2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 #include <parse_bytes.h>
41 krb5_kdc_get_config(krb5_context context
, krb5_kdc_configuration
**config
)
43 krb5_kdc_configuration
*c
;
45 c
= calloc(1, sizeof(*c
));
47 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
51 c
->num_kdc_processes
= -1;
52 c
->require_preauth
= TRUE
;
53 c
->kdc_warn_pwexpire
= 0;
54 c
->encode_as_rep_as_tgs_rep
= FALSE
;
55 c
->tgt_use_strongest_session_key
= FALSE
;
56 c
->preauth_use_strongest_session_key
= FALSE
;
57 c
->svc_use_strongest_session_key
= FALSE
;
58 c
->use_strongest_server_key
= TRUE
;
59 c
->check_ticket_addresses
= TRUE
;
60 c
->allow_null_ticket_addresses
= TRUE
;
61 c
->allow_anonymous
= FALSE
;
62 c
->trpolicy
= TRPOLICY_ALWAYS_CHECK
;
63 c
->enable_pkinit
= FALSE
;
64 c
->pkinit_princ_in_cert
= TRUE
;
65 c
->pkinit_require_binding
= TRUE
;
70 c
->num_kdc_processes
=
71 krb5_config_get_int_default(context
, NULL
, c
->num_kdc_processes
,
72 "kdc", "num-kdc-processes", NULL
);
75 krb5_config_get_bool_default(context
, NULL
,
77 "kdc", "require-preauth", NULL
);
80 krb5_config_get_bool_default(context
, NULL
,
82 "kdc", "enable-digest", NULL
);
87 digests
= krb5_config_get_string(context
, NULL
,
89 "digests_allowed", NULL
);
92 c
->digests_allowed
= parse_flags(digests
,_kdc_digestunits
, 0);
93 if (c
->digests_allowed
== -1) {
94 kdc_log(context
, c
, 0,
95 "unparsable digest units (%s), turning off digest",
98 } else if (c
->digests_allowed
== 0) {
99 kdc_log(context
, c
, 0,
100 "no digest enable, turning digest off",
102 c
->enable_digest
= 0;
109 krb5_config_get_bool_default(context
, NULL
,
111 "kdc", "enable-kx509", NULL
);
113 if (c
->enable_kx509
) {
115 krb5_config_get_string(context
, NULL
,
116 "kdc", "kx509_template", NULL
);
118 krb5_config_get_string(context
, NULL
,
119 "kdc", "kx509_ca", NULL
);
120 if (c
->kx509_ca
== NULL
|| c
->kx509_template
== NULL
) {
121 kdc_log(context
, c
, 0,
122 "missing kx509 configuration, turning off");
123 c
->enable_kx509
= FALSE
;
128 c
->tgt_use_strongest_session_key
=
129 krb5_config_get_bool_default(context
, NULL
,
130 c
->tgt_use_strongest_session_key
,
132 "tgt-use-strongest-session-key", NULL
);
133 c
->preauth_use_strongest_session_key
=
134 krb5_config_get_bool_default(context
, NULL
,
135 c
->preauth_use_strongest_session_key
,
137 "preauth-use-strongest-session-key", NULL
);
138 c
->svc_use_strongest_session_key
=
139 krb5_config_get_bool_default(context
, NULL
,
140 c
->svc_use_strongest_session_key
,
142 "svc-use-strongest-session-key", NULL
);
143 c
->use_strongest_server_key
=
144 krb5_config_get_bool_default(context
, NULL
,
145 c
->use_strongest_server_key
,
147 "use-strongest-server-key", NULL
);
149 c
->check_ticket_addresses
=
150 krb5_config_get_bool_default(context
, NULL
,
151 c
->check_ticket_addresses
,
153 "check-ticket-addresses", NULL
);
154 c
->allow_null_ticket_addresses
=
155 krb5_config_get_bool_default(context
, NULL
,
156 c
->allow_null_ticket_addresses
,
158 "allow-null-ticket-addresses", NULL
);
161 krb5_config_get_bool_default(context
, NULL
,
164 "allow-anonymous", NULL
);
166 c
->max_datagram_reply_length
=
167 krb5_config_get_int_default(context
,
171 "max-kdc-datagram-reply-length",
175 const char *trpolicy_str
;
178 krb5_config_get_string_default(context
, NULL
, "DEFAULT", "kdc",
179 "transited-policy", NULL
);
180 if(strcasecmp(trpolicy_str
, "always-check") == 0) {
181 c
->trpolicy
= TRPOLICY_ALWAYS_CHECK
;
182 } else if(strcasecmp(trpolicy_str
, "allow-per-principal") == 0) {
183 c
->trpolicy
= TRPOLICY_ALLOW_PER_PRINCIPAL
;
184 } else if(strcasecmp(trpolicy_str
, "always-honour-request") == 0) {
185 c
->trpolicy
= TRPOLICY_ALWAYS_HONOUR_REQUEST
;
186 } else if(strcasecmp(trpolicy_str
, "DEFAULT") == 0) {
189 kdc_log(context
, c
, 0,
190 "unknown transited-policy: %s, "
191 "reverting to default (always-check)",
196 c
->encode_as_rep_as_tgs_rep
=
197 krb5_config_get_bool_default(context
, NULL
,
198 c
->encode_as_rep_as_tgs_rep
,
200 "encode_as_rep_as_tgs_rep", NULL
);
202 c
->kdc_warn_pwexpire
=
203 krb5_config_get_time_default (context
, NULL
,
204 c
->kdc_warn_pwexpire
,
205 "kdc", "kdc_warn_pwexpire", NULL
);
209 krb5_config_get_bool_default(context
,
217 c
->pkinit_kdc_identity
=
218 krb5_config_get_string(context
, NULL
,
219 "kdc", "pkinit_identity", NULL
);
220 c
->pkinit_kdc_anchors
=
221 krb5_config_get_string(context
, NULL
,
222 "kdc", "pkinit_anchors", NULL
);
223 c
->pkinit_kdc_cert_pool
=
224 krb5_config_get_strings(context
, NULL
,
225 "kdc", "pkinit_pool", NULL
);
226 c
->pkinit_kdc_revoke
=
227 krb5_config_get_strings(context
, NULL
,
228 "kdc", "pkinit_revoke", NULL
);
229 c
->pkinit_kdc_ocsp_file
=
230 krb5_config_get_string(context
, NULL
,
231 "kdc", "pkinit_kdc_ocsp", NULL
);
232 c
->pkinit_kdc_friendly_name
=
233 krb5_config_get_string(context
, NULL
,
234 "kdc", "pkinit_kdc_friendly_name", NULL
);
235 c
->pkinit_princ_in_cert
=
236 krb5_config_get_bool_default(context
, NULL
,
237 c
->pkinit_princ_in_cert
,
239 "pkinit_principal_in_certificate",
241 c
->pkinit_require_binding
=
242 krb5_config_get_bool_default(context
, NULL
,
243 c
->pkinit_require_binding
,
245 "pkinit_win2k_require_binding",
247 c
->pkinit_dh_min_bits
=
248 krb5_config_get_int_default(context
, NULL
,
250 "kdc", "pkinit_dh_min_bits", NULL
);
258 krb5_kdc_pkinit_config(krb5_context context
, krb5_kdc_configuration
*config
)
262 config
->enable_pkinit
= 1;
264 if (config
->pkinit_kdc_identity
== NULL
) {
265 if (config
->pkinit_kdc_friendly_name
== NULL
)
266 config
->pkinit_kdc_friendly_name
=
267 strdup("O=System Identity,CN=com.apple.kerberos.kdc");
268 config
->pkinit_kdc_identity
= strdup("KEYCHAIN:");
270 if (config
->pkinit_kdc_anchors
== NULL
)
271 config
->pkinit_kdc_anchors
= strdup("KEYCHAIN:");
273 #endif /* __APPLE__ */
275 if (config
->enable_pkinit
) {
276 if (config
->pkinit_kdc_identity
== NULL
)
277 krb5_errx(context
, 1, "pkinit enabled but no identity");
279 if (config
->pkinit_kdc_anchors
== NULL
)
280 krb5_errx(context
, 1, "pkinit enabled but no X509 anchors");
282 krb5_kdc_pk_initialize(context
, config
,
283 config
->pkinit_kdc_identity
,
284 config
->pkinit_kdc_anchors
,
285 config
->pkinit_kdc_cert_pool
,
286 config
->pkinit_kdc_revoke
);