x
[heimdal.git] / kdc / default_config.c
blob6a651886d6c9ea7c08744a5e8e20da9e08d2bc6e
1 /*
2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
5 * All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the Institute nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
35 #include "kdc_locl.h"
36 #include <getarg.h>
37 #include <parse_bytes.h>
39 RCSID("$Id$");
41 krb5_error_code
42 krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
44 krb5_kdc_configuration *c;
46 c = calloc(1, sizeof(*c));
47 if (c == NULL) {
48 krb5_set_error_string(context, "malloc: out of memory");
49 return ENOMEM;
52 c->require_preauth = TRUE;
53 c->kdc_warn_pwexpire = 0;
54 c->encode_as_rep_as_tgs_rep = FALSE;
55 c->check_ticket_addresses = TRUE;
56 c->allow_null_ticket_addresses = TRUE;
57 c->allow_anonymous = FALSE;
58 c->trpolicy = TRPOLICY_ALWAYS_CHECK;
59 c->enable_v4 = FALSE;
60 c->enable_kaserver = FALSE;
61 c->enable_524 = FALSE;
62 c->enable_v4_cross_realm = FALSE;
63 c->enable_pkinit = FALSE;
64 c->pkinit_princ_in_cert = TRUE;
65 c->pkinit_require_binding = TRUE;
66 c->db = NULL;
67 c->num_db = 0;
68 c->logf = NULL;
70 c->require_preauth =
71 krb5_config_get_bool_default(context, NULL,
72 c->require_preauth,
73 "kdc", "require-preauth", NULL);
74 c->enable_v4 =
75 krb5_config_get_bool_default(context, NULL,
76 c->enable_v4,
77 "kdc", "enable-kerberos4", NULL);
78 c->enable_v4_cross_realm =
79 krb5_config_get_bool_default(context, NULL,
80 c->enable_v4_cross_realm,
81 "kdc",
82 "enable-kerberos4-cross-realm", NULL);
83 c->enable_524 =
84 krb5_config_get_bool_default(context, NULL,
85 c->enable_v4,
86 "kdc", "enable-524", NULL);
87 c->enable_digest =
88 krb5_config_get_bool_default(context, NULL,
89 FALSE,
90 "kdc", "enable-digest", NULL);
93 const char *digests;
95 digests = krb5_config_get_string(context, NULL,
96 "kdc",
97 "digests_allowed", NULL);
98 if (digests == NULL)
99 digests = "ntlm-v2";
100 c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
101 if (c->digests_allowed == -1) {
102 kdc_log(context, c, 0,
103 "unparsable digest units (%s), turning off digest",
104 digests);
105 c->enable_digest = 0;
106 } else if (c->digests_allowed == 0) {
107 kdc_log(context, c, 0,
108 "no digest enable, turning digest off",
109 digests);
110 c->enable_digest = 0;
114 c->enable_kx509 =
115 krb5_config_get_bool_default(context, NULL,
116 FALSE,
117 "kdc", "enable-kx509", NULL);
119 if (c->enable_kx509) {
120 c->kx509_template =
121 krb5_config_get_string(context, NULL,
122 "kdc", "kx509_template", NULL);
123 c->kx509_ca =
124 krb5_config_get_string(context, NULL,
125 "kdc", "kx509_ca", NULL);
126 if (c->kx509_ca == NULL || c->kx509_template == NULL) {
127 kdc_log(context, c, 0,
128 "missing kx509 configuration, turning off");
129 c->enable_kx509 = FALSE;
133 c->check_ticket_addresses =
134 krb5_config_get_bool_default(context, NULL,
135 c->check_ticket_addresses,
136 "kdc",
137 "check-ticket-addresses", NULL);
138 c->allow_null_ticket_addresses =
139 krb5_config_get_bool_default(context, NULL,
140 c->allow_null_ticket_addresses,
141 "kdc",
142 "allow-null-ticket-addresses", NULL);
144 c->allow_anonymous =
145 krb5_config_get_bool_default(context, NULL,
146 c->allow_anonymous,
147 "kdc",
148 "allow-anonymous", NULL);
150 c->max_datagram_reply_length =
151 krb5_config_get_int_default(context,
152 NULL,
153 1400,
154 "kdc",
155 "max-kdc-datagram-reply-length",
156 NULL);
159 const char *trpolicy_str;
161 trpolicy_str =
162 krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
163 "transited-policy", NULL);
164 if(strcasecmp(trpolicy_str, "always-check") == 0) {
165 c->trpolicy = TRPOLICY_ALWAYS_CHECK;
166 } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
167 c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
168 } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
169 c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
170 } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
171 /* default */
172 } else {
173 kdc_log(context, c, 0,
174 "unknown transited-policy: %s, "
175 "reverting to default (always-check)",
176 trpolicy_str);
181 const char *p;
182 p = krb5_config_get_string (context, NULL,
183 "kdc",
184 "v4-realm",
185 NULL);
186 if(p != NULL) {
187 c->v4_realm = strdup(p);
188 if (c->v4_realm == NULL)
189 krb5_errx(context, 1, "out of memory");
190 } else {
191 c->v4_realm = NULL;
195 c->enable_kaserver =
196 krb5_config_get_bool_default(context,
197 NULL,
198 c->enable_kaserver,
199 "kdc", "enable-kaserver", NULL);
202 c->encode_as_rep_as_tgs_rep =
203 krb5_config_get_bool_default(context, NULL,
204 c->encode_as_rep_as_tgs_rep,
205 "kdc",
206 "encode_as_rep_as_tgs_rep", NULL);
208 c->kdc_warn_pwexpire =
209 krb5_config_get_time_default (context, NULL,
210 c->kdc_warn_pwexpire,
211 "kdc", "kdc_warn_pwexpire", NULL);
214 #ifdef PKINIT
215 c->enable_pkinit =
216 krb5_config_get_bool_default(context,
217 NULL,
218 c->enable_pkinit,
219 "kdc",
220 "enable-pkinit",
221 NULL);
222 if (c->enable_pkinit) {
223 const char *user_id, *anchors, *ocsp_file;
224 char **pool_list, **revoke_list;
226 user_id =
227 krb5_config_get_string(context, NULL,
228 "kdc", "pkinit_identity", NULL);
229 if (user_id == NULL)
230 krb5_errx(context, 1, "pkinit enabled but no identity");
232 anchors = krb5_config_get_string(context, NULL,
233 "kdc", "pkinit_anchors", NULL);
234 if (anchors == NULL)
235 krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
237 pool_list =
238 krb5_config_get_strings(context, NULL,
239 "kdc", "pkinit_pool", NULL);
241 revoke_list =
242 krb5_config_get_strings(context, NULL,
243 "kdc", "pkinit_revoke", NULL);
245 ocsp_file =
246 krb5_config_get_string(context, NULL,
247 "kdc", "pkinit_kdc_ocsp", NULL);
248 if (ocsp_file) {
249 c->pkinit_kdc_ocsp_file = strdup(ocsp_file);
250 if (c->pkinit_kdc_ocsp_file == NULL)
251 krb5_errx(context, 1, "out of memory");
254 _kdc_pk_initialize(context, c, user_id, anchors,
255 pool_list, revoke_list);
257 krb5_config_free_strings(pool_list);
258 krb5_config_free_strings(revoke_list);
260 c->pkinit_princ_in_cert =
261 krb5_config_get_bool_default(context, NULL,
262 c->pkinit_princ_in_cert,
263 "kdc",
264 "pkinit_principal_in_certificate",
265 NULL);
267 c->pkinit_require_binding =
268 krb5_config_get_bool_default(context, NULL,
269 c->pkinit_require_binding,
270 "kdc",
271 "pkinit_win2k_require_binding",
272 NULL);
275 c->pkinit_dh_min_bits =
276 krb5_config_get_int_default(context, NULL,
278 "kdc", "pkinit_dh_min_bits", NULL);
280 #endif
282 *config = c;
284 return 0;