bx509d: Get KDC config out of bx509d

2020-08-14 20:59:12 -05:00
parent c3e99be519
commit 73c424ea66
5 changed files with 87 additions and 66 deletions
--- a/kdc/Makefile.am
+++ b/kdc/Makefile.am
@@ -33,6 +33,7 @@ if HAVE_MICROHTTPD
 bx509d_SOURCES = bx509d.c
 bx509d_AM_CPPFLAGS = $(AM_CPPFLAGS) $(MICROHTTPD_CFLAGS)
 bx509d_LDADD =	-ldl \
+                 $(top_builddir)/lib/hdb/libhdb.la \
 		 libkdc.la \
 		 $(MICROHTTPD_LIBS) \
 		 $(LIB_roken) \
--- a/kdc/bx509d.c
+++ b/kdc/bx509d.c
@@ -126,7 +126,7 @@ struct bx509_request_desc {
    char frombuf[128];
 };

-static krb5_kdc_configuration *kdc_config;
+static krb5_log_facility *logfac;
 static pthread_key_t k5ctx;

 static krb5_error_code
@@ -425,7 +425,7 @@ bad_reqv(struct bx509_request_desc *r,
    (void) gettimeofday(&r->tv_end, NULL);
    if (code == ENOMEM) {
        if (r->context)
-            kdc_log(r->context, kdc_config, 1, "Out of memory");
+            krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory");
        _kdc_audit_trail((kdc_request_t)r, code);
        return resp(r, http_status_code, MHD_RESPMEM_PERSISTENT,
                    fmt, strlen(fmt), NULL);
@@ -452,7 +452,7 @@ bad_reqv(struct bx509_request_desc *r,

    if (ret == -1 || msg == NULL) {
        if (context)
-            kdc_log(r->context, kdc_config, 1, "Out of memory");
+            krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory");
        return resp(r, MHD_HTTP_SERVICE_UNAVAILABLE,
                    MHD_RESPMEM_PERSISTENT,
                    "Out of memory", sizeof("Out of memory") - 1, NULL);
@@ -646,7 +646,7 @@ authorize_CSR(struct bx509_request_desc *r,
        return bad_req(r, ret, MHD_HTTP_SERVICE_UNAVAILABLE,
                       "Could not handle query parameters");

-    ret = kdc_authorize_csr(r->context, kdc_config, r->req, p);
+    ret = kdc_authorize_csr(r->context, "bx509d", r->req, p);
    if (ret)
        return bad_403(r, ret, "Not authorized to requested certificate");
    return ret;
@@ -745,7 +745,7 @@ do_CA(struct bx509_request_desc *r, const char *csr)
    }

    /* Issue the certificate */
-    ret = kdc_issue_certificate(r->context, kdc_config, r->req, p,
+    ret = kdc_issue_certificate(r->context, "bx509d", logfac, r->req, p,
                                &r->token_times, 1 /* send_chain */, &certs);
    krb5_free_principal(r->context, p);
    if (ret) {
@@ -807,8 +807,8 @@ set_req_desc(struct MHD_Connection *connection,
    r->request.length = sizeof("<HTTP-REQUEST>");
    r->from = r->frombuf;
    r->hcontext = r->context->hcontext;
-    r->config = kdc_config;
-    r->logf = kdc_config->logf;
+    r->config = NULL;
+    r->logf = logfac;
    r->reqtype = url;
    r->target = r->redir = NULL;
    r->pkix_store = NULL;
@@ -845,7 +845,7 @@ set_req_desc(struct MHD_Connection *connection,
    }

    if (ret == 0 && r->kv == NULL) {
-        kdc_log(r->context, kdc_config, 1, "Out of memory");
+        krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory");
        ret = ENOMEM;
    }
    return ret;
@@ -893,7 +893,8 @@ bx509(struct bx509_request_desc *r)
        return ret;

    /* Read and send the contents of the PKIX store */
-    kdc_log(r->context, kdc_config, 4, "Issued certificate to %s", r->cname);
+    krb5_log_msg(r->context, logfac, 1, NULL, "Issued certificate to %s",
+                 r->cname);
    return good_bx509(r);
 }

@@ -1214,7 +1215,7 @@ bnegotiate_do_CA(struct bx509_request_desc *r)

    /* Issue the certificate */
    if (ret == 0)
-        ret = kdc_issue_certificate(r->context, kdc_config, req, p,
+        ret = kdc_issue_certificate(r->context, "bx509d", logfac, req, p,
                                    &r->token_times, 1 /* send_chain */,
                                    &certs);
    krb5_free_principal(r->context, p);
@@ -1664,6 +1665,32 @@ sighandler(int sig)
        ;
 }

+static void
+bx509_openlog(krb5_context context,
+              const char *svc,
+              krb5_log_facility **fac)
+{
+    char **s = NULL, **p;
+
+    krb5_initlog(context, "kdc", fac);
+    s = krb5_config_get_strings(context, NULL, svc, "logging", NULL);
+    if (s == NULL)
+        s = krb5_config_get_strings(context, NULL, "logging", svc, NULL);
+    if (s) {
+        for(p = s; *p; p++)
+            krb5_addlog_dest(context, *fac, *p);
+        krb5_config_free_strings(s);
+    } else {
+        char *ss;
+        if (asprintf(&ss, "0-1/FILE:%s/%s", hdb_db_dir(context),
+            KDC_LOG_FILE) < 0)
+            err(1, "out of memory");
+        krb5_addlog_dest(context, *fac, ss);
+        free(ss);
+    }
+    krb5_set_warn_dest(context, *fac);
+}
+
 int
 main(int argc, char **argv)
 {
@@ -1721,11 +1748,7 @@ main(int argc, char **argv)
    if ((errno = get_krb5_context(&context)))
        err(1, "Could not init krb5 context");

-    if ((ret = krb5_kdc_get_config(context, &kdc_config)))
-        krb5_err(context, 1, ret, "Could not init krb5 context");
-
-    kdc_openlog(context, "bx509d", kdc_config);
-    kdc_config->app = "bx509";
+    bx509_openlog(context, "bx509d", &logfac);

    if (cache_dir == NULL) {
        char *s = NULL;
--- a/kdc/ca.c
+++ b/kdc/ca.c
@@ -219,7 +219,8 @@ characterize(krb5_context context,
 */
 static const krb5_config_binding *
 get_cf(krb5_context context,
-       krb5_kdc_configuration *config,
+       const char *app_name,
+       krb5_log_facility *logf,
       hx509_request req,
       krb5_principal cprinc)
 {
@@ -236,7 +237,7 @@ get_cf(krb5_context context,
    size_t nsans = 0;

    if (ncomp == 0) {
-        kdc_log(context, config, 5, "Client principal has no components!");
+        krb5_log_msg(context, logf, 5, NULL, "Client principal has no components!");
        krb5_set_error_message(context, ENOTSUP,
                               "Client principal has no components!");
        return NULL;
@@ -244,7 +245,7 @@ get_cf(krb5_context context,

    if ((ret = count_sans(req, &nsans)) ||
        (certtype = characterize(context, cprinc, req)) == CERT_NOTSUP) {
-        kdc_log(context, config, 5, "Could not characterize CSR");
+        krb5_log_msg(context, logf, 5, NULL, "Could not characterize CSR");
        krb5_set_error_message(context, ret, "Could not characterize CSR");
        return NULL;
    }
@@ -275,24 +276,24 @@ get_cf(krb5_context context,
        }
    }

-    if (strcmp(config->app, "kdc") == 0)
-        cf = krb5_config_get_list(context, NULL, config->app, "realms", realm,
+    if (strcmp(app_name, "kdc") == 0)
+        cf = krb5_config_get_list(context, NULL, app_name, "realms", realm,
                                  "kx509", label, svc, NULL);
    else
-        cf = krb5_config_get_list(context, NULL, config->app, "realms", realm,
+        cf = krb5_config_get_list(context, NULL, app_name, "realms", realm,
                                  label, svc, NULL);
    if (cf == NULL) {
-        kdc_log(context, config, 3,
+        krb5_log_msg(context, logf, 3, NULL,
                     "No %s configuration for %s %s certificates [%s] realm "
                     "-> %s -> kx509 -> %s%s%s",
-                strcmp(config->app, "bx509") == 0 ? "bx509" : "kx509",
-                def, label, config->app, realm, label,
+                     strcmp(app_name, "bx509") == 0 ? "bx509" : "kx509",
+                     def, label, app_name, realm, label,
                     svc ? " -> " : "", svc ? svc : "");
        krb5_set_error_message(context, KRB5KDC_ERR_POLICY,
                "No %s configuration for %s %s certificates [%s] realm "
                "-> %s -> kx509 -> %s%s%s",
-                strcmp(config->app, "bx509") == 0 ? "bx509" : "kx509",
-                def, label, config->app, realm, label,
+                strcmp(app_name, "bx509") == 0 ? "bx509" : "kx509",
+                def, label, app_name, realm, label,
                svc ? " -> " : "", svc ? svc : "");
    }
    return cf;
@@ -312,7 +313,7 @@ get_cf(krb5_context context,
 */
 static krb5_error_code
 set_template(krb5_context context,
-             krb5_kdc_configuration *config,
+             krb5_log_facility *logf,
             const krb5_config_binding *cf,
             hx509_ca_tbs tbs)
 {
@@ -338,7 +339,7 @@ set_template(krb5_context context,
            ret = hx509_get_one_cert(context->hx509ctx, certs, &template);
        hx509_certs_free(&certs);
        if (ret) {
-            kdc_log(context, config, 1,
+            krb5_log_msg(context, logf, 1, NULL,
                         "Failed to load certificate template from %s",
                         cert_template);
            krb5_set_error_message(context, KRB5KDC_ERR_POLICY,
@@ -418,7 +419,7 @@ set_template(krb5_context context,
 */
 static krb5_error_code
 set_tbs(krb5_context context,
-        krb5_kdc_configuration *config,
+        krb5_log_facility *logf,
        const krb5_config_binding *cf,
        hx509_request req,
        krb5_principal cprinc,
@@ -451,7 +452,7 @@ set_tbs(krb5_context context,
    /* Populate requested certificate extensions from CSR/CSRPlus if allowed */
    ret = hx509_ca_tbs_set_from_csr(context->hx509ctx, tbs, req);
    if (ret == 0)
-        ret = set_template(context, config, cf, tbs);
+        ret = set_template(context, logf, cf, tbs);

    /*
     * Optionally add PKINIT SAN.
@@ -533,8 +534,8 @@ set_tbs(krb5_context context,
            }
        }
    } else {
-        kdc_log(context, config, 5, "kx509/bx509 client %s has too many "
-                "components!", princ);
+        krb5_log_msg(context, logf, 5, NULL,
+                     "kx509/bx509 client %s has too many components!", princ);
        krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
                               "kx509/bx509 client %s has too many "
                               "components!", princ);
@@ -548,7 +549,7 @@ out:
    return ret;

 enomem:
-    kdc_log(context, config, 0,
+    krb5_log_msg(context, logf, 0, NULL,
                 "Could not set up TBSCertificate: Out of memory");
    ret = krb5_enomem(context);
    goto out;
@@ -591,7 +592,8 @@ tbs_set_times(krb5_context context,
 */
 krb5_error_code
 kdc_issue_certificate(krb5_context context,
-                      krb5_kdc_configuration *config,
+                      const char *app_name,
+                      krb5_log_facility *logf,
                      hx509_request req,
                      krb5_principal cprinc,
                      krb5_times *auth_times,
@@ -615,10 +617,11 @@ kdc_issue_certificate(krb5_context context,
    hx509_request_authorize_ku(req, ku);

    /* Get configuration */
-    if ((cf = get_cf(context, config, req, cprinc)) == NULL)
+    if ((cf = get_cf(context, app_name, logf, req, cprinc)) == NULL)
        return KRB5KDC_ERR_POLICY;
    if ((ca = krb5_config_get_string(context, cf, "ca", NULL)) == NULL) {
-        kdc_log(context, config, 3, "No kx509 CA issuer credential specified");
+        krb5_log_msg(context, logf, 3, NULL,
+                     "No kx509 CA issuer credential specified");
        krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
                               "No kx509 CA issuer credential specified");
        return ret;
@@ -626,14 +629,14 @@ kdc_issue_certificate(krb5_context context,

    ret = hx509_ca_tbs_init(context->hx509ctx, &tbs);
    if (ret) {
-        kdc_log(context, config, 0,
+        krb5_log_msg(context, logf, 0, NULL,
                     "Failed to create certificate: Out of memory");
        return ret;
    }

    /* Lookup a template and set things in `env' and `tbs' as appropriate */
    if (ret == 0)
-        ret = set_tbs(context, config, cf, req, cprinc, &env, tbs);
+        ret = set_tbs(context, logf, cf, req, cprinc, &env, tbs);

    /* Populate generic template "env" variables */

@@ -646,7 +649,7 @@ kdc_issue_certificate(krb5_context context,
     */
    if (ret == 0 && hx509_name_is_null_p(hx509_ca_tbs_get_name(tbs)) &&
        !has_sans(req)) {
-        kdc_log(context, config, 3,
+        krb5_log_msg(context, logf, 3, NULL,
                     "Not issuing certificate because it would have no names");
        krb5_set_error_message(context, ret = KRB5KDC_ERR_POLICY,
                               "Not issuing certificate because it "
@@ -672,8 +675,9 @@ kdc_issue_certificate(krb5_context context,

        ret = hx509_certs_init(context->hx509ctx, ca, 0, NULL, &certs);
        if (ret) {
-            kdc_log(context, config, 1,
-                    "Failed to load CA certificate and private key %s", ca);
+            krb5_log_msg(context, logf, 1, NULL,
+                         "Failed to load CA certificate and private key %s",
+                         ca);
            krb5_set_error_message(context, ret, "Failed to load CA "
                                   "certificate and private key %s", ca);
            goto out;
@@ -691,7 +695,7 @@ kdc_issue_certificate(krb5_context context,
        hx509_query_free(context->hx509ctx, q);
        hx509_certs_free(&certs);
        if (ret) {
-            kdc_log(context, config, 1,
+            krb5_log_msg(context, logf, 1, NULL,
                         "Failed to find a CA certificate in %s", ca);
            krb5_set_error_message(context, ret,
                                   "Failed to find a CA certificate in %s",
--- a/kdc/kx509.c
+++ b/kdc/kx509.c
@@ -1004,8 +1004,9 @@ _kdc_do_kx509(kx509_req_context r)
    krb5_data_zero(rep.hash);
    krb5_data_zero(rep.certificate);
    krb5_ticket_get_times(r->context, ticket, &r->ticket_times);
-    ret = kdc_issue_certificate(r->context, r->config, r->csr, cprincipal,
-                                &r->ticket_times, r->send_chain, &certs);
+    ret = kdc_issue_certificate(r->context, r->config->app, r->logf, r->csr,
+                                cprincipal, &r->ticket_times, r->send_chain,
+                                &certs);
    if (ret) {
        int level = 1;
 	const char *msg = krb5_get_error_message(r->context, ret);
--- a/kdc/test_kdc_ca.c
+++ b/kdc/test_kdc_ca.c
@@ -37,7 +37,7 @@ usage(int e)
 int
 main(int argc, char **argv)
 {
-    krb5_kdc_configuration *config;
+    krb5_log_facility *logf = NULL;
    krb5_error_code ret;
    krb5_principal p = NULL;
    krb5_context context;
@@ -67,16 +67,9 @@ main(int argc, char **argv)

    if ((errno = krb5_init_context(&context)))
        err(1, "Could not initialize krb5_context");
-    if ((ret = krb5_kdc_get_config(context, &config)))
-        krb5_err(context, 1, ret, "Could not get KDC configuration");
-    config->app = app_string;
-    if ((ret = krb5_initlog(context, argv0, &config->logf)) ||
-        (ret = krb5_addlog_dest(context, config->logf, "0-5/STDERR")))
+    if ((ret = krb5_initlog(context, argv0, &logf)) ||
+        (ret = krb5_addlog_dest(context, logf, "0-5/STDERR")))
        krb5_err(context, 1, ret, "Could not set up logging to stderr");
-#if 0
-    if ((ret = krb5_kdc_set_dbinfo(context, config)))
-        krb5_err(context, 1, ret, "Could not get KDC configuration (HDB)");
-#endif
    if ((ret = krb5_parse_name(context, argv[0], &p)))
        krb5_err(context, 1, ret, "Could not parse principal %s", argv[0]);
    if ((ret = hx509_request_parse(context->hx509ctx, argv[1], &req)))
@@ -110,7 +103,7 @@ main(int argc, char **argv)
        }
        if (ret == HX509_NO_ITEM)
            ret = 0;
-    } else if ((ret = kdc_authorize_csr(context, config, req, p))) {
+    } else if ((ret = kdc_authorize_csr(context, app_string, req, p))) {
        krb5_err(context, 1, ret,
                 "Requested certificate extensions rejected by policy");
    }
@@ -118,7 +111,7 @@ main(int argc, char **argv)
    memset(&t, 0, sizeof(t));
    t.starttime = time(NULL);
    t.endtime = t.starttime + 3600;
-    if ((ret = kdc_issue_certificate(context, config, req, p, &t, 1,
+    if ((ret = kdc_issue_certificate(context, app_string, logf, req, p, &t, 1,
                                     &certs)))
        krb5_err(context, 1, ret, "Certificate issuance failed");

@@ -143,6 +136,5 @@ main(int argc, char **argv)
    hx509_request_free(&req);
    hx509_certs_free(&store);
    hx509_certs_free(&certs);
-    /* FIXME There's no free function for config yet */
    return 0;
 }