1 /* $NetBSD: default_config.c,v 1.2 2017/01/28 21:31:44 christos Exp $ */ 2 3 /* 4 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 21 * 3. Neither the name of the Institute nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 */ 37 38 #include "kdc_locl.h" 39 #include <krb5/getarg.h> 40 #include <krb5/parse_bytes.h> 41 42 krb5_error_code 43 krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) 44 { 45 krb5_kdc_configuration *c; 46 47 c = calloc(1, sizeof(*c)); 48 if (c == NULL) { 49 krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); 50 return ENOMEM; 51 } 52 53 c->num_kdc_processes = -1; 54 c->require_preauth = TRUE; 55 c->kdc_warn_pwexpire = 0; 56 c->encode_as_rep_as_tgs_rep = FALSE; 57 c->tgt_use_strongest_session_key = FALSE; 58 c->preauth_use_strongest_session_key = FALSE; 59 c->svc_use_strongest_session_key = FALSE; 60 c->use_strongest_server_key = TRUE; 61 c->check_ticket_addresses = TRUE; 62 c->allow_null_ticket_addresses = TRUE; 63 c->allow_anonymous = FALSE; 64 c->strict_nametypes = FALSE; 65 c->trpolicy = TRPOLICY_ALWAYS_CHECK; 66 c->enable_pkinit = FALSE; 67 c->pkinit_princ_in_cert = TRUE; 68 c->pkinit_require_binding = TRUE; 69 c->db = NULL; 70 c->num_db = 0; 71 c->logf = NULL; 72 73 c->num_kdc_processes = 74 krb5_config_get_int_default(context, NULL, c->num_kdc_processes, 75 "kdc", "num-kdc-processes", NULL); 76 77 c->require_preauth = 78 krb5_config_get_bool_default(context, NULL, 79 c->require_preauth, 80 "kdc", "require-preauth", NULL); 81 #ifdef DIGEST 82 c->enable_digest = 83 krb5_config_get_bool_default(context, NULL, 84 FALSE, 85 "kdc", "enable-digest", NULL); 86 87 { 88 const char *digests; 89 90 digests = krb5_config_get_string(context, NULL, 91 "kdc", 92 "digests_allowed", NULL); 93 if (digests == NULL) 94 digests = "ntlm-v2"; 95 c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0); 96 if (c->digests_allowed == -1) { 97 kdc_log(context, c, 0, 98 "unparsable digest units (%s), turning off digest", 99 digests); 100 c->enable_digest = 0; 101 } else if (c->digests_allowed == 0) { 102 kdc_log(context, c, 0, 103 "no digest enable, turning digest off", 104 digests); 105 c->enable_digest = 0; 106 } 107 } 108 #endif 109 110 #ifdef KX509 111 c->enable_kx509 = 112 krb5_config_get_bool_default(context, NULL, 113 FALSE, 114 "kdc", "enable-kx509", NULL); 115 116 if (c->enable_kx509) { 117 c->kx509_template = 118 krb5_config_get_string(context, NULL, 119 "kdc", "kx509_template", NULL); 120 c->kx509_ca = 121 krb5_config_get_string(context, NULL, 122 "kdc", "kx509_ca", NULL); 123 if (c->kx509_ca == NULL || c->kx509_template == NULL) { 124 kdc_log(context, c, 0, 125 "missing kx509 configuration, turning off"); 126 c->enable_kx509 = FALSE; 127 } 128 } 129 #endif 130 131 c->tgt_use_strongest_session_key = 132 krb5_config_get_bool_default(context, NULL, 133 c->tgt_use_strongest_session_key, 134 "kdc", 135 "tgt-use-strongest-session-key", NULL); 136 c->preauth_use_strongest_session_key = 137 krb5_config_get_bool_default(context, NULL, 138 c->preauth_use_strongest_session_key, 139 "kdc", 140 "preauth-use-strongest-session-key", NULL); 141 c->svc_use_strongest_session_key = 142 krb5_config_get_bool_default(context, NULL, 143 c->svc_use_strongest_session_key, 144 "kdc", 145 "svc-use-strongest-session-key", NULL); 146 c->use_strongest_server_key = 147 krb5_config_get_bool_default(context, NULL, 148 c->use_strongest_server_key, 149 "kdc", 150 "use-strongest-server-key", NULL); 151 152 c->check_ticket_addresses = 153 krb5_config_get_bool_default(context, NULL, 154 c->check_ticket_addresses, 155 "kdc", 156 "check-ticket-addresses", NULL); 157 c->allow_null_ticket_addresses = 158 krb5_config_get_bool_default(context, NULL, 159 c->allow_null_ticket_addresses, 160 "kdc", 161 "allow-null-ticket-addresses", NULL); 162 163 c->allow_anonymous = 164 krb5_config_get_bool_default(context, NULL, 165 c->allow_anonymous, 166 "kdc", 167 "allow-anonymous", NULL); 168 169 c->strict_nametypes = 170 krb5_config_get_bool_default(context, NULL, 171 c->strict_nametypes, 172 "kdc", 173 "strict-nametypes", NULL); 174 175 c->max_datagram_reply_length = 176 krb5_config_get_int_default(context, 177 NULL, 178 1400, 179 "kdc", 180 "max-kdc-datagram-reply-length", 181 NULL); 182 183 { 184 const char *trpolicy_str; 185 186 trpolicy_str = 187 krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc", 188 "transited-policy", NULL); 189 if(strcasecmp(trpolicy_str, "always-check") == 0) { 190 c->trpolicy = TRPOLICY_ALWAYS_CHECK; 191 } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) { 192 c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL; 193 } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) { 194 c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST; 195 } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) { 196 /* default */ 197 } else { 198 kdc_log(context, c, 0, 199 "unknown transited-policy: %s, " 200 "reverting to default (always-check)", 201 trpolicy_str); 202 } 203 } 204 205 c->encode_as_rep_as_tgs_rep = 206 krb5_config_get_bool_default(context, NULL, 207 c->encode_as_rep_as_tgs_rep, 208 "kdc", 209 "encode_as_rep_as_tgs_rep", NULL); 210 211 c->kdc_warn_pwexpire = 212 krb5_config_get_time_default (context, NULL, 213 c->kdc_warn_pwexpire, 214 "kdc", "kdc_warn_pwexpire", NULL); 215 216 217 c->enable_pkinit = 218 krb5_config_get_bool_default(context, 219 NULL, 220 c->enable_pkinit, 221 "kdc", 222 "enable-pkinit", 223 NULL); 224 225 226 c->pkinit_kdc_identity = 227 krb5_config_get_string(context, NULL, 228 "kdc", "pkinit_identity", NULL); 229 c->pkinit_kdc_anchors = 230 krb5_config_get_string(context, NULL, 231 "kdc", "pkinit_anchors", NULL); 232 c->pkinit_kdc_cert_pool = 233 krb5_config_get_strings(context, NULL, 234 "kdc", "pkinit_pool", NULL); 235 c->pkinit_kdc_revoke = 236 krb5_config_get_strings(context, NULL, 237 "kdc", "pkinit_revoke", NULL); 238 c->pkinit_kdc_ocsp_file = 239 krb5_config_get_string(context, NULL, 240 "kdc", "pkinit_kdc_ocsp", NULL); 241 c->pkinit_kdc_friendly_name = 242 krb5_config_get_string(context, NULL, 243 "kdc", "pkinit_kdc_friendly_name", NULL); 244 c->pkinit_princ_in_cert = 245 krb5_config_get_bool_default(context, NULL, 246 c->pkinit_princ_in_cert, 247 "kdc", 248 "pkinit_principal_in_certificate", 249 NULL); 250 c->pkinit_require_binding = 251 krb5_config_get_bool_default(context, NULL, 252 c->pkinit_require_binding, 253 "kdc", 254 "pkinit_win2k_require_binding", 255 NULL); 256 c->pkinit_dh_min_bits = 257 krb5_config_get_int_default(context, NULL, 258 0, 259 "kdc", "pkinit_dh_min_bits", NULL); 260 261 *config = c; 262 263 return 0; 264 } 265 266 krb5_error_code 267 krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config) 268 { 269 #ifdef PKINIT 270 #ifdef __APPLE__ 271 config->enable_pkinit = 1; 272 273 if (config->pkinit_kdc_identity == NULL) { 274 if (config->pkinit_kdc_friendly_name == NULL) 275 config->pkinit_kdc_friendly_name = 276 strdup("O=System Identity,CN=com.apple.kerberos.kdc"); 277 config->pkinit_kdc_identity = strdup("KEYCHAIN:"); 278 } 279 if (config->pkinit_kdc_anchors == NULL) 280 config->pkinit_kdc_anchors = strdup("KEYCHAIN:"); 281 282 #endif /* __APPLE__ */ 283 284 if (config->enable_pkinit) { 285 if (config->pkinit_kdc_identity == NULL) 286 krb5_errx(context, 1, "pkinit enabled but no identity"); 287 288 if (config->pkinit_kdc_anchors == NULL) 289 krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); 290 291 krb5_kdc_pk_initialize(context, config, 292 config->pkinit_kdc_identity, 293 config->pkinit_kdc_anchors, 294 config->pkinit_kdc_cert_pool, 295 config->pkinit_kdc_revoke); 296 297 } 298 299 return 0; 300 #endif /* PKINIT */ 301 } 302