From: Tom Yu Date: Wed, 18 Feb 2009 18:14:48 +0000 (+0000) Subject: pull up r21871, r21872, r21873, r21879, r21880 from trunk X-Git-Tag: krb5-1.7-beta1~87 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=33cacedb5031233aca262d12b227a7321c6068e6;p=krb5.git pull up r21871, r21872, r21873, r21879, r21880 from trunk ------------------------------------------------------------------------ r21880 | ghudson | 2009-02-04 14:15:13 -0500 (Wed, 04 Feb 2009) | 3 lines Changed paths: M /trunk/src/plugins/preauth/pkinit/pkinit_clnt.c M /trunk/src/plugins/preauth/pkinit/pkinit_matching.c M /trunk/src/plugins/preauth/pkinit/pkinit_srv.c Include k5-int.h in several pkinit source files, in order to define the KRB5_CONFIG symbols now used by those files. ------------------------------------------------------------------------ r21879 | tsitkova | 2009-02-04 12:08:44 -0500 (Wed, 04 Feb 2009) | 2 lines Changed paths: M /trunk/src/include/k5-int.h M /trunk/src/kdc/do_tgs_req.c M /trunk/src/kdc/main.c M /trunk/src/lib/kadm5/alt_prof.c M /trunk/src/lib/kdb/kdb5.c M /trunk/src/lib/krb5/krb/conv_princ.c M /trunk/src/lib/krb5/krb/get_in_tkt.c M /trunk/src/lib/krb5/krb/init_ctx.c M /trunk/src/lib/krb5/krb/vfy_increds.c M /trunk/src/lib/krb5/os/an_to_ln.c M /trunk/src/lib/krb5/os/def_realm.c M /trunk/src/lib/krb5/os/get_krbhst.c M /trunk/src/lib/krb5/os/hst_realm.c M /trunk/src/lib/krb5/os/ktdefname.c M /trunk/src/lib/krb5/os/localaddr.c M /trunk/src/lib/krb5/os/locate_kdc.c M /trunk/src/lib/krb5/os/realm_dom.c M /trunk/src/lib/krb5/os/sendto_kdc.c M /trunk/src/lib/krb5/os/sn2princ.c M /trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c M /trunk/src/plugins/preauth/pkinit/pkinit_clnt.c M /trunk/src/plugins/preauth/pkinit/pkinit_matching.c M /trunk/src/plugins/preauth/pkinit/pkinit_profile.c M /trunk/src/plugins/preauth/pkinit/pkinit_srv.c Use macros for config parameters. 
------------------------------------------------------------------------ r21873 | ghudson | 2009-02-02 16:55:13 -0500 (Mon, 02 Feb 2009) | 3 lines Changed paths: M /trunk/src/include/k5-int.h Fix a whitespace error introduced when fixing a typo in the defines added to k5-int.h. ------------------------------------------------------------------------ r21872 | ghudson | 2009-02-02 16:53:16 -0500 (Mon, 02 Feb 2009) | 2 lines Changed paths: M /trunk/src/include/k5-int.h Fix a typo in the defines added to k5-int.h. ------------------------------------------------------------------------ r21871 | tsitkova | 2009-02-02 16:34:19 -0500 (Mon, 02 Feb 2009) | 2 lines Changed paths: M /trunk/src/include/k5-int.h Introduces macros for config parameters. ------------------------------------------------------------------------ ticket: 6397 status: resolved version_fixed: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22013 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 7de6c1a60..31a15ad2e 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h 
@@ -179,6 +179,100 @@ typedef INT64_TYPE krb5_int64; /* Get string buffer support. */ #include "k5-buf.h" +/* cofiguration variables */ +#define KRB5_CONF_ACL_FILE "acl_file" +#define KRB5_CONF_ADMIN_KEYTAB "admin_keytab" +#define KRB5_CONF_ADMIN_SERVER "admin_server" +#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto" +#define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type" +#define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local" +#define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names" +#define KRB5_CONF_CANONICALIZE "canonicalize" +#define KRB5_CONF_CCACHE_TYPE "ccache_type" +#define KRB5_CONF_CLOCKSKEW "clockskew" +#define KRB5_CONF_DATABASE_NAME "database_name" +#define KRB5_CONF_DB_MODULE_DIR "db_module_dir" +#define KRB5_CONF_DB_MODULES "db_modules" +#define KRB5_CONF_DOMAIN_REALM "domain_realm" +#define KRB5_CONF_DEFAULT_REALM "default_realm" +#define KRB5_CONF_DEFAULT_DOMAIN "default_domain" +#define KRB5_CONF_DEFAULT_TKT_ENCTYPES "default_tkt_enctypes" +#define KRB5_CONF_DEFAULT_TGS_ENCTYPES "default_tgs_enctypes" +#define KRB5_CONF_DEFAULT_KEYTAB_NAME "default_keytab_name" +#define KRB5_CONF_DEFAULT_PRINCIPAL_EXPIRATION "default_principal_expiration" +#define KRB5_CONF_DEFAULT_PRINCIPAL_FLAGS "default_principal_flags" +#define KRB5_CONF_DICT_FILE "dict_file" +#define KRB5_CONF_DNS_LOOKUP_KDC "dns_lookup_kdc" +#define KRB5_CONF_DNS_LOOKUP_REALM "dns_lookup_realm" +#define KRB5_CONF_DNS_FALLBACK "dns_fallback" +#define KRB5_CONF_EXTRA_ADDRESSES "extra_addresses" +#define KRB5_CONF_FORWARDABLE "forwardable" +#define KRB5_CONF_HOST_BASED_SERVICES "host_based_services" +#define KRB5_CONF_IPROP_ENABLE "iprop_enable" +#define KRB5_CONF_IPROP_MASTER_ULOGSIZE "iprop_master_ulogsize" +#define KRB5_CONF_IPROP_PORT "iprop_port" +#define KRB5_CONF_IPROP_SLAVE_POLL "iprop_slave_poll" +#define KRB5_CONF_IPROP_LOGFILE "iprop_logfile" +#define KRB5_CONF_KADMIND_PORT "kadmind_port" +#define KRB5_CONF_KRB524_SERVER "krb524_server" +#define KRB5_CONF_KDC "kdc" 
+#define KRB5_CONF_KDCDEFAULTS "kdcdefaults" +#define KRB5_CONF_KDC_PORTS "kdc_ports" +#define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports" +#define KRB5_CONF_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size" +#define KRB5_CONF_KDC_DEFAULT_OPTIONS "kdc_default_options" +#define KRB5_CONF_KDC_TIMESYNC "kdc_timesync" +#define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type" +#define KRB5_CONF_KEY_STASH_FILE "key_stash_file" +#define KRB5_CONF_KPASSWD_PORT "kpasswd_port" +#define KRB5_CONF_KPASSWD_SERVER "kpasswd_server" +#define KRB5_CONF_LIBDEFAULTS "libdefaults" +#define KRB5_CONF_LDAP_KDC_DN "ldap_kdc_dn" +#define KRB5_CONF_LDAP_KADMIN_DN "ldap_kadmind_dn" +#define KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE "ldap_service_password_file" +#define KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE "ldap_root_certificate_file" +#define KRB5_CONF_LDAP_SERVERS "ldap_servers" +#define KRB5_CONF_LDAP_CONNS_PER_SERVER "ldap_conns_per_server" +#define KRB5_CONF_NO_HOST_REFERRAL "no_host_referral" +#define KRB5_CONF_MASTER_KEY_NAME "master_key_name" +#define KRB5_CONF_MASTER_KEY_TYPE "master_key_type" +#define KRB5_CONF_MASTER_KDC "master_kdc" +#define KRB5_CONF_MAX_LIFE "max_life" +#define KRB5_CONF_MAX_RENEWABLE_LIFE "max_renewable_life" +#define KRB5_CONF_NOADDRESSES "noaddresses" +#define KRB5_CONF_PERMITTED_ENCTYPES "permitted_enctypes" +#define KRB5_CONF_PKINIT_ALLOW_UPN "pkinit_allow_upn" +#define KRB5_CONF_PKINIT_ANCHORS "pkinit_anchors" +#define KRB5_CONF_PKINIT_CERT_MATCH "pkinit_cert_match" +#define KRB5_CONF_PKINIT_DH_MIN_BITS "pkinit_dh_min_bits" +#define KRB5_CONF_PKINIT_EKU_CHECKING "pkinit_eku_checking" +#define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity" +#define KRB5_CONF_PKINIT_IDENTITIES "pkinit_identities" +#define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname" +#define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp" +#define KRB5_CONF_PKINIT_LONGHORN "pkinit_longhorn" +#define KRB5_CONF_PKINIT_MAPPING_FILE "pkinit_mappings_file" +#define KRB5_CONF_PKINIT_POOL 
"pkinit_pool" +#define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke" +#define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking" +#define KRB5_CONF_PKINIT_WIN2K "pkinit_win2k" +#define KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING "pkinit_win2k_require_binding" +#define KRB5_CONF_PREFERRED_PREAUTH_TYPES "preferred_preauth_types" +#define KRB5_CONF_PROXIABLE "proxiable" +#define KRB5_CONF_RDNS "rdns" +#define KRB5_CONF_REALMS "realms" +#define KRB5_CONF_REALM_TRY_DOMAINS "realm_try_domains" +#define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit" +#define KRB5_CONF_RENEW_LIFETIME "renew_lifetime" +#define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type" +#define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes" +#define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime" +#define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit" +#define KRB5_CONF_VERIFY_AP_REQ_NOFAIL "verify_ap_req_nofail" +#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert" +#define KRB5_CONF_V4_REALM "v4_realm" +#define KRB5_CONF_ASTERISK "*" + /* Error codes used in KRB_ERROR protocol messages. Return values of library routines are based on a different error table (which allows non-ambiguous error codes between subsystems) */ diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index a6ce704bd..bf008e60d 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c 
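Review bot: The comment heading the new block, `+/* cofiguration variables */`, is misspelled and does not say what the strings are; suggest `/* Names of krb5.conf / kdc.conf configuration keys, so call sites do not repeat string literals. */`. Three macros in the block do not spell the key they expand to — `KRB5_CONF_MAX_DGRAM_REPLY_SIZE` is "kdc_max_dgram_reply_size", `KRB5_CONF_LDAP_KADMIN_DN` is "ldap_kadmind_dn", and `KRB5_CONF_PKINIT_MAPPING_FILE` is "pkinit_mappings_file" — which undercuts the purpose of the macros: the compiler still cannot tell that a caller picked the wrong key, and a grep for the config key no longer finds the use site. Renaming them to match the string (e.g. `KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE`) is cheap now, before the names spread to more callers. The adjacent `KRB5_CONF_DEFAULT_TKT_ENCTYPES` / `KRB5_CONF_DEFAULT_TGS_ENCTYPES` pair differs by one letter, so every use site deserves a second look, since a mix-up silently reads a different enctype list.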
@@ -1105,9 +1105,9 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN && kdc_active_realm->realm_host_based_services != NULL && (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, comp1_str) == TRUE || - krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, "*") == TRUE))) && + krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, KRB5_CONF_ASTERISK) == TRUE))) && (kdc_active_realm->realm_no_host_referral == NULL || - (krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, "*") == FALSE && + (krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, KRB5_CONF_ASTERISK) == FALSE && krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, comp1_str) == FALSE))) { for (len=0; len < comp2->length; len++) { diff --git a/src/kdc/main.c b/src/kdc/main.c index 91d781404..5c5ea9663 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -176,14 +176,14 @@ handle_referral_params(krb5_realm_params *rparams, { krb5_error_code retval = 0; - if (no_refrls && krb5_match_config_pattern(no_refrls, "*") == TRUE) { - rdp->realm_no_host_referral = strdup("*"); + if (no_refrls && krb5_match_config_pattern(no_refrls, KRB5_CONF_ASTERISK) == TRUE) { + rdp->realm_no_host_referral = strdup(KRB5_CONF_ASTERISK); if (!rdp->realm_no_host_referral) retval = ENOMEM; } else { if (rparams && rparams->realm_no_host_referral) { - if (krb5_match_config_pattern(rparams->realm_no_host_referral, "*") == TRUE) { - rdp->realm_no_host_referral = strdup("*"); + if (krb5_match_config_pattern(rparams->realm_no_host_referral, KRB5_CONF_ASTERISK) == TRUE) { + rdp->realm_no_host_referral = strdup(KRB5_CONF_ASTERISK); if (!rdp->realm_no_host_referral) retval = ENOMEM; } else if (no_refrls && (asprintf(&(rdp->realm_no_host_referral), "%s%s%s%s%s", 
@@ -198,19 +198,19 @@ handle_referral_params(krb5_realm_params *rparams, rdp->realm_no_host_referral = NULL; } - if (rdp->realm_no_host_referral && krb5_match_config_pattern(rdp->realm_no_host_referral, "*") == TRUE) { + if (rdp->realm_no_host_referral && krb5_match_config_pattern(rdp->realm_no_host_referral, KRB5_CONF_ASTERISK) == TRUE) { rdp->realm_host_based_services = NULL; return 0; } - if (host_based_srvcs && (krb5_match_config_pattern(host_based_srvcs, "*") == TRUE)) { - rdp->realm_host_based_services = strdup("*"); + if (host_based_srvcs && (krb5_match_config_pattern(host_based_srvcs, KRB5_CONF_ASTERISK) == TRUE)) { + rdp->realm_host_based_services = strdup(KRB5_CONF_ASTERISK); if (!rdp->realm_host_based_services) retval = ENOMEM; } else { if (rparams && rparams->realm_host_based_services) { - if (krb5_match_config_pattern(rparams->realm_host_based_services, "*") == TRUE) { - rdp->realm_host_based_services = strdup("*"); + if (krb5_match_config_pattern(rparams->realm_host_based_services, KRB5_CONF_ASTERISK) == TRUE) { + rdp->realm_host_based_services = strdup(KRB5_CONF_ASTERISK); if (!rdp->realm_host_based_services) retval = ENOMEM; } else if (host_based_srvcs && asprintf(&(rdp->realm_host_based_services), "%s%s%s%s%s", 
@@ -552,22 +552,22 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) extern char *optarg; if (!krb5_aprof_init(DEFAULT_KDC_PROFILE, KDC_PROFILE_ENV, &aprof)) { - hierarchy[0] = "kdcdefaults"; - hierarchy[1] = "kdc_ports"; + hierarchy[0] = KRB5_CONF_KDCDEFAULTS; + hierarchy[1] = KRB5_CONF_KDC_PORTS; hierarchy[2] = (char *) NULL; if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_udp_ports)) default_udp_ports = 0; - hierarchy[1] = "kdc_tcp_ports"; + hierarchy[1] = KRB5_CONF_KDC_TCP_PORTS; if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_tcp_ports)) default_tcp_ports = 0; - hierarchy[1] = "kdc_max_dgram_reply_size"; + hierarchy[1] = KRB5_CONF_MAX_DGRAM_REPLY_SIZE; if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size)) max_dgram_reply_size = MAX_DGRAM_SIZE; - hierarchy[1] = "no_host_referral"; + hierarchy[1] = KRB5_CONF_NO_HOST_REFERRAL; if (krb5_aprof_get_string_all(aprof, hierarchy, &no_refrls)) no_refrls = 0; - if (!no_refrls || krb5_match_config_pattern(no_refrls, "*") == FALSE) { - hierarchy[1] = "host_based_services"; + if (!no_refrls || krb5_match_config_pattern(no_refrls, KRB5_CONF_ASTERISK) == FALSE) { + hierarchy[1] = KRB5_CONF_HOST_BASED_SERVICES; if (krb5_aprof_get_string_all(aprof, hierarchy, &host_based_srvcs)) host_based_srvcs = 0; } diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c index 7ad59ab4d..f2db0a221 100644 --- a/src/lib/kadm5/alt_prof.c +++ b/src/lib/kadm5/alt_prof.c @@ -566,7 +566,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, goto cleanup; /* Initialize realm parameters */ - hierarchy[0] = "realms"; + hierarchy[0] = KRB5_CONF_REALMS; hierarchy[1] = lrealm; hierarchy[3] = (char *) NULL; 
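Review bot: `hierarchy[1] = KRB5_CONF_MAX_DGRAM_REPLY_SIZE;` in initialize_realms reads the kdc.conf key "kdc_max_dgram_reply_size", but the macro name drops the `kdc_` prefix that the neighbouring macros in this hunk keep (`KRB5_CONF_KDC_PORTS`, `KRB5_CONF_KDC_TCP_PORTS`), so a reader checking which key bounds the UDP reply size has to open k5-int.h to find out. A name that spells the key, `KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE`, would keep the lookup greppable; if the macro must keep its current name, a comment such as `/* kdc_max_dgram_reply_size */` on this line is the cheap alternative. initialize_realms begins before and continues after this hunk.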
@@ -576,7 +576,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, aprofile, hierarchy, CONFTAG, DEFAULT) /* Get the value for the admin server */ - GET_STRING_PARAM(admin_server, KADM5_CONFIG_ADMIN_SERVER, "admin_server", + GET_STRING_PARAM(admin_server, KADM5_CONFIG_ADMIN_SERVER, KRB5_CONF_ADMIN_SERVER, NULL); if (params.mask & KADM5_CONFIG_ADMIN_SERVER) { @@ -590,7 +590,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, } /* Get the value for the database */ - GET_STRING_PARAM(dbname, KADM5_CONFIG_DBNAME, "database_name", + GET_STRING_PARAM(dbname, KADM5_CONFIG_DBNAME, KRB5_CONF_DATABASE_NAME, DEFAULT_KDB_FILE); params.admin_dbname_was_here = NULL; @@ -599,7 +599,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, /* Get the value for the admin (policy) database lock file*/ if (!GET_STRING_PARAM(admin_keytab, KADM5_CONFIG_ADMIN_KEYTAB, - "admin_keytab", NULL)) { + KRB5_CONF_ADMIN_KEYTAB, NULL)) { const char *s = getenv("KRB5_KTNAME"); if (s == NULL) s = DEFAULT_KADM5_KEYTAB; @@ -609,11 +609,11 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, } /* Get the name of the acl file */ - GET_STRING_PARAM(acl_file, KADM5_CONFIG_ACL_FILE, "acl_file", + GET_STRING_PARAM(acl_file, KADM5_CONFIG_ACL_FILE, KRB5_CONF_ACL_FILE, DEFAULT_KADM5_ACL_FILE); /* Get the name of the dict file */ - GET_STRING_PARAM(dict_file, KADM5_CONFIG_DICT_FILE, "dict_file", NULL); + GET_STRING_PARAM(dict_file, KADM5_CONFIG_DICT_FILE, KRB5_CONF_DICT_FILE, NULL); #define GET_PORT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ get_port_param(¶ms.FIELD, params_in->FIELD, \ 
@@ -621,18 +621,18 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, aprofile, hierarchy, CONFTAG, DEFAULT) /* Get the value for the kadmind port */ GET_PORT_PARAM(kadmind_port, KADM5_CONFIG_KADMIND_PORT, - "kadmind_port", DEFAULT_KADM5_PORT); + KRB5_CONF_KADMIND_PORT, DEFAULT_KADM5_PORT); /* Get the value for the kpasswd port */ GET_PORT_PARAM(kpasswd_port, KADM5_CONFIG_KPASSWD_PORT, - "kpasswd_port", DEFAULT_KPASSWD_PORT); + KRB5_CONF_KPASSWD_PORT, DEFAULT_KPASSWD_PORT); /* Get the value for the master key name */ GET_STRING_PARAM(mkey_name, KADM5_CONFIG_MKEY_NAME, - "master_key_name", NULL); + KRB5_CONF_MASTER_KEY_NAME, NULL); /* Get the value for the master key type */ - hierarchy[2] = "master_key_type"; + hierarchy[2] = KRB5_CONF_MASTER_KEY_TYPE; if (params_in->mask & KADM5_CONFIG_ENCTYPE) { params.mask |= KADM5_CONFIG_ENCTYPE; params.enctype = params_in->enctype; @@ -655,7 +655,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, /* Get the value for the stashfile */ GET_STRING_PARAM(stash_file, KADM5_CONFIG_STASH_FILE, - "key_stash_file", NULL); + KRB5_CONF_KEY_STASH_FILE, NULL); /* Get the value for maximum ticket lifetime. */ #define GET_DELTAT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ 
@@ -663,15 +663,15 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, ¶ms.mask, params_in->mask, BIT, \ aprofile, hierarchy, CONFTAG, DEFAULT) - GET_DELTAT_PARAM(max_life, KADM5_CONFIG_MAX_LIFE, "max_life", + GET_DELTAT_PARAM(max_life, KADM5_CONFIG_MAX_LIFE, KRB5_CONF_MAX_LIFE, 24 * 60 * 60); /* 1 day */ /* Get the value for maximum renewable ticket lifetime. */ - GET_DELTAT_PARAM(max_rlife, KADM5_CONFIG_MAX_RLIFE, "max_renewable_life", + GET_DELTAT_PARAM(max_rlife, KADM5_CONFIG_MAX_RLIFE, KRB5_CONF_MAX_RENEWABLE_LIFE, 0); /* Get the value for the default principal expiration */ - hierarchy[2] = "default_principal_expiration"; + hierarchy[2] = KRB5_CONF_DEFAULT_PRINCIPAL_EXPIRATION; if (params_in->mask & KADM5_CONFIG_EXPIRATION) { params.mask |= KADM5_CONFIG_EXPIRATION; params.expiration = params_in->expiration; @@ -687,7 +687,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, } /* Get the value for the default principal flags */ - hierarchy[2] = "default_principal_flags"; + hierarchy[2] = KRB5_CONF_DEFAULT_PRINCIPAL_FLAGS; if (params_in->mask & KADM5_CONFIG_FLAGS) { params.mask |= KADM5_CONFIG_FLAGS; params.flags = params_in->flags; @@ -729,7 +729,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, } /* Get the value for the supported enctype/salttype matrix */ - hierarchy[2] = "supported_enctypes"; + hierarchy[2] = KRB5_CONF_SUPPORTED_ENCTYPES; if (params_in->mask & KADM5_CONFIG_ENCTYPES) { /* The following scenario is when the input keysalts are !NULL */ if(params_in->keysalts) { @@ -765,7 +765,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, free(svalue); } - hierarchy[2] = "iprop_enable"; + hierarchy[2] = KRB5_CONF_IPROP_ENABLE; params.iprop_enabled = FALSE; params.mask |= KADM5_CONFIG_IPROP_ENABLED; 
@@ -783,7 +783,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, } if (!GET_STRING_PARAM(iprop_logfile, KADM5_CONFIG_IPROP_LOGFILE, - "iprop_logfile", NULL)) { + KRB5_CONF_IPROP_LOGFILE, NULL)) { if (params.mask & KADM5_CONFIG_DBNAME) { if (asprintf(¶ms.iprop_logfile, "%s.ulog", params.dbname) >= 0) { params.mask |= KADM5_CONFIG_IPROP_LOGFILE; @@ -792,9 +792,9 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, } GET_PORT_PARAM(iprop_port, KADM5_CONFIG_IPROP_PORT, - "iprop_port", 0); + KRB5_CONF_IPROP_PORT, 0); - hierarchy[2] = "iprop_master_ulogsize"; + hierarchy[2] = KRB5_CONF_IPROP_MASTER_ULOGSIZE; params.iprop_ulogsize = DEF_ULOGENTRIES; params.mask |= KADM5_CONFIG_ULOG_SIZE; @@ -816,7 +816,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, } GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME, - "iprop_slave_poll", 2 * 60); /* 2m */ + KRB5_CONF_IPROP_SLAVE_POLL, 2 * 60); /* 2m */ *params_out = params; 
@@ -955,40 +955,40 @@ krb5_read_realm_params(kcontext, realm, rparamp) memset((char *) rparams, 0, sizeof(krb5_realm_params)); /* Get the value for the database */ - hierarchy[0] = "realms"; + hierarchy[0] = KRB5_CONF_REALMS; hierarchy[1] = lrealm; - hierarchy[2] = "database_name"; + hierarchy[2] = KRB5_CONF_DATABASE_NAME; hierarchy[3] = (char *) NULL; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) rparams->realm_dbname = svalue; /* Get the value for the KDC port list */ - hierarchy[2] = "kdc_ports"; + hierarchy[2] = KRB5_CONF_KDC_PORTS; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) rparams->realm_kdc_ports = svalue; - hierarchy[2] = "kdc_tcp_ports"; + hierarchy[2] = KRB5_CONF_KDC_TCP_PORTS; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) rparams->realm_kdc_tcp_ports = svalue; /* Get the name of the acl file */ - hierarchy[2] = "acl_file"; + hierarchy[2] = KRB5_CONF_ACL_FILE; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) rparams->realm_acl_file = svalue; /* Get the value for the kadmind port */ - hierarchy[2] = "kadmind_port"; + hierarchy[2] = KRB5_CONF_KADMIND_PORT; if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) { rparams->realm_kadmind_port = ivalue; rparams->realm_kadmind_port_valid = 1; } /* Get the value for the master key name */ - hierarchy[2] = "master_key_name"; + hierarchy[2] = KRB5_CONF_MASTER_KEY_NAME; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) rparams->realm_mkey_name = svalue; /* Get the value for the master key type */ - hierarchy[2] = "master_key_type"; + hierarchy[2] = KRB5_CONF_MASTER_KEY_TYPE; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { if (!krb5_string_to_enctype(svalue, &rparams->realm_enctype)) rparams->realm_enctype_valid = 1; 
@@ -996,26 +996,26 @@ krb5_read_realm_params(kcontext, realm, rparamp) } /* Get the value for the stashfile */ - hierarchy[2] = "key_stash_file"; + hierarchy[2] = KRB5_CONF_KEY_STASH_FILE; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) rparams->realm_stash_file = svalue; /* Get the value for maximum ticket lifetime. */ - hierarchy[2] = "max_life"; + hierarchy[2] = KRB5_CONF_MAX_LIFE; if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) { rparams->realm_max_life = dtvalue; rparams->realm_max_life_valid = 1; } /* Get the value for maximum renewable ticket lifetime. */ - hierarchy[2] = "max_renewable_life"; + hierarchy[2] = KRB5_CONF_MAX_RENEWABLE_LIFE; if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) { rparams->realm_max_rlife = dtvalue; rparams->realm_max_rlife_valid = 1; } /* Get the value for the default principal expiration */ - hierarchy[2] = "default_principal_expiration"; + hierarchy[2] = KRB5_CONF_DEFAULT_PRINCIPAL_EXPIRATION; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { if (!krb5_string_to_timestamp(svalue, &rparams->realm_expiration)) 
@@ -1023,20 +1023,20 @@ krb5_read_realm_params(kcontext, realm, rparamp) free(svalue); } - hierarchy[2] = "reject_bad_transit"; + hierarchy[2] = KRB5_CONF_REJECT_BAD_TRANSIT; if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) { rparams->realm_reject_bad_transit = bvalue; rparams->realm_reject_bad_transit_valid = 1; } - hierarchy[2] = "no_host_referral"; + hierarchy[2] = KRB5_CONF_NO_HOST_REFERRAL; if (!krb5_aprof_get_string_all(aprofile, hierarchy, &no_refrls)) rparams->realm_no_host_referral = no_refrls; else no_refrls = 0; - if (!no_refrls || krb5_match_config_pattern(no_refrls, "*") == FALSE) { - hierarchy[2] = "host_based_services"; + if (!no_refrls || krb5_match_config_pattern(no_refrls, KRB5_CONF_ASTERISK) == FALSE) { + hierarchy[2] = KRB5_CONF_HOST_BASED_SERVICES; if (!krb5_aprof_get_string_all(aprofile, hierarchy, &host_based_srvcs)) rparams->realm_host_based_services = host_based_srvcs; else @@ -1044,7 +1044,7 @@ krb5_read_realm_params(kcontext, realm, rparamp) } /* Get the value for the default principal flags */ - hierarchy[2] = "default_principal_flags"; + hierarchy[2] = KRB5_CONF_DEFAULT_PRINCIPAL_FLAGS; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { char *sp, *ep, *tp; diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c index 2252c3ad0..a7d5154cb 100644 --- a/src/lib/kdb/kdb5.c +++ b/src/lib/kdb/kdb5.c @@ -413,7 +413,7 @@ kdb_load_library(krb5_context kcontext, char *lib_name, db_library * lib) When it's static, it goes into ".picdata", which is read-write. */ static const char *const dbpath_names[] = { - KDB_MODULE_SECTION, "db_module_dir", NULL, + KDB_MODULE_SECTION, KRB5_CONF_DB_MODULE_DIR, NULL, }; const char *filebases[2]; char **profpath = NULL; diff --git a/src/lib/krb5/krb/conv_princ.c b/src/lib/krb5/krb/conv_princ.c index 176b41e35..3247893bc 100644 --- a/src/lib/krb5/krb/conv_princ.c +++ b/src/lib/krb5/krb/conv_princ.c 
@@ -220,8 +220,8 @@ krb5_524_conv_principal(krb5_context context, krb5_const_principal princ, if (context->profile == 0) return KRB5_CONFIG_CANTOPEN; - retval = profile_get_string(context->profile, "realms", - tmp_prealm, "v4_realm", 0, + retval = profile_get_string(context->profile, KRB5_CONF_REALMS, + tmp_prealm, KRB5_CONF_V4_REALM, 0, &tmp_realm); free(tmp_prealm); if (retval) { @@ -263,15 +263,15 @@ krb5_425_conv_principal(krb5_context context, const char *name, /* First, convert the realm, since the v4 realm is not necessarily the same as the v5 realm To do that, iterate over all the realms in the config file, looking for a matching v4_realm line */ - names2 [0] = "realms"; + names2 [0] = KRB5_CONF_REALMS; names2 [1] = NULL; retval = profile_iterator_create (context -> profile, names2, PROFILE_ITER_LIST_SECTION | PROFILE_ITER_SECTIONS_ONLY, &iterator); while (retval == 0) { retval = profile_iterator (&iterator, &realm_name, &dummy_value); if ((retval == 0) && (realm_name != NULL)) { - names [0] = "realms"; + names [0] = KRB5_CONF_REALMS; names [1] = realm_name; - names [2] = "v4_realm"; + names [2] = KRB5_CONF_V4_REALM; names [3] = NULL; retval = profile_get_values (context -> profile, names, &v4realms); @@ -314,9 +314,9 @@ krb5_425_conv_principal(krb5_context context, const char *name, } name = p->v5_str; if ((p->flags & DO_REALM_CONVERSION) && !strchr(instance, '.')) { - names[0] = "realms"; + names[0] = KRB5_CONF_REALMS; names[1] = realm; - names[2] = "v4_instance_convert"; + names[2] = KRB5_CONF_V4_INSTANCE_CONVERT; names[3] = instance; names[4] = 0; retval = profile_get_values(context->profile, names, &full_name); diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 52d17e0bb..cacf37846 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c 
@@ -800,7 +800,7 @@ krb5_libdefault_string(krb5_context context, const krb5_data *realm, profile = context->profile; - names[0] = "libdefaults"; + names[0] = KRB5_CONF_LIBDEFAULTS; /* * Try number one: @@ -887,7 +887,7 @@ sort_krb5_padata_sequence(krb5_context context, krb5_data *realm, return 0; } - ret = krb5_libdefault_string(context, realm, "preferred_preauth_types", + ret = krb5_libdefault_string(context, realm, KRB5_CONF_PREFERRED_PREAUTH_TYPES, &preauth_types); if ((ret != 0) || (preauth_types == NULL)) { /* Try to use PKINIT first. */ @@ -1022,7 +1022,7 @@ krb5_get_init_creds(krb5_context context, if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE)) tempint = options->forwardable; else if ((ret = krb5_libdefault_boolean(context, &client->realm, - "forwardable", &tempint)) == 0) + KRB5_CONF_FORWARDABLE, &tempint)) == 0) ; else tempint = 0; @@ -1034,7 +1034,7 @@ krb5_get_init_creds(krb5_context context, if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE)) tempint = options->proxiable; else if ((ret = krb5_libdefault_boolean(context, &client->realm, - "proxiable", &tempint)) == 0) + KRB5_CONF_PROXIABLE, &tempint)) == 0) ; else tempint = 0; @@ -1045,7 +1045,7 @@ krb5_get_init_creds(krb5_context context, if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_CANONICALIZE)) tempint = 1; else if ((ret = krb5_libdefault_boolean(context, &client->realm, - "canonicalize", &tempint)) == 0) + KRB5_CONF_CANONICALIZE, &tempint)) == 0) ; else tempint = 0; @@ -1066,7 +1066,7 @@ krb5_get_init_creds(krb5_context context, if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) { tkt_life = options->tkt_life; } else if ((ret = krb5_libdefault_string(context, &client->realm, - "ticket_lifetime", &tempstr)) + KRB5_CONF_TICKET_LIFETIME, &tempstr)) == 0) { ret = krb5_string_to_deltat(tempstr, &tkt_life); free(tempstr); 
@@ -1084,7 +1084,7 @@ krb5_get_init_creds(krb5_context context, if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE)) { renew_life = options->renew_life; } else if ((ret = krb5_libdefault_string(context, &client->realm, - "renew_lifetime", &tempstr)) + KRB5_CONF_RENEW_LIFETIME, &tempstr)) == 0) { ret = krb5_string_to_deltat(tempstr, &renew_life); free(tempstr); @@ -1178,7 +1178,7 @@ krb5_get_init_creds(krb5_context context, /* it would be nice if this parsed out an address list, but that would be work. */ else if (((ret = krb5_libdefault_boolean(context, &client->realm, - "noaddresses", &tempint)) != 0) + KRB5_CONF_NOADDRESSES, &tempint)) != 0) || (tempint == 1)) { ; } else { diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index 69f7ad887..bf9b30df2 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -1,7 +1,7 @@ /* * lib/krb5/krb/init_ctx.c * - * Copyright 1994,1999,2000, 2002, 2003, 2007, 2008 by the Massachusetts Institute of Technology. + * Copyright 1994,1999,2000, 2002, 2003, 2007, 2008, 2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -171,8 +171,8 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc) if ((retval = krb5_os_init_context(ctx, kdc))) goto cleanup; - retval = profile_get_boolean(ctx->profile, "libdefaults", - "allow_weak_crypto", NULL, 1, &tmp); + retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS, + KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 1, &tmp); if (retval) goto cleanup; ctx->allow_weak_crypto = tmp; 
@@ -189,41 +189,41 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc) goto cleanup; ctx->default_realm = 0; - profile_get_integer(ctx->profile, "libdefaults", "clockskew", + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CLOCKSKEW, 0, 5 * 60, &tmp); ctx->clockskew = tmp; #if 0 /* Default ticket lifetime is currently not supported */ - profile_get_integer(ctx->profile, "libdefaults", "tkt_lifetime", + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, "tkt_lifetime", 0, 10 * 60 * 60, &tmp); ctx->tkt_lifetime = tmp; #endif /* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */ /* DCE add kdc_req_checksum_type = 2 to krb5.conf */ - profile_get_integer(ctx->profile, "libdefaults", - "kdc_req_checksum_type", 0, CKSUMTYPE_RSA_MD5, + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, + KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5, &tmp); ctx->kdc_req_sumtype = tmp; - profile_get_integer(ctx->profile, "libdefaults", - "ap_req_checksum_type", 0, CKSUMTYPE_RSA_MD5, + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, + KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5, &tmp); ctx->default_ap_req_sumtype = tmp; - profile_get_integer(ctx->profile, "libdefaults", - "safe_checksum_type", 0, + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, + KRB5_CONF_SAFE_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5_DES, &tmp); ctx->default_safe_sumtype = tmp; - profile_get_integer(ctx->profile, "libdefaults", - "kdc_default_options", 0, + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, + KRB5_CONF_KDC_DEFAULT_OPTIONS, 0, KDC_OPT_RENEWABLE_OK, &tmp); ctx->kdc_default_options = tmp; #define DEFAULT_KDC_TIMESYNC 1 - profile_get_integer(ctx->profile, "libdefaults", - "kdc_timesync", 0, DEFAULT_KDC_TIMESYNC, + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, + KRB5_CONF_KDC_TIMESYNC, 0, DEFAULT_KDC_TIMESYNC, &tmp); ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0; 
@@ -236,7 +236,7 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc) * DCE 1.1 supports a cache type of 2. */ #define DEFAULT_CCACHE_TYPE 4 - profile_get_integer(ctx->profile, "libdefaults", "ccache_type", + profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CCACHE_TYPE, 0, DEFAULT_CCACHE_TYPE, &tmp); ctx->fcc_default_format = tmp + 0x0500; ctx->prompt_types = 0; @@ -341,12 +341,12 @@ get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profst session key types. */ - char *retval; - char *sp, *ep; + char *retval = NULL; + char *sp = NULL, *ep = NULL; int i, j, count; krb5_error_code code; - code = profile_get_string(context->profile, "libdefaults", profstr, + code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS, profstr, NULL, DEFAULT_ETYPE_LIST, &retval); if (code) return code; @@ -406,7 +406,7 @@ get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profst krb5_error_code krb5_get_default_in_tkt_ktypes(krb5_context context, krb5_enctype **ktypes) { - return(get_profile_etype_list(context, ktypes, "default_tkt_enctypes", + return(get_profile_etype_list(context, ktypes, KRB5_CONF_DEFAULT_TKT_ENCTYPES, context->in_tkt_ktype_count, context->in_tkt_ktypes)); } @@ -464,10 +464,10 @@ krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_encty if (context->use_conf_ktypes) /* This one is set *only* by reading the config file; it's not set by the application. */ - return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes", + return(get_profile_etype_list(context, ktypes, KRB5_CONF_DEFAULT_TKT_ENCTYPES, 0, NULL)); else - return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes", + return(get_profile_etype_list(context, ktypes, KRB5_CONF_DEFAULT_TGS_ENCTYPES, context->tgs_ktype_count, context->tgs_ktypes)); } 
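Review bot: In the `@@ -464` hunk, the `use_conf_ktypes` branch of krb5_get_tgs_ktypes replaces the literal `"default_tgs_enctypes"` with `KRB5_CONF_DEFAULT_TKT_ENCTYPES`, which expands to "default_tkt_enctypes" — a different key, so this is not the pure rename the commit message describes. On that path the enctype list for TGS requests is now taken from default_tkt_enctypes (or the DEFAULT_ETYPE_LIST fallback passed by get_profile_etype_list), and an administrator's default_tgs_enctypes setting — the knob for restricting which enctypes are requested from the TGS — is silently ignored, while the else branch two lines below still reads the TGS key, so the two branches now disagree. The line should read `return(get_profile_etype_list(context, ktypes, KRB5_CONF_DEFAULT_TGS_ENCTYPES,`. This is exactly the slip the one-letter difference between the two macro names invites; a short comment on the macro pair in k5-int.h noting that they are distinct keys would help the next reader. krb5_get_tgs_ktypes begins before this hunk.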
@@ -475,7 +475,7 @@ krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_encty
 krb5_error_code KRB5_CALLCONV
 krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes)
 {
- return(get_profile_etype_list(context, ktypes, "permitted_enctypes",
+ return(get_profile_etype_list(context, ktypes, KRB5_CONF_PERMITTED_ENCTYPES,
 context->tgs_ktype_count, context->tgs_ktypes));
 }
diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
index ba4187ea6..6f53f5728 100644
--- a/src/lib/krb5/krb/vfy_increds.c
+++ b/src/lib/krb5/krb/vfy_increds.c
@@ -115,7 +115,7 @@ krb5_verify_init_creds(krb5_context context,
 goto cleanup;
 } else if (krb5_libdefault_boolean(context, &creds->client->realm,
- "verify_ap_req_nofail",
+ KRB5_CONF_VERIFY_AP_REQ_NOFAIL,
 &nofail) == 0) {
 if (nofail)
diff --git a/src/lib/krb5/os/an_to_ln.c b/src/lib/krb5/os/an_to_ln.c
index b886f17f1..2c4e7047d 100644
--- a/src/lib/krb5/os/an_to_ln.c
+++ b/src/lib/krb5/os/an_to_ln.c
@@ -703,9 +703,9 @@ krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, int ln
 *
 * [realms]->realm->"auth_to_local_names"->mapping_name
 */
- hierarchy[0] = "realms";
+ hierarchy[0] = KRB5_CONF_REALMS;
 hierarchy[1] = realm;
- hierarchy[2] = "auth_to_local_names";
+ hierarchy[2] = KRB5_CONF_AUTH_TO_LOCAL_NAMES;
 hierarchy[3] = mname;
 hierarchy[4] = (char *) NULL;
 if (!(kret = profile_get_values(context->profile,
@@ -747,9 +747,9 @@ krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, int ln
 * DEFAULT - Use default rule.
 * The first rule to find a match is used.
 */
- hierarchy[0] = "realms";
+ hierarchy[0] = KRB5_CONF_REALMS;
 hierarchy[1] = realm;
- hierarchy[2] = "auth_to_local";
+ hierarchy[2] = KRB5_CONF_AUTH_TO_LOCAL;
 hierarchy[3] = (char *) NULL;
 if (!(kret = profile_get_values(context->profile, hierarchy,
diff --git a/src/lib/krb5/os/def_realm.c b/src/lib/krb5/os/def_realm.c
index d30a914cd..998e555d1 100644
--- a/src/lib/krb5/os/def_realm.c
+++ b/src/lib/krb5/os/def_realm.c
@@ -84,8 +84,8 @@ krb5_get_default_realm(krb5_context context, char **lrealm)
 */
 context->default_realm = 0;
 if (context->profile != 0) {
- retval = profile_get_string(context->profile, "libdefaults",
- "default_realm", 0, 0,
+ retval = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_DEFAULT_REALM, 0, 0,
 &realm);
 if (!retval && realm) {
@@ -210,7 +210,7 @@ krb5int_get_domain_realm_mapping(krb5_context context, const char *host, char **
 realm = (char *)NULL;
 temp_realm = 0;
 while (cp ) {
- retval = profile_get_string(context->profile, "domain_realm", cp,
+ retval = profile_get_string(context->profile, KRB5_CONF_DOMAIN_REALM, cp,
 0, (char *)NULL, &temp_realm);
 if (retval)
 return retval;
diff --git a/src/lib/krb5/os/get_krbhst.c b/src/lib/krb5/os/get_krbhst.c
index 31c77af6f..1cac7514c 100644
--- a/src/lib/krb5/os/get_krbhst.c
+++ b/src/lib/krb5/os/get_krbhst.c
@@ -68,9 +68,9 @@ krb5_get_krbhst(krb5_context context, const krb5_data *realm, char ***hostlist)
 rethosts = 0;
- realm_kdc_names[0] = "realms";
+ realm_kdc_names[0] = KRB5_CONF_REALMS;
 realm_kdc_names[1] = realm->data;
- realm_kdc_names[2] = "kdc";
+ realm_kdc_names[2] = KRB5_CONF_KDC;
 realm_kdc_names[3] = 0;
 if (context->profile == 0)
diff --git a/src/lib/krb5/os/hst_realm.c b/src/lib/krb5/os/hst_realm.c
index fda0dfde2..839df8056 100644
--- a/src/lib/krb5/os/hst_realm.c
+++ b/src/lib/krb5/os/hst_realm.c
@@ -234,7 +234,7 @@ krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp)
 #ifdef DEBUG_REFERRALS
 printf(" trying to look up %s in the domain_realm map\n",cp);
 #endif
- retval = profile_get_string(context->profile, "domain_realm", cp,
+ retval = profile_get_string(context->profile, KRB5_CONF_DOMAIN_REALM, cp,
 0, (char *)NULL, &temp_realm);
 if (retval)
 return retval;
@@ -385,8 +385,8 @@ krb5_get_fallback_host_realm(krb5_context context, krb5_data *hdata, char ***rea
 int limit;
 errcode_t code;
- code = profile_get_integer(context->profile, "libdefaults",
- "realm_try_domains", 0, -1, &limit);
+ code = profile_get_integer(context->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_REALM_TRY_DOMAINS, 0, -1, &limit);
 if (code == 0) {
 retval = domain_heuristic(context, local_host, &realm, limit);
 if (retval)
diff --git a/src/lib/krb5/os/ktdefname.c b/src/lib/krb5/os/ktdefname.c
index 89bb35fcf..91f65858b 100644
--- a/src/lib/krb5/os/ktdefname.c
+++ b/src/lib/krb5/os/ktdefname.c
@@ -51,8 +51,8 @@ krb5_kt_default_name(krb5_context context, char *name, int name_size)
 if (strlcpy(name, cp, namesize) >= namesize)
 return KRB5_CONFIG_NOTENUFSPACE;
 } else if ((profile_get_string(context->profile,
- "libdefaults",
- "default_keytab_name", NULL,
+ KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_DEFAULT_KEYTAB_NAME, NULL,
 NULL, &retval) == 0) && retval) {
 if (strlcpy(name, retval, namesize) >= namesize)
diff --git a/src/lib/krb5/os/localaddr.c b/src/lib/krb5/os/localaddr.c
index 100752247..25079062a 100644
--- a/src/lib/krb5/os/localaddr.c
+++ b/src/lib/krb5/os/localaddr.c
@@ -1247,7 +1247,7 @@ krb5_os_localaddr_profile (krb5_context context, struct localaddr_data *datap)
 {
 krb5_error_code err;
 static const char *const profile_name[] = {
- "libdefaults", "extra_addresses", 0
+ KRB5_CONF_LIBDEFAULTS, KRB5_CONF_EXTRA_ADDRESSES, 0
 };
 char **values;
 char **iter;
diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
index f10f3af1c..7326435fa 100644
--- a/src/lib/krb5/os/locate_kdc.c
+++ b/src/lib/krb5/os/locate_kdc.c
@@ -70,11 +70,11 @@ maybe_use_dns (krb5_context context, const char *name, int defalt)
 char * value = NULL;
 int use_dns = 0;
- code = profile_get_string(context->profile, "libdefaults",
+ code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
 name, 0, 0, &value);
 if (value == 0 && code == 0)
- code = profile_get_string(context->profile, "libdefaults",
- "dns_fallback", 0, 0, &value);
+ code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_DNS_FALLBACK, 0, 0, &value);
 if (code) return defalt;
@@ -89,13 +89,13 @@ maybe_use_dns (krb5_context context, const char *name, int defalt)
 int
 _krb5_use_dns_kdc(krb5_context context)
 {
- return maybe_use_dns (context, "dns_lookup_kdc", DEFAULT_LOOKUP_KDC);
+ return maybe_use_dns (context, KRB5_CONF_DNS_LOOKUP_KDC, DEFAULT_LOOKUP_KDC);
 }
 int
 _krb5_use_dns_realm(krb5_context context)
 {
- return maybe_use_dns (context, "dns_lookup_realm", DEFAULT_LOOKUP_REALM);
+ return maybe_use_dns (context, KRB5_CONF_DNS_LOOKUP_REALM, DEFAULT_LOOKUP_REALM);
 }
 #endif /* KRB5_DNS_LOOKUP */
@@ -325,7 +325,7 @@ krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm,
 masterlist = NULL;
- realm_srv_names[0] = "realms";
+ realm_srv_names[0] = KRB5_CONF_REALMS;
 realm_srv_names[1] = host;
 realm_srv_names[2] = name;
 realm_srv_names[3] = 0;
@@ -354,9 +354,9 @@ krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm,
 }
 if (get_masters) {
- realm_srv_names[0] = "realms";
+ realm_srv_names[0] = KRB5_CONF_REALMS;
 realm_srv_names[1] = host;
- realm_srv_names[2] = "admin_server";
+ realm_srv_names[2] = KRB5_CONF_ADMIN_SERVER;
 realm_srv_names[3] = 0;
 code = profile_get_values(context->profile, realm_srv_names,
@@ -712,7 +712,7 @@ prof_locate_server (krb5_context context, const krb5_data *realm,
 switch (svc) {
 case locate_service_kdc:
- profname = "kdc";
+ profname = KRB5_CONF_KDC;
 /* We used to use /etc/services for these, but enough systems have old, crufty, wrong settings that this is probably better. */
@@ -721,19 +721,19 @@ prof_locate_server (krb5_context context, const krb5_data *realm,
 dflport2 = htons(KRB5_DEFAULT_SEC_PORT);
 break;
 case locate_service_master_kdc:
- profname = "master_kdc";
+ profname = KRB5_CONF_MASTER_KDC;
 goto kdc_ports;
 case locate_service_kadmin:
- profname = "admin_server";
+ profname = KRB5_CONF_ADMIN_SERVER;
 dflport1 = htons(DEFAULT_KADM5_PORT);
 break;
 case locate_service_krb524:
- profname = "krb524_server";
+ profname = KRB5_CONF_KRB524_SERVER;
 serv = getservbyname(KRB524_SERVICE, "udp");
 dflport1 = serv ? serv->s_port : htons (KRB524_PORT);
 break;
 case locate_service_kpasswd:
- profname = "kpasswd_server";
+ profname = KRB5_CONF_KPASSWD_SERVER;
 dflport1 = htons(DEFAULT_KPASSWD_PORT);
 break;
 default:
diff --git a/src/lib/krb5/os/realm_dom.c b/src/lib/krb5/os/realm_dom.c
index 43e6266ca..ed44e9d59 100644
--- a/src/lib/krb5/os/realm_dom.c
+++ b/src/lib/krb5/os/realm_dom.c
@@ -51,8 +51,8 @@ krb5_get_realm_domain(krb5_context context, const char *realm, char **domain)
 krb5_error_code retval;
 char *temp_domain = 0;
- retval = profile_get_string(context->profile, "realms", realm,
- "default_domain", realm, &temp_domain);
+ retval = profile_get_string(context->profile, KRB5_CONF_REALMS, realm,
+ KRB5_CONF_DEFAULT_DOMAIN, realm, &temp_domain);
 if (!retval && temp_domain) {
 *domain = strdup(temp_domain);
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 971047b54..86f372299 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -377,7 +377,7 @@ krb5_sendto_kdc (krb5_context context, const krb5_data *message,
 if (!tcp_only && context->udp_pref_limit < 0) {
 int tmp;
 retval = profile_get_integer(context->profile,
- "libdefaults", "udp_preference_limit", 0,
+ KRB5_CONF_LIBDEFAULTS, KRB5_CONF_UDP_PREFERENCE_LIMIT, 0,
 DEFAULT_UDP_PREF_LIMIT, &tmp);
 if (retval)
 return retval;
diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
index c300e2d42..ee4f3bc11 100644
--- a/src/lib/krb5/os/sn2princ.c
+++ b/src/lib/krb5/os/sn2princ.c
@@ -47,8 +47,8 @@ maybe_use_reverse_dns (krb5_context context, int defalt)
 char * value = NULL;
 int use_rdns = 0;
- code = profile_get_string(context->profile, "libdefaults",
- "rdns", 0, 0, &value);
+ code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_RDNS, 0, 0, &value);
 if (code) return defalt;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index f0734deb2..8625984d8 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -185,7 +185,7 @@ krb5_ldap_read_server_params(context, conf_section, srv_type)
 */
 if (ldap_context->max_server_conns == 0) {
 st = prof_get_integer_def (context, conf_section,
- "ldap_conns_per_server",
+ KRB5_CONF_LDAP_CONNS_PER_SERVER,
 DEFAULT_CONNS_PER_SERVER,
 &ldap_context->max_server_conns);
 if (st)
@@ -208,9 +208,9 @@ krb5_ldap_read_server_params(context, conf_section, srv_type)
 if (ldap_context->bind_dn == NULL) {
 char *name = 0;
 if (srv_type == KRB5_KDB_SRV_TYPE_KDC)
- name = "ldap_kdc_dn";
+ name = KRB5_CONF_LDAP_KDC_DN;
 else if (srv_type == KRB5_KDB_SRV_TYPE_ADMIN)
- name = "ldap_kadmind_dn";
+ name = KRB5_CONF_LDAP_KADMIN_DN;
 else if (srv_type == KRB5_KDB_SRV_TYPE_PASSWD)
 name = "ldap_kpasswdd_dn";
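Review bot: In the bind-DN selection (hunk `@@ -208,9 +208,9 @@`) the literal "ldap_kadmind_dn" becomes KRB5_CONF_LDAP_KADMIN_DN, a macro whose name drops the trailing "d"; its definition in k5-int.h is outside this chunk, so please confirm it still expands to "ldap_kadmind_dn", otherwise kadmind would silently stop finding its configured bind DN and the admin server would bind with no (or a wrong) identity. The PASSWD branch keeps the literal "ldap_kpasswdd_dn" while its two siblings now use macros; if k5-int.h provides a macro for that key, use it here too, and if it does not, a one-line comment such as `/* no KRB5_CONF_ macro for this key yet */` would explain the asymmetry to the next reader. krb5_ldap_read_server_params continues before and after this hunk.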
@@ -229,7 +229,7 @@ krb5_ldap_read_server_params(context, conf_section, srv_type)
 */
 if (ldap_context->service_password_file == NULL) {
 st = prof_get_string_def (context, conf_section,
- "ldap_service_password_file",
+ KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE,
 &ldap_context->service_password_file);
 if (st)
 goto cleanup;
@@ -243,7 +243,7 @@ krb5_ldap_read_server_params(context, conf_section, srv_type)
 */
 if (ldap_context->root_certificate_file == NULL) {
 st = prof_get_string_def (context, conf_section,
- "ldap_root_certificate_file",
+ KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE,
 &ldap_context->root_certificate_file);
 if (st)
 goto cleanup;
@@ -268,7 +268,7 @@ krb5_ldap_read_server_params(context, conf_section, srv_type)
 }
 if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
- "ldap_servers", NULL, &tempval)) != 0) {
+ KRB5_CONF_LDAP_SERVERS, NULL, &tempval)) != 0) {
 krb5_set_error_message (context, st, "Error reading 'ldap_servers' attribute");
 goto cleanup;
 }
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 0d6da4dc5..7e3689592 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -38,6 +38,7 @@
 #include
 #include
+#include "k5-int.h"
 #include "pkinit.h"
 #ifdef LONGHORN_BETA_COMPAT
@@ -548,7 +549,7 @@ verify_kdc_san(krb5_context context,
 retval = pkinit_libdefault_strings(context,
 krb5_princ_realm(context, kdcprinc),
- "pkinit_kdc_hostname",
+ KRB5_CONF_PKINIT_KDC_HOSTNAME,
 &cfghosts);
 if (retval || cfghosts == NULL) {
 pkiDebug("%s: No pkinit_kdc_hostname values found in config file\n",
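Review bot: The error text in hunk `@@ -268,7 +268,7 @@` still names the key as a literal, "Error reading 'ldap_servers' attribute", immediately after the lookup itself switched to KRB5_CONF_LDAP_SERVERS, so the message and the key can now drift apart if the macro's value is ever changed. krb5_set_error_message takes a printf-style format, so `krb5_set_error_message (context, st, "Error reading '%s' attribute", KRB5_CONF_LDAP_SERVERS);` keeps the two tied together at no cost. This is a style point only; the lookup and its error handling are otherwise unchanged, and krb5_ldap_read_server_params continues outside the hunk.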
@@ -936,19 +937,19 @@ pkinit_client_profile(krb5_context context,
 context, plgctx, reqctx, request);
 pkinit_libdefault_boolean(context, &request->server->realm,
- "pkinit_win2k",
+ KRB5_CONF_PKINIT_WIN2K,
 reqctx->opts->win2k_target,
 &reqctx->opts->win2k_target);
 pkinit_libdefault_boolean(context, &request->server->realm,
- "pkinit_win2k_require_binding",
+ KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING,
 reqctx->opts->win2k_require_cksum,
 &reqctx->opts->win2k_require_cksum);
 pkinit_libdefault_boolean(context, &request->server->realm,
- "pkinit_require_crl_checking",
+ KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING,
 reqctx->opts->require_crl_checking,
 &reqctx->opts->require_crl_checking);
 pkinit_libdefault_integer(context, &request->server->realm,
- "pkinit_dh_min_bits",
+ KRB5_CONF_PKINIT_DH_MIN_BITS,
 reqctx->opts->dh_size,
 &reqctx->opts->dh_size);
 if (reqctx->opts->dh_size != 1024 && reqctx->opts->dh_size != 2048
@@ -959,7 +960,7 @@ pkinit_client_profile(krb5_context context,
 reqctx->opts->dh_size = PKINIT_DEFAULT_DH_MIN_BITS;
 }
 pkinit_libdefault_string(context, &request->server->realm,
- "pkinit_eku_checking",
+ KRB5_CONF_PKINIT_EKU_CHECKING,
 &eku_string);
 if (eku_string != NULL) {
 if (strcasecmp(eku_string, "kpKDC") == 0) {
@@ -980,7 +981,7 @@ pkinit_client_profile(krb5_context context,
 #ifdef LONGHORN_BETA_COMPAT
 /* Temporarily just set global flag from config file */
 pkinit_libdefault_boolean(context, &request->server->realm,
- "pkinit_longhorn",
+ KRB5_CONF_PKINIT_LONGHORN,
 0, &longhorn);
 #endif
@@ -988,16 +989,16 @@ pkinit_client_profile(krb5_context context,
 /* Only process anchors here if they were not specified on command line */
 if (reqctx->idopts->anchors == NULL)
 pkinit_libdefault_strings(context, &request->server->realm,
- "pkinit_anchors",
+ KRB5_CONF_PKINIT_ANCHORS,
 &reqctx->idopts->anchors);
 pkinit_libdefault_strings(context, &request->server->realm,
- "pkinit_pool",
+ KRB5_CONF_PKINIT_POOL,
 &reqctx->idopts->intermediates);
 pkinit_libdefault_strings(context, &request->server->realm,
- "pkinit_revoke",
+ KRB5_CONF_PKINIT_REVOKE,
 &reqctx->idopts->crls);
 pkinit_libdefault_strings(context, &request->server->realm,
- "pkinit_identities",
+ KRB5_CONF_PKINIT_IDENTITIES,
 &reqctx->idopts->identity_alt);
 }
diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
index b790c38f7..aa59a7f4e 100644
--- a/src/plugins/preauth/pkinit/pkinit_matching.c
+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
@@ -34,7 +34,7 @@
 #include
 #include
 #include
-#include
+#include "k5-int.h"
 #include "pkinit.h"
 typedef struct _pkinit_cert_info pkinit_cert_info;
@@ -746,7 +746,7 @@ pkinit_cert_matching(krb5_context context,
 /* If no matching rules, select the default cert and we're done */
 pkinit_libdefault_strings(context, krb5_princ_realm(context, princ),
- "pkinit_cert_match", &rules);
+ KRB5_CONF_PKINIT_CERT_MATCH, &rules);
 if (rules == NULL) {
 pkiDebug("%s: no matching rules found in config file\n", __FUNCTION__);
 retval = crypto_cert_select_default(context, plg_cryptoctx,
diff --git a/src/plugins/preauth/pkinit/pkinit_profile.c b/src/plugins/preauth/pkinit/pkinit_profile.c
index 1f7045aca..6b1b45b26 100644
--- a/src/plugins/preauth/pkinit/pkinit_profile.c
+++ b/src/plugins/preauth/pkinit/pkinit_profile.c
@@ -114,7 +114,7 @@ pkinit_kdcdefault_strings(krb5_context context, const char *realmname,
 * }
 */
- names[0] = "realms";
+ names[0] = KRB5_CONF_REALMS;
 names[1] = realmname;
 names[2] = option;
 names[3] = 0;
@@ -130,7 +130,7 @@ pkinit_kdcdefault_strings(krb5_context context, const char *realmname,
 * option =
 */
- names[0] = "kdcdefaults";
+ names[0] = KRB5_CONF_KDCDEFAULTS;
 names[1] = option;
 names[2] = 0;
 retval = profile_get_values(profile, names, &values);
@@ -256,7 +256,7 @@ pkinit_libdefault_strings(krb5_context context, const krb5_data *realm,
 * }
 */
- names[0] = "libdefaults";
+ names[0] = KRB5_CONF_LIBDEFAULTS;
 names[1] = realmstr;
 names[2] = option;
 names[3] = 0;
@@ -273,7 +273,7 @@ pkinit_libdefault_strings(krb5_context context, const krb5_data *realm,
 * }
 */
- names[0] = "realms";
+ names[0] = KRB5_CONF_REALMS;
 names[1] = realmstr;
 names[2] = option;
 names[3] = 0;
@@ -289,7 +289,7 @@ pkinit_libdefault_strings(krb5_context context, const krb5_data *realm,
 * option =
 */
- names[0] = "libdefaults";
+ names[0] = KRB5_CONF_LIBDEFAULTS;
 names[1] = option;
 names[2] = 0;
 retval = profile_get_values(profile, names, &values);
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 595a3d04d..ac39bdb51 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -33,6 +33,7 @@
 #include
 #include
+#include "k5-int.h"
 #include "pkinit.h"
 static krb5_error_code
@@ -1092,7 +1093,7 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
 pkiDebug("%s: entered for realm %s\n", __FUNCTION__, plgctx->realmname);
 retval = pkinit_kdcdefault_string(context, plgctx->realmname,
- "pkinit_identity",
+ KRB5_CONF_PKINIT_IDENTITY,
 &plgctx->idopts->identity);
 if (retval != 0 || NULL == plgctx->idopts->identity) {
 retval = EINVAL;
@@ -1103,7 +1104,7 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
 }
 retval = pkinit_kdcdefault_strings(context, plgctx->realmname,
- "pkinit_anchors",
+ KRB5_CONF_PKINIT_ANCHORS,
 &plgctx->idopts->anchors);
 if (retval != 0 || NULL == plgctx->idopts->anchors) {
 retval = EINVAL;
@@ -1114,26 +1115,26 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
 }
 pkinit_kdcdefault_strings(context, plgctx->realmname,
- "pkinit_pool",
+ KRB5_CONF_PKINIT_POOL,
 &plgctx->idopts->intermediates);
 pkinit_kdcdefault_strings(context, plgctx->realmname,
- "pkinit_revoke",
+ KRB5_CONF_PKINIT_REVOKE,
 &plgctx->idopts->crls);
 pkinit_kdcdefault_string(context, plgctx->realmname,
- "pkinit_kdc_ocsp",
+ KRB5_CONF_PKINIT_KDC_OCSP,
 &plgctx->idopts->ocsp);
 pkinit_kdcdefault_string(context, plgctx->realmname,
- "pkinit_mappings_file",
+ KRB5_CONF_PKINIT_MAPPING_FILE,
 &plgctx->idopts->dn_mapping_file);
 pkinit_kdcdefault_integer(context, plgctx->realmname,
- "pkinit_dh_min_bits",
+ KRB5_CONF_PKINIT_DH_MIN_BITS,
 PKINIT_DEFAULT_DH_MIN_BITS,
 &plgctx->opts->dh_min_bits);
- if (plgctx->opts->dh_min_bits < 1024) {
+ if (plgctx->opts->dh_min_bits < PKINIT_DEFAULT_DH_MIN_BITS) {
 pkiDebug("%s: invalid value (%d) for pkinit_dh_min_bits, " "using default value (%d) instead\n", __FUNCTION__, plgctx->opts->dh_min_bits, PKINIT_DEFAULT_DH_MIN_BITS);
@@ -1141,15 +1142,15 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
 }
 pkinit_kdcdefault_boolean(context, plgctx->realmname,
- "pkinit_allow_upn",
+ KRB5_CONF_PKINIT_ALLOW_UPN,
 0, &plgctx->opts->allow_upn);
 pkinit_kdcdefault_boolean(context, plgctx->realmname,
- "pkinit_require_crl_checking",
+ KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING,
 0, &plgctx->opts->require_crl_checking);
 pkinit_kdcdefault_string(context, plgctx->realmname,
- "pkinit_eku_checking",
+ KRB5_CONF_PKINIT_EKU_CHECKING,
 &eku_string);
 if (eku_string != NULL) {
 if (strcasecmp(eku_string, "kpClientAuth") == 0) {
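Review bot: The changed floor check `if (plgctx->opts->dh_min_bits < PKINIT_DEFAULT_DH_MIN_BITS) {` in hunk `@@ -1114,26 +1115,26 @@` now ties the smallest accepted pkinit_dh_min_bits to the default value, where the old code had a fixed 1024-bit floor; the two presumably coincide today, but raising the default later would also silently reject smaller configured sizes, and the fallback is only reported through pkiDebug rather than an error the administrator would see. In the same hunk "pkinit_mappings_file" becomes KRB5_CONF_PKINIT_MAPPING_FILE, whose name drops the "s"; the macro body lives in k5-int.h outside this chunk, so confirm it still expands to the original key or the KDC will silently stop reading its DN mapping file. If the intent is that the default is also the minimum the KDC will honour, say so next to the check, e.g. `/* The default DH size is also the floor: smaller groups are weaker than we accept, so reset to it. */`; otherwise introduce a separate minimum constant rather than reusing the default. The if block and the assignment that resets dh_min_bits continue past this hunk, and pkinit_init_kdc_profile begins before it.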