From 584eb44cb9d962c3ba309bc5e5ee9f8168fa4e17 Mon Sep 17 00:00:00 2001 From: Johan Danielsson Date: Fri, 1 Aug 1997 14:47:43 +0000 Subject: [PATCH] Pass context to kdc_log. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@2664 ec53bebd-3082-4978-b11e-865c3cabbd6b --- kdc/connect.c | 2 +- kdc/kerberos4.c | 50 ++++++++++--------- kdc/kerberos5.c | 128 +++++++++++++++++++++++++++--------------------- kdc/main.c | 6 +-- kdc/misc.c | 2 +- 5 files changed, 104 insertions(+), 84 deletions(-) diff --git a/kdc/connect.c b/kdc/connect.c index 474249acc..16343e4b0 100644 --- a/kdc/connect.c +++ b/kdc/connect.c @@ -133,7 +133,7 @@ do_request(krb5_context context, void *buf, size_t len, reply.length = 0; ret = process_request(context, buf, len, &reply, addr, from); if(reply.length){ - kdc_log(5, "sending %d bytes to %s", reply.length, addr); + kdc_log(context, 5, "sending %d bytes to %s", reply.length, addr); sendto(socket, reply.data, reply.length, 0, from, from_len); krb5_data_free(&reply); } diff --git a/kdc/kerberos4.c b/kdc/kerberos4.c index 645a62073..d4715a45c 100644 --- a/kdc/kerberos4.c +++ b/kdc/kerberos4.c @@ -40,6 +40,8 @@ RCSID("$Id$"); +#ifdef KRB4 + static u_int32_t swap32(u_int32_t x) { @@ -97,7 +99,7 @@ do_version4(krb5_context context, sp = krb5_storage_from_mem(buf, len); RCHECK(krb5_ret_int8(sp, &pvno), out); if(pvno != 4){ - kdc_log(0, "Protocol version mismatch (%d)", pvno); + kdc_log(context, 0, "Protocol version mismatch (%d)", pvno); make_err_reply(reply, KDC_PKT_VER, NULL); goto out; } 
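Review bot: In the connect.c hunk the result of `sendto` is discarded, so the "sending ... bytes" line is logged even when nothing is sent and a failed reply leaves no trace in the KDC log. The format also prints `reply.length` with `%d`; if that field is a `size_t` (its declaration is not visible here), the argument does not match the conversion. Suggested: `kdc_log(context, 5, "sending %lu bytes to %s", (unsigned long)reply.length, addr);` and `if(sendto(socket, reply.data, reply.length, 0, from, from_len) < 0) kdc_log(context, 0, "sendto %s failed", addr);`. do_request starts and ends outside the hunk.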
@@ -115,14 +117,14 @@ do_version4(krb5_context context, RCHECK(krb5_ret_int8(sp, &life), out1); RCHECK(krb5_ret_stringz(sp, &sname), out1); RCHECK(krb5_ret_stringz(sp, &sinst), out1); - kdc_log(0, "AS-REQ %s.%s@%s from %s for %s.%s", + kdc_log(context, 0, "AS-REQ %s.%s@%s from %s for %s.%s", name, inst, realm, from, sname, sinst); ret = krb5_425_conv_principal(context, name, inst, realm, &client_princ); if(ret){ - kdc_log(0, "Converting client principal: %s", + kdc_log(context, 0, "Converting client principal: %s", krb5_get_err_text(context, ret)); make_err_reply(reply, KFAILURE, "Failed to convert v4 principal (client)"); @@ -132,7 +134,7 @@ do_version4(krb5_context context, ret = krb5_425_conv_principal(context, sname, sinst, v4_realm, &server_princ); if(ret){ - kdc_log(0, "Converting server principal: %s", + kdc_log(context, 0, "Converting server principal: %s", krb5_get_err_text(context, ret)); make_err_reply(reply, KFAILURE, "Failed to convert v4 principal (server)"); @@ -141,14 +143,14 @@ do_version4(krb5_context context, client = db_fetch(context, client_princ); if(client == NULL){ - kdc_log(0, "Client not found in database: %s.%s@%s", + kdc_log(context, 0, "Client not found in database: %s.%s@%s", name, inst, realm); make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); goto out1; } server = db_fetch(context, server_princ); if(server == NULL){ - kdc_log(0, "Server not found in database: %s.%s@%s", + kdc_log(context, 0, "Server not found in database: %s.%s@%s", sname, sinst, v4_realm); make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); goto out1; @@ -156,7 +158,7 @@ do_version4(krb5_context context, ret = hdb_keytype2key(context, client, KEYTYPE_DES, &ckey); if(ret){ - kdc_log(0, "%s", krb5_get_err_text(context, ret)); + kdc_log(context, 0, "%s", krb5_get_err_text(context, ret)); /* XXX */ make_err_reply(reply, KDC_NULL_KEY, "No DES key in database (client)"); 
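Review bot: The AS-REQ log line in the first hunk writes `name`, `inst`, `realm`, `sname` and `sinst` with `%s`, although they were read from the request by `krb5_ret_stringz` before any authentication. If `kdc_log` emits the formatted text unchanged (its body is not in this diff), a sender can place newlines or control characters in the KDC log and forge or split entries. Now that every call passes `context`, escaping is best done once inside `kdc_log`. Until then a comment at this call would help: `/* name/inst/realm/sname/sinst come from the unauthenticated packet; kdc_log must escape non-printable bytes */`. The same applies to the other kerberos4.c hunks that log these strings.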
@@ -167,7 +169,7 @@ do_version4(krb5_context context, while(ckey->salt == NULL || ckey->salt->length != 0) ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey); if(ret){ - kdc_log(0, "No version-4 salted key in database -- %s.%s@%s", + kdc_log(context, 0, "No version-4 salted key in database -- %s.%s@%s", name, inst, realm); make_err_reply(reply, KDC_NULL_KEY, "No version-4 salted key in database"); @@ -176,7 +178,7 @@ do_version4(krb5_context context, ret = hdb_keytype2key(context, server, KEYTYPE_DES, &skey); if(ret){ - kdc_log(0, "%s", krb5_get_err_text(context, ret)); + kdc_log(context, 0, "%s", krb5_get_err_text(context, ret)); /* XXX */ make_err_reply(reply, KDC_NULL_KEY, "No DES key in database (server)"); @@ -236,7 +238,7 @@ do_version4(krb5_context context, ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm, &tgt_princ); if(ret){ - kdc_log(0, "Converting krbtgt principal: %s", + kdc_log(context, 0, "Converting krbtgt principal: %s", krb5_get_err_text(context, ret)); make_err_reply(reply, KFAILURE, "Failed to convert v4 principal (krbtgt)"); @@ -246,7 +248,7 @@ do_version4(krb5_context context, tgt = db_fetch(context, tgt_princ); if(tgt == NULL){ char *s; - s = kdc_log_msg(0, "Ticket-granting ticket not " + s = kdc_log_msg(context, 0, "Ticket-granting ticket not " "found in database: krbtgt.%s@%s", realm, v4_realm); make_err_reply(reply, KFAILURE, s); @@ -260,7 +262,7 @@ do_version4(krb5_context context, ret = hdb_keytype2key(context, tgt, KEYTYPE_DES, &tkey); if(ret){ - kdc_log(0, "%s", krb5_get_err_text(context, ret)); + kdc_log(context, 0, "%s", krb5_get_err_text(context, ret)); /* XXX */ make_err_reply(reply, KDC_NULL_KEY, "No DES key in database (krbtgt)"); 
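Review bot: The `while(ckey->salt == NULL || ckey->salt->length != 0)` loop at the top of the first hunk never tests `ret`, so a failing `hdb_next_keytype2key` is only noticed after the loop has exited on its own. If that call leaves `ckey` unchanged on failure the loop does not terminate, and if it clears `ckey` the next iteration dereferences NULL; which of the two applies depends on code outside this diff. Either way the path is reached by an AS-REQ for a principal without a version-4 salted key. Suggested: `while(ret == 0 && (ckey->salt == NULL || ckey->salt->length != 0))`.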
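Review bot: In the `tgt == NULL` branch the pointer returned by `kdc_log_msg` is passed to `make_err_reply` without a NULL check, and no `free(s)` is visible before the hunk ends. The later hunks for the missing client and the missing server in the TGS path do call `free(s)`, but they have the same unchecked pointer. If `kdc_log_msg` allocates the message, which the `free(s)` calls suggest, an allocation failure passes NULL as the reply text. Suggested: `make_err_reply(reply, KFAILURE, s ? s : "Ticket-granting ticket not found");` and confirm that `s` is freed on this path as well.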
@@ -284,7 +286,7 @@ do_version4(krb5_context context, e = krb_rd_req(&auth, "krbtgt", realm, addr->sin_addr.s_addr, &ad, 0); if(e){ - kdc_log(0, "krb_rd_req: %s", krb_get_err_text(e)); + kdc_log(context, 0, "krb_rd_req: %s", krb_get_err_text(e)); make_err_reply(reply, ret, NULL); goto out2; } @@ -296,18 +298,18 @@ do_version4(krb5_context context, RCHECK(krb5_ret_int8(sp, &life), out2); RCHECK(krb5_ret_stringz(sp, &sname), out2); RCHECK(krb5_ret_stringz(sp, &sinst), out2); - kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s.%s", + kdc_log(context, 0, "TGS-REQ %s.%s@%s from %s for %s.%s", ad.pname, ad.pinst, ad.prealm, from, sname, sinst); if(strcmp(ad.prealm, realm)){ - kdc_log(0, "Can't hop realms %s -> %s", realm, ad.prealm); + kdc_log(context, 0, "Can't hop realms %s -> %s", realm, ad.prealm); make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, "Can't hop realms"); goto out2; } if(strcmp(sname, "changepw") == 0){ - kdc_log(0, "Bad request for changepw ticket"); + kdc_log(context, 0, "Bad request for changepw ticket"); make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, "Can't authorize password change based on TGT"); goto out2; @@ -316,7 +318,7 @@ do_version4(krb5_context context, ret = krb5_425_conv_principal(context, ad.pname, ad.pinst, ad.prealm, &client_princ); if(ret){ - kdc_log(0, "Converting client principal: %s", + kdc_log(context, 0, "Converting client principal: %s", krb5_get_err_text(context, ret)); make_err_reply(reply, KFAILURE, "Failed to convert v4 principal (client)"); @@ -326,7 +328,8 @@ do_version4(krb5_context context, client = db_fetch(context, client_princ); if(client == NULL){ char *s; - s = kdc_log_msg(0, "Client not found in database: %s.%s@%s", + s = kdc_log_msg(context, 0, + "Client not found in database: %s.%s@%s", ad.pname, ad.pinst, ad.prealm); make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); free(s); 
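Review bot: In the `krb_rd_req` failure branch of the first hunk the error reply is built from `ret`, not from `e`, which is the value that was just tested and logged. `ret` still holds the result of an earlier call outside this hunk, presumably success, so the client may receive a reply whose code does not reflect the authentication failure. Suggested: `make_err_reply(reply, e, NULL);`. do_version4 starts and ends outside the hunk.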
@@ -336,7 +339,7 @@ do_version4(krb5_context context, ret = krb5_425_conv_principal(context, sname, sinst, v4_realm, &server_princ); if(ret){ - kdc_log(0, "Converting server principal: %s", + kdc_log(context, 0, "Converting server principal: %s", krb5_get_err_text(context, ret)); make_err_reply(reply, KFAILURE, "Failed to convert v4 principal (server)"); @@ -345,7 +348,8 @@ do_version4(krb5_context context, server = db_fetch(context, server_princ); if(server == NULL){ char *s; - s = kdc_log_msg(0, "Server not found in database: %s.%s@%s", + s = kdc_log_msg(context, 0, + "Server not found in database: %s.%s@%s", sname, sinst, v4_realm); make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); free(s); @@ -354,7 +358,7 @@ do_version4(krb5_context context, ret = hdb_keytype2key(context, server, KEYTYPE_DES, &skey); if(ret){ - kdc_log(0, "%s", krb5_get_err_text(context, ret)); + kdc_log(context, 0, "%s", krb5_get_err_text(context, ret)); /* XXX */ make_err_reply(reply, KDC_NULL_KEY, "No DES key in database (server)"); @@ -406,7 +410,7 @@ do_version4(krb5_context context, case AUTH_MSG_ERR_REPLY: break; default: - kdc_log(0, "Unknown message type: %d from %s", + kdc_log(context, 0, "Unknown message type: %d from %s", msg_type, from); make_err_reply(reply, KFAILURE, "Unknown message type"); @@ -433,3 +437,5 @@ out: krb5_storage_free(sp); return 0; } + +#endif diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index d18bef32a..74af9eb74 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c 
@@ -80,14 +80,15 @@ as_rep(krb5_context context, principalname2krb5_principal (&client_princ, *(b->cname), b->realm); krb5_unparse_name(context, client_princ, &client_name); } - kdc_log(0, "AS-REQ %s from %s for %s", client_name, from, server_name); + kdc_log(context, 0, "AS-REQ %s from %s for %s", + client_name, from, server_name); if(ret) goto out; client = db_fetch(context, client_princ); if(client == NULL){ - kdc_log(0, "UNKNOWN -- %s", client_name); + kdc_log(context, 0, "UNKNOWN -- %s", client_name); ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; goto out; } @@ -95,7 +96,7 @@ as_rep(krb5_context context, server = db_fetch(context, server_princ); if(server == NULL){ - kdc_log(0, "UNKNOWN -- %s", server_name); + kdc_log(context, 0, "UNKNOWN -- %s", server_name); ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto out; } @@ -103,12 +104,13 @@ as_rep(krb5_context context, if(!client->flags.client){ ret = KRB5KDC_ERR_POLICY; - kdc_log(0, "Principal may not act as client -- %s", client_name); + kdc_log(context, 0, "Principal may not act as client -- %s", + client_name); goto out; } if(!server->flags.server){ ret = KRB5KDC_ERR_POLICY; - kdc_log(0, "Principal (%s) may not act as server -- %s", + kdc_log(context, 0, "Principal (%s) may not act as server -- %s", server_name, client_name); goto out; } @@ -126,7 +128,7 @@ as_rep(krb5_context context, if(ret){ ret = KRB5KDC_ERR_ETYPE_NOSUPP; - kdc_log(0, "No support for etypes -- %s", client_name); + kdc_log(context, 0, "No support for etypes -- %s", client_name); goto out; } @@ -139,7 +141,7 @@ as_rep(krb5_context context, int i; PA_DATA *pa; int found_pa = 0; - kdc_log(5, "Looking for pa-data -- %s", client_name); + kdc_log(context, 5, "Looking for pa-data -- %s", client_name); for(i = 0; i < req->padata->len; i++){ PA_DATA *pa = &req->padata->val[i]; if(pa->padata_type == pa_enc_timestamp){ 
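Review bot: The AS-REQ line in the first hunk is logged before `if(ret) goto out;`, so when `ret` is already set `client_name` or `server_name` may never have been assigned and is still passed to `%s`. The result of `krb5_unparse_name` is ignored as well. The same unchecked pattern is in the tgs_rep2 hunks (`krb5_unparse_name(context, princ, &p)` and `krb5_unparse_name(context, cp, &cpn)`). Each unparse result should be tested, and the log call should fall back to a fixed string when a name is missing, for example `client_name ? client_name : "<unknown client>"`. as_rep starts outside the hunk, so the initial values of the name pointers are not visible.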
@@ -149,7 +151,8 @@ as_rep(krb5_context context, size_t len; EncryptedData enc_data; - kdc_log(5, "Found pa-enc-timestamp -- %s", client_name); + kdc_log(context, 5, "Found pa-enc-timestamp -- %s", + client_name); found_pa = 1; ret = decode_EncryptedData(pa->padata_value.data, @@ -158,7 +161,8 @@ as_rep(krb5_context context, &len); if (ret) { ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - kdc_log(5, "Failed to decode PA-DATA -- %s", client_name); + kdc_log(context, 5, "Failed to decode PA-DATA -- %s", + client_name); goto out; } @@ -174,7 +178,7 @@ as_rep(krb5_context context, free_EncryptedData(&enc_data); if(ret){ e_text = "Failed to decrypt PA-DATA"; - kdc_log (5, "Failed to decrypt PA-DATA -- %s", + kdc_log (context, 5, "Failed to decrypt PA-DATA -- %s", client_name); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; continue; @@ -187,7 +191,7 @@ as_rep(krb5_context context, if(ret){ e_text = "Failed to decode PA-ENC-TS-ENC"; ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - kdc_log (5, "Failed to decode PA-ENC-TS_ENC -- %s", + kdc_log (context, 5, "Failed to decode PA-ENC-TS_ENC -- %s", client_name); continue; } @@ -203,14 +207,16 @@ as_rep(krb5_context context, server_princ, 0, reply); - kdc_log(0, "Too large time skew -- %s", client_name); + kdc_log(context, 0, "Too large time skew -- %s", + client_name); goto out2; } et.flags.pre_authent = 1; - kdc_log(2, "Pre-authentication succeded -- %s", client_name); + kdc_log(context, 2, "Pre-authentication succeded -- %s", + client_name); break; } else { - kdc_log(5, "Found pa-data of type %d -- %s", + kdc_log(context, 5, "Found pa-data of type %d -- %s", pa->padata_type, client_name); } } @@ -220,7 +226,7 @@ as_rep(krb5_context context, /* We come here if we found a pa-enc-timestamp, but if there was some problem with it, other than too large skew */ if(et.flags.pre_authent == 0){ - kdc_log(0, "%s -- %s", e_text, client_name); + kdc_log(context, 0, "%s -- %s", e_text, client_name); e_text = NULL; goto out; } 
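Review bot: The pre-authentication success message in the time-skew hunk is misspelled ("succeded"), and the commit rewrites the line without correcting it. Log searches or alert rules that match on "succeeded" will miss successful pre-authentication for a client. Suggested: `kdc_log(context, 2, "Pre-authentication succeeded -- %s",` with the argument line unchanged. The changed log text is worth a line in the change notes for anyone already parsing these logs.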
@@ -256,11 +262,11 @@ as_rep(krb5_context context, 0, reply); - kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name); + kdc_log(context, 0, "No PA-ENC-TIMESTAMP -- %s", client_name); goto out2; } - kdc_log(2, "Using etype %d -- %s", etype, client_name); + kdc_log(context, 2, "Using etype %d -- %s", etype, client_name); memset(&rep, 0, sizeof(rep)); rep.pvno = 5; @@ -273,7 +279,7 @@ as_rep(krb5_context context, if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey){ ret = KRB5KDC_ERR_BADOPTION; - kdc_log(0, "Bad KDC options -- %s", client_name); + kdc_log(context, 0, "Bad KDC options -- %s", client_name); goto out; } @@ -282,21 +288,21 @@ as_rep(krb5_context context, et.flags.forwardable = f.forwardable; else{ ret = KRB5KDC_ERR_POLICY; - kdc_log(0, "Ticket may not be forwardable -- %s", client_name); + kdc_log(context, 0, "Ticket may not be forwardable -- %s", client_name); goto out; } if(client->flags.proxiable && server->flags.proxiable) et.flags.proxiable = f.proxiable; else{ ret = KRB5KDC_ERR_POLICY; - kdc_log(0, "Ticket may not be proxiable -- %s", client_name); + kdc_log(context, 0, "Ticket may not be proxiable -- %s", client_name); goto out; } if(client->flags.postdate && server->flags.postdate) et.flags.may_postdate = f.allow_postdate; else{ ret = KRB5KDC_ERR_POLICY; - kdc_log(0, "Ticket may not be postdatable -- %s", client_name); + kdc_log(context, 0, "Ticket may not be postdatable -- %s", client_name); goto out; } @@ -315,7 +321,8 @@ as_rep(krb5_context context, start = *et.starttime = *req->req_body.from; et.flags.invalid = 1; et.flags.postdated = 1; /* XXX ??? */ - kdc_log(2, "Postdated ticket requested -- %s", client_name); + kdc_log(context, 2, "Postdated ticket requested -- %s", + client_name); } if(b->till == 0) b->till = MAX_TIME; 
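Review bot: In the forwardable, proxiable and postdate checks, the `else` branch returns `KRB5KDC_ERR_POLICY` whenever the client or server entry lacks the flag, whether or not the request asked for that option. As written, a plain AS-REQ for a principal that is simply not forwardable is refused and logged as a policy violation, which blocks legitimate logins and puts noise in the policy-failure log. Suggested: `else if(f.forwardable){`, `else if(f.proxiable){` and `else if(f.allow_postdate){` on the three branches. as_rep continues outside the hunk.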
@@ -360,7 +367,13 @@ as_rep(krb5_context context, } copy_EncryptionKey(&et.key, &ek.key); - /* MIT must have at least one last_req */ + + /* The MIT ASN.1 library (obviously) doesn't tell lengths encoded + * as 0 and as 0x80 (meaning indefinite length) apart, and is thus + * incapable to correctly decode vectors of zero length. + * + * To fix this, always send at least one no-op last_req + */ ek.last_req.len = 1; ALLOC(ek.last_req.val); ek.last_req.val->lr_type = 0; @@ -394,7 +407,7 @@ as_rep(krb5_context context, &et, &len); free_EncTicketPart(&et); if(ret) { - kdc_log(0, "Failed to encode ticket -- %s", client); + kdc_log(context, 0, "Failed to encode ticket -- %s", client); goto out; } @@ -411,7 +424,7 @@ as_rep(krb5_context context, &ek, &len); free_EncKDCRepPart(&ek); if(ret) { - kdc_log(0, "Failed to encode KDC-REP -- %s", client_name); + kdc_log(context, 0, "Failed to encode KDC-REP -- %s", client_name); goto out; } ekey = unseal_key(ckey); @@ -433,7 +446,7 @@ as_rep(krb5_context context, ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len); free_AS_REP(&rep); if(ret) { - kdc_log(0, "Failed to encode AS-REP -- %s", client_name); + kdc_log(context, 0, "Failed to encode AS-REP -- %s", client_name); goto out; } 
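Review bot: In the first hunk `ek.last_req.val->lr_type = 0;` dereferences the pointer directly after `ALLOC(ek.last_req.val);` with no NULL check. If `ALLOC` is a plain allocation macro (its definition is not in this diff), an out-of-memory condition while building a reply crashes the KDC instead of failing the single request. Suggested: `if(ek.last_req.val == NULL){ ret = ENOMEM; goto out; }`, provided the cleanup under `out` tolerates a partly filled `ek`. The new comment would also read better as "and is thus unable to decode zero-length vectors correctly".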
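Review bot: The "Failed to encode ticket" call passes `client` to `%s`, but `client` is the database entry returned by `db_fetch` and dereferenced as `client->flags` earlier in as_rep. It is not a string. On this error path the logger reads the entry structure as a C string, which is undefined behaviour and may copy bytes of the principal's database record into the log. The commit touches the line but keeps the argument. Suggested: `kdc_log(context, 0, "Failed to encode ticket -- %s", client_name);`.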
@@ -476,30 +489,30 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b, if(f.validate){ if(!tgt->flags.invalid || tgt->starttime == NULL){ - kdc_log(0, "Bad request to validate ticket"); + kdc_log(context, 0, "Bad request to validate ticket"); return KRB5KDC_ERR_BADOPTION; } if(*tgt->starttime < kdc_time){ - kdc_log(0, "Early request to validate ticket"); + kdc_log(context, 0, "Early request to validate ticket"); return KRB5KRB_AP_ERR_TKT_NYV; } /* XXX tkt = tgt */ et->flags.invalid = 0; }else if(tgt->flags.invalid){ - kdc_log(0, "Ticket-granting ticket has INVALID flag set"); + kdc_log(context, 0, "Ticket-granting ticket has INVALID flag set"); return KRB5KRB_AP_ERR_TKT_INVALID; } if(f.forwardable){ if(!tgt->flags.forwardable){ - kdc_log(0, "Bad request for forwardable ticket"); + kdc_log(context, 0, "Bad request for forwardable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.forwardable = 1; } if(f.forwarded){ if(!tgt->flags.forwardable){ - kdc_log(0, "Request to forward non-forwardable ticket"); + kdc_log(context, 0, "Request to forward non-forwardable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.forwarded = 1; @@ -510,14 +523,14 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b, if(f.proxiable){ if(!tgt->flags.proxiable){ - kdc_log(0, "Bad request for proxiable ticket"); + kdc_log(context, 0, "Bad request for proxiable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.proxiable = 1; } if(f.proxy){ if(!tgt->flags.proxiable){ - kdc_log(0, "Request to proxy non-proxiable ticket"); + kdc_log(context, 0, "Request to proxy non-proxiable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.proxy = 1; 
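Review bot: The start-time test in the `f.validate` branch looks inverted: `if(*tgt->starttime < kdc_time)` logs "Early request to validate ticket" and returns `KRB5KRB_AP_ERR_TKT_NYV`, yet a start time earlier than the current time means the ticket is already due. As written, a postdated ticket whose start time has passed cannot be validated, while one whose start time is still in the future falls through to `et->flags.invalid = 0` and is validated early. Suggested: `if(*tgt->starttime > kdc_time){`. check_tgs_flags starts and ends outside the hunk.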
@@ -528,14 +541,14 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b, if(f.allow_postdate){ if(!tgt->flags.may_postdate){ - kdc_log(0, "Bad request for post-datable ticket"); + kdc_log(context, 0, "Bad request for post-datable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.may_postdate = 1; } if(f.postdated){ if(!tgt->flags.may_postdate){ - kdc_log(0, "Bad request for postdated ticket"); + kdc_log(context, 0, "Bad request for postdated ticket"); return KRB5KDC_ERR_BADOPTION; } if(b->from) @@ -543,13 +556,13 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b, et->flags.postdated = 1; et->flags.invalid = 1; }else if(b->from && *b->from > kdc_time + context->max_skew){ - kdc_log(0, "Ticket cannot be postdated"); + kdc_log(context, 0, "Ticket cannot be postdated"); return KRB5KDC_ERR_CANNOT_POSTDATE; } if(f.renewable){ if(!tgt->flags.renewable){ - kdc_log(0, "Bad request for renewable ticket"); + kdc_log(context, 0, "Bad request for renewable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.renewable = 1; @@ -559,7 +572,7 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b, if(f.renew){ time_t old_life; if(!tgt->flags.renewable || tgt->renew_till == NULL){ - kdc_log(0, "Request to renew non-renewable ticket"); + kdc_log(context, 0, "Request to renew non-renewable ticket"); return KRB5KDC_ERR_BADOPTION; } old_life = tgt->endtime; @@ -595,7 +608,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt, } if(ret){ - kdc_log(0, "Failed to find requested etype"); + kdc_log(context, 0, "Failed to find requested etype"); return KRB5KDC_ERR_ETYPE_NOSUPP; } @@ -704,7 +717,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt, ret = encode_EncTicketPart(buf + sizeof(buf) - 1, sizeof(buf), &et, &len); if(ret){ - kdc_log(0, "Failed to encode EncTicketPart: %s", + kdc_log(context, 0, "Failed to encode EncTicketPart: %s", krb5_get_err_text(context, ret)); goto out; } 
@@ -718,7 +731,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt, ret = encode_EncTGSRepPart(buf + sizeof(buf) - 1, sizeof(buf), &ek, &len); if(ret){ - kdc_log(0, "Failed to encode EncTicketPart: %s", + kdc_log(context, 0, "Failed to encode EncTicketPart: %s", krb5_get_err_text(context, ret)); goto out; } @@ -743,7 +756,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt, ret = encode_TGS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len); if(ret){ - kdc_log(0, "Failed to encode TGS-REP: %s", + kdc_log(context, 0, "Failed to encode TGS-REP: %s", krb5_get_err_text(context, ret)); goto out; } @@ -772,7 +785,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac, krb5_auth_getauthenticator(context, ac, &auth); if(auth->cksum == NULL){ - kdc_log(0, "No authenticator in request"); + kdc_log(context, 0, "No authenticator in request"); ret = KRB5KRB_AP_ERR_INAPP_CKSUM; goto out; } @@ -780,7 +793,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac, if (auth->cksum->cksumtype != CKSUMTYPE_RSA_MD4 && auth->cksum->cksumtype != CKSUMTYPE_RSA_MD5 && auth->cksum->cksumtype != CKSUMTYPE_RSA_MD5_DES){ - kdc_log(0, "Bad checksum type in authenticator: %d", + kdc_log(context, 0, "Bad checksum type in authenticator: %d", auth->cksum->cksumtype); ret = KRB5KRB_AP_ERR_INAPP_CKSUM; goto out; @@ -790,7 +803,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac, ret = encode_KDC_REQ_BODY(buf + sizeof(buf) - 1, sizeof(buf), b, &len); if(ret){ - kdc_log(0, "Failed to encode KDC-REQ-BODY: %s", + kdc_log(context, 0, "Failed to encode KDC-REQ-BODY: %s", krb5_get_err_text(context, ret)); goto out; } @@ -798,7 +811,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_context ac, key, auth->cksum); if(ret){ - kdc_log(0, "Failed to verify checksum: %s", + kdc_log(context, 0, "Failed to verify checksum: %s", krb5_get_err_text(context, ret)); } out: 
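Review bot: The error branch after `encode_EncTGSRepPart` in the first hunk logs "Failed to encode EncTicketPart", the same text as the earlier `encode_EncTicketPart` failure. The two failures cannot be told apart in the KDC log, which sends anyone investigating a failed TGS exchange to the wrong structure. Suggested: `kdc_log(context, 0, "Failed to encode EncTGSRepPart: %s",`.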
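Review bot: In tgs_check_authenticator the result of `krb5_auth_getauthenticator(context, ac, &auth);` is ignored and `auth->cksum` is dereferenced on the next line. If the call can fail without setting `auth`, a malformed TGS-REQ reaches a NULL or uninitialised pointer. Suggested: `ret = krb5_auth_getauthenticator(context, ac, &auth); if(ret) goto out;`, provided the cleanup under `out` (outside the hunk) handles an unset `auth`. The message for the missing-checksum case would be more accurate as `"No checksum in authenticator"`.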
@@ -833,14 +846,14 @@ tgs_rep2(krb5_context context, ret = krb5_decode_ap_req(context, &pa_data->padata_value, &ap_req); if(ret){ - kdc_log(0, "Failed to decode AP-REQ: %s", + kdc_log(context, 0, "Failed to decode AP-REQ: %s", krb5_get_err_text(context, ret)); goto out; } if(ap_req.ticket.sname.name_string.len != 2 || strcmp(ap_req.ticket.sname.name_string.val[0], "krbtgt")){ - kdc_log(0, "PA-DATA is not a ticket-granting ticket"); + kdc_log(context, 0, "PA-DATA is not a ticket-granting ticket"); ret = KRB5KDC_ERR_POLICY; /* ? */ goto out; } @@ -854,7 +867,8 @@ tgs_rep2(krb5_context context, if(krbtgt == NULL) { char *p; krb5_unparse_name(context, princ, &p); - kdc_log(0, "Ticket-granting ticket not found in database: %s", p); + kdc_log(context, 0, "Ticket-granting ticket not found in database: %s", + p); free(p); ret = KRB5KRB_AP_ERR_NOT_US; goto out; @@ -872,7 +886,7 @@ tgs_rep2(krb5_context context, krb5_free_principal(context, princ); if(ret) { - kdc_log(0, "Failed to verify AP-REQ: %s", + kdc_log(context, 0, "Failed to verify AP-REQ: %s", krb5_get_err_text(context, ret)); goto out; } @@ -884,7 +898,7 @@ tgs_rep2(krb5_context context, krb5_auth_con_free(context, ac); if(ret){ - kdc_log(0, "Failed to verify authenticator: %s", + kdc_log(context, 0, "Failed to verify authenticator: %s", krb5_get_err_text(context, ret)); goto out; } 
@@ -928,17 +942,17 @@ tgs_rep2(krb5_context context, krb5_unparse_name(context, cp, &cpn); client = db_fetch(context, cp); - kdc_log(0, "TGS-REQ %s from %s for %s", cpn, from, spn); + kdc_log(context, 0, "TGS-REQ %s from %s for %s", cpn, from, spn); if(server == NULL){ - kdc_log(0, "Server not found in database: %s", spn); + kdc_log(context, 0, "Server not found in database: %s", spn); /* do foreign realm stuff */ ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto out; } if(client == NULL){ - kdc_log(0, "Client not found in database: %s", cpn); + kdc_log(context, 0, "Client not found in database: %s", cpn); ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; goto out; } @@ -947,7 +961,7 @@ tgs_rep2(krb5_context context, !krb5_principal_compare(context, krbtgt->principal, server->principal)){ - kdc_log(0, "Inconsistent request."); + kdc_log(context, 0, "Inconsistent request."); ret = KRB5KDC_ERR_SERVER_NOMATCH; goto out; } @@ -1026,7 +1040,7 @@ tgs_rep(krb5_context context, if(req->padata == NULL){ ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */ - kdc_log(0, "TGS-REQ from %s without PA-DATA", from); + kdc_log(context, 0, "TGS-REQ from %s without PA-DATA", from); goto out; } @@ -1038,7 +1052,7 @@ tgs_rep(krb5_context context, if(pa_data == NULL){ ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; - kdc_log(0, "TGS-REQ from %s without PA-TGS-REQ", from); + kdc_log(context, 0, "TGS-REQ from %s without PA-TGS-REQ", from); goto out; } ret = tgs_rep2(context, &req->req_body, server, pa_data, data, from); diff --git a/kdc/main.c b/kdc/main.c index 1755f9989..d98f3e7e9 100644 --- a/kdc/main.c +++ b/kdc/main.c 
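Review bot: The "Inconsistent request." message in the `krb5_principal_compare` branch names neither the client, the server nor the sender. This branch fires when the presented ticket-granting ticket does not match the requested server, which is the kind of event an operator wants to attribute. `cpn`, `from` and `spn` are used by the TGS-REQ log line a few lines earlier in tgs_rep2 and appear to be in scope. Suggested: `kdc_log(context, 0, "Inconsistent request -- %s from %s for %s", cpn, from, spn);`.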
@@ -71,15 +71,15 @@ main(int argc, char **argv) EncryptionKey key; f = fopen(keyfile, "r"); if(f == NULL){ - kdc_log(0, "Failed to open master key file %s", + kdc_log(context, 0, "Failed to open master key file %s", keyfile); exit(1); } len = fread(buf, 1, sizeof(buf), f); fclose(f); if(decode_EncryptionKey(buf, len, &key, &len)){ - kdc_log(0, "Failed to parse contents of master key file %s", - keyfile); + kdc_log(context, 0, + "Failed to parse contents of master key file %s", keyfile); exit(1); } set_master_key(&key); diff --git a/kdc/misc.c b/kdc/misc.c index 4c393cb3d..6d79bd1a0 100644 --- a/kdc/misc.c +++ b/kdc/misc.c @@ -51,7 +51,7 @@ db_fetch(krb5_context context, krb5_principal principal) ret = hdb_open(context, &db, NULL, O_RDONLY, 0); if (ret) { - kdc_log(0, "Failed to open database: %s", + kdc_log(context, 0, "Failed to open database: %s", krb5_get_err_text(context, ret)); return NULL; }
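Review bot: In the main.c hunk `buf` still holds the raw contents of the master key file after `decode_EncryptionKey`, and nothing visible clears it or `key` once `set_master_key(&key)` has run. The `fread` result is passed on without an `ferror` check, so a read error is reported only as a parse failure. Suggested: after decoding, `memset(buf, 0, sizeof(buf));` (or a wipe routine the compiler cannot elide, if the tree has one), and check `ferror(f)` before `fclose(f)`. Whether `set_master_key` copies the key is not visible here, and main continues outside the hunk.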