krb5_error_code pkinit_kdcdefault_boolean(krb5_context context, const char *realmname, const char *option, int default_value, int *ret_value) { char *string = NULL; krb5_error_code retval; retval = pkinit_kdcdefault_string(context, realmname, option, &string); if (retval == 0) { *ret_value = _krb5_conf_boolean(string); free(string); } else *ret_value = default_value; return 0; }
krb5_error_code pkinit_kdcdefault_integer(krb5_context context, const char *realmname, const char *option, int default_value, int *ret_value) { char *string = NULL; krb5_error_code retval; retval = pkinit_kdcdefault_string(context, realmname, option, &string); if (retval == 0) { char *endptr; long l; l = strtol(string, &endptr, 0); if (endptr == string) *ret_value = default_value; else *ret_value = l; free(string); } else *ret_value = default_value; return 0; }
static krb5_error_code pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx) { krb5_error_code retval; char *eku_string = NULL; pkiDebug("%s: entered for realm %s\n", __FUNCTION__, plgctx->realmname); retval = pkinit_kdcdefault_string(context, plgctx->realmname, "pkinit_identity", &plgctx->idopts->identity); if (retval != 0 || NULL == plgctx->idopts->identity) { retval = EINVAL; krb5_set_error_message(context, retval, "No pkinit_identity supplied for realm %s", plgctx->realmname); goto errout; } retval = pkinit_kdcdefault_strings(context, plgctx->realmname, "pkinit_anchors", &plgctx->idopts->anchors); if (retval != 0 || NULL == plgctx->idopts->anchors) { retval = EINVAL; krb5_set_error_message(context, retval, "No pkinit_anchors supplied for realm %s", plgctx->realmname); goto errout; } pkinit_kdcdefault_strings(context, plgctx->realmname, "pkinit_pool", &plgctx->idopts->intermediates); pkinit_kdcdefault_strings(context, plgctx->realmname, "pkinit_revoke", &plgctx->idopts->crls); pkinit_kdcdefault_string(context, plgctx->realmname, "pkinit_kdc_ocsp", &plgctx->idopts->ocsp); pkinit_kdcdefault_string(context, plgctx->realmname, "pkinit_mappings_file", &plgctx->idopts->dn_mapping_file); pkinit_kdcdefault_integer(context, plgctx->realmname, "pkinit_dh_min_bits", PKINIT_DEFAULT_DH_MIN_BITS, &plgctx->opts->dh_min_bits); if (plgctx->opts->dh_min_bits < 1024) { pkiDebug("%s: invalid value (%d) for pkinit_dh_min_bits, " "using default value (%d) instead\n", __FUNCTION__, plgctx->opts->dh_min_bits, PKINIT_DEFAULT_DH_MIN_BITS); plgctx->opts->dh_min_bits = PKINIT_DEFAULT_DH_MIN_BITS; } pkinit_kdcdefault_boolean(context, plgctx->realmname, "pkinit_allow_upn", 0, &plgctx->opts->allow_upn); pkinit_kdcdefault_boolean(context, plgctx->realmname, "pkinit_require_crl_checking", 0, &plgctx->opts->require_crl_checking); pkinit_kdcdefault_string(context, plgctx->realmname, "pkinit_eku_checking", &eku_string); if (eku_string != NULL) { if (strcasecmp(eku_string, "kpClientAuth") == 0) { plgctx->opts->require_eku = 1; plgctx->opts->accept_secondary_eku = 0; } else if (strcasecmp(eku_string, "scLogin") == 0) { plgctx->opts->require_eku = 1; plgctx->opts->accept_secondary_eku = 1; } else if (strcasecmp(eku_string, "none") == 0) { plgctx->opts->require_eku = 0; plgctx->opts->accept_secondary_eku = 0; } else { pkiDebug("%s: Invalid value for pkinit_eku_checking: '%s'\n", __FUNCTION__, eku_string); } free(eku_string); } return 0; errout: pkinit_fini_kdc_profile(context, plgctx); return retval; }
static krb5_error_code pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx) { krb5_error_code retval; char *eku_string = NULL; pkiDebug("%s: entered for realm %s\n", __FUNCTION__, plgctx->realmname); retval = pkinit_kdcdefault_string(context, plgctx->realmname, KRB5_CONF_PKINIT_IDENTITY, &plgctx->idopts->identity); if (retval != 0 || NULL == plgctx->idopts->identity) { retval = EINVAL; krb5_set_error_message(context, retval, "No pkinit_identity supplied for realm %s", plgctx->realmname); goto errout; } retval = pkinit_kdcdefault_strings(context, plgctx->realmname, KRB5_CONF_PKINIT_ANCHORS, &plgctx->idopts->anchors); if (retval != 0 || NULL == plgctx->idopts->anchors) { retval = EINVAL; krb5_set_error_message(context, retval, "No pkinit_anchors supplied for realm %s", plgctx->realmname); goto errout; } pkinit_kdcdefault_strings(context, plgctx->realmname, KRB5_CONF_PKINIT_POOL, &plgctx->idopts->intermediates); pkinit_kdcdefault_strings(context, plgctx->realmname, KRB5_CONF_PKINIT_REVOKE, &plgctx->idopts->crls); pkinit_kdcdefault_string(context, plgctx->realmname, KRB5_CONF_PKINIT_KDC_OCSP, &plgctx->idopts->ocsp); pkinit_kdcdefault_string(context, plgctx->realmname, KRB5_CONF_PKINIT_MAPPING_FILE, &plgctx->idopts->dn_mapping_file); pkinit_kdcdefault_integer(context, plgctx->realmname, KRB5_CONF_PKINIT_DH_MIN_BITS, PKINIT_DEFAULT_DH_MIN_BITS, &plgctx->opts->dh_min_bits); if (plgctx->opts->dh_min_bits < PKINIT_DEFAULT_DH_MIN_BITS) { pkiDebug("%s: invalid value (%d) for pkinit_dh_min_bits, " "using default value (%d) instead\n", __FUNCTION__, plgctx->opts->dh_min_bits, PKINIT_DEFAULT_DH_MIN_BITS); plgctx->opts->dh_min_bits = PKINIT_DEFAULT_DH_MIN_BITS; } pkinit_kdcdefault_boolean(context, plgctx->realmname, KRB5_CONF_PKINIT_ALLOW_UPN, 0, &plgctx->opts->allow_upn); pkinit_kdcdefault_boolean(context, plgctx->realmname, KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING, 0, &plgctx->opts->require_crl_checking); pkinit_kdcdefault_string(context, plgctx->realmname, KRB5_CONF_PKINIT_EKU_CHECKING, &eku_string); if (eku_string != NULL) { if (strcasecmp(eku_string, "kpClientAuth") == 0) { plgctx->opts->require_eku = 1; plgctx->opts->accept_secondary_eku = 0; } else if (strcasecmp(eku_string, "scLogin") == 0) { plgctx->opts->require_eku = 1; plgctx->opts->accept_secondary_eku = 1; } else if (strcasecmp(eku_string, "none") == 0) { plgctx->opts->require_eku = 0; plgctx->opts->accept_secondary_eku = 0; } else { pkiDebug("%s: Invalid value for pkinit_eku_checking: '%s'\n", __FUNCTION__, eku_string); } free(eku_string); } return 0; errout: pkinit_fini_kdc_profile(context, plgctx); return retval; }