2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 #include <parse_bytes.h>
40 static const char *sysplugin_dirs
[] = {
44 "$ORIGIN/../lib/plugin/kdc",
53 load_kdc_plugins_once(void *ctx
)
55 krb5_context context
= ctx
;
56 const char * const *dirs
= sysplugin_dirs
;
60 cfdirs
= krb5_config_get_strings(context
, NULL
, "kdc", "plugin_dir", NULL
);
62 dirs
= (const char * const *)cfdirs
;
65 _krb5_load_plugins(context
, "kdc", (const char **)dirs
);
68 krb5_config_free_strings(cfdirs
);
73 krb5_kdc_get_config(krb5_context context
, krb5_kdc_configuration
**config
)
75 static heim_base_once_t load_kdc_plugins
= HEIM_BASE_ONCE_INIT
;
76 krb5_kdc_configuration
*c
;
79 heim_base_once_f(&load_kdc_plugins
, context
, load_kdc_plugins_once
);
81 c
= calloc(1, sizeof(*c
));
83 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
88 c
->num_kdc_processes
= -1;
89 c
->require_preauth
= TRUE
;
90 c
->kdc_warn_pwexpire
= 0;
91 c
->encode_as_rep_as_tgs_rep
= FALSE
;
92 c
->tgt_use_strongest_session_key
= FALSE
;
93 c
->preauth_use_strongest_session_key
= FALSE
;
94 c
->svc_use_strongest_session_key
= FALSE
;
95 c
->use_strongest_server_key
= TRUE
;
96 c
->check_ticket_addresses
= TRUE
;
97 c
->warn_ticket_addresses
= FALSE
;
98 c
->allow_null_ticket_addresses
= TRUE
;
99 c
->allow_anonymous
= FALSE
;
100 c
->historical_anon_realm
= FALSE
;
101 c
->strict_nametypes
= FALSE
;
102 c
->trpolicy
= TRPOLICY_ALWAYS_CHECK
;
103 c
->enable_armored_pa_enc_timestamp
= TRUE
;
104 c
->enable_unarmored_pa_enc_timestamp
= TRUE
;
105 c
->enable_pkinit
= FALSE
;
106 c
->pkinit_princ_in_cert
= TRUE
;
107 c
->pkinit_require_binding
= TRUE
;
108 c
->synthetic_clients
= FALSE
;
109 c
->pkinit_max_life_from_cert_extension
= FALSE
;
110 c
->pkinit_max_life_bound
= 0;
111 c
->synthetic_clients_max_life
= 300;
112 c
->synthetic_clients_max_renew
= 300;
113 c
->pkinit_dh_min_bits
= 1024;
118 c
->num_kdc_processes
=
119 krb5_config_get_int_default(context
, NULL
, c
->num_kdc_processes
,
120 "kdc", "num-kdc-processes", NULL
);
123 krb5_config_get_bool_default(context
, NULL
,
125 "kdc", "require-preauth", NULL
);
128 krb5_config_get_bool_default(context
, NULL
,
130 "kdc", "enable-digest", NULL
);
135 digests
= krb5_config_get_string(context
, NULL
,
137 "digests_allowed", NULL
);
140 c
->digests_allowed
= parse_flags(digests
,_kdc_digestunits
, 0);
141 if (c
->digests_allowed
== -1) {
142 kdc_log(context
, c
, 0,
143 "unparsable digest units (%s), turning off digest",
145 c
->enable_digest
= 0;
146 } else if (c
->digests_allowed
== 0) {
147 kdc_log(context
, c
, 0, "no digest enable, turning digest off");
148 c
->enable_digest
= 0;
155 krb5_config_get_bool_default(context
, NULL
,
157 "kdc", "enable_kx509", NULL
);
160 c
->tgt_use_strongest_session_key
=
161 krb5_config_get_bool_default(context
, NULL
,
162 c
->tgt_use_strongest_session_key
,
164 "tgt-use-strongest-session-key", NULL
);
165 c
->preauth_use_strongest_session_key
=
166 krb5_config_get_bool_default(context
, NULL
,
167 c
->preauth_use_strongest_session_key
,
169 "preauth-use-strongest-session-key", NULL
);
170 c
->svc_use_strongest_session_key
=
171 krb5_config_get_bool_default(context
, NULL
,
172 c
->svc_use_strongest_session_key
,
174 "svc-use-strongest-session-key", NULL
);
175 c
->use_strongest_server_key
=
176 krb5_config_get_bool_default(context
, NULL
,
177 c
->use_strongest_server_key
,
179 "use-strongest-server-key", NULL
);
181 c
->check_ticket_addresses
=
182 krb5_config_get_bool_default(context
, NULL
,
183 c
->check_ticket_addresses
,
185 "check-ticket-addresses", NULL
);
186 c
->warn_ticket_addresses
=
187 krb5_config_get_bool_default(context
, NULL
,
188 c
->warn_ticket_addresses
,
190 "warn_ticket_addresses", NULL
);
191 c
->allow_null_ticket_addresses
=
192 krb5_config_get_bool_default(context
, NULL
,
193 c
->allow_null_ticket_addresses
,
195 "allow-null-ticket-addresses", NULL
);
198 krb5_config_get_bool_default(context
, NULL
,
201 "allow-anonymous", NULL
);
203 c
->historical_anon_realm
=
204 krb5_config_get_bool_default(context
, NULL
,
205 c
->historical_anon_realm
,
207 "historical_anon_realm", NULL
);
209 c
->strict_nametypes
=
210 krb5_config_get_bool_default(context
, NULL
,
213 "strict-nametypes", NULL
);
215 c
->max_datagram_reply_length
=
216 krb5_config_get_int_default(context
,
220 "max-kdc-datagram-reply-length",
224 const char *trpolicy_str
;
227 krb5_config_get_string_default(context
, NULL
, "DEFAULT", "kdc",
228 "transited-policy", NULL
);
229 if(strcasecmp(trpolicy_str
, "always-check") == 0) {
230 c
->trpolicy
= TRPOLICY_ALWAYS_CHECK
;
231 } else if(strcasecmp(trpolicy_str
, "allow-per-principal") == 0) {
232 c
->trpolicy
= TRPOLICY_ALLOW_PER_PRINCIPAL
;
233 } else if(strcasecmp(trpolicy_str
, "always-honour-request") == 0) {
234 c
->trpolicy
= TRPOLICY_ALWAYS_HONOUR_REQUEST
;
235 } else if(strcasecmp(trpolicy_str
, "DEFAULT") == 0) {
238 kdc_log(context
, c
, 0,
239 "unknown transited-policy: %s, "
240 "reverting to default (always-check)",
245 c
->encode_as_rep_as_tgs_rep
=
246 krb5_config_get_bool_default(context
, NULL
,
247 c
->encode_as_rep_as_tgs_rep
,
249 "encode_as_rep_as_tgs_rep", NULL
);
251 c
->kdc_warn_pwexpire
=
252 krb5_config_get_time_default (context
, NULL
,
253 c
->kdc_warn_pwexpire
,
254 "kdc", "kdc_warn_pwexpire", NULL
);
256 c
->enable_armored_pa_enc_timestamp
=
257 krb5_config_get_bool_default(context
,
259 c
->enable_armored_pa_enc_timestamp
,
261 "enable_armored_pa_enc_timestamp",
264 c
->enable_unarmored_pa_enc_timestamp
=
265 krb5_config_get_bool_default(context
,
267 c
->enable_unarmored_pa_enc_timestamp
,
269 "enable_unarmored_pa_enc_timestamp",
273 krb5_config_get_bool_default(context
,
281 c
->pkinit_kdc_identity
=
282 krb5_config_get_string(context
, NULL
,
283 "kdc", "pkinit_identity", NULL
);
284 c
->pkinit_kdc_anchors
=
285 krb5_config_get_string(context
, NULL
,
286 "kdc", "pkinit_anchors", NULL
);
287 c
->pkinit_kdc_cert_pool
=
288 krb5_config_get_strings(context
, NULL
,
289 "kdc", "pkinit_pool", NULL
);
290 c
->pkinit_kdc_revoke
=
291 krb5_config_get_strings(context
, NULL
,
292 "kdc", "pkinit_revoke", NULL
);
293 c
->pkinit_kdc_ocsp_file
=
294 krb5_config_get_string(context
, NULL
,
295 "kdc", "pkinit_kdc_ocsp", NULL
);
296 c
->pkinit_kdc_friendly_name
=
297 krb5_config_get_string(context
, NULL
,
298 "kdc", "pkinit_kdc_friendly_name", NULL
);
299 c
->pkinit_princ_in_cert
=
300 krb5_config_get_bool_default(context
, NULL
,
301 c
->pkinit_princ_in_cert
,
303 "pkinit_principal_in_certificate",
305 c
->pkinit_require_binding
=
306 krb5_config_get_bool_default(context
, NULL
,
307 c
->pkinit_require_binding
,
309 "pkinit_win2k_require_binding",
311 c
->pkinit_dh_min_bits
=
312 krb5_config_get_int_default(context
, NULL
,
314 "kdc", "pkinit_dh_min_bits", NULL
);
316 c
->pkinit_max_life_from_cert_extension
=
317 krb5_config_get_bool_default(context
, NULL
,
318 c
->pkinit_max_life_from_cert_extension
,
320 "pkinit_max_life_from_cert_extension",
323 c
->synthetic_clients
=
324 krb5_config_get_bool_default(context
, NULL
,
325 c
->synthetic_clients
,
330 c
->pkinit_max_life_bound
=
331 krb5_config_get_time_default(context
, NULL
, 0, "kdc",
332 "pkinit_max_life_bound",
335 c
->pkinit_max_life_from_cert
=
336 krb5_config_get_time_default(context
, NULL
, 0, "kdc",
337 "pkinit_max_life_from_cert",
340 c
->synthetic_clients_max_life
=
341 krb5_config_get_time_default(context
, NULL
, 300, "kdc",
342 "synthetic_clients_max_life",
345 c
->synthetic_clients_max_renew
=
346 krb5_config_get_time_default(context
, NULL
, 300, "kdc",
347 "synthetic_clients_max_renew",
350 c
->enable_gss_preauth
=
351 krb5_config_get_bool_default(context
, NULL
,
352 c
->enable_gss_preauth
,
354 "enable_gss_preauth", NULL
);
356 c
->enable_gss_auth_data
=
357 krb5_config_get_bool_default(context
, NULL
,
358 c
->enable_gss_auth_data
,
360 "enable_gss_auth_data", NULL
);
362 ret
= _kdc_gss_get_mechanism_config(context
, "kdc",
363 "gss_mechanisms_allowed",
364 &c
->gss_mechanisms_allowed
);
370 ret
= _kdc_gss_get_mechanism_config(context
, "kdc",
371 "gss_cross_realm_mechanisms_allowed",
372 &c
->gss_cross_realm_mechanisms_allowed
);
375 gss_release_oid_set(&minor
, &c
->gss_mechanisms_allowed
);
386 krb5_kdc_pkinit_config(krb5_context context
, krb5_kdc_configuration
*config
)
390 config
->enable_pkinit
= 1;
392 if (config
->pkinit_kdc_identity
== NULL
) {
393 if (config
->pkinit_kdc_friendly_name
== NULL
)
394 config
->pkinit_kdc_friendly_name
=
395 strdup("O=System Identity,CN=com.apple.kerberos.kdc");
396 config
->pkinit_kdc_identity
= strdup("KEYCHAIN:");
398 if (config
->pkinit_kdc_anchors
== NULL
)
399 config
->pkinit_kdc_anchors
= strdup("KEYCHAIN:");
401 #endif /* __APPLE__ */
403 if (config
->enable_pkinit
) {
404 if (config
->pkinit_kdc_identity
== NULL
)
405 krb5_errx(context
, 1, "pkinit enabled but no identity");
407 if (config
->pkinit_kdc_anchors
== NULL
)
408 krb5_errx(context
, 1, "pkinit enabled but no X509 anchors");
410 krb5_kdc_pk_initialize(context
, config
,
411 config
->pkinit_kdc_identity
,
412 config
->pkinit_kdc_anchors
,
413 config
->pkinit_kdc_cert_pool
,
414 config
->pkinit_kdc_revoke
);