summaryrefslogtreecommitdiffstats
path: root/third_party/heimdal/kdc/default_config.c
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/kdc/default_config.c')
-rw-r--r--third_party/heimdal/kdc/default_config.c464
1 files changed, 464 insertions, 0 deletions
diff --git a/third_party/heimdal/kdc/default_config.c b/third_party/heimdal/kdc/default_config.c
new file mode 100644
index 0000000..8301b90
--- /dev/null
+++ b/third_party/heimdal/kdc/default_config.c
@@ -0,0 +1,464 @@
+/*
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kdc_locl.h"
+#include <getarg.h>
+#include <parse_bytes.h>
+
+static const char *sysplugin_dirs[] = {
+#ifdef _WIN32
+ "$ORIGIN",
+#else
+ "$ORIGIN/../lib/plugin/kdc",
+#endif
+#ifdef __APPLE__
+ LIBDIR "/plugin/kdc",
+#endif
+ NULL
+};
+
+static void
+load_kdc_plugins_once(void *ctx)
+{
+ krb5_context context = ctx;
+ const char * const *dirs = sysplugin_dirs;
+#ifndef _WIN32
+ char **cfdirs;
+
+ cfdirs = krb5_config_get_strings(context, NULL, "kdc", "plugin_dir", NULL);
+ if (cfdirs)
+ dirs = (const char * const *)cfdirs;
+#endif
+
+ _krb5_load_plugins(context, "kdc", (const char **)dirs);
+
+#ifndef _WIN32
+ krb5_config_free_strings(cfdirs);
+#endif
+}
+
+KDC_LIB_FUNCTION krb5_error_code KDC_LIB_CALL
+krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
+{
+ static heim_base_once_t load_kdc_plugins = HEIM_BASE_ONCE_INIT;
+ krb5_kdc_configuration *c;
+ krb5_error_code ret;
+
+ heim_base_once_f(&load_kdc_plugins, context, load_kdc_plugins_once);
+
+ c = calloc(1, sizeof(*c));
+ if (c == NULL) {
+ krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ return ENOMEM;
+ }
+
+ c->app = "kdc";
+ c->num_kdc_processes = -1;
+ c->require_preauth = TRUE;
+ c->kdc_warn_pwexpire = 0;
+ c->encode_as_rep_as_tgs_rep = FALSE;
+ c->tgt_use_strongest_session_key = FALSE;
+ c->preauth_use_strongest_session_key = FALSE;
+ c->svc_use_strongest_session_key = FALSE;
+ c->use_strongest_server_key = TRUE;
+ c->check_ticket_addresses = TRUE;
+ c->warn_ticket_addresses = FALSE;
+ c->allow_null_ticket_addresses = TRUE;
+ c->allow_anonymous = FALSE;
+ c->historical_anon_realm = FALSE;
+ c->strict_nametypes = FALSE;
+ c->trpolicy = TRPOLICY_ALWAYS_CHECK;
+ c->require_pac = FALSE;
+ c->disable_pac = FALSE;
+ c->enable_fast = TRUE;
+ c->enable_fast_cookie = TRUE;
+ c->enable_armored_pa_enc_timestamp = TRUE;
+ c->enable_unarmored_pa_enc_timestamp = TRUE;
+ c->enable_pkinit = FALSE;
+ c->require_pkinit_freshness = FALSE;
+ c->pkinit_princ_in_cert = TRUE;
+ c->pkinit_require_binding = TRUE;
+ c->synthetic_clients = FALSE;
+ c->pkinit_max_life_from_cert_extension = FALSE;
+ c->pkinit_max_life_bound = 0;
+ c->synthetic_clients_max_life = 300;
+ c->synthetic_clients_max_renew = 300;
+ c->pkinit_dh_min_bits = 1024;
+ c->db = NULL;
+ c->num_db = 0;
+ c->logf = NULL;
+
+ c->num_kdc_processes =
+ krb5_config_get_int_default(context, NULL, c->num_kdc_processes,
+ "kdc", "num-kdc-processes", NULL);
+
+ c->require_preauth =
+ krb5_config_get_bool_default(context, NULL,
+ c->require_preauth,
+ "kdc", "require-preauth", NULL);
+#ifdef DIGEST
+ c->enable_digest =
+ krb5_config_get_bool_default(context, NULL,
+ FALSE,
+ "kdc", "enable-digest", NULL);
+
+ {
+ const char *digests;
+
+ digests = krb5_config_get_string(context, NULL,
+ "kdc",
+ "digests_allowed", NULL);
+ if (digests == NULL)
+ digests = "ntlm-v2";
+ c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
+ if (c->digests_allowed == -1) {
+ kdc_log(context, c, 0,
+ "unparsable digest units (%s), turning off digest",
+ digests);
+ c->enable_digest = 0;
+ } else if (c->digests_allowed == 0) {
+ kdc_log(context, c, 0, "no digest enable, turning digest off");
+ c->enable_digest = 0;
+ }
+ }
+#endif
+
+#ifdef KX509
+ c->enable_kx509 =
+ krb5_config_get_bool_default(context, NULL,
+ FALSE,
+ "kdc", "enable_kx509", NULL);
+#endif
+
+ c->tgt_use_strongest_session_key =
+ krb5_config_get_bool_default(context, NULL,
+ c->tgt_use_strongest_session_key,
+ "kdc",
+ "tgt-use-strongest-session-key", NULL);
+ c->preauth_use_strongest_session_key =
+ krb5_config_get_bool_default(context, NULL,
+ c->preauth_use_strongest_session_key,
+ "kdc",
+ "preauth-use-strongest-session-key", NULL);
+ c->svc_use_strongest_session_key =
+ krb5_config_get_bool_default(context, NULL,
+ c->svc_use_strongest_session_key,
+ "kdc",
+ "svc-use-strongest-session-key", NULL);
+ c->use_strongest_server_key =
+ krb5_config_get_bool_default(context, NULL,
+ c->use_strongest_server_key,
+ "kdc",
+ "use-strongest-server-key", NULL);
+
+ c->check_ticket_addresses =
+ krb5_config_get_bool_default(context, NULL,
+ c->check_ticket_addresses,
+ "kdc",
+ "check-ticket-addresses", NULL);
+ c->warn_ticket_addresses =
+ krb5_config_get_bool_default(context, NULL,
+ c->warn_ticket_addresses,
+ "kdc",
+ "warn_ticket_addresses", NULL);
+ c->allow_null_ticket_addresses =
+ krb5_config_get_bool_default(context, NULL,
+ c->allow_null_ticket_addresses,
+ "kdc",
+ "allow-null-ticket-addresses", NULL);
+
+ c->allow_anonymous =
+ krb5_config_get_bool_default(context, NULL,
+ c->allow_anonymous,
+ "kdc",
+ "allow-anonymous", NULL);
+
+ c->historical_anon_realm =
+ krb5_config_get_bool_default(context, NULL,
+ c->historical_anon_realm,
+ "kdc",
+ "historical_anon_realm", NULL);
+
+ c->strict_nametypes =
+ krb5_config_get_bool_default(context, NULL,
+ c->strict_nametypes,
+ "kdc",
+ "strict-nametypes", NULL);
+
+ c->max_datagram_reply_length =
+ krb5_config_get_int_default(context,
+ NULL,
+ 1400,
+ "kdc",
+ "max-kdc-datagram-reply-length",
+ NULL);
+
+ {
+ const char *trpolicy_str;
+
+ trpolicy_str =
+ krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
+ "transited-policy", NULL);
+ if(strcasecmp(trpolicy_str, "always-check") == 0) {
+ c->trpolicy = TRPOLICY_ALWAYS_CHECK;
+ } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
+ c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
+ } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
+ c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
+ } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
+ /* default */
+ } else {
+ kdc_log(context, c, 0,
+ "unknown transited-policy: %s, "
+ "reverting to default (always-check)",
+ trpolicy_str);
+ }
+ }
+
+ c->encode_as_rep_as_tgs_rep =
+ krb5_config_get_bool_default(context, NULL,
+ c->encode_as_rep_as_tgs_rep,
+ "kdc",
+ "encode_as_rep_as_tgs_rep", NULL);
+
+ c->kdc_warn_pwexpire =
+ krb5_config_get_time_default (context, NULL,
+ c->kdc_warn_pwexpire,
+ "kdc", "kdc_warn_pwexpire", NULL);
+
+ c->require_pac =
+ krb5_config_get_bool_default(context,
+ NULL,
+ c->require_pac,
+ "kdc",
+ "require_pac",
+ NULL);
+
+ c->disable_pac =
+ krb5_config_get_bool_default(context,
+ NULL,
+ c->disable_pac,
+ "kdc",
+ "disable_pac",
+ NULL);
+
+ c->enable_fast =
+ krb5_config_get_bool_default(context,
+ NULL,
+ c->enable_fast,
+ "kdc",
+ "enable_fast",
+ NULL);
+
+ c->enable_fast_cookie =
+ krb5_config_get_bool_default(context,
+ NULL,
+ c->enable_fast_cookie,
+ "kdc",
+ "enable_fast_cookie",
+ NULL);
+
+ c->enable_armored_pa_enc_timestamp =
+ krb5_config_get_bool_default(context,
+ NULL,
+ c->enable_armored_pa_enc_timestamp,
+ "kdc",
+ "enable_armored_pa_enc_timestamp",
+ NULL);
+
+ c->enable_unarmored_pa_enc_timestamp =
+ krb5_config_get_bool_default(context,
+ NULL,
+ c->enable_unarmored_pa_enc_timestamp,
+ "kdc",
+ "enable_unarmored_pa_enc_timestamp",
+ NULL);
+
+ c->enable_pkinit =
+ krb5_config_get_bool_default(context,
+ NULL,
+ c->enable_pkinit,
+ "kdc",
+ "enable-pkinit",
+ NULL);
+
+ c->require_pkinit_freshness =
+ krb5_config_get_bool_default(context,
+ NULL,
+ c->require_pkinit_freshness,
+ "kdc",
+ "require-pkinit-freshness",
+ NULL);
+
+ c->pkinit_kdc_identity =
+ krb5_config_get_string(context, NULL,
+ "kdc", "pkinit_identity", NULL);
+ c->pkinit_kdc_anchors =
+ krb5_config_get_string(context, NULL,
+ "kdc", "pkinit_anchors", NULL);
+ c->pkinit_kdc_cert_pool =
+ krb5_config_get_strings(context, NULL,
+ "kdc", "pkinit_pool", NULL);
+ c->pkinit_kdc_revoke =
+ krb5_config_get_strings(context, NULL,
+ "kdc", "pkinit_revoke", NULL);
+ c->pkinit_kdc_ocsp_file =
+ krb5_config_get_string(context, NULL,
+ "kdc", "pkinit_kdc_ocsp", NULL);
+ c->pkinit_kdc_friendly_name =
+ krb5_config_get_string(context, NULL,
+ "kdc", "pkinit_kdc_friendly_name", NULL);
+ c->pkinit_princ_in_cert =
+ krb5_config_get_bool_default(context, NULL,
+ c->pkinit_princ_in_cert,
+ "kdc",
+ "pkinit_principal_in_certificate",
+ NULL);
+ c->pkinit_require_binding =
+ krb5_config_get_bool_default(context, NULL,
+ c->pkinit_require_binding,
+ "kdc",
+ "pkinit_win2k_require_binding",
+ NULL);
+ c->pkinit_dh_min_bits =
+ krb5_config_get_int_default(context, NULL,
+ 0,
+ "kdc", "pkinit_dh_min_bits", NULL);
+
+ c->pkinit_max_life_from_cert_extension =
+ krb5_config_get_bool_default(context, NULL,
+ c->pkinit_max_life_from_cert_extension,
+ "kdc",
+ "pkinit_max_life_from_cert_extension",
+ NULL);
+
+ c->synthetic_clients =
+ krb5_config_get_bool_default(context, NULL,
+ c->synthetic_clients,
+ "kdc",
+ "synthetic_clients",
+ NULL);
+
+ c->pkinit_max_life_bound =
+ krb5_config_get_time_default(context, NULL, 0, "kdc",
+ "pkinit_max_life_bound",
+ NULL);
+
+ c->pkinit_max_life_from_cert =
+ krb5_config_get_time_default(context, NULL, 0, "kdc",
+ "pkinit_max_life_from_cert",
+ NULL);
+
+ c->synthetic_clients_max_life =
+ krb5_config_get_time_default(context, NULL, 300, "kdc",
+ "synthetic_clients_max_life",
+ NULL);
+
+ c->synthetic_clients_max_renew =
+ krb5_config_get_time_default(context, NULL, 300, "kdc",
+ "synthetic_clients_max_renew",
+ NULL);
+
+ c->enable_gss_preauth =
+ krb5_config_get_bool_default(context, NULL,
+ c->enable_gss_preauth,
+ "kdc",
+ "enable_gss_preauth", NULL);
+
+ c->enable_gss_auth_data =
+ krb5_config_get_bool_default(context, NULL,
+ c->enable_gss_auth_data,
+ "kdc",
+ "enable_gss_auth_data", NULL);
+
+ ret = _kdc_gss_get_mechanism_config(context, "kdc",
+ "gss_mechanisms_allowed",
+ &c->gss_mechanisms_allowed);
+ if (ret) {
+ free(c);
+ return ret;
+ }
+
+ ret = _kdc_gss_get_mechanism_config(context, "kdc",
+ "gss_cross_realm_mechanisms_allowed",
+ &c->gss_cross_realm_mechanisms_allowed);
+ if (ret) {
+ OM_uint32 minor;
+ gss_release_oid_set(&minor, &c->gss_mechanisms_allowed);
+ free(c);
+ return ret;
+ }
+
+ *config = c;
+
+ return 0;
+}
+
+KDC_LIB_FUNCTION krb5_error_code KDC_LIB_CALL
+krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
+{
+#ifdef PKINIT
+#ifdef __APPLE__
+ config->enable_pkinit = 1;
+
+ if (config->pkinit_kdc_identity == NULL) {
+ if (config->pkinit_kdc_friendly_name == NULL)
+ config->pkinit_kdc_friendly_name =
+ strdup("O=System Identity,CN=com.apple.kerberos.kdc");
+ config->pkinit_kdc_identity = strdup("KEYCHAIN:");
+ }
+ if (config->pkinit_kdc_anchors == NULL)
+ config->pkinit_kdc_anchors = strdup("KEYCHAIN:");
+
+#endif /* __APPLE__ */
+
+ if (config->enable_pkinit) {
+ if (config->pkinit_kdc_identity == NULL)
+ krb5_errx(context, 1, "pkinit enabled but no identity");
+
+ if (config->pkinit_kdc_anchors == NULL)
+ krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
+
+ krb5_kdc_pk_initialize(context, config,
+ config->pkinit_kdc_identity,
+ config->pkinit_kdc_anchors,
+ config->pkinit_kdc_cert_pool,
+ config->pkinit_kdc_revoke);
+
+ }
+
+ return 0;
+#endif /* PKINIT */
+}
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-23 22:57:44 +0000