2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 #include <parse_bytes.h>
40 static const char *sysplugin_dirs
[] = {
44 "$ORIGIN/../lib/plugin/kdc",
53 load_kdc_plugins_once(void *ctx
)
55 krb5_context context
= ctx
;
56 const char * const *dirs
= sysplugin_dirs
;
60 cfdirs
= krb5_config_get_strings(context
, NULL
, "kdc", "plugin_dir", NULL
);
62 dirs
= (const char * const *)cfdirs
;
65 _krb5_load_plugins(context
, "kdc", (const char **)dirs
);
68 krb5_config_free_strings(cfdirs
);
73 krb5_kdc_get_config(krb5_context context
, krb5_kdc_configuration
**config
)
75 static heim_base_once_t load_kdc_plugins
= HEIM_BASE_ONCE_INIT
;
76 krb5_kdc_configuration
*c
;
79 heim_base_once_f(&load_kdc_plugins
, context
, load_kdc_plugins_once
);
81 c
= calloc(1, sizeof(*c
));
83 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
88 c
->num_kdc_processes
= -1;
89 c
->require_preauth
= TRUE
;
90 c
->kdc_warn_pwexpire
= 0;
91 c
->encode_as_rep_as_tgs_rep
= FALSE
;
92 c
->tgt_use_strongest_session_key
= FALSE
;
93 c
->preauth_use_strongest_session_key
= FALSE
;
94 c
->svc_use_strongest_session_key
= FALSE
;
95 c
->use_strongest_server_key
= TRUE
;
96 c
->check_ticket_addresses
= TRUE
;
97 c
->warn_ticket_addresses
= FALSE
;
98 c
->allow_null_ticket_addresses
= TRUE
;
99 c
->allow_anonymous
= FALSE
;
100 c
->historical_anon_realm
= FALSE
;
101 c
->strict_nametypes
= FALSE
;
102 c
->trpolicy
= TRPOLICY_ALWAYS_CHECK
;
103 c
->enable_pkinit
= FALSE
;
104 c
->pkinit_princ_in_cert
= TRUE
;
105 c
->pkinit_require_binding
= TRUE
;
106 c
->synthetic_clients
= FALSE
;
107 c
->pkinit_max_life_from_cert_extension
= FALSE
;
108 c
->pkinit_max_life_bound
= 0;
109 c
->synthetic_clients_max_life
= 300;
110 c
->synthetic_clients_max_renew
= 300;
111 c
->pkinit_dh_min_bits
= 1024;
116 c
->num_kdc_processes
=
117 krb5_config_get_int_default(context
, NULL
, c
->num_kdc_processes
,
118 "kdc", "num-kdc-processes", NULL
);
121 krb5_config_get_bool_default(context
, NULL
,
123 "kdc", "require-preauth", NULL
);
126 krb5_config_get_bool_default(context
, NULL
,
128 "kdc", "enable-digest", NULL
);
133 digests
= krb5_config_get_string(context
, NULL
,
135 "digests_allowed", NULL
);
138 c
->digests_allowed
= parse_flags(digests
,_kdc_digestunits
, 0);
139 if (c
->digests_allowed
== -1) {
140 kdc_log(context
, c
, 0,
141 "unparsable digest units (%s), turning off digest",
143 c
->enable_digest
= 0;
144 } else if (c
->digests_allowed
== 0) {
145 kdc_log(context
, c
, 0, "no digest enable, turning digest off");
146 c
->enable_digest
= 0;
153 krb5_config_get_bool_default(context
, NULL
,
155 "kdc", "enable_kx509", NULL
);
158 c
->tgt_use_strongest_session_key
=
159 krb5_config_get_bool_default(context
, NULL
,
160 c
->tgt_use_strongest_session_key
,
162 "tgt-use-strongest-session-key", NULL
);
163 c
->preauth_use_strongest_session_key
=
164 krb5_config_get_bool_default(context
, NULL
,
165 c
->preauth_use_strongest_session_key
,
167 "preauth-use-strongest-session-key", NULL
);
168 c
->svc_use_strongest_session_key
=
169 krb5_config_get_bool_default(context
, NULL
,
170 c
->svc_use_strongest_session_key
,
172 "svc-use-strongest-session-key", NULL
);
173 c
->use_strongest_server_key
=
174 krb5_config_get_bool_default(context
, NULL
,
175 c
->use_strongest_server_key
,
177 "use-strongest-server-key", NULL
);
179 c
->check_ticket_addresses
=
180 krb5_config_get_bool_default(context
, NULL
,
181 c
->check_ticket_addresses
,
183 "check-ticket-addresses", NULL
);
184 c
->warn_ticket_addresses
=
185 krb5_config_get_bool_default(context
, NULL
,
186 c
->warn_ticket_addresses
,
188 "warn_ticket_addresses", NULL
);
189 c
->allow_null_ticket_addresses
=
190 krb5_config_get_bool_default(context
, NULL
,
191 c
->allow_null_ticket_addresses
,
193 "allow-null-ticket-addresses", NULL
);
196 krb5_config_get_bool_default(context
, NULL
,
199 "allow-anonymous", NULL
);
201 c
->historical_anon_realm
=
202 krb5_config_get_bool_default(context
, NULL
,
203 c
->historical_anon_realm
,
205 "historical_anon_realm", NULL
);
207 c
->strict_nametypes
=
208 krb5_config_get_bool_default(context
, NULL
,
211 "strict-nametypes", NULL
);
213 c
->max_datagram_reply_length
=
214 krb5_config_get_int_default(context
,
218 "max-kdc-datagram-reply-length",
222 const char *trpolicy_str
;
225 krb5_config_get_string_default(context
, NULL
, "DEFAULT", "kdc",
226 "transited-policy", NULL
);
227 if(strcasecmp(trpolicy_str
, "always-check") == 0) {
228 c
->trpolicy
= TRPOLICY_ALWAYS_CHECK
;
229 } else if(strcasecmp(trpolicy_str
, "allow-per-principal") == 0) {
230 c
->trpolicy
= TRPOLICY_ALLOW_PER_PRINCIPAL
;
231 } else if(strcasecmp(trpolicy_str
, "always-honour-request") == 0) {
232 c
->trpolicy
= TRPOLICY_ALWAYS_HONOUR_REQUEST
;
233 } else if(strcasecmp(trpolicy_str
, "DEFAULT") == 0) {
236 kdc_log(context
, c
, 0,
237 "unknown transited-policy: %s, "
238 "reverting to default (always-check)",
243 c
->encode_as_rep_as_tgs_rep
=
244 krb5_config_get_bool_default(context
, NULL
,
245 c
->encode_as_rep_as_tgs_rep
,
247 "encode_as_rep_as_tgs_rep", NULL
);
249 c
->kdc_warn_pwexpire
=
250 krb5_config_get_time_default (context
, NULL
,
251 c
->kdc_warn_pwexpire
,
252 "kdc", "kdc_warn_pwexpire", NULL
);
256 krb5_config_get_bool_default(context
,
264 c
->pkinit_kdc_identity
=
265 krb5_config_get_string(context
, NULL
,
266 "kdc", "pkinit_identity", NULL
);
267 c
->pkinit_kdc_anchors
=
268 krb5_config_get_string(context
, NULL
,
269 "kdc", "pkinit_anchors", NULL
);
270 c
->pkinit_kdc_cert_pool
=
271 krb5_config_get_strings(context
, NULL
,
272 "kdc", "pkinit_pool", NULL
);
273 c
->pkinit_kdc_revoke
=
274 krb5_config_get_strings(context
, NULL
,
275 "kdc", "pkinit_revoke", NULL
);
276 c
->pkinit_kdc_ocsp_file
=
277 krb5_config_get_string(context
, NULL
,
278 "kdc", "pkinit_kdc_ocsp", NULL
);
279 c
->pkinit_kdc_friendly_name
=
280 krb5_config_get_string(context
, NULL
,
281 "kdc", "pkinit_kdc_friendly_name", NULL
);
282 c
->pkinit_princ_in_cert
=
283 krb5_config_get_bool_default(context
, NULL
,
284 c
->pkinit_princ_in_cert
,
286 "pkinit_principal_in_certificate",
288 c
->pkinit_require_binding
=
289 krb5_config_get_bool_default(context
, NULL
,
290 c
->pkinit_require_binding
,
292 "pkinit_win2k_require_binding",
294 c
->pkinit_dh_min_bits
=
295 krb5_config_get_int_default(context
, NULL
,
297 "kdc", "pkinit_dh_min_bits", NULL
);
299 c
->pkinit_max_life_from_cert_extension
=
300 krb5_config_get_bool_default(context
, NULL
,
301 c
->pkinit_max_life_from_cert_extension
,
303 "pkinit_max_life_from_cert_extension",
306 c
->synthetic_clients
=
307 krb5_config_get_bool_default(context
, NULL
,
308 c
->synthetic_clients
,
313 c
->pkinit_max_life_bound
=
314 krb5_config_get_time_default(context
, NULL
, 0, "kdc",
315 "pkinit_max_life_bound",
318 c
->pkinit_max_life_from_cert
=
319 krb5_config_get_time_default(context
, NULL
, 0, "kdc",
320 "pkinit_max_life_from_cert",
323 c
->synthetic_clients_max_life
=
324 krb5_config_get_time_default(context
, NULL
, 300, "kdc",
325 "synthetic_clients_max_life",
328 c
->synthetic_clients_max_renew
=
329 krb5_config_get_time_default(context
, NULL
, 300, "kdc",
330 "synthetic_clients_max_renew",
333 c
->enable_gss_preauth
=
334 krb5_config_get_bool_default(context
, NULL
,
335 c
->enable_gss_preauth
,
337 "enable_gss_preauth", NULL
);
339 c
->enable_gss_auth_data
=
340 krb5_config_get_bool_default(context
, NULL
,
341 c
->enable_gss_auth_data
,
343 "enable_gss_auth_data", NULL
);
345 ret
= _kdc_gss_get_mechanism_config(context
, "kdc",
346 "gss_mechanisms_allowed",
347 &c
->gss_mechanisms_allowed
);
353 ret
= _kdc_gss_get_mechanism_config(context
, "kdc",
354 "gss_cross_realm_mechanisms_allowed",
355 &c
->gss_cross_realm_mechanisms_allowed
);
358 gss_release_oid_set(&minor
, &c
->gss_mechanisms_allowed
);
369 krb5_kdc_pkinit_config(krb5_context context
, krb5_kdc_configuration
*config
)
373 config
->enable_pkinit
= 1;
375 if (config
->pkinit_kdc_identity
== NULL
) {
376 if (config
->pkinit_kdc_friendly_name
== NULL
)
377 config
->pkinit_kdc_friendly_name
=
378 strdup("O=System Identity,CN=com.apple.kerberos.kdc");
379 config
->pkinit_kdc_identity
= strdup("KEYCHAIN:");
381 if (config
->pkinit_kdc_anchors
== NULL
)
382 config
->pkinit_kdc_anchors
= strdup("KEYCHAIN:");
384 #endif /* __APPLE__ */
386 if (config
->enable_pkinit
) {
387 if (config
->pkinit_kdc_identity
== NULL
)
388 krb5_errx(context
, 1, "pkinit enabled but no identity");
390 if (config
->pkinit_kdc_anchors
== NULL
)
391 krb5_errx(context
, 1, "pkinit enabled but no X509 anchors");
393 krb5_kdc_pk_initialize(context
, config
,
394 config
->pkinit_kdc_identity
,
395 config
->pkinit_kdc_anchors
,
396 config
->pkinit_kdc_cert_pool
,
397 config
->pkinit_kdc_revoke
);