diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index d1152630f..3fe80367d 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -352,7 +352,7 @@ _kdc_set_e_text(astgs_request_t r, char *fmt, ...) r->e_text = e_text; r->e_text_buf = e_text; - kdc_log(r->context, r->config, 0, "%s", e_text); + kdc_log(r->context, r->config, 4, "%s", e_text); } void @@ -391,7 +391,7 @@ _kdc_log_timestamp(astgs_request_t r, const char *type, else strlcpy(renewtime_str, "unset", sizeof(renewtime_str)); - kdc_log(context, config, 3, + kdc_log(context, config, 4, "%s authtime: %s starttime: %s endtime: %s renew till: %s", type, authtime_str, starttime_str, endtime_str, renewtime_str); } @@ -514,7 +514,7 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa) if (_kdc_is_anon_request(&r->req)) { ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - kdc_log(r->context, r->config, 2, "ENC-CHALL doesn't support anon"); + kdc_log(r->context, r->config, 4, "ENC-CHALL doesn't support anon"); return ret; } @@ -573,7 +573,7 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa) ret2 = krb5_enctype_to_string(r->context, k->key.keytype, &str); if (ret2) str = NULL; - _kdc_r_log(r, 2, "Failed to decrypt ENC-CHAL -- %s " + _kdc_r_log(r, 4, "Failed to decrypt ENC-CHAL -- %s " "(enctype %s) error %s", r->cname, str ? str : "unknown enctype", msg); krb5_free_error_message(r->context, msg); @@ -604,7 +604,7 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa) client_time, sizeof(client_time), TRUE); ret = KRB5KRB_AP_ERR_SKEW; - _kdc_r_log(r, 2, "Too large time skew, " + _kdc_r_log(r, 4, "Too large time skew, " "client time %s is out by %u > %u seconds -- %s", client_time, (unsigned)labs(kdc_time - p.patimestamp), 
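Review bot: The three pa_enc_chal_validate hunks (and the matching pa_enc_ts_validate hunks on the next line) move the failed-decrypt and time-skew rejections from level 2 to level 4, so a KDC running at its default log level no longer records the failed pre-authentication attempts that password-guessing detection relies on; unlike the kdc_check_flags hunks later in this commit, nothing is added to the audit record in their place. If the intent is that the per-request audit line carries the cause, each of these return paths should also call `_kdc_audit_addkv((kdc_request_t)r, 0, "reason", "Failed to decrypt ENC-CHAL");` (and the equivalent for the skew and anonymous cases); otherwise the level-2 log should stay. The same applies to `_kdc_set_e_text`, whose e_text was logged at level 0 and is now only visible at 4 — that string is the KRB-ERROR text sent to the client, so it is the one line that always explained a rejection. The enclosing functions continue outside the hunks.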
@@ -680,11 +680,11 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) if(krb5_enctype_to_string(r->context, enc_data.etype, &estr)) estr = NULL; if(estr == NULL) - _kdc_r_log(r, 2, + _kdc_r_log(r, 4, "No client key matching pa-data (%d) -- %s", enc_data.etype, r->cname); else - _kdc_r_log(r, 2, + _kdc_r_log(r, 4, "No client key matching pa-data (%s) -- %s", estr, r->cname); free(estr); @@ -696,7 +696,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) ret = krb5_crypto_init(r->context, &pa_key->key, 0, &crypto); if (ret) { const char *msg = krb5_get_error_message(r->context, ret); - _kdc_r_log(r, 1, "krb5_crypto_init failed: %s", msg); + _kdc_r_log(r, 4, "krb5_crypto_init failed: %s", msg); krb5_free_error_message(r->context, msg); free_EncryptedData(&enc_data); goto out; @@ -721,7 +721,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) pa_key->key.keytype, &str); if (ret2) str = NULL; - _kdc_r_log(r, 2, "Failed to decrypt PA-DATA -- %s " + _kdc_r_log(r, 4, "Failed to decrypt PA-DATA -- %s " "(enctype %s) error %s", r->cname, str ? str : "unknown enctype", msg); krb5_free_error_message(r->context, msg); @@ -759,7 +759,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) client_time, sizeof(client_time), TRUE); ret = KRB5KRB_AP_ERR_SKEW; - _kdc_r_log(r, 2, "Too large time skew, " + _kdc_r_log(r, 4, "Too large time skew, " "client time %s is out by %u > %u seconds -- %s", client_time, (unsigned)labs(kdc_time - p.patimestamp), @@ -904,7 +904,7 @@ _kdc_encode_reply(krb5_context context, ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret); if(ret) { const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 1, "Failed to encode ticket: %s", msg); + kdc_log(context, config, 4, "Failed to encode ticket: %s", msg); krb5_free_error_message(context, msg); return ret; } 
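Review bot: `_kdc_r_log(r, 4, "krb5_crypto_init failed: %s", msg)` and `kdc_log(context, config, 4, "Failed to encode ticket: %s", msg)` demote KDC-internal failures (crypto initialisation, ASN.1 encoding) from level 1 to the same level 4 now used for client-caused rejections, so an operator at the default level loses the signal that the KDC itself is malfunctioning rather than a client being rejected. The identical level-1 → 4 change recurs on the following lines: `Internal error in ASN.1 encoder` and the crypto_init/encode failures in _kdc_encode_reply, the encoder and `malloc failed` paths in tgs_check_authenticator and tgs_parse_request, the krbtgt principal-name failures in tgs_build_reply, `add_enc_pa_rep failed`, and `Failed building server referral` / `Failed building TGS-REP`. These messages carry no client-controlled text and indicate a server fault; consider keeping them at level 1 (or 0) instead of folding them into request-level noise. The enclosing functions continue outside the hunks.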
@@ -914,7 +914,7 @@ _kdc_encode_reply(krb5_context context, ret = krb5_crypto_init(context, skey, etype, &crypto); if (ret) { const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 1, "krb5_crypto_init failed: %s", msg); + kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg); krb5_free_error_message(context, msg); free(buf); return ret; @@ -931,7 +931,7 @@ _kdc_encode_reply(krb5_context context, krb5_crypto_destroy(context, crypto); if(ret) { const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 1, "Failed to encrypt data: %s", msg); + kdc_log(context, config, 4, "Failed to encrypt data: %s", msg); krb5_free_error_message(context, msg); return ret; } @@ -1005,13 +1005,13 @@ _kdc_encode_reply(krb5_context context, ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret); if(ret) { const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 1, "Failed to encode KDC-REP: %s", msg); + kdc_log(context, config, 4, "Failed to encode KDC-REP: %s", msg); krb5_free_error_message(context, msg); return ret; } if(buf_size != len) { free(buf); - kdc_log(context, config, 1, "Internal error in ASN.1 encoder"); + kdc_log(context, config, 4, "Internal error in ASN.1 encoder"); *e_text = "KDC internal error"; return KRB5KRB_ERR_GENERIC; } @@ -1019,7 +1019,7 @@ _kdc_encode_reply(krb5_context context, if (ret) { const char *msg = krb5_get_error_message(context, ret); free(buf); - kdc_log(context, config, 1, "krb5_crypto_init failed: %s", msg); + kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg); krb5_free_error_message(context, msg); return ret; } 
@@ -1047,13 +1047,13 @@ _kdc_encode_reply(krb5_context context, krb5_crypto_destroy(context, crypto); if(ret) { const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 1, "Failed to encode KDC-REP: %s", msg); + kdc_log(context, config, 4, "Failed to encode KDC-REP: %s", msg); krb5_free_error_message(context, msg); return ret; } if(buf_size != len) { free(buf); - kdc_log(context, config, 1, "Internal error in ASN.1 encoder"); + kdc_log(context, config, 4, "Internal error in ASN.1 encoder"); *e_text = "KDC internal error"; return KRB5KRB_ERR_GENERIC; } @@ -1110,7 +1110,7 @@ make_etype_info_entry(krb5_context context, else if(key->salt->type == hdb_afs3_salt) *ent->salttype = 2; else { - kdc_log(context, config, 2, "unknown salt-type: %d", + kdc_log(context, config, 4, "unknown salt-type: %d", key->salt->type); return KRB5KRB_ERR_GENERIC; } 
@@ -1450,31 +1450,31 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype) */ krb5_error_code -kdc_check_flags(krb5_context context, - krb5_kdc_configuration *config, - hdb_entry_ex *client_ex, const char *client_name, - hdb_entry_ex *server_ex, const char *server_name, - krb5_boolean is_as_req) +kdc_check_flags(astgs_request_t r, krb5_boolean is_as_req) { + krb5_context context = r->context; + hdb_entry_ex *client_ex = r->client; + hdb_entry_ex *server_ex = r->server; + if(client_ex != NULL) { hdb_entry *client = &client_ex->entry; /* check client */ if (client->flags.locked_out) { - kdc_log(context, config, 2, - "Client (%s) is locked out", client_name); + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Client is locked out"); return KRB5KDC_ERR_POLICY; } if (client->flags.invalid) { - kdc_log(context, config, 2, - "Client (%s) has invalid bit set", client_name); + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Client has invalid bit set"); return KRB5KDC_ERR_POLICY; } - if(!client->flags.client){ - kdc_log(context, config, 2, - "Principal may not act as client -- %s", client_name); + if (!client->flags.client) { + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Principal may not act as client"); return KRB5KDC_ERR_POLICY; } @@ -1482,9 +1482,8 @@ kdc_check_flags(krb5_context context, char starttime_str[100]; krb5_format_time(context, *client->valid_start, starttime_str, sizeof(starttime_str), TRUE); - kdc_log(context, config, 2, - "Client not yet valid until %s -- %s", - starttime_str, client_name); + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Client not yet valid until %s", starttime_str); return KRB5KDC_ERR_CLIENT_NOTYET; } 
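Review bot: The new `kdc_check_flags(astgs_request_t r, krb5_boolean is_as_req)` takes the entries to check from `r->client` and `r->server`, whereas its two callers (tgs_build_reply and _kdc_check_access, later in this diff) previously passed explicitly chosen `client`/`server` and `client_ex`/`server_ex` pointers; the hunks do not show how those locals are assigned, so if they were not always the same objects as the request fields, the policy checks now run against different entries and that should be confirmed. The comment block whose `*/` closes at the top of this hunk presumably still describes the old parameter list; it should say that the client and server entries are read from the request and that a failing check records its cause under the `reason` audit key before returning. Note also that the new reason strings drop the client principal name the old log lines carried, which is only acceptable if the audit record already names the client and server. The function body continues past this line.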
@@ -1492,27 +1491,22 @@ kdc_check_flags(krb5_context context, char endtime_str[100]; krb5_format_time(context, *client->valid_end, endtime_str, sizeof(endtime_str), TRUE); - kdc_log(context, config, 2, - "Client expired at %s -- %s", - endtime_str, client_name); - return KRB5KDC_ERR_NAME_EXP; + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Client expired at %s", endtime_str); + return KRB5KDC_ERR_NAME_EXP; } if (client->flags.require_pwchange && - (server_ex == NULL || !server_ex->entry.flags.change_pw)) { - kdc_log(context, config, 2, - "Client's key must be changed -- %s", client_name); + (server_ex == NULL || !server_ex->entry.flags.change_pw)) return KRB5KDC_ERR_KEY_EXPIRED; - } if (client->pw_end && *client->pw_end < kdc_time && (server_ex == NULL || !server_ex->entry.flags.change_pw)) { char pwend_str[100]; krb5_format_time(context, *client->pw_end, pwend_str, sizeof(pwend_str), TRUE); - kdc_log(context, config, 2, - "Client's key has expired at %s -- %s", - pwend_str, client_name); + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Client's key has expired at %s", pwend_str); return KRB5KDC_ERR_KEY_EXPIRED; } } 
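Review bot: The `require_pwchange` branch loses its explanation entirely: the level-2 `Client's key must be changed -- %s` log is removed and, unlike every other rejection in this function, no `reason` is added to the audit record, so a KRB5KDC_ERR_KEY_EXPIRED from this path is indistinguishable from the expired-`pw_end` rejection a few lines below. Keep the braces and add `_kdc_audit_addkv((kdc_request_t)r, 0, "reason", "Client's key must be changed");` before the `return KRB5KDC_ERR_KEY_EXPIRED;`. The function continues outside this hunk.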
@@ -1523,25 +1517,24 @@ kdc_check_flags(krb5_context context, hdb_entry *server = &server_ex->entry; if (server->flags.locked_out) { - kdc_log(context, config, 2, - "Server locked out -- %s", server_name); + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Server locked out"); return KRB5KDC_ERR_POLICY; } if (server->flags.invalid) { - kdc_log(context, config, 2, - "Server has invalid flag set -- %s", server_name); + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Server has invalid flag set"); + return KRB5KDC_ERR_POLICY; + } + if (!server->flags.server) { + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Principal may not act as server"); return KRB5KDC_ERR_POLICY; } - if(!server->flags.server){ - kdc_log(context, config, 2, - "Principal may not act as server -- %s", server_name); - return KRB5KDC_ERR_POLICY; - } - - if(!is_as_req && server->flags.initial) { - kdc_log(context, config, 2, - "AS-REQ is required for server -- %s", server_name); + if (!is_as_req && server->flags.initial) { + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "AS-REQ is required for server"); return KRB5KDC_ERR_POLICY; } @@ -1549,9 +1542,8 @@ kdc_check_flags(krb5_context context, char starttime_str[100]; krb5_format_time(context, *server->valid_start, starttime_str, sizeof(starttime_str), TRUE); - kdc_log(context, config, 2, - "Server not yet valid until %s -- %s", - starttime_str, server_name); + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Server not yet valid until %s", starttime_str); return KRB5KDC_ERR_SERVICE_NOTYET; } @@ -1559,9 +1551,8 @@ kdc_check_flags(krb5_context context, char endtime_str[100]; krb5_format_time(context, *server->valid_end, endtime_str, sizeof(endtime_str), TRUE); - kdc_log(context, config, 2, - "Server expired at %s -- %s", - endtime_str, server_name); + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Server expired at %s", endtime_str); return KRB5KDC_ERR_SERVICE_EXP; } 
@@ -1569,9 +1560,8 @@ kdc_check_flags(krb5_context context, char pwend_str[100]; krb5_format_time(context, *server->pw_end, pwend_str, sizeof(pwend_str), TRUE); - kdc_log(context, config, 2, - "Server's key has expired at %s -- %s", - pwend_str, server_name); + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Server's key has expired at %s", pwend_str); return KRB5KDC_ERR_KEY_EXPIRED; } } @@ -1633,8 +1623,8 @@ krb5_error_code _kdc_check_anon_policy(astgs_request_t r) { if (!r->config->allow_anonymous) { - _kdc_r_log(r, 2, - "Request for anonymous ticket denied by local policy"); + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", "anonymous tickets " + "denied by local policy"); return KRB5KDC_ERR_POLICY; } @@ -1932,7 +1922,7 @@ _kdc_as_rep(astgs_request_t r) b->etype.val, b->etype.len, &r->sessionetype, NULL, NULL); if (ret) { - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Client (%s) from %s has no common enctypes with KDC " "to use for the session key", r->cname, from); @@ -1982,7 +1972,7 @@ _kdc_as_rep(astgs_request_t r) } goto out; } - kdc_log(context, config, 3, + kdc_log(context, config, 4, "%s pre-authentication succeeded -- %s", pat[n].name, r->cname); found_pa = 1; @@ -2370,7 +2360,7 @@ _kdc_as_rep(astgs_request_t r) ret = add_enc_pa_rep(r); if (ret) { msg = krb5_get_error_message(r->context, ret); - _kdc_r_log(r, 1, "add_enc_pa_rep failed: %s: %d", msg, ret); + _kdc_r_log(r, 4, "add_enc_pa_rep failed: %s: %d", msg, ret); krb5_free_error_message(r->context, msg); goto out; } diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c index 686590662..e48f56a04 100644 --- a/kdc/krb5tgs.c +++ b/kdc/krb5tgs.c @@ -243,7 +243,7 @@ check_KRB5SignedPath(krb5_context context, free(data.data); if (ret) { free_KRB5SignedPath(&sp); - kdc_log(context, config, 2, + kdc_log(context, config, 4, "KRB5SignedPath not signed correctly, not marking as signed"); return 0; } 
@@ -389,46 +389,44 @@ is_anon_tgs_request_p(const KDC_REQ_BODY *b, */ static krb5_error_code -check_tgs_flags(krb5_context context, - krb5_kdc_configuration *config, - KDC_REQ_BODY *b, +check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b, krb5_const_principal tgt_name, - const EncTicketPart *tgt, - EncTicketPart *et) + const EncTicketPart *tgt, EncTicketPart *et) { + krb5_context context = r->context; KDCOptions f = b->kdc_options; if(f.validate){ - if(!tgt->flags.invalid || tgt->starttime == NULL){ - kdc_log(context, config, 2, - "Bad request to validate ticket"); + if (!tgt->flags.invalid || tgt->starttime == NULL) { + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Bad request to validate ticket"); return KRB5KDC_ERR_BADOPTION; } if(*tgt->starttime > kdc_time){ - kdc_log(context, config, 2, - "Early request to validate ticket"); + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Early request to validate ticket"); return KRB5KRB_AP_ERR_TKT_NYV; } /* XXX tkt = tgt */ et->flags.invalid = 0; - }else if(tgt->flags.invalid){ - kdc_log(context, config, 2, - "Ticket-granting ticket has INVALID flag set"); + } else if (tgt->flags.invalid) { + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Ticket-granting ticket has INVALID flag set"); return KRB5KRB_AP_ERR_TKT_INVALID; } if(f.forwardable){ - if(!tgt->flags.forwardable){ - kdc_log(context, config, 2, - "Bad request for forwardable ticket"); + if (!tgt->flags.forwardable) { + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Bad request for forwardable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.forwardable = 1; } if(f.forwarded){ - if(!tgt->flags.forwardable){ - kdc_log(context, config, 2, - "Request to forward non-forwardable ticket"); + if (!tgt->flags.forwardable) { + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Request to forward non-forwardable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.forwarded = 1; 
@@ -438,17 +436,17 @@ check_tgs_flags(krb5_context context, et->flags.forwarded = 1; if(f.proxiable){ - if(!tgt->flags.proxiable){ - kdc_log(context, config, 2, - "Bad request for proxiable ticket"); + if (!tgt->flags.proxiable) { + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Bad request for proxiable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.proxiable = 1; } if(f.proxy){ - if(!tgt->flags.proxiable){ - kdc_log(context, config, 2, - "Request to proxy non-proxiable ticket"); + if (!tgt->flags.proxiable) { + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Request to proxy non-proxiable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.proxy = 1; 
@@ -458,32 +456,33 @@ check_tgs_flags(krb5_context context, et->flags.proxy = 1; if(f.allow_postdate){ - if(!tgt->flags.may_postdate){ - kdc_log(context, config, 2, - "Bad request for post-datable ticket"); + if (!tgt->flags.may_postdate) { + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Bad request for post-datable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.may_postdate = 1; } if(f.postdated){ - if(!tgt->flags.may_postdate){ - kdc_log(context, config, 2, - "Bad request for postdated ticket"); + if (!tgt->flags.may_postdate) { + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Bad request for postdated ticket"); return KRB5KDC_ERR_BADOPTION; } if(b->from) *et->starttime = *b->from; et->flags.postdated = 1; et->flags.invalid = 1; - }else if(b->from && *b->from > kdc_time + context->max_skew){ - kdc_log(context, config, 0, "Ticket cannot be postdated"); + } else if (b->from && *b->from > kdc_time + context->max_skew) { + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Ticket cannot be postdated"); return KRB5KDC_ERR_CANNOT_POSTDATE; } if(f.renewable){ - if(!tgt->flags.renewable || tgt->renew_till == NULL){ - kdc_log(context, config, 2, - "Bad request for renewable ticket"); + if (!tgt->flags.renewable || tgt->renew_till == NULL) { + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Bad request for renewable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.renewable = 1; @@ -493,9 +492,9 @@ check_tgs_flags(krb5_context context, } if(f.renew){ time_t old_life; - if(!tgt->flags.renewable || tgt->renew_till == NULL){ - kdc_log(context, config, 2, - "Request to renew non-renewable ticket"); + if (!tgt->flags.renewable || tgt->renew_till == NULL) { + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Request to renew non-renewable ticket"); return KRB5KDC_ERR_BADOPTION; } old_life = tgt->endtime; 
@@ -514,8 +513,9 @@ check_tgs_flags(krb5_context context, */ if (tgt->flags.anonymous && !_kdc_is_anonymous(context, tgt_name)) { - kdc_log(context, config, 2, - "Anonymous ticket flag set without anonymous principal"); + _kdc_audit_addkv((kdc_request_t)r, 0, "reason", + "Anonymous ticket flag set without " + "anonymous principal"); return KRB5KDC_ERR_BADOPTION; } @@ -554,7 +554,7 @@ check_constrained_delegation(krb5_context context, */ if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) { ret = KRB5KDC_ERR_BADOPTION; - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Bad request for constrained delegation"); return ret; } @@ -582,7 +582,7 @@ check_constrained_delegation(krb5_context context, } ret = KRB5KDC_ERR_BADOPTION; } - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Bad request for constrained delegation"); return ret; } @@ -628,11 +628,11 @@ verify_flags (krb5_context context, const char *pstr) { if(et->endtime < kdc_time){ - kdc_log(context, config, 2, "Ticket expired (%s)", pstr); + kdc_log(context, config, 4, "Ticket expired (%s)", pstr); return KRB5KRB_AP_ERR_TKT_EXPIRED; } if(et->flags.invalid){ - kdc_log(context, config, 2, "Ticket not valid (%s)", pstr); + kdc_log(context, config, 4, "Ticket not valid (%s)", pstr); return KRB5KRB_AP_ERR_TKT_NYV; } return 0; @@ -667,11 +667,11 @@ fix_transited_encoding(krb5_context context, */ if (tr->contents.length == 0) break; - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Transited type 0 with non empty content"); return KRB5KDC_ERR_TRTYPE_NOSUPP; default: - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Unknown transited type: %u", tr->tr_type); return KRB5KDC_ERR_TRTYPE_NOSUPP; } @@ -802,7 +802,7 @@ tgs_make_reply(astgs_request_t r, ALLOC(et.starttime); *et.starttime = kdc_time; - ret = check_tgs_flags(context, config, b, tgt_name, tgt, &et); + ret = check_tgs_flags(r, b, tgt_name, tgt, &et); if(ret) goto out; 
@@ -1083,7 +1083,7 @@ tgs_check_authenticator(krb5_context context, krb5_auth_con_getauthenticator(context, ac, &auth); if(auth->cksum == NULL){ - kdc_log(context, config, 2, "No authenticator in request"); + kdc_log(context, config, 4, "No authenticator in request"); ret = KRB5KRB_AP_ERR_INAPP_CKSUM; goto out; } @@ -1097,7 +1097,7 @@ tgs_check_authenticator(krb5_context context, || #endif !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) { - kdc_log(context, config, 2, "Bad checksum type in authenticator: %d", + kdc_log(context, config, 4, "Bad checksum type in authenticator: %d", auth->cksum->cksumtype); ret = KRB5KRB_AP_ERR_INAPP_CKSUM; goto out; @@ -1107,13 +1107,13 @@ tgs_check_authenticator(krb5_context context, ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret); if(ret){ const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 1, "Failed to encode KDC-REQ-BODY: %s", msg); + kdc_log(context, config, 4, "Failed to encode KDC-REQ-BODY: %s", msg); krb5_free_error_message(context, msg); goto out; } if(buf_size != len) { free(buf); - kdc_log(context, config, 1, "Internal error in ASN.1 encoder"); + kdc_log(context, config, 4, "Internal error in ASN.1 encoder"); *e_text = "KDC internal error"; ret = KRB5KRB_ERR_GENERIC; goto out; @@ -1122,7 +1122,7 @@ tgs_check_authenticator(krb5_context context, if (ret) { const char *msg = krb5_get_error_message(context, ret); free(buf); - kdc_log(context, config, 1, "krb5_crypto_init failed: %s", msg); + kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg); krb5_free_error_message(context, msg); goto out; } @@ -1136,7 +1136,7 @@ tgs_check_authenticator(krb5_context context, krb5_crypto_destroy(context, crypto); if(ret){ const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Failed to verify authenticator checksum: %s", msg); krb5_free_error_message(context, msg); } 
@@ -1227,14 +1227,14 @@ tgs_parse_request(astgs_request_t r, ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req); if(ret){ const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 2, "Failed to decode AP-REQ: %s", msg); + kdc_log(context, config, 4, "Failed to decode AP-REQ: %s", msg); krb5_free_error_message(context, msg); goto out; } if(!get_krbtgt_realm(&ap_req.ticket.sname)){ /* XXX check for ticket.sname == req.sname */ - kdc_log(context, config, 2, "PA-DATA is not a ticket-granting ticket"); + kdc_log(context, config, 4, "PA-DATA is not a ticket-granting ticket"); ret = KRB5KDC_ERR_POLICY; /* ? */ goto out; } @@ -1294,7 +1294,7 @@ tgs_parse_request(astgs_request_t r, ret = krb5_unparse_name(context, princ, &p); if (ret != 0) p = failed; - kdc_log(context, config, 1, + kdc_log(context, config, 4, "Ticket-granting ticket %s not found in database: %s", p, msg); krb5_free_principal(context, princ); krb5_free_error_message(context, msg); @@ -1320,7 +1320,7 @@ next_kvno: krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str); krb5_unparse_name(context, princ, &p); - kdc_log(context, config, 2, + kdc_log(context, config, 4, "No server key with enctype %s found for %s", str ? str : "", p ? p : ""); @@ -1353,7 +1353,7 @@ next_kvno: krb5_free_principal(context, princ); if(ret) { const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 2, "Failed to verify AP-REQ: %s", msg); + kdc_log(context, config, 4, "Failed to verify AP-REQ: %s", msg); krb5_free_error_message(context, msg); goto out; } 
@@ -1366,14 +1366,14 @@ next_kvno: *csec = malloc(sizeof(**csec)); if (*csec == NULL) { krb5_free_authenticator(context, &auth); - kdc_log(context, config, 1, "malloc failed"); + kdc_log(context, config, 4, "malloc failed"); goto out; } **csec = auth->ctime; *cusec = malloc(sizeof(**cusec)); if (*cusec == NULL) { krb5_free_authenticator(context, &auth); - kdc_log(context, config, 1, "malloc failed"); + kdc_log(context, config, 4, "malloc failed"); goto out; } **cusec = auth->cusec; @@ -1395,7 +1395,7 @@ next_kvno: if(ret){ const char *msg = krb5_get_error_message(context, ret); krb5_auth_con_free(context, ac); - kdc_log(context, config, 1, "Failed to get remote subkey: %s", msg); + kdc_log(context, config, 4, "Failed to get remote subkey: %s", msg); krb5_free_error_message(context, msg); goto out; } @@ -1407,14 +1407,14 @@ next_kvno: if(ret) { const char *msg = krb5_get_error_message(context, ret); krb5_auth_con_free(context, ac); - kdc_log(context, config, 1, "Failed to get session key: %s", msg); + kdc_log(context, config, 4, "Failed to get session key: %s", msg); krb5_free_error_message(context, msg); goto out; } } if(subkey == NULL){ krb5_auth_con_free(context, ac); - kdc_log(context, config, 1, + kdc_log(context, config, 4, "Failed to get key for enc-authorization-data"); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ goto out; @@ -1429,7 +1429,7 @@ next_kvno: if (ret) { const char *msg = krb5_get_error_message(context, ret); krb5_auth_con_free(context, ac); - kdc_log(context, config, 1, "krb5_crypto_init failed: %s", msg); + kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg); krb5_free_error_message(context, msg); goto out; } @@ -1441,7 +1441,7 @@ next_kvno: krb5_crypto_destroy(context, crypto); if(ret){ krb5_auth_con_free(context, ac); - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Failed to decrypt enc-authorization-data"); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ goto out; 
@@ -1457,7 +1457,7 @@ next_kvno: krb5_auth_con_free(context, ac); free(*auth_data); *auth_data = NULL; - kdc_log(context, config, 2, "Failed to decode authorization data"); + kdc_log(context, config, 4, "Failed to decode authorization data"); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ goto out; } @@ -1625,13 +1625,13 @@ tgs_build_reply(astgs_request_t priv, if(b->additional_tickets == NULL || b->additional_tickets->len == 0){ ret = KRB5KDC_ERR_BADOPTION; /* ? */ - kdc_log(context, config, 2, + kdc_log(context, config, 4, "No second ticket present in request"); goto out; } t = &b->additional_tickets->val[0]; if(!get_krbtgt_realm(&t->sname)){ - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Additional ticket is not a ticket-granting ticket"); ret = KRB5KDC_ERR_POLICY; goto out; @@ -1684,11 +1684,11 @@ tgs_build_reply(astgs_request_t priv, asn1_KDCOptions_units(), opt_str, sizeof(opt_str)); if(*opt_str) - kdc_log(context, config, 3, + kdc_log(context, config, 4, "TGS-REQ %s from %s for %s [%s]", cpn, from, spn, opt_str); else - kdc_log(context, config, 3, + kdc_log(context, config, 4, "TGS-REQ %s from %s for %s", cpn, from, spn); /* @@ -1796,7 +1796,7 @@ server_lookup: krb5_free_host_realm(context, realms); } msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Server not found in database: %s: %s", spn, msg); krb5_free_error_message(context, msg); if (ret == HDB_ERR_NOENTRY) @@ -1830,7 +1830,7 @@ server_lookup: if (b->etype.val[i] == adtkt.key.keytype) break; if(i == b->etype.len) { - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Addition ticket have not matching etypes"); krb5_clear_error_message(context); ret = KRB5KDC_ERR_ETYPE_NOSUPP; 
@@ -1846,14 +1846,14 @@ server_lookup: b->etype.val, b->etype.len, &etype, NULL, NULL); if(ret) { - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Server (%s) has no support for etypes", spn); goto out; } ret = _kdc_get_preferred_key(context, config, server, spn, NULL, &skey); if(ret) { - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Server (%s) has no supported etypes", spn); goto out; } @@ -1879,7 +1879,7 @@ server_lookup: ret = hdb_enctype2key(context, &krbtgt->entry, NULL, /* XXX use the right kvno! */ krbtgt_etype, &tkey_check); if(ret) { - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Failed to find key for krbtgt PAC check"); goto out; } @@ -1897,14 +1897,14 @@ server_lookup: our_realm, NULL); if (ret) { - kdc_log(context, config, 1, + kdc_log(context, config, 4, "Failed to make krbtgt principal name object for " "authz-data signatures"); goto out; } ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n); if (ret) { - kdc_log(context, config, 1, + kdc_log(context, config, 4, "Failed to make krbtgt principal name object for " "authz-data signatures"); goto out; @@ -1915,7 +1915,7 @@ server_lookup: if (ret) { char *ktpn = NULL; ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn); - kdc_log(context, config, 2, + kdc_log(context, config, 4, "No such principal %s (needed for authz-data signature keys) " "while processing TGS-REQ for service %s with krbtg %s", krbtgt_out_n, spn, (ret == 0) ? ktpn : ""); @@ -1935,7 +1935,7 @@ server_lookup: krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) { char *ktpn; ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn); - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Request with wrong krbtgt: %s", (ret == 0) ? ktpn : ""); if(ret == 0) 
@@ -1947,14 +1947,14 @@ server_lookup: ret = _kdc_get_preferred_key(context, config, krbtgt_out, krbtgt_out_n, NULL, &tkey_sign); if (ret) { - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Failed to find key for krbtgt PAC signature"); goto out; } ret = hdb_enctype2key(context, &krbtgt_out->entry, NULL, tkey_sign->key.keytype, &tkey_sign); if(ret) { - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Failed to find key for krbtgt PAC signature"); goto out; } @@ -1980,13 +1980,13 @@ server_lookup: if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) { if (ret == HDB_ERR_NOENTRY) ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - kdc_log(context, config, 2, "Client no longer in database: %s", + kdc_log(context, config, 4, "Client no longer in database: %s", cpn); goto out; } msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 2, "Client not found in database: %s", msg); + kdc_log(context, config, 4, "Client not found in database: %s", msg); krb5_free_error_message(context, msg); } @@ -1997,7 +1997,7 @@ server_lookup: tgt, &rspac, &signedpath); if (ret) { const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Verify PAC failed for %s (%s) from %s with %s", spn, cpn, from, msg); krb5_free_error_message(context, msg); @@ -2014,7 +2014,7 @@ server_lookup: &signedpath); if (ret) { const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 2, + kdc_log(context, config, 4, "KRB5SignedPath check failed for %s (%s) from %s with %s", spn, cpn, from, msg); krb5_free_error_message(context, msg); 
@@ -2044,13 +2044,13 @@ server_lookup: sdata->padata_value.length, &self, NULL); if (ret) { - kdc_log(context, config, 2, "Failed to decode PA-S4U2Self"); + kdc_log(context, config, 4, "Failed to decode PA-S4U2Self"); goto out; } if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) { free_PA_S4U2Self(&self); - kdc_log(context, config, 2, "Reject PA-S4U2Self with unkeyed checksum"); + kdc_log(context, config, 4, "Reject PA-S4U2Self with unkeyed checksum"); ret = KRB5KRB_AP_ERR_INAPP_CKSUM; goto out; } @@ -2064,7 +2064,7 @@ server_lookup: const char *msg = krb5_get_error_message(context, ret); free_PA_S4U2Self(&self); krb5_data_free(&datack); - kdc_log(context, config, 2, "krb5_crypto_init failed: %s", msg); + kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg); krb5_free_error_message(context, msg); goto out; } @@ -2102,7 +2102,7 @@ server_lookup: if (ret) { const char *msg = krb5_get_error_message(context, ret); free_PA_S4U2Self(&self); - kdc_log(context, config, 2, + kdc_log(context, config, 4, "krb5_verify_checksum failed for S4U2Self: %s", msg); krb5_free_error_message(context, msg); goto out; @@ -2138,7 +2138,7 @@ server_lookup: if (ret == HDB_ERR_NOENTRY) ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 2, + kdc_log(context, config, 4, "S4U2Self principal to impersonate %s not found in database: %s", tpn, msg); krb5_free_error_message(context, msg); @@ -2146,7 +2146,7 @@ server_lookup: } ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p); if (ret) { - kdc_log(context, config, 2, "PAC generation failed for -- %s", + kdc_log(context, config, 4, "PAC generation failed for -- %s", tpn); goto out; } @@ -2157,7 +2157,7 @@ server_lookup: &rspac); krb5_pac_free(context, p); if (ret) { - kdc_log(context, config, 2, "PAC signing failed for -- %s", + kdc_log(context, config, 4, "PAC signing failed for -- %s", tpn); goto out; } 
@@ -2170,7 +2170,7 @@ server_lookup: */ ret = check_s4u2self(context, config, clientdb, client, sp); if (ret) { - kdc_log(context, config, 2, "S4U2Self: %s is not allowed " + kdc_log(context, config, 4, "S4U2Self: %s is not allowed " "to impersonate to service " "(tried for user %s to service %s)", cpn, tpn, spn); @@ -2188,7 +2188,7 @@ server_lookup: b->kdc_options.forwardable = 0; str = ""; } - kdc_log(context, config, 3, "s4u2self %s impersonating %s to " + kdc_log(context, config, 4, "s4u2self %s impersonating %s to " "service %s %s", cpn, tpn, spn, str); } } @@ -2213,7 +2213,7 @@ server_lookup: */ if (!signedpath) { ret = KRB5KDC_ERR_BADOPTION; - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Constrained delegation done on service ticket %s/%s", cpn, spn); goto out; @@ -2232,7 +2232,7 @@ server_lookup: ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0); if (ret) { - kdc_log(context, config, 2, + kdc_log(context, config, 4, "failed to decrypt ticket for " "constrained delegation from %s to %s ", cpn, spn); goto out; @@ -2262,7 +2262,7 @@ server_lookup: /* check that ticket is valid */ if (adtkt.flags.forwardable == 0) { - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Missing forwardable flag on ticket for " "constrained delegation from %s (%s) as %s to %s ", cpn, dpn, tpn, spn); @@ -2273,7 +2273,7 @@ server_lookup: ret = check_constrained_delegation(context, config, clientdb, client, server, sp); if (ret) { - kdc_log(context, config, 2, + kdc_log(context, config, 4, "constrained delegation from %s (%s) as %s to %s not allowed", cpn, dpn, tpn, spn); goto out; @@ -2299,7 +2299,7 @@ server_lookup: &adtkt, &rspac, &ad_signedpath); if (ret) { const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 2, + kdc_log(context, config, 4, "Verify delegated PAC failed to %s for client" "%s (%s) as %s from %s with %s", spn, cpn, dpn, tpn, from, msg); 
@@ -2319,7 +2319,7 @@ server_lookup:
 &ad_signedpath);
 if (ret) {
 const char *msg = krb5_get_error_message(context, ret);
- kdc_log(context, config, 2,
+ kdc_log(context, config, 4,
 "KRB5SignedPath check from service %s failed "
 "for delegation to %s for client %s (%s)"
 "from %s failed with %s",
@@ -2330,7 +2330,7 @@ server_lookup:
 if (!ad_signedpath) {
 ret = KRB5KDC_ERR_BADOPTION;
- kdc_log(context, config, 2,
+ kdc_log(context, config, 4,
 "Ticket not signed with PAC nor SignedPath service %s failed "
 "for delegation to %s for client %s (%s)"
 "from %s",
@@ -2339,7 +2339,7 @@ server_lookup:
 }
 _kdc_audit_addkv((kdc_request_t)priv, 0, "impersonatee", tpn);
- kdc_log(context, config, 3, "constrained delegation for %s "
+ kdc_log(context, config, 4, "constrained delegation for %s "
 "from %s (%s) to %s", tpn, cpn, dpn, spn);
 }
@@ -2347,10 +2347,7 @@ server_lookup:
 * Check flags
 */
- ret = kdc_check_flags(context, config,
- client, cpn,
- server, spn,
- FALSE);
+ ret = kdc_check_flags(priv, FALSE);
 if(ret)
 goto out;
@@ -2358,7 +2355,7 @@ server_lookup:
 !krb5_principal_compare(context,
 krbtgt->entry.principal,
 server->entry.principal)){
- kdc_log(context, config, 2, "Inconsistent request.");
+ kdc_log(context, config, 4, "Inconsistent request.");
 ret = KRB5KDC_ERR_SERVER_NOMATCH;
 goto out;
 }
@@ -2366,7 +2363,7 @@ server_lookup:
 /* check for valid set of addresses */
 if (!_kdc_check_addresses(priv, tgt->caddr, from_addr)) {
 ret = KRB5KRB_AP_ERR_BADADDR;
- kdc_log(context, config, 2, "Request from wrong address");
+ kdc_log(context, config, 4, "Request from wrong address");
 goto out;
 }
@@ -2396,7 +2393,7 @@ server_lookup:
 NULL, s, &pa.padata_value);
 krb5_crypto_destroy(context, crypto);
 if (ret) {
- kdc_log(context, config, 1,
+ kdc_log(context, config, 4,
 "Failed building server referral");
 goto out;
 }
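Review bot: `ret = kdc_check_flags(priv, FALSE);` replaces the explicit `client, cpn, server, spn` arguments with whatever the callee now reads out of `priv`, but nothing in this hunk shows those request fields being assigned, and earlier hunks in this function deal with an impersonated client (`s4u2self_impersonated_client`, `tpn`) that is distinct from the requesting `client`; please confirm that the client and server entries the callee consults at this point are exactly the pair the removed arguments passed, since otherwise the flag checks run against the wrong principals for S4U2Self and constrained-delegation requests. A short comment at the call naming which fields of `priv` must already be final here, e.g. `/* kdc_check_flags() reads the client/server entries from priv; they must be set before this point */`, would make that precondition visible to the next person who reorders this function. The windc.c hunk at the end of this page makes the same substitution for `client_ex`/`server_ex`. The enclosing function starts and ends outside the hunk.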
@@ -2498,7 +2495,7 @@ _kdc_tgs_rep(astgs_request_t r)
 if(req->padata == NULL){
 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
- kdc_log(context, config, 2,
+ kdc_log(context, config, 4,
 "TGS-REQ from %s without PA-DATA", from);
 goto out;
 }
@@ -2508,7 +2505,7 @@ _kdc_tgs_rep(astgs_request_t r)
 if(tgs_req == NULL){
 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
- kdc_log(context, config, 2,
+ kdc_log(context, config, 4,
 "TGS-REQ from %s without PA-TGS-REQ", from);
 goto out;
 }
@@ -2527,7 +2524,7 @@ _kdc_tgs_rep(astgs_request_t r)
 goto out;
 }
 if (ret) {
- kdc_log(context, config, 2,
+ kdc_log(context, config, 4,
 "Failed parsing TGS-REQ from %s", from);
 goto out;
 }
@@ -2549,7 +2546,7 @@ _kdc_tgs_rep(astgs_request_t r)
 &auth_data, from_addr);
 if (ret) {
- kdc_log(context, config, 1,
+ kdc_log(context, config, 4,
 "Failed building TGS-REP to %s", from);
 goto out;
 }
diff --git a/kdc/windc.c b/kdc/windc.c
index 762212921..84419275e 100644
--- a/kdc/windc.c
+++ b/kdc/windc.c
@@ -212,10 +212,7 @@ _kdc_check_access(astgs_request_t r, KDC_REQ *req, METHOD_DATA *method_data)
 }
 if (ret == KRB5_PLUGIN_NO_HANDLE)
- return kdc_check_flags(context, config,
- client_ex, client_name,
- server_ex, server_name,
- req->msg_type == krb_as_req);
+ return kdc_check_flags(r, req->msg_type == krb_as_req);
 return ret;
 }
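Review bot: After `return kdc_check_flags(r, req->msg_type == krb_as_req);` in the windc.c hunk, the locals `client_ex`, `client_name`, `server_ex` and `server_name` are no longer referenced by this call; if that was their only use in `_kdc_check_access`, they are now dead and the lookups that populated them (and any allocation behind the two name strings) should be removed in the same change rather than left for a compiler warning to find. Whether they are still used elsewhere in the function cannot be seen from here, since the body and the earlier assignments are outside the hunk. It is also worth confirming, as for the kerberos5.c call, that the client/server entries `kdc_check_flags` now takes from `r` are the same ones `client_ex`/`server_ex` held at this point.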
