search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
lib/roken: is_special_auxv_p test for AT_HWCAP2
[heimdal.git] / kdc / default_config.c
blob63b4681f0ea2ead9219e23f58f1b148d5487a7bf
1 /*
2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "kdc_locl.h"
37 #include <getarg.h>
38 #include <parse_bytes.h>
39
40 krb5_error_code
41 krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
42 {
43 krb5_kdc_configuration *c;
44
45 c = calloc(1, sizeof(*c));
46 if (c == NULL) {
47 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
48 return ENOMEM;
49 }
50
51 c->num_kdc_processes = -1;
52 c->require_preauth = TRUE;
53 c->kdc_warn_pwexpire = 0;
54 c->encode_as_rep_as_tgs_rep = FALSE;
55 c->tgt_use_strongest_session_key = FALSE;
56 c->preauth_use_strongest_session_key = FALSE;
57 c->svc_use_strongest_session_key = FALSE;
58 c->use_strongest_server_key = TRUE;
59 c->check_ticket_addresses = TRUE;
60 c->allow_null_ticket_addresses = TRUE;
61 c->allow_anonymous = FALSE;
62 c->strict_nametypes = FALSE;
63 c->trpolicy = TRPOLICY_ALWAYS_CHECK;
64 c->enable_pkinit = FALSE;
65 c->pkinit_princ_in_cert = TRUE;
66 c->pkinit_require_binding = TRUE;
67 c->db = NULL;
68 c->num_db = 0;
69 c->logf = NULL;
70
71 c->num_kdc_processes =
72 krb5_config_get_int_default(context, NULL, c->num_kdc_processes,
73 "kdc", "num-kdc-processes", NULL);
74
75 c->require_preauth =
76 krb5_config_get_bool_default(context, NULL,
77 c->require_preauth,
78 "kdc", "require-preauth", NULL);
79 #ifdef DIGEST
80 c->enable_digest =
81 krb5_config_get_bool_default(context, NULL,
82 FALSE,
83 "kdc", "enable-digest", NULL);
84
85 {
86 const char *digests;
87
88 digests = krb5_config_get_string(context, NULL,
89 "kdc",
90 "digests_allowed", NULL);
91 if (digests == NULL)
92 digests = "ntlm-v2";
93 c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
94 if (c->digests_allowed == -1) {
95 kdc_log(context, c, 0,
96 "unparsable digest units (%s), turning off digest",
97 digests);
98 c->enable_digest = 0;
99 } else if (c->digests_allowed == 0) {
100 kdc_log(context, c, 0,
101 "no digest enable, turning digest off",
102 digests);
103 c->enable_digest = 0;
104 }
105 }
106 #endif
107
108 #ifdef KX509
109 c->enable_kx509 =
110 krb5_config_get_bool_default(context, NULL,
111 FALSE,
112 "kdc", "enable-kx509", NULL);
113
114 if (c->enable_kx509) {
115 c->kx509_template =
116 krb5_config_get_string(context, NULL,
117 "kdc", "kx509_template", NULL);
118 c->kx509_ca =
119 krb5_config_get_string(context, NULL,
120 "kdc", "kx509_ca", NULL);
121 if (c->kx509_ca == NULL || c->kx509_template == NULL) {
122 kdc_log(context, c, 0,
123 "missing kx509 configuration, turning off");
124 c->enable_kx509 = FALSE;
125 }
126 }
127 #endif
128
129 c->tgt_use_strongest_session_key =
130 krb5_config_get_bool_default(context, NULL,
131 c->tgt_use_strongest_session_key,
132 "kdc",
133 "tgt-use-strongest-session-key", NULL);
134 c->preauth_use_strongest_session_key =
135 krb5_config_get_bool_default(context, NULL,
136 c->preauth_use_strongest_session_key,
137 "kdc",
138 "preauth-use-strongest-session-key", NULL);
139 c->svc_use_strongest_session_key =
140 krb5_config_get_bool_default(context, NULL,
141 c->svc_use_strongest_session_key,
142 "kdc",
143 "svc-use-strongest-session-key", NULL);
144 c->use_strongest_server_key =
145 krb5_config_get_bool_default(context, NULL,
146 c->use_strongest_server_key,
147 "kdc",
148 "use-strongest-server-key", NULL);
149
150 c->check_ticket_addresses =
151 krb5_config_get_bool_default(context, NULL,
152 c->check_ticket_addresses,
153 "kdc",
154 "check-ticket-addresses", NULL);
155 c->allow_null_ticket_addresses =
156 krb5_config_get_bool_default(context, NULL,
157 c->allow_null_ticket_addresses,
158 "kdc",
159 "allow-null-ticket-addresses", NULL);
160
161 c->allow_anonymous =
162 krb5_config_get_bool_default(context, NULL,
163 c->allow_anonymous,
164 "kdc",
165 "allow-anonymous", NULL);
166
167 c->strict_nametypes =
168 krb5_config_get_bool_default(context, NULL,
169 c->strict_nametypes,
170 "kdc",
171 "strict-nametypes", NULL);
172
173 c->max_datagram_reply_length =
174 krb5_config_get_int_default(context,
175 NULL,
176 1400,
177 "kdc",
178 "max-kdc-datagram-reply-length",
179 NULL);
180
181 {
182 const char *trpolicy_str;
183
184 trpolicy_str =
185 krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
186 "transited-policy", NULL);
187 if(strcasecmp(trpolicy_str, "always-check") == 0) {
188 c->trpolicy = TRPOLICY_ALWAYS_CHECK;
189 } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
190 c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
191 } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
192 c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
193 } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
194 /* default */
195 } else {
196 kdc_log(context, c, 0,
197 "unknown transited-policy: %s, "
198 "reverting to default (always-check)",
199 trpolicy_str);
200 }
201 }
202
203 c->encode_as_rep_as_tgs_rep =
204 krb5_config_get_bool_default(context, NULL,
205 c->encode_as_rep_as_tgs_rep,
206 "kdc",
207 "encode_as_rep_as_tgs_rep", NULL);
208
209 c->kdc_warn_pwexpire =
210 krb5_config_get_time_default (context, NULL,
211 c->kdc_warn_pwexpire,
212 "kdc", "kdc_warn_pwexpire", NULL);
213
214
215 c->enable_pkinit =
216 krb5_config_get_bool_default(context,
217 NULL,
218 c->enable_pkinit,
219 "kdc",
220 "enable-pkinit",
221 NULL);
222
223
224 c->pkinit_kdc_identity =
225 krb5_config_get_string(context, NULL,
226 "kdc", "pkinit_identity", NULL);
227 c->pkinit_kdc_anchors =
228 krb5_config_get_string(context, NULL,
229 "kdc", "pkinit_anchors", NULL);
230 c->pkinit_kdc_cert_pool =
231 krb5_config_get_strings(context, NULL,
232 "kdc", "pkinit_pool", NULL);
233 c->pkinit_kdc_revoke =
234 krb5_config_get_strings(context, NULL,
235 "kdc", "pkinit_revoke", NULL);
236 c->pkinit_kdc_ocsp_file =
237 krb5_config_get_string(context, NULL,
238 "kdc", "pkinit_kdc_ocsp", NULL);
239 c->pkinit_kdc_friendly_name =
240 krb5_config_get_string(context, NULL,
241 "kdc", "pkinit_kdc_friendly_name", NULL);
242 c->pkinit_princ_in_cert =
243 krb5_config_get_bool_default(context, NULL,
244 c->pkinit_princ_in_cert,
245 "kdc",
246 "pkinit_principal_in_certificate",
247 NULL);
248 c->pkinit_require_binding =
249 krb5_config_get_bool_default(context, NULL,
250 c->pkinit_require_binding,
251 "kdc",
252 "pkinit_win2k_require_binding",
253 NULL);
254 c->pkinit_dh_min_bits =
255 krb5_config_get_int_default(context, NULL,
256 0,
257 "kdc", "pkinit_dh_min_bits", NULL);
258
259 *config = c;
260
261 return 0;
262 }
263
264 krb5_error_code
265 krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
266 {
267 #ifdef PKINIT
268 #ifdef __APPLE__
269 config->enable_pkinit = 1;
270
271 if (config->pkinit_kdc_identity == NULL) {
272 if (config->pkinit_kdc_friendly_name == NULL)
273 config->pkinit_kdc_friendly_name =
274 strdup("O=System Identity,CN=com.apple.kerberos.kdc");
275 config->pkinit_kdc_identity = strdup("KEYCHAIN:");
276 }
277 if (config->pkinit_kdc_anchors == NULL)
278 config->pkinit_kdc_anchors = strdup("KEYCHAIN:");
279
280 #endif /* __APPLE__ */
281
282 if (config->enable_pkinit) {
283 if (config->pkinit_kdc_identity == NULL)
284 krb5_errx(context, 1, "pkinit enabled but no identity");
285
286 if (config->pkinit_kdc_anchors == NULL)
287 krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
288
289 krb5_kdc_pk_initialize(context, config,
290 config->pkinit_kdc_identity,
291 config->pkinit_kdc_anchors,
292 config->pkinit_kdc_cert_pool,
293 config->pkinit_kdc_revoke);
294
295 }
296
297 return 0;
298 #endif /* PKINIT */
299 }
Heimdal