSE;
54     c->tgt_use_strongest_session_key = FALSE;
55     c->preauth_use_strongest_session_key = FALSE;
56     c->svc_use_strongest_session_key = FALSE;
57     c->use_strongest_server_key = TRUE;
58     c->check_ticket_addresses = TRUE;
59     c->allow_null_ticket_addresses = TRUE;
60     c->allow_anonymous = FALSE;
61     c->trpolicy = TRPOLICY_ALWAYS_CHECK;
62     c->enable_pkinit = FALSE;
63     c->pkinit_princ_in_cert = TRUE;
64     c->pkinit_require_binding = TRUE;
65     c->db = NULL;
66     c->num_db = 0;
67     c->logf = NULL;
68 
69     c->require_preauth =
70 	krb5_config_get_bool_default(context, NULL,
71 				     c->require_preauth,
72 				     "kdc", "require-preauth", NULL);
73 #ifdef DIGEST
74     c->enable_digest =
75 	krb5_config_get_bool_default(context, NULL,
76 				     FALSE,
77 				     "kdc", "enable-digest", NULL);
78 
79     {
80 	const char *digests;
81 
82 	digests = krb5_config_get_string(context, NULL,
83 					 "kdc",
84 					 "digests_allowed", NULL);
85 	if (digests == NULL)
86 	    digests = "ntlm-v2";
87 	c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
88 	if (c->digests_allowed == -1) {
89 	    kdc_log(context, c, 0,
90 		    "unparsable digest units (%s), turning off digest",
91 		    digests);
92 	    c->enable_digest = 0;
93 	} else if (c->digests_allowed == 0) {
94 	    kdc_log(context, c, 0,
95 		    "no digest enable, turning digest off",
96 		    digests);
97 	    c->enable_digest = 0;
98 	}
99     }
100 #endif
101 
102 #ifdef KX509
103     c->enable_kx509 =
104 	krb5_config_get_bool_default(context, NULL,
105 				     FALSE,
106 				     "kdc", "enable-kx509", NULL);
107 
108     if (c->enable_kx509) {
109 	c->kx509_template =
110 	    krb5_config_get_string(context, NULL,
111 				   "kdc", "kx509_template", NULL);
112 	c->kx509_ca =
113 	    krb5_config_get_string(context, NULL,
114 				   "kdc", "kx509_ca", NULL);
115 	if (c->kx509_ca == NULL || c->kx509_template == NULL) {
116 	    kdc_log(context, c, 0,
117 		    "missing kx509 configuration, turning off");
118 	    c->enable_kx509 = FALSE;
119 	}
120     }
121 #endif
122 
123     c->tgt_use_strongest_session_key =
124 	krb5_config_get_bool_default(context, NULL,
125 				     c->tgt_use_strongest_session_key,
126 				     "kdc",
127 				     "tgt-use-strongest-session-key", NULL);
128     c->preauth_use_strongest_session_key =
129 	krb5_config_get_bool_default(context, NULL,
130 				     c->preauth_use_strongest_session_key,
131 				     "kdc",
132 				     "preauth-use-strongest-session-key", NULL);
133     c->svc_use_strongest_session_key =
134 	krb5_config_get_bool_default(context, NULL,
135 				     c->svc_use_strongest_session_key,
136 				     "kdc",
137 				     "svc-use-strongest-session-key", NULL);
138     c->use_strongest_server_key =
139 	krb5_config_get_bool_default(context, NULL,
140 				     c->use_strongest_server_key,
141 				     "kdc",
142 				     "use-strongest-server-key", NULL);
143 
144     c->check_ticket_addresses =
145 	krb5_config_get_bool_default(context, NULL,
146 				     c->check_ticket_addresses,
147 				     "kdc",
148 				     "check-ticket-addresses", NULL);
149     c->allow_null_ticket_addresses =
150 	krb5_config_get_bool_default(context, NULL,
151 				     c->allow_null_ticket_addresses,
152 				     "kdc",
153 				     "allow-null-ticket-addresses", NULL);
154 
155     c->allow_anonymous =
156 	krb5_config_get_bool_default(context, NULL,
157 				     c->allow_anonymous,
158 				     "kdc",
159 				     "allow-anonymous", NULL);
160 
161     c->max_datagram_reply_length =
162 	krb5_config_get_int_default(context,
163 				    NULL,
164 				    1400,
165 				    "kdc",
166 				    "max-kdc-datagram-reply-length",
167 				    NULL);
168 
169     {
170 	const char *trpolicy_str;
171 
172 	trpolicy_str =
173 	    krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
174 					   "transited-policy", NULL);
175 	if(strcasecmp(trpolicy_str, "always-check") == 0) {
176 	    c->trpolicy = TRPOLICY_ALWAYS_CHECK;
177 	} else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
178 	    c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
179 	} else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
180 	    c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
181 	} else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
182 	    /* default */
183 	} else {
184 	    kdc_log(context, c, 0,
185 		    "unknown transited-policy: %s, "
186 		    "reverting to default (always-check)",
187 		    trpolicy_str);
188 	}
189     }
190 
191     c->encode_as_rep_as_tgs_rep =
192 	krb5_config_get_bool_default(context, NULL,
193 				     c->encode_as_rep_as_tgs_rep,
194 				     "kdc",
195 				     "encode_as_rep_as_tgs_rep", NULL);
196 
197     c->kdc_warn_pwexpire =
198 	krb5_config_get_time_default (context, NULL,
199 				      c->kdc_warn_pwexpire,
200 				      "kdc", "kdc_warn_pwexpire", NULL);
201 
202 
203     c->enable_pkinit =
204 	krb5_config_get_bool_default(context,
205 				     NULL,
206 				     c->enable_pkinit,
207 				     "kdc",
208 				     "enable-pkinit",
209 				     NULL);
210 
211 
212     c->pkinit_kdc_identity =
213 	krb5_config_get_string(context, NULL,
214 			       "kdc", "pkinit_identity", NULL);
215     c->pkinit_kdc_anchors =
216 	krb5_config_get_string(context, NULL,
217 			       "kdc", "pkinit_anchors", NULL);
218     c->pkinit_kdc_cert_pool =
219 	krb5_config_get_strings(context, NULL,
220 				"kdc", "pkinit_pool", NULL);
221     c->pkinit_kdc_revoke =
222 	krb5_config_get_strings(context, NULL,
223 				"kdc", "pkinit_revoke", NULL);
224     c->pkinit_kdc_ocsp_file =
225 	krb5_config_get_string(context, NULL,
226 			       "kdc", "pkinit_kdc_ocsp", NULL);
227     c->pkinit_kdc_friendly_name =
228 	krb5_config_get_string(context, NULL,
229 			       "kdc", "pkinit_kdc_friendly_name", NULL);
230     c->pkinit_princ_in_cert =
231 	krb5_config_get_bool_default(context, NULL,
232 				     c->pkinit_princ_in_cert,
233 				     "kdc",
234 				     "pkinit_principal_in_certificate",
235 				     NULL);
236     c->pkinit_require_binding =
237 	krb5_config_get_bool_default(context, NULL,
238 				     c->pkinit_require_binding,
239 				     "kdc",
240 				     "pkinit_win2k_require_binding",
241 				     NULL);
242     c->pkinit_dh_min_bits =
243 	krb5_config_get_int_default(context, NULL,
244 				    0,
245 				    "kdc", "pkinit_dh_min_bits", NULL);
246 
247     *config = c;
248 
249     return 0;
250 }
251 
252 krb5_error_code
253 krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
254 {
255 #ifdef PKINIT
256 #ifdef __APPLE__
257     config->enable_pkinit = 1;
258 
259     if (config->pkinit_kdc_identity == NULL) {
260 	if (config->pkinit_kdc_friendly_name == NULL)
261 	    config->pkinit_kdc_friendly_name =
262 		strdup("O=System Identity,CN=com.apple.kerberos.kdc");
263 	config->pkinit_kdc_identity = strdup("KEYCHAIN:");
264     }
265     if (config->pkinit_kdc_anchors == NULL)
266 	config->pkinit_kdc_anchors = strdup("KEYCHAIN:");
267 
268 #endif /* __APPLE__ */
269 
270     if (config->enable_pkinit) {
271 	if (config->pkinit_kdc_identity == NULL)
272 	    krb5_errx(context, 1, "pkinit enabled but no identity");
273 
274 	if (config->pkinit_kdc_anchors == NULL)
275 	    krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
276 
277 	krb5_kdc_pk_initialize(context, config,
278 			       config->pkinit_kdc_identity,
279 			       config->pkinit_kdc_anchors,
280 			       config->pkinit_kdc_cert_pool,
281 			       config->pkinit_kdc_revoke);
282 
283     }
284 
285     return 0;
286 #endif /* PKINIT */
287 }
288