2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 #include <parse_bytes.h>
41 krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
43 krb5_kdc_configuration *c;
45 c = calloc(1, sizeof(*c));
47 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
51 c->require_preauth = TRUE;
52 c->kdc_warn_pwexpire = 0;
53 c->encode_as_rep_as_tgs_rep = FALSE;
54 c->tgt_use_strongest_session_key = FALSE;
55 c->preauth_use_strongest_session_key = FALSE;
56 c->svc_use_strongest_session_key = FALSE;
57 c->use_strongest_server_key = TRUE;
58 c->check_ticket_addresses = TRUE;
59 c->allow_null_ticket_addresses = TRUE;
60 c->allow_anonymous = FALSE;
61 c->trpolicy = TRPOLICY_ALWAYS_CHECK;
62 c->enable_pkinit = FALSE;
63 c->pkinit_princ_in_cert = TRUE;
64 c->pkinit_require_binding = TRUE;
70 krb5_config_get_bool_default(context, NULL,
72 "kdc", "require-preauth", NULL);
75 krb5_config_get_bool_default(context, NULL,
77 "kdc", "enable-digest", NULL);
82 digests = krb5_config_get_string(context, NULL,
84 "digests_allowed", NULL);
87 c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
88 if (c->digests_allowed == -1) {
89 kdc_log(context, c, 0,
90 "unparsable digest units (%s), turning off digest",
93 } else if (c->digests_allowed == 0) {
94 kdc_log(context, c, 0,
95 "no digest enable, turning digest off",
104 krb5_config_get_bool_default(context, NULL,
106 "kdc", "enable-kx509", NULL);
108 if (c->enable_kx509) {
110 krb5_config_get_string(context, NULL,
111 "kdc", "kx509_template", NULL);
113 krb5_config_get_string(context, NULL,
114 "kdc", "kx509_ca", NULL);
115 if (c->kx509_ca == NULL || c->kx509_template == NULL) {
116 kdc_log(context, c, 0,
117 "missing kx509 configuration, turning off");
118 c->enable_kx509 = FALSE;
123 c->tgt_use_strongest_session_key =
124 krb5_config_get_bool_default(context, NULL,
125 c->tgt_use_strongest_session_key,
127 "tgt-use-strongest-session-key", NULL);
128 c->preauth_use_strongest_session_key =
129 krb5_config_get_bool_default(context, NULL,
130 c->preauth_use_strongest_session_key,
132 "preauth-use-strongest-session-key", NULL);
133 c->svc_use_strongest_session_key =
134 krb5_config_get_bool_default(context, NULL,
135 c->svc_use_strongest_session_key,
137 "svc-use-strongest-session-key", NULL);
138 c->use_strongest_server_key =
139 krb5_config_get_bool_default(context, NULL,
140 c->use_strongest_server_key,
142 "use-strongest-server-key", NULL);
144 c->check_ticket_addresses =
145 krb5_config_get_bool_default(context, NULL,
146 c->check_ticket_addresses,
148 "check-ticket-addresses", NULL);
149 c->allow_null_ticket_addresses =
150 krb5_config_get_bool_default(context, NULL,
151 c->allow_null_ticket_addresses,
153 "allow-null-ticket-addresses", NULL);
156 krb5_config_get_bool_default(context, NULL,
159 "allow-anonymous", NULL);
161 c->max_datagram_reply_length =
162 krb5_config_get_int_default(context,
166 "max-kdc-datagram-reply-length",
170 const char *trpolicy_str;
173 krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
174 "transited-policy", NULL);
175 if(strcasecmp(trpolicy_str, "always-check") == 0) {
176 c->trpolicy = TRPOLICY_ALWAYS_CHECK;
177 } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
178 c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
179 } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
180 c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
181 } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
184 kdc_log(context, c, 0,
185 "unknown transited-policy: %s, "
186 "reverting to default (always-check)",
191 c->encode_as_rep_as_tgs_rep =
192 krb5_config_get_bool_default(context, NULL,
193 c->encode_as_rep_as_tgs_rep,
195 "encode_as_rep_as_tgs_rep", NULL);
197 c->kdc_warn_pwexpire =
198 krb5_config_get_time_default (context, NULL,
199 c->kdc_warn_pwexpire,
200 "kdc", "kdc_warn_pwexpire", NULL);
204 krb5_config_get_bool_default(context,
212 c->pkinit_kdc_identity =
213 krb5_config_get_string(context, NULL,
214 "kdc", "pkinit_identity", NULL);
215 c->pkinit_kdc_anchors =
216 krb5_config_get_string(context, NULL,
217 "kdc", "pkinit_anchors", NULL);
218 c->pkinit_kdc_cert_pool =
219 krb5_config_get_strings(context, NULL,
220 "kdc", "pkinit_pool", NULL);
221 c->pkinit_kdc_revoke =
222 krb5_config_get_strings(context, NULL,
223 "kdc", "pkinit_revoke", NULL);
224 c->pkinit_kdc_ocsp_file =
225 krb5_config_get_string(context, NULL,
226 "kdc", "pkinit_kdc_ocsp", NULL);
227 c->pkinit_kdc_friendly_name =
228 krb5_config_get_string(context, NULL,
229 "kdc", "pkinit_kdc_friendly_name", NULL);
230 c->pkinit_princ_in_cert =
231 krb5_config_get_bool_default(context, NULL,
232 c->pkinit_princ_in_cert,
234 "pkinit_principal_in_certificate",
236 c->pkinit_require_binding =
237 krb5_config_get_bool_default(context, NULL,
238 c->pkinit_require_binding,
240 "pkinit_win2k_require_binding",
242 c->pkinit_dh_min_bits =
243 krb5_config_get_int_default(context, NULL,
245 "kdc", "pkinit_dh_min_bits", NULL);
253 krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
257 config->enable_pkinit = 1;
259 if (config->pkinit_kdc_identity == NULL) {
260 if (config->pkinit_kdc_friendly_name == NULL)
261 config->pkinit_kdc_friendly_name =
262 strdup("O=System Identity,CN=com.apple.kerberos.kdc");
263 config->pkinit_kdc_identity = strdup("KEYCHAIN:");
265 if (config->pkinit_kdc_anchors == NULL)
266 config->pkinit_kdc_anchors = strdup("KEYCHAIN:");
268 #endif /* __APPLE__ */
270 if (config->enable_pkinit) {
271 if (config->pkinit_kdc_identity == NULL)
272 krb5_errx(context, 1, "pkinit enabled but no identity");
274 if (config->pkinit_kdc_anchors == NULL)
275 krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
277 krb5_kdc_pk_initialize(context, config,
278 config->pkinit_kdc_identity,
279 config->pkinit_kdc_anchors,
280 config->pkinit_kdc_cert_pool,
281 config->pkinit_kdc_revoke);