From 94ed961d02fa66937b2d094a14bd9db2fdd6cd0b Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Fri, 14 Jan 2022 15:23:48 +1100 Subject: [PATCH] kdc: make auditing API public Samba plugins will need to use auditing API without including krb5-private.h, so make the auditing APIs public. --- kdc/fast.c | 8 +- kdc/kerberos5.c | 170 ++++++++++++++++++++--------------------- kdc/krb5tgs.c | 132 ++++++++++++++++---------------- kdc/kx509.c | 88 ++++++++++----------- kdc/libkdc-exports.def | 24 +++--- kdc/mssfu.c | 46 +++++------ kdc/process.c | 28 +++---- kdc/version-script.map | 24 +++--- 8 files changed, 260 insertions(+), 260 deletions(-) diff --git a/kdc/fast.c b/kdc/fast.c index 0d1cf8e56..44a0e39ad 100644 --- a/kdc/fast.c +++ b/kdc/fast.c @@ -596,8 +596,8 @@ fast_unwrap_request(astgs_request_t r, &r->armor_ticket->ticket, armor_server_principal_name); if (ret) { - _kdc_audit_addreason((kdc_request_t)r, - "Armor TGT expired or invalid"); + kdc_audit_addreason((kdc_request_t)r, + "Armor TGT expired or invalid"); goto out; } ticket = r->armor_ticket; @@ -608,8 +608,8 @@ fast_unwrap_request(astgs_request_t r, } krb5_unparse_name(r->context, ticket->client, &armor_client_principal_name); - _kdc_audit_addkv((kdc_request_t)r, 0, "armor_client_name", "%s", - armor_client_principal_name ? armor_client_principal_name : ""); + kdc_audit_addkv((kdc_request_t)r, 0, "armor_client_name", "%s", + armor_client_principal_name ? armor_client_principal_name : ""); if (ac->remote_subkey == NULL) { krb5_auth_con_free(r->context, ac); diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 00d10e1c6..07037d5c1 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -459,13 +459,13 @@ _kdc_log_timestamp(astgs_request_t r, const char *type, endtime_str[100], renewtime_str[100]; if (authtime) - _kdc_audit_setkv_number((kdc_request_t)r, "auth", authtime); + kdc_audit_setkv_number((kdc_request_t)r, "auth", authtime); if (starttime && *starttime) - _kdc_audit_setkv_number((kdc_request_t)r, "start", *starttime); + kdc_audit_setkv_number((kdc_request_t)r, "start", *starttime); if (endtime) - _kdc_audit_setkv_number((kdc_request_t)r, "end", endtime); + kdc_audit_setkv_number((kdc_request_t)r, "end", endtime); if (renew_till && *renew_till) - _kdc_audit_setkv_number((kdc_request_t)r, "renew", *renew_till); + kdc_audit_setkv_number((kdc_request_t)r, "renew", *renew_till); krb5_format_time(r->context, authtime, authtime_str, sizeof(authtime_str), TRUE); @@ -510,13 +510,13 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa) ret = _kdc_pk_check_client(r, pkp, &client_cert); if (client_cert) - _kdc_audit_addkv((kdc_request_t)r, 0, KDC_REQUEST_KV_PKINIT_CLIENT_CERT, - "%s", client_cert); + kdc_audit_addkv((kdc_request_t)r, 0, KDC_REQUEST_KV_PKINIT_CLIENT_CERT, + "%s", client_cert); if (ret) { _kdc_set_e_text(r, "PKINIT certificate not allowed to " "impersonate principal"); - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED); goto out; } @@ -535,8 +535,8 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa) ret = _kdc_add_initial_verified_cas(r->context, r->config, pkp, &r->et); - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_PREAUTH_SUCCEEDED); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_PREAUTH_SUCCEEDED); out: if (pkp) @@ -563,13 +563,13 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa) if (open) { ret = _kdc_gss_check_client(r, gcp, &client_name); if (client_name) - _kdc_audit_addkv((kdc_request_t)r, 0, KDC_REQUEST_KV_GSS_INITIATOR, - "%s", client_name); + kdc_audit_addkv((kdc_request_t)r, 0, KDC_REQUEST_KV_GSS_INITIATOR, + "%s", client_name); if (ret) { _kdc_set_e_text(r, "GSS-API client not allowed to " "impersonate principal"); - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED); goto out; } @@ -577,8 +577,8 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa) _kdc_r_log(r, 4, "GSS pre-authentication succeeded -- %s using %s", r->cname, client_name); - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_PREAUTH_SUCCEEDED); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_PREAUTH_SUCCEEDED); ret = _kdc_gss_mk_composite_name_ad(r, gcp); if (ret) { @@ -642,8 +642,8 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa) ret = KRB5KDC_ERR_CLIENT_REVOKED; kdc_log(r->context, r->config, 0, "Client (%s) is locked out", r->cname); - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_CLIENT_LOCKED_OUT); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_CLIENT_LOCKED_OUT); return ret; } @@ -769,14 +769,14 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa) /* * Success */ - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY); goto out; } if (invalidPassword) { - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY); ret = KRB5KDC_ERR_PREAUTH_FAILED; } else { ret = KRB5KDC_ERR_ETYPE_NOSUPP; @@ -815,8 +815,8 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) ret = KRB5KDC_ERR_CLIENT_REVOKED; kdc_log(r->context, r->config, 0, "Client (%s) is locked out", r->cname); - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_CLIENT_LOCKED_OUT); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_CLIENT_LOCKED_OUT); return ret; } @@ -886,10 +886,10 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) r->cname, str ? str : "unknown enctype", msg); krb5_xfree(str); krb5_free_error_message(r->context, msg); - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_PA_ETYPE, - pa_key->key.keytype); - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_PA_ETYPE, + pa_key->key.keytype); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY); if(hdb_next_enctype2key(r->context, r->client, NULL, enc_data.etype, &pa_key) == 0) goto try_next_key; @@ -924,8 +924,8 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) (unsigned)labs(kdc_time - p.patimestamp), r->context->max_skew, r->cname); - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_CLIENT_TIME_SKEW); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_CLIENT_TIME_SKEW); /* * The following is needed to make windows clients to @@ -950,10 +950,10 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) _kdc_r_log(r, 4, "ENC-TS Pre-authentication succeeded -- %s using %s", r->cname, str ? str : "unknown enctype"); krb5_xfree(str); - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_PA_ETYPE, - pa_key->key.keytype); - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_PA_ETYPE, + pa_key->key.keytype); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY); ret = 0; @@ -1047,8 +1047,8 @@ log_patypes(astgs_request_t r, METHOD_DATA *padata) str = rk_strpoolcollect(p); kdc_log(r->context, config, 4, "Client sent patypes: %s", str); - _kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE, - "client-pa", "%s", str); + kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE, + "client-pa", "%s", str); free(str); } @@ -1586,8 +1586,8 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype) str = rk_strpoolcollect(s); if (str) - _kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE, "etypes", "%s", - str); + kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE, "etypes", "%s", + str); free(str); ret = krb5_enctype_to_string(r->context, cetype, &cet); @@ -1608,7 +1608,7 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype) _kdc_r_log(r, 4, "%s", str); free(str); - _kdc_audit_addkv((kdc_request_t)r, 0, "etype", "%d/%d", cetype, setype); + kdc_audit_addkv((kdc_request_t)r, 0, "etype", "%d/%d", cetype, setype); { char fixedstr[128]; @@ -1618,8 +1618,8 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype) fixedstr, sizeof(fixedstr)); if (result > 0) { _kdc_r_log(r, 4, "Requested flags: %s", fixedstr); - _kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE, - "flags", "%s", fixedstr); + kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE, + "flags", "%s", fixedstr); } } } @@ -1639,19 +1639,19 @@ kdc_check_flags(astgs_request_t r, if (client != NULL) { /* check client */ if (client->flags.locked_out) { - _kdc_audit_addreason((kdc_request_t)r, "Client is locked out"); + kdc_audit_addreason((kdc_request_t)r, "Client is locked out"); return KRB5KDC_ERR_CLIENT_REVOKED; } if (client->flags.invalid) { - _kdc_audit_addreason((kdc_request_t)r, - "Client has invalid bit set"); + kdc_audit_addreason((kdc_request_t)r, + "Client has invalid bit set"); return KRB5KDC_ERR_POLICY; } if (!client->flags.client) { - _kdc_audit_addreason((kdc_request_t)r, - "Principal may not act as client"); + kdc_audit_addreason((kdc_request_t)r, + "Principal may not act as client"); return KRB5KDC_ERR_POLICY; } @@ -1659,8 +1659,8 @@ kdc_check_flags(astgs_request_t r, char starttime_str[100]; krb5_format_time(r->context, *client->valid_start, starttime_str, sizeof(starttime_str), TRUE); - _kdc_audit_addreason((kdc_request_t)r, "Client not yet valid " - "until %s", starttime_str); + kdc_audit_addreason((kdc_request_t)r, "Client not yet valid " + "until %s", starttime_str); return KRB5KDC_ERR_CLIENT_NOTYET; } @@ -1668,8 +1668,8 @@ kdc_check_flags(astgs_request_t r, char endtime_str[100]; krb5_format_time(r->context, *client->valid_end, endtime_str, sizeof(endtime_str), TRUE); - _kdc_audit_addreason((kdc_request_t)r, "Client expired at %s", - endtime_str); + kdc_audit_addreason((kdc_request_t)r, "Client expired at %s", + endtime_str); return KRB5KDC_ERR_NAME_EXP; } @@ -1682,8 +1682,8 @@ kdc_check_flags(astgs_request_t r, char pwend_str[100]; krb5_format_time(r->context, *client->pw_end, pwend_str, sizeof(pwend_str), TRUE); - _kdc_audit_addreason((kdc_request_t)r, "Client's key has expired " - "at %s", pwend_str); + kdc_audit_addreason((kdc_request_t)r, "Client's key has expired " + "at %s", pwend_str); return KRB5KDC_ERR_KEY_EXPIRED; } } @@ -1692,23 +1692,23 @@ kdc_check_flags(astgs_request_t r, if (server != NULL) { if (server->flags.locked_out) { - _kdc_audit_addreason((kdc_request_t)r, "Server locked out"); + kdc_audit_addreason((kdc_request_t)r, "Server locked out"); return KRB5KDC_ERR_SERVICE_REVOKED; } if (server->flags.invalid) { - _kdc_audit_addreason((kdc_request_t)r, - "Server has invalid flag set"); + kdc_audit_addreason((kdc_request_t)r, + "Server has invalid flag set"); return KRB5KDC_ERR_POLICY; } if (!server->flags.server) { - _kdc_audit_addreason((kdc_request_t)r, - "Principal may not act as server"); + kdc_audit_addreason((kdc_request_t)r, + "Principal may not act as server"); return KRB5KDC_ERR_POLICY; } if (!is_as_req && server->flags.initial) { - _kdc_audit_addreason((kdc_request_t)r, - "AS-REQ is required for server"); + kdc_audit_addreason((kdc_request_t)r, + "AS-REQ is required for server"); return KRB5KDC_ERR_POLICY; } @@ -1716,8 +1716,8 @@ kdc_check_flags(astgs_request_t r, char starttime_str[100]; krb5_format_time(r->context, *server->valid_start, starttime_str, sizeof(starttime_str), TRUE); - _kdc_audit_addreason((kdc_request_t)r, "Server not yet valid " - "until %s", starttime_str); + kdc_audit_addreason((kdc_request_t)r, "Server not yet valid " + "until %s", starttime_str); return KRB5KDC_ERR_SERVICE_NOTYET; } @@ -1725,8 +1725,8 @@ kdc_check_flags(astgs_request_t r, char endtime_str[100]; krb5_format_time(r->context, *server->valid_end, endtime_str, sizeof(endtime_str), TRUE); - _kdc_audit_addreason((kdc_request_t)r, "Server expired at %s", - endtime_str); + kdc_audit_addreason((kdc_request_t)r, "Server expired at %s", + endtime_str); return KRB5KDC_ERR_SERVICE_EXP; } @@ -1734,8 +1734,8 @@ kdc_check_flags(astgs_request_t r, char pwend_str[100]; krb5_format_time(r->context, *server->pw_end, pwend_str, sizeof(pwend_str), TRUE); - _kdc_audit_addreason((kdc_request_t)r, "Server's key has expired " - "at %s", pwend_str); + kdc_audit_addreason((kdc_request_t)r, "Server's key has expired " + "at %s", pwend_str); return KRB5KDC_ERR_KEY_EXPIRED; } } @@ -1801,8 +1801,8 @@ krb5_error_code _kdc_check_anon_policy(astgs_request_t r) { if (!r->config->allow_anonymous) { - _kdc_audit_addreason((kdc_request_t)r, - "Anonymous tickets denied by local policy"); + kdc_audit_addreason((kdc_request_t)r, + "Anonymous tickets denied by local policy"); return KRB5KDC_ERR_POLICY; } @@ -1854,8 +1854,8 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey, krb5_const_principal canon_princ = NULL; r->pac_attributes = get_pac_attributes(r->context, &r->req); - _kdc_audit_setkv_number((kdc_request_t)r, "pac_attributes", - r->pac_attributes); + kdc_audit_setkv_number((kdc_request_t)r, "pac_attributes", + r->pac_attributes); if (!_kdc_include_pac_p(r)) return 0; @@ -1903,8 +1903,8 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey, canon_princ = r->canon_client_princ; (void) krb5_unparse_name(r->context, canon_princ, &cpn); - _kdc_audit_addkv((kdc_request_t)r, 0, "canon_client_name", "%s", - cpn ? cpn : ""); + kdc_audit_addkv((kdc_request_t)r, 0, "canon_client_name", "%s", + cpn ? cpn : ""); krb5_xfree(cpn); } @@ -2193,8 +2193,8 @@ _kdc_as_rep(astgs_request_t r) kdc_log(r->context, config, 4, "UNKNOWN -- %s: %s", r->cname, msg); krb5_free_error_message(r->context, msg); ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_CLIENT_UNKNOWN); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_CLIENT_UNKNOWN); goto out; } } @@ -2261,8 +2261,8 @@ _kdc_as_rep(astgs_request_t r) ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; goto out; } - _kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_VIS, "pa", "%s", - pat[n].name); + kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_VIS, "pa", "%s", + pat[n].name); ret = pat[n].validate(r, pa); if (ret != 0) { krb5_error_code ret2; @@ -2270,9 +2270,9 @@ _kdc_as_rep(astgs_request_t r) krb5_boolean default_salt; if (ret != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED && - !_kdc_audit_getkv((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT)) - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_PREAUTH_FAILED); + !kdc_audit_getkv((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT)) + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_PREAUTH_FAILED); /* * If there is a client key, send ETYPE_INFO{,2} @@ -2288,9 +2288,9 @@ _kdc_as_rep(astgs_request_t r) } goto out; } - if (!_kdc_audit_getkv((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT)) - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_PREAUTH_SUCCEEDED); + if (!kdc_audit_getkv((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT)) + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_PREAUTH_SUCCEEDED); kdc_log(r->context, config, 4, "%s pre-authentication succeeded -- %s", pat[n].name, r->cname); @@ -2386,8 +2386,8 @@ _kdc_as_rep(astgs_request_t r) r->et.flags.anonymous = 1; } - _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, - KDC_AUTH_EVENT_CLIENT_AUTHORIZED); + kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, + KDC_AUTH_EVENT_CLIENT_AUTHORIZED); /* * Select the best encryption type for the KDC with out regard to @@ -2486,12 +2486,12 @@ _kdc_as_rep(astgs_request_t r) } if (b->addresses) - _kdc_audit_addaddrs((kdc_request_t)r, b->addresses, "reqaddrs"); + kdc_audit_addaddrs((kdc_request_t)r, b->addresses, "reqaddrs"); /* check for valid set of addresses */ if (!_kdc_check_addresses(r, b->addresses, r->addr)) { if (r->config->warn_ticket_addresses) { - _kdc_audit_setkv_bool((kdc_request_t)r, "wrongaddr", TRUE); + kdc_audit_setkv_bool((kdc_request_t)r, "wrongaddr", TRUE); } else { _kdc_set_e_text(r, "Request from wrong address"); ret = KRB5KRB_AP_ERR_BADADDR; diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c index 8715e2b1e..ee2f68f3b 100644 --- a/kdc/krb5tgs.c +++ b/kdc/krb5tgs.c @@ -211,35 +211,35 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b, if(f.validate){ if (!tgt->flags.invalid || tgt->starttime == NULL) { - _kdc_audit_addreason((kdc_request_t)r, - "Bad request to validate ticket"); + kdc_audit_addreason((kdc_request_t)r, + "Bad request to validate ticket"); return KRB5KDC_ERR_BADOPTION; } if(*tgt->starttime > kdc_time){ - _kdc_audit_addreason((kdc_request_t)r, - "Early request to validate ticket"); + kdc_audit_addreason((kdc_request_t)r, + "Early request to validate ticket"); return KRB5KRB_AP_ERR_TKT_NYV; } /* XXX tkt = tgt */ et->flags.invalid = 0; } else if (tgt->flags.invalid) { - _kdc_audit_addreason((kdc_request_t)r, - "Ticket-granting ticket has INVALID flag set"); + kdc_audit_addreason((kdc_request_t)r, + "Ticket-granting ticket has INVALID flag set"); return KRB5KRB_AP_ERR_TKT_INVALID; } if(f.forwardable){ if (!tgt->flags.forwardable) { - _kdc_audit_addreason((kdc_request_t)r, - "Bad request for forwardable ticket"); + kdc_audit_addreason((kdc_request_t)r, + "Bad request for forwardable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.forwardable = 1; } if(f.forwarded){ if (!tgt->flags.forwardable) { - _kdc_audit_addreason((kdc_request_t)r, - "Request to forward non-forwardable ticket"); + kdc_audit_addreason((kdc_request_t)r, + "Request to forward non-forwardable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.forwarded = 1; @@ -250,16 +250,16 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b, if(f.proxiable){ if (!tgt->flags.proxiable) { - _kdc_audit_addreason((kdc_request_t)r, - "Bad request for proxiable ticket"); + kdc_audit_addreason((kdc_request_t)r, + "Bad request for proxiable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.proxiable = 1; } if(f.proxy){ if (!tgt->flags.proxiable) { - _kdc_audit_addreason((kdc_request_t)r, - "Request to proxy non-proxiable ticket"); + kdc_audit_addreason((kdc_request_t)r, + "Request to proxy non-proxiable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.proxy = 1; @@ -270,16 +270,16 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b, if(f.allow_postdate){ if (!tgt->flags.may_postdate) { - _kdc_audit_addreason((kdc_request_t)r, - "Bad request for post-datable ticket"); + kdc_audit_addreason((kdc_request_t)r, + "Bad request for post-datable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.may_postdate = 1; } if(f.postdated){ if (!tgt->flags.may_postdate) { - _kdc_audit_addreason((kdc_request_t)r, - "Bad request for postdated ticket"); + kdc_audit_addreason((kdc_request_t)r, + "Bad request for postdated ticket"); return KRB5KDC_ERR_BADOPTION; } if(b->from) @@ -287,15 +287,15 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b, et->flags.postdated = 1; et->flags.invalid = 1; } else if (b->from && *b->from > kdc_time + r->context->max_skew) { - _kdc_audit_addreason((kdc_request_t)r, - "Ticket cannot be postdated"); + kdc_audit_addreason((kdc_request_t)r, + "Ticket cannot be postdated"); return KRB5KDC_ERR_CANNOT_POSTDATE; } if(f.renewable){ if (!tgt->flags.renewable || tgt->renew_till == NULL) { - _kdc_audit_addreason((kdc_request_t)r, - "Bad request for renewable ticket"); + kdc_audit_addreason((kdc_request_t)r, + "Bad request for renewable ticket"); return KRB5KDC_ERR_BADOPTION; } et->flags.renewable = 1; @@ -306,8 +306,8 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b, if(f.renew){ time_t old_life; if (!tgt->flags.renewable || tgt->renew_till == NULL) { - _kdc_audit_addreason((kdc_request_t)r, - "Request to renew non-renewable ticket"); + kdc_audit_addreason((kdc_request_t)r, + "Request to renew non-renewable ticket"); return KRB5KDC_ERR_BADOPTION; } old_life = tgt->endtime; @@ -326,8 +326,8 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b, */ if (tgt->flags.anonymous && !_kdc_is_anonymous(r->context, tgt_name)) { - _kdc_audit_addreason((kdc_request_t)r, - "Anonymous ticket flag set without " + kdc_audit_addreason((kdc_request_t)r, + "Anonymous ticket flag set without " "anonymous principal"); return KRB5KDC_ERR_BADOPTION; } @@ -740,8 +740,8 @@ tgs_make_reply(astgs_request_t r, char *cpn; (void) krb5_unparse_name(r->context, r->canon_client_princ, &cpn); - _kdc_audit_addkv((kdc_request_t)r, 0, "canon_client_name", "%s", - cpn ? cpn : ""); + kdc_audit_addkv((kdc_request_t)r, 0, "canon_client_name", "%s", + cpn ? cpn : ""); krb5_xfree(cpn); } @@ -752,8 +752,8 @@ tgs_make_reply(astgs_request_t r, * is implementation dependent. */ if (r->pac && !et->flags.anonymous) { - _kdc_audit_setkv_number((kdc_request_t)r, "pac_attributes", - r->pac_attributes); + kdc_audit_setkv_number((kdc_request_t)r, "pac_attributes", + r->pac_attributes); /* * PACs are included when issuing TGTs, if there is no PAC_ATTRIBUTES @@ -1059,10 +1059,10 @@ next_kvno: &r->ticket, KRB5_KU_TGS_REQ_AUTH); if (r->ticket && r->ticket->ticket.caddr) - _kdc_audit_addaddrs((kdc_request_t)r, r->ticket->ticket.caddr, "tixaddrs"); + kdc_audit_addaddrs((kdc_request_t)r, r->ticket->ticket.caddr, "tixaddrs"); if (r->config->warn_ticket_addresses && ret == KRB5KRB_AP_ERR_BADADDR && r->ticket != NULL) { - _kdc_audit_setkv_bool((kdc_request_t)r, "wrongaddr", TRUE); + kdc_audit_setkv_bool((kdc_request_t)r, "wrongaddr", TRUE); ret = 0; } if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && kvno_search_tries > 0) { @@ -1454,7 +1454,7 @@ server_lookup: priv->serverdb = serverdb; if (ret == HDB_ERR_NOT_FOUND_HERE) { kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", spn); - _kdc_audit_addreason((kdc_request_t)priv, "Target not found here"); + kdc_audit_addreason((kdc_request_t)priv, "Target not found here"); goto out; } else if (ret == HDB_ERR_WRONG_REALM) { free(ref_realm); @@ -1505,8 +1505,8 @@ server_lookup: req_rlm, TRUE, &capath, &num_capath); if (ret2) { ret = ret2; - _kdc_audit_addreason((kdc_request_t)priv, - "No trusted path from client realm to ours"); + kdc_audit_addreason((kdc_request_t)priv, + "No trusted path from client realm to ours"); goto out; } } @@ -1568,8 +1568,8 @@ server_lookup: krb5_free_error_message(context, msg); if (ret == HDB_ERR_NOENTRY) ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - _kdc_audit_addreason((kdc_request_t)priv, - "Service principal unknown"); + kdc_audit_addreason((kdc_request_t)priv, + "Service principal unknown"); goto out; } @@ -1649,16 +1649,16 @@ server_lookup: ret = KRB5KDC_ERR_BADOPTION; /* ? */ kdc_log(context, config, 4, "No second ticket present in user-to-user request"); - _kdc_audit_addreason((kdc_request_t)priv, - "No second ticket present in user-to-user request"); + kdc_audit_addreason((kdc_request_t)priv, + "No second ticket present in user-to-user request"); goto out; } t = &b->additional_tickets->val[0]; if(!get_krbtgt_realm(&t->sname)){ kdc_log(context, config, 4, "Additional ticket is not a ticket-granting ticket"); - _kdc_audit_addreason((kdc_request_t)priv, - "Additional ticket is not a ticket-granting ticket"); + kdc_audit_addreason((kdc_request_t)priv, + "Additional ticket is not a ticket-granting ticket"); ret = KRB5KDC_ERR_POLICY; goto out; } @@ -1680,8 +1680,8 @@ server_lookup: if(ret){ if (ret == HDB_ERR_NOENTRY) ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - _kdc_audit_addreason((kdc_request_t)priv, - "User-to-user service principal (TGS) unknown"); + kdc_audit_addreason((kdc_request_t)priv, + "User-to-user service principal (TGS) unknown"); krb5_xfree(tpn); goto out; } @@ -1689,23 +1689,23 @@ server_lookup: t->enc_part.etype, &uukey); if(ret){ ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */ - _kdc_audit_addreason((kdc_request_t)priv, - "User-to-user enctype not supported"); + kdc_audit_addreason((kdc_request_t)priv, + "User-to-user enctype not supported"); krb5_xfree(tpn); goto out; } ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0); if(ret) { - _kdc_audit_addreason((kdc_request_t)priv, - "User-to-user TGT decrypt failure"); + kdc_audit_addreason((kdc_request_t)priv, + "User-to-user TGT decrypt failure"); krb5_xfree(tpn); goto out; } ret = _kdc_verify_flags(context, config, &adtkt, tpn); if (ret) { - _kdc_audit_addreason((kdc_request_t)priv, - "User-to-user TGT expired or invalid"); + kdc_audit_addreason((kdc_request_t)priv, + "User-to-user TGT expired or invalid"); krb5_xfree(tpn); goto out; } @@ -1803,8 +1803,8 @@ server_lookup: "Addition ticket have not matching etypes"); krb5_clear_error_message(context); ret = KRB5KDC_ERR_ETYPE_NOSUPP; - _kdc_audit_addreason((kdc_request_t)priv, - "No matching enctypes for 2nd ticket"); + kdc_audit_addreason((kdc_request_t)priv, + "No matching enctypes for 2nd ticket"); goto out; } etype = b->etype.val[i]; @@ -1819,8 +1819,8 @@ server_lookup: if(ret) { kdc_log(context, config, 4, "Server (%s) has no support for etypes", spn); - _kdc_audit_addreason((kdc_request_t)priv, - "Enctype not supported"); + kdc_audit_addreason((kdc_request_t)priv, + "Enctype not supported"); goto out; } ret = _kdc_get_preferred_key(context, config, server, spn, @@ -1828,8 +1828,8 @@ server_lookup: if(ret) { kdc_log(context, config, 4, "Server (%s) has no supported etypes", spn); - _kdc_audit_addreason((kdc_request_t)priv, - "Enctype not supported"); + kdc_audit_addreason((kdc_request_t)priv, + "Enctype not supported"); goto out; } ekey = &skey->key; @@ -1864,7 +1864,7 @@ server_lookup: if(ret == 0) free(ktpn); ret = KRB5KRB_AP_ERR_NOT_US; - _kdc_audit_addreason((kdc_request_t)priv, "Request with wrong TGT"); + kdc_audit_addreason((kdc_request_t)priv, "Request with wrong TGT"); goto out; } @@ -1873,8 +1873,8 @@ server_lookup: if (ret) { kdc_log(context, config, 4, "Failed to find key for krbtgt PAC signature"); - _kdc_audit_addreason((kdc_request_t)priv, - "Failed to find key for krbtgt PAC signature"); + kdc_audit_addreason((kdc_request_t)priv, + "Failed to find key for krbtgt PAC signature"); goto out; } ret = hdb_enctype2key(context, krbtgt_out, NULL, @@ -1882,8 +1882,8 @@ server_lookup: if(ret) { kdc_log(context, config, 4, "Failed to find key for krbtgt PAC signature"); - _kdc_audit_addreason((kdc_request_t)priv, - "Failed to find key for krbtgt PAC signature"); + kdc_audit_addreason((kdc_request_t)priv, + "Failed to find key for krbtgt PAC signature"); goto out; } @@ -1906,7 +1906,7 @@ server_lookup: &priv->pac_attributes); if (ret) { const char *msg = krb5_get_error_message(context, ret); - _kdc_audit_addreason((kdc_request_t)priv, "PAC check failed"); + kdc_audit_addreason((kdc_request_t)priv, "PAC check failed"); kdc_log(context, config, 4, "Verify PAC failed for %s (%s) from %s with %s", spn, cpn, from, msg); @@ -1938,7 +1938,7 @@ server_lookup: !krb5_principal_compare(context, priv->krbtgt->principal, priv->server->principal)){ - _kdc_audit_addreason((kdc_request_t)priv, "Inconsistent request"); + kdc_audit_addreason((kdc_request_t)priv, "Inconsistent request"); kdc_log(context, config, 4, "Inconsistent request."); ret = KRB5KDC_ERR_SERVER_NOMATCH; goto out; @@ -1948,12 +1948,12 @@ server_lookup: if (!_kdc_check_addresses(priv, tgt->caddr, from_addr)) { if (config->check_ticket_addresses) { ret = KRB5KRB_AP_ERR_BADADDR; - _kdc_audit_setkv_bool((kdc_request_t)priv, "wrongaddr", TRUE); + kdc_audit_setkv_bool((kdc_request_t)priv, "wrongaddr", TRUE); kdc_log(context, config, 4, "Request from wrong address"); - _kdc_audit_addreason((kdc_request_t)priv, "Request from wrong address"); + kdc_audit_addreason((kdc_request_t)priv, "Request from wrong address"); goto out; } else if (config->warn_ticket_addresses) { - _kdc_audit_setkv_bool((kdc_request_t)priv, "wrongaddr", TRUE); + kdc_audit_setkv_bool((kdc_request_t)priv, "wrongaddr", TRUE); } } @@ -1983,7 +1983,7 @@ server_lookup: NULL, s, &pa.padata_value); krb5_crypto_destroy(context, crypto); if (ret) { - _kdc_audit_addreason((kdc_request_t)priv, "Referral build failed"); + kdc_audit_addreason((kdc_request_t)priv, "Referral build failed"); kdc_log(context, config, 4, "Failed building server referral"); goto out; diff --git a/kdc/kx509.c b/kdc/kx509.c index 5dba3c0a1..6efd94e3a 100644 --- a/kdc/kx509.c +++ b/kdc/kx509.c @@ -305,8 +305,8 @@ kdc_kx509_verify_service_principal(krb5_context context, KRB5_TGS_NAME) == 0) { const char *r = krb5_principal_get_comp_string(context, sprincipal, 1); if ((ret = is_local_realm(context, reqctx, r))) - _kdc_audit_addreason((kdc_request_t)reqctx, - "Client used wrong krbtgt for kx509"); + kdc_audit_addreason((kdc_request_t)reqctx, + "Client used wrong krbtgt for kx509"); goto out; } @@ -315,8 +315,8 @@ kdc_kx509_verify_service_principal(krb5_context context, if (ret != 0) { ret = errno; kdc_log(context, reqctx->config, 0, "Failed to get local hostname"); - _kdc_audit_addreason((kdc_request_t)reqctx, - "Failed to get local hostname"); + kdc_audit_addreason((kdc_request_t)reqctx, + "Failed to get local hostname"); return ret; } localhost[sizeof(localhost) - 1] = '\0'; @@ -335,8 +335,8 @@ err: goto out; ret = KRB5KDC_ERR_SERVER_NOMATCH; - _kdc_audit_addreason((kdc_request_t)reqctx, "Client used wrong kx509 " - "service principal (expected %s)", expected); + kdc_audit_addreason((kdc_request_t)reqctx, "Client used wrong kx509 " + "service principal (expected %s)", expected); out: krb5_xfree(expected); @@ -400,7 +400,7 @@ mk_error_response(krb5_context context, } va_start(ap, fmt); - _kdc_audit_vaddreason((kdc_request_t)reqctx, fmt, ap); + kdc_audit_vaddreason((kdc_request_t)reqctx, fmt, ap); va_end(ap); } @@ -545,9 +545,9 @@ update_csr(krb5_context context, kx509_req_context reqctx, Extensions *exts) const char *emsg = krb5_get_error_message(context, ret); kdc_log(context, reqctx->config, 1, "Error handling requested extensions: %s", emsg); - _kdc_audit_addreason((kdc_request_t)reqctx, - "Error handling requested extensions: %s", - emsg); + kdc_audit_addreason((kdc_request_t)reqctx, + "Error handling requested extensions: %s", + emsg); krb5_free_error_message(context, emsg); } return ret; @@ -581,7 +581,7 @@ get_csr(krb5_context context, kx509_req_context reqctx) */ if (ret == 0) return update_csr(context, reqctx, reqctx->csr_plus.exts); - _kdc_audit_addreason((kdc_request_t)reqctx, "Invalid CSR"); + kdc_audit_addreason((kdc_request_t)reqctx, "Invalid CSR"); return ret; } reqctx->send_chain = 0; @@ -589,8 +589,8 @@ get_csr(krb5_context context, kx509_req_context reqctx) /* Check if proof of possession is required by configuration */ if (!get_bool_param(context, FALSE, reqctx->realm, "require_csr")) { - _kdc_audit_addreason((kdc_request_t)reqctx, - "CSRs required but client did not send one"); + kdc_audit_addreason((kdc_request_t)reqctx, + "CSRs required but client did not send one"); krb5_set_error_message(context, KX509_STATUS_CLIENT_USE_CSR, "CSRs required but kx509 client did not send " "one"); @@ -608,14 +608,14 @@ get_csr(krb5_context context, kx509_req_context reqctx) /* Not an RSAPublicKey or garbage follows it */ if (ret == 0) { ret = KRB5KDC_ERR_NULL_KEY; - _kdc_audit_addreason((kdc_request_t)reqctx, - "Request has garbage after key"); + kdc_audit_addreason((kdc_request_t)reqctx, + "Request has garbage after key"); krb5_set_error_message(context, ret, "Request has garbage after key"); return ret; } - _kdc_audit_addreason((kdc_request_t)reqctx, - "Could not decode CSR or RSA subject public key"); + kdc_audit_addreason((kdc_request_t)reqctx, + "Could not decode CSR or RSA subject public key"); krb5_set_error_message(context, ret, "Could not decode CSR or RSA subject public key"); return ret; @@ -675,7 +675,7 @@ check_authz(krb5_context context, ret = kdc_authorize_csr(context, reqctx->config->app, reqctx->csr, cprincipal); if (ret == 0) { - _kdc_audit_setkv_bool((kdc_request_t)reqctx, "authorized", TRUE); + kdc_audit_setkv_bool((kdc_request_t)reqctx, "authorized", TRUE); ret = hx509_request_get_san(reqctx->csr, 0, &san_type, &s); if (ret == 0) { @@ -692,19 +692,19 @@ check_authz(krb5_context context, case HX509_SAN_TYPE_MS_UPN: san_type_s = "ms-UPN"; break; default: san_type_s = "unknown"; break; } - _kdc_audit_addkv((kdc_request_t)reqctx, 0, "san0_type", "%s", - san_type_s); - _kdc_audit_addkv((kdc_request_t)reqctx, 0, "san0", "%s", s); + kdc_audit_addkv((kdc_request_t)reqctx, 0, "san0_type", "%s", + san_type_s); + kdc_audit_addkv((kdc_request_t)reqctx, 0, "san0", "%s", s); } frees(&s); ret = hx509_request_get_eku(reqctx->csr, 0, &s); if (ret == 0) - _kdc_audit_addkv((kdc_request_t)reqctx, 0, "eku0", "%s", s); + kdc_audit_addkv((kdc_request_t)reqctx, 0, "eku0", "%s", s); free(s); return 0; } if (ret != KRB5_PLUGIN_NO_HANDLE) { - _kdc_audit_addreason((kdc_request_t)reqctx, + kdc_audit_addreason((kdc_request_t)reqctx, "Requested extensions rejected by plugin"); return ret; } @@ -724,27 +724,27 @@ check_authz(krb5_context context, if (ncomp != 2 || strcasecmp(comp1, s) != 0 || strchr(s, '.') == NULL || !check_authz_svc_ok(context, comp0)) { - _kdc_audit_addreason((kdc_request_t)reqctx, - "Requested extensions rejected by " - "default policy (dNSName SAN " - "does not match client)"); + kdc_audit_addreason((kdc_request_t)reqctx, + "Requested extensions rejected by " + "default policy (dNSName SAN " + "does not match client)"); goto eacces; } break; case HX509_SAN_TYPE_PKINIT: if (strcmp(cprinc, s) != 0) { - _kdc_audit_addreason((kdc_request_t)reqctx, - "Requested extensions rejected by " - "default policy (PKINIT SAN " - "does not match client)"); + kdc_audit_addreason((kdc_request_t)reqctx, + "Requested extensions rejected by " + "default policy (PKINIT SAN " + "does not match client)"); goto eacces; } break; default: - _kdc_audit_addreason((kdc_request_t)reqctx, - "Requested extensions rejected by " - "default policy (non-default SAN " - "requested)"); + kdc_audit_addreason((kdc_request_t)reqctx, + "Requested extensions rejected by " + "default policy (non-default SAN " + "requested)"); goto eacces; } } @@ -772,8 +772,8 @@ check_authz(krb5_context context, } der_free_oid(&oid); if (k == sizeof(eku_whitelist)/sizeof(eku_whitelist[0])) { - _kdc_audit_addreason((kdc_request_t)reqctx, - "Requested EKU rejected by default policy"); + kdc_audit_addreason((kdc_request_t)reqctx, + "Requested EKU rejected by default policy"); goto eacces; } } @@ -791,7 +791,7 @@ check_authz(krb5_context context, if (KeyUsage2int(ku) != (KeyUsage2int(ku) & KeyUsage2int(ku_allowed))) goto eacces; - _kdc_audit_setkv_bool((kdc_request_t)reqctx, "authorized", TRUE); + kdc_audit_setkv_bool((kdc_request_t)reqctx, "authorized", TRUE); free(cprinc); return 0; @@ -801,7 +801,7 @@ eacces: out: /* XXX Display error code */ - _kdc_audit_addreason((kdc_request_t)reqctx, + kdc_audit_addreason((kdc_request_t)reqctx, "Error handling requested extensions"); out2: free(cprinc); @@ -891,7 +891,7 @@ _kdc_do_kx509(kx509_req_context r) * possibly change the error code and message. */ is_probe = 1; - _kdc_audit_addkv((kdc_request_t)r, 0, "probe", "unauthenticated"); + kdc_audit_addkv((kdc_request_t)r, 0, "probe", "unauthenticated"); ret = mk_error_response(r->context, r, 4, 0, "kx509 service is available"); goto out; @@ -974,7 +974,7 @@ _kdc_do_kx509(kx509_req_context r) * possibly change the error code and message. */ is_probe = 1; - _kdc_audit_addkv((kdc_request_t)r, 0, "probe", "authenticated"); + kdc_audit_addkv((kdc_request_t)r, 0, "probe", "authenticated"); ret = mk_error_response(r->context, r, 4, 0, "kx509 authenticated probe request"); goto out; @@ -1049,14 +1049,14 @@ _kdc_do_kx509(kx509_req_context r) ret = encode_reply(r->context, r, &rep); if (ret) /* Can't send an error message either in this case, surely */ - _kdc_audit_addreason((kdc_request_t)r, "Could not encode response"); + kdc_audit_addreason((kdc_request_t)r, "Could not encode response"); out: hx509_certs_free(&certs); if (ret == 0 && !is_probe) - _kdc_audit_setkv_bool((kdc_request_t)r, "cert_issued", TRUE); + kdc_audit_setkv_bool((kdc_request_t)r, "cert_issued", TRUE); else - _kdc_audit_setkv_bool((kdc_request_t)r, "cert_issued", FALSE); + kdc_audit_setkv_bool((kdc_request_t)r, "cert_issued", FALSE); if (r->ac) krb5_auth_con_free(r->context, r->ac); if (ticket) diff --git a/kdc/libkdc-exports.def b/kdc/libkdc-exports.def index 79c24714b..4421acc04 100644 --- a/kdc/libkdc-exports.def +++ b/kdc/libkdc-exports.def @@ -21,19 +21,19 @@ EXPORTS kdc_request_get_attribute kdc_request_copy_attribute kdc_request_delete_attribute - _kdc_audit_addkv - _kdc_audit_addkv_number - _kdc_audit_addkv_object - _kdc_audit_addkv_timediff - _kdc_audit_addaddrs - _kdc_audit_addreason - _kdc_audit_getkv - _kdc_audit_setkv_bool - _kdc_audit_setkv_number - _kdc_audit_setkv_object + kdc_audit_addkv + kdc_audit_addkv_number + kdc_audit_addkv_object + kdc_audit_addkv_timediff + kdc_audit_addaddrs + kdc_audit_addreason + kdc_audit_getkv + kdc_audit_setkv_bool + kdc_audit_setkv_number + kdc_audit_setkv_object + kdc_audit_vaddkv + kdc_audit_vaddreason _kdc_audit_trail - _kdc_audit_vaddkv - _kdc_audit_vaddreason ; needed for digest-service _kdc_db_fetch diff --git a/kdc/mssfu.c b/kdc/mssfu.c index 877b11d05..dada92e0e 100644 --- a/kdc/mssfu.c +++ b/kdc/mssfu.c @@ -168,15 +168,15 @@ validate_protocol_transition(astgs_request_t r) sdata->padata_value.length, &self, NULL); if (ret) { - _kdc_audit_addreason((kdc_request_t)r, - "Failed to decode PA-S4U2Self"); + kdc_audit_addreason((kdc_request_t)r, + "Failed to decode PA-S4U2Self"); kdc_log(r->context, r->config, 4, "Failed to decode PA-S4U2Self"); goto out; } if (!krb5_checksum_is_keyed(r->context, self.cksum.cksumtype)) { - _kdc_audit_addreason((kdc_request_t)r, - "PA-S4U2Self with unkeyed checksum"); + kdc_audit_addreason((kdc_request_t)r, + "PA-S4U2Self with unkeyed checksum"); kdc_log(r->context, r->config, 4, "Reject PA-S4U2Self with unkeyed checksum"); ret = KRB5KRB_AP_ERR_INAPP_CKSUM; goto out; @@ -225,8 +225,8 @@ validate_protocol_transition(astgs_request_t r) krb5_crypto_destroy(r->context, crypto); if (ret) { const char *msg = krb5_get_error_message(r->context, ret); - _kdc_audit_addreason((kdc_request_t)r, - "S4U2Self checksum failed"); + kdc_audit_addreason((kdc_request_t)r, + "S4U2Self checksum failed"); kdc_log(r->context, r->config, 4, "krb5_verify_checksum failed for S4U2Self: %s", msg); krb5_free_error_message(r->context, msg); @@ -262,8 +262,8 @@ validate_protocol_transition(astgs_request_t r) if (ret == HDB_ERR_NOENTRY) ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; msg = krb5_get_error_message(r->context, ret); - _kdc_audit_addreason((kdc_request_t)r, - "S4U2Self principal to impersonate not found"); + kdc_audit_addreason((kdc_request_t)r, + "S4U2Self principal to impersonate not found"); kdc_log(r->context, r->config, 2, "S4U2Self principal to impersonate %s not found in database: %s", s4ucname, msg); @@ -281,7 +281,7 @@ validate_protocol_transition(astgs_request_t r) ret = kdc_check_flags(r, FALSE, s4u_client, r->server); if (ret) - goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */ + goto out; /* kdc_check_flags() calls kdc_audit_addreason() */ ret = _kdc_pac_generate(r->context, r->config, @@ -397,7 +397,7 @@ validate_constrained_delegation(astgs_request_t r) */ if (r->pac == NULL) { ret = KRB5KDC_ERR_BADOPTION; - _kdc_audit_addreason((kdc_request_t)r, "Missing PAC"); + kdc_audit_addreason((kdc_request_t)r, "Missing PAC"); kdc_log(r->context, r->config, 4, "Constrained delegation without PAC, %s/%s", r->cname, r->sname); @@ -417,8 +417,8 @@ validate_constrained_delegation(astgs_request_t r) ret = krb5_decrypt_ticket(r->context, t, &clientkey->key, &evidence_tkt, 0); if (ret) { - _kdc_audit_addreason((kdc_request_t)r, - "Failed to decrypt constrained delegation ticket"); + kdc_audit_addreason((kdc_request_t)r, + "Failed to decrypt constrained delegation ticket"); kdc_log(r->context, r->config, 4, "failed to decrypt ticket for " "constrained delegation from %s to %s ", r->cname, r->sname); @@ -436,7 +436,7 @@ validate_constrained_delegation(astgs_request_t r) if (ret) goto out; - _kdc_audit_addkv((kdc_request_t)r, 0, "impersonatee", "%s", s4ucname); + kdc_audit_addkv((kdc_request_t)r, 0, "impersonatee", "%s", s4ucname); ret = _krb5_principalname2krb5_principal(r->context, &s4u_server_name, @@ -451,8 +451,8 @@ validate_constrained_delegation(astgs_request_t r) /* check that ticket is valid */ if (evidence_tkt.flags.forwardable == 0) { - _kdc_audit_addreason((kdc_request_t)r, - "Missing forwardable flag on ticket for constrained delegation"); + kdc_audit_addreason((kdc_request_t)r, + "Missing forwardable flag on ticket for constrained delegation"); kdc_log(r->context, r->config, 4, "Missing forwardable flag on ticket for " "constrained delegation from %s (%s) as %s to %s ", @@ -464,8 +464,8 @@ validate_constrained_delegation(astgs_request_t r) ret = check_constrained_delegation(r->context, r->config, r->clientdb, r->client, r->server, r->server_princ); if (ret) { - _kdc_audit_addreason((kdc_request_t)r, - "Constrained delegation not allowed"); + kdc_audit_addreason((kdc_request_t)r, + "Constrained delegation not allowed"); kdc_log(r->context, r->config, 4, "constrained delegation from %s (%s) as %s to %s not allowed", r->cname, s4usname, s4ucname, r->sname); @@ -474,8 +474,8 @@ validate_constrained_delegation(astgs_request_t r) ret = _kdc_verify_flags(r->context, r->config, &evidence_tkt, s4ucname); if (ret) { - _kdc_audit_addreason((kdc_request_t)r, - "Constrained delegation ticket expired or invalid"); + kdc_audit_addreason((kdc_request_t)r, + "Constrained delegation ticket expired or invalid"); goto out; } @@ -503,8 +503,8 @@ validate_constrained_delegation(astgs_request_t r) &s4u_canon_client_name, &s4u_pac_attributes); if (ret) { const char *msg = krb5_get_error_message(r->context, ret); - _kdc_audit_addreason((kdc_request_t)r, - "Constrained delegation ticket PAC check failed"); + kdc_audit_addreason((kdc_request_t)r, + "Constrained delegation ticket PAC check failed"); kdc_log(r->context, r->config, 4, "Verify delegated PAC failed to %s for client" "%s (%s) as %s from %s with %s", @@ -520,8 +520,8 @@ validate_constrained_delegation(astgs_request_t r) "for delegation to %s for client %s (%s) from %s; (%s).", r->sname, s4ucname, s4usname, r->cname, r->from, s4u_pac ? "Ticket unsigned" : "No PAC"); - _kdc_audit_addreason((kdc_request_t)r, - "Constrained delegation ticket not signed"); + kdc_audit_addreason((kdc_request_t)r, + "Constrained delegation ticket not signed"); goto out; } diff --git a/kdc/process.c b/kdc/process.c index f1fed9a5c..6098fbc88 100644 --- a/kdc/process.c +++ b/kdc/process.c @@ -43,14 +43,14 @@ #define __attribute__(x) KDC_LIB_FUNCTION void KDC_LIB_CALL -_kdc_audit_vaddreason(kdc_request_t r, const char *fmt, va_list ap) +kdc_audit_vaddreason(kdc_request_t r, const char *fmt, va_list ap) __attribute__ ((__format__ (__printf__, 2, 0))) { heim_audit_vaddreason((heim_svc_req_desc)r, fmt, ap); } KDC_LIB_FUNCTION void KDC_LIB_CALL -_kdc_audit_addreason(kdc_request_t r, const char *fmt, ...) +kdc_audit_addreason(kdc_request_t r, const char *fmt, ...) __attribute__ ((__format__ (__printf__, 2, 3))) { va_list ap; @@ -67,7 +67,7 @@ _kdc_audit_addreason(kdc_request_t r, const char *fmt, ...) */ KDC_LIB_FUNCTION void KDC_LIB_CALL -_kdc_audit_vaddkv(kdc_request_t r, int flags, const char *k, +kdc_audit_vaddkv(kdc_request_t r, int flags, const char *k, const char *fmt, va_list ap) __attribute__ ((__format__ (__printf__, 4, 0))) { @@ -75,7 +75,7 @@ _kdc_audit_vaddkv(kdc_request_t r, int flags, const char *k, } KDC_LIB_FUNCTION void KDC_LIB_CALL -_kdc_audit_addkv(kdc_request_t r, int flags, const char *k, +kdc_audit_addkv(kdc_request_t r, int flags, const char *k, const char *fmt, ...) __attribute__ ((__format__ (__printf__, 4, 5))) { @@ -87,7 +87,7 @@ _kdc_audit_addkv(kdc_request_t r, int flags, const char *k, } KDC_LIB_FUNCTION void KDC_LIB_CALL -_kdc_audit_addkv_timediff(kdc_request_t r, const char *k, +kdc_audit_addkv_timediff(kdc_request_t r, const char *k, const struct timeval *start, const struct timeval *end) { @@ -95,37 +95,37 @@ _kdc_audit_addkv_timediff(kdc_request_t r, const char *k, } KDC_LIB_FUNCTION void KDC_LIB_CALL -_kdc_audit_setkv_bool(kdc_request_t r, const char *k, krb5_boolean v) +kdc_audit_setkv_bool(kdc_request_t r, const char *k, krb5_boolean v) { heim_audit_setkv_bool((heim_svc_req_desc)r, k, (int)v); } KDC_LIB_FUNCTION void KDC_LIB_CALL -_kdc_audit_addkv_number(kdc_request_t r, const char *k, int64_t v) +kdc_audit_addkv_number(kdc_request_t r, const char *k, int64_t v) { heim_audit_addkv_number((heim_svc_req_desc)r, k, v); } KDC_LIB_FUNCTION void KDC_LIB_CALL -_kdc_audit_setkv_number(kdc_request_t r, const char *k, int64_t v) +kdc_audit_setkv_number(kdc_request_t r, const char *k, int64_t v) { heim_audit_setkv_number((heim_svc_req_desc)r, k, v); } KDC_LIB_FUNCTION void KDC_LIB_CALL -_kdc_audit_addkv_object(kdc_request_t r, const char *k, heim_object_t obj) +kdc_audit_addkv_object(kdc_request_t r, const char *k, heim_object_t obj) { heim_audit_addkv_object((heim_svc_req_desc)r, k, obj); } KDC_LIB_FUNCTION void KDC_LIB_CALL -_kdc_audit_setkv_object(kdc_request_t r, const char *k, heim_object_t obj) +kdc_audit_setkv_object(kdc_request_t r, const char *k, heim_object_t obj) { heim_audit_setkv_object((heim_svc_req_desc)r, k, obj); } KDC_LIB_FUNCTION heim_object_t KDC_LIB_CALL -_kdc_audit_getkv(kdc_request_t r, const char *k) +kdc_audit_getkv(kdc_request_t r, const char *k) { return heim_audit_getkv((heim_svc_req_desc)r, k); } @@ -135,7 +135,7 @@ _kdc_audit_getkv(kdc_request_t r, const char *k) * PA-TGS ticket or whatever. */ KDC_LIB_FUNCTION void KDC_LIB_CALL -_kdc_audit_addaddrs(kdc_request_t r, HostAddresses *a, const char *key) +kdc_audit_addaddrs(kdc_request_t r, HostAddresses *a, const char *key) { size_t i; char buf[128]; @@ -145,12 +145,12 @@ _kdc_audit_addaddrs(kdc_request_t r, HostAddresses *a, const char *key) if (snprintf(numkey, sizeof(numkey), "num%s", key) >= sizeof(numkey)) numkey[31] = '\0'; - _kdc_audit_addkv(r, 0, numkey, "%llu", (unsigned long long)a->len); + kdc_audit_addkv(r, 0, numkey, "%llu", (unsigned long long)a->len); } for (i = 0; i < 3 && i < a->len; i++) { if (krb5_print_address(&a->val[i], buf, sizeof(buf), NULL) == 0) - _kdc_audit_addkv(r, 0, key, "%s", buf); + kdc_audit_addkv(r, 0, key, "%s", buf); } } diff --git a/kdc/version-script.map b/kdc/version-script.map index 1b07f2cf5..8c584b38c 100644 --- a/kdc/version-script.map +++ b/kdc/version-script.map @@ -24,19 +24,19 @@ HEIMDAL_KDC_1.0 { kdc_request_get_attribute; kdc_request_copy_attribute; kdc_request_delete_attribute; - _kdc_audit_addkv; - _kdc_audit_addkv_number; - _kdc_audit_addkv_object; - _kdc_audit_addkv_timediff; - _kdc_audit_addaddrs; - _kdc_audit_addreason; - _kdc_audit_getkv; - _kdc_audit_setkv_bool; - _kdc_audit_setkv_number; - _kdc_audit_setkv_object; + kdc_audit_addkv; + kdc_audit_addkv_number; + kdc_audit_addkv_object; + kdc_audit_addkv_timediff; + kdc_audit_addaddrs; + kdc_audit_addreason; + kdc_audit_getkv; + kdc_audit_setkv_bool; + kdc_audit_setkv_number; + kdc_audit_setkv_object; + kdc_audit_vaddkv; + kdc_audit_vaddreason; _kdc_audit_trail; - _kdc_audit_vaddkv; - _kdc_audit_vaddreason; # needed for digest-service _kdc_db_fetch;