kdc: make auditing API public
Samba plugins will need to use auditing API without including krb5-private.h, so make the auditing APIs public.
This commit is contained in:
Luke Howard
@@ -596,8 +596,8 @@ fast_unwrap_request(astgs_request_t r,
|
|||||||
&r->armor_ticket->ticket,
|
&r->armor_ticket->ticket,
|
||||||
armor_server_principal_name);
|
armor_server_principal_name);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Armor TGT expired or invalid");
|
"Armor TGT expired or invalid");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ticket = r->armor_ticket;
|
ticket = r->armor_ticket;
|
||||||
@@ -608,8 +608,8 @@ fast_unwrap_request(astgs_request_t r,
|
|||||||
}
|
}
|
||||||
|
|
||||||
krb5_unparse_name(r->context, ticket->client, &armor_client_principal_name);
|
krb5_unparse_name(r->context, ticket->client, &armor_client_principal_name);
|
||||||
_kdc_audit_addkv((kdc_request_t)r, 0, "armor_client_name", "%s",
|
kdc_audit_addkv((kdc_request_t)r, 0, "armor_client_name", "%s",
|
||||||
armor_client_principal_name ? armor_client_principal_name : "<unknown>");
|
armor_client_principal_name ? armor_client_principal_name : "<unknown>");
|
||||||
|
|
||||||
if (ac->remote_subkey == NULL) {
|
if (ac->remote_subkey == NULL) {
|
||||||
krb5_auth_con_free(r->context, ac);
|
krb5_auth_con_free(r->context, ac);
|
||||||
|
|||||||
170
kdc/kerberos5.c
170
kdc/kerberos5.c
@@ -459,13 +459,13 @@ _kdc_log_timestamp(astgs_request_t r, const char *type,
|
|||||||
endtime_str[100], renewtime_str[100];
|
endtime_str[100], renewtime_str[100];
|
||||||
|
|
||||||
if (authtime)
|
if (authtime)
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, "auth", authtime);
|
kdc_audit_setkv_number((kdc_request_t)r, "auth", authtime);
|
||||||
if (starttime && *starttime)
|
if (starttime && *starttime)
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, "start", *starttime);
|
kdc_audit_setkv_number((kdc_request_t)r, "start", *starttime);
|
||||||
if (endtime)
|
if (endtime)
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, "end", endtime);
|
kdc_audit_setkv_number((kdc_request_t)r, "end", endtime);
|
||||||
if (renew_till && *renew_till)
|
if (renew_till && *renew_till)
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, "renew", *renew_till);
|
kdc_audit_setkv_number((kdc_request_t)r, "renew", *renew_till);
|
||||||
|
|
||||||
krb5_format_time(r->context, authtime,
|
krb5_format_time(r->context, authtime,
|
||||||
authtime_str, sizeof(authtime_str), TRUE);
|
authtime_str, sizeof(authtime_str), TRUE);
|
||||||
@@ -510,13 +510,13 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
|
|
||||||
ret = _kdc_pk_check_client(r, pkp, &client_cert);
|
ret = _kdc_pk_check_client(r, pkp, &client_cert);
|
||||||
if (client_cert)
|
if (client_cert)
|
||||||
_kdc_audit_addkv((kdc_request_t)r, 0, KDC_REQUEST_KV_PKINIT_CLIENT_CERT,
|
kdc_audit_addkv((kdc_request_t)r, 0, KDC_REQUEST_KV_PKINIT_CLIENT_CERT,
|
||||||
"%s", client_cert);
|
"%s", client_cert);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
_kdc_set_e_text(r, "PKINIT certificate not allowed to "
|
_kdc_set_e_text(r, "PKINIT certificate not allowed to "
|
||||||
"impersonate principal");
|
"impersonate principal");
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED);
|
KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -535,8 +535,8 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
ret = _kdc_add_initial_verified_cas(r->context, r->config,
|
ret = _kdc_add_initial_verified_cas(r->context, r->config,
|
||||||
pkp, &r->et);
|
pkp, &r->et);
|
||||||
|
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED);
|
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED);
|
||||||
|
|
||||||
out:
|
out:
|
||||||
if (pkp)
|
if (pkp)
|
||||||
@@ -563,13 +563,13 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
if (open) {
|
if (open) {
|
||||||
ret = _kdc_gss_check_client(r, gcp, &client_name);
|
ret = _kdc_gss_check_client(r, gcp, &client_name);
|
||||||
if (client_name)
|
if (client_name)
|
||||||
_kdc_audit_addkv((kdc_request_t)r, 0, KDC_REQUEST_KV_GSS_INITIATOR,
|
kdc_audit_addkv((kdc_request_t)r, 0, KDC_REQUEST_KV_GSS_INITIATOR,
|
||||||
"%s", client_name);
|
"%s", client_name);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
_kdc_set_e_text(r, "GSS-API client not allowed to "
|
_kdc_set_e_text(r, "GSS-API client not allowed to "
|
||||||
"impersonate principal");
|
"impersonate principal");
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED);
|
KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -577,8 +577,8 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
|
|
||||||
_kdc_r_log(r, 4, "GSS pre-authentication succeeded -- %s using %s",
|
_kdc_r_log(r, 4, "GSS pre-authentication succeeded -- %s using %s",
|
||||||
r->cname, client_name);
|
r->cname, client_name);
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED);
|
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED);
|
||||||
|
|
||||||
ret = _kdc_gss_mk_composite_name_ad(r, gcp);
|
ret = _kdc_gss_mk_composite_name_ad(r, gcp);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
@@ -642,8 +642,8 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
ret = KRB5KDC_ERR_CLIENT_REVOKED;
|
ret = KRB5KDC_ERR_CLIENT_REVOKED;
|
||||||
kdc_log(r->context, r->config, 0,
|
kdc_log(r->context, r->config, 0,
|
||||||
"Client (%s) is locked out", r->cname);
|
"Client (%s) is locked out", r->cname);
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_CLIENT_LOCKED_OUT);
|
KDC_AUTH_EVENT_CLIENT_LOCKED_OUT);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -769,14 +769,14 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
/*
|
/*
|
||||||
* Success
|
* Success
|
||||||
*/
|
*/
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY);
|
KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (invalidPassword) {
|
if (invalidPassword) {
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY);
|
KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY);
|
||||||
ret = KRB5KDC_ERR_PREAUTH_FAILED;
|
ret = KRB5KDC_ERR_PREAUTH_FAILED;
|
||||||
} else {
|
} else {
|
||||||
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
|
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
|
||||||
@@ -815,8 +815,8 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
ret = KRB5KDC_ERR_CLIENT_REVOKED;
|
ret = KRB5KDC_ERR_CLIENT_REVOKED;
|
||||||
kdc_log(r->context, r->config, 0,
|
kdc_log(r->context, r->config, 0,
|
||||||
"Client (%s) is locked out", r->cname);
|
"Client (%s) is locked out", r->cname);
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_CLIENT_LOCKED_OUT);
|
KDC_AUTH_EVENT_CLIENT_LOCKED_OUT);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -886,10 +886,10 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
r->cname, str ? str : "unknown enctype", msg);
|
r->cname, str ? str : "unknown enctype", msg);
|
||||||
krb5_xfree(str);
|
krb5_xfree(str);
|
||||||
krb5_free_error_message(r->context, msg);
|
krb5_free_error_message(r->context, msg);
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_PA_ETYPE,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_PA_ETYPE,
|
||||||
pa_key->key.keytype);
|
pa_key->key.keytype);
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY);
|
KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY);
|
||||||
if(hdb_next_enctype2key(r->context, r->client, NULL,
|
if(hdb_next_enctype2key(r->context, r->client, NULL,
|
||||||
enc_data.etype, &pa_key) == 0)
|
enc_data.etype, &pa_key) == 0)
|
||||||
goto try_next_key;
|
goto try_next_key;
|
||||||
@@ -924,8 +924,8 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
(unsigned)labs(kdc_time - p.patimestamp),
|
(unsigned)labs(kdc_time - p.patimestamp),
|
||||||
r->context->max_skew,
|
r->context->max_skew,
|
||||||
r->cname);
|
r->cname);
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_CLIENT_TIME_SKEW);
|
KDC_AUTH_EVENT_CLIENT_TIME_SKEW);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The following is needed to make windows clients to
|
* The following is needed to make windows clients to
|
||||||
@@ -950,10 +950,10 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
_kdc_r_log(r, 4, "ENC-TS Pre-authentication succeeded -- %s using %s",
|
_kdc_r_log(r, 4, "ENC-TS Pre-authentication succeeded -- %s using %s",
|
||||||
r->cname, str ? str : "unknown enctype");
|
r->cname, str ? str : "unknown enctype");
|
||||||
krb5_xfree(str);
|
krb5_xfree(str);
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_PA_ETYPE,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_PA_ETYPE,
|
||||||
pa_key->key.keytype);
|
pa_key->key.keytype);
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY);
|
KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY);
|
||||||
|
|
||||||
ret = 0;
|
ret = 0;
|
||||||
|
|
||||||
@@ -1047,8 +1047,8 @@ log_patypes(astgs_request_t r, METHOD_DATA *padata)
|
|||||||
|
|
||||||
str = rk_strpoolcollect(p);
|
str = rk_strpoolcollect(p);
|
||||||
kdc_log(r->context, config, 4, "Client sent patypes: %s", str);
|
kdc_log(r->context, config, 4, "Client sent patypes: %s", str);
|
||||||
_kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE,
|
kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE,
|
||||||
"client-pa", "%s", str);
|
"client-pa", "%s", str);
|
||||||
free(str);
|
free(str);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1586,8 +1586,8 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype)
|
|||||||
|
|
||||||
str = rk_strpoolcollect(s);
|
str = rk_strpoolcollect(s);
|
||||||
if (str)
|
if (str)
|
||||||
_kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE, "etypes", "%s",
|
kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE, "etypes", "%s",
|
||||||
str);
|
str);
|
||||||
free(str);
|
free(str);
|
||||||
|
|
||||||
ret = krb5_enctype_to_string(r->context, cetype, &cet);
|
ret = krb5_enctype_to_string(r->context, cetype, &cet);
|
||||||
@@ -1608,7 +1608,7 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype)
|
|||||||
_kdc_r_log(r, 4, "%s", str);
|
_kdc_r_log(r, 4, "%s", str);
|
||||||
free(str);
|
free(str);
|
||||||
|
|
||||||
_kdc_audit_addkv((kdc_request_t)r, 0, "etype", "%d/%d", cetype, setype);
|
kdc_audit_addkv((kdc_request_t)r, 0, "etype", "%d/%d", cetype, setype);
|
||||||
|
|
||||||
{
|
{
|
||||||
char fixedstr[128];
|
char fixedstr[128];
|
||||||
@@ -1618,8 +1618,8 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype)
|
|||||||
fixedstr, sizeof(fixedstr));
|
fixedstr, sizeof(fixedstr));
|
||||||
if (result > 0) {
|
if (result > 0) {
|
||||||
_kdc_r_log(r, 4, "Requested flags: %s", fixedstr);
|
_kdc_r_log(r, 4, "Requested flags: %s", fixedstr);
|
||||||
_kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE,
|
kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE,
|
||||||
"flags", "%s", fixedstr);
|
"flags", "%s", fixedstr);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1639,19 +1639,19 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
if (client != NULL) {
|
if (client != NULL) {
|
||||||
/* check client */
|
/* check client */
|
||||||
if (client->flags.locked_out) {
|
if (client->flags.locked_out) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Client is locked out");
|
kdc_audit_addreason((kdc_request_t)r, "Client is locked out");
|
||||||
return KRB5KDC_ERR_CLIENT_REVOKED;
|
return KRB5KDC_ERR_CLIENT_REVOKED;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (client->flags.invalid) {
|
if (client->flags.invalid) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Client has invalid bit set");
|
"Client has invalid bit set");
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!client->flags.client) {
|
if (!client->flags.client) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Principal may not act as client");
|
"Principal may not act as client");
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1659,8 +1659,8 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
char starttime_str[100];
|
char starttime_str[100];
|
||||||
krb5_format_time(r->context, *client->valid_start,
|
krb5_format_time(r->context, *client->valid_start,
|
||||||
starttime_str, sizeof(starttime_str), TRUE);
|
starttime_str, sizeof(starttime_str), TRUE);
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Client not yet valid "
|
kdc_audit_addreason((kdc_request_t)r, "Client not yet valid "
|
||||||
"until %s", starttime_str);
|
"until %s", starttime_str);
|
||||||
return KRB5KDC_ERR_CLIENT_NOTYET;
|
return KRB5KDC_ERR_CLIENT_NOTYET;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1668,8 +1668,8 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
char endtime_str[100];
|
char endtime_str[100];
|
||||||
krb5_format_time(r->context, *client->valid_end,
|
krb5_format_time(r->context, *client->valid_end,
|
||||||
endtime_str, sizeof(endtime_str), TRUE);
|
endtime_str, sizeof(endtime_str), TRUE);
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Client expired at %s",
|
kdc_audit_addreason((kdc_request_t)r, "Client expired at %s",
|
||||||
endtime_str);
|
endtime_str);
|
||||||
return KRB5KDC_ERR_NAME_EXP;
|
return KRB5KDC_ERR_NAME_EXP;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1682,8 +1682,8 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
char pwend_str[100];
|
char pwend_str[100];
|
||||||
krb5_format_time(r->context, *client->pw_end,
|
krb5_format_time(r->context, *client->pw_end,
|
||||||
pwend_str, sizeof(pwend_str), TRUE);
|
pwend_str, sizeof(pwend_str), TRUE);
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Client's key has expired "
|
kdc_audit_addreason((kdc_request_t)r, "Client's key has expired "
|
||||||
"at %s", pwend_str);
|
"at %s", pwend_str);
|
||||||
return KRB5KDC_ERR_KEY_EXPIRED;
|
return KRB5KDC_ERR_KEY_EXPIRED;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1692,23 +1692,23 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
|
|
||||||
if (server != NULL) {
|
if (server != NULL) {
|
||||||
if (server->flags.locked_out) {
|
if (server->flags.locked_out) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Server locked out");
|
kdc_audit_addreason((kdc_request_t)r, "Server locked out");
|
||||||
return KRB5KDC_ERR_SERVICE_REVOKED;
|
return KRB5KDC_ERR_SERVICE_REVOKED;
|
||||||
}
|
}
|
||||||
if (server->flags.invalid) {
|
if (server->flags.invalid) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Server has invalid flag set");
|
"Server has invalid flag set");
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
}
|
}
|
||||||
if (!server->flags.server) {
|
if (!server->flags.server) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Principal may not act as server");
|
"Principal may not act as server");
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!is_as_req && server->flags.initial) {
|
if (!is_as_req && server->flags.initial) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"AS-REQ is required for server");
|
"AS-REQ is required for server");
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1716,8 +1716,8 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
char starttime_str[100];
|
char starttime_str[100];
|
||||||
krb5_format_time(r->context, *server->valid_start,
|
krb5_format_time(r->context, *server->valid_start,
|
||||||
starttime_str, sizeof(starttime_str), TRUE);
|
starttime_str, sizeof(starttime_str), TRUE);
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Server not yet valid "
|
kdc_audit_addreason((kdc_request_t)r, "Server not yet valid "
|
||||||
"until %s", starttime_str);
|
"until %s", starttime_str);
|
||||||
return KRB5KDC_ERR_SERVICE_NOTYET;
|
return KRB5KDC_ERR_SERVICE_NOTYET;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1725,8 +1725,8 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
char endtime_str[100];
|
char endtime_str[100];
|
||||||
krb5_format_time(r->context, *server->valid_end,
|
krb5_format_time(r->context, *server->valid_end,
|
||||||
endtime_str, sizeof(endtime_str), TRUE);
|
endtime_str, sizeof(endtime_str), TRUE);
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Server expired at %s",
|
kdc_audit_addreason((kdc_request_t)r, "Server expired at %s",
|
||||||
endtime_str);
|
endtime_str);
|
||||||
return KRB5KDC_ERR_SERVICE_EXP;
|
return KRB5KDC_ERR_SERVICE_EXP;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1734,8 +1734,8 @@ kdc_check_flags(astgs_request_t r,
|
|||||||
char pwend_str[100];
|
char pwend_str[100];
|
||||||
krb5_format_time(r->context, *server->pw_end,
|
krb5_format_time(r->context, *server->pw_end,
|
||||||
pwend_str, sizeof(pwend_str), TRUE);
|
pwend_str, sizeof(pwend_str), TRUE);
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Server's key has expired "
|
kdc_audit_addreason((kdc_request_t)r, "Server's key has expired "
|
||||||
"at %s", pwend_str);
|
"at %s", pwend_str);
|
||||||
return KRB5KDC_ERR_KEY_EXPIRED;
|
return KRB5KDC_ERR_KEY_EXPIRED;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1801,8 +1801,8 @@ krb5_error_code
|
|||||||
_kdc_check_anon_policy(astgs_request_t r)
|
_kdc_check_anon_policy(astgs_request_t r)
|
||||||
{
|
{
|
||||||
if (!r->config->allow_anonymous) {
|
if (!r->config->allow_anonymous) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Anonymous tickets denied by local policy");
|
"Anonymous tickets denied by local policy");
|
||||||
return KRB5KDC_ERR_POLICY;
|
return KRB5KDC_ERR_POLICY;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1854,8 +1854,8 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
|
|||||||
krb5_const_principal canon_princ = NULL;
|
krb5_const_principal canon_princ = NULL;
|
||||||
|
|
||||||
r->pac_attributes = get_pac_attributes(r->context, &r->req);
|
r->pac_attributes = get_pac_attributes(r->context, &r->req);
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, "pac_attributes",
|
kdc_audit_setkv_number((kdc_request_t)r, "pac_attributes",
|
||||||
r->pac_attributes);
|
r->pac_attributes);
|
||||||
|
|
||||||
if (!_kdc_include_pac_p(r))
|
if (!_kdc_include_pac_p(r))
|
||||||
return 0;
|
return 0;
|
||||||
@@ -1903,8 +1903,8 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
|
|||||||
canon_princ = r->canon_client_princ;
|
canon_princ = r->canon_client_princ;
|
||||||
|
|
||||||
(void) krb5_unparse_name(r->context, canon_princ, &cpn);
|
(void) krb5_unparse_name(r->context, canon_princ, &cpn);
|
||||||
_kdc_audit_addkv((kdc_request_t)r, 0, "canon_client_name", "%s",
|
kdc_audit_addkv((kdc_request_t)r, 0, "canon_client_name", "%s",
|
||||||
cpn ? cpn : "<unknown>");
|
cpn ? cpn : "<unknown>");
|
||||||
krb5_xfree(cpn);
|
krb5_xfree(cpn);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2193,8 +2193,8 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
kdc_log(r->context, config, 4, "UNKNOWN -- %s: %s", r->cname, msg);
|
kdc_log(r->context, config, 4, "UNKNOWN -- %s: %s", r->cname, msg);
|
||||||
krb5_free_error_message(r->context, msg);
|
krb5_free_error_message(r->context, msg);
|
||||||
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_CLIENT_UNKNOWN);
|
KDC_AUTH_EVENT_CLIENT_UNKNOWN);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -2261,8 +2261,8 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
_kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_VIS, "pa", "%s",
|
kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_VIS, "pa", "%s",
|
||||||
pat[n].name);
|
pat[n].name);
|
||||||
ret = pat[n].validate(r, pa);
|
ret = pat[n].validate(r, pa);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
krb5_error_code ret2;
|
krb5_error_code ret2;
|
||||||
@@ -2270,9 +2270,9 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
krb5_boolean default_salt;
|
krb5_boolean default_salt;
|
||||||
|
|
||||||
if (ret != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED &&
|
if (ret != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED &&
|
||||||
!_kdc_audit_getkv((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT))
|
!kdc_audit_getkv((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT))
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_PREAUTH_FAILED);
|
KDC_AUTH_EVENT_PREAUTH_FAILED);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If there is a client key, send ETYPE_INFO{,2}
|
* If there is a client key, send ETYPE_INFO{,2}
|
||||||
@@ -2288,9 +2288,9 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
}
|
}
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if (!_kdc_audit_getkv((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT))
|
if (!kdc_audit_getkv((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT))
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED);
|
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED);
|
||||||
kdc_log(r->context, config, 4,
|
kdc_log(r->context, config, 4,
|
||||||
"%s pre-authentication succeeded -- %s",
|
"%s pre-authentication succeeded -- %s",
|
||||||
pat[n].name, r->cname);
|
pat[n].name, r->cname);
|
||||||
@@ -2386,8 +2386,8 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
r->et.flags.anonymous = 1;
|
r->et.flags.anonymous = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||||
KDC_AUTH_EVENT_CLIENT_AUTHORIZED);
|
KDC_AUTH_EVENT_CLIENT_AUTHORIZED);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Select the best encryption type for the KDC with out regard to
|
* Select the best encryption type for the KDC with out regard to
|
||||||
@@ -2486,12 +2486,12 @@ _kdc_as_rep(astgs_request_t r)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (b->addresses)
|
if (b->addresses)
|
||||||
_kdc_audit_addaddrs((kdc_request_t)r, b->addresses, "reqaddrs");
|
kdc_audit_addaddrs((kdc_request_t)r, b->addresses, "reqaddrs");
|
||||||
|
|
||||||
/* check for valid set of addresses */
|
/* check for valid set of addresses */
|
||||||
if (!_kdc_check_addresses(r, b->addresses, r->addr)) {
|
if (!_kdc_check_addresses(r, b->addresses, r->addr)) {
|
||||||
if (r->config->warn_ticket_addresses) {
|
if (r->config->warn_ticket_addresses) {
|
||||||
_kdc_audit_setkv_bool((kdc_request_t)r, "wrongaddr", TRUE);
|
kdc_audit_setkv_bool((kdc_request_t)r, "wrongaddr", TRUE);
|
||||||
} else {
|
} else {
|
||||||
_kdc_set_e_text(r, "Request from wrong address");
|
_kdc_set_e_text(r, "Request from wrong address");
|
||||||
ret = KRB5KRB_AP_ERR_BADADDR;
|
ret = KRB5KRB_AP_ERR_BADADDR;
|
||||||
|
|||||||
132
kdc/krb5tgs.c
132
kdc/krb5tgs.c
@@ -211,35 +211,35 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
|
|||||||
|
|
||||||
if(f.validate){
|
if(f.validate){
|
||||||
if (!tgt->flags.invalid || tgt->starttime == NULL) {
|
if (!tgt->flags.invalid || tgt->starttime == NULL) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Bad request to validate ticket");
|
"Bad request to validate ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
if(*tgt->starttime > kdc_time){
|
if(*tgt->starttime > kdc_time){
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Early request to validate ticket");
|
"Early request to validate ticket");
|
||||||
return KRB5KRB_AP_ERR_TKT_NYV;
|
return KRB5KRB_AP_ERR_TKT_NYV;
|
||||||
}
|
}
|
||||||
/* XXX tkt = tgt */
|
/* XXX tkt = tgt */
|
||||||
et->flags.invalid = 0;
|
et->flags.invalid = 0;
|
||||||
} else if (tgt->flags.invalid) {
|
} else if (tgt->flags.invalid) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Ticket-granting ticket has INVALID flag set");
|
"Ticket-granting ticket has INVALID flag set");
|
||||||
return KRB5KRB_AP_ERR_TKT_INVALID;
|
return KRB5KRB_AP_ERR_TKT_INVALID;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(f.forwardable){
|
if(f.forwardable){
|
||||||
if (!tgt->flags.forwardable) {
|
if (!tgt->flags.forwardable) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Bad request for forwardable ticket");
|
"Bad request for forwardable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.forwardable = 1;
|
et->flags.forwardable = 1;
|
||||||
}
|
}
|
||||||
if(f.forwarded){
|
if(f.forwarded){
|
||||||
if (!tgt->flags.forwardable) {
|
if (!tgt->flags.forwardable) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Request to forward non-forwardable ticket");
|
"Request to forward non-forwardable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.forwarded = 1;
|
et->flags.forwarded = 1;
|
||||||
@@ -250,16 +250,16 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
|
|||||||
|
|
||||||
if(f.proxiable){
|
if(f.proxiable){
|
||||||
if (!tgt->flags.proxiable) {
|
if (!tgt->flags.proxiable) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Bad request for proxiable ticket");
|
"Bad request for proxiable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.proxiable = 1;
|
et->flags.proxiable = 1;
|
||||||
}
|
}
|
||||||
if(f.proxy){
|
if(f.proxy){
|
||||||
if (!tgt->flags.proxiable) {
|
if (!tgt->flags.proxiable) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Request to proxy non-proxiable ticket");
|
"Request to proxy non-proxiable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.proxy = 1;
|
et->flags.proxy = 1;
|
||||||
@@ -270,16 +270,16 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
|
|||||||
|
|
||||||
if(f.allow_postdate){
|
if(f.allow_postdate){
|
||||||
if (!tgt->flags.may_postdate) {
|
if (!tgt->flags.may_postdate) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Bad request for post-datable ticket");
|
"Bad request for post-datable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.may_postdate = 1;
|
et->flags.may_postdate = 1;
|
||||||
}
|
}
|
||||||
if(f.postdated){
|
if(f.postdated){
|
||||||
if (!tgt->flags.may_postdate) {
|
if (!tgt->flags.may_postdate) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Bad request for postdated ticket");
|
"Bad request for postdated ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
if(b->from)
|
if(b->from)
|
||||||
@@ -287,15 +287,15 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
|
|||||||
et->flags.postdated = 1;
|
et->flags.postdated = 1;
|
||||||
et->flags.invalid = 1;
|
et->flags.invalid = 1;
|
||||||
} else if (b->from && *b->from > kdc_time + r->context->max_skew) {
|
} else if (b->from && *b->from > kdc_time + r->context->max_skew) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Ticket cannot be postdated");
|
"Ticket cannot be postdated");
|
||||||
return KRB5KDC_ERR_CANNOT_POSTDATE;
|
return KRB5KDC_ERR_CANNOT_POSTDATE;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(f.renewable){
|
if(f.renewable){
|
||||||
if (!tgt->flags.renewable || tgt->renew_till == NULL) {
|
if (!tgt->flags.renewable || tgt->renew_till == NULL) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Bad request for renewable ticket");
|
"Bad request for renewable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
et->flags.renewable = 1;
|
et->flags.renewable = 1;
|
||||||
@@ -306,8 +306,8 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
|
|||||||
if(f.renew){
|
if(f.renew){
|
||||||
time_t old_life;
|
time_t old_life;
|
||||||
if (!tgt->flags.renewable || tgt->renew_till == NULL) {
|
if (!tgt->flags.renewable || tgt->renew_till == NULL) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Request to renew non-renewable ticket");
|
"Request to renew non-renewable ticket");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
old_life = tgt->endtime;
|
old_life = tgt->endtime;
|
||||||
@@ -326,8 +326,8 @@ check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
|
|||||||
*/
|
*/
|
||||||
if (tgt->flags.anonymous &&
|
if (tgt->flags.anonymous &&
|
||||||
!_kdc_is_anonymous(r->context, tgt_name)) {
|
!_kdc_is_anonymous(r->context, tgt_name)) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Anonymous ticket flag set without "
|
"Anonymous ticket flag set without "
|
||||||
"anonymous principal");
|
"anonymous principal");
|
||||||
return KRB5KDC_ERR_BADOPTION;
|
return KRB5KDC_ERR_BADOPTION;
|
||||||
}
|
}
|
||||||
@@ -740,8 +740,8 @@ tgs_make_reply(astgs_request_t r,
|
|||||||
char *cpn;
|
char *cpn;
|
||||||
|
|
||||||
(void) krb5_unparse_name(r->context, r->canon_client_princ, &cpn);
|
(void) krb5_unparse_name(r->context, r->canon_client_princ, &cpn);
|
||||||
_kdc_audit_addkv((kdc_request_t)r, 0, "canon_client_name", "%s",
|
kdc_audit_addkv((kdc_request_t)r, 0, "canon_client_name", "%s",
|
||||||
cpn ? cpn : "<unknown>");
|
cpn ? cpn : "<unknown>");
|
||||||
krb5_xfree(cpn);
|
krb5_xfree(cpn);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -752,8 +752,8 @@ tgs_make_reply(astgs_request_t r,
|
|||||||
* is implementation dependent.
|
* is implementation dependent.
|
||||||
*/
|
*/
|
||||||
if (r->pac && !et->flags.anonymous) {
|
if (r->pac && !et->flags.anonymous) {
|
||||||
_kdc_audit_setkv_number((kdc_request_t)r, "pac_attributes",
|
kdc_audit_setkv_number((kdc_request_t)r, "pac_attributes",
|
||||||
r->pac_attributes);
|
r->pac_attributes);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* PACs are included when issuing TGTs, if there is no PAC_ATTRIBUTES
|
* PACs are included when issuing TGTs, if there is no PAC_ATTRIBUTES
|
||||||
@@ -1059,10 +1059,10 @@ next_kvno:
|
|||||||
&r->ticket,
|
&r->ticket,
|
||||||
KRB5_KU_TGS_REQ_AUTH);
|
KRB5_KU_TGS_REQ_AUTH);
|
||||||
if (r->ticket && r->ticket->ticket.caddr)
|
if (r->ticket && r->ticket->ticket.caddr)
|
||||||
_kdc_audit_addaddrs((kdc_request_t)r, r->ticket->ticket.caddr, "tixaddrs");
|
kdc_audit_addaddrs((kdc_request_t)r, r->ticket->ticket.caddr, "tixaddrs");
|
||||||
if (r->config->warn_ticket_addresses && ret == KRB5KRB_AP_ERR_BADADDR &&
|
if (r->config->warn_ticket_addresses && ret == KRB5KRB_AP_ERR_BADADDR &&
|
||||||
r->ticket != NULL) {
|
r->ticket != NULL) {
|
||||||
_kdc_audit_setkv_bool((kdc_request_t)r, "wrongaddr", TRUE);
|
kdc_audit_setkv_bool((kdc_request_t)r, "wrongaddr", TRUE);
|
||||||
ret = 0;
|
ret = 0;
|
||||||
}
|
}
|
||||||
if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && kvno_search_tries > 0) {
|
if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && kvno_search_tries > 0) {
|
||||||
@@ -1454,7 +1454,7 @@ server_lookup:
|
|||||||
priv->serverdb = serverdb;
|
priv->serverdb = serverdb;
|
||||||
if (ret == HDB_ERR_NOT_FOUND_HERE) {
|
if (ret == HDB_ERR_NOT_FOUND_HERE) {
|
||||||
kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", spn);
|
kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", spn);
|
||||||
_kdc_audit_addreason((kdc_request_t)priv, "Target not found here");
|
kdc_audit_addreason((kdc_request_t)priv, "Target not found here");
|
||||||
goto out;
|
goto out;
|
||||||
} else if (ret == HDB_ERR_WRONG_REALM) {
|
} else if (ret == HDB_ERR_WRONG_REALM) {
|
||||||
free(ref_realm);
|
free(ref_realm);
|
||||||
@@ -1505,8 +1505,8 @@ server_lookup:
|
|||||||
req_rlm, TRUE, &capath, &num_capath);
|
req_rlm, TRUE, &capath, &num_capath);
|
||||||
if (ret2) {
|
if (ret2) {
|
||||||
ret = ret2;
|
ret = ret2;
|
||||||
_kdc_audit_addreason((kdc_request_t)priv,
|
kdc_audit_addreason((kdc_request_t)priv,
|
||||||
"No trusted path from client realm to ours");
|
"No trusted path from client realm to ours");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1568,8 +1568,8 @@ server_lookup:
|
|||||||
krb5_free_error_message(context, msg);
|
krb5_free_error_message(context, msg);
|
||||||
if (ret == HDB_ERR_NOENTRY)
|
if (ret == HDB_ERR_NOENTRY)
|
||||||
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
||||||
_kdc_audit_addreason((kdc_request_t)priv,
|
kdc_audit_addreason((kdc_request_t)priv,
|
||||||
"Service principal unknown");
|
"Service principal unknown");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1649,16 +1649,16 @@ server_lookup:
|
|||||||
ret = KRB5KDC_ERR_BADOPTION; /* ? */
|
ret = KRB5KDC_ERR_BADOPTION; /* ? */
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"No second ticket present in user-to-user request");
|
"No second ticket present in user-to-user request");
|
||||||
_kdc_audit_addreason((kdc_request_t)priv,
|
kdc_audit_addreason((kdc_request_t)priv,
|
||||||
"No second ticket present in user-to-user request");
|
"No second ticket present in user-to-user request");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
t = &b->additional_tickets->val[0];
|
t = &b->additional_tickets->val[0];
|
||||||
if(!get_krbtgt_realm(&t->sname)){
|
if(!get_krbtgt_realm(&t->sname)){
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Additional ticket is not a ticket-granting ticket");
|
"Additional ticket is not a ticket-granting ticket");
|
||||||
_kdc_audit_addreason((kdc_request_t)priv,
|
kdc_audit_addreason((kdc_request_t)priv,
|
||||||
"Additional ticket is not a ticket-granting ticket");
|
"Additional ticket is not a ticket-granting ticket");
|
||||||
ret = KRB5KDC_ERR_POLICY;
|
ret = KRB5KDC_ERR_POLICY;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1680,8 +1680,8 @@ server_lookup:
|
|||||||
if(ret){
|
if(ret){
|
||||||
if (ret == HDB_ERR_NOENTRY)
|
if (ret == HDB_ERR_NOENTRY)
|
||||||
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
||||||
_kdc_audit_addreason((kdc_request_t)priv,
|
kdc_audit_addreason((kdc_request_t)priv,
|
||||||
"User-to-user service principal (TGS) unknown");
|
"User-to-user service principal (TGS) unknown");
|
||||||
krb5_xfree(tpn);
|
krb5_xfree(tpn);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1689,23 +1689,23 @@ server_lookup:
|
|||||||
t->enc_part.etype, &uukey);
|
t->enc_part.etype, &uukey);
|
||||||
if(ret){
|
if(ret){
|
||||||
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
|
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
|
||||||
_kdc_audit_addreason((kdc_request_t)priv,
|
kdc_audit_addreason((kdc_request_t)priv,
|
||||||
"User-to-user enctype not supported");
|
"User-to-user enctype not supported");
|
||||||
krb5_xfree(tpn);
|
krb5_xfree(tpn);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
|
ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
|
||||||
if(ret) {
|
if(ret) {
|
||||||
_kdc_audit_addreason((kdc_request_t)priv,
|
kdc_audit_addreason((kdc_request_t)priv,
|
||||||
"User-to-user TGT decrypt failure");
|
"User-to-user TGT decrypt failure");
|
||||||
krb5_xfree(tpn);
|
krb5_xfree(tpn);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = _kdc_verify_flags(context, config, &adtkt, tpn);
|
ret = _kdc_verify_flags(context, config, &adtkt, tpn);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
_kdc_audit_addreason((kdc_request_t)priv,
|
kdc_audit_addreason((kdc_request_t)priv,
|
||||||
"User-to-user TGT expired or invalid");
|
"User-to-user TGT expired or invalid");
|
||||||
krb5_xfree(tpn);
|
krb5_xfree(tpn);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -1803,8 +1803,8 @@ server_lookup:
|
|||||||
"Addition ticket have not matching etypes");
|
"Addition ticket have not matching etypes");
|
||||||
krb5_clear_error_message(context);
|
krb5_clear_error_message(context);
|
||||||
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
|
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
|
||||||
_kdc_audit_addreason((kdc_request_t)priv,
|
kdc_audit_addreason((kdc_request_t)priv,
|
||||||
"No matching enctypes for 2nd ticket");
|
"No matching enctypes for 2nd ticket");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
etype = b->etype.val[i];
|
etype = b->etype.val[i];
|
||||||
@@ -1819,8 +1819,8 @@ server_lookup:
|
|||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Server (%s) has no support for etypes", spn);
|
"Server (%s) has no support for etypes", spn);
|
||||||
_kdc_audit_addreason((kdc_request_t)priv,
|
kdc_audit_addreason((kdc_request_t)priv,
|
||||||
"Enctype not supported");
|
"Enctype not supported");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = _kdc_get_preferred_key(context, config, server, spn,
|
ret = _kdc_get_preferred_key(context, config, server, spn,
|
||||||
@@ -1828,8 +1828,8 @@ server_lookup:
|
|||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Server (%s) has no supported etypes", spn);
|
"Server (%s) has no supported etypes", spn);
|
||||||
_kdc_audit_addreason((kdc_request_t)priv,
|
kdc_audit_addreason((kdc_request_t)priv,
|
||||||
"Enctype not supported");
|
"Enctype not supported");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ekey = &skey->key;
|
ekey = &skey->key;
|
||||||
@@ -1864,7 +1864,7 @@ server_lookup:
|
|||||||
if(ret == 0)
|
if(ret == 0)
|
||||||
free(ktpn);
|
free(ktpn);
|
||||||
ret = KRB5KRB_AP_ERR_NOT_US;
|
ret = KRB5KRB_AP_ERR_NOT_US;
|
||||||
_kdc_audit_addreason((kdc_request_t)priv, "Request with wrong TGT");
|
kdc_audit_addreason((kdc_request_t)priv, "Request with wrong TGT");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1873,8 +1873,8 @@ server_lookup:
|
|||||||
if (ret) {
|
if (ret) {
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Failed to find key for krbtgt PAC signature");
|
"Failed to find key for krbtgt PAC signature");
|
||||||
_kdc_audit_addreason((kdc_request_t)priv,
|
kdc_audit_addreason((kdc_request_t)priv,
|
||||||
"Failed to find key for krbtgt PAC signature");
|
"Failed to find key for krbtgt PAC signature");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ret = hdb_enctype2key(context, krbtgt_out, NULL,
|
ret = hdb_enctype2key(context, krbtgt_out, NULL,
|
||||||
@@ -1882,8 +1882,8 @@ server_lookup:
|
|||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Failed to find key for krbtgt PAC signature");
|
"Failed to find key for krbtgt PAC signature");
|
||||||
_kdc_audit_addreason((kdc_request_t)priv,
|
kdc_audit_addreason((kdc_request_t)priv,
|
||||||
"Failed to find key for krbtgt PAC signature");
|
"Failed to find key for krbtgt PAC signature");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1906,7 +1906,7 @@ server_lookup:
|
|||||||
&priv->pac_attributes);
|
&priv->pac_attributes);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(context, ret);
|
const char *msg = krb5_get_error_message(context, ret);
|
||||||
_kdc_audit_addreason((kdc_request_t)priv, "PAC check failed");
|
kdc_audit_addreason((kdc_request_t)priv, "PAC check failed");
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Verify PAC failed for %s (%s) from %s with %s",
|
"Verify PAC failed for %s (%s) from %s with %s",
|
||||||
spn, cpn, from, msg);
|
spn, cpn, from, msg);
|
||||||
@@ -1938,7 +1938,7 @@ server_lookup:
|
|||||||
!krb5_principal_compare(context,
|
!krb5_principal_compare(context,
|
||||||
priv->krbtgt->principal,
|
priv->krbtgt->principal,
|
||||||
priv->server->principal)){
|
priv->server->principal)){
|
||||||
_kdc_audit_addreason((kdc_request_t)priv, "Inconsistent request");
|
kdc_audit_addreason((kdc_request_t)priv, "Inconsistent request");
|
||||||
kdc_log(context, config, 4, "Inconsistent request.");
|
kdc_log(context, config, 4, "Inconsistent request.");
|
||||||
ret = KRB5KDC_ERR_SERVER_NOMATCH;
|
ret = KRB5KDC_ERR_SERVER_NOMATCH;
|
||||||
goto out;
|
goto out;
|
||||||
@@ -1948,12 +1948,12 @@ server_lookup:
|
|||||||
if (!_kdc_check_addresses(priv, tgt->caddr, from_addr)) {
|
if (!_kdc_check_addresses(priv, tgt->caddr, from_addr)) {
|
||||||
if (config->check_ticket_addresses) {
|
if (config->check_ticket_addresses) {
|
||||||
ret = KRB5KRB_AP_ERR_BADADDR;
|
ret = KRB5KRB_AP_ERR_BADADDR;
|
||||||
_kdc_audit_setkv_bool((kdc_request_t)priv, "wrongaddr", TRUE);
|
kdc_audit_setkv_bool((kdc_request_t)priv, "wrongaddr", TRUE);
|
||||||
kdc_log(context, config, 4, "Request from wrong address");
|
kdc_log(context, config, 4, "Request from wrong address");
|
||||||
_kdc_audit_addreason((kdc_request_t)priv, "Request from wrong address");
|
kdc_audit_addreason((kdc_request_t)priv, "Request from wrong address");
|
||||||
goto out;
|
goto out;
|
||||||
} else if (config->warn_ticket_addresses) {
|
} else if (config->warn_ticket_addresses) {
|
||||||
_kdc_audit_setkv_bool((kdc_request_t)priv, "wrongaddr", TRUE);
|
kdc_audit_setkv_bool((kdc_request_t)priv, "wrongaddr", TRUE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1983,7 +1983,7 @@ server_lookup:
|
|||||||
NULL, s, &pa.padata_value);
|
NULL, s, &pa.padata_value);
|
||||||
krb5_crypto_destroy(context, crypto);
|
krb5_crypto_destroy(context, crypto);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
_kdc_audit_addreason((kdc_request_t)priv, "Referral build failed");
|
kdc_audit_addreason((kdc_request_t)priv, "Referral build failed");
|
||||||
kdc_log(context, config, 4,
|
kdc_log(context, config, 4,
|
||||||
"Failed building server referral");
|
"Failed building server referral");
|
||||||
goto out;
|
goto out;
|
||||||
|
|||||||
88
kdc/kx509.c
88
kdc/kx509.c
@@ -305,8 +305,8 @@ kdc_kx509_verify_service_principal(krb5_context context,
|
|||||||
KRB5_TGS_NAME) == 0) {
|
KRB5_TGS_NAME) == 0) {
|
||||||
const char *r = krb5_principal_get_comp_string(context, sprincipal, 1);
|
const char *r = krb5_principal_get_comp_string(context, sprincipal, 1);
|
||||||
if ((ret = is_local_realm(context, reqctx, r)))
|
if ((ret = is_local_realm(context, reqctx, r)))
|
||||||
_kdc_audit_addreason((kdc_request_t)reqctx,
|
kdc_audit_addreason((kdc_request_t)reqctx,
|
||||||
"Client used wrong krbtgt for kx509");
|
"Client used wrong krbtgt for kx509");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -315,8 +315,8 @@ kdc_kx509_verify_service_principal(krb5_context context,
|
|||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
ret = errno;
|
ret = errno;
|
||||||
kdc_log(context, reqctx->config, 0, "Failed to get local hostname");
|
kdc_log(context, reqctx->config, 0, "Failed to get local hostname");
|
||||||
_kdc_audit_addreason((kdc_request_t)reqctx,
|
kdc_audit_addreason((kdc_request_t)reqctx,
|
||||||
"Failed to get local hostname");
|
"Failed to get local hostname");
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
localhost[sizeof(localhost) - 1] = '\0';
|
localhost[sizeof(localhost) - 1] = '\0';
|
||||||
@@ -335,8 +335,8 @@ err:
|
|||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
ret = KRB5KDC_ERR_SERVER_NOMATCH;
|
ret = KRB5KDC_ERR_SERVER_NOMATCH;
|
||||||
_kdc_audit_addreason((kdc_request_t)reqctx, "Client used wrong kx509 "
|
kdc_audit_addreason((kdc_request_t)reqctx, "Client used wrong kx509 "
|
||||||
"service principal (expected %s)", expected);
|
"service principal (expected %s)", expected);
|
||||||
|
|
||||||
out:
|
out:
|
||||||
krb5_xfree(expected);
|
krb5_xfree(expected);
|
||||||
@@ -400,7 +400,7 @@ mk_error_response(krb5_context context,
|
|||||||
}
|
}
|
||||||
|
|
||||||
va_start(ap, fmt);
|
va_start(ap, fmt);
|
||||||
_kdc_audit_vaddreason((kdc_request_t)reqctx, fmt, ap);
|
kdc_audit_vaddreason((kdc_request_t)reqctx, fmt, ap);
|
||||||
va_end(ap);
|
va_end(ap);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -545,9 +545,9 @@ update_csr(krb5_context context, kx509_req_context reqctx, Extensions *exts)
|
|||||||
const char *emsg = krb5_get_error_message(context, ret);
|
const char *emsg = krb5_get_error_message(context, ret);
|
||||||
kdc_log(context, reqctx->config, 1,
|
kdc_log(context, reqctx->config, 1,
|
||||||
"Error handling requested extensions: %s", emsg);
|
"Error handling requested extensions: %s", emsg);
|
||||||
_kdc_audit_addreason((kdc_request_t)reqctx,
|
kdc_audit_addreason((kdc_request_t)reqctx,
|
||||||
"Error handling requested extensions: %s",
|
"Error handling requested extensions: %s",
|
||||||
emsg);
|
emsg);
|
||||||
krb5_free_error_message(context, emsg);
|
krb5_free_error_message(context, emsg);
|
||||||
}
|
}
|
||||||
return ret;
|
return ret;
|
||||||
@@ -581,7 +581,7 @@ get_csr(krb5_context context, kx509_req_context reqctx)
|
|||||||
*/
|
*/
|
||||||
if (ret == 0)
|
if (ret == 0)
|
||||||
return update_csr(context, reqctx, reqctx->csr_plus.exts);
|
return update_csr(context, reqctx, reqctx->csr_plus.exts);
|
||||||
_kdc_audit_addreason((kdc_request_t)reqctx, "Invalid CSR");
|
kdc_audit_addreason((kdc_request_t)reqctx, "Invalid CSR");
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
reqctx->send_chain = 0;
|
reqctx->send_chain = 0;
|
||||||
@@ -589,8 +589,8 @@ get_csr(krb5_context context, kx509_req_context reqctx)
|
|||||||
|
|
||||||
/* Check if proof of possession is required by configuration */
|
/* Check if proof of possession is required by configuration */
|
||||||
if (!get_bool_param(context, FALSE, reqctx->realm, "require_csr")) {
|
if (!get_bool_param(context, FALSE, reqctx->realm, "require_csr")) {
|
||||||
_kdc_audit_addreason((kdc_request_t)reqctx,
|
kdc_audit_addreason((kdc_request_t)reqctx,
|
||||||
"CSRs required but client did not send one");
|
"CSRs required but client did not send one");
|
||||||
krb5_set_error_message(context, KX509_STATUS_CLIENT_USE_CSR,
|
krb5_set_error_message(context, KX509_STATUS_CLIENT_USE_CSR,
|
||||||
"CSRs required but kx509 client did not send "
|
"CSRs required but kx509 client did not send "
|
||||||
"one");
|
"one");
|
||||||
@@ -608,14 +608,14 @@ get_csr(krb5_context context, kx509_req_context reqctx)
|
|||||||
/* Not an RSAPublicKey or garbage follows it */
|
/* Not an RSAPublicKey or garbage follows it */
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
ret = KRB5KDC_ERR_NULL_KEY;
|
ret = KRB5KDC_ERR_NULL_KEY;
|
||||||
_kdc_audit_addreason((kdc_request_t)reqctx,
|
kdc_audit_addreason((kdc_request_t)reqctx,
|
||||||
"Request has garbage after key");
|
"Request has garbage after key");
|
||||||
krb5_set_error_message(context, ret, "Request has garbage after key");
|
krb5_set_error_message(context, ret, "Request has garbage after key");
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
_kdc_audit_addreason((kdc_request_t)reqctx,
|
kdc_audit_addreason((kdc_request_t)reqctx,
|
||||||
"Could not decode CSR or RSA subject public key");
|
"Could not decode CSR or RSA subject public key");
|
||||||
krb5_set_error_message(context, ret,
|
krb5_set_error_message(context, ret,
|
||||||
"Could not decode CSR or RSA subject public key");
|
"Could not decode CSR or RSA subject public key");
|
||||||
return ret;
|
return ret;
|
||||||
@@ -675,7 +675,7 @@ check_authz(krb5_context context,
|
|||||||
ret = kdc_authorize_csr(context, reqctx->config->app, reqctx->csr,
|
ret = kdc_authorize_csr(context, reqctx->config->app, reqctx->csr,
|
||||||
cprincipal);
|
cprincipal);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
_kdc_audit_setkv_bool((kdc_request_t)reqctx, "authorized", TRUE);
|
kdc_audit_setkv_bool((kdc_request_t)reqctx, "authorized", TRUE);
|
||||||
|
|
||||||
ret = hx509_request_get_san(reqctx->csr, 0, &san_type, &s);
|
ret = hx509_request_get_san(reqctx->csr, 0, &san_type, &s);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
@@ -692,19 +692,19 @@ check_authz(krb5_context context,
|
|||||||
case HX509_SAN_TYPE_MS_UPN: san_type_s = "ms-UPN"; break;
|
case HX509_SAN_TYPE_MS_UPN: san_type_s = "ms-UPN"; break;
|
||||||
default: san_type_s = "unknown"; break;
|
default: san_type_s = "unknown"; break;
|
||||||
}
|
}
|
||||||
_kdc_audit_addkv((kdc_request_t)reqctx, 0, "san0_type", "%s",
|
kdc_audit_addkv((kdc_request_t)reqctx, 0, "san0_type", "%s",
|
||||||
san_type_s);
|
san_type_s);
|
||||||
_kdc_audit_addkv((kdc_request_t)reqctx, 0, "san0", "%s", s);
|
kdc_audit_addkv((kdc_request_t)reqctx, 0, "san0", "%s", s);
|
||||||
}
|
}
|
||||||
frees(&s);
|
frees(&s);
|
||||||
ret = hx509_request_get_eku(reqctx->csr, 0, &s);
|
ret = hx509_request_get_eku(reqctx->csr, 0, &s);
|
||||||
if (ret == 0)
|
if (ret == 0)
|
||||||
_kdc_audit_addkv((kdc_request_t)reqctx, 0, "eku0", "%s", s);
|
kdc_audit_addkv((kdc_request_t)reqctx, 0, "eku0", "%s", s);
|
||||||
free(s);
|
free(s);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if (ret != KRB5_PLUGIN_NO_HANDLE) {
|
if (ret != KRB5_PLUGIN_NO_HANDLE) {
|
||||||
_kdc_audit_addreason((kdc_request_t)reqctx,
|
kdc_audit_addreason((kdc_request_t)reqctx,
|
||||||
"Requested extensions rejected by plugin");
|
"Requested extensions rejected by plugin");
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@@ -724,27 +724,27 @@ check_authz(krb5_context context,
|
|||||||
if (ncomp != 2 || strcasecmp(comp1, s) != 0 ||
|
if (ncomp != 2 || strcasecmp(comp1, s) != 0 ||
|
||||||
strchr(s, '.') == NULL ||
|
strchr(s, '.') == NULL ||
|
||||||
!check_authz_svc_ok(context, comp0)) {
|
!check_authz_svc_ok(context, comp0)) {
|
||||||
_kdc_audit_addreason((kdc_request_t)reqctx,
|
kdc_audit_addreason((kdc_request_t)reqctx,
|
||||||
"Requested extensions rejected by "
|
"Requested extensions rejected by "
|
||||||
"default policy (dNSName SAN "
|
"default policy (dNSName SAN "
|
||||||
"does not match client)");
|
"does not match client)");
|
||||||
goto eacces;
|
goto eacces;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case HX509_SAN_TYPE_PKINIT:
|
case HX509_SAN_TYPE_PKINIT:
|
||||||
if (strcmp(cprinc, s) != 0) {
|
if (strcmp(cprinc, s) != 0) {
|
||||||
_kdc_audit_addreason((kdc_request_t)reqctx,
|
kdc_audit_addreason((kdc_request_t)reqctx,
|
||||||
"Requested extensions rejected by "
|
"Requested extensions rejected by "
|
||||||
"default policy (PKINIT SAN "
|
"default policy (PKINIT SAN "
|
||||||
"does not match client)");
|
"does not match client)");
|
||||||
goto eacces;
|
goto eacces;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
_kdc_audit_addreason((kdc_request_t)reqctx,
|
kdc_audit_addreason((kdc_request_t)reqctx,
|
||||||
"Requested extensions rejected by "
|
"Requested extensions rejected by "
|
||||||
"default policy (non-default SAN "
|
"default policy (non-default SAN "
|
||||||
"requested)");
|
"requested)");
|
||||||
goto eacces;
|
goto eacces;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -772,8 +772,8 @@ check_authz(krb5_context context,
|
|||||||
}
|
}
|
||||||
der_free_oid(&oid);
|
der_free_oid(&oid);
|
||||||
if (k == sizeof(eku_whitelist)/sizeof(eku_whitelist[0])) {
|
if (k == sizeof(eku_whitelist)/sizeof(eku_whitelist[0])) {
|
||||||
_kdc_audit_addreason((kdc_request_t)reqctx,
|
kdc_audit_addreason((kdc_request_t)reqctx,
|
||||||
"Requested EKU rejected by default policy");
|
"Requested EKU rejected by default policy");
|
||||||
goto eacces;
|
goto eacces;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -791,7 +791,7 @@ check_authz(krb5_context context,
|
|||||||
if (KeyUsage2int(ku) != (KeyUsage2int(ku) & KeyUsage2int(ku_allowed)))
|
if (KeyUsage2int(ku) != (KeyUsage2int(ku) & KeyUsage2int(ku_allowed)))
|
||||||
goto eacces;
|
goto eacces;
|
||||||
|
|
||||||
_kdc_audit_setkv_bool((kdc_request_t)reqctx, "authorized", TRUE);
|
kdc_audit_setkv_bool((kdc_request_t)reqctx, "authorized", TRUE);
|
||||||
free(cprinc);
|
free(cprinc);
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
@@ -801,7 +801,7 @@ eacces:
|
|||||||
|
|
||||||
out:
|
out:
|
||||||
/* XXX Display error code */
|
/* XXX Display error code */
|
||||||
_kdc_audit_addreason((kdc_request_t)reqctx,
|
kdc_audit_addreason((kdc_request_t)reqctx,
|
||||||
"Error handling requested extensions");
|
"Error handling requested extensions");
|
||||||
out2:
|
out2:
|
||||||
free(cprinc);
|
free(cprinc);
|
||||||
@@ -891,7 +891,7 @@ _kdc_do_kx509(kx509_req_context r)
|
|||||||
* possibly change the error code and message.
|
* possibly change the error code and message.
|
||||||
*/
|
*/
|
||||||
is_probe = 1;
|
is_probe = 1;
|
||||||
_kdc_audit_addkv((kdc_request_t)r, 0, "probe", "unauthenticated");
|
kdc_audit_addkv((kdc_request_t)r, 0, "probe", "unauthenticated");
|
||||||
ret = mk_error_response(r->context, r, 4, 0,
|
ret = mk_error_response(r->context, r, 4, 0,
|
||||||
"kx509 service is available");
|
"kx509 service is available");
|
||||||
goto out;
|
goto out;
|
||||||
@@ -974,7 +974,7 @@ _kdc_do_kx509(kx509_req_context r)
|
|||||||
* possibly change the error code and message.
|
* possibly change the error code and message.
|
||||||
*/
|
*/
|
||||||
is_probe = 1;
|
is_probe = 1;
|
||||||
_kdc_audit_addkv((kdc_request_t)r, 0, "probe", "authenticated");
|
kdc_audit_addkv((kdc_request_t)r, 0, "probe", "authenticated");
|
||||||
ret = mk_error_response(r->context, r, 4, 0,
|
ret = mk_error_response(r->context, r, 4, 0,
|
||||||
"kx509 authenticated probe request");
|
"kx509 authenticated probe request");
|
||||||
goto out;
|
goto out;
|
||||||
@@ -1049,14 +1049,14 @@ _kdc_do_kx509(kx509_req_context r)
|
|||||||
ret = encode_reply(r->context, r, &rep);
|
ret = encode_reply(r->context, r, &rep);
|
||||||
if (ret)
|
if (ret)
|
||||||
/* Can't send an error message either in this case, surely */
|
/* Can't send an error message either in this case, surely */
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Could not encode response");
|
kdc_audit_addreason((kdc_request_t)r, "Could not encode response");
|
||||||
|
|
||||||
out:
|
out:
|
||||||
hx509_certs_free(&certs);
|
hx509_certs_free(&certs);
|
||||||
if (ret == 0 && !is_probe)
|
if (ret == 0 && !is_probe)
|
||||||
_kdc_audit_setkv_bool((kdc_request_t)r, "cert_issued", TRUE);
|
kdc_audit_setkv_bool((kdc_request_t)r, "cert_issued", TRUE);
|
||||||
else
|
else
|
||||||
_kdc_audit_setkv_bool((kdc_request_t)r, "cert_issued", FALSE);
|
kdc_audit_setkv_bool((kdc_request_t)r, "cert_issued", FALSE);
|
||||||
if (r->ac)
|
if (r->ac)
|
||||||
krb5_auth_con_free(r->context, r->ac);
|
krb5_auth_con_free(r->context, r->ac);
|
||||||
if (ticket)
|
if (ticket)
|
||||||
|
|||||||
@@ -21,19 +21,19 @@ EXPORTS
|
|||||||
kdc_request_get_attribute
|
kdc_request_get_attribute
|
||||||
kdc_request_copy_attribute
|
kdc_request_copy_attribute
|
||||||
kdc_request_delete_attribute
|
kdc_request_delete_attribute
|
||||||
_kdc_audit_addkv
|
kdc_audit_addkv
|
||||||
_kdc_audit_addkv_number
|
kdc_audit_addkv_number
|
||||||
_kdc_audit_addkv_object
|
kdc_audit_addkv_object
|
||||||
_kdc_audit_addkv_timediff
|
kdc_audit_addkv_timediff
|
||||||
_kdc_audit_addaddrs
|
kdc_audit_addaddrs
|
||||||
_kdc_audit_addreason
|
kdc_audit_addreason
|
||||||
_kdc_audit_getkv
|
kdc_audit_getkv
|
||||||
_kdc_audit_setkv_bool
|
kdc_audit_setkv_bool
|
||||||
_kdc_audit_setkv_number
|
kdc_audit_setkv_number
|
||||||
_kdc_audit_setkv_object
|
kdc_audit_setkv_object
|
||||||
|
kdc_audit_vaddkv
|
||||||
|
kdc_audit_vaddreason
|
||||||
_kdc_audit_trail
|
_kdc_audit_trail
|
||||||
_kdc_audit_vaddkv
|
|
||||||
_kdc_audit_vaddreason
|
|
||||||
|
|
||||||
; needed for digest-service
|
; needed for digest-service
|
||||||
_kdc_db_fetch
|
_kdc_db_fetch
|
||||||
|
|||||||
46
kdc/mssfu.c
46
kdc/mssfu.c
@@ -168,15 +168,15 @@ validate_protocol_transition(astgs_request_t r)
|
|||||||
sdata->padata_value.length,
|
sdata->padata_value.length,
|
||||||
&self, NULL);
|
&self, NULL);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Failed to decode PA-S4U2Self");
|
"Failed to decode PA-S4U2Self");
|
||||||
kdc_log(r->context, r->config, 4, "Failed to decode PA-S4U2Self");
|
kdc_log(r->context, r->config, 4, "Failed to decode PA-S4U2Self");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!krb5_checksum_is_keyed(r->context, self.cksum.cksumtype)) {
|
if (!krb5_checksum_is_keyed(r->context, self.cksum.cksumtype)) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"PA-S4U2Self with unkeyed checksum");
|
"PA-S4U2Self with unkeyed checksum");
|
||||||
kdc_log(r->context, r->config, 4, "Reject PA-S4U2Self with unkeyed checksum");
|
kdc_log(r->context, r->config, 4, "Reject PA-S4U2Self with unkeyed checksum");
|
||||||
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
|
||||||
goto out;
|
goto out;
|
||||||
@@ -225,8 +225,8 @@ validate_protocol_transition(astgs_request_t r)
|
|||||||
krb5_crypto_destroy(r->context, crypto);
|
krb5_crypto_destroy(r->context, crypto);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(r->context, ret);
|
const char *msg = krb5_get_error_message(r->context, ret);
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"S4U2Self checksum failed");
|
"S4U2Self checksum failed");
|
||||||
kdc_log(r->context, r->config, 4,
|
kdc_log(r->context, r->config, 4,
|
||||||
"krb5_verify_checksum failed for S4U2Self: %s", msg);
|
"krb5_verify_checksum failed for S4U2Self: %s", msg);
|
||||||
krb5_free_error_message(r->context, msg);
|
krb5_free_error_message(r->context, msg);
|
||||||
@@ -262,8 +262,8 @@ validate_protocol_transition(astgs_request_t r)
|
|||||||
if (ret == HDB_ERR_NOENTRY)
|
if (ret == HDB_ERR_NOENTRY)
|
||||||
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
||||||
msg = krb5_get_error_message(r->context, ret);
|
msg = krb5_get_error_message(r->context, ret);
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"S4U2Self principal to impersonate not found");
|
"S4U2Self principal to impersonate not found");
|
||||||
kdc_log(r->context, r->config, 2,
|
kdc_log(r->context, r->config, 2,
|
||||||
"S4U2Self principal to impersonate %s not found in database: %s",
|
"S4U2Self principal to impersonate %s not found in database: %s",
|
||||||
s4ucname, msg);
|
s4ucname, msg);
|
||||||
@@ -281,7 +281,7 @@ validate_protocol_transition(astgs_request_t r)
|
|||||||
|
|
||||||
ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
|
ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */
|
goto out; /* kdc_check_flags() calls kdc_audit_addreason() */
|
||||||
|
|
||||||
ret = _kdc_pac_generate(r->context,
|
ret = _kdc_pac_generate(r->context,
|
||||||
r->config,
|
r->config,
|
||||||
@@ -397,7 +397,7 @@ validate_constrained_delegation(astgs_request_t r)
|
|||||||
*/
|
*/
|
||||||
if (r->pac == NULL) {
|
if (r->pac == NULL) {
|
||||||
ret = KRB5KDC_ERR_BADOPTION;
|
ret = KRB5KDC_ERR_BADOPTION;
|
||||||
_kdc_audit_addreason((kdc_request_t)r, "Missing PAC");
|
kdc_audit_addreason((kdc_request_t)r, "Missing PAC");
|
||||||
kdc_log(r->context, r->config, 4,
|
kdc_log(r->context, r->config, 4,
|
||||||
"Constrained delegation without PAC, %s/%s",
|
"Constrained delegation without PAC, %s/%s",
|
||||||
r->cname, r->sname);
|
r->cname, r->sname);
|
||||||
@@ -417,8 +417,8 @@ validate_constrained_delegation(astgs_request_t r)
|
|||||||
|
|
||||||
ret = krb5_decrypt_ticket(r->context, t, &clientkey->key, &evidence_tkt, 0);
|
ret = krb5_decrypt_ticket(r->context, t, &clientkey->key, &evidence_tkt, 0);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Failed to decrypt constrained delegation ticket");
|
"Failed to decrypt constrained delegation ticket");
|
||||||
kdc_log(r->context, r->config, 4,
|
kdc_log(r->context, r->config, 4,
|
||||||
"failed to decrypt ticket for "
|
"failed to decrypt ticket for "
|
||||||
"constrained delegation from %s to %s ", r->cname, r->sname);
|
"constrained delegation from %s to %s ", r->cname, r->sname);
|
||||||
@@ -436,7 +436,7 @@ validate_constrained_delegation(astgs_request_t r)
|
|||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
_kdc_audit_addkv((kdc_request_t)r, 0, "impersonatee", "%s", s4ucname);
|
kdc_audit_addkv((kdc_request_t)r, 0, "impersonatee", "%s", s4ucname);
|
||||||
|
|
||||||
ret = _krb5_principalname2krb5_principal(r->context,
|
ret = _krb5_principalname2krb5_principal(r->context,
|
||||||
&s4u_server_name,
|
&s4u_server_name,
|
||||||
@@ -451,8 +451,8 @@ validate_constrained_delegation(astgs_request_t r)
|
|||||||
|
|
||||||
/* check that ticket is valid */
|
/* check that ticket is valid */
|
||||||
if (evidence_tkt.flags.forwardable == 0) {
|
if (evidence_tkt.flags.forwardable == 0) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Missing forwardable flag on ticket for constrained delegation");
|
"Missing forwardable flag on ticket for constrained delegation");
|
||||||
kdc_log(r->context, r->config, 4,
|
kdc_log(r->context, r->config, 4,
|
||||||
"Missing forwardable flag on ticket for "
|
"Missing forwardable flag on ticket for "
|
||||||
"constrained delegation from %s (%s) as %s to %s ",
|
"constrained delegation from %s (%s) as %s to %s ",
|
||||||
@@ -464,8 +464,8 @@ validate_constrained_delegation(astgs_request_t r)
|
|||||||
ret = check_constrained_delegation(r->context, r->config, r->clientdb,
|
ret = check_constrained_delegation(r->context, r->config, r->clientdb,
|
||||||
r->client, r->server, r->server_princ);
|
r->client, r->server, r->server_princ);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Constrained delegation not allowed");
|
"Constrained delegation not allowed");
|
||||||
kdc_log(r->context, r->config, 4,
|
kdc_log(r->context, r->config, 4,
|
||||||
"constrained delegation from %s (%s) as %s to %s not allowed",
|
"constrained delegation from %s (%s) as %s to %s not allowed",
|
||||||
r->cname, s4usname, s4ucname, r->sname);
|
r->cname, s4usname, s4ucname, r->sname);
|
||||||
@@ -474,8 +474,8 @@ validate_constrained_delegation(astgs_request_t r)
|
|||||||
|
|
||||||
ret = _kdc_verify_flags(r->context, r->config, &evidence_tkt, s4ucname);
|
ret = _kdc_verify_flags(r->context, r->config, &evidence_tkt, s4ucname);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Constrained delegation ticket expired or invalid");
|
"Constrained delegation ticket expired or invalid");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -503,8 +503,8 @@ validate_constrained_delegation(astgs_request_t r)
|
|||||||
&s4u_canon_client_name, &s4u_pac_attributes);
|
&s4u_canon_client_name, &s4u_pac_attributes);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
const char *msg = krb5_get_error_message(r->context, ret);
|
const char *msg = krb5_get_error_message(r->context, ret);
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Constrained delegation ticket PAC check failed");
|
"Constrained delegation ticket PAC check failed");
|
||||||
kdc_log(r->context, r->config, 4,
|
kdc_log(r->context, r->config, 4,
|
||||||
"Verify delegated PAC failed to %s for client"
|
"Verify delegated PAC failed to %s for client"
|
||||||
"%s (%s) as %s from %s with %s",
|
"%s (%s) as %s from %s with %s",
|
||||||
@@ -520,8 +520,8 @@ validate_constrained_delegation(astgs_request_t r)
|
|||||||
"for delegation to %s for client %s (%s) from %s; (%s).",
|
"for delegation to %s for client %s (%s) from %s; (%s).",
|
||||||
r->sname, s4ucname, s4usname, r->cname, r->from,
|
r->sname, s4ucname, s4usname, r->cname, r->from,
|
||||||
s4u_pac ? "Ticket unsigned" : "No PAC");
|
s4u_pac ? "Ticket unsigned" : "No PAC");
|
||||||
_kdc_audit_addreason((kdc_request_t)r,
|
kdc_audit_addreason((kdc_request_t)r,
|
||||||
"Constrained delegation ticket not signed");
|
"Constrained delegation ticket not signed");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -43,14 +43,14 @@
|
|||||||
#define __attribute__(x)
|
#define __attribute__(x)
|
||||||
|
|
||||||
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
||||||
_kdc_audit_vaddreason(kdc_request_t r, const char *fmt, va_list ap)
|
kdc_audit_vaddreason(kdc_request_t r, const char *fmt, va_list ap)
|
||||||
__attribute__ ((__format__ (__printf__, 2, 0)))
|
__attribute__ ((__format__ (__printf__, 2, 0)))
|
||||||
{
|
{
|
||||||
heim_audit_vaddreason((heim_svc_req_desc)r, fmt, ap);
|
heim_audit_vaddreason((heim_svc_req_desc)r, fmt, ap);
|
||||||
}
|
}
|
||||||
|
|
||||||
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
||||||
_kdc_audit_addreason(kdc_request_t r, const char *fmt, ...)
|
kdc_audit_addreason(kdc_request_t r, const char *fmt, ...)
|
||||||
__attribute__ ((__format__ (__printf__, 2, 3)))
|
__attribute__ ((__format__ (__printf__, 2, 3)))
|
||||||
{
|
{
|
||||||
va_list ap;
|
va_list ap;
|
||||||
@@ -67,7 +67,7 @@ _kdc_audit_addreason(kdc_request_t r, const char *fmt, ...)
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
||||||
_kdc_audit_vaddkv(kdc_request_t r, int flags, const char *k,
|
kdc_audit_vaddkv(kdc_request_t r, int flags, const char *k,
|
||||||
const char *fmt, va_list ap)
|
const char *fmt, va_list ap)
|
||||||
__attribute__ ((__format__ (__printf__, 4, 0)))
|
__attribute__ ((__format__ (__printf__, 4, 0)))
|
||||||
{
|
{
|
||||||
@@ -75,7 +75,7 @@ _kdc_audit_vaddkv(kdc_request_t r, int flags, const char *k,
|
|||||||
}
|
}
|
||||||
|
|
||||||
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
||||||
_kdc_audit_addkv(kdc_request_t r, int flags, const char *k,
|
kdc_audit_addkv(kdc_request_t r, int flags, const char *k,
|
||||||
const char *fmt, ...)
|
const char *fmt, ...)
|
||||||
__attribute__ ((__format__ (__printf__, 4, 5)))
|
__attribute__ ((__format__ (__printf__, 4, 5)))
|
||||||
{
|
{
|
||||||
@@ -87,7 +87,7 @@ _kdc_audit_addkv(kdc_request_t r, int flags, const char *k,
|
|||||||
}
|
}
|
||||||
|
|
||||||
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
||||||
_kdc_audit_addkv_timediff(kdc_request_t r, const char *k,
|
kdc_audit_addkv_timediff(kdc_request_t r, const char *k,
|
||||||
const struct timeval *start,
|
const struct timeval *start,
|
||||||
const struct timeval *end)
|
const struct timeval *end)
|
||||||
{
|
{
|
||||||
@@ -95,37 +95,37 @@ _kdc_audit_addkv_timediff(kdc_request_t r, const char *k,
|
|||||||
}
|
}
|
||||||
|
|
||||||
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
||||||
_kdc_audit_setkv_bool(kdc_request_t r, const char *k, krb5_boolean v)
|
kdc_audit_setkv_bool(kdc_request_t r, const char *k, krb5_boolean v)
|
||||||
{
|
{
|
||||||
heim_audit_setkv_bool((heim_svc_req_desc)r, k, (int)v);
|
heim_audit_setkv_bool((heim_svc_req_desc)r, k, (int)v);
|
||||||
}
|
}
|
||||||
|
|
||||||
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
||||||
_kdc_audit_addkv_number(kdc_request_t r, const char *k, int64_t v)
|
kdc_audit_addkv_number(kdc_request_t r, const char *k, int64_t v)
|
||||||
{
|
{
|
||||||
heim_audit_addkv_number((heim_svc_req_desc)r, k, v);
|
heim_audit_addkv_number((heim_svc_req_desc)r, k, v);
|
||||||
}
|
}
|
||||||
|
|
||||||
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
||||||
_kdc_audit_setkv_number(kdc_request_t r, const char *k, int64_t v)
|
kdc_audit_setkv_number(kdc_request_t r, const char *k, int64_t v)
|
||||||
{
|
{
|
||||||
heim_audit_setkv_number((heim_svc_req_desc)r, k, v);
|
heim_audit_setkv_number((heim_svc_req_desc)r, k, v);
|
||||||
}
|
}
|
||||||
|
|
||||||
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
||||||
_kdc_audit_addkv_object(kdc_request_t r, const char *k, heim_object_t obj)
|
kdc_audit_addkv_object(kdc_request_t r, const char *k, heim_object_t obj)
|
||||||
{
|
{
|
||||||
heim_audit_addkv_object((heim_svc_req_desc)r, k, obj);
|
heim_audit_addkv_object((heim_svc_req_desc)r, k, obj);
|
||||||
}
|
}
|
||||||
|
|
||||||
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
||||||
_kdc_audit_setkv_object(kdc_request_t r, const char *k, heim_object_t obj)
|
kdc_audit_setkv_object(kdc_request_t r, const char *k, heim_object_t obj)
|
||||||
{
|
{
|
||||||
heim_audit_setkv_object((heim_svc_req_desc)r, k, obj);
|
heim_audit_setkv_object((heim_svc_req_desc)r, k, obj);
|
||||||
}
|
}
|
||||||
|
|
||||||
KDC_LIB_FUNCTION heim_object_t KDC_LIB_CALL
|
KDC_LIB_FUNCTION heim_object_t KDC_LIB_CALL
|
||||||
_kdc_audit_getkv(kdc_request_t r, const char *k)
|
kdc_audit_getkv(kdc_request_t r, const char *k)
|
||||||
{
|
{
|
||||||
return heim_audit_getkv((heim_svc_req_desc)r, k);
|
return heim_audit_getkv((heim_svc_req_desc)r, k);
|
||||||
}
|
}
|
||||||
@@ -135,7 +135,7 @@ _kdc_audit_getkv(kdc_request_t r, const char *k)
|
|||||||
* PA-TGS ticket or whatever.
|
* PA-TGS ticket or whatever.
|
||||||
*/
|
*/
|
||||||
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
KDC_LIB_FUNCTION void KDC_LIB_CALL
|
||||||
_kdc_audit_addaddrs(kdc_request_t r, HostAddresses *a, const char *key)
|
kdc_audit_addaddrs(kdc_request_t r, HostAddresses *a, const char *key)
|
||||||
{
|
{
|
||||||
size_t i;
|
size_t i;
|
||||||
char buf[128];
|
char buf[128];
|
||||||
@@ -145,12 +145,12 @@ _kdc_audit_addaddrs(kdc_request_t r, HostAddresses *a, const char *key)
|
|||||||
|
|
||||||
if (snprintf(numkey, sizeof(numkey), "num%s", key) >= sizeof(numkey))
|
if (snprintf(numkey, sizeof(numkey), "num%s", key) >= sizeof(numkey))
|
||||||
numkey[31] = '\0';
|
numkey[31] = '\0';
|
||||||
_kdc_audit_addkv(r, 0, numkey, "%llu", (unsigned long long)a->len);
|
kdc_audit_addkv(r, 0, numkey, "%llu", (unsigned long long)a->len);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < 3 && i < a->len; i++) {
|
for (i = 0; i < 3 && i < a->len; i++) {
|
||||||
if (krb5_print_address(&a->val[i], buf, sizeof(buf), NULL) == 0)
|
if (krb5_print_address(&a->val[i], buf, sizeof(buf), NULL) == 0)
|
||||||
_kdc_audit_addkv(r, 0, key, "%s", buf);
|
kdc_audit_addkv(r, 0, key, "%s", buf);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -24,19 +24,19 @@ HEIMDAL_KDC_1.0 {
|
|||||||
kdc_request_get_attribute;
|
kdc_request_get_attribute;
|
||||||
kdc_request_copy_attribute;
|
kdc_request_copy_attribute;
|
||||||
kdc_request_delete_attribute;
|
kdc_request_delete_attribute;
|
||||||
_kdc_audit_addkv;
|
kdc_audit_addkv;
|
||||||
_kdc_audit_addkv_number;
|
kdc_audit_addkv_number;
|
||||||
_kdc_audit_addkv_object;
|
kdc_audit_addkv_object;
|
||||||
_kdc_audit_addkv_timediff;
|
kdc_audit_addkv_timediff;
|
||||||
_kdc_audit_addaddrs;
|
kdc_audit_addaddrs;
|
||||||
_kdc_audit_addreason;
|
kdc_audit_addreason;
|
||||||
_kdc_audit_getkv;
|
kdc_audit_getkv;
|
||||||
_kdc_audit_setkv_bool;
|
kdc_audit_setkv_bool;
|
||||||
_kdc_audit_setkv_number;
|
kdc_audit_setkv_number;
|
||||||
_kdc_audit_setkv_object;
|
kdc_audit_setkv_object;
|
||||||
|
kdc_audit_vaddkv;
|
||||||
|
kdc_audit_vaddreason;
|
||||||
_kdc_audit_trail;
|
_kdc_audit_trail;
|
||||||
_kdc_audit_vaddkv;
|
|
||||||
_kdc_audit_vaddreason;
|
|
||||||
|
|
||||||
# needed for digest-service
|
# needed for digest-service
|
||||||
_kdc_db_fetch;
|
_kdc_db_fetch;
|
||||||
|
|||||||
Reference in New Issue
Block a user