From 73c424ea6655cdb292dcdcf3f09f1d1ca9f0cc9d Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Fri, 14 Aug 2020 20:59:12 -0500 Subject: [PATCH] bx509d: Get KDC config out of bx509d --- kdc/Makefile.am | 1 + kdc/bx509d.c | 53 +++++++++++++++++++++++---------- kdc/ca.c | 76 +++++++++++++++++++++++++---------------------- kdc/kx509.c | 5 ++-- kdc/test_kdc_ca.c | 18 ++++------- 5 files changed, 87 insertions(+), 66 deletions(-) diff --git a/kdc/Makefile.am b/kdc/Makefile.am index 9c366fa1a..bbd1d2ce8 100644 --- a/kdc/Makefile.am +++ b/kdc/Makefile.am @@ -33,6 +33,7 @@ if HAVE_MICROHTTPD bx509d_SOURCES = bx509d.c bx509d_AM_CPPFLAGS = $(AM_CPPFLAGS) $(MICROHTTPD_CFLAGS) bx509d_LDADD = -ldl \ + $(top_builddir)/lib/hdb/libhdb.la \ libkdc.la \ $(MICROHTTPD_LIBS) \ $(LIB_roken) \ diff --git a/kdc/bx509d.c b/kdc/bx509d.c index 5419beb9f..ac622f000 100644 --- a/kdc/bx509d.c +++ b/kdc/bx509d.c @@ -126,7 +126,7 @@ struct bx509_request_desc { char frombuf[128]; }; -static krb5_kdc_configuration *kdc_config; +static krb5_log_facility *logfac; static pthread_key_t k5ctx; static krb5_error_code @@ -425,7 +425,7 @@ bad_reqv(struct bx509_request_desc *r, (void) gettimeofday(&r->tv_end, NULL); if (code == ENOMEM) { if (r->context) - kdc_log(r->context, kdc_config, 1, "Out of memory"); + krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory"); _kdc_audit_trail((kdc_request_t)r, code); return resp(r, http_status_code, MHD_RESPMEM_PERSISTENT, fmt, strlen(fmt), NULL); @@ -452,7 +452,7 @@ bad_reqv(struct bx509_request_desc *r, if (ret == -1 || msg == NULL) { if (context) - kdc_log(r->context, kdc_config, 1, "Out of memory"); + krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory"); return resp(r, MHD_HTTP_SERVICE_UNAVAILABLE, MHD_RESPMEM_PERSISTENT, "Out of memory", sizeof("Out of memory") - 1, NULL); 
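Review bot: In the @@ -452 hunk of kdc/bx509d.c the guard on the line above still tests `context` while the replacement line dereferences `r->context`, so the check only protects the call if `context` is a copy of `r->context` taken earlier in bad_reqv, which lies outside the hunk. The @@ -425 hunk guards `r->context` directly; use the same expression in both places, `if (r->context) krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory");`, or pass `context` to the call so the guard and the use agree.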
@@ -646,7 +646,7 @@ authorize_CSR(struct bx509_request_desc *r, return bad_req(r, ret, MHD_HTTP_SERVICE_UNAVAILABLE, "Could not handle query parameters"); - ret = kdc_authorize_csr(r->context, kdc_config, r->req, p); + ret = kdc_authorize_csr(r->context, "bx509d", r->req, p); if (ret) return bad_403(r, ret, "Not authorized to requested certificate"); return ret; @@ -745,7 +745,7 @@ do_CA(struct bx509_request_desc *r, const char *csr) } /* Issue the certificate */ - ret = kdc_issue_certificate(r->context, kdc_config, r->req, p, + ret = kdc_issue_certificate(r->context, "bx509d", logfac, r->req, p, &r->token_times, 1 /* send_chain */, &certs); krb5_free_principal(r->context, p); if (ret) { @@ -807,8 +807,8 @@ set_req_desc(struct MHD_Connection *connection, r->request.length = sizeof(""); r->from = r->frombuf; r->hcontext = r->context->hcontext; - r->config = kdc_config; - r->logf = kdc_config->logf; + r->config = NULL; + r->logf = logfac; r->reqtype = url; r->target = r->redir = NULL; r->pkix_store = NULL; @@ -845,7 +845,7 @@ set_req_desc(struct MHD_Connection *connection, } if (ret == 0 && r->kv == NULL) { - kdc_log(r->context, kdc_config, 1, "Out of memory"); + krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory"); ret = ENOMEM; } return ret; @@ -893,7 +893,8 @@ bx509(struct bx509_request_desc *r) return ret; /* Read and send the contents of the PKIX store */ - kdc_log(r->context, kdc_config, 4, "Issued certificate to %s", r->cname); + krb5_log_msg(r->context, logfac, 1, NULL, "Issued certificate to %s", + r->cname); return good_bx509(r); } @@ -1214,7 +1215,7 @@ bnegotiate_do_CA(struct bx509_request_desc *r) /* Issue the certificate */ if (ret == 0) - ret = kdc_issue_certificate(r->context, kdc_config, req, p, + ret = kdc_issue_certificate(r->context, "bx509d", logfac, req, p, &r->token_times, 1 /* send_chain */, &certs); krb5_free_principal(r->context, p); 
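Review bot: The @@ -646 hunk passes the literal `"bx509d"` as the application name to kdc_authorize_csr, and the @@ -745 and @@ -1214 hunks do the same for kdc_issue_certificate, whereas the code being replaced set `kdc_config->app = "bx509"` (the removed line in the main() hunk). In kdc/ca.c get_cf uses that string both as the krb5.conf section for the `realms` lookup and in `strcmp(app_name, "bx509")` to label the log message, so an existing `[bx509]` configuration is no longer found (issuance then fails with KRB5KDC_ERR_POLICY) and the "No ... configuration" message labels the daemon as kx509; kdc_authorize_csr is not visible here but presumably does the same lookup. Unless the section is meant to be renamed, pass `"bx509"` in all three calls (or one `static const char *app_name = "bx509";` next to `logfac`) and state the choice in the commit message.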
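Review bot: The @@ -807 hunk sets `r->config = NULL` although the request is still handed to libkdc as a `kdc_request_t` (the `_kdc_audit_trail((kdc_request_t)r, code)` call is visible in the @@ -425 hunk), so any libkdc helper that logs or reads policy through `r->config` would now dereference NULL. I cannot see _kdc_audit_trail from here; confirm that everything reached through the kdc_request_t view of bx509_request_desc uses `r->logf` rather than `r->config`, and record the contract at the assignment with `/* bx509d loads no KDC configuration; libkdc code reached via kdc_request_t must use logf, never config */`.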
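Review bot: The @@ -893 hunk lowers the level of the "Issued certificate to %s" message from 4 to 1 while converting it to krb5_log_msg, a behaviour change that the otherwise mechanical kdc_log → krb5_log_msg swap does not make elsewhere and the commit message does not mention. With the default destination `0-1/FILE:...` built in bx509_openlog, level 1 puts every issuance into the log file; if that is intended (one record per issued certificate) say so with `/* level 1: recorded with the default 0-1 log destination */`, otherwise keep `4`.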
@@ -1664,6 +1665,32 @@ sighandler(int sig) ; } +static void +bx509_openlog(krb5_context context, + const char *svc, + krb5_log_facility **fac) +{ + char **s = NULL, **p; + + krb5_initlog(context, "kdc", fac); + s = krb5_config_get_strings(context, NULL, svc, "logging", NULL); + if (s == NULL) + s = krb5_config_get_strings(context, NULL, "logging", svc, NULL); + if (s) { + for(p = s; *p; p++) + krb5_addlog_dest(context, *fac, *p); + krb5_config_free_strings(s); + } else { + char *ss; + if (asprintf(&ss, "0-1/FILE:%s/%s", hdb_db_dir(context), + KDC_LOG_FILE) < 0) + err(1, "out of memory"); + krb5_addlog_dest(context, *fac, ss); + free(ss); + } + krb5_set_warn_dest(context, *fac); +} + int main(int argc, char **argv) { @@ -1721,11 +1748,7 @@ main(int argc, char **argv) if ((errno = get_krb5_context(&context))) err(1, "Could not init krb5 context"); - if ((ret = krb5_kdc_get_config(context, &kdc_config))) - krb5_err(context, 1, ret, "Could not init krb5 context"); - - kdc_openlog(context, "bx509d", kdc_config); - kdc_config->app = "bx509"; + bx509_openlog(context, "bx509d", &logfac); if (cache_dir == NULL) { char *s = NULL; diff --git a/kdc/ca.c b/kdc/ca.c index ea4183ba9..271cc1f37 100644 --- a/kdc/ca.c +++ b/kdc/ca.c @@ -219,7 +219,8 @@ characterize(krb5_context context, */ static const krb5_config_binding * get_cf(krb5_context context, - krb5_kdc_configuration *config, + const char *app_name, + krb5_log_facility *logf, hx509_request req, krb5_principal cprinc) { @@ -236,7 +237,7 @@ get_cf(krb5_context context, size_t nsans = 0; if (ncomp == 0) { - kdc_log(context, config, 5, "Client principal has no components!"); + krb5_log_msg(context, logf, 5, NULL, "Client principal has no components!"); krb5_set_error_message(context, ENOTSUP, "Client principal has no components!"); return NULL; 
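Review bot: bx509_openlog in the @@ -1664 hunk of kdc/bx509d.c ignores the krb5_error_code returned by krb5_initlog and by each krb5_addlog_dest, so a bad `logging` entry in krb5.conf leaves `*fac` without the requested destinations and the daemon keeps running with logging silently broken, while the `asprintf` failure on the fallback path does abort. The test_kdc_ca.c hunk in this same patch checks both calls; do the same here, aborting with krb5_err as the rest of main() does. The function also has no header comment; add one stating that it builds the facility from `[svc] logging`, then `[logging] svc`, and otherwise from `0-1/FILE:<hdb_db_dir>/KDC_LOG_FILE`.
```c
static void
bx509_openlog(krb5_context context,
              const char *svc,
              krb5_log_facility **fac)
{
    krb5_error_code ret;
    char **s = NULL, **p;

    if ((ret = krb5_initlog(context, "kdc", fac)))
        krb5_err(context, 1, ret, "Could not initialize logging");
    /* … unchanged: [svc] logging / [logging] svc lookup into s … */
    if (s) {
        for (p = s; *p; p++)
            if ((ret = krb5_addlog_dest(context, *fac, *p)))
                krb5_err(context, 1, ret, "Bad log destination %s", *p);
        krb5_config_free_strings(s);
    } else {
        /* … unchanged: build the default 0-1/FILE destination in ss … */
        if ((ret = krb5_addlog_dest(context, *fac, ss)))
            krb5_err(context, 1, ret, "Bad log destination %s", ss);
        free(ss);
    }
    krb5_set_warn_dest(context, *fac);
}
```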
@@ -244,7 +245,7 @@ get_cf(krb5_context context, if ((ret = count_sans(req, &nsans)) || (certtype = characterize(context, cprinc, req)) == CERT_NOTSUP) { - kdc_log(context, config, 5, "Could not characterize CSR"); + krb5_log_msg(context, logf, 5, NULL, "Could not characterize CSR"); krb5_set_error_message(context, ret, "Could not characterize CSR"); return NULL; } @@ -275,24 +276,24 @@ get_cf(krb5_context context, } } - if (strcmp(config->app, "kdc") == 0) - cf = krb5_config_get_list(context, NULL, config->app, "realms", realm, + if (strcmp(app_name, "kdc") == 0) + cf = krb5_config_get_list(context, NULL, app_name, "realms", realm, "kx509", label, svc, NULL); else - cf = krb5_config_get_list(context, NULL, config->app, "realms", realm, + cf = krb5_config_get_list(context, NULL, app_name, "realms", realm, label, svc, NULL); if (cf == NULL) { - kdc_log(context, config, 3, - "No %s configuration for %s %s certificates [%s] realm " - "-> %s -> kx509 -> %s%s%s", - strcmp(config->app, "bx509") == 0 ? "bx509" : "kx509", - def, label, config->app, realm, label, - svc ? " -> " : "", svc ? svc : ""); + krb5_log_msg(context, logf, 3, NULL, + "No %s configuration for %s %s certificates [%s] realm " + "-> %s -> kx509 -> %s%s%s", + strcmp(app_name, "bx509") == 0 ? "bx509" : "kx509", + def, label, app_name, realm, label, + svc ? " -> " : "", svc ? svc : ""); krb5_set_error_message(context, KRB5KDC_ERR_POLICY, "No %s configuration for %s %s certificates [%s] realm " "-> %s -> kx509 -> %s%s%s", - strcmp(config->app, "bx509") == 0 ? "bx509" : "kx509", - def, label, config->app, realm, label, + strcmp(app_name, "bx509") == 0 ? "bx509" : "kx509", + def, label, app_name, realm, label, svc ? " -> " : "", svc ? svc : ""); } return cf; @@ -312,7 +313,7 @@ get_cf(krb5_context context, */ static krb5_error_code set_template(krb5_context context, - krb5_kdc_configuration *config, + krb5_log_facility *logf, const krb5_config_binding *cf, hx509_ca_tbs tbs) { 
@@ -338,9 +339,9 @@ set_template(krb5_context context, ret = hx509_get_one_cert(context->hx509ctx, certs, &template); hx509_certs_free(&certs); if (ret) { - kdc_log(context, config, 1, - "Failed to load certificate template from %s", - cert_template); + krb5_log_msg(context, logf, 1, NULL, + "Failed to load certificate template from %s", + cert_template); krb5_set_error_message(context, KRB5KDC_ERR_POLICY, "Failed to load certificate template from " "%s", cert_template); @@ -418,7 +419,7 @@ set_template(krb5_context context, */ static krb5_error_code set_tbs(krb5_context context, - krb5_kdc_configuration *config, + krb5_log_facility *logf, const krb5_config_binding *cf, hx509_request req, krb5_principal cprinc, @@ -451,7 +452,7 @@ set_tbs(krb5_context context, /* Populate requested certificate extensions from CSR/CSRPlus if allowed */ ret = hx509_ca_tbs_set_from_csr(context->hx509ctx, tbs, req); if (ret == 0) - ret = set_template(context, config, cf, tbs); + ret = set_template(context, logf, cf, tbs); /* * Optionally add PKINIT SAN. @@ -533,8 +534,8 @@ set_tbs(krb5_context context, } } } else { - kdc_log(context, config, 5, "kx509/bx509 client %s has too many " - "components!", princ); + krb5_log_msg(context, logf, 5, NULL, + "kx509/bx509 client %s has too many components!", princ); krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY, "kx509/bx509 client %s has too many " "components!", princ); @@ -548,8 +549,8 @@ out: return ret; enomem: - kdc_log(context, config, 0, - "Could not set up TBSCertificate: Out of memory"); + krb5_log_msg(context, logf, 0, NULL, + "Could not set up TBSCertificate: Out of memory"); ret = krb5_enomem(context); goto out; } @@ -591,7 +592,8 @@ tbs_set_times(krb5_context context, */ krb5_error_code kdc_issue_certificate(krb5_context context, - krb5_kdc_configuration *config, + const char *app_name, + krb5_log_facility *logf, hx509_request req, krb5_principal cprinc, krb5_times *auth_times, 
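Review bot: kdc_issue_certificate's signature in the @@ -591 hunk of kdc/ca.c gains `app_name` and `logf`, but the block comment that ends just above the hunk (its `*/` is the first context line) is unchanged and, if it lists parameters, still describes the removed `config`. Document the two new parameters there: `app_name` selects the krb5.conf section the CA policy is read from (`"kdc"` is special-cased to `realms -> <realm> -> kx509`, any other value to `[<app_name>] realms -> <realm>` directly, as get_cf shows) and must not be NULL because it goes straight to strcmp; `logf` is the facility every diagnostic in this file is written to. The same comment should say which values the in-tree callers pass (`r->config->app` from kx509.c, the literal from bx509d.c) so a future caller does not invent a new section name by accident.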
@@ -615,10 +617,11 @@ kdc_issue_certificate(krb5_context context, hx509_request_authorize_ku(req, ku); /* Get configuration */ - if ((cf = get_cf(context, config, req, cprinc)) == NULL) + if ((cf = get_cf(context, app_name, logf, req, cprinc)) == NULL) return KRB5KDC_ERR_POLICY; if ((ca = krb5_config_get_string(context, cf, "ca", NULL)) == NULL) { - kdc_log(context, config, 3, "No kx509 CA issuer credential specified"); + krb5_log_msg(context, logf, 3, NULL, + "No kx509 CA issuer credential specified"); krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY, "No kx509 CA issuer credential specified"); return ret; @@ -626,14 +629,14 @@ kdc_issue_certificate(krb5_context context, ret = hx509_ca_tbs_init(context->hx509ctx, &tbs); if (ret) { - kdc_log(context, config, 0, - "Failed to create certificate: Out of memory"); + krb5_log_msg(context, logf, 0, NULL, + "Failed to create certificate: Out of memory"); return ret; } /* Lookup a template and set things in `env' and `tbs' as appropriate */ if (ret == 0) - ret = set_tbs(context, config, cf, req, cprinc, &env, tbs); + ret = set_tbs(context, logf, cf, req, cprinc, &env, tbs); /* Populate generic template "env" variables */ @@ -646,8 +649,8 @@ kdc_issue_certificate(krb5_context context, */ if (ret == 0 && hx509_name_is_null_p(hx509_ca_tbs_get_name(tbs)) && !has_sans(req)) { - kdc_log(context, config, 3, - "Not issuing certificate because it would have no names"); + krb5_log_msg(context, logf, 3, NULL, + "Not issuing certificate because it would have no names"); krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY, "Not issuing certificate because it " "would have no names"); 
@@ -672,8 +675,9 @@ kdc_issue_certificate(krb5_context context, ret = hx509_certs_init(context->hx509ctx, ca, 0, NULL, &certs); if (ret) { - kdc_log(context, config, 1, - "Failed to load CA certificate and private key %s", ca); + krb5_log_msg(context, logf, 1, NULL, + "Failed to load CA certificate and private key %s", + ca); krb5_set_error_message(context, ret, "Failed to load CA " "certificate and private key %s", ca); goto out; @@ -691,8 +695,8 @@ kdc_issue_certificate(krb5_context context, hx509_query_free(context->hx509ctx, q); hx509_certs_free(&certs); if (ret) { - kdc_log(context, config, 1, - "Failed to find a CA certificate in %s", ca); + krb5_log_msg(context, logf, 1, NULL, + "Failed to find a CA certificate in %s", ca); krb5_set_error_message(context, ret, "Failed to find a CA certificate in %s", ca); diff --git a/kdc/kx509.c b/kdc/kx509.c index 5ab34e954..5e86bfc83 100644 --- a/kdc/kx509.c +++ b/kdc/kx509.c @@ -1004,8 +1004,9 @@ _kdc_do_kx509(kx509_req_context r) krb5_data_zero(rep.hash); krb5_data_zero(rep.certificate); krb5_ticket_get_times(r->context, ticket, &r->ticket_times); - ret = kdc_issue_certificate(r->context, r->config, r->csr, cprincipal, - &r->ticket_times, r->send_chain, &certs); + ret = kdc_issue_certificate(r->context, r->config->app, r->logf, r->csr, + cprincipal, &r->ticket_times, r->send_chain, + &certs); if (ret) { int level = 1; const char *msg = krb5_get_error_message(r->context, ret); diff --git a/kdc/test_kdc_ca.c b/kdc/test_kdc_ca.c index 0eaaa6296..fd5791e5d 100644 --- a/kdc/test_kdc_ca.c +++ b/kdc/test_kdc_ca.c @@ -37,7 +37,7 @@ usage(int e) int main(int argc, char **argv) { - krb5_kdc_configuration *config; + krb5_log_facility *logf = NULL; krb5_error_code ret; krb5_principal p = NULL; krb5_context context; 
@@ -67,16 +67,9 @@ main(int argc, char **argv) if ((errno = krb5_init_context(&context))) err(1, "Could not initialize krb5_context"); - if ((ret = krb5_kdc_get_config(context, &config))) - krb5_err(context, 1, ret, "Could not get KDC configuration"); - config->app = app_string; - if ((ret = krb5_initlog(context, argv0, &config->logf)) || - (ret = krb5_addlog_dest(context, config->logf, "0-5/STDERR"))) + if ((ret = krb5_initlog(context, argv0, &logf)) || + (ret = krb5_addlog_dest(context, logf, "0-5/STDERR"))) krb5_err(context, 1, ret, "Could not set up logging to stderr"); -#if 0 - if ((ret = krb5_kdc_set_dbinfo(context, config))) - krb5_err(context, 1, ret, "Could not get KDC configuration (HDB)"); -#endif if ((ret = krb5_parse_name(context, argv[0], &p))) krb5_err(context, 1, ret, "Could not parse principal %s", argv[0]); if ((ret = hx509_request_parse(context->hx509ctx, argv[1], &req))) @@ -110,7 +103,7 @@ main(int argc, char **argv) } if (ret == HX509_NO_ITEM) ret = 0; - } else if ((ret = kdc_authorize_csr(context, config, req, p))) { + } else if ((ret = kdc_authorize_csr(context, app_string, req, p))) { krb5_err(context, 1, ret, "Requested certificate extensions rejected by policy"); } @@ -118,7 +111,7 @@ main(int argc, char **argv) memset(&t, 0, sizeof(t)); t.starttime = time(NULL); t.endtime = t.starttime + 3600; - if ((ret = kdc_issue_certificate(context, config, req, p, &t, 1, + if ((ret = kdc_issue_certificate(context, app_string, logf, req, p, &t, 1, &certs))) krb5_err(context, 1, ret, "Certificate issuance failed"); @@ -143,6 +136,5 @@ main(int argc, char **argv) hx509_request_free(&req); hx509_certs_free(&store); hx509_certs_free(&certs); - /* FIXME There's no free function for config yet */ return 0; }