Call out to Heimdal's krb5.conf processing to configure many aspects

of KDC behaviour.  This should allow PKINIT to be turned on and
managed with reasonable sanity.

From Andrew Bartlet



git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20447 ec53bebd-3082-4978-b11e-865c3cabbd6b

kdc/default_config.c

@@ -1,6 +1,7 @@
 /*
- * Copyright (c) 2005 Andrew Bartlett <abartlet@samba.org>
- * 
+ * Copyright (c) 1997-2005 Kungliga Tekniska H<>gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ *
  * All rights reserved. 
  *
  * Redistribution and use in source and binary forms, with or without 
@@ -14,10 +15,14 @@
  *    notice, this list of conditions and the following disclaimer in the 
  *    documentation and/or other materials provided with the distribution. 
  *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
@@ -29,6 +34,19 @@
 
 #include "kdc_locl.h"
 
+int require_preauth = -1; /* 1 == require preauth for all principals */
+
+const char *trpolicy_str;
+
+int disable_des = -1;
+int enable_v4 = -1;
+int enable_kaserver = -1;
+int enable_524 = -1;
+int enable_v4_cross_realm = -1;
+int detach_from_console = -1;
+
+char *v4_realm;
+
 /* 
  * Setup some of the defaults for the KDC configuration.
  * 
@@ -60,3 +78,293 @@ krb5_kdc_default_config(krb5_kdc_configuration *config)
     config->num_db = 0;
     config->logf = NULL;
 }
+
+
+/* 
+ * Setup some valudes for the KDC configuration, from the config file
+ * 
+ * Note: Caller must also fill in:
+ * - db
+ * - num_db
+ * - logf
+ *
+*/
+
+void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config)
+{
+    const char *p;
+    if(require_preauth == -1) {
+	config->require_preauth = krb5_config_get_bool_default(context, NULL, 
+							       config->require_preauth,
+							       "kdc", 
+							       "require-preauth", NULL);
+    } else {
+	config->require_preauth = require_preauth;
+    }
+
+    if(enable_v4 == -1) {
+	config->enable_v4 = krb5_config_get_bool_default(context, NULL, 
+							 config->enable_v4, 
+							 "kdc", 
+							 "enable-kerberos4", 
+							 NULL);
+    } else {
+	config->enable_v4 = enable_v4;
+    }
+
+    if(enable_v4_cross_realm == -1) {
+	config->enable_v4_cross_realm =
+	    krb5_config_get_bool_default(context, NULL,
+					 config->enable_v4_cross_realm, 
+					 "kdc", 
+					 "enable-kerberos4-cross-realm",
+					 NULL);
+    } else {
+	config->enable_v4_cross_realm = enable_v4_cross_realm;
+    }
+
+    if(enable_524 == -1) {
+	config->enable_524 = krb5_config_get_bool_default(context, NULL, 
+							  config->enable_v4, 
+							  "kdc", "enable-524", 
+							  NULL);
+    } else {
+	config->enable_524 = enable_524;
+    }
+
+    config->enable_digest = 
+	krb5_config_get_bool_default(context, NULL, 
+				     FALSE, 
+				     "kdc", 
+				     "enable-digest", NULL);
+
+    {
+	const char *digests;
+
+	digests = krb5_config_get_string(context, NULL, 
+					 "kdc", 
+					 "digests_allowed", NULL);
+	if (digests == NULL)
+	    digests = "ntlm-v2";
+	config->digests_allowed = parse_flags(digests,
+					      _kdc_digestunits,
+					      0);
+	if (config->digests_allowed == -1) {
+	    kdc_log(context, config, 0,
+		    "unparsable digest units (%s), turning off digest",
+		    digests);
+	    config->enable_digest = 0;
+	} else if (config->digests_allowed == 0) {
+	    kdc_log(context, config, 0,
+		    "no digest enable, turning digest off",
+		    digests);
+	    config->enable_digest = 0;
+	}
+    }
+
+    config->enable_kx509 = 
+	krb5_config_get_bool_default(context, NULL, 
+				     FALSE, 
+				     "kdc", 
+				     "enable-kx509", NULL);
+
+    config->check_ticket_addresses = 
+	krb5_config_get_bool_default(context, NULL, 
+				     config->check_ticket_addresses, 
+				     "kdc", 
+				     "check-ticket-addresses", NULL);
+    config->allow_null_ticket_addresses = 
+	krb5_config_get_bool_default(context, NULL, 
+				     config->allow_null_ticket_addresses, 
+				     "kdc", 
+				     "allow-null-ticket-addresses", NULL);
+
+    config->allow_anonymous = 
+	krb5_config_get_bool_default(context, NULL, 
+				     config->allow_anonymous,
+				     "kdc", 
+				     "allow-anonymous", NULL);
+
+    config->max_datagram_reply_length =
+	krb5_config_get_int_default(context, 
+				    NULL, 
+				    1400,
+				    "kdc",
+				    "max-kdc-datagram-reply-length",
+				    NULL);
+
+    trpolicy_str = 
+	krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc", 
+				       "transited-policy", NULL);
+    if(strcasecmp(trpolicy_str, "always-check") == 0) {
+	config->trpolicy = TRPOLICY_ALWAYS_CHECK;
+    } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
+	config->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
+    } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
+	config->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
+    } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) { 
+	/* default */
+    } else {
+	kdc_log(context, config, 
+		0, "unknown transited-policy: %s, reverting to default (always-check)", 
+		trpolicy_str);
+    }
+	
+    if (krb5_config_get_string(context, NULL, "kdc", 
+			       "enforce-transited-policy", NULL))
+	krb5_errx(context, 1, "enforce-transited-policy deprecated, "
+		  "use [kdc]transited-policy instead");
+
+    if(v4_realm == NULL){
+	p = krb5_config_get_string (context, NULL, 
+				    "kdc",
+				    "v4-realm",
+				    NULL);
+	if(p != NULL) {
+	    config->v4_realm = strdup(p);
+	    if (config->v4_realm == NULL)
+		krb5_errx(context, 1, "out of memory");
+	} else {
+	    config->v4_realm = NULL;
+	}
+    } else {
+	config->v4_realm = v4_realm;
+    }
+
+    if (enable_kaserver == -1) {
+	config->enable_kaserver = 
+	    krb5_config_get_bool_default(context, 
+					 NULL, 
+					 config->enable_kaserver,
+					 "kdc",
+					 "enable-kaserver",
+					 NULL);
+    } else {
+	config->enable_kaserver = enable_kaserver;
+    }
+
+    config->encode_as_rep_as_tgs_rep =
+	krb5_config_get_bool_default(context, NULL, 
+				     config->encode_as_rep_as_tgs_rep, 
+				     "kdc", 
+				     "encode_as_rep_as_tgs_rep", 
+				     NULL);
+
+    config->kdc_warn_pwexpire =
+	krb5_config_get_time_default (context, NULL,
+				      config->kdc_warn_pwexpire,
+				      "kdc",
+				      "kdc_warn_pwexpire",
+				      NULL);
+
+    if(detach_from_console == -1) 
+	detach_from_console = krb5_config_get_bool_default(context, NULL, 
+							   DETACH_IS_DEFAULT,
+							   "kdc",
+							   "detach", NULL);
+
+#ifdef PKINIT
+    config->enable_pkinit = 
+	krb5_config_get_bool_default(context, 
+				     NULL, 
+				     config->enable_pkinit,
+				     "kdc",
+				     "enable-pkinit",
+				     NULL);
+    if (config->enable_pkinit) {
+	const char *user_id, *anchors, *ocsp_file;
+	char **pool_list, **revoke_list;
+
+	user_id = krb5_config_get_string(context, NULL,
+					 "kdc",
+					 "pkinit_identity",
+					 NULL);
+	if (user_id == NULL)
+	    krb5_errx(context, 1, "pkinit enabled but no identity");
+
+	anchors = krb5_config_get_string(context, NULL,
+					 "kdc",
+					 "pkinit_anchors",
+					 NULL);
+	if (anchors == NULL)
+	    krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
+
+	pool_list = krb5_config_get_strings(context, NULL,
+					    "kdc",
+					    "pkinit_pool",
+					    NULL);
+
+	revoke_list = krb5_config_get_strings(context, NULL,
+					      "kdc",
+					      "pkinit_revoke",
+					      NULL);
+
+	ocsp_file = 
+	    krb5_config_get_string(context, NULL,
+				   "kdc",
+				   "pkinit_kdc_ocsp",
+				   NULL);
+	if (ocsp_file) {
+	    config->pkinit_kdc_ocsp_file = strdup(ocsp_file);
+	    if (config->pkinit_kdc_ocsp_file == NULL)
+		krb5_errx(context, 1, "out of memory");
+	}
+	_kdc_pk_initialize(context, config, user_id, anchors, 
+			   pool_list, revoke_list);
+
+	krb5_config_free_strings(pool_list);
+	krb5_config_free_strings(revoke_list);
+
+	config->enable_pkinit_princ_in_cert = 
+	    krb5_config_get_bool_default(context, 
+					 NULL,
+					 config->enable_pkinit_princ_in_cert,
+					 "kdc",
+					 "pkinit_principal_in_certificate",
+					 NULL);
+    }
+
+    config->pkinit_dh_min_bits =
+	krb5_config_get_int_default(context, 
+				    NULL, 
+				    0,
+				    "kdc",
+				    "pkinit_dh_min_bits",
+				    NULL);
+
+#endif
+
+    if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4)){
+#ifdef KRB4
+	config->v4_realm = malloc(40); /* REALM_SZ */
+	if (config->v4_realm == NULL)
+	    krb5_errx(context, 1, "out of memory");
+	krb_get_lrealm(config->v4_realm, 1);
+#else
+	krb5_errx(context, 1, "No Kerberos 4 realm configured");
+#endif
+    }
+    if(disable_des == -1)
+	disable_des = krb5_config_get_bool_default(context, NULL, 
+						   FALSE,
+						   "kdc",
+						   "disable-des", NULL);
+    if(disable_des) {
+	krb5_enctype_disable(context, ETYPE_DES_CBC_CRC);
+	krb5_enctype_disable(context, ETYPE_DES_CBC_MD4);
+	krb5_enctype_disable(context, ETYPE_DES_CBC_MD5);
+	krb5_enctype_disable(context, ETYPE_DES_CBC_NONE);
+	krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE);
+	krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE);
+
+	kdc_log(context, config, 
+		0, "DES was disabled, turned off Kerberos V4, 524 "
+		"and kaserver");
+	config->enable_v4 = 0;
+	config->enable_524 = 0;
+	config->enable_kaserver = 0;
+    }
+
+    _kdc_windc_init(context);
+}
+